|
Hollywood Wants to Control Computing
DMCA, SSSCA, licenses, copyright, intellectual property,
lawyers, judges, politicians, computer criminals, and
so on. Computing is becoming a glob of legal stuff.
In a nutshell, content providers are worried about
their content being used for free. The following
are some quotes from an article by Mike Godwin.
A major component of new home-entertainment systems is
the personal computer. Says Business Software Alliance
special counsel Emery Simon: "That's the multipurpose
device that has them terrified, that will result in leaking
[copyrighted content] all over the world."
Hollywood believes "Just as computers make it possible
to create remarkably pristine images, they also make it possible
to make remarkably pristine copies." Because computers are
potentially very efficient and capable copying machines, and because
the Internet is potentially a very efficient and capable distribution
mechanism, even in the hands of ordinary individuals, the Content Faction
has set out to restructure the entire digital world we have today.
They want to rearchitect not just the Internet, but every computer
and digital tool on or off the Net that might be used to make
unauthorized copies.
Hollywood Versus the Internet [full article]
[Extra]
U.S. Yanks Mitnick's Radio License
[Extra]
As of Fri Dec 28 05:58:04 MST 2001 the
National Park Service
[http://www.nps.gov] is still down.
[28 December 2001, top]
|
NPS.gov is Down; Terrorists Worked on XP?; XP Cracked
[Item]
Due to security concerns, the has shut down many portions
of its website. Sadly, this includes the
which now has the following posted on its homepage.
Due to conditions outside our department,
the National Park Service has suspended
operation of
www.nps.gov until further notice. We
apologize for this inconvenience and are
working to restore service as soon as possible.
[Item]
A suspected member of the
terrorist network has claimed that Islamic militants infiltrated
and sabotaged the company's
Windows XP operating system, according to this article from
Newsbytes.com.
[Item]
Microsoft has claimed XP is its most secure
OS to date. This was in today's in-box.
Date: Thu, 20 Dec 2001 20:15:44 -0500 (EST)
Subject: CERT Advisory CA-2001-37 Buffer Overflow in UPnP
Service On Microsoft Windows
[...]
Systems affected:
* Microsoft Windows XP
* Microsoft Windows ME
* Microsoft Windows 98
* Microsoft Windows 98SE
[...]
There is a vulnerability in the Universal Plug and Play
(UPnP) service on Microsoft Windows XP and Microsoft
Windows ME that could permit an intruder to execute
arbitrary code with administrative privileges on a
vulnerable system. The UPnP service is enabled
by default on XP. Microsoft does not ship Windows
ME with UPnP enabled by default, but some PC manufacturers
do. UPnP may be optionally installed on Windows 98 and Windows
98SE. This vulnerability was discovered by Eeye Digital Security.
For more information, see
http://www.eeye.com/html/Research/Advisories/AD20011220.html
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
[21 December 2001, top]
|
Here a Crack, There a Crack, Everywhere a Crack Crack
Two cracks: One Microsoft, One Unix [talk about parity].
, the most
commonly used browser on the web (maybe as high as 85%),
has a security hole that allows for spoofed files
to be downloaded onto a person's computer. The spoofing
can be accomplished without the aid of client-side programming.
Microsoft Internet Explorer Download Hole [NewsBytes.com
via Slashdot via KevinO]
A YABO (Yet Another Buffer Overflow) problem has been discovered
on many Unix systems (IBM AIX, HP/UX, Solaris) that allows the
login program to be used to gain root access.
Once somebody becomes root on a Unix system, then that
system has been violated and can no longer be trusted.
Buffer Overflow in System V Derived Login [CERT.org]
[14 December 2001, top]
|
Hodgepodge: Digital Angels; Sousveillance Day; Microsoft Crap; CERT/DOS
Coming Soon: Digital Angels
is a
combination of advanced biosensor technology and
web-enabled wireless telecommunications linked to
GPS. The first target market appears to be Floriduh.
Digital Angel monitors key body functions (e.g. temperature
and pulse) and transmits that data along with location information
to a ground station or monitoring facility.
[
Digital Angel, Chip Implants, and Human Tracking]
Mark Your Calendars: Sousveillance Day
24 December 2001 is .
On December 24th, passengers photograph cab drivers, customers photograph
shopkeepers, citizens photograph police, etc. There is also a photo
competition to encourage participants to send in pictures to be included
in a national face recognition database.
[Details about World Subjectrights
Day]
Microsoft Crap
[item] This hyperlink was provided by [UCLA Professor] and I agree with his editorial
comment that "normal people shouldn't have to keep track of
Microsoft's stupid patches." [I guess Microsoft could always
counter with how do you define normal?]
The Great Microsoft Patch Nobody Uses
[item]
Rumors are circulating that the current Microsoft Security Chief
may start advising our Government on computer security issues.
Given Microsoft's ability to provide a secure computing environment
[humor], I'm not sure this move makes much sense.
Microsoft Takes Its Security Skills to the White House.
[item]
On 04 December 2001, a fake screen saver program
started floating around the Internet that in turn
cracks computers running Windows. The subject-line
says 'Hi!' and the body starts with 'How are you?'
[at least it is user-friendly] The virus is a malicious Windows program
distributed as an email file attachment and via ICQ file
transfers. [
CERT Advisory]
[update] (10 December 2001)
Israeli Teens Created Level 4 Virus
CERT Suffers a DOS Attack
On 05 December 2001, the (Computer Emergency Response Team)
was hit by a strong DOS attack. [In this
case, DOS means Denial-Of-Service and not
Disk-Operating-System.]
[07 December 2001, top]
|
NIPC Worries About CyberProtests (Hackertism)
The NIPC () warns that Cyber protesters
(new word: hackertism) are going to target infrastructure
more often and exploit opportunities to disrupt or damage it.
The Internet is a major infrastructure component and if
it is attacked in a serious way, then I agree with
the NIPC's assessment that it could "bring
about large economic losses as well as potentially
severe damage to the national infrastructure,
affecting global markets as well as public
safety." The NIPC alerts us that "
network administrators must remain educated
and defenses must evolve along with the threats
and offensive capabilities." [really?]
More from :
Cyber Protests: The Threat to U.S. Information
Infrastructure [pdf document]
[Extra]
This week's is all about Red Hat (a major Linux
distributor), but it turns out many of the Linux
tools have security holes and on 29 November 2001
the CERT (Computer Emergency Response Team) issued
Advisory CA-2001-33 Multiple Vulnerabilities in WU-FTPD.
It turns out Red Hat mishandled this flaw
by prematurely releasing a patch that was intended to be part of a
simultaneous multi-vendor release, coordinated by the CERT and scheduled
for 03 December 2001.
[
ZDNet article (hyperlink provided by KevinM)]
[ThurmFoo] If the open source and free software communities
want to battle Microsoft, then this type of slop just cannot
happen. This is Microsoftic computing.
[30 November 2001, top]
|
CyberKnight, MagicLantern, Carnivore, Altivore...
On the next to last page of the Friday, 23 November
2001,
was a news article titled:
FBI developing high-tech eavesdropping tools
The article states that the FBI has technology called
that is one
of many technologies that comprise an FBI project named
. These tools
can intercept every key typed on a dumb keyboard, every
x-y coordinate a dumb mouse may navigate over, every
hyperlink clicked, every email subject-line, every word
of every instant message, every dot-mp3 listened to, every
dot-jpg viewed, so on and so on.
The article indicated that these tools could be installed
on PCs without the PC owner being alerted. [PC stands for
Personal Computer] These technologies can install themselves
using existing cracking tools that exploit known security holes.
[Many of which are buffer overflows.]
Magic Lantern and CyberKnight already have
to
help them out.
A good way to learn about Carnivore is to
learn about Altivore.
[ThurmThanks to JeremyF for
the hyperlink]
[Extra]
Microsoft Says it is Sorry [Thanks Microsoft.]
[23 November 2001, top]
|
Potpourri::DDOS; HTTP Cookies; Microsoft
stands for Distributed
Denial Of Service and DDOS attacks are easy to implement,
but difficult to defend against.
Key Internet Servers Vulnerable to Attack-Experts
from a low-level
perspective are relatively secure; however, the way some
websites use cookies is not. As a result,
Use of Internet Cookies Targeted.
products are dangerously
flawed when it comes to security. It appears as though their
software development practice is to produce just-good-enough
software and patch the problems when they are found.
Microsoft Leaves its Wallet Wide Open.
[16 November 2001, top]
|
Airports Into Scanning Faces
Prior to 911 we had , but
post-911 is leading us into the ubiquitous presence of
-like programs. [e.g.
filtering, Carnivore, Echelon, biometric systems, ...]
Airports around the country are turning to biometrics
to help them with security. The biometric of choice?
Facial scanning.
[Extra]
Microsoft Admits Major Passport Flaw, but according to Phil Agre
it doesn't admit that the "Passport architecture is fundamentally
shoddy."
[09 November 2001, top]
|
Oxymoron: Microsoft Good
I second this motion:
Time to Stop Defending Microsoft Security
Microsoft has always treated security threats as a
public relations problem, so it would do anything
it could not to publicize its susceptibility.
Speaking of Microsoft's new XP operating system...
The following hyperlinks were supplied by
UCLA Professor |
Net Security: An Oxymoron
is a
ThurmDreamTeam member. He is a co-founder of
the PFIR (People For Internet Responsibility),
moderator of the RISKS Digest, and he works
as a Principal Scientist at the Stanford
Research Institute. Neumann is a computer
security guru. Here is a quote extracted from
a recent interview with Neumann conducted
by CNET News.com:
The trouble, Neumann warns, is that the Internet
is populated by computers that were not designed
with network security in mind. As a result, security
is addressed on a patch-by-patch basis, but an effective
solution would require redesigning systems from scratch.
Here is the full CNET News.com interview with
Peter Neumann:
Net security. An oxymoron.
[Extra]
The NSA's (National Security Agency) has been
closed until further notice.
[Extra]
The
website has been cracked.
[26 October 2001, top]
|
Anthrax Worm Suffers from Anthraxic Code
An computer
worm has hit the Internet, but crappy code has
hampered the worm's effectiveness.
About the Anthrax Computer Worm
[Extra]
Virginia Gov. James Gilmore warned a congressional panel
about the threat of a terrorist cyberattack, and urged
the federal government to adopt an array of new defenses
against possible electronic strikes [this includes a
cyber-court]. Gilmore outlined the panel's cybersecurity
findings at a hearing that was cut short when a non-computer
Anthrax scare forced a postponement.
[
More...]
[19 October 2001, top]
|
Newbie Lawyer Thinks Carnivore is Good
Some newbie lawyer has posted a document to the
website
that defends the use of the FBI's spy program. I had to respond to some
of the stuff she wrote and I recorded my response in
this webpage.
[12 October 2001, top]
|
Crack a Computer and Rot in Prison
I believe accessing a computer without permission
is a crime and that those who do it should be treated
like criminals. However, the makes my bark worse
than my bite.
The , which is
legislation that is being discussed in the halls
of our government, classifies most computer crimes
as acts of terrorism. Under this Act, crackers would
face life imprisonment without the possibility of parole.
[
SecurityFocus.com article]
[05 October 2001, top]
|
Communicating Secret Messages Using Steganography
Steganography is a technique that allows
you to encode text or images into documents, images,
or sounds.
There are many who believe terrorists have been
communicating by sending documents around the world
hidden within pornographic images and MP3 files.
Create a resource and execute a program that embeds
your message into the resource. Go to a public computer
(e.g. at the library) and post the resource to a Usenet
group. Place a keyword in the subject line of your posting.
Your partner visits the Usenet group and sees a posting
containing the keyword. They down-load the resource and
execute a program to extract the embedded message.
I found a free program called gifshuffle
that can be used to conceal messages in GIF images by
shuffling the color-map, which leaves the image visibly
unchanged. The program also provides compression and
encryption of the concealed message.
sunnie.gif (no message) |
sunniemsg.gif (contains message)
Note: the GIF file without the encoded message is
2% larger than the GIF file containing the message.
-rw-r--r-- 1 thurmunit user 17696 Aug 3 1999 sunnie.gif
-rw-r--r-- 1 thurmunit user 17347 Sep 28 04:32 sunniemsg.gif
If you want to see the encoded message, then you
need to down-load the gifshuffle program
from the
Gifshuffle Home Page. Using your browser,
get sunniemsg.gif and save it to your disk,
then execute
gifshuffle -C -p foo sunniemsg.gif
The message should read that lucky old sun.
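How a palette ordering can carry data, as an added Python example (not gifshuffle's code and not from the original posting): a color-map of n distinct colours has n! orderings, so the order itself encodes a number, and remapping the pixel indexes keeps the picture identical. Using sorted order as the baseline, the function names and the 8-colour sample palette are assumptions made for the illustration.

```python
import math


def capacity_bits(n_colours):
    """Whole bits an ordering of n distinct colours can carry: floor(log2(n!))."""
    return math.factorial(n_colours).bit_length() - 1


def order_for_number(colours, number):
    """Return the ordering of `colours` whose rank (Lehmer code) is `number`."""
    remaining = sorted(colours)          # assumed baseline: sorted RGB order
    if len(set(remaining)) != len(remaining):
        raise ValueError("colours must be distinct")
    if not 0 <= number < math.factorial(len(remaining)):
        raise ValueError("number does not fit in this palette")
    ordered = []
    while remaining:
        block = math.factorial(len(remaining) - 1)
        index, number = divmod(number, block)
        ordered.append(remaining.pop(index))
    return ordered


def number_for_order(palette):
    """Examiner's side: recover the number from the order the colours appear in."""
    remaining = sorted(palette)
    number = 0
    for colour in palette:
        index = remaining.index(colour)
        number += index * math.factorial(len(remaining) - 1)
        remaining.pop(index)
    return number


def remap_pixels(pixels, old_palette, new_palette):
    """Rewrite pixel indexes so each pixel still points at the same colour."""
    position = {colour: i for i, colour in enumerate(new_palette)}
    return [position[old_palette[p]] for p in pixels]


def render(pixels, palette):
    """Resolve palette indexes to the RGB values a viewer would display."""
    return [palette[p] for p in pixels]


# Constructed sample: an 8-colour palette and a few indexed pixels.
PALETTE = [(0, 0, 0), (255, 255, 255), (255, 0, 0), (0, 255, 0),
           (0, 0, 255), (255, 255, 0), (0, 255, 255), (255, 0, 255)]
PIXELS = [0, 1, 1, 2, 7, 3, 3, 4, 5, 6, 0, 2]
HIDDEN = int.from_bytes(b"hi", "big")    # 26729, which is below 8! = 40320


def demo():
    shuffled = order_for_number(PALETTE, HIDDEN)
    new_pixels = remap_pixels(PIXELS, PALETTE, shuffled)
    same_picture = render(new_pixels, shuffled) == render(PIXELS, PALETTE)
    recovered = number_for_order(shuffled).to_bytes(2, "big")
    return same_picture, recovered, shuffled != sorted(PALETTE)


if __name__ == "__main__":
    print(capacity_bits(len(PALETTE)), demo())
```

A palette whose order differs from the baseline is not proof of a hidden message, since image encoders are free to write colours in any order.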
[28 September 2001, top]
|
Admin Spelled Backwards Equals Nimda
Yet another Microsoft-related virus is
worming its way around the world. This
one is called Nimda, which is
admin spelled backwards.
The Nimda worm has the potential to affect
both user workstations (clients) running
Windows 95, 98, ME, NT, or 2000 and servers
running Windows NT and 2000. Because of its
size and monopoly power, Microsoft places
the responsibility on customers to patch
the holes found in their bad software.
[It's like you buy a car with a faulty
engine and the car dealer gives you a
part and tells you to install it. If
you don't, then don't be surprised if
your car is unusable.]
Nimda spreads through
email, via web surfing and by exploiting known holes
in Microsoft's software.
Nimda is believed to be the fastest-spreading
computer virus ever; it not only attaches itself
to different applications on a computer but spreads
to other computers in several different ways, which
makes it a worm as well as a virus.
The worm modifies web documents (e.g., .htm, .html,
and .asp files) and certain executable files found
on the systems it infects, and creates numerous copies
of itself under various file names.
The cost of fixing problems caused by Nimda
is expected to reach $500,000,000 (half of
a billion dollars).
On 18 September 2001 the
issued
this advisory.
[Extra]
David Dittrich, senior security engineer for the
University of Washington and a computer forensics
expert, believes software makers such as Microsoft
will need to be pro-active about future security holes
and treat them like product defects. "Somehow,
as the number of patches coming out is going up
exponentially, the word has to get out to a larger
number of people to apply the patches."
[21 September 2001, top]
|
Beware of Terrorism-Related Scams Online
The has posted a press
release to their website titled Email Groups Warn
of Terrorism-related Scams Online. Here is a copy
of the first paragraph of their press release.
Email protection and consumer advocacy groups warned
today of online attempts to fraudulently profit from
the .
These attempts are taking the form of unsolicited
email (i.e. spam) and postings in community forums,
soliciting "donations" in the name of
victims of the attacks.
It is always wise to practice safe computing,
but that is even more true in times of uncertainty.
[
Full Press Release]
[Coming Soon] Prior to 911, I was going to post information
about a new Bill called the SSSCA [think ++DMCA] and about
a new worm/virus named Code Blue. In addition, the Attack
on America may result in increased usage of biometrics.
[14 September 2001, top]
|
Biometric Usage: From the Pentagon to Virginia Beach
Today's military weapon systems make extensive use of
computers. Military leaders are concerned that if those
systems end up in enemy hands, then the data stored in
the computers will become intelligence information for
U.S. detractors. To help ensure that the data on the
computers is accessed by authorized personnel only, the
Pentagon Endorses Biometrics To Enhance Computer Security.
Ten (10) cameras feed images of people as they walk
along the Oceanfront to monitors, where software
compares faces against a database of mug-shots,
looking for a match. The database contains
outstanding felony warrants as well as pictures
of runaways and missing people. The software
generally works by creating a map of the
face and then identifying 80 distinctive points.
To achieve a match, 14 of those points must align
with a mug-shot. It appears as though they are
Scanning Faces in Virginia Beach.
Biometric related hyperlinks:
Biometric Consortium
Biometrics Digest [pro-biometric website]
Fight the Fingerprint [anti-biometric website]
[07 September 2001, top]
|
Scanning Faces at Borders; default.ida
When it comes to buying computer books, I like to
shop at . I'm
looking forward to the Borders opening on Mill
Avenue in downtown Tempe.
A couple of weeks ago reported that a couple
of Borders stores in the UK were going to set up
a security system that scans the faces of people
entering the store and compares the images to
those of known shoplifters.
Well... it turns out many Borders customers
were upset about this and as a result Borders
has decided not to install the security
system. Here is a quote from :
Borders strongly values the human rights and privacy of our staff and
our customers. At Borders, we feel we have an obligation to provide a
safe environment for our customers and staff. We promise to continue to
do so, while offering the best selection and service available anywhere.
[
More... from ]
[Extra]
The
worm has tried to attack the CSC servers at SCC. I
came across the following webserver log entry
200.47.144.162 - - [27/Aug/2001:18:38:58 -0700]
"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9
090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
0%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 283
I didn't know what a default.ida
file was and a Google search resulted in the
following find
http://thesitewizard.com/news/coderediiworm.shtml.
Estimated worldwide cost of the Code Red: $2.6 billion.
It appears the worm came from some university in China.
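A way to spot requests like the one above in an access log, as an added Python example (not part of the original posting): it rejoins hard-wrapped entries, then flags .ida requests whose query string carries a long run of one filler character or several %u-encoded words. The thresholds, function names and sample log lines (documentation IP addresses) are assumptions constructed for the example.

```python
import re
from collections import Counter

# A new Common Log Format record starts with: host ident user [dd/Mon/yyyy:
RECORD_START = re.compile(r'^\S+ \S+ \S+ \[\d{2}/[A-Za-z]{3}/\d{4}:')
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
FILLER_RUN = re.compile(r'(.)\1{99,}')        # 100+ repeats of one character
U_ENCODED = re.compile(r'%u[0-9a-fA-F]{4}')   # %uXXXX words as in the entry above


def unwrap(lines):
    """Rejoin entries that were hard-wrapped, as the quoted entry was."""
    records = []
    for line in lines:
        line = line.rstrip('\r\n')
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line               # continuation of the previous entry
    return records


def inspect(record):
    """Return the request's details and the signs found, or None if unparsable."""
    m = CLF.match(record)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    signs = []
    if path.lower().endswith('.ida'):
        signs.append('ida-request')
    if FILLER_RUN.search(query):
        signs.append('filler-run')
    if len(U_ENCODED.findall(query)) >= 4:
        signs.append('u-encoded-words')
    return {
        'host': m.group('host'),
        'time': m.group('time'),
        'status': int(m.group('status')),
        'query_len': len(query),
        'signs': signs,
        # An .ida request alone is not enough; require a second sign.
        'suspicious': 'ida-request' in signs and len(signs) >= 2,
    }


def scan(lines):
    """Return (suspicious entries, hits per source host, unparsable count)."""
    hits, unparsed = [], 0
    for record in unwrap(lines):
        info = inspect(record)
        if info is None:
            unparsed += 1
        elif info['suspicious']:
            hits.append(info)
    return hits, Counter(h['host'] for h in hits), unparsed


def wrap(text, width=52):
    """Hard-wrap one entry the way the quoted entry appears on the page."""
    return [text[i:i + width] for i in range(0, len(text), width)]


# Constructed sample log; addresses are documentation ranges, not real hosts.
PROBE = ('192.0.2.10 - - [27/Aug/2001:18:38:58 -0700] "GET /default.ida?'
         + 'X' * 224 + '%u9090%u6858%ucbd3%u7801' * 2 + '=a HTTP/1.0" 404 283')
SAMPLE_LOG = (
    ['198.51.100.7 - - [27/Aug/2001:18:37:41 -0700] "GET /index.html HTTP/1.0" 200 1043']
    + wrap(PROBE)
    + ['198.51.100.7 - - [27/Aug/2001:18:40:02 -0700] "GET /search.ida?q=parks HTTP/1.0" 404 283']
)

if __name__ == "__main__":
    found, by_host, bad = scan(SAMPLE_LOG)
    for hit in found:
        print(hit['host'], hit['time'], hit['status'], hit['signs'])
```

The status code is reported with each hit so the reader can tell a request that found nothing at that path, such as the 404 above, from one that was served.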
[31 August 2001, top]
|
Identity Theft -- It Happens
I'm not sure I would be overly happy if somebody
assumed my identity [at least without first
seeking out my permission]. How about you?
Identity Theft has been a recurring problem
for many years, but the exchanging of personal information
via the Internet has made Identity Theft easier for the
criminals of our world.
is
an organization formed to help us protect our
privacy and identities. Their website has all
kinds of useful information. If you don't think
Identity Theft can happen, then here are some
Identity Theft Victims' Stories.
[Extra]
The following was distributed by the
:
"San Jose, California - Russian programmer Dmitry Sklyarov will appear
in a California federal court this Thursday, August 30, for an
arraignment on charges of trafficking in a copyright circumvention
device. For programming a software application that appears to be
legal in Moscow where he wrote it, Sklyarov -- who is out of custody
on $50,000 bail -- faces a potential prison term of five years and a
$500,000 fine."
"Well-dressed observers plan to attend the arraignment and nonviolent
protests are scheduled in Moscow (Russia), London (England), Boston,
Chicago, Los Angeles, San Francisco, and Black Rock City, Nevada. The
San Francisco protest will likely be well-attended since it will start
during the Linux World conference in front of the Moscone Center at
11:30 AM on August 30."
[ThurmFoo] Black Rock City, Nevada is
home of
Burning Man [which started on 27 August].
[24 August 2001, top]
|
Code Red Planning Another DDOS Whitehouse Attack
The Code Red worm continues to live and
computer security experts are predicting that it will
commence a second denial of service attack against an
IP address assigned to the website for the White House
at 8:00pm (Eastern) on Sunday, 19 August 2001. Proof
that the worm is still crawling the Internet:
"A minimum of eight servers operated by division have
been infected with the Code Red worm, according to
independent intrusion monitoring services."
Netscape Hit by Code Red from .
[17 August 2001, top]
|
Standing Up to Spam
During May 2001, the US House Judiciary Committee took up the issue of
spam and a couple politicians were going to introduce a bill that would
have allowed spam email recipients to sue the sending companies should
the company fail to remove the recipient from their distribution list.
But, some other politician came along and butchered the bill.
Standing Up to Spam from .
[10 August 2001, top]
|
Denver, CO to Scan Faces
The in
, is buying cameras
that will map every driver's facial characteristics like a three-dimensional
land chart. Why? It is an effort to prevent identity theft and driver's
license fraud.
Driver's get Faces Scanned from the .
[Extra] Last week we posted an item about
Tampa, Floriduh using scanners to help keep streets
safe. It appears as though people like to give the
spy-cams the
one finger salute.
[Another Extra] Due to the
virus, the
took the dot-mil websites off-line.
[
More...]
[27 July 2001, top]
|
Code Red Virus Hits the Internet
The has issued an advisory
on the Code Red virus. This virus uses systems running
Microsoft Windows NT 4.0 and Windows 2000 with IIS 4.0 or IIS
5.0 enabled. [IIS is Microsoft's webserver software.]
A recent report indicates that the Code Red virus
has been used to launch a denial of service
attack against www.whitehouse.gov.
Here is a Code Red overview provided by the CERT:
The CERT/CC has received reports of new self-propagating malicious
code that exploits certain configurations of Microsoft Windows
susceptible to the vulnerability described in CERT advisory CA-2001-13
Buffer Overflow In IIS Indexing Service DLL. These reports indicate
that the "Code Red" worm may have already affected as many as 225,000
hosts, and continues to spread rapidly.
CERT Advisory CA-2001-19 "Code Red"
Worm Exploiting Buffer Overflow In IIS Indexing
Service DLL
[Extra] Who stores classified information
on lap-top computers? The
FBI.
[20 July 2001, top]
|
POT Related Virus Hits the Internet
We support POT, but to us POT is Plain-Old-Text.
[20 years ago, POT was Plain-Old-Telephone] A
POT related virus has hit the Internet, but in
this case POT equals marijuana. The virus arrives
as an email with the message, check this out,
with a file named SYSTEM32.EXE attached.
"When activated the worm sends itself to everyone in
your address book, appears as a little marijuana leaf in
your system tray or on your task-bar and modifies the home
pages of your Internet Explorer browser to point to
My.Marijuana.com.
When the marijuana leaf is clicked on, a message in support of
legalizing Marijuana pops up. The virus also appears twice a day
as a message box reminder saying: "Time to toke up :)".
From comes
Marijuana Worm Too Mellow to Spread
[13 July 2001, top]
|
Tampa Must Like Biometrics
Police in Tampa, Florida, are using cameras equipped with
face-recognition software to search for criminal suspects
among people in a downtown district. Since Flori-duh doesn't
know how to handle their voting systems, it seems fitting the
state will allow some of its cities to violate the privacy of
residents and visitors.
Tampa Scans Faces from via the .
[FlashBack] The 02 February 2001 posting was about Tampa police
using cameras to scan for criminals at the 2001
Super Bowl.
[06 July 2001, top]
|
Opt-Out Must be the Default
Some websites use legal-like jargon to
cause users to not opt-out (i.e. opt-in).
They use the word not in their
prompts. Programmers always pay close
attention to when the not
operator is used in expressions.
Note: JavaScript is used to cause the
checkbox input element
to be automatically checked and
unchecked -- i.e. it blinks.
[
view source]
The default is opt-out. The
checkbox input element
is never automatically checked. If
the user wants to opt-in, then they
check the box. The prompt does not
contain the word not.
[29 June 2001, top]
|
The Case Against Absolute Privacy
the CEO of
Sun Microsystems [and Bill Gates wanna-be] has indicated
that absolute computing privacy is dangerous and
not always necessary. Here is a quote from McNealy:
"Any company that doesn't properly safeguard people's
personal information will suffer the same fate as a bank that
doesn't safeguard people's money. It will go out of business.
But privacy is not always desirable -- and absolute privacy
is a disaster waiting to happen."
I like this because it justifies the fact that
given today's computing environment absolute
privacy is impossible to guarantee. McNealy's
opinion provides the computing industry with
the ultimate excuse when people's privacy is
violated. [We never promised absolute privacy.]
The Case Against Absolute Privacy from the .
[22 June 2001, top]
|
Crackers Keep a Cracking
The following is from the 15 June 2001 issue
of the
by computer security guru .
The team of researchers
has built an entire computer network and completely wired it
with sensors. Then it put the network up on the Internet, giving
it a suitably enticing name and content, and recorded what happened.
(The actual IP address is not published, and changes regularly.)
Hackers' actions are recorded as they happen: how they try to
break in, when they are successful, what they do when they succeed.
The results are fascinating. A random computer on the Internet is scanned
dozens of times a day. The life expectancy of a default installation of
Red Hat 6.2 server, or the time before someone successfully hacks it, is
less than 72 hours. A common home user setup, with Windows 98 and file
sharing enabled, was hacked five times in four days. Systems are subjected
to NetBIOS scans an average of 17 times a day. And the fastest time for a
server being hacked: 15 minutes after plugging it into the network.
I have first hand experience with a
Red Hat 6.2 system being cracked
within 72 hours. It happens!
[15 June 2001, top]
|
Apache.org Cracked Using the SSHd
This week's posting deserves a great deal of discussion,
but we only have time to summarize in one word: Yuck.
I copy/pasted the following from :
Specifically: on May 17th, an Apache developer with a
SourceForge account logged into a shell account at
SourceForge, and then logged from there into his account
at apache.org. The ssh client at SourceForge had been
compromised to log outgoing names and passwords, so the
cracker was thus able to get a shell on apache.org. After
unsuccessfully attempting to get elevated privileges
using an old installation of Bugzilla on apache.org,
the cracker used a weakness in the ssh daemon (OpenSSH 2.2)
to gain root privileges. Once root, s/he replaced our ssh
client and server with versions designed to log names and
passwords. When they did this replacement, the nightly automated
security audits caught the change, as well as a few other trojaned
executables the cracker had left behind. Once we discovered the
compromise, we shut down ssh entirely, and through the serial
console performed an exhaustive audit of the system. Once a
fresh copy of the operating system was installed, backdoors
removed, and passwords zeroed out, ssh and commit access was
re-enabled. After this, an exhaustive audit of all Apache
source code and binary distributions was performed.
Again, Yuck.
I had a real-world
experience today that will be used for next week's posting.
[08 June 2001, top]
|
CERT + EIA = ISA (Internet Security Alliance)
plans to begin selling the confidential warnings it has been giving
out to government agencies. Companies can pay between $2,500 and
$70,000 a year to receive the warnings 45 days before they are
released to the public.
The CERT has teamed up with the to create
the .
The ISA aims to enhance the information security of
member companies and, ultimately, the greater Internet
community, and to offer high-value information networks
that bring usable business ideas and thinking to member
companies.
[More...http://www.isalliance.org]
[01 June 2001, top]
|
CERT Website Hit by a DOS Attack
The
website has been subjected to a DOS (Denial-of-Service) attack. The attack
was reported in the "Nation" section of the 24 May 2001
(i.e. I.Q. Public may
have read about it) along with a bunch of online Internet resources.
is a federally funded computer
security group that warns government agencies and other computer
users about computer attacks and viruses.
was formed in 1988
after the first major crack of the Internet.
A attack is designed to keep a
server busy by flooding it with a bunch of simple service requests.
If you do any type of , then you should
be a regular visitor to
http://www.cert.org.
[25 May 2001, top]
|
Yale University has a Censorhappy Dean of Students
On 12 April 2001, the dean of students at ordered the school's newspaper to remove an
article about how poorly the Secret Service is protecting President
Bush's daughter. The paper, which is called the Rumpus,
is currently unavailable.
More... from .
[18 May 2001, top]
|
DVDs, CSS, DeCSS, 2600, OpenLaw, DMCA
Programmers at MIT created a short Perl program
that strips from DVDs a layer of encryption that
prevents people from watching DVDs without authorization.
The program name is qrpff and here is a copy
of it. [Does providing this source code make us a criminal?]
Update Wed Aug 29 07:09:37 MST 2001
The DMCA has me scared; therefore, I have removed
the source code from this posting.
stands for , a (very weak) encryption used
for movie DVDs. is a piece of
software that breaks the CSS encryption and allows the reading of
encrypted DVDs.
has posted
DeCSS stuff to their website and the courts have been
after them to stop doing it. 2600 is being defended
by
Openlaw::Open DVD.
[04 May 2001, top]
|
RIAA Prevents Professor From Sharing Work
On Tuesday, 24 April 2001, we sent an email to Dennis Ritchie
informing him that Unix made the New York Times crossword
puzzle. Ritchie replied and he alerted us to a New York
Times article concerning the RIAA and SDMI.
From dmr@plan9.bell-labs.com Tue Apr 24 13:22:00 2001
Subject: Re: [cszero] NY Times Crossword (fwd)
Thanks for the tip about the crossword. Looks like
two interesting things in the paper today-- that
and the Markoff article about the Felten et al.
paper about SDMI-hacking that RIAA is trying
to suppress.
Ritchie's concerns were about a scholar being threatened with lawsuits if
he presents how his group cracked the code of a music copyright
protection technology. Felten works in steganography,
which deals with concealing data openly. Felten received written
notice of possible action from the . Felten's research
stems from work done last year with the , a creation of
the recording industry. It is academic freedom versus the
interests of business. The says that sharing information on methods of
cracking computers and other technologies is illegal.
[source::New York Times via Dennis Ritchie via NickB]
RIAA Challenges SDMI Attack from
.
On Thursday, 26 April 2001, bowing to a threatened recording
industry lawsuit, a Princeton University computer scientist
decided against revealing Thursday how he and other researchers
thwarted security measures meant to protect copyrighted
digital music. [source::New York Times]
[27 April 2001, top]
|
Selling Urine Over the Web
Kenneth Curtis was arrested after selling his urine over the Internet.
Curtis was quoted saying "I'm not a drug dealer. I'm a urine
dealer." He was arrested at a gas station after he allegedly
delivered a urine kit to an undercover agent, who bought it online.
The state Supreme Court heard arguments in October about whether it
was legal for Curtis to sell urine online but has yet to rule on the
case. Curtis, who has sold his urine over the Internet for three years,
sued because he said the new statute targets him and infringes on his
constitutional rights. [Note: As of 20 April 2001, iUrine.com
and Pee4Sale.com are available.]
From the 13 April 2001 :
Urine Dealer Claims Free Speech [source::Declan McCullagh]
[20 April 2001, top]
|
$3.9 Billion Internet-based Bank Fraud Uncovered
On 12 April 2001, the reported that it had uncovered an Internet-based
scheme involving fake bank guarantees worth $3.9 billion.
Twenty-nine websites were used in the scam and have been
shut down, but the principals behind the fraud were still
at large. The websites were hosted by U.S.-based ISPs.
Multi-Billion Dollar Net Banking Fraud Uncovered
[Extra]
On 06 April 2001, the issued an advisory about a security hole in
shopping-cart software produced by PDG Software, Inc. Crackers
used this hole to
steal credit card numbers. I was curious as to what websites are
using PDG Software, but I was not able to find anything except a piece
from November of 1999 about security problems with PDG Software.
[
PDG Software's Response to Security Threat]
[13 April 2001, top]
|
Security Hole Found in MSIE
A security hole has been found in the (MSIE) browser program.
On 03 April 2001, the
(Computer Emergency Response Team) issued
CA-2001-06 Automatic Execution of Embedded MIME Types --
Microsoft Internet Explorer. [Note: MSIE is used by
approximately 68% of web users.]
[Extra] This appears to be a first: A virus called
has been produced
that runs on both Windows and Linux systems. It can replicate
under Windows 95/98/Me/NT/2000 (Win32) and Linux operating systems
and it infects EXE (Windows executable) and ELF files (Linux executable).
[
A Virus that Leaps Platforms]
[06 April 2001, top]
|
Security Flaw Reported with TCP
A company named Guardent
issued an advisory reporting a TCP security flaw.
Their report generated some Internet-based discussion,
but for the most part it was considered unimportant
because they reported about a problem that existed in
1986. In 1996,
wrote a document explaining how to overcome it and most
of today's operating systems have probably implemented
AT&T's suggestions. [TCP -- Transmission Control
Protocol -- is one of the protocols used to transmit
data over the Internet. Webpages, email, telnet, FTP,
and so on use TCP.]
The TCP flaw stems from the random generation of initial
sequence numbers, which were believed to protect the
communication device. Guardent researchers discovered
that these sequence numbers are guessable with a high
degree of accuracy.
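The difference between a guessable generator and the per-connection keyed form later standardised in RFC 6528, as an added example (not code from the advisory or from any operating system). The increment, secret and addresses are constructed values, and HMAC-SHA256 stands in for the hash function F.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
STEP = 64_000                              # constructed per-tick increment
SECRET = b"constructed-demo-secret"        # a real stack draws this at boot


def weak_isn(ticks, four_tuple):
    """One global clock-driven counter; the connection is ignored."""
    return (ticks * STEP) & MASK32


def keyed_isn(ticks, four_tuple, secret=SECRET):
    """RFC 6528 form: ISN = M + F(localip, localport, remoteip, remoteport, secretkey)."""
    msg = "|".join(str(field) for field in four_tuple).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = struct.unpack("!I", digest[:4])[0]   # F truncated to 32 bits
    return (ticks * STEP + offset) & MASK32


def cross_connection_hit_rate(gen, trials=100):
    """Audit: how often does an ISN seen on connection A give away B's ISN?"""
    hits = 0
    for i in range(trials):
        conn_a = ("192.0.2.10", 80, "198.51.100.7", 40000 + i)
        conn_b = ("192.0.2.10", 80, "203.0.113.5", 50000 + i)
        seen = gen(1000 + i, conn_a)               # sampled at tick t
        guess = (seen + 3 * STEP) & MASK32         # extrapolated to tick t+3
        hits += guess == gen(1003 + i, conn_b)
    return hits / trials


if __name__ == "__main__":
    for name, gen in (("weak", weak_isn), ("keyed", keyed_isn)):
        rate = cross_connection_hit_rate(gen)
        print(f"{name:5s} cross-connection hit rate: {rate:.2f}")
```

Within a single connection the keyed generator still advances with the clock, so old duplicate segments are handled as before; only the offset between unrelated connections is hidden behind the secret.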
There are many computer researchers who believe
truly random numbers cannot be generated. If this
is true, then no tool can have 100% random behavior.
[30 March 2001, top]
|
Fraud Detected in Authenticode Code Signing Certificates
Wow... first we were going to report about a security
hole in TCP [Transmission Control Protocol, which
is one of the protocols used to transmit data over
the Internet], but then we learned about a
security problem with PGP [Pretty Good Privacy, which
is an encryption technique that is commonly used to
protect messages (i.e. data) that are transmitted over
the Internet], but then on 22 March 2001, CERT
issued an advisory warning that VeriSign issued two certificates to an individual
fraudulently claiming to be an employee of Microsoft Corporation.
Any code signed by these certificates will appear to be legitimately
signed by Microsoft when, in fact, it is not.
The following was copied from the website:
The risk associated with these certificates is that the
fraudulent party could produce digitally signed code and
appear to be Microsoft Corporation. In this scenario, it
is possible that the fraudulent party could create a
destructive program or ActiveX control, then sign it
using either certificate and host it on a Web site or
distribute it to other Web sites.
VeriSign has revoked the certificates, which is a
necessary step, but it only works if software
checks the CRL (Certificate Revocation List).
Microsoft's Internet Explorer program does
not automatically do this.
At the time of the CERT advisory there did
not appear to be any patches available that
directly address the issue, and Microsoft
is working on producing patches that will ensure
the invalid certificates are not used.
[Side-bar] At the 1997 Java One conference, I
saw a webpage fetched that contained an ActiveX
control which then proceeded to examine Excel
spreadsheet data, Quicken data, and other files
containing data on the user's local computer.
When it was done doing this, the ActiveX control
proceeded to erase data from the hard-disk.
but then... I find out about the
Lion Worm that attacks using BIND DNS
on Linux machines. I was done for the week
with this particular resource, but I was online
so what the heck -- we did this bonus
posting. [Remember that Billy Preston song...
nothing from nothing is nothing.]
[23 March 2001, top]
|
A Bit About Information Warfare
Time and time again we have indicated how awful cyberwar
will be. Corrupting data can be an effective way to
"drop bombs" on all citizens of a country. I would not
be happy to wake up some morning and have no money in my
checking account. I want to thank for providing a resource that introduces us
to the idea of
Information Warfare.
[09 March 2001, top]
|
ISP Guilty of Serving Up Child Porno
reports:
An ISP in Buffalo NY pleaded guilty to
the State Supreme Court to a misdemeanor charge
of knowingly providing access to child pornography.
I agree with the following quote:
"What the New York authorities are saying is
that ISPs are going to have to choose between being
policemen or criminals."
Excuse my childishness, but yuck. If I'm an ISP,
then I don't want the responsibility of deciding
what can and cannot be served.
It would be nice to be an ISP that didn't have to
host everybody and anybody, but most ISPs cannot
afford to turn away accounts. Our long-term goal
is to establish an ISP that is open and free that
serves up nothing but good stuff.
WiredNews::ISP Guilty in Child Porn Case
[02 March 2001, top]
|
PFIR -- Professionals For Internet Responsibility
is the and this
organization is...
"a global, ad hoc network of individuals who are
concerned about the current and future operations,
development, management, and regulation of the Internet
in responsible manners. The main goal of PFIR is to help
provide a resource for individuals around the world to gain
an ability to help impact these crucial Internet issues, which
will affect virtually all aspects of our cultures, societies,
and lives in the 21st century. PFIR is nonpartisan, has no political
agenda, and does not engage in lobbying."
I've gotten lots of good stuff from the via their low-volume mailing list. was founded by Internet veterans
Lauren Weinstein and Peter Neumann.
[Note: ThurmUnit is a long time hyperlinker to Neumann's
RISKS Digest,
which is a moderated digest of postings from the
comp.risks Usenet newsgroup. Weinstein maintains
the Privacy Forum
and his most recent posting is
Network Solutions Sells Out -- Domain Info For
Sale to Marketers.]
If you are interested in making sure the Internet
remains open and fun, with minimal rules, regulations,
and laws, and safe from a political takeover, then visit
at
http://PFIR.org.
[23 February 2001, top]
|
Anna Kournikova Virus Worms the Internet
A person from the Netherlands who goes by the handle
has admitted to
writing the
email worm that hit the Internet on 12 February 2001.
The cracker posted the Visual Basic code to the
alt.comp.virus.source.code Usenet newsgroup.
Note: the cracker created their worm using a
point-and-click virus creation program called
the "Vbs Worms Generator."
Here is what appears to be a Usenet posting by OnTheFly.
Date: Tue, 13 Feb 2001 17:49:00 GMT
From: OnTheFly <OnTheFly@Cotse.com>
Newsgroups: alt.comp.virus.source.code
Subject: Re: annakournikova / onthefly
Some info:
http://members.tripodnet.nl/on_the_fly/index.html
Interview with the writer:
http://www.wired.com/news/technology/0,1282,41782,00.html
Greetz,
OnTheFly
[Side-bar] I posted this to ThurmUnit because
Anna Kournikova is a popular query string entered
into search engines. Now if somebody searches for
her, then maybe a hyperlink to ThurmUnit will show
up. Users will probably have to scroll through hundreds
of screens before hitting the ThurmUnit hyperlink, but
what the heck.
[16 February 2001, top]
|
Privacy.org -- Helping Keep the Internet Safe
As users of the Internet continue to enter more
and more information into email messages, chat
rooms, bulletin-boards and newsgroups, privacy
issues become increasingly critical.
Privacy.org
is the website for daily news, information, and
initiatives on privacy. It is a joint project of
the and . The following quotes
were obtained from :
Privacy is a right not a preference.
No eCommerce without ePrivacy.
Protect privacy protect anonymity.
[09 February 2001, top]
|
Beware... Facial Scanning Happens
I've had this facial scanning news item stored away
since 16 January 2001. It comes from and it is about how Ontario (Canada)
police want to use facial-scanning technology in casinos. They
justify its use because there is "no expectation of privacy" at
a casino.
[NationalPost.com article]
Recall, the 10 Nov 2000 posting was about how facial scanning
was being used to control access to clubs in the Netherlands.
[Cyber-bouncer article]
Now, on 31 January 2001, there were reports that facial scanning
was done at the Super Bowl to search the crowd for potential bad guys.
[WashingtonPost.com article]
Facial scanning is one of many forms of biometrics.
The overall market share for each of the biometric technologies
in 2000, however, was divided among fingerprint (39.1 percent),
hand (31 percent), voice (15.8 percent), face (7.1 percent),
eye (4.3 percent), and signature (2.7 percent).
[02 February 2001, top]
|
Microsoft Experiences a DOS Attack
computers were subjected to a
DOS attack on 25 January 2001. We have discussed DOS
attacks in previous postings.
29 December 2000
Provided the following hyperlink to the
New Year's DDOS Advisory.
13 October 2000
This posting reported the following.
Many computer security experts are predicting that a major
DOS attack will happen in the near future. In this scenario
DOS stands for Denial Of Service. DOS is an assault
on a network that floods it with so many additional requests
that regular traffic is either slowed or completely interrupted.
Unlike a virus or worm, which can cause severe damage to databases,
a denial of service attack interrupts network service
for some period and does not corrupt data.
12 Feb 2000
Here is a copy of that week's posting.
On 28 Dec 1999, the issued the following advisory:
CERT Advisory CA-99-17 Denial-of-Service Tools. On 07 Feb 2000 and
08 Feb 2000 major "Denial-of-Service" attacks were launched against
the world's largest websites (Yahoo, Ebay, CNN, and so on).
This Internet crack has all kinds of rumors behind it. Here
are just a few of what I have heard: it was conducted by our
Government to test just how bad Internet security is; it was
due to Y2K problems in many of the routers; a good portion of
the attacks were conducted using Stanford University's network.
On 02 Feb 2000, the issued
CERT Advisory CA-2000-02: Malicious HTML Tags Embedded
in Client Web Requests. Wow... I can hardly wait
for this one to manifest itself.
The
helps us answer the question...
what is ping?
Back to 26 January 2001...
During the 25 January 2001 CSC200 class I executed
the Unix whois command using microsoft.com
as an argument and redirected the command's standard output
stream into a file named msft.
$ whois microsoft.com >msft
Now we'll view the content of the file using the
Unix view command. [This command is really
the vi program, but it does not allow us
to modify the file -- we are in read-only
mode.] You will have to click the hyperlink
to see the file content.
$ view msft
[26 January 2001, top]
|
Help for Keeping Computers Secure
This week's posting provides some simple guidelines for
helping keep computers secure and, surprisingly, these
guidelines are provided by Microsoft -- a leader in
insecure computing. We also provide a hyperlink to
a resource that informs us of some useful tools for
helping keep our computers safe from the crackers of
the world.
The Ten Immutable Laws of Security from the
Microsoft Security Response Center
Top 50 Security Tools provided by
Insecure.org
[19 January 2001, top]
|
Why is There a Security Watchdog?
Given the explosion of the Internet during the last half of
the 1990's, computer security has become an increasingly
important issue. As of 01 January 2001, it is estimated
that computer users will spend more than $3 billion over
the next three years on security software to combat a rise
in computer-related offenses such as cracking. Thanks to
the WWW, John Q. Public has access to an amazing quantity
of stuff and public computer networks are used more today
than ever before.
The was started
to help us keep track of what is going on in the area of
computer security. Topics such as privacy, data encryption,
computer ethics, digital identity, biometrics, free speech,
and so on are critical to keeping the Internet a safe and
useful tool.
As of 01 January 2001, there have been 38 postings made
to the .
Typically, this resource is updated on a weekly basis.
[12 January 2001, top]
|