Weird message from someone named "NIPC"

Declan McCullagh declan at well.com
Wed Jul 25 22:50:31 PDT 2001


Now that I've actually read through some of what Tim posted, I think
it's clear what it is. Hint: Vatis wasn't in charge of NIPC by June
29, and I don't recall any such hearing, and his reported comments
are a little, well, unusual. --Declan


On Thu, Jul 26, 2001 at 01:15:21AM -0400, Declan McCullagh wrote:
> There seem to be three explanations.
> 
> 1. Tim is having some fun with us. It would be easy for him to do so, and
> NIPC (an FBI subagency) has been in the news today, with a WSJ article
> this morning posted to the list and a Senate hearing this afternoon.
> Tim's written similar things before and posted them straight-faced:
> http://www.politechbot.com/p-01332.html
> 
> 2. Someone is spoofing NIPC email and having fun with Tim.
> 
> 3. This really did originate from within NIPC and is a major
> cypherpunk intelligence find. The WSJ article
> (http://www.politechbot.com/p-02306.html) says NIPC has been hit by
> Sircam, which scans hard drives for email addresses in documents and
> mail archives, according to descriptions I've read. Reports say Sircam
> emails working documents (in My Documents or whatnot folder) and this
> could have happened.
> 
> -Declan
> 
> 
> 
> On Wed, Jul 25, 2001 at 06:42:34PM -0700, Tim May wrote:
> > Cypherpunks,
> > 
> > I've been getting anywhere from 10 to 30 "SirCam" worm messages a 
> > day. The volume is now declining. Most have attached files containing 
> > fragments of Microsoft Word documents, apparently extracted from the 
> > disk drive of the sender. Most are the usual garbage people write to 
> > each other, but some of the ones from corporations have been 
> > interesting. And this one, assuming it is real, seems to have 
> > originated from within some department of the government called "NIPC."
> > 
> > It must be bogus. This does not seem plausible, that they would send 
> > me something, so I expect a hoax.
> > 
> > The attached file, with the message, is 926 K, so I'm only enclosing 
> > a few tantalizing sections.
> > 
> > I really cannot imagine why I am getting these SirCam messages from 
> > some government agency named "NIPC," unless for some reason my e-mail 
> > address is in their address book. How could that happen?
> > 
> > (BTW, many of the SirCam messages have clock dates which are wrong. 
> > This one is incorrectly dated "8/24/01".)
> > 
> > At 2:39 PM -0400 8/24/01, NIPC Intern42 wrote:
> > ------017B5BE9_Outlook_Express_message_boundary
> > Content-Type: text/plain; charset=ISO-8859-1
> > Content-Transfer-Encoding: quoted-printable
> > Content-Disposition: message text
> > 
> > Hi! How are you=3F
> > 
> > I send you this file in order to have your advice
> > 
> > See you later=2E Thanks
> > 
> > ------017B5BE9_Outlook_Express_message_boundary
> > Content-Type: application/mixed; name="DC TOOLZ.zip.bat"
> > Content-Transfer-Encoding: base64
> > Content-Disposition: attachment;  filename="DC TOOLZ.zip.bat"
> > 
> > 
> > The NIPC and FedCIRC have recently received information on attempts 
> > to locate, obtain control of and plant new malicious code known as 
> > "W32-Leaves.worm" on computers previously infected with the SubSeven 
> > Trojan.
> > 
> > The default ports for SubSeven to listen for network traffic are 
> > 16959/tcp and 27374/tcp, though the numbers can be changed. Full 
> > descriptions and removal instructions of a number of SubSeven 
> > variants can be found at various anti-virus firm Web sites, including 
> > the following:
> > 
> > 
> > 
> > A computer security unit within the U.S. Federal Bureau of 
> > Investigation has detected a series of intrusions into U.S. 
> > government networks under an investigation code named Moonlight Maze, 
> > and the intrusions appear to have originated from Russia, an FBI 
> > official told Congress this week. A spokesman for the Russian embassy 
> > here today quoted the head of the press service for the Russian 
> > foreign intelligence service, Nikita Rabusov, as saying the Russian 
> > special services have "no relation whatsoever" to the theft of 
> > information from computer networks of the U.S. federal agencies.
> > 
> > "American specialists have failed to establish from where this 
> > intrusion originated," the embassy official quoted Rabusov as saying 
> > in an interview with the Russian news agency Itar-Tass. "They only 
> > indicated that it comes from a software company said to be 
> > reverse-engineering the products of leading American software 
> > companies. Russian special services are not so stupid to undertake 
> > such an operation, in case the necessity arises, directly from 
> > Moscow."
> > 
> > Please report computer crime to your local FBI office 
> > (www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate 
> > authorities. Incidents may be reported online at 
> > www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit also 
> > can be reached at (202) 323-3204/3205/3206, or nipc.watch at fbi.gov.
> > 
> > References to ECONCOM are to be deleted ASAP from all departmental 
> > systems. SLAM DUNK cover to be vetted by NIPC for release to 
> > journalists. Oakland and Monterey offices to coordinate.
> > 
> > 
> > Michael Vatis, deputy assistant director and chief of the Federal 
> > Bureau of Investigation's National Infrastructure Protection Center 
> > (NIPC) created February 26, 1998, told the Senate Judiciary 
> > Subcommittee on Terrorism, Technology and Government Information June 
> > 29 that "crypto anarchists" see Washington's computers as "the final 
> > exam, the ultimate challenge, the enemy which must be destroyed." 
> > Agents are advised to seek out means of forcing these persons out of 
> > the public debate.
> > 
> > 
> > Internal Memorandum. The FRENZY Conference was a fantastic showing of 
> > our capabilities for covert entry into target computers. PDs across 
> > the country are asking how they can get their own CARNIVORE systems. 
> > Here is one such request:
> > 
> > "We've bought so many necessary items from vendors who attended the 
> > last FRENZY Conference ... the Conference was definitely one of the 
> > best I've attended. I was particularly impressed by how easy the 
> > Carnivore system was to set up."
> > 
> > Rick Smithman, Criminalistics Bureau Administrator, Lodi Police Department
> > 
> > 
> > 
> > With this thought in mind, The Laissez Faire City Times interviewed 
> > Ed Hertzog, editor of The Free Associator, an interesting e-zine that 
> > wants to facilitate Digital Anarchy. This interview is a little 
> > mirror of an underground, libertarian world, whose landmarks and 
> > standard-bearers are John Perry Barlow and Neal Stephenson, Nicholas 
> > Negroponte and Ayn Rand, Louis Rossetto and David Friedman.
> > 
> > 
> > NIPC has been tasked to assist in the take-down of a high-profile 
> > hacker terrorist at the DefCon conference next week in Las Vegas. The 
> > take-down is being planned for maximal public impact, as per AG 
> > Ashcroft's memo of 24JUN01. Full assistance will be provided by NIPC. 
> > Plain clothes agents will be at the conference to render assistance.
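
The MIME part headers quoted in the message above carry an attachment named "DC TOOLZ.zip.bat" with the type application/mixed. As an added example that is not part of the original thread, this Python sketch shows how a mail filter could flag such a part; the sample message is constructed, and the extension list and function name are this example's own assumptions.

```python
import email
import os
from email import policy

# Extensions Windows runs directly; the list is this example's own choice.
EXECUTABLE_EXTS = {".bat", ".cmd", ".com", ".exe", ".lnk", ".pif", ".scr", ".vbs"}

# Constructed sample modelled on the headers quoted above; body is a placeholder.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----017B5BE9_Outlook_Express_message_boundary"

------017B5BE9_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi! How are you=3F

------017B5BE9_Outlook_Express_message_boundary
Content-Type: application/mixed; name="DC TOOLZ.zip.bat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;  filename="DC TOOLZ.zip.bat"

UExBQ0VIT0xERVI=
------017B5BE9_Outlook_Express_message_boundary--
"""

def suspicious_attachments(raw):
    """Return (filename, reasons) for each attachment that looks disguised."""
    findings = []
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and containers carry no filename
        stem, last = os.path.splitext(name.lower())
        inner = os.path.splitext(stem)[1]  # extension hidden behind the last one
        reasons = []
        if last in EXECUTABLE_EXTS:
            reasons.append("executable extension " + last)
            if inner:
                reasons.append("double extension hides " + last + " behind " + inner)
        if part.get_content_type() == "application/mixed":
            reasons.append("unusual type application/mixed")
        if reasons:
            findings.append((name, reasons))
    return findings

print(suspicious_attachments(SAMPLE))
```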




