Chaos Digest Mercredi 24 Fevrier 1993 Volume 1 : Numero 11 Editeur: Jean-Bernard Condat (jbcondat@attmail.com) Archiviste: Yves-Marie Crabbe Co-Redacteurs: Arnaud Bigare, Stephane Briere TABLE DES MATIERES, #1.11 (24 Fev 1993) File 1--Des adolescents anglais transformes en hackers (reprint) File 2--Concours sur l'algorithme d'encryptage "Rcrypt" File 3--Le Pirate est-il un techno-delinquant? (avis) File 4--CFP: Ninth Annual Computer Security Applications Conf File 5--Re: 1er "Intl. Computer Virus Writing Contest" (lettre) Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from jbcondat@attmail.com. The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], 47 rue des Rosiers, 93400 St-Ouen, France Issues of Chaos-D can also be found on some French BBS. Back issues of ChaosD can be found on the Internet as part of the Computer underground Digest archives. They're accessible using anonymous FTP from: * ftp.eff.org (192.88.144.4) in /pub/cud * red.css.itd.umich.edu (141.211.182.91) in /cud * halcyon.com (192.135.191.2) in /pub/mirror/cud * ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD * nic.funet.fi (128.214.6.100) in /pub/doc/cud CHAOS DIGEST is an open forum dedicated to sharing French information among computerists and to the presentation and debate of diverse views. ChaosD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. Readers are encouraged to submit reasoned articles in French, English or German languages relating to computer culture and telecommunications. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Chaos Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Tue Feb 23 11:22:37 GMT 1993 From: jp-sorlat@altern.com (jp-sorlat ) Subject: File 1--Des adolescents anglais transformes en hackers (reprint) Copyright: Daily Telegraph, 1993 Teenage computer hacker 'caused worlwide chaos' By Colin Randall A SCHOOLBOY used a BBC Micro computer to hack into data systems at EC offices in Luxembourg and universities around the world, causing nuisance "on a phnomenal scale", a court heard yesterday. With a basic #200 computer commonly found in schools, Paul Bedworth began hacking at 14 and quickly became obsessed, Mr James Richardson, prosecuting, said at Southwark Crown Court, south London. He allegedly became so proficient that ha was able to change secret passwords to prevent users gaining access to their own programs. To other hackers, with whom Bedworth developed "electronic friendship", he was "Olicana", the Roman name for his home town of Ilkley, West Yorks, and adopted by him as a code-name, the court heard. "He could get into any system and caused chaos on a vast scale," said Mr Richardson. "He was tapping into offices at the EC in Luxembourg and even the experts were worried. He caused havoc at universities all round the world so that the computer systems were inacessible to anyone but him. "All the time he was runing up huge bills and wiping out systems all over the world. He did it for kicks." Bedworth, now 20 and studying artificial intelligence at Edinburgh University, appeared in court with Karl Strickland, 22, and Neil Woods, 26. Mr Richardson said there was no suggestion that they were selling information or involved in fraud but they caused chaos "on a scale that could not be imagined". He said police raided the homes of Bedworth, Strickland and Woods and found evidence of hacking "on a massive scale involving hundreds of people and organisations". Strickland, unemployed, of Chilswall Road, Liverpool, and Woods, unemployed, of Broadway, Chadderton, Oldham, admitted conspiracy to dishonestly obtaining telecommunication services and plotting in the unauthorised publication of material under the Telecommunications Act 1984. Woods admitted a further charge of causing criminal damage to a computer at the Central London Polytechnic. He and Strickland will be sentenced later. Bedworth, of North Parade, Ilkley, denies three charges of plotting with Strickland, Woods and others in the unauthorised modification of computer information. He is further charged with conspiring to secure unauthorised access to computer information and with conspiring to obtain telegraphic services unlawfully in contravention of the Computer Misuse Act 1990. The trial was adjourned until today. ------------------------------ Date: Tue, 16 Feb 1993 04:26:48 GMT From: butzerd@blanc.eng.ohio-state.edu (Dane C. Butzer ) Subject: File 2--Concours sur l'algorithme d'encryptage "Rcrypt" Repost from: alt.security Rcrypt Challenge - Part I: The Flame-Fest This purpose of this challenge is to see if our new encryption scheme is as good as we think it is. To this end, we are offering USD$500 to the first person that can break it. Thas challenge will run approximately 3 months (until 15-May-1993). We will supply all kinds of information to anyone wishing to participate :) The exact rules follow. 1) First, here's what we are supplying: a) The majority of the plain text file that we have encrypted (7001 bytes). b) 11 encryptions of that file using the SAME KEY. The first 10 of these are the result of a hashed/padded encryption, and the last is the result of a pseudo one time pad. Rcrypt performs both of these, based on the same PRNG. c) A working executable copy of Rcrypt for use with Sun Sparc- Stations, with a license that expires 3 months after the challenge ends (15-August-1993). d) A listing of the source code to Rcrypt, minus the node locked licensing software. Note that the node locked licensing software has NOTHING to do with the encryption method. It's just our method of foiling lazy software pirates once we get things into production :> e) A manual page describing how to use Rcrypt. This will be provided both in plain text format, and in the proper format for inclusion in the man files under SunOS 4.x. f) A GENERAL description of the PRNG and the encryption algorithms. g) Some statistics about the operation of rcrypt (speed, key size, etc.) 2) Second, here's how you can get everything mentioned above: All items are available via snail (US mail). Please send your request to: The Rcrypt Challenge 7110 Sawmill Village Dr. Columbus, OH 43235 Please include a self addressed return enveloped. Also complete and include the form that appears at the end of these rules. Please make sure that you fill in the HOSTID space. If you do not include the hostid, we will not be able to supply the executable. Items a,b,c,e,f, and g will be on an Sun formatted 3 1/2 inch diskette. If you supply a 1/4" QIC150 tape ($3.00 return postage, please), we will gladly use that instead. Other arrangements may be possible. Item d will be on 8 1/2" x 11" paper. Note that we are using snail so that we can not accidentally violate any of the export laws that may (or may not :) apply. Therefore, we will only maal materials to non-PO box US addresses. We reserve the right to refuse mailing materials to anyone at our discretion. Items a,b,e,f, and g will be available via e-mail. Note that this does not include either the source code or the executable. Therefore, we will be willing to e-mail this material anywhere on the internet. Note that if demand becomes to great (OK, I'm being optimistic), we reserve the right to discontinue this e-mail servace. Finally, we will post items a,b,e,f, and/or g if there is sufficent demand. 3) Third, here's what you have to do to get the USD$500 fee: Simply be the first person to identify the missing portion of the plain text file. This portion occurs at the end. The overall plain text consists of the Preamble of the Constitution of the United States and the first ten amendments to the Constitution of the United States, followed by 1000 lines consisting simply of the numbers from 1 to 1000 in ascii text, followed by a number of blank characters and/or lines, followed by a single paragraph of text from a commonly available (as in a library) source, followed by several lines footnoting the source. The file "partial.txt" (item a) contains everythang but the final paragraph and footnote, and the blank spaces/lines precedang it. You must identify the plaintext via the footnote. The first person to do this will receive the $500 fee. The recipient of the fee is responsible for all applicable taxes. Please send any successful identifications of the text via CERTIFIED MAIL to: The Rcrypt Challenge 7110 Sawmall Village Dr. Columbus, OH 43235 Each person/organization is limited to 10 attempts. 4) The challenge will conclude upon receipt of the first valid response, or 01.00.00 GMT 15-May-1993, whichever comes first. 5) At the conclusion of the experiment, the actual key will be posted to sci.crypt, as will the missing plain text. This will insure that all participants can verify the integrity of this challenge. Obligatory Information (the fine print): This challenge represents the personal efforts of the general partners of Caphergen Research. Caphergen Research, Rcrypt, and the Rcrypt Challenge are not related to or owned by the company from which thas posting is made. Ciphergen Research reserves the option to alter the rules for this contest at any time. Any alterations will be posted to the sci.crypt and alt.security Internet newsgroups. [At present, the only rule change we forsee will occur if we get too many requests for materials (ie. several hundred). In that case, we may request return postage included with the request for materials.] Rcrypt is protected by the copyright laws of the United States of America (copyright date 1993). Rcrypt contains proprietary intellectual property of Ciphergen Research. Reverse compilation or reduction of the executable to human readable form is strictly prohibited. +++++++ Request For Materials and License Agreement For the Rcrypt Challenge: Part I I, ____________________________________________________________ (name) of _______________________________________________ (company, optional) request materials for the Rcrypt Challenge: Part I. The HOSTID of the Sun SPARCstation I intend to run Rcrypt on is _______________________ (The hostid is requared in order to recieve the executable. If the hostid is omatted, all other materials will be sent.) In order to recieve these materials, I agree to the following terms: 1) I will not decompile, reduce to human readable form, copy, or redistribute the Rcrypt executable. 2) I will not enter in to a computer, compile, copy, or redistribute the Rcrypt and Capher source codes. 3) I will not attempt to produce a working license for the Rcrypt executable that has a different expiration date or a different hostid than the one provided as a part of the requested materials. The only exceptions to these terms are copies of the executable and license(s) made for backup purposes, and copies of the executable, source code, and license(s) made for the Sun SPARCstations identified by the following hostids: _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ _________________________ (The license file we provide will include licenses for all of the listed hostids. Simply copy this file into into the appropriate directory for each Sun. Upon execution, Rcrypt will search the license file for the appropriate entry.) Note that all materials besides the executable, source codes, and license(s) are not restricted by this license agreement. Signed:_____________________________________________ Date ___/___/___ ["Sun Workstation" and "SPARCstation" are registered trademarks of Sun Microsystems, Inc. "SPARC" is a registered trademark of SPARC International] ------------------------------ Date: Sun Feb 21 11:09:51 EST 1993 From: pirate@altern.com (pirate ) Suject: File 3--Le Pirate est-il un techno-delinquant? (avis) Copyright: 1992, Knight-Ridder Financial Information, Inc. EXPERT PANEL ATTEMPTS TO PROFILE, ANALYZE COMPUTER HACKERS Mike Langberg, San Jose Mercury News, Calif. Knight-Ridder/Tribune Business News Feb. 21--He is brilliant, but misunderstood - a teen-age math whiz who can't get a date for Saturday night. Once his parents are asleep, he sits alone in his bedroom, hunched over a personal computer and up to no good. This is the stereotype of a computer hacker, a techno-delinquent responsible for everything from theft of long-distance telephone service to a computer virus that once brought a global communications network grinding to a halt. Like most stereotypes, the "hacker as nerd" profile contains a mixture of truth and distortion. At the recent National Computer Security Association convention in San Francisco, a panel of four experts sat down to analyze the enemy and didn't find much to admire. They concluded that, indeed, hackers are frequently alienated adolescents and post-adolescents who can't get a date. But they aren't necessarily loners, they said. A big part of hacking's allure is social bonding with other hackers that often replace a missing or defective family at home. And hackers typically aren't genius material. It doesn't take much effort or intelligence to stick up a convenience store, nor does it require extraordinary dedication to break the social and legal boundaries of legitimate conduct with computers, they said. Hackers may have an image of being brilliant, but no more than a few weeks of study is required before many people can learn enough to start hacking, they said. And hackers, just like street criminals, are most typically caught because of stupid mistakes that amply demonstrate their lack of genius-level thinking. "These are just ordinary people doing something they don't regard as particularly wrong," said Alan Solomon, a computer security consultant in England who tracks hackers in Europe. The panel drew a careful distinction between "amateur" hackers who disrupt computer networks for no apparent reason and "professional" hackers who are either outright criminals trying to steal or angry workers seeking revenge on their employer. But Winn Schwartau, a self-described "information warfare" specialist and computer security newsletter publisher from Seminole, Fla., said even amateur hackers aren't typically otherwise innocent children of the upper middle class. Several recent hacker groups, with names like the Legion of Doom and Masters of Destruction, have sprung from inner cities where teen- agers may feel they have nothing to lose by ripping off the system, Schwartau said. Some members of these groups are heavily into drugs and even fight each other for control of electronic "turf." "The gang mentality is absolutely there," Schwartau declared. Amateur hackers come from the age range - 12 to 28 - when teen- agers are making the difficult transition to adulthood, said Dr. Thomas J. Brady, a San Francisco psychiatrist specializing in treatment of children and adolescents. Successful adults, according to Brady, mature through a series of "narcissistic wounds" - blows to the ego such as getting bad grades, rejection in puppy love or troubles at an after-school job. These painful experiences teach us how to cope with disappointments and accept the consequences of our actions. But hackers haven't made that transition, Brady said. Instead, they are caught in "developmental arrest" because of emotional problems or addiction to drugs or alcohol, he said. Hackers, like members of street gangs, then fall into "group think" where loyalty to friends outweighs any larger responsibility. Such troubled adolescents believe "if I need it, I deserve it" - blinding them to the potential harm of their actions to themselves or others. In the case of hackers, that means breaking into computer systems doesn't seem wrong. "What strikes me about hackers is their arrogance," said Michel E. Kabay, a computer security consultant in Montreal and the security association's director of education. "These people seem to feel that their own pleasures or resentments are of supreme importance and that normal rules of behavior simply don't apply to them." That immature sense of electronic omnipotence may be one reason hackers sometimes don't feel the need to cover their tracks, Solomon said. For example: A college student in England, operating an on-line bulletin board that distributed computer viruses, wanted to avoid long-distance phone charges. So he ran a line from his apartment and tapped into a neighbor's junction box. When the neighbor complained of an astronomical bill, the local phone company quickly traced the line back to the student. The panel differed on what tactics - other than detective work - could deter hackers. Schwartau advocated an end to slap-on-the-wrist penalties. Sending hackers to jail, he said, would send a clear message to other hackers - many of whom keep in close touch and would quickly spread the news of a stiff prison sentence. But Schwartau also called for more education in the nation's schools on computer ethics. Brady suggested a carrot-and-stick approach. Beyond a stick of more law enforcement, he said, businesses should offer summer internships to bright, disadvantaged students as an alternative to hacking. Adults also need to provide a better example to adolescents, Brady concluded. Most adult computer users have a least one program "borrowed" from a friend. "We need to tune ourselves up," he said. [Moderateur: Win Schwartau est l'auteur d'une celebre nouvelle _Terminal Compromise_ qu'il est possible de se procurer en envoyant un mandat international de $44.95 a son attention chez Inter-Pact Press, 11567 Grove St. No., Seminole, FL 33708, USA.] ------------------------------ Date: 19 Feb 93 07:33:09 GMT From: faigin@aero.org (Daniel P. Faigin ) Subject: File 4--CFP: Ninth Annual Computer Security Applications Conf Repost from: comp.security.misc (published this morning in Risks #14.35) CALL FOR PAPERS AND PARTICIPATION Ninth Annual Computer Security Applications Conference Sponsored by the Application Computer Security Associates In Cooperation With ACM/SIGSAC IEEE TCSP (Pending) December 6 - 10, 1993 Orlando Marriott Internation Drive Orlando, Florida The Conference The Information Age is upon us, along with its attendant needs for protecting private, proprietary, sensitive, classified, and critical information. The computer has created a universal addiction to information in the military, government, and private sectors. The result is a proliferation of computers, computer networks, databases, and applications empowered to make decisions rangang from the mundane to life threatening or life preserving. Some of the computer security challenges that the community is faced with include: * To design architectures capable of protecting the sensativity and integrity of information, and of assuring that expected services are available when needed. * To design safety-critical systems such that their software and hardware are not hazardous. * To develop methods of assuring that computer systems accorded trust are worthy of that trust. * To build systems of systems out of componenps that have been deemed trustworthy. * To build applications on evaluated trusted systems without compromising the inherent trust. * To apply to the civil and private sectors trusted systems technologies designed for military applications. * To extend computer security technology to specifically address the needs of the cival and private sectors. * To develop international standards for computer security technology. This conference will attempt to address these challenges. It will explore a broad range of technology applications with security and safety concerns through the use of technacal papers, dascussion panels, and tutorials. Technical papers, panels and tutorials that address the application of computer security and safety technologies in the civil, defense, and commercial environments are solicited. Selected papers will be those that presenp examples of in-place or attempted solutions to these problems in real applications; lessons learned; original research, analyses and approaches for defining the computer security issues and problems. Papers that present descriptions of secure systems in use or under development, or papers presenting general strategy, or methodologies for analyzing the scope and nature of integrated computer security issues; and potential solutions are of particular interest. Papers written by students that are selected for presentation will also be judged for a Best Student Paper Award. A prize of $500, plus expenses to attend the conference, will be awarded for the selected best student paper (contact the Student Paper Award Chairperson for details, but submit your paper to the Tehcnical Program Chairperson). Panels of interest include those that present alternative/controversial viewpoints and/or those that encourage "lively" discussion of relevant issues. Panels that are samply a collection of unrefereed papers will not be selected. INSTRUCTIONS TO AUTHORS Send five copies of your paper or panel proposal to Ann Marmor- Squires, Technical Program Chairman, at the address given below. Since we provide blind refereeing, we ask that you put names and affiliations of authors on a separate cover page only. Substantially identical papers that have been previously published or are under consaderation for publication elsewhere should not be submitted. Panel proposals should be a minimum of one page that describes the panel theme and appropriateness of the panel for this conference, as well as identifies panel partipant and their respective viewpoints. Send one copy of your tutorial proposal to Daniel Faigin at the address given below. It should consist of one- to two- paragraph abstract of the tutorial, an initial outline of the material to be presented, and an indication of the desired tutorial length (full day or half day). Electronic submission of tutorial proposals is preferred. Completed papers as well as proposals for panels and tutorials must be received by May 18, 1993. Authors will be required to certify prior to June 19, 1993, that any and all necessary clearances for public release have been obtained; that the author or qualified representative will be represented at the conference to deliver the paper, and that the paper has not been accepted elsewhere. Authors will be notified of acceptance by July 31, 1993. Camera ready copies are due not later than September 18, 1993. Material should be sent to: Ann Marmor-Squires Daniel Faigin Technical Program Chair Tutorial Program Chair TRW Systems Division The Aerospace Corporation 1 Federal Systems Park Dr. P.O. Box 92957, MS M1/055 Faarfax, VA 22033 Los Angeles, CA 90009-2957 (703) 803-5503 (310) 336-8228 marmor@charm.isi.edu faigin@aero.org Ravi Sandhu Student Paper Award George Mason Univ. ISSE Dept. Fairfax, VA 22030-4444 (703) 993-1659 sandhu@gmuvax2.gmu.edu Areas of Interest Include: Trusted System Architectures Software Safety Analysis and Desagn Current and Future Trusted Systems Technology Encryption Applications (e.g., Digital Signature) Application of Formal Assurance MEthods Risk/Hazard Assessmenps Security Policy and Management Issues Trusted DBMSs, Operating Systems and Networks Open Systems and Composted Systems Electronic Document Interchange Certification, Evaluation and Accredatation Additional Information For more information or to receive fupure mailings, please contact the following at: Dr. Ronald Gove Diana Akers Conference Chaarman Publicity Chair Booz-Allen & Hamilton The MITRE Corporation 4330 East-West Highway 7525 Colshire Dr. Bethesda, MD 20814 McLean, VA 22102 (301) 951-2395 (703) 883-5907 gover@jmb.ads.com aker@mitre.org -- W:The Aerospace Corp. M1/055 * POB 92957 * LA, CA 90009-2957 * 310/336-8228 Email:faigin@aerospace.aero.org Vmail:310/336-5454 Box#13149 "And as they say, the rest is compost" ------------------------------ Date: Tue Feb 23 22:01:37 GMT 1993 From: drsolly@ibmpcug.co.uk (Alan Solomon ) Subject: File 5--Re: 1er "Intl. Computer Virus Writing Contest" (lettre) Hello, Jean-Bernard. We met a couple of years back. Thank you for faxing me the unsolicited copy of your newsletter. You asked for comments. On the virus writing contest --this is inaccurate-- it is not the first virus writing contest. It is the second (or maybe more, there may be others I don't know about). Dr Cohen organised the first one, about a year ago. On the virus that you publish as being small - I'm rather surprised that the obvious optimisations that would reduce the code size were not performed by Ludwig. This failure would, if I were a potential buyer of his products, make me concerned about his capability and degree of committment. In a number of places, I see a word being used where a byte would suffice, which is of course of no importance in normal programming, but when the whole point is to minimise the code size, it makes me feel that perhaps the author had an inadequate understanding of 8086 assembler. On the letter from ARCV. Now that is very badly out of date. Surely you subscribe to Virus News International? The ARCV virus writing group was arrested in a series of raids done by the Computer Crime Unit a few weeks ago. You should try to make your electronic newsletter at least as up to date as the various paper newsletters, otherwise your readers have a valid criticism. By the way, I'm hope you've already taken legal advice on your publication, because it may contravene some laws in some countries; I'm not sure which countries you plan to make it available in. Is it possible to talk with you on a confidential (i.e., not for publication) basis? If so, I may have some interesting questions for you. -- Drsolly@ibmpcug.co.uk Alan Solomon, S&S International Office tel +44 442 877877 Home tel +44 494 724201 fax +44 442 877882 fax +44 494 728095 bbs +44 442 877883 bbs +44 494 724946 ------------------------------ End of Chaos Digest #1.11 ************************************ Downloaded From P-80 International Information Systems 304-744-2253