* via http://theMezz.com/lists * subscribe at http://techPolice.com
w00w00's Instant Message: Listen Up, AOL By Don Oldenburg, Washington Post Staff Writer Saturday, January 5, 2002; 10:09 AM By Wednesday morning, Matthew Conover had impatiently waited a week. All he wanted was word one from America Online, acknowledging the two e-mailed warnings he'd sent them. Any indication would do. He just needed to know that the world's largest Internet service provider was working on the security hole he uncovered in its Instant Messenger feature, so millions of AOL users worldwide would be protected from getting hacked big-time. But nothing came. No phone call. No e-mail. A thank-you note might have been nice. So Conover did what he said he'd do: He "code-redded" AOL, went public. Somehow he figured it would come to that. What he hadn't figured on was the explosion of national media attention an AOL security flap would spark — from the New York Times to Associated Press to NBC's "Today" show. When Conover answered his telephone Thursday morning, his voice sounded as flat as a no-trespassing sign. No "Hello," just "Yeah?" He was weary of attention. In 24 hours Conover's status had escalated from a virtual nobody to a techie hero, or rogue, depending on your perspective. Some folks hailed him; some lambasted him because he revealed part of the code that could be used to hack. "I wasn't expecting this much commotion," says the 19-year-old from his apartment near Utah State University, where he's a computer science undergrad. "What we're happy about is that AOL has responded. The problem's getting fixed. But this has gotten more attention than I wanted." The header on the message Conover sent to two online computer security discussion lists to reveal AOL's glitch was simple: "w00w00 on AOL Instant Messenger (serious vulnerability)." Other than the peculiar "w00w00" part, it didn't seem remarkably different from a dozen or so other technical analyses of security breaches, viruses and difficulties posted by others this week or any other week. But what's w00w00? It's a network of more than 30 computer security hotshots spanning nine countries and 14 states that Conover calls "the world's largest nonprofit security team." They operate uninvited and sometimes unwelcome. Conover founded w00w00 Security Development three years ago — when he was in high school. It was sort of a weird science project. The name is pronounced "woo-woo," but spelled with zeroes instead of O's. Conover thought it was a "completely humorous" name; at the time, "woowoo" was a buzzword in computerdom used for effect in e-mails and speech. "We kind of latched onto that," he says. The w00w00 Web site (www.w00w00.org) has an audio clip of a comedian doing shtick on the woo word, saying it's the only true universal word. No matter where you go in the world, goes the punch line, you will find someone drunk and shouting, "Woo woo woo!" Conover usually shortcuts the name to just w00. He says the unusual group of highly skilled security sleuths is "nonprofit" only unofficially. Members volunteer their expertise and hours to battle bugs on computers and on the Internet. Many of them — including Conover — work full- or part-time day jobs as professional security brainiacs for corporations or as consultants or academic researchers. That's where they met one another and where they get new members — referral is the only way new members can join. "People don't officially take any vows and there are no obligations to the group," says Conover. "It is something we do for fun. It is a passion." Conover uses his name openly representing w00, but some members keep their affiliation secret, and others go by pseudonyms. Most members share similar philosophies and ideologies about the cyberworld — and stay tightknit by routinely communicating online in real time. On the group's Web site are photographs of w00 meetings and social outings. Members appear to be mostly younger, postgrad-looking people, some beer-bellied, some tongue-studded and ponytailed, a few older, sneaker-wearing. Presumably some are drunk and shouting, "Woo woo." "Best of all, we're all friends, talk about everything from crypto to reverse engineering and general software development, and get together offline all the time for meetings, beers, partying," Jordan Ritter, 24, says of the core w00 community, based mostly in San Francisco and Silicon Valley in the West and Boston and New York in the East. Ritter, a third-year w00 who was one of the developers of Napster and is starting an anti-spam technology company in San Francisco, says he and Conover got together recently to catch "The Lord of the Rings." Is the group a Cyber Robin Hood and his Merry w00s? Ritter doesn't buy the renegade do-gooder image — he defines the network as "a tightknit group of security professionals of all types that trust each other implicitly." Neither does Conover, who maintains that w00 is "more of an academic research-type group, and I don't know if there is an interesting way to put that." What Conover doesn't appreciate are perceptions outside the security industry that w00 members are a band of computer geeks or — worse — hackers. "We're all geeks in our own right," he says. "But at the same time, you would probably never guess I'm in computer security by looking at me. I look like your typical college student." Hackers? "In all senses of the word, we differ from hackers," he says. For one, w00 members are careful to keep their research legal. "Aside from the interest in security, we're on opposite ends of the spectrum. We're trying to prevent hackers." Their evidence: Over three years, w00 has released 10 advisories on faulty programs. Its first: a little-known problem called a "heap overflow" that showed up in a variety of consumer software. Its most notable: a buffer overload in Norton AntiVirus 2000 software. But nothing has raised the eyebrows like the AOL hole, what Conover and his computer cronies found buried in the binary bowels of the Instant Messenger feature. As they explained in their advisory Wednesday, this is a security flaw big enough to drive a Mack truck through, certainly big enough that malicious hackers could gain remote command over the computer of any AOL user who uses Instant Messaging. But critics protested that because w00 added to the advisory partial "exploit codes" — which if fully developed would take advantage of the glitch — they armed hackers with tools to break systems. Elias Levy, chief technology officer of SecurityFocus, the company that runs the BugTraq mailing list where Conover posted the advisory, calls it "good work, certainly," but thinks publishing the code wasn't necessary. "Breaking software is a lot easier than writing good software," he adds. "Not to minimize the research that people like Matthew do, but a hacker only needs to find a single hole in the armor whereas the software writer needs to close every hole." Russ Cooper, public liaison on Internet security issues at the computer security company TruSecure, agrees with Levy: "Why I say they were irresponsible is because they released the functional exploit code." Conover says the exploit code he included was not fully functional — it could shut down the Instant Messenger and no more. He says he included it to prove w00's claim that AOL's program could be breached. He says that if AOL had only acknowledged his e-mails and looked into the issue, "we wouldn't have released the code at all." But AOL didn't and still hasn't, he says. "I guess they're pretty busy." Enter AOL spokesman Andrew Weinstein. "We encourage anyone who finds a potential issue to let us know," he says. "But it is in the best interest of users and all concerned to give companies an adequate amount of time to evaluate and hopefully address an issue before making it public." What about w00w00's two e-mails to AOL? Weinstein has no clue. But there are other ways besides AOL's online front door to reach AOL security execs, he says. "We work very closely with most of the larger security organizations in the industry. If someone feels they discovered a potential security flaw, those organizations would be able to put them in contact with someone at AOL." Conover wonders how hard is it to be more accessible? He sees AOL's attitude coming at the expense of the public. "We're fighting to keep the end user informed," he says. "We're going to continue to publish advisories like this. But hopefully we will avoid getting into too controversial a topic next time." © 2002 The Washington Post Company ============================================================ $8.95 Domain Name Registrations & Transfers! Go Daddy Software -- Cool Name. Hot Prices.™ Transfer your existing domain name for just $8.95 and SAVE! Get yours today at godaddy.com! http://click.topica.com/caaafisb1dhr0b2EDp2f/GoDaddy ============================================================ --via http://techPolice.com archive: http://theMezz.com/cybercrime/archive subscribe: [EMAIL PROTECTED] --via http://theMezz.com ==^================================================================ This email was sent to: archive@jab.org EASY UNSUBSCRIBE click here: http://topica.com/u/?b1dhr0.b2EDp2 Or send an email to: [EMAIL PROTECTED] T O P I C A -- Register now to manage your mail! http://www.topica.com/partner/tag02/register ==^================================================================
