Nettwerked >>> K-1ine #7 -- 'It Comes On Anyhow'
vol.3 -- September 2000

[-] Introduction .......................................... The Clone
(-) Contact Information ................................... The Clone

[Main Menu;]

(x) 'Anyone with a Screwdriver Can Break In!' ............. Jay Beale
(x) 'OB Duct Tape Hack' ................................... Kira Brown
(x) 'Walk' ................................................ D.M.S.
(x) 'Hacker Hypocrisy; @Stake/L0pht' ...................... The Clone
(x) 'Model 001 Payphone Programming Guide' ................ Nettwerked
(x) 'PBX Access Total' .................................... Flopik
(x) 'US NATIONAL PARTYLINE NUMBERS' ....................... Kybo_Ren
(x) 'Rogers/AT&T Pay-As-You-Go Billing Vulnerability' ..... The Clone
(x) 'A Guide to General Packet Radio Service' ............. N&N
(x) 'DND Non-Public Network and Workstation Security' ..... PsychoSpy
(x) 'DND WAN DNet Architecture' ........................... PsychoSpy
(x) 'How Non-Public DND Information Was Easily Compromised' PsychoSpy
(x) 'Miklos Adventure at Graybar' [love this article!] .... Miklos

[-] Credits ............................................... The Clone
[-] Shouts ................................................ The Clone

[][][ PERSONAL ADS: ][][]

-- Brand New Telephone Related Archive; 'Telecom File Archive' --
www.nettwerked.net/TFA/TFA.html

-- Brand New Organization; 'Canadian Phreakers Union' (FAQ) --
www.nettwerked.net/TFA/cpu_faq.html

brian had tailored his intestinal flora to allow him to remix music biologically...

Great, smashing, super.

Introduction

- BEGINNING OF CHEESY INTRO -

Welcome to the September edition of K-1ine - Oooo summer is over... back to school, kiddies! Alright, this is the seventh issue and third volume of K-1ine... the issues keep jumping numbers and growing & growing in submission size...
what can I say - I'm impressed! Keep those rockin' articles coming, and I'll continue to compile them! Enjoy this far-out issue!

- END OF CHEESY INTRO -

Contact --

Comments/Questions/Submissions: theclone@haxordogs.net
Check out my site: (Nettwerked) http://www.nettwerked.net
Shoot me an ICQ message: (UIN) 79198218

___

Anyone with a Screwdriver Can Break In!

By: Jay Beale -- jay@bastille-linux.org

August 28, 2000 - This article will discuss the second weakest layer of computer security[1], Physical Security. As we'll see, any attacker with physical access to a computer, a little ingenuity, and sufficient time can compromise the system. By way of example, I'll demonstrate attack and defense on a Red Hat Linux box and show how you might slow down, or even prevent, these kinds of attacks.

You don't need a Linux machine, or even technical responsibility, for this article to be useful. This problem is independent of operating system and this article is general enough to be useful to every level of computer user. Be warned, though - you'll probably only be able to slow down a determined attacker.

Breaking in Through the LILO Prompt

If you boot a Red Hat Linux 6.x system right now, you can boot into single user mode like this:

    LILO: linux single

This will place the machine in Runlevel 1, or single-user mode. You'll be logged in as the superuser, root, and you won't even have to type in a password! This is not a backdoor, as such - this mode is generally used for system maintenance, which is a good idea. Requiring no password to boot into root here is probably a bad idea! You can fix this by editing /etc/inittab. Insert the following line, right after the "initdefault" line:

    ~~:S:wait:/sbin/sulogin

This will require a password to boot into single-user mode by making init run sulogin before dropping the machine to a root shell. sulogin requires the user to input the root password before continuing.

So, what if we've password-protected single-user mode?
Well, you can still have root on the machine if you type:

    LILO: linux init=/bin/bash

This boots the Linux kernel, but runs the Bourne-Again-Shell (bash) as the first (non-kernel) process, in place of init. Since the kernel runs init as the root user, this shell is run as root. You now have an instant rootshell!

OK, so how do we stop this and attacks like it? We really should restrict who gets access to the LILO prompt. LILO permits this, natively. First, we can password-protect the LILO prompt, so an attacker can't add options to the LILO prompt without typing a password. To add a password to the LILO prompt, just choose a password, and place the following lines at the top of the /etc/lilo.conf file:

    restricted
    password=SOME_PASSWORD_YOU_CHOOSE

We can also protect the LILO prompt by setting the delay time to 1 millisecond, providing an attacker with insufficient time to add options[2]. You can accomplish this by editing /etc/lilo.conf and then re-running lilo. Comment out any lines that read "prompt" by placing a # in front of them. Then insert the line:

    delay=1

near the top of the file. Once you're done, make sure to re-run lilo to effect your changes, by typing lilo at the root prompt. Type man lilo and man lilo.conf to learn more about the LILO Linux [kernel] Loader.

OK, so we've secured lilo - have we completely locked an attacker out of superuser access? Sadly, we haven't, because an attacker with physical access can...

Boot Via a Floppy/CD-ROM/Other Bootable, Removable Medium

Well, if your computer has a floppy or CD-ROM drive, an attacker can usually boot the system from a bootable floppy/CD-ROM. I carry around a Tom's Root Boot disk in my laptop case, for occasions where someone forgets their root password (or a machine is too munged to boot properly). I boot the system from my Linux floppy disk, and then mount the drive, like this:

    # mkdir /jay
    # mount /dev/hda5 /jay
    # vi /jay/etc/passwd

Since I booted with my own floppy disk, I'm root on the machine.
If the drive isn't encrypted, I can mount it (as above), edit the passwd file, and create myself a root equivalent account, by adding a line like this:

    jay::0:0:Security Admin:/:/bin/bash

This creates a non-passworded root-equivalent account named 'jay'. From here, I can repair the damage to the box, delete the account and go about my business. Unfortunately, an attacker can use the same technique illegitimately to quickly root a box.

We can prevent this, initially, by restricting the machine to booting only off the hard drive. This technique is useless if the computer won't boot off a floppy/CD-ROM. You can generally configure boot options via your computer's battery-backed NVRAM, EEPROM, CMOS, or such. On Intel x86 hardware, turn your machine off and then, as it boots, press whatever key (Esc, F1, F2...) puts you into your BIOS's configuration menu. Now, when the option is saved, try to boot off a floppy. This should be impossible.

OK, so now an attacker can't simply insert a floppy disk to root the box, nor can he get easy access through the LILO prompt. Does he have other methods? Of course! He can...

Remove the Boot Device Restrictions!

A knowledgeable attacker, upon finding that he can't boot from removable media, will simply follow the same procedure you just did, simply changing the boot device list back! Well, we can combat this, but you should be seeing two primary effects:

  1. Stop less knowledgeable attackers by knowing just a little more than them.
  2. Slow down and deter the knowledgeable attacker.

We'll talk about these later - I just didn't want you to lose hope halfway through the article...

So, the attacker can undo the change we just made to your system's boot restrictions. Well, most systems, including Intel-based hardware, allow you to set a password on the NVRAM, EEPROM, CMOS or whatever. This is an easy option to find, yet still an easy one to neglect. Place a password on your system's BIOS.
This, combined with the options above, will stop a large percentage of attackers dead in their tracks. The remaining few might...

Remove the BIOS/NVRAM/.../CMOS Password!

OK, our attacker is annoying. He's also burning plenty of time. If he can get sufficient access, he might be able to use a tool to discover the BIOS password from inside Linux. Usually, he can't do this. Instead, since he has physical access, he can take the simpler approach. On Intel hardware, the CMOS/BIOS configuration is maintained via a small battery, often similar to a watch battery. If you disconnect this battery for a few moments, the RAM blanks, and the system forgets its password. While some systems then default to a manufacturer's password, there are online tables of these which our attacker can probably consult and/or partially memorize.

What do we do here? Well, we can place a lock on the case, so it can't be easily opened. With time, and tools, these locks can be picked or broken. Further, the attacker might be able to compromise the lock by harming the case directly... Still, the lock (and strong case) will slow him down and may deter him to the extent that he leaves. Further, you might just remove the floppy drive, CD-ROM drive, and any other external drive/disk mount ports (Zip disk, parallel port...). What then?

Remount the Hard Drive on Another Machine!

Remember our mounting trick with the floppy disk from earlier? This can be applied from another host! While this may seem impractical, I'll note that I saw a deck-of-cards-sized computer just a few weeks ago, at DefCon, that could be used for this very purpose. Boasting a 340MB hard disk, with a Red Hat Linux install and a free IDE port, this ultra-portable computer could be used easily for this purpose. Just plug the hard drive into this system or another system you've got control of, and you've got somewhat-less-than-quick superuser access.
All we need, generally, is a screwdriver to open the target machine to get at the hard drive! Again, the case locks can help here, but they only serve to slow down a determined attacker.

So, suppose we're still working on stopping the determined attacker. This guy is a total pain. The physical access makes the machine weak! So, what if we could remove the physical access? We place the machine in a locked room, with a steel door, hinged on the inside, with multiple non-trivial locks. Only the monitor, mouse and keyboard are accessible. We're truly safe now, right?

Well, don't start patting yourself on the back just yet. Check those walls. Most of you secure your server rooms behind walls that don't quite go up past the ceiling... What do I mean, you ask? Consider the ceiling tiles around the room. Push one up, right near your inter-office walls, and you might find plenty of crawl space over that wall into your "secure" server room. Once, when I locked myself out of my own office, I was told to use this space to unlock the door from the inside. Most offices don't think about this design in their physical security audit!

OK, OK, I'm getting a little outrageous by now, yes? Eh, it really depends on how "secure" you need your computers to be. As I hope I've shown, it truly is difficult to stop an attacker who has time and unsupervised physical access to your computers. So, what do you do?

Remove the Opportunity and Deter the Attacker

You really can stop most attackers, simply by not providing them with the unsupervised opportunity and time required to carry out an attack. If you followed the path our attacker might take, you'd note that all of this took time. He had to reboot the host several times. This all takes time. If you harden the LInux LOader (lilo) sufficiently, set boot device restrictions and secure the method of changing such, our attacker will be getting into the realm of opening his target computer's case, possibly defeating locks along the way.
While this part takes time, it's also highly likely to be noticed by anyone monitoring the area. If you've given physical access because the target is in a computer lab, you can hire a lab monitor to watch for anything this noticeable. If the physical access is accidental/unintended, you can look into door locks, alarm systems, and perhaps even guards. In any case, now that you understand the dangers, you'll be able to think about this problem more carefully and choose the measures that fit your organization.

Not Really a Losing Battle?

OK, so, against a determined attacker, with sufficient time and no supervision, you've got little chance, right? Well, not quite. Most attackers don't quite think of all of these methods, or don't have the time/energy/wherewithal to apply them. Further, I would think that most attackers wouldn't choose a method that might be so time-intensive, when they can be caught on the scene. So, work to foil all but the most capable attacker with the steps above. Secure the operating system boot loader, the physical boot loader (BIOS...) and the hardware itself. The few attackers left will require lots of time to break in, which, along with fear of being caught, will often provide an ample deterrent.

Really, deterring the attacker is the name of the game for many of us. If we could get anywhere near to making a computer impossible to break into, it would be considered fairly unusable by most. So, we compromise. We remove all of the "easy" methods of breaking in, like the 30-second LILO: linux single or boot floppy "exploits" demonstrated above. We try to go as many steps further as we can, without disrupting normal use. If we can make our machines enough of a pain to root, most attackers will go after someone else. The remainder we'll have to try to catch or deter with other methods, like security systems and lab monitors.

In the end, always remember, the attacker is a human being, with plenty of potential for creativity and brilliance.
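Added example (not part of the original article and not Bastille Linux code): a Python check for the settings the article walks through, the sulogin entry in /etc/inittab, the restricted/password, prompt and delay lines in /etc/lilo.conf, and a passwd entry like the 'jay' line. The sample files are constructed; the function names, finding codes and the lilo.conf permission check (the password sits in the file in cleartext) are assumptions of this example.

```python
# Constructed sample files for this demonstration (not from a real host).
INITTAB_DEFAULT = """\
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l1:1:wait:/etc/rc.d/rc 1
"""
INITTAB_HARDENED = INITTAB_DEFAULT.replace(
    "initdefault:\n", "initdefault:\n~~:S:wait:/sbin/sulogin\n")
LILO_DEFAULT = """\
boot=/dev/hda
prompt
image=/boot/vmlinuz
    label=linux
"""
LILO_HARDENED = """\
restricted
password=SOME_PASSWORD_YOU_CHOOSE
boot=/dev/hda
# prompt
delay=1
image=/boot/vmlinuz
    label=linux
"""
PASSWD_CLEAN = "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:\n"
PASSWD_TAMPERED = PASSWD_CLEAN + "jay::0:0:Security Admin:/:/bin/bash\n"


def active_lines(text):
    """Yield lines with '#' comments and blank lines removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def inittab_requires_sulogin(text):
    """True if an inittab entry runs sulogin for runlevel S (single-user)."""
    for line in active_lines(text):
        fields = line.split(":", 3)              # id:runlevels:action:process
        if len(fields) == 4 and fields[3].strip():
            program = fields[3].split()[0].rsplit("/", 1)[-1]
            if "S" in fields[1].upper() and program == "sulogin":
                return True
    return False


def parse_lilo(text):
    """Return (global options, one option dict per image= / other= section)."""
    global_opts, images, current = {}, [], None
    for line in active_lines(text):
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("image", "other"):            # starts a new boot entry
            current = {key: value}
            images.append(current)
        elif current is None:
            global_opts[key] = value
        else:
            current[key] = value
    return global_opts, images


def rogue_accounts(passwd):
    """Names with UID 0 that are not 'root', or with an empty password field."""
    rows = [line.split(":") for line in active_lines(passwd)]
    return [r[0] for r in rows
            if len(r) >= 7 and ((r[2] == "0" and r[0] != "root") or r[1] == "")]


def audit_host(inittab, lilo_conf, passwd, lilo_mode=0o600):
    """Return (code, detail) findings for the weaknesses the article lists."""
    findings = []
    if not inittab_requires_sulogin(inittab):
        findings.append(("NO_SULOGIN", "'linux single' gives root with no password"))
    global_opts, images = parse_lilo(lilo_conf)
    merged = [{**global_opts, **img} for img in images]   # image overrides global
    unprotected = [m.get("label", "?") for m in merged if "password" not in m]
    if unprotected:
        findings.append(("LILO_NO_PASSWORD", "options like init=/bin/bash "
                         "accepted for: " + ", ".join(unprotected)))
        if "prompt" in global_opts:
            findings.append(("LILO_PROMPT", "'prompt' is not commented out"))
        delay = global_opts.get("delay", "0")
        if not delay.isdigit() or int(delay) > 1:
            findings.append(("LILO_DELAY", "delay=%s exceeds delay=1" % delay))
    # 0o077 = any group/other permission bit on the file holding the password
    if any("password" in m for m in merged) and lilo_mode & 0o077:
        findings.append(("LILO_CONF_READABLE", "cleartext password exposed"))
    rogue = rogue_accounts(passwd)
    if rogue:
        findings.append(("ROOT_EQUIVALENT", ", ".join(rogue)))
    return findings


if __name__ == "__main__":
    print(audit_host(INITTAB_DEFAULT, LILO_DEFAULT, PASSWD_TAMPERED))
```

Run against the hardened inittab but the default lilo.conf, it still reports LILO_NO_PASSWORD, which is the article's point that sulogin alone does not stop init=/bin/bash.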
Don't underestimate him/her! Good luck!

Footnotes

  1. The absolute weakest layer of computer security is widely believed to be the social, or "people," layer. Crackers like Kevin Mitnick often broke in simply by calling users, pretending to be system administrators, and asking said users for their passwords.
  2. By the way, Bastille Linux can perform both of these steps for you. (Wink, wink, plug, plug)

____

OB Duct Tape Hack

Date: Sun, 03 Sep 2000
kira@linuxgrrls.org

ObDuctTapeHack: If you get the wooden storage racks from the children's section of Ikea, the plastic boxes that go with them make excellent top-box luggage containers for motorbike usage. Just takes a little tape to stick the top on.

ObThat'sTooObviousHack: I used duct tape to stick tagged 7/5AF cells together to make a new pack for my Compaq LTE5100 ancient crappy laptop.

ObWhyNoWD40ThisTimeHack: WD40 makes an *excellent* polish for laminated wooden desk surfaces...

ObHeyThisiMacIsKindofCool: when it's running LinuxPPC :-)

Kira Brown.

___

___

Walk

A moonless night awaits my journey into the unknown, surrounded with the terrifying sounds of silence and the thick spring air thinking of careless times and childhood freedom just to realize the horror of times hold on humanity as it ticks by; no stars to wish upon desperately awaiting her smile, endless travel through the overgrown path sweat trickling down as nervousness takes over the thought, breathing, gasping, going nowhere, suddenly a wind passes by my soul and I start to shiver, droplets of water begin to fall, showering sounds take over the silence, still walking this path, ending where I began, I felt a warm moss touch my back. Fear ran down my spine, but alas, a hand touched mine, and gently whispered "I'm here, I'll walk with you from now on." My heart filled with happiness, and as the sun came, I saw her smile.

- Dead Musicians Society

____

hows tarzan? small and shrinking I hear swinging around caught in a fan again?
noop one of his cheetas is sick

____

Hacker Hypocrisy; @Stake/L0pht - 09/05/00 -

RE: SecurityFocus News: AtStake jilts Phiber Optik
http://www.securityfocus.com/templates/article.html?id=79

You know, in regards to @Stake I really don't know what to think. Here we are [in] the year 2000 talking about "hacker hypocrisy" and what happens to a group of people (L0pht) who, until just recently, stood for something pure in our hacking sub-culture. What happened? When a multi-million-dollar venture capital is offered to a group of people, who for the better part of the 90's relied on donations and t-shirt/cd sales, and eventually, computer security consulting jobs to break even -- well of course they're going to take it. I mean, who wouldn't turn down a nice comfortable corporate career doing what they love?

WHO would have thought that a group who were so respected in the hacking scene go about screwing over both of their own; Space Rogue (in June) and now Phiber Optik? The same group who were once going against the grain, doing their part for our culture and at the same time maintaining a certain amount of respect have now sold out in a big big way. It's one thing to take on a well paying job, but it's another to have it interfere with what you love to do and have it ruin the friendships that were built over the years.

Maybe it's me ranting about something I really don't know anything about... disappointed in a group who I looked up to for so many years as "heroes of the information age" - maybe it's the rebellious generation-X all grown up? Whatever it may be is irrelevant now -- the damage has been done, it doesn't look like @Stake is bowing to hacking culture in any way at all.

---

The L0pht is no more, HNN is now very heavily saturated by the bureaucracy of @Stake stockholder value rather than fair media reporting, and now it seems they want nothing to do with any hacker convicted of ... hacking?
- The Clone

Nettwerked; "a web-site for the 780 undergr0und scene"
http://www.nettwerked.net

___

Model 001 Payphone Programming Guide

FEATURES:

* Coin operated line powered payphone.
* Keypad programmable.
* Multi coin phone: accepts nickels, dimes and quarters.
* Touch-tone dialing.
* Ringer On/Off switchable.
* Phone emits warning tone 15 seconds prior to end of call.

FACTORY PRESETS:

* Tone dialing
* Local calls: $0.25 for 3 minutes.
* Long distance calls: $0.75 for 1 minute.
* Information calls (1411/411): $0.50 for unlimited time.
* Restricted calls: operator, international, 1900, 1976, 976, and 1700.
* Free calls: 1800, 1888, 1877, and 911.
* Incoming calls for unlimited time.
* Allow 0+, calling cards, and credit cards calls.
* Pass Code: 000000

IMPORTANT: It is recommended that you read the 001 user's manual prior to installing and programming the phone.

TO INSTALL THE 001 PAYPHONE:

Simply plug the phone's line cord into a standard RJ11 outlet provided by the phone company.

TO REMOVE THE COIN BOX:

Locate the metal tabs at the rear of the phone and pull the top tab back. This will allow the coin box to be removed. To lock the coin box, close the tab and insert a padlock (not provided with phone) between the two holes of the tabs.

TO USE THE PAY PHONE:

1. Lift handset, LCD display will show HELLO
2. Dial desired phone number, the display will show the amount to be deposited
3. Deposit the amount requested
4. Press talk button when other party answers
5. If you get a busy tone or a no answer signal, hang up the handset and the money will be refunded

PROGRAMMING REFERENCE:

Note: All programming must be done in the program mode. The first important thing you need to do is to change the factory preset pass code. For all programming press # to save the entry, press * to cancel.

To enter the program mode:

1. Enter # then the six digit pass code 000000, the display will show FLASH then FREE
2. Enter preset pass code, *#000000, the display will show P-, you are now in the program mode

To change factory pass code:

1. Enter *96 the display will show the old pass code
2. Enter your new 6-digit pass code
3. Enter # to confirm, display will show PASS

If you forget your pass code:

1. With the phone hung up, remove the tap underneath the base to reveal the dipswitches
2. Dipswitches should be dipswitch-1 off, dipswitch-2 on, and dipswitch-3 on
3. Put dipswitch-1 on and go off hook
4. Enter #000000 display will show FLASH then FREE
5. Enter *#000000 display will show P-
6. Put dipswitch-1 off
7. Enter *96 and your new 6-digit pass code, enter # to confirm and display will show PASS
8. The pass code becomes your own 6-digit number.

To use Dipswitches:

- Dipswitch-1 resets pass code. It is used as above.
- Dipswitch-2 sets tone or pulse dialing. For tone dialing, put it on, for pulse dialing, put it off.
- Dipswitch-3 sets ringer on or off.

To check the amount of money in the coin box:

1. Enter *97 the display will show the cash amount
2. Enter # to reset or enter * to exit

(Example: 00075 is $0.75, 00100 is $1, and 20000 is $200)

To erase old program settings:

1. Enter *99, display will show [99] CLr
2. Enter # to confirm, display will blink CLr ----, then show PASS

To set phone for PBX:

To set phone to work on a PBX but you will manually dial the prefix i.e. 0 or 9.

1. Enter *13
2. Enter 1 then your 1-digit extension
3. Enter # to confirm, display will show PASS

To set phone to work on a PBX but to automatically dial the prefix i.e. 0 or 9.

1. Enter *13
2. Enter 2 then your 1-digit extension
3. Enter # to confirm, display will show PASS

To set phone for regular line: (preset by factory)

1. Enter *13
2. Enter 00
3. Enter # to confirm, display will show PASS

Incoming calls: (preset as unlimited time)

1. Enter *14
2. Enter your 2-digit time limit; it can be set for 01 minute to 98 minutes
3. Entering 00 will restrict incoming calls; entering 99 will allow unlimited time on incoming calls
4. Enter # to confirm, or enter * to cancel

Example: To set incoming time limit to 5 minutes.

1. Enter *14
2. Enter 05
3. Enter # to confirm, display will show PASS

Free calls:

There are 20 different locations you can use to allow 20 different free calls up to 12 digits. These locations are *40 thru *59. To allow a particular number to be free enter any location from *40 thru *59. Enter that particular number, if the number is less than 12 digits enter # after the last number. Then enter # to confirm or enter * to cancel.

Example: To allow the number 281-550-5592 to be free.

1. Enter *45
2. Enter 2815505592#
3. Enter # to confirm, display will show PASS, or enter * to cancel the entry.

Restrict calls:

There are 20 different locations you can use to restrict 19 different numbers up to 12 digits. These locations are *20 thru *39. To restrict a particular number enter any location from *20 thru *39. Enter that particular number, if the number is less than 12 digits enter # after the last number. Then enter # to confirm or enter * to cancel.

Example: To restrict 011 calls.

1. Enter *28
2. Enter 011#
3. Enter # to confirm, display will show PASS, or enter * to cancel the entry.

Rate bands:

*00 thru *12 allows you to create a total of 13 types of rate bands. The rate is set by an initial charge and time limit (in seconds) followed by an additional charge and time limit (in seconds).

| RATE BAND | RATE # | INITIAL RATE/TIME LIMIT | ADDITIONAL RATE/TIME LIMIT |
| *00       | 00     | 025180                  | 025180                     |
| *01       | 01     | 075060                  | 075060                     |
| *02       | 02     | 050999                  | 000999                     |
| *03       | 03     | Empty                   | Empty                      |
| *04       | 04     | Empty                   | Empty                      |
| *05       | 05     | Empty                   | Empty                      |
| *06       | 06     | Empty                   | Empty                      |
| *07       | 07     | Empty                   | Empty                      |
| *08       | 08     | Empty                   | Empty                      |
| *09       | 09     | Empty                   | Empty                      |
| *10       | 10     | Empty                   | Empty                      |
| *11       | 11     | Empty                   | Empty                      |
| *12       | 12     | Empty                   | Empty                      |

- *00 is used by factory preset for local calls set at $.25 for the first 3 minutes and $.25 for each additional 3 minutes.
- *01 is used by factory preset for long distance calls set at $.75 for the first minute and $.75 for each additional minute.
- *02 is used by factory preset for information calls (1411 & 411) set at $.50 for unlimited time.

To create a rate band enter any empty rate band from *00 thru *12 and set up the initial rate and time limit followed by the additional rate and time limit.

Example: To set up a rate band to charge $.50 for the first 3mins, and $.25 for each additional 2mins.

1. Enter *03
2. Enter 050180 025120, the initial rate 050180 is 50 cents for 180 seconds, the additional rate 025120 is 25 cents for 120 seconds.
3. Enter # to confirm, display will show PASS, or enter * to cancel the entry.

Assign area codes or prefixes to rate bands:

There are a total of 100 3-digit memory locations that may be used to assign special area codes and/or prefixes to a particular rate band (*00 thru *12). These 3-digit memory locations are 000 thru 099. You may first create a rate band containing the charges and time limits you want (see rate bands), and then assign an area code or area code/prefix in a particular 3-digit memory location from 000 thru 099. Enter # after the last number if the area code and/or prefix is less than 7 digits. Then enter your rate number for the particular rate band you created and enter # to confirm.

Example 1: To assign the area code 1-281 to the long distance rate band in the memory location 056. (assume *01 is kept as factory preset.)

1. Enter 056 1281#01
2. Enter # to confirm, display will show PASS, or enter * to cancel the entry.

Example 2: To assign the area code 1-713 and prefix 551 to charge $.75 for the first minute and $.25 for each additional minute.

First create a rate band (we choose rate band *10)

1. Enter *10
2. Enter 075060 025060
3. Enter # to confirm, display will show PASS

Then assign the area code and prefix to a particular 3-digit memory location and assign it to the rate band we just created by the rate number.
(we choose 3-digit memory location 088)

1. Enter 088 1713551#10
2. Enter # to confirm, display will show PASS

To allow/disallow 0-calls: (factory set to disallow)

To allow 0-calls.

1. Enter *60
2. Enter 1
3. Enter # to confirm, display will show PASS

To disallow 0-calls.

1. Enter *60
2. Enter 0
3. Enter # to confirm, display will show PASS

To enable/disable 0+ rerouting calls: (factory set to enable)

To enable 0+ rerouting calls.

1. Enter *61
2. Enter 1
3. Enter # to confirm, display will show PASS

To disable 0+ rerouting calls.

1. Enter *61
2. Enter 0
3. Enter # to confirm, display will show PASS

Cut off time: (factory set as 5 seconds)

*62 is programmed to set a cut off time on calls using 0 or Operator for the leading number prior to the prefix. If additional numbers are not entered within the preset time, the connection will be broken and deposited coins will be returned. This function is effective only under the condition that there is not a reroute number in *63.

To change the cut off time.

1. Enter *62
2. Enter the 1-digit time limit in seconds
3. Enter # to confirm, display will show PASS

Example: To set the cut off time to 3 seconds.

1. Enter *62
2. Enter 3
3. Enter # to confirm, display will show PASS

To reroute number:

*63 is used to program a 0+ reroute number that will be dialed out when you dial 0. This number can be up to 29 digits, if the number is less than 29 digits enter # after the last number. The factory preset reroute number is 18884562277 pause 2815505592.

Example: If you want to set up the reroute number as 1010222.

1. Enter *63
2. Enter 1010222*0#, the display will show [63] 1010222-0=
3. Enter # to confirm, display will show PASS

When customers dial 0-281-550-5592, the phone will actually dial: 1010222 pause 0-281-550-5592.

* is to put a pause in the reroute number.

Example: If you want to set up the reroute number as: 18884562277 pause 2815505592.

1. Enter *63
2. Enter 18884562277*28155055920#, the display will show [63] 18884562277-28155055920=
3. Enter # to confirm, display will show PASS

When customers dial 0-956-855-2345, the phone will actually dial 1888-456-2277 pause 281-550-5592-0-956-855-2345.

To set the pause time in the reroute number: (factory set at 5 seconds)

1. Enter *64
2. Enter the time in seconds (1-digit)
3. Enter # to confirm, display will show PASS

Example: To set the pause time to be 3 seconds.

1. Enter *64
2. Enter 3
3. Enter # to confirm, display will show PASS

To clear the reroute number:

1. Enter *63
2. Enter #
3. Enter # to confirm, display will show PASS

OWNERS TO MAKE A FREE COINLESS CALL:

1. Enter # then your pass code, the display will show FLASH then FREE
2. You are now able to make a free call

ERROR CODE LIST:

- Error 2: Dial restricted number or invalid numbers.
- Error 4: Coin mechanism is full or has coin jam.
- Error 6: You don't dial a number for 25 seconds after handset is lifted.
- Error 7: You don't deposit enough coins for 25 seconds.
- Error 8: The line is connected for a long time but no one answers.

FACTORY PRESETS:

*#000000            Pass code
*00 025180025180#   Rate 00 for local at $.25 for 3mins. and $.25 for each add 3mins.
*01 075060075060#   Rate 01 for long distance at $.75 for 1min. and $.75 each add min.
*02 050999000999#   Rate 02 for information (411/1411) set at $.50 for unlimited time limit
*13 00#             Regular line dialing
*14 99#             Incoming calls set at unlimited time

Restricted calls:

*20 1900##          Used to restrict 1900#s
*21 1976##          Used to restrict 1976#s
*22 976##           Used to restrict 976#s
*23 1700##          Used to restrict 1700#s

Free calls:

*40 1800##          Used to allow 1800 toll free calls
*41 1877##          Used to allow 1877 toll free calls
*42 1888##          Used to allow 1888 toll free calls
*43 911##           Used to allow free emergency 911 calls

*60 0               Used to disallow 0- calls
*61 1               Used to allow 0+ calls
*62 5               Cut off time set at 5 seconds
*64 5               Pause time set at 5 seconds

000 through 099     3-Digit Memory locations

000 1#01#           1+ Long distance calls set at rate 01
001 2#00#           001 thru 008 are 3-digit memory locations
002 3#00#           used to set local calls at rate 00
003 4#00#
004 5#00#
005 6#00#
006 7#00#
007 8#00#
008 9#00#
009 1411#02#        1411 calls set at rate 02
010 411#02#         411 calls set at rate 02

TECHNICAL SPECIFICATIONS:

Complies with part 68, FCC rules
FCC Regulation Number: 4N9THA-30319-CX-E
Ringer Equivalence: 1.0A
U.S.O.C.: RJ11C
Model Number: ST-001

www.nettwerked.net 08.31.2000

___

------------------

Hi, today I'm going to present a VMB/PBX system that I have named Acces Total, because that is what the company that runs it is called and I couldn't find an official name. It was my friend Loster who gave me a PBX like this, and up until recently I was testing pretty much all of the options, which I'm going to share with you. As for the NIPs (passwords), before, on the two PBXs I had, they were 4 digits, but since there were a few abusers (don't look at me like that) they increased the security, according to what Neuro told me. OK, now you know a bit of the history; next, finding a 990 number to hack. It's ultra simple: in the whole (450)(514)-990-XXX range it's nothing but that!
You could also look in the newspapers, because several free erotic lines are in the 990 exchange, or simply escort agencies (bunch of perverts).

When you call, you will hear a message and then it transfers to something else. It is before the transfer, right when it answers, that you have to dial a password immediately. It is usually 6-10 digits (although there used to be some with 4). You have to enter two and then *, otherwise it disconnects you. Since it is 6 digits or more, it is not easy to remember, so you try either the number backwards or simple things the person might have set (see the Pyrofreak or NPC zines).

Fact sheet:

Reminder
- Found mostly in (450)(514)-990-XXX
- The NIP is entered quickly at the start, right when it answers
- You enter two NIPs and then press *, otherwise after three it disconnects you
- NIP usually 6-10 digits

MENU

2 - Call forwarding
    How would you like your calls to be forwarded?
    Your calls are currently forwarded to.....
    Enter the two digits of the memory to forward your calls, or press *
    to keep the current forwarding setting

6 - Send a message
    Please enter the Access Total number to which you wish to send a message

0 - Help

8 - Advanced functions
    1 - Record a greeting message for a memory
    2 - Record the standard intro
    3 - Change the reserved number
    4 - Change the recorded name
    5 - Activate the weekly schedule
    6 - Deactivate the schedule
    7 - Listen to the system intro and change the NIP
        Please enter your new NIP now

9 - Make a call (only within 450-514, unfortunately)
    If you want to make another call afterwards, press ## twice
    'Handy if you're in a phone booth!!
* - Forward
# - Back

To conclude, if you're having trouble finding the passwords, I have a friend who managed to do some social engineering by passing himself off as someone from Bell Canada, so it's up to you to try whatever you can to succeed. Have phone!

Flopik

___

US NATIONAL PARTYLINE NUMBERS

Submitted by: Kybo_Ren
On: Friday September 1, 2000
For: Canadian Phreakers Union

Notes: The following party line phone numbers offer free sign-up and private conference rooms for up to 8 people. Use these numbers for your conferences, but please don't abuse the systems because that just ruins it for the rest of us...

- Boston Donut          617-933-7760
- Chitown Underground   312-602-1212
- Connecticut Raven     860-835-7760
- Mars Hotel            815-333-4356
- Miami Raven           305-503-7771
- Miami Zoo             305-503-7777
- NYC Club 30           718-280-7779
- Raven                 305-503-7771
- Roach                 305-503-1878
- ""                    215-825-7776
- ""                    305-503-7771
- Viper                 305-503-1877

END

___

Jawa you little felching pile of festering maggot ridden cat shit!

___

[-` Rogers/AT&T Pay-As-You-Go Billing Vulnerability `-]

Advisory released: Tuesday August 29, 2000

Severity: Pay-As-You-Go billing vulnerability on the part of Rogers/AT&T allowing anyone (especially YOU!) to exploit it and make local/national/international calls for free.

Author: The Clone

--

Disclaimer; I don't take responsibility for anything in this file because an Iranian terrorist group known as 'habakkkoktao' has held me at gun point requesting that I write this or they're going to shoot me. Don't blame me, blame them!

Introduction;

Rogers/AT&T (Canada) offers to its customers, a particular service plan known as the "ROGERS/AT&T Pay-As-You-Go Wireless Plan". This "plan" entitles you to full local, national, and international wireless service within the coverage areas that it offers (see www.rogers.ca for coverage info).

In order to make use of the pre-paid wireless service, you must firstly sign up by:

1.
Dialing one of the following toll-free numbers from a landline phone;
(Between 8:00am-9:00pm weekly, 8:00am-6:00pm Saturdays and holidays)

   1-800-663-1415 - British Columbia, Alberta, Saskatchewan, Manitoba
   1-800-268-7347 - Ontario
   1-800-361-0538 (1-800-ROGERS AT&T) - Quebec, New Brunswick, Nova Scotia,
                    Prince Edward Island, Newfoundland

OR

2. Walk into any Rogers/AT&T store or certified dealership and sign up there. Want to order over the phone or need help finding the nearest dealership? Call: 1-888-448-7994

OR

3. Buy 'Pay-As-You-Go' online: http://www.rogers.ca/wireless/english/voice/pay/buy/index.html

Pre-Paid Cards;

By going to any Rogers/AT&T wireless store location, you can pick yourself up one of many different Pay-As-You-Go cards. What I usually buy are the $25 1-hour cards because they're cheap and I'm not really huge on talking on tumor causing insecure radio transmitter/receivers.

Activating your Card;

After purchasing your pre-paid card, what you can do is call up one of the INWATS numbers listed above (from a landline) that services your local area and speak to one of the friendly customer service representatives who'll be MORE than happy to help you out. Tell them that you just purchased a pre-paid card and that you'd like them to renew the time to your phone.

Re-filling your time;

Either buy another Pay-As-You-Go card from a Rogers/AT&T dealership, call them up and pay with your credit card, OR see step 3 [above].

--

The Vulnerability - as a scenario.
- Johnny picks up his wireless Rogers/AT&T pre-paid phone and turns it on
- Johnny hears a beep, looks at his phone and notices that he has a lot of battery power left
- Johnny feels glee and lets out a huge *sigh*
- Johnny then proceeds to dial his boyfriend Frank's phone number
- Johnny prepares to listen to the beautifully sounding automated female recording (that makes him for a moment in his very homosexual life want to be heterosexual just so he'd know what it was like to actually lust for such an angelic voice) read off the number of minutes he has left for his call (account balance).
- Too bad for Johnny; no automated voice at all!

"What duth dith mean?" lisps the very gay, confused, and curious Johnny.

Well Johnny, what just occurred was simple; The Rogers/AT&T's Pay-As-You-Go billing system didn't recognize your account, therefore you weren't billed for that particular call. Each time the automated voice plays, you're billed for the call - each time it doesn't, you aren't. I've estimated (with my personal experience) that the billing errors occur approximately 40% of the time while 60% of the time the billing goes through absolutely fine.

One could easily exploit this vulnerability by; Hanging up the call every time the automated voice appears on the phone, re-dialing the desired number and repeating the process until the automated voice doesn't appear. Simply only pay for one $25 Pay-As-You-Go card and keep exploiting the Rogers/AT&T system, calling any number you wish in the world for absolutely free! No one gets billed, no one is hurt. Leech off the capitalist pigs while you still can!

-END-

___

A Guide to General Packet Radio Service

Written by: PsychoSpy and The Clone
Date: Sunday September 3, 2000

GPRS (short for General Packet Radio Service) is a data service upgrade for GSM networks. This allows GSM Networks to be completely compatible with the Internet. GPRS uses a packet-mode technique to transfer traffic in bursts.
These bursts allow higher efficiency, and therefore higher speeds. The packet bursting technique is also used in DSL modems, and other methods of high-speed internet access. Due to this technique GPRS allows bit rates from 9.6 Kbps to more than 150 Kbps per user.

There are a couple of major benefits of using GPRS. These include better use of radio/network resources and a completely transparent support of IP. Radio resources are only used when data is being sent and/or received. GPRS also provides an immediate connection (again like DSL or Cable) and a high throughput. It also allows end user applications to only occupy the network when data is being transferred, and is an almost perfect design for the short data bursts which data applications seem to have these days.

Applications based on standard data protocols like IP and X.25 are supported. Four different quality of service levels are supported by GPRS.

To support data apps, GPRS uses several new network nodes in addition to the GSM PLMN network nodes. They are responsible for traffic routing, and various other internetworking functions with other, external, packet-switched data networks (can anyone say Datapac?), subscriber location, cell selection, roaming and all the other functions which all cellular networks need to operate.

Now that we have the general info on what GPRS is, I will talk about a few other protocols which are linked with GPRS.

NS
~~

NS (Network Service) transfers the NS SDUs between the SGSN (serving GPRS support node) and BSS (Base station system). There are several services which are provided to the NS user. They include:

Network Congestion Indication - The Sub-Network Service (i.e. Frame Relay) performs congestion recovery control actions. The network service uses various congestion reporting mechanisms which are in the Sub-Network Service implementation.

Status Indication - Is used to tell the NS user of NS affecting events. An example is a change in the capabilities of transmission.
Network Service SDU Transfer - Allows network service primitives. This allows transmission and reception of upper layer protocol data units between the BSS and SGSN. NS SDUs are transferred in order by the Network Service, but under certain circumstances order might not be maintained.

The NS PDU format is:

            1 byte
 |----------------------------|
 | PDU Type                   |
 |----------------------------|
 | Other Information Elements |
 |----------------------------|

The PDU Type can be any of the following:

 NS-ALIVE
 NS-ALIVE-ACK
 NS-BLOCK
 NS-BLOCK-ACK
 NS-RESET
 NS-RESET-ACK
 NS-STATUS
 NS-UNBLOCK
 NS-UNBLOCK-ACK
 NS-UNITDATA

Next we're onto the Information Elements (IEs) of the PDU. The IEs which are present depend on what the PDU type is. The structure of an IE is as follows:

             1 byte
 |------------------------------|
 | Information Element ID (IEI) |
 |------------------------------|
 | Length Indicator             |
 |------------------------------|
 | Information Element Value    |
 |------------------------------|

The first octet of an information element, having the TLV format, contains the IEI of the IE. If the IEI is not known in the PDU, the receiver assumes that the next octet is the first octet of the length indicator. This rule is used to allow the receiver to skip unknown IEs and analyze any other following elements.

Next up is the length indicator. This varies in length, and can be either one or two octets long; the second octet may not be present. This field has the field extension bit, 0/1 ext, and closely following it is the length of the field in octets. The 8th bit of the first octet is reserved for the field extension bit. If the field extension bit is set to zero, the second octet of the length indicator is present. If it is set to one, then the first octet is the final octet of the length indicator.

Lastly, the IE Value.
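The IEI and length-indicator rules above are enough to walk a PDU without reading past its end. The following Python parser is an added example, not code from the original article: it assumes every IE after the PDU type octet is TLV-coded, takes the numeric IEI codes from GSM 08.16 (they are not given on this page), and treats the first length octet as the high-order bits of a two-octet length.

```python
"""Walk the TLV information elements of an NS PDU (added example)."""
from dataclasses import dataclass

# IE names come from the article; the numeric IEI codes are not on the page
# and are assumed here from GSM 08.16.
KNOWN_IEI = {0x00: "Cause", 0x01: "NS-VCI", 0x02: "NS PDU",
             0x03: "BVCI", 0x04: "NSEI"}


class MalformedPDU(ValueError):
    """Raised when a PDU cannot be parsed without reading past its end."""


@dataclass(frozen=True)
class InformationElement:
    iei: int
    value: bytes

    @property
    def name(self):
        return KNOWN_IEI.get(self.iei)  # None for an unknown IEI


def read_length(buf: bytes, pos: int):
    """Decode the 1- or 2-octet length indicator starting at buf[pos].

    Bit 8 of the first octet is the field extension bit: 1 means this octet
    is the final one, 0 means a second octet is present.
    Returns (length, position of the first value octet).
    """
    if pos >= len(buf):
        raise MalformedPDU("length indicator missing")
    first = buf[pos]
    if first & 0x80:
        return first & 0x7F, pos + 1
    if pos + 1 >= len(buf):
        raise MalformedPDU("second length octet missing")
    # Assumption: the 7 bits of the first octet are the high-order bits.
    return ((first & 0x7F) << 8) | buf[pos + 1], pos + 2


def parse_ies(buf: bytes, pos: int = 0):
    """Return every IE found from buf[pos] to the end of the buffer."""
    ies = []
    while pos < len(buf):
        iei = buf[pos]
        length, pos = read_length(buf, pos + 1)
        end = pos + length
        if end > len(buf):
            raise MalformedPDU(
                f"IE 0x{iei:02x} claims {length} octets, {len(buf) - pos} left")
        ies.append(InformationElement(iei, bytes(buf[pos:end])))
        pos = end
    return ies


def parse_ns_pdu(buf: bytes):
    """Return (pdu_type, known IEs by name, IEIs that were skipped)."""
    if not buf:
        raise MalformedPDU("empty PDU")
    known, skipped = {}, []
    for ie in parse_ies(buf, 1):
        if ie.name is None:
            skipped.append(ie.iei)  # unknown IE: stepped over via its length
        else:
            known[ie.name] = ie.value
    return buf[0], known, skipped


# Constructed sample (not a capture): PDU type octet 0x02, then Cause, an
# unknown IE 0x7e carrying a two-octet length, NS-VCI and NSEI.
SAMPLE = bytes.fromhex("02" "008101" "7e0003aabbcc" "01820005" "0482002a")

if __name__ == "__main__":
    print(parse_ns_pdu(SAMPLE))
```

The bounds checks in `read_length` and `parse_ies` are the part that matters on a real link: a length indicator is attacker-influenced input and must never be trusted beyond the end of the received buffer.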
The following IEs can be present, but are, once again, dependent on the PDU type:

 Cause
 NS-VCI
 NS PDU
 BVCI
 NSEI

BSSGP
~~~~~

The primary functions of the BSSGP are:

- Provision by an SGSN to a BSS of radio related information used by the RLC/MAC function (in downlink)
- Provision by a BSS to an SGSN of radio related information from the RLC/MAC function (in uplink)
- Provision of functionality to allow two physically distinct nodes, an SGSN and a BSS, to operate node management control functions.

The BSSGP PDU format is:

            1 byte
 |----------------------------|
 | PDU Type                   |
 |----------------------------|
 | Other Information Elements |
 |----------------------------|

LLC
~~~

The LLC (Logical Link Controller) defines the logical link control layer protocol to be used for (packet) data transfer between the MS (Mobile Station) and a serving GPRS support node (SGSN). LLC goes from the MS to the SGSN and is intended to be used for both acknowledged and unacknowledged data transfers.

LLC's defined frame formats are based on the ones defined for LAPD and RLP. However, there are major differences between other protocols and LLC, in particular in frame delimitation methods and transparency mechanisms. These differences are necessary for independence from the radio path.

Two methods of operation are supported by LLC. These are:

- Unacknowledged peer-to-peer operation
- Acknowledged peer-to-peer operation

All LLC layer peer-to-peer exchanges are in frames of the following format:

             1 byte
 |------------------------------|
 | Address                      |
 |------------------------------|
 | Control                      |
 |------------------------------|
 | Information                  |
 |------------------------------|
 | FCS                          |
 |------------------------------|

The address field contains the SAPI and identifies the DLCI for which a downlink frame is intended and the DLCI transmitting an uplink frame.
The length of the address field is 1 byte, and has the following format:

      ________________________________
 Bit |  8     7     6-5     4-1      |
     |------------------------------|
     |  PD    C/R   XX      SAPI     |
     |------------------------------|

- The protocol discriminator (PD) shows whether a frame is LLC or belongs to a different protocol. LLC frames have the PD bit set to zero. The frame is treated as invalid if its PD bit is set to 1.
- The C/R identifies a frame as either a command or response. The MS side sends commands with the C/R bit set to zero, and responses with it at 1. The SGSN does the opposite (commands are sent with C/R set to 1, and responses are sent with it at 0).
- The XX bits are reserved.
- Service Access Point Identifier (SAPI) identifies a point where LLC services are provided by an LLE to a layer-3 entity.

After the address, comes control. This identifies the type of frame. There are four types of control field formats. They are:

- Confirmed information transfer (I format)
- Supervisory functions (S format)
- Unconfirmed information transfer (UI format)
- Control functions (U format)

Next is the information field. This contains various commands and responses.

The FCS (Frame Check Sequence) field consists of a 24-bit cyclic redundancy check (CRC) code. CRC-24 is used to detect bit errors in the frame header and information fields.

SNDCP
~~~~~

SNDCP (Sub-Network Dependent Convergence Protocol) uses the services provided by the LLC Layer, and SM (Session Management) sub-layer. The four main functions of SNDCP are:

- Multiplexing of several PDPs (Packet Data Protocol)
- Compression/Decompression of user data
- Compression/Decompression of protocol control information
- Segmentation of a network protocol data unit (N-PDU) into LLC protocol data units (LL-PDUs) and re-assembly of LL-PDUs into a N-PDU

Data transfer is acknowledged by the SN-DATA PDU.
The format of the SN-DATA PDU is:

     8     7     6     5        4-1
 |-------------------------------------------|
 |  X  |  C  |  T  |  M  |      NSAPI        |
 |-------------------------------------------|
 |        DCOMP          |      PCOMP        |
 |-------------------------------------------|
 |                                           |
 |                   Data                    |
 |-------------------------------------------|

The SN-UNITDATA PDU (used to Acknowledge data transfer) has a format as follows:

     8     7     6     5        4-1
 |-------------------------------------------|
 |  X  |  C  |  T  |  M  |      NSAPI        |
 |-------------------------------------------|
 |        DCOMP          |      PCOMP        |
 |-------------------------------------------|
 |    Segment offset     |   N-PDU Number    |
 |-------------------------------------------|
 |  E  |        N-PDU Number (Cont'd)        |
 |-------------------------------------------|
 |                                           |
 |                   Data                    |
 |-------------------------------------------|

NSAPI (Network Service Access Point Identifier). The values of this field may be any one of the following:

 0   | Escape Mechanism for Future Extensions
 ----|--------------------------------------------------
 1   | Point-to-multipoint multicast (PTM-M) information
 ----|--------------------------------------------------
 2-4 | Reserved for future use
 ----|--------------------------------------------------
 5-15| Dynamically allocated NSAPI value
 ----|--------------------------------------------------

M is the more bit. Its values may be:

 ----|-------------------------------------------------------
 0   | Last Segment of N-PDU
 ----|-------------------------------------------------------
 1   | Not the last segment of N-PDU, more segments to follow
 ----|-------------------------------------------------------

The T bit, SN-PDU type, specifies whether the PDU is SN-DATA (0) or SN-UNITDATA (1).

C is the compression indicator. If set to 0, the compression fields DCOMP and PCOMP are not included. If set to 1, these fields are included.

X is the spare bit. This is always set to 0.

DCOMP (Data Compression Coding) is included if the C-bit is set.
DCOMP values are:

 ----|--------------------------------------------
 0   | No Compression
 ----|--------------------------------------------
 1-14| Points to the data compression identifier
     | negotiated dynamically
 ----|--------------------------------------------
 15  | Reserved for future extensions
 ----|--------------------------------------------

PCOMP (Protocol Control Information Compression Coding) is included if the C-bit is set. The PCOMP Values are:

 ----|--------------------------------------------
 0   | No Compression
 ----|--------------------------------------------
 1-14| Points to the protocol control information
     | compression identifier negotiated dynamically
 ----|--------------------------------------------
 15  | Reserved for future extensions
 ----|--------------------------------------------

N-PDU Number:
 0-2047 when the extension bit is set to 0.
 2048-524287 if the extension bit is set to 1.

RLP
~~~

The Radio Link Protocol (RLP) is used to transmit data over the GSM PLMN. RLP covers the functionality of Layer 2 of the ISO OSI Reference Model. It has been tailored to the needs of digital radio transmissions and provides an OSI data link service. It also spans from the MS (Mobile Station) to the interworking function, which is located at the nearest MSC (Mobile Switching Center) or even further.

There are currently three versions of RLP: Version 0 is a single-link basic version, Version 1 is a single-link extended version, and Version 2 is a multi-link version.

RLP frames are fixed in length. The frame can either be 240 or 576 bits. The frame consists of a header, information field, and an FCS field.

The format of the 240-bit frame is:

 _____________________________________
 | Header  | Information     | FCS    |
 |---------|-----------------|--------|
 | 16 bit  | 200 bit         | 24 bit |
 |---------|-----------------|--------|
 | 24 bit  | 192 bit         | 24 bit |
 |---------|-----------------|--------|

The header is 16 bits in versions 0, 1, and in the U frame of version 2.
It is 24 bits in the S and I+S frames of version 2.

The format of the 576-bit frame is:

 _____________________________________
 | Header  | Information     | FCS    |
 |---------|-----------------|--------|
 | 16 bit  | 536 bit         | 24 bit |
 |---------|-----------------|--------|
 | 24 bit  | 528 bit         | 24 bit |
 |---------|-----------------|--------|

The header is 16 bits in version 1 and in the U frames of version 2. It is 24 bits in the S and I+S frames of version 2.

The header contains control information. This control information can be any one of three types:

1) Un-numbered protocol control information (U frames)
2) Supervisory Information (S frames)
3) User Information Carrying Supervisory information piggybacked (I+S Frames)

The FCS (Frame Check Sequence) field in the RLP is just like the FCS which is used in LLC which was discussed earlier.

RLP can be either in Asynchronous Balanced Mode (ABM) or Asynchronous Disconnected Mode (ADM). ABM is the data link operation mode, while ADM is the data link non-operational mode.

Now we're going to get into some, maybe, confusing diagrams. The following diagram shows the structure of Versions 0 and 1. The low-order bit of N(S) is bit 4, and the low-order bit of N(R) is bit 11.

Bits 1-16 are as follows:

     ___________________________________________________________________________
 U   | C/R | X  | X  | 1 | 1 | 1 | 1 | 1 | 1 | P/F | M1 | M2 | M3 | M4 | M5 | X |
     |-----|----|----|---|---|---|---|---|---|-----|----|----|----|----|----|---|
 S   | C/R | S1 | S2 | 0 | 1 | 1 | 1 | 1 | 1 | P/F |           N(R)             |
     |-----|----|----|---|---|---|---|---|---|-----|----------------------------|
 I+S | C/R | S1 | S2 |         N(S)          | P/F |           N(R)             |
     |-----|----|----|-----------------------|-----|----------------------------|

Version 2

S is a L2R status bit, the low-order bit of N(S) is bit 1, the low-order bit of N(R) is bit 14, and UP is a UP bit.
Bits 1-24

     ___________________________________________________________________________
 U   | C/R | X | X | 1 | 1 | 1 | 1 | 1 | 1 | P/F | M1 | M2 | M3 | M4 | M5 | X |
     |-----|---|---|---|---|---|---|---|---|-----|-----|----|----|-------------|
 S   | X   | X | X | 0 | 1 | 1 | 1 | 1 | 1 | P/F | C/R | S1 | S2 | N(R)  X  UP |
     |-----|---|---|---|---|---|---|---|---|-----|-----|----|----|-------------|
 I+S |               N(S)                  | P/F | C/R | S1 | S2 | N(R)  S  UP |
     |-------------------------------------|-----|-----|----|----|-------------|

The C/R (Command Response) bit shows whether the frame is a command or a response frame. It can have only one of two values:

 1  Command
 0  Response

The P/F (Poll/Final) bit shows a special instance of the command/response exchange.

The X bits don't really matter.

In the Unnumbered Frames (U) the M1 M2 M3 M4 and M5 bits can have any of the following values, depending on the type of information carried:

 SABM   11100
 UA     00110
 DISC   00010
 DM     11000
 NULL   11110
 UI     00000
 XID    11101
 TEST   00111
 REMAP  10001

SABM == Set Asynchronous Balance Mode
SABM is used to initiate a link for a numbered information transfer or to reset a link already established.

UA == Unnumbered Acknowledge
UA is issued as a response to acknowledge a SABM or DISC command.

DISC == Disconnect
DISC is used to disestablish a previously established information transfer link. (duh!)

DM == Disconnect Mode
DM Encoding is used as a response message.

NULL == NULL

UI == Unnumbered Information
UI says that the information field is to be interpreted as unnumbered information.

XID == Exchange Identification
XID signifies that the information field should be interpreted as exchange identification, and is used to negotiate and/or renegotiate parameters of RLP and Layer 2 relay functions.

TEST == TEST
This shows that the information field of the frame is test information.

REMAP == REMAP
This signifies that a remap exchange takes place in ABM following a change of channel coding.
If an answer is not received within a specified time then the module end enters ADM.

In the S and I+S Frames the following are present:

N(S) == Send Sequence Number
N(S) contains the number of the I frame.

N(R) == Receive Sequence Number
N(R) is used in ABM to designate the next information frame to be sent and to confirm that all frames up to and including this bit have been correctly received.

S == L2 Status Bit

S1 and S2 bits can have the following significance in the S and I+S frames:

 RR    00
 REJ   01
 RNR   10
 SREJ  11

RR == Receive Ready
RR can be used as a command OR a response. It clears any previous busy condition in that area.

REJ == Reject Encoding
REJ is used to show that in numbered information transfer, 1 or more out of sequence frames have been received.

RNR == Receive Not Ready
RNR shows that the entity isn't ready to receive numbered information frames.

SREJ == Selective Reject
SREJ is used to request a retransmission of a single frame.

UP is used in version 2, to indicate that a service level upgrade will increase the throughput.

[- {GTP} -]

The GPRS Tunnelling Protocol (GTP) is the protocol between GPRS Support Nodes (GSNs) which allows multiprotocol packets to be tunnelled through the GPRS backbone network. These packets are the collection of data that carry one of two substantial pieces of information; either the user's IP or X.25 packets.

Below GTP, the standard protocols (TCP or UDP) are employed to transport the GTP packets within the GPRS backbone network. X.25 expects a reliable data link to be used, which is why TCP is used for data transfer. UDP is simply used for special access to IP-based packet data networks, which don't necessarily expect reliability in the network layer. IP is employed in the network layer to route specific packets through the GPRS backbone.

Please note; Ethernet, ISDN, or ATM-based protocols may be used below IP for GTP packeting.

Let's summarize, shall we?
In the GPRS backbone we have an IP/X.25-over-GTP-over-UDP/TCP-over-IP transport architecture.

Subnetwork Dependent Convergence Protocol
--

The Subnetwork Dependent Convergence Protocol (SNDCP) is used to transfer data packets between the Serving GPRS Support Node (SGSN) and the Mobile Station (MS). Its functionality includes:

* Compression and decompression of user data and redundant header information.
* Multiplexing of several connections of the network layer onto one virtual connection in the underlying Logical Link Control (LLC) layer.

(Definition; Logical Link Control (LLC): a data link layer protocol for GPRS. This layer assures the reliable transfer of user data across a wireless network.)

- In the signaling plane, GTP specifies a tunnel control and management protocol which allows the SGSN to provide GPRS network access for a MS.
- Signaling is used to create, modify and delete tunnels. In the transmission plane, GTP uses a tunneling mechanism to provide a service for carrying user data packets. The choice of path is dependent on whether the user data to be tunneled requires a reliable link or not.
- The GTP protocol is implemented only by SGSNs and GGSNs. No other systems need to be aware of GTP's presence. GPRS MSs are connected to an SGSN without being aware of GTP. It is assumed that there will be a "many-to-many" relationship between SGSNs and GGSNs.
- A SGSN may provide service to many GGSNs. A single GGSN may associate with many SGSNs to deliver traffic to a large number of geographically diverse mobile stations.

GTP header structure

The GTP header is a fixed format 16 octet header used for all GTP messages. Below is a simple diagram of the GTP header structure; hopefully this will give you a general idea of the relevancy of GTP headers.
   8  7  6   |   5 - 2    |   1
 |-------------------------------|
 |  Version  |  Reserved  |  LFN |
 |-------------------------------|
 |  Message type                 |
 |-------------------------------|
 |  Length                       |
 |-------------------------------|
 |  Sequence Number              |
 |-------------------------------|
 |  Flow Label                   |
 |-------------------------------|
 |  LLC Frame Number             |
 |-------------------------------|
 |  x  x  x  x  x  x  x   |  FN  |
 |-------------------------------|
 |  Reserved                     |
 |-------------------------------|
 |  TID                          |
 |-------------------------------|
        GTP header structure

GTP Header Structure; Definitions
---------------------------------

- Version: Set to 0 to indicate the first version of GTP.
- Reserved: Reserved bits for future use, set to 1.
- LFN: Flag indicating whether the LLC frame number is included or not.
- Message Type: Type of GTP message.
- Length: Indicates the length in octets of the GTP message (G-PDU).
- Sequence number: Transaction identity for signaling messages and an increasing sequence number for tunneled T-PDUs.
- Flow label: Identifies unambiguously a GTP flow.
- LLC frame number: Used at the Inter SGSN Routing Update procedure to coordinate the data transmission on the link layer between the MS and the SGSN.
- x: Spare bits x indicate the unused bits which are set to 0 by the sending side and are ignored by the receiving side.
- FN: Continuation of LLC frame number.
- TID: Tunnel identifier that points out Mobility Management and PDP contexts.

The format of the TID is as follows:

       5 - 8       |     4 - 1
 |-----------------|-----------------|
 |  MCC digit 2    |  MCC digit 1    |
 |  MNC digit 1    |  MCC digit 3    |
 |  MSIN digit 1   |  MNC digit 2    |
 |  MSIN digit 3   |  MSIN digit 2   |
 |  MSIN digit 5   |  MSIN digit 4   |
 |  MSIN digit 7   |  MSIN digit 6   |
 |  MSIN digit 9   |  MSIN digit 8   |
 |  NSAPI          |  MSIN digit 10  |
 |-----------------|-----------------|
              TID Format

MCC, MNC, MSIN digits: Parts of the IMSI (defined in GSM 04.08).
NSAPI: Network service access point identifier.

[- {GMM} -]

GMM

What is GMM? GMM, or GPRS Mobility Management, is a very complex, versatile protocol that operates within the signaling plane of GPRS, handling such things as: roaming, authentication, and selection of encryption algorithms. The main function of the GMM sub-layer is to support the mobility of user terminals, such as informing the network of its present location and providing user identity confidentiality.
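Going back to the TID layout in the GTP section above, this added Python example (not part of the original article) packs and unpacks the eight octets and rejects anything that does not fit the table. The 0xF padding for a short MSIN and the sample IMSI are assumptions constructed for the example; the NSAPI classes come from the SNDCP table earlier in this guide.

```python
"""Encode and decode the 8-octet GTP TID described above (added example)."""
from dataclasses import dataclass

TID_LEN = 8
FILLER = 0xF  # assumption: an MSIN shorter than 10 digits is padded with 0xF
DECIMAL = "0123456789"


class TIDError(ValueError):
    """Raised for a TID that does not match the layout in the article."""


@dataclass(frozen=True)
class TID:
    mcc: str    # 3 digits
    mnc: str    # 2 digits, as in the article's table
    msin: str   # up to 10 digits
    nsapi: int  # 4-bit value from the last octet

    @property
    def imsi(self) -> str:
        return self.mcc + self.mnc + self.msin


def nsapi_class(nsapi: int) -> str:
    """Classify an NSAPI value using the table in the SNDCP section."""
    if nsapi == 0:
        return "escape"
    if nsapi == 1:
        return "PTM-M"
    if 2 <= nsapi <= 4:
        return "reserved"
    if 5 <= nsapi <= 15:
        return "dynamic"
    raise TIDError(f"NSAPI {nsapi} does not fit in 4 bits")


def decode_tid(raw: bytes) -> TID:
    if len(raw) != TID_LEN:
        raise TIDError(f"TID must be {TID_LEN} octets, got {len(raw)}")
    # Each octet carries two digits; bits 4-1 hold the earlier digit.
    digits = []
    for octet in raw[:7]:
        digits += [octet & 0x0F, octet >> 4]
    digits.append(raw[7] & 0x0F)        # MSIN digit 10
    nsapi = raw[7] >> 4                 # bits 8-5 of the last octet
    msin = digits[5:]
    while msin and msin[-1] == FILLER:  # drop trailing padding only
        msin.pop()
    if not msin or any(d > 9 for d in digits[:5] + msin):
        raise TIDError("non-decimal digit in MCC, MNC or MSIN")
    text = "".join(str(d) for d in digits[:5] + msin)
    return TID(text[:3], text[3:5], text[5:], nsapi)


def encode_tid(tid: TID) -> bytes:
    if not (len(tid.mcc) == 3 and len(tid.mnc) == 2
            and 1 <= len(tid.msin) <= 10):
        raise TIDError("expected 3-digit MCC, 2-digit MNC, 1-10 digit MSIN")
    if any(c not in DECIMAL for c in tid.imsi):
        raise TIDError("IMSI must contain decimal digits only")
    nsapi_class(tid.nsapi)              # raises if outside 0-15
    digits = [int(c) for c in tid.imsi] + [FILLER] * (10 - len(tid.msin))
    body = bytes(digits[i] | (digits[i + 1] << 4) for i in range(0, 14, 2))
    return body + bytes([digits[14] | (tid.nsapi << 4)])


# Constructed sample: test-network style IMSI 001 01 0123456789, NSAPI 5.
SAMPLE_TID = bytes.fromhex("0001012143658759")

if __name__ == "__main__":
    tid = decode_tid(SAMPLE_TID)
    print(tid, tid.imsi, nsapi_class(tid.nsapi))
```

Because the TID embeds the subscriber's IMSI in cleartext nibbles, any tool that logs GTP headers is also logging subscriber identities and should be handled accordingly.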
GMM header format:

   8   7   6   5   4   3   2   1         Octet
 |------------------------------------------|
 | Protocol discriminator | Skip indicator  |  1
 |------------------------------------------|
 | Message type                             |  2
 |------------------------------------------|
 | Information elements                     |  3-n
 |------------------------------------------|

GMM header structure; Definitions
---------------------------------

Protocol discriminator - 1000 identifies the GMM protocol.

Skip indicator - The value of this field is 0000.

Message type - Defines the function and format of each GMM message. The message type is mandatory for all messages. Bit 8 is reserved for possible future use as an extension bit. Bit 7 is reserved for the send sequence number in messages sent from the mobile station.

GMM message bit types:

 0 0 0 0 0 0 0 1   Attach request
 0 0 0 0 0 0 1 0   Attach accept
 0 0 0 0 0 0 1 1   Attach complete
 0 0 0 0 0 1 0 0   Attach reject
 0 0 0 0 0 1 0 1   Detach request
 0 0 0 0 0 1 1 0   Detach accept
 0 0 0 0 1 0 0 0   Routing area update request
 0 0 0 0 1 0 0 1   Routing area update accept
 0 0 0 0 1 0 1 0   Routing area update complete
 0 0 0 0 1 0 1 1   Routing area update reject
 0 0 0 1 0 0 0 0   P-TMSI reallocation command
 0 0 0 1 0 0 0 1   P-TMSI reallocation complete
 0 0 0 1 0 0 1 0   Authentication and ciphering req
 0 0 0 1 0 0 1 1   Authentication and ciphering resp
 0 0 0 1 0 1 0 0   Authentication and ciphering rej
 0 0 0 1 0 1 0 1   Identity request
 0 0 0 1 0 1 1 0   Identity response
 0 0 1 0 0 0 0 0   GMM status
 0 0 1 0 0 0 0 1   GMM information

---

Conclusion;

PsychoSpy and I wrote this document as a guide for anyone desiring to learn more about the future of GSM wireless. Within the next couple of years, I guarantee you'll be seeing a vast number of GSM-type phones in Canada (FIDO provider) offering the high-speed GSM add-on technology known as GPRS. So when GPRS is released by 2002, you won't be left out in the cold wondering "now how the hell did they do that?" because you would have read this document!
What to look for in the future in regards to our R&D:

- A look at GPRS administration, configuration and security analysis
- CDMA Protocols; CC, MM, BSSMAP, DTAP (GSM-L3), RR, BTSM, BSSAP
- SS7 Protocols; MTP2/MTP3, SCCP (v2.0), TCAP ISUP, TUP, DUP

----

Contact Information;

PsychoSpy --
E-mail: PsychoSpy@softhome.net
ICQ: 5057653

The Clone --
E-mail: theclone@haxordogs.net
ICQ: 79198218
URL: http://www.nettwerked.net

~-= An N&N Production =-~

___

DND Non-Public Network and Workstation Security - By PsychoSpy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------- Beginning of Disclaimer ---------
This file is to be used for educational purposes only. By continuing to read this file, you agree that all responsibility for any misuse of this information is bestowed upon you, the reader.
--------- End of Disclaimer ---------

Well, here we are once again! So, you've always wondered what kind of networks the DND are running, haven't you? Have always wanted to know what kind of security mechanisms they use, how their networks are set up etc.? Well, here's your chance kiddies! This file will answer all your questions and more! So, sit back, relax, and enjoy, while I take you on a journey through the DND Classified Network. *spooky music*

1- Introduction and Overview
   ~~~~~~~~~~~~~~~~~~~~~~~~~

The Department of National Defense IT Infrastructure (DND ITI) is segmented into two domains. One, a classified/mission critical environment, and the other a designated or general-purpose environment. The designated environment (which is detailed in one of my earlier files) consists of information processing which is administrative, and unclassified, or designated up to and including what they call a Protected B. Whereas, the classified environment is for information which is, obviously, classified due to national interest, or so the gov't says.
Currently, the classified environment (CNet) is being certified and accredited to allow the processing of information up to and including "SECRET" level including all caveats. This file will talk strictly about the classified environment.

According to the classified domain architecture planning, all traffic is to be encrypted at the network layer using high-grade network encryption units (NEU(H)). They also say that commercial encryption is to be used at the application layer to support secure messaging and caveat separation. It has been decided that the Entrust Public Key Infrastructure (PKI) and Entrust compatible cryptography will be used in the classified domain to meet the application layer encryption requirement.

The diagram below shows the DND Classified Domain Architecture.

DND Classified Domain Architecture
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[Diagram: DND Classified Domain Architecture. Labelled elements: NEU(H), ISAP Switch, ISAP Router, CDN1, CDN2, CDN3, Classified LAN, DWAN, International Switch, DWAN International Router, Cdn Classified LAN, CDN Boundary Switch, MLS (EAL3) Coalition Boundary GTWY, Ottawa (101), CDN_DPLY, Deployed ISAP Router, Deployed Canadian Classified LAN, COA Boundary, COA_DPLY, Coalition WAN, Deployed Coalition Classified LAN.]

COA == Coalition Classified
CDN == Canadian Classified
GTW == Gateway

Assumptions
~~~~~~~~~~~

Certain assumptions are made by the DND as to how the Classified environment will operate. The following assumptions are made:

- The amount of classified data stored on the workstation can be considerable
- The systems will ensure local confidentiality protection (caveat separation) of data by standardizing on such security mechanisms as access control lists (ACLs), standard directory structures, encrypted directories on local hard-disks (Entrust ICE) and C2 operating systems
- Workstations will be located in DND facilities with appropriate levels of physical access controls in place commensurate with those required for classified systems (e.g. commissioners, electronic door locks, swipe card access control systems)
- Protection against malicious hacking from outside sources is not the primary goal. This protection will be provided at the domain boundary by firewalls or gateways as required
- All DND employees who have access to the classified ITI will have the required security clearance. Uncleared persons will be escorted
- All workstations within the classified environment will be considered as shared systems (i.e. intended for use by more than one person).
  Data on the workstation will be protected on a need-to-know or discretionary basis
- A classified domain PKI will be implemented using Entrust

Also, the Department of National Defense has suggested that an evaluated C2/EAL3 Operating System be a minimum standard OS for a classified domain workstation.

To provide an acceptable level of protection against security threats and system vulnerabilities, while keeping the cost reasonable, several protection mechanisms and security policies will be implemented on all of the classified workstations. These mechanisms and policies are meant to provide confidentiality, integrity and authentication, and to ensure classified data is valid and untampered.

Operating Systems
~~~~~~~~~~~~~~~~~

A slight problem arose when the classified domain was being planned. It was due to the mixture of operating systems which are used on workstations. Currently both Windows NT and UNIX (mostly Solaris) are used. This poses a problem for creating a common set of security mechanisms, as some of the safeguards are not available for certain OSs. Due to the lack of safeguards which UNIX usually has, the DND has urged projects and implementors to migrate away from UNIX workstations to the Windows NT platforms. Later in this document, any lack of a security mechanism for an OS will be identified.

2 - Security Services and Mechanisms
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The high-grade encryption which is present at the network layer in the classified domain provides confidentiality for classified information. However, a number of security services are required at the classified workstation to ensure the secure storage, processing, and transmission of coveted information, with local processing deciding who is given access to what data. The DND has decided that a mandatory access control (MAC) solution to achieving this was neither feasible nor cost effective.
Instead, they decided to implement a mixture of security services which are implemented in a certain way to create safeguards and procedures. The specifics of these security mechanisms and services are discussed below.

The trusted computer base (TCB) must be able to enforce the authentication of each individual user, based on a secure login process (described later) which can be provided by a C2 OS, the platform BIOS, and the network OS. Strong authentication will also be provided through Entrust-ready programs, using key management certificates provided by the Entrust PKI.

The TCB must also be able to control the deletion and release of objects and resources back to the system once they contain coveted information. This ensures that coveted data does not become accessible to a system or user with insufficient clearance, and is provided by, once again, a C2 OS and Entrust-ready programs.

It also must be able to create, maintain, and protect an audit trail of certain security related events (i.e. failed login attempts etc). The audit log will be stored on a separate TCB. An audit "reduction" tool will also be used to allow the security administrator to centrally manage and extract any relevant audit data from the log files created by the OS. Audit can be provided by a C2 OS and by other third party tools.

Need-to-know separation must be enforced between all objects and subjects by the TCB. This separation is provided by a C2 OS, and encryption with Entrust.

Access Control Lists (ACLs) allow a system administrator to limit the access rights of users, or groups of users, to certain data. These assist in the implementation of access rights in order to control access to information on a need-to-know basis.

The DND has also said that all information in the classified domain must be labeled. This includes all hard copy output, files, e-mail, directories, content displayed on the screen, and any other stored objects.
They must be labeled with the appropriate classifications, caveats and handling restrictions. This makes proper storage and transmission of classified information easier, and indicates the need-to-know required to access certain classified information. Mechanisms to do this include Entrust applications, or labeling applications which do the labeling at the system level within the directory of file system or as part of the text or data.

Low-grade network encryption units (NEU(L)) can be used to provide login/password or other types of protection over the LAN if required by a Threat and Risk Assessment (TRA) (i.e. the login information to a CEO server should be protected over the LAN if there is a perceived threat of someone sniffing for login information).

3 - Safeguards and Procedures
    ~~~~~~~~~~~~~~~~~~~~~~~~~

This section will describe the details of safeguards and procedures which are implemented onto a classified workstation to provide the services and mechanisms which were described earlier.

Viruses
~~~~~~~

Viruses, Trojans, Worms, Time Bombs, etc. are statistically one of the top security threats to any computer system and network. Individual computers and entire networks have been rendered inoperable for days due to a virus infection. Many hours have been lost, and administrator workloads have increased exponentially due to network downtime, caused by the spread of a virus. Most viruses are introduced into the network by users who copy files from unknown or untrusted sources, via floppy or across the internet etc. The best method to ensure that viruses are not introduced into the network, other than preventing users from copying files from floppy disks or other outside sources, is to have a resident virus scanner active at all times during operation of the workstation.

As of 1999 the DND has a departmental license for McAfee anti-virus software and around 12,000 licenses for DrSolomon anti-virus software.
Both products are now licensed from Network Associates Inc (NAI). Every workstation inside the DND's classified domain is required to be protected by an anti-virus program which has been selected by the DND. They are to be set up to scan for viruses every time a file is accessed.

Encryption Software
~~~~~~~~~~~~~~~~~~~

Entrust Client is the software product of choice for DND classified systems to provide local confidentiality and discretionary access control on classified systems and networks. All local traffic which requires confidentiality and additional access control will be encrypted before being sent across the network. This can be accomplished using an Entrust-ready application. Traffic which requires proof-of-origin and/or strong integrity will be digitally signed using Entrust Private Signing Keys. Entrust provides strong public key encryption and key management which, combined with the X.500/X.509 directory service, will allow users to securely store and transmit local data for any user or group of users.

As well, the Entrust client can provide secure delete services to files upon deletion. This object reuse feature is designed to ensure that sensitive information cannot be recovered by unauthorized people once the file has been deleted. A detailed description of how Entrust provides these services will be illustrated later in this document.

Entrust Client is also essential for applications like secure e-mail, secure messaging, PeopleSoft, Remote Access etc. Hence, this product is to be installed on every classified workstation.

The Entrust ICE software product has also been selected by DND as their local hard-disk encryptor. This, when used with Entrust Client, will allow users to implement need-to-know/caveat separation by selecting folders where files will be saved in encrypted form automatically every time they are saved to that specific folder. Folders can also be set up to encrypt files for only the owner's use or for a specified group of users.
This product allows users to automatically save backup files on a server in an encrypted form just by copying or moving the file to a specific folder. This enables users to access sensitive files from any workstation across the network, and have appropriate protection on those files to prevent unauthorized users from viewing them.

Entrust Tokens and Readers
~~~~~~~~~~~~~~~~~~~~~~~~~~

The DND has selected hardware token technology to provide a high assurance two-factor identification and authentication, storage and cryptographic processing device for use by applications that implement Entrust encryption and digital signature technology. This token may be a smart card, PCMCIA card, USB token, or any other appropriate, portable form. Tokens are issued to all users of the Military Message Handling System (MMHS) and the Command and Control Information Systems (CCIS) in the classified domain. This token is used to provide additional security to the desktop by ensuring the user identity, password and that the user is in possession of their Entrust Token.

The hardware token can be compared to our debit cards, in that the card must be inserted into a specific slot, and the PIN number must be entered, before secure operations will be allowed. This token contains an internal computer processor and memory which allows the security functions (i.e. private encryption key and digital signature key storage, digital signatures, etc.) to be implemented in the token itself, and therefore taken away from the threat environment of the workstation.

The intent is that individual users will be issued their own token, which will support secure operations on a classified LAN. Token readers will be installed on all classified workstations within the department (or provided as add-on equipment for existing workstations). Specific details of token reader requirements will be covered in a future file on MMHS.
Labeling Software
~~~~~~~~~~~~~~~~~

Unfortunately not much information on this subject is available. The information which I have found, however, says that the DND is currently being investigated. I may have an update for this in the near future.

Keyed Locking Screws
~~~~~~~~~~~~~~~~~~~~

To prevent users and unauthorized people from gaining access to the internal components of the workstation, keyed locking screws will be utilized by system administration staff. These devices require the use of special keyed tools in order to remove them. The use of these screws is intended to prevent unauthorized individuals from easily opening the workstation to remove the BIOS battery (which could reset the BIOS), remove components such as memory chips or circuit cards, or add components such as modems which could decrease the level of security.

BIOS Configuration and Password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DND has required that the BIOS be configured in such a manner that users are not able to boot from a floppy disk or CD-ROM. This prevents any unauthorized users from booting around the system's Identification and Authentication mechanisms in order to install or run unauthorized, illegal and possibly harmful applications (i.e. key loggers, password crackers, disk recovery programs, etc.). Forcing the initial boot from the hard drive will also prevent accidental booting from a floppy disk, which could be infected with a boot sector virus. In the event that a workstation cannot be booted from the hard drive, administrator or maintenance personnel will be able to reset the BIOS to allow booting from a floppy disk in order to recover the workstation.

The BIOS password is also to be set for all workstations to prevent users from making changes which could permit them to bypass security mechanisms. The system administrators are required to keep records of these passwords and effect changes in the same manner as Security Officers maintain combination numbers for file cabinets and safes.
Only system administrators and maintenance personnel shall have access to the BIOS password and therefore the BIOS settings on workstations.

Secure Configuration of Workstation Operating System
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All workstations are to be secured as outlined in "DND Secure Windows NT 4.0 Installation and Configuration Guide" or "DND Secure UNIX Installation and Configuration Guide". These documents include guidance on configuring and installing C2 configurations, file systems, registries, security policies, and profiles. This includes a properly configured registry for Windows NT.

4 - Workstation Cryptographic Processes
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section will, obviously, go over the cryptographic processes which occur on the workstation. This includes encrypting a file for multiple users, logging on, and the Entrust ICE Log-on Procedure.

Encrypting a File for Multiple Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The diagram below demonstrates how a file is encrypted for multiple users and then decrypted for any individual authorized user. The process for encrypting a file using symmetric and asymmetric encryption involves many steps and a complicated process. The file type (i.e. text document, picture, database, etc.) has absolutely no impact on this process as far as the encryption goes.

Step 1: First the user creates a clear-text (unencrypted) file which could be a text document, graphic, database or any other file type.

Step 2: Next this clear-text file is encrypted with a randomly generated symmetric encryption/decryption key. At this point in time the original clear-text file is securely deleted to ensure that the confidentiality of the information is maintained.

Step 3: Now that we have our encrypted file with an exposed symmetric encryption key, measures must be taken to protect that key from being compromised.
The next process involves encrypting the symmetric key with the public asymmetric key of the intended recipient(s). A single copy (or copies for each recipient) of the encrypted symmetric key is attached to the original file to create a new file. When the new encrypted file is saved, it is identified by the extension ".ent" which is appended to the original filename.

Step 4: Now the file is encrypted with a symmetric encryption/decryption key and this key is protected using the public asymmetric key of all the intended recipients. The only way to decrypt the original file is for a user to obtain a copy of the symmetric key, which can then be used to decipher the original data. If the user is an authorized recipient for the file, that individual can use their private asymmetric decryption key to unwrap the symmetric key and subsequently decrypt the file.

Step 5: At this point, the file is back to its original form, with the filename intact and ready for viewing.

[Diagram, encryption side. Panels: the original file, unencrypted (cleartext); the original file encrypted using the symmetric encryption/decryption key; a copy of the symmetric decryption key encrypted with the asymmetric public key of each intended recipient (User1, User2, User3), shown beside the encrypted data.]
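The scheme in steps 1 to 5, as an added example (not part of the original file, and not Entrust code or the real .ent format): the file is encrypted once under a random symmetric key, and that key is wrapped separately for each recipient. AES-256-GCM, RSA-OAEP with 2048-bit keys, and the names Recipient, Envelope, MustUserKey, Seal and Open are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Recipient struct { // a user name plus that user's public encryption key
	Name string
	Pub  *rsa.PublicKey
}

// Envelope is a constructed container for this example, not the real .ent layout.
type Envelope struct {
	Nonce, Ciphertext []byte
	Wrapped           map[string][]byte // recipient name -> wrapped file key
}

// MustUserKey generates one user's RSA key pair; 2048 bits is an assumption.
func MustUserKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is steps 2 and 3: one random file key, wrapped once per recipient.
func Seal(plaintext []byte, recipients []Recipient) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, fmt.Errorf("seal: no recipients, nobody could decrypt")
	}
	fileKey, nonce := make([]byte, 32), make([]byte, 12) // AES-256 key, GCM nonce
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := newAEAD(fileKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, nil),
		Wrapped:    make(map[string][]byte, len(recipients)),
	}
	for _, r := range recipients {
		// The name is the OAEP label: a wrapped key only opens under that name.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, r.Pub, fileKey, []byte(r.Name))
		if err != nil {
			return nil, fmt.Errorf("seal: wrap for %s: %w", r.Name, err)
		}
		env.Wrapped[r.Name] = w
	}
	return env, nil
}

// Open is step 4: unwrap the file key, then decrypt; GCM rejects a modified body.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.Wrapped[name]
	if !ok {
		return nil, fmt.Errorf("open: %s is not a recipient of this file", name)
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("open: unwrap file key: %w", err)
	}
	aead, err := newAEAD(fileKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	k1, k2, k3 := MustUserKey(), MustUserKey(), MustUserKey()
	env, err := Seal([]byte("constructed sample file body"), []Recipient{
		{"User1", &k1.PublicKey}, {"User2", &k2.PublicKey}, {"User3", &k3.PublicKey}})
	if err != nil {
		panic(err)
	}
	out, err := Open(env, "User2", k2)
	fmt.Printf("%d wrapped keys; User2 reads %q (err=%v)\n", len(env.Wrapped), out, err)
}
```

Adding a recipient costs one more wrapped key, not a second copy of the encrypted file; a key holder who is not listed, or a listed name presented with the wrong private key, gets an error instead of data.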
[Diagram, decryption side. Panels: the asymmetric private decryption key of User2 is used to decrypt the symmetric key originally encrypted with the User2 public encryption key; the decrypted symmetric key is then used to decrypt the original file; the original file, decrypted and available for viewing by the user.]

Logging On
~~~~~~~~~~

There are a number of identification and authentication points for a user logging into the network from a classified workstation. An image should be included with this file, in the same directory, called "ntwrk_sec_diag.gif". This image shows a classified workstation connected to a network with its associated security components. The following paragraphs will provide a description of the processes which occur each time a user logs on to the workstation.

In Windows NT Workstations, when an authorized user logs on at a networked computer, that person must first authenticate himself or herself to a network server (A) where their policy file is stored before they can access the workstation. Once the user is authenticated, a copy of their policy file is downloaded to the workstation where it will be merged with the local registry settings. This will ensure that each time a user logs in they will be forced to comply with the security policy settings as determined by the network administrator.

The Windows NT platform includes a secure log-on sequence (using the Ctrl-Alt-Del key sequence). This prevents applications from trapping usernames and passwords from the login.
Coupled with the account lockout feature, failure to enter the correct password after a specified number of attempts prohibits unauthorized users from accessing critical data. The NT secure logon process has been evaluated to the equivalent of a B2 platform's secure logon process.

The applications which are available will depend on the needs of the particular user or group of users. All network post logon routines will be performed (i.e. virus scan, system checks, software updates, etc.).

Entrust ICE Logon Process
~~~~~~~~~~~~~~~~~~~~~~~~~

Once the user has completed logging into the workstation, and all network software has completely loaded, the user will then have to log on to Entrust ICE, which enables the cryptographic security services. To do this, a user must authenticate him/herself to the Entrust ICE program. This is done by inserting their Entrust token into the reader and entering their user id and password. The Entrust token is used to store the user credentials. Storing the .epf file on the token increases the level of protection for the user keys and other attributes to a much higher degree. During this authentication process, Entrust will check a user's credentials against the Certificate Revocation List (CRL) on the Entrust Directory Server (see "C" in the diagram) to verify that their .epf file has not been revoked. If the user is validated then the logon will continue as usual, otherwise the logon process will terminate.

Once Entrust ICE becomes inactive for a specified period of time, ICE will automatically time out. When this occurs a user still has the ability to encrypt files as usual by saving them to the designated folder. However, the user will not be able to decrypt a file until they go through the authentication process again to re-authenticate themselves to Entrust ICE.
This is put in place to ensure that if a user leaves their workstation unattended for more than the predetermined time frame, an unauthorized person could not gain access to their encrypted files.

5 - Caveat Separation
    ~~~~~~~~~~~~~~~~~

Requirement
~~~~~~~~~~~

Currently, classified systems (i.e. command and control systems) require mechanisms to isolate and protect caveat information (i.e. CEO, CANUS, NATO, AUSCANZUKUS) processed on the same workstation and/or LAN. There has been considerable work done to define the mechanisms for caveat separation based on Discretionary Access Control (DAC) mechanisms and Entrust.

Presently, there is a requirement for several separate caveat domains. This results in significant complexity within the Classified Security Domain of DWAN. Some resolution of the caveat issue has been accomplished at the operational level. This is done by moving towards a "SECRET" (CANUS) dedicated mode of operation. For example, MCOIN III currently has a SECRET CANUS warning level on all its classified material. This has forced JC2IS to purge all CEO material, to allow it to declare itself CANUS and inter-operate with MCOIN III with limited need-to-know access enforcement, if any at all.

However, using the mechanisms outlined in the following sub-sections, the objective is to separate or compartmentalize caveats and implement a Canadian Classified Domain of SECRET (MULTI CAVEATS). This would allow all classified work groups to operate in a multiple caveat environment.

Mechanisms which provide separation of caveat information within the DND Classified Domain must meet the following criteria:

- Allow for a system high mode of operation where the need-to-know principle will be enforced
- Classified documents will be labeled, stored, and protected according to their label
- Caveat information will be separated/isolated through approved security mechanisms

Well... All I can say now is that my hands are tired from typing, and my eyes are completely strained.
I hope it was worth the time and effort which I put into this file. I truly hope that people out there find this useful, or interesting. There was one more section which I was going to add on labeling specifications, and an overview of the classifications. However, my computer didn't like the amount of text I was putting into it, and I didn't feel it was too important, so I left it out. However, if for some reason you're interested in this extra section, e-mail me and I'll write it up real quick and send it off to you. Look for more DND related files in the near future.

I would like to send out a special shout to the guys at the DND who do a great job planning their network security, however you guys have to work on your implementation a little more. ;-)

Shouts go out to Clone, Semtex, everyone at Hack Canada, and all the regulars at #Haxordogs. Keep up the good work everyone!

Tune in next time to find my conclusion on the DWAN's overall security, and some possible security problems I see with their setups. Same Psycho time... Same Psycho site...

-- PsychoSpy
psychospy@hushmail.com
ICQ#: 5057654

___ when I say Moldy... you say BUNZ!!! ___

DND WAN DNet Architecture - By PsychoSpy
~~~~~~~~~~~~~~~~~~~~~~~~~

--------- Beginning of Disclaimer ---------
This file is to be used for educational purposes only. By reading this file you agree that all responsibility for any misuse of this information is bestowed upon the reader. If you continue to read this file, you also agree that this file cannot be used in any legal cases, and that you are not employed by a policing, or intelligence agency.
--------- End of Disclaimer ---------

Introduction
~~~~~~~~~~~~

This file will go over the Department of National Defense Wide Area Network (DWAN) designated domain (DNet) architecture. DWAN was set up to provide a computer/data communications infrastructure to connect various different Local Area Networks (LANs) and Metropolitan Area Networks (MANs) together within the DND.
The DWAN is separated into three main domains. The first domain is called GP-Net. GP-Net is the unclassified domain. The second domain is the designated domain, which is known as DNet. The last domain is called CNet, and is the classified domain. Hopefully in future files I will cover GP-Net and CNet architecture, although they are relatively similar to each other. DWAN as a whole uses DTES 3 for its Network Authority and Configuration Control Manager.

Now you're asking what exactly the DWAN is able to do. Well, DWAN was designed to "provide interconnection to approved, existing, and planned DND systems." DWAN fully supports the TCP/IP protocol as a migration towards OSI. It also provides a common, high-speed, reliable inter-networking communications backbone, and a communication infrastructure to facilitate the implementation of inter-networking requirements across DND.

DNet allows users to perform many tasks. These tasks include co-ordination and planning, cost control, security accreditation for the infrastructure, configuration management, and maintenance control.

DNet Components
~~~~~~~~~~~~~~~

There are four main DNet components, which are much like the components of any network, including the internet. The first of the components are routers. The routers used in DNet act in the same way as, and in most cases are the same as, routers in any other network. What they basically do is route data and information to their proper destinations. They are also able to filter out data much like a firewall. Interconnected routers form the DNet Backbone and act as area backbones. NSMC centrally manages the routers. Management traffic is carried in-band via frame relay. Authentication of management traffic is done by TACACS+ and Secure ID.

The next component of DNet is switches. DNet utilizes two different types of switches. The first type of switch is an Integrated Service Access Point (ISAP) Switch. Every DNet site has an ISAP Switch. The second switch is a Controller Switch.
Controller Switches allow connection with the other 12 BAR sites, Border Area Routers, and their local ISAP Routers.

DNet's third main component is the Domain Name System (DNS) Servers. The DNet DNS servers are the same as any DNS server on the internet. They take requests from hosts or remote DNS servers, and provide IP resolution for the request. For example, a web browser requests http://www.nettwerked.net. The DNS sees this, looks it up, and resolves the IP address for nettwerked.net. Within DNet are two levels of DNS. The first is at the national level and is managed by the network management center, NSMC. The second level of DNS is at the bases or MANOC level. There is a primary DNS which is located at the NSMC, and there are six secondary DNS servers, one for each region. The secondary DNS servers are in Esquimalt, Edmonton, Kingston, Halifax, Valcartier and Ottawa. The primary and regional DNS for Area 4 are on the same server.

The fourth, and last, main component is the Management Workstations. Each ISAP site has a Pentium 75 workstation and NetID software to enable the local MAN manager to manage their respective block of IP addresses. Two network management workstations are provided to ensure reliable backup of the system management. The first system is a Hewlett-Packard Model 715 with 256MB RAM. The second is a Hewlett-Packard C-100 with 448MB RAM, 2 Gig HDD, SCSI Drive, 1.44 Disc Drive, Keyboard, Mouse, 4xCD-Rom, External 4mm DAT, External Gig HDD and a 20" Colour Monitor. The operating system of choice on these machines is HP-UX 9.0 with upgrades to Version 10.20. These specs were as of the 9th of April, 1997. They have most likely upgraded their systems, but the types of hardware and OS are most likely the same.

System Architecture
~~~~~~~~~~~~~~~~~~~

The DND's inter-networking facilities have recently been, and continue to be, restructured to improve capacity, performance, reliability, scalability and manageability, and to reduce overall costs.
DNet physically organizes its communications infrastructure at two levels. These two levels are regional, and inter-regional (or national backbone). The national communications topology is structured and combined to replace the low speed point to point dedicated circuits which existed with relatively higher speed frame relay Permanent Virtual Channels (PVCs).

DNet is a TCP/IP router based backbone network, which combines MANs and IT infrastructures into a common network. This combination occurs at the Base level through the ISAP switches.

The design consists of cutting the country into six areas along geographic and address boundaries. There is an additional area (Area 9) which is the Test and Development Facility (TDF), which simulates an operational area for test purposes. Each operational area has two Border Area Routers (BARs) which bring all the traffic inside the IP subnet to two or three master subnet addresses that each router uses to tell other routers, through routing tables, who can be reached by which routers. The inter-connectivity between the BARs is what the main National level backbone for the DND consists of. These routers are the point of connection between the National backbone and the area base routers.
The six areas (plus the test area) are as follows:

Name    | Province/Region      | Locations
--------|----------------------|-------------------
Area #1 | British Columbia     |* Aldergrove
        |                      |  Aldergrove ISAP
        |                      |* Esquimalt
        |                      |  Esquimalt ISAP
--------|----------------------|-------------------
Area #2 | Prairie              |  Cold Lake
        |                      |  Yellowknife
        |                      |  Wainwright
        |                      |  Shilo
        |                      |  Moose Jaw
        |                      |  Winnipeg ISAP
        |                      |* Winnipeg
        |                      |  Suffield
        |                      |  Edmonton ISAP
        |                      |* Edmonton
--------|----------------------|-------------------
Area #3 | Ontario              |* Borden
        |                      |* Kingston
        |                      |  Borden ISAP
        |                      |  Kingston ISAP
        |                      |  London
        |                      |  Trenton
        |                      |  North Bay
        |                      |  Petawawa
        |                      |  Toronto
--------|----------------------|-------------------
Area #4 | NDHQ                 |* Tunneys
        |                      |* Pearkes
        |                      |  Tunneys ISAP
        |                      |  Pearkes ISAP
        |                      |  Leitrim
--------|----------------------|-------------------
Area #5 | Quebec/New Brunswick |* Montreal Area
        |                      |* Valcartier
        |                      |  Montreal ISAP
        |                      |  Valcartier ISAP
        |                      |  Gagetown
        |                      |  St. Jean
        |                      |  Bagotville
--------|----------------------|-------------------
Area #9 |                      |* TDF
        |                      |  TDF-2 ISAP
        |                      |  TDF ISAP
--------|----------------------|-------------------

Note: "*" indicates the site connects to the frame relay

The BAR sites are fully meshed together, while within a geographical area ISAPs are only partially meshed. All data traffic is processed through a commercial Frame Relay service.

BAR Sites
~~~~~~~~~

There are 12 BAR sites. The typical BAR site configuration is shown in the diagram below. BAR sites are made to consolidate all IP traffic across a single consolidated National backbone. Each primary BAR Site, except Tunney's Pasture, has the same configuration. They are made up of a Cisco 7505 Router with 16 Serial ports with an 8Mbps capacity on each port. The router has dual CPUs, dual power supplies and a two port fast ethernet card. The BAR site also has a local network management workstation and a fast ethernet switch for inter-connectivity to the resident ISAP Router.

The Primary DNS is installed at the NSMC.
Secondary DNSs are located at five BAR sites: Halifax, Valcartier,
Edmonton, Esquimalt, and Kingston. The Ottawa regional DNS shares the
National DNS server in the NSMC.

Network management traffic is carried in-band via frame relay.
Authentication of the management traffic is done using TACACS and Secure ID
Token Cards.

BAR SITE CONFIGURATION
~~~~~~~~~~~~~~~~~~~~~~

[ASCII diagram not recoverable. It is split into a MANAGEMENT
INFRASTRUCTURE side and a BACKBONE INFRASTRUCTURE side. Its labels are:
Other BAR Sites (Cisco 7507), Frame Relay, ISAPs (Cisco 7507), Modem
(Motorola/Luxcom), X.21 links, Mgmt Workstation, UPS, Secondary
Workstation, 10M links, Border Area Router (Cisco 7507), Switch Controller,
Leased MUX, ISAP Router (Cisco 7505), ISAP Switch, UNIT (Cisco xxxx).]

ISAP Sites
~~~~~~~~~~

ISAP Sites are located on every major base or station in Canada. There are
34 ISAP sites. The role of the ISAP is to consolidate all IT Infrastructure
of a DND base into a single point of access onto the backbone. The ISAP
consists of a Cisco 7505 router with 12 serial ports, a 2 port fast
ethernet (100 Mbps) card and a 6 port ethernet card (10 Mbps). Because the
ISAP router consolidates all base IT subnetworks, it includes the Cisco
Enterprise Software Suite, which allows the Base MAN to inter-operate by
allowing local IP, IPX, and VIP to be locally routed. However, the traffic
on the main backbone is IP only. The typical configuration of an ISAP site
is shown in the diagram below.

ISAP SITE CONFIGURATION
~~~~~~~~~~~~~~~~~~~~~~~

[ASCII diagram not recoverable. It is split into a MANAGEMENT
INFRASTRUCTURE side and a BACKBONE INFRASTRUCTURE side. Its labels are:
Other ISAPs, Primary BAR (Cisco 7507), Secondary BAR (Cisco 7507), Frame
Relay, Modem (Motorola/Luxcom), X.21 links, Leased Line MUX, Mgmt
Workstation, UPS, TCP/IP Mgmt Workstation, 10M links, ISAP Router (Cisco
7505), Switch Controller, UNIT (Cisco xxxx).]

Communication Protocol
~~~~~~~~~~~~~~~~~~~~~~

The Treasury Board of Canada and DND have been directed to evolve Open
Systems Interconnect (OSI) protocols. Because of this, and to be sure that
the network will remain manageable for them, the protocols to be allowed on
DWAN will be limited. The Treasury Board quickly realized that OSI products
are not readily available. Therefore they have allowed a migration to OSI
through the use of TCP/IP, which is now the internet standard.

Security
~~~~~~~~

At the time of writing I was unable to gain access to any documents
relating to the security of DWAN/DNet. Hopefully in the near future I will
be able to write a file on security alone.

Well, that's it for today kiddies! Look for more DND and CSE related files
soon! Although it sounds like an illogical order, I will be writing a file
on DWAN Architecture itself, as opposed to just the designated domain of
DWAN.

Shouts go out to all the usuals. Especially The Clone, and Semtex (who
saves my ass frequently). Thanks man! I appreciate it. Also, to all the
rest of the Hack Canada Crew.

-- PsychoSpy
psychospy@hushmail.com
ICQ#: 5057653

___

How Non-Public DND Information Was Easily Compromised - By PsychoSpy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--------- Beginning of Disclaimer ---------
This information is for educational use only. By continuing to read this
file, all legal responsibility for any damage done, or any other illegal
activity is bestowed upon you, the reader. If you don't agree with this,
then don't read the file.
--------- End of Disclaimer ----------

As you may have noticed, I just recently (along with this file) released a
few files on the DND network. You're probably wondering how I got so much
great information on DWAN and various other DND computer information.
To answer this pondering which many probably have, I am writing about the
problem which I recently found in the DND, or more like the Government
Canada's servers. This problem allowed me to gain much information which
allowed me to write those files.

So, here's the scenario. After talking to The Clone about AGNPAC (the
Alberta Government Packet Switching Network), I decided to see if there was
an Ontario version of this. To check, I booted up my computer and zipped my
trusty web browser over to www.gc.ca, Government Canada's main site. I saw
the Search link on the main page there and followed it. I typed in a few
keywords to search for information on there possibly being an Ontario Gov't
Packet Switching Network. However, I didn't find anything of importance on
the subject. What I did notice was the url which was in my url box after I
hit the search button. It was something like this:

http://search-recherche.gc.ca/cgi-bin/query?mss=canada%2Fem%2Fsimple&
pg=q&enc=iso88591&site=main&bridge=&lowercaseq=&what=web&user=searchintranet
&kl=XX&op=a&q=Ontario+Government+Packet+Switch+Network&x=44&y=2
(url is wrapped)

There was one thing which caught my eye when I saw this. It was the part
that said "user=searchintranet". Wow.. This is interesting. I wonder what
kind of files I can access. Is this really an intranet search? Well, you
guessed it folks! It sure is.

It's quite humorous actually. See, a couple days before I had tried to
access a directory listing on the CSE's server but wasn't able to do so as
the server was marked as forbidden. Oooo... Forbidden.. Damn I can't help
my curious mind. Of course I want to see all that which is forbidden! So, I
found the url for the directory I wanted to get a listing for, and clicked
search. Then, POW right there on the screen was what basically amounted to
a directory listing of this supposedly forbidden directory. Of course, it's
the government, so they wouldn't put a password on the folder.
I guess they figure that if it's marked forbidden people wouldn't be able
to see the files inside. However, now that I have the full path names for
the files, I could easily (with the click of a mouse) access these files.
In fact, it turned out that I could access many files which are considered
sensitive by the Canadian Government. These "sensitive" files were mostly
seen on the CSE and DND servers.

What I believe happened was that the method in which the trusts between the
servers were set up, coupled with the manner in which the search script
searched for sites, allowed a person to search through every directory on
all government agency web servers which were above the root web directory.
So, if the main page of a server resided on:

/usr/cse_web/html/

Then anything inside of that HTML directory, including all sub-folders, was
accessible and could be searched through. This also means that the passwd
files etc. on the servers could not be accessed. However, due to the
discovery of this, I found that there are many other vulnerabilities which
various Government Agency servers are open to. Hopefully in the near future
I will be able to write about these vulnerabilities on the various agency
servers, however I do not feel that it would be in my best interest to do
so right now.

This really demonstrates how insecure these servers really are. It seems
that the government has great planning for their security of servers,
however, the implementation is just not there. Maybe more files like this
will send a strong enough message to the gov't that they really should wake
up.

Well, that's it for today guys, and please try to stay out of trouble.
Also, do NOT try any of the things mentioned within this file, we have
delayed the release of this file to allow the administrators of the
networks time to correct the issue at hand.

Shouts go out to Clone, Semtex, everyone at #Haxordogs, and Hack Canada.
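
The two conditions the article describes, a request parameter
("user=searchintranet") that selects the intranet index and a directory that
answers "forbidden" yet still serves its files by full path, can both be
audited from web server logs. The sketch below is an added example, not part
of the original article; the log lines are constructed, and the internal
network range, the "searchpublic" value and the /docs/internal/ path are
assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions for this sketch: which "user" values select an internal index,
# and which networks count as internal. Neither comes from the article.
INTERNAL_COLLECTIONS = {"searchintranet"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in Common Log Format (documentation addresses).
SAMPLE_LOG = """\
10.1.2.3 - - [01/Sep/2000:10:00:00 -0400] "GET /cgi-bin/query?pg=q&user=searchintranet&q=budget HTTP/1.0" 200 5120
198.51.100.7 - - [01/Sep/2000:10:01:00 -0400] "GET /cgi-bin/query?pg=q&user=searchpublic&q=forms HTTP/1.0" 200 4096
203.0.113.9 - - [01/Sep/2000:10:02:00 -0400] "GET /docs/internal/ HTTP/1.0" 403 210
203.0.113.9 - - [01/Sep/2000:10:03:00 -0400] "GET /cgi-bin/query?pg=q&user=searchintranet&q=docs%2Finternal HTTP/1.0" 200 8000
203.0.113.9 - - [01/Sep/2000:10:04:00 -0400] "GET /docs/internal/plan.txt HTTP/1.0" 200 15000
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit(log_text):
    """Return (kind, client, detail) findings for external clients only."""
    findings = []
    denied = {}  # client -> directory paths that answered 403
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        client, _method, target, status = m.groups()
        if is_internal(client):
            continue
        url = urlsplit(target)
        scope = INTERNAL_COLLECTIONS & set(parse_qs(url.query).get("user", []))
        # 1. Client-chosen scope: an outside address selecting an internal index.
        if url.path == "/cgi-bin/query" and scope:
            findings.append(("internal-scope", client, sorted(scope)[0]))
        # 2. A 403 on the directory hides the listing, not the files under it.
        elif status == "403" and url.path.endswith("/"):
            denied.setdefault(client, set()).add(url.path)
        elif status == "200" and any(url.path.startswith(d) for d in denied.get(client, ())):
            findings.append(("file-under-denied-dir", client, url.path))
    return findings
```

Either finding means the search scope or the file permissions are being
decided by the client; the fix is to derive the index from the network or
session on the server side and to put access control on the files themselves.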

-- PsychoSpy
psychospy@hushmail.com
ICQ#: 5057653

____

Tuesday August 23rd - Miklos' Adventure at Graybar
--------------------------------------------------------

School's coming around shortly, and I haven't had much luck finding drains
in my dismal city. However, I have kept my eye on a construction site, for
the new home of a very successful electric wholesaler, Graybar. A couple
months pass and I see that construction is coming together with some
interesting things for me to check out.

It is now 21:00 on August 23rd, and I pump myself up to travel solo, and
explore the building. I have no car, so I pack up my backpack and begin
walking to the building. When I arrived, I quickly made my way to a pile of
girders. I hid behind the girders until traffic eased up, so no one could
see me enter the building. The building is centrally located around
residential, light industrial, and a lighted baseball field 500 meters away
from this building. A few minutes pass, and I quietly slip into the
building.

In front of me are hundreds of girders, wall panels, and blocks of
concrete. The building has 2 floors, the ground level, and an upstairs. The
ground level so far is split into 2 sections. The section I entered was the
offices, and such. The other section is a huge space to load trucks, and
hold inventory. I crawled along against the wall of the office part of the
building (to avoid being spotted by traffic) and entered the larger section
of the building. whoa. There wasn't even a concrete floor yet, just a huge
4 walled, gravel floored building.

As I started going through this room, I saw a light "shit!" I backed-up
against the wall, quickly turned off the maglite, and waited for the light
to go away. Then, I heard an engine noise, and some guy yelling. I was
unsure at the moment what to do, so I waited for the guy(s?) to leave.
After 15 minutes of some more yelling, the car finally left, and so did I,
back to the office section of the ground level.
I searched around the office section of the building, not finding much, and
made my way towards the stairs. Again, I lay low against a wall until the
traffic lightened up so I could go up the stairs un-noticed by motorists.
The second level hasn't been done yet, but I could still move around up
there. I walked mostly along planks to get a look at the rest of the
building. The upstairs didn't offer much for me, except a nice view of the
entire building from above. I looked around for ladders, or anything else
to get me higher.. Success! I found a 30-foot ladder that would take me to
the roof! I quickly scaled the ladder, and got up on the roof. It was a
nice sight.

I walked around up on the roof, and tried to take a picture of the city.
Unfortunately, the picture turned out bad, as did most of the pictures that
night. Anyhow, I had a nice, cool breeze against my face up on the roof,
and decided to chill out and watch the night scenery for a bit. Afterwards,
I went back down the ladder, down the stairs to the ground level and left
the building. At this point in time, I didn't even care if anyone saw me on
the site, cause I was leaving. I put the camera, my maglite, and stretchy
gloves into my backpack, and started my journey back home. I pulled out my
music, and strolled home to witness a beautiful lightning storm, and get a
bit wet from the rain.

So concludes my adventure at Graybar. For a pictorial version of this,
check out: http://www.haxordogs.net/ghu/ue/ex/graybar.htm . See you in the
next installment of Urban Exploration.

Miklos@SunOS.com
http://www.haxordogs.net/ghu

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Credits:

I would like to give credit to the following people for helping with this
issue of K-1ine - if it wasn't for you guys I don't think this issue would
have been released...

Dead Musicians Society (D.M.S.), Flopik, Jay Beale, Kira Brown, Kybo_Ren,
Miklos, and lastly to PsychoSpy

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Thanks, you guys, seriously. I'm very happy to see all the contributions.
Remember: Articles are ALWAYS welcomed. If you have something you'd like to
see on this zine, feel free to send me an e-mail. Even if you're worried
that the article is "lame" or "isn't technical" or something like that,
send it anyways. Remember: everyone has something to offer to the scene.
Show your support.

--

Shouts:

Cyb0rg/asm - I REALLY appreciate your full support by linking the last
three issues from Hack Canada... thanks for getting the w0rd across about
K-1ine.

Psychospy - Partner in file written - keep up your superb work, brotha!

Hack Canada (www.hackcanada.com) and Haxordogs (www.haxordogs.net), #CPU,
k-rad-bob @ b0g (www.b0g.org), Magma, Alan, Ottawa 2600, RT, Enjoy` (my
little cutie!), Seuss, Blackened @ Damage Inc., and lastly to everyone and
anyone who gives a shit about the Canadian H/P scene.

                   A  N E T T W E R K E D  P R O D U C T

              it doesnt matter it doesnt matter... *UH!*