It Sucks to Be Me!
Dec. 15, 2003
we featured Mark Peterson, one of the most amazing characters
to harass me about crime. He didn't exactly ask me to help him
to commit a crime. Instead, he asked me to pay an innocent bystander
type to write a program that would supposedly be able to steal
information from almost any computer.
I've foobarred
the name of the innocent bystander because he denies having agreed
to write this break-in program.
Peterson has
refused to submit his (presumably imaginary) universal snooping
program to anyone for analysis (and flaming, LOL), so he gets
to be on "sucks."
From: "M Peterson" <apalamen@sbcglobal.net>
To: <cmeinel@techbroker.com>
Subject: Hi Carolyn - Would you want to discuss a new exploit?
Date: Wed, 19 Nov 2003 09:00:11 -0600
I have informed the FBI Cybernet Division of an unexplored
backdoor exploit. Would you like to discuss this?
My background: In 1982, I was one of the very first documented
hackers ever caught by the FBI (Fraud-by-Wire, The
Source (aka CompuServe), FBI Juvenile Records).
Owen Mark Peterson
Here's how I first suspected he was
a classic "sucks" case. The FBI has no "Cybernet"
division. Peterson claimed to have been convicted of computer
crime at a time when there were no laws against it. He knows
at least that much, so he claims, in order to get the title of
"first," that he was SOOOO important that the FBI managed
to get him prosecuted as a special case, "Fraud-by-wire."
If he really was breaking into CompuServe
or The Source, he would have known they were two different online
services (aka means "also known as"). Anyhow, I asked
him some questions, and he quickly dug himself in deeper.
From: "M Peterson" <apalamen@sbcglobal.net>
To: "'Carolyn Meinel'" <cmeinel@techbroker.com>
Subject: RE: Hi Carolyn - Would you want to discuss a new exploit?
Date: Wed, 19 Nov 2003 12:24:52 -0600
Yes. I accessed The Source generally through TELNET or a phreaked
long-distance code.
Peterson really, REALLY blew it on
this one. Telnet wasn't invented until 1983, but he says he got
busted for telnetting into the Source in 1982.
If you were around back there The Source had distinct accounts
from consumer and corporate accounts. I would trade with corporate
account members for access to their company accounts in exchange
for phreaked long-distance codes. It was a cornucopia as you
can understand. We proto-hackers lived on trading passwords and
telephone #s with one another. I am grateful that I never
abused the privilege of exploration. I even met Dr. Vinton Cerf
recently in New Zealand, and have become penpals ever since.
When the FBI met me, they said there were no precedents for what
I was doing. So they came up with a charge called Fraud-by-Wire,
which was a throwback to the old days of wire-transfer fraud
via telegraph wire. They knew that I had already full-knowledge
that it would be hard to prosecute a juvenile, even if The Source
said I owed them $4000.00 worth of online time during the months
they monitored me. I cooperated by handing over all the NIPRNET
/ ARPANET, Government numbers I had in my possession (as you
can imagine). They got the charges and reimbursement dropped
due to my cooperation.
Once again Peterson reveals that
he failed to research his lies before telling them. NIPRnet was
created in 1995. So he couldn't have been breaking into it in
1982.
In regards to the exploit, I discussed this with the FBI Internet
Fraud Division while I was in Honolulu after finishing a project
in New Zealand. They have acknowledged the capabilities of it.
Only thing is, is that it requires intrusion to make it work.
It is a backdoor that cannot be taken out without a large backlash.
The FBI informed me that this is outside their jurisdiction and
the technology this exploits is legal and nothing can be done
by them.
If you are familiar with the current emergence of web analytics
(online audience measurements) technology, you will know that
this technology utilizes a .JS inclusion from a third-party to
be placed on the webpages of any given website. The basics and
security issues of a third-party .JS (Javascript) inclusion file
are well-known across the internet. What makes this exploit dangerous,
is that any given web-analytics firm controls/monitors thousands
of individual websites from one central data monitoring site;
this is increasing each day.
If a hacker were to penetrate the primary .JS hosting server
and modify the JavaScript code to redirect traffic on their clients
website to another IP Address, this would theoretically bypass
all internal security methodologies on thousands of websites
at once and re-route account and password information to a 3rd-party
repository site or IRC channel for collection.
This is known as a man-in-the-middle
type attack. The problem with this kind of attack is that you
somehow have to actually do it! So I asked him to show me the
JavaScript that would actually do this.
I have attached the diagram to explain this situation. Just wanted
to see what your team thought of the potential to backdoor several Online Banks at once. Public disclosure
has not been disseminated for obvious reasons.
A diagram isn't the same as actual
code. I told him I needed the code and if he would send it I
would test it on my test network.
I was in charge of implementing a national web-analytics project
across an entire country (New Zealand) this year and it was not
until an independent security review from an EDS security threat
analysis for one of my larger banking clients that even I realized
the larger potential of the only undetectable way to backdoor
an online bank.
Actually Peterson was working for
Red Sheriff, a New Zealand web statistics analysis company. They
fired him.
PS> Can you imagine an entire country being watched on the
Internet? It hasn't made front-page news either. Just
an FYI.
Actually I was a participant in the
DARPA (Defense Advanced Research Projects Agency) Cyberadversary
workshop, and am familiar with research efforts such as Genoa
that have considered the huge technological challenges of doing
so. Anyhow, I decided to string Peterson along by questioning
him a bit about his, ahem, discrepancies.
From: "M Peterson" <apalamen@sbcglobal.net>
To: "'Carolyn Meinel'" <cmeinel@techbroker.com>
Subject: RE: Hi Carolyn - Would you want to discuss a new exploit?
Date: Thu, 20 Nov 2003 11:56:54 -0600
Well around 1980-1983 I was bopping
around ARPANET/MILNET. Later it grew into what we now call NIPRNET.
I could use it to get around bases and colleges, but pretty clunky
for every day use. I knew about Tymnet, but I didn't use
it as much at all.
Notice how he backpedals, changing
NIPRnet to MILnet. He also suddenly changes the time until he
got shut down by his bust from 1982 to 1983. Well, he blew it
again. MILnet wasn't started until 1984!
Back then I just used basic VT100 ascii/ansi dialup software
for TELNET access (not to be confused with Telnet Protocol).
OS: TRS80-Model I/Level II, then C-64. One 300 baud modem.
(wow!) :)
I had asked Peterson for the name
of the terminal emulation program he used, but he couldn't "remember"
it so he talked around the topic. He also poured on lots of words
to cover up his mistake of claiming to telnet before telnet was
invented. Now if he had talked about UUCP (unix-to-unix copy)
or Kermit I would have been impressed.
Re: Telenet - There was a basic @ prompt. I think the parameter
was @C 301120 to connect to different nodes. Most
of the time we just used phreaked long distance codes to dial-up
directly.
Here he's trying to cover up not
knowing enough to make it look like he really abused long distance
service.
I never got traced one time, because
we always used LD providers before going into these systems.
If I was going after a bigger target, multiple LD providers was
the way we did it. It's why I love Sneakers
the movie: only hacker movie in existence that had it right.
:)
From: "M Peterson" <apalamen@sbcglobal.net>
To: "'Carolyn Meinel'" <cmeinel@techbroker.com>
Subject: RE: Hi Carolyn - Would you want to discuss a new exploit?
Date: Fri, 21 Nov 2003 14:21:50 -0600
It was TELENET. I had to check the Internet.
It's been a while.
Have you been able to review the drawing (attachment)?
Funny, those of us who were around
back then had no trouble remembering. What he really means is
he forgot to do his research before making up his stories. Anyhow,
even habitual liars sometimes tell the truth. So I asked him,
"Could you please send me the JavaScript program that would
enable a company serving ads or, as you imply, getting Webalyzer-type
data on behalf of a bank web site, to create a popover that looks
just like the regular browser, instead of much truncated, like
normal popovers? Or are you getting at some other technique?
If you would provide the code, I have several webservers on which
I could test it to see how easily it could fool a user. Also,
are only certain browsers susceptible to your man-in-the-middle
exploit? Against which browsers (please include version) have
you tested this?".
From: "M Peterson" <apalamen@sbcglobal.net>
To: "'Carolyn Meinel'" <cmeinel@techbroker.com>
Subject: RE: Hi Carolyn - Would you want to discuss a new exploit?
Date: Mon, 24 Nov 2003 18:34:52 -0600
Unfortunately, I cannot provide the
code that we used that did implement the popup surveys. This
would breach NDA if I did have it in my possession. But the code's
existence can be verified by communicating or requesting information
from the IT manager John.griffin@redsheriff.com or mark.ottaway@redsheriff.com
(NZ Managing Director).
Of course he evaded the question
by talking about a popup ad code. I didn't want that -- I wanted
the code that he said could redirect responses to web servers
(POST data) to another computer without there being anything
to alert the victim. Of course this can be done under certain
circumstances -- but not under all circumstances, as Peterson
is claiming. It's called cross site scripting. But so far he
hadn't used that terminology.
The only limitation to the browser is
that it accept JavaScript which at this time is pretty much all
browsers available in the marketplace.
Actually MILNET was around back then; I was bopping around
on White Sands Missile Range Base and Strategic Air Command,
all non-classified. Can you provide references that state that
MILNET was not around at the same time ARPANET was? I would really
like to see that. Are you even researching any of this information?
Or are you just guessing?
Ooh, now he's being insulting, losing
his cool. Of course I wasn't going to tell him where to find
a history of MILnet, because then it would be that much more
easy for him to spin a convincing story to the next people he
tries to social engineer.
Compuserve and the Source are not the same, I never actually
said they were the same. The source was bought out by compuserve
in 1983.
So he finally did his homework on
this one, and is trying to deny that first email he sent me.
The old ID I had on the Source was STZ089; all Admin IDs
were STCXXX. Check the formatting. It is much different from
the XXXXX,XXX IDs we used on Compuserve. Only reason I
never liked hacking CompuServe was the fact that customers had
to pay for any illegal access.
Were you actually around back then? Or are you just trying to
smoke me out? Have you bothered to check my FBI references out?
Obviously Peterson doesn't realize
I'm 57 and obviously was around back then. John Goltz, the technical
head of Compuserve, was a friend of mine. As for Peterson's FBI
"references," they say that when Peterson was a teenager,
an FBI agent knocked at his door and they had a chat. That's
all the FBI could confirm.
I have yet to see Social Engineering
(lying) work in the current IT marketplace. We used it back in
the late '70s and early '80s, but I never did.
Couldn't handle lying flatout to people. People who tell me about
Social Engineering are usually people who never really hacked.
He's sure right about not being able
to pull off a well-researched lie.
You're calling me a pathological liar? For what reason have I given
you to do this? I lived through this. In 1982, the FBI had jurisdiction
over this, not the Secret Service. The only charge at the time
they could come up with was called Fraud-by-Wire. Have you ever
heard of anyone being charged with this?
Look up the transition between the FBI and Secret Service and
then back to the FBI (CyberDivision).
This is all irrelevant, an attempt
by Peterson to change the subject.
I will be logging this transcription with you in my journals
to show people what type of people I encountered to bring this
to the public.
Oh, I'm terrified:) Anyhow, he sent a gazillion more emails and
I kept on challenging him.
From: "M Peterson" <apalamen@sbcglobal.net>
To: "'Carolyn Meinel'" <cmeinel@techbroker.com>
Subject: RE: Hi Carolyn - Would you want to discuss a new exploit?
Reminder: Please do not discuss my situation
or name with Red Sheriff personnel. This could open me up to
an unnecessary civil lawsuit. I am giving you an additional document
in good faith regardless of whether or not you believe
I was caught by the FBI in 1982. (Attached).
From: "M Peterson" <apalamen@sbcglobal.net>
To: "'Carolyn Meinel'" <cmeinel@techbroker.com>
Subject: RE: Hi Carolyn - Would you want to discuss a new exploit?
Who is your boss? Or do you run this
so called consulting firm with this much ignorance all by yourself?
Guess Peterson has never heard that
you catch more flies with honey than vinegar:)
From: "M Peterson" <apalamen@sbcglobal.net>
To: "'Carolyn Meinel'" <cmeinel@techbroker.com>
Subject: RE: Hi Carolyn - Would you want to discuss a new exploit?
Just because you show your ignorance
over these facts does not mean they did not actually happen.
I am not bragging, I just wanted you to know that I had a bit
of knowledge before hand of what I was presenting.
Besides, you don't want the independent security evaluation by
EDS that was performed for my banking clients in New Zealand
do you?
I have documented your accusations and ignorance. I believe it
is legal to use them in any future writing/freelance journalism.
I thought you would be intelligent, not critical, judgemental,
ignorant and intolerant of anyone who could actually have
been a simple 14 year old hacker meeting the FBI in 1982
in Oklahoma City, OK.
Take care. I would rather deal with a more professional organization
than yours.
From: "M Peterson" <apalamen@sbcglobal.net>
To: "'Carolyn Meinel'" <cmeinel@techbroker.com>
Subject: RE: Hi Carolyn - Would you want to discuss a new exploit?
PS> Today I just got verification
from a JavaScript testing firm that the exploit is already well-known.
It's called cross-site scripting.
Talk about ignorant people.
So he finally learns about a class
of exploits that do man-in-the-middle attacks, which means, of
course, that I, not he, must be ignorant. LOL. Anyhow, I replied,
"If you ever decide to reveal it -- if in fact you have
it -- please post it to Bugtraq so others can verify that it
works. This would be a serious security flaw in the vulnerable
browser." Of course he'll never post to Bugtraq -- because
he doesn't have an exploit.