Computer underground Digest Sun Apr 4 1999 Volume 11 : Issue 21

Computer underground Digest    Sun  4 Apr, 1999   Volume 11 : Issue 21
                           ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Copy Editer:       Etaion Shrdlu, III
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #11.21 (Sun, 4 Apr, 1999)

File 1--Virus Suspect Mean no Harm, Lawyer says (AP excerpt)
File 2--"Melissa" macro virus
File 3--regarding melissa and microsoft statement
File 4--Help B92 press release 03-04-1999
File 5--Access to NATO's Web Site Disrupted
File 6--CFP 99: Final Reminder
File 7--CPSR Newsletter on the WWW
File 8--Free SANS Web Briefing: IDNET
File 9--Cu Digest Header Info (unchanged since 10 Jan, 1999)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.
         TO UNSUB, SEE ADMINISTRAVIA IN CONCLUDING FILE

---------------------------------------------------------------------

Date: Mon, 5 Apr 1999 01:09:39 EDT
From: tk0jut2@mvs.cso.niu.edu
Subject: File 1--Virus Suspect Mean no Harm, Lawyer says (AP excerpt)

VIRUS SUSPECT MEANT NO HARM, LAWYER SAYS
Associated Press.

TRENTON, N.J.

   The man accused of creating the so-called Melissa virus, which
infected thousands of computers and overloaded e-mail systems
worldwide, never intended to do anything wrong, his lawyer said
Saturday.

   David L. Smith, a 30-year-old computer programmer, will plead
not guilty to the state charges, said lawyer Steven Altman.

   Smith was arrested Thursday night at a brother's house in
Eatontown. He faces charges that include interruption of public
communications, conspiracy and theft of computer service. The
charges carry a maximum penalty of 40 years in prison and a
$480,000 fine.

((snip))

   The New York Times reported Saturday that investigators
determined that the first copy of the Melissa virus originated
from an account with Monmouth Internet Corp., based in Red Bank,
and then traced it to Smith's telephone line.

   Apparently frightened when the FBI posted a warning about
Melissa last week, Smith threw his computer equipment into a
trash bin at his apartment complex, investigators said.

((snip))

------------------------------

Date: Tue, 30 Mar 1999 16:51:23 -0800
From: "Rob Slade, doting grandpa of Ryan and Trevor" 
To: p1@canada.com
Cc: comsig-l@decus.ca, secsig-l@decus.ca, secedu@all.net, secure-nt@wwa.com
Subject: File 2--"Melissa" macro virus

The Melissa macro virus
A report prepared by Robert M. Slade


The following is an attempt to bring together the information about
the Melissa virus.  It is taken from the most reliable available
sources.  Additional sites have been listed at the end of the article.
I have not added a copyright line to this message in order to allow it
to be used as needed.  I will be posting the latest updated version of
this article at http://sun.soci.niu.edu/~rslade/melissa.txt and
http://victoria.tc.ca/techrev/melissa.txt.


The virus, generally referred to as W97M.Melissa.A (with some
variations: Symantec, in a rather strained effort to be cute, seems to
be calling it "Mailissa"), is a MS Word macro virus.  This means that,
if you don't use Word, you are safe.  Completely safe.  (Except for
being dependent upon other people who might slow their/your mail
server down.  More on that later.)  If you need to look at MS Word
documents, there is a document viewer available (free, as it happens)
from Microsoft.  This viewer will not execute macros, so it is safe
from infection.

In the messages about Melissa, there have been many references to the
mythical and non-existent "Good Times" virus.  Note that simply
reading the text of a message still cannot infect you.  However, note
also that many mailers, in the name of convenience, are becoming more
and more automated, and much of this automation concerns running
attached files for you.  As Padgett Peterson, author of one of the
best macro virus protection tools, has stated, "For years we have been
saying you could not get a virus just by 'opening E-Mail'.  That bug is
being fixed."

Melissa does not carry any specifically damaging payload.  If the
message is triggered there will be text added to the active document.
The mailout function can cause a large number of messages to be
generated very quickly, and this has caused the shutdown of a number
of corporate mail servers.

If you have Word set with macros disabled, then the virus will not
activate.  However, relying on this protection is a very dangerous
proposition.  Previous macro viruses have also killed macro protection
in Word, and this one does as well.

The name "Melissa" comes from the class module that contains the
virus.  The name is also used in the registry flag set by the virus.

The virus is spread, of course, by infected Word documents.  What has
made it the "bug du jour" is that it spreads *itself* via email.  We
have known about viruses being spread as attachments to email for a
long time, and have been warning people not to execute attachments (or
read Word documents sent as attachments) if you don't know where they
came from.  Happy99 is a good example: it has spread very widely in
the past month by sending itself out as an email attachment whenever
it infects a system.

Melissa was originally posted to the alt.sex newsgroup.  At that time
it was LIST.DOC, and purported to be a list of passwords for sex
sites.  I have seen at least one message theorizing that Melissa is
someone's ill-conceived punishment for viewers of pornography.  This
hypothesis is extremely unlikely.  Sending a virus to a sex related
newsgroup seems to be a reliable way to ensure that a number of stupid
people will read and/or execute your program, and start your new virus
off with a bang.  (No pun intended.)

If you get a message with a Melissa infected document, and do whatever
you need to do to "invoke" the attachment, and have Word on your
system as the default program for .doc files, Word starts up, reads in
the document, and the macro is ready to start.  If you have Word's
"macro security" enabled (which is not the default) it will tell you
that there is a macro in the document.  Few people understand the
import of the warning, and there is no distinction between legitimate
macros and macro viruses.

Because of a technical difference between normal macros and "VBA
objects," if you ask for a list of the macros in the document, Melissa
will not show up.  It will be visible if you use the Visual Basic
Editor, but only after you have loaded the infected file.

Assuming that the macro starts executing, several things happen.

The virus first checks to see if Word 97 (Word 8) or Word 2000 (Word
9) is running.  If so, it reduces the level of the security warnings
on Word so that you will receive no future warnings.  In Word97, the
virus disables the Tools/Macro menu commands, the Confirm Conversions
option, the MS Word macro virus protection, and the Save Normal
Template prompt.  It "upconverts" to Word 2000 quite nicely, and there
disables the Tools/Macro/Security menu.

Specifically, under Word 97 it blocks access to the Tools|Macro menu
item, meaning you cannot check any macros.  It also turns off the
warnings for conversion, macro detection, and to save modifications to
the NORMAL.DOT file.  Under Word 2000 it blocks access to the menu
item that allows you to raise your security level, and sets your macro
virus detection to the lowest level, that is, none.  (Since the access
to the macro security menu item is blocked, I do not know how this
feature can be reversed, other than programmatically or by
reinstallation.)

After this, the virus checks for the
HKEY_CURRENT_USER\Software\Microsoft\Office\Melissa?\ registry key
with a value of "... by Kwyjibo".  (The "kwyjibo" entry seems to be a
reference to the "Bart the Genius" episode of the "Simpsons"
television program where this word was used to win a Scrabble match.)

If this is the first time you have been infected (and this "first
time" business is slightly complicated), then the macro starts up
Outlook, in the background, and sends itself as an attachment to the
"top" 50 names in *each* of your address lists.  (Melissa will *not*
use Outlook Express.)  Most people have only one (the default is
"Contacts"), but if you have more than one then Outlook will send more
than 50 copies of the message.  Outlook also sorts address lists such
that mailing lists are at the top of the list, so this can get a much
wider dispersal than just fifty copies of the message/virus.  There
was also a mention on one message about MAPI and Exchange servers,
which may give access to a very large number of mailing lists.  From
other reports, though, people who use Exchange mail server are being
particularly hard hit.  Then again, people who use Exchange are
probably also standardized on Word and Outlook.

Some have suggested setting this registry key as a preventative
measure, but note that it only prevents the mailout.  It does not
prevent infection.  If you are infected, and the registry key is
removed at a later date, then a mailout will be triggered the next
time an infected document is read.

Once the messages have been sent, the virus sets the Melissa flag in
the registry, and looks for it to check whether or not to send itself
out on subsequent infections.  If the flag does not persist, then
there will be subsequent mass mailings.  Because the key is set in
HKEY_CURRENT_USER, system administrators may have set permissions such
that changes made are not saved, and thus the key will not persist.
In addition, multiple users on the same machine will likely each
trigger a separate mailout, and the probability of cross infection on
a common machine is very high.

Since it is a macro virus, it will infect your NORMAL.DOT, and will
infect all documents thereafter.  The macro within NORMAL.DOT is
"Document_Close()" so that any document that is worked on will be
infected when it is closed.  When a document is infected the macro
inserted is "Document_Open()" so that the macro runs when the document
is opened.

Note that *not* using Outlook does not protect you from the virus, it
only means that the 50 copies will not be automatically sent out.  If
you use Word but not Outlook, you will still be infected, and may
still send out infected documents on your own.  The virus also will
not invoke the mailout on Mac systems, but definitely can be stored
and resent from Macs.  At this time I do not have reliable information
about whether it can reproduce on Macs (there is one report that it
does), but the likelihood is that it can.

Vesselin Bontchev has noted that the virus never explicitly terminates
the Outlook program.  It is possible that multiple copies may be
invoked, and may create memory problems.  However, this has not been
confirmed, and is not probable given the "first time" flag that is
set.

The message appears to come from the person just infected, of course,
since it really is sent from that machine.  This means that when you
get an "infected" message it will probably appear to come from someone
you know and deal with.  The subject line is "Important Message From:
[name of sender]" with the name taken from the registration settings
in Word.  The text of the body states "Here is that document you asked
for ... don't show anyone else ;-)".  Thus, the message is easily
identifiable: that subject line, the very brief message, and an
attached Word document (file with a .doc extension to the filename).
If you receive a message of this form *DO NOT OPEN THE DOCUMENT WITH
WORD!*  If you do not have alternate means or competent virus
assistance, the best recourse is to delete the message, and
attachment, and to send a message to the sender alerting them to the
fact that they are, very likely, infected.  Please note all the
specifics in this paragraph, and do not start a panic by sending
warnings to everyone who sends you any message with an attachment.

However, please also note that, as with any Word macro virus, the
source code travels with the infection, and it will be very easy to
create modifications to Melissa.  (The source code has already been
posted to one Web site.)  We will, no doubt very soon, start seeing
many Melissa variants with different subjects and messages.  There is
already one similar Excel macro virus, called "Papa."  The virus
contains the text "Fred Cohen" and "all.net," leading one rather
ignorant reporter to assume that Fred was the author.  Dr. Cohen was
the first person to do formal research into viral programs.

There is a message that is displayed approximately one time in sixty.
The exact trigger is if the current system time minute field matches
the current system time day of the month field when the virus is run.
In that case, you will have "Twenty-two points, plus triple-word-score,
plus fifty points for using all my letters.  Game's over. I'm outta
here." typed into your document.  (This is another reference to the
"Simpsons" episode referred to earlier.)

One rather important point: the document passed is the active
document, not necessarily the original posted on alt.sex.  So, for
example, if I am infected, and prepare some confidential information
for you in Word, and send you an attachment with the Word document,
containing sensitive information that neither you nor I want made
public (say, the fact that Bill Gates is a jerk for having designed
the technology this way), and you read it in Word, and you have
Outlook on your machine, then that document will be mailed out to the
top 50 people in your address book.

Rather ironically, a clue to the identity of the perpetrator may have
come from the identification number embedding scheme recently admitted
by Microsoft as having been included with Office and Windows 98.

A number of fixes for mail servers and mail filtering systems have
been devised very quickly.  However, note that not all of these have
been fully tested or debugged.  One version that I saw would trap most of
the warning messages about Melissa.

Note that any Word document can be infected, and that an infected user
may unintentionally send you an infected document.  All Word
documents, and indeed all Office files, should be checked for
infection before you load them.


Information and antiviral updates (some URLs are wrapped):

http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

http://www.ciac.org/ciac/bulletins/j-037.shtml

ftp://ftp.complex.is/pub/macrdef2.zip

http://www.complex.is/f-prot/f-prot.html

http://chkpt.zdnet.com/chkpt/hud0007500a/www.zdnet.com/zdnn/stories/
news/0,4586,2233030,00.html

http://www.zdnet.com/zdnn/special/melissavirus.html

http://www.symantec.com/techsupp/mailissa.html

http://www.antivirus.com/vinfo/security/sa032699.htm

http://www.avp.com/melissa/melissa.html

http://www.microsoft.com/security/bulletins/ms99-002.asp

http://www.sendmail.com/blockmelissa.html

ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

http://www.innosoft.com/iii/pmdf/virus-word-emergency.html

http://www.sophos.com/downloads/ide/index.html#melissa

http://www.avertlabs.com/public/datafiles/valerts/vinfo/melissa.asp

http://www.pcworld.com/cgi-bin/pcwtoday?ID=10302

http://www.internetnews.com/bus-news/article/0,1087,3_89011,00.html

http://cnn.com/TECH/computing/9903/29/melissa.copycat.idg/

http://www.pcworld.com/cgi-bin/pcwtoday?ID=10308
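
[Added example, not part of the report above and not any vendor's filter: a mail triage check built on the three traits the report lists for Melissa.A (subject line, very brief body text, attached .doc), requiring all three so that warning messages about the virus are not trapped. The verdict names, the MAX_BODY_CHARS threshold, and the sample messages are assumptions constructed for illustration.]

```python
"""Added example: triage mail using the three Melissa.A traits listed in the report."""
from email import message_from_string
from email.message import EmailMessage

SUBJECT_PREFIX = "important message from:"           # subject text quoted in the report
BODY_PHRASE = "here is that document you asked for"  # body text quoted in the report
MAX_BODY_CHARS = 200  # assumption: upper bound for a "very brief message"


def _body_and_filenames(msg):
    """Return (all text/plain body text, list of attachment filenames)."""
    body_parts, filenames = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            filenames.append(name)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "latin-1"
            try:
                body_parts.append(payload.decode(charset, errors="replace"))
            except LookupError:  # unknown charset label in the message
                body_parts.append(payload.decode("latin-1"))
    return "\n".join(body_parts), filenames


def melissa_traits(raw):
    """Evaluate each of the three traits separately for one raw message."""
    msg = message_from_string(raw)
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    body, filenames = _body_and_filenames(msg)
    body = " ".join(body.split()).lower()  # collapse line wraps before matching
    return {
        "subject": subject.startswith(SUBJECT_PREFIX),
        "body": BODY_PHRASE in body and len(body) <= MAX_BODY_CHARS,
        "doc_attachment": any(f.lower().endswith(".doc") for f in filenames),
    }


def verdict(raw):
    """quarantine: all three traits; scan: any .doc attachment; else deliver."""
    traits = melissa_traits(raw)
    if all(traits.values()):
        return "quarantine"
    if traits["doc_attachment"]:
        return "scan"  # the report: all Word documents should be checked
    return "deliver"


def _sample(subject, body, attachment=None):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder, not a real document",
                         maintype="application", subtype="msword",
                         filename=attachment)
    return m.as_string()


# Constructed samples (not captured traffic).
SAMPLE_MELISSA = _sample(
    "Important Message From: Alice Example",
    "Here is that document you asked for ... don't show anyone else ;-)\n",
    attachment="LIST.DOC",
)
SAMPLE_WARNING = _sample(
    "WARNING: Melissa macro virus",
    "Heads up: the Melissa virus arrives with the subject\n"
    "'Important Message From: <name>' and the text\n"
    "'Here is that document you asked for ... don't show anyone else ;-)'\n"
    "plus an attached Word document.  Do not open the attachment with Word;\n"
    "delete the message and tell the sender they are probably infected.\n",
)
SAMPLE_REPORT = _sample(
    "Q1 report", "Draft attached for review.\n", attachment="q1-report.doc"
)

if __name__ == "__main__":
    for name, raw in [("melissa", SAMPLE_MELISSA), ("warning", SAMPLE_WARNING),
                      ("report", SAMPLE_REPORT)]:
        print(name, verdict(raw), melissa_traits(raw))
```

Variants with a different subject or body text will fail the first two checks, which is why every .doc attachment still gets the "scan" verdict rather than being delivered unchecked.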

------------------------------

Date: Wed, 31 Mar 1999 10:53:05 -0500
From: andrew hreschak 
Subject: File 3--regarding melissa and microsoft statement

in regards to the microsoft statement (pasted below):


> Will Office 97/Office 2000 protect me from this and other macro viruses?
>
>    Yes. Word 97 and Word 2000 will protect you from macro viruses
>    including this one, provided the macro virus protection is turned on
>    (this is the default setting). With the macro virus protection turned
>    on, every time you receive a Word document that contains macros, a
>    dialog box opens and allows you to choose whether to enable the
>    macros. You should always disable macros when you are not certain of
>    their purpose or functionality. By choosing to disable the macros, you
>    will prevent this and any macro virus from running, rendering them
>    harmless. The virus is only activated if you open the attached Word
>    document and choose to enable the macros or if your macro virus
>    protection settings have been turned off.



it should be noted that office 97 contains a bug which apparently has
not been fixed in version 2000. this bug allows macros to be executed
without asking for user-input (i.e. asking the user whether or not they
wish to run the macro). the statement pasted above is quite misleading,
especially considering that microsoft has acknowledged this bug:

http://www.microsoft.com/security/bulletins/ms99-002.asp

the fact remains, however, that without the patch having been executed,
it is possible for a user to become infected by a virus in a macro which
executes on its own.

the existence of this bug is well-known, and i find it surprising that
the author of this virus did not exploit this weakness. however, it has
now become known that a new virus (pappa) has begun to spread across
the internet. i would expect that many similar virii will follow, and that
some will, in fact, use this security hole to proliferate in a more
widespread manner. we can, i think, consider ourselves lucky that
melissa, in its current iteration, did not carry a destructive payload.
the potential is certainly there.

sincerely,

andrew hreschak

------------------------------

Date: Sat, 3 Apr 1999 19:12:55 +0200 (CEST)
From: Maurice Wessling 
Subject: File 4--Help B92 press release 03-04-1999


Press Release
April 3 1999

THE FREE VOICE OF B92 BANNED: THE STRUGGLE GOES ON
Latest news: http://helpb92.xs4all.nl

The last message from Yugoslavia's most prominent independent
broadcaster - B92 - as government officials and the police moved in on
April 2, 1999, to take over the station and silence the last vestiges of
free speech in Serbia was -  'Keep The Faith!'

HelpB92 was launched on March 25, 1999, to do just that. The support
group uses Internet technology to enable B92 and all other banned
independent media in Yugoslavia defend their right to speak freely, and
the pivotal role of free media to regional stability.

The action against B92 comes at the end of a week of intense media
repression against independent media in Yugoslavia. On March 24,
government officials confiscated B92's transmitter, cutting off direct
radio broadcasts to Belgrade. B92 responded by harnessing the power of
the Internet and Real Audio, satellite, medium wave broadcasts and
solidarity rebroadcasting across the world to its struggle for free
speech. B92 supporters responded in record number - the B92 web site had
15 million visitors in just 7 days.

At the same time, in the past ten days, ten rebroadcasters of B92's news
from the Association of Independent Electronic Media - ANEM have been
closed down by the government. Other ANEM members have either taken
themselves voluntarily off the air rather than re-broadcast the
propaganda of state radio and TV, which they must do by law when the
country is in a state of war, or have been taken over by the government.

In Kosovo, the offices of the two most important alternative Albanian
language media - Koha and Radio 21 - have also been destroyed and their
staff have fled the country.

The closure of B92, on April 2, 1999, means that the only source of
information left for audiences and viewers in the region is the
state-controlled Radio Television Serbia.

All the journalists from these banned independent media are now in dire
straits and money is urgently needed to help assist these journalists to
find new means to get news out.

We therefore ask people to please express their involvement and support
this cause by donating money to the special HelpB92 fund, bank account
number 7676, Postbank Amsterdam, Swift address INGBNL2A, in the name of
Press Now. Please specify 'Help B92'

-------

Notes for the Editor

In the last week, HelpB92 has received an enormous amount of support
from around the globe. In Spain, Germany, Italy, Japan and Australia
supporting web sites have been established in their national languages.
Hundreds of people and organisations have
placed the HelpB92 logo and link to the web site on their home pages and
signed the interactive guest book.

Future actions include benefit concerts, global rebroadcasting
initiatives and Internet Real Audio actions.

HelpB92 was founded by: B92, De Balie, De Digitale Stad, Next 5 Minutes,
Press Now, Public Netbase (Austria), radioqualia (Australia), De Waag
(MONM) and XS4ALL Internet.

B92 Website: http://www.b92.net
HelpB92 campaign: http://helpb92.xs4all.nl
E-mail: helpb92@xs4all.nl

For more information contact:

Julia Glyn-Pickett
B92 Spokesperson
E-mail:  juliab92@xs4all.nl
Phone:   +31 20 4272127

------------------------------

Date: Wed, 31 Mar 1999 21:55:05 -0600 (CST)
From: Jim Thomas 
Subject: File 5--Access to NATO's Web Site Disrupted

Source -  http://www.cnn.com/WORLD/europe/9903/31/nato.hack/

Access to NATO's Web site disrupted

      "Pinging" disrupted access to NATO's Web site

         March 31, 1999
Web posted at: 10:42 a.m. EST (1542 GMT)

BRUSSELS, Belgium (CNN) -- NATO's Web site is under deliberate
electronic "bombardment" from Yugoslavia that has made e-mail
service and access to the site "erratic," NATO spokesman Jamie
Shea said Wednesday.

Shea said that computer users in Belgrade have been "pinging" the
NATO site -- sending repeated requests to the NATO server to
confirm that it's online -- since Sunday. The "ping bombardment
strategy," Shea said, has "caused line saturation" and noticeably
disrupted access to the alliance's Web site.

NATO's Web site contains the latest news releases and transcripts
of news conferences concerning the campaign against Yugoslavia.
Journalists around the world, as well as other people, look at
the site for information.

Additionally, Shea said NATO's e-mail servers were being
"saturated by one individual who is currently sending us 2,000
e-mails a day."

"And we are dealing with macro viruses from Yugoslavia in our
e-mail service," he said.

Shea did not say whether the "macro viruses" he mentioned were
from the recently released "Melissa" virus that causes e-mail
recipients to unknowingly spread infected files to other e-mail
users.

The NATO spokesman said that, despite the problems, NATO would
continue to put out up-to-date information.

------------------------------

Hacker Pleads Guilty in Agreement

(c) The Associated Press

 By MICHAEL WHITE

LOS ANGELES (AP) -- Kevin Mitnick, a computer vandal whose
exploits made him the FBI's most wanted hacker, pleaded guilty
Friday to computer and wire fraud charges in a deal that could
make him a free man in a year.

Mitnick, who admitted causing millions of dollars in damage to
companies whose computer systems he penetrated, pleaded guilty to
five felony counts in U.S. District Court.

Under a deal with prosecutors, Mitnick, 35, will be sentenced to
three years, 10 months in prison but will be credited for time
served, meaning he will be eligible for release in mid-2000.

(snip)

------------------------------

Date: Mon, 29 Mar 1999 19:21:22 -0500
From: EPIC-News List 
Subject: File 6--CFP 99: Final Reminder

Register now for the cyber event of the year:

C	COMPUTERS, FREEDOM, AND PRIVACY
F	THE GLOBAL INTERNET
P
9	WASHINGTON, DC
9	Omni Shoreham Hotel
.	April 6-8, 1999
O
R
G
** Online Registration Deadline - March 30, 1999 **

For almost a decade, the conference on Computers, Freedom and Privacy has
shaped the public debate on the future of privacy and freedom in the online
world. Register now for the number one Internet policy conference. Join a
diverse audience from government, industry, academics, the non-profit
sector, the hacker community and the media. Enjoy the U.S. Capital in the
spring at one of Washington's premier hotels.


*	Keynote speakers include Tim Berners-Lee (Director, World Wide
	Web Consortium), Vint Cerf (President, Internet Society),
	Congressman Ed Markey (sponsor of "The Electronic Bill of Rights
        Act"), Congressman Ron Paul (sponsor of the Freedom and Privacy
	Restoration Act), Henrikas Yushkiavitshus (Associate Director,
	UNESCO), and Commissioner Mozelle Thompson, Federal Trade Commission

*	Lively and thought-provoking panels on -- "the Creation of a
	Global Surveillance Network," "Access and Equity on the Global
	Internet," "Anonymity and Identity in Cyberspace," "Free Speech
	and Cyber Censorship," "Is Escrow Dead? And what is Wassenaar?",
	"Self-Regulation Reconsidered" and more.

*	Tutorials -- "The Electronic Communications Privacy Act" (Mark
	Eckenwiler); "Cryptography: Basic Overview & Nontraditional
	Uses" (Matt Blaze and Phil Zimmermann), "Free Speech, The
	Constitution and Privacy in Cyberspace" (Mike Godwin),
	"Techniques for Circumventing Internet Censorship" (Bennett
	Haselton and Brian Ristuccia).

*	Other Events -- Privacy International's Big Brother Awards to
	the worst privacy violators in the US, EFF's Pioneer Awards to
	those who have done the most to promote the net.

Online Registration Deadline - March 30, 1999
 --------------------------------------------

Register on-line at http://www.regmaster.com/cfp99.html or call +1 407 628
3602. Registration inquiries may also be sent to mann@regmaster.com.

For more information about CFP99, visit http://www.cfp99.org/ or call +1
410 628 3186

------------------------------

Date: 29 Mar 1999 17:33:22 -0000
From: sevoy@quark.cpsr.org
Subject: File 7--CPSR Newsletter on the WWW


CPSR WINTER NEWSLETTER FOCUSES ON Y2K

"Will my house be warm on January 1, 2000?"
"Will I be able to fill my gas tank?"
"Will we have an accidental war?"
"Should I take all my cash out of the bank?"
Those are the questions inundating CPSR members.
The most obvious response CPSR can make is to dedicate
an issue of the CPSR Newsletter to sating the thirst with
our "take" on the issues.

A BREAKTHROUGH FOR CPSR PUBLICATIONS
The Special Winter 1999 Issue of the CPSR Newsletter will
be our first-ever completely online. You can link to it
from our home page or from:

http://www.cpsr.org/publications/newsletters/issues/1999/Winter1999/.

If you wish, we can email you a text version or mail you a transcript.
Just let our office know at cpsr@cpsr.org. Guest editor: Marsha Woodbury.

WHAT YOU'LL FIND
  Arthur C. Clarke's chapter, "The Century Syndrome,"
from his novel, The Ghost from the Grand Banks.

  "A Perspective on Y2K," by Peter Neumann, who won
the Norbert Wiener Award in 1997 for his work on
documenting computer risks. He views Y2K as a serious
concern and also as the tip of a much larger iceberg of
computer risk.

  Gary Chapman, former Executive Director of CPSR, has
two articles: "Now for Another Daunting Y2K Task:
Educating America's Masses," and "A Moral Project for
the 21st Century: Stop Creating Better Weapons."

  Tony Ralston, professor emeritus of computer science
and member of the CPSR advisory board, gives his
impressions of the Y2K problem in "Y2K and Social
Responsibility."

  Lenny Siegel's article "OOPs 2000: The Y2K Bug and the
Threat of Catastrophic Chemical Releases."

  Khursch Ahmed, David Parnas, Barbara Simons, and
Terry Winograd express their nuclear weapons concerns.

  Norman Kurland and others in the CPSR Y2K Working
Group wrote the "How Y2K Will Impact the New York
Times."

  Marsha Woodbury, Chair of CPSR, contributes the
introduction, "Y2K: A Broad View."

  "Y2K Humor from the Internet and Beyond," collected by
friends and members.

  Chapter news, letters to the editor, a cartoon, and more.

Let's use Y2K to explore computer risks and our
relationship to them.

Take a look at the Y2K newsletter!

--
Susan Evoy   *   Deputy Director
http://www.cpsr.org/
Computer Professionals for Social Responsibility
P.O. Box 717  *  Palo Alto  *  CA *  94302
Phone: (650) 322-3778    *   Fax: (650) 322-4748     *
Email: evoy@cpsr.org
Donations online: https://swww.igc.apc.org/cpsr/sec-membership-form.html


------------------------------

Date: Thu, 1 Apr 1999 13:29:03 -0700 (MST)
From: The SANS Institute 
Subject: File 8--Free SANS Web Briefing: IDNET

Re:    Free SANS Web Briefing #4: Tuesday, April 6, 1999
Topic: Comparing Intrusion Detection Systems, ID'Net 99
Time:  Tuesday, April 6, 1999, 1 pm EST
Hosts: Stephen Northcutt and Rob Kolstad
Cost:  Free (with high value)

One of the questions we received from the March 2 web broadcast
(on the advanced network scanning tool called nmap) was: "what is
the best intrusion detection software?"

Three weeks ago Stephen was part of a working group to help frame
the research agenda for the President's Decision Directive 63,
which deals with intrusion detection.  On the last day there was
a discussion period with a single hot topic: how to compare intrusion
detection systems.

This webcast will focus on one approach to this problem, SANS's
Intrusion Detection Network ID'Net which was operational at the
ID'99 conference in San Diego and will run again at the SANS
Conference (May 7-14 in Baltimore, MD).  We will discuss the history
and challenges of comparing intrusion detection systems and some
of the results of this first effort.

Guests on the broadcast will be:
  * Simson Garfinkel, co-author of Practical Unix Security, who
    demonstrated Sandstorm's TCP Demux network forensic tool and was
    able to capture and analyze the attacks
  * Steve Schall, senior network engineer from ODS, who demonstrated
    his company's network switch which has an integrated intrusion
    detection capability.
  * Paul Proctor, Chief Technology Officer at Centrax, who showed
    their new network intrusion detection capability on ID'Net and
    will discuss his experiences
  * Chris Pettit, a senior network engineer for NCI, who is the chair
    of the next ID'Net in May.

Should be a great show; hope to see you there!

When:     Tuesday, April 6, 1999  (and later for `reruns')
          10 am Pacific Time, 11 am Mountain, noon Central,
          1 pm Eastern, 1800 GMT
Duration: 60 minutes
Cost:     Free
How:      Register at http://www.sans.org/apr6.htm

The website should reply within a minute or two with the URL and
password for the free broadcast.  If you don't get a reply within
a few minutes, please let Rob know at .

Feel free to share this announcement with any potentially interested
parties.

                                                Rob

ps: This message is coming to you from our shiny new mail server.
    Please direct comments, complaints, duplicates, corrections,
    and unsubscribes to  -- please include your SD
    number from the header.

Alan Paller & Rob Kolstad  The SANS Institute  sans@clark.net 301-951-0102
----- Upcoming Events: ------------------------ Current Publications: ----
Intr Detect & Response (San Diego 2/99)       SANS Network Security Digest
                                                        The SANS NT Digest
SANS '99 (Baltimore, 5/99)               Windows NT Security: Step-by-Step
Network Security 99 (New Orleans, 10/99)   Incident Handling: Step-by-Step
                                         Intrusion Detection: Shadow Style
                                                   1998 SANS Salary Survey
See http://www.sans.org for info          WindowsNT Power Tools: Consensus

------------------------------

Date: Sun, 10 Jan 1999 22:51:01 CST
From: CuD Moderators 
Subject: File 9--Cu Digest Header Info (unchanged since 10 Jan, 1999)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

     SUBSCRIBE CU-DIGEST
Send the message to:   cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

The mailing list is automated, so no human lies at the other end.

CuD is readily accessible from the Net:
  UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
    Web-accessible from: http://www.etext.org/CuD/CuD/
                  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
  EUROPE:         ftp.warwick.ac.uk in pub/cud/ (United Kingdom)


The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

------------------------------

End of Computer Underground Digest #11.21
************************************

Page maintained by: Jim Thomas - cudigest@sun.soci.niu.edu