http://www.itworld.com/Man/2681/040719stolencode/ Paul Roberts IDG News Service 7/19/04 An online group claiming to have the source code for two popular computer programs for sale opened its doors for business again on Saturday. An e-mail message that claims to come from "larry hobbles" and the Source Code Club was sent to the Full-Disclosure security discussion list. The message said that the group has moved operations to Usenet, the network of online bulletin boards that makes up part of the Internet, where interested customers can buy the source code for the Dragon intrusion detection system (IDS) software from Enterasys Networks Inc. and peer-to-peer server and client software from Napster LLC, now owned by Roxio Inc. The club made headlines last week after posting messages to online discussion groups that advertised a Web site selling the source code and design documents for Dragon and Napster. By Thursday, the group's Web page displayed a message saying the club had ceased operations due to "fears our customers faced." A subsequent "newsletter" from the club dated July 17 and posted to the Usenet group alt.gap.international.sales at 10:28 PM Pacific Standard Time called Usenet the "official home" of the Source Code Club and said the informal network was "better suited" to the club and would give potential customers two ways to contact club members: through a club e-mail address and through messages posted in the Usenet group. The newsletter claims that the Source Code Club soon hopes to go underground and stop offering code for sale in public, but is offering the Dragon and Napster code "to authenticate our skills." The Enterasys code would allow purchasers to understand the "secrets behind Dragon," whereas the Napster code could give "any company interested in breaking into the online music industry" a jump-start, the newsletter said. The club also expressed regret for the "public fiasco that ensues when you publicly offer source code," an apparent reference to media attention to the group's unveiling. The club also posted instructions for potential customers to purchase the stolen code. Customers are encouraged to contact the group using e-mail and PGP (Pretty Good Privacy) encryption to disguise their requests. Source code for the Dragon software was priced at US$16,000 and Napster for $10,000, with payments made through one of a number of online payment services. Those wary of sending money to the club have the option of buying the source code in $500 increments to build confidence. Enterasys is working with the U.S. Federal Bureau of Investigation and reviewing the club's claims. The company claims that its product code was lifted off stolen media, such as a compact disc or computer hard drive, rather than stolen directly from its computer network, according to Kevin Flanagan, an Enterasys spokesman. A Napster spokeswoman said last week that while Roxio owns the rights to the original Napster code being sold by the club, the current Napster online service does not use any code from the original, free music swapping service and is not affected by the alleged theft. _________________________________________ Help InfoSec News with a donation: http://www.c4i.org/donation.html --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'