Plateforme de Hacking is a community that maintains and evolves a system of vulnerable services.

We learn collaboratively how to exploit techniques for subverting information systems.
This learning lets us improve the technologies we use and/or better understand social engineering.

We stand for mutual aid and personal challenge, and contribute modestly to making the end-user experience as pleasant as possible.

You can meet us in our IRC channel.
The forum is being replaced by a more modern version, just as fallible as the old one ^^.
To date we have recorded several dozen successful hacks against our site, and that number keeps changing. Thanks to all the contributors!

The redesign is in alpha. This new platform makes it possible to pentest remotely without having your own hardware at hand.
By running Python scripts connected over a websocket to the web UI, we can drive the loading of
attack/defense scenarios in "multiplayer" ^^.
The system can load scripts from shared libraries and encrypt exchanges depending on the modules deployed.
In the articles section you will find many tutorials to help you better understand computer security,
as well as various more advanced articles.
  • Sniffing
  • Cracking
  • Buffer overflow
  • Exploit development
  • Social engineering
  • Anonymity on the web, spoofing
  • Bypass-proxy, Bypass-firewall
  • Code injection: SSI, SQL, etc.
  • Using exploits, writing scripts (PHP, IRC, Perl)

We recommend sniffing your network while you browse the site. The redesign will provide you with tooling to carry out your attacks/defenses.

You can also take part in many challenges.
Lately, the missions relating to the latest open-source products have been doing well :)

Your ultimate challenge will be to deface HackBBS. Many vulnerabilities are present. It is up to you to find and exploit them.

This ultimate test will show how you react when faced with a vulnerability.
Black or White? ^^

Ezine of the moment: hwa-hn34.txt
    [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
  =                       <=-[ ]-=>                         =
    [=HWA'99=]                         Number 34 Volume 1 1999 Sept 19th  99
    [                     61:20:6B:69:64:20:63:6F:75:                    ]
    [               6C:64:20:62:72:65:61:6B:20:74:68:69:73:              ]
    [              20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!              ]        
         __ ___      _____     __           ___
        / // / | /| / / _ |   / / ___ __ __/ _ \____  ___ ___ _    _____
       / _  /| |/ |/ / __ |_ / _ Y _ `| \ / // / __/ / _ Y -_) |/|/ (_-<
      /_//_/ |__/|__/_/ |_(_)_//_|_,_/_\_\\___/_/ (_)_//_|__/|__,__/___/  

     The Hacker's Ethic

     Sadly, due to the traditional ignorance and sensationalizing of the mass
     media, the once-noble term hacker has become a pejorative.
     Among true computer people, being called a hacker is a compliment. One of
     the traits of the true hacker is a profoundly antibureaucratic and
     democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
     This ethic was best formulated by Steven Levy in his 1984 book Hackers:
     Heroes of the Computer Revolution. Its tenets are as follows:

      1 - Access to computers should be unlimited and total. 
      2 - All information should be free. 
      3 - Mistrust authority - promote decentralization. 
      4 - Hackers should be judged by their hacking not bogus criteria such as
          degrees, age, race, or position. 
      5 - You create art and beauty on a computer.
      6 - Computers can change your life for the better. 

     The Internet as a whole reflects this ethic.

               A Comment on FORMATTING: 
               I received an email recently about the formatting of this
               newsletter, suggesting that it be formatted to 75 columns
               in the past I've endeavoured to format all text to 80 cols
               except for articles and site statements and urls which are
               posted verbatim, I've decided to continue with this method
               unless more people complain, the zine is best viewed in
               1024x768 mode with UEDIT.... - Ed

     New mirror sites
              * Crappy free sites but they offer 20M & I need the space...
  is sponsored by Cubesoft communications
     and thanks to p0lix for the digitalgeeks bandwidth
     and airportman for the Cubesoft bandwidth. Also shouts out to all our
     mirror sites! tnx guys. 

  Mirror Sites:
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ** NEW ** ** NEW ** CHECK THIS ONE OUT ** *DOWN*

   The purpose of this newsletter is to 'digest' current events of interest
   that affect the online underground and netizens in general. This includes
   coverage of general security issues, hacks, exploits, underground news
   and anything else I think is worthy of a look see. (remember i'm doing
   this for me, not you, the fact some people happen to get a kick/use
   out of it is of secondary importance).

    This list is NOT meant as a replacement for, nor to compete with, the
   likes of publications such as CuD or PHRACK or with news sites such as
   AntiOnline, the Hacker News Network (HNN) or mailing lists such as
   BUGTRAQ or ISN nor could any other 'digest' of this type do so.

    It *is* intended however, to complement such material and provide a
   reference to those who follow the culture by keeping tabs on as many
   sources as possible and providing links to further info, its a labour
   of love and will be continued for as long as I feel like it, i'm not
   motivated by dollars or the illusion of fame, did you ever notice how
   the most famous/infamous hackers are the ones that get caught? there's
   a lot to be said for remaining just outside the circle... 



                     Welcome to ... #34


    We could use some more people joining the channel, its usually pretty
    quiet, we don't bite (usually) so if you're hanging out on irc stop
    by and idle a while and say hi...   

    ***      /join on EFnet the key is `zwen'       ***
    ***                                                             ***
    *** please join to discuss or impart news on techno/phac scene  ***
    *** stuff or just to hang out ... someone is usually around 24/7***
    ***                                                             ***
    *** Note that the channel isn't there to entertain you its for  ***
    *** you to talk to us and impart news, if you're looking for fun***
    *** then do NOT join our channel try #weirdwigs or something... ***
    *** we're not #chatzone or #hack                                ***
    ***                                                             ***

  Issue #34

  [ INDEX ]
    Key     Intros                                                         
    00.0  .. COPYRIGHTS ......................................................
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
    00.2  .. SOURCES .........................................................
    00.3  .. THIS IS WHO WE ARE ..............................................
    00.4  .. WHAT'S IN A NAME? why `'?..........................
    00.5  .. THE HWA_FAQ V1.0 ................................................

    Key     Content 

    01.0  .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
    02.0  .. From the Editor.................................................. 
    03.0  .. Army to Use MacOS ...............................................
    04.0  .. Phrack Issue 55 Has Been Released ...............................
    05.0  .. E-Commerce Sites Still Vulnerable ...............................
    06.0  .. Fakescan.c by Vortexia...........................................
    07.0  .. MS get Independent Auditor for HotMail ..........................
    08.0  .. US Gov to Switch From NT to Open Source .........................
    09.0  .. Sept 15th CryptoGram.............................................
    10.0  .. Move over BO2k here's Donald Dick from Russia with love..........
    11.0  .. New HOTMAIL hole found...........................................
    12.0  .. Security Hole Found in Security Product .........................
    13.0  .. Globalstar and FBI Are Nearing Agreement ........................
    14.0  .. Matt Drudge Defaced .............................................
    15.0  .. South Africa Stats Site Defaced .................................
    16.0  .. India And Israel BackDooring US Software ........................ 
    17.0  .. The Russians Are Coming, The Russians Are Coming ................ 
    18.0  .. Biometrics Takes Frightening New Step "I am not a number!".......
    19.0  .. NASDAQ Defaced ..................................................
    20.0  .. WebTV Hole Divulges User Info ................................... 
    21.0  .. Bookshelf: "Hacking Exposed" Available Soon .....................
    22.0  .. Major Tech Companies Announce Security Plans ....................
    23.0  .. NIST To Offer Security Awareness Workshops ......................
    24.0  .. Yet Another Firewall ............................................
    25.0  .. HNN Announces Partnership With Security Focus ................... 
    26.0  .. The Search for ULG Begins........................................
    27.0  .. BO2K Discontinues US Distribution................................
    28.0  .. Taiwan Increases Cyber Warfare Training .........................
    29.0  .. White House Set to Relax Crypto Export Controls .................
    30.0  .. Crypto Compromise Reached .......................................
    31.0  .. Network Solutions Screws Up .....................................
    32.0  .. Feds Approve GPS Tracking .......................................
    33.0  .. Student Sentenced to Five Weeks .................................
    34.0  .. Stupid Mistakes Worse than Viruses ..............................
    35.0  .. "23".............................................................
    36.0  .. STEALTH SOFTWARE RANKLES PRIVACY ADVOCATES.......................
    37.0  .. SOPHOS: TOO MUCH VIRUS SCAREMONGERING............................
    38.0  .. CRYPTO BREAKER TELLS PROGRAMMERS TO WISE UP......................
    39.0  .. REPORT URGES TOUGH NET STALKING LAWS.............................
    42.0  .. LIBELING AGAIN (ATTRITION vs ANTIONLINE).........................
    43.0  .. SECURITY A MANAGEMENT PROBLEM?...................................
    44.0  .. TROJAN IN FAKE MICROSOFT Y2K MAIL................................
    45.0  .. CERT ADVISORY CA-99-11-CDE.......................................
    46.0  .. HACKER PROFILER..................................................
    47.0  .. eDOCTOR GLOBAL NETWORK...........................................
    48.0  .. DEFAULT ISSUE 5 OUT..............................................
    49.0  .. ANOTHER WANNABE HACKER CAUGHT.................................... 
    50.0  .. TROJANS - MODERN THREAT..........................................
    51.0  .. IE5 BUG LEAVES COMPUTERS OPEN TO INVASION........................
    AD.S  .. Post your site ads or etc here, if you can offer something in return
             thats tres cool, if not we'll consider ur ad anyways so send it in.
             ads for other zines are ok too btw just mention us in yours, please
             remember to include links and an email contact. Corporate ads will
             be considered also and if your company wishes to donate to or 
             participate in the upcoming Canc0n99 event send in your suggestions
             and ads now...n.b date and time may be pushed back join mailing list
             for up to date information.......................................
             Current dates: POSTPONED til further notice, place: TBA..    .................
    Ha.Ha .. Humour and puzzles  ............................................
              Hey You!........................................................
              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)...........................................

    SITE.1 .. Featured site, .................................................
     H.W   .. Hacked Websites  ...............................................
     A.0   .. APPENDICES......................................................
     A.1   .. PHACVW linx and references......................................


          Important semi-legalese and license to redistribute:
          APPRECIATED the current link is
          ME PRIVATELY current email
          Although this file and all future issues are now copyright, some of
         the content holds its  own copyright and these are printed and
         respected. News is news so i'll print any and all news but will quote
         sources when the source is known, if its good enough for CNN its good
         enough for me. And i'm doing it for free on my own time so pfffft. :)
         No monies are made or sought through the distribution of this material.
         If you have a problem or concern email me and we'll discuss it.
         Cruciphux [C*:.]


     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
    Canada / North America (hell even if you are inside ..) and wish to
    send printed matter like newspaper clippings a subscription to your
    cool foreign hacking zine or photos, small non-explosive packages
    or sensitive information etc etc well, now you can. (w00t) please
    no more inflatable sheep or plastic dog droppings, or fake vomit

    Send all goodies to:

	    P.O BOX 44118
	    370 MAIN ST. NORTH
	    L6V 4H5

    WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
    ~~~~~~~  reading this from some interesting places, make my day and get a
             mention in the zine, send in a postcard, I realize that some places
             it is cost prohibitive but if you have the time and money be a cool
             dude / gal and send a poor guy a postcard preferably one that has some
             scenery from your place of residence for my collection, I collect stamps
             too so you kill two birds with one stone by being cool and mailing in a
             postcard, return address not necessary, just a  "hey guys being cool in
             Bahrain, take it easy" will do ... ;-) thanx.

    Ideas for interesting 'stuff' to send in apart from news:

    - Photo copies of old system manual front pages (optionally signed by you) ;-)
    - Photos of yourself, your mom, sister, dog and or cat in a NON
      compromising position plz I don't want pr0n. 
    - Picture postcards
    - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
      tapes with hack/security related archives, logs, irc logs etc on em.
    - audio or video cassettes of yourself/others etc of interesting phone
      fun or social engineering examples or transcripts thereof.
    Stuff you can email:
    - Prank phone calls in .ram or .mp* format
    - Fone tones and security announcements from PBX's etc
    - fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
    - reserved for one smiley face ->        :-)            <-
    - PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
    - burns of phac cds (email first to make sure we don't already have em)
    - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*

    If you still can't think of anything you're probably not that interesting
    a person after all so don't worry about it 

    Our current email:

    Submissions/zine gossip.....:
    Private email to editor.....:                                                                   



 00.2 Sources ***

     Sources can be some, all, or none of the following (by no means complete
    nor listed in any degree of importance) Unless otherwise noted, like msgs
    from lists or news from other sites, articles and information is compiled
    and or sourced by Cruciphux no copyright claimed.

    News & I/O zine .................
    Back Orifice/cDc..................
    News site (HNN) .....,............
    Help Net Security.................
    News,Advisories,++ .(lophtcrack)..
    NewsTrolls .(daily news ).........
    News + Exploit archive ...........
    CuD Computer Underground Digest...
    News site+........................
    News site+Security................
    News site+Security................
    News site+Security................
    News site+Security related site...  *DOWN*
    News/Humour site+ ................
    News/Techie news site.............

    +Various mailing lists and some newsgroups, such as ...
    +other sites available on the HNN affiliates page, please see as they seem to be popping up
     rather frequently ...
 .. IRC list/admin archives  .. Jesse Berst's AnchorDesk

    ISN security mailing list

    NEWS Agencies, News search engines etc:
    (Kevin Poulsen's Column)
    NOTE: See appendices for details on other links.
    Electronic Underground Affiliation
    ech0 Security Hackers Information Report
    Net Security
    Daily news and security related site


    All submissions that are `published' are printed with the credits
    you provide, if no response is received by a week or two it is assumed
    that you don't care whether the article/email is to be used in an issue
    or not and may be used at my discretion.

    Looking for:

    Good news sites that are not already listed here OR on the HNN affiliates
    page at

    Magazines (complete or just the articles) of breaking sekurity or hacker
    activity in your region, this includes telephone phraud and any other
    technological use, abuse hole or cool thingy. ;-) cut em out and send it
    to the drop box.

    - Ed

    Mailing List Subscription Info   (Far from complete)         Feb 1999
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

    ISS Security mailing list faq :


    BUGTRAQ - Subscription info

    What is Bugtraq?

    Bugtraq is a full-disclosure UNIX security mailing list, (see the info
    file) started by Scott Chasin . To subscribe to
    bugtraq, send mail to containing the message body
    subscribe bugtraq. I've been archiving this list on the web since late
    1993. It is searchable with glimpse and archived on-the-fly with hypermail.

    Searchable Hypermail Index;


    About the Bugtraq mailing list

    The following comes from Bugtraq's info file:

    This list is for *detailed* discussion of UNIX security holes: what they are,
    how to exploit, and what to do to fix them.

    This list is not intended to be about cracking systems or exploiting their
    vulnerabilities. It is about defining, recognizing, and preventing use of
    security holes and risks.

    Please refrain from posting one-line messages or messages that do not contain
    any substance that can relate to this list`s charter.

    I will allow certain informational posts regarding updates to security tools,
    documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
    on this list.

    Please follow the below guidelines on what kind of information should be posted
    to the Bugtraq list:

    + Information on Unix related security holes/backdoors (past and present)
    + Exploit programs, scripts or detailed processes about the above
    + Patches, workarounds, fixes
    + Announcements, advisories or warnings
    + Ideas, future plans or current works dealing with Unix security
    + Information material regarding vendor contacts and procedures
    + Individual experiences in dealing with above vendors or security organizations
    + Incident advisories or informational reporting

    Any non-essential replies should not be directed to the list but to the originator of the message. Please do not
    "CC" the bugtraq reflector address if the response does not meet the above criteria.

    Remember: YOYOW.

    You own your own words. This means that you are responsible for the words that you post on this list and that
    reproduction of those words without your permission in any medium outside the distribution of this list may be
     challenged by you, the author.

    For questions or comments, please mail me: (Scott Chasin)


       CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on cryptography and computer security.

      To subscribe, visit or send a
      blank message to To unsubscribe,
      visit Back issues are available

       CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
      Counterpane Systems, the author of "Applied Cryptography," and an inventor
      of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
      the International Association for Cryptologic Research, EPIC, and VTW. He
      is a frequent writer and lecturer on cryptography.

    CUD Computer Underground Digest
    This info directly from their latest ish:

    Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09

 ISSN 1004-042X

 Editor: Jim Thomas (
 News Editor: Gordon Meyer (
 Archivist: Brendan Kehoe
 Poof Reader: Etaion Shrdlu, Jr.
 Shadow-Archivists: Dan Carosone / Paul Southworth
 Ralph Sims / Jyrki Kuoppala
 Ian Dickinson
 Cu Digest Homepage:

    [ISN] Security list
    This is a low volume list with lots of informative articles, if I had my
    way i'd reproduce them ALL here, well almost all .... ;-) - Ed

    Subscribe: mail with "subscribe isn".


      Some HWA members and Legacy staff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      currently active/editorial
      currently active/man in black
      currently active/IRC+ man in black
      ............. currently active/IRC+ distribution
      ........: currently active/IRC+ proof reader/grrl in black
      dicentra...(email withheld): IRC+ grrl in black
      eentity ...( ''      ''   ): Currently active/IRC+ man in black

      Foreign Correspondents/affiliate members
       Qubik ............................: United Kingdom 
       D----Y ...........................: USA/world media
       HWA members ......................: World Media
      Past Foreign Correspondents (currently inactive or presumed dead) 
       N0Portz ..........................: Australia           
       system error .....................: Indonesia           
       Wile (wile coyote) ...............: Japan/the East      
       Ruffneck  ........................: Netherlands/Holland 
       Wyze1.............................: South Africa

       Please send in your sites for inclusion here if you haven't already
       also if you want your emails listed send me a note ... - Ed

      Spikeman's site is down as of this writing, if it comes back online it will be
      posted here.
     ............ System Error's site (in Indonesian) 

       ***      /join on EFnet the key is `zwen'       ***


    1. We do NOT work for the government in any shape or form. Unless you count paying
       taxes ... in which case we work for the gov't in a BIG WAY. :-/

    2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
       events its a good idea to check out issue #1 at least and possibly also the
       Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


 00.4 Whats in a name? why
      Well what does HWA stand for? never mind if you ever find out I may
     have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out hax0r is "new skewl" and although
     it is laughed at, shunned, or even pigeonholed with those 'dumb
     leet (l33t?) dewds'  this is the state
     of affairs. It ain't Steven Levy's HACKERS anymore. BTW to all you
     up  and comers, i'd highly recommend you get that book. Its almost
     like  buying a clue. Anyway..on with the show .. - Editorial staff


00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)

    Also released in issue #3. (revised) check that issue for the faq
    it won't be reprinted unless changed in a big way with the exception
    of the following excerpt from the FAQ, included to assist first time

    Some of the stuff related to personal usage and use in this zine are
    listed below: Some are very useful, others attempt to deny any possible
    attempts at eschewing obfuscation by obscuring their actual definitions.

    @HWA   - see EoA  ;-)

    !=     - Mathematical notation "is not equal to" or "does not equal"
             ASC(247)  "wavey equals" sign means "almost equal" to. If written
             an =/= (equals sign with a slash thru it) also means !=, =< is Equal
             to or less than and =>  is equal to or greater than (etc, this aint
             fucking grade school, cripes, don't believe I just typed all that..)

    AAM    - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

    AOL    - A great deal of people that got ripped off for net access by a huge
             clueless isp with sekurity that you can drive buses through, we're
             not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
             least they could try leasing one??

   *CC     - 1 - Credit Card (as in phraud)
             2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

    CCC    - Chaos Computer Club (Germany)

   *CON    - Conference, a place hackers crackers and hax0rs among others go to swap
             ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
             watch videos and seminars, get drunk, listen to speakers, and last but
             not least, get drunk.
   *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
                 speak he's the guy that breaks into systems and is often (but by no
                 means always) a "script kiddie" see pheer
              2 . An edible biscuit usually crappy tasting without a nice dip, I like
                  jalapeno pepper dip or chives sour cream and onion, yum - Ed

    Ebonics - speaking like a rastafarian or hip dude of colour  also wigger
              Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
              ebonics, speaking in a dark tongue ... being ereet, see pheer

    EoC    - End of Commentary

    EoA    - End of Article or more commonly @HWA

    EoF    - End of file

    EoD    - End of diatribe (AOL'ers: look it up)

    FUD    - Coined by Unknown and made famous by HNN  - "Fear uncertainty and doubt",
            usually in general media articles not high brow articles such as ours or other
            HNN affiliates ;)

    du0d   - a small furry animal that scurries over keyboards causing people to type
             weird crap on irc, hence when someone says something stupid or off topic
             'du0d wtf are you talkin about' may be used.

   *HACKER - Read Steven Levy's HACKERS for the true definition, then see HAX0R

   *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
            define, I think it is best defined as pop culture's view on The Hacker ala
            movies such as well erhm "Hackers" and The Net etc... usually used by "real"
            hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
            some coffee?' or can you hax0r some bread on the way to the table please?'

            2 - A tool for cutting sheet metal.

    HHN    - Maybe a bit confusing with HNN but we did spring to life around the same
             time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
             noun means the hackernews site proper. k? k. ;&

    HNN    - Hacker News Network and its affiliates

    J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

    MFI/MOI- Missing on/from IRC

    NFC   - Depends on context: No Further Comment or No Fucking Comment

    NFR   - Network Flight Recorder (Do a websearch) see 0wn3d

    NFW   - No fuckin'way

   *0WN3D - You are cracked and owned by an elite entity see pheer
   *OFCS  - Oh for christ's sakes

    PHACV - And variations of same 
            Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking 
                      C - Cracking 
                      V - Virus
                      W - Warfare 
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                     CT - Cyber Terrorism

   *PHEER -  This is what you do when an ereet or elite person is in your presence
            see 0wn3d

   *RTFM  - Read the fucking manual - not always applicable since some manuals are
            pure shit but if the answer you seek is indeed in the manual then you
            should have RTFM you dumb ass.

    TBC   - To Be Continued also 2bc (usually followed by ellipses...) :^0

    TBA   - To Be Arranged/To Be Announced also 2ba

    TFS   - Tough fucking shit.

   *w00t  - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
            from the underground masses. also "w00ten" 

            2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

    *wtf  - what the fuck, where the fuck, when the fuck etc ..

    *ZEN  - The state you reach when you *think* you know everything (but really don't)
            usually shortly after reaching the ZEN like state something will break that
            you just 'fixed' or tweaked.
                            -=-    :.    .:        -=-

 01.0 Greets!?!?! yeah greets! w0w huh. - Ed

     Thanks to all in the community for their support and interest but i'd
     like to see more reader input, help me out here, whats good, what sucks
     etc, not that I guarantee i'll take any notice mind you, but send in
     your thoughts anyway.

       * all the people who sent in cool emails and support
     FProphet       Pyra                TwstdPair      _NeM_
     D----Y         Dicentra            vexxation      sAs72
     Spikeman       p0lix               Vortexia      Wyze1
     Ken Williams/tattooman ex-of PacketStorm,
     & Kevin Mitnick                      
     kewl sites:

     + NEW
     + NEW
     +    ******* DOWN (THANKS JP) ******
     + (Went online same time we started issue 1!)


 01.1 Last minute stuff, rumours and newsbytes

       "What is popular isn't always right, and what is right isn't
         always popular..."
                           - FProphet '99

    +++ When was the last time you backed up your important data?

        Ever wonder who you're really chatting with online? A new 
        game based on the Turing test may tell whether she is really
        a he, and vice versa. By Kristen Philipkoski.
     ++ CISCO PAYS $65 MILLION FOR COCOM (BUS. 8:30 am)

        The computer networking company buys Copenhagen's Cocom to
        expand its delivery of broadband access products.

        The technical drawing software company joins the Redmond
        empire in a US$1.3 billion stock deal.

        The cell phone and pager company agrees to spend US$11
        billion in stock for set-top box supplier General
        Instrument. Also: FCC walks a fine line with new orders....
        Seagate to trim 8,000 jobs.... American Airlines finds few
        New Year's passengers.... And more.

        As Germans clamor for Net access and tools like email, they
        leave their language behind them. German isn't what it used
        to be. By Carter Dougherty.

     ++ IS PALM LOSING ITS GRIP? (TECH. Tuesday)

        Handspring licenses the Palm OS for its handheld, then
        releases a more flexible organizer. Is the Palm dynasty on
        shaky ground? By Leander Kahney.

        Motorola develops a streamlined socket system for plugging
        info gadgets into autos. Adding wireless news,
        entertainment, and ads could get much simpler. By
        Craig Bicknell.  
     ++ DEMOS TO PREZ: 'USE SAFE TEXT' (POL. Tuesday)

        House Democrats want Bill Clinton to help them overturn his
        administration's own long-term policy restricting the export
        of strong encryption products.
           . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


        An ISP industry group tells a federal court that local
        governments should decide who gets access to cable networks.

      Thanks to myself for providing the info from my wired news feed and others from whatever
      sources, also to Spikeman for sending in past entries.... - Ed

 01.2 MAILBAG - email and posts from the message board worthy of a read
      (No mail worthy of posting here this issue,)
      Yeah we have a message board, feel free to use it, remember there are no stupid questions...
      well there are but if you ask something really dumb we'll just laugh at ya, let's give the
      message board a bit more use eh? I'll be using a real message board when the
      domain comes back online (soon) meanwhile the beseen board is still up...


 02.0 From the editor.


      printf ("Read commented source!\n\n");

     /* This issue is a little late, sorry 'bout that but I got a new toy
      * and have been spending time setting it up and playing with it, it's
      * a PII 400 with Voodoo III 3000 and a Diamond Monster sound 3d card
      * with a 19" monitor and 10 gig hd plus a DVD drive and HP 8100 CDRW
      * all that connects to a soho 5 port CAT5 hub which goes out to the
      * cablemodem, my other system will be delegated to FreeBSD and the 
      * Linux box remains untouched. FreeBSD will be bestowed with a 13G
      * HD and I am probably going to bring Linux 'up front' as a proxy
      * and shell server at some point... so yay me 
      * This issue has a couple of articles contributed by wyzewun of FK
      * (Forbidden Knowledge) a .ZA zine that sheds some light on the hack
      * / security scene in South Africa so read on and enjoy the issue...
      * Cruciphux
      */
      printf ("EoF.\n");


      Congrats, thanks, articles, news submissions and kudos to us at the
     main address: complaints and all nastygrams and
     mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to, private mail to


03.0  Army to Use MacOS 
      From HNN

      contributed by McIntyre 
      The US Army has migrated its web server duties off
      WindowsNT and onto MacOS. The site administrator has
      said that according to the World Wide Web Consortium
      (W3C) MacOS is more secure and does not allow remote
      logins. (The reason was recently defaced was
      due to an application hole, not an OS problem and
      nothing against the W3C but when did they become
      security experts?) 

      Army Link News
      CMP Tech Web
      US Army
      Army Link News;
      Web page hacker arrested, government sites becoming more secure 
      by Sgt. 1st Class Connie E. Dickey 
      WASHINGTON (Army News Service, Sept. 1, 1999) - Working from information
      provided by the U.S. Army's Criminal Investigation Command, FBI agents
      arrested a 19-year-old Wisconsin man Aug. 30 for malicious altering of
      a U.S. Army Web page. 
      The agents identified the Green Bay man as the co-founder of a hacker
      organization known as "Global Hell." 
      The arrest capped a two-month investigation led by Army CID agents, 
      after an unidentified intruder gained illegal access to the Army Home
      Page June 28 and modified its contents. The intruder also gained access
      to an unclassified Army network and removed and modified computer files
      to prevent detection. 
      Since the case is still ongoing, Christopher Unger, web site administrator
      for the Army Home Page, didn't want to talk about specifics of what the 
      hacker did to the web page or what the Army is doing to protect its sites
      from future hackers. However, he said the Army has moved its web sites to
      a more secure platform. The Army had been using Windows NT and is currently
      using Mac OS servers running WebSTAR web server software for its home page
      web site. 
      Unger said the reason for choosing this particular server and software is
      that according to the World Wide Web Consortium, it is more secure than its
      counterparts. According to the Consortium's published reports on its findings,
      Macintosh does not have a command shell, and because it does not allow remote
      logins, it is more secure than other platforms. The report also said the 
      Consortium has found no specific security problems in either the software or
      the server. 
      The Consortium is a worldwide group of representatives from more than 350
      organizations that provide the infrastructure for a global interoperable World
      Wide Web. Membership is open to any organization. 
      "Government networks are inviting to hackers because of their high profile,"
      Unger said. However, the Department of Defense is laying the groundwork now 
      for more secure Internet sites that will prevent unauthorized access to 
      information, he said. 
      (Editor's note: Some information was provided by the U.S. Army Criminal 
       Investigation Command.) 
04.0  Phrack Issue 55 Has Been Released 
      From HNN

      contributed by Modify 
      Phrack, the oldest continuously published underground
      e-zine, has released issue 55. This is the first issue in
      over eight months. It has all the usual goodies from
      Loopback and LineNoise to Phrack World News. 

      Phrack 55 - HTML version
05.0  E-Commerce Sites Still Vulnerable 
      From HNN

      contributed by netmask 
      News on the various vulnerabilities with numerous
      shopping cart software was first announced over four
      months ago. MindSec security has found that most web
      sites are still vulnerable to these holes leaving personal
      information including credit card numbers at risk.
      Hopefully these problems will be corrected soon. 

      MindSec Security   
      E-Commerce.. Shouldn't Security Be Involved?
      By: Erik Parker

      E-Commerce is something that isn't getting any smaller. Hundreds of sites are
      popping up every day that are using E-Commerce. People are spending millions of
      dollars over the web, via secure servers, and online shopping applications. We
      have found that some of those shopping applications, commonly referred to as
      "Shopping Carts", may be a major downfall to the security of your credit cards
      and personal information being secure.

      Just because you are transferring your Credit Card number over a secure
      connection, just exactly who is it, that is going to guarantee that it is safe once it
      reaches its destination server? Over 6 Months ago, Joe H. had made a report to
      Bugtraq that many sites were insecure. Bugtraq is the
      most widely used, and a highly respected mailing list that the best security
      administrators in the world discuss possible security problems, and verified

      Dozens of Brands, and Hundreds of sites were vulnerable to people reading your
      credit card numbers, what you ordered, your home telephone number, and all the
      personal information you entered. Some of these carts even unknowingly let
      anyone who knows where the configuration program is, point their web browser
      to it, and change the site, the prices, the tax, and even make their own orders at
      whatever price they want. After 6 months some of these sites still remain
      vulnerable. It is almost as if the manufacturers didn't notify their customers of the
      problem. Many of the customers either were never informed, or just didn't take
      the time to pursue fixing their sites. Perhaps people hoped the problem would go
      away or be forgotten. 

      In Joe's first post to Bugtraq, he noted that c|net would be running an article on
      E-Commerce Security. He did not disclose who the manufacturers of these
      products were. However, when he got dozens of E-mails with people asking him
      who they were, he went ahead and posted a second post, which lists several
      companies that were vulnerable. Then other people started looking into these, and
      Bo Elkjaer posted a followup listing another company, Mountain Network
      Systems. Joe then checked out their products and in his follow up post he
      determined it was also vulnerable. 

      Mind Security has taken interest in the shopping cart problems, to make
      E-Commerce a little safer, and a bit more trusted, as a good majority of
      people are still hesitant to shop online. E-Commerce is a great way of shopping
      and purchasing things over the web. With E-Commerce you do not have to be
      bothered by a sales man or be pressured, and yet you can still find all the
      information on products that you want without the help of a salesman who just
      wants to get his commission.

      The other reason we took interest, is because we were asked to investigate a
      recent hack by a group called HiP (Hackers In Paradise), who had hit a Web site
      that sells Adult Items. The web site owner had requested for us to look into it, and
      advise them on what they should do. 

      After investigating and obtaining the logs we determined that the hackers never
      gained access to the machine, under the Administrator account. There were
      hundreds of web sites hosted on that machine, and several that were more high
      profile. Also looking at their track record, many of these sites they had taken
      credit for ran WebCart, or other shopping cart like programs. There was no
      FTP involved, and no shell access granted that we could determine. We can't say
      with 100% certainty that it was done via the webcart. It does have an html
      update utility, and has such a bad track record, we had to strongly consider this as
      being the point of entry for the hackers. The product also doesn't log any of its
      usage. People can upload, update, and if they aren't logged via the web server,
      then they were never logged. 

      When we went to and put "webcart AND mountain" in the search
      engine, we came up with dozens of matches. We did a quick investigation and
      found more than 70% were vulnerable. We read an E-mail earlier from someone
      at Mountain-Net, which claims that if the user properly configures their web
      servers and read the install file, this wouldn't be a problem. I beg to differ, a good
      product ships with its own built-in security measures, and does not rely on other
      programs being set up, like Apache's htaccess feature, which lets you grant and
      refuse access by username and password and even by hostname if you wish. 

      Mind Security made a follow up post to Bugtraq on September 9th, concerning
      this, and the fact that no one had fixed it, and it was just kind of forgotten about.
      The post named off of a couple of sample vulnerable sites, as well as the correct
      paths to check for these problems. 

      If you would like to check your site for this vulnerability, we worked with Renaud
      Deraison who runs The Nessus Project. The "Nessus" Project aims to provide to
      the internet community a free, powerful, up-to-date and easy to use remote
      security scanner. They have included a way to search for these vulnerabilities
      within their scanner. If you download their most current version from their CVS
      repository, you will be able to scan your site for it with that. If you can not get it
      from their repository, it will be included in their nessus-0.98.2 release. 

      Thanks go to:
      Brian Martin
      Benjamin DeLong, Research Lead, ZOT Group
      L0pht Heavy Industries
      The Staff
      The Nessus Project
06.0  Fakescan.c by Vortexia
      Read the comments in the source, it's self-explanatory, Vort tells me he initiated
      quite a stir in .za with this program with half the country thinking they were 
      being scanned by the other half etc... fun. anyways check it out...and shouts to
      Forbidden Knowledge, Vort and Wyze1
      [09:54]  Cruciphux did I give you fakescan.c?
      [09:54]  no
      [09:55]  this one is evil :)
      [09:55]  me to me to
      [09:55]  ok
      [09:55]  it really caused some ppl in the industry to go loco
      [09:55]  hehe
      [09:56]  cause suddenly half the world was scanning half the world
      [09:56]  you been causing shit again?
      [09:56]  hahaha
      [09:56]  Cruciphux :) read what it does
      [09:56]  ok
      [09:56]  its a braindead port scan spoofer that looks exactly like an nmap scan 
                         but is far easier to use to do mass scans and requires no brains to use :)
      [09:57]  vort: u giving him the ver with the fixed tcp/ip sequencing
      [09:58]  ?
      [09:58]  damnit, now he's making a phonecall ;)
      [09:58]  wyze1 its got almost perfect seq'ing
      [09:58]  hehe
      [09:58]  no greets to HWA yet huh?
      [09:58]  :-/
      [09:58]  its large enough to be realistic
      [09:58]  *g*
      [09:58]  Cruciphux ack I forgot
      [09:58]  add em in there yourself :)
      [09:58]  hahaha
      [09:58]  nah
      [09:59]  i'm not THAT lame
      [09:59]  hehehe
      [09:59]  there is pr0ps to HWA in the new FK
      No we're not THAT lame but just lame enough to include the irc log of me acquiring 
      this copy of fakescan ;-) ,,, enjoy


      /*
       * Fakescan.c (c) 1999 Vortexia / Andrew Alston
       * Ok... more crap code from me... thats yes... entirely useless other than as a
       * proof of case.  I wrote this quickly while trying to prove the case that
       * logging portscans that are syn/fin based is entirely useless.
       * What the code does: It reads in a list of hosts to spoof from a spoof host,
       * and sends fake fin or syn scans to a list of hosts found in the victims
       * file. Sorry there is no dns resolve on hosts in those files, it was a
       * quick job while I was bored and I found better things to do while coding
       * it so I didnt get around to adding it.
       * The code is once again written for BSD and compiles with no warnings under
       * fbsd 3.2 - I hate linux - Dont expect a linux port from me, someone else -
       * feel free to make one
       * If you wanna use my code, as always, feel free but I expect credit where
       * credit is due, I.E you use my code, you put my name in your code.
       * Greets and Shoutouts..
       * Mithrandi - Thanks for your help Ultima - For everything you've helped me
       * with in the past Van - What can I say, HI TimeWiz - Thanks for help in
       * times past, and for ideas for upcoming projects Sniper - My partner in
       * crime - You have and always will rock Opium - HI Hotmetal - A general
       * greet DrSmoke - HI jus - My social engineering partner - lets continue to
       * mindfuck together OPCODE - Thanks for the help - you rock gr1p and all the
       * people at b4b0 - Keep rocking guys To all the people at Forbidden
       * knowledge - Good going - Keep it up To everyone else on all the networks
       * and channels I hang on, a general greet and thanks - I couldnt keep doing
       * what I do without you guys.
       * Fuckoffs, Curses and the likes:
       * To Sunflower - If you cant handle an insult in a piece of code - and think
       * thats worth of an akill - GROW UP AND GO FUCK YOURSELF To Gaspode - May
       * you die a slow and painful death, and may the fleas of 10000 camels infest
       * your armpits To the person who said coding stuff like this was for script
       * kiddies - GET A CLUE you know who you are To anyone else I dont like -
       * FUCK YOU To anyone else who doesnt like me - FUCK YOU
       */
      #define __FAVOR_BSD
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <netinet/in_systm.h>
      #include <netinet/ip.h>
      #include <netinet/tcp.h>
      #include <arpa/inet.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>
      #include <strings.h>
      #include <time.h>
      #include <unistd.h>

      /* Linked list of destination addresses read from victim_file. */
      struct viclist {
      	struct in_addr  victim;
      	struct viclist *link;
      };

      /* Linked list of source addresses read from spoof_file. */
      struct slist {
      	struct in_addr  spoof;
      	struct slist   *link;
      };

      int
      main(int argc, char *argv[])
      {
      	int             i = 0;
      	int             sock;
      	int             on = 1;
      	struct sockaddr_in sockstruct;
      	struct ip      *iphead;
      	struct tcphdr  *tcphead;
      	char            evilpacket[sizeof(struct ip) + sizeof(struct tcphdr)];
      	int             seq, ack;
      	FILE           *victimfile;
      	FILE           *spooffile;
      	char            buffer[256];
      	struct viclist *vcur, *vfirst;
      	struct slist   *scur, *sfirst;

      	bzero(evilpacket, sizeof(evilpacket));
      	/* Each list ends in an empty sentinel node (link == NULL). */
      	vfirst = malloc(sizeof(struct viclist));
      	vcur = vfirst;
      	vcur->link = NULL;
      	sfirst = malloc(sizeof(struct slist));
      	scur = sfirst;
      	scur->link = NULL;
      	if (argc < 4) {
      		printf("Usage: %s scan_type ((S)yn/(F)in) spoof_file victim_file\n"
      		  "Example: %s S spooffile victimfile\n", argv[0], argv[0]);
      		exit(-1);
      	}
      	if ((strncmp(argv[1], "S", 1)) && (strncmp(argv[1], "F", 1))) {
      		printf("Scan type not specified\n");
      		exit(-1);
      	}
      	/* Read the source address list, one dotted quad per line. */
      	if ((spooffile = fopen((char *) argv[2], "r")) == NULL) {
      		perror("fopen");
      		exit(-1);
      	} else {
      		while (fgets(buffer, 255, spooffile)) {
      			if (!(inet_aton(buffer, &(scur->spoof))))
      				printf("Invalid address found in victim file.. ignoring\n");
      			else {
      				scur->link = malloc(sizeof(struct slist));
      				scur = scur->link;
      				scur->link = NULL;
      			}
      		}
      		bzero(buffer, sizeof(buffer));
      	}
      	scur = sfirst;
      	while (scur->link != NULL) {
      		printf("Found spoof host: %s\n", inet_ntoa(scur->spoof));
      		scur = scur->link;
      	}
      	scur = sfirst;
      	/* Read the destination address list the same way. */
      	if ((victimfile = fopen((char *) argv[3], "r")) == NULL) {
      		perror("fopen");
      		exit(-1);
      	} else {
      		while (fgets(buffer, 255, victimfile)) {
      			if (!(inet_aton(buffer, &(vcur->victim))))
      				printf("Invalid address found in victim file.. ignoring\n");
      			else {
      				vcur->link = malloc(sizeof(struct viclist));
      				vcur = vcur->link;
      				vcur->link = NULL;
      			}
      		}
      		bzero(buffer, sizeof(buffer));
      	}
      	vcur = vfirst;
      	while (vcur->link != NULL) {
      		printf("Found victim host: %s\n", inet_ntoa(vcur->victim));
      		vcur = vcur->link;
      	}
      	vcur = vfirst;
      	/* Raw socket with IP_HDRINCL: the program supplies its own IP header. */
      	if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
      		perror("socket");
      		exit(-1);
      	}
      	if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *) &on, sizeof(on)) < 0) {
      		perror("setsockopt");
      		exit(-1);
      	}
      	sockstruct.sin_family = AF_INET;
      	iphead = (struct ip *) evilpacket;
      	tcphead = (struct tcphdr *) (evilpacket + sizeof(struct ip));
      	/* These header fields stay the same for every packet sent. */
      	iphead->ip_hl = 5;
      	iphead->ip_v = 4;
      	iphead->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);
      	iphead->ip_id = htons(getpid());
      	iphead->ip_ttl = 255;
      	iphead->ip_p = IPPROTO_TCP;
      	iphead->ip_sum = 0;
      	iphead->ip_tos = 0;
      	iphead->ip_off = 0;
      	tcphead->th_win = htons(512);
      	if (!(strncmp(argv[1], "S", 1)))
      		tcphead->th_flags = TH_SYN;
      	else
      		tcphead->th_flags = TH_FIN;
      	tcphead->th_off = 0x50;
      	/* For each destination, walk ports 1..1024 once per listed source. */
      	while (vcur->link != NULL) {
      		iphead->ip_dst = vcur->victim;
      		while (scur->link != NULL) {
      			seq = rand() % time(NULL);
      			ack = rand() % time(NULL);
      			tcphead->th_sport = htons(rand() % time(NULL));
      			sockstruct.sin_port = htons(rand() % time(NULL));
      			iphead->ip_src = scur->spoof;
      			sockstruct.sin_addr = scur->spoof;
      			for (i = 1; i <= 1024; i++) {
      				seq += (rand() %10)+250;
      				ack += (rand() %10)+250;
      				tcphead->th_seq = htonl(seq);
      				tcphead->th_ack = htonl(ack);
      				tcphead->th_dport = htons(i);
      				sendto(sock, &evilpacket, sizeof(evilpacket), 0x0,
      				       (struct sockaddr *) & sockstruct, sizeof(sockstruct));
      			}
      			scur = scur->link;
      		}
      		scur = sfirst;
      		vcur = vcur->link;
      	}
      	return (1);
      }
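
      A defender's reading of the listing above, as an added example that is not part of the
      zine or of Vortexia's code: the source address of a logged SYN/FIN probe proves nothing,
      but the listing sets the IP ID, TTL and window once and walks ports and sequence numbers
      predictably, so a sensor can correlate those fields instead. The struct, function names
      and sample records are assumptions, and all sample data is constructed.

```c
/* Added example (not from the zine): fingerprint probes that carry the fixed
 * header values of the fakescan.c listing. All sample data is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) \
	(((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One probe as a sensor would record it, in arrival order, host byte order. */
struct probe {
	uint32_t src;   /* claimed source address */
	uint16_t ip_id; /* IP identification */
	uint8_t  ttl;   /* TTL as received */
	uint16_t win;   /* TCP window */
	uint16_t dport; /* destination port */
	uint32_t seq;   /* TCP sequence number */
};

enum verdict { V_NONE, V_LISTING_RUN, V_SPOOFED_SET };

/* Invariants of the listing's inner loop for one claimed source: window 512,
 * one IP ID for every packet, ports walked in order, seq stepping 250..259. */
int run_matches_listing(const struct probe *p, size_t n)
{
	size_t i;

	if (n < 3)
		return 0;
	for (i = 0; i < n; i++) {
		if (p[i].src != p[0].src || p[i].ip_id != p[0].ip_id || p[i].win != 512)
			return 0;
		if (i > 0) {
			uint32_t step = p[i].seq - p[i - 1].seq; /* unsigned, wrap-safe */
			if (p[i].dport != p[i - 1].dport + 1 || step < 250 || step > 259)
				return 0;
		}
	}
	return 1;
}

/* Count distinct claimed sources that share p[0]'s IP ID and received TTL.
 * The listing sets both once per process, so unrelated "scanners" arriving
 * with identical values point at a single sender. Tracks up to 64 sources. */
size_t sources_sharing_origin(const struct probe *p, size_t n)
{
	uint32_t seen[64];
	size_t nseen = 0, i, j;

	for (i = 0; i < n; i++) {
		if (p[i].ip_id != p[0].ip_id || p[i].ttl != p[0].ttl)
			continue;
		for (j = 0; j < nseen && seen[j] != p[i].src; j++)
			;
		if (j == nseen && nseen < 64)
			seen[nseen++] = p[i].src;
	}
	return nseen;
}

/* Split the log into contiguous per-source runs and combine both checks. */
enum verdict classify(const struct probe *p, size_t n)
{
	size_t start = 0, runs = 0, i;

	for (i = 1; i <= n; i++) {
		if (i == n || p[i].src != p[start].src) {
			if (run_matches_listing(p + start, i - start))
				runs++;
			start = i;
		}
	}
	if (runs >= 2 && sources_sharing_origin(p, n) >= 2)
		return V_SPOOFED_SET;
	return runs ? V_LISTING_RUN : V_NONE;
}

/* Constructed sample: two claimed sources, identical IP ID, TTL and window. */
static const struct probe sample_spoofed[] = {
	{ IP(192, 0, 2, 10),   0x1a2b, 243, 512, 1, 1000000 },
	{ IP(192, 0, 2, 10),   0x1a2b, 243, 512, 2, 1000254 },
	{ IP(192, 0, 2, 10),   0x1a2b, 243, 512, 3, 1000511 },
	{ IP(198, 51, 100, 7), 0x1a2b, 243, 512, 1, 77000 },
	{ IP(198, 51, 100, 7), 0x1a2b, 243, 512, 2, 77250 },
	{ IP(198, 51, 100, 7), 0x1a2b, 243, 512, 3, 77509 },
};

/* Constructed control: one host, varying IP ID, unordered ports. */
static const struct probe sample_other[] = {
	{ IP(203, 0, 113, 5), 0x0101, 52, 1024, 443,  500 },
	{ IP(203, 0, 113, 5), 0x0102, 52, 1024, 22,   900 },
	{ IP(203, 0, 113, 5), 0x0103, 52, 1024, 8080, 1300 },
};

int main(void)
{
	printf("spoofed sample verdict: %d\n", (int)classify(sample_spoofed, 6));
	printf("control sample verdict: %d\n", (int)classify(sample_other, 3));
	return 0;
}
```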
07.0  MS get Independent Auditor for HotMail 
      From HNN

      contributed by Weld Pond 
      After prompting from industry watch dog groups
      Microsoft has agreed to hire a third party auditing firm to
      review the recent HotMail incident. Microsoft has not
      released the name of the company and it is unlikely the
      resulting report will be made public. 

      All Eyes on Hotmail Audit
      by Chris Oakes 
      4:00 p.m.  10.Sep.99.PDT
      Can the Internet industry spank itself? Some are watching the
      outcome of the latest major Web breakdown to see. 
      Microsoft has chosen an undisclosed independent auditor to give
      Hotmail a security once-over. As it does so, the company, industry
      watchdog Truste, and privacy advocates cast the audit as a testament
      to -- or failure of -- effective self-regulation.       
      Following a recommendation last week by Truste, Microsoft went about
      choosing an independent auditing firm this week to test the security 
      of its free Hotmail email service. 
      "We're doing an independent review or audit of the Hotmail incident
      of last week, which got lot of attention," said Microsoft spokesperson
      Tom Pilla.
      Hotmail users were confronted with an alarming security breach last 
      week. Hackers exposed every Hotmail email account so that anyone who 
      knew a person's username could access that account without a password. 
      "Truste said Microsoft was in compliance and believed [the Hotmail 
      security issue] to be resolved. But we are continuing to investigate 
      that incident completely to ensure that the service complies with the
      high standards we put on consumer privacy," Pilla added. 
      Truste spokesman Dave Steer emphasized that his organization didn't 
      order Microsoft to hire an auditor; rather, it was a recommendation. 
      Pilla underscored the point. "They suggested and we agreed. It's not 
      something we had to do." 
      So if the agreement was such a non-threatening, voluntary arrangement,
      does it stand up as an effective demonstration of the power of
      "Yeah, I think it [does]," Pilla said. "As soon as the incident occurred
      we [were] in close coordination with Truste, as we always are on these
      Last week, Truste took an initial stance that the incident was a security
      issue, not a privacy matter. But Steer said the organization sees the two
      issues as connected, and a Truste statement on the organization's Web site
      clarifies its position. 
      "The statement clearly highlights the fact that there's not trust without
      privacy and similarly there's not privacy without reasonable security of 
      the data being protected," Steer explained. "So in some instances, yes --
      security and privacy go hand in hand." 
      Jason Catlett, a privacy advocate who closely watches the self-regulation
      issue, was guardedly impressed by the sheer notion of an audit. 
      "I don't write it off as [a] meaningless act. I'm quite pleased that they
      have agreed to an independent audit. It's a small window opened in the
      fortress Redmond," he said. 
      But Catlett read hidden meaning in the unprecedented Microsoft decision, 
      and doesn't see it as evidence of self-regulation's effectiveness. 
      "Basically, [Microsoft] realize[s] that nobody believes a single word they
      say anymore, so they're paying an accounting firm to say things for them."
      The nature of this security breach -- a simple function of logging into an 
      email account -- made it easier for Microsoft to open up Hotmail for
      review, Catlett said. 
      In contrast, the company's undisclosed use of a unique identifier in 
      Microsoft Office documents and Microsoft cookies created during user
      registration of Windows, had much broader implications. 
      Thus, when an audit was badly needed, Microsoft declined. 
      "Truste didn't do an audit [in that case] so [Catlett's Junkbusters watchdog 
      group] went to the FTC and asked them to require an audit, and Microsoft
      just refused." 
      This time, "Truste suggested an audit and Microsoft agreed -- this is the
      coziest regulation imaginable," Catlett said. 
      Pilla disagreed. "I think it's a very good expression of self-regulation,"
      he said. "I think our swift response to the Hotmail incident coupled with
      inviting a third party review is evidence of our commitment to protecting
      people's online privacy." 
      The legitimacy of the Hotmail audit will depend on the particular security
      issues the auditing firm is asked to test. "Management makes some assertion
      and the acting firm attests to that assertion. If the assertions are very 
      limited, then the conclusion [of the] accounting firm is very limited," 
      Catlett said. 
      Pilla said he couldn't comment on the specifics of the audit yet. 
      "We don't know what the process is, moving forward." 
      He also wouldn't say whether the public would ever get to review the test
      conducted by the auditing firm. 
      As to skepticism of the self-regulatory process, Truste's Steer said, 
      "We don't dictate where the program is going to go based on the skeptics. We
      have to take a good hard look at what the consumer needs. ... Any reasonable
      person can take a look at what's going on right now and come to their own
      conclusion. If you ask me personally, I think this is an example that the 
      system worked." 
      Whatever the outcome, it will no doubt be logged into any case histories 
      seeking to build a case for or against self-regulation. 
      Pilla said the audit should take "not months but a fairly short amount of
      Said Catlett: "They're on a tightrope where they're trying to maintain
      credibility as a consumer advocacy organization while still not scaring away
      potential licensees with any real prospects of sanctions." 
08.0  US Gov to Switch From NT to Open Source 
      From HNN

      contributed by Weld Pond 
      The National Security Council will soon create a
      software assessment office to evaluate different
      operating systems other than Windows NT including
      open source software. A major reason given for this
      switch was the susceptibility of Windows to viruses and
      other attacks. (The article says they are looking closely
      at Linux, I hope they don't forget OpenBSD.) 

      Federal Times   
      The Independent Weekly
      September 16, 1999 
             Top Officials Seek Alternatives to Microsoft 
      By Stephen Trimble
          Concerned about security and an excessive reliance on Microsoft software, senior administration
      officials plan to diversify the types of operating systems software purchased by the government. 
          The National Security Council soon will create a new office to assess the ways federal agencies
      could make greater use of open-source, or nonproprietary, software that is freely available to anyone
      and has codes that are not secret. 
          "One of the areas we are very interested in looking at is open-source code," a senior White House
      official told Federal Times. 
          The effort ultimately could affect the types of software the government purchases for network
      servers and desktop applications. 
          The government will buy $2 billion worth of software in 2000, according to Federal Sources Inc., of
      Fairfax, Va., a market research company. 
          The initial purpose of the new software assessment office will be to identify agencies and programs
      that will be candidates for trials of open source software, said the White House official, who asked not
      to be identified. 
          The General Services Administration and the National Institute of Standards and Technology also
      are involved in creating the office. Its location still is to be decided. 
          The new office will assess the costs and benefits of using open-source software to operate many
      government computers. Also to be determined are the cost and technical obstacles to communication
      between systems using open-source and the proprietary software now in use. 
          The White House official declined to say how extensive is the administration's plan to diversify its
      reliance on operating systems software. A chief reason for the effort, according to advocates, is to
      address concerns that Microsoft operating systems are vulnerable to malicious computer viruses and
      hacker attacks. This is partly because the Microsoft software is proprietary and security vulnerabilities
      are more difficult to find and correct, said Przemek Klosowski, a NIST physicist and leader of the
      Washington, D.C., Linux User's Group. 
          "Government should be vendor-neutral, and the government should not formulate IT requirements
      that say only a single vendor is applicable," Klosowski said. 
          Klosowski said Linux is used on a limited basis for computer research applications at Energy
      Department laboratories, NASA, NIST and the Defense Department. 
          "I don't know of any large government Linux contracts," he added. 
          Another purpose of adopting different types of software is to diversify the government's inventory of
      operating systems, so not all are vulnerable to the same viruses and attacks, the White House official
          Linux, an open-source operating system similar in functionality to Microsoft Windows, is being
      given serious consideration as an alternative for government computer users, the official said. 
          Access to the Linux source code "gives us some confidence," the White House official said, adding
      that it simplifies patching security breaches and correcting routine errors. 
          Created by a Finnish graduate student named Linus Torvalds in 1991, Linux's open code is
      relentlessly scrutinized and tested by tens of thousands of systems analysts worldwide, who
      constantly recommend improvements, Klosowski said. 
          As a result, Linux boasts a robust code that rarely malfunctions and is extremely difficult for
      hackers to crack, Klosowski said. 
          Microsoft, on the other hand, keeps its code secret and makes upgrades to its products on a
      yearly basis, he said. 
          Microsoft software products have been the target of numerous computer viruses. 
          One of the best known was the Melissa virus that struck thousands of government and
      nongovernment computers in March by exploiting vulnerabilities in Microsoft Word 97 and Microsoft
      Word 2000. In June, another virus called ExploreZip targeted vulnerabilities in Microsoft Windows 95,
      Windows 98 and Windows NT. 
          Microsoft officials argue their software products meet federal security standards. 
          Microsoft's main server software, Microsoft Windows NT 3.5, for instance, is certified under the
      federal security standard known as Federal Information Processing Standard 140-1, said Quazi
      Zaman, advanced technology manager for Microsoft Federal Systems of Washington, D.C. The
      newest version of Microsoft's server operating system, called Microsoft Windows NT 4.0, is undergoing
      certification and is expected to be certified "in the next three months," Zaman said. 
          Zaman added that Microsoft has been considering making some of its software products open
      source for two years. 
          "Open source is a very innovative way to develop software," Zaman said. "The issue is how much of
      our own code we should put out in the open source environment." 
          Zaman added that Microsoft likely would be willing to provide the National Security Council with its
      code for security inspections if it is for national security purposes. So far, he said, the NSC has not
      asked for access to any of Microsoft's software code. 
          Zaman argued that government agencies are not excessively reliant on Microsoft products, adding
      that other software suppliers, namely, database software suppliers, have larger shares of the federal
      software market. 
          The project to increase the government's use of open-source operating systems likely will present
      formidable challenges. 
          The government already relies extensively on Microsoft products for desktop and, increasingly,
      server applications. Thus, there are sure to be communications problems between systems that use
      different software, said John Gilligan, the Energy Department's chief information officer. 
          The concept also appears to run counter to the government's 3-year-old effort to concentrate on
      buying commercial, easy-to-use software, said Payton Smith of Federal Sources Inc. 
          Regardless of security concerns, Smith added, a multitude of software systems within an agency
      often can lead to interoperability problems. 
          "The more variations you have in the software, the more problems and the more costs you're going
      to have," Smith said. 
          The White House official acknowledged that concerns over costs and interoperability issues must
      be settled for the project to succeed. 
          "That's exactly the issues we're looking at," the official said. "Both costs and interoperability are
      critical issues." 
09.0  Sept 15th CryptoGram
      From: Bruce Schneier  
      Subject: CRYPTO-GRAM, September 15, 1999 
                    September 15, 1999
                    by Bruce Schneier
                     Founder and CTO
            Counterpane Internet Security, Inc.
      A free monthly newsletter providing summaries, analyses, insights, and
      commentaries on computer security and cryptography.
      Back issues are available at  To subscribe or
      unsubscribe, see below.
      Copyright (c) 1999 by Bruce Schneier
      ** *** ***** ******* *********** *************
      In this issue:
           Open Source and Security
           NSA Key in Microsoft Crypto API?
           Counterpane Systems -- Featured Research
           Extra Scary News
           Counterpane News
           The Doghouse:  E*Trade
           Factoring a 512-bit Number
           Comments from Readers
      ** *** ***** ******* *********** *************
               Open Source and Security
      As a cryptography and computer security expert, I have never understood the
      current fuss about the open source software movement.  In the cryptography
      world, we consider open source necessary for good security; we have for
      decades.  Public security is always more secure than proprietary security.
      It's true for cryptographic algorithms, security protocols, and security
      source code.  For us, open source isn't just a business model; it's smart
      engineering practice.
      Open Source Cryptography
      Cryptography has been espousing open source ideals for decades, although we
      call it "using public algorithms and protocols."  The idea is simple:
      cryptography is hard to do right, and the only way to know if something was
      done right is to be able to examine it.
      This is vital in cryptography, because security has nothing to do with
      functionality.  You can have two algorithms, one secure and the other
      insecure, and they both can work perfectly.  They can encrypt and decrypt,
      they can be efficient and have a pretty user interface, they can never
      crash.  The only way to tell good cryptography from bad cryptography is to
      have it examined.
      Even worse, it doesn't do any good to have a bunch of random people examine
      the code; the only way to tell good cryptography from bad cryptography is
      to have it examined by experts.  Analyzing cryptography is hard, and there
      are very few people in the world who can do it competently.  Before an
      algorithm can really be considered secure, it needs to be examined by many
      experts over the course of years.
      This argues very strongly for open source cryptographic algorithms.  Since
      the only way to have any confidence in an algorithm's security is to have
      experts examine it, and the only way they will spend the time necessary to
      adequately examine it is to allow them to publish research papers about it,
      the algorithm has to be public.  A proprietary algorithm, no matter who
      designed it and who was paid under NDA to evaluate it, is much riskier than
      a public algorithm.
      The counter-argument you sometimes hear is that secret cryptography is
      stronger because it is secret, and public algorithms are riskier because
      they are public.  This sounds plausible, until you think about it for a
      minute.  Public algorithms are designed to be secure even though they are
      public; that's how they're made.  So there's no risk in making them public.
      If an algorithm is only secure if it remains secret, then it will only be
      secure until someone reverse-engineers and publishes the algorithms.  A
      variety of secret digital cellular telephone algorithms have been "outed"
      and promptly broken, illustrating the futility of that argument.
      Instead of using public algorithms, the U.S. digital cellular companies
      decided to create their own proprietary cryptography.  Over the past few
      years, different algorithms have been made public.  (No, the cell phone
      industry didn't want them made public.  What generally happens is that a
      cryptographer receives a confidential specification in a plain brown
      wrapper.)  And once they have been made public, they have been broken.  Now
      the U.S. cellular industry is considering public algorithms to replace
      their broken proprietary ones.
      On the other hand, the popular e-mail encryption program PGP has always
      used public algorithms.  And none of those algorithms has ever been broken.
      The same is true for the various Internet cryptographic protocols:  SSL,
      S/MIME, IPSec, SSH, and so on.
      The Best Evaluation Money Can't Buy
      Right now the U.S. government is choosing an encryption algorithm to
      replace DES, called AES (the Advanced Encryption Standard).  There are five
      contenders for the standard, and before the final one is chosen the world's
      best cryptographers will spend thousands of hours evaluating them.  No
      company, no matter how rich, can afford that kind of evaluation.  And since
      AES is free for all uses, there's no reason for a company to even bother
      creating its own standard.  Open cryptography is not only better -- it's
      cheaper, too.
      The same reasoning that leads smart companies to use published cryptography
      also leads them to use published security protocols: anyone who creates his
      own security protocol is either a genius or a fool.  Since there are more
      of the latter than the former, using published protocols is just smarter.
      Consider IPSec, the Internet IP security protocol.  Beginning in 1992, it
      was designed in the open by committee and was the subject of considerable
      public scrutiny from the start.  Everyone knew it was an important protocol
      and people spent a lot of effort trying to get it right.  Security
      technologies were proposed, broken, and then modified.  Versions were
      codified and analyzed.  The first draft of the standard was published in
      1995.  Different aspects of IPSec were debated on security merits and on
      performance, ease of implementation, upgradability, and use.
      In November 1998, the committee published a slew of RFCs -- one in a series
      of steps to make IPSec an Internet standard.  And it is still being
      studied. Cryptographers at the Naval Research Laboratory recently
      discovered a minor implementation flaw.  The work continues, in public, by
      anyone and everyone who is interested.  The result, based on years of
      public analysis, is a strong protocol that is trusted by many.
      On the other hand, Microsoft developed its own Point-to-Point Tunneling
      Protocol (PPTP) to do much the same thing.  They invented their own
      authentication protocol, their own hash functions, and their own
      key-generation algorithm.  Every one of these items was badly flawed.  They
      used a known encryption algorithm, but they used it in such a way as to
      negate its security.  They made implementation mistakes that weakened the
      system even further.  But since they did all this work internally, no one
      knew that PPTP was weak.
      Microsoft fielded PPTP in Windows NT and 95, and used it in their virtual
      private network (VPN) products. Eventually they published their protocols,
      and in the summer of 1998, the company I work for, Counterpane Systems,
      published a paper describing the flaws we found.  Once again, public
      scrutiny paid off.  Microsoft quickly posted a series of fixes, which we
      evaluated this summer and found improved, but still flawed.
      Like algorithms, the only way to tell a good security protocol from a
      broken one is to have experts evaluate it.  So if you need to use a
      security protocol, you'd be much smarter taking one that has already been
      evaluated.  You can create your own, but what are the odds of it being as
      secure as one that has been evaluated over the past several years by experts?
      Securing Your Code
      The exact same reasoning leads any smart security engineer to demand open
      source code for anything related to security.  Let's review:  Security has
      nothing to do with functionality.  Therefore, no amount of beta testing can
      ever uncover a security flaw.  The only way to find security flaws in a
      piece of code -- such as in a cryptographic algorithm or security protocol
      -- is to evaluate it.  This is true for all code, whether it is open source
      or proprietary.  And you can't just have anyone evaluate the code, you need
      experts in security software evaluating the code.  You need them evaluating
      it multiple times and from different angles, over the course of years.
      It's possible to hire this kind of expertise, but it is much cheaper and
      more effective to let the community at large do this.  And the best way to
      make that happen is to publish the source code.
      But then if you want your code to truly be secure, you'll need to do more
      than just publish it under an open source license. There are two obvious
      caveats you should keep in mind.
      First, simply publishing the code does not automatically mean that people
      will examine it for security flaws.  Security researchers are fickle and
      busy people. They do not have the time to examine every piece of source
      code that is published.  So while opening up source code is a good thing,
      it is not a guarantee of security. I could name a dozen open source
      security libraries that no one has ever heard of, and no one has ever
      evaluated.  On the other hand, the security code in Linux has been looked
      at by a lot of very good security engineers.
      Second, you need to be sure that security problems are fixed promptly when
      found.  People will find security flaws in open source security code.  This
      is a good thing.  There's no reason to believe that open source code is, at
      the time of its writing, more secure than proprietary code.  The point of
      making it open source is so that many, many people look at the code for
      security flaws and find them.  Quickly.  These then have to be fixed.  So a
      two year-old piece of open source code is likely to have far fewer security
      flaws than proprietary code, simply because so many of them have been found
      and fixed over that time.  Security flaws will also be discovered in
      proprietary code, but at a much slower rate.
      Comparing the security of Linux with that of Microsoft Windows is not very
      instructive.  Microsoft has done such a terrible job with security that it
      is not really a fair comparison.  But comparing Linux with Solaris, for
      example, is more instructive.  People are finding security problems with
      Linux faster and they are being fixed more quickly.  The result is an
      operating system that, even though it has only been out a few years, is
      much more robust than Solaris was at the same age.
      Secure PR
      One of the great benefits of the open source movement is the
      positive-feedback effect of publicity.  Walk into any computer superstore
      these days, and you'll see an entire shelf of Linux-based products.  People
      buy them because Linux's appeal is no longer limited to geeks; it's a
      useful tool for certain applications.  The same feedback loop works in
      security: public algorithms and protocols gain credibility because people
      know them and use them, and then they become the current buzzword.
      Marketing people call this mindshare.  It's not a perfect model, but hey,
      it's better than the alternative.
      ** *** ***** ******* *********** *************
             NSA Key in Microsoft Crypto API?
      A few months ago, I talked about Microsoft's system for digitally signing
      cryptography suites that go into its operating system.  The point is that
      only approved crypto suites can be used, which makes things like export
      control easier.  Annoying as it is, this is the current marketplace.
      Microsoft has two keys, a primary and a spare.  The Crypto-Gram article
      talked about attacks based on the fact that a crypto suite is considered
      signed if it is signed by EITHER key, and that there is no mechanism for
      transitioning from the primary key to the backup.  It's stupid
      cryptography, but the sort of thing you'd expect out of Microsoft.
      Suddenly there's a flurry of press activity because someone notices that
      the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is
      called "NSAKEY" in the code.  Ah ha!  The NSA can sign crypto suites.  They
      can use this ability to drop a Trojaned crypto suite into your computers.
      Or so the conspiracy theory goes.
      I don't buy it.
      First, if the NSA wanted to compromise Microsoft's Crypto API, it would be
      much easier to either 1) convince MS to tell them the secret key for MS's
      signature key, 2) get MS to sign an NSA-compromised module, or 3) install a
      module other than Crypto API to break the encryption (no other modules need
      signatures).  It's always easier to break good encryption by attacking the
      random number generator than it is to brute-force the key.
      Second, NSA doesn't need a key to compromise security in Windows.  Programs
      like Back Orifice can do it without any keys.  Attacking the Crypto API
      still requires that the victim run an executable (even a Word macro) on his
      computer.  If you can convince a victim to run an untrusted macro, there
      are a zillion smarter ways to compromise security.
      Third, why in the world would anyone call a secret NSA key "NSAKEY"?  Lots
      of people have access to source code within Microsoft; a conspiracy like
      this would only be known by a few people.  Anyone with a debugger could
      have found this "NSAKEY."  If this is a covert mechanism, it's not very covert.
      I see two possibilities.  One, that the backup key is just as Microsoft
      says, a backup key.  It's called "NSAKEY" for some dumb reason, and that's
      Two, that it is actually an NSA key.  If the NSA is going to use Microsoft
      products for classified traffic, they're going to install their own
      cryptography.  They're not going to want to show it to anyone, not even
      Microsoft.  They are going to want to sign their own modules.  So the
      backup key could also be an NSA internal key, so that they could install
      strong cryptography on Microsoft products for their own internal use.
      But it's not an NSA key so they can secretly inflict weak cryptography on
      the unsuspecting masses.  There are just too many smarter things they can
      do to the unsuspecting masses.
      My original article:
      Nice analysis:
      Useful news article:
      ** *** ***** ******* *********** *************
         Counterpane Systems -- Featured Research
      "Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)"
      Bruce Schneier and Mudge, CQRE, Duesseldorf, Oct 1999, to appear.
      The Point-to-Point Tunneling Protocol (PPTP) is used to secure PPP
      connections over TCP/IP link. In response to [SM98], Microsoft released
      extensions to the PPTP authentication mechanism (MS-CHAP), called
      MS-CHAPv2. We present an overview of the changes in the authentication and
      encryption-key generation portions of MS-CHAPv2, and assess the
      improvements and remaining weaknesses in Microsoft's PPTP implementation.
      While fixing some of the more egregious errors in MS-CHAPv1, the new
      protocol still suffers from some of the same weaknesses.
      ** *** ***** ******* *********** *************
      The Internet Auditing Project.  This is REAL interesting.  A group did a
      low-level security audit of 36 million hosts on the Internet.  Just how
      secure is the Internet really?
      And if that isn't scary enough, here's a more detailed audit of 2200
      Internet sites.
      My all-time favorite Y2K compliance statement:
      If you need more evidence that proprietary security just doesn't work,
      Microsoft's digital music security format is cracked within days of being
      Patent blackmail:  Lawyers for someone named Leon Stambler have been
      sending threatening letters to security companies, claiming that SSL, PCK,
      FIPS 196, SET, Microsoft PPTP, Authenticode, etc. infringe on his patent.
      See for yourself; the U.S. patent numbers are 5,793,302 and 5,646,998.
      With all the talk about electronic voting, it's nice that someone
      recognizes that there are some serious security problems.  The most severe,
      at least to me, is voter coercion.  When you step into a private voting
      booth, you can vote as you please.  No one can do anything about it.  If
      you can vote from your computer, in your own home, with some kind of
      electronic security measure, then it is possible for someone to buy your
      vote and to ensure that you deliver on the goods.
      Many people asked me about my comment last issue about Windows NT needing
      over 300 security changes to make it secure.  I queried the Usenet
      newsgroup asking if it was folklore or
      truth, and got several answers.   The consensus seemed to be that the
      number was somewhere between 50 and 3000, and 300 wasn't an unreasonable
      estimate.   A good checklist is available here:
      And see also:
      The U.S. crypto export regulations have led to the development of some
      excellent products from non-U.S. companies.  Judging from this article,
      though, this isn't one of them:
      Two Microsoft security white papers.  They're not great, but they do
      explain the Microsoft party line.
      Security basics:
      Office 2000 Macro Security:
      A flaw in Hotmail allows anyone to read anyone else's email, without a
      password.  To me, the real interesting story is not that the flaw was
      discovered, but that it might have been known by the underground community
      long before it became public.  Some of the news stories imply this.
      Encrypted sculpture at the CIA's headquarters in Langley, VA.
      Join the military and see the basements of Ft. Meade.  The National
      Security Agency is offering free college tuition and room and board to
      hackers willing to work for them for five years after graduation.
      Nice BBC article on U.S. encryption debate:
      Funny stuff: the real story of Alice and Bob:
      There was a really good article -- clear, complete, understandable -- in
      _The Sciences_ recently about quantum computing.  Cryptome has put the
      article online, with the permission of the author. 
      ** *** ***** ******* *********** *************
                    Extra Scary News
      The Justice Department is planning to ask Congress for new authority
      allowing federal agents armed with search warrants to secretly break into
      homes and offices to obtain decryption keys or passwords or to implant
      "recovery devices" or otherwise modify computers to ensure that any
      encrypted messages or files can be read by the government.
      With this dramatic proposal, the Clinton Administration is basically
      saying: "If you don't give your key in advance to a third party, we will
      secretly enter your house to take it if we suspect criminal conduct."
      The full text of the Justice Department proposal, a section-by-section
      analysis prepared by DOJ lawyers, and related materials are available at:
      ** *** ***** ******* *********** *************
                   Counterpane News
      Bruce Schneier will be speaking at SANS Network Security 99, October 3-10,
      in New Orleans.  See for more conference
          Attack Trees:  Wed, 6 Oct, 10:30-12:30
          Internet Cryptography:  Tue, 5 Oct, 9:00-5:00
      Bruce Schneier authored the "Inside Risks" column for the Aug, Sep, and Oct
      99 issues of _Communications of the ACM_.
      Biometrics: Uses and Abuses:
      The Trojan Horse Race:
      Risks of Relying on Cryptography:
      ** *** ***** ******* *********** *************
              The Doghouse:  E*Trade
      E*Trade's password security isn't.  They limit the logon password to a
      maximum of 6 characters, and the only choices are letters (upper and lower
      case are distinguished), numbers, $, and _.  Whose portfolio do you want to
      trade today?
      ** *** ***** ******* *********** *************
               Factoring a 512-bit Number
      A factoring record was broken last month, on 22 August.  A group led by
      Herman te Riele of CWI in Amsterdam factored a 512-bit (155-digit) hard
      number.  By "hard," I mean that it was the product of two 78-digit
      primes...the kind of numbers used by the RSA algorithm.
      About 300 fast SGI workstations and Pentium PCs did the work, mostly on
      nights and weekends, over the course of seven months.  The algorithm used
      was the General Number Field Sieve.  The algorithm has two parts: a sieving
      step and a matrix reduction step.  The sieving step was the part that the
      300 computers worked on: about 8000 MIPS-years over 3.7 months.  (This is
      the step that Shamir's TWINKLE device can speed up.)  The matrix reduction
      step took 224 CPU hours (and about 3.2 Gig of memory) on the Cray C916 at
      the SARA Amsterdam Academic Computer Center.  If this were done over the
      general Internet, using resources comparable to what was used in the recent
      DES cracking efforts, it would take about a week calendar time.
      The entire effort was 50 times easier than breaking DES. Factoring
      e-commerce keys is definitely very practical, and will be becoming even
      more so in future years.  It is certainly reasonable to expect 768-bit
      numbers to be factored within a few years, so comments from RSA
      Laboratories that RSA keys should be a minimum of 768 bits are much too
      Certicom used the event to tout the benefits of elliptic curve public-key
      cryptography.  Elliptic-curve algorithms, unlike algorithms like RSA,
      ElGamal, and DSA, are not vulnerable to the mathematical techniques that
      can factor these large numbers.  Hence, they reason, elliptic curve
      algorithms are more secure than RSA and etc.  There is some truth here, but
      only if you accept the premise that elliptic curve algorithms have
      fundamentally different mathematics.  I wrote about this earlier; the short
      summary is that you should use elliptic curve cryptography if memory
      considerations demand it, but RSA with long keys is probably safer.
      This event is significant for two reasons.  One, most of the Internet
      security protocols use 512-bit RSA.  This means that non-cryptographers
      will take notice of this, and probably panic a bit.  And two, unlike other
      factoring efforts, this was done by one organization in secret.  Most
      cryptographers didn't even know this effort was going on.  This shows that
      other organizations could already be breaking e-commerce keys regularly,
      and just not telling anyone.
      As usual, the press is getting this story wrong.  They say things like:
      "512-bit keys are no longer safe."  This completely misses the point.  Like
      many of these cryptanalysis stories, the real news is that there is no
      news.  The complexity of the factoring effort was no surprise; there were
      no mathematical advances in the work.  Factoring a 512-bit number took
      about as much computing power as people predicted.  If 512-bit keys are
      insecure today, they were just as insecure last month.  Anyone implementing
      RSA should have moved to 1028-bit keys years ago, and should be thinking
      about 2048-bit keys today.  It's tiring when people don't listen to
      cryptographers when they say that something is insecure, waiting instead
      for someone to actually demonstrate the insecurity.
      RSA's analysis:
      Certicom's rebuttal:
      Prominent Web sites that still use 512-bit RSA:
          Microsoft's online store
          Compaq's online store
          Godiva's online store
          Flowers N More
      There are lots more.  You can check yourself by connecting to a site with a
      secure domestic version of Microsoft Internet Explorer 4.0.
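      A scripted version of that key-length check, as an added example that is
      not part of the newsletter: it pulls the RSA modulus out of a DER-encoded
      SubjectPublicKeyInfo and grades its size.  The host names and sample keys
      are constructed, and the tier boundaries (512, 1024, 2048) are assumptions
      drawn from the advice above.

```python
"""Audit RSA modulus sizes in DER-encoded SubjectPublicKeyInfo (SPKI) blobs."""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey


def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, buf[pos:pos + length], pos + length


def expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError(f"expected {what}, got tag 0x{tag:02x}")


def rsa_modulus_bits(spki_der):
    """Return the RSA modulus length in bits, or raise ValueError."""
    tag, spki, _ = read_tlv(spki_der)
    expect(tag, 0x30, "SPKI SEQUENCE")
    tag, alg, after_alg = read_tlv(spki)
    expect(tag, 0x30, "AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg)
    expect(tag, 0x06, "algorithm OID")
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    tag, bitstr, _ = read_tlv(spki, after_alg)
    expect(tag, 0x03, "BIT STRING")
    if bitstr[:1] != b"\x00":
        raise ValueError("BIT STRING has unused bits")
    tag, rsa_key, _ = read_tlv(bitstr, 1)
    expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, modulus, _ = read_tlv(rsa_key)
    expect(tag, 0x02, "modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def verdict(bits):
    """Assumed tiers: 512 already factored, below 1024 next to fall, 2048 the target."""
    if bits <= 512:
        return "BROKEN"
    if bits < 1024:
        return "WEAK"
    if bits < 2048:
        return "MARGINAL"  # current practice also rejects anything under 2048 bits
    return "OK"


def audit(keys):
    """Map {label: spki_der} to [(label, bits, verdict)], weakest first."""
    rows = []
    for label, blob in keys.items():
        try:
            bits = rsa_modulus_bits(blob)
            rows.append((label, bits, verdict(bits)))
        except ValueError as exc:  # non-RSA or malformed keys are reported, not dropped
            rows.append((label, None, f"SKIPPED: {exc}"))
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or 0))


# --- Encoders below exist only to build the constructed sample input ---
def der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def der_int(x):
    # One extra byte when the top bit is set keeps the INTEGER positive.
    return der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))


def build_spki(n, e=65537):
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    key = der(0x30, der_int(n) + der_int(e))
    return der(0x30, alg + der(0x03, b"\x00" + key))


def sample_modulus(bits):
    # Constructed odd number of exactly `bits` bits; NOT a product of two primes.
    return (1 << (bits - 1)) | 0xC0FFEF


SAMPLE_KEYS = {  # hypothetical hosts with constructed keys
    "legacy-vpn.example": build_spki(sample_modulus(768)),
    "store.example": build_spki(sample_modulus(512)),
    "portal.example": build_spki(sample_modulus(2048)),
    "mail.example": build_spki(sample_modulus(1024)),
    "ec-api.example": der(0x30, der(0x30, der(0x06, EC_OID))
                          + der(0x03, b"\x00\x04" + bytes(64))),
}

if __name__ == "__main__":
    for label, bits, status in audit(SAMPLE_KEYS):
        print(f"{label:20} {bits!s:>5}  {status}")
```

      Only the key length is graded; the check says nothing about how the key
      was generated or stored.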
      ** *** ***** ******* *********** *************
                 Comments from Readers
      From: Gene Spafford 
      Subject: Re: Comments on the "NSA" key in Windows NT
      Well, it is always easier to believe a conspiracy theory or dark designs.
      However, there may be alternative explanations.
      For instance, I happen to know that various 3-letter agencies use a lot of
      Windows machines (in a sense, that should be scary all by itself).  Suppose
      they want to load their own highly-classified, very closely-guarded version
      of their own crypto routines.  Do you think they will send copies of their
      code out to Redmond to get it signed so it can be loaded?  Or are they
      going to sign it themselves, with their own key, doing it in-house where it
      is "safe"?  If they are going the in-house route, then either Microsoft
      needs to share the private key with them (bad idea), or the code needs to
      accommodate a second  key schedule generated inside the TLA.  Hmmm, that
      sounds familiar, doesn't it?
      Another explanation, that I may have read here (this issue has been
      discussed on many lists) is that to get the approval for export, the folks
      at MS needed to include a "back-up" key in case the first was compromised
      in some way.  They would need to switch over to using the alternate key for
      all the systems already out there.  But how would they do that unless the
      second key was already installed, so they could do the switch using that
      second key?  So, if you were MS, and the NSA required you to install a
      backup key like this, what would you call it?
      Of course, it could be that MS wanted the backup key themselves, and the
      programmer involved in the coding decided to name it something silly.
      Or, there is a history of MS code being shipped with undocumented code
      elements, and things that MS management don't know are present. Suppose the
      code (involving only a few lines of code) was placed there by an agent of
      the intelligence services of some other country (it wouldn't be that hard
      to subvert an existing employee or place one at MS with good coding skills
      who could eventually gain access to the appropriate code).  He/she names
      the variables with "NSA" in place in case anyone doing a code review would
      question it -- and includes a comment block that says "The NSA required
      this to be here -- do not change or ask questions."  The "sinister purpose"
      might be correct, but you are blaming the wrong entity.
      Heck, maybe this is a grand design of Mr. Gates himself: after all, he's
      certainly having some aggravation from the U.S. Justice Department!
      There are other possible explanations for the name, too.
      These alternate explanations do not mean that the extra key does not have
      side-effects (such as clandestine installation and circumvention of the
      export controls).  And of course, we will probably never know what the
      primary reason for this key is, nor will we know what role these
      side-effects may have had in the decision, despite what people eventually
      The key thought is that there are possible scenarios for the naming of the
      key that do not involve nefarious activity, or do not involve such activity
      by the NSA.  That should not be the immediate conclusion people reach.
      And, at the risk of starting some tirades, let me ask a (rhetorical)
      question:  even if it was put there for purposes of clandestine monitoring,
      what is wrong with that?  If this gets used to monitor terrorists with NBC
      weapons, drug cartels, or weapons labs in Iraq, isn't that what we want
      done?  In that light, there should be some concern that this has now been
      exposed and possibly nullified!   The history of cryptography shows --
      repeatedly -- that having crypto assets makes a huge difference in times of
      conflict, and that getting such assets in place and working takes time.  It
      would be naive to believe that there are no such threats looming, or that
      there is no such likelihood in the future.
      We should be clear in our discussions as to whether our concern is the
      presence of the code, or over who may have control of it.  Is the issue
      really one of what controls are in place that ensure that the code isn't
      used against inappropriate targets (e.g., law-abiding, friendly businesses
      and citizens)?   Unfortunately, we don't have strong assurances in this
      realm, and there have been some past abuses (or alleged abuses).  But that
      may be moot if the code was actually placed for some other group's dark
      From: "Lucky Green" 
      Subject: More NSAKEY musings
      I'd like to comment on some of your public comments regarding the NSAKEY.
      The goal of this email is to provide you with a few data points about the
      mindset intelligence agencies employ when compromising systems.
      First, I agree with your assessment that the NSA does not /need/ to
      compromise CAPI to compromise the computers of those running Windows. Which
      is not analogous to the claim that the NSA would not seek to compromise
      CAPI by causing Microsoft to install the NSA's key.
      For the academic cryptographer, once one catastrophic flaw in a cipher has
      been found, the work is over. "We have a 2^16th attack. The job is done.
      Let's go home". Intelligence agencies don't operate this way.
      My work with GSM has revealed that intelligence agencies, which as we all
      know ultimately stand behind the GSM ciphers, take a very different
      approach. Intelligence agencies will compromise every single component of a
      crypto system they can compromise. Intelligence agencies will, given the
      opportunity, compromise a component just because they can, not because they
      need to. This appears to be a somewhat perverted manifestation of
      implementing multiple redundancy into a system. Which, as I am sure we all
      agree, is generally a good idea.
      In the case of GSM, we have discovered the following compromises:
      o Compromised key generation.  
      The 64-bit keys have the last 10 bits of key zeroed out.  (I heard rumors
      that some implementations only zero out the last 8 bits, but either way,
      this is undeniably a deliberate compromise of the entropy of the key).
      o Compromise of the authentication system and keygen algorithm. 
      The GSM MoU was formally notified in 1989 (or 1990 at the latest) about the
      flaws in COMP128 we discovered last year. Long before GSM was widely
      fielded.  The MoU's Security Algorithm Group of Experts (SAGE), staffed by
      individuals whose identities are unknown to this day, kept this discovery
      secret and failed to inform even the MoU's own members.  As a result,
      intelligence agencies can clone phones and calculate the voice privacy keys
      used during a call.
      o Compromise of the stronger voice privacy algorithm A5/1. 
      This 64 bit cipher has numerous design "flaws", resulting in a strength of
      at most 40 bits.  It is inconceivable to me and virtually everybody I
      talked with that these rather obvious flaws were overlooked by A5/1's
      French military designers.
      o Compromise of the weaker voice privacy algorithm A5/2. 
      The MoU admits that breakability was a design goal of A5/2, even though
      SAGE stated in their official analysis of A5/2 that they were unaware of
      any cryptographic flaws in A5/2.
      To allow for interception and decryption of GSM traffic, it would have
      sufficed to compromise the effective key length. It would have sufficed to
      compromise the keygen.  It would have sufficed to compromise the ciphers.
      The NSA/GCHQ did all three.
      Given these facts, it would not be at all unusual for the NSA to install
      backdoors in the Windows OS itself *and* have obtained a copy of
      Microsoft's signing key *and* have Microsoft install the NSA's own key.
      Think of it as well-designed failover redundant compromise.
      From: "Kevin F. Quinn" 
      Subject: Crypto-Gram April 15 1999, and the recent "NSA" spare-key debate.
      In Crypto-Gram April 15 1999, you mentioned the two-key approach of
      Microsoft with regard to its root keys for Authenticode, and that they
      included the two keys "presumably for if one ever gets compromised".  We
      now know the same approach was taken for CSP.  Microsoft's own announcement
      on the subject is interesting; the two keys are present "in case the root
      key is destroyed" (paraphrase).  I think in your Crypto-Gram you meant
      "destroyed" rather than "compromised" -- Microsoft seem to be trying to
      guard against the possibility that the secret root key is burnt in a fire
      or somesuch; they're not guarding against unauthorised copies of the key
      being made with the two-key approach.  I think it's an important
      distinction to make.
      The only good reason I can see to have two keys, is to provide security
      against compromise -- in which case you need to validate signatures against
      both keys (i.e., AND rather than OR).  That way if one key is compromised,
      the validation will still fail as the second signature won't be valid.  If
      both keys are stored in separate secured locations, the attacker has to
      break the security of both locations in order to acquire both keys, and you
      hope that you might notice one break-in before the second occurs.  The
      sensible way to guard against the possibility of destruction (fire,
      catastrophe etc) is to have several copies, each securely stored and
      monitored (the same way classified documents are controlled).
      Microsoft claim that the two-key approach was suggested by the NSA -- I
      find it difficult to believe the NSA would suggest including two root keys,
      to guard against destruction of a root key.  My pet theory is that there
      was a communication problem; the NSA advice went something along the lines
      of, "having two root keys guards against loss", meaning compromise, and
      Microsoft took this to mean destruction.
      From: Greg Guerin 
      Subject: A new spin on the NSA-key/NT issue?
      In your article at
      , you end by
      saying:  "This virus doesn't exist yet, but it could be written."  [This is
      a virus that would replace the backup key in NT with a rogue key, and could
      trick the user into accepting malicious code as signed.]
      After I wrote , it
      occurred to me that the virus now exists, or at least all the parts of it
      do.  It only needs to be "turned to the Dark Side" and assembled.  The
      "construction kit" for this virus is none other than the "repair program" at:
      All the parts are there.  The "AddDelCsp.exe" program (no source provided)
      is the active infecting agent.  The "nsarplce.dll" and other DLL's are the
      "toxins".  The kit even includes "TestReplacement.exe" (with source) to
      test whether an enterprising young kit-builder has made his changes
      successfully or not.
      I'm sorta guessing, but someone with Wintel programming skills could
      probably construct a virus or Trojan horse with this kit in a matter of
      hours.  Probably the only skill they would have to sharpen is the crypto,
      but there's some nice starter info in the Fernandes report itself.  A
      little reading, a little key-generating time, maybe a little patching, and
      presto.  Try it on a local NT system, then release it to the world by
      mirroring the Fernandes report.  Or just send it to some "friends" via
      Hotmail.  It would certainly look authentic, and because even the original
      "repair" program was unsigned, and the original report says nothing about
      authenticating the download before running it, it could be a very
      well-traveled Trojan horse indeed.
      If this virulent "repair program" is written with a little restraint, it
      can spread VERY far before anyone even notices.  It could even camouflage
      itself and name its toxic key "NSAKEY", just like Microsoft's original.
      That is, after "removing" itself, it's still present.  How often do people
      even think of checking that key?
      If you know someone with NT programming experience, it might be interesting
      to have them read the Fernandes report, download the virus construction
      kit, er, I mean "repair" program, then give this a try.  I'd guess that not
      even prior virus-writing skills would be needed, just above-average NT
      programming skills.  I bet you'd have a virulent version in less than an
      afternoon.  A fine project for a lazy Labor Day holiday, eh?
      From:  Sam Kissetner
      Subject:  Meganet
      I thought this might amuse you.  The February issue of Crypto-Gram makes
      fun of Meganet's home page for saying:
          1 million bit symmetric keys -- The market offer's [sic] 40-160 
          bit only!!
      I visited that page today.  (The URL changed; it's at
      .)  Maybe they read Crypto-Gram, because
      they tried to fix the grammatical error.  But it was part of a graphic, so
      they just pasted a little white box over the apostrophe and s, leaving:
          1 million bit symmetric keys -- The market offer    40-160 bit only!!!
      Gee, that's *much* better.
      From: Marcus Leech 
      Subject: HP's crypt(1) description
      To be fair to HP, and crypt(1) -- HP has merely faithfully reproduced the
      original crypt(1) MAN page.  Crypt(1) first appeared in Unix V7, back
      around 1978 or so -- at a time when DES was just starting to be used in
      certain limited areas.  That an operating system had any kind of file
      encryption facility at all was some kind of miracle at the time.  Sun has
      obviously lightly hacked-over the documentation to reflect current reality,
      while HP has taken the approach of staying faithful to the original
      ** *** ***** ******* *********** *************
      CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on computer security and cryptography.
      Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
      find it valuable.  Permission is granted to reprint CRYPTO-GRAM, as long as
      it is reprinted in its entirety.
      CRYPTO-GRAM is written by Bruce Schneier.  Schneier is founder and CTO of
      Counterpane Internet Security Inc., the author of "Applied Cryptography,"
      and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served
      on the board of the International Association for Cryptologic Research,
      EPIC, and VTW.  He is a frequent writer and lecturer on computer security
      and cryptography.
      Counterpane Internet Security, Inc. is a venture-funded company bringing
      innovative managed security solutions to the enterprise.
      Copyright (c) 1999 by Bruce Schneier 
10.0  Move over BO2k here's Donald Dick from Russia with love...
      Donald Dick v1.52 was coded by Yaworsky (aka Alexander A. Yaworsky) and 
      BAdMAN F0ReVeR  (aka Alexander A. Fedenko) 
      From the site;

      15 September 1999
      We just have received and used new AVP update. Very funny. It found only distributive Donald Dick file and GUI/cmd.line
      clients ;) (old 1.5 beta3 only). It does not see real Donald Dick installation. 

      By the way, the life for AVP will not be too easy soon - now we are implementing new 'SmartMorph' technology. The
      result will be that executable file will be different with each installation and will never contain any unique sequence of

      13 September 1999
      Almost all keyboard features are implemented into Donald Dick client 1.52 

      10 September 1999
      We have good news for you:
          New Donald Dick version 1.52 is now available. Catch! 
          Now we will produce only full version of server and it will be completely free with its current set of features (or
          bugs ;). 
          Network protocol was changed. So be careful - previous and current versions are incompatible. If you already use
          Donald Dick in any place you must completely reinstall it. You can upload server file on target machine using
          previous client and run it (don't issue upgrade command); after you issue run command, connection may be
          immediately lost and after that you must use new client. 

      Donald Dick server: new features: 
          The most wishful: UNINSTALL. Don't care - it completely wipes Donald Dick server out. 
          Hidden mode: server does not respond if the request was not actually processed 
          Ports can be set by server; now you don't need to edit the registry manually. 
          Pre-, Post-delay and repeat count for requests 
          Keyboard control: issue keystroke, remap keys and save key map so it will be loaded at startup ;) keyboard input is
          now captured, and because the server becomes operational immediately after the shell is loaded, you can see what
          the user typed at login prompts. NOTE that keyboard features except keystroke simulation are available only under
          Windows9X. For winNT they will be available later. 
          Chat rooms - volatile and non-volatile 

          So you need to wait a little for updated Donald Dick GUI client. New features will be available in nearest days. Or
          take the power of command line right now. 

     6 September 1999
     We radically changed design of this site. 

     18 August 1999
     Donald Dick 1.5 beta 3 became available. 

      About Donald Dick

      We are not liable for any damages caused by use of software we did.
      And we don't advise to ride our little brothers. But if you want to do it... 

      Let us introduce Donald Dick - another remote control system. 

             Donald Dick is a remote control system for workstations running Windows 95, 98 or NT 4.0 (not tested on 5,
             we didn't steal it yet). First, it was implemented to replace well-known trojans we used to confuse dummies,
             and to be invisible for existing antiviruses. We used it locally since february - march of '99 till the summer. The
             first implementation could only open and close cdrom tray but it quickly becomes powerful remote control

             Donald Dick consists of two parts - client and server. To install server on the destination computer, you simply
             must launch executable file there. Since you install Donald Dick server on a computer, all of its resources
             becomes completely yours. You can control it with Donald Dick client via TCP or SPX network protocol. But if
             you are going to use Donald Dick for serious purposes then you can restrict access to the server with

     Under Windows9X Donald Dick server becomes operational immediately after shell starts up. Under WindowsNT the server is
     loaded as a service process but we tried to hide it in the control panel->services. 

     Here is the list of actions you can perform: 

     File system - full access: browse, create, remove directories; erase, rename, copy, upload, download files; set date/time
     of file. 
     Processes and threads: browse, terminate; run programs; additionally for processes - set priority; for threads - suspend,
     Registry - full access: browse, create, remove keys and values; set values. 
     System: get/set system time (you can perform Y2K compliance test ;) ); shutdown/logoff/reboot/power off; query
     system info, query/set system parameters. 
     Windows: get list of windows; query and set system colors; get screenshot or the shot for particular window; send
     messages to window. 
     Hardware: read and write CMOS (does not work under Windows NT, we not implemented this feature yet). 
     Keyboard: simulate keystrokes, remap, disable keys, view keyboard input (all features except keystroke simulation are not
     implemented under Windows NT yet) 
     Jokes: open and close CD; turn monitor's power off and on; talk with dummy using message boxes; play wave files. 
     Chat: you can chat with other guys in volatile chat room and leave important messages in non-volatile chat room 

     Using services provided by server, GUI client offers additional services. You can: 

     query passwords for screensaver, BIOS (Phoenix is currently supported, not tested for other BIOSes) and shared
     make folders shared (still in progress) 

     Our to-do list: 

     change file names of server components when it is required 
     implement setup program to generate executable file which installs Donald Dick server with all predefined settings 
     read/write CMOS under NT 
     capture, disable, remap keys under NT 
     batch request execution 
     mixer control 
     capture and transmit sound 
     receive and play sound 
     mouse control 
     plugins support 

11.0  New HOTMAIL hole found
      From HNN
      contributed by AlienPlaque 
      Just several weeks after a major Hotmail security hole
      left 40 million Hotmail accounts freely open to anyone
      on the Internet, yet another hole has been discovered.
      The new hole allows embedded JavaScript in the 'style'
      tag to "jimmy open" accounts. While it looks like the
      problem could easily be solved by having Hotmail disable
      the style tags as it does regular JavaScript, Microsoft
      says "This is not a security issue." 

      ZD Net,4586,2333253,00.html?chkpt=hpqs014
      Internet News  "/article/0,1087,3_199751,00.html
      This story was printed from ZDNN,
      located at
      New Hotmail hole discovered
      By Steven J. Vaughan-Nichols, Sm@rt Reseller
      September 13, 1999 3:50 PM PT
      Just what the world didn't need: Another way to crack open Microsoft's beleaguered free,
      Web-based e-mail system, Hotmail. But, that's exactly what noted Bulgarian bugfinder Georgi
      Guninski claims to have found.
      Guninski, who has made a name for himself by finding security violations in browsers, has found that
      Hotmail enables Web-paged embedded Javascript code to run automatically.
      This makes it possible for someone to write Web programs that could do anything from steal
      passwords to read others' mail. While it's long been known that active Web applets, whether written
      in ActiveX or Java, have the potential to pry open systems from the inside, this is the first case in
      which someone has shown that Hotmail is vulnerable to such attacks. 
      Not just a theoretical hole
      Is this a purely theoretical hole or one that can only be used by crackers to attack users? The
      answer, unfortunately, is the latter: Correctly written JavaScript programs can, at the least, raid
      users' inboxes. 
      Microsoft (Nasdaq:MSFT) is not claiming ownership of this latest problem. "This is not a Hotmail
      security issue. We see it as an example of people encouraging users to run malicious code on the
      Web," a Microsoft spokesperson said.
      "To protect yourself now, you can disable JavaScript, just disable it before using Hotmail, or do not
      open mail from unknown people when you think it might contain JavaScript," the spokesperson
      added. "Microsoft is investigating ways for Hotmail users to have greater security against threats
      posed by malicious use of JavaScript in e-mail."
      The latest Hotmail hole opens up because Hotmail doesn't handle the new HTML tag "STYLE."
      Java programmers and Webweavers use STYLE to insert JavaScript into HTML pages. The
      solution is to force Hotmail to handle STYLE in the same way it does ordinary JavaScript --
      disabling it on arrival. 
      Timing couldn't be worse
      The fix may be simple, but the timing for Microsoft could not be worse. The latest Hotmail security
      breach follows by weeks a major Hotmail security meltdown. It took Microsoft hours to fix the
      problem, but millions of user accounts were left unprotected in the interim. Since that initial breach,
      the company has brought in TrustE and another auditing firm to help it head off future Hotmail
      security breaches. 
      Internet News;
      New Security Hole in Hotmail 
      September 13, 1999
      By Brian McWilliams Correspondent 

      Microsoft's Hotmail service is at risk again from a new security threat. 

      Bulgarian programmer Georgi Guninski has discovered that the Web-based email service allows embedded javascript code to be
      automatically executed on the computers of Hotmail users. 

      According to Guninski, the flaw could enable a malicious person to launch password stealing programs or to secretly access the
      contents of a Hotmail users' account. 

      A functional but relatively harmless demonstration of the attack was sent by Guninski to InternetNews Radio. The test message
      showed how embedded javascript could be used to read messages from the Hotmail user's inbox and display them in a separate

      The latest Hotmail flaw affects users of Web browsers that support cascading style sheets, such as Internet Explorer version 5 and
      Netscape Navigator versions 4.x. 

      While Hotmail ordinarily detects and disables incoming messages containing javascript, according to Guninski it fails to properly handle
      a new HTML tag named STYLE which allows Web programmers to embed javascript in a Web page. 

      An MSN Hotmail spokesperson said the service is investigating the report. As a temporary workaround, concerned users can disable
      javascript in their browsers. 

      Last month, a separate security hole enabled outsiders to log in to others' Hotmail account without a password. 

      Gary McGraw, vice president of corporate technology for Reliable Software Technologies, said the new discovery suggests the
      Hotmail service may have become a new favorite target of hackers. 

      "As an attacker, it's a much juicier target than trying to attack every individual platform out there," McGraw said. 

      "These holes are like raw material, and it's good when the holes are discovered by people who are honest. But you can work that raw
      material into many different sorts of attacks." 

      In the wake of the earlier Hotmail attack, late last week Microsoft confirmed that it intends to hire an outside firm to audit the security
      of the service.
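
      Both reports above say Hotmail disabled ordinary JavaScript on arrival but did not handle the STYLE tag. As an added example (not Hotmail's code and not taken from either article), the Python below contrasts a filter that only knows about script with an allow-list filter that removes STYLE as well; the class, the policy sets and the sample message with its PLACEHOLDER strings are assumptions made for the illustration.

```python
"""Deny-list vs allow-list filtering of HTML mail (added example, constructed input)."""
from html import escape
from html.parser import HTMLParser

# Hypothetical policy values chosen for this example.
ALLOWED_TAGS = {"p", "br", "b", "i", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"href"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MailFilter(HTMLParser):
    """Re-emit HTML, dropping whatever the configured policy rejects."""

    def __init__(self, drop_content, allowed_tags=None, allowed_attrs=None,
                 safe_schemes=None):
        super().__init__(convert_charrefs=True)
        self.drop_content = drop_content    # elements removed together with their body
        self.allowed_tags = allowed_tags    # None: deny-list mode, every other tag passes
        self.allowed_attrs = allowed_attrs  # None: attributes not judged active pass
        self.safe_schemes = safe_schemes    # None: only "javascript:" URLs are rejected
        self.out = []
        self.skip_depth = 0                 # > 0 while inside a dropped element

    def _tag_ok(self, tag):
        return self.allowed_tags is None or tag in self.allowed_tags

    def _attr_ok(self, name, value):
        if name.startswith("on"):           # event handlers such as onclick, onload
            return False
        url = value.strip().lower()
        if url.startswith("javascript:"):
            return False
        if self.allowed_attrs is not None and name not in self.allowed_attrs:
            return False
        if name == "href" and self.safe_schemes is not None:
            return url.startswith(self.safe_schemes)
        return True

    def handle_starttag(self, tag, attrs):
        if tag in self.drop_content:
            self.skip_depth += 1
            return
        if self.skip_depth or not self._tag_ok(tag):
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if self._attr_ok(name, value):
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in self.drop_content:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and self._tag_ok(tag):
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def _run(parser, html):
    parser.feed(html)
    parser.close()                          # flush text still buffered by the parser
    return "".join(parser.out)


def script_only_filter(html):
    """Model of the reported behaviour (an assumption): script is removed, STYLE is not."""
    return _run(MailFilter(drop_content={"script"}), html)


def allow_list_filter(html):
    """Hardened form: STYLE is dropped like script and only known-safe markup remains."""
    return _run(MailFilter({"script", "style"}, ALLOWED_TAGS, ALLOWED_ATTRS,
                           SAFE_SCHEMES), html)


# Constructed message; the PLACEHOLDER strings stand in for active content.
SAMPLE_MAIL = (
    '<p onclick="PLACEHOLDER_HANDLER">Hello</p>'
    '<script>PLACEHOLDER_SCRIPT</script>'
    '<STYLE>PLACEHOLDER_ACTIVE_STYLE</STYLE>'
    '<a href="https://example.com/" style="PLACEHOLDER_INLINE">link</a>'
)

if __name__ == "__main__":
    print("script-only:", script_only_filter(SAMPLE_MAIL))
    print("allow-list :", allow_list_filter(SAMPLE_MAIL))
```

      An unclosed STYLE or script element makes the allow-list filter drop the rest of the message, so a malformed message fails closed.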
12.0  Security Hole Found in Security Product 
      From HNN

      contributed by Simple Nomad 
      Nomad Mobile Research Center, an HNN Affiliate, has
      released an advisory regarding Bindview's HackerShield
      scanner. During installation of the product (including the
      demo) a Service User with a non machine specific
      password is created. 


                                Nomad Mobile Research Centre
                                       A D V I S O R Y
                              Simple Nomad []
                                    Platform : Microsoft NT 4.0 SP5
                                 Application : Hackershield v1.1
                                    Severity : High
      The HackerShield product creates a local account during installation with
      a password that is not machine specific. This includes the HackerShield
      demo product available via the Internet.
      Tested configuration
      Testing was done with the following configuration :
      Microsoft NT 4.0 Server and Workstation with SP3 (no additional hotfixes)
      Microsoft NT 4.0 Server and Workstation with SP5 (with Csrss, LSA-3, RAS,
       WinHelp hotfixes)
      HackerShield Product Version 1.10.1105, Package Version 11
      Product Background
      Hackershield -- originally developed by Netect, but recently
      purchased by Bindview -- is a security scanner
      that scans for security flaws on Windows and Unix platforms. It is very
      similar and compares nicely to the feature set of ISS' Internet Security
      Scanner and NAI's CyberCop. It allows both manual and auto-updates of new
      hack signatures, called RapidFire updates, as well as automated scanning
      sessions which allow a system administrator to define a schedule for
      scanning a set of network resources. The idea is to provide an automated
      method of keeping your systems fairly up-to-date from a security
      perspective by downloading new vulnerabilities and running pre-scheduled
      scans. This is fairly similar to the modern anti-virus model where you set
      your anti-virus software to automatically download new virus signature
      files from the anti-virus vendor's FTP site and then run the virus scan,
      except the automated updates come via PGP-signed email.
      Bug - Service User password is recoverable
      To facilitate HackerShield automation of scanning, a Service User named
      NetectAgentAdmin$ is installed with local Administrator privileges on the
      scanning computer. Unfortunately, the password can be easily recovered.
      Since the advent of recent patches to Microsoft NT, recovery of Service
      User password information is a little harder. For example, pwdump will not
      recover the hash for NetectAgentAdmin$, but pwdump2 will. Users of
      L0phtcrack will not be able to dump this user, but using pwdump2 will get
      the following for this user (text is wrapped):
      NetectAgentAdmin$:1001:7a8754eda3b21376136260cc65a99030: \
      Being security conscious, the HackerShield folks at least made the
      password 14 characters, but the password is not machine-specific. The
      first 12 characters are np7m4qM1M7VT while the last two are non-printing
      characters. Due to the non-printing characters, L0phtcrack will not
      brute-force crack the password using the standard choices of character
      sets (although it should be possible to type in the alt codes into a
      custom character set -- we did not try this as the characters are still
      non-printing), but using Paul Ashton's code (posted to NTBugtraq August 9,
      1997) it can be extracted as plaintext on an NT 4 SP3 workstation or
      The implications of this should be obvious -- a service user with a known
      password and local administrator rights is a prime target for intruders of
      NT systems. Depending on where the product is loaded in your organization,
      you have a potential vehicle for additional password recovery, trojan
      horse planting, and further compromise of the NT environment.
      Bug Conclusions
      If you have loaded the HackerShield product (including the demo) then you
      have installed the Service User, and the two services called
      HackerShieldAgent and HackerShieldSniffer. If this system is not
      physically secure, or has Server services running, you have the potential
      for compromise via the Service User.
      Do not install HackerShield on non-physically secured systems. If you have
      loaded HackerShield onto an NT host only to perform a localhost scan, it
      is recommended you uninstall the product using the HSUninstall.exe program
      once you have completed the scan.
      Bindview has developed a patch for the Service User password to be machine
      specific. It can be downloaded from In the Readme
      file with the zip, Bindview has a reference to the following page:
      We'd like to commend Bindview in their response to our contact. An email
      was sent to them with our concerns, giving them an opportunity to respond.
      The email was sent at 9:30AM on August 30, 1999 to a generic support
      address, and a real human being replied within an hour, and confirmed our
      findings later that day. They stated this is a bug as they never intended
      to have non-unique passwords for the NetectAgentAdmin$ account.
      The fact that Service Users' passwords can be recovered is reason enough
      to upgrade to the latest patches, although Microsoft has still not
      addressed the pwdump2 issue. Despite the fact that you have to be a local
      administrator to recover the hashes, it still illustrates the danger of
      using Microsoft's own authentication methods when trying to deliver a
      secured solution to NT. For this we would like to issue our strong
      distaste for Microsoft's built-in authentication measures, and how they
      are (un) protected.
      We do understand why Bindview (or technically, Netect) did it -- they are
      in the business of delivering products to market as quickly as possible --
      but when you deliver a security product you must ensure that the product
      itself is secure. Personally, we like the anti-virus styled model as far
      as security scanners go, but if you build your security application on a
      shaky and flawed security model then your security application is only
      going to be as good as that flawed model.
      This scenario is probably in existence in any number of other products
      that use Service Users. Bindview is not alone here, we just happened to
      look at their product.
      HackerShieldTM Security Advisory 

         BindView Development (formerly Netect, Inc.) has been notified of a potential high risk security problem with HackerShield v1.0
         and v1.1.

         Full details and correction actions are described below.

         Description of the Problem 

         HackerShield creates the account, "NetectAgentAdmin$" during installation. This account has local administrator privileges on
         the machine on which HackerShield is installed and is created with a 14-character password. This password is supposed to be
         randomly generated for each installation.

         Unfortunately, due to a programming error, the HackerShield installer creates the same "random" password every time. Since
         the password is not unique to each machine on which HackerShield is installed, the password created for the
         NetectAgentAdmin$ account is the same on every machine. Thus, an attacker could crack the password from one installation
         of HackerShield and then have a valid username and password (with Administrator privilege) on other HackerShield machines.
         If those machines are accessible, either physically or via any NetBios service over the network, an attacker could use this
         information to gain unauthorized access to the machine on which HackerShield is installed.

         This problem was discovered by an external group who will shortly release their own advisory on the subject. Once the problem
         is made public, hackers may attempt to exploit it. It is therefore imperative that you take one of the actions described below to
         correct the problem.

         Correction Actions 

         In order to eliminate this security problem, you need to take one (and only one) of the following corrective actions:

         Correction Option 1 
              Download and run HackerShield 1.1 - Maintenance Patch 2:
              This patch generates a unique password, changes the password for the NetectAgentAdmin$ account, and restarts the
              HackerShield services (HackerShield Agent and HackerShield Sniffer services). After you do so, your installation of
              HackerShield will no longer be vulnerable. 
         Corrective Option 2 
              You may fix this problem manually by either changing the password to one of your choosing (remembering to also
              change it in the Services control panel) or by deleting the NetectAgentAdmin$ account and using a different account to
              provide 'Log In As' permissions to the HackerShield services. 
         Corrective Option 3 
              If you have installed an evaluation copy of HackerShield 1.0 or 1.1 that is past its evaluation period, the simplest way to
              eliminate the problem is to uninstall HackerShield. HackerShield uses a standard uninstall procedure and may be
              uninstalled using the Add/Remove Programs feature in the Windows NT Control Panel. After you uninstall HackerShield,
              you should verify that the NetectAgentAdmin$ account has also been removed from your system. 

         Final Note 

         Please note that there are no reports of this problem being exploited. However, once the problem has been made
         public, hackers may attempt to exploit it. Therefore, you must apply Maintenance Patch 2 or take one of the other
         corrective actions (described above) to avoid being vulnerable.

         If you are interested in evaluating the latest version of HackerShield (version 1.1.1), it is available for download here:

         HackerShield 1.1.1 includes Maintenance Patch 1 and 2 and RapidFire Updates 1 and 2.


         If you have any issues that require technical support, 
         please contact BindView Support at: or  
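
Added example (not part of the BindView advisory, and not HackerShield code): the advisory says only that a programming error made the installer produce the same "random" password on every machine. The Python sketch below assumes one common form of that error, a generator re-created with a constant seed, sets it beside a per-install password drawn from the OS CSPRNG, and adds a fleet check that groups hosts sharing one service-account credential. Host names and function names are constructed for illustration.

```python
import hashlib
import random
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 14  # the advisory states a 14-character password


def flawed_install_password():
    """Assumed form of the bug: the generator is rebuilt with a constant
    seed on every run, so every 'installation' draws the same sequence."""
    rng = random.Random(0)  # constant seed (hypothetical stand-in for the error)
    return "".join(rng.choice(ALPHABET) for _ in range(PASSWORD_LENGTH))


def unique_install_password():
    """Hardened form: each character comes from the OS CSPRNG, so the
    result is unpredictable and differs per installation."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LENGTH))


def fingerprint(password):
    """Stand-in for whatever password hash an audit can read from each host.
    SHA-256 is used here only to compare values, not as a storage scheme."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def simulate_fleet(generator, hosts):
    """Run the 'installer' once per host; return {host: credential fingerprint}."""
    return {host: fingerprint(generator()) for host in hosts}


def hosts_sharing_credential(fleet):
    """Group hosts whose service-account credential is identical.
    Any group with more than one host means one cracked password
    unlocks every machine in that group."""
    groups = defaultdict(list)
    for host, digest in fleet.items():
        groups[digest].append(host)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed host names for the demonstration.
HOSTS = ["nt-scan-01", "nt-scan-02", "nt-scan-03"]

if __name__ == "__main__":
    print("flawed installer:", hosts_sharing_credential(
        simulate_fleet(flawed_install_password, HOSTS)))
    print("fixed installer: ", hosts_sharing_credential(
        simulate_fleet(unique_install_password, HOSTS)))
```

The same grouping check applies to any product that creates a service account at install time: identical credentials across hosts are the signal, whatever the underlying cause.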

13.0  Globalstar and FBI Are Nearing Agreement 
      From HNN

      contributed by AlienPlaque 
      Globalstar, a satellite phone firm, is close to an
      agreement with federal law enforcement officials who
      had threatened to delay its service if the FBI couldn't
      wiretap phone conversations. Even though the company
      is based in Canada, it needs to win approval from the
      Federal Communications Commission, which has already
      held up a license for another company due to concerns
      that the FBI would not be able to wiretap and monitor
      its service. 

      Globalstar close to pact with FBI over wiretaps 
     By John Borland
     Staff Writer, CNET
     September 13, 1999, 4:15 p.m. PT 

     A satellite phone firm is close to an agreement with federal law enforcement officials who had threatened to delay its
     service if the FBI couldn't wiretap phone conversations, company officials say. 

     Officials at the Federal Bureau of Investigation have been concerned that Globalstar and other satellite phone companies could
     undermine their ability to listen in on suspected criminals' telephone calls by sending the transmissions across national
     borders--and outside U.S. jurisdiction. 

     The issue had threatened to hold up Globalstar's long-awaited launch date, scheduled for later this month. FBI officials had even
     raised the possibility that the company would have to move several of its expensive land-based transmission stations from
     Canada into the United States--an option that would have dramatically raised costs and delayed service for the fledgling firm. 

     The FBI's scrutiny of the satellite phone business has proved rocky for the struggling industry. Few
     providers can afford to restructure their network to satisfy law enforcement concerns, and many in
     the industry are watching Globalstar to see if a cheap technical solution to federal demands can be

     After several months of negotiations with U.S. and Canadian officials, the company may have found
     a way to deal with the law as well as stay financially afloat. In a recent meeting, FBI officials and
     Globalstar executives agreed to pursue a technological fix that appears likely to satisfy the FBI's
     needs to tap into the satellite calls, company officials now say. 

     "We have tentatively agreed on a technical solution," said Andy Radlow, a spokesman for
     Vodafone AirTouch, the company that is managing Globalstar's North American operations. "We
     don't get any indication that they intend to hold us up." 

     An FBI spokesman confirmed that the agency is in discussions with satellite phone providers, but
     declined to comment specifically on negotiations with Globalstar. 

     Aside from federal concerns, Globalstar is just the latest player to enter an industry that has seen two of its early pioneers fall by
     the wayside. The firm's largest competitor, Iridium, has already filed for bankruptcy protection and is undergoing a company
     reorganization. Another smaller competitor has also filed for bankruptcy protection. 

     Not quite a borderless world
     Globalstar is run by a coalition of companies including Loral Space and Communications, Vodafone AirTouch, and Qualcomm,
     among others. With satellites already in orbit around earth, the company has said it plans to begin offering telephone service by
     the end of September. By the time its $3.9 billion satellite system is complete, the company will be able to serve customers
     almost anywhere on Earth. 

     But before it can begin serving customers in the United States, it needs to win approval from the Federal Communications
     Commission--and that's where the trouble starts. 

     The FCC has already held up a license for at least one smaller Canadian satellite phone company based on concerns that the
     FBI would not be able to tap and trace telephone calls made over the system. FCC officials say they have wanted to allow
     negotiations between the phone companies and the FBI to proceed before acting on the license requests. 

     In Globalstar's case, two of the four ground stations--places where equipment sends calls to and from the satellite
     network--serving the United States will be located across the border in Canada. 

     This has worried FBI officials, who don't want to have to seek approval from foreign governments when tapping telephones.
     Seeking permission from Canadian officials to conduct surveillance of U.S. suspects--a likely outcome if the FBI had to physically
     put taps in Globalstar's Canadian stations--would be a serious breach of national security, officials say. 

     The fix that Globalstar and the FBI are reportedly discussing would allow law enforcement officials a way to tap into the satellite
     system without having to cross the U.S. border. The technical details are still being finalized, but Qualcomm--the company that
     provides the land station and handset equipment to Globalstar--has assured the Justice Department that the fix will satisfy their
     concerns, Radlow said. 

     "We feel we're going to continue to have a good relationship on the federal and local level with law-enforcement," Radlow said.
     Once the FBI has officially signed off, Globalstar can go to the FCC for its license without much fear of delay. 

     The company is running up against its own stated deadline to begin rolling out service this month, however. But the North
     American version of the service still plans a "soft launch" this November and appears likely to make this deadline despite the
     wiretap concerns. 
14.0  Matt Drudge Defaced 
      From HNN

      contributed by evil wench 
      The "United Loan Gunmen" who recently claimed
      responsibility for defacing CSPAN and ABC have now
      replaced the home page of the political commentary site
      of Matt Drudge.

      HNN Cracked Pages Archive
      Yahoo News
      Nando Times
      Hackers Vandalize Drudge Web Site
                        By TED BRIDIS Associated Press Writer 
                        WASHINGTON (AP) - Hackers who earlier claimed responsibility for computer attacks against ABC and C-SPAN
      vandalized the Web site run by Internet gossip columnist Matt Drudge late Monday.
      The group, calling itself ``United Loan Gunmen,'' replaced Drudge's main page with a message saying they ``take control of Mike (sic) Drudge's data stockyard to once
      again show the world that this is the realm of the hacker.''
      Drudge could not be reached immediately for comment.
      Although such electronic attacks aren't unusual, it was remarkable for a little-known hacker group to have claimed responsibility for raids on three remarkably
      high-profile Web sites over a period of weeks.
      The ``ULG'' group also had claimed responsibility for the defacement of the Internet site for ABC just weeks ago and for an attack at C-SPAN one week ago.
      It's believed to be relatively newly formed, and its only previously known attacks have been the ones against C-SPAN and ABC.
      The defacement of the Drudge site was first reported on a computer security Web site, Attrition.Org, which monitors hacking activity on the Internet.
      The vandalism of Drudge's Web site comes during a period of stepped-up prosecution of hackers by federal authorities.
      The Justice Department weeks ago arrested Chad Davis, 19, of Green Bay, Wis., on charges that he vandalized the Army's Internet site.
      And a colleague of Davis', Eric Burns, pleaded guilty recently in federal court in Virginia to charges that he vandalized a spate of Web pages and told others earlier this
      summer how to attack the Internet site run by the White House. Burns' sentencing was set for Nov. 19. 
15.0  South Africa Stats Site Defaced 
      From HNN

      contributed by Anonymous 
      The official statistics web site for South Africa was
      defaced recently. The site is used mainly by economists
      looking for information such as the consumer price
      index, manufacturing production and gross domestic
      product growth. 

      Excite News
      Attrition Mirror   
      Hackers attack S.Africa's key statistics website
      Updated 7:41 AM ET September 13, 1999
      JOHANNESBURG, Sept 13 (Reuters) - Cyber-hackers broke into South Africa's official statistics website on Monday, replacing
      details of the latest consumer price index with a slew of obscenities railing against national phone company Telkom.
      Visitors to the site, which normally provides information on staid topics such as manufacturing production
      and gross domestic product growth, were met instead with a foulmouthed tirade against Telkom's alleged shortcomings.
      "Telkom stop your...lame-ass monopoly or we will disconnect you," the hackers warned, among other things.
      The page is a crucial source of information for economists tracking the country's performance.
      Many of Telkom's unionised workers are involved in a wage dispute with the employer and have engaged in organised go-slows.
      But a Telkom official said she didn't believe the defacing of the statistics website was related.
      Telkom's site wasn't affected.
      An information technology expert at Statistics South Africa said it could take at least two days to get the site back to normal. 
16.0  India And Israel BackDooring US Software 
      From HNN

      contributed by Simple Nomad 
      This article spreads a bit of FUD that manages to
      implicate Israel and India in plots to plant backdoors in
      U.S. systems because of the out-sourced Y2K
      programming efforts that utilize those countries'
      programmers. It is of course possible that Israeli and
      Indian programmers might backdoor their code, but so
      might programmers from anywhere else. Somehow HERF
      guns make it into this article as well. This article is great
      if you are planning on preying upon the Y2K paranoid
      survivalist crowd. 

      Network Fusion   
      (Registration Required)
      This story appeared on Network World Fusion at
      Threat of 'infowar' brings CIA warnings
      Y2K work has given foreign-born programmers 'unprecedented access' to U.S. computer systems. 
      Network World, 09/13/99
      ARLINGTON, VA. - Some might call it paranoia, but the U.S. government is growing increasingly worried that foreign infiltrators are building secret trap doors into
      government and corporate networks with the help of foreign-born programmers doing Y2K-related work.
      A CIA representative last week named Israel and India as the countries most likely to be doing this because they each handle a large amount of Year 2000 software
      repair not done by U.S.-born workers. According to the CIA, the two countries each have plans to conduct information warfare and planting trapdoors wherever they
      can would be a part of that.
      Information warfare is a nation's concerted use of network hacking, denial-of-service attacks or computer viruses to gain access to or disrupt computer networks, now
      the heart of modern society in terms of banking, telecommunications and commerce.
      HERF guns work
      Though still secretive about the practice, nations are also building futuristic radio-pulse devices - popularly called High Energy Radio Frequency (HERF) guns - that can
      disrupt or destroy electronics in networks, cars, airplanes and other equipment by sending an energy beam at them. 
      A homemade version of a HERF gun successfully disrupted a PC and a digital camera during a demonstration last week at a session of the Infowar conference. This
      conference typically draws a large crowd of government spooks and high-tech strategists from around the world. 
      Y2K work is giving foreign programmers "unprecedented access to computer systems," Terrill Maynard, the CIA's chief of analysis and warning, said at the Infowar
      conference. He works at the National Information Protection Center, which is the government organization housed at the FBI that keeps a watch on threats to the U.S.
      While Maynard calls Israel and India the key suspects for planting software backdoors in American systems, Russia is also viewed as a threat because it has defensive
      and offensive information warfare programs underway. Cuba and Bulgaria are working on computer-virus weapons, he says. But Maynard claims Israel has already
      hacked its way into U.S. computer systems to steal information about the Patriot missile.
      With most Y2K work completed, "action options are few at this date," Maynard says. He recommends that IT departments closely examine the Y2K code that went in
      their systems and also run extensive checks on network security.
      In the 21st century, the threat of nuclear war is being displaced by that of information weapons, said another conference speaker, Igor Nemerov, general counsel of the
      Russian Embassy. "We can't allow the emergence of another area of confrontation," Nemerov said, adding that Russia is calling for "cyberdisarmament." 
      The first step in the cyberdisarmament process is to get the nations of the world to discuss the issue openly, Nemerov said. Russia recently requested that the United
      Nations ask member countries to recognize the threat and state their views on it.
      The U.S. Department of Defense has complained in meetings with Congressional subcommittees that it has seen severe network-based attacks coming from Russia.
      Congress has become convinced there's a big problem - and not just with Russia. Rep. Curt Weldon (R-Pa.) made an appearance at the Infowar conference last week
      to say he thinks information warfare is a bigger threat than biological or nuclear weapons.
      When asked by Network World if Russia carries out network-based attacks on U.S. computer systems, Nemerov conceded that sometimes things do happen, but "it's
      Robert Garique, chief technical officer for the Canadian province of Manitoba, said he favors cyberdisarmament talk. Garique noted that new hacking tools, such as one
      called nmap, make it very hard to be sure where a network-based attack is originating because the tool makes it easy for the attacker to spoof his identity.
      Easy to make
      But more than traditional hacker techniques constitute infowar. A new genre of high-energy radio-pulse weapons that disable electrical flows are under development in
      government labs around the world. "People are spending a lot of money on cyberweapons," Garique said.
      But how easy is it for terrorists or other criminals to build their own homemade HERF guns? That has been a topic of much debate, but last week a California-based
      engineer, David Schriner, demonstrated it's not very hard. 
      Schriner, president of Schriner Engineering and a former engineer at the Naval Air Warfare Center, hooked up a 4-foot parabolic antenna powered by ignition coils and
      parts from a cattle stun gun during one Infowar session. People with pacemakers were asked to exit the room.
      With not much more than $400 in parts, he directed a 300-MHz pulse at a computer running a program. Blasted in this manner from 10 feet away, the computer went
      haywire and a digital camera twice that distance away was affected.
      "It's high-school science, basically," says Schriner, who believes that as this kind of threat becomes better understood through research, the computer industry is going to
      have to sit up and take note. "It's going to cost an extra nickel or dime to put a shield in a computer where it's needed," he says.
17.0  The Russians Are Coming, The Russians Are Coming 
      From HNN

      contributed by Space Rogue 
      A lot of people have been sending in a link to a recent
      Newsweek article and are wondering why HNN has not
      mentioned it. The article claims that the Russians are on
      our cyber back door waiting to break in. The article is
      written so that it appears that this is a current event.
      It is not. It is months old. Operation Moonlight Maze, as
      discussed in the article took place last spring, the DOD
      password change also mentioned in the article happened
      last month. While news outlets like Newsweek may think
      it is OK to report on stuff that is months old HNN tries
      to only report on timely events. 

      Note: Page 5 of 8
      Relevant section only, included

      'We're in the Middle of a Cyberwar'

      Russian hackers may have pulled off what could be the most
      damaging breach ever of U.S. computer security 

      By Gregory Vistica 

      It's being called "Moonlight Maze," an
      appropriately cryptic name for one of the
      most potentially damaging breaches of
      American computer security ever --
      serious enough for the Department of
      Defense to order all of its civilian and
      military employees to change their
      computer passwords by last month, the first time this precaution has ever
      been taken en masse. The suspects: crack cyberspooks from the Russian
      Academy of Sciences, a government-supported organization that interacts
      with Russia's top military labs. The targets: computer systems at the
      Departments of Defense and Energy, military contractors and leading
      civilian universities. The haul: vast quantities of data that, intelligence
      sources familiar with the case tell NEWSWEEK, could include classified
      naval codes and information on missile-guidance systems. This was,
      Pentagon officials say flatly, "a state-sponsored Russian intelligence effort to
      get U.S. technology" -- as far as is known, the first such attempt ever by
      Russia. Washington has not yet protested to Moscow. But Deputy
      Secretary of Defense John Hamre, who has briefed congressional
      committees on the investigation, has told colleagues: "We're in the middle of
      a cyberwar." 

      In a cyberwar, the offensive force picks the battlefield, and the other side
      may not even realize when it's under attack. Defense Department officials
      believe the intrusions, which they describe as "sophisticated, patient and
      persistent," began at a low level of access in January. Security sleuths
      spotted them almost immediately and "back-hacked" the source to
      computers in Russia. Soon, though, the attackers developed new tools that
      allowed them to enter undetected (although they sometimes left electronic
      traces that could be reconstructed later). Intelligence sources say the
      perpetrators even gained "root level" access to some systems, a depth
      usually restricted to a few administrators. After that, "we're not certain
      where they went," says GOP Rep. Curt Weldon, who has held classified
      hearings on Moonlight Maze. 

      As a federal interagency task force begins its damage assessment, a key
      question is whether the Russians managed to jump from the unclassified
      (although non-public) systems where they made their initial penetration into
      the classified Defense Department network that contains the most sensitive
      data. Administration officials insist the "firewalls" between the networks
      would have prevented any such intrusion, but other sources aren't so sure.
      Besides, one intelligence official admitted, classified data often lurk in
      unclassified databases. With enough time and computer power, the Russians
      could sift through their mountains of pilfered information and deduce those
      secrets they didn't directly steal. That's one more thing to worry about,
      although security officials admit that they have a more pressing concern.
      The intruders haven't been spotted on the network since May 14. Have they
      given up their efforts -- or burrowed so deeply into the network that they
      can no longer even be traced? 

      Newsweek, September 20, 1999 
18.0  Biometrics Takes Frightening New Step "I am not a number!" ready to be barcoded?
      What I want to know is how someone gets a patent for something like this? It's an IDEA.
      I was led to believe that an IDEA was not patentable....this is proof otherwise..- Ed
      From HNN

      contributed by Weld Pond 
      The United States Patent and Trademark Office has
      issued a patent for what some may find extremely
      disturbing. Thomas W. Heeter of Houston, TX has been
      awarded patent #5,878,155 for using tattoos to identify
      customers prior to a retail transaction. The tattoo would
      consist of a bar code or other design that would be
      electronically scanned to confirm identity. (Personally I
      think this is taking biometrics a little too far. Hopefully no
      one will actually implement this patent.) 

      US Patent and Trademark Office 
      United States Patent
      Mar. 2, 1999
      Method for verifying human identity during electronic sale transactions 
      A method is presented for facilitating sales transactions by electronic media. A bar code or a design is tattooed on an individual. Before the sales transaction can be
      consummated, the tattoo is scanned with a scanner. Characteristics about the scanned tattoo are compared to characteristics about other tattoos stored on a computer
      database in order to verify the identity of the buyer. Once verified, the seller may be authorized to debit the buyer's electronic bank account in order to consummate the
      transaction. The seller's electronic bank account may be similarly updated. 
      Heeter; Thomas W. (55 Lyerly, Houston, TX 77022). 
      Appl. No.: 
      Sept. 5, 1996
      Intl. Cl. : 
      G06K 9/00
      Current U.S. Cl.: 
      Field of Search: 
      382/115, 116, 124-127, 100, 128, 133; 348/77, 15, 161; 209/3.3, 555; 356/71; 340/825.34; 235/379, 380, 382

19.0  NASDAQ Defaced 
      From HNN

      contributed by punkis 
      At approx. 21:23 on 9.14.99, United Loan Gunmen
      temporarily defaced a section of the NASDAQ website.
      This is the same group responsible for such high-profile
      defacements as the ABC Network, C-SPAN, and most
      recently the Drudge Report Web site. Data integrity
      measures on the part of NASDAQ appear to have limited
      the impact the ULG had on the site, but the intrusion
      was nonetheless evident. Unfortunately we were unable
      to get a full mirror of the defacement due to the limited
      time the page remained up. 

      Attrition Mirror

      Late Update: 1628EST
      And the media frenzy begins. 

      Associated Press - via USA Today
      ZD Net
      Reuters - Via Yahoo News
      Associated Press/USA Today;
      Nasdaq, Amex sites hacked overnight

      WASHINGTON (AP) - Computer hackers vandalized the Internet sites
      of the Nasdaq and American Stock Exchanges early Wednesday in a bold
      electronic affront to the world's financial markets.

      A group calling itself ''United
      Loan Gunmen,'' infiltrated the
      computer running the Web sites
      for Nasdaq and Amex just after

      It was highly unlikely the hackers
      manipulated any financial data
      within the exchanges. Nasdaq
      recently acquired the American
      Stock Exchange. 

      A spokesman for the exchanges was not available immediately for

      The hacker group left a taunting message saying it intended to ''make
      stocks rise drastically, thus making all investors happy, hopefully ending
      with the investors putting bumper stickers on their Mercedez' that say
      'Thanks ULG!''' 

      ''Meanwhile, ULG members go back to flipping burgers at McDonalds.'' 

      It also claimed to have briefly created for itself an e-mail account on
      Nasdaq's computer system, suggesting a broad breach in the system's

      ''That's a pretty serious allegation,'' said Christopher Rouland, director of a
      team of computer security engineers, called X-force, for Atlanta-based
      Internet Security Systems Inc. ''It's difficult to say if it's accurate, but once
      you breach the perimeter, it certainly is easier to get into the

      Nasdaq's Web site uses software from Microsoft Corp., called Internet
      Information Server, that has suffered several serious security problems
      during the past year. Microsoft has distributed patches in each case but
      relies on local computer administrators to install them correctly. 

      ''System administrators can forget to install patches,'' Rouland said. 

      Another expert, Russ Cooper, said it's a mistake to assume that the
      Internet's most popular sites are secure from hackers. 

      ''It would be nice if we could assume that a high-profile site would have
      better security people on-staff,'' said Cooper, who runs the NTBugtraq
      discussion group on the Internet for security flaws. ''Unfortunately, my
      experience is that's a hope, not a reality.'' 

      The hacker group also had claimed responsibility earlier this week for the
      defacement of the Internet site for Matt Drudge, the Internet gossip
      columnist, and electronic attacks against C-Span last week and ABC just
      weeks ago. All those organizations also used Microsoft's Internet
      Information Server to run their Web sites. 

      Rouland said the attacks on Nasdaq and Amex were likely to cause
      anxiety among computer professionals on Wall Street. 

      ''It certainly will in the financial communities,'' he said. ''People will notice,
      and it will cause a buzz. This is going to cause more people to pay
      attention to security.'' 

      Nasdaq trading volume averages about 800 million shares a day. 

      As global financial markets have expanded at a dizzying pace, Nasdaq has
      adopted an aggressive international strategy. Earlier this year, Nasdaq
      took over the Amex and announced plans to establish an electronic trading
      exchange in Japan. 

      Nasdaq also has set up a joint Web site with Hong Kong's stock
      exchange that will allow U.S. investors to trade in Hong Kong securities,
      has signed a similar deal with the Australian Stock Exchange, and is
      looking into new alliances in Europe. 

      The global expansion by the world's second-largest stock market has
      sharpened its competition with the largest, the New York Stock
      Exchange, which uses a traditional trading floor.
      Latest Cracker Caper: Nasdaq
      by Chris Oakes and Leander Kahney 
      11:30 a.m.  15.Sep.99.PDT
      Apparently following through on a threat earlier in the week, a cracking group called the United Loan Gunmen has attacked another major Web site. 
      But was the Nasdaq-AMEX stock site really attacked? And is that really bigger than cracking The New York Times' site? 
      Finally, to add to the intrigue, are the United Loan Gunmen the same people who called themselves Hacking for Girlies, which claimed responsibility
      for the Times' attack? 
      What is known is this: a high-profile information site was attacked in some way for a few minutes late Tuesday night. It appeared to be the latest in
      what has become a wave of Web site-cracking. 
      Visitors to domains hosting the news section of the Nasdaq-AMEX Web site were greeted by a mock news story boasting of the crack. The text
      attributed the break-in to the recently active hacker group the United Loan Gunmen. 
      "The Elite Computer Hacking group ULG [United Loan Gunmen] uprooted the Nasdaq Stock Market Web Site," the Nasdaq front page read. "... Their
      goal was to attempt to make stocks rise drastically, thus making all investors happy, hopefully ending with the investors putting bumper stickers on
      their Mercedez [sic] that say 'Thanks ULG!'" 
      Nasdaq denied any break-in. 
      "There's no evidence of an intrusion," said Nasdaq spokesman Scott Peterson. 
      The company said it wouldn't rule out the possibility until it had investigated its systems completely. 
      The crack was first tracked by Attrition, a security information group that monitors and archives cracks and site defacement. Attrition says it
      captured a browser image from the Nasdaq site early Wednesday, and said the pages showed clear evidence that the site had been breached. 
      "Nasdaq is still saying there's no evidence of intrusion -- but that's either because they don't want thousands of people who track the stock market
      each day to freak out or because [the crackers] are good at covering their tracks," said B.K. DeLong, a consultant and member of Attrition. 
      He said Attrition staffers visited the several host domains of the Nasdaq-AMEX site Tuesday evening after being notified of the crack around 9 p.m.
      PDT. The HTML behind the hacked page showed that the location of the intruding message had to be located at the actual Web site of Nasdaq,
      rather than a spoof site. 
      The motive in all these cases is almost always publicity for the group, said Peter Shipley, chief security architect for security firm KPMG. "The
      majority of Web hacks these days are by people trying to establish names for themselves." 
      He said it's the easiest -- and least respected -- path to notoriety in the hacker world. "One [path] is to do something shocking, the other is
      publish information -- write a good article for Phrack or 2600 [two highly regarded hacker publications]. 
      "The former is the route to quick glory rather than respect." 
      Regardless of the motivation, DeLong said ULG's communications indicate that they are expert crackers who know how to cover their tracks. 
      The recently established group also claimed responsibility for breaking into media-owned Web sites to post similar boasts on those homepages. Late
      Monday, the same group claimed it had cracked the site of self-styled gossip king Matt Drudge. 
      The latest incident only goes to show how easy Web page hacks are, Shipley said. 
      "You're dealing with a machine that's designed to have public access. So it's usually outside the firewall or at a co-locator's network, as opposed to
      one inside a secure internal network," Shipley said. 
      The message from the ULG also cited an email address at the domain for reaching the group. 
      Shipley said a lack of appropriate security measures -- a security team, regular security audits -- are behind most site hacks. But even when
      security is in place, the public nature of sites make them prime targets. The Nasdaq crack lasted only a few minutes, according to the Hacker News
      The United Loan Gunmen also praised the security news service, which distanced itself from the incident. Hacker News' editor, who calls himself
      Space Rogue, said following the Drudge crack that the United Loan Gunmen were reportedly planning another media-site attack that would be
      "bigger than NYT." 
      A source close to the hacking community said that the United Loan Gunmen are actually the same group as Hacking For Girlies, which last fall
      claimed responsibility for defacing the Web site of The New York Times. 
      "It's not ... any lame kiddie group under a new name, nor is it a new group just formed to take on the media," said the source. "The hacks were
      carried out by the same group in order to gain media attention." 
      Early last week, the United Loan Gunmen defaced the home page for C-SPAN. Last month, they defaced the Web site of the ABC television
      In Monday's attack, they added headlines to the Drudge site, including "Kevin Mitnick Still In Jail." 
      FBI officials in Maryland, where the Nasdaq site is based, couldn't be reached to confirm the possibility of an investigation. 
      Shipley said when the FBI does investigate such cases, their work is primarily "forensic," examining site logs that would show how the intruder broke
      in. Many sites don't maintain proper logs, which hinders any investigation. 
      In any case, it's highly unlikely the computers of the trading system itself would be at risk in such events. 
      It's equally unlikely that the crackers will be caught. 
      "It really depends on the person," Shipley said. "With proper efforts it would be very hard to catch the person. Anybody who would break in would
      relay their attack from various sites around the world. This causes a legal jurisdiction problem in tracing their path." 
      ZD Net
      'United Loan Gunmen' attack again
      By Robert Lemos, ZDNN
      September 15, 1999 11:22 AM PT
      Cyber vandals who recently hit a number of high-profile Web sites attacked again late Tuesday
      night, defacing the Nasdaq/AMEX Web home page.
      The group, which calls itself the "United Loan Gunmen," posted an obviously false story on the site
      for a short amount of time under the headline, "United Loan Gunmen take control of Nasdaq
      stock market."
      Despite claims in the story that the cybergang had "uprooted" the Web site, the only effects of the
      intrusion seemed to be defacing of the home page. 
      The Nasdaq site offers financial news and quotes.
      Up just a few minutes
      The phony page stayed up only a few minutes before Nasdaq's Web servers automatically
      detected and removed it, said B. K. DeLong, a staff member with security Web site
      Reports of the defacement initially appeared on, which obtained a screenshot of the
      modified site before Nasdaq's automatic measures cut in.
      Nasdaq officials could not confirm the intrusion at press time.
      "Our sites are working perfectly," said Scott Peterson, a spokesman for Nasdaq. "We have no
      evidence of intrusion at this time. However, we take all such allegations very seriously and we are
      investigating at this time."
      The United Loan Gunmen is a new group that has made a name for itself in recent weeks by
      defacing major sites, and leaking word of the defacements to The same group has
      claimed responsibility for hacks on sites including, C-SPAN and -- just this last
      Monday -- the Drudge Report.
      More details to follow.
      Reuters - Via Yahoo News
      Wednesday September 15 5:07 PM ET 

      Nasdaq Web Site Targeted By Hackers - Report
      By Jennifer Westhoven
      NEW YORK (Reuters) - The Web site for Nasdaq and the American Stock Exchange was reportedly attacked Wednesday by a hacker
      group calling itself the United Loan Gunmen, one day after the group sabotaged Internet gossip columnist Matt Drudge's Web site.
      The attack shortly after midnight was the latest in a recent wave of online graffiti sprayed on prominent media Web sites. It was reported by several news
      organizations, including Hacker News Network, which monitors hacking incidents and keeps an archive of ``cracked'' sites as they
      appeared after being vandalized.
      The hacked site could be found at, or
      Nasdaq, citing security reasons, said it would not confirm or deny whether its site had been cracked. ``The Nasdaq Web site is operational and secure, and we will
      continue to monitor our sites,'' said Nasdaq spokesman Scott Peterson.
      Hacker News Network said the United Loan Gunmen, or ULG, temporarily defaced a section of the Nasdaq site. ``Data integrity measures on the part of Nasdaq
      appear to have limited the impact the ULG had on the site, but the intrusion was nonetheless evident,'' Hacker News Network said.
      The group posted a computer ``screen shot,'' or picture, of the hacked Web page. However, the picture itself does not prove the site was defaced; it is relatively
      easy for skilled computer users to make a copy of a page and deface the copy.
      In the screen shot, the group said its goal was ``to attempt to make stocks rise drastically, thus making all investors happy, hopefully ending with the investors putting
      bumper stickers on their Mercedez' (sic) that say 'Thanks ULG!'
      ``Meanwhile, ULG members go back to flipping burgers at McDonalds,'' it said.
      The group also claimed it set up an e-mail address on the Nasdaq site. If that claim is true, it would show a deeper level of penetration into the system than just
      defacing a Web site, two computer experts said.
      The latest media site to get hit by the United Loan Gunmen was the Drudge Report, which was sabotaged briefly Monday,
      according to news reports.
      The masthead for the Drudge site was replaced with the message: ``United Loan Gunmen take control of Mike (sic) Drudge's data stockyard to once again show the
      world that this is the realm of the hacker,'' according to a mirror, or duplicate of the hacked page posted by Hacker News Network.
      Drudge, who is based in Los Angeles and also hosts weekly shows on cable television's Fox News Channel and on ABC radio, could not be reached for comment
      The attack on the Drudge site followed similar attacks on other high-profile media sites, including C-Span, ABC,
      Wired Online and ``The Jerry Springer Show''.
20.0  WebTV Hole Divulges User Info 
      From HNN
      contributed by Weld Pond 
      A security flaw in Microsoft's WebTV product could
      divulge user information such as the user ID. This
      information could then be used to change information
      about the account. WebTV accounts can only hold 150
      messages; once this limit was reached, bounce messages
      would include the customer's information. 

      ZD Net
      WebTV hole leaves users exposed
      By Lisa M. Bowman, ZDNN
      September 14, 1999 6:21 PM PT
      The account information of some WebTV customers could have ended up in the wrong hands, as
      a result of a security flaw in the set top box's software. 
      Microsoft Corp. (Nasdaq:MSFT), which owns WebTV, said Tuesday it has taken care of the
      flaw, which made it possible for malicious hackers to tinker with WebTV customers' accounts. 
      The problem occurred when an e-mail message sent to a WebTV user's mailbox was bounced
      back -- WebTV accounts can only hold about 150 messages and bounce back incoming e-mail
      messages when they are full. If the WebTV user had the spam filter activated, then the returned
      message would divulge the user's ID numbers to the sender -- in addition to the reason the e-mail
      was deflected. 
      As a result, those who knew about the flaw could gather a WebTV customer's account
      information by e-mail bombing the account -- without the customer ever knowing about the
      Net4TV duplicated flaw
      The glitch was first reported by Net4TV Voice, a publication of the interactive television
      consulting firm Iacta Inc. Net4TV Voice publisher Laura Buddine said some users notified her of
      the breach last week. In addition, she came across the flaw when some messages on the
      Net4TV mailing list were returned containing the user's account information. Eventually, she
      duplicated the problem. 
      Microsoft said it would be difficult for hackers to alter accounts once they had the IDs because
      they also would have to trick the WebTV user into issuing certain commands. 
      The security breach appears to be an iteration of a flaw that surfaced last November, when people
      began noticing that user ID numbers showed up in e-mails that had bounced back from WebTV
      The glitch became a system-wide problem a few weeks ago, when WebTV installed a new
      automatic spam filter, which is activated by default. After it discovered the flaw, Net4TV was
      urging people to turn off the spam filter. 
21.0  Bookshelf: "Hacking Exposed" Available Soon 
      From HNN

      contributed by Weld Pond 
      Osborne McGraw-Hill has published a new book by
      authors Stuart McClure and Joel Scambray entitled
      HACKING EXPOSED: Network Security Secrets and
      Solutions. McClure and Scambray are better known as
      columnists for InfoWorld's Security Watch column. This
      book is being billed as the ultimate resource for
      businesses needing a comprehensive plan to defend
      their network against the sneakiest hacks and latest
      attacks. Advanced reviews by leading security experts
      such as Marcus Ranum, Dr. Mudge, Simple Nomad, and
      Aleph One have all been extremely positive. 

      Internet Wire
      Hacking Exposed: Network Security Secrets and Solutions   

                                                    Technology News 
                                      HACKING EXPOSED
                         Network Security Experts Debut Just Released Book at N+I
      ATLANTA, GA -- (INTERNET WIRE) -- 09/13/99 -- Osborne McGraw-Hill, A Division of the McGraw-Hill Companies,
      today announced authors Stuart McClure and Joel Scambray will be signing copies of their just released book,
      HACKING EXPOSED: Network Security Secrets and Solutions, at Networld + Interop 99. 
      McClure and Scambray, Senior Manager and manager within the eSecurity Solutions Attack and Penetration Group
      at Ernst & Young, and columnists for InfoWorld's Security Watch column, have developed the ultimate resource for
      businesses needing a comprehensive plan to defend their network against the sneakiest hacks and latest attacks.
      With the dramatic growth of e-commerce, network security is one of the most important issues facing network
      administrators today -- Hacking Exposed: Network Security Secrets & Solutions shows network administrators how to
      hack into their system in order to protect it. 
      HACKING EXPOSED provides invaluable information on:
           Finding and fixing security holes in your network 
           Implementing security, auditing, and intrusion procedures 
           Providing the top hacks the authors use to test security systems 
           Outlining the top 15 vulnerabilities found on common networks
      Don't miss the first opportunity to purchase copies of this book (not yet available elsewhere) and to meet the authors
      in person at their signing! 
      DATE: Tuesday, September 14th 
      TIME: 12pm 
      PLACE: DigitalGuru Bookshop (Official N+I Bookstore) 
      To learn more about HACKING EXPOSED, receive a press copy, or to schedule an interview with the authors for
      Tuesday, September 14th, please call Jane Brownlow at 510-549-6690. 
      Background Information
      The Osborne Media Group is a leading publisher of computer books that include user and reference guides;
      best-selling series on computer certification; high level but practical titles on networking, communication, and
      programming; and the hottest titles on new web development tools. With its established strategic publishing
      relationships with Oracle, Corel, Global Knowledge, J.D. Edwards, and Intuit, the Osborne Media Group is targeting
      consumer support, emerging technologies, and innovative applications for developing future computer books. For
      more information visit 
      Contact: Jane Brownlow
     Voice: 510-549-6690 

22.0  Major Tech Companies Announce Security Plans 
      From HNN

      contributed by Code Kid 
      Intel, IBM, Compaq, Microsoft and Entrust have
      announced what they are claiming is an end-to-end
      security network solution. The announcement was made
      at Networld+Interop in Atlanta. The plan calls for IPSec
      products for PCs and servers, optimized for MS Win2000
      and chipsets from Intel which include the 82594ED
      network encryption processor. 

      The UK Register     
      Posted 14/09/99 6:46pm by Mike Magee

      Intel, PC giants announce network security plans
      Intel is announcing what it claims is an end-to-end security network solution, in
      conjunction with IBM, Compaq, Microsoft and Entrust. 
      The announcement, at Network+Interop in humid Atlanta, includes IPSec (Internet
      Protocol Security) products for PCs and servers, optimised for MS Win2000. 
      Compaq and IBM will also include this technology in their products, with the aim of
      keeping corporate networks safe. 
      The aim is to prevent access by individuals able to monitor Lan traffic. Intel claims that
      firewalls are not safe enough. 
      Part of the protection will be chipsets from Intel which include the 82594ED network
      encryption processor. This will be built into adaptors and other devices during the
      course of this year. 
      The device is intended to thwart crime within rather than without a corporate firewall. 

23.0  NIST To Offer Security Awareness Workshops 
      From HNN

      contributed by Code Kid 
      The National Institute of Standards and Technology
      (NIST) will be offering a series of workshops to help
      agencies and companies deal with the complexity of
      information security. The Computer System Security and
      Privacy Advisory Board, part of NIST, will design the
      workshops over the next few months with the first one
      to be held in the middle of next year. 

      Federal Computer Week    
      SEPTEMBER 14, 1999 . . . 15:45 EDT 

      NIST to offer workshops on security issues


      A government and industry advisory group today took the first steps to
      develop the metrics for a series of workshops to help agencies and companies
      deal with the complexity of protecting their computer systems and

      The Computer System Security and Privacy Advisory Board, a group at the
      National Institute of Standards and Technology, plans to design the focus and
      format of the workshops over the next few months.

      Concepts for the workshops range from measuring the progress of an
      organization's security measures to measuring the return on investment for
      specific security practices and products to provide a business case to

      The first workshops will be based on subjects that everyone agrees on are
      needed most, and the board will develop issues that can be addressed in the
      future, said Fran Nielsen, a member of NIST's Computer Security Division
      who is heading the workshop development effort.

      The board has been working on the idea of metrics workshops for
      government and industry security professionals since NIST director Ray
      Kammer encouraged them last year. The first workshop is planned to be held
      by mid-2000.

24.0  Yet Another Firewall 
      From HNN

      contributed by Code Kid 
      Novell has announced the Novell FireWall for NT, a
      directory-enabled Internet security solution. The new
      firewall integrates Internet security features with
      network bandwidth-management tools. The combination
      allows IS managers from small and medium-sized
      companies to prioritize critical traffic during peak
      network usage. 

      Info World   
      Novell bows toward NT with firewall solution 
      By Katherine Bull 
      InfoWorld Electric 
      Posted at 9:55 AM PT, Sep 14, 1999 
      ATLANTA -- Continuing its push toward supporting all aspects of Windows NT, Novell announced its Novell FireWall for NT here Tuesday at
      A directory-enabled Internet security solution, Novell FireWall for NT integrates Internet security features with network bandwidth-management tools. The
      combination allows IS managers from small and medium-sized companies to prioritize critical traffic during peak network usage, officials said. 
      "Users can do the bandwidth management and have the Internet security - all from one place in NDS," said Patti Dock, Novell's vice president of product
      The Novell Firewall for NT is based on technology Novell obtained through its acquisition of Ukiah Software in June 1999. 
      Dock said the product will ship in October, and claims that it is the first directory-enabled firewall product to run on NT. 
      Novell also announced Tuesday a partnership with IBM to provide an Internet Caching System. The partners will offer preconfigured caching appliance
      solutions based on the Novell Internet Caching System and IBM's Netfinity line of server hardware. 
      The caching appliances, which can be plugged into existing networks to speed access to frequently requested Web pages, will be available through authorized
      distributors of IBM and Novell. 
      In addition, Novell announced the availability of directory-enabled Netware Cluster Services for NetWare 5.0. Executives from Compaq, Dell,
      Hewlett-Packard, and IBM were on hand at the press conference to endorse the Novell strategy. 
      Compaq announced ProLiant Clusters for NetWare; Dell said it would offer Dell PowerEdge Server with NetWare Cluster Services; HP will provide its HP
      NetServer Family with NetWare Cluster Services; and IBM will provide its IBM Netfinity with NetWare Cluster Services. 
      Novell in Orem, Utah, is at 
      Katherine Bull is InfoWorld's news editor. 
25.0  HNN Announces Partnership With Security Focus 
      From HNN

      contributed by Space Rogue 
      We apologize for today's news being slightly delayed but
      we were busy working on a new script to bring you the
      latest in security files. HNN now lists the newest
      security related files from Security Focus. This list will
      be displayed in the left menu and will be dynamically
      updated so keep checking back for new listings. 

      Security Focus
26.0  The Search for ULG Begins
      From HNN
      ULG Attacks windows2000test  ULG != HFG 

      contributed by Space Rogue 
      With ABC, C-SPAN, Drudge, and NASDAQ behind them
      the ULG now has the FBI hot on their trail. NASDAQ has
      said that they have not found any evidence left behind
      from the intrusion, which will not give the FBI much to
      go on. The big question is will The United Loan Gunmen
      strike yet another high profile media site, or disappear
      quietly into cyberspace? 

      The United Loan Gunmen have also claimed to have
      broken into two boxes on the
      subnet last week. was
      established by Microsoft to invite people to test the
      security features of the next release of the operating
      system. By violating the rules set up by Microsoft ULG
      claims to have gotten access to two terminal servers
      on the same network as the target system. They say
      that they were then disconnected from the systems and
      their access was later blocked. HNN has been unable to
      confirm any of these allegations. (This information
      provided by a trusted third party who was contacted
      by ULG) 

      There have been a few rumors floating around the net
      that the United Loan Gunmen are actually the same as
      Hacking For Girlies. HFG claimed responsibility for
      defacing the NYT web site last year. Most of the
      'evidence' presented to support this rumor is purely
      circumstantial and in reality proves nothing. It is
      interesting to note that most of the sites attacked by HFG
      were UNIX based while ULG has only attacked NT
      systems. While this is not concrete evidence either, it
      does cast doubt on these rumors. 

      The staff of, in cooperation with HNN, have
      worked hard to create an accurate analysis and
      comparison of the few examples of HFG and ULG works.
      While this analysis is not actual proof it does make a
      very convincing argument that the two groups are not
      the same. 

      Graphics Comparison
      HTML Analysis

      HNN Cracked Pages Archive
      Attrition Mirror

      Associated Press - via USA Today
      ZD Net
      Reuters - Via Yahoo News
      CBS Market Watch   
      (See section on the NASDAQ site defacement for these articles)
      Hackers penetrate Nasdaq Web site

       By William L. Watts, CBS MarketWatch
       Last Update: 6:06 PM ET Sep 15, 1999
      WASHINGTON (CBS.MW) -- The hackers who attacked Web sites
      operated by C-Span and Matt Drudge struck again early Wednesday,
      temporarily defacing a section of the Nasdaq-Amex Web site.
      The group, which calls itself the "United Loan Gunmen," hacked the
      computer running the Nasdaq and Amex sites early Wednesday morning.
      The hackers attacked the news section of the sites, posting a
      self-congratulatory message on the successful hack.
      Nasdaq acquired the American Stock Exchange
      earlier this year.
      "The Nasdaq Web site is operational and secure.
      We will continue to monitor our Web sites to
      maintain their integrity," said Nasdaq spokesman
      Scott Peterson. He wouldn't elaborate on specifics
      of the attack nor whether law enforcement agencies
      had been called in to investigate.
      In their message, the hackers claimed to have set
      up an e-mail account on the Nasdaq computer
      system. If true, such a measure would represent a
      major violation of the system's security measures,
      security experts said.
      Peterson would neither confirm nor deny whether
      the hackers had established an e-mail account,
      repeating only that the incident had nothing to do
      with the exchange's trading system.
      In their message, the hackers said they "uprooted the Nasdaq Stock
      Market Web site" with the goal of making "stocks rise drastically, thus
      making all investors happy, hopefully ending with the investors putting
      bumper stickers on their Mercedez' (sic) that say 'Thanks ULG.'"
      Hacker News Network, a Web site that monitors hacking incidents, said
      data integrity measures put in place by Nasdaq appeared to have limited
      the impact of the short-lived attack.
      Carolyn Meinel, a computer security expert who operates the Happy
      Hacker Web site, said the hackers' claim to have set up an e-mail account
      is disturbing. If true, it would represent a serious security breach, she said.
      "When you see a Web site hacked, it's a good idea to assume that every
      single computer has been compromised," she said.
      The hacker group claimed responsibility for an attack earlier this week
      that defaced Internet gossip columnist Matt Drudge's Web site. The
      company also attacked C-span's site last week and the ABC site a few
      weeks before.  

      William L. Watts is a reporter for CBS MarketWatch. 
27.0  BO2K Discontinues US Distribution
      From HNN

      contributed by Netmask 
      The 'U.S. Only' version of BO2K along with the 3DES
      plugin, has been discontinued. The reason for this
      discontinuation was given as the high cost of
      maintaining the U.S.-only download server. There will
      now only be one version of BO2K available to anyone
      worldwide. If you want strong crypto there are
      numerous plug-ins available that were developed
      overseas and are therefore not subject to the draconian
      U.S. encryption export controls. 


28.0  Taiwan Increases Cyber Warfare Training 
      From HNN

      contributed by Space Rogue 
      A series of nine seminars focusing on computer
      security and virus prevention will be given by the
      Taiwanese Defense Ministry in an effort to increase the
      military's ability regarding electronic warfare. The
      Defense Ministry said that this was a direct result of the
      increased electronic threat from mainland China. 

      Inside China Today   
      Taiwan Steps Up Training For
      Electronic Warfare

      TAIPEI, Sep 14, 1999 -- (Agence France Presse)
      Taiwan has stepped up training of its military units to
      thwart any electronic warfare by rival China, officials
      said Tuesday.

      The defense ministry launched the first of nine
      seminars Tuesday "to beef up the military's ability
      regarding electronic warfare and to cope with the
      Chinese Communist threat," defense ministry
      spokesman Kung Fan-ding said.

      The seminars, focusing on communication security
      and computer virus prevention, aimed to "show the
      (ministry's) determination to ensure information
      security," said Kung.

      Several wargames held in China's Nanjing, Beijing
      and Lanzhou military districts since 1985 have focused on using electronic
      equipment to paralyze or destroy enemy computer and communications
      systems, the ministry noted.

      Last month Chinese computer hackers launched a cyber war to destroy the
      websites of several Taiwan government agencies venting their anger at
      Taiwan President Lee Teng-hui's provocative claim that the island's relations
      with Beijing were "state-to-state."

      Local hackers fought back posting Taiwan's national anthem and national flag
      on several Chinese government agencies websites.

      "Although the attacks by hackers did not ruin information systems here in
      sectors such as banking and stock market, the effect of the scare on the
      public might be far-reaching," warned General Tang Yao-ming, chief of the
      General Staff, at the opening of Tuesday's seminar.

      "We have to be cautious and should regard such events as the beginning of a
      potential electronic warfare," Tang said.

      Taipei-Beijing ties have hit the lowest level in the wake of Lee's remarks
      since 1996 when China lobbed ballistic missiles into the shipping lanes of
      Taiwan during the island's first direct presidential elections.

      Beijing has kept up a propaganda barrage against Lee describing him as a
      "historical sinner," trying to split the island from the motherland.

      Taiwan and the mainland were split in 1949 at the end of a civil war. ((c)
       1999 Agence France Presse) 

29.0  White House Set to Relax Crypto Export Controls 
      From HNN

      contributed by AlienPlague 
      The Clinton Administration is due to release by the end
      of the day Thursday recommendations on encryption
      export controls that are expected to suggest that
      current restrictions be eased. While agencies like the
      FBI have pushed to have encryption export controls
      tightened, it is reported that the President's Export
      Council Subcommittee on Encryption has advised the
      President to loosen the restrictions. 

      Info World  
      White House set to release crypto recommendations 
      By Nancy Weil 
      InfoWorld Electric 
      Posted at 11:02 AM PT, Sep 15, 1999 
      The Clinton Administration is due to release by the end of the day Thursday recommendations on encryption export controls that are expected to suggest
      that current restrictions be eased. 
      Members of a high-tech panel formed by U.S. Rep. Richard Gephardt, a Missouri Democrat, also are emphasizing the issue this week, sending a letter
      Tuesday to Clinton urging that he meet with them within the next week to discuss how best to make progress regarding encryption this year. 
      A presidential advisory committee, the President's Export Council Subcommittee on Encryption, passed its recommendations on to the White House in June
      and although that report has not been made public it has been widely reported to advise that encryption restrictions be loosened. 
      U.S. high-tech companies and some lawmakers have pushed for less-restrictive encryption laws, arguing that the current general prohibition on exportation of
      technology over 56 bits hurts vendors who cannot compete globally. However, the FBI and other law enforcement agencies argue that encryption
      restrictions should remain strong to keep encrypted data out of the hands of terrorists and other miscreants. 
      The subcommittee has recommended that restrictions be eased so that products and technology using 128-bit key encryption can be exported, according to
      the New York Times. 
      Gephardt's high-tech panel would likely welcome such a sweeping change. Along with Zoe Lofgren and Anna Eshoo, both Democrats from California,
      Gephardt is urging the administration to support the Security and Freedom Through Encryption (SAFE) Act (H.R. 850), under consideration by the House.
      SAFE would ease encryption export restrictions, but also addresses law-enforcement concerns. 
      "We recognize that opponents of H.R. 850, including several senior members of your Administration, have raised national security and law enforcement
      concerns regarding this legislation. While we respect these individuals and the expertise they bring to this debate, we believe that their opposition fails to fully
      appreciate how important strong encryption is to protecting the integrity of our national information infrastructure, ensuring the privacy of our citizens'
      personal communications over the Internet and enhancing the safety of their electronic commerce transactions," said the letter from the three lawmakers to
      "We must change our current encryption policy that needlessly places American companies behind the curve of technological advancements and international
      competition," they wrote. 
      Nancy Weil is a correspondent in the Boston bureau of the IDG News Service, an InfoWorld affiliate.
30.0  Crypto Compromise Reached 
      From HNN

      contributed by Dildog 
      As expected, the White House has relaxed U.S. controls
      on the export of data encryption technology. On the
      surface it would appear that the high-tech industry,
      Internet users, and privacy advocates have won the
      debate, arguing that the export rules hand the entire
      market to non-U.S. companies. But who really wins
      here? The only major change is that the export limit has
      been raised from 56-bit to 64-bit. Law Enforcement
      agencies have said that they will still push for Key
      escrow. And what will now become of the bill currently
      in the House, authored by Rep. Bob Goodlatte
      (R-Virginia), that would relax crypto exports even
      further? Was this announcement a preemptive strike by
      the Clinton Administration to take the steam out from
      under this bill? 

      White House moves to ease encryption limits 
      By Reuters
      Special to CNET
      September 16, 1999, 1:10 p.m. PT 
      WASHINGTON--President Clinton has decided to relax U.S. controls on the export of data encryption technology, a
      step long sought by the nation's computer industry and resisted by federal law enforcement officials.
      The move, which is to be announced later today, affects software and hardware and is intended to benefit the economy, preserve
      privacy, serve the national security interest, and protect law enforcement capabilities, said White House spokeswoman Nanda
      Once the realm of spies and generals, encryption has become an increasingly critical tool for securing e-commerce and global
      communications over the Internet. 
      Until now, the White House has tilted its export policy toward the needs of law enforcement and national security agencies, which
      fear strong encryption could be used by rogue nations and criminals to thwart U.S. surveillance. 
      But the high-technology industry, Internet users, and privacy groups appear finally to have won the debate, arguing that the export
      rules are simply handing a vast, international market to non-U.S. companies. 
      The announcement won't be without its detractors, though. 
      "This is going to be a severe blow to national security interests, and it is going to hurt law enforcement," said Stewart Baker,
      former general counsel to the National Security Agency. 
      But even Baker, a lawyer representing high-tech companies, said the change is inevitable, given the growing availability of
      encryption from non-U.S. companies. 
      "If they had delayed much longer, there was a real risk that large parts of the encryption technology would have moved offshore
      irretrievably," he said. 
      The change comes weeks ahead of an expected vote in the House of Representatives on legislation that would have gutted the
      existing export limits. The bill, authored by Rep. Bob Goodlatte (R-Virginia), was sponsored by more than half of the members of
      the House. 
      Industry officials welcome the change, which has been a major lobbying priority for years. 
      "It speaks very highly to their ability to see the writing on the wall and do exactly what they needed to do," said Lauren Hall, chief
      technology officer for the Software and Information Industry Association. 
      People who were briefed on the White House policy change said the new rules will largely abandon the case-by-case licensing
      approach that has applied to all but the weakest encryption products. 
      The slow and cumbersome licensing process has made it extremely difficult for U.S. companies such as Network Associates and
      RSA Security to sell their popular computer security products overseas. 
      And for makers of mass-market software, such as Microsoft and IBM, the rules have forced companies to weaken the security in
      Web browsers, email programs, and other products. 
      Under the new rules, such products with strong encryption features will undergo only a one-time review and then can be sold
      anywhere in the world--except to a handful of nations such as Libya and Iraq. 
      Exporters will have to report who bought the products, such as an overseas distributor, but not who the ultimate end-user is--an
      impossible requirement for programs sold in retail stores to millions of customers. 
      The administration's plan is also expected to ask for $500 million to beef up government computer security and additional funds to
      help law enforcement agencies deal with encrypted criminal communications. 
      Story Copyright 1999 Reuters Limited. All rights reserved.
      Decoding the Crypto Policy Change
      by Declan McCullagh 
      3:00 a.m.  17.Sep.99.PDT
      Why did the Clinton administration cave on crypto? What caused the nation's top generals and cops to back down this week after spending the
      better part of a decade warning Congress of the dangers of privacy-protecting encryption products? 
      Why would attorney general Janet Reno inexplicably change her mind and embrace overseas sales of encryption when as recently as July she
      warned Congress of the "rising threat from the criminal community of commercially available encryption?" 
      It can't simply be that tech firms were pressing forward this fall with a House floor vote to relax export rules. National security and law enforcement
      backers in the Senate could easily filibuster the measure. Besides, Clinton had threatened to veto it. 
      It could be the presidential ambitions of Vice President Gore, who just happened to be in Silicon Valley around the time of the White House press
      conference Thursday. Still, while tech CEOs can get angry over the antediluvian crypto regulations Gore has supported, they regard Y2K liability
      and Internet taxation as more important issues. 
      Another answer might lie in a little-noticed section of the legislation the White House has sent to Congress. It says that during civil cases or
      criminal prosecutions, the Feds can use decrypted evidence in court without revealing how they descrambled it. 
      "The court shall enter such orders and take such other action as may be necessary and appropriate to preserve the confidentiality of the technique
      used by the governmental entity," Section 2716 of the proposed Cyberspace Electronic Security Act says. 
      There are a few explanations. The most obvious one goes as follows: Encryption programs, like other software, can be buggy. The US National
      Security Agency and other supersecret federal codebreakers have the billion-dollar budgets and hyper-smart analysts needed to unearth the bugs
      that are lurking in commercial products. (As recent events have shown, Microsoft Windows and Hotmail have as many security holes as a sieve
      after an encounter with a 12-gauge shotgun.) 
      If the Clinton crypto proposal became law, the codebreakers' knowledge could be used to decipher communications or introduce decrypted
      messages during a trial. 
      "Most crypto products are insecure. They have bugs. They have them all the time. The NSA and the FBI will be working even harder to find them,"
      says John Gilmore, a veteran programmer and board member of the Electronic Frontier Foundation. 
      Providing additional evidence for that view are Reno's comments on Thursday. When asked why she signed onto a deal that didn't seem to provide
      many obvious benefits to law enforcement, she had a ready response. 
      "[The bill covers] the protection of methods used so that ... we will not have to reveal them in one matter and be prevented, therefore, from using
      them in the next matter that comes along," the attorney general said. 
      Funding for codebreaking and uncovering security holes also gets a boost. The White House has recommended US$80 million be allocated to an FBI
      technical center that it says will let police respond "to the increasing use of encryption by criminals." 
      Another reason for the sea change on crypto is decidedly more conspiratorial. But it has backers among civil libertarians and a former NSA analyst
      who told Wired News the explanation was "likely." 
      It says that since the feds will continue to have control of legal encryption exports, and since they can stall a license application for years and
      cost a company millions in lost sales, the US government has a sizeable amount of leverage. The Commerce Department and NSA could simply
      pressure a firm to insert flaws into its encryption products with a back door for someone who knows how to pick the lock. 
      Under the current and proposed new regulations, the NSA conducts a technical analysis of the product a company wishes to export. According to
      cryptographers who have experienced the process, it usually takes a few months and involves face-to-face meetings with NSA officials. 
      "This may be a recipe for government-industry collusion, to build back doors into encryption products," says David Sobel, general counsel for the
      Electronic Privacy Information Center and a veteran litigator. 
      Sobel points to another part of the proposed law to bolster his claim: It says any such information that a company whispers to the Feds will remain
      That section "generally prohibits the government from disclosing trade secrets disclosed to it [by a company] to assist it in obtaining access to
      information protected by encryption," according to a summary prepared by the administration. 
      Is there precedent? You bet. Just this month, a debate flared over whether or not Microsoft put a back door in Windows granting the NSA secret
      access to computers that run the operating system. 
      While that widespread speculation has not been confirmed, other NSA back doors have been. 
      In the 1982 book The Puzzle Palace, author James Bamford showed how the agency's predecessor in 1945 coerced Western Union, RCA, and ITT
      Communications to turn over telegraph traffic to the feds. 
      "Cooperation may be expected for the complete intercept coverage of this material," an internal agency memo said. ITT and RCA gave the
      government full access, while Western Union limited the number of messages it handed over. The arrangement, according to Bamford, lasted at
      least two decades. 
      In 1995, The Baltimore Sun reported that for decades NSA had rigged the encryption products of Crypto AG, a Swiss firm, so US eavesdroppers
      could easily break their codes. 
      The six-part story, based on interviews with former employees and company documents, said Crypto AG sold its security products to some 120
      countries, including prime US intelligence targets such as Iran, Iraq, Libya, and Yugoslavia. Crypto AG disputed the allegation. 
      "It's a popular practice. It has long historical roots," says EFF's Gilmore. "There's a very long history of [the NSA] going quietly to some ex-military
      guy who happens to run the company and say, 'You could do your country a big favor if...'" 
      Could the security flaw be detected? Probably not, said Gilmore, who during a previous job paid a programmer to spend months disassembling parts
      of Adobe's PostScript interpreter. "Reverse engineering is real work. The average company would rather pay an engineer to build a product rather
      than tear apart a competitor's."
31.0  Network Solutions Screws Up 
      From HNN

      contributed by McIntyre 
      Network Solutions attempted to offer a free email
      service to all of its customers yesterday. Unfortunately
      they totally screwed up the implementation. First, the
      default passwords on these accounts were relatively
      simple and easily guessable. Second, they emailed those
      passwords in the clear to their customers. Third, they
      made it almost impossible to remove yourself from their
      spam list. If you did opt to remove yourself you would
      no longer receive real info from Network Solutions about
      your domains. It is unknown what Network Solutions has
      done to rectify this situation but the free email site is
      not currently open. 

      Attrition - Security Advisory
      NSI makes free e-mail security blunder 
      By Sean Dugan 
      InfoWorld Electric 
      Posted at 12:00 PM PT, Sep 16, 1999 
      Network Solutions Inc. (NSI) discovered that no good deed goes unpunished
      this week, when its attempt to offer a free e-mail service backfired with
      a significant security problem. 
      NSI, the company that assigns and manages Internet domain names, recently
      launched a new Web site ( and an accompanying free e-mail
      service, similar to that offered by Yahoo and Microsoft Hotmail. Through
      the service, called "Dot Com Now Mail," NSI offered free e-mail accounts 
      for all those who registered domain names. 
      However, as it turns out, nearly anyone, including unauthorized users, 
      could sign up to use a domain registrant's e-mail account -- thanks to badly
      configured default security. 
      NSI set up the e-mail accounts for registrants using the convention 
      "domainid" for log-in, and "domainidnsi" for the password. InfoWorld on 
      Wednesday confirmed that anyone who knows a domain name could access the
      free e-mail account before the legitimate owner did. In doing so, the 
      unauthorized user could change the password and effectively lock legitimate
      users out. 
      Additionally, the accounts were set up using the domain registrant's last
      name, with the password "lastnamenai" convention, which makes them subject
      to the same problem -- if an unauthorized user knows a registrant's last 
      name, they gain access to the e-mail account. 
      NSI could not be reached for comment Thursday. 
      As of 2 p.m. Eastern time Thursday, the NSI Web site was 
      redirecting users to NSI's home site at 
      Sean Dugan is InfoWorld's senior research editor. 
      attrition advisory #001

      September 16, 1999 - "NSI are morons"
      Vulnerability: Due to Network Solutions (NSI) unsolicited email, practical
                     monopoly on domain registration, and their own stupidity,
                     all NSI "customers" are at risk. Two vulnerabilities have
                     been identified at this time, "stupidity" and "blackmail"
      Vendor Status: NSI was contacted and made aware of this issue on Wed, 15
                     Sep. Due to past lack of correspondence, no reply is
      Impact: Any NSI customer is vulnerable to a wide variety of social
              engineering attacks stemming from a "service" being forced upon
              them by NSI. NSI customers must continue to receive unsolicited
              spam at the threat of losing service from NSI.
      Details >-------------------------------------------------------------------
      Beginning mid September, NSI began spamming their 'customers' with the
      mail regarding "Important information about your domain name account". For
      anyone who has registered a domain via NSI, you are likely to be targeted
      and potentially affected by this security threat. 
      NSI's mail goes on to offer all domain holders a free "dot com" email
      service. This web based email is akin to Hotmail or any of the other free
      mail services out there.  Unfortunately, NSI makes two mistakes. 
         1. As a domain holder, you are not given a choice in receiving this
            account. Further, NSI sends you the login name and password, via
            email, with no encryption or other means of protection or
            verification. Here is a sample from the mail I received. (Yes, my
            password was changed). 
           "3. Lastly, we are pleased to offer you a FREE e-mail account using
            our new dot com now mail service. Because it's Web-based, you can
            use it in the office, at home or on the road. You'll need the
            following information to set up your account:
                       >>>>>>>>>>>>Login name:  jericho
                       >>>>>>>>>>>>Password:    jerichonsi"
         2. As you can probably guess, the login name and password are quite
            easily guessed. Examining my domain:
              Forced Attrition (ATTRITION2-DOM)
                 Administrative Contact, Technical Contact, Zone Contact:
                    Jericho, T  (TJ2573)  jericho@DIMENSIONAL.COM
                    602.347.0028 (FAX) private
            By using the last name as the "login name", and "last name+nsi"
            as the password, it is trivial to log into the 'dot com' mail
            service and pose as the legitimate owner of the domain.
      The last paragraph of the unsolicited mail reads:
         "If you do not wish to receive e-mail from Network Solutions, click on
          this e-mail address  and type
          "remove" in the subject line. PLEASE NOTE: by opting to be removed
          from this list we will not be able to communicate to you, in
          real-time, on issues regarding your account." 
      This is a clear case of blackmail on NSI's part. By clicking on the link,
      they inform you that no further updates will reach you regarding your
      domain. This means that you must suffer under their unethical ways and
      receive their spam if you wish to receive mail about your registered
      domain that you paid for. 
      Reference >-----------------------------------------------------------------
      Here is the full text of the mail for reference. Use this to alert others and
      watch for blatant spam by NSI.
      Date: Wed, 15 Sep 1999 21:00:29 -0400
      From: Network Solutions
      To: "T Jericho" 
      Reply-To: Network Solutions
      Subject: Important information about your domain name account
      Dear T Jericho,
      As a customer of Network Solutions or one of our Premier Program members,
      we'd like to update you on three important items: 
      1. On September 18, 1999, Network Solutions plans to move to a new
      Web-based prepayment process for registering domain names.  At that point,
      we will no longer accept NEW registrations without payment in full at time
      of registration.  This new online payment method gives customers the
      convenience of payment by credit card. THIS CHANGE DOES NOT AFFECT YOUR
      If you register ten or more domain names per month, you could be eligible
      for Network Solutions' Affiliates or Business Account Programs. Under
      these programs, you may qualify to continue receiving invoices for domain
      name registrations.  To be eligible, you must apply at or 
      2. Because you registered your domain name with us, your company has
      received a FREE listing in the NEW dot com directory.  We believe the dot
      com directory gives you a unique competitive advantage, enabling potential
      customers to find and do business with you.  Search the directory for your
      own business to see how easy it is!  Go to
      to find your business.  You can also click on "Update Your Listing" to
      search for and verify your company information. 
      3. Lastly, we are pleased to offer you a FREE e-mail account using our new
      dot com now mail service.  Because it's Web-based, you can use it in the
      office, at home or on the road. You'll need the following information to
      set up your account: 
       >>>>>>>>>>>>Login name:  jericho
       >>>>>>>>>>>>Password:    jerichonsi
      Please visit to review all the
      features of dot com now mail and set up your account. 
      Thank you for choosing Network Solutions to launch and develop your
      Internet identity.  We look forward to serving you for many years to come. 
      Network Solutions, Inc.  the dot com people
      Copyright 1999 Network Solutions, Inc.  Network Solutions is a registered
      trademark.  The following are trademarks of Network Solutions, Inc.: the
      dot com people; dot com directory; dot com now mail.  All rights reserved. 
      If you do not wish to receive e-mail from Network Solutions, click on this
      e-mail address  and type "remove" in the
      subject line. PLEASE NOTE: by opting to be removed from this list we will
      not be able to communicate to you, in real-time, on issues regarding your
      (c)opyright 1999, Brian Martin. Permission granted to reprint this
      advisory in full for any non-profit purpose.
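
The flaw reported in the InfoWorld article and the attrition advisory above is an initial password built from a public identifier plus a short fixed suffix (login "jericho", password "jerichonsi"). As an added example, not code from NSI, InfoWorld or attrition.org, this Python sketch shows a provisioning-side audit that flags such passwords and issues a random initial password instead; the account records, field names, function names and the residual threshold are constructed assumptions.

```python
import secrets
import string

# Assumption: a password is "derived" when removing one public token from it
# leaves at most this many characters ("jerichonsi" - "jericho" leaves "nsi").
MAX_RESIDUAL = 4
MIN_TOKEN_LEN = 3  # ignore initials and other very short public fields

# Public fields an outsider can read from a registration record (assumed names).
PUBLIC_FIELDS = ("login", "last_name", "domain")


def public_tokens(account):
    """Lowercase tokens anyone can learn about the account holder."""
    tokens = set()
    for field in PUBLIC_FIELDS:
        value = account.get(field, "").lower()
        if not value:
            continue
        tokens.add(value)
        tokens.add(value.split(".")[0])  # "example.com" also yields "example"
    return {t for t in tokens if len(t) >= MIN_TOKEN_LEN}


def derived_from_public(password, account, max_residual=MAX_RESIDUAL):
    """Return the public token the password is built around, or None."""
    pw = password.lower()
    # Longest token first so the most specific match is reported.
    for token in sorted(public_tokens(account), key=lambda t: (-len(t), t)):
        if token in pw and len(pw) - len(token) <= max_residual:
            return token
    return None


def audit(accounts):
    """List (login, token) for every account whose initial password is derivable."""
    findings = []
    for account in accounts:
        token = derived_from_public(account["initial_password"], account)
        if token is not None:
            findings.append((account["login"], token))
    return findings


def issue_initial_password(length=20):
    """Random initial password from a CSPRNG; nothing in it depends on the account."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def provision(account):
    """Create credentials that pass the audit and must be changed at first login."""
    password = issue_initial_password()
    while derived_from_public(password, account) is not None:
        password = issue_initial_password()
    return {"login": account["login"], "initial_password": password,
            "must_change": True}


# Constructed sample records. The first reuses the login/password pair quoted
# in the advisory; the domains and the other two accounts are made up.
ACCOUNTS = [
    {"login": "jericho", "last_name": "Jericho", "domain": "example.com",
     "initial_password": "jerichonsi"},
    {"login": "asmith", "last_name": "Smith", "domain": "example.org",
     "initial_password": "smithnsi"},
    {"login": "bwong", "last_name": "Wong", "domain": "example.net",
     "initial_password": "q8Vr2mZp0LxKc4Wd"},
]

if __name__ == "__main__":
    for login, token in audit(ACCOUNTS):
        print(f"{login}: initial password derivable from public token '{token}'")
    print(provision(ACCOUNTS[0]))
```

A random initial password only helps if it also reaches the user over a channel that is not plain e-mail, the second mistake the advisory lists.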

32.0  Feds Approve GPS Tracking 
      From HNN

      contributed by TurTleX 
      The US Federal Communications Commission agreed on
      Wednesday to allow cellular telephone companies to
      include GPS technology in their phones. Some uses for
      this will be to help lost travelers or provide directions to
      a destination. The primary reason for this, however, is
      to pinpoint 911 callers for emergency services. (Those
      of us who are a little paranoid see a few other possible
      uses. Glad I don't have a cell phone.) 

      Feds OK Cell Phone Tracking
      by Joanna Glasner 
      3:00 a.m.  16.Sep.99.PDT
      Cell phone users of the future may never have to get lost or deal with the
      embarrassment of asking for directions. But if they ever need help, police 
      and paramedics won't have trouble tracking them down. 
      On Wednesday, the US Federal Communications Commission agreed to allow mobile
      phone companies to distribute handsets equipped with global positioning 
      satellite, or GPS, technology that pinpoints the location from which a call 
      is made. 
      FCC officials said GPS-equipped handsets will help authorities get to the
      scene of emergencies faster by tracing the source of 911 calls from mobile
      phones. Currently, police and paramedics don't always arrive at the scene as
      fast as they might without detailed information about a wireless caller's
      Manufacturers said the technology could also have commercial uses, like
      providing directions to drivers or access to local Yellow Pages. 
      GPS technology, which uses an embedded device in a handset to transmit 
      location information to a satellite, is one of two main technologies used
      for tracking the source of mobile phone calls. 
      Cellular providers can also derive location information by triangulating the
      location of the base station and antenna nearest to the caller. 
      But technologies for placing the location of cell phones have raised the 
      hackles of privacy advocates, who say the technology can be used to track
      users without their consent. 
      Advocates of the GPS system argue users can avoid surveillance by switching 
      off their GPS units. 
      Steve Poizner, chief executive of SnapTrack, a company that develops GPS 
      systems for wireless handsets, said many carriers are leaning toward the 
      satellite technology. Getting FCC approval was the last major hurdle in the 
      way of a commercial launch. 
      "Everyone has had a wait-and-see posture," Poizner said. "We expect to see
      pretty rapid deployment now." 
      The company is planning its first commercial rollout in Japan later this year, 
      and hopes to launch in the United States in the second half of 2000. 
33.0  Student Sentenced to Five Weeks 
      From HNN

      contributed by Code Kid 
      Four students of North View Secondary in Singapore
      shoulder surfed a password from a teacher two years
      ago. Some of those students then used that password
      for their own use. One student, no longer in school, has
      been sentenced to five weeks in jail, another is awaiting

      The Straits Times
      Students stole Net password in class 

      One of them gave the password to a friend, so that
      the friend could access the Internet on the school's

      FOUR students of North View Secondary peeped over
      a teacher's shoulder when he was logging on to the
      Internet two years ago, and memorised the password
      for their own use. 

      One student also gave the password to a friend, so that
      the friend could access the Internet on the school's

      All of them are no longer at the school. 

      Yesterday, one of the students involved, and the youth
      who was given the password admitted securing
      unauthorised access to a computer account. 

      The youth, NSman Koh Chee Siang, 20, was sentenced
      to five weeks in prison. 

      One of the students who got hold of the password,
      Adam Cheang Mohamed Khairi, 17, will be sentenced
      on Wednesday. Cheang first stole the password and
      used it himself. 

      After the passwords were changed, he conspired with
      three others to steal a new password. 

      Deputy Public Prosecutor Christopher Ong told the
      court yesterday that in 1996, the head of North View's
      information technology department, Mr David Chia
      Hock Boon, had applied to subscribe to three Internet
      accounts for the school. 

      Two would be used by students and one would be used
      by staff. 

      The students did not have free access to these accounts.

      They had to ask Mr Chia for permission. Then he would
      personally enter the password and log in, and let them
      use the computer. 

      In November 1996, Cheang requested permission. 

      Mr Chia agreed and logged on to one account. 

      Cheang peeped over Mr Chia's shoulder and
      memorised the password used. 

      He then made use of the account on several other
      occasions to access the Internet. 

      In January 1997, Mr Chia changed the password for all
      three of the school accounts. 

      About a week later, Cheang conspired with three other
      North View students to get the new password by the
      same method. 

      One of them then gave the password to Koh, a former
      North View student, who used it to access the Internet. 

      In mitigation yesterday, Koh's counsel said that his client
      started on Internet relay chat in 1996, when he first
      became a subscriber. 

      A year later, Koh told his friend, one of Cheang's
      accomplices, that he had stopped going on IRC because
      it was getting too expensive. That friend then gave him
      North View's password so that he would not have to
      pay for Internet access, the lawyer added. 

      He asked the court to be lenient with Koh, saying his
      client had used the password illegally only to chat with
      his friends, and not for illegal purposes. 

      The cases of the other two boys allegedly involved in
      this incident will be mentioned on Wednesday and
      another is expected to be dealt with on Sept 30. 


      Koh Chee Siang, 20, was given the password for North
      View Secondary's Internet account by a friend. 

      Koh had told the friend that he had stopped going on
      IRC chats because it was getting too expensive. 

      Koh, a former North View student, was sentenced to
      five weeks in prison. 
34.0  Stupid Mistakes Worse than Viruses 
      From HNN

      contributed by Code Kid 
      A poll of 300 Microsoft Windows NT administrators found
      that 88 percent claimed accidental deletions of
      computer files by in-house workers caused more
      problems than viruses. Only 3 percent of the
      administrators said viruses were a major problem. 

      Chicago Tribune   "/article/0,2669,ART-34595,FF.html
      Electronic data loss:
      malice or missteps? 

      By Darnell Little 
      Tribune Staff Writer 
      September 17, 1999 

      Worried about computer viruses like Toadie, ExploreZip and
      Melissa? Maybe you shouldn't be. When it comes to electronic
      data loss, malicious viruses are no match for the daily
      missteps of average computer users, according to a
      recent poll. 

      Out of the 300 Microsoft Windows NT administrators
      surveyed in the study, 88 percent said accidental
      deletions of computer files by in-house workers caused
      most of their headaches, while only 3 percent said
      viruses were a major problem. 

      "There is a tremendous amount of media coverage on
      viruses and the amount of damage that viruses can
      cause, but even in some of the oldest studies that I've
      pulled up, viruses only account for 3 to 7 percent of all
      data loss," said Phil Proffit, director of research for
      Broadcasters Network International, the
      California-based market research firm that conducted
      the study earlier this summer. 

      "I can understand why the media covers viruses so
      much, it's a sexy topic," Proffit said. "And yet there is
      this vastly larger amount of data and productivity being
      lost due to accidental deletions. If we try to place a
      dollar value on it, it would just be billions and billions of
      dollars being lost in terms of productivity." 

      The poll focused only on Windows NT because of the
      operating system's growing popularity among business
      users and because there is a general belief among system
      administrators that Windows users are less technically
      adept than users on other operating systems, according
      to Proffit. 

      "Unix users tend to be better educated than NT users,"
      he said. "And uneducated users are the single largest
      source of accidental deletions. It's just that on
      Unix-based systems, either the system administrators
      have been more clever about how they protect certain
      critical files on servers or the users themselves tend to be
      a bit more educated on exactly what the program can
      and can't do. 

      "This isn't to say that educated users aren't making
      mistakes. But the uneducated user is a greater risk on
      NT systems because they have the Recycle Bin sitting
      there and they think, 'Great, if I make a deletion it's
      caught, it's not a big deal.'" 

      Microsoft's Recycle Bin, however, doesn't provide
      equal protection to every type of computer file on a
      network system. If a Windows user deletes a file on a
      local hard drive, the file goes into the Recycle Bin and
      stays there until the user manually empties the Bin. Until
      the Bin is emptied, all deleted files in the Bin can be
      easily recovered. 

      But data deleted from within an application program or
      files deleted from a network drive don't go into the
      Recycle Bin, and many NT users learn this fact the hard
      way, Proffit said. 

      "I also found an amazing degree of ignorance about
      programs that would handle accidental deletions on NT
      networks," he said. "Many people are unaware of
      utilities from Symantec or Executive Software that could
      help un-delete files. 

      "A lot of people rely on tape backups, but trying to find
      the tape backup that might contain some version of the
      file that was deleted is a bit like jumping into the space
      shuttle to go to the grocery store. It's just a tremendous
      amount of work, and in many cases we found that a lot
      of times the backups failed." 

      The susceptibility of NT networks to accidental data
      loss is the shared fault of both NT administrators and
      Microsoft, according to Antony Chen, vice president of
      Advantage Consulting and Technologies in Ann Arbor,

      "People who are running Windows environments just
      don't seem to educate their users enough about the type
      of power they wield and how not to step on their own
      feet," Chen said. "So you end up with user madness,
      they just don't know any better. They go and delete stuff
      and they empty the Recycle Bin and they just don't think
      about it." 

      But Microsoft contributes to the problem in the way that
      NT systems are designed to be set up, Chen said. 

      "When you create a new file system in Unix, it basically
      gives all the users no rights whatsoever and you actually
      have to install the rights. In NT, it's the other way
      around. Everyone has got access to everything and then
      you've got to lock it down." 

      Although the Unix method is more work, it forces the
      system administrator to manually give the appropriate
      access privileges to each user, Chen said. Unfortunately,
      since NT administrators can skip this step, many do and
      NT users often end up with more usage rights than they
      really should have. 

      "(Microsoft) thinks that, at first, you should just give
      everyone access to everything. The problem with that is
      it creates data-loss situations," Chen said. 

      Accidental data loss can, however, happen quite
      frequently on other operating systems besides NT,
      according to Edward Garcia, the management
      information systems manager for Datalogics, a
      Chicago-based publishing software firm. 

      Garcia manages more than a dozen different operating
      systems at Datalogics, and he's seen even vaunted Unix
      users destroy data through careless mistakes. 

      "People will issue command line commands and forget
      where they are in terms of directory structure," Garcia
      said. "So they do a delete *.* and they wind up deleting
      their whole home directory. That's basically where most
      of our restores happen. I'm surprised it doesn't happen

      "Or you do a copy command on a Unix system, and
      there's something that already exists with the same name
      in the location you're copying to. Unix doesn't ask if you
      are sure you want to overwrite it, it just does it." 

      Datalogics also suffers from too many users having too
      much access to network drives and files, Garcia said.
      But having a nearly wide-open system was a corporate
      decision, not a technical one. 

      "It's kind of crazy, but we feel -- at least the
      management feels -- that it's not worth it to risk
      hindering somebody from getting their job done as a
      result of security. I cringed when I first heard that, but
      we're kind of wide open here. And that's where
      inadvertent mistakes such as deletions really come back
      to haunt you, because somebody shouldn't have the
      rights to delete an entire shared folder. But because we
      like to leave it open that type of a situation happens." 

      But of all the issues confronting Garcia as a manager of
      multiple networks, he says viruses barely qualify as a
      minor nuisance. 

      "I've lost zero data as a result of viruses. I have never
      been bit by a virus so badly that an anti-virus software
      package couldn't fix it for me." 

35.0  'Hackers' Equal Global Terrorists In '23' 
      From HNN

      contributed by Weld Pond 
      A new movie by Hans-Christian Schmid entitled '23' uses
      the stereotypical, media perpetuated image of the
      'hacker' as a small-time gangster and global terrorist.
      Supposedly based on true events, "23" details how two
      anti-nuclear protesters break into computers, steal data
      and later sell it to the KGB. (Yeah, I'll wait in line to see
      this drivel.) 

      The Boston Phoenix   

      Why have so many notorious political assassinations or elections
      occurred on the 23rd of the month? Why do Masonic symbols appear
      on US currency? Why is information more important than wealth? 
      Hans-Christian Schmid's German thriller makes clever use of the
      writings of Robert Anton Wilson, whose Illuminatus trilogy explores
      the web of secret societies that rule the world as we know it.
      Karl Koch and his pal David are 19 years old in 1985: phone phreaks
      and computer hackers involved with anti-nuclear protesters. They meet
      a couple of small-time gangsters who arrange to sell their information
      to the KGB. Drunk on power, high on drugs, and obsessed with conspiracy
      theory, Karl and David take to their life of cyber-crime like ducks to
      water. Later a TV network wants to buy their story, and Karl, who has 
      become a coke and speed addict, manages to hack into the security system
      of a nuclear facility. But he's being followed by cops, and he's 
      increasingly paranoid and out of touch with reality, seeing occult 
      significance in news headlines and secret agents around every corner.
      Remember the '80s? People snorted coke on dashboards, Reagan sold 
      weapons to Qaddafi, computers were as big as fridges, and a small
      brotherhood of geeks with PCs infiltrated the political and economic
      infrastructure. Based on true events, "23" follows the maze of discovery
      that made hackers into global terrorists and suggests a terrifying 
      explanation for the Chernobyl disaster. Using lots of claustrophobic
      slow motion and fuzzed edges, Schmid crafts a slice of history so surreal
      it seems a fairy tale -- and so plausible it must surely be our future. 
                                                                   -- Peg Aloi
      From Help Net Security
      by Thejian, Saturday 18th September 1999 on 2:30 am CET
      A super stealthy software covertly monitors all keyboard and application activity, then
      invisibly e-mails a detailed report to the employees' boss. The newly upgraded
      software, Investigator 2.0 from WinWhatWhere, runs silently, unseen by the end-user
      as it gathers exacting details on every keystroke touched, every menu item clicked,
      all the entries into a chat room, every instant message sent and all e-commerce
      transactions. While it bolsters IT's ability to monitor workplace computer usage, it
      troubles privacy advocates who are claiming that workplace electronic monitoring
      calls out for new privacy legislations. Story.       
      Stealth Software Rankles Privacy
      (09/17/99, 5:19 p.m. ET)
      By Stuart Glascock, TechWeb 

      A super stealthy software covertly monitors
      all keyboard and application activity, then
      invisibly e-mails a detailed report to the
      employees' boss. While it bolsters IT's
      ability to monitor workplace computer
      usage, it troubles privacy advocates. 

      The newly upgraded software, Investigator 2.0 from
      WinWhatWhere, runs silently, unseen by the end-user
      as it gathers exacting details on every keystroke
      touched, every menu item clicked, all the entries into a
      chat room, every instant message sent and all
      e-commerce transactions. 

      "You get shocking detail," said Richard Eaton, president
      of WinWhatWhere, in Kennewick, Wash. 

      In one client case, a large grocery store chain suspected
      an employee was wrongfully taking information.
      Management installed the software and discovered the
      suspect employee was saving accounting information
      onto a diskette. In other cases, employees have been
      busted for taking client lists and sales leads. 

      WinWhatWhere customers have included sensitive
      government agencies, private investigators, a trucking
      company, a tool and die company, a penitentiary, a
      dentist, and several libraries. Specific customers have
      included the U.S. State Department, the U.S. Mint in
      Denver, Exxon, Delta Airlines, Ernst & Young, the U.S.
      Department of Veteran Affairs, and Lockheed Martin. 

      "People buying it the most are people in corporations
      who need it because they suspect something is going on
      in a department, so they put on a computer for a small
      amount of time," Eaton said. 

      While it may sound Orwellian, electronic monitoring can serve
      a purpose, said Jan Kallberg, chief operating officer of
      CyberDefense, a New York company specializing in
      protecting corporate digital

      "It can be a good thing if the rules are set and everybody
      knows the policies, then it eliminates the risk that
      someone gets blamed who is without any guilt," he said.

      It is not surprising that major employers are concerned
      about employee computer use, but monitoring all their
      keystrokes is frightening, said Lou Maltby, ACLU
      director of employment rights. 

      "Employers who practice this kind of monitoring don't
      have a clue as to what they are getting into," Maltby
      said. "People now turn to the Web for all kinds of
      information, including information about the most
      sensitive personal issues imaginable. If you are a
      member of [Alcoholics Anonymous], 20 years ago, you
      went to a meeting. Today, you are just as likely to talk
      to your support group over the Web. The same is true
      for incest survivors and people who are HIV positive. If
      you want to pry into your employees' deepest, darkest
      secrets, there couldn't be a better way." 

      Workplace electronic monitoring calls out for new
      privacy legislation, Maltby said, adding it is illegal for
      employers to listen in on an employee's telephone call to
      a spouse. But the same conversation over e-mail could
      be read and posted on a bulletin board. No legislation
      to address the issue is currently pending. 

      Privacy concerns aside, most corporations need
      protection, and not just from people who are hacking
      into their network, but from people working inside the
      firewall, Eaton said. 

      "If it is used incorrectly it is horrible," Eaton said. "If you
      put it on with no suspicion or reason, that's wrong. But
      if you suspect something is going on your equipment,
      you have every right to do this." 

      Pricing runs from $99 for a single user to $5,500 for
      site licensing.  
      From Help Net Security
      by Thejian, Friday 17th September 1999 on 8:30 pm CET
      UK company Sophos has laid into arch anti-virus rivals Network Associates and
      Symantec for "virus scaremongering". Sophos, quoting recent statements by
      colleagues Network Associates and Symantec, warned that with many businesses
      deeply concerned about Y2K, confusing statements from anti-virus companies
      trivialise the virus issue and damage the credibility of the industry as a whole. 
      17 September 1999
      Too much virus scaremongering, says
      by Jo Pettitt, VNU Newswire 

      Anti-virus vendors are falling into yet another
      spat, this time about whether the millennium
      poses a severely increased risk of virus

      UK company Sophos has laid into arch
      anti-virus rivals Network Associates and
      Symantec for "virus scaremongering", claiming
      that in a recent interview, the chief
      researcher at Symantec said there might be
      up to 200,000 new viruses written especially
      for the millennium.

      In addition, it said that Network Associates
      has set up a Web site warning of virus threats
      which, according to Sophos, are not in the
      wild and are never likely to be.

      Sophos warned that with many businesses
      deeply concerned about Y2K, confusing
      statements from anti-virus companies trivialise
      the virus issue and damage the credibility of
      the industry as a whole.

      Graham Cluley, Sophos senior technology
      consultant, commented: "Predictions of this
      type are unhelpful. We are surprised to see
      anti virus companies trying to capitalise on
      Y2K worries."

      Executives at Symantec said Sophos had
      taken its comments out of context.

      Kevin Street, Symantec technical director,
      commented: "What he meant was that there
      could be between one and 20,000 new
      viruses, but the numbers aren't what matter.
      What matters is that we are prepared."

      He added: "There will be a great temptation
      for virus writers to be the one to write the
      first Y2K virus to get the attention."

      David Emms, product manager at Network
      Associates, said the company's new Web site
      had been set up in response to customer

      "We have put the information up there
      because people are concerned," he said.

      He added: "We don't know exactly what the
      numbers of viruses will be yet, but it is most
      likely that virus writers will tack on to Y2K
      because of the date."

      Article from News Wire
      VNU Business Publications
      From Help Net Security
      by Thejian, Friday 17th September 1999 on 8:10 pm CET
      Sun senior staff engineer Alec Muffett told an audience of developers at Sun's ".com"
      conference and exhibition in London on Thursday that businesses using strong
      encryption, such as RSA, had to be aware of developments like the recently broken
      512-bit keys in the latest RSA challenge and cycle their keys often; especially banks
      that adopted 512-bit crypto in the 1980s to protect long-term information such as
      mortgage databases. "You must think ahead," he said. "Use cryptography not only
      against people like me, here and now, but people who come after me in 10, 15, 20
      years time." Techweb.       
      Crypto Breaker Tells Programmers
      To Wise Up
      (09/17/99, 1:56 p.m. ET)
      By Madeleine Acey, TechWeb 

      Since the recent breaking of an RSA 512-bit
      encryption key -- the kind used by many
      banks -- IT managers should think
      longer-term about how to protect data with a
      long shelf-life, said one of the team that won
      the latest RSA challenge. 

      Sun senior staff engineer Alec Muffett told an audience
      of developers at Sun's ".com" conference and exhibition
      in London on Thursday that businesses using strong
      encryption, such as RSA, had to be aware of
      developments like this and cycle their keys often;
      especially banks that adopted 512-bit crypto in the
      1980s to protect long-term information such as
      mortgage databases. 

      At the time, breaking 512-bit keys "wasn't something a
      band of mere mortals could do," Muffett said, but things
      had changed. The self-described "band of like-minded
      geeks" took just a few days to crack the required
      155-digit number using Cray supercomputers and spare
      capacity on an Amsterdam university's PCs. 

      "You must think ahead," he said. "Use cryptography not
      only against people like me, here and now, but people
      who come after me in 10, 15, 20 years time." 

      A Giga Information Group spokesman said many banks
      used outside technology experts to look after certain
      aspects of their security, but there was a range of
      different levels of awareness. 

      "It's a constant game of using advances in technology to
      stay ahead of advances in technology," the spokesman
      said. "Not everyone is up to speed." 

      As well as foresight, IT decision makers also needed
      the support of thoughtful programmers, Muffett said.
      They had a responsibility to not program "silly things"
      into software in the first place when it came to security. 

      "Passwords of only one to eight characters are very
      silly," he said, and have been since the 1970s. 

      "How many of you still have 1234 as the password for
      your voice mail?" said Geoffrey Baehr, Sun's chief
      networking engineer, sharing the stage with Muffett.
      "We as engineers have done a terrible job." 

      "I've definitely heard complaints on that from experts,"
      the Giga Information Group spokesman said. 

      The panel, including Sun's chief scientist John Gage,
      took the opportunity to attack rival Microsoft. 

      "The best thing you can do is run a secure OS," Baehr
      said. "No one system can be stronger than the weakest

      "'That's it,' some countries say. 'We cannot accept
      black box OSes that feed back information,'" said Gage,
      referring to the key labeled "NSA KEY" discovered in
      Windows, which Microsoft denied was a backdoor for
      the U.S. National Security Agency. 

      "If you want a solid place to stand, it's good to be able
      to see everything," Muffett said. 

      The Giga Information Group spokesman said the IT
      research company had found that "regardless of
      whether it's an espionage key, it definitely has harmed
      Microsoft overseas". 
      From Help Net Security      
      by Thejian, Friday 17th September 1999 on 1:05 am CET
      Federal and state laws should be strengthened to help curb the growing problem of
      online stalking, a U.S. Justice Department report recommends. Two-thirds of states
      have no laws on the books that explicitly cover stalking on the Internet or through
      other electronic communications means, the report found. And federal law ought to be
      amended to make it easier to track down "cyberstalkers," it said. 
      Report urges tough Net stalking laws

      SACRAMENTO, Calif. (AP) - Federal and state laws should be
      strengthened to help curb the growing problem of online stalking, a U.S.
      Justice Department report recommends. 

      Two-thirds of states have no laws on the books that explicitly cover
      stalking on the Internet or through other electronic communications means,
      the report found. And federal law ought to be amended to make it easier
      to track down ''cyberstalkers,'' it said. 

      ''As more and more Americans are going online
      -- particularly our children -- it is critical that they
      are protected from online stalking,'' said Vice
      President Al Gore, who requested the report in
      February and was to release it in California on

      ''Cyberspace should be a place for learning and
      exploration, not a place for fear,'' he said in
      remarks prepared for a meeting in San Diego
      with victims of online stalking and their family

      The report surveyed steps that law enforcement, online industries, victims
      groups and others are taking to crack down on cyberstalking, and
      explored whether existing laws are adequate to combat a problem it
      contends is on the rise. 

      Internet service providers, which link users to e-mail and the World Wide
      Web, report a growing number of complaints about harassing and
      threatening behavior online, it said. The head of the sex crimes unit in the
      Manhattan District Attorney's Office reported that about 20% of the unit's
      cases involve cyberstalking. 

      The report cited several chilling examples. 

           In one case, a Los Angeles security guard terrorized a woman who
           rejected his romantic advances by posting online messages that she
           fantasized about being raped, and listed her phone number and
           address. On at least six occasions, sometimes in the middle of the
           night, men knocked on her door saying they wanted to rape her. 

           A San Diego man sent more than 100 e-mail messages to five
           female students at the University of San Diego and the University of
           California, San Diego last year. They included death threats, graphic
           sexual descriptions and references to the women's daily activities,
           prosecutors said. 

           Federal law enforcement officials have reported many cases in
           which pedophiles have made advances to children through online
           chat rooms and later made contact with the children, the report

      Technology allows some stalkers to harass victims anonymously, it said. 

      The report recommends that all states review their laws to ensure they
      prohibit and provide ''appropriate'' punishment for stalking through the
      Internet and other means of electronic communication, including pagers. 

      California recently amended its stalking statute to cover cyberstalking. 

      Last year President Clinton signed a bill into law that protects children
      from online stalking. But the report said the law should be expanded to
      outlaw interstate or international communication made with the intent to
      threaten or harass another person. 

      Such new laws should include stiffer penalties when victims are minors, the
      report said. And federal law should make it easier for law enforcement to
      track down cyberstalkers. 

      The report cited as a hindrance the Cable Communications Policy Act,
      which bars investigators from obtaining cable subscriber records without a
      court order and advance notice to the subscriber. 

      From Help Net Security
      by Thejian, Thursday 16th September 1999 on 7:10 pm CET
      Here's more on the UK forming of a cybercrime unit tapping data streams and
      breaking codes for surveillance sake. Tapping proposals outlined in a Government
      consultation document call for the monitoring of one in every 500 telephone
      connections to the Internet to extend the Government's surveillance powers to the
      Web. According to a report in The Economist today, it would require the Home
      Secretary to issue 10,000 tapping warrants a year, five times the current level of
      Codebreakers and
      phone 'spies' target
      crime on Internet

      By Robert Uhlig

      ONE in every 500 telephone connections to the internet
      is to be monitored under Government proposals to
      extend surveillance powers to the Web.

      The plans are outlined in a Government consultation
      document and require internet service providers to have
      facilities to intercept one telephone line in every 500 that
      they operate.

      The tapping proposals represent a considerable increase
      in police powers and a capacity roughly 20 times the
      level required in other European countries. According to
      a report in The Economist today, it would require the
      Home Secretary to issue 10,000 tapping warrants a
      year, five times the current level of authorisations.

      Using such tapping facilities, the police and intelligence
      agencies will be able to harvest raw data streams
      containing private e-mail or text and pictures. Jack
      Straw, the Home Secretary, has argued that law
      enforcers need to improve their ability to intercept
      communications between terrorists and criminals.

      The Home Office claims law enforcers now have few
      powers to fight the increased use of encrypted messages
      on the internet to arrange drugs deals or pass on
      paedophile images.

      To sift through the vast quantities of tapped data the
      Government is also to set up a £20 million specialist
      code-cracking unit using staff from the Government's
      communications centres at GCHQ, the National Criminal
      Intelligence Unit and code-breakers recruited from the
      private sector.

      But even the code-breakers admit that current encrypting
      technologies would take the most powerful computers
      several weeks to crack, by which time the information is
      likely to be redundant. The unworkability, cost and
      technical ignorance encompassed by the proposals have
      united the internet industry with privacy campaigners.

      Demon Internet, Britain's third largest service provider,
      estimates that the switches and infrastructure required by
      the intercept proposals would cost them more than £1
      million initially and up to 15 per cent of their infrastructure
      costs to upgrade the facilities every year. Richard
      Clayton, Demon's Internet adviser, said: "If the
      Government wants this information they should pay for

      Tim Pearson, chairman of the Internet Service Providers
      Association, said his members were concerned by the
      extension in state and police powers being requested.

      Malcolm Hutty, director of Liberty, said the proposals
      were "hideously expensive, technically unworkable and a
      threat to civil liberties."

      He added that with such a tapping system in place
      "Government could be checking on people's tax returns
      or anything else they fancy keeping an eye on."

      From Help Net Security
      by Thejian, Thursday 16th September 1999 on 6:50 pm CET
      The White House in a briefing today will announce what one administration official told
      will be a "large" relaxation of encryption controls. This is a major victory from the
      industries' and users' point of view, but there is another side to it. Key recovery is
      expected to be a part of this proposal, something to which strong encryption export
      supporters object. The key recovery program essentially guarantees law enforcement
      officials a so-called "back door" to encrypted communications. 
      Law Enforcement May Benefit From New Crypto Policy 
      By Robert MacMillan, Newsbytes
      WASHINGTON, DC, U.S.A., 
      16 Sep 1999, 10:54 AM CST

      Despite an initially jubilant reaction from the high-tech industry over the White House's anticipated
      relaxation of its encryption export controls, the policy change could pave the way for more unfettered law
      enforcement access to sensitive data. 

      The White House in a briefing today will announce what one administration official told Newsbytes will be a "large"
      relaxation of encryption controls. 

      Stewart Baker, a member of the President's Export Council Subcommittee on Encryption, told Newsbytes that if the
      administration allows an easing of regulations, it has a firm platform on which to petition Congress to pass its proposed
      Cyberspace Electronic Security Act (CESA), which would give law enforcement agencies sweeping access to sensitive

      "Key recovery is dumb even from the Justice Department's point of view," Baker said. "It's peculiar to say 'I really like your
      industry and to encourage you I'm going to add costs and expose you to criminal liability.'" 

      Baker said that when the subcommittee made recommendations to the administration to change its encryption export
      policies, "that was not on our list." 

      Attorney General Janet Reno, Defense Department official John J. Hamre, and several other administration representatives
      are expected to announce that 64-bit encryption will now become the strongest mass-market algorithm level available, in
      conjunction with the 33-nation Wassenaar Arrangement. 

      In addition, the administration is expected to make it easier for companies to export strongly encrypted products of an
      unlimited algorithm length, subject to a one-time Commerce Department review. 

      The announcement is particularly important to the high-tech industry because it is getting itself heartily smacked in the
      encryption products arena by other countries that don't have such onerous export restrictions. 

      Rep. Robert Goodlatte, R-Va., and his Democratic counterpart Zoe Lofgren, D-Calif., both are chief sponsors of the Security
      and Freedom Through Encryption (SAFE) Act, which calls for a total stand-down on encryption export controls. 

      Goodlatte officials were not immediately available for comment, though he is expected to discuss the White House proposal
      at a press conference later today. 

      Unfortunately for him, key recovery is expected to be a part of this proposal, something to which strong encryption export
      supporters object. The key recovery program essentially guarantees law enforcement officials a so-called "back door" to
      encrypted communications. 

      Kristin Litterst of Americans for Computer Privacy said the administration announcement is significant because House
      Speaker Dennis Hastert, R-Ill., has said he wants SAFE to come to the House floor for a vote, but added that the ACP
      wants to work with the administration to shape the regulations. 

      "The announcement is a real mixed bag from a privacy perspective," Center for Democracy and Technology (CDT) counsel
      Alan Davidson said. "We've seen so many promises of broad relief that don't in fact protect people's privacy. It opens up a
      very important new debate on the Fourth Amendment in cyberspace - under what circumstances the government should
      have access to our most sensitive information." 

      Davidson added, however, that "If they follow through on their promise, this would be a real step forward. This would give
      encryption users around the world much stronger privacy protection software." 

      A staffer for Senate Communications Subcommittee Chairman Conrad Burns, R-Mont., a stalwart supporter of strong
      encryption exports, said that "It's great that (the White House supports) the need for encryption reform....but anything that
      is going to allow the federal government to just creep in the back door of Americans' computers is just unacceptable to us." 

      As a supporter of Senate Commerce Committee Chairman John McCain's, R-Ariz., PROTECT Act, the staffer said that
      Burns already has compromised his stance somewhat in deference to law enforcement, because PROTECT tends to fit in
      more with the scope of Wassenaar. 

      He added that Burns is unwilling to give up more ground. 

      Baker said that the administration announcement "will substantially reduce, if not completely eliminate, any of the burden
      associated with encryption controls, so it's a very big step and will probably take the issue off the table as a competitive

      Nevertheless, the move seems to tie into the administration's desire to offer a gift to law enforcement now that it has tried to
      please the high-tech industry. 

      Baker said CESA includes key recovery agent provisions, and allows law enforcement to ignore the privacy rights of criminal
      suspects in searches for information. The proposed bill also would allow law enforcement to require companies to get
      electronic information even in violation of privacy standards. 

      It also calls for sentencing guidelines to be drafted that would devise encryption crime penalties. "It sounds mildly harmless,
      but in my view is potentially rather dangerous," Baker said. "That provision is too broad." 

      He also said that CESA puts no restrictions on the Justice Department's ability to "order companies to violate the laws of
      other countries." 

      "You can imagine how a foreign country would feel if a local Internet service provider started hacking into their citizens'
      computers at the order of the Justice Department," Baker said. 



      10:54 CST
      Reposted 11:31 CST 

      From Help Net Security
      by BHZ, Thursday 16th September 1999 on 3:45 pm CET
      Attrition members reacted to the latest John Vranesevich article (Loan Gunmen ==
      HFG?). "Read on to see the obvious errors, illogical conclusions and outright libel
      contained within the AntiOnline article. It is being quoted here within guidelines of
      "Fair Use" quoting".       
      Attrition Responds to More AntiOnline Allegations
      Wed Sep 15 22:27:25 MDT 1999
      ATTRITION Staff
      (Official Press Release)
      For almost five years, various members of the Attrition staff have fought
      off unyielding attempts by AntiOnline and/or its staff to slander and
      defame their characters. These countless accusations and libelous statements 
      have always come without a shred of proof from those making them. Time and 
      time again, Attrition meets these allegations with arguments citing each and 
      every log or mail needed to openly prove our claims. Just once, the staff of 
      Attrition would like to be maligned using reasonably founded proof.
      The sickening irony in John Vranesevich and AntiOnline's malicious comments,
      is that they come in the middle of them plagiarizing Attrition's mirrors
      and other resources. In the past thirteen days, our logs have shown 13377 unique
      hits from AntiOnline's "AntiBot" as it spiders our site and utilizes
      our resources. For them to turn around and call us criminals, makes one wonder 
      if they are saying it purely to get media attention, supporting the people he 
      speaks ill of, or some sick hybrid of the two.
      Read on to see the obvious errors, illogical conclusions and outright libel
      contained within the AntiOnline article. It is being quoted here within
      guidelines of "Fair Use" quoting. The original article is in white text, 
      Attrition comments are in red.
         Loan Gunmen == HFG? 
         Wednesday, September 15, 1999 at 15:27:48
         by John Vranesevich - Founder of AntiOnline 
         September 13, 1998, The New York Times was broken into by a group
         calling itself HFG, Hacking for Girlies. The attack, which the New
         York Times claims cost them over $1 million in damages, falls almost
         one year ago to the day of when the Nasdaq was broken into.
         ABC News, C-span, The Drudge Report, and now the Nasdaq have all
         fallen victim to a group calling itself "The United Loan Gunmen".
         AntiOnline has reason to believe that this "new group", is actually
         the HFG acting out under a new name.
      [Consistent with a five year pattern of allegations and no proof to back
       them, these conclusions are no different.]
         Using concepts developed under its "Virtual Fingerprinting System",
         AntiOnline has taken data from the recent United Loan Gunman hacks,
         and compared it to data in its extensive databases of over 6,700
         individual hackers. The results?
      [This "Virtual Fingerprinting System" is nothing but a glorified hand-
       comparison of two files, as illustrated below.]
         Graphic Creation: Graphics created by members of the United Loan
         Gunman match the style and technique as graphics developed by members
         of HFG in September of last year. Several of these graphics also bear
         resemblance in creation method to a Defcon 6 logo submitted by a known
         individual, whose work also can be compared to several other attacks.
      [False. A comparison of their HTML elements and attributes, visual style,
       signatures and more, prove how inaccurate the above statement is. There is
       practically no similarity between HFG and ULG graphics. Determine for yourself.
       The Defcon 6 graphic referred to was designed well before HFG began their
       defacement spree. This image was paraded before over 4,000 hackers at
       the Defcon 6 convention in Las Vegas.  The fact that a member of HFG
       chose to emulate the graphic is inconsequential to this scenario. To suggest 
       otherwise without verifiable proof is to invite charges of defamation of
       character. Look at ALL of the graphics in question, on the same page. 
       You make the determination.]
         Content: Similar writing styles, political agendas, affiliates, and
         attacks as hacks done in September of last year by HFG.
      [False. The writing styles of both groups are quite different. Compare the 
       content in the ABC Hack (ULG) to that of the New York Times Hack.
       Notice the use of "elite speak" and all caps in most of HFG's defacements. 
       This style is seen nowhere in the ULG mirrors.]
         HTML: Matches in "free hand" creation style to hacks done by the HFG.
      [Due to the fact that HTML is a markup language and lacks a header identifying 
       how it was created, one cannot assume anything about how a page was created 
       without the existence of appropriate META tags denoting the authoring tool used.
       Furthermore, well over half the pages created by defacers are done free-hand. 
       Compare the radical differences in HTML style between the two groups. To claim 
       that there are similarities between the HTML of both groups is a gross assumption.]
         Affiliation: "Attrition" members once again claim to have "spoken to"
         the individuals involved with the recent attacks, just as they claimed
         last year during the HFG hacks. Brian Martin, founder of Attrition,
      [False. HFG sent a notification e-mail to Brian Martin along with over
       twenty other people regarding their defacement. Likewise, the contact made 
       between ULG and Attrition staff was via IRC who have logs readily available 
       to any Federal law enforcement organization that makes a formal request as 
       mentioned in the warning on our mirror. In the statement made by AntiOnline, 
       the Attrition staff are being "jewelled." That is, they are being blamed for 
       a crime simply because they are the bearer of the news before others. This 
       is an ironic claim since AntiOnline has gained its reputation for doing exactly 
       the same thing. The only difference is the Attrition staff did not 
       admit to several felonies in their dealings with hackers. Attrition staff had no 
       foreknowledge of the victim of the intrusions and make it known that they are 
       aware such activity constitutes a felony.]
         was raided in December of 1998 as part of an FBI investigation into
         Hacking For Girlies (as reported by Forbes columnist Adam Penninburg).
      [References to the December 1998 raid of Brian Martin are total innuendo and
       counter the long-standing American concept of justice in which all are 
       innocent until proven guilty.  Further, it should be noted that it has
       been almost a year since the raid, no arrest warrant has been issued.  That
       in itself speaks volumes when observing how quick Federal law enforcement
       has been recently in raiding and charging other hackers.]
         Attack Method: Once again the methodology seems to be rather cloudy,
         and other industry leaders are drawing similarities into the attack
         styles (this could potentially become more clear as data from the
         recent Loan Gunmen attacks surfaces from the individual
      [False. Industry leaders are not making such illogical conclusions. It has 
       been confirmed that at a minimum, four machines compromised by HFG were 
       Unix, (one of which was Solaris), and the operating systems of all four of 
       the servers compromised by ULG were either Windows NT4 or Windows NT5.]
         Time: Just as before, attacks apparently done by the same group of
         people, yet under different names, are spread far apart by almost a
         year exactly.
      [False. AntiOnline has not established that there has been any indication of 
       previous examples where one group turned out to be a second group just with 
       a different name.]
         AntiOnline has been receiving more data from several other
         organizations who are also investigating these similarities, and is in
         the process of adding them to its catalog to be "fingerprinted".
      [If this is true, then just like AntiOnline, their resulting information 
       is completely based on speculation and to print such assumptions without
       concrete evidence is a violation of journalistic ethics.]
         Exact results of AntiOnline's investigations are leading to a
         particular group of known hackers that AntiOnline has extensive
         information on. For obvious legal reasons, that data is not being
         disclosed to individuals outside of the law enforcement arena.
      [Such statements should be closely examined by AntiOnline readers. 
       Attrition staff has recently obtained hard proof that Vranesevich
       has continued to be involved in illegal activity, all in
       the name of 'journalism'. See for yourself.]
         For more information about "Hacker Profiling", read AntiOnline's Three
         Part Special Report entitled:
         "How To Be A Hacker Profiler".
         Related Information On AntiOnline:
      [And see how easily these methods are countered in our piece called
       "Debunking the Hacker Profiler".]
         What Hackers Head The Culture?
      [Another example of Vranesevich's libel can be found in this article. Once
       again, we have pointed out the errata and slander
       in this piece.]
      - Attrition Staff

      The original Article from Anti-Online
      Loan Gunmen == HFG? 
      Wednesday, September 15, 1999 at 15:27:48
      by John Vranesevich - Founder of AntiOnline 
      September 13, 1998, The New York Times was broken into by a
      group calling itself HFG, Hacking for Girlies. The attack, which the
      New York Times claims cost them over $1 million in damages, falls
      almost one year ago to the day of when the Nasdaq was broken into. 
      ABC News, C-span, The Drudge Report, and now the Nasdaq have
      all fallen victim to a group calling itself "The United Loan Gunmen".
      AntiOnline has reason to believe that this "new group", is actually the
      HFG acting out under a new name.
      Using concepts developed under its "Virtual Fingerprinting System",
      AntiOnline has taken data from the recent United Loan Gunman
      hacks, and compared it to data in its extensive databases of over
      6,700 individual hackers. The results?
      Graphic Creation: Graphics created by members of the United Loan
      Gunman match the style and technique as graphics developed by
      members of HFG in September of last year. Several of these graphics
      also bear resemblance in creation method to a Defcon 6 logo
      submitted by a known individual, whose work also can be compared
      to several other attacks.
      Content: Similar writing styles, political agendas, affiliates, and
      personal attacks as hacks done in September of last year by HFG.
      HTML: Matches in "free hand" creation style to hacks done by the
      Affiliation: "Attrition" members once again claim to have "spoken to"
      the individuals involved with the recent attacks, just as they claimed
      last year during the HFG hacks. Brian Martin, founder of Attrition,
      was raided in December of 1998 as part of an FBI investigation into
      Hacking For Girlies (as reported by Forbes columnist Adam L.
      Attack Method: Once again the methodology seems to be rather
      cloudy, and other industry leaders are drawing similarities into the
      attack styles (this could potentially become more clear as data from
      the recent Loan Gunmen attacks surfaces from the individual
      Time: Just as before, attacks apparently done by the same group of
      people, yet under different names, are spread far apart by almost a
      year exactly.
      AntiOnline has been receiving more data from several other
      organizations who are also investigating these similarities, and is in the
      process of adding them to its catalog to be "fingerprinted".
      Exact results of AntiOnline's investigations are leading to a particular
      group of known hackers that AntiOnline has extensive information on.
      For obvious legal reasons, that data is not being disclosed to
      individuals outside of the law enforcement arena.
      For more information about "Hacker Profiling", read
      AntiOnline's Three Part Special Report entitled:
      "How To Be A Hacker Profiler".
      From Help Net Security
      by Thejian, Thursday 16th September 1999 on 2:50 am CET
      The next big issue after the year 2000 is the threat to computer security, said a
      senior federal official whose job includes hacking into government systems to find
      their vulnerabilities. "Like Y2K, computer security is a management problem," says
      Keith Rhodes at a conference entitled "Defending Cyberspace: Enabling Electronic
      Government", quoting weaknesses in engineering, operations, and management.
      Most Computer Attacks Come
      From Organizations 
      (09/14/99, 1:46 p.m. ET)
      By Mary Mosquera, TechWeb 

      ARLINGTON, VA. -- The next big issue after
      the year 2000 is the threat to computer
      security, said a senior federal official whose
      job includes hacking into government
      systems to find their vulnerabilities. 

      Although threats to computer security from somewhere
      on the Internet capture more headlines, the most
      successful government break-ins are from within, said
      Keith Rhodes, director of the General Accounting
      Office's computer and information-technology
      assessment unit. Rhodes tests the security of federal
      systems by breaking in from within the government and
      from the Internet. 

      Like Y2K, computer security is a management
      problem. "There was no emphasis on Y2K until
      management took it seriously," Rhodes told a
      conference titled "Defending Cyberspace: Enabling
      Electronic Government," in Arlington, Va. 

      Computer-security threats come from non-malicious
      hackers, such as teenagers breaking into systems for the
      thrill, malicious attackers spreading viruses or wreaking
      other havoc, industrial spies, and terrorists. 

      "Being a cybercop is like being a sheriff in the old
      Arizona territory," Rhodes said. 

      Security is not just an issue for large federal or financial
      systems, but for any company doing business online or
      depending on email for communications.
      Well-publicized viruses, such as the Melissa virus, took
      their toll, albeit temporary, on businesses, including
      Microsoft and General Electric, Rhodes said. 

      In sniffing out security vulnerability, Rhodes finds
      weaknesses in engineering, operations, and
      management. "Why protect a computer firewall when
      you prop open the door to the computer room?"
      Rhodes said. While it used to take Rhodes one hour to
      break into government computers, it now takes three
      minutes, he said. 

      Lessons to be learned from Y2K start with having good
      personnel, Rhodes said. Similar to early in harnessing
      national attention for Y2K, management is afraid to
      disclose information about computer security for fear of
      litigation or disturbing public confidence. Threats come
      from not having enough competent personnel and the
      inability to recognize if a crash is Y2K-related or a
      break-in, Rhodes said. Organizations must take care
      with whom they outsource major tasks, such as payroll,
      and which personnel are given code to mission-critical

      Myths about computer security can make organizations
      complacent until they get creamed and need valuable
      time to get back up, Rhodes said. Some believe
      security is adequate if a single standard can be
      developed, or a sole vendor or product fills all its
      needs. "Public-key infrastructure is needed now,"
      Rhodes said, adding "You won't be able to operate
      without it." 

      "Attacks are faster and more bad software is being sold
      with holes in it. And changing system software will still
      present problems," Rhodes said. 

      Although systems can never be completely secure, a
      company can protect itself by putting a value on assets
      and deciding what it wants to protect, assure continuity
      of operations with contingency plans, and form a
      computer emergency response team that can protect
      the system, detect attacks, and react to them.
      Organizations should be willing to cooperate with law
      enforcement when systems are attacked, Rhodes said. 

      Because of its size and importance, government is
      experiencing increasingly more cyber attacks.
      "Government must take the lead in defending
      cyberspace," said Ben Miller, chairman of
      CardTech/SecurTech, which promotes advanced smart
      card and secure technologies. 

      Congress is recognizing the importance of computer
      security by increasing agency budgets against
      cyberthreats. However, funds are being taken from
      other programs, Rhodes said. 

      From Help Net Security 
      by Thejian, Wednesday 15th September 1999 on 11:40 pm CET
      Antivirus experts are urging computer users not to open a year 2000 countdown
      program that comes in the form of an e-mail sent by Microsoft. The "Y2Kcount.exe."
      file is said to include a Trojan. Users who try to install the program will see a
      message saying the Y2K counter was unable to install. It says: "Error!.. Password
      protection error or invalid CRC32!." However, analysis of the program's installation
      routine shows it already has connected to internal Windows files by the time it
      displays the error message. 
      Beware Of Virus-Riddled Y2K
      (09/15/99, 3:36 p.m. ET)
      By Lee Kimber, Special To TechWeb, TechWeb 
      Antivirus experts are urging computer users
      not to open a year 2000 countdown
      program that comes in the form of an e-mail
      sent by Microsoft on Tuesday. 
      The e-mail was not sent by Microsoft, and the enclosed
      attachment is not a Y2K countdown program, but
      rather a Trojan virus. If users attempt to open the
      alleged program, the virus can install itself onto the
      user's computer and then is capable of sending data and
      information from that system across the Internet. 
      Microsoft did not return calls by publishing deadline
      Antivirus experts at Star Internet, a U.K.-based ISP,
      along with Network Associates and Sophos, are
      analyzing the e-mail attachment, called "Y2Kcount.exe."
      Star has confirmed that the virus, which has been
      named Count2K, originated in Bulgaria and has also
      identified some key warning signs. 
      "It makes a lot of socket communications calls," said
      Star antivirus programmer Alex Shipp. "There's also a
      lot of file handle calls and keyboard handling calls." 
      Shipp said similar to the ExploreZip virus that
      decimated corporate e-mail systems several months
      ago, Count2K appears to have the ability to take files
      from users' systems and send them across the Net. The
      destination of the files or data has not yet been
      determined by Star's virus experts. On Wednesday,
      Network Associates antivirus experts confirmed
      Shipp's findings. 
      Shipp's analysis has determined -- that like the
      ExploreZip Trojan virus -- both are written in Pascal.
      He also said the internal programming of the two viruses
      is very similar.
      Users who simply open the e-mail but do not attempt to
      load the Y2K program are in no danger from the virus.
      Users who try to install the program will see a message
      saying the Y2K counter was unable to install. It says:
      "Error!..Password protection error or invalid CRC32!."
      However, analysis of the program's installation routine
      shows it already has connected to internal Windows
      files by the time it displays the error message, Shipp
      "If you see that [message], you think it failed," said
      Shipp. "By then, it has installed itself." 
      The message first raised eyebrows because of
      awkward wording that didn't seem like it would come
      from Microsoft. The accompanying message headers
      also suggested that the e-mail passed through
      CompuServe's e-mail system. No valid e-mail from
      Microsoft should route through CompuServe. 
      Antivirus experts said they are working quickly to
      develop a Count2K fix. Network Associates confirmed
      that programmers in their antivirus labs are working on
      a patch. Sophos has posted a warning on its website
      alerting users that it is working on a patch. Star Internet
      has already protected its 1,000 U.K. business
      customers from the Trojan by installing a scanner on its
      e-mail servers. The scanner looks for the Trojan's
      unique signature.  

      From Help Net Security
      by BHZ, Wednesday 15th September 1999 on 7:12 pm CET
      CERT released an advisory on several vulnerabilities in the Common
      Desktop Environment.       
      CERT Advisory CA-99-11 Four Vulnerabilities in the
                    Common Desktop Environment

                    Original release date: September 13, 1999
                    Last revised: September 13, 1999
                    Source: CERT/CC

                    A complete revision history is at the end of this file. 

                    Systems Affected

                         Systems running the Common Desktop Environment (CDE)

       I. Description

       Multiple vulnerabilities have been identified in some distributions of the Common Desktop Environment (CDE). These vulnerabilities are different from those
       discussed in CA-98.02. We recommend that you install appropriate vendor patches as soon as possible (see Section III below). Until you can do so, we
       encourage you to disable or uninstall vulnerable copies of the CDE package. Note that disabling these programs will severely affect the utility of the CDE

       At this time, the CERT/CC has not received any reports of these vulnerabilities being exploited by intruders. 

       Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism 

       The ToolTalk messaging server ttsession allows independent applications to communicate without having direct knowledge of each other. Applications can
       communicate through an associated ttsession which delivers messages via RPC calls between interested agents. 

       On many systems, ttsession uses AUTH_UNIX authentication (a client-based security option) by default. When messages are received, ttsession uses certain
       environment variables supplied by the client to determine how the message is handled. Because of this, the ttsession process can be manipulated to execute
       unauthorized arbitrary programs with the privileges of the running ttsession. 

       Vulnerability #2: CDE dtspcd relies on file-system based authentication

       The network daemon dtspcd (a CDE desktop subprocess control program) accepts CDE requests from clients to execute commands and launch applications

       When a client makes a request, the dtspcd daemon asks the client to create a file that has a predictable name so that the daemon can authenticate the request.
       If a local user can manipulate the files used for authentication, then that user can craft arbitrary commands that may run as root. 
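
       The check below is an added illustration, not CERT's text or dtspcd source: a daemon that has to rely on a
       client-created file can at least bind its decision to the object it actually opened. verify_auth_file, run_case
       and the /tmp paths are hypothetical names; the vendor patches in Section III remain the fix.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical daemon-side check (not dtspcd source): accept the client's
 * proof file only if it is a regular, singly linked file owned by the uid
 * the client claims, and not writable by group or others. */
int verify_auth_file(const char *path, uid_t claimed_uid)
{
    struct stat st;
    int ok;
    /* O_NOFOLLOW: refuse a symlink sitting under the predictable name.
     * O_NONBLOCK: do not hang if the name turns out to be a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat the descriptor, not the path, so the object checked is the
     * object opened (no check-then-use race on the name). */
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    ok = S_ISREG(st.st_mode)
      && st.st_nlink == 1          /* name is not an extra link to another file */
      && st.st_uid == claimed_uid
      && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
    close(fd);
    return ok ? 0 : -1;
}

enum auth_case {
    CASE_OWN_FILE, CASE_WRONG_UID, CASE_SYMLINK, CASE_HARDLINK,
    CASE_WORLD_WRITABLE
};

/* Builds one constructed scenario in a private temp directory and returns
 * what verify_auth_file decides: 0 = accept, -1 = reject, -2 = setup error. */
int run_case(enum auth_case which)
{
    char dir[] = "/tmp/authdemoXXXXXX";
    char file[64], alias[64];
    uid_t me = geteuid();
    int fd, rc = -2;

    if (mkdtemp(dir) == NULL)
        return -2;
    snprintf(file, sizeof file, "%s/proof", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    /* O_EXCL: creation fails if anything already exists under this name. */
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        rmdir(dir);
        return -2;
    }
    close(fd);

    switch (which) {
    case CASE_OWN_FILE:
        rc = verify_auth_file(file, me);
        break;
    case CASE_WRONG_UID:            /* file exists but claimed uid differs */
        rc = verify_auth_file(file, me + 1);
        break;
    case CASE_SYMLINK:              /* name is a symlink to a valid file */
        if (symlink(file, alias) == 0)
            rc = verify_auth_file(alias, me);
        break;
    case CASE_HARDLINK:             /* name is a second link to a valid file */
        if (link(file, alias) == 0)
            rc = verify_auth_file(alias, me);
        break;
    case CASE_WORLD_WRITABLE:       /* anyone could have rewritten it */
        if (chmod(file, 0666) == 0)
            rc = verify_auth_file(file, me);
        break;
    }
    unlink(alias);
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void)
{
    static const char *names[] = {
        "own file", "wrong uid", "symlink", "hard link", "world-writable"
    };
    int i;
    for (i = CASE_OWN_FILE; i <= CASE_WORLD_WRITABLE; i++)
        printf("%-15s -> %s\n", names[i],
               run_case((enum auth_case)i) == 0 ? "accept" : "reject");
    return 0;
}
```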

       Vulnerability #3: CDE dtaction buffer overflow

       The dtaction utility allows applications or shell scripts that otherwise are not connected into the CDE development environment, to request that CDE actions be

       A buffer overflow can occur in some implementations of dtaction when a username argument greater than 1024 bytes is used. 

       Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION

       There is a vulnerability in some implementations of the ToolTalk shared library which allows the TT_SESSION environment variable buffer to overflow. A setuid root
       program using a vulnerable ToolTalk library, such as dtsession, can be exploited to run arbitrary code as root. 
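
       Vulnerabilities #3 and #4 share one root cause: a fixed-size buffer filled from an argument or environment
       variable whose length the caller controls. The added example below (not CERT's or any vendor's code; FIELD_BUF
       and all function names are assumptions) contrasts the unchecked copy with a length-checked one that rejects
       oversized input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_BUF 1024 /* assumed size, chosen to match the advisory's 1024-byte figure */

/* Unsafe pattern, for contrast only (never called here): the copy length is
 * set by the caller-supplied string, not by the destination buffer. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: succeeds only if src, including its terminating NUL, fits
 * in dst. Oversized input is rejected rather than truncated, because a
 * truncated user name or session id may name a different principal. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *nul;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    nul = memchr(src, '\0', dst_size); /* inspects at most dst_size bytes */
    if (nul == NULL)
        return -1;                     /* no NUL within the buffer size */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Environment variant for a privileged program: an unset variable and an
 * oversized value are both treated as errors. */
int env_bounded(char *dst, size_t dst_size, const char *name)
{
    return copy_bounded(dst, dst_size, getenv(name));
}

/* Constructed input: n 'A' bytes standing in for a user name argument.
 * Returns 0 = accepted intact, -1 = rejected, -2 = setup error. */
int try_username_of_length(size_t n)
{
    char field[FIELD_BUF];
    char *input = malloc(n + 1);
    int rc;

    if (input == NULL)
        return -2;
    memset(input, 'A', n);
    input[n] = '\0';
    rc = copy_bounded(field, sizeof field, input);
    if (rc == 0 && strlen(field) != n)
        rc = -2;
    free(input);
    return rc;
}

/* Reads the named environment variable into a FIELD_BUF-sized buffer. */
int try_env(const char *name)
{
    char field[FIELD_BUF];
    return env_bounded(field, sizeof field, name);
}

int main(void)
{
    static const size_t lengths[] = { 8, 1023, 1024, 5000 };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("%5lu-byte argument -> %s\n", (unsigned long)lengths[i],
               try_username_of_length(lengths[i]) == 0 ? "accepted" : "rejected");
    printf("TT_SESSION from environment -> %s\n",
           try_env("TT_SESSION") == 0 ? "accepted" : "rejected or unset");
    return 0;
}
```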

       II. Impact

       Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism

       A local or remote user may be able to use this vulnerability to run commands on a vulnerable system with the same privileges of the attacked ttsession. For this
       attack to work, a ttsession must be actively running on the system attacked. The ttsession daemon is started whenever a user logs in using the CDE desktop, or
       upon interaction with CDE at some future point. 

       Vulnerability #2: CDE dtspcd relies on file-system based authentication

       A vulnerable dtspcd may allow a local user to run arbitrary commands as root. 

       Vulnerability #3: CDE dtaction buffer overflow

       A local user may be able to exploit this vulnerability to execute arbitrary code with root privileges. 

       Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION

       A local user may be able to exploit this vulnerability to execute arbitrary code with root privileges. 

       III. Solution

       Install appropriate patches from your vendor 

       We recommend installing vendor patches as soon as possible and disabling the vulnerable programs until you can do so (or uninstalling the entire CDE package
       if not needed). Note that disabling these programs will severely affect the utility of the CDE environment. 

       Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your
       vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly. 

       Appendix A. Vendor Information

       Compaq Computer Corporation

            Problem #1 

            CDE ToolTalk session daemon & ToolTalk shared library overflow 

            This potential security problem has been resolved and a patch for this problem has been made available for Tru64 UNIX V4.0D, V4.0E, V4.0F and V5.0. 

            This patch can be installed on: 

             V4.0D-F, all patch kits
             V5.0, all patch kits

            *This solution will be included in a future distributed release of Compaq's Tru64/ DIGITAL UNIX. 

            This patch may be obtained from the World Wide Web at the following FTP address: 


            The patch file name is SSRT0617_ttsession.tar.Z 

            Problem #2 

            Compaq's Tru64/DIGITAL UNIX is not vulnerable. 

            Problem #3 

            CDE dtaction buffer overflow 

            This potential security problem has been resolved and a patch for this problem has been made available for Tru64 UNIX V4.0D, V4.0E and V4.0F. 

            This patch can be installed on: 

            V4.0D Patch kit BL11 or BL12
            V4.0E Patch kit BL1 or BL12
            V4.0F Patch kit BL1

            *This solution will be included in a future distributed release of Compaq's Tru64/ DIGITAL UNIX. 

            This patch may be obtained from the World Wide Web at the following FTP address: 


            The patch file name is SSRT0615U_dtaction.tar.Z 

            Problem #4 

            CDE ToolTalk shared library overflow 

            See solution fix described in Problem #1. 


            Fujitsu's UXP/V operating system is not vulnerable to any of these vulnerabilities. 

       Hewlett-Packard Company

            HP-9000 Series 700/800 HP-UX releases 10.X and 11.0 systems with CDE patches previously recommended in HP Security Bulletins are not vulnerable to
            vulnerabilities #2, #3, and #4. 

            All HP-UX 10.X and 11.0 systems running CDE are vulnerable to vulnerability #1. 

            Patches are in progress. 

       IBM Corporation

            All releases of AIX version 4 are vulnerable to vulnerabilities #1, #3, and #4. AIX is not vulnerable to #2. The following APARs will be available soon: 

                  AIX 4.1.x:  IY03125  IY03847
                  AIX 4.2.x:  IY03105  IY03848
                  AIX 4.3.x:  IY02944  IY03849

            Customers that do not require the CDE desktop functionality can disable CDE by restricting access to the CDE daemons and removing the dt entry from
            /etc/inittab. Run the following commands as root to disable CDE: 

                  # /usr/dt/bin/dtconfig -d
                  # chsubserver -d -v dtspc
                  # chsubserver -d -v ttdbserver
                  # chsubserver -d -v cmsd
                  # chown root.system /usr/dt/bin/*
                  # chmod 0 /usr/dt/bin/*

            For customers that require the CDE desktop functionality, a temporary fix is available via anonymous ftp from: 


               Filename        sum             md5
               dtaction_4.1    32885    18     82af470bbbd334b240e874ff6745d8ca
               dtaction_4.2    52162    18     b10f21abf55afc461882183fbd30e602
               dtaction_4.3    56550    19     6bde84b975db2506ab0cbf9906c275ed
               libtt.a_4.1     29234  2132     f5d5a59956deb8b1e8b3a14e94507152
               libtt.a_4.2     21934  2132     73f32a73873caff06057db17552b8560
               libtt.a_4.3     12154  2118     b0d14b9fe4a483333d64d7fd695f084d
               ttauth          56348    31     495828ea74ec4c8f012efc2a9e6fa731
               ttsession_4.1   19528   337     bfac4a06b90cbccc0cd494a44bd0ebc9
               ttsession_4.2   46431   338     05949a483c4e390403055ff6961b0816
               ttsession_4.3   54031   339     e1338b3167c7edf899a33520a3adb060

            NOTE - This temporary fix has not been fully regression tested. Use the following steps (as root) to install the temporary fix. 

               1. Uncompress and extract the fix.

                  # uncompress < cdecert.tar.Z | tar xf -
                  # cd cdecert

               2. Replace the vulnerable executables with the temporary fix for
                  your version of AIX.

                  # (cd /usr/dt/lib && mv libtt.a libtt.a.before_security_fix)
                  # (cd /usr/dt/bin && mv ttsession ttsession.before_security_fix)
                  # (cd /usr/dt/bin && mv dtaction dtaction.before_security_fix)
                  # chown root.system /usr/dt/lib/libtt.a.before_security_fix
                  # chown root.system /usr/dt/bin/ttsession.before_security_fix
                  # chown root.system /usr/dt/bin/dtaction.before_security_fix
                  # chmod 0 /usr/dt/lib/libtt.a.before_security_fix
                  # chmod 0 /usr/dt/bin/ttsession.before_security_fix
                  # chmod 0 /usr/dt/bin/dtaction.before_security_fix
                  # cp ./libtt.a_ /usr/dt/lib/libtt.a
                  # cp ./ttsession_ /usr/dt/bin/ttsession
                  # cp ./dtaction_ /usr/dt/bin/dtaction
                  # cp ./ttauth /usr/dt/bin/ttauth
                  # chmod 555 /usr/dt/lib/libtt.a
                  # chmod 555 /usr/dt/bin/ttsession
                  # chmod 555 /usr/dt/bin/dtaction
                  # chmod 555 /usr/dt/bin/ttauth
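The following is an added example, not part of the advisory or of IBM's instructions: shell functions that check the extracted temporary-fix files against the md5 column of the table above before step 2 replaces anything. It assumes `md5sum` or `openssl` is available on the host doing the check; the function names and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): verify the AIX temporary-fix files
# against the md5 values published in the advisory table before installing.
# Usage (hypothetical script name): sh verify_cdecert.sh ./cdecert 4.3

# Name/md5 pairs copied from the advisory's "Filename ... md5" table.
MANIFEST='dtaction_4.1 82af470bbbd334b240e874ff6745d8ca
dtaction_4.2 b10f21abf55afc461882183fbd30e602
dtaction_4.3 6bde84b975db2506ab0cbf9906c275ed
libtt.a_4.1 f5d5a59956deb8b1e8b3a14e94507152
libtt.a_4.2 73f32a73873caff06057db17552b8560
libtt.a_4.3 b0d14b9fe4a483333d64d7fd695f084d
ttauth 495828ea74ec4c8f012efc2a9e6fa731
ttsession_4.1 bfac4a06b90cbccc0cd494a44bd0ebc9
ttsession_4.2 05949a483c4e390403055ff6961b0816
ttsession_4.3 e1338b3167c7edf899a33520a3adb060'

# md5_of FILE: print the lowercase hex MD5 of FILE with whichever tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{print $1}' | tr 'A-F' 'a-f'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 < "$1" | awk '{print $NF}' | tr 'A-F' 'a-f'
    else
        echo "no md5 tool found (assumed: md5sum or openssl)" >&2
        return 2
    fi
}

# expected_md5 NAME: print the advisory's md5 for NAME; status 1 if not listed.
expected_md5() {
    printf '%s\n' "$MANIFEST" |
        awk -v n="$1" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# verify_fix FILE [NAME]: 0 = matches the table, 1 = mismatch,
# 2 = cannot check (name not in table, file unreadable, no md5 tool).
verify_fix() {
    file=$1
    name=${2:-$(basename "$1")}
    want=$(expected_md5 "$name") || {
        echo "UNKNOWN  $name (not in advisory table)" >&2
        return 2
    }
    [ -r "$file" ] || { echo "MISSING  $file" >&2; return 2; }
    got=$(md5_of "$file") || return 2
    if [ "$got" = "$want" ]; then
        echo "OK       $name"
    else
        echo "MISMATCH $name: got $got, advisory lists $want" >&2
        return 1
    fi
}

# verify_all DIR VERSION: check the four files step 2 copies for one AIX
# version (4.1, 4.2 or 4.3). Returns non-zero if any file fails.
verify_all() {
    dir=$1
    ver=$2
    rc=0
    for f in "libtt.a_$ver" "ttsession_$ver" "dtaction_$ver" ttauth; do
        verify_fix "$dir/$f" "$f" || rc=1
    done
    return $rc
}

# Run only when called with a directory and a version.
if [ "$#" -eq 2 ]; then
    verify_all "$1" "$2"
fi
```

A MISMATCH or MISSING result means the file should not be copied into /usr/dt; the md5 values only tie the download to what the advisory text lists.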

            IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on
            FixDist, and to obtain fixes via the Internet, please reference 


            or send electronic mail to "" with the word "FixDist" in the "Subject:" line. To facilitate ease of ordering all security related APARs
            for each AIX release, security fixes are periodically bundled into a cumulative APAR. For more information on these cumulative APARs including last
            update and list of individual fixes, send electronic mail to "" with the word "subscribe Security_APARs" in the "Subject:" line. 

       Santa Cruz Operation, Inc.

            SCO is investigating these vulnerabilities on SCO UnixWare 7. Other SCO products (OpenServer 5.0.x, UnixWare 2.1.x, Open Server / Open Desktop 3.0
            and CMW+) are not vulnerable as CDE is not a component of these releases. 

            SCO will make patches and status information available at 


       Silicon Graphics, Inc.

            SGI acknowledges the CDE vulnerabilities reported and is currently investigating. No further information is available at this time. As further information
            becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list. 

            Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate
            steps according to local site security policies and requirements. 

            The SGI Security Headquarters Web page is accessible at the URL 


       Sun Microsystems, Inc.

            Vulnerability #1: 

            Systems running Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3, and SunOS 4.1.4 and 4.1.3_U1 are vulnerable if the UNIX authentication mechanism (default) is
            used with ttsession. 

            The use of DES authentication is recommended to resolve this issue. To set the authentication mechanism to DES, use the ttsession command with the
            '-a' option and specify 'des' as the argument (see ttsession(1) for more information). The use of DES authentication also requires that the system uses
            Secure NFS, NIS+, or keylogin. For more information about Secure NFS, NIS+, or keylogin, please see the System Administration Guide, Volume II.
            Information is also available at: 


            Vulnerability #2: 

            The following patches are available: 

                CDE version         SunOS version                   Patch ID        
                ___________         _____________                   _________

                1.3                 5.7                             108221-01 
                1.3_x86             5.7_x86                         108222-01 
                1.2                 5.6                             108199-01 
                1.2_x86             5.6_x86                         108200-01 
                1.0.2               5.5.1, 5.5, 5.4                 108205-01 
                1.0.2_x86           5.5.1_x86, 5.5_x86, 5.4_x86     108206-01  
                1.0.1               5.5, 5.4                        108252-01 
                1.0.1_x86           5.5_x86, 5.4_x86                108253-01 

            Vulnerability #3: 

            The following patches are available: 

                CDE version         SunOS version                   Patch ID        
                ___________         _____________                   _________
                1.3                 5.7                             108219-01 
                1.3_x86             5.7_x86                         108220-01  
                1.2                 5.6                             108201-01 
                1.2_x86             5.6_x86                         108202-01

            Patches for CDE versions 1.0.2 and 1.0.1 will be available within two weeks of the release of this advisory. 

            Vulnerability #4: 

            Patches will be available within two weeks of the release of this advisory. 

            Sun security patches are available at: 


       The CERT Coordination Center would like to thank Job de Haas for reporting these vulnerabilities and working with the vendors to effect fixes. We would also like
       to thank Solutions Atlantic for their efforts in coordinating vendor solutions. 

       This document is available from: 

       CERT/CC Contact Information

       Phone: +1 412-268-7090 (24-hour hotline)
       Fax: +1 412-268-6989
       Postal address:
            CERT Coordination Center
            Software Engineering Institute
            Carnegie Mellon University
            Pittsburgh PA 15213-3890

       CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S.
       holidays, and on weekends. 

       Using encryption

       We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from


       If you prefer to use DES, please call the CERT hotline for more information.

       Getting security information

       CERT publications and other security information are available from our web site


       To be added to our mailing list for advisories and bulletins, send email to and include SUBSCRIBE your-email-address in the subject of
       your message. 

       Copyright 1999 Carnegie Mellon University.
       Conditions for use, disclaimers, and sponsorship information can be found in

      From Help Net Security
      by BHZ, Wednesday 15th September 1999 on 7:01 pm CET
      John Vranesevich published his thesis on United Loan Gunmen. Combining his
      "hacker profiler technique", he concluded: "Using concepts developed under its
      "Graphics created by members of the United Loan Gunman match the style and
      technique as graphics developed by members of HFG in September of last year". 
      His article - "Loan Gunmen == HFG?" 
      (found elsewhere in this issue, see LIBEL section 42.0)
      From Help Net Security
      by BHZ, Wednesday 15th September 1999 on 6:11 pm CET
      Security software company Trend Micro Inc. today released new online virus scanning
      service that builds virus protection directly into networks and e-mail systems. Service
      is called eDoctor Global Network and you could find more information on it here
      Trend Micro Announces eDoctor Global Network
      September 14, 1999 Trend Micro Inc. today announced the eDoctor Global
      Network, a worldwide Internet antivirus service initiative designed to provide a
      better defense against Internet viruses. The eDoctor Global Network builds
      malicious code protection right into the Internet infrastructure, enabling
      customers to obtain virus protection as a value-added service from Internet
      service providers, telcos, and managed service providers. By utilizing Internet
      technology and partnering with Internet infrastructure providers and security
      maintenance experts, the Trend eDoctor Global Network provides both home
      and corporate customers with the highest level of virus protection, 24x7
      support and information, and faster response to virus events.  Global Network
      Service Providers include Sprint, US WEST Breakwater Security Associates
      and others.
      From Help Net Security
      by BHZ, Tuesday 14th September 1999 on 7:37 pm CET
      We have released fifth edition of Default newsletter. Topics in this issue are: Hit2000
      report, Interview with v00d00, Want secure and encrypted e-mails?, Security audit
      with our Mac Part-2/2, More from the ACPO front, Infection and vaccination, Watch
      out for documents you publish on The Internet, Freedom of speech - related incidents,
      Y2K survey for 72 countries and brief article on Journalism (see the story below). So
      download default5.txt or If you want to get Default in your mailbox mail with this message in the body - subscribe news
      From Help Net Security
      by BHZ, Tuesday 14th September 1999 on 7:24 pm CET
      Another trojan user has been caught in Croatia. Denis Perisa (16) was questioned of
      entering the home PC of a known politician in his country. He said that he just
      wanted to snatch a connection password for Croatian ISP. Article was first published
      in daily newspapers Vecernji list, but I had to react to the article. It was written very
      badly and the purpose of the article was to modify his part in it. The plain trojan user
      without any knowledge became a super-hacker. My comments to the article could be
      seen here (Croatian language).
      From Help Net Security
      by BHZ, Tuesday 14th September 1999 on 7:18 pm CET
      SubSeven, Hack'a'Tack, Deep Throat, NetSphere are just a couple of the hundreds of
      trojans that are cruising The Internet. A German web site has a nice
      article on trojans and their impact. 
      Read the article here
      Norbert Luckhardt

      Party Crashers

      Danger from uninvited guests on the Windows PC

      It was hardly possible not to hear the uproar triggered by the new Back-Orifice version. But there are several other less
      known relatives of these hacker tools lurking in the Internet that are just as dangerous - no matter whether they are
      called Trojan Horses, viruses or remote management tools. 

      The most prominent member of the backdoor family is probably Back Orifice 2000 (BO2K). Already one week before its 'birth' the
      online media went into a reporting frenzy as if it was the unborn successor to the throne of a cherished monarch. Up to now there
      was much less commotion around SubSeven, Hack'a'Tack, Deep Throat, NetSphere and other cousins of the backdoor celebrities.
      Nevertheless the analysts of the Data Fellows virus laboratories write about the SubSeven author Mobman: 'His backdoor is the
      currently most advanced out there'. And also Network Associates (McAfee) attest a 'high risk potential' for SubSeven - while BO2K
      is only recognized as a medium-size danger. 

      Windows backdoors offer an attacker almost unrestricted access to the victims' computer - according to what is publicized again and
      again. But this formulation is actually still not strong enough: Besides complete access to all files and system passwords such a 'remote
      management access' also paves the road to the local network or Intranet with all the rights of the user. If the user has a multimedia
      computer with camera and microphone he offers the attacker a monitoring station with picture and sound. There even are special
      Websites that show pictures of Back-Orifice victims. 

      Encryption and security software are no real obstacles: The backdoor sends all keyboard entries to the attacker; they can also record
      protocol functions while the user is offline. Together with secret keys or management information from the hard disk the attacker has
      the same capabilities as the rightful user. The backdoors are generally able to start any software while hiding it - there are no visible

      Changing entries in dialog boxes at the last second also seems possible: Just before the user sends off his transfer during homebanking
      for example - PIN and TAN have already been entered - an attacker could in principle lock the keyboard, black out the screen,
      quickly change the data on the fly and finish the transaction. Until the user gets a sobering look at his account statement he probably
      would assume the whole thing was only a minor technical glitch... 

      The 'open' computer can also be used for downloads or remotely turned into a server that covers up the tracks of the attacker for
      more - possibly criminal - activities: for example breaking into other computer systems or exchange and trading with illegal software
      copies or pornography. Apart from that the hacker tools offer a variety of harmless functions that only serve the purpose of confusing
      and annoying the user: switching mouse keys, mirroring the screen, opening and closing the CD-ROM drive, playing sounds, ending
      or crashing Windows and so on. 

      In the early days of the backdoor servers a dial-up connection to the Internet provider still offered a certain protection. After all, the
      attacker needed the IP address of the victim to connect with the parasitical software - and that address generally changes with every
      call. However, today the advanced backdoor servers notify their owners via the communication service ICQ, IRC (Internet Relay
      Chat) or via email and give them the victim's IP address as soon as the computer goes online. 

      From Redmond ...

      Meanwhile there are more than a handful of universal, very well camouflaged backdoors. Some of them try to trick their opponents, the
      virus scanners, by changing shape or varying the data lengths. The anti-virus industry remains unfazed and says that the hacker
      community is underestimating the capabilities of the scanners if they think that they will not be discovered. However, the sheer number
      does bother the manufacturers: Almost 120 culprits are found on one single Website in the 'Black Library of Trojans' - 'The Trojans
      Removal Database' lists more than 50 backdoors with standard file names and registry entries. The
      motto for the virus laboratories is 'stay on it'. Contrary to the classic viruses that only do damage after some time, it does not help the
      user to find out after two weeks that he has a backdoor problem - by then the damage is probably already done. 

      Unfortunately the virus scanners so far only fight half-heartedly against the threat from backdoor servers. The software recognizes
      known Trojan horses (often just called 'Trojans' disregarding the historical events) and for the most part is also capable of deleting the
      dangerous program files. But specific problems are often not taken care of: For example virus scanners generally investigate only
      executable files with the usual file extensions - but when started from the registry a backdoor server could also be called
      'Readme.txt'... Additionally backdoors are usually not recognized during regular operation. Therefore the risk of overlooking Trojans
      depends very much on the users' behavior - if he just relies on the standard settings of a virus scanner he is only protected
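The 'Readme.txt' point above can be turned into a check on the defender's side. The following is an added example, not part of the article: it reads a registry export in REGEDIT4 text form and lists autostart (Run, RunOnce, RunServices, RunServicesOnce) entries whose target file does not carry a usual executable extension. The sample entries, the extension allowlist and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the article): list autostart registry entries whose
# target file does not carry a usual executable extension.

# Constructed sample in REGEDIT4 text form; every value below is made up.
sample_reg() {
cat <<'EOF'
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Notes"="C:\\WINDOWS\\Readme.txt"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Helper"="\"C:\\Program Files\\Helper\\helper.dat\" -s"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"NotAutostart"="C:\\WINDOWS\\Readme.txt"
EOF
}

# suspicious_autoruns [FILE]: read a REGEDIT4 export (file or stdin) and print
# "key<TAB>value name<TAB>image" for each Run* entry with an unusual extension.
# Paths are printed as they appear in the export (backslashes doubled).
suspicious_autoruns() {
    awk '
    BEGIN {
        # Assumed allowlist of usual executable extensions.
        ok["exe"] = ok["com"] = ok["bat"] = ok["cmd"] = 1
        bsq = "\\\""    # two characters: backslash, double quote
    }
    { sub(/\r$/, "") }  # tolerate CRLF line endings
    /^\[/ {
        key = $0
        inrun = (tolower(key) ~ /\\currentversion\\run(once|services|servicesonce)?\]$/)
        next
    }
    inrun && match($0, /^"[^"]*"="/) {
        name = substr($0, 2, RLENGTH - 4)
        data = substr($0, RLENGTH + 1)
        sub(/"$/, "", data)
        if (substr(data, 1, 2) == bsq) {
            # Quoted image path: take everything up to the closing quote.
            data = substr(data, 3)
            p = index(data, bsq)
            image = (p > 0) ? substr(data, 1, p - 1) : data
        } else {
            # Unquoted: take the first token (a simplification).
            p = index(data, " ")
            image = (p > 0) ? substr(data, 1, p - 1) : data
        }
        n = split(image, parts, /\\/)
        base = parts[n]
        if (match(base, /\.[^.]*$/)) {
            ext = tolower(substr(base, RSTART + 1))
            if (!(ext in ok)) printf "%s\t%s\t%s\n", key, name, image
        }
        # No extension at all is not flagged here.
    }' "$@"
}

# Run on a file given as the first argument.
if [ "$#" -eq 1 ]; then
    suspicious_autoruns "$1"
fi
```

On the constructed sample this reports the "Notes" and "Helper" entries and ignores the identical Readme.txt value under the non-autostart Explorer key.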

      Elaborate descriptions of the PC parasites are also hard to find - even if they are in the virus databases. The terminology is getting
      more and more mixed up and makes the search more difficult than necessary. Up to one year ago the families were separated clearly:
      remote management software allows system administrators and support personnel access to the computer without actually having to
      sit in front of it. Trojan horses steal the passwords in the background or do other nasty things while the innocent user is deceived by
      the façade of a more or less useful application or even just by an error message during the startup of the program. Viruses attach to
      the files, multiply and wait to be spread by the user - and then come up with a nasty surprise sometime later. 

      And today? The unsuspecting user opens a backdoor to his system without realizing it while starting or installing a program - with lax
      security settings it could happen by just clicking on a WWW page or reading an email (fortunately in this case several factors must
      come together - so far more a theoretical threat). The backdoors nest in the Windows systems like a virus in a file, trigger hidden
      actions like a Trojan and possess the same capabilities as remote management programs. For example 'Kuang2' is the first real file
      virus that opens a backdoor to the file system - with only 11 KByte code. Luckily Kuang2 is not very widespread. Troy

      Initially the manufacturers of anti-virus software took the easy way out by classifying the backdoors as Trojans because of the hidden
      functions. Strictly speaking this is not correct because the hacker tools do not do anything different than they claim to do - they are
      only difficult to detect. The actual Trojans are the programs that an attacker uses to wrap up the backdoor so a user installs them
      without knowing it. And there even is no need for programming - everything works with the toolbox principle: There is more than just
      one hacker tool for linking events during the program start of Back Orifice and consorts to random useful or funny programs or
      self-extracting archives without the need for any hex editor or previous knowledge. 

      The fact that the producers of anti-virus software increasingly add the new class 'backdoor' to their taxonomy will help to clarify
      matters. Unfortunately the conventions and names of the PC parasites differ from distributor to distributor making it difficult to stay
      informed - a synchronization of the names seems to become more and more impossible because of the sheer number of new entries. 

      On top of that the backdoor authors increasingly protest against the 'denigration' as Trojan Horses: they actually have a point by
      saying that the 'official' tools for remote management can be installed in a certain way so the user does not notice it. The NetBus
      people even accuse Symantec of ruining their business: Their tool is in direct competition with Symantec's PCAnywhere but the virus
      scanner calls NetBus a Trojan leading to confusion among potential customers (also see our interview with C.F. Neikter). 

      The Back Orifice authors from the Cult of the Dead Cow (cDc) direct their criticism against Microsoft: On one side Bill Gates'
      company condemns the cDc program as vicious because it contains 'camouflage functions that have no other purpose than to make it
      more difficult to detect'. On the other side Microsoft writes in their security guide for their own remote management software: 'It is
      possible to configure remote management in a way that there is never any proof of existing remote accesses'. Appropriate measures
      have been taken to satisfy certain customers. cDc calls this 'hypocritical'. 

      Side door

      To declare the hacker tools as a 'totally normal' remote management program that could be misused is only half the truth, however:
      Whether the risk of the authors implementing additional backdoors to their programs is higher than with software from commercial
      distributors is yet another story. But at least the customer would stand a chance of winning when suing the latter for damages. On top
      of that in many hacker tools it seems to be possible to supersede the password protection that is supposed to protect implemented
      servers from unauthorized access. 

      The openly displayed source codes of Back Orifice 2000 offer a new quality: Everybody can convince himself that the backdoor is
      not a real Trojan Horse as well. Evaluating the source code also decreases the probability of undetected implementation errors that
      can lead to security holes - this is a competitive advantage to commercial software for remote management. 

      As long as the operating system does not offer any protection against unwanted programs and hidden functions the user can only use
      the virus scanner to avoid backdoors. A manual search is almost impossible. We can only discourage from using any special solutions
      against the backdoors: Firstly it is highly recommendable to have a virus scanner in the system anyway. And on top of that many
      backdoor killers originate from hacker circles. The temptation of adding a few hidden functions should be fairly high. 

      The best protection against a PC parasite is a healthy portion of mistrust: To execute a program from an unknown source is like
      crossing the street without looking left and right first. It is definitely not a good idea to start executable files that were sent as an
      attachment to email if the transfer was not explicitly arranged with the sender. This is also true for personal email - there is quite a
      variety of viruses that automatically send out email with the name of the computer owner. And 'executable files' is becoming a wider
      and wider expression with regards to macro-capable office documents and HTML mails with active content: If you do not care about
      the more colorful presentation or have confidential data on your computer you should rigorously ban active contents (ActiveX, Java,
      Javascript, VBScript and so on) from mail client and Web browser. 

      In general if the backdoor is used it would probably look more like a cat-and-mouse game between the hacker and the home user.
      However, one should not underestimate possible damage and the threat of criminal use. 

      We can only hope that for future operating system generations more thought is given to the question whether every program really
      needs to have access to every resource of the computer. Until then only three things should be kept in mind: to be careful - but also to
      use chip cards that at least protect secret key data, and to store data that need protection on non-networked computers. (nl)

      Rainer Hansen

      Moose test for Windows

      NetBus Pro and how it happened

      Since version 2.0 the former perfect Trojan example NetBus does not want to be called Trojan Horse nor backdoor but be
      recognized as commercial software for remote management. What started out as hacker fun among friends wants to be all grown-up

      The 21-year-old programmer Carl-Fredrik Neikter caused a lot of commotion. The young Swede developed one of the first
      programs that allows spying out a Windows computer in quite an easy fashion. With version 1.60 Netbus gained worldwide attention
      because contrary to the first Back Orifice it also worked under Windows NT. 

      Neikter almost completely rewrote version 2.0 and added many functions and a sophisticated user interface. Therefore the author
      does not just call it a spy tool anymore but experienced remote management software. At the same time NetBus changed from
      Freeware to Shareware (12 US-Dollar). c't talked to Carl-Fredrik Neikter about background and history of the controversial tool. 

      c't: What are your motives behind NetBus? 

      Neikter: The NetBus 1.x versions were supposed to be a toy. When I noticed that the program is mainly used as a hacker tool I
      decided to continue developing it into remote management software. It already had a few good features that suggested this direction. 
      There are already a few good remote management programs on the market. With the spy functions I wanted to carve out a special
      niche for NetBus Pro. My plan is to also integrate real-time control functions like you would find for example in PCAnywhere or in
      ReachOut. This would allow real-time interaction with other computers. 

      c't: How do you see NetBus in comparison to similar programs like Back Orifice or Socket de Troie? 

      Neikter: I reject any comparison between NetBus Pro and Trojan Horses - NetBus Pro is not a Trojan anymore and should not be
      treated like one by anti-virus software either. 
      Read my Website and you will understand that every program can be hacked and misused. NetBus Pro is in the
      limelight and this can be a problem. But NetBus Pro is not the predominant program out there that can be misused. Look at the
      macro problems with Microsoft Word and the recently discovered CALL security hole in Excel. Should anti-virus software not also
      detect and 'disinfect' non-patched Word and Excel versions? 

      c't: Do you know about any serious damage resulting from your program? 

      Neikter: I do not have any statistics but I know that it was misused often. I received mail from angry people. I am afraid that hackers
      that only wanted to destroy stuff logged on the systems. Unfortunately there are bad people everywhere. 

      c't: Have there also been questions from 'official' sides? 

      Neikter: Yes, a few. NASA and the US Air Force wrote to me. The security chief wanted more information about NetBus because
      he was working on a presentation. 

      c't: Could NetBus not also be used for actual criminal purposes - for example for manipulating homebanking? 

      Neikter: I do not believe that there is a big threat of money being stolen from bank accounts, because online banking (at least in
      Sweden) uses the same password only once. You enter your PIN code in a password generator and receive a code for logging into
      the system or transactions. For every login or for every transaction you must generate a new code [annotation of the editor: in
      Germany this is still pie in the sky.] 
      From Help Net Security
      by Thejian, Monday 13th September 1999 on 10:30 pm CET
      Microsoft is warning users of its Internet Explorer 5.0 Web browser about a
      vulnerability in IE 5's ImportExportFavorites that could let an attacker take the user's
      computer hostage. This feature could allow a malicious Web site operator to run
      executable code on the computer of someone who visits that Web site. "The net
      result is that a malicious Web site operator potentially could take any action on the
      computer that the user would be capable of taking," warned Microsoft in a security
      alert. More info.
      IE 5 bug leaves computers open to invasion 
      By Paul Festa
      Staff Writer, CNET
      September 13, 1999, 9:40 a.m. PT 
      Microsoft is warning users of its Internet Explorer 5.0 Web browser about a security hole that could let an attacker
      take the user's computer hostage.
      The vulnerability is in IE 5's ImportExportFavorites feature, which lets users import and export lists of commonly accessed Web
      addresses. The trouble is that the feature lets a malicious Web site operator run executable code on the computer of someone
      who visits that Web site.
      "The net result is that a malicious Web site operator potentially could take any action on the computer that the user would be
      capable of taking," warned Microsoft in a security alert.
      Microsoft said IE 5 users can disable Active Scripting to protect themselves pending the release of a patch. Scripting lets Web
      authors run mini applications, or "scripts," on a visitor's computer that operate without the user's interaction. Scripting typically is
      used on Web sites for functions like launching pop-up windows or scrolling text across the screen.
      Microsoft posted a list of frequently asked questions, which includes instructions for disabling Active Scripting.
      Microsoft acknowledged Bulgarian bug hunter Georgi Guninski for discovering the security hole. Guninski has been credited for
      discovering numerous security holes in Microsoft and America Online's Web browsers, many exploiting unintended effects of Web
      scripting capabilities.
      Guninski reported a similar hole in IE two weeks ago. Microsoft patched yet another hole in IE's armor the same week.
      From Help Net Security
      by Thejian, Monday 13th September 1999 on 10:00 pm CET
      The FBI has offered Russia a helping hand in cleaning up the Web from Islamic
      militants fighting in Dagestan. According to a report by the BBC the Feds have offered
      to trash Web sites set up by Islamic militants and "eliminate" them. Read (a bit)
      Posted 10/09/99 3:33pm by Tim Richardson
      US helps Russia trash Islamic militant Web sites
      The FBI has offered Russia a helping hand in cleaning up the Web from Islamic
      militants fighting in Dagestan. 
      According to a report by the BBC the Feds have offered to trash Web sites set up by
      Islamic militants and "eliminate" them. 
      Although there has been no official confirmation it would not be the first time such
      tactics have been used in international disputes. 
      Earlier this year it was reported that the CIA had been given the go-ahead by
      President Clinton to wage a cyberwar against Yugoslav leader Slobodan Milosevic. 
      Tim Richardson
      From Help Net Security
      by Thejian, Sunday 12th September 1999 on 11:00 pm CET
      Russian hackers broke into U.S. government computers and may have snatched
      classified naval codes and information on missile systems, Newsweek reported in its
      latest issue. The weekly, quoting intelligence sources, said the suspects were elite
      cyber-spooks from the Russian Academy of Sciences, a government-backed
      organization which works with Russia's leading military laboratories. Newsweek
      quoted one Pentagon official as saying this was "a state-sponsored Russian
      intelligence effort to get U.S. technology," adding it was apparently the first such
      attempt by Moscow. It further quoted Deputy Defense Secretary John Hamre as
      saying: "We're in the middle of a cyber war." 
      Full story.,2294,92270-146247-1027890-0,00.html
      Russian hackers reportedly accessed U.S. military secrets 

      Copyright  1999 Nando Media
      Copyright  1999 Agence France-Press
      From Time to Time: Nando's in-depth look at the 20th century 
      WASHINGTON (September 12, 1999 2:03 p.m. EDT) - Russian hackers broke into U.S. government computers and may
      have snatched classified naval codes and information on missile systems, Newsweek reported in its latest issue. 
      The weekly, quoting intelligence sources, said the suspects were elite cyber-spooks from the Russian Academy of Sciences, a
      government-backed organization which works with Russia's leading military laboratories. 
      The hackers targeted computer systems at the Defense and Energy Departments, military contractors and leading civilian universities. 
      Pentagon officials, describing the intrusions as "sophisticated, patient and persistent," said they began in January and were almost immediately
      detected by U.S. security agents who traced them back to computers in Russia and developed counter-measures, according to Newsweek. 
      But the cyber-spies were said to have quickly developed new tools that allowed them to penetrate undetected, although they at times left behind
      electronic traces. 
      Newsweek quoted one Pentagon official as saying this was "a state-sponsored Russian intelligence effort to get U.S. technology," adding it was
      apparently the first such attempt by Moscow. 
      The weekly said Washington had not yet protested to Moscow but quoted Deputy Defense Secretary John Hamre as saying: "We're in the
      middle of a cyber war." 
      It said the security breach was so serious that the Pentagon had ordered its civilian and military employees to change their computer
      passwords, the first time such a step has been taken. 

      -=----------=-         -=----------=-        -=----------=-       -=----------=- 
                                           O O O   

     -=----------=-   -=----------=-    -=----------=-   -=----------=-  -=----------=-
     END of main news articles content... read on for ads, humour, hacked websites etc
     -=----------=-   -=----------=-    -=----------=-   -=----------=-  -=----------=-
AD.S  ADVERTI$ING.           The HWA black market                    ADVERTISEMENT$.
       *                                                                           *
       *           ATTRITION.ORG                      *
       *           ATTRITION.ORG     Advisory Archive, Hacked Page Mirror          *
       *           ATTRITION.ORG     DoS Database, Crypto Archive                  *
       *           ATTRITION.ORG     Sarcasm, Rudeness, and More.                  * 
       *                                                                           *
       Support and the Free Kevin www.kevinmitnick.com defense fund site, visit it now! FREE KEVIN!
       One of our sponsors, visit them now

        //  To place an ad in this section simply type it up and email it to        //
       //        hwa@press,, put AD! in the subject header please. - Ed    //

HA.HA Humour and puzzles ...etc
                                                           Don't worry. worry a *lot*
      Send in submissions for this section please! ............c'mon, you KNOW you
      wanna...yeah you do...make it fresh and famous...
        ____                 _ _                                 _             _ _
       / ___|  ___ _ __   __| (_)_ __  _   _  ___  _   _ _ __   / \   ___  ___(_|_)
       \___ \ / _ \ '_ \ / _` | | '_ \| | | |/ _ \| | | | '__| / _ \ / __|/ __| | |
        ___) |  __/ | | | (_| | | | | | |_| | (_) | |_| | |   / ___ \\__ \ (__| | |
       |____/ \___|_| |_|\__,_|_|_| |_|\__, |\___/ \__,_|_|  /_/   \_\___/\___|_|_|
                                 / \   _ __| |_
                                / _ \ | '__| __|
                               / ___ \| |  | |_
                              /_/   \_\_|   \__| TOO, for inclusion in future issues
       Do the HWA logo etc and we'll showcase it here to show off your talents...remember
       the 80's? dig out those ascii editors and do yer best...                       
       High Tech Computer Sales Jargon 

      NEW - Different color from previous design
      ALL NEW - Parts not interchangeable with previous design
      EXCLUSIVE - Imported product
      UNMATCHED - Almost as good as the competition
      DESIGNED SIMPLICITY - Manufacturer's cost cut to the bone
      FOOLPROOF OPERATION - No provision for adjustments
      ADVANCED DESIGN - The advertising agency doesn't understand it 
      IT'S HERE AT LAST! - Rush job; Nobody knew it was coming
      FIELD-TESTED - Manufacturer lacks test equipment
      HIGH ACCURACY - Unit on which all parts fit
      DIRECT SALES ONLY - Factory had big argument with distributor
      YEARS OF DEVELOPMENT - We finally got one that works
      REVOLUTIONARY - It's different from our competitors
      BREAKTHROUGH - We finally figured out a way to sell it
      FUTURISTIC - No other reason why it looks the way it does
      DISTINCTIVE - A different shape and color than the others
      MAINTENANCE-FREE - Impossible to fix
      RE-DESIGNED - Previous faults corrected, we hope...
      HAND-CRAFTED - Assembly machines operated without gloves on
      PERFORMANCE PROVEN - Will operate through the warranty period
      MEETS ALL STANDARDS - Ours, not yours
      ALL SOLID-STATE - Heavy as Hell!
      BROADCAST QUALITY - Gives a picture and produces noise
      HIGH RELIABILITY - We made it work long enough to ship it
      SMPTE BUS COMPATIBLE - When completed, will be shipped by Greyhound
      NEW GENERATION - Old design failed, maybe this one will work
      MIL-SPEC COMPONENTS - We got a good deal at a government auction 
      CUSTOMER SERVICE ACROSS THE COUNTRY - You can return it from most airports
      UNPRECEDENTED PERFORMANCE - Nothing we ever had before worked THIS way
      BUILT TO PRECISION TOLERANCES - We finally got it to fit together 
      SATISFACTION GUARANTEED - Manufacturer's, upon cashing your check 
      MICROPROCESSOR CONTROLLED - Does things we can't explain
      LATEST AEROSPACE TECHNOLOGY - One of our techs was laid off by Boeing



      Anonymous Email, WWW and surfing. A sample of a message sent from the anonymous
      replay remailer is included below. This message arrived within 15 minutes of me 
      sending it from the WWW. Check this site out before it gets closed down/becomes
      Email sent using the remailer; 
      Received: from ( []) 
      Received: (qmail 5532 invoked from network); 19 Sep 1999 18:45:25 -0000 
      Received: from (HELO ( 
      by with SMTP; 19 Sep 1999 18:45:25 -0000 
      Received: (from remailer@localhost) by (8.9.2/8.9.2) id UAA28531; 
      Sun, 19 Sep 1999 20:44:57 +0200 (CEST) 
      Date: Sun, 19 Sep 1999 20:44:57 +0200 (CEST) 
      Message-Id: <> 
      From: Anonymous  
      Comments: This message did not originate from the Sender address above. 
      It was remailed automatically by anonymizing remailer software. 
      Please report problems or inappropriate use to the 
      remailer administrator at . 
      You can Send in submissions for this section too if you've found a cool site...
      anonymous email
      Sent with AnonEmail at
      From (remodelled, check it out!)
      Origami is the art of "modelling" paper, erotism is the art of naked bodies. See these two
      mix in Zak Brown Underground origami page. See the dollar bill vagina...etc
  H.W Hacked websites 

      Note: The hacked site reports stay, especially with some cool hits by
            groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

          * Hackers Against Racist Propaganda (See issue #7)

      Haven't heard from Catharsys in a while for those following their saga visit for 'the story so far'...
      Mass Defacement
      By: L0rdMyst1cal
      OS: NT
                                             Uh oh...It seems we have a small security problem here..LoL.
                                                This page is 0wned by L0rdM1stycal. AkA W4rl0rD
                                                                 I am g0d.
                                          h0 h0 h0 h0 naw, just kiddin, this site was h4x0r3d by santa clause....
                                                      How d0es it feel t0 be 0wned lewzer?
        The fact of the matter happens to be, the newz and the press, and the government all get the wrong idea of what a hacker really is, it kinda makes me sick, i'm doing
        this for edjucational perposes ONLY, and i'm doing it because it's fun, and i'm doing it because i'm smarter then you, but the main reason that i'm doing all this is
        because i'm g0d, naw, just kidding, i'm actually doing it, because you IDIOTS out there have no idea what hacking really is. If i see this on the newz and i hear a
        hacker did it, i'm going to hack 80 more pages, why? because what i just did isnt hacking, i diddn't delete anything, i diddn't fuck anything up, all they have 2 do is
        re-upload index.html or index.htm whichever it happens to be on that particular server. The point is i CRACKED this page, i diddn't HACK it, you people need to
                              learn the difference between the 2, and stop badgering real hackers because of what some lamer did. 
                          "This moment in history shall always be remembed, know thy name, but never know they face" -99 L0rdMyst1cal
      Latest cracked pages courtesy of
                                                    Last Updated: 09/16/99 at 14:30

      The Nasdaq Stock Market Web page
      Penghu Islands National Scenic Area, Republic Of China
      L'Association des maires de France
      CompuCentre
      The HITman
      Elite Hangout
      #2 Ministry of Civil Service, Republic of China
      Taiwan Traffic Bureau, Republic Of China
      Millennium Computers and Technology Center
      Catholic Men
      National Guard Bureau
      Shop-With-Me Wines
      Maos Realty
      Agape
      Expoente (BR)
      Montelane
      and more sites at the attrition cracked web sites mirror:

  A.0                              APPENDICES

  A.1 PHACVW, sekurity, security, cyberwar links

       The links are no longer maintained in this file, there is now a
      links section on the url so check
      there for current links etc.

      The hack FAQ (The #hack/alt.2600 faq)
      Hacker's Jargon File (The quote file)
      New Hacker's Jargon File. 
    Mirror Sites around the world:

      International links:(TBC)

      Foreign correspondents and others please send in news site links that
      have security news from foreign countries for inclusion in this list
      thanks... - Ed

      Canada .......:
      Finland ........                
      Germany ........
      South Africa ...       
      Turkey........: - Turkish Scene is Turkey's first and best security related e-zine.
    .za (South Africa) sites contributed by wyzwun tnx guy...                  

    Got a link for this section? email it to and i'll
    review it and post it here if it merits it.



     1998, 1999 (c) Cruciphux/  (R) { w00t }
   [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

The purpose of this site is to better understand computer security.
A hacker, by definition, is a person who seeks to improve information systems with the sole aim of contributing to the stability of those systems!
Popular belief has it that hackers are pirates.
That is true. But there are different kinds of pirate.
Just as there are different kinds of people.
The usual misdeeds that come to mind when the term "computer pirate" comes up
would be hacks of MSN accounts, computers cravenly trojaned with ready-made exploits,
and can spamming even be classed as a hack
when ready-made scripts have been doing it extremely well for more than 15 years?

Hackers are not the ones doing that!!!
We call these people lamers when they are bad at it,
or black hats when they are skilled at carrying out their misdeeds.
No self-respect - No dignity
They act out of disgust, revenge or simple pleasure.
The reasons can be many, and I do not claim to have to judge anyone.
I just think that one should not use Fly's sword to commit injustices.
It is 100 times more rewarding to improve a system than to trample a sandcastle... even if trampling a sandcastle is fun :P
It is up to you to find your fun. ;)


Disclaimer: You must read the rules below before browsing this site.
In accordance with the provisions of the various laws in force: fraudulent intrusion into and remaining on a site, theft and/or falsification of data.
You must under no circumstances put into practice the stratagems set out on this site, which are presented solely for education and research in the field of data protection.
You must under no circumstances use what you have discovered, unless you have written authorization from a site's administrator or the administrator has opened an account for you solely for the purpose of finding vulnerabilities.
All of this is prohibited and illegal; do not do anything reckless.
You therefore accept that the administrator of this site is in no way responsible for any of your actions. Otherwise, leave this site.
You are subject to this disclaimer.