💾 Archived View for clemat.is › saccophore › library › ezines › 2600 › 2600_20-1_djvu.txt captured on 2021-12-03 at 14:04:38.
-=-=-=-=-=-=-
"...the essence of the evil government is that it anticipates bad conduct on the part of its citizens. Any government which assumes that the population is going to do something evil has already lost its franchise to govern. The tacit contract between a government and the people governed is that the government will trust the people and the people will trust the government. But once the government begins to mistrust the people it is governing, it loses its mandate to rule because it is no longer acting as a spokesman for the people, but is acting as an agent of persecution." - Philip K. Dick

Editor-In-Chief: Emmanuel Goldstein
Layout and Design: ShapeShifter
Cover Photo: Jon Baldwin
Cover Design: Mike Essl
Office Manager: Tampruf
Writers: Bernie S., Billsf, Eric Corley, Dalai, John Drake, Paul Estev, Mr. French, Javaman, Joe630, Kingpin, Lucky225, Kevin Mitnick, The Prophet, David Ruderman, Seraf, Silent Switchman, Mr. Upsetter
Webmasters: Juintz, Kerry
Network Operations: css, mlc, Seraf
Broadcast Coordinators: Juintz, Pete, daRonin, Digital Mercenary, w3rd, Gehenna, Brilldon, Chibi-Kim
IRC Admins: Antipent, DaRonin, Digital Mercenary, Redhackt, Roadie, Setient, The Electronic Delinquent
Inspirational Music: Can, Max Edwards, Kraftwerk, Edith Piaf
Dogs: Fritz, Espresso, Sammy, Sophie, Sugar
Shout Outs: Wiley, Tamara, Mojo, Gweeds, New Orleans 2600, Etox, Maze, Darkstorm, Howling Flea, Kuroishi, Battery, w1nt3rmut3, Reba, Darcy, Alex

2600 (ISSN 0749-3851) is published quarterly by 2600 Enterprises Inc., 1 Strong's Lane, Setauket, NY 11733. Second class postage permit paid at Setauket, New York.

POSTMASTER: Send address changes to 2600, P.O. Box 752, Middle Island, NY 11953-0752.

Copyright (c) 2003 2600 Enterprises, Inc.

Yearly subscription: U.S. and Canada - $20 individual, $50 corporate (U.S. funds). Overseas - $30 individual, $65 corporate. Back issues available for 1984-2002 at $20 per year, $25 per year overseas.
Individual issues available from 1988 on at $5.50 each, $7.50 each overseas.

ADDRESS ALL SUBSCRIPTION CORRESPONDENCE TO: 2600 Subscription Dept., P.O. Box 752, Middle Island, NY 11953-0752 (subs@2600.com).

FOR LETTERS AND ARTICLE SUBMISSIONS, WRITE TO: 2600 Editorial Dept., P.O. Box 99, Middle Island, NY 11953-0099 (letters@2600.com, articles@2600.com).

2600 Office Line: 631-751-2600
2600 FAX Line: 631-474-2677

Congratulations: Kevin

Not in Our Name
ANI and Caller ID Spoofing
A Hacker Goes to Iraq
Getting Busted - Military Style
Unsolicited Mail
Anonymous E-mail Using Remailers
Fun with 802.11b at Kroger's
Best Buy Insecurities
Ripping Movies From DVD to CD-R
XM - The Flawed Future of Radio
Letters
A First Look at Virgin Mobile
Creating Delay in the New Age
Ibuyspy Portal Software
Defeating salon.com's Premium Content
Fun with Hosting on your Cable/DSL
Keyboard Theory for the New Age Phreak
A Glimpse at the Future of Computing
Marketplace
Meetings

NOT IN OUR NAME

This is the kind of thing that nobody should be surprised by. Whenever there are times of national crisis, particularly those involving intense bouts of nationalism, we can expect to have the image of hackers twisted and manipulated to suit various parties' aims. Once again we find ourselves in a position of having to stand up against ignorant claims from a variety of sources.

Obviously, when there's a war going on (or invasion, which is probably a more accurate description at this point), there's going to be a lot of saber-rattling on all fronts. That's what it's all about, after all. Inevitably, though, this leads to distortions and misassumptions that desperately need correction.

Hackers as a group tend not to identify themselves with specific political parties or nationalities.
As individuals, hackers are much the same as anyone else, although we've noticed that due to our thoughtful nature and unending battle with the authorities for basic rights, hackers tend to be more cynical than most. You will also find that, true to hacker form, we will ask more questions and tend to doubt the answers we're given until there is absolute proof of some sort. All that said, it would be extremely presumptuous for anyone to claim that hackers as a group support the war, oppose the war, are Bush loyalists, or Bush haters. Yet this is exactly what's happening and once again, we have the mass media to thank.

Unlike the Gulf War of 1991, there are now numerous voices and perspectives that the average person can get their hands on. The Internet has expanded greatly in the past decade and there has been a growing demand for foreign news coverage on television, a demand which is slowly (almost grudgingly) being met by the satellite companies and digital cable. And, while it would be rather arrogant to say how hackers view particular policies or countries, one thing we feel pretty comfortable concluding is that most in the hacker world see such diversity of opinion and perspective as a good thing. We tend to have enough faith in the individual to believe that they are capable of making up their own mind on an issue, rather than being spoonfed the answers via the media or any government.

But there are those who see such diversity as a threat because, for the first time, some alternative ideas may be creeping into the heads of people who may not have even known there was another side to a story. These are the people who want control and who see individual thought as an annoyance at best, a real danger at worst. We also believe it is safe to say that most people in the hacker world find that sort of thing repugnant, for the simple reason that this mindset by nature would see the very concept of hackers as one of the biggest threats of all.
So it was a bit ironic when we saw in our favorite mass media source that "hackers" were busy attacking Al Jazeera. Al Jazeera is a news channel from Qatar that has been broadcasting since 1996. Despite being in the Middle East, it has a distinctly Western style of broadcasting. This has been the source of much criticism in the region; their willingness to point out corruption has caused them problems in such places as Saudi Arabia and Iraq. And naturally, the fact that they are willing to give any time at all to stories and people that wouldn't be seen in the States has earned them all kinds of condemnations here. Recently, their stock market reporter (yes, Al Jazeera actually has a stock market update on the bottom of their screen) was banned from the New York Stock Exchange because of "security precautions" by authorities there. And the Bush administration has been highly critical of the network for not following the same guidelines as our own mass media, which refused to air gruesome pictures of war victims that Al Jazeera was able to obtain.

There's no doubt that this kind of broadcast would get some people upset. But then, there are lots of things about this conflict that are getting people upset. What the presence of Al Jazeera accomplished was the inclusion of a different, previously hard to see, perspective. Since the network had been broadcast only in Arabic, we looked forward to having an English version of both the channel and their website so people here would be better able to judge the content for themselves. That day arrived on March 24 when the English version of the website was finally launched. But the site never made it to our screens. A massive denial of service attack took the entire Al Jazeera domain off the net, making it impossible for anyone (at least in our part of the world) to see what was on their pages.
A couple of days later, when their main page was finally back online, it was almost immediately defaced with an American flag and various words of pro-United States propaganda.

This was bad enough but when it started to be reported as something the hacker community was responsible for, it became a nightmare. Mail was pouring into our site from people thanking us for "taking care of the Arab scum" among other things. In yet another twisted way, the media was defiling the image of hackers, turning us into the Thought Police who had the gall to judge what people should see and eliminate anything that they didn't approve of.

Needless to say, this image didn't go over too well in the hacker community. It's well known and heavily documented that such actions as denial of service attacks and web page "hacking" have become so trivial that virtually anyone with the right script, sufficient bandwidth, or simply a strong agenda of some sort is capable of wreaking havoc on an intended target. The only hacker connection most likely occurred at the beginning, when whatever bug was exploited was discovered and revealed to the world. It's equivalent to a hacker figuring out (through endless experimenting and wasting of time) that holding down three keys at the same moment on an ATM will result in a $20 bill being released without being charged to an account. If the hacker released this information to the world and someone else comes along with the sole intent of stealing money, that second person is not a hacker in any sense of the word. They are simply a thief who heard of an exploit and decided to use it for their own purposes. In the same way, the people who took Al Jazeera off the net have got nothing to do with the hacker world. They simply exploited some well known security holes in order to achieve their objective - silencing a voice they didn't approve of.
Regardless of how we as individuals feel about what they are broadcasting and putting on their site, as hackers it should be obvious that any kind of authority imposing its beliefs on the rest of society is neither wanted nor needed. We don't know what the source of this shutdown was - the nature of the exploits tells us it could have been a bored kid or an angry government. The end result is the same.

Spring 2003

Back during the American spy plane incident in China, we received a number of pieces of mail from people who wanted us to "take China off the net." Each email address resolved to various sites within the United States military. That told us that hackers are seen by such people as a weapon, to be used when needed and for whatever political and military goals they deem necessary. In the end, somebody accommodated these people and started all kinds of attacks on anything and everything in the .cn domain. And, predictably, the same thing happened in reverse. That told us that it didn't take a whole lot of skill to pull off a destructive act.

We have to be careful not to get drawn into this way of thinking, where hackers are seen as a military resource. Because there's a flipside to that definition. If we are a resource when we do their bidding, then we are a major threat when we don't. And it's in our nature not to be in a blind allegiance with any authority figure.

We believe hacker ingenuity can be used to create something positive, where resources are found when none appear to exist and creative minds figure out ways of making the impossible happen. Back in 1996, Yugoslavian radio station B92 was forced off the air by the dictatorial Milosevic regime for airing material not approved of by the authorities. Hackers helped them get their signal onto the Internet via The Netherlands which meant that the entire world was now able to hear them.
They moved beyond the power of their government to silence them (since most government officials had little if any knowledge of the Internet). What better message to send to the world than to ensure that no voice is silenced and that if somebody tries, a hundred others will spring up to undo the damage?

It goes beyond what side of the fence you're on politically or what part of the world you're from. This kind of thing simply cannot be tolerated, particularly in the environment we find ourselves in now where truth seems particularly elusive. We may not like the message, we may not agree with it, but if what we allege to stand for is to have any value, we have to do everything possible to ensure it isn't silenced.

ANI AND CALLER ID SPOOFING

by Lucky225
lucky225@2600.com
www.verizonfears.com

This article will explain many methods of Caller ID and ANI spoofing that can still be used as of today. I have also included a brief FAQ for those of you who may not be familiar with the terminology which should help you understand this article more. I hope that this article will make many of you aware that Caller ID and ANI, although often great tools, can also be a waste of your time and money. Please don't confuse this article with past ones I've written. While I mention techniques I have used in the past, I also include up to date accurate information. This is meant to be a reference article on how caller ID and ANI can be spoofed, as well as on how they've been spoofed in the past. All of those telco techs out there who claim it can't be done will find definite proof that it has been. You will also find some useful links at the end of this article. Enjoy.

FAQ

So, just what is ANI? ANI stands for Automatic Number Identification. ANI is a service feature that transmits a directory number or Billing Telephone Number (BTN) to be obtained automatically. In other words, your number is sent directly to wherever you are calling to automatically.
Unlike Caller ID you cannot block this feature from happening.

What is flex ANI? Flexible ANI provides "II" (identification indicator) digits that identify the class of service of the phone you are calling from. Flex ANI is transmitted as II digits + BTN.

What are ANI "II" digits? Identification Indicator digits describe the class of service of the telephone. Some examples are:

00 "POTS" (plain old telephone service) or home phone
07 Restricted line
27 ACTS payphone
29 Prison phone
62 Cellular phone
70 COCOT payphone

What is an ANAC? ANAC stands for Automatic Number Announcement Circuit. This is a phone number you can call that will ring into a circuit that announces the ANI number you are calling from. Examples of ANACs are 800-555-1140 and 800-555-1180. When you call these numbers you will get an ARU (Audio Response Unit). This is the circuit that announces your ANI. The ARU will say the following: "The ARU ID is [id], your line number is [trunk number], the DNIS is [DNIS number], the ANI is [II digits followed by ANI]."

ARU ID: Audio Response Unit ID number. This identifies which ARU in a group of ARUs you reached.
Line number: The trunk you came in on.
DNIS: Dialed Number Identification Service - tells you which number you called (i.e., 800-555-1140 is 03122, 800-555-1180 is 03125).
ANI: II digits followed by ANI.

What is a BTN? BTN is the Billing Telephone Number, a phone number which charges are to be billed to. It is not necessarily the phone number of the line you are calling from.

What is Pseudo ANI? Pseudo ANI or PANI is a unique non-dialable number used to route cellular calls. PANI is used by 911 operators to find the cell site and sector from which the cell phone is

What is an ANI fail? An ANI fail is when no ANI is sent. Usually the area code of the tandem office completing the call will be sent. (For instance, if the tandem office is in 213 the ANI will be sent as II digits+213.)

How do ANI fails occur?
ANI fails can occur when the tandem office completing a call didn't receive ANI from the central office originating the call. ANI fails can also be caused when ANI is intentionally not sent. This can happen by using a method called op diverting. Another way you can cause ANI fails is through the use of the AT&T long distance network. Simply dial 10-10-288-0 or dial 0 and ask your operator for AT&T. When AT&T comes on the line simply touch tone in a toll free number and the call will be completed with no ANI. Note however that this method is dependent upon the AT&T center you reach. Some AT&T centers still forward ANI, others send an AT&T BTN as ANI. But most AT&T centers currently don't forward ANI.

What is op diverting? Op diverting is a term that describes the process of intentionally causing an ANI fail by having your local operator dial the number you wish to reach. Most operator centers are not equipped to forward ANI and so they complete the call with no ANI.

What's the difference between ANI and Caller ID? ANI is the BTN associated with the telephone and is the direct number where you are calling from. Caller ID is usually the BTN but occasionally can be incorrect, i.e., the main number of a business instead of the actual number being called from. Another difference in ANI is that it shows the class of service of the phone number while Caller ID just shows the name and number.

Now that you have an idea of what ANI is and how it differs from Caller ID I will explain some methods for spoofing both of them.

Spoofing Caller ID

Method #1 - Using a PRI line. Major companies that have a PBX with many hundreds of lines hooked up to a Primary Rate ISDN (PRI) line can spoof Caller ID by setting the Caller ID number to whatever number they want for a given extension on that PBX by typing a simple command on the PBX's terminal.
Some telephone switches also use whatever Caller ID is sent from the PBX as ANI - a major hole in the telephone network that I hope will someday be fixed since the spoofed ANI can be billed for long distance calls! Telephone company billing records should be inadmissible for this reason. I hope the telcos have switch logs for backup!

Method #2 - Orangeboxing. Orangeboxing is Caller ID signal emulation through the use of a Bell 202 modem, sound card software, or a recording of a Caller ID transmission. Orangeboxing is not very effective because you have to send the signal after the caller has answered their phone. However, through the magic of social engineering you could have one friend call a number and pretend he has reached a wrong number while sending a call waiting Caller ID signal fooling the victim into believing he is receiving another incoming call from the name and number spoofed and when the victim "flashes over" have your friend hand you the phone and continue with your social engineering.

Method #3 - Calling Cards. I learned this method from some phone phreaks on a party line a long time ago. I can't recall the name of the calling card company but all one has to do is provide a credit card as a method of payment to obtain a PIN. Once you have the PIN you just op divert or cause an ANI fail to the 800 number for the calling card and it will ask you to please enter the number you are calling from. You touch tone in any number you want, then it asks for your PIN and then what number you want to call. The person you call will see the number you touch toned in as the Caller ID for that call. If the number is in the same area as the caller, it will also show the name associated with the phone number.

Spoofing ANI

Spoofing ANI is a little more difficult than spoofing Caller ID unless you have access to a central office switch.
A few years ago when Verizon was still GTE here in California, the local "0" operator center was located close to me and they had the ability to send ANI without ANI fails. However, I found a test number on a DMS-100 Switch in Ontario that would give me a local "0" operator - only she'd see an ANI fail and have to ask me what number I was calling from. Any number I gave her would be used as ANI for any call I had her place.

A while ago AT&T used to send ANI when you placed calls to toll free numbers through the AT&T network and you could only call 800 numbers that were hosted by AT&T. After 2600 published my article on how to spoof ANI by op diverting to 800-call-att, AT&T had their network changed within a month. Their new network, however, just made it easier to cause ANI fails to toll free numbers. On the new network you could call any toll free number, not just AT&T hosted numbers, and there would be no ANI on the call, unless you were calling 800-call-att or a few other numbers that are internal numbers hosted by the call center itself. All you have to do to cause ANI fails to toll free numbers now is dial 10-10-288-0 and touch tone in the 800 number when AT&T comes on the line. This method of causing ANI fails is great because you don't have to speak to a live operator and you can even have your modem wardial 800 numbers without fear of your ANI being logged.

However there are some AT&T call centers that still forward ANI, and you may be able to reach them even if the call centers aren't in your area. Try op diverting to an AT&T language assistance operator. Since it is not likely that your call center will have a Tagalog speaking operator, you will get routed to a different AT&T center that does, possibly an AT&T center that still forwards ANI.
If you get an AT&T center that still forwards ANI, you can spoof ANI by simply giving the operator the number you want to spoof as the number you are calling from and social engineering her into placing a call to the toll free number you wish to call. Here are some AT&T language assistance numbers:

1 800 833-1288 Cantonese
1 800 233-7003 Hindi
1 800 233-8006 Japanese
1 800 233-8923 Korean
1 800 233-1823 Mandarin
1 800 233-8622 Polish
1 800 233-2394 Russian
1 800 233-9008 Spanish
1 800 233-9118 Tagalog
1 800 233-1388 Vietnamese

The best method for spoofing ANI and Caller ID is social engineering a Telus operator to do it for you. I stumbled upon this method when I was testing out a theory. In my previous 2600 article about spoofing ANI through AT&T I mentioned something known as the 710 trick. This was a method of making collect calls that the called party wouldn't be billed for. The way the 710 trick worked in the past was you'd op divert to 800-call-att and give the operator a 710 number as the number you were calling from and have her place a collect call to the number you want to call. The called party would never get a bill because 710 is a "non-existent" area code. AT&T does its billing rates by where the call is being placed from and to and because you used a 710 number, there were undetermined rates. I was testing to see if the 710 trick also worked with a Canadian phone company called Telus. After testing it out, my friend in Canada dialed *60 and it read back the 710 number I gave the operator. This is how I discovered Caller ID spoofing was possible through Telus and I began to come up with a social engineering method to get them to place a call for me without selecting a billing method. I now know that it is also possible to spoof ANI through Telus.

Telus' toll-free "dial-around" is 1-800-646-0000. By simply calling this number with an ANI-fail you can give the operator any number as the one you are calling from.
As of January 2003, Telus can now place calls to many toll free numbers and the ANI will show up as whatever number you say you're calling from. So by simply causing an ANI-fail to Telus' dial-around service you can spoof Caller ID and ANI to anyone you want to call. Not only that but if the person you are calling is in the same area as the number you are spoofing, the name and number show up on the Caller ID display. To cause an ANI fail to Telus all you have to do is op-divert to 1-800-646-0000 or dial 10-10-288-0 and touch tone 800-646-0000 when AT&T comes on the line.

You can social engineer the Telus operator to place a "test call" for you which is a free call with no billing. You simply tell the Telus operator at the beginning of the call that you are a "Telus technician" calling from [number to spoof] and need her to place a "test call" to [number to call]. It goes something like this:

You pick up the phone and dial 10102880.
AT&T Automated Operator: "AT&T, to place a call..."
Touch tone 800-646-0000.
AT&T Automated Operator: "Thank you for using AT&T."
Ring.
Telus: "This is the Telus operator, Lisa speaking." (Or "This is the Telus operator, what number are you calling from?")
You: "Hi Lisa, this is the Telus technician. You should see an ANI failure on your screen. I'm calling from [number to spoof]. I need you to place a test call to [number to call]."
Telus: "Thank you from Telus."

What just happened was AT&T sent an ANI fail to Telus, you told the operator to key in your new number, Telus then placed the call and used the number you gave as both ANI and Caller ID!

Note about spoofing ANI to toll free numbers: Not all U.S. toll free numbers are accessible from Canadian trunks. So even though you are spoofing a U.S. number the call may not be able to be routed through Telus.

Of course, the social engineering method will probably become ineffective soon, although I've demonstrated this at H2K2 in July 2002 and it's now 2003 and it's still working.
The spoofed Caller ID also shows up on collect calls (though I think you can only call people in Canada collect with this service), third party billing (would you accept a third party bill call if the Caller ID said your girlfriend's number and the op said she was the one placing the call?), and calling card calls, so you could even legitimately spoof Caller ID if you had a Telus calling card. The rates are pretty expensive though. But you can get one if you have Telus as your local phone company. If you live outside Canada you can pay with a credit card (you need a Canadian billing address though!). Call 1-800-308-2222 to order one.

The sad thing is that ANI spoofing and Caller ID spoofing are so easy, yet many companies use ANI and Caller ID as a security feature - Kevin Mitnick even stated in his book The Art of Deception that Caller ID was easy to spoof with ISDN PRI lines but that you can't spoof ANI (even though on certain switches it will spoof ANI). Here you can spoof Caller ID and ANI using simple social engineering that is very effective. T-mobile and Sprint PCS allow you to check your voice mail without entering your password if the Caller ID shows your cell phone number. Credit card companies allow you to activate credit cards simply by calling their toll free number with the ANI of the "home phone" number you put on their application. Some calling card companies allow you to access your calling card by simply calling from "your number." Some utility companies (including the phone company) allow you to set up online billing using only a call to one of their toll free numbers that use ANI to verify that you are calling from the phone number listed on the account. They activate your online billing with no further verification.
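Added example (not part of the original article, and not any carrier's or vendor's code): how a service that receives flex ANI in the FAQ's "II digits + BTN" form could treat the calling number as a risk signal instead of a credential, so that a matching ANI or Caller ID never grants access by itself. The account record, the PIN requirement, the decision names and every phone number below are constructed assumptions.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# II digit meanings exactly as listed in the article's FAQ.
II_CLASSES = {
    "00": "POTS / home phone",
    "07": "restricted line",
    "27": "ACTS payphone",
    "29": "prison phone",
    "62": "cellular phone",
    "70": "COCOT payphone",
}


@dataclass(frozen=True)
class FlexAni:
    ii: str          # two identification indicator digits
    number: str      # 10-digit BTN, or a bare 3-digit area code on an ANI fail
    ani_fail: bool

    @property
    def service_class(self) -> str:
        return II_CLASSES.get(self.ii, "unknown")


def parse_flex_ani(raw: str) -> FlexAni:
    """Split 'II digits + BTN'; 'II digits + area code' means an ANI fail."""
    digits = re.sub(r"[\s().-]", "", raw)
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError("flex ANI must contain only digits and separators")
    if len(digits) == 12:
        return FlexAni(digits[:2], digits[2:], ani_fail=False)
    if len(digits) == 5:
        return FlexAni(digits[:2], digits[2:], ani_fail=True)
    raise ValueError(f"unexpected flex ANI length: {len(digits)}")


@dataclass(frozen=True)
class Account:               # hypothetical account record
    number_on_file: str      # 10 digits
    expected_ii: Tuple[str, ...]  # classes of service this customer calls from
    pin_salt: bytes
    pin_hash: bytes


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def assess_call(raw_ani: str, caller_id: Optional[str], account: Account,
                pin: Optional[str]) -> Tuple[str, List[str]]:
    """Return (decision, risk_flags); the calling number is only a hint."""
    ani = parse_flex_ani(raw_ani)
    flags: List[str] = []
    if ani.ani_fail:
        flags.append("ani_fail")  # originating number was never delivered
    elif ani.number != account.number_on_file:
        flags.append("ani_mismatch")
    if ani.ii not in account.expected_ii:
        flags.append(f"unexpected_class:{ani.service_class}")
    if caller_id is not None and not ani.ani_fail and caller_id != ani.number:
        flags.append("callerid_ani_disagree")
    # The secret decides: a matching number alone never grants access.
    pin_ok = pin is not None and hmac.compare_digest(
        hash_pin(pin, account.pin_salt), account.pin_hash)
    if not pin_ok:
        return "deny", flags
    return ("step_up" if flags else "allow"), flags


# Constructed sample data (555-01xx numbers are fictitious).
SALT = b"constructed-salt"
ACCOUNT = Account("2135550100", ("00",), SALT, hash_pin("4821", SALT))
SAMPLE_CALLS = [  # (flex ANI, Caller ID, PIN entered)
    ("00-213-555-0100", "2135550100", None),    # numbers match, no PIN offered
    ("00-213-555-0100", "2135550100", "4821"),  # numbers match, PIN correct
    ("00-213", "2135550100", "4821"),           # ANI fail, Caller ID claims account
    ("27-213-555-0177", "2135550100", "4821"),  # payphone ANI, Caller ID differs
]


def run_samples() -> List[Tuple[str, List[str]]]:
    return [assess_call(a, c, ACCOUNT, p) for a, c, p in SAMPLE_CALLS]


if __name__ == "__main__":
    for call, result in zip(SAMPLE_CALLS, run_samples()):
        print(call, "->", result)
```

The first sample call is the voice mail case described above: both numbers match the account, and the call is still denied because no PIN was presented.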
ANI and Caller ID can be nice tools for verification, but you should also verify other identifying information such as a social security number or PIN before letting just anyone calling from a certain number access your services.

http://www.verizonfears.com - Verizown.
http://lab.digitol.net/callerid.html - Spoob Open Source Orangebox perl script and online CGI.
http://www.artofhacking.com/orange.htm - Shareware "Software Orange Box" for Windows.
http://www.codegods.net/cidmage - CIDMAGE Caller ID tone generator and FSK analyst.
http://www.testmark.com/develop/tml_callerid_cnt.html - Everything you ever wanted to know about caller ID.

A Hacker Goes to Iraq

by Chris McKinstry
http://www.chrismckinstry.com

On the face of it it seems rather odd. Why on earth would a hacker go to live in Iraq, the most isolated country in the world? Internet connections certainly must be hard to come by in a country where there are no ISPs and the sole provider of Internet services is the Ministry of Culture and Information. In fact, until halfway through the year 2000 the Ministry restricted Internet use to the government itself. In July of 2000 according to CNN and the BBC there was at least one Internet cafe in the center of Baghdad, but today I can find no evidence of this - backpackers.com lists zero as the count of Internet cafes in Iraq and google turns up zilch as well. Antarctica has better connectivity.

How can a modern hacker live without an Internet connection? And why would I go anyway?

The key to the answer to the first question is the word "modern" and the key to the answer of the second question is more complex but can be summarized with the words "teach" and "protest."

I am a modern hacker, but I've been interested in computers since I was a child in the early 1970s when "hack" meant "create" and not the current media corruption which essentially translates to "destroy."
This was a time when there were no visible computers and the government still decided who had ARPANET access. Around then, the first ads started appearing for Steve Jobs' and Steve Wozniak's Apple II - a useful configuration cost the same as taking a family to Europe (or the United States if you're European).

A real physical computer like the ones I saw in the magazines that taught me to program were simply out of the question. My only computer was imaginary. It existed only as a simulation in my head and in my notebook - the old fashioned paper kind.

My computer programs were just lists of commands and parameters on paper, much like those programs of the first hacker Alan Turing, who hand simulated the world's first chess program in the 1940s before the computers he fathered existed. Of course I gleaned my commands and parameters from magazines and trash cans while Turing seems to have gotten them from God.

The situation is much the same for Iraqi children today as it was for me in the 1970s, except the children of Iraq have no computer magazines to teach them to program and UN/US sanctions are killing them at the rate of 5,000-6,000 per month.

My plan of teaching and protest begins with a flight to Amman, Jordan sometime early in 2003, from where I will drive overland to Iraq even if bombs are falling. I will take no electronics. No computer. Not even a camera. Just pen and paper and my 1976 copy of David Ahl's The Best of Creative Computing. I will go from town to town and school to school teaching about programming and Alan Turing's imaginary computer and how to teach the same.

If there is war, I will stand by my fellow pacifists at hospitals and water treatment plants, willing to die with Iraq's innocent citizens. If I live through a day's bombing, I will write to the world about it at night.
In a land where medicine and toys are blocked by UN/US sanctions and those who take it upon themselves to bring them in either risk 12 years in prison, a $1,000,000 fine, and a $250,000 administrative fine, I think even an imaginary computer will make a difference.

It is simply true that one day Iraq will return to the world, and if we do nothing now, an entire generation will be completely dysfunctional in this computer dominated world. As an individual person, I can't possibly smuggle in enough medicine or toys to make but the tiniest of difference. But as a hacker, I can smuggle in an idea - the idea of Alan Turing's imaginary computer - and try to infect a people's children with skill and hope.

Getting Busted - Military Style

by TC

In light of Agent Steal's article on getting busted by the feds that was published in 2600 in the late 90s, I thought I would write an article for the military audience and for those thinking of joining the military.

First, a little background information on military law. Those in the military are all covered under the Uniform Code of Military Justice (U.C.M.J.), which follows Title 10 of U.S. code. The U.C.M.J. became effective in 1951. Before that time, military personnel were covered under the Articles of War. The Articles of War was different, and one of those differences was that it did not allow persons under military jurisdiction to be subject to civilian law. You could say that is where the term "join the Army or go to jail" came from. Congress gave the executive branch control of this as it is the branch that controls the military, even though they have been known to stick their noses in it and make their own changes. This means the President can make changes to the U.C.M.J. at his discretion. The U.C.M.J. is also a separate legal entity so you cannot appeal your case to any federal civilian court except the Supreme Court.

Each branch of the military has its own law enforcement agencies.
The Army has the Criminal Investigation Division (CID), Military Police Investigations (MPI), and Military Police (MP). The Air Force has Office of Special Investigations (OSI - not like on the Six Million Dollar Man TV series), and Security Police (SP). The Navy and Marines have Naval Investigative Service (NIS) and Shore Patrol (SP). These agencies have authority over government property, military installations, and military personnel throughout the world. The investigation agencies serve to investigate criminal activities that concern the military and its personnel. They are also known to work with federal and local law enforcement agencies, especially when it concerns military personnel or military property. Like every other policing agency, they also have their own undercover agents. Each branch even has its own customs agents overseas. They usually handle black marketing.

Congress also has a directive or law instructing each military installation to enforce the laws of the state that the post is in. In fact, I will mention one incident that happened at Fort Sill, Oklahoma in January 1995. The state has a law that prohibits distributing certain kinds of pornographic materials. You may have heard about one case in Oklahoma City in the mid 1990s concerning a couple who ran a BBS there. They got busted for selling the stuff on it. It was the same stuff that you can get from all those x-rated producers in California. Oklahoma, being in the "Bible Belt," decided to ban hard-core porn. In the Fort Sill and Lawton area, local law and the CID got together and busted a couple of people that had BBSs on Fort Sill with some porn on their systems that people could download. One of them decided to become a snitch in order to get out of trouble and they only ended up with a Bad Conduct Discharge.

These investigative agencies are known to use coercion tactics to get people to talk.
Coercion is difficult to prove so I would suggest to anyone that they not say anything to them at all, no matter what they say to you. Of course, if you do ever get yourself into a situation where they want to interrogate you, ask for an attorney. They are provided free of charge and you do not need an appointment to see one. The biggest thing that gets people convicted is their own mouth.

Even if you just think you are under investigation, go see a military attorney at once at your nearest Trial Defense Service on post. The only problem with these free attorneys is that they do not have a big legal staff to assist them, so they do all the casework themselves. That makes presenting your case difficult.

I should cover some of the rights of military personnel - or lack of rights. Like everyone else, members of the military have the same basic rights. There are a few differences though. One right that is unavailable is the Fifth Amendment right to a Grand Jury indictment. The Fifth Amendment states, "No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury, except in cases arising in the land or naval forces, or in the militia, when in actual service in time of war or public danger...." This issue has been before the Supreme Court and they have decided that military personnel do not have a right to a grand jury indictment. You of course get something similar which I shall explain later.

The military also has loopholes when it comes to unreasonable searches and seizures. Any time a person comes onto a military installation it is considered a border crossing by law and all persons and vehicles are subject to a search. Personnel living in the barracks do have rights against unreasonable searches, but on the other hand commanders have the right to do a health and welfare inspection of everything that is under their command.
That includes bringing drug sniffing dogs through and having selected individuals search through your stuff to find contraband that may affect the health and welfare of everyone there. Even if you collect knives, they are not supposed to be there and will be taken. Married people who live in family housing on post do have a lot more privacy, but it still is not too hard to get in there either. Your best bet for total privacy from the military is to get a place off post. Try not to get in trouble with your chain of command as they can direct where you can live if you are troublesome to

Once an investigation of you has been completed, the case is turned over to your chain of command for decision as to what should be done next. It could be nothing all the way to a general court-martial. So if the commander of that post decides he wants you court-martialed, it would be in the best interest of the other commanders in your chain to go along with his decision, if they value their careers.

There are many types of military justice to recommend against you. First, there is a general court-martial. A general court-martial may try any case and may impose any prescribed punishment, including the death sentence. Then there is a special court-martial. It may try offenses involving non-capital offenses made punishable to code. Next up is a summary court-martial. It can try and sentence persons guilty of more minor offenses. Last is non-judicial punishment. It is known as an Article 15, or in the case of the Navy and Marines, captain's mast. There are also three levels to this. First is field grade. Next is company grade. Last is a type of company grade, but it doesn't count against you. The most you can get from an Article 15 is reduction of rank, forfeiture of pay, extra duty, and restriction.

If you have been recommended for general court-martial, you will next get your charges read to you by your commander. He will read each individual charge to you.
I have heard from people who have had something like 200 charges who kept falling asleep during the boring ordeal. Note that you may have many Article 134 charges on your charge sheet. This article is known as the "catchall" article. If there is no other article under the U.C.M.J. to cover what you did, then the catchall will get you.

As soon as the charges have been read to you, the military has 120 days to bring you to trial, but with a catch. As soon as you are indicted, it is considered that you are brought to trial. At that time though you can immediately demand that you go to trial. This may be good if the military is not ready to proceed. Soon after the charges are read to you, you will have an Article 32 hearing. This is somewhat like a grand jury. It's like a mini trial, which you are present for. The purpose of the Article 32 is to determine if there is enough evidence to proceed with a court-martial. The problem with this is it is run by a selected officer who knows nothing about law or procedure. Since this person does not know what they are doing, they will certainly just come to the conclusion that the court-martial must go ahead. They do not want to go against that general who wants the court-martial to proceed (good career move).

After the Article 32, you now get ready for trial. During this time, the same general who wants you court-martialed also gets to select who will be on your jury! Do you smell setup or what? The military calls its jury a panel that consists of six members who are at least the rank of colonel down to major. If you are enlisted, you can have one third of the panel enlisted. They also start at high-ranking sergeant majors and go down. So if you are a lowly ranking enlisted person, you will not have a jury of peers, but supervisors!
Here you have a trial with a panel of members selected by the commanding general and you believe they aren't thinking about their future and retirement? Most of the panel members will have a mentality of "He must be guilty or he would not be on trial." (You do have the option of having a trial by judge only. They are sometimes brought in from other commands and tend to be a bit more neutral.) Despite the drama you may have seen on TV, a two thirds vote is what is required for guilty or not guilty. There are no hung juries. I will also note that according to compiled statistics from military organizational groups, the acquittal rate for a military court-martial is about two percent. If you are offered a plea agreement, you should seriously consider it. If you don't take a plea agreement, you look at more time in the long run if found guilty. It has also been noted that a court-martial tends to be more cautious of what it does when the media is paying attention. A good example is the trial of former Sergeant Major of the Army Gene McKinney. His best defense in his case was contact with the media. If you think you are getting snowballed by the military, contact the media and tell them of the military’s conduct.

The military justice system despite its flaws is very efficient and swift. On average a trial is about two to three days and you are sentenced and put in jail as soon as it is over. On the other hand, sentencing is not like the feds with their sentencing guidelines. This can be bad or good depending on your crime, personality, demeanor, remorse, and taking responsibility for your guilt (if found guilty). So if you know you are going to get slammed, you might as well put on a good show for them. Tell them how sorry you are, show sadness, cry, anything to get that time down as low as possible.

After sentencing, it's time for appeals. The military judge or panel can only recommend your punishment.
Your case now goes to the commanding general for review. He gets together with his advisors to discuss what to do with your case. He can either go with the recommended punishment or reduce it, but not give any more than the recommendation calls for. Once he signs off on it, it goes to the next level for review. This process with the general usually takes about six to eight months. During this time - if your time in the military has not expired - you will continue to get paid until the general takes action on your case. At that time, if you have received forfeiture of your pay, your pay will stop when the general signs off on your case. If you have not received forfeiture, your pay will continue until your end of service date.

The next stage of the automatic appeal of your case goes to the service branch Court of Criminal Appeals. If you are Army, your case would go to the Army Court of Criminal Appeals. At this time you also get a new attorney who will handle your appeal from now until it's done, unless he changes duty stations. The chances of getting any relief from this court are very slim, as it is also run by folks in uniform. How long this process could take is really different for everyone. Some take months, some take years.

The next step of your appeal is to the United States Court of Appeals for the Armed Forces. There is not an automatic review from this court. The court decides if it will review your case. If it does not, your appeals are over and you cannot have the Supreme Court review it. If you had a plea agreement, it usually takes about one year for your case to go through the appeals review. If you pleaded not guilty and are continuing to fight your case, it is not uncommon for a person to be released before their case has been through an appeals review.

After you have been sentenced it is off to jail. The Army, Navy, and Marines have their own prisons.
The Air Force does not have confinement facilities and they send their own personnel to the nearest base. Those who receive a sentence of five years or less will be sent to a regional facility that is closest to their base. These facilities are like basic training and are very boring places. Expect much kitchen duty and filling of sand bags. Everyone else who gets more than five years is sent to the United States Disciplinary Barracks at Fort Leavenworth, Kansas. This is the first and oldest federal prison in the United States. The original building was constructed in the early 1900s. The original site dates back to 1875. The "castle" as they call it is currently in a state of massive decay. People have been injured by the falling matter coming from the very high ceiling. The place has a capacity of about 1500, but there were just around 890 people when I was there in the late 90s. It is closed now as a newer prison has taken its place with a capacity of about 515. Inmates were being transferred to the Federal Bureau of Prisons in order to transition over to the new facility because of its smaller size. Compared to the F.B.O.P., the U.S.D.B. is really not that bad of a place to be.

The U.S.D.B. has five different security levels it handles. Because of this, the old facility had a 40 foot wall around the entire place. The security levels are Maximum, Medium, Minimum Inside Only, Minimum, and Trustee. Once you get to Minimum you can live in a dorm and have a TV and stereo with cassette player, CD player, and of course a typewriter or word processor without disk drive. At one time computers were allowed, but not anymore. They got rid of them through attrition. I know of one person who had to hide a hard drive in his computer, as they were not permitted. He would turn it on and off in the system BIOS.
The size of their manpower has shrunk along with the rest of the military and they claim they cannot maintain security of computers with the amount of personnel they have. You can also leave the wall and work outside as a Minimum with the supervision of a guard. As a Trustee, you live about a half mile from the prison. It's comparable to the Federal Prison Camp of the F.B.O.P. They at one time could get a job in town, but that was taken away. Now you are just able to work around Fort Leavenworth. You can also have a video game machine, go shopping every two weeks at the exchange on post, and receive packages from home. The other custody levels there are not worth mentioning.

Military corrections is controlled by a Department of Defense directive and supplemented by each service's own regulations. Its system is set up quite similar to the feds' "old law." Up front an inmate gets an amount of good time based on their sentence length. A person with ten or more years of a sentence length gets a rate of ten days per month. Under ten but more than five get a rate of eight days per month. That amount of time keeps going down as you have less time. There is also extra good time one will receive for working on an assigned detail in the prison. The rate starts at one day per month for the first five months. It continues up the scale until you get to five days per month, which takes nearly two years to achieve. Those who become Trustees will get up to seven days per month as long as they remain out there. And that is not the end of it. For special projects and such, it is possible to earn an additional five days per month. But nowadays it is very difficult to get any of those days due to the lock 'em up and throw away the key attitude. Those with life or on death row cannot receive any good time.

Military inmates are also eligible for parole after serving one-third of their sentence for those with up to thirty years.
Those with more than thirty or life are eligible after ten years. Death row inmates are not eligible for parole. Those who are granted parole must remain on parole until the expiration of their maximum sentence length and they are under the supervision of a U.S. Parole Officer. The problem with parole though is that the conditions could be changed and there is nothing you can do about it, except maybe violate parole.

Military inmates also get a yearly clemency review for a time reduction, restoration to duty, and upgrade of their discharge (DD 214) that is reviewed by a local board and their respective branch secretary. Restoration to active duty is exactly what it sounds like. Individuals are returned to active duty for the remainder of their sentence at the rank they were demoted to. When they successfully complete their time in service, they will receive an honorable discharge. The problem with this clemency review is that no one gets any sort of clemency from them anymore. The process is still on the books and still must be conducted. Nor has anyone been returned to duty in years either. If you are transferred to the F.B.O.P., you are still considered for clemency and restoration to duty, but now the U.S. Parole Commission will determine your release on parole. Unlike the feds, once the military releases you after your expiration of sentence, you are scot-free, even if transferred to the F.B.O.P. If you are released from the military confinement, you are given a release gratuity of $25, your property is mailed home free, you are given some cheap clothes (or you can have your own sent in), and you are given the cheapest transportation home. This usually means bus, but sometimes a plane is cheaper for them.
I hope this article has been informative to you all and if you end up at Fort Leavenworth, in or out of prison, do enjoy the many historic sites they have to offer as well as the scenic views all around the post, with plentiful fruit and nut trees to enjoy.

This email from the U.S. Navy's Surface Warfare Development Group was sent to an Internet mailing list, but it seems like it was intended for the classified SIPRNET instead. It looks like the Navy's updating some key info on its heavy machine guns!

IMMEDIATE ATTENTION NEEDED: HIGHLY CONFIDENTIAL

FROM: GEORGE WALKER BUSH

DEAR SIR/MADAM,

I AM GEORGE WALKER BUSH, SON OF THE FORMER PRESIDENT OF THE UNITED STATES OF AMERICA GEORGE HERBERT WALKER BUSH, AND CURRENTLY SERVING AS PRESIDENT OF THE UNITED STATES OF AMERICA. THIS LETTER MIGHT SURPRISE YOU BECAUSE WE HAVE NOT MET NEITHER IN PERSON NOR BY CORRESPONDENCE. I CAME TO KNOW OF YOU IN MY SEARCH FOR A RELIABLE AND REPUTABLE PERSON TO HANDLE A VERY CONFIDENTIAL BUSINESS TRANSACTION, WHICH INVOLVES THE TRANSFER OF A HUGE SUM OF MONEY TO AN ACCOUNT REQUIRING MAXIMUM CONFIDENCE.

3n employing SWDG Tactical Bulletin System

THAT ARE PRESENTLY TRAPPED IN THE REPUBLIC OF IRAQ. MY PARTNERS AND I SOLICIT YOUR ASSISTANCE IN COMPLETING A TRANSACTION BEGUN BY MY FATHER, WHO HAS LONG BEEN ACTIVELY ENGAGED IN THE EXTRACTION OF PETROLEUM IN THE UNITED STATES OF AMERICA, AND BRAVELY SERVED HIS COUNTRY AS DIRECTOR OF THE UNITED STATES CENTRAL INTELLIGENCE AGENCY.

IN THE DECADE OF THE NINETEEN-EIGHTIES, MY FATHER, THEN VICE-PRESIDENT OF THE UNITED STATES OF AMERICA, SOUGHT TO WORK WITH THE GOOD OFFICES OF THE PRESIDENT OF THE REPUBLIC OF IRAQ TO REGAIN LOST OIL REVENUE SOURCES IN THE NEIGHBORING ISLAMIC REPUBLIC OF IRAN.
THIS UNSUCCESSFUL VENTURE WAS SOON FOLLOWED BY A FALLING OUT WITH HIS IRAQI PARTNER, WHO SOUGHT TO ACQUIRE ADDITIONAL OIL REVENUE SOURCES IN THE NEIGHBORING EMIRATE OF KUWAIT, A WHOLLY-OWNED U.S.-BRITISH SUBSIDIARY.

MY FATHER RE-SECURED THE PETROLEUM ASSETS OF KUWAIT IN 1991 AT A COST OF SIXTY-ONE BILLION U.S. DOLLARS ($61,000,000,000). OUT OF THAT COST, THIRTY-SIX BILLION DOLLARS ($36,000,000,000) WERE SUPPLIED BY HIS PARTNERS IN THE KINGDOM OF SAUDI ARABIA AND OTHER PERSIAN GULF MONARCHIES, AND SIXTEEN BILLION DOLLARS ($16,000,000,000) BY GERMAN AND JAPANESE PARTNERS. BUT MY FATHER'S FORMER IRAQI BUSINESS PARTNER REMAINED IN CONTROL OF THE REPUBLIC OF IRAQ AND ITS PETROLEUM RESERVES.

If you would like to stop receiving information through this list, SIPRNET: subsoriber@swdg.navy.mil

About an hour later, they remembered which network was which. Although we'd wager that they both use Microsoft Exchange.

    Received: from rooks.swdg.navy.mil [138.139.136.3] by 2600.com
    Received: from PS55967 ([10.100.0.113]) by rooks.swdg.navy.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)

REPUBLIC OF IRAQ AND ACQUIRING THE PETROLEUM ASSETS OF HIS COUNTRY, AS COMPENSATION FOR THE COSTS OF REMOVING HIM FROM POWER.

UNFORTUNATELY, OUR PARTNERS FROM 1991 ARE NOT WILLING TO SHOULDER THE BURDEN OF THIS NEW VENTURE, WHICH IN ITS UPCOMING PHASE MAY COST THE SUM OF 100 BILLION TO 200 BILLION DOLLARS ($100,000,000,000 - $200,000,000,000), BOTH IN THE INITIAL ACQUISITION AND IN LONG-TERM MANAGEMENT. WITHOUT THE FUNDS FROM OUR 1991 PARTNERS, WE WOULD NOT BE ABLE TO ACQUIRE THE OIL REVENUE TRAPPED WITHIN IRAQ. THAT IS WHY MY FAMILY AND OUR COLLEAGUES ARE URGENTLY SEEKING YOUR GRACIOUS ASSISTANCE. OUR DISTINGUISHED COLLEAGUES IN THIS BUSINESS TRANSACTION INCLUDE THE SITTING VICE-PRESIDENT OF THE UNITED STATES OF AMERICA, RICHARD CHENEY, WHO IS AN ORIGINAL RICE, WHOSE PROFESSIONAL DEDICATION TO THE VENTURE WAS DEMONSTRATED IN THE NAMING OF A CHEVRON OIL TANKER AFTER HER.
I WOULD BESEECH YOU TO TRANSFER A SUM EQUALING TEN TO TWENTY-FIVE PERCENT (10-25%) OF YOUR YEARLY INCOME TO OUR ACCOUNT TO AID IN THIS IMPORTANT VENTURE. THE INTERNAL REVENUE SERVICE OF THE UNITED STATES OF AMERICA WILL FUNCTION AS OUR TRUSTED INTERMEDIARY. I PROPOSE THAT YOU MAKE THIS TRANSFER BEFORE THE FIFTEENTH (15TH) OF THE MONTH OF APRIL.

AM ASSURING YOU THAT ALL WILL BE WELL AT THE END OF THE DAY. A BOLD STEP TAKEN SHALL NOT BE REGRETTED, I ASSURE YOU. PLEASE DO BE INFORMED THAT THIS BUSINESS TRANSACTION IS 100% LEGAL. IF YOU DO NOT WISH TO CO-OPERATE IN THIS TRANSACTION, PLEASE CONTACT OUR INTERMEDIARY REPRESENTATIVES TO FURTHER DISCUSS THE MATTER.

I PRAY THAT YOU UNDERSTAND OUR PLIGHT. MY FAMILY AND OUR COLLEAGUES WILL BE FOREVER GRATEFUL. PLEASE REPLY IN STRICT CONFIDENCE TO THE CONTACT NUMBERS BELOW.

SINCERELY WITH WARM REGARDS,
GEORGE WALKER BUSH

Switchboard: 202.456.1414
Comments: 202.456.1111
Fax: 202.456.2461

E-mail using remailers

by angelazaharta

Sending an ordinary e-mail is equivalent to the old way of mailing a postcard through the post office. Think about this for a moment. E-mails get passed along several servers before they arrive at their final destination. There is nothing stopping the administrators of these servers from reading them if they so desire. A copy of your e-mail will be kept in all the places your mail goes through. Worse, while traveling toward its destination, unscrupulous profiteers may snag it, copy your e-mail address, and begin to send you spam.

A lot of people think that by using free web-based e-mail services such as Hotmail, Yahoo, or any of the other countless free ones they will be anonymous. How wrong they are! First, all of the above mentioned keep excellent logs. Second, they always will send your IP in the header of your message, so using them won't make you anonymous at all!
Third, those places like to cooperate with the "authorities" as much as they can, and they may even monitor the e-mails. (I don't have any actual proof that they do any monitoring. I'm just speculating. It stands to reason.)

So What's a Person To Do?

Short answer: A person should learn how to use remailers to send e-mail anonymously.

If you just want to send simple e-mail anonymously (no attachments, only text) and not expect an answer, you can do that by using free web-based remailers. They are very easy to utilize, but very insecure because the encrypting process is on the server and not on your computer. Several are available just for that purpose. Here is a list of working (at the time of this article being written) ones:

riot.eu.org/anon
http://www.all-nettools.com/tools4.htm
http://www5.tripnet.se/~brodd/anonmail.html
http://www.oldmadison.com/anon.htm
http://www. mani email, net
http://www.gilc.org/speech/anonymous/remailer.html
http://freedom.gmsociety.org/remailer/mixmaster.cgi

I'd definitely recommend you proxy yourself while using them. Just remember you won't be very secure since your message will not be encrypted and everyone it goes through will be able to read it.

What Is a Remailer?

Let's look at ordinary e-mails for a moment first. They all carry the same From:, To:, and Subject: fields. But they also carry invisible fields that will include your e-mail server domain's name, IP address, the time and the date your e-mail was sent, and other info. These fields are called headers.

Just by their name alone, it should be clear what remailers do - they re-send e-mail. But they not only blindly re-send the mail, no sir! They also strip the headers so nobody should know where the message came from and/or who was the original sender. They make sending anonymous e-mail possible. A remailer will also pass the message along to other remailers if that's what the poster wanted.
From there, the message can get passed along some more, or it can go to its final destination. A remailer is nothing more than a specialized server running software.

A Little History

Remailers started way back in the 1990s. The most famous was anon.penet.fi run by Johan Helsingius of Oy Penetic Ab in Finland. He wanted to create a way for individuals to express themselves freely on the Internet, without fear of reprisal or prosecution.

Unfortunately, anon.penet.fi was brought down when a court ordered its operator to turn over records after the Church of Scientology claimed a user was posting copyrighted information to an Internet discussion forum. anon.penet.fi was shut down. Fortunately, the concept of remailers survived, and many more remailers opened up.

Types of Remailers

There are two types of remailers. The first type are the older remailers known as Cypherpunk or Type I. The newer and more advanced are called Mixmasters or Type II.

Cypherpunk accepts messages encrypted with its publicly available PGP key. PGP is Pretty Good Privacy, the well-respected public-key encryption program which is widely available and, with a few exceptions, freeware. Users encrypt their clear-text outgoing message with the Cypherpunk remailer's public key. This can be done with any text editor like Notepad and a properly installed version of PGP. There is a particular message format to follow, one that the remailer software can understand.

The building of a Mixmaster message cannot be done with a text editor, so special client software is required. Some popular (and free) packages are Quicksilver, Potato, Jack B. Nymble, etc. I will detail how to use them

Preparation Steps

Remailers need a bit of extra work and preparation on your part before you can utilize them. Here's a list of the steps you need to take:

1. Download PGP (Pretty Good Privacy) encryption software, install it, learn how to use it, and create your set of PGP keys. This way nobody, not even the remailer operators, will be able to read your message. You have a choice of either getting the free older version from MIT or the newer version. Teaching you how to use PGP is beyond the scope of this article, but you can easily find a PGP tutorial on the Internet.

2. Decide if you want to use a Type I (Cypherpunk) or Type II (Mixmaster) remailer. Cypherpunk versions work with PGP or OpenPGP from http://www.openpgp.org. Remember, for Mixmaster you will also have to download and configure an application package. Here are some of them:

Mixmaster (DOS/UNIX/MacOS X) from http://mixmaster.sourceforge.net.
Reliable for MS-Windows95/98/NT from http://www.skuz.net/potatoware/reli.
Quicksilver for MS-Windows95/98/NT from http://quicksilver.skuz.net
Jack B. Nymble for MS-Windows95/98/NT from http://www.skuz.net/potatoware/jbn2.
MiXfiT for MacOS from http://www.geocities.com/SiliconValley/Byte/6J 76/macmixmaster.html.
PGP International (all operating systems) from http://www.pgpi.org.
GPG (most operating systems) from http://www.gnupg.org.

3. Find a working remailer. Several sites keep and constantly update a fresh list of working remailers. The best is by The Electronic Frontier Georgia (EFGA) at http://anon.efga.org/Remailers. The list is updated every day, so you should be able to obtain the most current list and their reliability rating. Another list of current remailers is kept at: http://www.publius.net/rlist.html. It's a good idea to choose a remailer that's not in your home country!

4. Evaluate the remailer by looking at its reliability statistics. Anything below 90 percent is not reliable. On this site you can find the public keyrings of type II remailers (Mixmaster) in a secure connection:

https://riot.EU.org/anon/pubring.mix (insecure pubring.mix)
https://riot.EU.org/anon/type2.list (insecure type2.list)
https://riot.EU.org/anon/pubring.asc (insecure pubring.asc)

There are many sites that offer statistics and public keyrings. For a complete index you can look at http://www.privacyresources.org/frogadmin/Pingers.html or the Computer Cryptology's Comparison at http://www.eskimo.com/~turing/remailer/stats or http://www.noreply.org/meta.

Updated statistics can be found at:

E.F.G.A.: http://anon.efga.org/Remailers/
Shinn: http://mixmaster.shinn.net/stats/
FarOut: http://www.nuther-planet.net/farout/stats/
Frog: http://www.privacyresources.org/frogadmin/Main.html
Austria: http://www.tahina.priv.at/~cm/stats/
Computer Cryptology: http://www.eskimo.com/~turing/remailer/stats/
Cmeclax (Shinn mirror): http://lexx.shinn.net/cmeclax/gumdatni.html

5. Create a nym for yourself. A good place to use is Nym.Alias.Net. Very detailed instructions can be found at: http://riot.eu.org/anon/doc/nym.html.

Once the programs are installed and configured, you must periodically download (at least once a day) the public keyrings and the reliability statistics of any remailer.

Remailer Commands and Fields

Remailers all use the same basic commands:

anon-to: Anonymous remailing.
anon-post-to: Anonymous posting to newsgroups (Usenet).
cutmarks: Discards everything below the designated line.
encrypted: PGP Tells the remailer it must encrypt the message with PGP.
encrypt-key: Encrypts message with PGP using conventional encryption.
latent-time: Allows time delays to be programmed into the message.
## Pastes new headers to the remailed message.
null Instructs the remailer to discard the message.

To send a message and be sure it gets delivered you need to properly format it. An example:

    From: you@your.e-mail-account
    To: name-of-remailer

On the first line of the message you put two colons like this:

    ::

On the next line you print the remailer command "anon-to", followed by the e-mail address of the person receiving the mail. For example:

    anon-to: someone@his.e-mail.account

Skip the next line and then begin typing your message. When the remailer receives your message, it will remove the header information and forward the rest of your message on to the address on the "anon-to:" line.

Because the remailers remove the headers, they also delete the subject line of the message. If you want to include a subject line, you do this by using the ## remailer command and placing a subject on the following line. For example:

    ##
    Subject: This is an anonymous e-mail message

Some free web e-mail places such as Yahoo add a tag line at the end of each e-mail advertising their services. The Yahoo one looks like this:

    Do you Yahoo?

Fortunately, remailers solve this problem with the cutmark command. The cutmark command instructs the remailer to remove everything from the line beginning with a chosen symbol. In this example, "=" was chosen.

    cutmark: = =

    this line will be included in your message
    this line will be removed because it follows the remarks

As mentioned above, the latent command will delay a message for a certain amount of time before it is delivered to the next remailer. This makes it harder for somebody to tag you by comparing the times you are logged on to your e-mail server with the times an anonymous e-mail is received. It also lets you delay messages in order to be somewhere else when the message is received. For example:

    latent-time: +3:00

will delay the delivery of the message from the remailer for three hours from the time it was received by the remailer.

It is also possible to add a random factor to the latent command by adding an "r" after the time:

    latent-time: +3:00r

will deliver the message at a random time after it was received by the remailer.
Let's now look at a properly formatted message using the various commands we discussed so far:

From: you@your.e-mail.address
To: mix@remailer

::
anon-to: someone@someplace.e-mail.account
cutmarks: ==
latent-time: +2:00r

##
Subject: This is the info you requested.

This is the text of your message. It will be delayed up to two hours from the time it was received by the mix@remailer and later forwarded to someone@someplace.e-mail.account. Remember, there is an empty line between the remailer commands and the body of your message.
==
This text is below the cutmarks so it will be removed from the remailed message.

Using PGP With Remailers

PGP encryption is an important part of remailing because PGP increases the security and anonymity of your e-mail communicating. Even if somebody is monitoring your e-mail as it leaves your PC, it will be impossible for them to read the content or to determine who the messages are being sent to if the messages are encrypted.

PGP has a bit of a steep learning curve at first, and many novices get confused with it. Just remember the basics: you produce two sets of keys, a public key for a friend to open your e-mail and a private key for you to encrypt your mail with. You send your friend the public key. Then you collect corresponding public keys from remailers and from friends and place those on a "keyring."

Let's now go over the steps for using PGP with remailers. I'll assume you have prepared your PGP keys and collected the PGP keys from remailers you plan to use. Prepare your message to be sent as explained above. Now encrypt it with the remailer's public PGP key. Type the encrypted PGP command into your e-mail text window and use cut and paste to paste your encrypted message below it.

::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----

When the remailer receives your message, it will un-encrypt it and follow the instructions you specified. Some remailers only accept encrypted messages.
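The command format described above (the "::" line, anon-to, cutmarks, latent-time and the "##" header block) can be followed through in code. The sketch below is an added example, not part of the original article and not any remailer's actual source; it shows what one remailer hop does with a message. The names process, render and Outgoing, the sample addresses and the recipient sanity check are assumptions made for illustration.

```python
"""What one remailer hop does with a message in the format described above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the mail body as it reaches the remailer. The sender's
# own From:/To:/Subject: headers have already been dropped at this point.
SAMPLE = """\
::
anon-to: someone@someplace.example
cutmarks: ==
latent-time: +2:00r

##
Subject: This is the info you requested.

This is the text of your message.
==
Do you Yahoo?
"""

LATENT_RE = re.compile(r"^\+(\d+):(\d{2})(r?)$")
ADDRESS_RE = re.compile(r"^[^@\s,;<>]+@[^@\s,;<>]+$")


@dataclass
class Outgoing:
    recipient: str = ""
    pasted_headers: List[str] = field(default_factory=list)
    body: str = ""
    max_delay_s: int = 0        # upper bound of the delay, in seconds
    random_delay: bool = False  # True when the time ended in "r"


def take_block(lines: List[str], start: int) -> Tuple[List[str], int]:
    """Return the non-blank lines from `start` and the index past the blank line."""
    end = start
    while end < len(lines) and lines[end].strip():
        end += 1
    return lines[start:end], min(end + 1, len(lines))


def process(raw: str) -> Outgoing:
    lines = raw.splitlines()
    if not lines or lines[0].strip() != "::":
        raise ValueError("first line must be '::'")
    commands, pos = take_block(lines, 1)
    out = Outgoing()
    cutmark: Optional[str] = None
    for line in commands:
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed command line: {line!r}")
        if name == "anon-to":
            # Added check (an assumption, not from the article): exactly one
            # plain address, so a command line cannot carry a recipient list.
            if not ADDRESS_RE.match(value):
                raise ValueError(f"bad recipient: {value!r}")
            out.recipient = value
        elif name == "cutmarks":
            cutmark = value
        elif name == "latent-time":
            m = LATENT_RE.match(value.replace(" ", ""))
            if not m or int(m.group(2)) > 59:
                raise ValueError(f"bad latent-time: {value!r}")
            out.max_delay_s = int(m.group(1)) * 3600 + int(m.group(2)) * 60
            out.random_delay = m.group(3) == "r"
        else:
            raise ValueError(f"unsupported command: {name!r}")
    if not out.recipient:
        raise ValueError("no anon-to line")
    # Optional "##" block: its lines become headers of the outgoing mail.
    if pos < len(lines) and lines[pos].strip() == "##":
        out.pasted_headers, pos = take_block(lines, pos + 1)
    body = lines[pos:]
    # Cutmarks: drop the first line that begins with the mark, and all after it.
    if cutmark:
        for i, line in enumerate(body):
            if line.startswith(cutmark):
                body = body[:i]
                break
    out.body = "\n".join(body).rstrip("\n") + "\n"
    return out


def render(out: Outgoing) -> str:
    """Build the mail that leaves the remailer: new headers, blank line, body."""
    head = [f"To: {out.recipient}"] + out.pasted_headers
    return "\n".join(head) + "\n\n" + out.body


if __name__ == "__main__":
    print(render(process(SAMPLE)))
```

Note that the webmail tag line only disappears because the sender put the cutmark line above it; nothing else in the format strips trailing text.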
Chaining Remailers

Remailers can be chained, just like proxies. This will further make tracking the original sender of a message very difficult - almost impossible. It is advisable to use remailers located in several countries.

To chain remailers, simply prepare the message as if it will be sent through a single remailer. Then begin inserting remailer addresses above the address of the final recipient. Here's an example:

From: you@your.e-mail.address
To: first-remailer@.address

::
anon-to: second-remailer@.address

::
anon-to: third-remailer@.address

::
anon-to: someone@someplace-someplace.address

##
Subject: Anonymous email

This anon email has been sent through several remailers.

Finally, here are some remailers that were up at the time of this article:

squirrel: mix@squirrel.owl.de (Germany)
swiss: mix@remailer.ch
hyper: mix@hyperreal.art.pl (Poland)
lcs: mix@anon.lcs.mit.edu (USA)
mccain: mccain@notatla.demon.co.uk (England)
bpm: mix@bpm.ai
widow: mix@wol.be (Belgium)

A couple of good links if you want to learn more about e-mail remailers are www.sendfakemail.com/~raph/remailer-list.html and http://www.theargon.com.

This article only dealt with sending anonymous e-mail. The same concepts are used to post anonymously on Usenet too (since Usenet shares the same basic principles), but that subject is a lot more complicated and requires a whole article of its own.

by Kairi Nakatsuki
kairi@phreaker.net

This guide assumes you already have a working wardriving setup on a *nix machine. This isn't necessarily meant to be a guide to hacking your friendly neighborhood Kroger's location. Though I do hope that this information will be of use in case you stumble upon a Kroger's location where an 802.11b network is present. Remember, don't be evil children!

Info

The particular Kroger's I did most of my dirty work at didn't have a terribly great security model, as you might expect. Evidently, management doesn't care much about their data being broadcast in clear text over the airwaves for 100 feet in every direction, though they seem to think that cloaking their ESSID would suffice. Since Kroger's wifi network(s) are mainly set up to allow their POS terminals to telnet into a SCO OpenServer machine, it is expected that these machines will have to be rebooted from time to time; so if the ESSID is not "kroger/barney" at your Kroger's, then it would be easy to obtain within short order.

This particular network resides on 30.112.16.0. Despite the fact that all of 30.0.0.0 is owned by the DoD, none of the addresses within that network are Internet routable (I confirmed this personally). So, I'm guessing that their address assignment scheme is purely coincidence. There was a DHCP server that gladly gave me an IP address. I was able to resolve names that are on the Internet, though I wasn't able to get a default route anywhere.

Tools Used

Kismet 2.8.1
Ethereal 0.9.9
Paketto Keiretsu 1.0
AirSnort
a Linux laptop and a backpack

(Disclaimer: I don't know what you would have to do to use Kismet under Windows, though you can use Ethereal on Windows to read packet dumps from Kismet just fine.)

I used Kismet 2.8.1 to initially discover the networks. After confirming that there were only three or so networks, I made Kismet only scan on the channels those networks resided on, doing something like this:

# killall kismet_hopper
# kismet_hopper -s 2,4,6
# assuming that channels 2, 4, 6 are where the
# networks reside; do this while kismet_server is
# running

Setting kismet_hopper to hop only those channels increases the amount of packets you receive. Be sure to scan from lowest channel to highest channel, as to avoid the pitfalls of overlapping frequencies. Start kismet_server in its own terminal so you can see what IP addresses are found, in real time.
I used scanrand from Paketto Keiretsu to stealthily do a portscan on the nodes I found. Mostly Windows boxen with open SMB shares.

Going In

After you have played around a little and have confirmed that your Kroger's has a wireless network, it's time to get down to business. You can associate with their network and use Ethereal to do a packet capture in promiscuous mode, if you feel like using an Ethereal capture filter. This isn't as effective as using Kismet to channel hop and sniff in rfmon mode, however.

Now put your laptop in your backpack. Go up real close; walk back and forth across the storefront. Hell, pretend to fumble through your change pocket and buy your favorite soft drink from a vending machine. I don't suggest going in, however, since people wearing backpacks in a store is kind of frowned upon.

Back at Base

After you feel you've gotten your fill of captured packets, it's time to open the Kismet packet dumps with Ethereal. Use the display filter "telnet"; expand the "Telnet" tree. Scroll through the packets; a lot of them will be "\033", but you'll eventually find the good shit. This is a mere sample of what I found.

SCO OpenServer(TM) Release 5 (xxx.xxx.kroger.com) (ttyp3)

You can telnet into the machine that this prompt came from to see how many cash registers are in use; just use the ttypx as a clue. It counts from ttyp0 up.

The POS terminals at Kroger's are used for a lot of things, from the obvious cash register functions, to ordering shelf labels, to entering UPC codes and item names. I don't suggest that you log in if you capture username/password combinations; resist the urge!

Miscellaneous

I did find a single WEP-encrypted network. I wasn't able to stay close enough to the signal, though. If you're brave enough, you can let your car sit in the parking lot long enough to capture enough packets to crack this, if you have a good antenna.
You can continue to use Kismet to keep the packets flowing, but I suggest using AirSnort to do the packet capture on a single channel, so you'll be able to see how far you're coming.

Here's a recap, findings may be different:

ESSID: "kroger/barney" (Barney Kroger owns the chain)
Class C subnet: 30.112.16.0
Servers: 30.112.16.1, 30.112.16.2; running SCO OpenServer

If anybody can share information on the actual terminal interface used, let us know; I would be more than glad to write a follow-up article. Feel free to e-mail me.

Obligatory Disclaimer

Have fun with this information. And remember, go to school, don't do drugs, and stay out of trouble! I can't take responsibility for your actions. It's your choice to follow my example, after all.

by W1nt3rmut3
mut3@oldskoolphreak.com

Note: the following material should be considered educational only. Attempting anything in this article might result in punishment from Best Buy. No prior knowledge of the Best Buy network was used in my personal exploration.

As with most consumer electronic retailers, Best Buy offers computers, DVDs, CDs, stereos, etc., at decent prices. But did you know that Best Buy also offers insight into their business, right from inside their store? I'll bet you didn't. Let's take a trip to our local Best Buy....

Garnering Access

A few computers in every Best Buy offer Internet access. They can come in the form of a "Build Your Own Computer" terminal or a "Try Out Broadband" terminal. I have found the "Build Your Own Computer" terminals to be most accessible, since they aren't as "locked down" as their "Broadband" counterparts. Both types include a printer, which is useful. They both have access to "Internet," but this is limited to bestbuy.com, microsoft.com, and some of Best Buy's partners. Normally, some type of interactive demo or fixed browser window protects the units that do allow Internet access. Most keyboard shortcuts (alt F4, (Windows key) R, and the ilk) have been deactivated. One that hasn't been is F1, or Windows Help. To be able to use this keyboard shortcut, you are going to have to get to a popup window, or sometimes it is possible right from the interactive demo itself.

Anyways, in Windows Help, you have two options. The first is a drop-down menu in the upper-left-hand corner. Here is your standard close, minimize, etc., but also here is the "Go to URL" choice. This allows anyone, as long as certain privileges haven't been set, to access local disk drives by going to the URL "c:/" or any drive letter for that matter, and of course any web link too. The other option is the "Web Help" button on the top bar, which can get you an Internet Explorer window. From there, you can explore to your heart's content.

Exploration - Local Domain

But now you say, "mut3, this doesn't get me anything." I say, "You're a hacker, figure something out!" Well, that's what I did. Cruising around the machine, I discovered that most were running some form of NT and even XP. The one that I was using had a functional printer, which will be useful later.

An interesting application to run is Explorer. This allows you to connect to Access Network Drives, under the Tools menu. What you find here is extremely interesting, and extremely insecure. All of the NT domains for each store are accessible. Each domain is labeled with STOR, and the four digit store number. Inside, there are multiple machines, with the following prefixes: SK, SR, SS, SV, and SW.

The terminal that I use most frequently, which is a "Make Your Own Computer" terminal, had the hostname SK01xxxx, the xxxx being the store number. All of the hostnames follow the pattern of a prefix, some sequential number, and the store number. Machines within your local domain are accessible, but ones outside of your domain should require a login/password pair. But there are many goodies found within the store.
By doing a NETSTAT, some connections piqued my interest. When network browsing those computers, a lot of information was accessible, but the greater percentage was just logs related to computers on the premises. Nothing spectacular, but still interesting. More exploration into the local domain is required.

Exploration - Intranet

After thoroughly abusing one Best Buy, I moved onto another, which gave me even more insight into the network of Best Buy. While executing the Windows Help vulnerability on a new machine, I was not allowed to view the C: drive and, for that matter, any local drive. But, by using the second option described previously I was on my way. Because of privileges, we can't see any drives, but we do have access to the "Internet," which, as mentioned before, isn't really much. The real gold comes from history. Some Best Buy employee browsed intranet computers, and left the addresses in history. The hostnames I found were:

toolkit: 168.94.67.20
tagzone: 168.94.67.11
msizone: 168.94.3.46
cf: 168.94.9.17

toolkit, from my experience, isn't viewable from a floor computer at least. tagzone is a corporate home page, giving you the latest news on the company and the market. msizone is some type of retailer information center, which requires a login/password pair. cf is either customer fulfillment or computer fulfillment - I'm not sure since it's called both on the site.

tagzone and cf are the two coolest sites to browse. tagzone, as was mentioned, is a corporate home page. But as you explore it, more than just news is available. I was able to get instructions on how to log on to the company's VPN, how to hire and fire employees, and how the company is structured. Let us assume for a second that Best Buy didn't want the public to see this. Then who the hell didn't think that maybe putting floor machines behind the corporate firewall is a bad idea? But I digress....
cf is a site that allows employees to order items not in store to be shipped from the mysterious "Warehouse 87." I ordered a nice flat panel monitor and had it shipped to the store I was at. Little did I know that for it to be shipped, it must be scanned and paid for at checkout. Well, all is not lost, since from cf you can view warehouse inventory. Now you can see how many box sets of the TV show 24 they really have.

If you have access to a printer, go ahead and print. PDFs and documents are available, along with FAQs for employees. Some machines, if you are sneaky, have floppy access. So offloading PDFs is just a matter of time. Don't forget, bringing in programs is also possible, so have fun.

As for the situation with the "Internet," as I said, it's bleak. Every computer passes its traffic through a proxy, called "sproxy," with an IP address of 168.94.3.19. From multiple trace routes, it looks like it is blocking pages right from the proxy, but I might be wrong. I did find configuration files locally that specified what sites you are allowed access to, but I think those must be loaded when you first install the Best Buy demo software on the machine. It might be possible to do something through the registry. Another thing is that other open proxies don't work right off the bat, but I am still fiddling with it.

Conclusion

Best Buy made a big mistake in allowing publicly accessible models behind the company's firewall. Best Buy must patch this up soon. It could be as simple as putting a PIN number before entering any intranet site. If not, then they could be headed for a world of trouble.

Shouts: Stankdawg, for getting me going on this whole project, dual for his constant support, the crews of DDP, Hackermind, and Radio Freek America, and most importantly, Sarah and Ashley.

November 6, 2002

WARNER BROS.
DISTRIBUTING CORPORATION
4000 Warner Boulevard
(818) 954-6373 Fax: (818) 954-6411

Re: Piracy of Harry Potter and The Chamber of Secrets

Dear Theatre Manager/Projectionist:

Harry Potter and The Chamber of Secrets is a very important asset of Warner Bros. Given the extraordinary public interest in this film, the potential for piracy is especially high. Unfortunately, technological developments have made it not only possible, but also probable for films to be camcorded off of theater screens, copied, and unlawfully disseminated throughout the world. As the copyright owner of this film with exclusive worldwide distribution rights in all media, we are ramping up our efforts against piracy for this release.

Be reminded that Section 7E of our General Terms Agreement requires exhibitors to establish and use security procedures that are reasonably sufficient to prevent any pirating, theft, copying, and unauthorized exhibition. Accordingly, in the event that your organization, and/or any of its affiliates, agents or employees engages in piracy or any other form of unauthorized copying of Harry Potter and The Chamber of Secrets, or is found to be facilitating, contributing to or aiding another person or entity in committing any form of unauthorized copying of Harry Potter and The Chamber of Secrets (for example, by failing to take necessary steps to control the security at a theater), Warner Bros. intends to take legal steps to prosecute your organization and the alleged perpetrators to the full extent of applicable laws.

Warner Bros. is working with the Motion Picture Association of America ("MPAA") and appropriate enforcement authorities. If you or any other person has information regarding any unauthorized copying of this film, please contact both Warner Bros. at 1-888-863-8040 and the MPAA Piracy Hotline at 1-800-662-6797 (the MPAA number can be remembered as 1-800-no copies).
If a pirate is identified and successfully prosecuted, the first person to contact the MPAA Hotline regarding that pirate is eligible for a reward.

Thank you for working with us to provide a secure environment for the exhibition of Harry Potter and The Chamber of Secrets.

Warner Bros. Distributing

What an obnoxious way to speak to the people who sell your product! Perhaps this will piss off enough theater owners into going independent.

Movies from DVD to CD-R

by Solthae

I wrote this guide in reply to Cybersavior's letter in 19:3 concerning an advertisement claiming to sell software which will copy DVD movies to CD-R's using a DVD, DVD-Reader, CD-R writer, and their software. This is 321 Studios' DVD Copy Plus "program" specifically, but they are everywhere. I am delighted to say that this is not only a reality, but also that the software to do it is all freeware (including, no joking, the software they sell you). I am sad to say that the people who sell you these freeware programs do not pay the authors of the freeware anything (no donations, no fruitcakes in the mail, nothing) and provide you only with a shitty guide for your money. So here is a simple (and hopefully not shitty) guide to start one on this process and also point them in the direction of more and much better guides and information.

Overview

We will be first getting the data off of the DVD and onto your hard drive with SmartRipper. Then we will be converting these DVD files to MPEG-1 format. Last, we will burn these mpegs to a CDR in VCD format.

Needed Hardware:

A VCD compatible DVD player.
A computer with sufficient free space (7 to 9 gigs in my experience).
A DVD-R drive ($500+ DVD-W unnecessary).
A CD-W drive.
A few blank CD-R's.
Some patience.

Needed Software:

(Coincidentally, these are the same programs included in 321 software's DVD Copy Plus.)
More recent versions of: SmartRipper (http://www.3dnews.ru/download/dvd/smart-ripper/), DVDx (http://www.digital-digest.com/dvd/downloads/dvdx.html), and VCDEasy (http://www.vcdeasy.org/).

If any of those links don't work, try http://www.vcdhelp.com or just search google.

Note: These are not the only free programs out there, just the ones I cover in this guide.

Using SmartRipper

1 - Open SmartRipper (put DVD in drive first).

2 - When SmartRipper is opening there should be some automatic reading of the DVD drive and analysis of the data on the DVD. The only time this didn't work for me was when I was trying to be cheap and read off the DVD drive over a network on another computer.

3 - A neat little interface will pop up.

4 - Settings:

Target: This is a file name with a file specification browser button to the left of it. Use this to specify the location of the file to be saved. I always leave the name as vts_01, so if you change it you're on your own here (shouldn't make a difference though).

Stream Processing Tab: This is the tab next to the Input tab. Click it and make sure "Enable Stream Processing" is checked. In the "Streams" list box, select the video stream (it should say something like: [0x0E] Video NTSC....), then with it highlighted click the "Demux to Extra File" on the right. Select the audio stream from the list as well. I have skipped all these steps other than making sure "Enable Stream Processing" was checked and have had it work. It's up to you.

Setting Button: Click this button to bring up some options. These you can leave except for one. You have two choices here. Either you can select "File - Splitting, Every Chapter" or "Max Filesize". With "Max Filesize" you should bring it up to at least 9000MB. Leave the rest alone until you are ready to do a little more advanced playing around once you get a few burns under your belt.

Title -> Program Chain -> Angle: Select "Program Chain 1" then "Angle 1".
The time in the brackets next to it should be the same length as the movie length.

5 - Press START Buttons (it won't appear until a target on a hard disk with sufficient space

6 - Wait a while (30 to 60 minutes).

7 - Another window should pop up and when done an OK box will pop up stating "Rip Complete".

Using DVDx

1 - Open DVDx.

2 - Go to "File - Open", then open the .IFO file created in the target directory specified in SmartRipper.

3 - Go to "Settings - Input Settings" (if it doesn't pop up automatically). Specify anything that is not already selected.

Audio: Select the audio stream you burned (i.e., English).

Audio/Video Synchronization: Make sure this is checked. Most of the things should already be checked so you won't have to worry. Press OK.

If you get some errors, that is OK. Don't panic! These are more generally just warnings. I've always still been able to convert with them.

4 - Go to "Settings - Output Settings".

Resolution: Select 352x240 for NTSC.

Mode: Select to change the video mode (none to leave same as is on DVD).

Volume Don't Exceed: This is the size of the MPEG that will be created. Select 800MB if you will be using 800MB CD-R's and 730MB for 730MB CD-R's.

If you wish to only convert specific chapters select "Custom Chapters" then "Settings". Next to "Max Frame" click "Whole" then "Apply".

5 - Here is the really cool part. Your movie will appear in the box in the middle and you can scan through it and check it out. Neat!

6 - When done marveling at the movie on your hard drive select "File - Select Output" and change the file name and location to your liking.

7 - When you are ready, click the "Encode" button, but be warned these conversions can take hours!

Using VCDEasy

1 - Open VCDEasy. If you get an ASPI error when you start VCDEasy (I did the first time), then you need a new ASPI Driver. Go to http://www.vcdeasy.org/modules.php?name=_Guides&id=Cdrdao#ASPI and scroll down to "how to install/check the ASPI Drivers" (or just search through www.vcdeasy.org).

2 - Select your CD writer from the "CD Writer Drop Down Combo Box".

3 - Uncheck "Simulate".

4 - Change the "Volume Label" to the name of the movie (or whatever you wish).

5 - Select a location for the Bin Output File.

6 - Next Click "Add Files". A common dialogue box will pop up. Make sure to select only one of the .mpg files (if there is more than one). These are the two files created in separate parts no bigger than 800MB (or 730MB) that you specified in DVDx.

7 - Now click "Settings".

CD Writer: Your CD writer.

Speed: 4x (this is a good speed that will not wear out your writer).

Buffer: 64.

Force Driver: Click on the "More Information" link and you will be taken to a page that will give you the options you need to select according to your writer. Look up the needed setting according to your vendor and model. This is a very important part. It is most likely you will be selecting "generic-mmc", so you may just try it if you dare.

8 - We're almost done here. Insert a blank CD-R into your writer.

9 - When ready click GO. It shouldn't take more than the usual time it takes to write a CD-R.

10 - Enjoy your backed-up movie.

More Sources for Information

1 - A great site for all your VCD, DVD, SVCD, MPEG, etc. conversion guides and programs: http://www.vcdhelp.com/.

2 - Check out the VCDEasy Website and why not donate a few dollars for its creators' generosity? http://www.vcdeasy.org/.

3 - Check out 321 software's website for free information on troubleshooting the freeware programs that they charge you $60 for: http://www.321studios.com/support.htm.

Conclusion

Backing up your DVDs can be a satisfying experience as well as a frustrating one. Watch out for Blue Screen of Death errors sometimes when using SmartRipper.
I hope this simple guide has answered the same questions I had when first faced with these programs and this process for the first time. Support the generous people who distribute freeware with all your might. These are the people of inspiration for those of us who oppose greed, hate, and general fascism at every turn.

The Flawed Future of Radio

by Acidus
Acidus@resnet.gatech.edu
www.yak.net/acidus

When people talk about XM Radio, they tend to talk about things like its compression and encryption algorithms, its quality, its content, and how to get it all for free. But everyone is missing the big picture: XM isn't important because of its technology or the exploitation thereof. XM is important because it is the dominant player in a brand new industry. Only two companies have licenses for satellite radio and both use approximately the same infrastructure. This means the dominant company's architecture will be the platform for future services transmitted to cars. While taking advantage of existing flaws to save $10 a month is trivial now, the insecurities inherent in the platform could cause some serious problems down the road. Streaming pay-per-view movies to video systems, local traffic reports with GPS, email and limited web browsing, and voice over IP are all coming to cars in the next decade. The flaws in XM's infrastructure need to be addressed and fixed now before security is sacrificed later on for profits and backwards compatibility.

XM Overview

There are a lot of myths about XM, so let's clear them up. XM radios are exactly like normal radios in that they receive electromagnetic waves and translate them into information. XM receives its signal from two satellites and, in heavily populated areas, ground-based broadcasters. Normal radio simply has ground-based broadcasters. The info in a normal radio signal is analog and encoded using AM or FM. The info in XM is in digital form, compressed to allow better quality in less space, and the signal is encoded using a proprietary encryption scheme.

Just like normal radios, XM has an antenna which receives the signal. You must have an antenna capable of receiving the signal to even get it. You tune to different frequencies to hear different stations on normal radio; all of the XM channels are on one range of frequencies. Think of XM as simply one radio station with lots of programs. Your XM radio then takes the entire stream of channels and extracts the one channel you want to listen to and decodes/decompresses it.

Signal Transmission

XM is broadcast from two Boeing satellites, aptly named "Rock" and "Roll." From 22,000 miles up they pump out 70 megawatts of signal, painting nearly all of North America. While it is only offered in the US (due to licensing), the signal can be received in most of Canada, Mexico, the Caribbean, and even parts of Alaska.

There is no way for the radios to transmit any data to either the satellites or the ground repeaters. This one-way approach offers several fundamental problems with the system.

1. All XM signals are received by all XM radios. There are currently no means of "spot beaming" signals to only local areas (as DirectTV does to offer local channels). This means there can be no generic activation signal, etc. It must be personalized to your radio ID (on the bottom of the radio). This eats up more bandwidth.

2. Since all radios receive the same signal, all radios use the same decryption keys. From the other end, you could say that based on the limited bandwidth XM has (which we will discuss later), they can't transmit the same channel at the same time with two different encryption keys. Thus there is only one encrypted signal sent, and all radios must decode it.

3. Since none of the radios can transmit, control over them can only be one way. They have no way of knowing if the activation signal, deactivation signal, or decryption keys have been received by your unit. The only way XM will know of any problems is if you call them.

The Signal

This is the bottleneck for XM. The FCC licensed only 12.5 MHz to XM, from 2332.5MHz to 2345.0MHz. They have 100 channels (well 101, which I'll get to later), which means that they only have 125KHz of bandwidth for each channel. In contrast, FM radio stations have 200KHz. XM advertises that they have "near CD quality sound." While I don't want to get into how that's an impossible statement, it does mean that they need to take an audio signal of significantly higher quality than an FM radio signal and make it fit into 125KHz. In fact, when you count in the artist/song name/album info displayed for every channel, as well as control signals being sent from the satellite, each channel has even less bandwidth.

The signal contains two types of information, which I call broadcast info and personalized info. Broadcast info is a signal that all radios are supposed to get and act on (such as the channels). Personalized info is information that they intended for only one radio, and thus all personalized info is tagged with your Radio ID. Examples are activation signals and deactivation signals. Don't get confused by this. All radios receive the entire signal and the radios use the broadcast info and any personalized info if it's tagged with that radio's ID. If not, the data is ignored, just like IP packets on a network. If/when the type of content is expanded, this could be a way to packet sniff XM, though it would require lots of knowledge of the hardware. If someone attempts to implement a software decoder, this could be easy.

The signal is incredibly redundant. Error checking between the two signals from the two satellites is done to try and determine what is noise (ground based repeater signals are also analyzed if present).
The signal itself uses dual Reed-Solomon codes and Viterbi codes. These are powerful error checking systems commonly used in satellite transmissions. They both only work on blocks of data, which seems to imply that the encryption algorithm is block based instead of stream based.

According to an XM engineer, due to the overhead caused by encryption, the signal is sometimes compressed after it is encrypted. ST Microelectronics makes the chipsets for XM radios. The STA400 channel decoder handles all the nastiness of converting the satellite signal into digital form, checking it for errors, and decrypting it. The STA450 source decoder decompresses the audio and handles volume and tone control. The fact that the decryption circuits are in the chip that receives the signal first seems to imply that the signal is almost always encrypted after it has been compressed.

Compression

The number of theories of the compression schemes that XM uses is around the number of Grassy Knoll theories. MP2, MP3, AMBE, AAC, the list goes on and on. A few things are known. XM Radio had a contract with Digital Voice Systems Inc. to use their AMBE (Advanced Multi-Band Excitation) speech compression algorithm. The XM Radio customer agreement states that the AMBE technology in their product is copyrighted and licensed for their use. That makes it safe to say that AMBE is used at least in part to compress the speech-only channels. Since the STA450 has a built in EPAC decoder, it is safe to assume that at least a bulk of the music is encoded with this algorithm. This conforms to a claim made by an XM engineer that their compression technology is similar to Mpeg-4.

Encryption

The only really complex part of XM is the encryption. Nothing is known about the encryption algorithm. It is supposedly proprietary, but even its key length isn't published. It is implemented in hardware and works on blocks instead of streams.
The keys are dynamic, and new keys are sent to the radio through control signals from the satellites. Your radio must be on to receive any signal including the new keys (based on the fact that you must have your radio on and be able to hear the preview channel to activate your radio). Assuming Flaw 2 is correct, XM needs to be damn sure everyone has the new keys before they switch the signal. They could be broadcasting the new keys for a long time before they implement them (perhaps even a month or two early). These could be sent as broadcast information and all radios would store them. If you didn't have your radio on for several months and reported the loss of signal to XM customer service, they could simply upload a request to the satellite to transmit personalized data to you containing the new key. Perhaps new keys are only broadcast once or twice a year and an aging algorithm in the radio changes it at set intervals until the new codes are transmitted. Further testing with an XM radio would help answer these questions.

However the keys are transmitted, they are stored on what an XM engineer called an "SS Decoder" (Source Secure? Sound Secure? Something like that.) He stated this was tamper resistant RAM in the radio. It was not removable like a flash card, which he said "is where DirectTV screwed up." Supposedly the SS Decoder will erase/destroy itself if someone attempts to remove it.

Activation

Let's step through the activation of an XM Radio.

1. You buy the radio and turn it on. The radio checks itself and sees that it has not received an activation signal from the satellite, and thus only lets you listen to the preview channel (Channel 1).
2. You call XM customer service (800-852-96%) or use their website and submit the radio ID on the bottom of your XM radio.
The XM system tells the two satellites (and perhaps even all the ground based transmitters since they don't know what city you're in) to transmit an activation signal for your radio.
3. Since the signal is going to be received by every XM radio in the US, it is personalized with your radio ID. This activation signal is broadcast every ten minutes for the next 60 hours.
4. You turn on your radio and await the signal. Once it gets the signal, your radio can now receive all of XM's channels.

Examining the amount of bandwidth they have and the amount of content they deliver, we can conclude that XM has very little left over to send commands to the radio (such as new decryption keys, control signals, etc.). Indeed, the fact that they only transmit the activation signal every ten minutes for 60 hours supports this. If you never get this signal, you call XM and they will broadcast it again.

Exploitation

So what happens when you cancel your service? Well, basically the same thing. XM broadcasts a cancellation signal which tells your radio to stop receiving the full XM content. Again this signal must be personalized to your radio ID.

But what if your radio never gets the cancellation signal? Bingo. While I have no XM radio to test this with, the sheer overhead in having to transmit personalized cancellation signals for every radio that has canceled service on a regular basis is simply too great a task for the limited bandwidth they have. Granted, they probably transmit a cancellation signal less often over a longer number of hours (such as once an hour for 360 hours), but it's simply too much overhead to keep it up for long. XM's security could be defeated by something as simple as turning the radio off for a month.

Further Strain

XM is now offering premium channels, currently only the Playboy Channel. It doesn't replace an existing channel. So now the limited bandwidth must be divided up even finer to allow for another station.
This doesn't even include the added overhead of all the personalized signals telling radios all over the country to allow access to the premium channels. This will sadly lower quality on all the channels for all the users, even those who aren't paying for the additional channel. They can only push so much through the pipe they have. Now XM doesn't have to allocate the same space to talk stations as music stations, and indeed an on-line debate rages on how XM assigns the bandwidth to channels: dynamic or static. Regardless of how it does it, adding the Playboy Channel will cause much more overhead on this already strained system. This may force XM to reduce the length of time it will transmit control data. For customer service reasons, they won't cut the time activation signals are broadcast, so deactivation signals would be the first to go, making the system easier to exploit.

XM's Future

XM's stock is one-sixth its IPO. While it is meeting its customer goals (currently around 300,000 subscribers), it is still losing money. They have a big contract with GM and several 2003 models come with XM standard or as an option. The big bad wolf of the radio biz, Clear Channel, has a good deal invested in XM. Even if it tanks, the expensive part - the infrastructure of the system - is already in place. The system would be purchased for pennies on the dollar and the services restarted. Satellite delivered content for cars isn't going away.

If you want to use my article to cheat XM out of $10 a month you missed the point. If you want to use the info to try and open source a decoder, that would be a pretty cool graduate thesis (an XM antenna would be necessary, along with some interface equipment from GNU Radio Project, and some spare time).

XM needs to make sure the next generation of its services have some form of two-way communication. I envision using G3 cell phones for upstream and the satellite for downstream, just like satellite modems.
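The revocation weakness argued under Exploitation, and the renewal-style fix that a return channel or periodic re-authorization makes possible, modeled in Python as an added example (not from the article and not XM's actual protocol, which is unpublished). The message kinds, renewal schedule, lease length and radio ID are assumptions; the once-an-hour-for-360-hours deactivation schedule is the article's own guess.

```python
# Added illustration: a toy model, not XM's real protocol (which is unpublished).
# Message kinds, schedules, lease length and the radio ID are assumptions.
from dataclasses import dataclass

CANCEL_AT = 100    # hour at which the subscription is cancelled
OFF = (100, 819)   # radio switched off for 30 days (hours, inclusive)
END = 1000         # length of the simulation in hours


@dataclass(frozen=True)
class ControlMsg:
    hour: int             # hour of the broadcast
    radio_id: str         # personalized info is tagged with one radio's ID
    kind: str             # "DEACTIVATE" or "RENEW"
    lease_hours: int = 0  # used by RENEW only


class RevocationRadio:
    """Design A (the article's model): entitled until told otherwise."""

    def __init__(self, radio_id):
        self.radio_id = radio_id
        self.entitled = True  # already activated

    def receive(self, msg):
        # Every radio sees every message; only its own ID is acted on.
        if msg.radio_id == self.radio_id and msg.kind == "DEACTIVATE":
            self.entitled = False

    def can_decode(self, now):
        return self.entitled


class LeaseRadio:
    """Design B (hardened): entitlement lapses unless renewals keep arriving."""

    def __init__(self, radio_id):
        self.radio_id = radio_id
        self.lease_until = 0

    def receive(self, msg):
        if msg.radio_id == self.radio_id and msg.kind == "RENEW":
            self.lease_until = max(self.lease_until, msg.hour + msg.lease_hours)

    def can_decode(self, now):
        # Assumes the radio takes trustworthy time from the broadcast itself.
        return now < self.lease_until


def deactivation_schedule(radio_id, start, every=1, duration=360):
    """The article's guess: one DEACTIVATE an hour for 360 hours."""
    return [ControlMsg(h, radio_id, "DEACTIVATE")
            for h in range(start, start + duration, every)]


def renewal_schedule(radio_id, start, paid_until, every=24, lease_hours=72):
    """One RENEW a day while the account is paid; cancelling just stops them."""
    return [ControlMsg(h, radio_id, "RENEW", lease_hours)
            for h in range(start, paid_until, every)]


def simulate(radio, messages, powered_off, end_hour):
    """Return the hours at which the radio was on and able to decode."""
    by_hour = {}
    for msg in messages:
        by_hour.setdefault(msg.hour, []).append(msg)
    decoding = []
    for now in range(end_hour):
        # powered_off is None or an inclusive (first, last) pair; an
        # unpowered radio hears nothing that is broadcast meanwhile.
        if powered_off and powered_off[0] <= now <= powered_off[1]:
            continue
        for msg in by_hour.get(now, []):
            radio.receive(msg)
        if radio.can_decode(now):
            decoding.append(now)
    return decoding


def compare(rid="RADIO-0001"):
    """Hours decoded at or after CANCEL_AT in each scenario."""
    def after(hours):
        return [h for h in hours if h >= CANCEL_AT]

    revoke = deactivation_schedule(rid, CANCEL_AT)
    lapsed = renewal_schedule(rid, 0, CANCEL_AT)
    paid = renewal_schedule(rid, 0, END)
    return {
        "A_off": after(simulate(RevocationRadio(rid), revoke, OFF, END)),
        "A_on": after(simulate(RevocationRadio(rid), revoke, None, END)),
        "B_off": after(simulate(LeaseRadio(rid), lapsed, OFF, END)),
        "B_on": after(simulate(LeaseRadio(rid), lapsed, None, END)),
        "B_paid_off": after(simulate(LeaseRadio(rid), paid, OFF, END)),
    }


if __name__ == "__main__":
    for name, hours in compare().items():
        span = f"{hours[0]}..{hours[-1]}" if hours else "none"
        print(f"{name:11s} decoded {len(hours):3d} h after cancel ({span})")
```

With leases, a cancelled radio keeps at most the remainder of its last lease whether or not it is powered; the cost is that a paying radio left off for the same month stays dark until the next daily renewal reaches it.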
XM's delivery system needs to change as more services are going to be delivered to cars, and chances are it will contain much more important information than Rick Dees and the Weekly Top 40.

Final Words

Thanks to all the folks who I got to hang out with and who listened to me talk at Interz0ne and Phreaknic, especially rockit, JohnnyX, Virgil, Strick, psyioded, James Dean, JaneLane, Optyx, specwhore, SD, and Freqout.

First I must sprinkle you with fairy dust!

Chaos Communication Camp 2003
The International Open Air Hacker Meeting
7/8/9/10th August 2003 near Berlin, Germany (Old Europe)
http://www.ccc.de/camp/

Babble

The War on Stupidity

Dear 2600:
I was reading through the letters from 19:3 when I discovered a very big coincidence. In "The School System" section, ThyF wrote that the new sys admin (he called leader) was formerly the science teacher and had no certification and very little confidence. Back when I was in high school (graduated in '99) I too had a new sysadmin for the computer systems who happened to be the science teacher. I didn't directly have any experiences with him, but at the time one of my hacker friends (we'll call him Bob for the fun of it) was messing with the new Novell network system (don't know how Novell is now, but back in the day it was very easy to manipulate user privileges, especially when they kept the settings at default out of box). Bob was messing with the messaging system and thought it would be funny to send a popup to his friend in another class since he knew what computer he was at. Bob inadvertently sent the message to everyone on the network (if I remember right the network included about five schools in the area). Despite their ignorance they managed to track down the source of the message to Bob's computer. When he explained how he did it, he told them of a few (gross) security holes and even showed them how to fix one of them in about three minutes.
They gave him a choice. Either be in huge trouble and be handed over to the local police (which I think was BS but I'm not sure) or be an unofficial tech support. That's right, he got caught "hacking" and they make him the tech. As "punishment," they made him clean all the computers of a backdoor type program that was on many of the computers that students used to mess with the teachers (it was hilarious, one teacher swore that every time he bumped the table the CD-ROM would open!). Bob even told me the new sysadmin once asked him to explain the concept of "client and host!" A few years down the road this got him a job in the school district getting paid more than the teachers are to do the same stuff he was doing already for free. He also frequently got called out of class to fix some problem or another, which was a major plus for some of the more boring

Because of him (and a few others like him, but mostly because of him), they realized that high school kids do have brains in their heads. If he (and others) can learn all this stuff by teaching themselves (via hacking and reading books), imagine what they can do if they got taught the stuff in class. The year I graduated they were talking about starting a program to train high school kids to get various computer certs (like A+ cert, etc.). I am told that the program is now implemented in other school districts as well, but don't know all the details on it.

Unfortunately, there were also the kids that abused their skills so now I am told by my younger brother that they have cameras at every computer console, and severe actions are taken if you do so much as type in 2600.com (or any site banned by the proxy). I have even heard of someone getting in trouble because he was doing research and a search in hotbot.com (back before it was banner-bot) came up with a few porn entries, right when a teacher happened to walk by.

Moral of the story: to get a job in a school district, just get caught hacking.
Seriously though, anyone caught doing something like ThyF or my friend, show them a few tricks to fix the problems and you just might get on their good side if you play your cards right and don't treat them like they're idiots even if they are (it's human nature to penalize someone as much as you can when they treat you like shit, which is not what you want when they just caught you hacking).
JF
Texas

Dear 2600:
http://www.wiwg.cap.gov/ES%20Tool%20Kit/Resources/National/FEMA%20ECD.pdf. They keep moving it! Print the list.
shaggyeightball

Dear 2600:
I am an engineering student at a Canadian university. As I am sure is the case in many post-secondary institutions nowadays professors at my school are increasingly turning to the Internet to dispatch course information. Early this semester I was looking for one of my course web pages. Having lost the syllabus, I had only the first assignment from the class to guide me. I typed a few of the more interesting words into a Google search box and hit go. Much to my surprise, two links emerged: one to the assignment and another to the solution (both postscript files). Quite intrigued I clicked on the link to solutions. Rightfully, as the assignment is not due for another week, the link was dead. However, Google keeps a cached text version of the postscript files it encounters and it was broadcasting these solutions to the world. Now I know there are a lot of people in my class that would love to get their hands on this information - hell, some of them would probably be dumb enough to print it off, put their name on it, and hand it in. My question is how do I get it taken off the web? If I contact Google would they be willing to remove it? How would I alert my professor without appearing guilty (but still remain credible)? Or should I just tell him to do some damn work and come up with a new assignment every year instead of just recycling them?
eigenvalue

It would be ridiculous to bother Google with this.
Your professor is lazy, plain and simple. If he gives out the same assignment every year, surely the possibility of a previous student passing on the solution to a current student must have crossed his mind. If you think you'd be somehow held responsible if you told him of this hole (at the same time offering to complete a different assignment), then we suggest going the anonymous route, either letting him know the specifics through some kind of anonymous note or telling the entire class in the same way.

Dear 2600:
My school's proxy blocks 2600.com, but not 2600.ca. I missed Off The Hook (thank God for shortwave!) and I can't download it because it reverts to 2600.com. Could you send me a form letter that I can send to my school's I.T. department formally requesting that 2600.com be unblocked? I think you guys can do a much better job. Why does Symantec by default block 2600.com? It's absurd. My school being a liberal private school they won't suspend me. Don't
2600 Reader

Sometimes people have luck ftping to our site and downloading the shows that way. We encourage mirroring of all the information at www.2600.com so that people don't have to worry about this nonsense. We think the best way to approach this is to go right to the source and confront those companies that put us on their blocking list for no reason at all other than their own presumptions and ignorance. We intend to do this but it would be useful to gather as much information on who is blocking us and what their alleged reasoning is.

Random Observations

Dear 2600:
According to www.atf.treas.gov/field/atlanta, the Atlanta Field Division of the Bureau of Alcohol, Tobacco, and Firearms is at 2600 Century Parkway with a phone number of (404) 417-2600. Very odd that the address and the number have what I believe a contact number. Maybe 2600 related?
kyoung

Well, we do have fans in the oddest places....

Dear 2600:
Have you heard about the Homeland Security Infragard program?
This directive/program has chapters in all 50 states, has monthly meetings that are free to the attendees and information on computer security issues and the people involved from a federal, state, and private sector perspective. Check out www.infragard.net for more information as well as local chapter information.
Tom

Dear 2600:
Previously, I used to think that any of those people that wrote to 2600 asking about how to "hire a hacker" or mentioning some sleazy job they needed a "skilled hacker" to do for them was based mostly, if not solely, on their own ignorance. Then I ran across this just now: http://www.1800hacking.com. It's talk and details about how to hire a hacker (among other things). Now I'm beginning to wonder just exactly how many other sites like this are out there promoting all of us as nothing more than some kind of tech mercenaries or something. I don't know, maybe this just ties in with so many other misconceptions and stereotypes about us. Or perhaps this is just another corporate scam of some type to use a computer user's paranoia as just another source of revenue. All I know is, I really wish there weren't sites like this out there, since I don't think it helps us any.
CaptainJ

Dear 2600:
I think it's funny how you guys are trying to let the public know that hacking isn't about going where you're not supposed to go, yet in the marketplace section of your magazine I see ads advertising how to sneak into places by picking locks. In one ad it even says "going places you're not supposed to go." Now, isn't this detrimental to your ultimate goal of dissuading the general public of their injected beliefs?
Anon O. Mouse

What appears in the Marketplace is not necessarily material that agrees with our editorial stance. It would be completely wrong for us to insist that it was. We will only step in if an ad has absolutely nothing to do with the hacker world or is clearly advocating some kind of illegal action.
The mere pursuit of knowledge simply doesn't meet that standard. So you may see all kinds of things in there that don't seem to be in line with what is said on other pages. That's the nature of information exchange.

Dear 2600:
I've tried to keep up with your wonderful publication since roughly late 1995, but occasionally I've missed an issue. I'm writing to say that all this DVD ripping and all these pre-release screeners of movies not even in theaters yet is definitely someone on the inside. I know this because although I'm not in on it, I've got several contacts who are. Just look around IRC. Anybody who thinks Edonkey, Kazaa, and Limewire are the big P2P networks are sadly mistaken. Just last week pre-DVD rips of Femme Fatale, Signs, SIMONE, and several others surfaced on IRC. Only one of them had any "This is not for sale" artifacts in it. So tell me, who other than someone on the inside could release a DVD rip of a movie more than two months before the movie is actually available to the public? Not a common-day P2P pirate. The MPAA and the RIAA both need to look within their own ranks before they start pointing fingers at the average consumer asking, "Are you leaking our material?"
TwinZero

Dear 2600:
In the 19:3 issue of 2600, I noticed behind the lettering of the article "Hacking On Vacation" the layout artist had placed a "Save the Disney Hole" photo, this referring to the large hole left in the middle of Philadelphia on 8th and Market Streets by Disney. Well, just to inform your readers, the Disney hole has been saved. Saved into just what Philadelphia needs... another parking lot.
rOb

Dear 2600:
Hey, if you'll notice on the back of 19:3, the third payphone (the blue one) that doesn't seem to accept anything has a sign near the top describing payment methods. The very top of the photograph seems to say "International credit card and collect calls only."
Maybe that would explain why there isn't a coin or
dougk ff7

Dear 2600:
In the 19:3 issue of 2600, I ran across a slightly hidden IP address upside down on the Table of Contents page under the word Monitoring. You may have to hold it up the light to see but it reads "166.112.200.202." So of course I had to type it into my web browser and just so happens I see a pic of Bush. The site is "Citizen Corps." Interesting as it is, I was wondering why that was placed on your contents page. If nothing else, thanks for the little oddities you hide in the pages of your nifty little mag. Also, is Freedom Downtime going to be released on DVD? If so, when?
Phake

We're working on it. We hope to have it out by summer. And we can't be held responsible for what

Dear 2600:
I think your magazine is pretty cool most of the times. But I hate it when you guys start rambling on and on about politics and how you're discriminated against. I feel the magazine should be more technical and less political. You should have more programming tutorials and more code! Let's become aware of the insecurities of the Internet by learning about TCP/IP and learning how to protect ourselves with a good IPChain tutorial. I think you should just skip the crap and teach most of the script kiddies that read your magazine how to be elite.
Victor Hugo

We have to strike a balance between all kinds of different subject matter. If you can look around you of anyone interested in 2600-related things, then we really envy you.

Dear 2600:
I want to thank you for your promptness in getting my Holiday "Guarded" Special to me. And I hate to sound cliched, but as soon as I took the envelope out of my mailbox I knew what was in it, and as soon as I got in my apartment, I popped the tape into my VCR. And I have to say that I have thoroughly enjoyed it, but I would like to point out two of your remarks from the scene where you were in Los Alamos.
You said "we noticed more of these weird guys in fatigues all around the building." And then you continue with "That's when we got lost on a dark road with no name in the middle of New Mexico with a bunch of military zealots surrounding us. We got the message."

Those of us who are in the military community are neither "weird nor zealots." We are just ordinary citizens who love our country enough to be willing to defend it and/or their descendants.

Yes, as I am sure you can gather I have served this great nation of ours in the U.S. Army having spent 11 years, both on active duty and in the U.S. Army Reserves. Now, granted, as with any community there are of course some "weird" persons or "zealots," but that doesn't make everyone in a given community "weird" or "zealots." I do not consider neither myself, nor those that I served with to be either "weird guys in fatigues" nor "military zealots." Also, if you look at just about every organized religion in the world, you'll find your zealots and/or weird people. That does not make organized religions themselves to be "weird" or "zealots."

Also, considering that one of your goals is to de-vilify, de-demonize, etc. the term hacker as being someone who is just interested in learning how things work, as opposed to those who break into computers for personal/financial gains, you are not serving your cause by resorting to the same level of name calling as the mainstream media has when it comes to the hacker community or individual hackers.

Just some food for thought. Keep up the fight.

Also I had to "laugh" at the statements by Markoff that alludes to Kevin's skill as a social engineer. I mean if that is now a crime, then how come all of the sales people in the country aren't in jail? I mean, to be a successful sales person don't you have to be good at social engineering? In closing I just have to ask, has Markoff ever finally met Kevin?
Herman

No, last we heard, that summit has yet to occur.
Regarding the remarks on the military, we really trying to get into a library as we were in that part of the film and instead we see all kinds of people in the b ' ,sheS d J" fatigues watching us, the word any map. It suited the mood of the moment to think of

Dear 2600:
In the past year I have seen everything from DoS attacks to rooted servers and even death threats, all against fellow 2600 groups and even against people in the same 2600 group. I, personally, am getting sick of it all and have distanced myself from almost everything to do with the 2600 name, and as I watch all this happen more and more I continue to distance myself and I know I'm not the only one getting away from it all. I think you all need a serious reality check. Groups are all at war with each other. We are forgetting the fact that we are all on the same side here. There are much bigger problems in the world than who said who is a lamer. We could actually get things done in the world if we would concentrate that hate for each other against corporations and governments that are trying to take away our freedom.

Dear 2600:
Regarding Microsoft's aptly named "Palladium," I find their choice of nomenclature extremely intriguing. The New English Penguin Dictionary defines the meaning of palladium as: "something that gives protection; a safeguard." Fair enough. We can see Microsoft's motivation behind their naming convention. However, the attached etymology states: "via Latin from Greek palladion, epithet of Athene, Greek goddess of wisdom. The safety of Troy was believed to depend on a statue of Athene" (dictionary extracts edited for brevity).

So she failed in her endeavor, looking more foolish than wise. It absolutely amazes me that Microsoft names their proposed technology after a statue that watched over a city that was famous for its capture by means of a Trojan Horse (according to Greek mythology). How ironic! An apparent paradox?
Is Microsoft building a large hollow wooden horse which it hopes to deliver to unsuspecting Trojans (users) as Palladium? Fate or coincidence? You decide.
Johannesburg, South Africa

Dear 2600:
In 19:3 Jeff complained about Canadian customs opening three of five packages he ordered from you. I decided to test customs coming in my direction. I am in the US military stationed overseas. Even though my mail never leaves the USPS/Fleet post office system it still must pass through US customs. The question was if it would arrive unmolested.

On Dec 31 I decided to press my luck by ordering Freedom Downtime from work during lunch. (I am mildly surprised that 2600.com is not blocked on a Department of Defense computer.) My package arrived today in the ubiquitous plain brown wrapper. It is postmarked Jan 4 with no customs paperwork (tsk tsk guys) and no signs of having been opened. I even checked it in the VCR to make sure it hadn't been passed by a magnetic field to erase subversive material.

Now let me compliment you on a great film that scared me more than any horror film ever did. And now that it appears we are going to war I'll make sure that if I go it goes with me.

We hope you get back safely without killing anyone.

Dear 2600:
Over the holidays I visited an old childhood favorite place, the Museum of Science and Industry in Chicago. I ducked quickly into the new "Internet" exhibit (largely a disappointment) and found that they gave some coverage to explaining "hackers" to the general public (and indeed, the youth of today). You might be pleasantly surprised at what the display text has to say:

"Hackers: Let's face it. Hackers have a bad rep. But true hackers aren't 'computer criminals.' They are the adventurers who test the limits of technology without causing damage. Many improve Internet security by reporting any glitches that they encounter online.
In fact, some businesses hire hackers as system testers to make sure all the 'doors and windows' are safely locked.

"Crackers, on the other hand, use their smarts to do destructive things, like bring down networks, steal

The first paragraph is quite progressive and hopeful! Though I'm not sure merely moving the definition of "computer criminal" from "hacking" to "cracking" is especially helpful (we're still caught in a semantic trap here, and looking for just another easy name for the "bad guys" is hardly a solution). Anyway, the airtime given to the goodness of hacking was quite a pleasant surprise in an otherwise dull exhibit. They even have a placard about Kevin Mitnick!
confusedbee

We agree that this is for the most part a good thing. But all of this nonsense about "crackers" isn't going to solve anything. In fact, we believe it will Nothing To make matters worse since the word itself is being based on something bad to begin with without offering much of a definition. If this were to become an accepted part of the language, anyone accused of being a "cracker" would have a tough time gaining a sympathetic ear, especially since no specific crime is being defined. It's still entirely possible to differentiate between hackers and criminals by simply defining the actual crime the latter are involved in.

Dear 2600:
I've discovered a disturbing trend at my high school. I've seen - on a number of occasions and from different people - teenagers selling cellular service. I was able to ask one who was willing to talk about her job. She stated that a "nameless" (think Catherine Zeta Jones) cellular provider provides her with local cellular service through a crappy used TDMA phone for $5 a month. In return she must get at least ten people a month to sign up for new service. I find this despicable marketing tactic leaves a bad taste in my mouth.
It seems wrong to get teenagers to be friendly with people their age and push cellular service on them, like they are telling them about a service they enjoy. Yuck!
fremont_dslam

This kind of indentured servitude is extremely profitable for those companies that engage in it. While you won't find local service for that cheap (and it is only local service), you can still get many fairly cheap plans without having to spend a lot of time trying to get others signed up. If you actually worked directly for the cellular provider doing sales, you would be getting paid far more than you would be saving with this deal.

Dear 2600:
The terrorists who are informed and protected are in the government.

Thanks for the tip. Speaking of which....

Dear 2600:
Just in case anyone was curious as to how to "report" a TIPS claim, here's the address: https://tips.fbi.gov.

Dear 2600:
I'd like to add to the whole placement issue of 2600 at B&N. I go to the B&N in West Nyack, NY and they not only have the magazine on the magazine rack with the computer magazines, they also have a clear magazine holder at eye level, all by itself, just for 2600. It's easy to check to see if the new magazine is in - I can see it from the other side of the store. When I check out however, the magazine never seems to scan correctly. The magazine always has to be manually entered into the register when I check out and on the receipt for issue 19:4 it just says "Magazine" and next to it "5.00".

Dear 2600:
Telnet this: towel.blinkenlights.nl. Someone or some people have way too much time on their hands.

We wanted to do something like this for the DVD release of "Freedom Downtime." But we also wanted to get it out before 2010.

Dear 2600:
BT have recently installed Internet enabled telephone boxes in many areas of Scotland (and, presumably, the rest of the UK).
A cursory glance at one of them told me that they have touchscreen monitors, offer web access, telephone facilities, and SMS and they are ridiculously expensive. I recently noticed, however, that they appear to have been renamed as "The Blue Box." I find this interesting. Surely British Telecom, of all people, would know what a blue box is?

Anyway, I'll let you know if I obtain any detailed information.

Dear 2600:
I noticed a message that says "Kevin is now free" in the Table of Contents (Material) page in 19:4, above the word Positivity, right below the line. Cool, very, very cool.
dominatus

Dear 2600:
I've been reading your mag for about a year now and feel I've learned a lot. I've known computers were in my future since the day my stepfather took away my mouse to keep me from using the computer, so I experimented and figured out enough keyboard commands to move around quite well in Windows. So I'd been looking for someone to teach me how to use computers to a more full potential. I've found that there is an entire subculture of hackers that really is many times more complicated than most people suspect. Strangely, while considered a near computer god at my school I know in my heart that should I ever go to one of your meetings I'll immediately be pegged as a script-kitty. But that doesn't bother me, because I know if I find the right people they will be willing to teach me as long as I'm not an ass about it. Also, reading a letter in 19:3, page 30, I got the idea to make a t-shirt and bumper sticker that said "Phr34k H34v3n" - yellow text on a black background. Of course it would draw a lot of attention as most people would think it was some secret cult code. Then I remembered that I get paid less than you people and for me to get even one shirt/bumper sticker it would cost me most of one of my pathetic paychecks. Anyway, keep up the fight. As long as there are still embers a fire can be restarted.
You be the hot embers that keep this fire burning in even the darkest of times.
chaos985

We're not sure how comfortable it is being hot embers. But we're willing to give it a shot.

Dear 2600:
Didn't you find irony in the fact that Jack Valenti presented an award right after Michael Moore accepted his Oscar for Bowling for Columbine? Michael Moore, an extreme activist in issues of free speech and information and Jack Valenti, a suppresser of new ideas and innovation.
2600reader

To his credit, Valenti is resisting pressure from the Bush administration to rally Hollywood behind the war effort. But it was pretty funny seeing him glowering after Moore turned the place on its ear. It was a true Hollywood moment.

Meetings

Dear 2600:
I live on the USS Theodore Roosevelt (CVN 71) and we are out to sea right now. I will go to a meeting at any time no matter where on the boat as long as it's on the boat. There are about 5500 people on this ship right now so at least a few will know what we're trying to do. What do I do next?

This is unusual although we really shouldn't be surprised. Technically, a 2600 meeting should be open to the public but in the case of a military vessel, this probably isn't very likely. But there's nothing wrong with having a gathering within the confines of your environment, whether that be the military, school, prison, etc. You just need to get the word out to people who are interested and be prepared for any kind of action taken by authority figures who don't get it. Let us know what happens.

Dear 2600:
I read your "terms and conditions" for 2600 meetings. There is a problem. Romania isn't presently on your meetings list so this means that there are no meetings in Romania. So I must be the first one who wants to do this in this country. Tell me how these meetings take place in a city. How many people must come to the meeting? Is there a minimal number? Give me more details so I will know if I will do this in my city or not.
Thank you very much!

Getting the meeting started is the hardest part and it's also the part that you have to accomplish on your own before we start to publicize it. Otherwise we would have literally thousands of meeting sites without any indication that they really exist. In order to get something like this started, you need to find a way to reach out to people with similar interests. Sometimes there are online forums, classes at universities, or even street corners where you can hand out flyers announcing the first meeting. People have also had success inserting flyers into issues of 2600 at bookstores that sell it. Once the meetings get underway, consistency is more important than the size of the crowd. It's also a good idea to have a web page where people can see for themselves what the meetings are like and hopefully decide to attend. And don't forget to send us monthly updates so we know you're still out there once your meetings get underway.

Dear 2600:
I have a suggestion regarding the day 2600 meetings are held. As it is on Friday, a lot of people who work miss out, especially those of us who work on swing shift. We simply cannot be asking for a day off every first Friday of every month. So I ask you guys if it can be moved to a Saturday? In my opinion Saturday would be better so that more people can participate in these meetings. I would almost guarantee that 2600 meetings will be bigger because obviously more people would join and in the process more ideas, opinions, and whatnot would be contributed to these meetings and would ultimately make them better.
Oversight

The "first Friday of the month" system has worked extremely well for the most part. We originally chose Fridays partly because that was traditionally when the original "TAP" meetings had been held before we were around but also because it's kind of a celebration of the end of the week, when people have gotten out of work or school but aren't out doing "weekend" stuff.
Obviously, this isn't going to work for everyone but that will be the case regardless of what day they're held. In the nearly 16 years that the meetings have been happening, we've only gotten a handful of complaints concerning when they were held. But we are open to suggestion on ways to improve things such as possibly having secondary meetings in areas that don't have first Friday meetings either because they're too close to another meeting or for reasons like yours. The biggest challenge to this would be figuring out how to make it simple so people will know when these meetings take place. Since all of the "primary" meetings would still be on the first Friday, those would remain easy for people to know about. If we can come up with a common day for "secondary" meetings, it shouldn't be too complicated. Suggestions are wel-

Security

Dear 2600:
After reading the article on CD data destruction in 19:4, I thought I had missed something. The article focused on destruction using the microwave. It also discussed very expensive alternatives to the destruction of data on CD ROMs, to the tune of 10 or 20K!

I have an easier way, and it only requires that you have a very rudimentary understanding of computers and electronics. First, you will need one pair of soft soled tennis type shoes. Second, you will need some concrete or asphalt. You can mix your own for security reasons, but the driveway or street will work fine in a pinch. Third, you need one CD ROM that needs the information on it destroyed.

Here is how it works. Put on your tennis shoes. Take the disk in your hand and walk out to the driveway or street. Put the CD ROM upside down on the concrete (the side you write things on, such as "Candid X10 video of the next door neighbor" should be facing up). The next part is fairly easy to get mixed up, but try to do it right. Put your tennis shoe that has your foot in it directly over the CD ROM.
Next, put all your weight on the CD ROM and spin it back and forth with your foot. Make sure you do this in different locations on the disk to ensure that all of the aluminum is off. You will know when your data is destroyed when the disk looks like a clear plastic Frisbee and there are aluminum flakes blowing off in the wind about the size of finely ground flour. Try to

I don't know what all the fuss is about destroying CD ROM data, but I think the sneaker grind method is the easiest and most complete. If you're really paranoid, you could sweep up the aluminum duff and smoke it, but do that at your own risk. Just don't fall down and break your leg while twisting the night
DWD

Dear 2600:
Recently, while using one of the many popular P2P filesharing programs, I came across many files called "Phone List" or similar. Upon discovering what they were, I am truly afraid for humanity, though it has helped clarify why incredulous ideas (such as the DMCA, WBAI shutdowns, lawsuits against you, Kevin and Bernie's treatment, et cetera) can proliferate and spread in today's society.

I am now in possession of more than 37 files filled with personal, corporate, and other phone, address, and email lists. More than 13 are corporate in nature (three of which were from DSL/other technology-oriented companies), with the remainder everything from Greek organizations to private citizens' lists. However, I find it interesting that I can be arrested and imprisoned for having a publicly available set of data that proves how unknowledgeable our society is. This is just a simple warning to those who use P2P filesharing utilities - please make sure you know what you are sharing.
Poetics

Dear 2600:
A note in response to Rob T Firefly's letter in 19:3 about searching for .eml files in Kazaa. Another feature Kazaa was kind enough to include is an option to allow your entire hard drive to be searchable for media by other users.
Next time you go searching for .eml files, or any other file extension that would not normally be in a Kazaa shared folder, right click on one of the results and choose "find more from the same user." You will probably end up with a list of everything on that user's machine, including cookies, progs, pics, system files, all the way down to desktop shortcuts. Of course, that's where the "send a message to this user" option comes into play.
DVNT

New Projects

Dear 2600:
We're assembling a communications museum of a sort and we'd like to have your approval on using the first cover (4:1, January 1987) of 2600 Magazine as a part of an info-wall coming to the set.
Finland

We'd be honored. For the record, we generally approve of such use as long as we get to see a picture of it at some point. Thanks for your efforts.

Dear 2600:
Today I was patiently waiting in line at the Olive Garden (not my choice, the wife had to drag me there) when I started playing around with the little guest page device they give you to let you know when your table is ready. The system works like this: you sign your name and are given a plastic object about the size of a hockey puck. It really looks like a high tech drink coaster. When your table is ready, a little box at the door greeter's podium sends out a signal, causing a little light on your pager to start blinking, and the whole thing vibrates periodically. I didn't have any sort of tools with me, so the most I got from the little black hockey puck was a url for the company that built its website, http://www.ntn.com. I was sitting there looking at all of these people waiting on a table and seeing the excitement they had when theirs was ready. And then I got to thinking, what if I could make all of these things go off at once? I've been scouring the company's website and google for any kind of info I can find on the system.
It shouldn't be that hard to get a cell phone, CB, ham radio, or possibly even a garage door opener to emit the frequency required to set all of these things off. I'm researching the idea extensively, but why should I have all the fun? I've seen the same systems used in O'Charley's restaurants as well. Imagine the fun one could have driving down a row of restaurants and setting off this signal. In times like these, filled with so many worries and stresses, why not use our skills to laugh a little? Of course, always use your knowledge responsibly.
Ghent

We're certain such an act could be classified as terroristic in these days as well. In a sense, you'd be interfering with the nation's food supply. These devices are basically beepers that have a very limited range, most likely due to the low output of the sending device, usually located near the cash register. We don't know if it would be possible to blast out the signals so that everyone in a particular county would suddenly believe their table was ready. It's certainly worth looking into.

Inquiries

Dear 2600:
How can I get a copy for myself? By the way I am living in Iran.
kayvan

We do offer a special "Axis of Evil" incentive for people inside participating countries. Simply mail us something of interest from your country and we'll respond with anything from a single issue to a lifetime subscription, depending on how interesting what you send us is. Just another way to annoy the authorities.

Dear 2600:
I am writing a book which will contain references to 2600 and I was wondering if you would mind.

We don't mind having our magazine appear in any medium so long as it isn't portrayed as something it's not such as a manual for crime or even a surefire cure for depression. It most definitely is a device to swat flies with so that kind of portrayal also wouldn't be a problem.
Dear 2600:
I know that Kevin has been released for a while, but would you object to Takedown being released in the United States? I downloaded the movie a long time ago, but I do not have a real copy of the DVD/VHS. I don't feel like "modifying" my DVD player to play DVDs from France.
InfrHck

We have no objection to any completed film being released. Our problem was with the script and how it unfairly portrayed Mitnick. We were successful in getting a number of important changes made but we don't think it was enough to save the film. Now it's up to the public to decide if the movie was fair or even good. By not releasing it here, the studio appears to have already made that decision. Anyone should have the ability to order the DVD from another country and make up their own mind. The artificial constraints built into DVD technology are designed to keep you from doing just that.

Dear 2600:
I work as a network admin for a school and have been an avid reader of 2600 for a long time.

I want to submit a letter about what it's like working for a school from the perspective of somebody who sees kids get blacklisted for the most innocent activities or get accused of "hacking" when the only thing they are guilty of is getting into a network share that had been set up by somebody who failed to properly set up security.

My concern is anonymity. I do not wish my name to be published as my letter is pretty harsh on school administration and I could easily find myself out of a job. If I were to submit such a letter, could you keep my identity in the strictest of confidence?
x8ou;##5

Look at the clever way we disguised your name for this letter. We hope this convinces you that we're up to the task.

Dear 2600:
I think you are doing a great job. I also think that the Off The Hook program on WBAI is great. I was wondering if others have had this same problem. I have an AT&T Calling Card that is connected to my AT&T Universal Calling Card.
There is a one rate plan, where I am charged 20 cents a minute for calls, providing I call 1-800-CALL-ATT and navigate to my call. Frequently on my bill, they are saying I used an operator and are charging me $6 or $7 for a one minute call. How is it that they would say I am using an operator when I always just dial 1-800-CALL-ATT and then key in the appropriate numbers? Is this a way to try and make additional money, assuming that I do not read my billing statement carefully?
Ray

That's certainly the end result although the cause is most likely bad programming that makes them lose track of just how certain calls are made. We suggest filing a complaint and if it continues to happen, just use another company. These days, you should have little trouble finding one for the same price.

Dear 2600:
I'm sure your articles are copywritten. What are your requirements to use your articles in another magazine?
Mark

Generally, articles can be reprinted in other magazines as long as credit is given to the author and 2600. As the articles remain the property of the authors, they are free to do anything they want with them after they appear in these pages. We ask that any article submitted to us not appear in any publication (including websites) before it appears here (or six months after its submission). It makes our readers a lot happier.

Dear 2600:
My dad and I were cleaning out the garage today and came across an old telephone repairman's phone device with a manual dialer and positive/negative alligator clips to tap into the phone lines. Is there anything I could do with it?

Apart from impressing people at your local 2600 meeting, you can always use these things to clip into phone lines wherever those little wires can be found. The best kind, though, are the ones where you don't even have to make physical contact with the wire in order to tap in. These have been used by all kinds of entities over the years to tap into phone lines without making audible clicks.
Dear 2600:
I'm wondering if anyone has any information on STR intercom systems. I live in Manhattan in a typical residential building with an STR handset in my apartment. The model is an HT2003/2. I am surrounded by annoying neighbors and would like a better way to buzz them than by having to run downstairs to the building's entryway. Yeah, I know it's a bit childish, but nothing short of that seems to do any good. Would something like this require more access than the wiring available on my end?
kaspel

We would love to see some guides on imaginative ways to modify building intercom systems. There are many different types employing all kinds of technology so there are all kinds of possibilities.

Dear 2600:
I am pretty new to your magazine, and am unable to fathom pages 40-45 inclusive, entitled .ncsc.mil (144.51.x.x). I am just uninformed. It appears that the .x.x is intended to be a substitution for the sets of numbers in brackets behind the name (e.g., airpiracy25 (114.189)), but I am unable to figure out what to do with these numbers. I have tried submitting www.ncsc.mil.144.51.114.189 on my browser, but it led to nothing. Would you mind giving this newbie a

144.51.114.189 = airpiracy25.ncsc.mil. That's as

New Feedback

Dear 2600:
I was browsing the latest mag at Barnes & Noble here in Austin, Texas. I noticed some rant about emoticons and stuff. This was total rambling, no real meat (where's the beef?). Anyway, I was talking to my dad this past summer. He was an Army Intelligence Officer in Vietnam. He said they used to use emoticons back in the 60's, on teletypes, before the Internet. Can you guys screen these articles a little better? This totally turned me off and I didn't buy this issue.
ByteEnable

what happened.

Dear 2600:
In 19:4, page 48, jmk gave us the login and password to a www.singer.com intranet account. Your reply that there isn't much to do with that login is wrong.
If you click on the Documents link "http://www.singer.com/intranet/userindex.cfm" you'll find that you can download their global phone directory. Now it doesn't have all the employees' names in it, and I'm sure by other means you could get this info, but here it is for you all in one file! Now with that, you can click on the Newsletter link "http://www.singer.com/intranet/userindex.cfm" and look at what appears to be some kind of company newsletter... go figure. But in that file, you can get a lot of information that you could use with that global directory. I believe Kevin Mitnick brought up a scenario like this in his recent book The Art of Deception. But to bring back up what you said about the guest login; yes, there isn't much you can do on the site other than that.

the info remains up to this day.

Dear 2600:
I just finished reading your latest edition magazine and I have to say how much I admire your publication of flamer letters. Doing so further shows the strong character and promotion of thought of 2600. Although I cannot be considered a hacker by any stretch of the imagination, I thoroughly enjoy reading your articles and learning new things (currently, I am a Maya student). One of the reasons I love 2600 is your promotion of open-mindedness in the face of ridicule and stupidity - though not directly hacker related. Free thought should be more obvious, but unfortunately it isn't. Sooner or later, everyone will have to start thinking for themselves and I believe that your magazine is a wonderful encouragement for this type of behavior. I look forward to the day when anyone can buy any type of media without suspicion or ridicule (minus, of course, media that includes hate material, kiddie porn, general maliciousness, etc.). Anyway, I just wanted you guys to know that I fully support your magazine and will continue to recommend it to my friends and classmates.
You are a beacon of sanity in a sea of chaos (okay, that was really cheesy, but I think accurate).
Kimberly

Dear 2600:
I purchased Freedom Downtime on VHS at H2K2. I'm now in the process of burning a DiVX version onto CD so I can keep it for years to come. I deeply thank you for allowing me to feel secure in the knowledge that you won't sue me for it. See you all at the next HOPE!
Anewname
Toronto

Dear 2600:
This is in regards to the 19:4 article concerning Warspying. The author stated that he had received a couple of cable TV transmissions, which is easily explained. Radio Shack sells a 2.4ghz transmitter/receiver for use in your home when you want to, say, watch cable in another room without having to run extra cable. I own one of these units for that purpose, as the cable guy couldn't connect cable to my upstairs bedrooms. The receiver also picks up X10 displays, as I have picked up my neighbors using it to watch the parking lot due to a couple of car break-ins.

An obnoxious thing about these using the 2.4ghz band is that they severely interfere with 802.11b equipment. I have to disable my cable transmitter/receiver in order to use my 802.11b network without being less than 10 feet away from the AP. Also with the AP on, it causes the cable transmitter/receiver to have a garbled picture.

Dear 2600:
In response to diOnysus' article about spoofing MAC addresses, you can change it in Windows XP with a couple of clicks and keystrokes. Go to the "Control Panel," then click on "Network Connections" and then right-click "Local Area Connection," click "Properties," then click the "Configure" button, and then click the "Advanced" tab. Then under "Property," click "Network Address," click the radio button for value and enter the MAC address you want without a delimiter. There are ways to do it in Win 98/Me/2k/Nt, but it is not as easy.
c0ld ' b001

Dear 2600:
This letter is directed at area_51 who wrote in 19:4 the article entitled "Exposing the Coinstar Network." I am writing to ask a question about the actual receipts which print out of the Coinstar machine, specifically if you have ever seen one that says "Duplicate" on it. The reason I ask is that a friend of mine, a night manager in a supermarket which uses the Coinstar machine, was fired for allegedly cashing one of these receipts which allegedly said "Duplicate" on it. I work part-time as a bookkeeper in this store. I have seen perhaps hundreds of these receipts but never one that had that word on it. I believe this man was framed and I'd like more information on the machine to see if indeed he was.

He says that a customer complained to him that the Coinstar machine was not working. He asked the bookkeeper in charge for the key which she gave him. When he opened the machine he saw a receipt hanging out of the area where they print out. The customer had not used the machine yet so it was not hers. Since our store has a "finders, keepers" rule in effect (which means if you find money and it isn't claimed by anyone and all cashier's drawers are even at the end of the night, the finder gets to keep it), he thought it would be fine if he cashed the receipt. Coinstar receipts, as you know, are the equivalent of cash. The receipt was intact and was not scratched off nor was the perforated wavy line down the side ripped in any fashion. The bookkeeper who gave him the key was the same one who cashed the receipt for him at the end of the night. She says there was nothing odd looking about the receipt when she was asked later on by myself and other concerned coworkers.

How does one go about getting a "Duplicate" receipt to print, meaning what actions did he have to take on the inner computer in order for this to occur? Knowing the guy I can say, pretty much without a doubt that he has no clue about how the Coinstar machines work.
From previous conversations he mentioned he didn't have the password and couldn't fix the thing when problems arose with it and we would have to call the repairman. I read your article and you seem like a leading authority on these things. The bookkeeper says that she watched him open the machine, and that she did not see him touch any buttons.

reason unknown to us and that they fabricated this whole thing in order to see him gone. The manager has told us that he did not think he was doing anything wrong and other managers in the store have said that if he cashed the receipt and it was a valid one, not a duplicate, there would have been no problem. I feel that there isn't such a thing and they made it up but I could be wrong.

I am hoping you can help. If you say that there is no such thing or that the process to accomplish this is beyond the means of any person opening this machine, then I will report the company to the union. The main store manager is known for deceptive practices such as hiding hours on employee timesheets in order to not pay them full time wages, etc.
TheTechnophile

Responses to Old Feedback

Dear 2600:
I just finished reading issue 19:4 of your magazine and I felt like writing in response to Dave D.'s letter of critique. I felt like expressing my reasons for reading 2600 and why I love it so much. His tone in the letter seemed to assume that all readers of your magazine used it as an underground hacking manual that barely slips by punishment from the law. I am not a hacker, phreaker, or script kiddie of any kind. I do, however, have an unquenchable thirst for knowledge. Information, in general, enhances knowledge, which hopefully leads to wisdom. The information that I read in 2600 furthers my knowledge of the technological world around me. I believe that such a heightened knowledge is necessary to avoid becoming one of the masses of uneducated people who fall victim to the obscurity of the technology they use.
Too often we take technology for granted. Does the average Joe know what happens behind the scenes when he picks up the phone to make a long distance call? No, but he probably doesn't need to know for his immediate survival. However, I refuse to take technology for granted and let it control me without keeping it in check. Some of the information presented in your magazine may resemble a "wink and nod approach to criminal activity," but that all hinges on what the reader does with that information. Do I have anything "to fear from the law?" No. The FBI will not be knocking down my door for illegally accessing a network or for fraudulently erasing Blockbuster fees. I don't read 2600 to pretend to be some sort of pseudo-intellectual hacker-wannabe. I read 2600 because it is information that I deem as vital to my survival and success in the modern age of technology.
Kyle

Dear 2600:
I was 100 percent with you concerning the simpleton's letter (Greg in Colorado) about how the ACLU
continued on page 48

A First Look at
by The Prophet aka "Please don't call me the Virgin Surgeon" TProphet

Overview

Virgin Mobile USA is the first foray by David Branson's Virgin group into the North American wireless market. It is also Virgin's first experience with a CDMA system. The rest of Virgin's worldwide markets utilize GSM technology. While Virgin Mobile would have preferred to partner with a GSM carrier, the local GSM carriers (Cingular and T-Mobile) already had their own prepaid offerings and weren't interested in selling them to Virgin Mobile. Additionally, Virgin wanted a strong nationwide network, and none of the GSM carriers offer one.

Fortunately for Virgin, Sprint PCS was looking to get out of the prepaid market, but had the network capacity and technology to serve prepaid customers.
In a $300 million joint venture between Virgin and Sprint, Virgin Mobile USA was formed, resulting in an overlay wireless network with a myriad of opportunities for the curious phreak.

Virgin Mobile operations are scattered hither and yon across several companies and geographic locations. Their headquarters are in Warren, New Jersey. Calls are carried over the Sprint PCS network. Billing is handled by California-based Siebel Systems, and data processing is handled by EDS at their Sacramento offices. A software package developed by Telcordia (formerly Bellcore) is used at the MTSO layer for prepaid billing. Customer service calls are taken in Spokane, Washington by a firm called the ICT Group (who, incidentally, also take calls for America Online). They use BEA WebLogic to track all (and I mean all: the people you call, the VirginXtras you use, how you pay your bill, etc.) your interactions with Virgin Mobile - but only after you get past Amber, the interactive voice response (IVR) gatekeeper system, which is driven (poorly) by ScreamingMedia and BeVocal software. As you may have guessed, outsourcing is the order of the day at Virgin Mobile.

The Phones

As of this writing, Virgin Mobile customers can choose from two Kyocera phone models, the 2219 and 2255. The 2219 version is marketed as the "Party Animal" and the 2255 version is marketed as the "Super Model." The phones are similar, with the more expensive 2255 version offering a bright blue display, additional ring tones, and a few other bells and whistles. The phones are bundled with a CD sampler of songs from the Virgin music label, an instruction booklet, and a sheet of stickers that I imagine Virgin Mobile thinks are zany and fun. Most of the stickers have something to do with the Virgin logo, or are simply Virgin advertisements.

The firmware, which in Kyocera phones is flashable, is different from that found on the Sprint PCS models of these phones.
The Virgin Mobile firmware provides unlimited Wireless Web access to all the news and information that a user in Virgin Mobile's 15-30 year old demographic could ever need (that is, MTV news and information about the Virgin record label's music catalog - yes, they really are that condescending), along with other "VirginXtras" features such as "blind date" calls, where you can schedule an automated callback to your wireless phone (the premise being you could schedule a callback to occur during a date, then more easily fabricate an excuse to leave). You can also check the remaining balance on your account, buy more airtime, etc.

Unlike the Sprint PCS firmware's version of Wireless Web, you are limited to visiting a hard-coded list of URLs that Virgin Mobile has provided - nearly all of which promote other Virgin products. If you were thinking of getting around this annoying limitation by purchasing a data cable for your laptop, don't bother. That functionality is also disabled in the firmware.

Additionally, the PRL is locked to "Sprint PCS Only" mode (although this is hidden from the user), and you don't even have the option to select analog roaming. If you were somehow able to get around that, roaming is also disabled in the Sprint PCS billing system for Virgin Mobile ESN/MIN pairs. The inability to use an available analog signal, even to call 911 (which is always a free call), is a serious limitation.

Billing

New Virgin Mobile phones come with $10 worth of airtime, and you can get an additional $5 for activating your phone on their website. Calling time is purchased through the use of "top-up" cards, which are sold at Virgin retailers, or by using a credit card. You can top-up your account over the phone or via the Virgin Mobile website. For each $50 purchased in any one month, Virgin Mobile provides $10 in bonus airtime. Additionally, a $10 one-time bonus is granted for registering your credit card number with them online.
Most voice calls are billed at 25 cents per minute for the first ten minutes per day. Domestic long distance is included. On the Virgin Mobile network, a day begins at midnight and ends at 11:59 pm. For the first ten minutes of calling time each day you are billed 25 cents per minute. After that, you are billed ten cents per minute for the rest of the day. These rates apply to both incoming and outgoing calls, and are the same regardless of the time of day. International long distance service is available, but is disabled by default and very expensive.

Incoming calls that are transferred to voicemail are free. Outgoing calls to your voicemail from your wireless phone are normally billed airtime at the voice call rate. However, dialing 1 1 + NPA + your Virgin Mobile Number allows you to check your voicemail for free in some markets. This is how incoming calls that are transferred to voicemail appear on your call detail, so it appears to be a billing loophole. You can also check your voicemail using a land line without being billed airtime, by calling the NPA-NXX of your Virgin Mobile number, then replacing the last four digits with 6245 (MAIL). Simply follow the voice prompts to log on to your mailbox.

CDMA data service, which Sprint PCS markets as Wireless Web or PCS Vision, is unlimited and free on Virgin Mobile. Unfortunately, it's not very useful because of the limitations described above. As usual, you get what you pay for.

There are no credit checks, and no identification is required to establish service with Virgin Mobile. To activate service, you need to give them a name and service address, but this can be anything you like. Be aware, however, that if you want to pay with a credit card, you need to provide the name and billing address on the card.

Virgin Mobile vs. Sprint PCS

If you have a Sprint PCS phone, you cannot activate it on the Virgin Mobile billing system, or vice versa.
Each carrier requires the ESN of your phone to be in their database; otherwise, they cannot activate it. If you call Sprint PCS customer service for assistance, they will have never heard of your phone number before and won't be able to pull up your account. Technicians at the Tier 2 level and above can pull up your account, but they'll get the Virgin Mobile national account (which is administered by someone named Amber Maxwell - my voice sounds like it belongs to a disgruntled lumberjack, so they were reasonably skeptical about me being a woman).

Unfortunately, the above means that Sprint PCS won't readily perform services such as resetting your browser's client certificate, performing over-the-air (OTA) updates of the PRL in your phone, or telling you how much Virgin Mobile actually pays for that expensive service you're using.

Fun Numbers To Call (from your Virgin Mobile handset)