Sunday, August 3, 2003
Thursday, February 21, 2002
CyberWar Update #5
The latest Cyberwar Update
./mark.hopkins.aka.rizzn//
Rizzn's Wartime Factbook: http://factbook.diaryland.com/
The Best UAV: http://www.unmannedaircraft.com
Rizzn's Musical Stylings: http://rizzn.trance.nu
--------------------
CyberWar Update #5
Update as of February 21, 2002
Report Assembled by Mark Hopkins
<markhopkins@mindless.com>
of Parallad Studios OSIS Project
Hello, my readers. The focus of this mailer revolves around two news stories that have come out recently, but are reasons, as the first headline says, to "hug a hacker, before [he/she] goes underground."
Most software hackers are quite familiar with the RFPolicy, written by Rain Forest Puppy. The first article is a commentary on how the industry is moving away from the usage of this policy, and how this is a Bad Thing for the industry.
Especially in this day and age of quite a bit more malicious strains of hackers showing up as wards of different branches of the al-Qa'ida network, it is in society as a whole's best interest to do as much as possible to embrace and encourage ethical hackers.
The second article is something of a far more sinister nature; it is the announcement by the US Government that cyberterrorists can now be bombed by the DOD. Given the broad nature of the government's definition of a cyberterrorist, compounded with the government's newfound liberty in the ability to search, seize, and rifle through the belongings of 'cyberterrorists' without either the hacker's or a judge's permission, the government now announces, without a vote by the people, that they intend to physically harm hackers with military force. I find this especially despicable and cringe for our collective future.
Can it be as bad as all that? Read the article. The statement was *intended* to sound sinister in nature, and it well achieves that purpose.
Also included in this issue is a complete text of the RFPolicy version 2 for your greater understanding.
If you have any questions, comments, article submissions, or criticisms, please send them to markhopkins@mindless.com.
Thanx to: l33td0g of hackinthebox.org, rain forest puppy of wiretrip.net, Patrick Gray and Adam Pointon of IT.mycareer.com.au, and Nick Farrell of vnunet.com.
:::Hug a hacker, before they go underground:::
Wed, Feb 20 @ 09:12 AM :
http://www.it.mycareer.com.au/opinion/platform/2002/02/19/FFXZG1F5TXC.html
In June 2000 a hacker named RFP (Rain Forest Puppy) wrote the RFPolicy for vulnerability disclosure, which sought to create a set of rules by which individual hackers and researchers deal with security vulnerabilities. For the most part this has been the de facto policy that hackers have adhered to and vendors have accepted. It created a framework that allowed a working relationship to form between hackers, security professionals and vendors.
Quoting from RFP: RFPolicy is an initiative to help establish concrete guidelines for disclosure of security problems. This was prompted due to many recent responses from vendors such as "we were never given a chance" or "there is an 'unwritten' standard of notifying the vendor X days ahead of time". RFPolicy works like this: A hacker or "researcher" finds a vulnerability in software made by a vendor. The hacker contacts the vendor and alerts them to the vulnerability. The company then has time to investigate the problem. A patch can then be written and an "advisory" can be released. The advisory usually gives full credit to the hacker for finding the vulnerability. The hacker is free to disclose to the hacking community the exploit code for the vulnerability exactly one week after notifying the vendor.
Unfortunately, several large software vendors have chosen to move away from this model. Now when a hacker finds a hole in a software product, vendors demand that they be alerted to the problem immediately and that the hacker not discuss the details of the vulnerability publicly. The vulnerability details are never released and vendors threaten to sue anyone who dares to publish the exploit.
As a result, most vulnerability research and exploit codes have gone underground and vendors are often not notified of security holes in their software.
An exploit is coded and passed on to the underground hacking and cracking community only. This means that many computers are being hacked through undisclosed security holes. Because the vulnerability is undisclosed, there is no patch or defence of any kind available, so the fight is lost before it begins.
But this is not where the problems associated with non-disclosure models end.
Full disclosure ensures that any patch released by a vendor has to work properly. When an exploit code is made public, the vendor comes under the scrutiny of the entire security community.
However, because teams of litigators under instruction from proprietary vendors are monitoring public security forums, many are now too scared to publicly post vulnerability information. Many are too eager to forget that the average hacker is no more than a software boffin with an enthusiasm for picking apart code. They strive to improve security on the Internet and scrutinise poor software engineering.
Perhaps large organisations believe their security images will benefit if talk of vulnerabilities in their products is pushed underground. Perhaps they are merely frustrated at being humiliated as security hole after security hole is found and made public.
Many argue that by keeping security issues transparent, vendors can benefit from the vast computing expertise of the new-millennium hacker.
:::Hackers face US bombing:::
[18-02-2002] : http://www.vnunet.com/News/1129301
The US government has warned that it could take military action against any terrorists who launch attacks through the internet. In a move that could send cruise missiles heading toward hackers' houses, a White House technology adviser says the US "reserves the right to respond in any way appropriate" to tackle the growing number of internet warriors.
Advisor Richard Clarke says Iran, Iraq, North Korea, China, Russia and other countries are already having people trained in internet warfare.
Speaking at a Senate Judiciary subcommittee hearing on cyber-terrorism, Clarke said the US could use covert action but military action was one of the tools available to the president.
Mr Clarke refused to say what level of cyber-attack might lead to a military strike. "That's the kind of ambiguity that we like to keep intentionally to create some deterrence," he said.
This is despite the fact that the US has not found a foreign government or terrorist group using internet warfare.
Clarke added: "It does not mean that it has not happened or will not happen. If I was a betting man, I'd bet that many of our key infrastructure systems already have been penetrated."
"There are lots of cases where there has been unauthorised intrusions but we have never been able to prove to our particular satisfaction that a particular government did it," Mr Clarke said.
:::Full Text of the RFPolicy:::
////// Full Disclosure Policy (RFPolicy) v2.0 //////
This policy is available at http://www.wiretrip.net/rfp/policy.html
\ Executive overview for vendors and software maintainers
This policy states the 'guidelines' that an individual intends to follow. You basically have 5 days (read below for the definitions and semantics of what is considered a 'day') to return contact to the individual, and must keep in contact with them *at least* every 5 days. Failure to do so will discourage them from working with you and encourage them to publicly disclose the security problem.
This policy is not set in stone--in fact, it is encouraged that all parties regularly communicate with each other during the process, adjusting as situations arise.
\ Table of contents
Purpose of this policy
Policy definitions
Policy
Detailed/commented explanation of policy
Difference between version 1 and version 2 of RFPolicy
RFPolicy FAQ
Using this policy
Credits
\ Purpose of this policy
This policy exists to establish a guideline for interaction between a researcher and software maintainer. It serves to quash assumptions and clearly define intentions, so that both parties may immediately and effectively gauge the problem, produce a solution, and disclose the vulnerability.
First and foremost, a wake-up call to the software maintainer: the researcher has chosen to NOT immediately disclose the problem, but rather make an effort to work with you. This is a choice they did not have to make, and a choice that hopefully you will respect and accept accordingly.
The goal of following this policy, above all else, is education:
Education of the vendor to the problem (ISSUE, as defined below).
Education of the researcher on how the vendor intends to fix the problem, and what caveats might cause a solution to be delayed.
Education of the community of the problem, and hopefully a resolution. With education, through continued communication between the researcher and software maintainer, it allows both parties to see where the other one is coming from. Coupled with compensation*, the experience is then beneficial to the researcher, vendor, and community. Win/win/win for everybody. :)
(*Compensation is meant to include credit for discovery of the ISSUE, and perhaps in some cases, encouragement from the vendor to continue research, which might include product updates, premier technical subscriptions, etc. Monetary compensation, or any situation that could be misconstrued as extortion, is highly discouraged.)
\ Policy definitions
The ISSUE is the vulnerability, problem, or otherwise reason for contact and communication.
The ORIGINATOR is the individual or group submitting the ISSUE.
The MAINTAINER is the individual, group, or vendor that maintains the software, hardware, or resources that are related to the ISSUE.
The DATE OF CONTACT is the point in time when the ORIGINATOR contacts the MAINTAINER.
All dates, times, and time zones are relative to the ORIGINATOR.
A work day is generally defined in respect to the ORIGINATOR.
\ Policy
A. The ORIGINATOR will send email regarding the ISSUE to the MAINTAINER; the point in time when email is sent from the ORIGINATOR is considered the DATE OF CONTACT.
It is important that the ORIGINATOR review any documentation included with the object of the ISSUE for indication of a proper method of contact. That failing, the ORIGINATOR should check the web site of the MAINTAINER for methods of contact. Should the ORIGINATOR not be able to locate a suitable email address for the MAINTAINER, the ORIGINATOR should address the ISSUE to:
security-alert@[MAINTAINER]
secure@[MAINTAINER]
security@[MAINTAINER]
support@[MAINTAINER]
info@[MAINTAINER]
regardless of their existence. Anyone who could be deemed as a 'MAINTAINER' is encouraged to populate at least some of the above email addresses. Email auto-responses should not be considered as a message from the MAINTAINER.
Note: addressing the ISSUE to InterNIC handles may cause the email to be misdirected (for example, to a virtual hosting company who happens to host the MAINTAINER's web site). Addressing the ISSUE to the above listed email addresses may cause the email to be received by non-authoritative persons (for example, to an online service provider who happens to have a user named 'security-alert').
B. The MAINTAINER is to be given 5 working days (in respect to the ORIGINATOR) from the DATE OF CONTACT; should no contact occur by the end of 5 working days, the ORIGINATOR should disclose the ISSUE. Should the MAINTAINER contact the ORIGINATOR within the 5 working days, it is at the discretion of the ORIGINATOR to delay disclosure past 5 working days. The decision to delay should be based upon active communication between the ORIGINATOR and MAINTAINER.
C. Requests from the MAINTAINER for help in reproducing problems or for additional information should be honored by the ORIGINATOR. The ORIGINATOR is encouraged to delay disclosure of the ISSUE if the MAINTAINER provides feasible reasons for requiring so.
D. If the MAINTAINER goes beyond 5 working days without any communication to the ORIGINATOR, the ORIGINATOR may choose to disclose the ISSUE. The MAINTAINER is responsible for providing regular status updates (regarding the resolution of the ISSUE) at least once every 5 working days.
E. In respect for the ORIGINATOR following this policy, the MAINTAINER is encouraged to provide proper credit to the ORIGINATOR for doing so. Failure to document credit to the ORIGINATOR may leave the ORIGINATOR unwilling to follow this policy with the same MAINTAINER on future issues, at the ORIGINATOR's discretion. Suggested (minimal) credit would be:
"Credit to [ORIGINATOR] for disclosing the problem to [MAINTAINER]."
F. The MAINTAINER is encouraged to coordinate a joint public release/disclosure with the ORIGINATOR, so that advisories of problem and resolution can be made available together.
G. If the ISSUE is publicly disclosed by a third party, the ORIGINATOR is encouraged to discuss the current status of the ISSUE with the MAINTAINER; based on that discussion, the ORIGINATOR may choose to disclose the ISSUE. The MAINTAINER is encouraged to credit the ORIGINATOR for discovering the ISSUE. Should the MAINTAINER disclose the ISSUE, or items supporting/relating to the ISSUE (patches, fixes, etc), the ORIGINATOR may choose to disclose the ISSUE.
\ Detailed/commented explanation of policy
This section serves to elaborate on the items in the policy, for better understanding.
A. Pretty self explanatory--the ORIGINATOR is to email the MAINTAINER about the problem. The ORIGINATOR should do their homework and try to find the correct address to email (by checking the MAINTAINER's web site, by looking in documentation distributed with the software/product, etc). Emailing InterNIC handles or addresses such as 'postmaster' or 'webmaster' is not good, since they are most likely IT support staff and not the proper representatives to handle such a situation.
B. The MAINTAINER has 5 work days to respond. Note that all times of work days are relative to the ORIGINATOR, not the MAINTAINER. Suggestion to the MAINTAINER: sooner is better than later--just because you have 5 days does not mean you need to take them all. The ORIGINATOR is technically free to do whatever they want to do after 5 work days--however, they should be fair and wait if the MAINTAINER shows adequate initiative to fix the ISSUE.
C. Just as the MAINTAINER shouldn't ignore the ORIGINATOR, neither should the ORIGINATOR ignore the MAINTAINER. The ORIGINATOR should help the MAINTAINER recreate the problem, if necessary. It's probably in the best interest of the ORIGINATOR to help the MAINTAINER confirm the problem--otherwise, the ORIGINATOR stands to disclose a potentially false ISSUE.
D. The MAINTAINER has to actively give status reports. Note that it's the MAINTAINER's responsibility to do so, and not the ORIGINATOR's responsibility to request them.
E. If the ORIGINATOR does indeed take the time to follow this policy, they should be acknowledged not only for doing so, but in general, acknowledged for finding the problem. There are proper ways to cite references, credit sources, and otherwise respect the origination of information--I suggest vendors do the same. If you can not respect the ORIGINATOR enough for taking the time to notify you of the ISSUE, the ORIGINATOR (and possibly others) may feel reluctant to follow this policy with the same MAINTAINER in the future.
F. Making the problem and solution advisories available together allows the community to have immediate access to both the problem description and the appropriate fix.
G. If the MAINTAINER feels it's appropriate to alert the public of the issue, then there's no reason why the ORIGINATOR should not. Traditionally, alerting the community of a problem (but not providing full exploit details) has proven to be futile; other researchers are then just as likely to discover the problem as well--and they may not abide by the guidelines set by this policy. Therefore, if the issue is to be disclosed, all aspects of it should be disclosed. If a third party discovers and publishes the vulnerability, the MAINTAINER and ORIGINATOR should evaluate the status of a fix, and act accordingly. No matter what, the MAINTAINER should always credit the ORIGINATOR.
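The timing rules in clauses B and D (and their commentary above) are easy to miscount across weekends and time zones, so here is a small Python model of them as an added example; it is not part of the RFPolicy text or rfp's own tooling. It assumes a Monday-to-Friday work week and an empty holiday set as defaults (both taken to be the ORIGINATOR's, as the policy requires), and the dates in it are constructed for illustration.

```python
"""Timeline checker for RFPolicy v2.0 clauses B and D (added example, not
part of the policy text). All dates are the ORIGINATOR's local dates, as the
policy requires; the work week and holiday set are the ORIGINATOR's too."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable

WORKING_DAY_WINDOW = 5                   # clauses B and D: 5 working days
MON_TO_FRI = frozenset({0, 1, 2, 3, 4})  # date.weekday() values; assumed default work week


@dataclass(frozen=True)
class Status:
    may_disclose: bool   # True once the policy permits the ORIGINATOR to disclose
    clause: str          # "B" (initial contact missed), "D" (status update missed) or ""
    deadline: date       # last day of the 5-working-day window currently running
    last_event: date     # DATE OF CONTACT, or the MAINTAINER's most recent message


def add_working_days(start: date, n: int, work_week=MON_TO_FRI,
                     holidays: FrozenSet[date] = frozenset()) -> date:
    """Date of the n-th working day after `start`. `start` itself is not
    counted, so a Thursday contact gives a deadline on the following Thursday."""
    if n < 0:
        raise ValueError("n must be non-negative")
    day, counted = start, 0
    while counted < n:
        day += timedelta(days=1)
        if day.weekday() in work_week and day not in holidays:
            counted += 1
    return day


def disclosure_status(date_of_contact: date, maintainer_contacts: Iterable[date],
                      today: date, work_week=MON_TO_FRI,
                      holidays: FrozenSet[date] = frozenset()) -> Status:
    """Apply clauses B and D to a contact history.

    Clause B: no reply within 5 working days of the DATE OF CONTACT.
    Clause D: after replying, the MAINTAINER let more than 5 working days pass
    without a status update. A late reply restarts the running window (the
    ORIGINATOR is encouraged to wait if the MAINTAINER shows initiative), but
    a window already missed still leaves disclosure at the ORIGINATOR's option.
    """
    contacts = sorted(maintainer_contacts)
    if contacts and contacts[0] < date_of_contact:
        raise ValueError("a MAINTAINER reply cannot precede the DATE OF CONTACT")
    events = [date_of_contact] + contacts
    # Index i is "missed" when message i+1 arrived after the window opened by message i.
    missed_idx = [i for i, (prev, nxt) in enumerate(zip(events, events[1:]))
                  if nxt > add_working_days(prev, WORKING_DAY_WINDOW, work_week, holidays)]
    last_event = events[-1]
    deadline = add_working_days(last_event, WORKING_DAY_WINDOW, work_week, holidays)
    overdue_now = today > deadline
    may_disclose = bool(missed_idx) or overdue_now
    if not may_disclose:
        clause = ""
    elif 0 in missed_idx or (not contacts and overdue_now):
        clause = "B"   # the initial contact window from the DATE OF CONTACT was missed
    else:
        clause = "D"   # a later status-update window was missed
    return Status(may_disclose, clause, deadline, last_event)


def check(contact_iso: str, reply_isos: Iterable[str], today_iso: str,
          holidays: Iterable[str] = ()) -> tuple:
    """ISO-string convenience wrapper; returns (may_disclose, clause, deadline as ISO)."""
    s = disclosure_status(date.fromisoformat(contact_iso),
                          [date.fromisoformat(r) for r in reply_isos],
                          date.fromisoformat(today_iso),
                          holidays=frozenset(date.fromisoformat(h) for h in holidays))
    return s.may_disclose, s.clause, s.deadline.isoformat()


if __name__ == "__main__":
    # Constructed sample history: ISSUE emailed on Thursday 2002-02-21.
    for label, replies, today in [
        ("no reply yet, checked Wed 27th", [], "2002-02-27"),
        ("no reply, checked Fri Mar 1st", [], "2002-03-01"),
        ("replied Tue 26th, checked Mar 1st", ["2002-02-26"], "2002-03-01"),
        ("replied Tue 26th, then silent", ["2002-02-26"], "2002-03-06"),
        ("first reply only on Mon Mar 4th", ["2002-03-04"], "2002-03-05"),
    ]:
        may, clause, deadline = check("2002-02-21", replies, today)
        print(f"{label:36} deadline={deadline} may_disclose={may} clause={clause!r}")
```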
\ Difference between version 1 and version 2 of RFPolicy
Version 1 required a 2 day initial contact period, and then a 5 day wait before disclosure. Due to all the possible ways '2 days' could be mishandled, it was removed in favor of a solid 5 day period.
The email section in version 2 was reworked to discourage emails to InterNIC handles, and encourage trying to locate the correct email address (RTFM :)
Version 2 better defines what should happen at the end of the initial 5 day waiting period.
Version 2 adds the provision for sustained contact from the MAINTAINER.
Version 2 defines possible actions should the ISSUE become public before disclosure by the originator.
"This is not a legal contract" mumbo-jumbo removed from version 2.
\ RFPolicy FAQ
Q. This policy uses dates and times for gauging responses. How do time zones/holidays/weekends/cultural differences factor in?
A. First off, as noted above, all dates and times are relative to the ORIGINATOR. Now, it is quite possible that a difference in date/time perspective occurs, due to: the ORIGINATOR being on a different continent than the MAINTAINER, the MAINTAINER having a different work week than the ORIGINATOR, the MAINTAINER being sick, the MAINTAINER taking an extended weekend, the MAINTAINER having a holiday, etc. Therefore the initial contact period was extended to 5 days--we feel that 5 days should be adequate to surmount any date/time differences.
Q. I'm a software maintainer, and I can't possibly fix the problem in 5 days....
A. You don't have to. If you (re)read the above, you have 5 days to establish communication. Provided you cooperate with the researcher and keep them 'in the loop', they should provide you with whatever time necessary to resolve the ISSUE (within fair reason).
Q. I'm a software maintainer, and I want more than 5 days!
A. Well, considering that, in general, you don't have *anything* technically, this document hopes to provide you with at least 5. Be on your best behavior, cooperate with the ORIGINATOR, and you should get more. :)
Q. You mention compensation--do ORIGINATORs expect to be paid?
A. NO! (Well, they shouldn't...I can't definitely predict the expectations of people) Compensation, as mentioned in this policy, is meant first-and-foremost to be PROPER CREDIT. Academia has historically and religiously provided credit when referencing all types of works and research; the ISSUE provided by the ORIGINATOR should also be thought of as research, and the ORIGINATOR should be credited accordingly. Now, beyond that, it may be in the vendor's best interest to promote good relations with the researcher, and one suggested way is to provide updates and product licenses. A lot of research is done on evaluation and trial versions of software--providing a single, full license/copy should produce little impact on the vendor, but greatly help the researcher. Another suggestion is to allow access to support sites/technical content, such as TechNet (if you happen to be Microsoft :)
\ Using this policy
This policy is free for anyone to modify, republish, sell, or otherwise use. The goal is to establish communication and interaction amongst the security community (users, researchers, and vendors)--not hamper it with copyrights and trademarks.
People are encouraged to use this policy or derivatives. You can make use of this policy by supplying the URL (found at the top of this document) in the initial vendor contact email, and giving indication that you intend to follow the guidelines stated.
If you intend to be an ORIGINATOR, we suggest you prefix your advisory sent to the MAINTAINER with something similar to:
"This advisory is being provided to you under the policy documented at http://www.wiretrip.net/rfp/policy.html. You are encouraged to read this policy; however, in the interim, you have approximately 5 days to respond to this initial email. This policy encourages open communication, and I look forward to working with you on resolving the problem detailed below."
In addition, should the ORIGINATOR and MAINTAINER arrive at a unified resolution and disclosure, it may be of interest to contact the CVE officials (http://cve.mitre.org) to assign a CVE identifier to the vulnerability. Doing so allows the vulnerability to be referenced and cataloged, facilitating its acceptance and use in the community.
\ Credits
Since this is an important part of what this policy attempts to achieve, I should follow the same advice. :)
Version 2 was drafted after extensive input of the community (some 400+ individual suggestions were received). Apologies for not listing all 400+.
Thanks to the following people for initial concepts and input (version 1):
Aleph1 [aleph1-at-securityfocus.com]
Steve Manzuik [steve-at-securesolutions.org]
Weld Pond [weld-at-atstake.com]
Russ Cooper [russ.cooper-at-rc.on.ca]
Special thanks to Russ Cooper for the large amounts of feedback that helped shape version 1 of this policy.
- rain forest puppy [rfp-at-wiretrip.net]
---
Information wants to be free! Get your friends to subscribe to the Rizzn's Wartime Factbook update. An awareness in intelligence will result in our collective greater safety. Send them to http://factbook.notifylist.com
To view the facts surrounding the civilised world's war versus terrorism, go to http://factbook.diaryland.com. Updated daily!
Information in this briefing completely accurate to the knowledge of the O.S.I.S. as of: 12:42 PM 2/21/2002. Stay tuned for updates.
This briefing is a service of Rizzn Do'Urden, Rizzn's Wartime Factbook, and Parallad Studio's Open Source Intelligence Service.
Saturday, February 2, 2002
Test test test
This is a test. I'm trying to figure out why this thing won't change the layout for every entry.
/rizzn
Sunday, December 23, 2001
CyberWar Update #4
Merry Christmas all -- I will be out of pocket for the coming holidays -- best to you and yours.
/mark hopkins
markhopkins@mindless.com
parallad studios
http://www.parallad.com
OSIS Project
Rizzn's Wartime Factbook: http://factbook.diaryland.com/
The Best UAV: http://www.unmannedaircraft.com
CyberWar Update #4
Update as of December 23, 2001
Report Assembled by Mark Hopkins
<markhopkins@mindless.com>
of Parallad Studios OSIS Project
http://www.parallad.com
Things this report will concern itself with:
a. Operation Buccaneer
b. Magic Lantern Developments and Analysis
c. New Virus Developments: We have a new Christmas-time virus, the third email worm in three weeks. Read the details to protect yourself from attack.
d. Al Qa'ida/Microsoft Hack
   - The Story: Suspected member of the Al Qaeda terrorist network, Mohammad Afroze Abdul Razzak, claimed that Islamic militants infiltrated Microsoft and sabotaged the company's Windows XP operating system, according to a source close to Indian police.
   - Analysis: How likely is this allegation to be true? Many say not very. Read for some interesting possible connections.
e. New Federal Encryption Standard
   - The Story: The U.S. Federal Government has finally decided to upgrade its DES standard to the newly created AES encryption standard, a long needed change.
   - Analysis: How effective is the new standard? Is it all it's cracked up to be?
Operation Buccaneer
The Story
The federal government has concluded a yearlong investigation into software piracy and, in the past week, has been involved in raids against WAREZ groups, including 90+ scene group senior members and leaders in the US, Canada, Britain, Australia and Norway, and 2 cracking groups in Poland.
The US Customs Service, along with the US Department of Justice, on Tuesday December 11th 2001, raided universities and high-tech businesses in 27 cities as part of an international crackdown on underground groups that actively trade in illicit copies of software and digital media. Dubbed "Operation Buccaneer," the enforcement action occurred simultaneously in four other countries, where an additional 22 search warrants were issued, resulting in the arrests of nine people. None of the suspects in the United States have been arrested at this point.
On Dec. 11, the DCIS, the Environmental Protection Agency's Office of Inspector General and the FBI served 34 search warrants in the United States and Canada. The searches came at the culmination of a sting, known as "Operation Bandwidth," in which an FBI office operated a fake warez site. More than 144,000 programs were uploaded to and downloaded from the site, said Alan Peters, supervisory special agent for the FBI's Las Vegas office.
Confirmed insider information: four major EFnet servers are currently running in debug mode, which enables them to see ALL private traffic, like private chat, passwords sent to channel protection bots, messages, etc. and the information is being filtered and sent to the FBI, which requested this. Currently, a big EDU server, and .ORG server.
In the first overt action of a 15-month investigation of such organized groups of pirates, the Customs Service targeted the oldest and largest group, known as DrinkOrDie.
"We are targeting these groups that do it all the time," Bell said. "If you are at your house one night and you want to get a free copy of some software, that's not what we are talking about."
Customs agents seized 129 computers in the 38 searches nationwide, Bell said. Among the data captured were Web sites with so much pirated media that it took 4,000 pages to list the titles. Another seized system had more than 5,000 movies, including the blockbuster Harry Potter and the Sorcerer's Stone.
"The data was available to millions of people all over the world," said Bell, who added that another 15 countries may take part in the action.
Members of the DrinkOrDie group included corporate executives, computer network administrators, and students at major US universities who regularly uploaded copy-protected software and digital media to be broken by other members of the group. There are perhaps as many as 10 major warez communities such as DrinkOrDie. And they don't do it for profit, Bell said.
"They believe in a free Internet," he said. "They don't want any rules or any laws that inhibit what they do."
At least one computer security expert criticized the government's crackdown, saying it focuses on the wrong people. "There are two kinds of people pirating software: the kids, and the people who are stamping out 5,000 copies in Taiwan and selling them for $5 a pop," said Bruce Schneier, a well-known encryption expert and president of Counterpane Internet Security, a network protection company.
The warez groups are typically students and computer aficionados having fun and testing themselves by breaking programs--generally on a power trip, Schneier said. "Throwing the book at these guys is the wrong thing to do," he added.
The Business Software Alliance (BSA), which represents the software industry's interests in Washington, DC, agrees that warez sites are as big a threat as "true" pirates. "You could have a good debate over who is hurting the industry more," said Bob Kruger, vice president of enforcement for the BSA, which has estimated that the software companies lost $2.6 billion in 2000 to US-based piracy. Although downloading programs from the Internet doesn't necessarily have a one-to-one correlation to lost sales, Kruger maintains that there is definitely harm suffered by the industry.
Cracking in
The warez community can be divided into smaller "scenes" based on the type of content their members are interested in. Typical divisions are the DivX scene for movies available in MPEG-4 format, the MP3 scene for music available in that popular format, and the PS2 scene for pirated PlayStation 2 games.
"Everyone that had a significant role in the community is worried that the (DrinkOrDie) takedown will change the way the scene works," said the warez programmer, who asked that his name and online handle not be used. "It won't be quite so public anymore."
Typically, a "leak"--someone who supplies a copy of a yet-to-be-released program--uploads the data to an online drop box. The supplier often is someone who works in the company and sells the code for money or to get back at the company for some perceived slight.
The cracker then takes the program, breaks through the security and "rips" a copy that works without the CD-ROM. This step is, by far, the most time-consuming. Typically, the cracker then uses a private site to pass the program to a courier, or curry, who distributes the program to publicly accessible download sites.
Although the raids mainly targeted those suspected of cracking content, the effects will trickle down to hit the software pirates on the street, the warez programmer said. Such pirates depend on the warez community for their supply of copy-protection-free content.
For example, VideoCDs--popular in the Asia-Pacific region--might become scarce, especially those made from newer movies.
"VCD groups have stopped releasing," the warez programmer said. "Asian markets can't get copies of American movies to subtitle, which means they can't sell them on the street."
The discord within the community has been heightened by the FBI's ability to infiltrate at least one online group, RogueWarriorz. In his posting, "ttol" describes RogueWarriorz as a group of about 70 members with access to more than 40 sites belonging to other groups.
The FBI's Peters confirmed that the target of its Operation Bandwidth investigation was the RogueWarriorz.
Peters also predicted that the investigation will drive the remaining software pirates underground. "I think the trend is more, for their own protection, to keep the sites from outside access," he said. "Many have password protections added to them now."
Despite the discord, at least one member of the warez scene believes the law-enforcement victory is fleeting.
"I'm just sure that whatever the FBI decides to do, there will still be people ripping and releasing (warez) internally through groups," wrote one member of the music scene, who used the handle "dsif0r."
"We have finally lost; but I assure you, the FBI cannot keep us down."
Analysis
Truly, I could write volumes on this subject, enough to fill a whole book. For the constraints of this email, though, I will focus on a few key points.
The idea of targeting these warez distributors and crackers is distasteful on a couple of levels. Firstly, it is a very much needed debate as to whether or not the warez community takes any money away from the computer entertainment industry. As many recipients of pirated games have pointed out, more often than not, a player of a pirated game most likely would not have purchased the game if it were for sale in the first place, and is only playing it because it is free. Then there is the moral high ground that some pirates take, stating that the high cost of certain software packages (such as much of Adobe's product line) prevents the mass public from ever affording the products they'd like to use. Very few people can afford the $899 price tag on the Adobe Photoshop product, much fewer than the number of people who are very talented at using it.
But moving past the debate as to whether certain types of pirates should be prosecuted, what is the actual impact of this event? Certainly, it can't be over-emphasized that this is probably the most influential event in piracy history. But the pirate trade is rooted in two things which will ensure its permanency: the entertainment industry, and hacking. As long as the first world remains the first world in the technology age, we will have software piracy. The entertainment industry is the biggest industry for America, dwarfing its nearest second with the industry-wide profits, thus ensuring that there will always be software to pirate. And hacking will always be around as long as there is technology to discover -- and this is where the roots of piracy spring. Piracy stems from two sources: from software cracking, or the techno-art of defeating the copy-protection routines put in place by software companies, and the innate greed within every computer user to get something (a computer program) for nothing. For most crackers, it's simply a test of skill to see if they are up to the challenge. The fruits of their labors are then placed out for the world to see, and for those that are in search of a way to copy their software. And for the traffickers, it's simply a public service to reroute 1's and 0's to those more deserving.
One thing is for certain, it hasn't taken the warez community long to regroup. They are an amorphous bunch, with a structure much like the infamous al-Qa'ida, and the ones not directly hit have already taken a look at their methods for certain. In much the same way that the human body reacts after a virus attack, pirates will become more aware of ways they can be tracked, and it will become that much harder to track those responsible for piracy in the future.
Magic Lantern Developments and Analysis
Magic Lantern's Existence Admitted
When is a virus, not a virus? When it's written by the FBI.
After months of speculation Reuters reports that an FBI spokesman has finally confirmed that the US government is working on a project, codenamed Magic Lantern, that will log the key-strokes made on infected machines and enable the FBI to track communications made using it.
The FBI has already acknowledged that it uses software that records keystrokes typed into a computer to obtain passwords that can be used to read encrypted e-mail and other documents as part of criminal investigations.
FBI spokesperson Paul Bresson described Magic Lantern to news sources as a "workbench project."
Said Bresson: "We can't discuss it because it's under development, [but] like all technology projects or tools deployed by the FBI, it would be used pursuant to the appropriate legal process."
Remember the recent W32.Badtrans.B@mm MAPI worm which opened a Trojan back door on an infected machine and deployed a keystroke logger to monitor what was written on it? (We do, as we're still getting plenty of infected messages caught in our firewall.) Well, it looks like Magic Lantern will do essentially the same thing.
Fortunately, most major antivirus companies have said that they would not voluntarily cooperate with the FBI, updating their software to detect and clean viruses, no matter where they originated. However, the FBI could get its virus ignored by antivirus software with a legal order. And ISPs have in the past voluntarily cooperated with the FBI allowing it to install its technology on their servers.
SecurityFocus incident analyst Ryan Russell told NewsFactor Network that the battles between civil libertarians and law enforcement agencies like the FBI have been ongoing from the first time cyber-snooping technologies were used.
"Currently, computer monitoring does not require the same standards that telephone taps do, and law enforcement has been constantly pushing to keep those standards lax," Russell said.
French Caldwell of Gartner's Information Security Group, who runs the research firm's project on technology and public policy, told NewsFactor: "The bottom line here is that companies and individuals will be responsible for protecting themselves from both cyberterrorism and the government's response to it."
Given the hijacking attacks of Sept. 11, it is also conceivable that the U.S. government would enlist the aid of private companies to combat terrorism and help its war effort, said Michael Erbschloe, vice president of research at Computer Economics, which analyzes the impact of viruses.
"In previous wars, including the Second World War, the government had the power to call on companies to help, to commandeer the technology," said Mr. Erbschloe, author of Information Warfare: How to Survive Cyber Attacks.
"If we were at war the government would be able to require technology companies to co-operate, I believe, in a number of ways, including getting back door access to information and computer systems."
The FBI's controversial Magic Lantern Trojan horse has been mimicked by the virus writing underground, but in a deadlier form.
Amid rumours of the FBI's cloak and dagger spy tool, it was discovered that a 17 year-old Argentinean virus writer, known only as 'Agentlinux', has created a malicious virus that masquerades as Magic Lantern.
Rather than acting as a Trojan keylogger, as the real Magic Lantern is supposed to do, 'Malantern', as it has been called to avoid confusion, simply deletes all files in the Windows system drivers directory and the 'Temp' directory.
Although it is not thought that the virus is spreading, one expert believes that this could be the start of a Magic Lantern copycat trend.
"It isn't important that the program isn't spreading. What is necessary to realise is that, with the appearance of the official 'Lantern' virus, writers won't wait long to release numerous clones," said Eugene Kaspersky, head of research at Kaspersky Labs.
Something else that has bothered the experts is the fact that the 'real' Magic Lantern could easily end up in the wrong hands and be used by the people it's supposed to catch.
"In addition, the possibility that the original Trojan version could end up in the hands of hackers cannot be excluded. In this case, hackers could use Magic Lantern as a means to their own ends," said Kaspersky.
This threat is heightened by the fact that some antivirus vendors have already said that they would exclude the FBI Trojan from any virus scans in a bid to support the authorities.
FBI asks for Access to Badtrans Database
The FBI is asking for access to a massive database that contains the private communications and passwords of the victims of the Badtrans Internet worm. Badtrans spreads through security flaws in Microsoft mail software and transmits everything the victim types. Since November 24, Badtrans has violated the privacy of millions of Internet users, and now the FBI wants to take part in the spying.
Victims of Badtrans are infected when they receive an email containing the worm in an attachment and either run the program by clicking on it, or use an email reader like Microsoft Outlook which may automatically run it without user intervention. Once executed, the worm replicates by sending copies of itself to all other email addresses found on the host's machine, and installs a keystroke-logger capable of stealing passwords including those used for telnet, email, ftp, and the web. Also captured is anything else the user may be typing, including personal documents or private emails.
Coincidentally, just four days before the breakout of Badtrans it was revealed that the FBI was developing their own keystroke-logging virus, called Magic Lantern. Made to complement the Carnivore spy system, Magic Lantern would allow them to obtain target's passwords as they type them. This is a significant improvement over Carnivore, which can only see data after it has been transmitted over the Internet, at which point the passwords may have been encrypted.
After Badtrans pilfers keystrokes the data is sent back to one of twenty-two email addresses (this is according to the FBI-- leading anti-virus vendors have only reported seventeen email addresses). Among these are free email addresses at Excite, Yahoo, and IJustGotFired.com. IJustGotFired is a free service of MonkeyBrains, a San Francisco based independent Internet Service Provider.
In particular, suck_my_prick@ijustgotfired.com began receiving emails at 3:23 PM on November 24. Triggering software automatically disabled the account after it exceeded quotas, and began saving messages as they arrived. The following day, MonkeyBrains' mail server was sluggish. Upon examination of the mail server's logs, it quickly became apparent that 100 emails per minute to the "suck_my_prick" alias were the source of the problem. The mails delivered the logged keystrokes from over 100,000 compromised computers in the first day alone.
Last week the FBI contacted the owner of MonkeyBrains, Rudy Rucker, Jr., and requested a cloned copy of the password database and keylogged data. The database includes only information stolen from the victims of the virus, not information about the perpetrator. The FBI wants indiscriminate access to the illegally extracted passwords and keystrokes of over two million people without so much as a warrant. Even with a warrant they would have to specify exactly what information they are after, on whom, and what they expect to find. Instead, they want it all and for no justifiable reason.
One of the most basic tenets of an authoritarian state is one that claims rights for itself that it denies its citizens. Surveillance is perhaps one of the most glaring examples of this in our society. Accordingly, rather than hand over the entire database to the FBI, MonkeyBrains has decided to open the database to the public. Now everyone (including the FBI) will be able to query which accounts have been compromised and search for their hostnames. Password and keylogged data will not be made available, for obvious legal reasons.
The implications of complying with the FBI's request, absent any legal authority, are staggering. This is information that no one, not even the FBI, could legally gather themselves. The fact that they seek to take advantage of this worm and benefit from its illicit spoils demonstrates the FBI's complete and utter contempt for constitutionally mandated due process and protection from unreasonable search and seizure. It defies reason that the FBI expects the American people to trust them to only look at certain permissible nuggets of data and ignore the rest of what they collect. One need only imagine what J. Edgar Hoover would do with today's expansive surveillance system, coupled with the new powers granted by the Patriot Act, to appreciate the Orwellian nightmare that the United States is becoming. The last thing the FBI should have is a spying Internet worm, and it looks like they've found one. Welcome to the Magic Lantern.
New Virus Developments
Happy New Year/W32 Maldal Virus
A mass-mailing Internet worm that purports to offer New Year greetings was spreading rapidly Wednesday, and is rumored to be the big Christmas virus that antivirus companies have been gearing up for.
The first copy of the virus was detected at 7:23am GMT December 19 2001 by security firm MessageLabs and is said to have originated from South Africa. By using a number of aliases, the e-mail worm has spread virulently throughout the day. MessageLabs has detected 925 incidents of the worm at an Internet level to date, from a number of countries across the globe.
"This won't be as big as Goner, but it is likely to be the biggest Christmas virus," said Alex Shipp, antivirus technology expert at MessageLabs.
The worm, operating under the guises of Zacker, Reeezak, Maldal and Keyluc, arrives with the subject header "Happy New Year" and contains a file attachment entitled "christmas.exe." It uses familiar social engineering tactics to entice recipients to double click on the attachment, before mailing itself and the victim's contact list to everyone in the contact's address book.
How to Recognize the Virus:
W32/Maldal.c@MM was discovered at 7:23am GMT 19 December 2001; it is the third variant of the W32/Maldal@MM family.
The mass-mailing worm arrives in an e-mail file attachment called "christmas.exe"; the file size is 37376 bytes. The worm uses the MS-Outlook address book to mass-mail itself.
The worm might also be using entries from MS-Messenger.
The worm sends RTF-based e-mail messages with:
-File Attachment: christmas.exe
-Subject: Happy New Year
-Body: Hi , I can't describe my feelings But all I can say is Happy new year
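The indicators above (subject line, attachment name, attachment size) are exactly what a mail gateway filter keys on. The following is an added example, written for this page and not code from MessageLabs or the original report: it parses raw messages with Python's standard email library and reports which Maldal indicators each one matches. The two sample messages are constructed here; the "worm-like" one carries a dummy payload of zero bytes padded to the reported 37376-byte size, not the worm itself.

```python
"""Mail-gateway check for the W32/Maldal.c@MM indicators quoted above (added example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators taken from the write-up above.
MALDAL_SUBJECT = "happy new year"
MALDAL_ATTACHMENT = "christmas.exe"
MALDAL_SIZE = 37376          # reported size of christmas.exe in bytes


def maldal_indicators(raw: bytes) -> list:
    """Return the list of Maldal indicators matched by one raw RFC 2822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == MALDAL_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == MALDAL_ATTACHMENT:
            hits.append("attachment-name")
            payload = part.get_payload(decode=True) or b""   # base64 is undone here
            if len(payload) == MALDAL_SIZE:
                hits.append("attachment-size")
        elif name.endswith(".exe"):
            hits.append("exe-attachment")
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Quarantine on the attachment name alone, or on the subject plus any .exe attachment.

    The name match is strong on its own; the subject alone is a legitimate greeting,
    so it only counts when combined with an executable attachment (a renamed variant).
    """
    hits = set(maldal_indicators(raw))
    return "attachment-name" in hits or {"subject", "exe-attachment"} <= hits


def build_sample(subject: str, body: str, attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Construct a sample message. Constructed test data, not a captured worm sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(attachment_bytes, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one mimicking the worm's headers with a dummy payload of the
# reported size, and one benign greeting with a harmless text attachment.
WORM_LIKE = build_sample("Happy New Year",
                         "Hi , I can't describe my feelings But all I can say is Happy new year",
                         "christmas.exe", b"\x00" * MALDAL_SIZE)
BENIGN = build_sample("Happy New Year", "Greetings from the team", "card.txt", b"Best wishes")

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, maldal_indicators(raw), "quarantine" if should_quarantine(raw) else "deliver")
```

Size is checked only after the name matches because a changed file size is the first thing a new variant alters; the name and the subject line are what the gateway can rely on until signatures catch up.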
Suspect Claims Al Qaeda Hacked Microsoft
The Story
Suspected member of the Al Qaeda terrorist network, Mohammad Afroze Abdul Razzak, claimed that Islamic militants infiltrated Microsoft and sabotaged the company's Windows XP operating system, according to a source close to Indian police.
Afroze, arrested by Mumbai (Bombay) police Oct. 2, has admitted to helping plot terrorist attacks in India, Britain and Australia, India's Hindustan Times newspaper reported Saturday.
During interrogation, Afroze, 25, also claimed that a member or members of Osama bin Laden's Al Qaeda network, posing as computer programmers, were able to gain employment at Microsoft and attempted to plant "trojans, trapdoors, and bugs in Windows XP," according to Ravi Visvesvaraya Prasad, a New Delhi information systems and telecommunication consultant.
Prasad, moderator of an Internet mailing list on south Asia security and information warfare, told us that Afroze made the claims in a police confession. Officials in the Mumbai police commissioner's office were not immediately available for comment.
Afroze has told Indian authorities that he was part of a team of Al Qaeda terrorists that planned to hijack an aircraft in London on Sept. 11 and crash it into the British House of Commons or into London's Tower Bridge, according to the Hindustan Times, which obtained parts of Afroze's confession.
British intelligence officials have dismissed the claims, according to a report last week in the Guardian, a British newspaper.
Microsoft spokesman Jim Desler said Afroze's claims about the company were "bizarre and unsubstantiated and should be treated skeptically."
According to Desler, Microsoft has rigorous processes in place during the development of Windows to ensure the security and integrity of source code.
Microsoft launched Windows XP in late October. While the company has already issued security patches for the software, no evidence of malicious code in the operating system has been reported.
Under interrogation, Afroze also warned Mumbai police that Al Qaeda was planning an attack on India's parliament complex in New Delhi, the Hindustan Times reported.
The Times of India reported last week that "official sources" believe Afroze is "very close" to Al Qaeda but that authorities find some of his claims inconsistent and "too theatrical to believe."
The Mumbai Police Cyber Crime Investigation Cell is at http://www.ccicmumbai.com .
Analysis
This report comes amid rumors that Microsoft with the aid of the Cult of the Dead Cow, an infamous hacker group responsible for the trojan horse virus Back Orifice, is installing a keylogging and web-traffic monitoring system in future versions of Windows XP for the marketing department and the USDOJ to share as well as reports of a major security flaw noted in the Windows XP operating system.
It is important to note, however, that whenever confronted publicly about the possibility of monitoring or any back-door access to users' machines, Microsoft has always flatly denied that any such system exists. Microsoft even presented the German Parliament with the opportunity to review the source code of Windows XP in a good faith effort to prove that it had no back-door systems involved.
As for the what-ifs and loopholes in Microsoft's statements -- Microsoft could be banking on the fact that the German Parliament wouldn't know heads from tails looking at the source code of the bloated beast that is Windows XP. Coupled with the fact that Microsoft is currently in a bind with the USDOJ, what with the monopoly hearings and all, they might be using this as a bargaining chip -- "Look, we can offer you a window into every PC user in the world's hard drive/web traffic logs." In the terrorist/cyber-terrorist/warez trafficker hunt mode the FBI is in right now, that would appear to be a very attractive offer.
Whether that capability is installed into WinXP by Al-Qa'ida, cDc, or Microsoft themselves is very doubtful, however. Rumors have flown about with every release of a new Microsoft operating system about how they are spying on your hard drive. In the past it has just been a scary bed-time story that Linux users and other open source OS users tell to scare their children at night. Likely that is what it is this time around.
It is important to note, however, that because of the major security flaw that allows hackers to seize control of your machine through a buffer overflow, you should patch your copy of XP if you are running it, using the patch that Microsoft provides at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34991. If you are running Windows 98, Windows 98se, Windows ME, or Windows XP, you are vulnerable, and should install the patch.
Feds Pick Next-Generation Encryption Standard
Story
The U.S. government on December 4, 2001 formally adopted its next-generation data encryption standard, aimed at better protecting government data transmission and storage. Known as the Advanced Encryption Standard (AES), this new algorithm will replace one first adopted by the federal government in 1977. The new standard is a 128-bit encryption algorithm based on a mathematical formula called Rijndael (pronounced "rhine doll") that was developed by cryptographers Joan Daemen at Proton World International and Vincent Rijmen at Katholieke Universiteit Leuven, both in Belgium.
The U.S. government first selected the pair's Rijndael algorithm to replace the two-decades-old Data Encryption Standard (DES) last year. A period of public comment and proposed revisions to the algorithm followed.
"Now it's an official standard," said Philip Bulman, an official at the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department. While there is no deadline for the government to switch over to AES, Bulman expects "federal agencies will start migrating" to the new algorithm shortly. In addition, it's likely that many companies in the private sector, particularly in financial services, will consider adopting AES as well, he said.
U.S. government officials said last year that they chose Rijndael for their next-generation encryption standard because of its "combination of security, performance, efficiency, ease of implementation and flexibility." Rijndael performed well on a variety of hardware and software platforms, they concluded. It uses relatively small amounts of memory, and it provides strong defense against several different kinds of attacks.
The new standard can support encryption key strength of 128, 192 and 256 bits, according to a government statement. More information about the standard is posted on the NIST Web site.
The federal government's recent decision to adopt the Advanced Encryption Standard (AES) for securing sensitive information will trigger a move from the aging Data Encryption Standard (DES) in the private sector, users and analysts said.
But don't expect it to happen overnight, they added. Technology standards bodies representing industries such as financial services and banking need to approve AES as well, and that will take time. And products such as wireless devices and virtual private networks that incorporate AES have yet to be developed. Corporations using Triple DES technologies, which offer much stronger forms of encryption than DES, will have to wait until low-cost AES implementations become available before a migration to the new standard makes sense from a price perspective.
"AES will likely not replace more than 30% of DES operations before 2004," said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.
Experts claim that the algorithm is small, fast and very hard to crack - it would take 149 trillion years to crack a single 128-bit AES key using today's computers.
In software, AES runs about six times as fast as Triple DES and is less CPU-intensive.
The advantages of AES make it inevitable that private corporations will start using it for encryption, said Paul Lamb, chief technology officer at Oil-Law Records Corp., a provider of regulatory and legal information to oil and natural gas companies in Oklahoma City.
Corporations will adopt AES "because of the perceived problems with DES and the greater sense of security with AES," he said.
"I would expect the adoption curve to be pretty steep," said Steve Lindstrom, an analyst at Framingham, Mass.-based Hurwitz Group Inc. Any concerns corporations had about AES not being widely adopted have been put to rest with the government's decision to adopt it for all encryption going forward, he added.
Analysis
The jury is still out on AES. I am currently polling my friends who roam encryption circles on what they think. Distributed.net (www.distributed.net) has yet to come out with a statement as of press time on the Rijndael algorithm, or a contest for it, but from a cursory look at the algorithm's statistics, it is quite impressive. DES (the former standard) keys are 56 bits long, which means there are approximately 7.2 x 10^16 possible DES keys. Thus, there are on the order of 10^21 times more AES 128-bit keys than DES 56-bit keys.
The information page on csrc.nist.gov accurately states that:
"In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message."
It goes on to say:
"Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old."
127.24 gigakeys per second is the rate at which distributed.net currently cracks away at RC5-64. This contest has been running for 4 years, and I believe at this time they estimate somewhere around another year to finally crack it. Undoubtedly, once encryption reaches the realm of 64-bit keys or more, you are talking about serious time to brute-force.
Time will tell how strong the encryption algorithm is, especially once the contest to break it is announced. The problem with keeping data secure these days generally isn't the strength of the encryption. Sure, the government is years behind in the effort to keep encryption secure, but the private sector and open source software groups have been using RC5-64 and RC5-128 for years with complete assurance of their security.
No, the problem with keeping data secure these days is keeping your passwords safe. With the trojan/keylogger battle going back and forth between the FBI and private hackers, the strength of the encryption is entirely a moot point if the key is intercepted prior to encryption.
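To check the arithmetic behind the DES/AES comparison above, the NIST "149 trillion years" figure, and the RC5-64 timeline, here is a small added example (mine, not from NIST or distributed.net). It assumes the usual brute-force model: an attacker who tries keys at a constant rate finds the right one after half the keyspace on average, and exhausts it in the worst case; the 127.24 gigakeys/s figure is taken from the paragraph above and treated as if it held constant for the whole contest, which it did not in reality.

```python
"""Brute-force cost arithmetic for the DES, AES-128 and RC5-64 figures above (added example)."""
SECONDS_PER_YEAR = 365.25 * 24 * 3600   # Julian year, close enough for order-of-magnitude work


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length."""
    return 1 << bits


def expected_trials(bits: int) -> int:
    """Average number of keys tried before the right one turns up (half the keyspace)."""
    return keyspace(bits) // 2


def expected_years(bits: int, keys_per_second: float) -> float:
    """Expected wall-clock years to brute-force one key at a constant trial rate."""
    return expected_trials(bits) / keys_per_second / SECONDS_PER_YEAR


def years_to_exhaust(bits: int, keys_per_second: float) -> float:
    """Worst-case years to try every key at a constant trial rate."""
    return keyspace(bits) / keys_per_second / SECONDS_PER_YEAR


def keyspace_ratio(bits_a: int, bits_b: int) -> int:
    """How many times larger the bits_a keyspace is than the bits_b keyspace (2^(a-b))."""
    return keyspace(bits_a) // keyspace(bits_b)


# Worked figures that the text quotes.
DES_KEYS = keyspace(56)                        # 7.2 x 10^16 possible DES keys
AES_OVER_DES = keyspace_ratio(128, 56)         # 2^72, about 4.7 x 10^21, "on the order of 10^21"
DES_CRACKER_RATE = 2 ** 55                     # NIST's hypothetical machine: a DES key per second
AES128_YEARS = expected_years(128, DES_CRACKER_RATE)   # about 1.5 x 10^14, the "149 trillion years"
RC5_64_RATE = 127.24e9                         # distributed.net rate quoted above (assumed constant)
RC5_64_EXHAUST_YEARS = years_to_exhaust(64, RC5_64_RATE)   # roughly 4.6 years for the full keyspace

if __name__ == "__main__":
    print(f"DES keys:            {DES_KEYS:.2e}")
    print(f"AES-128 / DES keys:  {AES_OVER_DES:.2e}")
    print(f"AES-128 at 2^55/s:   {AES128_YEARS:.3e} years")
    print(f"RC5-64 exhaustive:   {RC5_64_EXHAUST_YEARS:.2f} years at {RC5_64_RATE:.2e} keys/s")
```

The last line is the useful sanity check on the paragraph above: at the quoted rate, sweeping all 2^64 RC5-64 keys takes a little over four and a half years, which is consistent with a contest four years in and expected to finish in about a year more. The same functions show why a 128-bit key is not "twice as hard" as a 64-bit one: every added bit doubles the work, and 2^72 of those doublings separate DES from AES-128.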
---
Information wants to be free! Get your friends to subscribe to the Rizzn's Wartime Factbook update. An awareness in intelligence will result in our collective greater safety. Send them to http://factbook.notifylist.com
To view the facts surrounding the civilised world's war versus terrorism, go to http://factbook.diaryland.com. Updated daily!
Information in this briefing completely accurate to the knowledge of the O.S.I.S. as of: 2:25 PM 12/23/2001. Stay tuned for updates.
This briefing is a service of Rizzn Do'Urden, Rizzn's Wartime Factbook, and Parallad Studio's Open Source Intelligence Service.
Now playing: Cheech and Chong - Mexican Americans (AKAradio.com: Judo's Radio Revolution!)
Saturday, December 15, 2001
CyberWar Report #3: John Walker Lindh Supplemental
These are the notes for my interview with John Batchelor and John Alexander this evening (WABC 770am NYC @ 10:00pm EST), which I've compiled into a CWR. It is based almost entirely on the newsgroup postings of John Walker Lindh before his departure for Yemen and later Afghanistan.
/mark
CyberWar Report #3: John Walker Lindh Supplemental
The update as of December 15th, 2001
Report assembled by Mark Hopkins
<markhopkins@mindless.com>
of Parallad Studios OSIS Project
http://www.parallad.com
John Walker Lindh
Internet Profile and Analysis
Analysis
19 years old now, John Walker Lindh began showing his presence online around mid-1995 (Jun 30th, 1995) using the whimsical e-mail address "doodoo@hooked.net" and other similar variants, at age 14. From his posting style, his command of language is somewhat sophisticated; however, the subject of his posts was mostly inflammatory trolling to begin with, the kind that most experienced newsgroupers will skip, and that newbies/marks tend to respond to in kind.
He presented himself as a young, black hip-hop DJ. The majority of his usage of newsgroups was to buy and sell audio equipment, and occasionally other items such as console gaming systems, comics, and music collections, as well as occasionally to comment on others' posted lyrics or to post lyrics of his own.
It can be said of John Walker Lindh, or John Doe, as he was known in his hip-hop DJ'ing circles, that he was somewhat of an expert in the area of hip-hop music, and he had one of the first hip-hop web pages on the Internet, named "John Doe's Dukey Palace" (http://www.hooked.net/users/doodoo/index.html). Unfortunately, there exist no current archives of this page, and hooked.net is no longer independently owned (purchased by BOSS Technologies - hooked.net seemed to be an ISP that was somehow affiliated with the old famous ISP from SF, the Well (well.sf.ca.us - well.com)).
The attempt to get rid of his music collection in 1995 was most likely an attempt to convert to vinyl, since that is a better format for the dj wanting to mix music. In any case, it looks as if it was unsuccessful, because in 1997 he was still trying to sell the cds along with the vinyl for religious reasons.
In 1996, it is observed that he first started asking questions about the Islamic faith, wanting to know what music was forbidden by the Qur'an. Also in 1996, he began liquidating much of his personal belongings (comics, music, console gaming stations, equipment), presumably to buy audio equipment as well as a vinyl recording of Malcolm X speeches.
In 1997, he bought and sold a voluminous amount of audio equipment, as well as becoming more sure in his Islamic beliefs, no longer just asking questions but answering them as well. Towards the end of the year, he had what appears to be all of his audio equipment and music collection for sale on the marketplace newsgroups.
The last post he made regarding religion reflected what can be considered probably the most extreme version of Fundamentalist Islam in which he takes what some consider to be the anti-Semite position of differentiating between Zionism and Judaism.
I consulted my father John C. Hopkins (a psychologist), before concluding my analysis on John Walker Lindh. I noticed the rapid progression into Fundamentalist Islam, and from interviews with his parents (his Dad an Irish Catholic and his mom a Buddhist), the family and environment he was brought up in appeared to be quite hippy-happy, with no boundaries or rules imposed.
My armchair diagnosis was that there was a failure in the family somewhere, and that the parents could be blamed in some way for the descent into fanaticism. He agreed with me to a certain extent, but said there are three things that most people try to find out as they progress to adulthood: who they are, where they came from, and where they are going. He told me that spiritual instruction from parental figures does not always ensure that children will not rebel, but if this isn't received in the home, and the child is encouraged, as John Walker Lindh was, to find his own true path from an early age, there is no shortage of leaders in the world who are willing to fill that void, and in Lindh's case, not all of them good.
John Walker Lindh's Internet Profile
You can view these posts in their original format by going to www.dejanews.com and doing a search with the "author:" option using the following email addresses:
a) doodoo@hooked.net : from aug 12 1995 - aug 19 1997 (46 posts)
b) doodoo@tuna.hooked.net : from jun 30 1995 (1 post)
c) doodoo@also.hooked.net : from jul 07 1995 - jul 19 1995 (2 posts)
d) doodoo@bebe.hooked.net : from jul 01 1995 (1 post)
And the following website (offline - cache unrecovered as of yet):
e) http://www.hooked.net/users/doodoo/index.html
1995
news:rec.music.hip-hop
news:rec.games.video.marketplace
Flame about a generalization that "all black men should read this rhyme."
Flame criticizing some (ed: bad) lyrics.
Getting rid of part of his CD collection. (includes Ice Cube, Public Enemy, and Redman). The reason he lists is that he doesn't have a CD player (this fact, however, is refuted in his next post to rec.games.video.marketplace by his stating he has a Turbo Grafx CD System for sale, which will play audio CDs)
1996
news:rec.music.makers.marketplace
news:rec.games.video.marketplace
news:rec.music.hip-hop
news:alt.rap
news:rec.music.funky
news:alt.music.makers.dj
news:alt.religion.islam
WTB: a Roland MS-1 Sampler, Alesis D4 Drum Machine, SR-16 Drum Machine, Rack Mountable Ensoniq Mirage, Malcolm X Speeches on Vinyl, E-MU Drumulator.
FS: Sega Genesis System (with games), the same CDs he was trying to sell last year, the CD set that tends to come with Packard Bell computers in 1995-1996 MPC units, his well tended Marvel Comics Cards collection, his Daredevil 258-318 collection + misc other Marvel Comics (mint condition), tape of a freestyle performance collection.
First post to alt.religion.islam:
I've heard recently that certain musical instruments are forbidden by Islam. There is nothing in the Qur'an that I can find relating to this matter, and the Hadith that I've read were fairly vague.
My question is this: are in fact certain musical instruments haram, and if so, which instruments or types of instruments are they?
Thanks in advance to anyone who can help.
There were two responses: The first advised that drums were the only allowed instrument, but only before going to Jihad or at weddings. The second response said it was up to one's own logical faculties to decide what was "haram" (forbidden) or "not haram" -- as long as the music didn't lead to sexual behavior it shouldn't matter.
Flame on rec.music.hip-hop regarding drug usage and hip-hop in which he clearly states he looks down on drug usage as lowering ones conscience level.
1997
news:alt.music.midi
news:rec.music.makers.marketplace
news:rec.music.makers.synth
news:alt.religion.islam
news:soc.religion.islam
news:alt.rap
WTB: BOSS DR-660 DM, ARP AXXE or Moog Prodigy.
FS: Akai S01 Sampler, E-MU Drumulator, BOSS DR-660 DM, what appears to be his entire music collection.
Started signing his emails Mr. Mujahid (Arabic derivation of the word for holy warrior)
On alt.religion.islam, asked question: "are drawings of living things (besides plants) forbidden altogether?" There were no responses.
On soc.religion.islam, posted a call to fellow Muslims to show solidarity and not to quibble over petty differences.
On soc.religion.islam, posted a chime-in post mentioning his agreement that those who are Zionists are not Jews and vice versa.
---
Information in this briefing completely accurate to the knowledge of the O.S.I.S. as of: 2:24 PM 12/15/2001. Stay tuned for updates.
This briefing is a service of Rizzn Do'Urden, Rizzn's Wartime Factbook, and Parallad Studio's Open Source Intelligence Service.
Friday, November 30, 2001
CyberWar Update #2
The Virus Invasion portion is new material that I've been working on for a couple days, it first became relevant news about Tuesday of this week. The FBI vs. CIA is material I went over with John and Paul on their radio show on WABC last night (hear them on 770am 10-1 EST) -- included is a list of other tools that the FBI and CIA are currently employing in their effort to come in line with the online world. Included is a description how you can completely, legally and safely circumvent all the known ways of online federal monitoring. There are other ways to make it more safe, but these include tactics which are not allowed within the confines of the law, and I cannot suggest their usage for everyday purposes.
CyberWar Update #2
The update as of November 30th, 2001
Report assembled by Mark Hopkins
<markhopkins@mindless.com>
of Parallad Studios OSIS Project
There are two major fronts opening up in the cyber war, largely ignored by the major media. Computer security groups are noting the vast influx of email-propelled viruses. The other front largely ignored is the clash in surveillance policies and programs between the FBI and the CIA, reported only by Charles R. Smith of the Newsmax.com news service.
Virus Invasion
Badtrans is the name of the virus that is currently making the rounds and grinding email servers to a halt worldwide. There is much speculation by respectable theorists that this may be the much-talked-about keylogging virus the FBI is threatening to release on the public, known by the name Magic Lantern. Operationally, it fits the profile: it logs keystrokes to a temp file and, when the temp file reaches a certain size, mails the log file to a pre-specified recipient. The Badtrans virus has had a couple of modifications made to it over the last couple of weeks, making its transmission and operation smoother, and therefore more infectious and effective; however, it is reported that most commercially available anti-virus software still picks it up prior to infection.
The new version of the Badtrans virus activates embedded HTML in the email and automatically informs Microsoft email programs to activate the attached virus program. The virus also appears to activate the MP3 player.
There are three possible scenarios which would explain the origin of the Badtrans virus. The first, most obvious, and most widely accepted is that it is a simple keylogging virus put out by a random hacker to get users' usernames and passwords. The second theory is more of an addendum to the first: it is a virus put out by a random hacker at this time to try to create a buzz and make it look as if the FBI is targeting certain groups or demographics (this theory has been posited by many members of the OSINT group RMNews). The third theory is that this is in fact the second iteration of the Magic Lantern keylogger.
The first theory is supported by the simple fact that this sort of thing comes out on a fairly regular basis, and to assume that this virus is any different from the last 15 that have come out is pure conjecture -- at least at first glance. The third theory is supported by the plethora of news releases accompanying the virus's release that tell of the inner workings of the FBI's Magic Lantern keylogger. The operations are very similar in description, and a mass release in worm form is an effective means of distribution, even though the preferred method of delivery is reportedly the newly allowed ''sneak and peek'' method -- distribution through an email virus does seem a bit unconventional, a bit of a kludge-type attack. Granted, the FBI's technology teams have proven somewhat clueless about implementing internet technologies in the past, but this tends to lack the type of precision the FBI needs, and seems like it could lead to the type of legal trouble the FBI could ill afford.
All of this lends the most credence to the second theory: that it is most likely being used as an infowar tool, to make individuals feel as if they are being singled out by the FBI or other government agencies, since most virus detection systems alert the user to it and mention its purpose. It may have originally started out as the tool mentioned in theory one, but it has quickly become the tool mentioned in theory two.
FBI vs. CIA in Cyberspace
Most people who are in the intelligence community, and those who follow it, recognize that there was a vast intelligence failure leading up to the Sept. 11 attacks.
The FBI and CIA, the two agencies charged with law enforcement and intelligence operations, have taken the most heat for the failure. Both agencies had few areas of cooperation prior to Sept. 11. As it turns out, the FBI and CIA have suddenly found themselves in diametrically opposed roles inside cyberspace.
Below is a list of tools that would aid US Federal law
FBI tools:
Carnivore (http://www.fbi.gov/hq/lab/carnivore/carnlrgmap.htm)
The way Carnivore works, according to the diagrams and explanations on the FBI website, is to trap all data going through a certain point, make a copy, and send it back to a centralized point. The FBI is then able to sift through it using keyword searches.
Some time last year the FBI was forced by privacy advocates such as the ACLU and the EFF to reveal that it had a new software program called Carnivore designed to monitor Internet e-mail. The way the Carnivore system operates is not on home personal computers, or the client side, but on Internet Service Provider computers, or the server side. This allows the agency to siphon off data from suspected customers.
It is used only for looking through email, according to its description; *however*, from its description, it is also capable of sifting through web traffic. (Remember that.)
Magic Lantern
There is no official documentation on Magic Lantern on the FBI's website, but open source intelligence resources describe its operation and implementation as follows:
It is to be spread either by an agent manually infecting the machine, by inserting an infected disk or downloading the infection, or through targeted email virus infections (i.e., opening an email, and a hidden virus is installed on the victim's machine without his knowledge by way of the many security holes in email software).
It is a key-logging program, designed to intercept passwords and outgoing emails from the user's machine. It cannot log mouse clicks, however, which is its only weakness (i.e., if a user has encryption software installed and has the password stored locally, it can be activated by mouse clicks instead of a password being typed in, thus defeating the keylogging method).
dTective
Developed jointly by Ocean Systems Co. of Burtonsville, Md. (the software side) and Avid Technology Inc. (the hardware side). Its purpose is to trace the financial transactions linked to September's terrorist attacks against New York and Washington by enhancing ATM video surveillance images that were previously unusable due to bad lighting and the like.
Encase
Deleted file recovery tool. Used in cases where the suspect has done a clean-sweep deletion of the data on the hard drive.
CIA tools:
Triangle Boy/SafeWeb
Its original intent was to allow Asian surfers (primarily Chinese) to surf the web without government interference. It allowed them to bypass government blocking of websites, and to do so anonymously (at least to governments other than the United States).
Technically, this tool sponsored by the CIA could be used as an aid to hackers, as well as those hiding from governments and companies who filter what their users are able to see.
It could also be used as a device to in some way circumvent the FBI from positively tracking down the author of a message. Imagine if a terrorist sets up an account on Hotmail, but uses Triangle Boy to access it. The FBI would be able to determine what the content was, but would be unable to find the user by way of IP tracking. Nor would the FBI know what computer to put Magic Lantern on in case the user was employing a method of encryption, which would prevent the FBI from even seeing the content of the messages as well.
Fluent
Custom-written software scours foreign Web sites and displays information in English back to analysts. The program already understands at least nine languages, including Russian, French and Japanese. Not a remarkable piece of software; the same results that this software produces can be accomplished by combining the power of Digital's Babelfish project with Google's search engine software.
Echelon
Essentially a European Carnivore, not officially acknowledged by the US government.
Oasis
Technology that listens to worldwide television and radio broadcasts and transcribes detailed reports for analysts. Oasis currently misinterprets about one in every five words and has difficulty recognizing colloquial Arabic, but the system is improving, said Larry Fairchild, head of the CIA's year-old Office of Advanced Information Technology.
Conflicting tools:
The tool conflict between the CIA and the FBI is between the CIA's Triangle Boy utility and the FBI's Magic Lantern and Carnivore snooping utilities. Essentially, by using the Triangle Boy web proxy utility, or any commercially available approximation thereof, while simultaneously running any of a number of publicly available 128-bit encryption routines, you can effectively and completely block yourself off from any FBI monitoring.
What Triangle Boy allows you to do is surf the web anonymously. There are a couple of public projects on the internet that approximate what Triangle Boy does, such as its predecessor Anonymizer.com, probably the web's first public anonymous proxy server. By using this or a similar service to log on to a public, free email server, you have prevented the email server from logging your IP address, or in other words, a number that can be linked to your person.
To make your message completely unintelligible and unbreakable to the US Federal government, use 128-bit or better encryption methods, preferably the RC5 standard. Distributed.net has been working on a brute-force attack on the RC5 encryption routine (64-bit encryption) since 1998, using thousands of computers simultaneously on the project, and estimates it has a year left until it breaks the code. From this one can safely assume that by the time the government is able to break your message at 128 bits, the usefulness of the contents of the message will long since have passed, not to mention that most statutes of limitation will have expired in the process.
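The key-length argument above rests on exponential scaling, so here is an added illustration (not code from the original newsletter) that works it through in Python. It assumes, as a labelled simplification, that distributed.net's RC5-64 search ran at a uniform rate from 1998 until about a year after this update, roughly five years for the whole 2^64 keyspace; the age-of-universe figure is included only for scale.

```python
# Added illustration of the key-length scaling argument; not code from the
# original newsletter. Assumption (labelled): distributed.net's RC5-64 search
# is modelled as a uniform exhaustive search that began in 1998 and, as the
# text estimates, finishes about a year after November 2001, so roughly
# 5 years for the full 2**64 keyspace.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 1.38e10   # for scale comparison only


def implied_key_rate(key_bits: int, years_to_exhaust: float) -> float:
    """Average keys tried per second if the whole 2**key_bits space is
    exhausted in `years_to_exhaust` years."""
    return (2 ** key_bits) / (years_to_exhaust * SECONDS_PER_YEAR)


def brute_force_years(key_bits: int, keys_per_second: float) -> tuple:
    """(average, worst-case) years to find one key at the given rate.
    On average the key turns up after half the space has been searched."""
    worst = (2 ** key_bits) / keys_per_second / SECONDS_PER_YEAR
    return worst / 2, worst


def scaling_factor(from_bits: int, to_bits: int) -> int:
    """Each additional key bit doubles the work, so the factor depends only
    on the difference in key length, not on the attacker's hardware."""
    return 2 ** (to_bits - from_bits)


def scaling_table(base_bits: int = 64, base_years: float = 5.0,
                  speedup: float = 1.0,
                  targets=(56, 64, 80, 128)) -> dict:
    """Worst-case years for each target key length, at the rate implied by
    the base data point, optionally with hardware `speedup` times faster."""
    rate = implied_key_rate(base_bits, base_years) * speedup
    return {bits: brute_force_years(bits, rate)[1] for bits in targets}


def universes(years: float) -> float:
    """How many ages of the universe the given number of years amounts to."""
    return years / AGE_OF_UNIVERSE_YEARS


if __name__ == "__main__":
    for bits, years in scaling_table().items():
        print(f"{bits:3d}-bit key: {years:.3g} years worst case")
    # Even a million-fold faster attacker barely dents a 128-bit keyspace.
    fast = scaling_table(speedup=1e6)[128]
    print(f"128-bit key, 1e6x faster hardware: {fast:.3g} years "
          f"(~{universes(fast):.3g} ages of the universe)")
```

The table shows why the text's conclusion does not depend on the exact year distributed.net finishes: moving from 64 to 128 bits multiplies the search by 2^64 regardless of the starting rate.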
Vulnerabilities in the Magic Lantern Keylogger
The Magic Lantern keylogger is not only ineffective in accomplishing its purpose, by virtue of the CIA's and the private sector's privacy tools; it could also backfire on the federal government. Any technically savvy hacker could quite easily reverse engineer the product to either hack into the repository for the keylogged files or re-distribute the virus as an agent to gather his own data, especially if the government strikes deals with anti-virus makers to make the utility go unnoticed by their detection software.
Now playing: ScRaTcH mIx - track16 (AKAradio.com: Dr SoNy AnD bLaCk IcE's TaCo StAnD)
Thursday, November 29, 2001
A different front in the Cyberwar.
Rizzn's Wartime Factbook: http://factbook.diaryland.com/
The Best UAV: http://www.unmannedaircraft.com
FBI v. CIA Battle in Cyberspace
Charles R. Smith
Wednesday, Nov. 28, 2001
U.S. Agencies Battle Each Other on the Internet
The U.S. government is struggling to rebuild its image after it failed to discover the plot to attack America on Sept. 11.
The FBI and CIA, two agencies charged with law enforcement and intelligence operations, have taken the most heat for the failure. Both agencies had few areas of cooperation prior to Sept. 11.
Now the FBI and CIA have suddenly discovered conflicting roles inside cyberspace.
The FBI recently was forced to reveal another part of its Cyber-Knight project, an effort by the agency to monitor all Internet communications.
Last year the FBI was forced by privacy advocates to reveal that it had a new software program called Carnivore designed to monitor Internet e-mail. The Carnivore system is reportedly installed not on home personal computers but on Internet Service Provider computers, allowing the agency to siphon off data from suspected customers.
The FBI is reportedly using a new and improved version of Carnivore, a software program designed to monitor secure e-mail over the Internet. The new FBI program, called Magic Lantern, is described as key logger software designed to steal the pass phrase used to start the popular encryption program PGP, or Pretty Good Privacy.
A key logger program is designed to capture keystrokes - what a user keys in - and then store the data in a separate location for later retrieval by a hacker. The FBI plans to use Magic Lantern to capture PGP information to crack encrypted e-mail and intercept Internet data.
Magic Lantern Flaws
Magic Lantern reportedly can be sent in a fashion similar to several virus programs, either as an attachment via e-mail or downloaded from an infected Web site. However, the Magic Lantern program may also be mistaken for a virus program.
The sudden discovery of Magic Lantern caused a flurry of activity from computer software producers. Anti-virus software maker McAfee Associates denied a recent report that it was working with the FBI to ensure its software would not stop the Magic Lantern program. McAfee spokesman Tony Thompson denied it had any contact with the FBI on Magic Lantern.
According to an official statement by the anti-virus maker, "Network Associates/McAfee.com anti-virus programs will continue to protect our customers' computers from any program that intrudes into their system against their desires or without the knowledge of our customer."
Magic Lantern is also not perfect. Magic Lantern suffers from another flaw in that it is not designed to stop other popular computer encryption programs such as Softwar Pcypher and Mystx public key encryption systems.
These encryption software utilities do not use pass-phrase technology and are immune to Magic Lantern-type attacks. E-mail and data scrambling is done with the mouse using data keys that can be stored on offline diskettes, zip drives or CD disks.
CIA Triangle Boy
Yet, as the FBI struggles to introduce its new system to monitor the Internet, the CIA is working to develop a software program that thwarts government monitoring.
The CIA is a major sponsor of SafeWeb, a company that distributes a free program called Triangle Boy. Triangle Boy allows users to surf the Web anonymously. Citizens inside dictatorships are using the program to avoid monitoring by the oppressive regimes.
Triangle Boy operates much like a mail forwarding service. Each user request to view a Web page is scrambled and randomly sent to another machine, which actually performs the request, returning the data to the original user. Triangle Boy is very popular inside China, and the Chinese government is working hard on ways to counter secure access to the Internet.
SafeWeb reportedly receives hundreds of e-mails a day from grateful Triangle Boy users worldwide. However, SafeWeb's growing audience in China, Saudi Arabia, the United Arab Emirates and Syria is in direct conflict with FBI efforts to monitor potential terrorist communications.
Despite the concerns, Triangle Boy's developer, SafeWeb's CEO Stephen Hsu, claims terrorists would not use the program.
"A terrorist would be crazy to use SafeWeb," stated Hsu, who noted that the CIA backs his company.
Yet Triangle Boy can be abused, and software vendors have rushed to develop new programs designed to counter the CIA's secure Internet browser.
Porn or Politics?
"I knew that if I knew about Triangle Boy, anybody who was really interested in porn would know about it too," stated Ed Miller, a security operations manager at Computer Sciences Corp.
Filtering vendor 8e6 Technologies, whose customers include major companies such as Computer Sciences Corp., recently developed a way to block Triangle Boy. 8e6 Technologies declined to comment on how its X-Stop filtering system disables Triangle Boy.
"Several IT (information technology) people at the universities and schools that I consult for did extensive research into this," noted Eric Gerlach, a Network Integration Consultant for Southwestern Bell Telephone.
"I have a few insights and an easy fix for it," noted Gerlach.
Ironically, many inside the computer security field declined to describe ways to stop Triangle Boy - not for technical reasons but for political reasons.
Software experts are usually anxious to publish flaws inside Microsoft operating systems or other major software packages. Yet this is not the case for Triangle Boy.
"Normally, I'm all for publishing flaws in software, but on this one I have to vote against," stated one computer security expert located in the Netherlands.
"The Chinese finally have access to the Internet. The flaws could be used by the Chinese government to block the Internet once again."
http://www.newsmax.com/archives/articles/2001/11/28/142513.shtml