Volume 5, Number 19                                    9 May 1988
+---------------------------------------------------------------+
|                                                  _            |
|                                                 /  \          |
|                                                /|oo \         |
|        - FidoNews -                           (_|  /_)        |
|                                                _`@/_ \    _   |
|        International                          |     | \   \\  |
|     FidoNet Association                       | (*) |  \   )) |
|         Newsletter               ______       |__U__| /  \//  |
|                                 / FIDO \       _//|| _\   /   |
|                                (________)     (_/(_|(____/    |
|                                                     (jm)      |
+---------------------------------------------------------------+

Editor in Chief                  Dale Lovell
Editor Emeritus:                 Thom Henderson
Chief Procrastinator Emeritus:   Tom Jennings
Contributing Editors:            Al Arango

FidoNews is published weekly by the International FidoNet
Association as its official newsletter. You are encouraged to
submit articles for publication in FidoNews. Article submission
standards are contained in the file ARTSPEC.DOC, available from
node 1:1/1.

Copyright 1988 by the International FidoNet Association. All
rights reserved. Duplication and/or distribution permitted for
noncommercial purposes only. For use in other circumstances,
please contact IFNA at (314) 576-4067. IFNA may also be contacted
at PO Box 41143, St. Louis, MO 63141.

Fido and FidoNet are registered trademarks of Tom Jennings of
Fido Software, 164 Shipley Avenue, San Francisco, CA 94107 and
are used with permission.

The contents of the articles contained here are not our
responsibility, nor do we necessarily agree with them.
Everything here is subject to debate. We publish EVERYTHING
received.

                        Table of Contents

1. ARTICLES
   Four Unusual Echos
   Our turn? How Hackers hacked away at Opus in Hong Kong
   Your IFNA Working for You
   Etiquette and Protocols -- SEAlink vs Zmodem
   New Features for SCOREKEEPER
   Fido 12 Utilities
2. COLUMNS
   FidoCon '88: Visit The Cincinnati Observatory
3. NOTICES
   The Interrupt Stack
   Latest Software Versions
4. COMMITTEE REPORTS
And more!

FidoNews 5-19                Page 1                    9 May 1988

=================================================================
                            ARTICLES
=================================================================

George A. Stanislav
Opus 1:129/39

                  The Four Astral Board Echos

The logo of Astral Board, 1:129/39, is "The Unusual Board For
Unusual People." Indeed, the whole purpose of Astral Board is
discussing unusual things. Its two main local message areas are
"Unusual Experiences" and "Martial Arts."

Four echos have been born on Astral Board so far, all, hopefully,
falling in the "unusual" category.

The first and best known echo originating at Astral Board is
80XXX. Its purpose is to get a public forum to anyone writing
programs for the 8088 Intel chip and its derivatives, e.g. 80286,
80386, 8087, etc.

Another programming echo may not seem that unusual. After all,
there is a general programmers' echo, a C echo, a Pascal echo and
others. The "unusual" part of 80XXX is in its orientation towards
low level programming of a specific chip, or rather a family of
chips. Most of the discussion is about PC assembly language
programming, although the echo is not limited to assembly
language. As long as it has something to do with the low level
programming of the Intel 80XXX chips, any message is welcome
here.

Another unusual thing about 80XXX echo is its file transfer
protocol. If participants of the echo want to transfer chunks of
code that will not fit into one message, or even if they want to
transfer small binary files, they arc the file, convert it into
an ASCII text file by John Navas's ECHOARC and post that text as
a message. The recipient uses the same program to convert the
message into an arc file.
That is why all sysops carrying the 80XXX echo are required to
carry a copy of ECHOARC on their systems for download by their
users.

Unidentified Flying Objects are the topic of discussion of UFO,
another unusual echo from the unusual board. The history of this
echo is somewhat peculiar. Before I started it, I had no special
interest in the UFO phenomenon. Some of my callers were attracted
to my BBS by its name, Astral Board, in the hope they would find
a UFO related discussion there. After several users expressed a
desire for such an area, I agreed to start it, not as a local
discussion, but an echo.

To my great surprise, the day I started the echo, messages
started coming from all over the country, mostly thanks to Aaron
Schmiedel, sysop of Chai Way in Dallas, who spread the new echo
all over the USA and even sent it to Europe.

People who have personally viewed UFO's have participated in our
discussion. For me the echo was an eye opener. While before I
started the echo I would have probably treated anyone claiming to
have seen a UFO with great suspicion, nowadays I have no doubt
about the UFO phenomenon and even about its potential danger for
our planet. Those aliens seem to be anything but friendly folks.

STARGAZE is another echo started on request of others. The echo
is dedicated to Astrology. The echo has started very slowly, and
up to this point not much discussion has happened there. Mostly I
asked people to help me find the algorithms for astrological
calculations as I would like to write an online astrology
program. If anyone can help in this regard, please post in
STARGAZE.

The fourth unusual echo is BBOS. This echo seems the most unusual
of all, at least to me. I started it when several sysops
requested an echo dealing with Opus Embedded Commands and AVATAR
(Advanced Video Attribute Terminal) for which I wrote a compiler,
OECC. While the request for the echo was strong, there rarely
ever appear any messages in it.
BBOS stands for Bulletin Board Operating System. The echo is open
not just to the discussion of the currently available Opus
Embedded Commands, but to suggestions for new ones. In fact, the
echo can be an excellent meeting place of developers and users of
different BBOS's to possibly create standard ways of embedding
commands and screen control codes into text files that could be
portable among the various bulletin board operating systems.

Apparently this idea came too early before its time. The echo is
very little used. Ironically, I came to the point when I wanted
to discontinue the echo. I posted a message to that matter in
other echos and received many answers asking me not to do that.
Despite that, the traffic has been slow. I hope that after
reading this article more people will become aware of this echo
and its purpose.

All four echos are available at the Stars. One of the Stars polls
me every night for the echos and delivers the messages from other
places. I would like to emphasize especially the presence of the
last two echos, STARGAZE and BBOS, as it seems not many sysops
are aware of their existence.

-----------------------------------------------------------------

SEAnet/2 - Hong Kong
IFNA node 3:700/13.0

A POTENTIAL SECURITY PROBLEM IN OPUS
------------------------------------

Our turn?

To every BBS, it seems, there comes a Hacker - and we've just had
our first major attempt at gaining unauthorized access to our
system. As we use Opus 1.03b which is, to say the least, a rather
widely used system we have decided to share our experience with
you in the hopes that you may avoid similar occurrences on your
own systems.

The hacker in question used a very simple, but powerful, method
which could - had things gone according to his plan - have
allowed him to gain full control of the machine running Opus.
This would have included access to all the BBS utilities on the
machine.
Such a success would, of course, have meant that the hacker would
have been able to completely cover his tracks, even leaving the
Sysop unaware that his system had been compromised.

Due to some luck (good for us, bad for the hacker) he failed in
his attempts to control our system, and merely managed to crash
it, leaving the system down for several hours.

A debate
--------

There is always something of a debate over whether the
methodology behind such things as Virus programs, Trojans and so
on should be publicly revealed in full detail.

The argument against full disclosure is seated in the idea that
we should not risk telling other people how such things can be
accomplished in the hope that no more people will find out than
already know. Opposing this is the belief that only by letting
people know about a danger, and by fully informing them of that
danger, can ways be developed to combat the danger.

The two arguments might be summarized as the "Keep quiet and hope
it goes away" against the "Forewarned is forearmed".

It is in the light of the latter belief that this article will
explain what the hacker did, and how he did it. I do of course
advise all those who think their systems might be susceptible to
this line of attack to protect themselves at once in the manner I
will describe shortly.

The Method
----------

Basically what the hacker did was to take advantage of the fact
that we do not make much use of the *.GBS files in our Opus
system.

For those unfamiliar with .GBS files I should pause to explain
that these are the graphic equivalents to the .BBS files
containing system logos, file lists, menus and the like. People
with ANSI graphics set ON will see what is in the .GBS files,
while those with it off will see what is in the .BBS file. This
allows users with ANSI capability to take full advantage of that
system, while still producing perfectly legible displays for
those without ANSI support.
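
An added example, not part of the original article or of Opus: a
small Python audit for the condition described above, a .BBS
display file with no .GBS counterpart in a directory that also
receives uploads. The area-to-directory mapping and the sample
layout are constructed for illustration and are not the Opus
configuration format.

```python
import os
import tempfile


def unclaimed_gbs_slots(area_dir):
    """List .GBS names that are still free beside existing .BBS files."""
    names = {n.upper() for n in os.listdir(area_dir)}
    return sorted(
        n[:-4] + ".GBS"
        for n in names
        if n.endswith(".BBS") and n[:-4] + ".GBS" not in names
    )


def audit_areas(areas):
    """areas maps an area name to (display_dir, upload_dir).

    This mapping is a hypothetical structure for the example, not the
    Opus configuration format. A slot is reported only when uploads land
    in the directory the display files are read from, because only then
    can a caller create the missing name.
    """
    findings = []
    for area, (display_dir, upload_dir) in sorted(areas.items()):
        if os.path.realpath(display_dir) != os.path.realpath(upload_dir):
            continue  # uploads are held elsewhere for the sysop to move
        findings.extend((area, slot) for slot in unclaimed_gbs_slots(display_dir))
    return findings


def demo():
    """Build a constructed three-area layout and audit it."""
    with tempfile.TemporaryDirectory() as root:
        def make(subdir, *files):
            path = os.path.join(root, subdir)
            os.makedirs(path)
            for name in files:
                open(os.path.join(path, name), "w").close()
            return path

        games = make("GAMES", "FILES.BBS", "CHESS.ARC")
        utils = make("UTILS", "FILES.BBS", "FILES.GBS")
        docs = make("DOCS", "FILES.BBS")
        hold = make("HOLD")  # upload-only directory, as in the article's fix
        areas = {
            "GAMES": (games, games),  # uploads land beside FILES.BBS
            "UTILS": (utils, utils),  # .GBS slot already occupied
            "DOCS": (docs, hold),     # uploads diverted to the holding dir
        }
        return audit_areas(areas)


if __name__ == "__main__":
    for area, slot in demo():
        print(f"{area}: {slot} does not exist and the area accepts uploads")
```
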
The hacker uploaded a file called FILES.GBS to a file area; as no
such file existed previously, the system allowed him to do this.
This file was a text file containing OANSI embedded commands to
shell to DOS and perform various functions. These included
DEL *.LOG in a successful attempt to remove the system logs and
so cover his trail.

The hacker then tried to run the remote sysop utility using this
system; luckily for us, he was unaware of which com: port we are
using. By performing CTTY with the wrong port he managed to crash
the system.

Protection
----------

Protecting against further attempts to do this is quite simple:
we have now set the upload paths for all file areas to a
directory that is only available from a file area in which the
F)iles and T)ypes commands are disabled.

Sysops will have to check this area and hurl (real problem as
Opus won't hurl across multiple drives) files into the areas they
are intended for. Not entirely satisfactory, but it's a solution.

Raymond C Lowe

-----------------------------------------------------------------

                   Your IFNA Working for You
                    Where DO those DUES go?

                     Steve Bonine, 115/777

There has been discussion in the sysop echomail conferences about
whether there is a need for an organization like IFNA, what such
an organization should do, and what IFNA is doing now. I want to
share with you a couple of things that IFNA is doing, right now,
for the good of FidoNet. You can agree or disagree about whether
they SHOULD be done, HOW they should be done, WHO should do them;
but at least you will be able to argue from a base of facts.

Last September, Ken Kaplan was looking for someone to help him
out with replies to inquiries received at the IFNA post office
box.
I volunteered for the job because that aspect of IFNA is an
important one -- it's all well and good to say that potential
sysops can obtain information about FidoNet from a local BBS, but
what do you do if you're in India, or if you don't know where the
local BBS is? The IFNA mailing address provides an important
means of distributing information about what we are doing.

The work that Ken wanted to delegate seemed simple enough -- send
some sort of reply to folks who request information by writing to
IFNA. The pamphlet that Ken had been sending was a bit out of
date. (It doesn't take long for things to get out of date when it
comes to FidoNet information!) So I sat down with the old
pamphlet, my trusty PCWrite and HP Laserjet, and came up with a
new mailer. Nothing fancy, but it worked. The response to PO-box
inquiries consists of this little pamphlet, a list of help nodes,
a list of all the FidoNet coordinators, and an IFNA
order/application form. It goes for a single unit of postage (two
units international), and provides general information aimed at a
diverse audience.

The audience grew when PC Magazine ran a short article on
FidoNet. The article referred to a number on the reader-service
card, making it very easy for people to generate an inquiry. PC
Magazine does a nice job of handling these "BINGO cards". They
send the target company (IFNA in this case) a post-card-sized
form for each inquiry, with a peel-off mailing label. There have
been more than 500 requests from this one article. It has been
especially interesting to watch PC Magazine make its way around
the world in the last few weeks as requests started to appear
from South America, Europe, Africa, Asia. . . PC's are truly
international.

Back in the dark ages (a year or so ago), requests for
information on FidoNet came primarily from potential sysops --
people who were interested in starting their own BBS. This has
changed, with many more requests coming from potential USERS.
These are people who have heard about FidoNet and echomail, and
want to know what benefits the network has to offer to them as
users. This shows how FidoNet has matured to more than a network
to facilitate communication between sysops. Based upon this
change in the mix of the audience, the material in the pamphlet
has been revised to include more user-oriented information.

If you are interested in seeing the picture that IFNA is painting
of itself, send me netmail (115/777) and I will gladly mail you a
copy of the PO-box-inquiry mailing.

To appeal to the potential sysop, a longer document provides a
more detailed introduction to FidoNet. This file, NEWSYSOP.TXT,
has been made available for download on a number of systems
throughout the network. It provides an introduction to what
options are available in BBS software, mailers, and echomail. The
audience for this publication is technical enough to be able to
cope with downloading from a local BBS, so this publication is
not generally made available in printed form.

So there you have it -- the attempts of one segment of IFNA to do
something to help FidoNet. Now let me preach a bit. The work I
have done for FidoNet has been quite rewarding. I do it because I
enjoy it. Try it; you might enjoy it also. You don't have to be
"anointed" to be a part of the team; I hold no position in IFNA
whatsoever. I have found that many people criticize IFNA for "not
doing anything" but there are mighty few who will actually pick
up the ball and run with it.

You want balls? OK. . . here are a few things that need to be
done. Nick Baroque (104/413) has made the excellent suggestion
that new systems receive a message from their IFNA director when
they are added to the nodelist, providing them with a greeting
and letting them know who their director is; in general, painting
a positive picture of IFNA. (Remember how exciting it was to get
netmail right after your node number first appeared in the
nodelist?)
We even have a volunteer who will send out the netmail. What we
need in order to implement this fine suggestion is a way to
identify new nodes. This is a bit more complex than a simple file
matching program, since it has to weed out things like nodes that
just changed their address. Any whiz programmers out there want
to tackle this one?

More balls. Mitch Kessler (107/269) has made another excellent
suggestion that a local contact, perhaps a followup to the
standard IFNA mailing, would be a valuable way to improve the
public relations of FidoNet. In fact, Mitch feels that FidoNet PR
should be coming from the local nets. Implementing this idea
would require a network of systems organized geographically to
provide this. Are there enough folks out there to make this work?

There are other projects which could be done. Exposure in the
national press, like the article in PC Magazine, counters the
media's tendency to paint computer bulletin board systems as
places where hackers and phreakers do their dirty work. Is anyone
in a position to get us more of this type of publicity? (It would
be even nicer if we knew it was coming this time, so we could
gear up to answer the inquiries.) NEWSYSOP.TXT can always use a
section on new products; to corrupt a popular phrase, "Send
prose!". Maybe there are areas in addition to new-sysop
orientation that you feel should be addressed by a similar
booklet.

The purpose of this article is to point out that IFNA really IS
accomplishing something. There ARE reasons to have a national
organization representing FidoNet, and two of them are providing
a central location from which information can be requested and
organizing a convention. Both of these tasks are being done;
you've read about the great progress towards a super FidoCon in
other articles. I hope to meet many of you at FidoCon this
August!

-----------------------------------------------------------------

Kilgore Trout, 107/9
System Enhancement Associates, Inc.

                     Etiquette and Protocols

We've done a number of benchmark runs on various file transfer
protocols over the last few years, a few of which have been
reported in FidoNews. Our last published benchmark series
compared SEAlink and Zmodem at 2400 baud.

Recently some people have questioned if it was valid to
extrapolate the results of our 2400 baud trials to data transfers
at 9600 baud. In particular, how would the Overdrive variant of
SEAlink compare against Zmodem? We were confident that our
earlier results were still valid at the higher baud rate, but we
decided to confirm this opinion with hard data.

For this benchmark series we used an IBM-AT (sending) and an
IBM-XT (receiving) connected by a null modem cable at an
interface speed of 9600 baud. The implementations test