* via http://theMezz.com/lists

* subscribe at http://techPolice.com


w00w00's Instant Message: Listen Up, AOL
By Don Oldenburg,
Washington Post Staff Writer
Saturday, January 5, 2002; 10:09 AM

By Wednesday morning, Matthew Conover had impatiently waited a week. All he wanted was 
word one from America Online, acknowledging the two e-mailed warnings he'd sent them.

Any indication would do. He just needed to know that the world's largest Internet 
service provider was working on the security hole he uncovered in its Instant 
Messenger feature, so millions of AOL users worldwide would be protected from getting 
hacked big-time.

But nothing came. No phone call. No e-mail. A thank-you note might have been nice. So 
Conover did what he said he'd do: He "code-redded" AOL, went public. Somehow he 
figured it would come to that.

What he hadn't figured on was the explosion of national media attention an AOL 
security flap would spark  from the New York Times to Associated Press to NBC's 
"Today" show. When Conover answered his telephone Thursday morning, his voice sounded 
as flat as a no-trespassing sign. No "Hello," just "Yeah?" He was weary of attention. 
In 24 hours Conover's status had escalated from a virtual nobody to a techie hero, or 
rogue, depending on your perspective. Some folks hailed him; some lambasted him 
because he revealed part of the code that could be used to hack.

"I wasn't expecting this much commotion," says the 19-year-old from his apartment near 
Utah State University, where he's a computer science undergrad. "What we're happy 
about is that AOL has responded. The problem's getting fixed. But this has gotten more 
attention than I wanted."

The header on the message Conover sent to two online computer security discussion 
lists to reveal AOL's glitch was simple: "w00w00 on AOL Instant Messenger (serious 
vulnerability)."

Other than the peculiar "w00w00" part, it didn't seem remarkably different from a 
dozen or so other technical analyses of security breaches, viruses and difficulties 
posted by others this week or any other week.

But what's w00w00? It's a network of more than 30 computer security hotshots spanning 
nine countries and 14 states that Conover calls "the world's largest nonprofit 
security team." They operate uninvited and sometimes unwelcome. Conover founded w00w00 
Security Development three years ago  when he was in high school. It was sort of a 
weird science project.

The name is pronounced "woo-woo," but spelled with zeroes instead of O's. Conover 
thought it was a "completely humorous" name; at the time, "woowoo" was a buzzword in 
computerdom used for effect in e-mails and speech. "We kind of latched onto that," he 
says.

The w00w00 Web site (www.w00w00.org) has an audio clip of a comedian doing shtick on 
the woo word, saying it's the only true universal word. No matter where you go in the 
world, goes the punch line, you will find someone drunk and shouting, "Woo woo woo!"

Conover usually shortcuts the name to just w00. He says the unusual group of highly 
skilled security sleuths is "nonprofit" only unofficially. Members volunteer their 
expertise and hours to battle bugs on computers and on the Internet. Many of them  
including Conover  work full- or part-time day jobs as professional security 
brainiacs for corporations or as consultants or academic researchers. That's where 
they met one another and where they get new members  referral is the only way new 
members can join.

"People don't officially take any vows and there are no obligations to the group," 
says Conover. "It is something we do for fun. It is a passion."

Conover uses his name openly representing w00, but some members keep their affiliation 
secret, and others go by pseudonyms. Most members share similar philosophies and 
ideologies about the cyberworld  and stay tightknit by routinely communicating online 
in real time.

On the group's Web site are photographs of w00 meetings and social outings. Members 
appear to be mostly younger, postgrad-looking people, some beer-bellied, some 
tongue-studded and ponytailed, a few older, sneaker-wearing. Presumably some are drunk 
and shouting, "Woo woo."

"Best of all, we're all friends, talk about everything from crypto to reverse 
engineering and general software development, and get together offline all the time 
for meetings, beers, partying," Jordan Ritter, 24, says of the core w00 community, 
based mostly in San Francisco and Silicon Valley in the West and Boston and New York 
in the East. Ritter, a third-year w00 who was one of the developers of Napster and is 
starting an anti-spam technology company in San Francisco, says he and Conover got 
together recently to catch "The Lord of the Rings."

Is the group a Cyber Robin Hood and his Merry w00s? Ritter doesn't buy the renegade 
do-gooder image  he defines the network as "a tightknit group of security 
professionals of all types that trust each other implicitly." Neither does Conover, 
who maintains that w00 is "more of an academic research-type group, and I don't know 
if there is an interesting way to put that."

What Conover doesn't appreciate are perceptions outside the security industry that w00 
members are a band of computer geeks or  worse  hackers. "We're all geeks in our own 
right," he says. "But at the same time, you would probably never guess I'm in computer 
security by looking at me. I look like your typical college student."

Hackers? "In all senses of the word, we differ from hackers," he says. For one, w00 
members are careful to keep their research legal. "Aside from the interest in 
security, we're on opposite ends of the spectrum. We're trying to prevent hackers."

Their evidence: Over three years, w00 has released 10 advisories on faulty programs. 
Its first: a little-known problem called a "heap overflow" that showed up in a variety 
of consumer software. Its most notable: a buffer overload in Norton AntiVirus 2000 
software.

But nothing has raised the eyebrows like the AOL hole, what Conover and his computer 
cronies found buried in the binary bowels of the Instant Messenger feature. As they 
explained in their advisory Wednesday, this is a security flaw big enough to drive a 
Mack truck through, certainly big enough that malicious hackers could gain remote 
command over the computer of any AOL user who uses Instant Messaging.

But critics protested that because w00 added to the advisory partial "exploit codes"  
which if fully developed would take advantage of the glitch  they armed hackers with 
tools to break systems.

Elias Levy, chief technology officer of SecurityFocus, the company that runs the 
BugTraq mailing list where Conover posted the advisory, calls it "good work, 
certainly," but thinks publishing the code wasn't necessary.

"Breaking software is a lot easier than writing good software," he adds. "Not to 
minimize the research that people like Matthew do, but a hacker only needs to find a 
single hole in the armor whereas the software writer needs to close every hole."

Russ Cooper, public liaison on Internet security issues at the computer security 
company TruSecure, agrees with Levy: "Why I say they were irresponsible is because 
they released the functional exploit code."

Conover says the exploit code he included was not fully functional  it could shut 
down the Instant Messenger and no more. He says he included it to prove w00's claim 
that AOL's program could be breached.

He says that if AOL had only acknowledged his e-mails and looked into the issue, "we 
wouldn't have released the code at all." But AOL didn't and still hasn't, he says. "I 
guess they're pretty busy."

Enter AOL spokesman Andrew Weinstein.

"We encourage anyone who finds a potential issue to let us know," he says. "But it is 
in the best interest of users and all concerned to give companies an adequate amount 
of time to evaluate and hopefully address an issue before making it public."

What about w00w00's two e-mails to AOL? Weinstein has no clue. But there are other 
ways besides AOL's online front door to reach AOL security execs, he says. "We work 
very closely with most of the larger security organizations in the industry. If 
someone feels they discovered a potential security flaw, those organizations would be 
able to put them in contact with someone at AOL."

Conover wonders how hard is it to be more accessible? He sees AOL's attitude coming at 
the expense of the public. "We're fighting to keep the end user informed," he says. 
"We're going to continue to publish advisories like this. But hopefully we will avoid 
getting into too controversial a topic next time."

 2002 The Washington Post Company

============================================================
$8.95 Domain Name Registrations & Transfers! Go Daddy
Software -- Cool Name. Hot Prices. Transfer your existing
domain name for just $8.95 and SAVE! Get yours today at
godaddy.com!
http://click.topica.com/caaafisb1dhr0b2EDp2f/GoDaddy
============================================================

--via http://techPolice.com
archive: http://theMezz.com/cybercrime/archive
subscribe: [EMAIL PROTECTED]
--via http://theMezz.com

==^================================================================
This email was sent to: archive@jab.org

EASY UNSUBSCRIBE click here: http://topica.com/u/?b1dhr0.b2EDp2
Or send an email to: [EMAIL PROTECTED]

T O P I C A -- Register now to manage your mail!
http://www.topica.com/partner/tag02/register
==^================================================================

Reply via email to