Re: virus: the program[and some theorizing]

Traumatic Dog
Tue, 18 May 1999 02:18:12 +0300 (EEST)

On Mon, 17 May 1999, psypher wrote:

> > And is it absolutely necessary that we agree on a definition of
> > "truth" to do so?!?
> ...heck no. A meme doesn't HAVE to be true, it just has to be
> contagious. I figure we could go about this one of two ways [there
> may be options I've missed, feel free to add 'em]
> [1] We could focus on the propagation of the actual Church of Virus
> as an entity and forum. This would have as its merits the potential
> addition of people to our little clan and the expansion of our
> potential resources. The drawbacks as I see them are that in any
> situation where the forum is as volatile in its aims and purposes as
> this one, open access is a potential threat. I like that people
> coming here have - to some extent - to look for it. I also think that
> there's some danger in propagating these ideas without a firm
> understanding of their implications - to hack away at an old saw:
> To a myn with a hammer, everything looks like a nail.
> To a myn with a virus, everything looks like a meme.
> [2] If we want to attain some viability as memetic engineers, we
> should engineer and propagate a meme which is consistent with the
> viral ideology [to the extent that a group of analytic skeptics can
> be said to have an ideology] but does not itself refer directly to
> its origins. Is there a thought/concept/idea that we can agree to
> package and disseminate as a group? If so, what is it and how should
> it be designed? Should each individual virian be responsible for its
> dissemination in whatever fora to which they have access? Should
> there be commonalities in its preparation and construction? Should we
> collectively design a [package] and work on collectively distributing
> it?
> ...we've got a theory about idea propagation, let's see if it works.

You guys are only now getting up to this??? HAHAHA!!! :-)

I've been doing this thing for several years already!! And so has the US Military, the US Congress and the Yugoslavian army.

For reference, research the subjects: Internet Terrorism, UK Military Satellite Theft, China Spy, etc. No real substance, lots of sensational stories and information spread to serve a purpose, often that of the US military.

I started with the Microshit; who are now in court with DOJ, which I consider to be a personal victory!

Recently I've really been getting the hang of this PR/propaganda/InfoWar/meme thing. So here's a HOWTO, based on REAL experience:

How to influence things with Information War & the Internet:

1) Get _juicy/sensational_ news articles driving home/enhancing the views and points you like. If not available, write some.

(It doesn't matter if the facts making the article sensational are false. It's the sensational bit that causes the snowball effect. How believable and hard-to-disclaim those facts are determines how big the snowball grows. Included facts make FUD more believable.)

2) Forward them to as many people as possible, with the source URL.

(Some E-mailing list relevancy would be good though. If not in the article itself, then in your added comments, etc, making it relevant to the particular target group. It's not much use preaching to the converted, but you can REALLY influence those not yet converted. People should feel compelled to forward the e-mails to even more people. Journalists are especially preferred targets.)

3) Repeat 1) & 2) if necessary. (E.g. keep adding gas to the fire.)

4) Watch the whole thing snowballing and possibly starting an


{ ...I originally posted this on the anti_ms -list.. }

For example, people on this list might consider forwarding and printing the "MICROSOFT'S HEAVY HAND IN THE COOKIE JAR" article for reading to others less informed about Microsoft's practices.

Another good thing to battle about would be the "economic harm being caused to the US companies due to the crypto-restrictions." Hackers are rampaging companies and crypto is the only defence, denied for us by the government for obscure & unknown purposes!

Journalists are an excellent target for sensational and "news-worthy" information.

Let's start a media-war on this! If the issues are posted and discussed about widely, there's going to be more news articles, and we can REPEAT the same process by forwarding those articles.

The more people do this forwarding/discussion thing, the harder and more seriously we hurt M$/stupid lawmakers.


Damn, you guys are really coming late into this game.

If you need a subject, how about starting a media circus about these M$ privacy violations?? You've got one Giant Monster of a vicious media-controlling company with billions of dollars of money against you!

Date: Tue, 11 May 1999 21:55:22 -0600 (MDT)
From: cult hero <>
To: InfoSec News <>
Subject: [ISN] Everywhere your MAC address shows up

Forwarded From: <anonymous>

MICROSOFT'S HEAVY HAND IN THE COOKIE JAR A special report from YEOW - Barry Simon.

See the Woody's Office Watch discussion and details on the Office 97 privacy problem. Issues 4.11 and 4.12

Because of the important Internet Explorer 5 coverage some regular WWW features have been held over to the next issue.

We reported earlier on the brouhaha over the inclusion of hardware IDs in the Pentium III chip and privacy advocates' concerns about it. Turns out many of us already have hardware IDs on our systems since all Ethernet cards have a MAC (stands for 'Media Access Control', whatever that means!), a six byte ID number that networks need to be sure to properly direct network packets. Of course, the Pentium III ID's are more serious since many home systems don't (yet) have network cards and the biggest privacy concerns are in the consumer space.

Due to wonderful sleuthing by Richard Smith of PharLap (who earlier located the April Fool's Bug discussed in WWW issue 2.2), the world has discovered a number of places that Microsoft has been using these MACs - in Windows 98 IDs, in Office 97 documents and in the cookies. And privacy concerns result from all these uses.

To understand the issues, try a few experiments. First, you'll need your MAC assuming you have an Ethernet adapter. With Windows 9x, run the program winipcfg from the Run box. It should load with a dropdown that says 'PPP Adapter'. Change the dropdown to the name of your hardware adapter. The Adapter Address field will say something like 00-70-06-9A-8E-43. That's your MAC. Each byte is presented as two hex digits (0 through 9 or A-F) for a 12 character ASCII string which is what Microsoft uses. With Windows NT, run instead winmsd, go to the Network tab and pick Transports and you'll get the MAC.

For the next experiment, you'll need to look at a Word 97 document in text mode. You can't do this with Word. If you have Quick View Plus (plain Quick View won't do), open a Word doc in QVP, go to the View menu and pick View as Text. Or make a small Word doc, save it and rename it to a .txt extension and open it in Notepad. Now search for the string PID. You should find _PID_GUID and shortly afterwards, a long hex string inside braces such as {F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}. Those 12 hex digits at the end will be your MAC. Yup, every Word doc, every Excel spreadsheet and every Power Point presentation is branded with an identifier showing the PC it came from. If your boss has a Word memo you sent her and a copy of the anonymous whistle blowing attachment you sent to the Feds, she could determine they were made on the same machine. (Of course, if you aren't careful, the document includes an author name and if any corrections were made, it may say who made the corrections. Within the next few days, Microsoft expects to post a white paper on all the 'metadata' embedded in Office documents).

To run the next experiments, you'll need Windows 98, so I'll tell you what happens so you can follow along in any event. In your Windows directory, you'll find a file called reginfo.txt. Open it in Notepad and look for a line called HWID; it ends with your MAC. This file is created when you install Windows and is transmitted to Microsoft when you register. And here's the clincher: even if you check the box not to send hardware information, this data is sent. And it's even worse - the data collection code is in an ActiveX control that can be used by any Internet site out there. Pharlap has a demo to illustrate this: go there and it displays your MAC on screen. Any site knowing of this control could track MACs of all Windows 98 visitors to their sites. There is also a demo and discussion at Windows Magazine. By the way, this ActiveX control is also in the Windows 2000 beta so if Microsoft hadn't been found out, NT users would have been hit next.

Next, go to your cookies directory and open the text file whose name ends with microsoft.txt (it probably has a username@ in front where username is your login name). In it you'll find a string called GUID that includes your MAC (GUID, by the way, is short for Global Unique Identifier). This cookie is sent to every time you visit that site. You may have realized they were making a cookie when you registered at their site but I bet you didn't realize they were adding hardware information without your permission. (Actually the Win98 Registration Wizard made the cookie before you went to the Microsoft site.)

You might want to search your Registry for your MAC as a string. I found mine numerous times - two in suspicious places vis-à-vis Microsoft. It's part of a key for Media Player called Client ID (is this passed on to the Media Player servers?) and as part of a key HKCU\Identities that seems to be connected with Outlook Express 5.0.

There is certainly plenty here for the paranoid. Microsoft is collecting and storing in its databases unique hardware information. That information brands your documents, and is always sent on when you access Microsoft's site. One has to consider the possibility that Microsoft is keeping some master database tracking all sorts of interactions based on your MAC. And one has to allow the possibility that the MAC will be encoded in the information that is sent by the Office Registration Wizard in Office 2000.

Microsoft has reacted vigorously to the developments in this story. They have two customer letters (here and here) on their site in which they promise to remove the hardware ID part of the registration wizard in a Win98 upgrade. They also promise to delete 'any hardware ID information that may have been inadvertently gathered without the customer having chosen to provide Microsoft with this information.' Tools have already been posted to remove branding from Office applications and from already-created docs and there is a promise that branding will be removed from the final version of Office 2000.

Beyond these actions, there has been a full court spin operation. Some MS representatives have (unwisely in my opinion) attempted to minimize the issue. There have been claims that the doc branding was a part of a feature, never implemented, intended solely to help network administrators. There has been harping on the fact that the MAC only identifies a machine but not an individual - true but not of much comfort in many cases. We've been told that Windows 98 sending a HWID even if you said not to send hardware information was a bug, not a feature - an inadvertent programming error. There's been no new statement about the use of MACs in cookies which I find most disturbing.

We've been told by Microsoft representatives that the Office 2000 Registration Wizard doesn't collect MACs or anything like a MAC. Indeed, they claim that while the Office CD serial number can be reconstructed from the 16 byte code sent by the wizard, the hardware info does not allow reconstruction. In particular, if the different CDs were used on the same machine, they'd be unable to tell that the codes came from the same machine.

The problem with the Microsoft position is that the company has so little credibility and there is too much of a pattern here. We pride ourselves on taking a middle road on Microsoft at Woody's newsletters. We don't hesitate to put their feet to the fire but, on the other hand, we don't take the position that Microsoft is the root of all evil and everything they say and do is two faced. That said, Woody's middle name isn't Polly and mine isn't Anna. Microsoft has amply demonstrated that it is company policy to, er, shade the truth when doing so serves a perceived business purpose. We see it in the leaked disinformation about Windows 2000 shipping this fall, we've seen it in their previous reactions to accusations and we saw it too often in the testimony at the DOJ trial.

That means one has to take skeptically every statement that Microsoft has made about the MAC problem. I'm inclined to believe that branding of Office documents wasn't part of a plot to link together our entire lives in Microsoft's databases. But I'm insulted that they try to bat their eyelashes and claim to us that the sending of the HWID even when you told them not to send hardware info was an inadvertent error. And I'm concerned that we have no way of knowing that they've kept their promise to remove hardware IDs from their internal databases. Indeed, my presumption is that they will not.

I worry that Microsoft is tucking all sorts of things into the holes they aren't discussing. While they have said they'll stop using HWID, they have also said they'll continue to use the MSID number which is created by the Windows 98 Registration wizard. And, guess what? As discovered by Peter Siering at the German publication C'T Magazine, the registration wizard also creates a Microsoft cookie that includes MSID. So even after the apologies and changes, it seems Microsoft will be quite capable of tracking us and linking online visits to registration information.

It's interesting about credibility. There was also an Intel slip reported recently that they claimed was inadvertent. Apparently some mobile Pentium II's shipped with hardware IDs even though these were only announced for Pentium III's. Intel's explanation is that they experimented with this feature in the manufacturing process for the mobile Pentium II but it was supposed to be disabled before shipping. One line inadvertently didn't do the disabling. Intel's credibility is such that I'm willing to accept their claim of inadvertence here.

Subscribe: mail with "subscribe isn". Today's ISN Sponsor: Hacker News Network []
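
The document-branding issue in the forwarded article comes from the layout of time-based (version 1) GUIDs, whose last 48 bits are the generating machine's network address. The following is an added example, not part of the original post or the article: a pre-release audit that finds such GUIDs in extracted document text and groups documents by the embedded MAC. The file names and every GUID except the one quoted in the article are constructed sample data.

```python
import re
import uuid
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
# Version 1 timestamps count 100 ns ticks from the Gregorian calendar reform.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def inspect_guid(text):
    """Return MAC and creation time for a version 1 GUID, else None."""
    u = uuid.UUID(text)
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return None  # random or name-based GUIDs carry no hardware address
    octets = u.node.to_bytes(6, "big")
    return {
        "mac": "-".join(f"{b:02X}" for b in octets),
        "created": GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10),
        # Multicast bit set means the node field was randomly generated,
        # not read from a network card.
        "random_node": bool(octets[0] & 0x01),
    }

def link_by_machine(docs):
    """Map each embedded hardware MAC to the documents that carry it."""
    groups = defaultdict(set)
    for name, text in docs.items():
        for match in GUID_RE.finditer(text):
            info = inspect_guid(match.group(0))
            if info and not info["random_node"]:
                groups[info["mac"]].add(name)
    return {mac: sorted(names) for mac, names in groups.items()}

# Constructed sample: text as it might appear when a document is viewed as text.
ARTICLE_GUID = "F96EB3B9-C9F1-11D2-95EB-0060089BB2DA"  # quoted in the article
SAMPLE_DOCS = {
    "memo.doc": "....._PID_GUID.....{" + ARTICLE_GUID + "}.....",
    "report.doc": "....._PID_GUID.....{0A1B2C3D-D001-11D2-95EB-0060089BB2DA}...",
    "other.doc": "....._PID_GUID.....{3F2504E0-4F89-41D3-9A0C-0305E82C3301}...",
}

if __name__ == "__main__":
    print(inspect_guid(ARTICLE_GUID))
    for mac, names in link_by_machine(SAMPLE_DOCS).items():
        print(mac, "->", ", ".join(names))
```

Documents whose GUID is not version 1, such as the constructed `other.doc`, produce no entry, which is the result an audit wants to see before a file leaves the organisation.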