==Phrack Magazine==

Volume Four, Issue Forty-Four, File 12 of 27

****************************************************************************

Sarah Gordon's Response

Greetz and Salutations :)

Thank you for giving me the opportunity to contribute to Phrack. While we may not agree on everything, I appreciate the chance to speak for myself. In the past, as many people now know, I have not had the opportunity to do so.

My philosophies and ideals are quite similar to your own, and I hope that my response to this "Article" will help shine a bit of light on what is really going on here.

I don't really want to spend too much time on it, because it is, as you said, obviously a personal attack. But, on the other hand, such nonsense can grow to the point where it has an effect. Perhaps a backlash on the programmers and hackers in Bulgaria, which of course will spread to the United States. They have suffered a lot of persecution because of the past malicious and irresponsible acts of some of their virus writers. Since Dark Avenger stopped writing viruses, their reputation has improved somewhat.

David Briscoe recently wrote: "Computer hackers in former communist countries, including an elusive Bulgarian known as the Dark Avenger, are creating mischievous and sometimes costly viruses that threaten computers around the world". Following a recent interview I conducted with Dark Avenger, I was chastised for not making his identity known so he could be 'made to pay'.

In "Discover" Magazine, writers Paul Mungo and Brian Clough are quoted from their book 'Approaching Zero' "the Mutating Engine...the most dangerous virus ever produced". This is so stupid, especially considering the thing does not replicate. It's a tool that can be used to perform encryption. Well, decryption too, but explanations of how it works aren't the point here, suffice to say it's not "the most dangerous virus ever produced".
If people are going to rely on the media as an information resource, the media owes it to us to provide us with accurate information. However, this is simply not always the case. If you consider the actual viruses commonly found -in the wild- (that is, by computer users such as those from universities, corporations, etc.), the number of Bulgarian viruses -directly- impacting the users is a very insignificant number. For some reason, the media likes to play up Bulgaria as the big force behind the destruction of data! I personally don't have an interest in the economy of Bulgaria or any other country, but the media sure likes to use this kind of "information" to sell their own particular brand of fear.

No more fear. Fear is a bad thing. It is one of the things that leads us to have government intervention into areas of our lives where it is definitely not desired.

Sara(h?) Gordon AND THE DARK AVENGER SCAM.
By K$hntark

In one of my many online conversations with Sara Gordon I once asked her about the validity of the VNI interviews and her real relationship with the alleged dark avenger; after logging into her VFR BBS and seeing a #2 (hers being #1) account named after him.

Of course his (Dark Avenger) name was #2 there. I put it there for him. His last call to my BBS was July 31, 1993 at 1:55 p.m. However, this was not the start of this business with Kohntark. He had been mailing me for about one month. From an account using the address of cxxxxx.ic.xxxxxx.edu. Keep this address in mind. It will come in handy later. I am not exactly sure of the date of the first message, but I think about one month. He had been reasonable enough at first, but he became increasingly agitated. Since he felt it was appropriate to include personal mail from Dark Avenger to him here, I think I can go ahead and illustrate for you some of his "hacking" :) (well, if you can call it hacking. you decide).

(OH GOD, LOWER CASE...LeTZ SeE...)
I proceeded to leave a message for the dark avenger there, claiming that the whole account was bogus as it is highly improbable that this person might call all the way from Bulgaria and log into a mediocre BBS just to chat with her, considering the expense of such long distance call, the economic situation in Eastern Europe and a fact that I would learn later: Sara(h) Gordon has an account on the Bulgarian DIGSYS unix server, locally accessible by phone from there!

This guy doesn't seem to know much about the "economic situation in Eastern Europe". At least, about Dark Avenger's personal economic state:) or mine. Maybe Dark Avenger could call digsys, but I certainly couldn't when I first started talking to him. I didn't have any internet account. All I had was my mediocre BBS. He couldn't get to my BBS any way but to call me, directly. Yes, I have an account there -now-, but I don't and didn't use it to chat with Dark Avenger. He did not want the sysadmin to monitor our chats. And, I didn't -have- that account until after I had talked to Dark Avenger for a long time, so I could hardly have used that server to talk to him early on. I didn't have an account there then :) In fact, neither did he, at that time, because there was no digsys.bg as far as I know. He called Danbo BBS for years. It was not on the internet. He did use it later, once it actually got onto the internet, to occasionally mail me, but not much. He used it more to come to IRC. In fact, a couple people you know talked to him there, with me. They didn't like him much; found him rude and arrogant. He can be.

However, he most certainly did call me here. Does Kohntark think he is the only one who can make long distance telephone calls? Dark Avenger called me frequently, and not always from Bulgaria. I don't know how or if he paid for the calls, all I know is that since I couldn't afford to call, and didn't know any number for him, he called me.
As for my "mediocre" BBS, it serves its purpose:) I think giving out virus free anti-virus products, and products that don't cost the users a small fortune, and that actually WORK is quite a good purpose. I don't see any reason for people to be exploited by some a-v companies, who are promoted by various magazines, which in turn rate them highly because they are doing their advertising.

As it was expected, Sara(h) quickly 'noticed' my personal message to the dark avenger and replied to my questioning in a public post in FIDONET, (I don't read FIDONET posts and she knows I have no access to them!!!! )

Kohntark called my BBS, at my invitation, on July 13, 1993 at 23:19. There's no other way he could have left any mail because it's an invite only system. It's not like it was any big shock to me that he called. He asked me to make him an account and I did. Dark Avenger was a regular caller to my BBS, and read his message, I imagine, since he fwded it to me. I don't know what access Kohntark has or doesn't have, as far as what networks he uses, (as far as what networks he reads mail from, that is) as I explained to him. I mailed him there because of the mail he left to Dark Avenger (which he forwarded to me) on MY system, and because I received a very nasty message from Kohntark, using the address kohntark@rot.in.hell.com, if I remember correctly. I sent the message, and did include answers to his questions because I wanted to continue talking with him. The message had the headers included from, guess where? cxxxxx.ic.xxxxxx.edu....

She claimed that the dark avenger was fully aware of how much money she made out of the VNI interviews and that she was in touch with him, etc.etc.

This is the truth. In case anyone is curious, the amount of money I made from this article was less than the amount of my PC Pursuit Bill from calling to do chats and talks with him. At that time he had accesses via various networks, and we talked on a regular basis.
Additionally, Dark Avenger had full control over taking out or editing any of his comments in the interview. It is a policy of mine. If you wish to confirm it, I can put you in touch with other virus writers. I can in fact do it any time probably, as they are usually around where we are. Let me know if you want me to do it. Dark Avenger was even a bit obsessive about how much money I would make. I also "sold" the story to PCWorld, where it has been published, in part. I have not received any compensation for this yet. More later on why I did the interview. Maybe the problem is I didn't interview Kohntark...

Afterward, I questioned her again about the whole affair and demanded a proof, or some sort of direct contact from the dark avenger to my anonymous internet account.

First, I do not have to "prove" my contact with this man to anyone. It has been well enough observed and documented every step of the way. Ever hear of the dedicated virus? It is the demo virus that came with the Mutation Engine. It contains "We dedicate this little virus to sara gordon who wanted to have a virus named after her". (At this point, Dark Avenger did not really know me, we were just establishing our contact; he still used the spelling Sara for my name :)

I provided Kohntark with an address with Dark Avenger's permission. Actually, the account Dark Avenger had at digsys which he used to get to me on chats or IRC (2 years after initial contact) was not under the name Dark Avenger OR dav, but under another name which would draw less attention to itself if someone happened to finger us during one of our chats. The system administrator made the additional account later, since he knew quite well it -was- Dark Avenger, having had an ongoing battle with him for years. Kohntark wrote to Dark Avenger there, just like he said he did. At least this much is true. And, I did receive copies of the mail.
Actually Dark Avenger did not want to even answer the mail, but I asked him to please do it so that the guy would leave me alone. Someone using the same mail headers had already sent a message to WIRED, telling them "The DA is old news, he hasn't made a virus in 2 years, you should interview ME". Wonder who that might have been...... Does the header cxxxxx.ic.xxxxxx.edu ring any bells?

At that point, Kohntark forged mail to WIRED magazine, this time posing as Dark Avenger. I would never have known this, but Dark Avenger fwd back a very strange reply message from WIRED and asked me what in the hell was going on. In that message, WIRED had included part of the message they had received. It clearly displayed the cxxxxx.ic.xxxxxx.edu headers, indicating that the mail had been sent from someone there! Someone who told WIRED "I don't want to talk to you" (paraphrased). Even WIRED told me "That mail did not sound like Dark Avenger..it was just all wrong" (paraphrased). I pointed out the headers to them later. It was a bad hack on Kohntark's part. Anyone doubts it, mail the sysadmin at digsys.bg.

Here is a copy of that mail, with "compromising" parts xxxxed out.
First, Dark Avenger's legitimate fwd to me:

From dav@digsys.bg Sat Jul 24 20:36:12 1993
Return-Path:
Received: from mcsun.EU.net by mail.netcom.com (5.65/SMI-4.1/Netcom)
        id AA04202; Sat, 24 Jul 93 20:34:29 -0700
Received: from danbo.UUCP by mcsun.EU.net with UUCP
        id AA18612 (5.65b/CWI-2.220); Sun, 25 Jul 1993 05:35:36 +0200
Received: by danbo.digsys.bg (5.67/1.37) via EUnet
        id AA06614; Sun, 25 Jul 93 05:33:30 +0300
From: dav@digsys.bg (Dark Avenger)
Message-Id: <9307250233.AA06614@danbo.digsys.bg>
Subject: Re: FWD>None (fwd)
To: vfr@netcom.com
Date: Sun, 25 Jul 93 5:33:29 EET DST
X-Mailer: ELM [version 2.3 PL11]
Status: OR

Then, the message from xxxxxxxxxxx at WIRED:

Forwarded message:
>From xxxxxx!wired.com!xxxxx Sat Jul 24 01:34:30 1993
Message-Id: <9307232129.AA02102@wired.com>
Date: 23 Jul 1993 14:27:42 -0800
From: "xxxxxxxxxxx"
Subject: Re: FWD>None
To: dav@digsys.bg

Reply to: RE>FWD>None

*Some mail from WIRED guy replying to the message***

And now, the mail that prompted xxxxxxx's reply. I guess Kohntark didn't realize that the mail would receive a reply. Or, didn't realize the reply would include the mail headers:

--------------------------------------
Date: 7/23/93 12:35 AM
To: xxxxxxxxxxx
From: xxxx
Received: by xx.wired.com with SMTP;22 Jul 1993 05:38:19 -0800
Received: from anon.penet.fi by wired.com via SMTP (920330.SGI/911001.SGI)
        for xxxxx@xx.wired.com id AA00423; Thu, 22 Jul 93 05:35:20 -0700
Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        id AA21218; Thu, 22 Jul 93 15:24:44 +0300
Date: Thu, 22 Jul 93 15:24:44 +0300
From: dav@digsys.bg
Message-Id: <9307221224.AA21218@anon.penet.fi>
Return-Path:
Date: Fri 13, 66 00:00:00 EST
To:
Subject:Not interest.
Status:RO

I read in VIRUS-L that some idiot (atman@rahut.net) wants to do interview with me face to face. I am not interested in being in your magazine. I am not interested in being interviewed, even if you offer me $1000. or more. I am not interested.
so tell your friend to stop mentioning me in VIRUS-L, i have NO interest. Please don't bother to reply. I have no time for stupidity.
---------

Interesting use of the anonymous mailer port 25, eh? (clue: try helo)

Since this was the first time anyone had ever questioned the validity of her relationship with the DA, she took this to heart and shortly after, I received 3 short messages originating from an Internet connected UNIX system in Bulgaria.

HAHAHA. This has been questioned many times. Do you think the ACM, or any magazine would risk printing this without adequate proof? My contacts early on with the virus writer were well documented. I had to prove myself to everyone from Vesselin Bontchev (who did not believe me until he had seen the source code to Commander Bomber, which is a virus; the source code has never been made available to anyone). Here:

From bontchev@informatik.uni-hamburg.de Tue Oct 12 02:34:53 1993
Return-Path:
Received: from deneb.dfn.de by mail.netcom.com (5.65/SMI-4.1/Netcom)
        id AA09608; Tue, 12 Oct 93 02:34:34 -0700
Received: from fbihh.informatik.uni-hamburg.de by deneb.dfn.de (4.1/SMI-4.2)
        id AA05014; Tue, 12 Oct 93 10:33:30 +0100
From: bontchev@informatik.uni-hamburg.de (Vesselin Bontchev)
Message-Id: <9310120933.AA22605@fbihh.informatik.uni-hamburg.de>
Received: by fbihh.informatik.uni-hamburg.de (5.65+/FBIHH-1.21);
        id AA22605; Tue, 12 Oct 93 10:33:45 +0100
Subject: Re: urgent
To: vfr@netcom.com
Date: Tue, 12 Oct 1993 10:33:42 +0100 (MET)
In-Reply-To: <9310120331.AA01134@netcom4.netcom.com> from "sara" at Oct 11, 93 08:31:48 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 2211
Status: OR

....blah blah..(deleted)

So, here is my official statement. I hereby confirm that when I met Sarah S. Gordon in March 1993 in New York, she showed me the original source of the Commander Bomber virus.
It was obviously a source and not a disassembly, and it was very similar to a couple of other sources of Dark Avenger's programs that I have seen. When I say "similar" I mean such things like label names, commenting style, layout of the text and so on. Of course, this is not a proof that it has been really produced by the Dark Avenger, but this is very probable. Sarah didn't give me a copy of it and I didn't insist, because she told me that she has promised to Dark Avenger not to give this source to anybody. To my knowledge, nobody else has the source.

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
< PGP 2.3 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de        22527 Hamburg, Germany

Keep in mind, Vesselin is not a product developer and has no affiliation with any developers. He is a Doctoral Student who has himself been accused of being the Dark Avenger.

The Bulgarian Secret Police seemed to believe my contact was legitimate enough. I received an "invitation" to meet with them. I declined this "invitation" because I am not interested in the terrorist tactics of a desperate government to blame a hacker and virus writer for the problems of the country in general.

I had to prove my contact lots of ways, just to get the article in print. Why did I want this article in print? One simple reason. To show this virus writer as not some evil sinister monster from Hell waiting to destroy the earth's supercomputer. Just as a person like the rest of us. Did it accomplish it? I think it did, from the response I got from most people. Did -I- personally 'benefit' from it? In some ways, I did.
This reminds me, a certain ex-virus exchange sysop told me that he was going to make me expose the Dark Avenger; that he was going to find out his true identity, where no one else could; that he would make up some story, any story, to force Dark Avenger out into the open. Well, I don't narc on my friends. I am sure you can appreciate that.

Here they are: (Private, compromising parts are X'd out)

1st Message:
---------------------------------------------------------------------------------
>From daemon@digsys.bg Wed Jul 14 19:07 EDT 1993
Received: from danbo.digsys.bg by XXXXXXXXXXXXXXXXXXXXXX; Wed, 14 Jul 93 19:07:34 -0400
Return-Path:
Received: by XXXXXXXXXXXXXX (5.67/1.35)
        id AA12850; Thu, 15 Jul 93 02:04:46 +0300
Message-Id: <9307142304.AA12850@XXXXXXXXXXXX>
To: XXXXXXX
From: dav@danbo.digsys.bg
Date: Wed, 14 Jul 93 23:41:36 +0300
Subject: No subject
Status: RO

kohntark-

i just talked to a friend of mine who said you dont like her user log. why shouldnt i call her from bulgaria? i call whoever i want to, and this is not your problem. by the way, she sent me your mail. for your information, i do know how much money she made of that interview. and i also think that this is none of your business.

also, maybe it would be good for you to know, that by offending her, you are offending me, too. keep this in mind.

Second Message:
-------------------------------------------------------------------------
>My mail with her is none of your business either.

i dont think so, dude. maybe you need to read the next few lines again, in case you missed them.

>>
>> also, maybe it would be good for you to know, that by offending
>> her, you are offending me, too. keep this in mind.
>>
>>
>
>HA HA! and you expect me to believe that you are the DA!
>send me a proof: an email address from bulgaria or tell me
>how many addressing modes does the MTE have?
>
>nice try.

well, what do you think the domain .bg in my email address stands for? maybe you think its kameroon?
as for the mte, im not giving you any info. i need not prove anything to anybody, and certainly dont plan to waste more of my time talking to you. you have been warned.

Third Message:
-------------------------------------------------------------------------
oh, yeah. sure it did. only you will not know where something else came from, when it knocks on your door. i have nothing more to say.
-------------------------------------------------------------------------

Odd. He did not include the mail he forged using the address I gave him in good faith to WIRED magazine. He also did not include the mail he forged to Anthony Naggs, an engineer, in which he made the following statements:

> > From @gate.demon.co.uk,@anon.penet.fi:darkavenger@sofia.somewhere.bg Fri Sep 17 18:16:32 1993
> > Received: from post.demon.co.uk by ubik.demon.co.uk with SMTP
> >         id AA4544 ; Fri, 17 Sep 93 18:16:22 GMT
> > Received: from post.demon.co.uk via puntmail for amn@ubik.demon.co.uk;
> >         Fri Sep 17 14:49:12 BST 1993
> > Received: from gate.demon.co.uk by post.demon.co.uk id gk03845;
> >         17 Sep 93 14:09 BST
> > Received: from anon.penet.fi by gate.demon.co.uk id aa01230;
> >         17 Sep 93 6:07 GMT-60:00
> > Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^see originating mail location?
> >         id AA15730; Fri, 17 Sep 93 07:58:28 +0300
> > From: DarkAvenger@sofia.somewhere.bg
> > Message-Id: <9309170458.AA15730@anon.penet.fi>
> > Return-Path:
> > Date: Thursday, 16 Sept 93 22:02:54
> > To: amn@ubik.demon.co.uk
> > MMDF-Warning: Parse error in original version of preceding line at gate.demon.co.uk
> > Subject: NO i am NOT
> > Status: RO
>
> NO , I have not found "more interesting thigs to do"!
> If you don't know it yet, I am still active and will release
> work at the end of the year.
> Also in case you don't know the VNI interview was mostly made up.
> I haven't talked to Sara in almost a year, and I will never again.
> She betrayed me.
> She will deny this and try to exploit my name more.
> Until the end of year.
>
> Then again.. what do you know? you are like the weasel: another
> stupid engineer.. you know nothing about viruses!
>
> UNtil then..
>
>
>
> -------

Dark Avenger spells my name with an "h" :) And, he doesn't mail people from cxxxxx.ic.xxxxxx.edu :)

And, I think this pretty clearly illustrates the motivations and methods of Kohntark.

In my ignorance, I blindly trusted the three cryptic replies to be true, even though whoever replied refused to give out trivial information such as the number of addressing modes for a 2 year old encryption engine (MTE) and spelled Cameroon with a 'k' (Check out Sara Gordon's spelling of URUGUAY in VIRUS-L Volume 6 Issue 120 -v06i120)

Shortly after other unrelated discussions and a CUD post from Sara(h) in which I was mentioned (unnamed), someone warned me of several posts in NUKENET by an alleged dark avenger and Todor Todorov from an account belonging to the last, mentioning me and Aristotle.

Sheesh. Kameroon with a -K- is the German spelling. It is also the most common spelling a European would use. The "correct" spelling, for anyone who cares, is Cameroun, because it is mainly a French speaking colony; a small portion of it is English-speaking and uses Cameroon. Most likely, an American would use Cameroon. Consult your nearest linguist or historical specialist for verification. Talk to discman about my linguistic aptitude. Do not attempt this at home. Kohntark spelled SKISM incorrectly in one of his messages to me. He must be the Dark Avenger. No, wait..he only -wants- to be...

Those messages in the NukeNet were prompted by the virus exchange sysop mentioned earlier asking Todor Todorov to contact Dark Avenger and ask him if he had really talked to me. Todor -is- a friend of mine. He assisted me in my study of virus exchange bbs and their impact on end users. Todor put the mail on some Bulgarian BBS, and Dark Avenger answered it.
Apparently, his answer was not liked very well by this Aristotle and other people, because an amateur linguistic analysis followed, detailing how much like me the Dark Avenger appeared to be. I employed the services of a professional linguist, who stated that indeed there are striking similarities. This can be attributed to the fact that Dark Avenger and I have spent many hours together. And, I usually type in lower case, in E-Mail messages, etc. Come to think of it, most of the hackers I know must be the Dark Avenger if this is the qualification :)

In those messages I was referred to as 'hotshot,' a word that Sara Gordon had used on me several times on our personal email exchange; It was then that I became highly suspicious of the whole matter.

Yes, I used this word. I use it all the time. So does Dark Avenger. It is a word we use to refer to certain people. It is a commonly used word in Bulgaria. It is not so common here, but it is there. They watch a lot of American television, and use a lot of words like this as well as a lot of profanity. Movies. Motherfucker and Asshole are two other words used a lot by Bulgarian hackers and virus writers. In fact, the word "motherfucker", which "proved" it was NOT a Bulgarian that posted as :) in the NuKeNet (since, as they said, NO Bulgarian would EVER use -this- word), was found in a virus of Bulgarian origin a very long time ago. Perhaps they should learn to disassemble the damned things before trying to say what's in them. In defense of NuKe (and believe me, there has been no love lost between some of those people and myself in the past), I think a lot of people were baited and led on by certain people.

I called Virginia's Virus Research Institute's sysop and owner, Aristotle to find out more about the posts and he brought to my attention the particular writing style of Sara(h) Gordon: She NEVER uses capital letters and apostrophes on her personal email, and always signs her name on the lower left hand corner.
(She seldom signs her posts

Virginia Virus Research Institute is (was) The Black Axis BBS. The place that sold viruses for one hundred dollars per collection. Pretty enterprising, eh? Only, a lot of them were junk. The sysop is the same one who told me he was going to get the Dark Avenger to come forth, to 'Save my Name' or something like that. He also told me that if a new virus appeared, bearing the name 'Dark Avenger', people would want to 'catch' the virus writer again. And, guess what? Such a virus did appear. A crude hack of the Burma virus, with a text string included: DARKAVENGER :). And, it was this very sysop that uploaded it to a certain well known virus exchange BBS. Slick, huh? But definitely not the work of Dark Avenger. However, this will not make me identify the Dark Avenger, assuming I did know the path to his door.

This same sysop also told me (when he closed his system) that he had intentionally tried to incite people, and had made some mistakes along the way in doing this. We all make mistakes. Unfortunately, Kohntark is making a really big mistake here.

Yes, I use lower case ALL THE TIME. And, like Dark Avenger, I sometimes do and sometimes do not use correct punctuation. Apparently Kohntark has not been around in the early days of postings on Fidonet. Oh, that's right. He does not read it. Well, if he had, he would have seen Dark Avenger had this 'style' a long time before I ever heard of computer viruses. I am using upper case in this article (mostly) because when I write for a readership (as opposed to private mail, and online chats, etc.), I use correct form. Well, as correct form as I can.

nowadays and changes her user name in her vfr@netcom.com account every week!; for further proof of her writing style, please refer to public posts in VIRUS-L Volume 6 #120; I also have over 100K of personal email exchange to prove this fact!)

Shame on me. I change my user name :) I am so El33t....
I'm too hexy for my shirt, too hexy for my shirt...blah blah

It was then that we realized that she was passing herself as Todor Todorov and the dark avenger (who could possibly verify their online identity?) and had infiltrated NUKENET..

HAHAHAHAHAHAAHHAAHHA oops, excuse me..hahahahahaha This is ridiculous, as anyone who has checked will know. Todorov is happy to take calls from people about this matter; eminent public (not anonymous) figures in the field know that I wrote the truth, and there really is nothing further to be said about this nonsense.

The writing style described corresponds exactly to the one on the posts I received from the 'dark avenger.' Shortly afterward the account was cancelled and I learned the whole truth:

Oh my. My writing style corresponds exactly to Dark Avenger's. It certainly does, when I want it to, or when I have been writing to him a lot. And, it does when I write e-mail. So what? So does the style of a lot of people :) We are all Dark Avenger. If you counted the names of everyone who writes in lower case, makes spelling areas, and signs their mail in the lower left hand corner of messages, how many people do you think you would find?

About the account: Yes, it was cancelled. After Kohntark forged mail from that site, prompting a response from WIRED, I asked the system administrator to cancel the account so that no more such trickery could take place, requiring me to spend time trying to straighten it out. He was happy to do it. He had more than a few problems with Dark Avenger ftping files in excess, and had only retained the account as a personal favor to me. (yes, that IS how he signs personal mail, e-mail and some of his viruses) did not exactly be a nice boy on that system.

The danbo.digsys.bg Bulgarian site belongs to Daniel Kalchev, another self appointed AV researcher whose best claims to fame are submitting various Bulgarian viruses to Patricia Hoffman's VSUM!!

Self-appointed? He is the administrator of the Internet there.
I think Kohntark is not fully aware of just who Mr. Kalchev is.

(You can check this by doing a search on 'Kalchev' on the current VSUMs or you can contact him thru: )

No. The best address is daniel@digsys.bg. Mr. and Mrs. Kalchev both have accounts there, and you can reach them best if you use this address. And please do feel free to contact him. He will tell you that he has talked to Dark Avenger for a very long time. Long before digsys was on the internet, and long before I met either of them.

He is a very close friend of Sara(h) Gordon and he has an account in her VFR BBS (you can check this by logging into her system and checking the user list) and SHE has an account in digsys.bg under (this account is still valid as far as I know; notice the H after her name!)

Of course he is a very close friend of mine. He has visited me here, and has been a great help to me in my work. Yes, I do have an account there. It has been there since I was invited by the Bulgarian ACM to present my work on Computer Viruses at their International Computer Virus Conference. It was nice of Daniel to do this for me, to make it convenient for me to access my mail, as I could have it forwarded there. We never did remove the account, as Bulgarians prefer to mail in their own country for some reason.

The H after my name is very simple: My name is Sarah Gordon. On the nets, I use Sara. When I am friends with someone, I use my given name. I do not like my given "familiar" name to be used in my articles or in e-mail from people I don't know. It is a quirk, I guess. My papers are presented using the Sara variant :)

What I concluded is that the DA would never get an account in such system as he HATES Daniel Kalchev!!!!

Another wrong conclusion. The DA might not, but then the District Attorney usually doesn't :) Wrong. and Right. He certainly did get an account there. Call Daniel Kalchev or mail him to ask him. He has had many conversations with Dark Avenger there. He does sure hate Daniel.
In this one thing, Kohntark is correct. He hates him violently. And, he's been on his BBS for years. Where do you think he used to post messages FROM? I tried repeatedly to act as intermediary between Dark Avenger and Kalchev, because they both have been very good to me. There was just no way to do it. Dark Avenger thinks Kalchev is (in his own words) "asshole hotshot with big company and lots of money, he can afford to give free accounts...". And yes, he used the word HOTSHOT. JUST LIKE ME.

This is what really happened: Sara(h) Gordon in her desperation to prove that she was in touch with the dark avenger, told her pal Daniel Kalchev to make an account under the dark avenger's name ( this is how she always refers to him, even though he never signs his name that way (check the source code for his 'Dark Avenger' virus or the 'Commander Bomber' virus message name: [DAME])

No one has the source code for Commander Bomber that I know of except myself and Dark Avenger, as I previously noted. He has signed his name this way for a very long time, in his e-mail. You can verify this easily enough by asking Todor, Daniel, Bontchev, or anyone who used to read his old posts. Sometimes he does, sometimes he doesn't, just like me.

From there she could email me messages that would come from Bulgaria and would be untraceable since she would log into her account in digsys.bg and log into the account internally from the same site in Bulgaria. (You can check where and when most of the people log from in most internet unix and vax sites)

:). If I wanted to mail Kohntark untraceable messages, I would not have to go to this extreme, as you well know :)

As it is expected from her, she has denied any of this. Some of her ridiculous explanations include things like "hotshot is a very common English word in Bulgaria" !!!

You might ask yourself what is the deal with the h? is it sara or sarah??
Well, I asked her the same question when I noticed this in one of the VNI interviews, where her name is spelled as Sarah. She replied that this was a mistake of the publisher. Mistake? well not really, it was another lie, meant to throw off any information and truth seekers, for example you can check her account in Daniel Kalchev's system:

I explained this previously. It was a mistake. VNI is not supposed to use my given entire familiar name. In fact, they did mess up. They did not use it in the Dark Avenger interview, despite I had put it there as "Sarah". I told Dark Avenger I would do this for him. He asked me to do it, but for some reason they did not. Later, they -did- use my given name in a totally different situation. I can't account for their errors.

, spelled with an H, another 'mistake of the publisher?' :) Other countless Sara Gordon lies are told in NUKE Info-Journal # 6.

In the last NuKe Journal, the authors posted some private mail of mine, and said "Look how nice she knows this public mail will be read"..at the same time, they posted some public mail, from my BBS, which I had forwarded to one of them as a reply, and said "Look how nasty she is when she thinks no one can see". All in all, their response to both letters prompted a lot of people to think I had -joined- NuKe. For the record, nope.

This behavior puts in question the validity of the VNI interviews and the reputation of Sara(h) Gordon as a serious (self appointed) 'virus researcher' :) IMHO the VNI interviews are a complete fabrication, meant only to boost her validity as a 'journalist', and to make her lots of money, charging for further 'interviews' to other magazines. (She has offered her paid 'interviewing' services to various other publications.) :)

Lots of money? Well, first off, I told you how the Dark Avenger interview profited me. It didn't. Secondly, yes, I do write for magazines and I sell the articles. Some, I give away. I don't do any of this for the money.
As for other interviewing, I recently interviewed two virus writers (one who has stopped, one who has not), and they are quite pleased with the articles. I'll ask them to contact you personally to tell you as the article is not yet in print. Keep in mind, I have literally no control over commentary by editors, omissions, etc.

To the best of my knowledge the information I present here is true and can be checked.

Yes, it can be checked, and I hope you check it and print what you find along with this commentary.

I chose to publish this information, despite threats against my well being and countless lies about me propagated by Sara(h) Gordon.

Now, about threats and lies. Here is the sort of mail I have received from Kohntark. In the interest of space, I will send you the headers, etc., so that you can see them and include here only the sort of diatribe he has been so vehemently sending me. I contacted his system administrator after this continued for such a long time. I'm not a Cori. I don't take every "hey, wanna have phone sex" message as a potential threat, I don't call people's probation officers for the hell of it, I don't ring up sysadmins at the drop of a hat to accuse innocent people of causing trouble. And, I discussed this situation with a lot of people, hackers and virus writers, friends and foes, prior to taking this action. There's no way to know over the nets if someone is really a maniac or if they are just playing around. In this case, considering the nature of the mail, I did contact them. First, the apology after he had gotten particularly nasty.

Organization: Anonymous contact service
Reply-To: xxxxxx@anon.penet.fi
Subject: Apology
Date: Fri, 30 Jul 93 8:08:45 EDT
Status: OR

Sara: I want to apologize for everything that I have said that you might have found offensive. I drop all accusations I have made against you. again, I am sorry. I have no desire in creating any animosity, and / or bad publicity to my name or yours.
Sorry things got this silly and out of hand. Please accept my apologies and let's drop the whole thing OK? Thank you.
------------
Followed almost immediately by a forgery. What Kohntark did not realize is that I am in contact with Simon. In fact, I arranged for him to come to a virus conference, with all of his expenses paid. I am writing an article for 40-HEX, and I immediately called Simon to ask what in the hell was this about. After he told me, I went back and checked the mail headers. Guess what I found?

From simon@skism.login.qc.ca Sat Jul 31 07:44:26 1993
Received: from anon.penet.fi by mail.netcom.com (5.65/SMI-4.1/Netcom)
        id AA17333; Sat, 31 Jul 93 07:44:19 -0700
Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        id AA21213; Sat, 31 Jul 93 17:40:54 +0300
From: simon@skism.login.qc.ca
Message-Id: <9307311440.AA21213@anon.penet.fi>
Return-Path:
****Notice: He misspelled skism. Maybe -he- is the Dark Avenger. I mean, if spelling counts..***
Date: Fri, 30 Jul 93 12:01:02 EST
Subject: get real!
Apparently-To:
Status: OR

to vfr@netcom.com.... (Nobody) what is the matter? everyone knows you are sara gordon, are you afraid to sign you own name now?? Yes sara gordon, i heard rumours that you are passing yourself as the dark avenger. It wouldn't surprise me since you are even afraid to sign your own postings.
--------
Ha. Actually he signed the above message at the bottom left:) He must be me in Real Life.... As we all have seen by now, if you sign the bottom left of your mail, you are Sara Gordon.

Then, here he tells me how he has proved yet another self-appointed virus researcher wrong. Of course, the researcher in question is not wrong. He is Vesselin Bontchev, a rather pedantic but technically brilliant anti-virus Doctoral student at the University of Hamburg. Kohntark seems obsessed with proving anti-virus researchers wrong. It would make more sense to me to learn from the researchers.
I am not talking about product developers or sales people, but researchers.

ME=Sara HIM=Kohntark

ME: dont you get it? im sorry, i am not going to respond to all of this nonsense. maybe you can get vesselin to respond to you again, but i doubt it considering his opinion of your 'knowledge'...
HIM: I don't give a damn about what he thinks, I have shown the self appointed virus expert is wrong. That is all.
---------
and, here (i'm reverting to UNIX lower case now, i must be the dark avenger..), he begins his harassment again.

HIM: you don't have any children do you? It shows

Then, after he tells me he knows all about me, he proceeds to mail me to taunt me with addresses referring to my child.

From kohntark@youhavea10yearoldson.com Sun Aug 29 10:55:45 1993
Return-Path:
Received: from [193.64.138.3] by mail.netcom.com (5.65/SMI-4.1/Netcom)
        id AA07061; Sun, 29 Aug 93 10:55:39 -0700
Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        id AA22796; Sun, 29 Aug 93 20:50:35 +0300

ME: am tired of your threats. the only danger you are to me is to waste my time with this nonsense.
HIM: we will see.
HIM: Never underestimate the power of hate.
HIM: The end is coming.
HIM: Also: you said 'oh my name is spelled SARA, VNI misspelled it! yeah right ! you idiot! you forgot who you are dealing here ha ha! not a fool like you!!! stupid tricks like changing your name can't defend you from thy mighty Kohntark! prepare yourself!! the end is near! Obviously i have overestimated your intelligence.. My dog has a higher IQ.. "who is anthony naggs?.." DUHH! Thanx for making my job easier he he. You think you got me? sure.. go ahead.. fry that guy's account, you will be doing me a favour he he! AH, and start looking for a new job.. you will need it soon after i am done with you you idiot!
------
He likes me to know he is watching me. Only, for a supreme UNIX hacker, he has not mastered the skills quite yet..note the paths again..
(baby copperfield is one of the names i used. i have red hair, and its a long story; someone asked me if i had read dickens and i replied 'yes, I've read baby copperfield'. CHFN followed :) But this was a bit eerie mail. Love him?

From babycopperfield@haha.com Sun Sep 12 17:39:50 1993
Received: from anon.penet.fi by mail.netcom.com (5.65/SMI-4.1/Netcom)
        id AA22703; Sun, 12 Sep 93 17:39:42 -0700
Received: from cxxxxx.ic.xxxxxx.edu by anon.penet.fi (5.67/1.35)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        id AA24832; Mon, 13 Sep 93 03:39:00 +0300
From: babycopperfield@haha.com
Message-Id: <9309130039.AA24832@anon.penet.fi>
Return-Path:
Date: Fri 13 Dec 66 00:00:00
To: (Sara)
Subject: I know you are on...
Status: OR

hi! i know you are logged on now... shame we cannot talk,, you know friendly discussions ha ha.. i might call to your bbs.. can i upload your gif picture?? yes? if i like you you might just get lucky ... Love me.
------
More of his article..

I am doing this to stop the lies and corruption fostered by the Anti-Virus industry.
---------
What do you think? Is he doing -this- to stop the lies and corruption? It seems to me that the anti-virus industry would benefit from the Dark Avenger coming back onto the scene. They could sell more software, get the whole hacking community attacked by people who are afraid enough already. Why we could get a whole entire Legion of Virus Fighters up in arms, eh? If Kohntark wanted to do this 'stopping of lies and corruption', he would not be helping to recreate the myth of the Dark Avenger. He would not be impersonating him, harassing me, and telling people (impersonating Dark Avenger) that he will still release viruses into the wild.

I also do not like lies and corruption, and work very hard to stop it. I do not profit from it in any substantial way. I run a free BBS: I distribute anti-virus software for free, and encourage people to choose software that will work for them in their situation.
I don't go for the big scare tactics used by some companies, and I don't recommend those products. Not only because I don't like their marketing, but because their products are not as efficient/accurate as other products. I don't like that we have to have these products, but we do. It's a fact of life. If we can educate people on the real situation with viruses, we can stop a lot of this "Let's get those bad virus writers" before it's too late. We don't need another Dark Avenger. We don't need laws that will infringe on our freedoms.

If anyone takes this "Sara and the Dark Avenger scam" even half-way seriously, they can email me, and ask me whatever specific questions they like. I also have a suggestion here, one that might even lead to some sort of agreement between this Kohntark and the rest of the hacker community that does not support lies and harassment. You call Todorov, e-mail or call Bontchev. Ask them. I'll come to HoHoCon (if someone buys me a ticket; although Kohntark thinks I had better look for a job, the fact is I don't have a real job), and compile the bomber source code and MtE Source (not the pitiful disassemblies that appear on a lot of BBS, but the REAL source, supplied to me by when I questioned HIM to make sure he was the "Real Thing"). I'll show you step by step how it compiles flawlessly and works. If after you confirm that to the best of your knowledge, what I am saying is true, then I think Kohntark owes me an apology. And, an apology to the rest of the virus writers and hackers who do not need or deserve to be portrayed as evil demented creatures who are waiting to "Destroy the World".