Computer underground Digest Sun July 26, 1998 Volume 10 : Issue 41 ISSN 1004-042X Editor: Jim Thomas (cudigest@sun.soci.niu.edu) News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu) Archivist: Brendan Kehoe Shadow Master: Stanton McCandlish Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Field Agent Extraordinaire: David Smith Cu Digest Homepage: http://www.soci.niu.edu/~cudigest CONTENTS, #10.41 (Sun, July 26, 1998) File 1--Groups Write Senate on Pending Net Censorship Bills (EPIC) File 2--Joint Letter to USSentate IN RE S-1619 and S-1482 File 3--Followup to Rutstein review File 4--Re: [Secure-NT] Followup to Rutstein review File 5--Microsoft, Netscape, & Diversity File 6--cDc releases BACK ORIFICE for MS Windows File 7--Cu Digest Header Info (unchanged since 25 Apr, 1998) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION ApPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. --------------------------------------------------------------------- Date: Mon, 20 Jul 1998 18:18:18 -0400 From: EPIC-News List Subject: File 1--Groups Write Senate on Pending Net Censorship Bills (EPIC) Published by the Electronic Privacy Information Center (EPIC) Washington, D.C. http://www.epic.org [1] Groups Write Senate on Pending Net Censorship Bills EPIC joined with a dozen other free speech and civil liberties groups on July 14 in a letter sent to the U.S. Senate concerning two pending Internet censorship bills, saying they violate the First Amendment. The groups contend that the bills -- one requiring Internet content filters and the other setting criminal penalties for providing "inappropriate" online material to minors) -- would severely restrict free expression on the Internet. The Senate may soon vote on both bills. Sen. John McCain's "Internet School Filtering Act" (S. 1619) would require schools and libraries receiving federal Internet subsidies to install filtering software designed to prevent children from accessing "inappropriate" material. Sen. Dan Coats' bill (S. 1482) would criminalize the "commercial" distribution on websites of material that is "harmful to minors." The Coats bill, in adopting a criminalization approach to online content, is similar to the Communications Decency Act (CDA) struck down last year by the Supreme Court. The bill, which has been dubbed "CDA II," could come to the Senate floor as early as this week. "One year ago, the Supreme Court unanimously ruled that the Communications Decency Act of 1996, which made it a crime to transmit 'indecent' materials on the Internet, violated the First Amendment," the coalition letter states. "The two pending bills ignore the central holding of the Court; expression on the Internet is entitled to the highest degree of First Amendment protection. "We share the concern of Sens. McCain and Coats that the Internet remain a safe and rewarding medium for young people," the letter continues. "However, we strongly believe that these bills embrace approaches --filtering and criminalization -- that are both constitutionally suspect and ultimately ineffective in providing our children with positive online experiences." EPIC is supporting an online campaign to raise Congressional awareness of the implications of these Internet censorship bills. Faxes can be sent --free of charge -- to your Senators by visiting the EPIC Free Speech Action page: http://www.epic.org/free_speech/action/ If you sent faxes to the Senate earlier, you helped keep these bills off the floor. Please reiterate your concerns once again and let your Senators know that these measures remain controversial. The text of the coalition letter to the Senate is available at the Internet Free Expression Alliance website: http://www.ifea.net/joint_ltr_7_14.html ------------------------------ Date: Sun, 26 Jul 1998 11:52:05 -0500 From: jthomas@SUN.SOCI.NIU.EDU(Jim Thomas) Subject: File 2--Joint Letter to USSentate IN RE S-1619 and S-1482 INTERNET FREE EXPRESSION ALLIANCE INTERNET FREE EXPRESSION ALLIANCE JOINT LETTER TO THE UNITED STATES SENATE July 14, 1998 Re: S. 1619 and S. 1482 Dear Senator: We are writing on behalf of the undersigned organizations to express our concerns about two bills that would restrict free expression on the Internet -- S. 1619 and S. 1482. We understand that both of these bills may soon be considered by the Senate. One year ago, the Supreme Court unanimously ruled that the Communications Decency Act of 1996, which made it a crime to transmit "indecent" materials on the Internet, violated the First Amendment. The two pending bills ignore the central holding of the Court; expression on the Internet is entitled to the highest degree of First Amendment protection. The Internet School Filtering Act (S. 1619), sponsored by Senator McCain, would require that all public libraries and schools that receive federal funds for Internet access install blocking software to restrict minors' access to "inappropriate" material. S. 1482, sponsored by Senator Coats, would punish commercial online distributors of material deemed "harmful to minors" with up to six months in jail and a $50,000 fine. We share the concern of Sens. McCain and Coats that the Internet remain a safe and rewarding medium for young people. However, we strongly believe that these bills embrace approaches -- filtering and criminalization -- that are both constitutionally suspect and ultimately ineffective in providing our children with positive online experiences. As such, we urge you to consider a better approach to this issue, one that would encourage the development of "Internet drivers' education" programs of the kind being successfully employed in communities throughout the nation. These programs may effectively supplement policies that limit Internet use to educational and curricular purposes. Individual school districts that find them useful currently are free to adopt such educational use policies, even without specific legislation. We urge you to consider this alternative approach because we believe that parents and teachers -- not the federal government -- should provide our children with guidance about accessing information on the Internet. Clumsy and ineffective blocking programs are "quick fix" solutions to parental concerns that provide a false sense of security that minors will be protected from all material that parents may find inappropriate. At the same time, filtering software restricts access to valuable, constitutionally protected online speech about topics ranging from safe sex, AIDS, gay and lesbian issues, news articles, and women's rights. Religious groups such as the Society of Friends and the Glide United Methodist Church have been blocked by these imperfect censorship tools, as have policy groups like the American Family Association. This type of arbitrary censorship is a blatant violation of the First Amendment. S. 1482 should be rejected because it contains many of the unconstitutional provisions of the Communications Decency Act that were unanimously overturned by the Supreme Court in Reno v. ACLU. Like the CDA, S. 1482 would have the effect of criminalizing protected speech among adults. Whatever governmental interest may exist to protect children from harmful materials, that interest does not justify the broad suppression of adult speech. While the bill is ostensibly aimed at "commercial" web sites, that term is so broad that it covers anything from an on-line book seller like Amazon.com to a non-profit website that sells books or T-shirts. The age verification affirmative defense of S. 1482 -- which precisely duplicates the CDA's defense -- ignores the finding in Reno v. ACLU that there simply is no way to verify age on the Internet. As the Supreme Court noted, the vast majority of websites are not financially or technically capable of requiring a credit card or other form of identification to verify the age of users. The government may not mandate the application of a legal standard to the Internet -- whether it be "indecency" or speech that is "harmful to minors" -- that requires speakers to distinguish between adults and minors when such a distinction cannot be made. Finally, S. 1482 will not be effective in keeping from minors material that might be inappropriate for them. No criminal provision will be more effective than efforts to educate parents and minors about Internet safety and how to properly use online resources. Moreover, the Internet is a global medium. Despite all the enforcement efforts that might be made, a national censorship law cannot protect children from online content they will always be able to access from foreign sources. For the foregoing reasons we urge you to oppose S. 1619 and S. 1482 and any other efforts to dilute the potential of this powerful medium. We hope you will agree with our view that an educational approach, as opposed to filtering requirements and new criminal laws, is the best way to address the issue of how our children use the Internet. Sincerely, Christopher Finan President American Booksellers Foundation for Free Expression Laura W. Murphy Washington Office Director American Civil Liberties Union Aki Namioka President Computer Professionals for Social Responsibility Barry Steinhardt President Electronic Frontier Foundation David L. Sobel General Counsel Electronic Privacy Information Center Joan M. Garry Executive Director Gay & Lesbian Alliance Against Defamation Nina Crowley Director Massachusetts Music Industry Coalition David Greene Program Director National Campaign for Freedom of Expression Joan Bertin Executive Director National Coalition Against Censorship Audrie Krause Executive Director NetAction Bennett Haselton Co-ordinator Peacefire Diana Ayton-Shenker Director, Freedom-to-Write PEN American Center Carole Shields President People For the American Way ------------------------------ Date: Wed, 22 Jul 1998 15:34:53 -0700 (PDT) From: Mike Godwin Subject--[correction] EFF's Barry Steinhardt on Senate's Internet Date--Wed, 22 Jul 1998 15:45:42 -0500 From--Daniel Weitzner Subject: File 3--Followup to Rutstein review Boy, did *this* ever open a can of worms! I cannot recall any review that has generated this much response, this fast. Sorry to those who did not get a personal response, and thanks to the majority of you for your kind words about the reviews, but there were just too many of you, mostly asking the same question. Almost all of you wanted to know of an NT security book that I could recommend. Well, I am sorry to disappoint you, but *I'd* like to know of an NT security book that I could recommend. I haven't found one yet. (For those incipient authors who are experts in the field, and have about a year to give to the task, there is an apparent market niche.) The reason for this lack may lie in a number of areas. As one correspondent implied, many think that "NT security" is an oxymoron. I note that while there are a variety of NT security resources out there, and there have been a few attempts to start one, there is no really good NT security FAQ available yet. There are a number of sites with exploit information, and there is one vendor that tries to sell you an NT security file, but the closest I've seen to a good FAQ was a recent "top ten" list of things to do to make NT marginally more secure than it is when it ships. I suspect that part of the problem lies in the design of NT itself, which does not make security provisions straightforward to implement, but it may also be simply bad luck in the selection of authors who have attempted to address the issue so far. Of the number of NT security books I've reviewed to date, I still haven't found a definitely good one, let alone anything to the standard of Spafford and Garfinkel. Just to reiterate, here are the titles I've reviewed so far:

"PCWeek Microsoft Windows NT Security", Nevin Lambert/Manish Patel, 1997, 1-56276-457-8, U$39.99/C$56.95/UK#36.99 - good introductory or non-specialist guide, but there are holes

"Windows NT Security Guide", Stephen A. Sutton, 1997, 0-201-41969-6, U$29.95/C$41.00 - too vague for users, lacking detail for administrators

"Windows NT Security", Charles B. Rutstein, 1997, 0-07-057833-8, U$34.95 - reasonable range, but has gaps and lacks analysis Normally, if I were recommending texts on security in the UNIX field, I would also include works on system administration. However, in the NT arena, while some admin authors have tried to cover the topic it is just too big to handle as a subsection of a larger work. ====================== rslade@sprint.ca rslade@vcn.bc.ca robertslade@usa.net "If you do buy a computer, don't turn it on." - Richards' 2nd Law "Robert Slade's Guide to Computer Viruses" 0-387-94663-2 800-SPRINGER ------------------------------ Date: Fri, 24 Jul 1998 09:32:58 -0400 From: David LeBlanc Subject: File 4--Re: [Secure-NT] Followup to Rutstein review At 01:19 PM 7/23/98 -0800, Rob Slade wrote: >Almost all of you wanted to know of an NT >security book that I could recommend. >Well, I am sorry to disappoint you, but *I'd* like to know of an NT security >book that I could recommend. I haven't found one yet. I have to differ. I've found the reviews you've done of both Rutstein and Sutton's books to be hypercritical. Both of those books are resources that I find valuable. I personally recommend both of them, as well as Mark Edward's book. If I were to give someone an NT security reading list, I'd start with those three, add the NT Resource Kit, and the help system to ISS' Internet Scanner for Windows NT. As someone who lives and breathes NT security (and has for about 4 years), and who has been approached to write a book on the topic, I'd like to think I'm familiar with this area and would be a decent judge of the existing material. I'd also note that Jim Kelly (architect of NT's security subsystem, and author of the security reference monitor) had some very good words to say about Rutstein's book. I know Jim and have a lot of respect for him and his opinion. >The reason for this lack may lie in a number of areas. As one correspondent >implied, many think that "NT security" is an oxymoron. Nice joke, but any professional in the field understands that perfect security cannot be obtained. We've got a difficult job to do trying to secure networks, and there are significant challenges securing _any_ operating system. >I note that while there >are a variety of NT security resources out there, and there have been a few >attempts to start one, there is no really good NT security FAQ available yet. You may be missing Robert Malgrem's FAQ. Sutton's NSA paper isn't a FAQ, but is the clearest, most comprehensive and up-to-date information available on what to secure and how to secure it. I can find very, very few things I feel he's left out and little I can argue with. >There are a number of sites with exploit information, and there is one vendor >that tries to sell you an NT security file, but the closest I've seen to a good >FAQ was a recent "top ten" list of things to do to make NT marginally more >secure than it is when it ships. Then you should read Sutton's paper. It could be that you're not aware of all the resources. >Of the number of NT security books I've reviewed to date, I still >haven't found a definitely good one, let alone anything to the standard of >Spafford and Garfinkel. Let's not lose sight of another fact - Spafford and Garfinkel was first published in 1991. That is nearly 25 years after UNIX was invented. I would certainly hope that we will accumulate a well-defined body of knowledge on NT security in the next 20 years. A comparison of a book based on 3-4 years of experience to a book based on over 25 years (current edition) is going to be flawed - you're talking apples and oranges. ------------------------------ Date: Wed, 22 Jul 1998 13:31:03 -0700 (PDT) From: David Batterson Subject: File 5--Microsoft, Netscape, & Diversity Browser-Enemies Microsoft and Netscape Are Kindred Spirits Regarding Employee Diversity by David Batterson There are gay-friendly computer companies, and those that only pretend to be. Let's separate the wheat from the chaff. If a company isn't gay-friendly with its employees, do you want to buy from them? A few of the many gay-friendly computer corporations (A-Z) are Adobe Systems, Aldus, Apple Computer, AOL, Dell, Egghead, IBM, Gateway, Lucent Technologies, NEC America, Oracle, Qualcomm, Seagate Technology, Texas Instruments, US Robotics (now part of 3COM), Xerox and Ziff-Davis. Two companies are currently fighting a fierce browser-battle that makes the Bette Davis v. Joan Crawford spats look like ballroom dancing. While many favor Netscape's browser, that's not the issue today. What the focus is: are these companies a great place for those in the GLBT community to work? The answer in both case is: definitely. Both offer domestic partnership benefits, natch, and much more. Microsoft has a huge commitment to diversity, and also devotes a large Web section to it: www.microsoft.com/diversity/default.htm. Microsoft currently offers two interactive diversity training programs. The "Diversity Awareness" program is an introduction to diversity. The program "focuses on reducing the image and influence of stereotypes, identify elements that make each participant a diverse person, and share communication strategies that help participants in a diverse environment." The company also has a variety of internal initiatives, including an intranet site (internal to Microsoft employees only) called "DiversityNet" where employees can find information vital to the company's diversity efforts. If you have any questions/comments about diversity at Microsoft or their Diversity Web site, e-mail them at: diverse@microsoft.com. GLBT job candidates are encouraged to submit resumes directly to: Jobseek@microsoft.com. While Netscape's diversity section in their corporate Web site is not as elaborate as Microsoft's, it shows their true colors. Surf to: home.netscape.com/comprod/about_netscape/hr/diversity/index.html. Or just go to their main Web site, and search under "Jobs." Netscape's diversity statement says: "Netscape is committed to hiring the brightest and the best, and we execute this philosophy without regard to race, color, creed, religion, national origin, sexual orientation (perceived or otherwise), age, sex, or disability." It goes on: "Diversity in our work environment is not simply something Netscape values, we strive for it. Project DIVA (Diversity Involves Valuing All) is a four-step process conceived to actively pursue the goal of cultural diversity within the company." Netscape also has a program that works with university programs and community organizations to increase the diversity of their applicant pool. E-mail them for more info: diversity@netscape.com. So there you have it. In the diversity competition between Microsoft and Netscape, you'd have to call it a draw (and that's good for us). If you work for either company (or know those who do), your feedback is welcomed. ------------ Send comments to davidbat@yahoo.com. Copyright 1998, All Rights Reserved. May not be reprinted without permission. ------------ David Batterson has written for gay papers (B.A.R., Just Out, Bay Windows, The Texas Triangle, The Weekly News), as well as regional and national computer publications. ------------------------------ Date: Fri, 24 Jul 1998 18:47:33 -0700 (PDT) From: editor@cultdeadcow.com Subject: File 6--cDc releases BACK ORIFICE for MS Windows RUNNING A MICROSOFT OPERATING SYSTEM ON A NETWORK? OUR CONDOLENCES. [July 21, San Francisco] The CULT OF THE DEAD COW (cDc) will release Back Orifice, a remote MS Windows Administration tool at Defcon VI in Las Vegas (www.defcon.org) on August 1. Programmed by Sir Dystic [cDc], Back Orifice is a self-contained, self-installing utility which allows the user to control and monitor computers running the Windows operating system over a network. Sir Dystic sounded like an overworked sysadmin when he said, "The two main legitimate purposes for BO are, remote tech support aid and employee monitoring and administering [of a Windows network]." Back Orifice is going to be made available to anyone who takes the time to download it. So what does that mean for anyone who's bought into Microsoft's Swiss cheese approach to security? Plenty according to Mike Bloom, Chief Technical Officer for Gomi Media in Toronto. "The current path of learning I see around me is to learn what you have to to cover your ass, go home and watch Jerry. Microsoft has capitalized on this at the cost of production value which translates down to security. A move like releasing [Back Orifice] means that the lowest common denominator of user will have to come to understand the threat, and that it is not from [Sir Dystic] writing an app that [potentially] turns Win32 security on its ear, but that Microsoft has leveraged itself into a position where anyone who wants to can download an app [or write their own!] and learn a few tricks and make serious shit happen." None of this is lost on Microsoft. But then again, they don't care. Security is way down on their list of priorities according to security expert Russ Cooper of NT BUGTRAQ (www.ntbugtraq.com). "Microsoft doesn't care about security because I don't believe they think it affects their profit. And honestly, it probably doesn't." Nice. But regardless of which side of the firewall you sit on, you can't afford not to have a copy of Back Orifice. Here are the specs: Back Orifice (BO) allows the user to remotely control almost all parts of the operating system, including: File system Registry System Passwords Network Processes * BO contains extensive multimedia control, allowing images to be captured from the server machine's screen, or from any video input device attached to the machine. * BO has an integrated HTTP server, allowing uploads and downloads of files to and from a machine on any port using any http client. * BO has an integrated packet sniffer, allowing easy monitoring of network traffic. * BO has an integrated keyboard monitor, allowing the easy logging of keystrokes to a log file. * BO allows connection redirection, allowing connections to be bounced off a machine to any other machine on the Internet. * BO allows application redirection, allowing text based applications running on the server machine to be controlled via a simple telnet session. Even open a remote shell. * BO has a simple plugin interface, allowing additional modules to be written by third parties, and executed in Back Orifice's hidden system process. * BO is EASY TO INSTALL! Simply run the server, and it installs itself, and removes the executable it was originally run from, or it can be attached to any other Windows executable, which will run normally after installing the Back Orifice server. * BO is TRANSPARENT! Back Orifice does not show up in the task list, or even the Close Programs dialog, it is automatically restarted each time the computer boots, and does not affect the operation of any other applications. * BO is CONFIGURABLE! The filename that Back Orifice installs itself as, the port Back Orifice communicates on, and the encryption key are all configurable before the server is installed. * BO is ENCRYPTED! Communication packets used by Back Orifice are encrypted with a user definable key, so only the intended client can control the server. * BO is FREE! All the functionality mentioned above AND MORE is available in the 120k server, along with an easy to use text based or GUI client, Back Orifice comes with everything you need to distribute and control any number of machines. * BO is GROWING! New features, increased efficiency, new plugins, and more support are being added to Back Orifice every day. After August 3, Back Orifice will be available from www.cultdeadcow.com free of charge. For further details or lucrative film offers, please contact: The Deth Vegetable Minister of Propaganda CULT OF THE DEAD COW veggie@cultdeadcow.com ............................................................................ The CULT OF THE DEAD COW (cDc) is the most influential group of hackers in the world. Formed in 1984, the cDc has done everything from publish the longest running e-zine on the Internet to diddling military networks around the globe. We could go on, but who's got the time. Journalists can check out the Medialist link on our Web site for more background information. Cheerio. "cDc. It's alla'bout style, jackass." ------------------------------ Date: Thu, 25 Apr 1998 22:51:01 CST From: CuD Moderators Subject: File 7--Cu Digest Header Info (unchanged since 25 Apr, 1998) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send post with this in the "Subject:: line: SUBSCRIBE CU-DIGEST Send the message to: cu-digest-request@weber.ucsd.edu DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS. The editors may be contacted by voice (815-753-6436), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. To UNSUB, send a one-line message: UNSUB CU-DIGEST Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU (NOTE: The address you unsub must correspond to your From: line) CuD is readily accessible from the Net: UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD Web-accessible from: http://www.etext.org/CuD/CuD/ ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/ wuarchive.wustl.edu in /doc/EFF/Publications/CuD/ EUROPE: nic.funet.fi in pub/doc/CuD/CuD/ (Finland) ftp.warwick.ac.uk in pub/cud/ (United Kingdom) The most recent issues of CuD can be obtained from the Cu Digest WWW site at: URL: http://www.soci.niu.edu/~cudigest/ COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ------------------------------ End of Computer Underground Digest #10.41 ************************************