c0mput3r n3ws
Who's Bitching Now??

Hackers put racist, anti-government slogans on embassy site

Web posted at: 1:07 p.m. EDT (1707 GMT)

(CNN) -- Hackers hit a Web site for the U.S. embassy in China Tuesday, replacing its home page with racist and anti-government statements.
A group named Level Seven Crew claimed responsibility on the page for the prank, making references to bombing China and a "war of skill" with hackers started by the FBI.
The State Department was not available for immediate comment, and Level Seven did not respond to e-mail.
The Attrition.org Web site, which monitors and mirrors hacked sites, shows that Level Seven has hacked more than two dozen Web sites this year, including those belonging to the NASA Goddard Space Flight Center, Atlanta Braves, Linux headquarters, Sheraton Hotels, Beyond Software and Santa's Official Page.

(Credits to a Reporter from CNN)


Hacker ruse can exploit ActiveX Controls
Web posted at: 12:39 p.m. EDT (1639 GMT)
by Ellen Messmer

(IDG) -- If you're using Microsoft Outlook Express in Internet Explorer 5.0 for e-mail and you don't disable the ActiveX Controls feature, someone could send you a message that could wipe the files off your hard drive or put a new file onto it.

Bulgarian computer consultant Georgi Guninski recently showed how the deceit can be done by embedding malicious script in an Internet mail message that can delete files while the victim is reading the message with Microsoft Outlook Express. This exploit takes advantage of ActiveX Controls, Microsoft's technology for executing a program on the Web, and doesn't appear to work with Internet Explorer 4.0.

"What Georgi did was create the 'nuclear e-mail message,' " claims Richard Smith, president of Cambridge, Mass., tools developer Phar Lap Software, who has kept close track of the security implications of ActiveX since Microsoft started developing the technology in the early 1990s.

"We have been anticipating something like this for years. In theory, it's no longer safe to read e-mail if you use Outlook Express," he says. "When you hear about browser exploits, think e-mail, too." In his presentation at the Usenix security conference, Smith explained how Guninski's ploy works. The Outlook Express e-mail viewer reads HTML by default with Internet Explorer 5.0.

Guninski's "nuclear e-mail" takes advantage of an ActiveX Control called "Object for constructing type libraries for scriptlets," or "Scriptlet Type Lib" for short, that ships as part of Internet Explorer 5.0.

In this case, Guninski's malicious code instructs Internet Explorer 5.0's ActiveX Control to wipe out an entire hard drive if the attacker drops an executable to do so. The trick also can add files to the user's hard drive, regardless of the Microsoft browser's security settings.

"Microsoft has shipped from the factory an ActiveX Control marked 'safe for scripting,' which it shouldn't have," Smith says. For its part, Microsoft last week acknowledged the problem, although the company did not make its technical staff available to talk about it. A company spokeswoman did acknowledge the vulnerability means "you can drop an executable file into the system to do whatever you want. It could do anything."

Microsoft issued a statement advising users concerned about the problem to disable ActiveX Controls until the company releases a patch for its browser. Guninski works as a security consultant for Netscape, which is now part of America Online. A spokeswoman there says Guninski was hired to review present and future Netscape products after discovering security problems in Netscape Communicator earlier this year. But she and Guninski denied Netscape was paying Guninski to crack Microsoft products.

The ActiveX e-mail escapade is just the latest in a long line of troubles associated with the technology, asserts Smith, who says about a dozen other ActiveX Controls written by Microsoft also need to be fixed. Microsoft provides the tools to let others - both the good guys and the bad guys - write ActiveX Controls. Smith says he is concerned that ActiveX Controls are proliferating in a way largely unknown to users, as the Controls ship with a growing number of laptop, computer and software applications.

"These preinstalled ActiveX Controls are the ones I see as very dangerous," Smith says. "Active Controls are pretty difficult to write, and these are written by the good guys. I'm talking about Controls you never have the option not to install - I call them 'accidental Trojans.' "

For instance, the Hewlett-Packard Pavilion laptop comes with an ActiveX Control called "Launch," designed to be used with the HP "System Wizard" for system diagnostics. Smith thinks it offers a back door into the laptop. 1Kodak's imaging software that ships with Windows 98 has a Control to override files. It looks like a GIF file in the directory, but it's actually an unsafe ActiveX Control, Smith contends. A Toshiba laptop Smith looked at came with about 1,000 preinstalled ActiveX Controls.

To locate ActiveX Controls, Microsoft makes a tool called OLE View, part of the Visual Studio and Visual C++ developer's kits. Smith says that he and his colleagues have not found a large number of ActiveX Controls embedded on public Web sites, probably because of the numbers of users still running a Netscape browser, which doesn't run ActiveX, he surmises.


Federal agency recruits hacker teens VIDEO CNN's Ann Kellan looks at a 15-year-old hacker being recruited by the NSA Windows Media 28K 80K --------------------------------------------------------------

Mike Hudack III talks about joining the NSA
Real 28K 80K Windows Media 28K 80K Web posted at: 11:21 a.m. EDT (1521 GMT) FAIRFIELD, Connecticut (CNN) -- What image comes to mind when you hear the word hacker?

If it's someone evil or malicious, somebody breaking into computers illegally, you're only partly right. For instance, Mike Hudack is your typical teenager. He hangs out with friends, loves pizza and argues with his parents that he really is old enough to drive. So why would the National Security Agency be interested in him? Because this 16-year-old is a computer whiz, a hacker. "Not every hacker, not everyone who calls themselves a hacker, is a bad person," Mike says. "Most hackers are not malicious. They are good people."

Mike was 12 years old when he bought his first computer. "And I took it home, and I loved it so much," Mike says. "One of the first things I did with it is I took it apart and then put it back together." He even set up his own hacker news Web site, offering security advice to government agencies. That is how he got the NSA's attention.


"They visited my site every day and I e-mailed them, they e-mailed me back, telling me about their recruitment program," Mike says. The NSA says it recruits students like Mike and will pay four years of college tuition, room and board and even a salary. In exchange, students work summers and at least five years after college for the NSA. It's tempting for someone like Mike who baby-sits every day after school and during the summer to make a buck. But he wonders if he can work for the NSA, given that he disagrees with some its policies. "I would have to think long and hard before I did it," Mike says.

CNN Correspondent Ann Kellan contributed to this report. ___________________________________________________________________

Wednesday October 18, 8:59 pm Eastern Time
Symantec's Norton products rescue quarter
(UPDATE: releads, adds earnings details, outlook, updated stock price, CEO comments)

NEW YORK, Oct 18 (Reuters) - Symantec Corp.(NasdaqNM:SYMC - news) said on Wednesday that demand for its Norton line of computer security products helped overcome a disappointing performance by its other products as it reported second-quarter earnings that beat Wall Street's expectations. For the quarter ended Sept. 29, the Cupertino, Calif.-based company said earnings before one-time charges rose 47 percent to $45.8 million, or 72 cents per share, compared with $31 million, or 52 cents in the year-ago period. Analysts had expected the company to earn 69 cents in the second quarter, according to research firm First Call/Thomson Financial.

The figures for both years did not include charges related to acquisitions, divestitures nor other one-time charges. Including the non-core items, the company said net earnings were $39 million, or 61 cents a share, compared with $24 million, or 40 cents a share, in the year ago period. Nevertheless, shares of Symantec were down in after-hours activity on the Instinet brokerage system, where shares traded at 34, down from its Nasdaq close of $39-9/16 on the poor performance of its pcAnywhere, which allows workers to tap into their corporate networks from remote locations.

``I would categorize our quarter in one simple product challenge and that is pcAnywhere just didn't deliver the kind of results we had expected,'' Symantec Chairman, Chief Executive and President John Thompson said in a conference call with analysts.


``That's across the board in every region in every market. The demand was not there for that product. One of the issues that comes through loud and clear from our customers is they like pcAnywhere because they really need the functionality but they'd like it to be more secure.'' Thompson said the company would work to beef up the security aspect of pcAnywhere for the next generation of the product expected to be released in March and reinvigorate its growth rate to the mid-teens to high-20 percent.

The strong dollar and sagging international currencies, especially the euro, also cost the company about $6.5 million in revenue and 6 cents a share, company officials said. However, Symantec's consumer products, lead by its Norton anti-virus products, turned in a stronger-than-expected performance of 19 percent growth, instead of the targeted 10 percent.

In the wake of the quarter, the company said it expects fiscal 2001 revenues to be up by only 15 percent to 16 percent instead of the 20 percent. About half of the decline is likely to be the result of weak foreign currencies, company officials said. Symantec still expects 2002 revenues to be up 27 percent. For the third quarter, the company said it sees revenues in the range of $206 million to $212 million and earnings per share to be between 73 cents to 79 cents.

Pro-forma revenues, accounting for a divestiture in 1999, rose 14 percent to $192.3 million from $169.2 million. Thompson said the company's planned acquisition of AXENT Technologies Inc., maker of security products for large businesses, is expected to close by the end of December. Following Symantec's release of its third-quarter financial statement, Rockville, Md.-based AXENT announced earnings of 7 cents a share that missed Wall Streets expectations by 3 cents a share.


Tech industry: No new anti-hacker laws
WASHINGTON (AP) - Congress appears eager to propose new or broader computer crime laws amid dramatic attacks on some of the Internet's flagship sites, but the technology industry is reluctant about broader government involvement even in online security.

Special report on Web security

The industry's sentiments - reflecting its traditional reticence against inviting government into its affairs - were delivered to Congress at a hearing Tuesday. They illustrate the gulf between Washington and the technology industry even beyond the 2,400 miles physically separating the epicenters of the two cultures. Panels from the House and Senate Judiciary committees organized the hearing to determine what changes, if any, are needed to existing crime laws in the wake of recent electronic attacks that disrupted for hours Web sites run by Yahoo!, Amazon.com, eBay, ETrade and others.

Deputy U.S. Attorney General Eric Holder testified Tuesday that the Justice Department is ''taking the attacks very seriously and ... we will do everything in our power to identify those responsible and bring them to justice.'' Holder acknowledged the industry's concerns that private companies should be responsible for securing their networks. ''We recognize that we in government will not be able to solve all these problems,'' Holder said. ''We believe the private sector should take the lead in protecting private computer networks.''

But Holder also said that some companies' security efforts eventually will fail. ''In such cases, law enforcement must be prepared and equipped to investigate and prosecute cybercriminals in order to stop their criminal activity, to punish them and to deter others who might follow in their path.'' Industry leaders appeared largely uninterested in new laws. Companies are worried about bad publicity or poor consumer confidence if they're identified in court as victims. Many are more concerned about restoring online business quickly than enduring a protracted legal investigation that results in the arrest, for example, of a misguided college student.

''Infrastructure security ... does not lend itself to government management,'' Microsoft's chief information security officer, Howard Schmidt, said in remarks prepared for the hearing. ''... The private sector has the knowledge and expertise to help fight against computer crimes on the infrastructures on which they operate.'' Schmidt warned lawmakers against ''unnecessary outside regulation or interference in the operation of dynamic, very productive businesses.'' The FBI still is trying to trace the origin of the assaults, which used dozens of ''zombie'' computers nationwide where attack software had been implanted and activated by hackers. The technique, called a ''denial of service,'' is similar to programming fax machines to dial a company's telephone number repeatedly to prevent other incoming calls.

Rep. Bill McCollum, R-Fla., chairman of the House crime subcommittee, was expected to poll federal authorities and technology executives whether existing laws against hacking - which typically prohibit breaking into computers - can be used to prosecute vandals in denial-of-service attacks. In most of the recent attacks, the companies and their Internet providers successfully filtered incoming ''junk'' data within hours to restore service to their Web sites. Yahoo!, for example, indicated that financial losses from the attack weren't serious. ''The technology industry showed that it can respond swiftly and effectively, taking steps to quickly beat back the attacks to make it harder for similar assaults to succeed in the future,'' Charles Giancarlo, a senior vice president for Cisco Systems Inc., said in prepared testimony.

Cisco, which makes computer hardware used by many of the major sites, helped stem the attack against the online auction site, eBay Inc. Giancarlo added that he was not asking Congress for new laws in the area of Internet security. An executive for Amazon.com, whose Web site fell under attack for more than an hour late Feb. 8, said his company supports better training and more money for federal agents to become digital detectives.

''Current laws ... appear to provide some prosecutorial authority and have been used successfully in several recent hacking cases,'' said Paul Misener, Amazon's vice president for global public policy. Congress has already offered to write new laws or change existing ones to protect Internet companies. Sen. Kay Bailey Hutchison, R-Texas, has promised legislation to double the penalties for hackers to 10 years in prison for a first offense and 20 years for a second offense.

( My commentary, Shut the fuck up already )


Two views of hacking

For different perspectives on hacking, CNN Interactive posed a series of questions via e-mail to two experts in the field, one a computer security expert for IBM, the other, editor of 2600, the Hackers' Quarterly.

-------------------------------------------------------------------------------- 'Hackers are necessary'

(CNN) -- Emmanuel Goldstein is the editor-in-chief of 2600: The Hacker Quarterly and hosts a weekly radio program in New York called "Off the Hook."
1. How do you define hacking?

Hacking is, very simply, asking a lot of questions and refusing to stop asking. This is why computers are perfect for inquisitive people -- they don't tell you to shut up when you keep asking questions or inputting commands over and over and over. But hacking doesn't have to confine itself to computers. Anyone with an inquisitive mind, a sense of adventure and strong beliefs in free speech and the right to know most definitely has a bit of the hacker spirit in them.

2. Are there legal or appropriate forms of hacking?

One of the common misconceptions is that anyone considered a hacker is doing something illegal. It's a sad commentary on the state of our society when someone who is basically seeking knowledge and the truth is assumed to be up to something nefarious. Nothing could be further from the truth.

'Hacking is a felony'

(CNN) -- Dr. Charles C. Palmer is the manager of Network Security and Cryptography and head of the Global Security Analysis Lab, which includes IBM's ethical hacking unit.
1. How do you define hacking?

Hacking is unauthorized use of computer and network resources. (The term "hacker" originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.)

2. Are there appropriate forms of hacking?

Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an ethical hacker and an organization, it's OK. The key difference is that the ethical hacker has authorization to probe the target.


(More Microsoft growth, like they are not big enough already)
Wednesday October 18 8:01 PM ET

Microsoft Profit Surprises with Strong Growth

By Scott Hillis

SEATTLE (Reuters) - Software giant Microsoft Corp. (NasdaqNM:MSFT - news) on Wednesday posted a quarterly profit that blew past expectations, powered by shrinking expenses, growing investment gains, and momentum in its flagship product, the Windows 2000 (news - web sites) operating system. Microsoft, whose Windows software runs most personal computers, said its net profit in its fiscal first quarter ended Sept. 30 rose 18 percent to $2.58 billion, or 46 cents a share from $2.19 billion, or 40 cents a share, a year earlier.

Including a change in how it must account for some hedging activities, the quarter's profit was 40 cents a share. The Redmond, Wash.-based company was expected to show a profit of 41 cents a share, according to estimates compiled by First Call/Thomson Financial.

Revenues totaled $5.8 billion, compared to $5.38 billion a year earlier.

Analysts said they were relieved that Microsoft did not spring any nasty surprises on a market that has been battered by a string of bad news, diminished expectations and profit warnings by other technology heavyweights. ``I was very encouraged,'' said Scott McAdams, president of Seattle-based brokerage McAdams Wright Ragen. ``If you were looking for bad news, there just wasn't anything there.''

Treat, Not Trick

The higher-than expected profit was surprising since most analysts had expected the company to just meet estimates or perhaps top them by a penny or two at most. ``In general we feel good about the quarter. We came in with net revenue slightly higher than we expected, and net expenses were slightly lower, so our earnings per share got a bump in the quarter that was greater than what was probably expected,'' Chief Financial Officer John Connors said in an interview. Investors sent shares of Microsoft up $4, or 6 percent, to $55-3/4 in after-hours trading. The stock has fallen from its high of $119-15/16 last December. A component of the Dow Jones industrial average, the stock rose 2.6 percent to $51-3/4 in regular trading on Wednesday amid a nearly 115-point drop in the blue-chip index.

``I feel like we're out of the woods with the stock,'' McAdams said. ``The Street was extremely worried that they were going to downgrade their number'' for future earnings. Although Microsoft didn't lower guidance, it gave typically conservative forecasts for the rest of the year, saying it expected earnings for its full fiscal year to come in ``a few pennies higher'' than the current consensus analyst estimate of $1.88 per share due to the strong first quarter performance. ``It seems likely that revenue will be up in the low teens on a comparable basis, and up in the high teens sequentially. Operating income and EPS (earnings per share) should increase in line with revenue growth,'' Connors told financial analysts on a conference call. ``If the trends that we see continue, we are on track with our full-year expectations,'' Connors said.

Windows To Take Over From Investments

Profits were also helped by higher gains on Microsoft's vast investment portfolio, which earned $1.13 billion in the quarter, compared to $550 million a year earlier. About half of that was from two big transactions: the sale of its electronic billing business TransPoint and the merger of Titus, a Japanese cable television company in which Microsoft had a substantial stake, with a rival, Connors said. Heaping more on the ``plus'' side of its balance sheet, Microsoft also reported that it had a whopping $24.7 billion in cash or short-term cash equivalents. Microsoft consistently uses investment gains to help it meet profit targets, analysts say. Such gains have increased in recent quarters, coinciding with a lull in the company's product cycle as it waits for Windows 2000 to gain traction.

Connors said both Windows 2000 and the Windows Me operating for home users saw strong sales in the quarter, and, addressing a key worry among analysts, he repeatedly sounded a bullish note on Windows 2000, saying sales were on track to meet internal targets. ``The best way to characterize Windows is in this quarter, if you take the client and server and add them together, we had a record quarter. We're on track with where we hoped Windows 2000 would be,'' Connors said. Along with so-called server products such as the SQL Server 2000 database and Exchange 2000 communications software, Windows 2000 forms the cornerstone of Microsoft's new .NET strategy to weave the Internet into all its products. ``You've got clear evidence that Windows 2000 is getting traction and that server products are gaining traction,'' McAdams said.

Cloud Over Europe

One cloud over Microsoft's operations was Europe, where a weakening euro, Europe's unified currency, was casting a shadow on PC demand and revenues, Connor said. ``The weak euro is really hurting a number of technology companies and us as well,'' Connors said, noting that Microsoft booked 8 percent less quarterly revenue in U.S. dollar terms from Europe than a year earlier due to the euro's slide.

PC demand in Europe would likely remain sluggish because most machines were built by U.S. companies and priced in U.S. dollars, making them about 25 percent more expensive to European consumers than a year ago. However, Connors said that overall PC demand in the quarter had met Microsoft's diminished expectations, but was not lower, as many analysts had feared following warnings from other industry heavyweights such as chip-maker Intel Corp. (NasdaqNM:INTC - news) and PC maker Dell Computer Corp. (NasdaqNM:DELL - news).

More News to Come