WNI's HACKER TRAP
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Sat, Nov 4, 2000, 5:38pm (EST-3)
From: ulTRAX@webtv.net (///\ ulTRĊX \///)

All I know is what everyone else knows... that WNI is bagging hackers for accessing URLs. Question is, how does WNI's system work? It'd be easy to get a referrer from the Accessor. If the next URL from that Accessor is a WNI URL... a match can be made.

Some feel other forms of access are safe. But I'm not so sure. If WNI is using a referrer detection system then what's to stop it from detecting WTV URLs as the source? Just because we can't easily access WTV URL referrers doesn't mean WNI can't. This task would be a bit harder for WNI to implement... but theoretically it could be done. It depends on how intent WNI is on cracking down.

For example they could easily create a database of all their links on all the pages in Production service. So say if someone accessed wtv-setup:/accounts they would know there's only so many pages that have that link. If the accessed page and the referrer don't match... bingo!!

I don't think this system would work though. There's no way to create an exclusive list of referrers. Often we access WTV URLs with RECENTS.

Another approach is WNI could just make a list of URLs that are NOT available on Production Service. If any access is made of those URLs.... then it would make no difference where the access device was. They would know it was an "unauthorized" access.

I don't think we have much to worry about accessing file:// URLs... just network URLs.
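The two detection schemes the post above sketches (a per-URL whitelist of the Production pages that link to it, and a flat list of URLs that are not served on Production at all), modelled as a log scanner. This is an added example written for this page; it is not code from the thread and not WNI's system, which nobody in the thread has seen. The log line format, the SSIDs, the referrers, the restricted list and the authorized-link map are all constructed assumptions; wtv-setup:/accounts is the only URL taken from the post. The example also shows the blind spot the post raises: a hit that arrives via RECENTS carries no referrer, so the whitelist scheme cannot decide on it, while the restricted-list scheme does not care where the request came from. ulTRAX restates the same whitelist design in the Nov 15 post further down the thread.

```python
"""Referrer-based 'hacker trap' as sketched in the thread (added example).

Everything here is an assumption: WNI's real log format, URL lists and
matching rules are unknown. Only wtv-setup:/accounts comes from the post.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Hypothetical proxy log line (constructed for this example):
#   "<time> ssid=<box id> url=<url> referer=<url or ->"
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+ssid=(?P<ssid>\S+)\s+url=(?P<url>\S+)\s+referer=(?P<ref>\S+)$"
)

# Scheme 2 from the post: URLs not reachable on Production. Any hit is
# unauthorized regardless of referrer. (Hypothetical URL name.)
RESTRICTED = {"wtv-example:/not-in-production"}

# Scheme 1 from the post: for each URL that IS linked from Production, the
# Production pages that carry that link. (Hypothetical link map.)
AUTHORIZED_LINKS: Dict[str, set] = {
    "wtv-setup:/accounts": {"wtv-setup:/", "wtv-home:/home"},
}

FLAGGED = {"unauthorized", "suspect"}


def classify(url: str, referer: Optional[str]) -> Tuple[str, str]:
    """Apply both schemes to one request; return (verdict, reason)."""
    if url in RESTRICTED:
        # Scheme 2: the URL alone is enough, the referrer is irrelevant.
        return "unauthorized", "URL is not available on Production"
    authorized = AUTHORIZED_LINKS.get(url)
    if authorized is None:
        return "ok", "URL not monitored"
    if not referer:
        # Scheme 1 needs a referrer; RECENTS or typed navigation has none.
        return "unknown", "no referrer (RECENTS?)"
    if referer in authorized:
        return "ok", "referrer is an authorized link"
    # Scheme 1 match: the referrer is the page carrying the accessor.
    return "suspect", f"unauthorized referrer {referer}"


def parse_line(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (ssid, url, referer-or-None), or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ref = m.group("ref")
    return m.group("ssid"), m.group("url"), (None if ref == "-" else ref)


def scan(lines: List[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group verdicts by SSID: {ssid: [(url, verdict, reason), ...]}."""
    out = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ssid, url, ref = parsed
        verdict, reason = classify(url, ref)
        out[ssid].append((url, verdict, reason))
    return dict(out)


def hit_list(lines: List[str]) -> Dict[str, List[str]]:
    """Only the boxes that would be acted on, with the URLs that flagged them."""
    return {
        ssid: [url for url, verdict, _ in hits if verdict in FLAGGED]
        for ssid, hits in scan(lines).items()
        if any(v in FLAGGED for _, v, _ in hits)
    }


# Constructed sample log; SSIDs and referrers are made up.
SAMPLE_LOG = [
    "17:38:01 ssid=BOX-A url=wtv-setup:/accounts referer=wtv-setup:/",
    "17:38:05 ssid=BOX-B url=wtv-setup:/accounts referer=http://accessor.example/urls.html",
    "17:38:09 ssid=BOX-B url=wtv-example:/not-in-production referer=http://accessor.example/urls.html",
    "17:38:12 ssid=BOX-C url=wtv-setup:/accounts referer=-",
    "17:38:15 ssid=BOX-C url=wtv-example:/not-in-production referer=-",
    "17:38:20 ssid=BOX-A url=http://www.example.com/ referer=wtv-home:/home",
]

if __name__ == "__main__":
    for ssid, urls in hit_list(SAMPLE_LOG).items():
        print(ssid, urls)
```

Run on the sample, BOX-A is never flagged, BOX-B is flagged by both schemes (its accessor page shows up as the unauthorized referrer), and BOX-C's RECENTS hit on wtv-setup:/accounts comes back "unknown" while its hit on the restricted URL is still caught. That is the point the post makes: the whitelist alone cannot be made exclusive, but a restricted-URL list needs no referrer at all.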
Re: WNI's HACKER TRAP
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Sat, Nov 4, 2000, 5:53pm (EST-3)
From: Clown-U-Fear@webtv.net (-=Clownz GhoSt=-)

POST WAS NOT ARCHIVED DUE TO EXCESSIVE HTML

Re: WNI's HACKER TRAP
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Sat, Nov 4, 2000, 7:58pm (EST-3)
From: ulTRAX@webtv.net (///\ ulTRĊX \///)

Seems WNI has a new system that detects access to WTV URLs (I assume only network URLs). It spits out SSIDs and I assume the URL accessed as well as the referrer of the Accessor. When the reports were coming in of how many URLs were being accessed... some corpies were bullshit, wanting the blood of even those who accessed the Benchmark page.

That WNI felt a need for this system on the eve of introducing Tokens is interesting. I have to agree with Reamer that if WNI had any faith in their Token system... this would not be necessary. If in the post-token era all we get from a URL is a bad request error... WTF difference does it make to WNI if we TRIED to access it?

Re: WNI's HACKER TRAP
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Sun, Nov 5, 2000, 3:25pm (EST-3)
From: wasdiscovered@webtv.net (a-secret-file://)

ulTRAX wrote: Seems WNI has a new system that detects access to WTV URLs (I assume only network URLs).

Response: Is this what they have told you? Have you considered that their claim might be disinformation? Or maybe that the particular individual, though a corpy, does not officially speak for corp? Would it not be easier to simply monitor the logs of targeted people? Is it not evident that at least a few of the people targeted have posted specifics as to what they were doing? Things which are known to get you tossed? Are we to believe that they could make such a system work? How many new employees might be needed to monitor such a system? What would they do if they found one percent of users accessing urls? Would Bill allow a one percent drop in revenues?
What is the basis for termination? Where in the terms of service does it say we cannot access urls? Where in the terms of service is the manner in which we access urls limited? What about their advertisements which falsely claimed that webtv allows full access of the world wide web? Are we not to even expect full access within the firewall? Are we to be terminated for attempting to access what they promised the system would provide us? What purpose does this serve? What will be the response? What will come next? Will they terminate phone numbers? Can they make your roommate pay for things that you have been judged for? If not then what can be gained?

ulTRAX also wrote: It spits out SSIDs and I assume the URL accessed as well as the referrer of the Accessor.

Response: In other words it tells them who got to what and how. So if I access wtv-home:/home using an accessor I find on the world wide web (which I was told I'd have access to) I will be tossed? hmm? (Long pause and scratching head) Based on what?

Re: WNI's HACKER TRAP [was]
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Sun, Nov 5, 2000, 5:42pm (EST-3)
From: ulTRAX@webtv.net (///\ ulTRĊX \///)

wasdiscovered wrote: "Is this what they have told you? Have you considered that their claim might be disinformation?"

I have no specifics about WNI's new system except that:
1: it caught people going to Benchmark
2: it got my page as a referrer
3: it's automated and connects boxes with URLs
4: that some at WNI are out for blood.

The reason why I believe WNI's system is limited to network URLs is because the proxies are out of the loop when we access internal URLs.

"Is it not evident that at least a few of the people targeted have posted specifics as to what they were doing? Things which are known to get you tossed?"

As I said in hacking, I think the only way to read WNI's mind is to find out who has been TOSed and find out what they were up to.

"Are we to believe that they could make such a system work? How many new employees might be needed to monitor such a system?"

If WNI is serious about security then they had to make these investments. If the system is automated then the data can be parsed any way they want: by user or by URL.

"What would they do if they found one percent of users accessing urls? Would Bill allow a one percent drop in revenues?"

I think what is needed is a subscriber rebellion... especially when WNI is threatening to TOS users for just finding out what their modem speed is... or trying to protect themselves by deleting their Cookies.

"What is the basis for termination? Where in the terms of service does it say we cannot access urls?"

They have some generic statements about unauthorized use of the network.

"ulTRAX also wrote: It spits out SSIDs and I assume the URL accessed as well as the referrer of the Accessor...... So if I access wtv-home:/home using an accessor I find on the world wide web (which I was told I'd have access to) I will be tossed?"

I too see the absurdity of this. That's why I have to believe WNI's only monitoring URLs not authorized for Production... but I don't know for sure.

Re: WNI's HACKER TRAP
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Sun, Nov 5, 2000, 10:44pm (EST-3)
From: Demo@webtv.net (D e m o)

Section 4: Unauthorized Access. Read it for yourself. If a hacker's roommate owns the box, they are responsible for the goings on. THIS is all there, nothing new. Look what happened to XebTV!

Re: WNI's ( trusted page referrers)
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Tue, Nov 14, 2000, 8:25pm (EST-3)
From: ulTRAX@webtv.net (///\ ulTRĊX \///)

I'm not sure if I posted on this or just wrote to a few people... There's some belief that accessors set up on trusted pages won't yield a referrer. They believe that this makes them safe from the Hacker Trap. I have questioned this on two counts.
The first is that if I were designing this security system... the referrer would be gravy. Actually the Accessor URL is unimportant to WNI. What do they care? What I'd really want to track is WHO is accessing WHICH restricted URLs.

The second reason I believe this faith in trusted URLs is misplaced is because it IS possible to get referrers. We've been so conditioned to believe that because we just get "hidden" on referrer functions... the same will be true with WNI. Wrong. This page is an example of how WNI can STILL get referrers from so-called trusted pages. http://www.scottandjulie.com/webtv/ServerVariables.asp

Re: WNI's ( trusted page referrers)
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Wed, Nov 15, 2000, 1:52am (EST-3)
From: JO5H@webtv.net (Fück Off (-)

hmmmmmm that's the first time I have seen the $ENV('all_raw') cgi variable. interesting.....

Re: WNI's ( trusted page referrers)
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Wed, Nov 15, 2000, 6:57am (EST-3)
From: wasdiscovered2@webtv.net (a-secret-file://)

ulTRAX wrote: the referrer would be gravy. Actually the Accessor URL is unimportant to WNI. What do they care? What I'd really want to track is WHO is accessing WHICH restricted URLs.

Response: I agree that the main objective would be to find out who is getting into what. However getting the referrer to accessors would be the topping on the cake. By getting the urls they are getting all of the access methods, which gives them the info needed to lock us out. At this point they would not need to worry about us getting to any urls at all. If they do lock us out and we find a way back in it might not be for long.

Try this: Put your access script in a testbed which has a memory function that saves the script as a cookie. Such a testbed will have a button on it that says save. By doing this you will be removing the access method from the referrer.
When they look at how you got to a webtv url by sourcing the page of the referrer they will only see the codes for the testbed. They will not get the access method unless they read your cookie. Unfortunately not all methods can be used like this. However any that can be should be used like this.

As for the notion that webtv can't get a referrer because the referrer is what is called a trusted page, that is ridiculous and I can't believe that anyone would believe this.

P.S. The question I have is: did they really create an omnipotent defense system, or did they (or did we?) simply trick us into creating such a beast within our own minds? I know of only two things that give any suggestion of such a system. However they do not amount to a hill of beans.

#1 Supposedly an UNSPECIFIED number of people were tossed who say they were tossed for using URL ACCESSORS??? "I was tossed. I was tossed because." The "I was tossed, I was tossed because" line is the biggest crock of s--t to ever be posted in the groups.

#2 A corpy told ulTRAX that a wise person does not use an accessor these days. As for anything that corps might give out on this subject, I suspect that it might be self serving and nothing but propaganda aimed at fear.

Are we to discuss issues which have no foundation, are based on nothing but speculation, possible misdirection, or simply because it has been stated as a fact? Maybe I missed something. Is there any evidence? Yes or no?

Re: WNI's ( trusted page referrers)
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Wed, Nov 15, 2000, 8:29am (EST-3)
From: WbWzrd@webtv.net (WbWzrd JJ)

The referrer IS gravy!!! A simple javascript history list on an email or post or any other trusted environment shows all hidden urls, and always has. As for the testbed idea, if you press goto then view current, you see that the url is simply a cache:URL.#### which is still a part of the history list, which even my counter at Geocities shows.
(One of my pages' most frequent referrers is someone's page that's called a dynamic table, probably a source viewer, and it shows a cached url as the referrer to the counter.) It isn't that easy to get around a referrer, since it is part of the request sent for the next page!

Then there are the error logs of any network server, which can be set up to show errors in the log if pages are accessed from non-trusted locations, or bad urls. This has always been the first step in tracking down any suspicious traffic. Then there is the mysterious ghost logo, which I swear is tracking us, though I have no proof! LOL

Re: WNI's ( trusted page referrers)
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Wed, Nov 15, 2000, 11:20am (EST-3)
From: limdog@webtv.net (limdog)

jerry wrote "the referrer is gravy"

yes you can retrieve the entire history array from a trusted environment, though on old classix
tag in trusted environment will take care of that.

ultrax pointed out a list of CGI Environmental variables that wni has cleverly put in a table. At one point i had a tool that stored your CGI referer in a hidden input field, that you could then view when clicking on a button. I posted it in a.d.webtvtools. A week later CGI referer did NOT list wtv urls. maybe it's time to get this killed again?

secretfile wrote "Did I miss something?"

Apparently you did. And I missed it as well! People started posting about REKCAH (hacker backwards, now THAT is clever). What source does this info come from? What the hell is it, exactly? Are you all scared of it? Why? if you are afraid of losing your account because wni won't let you clear cookies... well, hacking is dead. Why have people been TOS'd? naphead - accessing weekly server? publishing previewer posts??

Re: WNI's ( trusted page referrers)
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Wed, Nov 15, 2000, 11:36am (EST-3)
From: ulTRAX@webtv.net (///\ ulTRĊX \///)

wasdiscovered2 wrote: "I agree that the main objective would be to find out who is getting into what. However getting the referrer to accessors would be the topping on the cake. By getting the urls they are getting all of the access methods which gives them the info needed to lock us out. At this point they would not need to worry about us getting to any urls at all."

Good point. I was just thinking Accessors are a dime a dozen. I must have 20 on my URL pages alone.... that WNI could not want that URLs to target them. If all they get from an individual is a referrer from a trusted page.... that means WNI can still get the method... It will just be a bit harder. WNI will have to go into that person's account to see what they have. It will make their job harder in tracking down methods... but they can still try to TOS the person for the mere act of accessing a restricted URL.

"Put your access script in a testbed which has a memory function that saves the script as a cookie. Such a testbed will have a button on it that says save. By doing this you will be removing the access method from the referrer. When they look at how you got to a webtv url by sourcing the page of the referrer they will only see the codes for the testbed. They will not get the access method unless they read your cookie."

Clever, but if WNI is mainly tracking access... not accessors, they still will know to which account the restricted URL will be served.

"The question I have is did they really create an omnipotent defense system or did they (or did we?) simply trick us into creating such a beast within our own minds?"

I have no inside info from WNI.... hell, I have no idea what RECKAH (or whatever) even stands for. All I'm doing is saying how I would design the system.... that I'd only watch certain URLs.... and that getting accessor URLs would be gravy. At some point I did mention that if they REALLY wanted to go nuts they could define all URLs every build has access to and then define all the authorized links to those URLs. Any referrer deviation from the list of authorized links would indicate the location of an accessor.

"#2 A corpy told ulTRAX that a wise person does not use an accessor these days. As for anything that corps might give out on this subject I suspect that it might be self serving and nothing but propaganda aimed at fear."

Absolutely.... that's why I think it was a useful exercise to try to put ourselves in WNI's shoes and figure out what we'd try to accomplish if our job was network security.

"Are we to discuss issues which have no foundation, are based on nothing but speculation, possible misdirection or simply because it has been stated as a fact?"

Essential to getting the facts was to find out exactly who was TOSed and finding out what they were up to.
My attempt in a.d.w.h of some 10 days ago was disrupted, as are all serious discussions there.

Re: WNI's ( trusted page referrers)
Group: alt.discuss.clubs.public.webtv.technical.ultrax
Date: Wed, Nov 15, 2000, 3:38pm (EST-3)
From: I-MiniMe-I@webtv.net (M B)

Hmmm.. >8-) WNI has never (as far as i know) told us, in the T.O.S. or on the pages themselves, that they are forbidden to access. The tricks page is an exception, though. Same with info. I say we keep using accessors (i sure have been) and if we get TOS'ed, we can use this against them.