Kuro5hin.org: technology and culture, from the trenches
Lowering the bar for hacking

By pb in Op-Ed
Tue Mar 18, 2003 at 09:58:31 AM EST
Tags: Internet

Information related to 55,200 social security numbers was "stolen" from the University of Texas, and the "hacker" has turned himself in.  His crime?  Scanning ~2.7 million social security numbers through a web interface.  Obviously there are some security concerns here.


So tell me, who is the criminal here?  Is it the person who scanned a range of social security numbers through a public interface, demonstrating a gaping security hole?  If this is a crime, then so should be portscanning, or any other method of scanning; with an application this poorly designed, it wouldn't be too far-fetched for a search engine to do the same thing, automatically!

Or perhaps the real criminal is the University of Texas, for using social security numbers for identification purposes, and for their criminal negligence in designing a system that reveals the data associated with any social security number in their system with no authentication method whatsoever.

Perhaps at one point in time hacking (or cracking, even...) required some skill in circumventing an access method of some sort, as for instance the DMCA specifies, as opposed to merely looking up a number in a directory.  But this is even more trivial than a dictionary attack, and the whole situation would be completely laughable... if it wasn't so sadly true.

Poll
Criminally Negligent?
o The Evil Hacker! 3%
o The Incompetent University! 40%
o The Judicial System! 2%
o The Criminal Justice System! 0%
o The Media! 4%
o All of the above! 30%
o None of the above! 1%
o Mu! 15%

Votes: 142

Lowering the bar for hacking | 70 comments (39 topical, 31 editorial, 0 hidden)
In other news (4.78 / 14) (#5)
by Rogerborg on Mon Mar 17, 2003 at 11:54:14 AM EST

Man admitted to emergency room with vacuum cleaner hose stuck up his ass claims that he only did it to demonstrate how badly designed vacuum cleaner hoses are.

Yes, it was cretinous for them to use the SSN as a publicly queryable hash key.

Yes, it's probable that Mr Phillips was just screwing around and that they are massively over-reacting.

But, and it's a big hose-filled but, when he found the vulnerable interface, his first good faith act should have been to send a proof-of-concept to the admin.  Or, if he felt unable to do that for some reason, I'm sure he could have gone to a student body who would have raised it on his behalf.

Why didn't he do that?

Seems to me like we're talking dumb and dumber here.  I hope that both get fined for wasting court - and Secret Service - time.

"Exterminate all rational thought." - W.S. Burroughs

Yep. (3.50 / 2) (#11)
by pb on Mon Mar 17, 2003 at 12:06:29 PM EST

They both messed up and probably over-reacted; the IT department admitted that this was their fault, too.

So if they're both at fault, then why is the one party a dangerous hacker, and the other an innocent bystander?
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
[ Parent ]

Erm (4.50 / 4) (#14)
by Rogerborg on Mon Mar 17, 2003 at 12:12:28 PM EST

Because we tend to elect lawyers to public office, then they tend to pass laws that ensure lots of work for lawyers as part of an adversarial legal system that relies on demonizing the accused as a starting position for cutting a plea bargain?

I agree with you, but I think that's an issue with the whole legal system, not with cracking per se.

"Exterminate all rational thought." - W.S. Burroughs
[ Parent ]

Yes. (4.00 / 3) (#16)
by pb on Mon Mar 17, 2003 at 12:16:19 PM EST

I object to the "demonizing the accused" portion of it, insofar as the accusations are false.  If I were in this position, I'd want to counter-sue the university and every news outlet that didn't do their research for libel and slander where applicable.  Because this isn't "cracking"; it's pathetic.  And calling it cracking is a disservice to crackers everywhere, which is sad.
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
[ Parent ]
Hmm...that made me realize something (3.00 / 1) (#17)
by LilDebbie on Mon Mar 17, 2003 at 12:29:23 PM EST

I could probably get every single SSN for all the University of Minnesota affiliates by just doing a combinatoric attack on our user lookup (thankfully not public, you have to work for our Office of Information Technology for access) and then recording all the matches. I mean, a billion web lookups would take a while, but not that long. Perhaps I should mention this to OIT.

My name is LilDebbie and I have a garden.
- hugin -

Please don't... (3.00 / 1) (#35)
by Fon2d2 on Mon Mar 17, 2003 at 05:31:13 PM EST

I went to the Duluth campus and I'm afraid that whatever database you are referring to... I'm in it.

[ Parent ]
Most likely (4.00 / 2) (#64)
by LilDebbie on Tue Mar 18, 2003 at 06:28:33 PM EST

...but don't worry. One, I won't parse the database because I would be easily caught (unless, of course, I used one of the identities stolen and went on the run). Two, your account info will get deleted within five years of your last semester.

My name is LilDebbie and I have a garden.
- hugin -

[ Parent ]
Heeheehee (1.50 / 10) (#19)
by exile1974 on Mon Mar 17, 2003 at 01:49:39 PM EST

I live in Austin. Heh. Grabs beer, shit I am out. Off to the store.

exile1974
"A sucking chest wound is Nature's way of telling you to stay out of a firefight." --Mary Gentle

School web interfaces.. (4.77 / 9) (#21)
by steveftoth on Mon Mar 17, 2003 at 02:06:41 PM EST

I've seen some really bad ones.
This one is just one of a few that have huge holes.

The CSU Fresno web class registration was one site that had a bug as of about a year ago. It would not escape single quote (') characters, but rather they were passed on to the SQL engine, raw.  Anyone who knows SQL knows that this will cause the end of your query.  The page returned to you had the raw SQL error in it.  With the type of DB used and everything.  Thus it's not hard to imagine that a skilled hacker could easily construct a query that had an SQL command in it to drop data from the tables or otherwise mess up the system.

I do think it was funny how the bug was found though, my brother was entering the data the page asked for and one field was 'year of graduation (expected)'.  He entered "'02" as his year.  All of a sudden he got these errors.  Makes me wonder if they did any testing at all on their system as this was a simple bug.

I sent an email to the webmaster, hopefully they patched it.
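
The single-quote failure described in the comment above, next to a hardened handler, as an added example that is not part of the original comment or of the CSU Fresno system. Table, column and function names are hypothetical, SQLite stands in for the unnamed database, and reading a two-digit year as 20xx is an assumption.

```python
import logging
import re
import sqlite3

log = logging.getLogger("registration")

# Accept 2002, 02 or the handwritten-style '02 (leading apostrophe optional).
YEAR_RE = re.compile(r"'?(\d{2}|\d{4})")


def make_db():
    """In-memory stand-in for the registration database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registration (student TEXT NOT NULL, grad_year INTEGER NOT NULL)"
    )
    return conn


def register_unsafe(conn, student, grad_year):
    """The flawed pattern: user input pasted into the SQL text, and the
    engine's error (plus the statement) echoed back to the browser."""
    sql = (
        "INSERT INTO registration (student, grad_year) "
        f"VALUES ('{student}', '{grad_year}')"
    )
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        return f"Database error: {exc} in [{sql}]"


def parse_grad_year(raw):
    """Validate the field against what it is meant to hold: a year."""
    match = YEAR_RE.fullmatch(raw.strip())
    if match is None:
        raise ValueError("expected a year such as 2002 or '02")
    digits = match.group(1)
    # Assumption: two-digit years belong to the 2000s.
    return int(digits) if len(digits) == 4 else 2000 + int(digits)


def register_safe(conn, student, grad_year):
    """Validated input, bound parameters, and no engine detail in the reply."""
    try:
        year = parse_grad_year(grad_year)
    except ValueError as exc:
        return f"invalid year: {exc}"
    try:
        # Placeholders keep the values out of the SQL text entirely, so a
        # quote in a name such as o'brien is stored as data.
        conn.execute(
            "INSERT INTO registration (student, grad_year) VALUES (?, ?)",
            (student, year),
        )
        return "ok"
    except sqlite3.Error:
        # Full detail goes to the server log; the user sees a generic message.
        log.exception("registration insert failed")
        return "registration failed, please try again later"


if __name__ == "__main__":
    db = make_db()
    print(register_unsafe(db, "jdoe", "'02"))
    print(register_safe(db, "o'brien", "'02"))
    print(db.execute("SELECT student, grad_year FROM registration").fetchall())
```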

Hackers should be hacked to death with machetes (1.00 / 2) (#34)
by medham on Mon Mar 17, 2003 at 04:37:31 PM EST

I know that sounds harsh--even violent--but desperate times require desperate measures.

Crackers are good people, though. Don't you go a slurifying on them.

The real 'medham' has userid 6831.

crackers, hackers, who cares.. (3.28 / 7) (#36)
by circletimessquare on Mon Mar 17, 2003 at 05:40:57 PM EST

i think all of the goddamn "its crackers, not hackers!" dictionary nazis are just geeks with no social life as it is except pointing out to people the difference between crackers and hackers... ignore them, don't let them get to you.

however, you really have to understand on what slippery ground this hacker (oh shit! i mean cracker! i'm so sorry! how could i make such a dreadful mistake! lol ;-P ) is operating.

yes, if the university's security system sucks, well then they should pay for it. but we are talking about what this c(h)racker did, not the university.

this c(h)racker should be aware of the grey area he is operating in, and take precautions, not the other way around. that is, society should not have to bend over backwards trying to read good into people who operate in the grey area between white hat and black hat efforts. instead, the chracker should bend over backwards to make sure no one will interpret his actions as black hat. and the university? assume someone is a black hat first, and ask questions later. really, that is the most responsible way to proceed, considering what is at stake.

and if their security system sucks, and they ignore alarm bells from white hats, well then let them suffer for it, but don't reward the grey hat.

because this chracker did not proceed the way a white hat would proceed. see?


The tigers of wrath are wiser than the horses of instruction.

Hmm... (4.00 / 1) (#42)
by carbon on Mon Mar 17, 2003 at 09:19:49 PM EST

You're making far more of a big deal over the 'cracker' vs. 'hacker' issue than anyone else...


Wasn't Dr. Claus the bad guy on Inspector Gadget? - dirvish
[ Parent ]
maybe so (3.00 / 2) (#43)
by circletimessquare on Mon Mar 17, 2003 at 11:03:08 PM EST

but i tremble in fear for your safety... by saying what you just said, the dictionary nazi geek trolls will hunt you down for sure! lol ;-P

The tigers of wrath are wiser than the horses of instruction.

[ Parent ]
Community definitions (none / 0) (#68)
by SmilingJack on Wed Mar 19, 2003 at 01:30:10 PM EST

I know next to nothing about all this security stuff. But I do know that I should respect the wishes of those who define names for themselves (as individuals or as a community). Example: I respect the difference between Chicano and Latino, though the differences aren't always clear to me. I chalk that last observation up to my own ignorance. Same with hacker, cracker, ass-smacker. I don't know the difference, but if those who identify say there is one, I should respect that. I especially shouldn't call em dictionary nazis and geeks. Now maybe you are trying to be funny, and if so, this whole 'moral lesson by example' is unnecessary. I am tired of emulating Christ anyway.
-- <CENSORED>
[ Parent ]
Verdict: Stupid (4.50 / 2) (#38)
by bsimon on Mon Mar 17, 2003 at 06:21:06 PM EST

So, is this guy an evil cracker, aiming to profit from massive identity theft? Or is he a white hat hacker exploring and exposing security flaws?

Well, he's neither really, he's just stupid - and there are 55,200 reasons why.

If his goal was identity theft, then why did he grab 55,200 Social Security Numbers, when a few hundred would be enough to profit? The massive number caught the university's attention, ensuring that those SSNs would be monitored in future, making them useless for ID theft.

And if his goal was to reveal security flaws, then why did he grab 55,200 Social Security Numbers, when a few hundred would be enough to prove the concept? The massive number caught the university's attention, making sure his transgression wouldn't be dismissed with a slap on the wrist.

Of course, he's stupid, but the most stupid is the University of Texas - their poor security allowed this to happen.

you have read my sig

Wait a sec... (5.00 / 1) (#46)
by carbon on Tue Mar 18, 2003 at 01:12:18 AM EST

So, you're saying that the same amount of #'s he'd need to become rich and famous is the same amount he needed in order to not get punished? I want in on some of that action!


Wasn't Dr. Claus the bad guy on Inspector Gadget? - dirvish
[ Parent ]
Yes, that's right, therefore he's stupid... (none / 0) (#49)
by bsimon on Tue Mar 18, 2003 at 03:21:07 AM EST

...or, to be charitable, maybe the script he used to guess the numbers ran 500 times faster than he expected...

or he forgot to stop it running when he went to bed...

or perhaps he thought nobody would notice that the server had received a whole year's worth of hits in a few hours, and 99% of them were coming from a single IP address...

or... well, I think I'll just say he's stupid.

you have read my sig
[ Parent ]
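
The traffic pattern described in the comment above (one address producing nearly all the lookups, each for a different number) is what a lookup service can alert on. This is an added example, not part of the thread or of any university system: the log format, the `/lookup?id=` path, the thresholds and the sample lines are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

WINDOW = timedelta(seconds=60)   # assumed sliding window
MAX_DISTINCT_IDS = 5             # assumed ceiling: one person rarely looks up
                                 # more than a handful of identifiers a minute


def sample_log():
    """Constructed access log: '<iso-time> <client-ip> <method> <url> <status>'.
    Identifiers start with 000, a prefix the SSA has never issued; a real log
    should carry a keyed hash of the identifier rather than the raw value."""
    base = datetime(2003, 3, 1, 2, 0, 0)
    lines = []
    for i in range(40):          # one client walking sequential identifiers
        status = 200 if i % 10 == 0 else 404
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 GET /lookup?id=000{i:06d} {status}")
    for offset in (0, 20, 40):   # a user re-checking their own record
        ts = (base + timedelta(seconds=offset)).isoformat()
        lines.append(f"{ts} 192.0.2.10 GET /lookup?id=000900001 200")
    ts = (base + timedelta(seconds=30)).isoformat()
    lines.append(f"{ts} 192.0.2.11 GET /lookup?id=000900002 200")
    return sorted(lines)


def parse_line(line):
    ts, ip, _method, url, status = line.split()
    ident = parse_qs(urlsplit(url).query).get("id", [None])[0]
    return datetime.fromisoformat(ts), ip, ident, int(status)


def detect_enumeration(lines, window=WINDOW, max_ids=MAX_DISTINCT_IDS):
    """Flag clients that query more than max_ids distinct identifiers
    inside any sliding window, and summarise their traffic."""
    recent = defaultdict(deque)            # ip -> (time, identifier) in window
    totals = defaultdict(lambda: [0, 0])   # ip -> [requests, misses]
    first_flagged = {}
    for line in lines:
        ts, ip, ident, status = parse_line(line)
        if ident is None:
            continue                       # not a lookup request
        totals[ip][0] += 1
        totals[ip][1] += int(status == 404)
        queue = recent[ip]
        queue.append((ts, ident))
        while queue and ts - queue[0][0] > window:
            queue.popleft()                # drop entries older than the window
        if len({i for _, i in queue}) > max_ids:
            first_flagged.setdefault(ip, ts)
    grand_total = sum(requests for requests, _ in totals.values())
    return {
        ip: {
            "first_flagged": ts,
            "requests": totals[ip][0],
            "miss_ratio": totals[ip][1] / totals[ip][0],
            "traffic_share": totals[ip][0] / grand_total,
        }
        for ip, ts in first_flagged.items()
    }


if __name__ == "__main__":
    for ip, report in detect_enumeration(sample_log()).items():
        print(ip, report)
```

Distinct identifiers per client is the signal that separates this from ordinary load: the user who reloads their own record three times never trips it, however busy the server is.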

Fun != Hacking (none / 0) (#41)
by the77x42 on Mon Mar 17, 2003 at 08:38:35 PM EST

55,200 SIN numbers? That sounds like fun to me. He came across a flaw and saw how big it was by hammering it with numbers. Wow, big deal, the guy's an idiot, but I'm sure his intentions were harmless.

Has anyone tried cracking a SN from a program before? You do it for fun, not benefit. Whooooopeee.

I suppose he's still a terrorist though. :P


"We're not here to educate. We're here to point and laugh." - creature
"You have some pretty stupid ideas." - indubitable

A: Mr. Phillips (3.75 / 4) (#44)
by blakdogg on Tue Mar 18, 2003 at 12:24:12 AM EST

"So tell me, who is the criminal here?"

Are you serious?  Is this an attempt at hyperbole? Or are you insinuating that private databases are not private property. What Mr. Phillips did is equivalent to a homeless person squatting on the university's campus. And it is just as illegal if not more so.

The fact that the University of Texas did not take 'appropriate' measures to secure their database is not relevant in judging the legality of Mr. Phillips' act. Extending that logic, if someone left their door unlocked it would be okay to take their belongings.
Woe be onto the United Nations, there nothing but a front.

Yes. (none / 0) (#45)
by pb on Tue Mar 18, 2003 at 12:55:30 AM EST

I'm serious, in that I want to hear people's answers to that question.  It looks like you've made up your mind and posted your opinion, which is good.

How is he "squatting"?  Isn't he a student there?  I bet he even pays for room and board and stuff.  His data is probably in one of those publicly accessible databases too.  I bet he even pays for it.

Actually, for a more appropriate analogy, if someone left their door unlocked, it would be okay to photograph their belongings.
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
[ Parent ]

Data belongs to collector (none / 0) (#48)
by blakdogg on Tue Mar 18, 2003 at 01:28:45 AM EST

"How is he "squatting"?  Isn't he a student there? "

He is not squatting, but he is making improper use of someone else's property.

"His data is probably in one of those publicly accessible databases too.  I bet he even pays for it."

Maybe he does, but laws concerning computer database ownership are almost two decades old. Ownership of the database and records belongs to the collector of the data. It is similar to medical records, they belong to your doctor. Taking your files is forbidden as is taking the files of other patients.

You are not allowed to photocopy someone's medical records, because the clerk was in the bathroom. It is the same thing here ?

There are laws that govern what a collector can do with data, but they are generally allowed to set terms and conditions for using their 'publicly available' databases. And I think/hope Mr. Phillips' actions ran counter to those rules.
Woe be onto the United Nations, there nothing but a front.
[ Parent ]

Yes, but... (none / 0) (#52)
by cpatrick on Tue Mar 18, 2003 at 05:36:16 AM EST

From what I understand here, the University made available a public interface to search the database, and simply didn't anticipate that someone would automate the task of downloading the whole bloody lot, or realise that they had inadvertently made the SSN accessible along with other information in the database.

The fact that the University did make information public which should not have been made public smacks of incompetence on their part and probably falls afoul of whatever laws the USA has to protect people's privacy.

[ Parent ]

Actually (none / 0) (#54)
by subversion on Tue Mar 18, 2003 at 07:30:17 AM EST

It's more like this.

Your doctor writes medical articles for each of his patients, with a patient ID number written across the top of it.  You can only read the article if you give the clerk the right number.  But that's all the checking that's done.

The University made information accessible publicly, without adequate security.  They are at fault here, and possibly in contravention of some of the laws governing privacy of student data.  The student is also probably at fault of some of the computer crime legislation in the U.S., but most of that is state law, and I'm not from Texas.

If you disagree, reply, don't moderate.
[ Parent ]

University not blameless (none / 0) (#66)
by blakdogg on Tue Mar 18, 2003 at 09:04:18 PM EST

I am not saying that the university is not blameless, they obviously should have taken more steps to secure their data. I doubt their actions are illegal, and I hope the legal system has not taken to defining adequate computer security.

But you seem to miss the point that Mr. Phillips stole the SSNs of his fellow students, and used them to gain unauthorized access to the university database. In the physical world such behaviour is not tolerated. If upon losing your keys, your apartment building were to provide you with a skeleton key it would not be legal to enter anyone else's apartment. Same concept.
Woe be onto the United Nations, there nothing but a front.
[ Parent ]

Legality. (none / 0) (#69)
by subversion on Thu Mar 20, 2003 at 02:51:12 AM EST

Education institutions in the US have a legal obligation not to disclose some personal info of their students and employees - chief on this list would be SSNs.  It could easily be argued that the access method used by UT constituted disclosure of the SSNs.

He didn't steal their IDs and then access the database.  He accessed the database at random, essentially, and each time he had a successful access he retrieved a SSN.

If you disagree, reply, don't moderate.
[ Parent ]

No (none / 0) (#51)
by salsaman on Tue Mar 18, 2003 at 05:18:34 AM EST

What Mr. Phillips did is equivalent to a homeless person squatting on the university's campus.

Actually from what I've read, it is more akin to somebody going up to a security door on the campus, and then trying every combination of digits until the door opens.

[ Parent ]

Hooray - not about war (5.00 / 3) (#50)
by Herring on Tue Mar 18, 2003 at 04:56:02 AM EST

Anyhow, in the UK, the Data Protection Act implies that the university would have broken the law. OK, the wording of the act is a bit vague: "reasonable steps" must be taken to secure personal data, but I think the university would have a hard time convincing the court that this was the case. I'm involved in designing web apps which do hold personal data and we would always err on the side of caution.

The guy who did it would also have broken the Computer Misuse act though so he'd be in the crap as well.


Say lol what again motherfucker, say lol what again, I dare you, no I double dare you
In the USA, I think you could build a case (5.00 / 1) (#60)
by porkchop_d_clown on Tue Mar 18, 2003 at 02:27:37 PM EST

that the school was negligent in operating such an insecure web site - but that would be a matter of a civil law suit, rather than criminal charges. There would have to be monetary damages before a lawyer would get interested..


--
You can lead a horse to water, but you can't make him go off the high dive.


[ Parent ]
They're not the only one (none / 0) (#55)
by aechols on Tue Mar 18, 2003 at 11:26:02 AM EST

Practically anywhere you go, SS numbers will be in use. It's a convenient identifier, but it's reckless to use it as such. Here, all the foreign students and visiting people that need computer access or something like that get fake numbers of the form 000-0x-xxxx. So they certainly have the capacity to make up ID's.

It sounds like all this guy had to do was brute force a bunch of numbers, a good portion of which are somewhat sequential. SS numbers come in blocks based on the area it is issued to, and then serially based on time.

At my school (not too far from texas university) there's a password required at every web page where a SSN is entered. By default it is set to your birthday, but it can be changed. Most people don't. Certainly this would slow down your would-be "hacker" by a factor proportional to the range of birthdays scanned. Let's say you're checking 10 years worth of birthdays, 5 years average case. (Yes it's oversimplified, but...) that would slow you down about 1800 times, so this guy would have only found about 30 SSN's with a similar amount of scanning.

Even with that, it's conceivable that once you get one number in a block, you could quickly find the rest by only checking a few birthdays after the one you just found for the next n numbers in the block you're scanning.

In any case universities need to get past the SSN thing and use real ID's that won't be a Bad Thing when they do get compromised.

---
Are you pondering what I'm pondering?

better, but still pathetic. (none / 0) (#58)
by pb on Tue Mar 18, 2003 at 01:01:11 PM EST

Yes, I was talking to a friend of mine, and a system similar to that is in place at her university for her course registration system (password set to birthday + SSN); at my old alma mater, we had a startlingly new innovation that protected our course registration, though...

Every user had a unique username that was required for access to the page, as well as their own personal secret password.  Also, I don't know if their SSN was available through that interface or not; I doubt it.  I don't see why you'd need to know your own SSN for course registration.  Oh, and in my last year or so there, the registrar's office was assigning people other numbers to use besides their SSN for some things, seeing as how most universities are moving away from them for both legal and privacy concerns and all...

So, yes, your SSN should not be available or required; there are better, more legal, more secure ways to do it, and there have been since before the personal data privacy act of 1974, even...
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
[ Parent ]

Phillips was wrong (4.66 / 3) (#56)
by HidingMyName on Tue Mar 18, 2003 at 12:01:15 PM EST

Suppose that someone had entered an unlocked room at the university where there were social security numbers printed in hard copy and a copying machine. Suppose that this person was not authorized to enter that place nor to access the information stored there. This person then copied the numbers and took them with him, and later the copying was discovered and the person doing the copying was caught. Would that action be wrong, did that person break the law? Are those social security numbers compromised or not?

Would that person be guilty of trespass and identity theft? I think so. Since many K5 readers are C.S. types and we tend to like to explore/learn about systems, there is a tendency to "brush this off" as a minor indiscretion, however, the act was deliberate, and thousands of (incredibly hard to replace) social security numbers are compromised. I don't think we should give people a pass on illegal and unethical actions just because they did them with a computer.

analogy, thy name is confusion (5.00 / 1) (#57)
by ethereal on Tue Mar 18, 2003 at 12:58:22 PM EST

What if you were the registrar, and your secretary would hand out any student's records to a student if they knew their own SSN? If this guy wanders in and asks for 55,000 different records, and your secretary hands them over, I'd think the problem is more in how you selected and instructed your secretary. Sure, the guy taking advantage of the system may be ethically questionable, but you ultimately have the responsibility for securing your data against simpleminded attacks like that. People trusted you with their data; "that evil hacker is a lot smarter than my secretary" isn't an adequate defense.

--

Stand up for your right to not believe: Americans United for Separation of Church and State
[ Parent ]

Negligence by UT played a role here (none / 0) (#62)
by HidingMyName on Tue Mar 18, 2003 at 02:44:36 PM EST

And I think they should be held liable for it (particularly if identity theft occurs using the compromised information). However, the original post could be construed as taking a view that UT is guilty of negligence and Phillips is just an inquisitive kid. I disagree with that view. Your analogy is almost right, but it is off a bit as well, since you have human intervention (which I tried to avoid).

[ Parent ]
A better analogy (none / 0) (#65)
by csmiller on Tue Mar 18, 2003 at 07:40:50 PM EST

Assume there is a terminal, where you can go up to it and enter your SSN, and nothing else, and it will give you your student records. Now, if this machine is in a publicly accessible room, then UT have screwed big time, if it's in an authorised-area only, but otherwise unlocked, unmonitored, and does not normally have staff in it, then they have screwed slightly less.

Now, a student finds out about this, and then builds a machine (12 solenoids to press keys), that tries SSNs at random, until it finds one that matches, and we are getting closer to 'real' analogy, for the uninitiated

[ Parent ]

Yeah I know unlocked room ...blah blah blah (none / 0) (#59)
by tonedevil05 on Tue Mar 18, 2003 at 01:25:59 PM EST

Yes we can agree that this Philips fellow is guilty. But if you were the person who was in charge of those SS records, and in charge of making sure the door was locked, you would be "exploring other employment opportunities". The big question isn't if the person who opens the unlocked door without authorization has done something wrong, they are. The question, that this situation begs, is what about the person who is keeping the personal and valuable information for thousands of people safe, do they shoulder some responsibility? And that doesn't matter if it is done with a computer or not.

[ Parent ]
Negligence makes UT liable (5.00 / 1) (#61)
by HidingMyName on Tue Mar 18, 2003 at 02:37:35 PM EST

Regarding the issue of negligence, yes U.T. is liable, I probably should have explicitly agreed to that in my post. U.T. should not get a pass on this, since they did not make what constitutes a minimal attempt to keep the numbers secret, although it is their responsibility. In fact their liability is huge. I'm not sure that the social security numbers can be replaced, and if not, what happens if some criminal or illegal alien starts using them. I think U.T. could be liable for some serious damages in that case.

[ Parent ]
More or less real-life case... (5.00 / 2) (#63)
by Gooba42 on Tue Mar 18, 2003 at 03:23:16 PM EST

I worked for a small tech company working hard to get smaller and at one point the Chairman of the Board was making a copy of the "layoff list". He got fed up waiting for the fuser to warm up and left to make copies elsewhere. Come the next morning pretty much everybody knew who was gone because copies of the list were sitting in the copy room waiting to be discovered.

Now does anyone dispute that the Chairman did a really dumb thing? The next guy along who found the copies either had to toss them without looking at them and risk trashing someone's work or look at it and determine to whom it belonged or who he should notify.

The article obviously cites a case where both parties had done dumb things but I thought the copy machine idea was close enough that this would be interesting.

[ Parent ]

SSN (none / 0) (#67)
by mikelist on Wed Mar 19, 2003 at 06:03:51 AM EST

By law your SSN is not to be used for anything except social security. As a union steward, once I had to file a grievance against an employer who posted seniority lists with full SSNs, and won.

i'm sure that the U of T has learned (none / 0) (#70)
by ibbie on Thu Mar 20, 2003 at 07:49:48 AM EST

a valuable lesson, and will from this day forward reference its students by something far more benign... perhaps their credit card numbers, this time. or their bank account numbers, or their home addresses.

gah.

--
george washington not only chopped down his father's cherry tree, but he also admitted doing it. now, do you know why his father didn't punish him? because george still had the axe in his hand.