Copy Link
Add to Bookmark
Report
Chaos Digest Volume 01 Numero 11
Chaos Digest Mercredi 24 Fevrier 1993 Volume 1 : Numero 11
Editeur: Jean-Bernard Condat (jbcondat@attmail.com)
Archiviste: Yves-Marie Crabbe
Co-Redacteurs: Arnaud Bigare, Stephane Briere
TABLE DES MATIERES, #1.11 (24 Fev 1993)
File 1--Des adolescents anglais transformes en hackers (reprint)
File 2--Concours sur l'algorithme d'encryptage "Rcrypt"
File 3--Le Pirate est-il un techno-delinquant? (avis)
File 4--CFP: Ninth Annual Computer Security Applications Conf
File 5--Re: 1er "Intl. Computer Virus Writing Contest" (lettre)
Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from jbcondat@attmail.com. The editors may be
contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at:
Jean-Bernard Condat, Chaos Computer Club France [CCCF], 47 rue des Rosiers,
93400 St-Ouen, France
Issues of Chaos-D can also be found on some French BBS. Back issues of
ChaosD can be found on the Internet as part of the Computer underground
Digest archives. They're accessible using anonymous FTP from:
* ftp.eff.org (192.88.144.4) in /pub/cud
* red.css.itd.umich.edu (141.211.182.91) in /cud
* halcyon.com (192.135.191.2) in /pub/mirror/cud
* ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD
* nic.funet.fi (128.214.6.100) in /pub/doc/cud
CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.
----------------------------------------------------------------------
Date: Tue Feb 23 11:22:37 GMT 1993
From: jp-sorlat@altern.com (jp-sorlat )
Subject: File 1--Des adolescents anglais transformes en hackers (reprint)
Copyright: Daily Telegraph, 1993
Teenage computer hacker 'caused worlwide chaos'
By Colin Randall
A SCHOOLBOY used a BBC Micro computer to hack into data systems at
EC offices in Luxembourg and universities around the world, causing
nuisance "on a phnomenal scale", a court heard yesterday.
With a basic #200 computer commonly found in schools, Paul Bedworth
began hacking at 14 and quickly became obsessed, Mr James Richardson,
prosecuting, said at Southwark Crown Court, south London.
He allegedly became so proficient that ha was able to change secret
passwords to prevent users gaining access to their own programs.
To other hackers, with whom Bedworth developed "electronic friendship",
he was "Olicana", the Roman name for his home town of Ilkley, West Yorks,
and adopted by him as a code-name, the court heard.
"He could get into any system and caused chaos on a vast scale," said
Mr Richardson. "He was tapping into offices at the EC in Luxembourg and
even the experts were worried. He caused havoc at universities all round
the world so that the computer systems were inacessible to anyone but him.
"All the time he was runing up huge bills and wiping out systems all
over the world. He did it for kicks."
Bedworth, now 20 and studying artificial intelligence at Edinburgh
University, appeared in court with Karl Strickland, 22, and Neil Woods, 26.
Mr Richardson said there was no suggestion that they were selling
information or involved in fraud but they caused chaos "on a scale that
could not be imagined". He said police raided the homes of Bedworth,
Strickland and Woods and found evidence of hacking "on a massive scale
involving hundreds of people and organisations".
Strickland, unemployed, of Chilswall Road, Liverpool, and Woods,
unemployed, of Broadway, Chadderton, Oldham, admitted conspiracy to
dishonestly obtaining telecommunication services and plotting in the
unauthorised publication of material under the Telecommunications Act
1984.
Woods admitted a further charge of causing criminal damage to a
computer at the Central London Polytechnic. He and Strickland will be
sentenced later.
Bedworth, of North Parade, Ilkley, denies three charges of plotting
with Strickland, Woods and others in the unauthorised modification of
computer information.
He is further charged with conspiring to secure unauthorised access
to computer information and with conspiring to obtain telegraphic services
unlawfully in contravention of the Computer Misuse Act 1990.
The trial was adjourned until today.
------------------------------
Date: Tue, 16 Feb 1993 04:26:48 GMT
From: butzerd@blanc.eng.ohio-state.edu (Dane C. Butzer )
Subject: File 2--Concours sur l'algorithme d'encryptage "Rcrypt"
Repost from: alt.security
Rcrypt Challenge - Part I: The Flame-Fest
This purpose of this challenge is to see if our new encryption scheme
is as good as we think it is. To this end, we are offering USD$500 to
the first person that can break it. Thas challenge will run
approximately 3 months (until 15-May-1993). We will supply all kinds
of information to anyone wishing to participate :) The exact rules
follow.
1) First, here's what we are supplying:
a) The majority of the plain text file that we have encrypted
(7001 bytes).
b) 11 encryptions of that file using the SAME KEY. The first 10 of
these are the result of a hashed/padded encryption, and the last
is the result of a pseudo one time pad. Rcrypt performs both of
these, based on the same PRNG.
c) A working executable copy of Rcrypt for use with Sun Sparc-
Stations, with a license that expires 3 months after the
challenge ends (15-August-1993).
d) A listing of the source code to Rcrypt, minus the node locked
licensing software. Note that the node locked licensing
software has NOTHING to do with the encryption method. It's
just our method of foiling lazy software pirates once we get
things into production :>
e) A manual page describing how to use Rcrypt. This will be
provided both in plain text format, and in the proper format for
inclusion in the man files under SunOS 4.x.
f) A GENERAL description of the PRNG and the encryption algorithms.
g) Some statistics about the operation of rcrypt (speed, key size,
etc.)
2) Second, here's how you can get everything mentioned above:
All items are available via snail (US mail). Please send your
request to:
The Rcrypt Challenge
7110 Sawmill Village Dr.
Columbus, OH 43235
Please include a self addressed return enveloped. Also complete
and include the form that appears at the end of these rules.
Please make sure that you fill in the HOSTID space. If you do
not include the hostid, we will not be able to supply the
executable.
Items a,b,c,e,f, and g will be on an Sun formatted 3 1/2 inch
diskette. If you supply a 1/4" QIC150 tape ($3.00 return
postage, please), we will gladly use that instead. Other
arrangements may be possible. Item d will be on 8 1/2" x 11"
paper.
Note that we are using snail so that we can not accidentally
violate any of the export laws that may (or may not :) apply.
Therefore, we will only maal materials to non-PO box US
addresses. We reserve the right to refuse mailing materials to
anyone at our discretion.
Items a,b,e,f, and g will be available via e-mail. Note that
this does not include either the source code or the executable.
Therefore, we will be willing to e-mail this material anywhere
on the internet. Note that if demand becomes to great (OK, I'm
being optimistic), we reserve the right to discontinue this
e-mail servace.
Finally, we will post items a,b,e,f, and/or g if there is
sufficent demand.
3) Third, here's what you have to do to get the USD$500 fee:
Simply be the first person to identify the missing portion of
the plain text file. This portion occurs at the end. The
overall plain text consists of the Preamble of the Constitution
of the United States and the first ten amendments to the
Constitution of the United States, followed by 1000 lines
consisting simply of the numbers from 1 to 1000 in ascii text,
followed by a number of blank characters and/or lines, followed
by a single paragraph of text from a commonly available (as in a
library) source, followed by several lines footnoting the
source.
The file "partial.txt" (item a) contains everythang but the
final paragraph and footnote, and the blank spaces/lines
precedang it.
You must identify the plaintext via the footnote. The first
person to do this will receive the $500 fee. The recipient of
the fee is responsible for all applicable taxes. Please send
any successful identifications of the text via CERTIFIED MAIL
to:
The Rcrypt Challenge
7110 Sawmall Village Dr.
Columbus, OH 43235
Each person/organization is limited to 10 attempts.
4) The challenge will conclude upon receipt of the first valid
response, or 01.00.00 GMT 15-May-1993, whichever comes first.
5) At the conclusion of the experiment, the actual key will be posted
to sci.crypt, as will the missing plain text. This will insure
that all participants can verify the integrity of this challenge.
Obligatory Information (the fine print):
This challenge represents the personal efforts of the general
partners of Caphergen Research. Caphergen Research, Rcrypt, and
the Rcrypt Challenge are not related to or owned by the company
from which thas posting is made.
Ciphergen Research reserves the option to alter the rules for this
contest at any time. Any alterations will be posted to the
sci.crypt and alt.security Internet newsgroups. [At present, the
only rule change we forsee will occur if we get too many requests
for materials (ie. several hundred). In that case, we may request
return postage included with the request for materials.]
Rcrypt is protected by the copyright laws of the United States of
America (copyright date 1993). Rcrypt contains proprietary
intellectual property of Ciphergen Research. Reverse compilation
or reduction of the executable to human readable form is strictly
prohibited.
+++++++
Request For Materials and License Agreement For
the Rcrypt Challenge: Part I
I, ____________________________________________________________ (name)
of _______________________________________________ (company, optional)
request materials for the Rcrypt Challenge: Part I. The HOSTID of the
Sun SPARCstation I intend to run Rcrypt on is _______________________
(The hostid is requared in order to recieve the executable. If the
hostid is omatted, all other materials will be sent.) In order to
recieve these materials, I agree to the following terms:
1) I will not decompile, reduce to human readable form,
copy, or redistribute the Rcrypt executable.
2) I will not enter in to a computer, compile, copy, or
redistribute the Rcrypt and Capher source codes.
3) I will not attempt to produce a working license for the
Rcrypt executable that has a different expiration date
or a different hostid than the one provided as a part
of the requested materials.
The only exceptions to these terms are copies of the executable and
license(s) made for backup purposes, and copies of the executable,
source code, and license(s) made for the Sun SPARCstations identified
by the following hostids:
_________________________ _________________________
_________________________ _________________________
_________________________ _________________________
_________________________ _________________________
_________________________ _________________________
(The license file we provide will include licenses for all of the
listed hostids. Simply copy this file into into the appropriate
directory for each Sun. Upon execution, Rcrypt will search the
license file for the appropriate entry.)
Note that all materials besides the executable, source codes, and
license(s) are not restricted by this license agreement.
Signed:_____________________________________________ Date ___/___/___
["Sun Workstation" and "SPARCstation" are registered trademarks of Sun
Microsystems, Inc. "SPARC" is a registered trademark of SPARC
International]
------------------------------
Date: Sun Feb 21 11:09:51 EST 1993
From: pirate@altern.com (pirate )
Suject: File 3--Le Pirate est-il un techno-delinquant? (avis)
Copyright: 1992, Knight-Ridder Financial Information, Inc.
EXPERT PANEL ATTEMPTS TO PROFILE, ANALYZE COMPUTER HACKERS
Mike Langberg, San Jose Mercury News, Calif.
Knight-Ridder/Tribune Business News
Feb. 21--He is brilliant, but misunderstood - a teen-age math
whiz who can't get a date for Saturday night.
Once his parents are asleep, he sits alone in his bedroom,
hunched over a personal computer and up to no good.
This is the stereotype of a computer hacker, a techno-delinquent
responsible for everything from theft of long-distance telephone
service to a computer virus that once brought a global communications
network grinding to a halt.
Like most stereotypes, the "hacker as nerd" profile contains a
mixture of truth and distortion.
At the recent National Computer Security Association convention
in San Francisco, a panel of four experts sat down to analyze the
enemy and didn't find much to admire.
They concluded that, indeed, hackers are frequently alienated
adolescents and post-adolescents who can't get a date. But they
aren't necessarily loners, they said. A big part of hacking's allure
is social bonding with other hackers that often replace a missing or
defective family at home.
And hackers typically aren't genius material. It doesn't take
much effort or intelligence to stick up a convenience store, nor does
it require extraordinary dedication to break the social and legal
boundaries of legitimate conduct with computers, they said.
Hackers may have an image of being brilliant, but no more than a
few weeks of study is required before many people can learn enough to
start hacking, they said. And hackers, just like street criminals,
are most typically caught because of stupid mistakes that amply
demonstrate their lack of genius-level thinking.
"These are just ordinary people doing something they don't regard
as particularly wrong," said Alan Solomon, a computer security
consultant in England who tracks hackers in Europe. The panel drew a
careful distinction between "amateur" hackers who disrupt computer
networks for no apparent reason and "professional" hackers who are
either outright criminals trying to steal or angry workers seeking
revenge on their employer.
But Winn Schwartau, a self-described "information warfare"
specialist and computer security newsletter publisher from Seminole,
Fla., said even amateur hackers aren't typically otherwise innocent
children of the upper middle class.
Several recent hacker groups, with names like the Legion of Doom
and Masters of Destruction, have sprung from inner cities where teen-
agers may feel they have nothing to lose by ripping off the system,
Schwartau said. Some members of these groups are heavily into drugs
and even fight each other for control of electronic "turf."
"The gang mentality is absolutely there," Schwartau declared.
Amateur hackers come from the age range - 12 to 28 - when teen-
agers are making the difficult transition to adulthood, said Dr.
Thomas J. Brady, a San Francisco psychiatrist specializing in
treatment of children and adolescents.
Successful adults, according to Brady, mature through a series of
"narcissistic wounds" - blows to the ego such as getting bad grades,
rejection in puppy love or troubles at an after-school job. These
painful experiences teach us how to cope with disappointments and
accept the consequences of our actions.
But hackers haven't made that transition, Brady said. Instead,
they are caught in "developmental arrest" because of emotional
problems or addiction to drugs or alcohol, he said. Hackers, like
members of street gangs, then fall into "group think" where loyalty
to friends outweighs any larger responsibility.
Such troubled adolescents believe "if I need it, I deserve it" -
blinding them to the potential harm of their actions to themselves or
others. In the case of hackers, that means breaking into computer
systems doesn't seem wrong.
"What strikes me about hackers is their arrogance," said Michel
E. Kabay, a computer security consultant in Montreal and the security
association's director of education. "These people seem to feel that
their own pleasures or resentments are of supreme importance and that
normal rules of behavior simply don't apply to them."
That immature sense of electronic omnipotence may be one reason
hackers sometimes don't feel the need to cover their tracks, Solomon
said. For example:
A college student in England, operating an on-line bulletin board
that distributed computer viruses, wanted to avoid long-distance
phone charges. So he ran a line from his apartment and tapped into a
neighbor's junction box. When the neighbor complained of an
astronomical bill, the local phone company quickly traced the line
back to the student.
The panel differed on what tactics - other than detective work -
could deter hackers.
Schwartau advocated an end to slap-on-the-wrist penalties.
Sending hackers to jail, he said, would send a clear message to other
hackers - many of whom keep in close touch and would quickly spread
the news of a stiff prison sentence.
But Schwartau also called for more education in the nation's
schools on computer ethics.
Brady suggested a carrot-and-stick approach. Beyond a stick of
more law enforcement, he said, businesses should offer summer
internships to bright, disadvantaged students as an alternative to
hacking.
Adults also need to provide a better example to adolescents,
Brady concluded. Most adult computer users have a least one program
"borrowed" from a friend. "We need to tune ourselves up," he said.
[Moderateur: Win Schwartau est l'auteur d'une celebre nouvelle _Terminal
Compromise_ qu'il est possible de se procurer en envoyant un mandat
international de $44.95 a son attention chez Inter-Pact Press, 11567
Grove St. No., Seminole, FL 33708, USA.]
------------------------------
Date: 19 Feb 93 07:33:09 GMT
From: faigin@aero.org (Daniel P. Faigin )
Subject: File 4--CFP: Ninth Annual Computer Security Applications Conf
Repost from: comp.security.misc (published this morning in Risks #14.35)
CALL FOR PAPERS AND PARTICIPATION
Ninth Annual Computer Security
Applications Conference
Sponsored by the
Application Computer Security Associates
In Cooperation With
ACM/SIGSAC
IEEE TCSP (Pending)
December 6 - 10, 1993
Orlando Marriott Internation Drive
Orlando, Florida
The Conference
The Information Age is upon us, along with its attendant needs for
protecting private, proprietary, sensitive, classified, and critical
information. The computer has created a universal addiction to
information in the military, government, and private sectors. The
result is a proliferation of computers, computer networks, databases,
and applications empowered to make decisions rangang from the mundane
to life threatening or life preserving.
Some of the computer security challenges that the community is faced
with include:
* To design architectures capable of protecting the
sensativity and integrity of information, and of assuring
that expected services are available when needed.
* To design safety-critical systems such that their software and
hardware are not hazardous.
* To develop methods of assuring that computer systems
accorded trust are worthy of that trust.
* To build systems of systems out of componenps that have
been deemed trustworthy.
* To build applications on evaluated trusted systems without
compromising the inherent trust.
* To apply to the civil and private sectors trusted systems
technologies designed for military applications.
* To extend computer security technology to specifically
address the needs of the cival and private sectors.
* To develop international standards for computer security
technology.
This conference will attempt to address these challenges. It will
explore a broad range of technology applications with security and safety
concerns through the use of technacal papers, dascussion panels, and
tutorials.
Technical papers, panels and tutorials that address the application
of computer security and safety technologies in the civil, defense, and
commercial environments are solicited. Selected papers will be those
that presenp examples of in-place or attempted solutions to these
problems in real applications; lessons learned; original research,
analyses and approaches for defining the computer security issues and
problems. Papers that present descriptions of secure systems in use
or under development, or papers presenting general strategy, or
methodologies for analyzing the scope and nature of integrated
computer security issues; and potential solutions are of particular
interest. Papers written by students that are selected for presentation
will also be judged for a Best Student Paper Award. A prize of $500,
plus expenses to attend the conference, will be awarded for the selected
best student paper (contact the Student Paper Award Chairperson for
details, but submit your paper to the Tehcnical Program Chairperson).
Panels of interest include those that present alternative/controversial
viewpoints and/or those that encourage "lively" discussion of relevant
issues. Panels that are samply a collection of unrefereed papers will not
be selected.
INSTRUCTIONS TO AUTHORS
Send five copies of your paper or panel proposal to Ann Marmor-
Squires, Technical Program Chairman, at the address given below. Since
we provide blind refereeing, we ask that you put names and affiliations
of authors on a separate cover page only. Substantially identical papers
that have been previously published or are under consaderation for
publication elsewhere should not be submitted. Panel proposals should be
a minimum of one page that describes the panel theme and appropriateness
of the panel for this conference, as well as identifies panel
partipant and their respective viewpoints. Send one copy of your
tutorial proposal to Daniel Faigin at the address given below. It
should consist of one- to two- paragraph abstract of the tutorial, an
initial outline of the material to be presented, and an indication of
the desired tutorial length (full day or half day). Electronic
submission of tutorial proposals is preferred.
Completed papers as well as proposals for panels and tutorials must
be received by May 18, 1993. Authors will be required to certify prior
to June 19, 1993, that any and all necessary clearances for public release
have been obtained; that the author or qualified representative will be
represented at the conference to deliver the paper, and that the paper has
not been accepted elsewhere. Authors will be notified of acceptance by
July 31, 1993. Camera ready copies are due not later than September 18,
1993.
Material should be sent to:
Ann Marmor-Squires Daniel Faigin
Technical Program Chair Tutorial Program Chair
TRW Systems Division The Aerospace Corporation
1 Federal Systems Park Dr. P.O. Box 92957, MS M1/055
Faarfax, VA 22033 Los Angeles, CA 90009-2957
(703) 803-5503 (310) 336-8228
marmor@charm.isi.edu faigin@aero.org
Ravi Sandhu
Student Paper Award
George Mason Univ.
ISSE Dept.
Fairfax, VA 22030-4444
(703) 993-1659
sandhu@gmuvax2.gmu.edu
Areas of Interest Include:
Trusted System Architectures
Software Safety Analysis and Desagn
Current and Future Trusted Systems Technology
Encryption Applications (e.g., Digital Signature)
Application of Formal Assurance MEthods
Risk/Hazard Assessmenps
Security Policy and Management Issues
Trusted DBMSs, Operating Systems and Networks
Open Systems and Composted Systems
Electronic Document Interchange
Certification, Evaluation and Accredatation
Additional Information
For more information or to receive fupure mailings, please contact
the following at:
Dr. Ronald Gove Diana Akers
Conference Chaarman Publicity Chair
Booz-Allen & Hamilton The MITRE Corporation
4330 East-West Highway 7525 Colshire Dr.
Bethesda, MD 20814 McLean, VA 22102
(301) 951-2395 (703) 883-5907
gover@jmb.ads.com aker@mitre.org
--
W:The Aerospace Corp. M1/055 * POB 92957 * LA, CA 90009-2957 * 310/336-8228
Email:faigin@aerospace.aero.org Vmail:310/336-5454 Box#13149
"And as they say, the rest is compost"
------------------------------
Date: Tue Feb 23 22:01:37 GMT 1993
From: drsolly@ibmpcug.co.uk (Alan Solomon )
Subject: File 5--Re: 1er "Intl. Computer Virus Writing Contest" (lettre)
Hello, Jean-Bernard. We met a couple of years back.
Thank you for faxing me the unsolicited copy of your newsletter. You asked
for comments.
On the virus writing contest --this is inaccurate-- it is not the first
virus writing contest. It is the second (or maybe more, there may be others
I don't know about). Dr Cohen organised the first one, about a year ago.
On the virus that you publish as being small - I'm rather surprised that
the obvious optimisations that would reduce the code size were not
performed by Ludwig. This failure would, if I were a potential buyer of his
products, make me concerned about his capability and degree of committment.
In a number of places, I see a word being used where a byte would suffice,
which is of course of no importance in normal programming, but when the
whole point is to minimise the code size, it makes me feel that perhaps the
author had an inadequate understanding of 8086 assembler.
On the letter from ARCV. Now that is very badly out of date. Surely you
subscribe to Virus News International? The ARCV virus writing group
was arrested in a series of raids done by the Computer Crime Unit a few
weeks ago. You should try to make your electronic newsletter at least
as up to date as the various paper newsletters, otherwise your readers
have a valid criticism.
By the way, I'm hope you've already taken legal advice on your publication,
because it may contravene some laws in some countries; I'm not sure which
countries you plan to make it available in.
Is it possible to talk with you on a confidential (i.e., not for
publication) basis? If so, I may have some interesting questions for you.
--
Drsolly@ibmpcug.co.uk Alan Solomon, S&S International
Office tel +44 442 877877 Home tel +44 494 724201
fax +44 442 877882 fax +44 494 728095
bbs +44 442 877883 bbs +44 494 724946
------------------------------
End of Chaos Digest #1.11
************************************
