At 03:38 PM 05/09/2001 -0400, Faustine forwarded Kevin Poulsen's 9 May 01 
article:
>...
>BIND hole
>In May, 1998, the Internet was reeling from a devastating vulnerability
>discovered in a ubiquitous piece of software called the BIND "named" domain
>server. Formally known as the iquery BIND Buffer Overflow vulnerability, the
>hole had been publicly announced by Carnegie Mellon's Computer Emergency Response
>Team (CERT) a month earlier, and a software patch to fix it was available for
>download. But according to an FBI affidavit, the hole was still in place on Air
>Force systems, nuclear laboratories, the U.S. Departments of Commerce,
>Transportation and the Interior, as well as the National Institute of Health.
>
>Near the end of May, the hacker group ADM raised the stakes by publishing a
>computer program capable of spreading through vulnerable systems automatically.
>It was concern over the damage the worm could wreak on an unprepared Internet
>that spurred Butler to his fateful course. "Mr. Butler modified the worm
>program to download and install the official software patch that repaired the
>BIND/named vulnerability from the software vendors' web site," Granick's motion
>reads. "Mr. Butler used his modified worm to automatically get root access on
>machines through the named vulnerability and fix the named hole."
>
>It could have been an unsullied act of mass guerilla patching -- a relatively
>harmless hack that would have left the Internet a little more secure, while
>dappling only a few spots of gray on Butler's white hat.
>
>But Butler's worm also installed back doors on every system it patched, and
>reported their location back to Butler, giving him a way into the machines even
>as he locked out other hackers. That feature simultaneously made the crime
>harder to defend, and easier to solve.
>
>"The Air Force was the first to realize what was going on; a lot of bases were
>being hit, a lot of flags were going up," says Eric Smith in an interview.

         "All your base are belong to me".....

         Not only are viruses a bad mechanism for getting people to
         install software you want them to install (after all,
         sometimes you really *do* know what's best for them
         better than they do), and prone to breaking things
         when the systems they infect don't quite match the
         assumptions the virus writer wrote, but
         here's yet another reminder that you shouldn't let people
         install them on your machines even if they don't
         realize that the viruses they're installing may have
         extra features added.

>Ratting on DEFCON attendees
>Butler's new mission: Attend the DEFCON hacker convention at the Plaza Hotel
>and Casino in Las Vegas -- the largest annual gathering of security experts,
>hackers and cybercops in the world. "There, he was to collect PGP encryption
>keys from conference attendees and try to match people's real names with their
>hacker identities and with the keys," reads the motion.

         Also a reminder that if you're using multiple identities and
         don't want them leaked, be real careful about not mixing your
         digital signature keys, and don't leave PGP secret keyrings in
         unencrypted partitions on your disk (the keys themselves are
         encrypted in the keyfiles, but the user names aren't.)

         Out of curiosity, do most Defcon attendees pay for their rooms
         using credit cards with True Names on them?  Or cash?
         Hotels generally don't like cash, though a number of the
         attendees are young enough that they may not have credit cards.
         Any guesses whether the Feds subpoena or otherwise obtain
         the hotel reservation records?  It'd be a real interesting place
         to match up videotapes of guests registering with
         videotapes of other activities.  On the other hand,
         the Alexis Park isn't a casino (I don't even remember slot machines there),
         so it may be much less rabidly camerafied than most of Vegas.
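
The remark above that a PGP secret keyring encrypts the keys but not the user names can be checked by walking the OpenPGP packet headers; this is an added example, not part of the original message or the quoted article, and it returns every User ID packet without asking for a passphrase. The keyring bytes are constructed sample data, and `iter_packets`, `exposed_user_ids` and `_packet` are names chosen here.

```python
def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet in a binary keyring (RFC 4880, 4.2)."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag = hdr & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:                  # one-octet length
                length = first
            elif first < 224:                # two-octet length
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:               # four-octet length follows
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old-format header
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                length = len(data) - pos     # indeterminate: runs to end of data
            else:
                size = 1 << ltype            # 1, 2 or 4 length octets
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def exposed_user_ids(keyring):
    """Return user IDs (packet tag 13) readable with no passphrase at all."""
    return [b.decode("utf-8", "replace") for t, b in iter_packets(keyring) if t == 13]

# Constructed sample data: an opaque stand-in for an encrypted secret-key packet
# (tag 5) followed by two user IDs, one per header format.
def _packet(tag, body, new_format=False):
    first = (0xC0 | tag) if new_format else (0x80 | (tag << 2))
    return bytes([first, len(body)]) + body  # one-octet length, body < 192 bytes

SAMPLE_KEYRING = (_packet(5, b"\x04" + bytes(40))
                  + _packet(13, b"Alice Example <alice@example.org>")
                  + _packet(13, b"nym-0x41 <nym@example.net>", new_format=True))
```

Both identities come back from the file as stored, which is why the keyring belongs on an encrypted partition and why keys for separate identities should not share a keyring.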
