CRYPT NEWSLETTER 33
August-September 1995

Editor: Urnst Kouch (George Smith, Ph.D.)
Media Critic: Mr. Badger (Andy Lopez)
INTERNET: 70743.1711@compuserve.com Urnst.Kouch@comsec.org crypt@sun.soci.niu.edu
COMPUSERVE: 70743,1711

IN THIS ISSUE: Triumph of the Shill: Kaiser Bill & Win95 . . . Washington Post puzzled by Stealth Boot C virus . . . The military's new scorn flakes: Infowarriors & TIME magazine . . . Blewed, screwed & tattoo'd continued: Virus writer Chris Pile set upon by computer forensic expert . . . Letters: On pepper spray, Win95, Underground Technology Review and nuts in militia groups . . . more.

TRIUMPH OF THE SHILL: LARRY KING AND KAISER WILHELM

To the surprise of no one at the Crypt Newsletter, Larry King sucked up to Kaiser Bill in front of millions on CNN prior to the delivery of Win95. But even for Larry's marshmallow questions on life, Win95, the Justice Department v. Microsoft, and Der Kaiser's wife, the Microsoft CEO was shifty and vague, parting with little except that his spouse worked in programming at his company and that he recommended his friends purchase PC's. "Heh-heh," chortled Larry.

The only genuinely interesting part of the broadcast came when a caller from Africa inquired of Der Kaiser whether he was considering setting up a Microsoft operation in Nigeria - presumably virtual or otherwise - where programmers were ready and eager to work cranking out software for mere pennies on every US dollar. Microsoft's maximum leader didn't really answer the man. Perhaps this had something to do with the fact that Der Kaiser regrets the general penury of Africa which dictates that Nigerian users, among others, only pay for Microsoft products with mere pennies on every US dollar, if they decide they wish to pay for them at all. "Heh-heh," snickered Larry. Next caller.

But the most unnerving development stemming from the Win95 roll-out in late August was a 30-minute infomercial at 7:00 pm on ABC the week following Kaiser Bill's date with King.
Hosted by Anthony Edwards, a man who resembles the generic American sissy just enough to make even Microsoft's CEO look like a regular guy, the Win95 infomercial featured the paunchy Kaiser jabbering in flat tones without once looking the audience square in the face! All told, you could say - unless you're a computer industry journaflack, of course - it was a numbing exercise in the kind of pitiless merchandising that's now the standard for so-called "age of information" innovations. As such, Der Kaiser's Win95 show-and-tell was separated into a series of segments - each a shiny bit of Fool's Gold and contempt for consumers in its own right, each punctuated with a snazzy guitar riff copped from the stylebooks of either Dire Straits or Jimi Hendrix. For instance, one woman praised Kaiser Bill's OS for - and I'm not kidding - generating her office paperwork. The rest of her recommendation was devoted to the joy of watching the PC boot up. "It's cool," or something like that, she burbled, while little horns pooted out a cutesy melody in the background. There was a rock group named Sky Cries Mary shilling for Bill. Its members pulled the types of contrived stunts any struggling musical outfit would: namedrop lots of more successful rock bands that don't have computers but do employ an army of flunkies to manhandle the on-line or CD-ROM thing for them and preview its computer game, made easy to operate courtesy Win95, which allowed a purchaser to dress one of the musicians - his name sounded like "Wino" - in a tutu and women's underwear. 
An average number of nondescript yuppies were also deployed, yakking about how they had either: (1) taught their young daughter the rudiments of faxing or sending e-mail to cellular phone-linked modems with Win95 for ten times the effort of a simple _voice_ phone call or (2) decided that, as teachers, they weren't going to insist on silly curricula anymore when it was just plain easier to let school children fiddle about with Win95, the Microsoft Network or Microsoft's EnCarta CD-ROM encyclopedia.

Not one to let grass grow under his feet, the same week Kaiser Bill was reported meeting another member of the Richest-Men-In-The-World club, Warren Buffett, perhaps to discuss a joint bulk purchase of the rights to everything for use in future CD-ROM projects or on-line promotions and the timely shipping of said rights back to Redmond, Washington - C.O.D.

WASHINGTON POST COMPUTERS TROUBLED BY STEALTH BOOT COMPUTER VIRUS INFECTION

Troubled by continuing incidence of Stealth Boot computer virus infections on PC's at its D.C. plant during the summer, the Washington Post is casting about for new anti-virus software.

The Stealth Boot virus is a program written by Mark Ludwig, an Arizona-based graduate of CalTech and MIT, who has made a living as a publisher selling highly controversial - some would say _infuriating_ - technical books on computer viruses. His first volume, "The Little Black Book of Computer Viruses," included the complete source code for the original Stealth Boot virus, since altered into at least five variants and seemingly become one of the more common computer viruses circulating on world PC's.

Inability to control Stealth Boot virus infections led information systems employees at the Post to cast about for corporate site-licensing of new anti-virus software.
The front runners in the effort, employees said to the Crypt Newsletter, were Symantec's Norton Anti-virus, McAfee Associates SCAN and Datawatch's Virex because "Virex was a good anti-virus program for the Macintosh." There was no comment explaining what relevance the Macintosh product had to computer virus infection on the IBM-compatible PC.

An information systems representative for the Post who was also in charge of evaluation of the software suites under consideration commented: "All the anti-virus products detect the same number of viruses, so the primary factor in choice is going to be the user interface." Regular readers of the Crypt Newsletter are invited to nod sagely and mysteriously while adding their own whimsical spin to this _corporate_ statement.

Post employees were nonplussed when informed that Peter Norton once claimed computer viruses were an "urban legend" and that the majority of Symantec's Norton Anti-virus technical development staff had left the company en masse for competitor positions at McAfee Associates, IBM and Command Software, months previously. Post employees were surprised to learn the computer virus incommoding them had been published worldwide in books between 1990 and 1993, too.

In related news, Glenn Jordan, the chief developer of Datawatch's Virex anti-virus software - another product highly thought of by Post software evaluators - has abandoned Datawatch for a European competitor, S&S International. S&S International's anti-virus software regularly thrashes the software Post employees were considering, a fact which has rarely made much impression at ponderous price-determined-by-the-pound US computer magazines. S&S p.r.-babble in late August concerning the matter showed Jordan - angry and tough - baring his teeth in defiance at the viral digital foe. "[A computer virus is] random mindless violence, up there with drive-by shootings," growled Jordan menacingly. "I'm at war." Grrrr. Get 'em, boy!
Notes: The original Stealth Boot virus stems from Mark Ludwig's "Little Black Book of Computer Viruses" which was published in 1990 but didn't reach major circulation until 1992. Since then, the book has been rolled-out in subsequent editions and distributed widely in the United States and France. During this period, Ludwig rewrote the original virus a couple of times "to make it more compatible." The books contain the source code of the virus. Accompanying computer diskettes also included the source code, a binary image of the virus and a dropper program for infecting a floppy disk with the virus. The Stealth Boot virus, due to the nature of current operating systems for the IBM-compatible computer and the way the virus manipulates the PC, introduces instability to the operating system. Systems infected with Stealth Boot can seemingly become hostile when running Windows. Published versions of the Stealth Boot virus contain no intentionally harmful code. One variant of Stealth Boot was also used by Ludwig to deliver a data encryption scheme. It remains a curiosity and hasn't attained wide for a number of reasons, the simplest being not many people actually know of it with even fewer understanding it to any great degree. As written, it was not possible for this variant, known as KOH, to spread in the wild. The source code for it, as with the original Stealth Boot viruses, is sold by Ludwig's company, American Eagle. In 1993, Addison-Wesley France was the target of a lawsuit aimed at stopping it from publishing Ludwig's "Little Black Book" - retitled "Birth of a Virus" - and an accompanying disk which sold for 100 francs, containing Stealth Boot and other viruses. The case made it to the French equivalent of the Supreme Court where a decision in favor of Addison-Wesley France was returned. The plaintiff was also commanded to pay the publisher an undisclosed sum in damages and legal fees for hindering the book's publication. 
The French translation of the book was written by Jean-Bernard Condat, "secretary general" of the French chapter of the Chaos Computer Club. The back cover of the book is illustrated with an icon of a smiley-face, fizzing bomb rolling toward the reader. "The Little Black Book" and "Birth of a Virus" remain in print.

The Stealth Boot virus is only tricky - or _stealthy_ - in that when it is loaded on PC start from an infected partition sector of the hard disk, it will assume control of the machine at a low level and return an image of the partition sector free of the virus when various software tools attempt to observe this sector. The virus will also defeat attempts to write, erase or alter positions where its code is stored on disk when it is in memory. The net effect is the masking of the virus code on the disk from cursory examination.

Stealth Boot C is the common name given to that Ludwig virus variant which appears to be consistently reported infecting US PC's by anti-virus software vendors. Since the virus also readily infects the boot sector of PC diskettes inserted into machines with Stealth Boot infected hard disks, the virus is easily transported. In 1990 Ludwig wrote, rather accurately in retrospect, "[Stealth Boot] is _highly contagious_ . . . It hides itself pretty well and once it's infected several disks, it is easy to forget where it's gone. At this point, you can kiss it good-bye."

THE US MILITARY'S NEW SCORN FLAKES -or- ANONYMOUS GOVERNMENT INFOWARRIORS AND TIME MAGAZINE VERSUS THE WORLD

TIME magazine, often ridiculed in the pages of the Crypt Newsletter, has been described as the magazine for those that can't think. Full of middle-brow cover stories of an editorial style that panders to elements in US society easily moved to nutso hysteria, its out-of-touch quality this past summer was excessive, even by the standards of supermarket periodicals.

"CYBERWAR" blared the cover of the August 21 issue.
"Computer technology is revolutionizing the science of warfare, and the Pentagon is rushing to take full advantage of the new 'infowar' technology," read the blurb for the story in the table of contents. Yes, it was awesome. "Scientists," "CIA experts," "Pentagon officials," "a secret national intelligence report," "Senior Pentagon officials," - lots and lots of anonymous sources, all making claims delivered with the gravity of utterances from the burning bush - explained to TIME how the Pentagon was preparing to crush future foes with computer viruses, "wide-ranging plans," electromagnetic pulses, booby-trapped computer chips, psychologically demoralizing messages beamed from warplanes and bacteria that eat computer chips. The computer chip-eating bacteria were a particular attention grabber because their theoretical existence seemed to indicate that Pentagon officials, and TIME reporters, lacked even the most tenuous grip on the basics of modern science. For this article, the Crypt Newsletter made a few quick phone calls to its own Beltway bandit-type experts but the results were disappointing. No one would talk about "infowar" without laughing inappropriately. Welcome to infowar 1995, "courtesy the same people who brought you the Clipper chip - John Deutch, John McConnell -- they've convinced Clinton these are good things," chuckled Wayne Madsen of Computer Sciences Corporation. McConnell is head of the secretive National Security Agency, Deutch - the CIA. Ironically, Madsen is chairing an "infowar" panel this October at an information security conference partly sponsored by the NSA. Madsen also mused that perhaps it was time the "infowarriors" review Stanley Kubrick's "Dr. Strangelove," specifically the part where George C. Scott, as General Buck Turgidson shouts, "Mr. President, we'll have a mineshaft gap!" paraphrased or sub-titled to "infowar gap!" Dave Banisar at EPIC was pretty sarcastic, too, so Crypt went back to the TIME article to do some more reading. 
There was an interesting sidebar about "America's Persuader in the Sky," a fancy C-130 called the Napoleon Solo, er, the Commando Solo "stuffed with more electronics than a Radio Shack." Its purpose was to broadcast propaganda and annoying practical jokes and messages at once and future enemies like Saddam Hussein. It was deployed to the Gulf War to trick Iraqi soldiers into deserting, said TIME. The aircraft was also used to attack those menacing Haitian infowarrior enemies of Jean-Bertrand Aristide.

But Crypt Newsletter found this intriguing, anyway, so it did more digging. Michael Gordon and General Bernard Trainor's "The General's War: The Inside Story of the Conflict In the Gulf" (1995, Little, Brown) came to the rescue. The newsletter looked up the Commando Solo, only it was called the Volant Solo by Trainor and Gordon. "Even with air superiority, however, the Air Force considered _Volant Solo_ to be a vulnerable aircraft and it never operated within broadcast range of Baghdad."

Worse, even the CIA's attempts at "infowar" in the Gulf were pathetic: "Acting with the support of the CIA, the Saudis ran a network of radio stations, dubbed the Voice of Free Iraq, which urged the Iraqi people to topple Saddam Hussein. But the range of the radio stations limited the broadcast to Iraqi ground troops in [Kuwait] and the Shiite-dominated area of southern Iraq, a group Washington knew little about and was reluctant to support." In the Gulf War, wrote Trainor and Gordon, the Pentagon's "infowar" did not reach its audience.

Further on in the TIME article, a security expert named Steve Kent babbled about Saddam Hussein's opportunity to take out the Internet courtesy of "Dutch hackers," a shopworn story of anonymous source which grows better upon each telling.
Trainor tells a better one, however, in "The General's War": During the Gulf War the Iraqi high command never learned of one of the US's greatest vulnerabilities, its reliance on civilian communications networks carried over satellite. A great deal of the action on the network was carried over a commercial satellite uplink in occupied Kuwait City which, apparently, never came to the attention of Hussein's leadership. This is the same Saddam Hussein, mind you, that TIME magazine and Pentagon "experts" cast as one of the next bogeymen capable of bringing the Republic to its knees through "infowar." Trainor and Gordon also commented that the Army's vaunted reliance on e-mail in the Gulf War was overrated - lacking in flexibility and utility. Equipped with field FM radio sets that were thirty to forty years old, the VII Corps resorted to using electronic mail for messages, using portable microwave antennas and cellular phones hooked to computers. The authors claimed the links were easily broken and no one bothered to confirm by field telephone if e-mail was received. "The main communications channel the Army used to give its attack orders was not as good as a modern office fax" (p. 408). TIME magazine also portrayed CIA officials, unnamed of course, cackling over clever non-specific plans to slip computer viruses and logic bombs into software and hardware. There was no mention of the problem called "blow-back." "Blow-back" is what happens when a weapon you deploy on an enemy eventually smokes your own rear. One of the best models of "blow-back" - one that occurred unexpectedly - is the recent case of the Natas computer virus. An incompetent computer security consultant in Mexico inadvertently infected his software with the virus, which was written in southern California, and accidentally smeared it over clients' computers. 
The virus spread rapidly in Mexico and took little extra time - a couple months - to waft back across the border of the United States on diskettes carried by American businessmen with extensions and trading partners in Mexico.

But lest you think all this "infowar" stuff isn't stupid-sounding enough, the best is saved for last. Another Pentagon denizen, Ken van Wyk of the Defense Information Systems Agency - a proxy of the National Security Agency, is credited with the flakiest non-sequitur of all: "Hackers" - although van Wyk offers no names or examples for TIME - "say our computers are crunchy on the outside but soft and chewy on the inside." Perhaps like the minds of the Pentagon's current crop of "infowarriors" - or subscribers to TIME.

THE TURNABOUT INTRUDER: CARNEGIE MELLON'S MARTY RIMM ALSO A PUBLISHER OF PORN MARKETING PAMPHLET

The outrage on the Internet over the unholy union of TIME magazine's peeper journalism/CYBERPORN cover story with the sensationalist Carnegie-Mellon/Marty Rimm on-line smut _study_ gathered momentum until news of Rimm's own role as an on-line porn booster surfaced. In its July 24 issue, TIME magazine almost, but not quite, recanted for making Rimm a national star and poster boy for the Christian Coalition in late June.

Previously, Computer underground Digest 7.59, an electronic publication edited by Northern Illinois University professor Jim Thomas, revealed Rimm to have self-published a pamphlet entitled "The Pornographer's Handbook: How to Exploit Women, Dupe Men and Make Lots of Money." Computer underground Digest continued that Rimm "went native" during the research for his porn study by trying to become involved with the organization of adult files on the Amateur Action BBS. The system's operator - a Milpitas, CA, man - is currently serving time in an obscenity case in the U.S. and had been characterized as the Marquis de Sade of the on-line world by Rimm's Carnegie-Mellon study.
In Computer underground Digest, Mike Godwin of the Electronic Frontier Foundation and a strong critic of the Rimm report, was reported as having interviewed Robert Thomas, Rimm's "Marquis de Sade," and told: ". . . Martin Rimm was a member of the Amateur Action BBS, that he quarrelled publicly and privately with Robert and Carleen Thomas about how they ran their BBS (among other things, he wanted them to change the way their BBS software kept track of downloads), that his messages to them after they refused to comply with his 'suggestions' grew angry and threatening, that he declared publicly that he would not renew his membership at Amateur Action, and that he _did_ renew his membership in February of this year." In a scathing indictment of Rimm, TIME magazine and the Rimm study, Brock Meeks of the Cyberwire Dispatch also reported that snatches of "The Pornographer's Handbook" were posted into the Usenet. Further, writes Meeks, Rimm had conceded to him that "The excerpts circulating around the Usenet were stolen from my marketing book . . . " Meeks subsequently republished a part of Rimm's pornographic "how-to" manual, from a chapter devoted to the on-line marketing of buggery: "When searching for the best . . . images, you must take especial [sic] care to always portray the woman as smiling . . ." Well, since this is a _family_ magazine, we can't reproduce the rest of it here. [However, Computer underground Digest 7.59 contains the full text.] [Hey, wait a minute! You say you're not worried about your family? Then click here for the -->dirty stuff<--. NOTE: FEATURE NOT AVAILABLE IN RAW TEXT EDITION. -Ed.] Sixty-seven copies of Rimm's "The Pornographer's Handbook" were distributed. Rimm's ex-girlfriend, also the pamphlet's illustrator, blew the whistle on its existence, according to the Carnegie Mellon student. When news of the pamphlet broke, Rimm promptly recharacterized it as a piece of satire. 
In late June, TIME magazine used Marty Rimm and his report as the star attraction in a voyeuristic expose of damnation and decadence on the hot rails to Hell of techno-America in the infamous CYBERPORN issue. "I think there's almost no question that we're seeing an unprecedented availability and demand of material like sadomasochism, bestiality, vaginal and rectal fisting, eroticized urinating . . ." Rimm blurted for TIME's CYBERPORN cover story.

TIME magazine did not uncover Rimm's role as author of a pornographic "how-to" manual for its original cover expose, but did mention it in the July 24 article, "Fire Storm on the Computer Nets," which arrived three weeks later. This was as close to rolling in its own excrement for misinformation crimes against the citizenry as TIME was willing to get.

BLEWED, SCREWED & TATTOO'D, PART II: ENGLISH VIRUS WRITER'S HANDIWORK EVALUATED FOR DAMAGES, INCITEMENT TO ENCOURAGE THE LIKE-MINDED, BY COMPUTER FORENSIC EXPERT

Chris Pile, the 26 year old programmer also known as the Black Baron, remained in limbo in late August on whether or not he would be serving time in a United Kingdom bighouse for convictions on eleven charges related to writing and spreading of what are now commonly known as the SMEG computer viruses. The Devon man awaited sentencing dependent upon the evaluation of damages caused by his viruses and to what degree he had incited others to emulate his actions. Pile's defense team requested more time to gather evidence and prepare expert testimony. This was granted by the English Crown Court.

Jim Bates of Computer Forensics commented to the Crypt Newsletter that Pile could be sentenced with anything from community service to 20,000 English pounds in fines or up to five years "custodial care" - a nicely Orwellian term for "prison" - on ten of the eleven charges accrued under the third main offense, unauthorized modification of computer material, described by the British Computer Misuse Act of 1990.
This offense, under English law, covers erasure of data, modification of it and the placing of computer viruses and logic bombs into general circulation and encompasses most of the events surrounding the Pile/SMEG viruses. However, an eleventh charge concerning the issue of inciting others to commit similar crimes through the distribution of Pile's computer viral encryption software and electronic documentation providing instruction on its proper use in novel viruses, could add further time to be served in addition to any other criminal penalties. Bates was commissioned by English authorities to provide technical analysis of Pile's viruses and other evidence seized by New Scotland Yard from the defendant's home computer prior to the virus writer's trial. In addition, Bates has supplied ongoing collection and evaluation of evidence relating to the spread of the Pile/SMEG viruses and damages attributed to them. (See additional notes.) Bates added that one of the SMEG virus variants recently caused a shutdown of computer networks of one week's duration at a university in the Midlands of the United Kingdom. Pile, said Bates, had attached a SMEG virus to a computer game and uploaded it to a bulletin board system in the United Kingdom. The virus writer had also targeted the Dutch-made Thunderbyte anti-virus software, initially by infecting one of the company's anti-virus programs distributed via the shareware route. After examining software and source code for Pile's computer virus encryption engine, named the SMEG, Bates also maintained Pile had invested a great deal of time in fine-tuning subsequent revisions of it so it specifically generated encrypted computer virus samples opaque to the Thunderbyte anti-virus scanning software. There is little unusual about this feature in 1995. 
During the past two years, virus writers have been drawn to Thunderbyte anti-virus as an anti-virus software "of choice," of sorts, and seemingly invested a great deal of energy programming viral encryption schemes which defy the Dutch company's programs. The progressive development of the Thunderbyte anti-virus and computer viruses encrypted in a complex manner, much like Pile's SMEG viruses, could be said - in other words - to drive each other. Each enhancement of the Thunderbyte anti-virus's sensitivity provokes an enhancement in computer viral encryption schemes which, in turn, spurs further development of Thunderbyte anti-virus. Many other anti-virus programs enjoy a measure of similar attention but Thunderbyte is the program with the best word-of-mouth publicity in the virus underground.

US anti-virus software vendors had been contacted with regards to incidence of Pile's viruses in the United States. Bates added these findings amounted to little since U.K. law stipulates the presence of a police officer during the collection of such evidence and British authorities in the Pile/SMEG case were uninterested in expending more money to send someone to America on an investigation for which the conviction had already been handed down.

Notes:

In late 1989, Jim Bates was among the first to examine software called the AIDS Information Trojan, used as part of a computer blackmail attempt launched by Joseph Popp, an erratic scientist from Cleveland, Ohio. Popp had concocted a wild scheme to extort money from PC users in Europe which involved the programming of a software booby-trap that masqueraded as a database containing information on AIDS and how to assess an individual's risk of contracting the disease. The database, as one might expect, was trivial and contained only the barest information on AIDS.
However, when an unwitting user installed the software, the AIDS Information Trojan created hidden directories and files on the computer while hiding a counter in one of the system's start-up files, the AUTOEXEC.BAT. Once the count reached 90, Popp's creation would encrypt the directory entries, alter the names of files with the intent of making them inaccessible and present the operator with a message to send approximately $200 to a postal drop in Panama City for a cure reversing the effects of the program. The AIDS Information Trojan came with a vaguely menacing warning not to install the software if one didn't intend to pay for it at once. Popp mailed 20,000 sets of the trojan on disk to users in Europe, apparently subscribers to a now defunct magazine called PC Business World. Bates was among the first to analyze Popp's AIDS Information Trojan and supplied technical reports on it to English authorities. The disks were eventually traced back to Popp and New Scotland Yard began a lengthy process of extraditing him to England to stand trial for computer blackmail in connection with the disks, a battle which took almost another two years. Bates was eventually flown to Cleveland to present evidence in court which persuaded American authorities to hand over Popp for extradition to London. Bates also analyzed Popp's original AIDS Information Trojan software, source code and a program which was evidently intended to reverse the effects of the logic bomb, thus regenerating a victim's data. Instead of going smoothly, the Popp trial became a source of controversy and puzzlement. It was claimed Popp was unfit to stand trial because he began wearing a cardboard box over his head, making it impossible to determine whether he was legitimately _non compos mentis_ or merely shamming. As a result, Bates said, Popp was declared a "public disgrace" by the court and ejected from the country. 
In England, this is an unusual classification which, apparently, allows the case to remain open, the purpose being - on this occasion, according to Bates - to discourage by intimidation the authoring of books or a publicity tour of talk shows in the United States by the defendant.

More recently, Bates was asked to supply a copy of his AIDS Information Trojan analysis to Italian authorities who went on to try Popp for the AIDS Information Trojan affair in absentia. He was convicted and sentenced to two years prison in Italy. Popp currently resides in Lake Jackson, Texas.

LETTERS: READER DISMAYED BY UNDERGROUND TECHNOLOGY REVIEW

Dear Crypt:

I just finished reading issue #32. Thanks for one of the best written and most sane publications on the Net. At least someone is willing to tell it like it is: These computer things are too damn complicated for 80% of the population! (It's a pity 40% of the population already have one.)

However, I can't come to the same conclusions as you about the latest Underground Technology Review (UTR) from Mark Ludwig. Now, I have subscribed to Computer Virus Developments Quarterly - UTR's predecessor - since its inception. I have used knowledge derived from it to protect the network I administer - 1150 PCs, ugh - from viruses. For example, I've written a stealth-beating integrity checker which would not have been possible without Mark Ludwig's explanations of virus source code. I greatly admire Ludwig's approach to the issue (freedom of information, etc.), and when I heard that CVDQ was going "monthly" (hmm . . . 3 issues in 7 months . . .), I was interested. Only CVDQ had even begun to address stuff like protected-mode viruses, which are the future with Win95 and OS/2.

However . . . I'll leave the David Stang issue aside, since I don't understand what's going on there. Still, it's the Op/Ed part of the publication and Ludwig is free to put in it whatever he likes.

I was _very_ disappointed by the Windows 95 article.
Both he and your reviewer seem to have missed the point. Windows 95 is multiTASKING (more or less, although it's not brilliant with 16-bit applications), but NOT a multiUSER operating system; so, memory read protection from one task to another is not an issue. Your boss can't be "logged in" to the same machine as you (you in one DOS box, him in another) under Windows 95, unless you are both very small and also very good at multiplexing one keyboard between two people - in which case you can probably read what he's typing, anyway. So this security "issue" is a non-issue. (I agree that if the DOS boxes are insufficiently virtualized that zapping one can take down the machine, that's not brilliant. But then OS/2's "crash protection" can be defeated just as easily on non-MCA, non-EISA machines, as Andrew Schulman has also pointed out. And crashing Windows 95, unless you set out to do it with the DEBUG command which, after all, is functionally equivalent to reaching out for the "Off" switch. In practice this requires that a misbehaving DOS program overwrite just those few bytes in the first 64K which have not been properly instanced - which, if you like - is a good emulation of its DOS behavior. I say all this as a fully paid-up member of the Microsoft Hater's Club, too.) Your reviewer extended this error by suggesting that you can spy on your boss "elsewhere on the network." Now, of course, with all the wonderful remote control packages out there, which most sites have to buy to hold the hands of their incompetent Windows users this is quite possible, but Ludwig's virus doesn't do this. It's a neat bit of programming since he's a great virus writer, but it is not terribly menacing. And if you're the system manager of the machine, a virus is surely _not_ the best way to modify your DOS .EXEs to install the keyboard snooper. A simple one-off addition to KEYB.COM or DOSKEY would do the trick just as well. 
What would have been _truly_ worthwhile would have been a protected-mode virus which could exploit the big holes in Windows 95 itself, like the wide-open nature of the VxD chain. I also wonder what Ludwig's - and, come to that, Crypt's - view is, of the alleged directory listing that the Microsoft Network connect software makes the first time you log in to GatesLand. Now that's "Underground" - and "Technology."

The third article on weapons was pretty nauseating. But then I have a European attitude toward guns which is: The world is better off with as few as possible. An article in a previous Underground Technology Review about making pepper spray was at least entertaining. The latest article was messily written and when it finally got around to discussing shotgun cartridges and their relative effects on assailants, I found myself wondering how large the intersection is between the set of people interested in computer viruses and the set of people interested in shotgun reviews, who don't already subscribe to gun magazines.

Anyhow, there is nothing "Underground," subversive or even "Technological" about most of this stuff, apart perhaps from the "underground" nature of those who like to imagine their penises expanding because they carry what looks like an ice scraper but which _they know_ really turns them into John Rambo as soon as some punk tries to mess with them!

I owe a lot to Mark Ludwig, his little black books, and Computer Virus Developments Quarterly. But Underground Technology Review seems to have more to do with anti-federal government politics than technology and I don't know if I'll be renewing my subscription.

Nick Brown, Strasbourg, France

[The Crypt Newsletter responds: As for the issue of David Stang, the brew-up in Underground Technology Review dates back to events which started around Christmas.
Stang, the CEO of Norman Data, an anti-virus software company located in Fairfax, VA, had mailed Ludwig a holiday greeting card just around the same time American Eagle published "The Virus Creation Labs," my book. A chapter of the book dealt with Stang's employment of the virus-writer Priest. Stang had been quoted in Winn Schwartau's book "Information Warfare" (Thunder's Mouth) saying, "Virus writers belong in jail!" Ouch.

According to Priest, while he was at Norman Data the virus writer spent his time writing a cure for one of his own creations, Natas, which was infecting PC's in Mexico and is now relatively common in North America. Indeed, the release of the news caused such a dust up at Norman Data that Stang and another Norman Data rep, Sylvia Moon, fought with each other while trying to secure a copy of "The Virus Creation Labs." First Ludwig was asked to send a copy directly to David Stang on the Norman company credit card. Then Sylvia Moon called, insisting the copy be sent to her! One can imagine there was a terrible amount of garment rending and spilt blood the day the book arrived in Fairfax.

However, around mid-Summer Stang struck back, attacking Ludwig in a copy of the Arizona Daily Star, a Tucson newspaper. Underground Technology Review's editorial about anti-viral madmen was in response to the Star piece. It's purely a philosophical issue now. Stang's Norman Data was awarded a 1.5 million copy site license by the US Dept. of Defense for use of the Fairfax company's anti-virus software, Norman Armor.

As for the convergence of "gun-loving militia types" and those pursuing the acquisition of computer viruses and related information, the overlap is probably greater than you think. It should be noted that American Eagle, according to Ludwig, had some success advertising in Soldier of Fortune magazine until the publication pulled the plug on the ads recently.
Obviously, if you wanted to know if _some_ survivalists and the para-military types associated with militia groups have an interest in computer virus books and collections of live viruses, the answer is yes. Aristotle, the sysop of the Black Axis BBS and a merchandiser of computer viruses, also commented to the Crypt Newsletter that, in the past, he'd sold a collection to someone associated with a militia group.]

-=The Crypt Newsletter welcomes mail from readers. Published letters may be edited for length and clarity.=-

CRYPT ON COMPUSERVE

Those readers with accounts on Compuserve can now take part in the dedicated Crypt Newsletter message base and attached file library in the National Computer Security Association special interest group. GO NCSAFORUM and look for message base #20, Crypt Newsletter. Current issues are on-line in the attached file library.

CRYPT HYPERBASE

If you're reading this you don't have it. Crypt #33 was also published as a hypertext/xText reader. It adds hyperlinked cross indices and a linked glossary, as well as expanded discussion of topics covered in this edition.

CRYPT NEWSLETTER WORLD WIDE WEB HOME PAGE

You can visit Crypt & The Virus Creation Labs on the World Wide Web, download back issues and sample a chapter from VCL! Set your graphical browser (Mosaic, Netscape, etc.) to:

URL: http://www.soci.niu.edu:80/~crypt

--------------------------------------------------------------

If you quite enjoy the Crypt Newsletter, editor George Smith's book, "The Virus Creation Labs: A Journey Into the Underground," will really flip your wig. In it Smith unravels the intrigue behind virus writers and their scourges, the anti-virus software developers and security consultants on the information highway.

What readers are saying about THE VIRUS CREATION LABS:

"Heavens - I don't think I've had as hysterically funny a read in MONTHS! The politics of the anti-virus field is at least as back-biting and insane as the virus writing field, if not more.
You really probably have no idea exactly how 'corrupt, corroded and tangled' the anti-virus field really was . . . *chuckle* . . . Anyhow, I just thought I'd write to you to express my appreciation, as an ex-member of that 'long chain of cheats, hypocrites and fools' for a hysterically funny look into the 'underground' that produced the code we had so much fun - and really we DID, especially in the early days - reverse engineering and countering."

---an ex-McAfee Associates employee

"There are relatively few books on the 'computer underground' that provide richly descriptive commentary and analysis of personalities and culture that simultaneously grab the reader with entertaining prose. Among the classics are Cliff Stoll's 'The Cuckoo's Egg,' Katie Hafner and John Markoff's 'Cyberpunk,' and Bruce Sterling's 'The Hacker Crackdown.' Add George Smith's 'The Virus Creation Labs' to the list . . . 'Virus Creation Labs' is about viruses as M*A*S*H is about war!"

---Jim Thomas, Computer underground Digest 7.18, March 5, 1995

"THE VIRUS CREATION LABS dives into the hoopla of the Michelangelo media blitz and moves on to become an engaging, articulate, wildly angry diatribe on the world of computer virus writers . . . Expert reporting."

---McClatchy NewsWire

-------------------------order form-------------------------

Yes, I want my wig flipped and wish to receive a copy of George Smith's "The Virus Creation Labs: A Journey Into the Underground" (American Eagle, ISBN 0-929408-09-8).
Price: $12.95/copy plus $2.50 shipping per book (add $7.50 overseas)

NAME: _____________________________________________
ADDRESS: __________________________________________
CITY/STATE/ZIP: __________________________________

Payment method:
___ Master Charge
___ Money Order
___ Check
___ Visa

Credit Card # ___________________________________________
Expiration date _________________________________________
Name: ____________________________

Orders can be taken by voice or fax through regular phone number and/or 1-800 number in USA. COD welcome.

American Eagle:
1-800-719-4957
1-602-367-1621
POB 41404
Tucson, AZ 85717

----------------------------------------------------

George Smith, Ph.D., edits the Crypt Newsletter. Media critic Andy Lopez lives in Columbia, SC.

For this issue, the editors decided to kick ass _and_ chew bubblegum. Later, they found they were all out of bubblegum.

copyright 1995 Crypt Newsletter. All rights reserved.