During the last Introductory Unix class for Fall 2002 (Tuesday, 17 December 2002) I lectured about taking pride in becoming super-user. If an employer gives you root access to their computers, then they are trusting us to treat their data (i.e. information) with respect.

The next day, 18 December 2002, Slashdot.org had a discussion thread on the topic on when a SysAdmin goes bad.

On Wednesday, 08 January 2003, the Arizona System Administrators Guild (AZSAGE) is going to have a speaker speak about Computer Crime and the SysAdmin.

[Extra] From InternetWeek.com... "A flaw in popular shopping cart software allows customers to modify the price of items that they purchase, a security firm has warned. ShopFactory, from 3D3.com in Australia, stores prices in cookies on the customer browser, and customers can change those prices by simply editing the cookies using a text editor, according to Trust Factory." Note: InternetWeek.com used the term flaw, but I prefer to call it a defect. [At least they didn't use the term bug.] [Trust-Factory.com]

A test suite was created that "demonstrated a number of vulnerabilities in different vendors' SSH products. These vulnerabilities include buffer overflows, and they occur before any user authentication takes place."

The test suite found the following defects.

   incorrect field lengths
   lists with empty elements or multiple separators
   "classic" buffer overflows
   null characters in strings

The aforementioned defects are common in many computer programs that are written in C and C++ programs.

CERT.org::Multiple Vulnerabilities in SSH Implementations

Learning About Cybersecurity requires us to start using CERT advisories for dot-edu purposes. CERT advisories are effective learning resources.

[Extra] Professor's Case: Unlock Crypto [WiredNews::Technology]

[Yet-Another-Extra] Today's (Friday, 13 December 2002) GDT::Dot::Headlines from Slashdot includes the following: Sun Security Patch Introduces Security Hole.

"Just weeks after the U.S. elections, we have witnessed the return of the two nightmare technologies that catalyzed CPSR's creation: high tech warfare and the biggest of Big Brothers, the Total Information Awareness program. It is more important than ever that CPSR serve as the voice of the grassroots public interest."

What is TIAP?

The following was obtained from a TIAP homepage located at DARPA.mil.

"The Total Information Awareness (TIA) program is a FY02 new-start program. The goal of the Total Information Awareness program is to revolutionize the ability of the United States to detect, classify and identify foreign terrorists, and decipher their plans, and thereby enable the U.S. to take timely action to successfully preempt and defeat terrorist acts."

It is from DARPA in which the Internet was born...

DARPA -- Defense Advanced Research Project Agency

Note: GDT contains few dot-mil hyperlinks.

"Some of the U.S. government's most important computer systems continue to suffer significant security lapses despite renewed focus protecting them against terrorist attacks." [ Problems Remain in U.S. Computer Security {InformationWeek.com}]

ISPs (Internet Service Provides) such as AOL, MSN, etc., could give the government more information about subscribers and police would gain new Internet wiretap powers. [ Say Hello to Big Brother {Declan McCullagh}]

Are these two stories oxymoronic? [I admit ignorance is not bliss.] In a nutshell, the government wants to use data collected from computer systems to help with homeland security, yet the data they want access to is being processed by insecure computing systems. Oxymoron: Using insecure tools to provide security.

• Trojan Horse tcpdump and libpcap Distributions [13 November 2002]

  "The CERT/CC has received reports that several of the released source code distributions of the libpcap and tcpdump packages were modified by an intruder and contain a Trojan horse."

• Multiple Vunerabilities in BIND [14 November 2002]

  "Multiple vulnerabilities with varying impacts have been found in BIND, the popular domain name server and client library software package from the Internet Software Consortium (ISC)."

• WiredNews::Business posted a story about a web hosting company that is suing spammers and any money they are awarded is redirected to charities. Suing spammers for a good cause .

• The vim Editor is free, but it is also charityware. If vim becomes one of your computing tools, then you can pay the creator of the program some money. In the case of vim, any money you give to its creator is passed along to a charity.

Why when I type in the URL http://SalmonForGovernor.org do I get re-directed to http://BestyBayless.com?

In addition to the redirect, a pop-up window occurs that displays an anti-Salmon article from http://ArizonaRepublic.com.

If I put on my Computer Professional hat, then this is called cyber-squatting.

The Arizona Republic did not publish this litter.

Learning About spam From the Newspaper
Here is a Letter to the Editor that I wrote that responds to an Arizona Republic Editorial about spam published on Monday, 28 October 2002. I did not submit the letter.

Although it may have been only a "musing," fighting spam with spam is not how we are going to win the war against spam.

The DMA (Direct Marketing Association) wants regulations passed so it can have exclusive rights to spam our email in-boxes. The DMA does not have a cost effective way to have their spam "stand-out" from other spam. Email spam has been a serious problem for a long time and I find it interesting that it takes action on the DMA's part before the Arizona Republic writes about it.

Here are URLs to help your readers learn about spam.

• Coalition Against Unsolicited Commercial Email
• Spam Recycling Center
• SpamCon Foundation
• The Center for Democracy and Technology
• People For Internet Responsibility

The Arizona Republic needs to be Thanked for writing about the spam problem, but their suggestion that spammees spam the spammers is bad. Their editorial ends with the sentence: "Ah, sweet revenge." When it comes to spam, this type of revenge is ineffective.

"We have a great deal of focus nowadays on weapons of mass destruction but we need to be aware of the proliferation in cyberspace of weapons of mass disruption." [...]

"Cyber crime is costing the world economy billions of dollars and it is still on the increase. The more we depend on the system, the more we use the system, the more they will exploit it." [...]

"What we are concerned about is reducing vulnerability whether the threat is from the Mideast or the Midwest." [...]

Great quotes, but let's consider the source: Howard Schmidt is a former chief security officer at Microsoft.

[Extra] You know the spam problem is getting bad when the Direct Marketing Association wants anti-spam laws. [Nutshell: The DMA wants exclusive rights to send email spam.]

Here is an article that was posted to Federal Government Weekly dot-com on 07 October, 2002 about how biometrics is proving to be more difficult than feds anticipated. Learning About Biometrics

[New Term::NanoBrother] "We are moving rapidly into a world in which the spying machinery is built into every object we encounter." -- Howard Rheingold [source:: WiredNews::Culture]

• NIPC Advisory: W32.Bugbear@mm or I.Worm.Tanatos [NIPC is the National Infrastructure Protection Center]. This is a defect that uses email to infiltrate a computer running Windows.

• Get Help, Get Cracked. This is a defect that uses the Window's Help facility to infiltrate a computer running Windows.

• On 02 October 2002, Microsoft issued four security bulletins due to defects in its operating systems and in SQL Server software. Microsoft Posts Four Security Alerts.

[Extra] Microsoft is not alone with respect to providing defective software. On 08 October 2002, a CERT Advisory was issued on a Trojan Horse Sendmail Distribution.

[Item] The U.S. Federal Government has money to give schools to help them computerize, but the money is given only if schools agree to run filtering systems as per the CIPA. No Filtering, No Government Funds [WiredNews.com] and CIPA: Children's Internet Protection Act [Internet Free Expression Alliance]

[Item] The state of Floriduh spent millions of dollars to purchase touch-screen electronic balloting devices. Throwing hardware at problems is an easy thing to do when you have money, but it usually doesn't work well and the state of Floriduh provides real-world evidence of this. [At least Floriduh can play college football.] Florida Primary 2002: Back to the Future [RISKS Digest]

Is FS/OS bad software? That is what I would ask if I'm paying the bills.

These cracks have me even more excited about the future of FS/OS. Why? Because of the pride-of-ownership that is behind much of the critical FS/OS.

Here is the CERT Advisory:   Linux systems running Apache with mod_ssl accessing SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures. In other words, the Apache / mod_ssl Worm.

In a nutshell, parasite programs are packaged with legitimate software to "display advertising on your screen, gather information on your browsing habits, and to sell your unused CPU cycles and disk space."

Parasite Programs; Adware, Spyware, and Stealth Networks

"Among the laws criticized as curbing Internet rights were the U.N. Security Council resolution 1373 on fighting terrorism, the U.S.A. Patriot Act and amendments tightening European Union rules on protecting electronic data."

Reporters Without Borders: Internet Freedom Also Victim of Sept 11

[Item] It appears the Google Toolbar, which can be used to search Google without going to its homepage, can be exploited. GreyMagic Security Advisory: Exploiting the Google Toolbar

[Item] Here is a follow-up to last week's extra posting. More discussion is happening with respect to our government wanting dot-edu's to report on the status of foreign students. Here is a quote from EDUCause.

"PeopleSoft and other companies that provide student-information systems for colleges are scrambling to create software that will help institutions meet a tight government deadline for reporting new information about foreign students."

Chronicle.com reports Companies and Colleges Scramble to Meet New Requirements for Foreign Students.

"Students who apply to Princeton, or to any other university, have every right to expect that information they provide in good faith will be used only for the purposes for which they provided it, and that their privacy and confidentiality will be respected."

I say this all the time: do as a I say, not as a I do.

"These actions were wrong, but the only information obtained from the Yale Web site was whether or not certain applicants had been admitted, and this information was not used in any way."

It is the use of the words but and only that are scary.

"One of the lessons of this experience is that even individuals with a high degree of sensitivity to ethical principles in traditional settings can fail to be equally sensitive when technology is involved (as when someone who would never open a sealed envelope addressed to another person enters a secured Web site). "

Dot-com, dot-net, dot-org cannot be trusted. Princeton has taught us the same is true when it comes to dot-edu.

Princeton Acts on Its Cracking of Yale's Computers.

[Extra]
Patriot Act... "Beginning 31 January 2003, universities and colleges must frequently transmit detailed information about their foreign enrollees to the Immigration and Naturalization Service. The INS has created an IT system, known as SEVIS (Student and Exchange Visitor Information System), to capture and disseminate information about the students to federal authorities."

During the week just ended, the CERT/CC issued an advisory against Sun Microsystems XDR library (XDR stands for eXternal Data Representation). The XDR library is commonly used in RPCs (Remote Procedure Calls). An RPC allows you to call a function on system A from a program running on system B. CERT Advisory: Integer Overflow in XDR Library.

[Extra] Computer security requires the use of good passwords, good software, good SysAdmin practices and strong computing ethics. It also includes physical security. Justice Department Missing Laptop Computers.

[Item] In the name of homeland security, some people in our government wants us to become a society of informants. A website has been established to report those who participate in Operation TIPS. Operation TIPS-TIPS: Report TIPS Informants.

[Item] Wow... I thought Unicode was just YACS (yet-another-character-set), but it turns out character sets are used to crack computer systems. According a Crypto-Gram article "Unicode is just too complex to ever be secure." Security Risks of Unicode.

[Item] Declan McCullagh sent out the following to his Politech mailing-list.

"Companies in every sector of the U.S. economy may soon find it difficult to operate without cybersecurity insurance, an evolving form of coverage that the Bush administration hopes will be instrumental in steeling the nation's information technology infrastructure against attack."

	(B) a revised legal framework for the prosecution of 
	    'hackers' and 'cyberterrorists'; and

[Extra] Here comes the .kids.us domains.

"To facilitate the creation of a new, second-level Internet domain within the United States country code domain that will be a haven for material that promotes positive experiences for children and families using the Internet, provides a safe online environment for children, and helps to prevent children from being exposed to harmful material on the Internet, and for other purposes."

"Apache administrators have reacted quite quickly to the problem, and within a week of first publication, well over 6 million sites have been upgraded to Apache/1.3.26, issued by the Apache project in response to the problem. However, this still leaves around 14 Million potentially vulnerable Apache sites." [More...]

[Item] I hope it never comes true, but someday I could see myself being an esoldier. [Not as a General, but as a Private.] On 27 June 2002, WashingtonPost.com posted a story titled Cyber-Attacks by Al Qaeda Feared.

[Item] Politicians who feed their families thanks to generous donations from the entertainment business (there are reasons why average family units cannot afford to go to movies, concerts and sporting events) continue to attack our Computing Freedoms. Thanks to Declan McCullagh for providing Legislating the Internet (Hollywood versus High-Tech). Here is a quote from a Congressman.

"I am a strong believer in the beneficial potential of P2P networks, but most people currently use them for unbridled copyright piracy. Billions of P2P downloads every month constitute copyright infringements for which creators and owners receive no compensation. P2P piracy must be cleaned up. The question is how."

SSH is Secure SHell and OpenSSH is an implementation of SSH. SSH allows you to execute a remote login where data is transmitted over the Internet encrypted.

Two problems have been discovered with OpenSSH. The first vulnerability is an integer overflow in the handling of the number of responses received during "challenge response authentication"

An integer overflow is when you assign a value to an int variable that is too large to fit into the memory allocated for that int variable.

OpenSSH is used on a variety of systems, but it is developed by the OpenBSD Project. On Wednesday, 26 June 2002, I purchased a copy of OpenBSD (version 3.1) from OpenBSD.org.

Open Source claims it is more secure than proprietary systems. Since Open Source is the challenger in today's computing market place, it cannot have CERT Advisories issued against it. Open Source must provide a secure computing environment. [I think it is our best chance.]

From the This Sucks department comes CERT advisory CA-2002-17 or Apache Web Server Chunk Handling Vulnerability.

[Advisory #1]
Denial-of-Service Vulnerability in ISC BIND 9
BIND is the most popular implementation of DNS. BIND (Berkeley Internet Name Domain) is maintained by the ISC (Internet Software Consortium). This vulnerability does not allow an intruder to execute arbitrary code or write data to arbitrary locations in memory, but is can cause the BIND program to shutdown (abort).

[Advisory #2]
Multiple Vulnerabilities in Yahoo! Message
This is a Microsoft Windows defect. In a nutshell, Yahoo! Messenger (a program used for communicating with others over the Internet), contains a buffer overflow and a URL validation vulnerability. These vulnerabilities can allow crackers to execute code they should not be executing.

PeaceFire.org, which was created in August 1996 to represent the interests of people under 18 in the debate over freedom of speech on the Internet, put Anonymize.com to the test and they came up with this list of Ten Anonymizer Security Holes.

[Extra] Macromedia's JRun is a product that supports the delivering of Java applications. Typically, I think Java stuff is secure, but this week the CERT issued this Macromedia JRun buffer overflow advisory.

The original version alone demonstrated effective social engineering and polymorphic techniques, as well as complex features that would be dangerous in conjunction with other forms of malware.

"DON'T RUN THAT PROGRAM ON YOUR COMPUTER! YOU DON'T KNOW WHERE IT'S BEEN!"

Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at biometric fingerprint devices. Companies selling these devices have claimed that they are very secure, and that it is almost impossible to fool them into accepting a fake finger as genuine. Matsumoto, along with his students at the Yokohama National University, showed that they can be reliably fooled with a little ingenuity and $10 worth of household supplies.

	"Securing your personal computer plays a 
	crucial role in protecting our nation's 
	Internet infrastructure. It's the 
	responsibility of every American 
	to ensure that these cyber security 
	needs are met: That's why the National 
	Cyber Security Alliance was formed. 
	Comprised of business and government 
	organizations, this alliance works to 
	educate you on the importance of protecting 
	your personal computers from online intruders."

I can't see how the Internet will grow to its potential (which is infinite) without our computers being free from crime.

Just like Richard Stallman (RMS), I want to press ENTER for my password. Not being able to press ENTER for my password is a violation of my computing freedoms.

I'm not sure what is happening, but the need for Security Watchdog resources is greater now than it ever has been.

The Internet -- our prized jewel -- is full of cracks.

If we are not careful, then we are at risk of losing many of our computing freedoms. Copy one of your music CDs onto your computer and you may be considered a criminal. Use the Internet in an anonymous way and you may be a criminal. Watch a movie about cars on your computer and all of a sudden you start getting spam from car companies. Fail to apply a computer patch and it is your fault if your computer is cracked. This list goes on and on and on.

When you read the postings that have been made to this resource over the last couple of years, it is a disgusting read. Using a computer is scary and dangerous. Sometimes I don't understand why I touch a keyboard. I end this rambling with a quote from Ken Thompson taken from a paper he wrote for receiving an ACM Turing Award:

   You can't trust code that you did not totally create yourself. 
   (Especially code from companies that employ people like me.) 
   No amount of source-level verification or scrutiny will protect 
   you from using untrusted code.

[Extra] This week the Supreme Court of the United States struck down a federal ban on virtual child pornography. I agree with the following quote from a 17 April 2002 New York Times editorial:

These are critical times for establishing the scope of our freedoms on the Internet. Courts right now are laying the groundwork principles that could last for generations for how legal doctrines like freedom of expression and copyright will be applied in cyberspace. Guided by yesterday's powerful First Amendment ruling, the three-judge court in Philadelphia should waste no time in striking down the oppressive and unconstitutional restrictions of the Children's Internet Protection Act.

Such a national database, though a large undertaking, is possible. My company, for example, has already offered to provide the necessary software for free, and I'm sure other companies would pitch in with hardware and support. It's important these donations be made with no strings attached: The database would be maintained and run by the government alone, with no question of corporations benefiting.

Sounds good, but now all data about everybody is stored in an Oracle proprietary format. Software is nothing [that is why so much good software is free and open]; it is the information that has value. Oracle's offer to provide software for free is nothing.

And here is another quote...

We don't need to trade our liberties for our lives. By law, Fourth Amendment protections against unreasonable search and seizure would govern access to the national security database. The "probable cause" standard will still have to be met.

Sounds good. Maybe our government will respect our Fourth Amendment protections, but what about everybody else? If these databases are stored on Windows computers, then all bets are off. Crackers will crack the computers and steal the databases.

Bottom-line: Oracle, which is a huge company, sees a major $$$ making opportunity.

NationalReview.com [conservative website]

Sadly, but probably true, the ACM states that the CBDTPA could "undoubtedly threaten" national security. Interestingly, some of our politicians are writing and saying the CBDTPA will enhance national security.

Hollings and his Disney-like friends say the CBDTPA is necessary for national security, whereas the ACM says the opposite. The CBDTPA wants to put legal harnesses on the way you and I use our computers. Here is a question: Who knows more about Computing? Hollings and his gang, or the ACM? I vote for the Computer Professionals who are paying members of the ACM. If the ACM says CBDTPA sucks, then it must suck.

Note: one of the two people who signed the ACM letter was Gene Spafford. Spafford is an ACM Co-Chair and ThurmDreamTeam member (he was added to the team during the Spring 2002 semester).

Hollings' quote:

"...legislation that will promote broadband and the digital television transition by securing content on the Internet and over the Nation's air-waves." For several years the private sector has attempted to secure a safe haven for copyrighted digital products, unfortunately with little to show for its efforts. The result has been an absence of robust, ubiquitous protections of digital media which has lead to a lack of content on the Internet and over the air-waves. And who has suffered the most? Consumers, as they are denied access to high quality digital content in the home.

Text of the Bill via Politech via Cryptome.

I wrote and sent this email message to Arizona senator John_McCain@McCain.senate.gov and North Carolina representative howard.coble@mail.house.gov. Here is an email message that EFF.org recommends sending if you are not happy with the CBDTPA. [Note: I am a paying member of the EFF (Electronic Frontier Foundation.)]

Antivirus companies received a copy of a worm called Sharpei, which is partially written in Microsoft's newest computer language, C#, and designed to infect computers loaded with the .Net framework. [ More... from ZDNet.com]

Note: Sharpei is a breed of dog. The Security Watchdog is dogged by two dogs named Iris and Harley. Iris is a sharpei.

The Patriot Act is not anti-terrorism legislation; it's anti-speech legislation. As EFF explains it, the government can investigate even simple Web searching 'by merely telling a judge anywhere in the U.S. that the spying could lead to information that is 'relevant' to an ongoing criminal investigation.'

There are numerous politicians in this country that want to use computers (and the Internet) to help them become Big Brother.

• The Patriot Act: Last Refuge of a Scoundrel [Internet Librarian at the American Libraries Association]
• Colleges Fear Anti-Terrorism Law Could Turn Them Into Big Brother [Chronicle.com]
• Using 21st Century Technology to Defend the Homeland [Whitehouse.gov]
• Too Much Surveillance Means Too Little Freedom [William Safire; International Herald Tribune]

This proposed legislation was created prior to 911, but I suspect 911 has caused the SSSCA to become more attractive to our elected officials.

Here is a working draft of the SSSCA dated 06 August 2001.

The SSSCA in a nutshell:

The U.S. Government wants to make it unlawful to manufacture, import, offer to the public, provide or otherwise traffic in any interactive digital device that does not include and utilize certified security technologies that adhere to the security systems standards adopted under section 104. [Section 104 in a nutshell: nothing but buzzwords (i.e. the Bill leaves the details up to the politicians and lawyers to decide).]

ThurmThanks to Declan McCullagh for maintaining his excellent SSSCA archive.

[Extra] Every time a CERT Advisory hits my in-box, it causes me to say this sucks.

   CERT Overview:
   Multiple vulnerabilities exist in the PHP scripting language. 
   These vulnerabilities could allow a remote attacker to execute 
   arbitrary code with the privileges of the PHP process.

Here are details provided by Security.e-matters.de.

"Microsoft's new version of its popular Media Player software is logging the songs and movies that customers play."

Microsoft claims they have no plans on selling the information. In effect, Microsoft is telling me to trust them. Microsoft's business practices have never been trustworthy so I have no reason to trust them now.

Microsoft promotes the fact that the Media Player software is provided for free. Big deal. For Microsoft this program is simply a tool for them to gather valuable data for free.

If Microsoft is given the benefit of the doubt and I trust them to not share the data they are collecting, then I am still in trouble because Microsoft is not able to provide a secure computing environment (i.e. their software can be cracked and the data can be stolen). From a crackers perspective this is cool because they don't have to buy my data from Microsoft, they can simply steal it from my computer for free.

I can't believe this is true: Microsoft stops new work to fix bugs.

The system Heathrow is using is called EyeTicket. EyeTicket is not new; Airports have been interested in Iris Scanning for sometime according this CNN Article from 24 July 2000.

[Extra] NPS.gov is up and running again.

[Extra Extra] Crackers have virtually an unlimited number of ways to crack a computer.

• Multiple defects have been found with SNMP (Simple Network Management Protocol). SNMP is a widely deployed protocol that is commonly used to monitor and manage network devices [ CERT Advisory]
• A Microsoft program designed to plug a common security hole is vulnerable to the very attack it was designed to prevent, the Wall Street Journal alleged in a report on Thursday, 14 February 2002.

What If a Brain Scan Reveals Nothing?
This is what I'm afraid of when "brain fingerprinting" becomes a popular biometric for determining a person's identity. What if no brain is found, then what do they do with you?

NPS.gov Remains Down
We are just out of luck if we want to find out some information from the National Park Service website.

From BBC News we learn that Iceland Likes Scanning Faces.

[Extra] Where is Floyd College?
"A COMPUTER GLITCH at Floyd College briefly made the Social Security numbers of 125 continuing-education students available on the Internet last week."

[YABO] They call it an overrun but it is really YABO (Yet-Another-Buffer-Overflow). This YABO was found in the RealPlayer 8 application. From Real.com comes this Buffer Overrun Exploit.

There is a remotely exploitable buffer overflow in ICQ. Attackers that are able to exploit the vulnerability may be able to execute arbitrary code with the privileges of the victim user.

ICQ is a program for communicating with other users over the Internet. ICQ is widely used (by over 122 million people according to ICQ Inc, an AOL Time Warner owned subsidiary). A buffer overflow exists in the ICQ client for Windows.

Details: Web.ICQ.com | CERT Advisory

[Extra] Expect the Unexpected -- ACM interview with Peter Neumann.

The Watchdog includes postings about viruses, worms, trojan horses, cracks, and stuff like that. The Watchdog also keeps a eye on issues such as biometrics, information warfare, privacy, and legal stuff (e.g. DMCA, SSSCA, etc.).

This resource was started in March 2000 and as of 04 January 2002 it contained 86 postings.

Just a few days earlier AOL announced they had over 33 million members. Shortly after IMCracked, AOL announced that during Year 2001 its customers spent 33 billion.

AOL is actually AOL Time Warner. AOL is huge. The AOL corporate website has press releases about having 33 million customers who spent $33 billion dollars, but there is no mention of IMCracked. [The Jargon Dictionary has an interesting definition of AOL.]

Thanks for Visiting