CyberWire Dispatch // © August 1999 // All Rights Reserved
Reprinted by permission of CWD
CyberWire Dispatch can be found at www.cyberwerks.com/cyberwire
Jacking in from the "Pine-Sol" port:

By Lewis Z. Koch
CWD Special Correspondent

Twenty-year-old John Vranesevich calls his AntiOnline Web site "a valuable
tool in the fight against 'CyberCrime.'" In a call to arms, this
self-anointed junior G-man wannabe promises to uncover, reveal and inform
on hackers and other miscreants.

Out of this misguided cyber-vigilantism arises the "denunciator" virus,
which reaches its full lethality in totalitarian states but also finds a
home in democratic societies, usually in climates of social
resentment, political fanaticism, or, my personal favorite, political
self-righteousness.

The Denunciator virus, known also as the "Accuser" virus, destroys careers,
leaves permanent scars, called "blacklists," gives rise to false alarms,
warnings or contrived "cautionary tales" meant to lull or divert citizens.
The natural host for this virus is believed to be a species of the rodent
called a "snitch," aka squealer, stool pigeon, informer; rat bastard.

Every delusional crusader needs a mission statement; Vranesevich is no
different.  This self-anointed sheriff-of-cyberspace pens this Uber-warning
to hackers:

"I know that some of you are playing what you feel is a game. A game that
you think you are winning. Some of you sit back and laugh at organizations
like the FBI. You make sure that you provide enough information to make it
obvious who you are, yet are careful not to provide enough information to
actually have it proven. I have been watching you these past 5 years. I know
how you do the things you do, why you do the things you do, and I know who
you are."

And if you're keeping score - and you should be - you'll note that Vranesevich
apparently started down this crusader road at the tender age of 15 or just
about the time he figured his Johnson could be used for more than simple
utilitarian bodily functions.

This not-very-subtle paean to cyber-vigilantism could easily be dismissed
save for the fact that Vranesevich has earned a demi-celebrity status from
journalists working for publications from which we have come to expect more
judicious sourcing, including, but not limited to, Matt Richtel of The New
York Times, John Schwartz of The Washington Post and even, sadly, CWD's own
Brock Meeks while cloaked in his alter-ego as Washington correspondent for
MSNBC.

And we wonder why fewer and fewer people trust the media.

Hung With His Own Rope
=====================

In his mission statement Vranesevich unequivocally states, "I've seen myself
talking with people who have broken into hundreds of governmental servers,
stolen sensitive data from military sites, broken into atomic research
centers."

Question is, can we believe him?

There's his rather perplexing story about hackers breaking into an "Israeli"
atomic research center.

At first, as Vranesevich tells it, when hackers told him what they had done,
he "freaked" even thought the boast might be "far fetched."  But these
hackers sent him a "folder full of documents written in a foreign language"
they claimed they had copied from the "B'Hadvah" Atomic Research Center.
[Note: Vranesevich didn't know how to spell the name of the so-called
research center.]

"Were the documents in Hebrew or English?" I asked.

"Bengali."

When he broke the "story" on his AntiOnline web site, all media hell broke
loose.

"Every mainstream media started calling and questioning and calling the
research center," Vranesevich said.  "I had all these nuclear arms
proliferation people calling. Here I am in my parent's living room, and one
day, thirteen calls from anti-nuclear proliferation and pro-nuclear
proliferation (sic) groups wanting to know - is this significant, what is
Israel doing?"

I was still having a problem with the "Bengali" aspect to the documents.

"Ah, John," I asked, "is this an Israeli research center or could it be
Indian? Pakistani?"

Silence.  Then Vranesevich said, "I think it's Indian.  Who was the one that
just did the nuclear testing?"

"That was India and Pakistan, not Israel."

"Oh, then this was India, not Israel."

Oh.

Then there's his story about changing medical records - pretty serious stuff.
Can we take him at his word there?

"[I]'ve seen people change the medical records of individuals in our armed
services," Vranesevich asserts in his "mission" statement.

When asked about these nefarious deeds, Vranesevich works himself up into a
high dudgeon about hackers breaking into sites and changing medical records.

"What would have happened if medical records had been changed and a cancer
patient received the wrong treatment for it?...What if I had looked into who
these [hacker] guys were, a little further? What would have happened if I
would have published the story?  What would have happened if CERT had come
out and said medical records had been changed and a cancer patient received
the wrong treatment because of it!"

I questioned him closely. "You really saw people change the medical records
of individuals in our armed forces?"

"I don't mean that literally," backtracking as fast as his voice could carry
him. "You see the language I was using? I don't mean literally 'I saw them
do it, I saw it happen.'  It's something that transgressed (sic) before.
It's like we saw our country go through three wars.  It doesn't mean I
caused (sic) the three wars.  You see what I'm saying?  Or I've seen crime
happen over and over again in my neighborhood.  Doesn't mean I literally saw
it.  You know what I mean?  I don't know if I'm making myself clear."

Ah, er... right. He gave it one more chance.

"Looking back in retrospect (sic). It was like actions that transgressed
(sic) before. I've sort of watched the events transfold (sic) before my eyes."

Yep, that clears it up; someone get this guy an English tutor...There's more
like that but after a while it gets, well, boring.

Vranesevich also claims a "semi-contractual" relationship with all kinds of
official military and police types, including one with NASA and one with
the Defense Information Systems Agency (DISA).

Can we believe him?

NASA says no. After checking with their databases "they could find no record
of NASA having done business with Mr. Vranesevich or his company
AntiOnline," reports Patricia M. Riep-Dice, NASA Freedom of Information Act
Officer.

According to a DISA spokesman, no such relationship exists.  None.  Nada.

In Other People's Words
=======================

In his grasp for distinction, celebrityhood, acclaim, Vranesevich
overreaches, as he did with his claim of unethical behavior on the part of
computer security expert Marcus Ranum.  Ranum's "crime"?
"Guilt-by-association" with two hacker groups, L0pht Heavy Industries and
cult of the Dead cow (cDc).

L0pht Heavy Industries is among the finest Microsoft error-catchers in the
world; it is a company with employees and it pays taxes. "cult of the Dead
cow" is a group of hackers in the tradition of Yippie founders Abbie "Steal
This Book" Hoffman and Jerry Rubin.

The cDc promises Internet chaos, anarchy and terror; in 1968, in Chicago,
Abbie Hoffman and Jerry Rubin threatened to pour LSD in the water and send
Yippie studs to O'Hare airport to seduce the wives of delegates to the
Democratic National Convention.  If that analogy is lost on you, cut your
losses now, stop reading and return to your "Internet for Dummies" workbook.

L0pht and cDc tend to despise Microsoft, but then so do a lot of people,
including folks in the Justice Department. More than likely there is
cross-over contact between L0pht and cDc since the two have much in common,
in the same way journalists from different newspapers and television tend to
hang out at the same bars, buy each other drinks and complain about
the stupidity and venality of their editors.

cDc had been tinkering around the multiplicity of holes, vulnerabilities
and general screw-ups in the Microsoft Windows operating system.  They
developed a back-dooring program for Win 95, one that allowed a Trojan
Horse to exploit that vulnerability.

In a stroke of genius that would make a Wizard of Madison Avenue green
with envy, they dubbed the program "Back Orifice."

Ranum developed a program to counteract Back Orifice and called it "Back
Officer Friendly."

Vranesevich claims he was "shocked, shocked" to discover that Ranum might
have had conversations with hackers at L0pht, perhaps even some at cDc about
Back Officer Friendly.

Vranesevich's story alleged that Ranum could have even been talking with the
very people at cDc who developed the exploit in the first place. So what do
we have here? Collusion? Duplicity? Ethical lapse?  Double-agentry?

Whom to believe?
================

Bell Labs' William R. Cheswick, co-author with Steven Bellovin of the
exemplary "Firewalls and Internet Security - Repelling the Wily Hacker,"
says of Ranum: "I have worked with Marcus for years. He is a strong force
for Good against Evil. A security person is paid to think bad thoughts, and
Marcus is quite good at it. The key is that he doesn't do the bad stuff, but
uses this approach to make things safer."

Bellovin, himself a world-class computer expert, certainly doesn't
equivocate. Ranum has "been a strong, positive force for Internet security,
both in the sense of building useful tools and in the sense of teaching
other people important principles.  I've also never heard any serious
question about his ethics."

"Marcus has one of the most fluent understandings of Internet security I
have ever seen," says Bruce Schneier, whose books on encryption and on
privacy can trigger a physical and intellectual hernia. "His ability to see
threats and attacks, defenses and countermeasures, makes him one of the most
valuable resources we have in the computer security world," Schneier said.
Marcus' "association with the L0pht recognizes that there is considerable
expertise in the hacking community that can be leveraged in the fight
against computer crime.  Marcus is just smarter than other people, because
he realized it and figured out how to use it.  No kidding; he's that good."

So you do the math: self-appointed cybervigilante John Vranesevich, with his
stolen "Israeli" atomic secrets written in Bengali, changed medical records
that weren't changed, unsubstantiated relationships with NASA and DISA (and
that's just for openers), and, on the other hand, Marcus Ranum and people
like Cheswick, Bellovin, and Schneier.

The best way to deal with the "Denunciator" virus is simply silence; don't feed
the hype.

================================================================

EDITOR'S NOTE:  CyberWire Dispatch, with an Internet circulation estimated
at more than, is now developing plans for a once-a-week e-mail publication.
Every week, one of five well-known investigative reporters will file for
CWD.  If you think your company or organization would be interested in more
information about establishing a sponsorship relationship with CyberWire
Dispatch, please contact Lewis Z. Koch at lzkoch@wwa.com.

===================

To subscribe to CWD, send a message to:

        Majordomo@vorlon.mit.edu

No subject needed.

In the first line of the message put:

        Subscribe CWD

To remove yourself from this list, send a message to:

        Majordomo@vorlon.mit.edu

No subject needed.

In the first line of the message put:

        Unsubscribe CWD