[ About the "ScienoSitter" ]
Message-ID: <1998062716153900.MAA17263@ladder01.news.aol.com> From: firstname.lastname@example.org (CLKates) Newsgroups: alt.religion.scientology Subject: What CSI doesn't want Scns to See Date: 27 Jun 1998 16:15:39 GMT
The $cientology net nanny which Scientologists agree to use is hidden on the CD they receive in their packet of information about the Scientologist On-Line program. The CD contains three choices--the first, creating your spam page using the program CSI gives on the CD, second, creating online "FSM selection slips" to email to your selectees, who will take them to the Org they go to, landing the web-page-creator 15% of his purchases there, and third, installing Netscape Communicator and setting up your web page. This third choice is, as specifically mentioned in the packet, not to be chosen until after your page has received "Issue Authority" from CSI (for the use of such trademarks as "the collective membership mark SCIENTOLOGIST").
The third button installs the net nanny, hidden in the Netscape InstallShield. It is an invisible program in My Computer or Windows Explorer and cannot be viewed by pressing control+alt+delete. It is insidious, showing up on every 32-bit Internet program on a computer, in my case, Netscape and mIRC. When entering mIRC channel #scientology, those on-channel tested the nanny. We found that certain nicks were invisible (such as "alerma" and "zinjifar") and that whatever they wrote was visible in the mIRC status bar and not on-channel. Everyone else, filter-free, clearly saw their writing in the channel screen. Certain words, when typed by myself or others, would cause me to be immediately kicked from IRC, including: Xenu, xenu.net, Wollersheim, Erlich, Grady Ward, Keith Henson, freezone and several others. Many words were invisible to me when others typed them, and invisible to others when I typed them, a long, long list including most ars'ers names, and also, ARS, A.R.S., and alt.religion.scientology, and other words such as: the unbelievable deletion of the word "picket", clambake, Hemet, Gilman Hot Springs, Mark Ingber, Helena Kobrin, Kendrick Moxon, really nearly every critic and/or ex-member's name, from Roland Rashleigh-Berry to Graham Berry, and anti-cult people like Steven Hassan and Rick Ross. It was nearly impossible to converse on IRC with the filter. Luckily, using 16-bit mIRC was a quick and easy solution.
On the Web, sites such as xenu.net, entheta.net, lermanet.com, xs4all and csj.org (the AFF site) were completely blocked, whole domain names which also hosted critics' sites were blocked, dejanews.com was blocked. When reaching an unblocked search engines, all disliked domains would be listed as such: "home.inreach.com", became " . . " Just dots with no words..Other words, contained in an unblocked or new page, would cause a page to stop loading. For example, about 1/4 of a web page would load, and the filter would then hit the word, for example, Hemet, and stop loading.
One of the more interesting effects was its word chopping. For example "NOTs" is a blocked word. This meant also that "not sure" became "ure", and that "not surprised" became "urprised." Any configuration of "not" and "s" was deleted. Also, in honor of ARSer "Anima", the word "animal" became, simply, "l".
Yeah, right. "Think for yourself." I hope to post a far more complete list of "bad words" later...To any Scientologists reading, of course, 16-bit programs or Win98 kill it.
ScienoSitter patches wsock32.dll to forward calls to stcpx.dll. The following calls are patched and forwarded to the indicated entry points in stcpx.dll (reported by email@example.com (Zane Thomas)):
102 10 WSAAsyncGetHostByAddr (forwarded to STCP.I) 103 11 WSAAsyncGetHostByName (forwarded to STCP.J) 116 19 WSACleanup (forwarded to STCP.M) 1107 1C WSARecvEx (forwarded to STCP.K) 115 1F WSAStartup (forwarded to STCP.L) 1 24 accept (forwarded to STCP.O) 2 25 bind (forwarded to STCP.P) 3 26 closesocket (forwarded to STCP.A) 4 28 connect (forwarded to STCP.N) 51 2A gethostbyaddr (forwarded to STCP.G) 52 2B gethostbyname (forwarded to STCP.H) 16 3F recv (forwarded to STCP.B) 17 40 recvfrom (forwarded to STCP.C) 19 45 send (forwarded to STCP.D) 20 46 sendto (forwarded to STCP.E) 23 4A socket (forwarded to STCP.F)
Due to this mechanism, the "ScienoSitter" can simply be uninstalled by replacing the patched wsock32.dll with the original, which is backed up during the installation process at wsock32.dll.tmp .
Contrary to earlier speculations, the ScienoSitter does apparently not connect to other hosts on the internet during the installation procedure.
The information about what is not allowed to read resides in the three files d32l.dll, n32l.dll and p32l.dll. These files do not contain code but encoded text. This C program, courtesy of Taniwha, decrypts the three files. (See also the list and the program at Taniwha's site. The program was originally written by "Saruman" to decrypt CyberSitter's list of censored web pages.)
The decrypted files.
(If you are in a playful mood, you can now create your own lists and encrypt them using this C program. Have fun!)
The terms are decrypted upon starting the DLL and stored in plain text as a tree in memory.
Terms which are in square brackets are just blanked out. If a term in curly braces is encountered, the STCP layer returns an error to the application. The standard response of the application is to close the socket, stopping a web page from loading or disconnecting from IRC.
ScienoSitter apparently intercepts at least nameserver queries, SMTP, NNTP and HTTP protocols and IRC.
ScienoSitter has several points in common with CYBERsitter, a program marketed by Solid Oak Software:
However, Solid Oak Software declines that ScienoSitter is merely a customized version of CYBERsitter. The following arguments strengthen that point:
This makes two alternatives more likely:
People have tried from the content of the list to guess about its age. It has been pointed out that the list contains www.charlies-playhouse.ch which has been created around the beginning of 1998. On the other hand, the lists contain some entries which make it appear that they were created before the end of February 1998.