1234567891011121314151617181920212223242526272829303132333435363738394041424344# #K-1INE#45#SCREAM#in#your#PANTS#45#SCREAM#in#your#PANTS#45#SCREAM#in#your#PANTS# ##DWfjEEDEW;######;;######KEEDEFKW#################E;;# EE#f fEEDjfD;;##DEDD###W #Dfffff;fffjfft,;,;;fffGjDfEK########KEDDEDDLfDEEDE###Gt;,;,,;;f;fLfffi;;tfGfi:# ##K#KDEDfffjffffffLffftffEDGK#W##Et, . . :,LE##Di. ;;GLfGt; .,;f# #####ED;ffffffjt;;;;ti;:;,####f; ';##DE#Dt; :fEW#KEDLD #f,;;,;t,;;it;,;ftfffftt###Wt :tL#W ;tfEfff;; f #GEfGEifffjt;,;,t,t;tfG##Kt, ;;;; ,;i:i;f;; ':KEEft; ;;fffjffD ###D;;;;;,;;ffjffGDDED##j ;jLt; . :,tG: ;##f;tGGG,tfDDj,fE #: fjfWfGfi;:,:;:;tDK##; ;; D##Wi ;iLGD### #Kffi;;;ffffffjjtf##KK; :;;: t#W############# #EDELffffLfLGEfiffK#D, itt DK####WG###KjfK #EfttffGDLDGED#EK#### t :DDDLfjt: ,,: . ;f jW;###fjG###D## #DffffffffjfjfLLLf#ED :jft: ::;,;jEf jG: f#i###Wtj###E;# #####D#WE###KEK#####j f tW, :; ;# KD i###WtK##: # ##;jWEfftW#WWj,fW#W#f t EL # fE ;K##WDK# t# ##jiK##DDftG##Wfj###j t# :f#EEWGi: t :fEt. :# G#j f###ff# L# #GK#Efjf###WK#KK###iW: DG ::; :t; t :i Li: :;L: f# W# ,###ff#Dt# # :LE###KfK; f#G#f ;D:i tL ft f . :, ;f .D::G tGt t###ff##:j # tK#f, .L, f## tG ;Kf;,;;tLi ; , :. .;f :i W t f###fj##if # :K#j. E. W#. :ftt t jGELjj, tED D###;###fE #ED#j iL D#E . K :i j#: ###LD###t# ####j ,D .W#. t: tifK: LG,f; f# f####KD#Lf# ####G ,D ,jW#WG ti: : .;: ;f .:#t ;#####WW#tf# ####K tEEDEfGK##; f; ,;: :DGi :j#f :W#########j# #####: t##Gf;..:iL#t t :EWW# :fK: tK#Ki fK#####WKL#DK# #####j j#####ELi:,fW#f Gf D#;LDf LGD; GE##D: ;K#######f;t#D## ###E#W ijDDGKEW####WWfj;f#j: E, t#G Kfj f;j: KG#L: t#####f####G###E# ####W#KDt,. :W###WW##fEfD#; :E L# :fLt Ei: :WDt. f#####iG########i# ####DD: ;#########fW#W f; ## G #t fE; j#f f####K;D##K;D####;# ###W, .,G##########f#: fD :#, GG #D D#t tG#####,i###:G#####f# ###t : j#############W ## fDG,LD .G; t#G L######t,W##it###### # ###. tKW##############;j#t :tDWDt Wf ;W#, f######K W###:####DW# # ###. ;LWEi:t#############G fj: ;G i###f ######KWGW##Lf###L ## # ###t.. ;#t .fEDEL,:::tD##L :; t####f ######j;####:G###: #G # #EDWt,. j#K: iL: i##E, :tD#####t #######L####:G###,:# # #jE##EKj. ,WW; .G; i##WLtt;;,;fD########j f#;K########GW###LfK f# ########L: :W#t D, E#,:fffjfGKEK#######f j#: tG####W##E###,Df K# #########D. .G#D. .E D#i ft i########f ;##G ;E########f#tG## ##########W: .;K#j LiifK#j if G#########j .###D :iW####### j## ###########E .jKWkkkkkKK####D#f. :j:D##########f t####i ;G#####Kf## E###########L :DKW#########t;f::,;iK##########,f f####G :fW###### #############; :K##########K; ,tD######W######:L . tW#####Kt .:tW### #############D f##W###################K######K; ; L########t;; ,D# #############j .i#########L############EG#######KtiL###E######L;ti f# W############f :EW######### G#####L#####;E#############E#########D;ft f# #############KL;iK###W#######ft###########t##########################Wfft f# #################WKWW########f;#######################################DjLGjt j# #############DDKKW########K##DG##############;####################K#####KKGGitW# #######W#####WW###########f##################f#####WW#######################WGW# ################################WWWWWWWWWWWWWWW################################# ##################WEDGLfjii,;::.:.;.::.;:.:.;.:::::;iitjfGDEKW################## ##########WEDfj;,::..:. . . .. ..::. :;tfLDK########### #####KGji.::.. . . . .:..,tfD###### ####D::. . .. .. .. .. .. . ,iW#### ###D: . ..::::,ittjjfjjffjfjjjjtt;;::... .. .i#### ##K;. .:,fGEW#WWEED;CYB0RG/ASM;EEEKW#WEGf,.. . ..t### ##i. :;E#ji' ':tE#D, .:D## #;,. :. ;LE#G' 't##KGj;:..: . . : :::G# #ELfi,;,,,,;itfDKKDf;#W ;#K;tfDKWEDGLLfLLLfLDEW# #tjfGDEEEEEEDLjt::.:,## ;#E:,.:::;iijjjjttjitiL# #,. :.. ....: . .t#E W#i. . .... . ::L# #i: .. :iWW, ;WWi:. .:D# iE;: . ... : :tG#K; :G#Efi:,....:.:..:;D#' 'K#EGfjjjjjjfLGE#WDi :tDW#WEDDDDDDDEW#E' ':ijLGGGGGGLft;:" ':;ttttttt;t;:' SCREAM in your PANTS K-1ine 45 Fall 2oo4 ^ ^ < RANDoM WoRDS > ^ ^ Pre-Introduction . . . . . . . . . . . . . . . . . . . CYB0RG/ASM ^ Introduction . . . . . . . . . . . . . . . The Clone ^ Contact Information . . . . . . . . . . . . . . . . . . The Clone ^ Link of the Quarter . . . . . . . . . . . . . CYB0RG/ASM ^ K-1ine Mirrors . . . . . . . . . . . . . . . . . . . . . The Clone ^ > DoCUMENtS < ^ ^ Hacking the Actiontec GT701(-wg) . . . . . . . . . omin0us and sub ^ Windows Logic Bombs . . . . . . . . . . . . Aftermath ^ Single Access Serving System . . . . . . . . . . . . Majestic 1/12 ^ Wetware hacking: Sound and Smell . . . . . . . Cybur Netiks ^ More Phun with the Audiovox 8900 . . . . . . . . . . . . . . TeK-g ^ Cracking Encrypted Intelligence . . . . . . . . . aestetix ^ Another Scam From the Dirty Pigs in Edmonton . . . . . . MsOgynis ^ Exploiting Telus POTS/Payphone Lines in Calgary . Falcon Kirtaran ^ Hacking Mircom Technologies Telephone Access Systems . . The Clone ^ < CoNCLUS:oN > ^ ^ Credits . . . . . . . . . . . . . . . . . The Clone ^ Shouts . . . . . . . . . . . . . . . . . . . . . . . . . The Clone ^ ^ K-1ine 45 SCREAM in your PANTS Fall 2oo4 ^ ^ Pre-Introduction By CYB0RG/ASM October 31st, Two Thousand Four --------------------------------------------------------------------- 1893. Norwegian painter, Edvard Munch, paints "The Scream". Munch's work often included the symbolic portrayal of themes such as misery, sickness, and death. --------------------------------------------------------------------- a century goes by wherein some misery, sickness, and death happens... then... --------------------------------------------------------------------- February 12th, 1994. The National Gallery's "Scream" painting is stolen. (Munch had made four versions of the painting.) Three months later the painting was recovered. --------------------------------------------------------------------- 1996. "Scream," directed by Wes Craven, hits theatres. The plot features a psychopathic serial killer stalking a group of teens... just like in the movies! Ha ha ha.. art imitating life imitating art. I get it. But then life starts imitating the art imitating life imitating art and things get really interesting if not just a little confusing. Oh yeah, and the killer wears a mask inspired by Edvard Munch's now infamous painting. --------------------------------------------------------------------- 1997. Three male teenagers who had repeatedly watched Scream murder two girls in Salem, Massachusetts. --------------------------------------------------------------------- 1997. "Scream 2" hits theatres. In this sequel to the 1996 film, the number of suspects only goes down as the body count slowly goes up! Ha ha ha.. I get it! Just like in real life! --------------------------------------------------------------------- 1999. Patrick was 14 when he put on a "Scream" mask and broke into a former teacher’s house near Hood Canal. Yelling "Die, bitch, die," he repeatedly stabbed and beat her while her baby slept in another room. --------------------------------------------------------------------- 1999. Thirty-four violent films, including Scream, found in the rooms of two male college students at Hadlow, Kent, who stabbed a friend to death, dismembered his body, and then burnt the leftovers. --------------------------------------------------------------------- 1999. Two schoolboys who brutally stabbed a friend and left him for dead after watching Scream are convicted of attempted murder at Hull. --------------------------------------------------------------------- 1999. With the help of two cousins, a teenager stabbed his mother to death after watching Scream in Lynwood, California. --------------------------------------------------------------------- 2000. "Scream 3" hits theatres. Because inspiring a monumental string of barbarous copycat murders really requires a trilogy! Ya dig? --------------------------------------------------------------------- 2000. Three men, one in a "Scream" mask, scaled a balcony and broke into an apartment in the England Run complex off U.S. 17. One victim was bound with duct tape. Matthew W. Glenn, 18, resisted his attackers and was shot in the back. --------------------------------------------------------------------- 2000. A woman and two men, wearing Scream masks, robbed a store in Lowell, Massachusetts, and shot a man dead. --------------------------------------------------------------------- 2000. Five young men wore Scream masks when they gang raped a 21- year-old woman in a town near Paris. --------------------------------------------------------------------- A few weeks later at Lebetain, eastern France, the police arrested a boy of 15 when his parents were found dead after being repeatedly stabbed while they slept. In his confession the boy said he had hallucinations after watching "Scream" and heard voices telling him to kill his parents. --------------------------------------------------------------------- November 29th, 2000. An 18-year-old man robbed a convenience store wearing a "Scream" mask -- and his 17-year-old wife drove the getaway car. Jessica Powell told police they took the money so they could go to the movies. --------------------------------------------------------------------- 2001. A 24-year-old Belgian in the town of Gerpinnes with no criminal record and no history of psychiatric problems dressed himself in a long black tunic, donned a Scream mask, and stabbed a 15-year-old schoolgirl 30 times with two enormous kitchen knives. --------------------------------------------------------------------- 2002. Man accused of shooting two men dead in a bar in Pennsylvania wore a Scream mask. --------------------------------------------------------------------- March 2002. After two teenage girls at Saint-Vit, eastern France, tortured a classmate in an abandoned house, the local public prosecutor said they had admitted watching the film just beforehand. He claimed that the girls, aged 15 and 13, had been influenced by the film and carried a knife which "strongly recalled the weapon used in the horror film." --------------------------------------------------------------------- April 2nd, 2002. Kevin Skaggs was at the counter of the Oregon Quick Cash Payday Advance when a man wearing a Scream mask walked in. The robber indicated that he had a gun and wanted money. Skaggs pulled his own gun and shot Jeffrey Gordon Duncan in the chest. The assailant fled and was found dead a few blocks away. "If there is one good thing that comes out of this," Skaggs said, "it's that people will know that we are not going to put up with this sort of thing." --------------------------------------------------------------------- May 2002. A 17-year-old french boy stabs a 15-year-old girl 17 times after watching "Scream". He had tried unsuccessfully to attack two other schoolgirls before inviting his final victim to go for a walk around a football field near their homes. --------------------------------------------------------------------- October 2002. A masked gunman robbed a North Toledo McDonald’s and fled with an undisclosed amount of money. Wearing a mask from the movie Scream and using a voice changer to disguise his voice, the robber approached the counter and pulled out a gun. --------------------------------------------------------------------- November 3rd, 2002. A group of about 15 men, all believed to be Asian and in their early 20's, went on a stabbing rampage in England and knifed 4 random people. The main offender was wearing a Scream-style Halloween mask. --------------------------------------------------------------------- November 23rd, 2002. 24-year-old Jeffrey Ivan Vample of Norristown, PA, raped, strangled, and robbed 67 year old Alice Hufnagle-Llauman. She was found half naked and bound with duct tape in her bedroom. A bloody "Scream" mask, and a calender with the notation on November 23rd reading "My Love, What a Day," were recovered. --------------------------------------------------------------------- July 31st, 2003. 51-year-old West Roxbury man, James Hayes, decided to break off his hockey stick, attach a 5-inch knife, grab a Scream mask, a cloak, and some electrical cord, and drive to his ex-wife's house after learning she was sleeping with a woman. Once there, he burst into the bedroom wearing the Scream mask and repeatedly stabbed his ex-wifes lesbian lover with his makeshift "man-spear". --------------------------------------------------------------------- October 31st, 2003. A crazed psychotherapist wore a Scream mask and "ghost" cloak to kill a stranger on Halloween. Heather Stephenson- Snell, president of an all-women chapter of the Hell's Angels, set out to murder her love rival Diane Lomax and frame her ex-lover (former porn video stripper Adrian Sinclair) for the murder. But when neighbour Bob Wilkie, 43, intervened she shot him dead with a sawn- off shotgun instead. --------------------------------------------------------------------- February 2004. At around 5am a man attired in black robe and a Scream mask, climbed through a dormitory window in Leeds. The burglar locked himself in the bedroom and held the student at hammer point. He then demanded mobile phone, credit cards, and relevant pin numbers. The burglar threatened to return soon and kill the student if he had given the wrong number. The burglar left, locking the student inside his room. After much frantic banging on ceilings and floors, the student succeeded in waking his flatmates who had to bust the door open and release the poor captive. --------------------------------------------------------------------- April 10th, 2004. A Hamilton liquor store was held up by an armed man wearing a green "Scream" mask. He got away on a blue mountain bike carrying several bottles of spirits. --------------------------------------------------------------------- August 22nd, 2004. Armed, masked thieves burst into an open Oslo museum in broad daylight and snatched the Edvard Munch masterpiece "The Scream". Estimated value of the painting is between $77 million and $97 million Canadian. The painting has yet to be recovered. --------------------------------------------------------------------- September 2004. 61-year-old Richard Anthony Carbone shot and killed a young friend, Daniel Ray Elzie, 19, who had been staying at his apartment in Rolling Hills in East Bremerton. Carbone heard a noise at the back of his apartment and was confronted by Elzie wearing a "scream mask" and carrying what appeared to be a bloody sword. Carbone shot Elzie in the stomach, continued to drink for a couple of hours, then called his son to tell him what had happened. By the time his son arrived, Elzie had bled to death. --------------------------------------------------------------------- September 29th, 2004, for reasons known only to her, Britney Spears put on a Scream-style mask for a visit to the local burger joint. Spears, accompanied by reputed spouse Kevin Federline, little sister Jamie Lynn, and mom-chauffeur Lynn, finished the evening by lobbing milkshakes at paparazzi. --------------------------------------------------------------------- Tonight, in your community, knife wielding maniacs are donning their Scream masks and hunting for victims just like you. Disembowelements, vicious sexual assaults, grisly tortures, senseless shootings, stolen priceless artworks, blatant abuses of frosty chocolate confections... you'd better prepare yourself to... ___________________ __________ ___________ _____ ___ ___ / ______/\ ___ \\______ \\_ _____/ / _ \ / \/ \ \______ \ / \ \/ | _/ | __)_ / /_\ \ / \ / \\ \____| | \ | \/ | \/ \ / \ Cyb______ / \______ /|____|_ //_______ /\____|__ /\_____||___ / \/ \/ \/ \/ In \/ your pants \/! -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- Introduction: Greetings Boils and Ghouls... Welcome to the Fall Issue of K-1ine Magazine; #45. We have an incredible issue for you this quarter; because it not only contains some of the latest hacker and phreaker information, but because it's also a special Halloween edition! The K-1ine staff were pretty worried this wouldn't be able to compete with the absolutely mind-blowing Summer issue, but I think we at least came pretty close. Don't forget; the next time you write something original and thought provoking that relates to the hack/phreak scene, think about sending it our way. We may just publish it. Then again we might not. Take a risk and shoot it over to us. Now is the moment you've all been waiting for; K-1ine goodness in its most natural and most pure form. Hold onto your bags of candies, and change of underwear kiddies because you are about to leap into hacker greatness... -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- Contact Information; |*> Comments/Questions/Submissions: theclone@hackcanada.com |*> Check out my site: (Nettwerked) http://www.nettwerked.net |*> Check out the Web-forum: http://board.nettwerked.net/ -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- Link of the Quarter: Oddity Cinema - http://www.odditycinema.com/ Tired of hollywood regurgitating the same old crap? Well you should be you brain-dead zombie. Quit being such a victim and try thinking for yourself for a change. You know there is more to movies than what you find on the highly censored and intellectually sanitized shelves of your local Blobbuster Video™. Oddity Cinema offers the most brain-fucking demented selection of video on the planet. Whatever your twisted desire they can probably feed it. And if you don't have any twisted desires then there is no time like the present to discover some latent ones... like: Vomit churning gore & violence? Of course! Softcore Nazi porno? Only the finest. Cannibalism? Taste the other other white meat. A little token bestiality? oh yeah. Necrophelia? The only date you're likely to get. Snuff? Mm hmm. Hardcore anal sex with zombies? Probably! And not only do they have an online store, they also have a physical store right here in Deadmonton on Whyte Avenue, conveniently located under the daycare. Many of these movies are banned in most countries. You might want to take advantage of this little pocket of availability while you still can. So grab a bag of Orville Reddenblubber's Ultimate Theatre-Style Blubber-Lovers Popcorn (patent pending) and take in some gawd-awful bloody sex and violence in an effort to desensitize yourself to the horrors of the coming revolution as we push forward in accelerating the decline of our already doomed society. [ submitted by: CYB0RG/ASM ] -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- K-1ine Magazine Mirrors: WIRETAPPED "Wiretapped.net is an archive of open source software, informational textfiles and radio/conference broadcasts covering the areas of network and information security, network operations, host integrity, cryptography and privacy, among others. We believe we are now the largest archive of this type of software and information, hosting in excess of 20 gigabytes of information mirrored from around the world." Now mirrored in two places, one in Belgium and another in Sydney. http://www.mirrors.wiretapped.net/security/info/textfiles/k1ine/ HACK CANADA "Hack Canada is the source for Canadian hacking, phreaking, freedom, privacy, and related information." http://www.hackcanada.com/canadian/zines/k_1ine/index.html SECURITY-CORE "Security-Core mirrors K-1ine.. and that's about it so far." http://security-core.com/modules.php?op=modload& name=Downloads&file=index&req=viewdownload&cid=5 -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- Hacking the Actiontec GT701(-wg) Or, a primer on building your own hacked (custom) firmware by omin0us and sub Note: We've also gone ahead and mirrored the source code downloads. As soon as I get around to reading the licenses I may post the raw firmware images. If you have any further questions you may contact me. Introduction This paper is our attempt to deobfuscate the Actiontec GT701 wireless gateway. There are a couple of other websites out there with the same goal in mind, however, our intent was to provide accurate information based off of various sources including both official and un-official documentation, kernel source, configuration files, and just plain hacking. Hardware The hardware making up this unit revolves around the ar7wrd, the ar7wrd is one of Texas Instruments' "system on a chip" solution for DSL routers. The hardware of the GT701 (or any other AR7-based device for that matter,) consists of a power supply, the 160Mhz MIPS 4KEc V4.8 processor, 16Mb of SDRAM, and 4Mb of FLASH. For your input/output, there's the RJ-11 for your DSL, your ethernet device (TI Avalanche CPMAC) jack, a USB port, and an ACX-11x based (chip # TNETW130) wireless setup as well as 6 status LEDs. On the board, there are also two separate sets of 5 pins each. These are mostly believed to be serial (JTAG is also possible) due to Texas Instruments displaying a serial/UART interface on the AR7 diagrams, several pins being attached to the board, and due to the following ADAM2 variables: modetty0 38400,n,8,1,hw modetty1 38400,n,8,1,hw bootserport tty0 ADAM2 To be perfectly honest, we're still not entirely too sure what ADAM2 really is. We know that it's stored on block 2 of the MTD device. We also know that it appears to be some sort of system for storing environment variables in flash used during both boot-time and run-time, as well as a boot-loader of some sort. We also know that it's responsible for storing the MAC addresses, as found in our mtd dump: Error: environment variable "maca" not set. Setting default mac address : 00:e0:a0:a6:66:70 The following is a dump of /proc/ticfg/env, which is the /proc interface to ADAM2. # cat /proc/ticfg/env memsize 0x01000000 flashsize 0x00400000 modetty0 38400,n,8,1,hw modetty1 38400,n,8,1,hw bootserport tty0 cpufrequency 150000000 sysfrequency 125000000 bootloaderVersion 0.22.02 ProductID GT701-WG HWRevision 2A SerialNumber none AEIBootVersion 0.2i my_ipaddress 192.168.0.1 prompt Adam2_AR7DB firstfreeaddress 0x9401d328 req_fullrate_freq 125000000 maca 00:20:E0:1D:95:F4 mtd2 0x90000000,0x90010000 mtd1 0x90010000,0x900d0000 mtd0 0x900d0000,0x903e0000 mtd3 0x903f0000,0x90400000 macb 00:20:E0:1D:95:F5 macc 00:20:E0:1D:95:F6 usb_board_mac 00:20:E0:1D:95:F8 usb_rndis_mac 00:20:E0:1D:95:F9 mac_ap 00:20:E0:1D:95:F7 autoload 1 mtd4 0x903e0000,0x903f0000 usb_pid 0x6010 usb_vid 0x1668 man Actiontec Electronics, Inc. prod Actiontec USB/Ethernet Home DSL Modem When you hold down the Reset button during boot, an FTP server is spawned on the default port (TCP/21) typically allowing you to flash new firmware, as well as set and unset different ADAM2 environment variables. The following is a list of commands that the ADAM2 FTP server supports. REBOOT UNSETENV SETENV GETENV MEDIA RETR TYPE STOR P@SW PASV SYST PASS USER PORT QUIT ABOR When Actiontec's recovery app is run, it also sends a UDP packet to port 5035, and then initiates a connection to the FTP port. The following is the output of a sniffed connection of a typical firmware upgrade. UDP broadcast port 5035: (16 bytes) 0x00 0x00 0x16 0x02 0x01 0x00 0x00 0x00 0xc0 0xa8 0x00 0x01 0x00 0x00 0x00 0x00 UDP response from modem to port 5035: (16 bytes) 0x00 0x00 0x16 0x02 0x02 0x00 0x00 0x00 0x01 0x00 0xa8 0xc0 0x00 0x00 0x00 0x00 220 ADAM2 FTP Server ready. USER adam2 331 Password required for adam2. PASS adam2 230 User adam2 successfully logged in. TYPE I 200 Type set to I. MEDIA FLSH 200 Media set to FLSH. PORT 192,168,0,102,130,11 200 Port command successful. STOR nsp.ar7wrd.squashfs.img mtd0 150 Opening BINARY mode data connection for file transfer. 226 Transfer complete. TYPE I 200 Type set to I. MEDIA FLSH 200 Media set to FLSH. PORT 192,168,0,102,130,12 200 Port command successful. STOR ram_zimage_pad.ar7wrd.nsp.squashfs.bin mtd1 150 Opening BINARY mode data connection for file transfer. 226 Transfer complete. TYPE I 200 Type set to I. MEDIA FLSH 200 Media set to FLSH. PORT 192,168,0,102,130,13 200 Port command successful. STOR config.xml mtd3 150 Opening BINARY mode data connection for file transfer. 226 Transfer complete. REBOOT 221-Thank you for using the FTP service on ADAM2. 221 Goodbye. QUIT The Actiontec GT701's MTD blocks are set up as follows: mtd0 3,136K Root (SquashFS - compressed filesystem) mtd1 768K Kernel mtd2 64K ADAM2 mtd3 64K config.xml mtd4 64K unkown/unused We're not too sure what else it is capable of, but there are some hints of it being able to boot off the network (DHCP,) and/or booting specified images. Here are some ADAM2 commands, though we haven't actually been able to test these yet: fixenv Defragment for Env. space unsetenv Unsets the Env. variable setenv Sets Env. variable with a value printenv Displays Env. Variables erase Erase Flash except Adam2 Kernel and Env space setmfreq Configures/dumps the system and cpu frequencies memop Memory Optimization info Displays board information h/help Displays the commands supported There are others, but some of the command names didn't show up, only the descriptions, and we don't have a console hooked up to see them for ourselves yet. Software The Actiontec GT701 runs off of Linux kernel 2.4.17 patched for MIPS, ATM, SquashFS, and pre-empt (not enabled.) The kernel is provided by MontaVista and is believed to be the MontaVista Carrier Grade Linux kernel version 2.1. Linux version 2.4.17_mvl21-malta-mips_fp_le (mspeng@localhost.localdomain) (gcc version 2.95.3 20010315 (release/MontaVista)) #24 Fri Jul 16 13:22:25 PDT 2004 Along with the kernel, the GT701 also runs on top of Busybox 0.61.pre with uClibc libraries (version 0.9.19.) The root filesystem uses SquashFS 1.x, which is a compressed, read-only filesystem stored on the MTD block. One should note that SquashFS 2.x is not backwards-compatible with 1.x. A ramdisk is mounted at /var and any files that require write access or either stored there, or symlinked to that tree. In order to retrieve and edit the file system one would first have to download SquashFS and compile it into their kernel, as well as build the user-land tools. Once this is complete your first step would be to either extract nsp.ar7wrd. squashfs.img from the recovery tool, or do something similar to the following (while running a tftp server): # dd if=/dev/mtdblock/0 of=/var/mtd0 6272+0 records in 6272+0 records out # tftp -p -l /var/mtd0 -p mtd0.img This will give you a mountable SquashFS image wherever you you placed your tftp root. In order to to write to it though, you will need to copy a mounted SquashFS directory to a non-SquashFS directory as follows: # mkdir temp fs # mount -o loop -t squashfs mtd0.img temp/ # cp -R temp/ fs/ And you now have a write-able directory to edit/delete or whatever else may please you. Re-creating the image is just as easy: # mksquashfs target.old/ target.img -noappend -check_data Creating little endian filesystem on target.img, block size 32768. Little endian filesystem, data block size 32768, compressed data, compressed metadata Filesystem size 1897.99 Kbytes (1.85 Mbytes) 33.35% of uncompressed filesystem size (5691.04 Kbytes) --- Output cut --- There are two things to keep in mind while building filesystem images. The first is that the GT701 can only STORE 3,136K (compressed) on the FLASH chip. You should at this point, also realize that the filesystem is decompressed and stored in RAM when mounted, and you only have 16Mb RAM to begin with, so either way, it's a tight fit. Actiontec uses a set of utilities to manage your configuration files. They manage the XML file stored on mtd3 as well as handle your web-based configuration changes. There is also supposed to be a CLI client for it, however, I haven't quite figured out how that works yet. These utilities can usually be identified by having "cm_" as a prefix, although the CGI program for the web-based configuration is called "webcm," and of course, we can't forget libcm.so. The XML file contains all of your configuration, including IP addresses, authentication, networking settings, and probably just about everything else. You can extract a current version of the file the same way we demonstrated dumping the filesystem above, but by replacing mtd0 with mtd3. You will also need to strip all of the excess garbage at the end of the file. I should also note that that mtd3 is monitored regularly for corruption, and if mtd3 happens to become corrupted, it will repopulate the block with /etc/config.xml. The list of configuration programs is as follows: cm_pc Started at boot, stdout is /dev/tts/0,starts cm_logic and cm_monitor cm_logic Monitors and re-populates mtd3 cm_monitor ? ... Not exactly sure. cm_cli Used to perform the actual updating of the config files. webcm Handles web-based configuration changes, sends them off to cm_cli Webcm is used in conjunction with thttpd to provide a small, yet working, web-based interface to allow you to make changes to your gateway's configuration. As far as networking is concerned, the GT701 used pppd with a PPPoA plugin for your connection to your ISP. For telnet and DHCP, the gateway uses utelnetd and udhcpd, respectively. The Actiontec GT701 also supports UPNP through the use of upnpd on interfaces ppp0 and br0. br0 consists of the USB device, the Ethernet device, and the wireless device. The wireless drivers are not compiled into the kernel or as a kernel module, rather, they are handled by a userland driver called user_drv. On the original firmware, the user_drv_cli utility provided a very capable command line interface that allowed you to change many settings pertaining to the wireless network device. Some of these settings included what Regulatory domain you were in, for instane, one could take their access point out of the FCC domain, and place it under the French domain, or better yet, a custom domain, and change power levels, as well as usable channels. In the newer firmware, it seems this software has been crippled, and will not allow you to access the CLI. Conclusion The Actiontec GT701-wg is a powerful embedded Linux device running on a MIPS platform based off of Texas Instruments' AR7 "one-chip" solution. It is relatively easy to hack the GT701. The firmware images are squashFS 1.x images and the base Linux system is run on BusyBox with the uClibc libraries. If one were to setup a cross-compile environment and use the squashFS tools they could generate new firmware images with great ease. -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- I just spent the last 45 mins watching some dude work a hand-loom while speaking in a language I don't understand. There is no hope for me. -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- . * * . * * * * * * * * * * * * * * * * * * , Windows Logic Bombs. , * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * _______________*____________________________________________*___________________ Ka - fucking - boom __________________________________________ / / / / / / / /| /_____/_____/_____/_____/_____/_____/_____/ | | | __|_____|_____|_____|__ | | | | ___ | | ___________________ | | ___ | | || |--| | 12:00:00 | |--|| | | ||___ | |=| Logic Set to blow |=| ||___ | | | |--| | At Memory Address | |--| | | || | | |=| 4556 x 1337 |=| || | | | ||__| |--| | DEVICE IS ARMED! | |--||__| | | | | | | |___________________| | | | | | | | |--|_______________________|--| | | / |_____|_____|_____|_____|_____|_____|_____|/ DISCLAMER: Note that some of the techniques in this file have not been tested on all operating systems. If you mess up your (or some one else’s) operating system(s) please do not blame me because I won't take responsibility. The following techniques have only been tested on windows XP Pro. Use at your own risk!!! NOTE TO THE WISE: This file is aimed at audiences with some batch experience and some knowledge of the windows operating system(s). If you’re into smashing kernel stacks and creating operating systems with ASM then this file is probably too basic for you. This text file is meant to show how easily it is to create a triggering effect in the Windows operating system and most anti- virus programs won't be able to pick it out. This is a very simple guide aimed towards beginners and anyone who wants to learn a quirk or two on the Windows OSes. "I don't know how world war three will be fought, but I do know that world war four will be fought with sticks and stones." - Albert Einstein Who knows what kind of terrible and terrifying weapons that will be created. Al is most likely thinking of the dangerous kind. The kind I am about to tell you about can be dangerous, but can also have a lot of really useful purposes and applications to it as well. In the virus world they are called logic bombs. What is a logic bomb? A logic bomb is an event that is triggered to happen when another event that the user does happens. I think that a time bomb is a type of logic bomb, and we will be touching on the subject of time bombs in this text as well. Thompson’s A+ guide to software defines a logic bomb as "Dormant code added to software that is triggered by a predetermined time or event." I think that is as clear as it's going to get on the definition. In windows it is extremely easy to make a program execute on a predetermined time or event. This guide will teach you how to make some code execute on a predetermined event (but if your smart you will probably figure out how to do the time part by yourself). First off, lets start at the windows root. Usually windows will be installed on C:\. in \windows OR \winnt we will find folders and some files that are essential for windows to run. These are the files we are going to use to make the logic bomb do what we want it to do. Windows XP, 98, and ME use c:\windows for essential windows programs and 2000 and NT use c:\winnt for those programs. NOTE: The following techniques have been tried and tested in windows XP pro. There is no guarantee that the following methods will work in any other version of windows. Try this. Go into c:\windows\system32. \system32 is where lots of command line programs are stored, and is also a place where the command prompt will call on if you ask it to run a program (such as ping or tracert). This is the place where we will do our mucking around in. If your using windows XP, then delete cmd.exe. Notice that after 5 seconds or so, cmd.exe re-appears! Try this with other exe files in the system32 folder and the \windows folder. Note that I'm not sure what all files will re-appear, but I am positive that lots of them will. Most of the exe files seam to, but don't count on files that you have placed there yourself, or picture or movie files to re-appear! Ok, what does this have to do with logic bombs? Ok, I am about to tell you how to make a logic bomb. Don't worry if you don't understand it at first. I will explain it after. 1) Go into c:\windows\system32\ and create a batch file (If you don’t know how to create a batch file learn how to do that first). Name the batch file "batchfile.bat" 2) In the batch file type this in the following order: start c:\windows\system32\calc.exe start c:\windows\system32\cmd32.exe Then close and save the batch file. 3) Create another batch file wherever you want and name it whatever you want. You will only be using this new batch file once. In the batch file type this: rename c:\windows\system32\cmd.exe c:\windows\system32\cmd32.exe rename c:\windows\system32\batchfile.bat c:\windows\system32\cmd.exe Then execute the second batch file. After you executed it you have made the logic bomb. Delete the second batch file that you made. What does this logic bomb do? I'll tell you. In step number one, we create the actual bomb. The bomb is the batch file, but it won’t work yet. In step two you enter the data of the bomb. The line start c:\windows\system32\calc.exe starts calculator. The second line, start c:\windows\system32\cmd32.exe starts the program cmd32.exe. But wait! There is no such file named cmd32.exe! That’s because we haven’t created it yet. In step three, we make a second batch file which renames cmd.exe to cmd32.exe in the first line. In the second line of the batch file, we rename the original batch file we made to cmd.exe. What does that mean? That means whenever you start cmd from now on you will be starting up a batch file first, then you will start up cmd32 (the REAL command prompt) and calc.exe. I put calc.exe into the batch file to demonstrate that when you try to call cmd.exe you have the ability to start two programs at once using this technique. Calc.exe can be replaced with ANY program that is on the computer. That’s the gist of making a logic bomb! Simple! The reason you need to use a batch file is if you try to rename cmd.exe (the real one) and try to make a batch file named cmd.bat you will find that the real cmd.exe comes back very quickly and you will only have a few seconds to create the new batch file name. Once created, the real cmd.exe will not be written back to its original name if the batch file is already in place. So from now on, whenever a user goes to start -> run and types "cmd" they will get both the cmd.exe and calc.exe. This is an extremely basic logic bomb. If you have looked in the system32 folder you may have noticed that there are a crap load of files in there! Even experienced windows system administrators don’t know what all of these programs do. A few changed file names would be hard for anyone to notice, especially if nothing has seamed to change. If you want to add some time properties you can add an "if" statement in your batch file. This would look something like this: if %date% == Fri 13/01/06 ( ping localhost) or something similar. Ok, lets do another example. This time, we are going to use a very common windows application. Notepad! Every time notepad opens, MrMalware.exe will open with it. Here is the example: Create the triggering batch file by making a batch file with these two lines in it: rename c:\windows\system32\notepad.exe c:\windows\system32\notepad32.exe rename c:\windows\system32\batchfile.bat c:\windows\system32\notepad.bat then close the file. Now make another batch file that will be the logic bomb itself. Make sure this file is in c:\windows\system32\ call it batchfile.bat start c:\windows\system32\notepad32.exe if %date% == Fri 13/01/06 ( start MrMalware.exe) Then execute and delete the first batch file. Now whenever notepad is called, notepad won't start up first, but notepad.bat will start up and it will call the real notepad program. The real notepad program is now called "notepad32.exe" because we re-named it. So that will start up. Then notepad.bat checks the date. If the date is Friday the 13th on January 2006, then it will start MrMalware.exe whatever that does. Simple, isn't it? I think that if you start to integrate time with the logic that you should use some high level programming language to do so because batch has its limitations. Anything more advanced than starting one program with any other program that you can call from start -> run you may want to consider not using batch. A program that has been compiled can have an extension of exe, which would make it harder to spot and detect. This logic bomb can be used for good and evil. If you’re an administrator, you can use it to start a log of how many times a user is using a specific program, or you can use it to execute malware. A more elegant way of writing this program would be writing it in VB. If you wrote it in VB, or any other non-script language, you have more control over the logic of the mechanisms of the bomb and what, why, how and when it executes, but this is the simplest and quickest way to do it. You could also make a vbs (vb script) file, but I have not played with this either. These are just ideas for you to use. There are many potential uses for this. One use I have not yet tried is getting administration privileges. You could create a logic bomb that starts when notepad starts that creates a user and puts him in the administrators group. You could do this from booting from a floppy disk and creating the logic bomb. A malicious user could put a program somewhere on the hard disk and set it to 'explode' on a certain event and be long gone by the time it actually occurs. You could also use the AT command in dos to do the same thing, or use the task scheduler, but that's a lot easier to detect. Another thing about this method is that it is not like a virus that is running in the background waiting for a specific keystroke (those can be detected in process viewers most of the time). This just waits for a program to be called. What is a solution to network administrators? There is a program called LAN Guard File Integrity Checker. It checks on a specified date and time what files have been changed. The same people who made the LAN Guard network-auditing tool make it. It will email you the changes some one made to the computer, but there are always ways around this. You could, for example, find out when it is scheduled to send the e-mail and shut down the program at that time and send fake emails or even shut down the service all together. Or even if your logic bomb works with an executable instead of a batch file, an administrator might see the changes made, but when they see that some obscure file has been deleted and replaced (with one that they don’t know is malware etc) and another file has been renamed and they see the system works exactly like it did before the changes were made, they might not put two and two together. And remember, the only way an administrator could find out is *after* the implementation of the bomb. If you are using an XP pro machine a solution is to use the Windows system file checker. This program checks to see if all of the system files are the originals. To start this program go to the command prompt and type SFC /scannow but this program too could be deleted or corrupted. Notepad is excellent to use for this type of re-naming logic bomb because it is used a lot. It is used to edit html, ini files, batch files and text files (duh) to name a few. Other programs to use for this technique are: ping, tracert, cmd.exe, calc.exe, dir and any other file in c:\windows, c:\winnt, c:\windows\system32 or any other place where your computer looks for command line executables. You may also want to note that the logic bomb will run whenever the batch file-logic bomb is executed and this may cause problems of its own, but that’s for you to experiment with. Usually discovery of such small hacks such as this are inevitable to the experienced system administrator, but as you can see, often discovery can theoretically be delayed and sometimes may not be discovered at all. As you have seen, making a logic bomb that will go off when a local windows program is executed is as easy as: 1) Making the logic bomb with batch or other programming language 2) Doing a Rename with another batch file, and 3) Deleting the evidence. Even Tron can (maybe) do it! Hopefully this guide has shown you the basics of event-triggered events and you will find your own new ways of triggering events when other events occur. Questions? Comments? Death threats? Mail aftermath.thegreat@gmail.com This file is not copywrited and is not intellectual property (intellectual property is stupid). -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- --> tron (~user@ip68-1-50-252.pn.at.cox.net) has joined #hackcanada oh. it's tron. can you shoot lasers out of your eyes? get a real handle kid haha lol lol your's is based off some fucking disney flick, you silly goose off an elite movie disney. hey disney rules! i especially like aladdin because it reminds me that someday i will be able to travel the world on a flying carpet. :`( I'm a lonely old man -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- ( SASS ) Single Access Serving System ( /SASS ) Written and Investigated by Majestic 1/12 Prepared for: http://www.datutoday.tk Submitted to: http://www.phreaksandgeeks.com ( Special thanX to " greyarea ", for finding and posting this number and Pass, allowing me access to the systems and functions of this Sass Unit! ThanX to " Lineside " For his Hz scales from his artie, also posted in the Sass Section of http://www.datutoday.tk ) Sass Unit Dialup Number: ( 602 ) 277 9994 Npa = (602) Pheonix Arizona xxx = (277) Quest Communications One or Two rings to Dialtone enter "****", you will be prompted to enter Tech ID, Enter in "****", a dialtone will proceed until you are prompted to enter the Ten digit subscriber line number... Type # and you will get the list of options as follows: Dial 5 for Dtmf Keypad Test Dial 6 for Caller ID Dial 71 for Ringback Dial 72 for Call waiting Ringback Dial 81 for Single tone: choose between 03 (304 Hz) and 32 (3204 Hz) Dial 82 for Low coil tone Sweep Dial 83 for Three tone slope (400 Hz,1004 Hz, 2804 Hz) Dial 85 for Quiet termination Dial 86 for Milliwatt tone Dial 87 for 30 Tone sweep: choose start and end tone between 03 (304 Hz) to 32 (3204 Hz). For a full tone sweep you enter * Dial 88 for Number identification sweep: 1200 HZ - 2200 HZ (for caller id) Dial 89 for Data sweep (900 Hz - 2800 Hz) Dial 80 for 10 tone slope (304 Hz - 3204 Hz) Dial # for New Subscriber Line Dialed 5 - DTMF Keypad Test, Whatever key pressed, machanical Voice told you the Numerical Number. Dialed 6 - When I tried #6 I was told Restricted .. I then unlocked my line with *82 and tried again. This time it spit out my number then repeated it. Upon dialing into a Sass Unit your ANI may be being logged, but wen you test the Caller ID option # 6 if your line is blocked with a permenant caller ID Block it will either readback as "Private" or "Restricted". Dialed 71 - <*>Ringback Please enter 10 digit ringback number. I was told by persons living in the above stated NPA that the ringback feature does work, but is NPA restricted. This Function as I was told by Greyarea and decoder would only work with a Sass Unit that was on the Switch in the NPA ( 602 ) So when I find one that is in or around this area, I will indeed be recording the full audio and submitting that to: http://www.phreaksandgeeks.com as well! Dialed 72 - <*>Call Waiting Ringback Please enter 10 digit ringback number. I was told by persons living in the above stated NPA that the ringback feature does work, but is NPA restricted. Dialed 81 - Single tone Enter 2 digits, ( only ones that worked so far that I saw were the ones stated above " 03 " ( 304 Hz ) and " 32 " ( 3204 Hz). Anything else gives an error message. Dialed 82 - Low Coil Tone Sweep - When to Milliwatt then to other Test Tones... Higher tones as the Sweep Progressed lasted 12 seconds! Dialed 83 - Three Tone Slope - Lower Level Tone to a Milliwatt, then to a higher pitched tone As stated above ... In Order (400 Hz,1004 Hz, 2804 Hz) Dialed 85 - Quiet termination Just as it said " Quiet " No noise at all! Dialed 86 - Milliwatt Tone - Instant Milliwatt for 10 seconds Dialed 87 - 30 Tone Sweep Press * to start full Sweep, or enter the same two digits as described in Promt 81. Dialed 88 - Caller ID Tone Sweep Multi Tone Sweep from Low to high end range. Number identification sweep: (1200 HZ - 2200 HZ) Dialed 89 - Data Tone Sweep, Tone Sweep from low to high end range. (900 Hz - 2800 Hz) Dialed 80 - Ten Tone Slope, (304 Hz - 3204 Hz) <*> options ( 71 & 72 ) have me wondering, if maybe you have to enter in the actual Ringback line number and is just a subscriber line number. I tried entering my number and never got a call back from the Sass Unit, or any other unit for that matter. I have tried this a few dozen times, and got the same response out of the Sass Unit. option 71 - " Ringback - Dial 10 Digit Ringback number, Entered in a Real NPA and XXX, made up last four and was prompted with " Please hangup for test ring. " I have yet to connect to a subscriber line number, as it tells me it is unable to connect. I have tried to connect to the numbers 602 277 9990 - 9999 as I thought maybe I had to use the same NPA and XXX as the Sass Unit. I was still not able to connect. Perhaps this system is like the Direct Access Test Unit systems,( DATU ) and require an admin code to setup certain features. I again hungup and redialed the Sass number and attempted to access an admin mode by using the same codes as a Datu. No response other then the 4 digit default logon code. I will continue to explore this system, and get to know it better. Perhaps I will learn more about admin feature, and such... I hope this .txt phile helps you understand the Sass a little better. Please feel free to email me @ datu_warrior@phreaker.net with more information and or questions on the Sass Unit. Please visit my Direct Access Test Unit site @ http://www.datutoday.tk for all your 1337 Remote Accessing needs... Added as of April 29 2004 ... Dialed the access number: 602 277 9994 Entered in the login **** and the Admin code of ******* and got The prompt: " Dial 10 digit subscriber line number! " I tried to press # for the feature list, but was then again prompted for the 10 digit subscriber line number! It wasn't until I entered a number in the 602 277 XXXX that I heard "ok" ... " Intercept " ... " Accessing " ... " Connected to 602 277 XXXX, Pair Gain Line ... ok Audio Monitor " 5 - 10 second delay until a double beep then the standard Datu fuction list was prompted. 2 = Audio Monitor 33 = Short Tip and Ring to Ground 37 = Short Ring to ground (Tip Open) 38 = Short Tip to ground (Ring Open) 44 = High Level Tone on Tip and Ring 47 = High Level Tone On Ring (Tip Grounded) 48 = High Level Tone on Tip (Ring Grounded) 5 = Low Level Tone 6 = Open Line 7 = Short Line (Tip to Ring Short) 9 = Permanent Signal Release # = New Subscriber Line ## = Force Disconnect * = Connect preparation function after disconnect (system programmable from 1 to 99 minutes enter number of minutes); enter number of minutes after "*" It is my conclusion that if a regular login of **** and a regular Tech ID of **** is entered, you will receive the standard test mode of the Sass Unit... Mainly Test Tones, and ANI confir mation for the Tech to use when either installing a new subscriber line, or testing a circuit at the CO. When the access number is dialed and the login of **** and Tech ID of ******* is entered you will receive the admin features, which then allows the use of the Datu ( Direct Access Test Unit ) features, as listed in the Harris Dracon Datu Manuals which can be found on the Harris Dracon Website or on my own site of: http://www.datutoday.tk! Shouts to: decoder, Ic0n, Natas, White Sword, Brisk Attivo, Royal, Twinkee the Kid, greyarea, Rijil V, Eta, Rios, The Clone, And everyone that has helped in my pursuit of Remote Access Information. L8er.... Majestic 1/12 ( The Collective ) -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- I can't stand re-heated coffee *shudders* That's one of the reasons I broke up with my EX, she'd make coffee in the microwave. -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- Wetware hacking: Sound and Smell Cybur Netiks (cybur_netiks@Phreaker.net) http://www.hackdaplanet.150m.com Disclaimer: I take no responsibility to any damage either physical or otherwise that may occur. This kind of treatment may be harmful to some individuals. Make sure you are in top form physically and mentally if you decide to try this, which I still advise against. I based this on a trial beginning with sound (music) to stimulate memories / emotions and later moved on to smell. -sound- I simulated anger. I looked through my collection of old mp3's that I no longer listen to. Unfortunately, these were numbered and I cannot tell you what song I was using, but that doesn't really matter. I picked out a song that wasn't calm but that didn't currently inspire anger either, a kind of high-energy techno music I used. Then to recreate the appropriate conditions, I set the mp3 on repeat and recalled in as much detail as possible, times that I was extremely angry. Bringing back these memories gave me an energy rush simular to anger, but not as impacting. I repeated this at small intervals at least once every two days. I don't know how long I did this for, I think about two months, but I soon found I would immediately get the rush of energy associated with anger when I started the music, even before I began to simulate the conditions. For quite awhile afterwards, the simulated emotions triggered from this song were strong and unfaltering (I don't know about now, those old MP3's are gone) so it appeared to be a success. I never did try it with another emotion, unfortunately. I chose anger because it seemed to be the easiest to simulate. -smell- I noticed one day when I was in a store and someone was wearing the exact brand of perfume that my mom uses (the lady was wearing way too much perfume, i wasn't even that close to her) and immediately I was flooded with memories of my mom. Interesting, I thought, maybe someone could use this to recall anything. It wasn't until when I started this article (this incident was awhile ago) that I actually tried to make another memory stimulated by smell. I decided to see if I could remember my bed and be rejuvinated every time I smelled a certain scent. I picked out one rather strong-smelling scent of the axe deoderant bodyspray. I sprayed it over myself just before I went to sleep every night for about a month. I won't go into detail (after all, all I was doing is spraying deoderant and going to sleep) but I probably should have sprayed it every time I woke up, because instead of rejuvinating me, all it did was remind me of how tired I was when I went to sleep and made me tired immediately! Oh well, this just shows how something as simple as your perfume can trigger memories or emotions. I don't know how well this will work for other people, and I don't suggest trying it. It may be emotionally stressful for some people. Wetwear Hacking References: 'Brain-Wave Machine' (CYB0RG/ASM, Hack Canada) http://www.hackcanada.com/homegrown/wetware/brainwave/index.html 'Electronic Mind Control - remotely altering our lives' (The Clone, Hack Canada / Nettwerked) http://www.hackcanada.com/homegrown/wetware/misc/emc.txt 'Telepresence Bi-Autoerotic Intercourse' (CYB0RG/ASM, Hack Canada) http://www.hackcanada.com/homegrown/wetware/phuckme/index.html -- Smell and Memory References: 'SMELL AND MEMORY' (Shigeyuki Ito, Serendip) http://serendip.brynmawr.edu/bb/neuro/neuro00/web2/Ito.html 'Improving Memory' (Paula Tchirkow, MSW, LSW, ACSW) http://www.seniormag.com/headlines/memory-help.htm .eof -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- i'm turning emo. -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- MORE PHUN WITH THE AUDIOVOX 8900 By TeK-g (Sept. 2004) This time around we will explore the filesystem of the Audiovox 8900 (AKA LG VX6000) using Bitpim and the USB data cable. We will examine the Telus 8900 compared to other 8900's to gain a better understanding of Telus' frugality. ********************************************************************* *********** PLEASE READ THE FOLLOWING BEFORE CONTINUING.************* ********************************************************************* From: http://bitpim.sourceforge.net/testhelp/ Audiovox CDM8900 THIS PHONE IS NOT SUPPORTED The internal software in this phone is far too fragile and shoddy. There is a very real risk of locking up the phone so badly it won't reboot and has to be replaced through trivial operations. Consequently this phone is not supported by BitPim and you should not use it with BitPim even if it appears to work. You should not report any issues with this phone and we will not respond to support requests other than by pointing to this page. ********************************************************************** To paraphrase: this COULD seriously SCREW UP your phone. You have been warned. NEEDED: Bitpim: http://bitpim.sourceforge.net Datacable: http://ebay.com SETUP: 1) Install the 8900 on your respective OS using the driver disc accompanying your cable. Make sure phone is turned on and everything is connected correctly. 2) Download and install bitpim. FIRST STEPS: Once you have bitpim up and running, you will need to configure the phone so as to facilitate communication. This is accomplished by (under win2k3) EDIT --> SETTINGS. Once here you will need to modify the PHONE TYPE field to VX6000. Next go to BROWSE and select CURITEL PACKET SERVICE. The phone is now correctly configured and ready for some data transfer. Next we will need to view a copy of the filesystem. For this we select the FILESYSTEM tab and right click on REFRESH. This will give us the filesystem, all readable in HEX. FURTHER EXAMINATION: /ch/ <-- call history, readbale plain text. /nvm/$SYS.INVAR2 <-- ESN stored here. Note this phone was second hand, subsequently this is likely different on 1 owner phones. /nvm/nvm_0002 <--- at address 0000070 we see the security code for the phone, again plaintext, Below, you should see 2 six digit text numbesr, first set of 6 digits is your SPC code the next set of 6 digit should be Telus One time subsidy lock code. The SPC code can be used to access the ##TELUS menu referred to in article one. Shouts to Steve DM for this tidbit! /nvm/nvm_0005 <--- at address 00000f0 we see the phone's email address phone#@microbrowser.telusmobility.com ** /ams <-- this looks to be the java dir. Some .jar files here. /photo <-- here is all the photos. You can download them, a nice workaround if you are a victim of the story below. /preload/images <-- all the preloaded images for MMS /preload/ringer <-- all the preloaded ringers for MMS That basically does it for the filesystem, only other thing to try is adding a wallpaper and attempting to upload. Unfortuneately we get exception. Looking closer this is an error relating the BREW, the program on the phone designed to handle this sort of thing (so you dont need to use MMS/WAP). Looking where BREW is supposed to be on the phone, we see the directory is there /br, but no files. THANKS TELUS. Uploading images manually has had negative results for me. Even when I overwrite the old files, every time I go to open them, the phone freezes. A hypothesis for this is enclosed below. ** The 8900 is a very buggy phone. The phone is unstable at best and inoperable at worst, a combination of poor hardware and modified firmware (THANKS AGAIN TELUS) contribute to making this phone pretty unstable. An example: Activating a second hand 8900. The activation processes fine, however your WAP and MMS will not work. The reason? A memory allocation flaw in the filesystem disables this. It also has a tendancy to rename incoming calls (you see the last call's name on the current call's incoming number on call display). It also affects the numbers of pictures and occaisonally causes the phone to lock up all together. This memory allocation error is most likely the cause of the uploaded images crashing the device. The solution? Telus has a firmware upgrade for the phone for all second hand users. At last check my Telus dealer had just received it but were unsure of how to use it without permanently damaging my phone so they told me to come back. if you mess up your phone while trying to make your own ring tone for the phone and send it to it via your computer, don't fret. Delete the directory file, and it will recreate it after a power cycle. Problem, if you had other ring tones, you lose them. Possible solution: back up your files first!! (THANKS STEVE DM!) So that is it this time around. If you have anything to contribute, you can email me @ fawkyou420@hotmail.com. A BIG SHOUT TO STEVE DM FOR SOME OF THE INFO. YOUR HELP IS APPRECIATED AND PROVES YOU DONT HAVE TO BE A UNBERCODER TO HAVE A LITTLE PHUN AT THE EXPENSE OF TELUS. BWAHAHA. -TeK-g FURTHER READING ON THE 8900: http://www.phonescoop.com/phones/p_forum.php?p=241 http://www.cellphonehacks.com/viewforum.php?f=21 http://cellphoneforums.net/forumdisplay.php?s=d62ebc60bdf2cc9e03038c55cd542c97&forumid=85 http://www.howardforums.com/archive/forum/166-1.html http://bitpim.sourceforge.net/testhelp/ -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- Is doing well on math assignments supposed to cause guilt^ port9, no masturbating with a math text book is -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- Never Whistle While You're Pissing An in-depth guide to "Cracking Encrypted Intelligence" PhreakNIC 8 in Nashville, TN on 23 October 2004 aestetix (aestetix@aestetix.net) http://www.mw2600.org Introduction Humans are predictable. There's no questioning this statement: anyone with a minimal amount of exposure to other humans will attest to this. Telemarketers have scripts that not only give people information they know will catch their attention, but already have rebuttals to a wide spectrum of questions that might be asked. Anyone who's ever worked in sales will comment on a pattern that emerges on several levels, rush periods varying both in the hours of the day and the seasons of the year. For as long as history and human interactions have been recorded, but more specifically in the last 150 years as technology ballooned with the Industrial Revolution, these patterns have been noted and incorporated into a plethora of designs. The study of these patterns coincide almost directly with the desire to understand how the world works and attempts to answer "the mysteries of life". In studying patterns, three main concepts arise: what are these patterns; can they be replicated or destroyed, once recognized; and once controlled, can they be used to manipulate the environment? The first question can be restated in terms of philosophy, political and economical study, and is seen in the most basic mathematics. The second commonly arises in cryptology (the art of encip- hering and deciphering encoded messages) and artificial intelligence (AI). The final idea emerges in neuro-linguistic programming and social engineering tech- niques. The title of this talk is meant to be a pun on words: "encrypted intelligence" refers both to understanding how the human psyche works and subsequently replicating it in AI, methods which have been used in cryptologic study, and using the knowledge we've gathered from both spectra to enhance social engin- eering skills, "crack" the patterns that emerge, and take advantage of our new insight. The simple answer is that they actually have a great deal in common, depending on your view of what AI is supposed to be. By briefly studying cryptologic history, we can draw several direct links to AI, both in theory and practice. However, there are many misconceptions about both fields which must be dispelled before delving further into either spectrum. Inherent with AI is the classic argument of exactly what constitutes "thought". A longstanding debate within the AI community (and philosophic community in general) precludes the question of whether AI can actually exist; the approach that has been most successful in the last 40 years is to mimic patterns that simulate intelligence to the point that we lend enough credence to a machine to cross a specific threshold. In his book Computer Power and Human Reason, Eliza creator Joseph Weizenbaum goes into detail on this psychology, noting that people at times became so trustworthy of his psychologist program that they would actually ask him to leave the room so they could "talk" with the machine in private. The great myth of cryptology, especially when considering modern cryptology, is that security only comes from having the latest, greatest, most up to date cipher algorithms. Although proper implementation of these would theoretically make your information more secure, people forget that the true nature of crypt- ography lies in the key. What's more, computers aside, the most pattern-obfus- cating system in the world is utterly useless if you forget the key. From my experience, I've found that the best cryptologists concentrate less on a complex system and more on trying to understand the people they are hiding information from and constructing a system that will evade their knowledge. Cryptology is all about understanding your opposition. What is Cryptology? Cryptology is nothing new. The art of creating hidden messages and analysis thereof has existed since humans started recording information. In many arenas codes are unintentionally created: for example, the creators of the Greek Linea B cipher were simply recording information, and it has become a cipher because their language was lost to history, only revealing itself to people attempting a linguistic brute force. Anyone who has learned a foreign language is familiar with slowly analysing a paragraph and watching the meaning unravel as they identify word relationships. Cryptology traces its roots back to multiple cultures. Credit for the first major works written on the subject goes to the Arabs, including Abu an-Nabati for his "Kitab shauq al-mustaham fi ma'rifat rumuz al-aqlam" ("Book of the Frenzied Devotee's Desire to Learn About the Riddles of Ancient Scripts") where he introduces several cipher alphabets. The epitome of Arab cryptologic knowledge was completed in 1412 by Shihab al-Qalqashandi, who surveyed basic substitution techniques. The most primitive and best introductory cipher is the "substitution" cipher, which involves substituting a familiar symbol with a foreign symbol. Common examples of this include numeric substitution (A=1, B=2, C=3, etc) and rotation substitution such as the Caesar cipher, where the cipher text (CT) is the plain text (PT) rotated three times (A=C, B=D, C=E, etc). There are more complex forms created to add noise to the cipher, such as multiple letter substitution (A=BCD, B=FGE, C=DNF) or multiple number substitution (A=234, B=483, C=438). Replacing one symbol with multiple symbols adds an additional barrier to cryptanalysis. As was soon discovered, every language has a letter frequency order which arises with enough writing. English, the current universal language of the world, has an order beginning with "ETAOIN", where "E" tends to occur 13% of the time, "T" 11%, "A" and "O" 9%, and so on. These percentages will vary slightly with every text, but the deviation is not significant. If we were to run a letter frequency analysis on the previous paragraph, the result would be as follows: E (37 times or 13.6%), T (25 or 9.2%), N (23 or 8.5%), I (22 or 8.1%), A (19 or 7%), and so on. We also must consider that that was an extremely small paragraph; results become far more tangible when analyzing an essay or an entire book. This pattern is conspicuous within all works written in English, and although it varies with other languages, the principal is still the same. Another example of patterns emerging through obfuscation comes from the poly- alphabetic (multiple alphabets) cipher. Originally introduced by Giovanni Battista Porta as the cipher disk, this cipher was later refined into a tableau (table) by Blaise de Vigenere and subsequently termed the "Vigenere Cipher". Here, rather than having a single symbol substitution for each character, we have an entire alphabet that rotates. If we look at a cipher disk, we can see two rows of letters: the inner and outer alphabets. For a simple Caesar cipher, we rotate the inner alphabet so that the "c" matches the "a" on the outer alphabet, and can translate the entire CT. With a Vigenere cipher, the inner alphabet is rotated for -every letter- of the ciphertext. This additional rotation gave the poly- alphabetic cipher exponential security over the substitution cipher, and adopted the name "Le Chiffre Indechiffrable" (the undecipherable cipher) for centuries until it was finally cracked by Charles Babbage, the same man who created the Difference Engine and who's apprentice, Ada Lovelace, founded what we know today as computer science. While at first it seems incredulously impossible, cracking the Vigenere simply involved a natural derivative of frequency analysis. For a given polyalphabetic cipher, there is a limited length that the key can be. Borrowing an example from David Kahn, if we have the ciphertext: KIOVIEEIGKIOVNURNVJNUVKHVMGZIA we can see there are certain letter sequence repetitions (underlined) that occur. With a larger ciphertext, there will obviously be many more places of repetition, which makes our cracking technique much more reliable. Assuming the position of the first letter, "K", is 1, and each position thereafter 2, 3, 4, etc, we can determine the number of letters between each repetition. For example, the second occurence of KIOV begins at 10, which signifies a difference of nine letters. Here's where things get fun: nine factors into 3*3, 9*1, or 1, 3, and 9. If we do this for each repetition, we'll begin to see patterns in the numbers involved in the factors. Let's say that 3 is the most commonly occuring number; we can break the ciphertext up into groups of three: KIO VIE EIG KIO VNU RNV JNU VKH VMG ZIA Does this look familiar yet? Try splitting up the columns and looking down. Think for a moment. How can we apply frequency analysis to this? Each indi- vidual -column- is a rotation with a single letter for the key, and the keys for each column join together to form the keyword for the ciphertext! If you run a frequency analysis on the first column, we'll discover the key is "F", and "U" and "N" for the next two. Now apply this new key, "FUN", to the ori- ginal ciphertext, and the secret is revealed: "TOBEORNOTTOBE..." Once again, we've shown that no matter how obfuscated a message may be, there will always emerge inescapable patterns which betray it. There is -one- theoretical cipher that can never be cracked: the one time pad cipher. This involves setting a completely random key for each letter, aboli- shing all frequency. This is a derivative of the polyalphabetic cipher, and the fundamental groundwork for the German Enigma code. The Enigma, originally devised by the German Arthur Sherbius, is composed of several alphabets set on rotors hooked into a typewriter and a lightboard. When a key is pressed, electricity circulates through the rotors, depending on the configuration, and the resulting ciphertext lights up on the lightboard. There are other features, such a variable number of rotors and plugs to swap letters, but this description is sufficient for this paper; if you're interested in more, read Singh's The Code Book or Kahn's Codebreakers. Although the Enigma capitalised on abolishing letter frequency (look up the statistics: the amount of permutations possible is incomprehensible), where there's a will, there's a way. The team at Bletchley Park in England was determined to defeat the Nazis, and incorporated the right genii to do it, a team headed by crypto-god Alan Turing. Turing noticed that the Axis usually sent weather reports over the telegraph; he started making guesses as to words they would use to describe the day's weather, and used the correlation between rotor wheel locations and corresponding letters to unravel an incredible amount of permutation-- these techniques were incorporated into the Turing "Bombe", the partner of Colossus and the ancestor of modern computers. To even begin describing all the techniques the Allies used against the Nazis would require an entire book in itself; ironically, the mammoth Codebreakers makes little/no mention of these operations because the British government didn't consider declassifying them until the mid-70s, and the park wasn't officially declass- ified until 1987. During this time, many of the original machines had been lost or destroyed, and Hut 4 where Naval Intelligence operations occured had been cleared and turned into a cafe-- good food though :) Now let's look at Artificial Intelligence! At the end of WW2, because there was no need for cryptanalysts anymore, Turing started thinking about the machines he had created. Alongside the automata theories of Descartes (written of in his Discourses) and the rise of mechanism with the Industrial Revolution, viewing people as machines was nothing new. However, Turing applied these ideas directly with a method to determine intelligence: the Turing Test. Originally debuting in his paper "Computing Machinery and Intelligence", the Turing test involves a person (A) sitting at a computer recieving questions from both another person (B) and a computer. If A is fooled into thinking the computer is human, the computer has passed the test. There are many delimeters to this, and many questions about the ethics and religious implications which Turing answers at the end of his paper. The test quickly gained fame, and set the groundwork for the next two decades of AI research. In 1958, Marvin Minsky and John McCarthy founded the MIT AI Lab, where over the next ten years leaps and bounds were had. Two of the most significant projects were Eliza, the computer psychiatrist created by Joseph Weizenbaum, and SHRDLU, created by Terry Winograd. Eliza operated on a complex understa- nding of patterns which emerge in human language, creating realistic responses that would convince the user that "she" was sentient. Winograd's machine was an interpreter that could read input text and move blocks around or answer that it could not obey its instructions and why. Where cryptology for so long focused on analysing people patterns to destroy them, AI tried to create systems that could mimic them realisitically enough to fool people. To truly understand how Eliza works, we first need a good understanding of how a language (like English) is structured. While there are nitpick exceptions, a typical sentence is composed of a subject, verb, and direct object. There also exist descriptory words, like adverbs and adjectives, as well as prepo- sitions. A proper sentence clause is established with these. For example, if we have the sentence "Timmy caught the ball", we can insert the clause "who was running" to get "Timmy, who was running, caught the ball." At first, this seems like a typical lesson in English, until we apply game theory. Series exist in two basic forms: recursive transition networks and augmented transition networks. The first is like a fractal with parameters you set at the beginning that don't change. Each iteration feeds into another instance, following the same algorithm. The second is more like a chess game. There are set rules and limits, but the parameters change with every turn. Jumping back to language, if we apply these theories to how English is structured, we can actually view each clause as an instance, and a multi- clausal sentence can be seen as an iterative game. The structure is the same (you always have a subject and verb), but the parameters constantly change (the subject may move from "Timmy" to "he"). The challenge of a programmer is to understand how these changes work and to code his program accordingly. In addition, we must understand how the pronouns and subjects within clausal instances relate back to the original statement. Sounds easy enough, huh? Amazingly enough, Weizenbaum actually managed to create a system that could imitate conversation. The system was also prog- rammed to pick out certain words and ask common questions relating to them. For example, if it saw the user type the word "sad", it might respond with "Why are you sad?" Winograd's system, SHRDLU, was created under the same idea, but with a comp- letely different response mechanism. Rather than forming its own sentences and responding in text, it would interpret the user input and move blocks accordingly. Several challenges came up: what if someone wrote "PICK UP THE RED BLOCK" and then "PUT IT DOWN"? The system would have to link the pronoun back to "red" and "block". If there were more than one red block, it would need to respond by asking which red block to move, then understand the responce and know to apply it to the previous statement. With an ironic twitch, SHRDLU was appropriately named after "ETAOIN SHRDLU", the first ten letters of frequency in the English language :) There have been many new developments in the years since, including voice and handwriting recognition. The intricate details are far too elabourate for this paper, but their existence capitalizes off the same idea: understanding human patters and creating a system to mimic them. Is Your Brain Fried Yet? Ultimately, we can see that in human language and activity, certain inescapable patterns exist that will emerge if put under the right eyes. Both cryptology and artificial intelligence have, at heart, analysis of these patterns. As we saw with the substitution, polyalphabetic, and Vigenere ciphers, a good cryptosystem eradicates these patterns as much as possible while still leaving an opening that only a single key is able to unlock. While this is held in principal with the theoretical one-time pad cipher, realistically there will always be ways to pop these keys open. More modern algorithms tend to rely on prime numbers or insane iterations, substitution boxes, and elliptical curve cryptography, and many people, including Singh, feel that the advent of quantum cryptography means the death of cryptanalysis. To respond to this claim, I recall the words of V1RU5 regarding lockpicking: they can make the most secure electromagnetic door system possible, but if you cut the power, it opens right up. In other words, if a system seems secure, it just hasn't met the proper match yet. It's much harder to make a blanket statement like that about AI. For one thing, people can't seem to agree on what AI -is-, should be, or what determines intelligence versus thought. Some schools throw Godel's proof into the pile, saying that once a system reaches a certain point of complexity, it can be considered sentient. Ray Kurzweil wrote an article with an excellent example where a computer that was about to be disconnected emailed a plea to a lawyer, who fought a lawsuit on the computer's behalf. Others are more skeptic. John Searle's Chinese Room Experiment is an excellent example, where he effectively claims that a computer will never rise above the sum of its parts. However, we can agree that the same pattern analysis which influenced the development of cryptology have had a monumental affect on AI progress. Wait, Wait, Wait... What About Social Manipulation? If you notice the speaker list, you'll see Johnny Christmas and I are giving a joint presentation. More accurately, he's covering this because he knows his shit much better than I do. However, I can list off a few tidbits of NLP I've learned over the years. First, there's the shit with the eyes. It's fucked up, it's beyond your control, it kinda shocked me when I first learned about it. It's a really common trick used by inquisitors: when you're trying to remember something you -know-, your eyes move to one side of your head, an when you're trying to make up something, they move to the other side. This is one of the reasons that good investigators start out questioning with really easy questions. Second, men tend to think more in numbers and words, whereas women tend to be more visual. For example, a guy might not be able to do elementary algebra, but he can remember 10,000 football stats with no effort. Women prefer to upkeep appearance, both physical and home. Major newspapers like the New York Times and Wall Street Journal target industries dominated by men, and subsequently are filled with long textual articles, while Cosmopolitan and (insert woman's magazine) tend to be far more visual. Before I get flaming dog shit thrown at me, this obviously doesn't affect everyone. I know plenty of respectable businesswomen who read major newspapers religiously, and guys who are more into Mozart than Joe Montana (like myself). These are just a few quick examples I could think of... if you want to know more, ask Johnny Christmas. I've also seen listings for NLP talks at DefCon and other cons, but I really haven't attended them. Sue me. ;) Influenced By: General: Finite and Infinite Games by James P. Carse Republic by Plato The Underground History of American Education by John Taylor Gatto Cryptology: The Codebreakers by David Kahn Crypto by Steven Levy The Code Book by Simon Singh Codes, Ciphers, & Other Cryptic & Clandestine Communication by Fred Wrixon Applied Cryptography by Bruce Schneier Cryptonomicon by Neal Stephenson Artificial Intelligence: Machines that Think by Pamela McCorduck Computer Power and Human Reason by Joseph Weizenbaum Discourse on Method by Rene Descartes Godel, Escher, Bach by Douglas R. Hofstadter "Computing Machinery and Intelligence" by Alan Turing Giant Brains by Edmund Berkeley Understanding Computers and Cognition by Terry Winograd and Fernando Flores -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- Nausea, heartburn, indigestion. Upset stomach, diarrea. Yay! -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- Another Scam From the Dirty Pigs in Edmonton MsOgynis 2004.09.23 I got one of those forwards today. You know the ones. It's being sent to every person in the senders address book. I hate getting these generic emails. It was just a string of pictures. I expected the usual obscene grouping that amuses the same type of person that enjoys morning radio shows. I went through the pictures a couple of times to make sure what I was seeing was real, and that it was what it said it was. The images depicted police setting up a garbage can with a photo radar device. The pictures were of inside the garbage can too, so I was a little suspicious. I checked out what I could online to see if there was any corroborating evidence that such a thing was going on in my home town. I came across a lot of interesting information on how the government in Alberta has tried to limit the use of these devices, and the police refusing to abide by these legal decisions, or manipulating the law to best suit their motives. What motives could the police possibly have outside of enforcing safe driving habits in the populous? It has been touted in the media as a cash cow, with the public outraged, but helpless. The police have been making unbelievable amounts of money through this scam. In 1995, the year Edmonton police first started implementing photo radar, the city generated $3.5 million. Last year Edmonton police scammed $15,007,607. That's a significant increase either in speeders or the use of these systems. Digging through a few sites that were dedicated to the fight of photo radar in Alberta, I found this: "In 1999, Lockheed Martin (the company that, at the time, was taking a significant percentage of each ticket paid by Edmonton citizens) presented Edmonton city police with an award for their efforts." Lockheed Martin? You bet! The guys that brought you such innovations as missiles of mass destruction and the Columbine Massacre are the same ones that developed and made a cut of many of our speeding tickets. The images of the garbage can were still unverified anywhere though. I fired off an email to a guy that runs one of these "photo radar is evil" sites, with the pictures attached. He wrote back that he had heard of something like this being tested in Sherwood Park. And, he was right! "Photo radar operators can snap speeders coming and going with the Can-Cam. The Sherwood Park prototype, the only one of its kind in North America, is a four-foot-high metal box which an operator wheels across the street to monitor traffic travelling in the opposite direction from the photo radar vehicle. So far, Affiliated Computer Services (ACS), which operates photo radar and red light cameras in Strathcona County, is just using the Can-Cam on two-lane streets because provincial legislation requires the operator to visually identify the speeding vehicle. Although the Can-Cam doesn’t exactly stand out on a boulevard, the operators post portable photo radar signs to alert the public to the presence of the camera. It’s in the pilot phase and the technology seems to be an effective way to decrease speeds and make the roads safer." Portable signs that alert the drivers there may be photo radar. The device looks like any electrical box you'd see on the side of the street. Up close (in the picture provided) you can see the wheels, but as a driver going by, you'd never know. We can sit back and allow our civil liberties be eaten away one by one. Allow the police to scan your drivers license into a database when you go to a bar. Allow them to set up cameras to take pictures of you as you drive by. We can become the USA. Or, fight it. This is a test site, but it will be part of the regular system soon enough. Sources: Sherwood Park News - http://www.sherwoodparknews.com/story.php?id=101006 Edmonton Photo Radar - http://www.members.shaw.ca/halotic/radar/ Government of Alberta - http://www.solgen.gov.ab.ca/policing/radar.aspx?id=2512 Pictures: http://www.smartestgirls.com/images/photoradar12.gif http://www.smartestgirls.com/images/photoradar22.gif http://www.smartestgirls.com/images/photoradar32.gif http://www.smartestgirls.com/images/photoradar42.gif http://www.smartestgirls.com/images/can_cam2.gif -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- i wish everyone programmed in assembler. we could all be content with a screamin fast 486DX Blistov, in assembly. An assembler is the tool used to assemble the code. haha. Assembler, assembly, ASM. Why is everything argued over when it comes to the poor language^ -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- 'Exploiting Telus POTS / Payphone Lines in Calgary, AB.' Here are some things that do strange things with other things, if that makes any sense at all, on Telus systems in Calgary, AB (+1403): Nortel Centurions are bright orange under those black and brown covers which are fully removable! This is an armour plate - you can access the coin vault from it but need a key or a lockpick to access the circuits. 777-XXXX: 777 is an area which appears to be assigned mostly to an offsite Meridian PBX for the CBE; each room in the CBE schools has its own phone number that starts with 777 as far as I can tell. However, it is not all assigned to them. 777-9759 and 777-9758 both route to 911 operators. I obviously didn’t want to keep scanning there, they would have figured it out pretty quick. 211: 211 service exists from pots lines and cell phones, but not payphones Possible exploits: Here, I believe I may have discovered where Telus is hiding all its diagnostics. A few things one should know: - A busy signal is usually Telus telling us that we aren't allowed to do what we are doing - It can also mean you got the password wrong - There is no law against scanning in Alberta, or (I think) any other province. Stop confusing American state laws with Canadian ones. Exploit A: Telus 101XXXX codes The codes assigned to Telus used in Calgary are as follows: 0424: Payphones 0324: Not payphones If you dial 1010324# from a POTS line, you get a dialtone. If you dial it from a payphone, the carrier access code is wrong (like it is for every other valid carrier). Should you dial 1010424# instead, if you are on a POTS line you will get a busy signal. If you are on a payphone, it will do one of a few things. It might not let you call it or just hang up when you do (Millenniums), or tell you that you aren't authorised to call that number. It will do the same thing if you dial 1010424-0# from a pots line. Exploit B: Interestingly enough, if you dial 1010424-1-403-XXX-XXXX from a POTS line, "your local call is proceeding...". It won't. Now, should you choose to dial 1010424-1-570-XXX-XXXX from the same phone, it will be busy. However, if you dial 570XXXXXXX where XXXXXXX is not your own phone number, the call cannot be completed as dialed. 511XXXXXXXXXX will also be busy. However, it has done strange things in the past, like given recordings and routed before 10 digits after the 511. Exploit C: From a POTS line, dial #XXXXXX. You don't have that feature, apparently - what feature is this? Probably tests and loops, et cetera. -- Falcon Kirtaran 10/18/04 -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- * theclone virtual-hugs(tm) pontifex --- theclone gives channel operator status to pontifex * pontifex virtual-hugs(tm) theclone. (Virtual-hugs(tm) 2.0 Evaluation Version - 29 days remaining) I think I have a keygen for that somewhere... -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- Hacking Mircom Technologies Telephone Access Systems Written by: The Clone Date: Tuesday October 19, 2004 Web-Site: http://www.nettwerked.net E-mail: theclone@hackcanada.com Blending Hacking, Phreaking, Lock Picking, and Urban Exploration into one phile. Dedicated to: Hack Canada and Nettwerked. Representing the Canadian hack / phreak scene for over 5 years, and to represent forevermore. Written for: The Fall 2004 Issue of K-1ine Magazine Table of Contents: # Introduction / Disclaimer # Mircom System Features # Exploiting Mircom Systems # Conclusion to this Document Introduction / Disclaimer: This document is dedicated to subverting the physical and remote security of the Mircom Telephone Access System, supposedly "uncrackable" machines widely used across Canada / the United States. Mircom Technologies, the company that invented these bitches, manufactures a full range of other security products which include fire control and communication products dedicated to life safety in the telephone access markets. In this document you will: learn what the Mircom Telephone Access Systems are, learn how to administrate the systems, and learn how to use a few "tricks" I have discovered in order to gain both building access, elevator control, free long distance telephone calls, and to cause general mayhem in your community. Now this is your warning; none of the knowledge you pick up from this article should EVER be used in practice. Unauthorized access to the administration functions of a computer controlled system of any kind, including building security systems is against the law. This file was simply written as a resource for individuals who want to learn about the unknown such as what big business and government agencies wish to keep from the public. This file is written for people sick of ignorance. If you do not want to use this knowledge as anything but a resource for your criminal activities, I advise you to STOP reading. Hell, don't stop reading... I'm not responsible for your behavior and could really care less that you want to spend the rest of your life rotting in a prison. Mircom System Features: The Mircom Technology Building systems range in size, in cost, and of course in features. Since I didn't feel it absolutely necessary to list off every single feature of each model, I simply linked to their data sheet PDF files. Make use of the resources linked off the images. There's a lot to learn about the models that I could not have possibly put better myself. Image: http://www.nettwerked.net/01.jpg (MODEL: MUS-2000SDK) URL: http://www.mircom.com/catsheets/tas/CAT-6518.pdf Image: http://www.nettwerked.net/02.jpg (MODEL: MUS-2036K) URL: http://www.mircom.com/catsheets/tas/CAT-6516.pdf Image: http://www.nettwerked.net/03.jpg (MODEL: MUS-3140K) URL: http://www.mircom.com/catsheets/tas/CAT-6517.pdf Image: http://www.nettwerked.net/04.jpg (MODEL: MUS-1000SDK) URL: http://www.mircom.com/catsheets/tas/CAT-6519.pdf Image: http://www.nettwerked.net/05.jpg (MODEL: MUS-1360K) URL: http://www.mircom.com/catsheets/tas/CAT-6520.pdf Image: http://www.nettwerked.net/06.jpg (MODEL: MRK-1RK/MRK-1RKS) URL: http://www.mircom.com/catsheets/tas/CAT-6515.pdf Image: http://www.nettwerked.net/07.jpg (MODEL: NSL-12K/24K/36K) URL: http://mircom.com/products/tas/nsl%20kits.htm Image: http://www.nettwerked.net/08.jpg (MODEL: US-2000 U.S.E.) URL: http://mircom.com/catsheets/tas/CAT-6521.pdf Exploiting Mircom Systems: Lets face it; every physical and remote computer controlled infrastructure on earth, whether it be some guy's personal computer or some lonely mainframe in a downtown office is vulnerable in one way or another. Don't be fooled by the marketing gimmicks being thrown your way by big business conglomerates out to make a buck on your ignorance. Every single Mircom Physical Security System around the planet is secured by a company that happened to have leaked it out to the wrong person. Now you're probably thinking to yourself "Yeah right, Clone. You're pulling my leg. You can't be telling me Mircom was that stupid!" Well they were. Now before you get too excited; I'm going to be straight with you; I will not be publishing the passwords. Don't bother asking me for the codes, because for all you know I don't even have them - and never have. But don't fret, my pet, I will let you in on a few interesting secrets anyways. Physical Administration: Mircom Technologies decided the best way to keep landlords and building owners from permanently getting locked out of administrating their security systems when they decide to forget their password, was to implement a 10 or 12 digit override password (factory default) that could work on every model. That way Joe Nobody has to pay Mircom a nice fat consulting fee every time he gets piss- drunk and loses the cigarette package he wrote the administration password on. The fucking hillbilly should have gotten the password tattooed on his ass. For this particular article I will be using the Mircom TAS-2000 Telephone Access System (MUS-3140K) as Physical Administration "subject matter". Now before you jump into finger hacking this system to death, you must, and I repeat must, *always* check for one of two things; people and cameras. People are less of a threat, because most of the time they will figure you're just calling someone you know in the building, and at times will even offer to let you in the building. External cameras watching the doorway and, depending on the model and the hardware implementation, a hidden camera (model #: CAM-1) located inside of the Mircom telephone access system itself may be watching your every move. If you notice a camera is possibly built into the model of Mircom you're about to hack, walk away. Come back a few days later and wear some kind of disguise; such as a head scarf that covers your entire face, or better yet a balaclava for a more phearsome "I'm gonna 0wn this b1tch!" look. As you approach the Mircom Telephone Access System you will notice a screen (unless altered by the administrator) that says: "Mircom - Enter Dial Code" # To enter the Administration Menu, enter the following code: 9999. Some older models use 0000. http://www.nettwerked.net/menu-3.jpg PHYSICAL ADMIN I.D. MENU # You will be prompted for the password. Enter that 10 or 12 digit pin code. (Don't worry the password is asterisked ************ for your "security".) http://www.nettwerked.net/menu-4.jpg PHYSICAL ADMIN PASSWORD MENU What you get access to when you've bypassed the administration login screen: http://www.nettwerked.net/menu-5.jpg (Navigation Tip: By pressing "0" on the menu, you enter the option your ">" cursor is pointed at. To scroll through the options press "#") You are now at the main menu. If you choose the "Add new record" option you will then have the ability to add extensions which dial any telephone number you want. If the building administrator did not set up a toll-block with the telecom carrier servicing the dedicated line, you can program long distance numbers including international and 1-900 pay telephone numbers into the system. So let's assume you have a need to enter into that menu, you will immediately be brought to this screen which says "Enter Dial Code [____]". At this point, dial any extension you want to program into the system for later use; such as 1234. http://www.nettwerked.net/menu-18.jpg After you have entered your extension of choice, you will be brought to a screen that says "Enter Telephone No. [____________]". http://www.nettwerked.net/menu-19.jpg This is where you will obviously enter your telephone number of choice. The next option you have will be "Enter Elevator Code". After you enter that code, you will be prompted to "Enter Elevator ID". To be honest with you, I have not yet figured out what this option is for exactly, but I'm guessing it has something to do with telling the elevator what floor to bring you to after you've been let in by the extension you called. Or maybe it has to do with Mircom's "Elevator Restriction Capability". This option only matters if you have an elevator in the building, and probably won't be much use to you anyways. http://www.nettwerked.net/menu-20.jpg http://www.nettwerked.net/menu-22.jpg The next option on the table is "Edit Record". Scroll down to this menu and access it. This menu is one of the most interesting ones because it will give you the option of viewing what specific extension is bound to what particular telephone number. This is a great way for you to capture the private phone number of a certain cute tenant *wink wink* or hated tenant you might have wanted to harass for some time. You also have the ability with "Edit Record" to, of course, EDIT which number any extension calls. Pissed off at someone in your building? Well the next time a loved one comes to their door to visit, they won't be reached because you edited the telephone number so that it calls something funny like phone sex or your favorite pizza delivery company. http://www.nettwerked.net/menu-23.jpg http://www.nettwerked.net/menu-24.jpg Your next option is "Delete Record". This is pretty self-explanatory. http://www.nettwerked.net/menu-26.jpg http://www.nettwerked.net/menu-27.jpg The next option on this menu is "Main Door DTMF". This is the code that is programmed into the Mircom system which, when triggered by a DTMF tone will open the door. When you call an extension and the person wants to let you in, they will (by default) press "9" on their telephone. You can piss off everyone in the building by changing it to another number. heh heh. http://www.nettwerked.net/menu-28.jpg http://www.nettwerked.net/menu-29.jpg The next option on this menu is "AUX door DTMF". "Aux" means Auxiliary and is essentially the code for opening a secondary door in the building. If there is no secondary door for the building, then it is typically left at the default 9. http://www.nettwerked.net/menu-30.jpg Other options include: Online Timer programming http://www.nettwerked.net/menu-32.jpg http://www.nettwerked.net/menu-33.jpg Enter New Password. You can set a secondary, non-override password for entry into the Mircom Telecom Access System. If being anonymous is your game, I would suggest not modifying this menu if a password has already been set by the administrator. If you change the password, chances are the administrator is going to wonder why his password doesn't work. http://www.nettwerked.net/menu-35.jpg The Set Time and Date on the next menu option. http://www.nettwerked.net/menu-36.jpg Display the Time and Date on the next menu option. http://www.nettwerked.net/menu-38.jpg http://www.nettwerked.net/menu-37.jpg You can Sort the directory by Name, by Dial Code (extension), or you can use the Auto Sort feature. http://www.nettwerked.net/menu-39.jpg http://www.nettwerked.net/menu-41.jpg You can select the language you want the Mircom Telecom Access System to display. The options: 0=E (English), 1=F (French), 2=S (Spanish), 3=M (Mandarin). http://www.nettwerked.net/menu-42.jpg Set and Enter NSL ID & SPA. http://www.nettwerked.net/menu-43.jpg http://www.nettwerked.net/menu-44.jpg Set and Enter NSLB ID & SPB/SPE. http://www.nettwerked.net/menu-45.jpg http://www.nettwerked.net/menu-46.jpg Set and Enter the Elevator ID and Timer. http://www.nettwerked.net/menu-47.jpg http://www.nettwerked.net/menu-52.jpg Auto-Program the Mircom System. http://www.nettwerked.net/menu-50.jpg http://www.nettwerked.net/menu-51.jpg Set the Mircom System to Tone or Pulse. 0=T (Tone), 1=P (Pulse). Stick with Tone. Pulse is essentially for rural areas still using rotary telephones. http://www.nettwerked.net/menu-54.jpg http://www.nettwerked.net/menu-55.jpg Options Menu. Haven't figured out what this does yet. Maybe you can, and then give me some insight. http://www.nettwerked.net/menu-56.jpg http://www.nettwerked.net/menu-57.jpg Reset - this resets the entire Mircom Telecom Access System. This is essentially a restart of the software. It will ask you "Are you sure?" Press * to Cancel, and # to Accept the reset. http://www.nettwerked.net/menu-58.jpg http://www.nettwerked.net/menu-59.jpg Initialize Logging. This starts logging of all keys pressed, including extensions and keyless entry codes. If you managed to purchase a Modem Module (model number: MDM-1000) you could "capture" this data and use it for whatever you wanted; like market research! =) http://www.nettwerked.net/menu-60.jpg Luckily for you there is the next option; Init/Erase all data. This essentially "clears" the logs. http://www.nettwerked.net/menu-61.jpg Exit - This exits the Mircom Menu System and thus wraps up my explanation of the menu options. http://www.nettwerked.net/menu-62.jpg (For much larger, high resolution panel images please go to: http://www.nettwerked.net/mircom-pics.zip) Mircom Keyless Entry: # One of the coolest features available on the various Mircom panel models is the ability to set a keyless entry code for access to the building. Are you into Urban Exploration? Want to gain access to a building for a little break and enter? Hate when you lose the keys to your building and get stuck waiting for someone to enter the building to let you in? All of these reasons are good enough reasons to set a keyless entry code. To enter the Keyless Entry Login Menu, enter the following code: 9998. Some older models use 0001. If you have not managed to successfully bypass the administration menu in all its 10 to 12 digit hard-to-hack glory, then you will not be able to set your own keyless code. The next best thing is the ever time consuming Brute Force Attack! With a 4 digit keyless entry code, you have 10,000 possible combinations to try. When you enter the login id (9998 or 0001) you will be asked for a pin code. When you get the pin code wrong, there will be a 3-5 second delay before you are brought back to the main menu which shows "Enter the dial code" on the screen. Try obvious combinations first: 0000, 1234, 2004, 9999, etc. If those don't work, work your way up; there is a high probability you will get the correct keyless entry code before trying all 10,000 combinations - unless of course the administrator didn't set a keyless entry code. Those silly bastards. Other ways to open the door for keyless entry: I've thought of two other ways to get access without physically breaking the door open or waiting for someone else to let you in. The first way: I noticed that in some cases misconfigured or inactive extensions for all of the Mircom Panel models will give you a 0+ operator. In my case Telus is the telco. If you social engineer a 0+ TOPS/TSPS operator into transferring you to a number (tell them your telephone keypad is jammed and it's urgent), such as a cell phone, you could then answer that cell phone and press '9'. The DTMF "9" key triggers the Mircom box which in turn opens the door when pressed. The other way to gain access for keyless entry is by blasting DTMF "9" into the voice mail message of your cell phone or landline beforehand and then when the time is right, social engineer a 0+ operator and have them transfer you to that telephone number. The problem with the second trick is that you might have problems with remote-controlled voice mail systems, such as most versions of Audix/Octel/Meridian Voice Mail System which stops recording when you hit any DTMF key on the telephone. Old-school tape recorders which allow you to record anything (including DTMF) will work fine enough indeed. A successful door entry hack is shown below in this photograph: http://www.nettwerked.net/menu-63.jpg Conclusion to this Document: This completes another article by yours truly. I expect this document opened up your eyes to another aspect of hacking and phreaking you might not have otherwise thought to research and exploit had you not sat down read this fine piece of modern literature. In conclusion to this article, I just want to say one thing; don't stop exploring. Don't stop your desire to explore beyond the boundaries set forth by the powers that be. Get out, play with technology and make it do something it wasn't intended to do. And don't ever stop sharing that knowledge with other like-minded individuals. Hackers and phreakers need to stick together like shit to stink! Peace. .eof This document is Copyright © 2004 by Nettwerked Incorporated. All Rights Reserved. -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- sooo many people poke me -x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x-X-x- Credits: Without the following contributions, this 'zine issue would be fairly delayed or not released. So thank you to the following people [none of which, besides CYB0RG/ASM, Cybur Netiks, and Tek-g, have mastered the apparently near-impossible task of 80-column formatting! *GLARE*]: aestetix, Aftermath, CYB0RG/ASM, Cybur Netiks, Falcon Kirtaran, Majestic 1/12, MsOgynis, omin0us, sub, TeK-g, and, of course, The Clone. Shouts: CYB0RG/ASM, Fractal, h410G3n, The Question, Phlux, Magma, Hack Canada, The Grasshopper Unit, port9, Nyxojaele, Ms.O, Tr00per, Flopik, jimmiejaz, oz0n3, *Senorita Chandelier*, Prologic, Kankraka, Markcore, cyburnetiks, coercion, H1D30U5, tek, the irc #hackcanada channel, The Nettwerked Meeting Crew, and the entire (active) Canadian H/P scene. .:,;itttttii;,:. :ijLEKW############WKEGfti,. :jEK############################KL; .jE###################################WG; ,G#########################################Ei :G############################################WG. .f################################################Et ;L#################################################WK: iW#############WWWWWW###############WWWW##########WWWWD ;W####WWWWW##WWWKKEEDDEKW#########WWKEEEEKKWWW#WW#WWWWWWf .GWWWWWWWWWWWWKWWKGti;;tGKWWWW####WEGfLLGEEEEEKWWWWWWWWWWW; ;KWWWWWWWWWWWKEEELt;. ,jEWWWWWWKf,:.,;ifLDDDEKKKKWWWWWWWE. jEWWWWKKKKKKKKEDGft. LWKKWWWE: .;ifGEKKKKKWWWWWWWW, .GEKKKKKKKKKKKKELft. jKKKWKKD tLDKKKKKKWWWWWKWi ,GEKKKKKKKWKKKKLti: jWWKKKKD. .:fGEKKKKKKWWWWKWj ,GEKKWWWWWWWWEf;: jWKKKKKK; :;fLDKKKKKWWWWKKE. ;DEKWWWWWWWEf;. .DWWWWWWKL :tfLEKWWWWWWWWWf jDKWWWWWKDj;. .LWWWWWWWWW; :ijLEKWWWWWWWWf ;EKWWKKDfi: ;EWW#####WWWE: .;jLDEKWWWWWWL. .fWWWDfi;:. ,GWKWW#####WWWWE: :iLGEKWWWWWE: ,GWWKDj,. .jKWKKWW###WWWWWWWD. :,tGEKWWWWD. .LWWWKDf: .jKWWKKKWWKDGfLEKKKWWEi .jDEKWWWL iKKKWWKDi ,tEWWKKKKKKGi .iGKKKWKf. .LEKKKKW; iKKKEKWWWEt. .iDKKKKKKKKKEf: .fEKKKKEGt: GKKKKEEG ;DKKEEEKKWWWWEDLffLLGEWWKKKKKKKKKEt .fEEKKKKKWKGji;;,:... ,fKKKKKEEE: :LKKEEEEEKKKKKKKKWWKKKEEDDEEKKKKEj ,GEKKEEKWWWWWWWWWKKKKWWWKKKKEED, ;EEEEEEEKKKKEEEKKEEDDGGGEEEEEEEDi ,cYb. ,GGEKEEDEKWWWKKKKKKKKKKKKKEEEEL. jDDDDEEEEEEEEEEDDGLffGEEEEEEEDDDLGGEKKKKEGfLDEDDEKEDGGDEEEKKKKKKKKKKEEDDDD; ;GDGGGGGGLLLffffjjjGEEEEEKKKWWW#WWWWWWW##WWWWWWWWKEDGLLGGGGDDDDDDDGGLLLGj .tfffjjttiittttjLDEEEKKKKKWW####WWWWWWWWWWWWWWWWKEEDDLfffffffffjjjjjffi :;iiiiiiiijLGDEEEEKKKKWWW###WWWKKKKKKKWWWWWWWWEEDDDLffjjttiiiittt;. ,ittjfLGDEEEEEEKKKKKWWWELji,:::::,;tLDEKWKKEEDDEDGLffjtttttti: ,fLLGDEEKKKKKEKKKKKKEj: .:tLDEKEEDEEEEDGLfffffji. iLGDDEEKKKKKEKKKKKEf. ,fDEEDDEEEEEEGGLLLfj, jLDEEEEKKKKKKKKEEL. :LDEEDDEEEEKEEDDGL, .;DEEKKKKKKKKKEED; ,fEEEDEEEEEKKEEDi LEEKKKKKEEEEEEf :GDDDDDEEEEEEDf ;EEKKEEEEEEEDD; fDDDDDDEEEEDG: .DEEEEEEEEEEDD: ;DDDDDDDDDDLt LEEEEEEEEEDDD: :GDDDDDDDDGt: :GDDDDDDDDDDD. .GEDGGGGGGj ;LGDDDDDDDDD: A LEGGGGGLj. ;fLGDDDDDDE; N E T T W E R K E D ;DGGLLLj: :tLGDDDDDEj P R O D U C T jDGLLLj. .;fLGDDDEE: .GGGGLf: :tLGDDEKj ..;DGGGL; .tLGDEKG. ::.fDGGGf. ;jGEKK;. :..DDDDGj jGEKG.. ..;EDDDGi .jDKK:. ..;GEDEDG, tEWG.. .. .:.GKEEEDj LWW;. . :.iKKEEEj iKWj.. . : LKKEEE, :KWE. ..KKKEEf DWW: jWKKKE, LWWf .. .DWKKKL jW#E: . iKWKKK; :WWK;. GWWKKD DWWi.. .EWKKKj ;KWf .. ,KKKKK, LKKi ..;DEEKGt .GDEL;,. :ifDGDEf; .fGLGGGLLLLLLLGi' ,jffjtttjfj;' .iLjfff"