Hacker Zaps Tens of Thousands
Of Postings on Usenet System

          By ROBERT E. CALEM 

          Thousands of people with something to say on the Internet's Usenet newsgroup system were
          silenced this week by a rogue program, perpetrated upon the global network by a hacker
          armed with what experts said were relatively basic programming skills. 

          But despite the simplicity of the attack -- or perhaps because
          of it -- they added, there is apparently no remedy short of
          reposting every deleted message. And at least one official of
          the Federal Bureau of Investigation said Friday that although
          a suspect had been identified, no federal law had been
          broken. 

          In fact, one expert said Friday that such attacks were commonplace on a smaller scale and that the
          only thing unusual about this attack was the large number of postings deleted - estimated at one point
          to be more than 25,000 messages. 

          The attack, carried out on Sept. 22, involved a program called a "cancelbot" that scoured Usenet
          newsgroups for postings about a wide range of subjects, including women, religion, sex and
          computing, then issued commands to delete them from every newsgroup server on which they
          appeared. 

          The attack was traced to a customer of Cottage Software, Inc., a small Tulsa, Okla.,-based Internet
          service provider, which discovered the program on one of its servers during a routine check and
          investigated. 

          "We allow clients to run programs on our server, but only
          after they receive permission from us," said William Brunton,
          president of Cottage Software. 

          Brunton said that the offending program had not been
          authorized and that upon inspecting it, Cottage Software had
          uncovered its destructive nature. But by then it was too late.
          Brunton said that the program had already been sent on to
          Galaxy Star Systems, which provides Cottage Software with
          its Usenet news feeds, and had spread from there out to the
          entire Internet. 

          Brunton said that Cottage Software immediately terminated the offending account and notified the
          local FBI office about the accountholder's activities. But Brunton said of local FBI agents, "It didn't
          seem like they were really excited about what had happened." 

          James M. Hawkins, the supervising agent at the FBI's Tulsa office, confirmed Brunton's account,
          adding: "We don't have a case. I don't think we're going to be getting involved in the matter." 

          Hawkins also said that his office had contacted the local United States Attorney's office about the
          Usenet attack and had been told that no law had been broken. 

          Randall Edgmon, a spokesman for the United States Attorney for the Northern District of
          Oklahoma, said his office "can't confirm or deny anything" about the Usenet incident or its legal
          ramifications. 

          William Cheswick, an Internet security expert at Lucent Technologies in Murray Hill, N.J., said that
          cancelbots were very easy to create. They're simple programs that upload new messages, containing
          commands to cancel other messages, to a server that collects and distributes newsgroup postings. 

          Cancelbots have been used for about 10 years by system
          administrators to block excessively posted messages from
          propagating in the Usenet system. And they have also been
          used occasionally by some users with personal vendettas
          against other users, Cheswick said. 

          "This is not rocket science," he said, adding that anybody can
          cancel any message. "There's no security. . . . This sort of
          stuff happens all the time." 

          He explained that Usenet postings are read by a host server as a batch and can be fed through the
          cancelbot program, which then creates "cancel messages" matched to each posting. The program
          sends the cancel messages back to the computer that sent the original batch, Cheswick said, and
          from there the cancel messages are distributed to other news hosts throughout the Internet. It could
          take several days for the cancel messages to span the world, he said. 

          Cheswick also said that there was no practical defense against cancelbots, which were originally
          devised by well-meaning programmers to deal with abusive Usenet users. A big part of the loophole,
          he said, is the huge number of messages that pass through Usenet hosts at any moment. Each
          message on the host computer is a discreet file, and a typical host might see hundreds of thousands
          of messages a day, adding up to 2.5 gigabytes of data, the equivalent of "about 2,000 novels," he
          said. 

          On a lighter note, Cheswick said: "Frankly, I'm not going to spend a minute worrying about it. 
          This  is so minor and has been going on for so long, I'm surprised we're even talking about it."