Computer underground Digest Sun Mar 5, 1995 Volume 7 : Issue 18 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Semi-retiring Shadow Archivist: Stanton McCandlish Correspondent Extra-ordinaire: David Smith Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Monster Editor: Loch Nesshrdlu CONTENTS, #7.18 (Sun, Mar 5, 1995) File 1--Review of _The Virus Creation Labs_ (by George Smith) File 2--The Virus Creation Labs: an excerpt File 3--Re: Press Coverage Bloopers in the Mitnick Story (CuD 7.16) File 4--Italian BBS Charged with "Subversion" File 5--Cu Digest Header Info (unchanged since 26 Feb, 1995) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. ---------------------------------------------------------------------- Date: Thu, 2 Mar 1995 21:13:33 CST From: CuD Moderators Subject: File 1--Review of _The Virus Creation Labs_ (by George Smith) There are relatively few books on the "computer underground" that provide richly descriptive commentary and analysis of personalities and culture that simultaneously grab the reader with entertaining prose. Among the classics are Cliff Stoll's _The Cuckoo's Egg_, Katie Hafner and John Markoff's _Cyberpunks_, and Bruce Sterling's _The Hacker Crackdown_. Add George Smith's _The Virus Creation Labs_ to the list. _Virus Creation Labs_ is about viruses as M*A*S*H is about war. Computer viruses are simply a window through which Smith guides our gaze into a bizarre Pirandellian world of inflated egos, malicious territorialism, questionable ethics, and avarice, about equally divided between the moral entrepreneurs amongst virus fighters and their nemesis, the virus writers. Smith writes with irony, cynical humor, and well-researched prose to provide insights into the symbiotic, chaotic, and oft-times seemingly pathological relationship between churlish virus writers and the equally churlish anti-virus moral entrepreneurs. At the outset, Smith makes it clear that his is neither a technical tome nor an expose. Although his text reads with the ease of a novel, the subtext is a biting commentary on the Manichean world view possessed by many in the phalleocentric anti-virus community and on the maturity-challenged actions of many of the virus writers who coexist in an uneasy partnership of co-dependency. Smith begins his narrative with the Michelangelo virus hysteria of 1992, which, he explains, launched his own interest in viruses: It sent me down the trail to the rim of cyberspace in search of people who, perhaps not surprisingly, turned out to be pretty much like most Americans, except with an order of magnitude greater interest in the inner workings of the desktop personal computer. Like most of us, there wasn't a nobleman in the lot--and there were none among the ranks of the antivirus software developers and security consultants who consider themselves the gatekeepers at a fantasy wall of their own construction erected between the Wild West of cyberspace and the mannered, sterile environment of safe home and business computing (p. 2). Smith argues with some persuasiveness that Michelangelo was fueled largely by the anti-virus industry who, while seeming to magnaminously provide the public with free cleansing software, in fact hyped the virus to the media to dramatize the dangers of this and other viruses as an effective commercial strategy. Although Smith is hardly the first to make this accusation, he is the first to provide a strong argument. He notes, for example, that Compuserve made $100,000 in on line charges from the McAfee forum, the source of anti-virus software author John McAfee, in the days prior to March 6, the date the virus was supposed to strike (p. 7), and notes how the virus threat allowed McAfee to gain major dominance of the U.S. anti-virus software market. Smith notes that some anti-virus experts, such as Pam Kane, tried to temper the hysteria with reasoned writings, but she and a few others were out-shouted by the "vendor-created hysteria:" It's a venal pattern repeated over and over: Anti-virus software manufactures and security consultants carping at each other and conducting back-stabbing negative publicity campaigns in the computer or mainstream press, complicated by the entrenched practice within computer industry publishing houses allowing corporate heads or their catspaws to write books and reviews focused on their merchandise. These tricks tend to be hidden behind mock concern over high-tech petty atrocities usually perpetrated by mysterious, unseen computer vandals or hackers. Like many hardscrabble businessmen vying for commercial advantage in an increasingly confined arena dominated by one company, such tactics grant them all the charm and panache of a 60-pound bag of money-mad cockroaches (p 18). Among the anti-virus faction Smith singles out as especially dubious are John Buchanan, who is described as a mercenary and a-moral huckster with little technical talent but a bent for self-promotion, and Alan Solomon, who is portrayed as a territorial, mean-spirited busy-body. Was Solomon at least partly responsible for the one of the most mean-spirited and unethical acts on the nets? Smith implies that he was. Paul Ferguson, "an obscure security consultant," wrote an anonymous letter to RISKS Digests. In the anonymous letter, Ferguson engaged in a good bit of disingenuous diatribe, character assassination, and hysteria to complain that AIS BBS, a general-information BBS run by the Treasury Department's Office of Public Debt, was engaged in unethical and likely illegal distribution of virus source code. A copy of the post was sent to Congress, and an inquiry began. Ferguson was later exposed as the letter's author, but not before his cowardly action brought the roof down on the AIS sysop, a young woman with a military background and substantial integrity. The story was picked up by the national media, and the "good ol' boys" in the anti-virus crowd succeeded in illustrating that, in the name of their sacred cause, they were not above engaging in actions as reprehensible as those they claimed to opposed. Like the virus writers, Ferguson and his cronies displayed no honor in their devious assault on a security expert whose opposition to viruses was no less than their own. So much for ethics. It should be noted that Smith does not dispute the need for anti-virus software, and he gives credit to those anti-virus authors who make products that work. His intent is not to disparage talent where it exists. Instead he criticizes the social organization of the culture, its exclusiveness, and the often self-serving shennanigans of some of the practitioners. Smith is no less gentle on most virus writers than he is on the anti-virus crowd. A few, such as Little Loc, the teenager who wrote Satan Bug, and the mysterious Dark Avenger, depicted as one of the most brilliant of virus writers, are acknowledged for their talents, but not romanticized. Most virus writers, Smith argues, are simply untalented kids capable of modifying source code (or running "virus creation software"), but not of doing any real programming. Although here I've emphasized some of Smith's discussion of the anti-virus crowd, he covers both groups fairly evenly. What do we learn from Smith's book? First, he provides a new look at the relationship between virus writers and anti-virus software developers. We learn that the former are not demons and the latter, as a group, are hardly altruistic heroes. Second, we learn that there is a difference between those who write viruses and those who plant them. Smith displays an intellectual appreciation for the talents of competent programers (of all types), but shares hostility for vandals, "wannabes," and those who prey on others. Third, Smith describes in nifty detail the workings of both virus and anti-virus cultures, and suggests a symbiosis by which each culture is driven. Finally, Smith drives home the lesson that the best protection against viruses is simple common sense: Maintain clean disks, make regular backups, and practice "safe hex." That _The Virus Creation Labs_ is both well-written and well researched is no surprise. Smith, a chemistry Phd, combines a scholars eye with the skills he honed as a journalist. If he had chosen a major publisher for his manuscript, a light routine editing would smooth over some of the rough edges, and there likely would have been an index included. However, a major publisher would also have more than doubled the price of the book. While there always minor flaws in all books, and although not all readers will share the perspective or some of the conclusions, _The Virus Creation Labs_ is one of the best descriptions of this slice of computer culture to date. The book will serve as a handy resource or a supplement for classes. Unfortunately, it's not available in bookstores, and must be ordered directly from American Eagle Publications, an unwise marketing move. But, it's well-worth ordering. "The Virus Creation Labs: A Journey Into the Underground" by George Smith (American Eagle, ISBN 0-929408-09-8, paperback, $12.95) Orders: Mark Ludwig American Eagle POB 41401 Tucson, AZ 85717 ameagle@mcimail.com (602)888-4957 toll free: 1-800-719-4957 American Eagle Publications is the work of Mark Ludwig, a physics graduate of Caltech, who was recently profiled in WIRED magazine as a scientist who publishes books on computer viruses, artificial life and the cutting edge of cyberspace. ------------------------------ Date: 19 Jan 95 15:17:53 EST From: george c smith <70743.1711@COMPUSERVE.COM> Subject: File 2--The Virus Creation Labs: an excerpt ------------------------------------------------------------ For Computer underground Digest, an excerpt from the newly published book, "The Virus Creation Labs: A Journey Into the Underground" by George Smith (ISBN 0-929408-09-8, American Eagle) "The Virus Creation Labs" is $12.95. The publisher can be contacted at: American Eagle POB 41401 Tucson, AZ 85717 e-mail: ameagle@mcimail.com ph: 1-602-888-4957 1-800-719-4957 ------------------------------------------------------------ A Priest Deploys his Satanic Minions Everyone knows the best virus writers hang out on secret bulletin board systems, the bedroom bohemias of the computer underground, right? Wrong. In mid-1992, a 16-year-old hacker from San Diego who called himself Little Loc signed on to the Prodigy on-line service for his virus information needs. The experience was not quite what he expected. Prodigy had a reputation in 1992 as the on-line service for middle-class Americans who could stand mind-roasting amounts of retail advertising on their computer screens as long as they had relatively free access to an almost infinite number of public electronic mail forums devoted to callers' hobbies. Since Prodigy's pricing scheme was ridiculously cheap per hour, it was quite seductive for callers to spend an hour or two a night sifting through endless strings of messages just to engage in a little cyberspace chit-chat. Into this living-room atmosphere stepped Little Loc, logged on as James Gentile, looking for anyone to talk with about computer viruses, particularly his idea of properly written computer viruses. Little Loc, you see, had written a mutating virus which infected most of the programs on a system dangerously quickly. If you were using anti-virus software that didn't properly recognize the virus - and at the time it was written none did - the very process of looking for it on a machine would spread it to every possible program on a computer's hard disk. While many viruses were trivial toys, Satan Bug, which is what Little Loc called his program, was sophisticated enough to pose a real hazard. The trouble was, Little Loc was dying to tell people about Satan Bug. But he had no one to talk to who would understand. That's where Prodigy came in. Prodigy, thought Little Loc, must have some hacker discussions, even if they were feeble, centered on viruses. It was a quaintly naive assumption. The Satan Bug was named after a Seventies telemovie starring George Maharis, Anne Francis and a sinister Richard Basehart in a race to find a planet-sterilizing super virus stolen from a U.S. bio-warfare lab. Little Loc had never actually seen the movie, but he'd run across the name in a copy of TV Guide and it sounded cool, so he used it for his digital creation. Satan Bug was the second virus he had electronically published. The first was named Fruitfly but it was a slow, tame infector so the hacker didn't push it. A bigger inspiration for Satan Bug was the work of the Dark Avenger, the shadowy Bulgarian virus programmer whom anti-virus software p.r. men and others had elevated to the stature of world's greatest virus writer. Little Loc was fascinated by the viruses attributed to Dark Avenger. The Dark Avenger obviously knew how real computer viruses should be written, thought Little Loc. None of his programs were like the silly crap that composed most of the files stocked by the computer underground. For example, his Eddie virus - also known as Dark Avenger - had gained a reputation as a program to be reckoned with. It pushed fast infection to a fine art, using the very process anti-virus programs used to examine files as an opportunity to corrupt them with its presence. If someone suspected they had a virus, scanned for it and Eddie was in memory but not detected, the anti-virus software would be subverted, spreading Eddie to every program on the disk in one sweep. Eddie would also mangle a part of the machine's command shell when it jumped into memory from an infected program. When this happened, the command processor would reload itself from the hard disk and promptly be infected, too. This put the Eddie virus in total charge of the machine. From that point on, every sixteen infections, the virus would take a pot shot at a sector of the hard disk, obliterating a small piece of data. If the data were part of a never-used program, it could go unnoticed. So as long as the Eddie virus was in command, the user stood a good chance of having to deal with a slow, creeping corruption of his programs and data. Little Loc was a good student of the Dark Avenger's programming and although he was completely self-taught, he had more native ability than all of the other virus programmers in the phalcon/SKISM and NuKE hacking groups. "[Virus writing] was something to do besides blasting furballs in Wing Commander," he said blithely when asked about the origins of his career as a virtuoso virus writer. Accordingly, the Satan Bug was just as fast an infector as Eddie and it, too, would immediately go after the command shell when launched into memory from an infected program. But Satan Bug was very cleverly encrypted, whereas Eddie was not, and it extended these encryption tricks so that it was cloaked in computer memory, a feature somewhat unusual in computer viruses but popularized by another program called The Whale which intrigued Little Loc. The Whale was a German virus which - theoretically - was the most complex of all computer viruses. It was packed with code which was supposed to make it stealthy -- invisible to certain anti-virus software techniques. It was armored with anti-debugging code and devilishly encrypted, designed purely to flummox anti-virus software developers trying to examine it. They would often mention it as an example of a super stealth virus to mystified science and technology writers looking for good copy. In practice, The Whale was what one might call anti-stealth. Although it was all the things mentioned and more, when run on any machine, The Whale's processes were so cumbersome the computer would be forced to slow to a crawl. Indeed, it was a clever fellow who could get The Whale to consent to infect even one program. The Whale appeared to be purely an intellectual challenge for programmers. It was intended to mesmerize anti-virus software developers and suck them into spending hours analyzing it. Little Loc, too, was drawn to it. He pored over the German language disassembly of The Whale's source code. The hacker even made a version that wasn't encrypted, pulling out the code which The Whale used to generate its score of mutant variations. It didn't help. The Whale, even when disassembled, was loathe to let go of its secrets and remained a slow, obstinately uninfective puzzle. Have you gotten the idea that Prodigy callers might not be the perfect choice as an audience to appreciate Little Loc's Satan Bug? Nevertheless, Little Loc landed on Prodigy with a thud. He described the Satan Bug and invited anyone who was interested to pick up a copy of its source code at a bulletin board system where he'd stashed it. Immediately, the hacker got into a rhubarb with a Prodigy member named Henri Delger. Delger was, for want of a better description, the Prodigy network's unpaid computer virus help desk manager. Every night, Delger would log on and look for the messages of users who had questions about computer viruses. If they just wanted general information, Delger would supply it. If they had some kind of computer glitch which they thought might be a virus, Delger would hold their hand until they calmed down, and then tell them what to do. And, for the few who had computer virus infections, Delger would try to identify the virus and recommend software, usually McAfee Associates' SCAN, which would remedy the problem. Little Loc was annoyed by Delger, whom he thought was merely a shill for McAfee Associates. Since Delger answered so many questions on Prodigy, he had a set of canned answers which he would employ to make the workload lighter. The canned answers tended to antagonize Little Loc and other younger callers who fancied themselves hackers, too. Prodigy's liberal demo account policy allowed some of these young callers to get access to the network under assumed names like "Orion Rogue." This allowed them to be rude and truculent, at least for a few days, to paying Prodigy customers. These techno-popinjays, of course, immediately sided with Little Loc, which didn't do much for the virus programmer's credibility. There was often quite a bit of talk about viruses and Delger would supply much of the information, typing up brief summaries of virus effects embroidered with his own experiences analyzing viruses. "You're not a programmer!" Little Loc would storm at Delger. If you weren't a programmer, you couldn't understand viruses, insisted the author of Satan Bug. Little Loc would correct minor technical errors Delger made when describing the programs. In retaliation, Delger would calmly point out the spelling mistakes made by Little Loc and his colleagues. It was quite a flame war. On one side was Little Loc, who gamely tried to get callers to appreciate the technical qualities of some viruses. On the other side was a bunch of middle-aged computer hobbyists who were convinced all virus writers were illiterate teenage nincompoops in need of serious jail time, or perhaps a sound beating. The debates drew a big audience, including another hacker named Brian Oblivion, whose Waco, Texas, bulletin board, Caustic Contagion, would provide a brief haven for Satan Bug's author. Little Loc, however, soon found other places that would accept his virus source code. Kim Clancy's famous Department of the Treasury Security Branch system was among them. Little Loc logged on and proffered Satan Bug. The Hell Pit - a huge virus exchange in a suburb of Chicago - had its phone number posted on Prodigy, as was that of one called Dark Coffin, a system in eastern Pennsylvania. Dutifully, Little Loc couriered his virus to these systems, too. Satan Bug was a difficult virus to detect. Although in a pinch you could find Satan Bug because of a trick change it made to an infected program's date/time stamp, for all intents and purposes Satan Bug was transparent to anti-virus scanners. And this window of opportunity stayed open for a surprising amount of time despite the fact that Little Loc had supplied the Satan Bug to all the public virus exchanges patrolled by anti-virus moles. Little Loc stood apart from other virus programmers who seemed to have little interest in whether their creations made it into the public's computers. The real travel of his virus around the world would grant him recognition like that of the Dark Avenger, he thought. So, he wanted people to take Satan Bug and infect the software of others, period. Months later, after the virus had struck down the Secret Service network clear across the continent, I asked Little Loc how it might have gotten into the wild in large enough numbers so that it eventually found its way into such a supposedly secure system. "I'll tell you this once and only once: Satan Bug had help!" he said, simply. After his Prodigy debut and before Satan Bug hit the Secret Service, Little Loc was recruited by the virus-writing group phalcon/SKISM, changing his handle in the process to Priest. Joining phalcon/SKISM didn't necessarily mean you were going to virus writing conventions in cyberspace with other members of the group, but it was a badge of status signifying to others in the computer underground who required such things that you had arrived, as a virus writer anyway. Since Priest lived on the West Coast, however, and the brain trust of phalcon/SKISM was located in the metro-NYC area, there was little concrete collaboration between the two, especially after Priest racked up a $600 telephone bill calling bulletin boards. Since Priest didn't hack free phone service, his family had to pay the bill, which effectively cut down on much of his long distance telephone contact bulletin board systems like Caustic Contagion in Waco, Texas. Caustic Contagion, for a short period of time, was one of the better known virus exchange bulletin board systems. Its sysop, Brian Oblivion, had an extremely liberal policy with regards to virus access and carried a large number of Internet/Usenet newsgroups which gave callers a semblance of access to the Internet. Caustic Contagion's other specialty, besides viruses, was Star Trek newsgroups and for some reason which completely eludes me, the BBS's callers found the convergence of computer viruses and Star Trek debate extremely congenial. Priest and another phalcon/SKISM virus writer named Memory Lapse would hang out on Caustic Contagion. Quite naturally, Oblivion's bulletin board was one of the first places to receive the programmers' newest creations, often before they were published in phalcon/SKISM's electronic publication, 40Hex magazine. Priest's next virus was Payback and it was written to punish the mainstream computing community for the arrest of Apache Warrior, the "president" of ARCV, a rather harmless but vocal English virus-writing group which had been undone when Alan Solomon, an anti-virus software developer, was able to convince New Scotland Yard's computer crime unit to seize the hacking group's equipment and software in a series of surprise raids. Priest's Payback virus would format the hard disk in memory of this event. Payback gathered little attention in the underground, mostly because few people knew much about ARCV and Apache Warrior in the first place. Another of Priest's interests was the set of anti-virus programs issued by the Dutch company, Thunderbyte. The product of a virus researcher named Frans Veldman, the Thunderbyte programs were regarded by most virus writers as the anti-virus programs of choice. They were sophisticated, technically sweet and put to shame similar software marketed by McAfee Associates, Central Point Software, and Symantec, which manufactured the Norton Anti-virus. One of Frans Veldman's programs, called TBClean, was of particular interest to Priest and others because it claimed to be able to remove completely unknown viruses from infected files. How it did this was a neat trick. Essentially, TBClean would execute the virus-infected file in a controlled environment and try to take advantage of the fact that the virus always had to reassemble in memory an uncontaminated copy of the infected program to make it work properly. TBClean would intercept this action and write the program back to the hard disk sans virus. Priest and virus writer Rock Steady, the leader of the NuKE virus-writing group, had also noticed the phenomenon. Both tried writing viruses that would subvert the process and turn TBClean upon itself. Priest wrote Jackal, a virus which - under the proper conditions - would sense TBClean trying to execute it, step outside the Thunderbyte software's controls and format the hard disk. In theory, this made Priest's virus the worst kind of retaliating program, with the potential to destructively strip unsuspecting users' hard disks of their data when they tried to disinfect their machines. (It couldn't happen if you just manually erased the Jackal-virus-infected program, but many people who use computers as part of everyday work simply want the option of having the software remove viruses. They don't want to have to worry about the technicalities of retaliating viruses designed to smash their data if they have the temerity to use anti-virus software.) Of course, Jackal's development was deemed a great propaganda victory by the North American virus underground. Rock Steady nonsensically insisted Frans Veldman's programs were dangerous software because TBClean could be made to augment a virus infection instead of remove it. Brian Oblivion immediately tried Jackal out. It didn't work, he said, but only caused TBClean to hang up his machine. This was because Jackal was version specific, explained Priest. It would only work on certain editions of the program. In reality, this meant that Jackal's retaliating capability posed little threat to typical computer users, who had never heard of the virus-programmer's favorite software, Thunderbyte, much less TBClean. Nevertheless, Priest continued to write the TBClean subverting trick into his viruses, including it in Natas (that's Satan spelled backwards), which eventually got loose in Mexico City in the spring of 1994. All the routines to format a computer's hard disk and to slowly corrupt data ala the Eddie virus, which Priest had designed his Predator virus to do, made it clear the hacker cared little for any of the finer arguments over the value of computer viruses which were entertained from time to time by denizens of the underground as well as academics. Viruses were for getting your name around, infecting files and destroying data, according to Priest. He just laughed when the topic of ethical or productive uses of computer viruses -- such as the study of artificial life -- came up. In any case, by the fall of 1993, after Priest had retired from the Prodigy scene, Satan Bug was generating its own kind of media-fueled panic. On the Compuserve network, hysterical government employees were posting nonsensical alarums about the virus in the McAfee Associates virus information special interest group. "Satan's Bug" was part of a foreign power's attempt to sabotage government computers! It was encrypted in nine different ways and was "eating" your data! A State Department alarm had started! Wherever the information about "Satan's Bug" was coming from, it was 100 percent phlogiston. Satan Bug was hardly aimed at government computer systems. It did not "eat" anything and although difficult for many anti-virus programs to scan, the virus could be found on infected systems by making good use of software designed to take a snapshot of the vital statistics of computer files and sound an alarm when these changed, which always happened when Satan Bug added itself to programs. Even more amusing was the suspicion that Satan Bug had been inserted on government computers by some undisclosed foreign country, from whence it originated. I suppose, however, some people might consider Southern California a foreign country. Priest enjoyed reading these kinds of things. His virus was famous, an obvious source of confusion and hysteria. About the same time, the Secret Service's computer network in Washington, D.C., was infected by the virus, which knocked the infected machines off-line for approximately three days. News about the event was tough to keep secret among government employees and it leaked. The Crypt Newsletter published a short news piece in its September 1993 issue on the event and reported that the infection had been cleaned up by David Stang, formerly of the National Computer Security Association, but now providing anti-virus and security guidance for Norman Data Defense Systems in Fairfax, northern Virginia. Jack Lewis, head of the Secret Service's computer crime unit, and two other agents flew out to interrogate Priest in his San Diego home in October of 1993. Lewis and the other agents gave Priest the third degree. They shook a printed-out copy of The Crypt Newsletter containing the Satan Bug story in his face and did everything in their power to make Priest think he ought to cease and desist writing computer viruses forthwith. "About the Secret Service, they weren't too happy about [Satan Bug], and saw fit to pay me a little visit," recalled Priest ruefully. The agents wanted to know everything about Priest - his Social Security number, where he'd travelled, even who the 16-year-old worked for. But Priest didn't work for anyone. "I'm not quite sure they believed me," he said. "Apparently, they thought I worked for some anti-virus company or something to write viruses. Plus, they wanted the sources for them." The Secret Service men wanted to know, straight from the horse's mouth, what Satan Bug did. "They said some victims were worried their systems weren't completely clean because they thought it might infect data files," Priest continued. "I told them it wouldn't. They also wanted my opinion on things which surprised me, like different anti-virus programs and encryption algorithms, including Clipper. I didn't ask why. "Jack Lewis also said someone claimed I said 'All government computers will be infected by December' or some such rubbish. Apparently, they thought I wrote Satan Bug as a weapon against the government or whatever, I can't be too sure . . ." Priest told them no, Satan Bug wasn't specifically aimed at government computers, but it was hard to tell if the agents believed him. They were trained to reveal little, and to be unnerving to those interviewed. "They just stared," Priest said, "as they did in response to every question I asked, including 'what's your name?' I tried - really tried - to act cool, but my heart was pounding like a hummingbird's." The agents were keenly interested in Priest's other handles, all the viruses he had written, which, if any, computer systems he might have spread them on, the names of some phalcon/SKISM members and the structure of the virus-writing group and details of their hacking exploits. Priest declined to say anything about the identities of members of phalcon/SKISM. "I told them I knew nothing of the hackers and phreakers, and little more than you could pick up from reading an issue of 40Hex." Priest was more interested in other secretive agencies within the government. He cultivated an interest in stories about deep black intelligence agencies. Perhaps he envisioned himself writing destructive viruses as part of a covert weapons project for one of them. "Aren't there any other agencies which would be more interested in what I'm doing?" Priest asked the agents. He didn't get an answer. Eventually, the Secret Servicemen went away with a Priest-autographed printout of the source code to Satan Bug. Programming Satan Bug had turned out to be richly rewarding for Priest. Not only had it gotten him recognized immediately in the computer underground, it had made him feared in the trenches of corporate America to the point where the Secret Service had felt compelled to intervene. Since the Satan Bug panic was a golden opportunity for anti-virus vendors to once again market wares, the stories in the computing press kept coming. LAN Times put the virus on the front page of its November 1 issue with the headline, "Be on the Lookout for the Diabolical 'Satan Bug' Virus." LAN Times East Coast bureau chief Laura Didio wrote "the Satan Bug is designed to circumvent the security facilities in Novell Inc. Netware's NETX program, thereby allowing it to spread across networks." While Satan Bug may have certainly spread across networks, it had nothing to do with the virus's design. It seemed no matter the truth about Satan Bug, the story just got more pumped up with phlogiston and air as it rolled along. "What's NETX?" asked Priest when he heard about the LAN Times article. Of course, the LAN Times article accurately served as an advertisement for the Satan Bug-detecting software of Norman Data Defense Systems and McAfee Associates. Priest, meanwhile, continued to work on viruses. He had just completed Natas, which he'd turned over to the Secret Service and to phalcon/SKISM for publication in an issue of 40Hex. He also uploaded the virus to a couple of bulletin board systems in Southern California. And he finished a very small, 96-byte .COM program-infecting virus. And there were other things he was working on, he said. The most interesting fallout from the Secret Service visit was a job offer from David Stang at Norman Data Defense Systems, said Priest. Stang wanted the virus programmer to come to work for him, starting in the summer of 1994, after the hacker finished high school. Priest said Stang was interested in his opinion about the use of virus code in anti-virus software. Such code wasn't copyrighted, so it was fair game. Priest thought this was a bad idea. Too much virus code, in his opinion, was crappy anyway, so why would anyone want to use it? But Priest said he would think about the job offer. By May 1994, Priest's Natas virus had cropped up in Mexico City, where, according to one anti-virus software developer, it had been spread by a consultant providing anti-virus software services. Through ignorance and incompetence, the consultant had gotten Natas attached to a copy of the anti-virus software he was using. However, like most of Priest's viruses, Natas was a bit more than most software could handle. The software detected Natas in programs but not in an area of the hard disk known as the master boot record, where the virus also hid itself. The result was tragicomic. The consultant would search computers for viruses. The software would find Natas! Golly, the consultant would think, "Natas is here! I better check other computers, too." And so, the consultant would take his Natas-infected software to other computers where, quite naturally, it would also detect Natas as it spread the virus to the master boot record, a part of the computer where the software could not detect Priest's program. Natas had come to Mexico from Southern California. The consultant often frequented a virus exchange bulletin board system in Santa Clarita which not only stocked Natas, but also the issue of 40Hex that contained its source code. He had downloaded the virus, perhaps not fully understood what he was dealing with, and a month or so later uploaded a desperate plea for help with Priest's out-of-control program. You could tell from the date on the electronic cry for help -- May 1994 -- when Natas began being a real problem in Mexico. Natas was another typical tricky Priest program. When in computer memory, it masked itself in infected programs and made them appear uninfected. It would also retrieve a copy of the uninfected master boot record it carried encrypted in its body and fake out the user by showing it to him if he tried to go looking for it there. Natas also infected diskettes and spread quickly to programs when they were viewed, copied or looked at by anti-virus software. It was fair to say that computer services providers wielding anti-virus software in a casual manner ought not to have been allowed anywhere near Natas. Back in San Diego, Priest was still being interviewed on the telephone by David Stang and other associates at Norman Data Defense Systems. They were concerned that Priest might leak proprietary secrets to competitors after hiring, so it was a must that he be absolutely sure of the seriousness of his potential employment. By the end of the interview, Priest thought he didn't have much of a chance at the job, but by July he'd accepted an offer and moved to Fairfax to begin working for David Stang. This was the same David Stang who had written in the July 1992 issue of his Virus News and Review magazine, "In this office, we try to see things in terms of black and white, rather than gray . . . The problem is that good guys don't wear white hats. Among virus researchers are a large number of seemingly gray individuals . . . This grayness is clear to users. Last week, I asked my class if anyone in the room trusted anti-virus vendors. Not one would raise their hand . . . " But what was Priest working on at Norman Data Defense Systems? "A cure for Natas," he laughed softly one afternoon in late July, 1994, in the Norman Data office. Looking over the virus once more, Priest sardonically concluded that his disinfector made it clear the hacker had made Natas a little too easy to remove from infected systems. Norman Data Defense had clients in Mexico and at the Secret Service. You had to admire the moxie of the young American virus programmer. He'd set out in 1992 to emulate the world's greatest virus programmer, Dark Avenger, and ended up being paid cash money to cure the paintpots of computer poison he'd created. As for that poor stone fool, the legendary Dark Avenger, he never even got a handful of chewing gum for his viruses, having the misfortune to have been born in the wrong place, Bulgaria, at the wrong time, during the fall of Communism. But by the end of the summer, the blush was off the rose for Priest and Norman Data, too. Another manager in the office, Sylvia Moon, didn't like the idea of the hacker working for the company, Priest said. And when management representatives arrived from the parent corporation in Norway on an inspection tour and were appraised of Priest's status at a meeting, the hacker heard, they were not pleasantly surprised to learn there was a virus writer on the staff. Officially, said Priest, there was no reaction, but in reality, the hacker felt, the atmosphere was deeply strained. Nevertheless, said Priest, David Stang maintained that he would protect the hacker's position. And Jack Lewis, said Priest, had contacted the company to set up a luncheon date with the hacker to discuss more technical issues. However, Priest said, David Stang wanted Lewis to provide a Secret Service statement to the effect that the hiring of the hacker wasn't such a bad idea. The luncheon fell through. The Secret Service would provide no such statement because, said Priest, it might be construed as a conflict of interest. Unknown to him at the time, the agency had also started spying on his comings-and-goings in Fairfax. It all came to an end when one of Priest's acquaintances from the BBSes called the Norman Data office and left a message for "James Priest." Priest was immediately let go. David Stang, said Priest, told him the call was an indication that the hacker couldn't be trusted, that he was still in touch with the underground. Paranoia and recriminations flew. There had been an intern from William & Mary working at the company whose father was a Pentagon official, said Priest. The rumor was that Priest had been pumping the intern for information on how to penetrate Pentagon computers and siphoning it back into the underground. It was nonsense, said the hacker, but it became the official version of events. These were pretexts, thought Priest. The real reason he had to be shown the door, he said, was pressure from the higher-ups in Norway. They had been presented with him as a done-deal hire and it hadn't set well, he said. David Stang, said Priest, needed a reason to cut him loose and the phone call from the friend had been the peg to hang it on. Priest was a hot potato and he had to go. Back in San Diego once again, Priest almost sounded relieved. He had a Sylvia Moon-autographed copy of a computer book as a memento from the company and that was it. However, he had finally been able to videotape "The Satan Bug" telemovie. He shifted the VCR into replay and turned to look at his computer while it was playing. But the hacker said he still didn't know what the movie was about when it was over. He had been too busy at the PC to pay attention. Working . . . copyright 1994 American Eagle Publications ------------------------------ Date: Thu, 2 Mar 1995 14:20:50 From: padgett@GOAT.ORL.MMC.COM(Padgett 0sirius) Subject: File 3--Re: Press Coverage Bloopers in the Mitnick Story (CuD 7.16) Jason Hillyard writes: >"Hacker case underscores Internet's vulnerability" >New York Times, February 16, 1995. > Just a quick comment - was surprised that no highlight of this was made since *There Is No Security On The Internet* (see RFC 1281). The net did exacly what it is supposed to do, delivered packets to the proper recipients. The "vulnerability" was at improperly secured nodes/sites that the big M gained access to. Apparently it is "politically incorrect" to imply that certain facilities should qualify as "attractive nuisances" (this has a special meaning in the US - see swimming pools) since this could mean that their management was negligent in not securing them from children of all ages. Not saying that criminal acts did not take place, just that there is a difference between "breaking and entering" and "trespass" (I "assume" there were "keep out" signs on each ?) and that the fault should not be all one-sided. Would make my job easier if some owners/stockholders would start mentioning things like "culpable negligence" to Those In Charge of compuer systems everywhere. Obviously my personal opinion only - I am not a lawyer, the ones I have asked over the years have all said "no precidence". A. Padgett Peterson, P.E. ------------------------------ Date: Sat, 4 Mar 1995 21:20:19 +0000 (CUT) From: Luc Pac Subject: File 4--Italian BBS Charged with "Subversion" STATE CHARGES ITALIAN COMPUTER BULLETIN BOARD WITH 'SUBVERSION' On Tuesday, 28 February, at seven in the morning, members of the Carabinieri Anti-Crime Special Operations Group raided the homes of a number of people in Rovereto and Trento associated with the local Self-managed Social Centre 'Clinamen'. Some of those raided are also active in the Italian anarchist movement. The warrant from the Rovereto court spoke of 'assocation with intent to subvert the democratic order' (art.270 bis CP), a charge which carries a very heavy penalty for those convicted of 7 to 15 years imprisonment. The absurdity of the charge speaks for itself. Confiscated in the raids were journals and magazines, leaflets, diaries, notebooks and video tapes, all of which were either publicly available or else for strictly personal use. Also seized was the personal computer which hosted 'BITS Against the Empire', a node in the Cybernet and Fidonet networks. Stored on the computer was a vast number of documents concerning the social use of new technologies, Italy's Self-managed Social Centres and independent music production, along with hundreds of elctronic reviews publicly available throughout the world computer network. Having decided quite explicitly from the onset not to hold any software whatsoever, the founders of the bulletin board (BBS) had dedicated themselves exclusively to communication through public electronic conferences and the consultation of texts held in the BBS archives. There can, therefore, be no substance to any charge of computer piracy or abusive software duplication, an accusation often advanced in earlier cases against Italian BBSs. The seizure of BITS Against the Empire strikes at one of the most prominent nodes within the Cybernet network, the first place in Italy to open itself up to the voices of the non-aligned, to those who refuse to be represented by the political parties, choosing instead - both in the virtual and real worlds - the path of self-management. Nor has Cybernet ever accepted the use of authoritarian instruments tp police the BBS, whether these be 'the laws of cyberspace' or conference moderators (cybercops), preferring instead to leave all responsibilities - and thus freedom of action and thought - to each individual. It is precisely these freedoms which are daily negated in the physical world by the State and its demokracy. Cyberspace has now been discovered as a new consumer market, and above all as a new cultural terrain for the legitimation of the first, second and all subsequent Italian Republics. Alongside the sensationalism surrounding their direct actions against small, insignificant episodes of domestic computer piracy, the Italian magistrates and police forces have for some years now shown a certain fascination for places such as Cybernet and the European Counter Network, places which have experimented with new forms of social relations, new forms of contaminating culture and knowledge in the light of digital media. It is not surprising that the repressive organs of the State have reacted to their own technical and social ignorance by seizing an instrument of communication like a BBS: if they don't understand something it means they can't control it, and what can't be controlled is dangerous for a social order based upon fear and institutionalised violence. All those charged have formally applied for the return o f the impounded goods, as they await more information concerning the progress of the investigation. Messages of support and requests for further information can be sent to: Internet:lpaccagn@riscl.gelso.unitn.it Bitnet: lpaccag@itncisti European Counter Network: Luc Pac 45:1917/2.1 Cybernet: Luc Pac 65:1400/6 ------------------------------ Date: Sun, 26 Feb 1995 22:51:01 CDT From: CuD Moderators Subject: File 5--Cu Digest Header Info (unchanged since 26 Feb, 1995) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send a one-line message: SUB CUDIGEST your name Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. To UNSUB, send a one-line message: UNSUB Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU (NOTE: The address you unsub must correspond to your From: line) Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (203) 832-8441. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown) In ITALY: Bits against the Empire BBS: +39-464-435189 In LUXEMBOURG: ComNet BBS: +352-466893 UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/ ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/ uceng.uc.edu in /pub/wuarchive/doc/EFF/Publications/CuD/ wuarchive.wustl.edu in /doc/EFF/Publications/CuD/ EUROPE: nic.funet.fi in pub/doc/cud/ (Finland) ftp.warwick.ac.uk in pub/cud/ (United Kingdom) JAPAN: ftp.glocom.ac.jp /mirror/ftp.eff.org/Publications/CuD ftp://www.rcac.tdi.co.jp/pub/mirror/CuD The most recent issues of CuD can be obtained from the Cu Digest WWW site at: URL: http://www.soci.niu.edu:80/~cudigest COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ------------------------------ End of Computer Underground Digest #7.18 ************************************