                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3e, Phile #0x0e of 0x0f

|=--------------=[ P H R A C K   W O R L D   N E W S ]=------------------=|
|=-----------------------------------------------------------------------=|
|=------------------=[ Phrack K0mbat Journalistz ]=----------------------=|

Content

 1 - CERT Pedophile Busted!
 2 - Spender Receives Prized Items on Amazon Wishlist
 3 - Widespread Panic on the TESO Mailing List
 4 - One Giant Leap for Antisec
 5 - TESO Member's XBOX is Infected with PHC Backdoor
 6 - Michal "ineedaj0b" Zalewski Gives Pro-Bono Kodez 2 Theo
 7 - Go Back to Work Men... It Was Only The DVDMAN!
 8 - King Lamer RFP Retires
 9 - At Least One Person on IRC Was Not a Pussy
10 - OpenBSD: Bugtraq Drama

|=-----------------------------------------------------------------------=|
|=-=[ CERT Pedophile Busted! ]=------------------------------------------=|
|=-----------------------------------------------------------------------=|

Phrack Staff Lowers Aris Threatcon Level for Underage Girls Down to 3,
Warns Aris Threatcon Level for Underage Boys Will Remain High Until
Emmanuel Goldstein's Nambla Membership is Revoked

http://story.news.yahoo.com/news?tmpl=story&u=/ibsys/20030822/lo_wtae/1754436

An analyst at a government-affiliated facility in Pittsburgh allegedly
tried to have sex with a 15-year-old girl after sending explicit e-mails.

Ian Finlay, 26, of Pittsburgh's Friendship area, was arrested Friday at a
McDonald's restaurant on Route 30 in Hempfield. He was allegedly planning
to meet the teen there, but it turned out that she does not exist.

State police said an undercover officer posed as the girl and met Finlay
in an online chat room in July. They kept in touch via e-mail, and Finlay
eventually arranged a face-to-face meeting so they could have sex,
according to police.

In the e-mails, Finlay allegedly asked the fictitious girl what she was
wearing and whether she was a virgin.
He also wanted to know if she was interested in sex with an older person
and told her to keep it from her parents because it would be illegal,
according to police.

Finlay used his name during the correspondence and sent along a picture of
himself, police said.

Authorities seized computers from Finlay's home and searched his office at
Carnegie Mellon University in Oakland, where he works at the Computer
Emergency Response Team (CERT) Coordination Center for Internet security.
CERT is part of the Software Engineering Institute, which CMU operates for
the Department of Defense.

Finlay is accused of attempted involuntary deviate sexual intercourse,
attempted statutory sexual assault and unlawful contact with a minor. He is
being held in Westmoreland County Prison on $150,000 straight cash bond.

|=-----------------------------------------------------------------------=|
|=-=[ Spender Receives Prized Items on Amazon Wishlist ]=----------------=|
|=-----------------------------------------------------------------------=|

Spender has finally received the most elusive request on his gift list,
the "Null modem 25pin male," purchased for him by none other than Thomas
Knop.

Help support spender, and help support PaX security, by buying him "Music
for the Masses" by Depeche Mode. See

http://www.amazon.com/exec/obidos/registry/1CG987MBXPRDY/103-9815471-4318252

for details.

Or better yet, somebody please send spender's dorm-room address to Ted
Kaminsky - he's got a pipe bomb ready with no address to forward it to.

|=-----------------------------------------------------------------------=|
|=-=[ Widespread Panic on the TESO Mailing List ]=-----------------------=|
|=-----------------------------------------------------------------------=|

http://www.ananova.com/news/story/sm_358876.html

Germany has demanded a rethink on EU guidelines on condom size after
finding its average penis did not measure up.
Doctors around Essen were ordered by the government's health department to
check out the average size suggested by Brussels.

They reported the EU has overestimated the size of the average penis by
almost 20% and insist other countries will discover the same.

Urologist Gunther Hagler, head of the team compiling the research, said:
"By checking hundreds of patients we found German penises were too small
for standard EU condoms.

"On average they were 14.48 cms long and 3.95 cms wide. That makes them
much smaller than the EU standard condom size of 17 cms in length and 5.6
cms in width."

He denied the German man was any smaller than the rest of Europe, adding:
"We think the EU has got its sums wrong, and if other countries were to
check out their men's assets they would find the EU has made a mistake in
its calculations.

"There should be a rethink and the EU statisticians should check their
figures again. After all, they have also ruled EU standard condoms should
be able to hold 18 litres of fluid without breaking, which also seems a
bit excessive."

|=-----------------------------------------------------------------------=|
|=-=[ One Giant Leap for Antisec ]=--------------------------------------=|
|=-----------------------------------------------------------------------=|

Apparently most of the following companies have realized that they are
owned and that their source/mail tarballs are floating around the net, and
have attempted to save themselves by agreeing to antisec's demands. Of
course, they didn't admit as much, but look at the list of corporate
retards that aligned themselves with Microsoft:

http://www.securityfocus.com/news/5458

A group of 11 of the largest software companies and computer security
firms released the first public draft of a proposed bug disclosure
standard on Wednesday, and asked the security community for comments.
The 37-page document sets out a detailed timeline for security
vulnerability reporting, and standardizes the interactions between
security researchers who find bugs and the software companies who write
them. The group hopes to see the final version of the plan gain
widespread industry acceptance.

"The meat of it is all about the process -- how people come around to
handling everything where they can talk to each other," says Scott Blake,
a VP at security software firm BindView, an OIS member.

The OIS officially formed in September of last year, but has its roots in
a private Microsoft-hosted security conference held in Silicon Valley
almost a year earlier. Member companies are Microsoft, @stake, BindView,
SCO, Foundstone, Guardent, Internet Security Systems, Network Associates,
Oracle, SGI and Symantec. (Symantec publishes SecurityFocus.)

A chief objective of the organization is to encourage a limited form of
public warning that withholds details useful to hackers. To that end, the
plan would curtail the common but controversial practice of publicly
releasing proof-of-concept or "exploit" code that demonstrates a security
hole. Researchers following the policy would not be able to release
exploits, nor provide "detailed technical information such as exact data
inputs, buffer offsets, or shell code strategies" to the general public.

That prohibition is loosened somewhat thirty days after the vendor
releases a patch. At that point the bug-finder could distribute exploit
code or technical details to "organizations such as academic institutions
that perform research into secure software development techniques."

Whether or not that includes popular forums and mailing lists like
Bugtraq, NTBugtraq and Full Disclosure is a gray area, says Blake, that
the group deliberately left open to interpretation.

"It's one of the areas I suspect we're going to get comments on," Blake
says. "That's one of the reasons we're putting this thing out for public
comment, because we want people to come back with that kind of feedback."

The group is accepting comments by e-mail for thirty days, ending July
4th, and expects to release the final plan at the Black Hat Conference in
Las Vegas later that month.

|=-----------------------------------------------------------------------=|
|=-=[ TESO Member's XBOX is Infected with PHC Backdoor ]=----------------=|
|=-----------------------------------------------------------------------=|

http://www.securityfocus.com/archive/1/337210/2003-09-05/2003-09-11/0

Hi,

well it finally happened. I came back home after work, connected my XBOX
to the internet and went into the XBOX-Live menu configuration.

Well what happened. The XBOX started automatically downloading the new
crappy XBOX-Live dashboard, which is of course fixed.

This is IMHO an act of computer sabotage. I have never allowed MS to
modify my dashboard or to auto update my dashboard.

Is there any lawyer on the list who can point me to the right paragraphs?
I do not believe this computer sabotage is legal in any European country.

Yours,
Stefan Esser

|=-----------------------------------------------------------------------=|
|=-=[ Michal "ineedaj0b" Zalewski Gives Pro-Bono Kodez 2 Theo ]=---------=|
|=-----------------------------------------------------------------------=|

With his first remote backdoor ever since his exploit in ~el8 magazine,
Zalewski has moved on with bigger and better projects, this time
implanting a logic bomb deep into the heart of the OpenBSD kernel, for the
first time since h4g1s (or those 8 other guys that backdoored OpenBSD).

http://search.linuxsecurity.com/articles/network_security_article-7849.html

Mike Frantzen recently committed OS fingerprinting capabilities to PF,
OpenBSD's stateful packet filter, based on Michal Zalewski's p0f (passive
OS fingerprinting) code. The functionality was also added to tcpdump.
From the p0f README: "The passive OS fingerprinting technique is based on
information coming from a remote host when it tries to establish a
connection to your system. Captured packet parameters contain enough
information to identify the remote OS. In contrast to active scanners
such as nmap and queSO, p0f does this without sending anything to the
remote host."

Mike points out that it is very easy to spoof a TCP stack to make one OS
appear as if it's really another, so this new functionality is not a
security feature. Instead, it's intended as a policy feature... For
Mike's announcement email which includes a few quick examples of how this
functionality might be used, read on...

|=-----------------------------------------------------------------------=|
|=-=[ Go Back to Work Men... It Was Only The DVDMAN! ]=------------------=|
|=-----------------------------------------------------------------------=|

This is a rather lengthy article so we'll only replicate the juice of it,
but the full text is also available from the link.

http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci920359,00.html

The GNU Project has apparently dodged a major bullet since the FTP server
housing its source code was root-compromised by a cracker in March.

Bradley M. Kuhn, executive director of the Free Software Foundation, the
Boston-based sponsor of the GNU Project, said this week that the attack
had no major impact on users downloading code from its site.

"There is evidence the cracker did not touch the source code. In fact,
it's looking like the person did not know they had gotten onto the machine
hosting all the source code for the GNU Project," Kuhn said.
|=-----------------------------------------------------------------------=|
|=-=[ King Lamer RFP Retires ]=------------------------------------------=|
|=-----------------------------------------------------------------------=|

The heat has become too much for former w00w00/ADM/wiretrip whitehat
security mogul RFP. Life in the limelight isn't made for everybody, and
rather than being overjoyed with his new-found status as the most searched
term after "horse cock" and "anal beads" on google.com, rfp has decided to
retreat into a more solitary computer life where he runs a minimal risk of
being owned/humiliated again.

http://www.zdnet.com.au/newstech/security/story/0,2000048600,20277457,00.htm

If you think famed security researcher Rain Forest Puppy's (RFP) recent
announcement that he's stepping away from the limelight means he's
precious, think again -- the guy has just had enough, and the problems
he's been confronted with are fairly familiar.

Take this analogy: ZDNet Australia has a tech savvy readership. Many of
you reading this would have been in the same position I was in when every
man, dog and its accompanying fleas were buying a PC. In my family, and
among many of my friends, I was the incredible, the amazing... drum roll
please: "computer guy".

For most people, a computer is like a car. You put petrol in it, drive it,
and then take it to the "car guy", read: mechanic, for a service or
repairs. With a computer, you take it home, screw your configuration, and
then call "computer guy" to come and fix it.

I have spent countless hours of my time sorting out other people's
computer hassles. If you can help, you're expected to help.

Now let's take it one step further. Imagine you are "computer security
guy" for all the "computer guys". Every time you plug "security guy" into
Google, your name comes up. This has been the hell that RFP has been
living for the last several years. He has become the world's largest one
man computer security helpdesk.
He's become a nerd overlord; the king of geeks.

How did he find himself in this situation? By freely contributing his
expertise and knowledge to an industry that desperately needed it. Not
only is he a star bug finder -- RFP researched the most easily exploitable
Microsoft Web server flaw ever found -- but he's written open source
tools, such as the Whisker vulnerability scanner, that were way ahead of
their time.

Then there were his advances in the area of vulnerability disclosure.
Several years ago RFP wrote the RFPolicy for vulnerability disclosure. It
has been ubiquitously adopted as the accepted policy for the disclosure of
security vulnerabilities.

He has supported Whisker, written a new version, and answered nearly every
single bone-headed question that has been thrown at him by scores of
ignorant, neophyte drones.

What was his reward for his countless hours of community service? Money?
He says not a cent.

RFP has mostly been "rewarded" with pressure and expectation. When the
Organisation for Internet Safety released its draft guidelines for
vulnerability disclosure, which it took way too seriously, especially
considering everyone was pretty happy with the RFPolicy, he was told by
sections of the security and media industries that he "owed it to them"
to comment. His response isn't fit for our site, so I'll just have to
leave it to your imagination.

If that wasn't enough, the poor guy's had big business move in on his
turf, selling sub-standard solutions for megabucks. In the statement he
released in which he announced his plan to become anonymous, he seemed
particularly flabbergasted by the domination of vendors that promote shiny
red boxes with support contracts as a substitute for true security.

The way some of the larger vendors are pushing their products is somewhat
similar, in my mind, to the campaign dynamics of some modern politics.
They appeal to the lowest common denominator, like the politician who
oversimplifies. "I love what that man can do.
He's a leader. He has vision. He can take the most complicated social
issue and make it really, really simple."

I guess it's the same in security now -- proper policy, procedure and
management is no match for a shiny box with pretty flashing lights.
Vendors say it's simple, and people believe them.

Handing over his turf to people like that hasn't been easy for RFP.

"What was free and open research is now profit, marketing, and illicit.
Vendors stepped in and took control, and the government started providing
oversight. Some will say the Wild West was tamed. I say the Free West was
put under lock and key," he said in a recent statement.

So what's next for RFP? Well he's in Sydney delivering his swan-song
presentation at the Hack 2003 conference. From this day forward he will
be in the crowd, not at the lectern.

Does he owe us anything? I don't think so -- he's done enough.

|=-----------------------------------------------------------------------=|
|=-=[ At Least One Person on IRC Was Not a Pussy ]=----------------------=|
|=-----------------------------------------------------------------------=|

We encourage everybody too afraid to step inside gayh1tler's EZ-BAKE OVEN
to do the same:

http://egomania.nu/korlie/

[02:21] <OverRide> **** this
[02:21] <OverRide> i hate the world
[02:21] <vap0r> word indeed
[02:21] <Desolate> hahahaha
[02:21] <OverRide> i am going to go kill myself
[02:21] <HATER_> gotta hit that **** before its ripe
[02:21] <OverRide> look for me in the news tomorrow
[02:22] <HATER_> really override?
[02:22] <vap0r> pull a ripper,then OverRide
[02:22] <OverRide> im going outside to stab myself in the chest
[02:22] <HATER_> lotta ppl kill themselves
[02:22] <HATER_> whats gonna be special
[02:22] <HATER_> about ur
[02:22] <HATER_> s
[02:22] <OverRide> you think i am joking
[02:22] <Desolate> r|pper!
[02:22] <HATER_> can you do it on webcam?
[02:22] <OverRide> everybody look for it in the news tomorrow
[02:22] <OverRide> search your hardest
[02:22] <Desolate> hahahaha
[02:22] <Desolate> HAHAHAHAHAHAHA
[02:22] <OverRide> i live in ohio
[02:22] <zerozero> cool whats the url for the event
[02:22] <Desolate> HAHAHAHAHAHAHAHAHAHAHAHA!
[02:22] <OverRide> mayfield heights
[02:22] <HATER_> go on webcam
[02:22] <OverRide> my name is dan bucci
[02:22] <OverRide> i am going outside to kill myself
[02:23] <OverRide> with my knife
...

http://www.daytondailynews.com/localnews/content/localnews/daily/0802shootingdeath.html

Police: Naked man killed while attacking officer
Associated Press

MAYFIELD HEIGHTS | A bloodied, naked man armed with a knife rolled over
one police car and was shot and killed by a second officer whose patrol
car side window was smashed by the attacker, police said.

An officer shot Dan Bucci, 19, of Mayfield Heights, after he attacked her
with a knife before dawn Thursday in this Cleveland suburb. He died Friday
of a gunshot wound to the abdomen at Hillcrest Hospital, said Cuyahoga
County Coroner Elizabeth Balraj.

Residents called police about a nude man running down the street,
smashing house windows with his fists and shouting "call the police,"
according to Detective Doug Suydam. Police said Bucci had stabbed himself
in the throat and torso.

When police arrived, Bucci jumped on and rolled over one patrol car,
Suydam said. Next, he put his fist through the driver's window of another
patrol car and began stabbing at the officer. Suydam said the officer was
not injured.

Bucci's father, Fred, said his son had been using hallucinogenic
mushrooms.
|=-----------------------------------------------------------------------=|
|=-=[ OpenBSD: Bugtraq Drama ]=------------------------------------------=|
|=-----------------------------------------------------------------------=|

Theo de Raadt got shut down for the hundredth or maybe the thousandth time
this week since trying to rip off the PaX src tree, when two remote root
bugs were found in OpenSSH. Although we don't condone the whitehat
activities which led to the demise of these bugs, it's still funny to see
the whitehat community turn inwards and devour itself.

"OpenBSD: Only Two Holes In the Default Installation in Two Days"

|=[ EOF ]=---------------------------------------------------------------=|