Copy Link
Add to Bookmark
Report
Phrack Inc. Volume 04 Issue 44 File 12
==Phrack Magazine==
Volume Four, Issue Forty-Four, File 12 of 27
****************************************************************************
Sarah Gordon's Response
Greetz and Salutations :)
Thank you for giving me the opportunity to contribute to Phrack. While
we may not agree on everything, I appreciate the chance to speak for
myself. In the past, as many people now know, I have not
had the opportunity to do so. My philosophies and ideals are quite similar
to your own, and I hope that my response to this "Article" will help shine
a bit of light on what is really going on here.
I don't really want to spend too much time on it, because it is, as you
said, obviously a personal attack. But, on the other hand, such nonsense
can grow to the point where it has an effect. Perhaps a backlash on the
programmers and hackers in Bulgaria, which of course will spread to the
United States. They have suffered a lot of persecution because of the past
malicious and irresponsible acts of some of their virus writers. Since Dark
Avenger stopped writing viruses, their reputation has improved somewhat.
David Briscoe recently wrote:
"Computer hackers in former communist countries, including an elusive Bulgarian
known as the Dark Avenger, are creating mischievous and sometimes costly viruses
that threaten computers around the world".
Following a recent interview I conducted with Dark Avenger, I was chastised for
not making his identity known so he could be 'made to pay'.
In "Discover" Magazine, writers Paul Mungo and Brian Clough
are quoted from their book 'Approaching Zero' "the Mutating Engine...the
most dangerous virus ever produced". This is so stupid, especially
considering the thing does not replicate. It's a tool that can be used
to perform encryption. Well, decryption too, but explanation of how it
works aren't the point here, suffice to say it's not "the most dangerous
virus ever produced".
If people are going to rely on the media as an information resource, the
media owes it to us to provide us with accurate information. However,
this is simply not always the case.
If you consider the actual viruses commonly found -in the wild- (that is,
by computer users such as those from universities, corporations, etc.),
the number of Bulgarian viruses -directly- impacting the users is a very
insignificant number. For some reason, the media likes to play up
Bulgaria as the big force behind the destruction of data!
I personally don't have an interest in the economy of Bulgaria or any
other country, but the media sure likes to use this kind of
"information" to sell their own particular brand of fear.
No more fear. Fear is a bad thing. It is one of the things that leads us
to have government intervention into areas of our lives where it is
definitely not desired.
Sara(h?) Gordon AND THE DARK AVENGER SCAM.
By K$hntark
In one of my many online conversations with Sara Gordon
I once asked her about the validity of the VNI interviews and
her real relationship with the alleged dark avenger; after
logging into her VFR BBS and seeing a #2 (hers being #1)
account named after him.
Of course his (Dark Avenger) name was #2 there. I put it there for him. His last
call to my BBS was July 31, 1993 at 1:55 p.m. However, this was not the start of this
business with Kohntark. He had been mailing me for about one month. From
an account using the address of cxxxxx.ic.xxxxxx.edu. Keep this address
in mind. It will come in handy later.
I am not exactly sure of the date of the first message, but I think about one
month. He had been reasonable enough at first, but he became
increasingly agitated. Since he felt it was appropriate to include
personal mail from Dark Avenger to him here, I think I can go ahead and
illustrate for you some of his "hacking" :) (well, if you can call it
hacking. you decide). (OH GOD, LOWER CASE...LeTZ SeE...)
I proceeded to leave a message for the dark avenger there,
claiming that the whole account was bogus as it is highly
improbable that this person might call all the way from
Bulgaria and log into a mediocre BBS just to chat with her,
considering the expense of such long distance call , the
economic situation in Eastern Europe and a fact that
would learn later: Sara(h) Gordon has an account on the
Bulgarian DIGSYS unix server, locally accessible by phone
from there!
This guy doesn't seem to know much about the "economic situation in
Eastern Europe". At least, about Dark Avenger's personal economic
state:) or mine. Maybe Dark Avenger could call digsys, but I
certainly couldn't when I first started talking to him. I didn't have
any internet account. All I had was my mediocre BBS. He couldn't get to
my BBS any way but to call me, directly.
Yes, I have an account there -now-, but I don't and didn't use it to chat with
Dark Avenger. He did not want the sysadmin to monitor our chats. And, I
didn't -have- that account until after I had talked to Dark Avenger for
a long time, so I could hardly have used that server to talk to him
early on I didn't have an account there then :) In fact, neither did he,
at that time, because there was no digsys.bg as far as I know. He called
Danbo BBS for years. It was not on the internet. He did later use it later,
once it actually got onto the internet, to occasionally mail me, but not much.
He used it more to come to IRC.
In fact, a couple people you know talked to him there, with me. They didn't
like him much; found him rude and arrogant. He can be.
However, he most certainly did call me here. Does Kohntark think he is
the only one who can make long distance telephone calls? Dark Avenger
called me frequently, and not always from Bulgaria. I don't know how or
if he paid for the calls, all I know is that since I couldn't afford
to call, and didn't know any number for him, he called me.
As for my "mediocre" BBS, it serves its purpose:) I think giving out
virus free anti-virus products, and products that don't cost the users a
small fortune, and that actually WORK is quite a good purpose. I don't
see any reason for people to be exploited by some a-v companies, who
are promoted by various magazines, which in turn rate them highly
because they are doing their advertising.
As it was expected, Sara(h) quickly 'noticed' my personal
message to the dark avenger and replied to my questioning in
a public post in FIDONET, (I don't read FIDONET posts and she
knows I have no access to them!!!! )
Kohntark called my BBS, at my invitation, on July 13, 1993 at 23:19.
There's no other way he could have left any mail because its an invite
only system. It's not like it was any big shock to me that he called.
He asked me to make him an account and I did.
Dark Avenger was a regular caller to my BBS, and read his message, I
imagine, since he fwded it to me. I don't know what access Kohntark
has or doesn't have, as far as what networks he uses, (as far as what
networks he reads mail from, that is) as I explained to
him. I mailed him there because of the mail he left to Dark Avenger (which
he forwarded to me) on MY system, and because I received a very nasty message
from Kohntark, using the address kohntark@rot.in.hell.com, if I remember
correctly. I sent the message, and did include answers to his questions
because I wanted to continue talking with him. The message had the headers
included from, guess where? cxxxxx.ic.xxxxxx.edu....
She claimed that the dark avenger was fully aware of how much
money she made out of the VNI interviews and that she was in
touch with him, etc.etc.
This is the truth. In case anyone is curious, the amount of money I made
from this article was less than the amount of my PC Pursuit Bill from
calling to do chats and talks with him. At that time he had accesses via
various networks, and we talked on a regular basis. Additionally, Dark
Avenger had full control over taking out or editing any of his comments
in the interview. It is a policy of mine. If you wish to confirm it, I
can put you in touch with other virus writers. I can in fact do it any
time probably, as they are usually around where we are. Let me know if
you want me to do it. Dark Avenger was even a bit obsessive about how
much money I would make.
I also "sold" the story to PCWorld, where it has been published, in
part. I have not received any compensation for this yet. More later on why I
did the interview.
Maybe the problem is I didn't interview Kohntark...
Afterward, I questioned her again about the whole affair
and demanded a proof, or some sort of direct contact from the
dark avenger to my anonymous internet account.
First, I do not have to "prove" my contact with this man to anyone. It
has been well enough observed and documented every step of the way. Ever
hear of the dedicated virus? It is the demo virus that came with the
Mutation Engine. It contains "We dedicate this little virus to sara
gordon who wanted to have a virus named after her". (At this point, Dark
Avenger did not really know me, we were just establishing our contact;
he still used the spelling Sara for my name :)
I provided Kohntark with an address with Dark Avengers permission.
Actually, the account Dark Avenger had at digsys which he used to get to
me on chats or IRC (2 years after initial contact) was not
under the name Dark Avenger OR dav, but under another name which would
draw less attention to itself if someone happened to finger us during
one of our chats. The system adminstrator made the additional account
later, since he knew quite well it -was- Dark Avenger, having had an
ongoing battle with him for years.
Kohntark wrote to Dark Avenger there, just like he said he did. At least
this much is true. And, I did receive copies of the mail. Actually Dark
Avenger did not want to even answer the mail, but I asked him to please
do it so that the guy would leave me alone.
Someone using the same mail headers had already sent a message to WIRED,
telling them "The DA is old news, he hasn't made a virus in 2 years,
you should interview ME". Wonder who that might have been......
Does the header cxxxxx.ic.xxxxxx.edu ring any bells?
At that point, Kohntark forged mail to WIRED magazine, this time posing
as Dark Avenger. I would never have known this, but Dark Avenger fwd back
a very strange reply message from WIRED and asked me what in the hell was
going on. In that message, WIRED had included part of the message they
had received. It clearly displayed the cxxxxx.ic.xxxxxx.edu headers,
indicating that the mail had been sent from someone there! Someone who
told WIRED "I don't want to talk to you" (paraphrased). Even WIRED told
me "That mail did not sound like Dark Avenger..it was just all wrong"
(paraphrased). I pointed out the headers to them later. It was a bad
hack on Kohntark's part. Anyone doubts, it mail the sysadmin at
digsys.bg.
Here is a copy of that mail, with "compromising" parts xxxxed out.
First, Dark Avenger's legitimate fwd to me:
From dav@digsys.bg Sat Jul 24 20:36:12 1993
Return-Path: <dav@digsys.bg>
Received: from mcsun.EU.net by mail.netcom.com (5.65/SMI-4.1/Netcom)
id AA04202; Sat, 24 Jul 93 20:34:29 -0700
Received: from danbo.UUCP by mcsun.EU.net with UUCP
id AA18612 (5.65b/CWI-2.220); Sun, 25 Jul 1993 05:35:36 +0200
Received: by danbo.digsys.bg (5.67/1.37) via EUnet
id AA06614; Sun, 25 Jul 93 05:33:30 +0300
From: dav@digsys.bg (Dark Avenger)
Message-Id: <9307250233.AA06614@danbo.digsys.bg>
Subject: Re: FWD>None (fwd)
To: vfr@netcom.com
Date: Sun, 25 Jul 93 5:33:29 EET DST
X-Mailer: ELM [version 2.3 PL11]
Status: OR
Then, the message from xxxxxxxxxxx at WIRED:
Forwarded message:
>From xxxxxx!wired.com!xxxxx Sat Jul 24 01:34:30 1993
Message-Id: <9307232129.AA02102@wired.com>
Date: 23 Jul 1993 14:27:42 -0800
From: "xxxxxxxxxxx" <xxxxx@wired.com>
Subject: Re: FWD>None
To: dav@digsys.bg
Reply to: RE>FWD>None
*Some mail from WIRED guy replying to the message***
And now, the mail that prompted xxxxxxx's reply. I guess Kohntark didn't
realize that the mail would receive a reply. Or, didn't realize the
reply would include the mail headers:
--------------------------------------
Date: 7/23/93 12:35 AM
To: xxxxxxxxxxx
From: xxxx
Received: by xx.wired.com with SMTP;22 Jul 1993 05:38:19 -0800
Received: from anon.penet.fi by wired.com via SMTP (920330.SGI/911001.SGI)
for xxxxx@xx.wired.com id AA00423; Thu, 22 Jul 93 05:35:20 -0700
Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
id AA21218; Thu, 22 Jul 93 15:24:44 +0300
Date: Thu, 22 Jul 93 15:24:44 +0300
From: dav@digsys.bg
Message-Id: <9307221224.AA21218@anon.penet.fi>
Return-Path:<dav@digsys.bg>
Date: Fri 13, 66 00:00:00 EST
To:<xxxxxxx@wired.com>
Subject:Not interest.
Status:RO
I read in VIRUS-L that some idiot (atman@rahut.net) wants to do
interview with me face to face.
I am not interested in being in your magazine.
I am not interested in being interviewed, even if you offer me $1000.
or more.
I am not interested. so tell your friend to stop mentioning me in
VIRUS-L, i have NO interest.
Please don't bother to reply. I have no time for stupidity.
<dav>
---------
Interesting use of the anonymous mailer port 25, eh? (clue: try helo)
Since this was the first time anyone had ever questioned the
validity of her relationship with the DA, she took this to
heart and shortly after, I received 3 short messages
originating from <dav@danbo.digsys.bg> an Internet connected
UNIX system in Bulgaria.
HAHAHA. This has been questioned many times. Do you think the ACM, or
any magazine would risk printing this without adequate proof? My contacts early
on with the virus writer were well documented. I had to prove myself to
everyone from Vesselin Bontchev (who did not believe me until he had
seen the source code to Commander Bomber, which is a virus; the source
code has never been made available to anyone). Here:
From bontchev@informatik.uni-hamburg.de Tue Oct 12 02:34:53 1993
Return-Path: <bontchev@informatik.uni-hamburg.de>
Received: from deneb.dfn.de by mail.netcom.com (5.65/SMI-4.1/Netcom)
id AA09608; Tue, 12 Oct 93 02:34:34 -0700
Received: from fbihh.informatik.uni-hamburg.de by deneb.dfn.de (4.1/SMI-4.2)
id AA05014; Tue, 12 Oct 93 10:33:30 +0100
From: bontchev@informatik.uni-hamburg.de (Vesselin Bontchev)
Message-Id: <9310120933.AA22605@fbihh.informatik.uni-hamburg.de>
Received: by fbihh.informatik.uni-hamburg.de (5.65+/FBIHH-1.21);
id AA22605; Tue, 12 Oct 93 10:33:45 +0100
Subject: Re: urgent
To: vfr@netcom.com
Date: Tue, 12 Oct 1993 10:33:42 +0100 (MET)
In-Reply-To: <9310120331.AA01134@netcom4.netcom.com> from "sara" at
Oct 11, 93 08:31:48 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 2211
Status: OR
....blah blah..(deleted)
So, here is my official statement.
I hereby confirm that when I met Sarah S. Gordon in March 1993 in New
York, she showed me the original source of the Commander Bomber virus.
It was obviously a source and not a disassembly, and it was very
similar to a couple of other sources of Dark Avenger's programs that I
have seen. When I say "similar" I mean such things like label names,
commenting style, layout of the text and so on. Of course, this is not
a proof that it has been really produced by the Dark Avenger, but this
is very probable. Sarah didn't give me a copy of it and I didn't
insist, because she told me that she has promised to Dark Avenger not
to give this source to anybody. To my knowledge, nobody else has the
source.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de 22527 Hamburg, Germany
Keep in mind, Vesselin is not a product developer and has no affiliation
with any developers. He is a Doctoral Student who has himself been
accused of being the Dark Avenger.
The Bulgarian Secret Police seemed to believe my
contact was legitimate enough. I received an "invitation" to meet with
them. I declined this "invitation" because I am not interested in the terrorist
tactics of a desperate government to blame a hacker and virus writer for
the problems of the country in general.
I had to prove my contact lots of ways, just to get the article in
print. Why did I want this article in print? One simple reason. To show
this virus writer as not some evil sinister monster from Hell waiting to
destroy the earth's supercomputer. Just as a person like the rest of us.
Did it accomplish it? I think it did, from the response I got from most
people. Did -I- personally 'benefit' from it? In some ways, I did.
This reminds me, a certain ex-virus exchange sysop told me that he was
going to make me expose the Dark Avenger; that he was going to find out
his true identity, where no one else could; that he would make up some
story, any story, to force Dark Avenger out into the open. Well, I don't
narc on my friends. I am sure you can appreciate that.
Here they are:
(Private, compromising parts are X'd out)
1st Message:
--------------------------------------------------------------------------------
-
>From daemon@digsys.bg Wed Jul 14 19:07 EDT 1993
Received: from danbo.digsys.bg by XXXXXXXXXXXXXXXXXXXXXX; Wed, 14 Jul 93 19:07:3
4 -0400
Return-Path: <dav@danbo.digsys.bg>
Received: by XXXXXXXXXXXXXX (5.67/1.35)
id AA12850; Thu, 15 Jul 93 02:04:46 +0300
Message-Id: <9307142304.AA12850@XXXXXXXXXXXX>
To: XXXXXXX
From: dav@danbo.digsys.bg
Date: Wed, 14 Jul 93 23:41:36 +0300
Subject: No subject
Status: RO
kohntark-
i just talked to a friend of mine who said you dont like her user
log. why shouldnt i call her from bulgaria? i call whoever i want
to, and this is not your problem.
by the way, she sent me your mail. for your information, i do
know how much money she made of that interview. and i also think
that this is none of your business.
also, maybe it would be good for you to know, that by offending
her, you are offending me, too. keep this in mind.
<dav>
Second Message:
-------------------------------------------------------------------------
>My mail with her is none of your business either.
i dont think so, dude.
maybe you need to read the next few lines again,
in case you missed them.
>>
>> also, maybe it would be good for you to know, that by offending
>> her, you are offending me, too. keep this in mind.
>>
>> <dav>
>
>HA HA! and you expect me to believe that you are the DA!
>send me a proof: an email address from bulgaria or tell me
>how many addressing modes does the MTE have?
>
>nice try.
well, what do you think the domain .bg in my email address stands for?
maybe you think its kameroon?
as for the mte, im not giving you any info.
i need not prove anything to anybody, and certainly dont plan to waste more
of my time talking to you. you have been warned.
<dav>
Third Message:
-------------------------------------------------------------------------
oh, yeah. sure it did.
only you will not know where something else came from, when it knocks on your
door. i have nothing more to say.
-------------------------------------------------------------------------
Odd. He did not include the mail he forged using the address I gave him
in good faith to WIRED magazine.
He also did not include the mail he forged to Anthony Naggs,
an engineer, in which he made the following statements:
> > From @gate.demon.co.uk,@anon.penet.fi:darkavenger@sofia.somewhere.bg Fri
Sep 17 18:16:32 1993
> > Received: from post.demon.co.uk by ubik.demon.co.uk with SMTP
> > id AA4544 ; Fri, 17 Sep 93 18:16:22 GMT
> > Received: from post.demon.co.uk via puntmail for amn@ubik.demon.co.uk;
> > Fri Sep 17 14:49:12 BST 1993
> > Received: from gate.demon.co.uk by post.demon.co.uk id gk03845;
> > 17 Sep 93 14:09 BST
> > Received: from anon.penet.fi by gate.demon.co.uk id aa01230;
> > 17 Sep 93 6:07 GMT-60:00
> > Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^see originating mail location?
> > id AA15730; Fri, 17 Sep 93 07:58:28 +0300
> > From: DarkAvenger@sofia.somewhere.bg
> > Message-Id: <9309170458.AA15730@anon.penet.fi>
> > Return-Path: <DarkAvenger@sofia.somewhere.bg>
> > Date: Thursday, 16 Sept 93 22:02:54
> > To: amn@ubik.demon.co.uk
> > MMDF-Warning: Parse error in original version of preceding line at gate.
demon.co.uk
> > Subject: NO i am NOT
> > Status: RO
>
> NO , I have not found "more interesting thigs to do"!
> If you don't know it yet, I am still active and will release
> work at the end of the year.
> Also in case you don't know the VNI interview was mostly made up.
> I haven't talked to Sara in almost a year, and I will never again.
> She betrayed me.
> She will deny this and try to exploit my name more.
> Until the end of year.
>
> Then again.. what do you know? you are like the weasel: another
> stupid engineer.. you know nothing about viruses!
>
> UNtil then..
>
>
>
>
-------
Dark Avenger spells my name with an "h" :) And, he doesn't mail people
from cxxxxx.ic.xxxxxx.edu :) And, I think this pretty clearly illustrates the
motivations and methods of Kohntark.
In my ignorance, I blindly trusted the three cryptic replies
to be true, even thought whoever replied refused to give out
trivial information such as the number of addressing modes
for a 2 year old encryption engine (MTE) and spelled Cameroon
with a 'k' (Check out Sara Gordon's spelling of URUGUAY in
VIRUS-L Volume 6 Issue 120 -v06i120)
Shortly after other unrelated discussions and a CUD post from
Sara(h) in which I was mentioned (unnamed), someone warned me
of several posts in NUKENET by an alleged dark avenger and
Todor Todorov from an account belonging to the last,
mentioning me and Aristotle.
Sheesh. Kameroon with a -K- is the German spelling. It is also the most
common spelling a European would use. The "correct" spelling, for anyone
who cares, is Cameroun, because it is mainly a French speaking colony; A
small portion of it is English-speaking and uses Cameroon. Most likely,
An American would use Cameroon. Consult your nearest linguist or historical
specialist for verification. Talk to discman about my linguistic aptitude.
Do not attempt this at home.
Kohntark spelled SKISM incorrectly in one of his messages to me. He must be the
Dark Avenger. No, wait..he onlys -wants- to be...
Those messages in the NukeNet were prompted by the virus exchange sysop
mentioned earlier asking Todor Todorov to contact Dark Avenger and ask
him if he had really talked to me. Todor -is- a friend of mine. He
assisted me in my study of virus exchange bbs and their impact on end
users. Todor put the mail on some Bulgarian BBS, and Dark Avenger
answered it. Apparently, his answer was not liked very well by this
Aristotle and others people, because an amateur linguistic analysis followed,
detailing how much like me the Dark Avenger appeared to be.
I employed the services of a professional linguist, who stated that
indeed there are striking similarities. This can be attributed to the
fact that Dark Avenger and I have spent many hours together.
And, I usually type in lower case, in E-Mail messages, etc. Come to
think of it, most of the hackers I know must be the Dark Avenger if
this is the qualification :)
In those messages I was referred to as 'hotshot,' a word that
Sara Gordon had used on me several times on our personal
email exchange; It was then that I became highly suspicious
of the whole matter.
Yes, I used this word. I use it all the time. So does Dark Avenger. It
is a word we use to refer to certain people. It is a commonly used word
in Bulgaria. It is not so common here, but it is there. They watch a lot
of American television, and use a lot of words like this as well as a
lot of profanity. Movies. Motherfucker and Asshole are two other words
used a lot by Bulgarian hackers and virus writers. In fact, the word
"motherfucker", which "proved" it was NOT a Bulgarian that posted as
<dav> :) in the NuKeNet (since, as they said, NO Bulgarian would EVER
use -this- word), was found in a virus of Bulgarian origin a very long
time ago. Perhaps they should learn to disassemble the damned things
before trying to say what's in them. In defense of NuKe (and believe me,
there has been no love lost between some of those people and myself in
the past), I think a lot of people were baited and led on by certain people.
I called Virginia's Virus Research Institute's sysop and
owner, Aristotle to find out more about the posts and he
bought to my attention the particular writing style of
Sara(h) Gordon: She NEVER uses capital letters and
apostrophes on her personal email, and always signs her name
on the lower left hand corner. (She seldom signs her posts
Virginia Virus Research Institute is (was) The Black Axis BBS. The place
that sold viruses for one hundred dollars per collection. Pretty
enterprising, eh? Only, a lot of them were junk. The sysop is the same
one who told me he was going to get the Dark Avenger to come forth, to
'Save my Name' or something like that. He also told me that if a new
virus appeared, bearing the name 'Dark Avenger', people would want to
'catch' the virus writer again. And, guess what? Such a virus did
appear. A crude hack of the Burma virus, with a text string included:
DARKAVENGER :). And, it was this very sysop that uploaded it to a
certain well known virus exchange BBS. Slick, huh? But definitely not the
work of Dark Avenger.
However, this will not make me identify the Dark Avenger, assuming I did
know the path to his door.
This same sysop also told me (when he closed his system) that he had
intentionally tried to incite people, and had made some mistakes along
the way in doing this. We all make mistakes. Unfortunately, Kohntark is
making a really big mistake here.
Yes, I use lower case ALL THE TIME. And, like Dark Avenger, I sometimes
do and sometimes do not use correct punctuation. Apparently Kohntark has
not been around in the early days of <dav> postings on Fidonet. Oh,
that's right. He does not read it. Well, if he had, he would have seen
Dark Avenger had this 'style' a long time before I ever heard of
computer viruses.
I am using upper case in this article (mostly) because when I write for
a readership (as opposed to private mail, and online chats, etc.), I use
correct form. Well, as correct form as I can.
nowadays and changes her user name in her vfr@netcom.com
account every week!; for further proof of her writing style,
please refer to public posts in VIRUS-L Volume 6 #120; I also
have over 100K of personal email exchange to prove this
fact!)
Shame on me. I change my user name :) I am so El33t....
I'm too hexy for my shirt, too hexy for my shirt...blah blah
It was then that we realized that she was passing herself as
Todor Todorov and the dark avenger (who could possibly verify
their online identity?) and had infiltrated NUKENET..
HAHAHAHAHAHAAHHAAHHA oops, excuse me..hahahahahaha
This is ridiculous, as anyone who has checked will know. Todorov is happy to
take calls from people about this matter; eminent
publicly (not anonymous) figures in the field know that I wrote
the truth, and there really is nothing further to be said about this
nonsense.
The writing style described corresponds exactly to the one on
the posts I received from the 'dark avenger.'
Shortly afterward the <dav@danbo.digsys.bg> account was
cancelled and I learned the whole truth:
Oh my. My writing style corresponds exactly to Dark Avengers. It
certainly does, when I want it to, or when I have been writing to him a
lot. And, it does when I write e-mail. So what? So does the style of a
of people :) We are all Dark Avenger. If you counted the names of
everyone who writes in lower case, makes spelling areas, and signs their
mail in the lower left hand corner of messages, how many people do you
think you would find?
About the account: Yes, it was cancelled. After Kohntark forged mail from
that site, prompting a response from WIRED, I asked the system administrator
to cancel the account so that no more such trickery could take place,
requiring me to spend time trying to straighten it out. He
was happy to do it. He had more than a few problems with Dark
Avenger ftping files in excess, and had only retained the account as a
personal favor to me. <dav> (yes, that IS how he signs personal mail,
e-mail and some of his viruses) did not exactly be a nice boy on that
system.
The danbo.digsys.bg Bulgarian site belongs to Daniel Kalchev,
another self appointed AV researcher whose best claims to
fame are submitting various Bulgarian viruses to Patricia
Hoffman's VSUM!!
Self-appointed? He is the administrator of the Internet there. I think
Kohntark is not fully aware of just who Mr. Kalchev is.
(You can check this by doing a search on 'Kalchev' on the
current VSUMs or you can contact him thru:
<daniel@danbo.sigsys.bg> )
No. The best address is daniel@digsys.bg. Mr. and Mrs. Kalchev both have
accounts there, and you can reach them best if you use this address.
And please do feel free to contact him. He will tell you that he has
talked to Dark Avenger for a very long time. Long before digsys was on
the internet, and long before I met either of them.
He is a very close friend of Sara(h) Gordon and he has an
account in her VFR BBS (you can check this by logging into
her system and checking the user list) and SHE has an
account in digsys.bg under <sarah@danbo.digsys.bg> (this
account is still valid as far as I know; notice the H after
her name!)
Of course he is a very close friend of mine. He has visited me here, and
has been a great help to me in my work. Yes, I do have an account there.
It has been there since I was invited by the Bulgarian ACM to present my
work on Computer Viruses at their International Computer Virus
Conference. It was nice of Daniel to do this for me, to make it
convenient for me to access my mail, as I could have it forwarded there.
We never did remove the account, as Bulgarian's prefer to mail in their
own country for some reason. The H after my name is very simple: My name
is Sarah Gordon. On the nets, I use Sara. When I am friends with
someone, I use my given name. I do not like my given "familiar" name to
be used in my articles or in e-mail from people I don't know. It is a
quirk, I guess. My papers are presented using the Sara variant :)
What I concluded is that is the DA would never get an account
in such system as he HATES Daniel Kalchev!!!!
Another wrong conclusion.
The DA might not, but then the District Attorney usually doesn't :)
Wrong. and Right. He certainly did get an account there. Call Daniel
Kalchev or mail him to ask him. He has had many conversations with Dark
Avenger there. He does sure hate Daniel. In this one thing, Kohntark is
correct. He hates him violently. And, he's been on his BBS for years.
Where do you think he used to post messages FROM?
I tried repeatedly to act as intermediary between Dark Avenger and
Kalchev, because they both have been very good to me. There was just no
way to do it. Dark Avenger thinks Kalchev is (in his own words) "asshole
hotshot with big company and lots of money, he can afford to give free
accounts...". And yes, he used the word HOTSHOT. JUST LIKE ME.
This is what really happened: Sara(h) Gordon in her
desperation to prove that she was in touch with the dark
avenger, told her pal Daniel Kalchev to make an account under
the dark avenger's name (<dav> this is how she always refers
to him, even though he never signs his name that way (check
the source code for his 'Dark Avenger' virus or the
'Commander Bomber' virus message name: [DAME])
No one has the source code for Commander Bomber that I know of except
myself and Dark Avenger, as I previously noted. He has signed his name
this way for a very long time, in his e-mail. You can verify this easily
enough by asking Todor, Daniel, Bontchev, or anyone who used to read his
old posts. Sometimes he does, sometimes he doesn't, just like me.
From there she could email me messages that would come from
Bulgaria and would be untraceable since she would log into
her account in digsys.bg and log into the <dav> account
internally from the same site in Bulgaria. (You can check
where and when most of the people log from in most internet
unix and vax sites)
:). If I wanted to mail Kohntark untraceable messages, I would not have
to go to this extreme, as you well know :)
As it is expected from her, she has denied any of this.
Some of her ridiculous explanations include things like
"hotshot is a very common English word in Bulgaria" !!!
You might ask yourself what is the deal with the h? is it
sara or sarah??
Well, I asked her the same question when I noticed this in
one of the VNI interviews, where her name is spelled as
Sarah.
She replied that this was a mistake of the publisher.
Mistake? well not really, it was another lie, meant to throw
off any information and truth seekers, for example you can
check her account in Daniel Kalchev's system:
I explained this previously. It was a mistake. VNI is not supposed to
use my given entire familiar name. In fact, they did mess up. They did
not use it in the Dark Avenger interview, despite I had put it there as
"Sarah". I told Dark Avenger I would do this for him. He asked me to do
it, but for some reason they did not. Later, they -did- use my given
name in a totally different situation. I can't account for their errors.
<saraH@danbo.digsys.bg> , spelled with an H,
another 'mistake of the publisher?'
:)
Other countless Sara Gordon lies are told in NUKE Info-
Journal # 6.
In the last NuKe Journal, the authors posted some private mail of mine,
and said "Look how nice she knows this public mail will be read"..at the
same time, the posted some public mail, from my BBS, which I had
forwarded to one of them as a reply, and said "Look how nasty she is
when she thinks no one can see". All in all, their response to both
letters prompted a lot of people to think I had -joined- NuKe. For the
record, nope.
This behavior puts in question the validity of the VNI
interviews and the reputation of Sara(h) Gordon as a serious
(self appointed) 'virus researcher'
:)
IMHO the VNI interviews are a complete fabrication, meant
only to boost her validity as a 'journalist', and to make her
lots of money, charging for further 'interviews' to other
magazines. (She has offered her paid 'interviewing' services
to various other publications.)
:) Lots of money? Well, first off, I told you how the Dark Avenger
interview profited me. It didn't. Secondly, yes, I do write for
magazines and I sell the articles. Some, I give away. I don't do any of
this for the money. As for other interviewing, I recently interviewed
two virus writers (one who has stopped, one who has not), and they are
quite pleased with the articles. I'll ask them to contact you personally
to tell you as the article is not yet in print. Keep in mind, I have
literally no control over commentary by editors, omissions, etc.
To the best of my knowledge the information I present here
is true and can be checked.
Yes, it can be checked, and I hope you check it and print what you find
along with this commentary.
I chose to publish this information, despite threats against
my well being and countless lies about me propagated by
Sara(h) Gordon.
Now, about threats and lies. Here is the sort of mail I have received
from Kohntark. In the interest of space, I will send you the headers,
etc., so that you can see them and include here only the sort of
diatribe he has been so vehemently sending me.
I contacted his system administrator after this continued for such
a long time. I'm not a Cori. I don't take every "hey, wanna have phone
sex" message as a potential threat, I don't call people's probation
officers for the hell of it, I don't ring up sysadmins at the drop of a
hat to accuse innocent people of causing trouble. And, I discussed this
situation with a lot of people, hackers and virus writers, friends and
foes, prior to taking this action. There's no way to know over the nets if
someone is really a maniac or if they are just playing around. In this case,
considering the nature of the mail, I did contact them.
First, the apology after he had gotten particularly nasty.
Organization: Anonymous contact service
Reply-To: xxxxxx@anon.penet.fi
Subject: Apology
Date: Fri, 30 Jul 93 8:08:45 EDT
Status: OR
Sara:
I want to apologize for everything that I have said that you might
have found offensive.
I drop all accusations I have made against you.
again, I am sorry.
I have no desire in creating any animosity, and / or bad publicity
to my name or yours.
Sorry things got this silly and out of hand.
Please accept my apologies and let's drop the whole thing OK?
Thank you.
------------
Followed almost immediately by a forgery. What Kohntark did not realize
is that I am in contact with Simon. In fact, I arranged for him to come
to a virus conference, with all of his expenses paid. I am writing an
article for 40-HEX, and I immediately called Simon to ask what in the hell was
this about. After he told me, I went back and checked the mail headers.
Guess what I found?
From simon@skism.login.qc.ca Sat Jul 31 07:44:26 1993
Received: from anon.penet.fi by mail.netcom.com (5.65/SMI-4.1/Netcom)
id AA17333; Sat, 31 Jul 93 07:44:19 -0700
Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
id AA21213; Sat, 31 Jul 93 17:40:54 +0300
From: simon@skism.login.qc.ca
Message-Id: <9307311440.AA21213@anon.penet.fi>
Return-Path: <simon@sklism.login.ca>
****Notice: He misspelled skism. Maybe -he- is the Dark Avenger.
I mean, if spelling counts..***
Date: Fri, 30 Jul 93 12:01:02 EST
Subject: get real!
Apparently-To: <vfr@netcom.com>
Status: OR
to vfr@netcom.com.... (Nobody)
what is the matter? everyone knows you are sara gordon, are you afraid
to sign you own name now??
Yes sara gordon, i heard rumours that you are passing yourself
as the dark avenger. It wouldn't surprise me since you are
even afraid to sign your own postings.
--------
Ha. Actually he signed the above message at the bottom left:) He must be
me in Real Life.... As we all have seen by now, if you sign the bottom
left of your mail, you are Sara Gordon.
Then, here he tells me how he has proved yet another self-appointed
virus researcher wrong. Of course, the researcher in question is not
wrong. He is Vesselin Bontchev, a rather pedantic but technically
brilliant anti-virus Doctoral student at the University of Hamburg.
Kohntark seems obsessed with proving anti-virus researchers wrong. It
would make more sense to me to learn from the researchers. I am not
talking about product developers or sales people, but researchers.
ME=Sara
HIM=Kohntark
ME: dont you get it? im sorry, i am not going to respond to all of this
nonsense. maybe you can get vesselin to respond to you again, but
i doubt it considering his opinion of your 'knowledge'...
HIM: I don't give a damn about what he thinks, I have shown the self appointed
virus expert is wrong.That is all.
---------
and, here (i'm reverting to UNIX lower case now, i must be the dark
avenger..), he begins his harassment again.
HIM: you don't have any children do you? It shows
Then, after he tell me he knows all about me, he proceeds to mail me to
taunt me with addresses referring to my child.
From kohntark@youhavea10yearoldson.com Sun Aug 29 10:55:45 1993
Return-Path: <kohntark@youhavea10yearoldson.com>
Received: from [193.64.138.3] by mail.netcom.com (5.65/SMI-4.1/Netcom)
id AA07061; Sun, 29 Aug 93 10:55:39 -0700
Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
id AA22796; Sun, 29 Aug 93 20:50:35 +0300
ME: am tired of your threats. the only danger you are to me
is to waste my time with this nonsense.
HIM: we will see.
HIM: Never underestimate the power of hate.
HIM: The end is coming.
HIM: Also: you said 'oh my name is spelled SARA, VNI misspelled it!
yeah right ! you idiot!
you forgot who you are dealing here ha ha! not a fool like you!!!
stupid tricks like changing your name can't defend you from thy mighty
Kohntark!
prepare yourself!!
the end is near!
Obviously i have overestimated your intelligence..
My dog has a higher IQ..
"who is anthony naggs?.." DUHH!
Thanx for making my job easier he he.
You think you got me? sure.. go ahead.. fry that guy's account, you will
be doing me a favour he he!
AH, and start looking for a new job.. you will need it soon after i am done
with you
you idiot!
------
He likes me to know he is watching me. Only, for a supreme UNIX hacker,
he has not mastered the skills quite yet..note the paths again..
(baby copperfield is one of the names i used. i have red hair, and its a
long story; someone asked me if i had read dickens and i replied 'yes,
I've read baby copperfield'. CHFN followed :)
But this was a bit eerie mail. Love him?
From babycopperfield@haha.com Sun Sep 12 17:39:50 1993
Received: from anon.penet.fi by mail.netcom.com (5.65/SMI-4.1/Netcom)
id AA22703; Sun, 12 Sep 93 17:39:42 -0700
Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
id AA24832; Mon, 13 Sep 93 03:39:00 +0300
From: babycopperfield@haha.com
Message-Id: <9309130039.AA24832@anon.penet.fi>
Return-Path: <babycopperfield@haha.com>
Date: Fri 13 Dec 66 00:00:00
To: <vfr@netcom.com> (Sara)
Subject: I know you are on...
Status: OR
hi!
i know you are logged on now...
shame we cannot talk,, you know friendly discussions ha ha..
i might call to your bbs.. can i upload your gif picture??
yes?
if i like you you might just get lucky ...
Love me.
------
More of his article..
I am doing this to stop the lies and corruption fostered by
the Anti-Virus industry.
---------
What do you think? Is he doing -this- to stop the lies and
corruption? It seems to me that the anti-virus industry would benefit
from the Dark Avenger coming back onto the scene. They could sell more
software, get the whole hacking community attacked by people who are
afraid enough already. Why we could get a whole entire Legion of Virus
Fighters up in arms, eh?
If Kohntark wanted to do this 'stopping of lies and corruption', he would
not be helping to recreate the myth of the Dark Avenger. He would not be
impersonating him, harassing me, and telling people (impersonating Dark Avenger)
that he will still release viruses into the wild. I also do not like lies and
corruption, and work very hard to stop it. I do not profit from it in any
substantial way.
I run a free BBS: I distribute anti-virus software for free, and
encourage people to choose software that will work for them in their
situation. I don't go for the big scare tactics used by some companies,
and I don't recommend those products. Not only because I don't like
their marketing, but because their products are not as
efficient/accurate as other products. I don't like that we have to have
these products, but we do. It's a fact of life. If we can educate people
on the real situation with viruses, we can stop a lot of this "Let's get
those bad virus writers" before it's too late. We don't need another
Dark Avenger. We don't need laws that will infringe on our freedoms.
If anyone takes this "Sara and the Dark Avenger scam" even half-way
seriously, they can email me, and ask me whatever specific questions
they like. I also have a suggestion here, one that might even lead to
some sort of agreement between this Kohntark and the rest of the hacker
community that does not support lies and harassment. You call Todorov,
e-mail or call Bontchev. Ask them. I'll come to HoHoCon (if someone buys
me a ticket; although Kohntark thinks I had better look for a job, the
fact is I don't have a real job), and compile the bomber source code
and MtE Source (not the pitiful disassemblies that appear on a lot of
BBS, but the REAL source, supplied to me by <dav> when I questioned HIM
to make sure he was the "Real Thing". I'll show you step by step how it
compiles flawlessly and works. If after you confirm that to the best of
your knowledge, what I am saying is true, then I think Kohntark owes me
an apology. And, an apology to the rest of the virus writers and hackers
who do not need or deserve to be portrayed as evil demented creatures
who are waiting to "Destroy the World".