Post by thread:[OT]: Mail viruses/Internet Security

{Quote hidden}> hi > ----- Original Message ----- > From: "Jinx" <spam_OUTjoecolquittTakeThisOuTCLEAR.NET.NZ> > To: <.....PICLISTKILLspam@spam@MITVMA.MIT.EDU> > Sent: Saturday, May 26, 2001 7:59 AM > Subject: [PIC]: Mail viruses > > > > In the past fortnight I've received four copies of the Magistr virus > > from four different list members. No harm has been done, but I > > worry about their security. Would everyone please keep their AV > > s/w running and current please. The next virus doing the rounds > > might not be so benign. Thanks > > > > A reminder that Computer Associate's InoculateIT is free and > > updated regularly. No spam, no BS, just the s/w > > > > http://www.antivirus.cai.com > > > > how do we know it doesnt have a backdoor in it? > > andy Disclaimer: I realize that their are other forums to discuss this, but everyone needs to be aware of what is going on nowadays. This is why I changed the topic to [OT] I guess you don't. But then you already have "backdoors/security holes" or these viruses couldn't get in. What about the backdoors already built into windoze? The German govt. doesn't like them. I just head out to http://www.trend.com and scan my system for free, without installing anything. Of course this works by using/exploiting the inherent security problem/danger with active x. If you think your system is somehow secure, you are sadly/dangerously mistaken. It's a trade off plain and simple. For months now I have been watching my firewall log messages such as: May 26 07:56:09 guardian kernel: Packet log: output REJECT eth1 PROTO=6 66.25.8.185:62386 24.93.35.161:110 L=40 S=0x00 I=2112 F=0x0000 T=255 (#51) May 26 07:56:27 guardian kernel: Packet log: output REJECT eth1 PROTO=6 66.25.8.185:62386 24.93.35.161:110 L=40 S=0x00 I=2113 F=0x0000 T=255 (#51) May 26 07:57:54 guardian kernel: Packet log: output REJECT eth1 PROTO=6 66.25.8.185:62388 24.93.35.161:110 L=40 S=0x00 I=2117 F=0x0000 T=255 (#51) May 26 07:57:56 guardian kernel: Packet log: output REJECT eth1 PROTO=6 66.25.8.185:62388 24.93.35.161:110 L=40 S=0x00 I=2118 F=0x0000 T=255 (#51) May 26 07:58:00 guardian kernel: Packet log: output REJECT eth1 PROTO=6 66.25.8.185:62388 24.93.35.161:110 L=40 S=0x00 I=2119 F=0x0000 T=255 (#51) May 26 07:58:08 guardian kernel: Packet log: output REJECT eth1 PROTO=6 66.25.8.185:62388 24.93.35.161:110 L=40 S=0x00 I=2120 F=0x0000 T=255 (#51) It looks benign, doesn't it? You say its only trying to check email. But that is WRONG. That is what it is supposed to look like to the unwashed. The destination IP address belongs to some computer at rr.com. Funny thing is, that this IP fails when you do a reverse DNS lookup. These messages only appear when outlook express is running on my laptop. However, OE looks like it is doing nothing as these messages appear. This is as a result of the roadrunner technician/spyware installer ran something on my laptop (after being told not to run anything, he did this when I had my back turned for a moment) This IP IS a server at rr. I have scoured my laptop for the IP address or some rr.com name and I can't find anything. So therefore the name or IP is encrypted or somehow otherwise stored/hidden in a non plain text format. Since OE doesn't give any indication that this is occurring, rr is using some undocumented "feature" that mickeysoft was kind enough to build into OE. This is blatant violation of my so called right to privacy, but try to get rr to fess up to what is going on. BTW, according to techs at rr, other customers (running really restrictive firewalls) are now starting to notice/question this behavior on their computers. See, most firewalls don't restrict access to pop-servers(port 110) or smtp-servers(25). Mine, however, does. I only allow connections to the pop/news/smtp servers that I specifically use. The above IP is not, I repeat NOT, one of rr's documented pop servers. By documented, I mean one that actually resolves via DNS to pop-server.houston.rr.com. I may not know much about PIC's but I damn sure know a few things about internet security. Take my word for it, you will be hearing more about this in the future, once enough people discover it. Now, in all fairness, this could be a benign thing. They could use this technique to mass-mail to all the account holders at rr without having to stuff each persons mailbox with a copy of the message. This could result in a significant amount of disk space savings. However, why would OE go to so much trouble to hide the fact that this is occurring??? They could have just set up another account to check without trying to hide it. The little icon in the upper right corner doesn't move when this is happening. You can press the send/recv button when its doing its thing and that will occur completely asynchronously with the covert-checking. If OE is in the process of doing this, you can close OE and it will close without delay. Some other interesting behavior: sometimes the destination IP changes to a different one, this implies that the IP is not hard coded, but is looked up. After the last big rr downtime/maintenance OE tried to connect on port 25 a few times. This is really disturbing as it implies that OE was trying to send something out. Fortunately this was also stopped by my firewall. I have not seen anymore of that behavior since. It becomes frighteningly obvious that they (rr) can somehow manipulate this behavior from their end. This in all probability has something to do with the FBI/carnivore fiasco. Unfortunately no matter how sophisticated my firewall is, it would be impossible for me to stop all surreptitious communications. I am fortunate in that this is occurring on privileged ports. You see, when you use windoze update to install security patches (or install anything), you really have no idea what is really being installed, or for that matter, what was already installed with the distribution. Doesn't anyone wonder why the govt. stopped harping on MS. What happened to the break up of the company? It seams reasonable to me that the feds made an agreement with MS involving mutual back scratching. You help us spy, and we will quit hammering you. I know all this sounds like some crazy conspiracy theory, but remember this. Anything, I repeat ANYTHING, that is technically possible will be attempted by someone. Whether it be cloning a sheep, or genetically altering human DNA to create a super soldier. It does not matter what the moral implications are. If morality and a dollar of profit are at issue, which do you think takes priority? Trust me, you have no privacy. If you even think, for a moment, that some corporation or the govt are concerned about you and your privacy/security, I have a bridge in SF bay to sell you. Remember, you heard it here first. So ends my sermon for today. Take care and sleep well knowing that big brother is watching. michael brown -- http://www.piclist.com hint: To leave the PICList piclist-unsubscribe-requestKILLspammitvma.mit.edu

i already knew that :-) dont mention c a r n i v o r e in any emails or you will be logged unless you have earthlink(carnivore free) andrew {Original Message removed}

>dont mention c a r n i v o r e in any emails or you will be logged unless >you have earthlink(carnivore free) Carnivore! Carnivore! CARNIVORE!!! F*** the carnivore!!! :oPPP And the big brother is watching you...Its in your front now... -- http://www.piclist.com hint: To leave the PICList .....piclist-unsubscribe-requestKILLspam.....mitvma.mit.edu

At 12:25 PM 5/26/2001 -0400, Andy N1YEW wrote: >dont mention c a r n i v o r e in any emails or you will be logged unless >you have earthlink(carnivore free) > Actually... I've been known to send emails between my multiple accounts composed of nothing but a string of "watched words" just to see what happens. So far nothing.... If I don't want outsiders to see what I'm emailing I'll just encrypt it anyway... -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Peter L. Berghold EraseMEPeterspam_OUTTakeThisOuTBerghold.Net Schooner Technology Consulting CELL: (732) 539-7920 Unix Professional Services: Sun/Solaris, Perl, Perl/CGI, mod_perl -- http://www.piclist.com hint: To leave the PICList piclist-unsubscribe-requestspam_OUTmitvma.mit.edu

At 01:58 PM 5/26/2001 -0300, you wrote: > >dont mention c a r n i v o r e in any emails or you will be logged unless > >you have earthlink(carnivore free) > > Carnivore! Carnivore! CARNIVORE!!! F*** the carnivore!!! :oPPP > > And the big brother is watching you...Its in your front now... > So... you mean if we were to have an off topic discussion about CARNIVOREs such as dogs, wolves, coyotes, then somewhere there is a mail watching program allegedly called "Carnivore" that will detect the word CARNIVORE in my email and put it on its CARNIVORE list? Kool! ;-) -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Peter L. Berghold @spam@PeterKILLspamBerghold.Net Schooner Technology Consulting CELL: (732) 539-7920 Unix Professional Services: Sun/Solaris, Perl, Perl/CGI, mod_perl -- http://www.piclist.com hint: To leave the PICList KILLspampiclist-unsubscribe-requestKILLspammitvma.mit.edu

me too that is why i got gpg :-) andy ----- Original Message ----- From: "Peter L. Berghold" <RemoveMEPeterTakeThisOuTBERGHOLD.NET> To: <spamBeGonePICLISTspamBeGoneMITVMA.MIT.EDU> Sent: Saturday, May 26, 2001 1:35 PM Subject: Re: [OT]: Mail viruses/Internet Security {Quote hidden}> At 12:25 PM 5/26/2001 -0400, Andy N1YEW wrote: > > > >dont mention c a r n i v o r e in any emails or you will be logged unless > >you have earthlink(carnivore free) > > > > Actually... I've been known to send emails between my multiple accounts > composed of nothing but a string of "watched words" just to see what > happens. So far nothing.... > > If I don't want outsiders to see what I'm emailing I'll just encrypt it > anyway... > > > > -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > Peter L. > Berghold TakeThisOuTPeterEraseMEspam_OUTBerghold.Net > Schooner Technology Consulting CELL: (732) 539-7920 > Unix Professional Services: Sun/Solaris, Perl, Perl/CGI, mod_perl > > -- > http://www.piclist.com hint: To leave the PICList > RemoveMEpiclist-unsubscribe-requestTakeThisOuTmitvma.mit.edu > > > -- http://www.piclist.com hint: To leave the PICList piclist-unsubscribe-requestEraseME.....mitvma.mit.edu

hi ----- Original Message ----- From: "Peter L. Berghold" <EraseMEPeterBERGHOLD.NET> To: <RemoveMEPICLISTEraseMEEraseMEMITVMA.MIT.EDU> Sent: Saturday, May 26, 2001 1:37 PM Subject: Re: [OT]: Mail viruses/Internet Security > At 01:58 PM 5/26/2001 -0300, you wrote: > > >dont mention c a r n i v o r e in any emails or you will be logged unless > > >you have earthlink(carnivore free) > > > > Carnivore! Carnivore! CARNIVORE!!! F*** the carnivore!!! :oPPP > > > > And the big brother is watching you...Its in your front now... > > > > So... you mean if we were to have an off topic discussion about CARNIVOREs > such as dogs, wolves, coyotes, then somewhere there is a mail watching > program allegedly called "Carnivore" that will detect the word CARNIVORE in > my email and put it on its CARNIVORE list? > > Kool! ;-) basically. you just get logged and unless ur wanted they cant access the logs ;-) > > > > -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > Peter L. > Berghold RemoveMEPeterspam_OUTKILLspamBerghold.Net > Schooner Technology Consulting CELL: (732) 539-7920 > Unix Professional Services: Sun/Solaris, Perl, Perl/CGI, mod_perl > > -- > http://www.piclist.com hint: To leave the PICList > RemoveMEpiclist-unsubscribe-requestTakeThisOuTspammitvma.mit.edu > > > -- http://www.piclist.com hint: To leave the PICList EraseMEpiclist-unsubscribe-requestspamspamBeGonemitvma.mit.edu

At 04:52 PM 5/26/2001 -0400, you wrote: >basically. you just get logged and unless ur wanted they cant access the >logs ;-) > OK.. I'll be modfying my mischief CRON job to include the word "Carnivore!" ;-) -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Peter L. Berghold RemoveMEPeterKILLspamBerghold.Net Schooner Technology Consulting CELL: (732) 539-7920 Unix Professional Services: Sun/Solaris, Perl, Perl/CGI, mod_perl -- http://www.piclist.com hint: To leave the PICList piclist-unsubscribe-requestSTOPspamspam_OUTmitvma.mit.edu

> i already knew that :-) > > dont mention c a r n i v o r e in any emails or you will be logged unless > you have earthlink(carnivore free) > > andrew Really. You may be interested in this then. http://grc.com/su/earthlink.htm -- http://www.piclist.com hint: To leave the PICList spamBeGonepiclist-unsubscribe-requestSTOPspamEraseMEmitvma.mit.edu

>me too that is why i got gpg :-) Would gpg be an encrypted form of pgp? :o) -- http://www.piclist.com hint: To leave the PICList KILLspampiclist-unsubscribe-requestspamBeGonemitvma.mit.edu

>> dont mention c a r n i v o r e in any emails or you will be logged unless >> you have earthlink(carnivore free) >Really. You may be interested in this then. http://grc.com/su/earthlink.htm BTW, Steve Gibson is someone that deserves all my respect. Excellent programmer and creator of great software :oD -- http://www.piclist.com hint: To leave the PICList EraseMEpiclist-unsubscribe-requestEraseMEmitvma.mit.edu

At 04:52 PM 5/26/01 -0400, Andy N1YEW wrote: >hi >----- Original Message ----- >From: "Peter L. Berghold" <@spam@Peter@spam@spam_OUTBERGHOLD.NET> >To: <spamBeGonePICLISTKILLspamMITVMA.MIT.EDU> >Sent: Saturday, May 26, 2001 1:37 PM >Subject: Re: [OT]: Mail viruses/Internet Security > > > > At 01:58 PM 5/26/2001 -0300, you wrote: > > > >dont mention c a r n i v o r e in any emails or you will be logged >unless > > > >you have earthlink(carnivore free) Who told you earthlink is carnivore free? -- Dave's Engineering Page: http://www.dvanhorn.org I would have a link to FINDU here in my signature line, but due to the inability of sysadmins at TELOCITY to differentiate a signature line from the text of an email, I am forbidden to have it. -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

www.stopcarnivore.com ----- Original Message ----- From: "David VanHorn" <.....dvanhornspam_OUTCEDAR.NET> To: <TakeThisOuTPICLIST.....TakeThisOuTMITVMA.MIT.EDU> Sent: Sunday, May 27, 2001 12:02 AM Subject: Re: [OT]: Mail viruses/Internet Security {Quote hidden}> At 04:52 PM 5/26/01 -0400, Andy N1YEW wrote: > >hi > >----- Original Message ----- > >From: "Peter L. Berghold" <TakeThisOuTPeterKILLspamspamBERGHOLD.NET> > >To: <.....PICLISTRemoveMEMITVMA.MIT.EDU> > >Sent: Saturday, May 26, 2001 1:37 PM > >Subject: Re: [OT]: Mail viruses/Internet Security > > > > > > > At 01:58 PM 5/26/2001 -0300, you wrote: > > > > >dont mention c a r n i v o r e in any emails or you will be logged > >unless > > > > >you have earthlink(carnivore free) > > Who told you earthlink is carnivore free? > > -- > Dave's Engineering Page: http://www.dvanhorn.org > > I would have a link to FINDU here in my signature line, but due to the > inability of sysadmins at TELOCITY to differentiate a signature line from > the text of an email, I am forbidden to have it. > > -- > http://www.piclist.com hint: PICList Posts must start with ONE topic: > [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads > > > -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

no gpg is GNU Privacy Guard. :-) 2048 bit encryption should be strong enough, considering it took about 160,000 PII 233's to crack RC4 (56 bit key) in 3 months. thats a lot of power (http://www.distributed.net/) check my stats by entering my email :) {Original Message removed}