Articles

AOP Plans Summit '97!

Submitted by Michele Stewart
1:369/21

Online Summit '97
The AOP 2nd Annual Conference

Planned for September 11-14, Online Summit '97 will be held at the Town & Country Resort and Conference Center in San Diego, CA. Senator Ron Wyden (D-OR), the keynote speaker for Online Summit '97 will address Congress' role in the future of the online world and the internet.

We are anticipating approximately 500 members to OS'97.

Cost for the event is:

                      AOP Members Non AOP-Member
Before August 1, 1997   $200        $350
After August 1, 1997    $300        $450

AOP Online Summit '97 Exhibition Rates:

                      AOP Members Non-AOP Members
10' x 10' booths only   $250        $1,000

AOP Online Summit Hotel Information and Rates:

Garden Rooms        $95
East Tower Rooms    $105
West Tower Rooms    $115

(prices are for single or double occupancy)

For room reservations call:

Town & Country Resort and Conference Center
500 Hotel Circle
San Diego, CA 92108
(800) 542-6082 (inside CA)
(800) 854-2608 (outside CA)
FAX: (619) 291-3584

960 rooms, in-room movies, beauty salon, barber shop, access to Health club, complimentary newspapers 6 days, walk to Fashion Valley shopping.

For Conference Registration or information contact:

Susan Merkel, Director Member Services
ASSOCIATION OF ONLINE PROFESSIONALS
6096 Franconia Road, Suite D
Alexandria, VA 22310
703-924-5800 (voice)
703-924-5801 (fax)
smerkel@bellatlantic.net (email)
Fidonet: 1:109/255

Impressed and Encouraged!
By: Clay Tannacore (1:372/136)

I have just recently completed reading FIDONEWS (1412), dated 24 March 97. In a guest editorial by a FidoNet SysOp named Carl Hultay (1:259/546) I believe I detected the traits of the old "comrade in arms" attitude that at one time was prevalent in the FidoNet community. It is possible that I misunderstood his rationalization, but I don't think so. I positively think I have found someone within the association that literally cares about the imminent problems of FidoNet. While I can not agree with his introspection regarding the forecast for FidoNet, I applaud his tenacity. It is heart warming to hear (read) a fellow Fido-Nut (OOPS) SysOp, at least proclaim his convictions as to the forthcoming future of our brotherhood.

I can relate to his predicaments concerning the "death of hardware", and the instinctive feeling of doom, when you are faced with the loss of a BBS. I (like many thousands before me) have had to endure similar conditions, on a number of occasions. I sympathize with him regarding the loss of users, especially due to financial obstacles, and especially due to the death of a family member (the computer, and accessories. . .[g] ) However, what disturbs me the most, is his reference to the "loss of users." For this gentleman to believe that he will again be able to boast of a user base near one thousand (or maybe more) without admitting that MANY radical changes will have to be contrived in the way FidoNet is operated, is a very discouraging supposition. At present there are just to many opposing forces in FidoNet, for a restoration to a position once held by this organization. To many "I want" attitudes , as well as to many "I gotta' have more power" points of view. Nothing will ever be the same, not in FidoNet's present mode.

Mr. Hultay speaks of the "commercialism" associated with The Internet. What he has apparently dismissed in his attempt to disallow the thought of a FidoNet "doomsday", is that FidoNet is no longer an association completely dominated by hobbyist, but has partially fallen into The Internet like, "Profit For Me" temperament. Many, many bulletin boards systems are at the present time directly competitive with the Internet, in that they conclude that a "pay-for- use" system is the way to go. "If the Internet can do it, then so can I" is something that has become an everyday behavior, a behavior which if it is not discontinued, will eventually bring down FidoNet.

Mr. Hultay goes on to explain his feelings when his computer (hard drive) developed a brain fart, and pooped out. He states that it was at that this in his life that, "I knew that I was a true SysOp. I could not give up. I WANTED my BBS." Mister, if that was your TRUE sentiment at the time. I SALUTE YOU! However, I believe my old professor (psychology 101) might take exception to that. I tend to believe he would more than likely classify you as (in direct English) a Hilter-like-wannabe. . .[g] Of course, you have to take into consideration that Professor Freedmen, pulled a Dr. Jack, and blew his own brains out about 10 years ago! Another predominate trait that FidoNet SysOps seem to have acquired over the last eight or ten years is the power for me temperament. For some reason there seems to be a growing number of SysOps that feel compelled to attain as much power, or influence (ability to intimidate) as possible over their users. Why? I have no idea, except to say what everyone else who has studied this formidable swing in human nature says, that it is a "sign of our times." Of course, this is probably of bunch of horse hockey! Whatever the reason, it is not exclusive of SysOps alone within the FidoNet community. We have an abundance of Network Coordinators with the same, or like, philosophy, not to leave out a number of Regional Coordinators who have become "Hooked On Power", and they think it "Works For Them." Consequently we have a network that will become a little known fleck in history, if "we" do not recognize the problems, and do something about it.

Brothers, I beseech you to take a very close look at FidoNet as it is today. Then try to visualize it five or ten years from now. Look into the prospective for FidoNet, if present conditions prevail, and try to visualize it with all these problems confronted, and corrected. I'll tell you right now, I can see a FidoNet similar to the early years, when Tom Jennings and a few more (caring and dedicated) people produced a telecommunications system unequaled from its conception to the present day. The Internet you say is bigger and has many more features. Maybe! Just keep in mind the GRANDFATHER who led the way for The Internet, and is still BIGGER than that inception. FidoNet was the trailblazer for all the nets which subsequently evolved from it, and with the dedication of those who care about it. It will be again! We can not allow the "me first" people who care for nothing but their own personal gratification to prevail. We can not tolerate those who would bring nothing but hopelessness within the net, to remain. These people must be identified by those who care, and be weeded out.

By now, most of you people are sick and tired of hearing (reading) me complain about what is faulty with FidoNet. Some would even like to see me get off the pot, and make some useful suggestions for the betterment of it. So would I! I could sit hear on my duff, day in and day out spreading my philosophy and criticisms. Chastising the *C structure, the SysOps, and most of all, that piece of garbage that is referred to as POLICY 4. I could do all that, and never add to the prosperousness of the Net. The trouble is, I could do all these things, but nothing would be gained. NOTHING at all! Nothing that is, without *Y*O*U* making a contribution. I (we) need input of everyone who cares one tiny bit about the future of our association. You (the members) SysOps out there who have been sitting on your opinions, for all these many years, and you Regional Coordinators who have opinions for your regions upward movement. The Network Coordinators, who know what is wrong within their individual regions, but are to damned worried about their positions as NC to voice those conceptions for fear of retaliation. Those users out there who read FIDONEWS, who would like to be a part of FidoNet, but because of the antiquated rules, procedures and the general cut throat mentality that is so obviously prevalent, have been reluctant to join. Now is the time to voice your opinions. Join in this endeavor with those who truly care. Let your voice be heard, by those who must listen if FidoNet is to have a reincarnation. Remember, there is safety in numbers, and more importantly, a greater pool of intellect to draw upon. With many voices, there comes many suggestions, and with those many suggestions comes many intelligent and significant recommendations which leads to a aggrandized membership, and a more equable association.

If anyone out there has any hesitancy in believing that I intend to accelerate the demise of those who have been responsible for the shortcomings of FidoNet, let them be assured I fully intend to raise enough hell to either cause sufficient change in the way FidoNet operates, or find myself without a node number, again.

If there are any inhabitants out there who consider themselves real FidoNet people, and would like to join in this crusade, by all means send me some mail (FidoNet, not Internet [gag]) with your suggestions. I am particularly interested in those who have suggestions pertaining to a NEW POLICY document. Those who have any complaints about the monitory provisos dictated by EchoMail Coordinators. Anyone who is infuriated with the multitude of Bulletin Boards (BBS) which indulge in the practice of charging users for access. Anyone who has ever had (what you consider) an unfair decision rendered by your NC, or RC, or both, let me know. Let us right a wrong that has been going on much to long. Do you have any suggestions concerning the EchoMail Policies in the different Nets you have been associated with? How about a REAL EchoMail POLICY for FidoNet, itself? Any ideas on how to better the present procedures or policies? Do you know of any person who is a part of the *C structure of FidoNet (also including SysOps) who have allowed his/her personal opinion of you (or someone else) to influence a rendering of a fair and impartial decision? Have you (or anyone you know) ever been denied a reasonable appeal process by anyone in the position to deny it (NC, RC, SysOp, ZC, et al). These are all questions that must be taken under consideration when attempting to reestablish a network such as FidoNet.

I realize with all the criticism I have expressed in this wonderful outlet (FIDONEWS - Thanks, Chris Baker) concerning FidoNet. I have irritated the hell out of the good-old-boy-network who in all likelihood will now attempt the FidoNetSqueeze. It may even work!

But, who cares? I've said my piece, expressed my opinions, got others to take a closer look at what is going on. I have actually received a few positive responses to the articles printed in FIDONEWS, shocking isn't it? Look folks, I'm not the only one with the desire to better this organization, there are many out there who would like to be proud of FidoNet, again. Perhaps some of these people are worried about what sort of retribution would be forthcoming if they were to speak out, or maybe they are just being a little overly circumspect than is absolutely necessary. Or perhaps their reluctance is justified in light of what has been a trend in FidoNet, of late. Whatever the reason, I believe this open challenge and solicitation for help, just may instigate these people to finally stand up and have their convictions noted.

More bugs
in MS Internet Explorer
& Netscape in Windows

From: "Mike Riddle" <mriddle@monarch.papillion.ne.us>
To: "Baker, Christopher" <cbaker84@digital.net (Christopher Baker)>
Date: Tue, 25 Mar 97 08:20:52 -0600
Reply-To: "Mike Riddle" <mriddle@monarch.papillion.ne.us>
Subject: Fwd: Warning: Latest Win95, Win97 & NT Browser/Networking Security

====BEGIN FORWARDED MESSAGE====

Received: from austin.onu.edu (austin.onu.edu [140.228.10.1]) by monarch.papillion.ne.us (8.7.4/8.6.9) with ESMTP id BAA13578 for <mriddle@monarch.papillion.ne.us>; Tue, 25 Mar 1997 01:37:15 -0600 (CST) >Received: from austin.onu.edu (localhost.onu.edu [127.0.0.1]) by austin.onu.edu (8.8.5/8.8.5) with SMTP id CAA35433 for <mriddle@monarch.papillion.ne.us>; Tue, 25 Mar 1997 02:34:14 -0500
Date: Tue, 25 Mar 1997 02:34:14 -0500
Errors-To: david@drw.onu.edu
Reply-To: network2d-l@austin.onu.edu
Originator: network2d-l@austin.onu.edu
Sender: network2d-l@austin.onu.edu
From: Jeff Beard <jbeard@microlaw.com>
To: mriddle@monarch.papillion.ne.us
Subject: Warning: Latest Win95, Win97 & NT Browser/Networking Security

These security bugs are really starting to bug me -- seriously! IMHO, this one is very disturbing, as it has the very definite potential to compromise security for an entire network.

I do apologize in advance that this message is lengthy, because it requires some technical explanation of what SMB is, and how it relates to the latest (and perhaps greatest) security problem. I also included the Wired news site article (at the bottom of this message) that explains it in plainer language.

THE SECURITY PROBLEM: If you are running either Win95, Win97, or NT, and use either MS IE 3.xx, Netscape 3.xx, or Netscape Communicator 4.0, there is now yet another bug (a whopping SIX security bugs for IE this month! and I think the second one for Netscape) THAT WILL SEND OUT YOUR WINDOWS LOGIN NAME AND PASSWORD TO A REMOTE SERVER which can capture it! And for most network users, their Windows login name and password are also their network login name and password, which of course puts the entire network at risk for break-ins. For example, a person's Win95 login name and password is often the same for their Novell Netware and MS Windows NT server. Cute, huh?

First, let me explain briefly what the SMB protocol is, because it is key to the security flaw -- then the rest of the message will make more sense. I compiled the following information from several web sites that did a good job of describing it:

It has to do with embedding a link (e.g., an image link) in the web page to an SMB server rather than the normal HTTP server. SMB, which stands for Server Message Block, is a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers. It is a higher level protocol which can be transported over TCP/IP, NetBEUI and IPX/SPX. If TCP/IP or NetBEUI is in use, then the NetBIOS API is being used. If SMB is used over TCP/IP or NetBEUI, then NetBIOS names must be used in a number of cases. NetBIOS names are usually the name of the computer that is running NetBIOS. (In many instances, the computer names are referenced by the "\\" prefix to designate a different computer on the network -- this is an important aspect of the security flaw -- read on.)

For more info about SMB and its security problems, you can go to:

http://samba.anu.edu.au/cifs/docs/what-is-smb.html (Describes SMB)
~~http://www.sur.fr.net/ftp/supports/96/netbios-3.html~~ [faulty URL [jb 4/25/01]] (re: Security Problems)

(I'm sure there are a lot of other great SMB sites too, but these were among the first two I found using Alta-Vista when researching this.)

Okay, enough of the SMB explanations. Now that you know what SMB is, here's how the security flaw/bug works:

In a web page, the webmaster can insert a link reference uses a combination of the "file://" URL command followed by the "\\" reference that Win 95, 97, and NT use to refer to and access other servers (as I mentioned above). Then, because your browser sees this link (e.g., an image tag) as a reference to a different server (the SMB server), Win95, 97 & NT automatically send your Windows login name and password to the remote server to log in (the "\\" makes it think that the other PC is part of its network), ALL BEHIND THE SCENES, so the user has no idea whatsoever that this is happening!!! Basically the guy discovered this security flaw by combining different things that were in the previous IE bug reports this month -- very clever. The article below tells network administrators how to block this on their firewall setup, to block access to the SMB server. It appears that the rest of us using Win 95, 97 and NT are just out of luck for now.

The article posted at the end of this message is from the Wired news site, at:

http://www.wired.com/news/technology/story/2702.html

The web site referred to in the article is authored by the guy who discovered the bug, and gives a lot more info about it, as well as demonstrating the bug in real time to you.

WARNING!!! IF YOU GO TO THE FOLLOWING WEB SITE USING WIN95, 97, OR NT, IT WILL MOST LIKELY CAPTURE YOUR LOGIN NAME AND PASSWORD, AND THE SITE POSTS A TABLE SHOWING THE LAST 10 CAPTURED LOGIN NAMES, PASSWORDS (but only shows the beginning of the password for your protection), HOST NAME AND IP ADDRESS, SO YOU CAN SEE IF YOU ARE VULNERABLE, AND THEN TELLS YOU TO CHANGE YOUR LOGIN AND PASSWORD ASAP TO PROTECT YOURSELF! I used my standalone Win 3.1 laptop with no problem (hey, right now Win 3.1 apps are more secure on the Net, IMHO -- so don't knock it <g>). BTW, the "bug" web site mentions that "Notice that the most common account & password I get is 'Administrator' ". So it's capturing administrator logins and passwords as network administrators hear about the bug and visit his site -- full access, good grief. If any of you would like to read the full text from the site without going there, send me an e-mail and I will send it to you, since my Win 3.1 laptop system does not support that security flaw.

The URL for the bug site, if you are curious, is (but remember my WARNING!):

~~http://www.ee.washington.edu/computing/iebug/~~ [faulty URL [jb 4/25/01]]

(The following URL is okay to go to:)

http://www.wired.com/news/technology/story/2702.html

Another Windows Networking Bug Discovered by Toxic

11:56am 21.Mar.97.PST Yet another security-related browser bug has been uncovered, the sixth to affect Microsoft Internet Explorer this month. This latest bug, in the file sharing protocol of both Windows 95 and Windows NT, allows someone to set up a rogue Web site that obtains your username and Windows network password.

Windows NT users of all versions of Microsoft Internet Explorer and many versions of Netscape are vulnerable to this attack - which is not addressed by Microsoft's 12 March browser fix.

As with the rash of recent Internet Explorer security bugs and holes, Aaron Spangler, the bug's discoverer, has created a Web page to demonstrate the vulnerability.

"My bug is twofold," said Spangler, a systems administrator at the University of Washington. "It takes advantage of two exploits. The elegance lies in putting the two together to come up with grabbing people's passwords. That's a pretty scary thing," he said. Spangler has captured more than 940 passwords, many from administrator accounts using weak passwords such as "horse" and "dog."

Spangler said both bugs have affected IE for some time. He first tried contacting both Microsoft and Netscape on 13 March, and created his Web page the next day. He says he received a note from Microsoft saying that they were working on the bug. "But every time I send any more email they don't respond," he says. "They're completely ignoring me. It's frustrating."

Netscape sent an auto-generated response to his email, but has not contacted him since, he said.

The attack relies on the file structure of the Windows operating system, and the behavior of a browser when it encounters a URL that begins with the "file://" scheme. When Windows sees a file: URL, it attempts to read the specified file from the user's local hard disk. For example, file://C:\temp\foo.html will open C:\temp\foo.html from your local hard drive.

However, the Windows file system is designed such that filenames that begin with a double backslash actually reside on another machine. If you take these two factors and combine them, you realize that the file in the example above could also be referenced as a URL, as in file://\\bar.wired.com\temp\foo.html.

When a user attempts to access a file through this method, his Windows machine will connect to the specified server - bar.wired.com in the above example. The server will then attempt to authenticate the user by asking for a username and password. Windows will automatically send the information entered by a user when they logged into their own Windows network, which is what most users do when they first boot their machine. Windows will only prompt the user for a password if the values entered at startup are not accepted by the remote server.

Spangler's demo page contains an "<IMG>" tag that references an image stored on his SMB server instead of his Web server. When you load his page, your browser will attempt to load the image. It will connect to Spangler's Windows file server, and when requested, automatically send your username and password. You will receive the image, and Spangler will receive your password. Everything appears perfectly normal to the Web surfer.

Spangler says the fix is really trivial. "All [Netscape and Microsoft] have to do is make it so their Web browser will not accept URLs that come from an SMB server. It's a little statement that they can put in their code," he said.

Network administrators can protect users on their network by blocking TCP port 139 on their outgoing firewall (port 139 is the SMB port). An outgoing firewall configured in this manner will not allow traffic from a protected network to reach port 139 of any machine on an outside, untrusted network, and will thus thwart this kind of attack.

"Microsoft is checking into all bug reports and taking them very seriously," said a Microsoft spokesperson. "If it is something [engineers] need to change, they will do something about it."

Netscape could not be reached for comment.

----
Good grief!!! Now we have to stand in line to report browser/OS security flaws!

John L., I think this is a pretty good illustration of our discussion re: increasingly serious security flaws, don't you?

Jeff

Jeffrey J. Beard, Esq.
Legal Systems Consultant
MicroLaw, Inc., Milwaukee, WI

E-mail: jbeard@microlaw.com
Web Site: http://www.microlaw.com

====END FORWARDED MESSAGE====