Computer underground Digest    Tue  Dec 10, 1996   Volume 8 : Issue 87
                          ISSN  1004-042X

      Editor: Jim Thomas ([email protected])
      News Editor: Gordon Meyer ([email protected])
      Archivist: Brendan Kehoe
      Shadow Master: Stanton McCandlish
      Field Agent Extraordinaire:   David Smith
      Shadow-Archivists: Dan Carosone / Paul Southworth
                         Ralph Sims / Jyrki Kuoppala
                         Ian Dickinson
      Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #8.87 (Tue, Dec 10, 1996)

File 1--Is Connection to the Net an Inalienable Right?
File 2--The strange case of Eric Jenott & "Mr. Liu" (continued)
File 3--CDA Appeal on Supreme Court Docket
File 4--OPPOSITION: FRC on Supreme Court News (CDA)
File 5--Mike Godwin replies to CIEC bulletin on CDA
File 6--New House Rules Means More Info
File 7--BoS: Serious BIND resolver problem (fwd)
File 8--Cu Digest Header Info (unchanged since 10 Dec, 1996)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sun, 8 Dec 1996 21:53:43 -0600
From: Richard Thieme <[email protected]>
Subject: File 1--Is Connection to the Net an Inalienable Right?

    In his award-winning science fiction novel, "The Stars My
Destination," Alfred Bester conceived of a world in which
"jaunting," or short-distance teleportation, was the norm. In
order to jaunt, you had to know exactly where you were, so
criminals were kept in a maze-like cave in darkness, denied
access to the sense data that would allow them to visualize their
location. This intentionally cruel and unusual punishment had
nothing to do with the crimes for which prisoners were sentenced.
    Participation in the Internet and other computer networks is
our version of jaunting. That's how twenty-first century
humankind transcends time and space. Denying a criminal access to
computer networks is like breaking his fingers for writing a
hold-up note and forbidding him to use a pen. When the crime has
had nothing to do with computers or networks in the first place,
it's like putting him into a sensory-deprivation tank simply to
punish him.
    Enter Chris Lamprecht, alias "Minor Threat," a sometime hacker
and formerly a programmer, installer, and trouble-shooter for Optical
Document Technology in Austin, Texas. Lamprecht is now serving seventy
months in a Texas prison for money laundering, although the
activities connected to his sentencing included burglary and the
theft and sale of hundreds of thousands of dollars worth of
electronic switching systems and other telephone company
equipment. His crimes had nothing to do with hacking, but if the
criminal justice system has its way, he will not be able to use a
computer connected to a modem or connect to a network when he
gets out.
    The case illustrates not only the great gulf fixed between
those who use the Net and those who don't, but also how the image
of hackers as "evil geniuses" can distort the perception and
judgement of those who play into the image as well as those who
fear and misunderstand it.

    From the government side, it seems Lamprecht's computer
activities were linked to his criminal activities through a
bizarre chain of reasoning. Lamprecht once made calls to change
the outgoing telephone message on someone's answering machine. He
acknowledged that and stopped doing it. The police investigation
determined, however, that Lamprecht was "computer literate" and
he and his cohorts were "known hackers and had the capability to
enter into a computer program and review, extract, and change
information." Lamprecht and his pals, particularly Jason Copson,
had penetrated several private and government computer systems,
although "it is unknown if these illegal entries have resulted in
monetary gain." (Lamprecht says he never made a dime from his
hacking; like most hackers, he explored computer systems for the
pleasure of the quest and to learn).
    One of Lamprecht's errors was speaking openly with Copson
during a telephone call Copson made from prison. Both men knew
the calls were monitored, but discussed nevertheless their desire
to "ruin" an Austin cop, Paul Brick. They discussed obtaining his
social security number. To prevent them from entering computer
systems in search of that social security number, the following
stipulation was made:

    "Upon release from imprisonment ... for a term of three
years, the defendant cannot be employed where he is the
installer, programmer, or trouble shooter for computer equipment;
may not purchase, possess or receive a personal computer which
uses a modem; and may not utilize the Internet or other computer
networks."

    When he heard these conditions, Lamprecht broke down in the
courtroom and cried. They had hit him where it hurt. They
deprived him of the only way he knew how to make a living and
banished him for three additional years to the wasteland of the
caves.
    Did the judge, the Honorable Sam Sparks, really understand
what he was doing? Did he really intend that Lamprecht should not
attend schools that assign email addresses and in some cases
insist email be used to submit papers? Did he really intend that
he never use a public library online catalog?
    Doesn't Sparks know that anyone with a few dollars can buy a
social security number in the data marketplace? Besides, good
hackers are equally adept at "social engineering." If Lamprecht
talks someone out of their social security number, should we cut
out his tongue?
    In short, does the judge have a clue as to how life is lived
these days?
    Lamprecht's former boss, Selwyn Polit of ODT, laughed when
asked about the case. "They're dead scared of him because of the
computer stuff," he said. "They treat him differently because
they think if he just thinks about computers, he can do magical
things."
    Unfortunately, Lamprecht's statements feed these
projections. He plays enthusiastically to the "evil hacker genius" image.
    Lamprecht says his sentence is longer than that of any other
hacker, for example. But if his crime has nothing to do with
that, why identify himself that way? Why feed the distortion?
    Lamprecht often sounds as if he claims sole responsibility
for creating ToneLoc, a widely used program that scans for carriers
and selected dial tones; it's particularly useful for hacking PBX codes.
Simple wardialers existed before ToneLoc, but ToneLoc added some significant
features -- it did random scanning and displayed the scans graphically, for
example. Yet Lamprecht states in his biography in Phrack that he had lost
the source code and Mucho Maass brought the program back from the dead and
made it "user friendly." The need to seem to be what his captors thought he
was has contributed to the unnecessary harshness of his punishment.
    Lamprecht is learning painfully that you can be punished for
how you're perceived as much as what you've done. Some of his
colleagues describe him as an innocent despite his criminal
activity, naive about the real world. His employer as well as his
friends call him loyal, reliable, capable. His employer felt his
need to be more than capable might have led him to exaggerate his
computer skills.
    Polit said "he took pride in his work and wrote clean tight
code, but nothing spectacular. He's sharp, but not
extraordinary."
    Would ODT hire him back? Absolutely. But they may not have
that opportunity.
    Lamprecht feels it's a question of free speech and first
amendment rights, but he "will probably have an uphill battle
because of the wide discretion given judges in creating
conditions of probation," says Tim Muth, partner at Reinhart,
Boerner, Van Deuren, Norris, and Rieselbach, a Milwaukee,
Wisconsin, law firm. Muth built the firm's celebrated web site
and has a passion for the legal issues emerging in the virtual
world. "On the other hand, with the growing importance of
computers and network communications for making a living, a court
might say that a greater justification should be required for
this kind of restriction. Unfortunately for Lamprecht, our courts
have not yet recognized such a principle in the constitution or
elsewhere."
    Lamprecht hopes to find lawyers willing to work pro bono to
establish that principle. And who can blame him? Isolated from
the network, deprived of his livelihood, the prospect of
wandering the maze in the cave is a lonely one. You don't have to
be the anti-hero of Neuromancer to know how it feels to be kept
off the Net. Just as we don't speak a language, but our language
speaks us, once we have been connected, we can never forget that
the Net is our hive mind. We don't dream up the Net, the Net
dreams us.
    Now more than ever, you just can't be a human being alone.

Richard Thieme

------------------------------

Date: Mon, 9 Dec 1996 15:44:21 -0600 (CST)
From: Crypt Newsletter <[email protected]>
Subject: File 2--The strange case of Eric Jenott & "Mr. Liu" (continued)

According to the Fayetteville Observer, Eric Jenott's court martial
on espionage charges at Fort Bragg, NC, was set to roll today, Monday,
Dec. 9, 1996.  If convicted, the potential sentence -- life in prison --
is dire.

The Army, according to the Observer, will try to show Jenott was trying
to "gain favor" with the Chinese government by giving passwords on an
Army system to a Chinese agent, known as "Mr. Liu." According to the
paper, Jenott's family insist that he gave only an unclassified
"Internet code" to Liu.

Jenott's defense team wants "Mr. Liu," also identified as Qihang
Liu, declared an essential witness.  If this is granted by the court
and Liu cannot be produced, the prosecution could collapse. Liu
was a Chinese national who worked for a short time at Oak Ridge National
Laboratory on a computer database and management system.  He is no
longer in America.

According to the Observer, Liu was interrogated by the FBI before
leaving the country.

During this investigation, Liu apparently "told federal agents that
Jenott did not give him a classified computer password. Later, he said
Jenott might have given him the password, then
finally said he probably received [a] password from Jenott."

Further, "Liu told investigators that Jenott gave him at least two other
computer passwords, including one that let him enter [a] University of
Washington computer system."

John Jenott, the Ft. Bragg soldier's father, has provided a partial
transcript of a conversation in which his son says the passwords
weren't secret. The passwords, said Jenott, were published in training
books given by GTE to soldiers for home study.

The Observer's report on the case contains further confusing mumble
about unspecified secret information on an Army system being passed by
Jenott to yet another individual.

The text of it can be found at http://www.foto.com .

George Smith
Crypt Newsletter
http://www.soci.niu.edu/~crypt

------------------------------

Date: Tue, 10 Dec 1996 22:51:01 CST
From: CuD Moderators <[email protected]>
Subject: File 3--CDA Appeal on Supreme Court Docket

Supreme Court to decide on Internet indecency law

By Richard Carelli
Associated Press Writer

WASHINGTON (AP) - Charting its first venture into cyberspace law,
the Supreme Court Friday agreed to decide whether Congress
violated free-speech rights by restricting indecency on the
Internet.

The justices said they will study the Communications Decency Act,
Congress' first crack at regulating the freewheeling global
computer network.

A three-judge federal court in Philadelphia blocked the law from
taking effect earlier this year, ruling that it wrongly would
chill adults' right of access to sexual material that may be
inappropriate for children.

A decision from the nation's highest court is expected by July.

<snip>

------------------------------

Date: Fri, 6 Dec 1996 16:21:07 -0700
From: --Todd Lappin-- <[email protected]>
Subject: File 4--OPPOSITION: FRC on Supreme Court News (CDA)

Source - [email protected]

We're not the only ones who are excited about the pending Supreme Court
case on the constitutionality of the Communications Decency Act.

Turns out, the CDA's proponents are also looking forward to having their
day in court.

The following press release from the Family Research Council gives their
side of the story, complete with Cathy Cleaver's usual rantings about the
dangers of online smut.

Remember... despite what the FRC says, "indecency" is NOT a synonym for
pornography.

Work the Network!

--Todd Lappin-->
Section Editor
WIRED Magazine

---------------------------------


FOR IMMEDIATE RELEASE: Dec. 6, 1996
CONTACT: Kristi S. Hamrick, (202) 393-2100
        For Radio, Kristin Hansen

SUPREME COURT TO REVIEW COMPUTER PORN RULING

WASHINGTON, D.C. -- The Supreme Court announced Friday that it
will review the Reno v. ACLU decision to enjoin the
Communications Decency Act made earlier this year by a
three-judge panel in Philadelphia.

Family Research Council Director of Legal Studies Cathy Cleaver
said that the Department of Justice's appeal of the
Philadelphia ruling is the right thing to do, and that now the
Supreme Court has the opportunity to "reverse the radical
ruling which gave Bob Guccione the right to give his Penthouse
magazine to our children on the Internet."

Cleaver continued, "Laws against selling porn magazines to kids
are not unconstitutional.  Why should we have to tolerate the
same degrading images of women being given to those same kids
on-line?"

Family Research Council presented a "friend of the court" brief
with the Philadelphia judges in ACLU v. Reno defending the
cyberporn provisions of the Communications Decency Act.
Cleaver said the Philadelphia decision contradicts previous
Supreme Court decisions on the distribution of indecent
material through the media.

The Communications Decency Act:

* Prohibits adults from using a computer to send indecent
pornography directly to a known child

* Prohibits adults from knowingly displaying indecent
pornography to children

* Defines "indecent material" as material, which in context,
depicts or describes sexual or excretory activities or organs
in a patently offensive manner

* Imposes fines, prison sentences (up to 2 years), or both on
violators

* Exempts those who merely provide access to a network or
system over which they have no control

* Provides limited defenses for employers and those who make a
reasonable and effective effort to restrict children's access
to pornography

* Expands telephone harassment prohibitions to include
harassment by computer

Arguments will likely be heard in early spring.  Family
Research Council and other pro-family and anti-pornography
groups will be filing briefs in support of the Justice
Department's defense of the law.

FOR MORE INFORMATION OR INTERVIEWS, CALL THE FRC MEDIA OFFICE.

###

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
This transmission was brought to you by....

       THE CDA DISASTER NETWORK

The CDA Disaster Network is a moderated distribution list providing
up-to-the-minute bulletins and background on efforts to overturn the
Communications Decency Act.  To subscribe, send email to
<[email protected]> with "subscribe cda-bulletin" in the message body. To
unsubscribe, send email to <[email protected]> with "unsubscribe
cda-bulletin" in the message body.

WARNING: This is not a test!            WARNING: This is not a drill!

------------------------------

Date: Fri, 6 Dec 1996 23:17:18 -0800 (PST)
From: Declan McCullagh <[email protected]>
Subject: File 5--Mike Godwin replies to CIEC bulletin on CDA

Source - [email protected]
[Forwarded with permission. --Declan]

---------- Forwarded message ----------
Date--Thu, 5 Dec 1996 19:59:54 -0800
From--Mike Godwin <[email protected]>
Subject--Re--CIEC Bulletin No. 16 - SC  Agrees to Hear CDA Appeal


Dear Jonah,

It seems to me that this release obscures rather than clarifies what the
significance of today's announcement was. Despite some fallacious news
reports, the announcement today was not about whether the Supreme Court has
chosen to review the lower court's decision in ACLU v. Reno -- the Court
has *no choice* as to whether it will review that decision, so long as the
government's appeal is not a frivolous one.

According to Article III of the U.S. Constitution, the Supreme Court can be
compelled by Congress to hear certain kinds of appeals, even though
normally Congress lets the Court set its own docket. Pursuant to Article
III, the CDA, like the Voting Rights Act and certain other legislative
measures, grants the government an "appeal as of right" whenever a
provision of the act is found unconstitutional by a lower court . This is
very different from the normal petition-for-certiorari process by which
cases normally come before the Court.

Journalists have been reporting the story today as if there had been some
doubt before now that the Supremes would review the case -- as to this
matter, that question was answered the instant the government filed its
appeal. What is significant about today's news is that the Supreme Court
has expressed 1) an interest in hearing oral arguments as well as 2) an
interest in speaking *directly* to the issues raised by the case (as
distinct from deciding the case summarily).

Yes, I know the CIEC announcement says the Supreme Court has "agreed to
hear" the case -- technically a true statement --  but a press release that
is technically correct yet does not clarify the legal issues does no one
any service. As lawyers and public-interest advocates, we are perpetually
obligated to explain the issues to our clients and constituents, and to
anticipate and resolve confusions before they happen. What we've done here
instead is hand the radical right an opportunity to say or imply that this
news signals the Court's intention to overturn the case,  when in fact what
it signals is the Court's deep interest in the case's issues.

Let's do better than the other side and aim for 100-percent clarity and
understanding every time we tell people about our work.


--Mike




-- At 12:48 PM -0800 12/6/96, Jonah Seiger wrote:
>-----------------------------------------------------------------
>       _______   _       _    ____        _ _      _   _
>      |__   __| (_)     | |  |  _ \      | | |    | | (_)
>         | |_ __ _  __ _| |  | |_) |_   _| | | ___| |_ _ _ __
>         | | '__| |/ _` | |  |  _ <| | | | | |/ _ \ __| | '_ \
>         | | |  | | (_| | |  | |_) | |_| | | |  __/ |_| | | | |
>         |_|_|  |_|\__,_|_|  |____/ \__,_|_|_|\___|\__|_|_| |_|
>
>        Citizens Internet Empowerment Coalition Update No. 16
>                          December 6, 1996
>  -----------------------------------------------------------------
>                     http://www.cdt.org/ciec/
>                        [email protected]
>  -----------------------------------------------------------------
>   CIEC UPDATES are intended for members of the Citizens Internet
>   Empowerment Coalition. CIEC Updates are written and edited by the
>   Center for Democracy and Technology (http://www.cdt.org). This
>   document may be reposted as long as it remains in its entirety.
>  ------------------------------------------------------------------
>
>          ** 55,000 Netizens Vs. U.S. Department of Justice. **
>                 * The Fight To Save Free Speech Online *
>
>  Contents:
>
>  o Supreme Court Agrees to Hear CDA Challenge
>  o What You Can Do - Join the CIEC!
>  o How to Remove Yourself From This List
>  o More Information on CIEC and the Center for Democracy and Technology
>
> ----------------------------------------------------------------------
>
>SUPREME COURT AGREES TO HEAR LANDMARK CASE TO DETERMINE FUTURE OF FREE
>SPEECH IN CYBERSPACE
>
>The United States Supreme Court today agreed to hear the government's
>appeal of a landmark legal challenge to the Communications Decency Act.
>The case, which will determine the future of freedom of speech in
>cyberspace, is expected to be heard in March or April. A special panel
>of federal judges in Philadelphia ruled the CDA unconstitutional in June.
>
>The Citizens Internet Empowerment Coalition (CIEC), which brought a
>successful challenge to the CDA earlier this year, applauded the court's
>decision to hear the case.
>
>"This case will determine the future of free expression in the
>information age, and is the most important first amendment case before
>the court in recent memory," said Jerry Berman, Executive Director of
>the Center for Democracy and Technology (CDT) and one of the organizers
>of the CIEC. "The lower court ruled unequivocally, based on a solid
>factual record, that the CDA was unconstitutional," Berman added, "and
>we believe the Supreme Court will agree with them upon review."
>
>The CIEC is a broad coalition of groups concerned about the future of
>the Internet, including on-line service and Internet service providers,
>libraries, book, magazine, newspaper and music publishers, software
>companies, public interest organizations, and more than 55,000
>individual Internet users.  The lead plaintiff in the case is the
>American Library Association.
>
>The Philadelphia court ruled the CDA unconstitutional in June, agreeing
>with the Citizens Internet Empowerment Coalition's arguments that:
>
>* The Internet is a unique communications medium that deserves free
>  speech protection at least as broad as that enjoyed by print medium.
>
>* Individual users and parents -- not the government -- should decide
>  what material is appropriate for their children, and;
>
>* Simple, inexpensive user empowerment technology is a very effective
>  and constitutional way of limiting the access of minors to
>  inappropriate material on the Internet.
>
>The CIEC challenge, also known as ALA v DOJ, was consolidated with a
>separate lawsuit brought by the American Civil Liberties Union and 20
>other plaintiffs, ACLU v. Reno.  The cases were argued together before
>the three-judge federal panel in Philadelphia last spring, and the legal
>teams continue to work together as co-plaintiffs in the Supreme Court
>phase.
>
>The Communications Decency Act (CDA), passed by Congress in February
>1996, for the first time imposed far reaching broadcast-style content
>regulations on the Internet.
>
>The full text of the Philadelphia ruling and other information on the
>case can be found on the Citizens Internet Empowerment Coalition Web
>Page (http://www.cdt.org/ciec/). Please also visit the CIEC web page for
>the latest news and information about the case.
>
>The 27 plaintiffs in the case include: American Library Association,
>Inc.; America Online, Inc.; American Booksellers Association, Inc.;
>American Booksellers Foundation for Free Expression; American Society
>of Newspaper Editors; Apple Computer, Inc.; Association of American
>Publishers, Inc.; Association of Publishers, Editors and Writers;
>Citizens Internet Empowerment Coalition; Commercial Internet eXchange;
>CompuServe Incorporated; Families Against Internet Censorship; Freedom
>to Read Foundation, Inc.; Health Sciences Libraries Consortium; HotWired
>Ventures LLC; Interactive Digital Software Association; Interactive
>Services Association; Magazine Publishers of America, Inc.; Microsoft
>Corporation; Microsoft Network; National Press Photographers
>Association; NETCOM On-Line Communication Services, Inc.; Newspaper
>Association of America; Opnet, Inc.; Prodigy Services Company; Wired
>Ventures, Ltd.; and, the Society of Professional Journalists Ltd.

------------------------------

Date: Mon, 2 Dec 1996 18:21:33 -0800 (PST)
From: "Brock N. Meeks" <[email protected]>
Subject: File 6--New House Rules Means More Info

Source -  [email protected]

((MODERATORS' NOTE: Brock Meeks, fearless Net-reporter and
founder of CyberWire Dispatch, has moved on and up to MSNBC,
where his articles can be found at:
http://www.msnbc.com - His fans can find him there, and, of
course, on the Well))

House Rules Change Compels More Online Info
by Brock N. Meeks
Chief Washington Correspondent
MSNBC

Washington -- A new House rule for the 105th Congress compels committee
chairmen to make published documents available via the Internet, MSNBC
has learned.

The rule requiring published documents to be put online is ambiguous and
doesn't provide any details as to how the rule will be carried out.
Indeed, the entire text of the rule, which hasn't been made public, is
merely a single sentence: "Each committee shall, to the maximum extent
feasible, make its publications available in electronic form."

The House GOP leadership drafted the new rule as part of a package of
rules changes during a closed door session last week.  The new rules
won't go into effect until voted on by the entire House when the 105th
convenes January 7th.   Before that action takes place, however, the
rules must first be approved by the House Republican Conference
Committee. That move will take place "shortly before the full House
convenes," said a House Rules Committee staffer.

The House Rules staffer confirmed that the intent of the rule is to have
information available via the Internet.  "We all share the goal of
getting as much information out as quick as possible," he said. However,
"there are some logistical problems if we tie this [rule] too tightly."

One such problem is that of publishing committee meeting and hearing
transcripts.  Although committees usually get these transcripts back
within 48 hours, "they are usually filled with errors," the staffer
said.  Such errors can be a quote attributed to the wrong member by the
transcriber, he said.   Transcripts are currently circulated to House
members for the purposes of editing and error correction.  However, that
process often delays, sometimes by weeks during heavy legislative
calendars, how quickly transcripts are put online.

Other committee documents, such as the full text of bills are "much
easier" to put online, the staffer said, "but things such as transcripts
are a much stickier wicket."

There also is some question as to what the word "publication" actually
means. It's not clear, for example, that transcripts are publications,
nor is it clear that so-called "discussion drafts" -- or working
documents -- are publications the staffer said.

The whole rule "turns on this one word, 'publication,'" says Gary
Ruskin, director of the Congressional Accountability Project, a Ralph
Nader congressional watchdog organization.   "Some folks are saying that
the word 'publication' might be restrictive or tautological," Ruskin
said, "I'm still trying to figure it out."

In general, Ruskin said the rule "looks like a good step forward." His
organization pushed hard during the last Congress trying to get Speaker
Newt Gingrich (R-Ga.) to make good on his 1994 promise that all
congressional documents, without exception, would be made available via
the Internet through the Thomas system <http://thomas.loc.gov>. Gingrich
bailed on that promise and Thomas, though it now contains many more
documents from when it was first launched, is still far from being the
comprehensive service Gingrich promised.

Although the phrase "to the maximum extent feasible" appears to give
committee chairmen a lot of latitude as to how quickly documents go
online, Ruskin said he's encouraged by the wording.  He said the
"intent" of that statement puts the presumption on a committee that if a
document is printed, "there should be no technical reason why it can't
go online quickly."  With this rule in place, "there will have to be an
awfully good reason why [committees] fail to put such documents online,"
Ruskin said.

Although there are no penalties attached to such a rule, Ruskin said
"if worse comes to worse" there can be "an ethics complaint filed
against the committee chairman if a reasonable case can be made that
they aren't making documents available in a feasible time frame."

Just how this new rule will affect the future of a bill introduced by
Rep. Rick White (R-Wash.) late in the 104th, which mandated that a broad
range of congressional documents be put online, isn't known.  White's
bill (H.Res. 478) never made it out of committee.  White's office didn't
return our calls for comment.

Traditionally, committee chairmen have used their power to distribute
important committee documents as means of controlling the committee's
agenda.   For example, after a bill has been passed by the full
committee, the chairman, behind closed doors and without the approval of
the full committee, can amend the bill, sometimes altering it
dramatically. This results in a "manager's amendment," a document that,
though published, is not widely distributed beyond the chairman's
political allies and assorted well-heeled lobbyists.

Nowhere was such micro-managing of a bill more apparent than during the
legislative wrangling over the telecommunications reform act last year.
The House version of the telecom reform bill was radically amended by
Commerce Chairman Thomas Bliley (R-Va.) and few people, least of all the
public, were allowed to see those changes before they came to the floor
for a vote.  Under the new proposed rule, Bliley would not have been
able to withhold that document from going online well before the floor
vote was taken.  To do so with the new rule in place would risk
triggering an ethics complaint from a group such as Ruskin's
Congressional Accountability Project.

The new rule, however, doesn't mandate that the Speaker's office put any
information online.  Despite all the bluster from Gingrich about the
benefits of a more informed public, he has yet to make the Speaker's
office accessible via the Internet.

--end--


------------------------------

Date: Wed, 20 Nov 1996 08:16:38 -0500 (EST)
From: Noah <[email protected]>
Subject: File 7--BoS: Serious BIND resolver problem (fwd)

From -Noah

---------- Forwarded message ----------
Date--Mon, 18 Nov 1996 22:53:16 -0700 (MST)
From--Oliver Friedrichs <[email protected]>
[email protected]
Subject--BoS--Serious BIND resolver problem


                       ######    ##   ##    ######
                       ##        ###  ##      ##
                       ######    ## # ##      ##
                           ##    ##  ###      ##
                       ###### .  ##   ## .  ###### .

                           Secure Networks Inc.

                            Security Advisory
                            November 18, 1996

                   Vulnerability in Unchecked DNS Data.

In research for our upcoming network auditing tool, we have uncovered a
serious problem present in implementations of BIND which trust invalid data
sent to them.  This vulnerability specifically applies to hostname to address
resolution and can result in local and remote users obtaining root privileges.

It is recommended that security conscious users upgrade to the latest version
of the BIND resolver immediately.  Information on obtaining the latest
official release is provided at the end of this message.

Technical Details
~~~~~~~~~~~~~~~~~

When a standard hostname lookup is performed on internet connected systems,
the resulting address should be 4 bytes (Forgetting about IPv6 for now).
Assuming that the address will always be 4 bytes, many privileged and
unprivileged programs (including network daemons) trust the address length
field which is returned from gethostbyname() in the hostent structure.  By
trusting the length field returned by DNS to be 4 bytes, it then copies the
address into a 4 byte address variable.  The vulnerability exists due to the
fact that we can specify the size of IP address data within the DNS packet
ourselves.  By specifying a size larger than 4 bytes, an overflow occurs, as
the program attempts to copy the data into the 4 byte structure it has
allocated to store the address.

One example of this vulnerability occurs in rcmd.c, the standard BSD library
routine which is used by rsh and rlogin to remotely connect to systems.  Note
that the code itself is not faulty, however the resolver implementation is.
Example code follows:

  hp = gethostbyname(*ahost);
  if (hp == NULL) {
     herror(*ahost);
     return (-1);
  }
  *ahost = hp->h_name;

  .
  .
  .

  bzero(&sin, sizeof sin);
  sin.sin_len = sizeof(struct sockaddr_in);
  sin.sin_family = hp->h_addrtype;
  sin.sin_port = rport;
  /* h_length comes straight from the DNS reply; sin_addr holds 4 bytes */
  bcopy(hp->h_addr_list[0], &sin.sin_addr, hp->h_length);

In this example, we copy hp->h_length amount of data into the address
variable of a sockaddr_in structure, which is 4 bytes.  The hp->h_length
variable is taken directly from the DNS reply packet.  If we now look at how
rcmd() declares its variables, and after looking through rlogin with a
debugger, we can determine that this is a dangerous situation.

  int rcmd(ahost, rport, locuser, remuser, cmd, fd2p)
       char **ahost;
       u_short rport;
       const char *locuser, *remuser, *cmd;
       int *fd2p;
  {
       struct hostent *hp;
       struct sockaddr_in sin, from;
       fd_set reads;
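
The defensive counterpart to the rcmd() fragment above, as an added example that is not part of the advisory or of BSD's rcmd.c: a checked copy that validates h_addrtype and h_length before touching sin_addr, exercised against two hostent structures constructed inline (a well-formed 4-byte answer for the sample address 10.0.0.1, and a forged-style answer whose h_length claims 16 bytes). The function and variable names, the sample addresses and the filler bytes are all assumptions made for the example; nothing here performs a real lookup or a real overflow, the oversized case is only reported.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* Defensive replacement for the unchecked bcopy() in rcmd(): copy the first
 * resolver address into sin only if the hostent describes exactly one
 * 4-byte AF_INET address. Returns 0 on success, -1 if the reply is unusable.
 * h_length and h_addrtype come from the DNS reply, so they are validated,
 * never trusted. (Example code, not BSD's rcmd.c.) */
int copy_addr_checked(const struct hostent *hp, struct sockaddr_in *sin)
{
    if (hp == NULL || hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return -1;
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(struct in_addr))
        return -1;
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    memcpy(&sin->sin_addr, hp->h_addr_list[0], sizeof(struct in_addr));
    return 0;
}

/* Report whether the original pattern, bcopy(addr, &sin.sin_addr, h_length),
 * would write past the 4-byte sin_addr. Computed, never performed. */
int unchecked_copy_would_overflow(const struct hostent *hp)
{
    return hp->h_length > (int)sizeof(struct in_addr);
}

/* Fill a hostent the way the resolver does. list must have room for two
 * pointers; the address bytes are whatever the caller constructs. */
static void fill_hostent(struct hostent *hp, char **list, int addrtype,
                         int length, char *addr)
{
    list[0] = addr;
    list[1] = NULL;
    memset(hp, 0, sizeof *hp);
    hp->h_name = "random-domain.com";   /* hostname used in the advisory's demo */
    hp->h_addrtype = addrtype;
    hp->h_length = length;
    hp->h_addr_list = list;
}

/* Well-formed reply (constructed sample address 10.0.0.1): the checked copy
 * accepts it. Returns the address in host byte order, or 0 on rejection. */
unsigned long good_reply_address(void)
{
    char addr[4] = { 10, 0, 0, 1 };
    char *list[2];
    struct hostent hp;
    struct sockaddr_in sin;
    fill_hostent(&hp, list, AF_INET, 4, addr);
    if (copy_addr_checked(&hp, &sin) != 0)
        return 0;
    return (unsigned long)ntohl(sin.sin_addr.s_addr);
}

/* Oversized reply: h_length claims 16 bytes, as a forged DNS answer can.
 * Returns 1 if the checked copy rejects it, 0 otherwise. */
int oversized_reply_rejected(void)
{
    char addr[16];
    char *list[2];
    struct hostent hp;
    struct sockaddr_in sin;
    memset(addr, 'A', sizeof addr);     /* constructed filler, not real data */
    fill_hostent(&hp, list, AF_INET, 16, addr);
    return copy_addr_checked(&hp, &sin) == -1;
}

/* Same oversized reply measured against the original pattern: reports the
 * overflow rcmd()'s bcopy() would have committed. */
int oversized_reply_would_overflow(void)
{
    char addr[16];
    char *list[2];
    struct hostent hp;
    memset(addr, 'A', sizeof addr);     /* constructed filler, not real data */
    fill_hostent(&hp, list, AF_INET, 16, addr);
    return unchecked_copy_would_overflow(&hp);
}

int main(void)
{
    printf("good reply -> 0x%08lx\n", good_reply_address());
    printf("oversized reply rejected by checked copy: %d\n",
           oversized_reply_rejected());
    printf("oversized reply would overflow unchecked copy: %d\n",
           oversized_reply_would_overflow());
    return 0;
}
```

The check mirrors what the 4.9.5 resolver fix does at the library level, but placing it at the call site protects a program even when it is linked against an older libc, which is the situation the advisory describes for rsh, rlogin, ping and traceroute.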

On further testing, and implementation of exploitation code, we can verify
that this is indeed possible via the rlogin service. In order to exploit the
problem, we first start a program to send fake DNS replies.

[root@ariel] [Dec 31 1969 11:59:59pm] [~]% ./dnsfake
oakmont.secnet.com(4732)->idoru.secnet.com(53) : lookup: random-domain.com (1:1)
sent packet fake reply: 270 bytes
idoru.secnet.com(53)->oakmont.secnet.com(4732) : reply: random-domain.com (1:1)

We then cause rcmd() within rlogin to do a host lookup and respond with
our false data.

[oliver@oakmont] [Dec 31 1969 11:58:59pm] [~]% whoami
oliver
[oliver@oakmont] [Jan 01 1970 00:00:01am] [~]% rlogin random-domain.com
random-domain.com: Connection refused
# whoami
root
#

Impact
~~~~~~

By checking common BSD sources, we can see that over 20 local programs are
vulnerable to this attack, and possibly 2 remote daemons.  The possibility
of exploiting local programs may seem insignificant, however if one considers
an attacker somewhere on the internet intercepting DNS lookups, and inserting
their own replies, it isn't.  There is a real threat of passive attacks
present here, whereby any user on a network running any of these programs can
be a victim. Take for instance traceroute or ping, both of which fall prey
to this problem.

Aside from stock UN*X programs which ship with most vendor operating systems,
there appear to be problems related to h_length in external software packages.
Due to the flaw, FWTK (Firewall Toolkit), a freely available firewall kit,
appears vulnerable. The generic routine, conn_server(), which is utilized
by the proxy servers, appears to trust the data as well.

Vulnerable Systems
~~~~~~~~~~~~~~~~~~

At this point we would assume that most vendor systems that have incorporated
BIND directly into their operating system are vulnerable.

Solaris is not vulnerable, according to Casper Dik <[email protected]>.

Fix Information
~~~~~~~~~~~~~~~

The maintainers of BIND, and CERT were notified of this problem several
months previous to this posting.

We recommend upgrading to the latest release of BIND which solves this
problem due to the incorporation of IPv6 address support.

The latest official release of BIND is available at:

ftp.vix.com in the directory /pub/bind/release/4.9.5



We wish to acknowledge and thank Theo Deraadt, the maintainer of the OpenBSD
operating system for his help in finding and analyzing this problem.  More
information on OpenBSD can be found at http://www.openbsd.org.

- Oliver Friedrichs <[email protected]>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzJATn0AAAEEAJeGbZyoCw14fCoAMeBRKiZ3L6JMbd9f4BtwdtYTwD42/Uz1
A/4UiRJzRLGhARpt1J06NVQEKXQDbejxGIGzAGTcyqUCKH6yNAncqoep3+PKIQJd
Kd23buvbk7yUgyVlqQHDDsW0zMKdlSO7rYByT6zsW0Rv5JmHJh/bLKAOe7p9AAUR
tCVPbGl2ZXIgRnJpZWRyaWNocyA8b2xpdmVyQHNlY25ldC5jb20+iQCVAwUQMkBO
fR/bLKAOe7p9AQEBOAQAkTXiBzf4a31cYYDFmiLWgXq0amQ2lsamdrQohIMEDXe8
45SoGwBzXHVh+gnXCQF2zLxaucKLG3SXPIg+nJWhFczX2Fo97HqdtFmx0Y5IyMgU
qRgK/j8KyJRdVliM1IkX8rf3Bn+ha3xn0yrWlTZMF9nL7iVPBsmgyMOuXwZ7ZB8=
=xq4f
-----END PGP PUBLIC KEY BLOCK-----

  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     Oliver Friedrichs   -   (403) 262-9211   -   Secure Networks Inc.
        Suite 440, 703-6th Avenue S.W. Calgary, AB, Canada, T2P 0T9

------------------------------

Date: Thu, 21 Mar 1996 22:51:01 CST
From: CuD Moderators <[email protected]>
Subject: File 8--Cu Digest Header Info (unchanged since 10 Dec, 1996)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:: line:

    SUBSCRIBE CU-DIGEST
Send the message to:   [email protected]

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  [email protected]
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
and on Rune Stone BBS (IIRGWHQ) (860)-585-9638.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE:  In BELGIUM: Virtual Access BBS:  +32-69-844-019 (ringdown)
        In ITALY: ZERO! BBS: +39-11-6507540
        In LUXEMBOURG: ComNet BBS:  +352-466893

 UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD
                 ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                 aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                 world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                 wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
 EUROPE:         nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
                 ftp.warwick.ac.uk in pub/cud/ (United Kingdom)


The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
 URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
           the views of the moderators. Digest contributors assume all
           responsibility for ensuring that articles submitted do not
           violate copyright protections.

------------------------------

End of Computer Underground Digest #8.87
************************************