CRPTLT.R16 (Crypt Newsletter 16, from CRYPT16.ZIP on the HPAVC CD-ROM) - text file, 1993-07-01, 55KB, 1,129 lines
▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄ ▄▄▄▄▄▄ ▄▄ ▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
█▒▒█ █▒▒▒▒▒▒▒█ █▒▒█ █▒▒▒▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒▒▒█ █▒▒▒▒▒▒█ █▒▒▒▒█
█▒▒█ ▀▀▀▀▀▀▀▀ █▒▒█ ▀▀▀▀█▒▒█ █▒▒█ █▒▒█ █▒▒█ ▀▀▀█▒▒█ ▀▀▀█▒▒█ ▀▀▀▀▀
█▒▒█ █▒▒█ ▄▄▄▄█▒▒█ █▒▒█ █▒▒█ █▒▒█ ▄▄▄█▒▒█ █▒▒█
█▒▒█ █▒▒█ █▒▒▒▒▒█ ▀▀ █▒▒█ █▒▒█ █▒▒▒▒█ █▒▒█
█▒▒█ █▒▒█ ▀▀▀▀█▒▒█ █▒▒█ █▒▒█ ▀▀▀▀▀ █▒▒█
█▒▒█ ▄▄▄▄▄▄▄▄ █▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒█
█▒▒█ █▒▒▒▒▒▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒█
▀▀▀ ▀▀▀▀▀▀▀▀ ▀▀▀ ▀▀ ▀▀ ▀▀▀ ▀▀
NEWSLETTER NUMBER 16
****************************************************************
EDITED BY URNST KOUCH, June-July 1993
CRYPT INFOSYSTEMS BBS - 818.683.0854
INTERNET: 70743.1711@compuserve.com or CSERVE: 70743,1711
****************************************************************
IN THIS ISSUE: THE SORROW AND THE PITY - the story behind the
gutting of the Bureau of Public Debt's Security Branch BBS . . .
Stormbringer: Winner of first international virus-writing
contest . . . Sandia National Laboratory whisperings about
poison gas shipments gone bad in the New Mexican desert:
The Navajo "mystery illness" . . . The Bandwagon Syndrome: more
non-functional anti-virus software . . . ASK MR. BADGER: media
watch with roving Sports Desk correspondent, Raoul Badger . . .
dismantling Microsoft Anti-Virus for DOS and Windows, politely
. . . and much, much more.
****************************************************************
-=The first section of this month's newsletter is dedicated
to the news events surrounding the break up of the hacker files
library on the U.S. Bureau of Public Debt's Security Branch
BBS in Parkersburg, WVa.=-
THE SORROW AND THE PITY: THE NAKED TRUTH TAKES IT ON THE CHIN
AT AIS
Early this month, the only professional security bulletin
board system run by the U.S. government worth visiting was
gutshot, the victim of a mounting campaign of
innuendo and anonymous gossip implying that it aided computer
criminals by granting easy access to virus source code and
dangerous hacker tools.
Profiled almost a year ago in Computer underground
Digest, the AIS BBS, run by Public Debt Security Branch team
leader Kim Clancy, was trumpeted as a place
where security professionals and interested parties could come
to get the unvarnished truth about hacking, computer intrusion
and virus infection. It delivered on the promise and more as
sysop Clancy amassed a truly comprehensive collection of
hacker files, including a basic library of commented virus
source code.
The BBS was grandly successful, amassing over 1,000 registered
users who came as professionals, hackers, and curiosity seekers.
But the distribution of hacker files and virus code was a
controversial idea, one which did not sit well with an "old-boy"
network of security professionals and anti-virus researchers and
software developers who comprise a loose professional/pan-
professional organization known as CARO, or the Computer Antivirus
Research Organization.
After the Crypt Newsletter profiled Clancy in February of this
year, CARO member and Englishman Alan Solomon, Ph.D., the
developer of Dr. Solomon's Antivirus Toolkit, took the opportunity
to jawbone a captive audience on the impropriety of virus source
code on AIS at a meeting of security professionals in NYC in
March.
Also disturbed was Ken van Wyk, the moderator of Virus-L-Digest,
a weekly electronic mail collection distributed on the
INTERNET/USENET and dominated by the technical babble, gossip and
apocrypha of CARO members like Bulgarian researcher Vesselin
Bontchev and software developer Frisk Skulason. None of this,
said Clancy, made any difference. After all, the ramblings
of electronic mail digests - rantings in the vast electronic
ether of cyberspace are, generally, not taken seriously by
the vast majority of computer users who read them; they are
just part of the background radiation that everyone is used to.
Van Wyk's concern, she said, was just more of the same: inaccurate
and technically silly complaints which had dogged the BBS
intermittently since its inception.
But like a miraculous silver bullet in a storm of wild, ineffectual
buckshot, one anonymous letter finally undid all of Clancy's
work. Published in RISKS, another electronic mail forum originating
from SRI International, a research institute in Menlo Park in the
Silicon Valley, the letter, written by "anonymous" accused the
AIS BBS of distributing material that was illegal and unethical.
"Anonymous" was immediately labelled a catspaw of Alan Solomon,
a tattletale, a squealer with a hidden agenda according to
Crypt sources in the computer security community, hardly the
government "whistleblower" portrayed by The Washington Post
when the story broke nationwide on June 19. In reality, "anonymous"
was Paul Ferguson, a Centreville native and obscure security
consultant and anti-virus software developer. The Washington
Post stumbled badly in its presentation of the facts, choosing
not to tell readers, if indeed it even knew, that Ferguson
was "anonymous," portraying him as independent, unbiased supporting
testimony. Ferguson played his double-role on the pages
of The Washington Post to the max, pontificating on the dangers
of leaving virus code and hacker tools on a government BBS
where anyone could see and download them. "That's like
leaving a loaded gun around and people saying, 'It's not
my fault if someone picks it up and shoots himself in the
head with it,'" he said.
Ferguson had polished this act by pulling the same
"gild the lily" stunt in RISKS a few weeks earlier.
RISKS editor Peter Neumann published a Ferguson letter in support
of "anonymous"'s "whistleblowing," neglecting to inform readers
that Ferguson was the same man. Interestingly, Neumann
chose not to publish any letters in support of Clancy and AIS
including one submitted by Frank Tirado, a USDA security
administrator. The Post also interviewed Neumann, who chose not
to inform reporter Joel Garreau, if indeed he knew himself, that
Ferguson and "anonymous" were the same.
Also unknown to reporters in the mainstream media, Ferguson
was no stranger to underground "virus exchange" bulletin
board systems which he would occasionally access to gather
virus tools. John Buchanan, the sysop of a Newport News/Virginia
Beach-based "Black Axis BBS", self-proclaimed as the "largest
virus exchange in the world" remembers Ferguson calling
him for virus code. "He wanted the Trident Polymorphic
Engine because he couldn't find it anywhere else. He pleaded
for it, so I gave it to him," said Buchanan in an interview
with the Crypt Newsletter about two months ago.
[The Trident Polymorphic Engine is a virus tool, inspired by
the Dark Avenger Mutation Engine, which wraps any virus using it
in a different encryption, under a different decryptor, on each
infection. Because no fixed string of bytes survives from one
generation to the next, a scanner that does nothing but search
files for known byte patterns will often miss it; catching such a
virus takes an "algorithmic" scanner that recognizes the shape of
the decryptor or emulates it to recover the constant body.]
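[Editor's added example, not from the Newsletter and not the Trident engine's own code. The toy below stands in for what the note above describes: the same body re-encrypted under a fresh random key with junk padding each generation, a naive scanner that looks for a fixed byte pattern in the raw bytes, an "emulating" scanner that performs the decryption before matching, and a scanner that keys on the decryptor's parameters rather than the body. The engine parameters, the sample body and the signature are all assumed or constructed for the demonstration; nothing here executes anything.]

```python
# Added example (not from the Newsletter and not the Trident engine's code):
# a toy "polymorphic" wrapper and three scanners, showing why a fixed byte
# signature stops matching once a body is re-encrypted under a fresh key
# each generation, and what an engine-aware scanner does instead.
import random

# Constructed, harmless sample standing in for the constant body a virus
# would carry from generation to generation.
BODY = b"CONSTRUCTED SAMPLE BODY: same bytes in every generation"
SIGNATURE = b"SAMPLE BODY"          # the pattern a naive scanner would look for

KEY_LEN_RANGE = (4, 8)              # engine parameters (assumed for the toy)
JUNK_LEN_RANGE = (0, 16)


def mutate(body: bytes, rng: random.Random) -> bytes:
    """One 'generation': a 2-byte header naming the decryptor's parameters,
    random junk padding, then the body XORed under a fresh random key.
    Layout: [key_len][junk_len][key bytes][junk bytes][ciphertext]."""
    key_len = rng.randint(*KEY_LEN_RANGE)
    junk_len = rng.randint(*JUNK_LEN_RANGE)
    key = bytes(rng.randrange(1, 256) for _ in range(key_len))   # no zero bytes
    junk = bytes(rng.randrange(256) for _ in range(junk_len))
    ciphertext = bytes(b ^ key[i % key_len] for i, b in enumerate(body))
    return bytes([key_len, junk_len]) + key + junk + ciphertext


def signature_scan(sample: bytes) -> bool:
    """Naive scanner: matches the fixed signature against the raw bytes."""
    return SIGNATURE in sample


def emulating_scan(sample: bytes) -> bool:
    """Scanner that 'runs' the decryptor: reads the header, skips the junk,
    decrypts, and only then looks for the signature in the recovered body."""
    if len(sample) < 2:
        return False
    key_len, junk_len = sample[0], sample[1]
    key = sample[2:2 + key_len]
    if len(key) != key_len or not key:
        return False
    ciphertext = sample[2 + key_len + junk_len:]
    body = bytes(b ^ key[i % key_len] for i, b in enumerate(ciphertext))
    return SIGNATURE in body


def decryptor_scan(sample: bytes, body_len: int = len(BODY)) -> bool:
    """Algorithmic scanner: ignores the body entirely and recognises the
    engine by the shape of its decryptor (parameter ranges, and an encrypted
    section exactly one body long)."""
    if len(sample) < 2:
        return False
    key_len, junk_len = sample[0], sample[1]
    in_range = (KEY_LEN_RANGE[0] <= key_len <= KEY_LEN_RANGE[1]
                and JUNK_LEN_RANGE[0] <= junk_len <= JUNK_LEN_RANGE[1])
    return in_range and len(sample) - 2 - key_len - junk_len == body_len


def experiment(generations: int = 50, seed: int = 1) -> dict:
    """Generate `generations` variants and count the hits for each scanner."""
    rng = random.Random(seed)
    variants = [mutate(BODY, rng) for _ in range(generations)]
    return {
        "distinct_variants": len(set(variants)),
        "signature_hits": sum(signature_scan(v) for v in variants),
        "emulation_hits": sum(emulating_scan(v) for v in variants),
        "decryptor_hits": sum(decryptor_scan(v) for v in variants),
    }


if __name__ == "__main__":
    print(experiment())
```

Over 50 generations every variant is a different byte string, the raw-signature scanner hits none of them, and both the decrypt-first and decryptor-shape scanners hit all of them. Real engines such as MtE and TPE also vary the decryptor's instruction sequence, not just its parameters, which is what makes the last approach harder in practice than this toy suggests.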
This seemed contorted, hypocritical behavior from a man secretly
lobbying, along with CARO members Alan Solomon and Frisk
Skulason, for the removal of the AIS BBS's virus code library,
a code library much less complete than Buchanan's Black Axis
but much more accessible to relatively straightforward security
workers hesitant to dive into the deep, uncharted pools of
source code and live files found on many underground systems.
Also lost in the hysteria was the obscure fact that CARO members
had already helped themselves to virus source code on AIS.
However, at the end of April, weeks after Ferguson's e-mail
sleight of hand had been played out in RISKS, AIS still
had its reputation. It took a serendipitous fax from the
House Committee on Science, Space and Technology requesting
a copy of the RISKS issue in question to panic bureaucrats
above Clancy at the Bureau of Public Debt. Although the
requestor was never identified and no follow-up ensued, managers
worried that the sky was falling - surely a congressional
investigation was imminent.
Calling a meeting to discuss the future of AIS BBS, managers thrust
aside arguments that removing the hacker files and code from
the BBS would only shoot security workers in the foot, depriving
the less-experienced among them of a source of code and techniques
already widely available throughout the U.S. to any 15-year-old
with a modem and a minimal understanding of the word "BBSing."
All the hacker files were subsequently removed from AIS BBS
and there were no further developments until the story
broke in the national press on June 19. Associated Press
sent it around the world with a savagely inaccurate lead
proclaiming the bulletin board system had aided computer vandals.
Where this fabrication came from is uncertain; what was
certain was that Kim Clancy's reputation was toast, thrown
into the barnyard muck and trampled by anti-virus software
developer-manipulated rabble from the newsmedia too easily
convinced that an out-of-control government agency had been
subverted by hackers into working for the forces of darkness.
What was not covered in the press were questions establishing
the professional connections between its "expert sources"
and the double duty Ferguson was allowed to serve as
"anonymous whistleblower" and security expert/public good
watchdog. Nor was there any mention of the bald-faced
cronyism required in the anti-virus/security
community so that Ferguson could plant himself at RISKS
and The Post with unblemished credibility.
Clancy, who now regards anti-virus software developers as
unethical in the extreme, said that although AIS was still
on-line, this was only temporary. The virus
source code in question was being picked up by MindVox,
however, a commercial system based in NYC with links to the
INTERNET, an advertising budget, and far more users than AIS.
Meanwhile, ill winds on the networks were starting to
blow. Unnamed hackers, enraged by the scandal, were said to
be preparing to exact their pound of electronic flesh from
Ferguson.
"To my mind, the AIS BBS was one of the best applications
of my taxpayer dollars," said the USDA's Tirado angrily
during an interview for this story. "The spineless curs!"
PART II OF THE SORROW AND THE PITY: OP-ED AND ANALYSIS OF
THE NEWSMEDIA
MORE FEAR AND LOATHING: ON THE VIRUS CODE TRAIL AT AIS
On Saturday, June 19, the national press suddenly reared up
and without warning, mangled the reputation of one of the
finest, most professional security experts I know, Kim Clancy of
the Bureau of Public Debt's Security Branch.
I rolled out of bed Saturday morning, plugged into Compuserve's
Today's News and was promptly crushed by the brazen stupidity of
reporter Charles Bowen's newspiece, "GOVERNMENT BBS SAID TO
HAVE AIDED COMPUTER INTRUDERS AND VANDALS".
Bowen plagiarized the lead, "A government spokesman says an
obscure bulletin board system run by a federal agency apparently
helped computer vandals commit electronic sabotage," directly
from a same-day Associated Press story called "Dial-A-Virus".
But neither Bowen nor the AP offered a solitary shred of proof,
other than this outrageously leading statement, loosely
attributed to Public Debt spokesman Peter Hollenbach, that
Kim Clancy's AIS BBS has ever been responsible for abetting
documented cases of hacker intrusion or computer vandalism
by virus.
Further, Bowen reported, "The [Washington] Post says that among
the visitors to the system were computerists using handles such
as 'The Internet Worm,' 'Satan's Little Helper' and 'Dark Avenger's
Mutation Engine.'" The Washington Post story, reported by
Joel Garreau, said nothing of the kind, leading me to believe
Bowen is either a functional illiterate or willfully slack.
Indeed, anyone who has visited AIS knows beyond a shadow of a
doubt that the system NEVER supported handles of such nature.
[Of course, Bowen can respond by blaming it on a copy editor
and/or tight deadline, the last, best defense of lazy,
inaccurate newsmen the country over.]
These vague insinuations, however, were as nothing compared to
the wellspring of the controversy, Garreau's "Treasury Exposed
Computer Virus Info; Whistleblowers Halted Display Available To
Anyone With A Modem" which brought into the public glare the
chain of events that resulted in the removal of hacker tools,
text files and commented virus source code from AIS.
Although Garreau's story attempted to present a number of sides
it was packaged so that a general reader would get a picture
of a mad-dog government agency, finally "muzzled" after
distributing dangerous code to "every maladjusted sociopath
with Coke-bottle-bottom glasses." More savagely irresponsible
was the sideborn statement that treasury officials had neglected
to "discipline" Clancy, instead merely removing the dangerous
information from her system.
It was a real rabbit punch; a cheapjack, ham-handed slam on
Kim Clancy, successful in portraying her as someone who
spends her worktime beta-testing intrusion software against
her own department so that hackers might optimize their methods
for computer subversion and vandalism. This is hair-raising
stuff, to be sure, for a general readership, but not the real
truth. It is my understanding, and something I've seen
Kim Clancy make clear in lectures to many computer workers, that
the whole point of working with hackers on the development of
"Tone-Loc" software was so that it COULD and WOULD be
supplied to interested security personnel who would use it
to gain an understanding of how to harden their systems against
tools employing similar technology.
This is emphatically not the handiwork of someone who should
be disciplined or professionally tarred, but the work
of someone who Bruce Sterling, not me, says is "probably THE
BEST THERE IS [emphasis mine] in the federal government who's
not military or NSA. Probably better than most CIA."
Unfortunately, Sterling's appraisal was buried near the end
of the story, after all the cracked shouting about aiding
hackers and computer criminals.
But I've walked away from the real nut of the matter: the
presence of commented virus source code at AIS. The significance
of this is, in my opinion, beyond the current ability of
mainstream journalists to evaluate simply because the vast
majority of them have little technical grasp of the
labyrinthine reality of computer security, what viruses are,
how they work and don't work and where you find virus source
code. Certainly, The Washington Post story did nothing
to convince otherwise.
Consider these statements from The Post and some stony facts:
>>According to software writers, with the AIS information
"relative amateurs, could create new viruses."
This is dangerously misleading. As point of fact, relative
amateurs DO, not could, create new viruses from source
code and they've done so for a long time before the advent
of AIS. That AIS would be responsible for such a
development, which is already fact, is frankly idiotic.
>>Virus source code at AIS "is worse than making live
viruses available. A person without the skill to write
a brand new virus could nonetheless produce a variation
on an existing one . . . If sufficiently mutated, the
virus might slip past anti-virus programs designed to
look for known products."
This presumes that most virus-writers, would-be
virus-writers and "Coke-bottle glasses-variety
sociopaths" have little access to source code. This
is not even close to being true. Virus source code
is now commonplace on professional, semi-professional
and amateur BBS's run by every stripe of user across the
country. In fact, it is almost as common as pirated
software and pornography in some locales. Surprisingly,
the higher quality virus disassemblies stocked on such
BBS's are often the handiwork of anti-virus
researchers and software developers. Strangely, this
has never been reported by a mainstream newsman, perhaps
because "designated experts" often come from the same pool
of researchers and developers.
>>". . . some computer professionals minimize the risk,
saying the software on [AIS] was acquired through the
computer underground in the first place, and thus has
always been available to miscreants with sufficient
contacts, tenacity and skill."
This is a particularly nasty one because it's presented
as justification by those attacked and seems true. It's
not. It requires NO tenacity or particular skill to
get hundreds of viruses and assorted source code listings.
Unlike the stunt of hacking a mainframe from a dial-up,
which often requires great patience, a brute-force approach
or some technical skill as substitute, from teenagers to
middle-age men, anyone with a PC and a modem can dig up a BBS
devoted to virus code in almost no time. Yes, they are that
common.
Why should this be? Where have all those live viruses come from?
Paradoxically, many of the virus files on these BBS's bear the
electronic mark of software developers like Certus
International, S&S International and security organizations
such as the National Computer Security Association.
Damn. How DO "relative amateurs" get ahold of
those samples? Of course, they could all be forgeries,
the work of some dangerous psychopath. Yeah, right.
In any case, the only people who can't access the hacker
files anymore are the security people. And the real story
may boil down to what I call the "You dunno this information,
it's too dangerous and you don't have any business
knowing about viruses and hacker files so leave it to us
anonymous security experts and anti-virus researchers
because we're here to serve and protect and we'll
take care of all that stuff, thank you" explanation.
It is the very essence of professional arrogance
and hubris, in my estimation.
There is, obviously, much more which should have been addressed
by the mainstream media. Why hasn't it, then? Because it's
not as sexy a story as the visceral blurt of noble civil servant
whistleblowers bringing down a renegade government security
BBS pursuing new ways to pervert the public trust out on the
rim of cyberspace. And it would take time; it's a story that
couldn't be researched and rushed into print in a week. It's
complex, you see, and would be a great deal longer than the
piece which ran in America's finest newspaper, The Washington
Post. So maybe we should all forget about fairness,
because if it can't get into print at The Post, where will it?
I hope Kim can continue her fine work and I'm angry at the
stupid treatment this controversy has received at the hands
of the newsmedia, so I'm writing to you about it because if
I don't, I just might have to scream.
****************************************************************
HACKER GUIDE: HOW TO TELL WHEN YOU'RE PART OF AN 'OFFICIAL'
SCANDAL GENERATED BY THIRD PARTIES SKILLED OR LUCKY AT
MANIPULATING THE PRESS
The Crypt Newsletter doesn't claim credit for the idea and
definition of the "official" scandal; instead, it's supplied
by Martin Lee and Norman Solomon in their devastating
criticism of journalistic methods, "Unreliable Sources: A Guide To
Detecting Bias in Newsmedia" (1990, Lyle Stuart).
The AIS mess has many of the trappings of an "official"
scandal - that is, a catastrophe orchestrated by parties
with a vested interest in seeing it handled "properly."
Generally, such goings on are completely overlooked by
the newsmedia until it becomes an easy pitch to wake up
and produce a quick story with a lurid news hook.
According to Lee and Solomon, "official" scandals have
certain hallmarks. Directly from their book, then, with
embroidering comments by the Newsletter:
1. The "scandal" comes to light much later than it could
have. So it was with AIS: The hacker files were removed
from the BBS weeks before the story was retold in the
newsmedia.
2. The focus is on scapegoats, fallguys, as though remedial
action amounts to handing the public a few heads on a
platter. Kim Clancy, as the administrator of AIS, is the
fallguy, er, fall-lady, here.
3. Damage control keeps the media barking but at bay.
The press is so busy chewing on scraps near the outer
perimeter that it stays away from the chicken house.
While the newsmedia was chewing on AIS, it neglected to
discover Paul Ferguson doing double-duty, CARO members
helping themselves to dangerous code on AIS while
complaining about it to others, and the ugly truth
that much of the virus code and live viruses on amateur BBS's
throughout the U.S. can be traced to AIS's opponents,
a few anti-virus software developers.
4. Sources on the inside supply tidbits of information
to steer reporters in certain directions -- and away
from others. See Paul Ferguson and Peter Neumann of
RISKS.
5. The spotlight is on outraged officials -- in this case,
"anonymous", Neumann and Ferguson -- asking tough, but not
TOO tough, questions.
***********************************************************
FIRST INTERNATIONAL VIRUS WRITING CONTEST -- AND THE WINNER IS:
"Stormbringer"
for his ingenious companion virus which none could beat. . . .
To be unveiled in The Little Black Book of Computer Viruses, Volume 2.
Please contact American Eagle Publications, PO Box 41401, Tucson,
AZ 85717 to claim your reward. To prove you really are Stormbringer,
please tell us how long the small companion virus you submitted was,
and send the first 5 instructions.
*************************************************************
Thanks! - Mark L.
************************************************************
ASK MR. BADGER: OUR ROVING SPORTS DESK CORRESPONDENT, RAOUL
BADGER, SUMS UP ON THE INFORMATION SOCIETY
If you've ever had your day screwed up by what I call the
"technological arrogance" of others - that is, had half an
hour or more wasted straightening out a personal fiasco
foisted on you by some anonymous white-collar boob driving
a computer terminal at any service, infrastructure or
banking-related institution, you're going to curse out loud
when you see the June 14 issue of BusinessWeek.
But to ease you into that, I'm going to talk about hippies
first.
This month's Whole Earth has a reprint of a Bruce Sterling speech
from '91 and stuff on encryption, Virtual Reality, the latest
Cypherpunk hit, and review of various books on fractals, fuzzy
logic, etc.
If nothing else, it must be commended on having almost no
digitized artwork. Except for a few small shots of fractals and
one shot of the Diet Pepsi commercial with Elton John and Louis
Armstrong (which actually do seem to fit), there is only one whacked
piece of artwork. Since that's in a review of "WIRED," I guess
I'll let it pass uncommented......
Now, I don't know if you've been following the Whole Earth's gradual
transformation/demise into a New Age burial ground for unwashed
heathen, but for me it's a welcome relief. I put up with their
articles on the magical influence of women's menses. I tolerated
their inexplicable reverence for R. Crumb (repeated in this
issue as well). I even endured the sudden dearth of insightful
reviews of tools, clothes, and real-life stuff.
The last issue, however, was tops. It featured a diatribe
against the North American male who is responsible for the wildly
inaccurate belief that fat is ugly.
When I beheld a picture of a three hundred pound porker, naked,
offered as proof that all women are beautiful, I calmly, but
surreptitiously, took the liberty of placing all the newsstand's
copies of Whole Earth in what is euphemistically known as "Section F."
That is, right next to the plastic-wrapped "Hefty Babes," and swore
I would never deign to pick up -- much less buy -- such tripe again.
Needless to say, I have again been proven premature in my vows.
But, onward.
The BusinessWeek article I warned you about ("The Technology Payoff")
requires massive amounts of scorn, ridicule, and sarcasm from any
sane, skeptical reader. A life-long, proud adherence to a cynic's
attitude is indispensable in avoiding thought contamination from
it.
Its subhead:
"Business spent $1 trillion on information technology in the last
decade - but showed little gain in efficiency. Now, productivity
is finally bursting out, thanks to better software and a
reorganization of work itself."
[This is really puzzling, as their own graphs show that investment
in "information technology" has quadrupled since 1980, but
productivity has only increased by about 1 per cent. It's even worse,
in that productivity is only about 0.5 per cent above 1982 levels.
Perhaps the writers flunked the test on chart-reading in high school.]
The "factoids":
"Hospitals are using computers to help cure medicine's inefficiency."
[They neglect to mention that it will probably automate its errors,
as well.]
"Scanners and satellites reduce paperwork and make for shorter
checkout lines . . ."
[I hope they're with me next time I'm in a Western Auto checkout line
and the entire staff is helpless because one product is missing an
inventory code.]
And let's not forget a sidebar entitled "The Power of Software:
New approaches are starting to get big results." Here's where
"..it all comes together". GUI's, networking, flexible databases,
and imaging combine to drive productivity gains! Yes, it slices and
dices, it mows the lawn and can cut through a tin can and still
keep an edge sharp enough to cut a tomato! But wait, there's more!
Where else could you get a side-splitter like this:
"[Windows solitaire] sure blew peoples' productivity,' admits
Wes Cherry, the Microsoft programmer who developed it. But then
a funny thing happened: When useful applications for Windows
arrived, workers HAD ALREADY MASTERED CLICKING AND DRAGGING
ON SCREEN OBJECTS -- SKILLS HONED WITH SOLITAIRE." (outraged
emphasis mine)
Shit, here I've been wasting my time learning assembler and DBase
when I could have been playing solitaire. All that time
using Lotus and WordPerfect when I should've been learning how to
use a mouse!
[Inchoate shriek of frustration and rage!] I've missed out on the
leading edge of technology once again!
I guess there's not much else for me to do other than sign off as
Mr. Behind-The-Times-Badger. I'm off to scout for a good mouse
tutorial.
Write ASK MR. BADGER at: mrbadger@delphi.com
SMOTHERING DOOM IN THE DESERT: VIRUSES, CHEMICAL WEAPONS
DUMPS AND FATAL MYSTERY ILLNESS
Jim Smith, a Ph.D. scientist working for the Department
of Energy at Sandia National Laboratories in Albuquerque,
New Mexico, home of the International School for Nuclear Weapons,
was on the phone a couple of weeks ago asking The Crypt Newsletter
why the national press was blaming the Navajo for the
recent cluster of asphyxiating, mystery illnesses knocking
more than a dozen dead in the desert of the reservations.
"What's wrong with those candy-asses in the media? Why
hasn't anyone asked about the military?" he said over the
phone.
"My colleagues have been discussing this and we think it's
strange most of the cases are near Gallup, which isn't
too far from an Army chemical weapons dump, Fort Wingate.
Wingate was closed about a year ago but more recently, they've
been moving materials out of it," he continued. "What if something
happened? You know, the desert is filled with off-limits places
that we're kept out of because there are toxic spills in them.
Funny, how no one is concerned about getting this 'disease' once
the victims are in the hospital, but don't stir the dust
up when you're in the area."
Smith went on about how Albuquerque is rocked infrequently
by strange, terrible explosions - the detonations of fuel-air
canisters out in the desert south of Kirtland Air Force Base where
the military tries to duplicate the overpressures of tactical
atomic shelling so it can see the effect of blast waves
on equipment and housing.
Intriguing stuff. Fort Wingate is indeed near Gallup; it's an
installation which can be barely glimpsed south of Interstate
40 as a weird-looking series of featureless structures close to
the Arizona/New Mexican border.
The military, unsurprisingly, has never commented on the exact
nature and quantity of chemical weapons in its arsenal. However,
one class of weapons is noteworthy, here: the choking agents phosgene
and diphosgene.
Phosgene, produced simply by burning the solvent chloroform,
has been manufactured by the U.S. military since
World War I. Used first in great quantity during the British
offensive at The Somme River, phosgene is an almost odorless,
colorless gas which produces fatal symptoms which seem weirdly
familiar.
At the Somme, phosgene victims initially felt nothing more
than a slight eye and nose irritation which passed. Then,
the victim might feel slightly euphoric, or slightly ill,
while the lungs began to fill with fluid. At a point, anywhere
from 6-48 hours after initial exposure, the victim would literally
begin to drown as his lungs filled; a thin, blood-streaked fluid
might dribble from the mouth as the dying victim tried to
expel the material accumulating in his lungs. By 1918, the
Germans had perfected a method of spreading phosgene as a dust;
the gas was carried in the interstices of powdered pumice.
In any case, the U.S. was no stranger to phosgene derivatives
either, testing the gas and large quantities of mustard agents
on Australian and Canadian volunteers at Brook Island, Queensland,
in 1943. It was a project of the utmost secrecy and it remained
almost completely unknown until 1989 when an increasing flood
of test subjects, some suffering from horrible disabilities,
started to talk about it for documentaries and reporters. The
U.S. also tested volunteers at Bushnell, Fla., Dugway Proving
Ground at Tooele, Utah; Edgewood Arsenal, Md., and Camp Sibert,
Alabama.
It is not unreasonable to speculate that the U.S. retains large
quantities of phosgene and diphosgene in its arsenal to this
day.
The "mystery illness" which has killed more than a dozen by
sudden, inexplicable smothering has been attributed to the
"hantavirus," however, a heretofore obscure microorganism found in
the deer mouse. Infectious disease specialists speculate that the
virus, shed in droppings, creates disease in humans when inhaled on
fecal dust. For the most part, medical writers in the press
have accepted this explanation, leaving the story open and waiting
for more conclusive testimony from official sources. Curiously,
they have not questioned the military.
For their part, the Navajo have proclaimed the rodent dropping
explanation royal bunk.
On June 19, The Washington Post in its continuing coverage of the
story published this:
"If we take the federal government by the way they have treated
the American Indian from day one, then they are probably withholding
information," said Albert Tinhorn, 38, a tribal chapter president,
or government leader, from Dennehotso, Ariz.
"I find it hard to believe the mice theory," Tinhorn said. "I think
if there's any truth to be found, it's got to be in the toxic
wastes, all the radioactivity around here. The federal government's
been doing secret testing of who knows what out here for years.
Ten years from now, we'll hear there was a coverup."
Tinhorn agrees with tribal President Peterson Zah, who spoke in
Washington, criticizing media coverage of the illness as a Navajo
disease and offering examples of Navajos who have been treated
poorly by outsiders.
"The teeth of racism by the media and others have been bared
against the Indian people," Tinhorn said. "The Navajo people
have been very tolerant. Three or four Anglos have died of this
disease, whereas the diseases brought over by the European people
years ago wiped out entire Indian populations."
And a week earlier, on the editorial page of the L.A.
Times, Navajo Johnny P. Flynn wrote:
"The young people who died were probably smart enough not to
handle rat droppings, and they certainly did not get the
disease from stirring up the disease at a sing or ceremony,
because many young people no longer attend these. No, this
disease, some Dine' believe, will ultimately be traced
to the [white man's] insistence on using Dine'tah as a
dumping ground for their poisons."
As food for thought, the reader might consider:
The Soviet explanation of an outbreak of rapidly
fatal pneumonic anthrax in the city of Sverdlovsk in 1979.
Soviet officials said anthrax-tainted meat was the culprit.
Western powers, including the U.S., said bullshit - it was a
mishap at a biological weapons facility, one which aerosolized
anthrax spores and swept them over the city.
And this bizarre record of publicized chemical weapons
mishandling by the U.S. military:
In March 1968, a nerve agent test gone bad at Dugway
Proving Grounds, Tooele, Utah, kills 6,300 sheep in
nearby Skull Valley.
In August 1969, the U.S. Army was accused of rail-shipping
a large quantity of phosgene from Denver to New York State
where it was to be sold to a plastics manufacturer. Two
rail cars of phosgene eventually got lost in Buffalo for
a day.
December 1969 - more nerve gas leaks at Dugway.
January 1969: Two hundred canisters of the nerve agent,
VX, are discovered at the bottom of a recently drained lake
near Fort Greely, Alaska. The poison had been stored on the
lake's ice, when it cracked through and sank in 1966.
Strangely, the Army never missed it.
Keep in mind that all the information presented in this
piece is purely circumstantial. But then, so is the "hantavirus"
theory.
IN THE READING ROOM: 'TECHNOLOGY REVIEWS' SPECULATES
ON THE COLOR OF THE FUTURE OF EDUCATION. IT'S BABYSHIT BROWN,
AS KURT VONNEGUT WOULD SAY.
In my endless ramblings through the local newsstand, I ran across
the July issue of Technology Review. Technology Review is put out
by the fine folk at MIT and features lightweight articles on a
variety of "scientific" subjects; imagine a Discover magazine with
fewer ads and you'll get the idea.
The cover story is "The Children's Machine: How Computers
Can Restore the Wonder of Learning". It shows a baby in diapers in
front of a terminal with an expression of wonder on his cherubic
face. [The cynical will immediately note that the baby is, in fact,
ignoring the monitor and staring at some attention getting device
not shown.]
But don't be fooled by the title, this isn't an article about
computers in education. No siree, it's about the Knowledge Machine!
You know about the knowledge machine, don't you? Why, you fool!
It's the device that would allow a child to use "speech, touch, or
gestures" to "quickly navigat[e] through a knowledge space much
broader than the contents of any printed encyclopedia."
As it turns out, the Knowledge Machine will allow a child to
select an animal and see it "eating, running, fighting, or
birthing...", all with realistic sounds! Even the smell and
touch of being with the animals will be available!
Parents will be glad to know that there is no lack of storage
or access technology impeding development of the Knowledge Machine.
No siree, Bob! All we need to do is bring together the knowledge,
and the enormous potential market for the machine guarantees that
it will happen.
By now you're wondering just who the heck thought all of this. I'm
not going to tell you . . .yet. [Well, yes I am.] Because you
should know that Professor Seymour Papert [Honest, that's his
name!], does have some decent insights into educators' use of
computers in the here and now. He speaks of school administrators
who view computers as things to be placed in "Labs". Once
safely cordoned in labs, curricula are drawn up. Now computers
become something to be taught, tested, and graded. In the
meantime, however, schools have inoculated themselves with a
subversive element. Computers aren't something students use, they
are something students learn. Here, I'll let the good professor's
words speak for themselves:
"...if "computer skill" is interpreted in a narrow sense of
technical knowledge, there is nothing the children can learn
now that is worth banking. By the time they grow up, the
computer skills required in the workplace will have evolved
into something fundamentally different. What makes the
very idea of banking computer knowledge truly ridiculous is
that it undermines the only really important 'computer skill':
the habit of using the computer for doing whatever one is doing.
Yet this is exactly what was given up in shifting the computer
away from the classroom."
All of which seems to be perilously close to saying, "Let the
little hackers play, dammit!"
How then can this Professor Papert think that we're going to have a
"Knowledge Machine" available to every four-year-old anywhere in the
near future? As it turns out, Professor Papert teaches learning
research at the MIT Media Laboratory. As it turns out, Professor
Papert is a proponent of progressive educational ideas.
People in this position really ARE screwed. Ever since John
Dewey came up with the idea of more self-centered education,
reformers have been continually embarrassed that their reforms
don't "bring about dramatically better learning." [Those're
Papert's terms. Most parents would state this "learn-at-your-
own-pace-learn-whatever-you-want-shit" hasn't done anything but
destroy a fairly decent educational system.]
Sure enough, the professor insists that previous reforms failed
because they didn't have the right tools. Like Leonardo da
Vinci, reformers lacked the infrastructure to create everything
they envisioned. Yeah, right. Regular Crypt readers probably have
no need for me to say how full of self-serving horse-hockey this
is.
A decade ago, computers were going to solve our nation's
educational problems. NOW, it's going to take a combination
of interactive CD's, a level of Virtual Reality technology that
doesn't exist, gigabytes of memory, the power of a Cray, and an
interface accessible to four and five year olds. In the meantime,
one must wonder if reliance on a non-existent form of technology
really means that Professor Papert and other educational reformers
have no good ideas for educating children in the present.
Wake up and smell the coffee, Professor. By the time we do have a
"Knowledge Machine", parents will be up in arms about children
being able to see unlimited footage of animals birthing. By the
time we have a Virtual Reality capable of reproducing the feeling
of fur and the smell of a cow, Crypt readers will have
some ***really*** interesting programming.
---Mr. Badger
**************************************************************
JUMPING ON THE BANDWAGON: NON-FUNCTIONAL ANTI-VIRUS SOFTWARE
IS WHERE YOU FIND IT
**************************************************************
The last couple of months have seen an explosion in the number
of anti-virus toolkits found on the market. A good case study
is the example of the Russian product, Anti-virus System
Protection, or AVSP. Marketed by Planning Works International
of Columbus, Ohio, the product appears to be sophisticated
shareware with a $50 registration.
In reality, it stands no chance on the market, being much less
functional from an average user viewpoint than any of the
current market heavies.
AVSP comes with a fast scanner limited to only 129 virus
signatures. It's your job, says developer Andrew Borisov,
to add signatures to it as you find viruses. Bad plan.
It presumes U.S. users will rely totally on the product's
data integrity/checksummer program to flag files infected
by viruses not included in AVSP's signature file. Then
comes the fun part. Using AVSP's diagnostic tools, which
include a disassembler and file viewer which graphically
represents the changes an unknown virus has made
to a file, the user is supposed to pluck out a signature from
the virus code, copy it to a clipboard, and transfer it to
AVSP's virus signature database.
I tried this and after a couple stabs got it right with
the Career of Evil virus included in Crypt Newsletter 15.
Then came the fun part: infecting a bunch of files with
Career of Evil and using AVSP to detect the virus.
AVSP detected every file containing Career of Evil, it
found the virus in memory, and even found the virus in
memory when it wasn't there! Howzzat? AVSP, it turns out,
holds the signatures you add unencrypted in memory and then
scans that region along with everything else; quite naturally
it finds its own signature table, and reports the virus "in
memory", every time. A scanner has to keep its signatures
obscured, or at the very least skip its own buffers, so that
the search string never matches the search string. This is an
amazing screw-up for $50 shareware, effectively nixing the
whole idea behind AVSP.
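The self-detection bug above, reduced to a toy. This is an added example, not AVSP's code: two scanners run over a constructed "memory image" of named regions. The naive one stores its signature table as plain bytes and scans every region, so it always reports its own table as infected; the careful one keeps the table XOR-masked at rest and never scans its own region. The signature bytes, the mask key and the region contents are all constructed stand-ins (the real Career of Evil scan string is not reproduced).

```python
# Added example, not AVSP's code. Demonstrates why a scanner that keeps its
# signatures in the clear and scans its own memory will "find" every virus
# it knows about, and the two fixes: mask the table at rest, skip own region.
from typing import Dict, List

# Constructed stand-in signature (NOT the real Career of Evil scan string).
SIG_CAREER_OF_EVIL = bytes.fromhex("e8 00 00 5e 81 ee 03 01 b4 4e ba")
MASK_KEY = 0x5A   # constructed; any non-zero byte works for the demonstration


def xor_mask(data: bytes, key: int = MASK_KEY) -> bytes:
    """Symmetric byte-wise XOR: the same call masks and unmasks a signature."""
    return bytes(b ^ key for b in data)


def build_image(infected: bytes, clean: bytes, sigtable: bytes) -> Dict[str, bytes]:
    """Constructed memory image: three named regions, one being the scanner's
    own signature table (stored however the caller chose to store it)."""
    return {"infected.com": infected, "clean.com": clean, "scanner": sigtable}


def naive_scan(image: Dict[str, bytes], sigs: List[bytes]) -> List[str]:
    """AVSP-style: plain signatures, every region scanned including "scanner"."""
    hits = [name for name, data in image.items() if any(s in data for s in sigs)]
    return sorted(hits)


def careful_scan(image: Dict[str, bytes], masked_sigs: List[bytes],
                 own: str = "scanner") -> List[str]:
    """Signatures arrive masked, are unmasked only for the comparison, and the
    scanner's own region is never searched."""
    hits = []
    for name, data in image.items():
        if name == own:
            continue
        if any(xor_mask(m) in data for m in masked_sigs):
            hits.append(name)
    return sorted(hits)


def demo() -> dict:
    sig = SIG_CAREER_OF_EVIL
    infected = b"\x90" * 40 + sig + b"\xcd\x20"   # constructed "infected" file
    clean = bytes(range(256))                      # constructed clean file
    plain_image = build_image(infected, clean, sigtable=sig)             # table in the clear
    masked_image = build_image(infected, clean, sigtable=xor_mask(sig))  # table masked at rest
    return {
        # the bug: the plain table is itself a match
        "naive": naive_scan(plain_image, [sig]),
        # masking alone already removes the phantom hit ...
        "naive_masked_table": naive_scan(masked_image, [sig]),
        # ... and the careful scanner adds the own-region exclusion on top
        "careful": careful_scan(masked_image, [xor_mask(sig)]),
    }
```

The first result lists "scanner" alongside the genuinely infected file; the other two list only the infected file. The same reasoning applies to the signature file on disk: if it is stored in the clear, a file scan of the product's own directory produces the identical false alarm.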
AVSP's documentation is laughable; the product of someone
who apparently learned English only yesterday.
While it's true that segments of AVSP are well-done, the
product is ill-conceived and clearly has no audience.
Programmers capable of using the disassembler and do-it-
yourself signature base don't need to spend $50 for this;
average users would never feel comfortable with the software.
There are many products currently in circulation which share
AVSP's dubious functionality. This is a direct result
of the idea that there's "cash to be made in them thar
hills!" As such, you would do well to regard most of them
as lousy buys until proven otherwise.
It is doubly interesting that AVSP is Russian, licensed to
America. We've been led to believe that Russia is packed full
of unemployed programmers - all very skilled - working overtime
to make viruses as revenge. If they are all like the people who
put together AVSP, they will have to work a lot harder, in
the future, to make anyone lose any sleep at night.
****************************************************************
MORE MUTATION ENGINE STUFF AND DISMANTLING MICROSOFT ANTI-VIRUS,
POLITELY
****************************************************************
This month's issue includes the PC WEEVIL, a polymorphic direct
action .COM file infector which utilizes The Mutation Engine (MtE),
again.
Big deal, you say! Ah-ah-ah, not so fast. Here at the newsletter
we were quite intrigued by Mark Ludwig's study of polymorphic
viruses in Computer Virus Developments Quarterly #3. Ludwig pointed
out the limitation of the engine, but he also looked at the flimsy
reeds many anti-virus scanners have tied themselves to in search
of the MtE.
A minor diddle of code before the MtE decryptor kicked in caused
most scanners to fail ignominiously. We checked with later versions
of scanners, most notably SCAN and FINDVIRUS and found that both
products had cleaned up their acts - both caught Ludwig's demo
virus. However, the change was so fast we suspected that it
was a bad kludge.
Ludwig's initial change involved inserting 24 instances of the
instruction "mul cx" before the Mutation Engine decryptor. He
rightly pointed out that this gives developers a constant handle
in front of the main body of the virus which can be seized by
a plain vanilla signature - in essence it puts a constant stream
of instructions into a polymorphic virus, mitigating some of its
features.
Strangely, the "mul cx" instruction had the effect of completely
wrecking the action of Microsoft Anti-virus. Any virus using this
sequence hangs the program thoroughly. So we changed that segment
to 24 instances of "jmp $ + 2 ", a nothing sequence which we
assumed had a good chance of confusing things still further. Micro-
soft Anti-virus no longer hung, but it wouldn't even detect
unencrypted versions of the virus, PC WEEVIL, included in this
issue. SCAN 106, FINDVIRUS and F-PROT 2.08 would only detect
unencrypted copies, identifying the MtE code. Likewise with
ThunderByte's TBSCAN. This program was successful against
plain-text copies of PC WEEVIL only. Heuristically, it
noted only that files contained garbage instructions, which was
enough to trigger its "infected" flag only if a series
of positively identified viruses were also found on the disk.
Leprechaun Software's The Doctor scanner, while very effective
at detecting standard MtE samples (although we might add it has
a high false positive rate), was equivalent to Microsoft Anti-virus
against PC WEEVIL.
The only thing left to do was to work around the nasty string of
constant instructions - "mul cx's" or "jmp $+2's" or whatever -
so that software developers would not be tempted to use a signature
scan, instead working to make their MtE detection logic better.
The Crypt Newsletter chose to insert 48 pairs of "00 00" words
in front of the MtE decryptor as additional garble. Take a
look at a number of your executable programs under a file viewer -
notice the many instances of repeated "00". Obviously, this
makes choosing a scan string from this sequence in the virus
a less than desirable quick fix: a product that did so would
flag every program carrying a run of zeroed bytes. Within PC WEEVIL
we've carefully pointed out the changes made to the code so that you
can experiment with all kinds of garbling instructions as the
anti-virus scanner wars continue.
Most scanners can still detect plain-text, or unencrypted
copies of PC WEEVIL, but they are blind to those where the
Engine has turned successfully. Only F-PROT 2.08 was
capable of occasionally picking up one of the garbled
copies of the virus.
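The three "handles" discussed above, modelled as an added example (this is not Ludwig's code, not PC WEEVIL and not any scanner's code). Each constructed sample is a constant prefix (24 x mul cx = F7 E1, 24 x jmp $+2 = EB 00, or 48 x 00 00) followed by a different pseudo-random body per generation, which stands in for the engine's output; the real MtE decryptor is not modelled. The "lazy fix" of lifting a scan string from the front of one sample works on every sample with the same prefix, fails completely once the prefix changes, and in the all-zero case fires on a constructed benign .COM file with a zeroed data area. A small check at the end flags scan strings that are too repetitive to trust.

```python
# Added example, not from the newsletter or any product. Shows why a plain
# scan string taken from a constant prefix in front of a polymorphic body is
# a fragile quick fix, and a check that rejects such scan strings.
import hashlib

MUL_CX = bytes.fromhex("f7e1")     # mul cx
JMP_2 = bytes.fromhex("eb00")      # jmp $+2 (short jump to the next instruction)
ZERO_WORD = bytes.fromhex("0000")  # the "00 00" filler used in PC WEEVIL


def poly_body(generation: int, length: int = 96) -> bytes:
    """Stand-in for mutation-engine output: deterministic pseudo-random bytes
    that differ every generation and share no fixed sequence."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(b"gen%d-%d" % (generation, counter)).digest()
        counter += 1
    return out[:length]


def build_samples(handle: bytes, count: int, generations: int = 10) -> list:
    """Constructed infected files: constant handle, then a polymorphic body."""
    return [handle * count + poly_body(g) for g in range(generations)]


def scan_string_from(sample: bytes, length: int = 16) -> bytes:
    """The lazy fix: lift the first bytes of one sample as the scan string."""
    return sample[:length]


def detect(scan_string: bytes, samples: list) -> int:
    """Number of samples in which the scan string occurs."""
    return sum(1 for s in samples if scan_string in s)


def weak_scan_string(scan_string: bytes) -> bool:
    """Reject scan strings made of a repeated word: two or fewer distinct
    byte values means it is a filler pattern, not virus-specific code."""
    return len(set(scan_string)) <= 2


def demo() -> dict:
    mul_samples = build_samples(MUL_CX, 24)
    jmp_samples = build_samples(JMP_2, 24)
    zero_samples = build_samples(ZERO_WORD, 48)
    mul_sig = scan_string_from(mul_samples[0])
    zero_sig = scan_string_from(zero_samples[0])
    # Constructed benign .COM: mov ah,9 / mov dx,1DCh / int 21h / ret, then a
    # zero-initialised 128-byte buffer, as many real programs carry.
    benign = bytes.fromhex("b4 09 ba dc 01 cd 21 c3") + b"\x00" * 128
    return {
        "mul_sig_vs_mul": detect(mul_sig, mul_samples),    # catches them all
        "mul_sig_vs_jmp": detect(mul_sig, jmp_samples),    # catches none
        "zero_sig_vs_benign": detect(zero_sig, [benign]),  # false positive
        "weak": [weak_scan_string(mul_sig), weak_scan_string(zero_sig)],
    }
```

The numbers say what the scanner tests above say: a scan string that is really a signature of the filler, not of the virus, is only as good as the filler staying constant, and a filler that occurs in clean programs makes it worse than nothing. Detection that survives the change has to recognize the decryptor logic itself, which is the harder job the text is asking developers to do.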
Also included in PC WEEVIL is a very short routine which enables
the virus to rip through Microsoft Anti-virus's VSAFE memory
resident utility. This was pointed out by KohntarK, and the
beauty behind it was so simple, I fell out of my chair
laughing.
The routine takes advantage of VSAFE's hooking of the keyboard
interrupt, INT 16, so that a user can call up the program
and reconfigure or de-install it at any point by
hitting 'Alt-V'.
The code is this:
    mov ax,0FA01h   ;<----wakes up VSAFE for keyboard input
    mov dx,5945h    ;<----asks VSAFE to deinstall
    int 16h         ;<----calls the interrupt
By loading VSAFE into memory and looking at the interrupt table
with a memory diagnostic tool, you can see where the program
hooks into INT 16. By stepping into the VSAFE code at this
point with a good debugger, you should have no trouble
finding the branch point -
    cmp ax,0FA01h   ; leading 0 keeps the assembler from reading FA01h as a label
which executes when the user, or a virus, steps through the
code of interest. The hook makes no attempt to tell its own hotkey
handler from any other caller, so the request is honored from
anywhere.
PC WEEVIL contains this sequence and it will easily go through
VSAFE when it is resident without anyone being the wiser.
We suspect, but leave it open for you to test, that the current
versions of CENTRAL POINT ANTI-VIRUS are also vulnerable to
this measure.
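The "look at the interrupt table" step above, as an added example rather than anything from the newsletter or VSAFE. The real-mode interrupt vector table sits at 0000:0000 and holds 256 four-byte entries, each a little-endian offset followed by a segment; the code below decodes such a dump and flags BIOS-serviced interrupts whose vector no longer points into the ROM BIOS segment. The dumps are constructed: F000:E82E for INT 16h (the keyboard entry of the original IBM PC BIOS; other BIOSes use other offsets, which is why the check compares the segment rather than an exact address) and 1A2B:0105 as an assumed address for a resident monitor that has hooked it.

```python
# Added example, not from the newsletter or VSAFE. Decodes a real-mode IVT
# dump and reports which BIOS-serviced interrupts have been hooked by
# something living in conventional memory (DOS, a driver, or a TSR).
import struct

BIOS_SEGMENT = 0xF000            # ROM BIOS segment on PC/AT-class machines (assumption)
BIOS_SERVICED = (0x10, 0x13, 0x16)   # video, disk, keyboard: normally served from ROM
INT_KEYBOARD = 0x16


def make_ivt(vectors: dict) -> bytes:
    """Constructed 1 KiB IVT: entries zero except those given as {n: (seg, off)}."""
    table = bytearray(256 * 4)
    for n, (seg, off) in vectors.items():
        struct.pack_into("<HH", table, n * 4, off, seg)   # offset first, then segment
    return bytes(table)


def vector(ivt: bytes, n: int) -> tuple:
    """(segment, offset) of interrupt n from a dump of 0000:0000."""
    if len(ivt) < 256 * 4 or not 0 <= n <= 255:
        raise ValueError("need a 1024-byte IVT dump and an interrupt number 0..255")
    off, seg = struct.unpack_from("<HH", ivt, n * 4)
    return seg, off


def fmt(seg: int, off: int) -> str:
    return f"{seg:04X}:{off:04X}"


def is_hooked(ivt: bytes, n: int) -> bool:
    """Heuristic: a BIOS-serviced vector pointing below F000h has been taken
    over by resident code. An unset entry (0000:0000) is not counted."""
    seg, off = vector(ivt, n)
    if seg == 0 and off == 0:
        return False
    return seg < BIOS_SEGMENT


def hooked_bios_vectors(ivt: bytes) -> list:
    return [n for n in BIOS_SERVICED if is_hooked(ivt, n)]


def demo() -> dict:
    pristine = make_ivt({0x10: (0xF000, 0xF065), 0x13: (0xF000, 0xEC59),
                         0x16: (0xF000, 0xE82E)})            # constructed clean table
    resident = make_ivt({0x10: (0xF000, 0xF065), 0x13: (0xF000, 0xEC59),
                         0x16: (0x1A2B, 0x0105)})            # INT 16h taken by a TSR
    return {
        "pristine_int16": fmt(*vector(pristine, INT_KEYBOARD)),
        "pristine_hooked": hooked_bios_vectors(pristine),
        "resident_int16": fmt(*vector(resident, INT_KEYBOARD)),
        "resident_hooked": hooked_bios_vectors(resident),
    }
```

Once the segment:offset of the INT 16h handler is known, that is the address to set a breakpoint on; the comparison against 0FA01h is in the first few instructions of whatever hooked it. The heuristic is deliberately narrow: INT 21h and friends always point into conventional memory because DOS itself serves them, so only the ROM-serviced vectors are checked.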
Other than that, PC WEEVIL is fairly innocuous. It will infect
every .COM file in the current directory on an initial run
and is included as a DEBUG script and TASM 3.0 source listing.
To make a working copy directly from the source code requires
that you have the complete Mutation Engine archive (it supplies the
RND and MTE object files named on the link line), a common file
on BBSs throughout the country.
Simply link, thus:
    TLINK /x /t pcweevil rnd mte, pcweevil.com
(/t produces a .COM file, /x suppresses the map file).
Also included in this issue is Black Wolf's DECOMPILE, a simple
yet handy utility for decompiling Mutation Engine viruses into
plain-text form. Rather than using the standard DEBUGGING
techniques outlined in Crypt 12, this utility completely
automates the task. Try it using some MtE generations produced
by PC WEEVIL.
Typing DECOM at the command prompt will cause the program to
prompt you for an input file name, and a target file name.
Then it will attempt to decrypt the virus and write it to
the disk in its plain-text form as the target file. A
simple test for effectiveness is to look for the text
embedded in PC WEEVIL, or use a program like SCAN 106 -
which does not detect encrypted PC WEEVILs. If DECOMPILE
was successful, SCAN 106 will identify plain-text copies
as [DAME]. Enjoy these programs and utilities. And a
big "Thank You" to Black Wolf for this fine public domain
piece of code!
*************************************************************
FICTUAL FACT/FACTUAL FICTION: BE ON THE LOOKOUT FOR THIS
'STUFF'
*************************************************************
>>NuKE INFOJOURNAL #6 is definitely worth your time and
brain damage. The current issue includes discussion
with Alan Solomon, Rock Steady and Aristotle as well as
an hilarious piece by someone acting as a fly-on-the-wall
at a recent NCSA meeting in San Francisco. In it, F-PROT
developer Frisk Skulason is characterized as "pudgy" and with-
drawn, apparently no match for John McAfee on the lecture
circuit.
>>The virus-programming/hacker group Phalcon/SKISM has an
information server on the INTERNET. Contact:
request@skism.login.qc.ca
or
timelord@skism.login.qc.ca
>>Black Axis BBS sysop Aristotle has started an echomail
feed on the FIDONet backbone called NuKE_THEWORLD. You
might request it from your local FIDO sysop if he doesn't
already carry it; tune into the outrageous gossip and snappy
repartee of various virus programming groups on NUKE_THEWORLD.
***************************************************************
*CAVEAT EMPTOR*
What is the Crypt Newsletter? The Crypt Newsletter is an electronic
document which delivers deft satire, savage criticism and media
analyses on topics of interest to the editor and the computing
public. The Crypt Newsletter also reviews anti-virus and
security software and republishes digested news of note to
users of such. The Crypt Newsletter ALSO supplies analysis and
complete source code to many computer viruses made expressly for
the newsletter. Source codes and DEBUG scripts of these viruses
can corrupt - quickly and irreversibly - the data on an
IBM-compatible microcomputer - particularly when handled foolishly
by individuals who consider high school algebra "puzzling."
Files included in this issue:
CRPTLT.R16 - this electronic document
PCWEEVIL.ASM - TASM source listing to PC WEEVIL virus
PCWEEVIL.SCR - DEBUG scriptfile for PC WEEVIL virus
VSLAY.ASM - virus-mediated dismantling program for Microsoft
Anti-virus's VSAFE
VSLAY.SCR - DEBUG scriptfile for VSLAY
DECOM.ASM - Black Wolf's Mutation Engine "decompiler,"
supplied as source code.
DECOM.DOC - Documentation for DECOMPILE
WOLF.LIB - library file needed by DECOM.ASM
DECOM.SCR - DEBUG scriptfile for DECOMPILE
----------------------------------------------------------------
To assemble programs in the newsletter directly from scriptfiles,
copy the MS-DOS program DEBUG.EXE to your work directory and
type:
DEBUG < name.SCR
where name.SCR is the scriptfile of interest included in this issue
(for example, DEBUG < PCWEEVIL.SCR). DEBUG reads its commands from
the redirected script and writes the finished .COM file.
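The script format DEBUG consumes above, as an added example that is not any of the issue's .SCR files: N names the output, each E line enters bytes at an address from 0100h (where a .COM loads), RBX/RCX set the byte count, W writes it and Q quits. The generator below produces a script of that shape and the parser rebuilds the bytes a script would write, checking that the RCX value agrees with the E lines, which is a cheap way to verify a script before feeding it to DEBUG. The sample bytes are a constructed stand-in for VSLAY (the three instructions quoted in the VSAFE section plus a RET), not the issue's VSLAY.SCR.

```python
# Added example, not from the newsletter. Writes and parses DEBUG scripts
# of the N / E / RBX / RCX / W / Q form used to distribute .COM files.
ORG = 0x100   # .COM files load at CS:0100h; DEBUG's E lines write there

# Constructed stand-in for VSLAY: mov ax,0FA01h / mov dx,5945h / int 16h / ret.
VSLAY_STUB = bytes.fromhex("b8 01 fa ba 45 59 cd 16 c3")


def to_debug_script(filename: str, code: bytes, per_line: int = 16) -> str:
    """Emit a script that makes DEBUG write `code` to `filename`."""
    lines = [f"N {filename}"]
    for i in range(0, len(code), per_line):
        chunk = code[i:i + per_line]
        lines.append(f"E {ORG + i:04X} " + " ".join(f"{b:02X}" for b in chunk))
    # W writes BX:CX bytes from offset 100h; BX must be 0 for files under 64 KiB
    lines += ["RBX", "0", "RCX", f"{len(code):X}", "W", "Q"]
    return "\n".join(lines) + "\n"


def from_debug_script(script: str) -> bytes:
    """Rebuild the bytes a script writes from its E lines; verify RCX."""
    image = {}
    declared = None
    it = iter(script.splitlines())
    for line in it:
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0].upper()
        if cmd == "E":
            addr = int(parts[1], 16)
            for k, hx in enumerate(parts[2:]):
                image[addr + k] = int(hx, 16)
        elif cmd == "RCX":
            declared = int(next(it).strip(), 16)   # value is on the following line
    if not image:
        return b""
    lo, hi = min(image), max(image)
    code = bytes(image.get(a, 0) for a in range(lo, hi + 1))
    if declared is not None and declared != len(code):
        raise ValueError(f"RCX says {declared:X}h bytes but E lines supply {len(code):X}h")
    return code


def roundtrip_ok(filename: str, code: bytes) -> bool:
    """True when a generated script parses back to the same bytes."""
    return from_debug_script(to_debug_script(filename, code)) == code
```

A script whose RCX line disagrees with its E lines makes DEBUG write a truncated or zero-padded file that still assembles silently; the parser raises on exactly that case, so run it over a downloaded .SCR before typing the DEBUG command.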
-------------------------------------------------------------------
So you like the newsletter? Maybe you want more? Maybe you
want to meet the avuncular Urnst Kouch in person! You can
access him at the e-mail addresses on our masthead, as well as
at Crypt InfoSystems: 818-683-0854/14.4.
Other fine BBS's which stock the newsletter are:
MICRO INFORMATION SYSTEMS SERVICES 1-805-251-0564
THE HELL PIT 1-708-459-7267
DRAGON'S DEN 1-215-882-1415
RIPCO ][ 1-312-528-5020
AIS 1-304-480-6083
CYBERNETIC VIOLENCE 1-514-425-4540
THE BLACK AXIS/VA. INSTITUTE OF VIRUS RESEARCH 1-804-599-4152
UNPHAMILIAR TERRITORY 1-602-PRI-VATE
THE OTHER SIDE 1-512-618-0154
REALM OF THE SHADOW 1-210-783-6526
THE BIT BANK 1-215-966-3812
CAUSTIC CONTAGION 1-817-776-9564
*********************************************************************
Comment within the Crypt Newsletter is copyrighted by Urnst Kouch,
1993. If you choose to reprint sections of it for your own use,
you might consider contacting him as a matter of courtesy.
*********************************************************************