[ About the "ScienoSitter" ]

How the "ScienoSitter" works

Message-ID: <1998062716153900.MAA17263@ladder01.news.aol.com>
From: clkates@aol.com (CLKates)
Newsgroups: alt.religion.scientology
Subject: What CSI doesn't want Scns to See
Date: 27 Jun 1998 16:15:39 GMT

The $cientology net nanny which Scientologists agree to use is hidden on the CD they receive in their packet of information about the Scientologist On-Line program. The CD contains three choices--the first, creating your spam page using the program CSI gives on the CD, second, creating online "FSM selection slips" to email to your selectees, who will take them to the Org they go to, landing the web-page-creator 15% of his purchases there, and third, installing Netscape Communicator and setting up your web page. This third choice is, as specifically mentioned in the packet, not to be chosen until after your page has received "Issue Authority" from CSI (for the use of such trademarks as "the collective membership mark SCIENTOLOGIST").

The third button installs the net nanny, hidden in the Netscape InstallShield. It is an invisible program in My Computer or Windows Explorer and cannot be viewed by pressing control+alt+delete. It is insidious, showing up on every 32-bit Internet program on a computer, in my case, Netscape and mIRC. When entering mIRC channel #scientology, those on-channel tested the nanny. We found that certain nicks were invisible (such as "alerma" and "zinjifar") and that whatever they wrote was visible in the mIRC status bar and not on-channel. Everyone else, filter-free, clearly saw their writing in the channel screen. Certain words, when typed by myself or others, would cause me to be immediately kicked from IRC, including: Xenu, xenu.net, Wollersheim, Erlich, Grady Ward, Keith Henson, freezone and several others. Many words were invisible to me when others typed them, and invisible to others when I typed them, a long, long list including most ars'ers names, and also, ARS, A.R.S., and alt.religion.scientology, and other words such as: the unbelievable deletion of the word "picket", clambake, Hemet, Gilman Hot Springs, Mark Ingber, Helena Kobrin, Kendrick Moxon, really nearly every critic and/or ex-member's name, from Roland Rashleigh-Berry to Graham Berry, and anti-cult people like Steven Hassan and Rick Ross. It was nearly impossible to converse on IRC with the filter. Luckily, using 16-bit mIRC was a quick and easy solution.

On the Web, sites such as xenu.net, entheta.net, lermanet.com, xs4all and csj.org (the AFF site) were completely blocked, whole domain names which also hosted critics' sites were blocked, dejanews.com was blocked. When reaching an unblocked search engines, all disliked domains would be listed as such: "home.inreach.com", became " . . " Just dots with no words..Other words, contained in an unblocked or new page, would cause a page to stop loading. For example, about 1/4 of a web page would load, and the filter would then hit the word, for example, Hemet, and stop loading.

One of the more interesting effects was its word chopping. For example "NOTs" is a blocked word. This meant also that "not sure" became "ure", and that "not surprised" became "urprised." Any configuration of "not" and "s" was deleted. Also, in honor of ARSer "Anima", the word "animal" became, simply, "l".

Yeah, right. "Think for yourself." I hope to post a far more complete list of "bad words" later...To any Scientologists reading, of course, 16-bit programs or Win98 kill it.

Charlotte Kates

ScienoSitter patches wsock32.dll to forward calls to stcpx.dll. The following calls are patched and forwarded to the indicated entry points in stcpx.dll (reported by z_thomas@ix.netcom.com (Zane Thomas)): 

        102   10          WSAAsyncGetHostByAddr (forwarded to STCP.I)
        103   11          WSAAsyncGetHostByName (forwarded to STCP.J)
        116   19          WSACleanup (forwarded to STCP.M)
       1107   1C          WSARecvEx (forwarded to STCP.K)
        115   1F          WSAStartup (forwarded to STCP.L)
          1   24          accept (forwarded to STCP.O)
          2   25          bind (forwarded to STCP.P)
          3   26          closesocket (forwarded to STCP.A)
          4   28          connect (forwarded to STCP.N)
         51   2A          gethostbyaddr (forwarded to STCP.G)
         52   2B          gethostbyname (forwarded to STCP.H)
         16   3F          recv (forwarded to STCP.B)
         17   40          recvfrom (forwarded to STCP.C)
         19   45          send (forwarded to STCP.D)
         20   46          sendto (forwarded to STCP.E)
         23   4A          socket (forwarded to STCP.F)

Due to this mechanism, the "ScienoSitter" can simply be uninstalled by replacing the patched wsock32.dll with the original, which is backed up during the installation process at wsock32.dll.tmp .

Contrary to earlier speculations, the ScienoSitter does apparently not connect to other hosts on the internet during the installation procedure.

The information about what is not allowed to read resides in the three files d32l.dll, n32l.dll and p32l.dll. These files do not contain code but encoded text. This C program, courtesy of Taniwha, decrypts the three files. (See also the list and the program at Taniwha's site. The program was originally written by "Saruman" to decrypt CyberSitter's list of censored web pages.)

The decrypted files.

(If you are in a playful mood, you can now create your own lists and encrypt them using this C program. Have fun!)

The terms are decrypted upon starting the DLL and stored in plain text as a tree in memory.

Terms which are in square brackets are just blanked out. If a term in curly braces is encountered, the STCP layer returns an error to the application. The standard response of the application is to close the socket, stopping a web page from loading or disconnecting from IRC.

ScienoSitter apparently intercepts at least nameserver queries, SMTP, NNTP and HTTP protocols and IRC.

ScienoSitter has several points in common with CYBERsitter, a program marketed by Solid Oak Software:

  1. The encryption mechanism for CYBERsitter 97 wordlists is identical to that of ScienoSitter.
  2. According to a test report of the German computer magazine c't (issue 15 from 1997), CYBERsitter patches wsock32.dll and intercepts certain system calls -- just as ScienoSitter does.
  3. Experiments indicate that a mixture of CYBERsitter and ScienoSitter (wsock32.dll from CYBERsitter and stcpx.dll from ScienoSitter) works just as well in censoring anti-Scientology sites as using ScienoSitter alone.
  4. Solid Oak Software has implemented the "CYBERsitter Partners Program" which allows concerned organizations to create and maintain their own lists of objectionable Internet sites for either private or public distribution (from the press release by Solid Oak Software).

However, Solid Oak Software declines that ScienoSitter is merely a customized version of CYBERsitter. The following arguments strengthen that point:

  1. CYBERsitter97 (the current version of CYBERsitter) contains encrypted data (stop words) in its code. ScienoSitter doesn't.
  2. CYBERsitter97 has no obvious reference to wordlist files in its code. ScienoSitter does. (Furthermore, the wordlists that come with CYBERsitter have names different from d32l.dll, n32l.dll or p32l.dll.)
  3. Even if the same source is compiled with two different compilers, I understand that static string constants would be identical in both cases. They are not. CYBERsitter97 contains a lot of string constants which are not included in ScienoSitter (see above), and vice versa.
  4. ScienoSitter's stcp.dll apparently has some knowledge about SMTP, NNTP and HTTP protocols. CYBERsitter97's equivalent is only about half as long if you don't consider the encrypted data and apparently delegates this knowledge to another DLL.

This makes two alternatives more likely:

  1. ScienoSitter is built from an earlier version of CYBERsitter than CYBERsitter97. The latest published version of CYBERsitter before CYBERsitter97 was CYBERsitter 2.12. It used a different "encryption" scheme: every character of the wordlist was simply XORed with 0x94. It is unlikely that the new encryption scheme would have been developed independently by the programmers of CYBERsitter 97 and ScienoSitter.

  2. ScienoSitter and CYBERsitter are built around a common piece of code licensed from an unknown third party (which will be called MTP Inc. - for "mysterious third party"). Solid Oak Software has confirmed that this kind of licensing has taken place during CYBERsitter97 development.

People have tried from the content of the list to guess about its age. It has been pointed out that the list contains www.charlies-playhouse.ch which has been created around the beginning of 1998. On the other hand, the lists contain some entries which make it appear that they were created before the end of February 1998.