A court ordered someone to switch to Windows to enable monitoring

A friend shared an interesting post with me from Ars Technica about a recent torrent website owner getting jail time.

One of the more interesting facts from the article was the disposition of a previous case in 2007 which somehow escaped my attention back then. Scott McCausland was forced to have his computer monitored as a condition of his probation. He noted in his blog that, “their software doesn’t support GNU/Linux (which is what I use). So, he told me that if I want to use a computer, I would have to use an OS that the software can be installed on.”
I think there is a snarky lesson in all of this: Windows is the choice of those who want to monitor your every move. Irony aside, McCausland “added a donation link to his blog to help pay for the cost of a Windows license.” This is a very real additional cost that wasn’t really considered by the judge. I’ve complained about this privately when the Extension School at Harvard offered a statistics class which only allowed the use of a Windows-based statistics program. This was not known to me when I signed up, and I subsequently withdrew from the course (costing me both time and money) because I refused to deal with a Windows-only learning environment.

A history of hackers from the underground

A really cool db has been leaked to the internet which contains releases to “the scene”. I did a quick search on the term “hackers” and got the following presented in chronological order.

Calculating an ASN's IP Space

I couldn’t think of a good, easy way to save a bunch of telnet addresses, so I’m just going to blog them. I’m using BGP tables to calculate the theoretical IP space a given ASN has: I parse the table, use the CIDR notation of each prefix to calculate how big that block is, and then tally the total for each AS number. It’s a useful metric for an analysis I’m conducting on the infection rate of badware; however, BGP tables differ from router to router, so I was finally pointed to a “looking glass” page which had a nice collection of public route servers I could dump from.

BGP Route Servers (telnet access)

  1. RouteViews Project (collection)
  2. ATT Route Server (AS7018)
  3. CerfNet Route Server (AS1838)
  4. Colt Internet Route Server (AS8220)
  5. Exodus Communications USA Route Server (AS3967)
  6. Global Crossing Route Server (AS3549)
  7. Group Telecom Route Server (AS6539)
  8. Hurricane Electric Route Server (AS6939)
  9. Oregon Exchange Route Server (AS3582)
  10. Planet Online Route Server (AS5388)
  11. SAVVIS Communications Route Server (AS3561)
  12. SixXS GRH Route Server (SixXS IPv6 Project)
  13. TELUS Eastern Canada Route Server (AS852)
  14. TELUS Western Canada Route Server (AS852)
  15. Tiscali Route Server (AS3257)

While I’m taking notes for myself, the command to disable paging is:
'term length 0'
and the command to dump the table is:
'show ip bgp'
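As an added worked example (not the script used for the analysis above, which the post does not show), here is a Python parser for a 'term length 0' / 'show ip bgp' dump saved from one of the route servers listed. It credits each prefix to its origin AS and sizes the prefix from its CIDR mask. The table is a constructed sample in IOS column layout using documentation and private ranges and private ASNs, not a real dump. Two caveats the description above glosses over: the same prefix is printed once per path, so it must be counted once per origin AS rather than once per line, and a more-specific announced alongside its covering prefix (a /25 under a /24) is not additional space, so overlapping prefixes are collapsed before summing. IOS also omits the mask on classful boundaries, which the parser reconstructs.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout of IOS "show ip bgp" output
# (after "term length 0"); documentation/private ranges and private ASNs,
# not a real route server dump.
SAMPLE_TABLE = """\
BGP table version is 17, local router ID is 198.18.0.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 198.51.100.0/24  198.18.0.10                            0 64496 64500 i
*                   198.18.0.11                            0 64497 64500 i
*> 203.0.113.0/25   198.18.0.10                            0 64496 64500 i
*> 203.0.113.0/24   198.18.0.10                            0 64496 64500 i
*> 192.0.2.0        198.18.0.12                            0 64498 64501 ?
*> 172.16.0.0/12    198.18.0.12                            0 64498 {64501 64502} i
"""

ORIGIN_CODES = {"i", "e", "?"}


def classful_network(addr):
    """IOS omits the mask when a prefix sits on its classful boundary;
    rebuild it from the first octet (A = /8, B = /16, C = /24)."""
    first = int(addr.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def origin_asns(path):
    """The origin AS is the last element of the AS path. An AS-set such as
    {64501 64502} has no single originator, so every member is credited."""
    if not path[-1].endswith("}"):
        return [int(path[-1])]
    members = []
    for tok in reversed(path):
        members.append(int(tok.strip("{}")))
        if tok.startswith("{"):
            break
    return members


def parse_routes(text):
    """Yield (network, [origin ASNs]) for each path in the dump.
    Extra paths for the same prefix leave the Network column blank, so the
    last network seen is carried forward. The Weight column position comes
    from the header; the weight is always printed, so everything after it
    is the AS path followed by the origin code."""
    net = weight_col = None
    for line in text.splitlines():
        if line.lstrip().startswith("Network"):
            weight_col = line.index("Weight")
            continue
        if weight_col is None or len(line) <= weight_col or line[0] not in "*sdhr ":
            continue
        fields = line[weight_col:].split()
        if len(fields) < 2 or fields[-1] not in ORIGIN_CODES:
            continue  # wrapped long path or junk; not handled here
        path = fields[1:-1]  # drop the weight and the origin code
        if line[3] != " ":
            raw = line[3:].split()[0]
            net = (ipaddress.ip_network(raw, strict=False) if "/" in raw
                   else classful_network(raw))
        if net is None or not path:
            continue  # empty path = locally originated, no origin AS
        yield net, origin_asns(path)


def tally(text):
    """Return (naive, collapsed): addresses per origin AS, first summing every
    distinct prefix, then after collapsing overlapping prefixes."""
    per_as = defaultdict(set)
    for net, asns in parse_routes(text):
        for asn in asns:
            per_as[asn].add(net)
    naive = {a: sum(n.num_addresses for n in nets) for a, nets in per_as.items()}
    collapsed = {a: sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
                 for a, nets in per_as.items()}
    return naive, collapsed


if __name__ == "__main__":
    naive, collapsed = tally(SAMPLE_TABLE)
    for asn in sorted(collapsed, key=collapsed.get, reverse=True):
        print(f"AS{asn:<6} naive={naive[asn]:>9} collapsed={collapsed[asn]:>9}")
```

Feed it the text captured from a telnet session instead of SAMPLE_TABLE to get real numbers; AS64500 in the sample shows the difference between the two counts (640 naive vs 512 collapsed), and the two figures are only an upper bound on space actually in use, since a route server sees one vantage point's view of the table.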

First pseudo virus

program virus:=
{1234567;

subroutine infect-executable:=
{loop:file = get-random-executable-file;
if first-line-of-file = 1234567 then goto loop;
prepend virus to file;
}

subroutine do-damage:=
{whatever damage is to be done}

subroutine trigger-pulled:=
{return true if some condition holds}

main-program:=
{infect-executable;
if trigger-pulled then do-damage;
goto next;}

next:}

– http://www.all.net/books/virus/part2.htm…

Towards a unified music format

Ironically, we have had one for years now called MP3…
After a small fit of google-stalking myself for fun I found a post from a cyberlaw class I took last year:

Internet & Society ’05: Harvard Extension School

The first sales doctrine is essential if we are to keep a fair 
balance between artists and public access.[1]   What the music 
industry fails to recognize in the beauty of the P2P model is the 
“Great Agora” of the many to many conversation.[2]  In 
that conversation many users will become vehicles of 
advertisement for bands and movies alike. They put all the 
incentive into the hands of the software middlemen (Apple, 
Real, Microsoft, etc) and not their most powerful ally, the end 
user.  In the current model if the consumer sells a song 
she is in violation of copyright.  For her to do the right thing, 
suggest purchase from a retailer or online medium, 
she receives no incentive.   

Extending the first sales doctrine to their digital media 
purchase will endow value to the files and make consumers less 
likely to “give away” what they could rightfully sell.  
The end users will take more responsibilities to ensure that the 
copyright is not infringed upon because now they hold
 a stake in the proper sale as well.  Software middlemen (Apple, 
Real Media, Microsoft, et al) may use the Digital Millennium 
Copyright Act as a shield that prevents consumers from 
transferring their ownership of a song to another person.  
This move to empower reselling will directly affect their 
revenues and create a necessity for interoperability 
between their codecs (e.g. iTunes AAC, Rhapsody RM, Windows WMA).

[1] The First Sale Doctrine in the Era of Digital Networks, by R. Anthony Reese
[2] From Consumers to Users: Shifting the Deeper Structures of Regulation Toward Sustainable Commons and User Access, by Yochai Benkler

I thought I saw some hope in France and their new DRM bill, but they backed down. “State-sponsored piracy” (Apple’s term) is more aptly described as “state-mandated interoperability,” which I firmly support at the moment. Even though I finally broke down and bought an iPod, I will never use iTunes until my federally assured right to resell my legal purchase is restored.

The first defcons

The first defcons have recently come up for debate. The founder of nCircle thought he was the first winner of the CTF contest.

“Moss recalls that another individual won the first two Capture the Flag contests. “It was this guy called A.J. Reznor, who won it in a pretty famous way,” Moss says. “This guy won it with no monitor, attacking the machine with a keyboard only. He memorized the entire attack and did it.””

AJ was last seen battling it out with ISC^2 over the CISSP cert, which for the record I do not have.

Further erosion of vulnerability disclosure

[b] http://alerts.symantec.com/default.asp?R...('XSS')
[b] https://tms.symantec.com/formslogin.asp?...('XSS')
[b] hurm...
[i] bah its just xss
[b] should be ">
[b] yes but it is before login
[b] and isnt this a security minded service?
 it's embarrassing if nothing else.
[i] are these internal? or external?
 also very funny !
[j] external
[o] tms is deepsight/threat management system i believe
[i] oh
[i] hahah
[i] nice work ;)
[t] i thought it was internal
[b] deepsight
[b] just got my account this morning
[b] XSS everywhere
[b] I wonder if I sent out a POC to the internal mailing list if I would get fired
[i] only one way to find out!
[d] there's an internal mailing list ?
[s] i think you should just blast it across worldwide GSS like happens when there's a need for staffing
[i] hhehe
[m] make sure to recommend that the ARIS (tm) threatcon be increased to at least 3 also


I lost the timestamps on this particular IRC log, but suffice it to say it was after the Symantec acquisition of @stake. I’ve removed people’s handles lest they get in trouble for what is said here. If you are reading this from the security community it might be easy to criticize this: “Who cares about XSS vulnerabilities?” It’s a valid point and one that I’m not ignoring here. If I had evidence of more egregious violations I might be uncomfortable posting them on a public blog. I think that even with the minor severity of an XSS vulnerability the underlying issues are the same. Employee [b] found a flaw in corporate intellectual property. It would be the right and just thing for him to report it. He felt uncomfortable doing even that.
A read through the RFP disclosure policy gives the average reader an idea of the timeline that has been accepted among most researchers as both responsible and fair. Of course, the roles of the “researcher” and the “company” in the RFP policy assume that there is no link between the two. What if the researcher works for the company? Remember that in the US a company can fire any member of its staff for nearly any reason. So long as civil rights are not violated, the employment of the researcher is fair game.
I would be remiss if I didn’t mention the Yankee Group report “Fear and Loathing in Las Vegas: The Hackers Turn Pro” by Andrew Jaquith. In this report he describes the constant attack that security product companies find themselves under. Following the report, Symantec announced that the recently acquired @stake team was already looking into these types of flaws. Most of us in the Cambridge office scratched our heads and muttered when this announcement came out. No one had heard of this program, and in the following weeks nothing more was mentioned. If one were to look back through the email archives of the @stake team during this time and the months preceding it, it would be interesting to see how many product flaws were found. Many of the researchers, still a bit unhappy with the acquisition, made discoveries in Lotus Notes (the new de facto mail system of parent company Symantec) and other Symantec-related products. It’s unclear how many of these “discoveries” either made it back to their respective companies or ever saw the light of day. It is almost certain that Symantec sits on a mountain (or perhaps it’s a hill) of 0day vulnerabilities discovered by the remaining all-stars picked up in the @stake acquisition, such as Ollie Whitehouse and Isaac Dawson.
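The “should be ">” remark in the log is the entire mechanics of this class of bug, so here is an added Python sketch of it. It is not Symantec’s code and not from the original post: the page and its R parameter are hypothetical, named only after the ?R... in the logged URLs. It shows a handler that reflects a query parameter into a hidden input, the same payload with and without the "> that closes the attribute, a parser-based check for whether a script element actually results (a browser’s view, not a substring match), and the escaped rendering that the fix amounts to.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode


# Hypothetical stand-in for a pre-login page that echoes the R query parameter
# into a hidden field. The parameter name follows the "?R..." in the logged
# URLs; everything else about the real page is an assumption.
def render_vulnerable(query):
    r = parse_qs(query).get("R", [""])[0]
    return f'<input type="hidden" name="R" value="{r}">'


def render_fixed(query):
    r = parse_qs(query).get("R", [""])[0]
    # quote=True also turns " and ' into entities, so the reflected value
    # can never close the attribute it is placed in
    return f'<input type="hidden" name="R" value="{html.escape(r, quote=True)}">'


def query_for(payload):
    """URL-encode the payload the way a browser sends it in ?R=..."""
    return urlencode({"R": payload})


class TagSniffer(HTMLParser):
    """Collect start tags the way a browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_script(page):
    """True if the response contains a real <script> element, as opposed to
    the text '<script>' sitting harmlessly inside an attribute value."""
    sniffer = TagSniffer()
    sniffer.feed(page)
    return "script" in sniffer.tags


NAIVE = "<script>alert('XSS')</script>"          # stays inside value="..."
BREAKOUT = '"><script>alert(\'XSS\')</script>'  # the "> the log calls for


if __name__ == "__main__":
    for label, payload in (("naive", NAIVE), ("breakout", BREAKOUT)):
        page = render_vulnerable(query_for(payload))
        print(f"{label:>9} vulnerable: script={injected_script(page)}  {page}")
    page = render_fixed(query_for(BREAKOUT))
    print(f"{'breakout':>9} fixed:      script={injected_script(page)}  {page}")
```

The point the check makes concrete: the naive payload is reflected but inert because it lands inside a double-quoted attribute, which is why the log says the probe should start with ">; once the attribute is closed the script element is live, and escaping the quote characters (not just angle brackets) is what removes it.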

Fun Moments in History: Symantec Acquires @stake

[oday@zero oday]$ ssh localhost
oday@localhost's password:
Last login: Fri Oct 15 12:44:48 2004 from 10.1.8.141
 
----------------------
Welcome to the Wayback
 (bring your own A/C)
----------------------
 
5 May 04: Sorry the SSH daemon has been flaky today.  I upgraded it to
OpenSSH 3.8p1 last night, but apparently some interoperability problem
with PAM/LDAP authentication caused many people not to be able to log
in at all.  We're now running 3.6.1p2 which is obviously not ideal,
but still much better than 2.5.2p2, which is what was installed up
until yesterday!
  --root
 
 
[1] ircii
[2] BitchX
 
Select: 2
BitchX - Based on EPIC Software Labs epic ircII (1998).
Version (BitchX-1.0c17) -- Date (19990221).
Process [8744]
Using terminal type [xterm]
[BitchX-1.0c17 by panasync]                    
??? BitchX: Created directory /tmp/.BitchX
??? BitchX: Auto Response is set to - oday
??? Connecting to port 6667 of server 127.0.0.1 [refnum 0]
[0]  *** Looking up your hostname...
[0]  *** Checking Ident
[0]  *** No Ident response
[0]  *** Couldn't look up your hostname
??? BitchX: For more information about BitchX type /about
??? Welcome to the Internet Relay Network oday (from wayback.atstake.com)
??? Your host is localhost[localhost/6667], running version 2.8/hybrid-6.0
          (from wayback.atstake.com)
[0]  *** Your host is localhost[localhost/6667], running version
          2.8/hybrid-6.0
??? This server was created Fri Jun 29 2001 at 23:31:14 EDT (from
          wayback.atstake.com)
??? wayback.atstake.com 2.8/hybrid-6.0 oiwszcrkfydnxb biklmnopstved
??? [local users on irc(16)] 67%
??? [global users on irc(8)] 33%
??? [invisible users on irc(16)] 67%
??? [ircops on irc(0)] 0%
??? [total users on irc(24)]
??? [unknown connections(0)]
??? [total servers on irc(2)] (avg. 12 users per server)
??? [total channels created(5)] (avg. 4 users per channel)
??? Current local  users: 16  Max: 19
??? Current global users: 24  Max: 27
??? [Highest client connection count(20) (19)]
??? 127.0.0.1  No such server
??? Mode change [+iw] for user oday
Channel      Users   Topic
#@stake          6   *** Please migrate over to the #symantec
#aol             1
#gs              1
#symantec       14
??? oday [~oday@127.0.0.1] has joined #symantec
??? [Users(#symantec:15)]
[ oday      ] [ pnguyen   ] [ mhammond  ] [ mlevine   ] [ vik       ]
[ patmadden ] [ txs       ] [ mmiller   ] [ imelven   ] [ idawson   ]
[ gmeltser  ] [ kdunn     ] [ jbailey   ] [@ceng      ] [@ChanServ  ]
??? Channel #symantec was created at Tue Oct 12 18:28:12 2004
??? BitchX: Join to #symantec was synched in 0.039 secs!!