CyberWire Dispatch // © August 1999 // All Rights Reserved
Reprinted by permission of CWD
CyberWire Dispatch can be found at www.cyberwerks.com/cyberwire

Jacking in from the "Pine-Sol" port:

By Lewis Z. Koch
CWD Special Correspondent

Twenty-year-old John Vranesevich calls his AntiOnline Web site "a valuable tool in the fight against 'CyberCrime.'" In a call to arms, this self-anointed junior G-man wannabe promises to uncover, reveal and inform on hackers and other miscreants.

Out of this misguided cyber-vigilantism arises the "denunciator" virus, which reaches its full lethality in totalitarian states but also finds a home in democratic societies, usually in climates of social resentment, political fanaticism, or, my personal favorite, political self-righteousness.

The Denunciator virus, known also as the "Accuser" virus, destroys careers, leaves permanent scars called "blacklists," and gives rise to false alarms, warnings or contrived "cautionary tales" meant to lull or divert citizens. The natural host for this virus is believed to be a species of rodent called a "snitch," aka squealer, stool pigeon, informer, rat bastard.

Every delusional crusader needs a mission statement; Vranesevich is no different. This self-anointed sheriff-of-cyberspace pens this Uber-warning to hackers:

"I know that some of you are playing what you feel is a game. A game that you think you are winning. Some of you sit back and laugh at organizations like the FBI. You make sure that you provide enough information to make it obvious who you are, yet are careful not to provide enough information to actually have it proven. I have been watching you these past 5 years. I know how you do the things you do, why you do the things you do, and I know who you are."

And if you're keeping score - and you should be - you'll note that Vranesevich apparently started down this crusader road at the tender age of 15, or just about the time he figured his Johnson could be used for more than simple utilitarian bodily functions.

This not-very-subtle paean to cyber-vigilantism could easily be dismissed save for the fact that Vranesevich has earned a demi-celebrity status from journalists working for publications from which we have come to expect more judicious sourcing, including, but not limited to, Matt Richtel of The New York Times, John Schwartz of The Washington Post and even, sadly, CWD's own Brock Meeks while cloaked in his alter-ego as Washington correspondent for MSNBC.

And we wonder why fewer and fewer people trust the media.

Hung With His Own Rope
=====================

In his mission statement Vranesevich unequivocally states, "I've seen myself talking with people who have broken into hundreds of governmental servers, stolen sensitive data from military sites, broken into atomic research centers."

Question is, can we believe him?

There's his rather perplexing story about hackers breaking into an "Israeli" atomic research center. At first, as Vranesevich tells it, when hackers told him what they had done, he "freaked," even thought the boast might be "far fetched." But these hackers sent him a "folder full of documents written in a foreign language" they claimed they had copied from the "B'Hadvah" Atomic Research Center. [Note: Vranesevich didn't know how to spell the name of the so-called research center.]

"Were the documents in Hebrew or English?" I asked.

"Bengali."

When he broke the "story" on his AntiOnline web site, all media hell broke loose.

"Every mainstream media started calling and questioning and calling the research center," Vranesevich said. "I had all these nuclear arms proliferation people calling.
Here I am in my parent's living room, and one day, thirteen calls from anti-nuclear proliferation and pro-nuclear proliferation (sic) groups wanting to know - is this significant, what is Israel doing?"

I was still having a problem with the "Bengali" aspect to the documents.

"Ah, John," I asked, "is this an Israeli research center or could it be Indian? Pakistani?"

Silence.

Then Vranesevich said, "I think it's Indian. Who was the one that just did the nuclear testing?"

"That was India and Pakistan, not Israel."

"Oh, then this was India, not Israel."

Oh.

Then there's his story about changing medical records - pretty serious stuff. Can we take him at his word there?

"[I]'ve seen people change the medical records of individuals in our armed services," Vranesevich asserts in his "mission" statement.

When asked about these nefarious deeds, Vranesevich works himself up into a high dudgeon about hackers breaking into sites and changing medical records.

"What would have happened if medical records had been changed and a cancer patient received the wrong treatment for it? ... What if I had looked into who these [hacker] guys were, a little further? What would have happened if I would have published the story? What would have happened if CERT had come out and said medical records had been changed and a cancer patient received the wrong treatment because of it!"

I questioned him closely. "You really saw people change the medical records of individuals in our armed forces?"

"I don't mean that literally," backtracking as fast as his voice could carry him. "You see the language I was using? I don't mean literally 'I saw them do it, I saw it happen.' It's something that transgressed (sic) before. It's like we saw our country go through three wars. It doesn't mean I caused (sic) the three wars. You see what I'm saying? Or I've seen crime happen over and over again in my neighborhood. Doesn't mean I literally saw it. You know what I mean? I don't know if I'm making myself clear."

Ah, er... right.

He gave it one more chance. "Looking back in retrospect (sic). It was like actions that transgressed (sic) before. I've sort of watched the events transfold (sic) before my eyes."

Yep, that clears it up; someone get this guy an English tutor... There's more like that but after a while it gets, well, boring.

Vranesevich also claims a "semi-contractual" relationship with all kinds of official military and police types, including one with NASA and one with the Defense Information Systems Agency (DISA). Can we believe him?

NASA says no. After checking with their databases "they could find no record of NASA having done business with Mr. Vranesevich or his company AntiOnline," reports Patricia M. Riep-Dice, NASA Freedom of Information Act Officer.

According to a DISA spokesman, no such relationship exists. None. Nada.

In Other People's Words
=======================

In his grasp for distinction, celebrityhood, acclaim, Vranesevich overreaches, as he did with his claim of unethical behavior on the part of computer security expert Marcus Ranum. Ranum's "crime"? "Guilt-by-association" with two hacker groups, L0pht Heavy Industries and cult of the Dead cow (cDc).

L0pht Heavy Industries is among the finest Microsoft error-catchers in the world; it is a company with employees and it pays taxes.

"cult of the Dead cow" is a group of hackers in the tradition of Yippie founders Abbie "Steal This Book" Hoffman and Jerry Rubin. The cDc promises Internet chaos, anarchy and terror; in 1968, in Chicago, Abbie Hoffman and Jerry Rubin threatened to pour LSD in the water and send Yippie studs to O'Hare airport to seduce the wives of delegates to the Democratic National Convention. If that analogy is lost on you, cut your losses now, stop reading and return to your "Internet for Dummies" workbook.

L0pht and cDc tend to despise Microsoft, but then so do a lot of people, including folks in the Justice Department.
More than likely there is cross-over contact between L0pht and cDc since the two have much in common, in the same way journalists from different newspapers and television tend to hang out at the same bars, buy each other drinks and complain about the stupidity and venality of their editors.

cDc had been tinkering around with the multiplicity of holes, vulnerabilities and general screw-ups in the Microsoft Windows operating system. They developed a back-dooring program for Win 95, one that allowed a Trojan Horse to exploit that vulnerability. In a stroke of genius that would make a Wizard of Madison Avenue green with envy, they dubbed the program "Back Orifice."

Ranum developed a program to counteract Back Orifice and called it "Back Officer Friendly."

Vranesevich claims he was "shocked, shocked" to discover that Ranum might have had conversations with hackers at L0pht, perhaps even some at cDc, about Back Officer Friendly. Vranesevich's story alleged that Ranum could have even been talking with the very people at cDc who developed the exploit in the first place.

So what do we have here? Collusion? Duplicity? Ethical lapse? Double-agentry?

Whom to believe?
================

Bell Labs' William R. Cheswick, co-author with Steven Bellovin of the exemplary "Firewalls and Internet Security - Repelling the Wily Hacker," says of Ranum: "I have worked with Marcus for years. He is a strong force for Good against Evil. A security person is paid to think bad thoughts, and Marcus is quite good at it. The key is that he doesn't do the bad stuff, but uses this approach to make things safer."

Bellovin, himself a world-class computer expert, certainly doesn't equivocate. Ranum has "been a strong, positive force for Internet security, both in the sense of building useful tools and in the sense of teaching other people important principles. I've also never heard any serious question about his ethics."

"Marcus has one of the most fluent understandings of Internet security I have ever seen," says Bruce Schneier, whose books on encryption and on privacy can trigger a physical and intellectual hernia. "His ability to see threats and attacks, defenses and countermeasures, makes him one of the most valuable resources we have in the computer security world," Schneier said. Marcus' "association with the L0pht recognizes that there is considerable expertise in the hacking community that can be leveraged in the fight against computer crime. Marcus is just smarter than other people, because he realized it and figured out how to use it. No kidding; he's that good."

So you do the math: self-appointed cybervigilante John Vranesevich, with his stolen "Israeli" atomic secrets written in Bengali, changed medical records that weren't changed, unsubstantiated relationships with NASA and DISA (and that's just for openers), and, on the other hand, Marcus Ranum and people like Cheswick, Bellovin, and Schneier.

The best way to deal with the "Denunciator" virus is simply silence; don't feed the hype.

================================================================

EDITOR'S NOTE: CyberWire Dispatch, with an Internet circulation estimated at more than, is now developing plans for a once-a-week e-mail publication. Every week, one of five well-known investigative reporters will file for CWD. If you think your company or organization would be interested in more information about establishing a sponsorship relationship with CyberWire Dispatch, please contact Lewis Z. Koch at lzkoch@wwa.com.

===================

To subscribe to CWD, send a message to:

    Majordomo@vorlon.mit.edu

No subject needed. In the first line of the message put:

    Subscribe CWD

To remove yourself from this list, send a message to:

    Majordomo@vorlon.mit.edu

No subject needed. In the first line of the message put:

    Unsubscribe CWD