Getting the dirt on D.I.R.T.
By Claire Wolfe
It all started in the No-Name Computer Store, just west of the Hardyville stoplight, just east of the edge of nowhere.
D.I.R.T. was the mega-spooky one. Real Enemy of the State stuff. Quotes featured prominently on the developer's Web site claimed it could invade "any personal computer in the world" -- slithering into your system entirely by stealth. Zap! Without you doing or seeing anything, it would monitor every word you typed and read any file on your computer.
But not to worry, Codex Data Systems said. They would sell it only to authorized government agencies -- all tightly bound by the Fourth Amendment (as we freedom lovers are so acutely aware).
Well, WorldNetDaily readers are a cagey lot. Helpful, too. E-mail flooded in. Suggestions. Techniques. Offers of assistance. And a few messages from unexpected sources.
First came a cheery note from Terrance L. Kawles, Esq., vice president-general counsel of Codex. That's lawyer for those who haven't had their coffee yet. Terry offered both an interview and a realtime demo of D.I.R.T.
In the same mail delivery, Alan Wild, senior-programmer/analyst in the Office of Information Services at the University of Rhode Island, said he and his colleagues would dig into D.I.R.T.
A match made in Heaven, I thought. Almost immediately Alan and Terry began setting up terms for the demo. We mere "civilians" would soon see D.I.R.T. doing its magic.
Well ... not exactly.
For one thing, it turns out that D.I.R.T can't quiiiiite invade "any personal computer in the world." When Alan said he planned to use Windows NT in the demo ... nope. They didn't have a product that could raid NT.
Unix? Mac? OS/2? No ... "any personal computer in the world" turns out to mean any stand-alone, Internet-capable computer running Windows 95 or 98. Since the Gang of Gates designed Windows 95/98 to be remotely operated by Microsoft technicians, invading it isn't exactly a trick. Codex says versions of D.I.R.T for other operating systems are under development or can be written "for a price." But this also seems to imply that any agent planning to throw D.I.R.T. at you would have to know your operating system in advance and buy (at $1,895 and up) the appropriate software.
Then Terry said the demo would involve e-mailing Alan an attached file which he would have to open -- as with any ordinary "Trojan Horse" virus.
"But wait a minute," Alan protested, "You said you can infect a system just by knowing an e-mail or IP address."
We can, they insisted. But we won't show you because you don't represent an authorized law-enforcement agency.
To make a long and not always civil story short, after Alan obtained a letter from his chief of campus security, requesting a demo of D.I.R.T.'s full stealth capability, it was still no go. In a conference call, Codex's president, Frank Jones, told Alan and me 1) that he didn't think the security chief had appropriate credentials, and 2) that they wouldn't demonstrate the stealth capabilities of D.I.R.T. even if he did. You don't see "stealth D.I.R.T." until after you buy the product.
In the end, Alan and I declined the limited demo, agreeing there was nothing to be learned from it.
It boils down to this:
Am I saying that D.I.R.T. is a fake? Not at all. Is it far less sophisticated than Codex wants the world to believe? Probably.
As Alan sums it up, "These guys are hackers who are trying to make money by legitimizing a virus. If I'm right, this technology has a limited lifespan. As soon as McAfee can get a signature on it, they've got it. So they have to make money before that happens."
Frank Jones as much as admitted Alan's speculations are correct. He said they'd just keep changing a few lines of code to evade the virus hunters. Well, we'll see.
Don't get the idea that D.I.R.T is harmless, though. As Alan hastens to note, it's very dangerous.
Here's what it almost certainly can do:
Perhaps the worst danger is that this or similar programs will inevitably "escape." Hackers, crackers, warez traders and rogue agents may soon be making knockoffs and "improvements." Nobody will have to pay $1,895 for them, either. They'll be free -- just as Back Orifice is already. Doubt the grand claims today, if you wish, but fear the reality tomorrow.
So what can you do to protect yourself?
One helpful note came from Tweety Fish of the Cult of the Dead Cow, the hacker group that created Back Orifice. After dismissing D.I.R.T. as "a big heap 'o not-much-at-all" Tweety suggested:
Relying on an anti-virus program to stop either D.I.R.T. or Back Orifice is a fallacy. A more effective way to defend yourself is to get a process viewer like PView and learn what the many ... processes running on your system are. Is this a particularly easy or user friendly thing to do? No, but we at the cDc believe that understanding what your computer is doing should be an integral part of knowing how to use it. ..."
The Dead Cow crew is developing its own system viewer "... so you can know what application is modifying what file and, if you so desire, deny it the privilege. Sort of a pain, but as I'm sure you know, freedom from external manipulation of any kind requires some personal involvement."
More than one reader wrote to elaborate upon what Bob-the-Nerd had already mentioned: If you have any reason to believe you're being monitored, don't input confidential messages, passwords, etc. on a computer that's ever connected to the Internet. Have a separate computer that's never online. (It doesn't have to be the latest thing.) Do all confidential work there and, when needed, "transmit" sensitive information "by sneaker net" -- carry it on a floppy disk -- to the 'Net-capable machine. Then hope your stalkers never get physical access to that machine so they can infect it with monitoring software, too.
One reader wrote to call attention to a new e-mail encryption program, InvisiMail. Unlike PGP, InvisiMail generates keys entirely through mouse movements, not keyboarding. Although it uses a password for access, it doesn't require inputting the password to encrypt every message, as PGP does. Does this provide some safety?
I called InvisiMail's U.S. representative, Kevin Shannon, who connected me with Britton Damian Fozard, developer of InvisiMail's algorithm. Both men were extremely professional and informative.
After giving the matter some thought, Fozard concluded that a thief could capture the logon and keyfiles, as with PGP. He noted, however, that a thief who wanted to impersonate you would still face a barrier PGP doesn't provide: InvisiMail automatically alerts a recipient if a message did not originate from the e-mail address of the key holder. "The thief would therefore need to also be able to control all mail to and from all of the user's e-mail accounts in order to complete his deception. This is likely to be a non-trivial task."
By the end of the call, I had the impression Fozard was going to think of little else until he had thoroughly chewed on the problem of protecting InvisiMail customers against Trojan Horse snooping. Indeed, within hours, he had e-mailed to say he'd thought of several security enhancements. What they may be remains to be seen. But InvisiMail is an interesting program -- easy to use, increasingly versatile, and definitely one to watch.
Finally, nearly every reader who suggested protective strategies mentioned this one: "Switch to Linux" -- the fast-growing operating system that's the hands-down favorite of freedom-loving computer nerds. Very hard to crack, too. As it happens, I share a household with a Linux fan. I've been watching and waiting for this operating system to be ready for non-nerds like me. I still don't think it is. But at the urging of several readers -- one of whom offered to help me get up to speed, I'm going to try anyway.
To be Windows free in 1999. Take that, you D.I.R.T.y snoops.
GO TO PAGE 1 | GO TO PAGE 2 | GO TO COMMENTARY
SEARCH WND | CONTACT WND
© 1998 WorldNetDaily.com, Inc.
Co-Located at Fiber Internet Center