From: James M. Atkinson, Comm-Eng
Date: Wed Jan 31, 2001 6:18pm
Subject: McDonald's Fast Food Job Application

McDonald's Fast Food Job Application:

This is an actual job application someone submitted at a McDonald's fast-food establishment.

NAME: Greg
DESIRED POSITION: Reclining. HA But seriously, whatever's available. If I was in a position to be picky, I wouldn't be applying here in the first place.
DESIRED SALARY: $185,000 a year plus stock options and a Michael Ovitz style severance package. If that's not possible make an offer and we can haggle.
EDUCATION: Yes.
LAST POSITION HELD: Target for middle management hostility.
SALARY: Less than I'm worth.
MOST NOTABLE ACHIEVEMENT: My incredible collection of stolen pens and post-it notes.
REASON FOR LEAVING: It sucked.
HOURS AVAILABLE TO WORK: Any.
PREFERRED HOURS: 1:30-3:30 p.m., Monday, Tuesday, and Thursday.
DO YOU HAVE ANY SPECIAL SKILLS?: Yes, but they're better suited to a more intimate environment.
MAY WE CONTACT YOUR CURRENT EMPLOYER?: If I had one, would I be here?
DO YOU HAVE ANY PHYSICAL CONDITIONS THAT WOULD PROHIBIT YOU FROM LIFTING UP TO 50 LBS?: Of what?
DO YOU HAVE A CAR?: I think the more appropriate question here would be "Do you have a car that runs?"
HAVE YOU RECEIVED ANY SPECIAL AWARDS OR RECOGNITION?: I may already be a winner of the Publishers Clearinghouse Sweepstakes.
DO YOU SMOKE?: Only when set on fire.
WHAT WOULD YOU LIKE TO BE DOING IN FIVE YEARS?: Living in the Bahamas with a fabulously wealthy super model who thinks I'm the greatest thing since sliced bread. Actually, I'd like to be doing that now.
DO YOU CERTIFY THAT THE ABOVE IS TRUE AND COMPLETE TO THE BEST OF YOUR KNOWLEDGE?: No, but I dare you to prove otherwise.
SIGN HERE: Scorpio with Libra rising.

--
=======================================================================
Sed quis custodiet ipsos Custodes?
"In a time of universal deceit, telling the truth is a revolutionary act"
- George Orwell
=======================================================================
James M. Atkinson                Phone: (978) 546-3803
Granite Island Group             Fax: (978) 546-9467
127 Eastern Avenue #291          http://www.tscm.com/
Gloucester, MA 01931-8008        jmatk@t...
=======================================================================
The First, The Largest, The Most Popular, and The Most Complete TSCM,
Technical Security, and Counterintelligence Site on the Internet.
=======================================================================

2433 From:
Date: Wed Jan 31, 2001 3:14pm
Subject: This is not why I get the big bucks....

In a message dated 1/31/01 5:57:58 AM Pacific Standard Time, agrudko@i... writes:

<< Jeepers, this switch to yahoogroops has caused some headaches - anyway.... >>

http://au.egroups.com/mygroups

It's the same good old systems of eGroups. And it works great for us Yanks. You won't be disappointed. You'll have the same id and password. Also, you can try these.

Australia http://au.egroups.com/mygroups
Canada http://www.egroups.ca/
UK http://www.egroups.co.uk/
China http://cn.egroups.com/
HK http://www.egroups.com.hk/
India http://in.egroups.com/
Japan: http://www.egroups.co.jp/
Korea http://kr.egroups.com/
Taiwan http://tw.egroups.com/
France http://www.egroups.fr/
Germany http://www.egroups.de/
Italy http://it.egroups.com/

2434 From: Steve Uhrig
Date: Thu Feb 1, 2001 8:22am
Subject: Surveillance at Super Bowl

http://www.viisage.com/january_29_2001.htm

Steve

*******************************************************************
Steve Uhrig, SWS Security, Maryland (USA)
Mfrs of electronic surveillance equip
mailto:Steve@s...
website http://www.swssec.com
tel +1+410-879-4035, fax +1+410-836-1190
"In God we trust, all others we monitor"
*******************************************************************

2435 From: A Grudko
Date: Thu Feb 1, 2001 10:06am
Subject: Re: This is not why I get the big bucks....

----- Original Message -----
From:
> agrudko@i... writes:
> Jeepers, this switch to yahoogroops has caused some headaches -
>
> http://au.egroups.com/mygroups
> It's the same good old systems of eGroups.
> And it works great for us Yanks. You won't be disappointed. You'll have the same id and password.

Howdy Mac....

Why do they call you Yanks anyway? Maybe we should not go there....:-)

Well, so far I've had 2 members of our South African PI list which I moderate accuse me of censorship 'cos their messages kept bouncing, another getting all messages twice, and I've been refused access to another list which I moderate!!!

My feelings about Yahoo: as NYPD Sgt John McLean would say, 'Yippie kiay........'

Andy Grudko
Johannesburg

2436 From: James M. Atkinson, Comm-Eng
Date: Thu Feb 1, 2001 4:40pm
Subject: Blonde Handyman

A blonde, wanting to earn some money, decided to hire herself out as a handyman-type person and started canvassing a well-to-do neighborhood. She went to the front door of the first house and asked the owner if he had any jobs for her to do.

"Well, you can paint my porch. How much will you charge?"

The blonde said "How about 50 dollars?" The man agreed and told her that the paint and other materials that she might need were in the garage.

The man's wife, inside the house, heard the conversation and said to her husband, "Does she realize that the porch goes all the way around the house?"

The man replied, "She should, she was standing on it."

A short time later the blonde came to the door to collect money. "You're finished already?" he asked.

"Yes," the blonde answered, "and I had paint left over, so I gave it two coats."

Impressed, the man reached in his pocket for the $50.

"And by the way," the blonde added, "it's not a Porch, it's a Lexus."

-jma

2437 From: James M. Atkinson, Comm-Eng
Date: Thu Feb 1, 2001 8:13pm
Subject: Hot Cup of Coffee

The young clerk's responsibilities included bringing the judge a hot cup of coffee at the start of every day. Each morning the judge was enraged that the coffee cup arrived two-thirds full. The clerk explained that he had to rush to get the coffee delivered while it was still hot, which caused him to spill much of it along the way.

None of the judge's yelling and insults produced a full cup of coffee, until he finally threatened to cut the clerk's pay by one-third if he continued to produce one-third less than the judge wanted.

The next morning he was greeted with a cup of coffee that was full to the brim, and the next morning and the morning after that. The judge couldn't resist gloating over his success and smugly complimented the clerk on his new technique.

"Oh, there's not much to it," admitted the clerk happily, "I take some coffee in my mouth right outside the coffee room, and spit it back in when I get outside your office."

2438 From: Thomas H. Jones
Date: Fri Feb 2, 2001 3:11pm
Subject: RE: 2.4 GHz VBA

>The VBA is roughly 8 inches long, 3 inches wide, and three quarters
>inch thick (not including the sturdy fold-up antenna that is
>provided).
>
>The only thing I don't like about it is that I feel the bandwidth
>should be wider, and cover 2.00 to 2.700 GHz (700 MHz bandwidth), the
>ripple is a little too high on the lower skirt. (cough-cough) I hope
>Tom and Bruce see this, perhaps they could come out with a Wide band
>version (cough-cough)

To Jim and All,

Thank you for the comments on the VBA. We have planned for some time to come out with a new wider band version of the VBA at the same price. It will go into production in the next few weeks. We had planned to replace the VBA with this model, but if the interest remains for the narrow-band version, we will certainly keep it. The new product will be called the LAA-1530 (Log-Periodic Active Antenna), and the frequency range will be from 1.5 to 3GHz. This will be identical to the current VBA with roughly the same total system gain. However, the noise floor of the unit will certainly be increased because of the wider frequency range. The size and packaging will change slightly due to variation in the antenna, but the total length will be about the same.
Jim has pointed out to me that PCS phone systems at 1.8GHz may have a tendency to de-sensitize (overload) the pre-amp. It is a fair comment, but the design is basically finished and we will not modify it unless this proves to be a real problem. We will have to let you guys in field try it to see if this is a real problem. I would not expect it to be a problem unless you are pointing at a transmitter within 30 or 40 ft, so you must know your environment. Also, if you do overload the pre-amp, you will certainly know it, and this is the purpose of the device to detect transmitters.

Regards,
REI

2439 From: James M. Atkinson, Comm-Eng
Date: Fri Feb 2, 2001 3:46pm
Subject: RE: 2.4 GHz VBA

At 3:11 PM -0600 2/2/01, Thomas H. Jones wrote:
>>The VBA is roughly 8 inches long, 3 inches wide, and three quarters
>>inch thick (not including the sturdy fold-up antenna that is
>>provided).
>>
>>The only thing I don't like about it is that I feel the bandwidth
>>should be wider, and cover 2.00 to 2.700 GHz (700 MHz bandwidth), the
>>ripple is a little too high on the lower skirt. (cough-cough) I hope
>>Tom and Bruce see this, perhaps they could come out with a Wide band
>>version (cough-cough)
>
>To Jim and All,
>Thank you for the comments on the VBA. We have planned for some time to
>come out with a new wider band version of the VBA at the same price. It
>will go into production in the next few weeks. We had planned to replace
>the VBA with this model, but if the interest remains for the narrow-band
>version, we will certainly keep it. The new product will be called the
>LAA-1530 (Log-Periodic Active Antenna), and the frequency range will be
>from 1.5 to 3GHz. This will be identical to the current VBA with roughly
>the same total system gain. However, the noise floor of the unit will
>certainly be increased because of the wider frequency range. The size and
>packaging will change slightly due to variation in the antenna, but the
>total length will be about the same. Jim has pointed out to me that PCS
>phone systems at 1.8GHz may have a tendency to de-sensitize (overload) the
>pre-amp. It is a fair comment, but the design is basically finished and we
>will not modify it unless this proves to be a real problem. We will have to
>let you guys in field try it to see if this is a real problem. I would not
>expect it to be a problem unless you are pointing at a transmitter within
>30 or 40 ft, so you must know your environment. Also, if you do overload
>the pre-amp, you will certainly know it, and this is the purpose of the
>device to detect transmitters.
>Regards,
>REI

Tom, Bruce (and the rest of the list),

I would applaud adding a new active antenna to the product line but would strongly suggest that you keep the VBA specific for 2.4 coverage, and would even go so far as to encourage you to punch up the gain a bit more.

A wider band version is good, but you're right about the noise issues related to increasing bandwidth. I personally would prefer a higher gain active antenna as opposed to a wider bandwidth unit (or perhaps one with a logarithmic amplifier).

Also, I would like to see (and would pay good money for) a 902-928 MHz version of the VBA (perhaps an 806 to 1700 MHz version with a switchable band reject filter for the cellular and Inmarsat bands).

Good job Tom, I look forward to obtaining one of the new LAA-1530 units.

-jma

2440 From: Charles P
Date: Fri Feb 2, 2001 5:00pm
Subject: Want to bug someone? -humor

For a cute interlude, try:

http://www.send4fun.com/buggedp.htm

charles

charles@t...
www.telephonesecurity.com

2441 From: James M. Atkinson, Comm-Eng
Date: Fri Feb 2, 2001 8:41pm
Subject: Video Camera on Microwave Oven Frequency

Just came across a Chinese made covert video transmitter and integral camera locked right on the 2.450 GHz microwave oven frequency with no means to change frequency.

Typical FM modulated video (16-8 MHz wide) with two audio channels, and judging by the current draw (and a spectrum analyzer measurement) I estimate power output to be at least 135 mW.

Typical consumer grade trash, and worthless if someone fires up a microwave oven nearby.

-jma

2442 From:
Date: Fri Feb 2, 2001 10:58pm
Subject: The Art of War: Contents

HAVE A GREAT DAY !!!
----------
http://www.zedz.net/suntzu/index.html

2443 From: Andre Holmes <1ach@g...>
Date: Sat Feb 3, 2001 9:48am
Subject: FCC delays TV-band spectrum sale

Computerworld News & Features Story

FCC delays TV-band spectrum sale
By BOB BREWIN (February 01, 2001)

The Federal Communications Commission decided to give cellular telephone companies already tapped out by last week's $17 billion spectrum auction a breather before starting the next multibillion-dollar airwaves sale.

Yesterday, the FCC decided to push back an auction for spectrum currently occupied by television channels 60 to 69 from March 6 to Sept. 12.

The FCC delayed the new sale after considering a request from nationwide carrier Verizon Wireless. The short time between the 1,900-MHz auction, which ended Friday (see story), and the March start date of the 700-MHz spectrum currently occupied by the TV broadcasters "would not allow companies enough time to accurately assess the interest in acquiring additional spectrum," said John Scott, vice president and general deputy counsel at Verizon, in a Jan. 18 letter to the FCC.
Scott said a delay would be prudent because the FCC hadn't yet come up with a plan to quickly move broadcasters off that band and onto new digital-TV channels. Under FCC rules, the broadcasters can continue to occupy that band until 2006, even though carriers have paid billions of dollars this year for the right to use it.

The FCC also received several comments from other major carriers in support of Verizon.

Craig Mathias, an analyst at Far Point Group in Ashland, Mass., agreed that carriers "need some breathing room before the next auction." In his view, the carriers need time to figure out how much they want to spend for additional spectrum, since last week's auction "sucked a lot of money out of the digital economy." The customer, Mathias added, will ultimately pay the bill for the additional spectrum because carriers will pass their airwaves costs along to end users.

But the Rural Telecommunications Group, which represents rural telephone companies, sharply disagreed about the need for a postponement.

Caressa Bennet, an attorney at Bennet and Bennet in Washington, which represents the rural carriers, said in a letter to the FCC last week that Verizon's request for a delay was "merely for Verizon's business convenience. The commission should reject this invitation to fashion its auction process to meet Verizon's needs. Verizon's call for delay reflects the narrowest of self-interest masked as a general concern."

Verizon, Bennet said in her letter, is engaged in a delaying game designed to "serve the interests of large carriers." She added that the FCC has already postponed the 700 MHz auction a number of times.

Several companies also supported the rural group in its comments sent to the FCC.
Copyright © 2001 Computerworld, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld, Inc. is prohibited. Computerworld and @Computerworld and the respective logos are trademarks of International Data Group, Inc.

2444 From: Andre Holmes <1ach@g...>
Date: Sat Feb 3, 2001 9:58am
Subject: EQUIPMENT SOURCE

http://www.jensentools.com

2445 From: Andre Holmes <1ach@g...>
Date: Sat Feb 3, 2001 11:36am
Subject: CUMPUTER NEWS

http://www.cwrld.com/nl/sub.asp

2446 From: Steve Uhrig
Date: Sat Feb 3, 2001 9:23pm
Subject: Unblocked receivers still available

I still have a few of these if anyone still wants one.

-------------------

I have come across a small supply of government trade in ICOM R8500 receivers, and am offering them for sale here first before posting them on my used equipment page. These generally sell very quickly once they are posted.

Many are familiar with the R8500. This is ICOM's newest wideband HF/VHF/UHF receiver, quite common with sweepers. The problem is getting them with 800 megacycle coverage. All the ones sold commercially are cellular blocked, with no provision for TSCM practitioners to obtain unblocked ones legally. We do not want receivers with holes in the coverage.
Here are some that don't have the holes. Recently to some members of this group I demonstrated a high end surveillance transmitter which operates on these blocked frequencies where the receivers have holes.

These are full coverage receivers originally purchased by the government, generally used for one weekend surveillance, then traded in.

Basic specs are 100kc to 2 gigs, AM, Wide FM, Narrow FM, CW, SSB. This is a triple conversion tabletop receiver powered by 12VDC or 110VAC with included power supply. Can be used portable or mobile or fixed station.

Go here for full specs and a photo:

http://www.icomamerica.com/receivers/tabletop/icr8500.html

This receiver is the best one ICOM has released to date, significantly better than the R9000, and a later model in the series of R7000/R7100.

Remember this is a full coverage receiver, and covers from 100kc (0.1 megacycles) to 2 gigs (2000 megacycles). You do not need an additional receiver to cover the HF portion of the spectrum. When not sweeping, you will use this as a lab receiver on your test bench.

The receiver has an IF output and a discriminator output already available at jacks on the rear panel.

There is an RS232 input port as part of this receiver, so you do not need the expensive external level converter to computer control it. There are a number of third party software packages available to remotely operate the receiver. Rather than one of the computer-controlled black box receivers, the R8500 can be computer controlled as well as it has a full featured front panel for standalone use. There may be times when you do not want to drag a laptop around just to run your receiver.

One of the standard internal features will scan and store any signals found in a special memory bank for later review.

ICOM just raised the price on these substantially, and that higher price will soon be reflected on dealers' pricing. Even then, you can't buy them full coverage without a government sponsor willing to give you a blessing.
Importing one from England or Canada will cost you more than my price and you have the very real risk of Customs seizing the thing at the border.

I only have a few of these, so don't wait if you need a portable, decent full coverage receiver.

Price is $2000 shipped in the U.S. (we pay the shipping and insurance fees totalling $58). This is less than current retail for a blocked receiver.

Anyone buying an R8500 receiver is eligible to purchase a wideband discone antenna for $75, which is a $50 discount off the normal price of $125. This antenna is ideal for this receiver, and is a good antenna for sweeping. Mount it on a tripod or microphone stand and move the antenna around the area you are sweeping. Antenna can be used for transmit also, from 25-2000 megs. The antenna is shipped separately in a sturdy tube which can be reused for a carrying case.

I take credit cards for payment. And I will consider trades for other pieces of high end TSCM equipment. Swap something you don't need for something you do.

Also have a few full coverage R100s if anyone needs one of them. Inquire.

More equipment like this is on our used equipment page:

http://www.swssec.com/used.html

Steve

*******************************************************************
Steve Uhrig, SWS Security, Maryland (USA)
Mfrs of electronic surveillance equip
mailto:Steve@s... website http://www.swssec.com
tel +1+410-879-4035, fax +1+410-836-1190
"In God we trust, all others we monitor"
*******************************************************************

2447 From: mike f
Date: Mon Feb 5, 2001 10:14am
Subject: <<<<>>>> A Few of You Know how much I am Interested Forensics

As I Mentioned some of U Know how much I like Forensics,.......

Nicholas Short & Company has done a good job. AFTER REVIEWING and checking out 23+ Forensic Web sites that Mr. Short & company have Organised, by category, & or crime, I have to be honest.
They Have not Done a Good Job.......Nope They Have Done An XXX-Cell-Ant Job

WAY MORE THAN 23+ FORENSIC SITES!

As an Example Check out this page here that is Crime Scene Forensics
http://www.insurancefraud.com/nparsed/for_scene.htm

MAIN PAGE
http://www.insurancefraud.com/nparsed/forensic_index.htm
http://www.insurancefraud.com/nparsed/for_drugs.htm
http://www.insurancefraud.com/nparsed/for_database.htm <====good sites here!!!

Michael T. Fiorentino
Syracuse,NY 13206

"CONFIDENTIALITY WARNING"
This electronic message contains information which may be privileged and/or confidential. The information is intended for use only by the individual(s) or entity named/indicated above. If you are not the identified/intended recipient, be aware that any disclosure, copying, distribution, or use of the contents of this message/information is prohibited. If you are not the indicated recipient or have received this message in error contact our offices immediately for instructions."

2448 From: Dragos Ruiu
Date: Mon Feb 5, 2001 3:33pm
Subject: Fwd: kyxspam: 802.11b wep attacks

---------- Forwarded Message ----------
Subject: kyxspam: 802.11b wep attacks
Date: Mon, 5 Feb 2001 09:56:57 -0800
From: Dragos Ruiu

url: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

Security of the WEP algorithm

This is some information about our analysis of the Wired Equivalent Privacy (WEP) algorithm, which is part of the 802.11 standard. This work was performed jointly by Nikita Borisov, Ian Goldberg, and David Wagner. If you have any questions, please contact us at wep@i....

Executive Summary

We have discovered a number of flaws in the WEP algorithm, which seriously undermine the security claims of the system. In particular, we found the following types of attacks:

Passive attacks to decrypt traffic based on statistical analysis.
Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext.
Active attacks to decrypt traffic, based on tricking the access point.
Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.

Our analysis suggests that all of these attacks are practical to mount using only inexpensive off-the-shelf equipment. We recommend that anyone using an 802.11 wireless network not rely on WEP for security, and employ other security measures to protect their wireless network.

WEP setup

The 802.11 standard describes the communication that occurs in wireless local area networks (LANs). The Wired Equivalent Privacy (WEP) algorithm is used to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network; this function is not an explicit goal in the 802.11 standard, but it is frequently considered to be a feature of WEP.

WEP relies on a secret key that is shared between a mobile station (eg. a laptop with a wireless ethernet card) and an access point (ie. a base station). The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit. The standard does not discuss how the shared key is established. In practice, most installations use a single key that is shared between all mobile stations and access points. More sophisticated key management techniques can be used to help defend from the attacks we describe; however, no commercial system we are aware of has mechanisms to support such techniques.

The following two sections describe the problems in the algorithm and the technical details of our attacks; they assume some background understanding of cryptographic protocols. You may wish to skip to the following section, which discusses the practicality of the attacks.

Problems

WEP uses the RC4 encryption algorithm, which is known as a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudo-random key stream.
The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key, and uses it to generate identical key stream. XORing the key stream with the ciphertext yields the original plaintext.

This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known. Once one of the plaintexts becomes known, it is trivial to recover all of the others.

WEP has defences against both of these attacks. To ensure that a packet has not been modified in transit, it uses an Integrity Check (IC) field in the packet. To avoid encrypting two ciphertexts with the same key stream, an Initialization Vector (IV) is used to augment the shared secret key and produce a different RC4 key for each packet. The IV is also included in the packet. However, both of these measures are implemented incorrectly, resulting in poor security.

The integrity check field is implemented as a CRC-32 checksum, which is part of the encrypted payload of the packet. However, CRC-32 is linear, which means that it is possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken. In other words, flipping bit n in the message results in a deterministic set of bits in the CRC that must be flipped to produce a correct checksum on the modified message. Because flipping bits carries through after an RC4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.
The initialization vector in WEP is a 24-bit field, which is sent in the cleartext part of a message. Such a small space of initialization vectors guarantees the reuse of the same key stream. A busy access point, which constantly sends 1500 byte packets at 11Mbps, will exhaust the space of IVs after 1500*8/(11*10^6)*2^24 = ~18000 seconds, or 5 hours. (The amount of time may be even smaller, since many packets are smaller than 1500 bytes.) This allows an attacker to collect two ciphertexts that are encrypted with the same key stream and perform statistical attacks to recover the plaintext. Worse, when the same key is used by all mobile stations, there are even more chances of IV collision. For example, a common wireless card from Lucent resets the IV to 0 each time a card is initialized, and increments the IV by 1 with each packet. This means that two cards inserted at roughly the same time will provide an abundance of IV collisions for an attacker. (Worse still, the 802.11 standard specifies that changing the IV with each packet is optional!)

Attacks

Passive Attack to Decrypt Traffic

The first attack follows directly from the above observation. A passive eavesdropper can intercept all wireless traffic, until an IV collision occurs. By XORing two packets that use the same IV, the attacker obtains the XOR of the two plaintext messages. The resulting XOR can be used to infer data about the contents of the two messages. IP traffic is often very predictable and includes a lot of redundancy. This redundancy can be used to eliminate many possibilities for the contents of messages. Further educated guesses about the contents of one or both of the messages can be used to statistically reduce the space of possible messages, and in some cases it is possible to determine the exact contents.

When such statistical analysis is inconclusive based on only two messages, the attacker can look for more collisions of the same IV.
With only a small factor in the amount of time necessary, it is possible to recover a modest number of messages encrypted with the same key stream, and the success rate of statistical analysis grows quickly. Once it is possible to recover the entire plaintext for one of the messages, the plaintext for all other messages with the same IV follows directly, since all the pairwise XORs are known.

An extension to this attack uses a host somewhere on the Internet to send traffic from the outside to a host on the wireless network installation. The contents of such traffic will be known to the attacker, yielding known plaintext. When the attacker intercepts the encrypted version of his message sent over 802.11, he will be able to decrypt all packets that use the same initialization vector.

Active Attack to Inject Traffic

The following attack is also a direct consequence of the problems described in the previous section. Suppose an attacker knows the exact plaintext for one encrypted message. He can use this knowledge to construct correct encrypted packets. The procedure involves constructing a new message, calculating the CRC-32, and performing bit flips on the original encrypted message to change the plaintext to the new message. The basic property is that RC4(X) xor X xor Y = RC4(Y). This packet can now be sent to the access point or mobile station, and it will be accepted as a valid packet.

A slight modification to this attack makes it much more insidious. Even without complete knowledge of the packet, it is possible to flip selected bits in a message and successfully adjust the encrypted CRC (as described in the previous section), to obtain a correct encrypted version of a modified packet. If the attacker has partial knowledge of the contents of a packet, he can intercept it and perform selective modification on it. For example, it is possible to alter commands that are sent to the shell over a telnet session, or interactions with a file server.
Active Attack from Both Ends

The previous attack can be extended further to decrypt arbitrary traffic. In this case, the attacker makes a guess about not the contents, but rather the headers of a packet. This information is usually quite easy to obtain or guess; in particular, all that is necessary to guess is the destination IP address. Armed with this knowledge, the attacker can flip appropriate bits to transform the destination IP address to send the packet to a machine he controls, somewhere in the Internet, and transmit it using a rogue mobile station. Most wireless installations have Internet connectivity; the packet will be successfully decrypted by the access point and forwarded unencrypted through appropriate gateways and routers to the attacker's machine, revealing the plaintext. If a guess can be made about the TCP headers of the packet, it may even be possible to change the destination port on the packet to be port 80, which will allow it to be forwarded through most firewalls.

Table-based Attack

The small space of possible initialization vectors allows an attacker to build a decryption table. Once he learns the plaintext for some packet, he can compute the RC4 key stream generated by the IV used. This key stream can be used to decrypt all other packets that use the same IV. Over time, perhaps using the techniques above, the attacker can build up a table of IVs and corresponding key streams. This table requires a fairly small amount of storage (~15GB); once it is built, the attacker can decrypt every packet that is sent over the wireless link.

Monitoring

Despite the difficulty of decoding a 2.4GHz digital signal, hardware to listen to 802.11 transmissions is readily available to attackers in the form of consumer 802.11 products. The products possess all the necessary monitoring capabilities, and all that remains for attackers is to convince it to work for them.
Although most 802.11 equipment is designed to disregard encrypted content for which it does not have the key, we have been able to successfully intercept WEP-encrypted transmissions by changing the configuration of the drivers. We were able to confuse the firmware enough that the ciphertext (encrypted form) of unrecognized packets was returned to us for further examination and analysis.

Active attacks (those requiring transmission, not just monitoring) appear to be more difficult, yet not impossible. Many 802.11 products come with programmable firmware, which can be reverse-engineered and modified to provide the ability to inject traffic to attackers. Granted, such reverse-engineering is a significant time investment (we have not done this ourselves), but it's important to note that it's a one time cost. A competent group of people can invest this effort and then distribute the rogue firmware through underground circles, or sell it to parties interested in corporate espionage. The latter is a highly profitable business, so the time investment is easily recovered.

Conclusions

Wired Equivalent Privacy (WEP) isn't. The protocol's problems are a result of misunderstanding of some cryptographic primitives and therefore combining them in insecure ways. These attacks point to the importance of inviting public review from people with expertise in cryptographic protocol design; had this been done, the problems stated here would have surely been avoided.

Other Materials

Slides from Nikita's talk at the Mac Crypto Workshop (January 30, 2001).
A DRAFT of a paper describing the attacks.
wep@i...

--
Dragos Ruiu dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
CanSecWest/core01: March 28-30, Vancouver B.C.
Speakers: a whole bunch of cool guys and the massive sig was a pain....
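[Added example, not part of the forwarded analysis and not anyone's WEP implementation.] The two flaws described above, a linear unkeyed CRC-32 check under an XOR stream cipher and key stream reuse from the 24-bit IV, shown as they look to a receiver. The frame layout is a simplified model of WEP, the key, IVs and messages are constructed sample values, and the HMAC-SHA-256 contrast is a standard keyed MAC swapped in for comparison, not something the analysis proposes.

```python
import hashlib
import hmac
import struct
import zlib

IV_LEN = 3  # WEP's 24-bit initialization vector, sent in the clear

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of key stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """Unkeyed CRC-32 integrity check, packed as a 4-byte field."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_seal(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """Simplified frame: IV || RC4(IV || key) XOR (msg || CRC-32(msg))."""
    body = msg + icv(msg)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_open(key: bytes, frame: bytes):
    """Receiver: decrypt, then accept only if the CRC-32 field matches."""
    iv, ct = frame[:IV_LEN], frame[IV_LEN:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    msg, tag = body[:-4], body[-4:]
    return msg if tag == icv(msg) else None

def alter_in_transit(frame: bytes, delta: bytes) -> bytes:
    """Apply a plaintext bit difference to a frame using no key material.

    CRC-32 is affine over XOR: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros),
    so the ICV bits that must change depend only on delta, never on m.
    """
    if len(delta) != len(frame) - IV_LEN - 4:
        raise ValueError("delta must be as long as the message")
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:IV_LEN] + xor(frame[IV_LEN:], delta + icv_delta)

def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """What a passive listener gets from two frames that share an IV."""
    if frame_a[:IV_LEN] != frame_b[:IV_LEN]:
        raise ValueError("different IVs, so different key streams")
    return xor(frame_a[IV_LEN:], frame_b[IV_LEN:])

def iv_exhaustion_seconds(packet_bytes: int = 1500, rate_bps: float = 11e6) -> float:
    """The analysis's estimate: time to send 2^24 back-to-back packets."""
    return packet_bytes * 8 / rate_bps * 2 ** 24

def mac_seal(mac_key: bytes, frame: bytes) -> bytes:
    """Contrast (not from the analysis): keyed HMAC-SHA-256 over the frame."""
    return frame + hmac.new(mac_key, frame, hashlib.sha256).digest()

def mac_open(mac_key: bytes, sealed: bytes):
    frame, tag = sealed[:-32], sealed[-32:]
    good = hmac.new(mac_key, frame, hashlib.sha256).digest()
    return frame if hmac.compare_digest(tag, good) else None

def demo() -> dict:
    # All keys, IVs and messages below are constructed sample values.
    key, mac_key, iv = b"\x01\x02\x03\x04\x05", b"separate-mac-key", b"\x00\x00\x01"
    msg_a, msg_b = b"reading=0041 unit=C", b"reading=0077 unit=F"
    wanted = b"reading=0941 unit=C"
    frame_a, frame_b = wep_seal(iv, key, msg_a), wep_seal(iv, key, msg_b)
    altered = alter_in_transit(frame_a, xor(msg_a, wanted))
    sealed = mac_seal(mac_key, frame_a)
    return {
        "icv_accepts_altered": wep_open(key, altered),
        "hmac_accepts_altered": mac_open(mac_key, altered + sealed[-32:]),
        "hmac_accepts_original": mac_open(mac_key, sealed) == frame_a,
        "leaked_xor": xor_of_plaintexts(frame_a, frame_b)[: len(msg_a)],
        "iv_space_hours": round(iv_exhaustion_seconds() / 3600, 1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The CRC-32 check accepts the altered frame because the checksum is computed without a secret; the keyed MAC rejects it because its tag cannot be recomputed without the MAC key.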
see http://dursec.com

2449 From: sebastien rittner Date: Tue Feb 6, 2001 9:43am Subject: T1 checking

Hi all,
How do you guys check a T1 trunk.
Not that everybody can eavesdrop such a thing but I think that would be wise to sweep from A to Z.

Best regards, Sebastien.

=====
email : sebastien@t...
web : www.tscm-technician.net
voicemail : 510-903-0188 ext 7363

2450 From: James M. Atkinson, Comm-Eng Date: Tue Feb 6, 2001 6:48pm Subject: Re: T1 checking

At 4:43 PM +0100 2/6/01, sebastien rittner wrote:
>Hi all,
>How do you guys check a T1 trunk.
>Not that everybody can eavesdrop such a thing but I
>think that would be wise to sweep from A to Z.
>
>Best regards, Sebastien.
>
>=====
>email : sebastien@t...
>web : www.tscm-technician.net
>voicemail : 510-903-0188 ext 7363

Have the CO patch for a pure analog loop, or generate a loop back tone, then use a TDR to sniff the entire loop, open both pairs and re-shoot from both ends again with a TDR.

-jma

2451 From: James M.
Atkinson, Comm-Eng Date: Tue Feb 6, 2001 6:51pm Subject: Surveillance remains controversial

Surveillance remains controversial
http://www.irishnews.com/current/news13.html
By Kieran McDaid

This is not the first time Jeffrey Donaldson has alleged his phone has been bugged. Last September, Mr Donaldson claimed his phone was tapped on the orders of the British government because of his opposition to the Good Friday agreement. At the time, he accused the government of “stooping to any level” to undermine opposition to the peace deal.

In a BBC programme last year, former Secretary of State Mo Mowlam admitted she had sanctioned the bugging of a car used by senior Sinn Fein members during 1999 talks.

In March last year, two men hunting near Blackwatertown, Co Armagh discovered fully operational surveillance equipment. Sinn Fein claimed the equipment was directed towards St Jarlath’s church.

Last January, the Republic’s then Foreign Minister David Andrews met with British Foreign Secretary Robin Cook at an EU summit in Brussels. The two men discussed claims made in a Channel 4 programme that the British government had bugged telephone calls from Ireland over a long period.

In 1997, it was claimed that military intelligence had placed a tracking device in a car used by Gerry Adams to trace his movements during secret discussions with British officials. The uncovering of military ‘spy-posts’ in vacant flats and deserted farmhouses has been a regular occurrence.

Fears over the health implications of surveillance equipment have also emerged. Research in 1994 claimed those living in the south Armagh village of Crossmaglen were three times more likely to suffer brain haemorrhages than the rest of the population in the north.

2452 From: Mike Date: Tue Feb 6, 2001 8:55pm Subject: Polygraphs

I can get 10 Grass Valley Polygraph units DIRT CHEAP. These units are about 20 years old and are supposedly in great condition. Anyone know if there is still a market for them and if so how much? (They are rack mounted with the paper graph. Each unit weighs about 100lbs or more.) They are in the Chicago area and I'll give someone 2 of them if they are willing to box and ship (and pay for shipping) for the other 8 units to Astoria, OR 97103

The owner says they were used by a hospital for animal testing and cost about 20K each when new. Will sell all 10 - any offers?

Mike

2453 From: James M. Atkinson, Comm-Eng Date: Wed Feb 7, 2001 1:46pm Subject: The Consultant [humor]

A shepherd was herding his flocks in a remote pasture when suddenly a brand new Jeep Grand Cherokee advanced out of a dust cloud towards him. The driver, a young man in a Brioni suit, Gucci shoes, Ray Ban sunglasses and a YSL tie, leaned out of the window and asked our shepherd: "If I can tell you exactly how many sheep you have in your flock, will you give me one?"

The shepherd looks at the yuppie, then at his peacefully grazing flock and calmly answers "sure!"
The yuppie parks the car, whips out his notebook, connects it to a cell-phone, surfs to a NASA page on the Internet where he calls up a GPS satellite navigation system, scans the area, opens up a database and some 60 Excel spreadsheets with complex formulas. Finally he prints out a 150 page report on his hi-tech miniaturized printer, turns round to our shepherd and says: "you have here exactly 1586 sheep!"

"This is correct. As agreed, you can take one of the sheep," says the shepherd. He watches the young man make a selection and bundle it in his Jeep. Then he says: "If I can tell you exactly what your business is, will you give me my sheep back?"

"Okay, why not" answers the young man.

"You are a consultant," says the shepherd.

"This is correct," says the yuppie, "How did you guess that?"

"Easy" answers the shepherd. "You turn up here although nobody called you. You want to be paid for the answer to a question I already knew the solution to. And you don't know anything about my business because you took my dog."

2454 From: Date: Wed Feb 7, 2001 0:26pm Subject: e-bug from Dick Seward

By Jennifer Beauprez Denver Post

Feb. 6, 2001 - Watch out, an e-bug might bite you.
That's the word from the Denver-based Privacy Foundation, which has discovered an e-mail technology that lets people spy on your conversations by sending your forwarded comments back to the e-mail's original sender.

"There is wide potential for abuse here," said David Martin, a University of Denver professor. He and Privacy Foundation chief technologist Richard Smith recently learned of the so-called "e-mail bug" and are now demonstrating how it works.

For instance, a person could attach the e-bug to an electronic version of a résumé to an employer and then read what was said about it as the e-mail was forwarded to other office workers.

Business deals, too, could be fixed if negotiations were conducted via e-mail and one side learned inside information as the proposal was discussed through the potential customer's internal e-mail system. It could even be used to note off-color remarks from governmental officials, to gather e-mail addresses for companies that send out spam or by a boss to find out what you're saying about him.

"The technology is not comparable to the ILOVEYOU virus, which deleted hard drives, shut down Web sites and was extremely destructive," Martin said. "But it could cost companies hundreds of millions of dollars."

The spying technique doesn't take advantage of any security flaw in e-mail software. Rather, secret programming code is inserted into a computer language called JavaScript, which is used on Web sites to create pop-up windows and navigational aids. When the e-mail is forwarded, the implant secretly sends the text of those messages to the original sender.

At risk are those who use Microsoft Outlook, Outlook Express and Netscape 6 Mail. Such HTML e-mail programs let users send and receive e-mail messages that look and act like Web pages and have JavaScript turned on by default.

Earlier versions of Netscape are not affected because they do not support all the features of the JavaScript. HotMail, Yahoo!
and AOL 6.0 are also immune to the wiretap.

Martin said people can protect themselves by disabling the JavaScript on their e-mail program. They may learn how to do so by logging onto the Privacy Foundation's Web site, at http://www.privacyfoundation.org. Denver entrepreneur Peter Barton, along with FirstData Corp., the Denver Foundation and DU, formed the foundation in July to research and educate the public on issues.

JavaScript isn't critical to most e-mail messages, Martin said: "There's not much downside to turning it off."

But simply turning off JavaScript on your own e-mail doesn't debug the message entirely. The wiretap can still be carried with the e-mail. So if you forward it on to someone whose e-mail is JavaScript-enabled and that person forwards the message or sends a reply, then the contents of the e-mail will still bounce back to the original sender.

A number of offshore companies provide the e-mail bugging technology free to online users. But deploying such bugs is illegal in the United States, said Philip A. Gordon, a fellow at the Privacy Foundation and an attorney with Horowitz & Wake in Denver. He said the sneaky computer code violates federal wiretapping laws, since it's equivalent to listening in on a conversation without consent.

"This is as close as you can get to a telephone wiretap in the electronic environment," Gordon said. If the victims discover they've been e-bugged, they could file a civil lawsuit or press criminal charges punishable by up to five years in prison and $500,000 in fines, he said.

Enforcing those laws is tricky, Martin said, because the identity of the sender is often difficult to trace. Spies can route their mail through third-party Internet services and keep the sender's identity from being divulged.

"It can be extremely difficult to trace," said Martin. "You would have to bribe someone or break the law. A government would have to issue a warrant. That's rarely done - it would have to be a matter of national security."
"Dick Seward "THE BUG HUNTER" 23 yrs. debugging. FCC & CCW licensed. CALI Affiliated. Great prices & lots of experience. (949-770-8384)"

The Privacy Foundation is calling for the major makers of e-mail programs to address the problem.

Microsoft spokesman Ryan James said the newest downloadable update to Outlook Express, version 5.5, is not affected because JavaScript is off by default.

Netscape spokeswoman Catherine Corre said the company is working on a patch, which will be available within the next few days, to stop the wiretaps. Meanwhile, Corre said, Netscape users should disable JavaScript in the Messenger program.

The Associated Press contributed to this report.
Copyright 2001 The Denver Post. All rights reserved.

2455 From: James M. Atkinson, Comm-Eng Date: Thu Feb 8, 2001 8:23am Subject: Re: Polygraphs

At 6:55 PM -0800 2/6/01, Mike wrote:
>I can get 10 Grass Valley Polygraph units DIRT CHEAP.
>These units are about 20 years old and are supposedly in
>great condition. Anyone know if there is still a market for them and
>if so how much? (They are rack mounted with the paper graph. Each unit
>weighs about 100lbs or more. ) They are in the Chicago area and i'll give
>someone 2 of them if they are willing to box and ship (and pay for shipping)
>for the other 8 units to Astoria, OR 97103
> The owner says they were used by a hospital for animal testing and cost
>about 20K each when new. Will sell all 10 - any offers?
>Mike

Mike,

Are you sure that they are poly's (with the transducers), or could they just be the strip chart recorder?

The reason I mention this is that poly's are of minimal value unless you have the entire system.
-jma

2456 From: Paolo Sfriso Date: Thu Feb 8, 2001 3:32am Subject: Cellphone use on aircraft

Fwg is a free translation of a news item published by ANSA on February "nd and republished today by CNN-Italy:

Saudi Army Captain is condemned to 70 whip lashes.

According to the Saudi newspaper "Al-qtissadiya" an un-named Saudi Army Captain was condemned to 70 whip lashes "for having put aircraft passenger's life in serious danger" by the court of Tabuk (in NW Saudi Arabia). The Army Captain insisted on using his cellphone onboard an internal Saudi flight after having been warned by the aircraft crew.

Your Italian Connection.

Paul Sfriso
Director
GRUPPO S.I.T.
Security, Investigations & Tecnology
Quarto d'Altino, Venice ITALY
phone +39 0422 828517
fax +39 0422 823224
24hr GSM cellphone +39 (0)335 5257308
paulsfriso@t...
www.grupposit.com

2457 From: Jones, Billy R Date: Thu Feb 8, 2001 8:39am Subject:

An e-mail bug was discovered October 5, 1998 by Carl Voth, this exploit uses features of Microsoft Dynamic HTML to surreptitiously intercept text added to email messages after they have been forwarded to secondary recipients. The exploit assumes that the original exploit message will eventually be forwarded to others with HTML-enabled mail browsers.
The exploit takes advantage of DHTML functionality in Internet Explorer 4.0 which is used by Outlook 98. Outlook Express has not been tested but is presumed to be equally vulnerable. Any other email clients that use Internet Explorer as their HTML engine (eg. Eudora?) are likely vulnerable as well.

For further information, please see
http://www.cen.uiuc.edu/~ejk/browser-security.html\
http://www.geocities.com/ResearchTriangle/Facility/8332/reaper-exploit-release.html

Jim,
Can you kill my name and address - Since Aramco is the US subsidiary of the Saudi National Oil Company, we like to stay a little quiet (politics and all).

Best Regards,
Billy R. Jones
Electronic Security Technician
Aramco Services Company
9009 West Loop South, MS-109
Houston, Texas 77096
713-432-4737 voice
713-432-4382 FAX
713-503-7940 (Cellular)
bjones@a...
http://www.aramcoservices.com

2458 From: Miguel Puchol Date: Thu Feb 8, 2001 10:09am Subject: RV: Email exploit

HTML e-mail is like killing flies with a cannon. To send the same information you use up to 10 times more bandwidth. I always respond to HTML formatted messages with plain text ones. It's just a waste of space, and as it turns out, a big source of trouble, as if we hadn't enough with viruses and malicious scripts...

Cheers all, and watch out!

Mike

> -----Original message-----
> From: Jones, Billy R [mailto:bjones@a...]
> Sent: Thursday, 08 February 2001 15:40
> To: 'TSCM-L@yahoogroups.com'
> Subject: [TSCM-L]
>
> A e-mail bug was discovered October 5, 1998 by Carl Voth, this exploit uses
> features of Microsoft Dynamic HTML to surreptitiously intercept text added
> to email messages after they have been forwarded to secondary recipients.
> The exploit assumes that the original exploit message will eventually be
> forwarded to others with HTML-enabled mail browsers.
> The exploit takes advantage of DHTML functionality in Internet Explorer 4.0
> which is used by Outlook 98.
> Outlook Express has not been tested but is
> presumed to be equally vulnerable. Any other email clients that use Internet
> Explorer as their HTML engine (eg. Eudora?) are likely vulnerable as well.
>
> For further information, please see
> http://www.cen.uiuc.edu/~ejk/browser-security.html\
> http://www.geocities.com/ResearchTriangle/Facility/8332/reaper-exploit-release.html
>
> Jim,
> Can you kill my name and address - Since Aramco is the US subsidary of the
> Saudi National Oil Company, we like to stay a little quiet (politics and
> all).
> Best Regards,
> Billy R. Jones
> Electronic Security Technician
> Aramco Services Company
> 9009 West Loop South, MS-109
> Houston, Texas 77096
> 713-432-4737 voice
> 713-432-4382 FAX
> 713-503-7940 (Cellular)
> bjones@a...
> http://www.aramcoservices.com
>
> ========================================================
> TSCM-L Technical Security Mailing List
> "In a multitude of counselors there is strength"
>
> To subscribe to the TSCM-L mailing list visit:
> http://www.onelist.com/community/TSCM-L
>
> or email your subscription request to:
> subTSCM-L@t...
> =================================================== TSKS

2459 From: James M. Atkinson, Comm-Eng Date: Thu Feb 8, 2001 1:19pm Subject: Re: e-bug from Dick Seward

At 10:26 AM -0800 2/7/01, dseward2@j... wrote:
>By Jennifer Beauprez Denver Post
>Feb. 6, 2001 - Watch out, an e-bug might bite you.
>That's the word from the Denver-based Privacy Foundation, which has
>discovered an e-mail technology that lets people spy on your
>conversations

Ok, but it sounds like a lot of hype, and they didn't really "discover" anything that most of us were not already aware of. Also, it's not exactly an "e-mail technology" but is a scripting protocol that some Email programs recognize.

>by sending your forwarded comments back to the e-mail's original sender.
>"There is wide potential for abuse here," said David Martin, a University of
>Denver professor.
>He and Privacy Foundation chief technologist Richard Smith
>recently learned of the so-called "e-mail bug" and are now demonstrating how
>it works. For instance, a person could attach the e-bug to an electronic
>version of a résumé to an employer and then read what was said about it as
>the e-mail was forwarded to other office workers.

Ah, no.... his description is way out of touch with reality.

>Business deals, too, could be fixed if negotiations were conducted via
>e-mail and one side learned inside information as the proposal was discussed
>through the potential customer's internal e-mail system. It could even be
>used to note off-color remarks from governmental officials, to gather e-mail
>addresses for companies that send out spam or by a boss to find out what
>you're saying about him.

No.... while it is possible to imbed malicious elements inside an email message it really is not a practical method of eavesdropping.

For example I can squirt an email to someone that will sample room audio for a few minutes and send back the audio file, or I can launch a script that can (and will) snap a picture of what is in the field of view of the camera (if they have a USB based camera on their computer). But neither is a practical method of eavesdropping.

>"The technology is not comparable to the ILOVEYOU virus, which deleted hard
>drives, shut down Web sites and was extremely destructive," Martin said.
>"But it could cost companies hundreds of millions of dollars."

Listening to clueless pundits is also costing companies hundreds of millions of dollars.

>The spying technique doesn't take advantage of any security flaw in e-mail
>software. Rather, secret programming code is inserted into a computer
>language called JavaScript, which is used on Web sites to create pop-up
>windows and navigational aids. When the e-mail is forwarded, the implant
>secretly sends the text of those messages to the original sender.
JavaScript is not any kind of a "secret programming code" any more than Visual Basic.

>At risk are those who use Microsoft Outlook, Outlook Express and Netscape 6
>Mail. Such HTML e-mail programs let users send and receive e-mail messages
>that look and act like Web pages and have JavaScript turned on by default.

Yeah, so? Which is also why security use Email programs instead of "integrated packages" to read, write, and send email.

>Earlier versions of Netscape are not affected because they do not support
>all the features of the JavaScript. HotMail, Yahoo! and AOL 6.0 are also
>immune to the wiretap.

AOL 6.0 is actually vulnerable to other types of mischief.

>Martin said people can protect themselves by disabling the JavaScript on
>their e-mail program. They may learn how to do so by logging onto the
>Privacy Foundation's Web site, at http://www.privacyfoundation.org. Denver
>entrepreneur Peter Barton, along with FirstData Corp., the Denver Foundation
>and DU, formed the foundation in July to research and educate the public on
>issues.

Ah-ha.... so what is really going on here is a publicity stunt to drive people to the Privacy Foundation's website.

>JavaScript isn't critical to most e-mail messages, Martin said: "There's not
>much downside to turning it off."
>But simply turning off JavaScript on your own e-mail doesn't debug the
>message entirely. The wiretap can still be carried with the e-mail. So if
>you forward it on to someone whose e-mail is JavaScript-enabled and that
>person forwards the message or sends a reply, then the contents of the
>e-mail will still bounce back to the original sender.

OK, but it still does not make it a realistic threat.

>A number of offshore companies provide the e-mail bugging technology free to
>online users. But deploying such bugs is illegal in the United States, said
>Philip A. Gordon, a fellow at the Privacy Foundation and an attorney with
>Horowitz & Wake in Denver.
>He said the sneaky computer code violates federal
>wiretapping laws, since it's equivalent to listening in on a conversation
>without consent.

They are correct about it being contraband in the United States, but the comments about off shore companies are way off base.

>"This is as close as you can get to a telephone wiretap in the electronic
>environment," Gordon said. If the victims discover they've been e-bugged,
>they could file a civil lawsuit or press criminal charges punishable by up
>to five years in prison and $500,000 in fines, he said.

Yes, the use of bugs, wiretaps, and other kinds of e-mischief can seriously open up a user to serious legal problems.

>Enforcing those laws is tricky, Martin said, because the identity of the
>sender is often difficult to trace. Spies can route their mail through
>third-party Internet services and keep the sender's identity from being
>divulged.

No, the sender of the email is easy to find, as is the recipient of the collected intelligence (especially if it is being done by someone inside the company).

>"It can be extremely difficult to trace," said Martin. "You would have to
>bribe someone or break the law. A government would have to issue a
>warrant.

But not if it is being done by someone inside the company, it would be fairly simple to find.

>That's rarely done - it would have to be a matter of national security."
>
>"Dick Seward "THE BUG HUNTER" 23 yrs. debugging. FCC & CCW licensed. CALI
>Affiliated. Great prices & lots of experience. (949-770-8384)"

Er... since when did the FCC start licensing TSCM people?

>The Privacy Foundation is calling for the major makers of e-mail programs to
>address the problem.

OK, but while they're at it why not call for me to hit the lotto as well. "Calling for" this and that is just an old publicity stunt.

>Microsoft spokesman Ryan James said the newest downloadable update to
>Outlook Express, version 5.5, is not affected because JavaScript is off by
>default.

... and one should hope so.
>Netscape spokeswoman Catherine Corre said the company is working on a patch,
>which will be available within the next few days, to stop the wiretaps.
>Meanwhile, Corre said, Netscape users should disable JavaScript in the
>Messenger program.
>The Associated Press contributed to this report.
>Copyright 2001 The Denver Post. All rights reserved.

-jma

2460 From: Charles P Date: Thu Feb 8, 2001 9:44pm Subject: FCC licensing made easy

>>"THE BUG HUNTER" 23 yrs. debugging. FCC & CCW licensed. CALI
>>Affiliated. Great prices & lots of experience. "

>Er... since when did the FCC start licensing TSCM people?

I've been FCC licensed since 1967: N2AXO, formerly WA3IOB so I guess I could put "FCC Licensed" on my shingle too! :-)

perhaps a CB license would work too, but they don't give those out anymore, do they?

cp

2461 From: Robert G. Ferrell Date: Fri Feb 9, 2001 10:54am Subject: Re: e-bug from Dick Seward

>>Feb. 6, 2001 - Watch out, an e-bug might bite you.
>>That's the word from the Denver-based Privacy Foundation, which has
>>discovered an e-mail technology that lets people spy on your
>>conversations

There's an absurdly simple "fix" for this "e-bug." It's called RFC 822:

"Messages consist of lines of text. No special provisions are made for encoding drawings, facsimile, speech, or structured text."

SMTP != HTML.

Cheers,

RGF

Robert G. Ferrell, CISSP
Information Systems Security Officer
National Business Center
U. S. Dept. of the Interior
Robert_G_Ferrell@n...
========================================
Who goeth without humor goeth unarmed.
========================================