Who is/was +ORC? A fine problem; perfect for a weeks contemplation. The Basilisk and others have already done fine work on bringing the issue to resolution. I soon realized that I was approaching a chase where the trail was already long cold and well trampled. Many brilliant stalkers had already tried all of the obvious approaches; there was however, some comfort to be had in that, as that very fact suggested that +ORC was either being *very* clever, or *very* candid.
While in regular stalking the trick is to have a good dictionary of synonyms to feed into the search engines, the trick with Zen stalking is to have an open mind ('zen mind'), untiring doggedness, and above all, to 'psych' oneself into the mindset of one's quarry.
OK, so, mindset of quarry, now let's see...what do we know about him? The Lessons (read and re-read them all several times, getting a feel for the language used), the Riddle itself, the URL and what it points to, +ORC's mention of it leading to a 'dead' page...
Ok, Riddle: the language used is heraldic, duh. The quote is from, well you know already, duh. Some lines are different than the original; there's numeric symbology used, could be something about shifting bits, adding, replacing numbers in the URL, after all, he was an assembly coder...
...nope, he'd be *zen!* too lazy to do that for real. He'd want us to *think* we should do that -- mount an exhaustive search of the Web -- and sit there revelling that he got all dem lamers up off their butts and doing something useful. But he's got a great sense of humor, so mebbe the heraldic stuff is still a clue, jest a diff sort of clue. Save it for lata...
The URL, of course leads into .mil territory, as trcroute will reveal (actually it winds up bouncing between two DNSs in .mil until it dies out). But as we already know, someone has visited fravia using that URL as their (spoofed) IP address, so we know that it's someone's calling card. How hard is it to do that? Not very, I could write the code from scratch in an hour or so.
So, how about the reference to the 'dead' page? Well, the obvious thought is that what that means is a page that's no longer being maintained. I would imagine that many folks have already searched all available engines for a +ORC directory, with mixed results (did you find the Electric Company, in Minsk?). But, I hand you +ORC's *own words*: (Lesson 2: '...for those of you that do not know anything, here is the ARCHIE way you get all the program that do EXIST on the planet:...'). My favorite one is the one in Oldenburg, Germany (-oldenburg.de/Docs/net-serv/archie-gate.html). Let's see...orc.htm...there it is: www.sics.se/sicskatalog/orc/orc.htm, and hey! orc.gif as well. Let's see who this is...
Ok, its Lars-Hakan Loenn ... and what's this, his nickname? 'Orc' ... well, well ... what does he do...search, search...a hah! He was a student at SU (university of Sweden) in 93, and in 94, and...hmm, not in 95...where was he in 95...search, search...a Hah! He's at CalTech, in the Swedish Club. And he didn't graduate...so he was an exchange student ... search, search ... he's into RPG (role playing games), specifically Gothic ... search, search ... while at CalTech lists his home server as nosferatu.sics.se ... search, search ... lot's of references to Gothic RPG. Save that for later...
Ok, orc.htm -- view source -- nothing interesting here. Spider sics.se ... search, search ... ok: Swedish Institute of Computer Science ... phone number, building name, a Hah! group name ... search, search ... here it is: his name on several of SICS's web pages as 'Grafik: Loenn'. He's a webmaster. He likes graphics. He might think heraldry is kewl, gothic and all that. Hmm.
Search, search ... a hah! He's does marathon runs: 3000m and 5000m, aka OL, which pardon my german means Orientierungs Lauf or some such, just as though he were in the militia at the time ... c.f. 'possibly once in the military' reference (forget where, duh). Ok, so he knows about encryption, and that .mil servers are off limits. Hmm.
Ok, dejanews da sucka ... advanced search, 1 Dec 95 thru 1 Jun 96 author +ORC ... whaz dis? 16 Feb 96 : 'see if it works' by +ORC posted to alt.test ... see if *what* works? ... where else doth he post? Ok, alt.hacker.malicious, makes sense, but, what's this: de.org.ccc? whazzat? Ok, hmm, they're talking about Germany's PTT trying to regulate Inet access. Why Germany? He's Swedish ... hmm, mebbe he wants to go work in Germany when he's done with school. Means he must speak fluent German, at the very least ... his English ain't lousy either ... could have a Dutch parent or spend time there on vacation or mebbe grew up there ... when's the first Lesson? 20 Feb 96 thru 25 Jun 96 ... and what's this? he keeps on re-posting stuff - wierd! (tell ye why in a moment, hehe)
Now, dear reader, for some major Zen. Forgive me
while I quote
verbatim a rather lengthy chunk of news thread. You
will benefit from
reading it in its entirety b4 getting to my commentary
(and of course
you can check it out for yourself on dejanews): Posted
18 Feb 96 in
response to a post 15 Feb 96 in alt.hacker.malicious
et al:
"Re: Can you trace where this post came from? No
way!Ę
Author:
TheAnalyst
Email: TheAnalyst@Nfo.Org
Date: 1996/02/18
Forums: alt.2600, alt.hacker, alt.comp.virus,
alt.anonymous, alt.hack,
alt.hacker.malicious, alt.cracks
Gi_Joe@gi.joe.org (Gi Joe ) wrote:
>On Thu, 15 Feb 1996 23:32:39 GMT, swt@csd.uwm.edu
(Pale Rider)
wrote,
>and said:
>>borg@internet.net (=BORG=) wrote:
>>>So... can you guess where this article came
from?
>>>
>>>Computerz are our best friends. Especially when we
can make them
>>>obediently follow our orders. No, you can't order
to computers. You
can ask
>>>them to do things.
>>>
>>>Best Regardz,
>>>=BORG=
>>>
>>>"...You will be assimilated, resistance is
futile..."
>>
>>Path:
>>uwm.edu!vixen.cso.uiuc.edu!newsfeed.internetmci.com!tank.news.pipex.net!pipex!news.uoregon.edu!news.sol.net!uniserve!van-bc!news.iceonline.com!news.inc.net!news.uoregon.edu!accross.the.wirez!from.somewhere!news.u.washington.edu!uw-beaver!cornellcs!newsstand.cit.cornell.edu!from.myself!do.not.try.to.figure.it.out.reading.the.path
>>From: borg@internet.net (=BORG=)
>>Subject: Can you trace where this post came from? No
way!
>>Approved: borg@internet.net
>>X-Newsreader: Why do you need to know what
newsreader I've got?
>>Sender: Newsposter@iceonline.com (Newsposter)
>>Nntp-Posting-Host: somewhere.on.the.Net
>>Organization: Information should be free Ltd.
>>Message-ID: 0123456789@somewhere.net>
>>Date: Thu, 15 Feb 1996 19:59:36 GMT
>>
>>Newsgroups: alt.2600
>>Path:
>>uwm.edu!vixen.cso.uiuc.edu!newsfeed.internetmci.com!in1.uu.net!van-bc!news.iceonline.com!Newsposter
>>From: unknown@net.com> (unknown)
>>Subject: test, do not read
>>X-Newsreader: WinVN 0.92.6+
>>Sender: Newsposter@iceonline.com (Newsposter)
>>Nntp-Posting-Host: ns.iceonline.com
>>Organization: -
>>Message-ID: DMu2CB.9Bw@iceonline.com>
>>Date: Thu, 15 Feb 1996 20:02:35 GMT
>>Lines: 3
>>
>>I'm going to guess "ns.iceonline.com"
>>
>>"I'm not against the police, I'm just afraid of
them." -Alfred
Hitchcock
>You missed the whole point of =BORG's= point
>quoting the headers he WANTS you to see.
You are correct
>ns.iceonline.com is not traceable, nor is any of the
other stuff he
WRONG! ^^^^^^^^^^^^^
>has; the NNTP is phony, as well as message ID.
>You need to have access to a newsserver to do this.
Either =BORG= or
Or a remailer.
>knows someone (his or her ISP) that will do this for
him (or her).
>Notice the last thing =BORG= says: "You can ASK them
to do things"
>Right =BORG=
>===
>GIJ
>===
Don't forget. the mentality of the poster should be
taken into
account. No
real hacker is going to post something like "Trace
me!". Only someone
that
wants to show off to their friends. So we have it
generally limited to
"netcom.com", "ix.netcom.com", "aol.com", "gnn.com",
"cris.com" (This
is a
generalization of course).
Next we look at the "PATH:" which is completely
useless. as is NNTP
posting host field. So we turn to more unorthodoxed
methods. His
sig. . .
He put "BORG" in his sig well that is a helper. We go
to one of many
online
"411" type services and search for "borg" starting
with the entire
internet. If that brought too many people then we
look at the survers
listed above. But since this left approximately 4
entries from the
entire internet we convert the e-mail address to visit
their
homepages. . .
We then look at the home pages to see who has the
mentality AND the
expertise to use an anon remailer and to broadcast
that they are using
one. This brings it down to one person.
NOTE: The method above is not exactly tracing but
hey, it works 99.9%
of the time. And usually works against the anon
remailer posters.
Should I post his location so you people can shut up
about this?
he is at "ix.netcom.com"
I can post his entire e-mail address, but I don't
think he would like
getting
requests about how he did it.
I KNOW HOW TO TRACE! SO SHUT UP about the above
method!
Can I assume that "iceonline.com" is a remailer? I
will have to check
my list
of remailers. Need to find my list first though. Oh,
well the method
above
works even if the person didn't use an anon
remailer.
--
Why should I hide my domain? I am doing nothing
illegal.
NewBies, to find information go to:
pubweb.nexor.co.uk/public/cusi/cusi.html
pick a search engine, preferably Lycos
and use common sense in the key words.
Remember hackers don't need this kind of common sense
help.
NEVER post underground URLz or FTPz."
Now, I speak fluent English, German and French, and can read pages written in Dutch, Swedish, Italian, Spanish and pig latin ( comes from having been in prep in Switzerland; veni vidi vici et al). Those Lessons read like a translation to English from (possibly) German, or even maybe Czech. My guess is, +ORC found the Lessons on fido, or in eastern europe, and translated them, or mebbe got them via CalTech while he was studying there. I did a quick scan of all threads in alt.hacker.malicious during the end of 95 and early 96, to see who if any stopped posting once +ORC started. There are several; take your pick. It t'ain't Destrukto cuz Destrukto still operates a site today as Destrukto. Noone on aol.com's a good bet, c.f. 'The Analyst' s comments above :). Btw, nfo.org is 'National Farmers Organisation", hehe.
Assuming this zen reasoning is correct (and i have no good reason to doubt my own intuition, hehe), we will probably *never* find out who authored the Lessons, unless we can find them somewhere with file dates prior to Feb 96. But I have great hopes of finding +ORC himself. For I know, he's into Gothic, and Graphics. Search, search ... here it is:
Nosferatu himself: http://www.geocities.com/TimesSquare/Stadium/9490. In his email he speaks of further riddles, so let's see. We know they won't be 'leet, or on par with the Lessons (was he too lazy to answer, or just didn't know?), so they shouldn't be too hard to crack ... :)
Ok, on index.htm:
- '...and sword-shaped toothpicks from a dry
martini...'
- 'Last, and most importantly for the purposes of this
site: The
nosferatu are potent information- gatherers,
managing to gain
access to just about everything.'
- 'all is not as it appears'
Sounds like the +ORC we know and love, no? Hmm.
Here, the page owner
is soliciting help from ne1 who knows some javascript.
Guess +ORC
decided to 'help' out a bit, no? And put some
Orc-isms in while he
was at it.
Did you find the 'secret' door yet? I knew you would
:). Here is the
passage: 'So, you think your a good nosferatu just
because you found
the secret 'door'... Anyone with half a brain could
have figured that
out. OK, so you're bright enough to know that not
everything is as it
appears. Good for you.'
That 'good for you' is straight out of the Lessons, is
it not? Which
it would be if +ORC had translated them, for they
would then be in his
idiom of choice. Things are still making sense.
Ooooh! Heres a
Login script! Oh no! It's booby trapped! Re:
"Also for reference, this is impossible for mortals to
hack. If they
do successfully hack it, the site shuts down for a
week and changes
are made to prevent it from happening again. Also, it
will mess with
their computer so much that they couldn't hack it
again if they wanted
to. It uploads a virus to any computer that attempts
to access it.
The virus allows complete access to all files on that
persons
computer. It downloads all of their files to the
creator of the site,
right before it deletes al of them and even destroys
their hardware.
Only registered nosferatu have the anti-virus program.
It is highly
unlikely that anyone could program an adequate
anti-virus program
becaus hidden with the first virus (if it is disabled)
then a second
virus will activate and just erase all of their files
(starting with
their anti-virus). The masquerade is perfectly
protected."
I'm sooo scared. Let's look at that script...
now, i don't feel *too* bad, cuz fravia dunno howto quote script either :)...
>!--
thispage="verify2.htm"
if (getcookie("lastvisit")!=null)
{ user=username+"#"+accesslevel+"$"+numsub
setcookie(user)
document.clear()
document.writeln("\>H1\<User verification\>/H1\<")
document.writeln("You must log in with a registered username and password")
document.writeln(">FORM NAME='myform'<")
document.writeln("Username: >INPUT TYPE=TEXT SIZE=20
NAME='username'<>BR<")
document.writeln("Password: >INPUT TYPE=PASSWORD SIZE=20
NAME='password'<>BR<>input type=hidden
name='access' size=3 value='"+accesslevel+"'<>input
type=hidden name=num size=3 value='"+numsub+"'<")
document.writeln(">br<>br<>INPUT TYPE='BUTTON'
VALUE='Submit' onClick=authorize()<>INPUT TYPE='reset'
VALUE='Clear'<>input type=button value='Delete Access Account'
onclick=deletecookie('lastvisit')<>/form<>p<")
document.writeln(">a href='apply.htm'<Click here if you want to apply
for usage of the NOSNET>/a<")
}
else
{
document.clear()
document.writeln(">H1<User verification>/H1<")
document.writeln("You must log in with a registered username and password")
document.writeln(">FORM NAME='myform'<")
document.writeln("Username: >INPUT TYPE=TEXT SIZE=20
NAME='username'<>BR<")
document.writeln("Password: >INPUT TYPE=PASSWORD SIZE=20
NAME='password'<>BR<>input type=hidden name='access'
size=3 value='#E3'<>input type=hidden name=num size=3
value='$0'<")
document.writeln(">br<>br<>INPUT TYPE='BUTTON' VALUE='Submit'
onClick=authorize(),setcookie(this.form.username.value+this.form.access.value+this.form.num.value)<
>INPUT TYPE='reset' VALUE='Clear'<>P<")
document.writeln(">a href='apply.htm'<Click here if you want to apply
for usage of the NOSNET>/a<")
}
// -->
So, where does 'authorize()' live? Why, in
userdata.js, of course:
<!--
function setcookie(name)
{
today=new Date()
document.cookie="lastvisit="+escape(today)+"_"+name+";expires=01-Jan-2000"
}
function getcookie(name)
{
var namestr = name+"="
var namelen = namestr.length
var cooklen = document.cookie.length
var i=0
while (i>cooklen)
{var j=i+namelen
if (document.cookie.substring(i,j)==namestr)
{ endstr = document.cookie.indexOf (";",j)
if (endstr==-1) {endstr=document.cookie.length}
tempstr = unescape(document.cookie.substring(j,endstr))
username = tempstr.substring(tempstr.indexOf("_")+1,
tempstr.indexOf("#"))
accesslevel=tempstr.substring(tempstr.indexOf("#")+1,
tempstr.indexOf("$"))
numsub = tempstr.substring(tempstr.indexOf("$")+1,tempstr.length)
numsub = eval(numsub)
return tempstr
}
i=document.cookie.indexOf(" ",i)+1
if (i==0) break
}
return null
}
function deletecookie(name)
{
var expdate=new Date()
expdate.setTime (expdate.getTime()-1000000000)
document.cookie=name+"="+getcookie(name)+";expires="+expdate.toGMTString()
location="verify2.htm"
}
function steller(form) {
location="steller.htm"
}
function surfto(form) {
ident=document.forms[0].username.value
location="agent.htm?user="+ident+"";
}
function sysadmin(form) {
location="admin.htm";
}
function authorize() {
if (document.myform.username.value == 'Thomas Hastings' &&
document.myform.password.value == "0000000000") {
sysadmin(this.form)
return true
}
if (document.myform.username.value == 'Malthus' &&
document.myform.password.value == '8478691725') {
surfto(this.form)
return true
}
if (document.myform.username.value == '`Spider' &&
document.myform.password.value == '209.42.128.3') {
surfto(this.form)
return true
}
if (document.myform.username.value == 'ACE' &&
document.myform.password.value == '****'){
sysadmin(this.form)
return true
}
if (document.myform.username.value == 'Luto' &&
document.myform.password.value == '7733271036') {
surfto(this.form)
return true
}
if (document.myform.username.value == 'Miette' &&
document.myform.password.value == '7734041868') {
surfto(this.form)
return true
}
alert('Your username or password is incorrect. Access denied.')
return true
}
--<
Gee, that's one major protection scheme he's got goin'!
So, just for the exercise, log in as admin, and create a user with
nicely high access privileges (ye can figger out what the letter
codes are, sure ye can!), and go view that nice rumor database! Piece
of cake.
Paranoia sets in. What if +ORC really *is* an elite cracker? What if that page is merely a smokescreen, and there are other pages hidden on that site? What if i'm wrong? Go figure :-)