Note: CyberWire Dispatch is a mailing list only newsletter. It is
reprinted here with permission. Subscription information is at the end.
CyberWire Dispatch // August 1999 // All Rights Reserved
Jacking in from the "Pine-Sol" port:
By Lewis Z. Koch
CWD Special Correspondent
Twenty-year-old John Vranesevich calls his AntiOnline Web site "a
valuable tool in the fight against 'CyberCrime.'" In a call to arms,
this self-anointed junior G-man wannabe promises to uncover, reveal
and inform on hackers and other miscreants.
Out of this misguided cyber-vigilantism, arises the "denunciator"
virus, which reaches its full lethality in totalitarian states but also
finds a home in democratic societies as well, usually in climates of
social resentment, political fanaticism, or, my personal favorite,
political self-righteousness.
The Denunciator virus, known also as the "Accuser" virus, destroys
careers, leaves permanent scars, called "blacklists," gives rise to
false alarms, warnings or contrived "cautionary tales" meant to lull or
divert citizens. The natural host for this virus is believed to be a
species of the rodent called a "snitch," aka squealer, stool pigeon,
informer; rat bastard.
Every delusional crusader needs a mission statement; Vranesevich is no
different. This self-anointed sheriff-of-cyberspace pens this
Uber-warning to hackers:
"I know that some of you are playing what you feel is a game. A game
that you think you are winning. Some of you sit back and laugh at
organizations like the FBI. You make sure that you provide enough
information to make it obvious who you are, yet are careful not to
provide enough information to actually have it proven. I have been
watching you these past 5 years. I know how you do the things you do,
why you do the things you do, and I know who you are."
And if you're keeping score - and you should be - you'll note that
Vranesevich apparently started down this crusader road at the tender
age of 15 or just about the time he figured his Johnson could be used
for more than simple utilitarian bodily functions.
This not-very subtle paean to cyber-vigilantism could easily be
dismissed save for the fact that Vranesevich has earned a
demi-celebrity status from journalists working for publications from
which we have come to expect more judicious sourcing, including, but
not limited to, Matt Richtel of The New York Times, John Schwartz of
The Washington Post and even, sadly, CWD's own Brock Meeks while
cloaked in his alter-ego as Washington correspondent for MSNBC.
And we wonder why fewer and fewer people trust the media.
Hung With His Own Rope
=====================
In his mission statement Vranesevich unequivocally states, "I've seen
myself talking with people who have broken into hundreds of
governmental servers, stolen sensitive data from military sites, broken
into atomic research centers."
Question is, can we believe him?
There's his rather perplexing story about hackers breaking into an
"Israeli" atomic research center.
At first, as Vranesevich tells it, when hackers told him what they had
done, he "freaked" even thought the boast might be "far fetched." But
these hackers sent him a "folder full of documents written in a foreign
language" they claimed they had copied from the "B'Hadvah" Atomic
Research Center. [Note: Vranesevich didn't know how to spell the name
of the so-called research center].
"Were the documents in Hebrew or English?" I asked.
"Bengali."
When he broke the "story" on his AntiOnline web site, all media hell
broke loose.
"Every mainstream media started calling and questioning and calling the
research center," Vranesevich said. "I had all these nuclear arms
proliferation people calling. Here I am in my parent's living room, and
one day, thirteen calls from anti-nuclear proliferation and pro-nuclear
proliferation (sic) groups wanting to know - is this significant, what
is Israel doing?"
I was still having a problem with the "Bengali" aspect to the
documents.
"Ah, John," I asked, "is this an Israeli research center or could it be
Indian? Pakistani?"
Silence. Then Vranesevich said, "I think it's Indian. Who was the one
that just did the nuclear testing?"
"That was India and Pakistan, not Israel."
"Oh, then this was India, not Israel."
Oh.
Then there's his story about changing medical records - pretty serious
stuff. Can we take him at his word there?
"[I]'ve seen people change the medical records of individuals in our
armed services" Vranesevich asserts in his "mission" statement.
When asked about these nefarious deeds, Vranesevich works himself up
into a high dudgeon about hackers breaking into sites and changing
medical records.
"What would have happened if medical records had been changed and a
cancer patient received the wrong treatment for it?...What if I had
looked into who these [hacker] guys were, a little further? What would
have happened if I would have published the story? What would have
happened if CERT had come out and said medical records had been changed
and a cancer patient received the wrong treatment because of it!"
I questioned him closely. "You really saw people change the medical
records of individuals in our armed forces?"
"I don't mean that literally," backtracking as fast as his voice could
carry him. "You see the language I was using? I don't mean literally 'I
saw them do it, I saw it happen.' It's something that transgressed
(sic) before. It's like we saw our country go through three wars. It
doesn't mean I caused (sic) the three wars. You see what I'm saying?
Or I've seen crime happen over and over again in my neighborhood.
Doesn't mean I literally saw it. You know what I mean? I don't know
if I'm making myself clear." Ah, er.. right. He gave it one more
chance.
"Looking back in retrospect (sic). It was like actions that
transgressed (sic) before. I've sort of watched the events transfold
(sic) before my eyes."
Yep, that clears it up; someone get this guy an English tutor...There's
more like that but after a while it gets, well, boring.
Vranesevich also claims a "semi-contractual" relationship with all
kinds of official military and police types, including one with the
NASA and one with the Defense Information Systems Agency (DISA).
Can we believe him?
NASA says no. After checking with their databases "they could find no
record of NASA having done business with Mr. Vranesevich or his company
AntiOnline," reports Patricia M. Riep-Dice, NASA Freedom of Information
Act Officer.
According to a DISA spokesman, no such relationship exists. None.
Nada.
In Other People's Words
=======================
In his grasp for distinction, celebrityhood, acclaim, Vranesevich
overreaches, as he did with his claim of unethical behavior on the part
of computer security expert Marcus Ranum. Ranum's "crime"?
"Guilt-by-association" with two hacker groups, L0pht Heavy Industries
and cult of the Dead cow (cDc).
L0pht Heavy Industries is among the finest Microsoft error-catchers in
the world; it is a company with employees and it pays taxes. "cult of
the Dead cow" is a group of hackers in the tradition of Yippie founders
Abbie "Steal This Book" Hoffman and Jerry Rubin.
The cDc promises Internet chaos, anarchy and terror; in 1968, in
Chicago, Abbie Hoffman and Jerry Rubin threatened to pour LSD in the
water and send Yippie studs to O'Hare airport to seduce the wives of
delegates to the Democratic National Convention. If that analogy is
lost on you, cut your losses now, stop reading and return to your
"Internet for Dummies" workbook.
L0pht and cDc tend to despise Microsoft, but then so do a lot of
people, including folks in the Justice Department. More than likely
there is cross-over contact between L0pht and cDc since the two have
much in common, in the same way journalists from different newspapers
and television tend to hang out at the same bars, buy each other drinks
and complain about the stupidity and venality of their editors.
cDc had been tinkering around the multiplicity of holes,
vulnerabilities and general screw ups in the Microsoft Windows
operating system. They developed a back-dooring program for Win 95,
one that allowed a Trojan Horse to exploit that vulnerability.
In a stroke of genius that would make a Wizard of Madison Avenue green
with envy, they dubbed the program "Back Orifice."
Ranum developed a program to counteract Back Orifice and called it
"Back Officer Friendly."
Vranesevich claims he was "shocked, shocked" to discover that Ranum
might have had conversations with hackers at L0pht, perhaps even some
at cDc about Back Officer Friendly.
Vranesevich's story alleged that Ranum could have even been talking
with the very people at cDc who developed the exploit in the first
place. So what do we have here? Collusion? Duplicity? Ethical lapse?
Double-agentry?
Whom to believe?
================
Bell Labs' William R. Cheswick, co-author with Steven Bellovin of the
exemplary "Firewalls and Internet Security - Repelling the Wily
Hacker," says of Ranum: "I have worked with Marcus for years. He is a
strong force for Good against Evil. A security person is paid to think
bad thoughts, and Marcus is quite good at it. The key is that he
doesn't do the bad stuff, but uses this approach to make things safer."
Bellovin, himself a world-class computer expert, certainly doesn't
equivocate. Ranum has "been a strong, positive force for Internet
security, both in the sense of building useful tools and in the sense
of teaching other people important principles. I've also never heard
any serious question about his ethics."
"Marcus has one of the most fluent understandings of Internet security
I have ever seen," says Bruce Schneier, whose books on encryption and
on privacy can trigger a physical and intellectual hernia, "his ability
to see threats and attacks, defenses and countermeasures, makes him one
of the most valuable resources we have in computer security world,"
Schneier said. Marcus' "association with the L0pht recognizes that
there is considerable expertise in the hacking community that can be
leveraged in the fight against computer crime. Marcus is just smarter
than other people, because he realized it and figured out how to use it.
No kidding; he's that good."
So you do the math: self-appointed cybervigilante John Vranesevich,
with his stolen "Israeli" atomic secrets written in Bengali, changed
medical records that weren't changed, unsubstantiated relationships
with NASA and DISA (and that's just for openers), and, on the other
hand, Marcus Ranum and people like Cheswick, Bellovin, and Schneier.
The best way to deal with the "Denunciator" virus is simply silence; don't
feed the hype.
========================================
EDITOR'S NOTE: CyberWire Dispatch, with an Internet circulation
estimated at more than [500,000], is now developing plans for a
once-a-week e-mail publication. Every week, one of five well-known
investigative reporters will file for CWD. If you think your company
or organization would be interested in more information about
establishing a sponsorship relationship with CyberWire Dispatch,
please contact Lewis Z. Koch at lzkoch@wwa.com.
===================
To subscribe to CWD, send a message to:
Majordomo@vorlon.mit.edu
No subject needed.
In the first line of the message put:
Subscribe CWD
To remove yourself from this list, send a message to:
Majordomo@vorlon.mit.edu
No subject needed.
In the first line of the message put:
Unsubscribe CWD
----