Computer underground Digest    Sun  Mar 5, 1995   Volume 7 : Issue 18
                           ISSN  1004-042X

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Archivist: Brendan Kehoe
       Semi-retiring Shadow Archivist: Stanton McCandlish
       Correspondent Extra-ordinaire:  David Smith
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Monster Editor:    Loch Nesshrdlu

CONTENTS, #7.18 (Sun, Mar 5, 1995)

File 1--Review of _The Virus Creation Labs_ (by George Smith)
File 2--The Virus Creation Labs: an excerpt
File 3--Re: Press Coverage Bloopers in the Mitnick Story (CuD 7.16)
File 4--Italian BBS Charged with "Subversion"
File 5--Cu Digest Header Info (unchanged since 26 Feb, 1995)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

----------------------------------------------------------------------

Date: Thu, 2 Mar 1995 21:13:33 CST
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 1--Review of _The Virus Creation Labs_ (by George Smith)

There are relatively few books on the "computer underground" that
provide richly descriptive commentary and analysis of personalities
and culture that simultaneously grab the reader with entertaining
prose. Among the classics are Cliff Stoll's _The Cuckoo's Egg_, Katie
Hafner and John Markoff's _Cyberpunks_, and Bruce Sterling's _The
Hacker Crackdown_.  Add George Smith's _The Virus Creation Labs_ to
the list.

_Virus Creation Labs_ is about viruses as M*A*S*H is about war.
Computer viruses are simply a window through which Smith guides our
gaze into a bizarre Pirandellian world of inflated egos, malicious
territorialism, questionable ethics, and avarice, about equally
divided between the moral entrepreneurs amongst virus fighters and
their nemesis, the virus writers.  Smith writes with irony, cynical
humor, and well-researched prose to provide insights into the
symbiotic, chaotic, and oft-times seemingly pathological relationship
between churlish virus writers and the equally churlish anti-virus
moral entrepreneurs.

At the outset, Smith makes it clear that his is neither a technical
tome nor an expose.  Although his text reads with the ease of a novel,
the subtext is a biting commentary on the Manichean world view
possessed by many in the phallocentric anti-virus community and on the
maturity-challenged actions of many of the virus writers who coexist
in an uneasy partnership of co-dependency.

Smith begins his narrative with the Michelangelo virus hysteria of
1992, which, he explains, launched his own interest in viruses:

     It sent me down the trail to the rim of cyberspace in search
     of people who, perhaps not surprisingly, turned out to be
     pretty much like most Americans, except with an order of
     magnitude greater interest in the inner workings of the
     desktop personal computer. Like most of us, there wasn't a
     nobleman in the lot--and there were none among the ranks of
     the antivirus software developers and security consultants
     who consider themselves the gatekeepers at a fantasy wall of
     their own construction erected between the Wild West of
     cyberspace and the mannered, sterile environment of safe
     home and business computing (p. 2).

Smith argues with some persuasiveness that Michelangelo was fueled
largely by the anti-virus industry who, while seeming to magnanimously
provide the public with free cleansing software, in fact hyped the
virus to the media to dramatize the dangers of this and other viruses
as an effective commercial strategy.  Although Smith is hardly the
first to make this accusation, he is the first to provide a strong
argument. He notes, for example, that Compuserve made $100,000 in
on-line charges from the McAfee forum, the source of anti-virus software
author John McAfee, in the days prior to March 6, the date the virus
was supposed to strike (p. 7), and notes how the virus threat allowed
McAfee to gain major dominance of the U.S. anti-virus software market.

Smith notes that some anti-virus experts, such as Pam Kane,
tried to temper the hysteria with reasoned writings, but she
and a few others were out-shouted by the "vendor-created hysteria:"

        It's a venal pattern repeated over and over: Anti-virus
     software manufacturers and security consultants carping at
     each other and conducting back-stabbing negative publicity
     campaigns in the computer or mainstream press, complicated
     by the entrenched practice within computer industry
     publishing houses allowing corporate heads or their catspaws
     to write books and reviews focused on their merchandise.
     These tricks tend to be hidden behind mock concern over
     high-tech petty atrocities usually perpetrated by
     mysterious, unseen computer vandals or hackers.  Like many
     hardscrabble businessmen vying for commercial advantage in
     an increasingly confined arena dominated by one company,
     such tactics grant them all the charm and panache of a
     60-pound bag of money-mad cockroaches (p 18).

Among the anti-virus faction Smith singles out as especially dubious
are John Buchanan, who is described as a mercenary and amoral
huckster with little technical talent but a bent for self-promotion,
and Alan Solomon, who is portrayed as a territorial, mean-spirited
busy-body.  Was Solomon at least partly responsible for one of the
most mean-spirited and unethical acts on the nets? Smith implies that
he was. Paul Ferguson, "an obscure security consultant," wrote an
anonymous letter to RISKS Digest. In the anonymous letter, Ferguson
engaged in a good bit of disingenuous diatribe, character
assassination, and hysteria to complain that AIS BBS, a
general-information BBS run by the Treasury Department's Office of
Public Debt, was engaged in unethical and likely illegal distribution
of virus source code. A copy of the post was sent to Congress, and an
inquiry began. Ferguson was later exposed as the letter's author, but
not before his cowardly action brought the roof down on the AIS sysop,
a young woman with a military background and substantial integrity.
The story was picked up by the national media, and the "good ol' boys"
in the anti-virus crowd succeeded in illustrating that, in the name of
their sacred cause, they were not above engaging in actions as
reprehensible as those they claimed to oppose. Like the virus
writers, Ferguson and his cronies displayed no honor in their devious
assault on a security expert whose opposition to viruses was no less
than their own. So much for ethics.

It should be noted that Smith does not dispute the need for
anti-virus software, and he gives credit to those anti-virus
authors who make products that work. His intent is not to disparage
talent where it exists. Instead he criticizes the social
organization of the culture, its exclusiveness, and the often
self-serving shenanigans of some of the practitioners.

Smith is no less gentle on most virus writers than he is on
the anti-virus crowd. A few, such as Little Loc, the teenager
who wrote Satan Bug, and the mysterious Dark Avenger, depicted as one
of the most brilliant of virus writers, are acknowledged for their
talents, but not romanticized. Most virus writers, Smith argues, are
simply untalented kids capable of modifying source code (or running
"virus creation software"), but not of doing any real programming.
Although here I've emphasized some of Smith's discussion of the
anti-virus crowd, he covers both groups fairly evenly.

What do we learn from Smith's book? First, he provides a new look at
the relationship between virus writers and anti-virus software
developers. We learn that the former are not demons and the latter, as
a group, are hardly altruistic heroes. Second, we learn that there is a
difference between those who write viruses and those who plant them.
Smith displays an intellectual appreciation for the talents of
competent programmers (of all types), but shares hostility for vandals,
"wannabes," and those who prey on others. Third, Smith describes in
nifty detail the workings of both virus and anti-virus cultures, and
suggests a symbiosis by which each culture is driven. Finally, Smith
drives home the lesson that the best protection against viruses is
simple common sense:  Maintain clean disks, make regular backups, and
practice "safe hex."

That _The Virus Creation Labs_ is both well-written and well
researched is no surprise. Smith, a chemistry PhD, combines a scholar's
eye with the skills he honed as a journalist.  If he had chosen a
major publisher for his manuscript, a light routine editing would
smooth over some of the rough edges, and there likely would have been
an index included. However, a major publisher would also have more
than doubled the price of the book.  While there are always minor flaws in
all books, and although not all readers will share the perspective or
some of the conclusions, _The Virus Creation Labs_ is one of the best
descriptions of this slice of computer culture to date.  The book will
serve as a handy resource or a supplement for classes.  Unfortunately,
it's not available in bookstores, and must be ordered directly from
American Eagle Publications, an unwise marketing move. But, it's
well worth ordering.

"The Virus Creation Labs: A Journey Into the Underground" by
George Smith (American Eagle, ISBN 0-929408-09-8, paperback,
$12.95)

Orders:    Mark Ludwig
           American Eagle
           POB 41401
           Tucson, AZ  85717
           ameagle@mcimail.com
           (602)888-4957
           toll free: 1-800-719-4957

American Eagle Publications is the work of Mark Ludwig, a physics
graduate of Caltech, who was recently profiled in WIRED magazine
as a scientist who publishes books on computer viruses, artificial
life and the cutting edge of cyberspace.

------------------------------

Date: 19 Jan 95 15:17:53 EST
From: george c smith <70743.1711@COMPUSERVE.COM>
Subject: File 2--The Virus Creation Labs: an excerpt

     ------------------------------------------------------------
For Computer underground Digest, an excerpt from the newly
published book, "The Virus Creation Labs: A Journey Into the
Underground" by George Smith (ISBN  0-929408-09-8, American
Eagle)

"The Virus Creation Labs" is $12.95.  The publisher can be
contacted at:  American Eagle
               POB 41401
               Tucson, AZ  85717
               e-mail: ameagle@mcimail.com
               ph:     1-602-888-4957
                       1-800-719-4957

     ------------------------------------------------------------

                 A Priest Deploys his Satanic Minions

Everyone knows the best virus writers hang out on secret bulletin
board systems, the bedroom bohemias of the computer underground,
right?  Wrong.  In mid-1992, a 16-year-old hacker from San Diego who
called himself Little Loc signed on to the Prodigy on-line service for
his virus information needs.  The experience was not quite what he
expected.

Prodigy had a reputation in 1992 as the on-line service for
middle-class Americans who could stand mind-roasting amounts of retail
advertising on their computer screens as long as they had relatively
free access to an almost infinite number of public electronic mail
forums devoted to callers' hobbies.  Since Prodigy's pricing scheme
was ridiculously cheap per hour, it was quite seductive for callers to
spend an hour or two a night sifting through endless strings of
messages just to engage in a little cyberspace chit-chat.


Into this living-room atmosphere stepped Little Loc, logged on as
James Gentile, looking for anyone to talk with about computer viruses,
particularly his idea of properly written computer viruses.  Little
Loc, you see, had written a mutating virus which infected most of the
programs on a system dangerously quickly.  If you were using
anti-virus software that didn't properly recognize the virus - and at
the time it was written none did - the very process of looking for it
on a machine would spread it to every possible program on a computer's
hard disk. While many viruses were trivial toys, Satan Bug, which is
what Little Loc called his program, was sophisticated enough to pose a
real hazard.  The trouble was, Little Loc was dying to tell people
about Satan Bug. But he had no one to talk to who would understand.
That's where Prodigy came in.  Prodigy, thought Little Loc, must have
some hacker discussions, even if they were feeble, centered on
viruses.  It was a quaintly naive assumption.

The Satan Bug was named after a Seventies telemovie starring George
Maharis, Anne Francis and a sinister Richard Basehart in a race to
find a planet-sterilizing super virus stolen from a U.S. bio-warfare
lab.  Little Loc had never actually seen the movie, but he'd run
across the name in a copy of TV Guide and it sounded cool, so he used
it for his digital creation. Satan Bug was the second virus he had
electronically published.  The first was named Fruitfly but it was a
slow, tame infector so the hacker didn't push it.

A bigger inspiration for Satan Bug was the work of the Dark Avenger,
the shadowy Bulgarian virus programmer whom anti-virus software p.r.
men and others had elevated to the stature of world's greatest virus
writer.  Little Loc was fascinated by the viruses attributed to Dark
Avenger.  The Dark Avenger obviously knew how real computer viruses
should be written, thought Little Loc. None of his programs were like
the silly crap that composed most of the files stocked by the computer
underground.  For example, his Eddie virus - also known as Dark
Avenger - had gained a reputation as a program to be reckoned with.
It pushed fast infection to a fine art, using the very process
anti-virus programs used to examine files as an opportunity to corrupt
them with its presence.  If someone suspected they had a virus,
scanned for it and Eddie was in memory but not detected, the
anti-virus software would be subverted, spreading Eddie to every
program on the disk in one sweep. Eddie would also mangle a part of
the machine's command shell when it jumped into memory from an
infected program.  When this happened, the command processor would
reload itself from the hard disk and promptly be infected, too.  This
put the Eddie virus in total charge of the machine.  From that point
on, every sixteen infections, the virus would take a pot shot at a
sector of the hard disk, obliterating a small piece of data.  If the
data were part of a never-used program, it could go unnoticed.  So as
long as the Eddie virus was in command, the user stood a good chance
of having to deal with a slow, creeping corruption of his programs and
data.

Little Loc was a good student of the Dark Avenger's programming and
although he was completely self-taught, he had more native ability
than all of the other virus programmers in the phalcon/SKISM and NuKE
hacking groups.  "[Virus writing] was something to do besides blasting
furballs in Wing Commander," he said blithely when asked about the
origins of his career as a virtuoso virus writer.

Accordingly, the Satan Bug was just as fast an infector as Eddie and
it, too, would immediately go after the command shell when launched
into memory from an infected program.  But Satan Bug was very cleverly
encrypted, whereas Eddie was not, and it extended these encryption
tricks so that it was cloaked in computer memory, a feature somewhat
unusual in computer viruses but popularized by another program called
The Whale which intrigued Little Loc.

The Whale was a German virus which - theoretically - was the most
complex of all computer viruses.  It was packed with code which was
supposed to make it stealthy -- invisible to certain anti-virus
software techniques.  It was armored with anti-debugging code and
devilishly encrypted, designed purely to flummox anti-virus software
developers trying to examine it.  They would often mention it as an
example of a super stealth virus to mystified science and technology
writers looking for good copy. In practice, The Whale was what one
might call anti-stealth.  Although it was all the things mentioned and
more, when run on any machine, The Whale's processes were so
cumbersome the computer would be forced to slow to a crawl. Indeed, it
was a clever fellow who could get The Whale to consent to infect even
one program.

The Whale appeared to be purely an intellectual challenge for
programmers.  It was intended to mesmerize anti-virus software
developers and suck them into spending hours analyzing it. Little Loc,
too, was drawn to it.  He pored over the German language disassembly
of The Whale's source code.  The hacker even made a version that
wasn't encrypted, pulling out the code which The Whale used to
generate its score of mutant variations. It didn't help. The Whale,
even when disassembled, was loath to let go of its secrets and
remained a slow, obstinately uninfective puzzle.

Have you gotten the idea that Prodigy callers might not be the perfect
choice as an audience to appreciate Little Loc's Satan Bug?

Nevertheless, Little Loc landed on Prodigy with a thud.  He described
the Satan Bug and invited anyone who was interested to pick up a copy
of its source code at a bulletin board system where he'd stashed it.
Immediately, the hacker got into a rhubarb with a Prodigy member named
Henri Delger.  Delger was, for want of a better description, the
Prodigy network's unpaid computer virus help desk manager.  Every
night, Delger would log on and look for the messages of users who had
questions about computer viruses.  If they just wanted general
information, Delger would supply it.  If they had some kind of
computer glitch which they thought might be a virus, Delger would hold
their hand until they calmed down, and then tell them what to do.
And, for the few who had computer virus infections, Delger would try
to identify the virus and recommend software, usually McAfee
Associates' SCAN, which would remedy the problem.

Little Loc was annoyed by Delger, who he thought was merely a shill
for McAfee Associates.  Since Delger answered so many questions on
Prodigy, he had a set of canned answers which he would employ to make
the workload lighter.  The canned answers tended to antagonize Little
Loc and other younger callers who fancied themselves hackers, too.
Prodigy's liberal demo account policy allowed some of these young
callers to get access to the network under assumed names like "Orion
Rogue." This allowed them to be rude and truculent, at least for a few
days, to paying Prodigy customers. These techno-popinjays, of course,
immediately sided with Little Loc, which didn't do much for the virus
programmer's credibility.

There was often quite a bit of talk about viruses and Delger would
supply much of the information, typing up brief summaries of virus
effects embroidered with his own experiences analyzing viruses.
"You're not a programmer!" Little Loc would storm at Delger.  If you
weren't a programmer, you couldn't understand viruses, insisted the
author of Satan Bug. Little Loc would correct minor technical errors
Delger made when describing the programs. In retaliation, Delger would
calmly point out the spelling mistakes made by Little Loc and his
colleagues. It was quite a flame war.  On one side was Little Loc, who
gamely tried to get callers to appreciate the technical qualities of
some viruses.  On the other side was a bunch of middle-aged computer
hobbyists who were convinced all virus writers were illiterate teenage
nincompoops in need of serious jail time, or perhaps a sound beating.

The debates drew a big audience, including another hacker named Brian
Oblivion, whose Waco, Texas, bulletin board, Caustic Contagion, would
provide a brief haven for Satan Bug's author.  Little Loc, however,
soon found other places that would accept his virus source code. Kim
Clancy's famous Department of the Treasury Security Branch system was
among them.  Little Loc logged on and proffered Satan Bug.  The Hell
Pit - a huge virus exchange in a suburb of Chicago - had its phone
number posted on Prodigy, as was that of one called Dark Coffin, a
system in eastern Pennsylvania.  Dutifully, Little Loc couriered his
virus to these systems, too.

Satan Bug was a difficult virus to detect.  Although in a pinch you
could find Satan Bug because of a trick change it made to an infected
program's date/time stamp, for all intents and purposes Satan Bug was
transparent to anti-virus scanners. And this window of opportunity
stayed open for a surprising amount of time despite the fact that
Little Loc had supplied the Satan Bug to all the public virus
exchanges patrolled by anti-virus moles.

Little Loc stood apart from other virus programmers who seemed to have
little interest in whether their creations made it into the public's
computers.  The real travel of his virus around the world would grant
him recognition like that of the Dark Avenger, he thought. So, he
wanted people to take Satan Bug and infect the software of others,
period.  Months later, after the virus had struck down the Secret
Service network clear across the continent, I asked Little Loc how it
might have gotten into the wild in large enough numbers so that it
eventually found its way into such a supposedly secure system.

"I'll tell you this once and only once: Satan Bug had help!" he said,
simply.

After his Prodigy debut and before Satan Bug hit the Secret Service,
Little Loc was recruited by the virus-writing group phalcon/SKISM,
changing his handle in the process to Priest.  Joining phalcon/SKISM
didn't necessarily mean you were going to virus writing conventions in
cyberspace with other members of the group, but it was a badge of
status signifying to others in the computer underground who required
such things that you had arrived, as a virus writer anyway.

Since Priest lived on the West Coast, however, and the brain trust of
phalcon/SKISM was located in the metro-NYC area, there was little
concrete collaboration between the two, especially after Priest racked
up a $600 telephone bill calling bulletin boards.  Since Priest didn't
hack free phone service, his family had to pay the bill, which
effectively cut down on much of his long distance telephone contact
with bulletin board systems like Caustic Contagion in Waco, Texas.

Caustic Contagion, for a short period of time, was one of the better
known virus exchange bulletin board systems.  Its sysop, Brian
Oblivion, had an extremely liberal policy with regards to virus access
and carried a large number of Internet/Usenet newsgroups which gave
callers a semblance of access to the Internet. Caustic Contagion's
other specialty, besides viruses, was Star Trek newsgroups and for
some reason which completely eludes me, the BBS's callers found the
convergence of computer viruses and Star Trek debate extremely
congenial.

Priest and another phalcon/SKISM virus writer named Memory Lapse would
hang out on Caustic Contagion.  Quite naturally, Oblivion's bulletin
board was one of the first places to receive the programmers' newest
creations, often before they were published in phalcon/SKISM's
electronic publication, 40Hex magazine.

Priest's next virus was Payback and it was written to punish the
mainstream computing community for the arrest of Apache Warrior, the
"president" of ARCV, a rather harmless but vocal English virus-writing
group which had been undone when Alan Solomon, an anti-virus software
developer, was able to convince New Scotland Yard's computer crime
unit to seize the hacking group's equipment and software in a series
of surprise raids. Priest's Payback virus would format the hard disk
in memory of this event.  Payback gathered little attention in the
underground, mostly because few people knew much about ARCV and Apache
Warrior in the first place.

Another of Priest's interests was the set of anti-virus programs
issued by the Dutch company, Thunderbyte.  The product of a virus
researcher named Frans Veldman, the Thunderbyte programs were regarded
by most virus writers as the anti-virus programs of choice.  They were
sophisticated, technically sweet and put to shame similar software
marketed by McAfee Associates, Central Point Software, and Symantec,
which manufactured the Norton Anti-virus.

One of Frans Veldman's programs, called TBClean, was of particular
interest to Priest and others because it claimed to be able to remove
completely unknown viruses from infected files.  How it did this was a
neat trick.  Essentially, TBClean would execute the virus-infected
file in a controlled environment and try to take advantage of the fact
that the virus always had to reassemble in memory an uncontaminated
copy of the infected program to make it work properly.  TBClean would
intercept this action and write the program back to the hard disk sans
virus.  Priest and virus writer Rock Steady, the leader of the NuKE
virus-writing group, had also noticed the phenomenon. Both tried
writing viruses that would subvert the process and turn TBClean upon
itself.

Priest wrote Jackal, a virus which - under the proper conditions -
would sense TBClean trying to execute it, step outside the Thunderbyte
software's controls and format the hard disk.  In theory, this made
Priest's virus the worst kind of retaliating program, with the
potential to destructively strip unsuspecting users' hard disks of
their data when they tried to disinfect their machines. (It couldn't
happen if you just manually erased the Jackal-virus-infected program,
but many people who use computers as part of everyday work simply want
the option of having the software remove viruses. They don't want to
have to worry about the technicalities of retaliating viruses designed
to smash their data if they have the temerity to use anti-virus
software.)

Of course, Jackal's development was deemed a great propaganda victory
by the North American virus underground.  Rock Steady nonsensically
insisted Frans Veldman's programs were dangerous software because
TBClean could be made to augment a virus infection instead of remove
it.

Brian Oblivion immediately tried Jackal out.  It didn't work, he said,
but only caused TBClean to hang up his machine.  This was because
Jackal was version specific, explained Priest.  It would only work on
certain editions of the program.  In reality, this meant that Jackal's
retaliating capability posed little threat to typical computer users,
who had never heard of the virus-programmer's favorite software,
Thunderbyte, much less TBClean. Nevertheless, Priest continued to
write the TBClean subverting trick into his viruses, including it in
Natas (that's Satan spelled backwards), which eventually got loose in
Mexico City in the spring of 1994.

All the routines to format a computer's hard disk and to slowly
corrupt data ala the Eddie virus, which Priest had designed his
Predator virus to do, made it clear the hacker cared little for any of
the finer arguments over the value of computer viruses which were
entertained from time to time by denizens of the underground as well
as academics.  Viruses were for getting your name around, infecting
files and destroying data, according to Priest.  He just laughed when
the topic of ethical or productive uses of computer viruses -- such as
the study of artificial life -- came up.

In any case, by the fall of 1993, after Priest had retired from the
Prodigy scene, Satan Bug was generating its own kind of media-fueled
panic.

On the Compuserve network, hysterical government employees were
posting nonsensical alarums about the virus in the McAfee Associates
virus information special interest group.

"Satan's Bug" was part of a foreign power's attempt to sabotage
government computers!  It was encrypted in nine different ways and was
"eating" your data!  A State Department alarm had started!

Wherever the information about "Satan's Bug" was coming from, it was
100 percent phlogiston. Satan Bug was hardly aimed at government
computer systems. It did not "eat" anything and although difficult for
many anti-virus programs to scan, the virus could be found on infected
systems by making good use of software designed to take a snapshot of
the vital statistics of computer files and sound an alarm when these
changed, which always happened when Satan Bug added itself to
programs.

Even more amusing was the suspicion that Satan Bug had been inserted
on government computers by some undisclosed foreign country, from
whence it originated.  I suppose, however, some people might consider
Southern California a foreign country.

Priest enjoyed reading these kinds of things.  His virus was famous,
an obvious source of confusion and hysteria.

About the same time, the Secret Service's computer network in
Washington, D.C., was infected by the virus, which knocked the
infected machines off-line for approximately three days.  News about
the event was tough to keep secret among government employees and it
leaked.  The Crypt Newsletter published a short news piece in its
September 1993 issue on the event and reported that the infection had
been cleaned up by David Stang, formerly of the National Computer
Security Association, but now providing anti-virus and security
guidance for Norman Data Defense Systems in Fairfax, northern
Virginia.

Jack Lewis, head of the Secret Service's computer crime unit, and two
other agents flew out to interrogate Priest in his San Diego home in
October of 1993.

Lewis and the other agents gave Priest the third degree.  They shook a
printed-out copy of The Crypt Newsletter containing the Satan Bug
story in his face and did everything in their power to make Priest
think he ought to cease and desist writing computer viruses forthwith.

"About the Secret Service, they weren't too happy about [Satan Bug],
and saw fit to pay me a little visit," recalled Priest ruefully.

The agents wanted to know everything about Priest - his Social
Security number, where he'd travelled, even who the 16-year-old worked
for.  But Priest didn't work for anyone.

"I'm not quite sure they believed me," he said.  "Apparently, they
thought I worked for some anti-virus company or something to write
viruses.  Plus, they wanted the sources for them."

The Secret Service men wanted to know, straight from the horse's
mouth, what Satan Bug did. "They said some victims were worried their
systems weren't completely clean because they thought it might infect
data files," Priest continued. "I told them it wouldn't.  They also
wanted my opinion on things which surprised me, like different
anti-virus programs and encryption algorithms, including Clipper. I
didn't ask why.

"Jack Lewis also said someone claimed I said 'All government computers
will be infected by December' or some such rubbish.  Apparently, they
thought I wrote Satan Bug as a weapon against the government or
whatever, I can't be too sure . . ."

Priest told them no, Satan Bug wasn't specifically aimed at government
computers, but it was hard to tell if the agents believed him. They
were trained to reveal little, and to be unnerving to those
interviewed.

"They just stared," Priest said, "as they did in response to every
question I asked, including 'what's your name?' I tried - really tried
- to act cool, but my heart was pounding like a hummingbird's."

The agents were keenly interested in Priest's other handles, all the
viruses he had written, which, if any, computer systems he might have
spread them on, the names of some phalcon/SKISM members and the
structure of the virus-writing group and details of their hacking
exploits.

Priest declined to say anything about the identities of members of
phalcon/SKISM. "I told them I knew nothing of the hackers and
phreakers, and little more than you could pick up from reading an
issue of 40Hex."

Priest was more interested in other secretive agencies within the
government.  He cultivated an interest in stories about deep black
intelligence agencies.  Perhaps he envisioned himself writing
destructive viruses as part of a covert weapons project for one of
them.

"Aren't there any other agencies which would be more interested in
what I'm doing?" Priest asked the agents.  He didn't get an answer.

Eventually, the Secret Servicemen went away with a Priest-autographed
printout of the source code to Satan Bug.

Programming Satan Bug had turned out to be richly rewarding for
Priest.  Not only had it gotten him recognized immediately in the
computer underground, it had made him feared in the trenches of
corporate America to the point where the Secret Service had felt
compelled to intervene.

Since the Satan Bug panic was a golden opportunity for anti-virus
vendors to once again market wares, the stories in the computing press
kept coming.  LAN Times put the virus on the front page of its
November 1 issue with the headline, "Be on the Lookout for the
Diabolical 'Satan Bug' Virus." LAN Times East Coast bureau chief Laura
Didio wrote "the Satan Bug is designed to circumvent the security
facilities in Novell Inc.  Netware's NETX program, thereby allowing it
to spread across networks."  While Satan Bug may have certainly spread
across networks, it had nothing to do with the virus's design. It
seemed no matter the truth about Satan Bug, the story just got more
pumped up with phlogiston and air as it rolled along.

"What's NETX?" asked Priest when he heard about the LAN Times article.

Of course, the LAN Times article accurately served as an advertisement
for the Satan Bug-detecting software of Norman Data Defense Systems
and McAfee Associates.

Priest, meanwhile, continued to work on viruses.  He had just
completed Natas, which he'd turned over to the Secret Service and to
phalcon/SKISM for publication in an issue of 40Hex.  He also uploaded
the virus to a couple of bulletin board systems in Southern
California. And he finished a very small, 96-byte .COM
program-infecting virus.  And there were other things he was working
on, he said.

The most interesting fallout from the Secret Service visit was a job
offer from David Stang at Norman Data Defense Systems, said Priest.
Stang wanted the virus programmer to come to work for him, starting in
the summer of 1994, after the hacker finished high school.

Priest said Stang was interested in his opinion about the use of virus
code in anti-virus software.  Such code wasn't copyrighted, so it was
fair game.  Priest thought this was a bad idea.  Too much virus code,
in his opinion, was crappy anyway, so why would anyone want to use it?
But Priest said he would think about the job offer.

By May 1994, Priest's Natas virus had cropped up in Mexico City,
where, according to one anti-virus software developer, it had been
spread by a consultant providing anti-virus software services.
Through ignorance and incompetence, the consultant had gotten Natas
attached to a copy of the anti-virus software he was using.  However,
like most of Priest's viruses, Natas was a bit more than most software
could handle.  The software detected Natas in programs but not in an
area of the hard disk known as the master boot record, where the virus
also hid itself.  The result was tragicomic.  The consultant would
search computers for viruses.  The software would find Natas!  Golly,
the consultant would think,  "Natas is here!  I better check other
computers, too."  And so, the consultant would take his Natas-infected
software to other computers where, quite naturally, it would also
detect Natas as it spread the virus to the master boot record, a part
of the computer where the software could not detect Priest's program.

Natas had come to Mexico from Southern California.  The consultant
often frequented a virus exchange bulletin board system in Santa
Clarita which not only stocked Natas, but also the issue of 40Hex that
contained its source code.  He had downloaded the virus, perhaps not
fully understood what he was dealing with, and a month or so later
uploaded a desperate plea for help with Priest's out-of-control
program. You could tell from the date on the electronic cry for help
-- May 1994 -- when Natas began being a real problem in Mexico.

Natas was another typical tricky Priest program.  When in computer
memory, it masked itself in infected programs and made them appear
uninfected.  It would also retrieve a copy of the uninfected master
boot record it carried encrypted in its body and fake out the user by
showing it to him if he tried to go looking for it there.  Natas also
infected diskettes and spread quickly to programs when they were
viewed, copied or looked at by anti-virus software. It was fair to say
that computer services providers wielding anti-virus software in a
casual manner ought not to have been allowed anywhere near Natas.

Back in San Diego, Priest was still being interviewed on the telephone
by David Stang and other associates at Norman Data Defense Systems.
They were concerned that Priest might leak proprietary secrets to
competitors after hiring, so it was a must that he be absolutely sure
of the seriousness of his potential employment.

By the end of the interview, Priest thought he didn't have much of a
chance at the job, but by July he'd accepted an offer and moved to
Fairfax to begin working for David Stang.  This was the same David
Stang who had written in the July 1992 issue of his Virus News and
Review magazine, "In this office, we try to see things in terms of
black and white, rather than gray . . . The problem is that good guys
don't wear white hats.  Among virus researchers are a large number of
seemingly gray individuals . . .  This grayness is clear to users.
Last week, I asked my class if anyone in the room trusted anti-virus
vendors.  Not one would raise their hand . . . "

But what was Priest working on at Norman Data Defense Systems?

"A cure for Natas," he laughed softly one afternoon in late July,
1994, in the Norman Data office. Looking over the virus once more,
Priest sardonically concluded that his disinfector made it clear the
hacker had made Natas a little too easy to remove from infected
systems. Norman Data Defense had clients in Mexico and at the Secret
Service.

You had to admire the moxie of the young American virus programmer.
He'd set out in 1992 to emulate the world's greatest virus programmer,
Dark Avenger, and ended up being paid cash money to cure the paintpots
of computer poison he'd created. As for that poor stone fool, the
legendary Dark Avenger, he never even got a handful of chewing gum for
his viruses, having the misfortune to have been born in the wrong
place, Bulgaria, at the wrong time, during the fall of Communism.

But by the end of the summer, the blush was off the rose for Priest
and Norman Data, too.  Another manager in the office, Sylvia Moon,
didn't like the idea of the hacker working for the company, Priest
said.  And when management representatives arrived from the parent
corporation in Norway on an inspection tour and were apprised of
Priest's status at a meeting, the hacker heard, they were not
pleasantly surprised to learn there was a virus writer on the staff.
Officially, said Priest, there was no reaction, but in reality, the
hacker felt, the atmosphere was deeply strained.  Nevertheless, said
Priest, David Stang maintained that he would protect the hacker's
position.  And Jack Lewis, said Priest, had contacted the company to
set up a luncheon date with the hacker to discuss more technical
issues.  However, Priest said, David Stang wanted Lewis to provide a
Secret Service statement to the effect that the hiring of the hacker
wasn't such a bad idea.  The luncheon fell through.  The Secret
Service would provide no such statement because, said Priest, it might
be construed as a conflict of interest.  Unknown to him at the time,
the agency had also started spying on his comings-and-goings in
Fairfax.

It all came to an end when one of Priest's acquaintances from the
BBSes called the Norman Data office and left a message for "James
Priest."  Priest was immediately let go.  David Stang, said Priest,
told him the call was an indication that the hacker couldn't be
trusted, that he was still in touch with the underground.

Paranoia and recriminations flew.  There had been an intern from
William & Mary working at the company whose father was a Pentagon
official, said Priest.  The rumor was that Priest had been pumping the
intern for information on how to penetrate Pentagon computers and
siphoning it back into the underground.  It was nonsense, said the
hacker, but it became the official version of events.  These were
pretexts, thought Priest.  The real reason he had to be shown the
door, he said, was pressure from the higher-ups in Norway.  They had
been presented with him as a done-deal hire and it hadn't set well, he
said. David Stang, said Priest, needed a reason to cut him loose and
the phone call from the friend had been the peg to hang it on.  Priest
was a hot potato and he had to go.

Back in San Diego once again, Priest almost sounded relieved.  He had
a Sylvia Moon-autographed copy of a computer book as a memento from
the company and that was it.  However, he had finally been able to
videotape "The Satan Bug" telemovie.  He shifted the VCR into replay
and turned to look at his computer while it was playing.  But the
hacker said he still didn't know what the movie was about when it was
over.  He had been too busy at the PC to pay attention.  Working . . .

copyright 1994 American Eagle Publications

------------------------------

Date: Thu, 2 Mar 1995 14:20:50
From: padgett@GOAT.ORL.MMC.COM(Padgett 0sirius)
Subject: File 3--Re: Press Coverage Bloopers in the Mitnick Story (CuD 7.16)

Jason Hillyard <jasonh@sdepl.ucsd.edu> writes:

>"Hacker case underscores Internet's vulnerability"
>New York Times, February 16, 1995.
><http://www.nando.net/newsroom/nt/216net1.html>

Just a quick comment - was surprised that no highlight of this was
made since *There Is No Security On The Internet* (see RFC 1281). The
net did exactly what it is supposed to do, delivered packets to the
proper recipients. The "vulnerability" was at improperly secured
nodes/sites that the big M gained access to.

Apparently it is "politically incorrect" to imply that certain
facilities should qualify as "attractive nuisances" (this has a
special meaning in the US - see swimming pools) since this could mean
that their management was negligent in not securing them from children
of all ages.

Not saying that criminal acts did not take place, just that there is a
difference between "breaking and entering" and "trespass" (I "assume"
there were "keep out" signs on each ?)  and that the fault should not
be all one-sided. Would make my job easier if some owners/stockholders
would start mentioning things like "culpable negligence" to Those In
Charge of computer systems everywhere.

Obviously my personal opinion only - I am not a lawyer, the ones I
have asked over the years have all said "no precedence".

  			A. Padgett Peterson, P.E.

------------------------------

Date: Sat, 4 Mar 1995 21:20:19 +0000 (CUT)
From: Luc Pac <lpaccagn@RISC1.GELSO.UNITN.IT>
Subject: File 4--Italian BBS Charged with "Subversion"

   STATE CHARGES ITALIAN COMPUTER BULLETIN BOARD WITH 'SUBVERSION'

    On Tuesday, 28 February, at seven in the morning, members of the
Carabinieri Anti-Crime Special Operations Group raided the homes of a
number of people in Rovereto and Trento associated with the local
Self-managed Social Centre 'Clinamen'. Some of those raided are also
active in the Italian anarchist movement.

    The warrant from the Rovereto court spoke of 'association with
intent to subvert the democratic order' (art.270 bis CP), a charge
which carries a very heavy penalty for those convicted of 7 to 15
years imprisonment. The absurdity of the charge speaks for itself.

    Confiscated in the raids were journals and magazines, leaflets,
diaries, notebooks and video tapes, all of which were either publicly
available or else for strictly personal use.

    Also seized was the personal computer which hosted 'BITS
Against the Empire', a node in the Cybernet and Fidonet networks.
Stored on the computer was a vast number of documents concerning
the social use of new technologies, Italy's Self-managed Social
Centres and independent music production, along with hundreds of
electronic reviews publicly available throughout the world computer
network. Having decided quite explicitly from the onset not to hold
any software whatsoever, the founders of the bulletin board (BBS) had
dedicated themselves exclusively to communication through public
electronic conferences and the consultation of texts held in the BBS
archives. There can, therefore, be no substance to any charge of
computer piracy or abusive software duplication, an accusation often
advanced in earlier cases against Italian BBSs.

    The seizure of BITS Against the Empire strikes at one of the
most prominent nodes within the Cybernet network, the first place in
Italy to open itself up to the voices of the non-aligned, to those who
refuse to be represented by the political parties, choosing instead
- both in the virtual and real worlds - the path of self-management.
Nor has Cybernet ever accepted the use of authoritarian instruments
to police the BBS, whether these be 'the laws of cyberspace' or
conference moderators (cybercops), preferring instead to leave
all responsibilities - and thus freedom of action and thought - to
each individual.

    It is precisely these freedoms which are daily negated in the
physical world by the State and its demokracy. Cyberspace has now
been discovered as a new consumer market, and above all as a new
cultural terrain for the legitimation of the first, second and
all subsequent Italian Republics.

      Alongside the sensationalism surrounding their direct actions
against small, insignificant episodes of domestic computer piracy,
the Italian magistrates and police forces have for some years now
shown a certain fascination for places such as Cybernet and the
European Counter Network, places which have experimented with new
forms of social relations, new forms of contaminating culture and
knowledge in the light of digital media.

    It is not surprising that the repressive organs of the State
have reacted to their own technical and social ignorance by seizing
an instrument of communication like a BBS: if they don't understand
something it means they can't control it, and what can't be
controlled is dangerous for a social order based upon fear and
institutionalised violence.

    All those charged have formally applied for the return of the
impounded goods, as they await more information concerning the progress
of the investigation.

    Messages of support and requests for further information can be
sent to:

Internet:lpaccagn@riscl.gelso.unitn.it
Bitnet: lpaccag@itncisti
European Counter Network: Luc Pac 45:1917/2.1
Cybernet: Luc Pac 65:1400/6

------------------------------

Date: Sun, 26 Feb 1995 22:51:01 CDT
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 5--Cu Digest Header Info (unchanged since 26 Feb, 1995)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send a one-line message:  SUB CUDIGEST  your name
Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB <your name>
Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE:  In BELGIUM: Virtual Access BBS:  +32-69-844-019 (ringdown)
         In ITALY: Bits against the Empire BBS:  +39-464-435189
         In LUXEMBOURG: ComNet BBS:  +352-466893

  UNITED STATES:  etext.archive.umich.edu (192.131.22.8)  in /pub/CuD/
                  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                  uceng.uc.edu in /pub/wuarchive/doc/EFF/Publications/CuD/
                  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
  EUROPE:         nic.funet.fi in pub/doc/cud/ (Finland)
                  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

  JAPAN:          ftp.glocom.ac.jp /mirror/ftp.eff.org/Publications/CuD
                  ftp://www.rcac.tdi.co.jp/pub/mirror/CuD

The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
  URL: http://www.soci.niu.edu:80/~cudigest

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

------------------------------

End of Computer Underground Digest #7.18
************************************