CHE-West bulletin 99-3, May '99
Number 99-3, 26 May 1999: the May issue

1. Introduction

Just a few more days and there will be another CHE-West meeting. Attendance is dropping off somewhat, so an extra (e-)mailing can do no harm. A great deal has happened since the last Bulletin:

- Melissa broke loose; it infected the mailing lists of Outlook etc., and many people received a nasty attachment with their mail, with all the misery that goes with it (see below). Unfortunately Melissa (and its successor PAPA) was not a HOAX but real.
- Windows NT 5 has meanwhile become "2000" and has been pushed past the Millennium. We will just wait and see. In the meantime a real or beta "2000" version of every package is coming out, which of course puts all previous ones in the shade...
- The USB port, already present on much PC hardware and now pushed via the iMac, continues its advance, and since 1 January there have been many devices and converters on the market for connecting "everything to everything". Because the Mac and PC have only 2 USB ports, a hub is soon needed and it becomes a tangle of wires and cables all over again. It seems that will remain our small sorrow. Just like the piles in my study at home, which spread to the living room, etc.
- So the Mac now has a polycarbonate "G3 blue" exterior, and no more SCSI or serial ports, only USB and FireWire. The bus is now 100 MHz as well, and the upgrade cards go up to 466 MHz, which is comparable (graphically) to a 550 MHz Pentium.
- Their operating system has reached version 8.6 and shows the first traits of Copland, aborted 2 years ago, and already makes us long for version MacOS X (ten).
- There is more and more variety among printers and scanners, although even a child understands that a good old black-and-white laser printer with toner is actually the cheapest. Refilling inkjet cartridges sometimes works and sometimes does not. Who knows the ins and outs of this and will report their experiences in the Bulletin? By the way ... where are the writings of all our CHE-West scribes? Or is reading from the Internet so pleasant that nothing is written any more, only sponged, downloaded and scanned? (I am regularly guilty of the last myself ...)
- CHE-West was present again at the HCC Rotterdam day / Communication day, and there was a great deal to explain about Macs, iMacs and Mac-PC connections. Perhaps a few members from the Rotterdam area will join.
- The refined sales techniques of JanK and the undersigned at Primafoon Delft have led to a significant increase in iMac sales there. As "PTT employees" we naturally cannot give figures, but it will show in the company's annual results at the end of 1999! We declined an invitation to demonstrate at household fairs and street markets as well....
- After 3 years my own hardware has been extended with a 4 GB hard disk, and I am doing my utmost to fill it with scanned slides. One more evening at 4000 x 2800 in millions of colours, and that one will be full too.

Finally, I announce that on 28 May in Schipluiden a combined drinks party etc. will be held by Pim, George and me. The ages of those celebrating their birthdays are being kept strictly secret to prevent the excursion committee from becoming "over-manned". Come one and all and take part in the discussions, the demonstrations and the treat this coming Friday.

For information I am adding some scanned articles about "Melissa" and the "watchers". The last meeting before the summer break is on Friday 25 June.
2. The Melissa Virus

A sneaky e-mail virus invades thousands of computers, leading to a worldwide cyberhunt and a quick arrest
BY: STEVEN LEVY, Newsweek

MELISSA WAS FAST ... Melissa was sneaky. And, boy, did Melissa ever get around. "This was the fastest that we've ever seen a computer virus spread," says Jeff Carpenter of the federally funded Computer Emergency Response Team (CERT). Just as swift was the manhunt for its creator: a one-week rollercoaster Internet intrigue that led to an arrest in New Jersey—and some unresolved questions ...

A Virus That Messes With Your Addresses

On first blush, Melissa looks benign. In your e-mail in-box you get an "important message" from a friend. Open it up and you read: "Here is that document you asked for ... don't show anyone else ;-)." There is a Microsoft Word file icon. Click on it and you see a list of passwords for pornography sites on the World Wide Web. While you ponder that, Melissa is secretly exploiting a Word feature that works with another Microsoft program, Outlook, which handles e-mail: it grabs the first 50 names in your address book and mails them the virus ...

The innocent-looking Melissa virus, sent through e-mail, invaded thousands of corporate and personal computers. Unlike viruses that destroy files or steal personal info, Melissa's effects were relatively benign: some e-mail systems were overloaded and crashed, others were temporarily shut down to avoid the problem. Here's how Melissa spread:

o Getting sick: Melissa's victims found this e-mail (right) in their in-box. (The virus was unleashed only if a user opened the attached document, list.doc.)

It fooled recipients, even the virus-savvy, since it seemed to come from someone they knew!! No wonder Melissa, born on Friday, March 26, was known as a digital "Typhoid Mary" before the weekend was out ...

On Saturday, CERT reports, one 500-employee advertising firm got 32,000 messages in three quarters of an hour. The list of unexpected recipients of Melissa-mail included Boeing, Lockheed Martin and the U.S. Marines. CERT reported that at least 300 organizations and 100,000 machines were affected. But even those hit hardest by the scourge suffered only some e-mail downtime as administrators scrubbed the systems. As Nachie Marquez, a manager for the city of Tempe, Ariz., learned, the worst aftereffect of getting 'Lissaed was profound embarrassment as dozens of her correspondents received a Cliffs Notes of sex sites and a silicon social disease.

By midweek, several antivirus companies had fixes in wide distribution. Even without those aids, anyone could be inoculated by simply not opening the document or, better yet, turning off the function in Word that can automate e-mail. When the bits cleared, it looked as if Melissa had left the world ruffled but unharmed. The raft of copycat variations (the Papa virus, the Mad Cow virus) were also easily thwarted.
Not so the recriminations. Some people blamed Microsoft: if we weren't slaves to Bill Gates's applications, they griped, such attacks couldn't proliferate. Microsoft's John Dunkin, of course, disagrees. "Word and Outlook are popular products," he says, "and so that is why they are targets." The bigger complaints were directed at the pesky, punky community that condones the spread of viruses—and "scripts" new ones. "I love it to write such code ... to see them survive in the wild is kind of nice I also!" writes "Spooky," a 17-year-old scriptor and founder of the Codebreakers virus crew.

Here's where the story got really interesting. Not since the Internet Worm of 1988 has a virus writer been pursued with such fury. First in the game were the antivirus companies; one of them quickly traced the original seed to a message posted in the alt.sex Internet discussion group. It was posted by "SkyRoket," an America Online account—without, it turned out, the knowledge of the account's owner, Scott Steinmetz, a Lynwood, Wash., engineer, who was stunned to learn his AOL account had been taken for a joyride by a virus-planting pirate.

One of the canniest hunters was Richard Smith, head of PharLap Software. He had recently been in the news as the discoverer of a controversial Microsoft feature called a GUID: essentially a digital fingerprint assigned to every computer, embedded in all the work a machine produces. Smith got a copy of the Melissa code, found the GUID number and posted it on the Net. A Swedish researcher tipped him off to the work of "VicodinES." The fingerprint on Vicodin's work was a match for Melissa. Smith also used another obscure Microsoft feature, the revision log, which can reveal the name of the person modifying a file. Along with some wacky monikers ("Dr. Diet Mountain Dew") he found two authentic-sounding names, one of which was David L. Smith. On Monday he passed these to the FBI.

Later in the week the researcher, along with Rishi Khan, a 19-year-old University of Delaware undergrad, figured out that the Melissa author started off with Shiver, the handiwork of a scriptor known as ALT-F11 (proof that virus writers are weirdos: they name themselves after function keys). Melissa's author started with Shiver's list of porn sites, then replaced Shiver's virus code with the newly written Melissa code. This process took less than three minutes. Then, using the SkyRoket AOL account, he placed the virus on the sex newsgroup and waited for the fun to begin. Interestingly, that same account was used to similarly plant Vicodin's viruses in 1997.

Who is VicodinES? A trip through the creepy canyons of the Internet yields a portrait of a cheeky, profane reprobate. A possible aficionado of the narcotic painkiller that provided him an [...] of industrial music who lived in south Florida in the mid-'90s. A gentle teacher of eager young technovandals. Author of "Theory of Better File Virus Distribution," sort of a self-help manual for better infection techniques. A hacker named Guillermito, whose France-based Web site stored the manual, defended Vicodin to NEWSWEEK in an e-mail: "Of all the virus writers I know, Vic was maybe the most humane and mature. He's not the classical teen, wannabe hacker, he's a very curious and sensible guy, and he talked with me about the moral problems of creating viruses and infecting people. You have to mention the fact that none of his viruses was destructive. He never coded something to wipe out personal data."

Law-enforcement officials didn't make much use of Richard Smith's information. Instead, they drew on a gift from America Online, whose tech team had been Melissa-hunting on its own. It apparently traced the invasion of the SkyRoket account to a New Jersey Internet provider. Early in the week an AOL emissary called the FBI and the Garden State attorney general's office. The latter took over the case, perhaps because it is easier to prove state crimes than more stringent federal charges. Jersey cops painstakingly
went through the provider's customer accounts and found "David L. Smith" (a process that might have gone more quickly had they known that the FBI had been given the name earlier!!). Authorities concluded that Smith had planted the virus from his second apartment in a modest Aberdeen Township housing complex.

A search warrant was executed around sundown on Thursday. According to an eyewitness, a dozen or so men entered the apartment with briefcases and cardboard boxes, lowered the blinds and went to work. Several hours later they left with their bulging briefcases and loaded boxes. At 9:10 p.m. they arrested David Smith at his brother's house nearby. He went quietly.

At a press conference Friday, New Jersey authorities said that Smith, who had made bail, faced as much as 40 years in prison and a $480,000 fine. (A state spokesperson also said that the virus may have been named after a topless dancer Smith had fancied in Florida.) They also denied that David Smith was VicodinES, a contention that Richard Smith disputed. To bolster his claim, he circulated the source code of a year-old document on Vicodin's Web site, where the revision log indicates that the creator was David L. Smith.

At the very least a connection exists, but the suspect wasn't talking. A 30-year-old programmer for an AT&T contractor, he had moved back to his native New Jersey County after a bankruptcy in Florida, where, his lawyer said, he had racked up $24,000 in credit-card debt after losing a job at a computer firm. His Internet posts indicate that (like Vicodin) he's interested in music and computer viruses. He seemed, neighbors said, "a normal guy." "What I don't understand is, if you're that smart, why make a virus? Why not break into someone's bank account?" said Edward Stawicki, whose place faces Smith's. "At least that way he'd have some money."

But that's not the scriptor's way. "The more interesting ones are like computer security researchers," Guillermito writes. "On one side they want to help computer users, improving the security of computers by showing the weaknesses. But on the other side, they infect innocent people and make them lose time, sometimes lose data. A sort of paradox that is not easy to deal with." Unless you're the cops. As David L. Smith may learn—and the virus community might well note—they have a solution ready at hand: You've got jail!

With N'Gai CROAL in New York, Brad STONE in San Francisco, Elizabeth ROBERTS in Florida and Jamie RENO in San Diego.
3. Who is Watching Who? "Watch the Watchers"

Purchase a top-of-the-line desktop computer today, and odds are that it will contain Intel's new Pentium III microprocessor. If so, then the first time you boot it, the machine may present you with a puzzling choice. In essence, the beast will say: I have a name—a unique serial number—etched indelibly into my circuitry. By default, I will always keep this name a secret. However, if you check this box here, I will show my ID to programs that ask for it, and some of those programs may, with your permission, pass the number along to Web sites that you visit.

Which option do you choose? Anonymity or a traceable name? Private Web surfing or myriad records scattered around the Internet noting what you—or rather whoever was using your machine—looked at and clicked on? The choice might seem like no choice at all. Even offering it, privacy pressure groups have argued, borders on the criminal.
On-line anonymity is such an obvious and fundamental good, they imply, that there should be no way so convenient and reliable to reveal one's identity. In February watchdog groups launched a boycott of Intel's products to force the company to make computer chips that are once again indistinguishable.

The boycott will almost certainly fail to change Intel's chips, but the brouhaha surrounding it may well succeed in persuading most Pentium III owners to keep their machines unidentifiable. If so, the cause of secrecy and anonymity, so widely accepted on the Net as the best strategy to prevent the misuse of private information by corporations and governments, will advance another step. But before reflexively retreating behind cloak and shadow, it is worth considering where those steps lead and whether there might be a less hazardous way for us to protect ourselves from information abuse.

In his recent book, The Transparent Society (Addison-Wesley, 1998), David Brin points out that attempts to win freedom by evading the eyes of the powerful have usually failed, for two reasons. First, the rich and mighty always have better surveillance technology and more of it. Most Web services already record the Internet addresses of all visitors; many others will tag your machine with a so-called cookie, unless you expressly forbid it, so that they can recognize you when you return. If companies want to share their cookie jars with one another—or if Microsoft decides to attach your Windows serial number to every Web page request your browser sends out—they have the right to try. By hook or by crook, some Web servers will soon be able to make a good guess at who you are even if you have never visited that site before.

Banning chip ID's will not delay this day for long, Brin asserts. "We are talking about an entire class of information—and one of the easiest to conceal," he says. "Identifiers are small, simple and can be embedded in myriad ways—in any piece of software that you buy, for instance. Programmers have for many years put [such undocumented] 'trap doors' in their code." A big secret can render a little one irrelevant.

Hence the second way in which blindness can backfire: easy anonymity raises temptation and provides cover for those who have power to abuse. The same mask that lets you skulk unrecognized through the red-light districts of cyberspace can be worn by some bandit as he uses a bogus storefront to snatch your credit-card number with impunity. If executives at the tobacco companies had communicated via encrypted messages sent through anonymizing mail servers instead of by signed memoranda, would their deceit ever have been exposed?

Accountability and privacy are both relatively new inventions; villagers three centuries ago knew little of either. But of the two, accountability is much more precious, and it is hard to enforce when a large swath of public life is shrouded in secrecy. Privacy laws and encryption, used sparingly, can help protect against violations that cause real harm. But they should not become an automatic response to vague threats. You don't don a balaclava before going to the mall, even though you are under constant video surveillance as you walk through the stores, and a nosy neighbor might spot you in Victoria's Secret fingering lingerie two sizes too small for your spouse. You do, however, show the clerk at the mall your driver's license when you pay by check, and the numeric name of your Pentium III could serve a similar purpose, adding to your password some assurance—not proof—that you are not an impostor.

A chip ID for computers is no more foolproof and hardly more threatening than caller-ID is for telephones. Both identify devices, not people; both can be disabled easily. And both could
be used to develop, with time and some difficulty, a directory linking people with their machines. Of course, the phone book was around long before caller-ID.

Instead of pressing for a ban on chip ID's, Brin argues, privacy advocates should urge Intel to disclose details of its design so that they can search for other, secret identifiers. "Another nice bit of reciprocal transparency would be to require that anyone who queries the identifier must give a receipt that includes their own identifier," he suggests. That way Victoria's Secret Online Shop could track down those who give it stolen credit-card numbers, just as you could nab a bandit who steals yours.

The World Wide Web Consortium has been working on a Platform for Privacy Preferences Project that, when complete, will provide a way for Web surfers to negotiate what information they are willing to share with Web sites. Once the platform is in place, Web services will be able to send new visitors a proposal: a request for particular personal data in exchange for access and certain binding promises—enforced by auditing firms—about how the data will be used. Swapping processor names could help seal such an exchange and move us one step closer to a society based on well-informed trust rather than blind suspicion.

—Wayt Gibbs in San Francisco
SCIENTIFIC AMERICAN April 1999
4. And finally:

I hope to meet you all, under whatever operating system, in great numbers and in good health on:

Friday 28 May 1999 at Keenenburgweg 10 in Schipluiden, in the Dorpshuis

between 20:00 and 23:30. Bring a system and/or a guest along. Raise your computer problems and experiences during the big round. We will provide an Internet connection and a mixed network of PCs and Macs under the care of GerardS. and Peter vH.

---->>> The next meeting date is 25 June. After that, 2 months of rest. <<-----

Apple day on Saturday 12 June in Nieuwegein, see also: www.klokhuis.nl

Regards, KEES