I had too much free time on my hands today, so this week's MailBag is
pretty massive. It may take you more than one sitting to get through. I started spell
checking it, but that was taking forever, so you'll have to tough it out this week =)

Peter Submitted The Following:

Your web page is getting too cluttered.

- Peter

Yes, it was, wasn't it? Well, we've started to post our re-design. What
does everyone think of the new look? We have a lot more to add/revamp, but today's update is a start. Thumbs up, or thumbs down? Write in and let us know.

I think your proposal that the solution to kids accessing indecent material
on the Internet is self-regulation is ludicrous. Any parent knows he
cannot regulate his kid going to his friend's house and watching indecent
movies and/or accessing indecent web sites (not to mention these days - the
public library). My stepson actually boasted of this when we refused to
allow certain movies to be viewed in our home. There will always be
someone who could care less what their kids see or do and how will you know
who those people are? That's why I believe regulation of the Internet is a
must, controlling filth at the source and not the faucet. It all boils
down to community standards - whose values rule. There was a time in
America when our laws were set to the highest common denominator - to
protect the weak and the innocent. Now they're set to the lowest common
denominator and the weak and the innocent are getting hurt and nobody
cares. Oh yes, the big argument - First Amendment rights, freedom of
speech. . . When are we going to recognize that there is no such thing as
absolute freedom of speech, i.e. without consequences? You cannot threaten
the President, you cannot joke about carrying a bomb on a airliner, you
cannot slander someone, you cannot perjure yourself in a court of law and
of course the old familiar one - you cannot shout "Fire!" in a crowded
theater. These are just a few of the infringements on freedom of speech
our society accepts in order to protect innocent people. The same should
be no different with the Internet. I respect the desire of some people to
maintain the Internet as a vehicle for the free exchange of ideas.

Nonetheless, this "gun lobby" mentality that accepts absolutely no
restrictions for the sake of the common good is producing a great deal of
suffering. Ultimately I believe a way has to be found to restrict
availability to indecent material on the Internet by requiring adult
membership with verification for access to adult sites. This will set a
standard and permit law enforcement to prosecute those who violate this
standard. We have many bright minds, I'm sure with good intent we can find
an equitable solution - so help us God.

Wayne McCormick

Ok, so we set up adult-memberships for sex-related sites. What about
sites that deal with "anarchistic views"? Those are harmful to our nation's children too. Think
about how many kids blew their hands off trying to make pipe bombs. What about sites which
describe acts of violence? People say that the actions of many of these "school shooters" were
caused by the youth's access to violent computer games. What about sites that contain information about
"hacking"? Think about how many "young innocent kids" have been raided by the FBI in the past two
months, because they're doing things they read about on websites. My point is this. It's not the material
that the kid has access to, it's the kid. Sheltering our nation's youth does absolutely nothing to protect
them. Teaching them right from wrong, a sense of self worth, and a sense of the worth of those around them, is the
most important thing we as a society can do for our youth. Besides,
ask anyone in the industry, if ANY of these filtering methods actually 'stop kids from accessing material'. They stop
the kids that wouldn't access it anyway, because a kid that wants to get access to anything, be it drugs, weapons, or
'porn', will get access to it reguardless.

acidflesh Submitted The Following:

heh...I was just reading the mail bag. I found part of it pretty damn funny.
It was the letter from DeadMessiah (or something similar). Man he is an idiot.
Noone had ever heard of cDc until the released BO? haha...where the hell has he been!
They have been around forever. Anyway, I was just wondering what your thoughts on this
idiot were, since you didn't have a reply for him.

Well, he probably wasn't an idoit, just someone new to "the scene". Besides,
EVERYONE knows of cDc now, as being the organization that released a professional remote administration
tool, that as a bonus, will infect you with the CIH virus
, hahaha.


JP, you're one of the few people on whose statements i've never disagreed with.
I just thought you should know that


Well, that's kind of scarry, considering I usually say some pretty off the wall stuff for the
sole purpose of getting people to think more in-depth about certain issues. In other words, I don't even believe
half of the things that I say.

Let me see if I understand the theory here:

Software Publisher A creates code with vulnerabilities.
Software Publisher B finds the vulnerabilities.

B posts a way to use that vulnerability.

A responds by complaining that it is "not productive to release source code of this type."

Meanwhile, 3rd party software vendor(C)is relied upon by A to fix the stuff that they
created in the first place.

Also, some people are complaining about the fact that B *may* offer (for a small fee.
Call this fact F), a fix to A's product(s).


If we substitute real life for theory, we come up with this scenario....

A = Microsoft

B = cDc

C = Symantec, etc.

F = Free Enterprise

IMHO ...

A should pay B for fixing what A's employees can't do right C should pay B for seeing
things before it happens. B should play F for all it's worth and, E should seriously consider

E = Everyone

U* = Unix and its many derivatives

Finally... I'd like to pose a question... and a possible answer

Q. When you look at the "bargain" computer books, you see alot of older dos/windows books,
but you never see Unix books. Why is that?

A. Because 20 year old Unix *still works*. Even on a new-fangled thing like the internet.
Imagine that Bill.

Let's suppose B releases a software package infected with V, yet B is trying to tell people that
they are better than A because they take a more logical approach to security, which doesn't
include things like Virus Scanners (we'll call that concept S) from organizations such as C. However,
if they had implimented concepts shared by both A and C, they never would have had to deal with the
embarassment of V.

Now, let's suppose user U send an e-mail M to site JP and he publishes it P for the sole purpose
of showing how people like U add unnecessary confusion (we'll call that concept Un) to an already
confusing industry, I. Would U get upset at JP?

Clay Submitted The Following:

Mr. Caston makes some very good points in Paper or Plastic, and I agree with many of them
(I'm taking a break from MSCE training on CD-ROM--yeah, its sad). However, which OS to
embrace isn't as important as what you do with that OS and who you know in order to learn
an OS in the first place. No matter what OS you persue the basics of user administration,
backup scheduals, network policies, trouble shooting, and the politics of end users are
valuable skills that, in general, can transfer to any platform. So learn anything you can at
first, then be picky about what to specialize in. To get started, local area user groups can
be a great way to find people who are willing to teach the basics and excellent networking to
find a position when you are ready. If that doesn't work you can get your foot in the door
through the first level tech support positions, but bail for something better as soon as you

Well, I think what you say holds true in any field, including things
like medicine, etc. There are basics that must be learned first, and for the most part,
hold true through-out. Then you can get down to the "specifics" of what ever specialty
you've chosen.

Cthulhu Submitted The Following:

Hey JP,

Did you know your name is on the back of the Defcon 99 t-shirt?


I think they were pissed that noone got into your sever all week...

Hrm, not sure if that's true or not, I haven't seen
the shirt. However, I find it hard to believe that my name's on it
without being preceded with words such as "****" or "Rot In Hell". Heh.

Yeah, I think it pretty funny the way that all of these sites are being broken into, including
Def Con's. Needless to say, we saw a HUGE increase in attempts against all of our
servers the week the convention was held. However, they were just that, attempts
and not successes. We did get to log all sorts of neat attepts though, and probably have
the largest archive of commonly-used-hacker-jump-points in the world =)

BRAD Submitted The Following:





it isn't the ISP's job to "police its users". Instead, any abuse should
be dealt with through the appropriate law enforcement organizations.
Unfortunately, very few of those organizations are equipped to handle
such cases, and those that are, such as the FBI, are so backlogged in
cases, that unless actual damages from an attack are in the
tens-of-thousands of dollars, they will put very little, if any,
resources into a case. So, by having ISPs look into, and deal with cases
of abuse, the industry is able to self-police itself, and able to help
make the internet a more enjoyable experience for all of its users.


THANKS FOR SENDING US YOUR COMMENTS! Um, anyway. We got a call from an AOL
SpokesPerson shortly after our story was published. Needless to say, she was not happy. She directed
me to a page on their site, which she claimed, had all of their abuse information and contact addresses
on it, and demanded that we updated our story. So, while on the phone with her, I visited this
supposed page. "The link you clicked leads to an area on the AOL service. You must be an AOL member using the AOL software to
access this area."
She became rather embarassed, and ended the conversation rather abruptly.


I'd like to say that "The Rating Game" article posted on the 14th was near
and dear to my heart. I manage the Intrusion Detection and Response capability
of a large Internet based technology company. Basically, I'm the guy who
identifies the mosquitos, and tries to work with ISPs to get accounts shut down.
Sometimes, I get some really fun cases where the mosquitos actually have the
brains enough to hop through several servers first...those can be like a big
game of chess.

Anyway, I digress...I would like to add some of my own ratings to some of the
ISPs I have dealt with:

BellSouth.net: D- They have an abuse department to accept complaints, but you
never hear back from them, and never know what they do with the complaints.

AOL: F- *shiver* I agree 100% with the article's assessment of AOL

Compuserve: C Surprisingly, not too bad. They always promise results.
AOL should learn a thing or two from good ole MCI WorldCom.

Carolina Online: A+ Fantastic. Small ISP in North Carolina...these guys
simply hate the fact the people sometimes use their service to piss off other
ppl on the Inet, and they take it personally.

MidWest Inet: A Very good. Within one business day, they had completed
their investigation and taken appropriate action. The guy there actually
called *me* back to let me know what was going on from his side
of things.

Erols Internet: B+ Certainly better than average. Took them a couple of days,
but they tracked the activity down, confirmed it, and took appropriate action.

Navinet: A Another small, cool ISP who hates it when their users annoy
ppl on the Inet. This guy was so pissed off he added an ACL on his routers to drop all 31337
packets 8-)

Exodus Comms: C About the average of what's out there...has an
"abuse@companyname.com" mailbox...send logs to it, never hear a damn thing.

FishNET: A+ Another great one...a live body on the phone to talk to, who
understands exactly what I'm telling him. I honestly believe this guy did very
little else until the problem was resolved.

@Home: A+ These guys are concerned. They are a large cable modem ISP. We
all know that some of our mosquitos out there are targetting home users running default
Linux packages off of cable modems, simply because they maintain the same IP address
for long periods of time, and are easy to get into to set up a base of operations.
Although overworked, these guys will do their best to work
*with* you, and get their customers to work *with* you, to help
track stuff back another hop. In other words, if you're looking for a hop off point to
launch your attacks from, stay away from @Home, cuz
they will do what they can do to help track you back. I owe that
plug to @Home, they've helped me alot.

Digital Nation: C See comments on Exodus.


Roger's Wave: A+ A Canadian subsidiary of @Home, and they're just as good.

As a parting shot...there used to be a day when there was a "Community Village"
outlook on the Internet. This was before the massive upshot of hundreds of ISPs
nation and worldwide. When a point on the network was responsible for annoyance
on another site, *action* was taken to get to the bottom of it to ensure that it
stopped. It was simple respect, and everyone looked out for the health of the
network as a whole because it was theirs.

It's extremely disheartening to see that this concept has gone by the
wayside...massive numbers of people are hooked up to the Net for one
thing...money. And, whenever money is involved, moral issues die, ethical
issues die, and that sense of community simply goes away.

Is it really too much to ask to have someone answer the phone at 2 o'clock in
the morning when the hacker you've been tracking for 2 months probes your
network from a new machine?

Last parting shot...the guy at Navinet above? You know..the one with the elite
ACL? He answered the phone at 2am...twice.

Jerry Zepp, CISSP

Wow, great stuff! Thanks for writing in. I was hoping that my little
article would spawn some thought, and discussion, and apparently it did just that. If anyone
else out there would like to rate their local ISPs, or any National ISPs that they've had
to contact in order to deal with abusive users, we'd love to hear about it. If we get
enough responses, we may archive them all in a new section of the site. Thanks again Jerry.

CalvN Submitted The Following:

Love the site. And I actually put my real webbased e-mail address. Isn't that a first? =]

Ever worked at a fast food place? Doubt any of you "real" hackers ever have. Well,
Burger King's high-tech order system (Pascal based) really blows my mind. The order
pops up in a fancy ASCII frame.

If I were to rob a fast food place, I would be like: "Give me the ****ing computers,
skrew the money!" nah ... I just wish that fast food places would stop being cheap
and get a UNIX box. Thad be the day when all hackers and kiddies alike would get jobs
at fast food palces just to exploit their powerful knowledge on the Order Mainframe.
God bless America.

Tell me JP, what was your first job that doesn't have to do with compz?

Well, I've only had two jobs that weren't computer related. One as
a K-mart stock person, the other as a, believe it or not, farm-hand. Actually, it did
feel good to get out from behind the computer, and into the fresh air, but that novelty
soon faded. I love working for myself now, and never plan to work for anyone else again.

> AT&T World Net Service:

> Rating: F

Maybe they don't stop hackers......
but they sure gave the Church of Scientology
all the personal id info to get at a guy
protesting their actions and quoting from
their scriptures...........

Now he gets to run in fear from the legal
and other abuse this "Church" will be
throwing at him. Maintaining an
anon account with them is suicide!

- b0b

Church of Scientology, they're even more evil than Jehovahs. Jehovahs will
knock on your door to give you religion, but the Scientologist will try to sell it to you. Granted
this is off topic, but oh-well, this is my soap box =P

Regarding the mess with Carolyn Meinel's server...

I was on the winning team and would like to humbly offer that she did provide a "server"
that accepted TCP connections on ports that make sense, and what answered was partly or
wholly RFC-compliant. To the extent that her machine was designed to server Quake sessions,
it was a valid server.

Beyond that, however, the only running services were common honeypots that we detected
within 2 minutes and agreed to ignore. The problem with most discussions that arise from
her performance is that most people believe that she was foisting it as a broad-use server
(i.e. one service per port) which was immediately obvious to anyone worth hir salt.

So long as everyone understands that FTPing to Fangs is an immediate way to discredit the
legitimacy of the box, and that she intended those to be only honeypots, then there should
be no problems. Anywhere she claims that the machine was well defended, however, she is
asserting with no evidence. She wasn't hacked because there were better targets available;
Quake is a very big security risk. In effect, she didn't outrun the bear, rather she just
outran the other food.

Given the amount of time that real-world hackers have, her box would have fallen like any
other. CM is apparently still convinced that obscurity is a good replacement for security.
If she really wants to operate all those honeypots, then she should at least put some
countermeasures in to punish hackers for trying. That would be a game. What she did was
to try and waste the precious time that could have been better spent in other forums.

Just my $0.02


Ghetto Hackers

Carolyn has
informed me that she has placed this "controversial computer" on the internet for the world
to look at, and try to hack. Complete with open guest accounts, it's at fangz.happyhacker.org

Ditto a.k.a. Shanock Submitted The Following:

Several people in your mailbag post messages containing short strings of profanity aimed
against antionline and you personally (a recent example including system v's post).
I have never understood what anyone could hope to accomplish by doing this. Do they feel
that they will insult you? Do they think that flinging curses at you will inspire you to
change policy on your site? Perhaps their actions are a result of jealousy, repressed anger,
or perhaps it makes them feel like a big man. It doesn't help anything to inform you that some
people don't like you; I am sure you are already fully aware of that. Maybe it is a result of
resentment that they feel when you provide a resource that can aid both sides of the "hacker
war", and they feel threatened that their illegal activities will soon be stopped. I am not a
psychologist, although I do pride myself on my understanding of human nature... but this just
baffles me. Can you explain it to me?

You mean, there are people out there that don't like me? Damn. You should
SEE all of the different types of complaints my ISP has gotten from different malicious hackers out there.
People claiming I hacked them, flooded them, sold their name and number to telemarketers, run spam servers,
distribute warez, etc, etc. You know what they accomplished? They accomplished my ISP upgrading our
dedicated line at no additional cost to help handle our load. Personally, I hope they keep it up, maybe
I'll get a free T3 out of this...

Vaklav Submitted The Following:

I am a member of the rainbow coalition of Fruitieness and want to know why the hell we have
been left out of the bashing on your site? Us queers want to get in on the action also. Were
getting jealous of the mexican(t)s and brazilians and blacks and china men and clinton and
crackers and handicapped people getting pushed by the shaolin priest from Kung Fu: The legend