One thursday morning

22 views
Skip to first unread message

Peter N. M. Hansteen

unread,
Feb 7, 1999, 3:00:00 AM2/7/99
to

Last thursday, tennish:

Phone rings, I pick it up.

Me: "Datadok, Peter Hansteen speaking"

Other: "This is from Dataguard. Did you know your network is wide open?"

Me: "Oh, really. How so?"

Other: "I can see everything on your network. You've got a permanent
connection,"

Me: "Actually not. But you might be lead to think we have."

Other: "OH. But there's an NT server[1] with a share called <something
truly obvious>[2], I'll demonstrate by putting a file called
dataguard.txt there."

Me: "Oh really. Let's see it then."

Other: "Eh, it didn't quite work[3]. But I can send a popup message to
your screen on the NT server, IP address (address of the NT box)."

Me: "That would be quite inconvenient. You see, I'm at a machine at
the opposite end of the building".

Other: "Oh. I just sent a message to the NT server[5]. What's your IP then?"

Me: "I'm at <workstation's host name>"

Other: "And the IP for that is?"

Me: "You mean you can't tell?"

Other: "Well, you really need a firewall there. We've got a great
product which we can set up for you."

Me: "When you can't figure out my IP from my host name, not bloody
likely. But thanks for pointing out the NT security hole[4]
anyway. Bye."

So essentially what we have here is a kiddie with a port scanner and
enough brains to almost grok tcpdump. Nothing unusual there, but he
uses that info to extort the apparently less clued people into buying
into his so called security plan.

Some sort of LART is in order, but I can't quite decide on what's
appropriate. While you ponder the question, some research into
dataguard.no might be in order.

- Peter

[1] Actually, there is an NT server, and yes, the pile of shit
broadcasts netbios packets. In a previous setup, we used diald's
filtering to kill those packets at the gateway, but swithcing to
ISDN, I never quite got around to doing proper filtering
again. Goes to show, I guess, that if somebody inflicts an NT
server on you, you should place both the box and the luser in a
nicely padded, lead lined cell.

[2] First sign of a truly uneducated guess. Our network contains a few
not quite standard features, two totally overlapping domains being
one.

[3] The reason being, no such share exists.

[4] I'm repeating myself, I know.

[5] Out of curiosity, I walked over there a few minutes later. There
was a popup message on the NT server's monitor. At least he
managed to get that right.

--
Peter N. M. Hansteen pe...@datadok.no http://www.datadok.no
Datadokumentasjon A/S, Bredsgaarden 2, N-5003 Bergen, Norway
Tel: +47 55 32 08 02 Fax: +47 55 32 14 95

Edward J. Powell

unread,
Feb 7, 1999, 3:00:00 AM2/7/99
to
Peter N. M. Hansteen (pe...@bgnett.no) wrote:
:
: Some sort of LART is in order, but I can't quite decide on what's

: appropriate. While you ponder the question, some research into
: dataguard.no might be in order.

Not quite sure how things work there in Norway, but my American
neuroimplants[0] are sending "LAWSUIT! SUE THE BASTARDS UNTIL THEY
BLEED!!!" signals to my brain. Hacking and blackmail, I don't think it
would take all that skilled of a lawyer to convict them on those counts...


[0] You know... the culture-override microchips they implant in every
American citizen.[1]
[1] What, you don't have yours yet?

--
Ed Powell, Fledgling SysAdmin and 100% RDA of Dementia
* http://www.visi.com/~epowell


Peter da Silva

unread,
Feb 7, 1999, 3:00:00 AM2/7/99
to
In article <m3679e4...@localhost.localdomain>,

Peter N. M. Hansteen <pe...@bgnett.no> wrote:
>Other: "This is from Dataguard. Did you know your network is wide open?"

At this point you get in touch with whoever you need to trace the call
so you can LART them bigtime. Even if Norway allows doorknob-twiddling, a
little publicity goes a long way to blowing a company's reputation, and
deservedly so.

A company in Houston by the name of Infosec discovered that. And to think I
was giving them their mail feed at the time. A UUCP link from my 386/16
running System V to their Waffle box... god that was painful.

--
In hoc signo hack, Peter da Silva <pe...@baileynm.com>
`-_-' "Heb jij vandaag je wolf al geaaid?"
'U`
"Tell init(8) to lock-n-load, we're goin' zombie slaying!"

Peter N. M. Hansteen

unread,
Feb 7, 1999, 3:00:00 AM2/7/99
to
pe...@baileynm.com (Peter da Silva) writes:

> >Other: "This is from Dataguard. Did you know your network is wide open?"
>
> At this point you get in touch with whoever you need to trace the call
> so you can LART them bigtime.

No need. A few minutes after I hung up on him, he even repeated the
"set up a firewall" offer to me by fax.

> Even if Norway allows doorknob-twiddling, a little publicity goes a
> long way to blowing a company's reputation, and deservedly so.

I must say the thought has struck my mind. A post to the no.*
newsgroups is probably enough for the local tabloids to pick up the
scent. We'll see how scared he gets after this.

Tanuki the Raccoon-dog

unread,
Feb 7, 1999, 3:00:00 AM2/7/99
to
In article <m3679e4...@localhost.localdomain>, Peter N. M. Hansteen
<pe...@bgnett.no> scrobe:
>Last thursday, tennish:

//snip//

>Other: "OH. But there's an NT server[1] with a share called <something
> truly obvious>[2], I'll demonstrate by putting a file called
> dataguard.txt there."
>
>Me: "Oh really. Let's see it then."
>
>Other: "Eh, it didn't quite work[3]. But I can send a popup message to
> your screen on the NT server, IP address (address of the NT box)."
>
>Me: "That would be quite inconvenient. You see, I'm at a machine at
> the opposite end of the building".
>
>Other: "Oh. I just sent a message to the NT server[5]. What's your IP then?"

Hmmm... here in .uk, this sort of behaviour would register
a clear 101% on the Stupid-o-Meter, and could lead to the
person doing it having a subsequent freedom-limiting experience
before a Judge, courtesy of our Computer Misuse Act.
--
!Raised Tails! -:Tanuki:-
http://www.canismajor.demon.co.uk/index.htm
"He's not so much a laughing hyena, more a tittering one..."

Brad Ackerman

unread,
Feb 7, 1999, 3:00:00 AM2/7/99
to
Tanuki the Raccoon-dog <Tan...@canis-major.daemon.co.uk> writes:

> Hmmm... here in .uk, this sort of behaviour would register
> a clear 101% on the Stupid-o-Meter, and could lead to the
> person doing it having a subsequent freedom-limiting experience
> before a Judge, courtesy of our Computer Misuse Act.

Forget about computer misuse -- what about extortion?

--
Brad Ackerman N1MNB "...faced with the men and women who bring home
bs...@cornell.edu the pork, voters almost always re-elect them."
http://skaro.pair.com/ -- _The Economist_, 31 Oct 1998

Charlie Stross

unread,
Feb 8, 1999, 3:00:00 AM2/8/99
to
Stoned koala bears drooled eucalyptus spittle in awe
as <epo...@visi.com> declared:

>Not quite sure how things work there in Norway, but my American
>neuroimplants[0] are sending "LAWSUIT! SUE THE BASTARDS UNTIL THEY
>BLEED!!!" signals to my brain. Hacking and blackmail, I don't think it
>would take all that skilled of a lawyer to convict them on those counts...

Er, portscanning is _legal_ in Norway. So the judges decided last week
or thereabouts: if you're on the net, you should expect to be scanned --
security is your own responsibility.

-- Charlie

Peter da Silva

unread,
Feb 8, 1999, 3:00:00 AM2/8/99
to
In article <36be971c$0$16...@nntp1.ba.best.com>,
Jeff Gostin <jgo...@shell2.ba.best.com> wrote:
>And just -what- is (well, was...) wrong with Waffle?

*is*. I've been running it on UNIX as a support BBS because it's luser
safe and newsgroup compatible.

I don't know about what Waffle on DOS was like to use, I just know that
getting those lusers to reliably stay up, generate valid return addresses,
handle large email messages (large for the time, over 60K or so), and
just generally NOT fill my spool with pending mail because they managed
to break something... THAT was painful.

Besides, these guys were supposed to be a computer security company.

Greg Andrews

unread,
Feb 8, 1999, 3:00:00 AM2/8/99
to
Jeff Gostin <jgo...@shell2.ba.best.com> writes:
>Peter da Silva <pe...@baileynm.com> wrote:
>: A UUCP link from my 386/16 running System V to their Waffle box... god
>: that was painful.
>
><snob mode=HRMPH tone=Humorous>

>
>And just -what- is (well, was...) wrong with Waffle?
>

IIRC, its uucico was hard-coded with a packet size of 64 octets
and a window size of 3. That was fine with 9600 bps and slower
modems, but performance was unnecessarily limited when everyone
moved to 14.4K and faster ones. It also had a hard-coded error
threshold. Get 200 errors during a session, and it disconnected
on you. Didn't matter that the errors weren't consecutive.
200 == Time To Die

-Greg


Jeff Gostin

unread,
Feb 8, 1999, 3:00:00 AM2/8/99
to
Peter da Silva <pe...@baileynm.com> wrote:
: A UUCP link from my 386/16 running System V to their Waffle box... god
: that was painful.

<snob mode=HRMPH tone=Humorous>

And just -what- is (well, was...) wrong with Waffle? It was a -really- nice
package for what it did, and even for some things it didn't do. Heck, I ran
one such node for, oh, about 3-4 years on an old XT, then later on a 386
box, and was quite happy with it. It was a nifty little thing for those of
us that had "real access" at some point, lost it, but still wanted email. :)

If you think SEPTEMBER will never come, try waiting for OCTOBER! Tom, if
you're out there somewhere, we're all still waiting for 1.66. ;)

</snob>


--J

Matt McLeod

unread,
Feb 9, 1999, 3:00:00 AM2/9/99
to
Yea, it is written in the Book of Cyril
that Greg Andrews did write:

>Jeff Gostin <jgo...@shell2.ba.best.com> writes:
>>Peter da Silva <pe...@baileynm.com> wrote:
>>: A UUCP link from my 386/16 running System V to their Waffle box... god
>>: that was painful.
>>
>><snob mode=HRMPH tone=Humorous>
>>
>>And just -what- is (well, was...) wrong with Waffle?
>>
>
>IIRC, its uucico was hard-coded with a packet size of 64 octets
>and a window size of 3. That was fine with 9600 bps and slower
>modems, but performance was unnecessarily limited when everyone
>moved to 14.4K and faster ones. It also had a hard-coded error
>threshold. Get 200 errors during a session, and it disconnected
>on you. Didn't matter that the errors weren't consecutive.
>200 == Time To Die

I'm pretty sure it wasn't hard-coded by 1.65. But it was still
pretty limited. Most people I know who were using it would
use something like FX as a replacement.

And it's rnews sucked. I don't recall the specifics, but it'd
refuse to process some batches.

I can still remember running a Waffle-based BBS for a short
while. Most of the lusers who called couldn't cope with
typing a username instead of their full name, and the
basic CLI was too complicated for 'em.

I suppose, if you really wanted to run a Waffle BBS on DOS
these days, you could probably graft chunks of UUFree
in to get around the problems with the UUCP stuff.

(That can't possibly be UI. If you're even considering doing
that, then you're a very sick person. Maybe even sicker
than the average monk).

Matt

--
Matt McLeod "A baseball cap and a love of rap
A BOFH for all seasons might need sympathy but still
<ma...@netizen.com.au> possibly a homeboy could be
http://www.netizen.com.au/~matt/ a dickhead pure and simple?" - TISM

Ryan Tucker

unread,
Feb 9, 1999, 3:00:00 AM2/9/99
to
In <slrn7bvhf...@hiro.netizen.com.au>,
Matt McLeod <ma...@netizen.com.au> spewed:

>(That can't possibly be UI. If you're even considering doing
> that, then you're a very sick person. Maybe even sicker
> than the average monk).

During an evening of [1], I apparently downloaded a FidoNet nodelist and
started seriously considering linking to FidoNet again. My old node
number is still free... -rt

[1] Self-censored. E-mail me for details. *cough*

--
Ryan Tucker <rtuck...@ttgcitn.com> http://www.ttgcitn.com/~rtucker/
GSM/VM/Fax: +15157712865 Box 57083, Pleasant Hill IA 50317-0002

Jeff Gostin

unread,
Feb 9, 1999, 3:00:00 AM2/9/99
to
Matt McLeod <ma...@netizen.com.au> wrote:
: I'm pretty sure it wasn't hard-coded by 1.65. But it was still pretty

: limited. Most people I know who were using it would use something like FX
: as a replacement.

Quite true. I was one of the sick bastards that started using the FXUUCP
dropins pretty early on. Same with Cnews/DOS (now -that- was amusing to set
up!). Pretty nifty stuff, considering it was DOS. :)

: And it's rnews sucked. I don't recall the specifics, but it'd refuse to
: process some batches.

Yes, that's quite true. It'd barf on some pretty wierd things, but once I
got Cnews/DOS running, it wasn't a problem.

: I can still remember running a Waffle-based BBS for a short while. Most


: of the lusers who called couldn't cope with typing a username instead of
: their full name, and the basic CLI was too complicated for 'em.

Bah. For me, it was a leaf-node. I just wanted my mail and news. The one
thing I /really/ liked about it was the ability to gate mail lists to
newsgroups. It made keeping up with a few active lists -simple-. Okok, so
it's not a terribly impressive thing, but I -liked- it. :)

: I suppose, if you really wanted to run a Waffle BBS on DOS these days, you


: could probably graft chunks of UUFree in to get around the problems with
: the UUCP stuff.

NoThankYouSir. I Monk for a living. I would rather like to avoid Monking at
home, too. :)

: (That can't possibly be UI.

Hey, the package hasn't been updated in 6 years. Even if it was UI "in the
day", it sure isn't now. :)

--J

Jeff Gostin

unread,
Feb 9, 1999, 3:00:00 AM2/9/99
to
[chickenized, and reposted... silly me]

Peter da Silva <pe...@baileynm.com> wrote:

: *is*. I've been running it on UNIX as a support BBS because it's luser
: safe and newsgroup compatible.

Considering that October '93 never happenned, I'd call it 'was'. ;) But, so
far as the rest of your points:

: I just know that getting those lusers to reliably stay up,
DOS was fine. C.B.W didn't seem to indicate there were DOS stability issues,
IIRC.

: generate valid return addresses,
Never had a problem here, but were you letting Waffle spool mail, or did you
pass it off to sendmail or somesuch?

: handle large email messages (large for the time, over 60K or so)
Hmmm. I don't remember this being an issue, either, but then again, I wasn't
shipping around alot of data that alrge.

: generally NOT fill my spool with pending mail because they managed to


: break something... THAT was painful.

Agreed. That was one of Waffle's failing points -- the whole "blind trust"
thing. :)

: Besides, these guys were supposed to be a computer security company.

Tom Dell? If memory serves, he was working at Apple at the time, and doing
Waffle in his spare time, though I didn't have any kind of interaction with
him, so this was all second-hand. :)

--J


void

unread,
Feb 9, 1999, 3:00:00 AM2/9/99
to
On 07 Feb 1999 19:07:08 -0500, Brad Ackerman <bs...@cornell.edu> wrote:
>
>Forget about computer misuse -- what about extortion?

Am I the only one here who thinks the original poster deserves a LART
himself for leaving his fscking network wide-open?

I mean, how sure can he be that the Dataguard luser was the first or only
person to probe his network?

The only excuse I can think of is that he's already submitted the proposal
to switch to a real system, and he's waiting for the big NT security
breach for justification. But if that's the case, he should have staged
it himself by now.

--

Ben

"You have your mind on computers, it seems."

Peter da Silva

unread,
Feb 9, 1999, 3:00:00 AM2/9/99
to
In article <36bff433$0$16...@nntp1.ba.best.com>,

Jeff Gostin <jgo...@shell2.ba.best.com> wrote:
>Peter da Silva <pe...@baileynm.com> wrote:
>: *is*. I've been running it on UNIX as a support BBS because it's luser
>: safe and newsgroup compatible.

>Considering that October '93 never happenned, I'd call it 'was'. ;)

I don't know about October '93, but I bought a license for Waffle for UNIX
around 1995.

>far as the rest of your points:

>: I just know that getting those lusers to reliably stay up,
>DOS was fine. C.B.W didn't seem to indicate there were DOS stability issues,
>IIRC.

DOS stability issues always seemed such a pointless concern. Of course
it was stable, you can't fall out of the gutter.

>: generate valid return addresses,
>Never had a problem here, but were you letting Waffle spool mail, or did you
>pass it off to sendmail or somesuch?

I wasn't running Waffle. I was the guy running System V and watching the
files and bounces fill up my spool directory because the Waffle system I
was dialing up was broken more often than not. I've never touched Waffle
for DOS myself.

>: Besides, these guys were supposed to be a computer security company.

>Tom Dell?

InfoSec Data Security (IIRC), composed of a bunch of ex-LoD guys trying
to turn their darkside reputation into money. And running a Waffle box for
all their email needs.

Jeff Gostin

unread,
Feb 9, 1999, 3:00:00 AM2/9/99
to
Peter da Silva <pe...@baileynm.com> wrote:
: I don't know about October '93, but I bought a license for Waffle for UNIX
: around 1995.

Eep. Sorry about that. Oct '93 was the expected release date of Waffle 1.66.
It never happenned. So far as UNIX licenses... interesting. I didn't think
there was anything happenning, even in '95, with Waffle. I'm glad to have
been corrected, though.

: I wasn't running Waffle. I was the guy running System V and watching the


: files and bounces fill up my spool directory because the Waffle system I
: was dialing up was broken more often than not. I've never touched Waffle
: for DOS myself.

Oh, right. Ok. I can see what you're saying about this, but I'd rather
imagine it was an administrative issue than a reliability issue (not that it
matters at this point).

What can I say? I -enjoyed- running Waffle, at least as a leaf-node. It was
almost fun to do, because of the things I learned, and the people I came in
contact with in the process of doing it.

: InfoSec Data Security (IIRC), composed of a bunch of ex-LoD guys trying to


: turn their darkside reputation into money. And running a Waffle box for
: all their email needs.

Gotcha.

--J

Bram Smits

unread,
Feb 10, 1999, 3:00:00 AM2/10/99
to
"Peter N. M. Hansteen" <pe...@bgnett.no> writes:

>Some sort of LART is in order, but I can't quite decide on what's

Doesn't .no have some interresting lega-LART you can inflict on him ?
Attempting to alter and/or corrupt data on your system, unauthorised use of
resources (sending popup messages) or something like that.

> again. Goes to show, I guess, that if somebody inflicts an NT
> server on you, you should place both the box and the luser in a
> nicely padded, lead lined cell.

I sure hope you accidetally mistyped "place both the luser and the box on
the bottom of a fjord" ?

v__
<"___\____ Bram 'mouser' Smits
--
You have reached extension 666, the helpdesk from Hell.
How can we be of disservice to you ?

Reply all
Reply to author
Forward
0 new messages